From eaa9bbce92292afc441b00fb406050851285a187 Mon Sep 17 00:00:00 2001
From: Luca Stefani
Date: Sun, 3 Feb 2019 11:54:04 +0100
Subject: [PATCH] sdm845-common: Fix neverallows
Change-Id: I9a73f72b9c5c01afbaf6c2f960c7e25ca923d90c
---
sepolicy/private/file.te | 2 +-
sepolicy/private/genfs_contexts | 4 ++--
sepolicy/private/hal_light_sdm845.te | 17 +++++++++++++++--
sepolicy/private/init.te | 5 ++++-
sepolicy/private/system_server.te | 2 +-
5 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
index 5a9a4fb..5d49fae 100644
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@@ -5,7 +5,7 @@ type op1_file, file_type;
 type op2_file, file_type;
 type persist_file, file_type;
 type proc_touchpanel, fs_type;
-type sysfs_livedisplay, sysfs_type, fs_type;
 type sysfs_fpc_proximity, sysfs_type, fs_type;
 type sysfs_oem, sysfs_type, fs_type;
+type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_battery_supply, sysfs_type, fs_type;
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
index f96e494..ccce21b 100644
--- a/sepolicy/private/genfs_contexts
+++ b/sepolicy/private/genfs_contexts
@@ -1,4 +1,4 @@
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@18/hbm u:object_r:sysfs_livedisplay:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@18/display_mode u:object_r:sysfs_livedisplay:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@18/hbm u:object_r:sysfs_livedisplay_tuneable:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@18/display_mode u:object_r:sysfs_livedisplay_tuneable:s0
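Review bot: The new `sysfs_graphics` type declared in this hunk is not applied to any path by this patch — the genfs_contexts change only relabels the hbm/display_mode nodes — so the `allow` rules that hal_light_sdm845.te and init.te grant on `sysfs_graphics` match no inode until a `genfscon sysfs <path> u:object_r:sysfs_graphics:s0` entry exists (possibly in a file outside this diff; worth confirming in the same tree). Until that entry lands, the nodes init is expected to chown keep their default sysfs label and the narrowed init rule will surface as AVC denials at boot rather than as a build error. A comment next to the declaration would make the coupling visible, e.g. `# Must be assigned to the display sysfs nodes in genfs_contexts; referenced by init.te and hal_light_sdm845.te`.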
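Review bot: `sysfs_livedisplay_tuneable`, which both rewritten genfscon lines now use, is not declared anywhere in this patch while the device-local `sysfs_livedisplay` it replaces is removed from file.te, so the policy only compiles if that type comes from the shared policy this tree builds against (presumably the common Lineage sepolicy; confirm rather than assume). Moving hbm and display_mode onto a shared type also means every domain the shared policy grants `sysfs_livedisplay_tuneable` access to can now write these two nodes, not only the domains this tree names explicitly; that is a reasonable trade-off for LiveDisplay, but it should be recorded, e.g. `# Shared LiveDisplay type: any domain with sysfs_livedisplay_tuneable rw can drive hbm/display_mode`.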
diff --git a/sepolicy/private/hal_light_sdm845.te b/sepolicy/private/hal_light_sdm845.te
index 20e0d9c..361f687 100644
--- a/sepolicy/private/hal_light_sdm845.te
+++ b/sepolicy/private/hal_light_sdm845.te
@@ -1,7 +1,20 @@
 type hal_light_sdm845, coredomain, domain;
-hal_server_domain(hal_light_sdm845, hal_light)
+
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+typeattribute hal_light_sdm845 halserverdomain;
+typeattribute hal_light_sdm845 hal_light_server;
+
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
 type hal_light_sdm845_exec, exec_type, file_type;
 init_daemon_domain(hal_light_sdm845)
-allow hal_light_sdm845 sysfs_oem:file rw_file_perms;
+allow hal_light_sdm845 { sysfs_graphics sysfs_oem }:lnk_file read;
+allow hal_light_sdm845 { sysfs_graphics sysfs_oem }:file rw_file_perms;
+allow hal_light_sdm845 { sysfs_graphics sysfs_leds sysfs_oem }:dir r_dir_perms;
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
index 463e759..03cbeab 100644
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@@ -5,4 +5,7 @@ allow init vendor_file:file mounton; allow init vendor_configs_file:file mounton;
 # Allow init to chown/chmod on pseudo files in /sys
-allow init sysfs_type:file { open read setattr };
+allow init {
+ sysfs_fpc_proximity
+ sysfs_graphics
+}:file { open read setattr };
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
index b0c8a62..27db71c 100644
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
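Review bot: The hand-expanded block at the top of the hunk is `hal_server_domain()` minus its `typeattribute hal_light_sdm845 hal_light;` line plus a copy of the HwBinder client/server rules, but the comment carried over from the macro does not say the omission is deliberate and the commit message only says "fix neverallows", so a later maintainer is likely to fold it back into `hal_server_domain(hal_light_sdm845, hal_light)` and re-trigger the denial. Replace the first comment with one that names the reason, e.g. `# Expanded hal_server_domain() WITHOUT the hal_light attribute: giving it to this coredomain domain hits a neverallow, so only the hwbinder client/server rules are reproduced here` (adjust to the exact neverallow this commit fixes). Dropping the attribute also drops whatever rules upstream attaches to `hal_light` itself; the new rules grant only `dir r_dir_perms` on `sysfs_leds`, so if this HAL writes LED brightness nodes it additionally needs `allow hal_light_sdm845 sysfs_leds:file rw_file_perms;` and `allow hal_light_sdm845 sysfs_leds:lnk_file read;` — check the audit log on a device with a notification LED. The hunk covers the whole file, so nothing relevant lies outside it.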
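Review bot: Narrowing init's `setattr` from the whole `sysfs_type` attribute to `{ sysfs_fpc_proximity sysfs_graphics }` is the right least-privilege direction, but it is only correct if every `chown`/`chmod` on a /sys path in this tree's init rc files targets a node carrying one of those two labels; any other node previously covered by the broad attribute — including any `sysfs_graphics` node for which no genfscon entry exists yet, since this patch adds none — now fails with an AVC denial at boot instead of a build error, which is easy to miss in review. The comment above the rule should say which rc lines it serves so the set can be audited, e.g. `# Allow init to chown/chmod the FPC proximity and display sysfs nodes touched by init.*.rc; add a type here only together with its genfs_contexts entry`. Whether the two `allow init … mounton;` lines at the start of the hunk are context or hunk-header text cannot be told from the collapsed source, so the rule's surroundings should be checked in the file itself.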
@@ -1,2 +1,2 @@
 # Allow access to LiveDisplay tuning nodes
-allow system_server sysfs_livedisplay:file rw_file_perms;
+allow system_server sysfs_livedisplay_tuneable:file rw_file_perms;