| author | kessaras <paul@cypheros.co> | 2019-02-03 07:31:23 +0200 |
|---|---|---|
| committer | mosimchah <mosimchah@gmail.com> | 2019-03-24 20:55:41 -0400 |
| commit | 6b37bba6cdbf58147e3c97456a806847bbb327ed (patch) | |
| tree | c56574f7892d7b50a0a5b99d9cca4683d8b73646 | |
| parent | 264b660dc109c65fa3fe22027e6a305269c43649 (diff) | |
kirin970: sepolicy: Add only the most important policies from logs
in order to address some denials
Change-Id: Ib18585cad78cf1f4dae46cffe8685873b278efd7
24 files changed, 118 insertions, 0 deletions
diff --git a/sepolicy/private/attributes b/sepolicy/private/attributes
new file mode 100644
index 0000000..fcbfecf
--- /dev/null
+++ b/sepolicy/private/attributes
@@ -0,0 +1,9 @@
+# Temporary attribute used for migrating permissions out of domain.
+# Motivation: Domain is overly permissive. Start removing permissions
+# from domain and assign them to the domain_deprecated attribute.
+# Domain_deprecated and domain can initially be assigned to all
+# domains. The goal is to not assign domain_deprecated to new domains
+# and to start removing domain_deprecated where it's not required or
+# reassigning the appropriate permissions to the inheriting domain
+# when necessary.
+attribute domain_deprecated;
diff --git a/sepolicy/private/displayeffect.te b/sepolicy/private/displayeffect.te
new file mode 100644
index 0000000..4b6820b
--- /dev/null
+++ b/sepolicy/private/displayeffect.te
@@ -0,0 +1,2 @@
+# displayeffect - display effect
+type displayeffect, domain;
diff --git a/sepolicy/private/displayengineserver.te b/sepolicy/private/displayengineserver.te
index 9f937b8..899c911 100644
--- a/sepolicy/private/displayengineserver.te
+++ b/sepolicy/private/displayengineserver.te
@@ -20,3 +20,15 @@ allow displayengineserver displayengine_hwservice:hwservice_manager find;
 # Allow displayengineserver to find surfaceflinger_service
 allow displayengineserver surfaceflinger_service:service_manager find;
+
+# Allow displayengineserver to find 3rd party apps hwservice
+allow displayengineserver untrusted_app_visible_hisi_hwservice:hwservice_manager find;
+
+# Allow displayengineserver to read inside /data/cust
+allow displayengineserver cust_data_file:lnk_file read;
+
+# Allow displayengineserver to call binder displayeffect
+binder_call(displayengineserver, displayeffect)
+
+# Allow displayengineserver to call binder hal_displayengine_default
+binder_call(displayengineserver, hal_displayengine_default)
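Review bot: `attribute domain_deprecated;` is declared but no rule in this commit attaches any permission to it, so the `domain_deprecated` attribute on the `mac_addr_normalization` type (mac_addr_normalization.te) grants nothing by itself. The comment, copied from the old AOSP definition, describes an attribute that carried a large set of legacy allow rules which AOSP deliberately removed; if this declaration exists only so that vendor .te files referencing the name still build, say so, e.g. `# Declared only so legacy .te files referencing it still build; carries no rules here.`, so the next reader does not assume the old permissions come with it. If another policy directory does populate it, that reintroduces the over-broad attribute the comment itself warns about.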
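Review bot: `allow displayengineserver untrusted_app_visible_hisi_hwservice:hwservice_manager find;` looks the type up through hwservicemanager, but the same commit declares it as `service_manager_type` in public/service.te and binds it to `IDisplayEffectClient` in private/service_contexts, which is the Binder servicemanager namespace. One side is inconsistent: a hwservicemanager lookup normally needs a type carrying `hwservice_manager_type` listed in hwservice_contexts, while a servicemanager entry is found with `:service_manager find`. The original denial shows which manager reported it; align the declaration, the contexts entry and this rule with that. The `untrusted_app_visible_` prefix also implies app domains are meant to find this service, yet none is granted that here, so confirm whether the name or the scope is what was intended.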
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 0761e63..6baa417 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -27,6 +27,7 @@
 /data/product\.bin u:object_r:cust_data_file:s0
 /data/test_nv\.bin u:object_r:cust_data_file:s0
 /data/test_ver\.bin u:object_r:cust_data_file:s0
+/data/cust u:object_r:cust_data_file:s0
 # Rootfs
 /cust(/.*)? u:object_r:system_file:s0
@@ -44,3 +45,4 @@
 # Configs
 /system/etc/audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
+/odm/etc/permissions u:object_r:odm_xml_file:s0
diff --git a/sepolicy/private/fsck.te b/sepolicy/private/fsck.te
new file mode 100644
index 0000000..b665258
--- /dev/null
+++ b/sepolicy/private/fsck.te
@@ -0,0 +1,5 @@
+allow fsck block_device:blk_file { rw_file_perms };
+allow fsck hisee_blkdev:blk_file { rw_file_perms };
+allow fsck mke2fs_blkdev:blk_file { rw_file_perms };
+allow fsck modem_log_file:dir getattr;
+allow fsck modem_fw_file:dir getattr;
diff --git a/sepolicy/private/hal_displayengine_default.te b/sepolicy/private/hal_displayengine_default.te
new file mode 100644
index 0000000..dd1feda
--- /dev/null
+++ b/sepolicy/private/hal_displayengine_default.te
@@ -0,0 +1,3 @@
+type hal_displayengine_default, domain;
+
+allow hal_displayengine_default sysfs:file { open read };
diff --git a/sepolicy/private/healthd.te b/sepolicy/private/healthd.te
new file mode 100644
index 0000000..d4f839d
--- /dev/null
+++ b/sepolicy/private/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability2 wake_alarm;
diff --git a/sepolicy/private/hinetmanager.te b/sepolicy/private/hinetmanager.te
new file mode 100644
index 0000000..968b9c5
--- /dev/null
+++ b/sepolicy/private/hinetmanager.te
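Review bot: `/odm/etc/permissions u:object_r:odm_xml_file:s0` has no `(/.*)?` suffix, so it labels only the directory; the XML files inside keep the generic /odm label and `allow radio odm_xml_file:file rw_file_perms;` in radio.te never matches them. If the files are the target, the entry should read `/odm/etc/permissions(/.*)? u:object_r:odm_xml_file:s0`. Separately, odm_xml_file is declared with `file_type` only in public/file.te; paths on the /odm partition are usually expected to carry `vendor_file_type`, which the Treble sepolicy tests check, so confirm this builds.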
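Review bot: `allow fsck block_device:blk_file { rw_file_perms };` grants read and write on every block device node that has no more specific label, because `block_device` is the fallback type for /dev/block; a denial names one node, and that node should get its own type in file_contexts (the way hisee_blkdev and mke2fs_blkdev are separate types) instead of opening the generic one. `hisee_blkdev` is declared in public/file.te in this commit but no file_contexts entry applies it, so unless another policy directory labels the node that rule is dead. AOSP's platform fsck policy also carries neverallow rules on which block device types fsck may write, so check that the generic rule compiles against them.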
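Review bot: `type hal_displayengine_default, domain;` declares a process domain with no `_exec` type, no `init_daemon_domain` or `hal_server_domain`, and no HAL attributes, so nothing in this policy can place a process in it and `binder_call(displayengineserver, hal_displayengine_default)` in displayengineserver.te targets an empty domain. If the HAL domain is already declared in another policy directory this duplicate `type` line will most likely fail the build; if it is not, it needs the same shape the commit gives hinetmanager — an exec type with `vendor_file_type`, `init_daemon_domain(hal_displayengine_default)` and a file_contexts entry for the binary. `allow hal_displayengine_default sysfs:file { open read };` also reads the generic `sysfs` label rather than a dedicated sysfs type.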
@@ -0,0 +1,9 @@
+type hinetmanager, domain;
+type hinetmanager_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hinetmanager);
+
+# Allow hinetmanager to have rw, create and link perms inside /data/vendor/hinetmanager
+allow hinetmanager hinetmanager_data_vendor_file:file { create_file_perms link_file_perms rw_file_perms };
+
+allow hinetmanager self:capability dac_override;
diff --git a/sepolicy/private/hwemerffu_service.te b/sepolicy/private/hwemerffu_service.te
new file mode 100644
index 0000000..f4a670d
--- /dev/null
+++ b/sepolicy/private/hwemerffu_service.te
@@ -0,0 +1,9 @@
+type hwemerffu_service, domain;
+type hwemerffu_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hwemerffu_service);
+
+# Allow hwemerffu_service to search for a file inside /data/vendor/fw
+allow hwemerffu_service hwemerffu_file:dir search;
+
+allow hwemerffu_service self:capability dac_override;
diff --git a/sepolicy/private/hwsched.te b/sepolicy/private/hwsched.te
new file mode 100644
index 0000000..36c8fa8
--- /dev/null
+++ b/sepolicy/private/hwsched.te
@@ -0,0 +1,7 @@
+type hwsched, domain;
+type hwsched_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hwsched);
+
+# Allow hwsched to read inside /data/cust
+allow hwsched cust_data_file:lnk_file read;
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
index afc2fcf..2fba7e8 100644
--- a/sepolicy/private/init.te
+++ b/sepolicy/private/init.te
@@ -20,3 +20,7 @@ allow init vendor_configs_file:dir mounton;
 # Allow init to load kernel modules
 allow init kernel:system module_request;
+
+allow hwsched system_data_file:lnk_file read;
+
+allow init sysfs_led:file setattr;
diff --git a/sepolicy/private/irqbalance.te b/sepolicy/private/irqbalance.te
new file mode 100644
index 0000000..6d3aba4
--- /dev/null
+++ b/sepolicy/private/irqbalance.te
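Review bot: `allow hinetmanager self:capability dac_override;`, and the identical grants to hwemerffu_service and irqbalance (hwemerffu_service.te, irqbalance.te), let each daemon bypass Unix permission checks on every file SELinux otherwise allows it to reach; a `dac_override` denial almost always means the file or directory is owned by the wrong user or has the wrong mode, which is fixed in the init.rc `chown`/`chmod` or the service's `user`/`group` lines rather than in policy. In `{ create_file_perms link_file_perms rw_file_perms }`, `create_file_perms` already includes `rw_file_perms`, `unlink` and `rename`, so only `link` adds anything and the set can be reduced to what the log showed. `hinetmanager_data_vendor_file` is declared in public/file.te but no file_contexts entry in this commit labels /data/vendor/hinetmanager with it — confirm another policy directory does. The `;` after `init_daemon_domain(hinetmanager)` is inconsistent with the bare macro call in mac_addr_normalization.te.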
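Review bot: `allow hwsched system_data_file:lnk_file read;` has `hwsched` as its source domain but is placed in init.te, so it is invisible to anyone auditing hwsched.te and reads like an init permission to anyone auditing init. It belongs in the new hwsched.te next to `allow hwsched cust_data_file:lnk_file read;`.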
@@ -0,0 +1,6 @@
+type irqbalance, domain;
+type irqbalance_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(irqbalance);
+
+allow irqbalance self:capability dac_override;
diff --git a/sepolicy/private/kernel.te b/sepolicy/private/kernel.te
new file mode 100644
index 0000000..14ee49b
--- /dev/null
+++ b/sepolicy/private/kernel.te
@@ -0,0 +1,7 @@
+allow kernel device:dir rw_dir_perms;
+allow kernel self:capability { mknod dac_override };
+allow kernel sysfs_devices_system_cpu:file write;
+allow kernel dubai_log_device:chr_file { read write open };
+allow kernel device:chr_file { create setattr };
+allow kernel system_data_file:dir { create_dir_perms rw_dir_perms };
+allow kernel system_data_file:file create_file_perms;
diff --git a/sepolicy/private/mac_addr_normalization.te b/sepolicy/private/mac_addr_normalization.te
new file mode 100644
index 0000000..fde1330
--- /dev/null
+++ b/sepolicy/private/mac_addr_normalization.te
@@ -0,0 +1,8 @@
+# mac_addr_normalization daemon
+type mac_addr_normalization, domain, domain_deprecated;
+type mac_addr_normalization_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mac_addr_normalization)
+
+allow mac_addr_normalization bluetooth_prop:file r_file_perms;
diff --git a/sepolicy/private/netd.te b/sepolicy/private/netd.te
new file mode 100644
index 0000000..0a8b7a4
--- /dev/null
+++ b/sepolicy/private/netd.te
@@ -0,0 +1 @@
+allow netd sysfs:file { read write open };
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
index 6c318ee..5c9b49d 100644
--- a/sepolicy/private/priv_app.te
+++ b/sepolicy/private/priv_app.te
@@ -4,3 +4,6 @@ binder_call(hal_camera_server, priv_app)
 # Allow priv_app to find default_hisi_hwservice
 allow priv_app default_hisi_hwservice:hwservice_manager find;
+
+allow priv_app mnt_modem_file:dir search;
+allow priv_app sysfs:file { read write open };
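Review bot: `allow kernel system_data_file:dir { create_dir_perms rw_dir_perms };` and `allow kernel system_data_file:file create_file_perms;` let the `kernel` domain create and write files anywhere labelled system_data_file, i.e. most of /data, and `allow kernel device:chr_file { create setattr };` together with `self:capability { mknod dac_override }` lets it create device nodes under /dev; both are far wider than any single denial. Denials attributed to `kernel` usually come from a kernel thread or a driver (the `dubai_log_device` rule points at a specific logging driver), and the fix is to label the directory and node it touches with dedicated types and allow only those. Platform policy restricts device-node creation and writes under /data with neverallow rules, so this file may also not compile; build the policy before merging to confirm.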
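Review bot: `type mac_addr_normalization_exec, exec_type, file_type;` lacks `vendor_file_type`, unlike the `_exec` types for hinetmanager, hwemerffu_service, hwsched and irqbalance in this same commit; if the binary lives under /vendor it needs `vendor_file_type` for the Treble labelling checks, and if it lives under /system the domain should not be set up as a vendor daemon. `allow mac_addr_normalization bluetooth_prop:file r_file_perms;` is exactly what `get_prop(mac_addr_normalization, bluetooth_prop)` expands to, so the macro is the idiomatic form and documents the intent. `domain_deprecated` carries no rules in this policy (see private/attributes), so the attribute on the `type` line is inert.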
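Review bot: `allow netd sysfs:file { read write open };`, like `allow priv_app sysfs:file { read write open };` in priv_app.te, grants write on the generic `sysfs` label, which covers every node under /sys that has no dedicated genfs_contexts entry; a denial names one path, and the pattern this policy already follows is to give that path its own `sysfs_*` type (sysfs_zram, sysfs_led) and allow only that. For priv_app the write half is the concerning part: privileged apps writing arbitrary unlabelled sysfs nodes is the kind of access that is hard to withdraw once an app depends on it. `allow system_server sysfs:file r_file_perms;` in system_server.te has the same breadth but is read-only.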
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
new file mode 100644
index 0000000..12ad26d
--- /dev/null
+++ b/sepolicy/private/radio.te
@@ -0,0 +1,3 @@
+allow radio odm_xml_file:dir rw_dir_perms;
+allow radio odm_xml_file:file rw_file_perms;
+
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
index 31414a2..34e86c0 100644
--- a/sepolicy/private/service_contexts
+++ b/sepolicy/private/service_contexts
@@ -1,2 +1,3 @@
 DisplayEngineService u:object_r:display_engine_service:s0
 extphone u:object_r:radio_service:s0
+IDisplayEffectClient u:object_r:untrusted_app_visible_hisi_hwservice:s0
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
index cf154b7..def5980 100644
--- a/sepolicy/private/system_server.te
+++ b/sepolicy/private/system_server.te
@@ -12,3 +12,9 @@ allow system_server display_engine_service:service_manager find;
 # Allow system_server to find hal_ext_fingerprint_hwservice
 allow system_server hal_ext_fingerprint_hwservice:hwservice_manager find;
+
+# Allow system_server to read and write to sysfs_zram
+allow system_server sysfs_zram:lnk_file rw_file_perms;
+
+# Allow system_server to read inside /sys
+allow system_server sysfs:file r_file_perms;
diff --git a/sepolicy/private/te_macros b/sepolicy/private/te_macros
new file mode 100644
index 0000000..fd244c7
--- /dev/null
+++ b/sepolicy/private/te_macros
@@ -0,0 +1,4 @@
+#####################################
+# Common groupings of permissions.
+#
+define(`link_file_perms', `{ getattr link unlink rename }')
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
new file mode 100644
index 0000000..ded5968
--- /dev/null
+++ b/sepolicy/private/vendor_init.te
@@ -0,0 +1,2 @@
+allow vendor_init kernel:system module_request;
+allow vendor_init tmpfs:lnk_file create;
diff --git a/sepolicy/private/vold.te b/sepolicy/private/vold.te
index 230d8c6..76b1c20 100644
--- a/sepolicy/private/vold.te
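Review bot: `allow radio odm_xml_file:dir rw_dir_perms;` and `allow radio odm_xml_file:file rw_file_perms;` give the radio domain write access to a permissions XML directory on /odm, a partition that is normally mounted read-only; a denial from reading those files would be satisfied by `search` on the directory and `r_file_perms` on the files. If radio really writes there, a comment explaining why belongs above the rules, because a writable permission-definition directory is unusual and the next reviewer will ask. The trailing empty added line is a style nit.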
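Review bot: `allow system_server sysfs_zram:lnk_file rw_file_perms;` grants write, append and open on the symlink class, but in practice the only access exercised on a symlink is reading its target; the denial was presumably `read` on the link, so `allow system_server sysfs_zram:lnk_file read;` is the matching rule and the comment above it should then say "read" rather than "read and write". If system_server actually writes the zram node, that is a `sysfs_zram:file write` rule like the one vold.te receives in this commit, not a lnk_file rule.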
+++ b/sepolicy/private/vold.te
@@ -7,3 +7,9 @@ allow vold {
 # Allow vold to list files in mnt_modem_file
 allow vold mnt_modem_file:dir search;
+
+# Allow vold to write to sdd system block
+allow vold sys_block_sdd:file write;
+
+# Allow vold to write inside zram file system
+allow vold sysfs_zram:file write;
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
index 161bde5..11852de 100644
--- a/sepolicy/public/file.te
+++ b/sepolicy/public/file.te
@@ -21,3 +21,10 @@ type sysfs_devices_platform_amba, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
 type sysfs_touchscreen, sysfs_type, fs_type;
 type teecd_data_file, file_type;
+type hisee_blkdev, dev_type;
+type odm_xml_file, file_type;
+type sys_block_sdd, dev_type;
+type modem_fw_file, data_file_type, file_type;
+type hinetmanager_data_vendor_file, data_file_type, file_type;
+type hwemerffu_file, data_file_type, file_type;
+type sysfs_led, sysfs_type, file_type;
diff --git a/sepolicy/public/service.te b/sepolicy/public/service.te
index 4a25ddb..f39fd2a 100644
--- a/sepolicy/public/service.te
+++ b/sepolicy/public/service.te
@@ -1 +1,2 @@
 type display_engine_service, service_manager_type;
+type untrusted_app_visible_hisi_hwservice, service_manager_type;
|
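Review bot: `type sysfs_led, sysfs_type, file_type;` breaks the pattern of the adjacent sysfs declarations (`type sysfs_fingerprint, sysfs_type, fs_type;`), and `type sys_block_sdd, dev_type;` is declared as a device type while vold.te uses it with the `file` class (`allow vold sys_block_sdd:file write;`), which suggests it is really a sysfs path under /sys/block and should be declared `sysfs_type, fs_type` and applied through genfs_contexts. `hisee_blkdev`, `sys_block_sdd`, `modem_fw_file`, `hinetmanager_data_vendor_file` and `hwemerffu_file` are all declared here but no file_contexts or genfs_contexts entry in this commit applies any of them, so the allow rules referencing them only take effect if some other policy directory labels the objects — worth confirming before merging.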
