From a58d7459e567bdd128c22fb1fa19ee29d6274191 Mon Sep 17 00:00:00 2001
From: SamarV-121
Date: Sun, 3 Sep 2023 10:22:36 +0530
Subject: [PATCH] sepolicy: isolated_app -> isolated_app_all * neverallow
Change-Id: If7dbddf30472de3b7c04c2e4f9a27e03e6ada619
---
 basic/debug/plat_private/mobile_log_d.te | 2 +-
 basic/non_plat/app.te | 14 +++++++-------
 basic/non_plat/domain.te | 4 ++--
 basic/non_plat/hal_drm_clearkey.te | 2 +-
 basic/non_plat/hal_drm_widevine.te | 2 +-
 basic/non_plat/merged_hal_service.te | 2 +-
 basic/non_plat/mtk_safe_halserverdomain_type.te | 4 ++--
 basic/non_plat/netd.te | 2 +-
 bsp/non_plat/domain.te | 2 +-
 bsp/non_plat/zygote.te | 4 ++--
 10 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/basic/debug/plat_private/mobile_log_d.te b/basic/debug/plat_private/mobile_log_d.te
index e8d4697..90b4403 100644
--- a/basic/debug/plat_private/mobile_log_d.te
+++ b/basic/debug/plat_private/mobile_log_d.te
@@ -13,7 +13,7 @@ allow mobile_log_d kernel:system syslog_mod;
 #GMO project
 dontaudit mobile_log_d untrusted_app:fd use;
-dontaudit mobile_log_d isolated_app:fd use;
+dontaudit mobile_log_d isolated_app_all:fd use;
 #debug property set
 set_prop(mobile_log_d, debug_prop)
diff --git a/basic/non_plat/app.te b/basic/non_plat/app.te
index 9e9a6e1..b941167 100644
--- a/basic/non_plat/app.te
+++ b/basic/non_plat/app.te
@@ -34,7 +34,7 @@ allowxperm appdomain proc_perfmgr:file ioctl {
 # Date : W19.23
 # Operation : Migration
 # Purpose : For platform app com.android.gallery3d
-allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
+allow { appdomain -isolated_app_all } radio_data_file:file rw_file_perms;
 # Date : W19.23
 # Operation : Migration
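Review bot: `dontaudit mobile_log_d isolated_app_all:fd use;` in mobile_log_d.te uses the attribute as the rule's target rather than inside an exclusion set, so the rule now covers every type carrying isolated_app_all instead of the single isolated_app type; the same holds for `allow netd isolated_app_all:fd use;` in netd.te and `allow zygote isolated_app_all:fd use;` in zygote.te. The neverallow named in the subject is presumably satisfied by the `-isolated_app_all` exclusions elsewhere in the patch, so these three lines widen policy without being needed for it. Unless a denial was actually observed for another isolated type, keep `isolated_app` as the target here; for the dontaudit this also keeps denials from the other isolated domains visible in the audit log.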
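Review bot: The rule edited in app.te, `allow { appdomain -isolated_app_all } radio_data_file:file rw_file_perms;`, grants read/write on radio data files to every app domain except the isolated ones, while the comment directly above it gives a single platform app (com.android.gallery3d) as the purpose. That set includes untrusted apps, which is far wider than the stated need. Since the line is being touched anyway, it could be scoped to the domain that app runs in, for example `allow platform_app radio_data_file:file rw_file_perms;`, assuming gallery3d is labelled platform_app on this device (the hunk does not show its label).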
@@ -43,12 +43,12 @@ allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
 # Date : W20.26
 # Operation : Migration
-# Purpose : For apps other than isolated_app call hidl
-hwbinder_use({ appdomain -isolated_app })
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
-allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
-binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
-allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
+# Purpose : For apps other than isolated_app_all call hidl
+hwbinder_use({ appdomain -isolated_app_all })
+get_prop({ appdomain -isolated_app_all }, hwservicemanager_prop)
+allow { appdomain -isolated_app_all } hidl_manager_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app_all }, mtk_safe_halserverdomain_type)
+allow { appdomain -isolated_app_all } mtk_safe_hwservice_manager_type:hwservice_manager find;
 # Date : 2021/04/24
 # Operation: addwindow
diff --git a/basic/non_plat/domain.te b/basic/non_plat/domain.te
index 458e0f0..451a9c2 100644
--- a/basic/non_plat/domain.te
+++ b/basic/non_plat/domain.te
@@ -11,7 +11,7 @@ get_prop(domain, mtk_core_property_type)
 # as it is a public interface for all processes to read some OTP data.
 allow {
 domain
-isolated_app
+ -isolated_app_all
 } sysfs_devinfo:file r_file_perms;
 # Date : W18.45
@@ -19,5 +19,5 @@ allow {
 # Purpose : drvb need dgb2 permission
 allow {
 domain
-isolated_app
+ -isolated_app_all
 } sysfs_gpu_mtk:file r_file_perms;
diff --git a/basic/non_plat/hal_drm_clearkey.te b/basic/non_plat/hal_drm_clearkey.te
index 3bcb375..4ae0d44 100644
--- a/basic/non_plat/hal_drm_clearkey.te
+++ b/basic/non_plat/hal_drm_clearkey.te
@@ -14,4 +14,4 @@ hal_server_domain(hal_drm_clearkey, hal_drm)
 vndbinder_use(hal_drm_clearkey)
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
+allow hal_drm_clearkey { appdomain -isolated_app_all }:fd use;
diff --git a/basic/non_plat/hal_drm_widevine.te b/basic/non_plat/hal_drm_widevine.te
index 0cad4e7..c14ef0e 100644
--- a/basic/non_plat/hal_drm_widevine.te
+++ b/basic/non_plat/hal_drm_widevine.te
@@ -10,7 +10,7 @@ init_daemon_domain(hal_drm_widevine)
 hal_server_domain(hal_drm_widevine, hal_drm)
 allow hal_drm_widevine mediacodec:fd use;
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+allow hal_drm_widevine { appdomain -isolated_app_all }:fd use;
 vndbinder_use(hal_drm_widevine)
diff --git a/basic/non_plat/merged_hal_service.te b/basic/non_plat/merged_hal_service.te
index d0f003c..1de279d 100644
--- a/basic/non_plat/merged_hal_service.te
+++ b/basic/non_plat/merged_hal_service.te
@@ -42,7 +42,7 @@ hal_client_domain(merged_hal_service, hal_allocator)
 #for default drm permissions
 hal_server_domain(merged_hal_service, hal_drm)
 allow merged_hal_service mediacodec:fd use;
-allow merged_hal_service { appdomain -isolated_app }:fd use;
+allow merged_hal_service { appdomain -isolated_app_all }:fd use;
 # Date : WK18.23
 # Operation : P Migration
diff --git a/basic/non_plat/mtk_safe_halserverdomain_type.te b/basic/non_plat/mtk_safe_halserverdomain_type.te
index 74cb3b2..33ce4e0 100644
--- a/basic/non_plat/mtk_safe_halserverdomain_type.te
+++ b/basic/non_plat/mtk_safe_halserverdomain_type.te
@@ -4,5 +4,5 @@
 # Date : W20.26
 # Operation : Migration
-# Purpose : For apps other than isolated_app call hidl
-binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })
+# Purpose : For apps other than isolated_app_all call hidl
+binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app_all })
diff --git a/basic/non_plat/netd.te b/basic/non_plat/netd.te
index f93ff1f..f991c21 100644
--- a/basic/non_plat/netd.te
+++ b/basic/non_plat/netd.te
@@ -31,7 +31,7 @@ allow netd untrusted_app:fd use;
 # Operation : SQC
 # Purpose : CTS for wifi
 allow netd untrusted_app:unix_stream_socket rw_socket_perms_no_ioctl;
-allow netd isolated_app:fd use;
+allow netd isolated_app_all:fd use;
 # MTK support app feature
 get_prop(netd, vendor_mtk_app_prop)
diff --git a/bsp/non_plat/domain.te b/bsp/non_plat/domain.te
index d724bc1..29316ca 100644
--- a/bsp/non_plat/domain.te
+++ b/bsp/non_plat/domain.te
@@ -5,7 +5,7 @@
 # Date : WK15.29
 # Operation : Migration
 # Purpose : for device bring up, not to block early migration
-allow { domain -isolated_app } storage_file:dir search;
+allow { domain -isolated_app_all } storage_file:dir search;
 # Date : W17.47
 # Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose
diff --git a/bsp/non_plat/zygote.te b/bsp/non_plat/zygote.te
index 6e65086..491db84 100644
--- a/bsp/non_plat/zygote.te
+++ b/bsp/non_plat/zygote.te
@@ -19,8 +19,8 @@ allow zygote servicemanager:binder call;
 # Date : WK14.49
 # Operation : SQC
-# Purpose : for isolated_app to use fd (ex: share image by gmail)
-allow zygote isolated_app:fd use;
+# Purpose : for isolated_app_all to use fd (ex: share image by gmail)
+allow zygote isolated_app_all:fd use;
 # Date : WK15.02
 # Operation : SQC
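Review bot: The updated comment in zygote.te, `# Purpose : for isolated_app_all to use fd (ex: share image by gmail)`, describes the opposite direction from the rule under it. In `allow zygote isolated_app_all:fd use;` zygote is the source, so the rule lets zygote use file descriptors whose label is an isolated domain, not the other way round. Suggest rewording to `# Purpose : let zygote use fds opened by isolated apps (ex: share image by gmail)` so that a later audit of zygote's permissions reads the grant correctly.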