universal7870: update sepolicy (wip)

2025-09-07 00:38:06 -04:00 · 2020-03-26 11:38:15 +01:00 · 2020-03-26 11:38:15 +01:00 · 4cd64b76bd
commit 4cd64b76bd
parent 841f56ecbf
46 changed files with 515 additions and 184 deletions
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -11,10 +11,11 @@ allow init block_device:lnk_file { setattr };
 allow init tmpfs:lnk_file create_file_perms;

 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
-allow init sysfs:dir r_dir_perms;
+allow init proc:file { getattr setattr read write open };

-# required for LD_SHIM_LIBS
-allow init { domain -lmkd -crash_dump }:process noatsecure;
+# Shim libs
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;

 # /data
 allow init sdcardd_exec:file r_file_perms;
@ -23,15 +24,33 @@ allow init sdcardd_exec:file r_file_perms;
 allow init sysfs:lnk_file setattr;

 # read/chown mDNIE symlinks
-allow init sysfs_mdnie_writable:lnk_file { read setattr };
+allow init sysfs_mdnie:lnk_file { read setattr };

 # read/chown camera firmware
-allow init sysfs_camera_writable:file { relabelto setattr };
-allow init sysfs_camera_writable:filesystem associate;
+allow init sysfs_camera:file { relabelto setattr };
+allow init sysfs_camera:filesystem associate;

+# sysfs
+allow init sysfs_bluetooth_writable:file setattr;
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_multipdp:file setattr;
+allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_gps:file setattr;
+allow init sysfs_sec:file setattr ;
+allow init sysfs_brightness:file setattr;
+allow init sysfs_input:file setattr;
+allow init sysfs_lcd:file { setattr open };
+allow init sysfs_svc:file setattr;
+allow init sysfs_modem:file { setattr open write };
+allow init sysfs_wlan_fwpath:file setattr;
+allow init sysfs_virtual:file { open setattr write };
+allow init sysfs_virtual:lnk_file read;
+allow init sysfs_charger:file setattr;
+allow init sysfs:file setattr;
+
+unix_socket_connect(init, property, rild)
 allow init socket_device:sock_file { unlink create setattr };

-allow init sysfs_sec:lnk_file read;
-
-allow init block_device:blk_file write;
-allow init property_socket:sock_file write;
+allow init tee_device:chr_file { read write open ioctl getattr };
+allow init system_file:file execute;
+allow init sysfs_modem:file r_file_perms;