[ALPS03841839] fix nvram SELinux violations
[Detail] Fix nvram SELinux violations.
[Solution] Remove the system_data_file sepolicy rules from nvram_daemon.te and nvram_agent_binder.te.

MTK-Commit-Id: 4a9272ef13c590133649ca46d962f14768a216ef
Change-Id: I473edae03de50c6d747477e34e6eb797b7b1875e
CR-Id: ALPS03841839
Feature: NVRAM Partition
parent
06fbbbdb00
commit
9764053433
@ -32,42 +32,6 @@ allow merged_hal_service mnld_data_file:dir create_file_perms;
|
|||||||
allow merged_hal_service mnld_data_file:dir rw_dir_perms;
|
allow merged_hal_service mnld_data_file:dir rw_dir_perms;
|
||||||
allow merged_hal_service mnld:unix_dgram_socket sendto;
|
allow merged_hal_service mnld:unix_dgram_socket sendto;
|
||||||
|
|
||||||
#for nvram agent hidl
|
|
||||||
allow merged_hal_service hwservicemanager_prop:file r_file_perms;
|
|
||||||
allow merged_hal_service sysfs:file { read open };
|
|
||||||
allow merged_hal_service system_data_file:lnk_file read;
|
|
||||||
hal_server_domain(merged_hal_service, hal_nvramagent)
|
|
||||||
# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
|
|
||||||
#hal_server_domain(merged_hal_service, hal_nvramagent)
|
|
||||||
#for nvram agent hidl access nvram file
|
|
||||||
allow merged_hal_service nvram_agent_service:service_manager add;
|
|
||||||
allow merged_hal_service nvram_device:blk_file rw_file_perms;
|
|
||||||
allow merged_hal_service bootdevice_block_device:blk_file rw_file_perms;
|
|
||||||
allow merged_hal_service nvdata_device:blk_file rw_file_perms;
|
|
||||||
allow merged_hal_service nvram_data_file:dir create_dir_perms;
|
|
||||||
allow merged_hal_service nvram_data_file:file create_file_perms;
|
|
||||||
allow merged_hal_service nvram_data_file:lnk_file read;
|
|
||||||
allow merged_hal_service nvdata_file:lnk_file read;
|
|
||||||
allow merged_hal_service nvdata_file:dir create_dir_perms;
|
|
||||||
allow merged_hal_service nvdata_file:file create_file_perms;
|
|
||||||
#allow merged_hal_service system_file:file execute_no_trans;
|
|
||||||
allow merged_hal_service als_ps_device:chr_file r_file_perms;
|
|
||||||
allow merged_hal_service mtk-adc-cali_device:chr_file rw_file_perms;
|
|
||||||
allow merged_hal_service gsensor_device:chr_file r_file_perms;
|
|
||||||
allow merged_hal_service gyroscope_device:chr_file r_file_perms;
|
|
||||||
allow merged_hal_service init:unix_stream_socket connectto;
|
|
||||||
allow merged_hal_service property_socket:sock_file write;
|
|
||||||
allow merged_hal_service sysfs:file write;
|
|
||||||
#allow merged_hal_service self:capability { fowner chown dac_override fsetid };
|
|
||||||
typeattribute merged_hal_service data_between_core_and_vendor_violators;
|
|
||||||
allow merged_hal_service system_data_file:dir create_file_perms;
|
|
||||||
allow merged_hal_service nvram_device:chr_file rw_file_perms;
|
|
||||||
allow merged_hal_service pro_info_device:chr_file rw_file_perms;
|
|
||||||
allow merged_hal_service block_device:dir search;
|
|
||||||
allow merged_hal_service app_data_file:file write;
|
|
||||||
allow merged_hal_service mtd_device:dir search;
|
|
||||||
allow merged_hal_service mtd_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
#graphics allocator permissions
|
#graphics allocator permissions
|
||||||
hal_server_domain(merged_hal_service, hal_graphics_allocator)
|
hal_server_domain(merged_hal_service, hal_graphics_allocator)
|
||||||
allow merged_hal_service gpu_device:dir search;
|
allow merged_hal_service gpu_device:dir search;
|
||||||
|
@ -40,8 +40,9 @@ allow nvram_agent_binder init:unix_stream_socket connectto;
|
|||||||
allow nvram_agent_binder property_socket:sock_file write;
|
allow nvram_agent_binder property_socket:sock_file write;
|
||||||
allow nvram_agent_binder sysfs:file write;
|
allow nvram_agent_binder sysfs:file write;
|
||||||
#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
|
#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
|
||||||
typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
|
#typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
|
||||||
allow nvram_agent_binder system_data_file:dir create_file_perms;
|
#remove from Android P
|
||||||
|
#allow nvram_agent_binder system_data_file:dir create_file_perms;
|
||||||
|
|
||||||
# Purpose: for backup
|
# Purpose: for backup
|
||||||
allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
|
allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
|
||||||
@ -58,7 +59,8 @@ allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
|
|||||||
|
|
||||||
#for nvram hidl client support
|
#for nvram hidl client support
|
||||||
allow nvram_agent_binder sysfs:file { read open };
|
allow nvram_agent_binder sysfs:file { read open };
|
||||||
allow nvram_agent_binder system_data_file:lnk_file read;
|
#remove from android P
|
||||||
|
#allow nvram_agent_binder system_data_file:lnk_file read;
|
||||||
|
|
||||||
# Allow to use HWBinder IPC
|
# Allow to use HWBinder IPC
|
||||||
hwbinder_use(nvram_agent_binder);
|
hwbinder_use(nvram_agent_binder);
|
||||||
|
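Review bot: The rules retired for nvram_agent_binder are commented out rather than deleted (`#typeattribute nvram_agent_binder data_between_core_and_vendor_violators;` and `#allow nvram_agent_binder system_data_file:dir create_file_perms;` in the first hunk, `#allow nvram_agent_binder system_data_file:lnk_file read;` in the second), so removing one character restores the core/vendor data-sharing exemption. Deleting them and keeping a single comment such as `# system_data_file access removed for Android P (ALPS03841839)` would leave the history in version control and the policy free of dead rules. The marker wording also differs between the two hunks (`#remove from Android P` vs `#remove from android P`). Separately, the unchanged context line `allow nvram_agent_binder sysfs:file write;` still grants write on the generic sysfs type; a dedicated label for the specific node would be narrower, though the node it targets is not visible here.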
@ -70,8 +70,9 @@ allow nvram_daemon proc_lk_env:file rw_file_perms;
|
|||||||
|
|
||||||
# Purpose: for workaround
|
# Purpose: for workaround
|
||||||
# Todo: Remove this policy
|
# Todo: Remove this policy
|
||||||
typeattribute nvram_daemon data_between_core_and_vendor_violators;
|
#typeattribute nvram_daemon data_between_core_and_vendor_violators;
|
||||||
allow nvram_daemon system_data_file:dir write;
|
#remove from Android P
|
||||||
|
#allow nvram_daemon system_data_file:dir write;
|
||||||
|
|
||||||
# Purpose: property set
|
# Purpose: property set
|
||||||
#allow nvram_daemon service_nvram_init_prop:property_service set;
|
#allow nvram_daemon service_nvram_init_prop:property_service set;
|
||||||
@ -79,11 +80,13 @@ allow nvram_daemon system_data_file:dir write;
|
|||||||
# Purpose: copy /fstab*
|
# Purpose: copy /fstab*
|
||||||
allow nvram_daemon rootfs:dir { read open };
|
allow nvram_daemon rootfs:dir { read open };
|
||||||
allow nvram_daemon rootfs:file r_file_perms;
|
allow nvram_daemon rootfs:file r_file_perms;
|
||||||
allow nvram_daemon system_data_file:lnk_file read;
|
#remove from Android P
|
||||||
|
#allow nvram_daemon system_data_file:lnk_file read;
|
||||||
|
|
||||||
# Purpose: remove /data/nvram link
|
# Purpose: remove /data/nvram link
|
||||||
allow nvram_daemon system_data_file:dir { remove_name add_name };
|
#remove from Android P
|
||||||
allow nvram_daemon system_data_file:lnk_file { create unlink };
|
#allow nvram_daemon system_data_file:dir { remove_name add_name };
|
||||||
|
#allow nvram_daemon system_data_file:lnk_file { create unlink };
|
||||||
allow nvram_daemon nvram_data_file:lnk_file unlink;
|
allow nvram_daemon nvram_data_file:lnk_file unlink;
|
||||||
# Purpose: for run toolbox command: chown chmode..
|
# Purpose: for run toolbox command: chown chmode..
|
||||||
#allow nvram_daemon toolbox_exec:file rx_file_perms;
|
#allow nvram_daemon toolbox_exec:file rx_file_perms;
|
||||||
|
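Review bot: With `system_data_file:dir { remove_name add_name }` and `system_data_file:lnk_file { create unlink }` disabled in the last hunk, the surviving `allow nvram_daemon nvram_data_file:lnk_file unlink;` under `# Purpose: remove /data/nvram link` may no longer be enough on its own. Unlinking an entry also needs `remove_name` on the parent directory, and if that directory is labelled system_data_file (not visible here) the operation will now be denied. It is worth confirming on a device that nvram_daemon no longer attempts this, by checking the audit log for `avc: denied` entries whose scontext is nvram_daemon, and dropping the unlink rule and its comment if the link handling is gone. The disabled rules, and the `# Purpose: for workaround` / `# Todo: Remove this policy` header in the first hunk that now covers only commented-out lines, would be better deleted than commented out.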