sepolicy: Clean sepolicies rules defined in qcom/sepolicy-legacy

* Also perform minor codestyle improvements Change-Id: I264c3979d9a4fb97b6950ef299648b921de9f319
AdrianDC · Aug 18, 2020 · 30246e8 · 30246e8
1 parent 753b74d
commit 30246e8
Show file tree

Hide file tree

Showing 36 changed files with 12 additions and 200 deletions.
diff --git a/board/selinux.mk b/board/selinux.mk
@@ -4,9 +4,3 @@ include device/qcom/sepolicy-legacy/sepolicy.mk
 # Device sepolicies
 BOARD_SEPOLICY_DIRS += \
     $(DEVICE_PATH)/sepolicy
-
-# LineageOS device sepolicies
-ifeq ($(BOARD_AOSP_BASED),)
-BOARD_SEPOLICY_DIRS += \
-    $(DEVICE_PATH)/sepolicy-lineage
-endif
diff --git a/sepolicy-lineage/mediaserver.te b/sepolicy-lineage/mediaserver.te
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
@@ -1,3 +1,2 @@
 #============= audioserver ==============
 allow audioserver debugfs_asoc:dir { open read search };
-allow audioserver hal_power_hwservice:hwservice_manager find;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
diff --git a/sepolicy/device.te b/sepolicy/device.te
@@ -1,13 +1,6 @@
 # /dev/block partitions
-type bootloader_block_device, dev_type;
 type ltalabel_block_device, dev_type;
-type modem_block_device, dev_type;
 type trim_area_partition_device, dev_type;
 
 # /dev devices
-type diag_device, dev_type;
-type fm_device, dev_type;
-type qmuxd_socket, dev_type;
 type shared_log_device, dev_type;
-type smd_device, dev_type;
-type wlan_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
diff --git a/sepolicy/file.te b/sepolicy/file.te
@@ -4,35 +4,23 @@ type sysfs_block_iosched, fs_type, sysfs_type;
 type sysfs_bluetooth_control, fs_type, sysfs_type;
 type sysfs_bus_i2c, fs_type, sysfs_type;
 type sysfs_camera_torch, fs_type, sysfs_type;
-type sysfs_charger, fs_type, sysfs_type;
-type sysfs_cpu_boost, fs_type, sysfs_type;
 type sysfs_disk_polling, fs_type, sysfs_type;
-type sysfs_fm_dl, fs_type, sysfs_type;
 type sysfs_glove_mode, fs_type, sysfs_type;
 type sysfs_gpio, fs_type, sysfs_type;
 type sysfs_i2c_name, fs_type, sysfs_type;
 type sysfs_input_devices, fs_type, sysfs_type;
 type sysfs_lights_effects, fs_type, sysfs_type;
 type sysfs_mac_serial, fs_type, sysfs_type;
-type sysfs_memory_ksm, fs_type, sysfs_type;
 type sysfs_mhl, fs_type, sysfs_type;
-type sysfs_msmuart_file, fs_type, sysfs_type;
 type sysfs_power_control, fs_type, sysfs_type;
 type sysfs_proximity_sensor, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
-type sysfs_sensors, sysfs_type, fs_type;
-type sysfs_smdcntl_open_timeout, sysfs_type, fs_type;
-type sysfs_surfaceflinger, sysfs_type, fs_type;
 type sysfs_system_soc, fs_type, sysfs_type;
 type sysfs_thermal_control, fs_type, sysfs_type;
 type sysfs_wcnss_ssr, fs_type, sysfs_type;
 
 # debugfs
 type debugfs_asoc, debugfs_type, fs_type;
-type debugfs_kgsl, debugfs_type, fs_type;
 
 # /dev/socket
 type tad_socket, file_type;
-
-# /data
-type fm_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
@@ -1,49 +1,29 @@
 # /dev partitions
-/dev/block/mmcblk0                                                                u:object_r:root_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/Cache                                     u:object_r:cache_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/FOTAKernel                                u:object_r:recovery_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/LTALabel                                  u:object_r:ltalabel_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/Kernel                                    u:object_r:boot_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/TA                                        u:object_r:trim_area_partition_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/Userdata                                  u:object_r:userdata_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/apps_log                                  u:object_r:misc_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/fsg                                       u:object_r:modem_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/modemst1                                  u:object_r:modem_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/modemst2                                  u:object_r:modem_block_device:s0
-/dev/block/zram0                                                                  u:object_r:swap_block_device:s0
 
 # /dev devices
-/dev/diag                                                                         u:object_r:diag_device:s0
 /dev/gemini.*                                                                     u:object_r:video_device:s0
-/dev/kgsl-3d0                                                                     u:object_r:gpu_device:s0
-/dev/media([0-9])+                                                                u:object_r:video_device:s0
 /dev/msm_acdb                                                                     u:object_r:audio_device:s0
-/dev/msm_camera(/.*)?                                                             u:object_r:video_device:s0
-/dev/msm_rotator                                                                  u:object_r:video_device:s0
 /dev/msm_vidc.*                                                                   u:object_r:video_device:s0
 /dev/msm_vpe_standalone                                                           u:object_r:video_device:s0
-/dev/qseecom                                                                      u:object_r:tee_device:s0
-/dev/radio0                                                                       u:object_r:fm_device:s0
 /dev/smd2                                                                         u:object_r:hci_attach_dev:s0
 /dev/smd3                                                                         u:object_r:hci_attach_dev:s0
 /dev/smd([0-9])+                                                                  u:object_r:smd_device:s0
 /dev/smdcntl[0-7]                                                                 u:object_r:radio_device:s0
-/dev/smem_log                                                                     u:object_r:shared_log_device:s0
-/dev/socket/qmux_audio(/.*)?                                                      u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)?                                                  u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)?                                                        u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)?                                                      u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_nfc(/.*)?                                                        u:object_r:qmuxd_socket:s0
 /dev/socket/tad                                                                   u:object_r:tad_socket:s0
-/dev/v4l-subdev.*                                                                 u:object_r:video_device:s0
-/dev/wcnss_wlan                                                                   u:object_r:wlan_device:s0
 
 # /system
 /system/bin/hci_qcomm_init                                                        u:object_r:hci_attach_exec:s0
 /system/bin/irsc_util                                                             u:object_r:irsc_util_exec:s0
 /system/bin/netmgrd                                                               u:object_r:netmgrd_exec:s0
 /system/bin/qmuxd                                                                 u:object_r:qmuxd_exec:s0
-/system/bin/rmt_storage                                                           u:object_r:rmt_exec:s0
+/system/bin/rmt_storage                                                           u:object_r:rmt_storage_exec:s0
 /system/bin/secchand                                                              u:object_r:secchand_exec:s0
 /system/bin/ta_qmi_service                                                        u:object_r:ta_qmi_service_exec:s0
 /system/bin/updatemiscta                                                          u:object_r:updatemiscta_exec:s0
@@ -63,8 +43,6 @@
 /sys/bus/i2c(/.*)?                                                                u:object_r:sysfs_bus_i2c:s0
 /sys/class/gpio(/.*)?                                                             u:object_r:sysfs_gpio:s0
 /sys/class/power_supply/battery(/.*)?                                             u:object_r:sysfs_batteryinfo:s0
-/sys/class/thermal(/.*)?                                                          u:object_r:sysfs_thermal:s0
-/sys/class/uio(/.*)?                                                              u:object_r:sysfs_rmtfs:s0
 /sys/devices/i2c-3/3-0024/main_ttsp_core.cyttsp4_i2c_adapter/finger_threshold     u:object_r:sysfs_glove_mode:s0
 /sys/devices/i2c-3/3-0024/main_ttsp_core.cyttsp4_i2c_adapter/signal_disparity     u:object_r:sysfs_glove_mode:s0
 /sys/devices/i2c-10/10-0039/mhl/sii8334(/.*)?                                     u:object_r:sysfs_mhl:s0
@@ -115,21 +93,13 @@
 /sys/devices/platform/wcnss_wlan.0/wcnss_mac_addr                                 u:object_r:sysfs_mac_address:s0
 /sys/devices/system/soc/soc0/hw_platform                                          u:object_r:sysfs_system_soc:s0
 /sys/devices/system/soc/soc0/id                                                   u:object_r:sysfs_system_soc:s0
-/sys/devices/virtual/graphics/fb([0-2])+/hpd                                      u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/format_3d                                u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/msm_fb_fps_level                         u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/product_description                      u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/vendor_name                              u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/video_mode                               u:object_r:sysfs_surfaceflinger:s0
+/sys/devices/virtual/graphics/fb([0-3])+/format_3d                                u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_fps_level                         u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/video_mode                               u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/input                                                        u:object_r:sysfs_input_devices:s0
-/sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout                          u:object_r:sysfs_smdcntl_open_timeout:s0
-/sys/devices/virtual/thermal(/.*)?                                                u:object_r:sysfs_thermal:s0
 /sys/devices/virtual/timed_output/vibrator/level                                  u:object_r:sysfs_vibrator:s0
-/sys/kernel/mm/ksm(/.*)?                                                          u:object_r:sysfs_memory_ksm:s0
 /sys/module/cpu_boost/parameters(/.*)?                                            u:object_r:sysfs_cpu_boost:s0
-/sys/module/msm_serial_hs/parameters/debug_mask                                   u:object_r:sysfs_msmuart_file:s0
 /sys/module/hci_smd/parameters/hcismd_set                                         u:object_r:sysfs_bluetooth_control:s0
-/sys/module/msm_thermal/core_control/cpus_offlined                                u:object_r:sysfs_thermal_control:s0
 /sys/module/msm_thermal/core_control/enabled                                      u:object_r:sysfs_thermal_control:s0
 /sys/module/msm_thermal/parameters/enabled                                        u:object_r:sysfs_thermal_control:s0
 /sys/module/pm_8x60/modes/cpu([0-1])+/power_collapse/idle_enabled                 u:object_r:sysfs_power_control:s0
@@ -138,17 +108,14 @@
 /sys/module/pm_8x60/modes/cpu([0-1])+/standalone_power_collapse/idle_enabled      u:object_r:sysfs_power_control:s0
 /sys/module/pm_8x60/modes/cpu([0-1])+/standalone_power_collapse/suspend_enabled   u:object_r:sysfs_power_control:s0
 /sys/module/pm8921_charger/parameters(/.*)?                                       u:object_r:sysfs_batteryinfo:s0
-/sys/module/radio_iris_transport/parameters/fmsmd_set                             u:object_r:sysfs_fm_dl:s0
 /sys/module/rpm_resources/enable_low_power(/.*)?                                  u:object_r:sysfs_power_control:s0
 /sys/module/wcnss_ssr_8960/parameters/enable_riva_ssr                             u:object_r:sysfs_wcnss_ssr:s0
 
 # debugfs
 /sys/kernel/debug/asoc(/.*)?                                                      u:object_r:debugfs_asoc:s0
 
 # /data
-/data/camera(/.*)?                                                                u:object_r:camera_data_file:s0
 /data/etc/flashled_vf_factory                                                     u:object_r:camera_data_file:s0
-/data/misc/fm(/.*)?                                                               u:object_r:fm_data_file:s0
 
 # /
 /tombstones                                                                       u:object_r:rootfs:s0
diff --git a/sepolicy/fm_dl.te b/sepolicy/fm_dl.te
@@ -8,8 +8,7 @@ set_prop(fm_dl, fm_prop)
 #============= fm_dl ==============
 allow fm_dl fm_data_file:dir ra_dir_perms;
 allow fm_dl fm_data_file:file create_file_perms;
-allow fm_dl fm_device:chr_file r_file_perms;
 allow fm_dl shell_exec:file { entrypoint getattr read };
-allow fm_dl sysfs_fm_dl:file w_file_perms;
+allow fm_dl sysfs_fm:file w_file_perms;
 allow fm_dl system_file:file execute_no_trans;
 allow fm_dl toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
@@ -2,8 +2,4 @@
 vndbinder_use(hal_graphics_composer_default)
 allow hal_graphics_composer self:netlink_kobject_uevent_socket read;
 allow hal_graphics_composer sysfs:file { getattr open read };
-allow hal_graphics_composer sysfs_surfaceflinger:file { open read write };
-allow hal_graphics_composer video_device:chr_file { ioctl open read write };
-allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow hal_graphics_composer_default sysfs_system_soc:file { getattr open read };
diff --git a/sepolicy/hal_memtrack_default.te b/sepolicy/hal_memtrack_default.te
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
@@ -1,6 +1,4 @@
 #============= hal_sensors_default ==============
-allow hal_sensors_default input_device:dir r_dir_perms;
-allow hal_sensors_default input_device:chr_file r_file_perms;
 allow hal_sensors_default sysfs_als:file rw_file_perms;
 allow hal_sensors_default sysfs_bus_i2c:dir { open read search };
 allow hal_sensors_default sysfs_bus_i2c:lnk_file read;

diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
@@ -3,12 +3,12 @@ type hci_attach_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
 
+set_prop(hci_attach, bluetooth_prop)
 set_prop(hci_attach, wifi_prop)
 
 #============= hci_attach ==============
 allow hci_attach bluetooth_data_file:dir search;
 allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach hci_attach_exec:file execute_no_trans;
 allow hci_attach shell_exec:file { entrypoint getattr read };

diff --git a/sepolicy/init.te b/sepolicy/init.te
@@ -1,27 +1,23 @@
 #============= init ==============
 allow init camera_data_file:file getattr;
-allow init fm_device:chr_file write;
-allow init proc_filesystems:file getattr;
 allow init sysfs_batteryinfo:file { open setattr write };
 allow init sysfs_block_iosched:file write;
 allow init sysfs_bluetooth_control:file setattr;
 allow init sysfs_camera_torch:file setattr;
 allow init sysfs_cpu_boost:file { open setattr write };
 allow init sysfs_devices_system_cpu:file write;
 allow init sysfs_disk_polling:file { setattr write };
-allow init sysfs_fm_dl:file setattr;
+allow init sysfs_fm:file setattr;
 allow init sysfs_glove_mode:file { open setattr write };
 allow init sysfs_leds:file setattr;
-allow init sysfs_memory_ksm:file { open write };
 allow init sysfs_mhl:file setattr;
 allow init sysfs_power_control:file { open write };
 allow init sysfs_proximity_sensor:file setattr;
 allow init sysfs_sensors:file setattr;
-allow init sysfs_surfaceflinger:file setattr;
+allow init sysfs_graphics:file setattr;
 allow init sysfs_thermal:file { open setattr write };
 allow init sysfs_thermal_control:file { open write };
 allow init sysfs_usb:file write;
 allow init sysfs_wcnss_ssr:file { open setattr write };
 allow init sysfs_wlan_fwpath:file setattr;
-allow init tmpfs:lnk_file create;
 allow init wlan_device:chr_file write;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
@@ -1,9 +1,5 @@
-set_prop(mediaserver, camera_prop);
-
 #============= mediaserver ==============
 allow mediaserver audio_device:chr_file { ioctl open read write };
-allow mediaserver camera_data_file:dir create_dir_perms;
-allow mediaserver camera_data_file:file create_file_perms;
 allow mediaserver sensorservice_service:service_manager find;
 allow mediaserver sysfs_als:file { getattr open read write };
 allow mediaserver sysfs_batteryinfo:dir search;

diff --git a/sepolicy/netd.te b/sepolicy/netd.te
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
@@ -1,23 +1,3 @@
-type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
-
-init_daemon_domain(netmgrd)
-
-qmux_socket(netmgrd)
-
-set_prop(netmgrd, net_radio_prop)
-
-wakelock_use(netmgrd)
-
 #============= netmgrd ==============
 allow netmgrd diag_device:chr_file rw_file_perms;
-allow netmgrd netmgrd:capability { fsetid net_admin net_raw setgid setpcap setuid sys_module };
-allow netmgrd netmgrd:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netmgrd netmgrd:netlink_socket create_socket_perms_no_ioctl;
-allow netmgrd proc_net:file w_file_perms;
-allow netmgrd self:udp_socket create_socket_perms;
-allow netmgrd shell_exec:file rx_file_perms;
-allow netmgrd system_file:file x_file_perms;
-allow netmgrd toolbox_exec:file rx_file_perms;
-allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(netmgrd, net_data_file)
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
@@ -1,3 +1,2 @@
 #============= platform_app ==============
-allow platform_app nfc_service:service_manager find;
 allow platform_app sysfs_thermal:file { getattr open read };
diff --git a/sepolicy/property.te b/sepolicy/property.te
@@ -1,5 +1,2 @@
 # property service keys
-type camera_prop, property_type;
-type fm_prop, property_type;
 type updatemiscta_prop, property_type;
-type vendor_bluetooth_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
@@ -1,7 +1,4 @@
 # property service keys
 camera.0.                                                                         u:object_r:camera_prop:s0
 camera.1.                                                                         u:object_r:camera_prop:s0
-hw.fm.                                                                            u:object_r:fm_prop:s0
 persist.tareset.notfirstboot                                                      u:object_r:updatemiscta_prop:s0
-vendor.bluetooth.                                                                 u:object_r:bluetooth_prop:s0
-vendor.wc_transport.                                                              u:object_r:vendor_bluetooth_prop:s0