[ALPS04760107] Fix high risk selinux

Fix high risk selinux in atci MTK-Commit-Id: 920482c8d6406a57b2b653e98b8b28c30c2e6d1b Change-Id: I6cbd85f3699f055312a5f6b2ea577bd9161ef29e CR-Id: ALPS04760107 Feature: [Module]ATCI (AT Command Interface)
2020-01-18 10:20:00 +08:00 · 2020-01-18 10:20:00 +08:00 · 1a9ed28058
commit 1a9ed28058
parent ef2d9a611a
2 changed files with 2 additions and 11 deletions
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@ -13,9 +13,6 @@ init_daemon_domain(atci_service)
 allow atci_service block_device:dir search;
 allow atci_service misc2_block_device:blk_file { open read write };
 allow atci_service misc2_device:chr_file { open read write };
-allow atci_service bootdevice_block_device:blk_file { open read write };
-
-allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
 allow atci_service camera_isp_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:chr_file { read write ioctl open };
 allow atci_service graphics_device:dir search;
@ -71,11 +68,9 @@ allow atci_service storage_file:lnk_file read;
 #allow atci_service media_rw_data_file:file { read write create open };

 #============= atci_service ==============
-allow atci_service property_socket:sock_file write;
 allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};

-allow atci_service init:unix_stream_socket connectto;
-allow atci_service mtk_em_prop:property_service set;
+set_prop(atci_service, mtk_em_prop)

 # Date : 2016/03/02
 # Operation : M-Migration
--- a/non_plat/atcid.te
+++ b/non_plat/atcid.te
@ -9,8 +9,7 @@ type atcid, domain;
 type atcid_exec, exec_type, file_type, vendor_file_type;

 init_daemon_domain(atcid)
-allow atcid init:unix_stream_socket connectto;
-allow atcid property_socket:sock_file write;
+set_prop(atcid,persist_service_atci_prop)
 allow atcid block_device:dir search;
 allow atcid socket_device:sock_file write;

@ -20,11 +19,8 @@ hwbinder_use(atcid)
 hal_client_domain(atcid, hal_telephony)

 allow atcid ttyGS_device:chr_file { read write ioctl open };
-allow atcid persist_service_atci_prop:property_service set;
-allow atcid misc2_device:chr_file { read write open };
 allow atcid wmtWifi_device:chr_file { write open };
 allow atcid misc2_block_device:blk_file { read write open };
-allow atcid bootdevice_block_device:blk_file { open read write };
 allow atci_service gpu_device:chr_file { read write open ioctl getattr };
 allow atcid self:capability sys_time;