From 30246e8639ad4d3c776cb672a5ef7b723be82c26 Mon Sep 17 00:00:00 2001 
From: Adrian DC
Date: Sun, 18 Aug 2019 15:40:42 +0200
Subject: [PATCH] sepolicy: Clean sepolicies rules defined in qcom/sepolicy-legacy

* Also perform minor codestyle improvements

Change-Id: I264c3979d9a4fb97b6950ef299648b921de9f319
---
board/selinux.mk | 6 -----
sepolicy-lineage/mediaserver.te | 1 -
sepolicy/audioserver.te | 1 -
sepolicy/bluetooth.te | 1 -
sepolicy/device.te | 7 ------
sepolicy/domain.te | 1 -
sepolicy/file.te | 12 ---------
sepolicy/file_contexts | 41 +++----------------------------
sepolicy/fm_dl.te | 3 +--
sepolicy/genfs_contexts | 1 -
sepolicy/hal_bluetooth_default.te | 5 ----
sepolicy/hal_drm_default.te | 1 -
sepolicy/hal_graphics_composer.te | 4 ---
sepolicy/hal_memtrack_default.te | 5 ----
sepolicy/hal_sensors_default.te | 2 --
sepolicy/hci_attach.te | 2 +-
sepolicy/init.te | 8 ++----
sepolicy/ioctl_defines | 7 ------
sepolicy/ioctl_macros | 8 ------
sepolicy/irsc_util.te | 8 ------
sepolicy/mediaserver.te | 4 ---
sepolicy/netd.te | 1 -
sepolicy/netmgrd.te | 20 ---------------
sepolicy/platform_app.te | 1 -
sepolicy/property.te | 3 ---
sepolicy/property_contexts | 3 ---
sepolicy/qmuxd.te | 9 -------
sepolicy/rild.te | 4 ---
sepolicy/rmt.te | 17 -------------
sepolicy/rmt_storage.te | 4 +++
sepolicy/surfaceflinger.te | 2 --
sepolicy/system_app.te | 1 -
sepolicy/system_server.te | 6 -----
sepolicy/te_macros | 11 ---------
sepolicy/vndservice.te | 1 -
sepolicy/vndservice_contexts | 1 -
36 files changed, 12 insertions(+), 200 deletions(-)
delete mode 100644 sepolicy-lineage/mediaserver.te
delete mode 100644 sepolicy/bluetooth.te
delete mode 100644 sepolicy/domain.te
delete mode 100644 sepolicy/genfs_contexts
delete mode 100644 sepolicy/hal_bluetooth_default.te
delete mode 100644 sepolicy/hal_drm_default.te
delete mode 100644 sepolicy/hal_memtrack_default.te
delete mode 100644 sepolicy/ioctl_defines
delete mode 100644 sepolicy/ioctl_macros
delete mode 100644 sepolicy/irsc_util.te
delete mode 100644 sepolicy/netd.te
delete mode 100644
sepolicy/rmt.te
create mode 100644 sepolicy/rmt_storage.te
delete mode 100644 sepolicy/te_macros
delete mode 100644 sepolicy/vndservice.te
delete mode 100644 sepolicy/vndservice_contexts
diff --git a/board/selinux.mk b/board/selinux.mk
index 34b837dc..58b7c4b5 100644
--- a/board/selinux.mk
+++ b/board/selinux.mk
@@ -4,9 +4,3 @@ include device/qcom/sepolicy-legacy/sepolicy.mk
 # Device sepolicies
 BOARD_SEPOLICY_DIRS += \
 $(DEVICE_PATH)/sepolicy
-
-# LineageOS device sepolicies
-ifeq ($(BOARD_AOSP_BASED),)
-BOARD_SEPOLICY_DIRS += \
- $(DEVICE_PATH)/sepolicy-lineage
-endif
diff --git a/sepolicy-lineage/mediaserver.te b/sepolicy-lineage/mediaserver.te
deleted file mode 100644
index f2807dba..00000000
--- a/sepolicy-lineage/mediaserver.te
+++ /dev/null
@@ -1 +0,0 @@
-hal_client_domain(mediaserver, hal_lineage_camera_motor)
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
index 9f09a4b2..c2b25620 100644
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -1,3 +1,2 @@
 #============= audioserver ==============
 allow audioserver debugfs_asoc:dir { open read search };
-allow audioserver hal_power_hwservice:hwservice_manager find;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index f25c68b9..00000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(bluetooth, bluetooth_prop)
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 6bcdaf52..d46dbcd5 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,13 +1,6 @@
 # /dev/block partitions
-type bootloader_block_device, dev_type;
 type ltalabel_block_device, dev_type;
-type modem_block_device, dev_type;
 type trim_area_partition_device, dev_type;
 
 # /dev devices
-type diag_device, dev_type;
-type fm_device, dev_type;
-type qmuxd_socket, dev_type;
 type shared_log_device, dev_type;
-type smd_device, dev_type;
-type wlan_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
deleted file mode 100644
index 47ea634f..00000000
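Review bot: Dropping the `BOARD_AOSP_BASED` conditional also removes the only rule sepolicy-lineage held, `hal_client_domain(mediaserver, hal_lineage_camera_motor)` (deleted in the next file section), so on LineageOS builds mediaserver keeps that HAL client access only if qcom/sepolicy-legacy grants it. That is worth confirming before merge, because a missing hal_client_domain surfaces as a runtime hwservice_manager denial rather than a build error. If the legacy tree is the intended source, say so next to the remaining include: `# Device sepolicies (LineageOS-specific rules live in device/qcom/sepolicy-legacy)`.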
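Review bot: The type declarations removed from device.te are still consumed by rules this commit keeps: `diag_device` in netmgrd.te, qmuxd.te, rild.te and system_server.te, `qmuxd_socket` in qmuxd.te, `wlan_device` in init.te, `smd_device` in file_contexts and `modem_block_device` in the new rmt_storage.te. The commit message says they now come from qcom/sepolicy-legacy; if any one of them is not declared there, the whole policy fails to compile, so a pointer at the top of device.te would save the next reader a search: `# diag_device, modem_block_device, qmuxd_socket, smd_device and wlan_device are declared in device/qcom/sepolicy-legacy`. The same applies to the file.te hunk, where `sysfs_cpu_boost`, `sysfs_sensors` and `fm_data_file` are dropped while init.te, fm_dl.te, system_app.te and file_contexts keep using them, and where the newly referenced `sysfs_fm` and `sysfs_graphics` are declared nowhere in this tree.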
--- a/sepolicy/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow domain debugfs_kgsl:dir search;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 4f88778c..8850b0b0 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -4,35 +4,23 @@ type sysfs_block_iosched, fs_type, sysfs_type;
 type sysfs_bluetooth_control, fs_type, sysfs_type;
 type sysfs_bus_i2c, fs_type, sysfs_type;
 type sysfs_camera_torch, fs_type, sysfs_type;
-type sysfs_charger, fs_type, sysfs_type;
-type sysfs_cpu_boost, fs_type, sysfs_type;
 type sysfs_disk_polling, fs_type, sysfs_type;
-type sysfs_fm_dl, fs_type, sysfs_type;
 type sysfs_glove_mode, fs_type, sysfs_type;
 type sysfs_gpio, fs_type, sysfs_type;
 type sysfs_i2c_name, fs_type, sysfs_type;
 type sysfs_input_devices, fs_type, sysfs_type;
 type sysfs_lights_effects, fs_type, sysfs_type;
 type sysfs_mac_serial, fs_type, sysfs_type;
-type sysfs_memory_ksm, fs_type, sysfs_type;
 type sysfs_mhl, fs_type, sysfs_type;
-type sysfs_msmuart_file, fs_type, sysfs_type;
 type sysfs_power_control, fs_type, sysfs_type;
 type sysfs_proximity_sensor, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
-type sysfs_sensors, sysfs_type, fs_type;
-type sysfs_smdcntl_open_timeout, sysfs_type, fs_type;
-type sysfs_surfaceflinger, sysfs_type, fs_type;
 type sysfs_system_soc, fs_type, sysfs_type;
 type sysfs_thermal_control, fs_type, sysfs_type;
 type sysfs_wcnss_ssr, fs_type, sysfs_type;
 
 # debugfs
 type debugfs_asoc, debugfs_type, fs_type;
-type debugfs_kgsl, debugfs_type, fs_type;
 
 # /dev/socket
 type tad_socket, file_type;
-
-# /data
-type fm_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bfba0dbb..f2546190 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,5 +1,4 @@
 # /dev partitions
-/dev/block/mmcblk0 u:object_r:root_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/Cache u:object_r:cache_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/FOTAKernel u:object_r:recovery_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/LTALabel u:object_r:ltalabel_block_device:s0
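Review bot: Removing the `/dev/block/mmcblk0` entry changes the label of the whole-eMMC node, not just one partition: unless qcom/sepolicy-legacy labels it, it falls back to the platform's generic `/dev/block(/.*)?` entry, and the deleted rmt.te was the only domain in this tree whose `root_block_device` read access depended on it. Which label wins decides who can read the raw disk and its partition table, so please confirm the effective label on a built image (`ls -Z /dev/block/mmcblk0`) before relying on the legacy tree. If the legacy entry is the intended source, record it in the section comment: `# /dev partitions (mmcblk0 and the modem partitions are labelled by device/qcom/sepolicy-legacy)`.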
@@ -7,43 +6,24 @@
 /dev/block/platform/msm_sdcc\.1/by-name/TA u:object_r:trim_area_partition_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/Userdata u:object_r:userdata_block_device:s0
 /dev/block/platform/msm_sdcc\.1/by-name/apps_log u:object_r:misc_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/modemst2 u:object_r:modem_block_device:s0
-/dev/block/zram0 u:object_r:swap_block_device:s0
 
 # /dev devices
-/dev/diag u:object_r:diag_device:s0
 /dev/gemini.* u:object_r:video_device:s0
-/dev/kgsl-3d0 u:object_r:gpu_device:s0
-/dev/media([0-9])+ u:object_r:video_device:s0
 /dev/msm_acdb u:object_r:audio_device:s0
-/dev/msm_camera(/.*)? u:object_r:video_device:s0
-/dev/msm_rotator u:object_r:video_device:s0
 /dev/msm_vidc.* u:object_r:video_device:s0
 /dev/msm_vpe_standalone u:object_r:video_device:s0
-/dev/qseecom u:object_r:tee_device:s0
-/dev/radio0 u:object_r:fm_device:s0
 /dev/smd2 u:object_r:hci_attach_dev:s0
 /dev/smd3 u:object_r:hci_attach_dev:s0
 /dev/smd([0-9])+ u:object_r:smd_device:s0
 /dev/smdcntl[0-7] u:object_r:radio_device:s0
-/dev/smem_log u:object_r:shared_log_device:s0
-/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)? u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_nfc(/.*)?
u:object_r:qmuxd_socket:s0
 /dev/socket/tad u:object_r:tad_socket:s0
-/dev/v4l-subdev.* u:object_r:video_device:s0
-/dev/wcnss_wlan u:object_r:wlan_device:s0
 
 # /system
 /system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
 /system/bin/irsc_util u:object_r:irsc_util_exec:s0
 /system/bin/netmgrd u:object_r:netmgrd_exec:s0
 /system/bin/qmuxd u:object_r:qmuxd_exec:s0
-/system/bin/rmt_storage u:object_r:rmt_exec:s0
+/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
 /system/bin/secchand u:object_r:secchand_exec:s0
 /system/bin/ta_qmi_service u:object_r:ta_qmi_service_exec:s0
 /system/bin/updatemiscta u:object_r:updatemiscta_exec:s0
@@ -63,8 +43,6 @@
 /sys/bus/i2c(/.*)? u:object_r:sysfs_bus_i2c:s0
 /sys/class/gpio(/.*)? u:object_r:sysfs_gpio:s0
 /sys/class/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0
-/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
-/sys/class/uio(/.*)? u:object_r:sysfs_rmtfs:s0
 /sys/devices/i2c-3/3-0024/main_ttsp_core.cyttsp4_i2c_adapter/finger_threshold u:object_r:sysfs_glove_mode:s0
 /sys/devices/i2c-3/3-0024/main_ttsp_core.cyttsp4_i2c_adapter/signal_disparity u:object_r:sysfs_glove_mode:s0
 /sys/devices/i2c-10/10-0039/mhl/sii8334(/.*)? u:object_r:sysfs_mhl:s0
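Review bot: The three `modem_block_device` entries for fsg, modemst1 and modemst2 are removed while the new rmt_storage.te still grants `modem_block_device:blk_file rw_file_perms`; these by-name paths sit under the device-specific `msm_sdcc\.1` prefix, so a generic entry in qcom/sepolicy-legacy may well not match them. If nothing matches, the nodes fall back to the platform's generic block_device label, rmt_storage is denied, and the modem storage partitions end up sharing a label with every other unlisted block node. Please confirm the legacy file_contexts carries an entry for this path prefix, or keep the three lines here with a comment saying why. The same question applies to `/sys/class/uio(/.*)? u:object_r:sysfs_rmtfs:s0`, dropped in the following hunk while `r_dir_file(rmt_storage, sysfs_rmtfs)` is added and `type sysfs_rmtfs` stays in file.te.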
@@ -115,21 +93,13 @@
 /sys/devices/platform/wcnss_wlan.0/wcnss_mac_addr u:object_r:sysfs_mac_address:s0
 /sys/devices/system/soc/soc0/hw_platform u:object_r:sysfs_system_soc:s0
 /sys/devices/system/soc/soc0/id u:object_r:sysfs_system_soc:s0
-/sys/devices/virtual/graphics/fb([0-2])+/hpd u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/format_3d u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/msm_fb_fps_level u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/product_description u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/vendor_name u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb([0-2])+/video_mode u:object_r:sysfs_surfaceflinger:s0
+/sys/devices/virtual/graphics/fb([0-3])+/format_3d u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_fps_level u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/graphics/fb([0-3])+/video_mode u:object_r:sysfs_graphics:s0
 /sys/devices/virtual/input u:object_r:sysfs_input_devices:s0
-/sys/devices/virtual/smdpkt/smdcntl([0-9])+/open_timeout u:object_r:sysfs_smdcntl_open_timeout:s0
-/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/devices/virtual/timed_output/vibrator/level u:object_r:sysfs_vibrator:s0
-/sys/kernel/mm/ksm(/.*)? u:object_r:sysfs_memory_ksm:s0
 /sys/module/cpu_boost/parameters(/.*)? u:object_r:sysfs_cpu_boost:s0
-/sys/module/msm_serial_hs/parameters/debug_mask u:object_r:sysfs_msmuart_file:s0
 /sys/module/hci_smd/parameters/hcismd_set u:object_r:sysfs_bluetooth_control:s0
-/sys/module/msm_thermal/core_control/cpus_offlined u:object_r:sysfs_thermal_control:s0
 /sys/module/msm_thermal/core_control/enabled u:object_r:sysfs_thermal_control:s0
 /sys/module/msm_thermal/parameters/enabled u:object_r:sysfs_thermal_control:s0
 /sys/module/pm_8x60/modes/cpu([0-1])+/power_collapse/idle_enabled u:object_r:sysfs_power_control:s0
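Review bot: The three added entries use `fb([0-3])+`, which matches `fb0`–`fb3` but also `fb00`, `fb31`, `fb123` and so on, because the `+` repeats the whole group rather than bounding a single digit; the pre-existing `smd([0-9])+` and `cpu([0-1])+` context lines have the same shape. Since a framebuffer index is a single digit here, `fb[0-3]` is the precise form: `/sys/devices/virtual/graphics/fb[0-3]/format_3d u:object_r:sysfs_graphics:s0` (likewise for msm_fb_fps_level and video_mode). Over-broad sysfs regexes are usually harmless, but init gets setattr on `sysfs_graphics` in init.te, so tightening now avoids labelling unrelated nodes if more framebuffer entries ever appear. Note also that the hpd, product_description and vendor_name nodes lose their specific label entirely and revert to plain sysfs; if that is deliberate, a short comment above the three lines would stop someone "restoring" them later.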
@@ -138,7 +108,6 @@
 /sys/module/pm_8x60/modes/cpu([0-1])+/standalone_power_collapse/idle_enabled u:object_r:sysfs_power_control:s0
 /sys/module/pm_8x60/modes/cpu([0-1])+/standalone_power_collapse/suspend_enabled u:object_r:sysfs_power_control:s0
 /sys/module/pm8921_charger/parameters(/.*)? u:object_r:sysfs_batteryinfo:s0
-/sys/module/radio_iris_transport/parameters/fmsmd_set u:object_r:sysfs_fm_dl:s0
 /sys/module/rpm_resources/enable_low_power(/.*)? u:object_r:sysfs_power_control:s0
 /sys/module/wcnss_ssr_8960/parameters/enable_riva_ssr u:object_r:sysfs_wcnss_ssr:s0
 
@@ -146,9 +115,7 @@
 /sys/kernel/debug/asoc(/.*)? u:object_r:debugfs_asoc:s0
 
 # /data
-/data/camera(/.*)? u:object_r:camera_data_file:s0
 /data/etc/flashled_vf_factory u:object_r:camera_data_file:s0
-/data/misc/fm(/.*)? u:object_r:fm_data_file:s0
 
 # /
 /tombstones u:object_r:rootfs:s0
diff --git a/sepolicy/fm_dl.te b/sepolicy/fm_dl.te
index 2ae9670a..9b6f87f8 100644
--- a/sepolicy/fm_dl.te
+++ b/sepolicy/fm_dl.te
@@ -8,8 +8,7 @@ set_prop(fm_dl, fm_prop)
 #============= fm_dl ==============
 allow fm_dl fm_data_file:dir ra_dir_perms;
 allow fm_dl fm_data_file:file create_file_perms;
-allow fm_dl fm_device:chr_file r_file_perms;
 allow fm_dl shell_exec:file { entrypoint getattr read };
-allow fm_dl sysfs_fm_dl:file w_file_perms;
+allow fm_dl sysfs_fm:file w_file_perms;
 allow fm_dl system_file:file execute_no_trans;
 allow fm_dl toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
deleted file mode 100644
index ff1d4cd6..00000000
--- a/sepolicy/genfs_contexts
+++ /dev/null
@@ -1 +0,0 @@
-genfscon debugfs /kgsl/proc u:object_r:debugfs_kgsl:s0
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
deleted file mode 100644
index 6154dc50..00000000
--- a/sepolicy/hal_bluetooth_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-set_prop(hal_bluetooth_default, vendor_bluetooth_prop)
-
-#============= hal_bluetooth_default ==============
-allow hal_bluetooth_default bluetooth_data_file:dir search;
-allow hal_bluetooth_default bluetooth_data_file:file { open read };
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
deleted file mode 100644
index 0acbc0d4..00000000
--- a/sepolicy/hal_drm_default.te
+++ /dev/null
@@ -1 +0,0 @@
-vndbinder_use(hal_drm_default)
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
index c37ab425..6b598106 100644
--- a/sepolicy/hal_graphics_composer.te
+++ b/sepolicy/hal_graphics_composer.te
@@ -2,8 +2,4 @@ vndbinder_use(hal_graphics_composer_default)
 
 allow hal_graphics_composer self:netlink_kobject_uevent_socket read;
 allow hal_graphics_composer sysfs:file { getattr open read };
-allow hal_graphics_composer sysfs_surfaceflinger:file { open read write };
-allow hal_graphics_composer video_device:chr_file { ioctl open read write };
-allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow hal_graphics_composer_default sysfs_system_soc:file { getattr open read };
diff --git a/sepolicy/hal_memtrack_default.te b/sepolicy/hal_memtrack_default.te
deleted file mode 100644
index 9ba6df4b..00000000
--- a/sepolicy/hal_memtrack_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#============= hal_memtrack_default ==============
-allow hal_memtrack_default surfaceflinger:file read;
-dontaudit hal_memtrack_default { domain -surfaceflinger }:dir search;
-dontaudit hal_memtrack_default { domain -surfaceflinger }:file { open read getattr };
-r_dir_file(hal_memtrack_default, debugfs_kgsl);
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 085dee1e..9eb001fd 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1,6 +1,4 @@
 #============= hal_sensors_default ==============
-allow hal_sensors_default input_device:dir r_dir_perms;
-allow hal_sensors_default input_device:chr_file r_file_perms;
 allow hal_sensors_default sysfs_als:file rw_file_perms;
 allow hal_sensors_default sysfs_bus_i2c:dir { open read search };
 allow hal_sensors_default sysfs_bus_i2c:lnk_file read;
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
index b3db9e18..82f14880 100644
--- a/sepolicy/hci_attach.te
+++ b/sepolicy/hci_attach.te
@@ -3,12 +3,12 @@ type hci_attach_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(hci_attach)
 
+set_prop(hci_attach, bluetooth_prop)
 set_prop(hci_attach, wifi_prop)
 
 #============= hci_attach ==============
 allow hci_attach bluetooth_data_file:dir search;
 allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
 allow hci_attach hci_attach_dev:chr_file rw_file_perms;
 allow hci_attach hci_attach_exec:file execute_no_trans;
 allow hci_attach shell_exec:file { entrypoint getattr read };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 2e88eddf..3c5d8312 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,7 +1,5 @@
 #============= init ==============
 allow init camera_data_file:file getattr;
-allow init fm_device:chr_file write;
-allow init proc_filesystems:file getattr;
 allow init sysfs_batteryinfo:file { open setattr write };
 allow init sysfs_block_iosched:file write;
 allow init sysfs_bluetooth_control:file setattr;
@@ -9,19 +7,17 @@ allow init sysfs_camera_torch:file setattr;
 allow init sysfs_cpu_boost:file { open setattr write };
 allow init sysfs_devices_system_cpu:file write;
 allow init sysfs_disk_polling:file { setattr write };
-allow init sysfs_fm_dl:file setattr;
+allow init sysfs_fm:file setattr;
 allow init sysfs_glove_mode:file { open setattr write };
 allow init sysfs_leds:file setattr;
-allow init sysfs_memory_ksm:file { open write };
 allow init sysfs_mhl:file setattr;
 allow init sysfs_power_control:file { open write };
 allow init sysfs_proximity_sensor:file setattr;
 allow init sysfs_sensors:file setattr;
-allow init sysfs_surfaceflinger:file setattr;
+allow init sysfs_graphics:file setattr;
 allow init sysfs_thermal:file { open setattr write };
 allow init sysfs_thermal_control:file { open write };
 allow init sysfs_usb:file write;
 allow init sysfs_wcnss_ssr:file { open setattr write };
 allow init sysfs_wlan_fwpath:file setattr;
-allow init tmpfs:lnk_file create;
 allow init wlan_device:chr_file write;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
deleted file mode 100644
index 93a833d8..00000000
--- a/sepolicy/ioctl_defines
+++ /dev/null
@@ -1,7 +0,0 @@
-# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
-define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
-define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
-define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
-define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
-define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
-define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
deleted file mode 100644
index dd9a2e86..00000000
--- a/sepolicy/ioctl_macros
+++ /dev/null
@@ -1,8 +0,0 @@
-define(`msm_sock_ipc_ioctls', `{
-IPC_ROUTER_IOCTL_GET_VERSION
-IPC_ROUTER_IOCTL_GET_MTU
-IPC_ROUTER_IOCTL_LOOKUP_SERVER
-IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
-IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
-IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
-}')
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
deleted file mode 100644
index 799d3773..00000000
--- a/sepolicy/irsc_util.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type irsc_util, domain;
-type irsc_util_exec, exec_type, file_type;
-
-init_daemon_domain(irsc_util)
-
-#============= irsc_util ==============
-allow irsc_util self:socket create_socket_perms;
-allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index b8ab5924..f0cd448f 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,9 +1,5 @@
-set_prop(mediaserver, camera_prop);
-
 #============= mediaserver ==============
 allow mediaserver audio_device:chr_file { ioctl open read write };
-allow mediaserver camera_data_file:dir create_dir_perms;
-allow mediaserver camera_data_file:file create_file_perms;
 allow mediaserver sensorservice_service:service_manager find;
 allow mediaserver sysfs_als:file { getattr open read write };
 allow mediaserver sysfs_batteryinfo:dir search;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
deleted file mode 100644
index 2b002ec9..00000000
--- a/sepolicy/netd.te
+++ /dev/null
@@ -1 +0,0 @@
-dontaudit netd self:capability sys_module;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 2dc66a0d..20f3ad42 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,23 +1,3 @@
-type netmgrd, domain;
-type netmgrd_exec, exec_type, file_type;
-
-init_daemon_domain(netmgrd)
-
-qmux_socket(netmgrd)
-
-set_prop(netmgrd, net_radio_prop)
-
-wakelock_use(netmgrd)
-
 #============= netmgrd ==============
 allow netmgrd diag_device:chr_file rw_file_perms;
-allow netmgrd netmgrd:capability { fsetid net_admin net_raw setgid setpcap setuid sys_module };
-allow netmgrd netmgrd:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netmgrd netmgrd:netlink_socket create_socket_perms_no_ioctl;
-allow netmgrd proc_net:file w_file_perms;
-allow netmgrd self:udp_socket create_socket_perms;
-allow netmgrd shell_exec:file rx_file_perms;
-allow netmgrd system_file:file x_file_perms;
-allow netmgrd toolbox_exec:file rx_file_perms;
-allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 r_dir_file(netmgrd, net_data_file)
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 01de4d82..aac66a6f 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,3 +1,2 @@
 #============= platform_app ==============
-allow platform_app nfc_service:service_manager find;
 allow platform_app sysfs_thermal:file { getattr open read };
diff --git a/sepolicy/property.te b/sepolicy/property.te
index bcb9d70c..054ad5e9 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -1,5 +1,2 @@
 # property service keys
-type camera_prop, property_type;
-type fm_prop, property_type;
 type updatemiscta_prop, property_type;
-type vendor_bluetooth_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 846c8b7e..68e728e1 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -1,7 +1,4 @@
 # property service keys
 camera.0. u:object_r:camera_prop:s0
 camera.1. u:object_r:camera_prop:s0
-hw.fm. u:object_r:fm_prop:s0
 persist.tareset.notfirstboot u:object_r:updatemiscta_prop:s0
-vendor.bluetooth. u:object_r:bluetooth_prop:s0
-vendor.wc_transport. u:object_r:vendor_bluetooth_prop:s0
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
index 1adc0f03..dc4ac023 100644
--- a/sepolicy/qmuxd.te
+++ b/sepolicy/qmuxd.te
@@ -1,14 +1,5 @@
-type qmuxd, domain;
-type qmuxd_exec, exec_type, file_type;
-
-init_daemon_domain(qmuxd)
-
-wakelock_use(qmuxd)
-
 #============= qmuxd ==============
 allow qmuxd diag_device:chr_file rw_file_perms;
 allow qmuxd qmuxd_socket:dir w_dir_perms;
 allow qmuxd qmuxd_socket:sock_file create_file_perms;
 allow qmuxd radio_device:chr_file rw_file_perms;
-allow qmuxd self:socket create_socket_perms_no_ioctl;
-allow qmuxd sysfs_smdcntl_open_timeout:file rw_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 3da635d0..ba8f31d2 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,7 +1,3 @@
-qmux_socket(rild)
-
 #============= rild ==============
 allow rild diag_device:chr_file rw_file_perms;
 allow rild proc_cmdline:file { getattr open read };
-allow rild self:socket ioctl;
-allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
deleted file mode 100644
index 70892a73..00000000
--- a/sepolicy/rmt.te
+++ /dev/null
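Review bot: Removing `hw.fm.` and `vendor.bluetooth.` from property_contexts leaves nothing in this tree mapping any property prefix to `fm_prop` or `bluetooth_prop`, while `set_prop(fm_dl, fm_prop)`, `set_prop(system_app, fm_prop)` and the new `set_prop(hci_attach, bluetooth_prop)` in hci_attach.te still depend on those labels. If qcom/sepolicy-legacy does not label the same prefixes, the properties fall back to the catch-all `default_prop` and each of those domains is denied the set at runtime — a silent functional regression rather than a build failure. Please confirm the legacy property_contexts covers both prefixes, or keep the two lines here; either way a one-line comment naming where the labels come from would help: `# fm_prop and bluetooth_prop prefixes are labelled by device/qcom/sepolicy-legacy`.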
@@ -1,17 +0,0 @@
-type rmt, domain;
-type rmt_exec, exec_type, file_type;
-
-init_daemon_domain(rmt)
-
-wakelock_use(rmt)
-
-#============= rmt ==============
-allow rmt block_device:dir r_dir_perms;
-allow rmt modem_block_device:blk_file rw_file_perms;
-allow rmt root_block_device:blk_file r_file_perms;
-allow rmt self:capability { setgid setuid };
-allow rmt self:socket create_socket_perms;
-allow rmt shared_log_device:chr_file rw_file_perms;
-allow rmt uio_device:chr_file rw_file_perms;
-allowxperm rmt self:socket ioctl msm_sock_ipc_ioctls;
-r_dir_file(rmt, sysfs_rmtfs)
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 00000000..cee7ab94
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1,4 @@
+#============= rmt_storage ==============
+allow rmt_storage modem_block_device:blk_file rw_file_perms;
+allow rmt_storage shared_log_device:chr_file rw_file_perms;
+r_dir_file(rmt_storage, sysfs_rmtfs)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index b822eee5..f096241a 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,4 +1,2 @@
 #============= surfaceflinger ==============
-allow surfaceflinger qdisplay_service:service_manager { add find };
-allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
 allow surfaceflinger sysfs_thermal:file { getattr open read };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index f02e94d9..ce585b6f 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -2,6 +2,5 @@ set_prop(system_app, fm_prop)
 
 #============= system_app ==============
 allow system_app fm_data_file:file r_file_perms;
-allow system_app fm_device:chr_file r_file_perms;
 allow system_app selinuxfs:file { open read };
 allow system_app sysfs_glove_mode:file { getattr open write };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 2c30d5da..f415f427 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
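Review bot: The new rmt_storage.te grants `rmt_storage` read/write on raw modem partitions and the shared log device but declares neither the domain nor `rmt_storage_exec` (the label file_contexts now assigns to /system/bin/rmt_storage), nor an init transition, so all three must come from qcom/sepolicy-legacy and nothing in the file says so. A header comment would make that dependency explicit: `# rmt_storage domain, rmt_storage_exec and its init_daemon_domain() are defined in device/qcom/sepolicy-legacy; only device-specific rules live here.` The deleted rmt.te also carried `uio_device:chr_file rw_file_perms` and `self:socket create_socket_perms` with the IPC-router ioctl whitelist; if the legacy domain lacks equivalents, rmtfs is denied at boot rather than over-permitted, which is the safer failure but still worth a denial check on first boot.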
@@ -1,13 +1,7 @@
-qmux_socket(system_server)
-
 #============= system_server ==============
 allow system_server diag_device:chr_file rw_file_perms;
 allow system_server graphics_device:chr_file { ioctl open read write };
-allow system_server graphics_device:dir search;
 allow system_server mediaserver:process sigkill;
-allow system_server self:socket ioctl;
 allow system_server sysfs_als:file write;
 allow system_server sysfs_glove_mode:file rw_file_perms;
 allow system_server sysfs_proximity_sensor:file write;
-allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
-r_dir_file(system_server, debugfs_kgsl);
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
deleted file mode 100644
index 485bfb7d..00000000
--- a/sepolicy/te_macros
+++ /dev/null
@@ -1,11 +0,0 @@
-#####################################
-# qmux_socket(clientdomain)
-# Allow client domain to connecto and send
-# via a local socket to the qmux domain.
-# Also allow the client domain to remove
-# its own socket.
-define(`qmux_socket', `
-allow $1 qmuxd_socket:dir create_dir_perms;
-unix_socket_connect($1, qmuxd, qmuxd)
-allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
-')
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
deleted file mode 100644
index c272cbcf..00000000
--- a/sepolicy/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type qdisplay_service, vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
deleted file mode 100644
index 2b9cf7fc..00000000
--- a/sepolicy/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-display.qservice u:object_r:qdisplay_service:s0