authorZips <hcolmenares@gmail.com>2017-12-12 19:08:34 -0500
committerZips <hcolmenares@gmail.com>2017-12-12 19:08:34 -0500
commitce861ae17ada95555d606a98365c2f95bd1db74d (patch)
tree225dbf6dc5ec96750f028b57a60ecc2b3ced9e41
parent59a3ca9352aa735961352eed0c9676fd9e99516c (diff)
deb: sepolicyo8.0
Change-Id: I2302c8dd125b56399029773527b9047c62fac74d
-rw-r--r--sepolicy/audioserver.te4
-rw-r--r--sepolicy/cameraserver.te6
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/nfc.te3
-rw-r--r--sepolicy/platform_app.te2
-rw-r--r--sepolicy/shell.te3
-rw-r--r--sepolicy/tt8
-rw-r--r--sepolicy/untrusted_app.te4
8 files changed, 32 insertions, 0 deletions
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..945d7a4
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,4 @@
+# Grant access to Qualcomm MSM Interface (QMI) audio sockets to audioserver
+allow audioserver qmux:unix_stream_socket connectto;
+allow audioserver qmuxd_socket:dir write;
+allow audioserver sysfs:file { getattr open };
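Review bot: `allow audioserver sysfs:file { getattr open };` is written against the generic `sysfs` type, which covers every sysfs node that has no more specific label and is far wider than the single file a denial would have named; the same catch-all type is used in nfc.te, shell.te and untrusted_app.te in this commit, while platform_app.te shows the narrower pattern (`sysfs_thermal`). Label the specific path in file_contexts and grant the new type instead, e.g. `allow audioserver <sysfs_subtype>:file { getattr open read };` with `<sysfs_subtype>` as a placeholder for the device-specific label. Note also that `open` without `read` cannot satisfy a read-only open on its own, so unless `read` comes from a base rule the denial will merely move to the next permission once the device is enforcing.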
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..86ec1d9
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,6 @@
+allow cameraserver gpu_device:chr_file rw_file_perms;
+
+allow cameraserver system_server:unix_stream_socket { read write };
+
+# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
+binder_call(cameraserver, mediacodec)
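Review bot: `binder_call(cameraserver, mediacodec)` carries the copied TODO questioning whether it breaks the Treble system/vendor split, yet the commit offers no denial showing cameraserver needs it on this device (the committed log in sepolicy/tt has no cameraserver entries at all). If a denial was observed, record it in the commit message or in a comment above the rule so the TODO can be resolved later; if not, this rule and the `allow cameraserver system_server:unix_stream_socket { read write };` line above it should be re-checked rather than carried forward speculatively.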
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..ad7caf4
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+#============= init ==============
+allow init socket_device:sock_file { create setattr };
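Review bot: `allow init socket_device:sock_file { create setattr };` is granted without naming the socket, and the `#============= init ==============` banner marks the line as raw audit2allow output. Sockets that init creates from an init.rc `socket` stanza are normally given their own type via the stanza's seclabel or a file_contexts entry; if that is what triggered the denial, labelling the socket is the fix and this rule may be unnecessary, and AOSP's own init.te may already carry an equivalent line, so diff against it before adding a duplicate. Replace the generated banner with a comment naming the socket that needed it.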
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..95f0aa4
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1,3 @@
+#============= nfc ==============
+allow nfc sysfs:dir open;
+allow nfc sysfs:dir read;
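Review bot: The two rules share source, target and class and should be collapsed into one, `allow nfc sysfs:dir { open read };`, matching the `{ open read }` form used in untrusted_app.te of this commit. On the generic `sysfs` type this also lets nfc enumerate any sysfs directory without a more specific label, so narrowing to the directory actually needed is preferable; if the access pattern is traversal into that directory rather than listing it, `search` will be the next permission denied.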
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..10ffd36
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,2 @@
+allow platform_app nfc_service:service_manager find;
+allow platform_app sysfs_thermal:file { getattr open read };
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..f286021
--- /dev/null
+++ b/sepolicy/shell.te
@@ -0,0 +1,3 @@
+#============= shell ==============
+allow shell sysfs:file { getattr open read };
+
diff --git a/sepolicy/tt b/sepolicy/tt
new file mode 100644
index 0000000..50fbc88
--- /dev/null
+++ b/sepolicy/tt
@@ -0,0 +1,8 @@
+11-29 22:19:54.122 279 279 I android.hardwar: type=1400 audit(0.0:464): avc: denied { read } for name="online" dev="sysfs" ino=34 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+11-29 22:19:54.122 279 279 I android.hardwar: type=1400 audit(0.0:465): avc: denied { open } for name="online" dev="sysfs" ino=34 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+11-29 22:19:54.122 279 279 I android.hardwar: type=1400 audit(0.0:466): avc: denied { getattr } for path="/sys/devices/system/cpu/online" dev="sysfs" ino=34 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+11-29 22:52:58.255 6884 6884 I shikdutta.vysor: type=1400 audit(0.0:423): avc: denied { read } for name="cpu" dev="sysfs" ino=32 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
+11-29 22:52:58.255 6884 6884 I shikdutta.vysor: type=1400 audit(0.0:424): avc: denied { open } for name="cpu" dev="sysfs" ino=32 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1
+11-29 22:52:58.335 6884 6884 I shikdutta.vysor: type=1400 audit(0.0:425): avc: denied { read } for name="present" dev="sysfs" ino=36 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
+
+
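Review bot: `sepolicy/tt` is a raw logcat audit dump, not policy, and appears to have been committed by accident; it should be removed from the change or moved out of the policy directory before merge. Its contents are still useful as evidence: the untrusted_app lines map to untrusted_app.te, but the three mediacodec denials on `/sys/devices/system/cpu/online` have no corresponding rule anywhere in this commit, so either that denial is left unresolved or the mediacodec fix belongs in a later change and should be mentioned in the message. The names in the log (`cpu`, `online`, `present` under sysfs) all sit in one subtree, which argues for a dedicated sysfs label for that subtree rather than widening access to the catch-all `sysfs` type.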
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..974fa59
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,4 @@
+#============= untrusted_app ==============
+allow untrusted_app sysfs:dir { open read };
+allow untrusted_app sysfs:file read;
+
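Review bot: `allow untrusted_app sysfs:dir { open read };` and `allow untrusted_app sysfs:file read;` give every third-party app read access to all directories and files carrying the generic `sysfs` label, i.e. anything under /sys without a specific type, to satisfy what the committed log shows is one app reading CPU topology; that is a broad information-disclosure surface for the least-trusted domain on the device and may also collide with AOSP neverallow rules on app access to sysfs, which would fail the policy build or CTS. The `file read` rule also lacks `open`, so once the device is enforcing the app's open() will still be denied — the permissive log only recorded the first failing permission. Label the specific path and grant `{ getattr open read }` on that type only.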