From 915e5bfa31e8f1f725e9e3461370c8535017d2e8 Mon Sep 17 00:00:00 2001 From: Isaac Chen Date: Wed, 24 Jul 2019 06:04:32 +0200 Subject: wayne-common: Address denials for P 
Signed-off-by: Isaac Chen Change-Id: I6759914e91c1cc437304d74328e970daeb3d25e3 --- sepolicy/app.te | 4 +++- sepolicy/atfwd.te | 1 + sepolicy/bt_firmware_file.te | 2 -- sepolicy/dpmd.te | 2 -- sepolicy/file.te | 8 +++++++- sepolicy/file_contexts | 17 ++++++++++++++++- sepolicy/firmware_file.te | 2 -- sepolicy/genfs_contexts | 2 ++ sepolicy/hal_audio_default.te | 2 ++ sepolicy/hal_camera_default.te | 7 +++++-- sepolicy/hal_cas_default.te | 3 +-- sepolicy/hal_fingerprint_wayne.te | 5 ++++- sepolicy/hal_gnss_qti.te | 1 + sepolicy/hal_graphics_composer_default.te | 4 ++-- sepolicy/hal_light_default.te | 1 + sepolicy/hal_mlipay_default.te | 2 +- sepolicy/hal_power_default.te | 3 ++- sepolicy/hal_sensors_default.te | 1 + sepolicy/hvdcp.te | 1 - sepolicy/hwservice.te | 2 +- sepolicy/hwservicemanager.te | 1 - sepolicy/init.te | 7 +++++-- sepolicy/init_fingerprint.te | 3 +-- sepolicy/kernel.te | 1 + sepolicy/location.te | 1 + sepolicy/netmgrd.te | 1 + sepolicy/per_mgr.te | 2 -- sepolicy/priv_app.te | 1 + sepolicy/property.te | 4 ++-- sepolicy/property_contexts | 11 +++++++++-- sepolicy/qti_init_shell.te | 5 +++-- sepolicy/radio.te | 2 -- sepolicy/rild.te | 1 - sepolicy/system_app.te | 4 +++- sepolicy/system_server.te | 6 ++++-- sepolicy/tee.te | 12 ++++++------ sepolicy/thermal-engine.te | 6 ++++++ sepolicy/vendor_init.te | 13 +++++++++++++ 38 files changed, 106 insertions(+), 45 deletions(-) create mode 100644 sepolicy/atfwd.te delete mode 100644 sepolicy/bt_firmware_file.te delete mode 100644 sepolicy/dpmd.te delete mode 100644 sepolicy/firmware_file.te create mode 100644 sepolicy/genfs_contexts create mode 100644 sepolicy/hal_audio_default.te create mode 100644 sepolicy/hal_gnss_qti.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_sensors_default.te create mode 100644 sepolicy/kernel.te create mode 100644 sepolicy/location.te create mode 100644 sepolicy/netmgrd.te delete mode 100644 sepolicy/per_mgr.te create mode 100644 
sepolicy/priv_app.te
delete mode 100644 sepolicy/radio.te
create mode 100644 sepolicy/thermal-engine.te
create mode 100644 sepolicy/vendor_init.te
(limited to 'sepolicy')
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 3858674..c61957b 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,4 +1,6 @@
+# Allow appdomain to get vendor_camera_prop
+get_prop(appdomain, vendor_camera_prop)
 allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
 binder_call({ appdomain -isolated_app }, hal_mlipay_default)
-get_prop({ appdomain -isolated_app }, ifaa_prop)
+get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te
new file mode 100644
index 0000000..a60277a
--- /dev/null
+++ b/sepolicy/atfwd.te
@@ -0,0 +1 @@
+allow atfwd sysfs:file read;
diff --git a/sepolicy/bt_firmware_file.te b/sepolicy/bt_firmware_file.te
deleted file mode 100644
index a6a13a1..0000000
--- a/sepolicy/bt_firmware_file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= bt_firmware_file ==============
-allow bt_firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
deleted file mode 100644
index e73c6fe..0000000
--- a/sepolicy/dpmd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= dpmd ==============
-allow dpmd vendor_file:file { execute getattr open read };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 7aed2d6..2ca38b9 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,2 +1,8 @@
-type fingerprint_data_file, file_type, data_file_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type ir_dev_file, file_type;
+type proc_dt2w, fs_type, proc_type;
+type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
 type fingerprint_sysfs, fs_type, sysfs_type;
+type vendor_keylayout_file, file_type, vendor_file_type;
+type sysfs_light, fs_type, sysfs_type;
+type thermal_data_file, file_type, data_file_type;
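Review bot: `get_prop(appdomain, vendor_camera_prop)` at the top of the app.te hunk covers every app domain including `isolated_app`, which the three neighbouring rules deliberately exclude with `{ appdomain -isolated_app }`. If isolated processes have no need for camera properties, write it as `get_prop({ appdomain -isolated_app }, vendor_camera_prop)` to keep the file consistent. The property_contexts change in this same commit maps `persist.camera.` and `persist.vendor.camera.` to `camera_prop`, not `vendor_camera_prop`, so it is worth confirming that the type granted here is the one the denial was actually about.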
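Review bot: `allow atfwd sysfs:file read;` targets the generic `sysfs` label, so it opens every otherwise unlabelled sysfs node to atfwd instead of the single file behind the denial. The same pattern recurs in this commit for hal_camera_default, hal_gnss_qti, hal_sensors_default and location (read access) and, with more impact, as `allow qti_init_shell sysfs:file write;`. Prefer giving the specific node its own type in file_contexts or genfs_contexts, as this commit already does for `sysfs_rtc`, and granting only that type. A short comment naming the sysfs path each rule is meant for would also make these audit2allow-style lines reviewable later.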
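Review bot: Adding `core_data_file_type` to `fingerprint_data_file` in file.te marks data that a vendor HAL reads and writes as core-owned, which is what forces `hal_fingerprint_wayne` and `tee` to carry `data_between_core_and_vendor_violators` elsewhere in this commit. The same type is also applied to `/persist/fpc` and `/persist/data/gf*` in file_contexts, which are not under /data at all. Consider a separate vendor-owned type for the vendor paths so the violator attribute is not needed, and add a comment above the type saying which paths it is expected to label. `ir_dev_file` is declared here but no rule or context in the visible hunks uses it.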
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 19975c3..6939ff5 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -9,22 +9,37 @@ # Goodix Fingerprint data /data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0 +/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0 +/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0 /persist/data/gf* u:object_r:fingerprint_data_file:s0 +# Fpc Fingerprint data +/persist/fpc(/.*)? u:object_r:fingerprint_data_file:s0 + # HVDCP /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0 # IR /dev/spidev7.1 u:object_r:spidev_device:s0 +# Keylayout +/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0 +/vendor/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0 + # Light HAL /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0 # Mlipay -/(vendor|system/vendor)/bin/mlipayd u:object_r:hal_mlipay_default_exec:s0 +/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0 # Persist /persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0 +# RTC +/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0 + # Shell Script /(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0 + +# Thermal +/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0 diff --git a/sepolicy/firmware_file.te b/sepolicy/firmware_file.te deleted file mode 100644 index 57f6c2d..0000000 --- a/sepolicy/firmware_file.te +++ /dev/null @@ -1,2 +0,0 @@ -#============= firmware_file ============== -allow firmware_file rootfs:filesystem associate; diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts new file mode 100644 index 0000000..638c917 --- /dev/null 
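Review bot: The new file_contexts entry `/(vendor|system/vendor)/bin/mlipayd@1.1` leaves the dot unescaped, so as a regex it also matches names such as `mlipayd@1x1`; the neighbouring Light HAL and shell-script entries escape theirs, and this one should read `mlipayd@1\.1`. The new RTC path has the same issue in `800f000.qcom,spmi` and `800f000.qcom,spmi:qcom,pm660@0`. Since this label decides which binary is allowed to enter `hal_mlipay_default`, a domain with `tee_device` access, the pattern should match exactly one path. The hunk starts at line 9 of the file, so entries above it were not reviewed.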
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..128920f
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1,2 @@
+allow hal_audio_default vendor_data_file:dir { create write add_name };
+allow hal_audio_default vendor_data_file:file { append create getattr open read };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index 4d5138b..0f40bbd 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,3 +1,6 @@
-allow hal_camera_default sysfs_kgsl:file r_file_perms;
+binder_call(hal_camera_default, hal_configstore_default)
+binder_call(hal_camera_default, hal_graphics_allocator_default)
+
 allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find;
-allow hal_camera_default { hal_configstore_default hal_graphics_allocator_default }:binder call;
+allow hal_camera_default sysfs:file { getattr open read };
+allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
index fec0fc4..18b00de 100644
--- a/sepolicy/hal_cas_default.te
+++ b/sepolicy/hal_cas_default.te
@@ -1,2 +1 @@
-#============= hal_cas_default ==============
-allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };
+vndbinder_use(hal_cas_default)
diff --git a/sepolicy/hal_fingerprint_wayne.te b/sepolicy/hal_fingerprint_wayne.te
index 470c6d8..11a99de 100644
--- a/sepolicy/hal_fingerprint_wayne.te
+++ b/sepolicy/hal_fingerprint_wayne.te
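Review bot: Both new hal_audio_default rules grant create and write on the catch-all `vendor_data_file` type, so the audio HAL can create directories and files anywhere under /data/vendor that has no more specific label. Declare a dedicated type for the directory the HAL actually uses, label it in file_contexts, and grant `create_dir_perms`/`create_file_perms` on that type only. A one-line comment naming the path and what the HAL stores there would document why the access is needed.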
@@ -2,15 +2,18 @@ type hal_fingerprint_wayne, domain, binder_in_vendor_violators; hal_server_domain(hal_fingerprint_wayne, hal_fingerprint) type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type; +typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators; binder_use(hal_fingerprint_wayne) init_daemon_domain(hal_fingerprint_wayne) allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl }; allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl }; allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms; +allow hal_fingerprint_wayne fingerprintd_data_file:dir rw_dir_perms; +allow hal_fingerprint_wayne fingerprintd_data_file:file create_file_perms; allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search; allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read; -allow hal_fingerprint_wayne fingerprint_sysfs:dir rw_dir_perms; +allow hal_fingerprint_wayne fingerprint_sysfs:dir r_dir_perms; allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms; allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read }; diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te new file mode 100644 index 0000000..711c8bb --- /dev/null +++ b/sepolicy/hal_gnss_qti.te @@ -0,0 +1 @@ +allow hal_gnss_qti sysfs:file { read open }; diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index c8c0e02..39e8fb4 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te @@ -1,2 +1,2 @@ -#============= hal_graphics_composer_default ============== -allow hal_graphics_composer_default sysfs:file { getattr open read }; +allow hal_graphics_composer_default sysfs_graphics:file r_file_perms; +allow hal_graphics_composer_default sysfs_graphics:lnk_file read; 
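Review bot: The two added hal_fingerprint_wayne rules grant directory and create access on `fingerprintd_data_file`, while the file_contexts hunk in this commit labels the new `/data/misc/gf_data` and `/data/misc/goodix` trees as `fingerprint_data_file`, for which this domain still has only `:file rw_file_perms` and no directory or create permission. If the HAL is expected to create files under those vendor-specific paths, the rules appear to be on the wrong type; if only the platform fingerprint directory is intended, a comment saying so would help. The new `typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators;` also lacks the kind of TODO that tee.te carries for the same attribute, so nothing records when the exemption can be dropped.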
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te new file mode 100644 index 0000000..e0592d7 --- /dev/null +++ b/sepolicy/hal_light_default.te @@ -0,0 +1 @@ +allow hal_light_default sysfs_light:file rw_file_perms; diff --git a/sepolicy/hal_mlipay_default.te b/sepolicy/hal_mlipay_default.te index eb48621..c6f721c 100644 --- a/sepolicy/hal_mlipay_default.te +++ b/sepolicy/hal_mlipay_default.te @@ -11,6 +11,6 @@ allow hal_mlipay_default tee_device:chr_file rw_file_perms; allow hal_mlipay_default ion_device:chr_file r_file_perms; r_dir_file(hal_mlipay_default, firmware_file) -set_prop(hal_mlipay_default, ifaa_prop); +set_prop(hal_mlipay_default, mlipay_prop); get_prop(hal_mlipay_default, hal_fingerprint_prop); diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te index 7e0a992..2df04b0 100644 --- a/sepolicy/hal_power_default.te +++ b/sepolicy/hal_power_default.te @@ -1 +1,2 @@ -allow hal_power_default proc:file rw_file_perms; +allow hal_power_default proc_dt2w:file rw_file_perms; +r_dir_file(hal_power_default, debugfs_wlan) diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te new file mode 100644 index 0000000..28414f9 --- /dev/null +++ b/sepolicy/hal_sensors_default.te @@ -0,0 +1 @@ +allow hal_sensors_default sysfs:file { read open }; diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te index 894bb5f..49a6b78 100644 --- a/sepolicy/hvdcp.te +++ b/sepolicy/hvdcp.te @@ -1,2 +1 @@ -#============= hvdcp ============== allow hvdcp sysfs:file { open read }; diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te index 6c299d1..32adecb 100644 --- a/sepolicy/hwservice.te +++ b/sepolicy/hwservice.te @@ -1,2 +1,2 @@ type goodixhw_service, hwservice_manager_type; -type hal_mlipay_hwservice, hwservice_manager_type; +type hal_mlipay_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice; diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te index cc438b8..3262afb 100644 
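Review bot: `r_dir_file(hal_power_default, debugfs_wlan)` in the hal_power_default hunk makes the power HAL depend on debugfs, together with the new `allow kernel debugfs_wlan:dir search;` in kernel.te. debugfs is a debugging interface that production builds generally aim to keep out of reach of long-running services, so confirm this is required on user builds; if it is only needed for diagnostics, wrap the rule in the `userdebug_or_eng` macro. The replacement of `proc:file` with `proc_dt2w:file` in the same hunk is a good narrowing and needs no change.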
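Review bot: Adding `untrusted_app_visible_hwservice` to `hal_mlipay_hwservice` in hwservice.te exempts the payment HAL from the platform restriction that keeps untrusted apps away from HAL services, and app.te already lets every app domain except `isolated_app` find and call it. That makes `hal_mlipay_default`, which holds `tee_device:chr_file rw_file_perms`, directly reachable from any installed app. If only specific clients need it, grant `find` and `binder_call` to those domains instead of `appdomain`, and add a comment here recording why the exemption is required and that the HAL is expected to authenticate callers itself.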
--- a/sepolicy/hwservicemanager.te +++ b/sepolicy/hwservicemanager.te @@ -2,4 +2,3 @@ allow hwservicemanager init:dir search; allow hwservicemanager init:file { open read }; allow hwservicemanager init:process getattr; - diff --git a/sepolicy/init.te b/sepolicy/init.te index bba943e..734baea 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,3 +1,6 @@ -#============= init ============== allow init hwservicemanager:binder { call transfer }; -allow init btnvtool_exec:file execute; +allow init ipa_dev:chr_file open; +allow init ion_device:chr_file ioctl; +allow init property_socket:sock_file write; +allow init sysfs_dm:file { open write }; +allow init tee_device:chr_file { write ioctl }; diff --git a/sepolicy/init_fingerprint.te b/sepolicy/init_fingerprint.te index 4c27535..b45cdd6 100644 --- a/sepolicy/init_fingerprint.te +++ b/sepolicy/init_fingerprint.te @@ -11,5 +11,4 @@ allow init_fingerprint vendor_toolbox_exec:file rx_file_perms; # Allow to delete file allow init_fingerprint persist_file:dir search; allow init_fingerprint persist_drm_file:dir { read search open write remove_name }; -allow init_fingerprint persist_drm_file:file { getattr unlink }; -allow init_fingerprint system_data_file:file r_file_perms; +allow init_fingerprint persist_drm_file:file { getattr unlink }; \ No newline at end of file diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te new file mode 100644 index 0000000..9ba3537 --- /dev/null +++ b/sepolicy/kernel.te @@ -0,0 +1 @@ +allow kernel debugfs_wlan:dir search; diff --git a/sepolicy/location.te b/sepolicy/location.te new file mode 100644 index 0000000..4333581 --- /dev/null +++ b/sepolicy/location.te @@ -0,0 +1 @@ +allow location sysfs:file { read open }; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te new file mode 100644 index 0000000..47ce266 --- /dev/null +++ b/sepolicy/netmgrd.te @@ -0,0 +1 @@ +allow netmgrd property_socket:sock_file write; 
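Review bot: The init.te hunk gives the `init` domain `tee_device:chr_file { write ioctl }`, `ion_device:chr_file ioctl` and `property_socket:sock_file write`, which PID 1 itself should not need; denials like these usually mean a vendor service or script is running in the `init` domain without a transition of its own. Rather than widening `init`, give that service its own domain and put the TEE and ION access there. The bare `property_socket:sock_file write` here and in netmgrd.te is also only a fragment of what `set_prop(domain, type)` grants, so setting a property will still be denied at the next step; use the macro with the specific property type.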
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
deleted file mode 100644
index 1882a34..0000000
--- a/sepolicy/per_mgr.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= per_mgr ==============
-allow per_mgr self:capability { dac_override net_raw };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..7ae851d
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1 @@
+allow priv_app sysfs_graphics:file { getattr open read };
\ No newline at end of file
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 20dd7a4..313445c 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,3 +1,3 @@
 type hal_fingerprint_prop, property_type;
-type ifaa_prop, property_type;
-
+type mlipay_prop, property_type;
+type thermal_engine_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 57f8ba8..037565e 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,5 +1,12 @@
+persist.camera. u:object_r:camera_prop:s0
+persist.vendor.camera. u:object_r:camera_prop:s0
 sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
 sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
 persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
-persist.sys.ifaa u:object_r:ifaa_prop:s0
+persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 6967fc4..aa81398 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
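Review bot: The last two added property_contexts lines put `sys.thermal.` and `persist.sys.thermal.`, which sit in the system property namespace, under the vendor-defined `thermal_engine_prop` type that thermal-engine.te then lets a vendor daemon set. The fingerprint and payment entries in this same hunk were moved to `persist.vendor.` prefixes, so the thermal prefixes stand out as the only new vendor-writable properties left outside the vendor namespace; if the daemon can be configured to use `vendor.`-prefixed names, that keeps the split consistent. The broad `persist.camera.` prefix mapped to `camera_prop` deserves a short comment too, because vendor_init.te grants `set_prop(vendor_init, camera_prop)` on it.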
@@ -1,3 +1,4 @@
-#============= qti_init_shell ==============
 allow qti_init_shell sysfs_cpu_boost:file write;
-allow qti_init_shell sysfs_lowmemorykiller:dir write;
+allow qti_init_shell sysfs:file write;
+allow qti_init_shell vendor_radio_data_file:dir { getattr read search };
+allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
deleted file mode 100644
index 4d6fc0f..0000000
--- a/sepolicy/radio.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= radio ==============
-allow radio vendor_file:file { execute getattr open read };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index d66bc7c..06625de 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,2 +1 @@
-#============= rild ==============
 allow rild vendor_file:file ioctl;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index c9f1b37..c7d0026 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,3 @@
-hal_client_domain(system_app, hal_mlipay)
+allow system_app vendor_default_prop:file { getattr open read };
+allow system_app wificond:binder call;
+add_service(system_app, goodixhw_service)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index c658e69..c9135cf 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,2 +1,4 @@
-#============= system_server ==============
-allow system_server vendor_file:file { execute getattr open read };
+allow system_server vendor_keylayout_file:dir search;
+allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server sysfs_vibrator:file rw_file_perms;
+allow system_server sysfs_rtc:file r_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 85c98a8..0a124bc 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
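Review bot: `add_service(system_app, goodixhw_service)` in the system_app.te hunk applies the `service_manager` macro to a type that hwservice.te declares as `hwservice_manager_type`, so the rule grants `service_manager { add find }` on a HwBinder service type and does not cover registration with hwservicemanager. If the app really registers a HIDL service, the matching macro is `add_hwservice(system_app, goodixhw_service)`; if it registers a Binder service, the type should be a `service_manager_type` declared in service.te. Letting `system_app` register a fingerprint-vendor service at all is worth a comment explaining which component does it. `allow system_app vendor_default_prop:file { getattr open read };` would normally be written as `get_prop(system_app, vendor_default_prop)`.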
@@ -1,6 +1,6 @@
-# /data/goodix labeling
-type_transition tee system_data_file:{ dir file } fingerprint_data_file;
-
-allow tee fingerprint_data_file:dir create_dir_perms;
-allow tee fingerprint_data_file:file create_file_perms;
-allow tee system_data_file:dir create_dir_perms;
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# tee no longer directly accesses /data owned by the frameworks.
+typeattribute tee data_between_core_and_vendor_violators;
+allow tee system_data_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..0e03308
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,6 @@
+allow thermal-engine thermal_data_file:dir rw_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine self:capability { chown fowner };
+dontaudit thermal-engine self:capability dac_override;
+
+set_prop(thermal-engine, thermal_engine_prop);
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..9f602b1
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,13 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+ system_data_file
+ tombstone_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+set_prop(vendor_init, camera_prop)
+allow vendor_init rootfs:dir { add_name create setattr write };
+allow vendor_init persist_debug_prop:property_service set;
+allow vendor_init persist_dpm_prop:property_service set;
+allow vendor_init qcom_ims_prop:property_service set;
+allow vendor_init rootfs:lnk_file setattr;
-- cgit v1.2.3
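Review bot: The braced `allow vendor_init { system_data_file tombstone_data_file }:dir { … }` rule in vendor_init.te, together with `data_between_core_and_vendor_violators`, lets vendor init scripts create, remove and relabel directories carrying the generic `/data` label, and the later `rootfs:dir { add_name create setattr write }` does the same for the root filesystem. These read like the result of `mkdir`/`chown` lines in a vendor `.rc` file that touch core paths; moving those actions to paths with their own vendor type (or to the platform rc, where they belong to core) would remove the need for both the rule and the violator attribute. `relabelfrom` is granted with no matching `relabelto`, so it is unlikely to be usable as written and can probably be dropped. If the rules must stay, add a comment listing the exact directories involved and a TODO for removing the attribute, as tee.te does.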