From 3e93f804b6ffcb73669e68456b28e829d984661b Mon Sep 17 00:00:00 2001 From: Isaac Chen Date: Mon, 7 May 2018 17:35:48 +0200 Subject: [PATCH] msm8937-common: sepolicy: Initial O denial Signed-off-by: Isaac Chen --- .../fingerprintd/IFingerprintDaemon.cpp | 2 +- sepolicy/camera.te | 1 + sepolicy/file.te | 1 - sepolicy/file_contexts | 8 +++---- sepolicy/fingerprintd.te | 12 ----------- sepolicy/fsck.te | 2 ++ sepolicy/gx_fpd.te | 6 +++--- sepolicy/hal_camera_default.te | 1 + sepolicy/hal_fingerprint_default.te | 21 +++++++++++++++++++ sepolicy/netmgrd.te | 3 --- sepolicy/qti_init_shell.te | 1 + sepolicy/rild.te | 1 + sepolicy/service_contexts | 1 + 13 files changed, 36 insertions(+), 24 deletions(-) create mode 100644 sepolicy/camera.te delete mode 100644 sepolicy/fingerprintd.te create mode 100644 sepolicy/hal_camera_default.te create mode 100644 sepolicy/hal_fingerprint_default.te delete mode 100644 sepolicy/netmgrd.te create mode 100644 sepolicy/rild.te diff --git a/biometrics/fingerprintd/IFingerprintDaemon.cpp b/biometrics/fingerprintd/IFingerprintDaemon.cpp index 64c4093..ef511b7 100644 --- a/biometrics/fingerprintd/IFingerprintDaemon.cpp +++ b/biometrics/fingerprintd/IFingerprintDaemon.cpp @@ -329,6 +329,6 @@ class BpFingerprintDaemon : public BpInterface { } }; -IMPLEMENT_META_INTERFACE(FingerprintDaemon, "android.hardware.fingerprint.IFingerprintDaemon"); +IMPLEMENT_META_INTERFACE(FingerprintDaemon, "android.hardware.fingerprint.IFingerprintCustomDaemon"); }; // namespace android diff --git a/sepolicy/camera.te b/sepolicy/camera.te new file mode 100644 index 0000000..a5e8de9 --- /dev/null +++ b/sepolicy/camera.te @@ -0,0 +1 @@ +allow mm-qcamerad { sysfs sysfs_graphics }:file r_file_perms; diff --git a/sepolicy/file.te b/sepolicy/file.te index abf3166..95f4577 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,5 +1,4 @@ type fpc_data_file, file_type, data_file_type; type fpce_socket, file_type; type fpc_sysfs, fs_type, sysfs_type; -type netmgrd_data_file, file_type; type gx_fpd_data_file, file_type, data_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 24c764e..7934d2d 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -5,9 +5,6 @@ /dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0 /dev/block/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0 -# Data files -/data/misc/netmgr/log\.txt u:object_r:netmgrd_data_file:s0 - # Fpc Fingerprint /data/fpc(/.*)? u:object_r:fpc_data_file:s0 /dev/socket/fpce(/.*)? u:object_r:fpce_socket:s0 @@ -17,7 +14,7 @@ /dev/gf66xx-spi u:object_r:gx_fpd_device:s0 /dev/ttyACM[0-9]* u:object_r:gx_fpd_device:s0 /dev/goodix_fp* u:object_r:gx_fpd_device:s0 -/system/bin/gx_fpd u:object_r:gx_fpd_exec:s0 +/(vendor|system/vendor)/bin/gx_fpd u:object_r:gx_fpd_exec:s0 # Goodix Fingerprint data /data/system/fingerprint(/.*)? u:object_r:gx_fpd_data_file:s0 @@ -25,3 +22,6 @@ # Ir /dev/lirc[0-9]* u:object_r:lirc_device:s0 + +# Light +/sys/devices/soc/78b6000\.i2c/i2c-2/2-[0-9a-f]+/leds(/.*)? u:object_r:sysfs_leds:s0 diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te deleted file mode 100644 index 96123e0..0000000 --- a/sepolicy/fingerprintd.te +++ /dev/null @@ -1,12 +0,0 @@ -allow fingerprintd gx_fpd:binder { transfer call }; -allow fingerprintd gx_fpd_service:service_manager find; -allow fingerprintd fingerprint_service:service_manager find; -allow fingerprintd fpc_sysfs:file rw_file_perms; -allow fingerprintd fpc_sysfs:dir rw_dir_perms; -allow fingerprintd tee_device:chr_file rw_file_perms; -allow fingerprintd uhid_device:chr_file rw_file_perms; -allow fingerprintd fpc_data_file:dir rw_dir_perms; -allow fingerprintd fpc_data_file:sock_file create_file_perms; -allow fingerprintd storage_file:dir search; -set_prop(fingerprintd, system_prop) -r_dir_file(fingerprintd, firmware_file) diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te index 1500b5f..3b22259 100644 --- a/sepolicy/fsck.te +++ b/sepolicy/fsck.te @@ -1 +1,3 @@ allow fsck persist_block_device:blk_file rw_file_perms; + +dontaudit fsck block_device:blk_file rw_file_perms; diff --git a/sepolicy/gx_fpd.te b/sepolicy/gx_fpd.te index 78e02b5..fa46d05 100644 --- a/sepolicy/gx_fpd.te +++ b/sepolicy/gx_fpd.te @@ -6,7 +6,7 @@ init_daemon_domain(gx_fpd) binder_use(gx_fpd) # need to find KeyStore and add self -allow gx_fpd fingerprintd_service:service_manager { add find }; +add_service(hal_fingerprint_default, gx_fpd) # allow HAL module to read dir contents allow gx_fpd gx_fpd_data_file:file create_file_perms; @@ -32,8 +32,8 @@ allow gx_fpd tee_device:chr_file rw_file_perms; allow gx_fpd ion_device:chr_file rw_file_perms; #allow create socket -allow gx_fpd self:socket create_socket_perms; -allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms; +allow gx_fpd self:socket create_socket_perms_no_ioctl; +allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl; #allow read/write property set_prop(gx_fpd, system_prop) diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te new file mode 100644 index 0000000..ba65e48 --- /dev/null +++ b/sepolicy/hal_camera_default.te @@ -0,0 +1 @@ +allow hal_camera_default camera_data_file:sock_file rw_file_perms; diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te new file mode 100644 index 0000000..11027fc --- /dev/null +++ b/sepolicy/hal_fingerprint_default.te @@ -0,0 +1,21 @@ +binder_use(hal_fingerprint_default) +add_service(hal_fingerprint_default, hal_fingerprint_service) +binder_call(hal_fingerprint_default, gx_fpd) + +allow hal_fingerprint_default gx_fpd_service:service_manager find; + +allow gx_fpd hal_fingerprint_default:binder call; + +allow hal_fingerprint_default fingerprint_service:service_manager find; +allow hal_fingerprint_default keystore_service:service_manager find; + +allow hal_fingerprint_default fpc_sysfs:file rw_file_perms; +allow hal_fingerprint_default fpc_sysfs:dir rw_dir_perms; +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default uhid_device:chr_file rw_file_perms; +allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms; +allow hal_fingerprint_default fpc_data_file:sock_file create_file_perms; + +r_dir_file(hal_fingerprint_default, firmware_file) + +use_keystore(hal_fingerprint_default) diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te deleted file mode 100644 index 825a231..0000000 --- a/sepolicy/netmgrd.te +++ /dev/null @@ -1,3 +0,0 @@ -type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt"; - -allow netmgrd netmgrd_data_file:file create_file_perms; diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te index 965c1b4..a212854 100644 --- a/sepolicy/qti_init_shell.te +++ b/sepolicy/qti_init_shell.te @@ -1,3 +1,4 @@ allow qti_init_shell bluetooth_data_file:file r_file_perms; allow qti_init_shell bluetooth_loader_exec:file { read open }; allow qti_init_shell proc:dir setattr; +allow qti_init_shell sysfs:file write; diff --git a/sepolicy/rild.te b/sepolicy/rild.te new file mode 100644 index 0000000..06625de --- /dev/null +++ b/sepolicy/rild.te @@ -0,0 +1 @@ +allow rild vendor_file:file ioctl; diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts index eb3bd76..4fdf722 100644 --- a/sepolicy/service_contexts +++ b/sepolicy/service_contexts @@ -1 +1,2 @@ goodix.fp u:object_r:gx_fpd_service:s0 +android.hardware.fingerprint.IFingerprintCustomDaemon u:object_r:hal_fingerprint_service:s0