From 8936a7fda0586a3ffab487ff718354a1fc37f011 Mon Sep 17 00:00:00 2001
From: LuK1337
Date: Tue, 12 Feb 2019 15:50:09 +0100
Subject: [PATCH] sdm845-common: sepolicy: Copy over public_vendor_default_prop rules from qcom sepolicy

* This addresses many denials introduced by enabling vendor and system property isolation.
Change-Id: I24e04fc24be32698c7fdae4b28e90e9c20161a77
---
 sepolicy/private/domain.te | 2 ++
 sepolicy/private/property.te | 1 +
 sepolicy/private/property_contexts | 7 +++++++
 sepolicy/private/vendor_init.te | 3 +++
 4 files changed, 13 insertions(+)
 create mode 100644 sepolicy/private/domain.te
 create mode 100644 sepolicy/private/property_contexts
diff --git a/sepolicy/private/domain.te b/sepolicy/private/domain.te
new file mode 100644
index 0000000..bae6bf0
--- /dev/null
+++ b/sepolicy/private/domain.te
@@ -0,0 +1,2 @@
+# Allow domain to get public_vendor_default_prop
+get_prop(domain, public_vendor_default_prop)
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
index 028c77c..5118a31 100644
--- a/sepolicy/private/property.te
+++ b/sepolicy/private/property.te
@@ -1 +1,2 @@
+type public_vendor_default_prop, property_type;
 type vendor_camera_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..d415bb7
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,7 @@
+ro.vendor.graphics.memory u:object_r:public_vendor_default_prop:s0
+vendor.debug.egl.changepixelformat u:object_r:public_vendor_default_prop:s0
+vendor.debug.egl.profiler u:object_r:public_vendor_default_prop:s0
+vendor.debug.egl.swapinterval u:object_r:public_vendor_default_prop:s0
+vendor.debug.prerotation.disable u:object_r:public_vendor_default_prop:s0
+vendor.debug.rs. u:object_r:public_vendor_default_prop:s0
+vendor.dump.gpu.output u:object_r:public_vendor_default_prop:s0
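Review bot: `get_prop(domain, public_vendor_default_prop)` in domain.te grants read access to every domain, app domains included, rather than to the specific processes that produced the denials. The commit message says the rule is copied from the qcom sepolicy, so the breadth may be deliberate; judging only by the names labelled in property_contexts, these look like graphics debug knobs read by libraries loaded into many processes. If that is the reason, the comment should say so, e.g. `# Readable by all domains: graphics debug/tuning properties are read by client libraries in any process`; otherwise name the reading domains instead of `domain`. Either way, nothing device- or user-identifying should ever be stored under this label, since any process can read it.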
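Review bot: None of the seven property_contexts entries carries a match-kind column, so each is matched as a prefix, not only `vendor.debug.rs.`; `vendor.debug.egl.profiler`, for example, also labels any longer property name that begins with that string. This same patch makes the label readable by all domains (domain.te) and writable by vendor_init (vendor_init.te), so any name swept in by a prefix inherits both. Where a single property is meant, append `exact` and the value type after the context (the form `<name> u:object_r:public_vendor_default_prop:s0 exact <type>`), provided the target platform's property_contexts parser accepts those columns. Keep the bare prefix form only for `vendor.debug.rs.`.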
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
index 5387eda..1305c24 100644
--- a/sepolicy/private/vendor_init.te
+++ b/sepolicy/private/vendor_init.te
@@ -1,2 +1,5 @@
+# Allow vendor_init to set public_vendor_default_prop
+set_prop(vendor_init, public_vendor_default_prop)
+
 # Allow vendor_init to set vendor_camera_prop
 set_prop(vendor_init, vendor_camera_prop)