| author | Ethan Chen <intervigil@gmail.com> | 2014-12-23 19:27:37 -0800 |
|---|---|---|
| committer | Ethan Chen <intervigil@gmail.com> | 2014-12-23 21:46:17 -0800 |
| commit | 675f20bc222602589de61734309cf15235af87d2 (patch) | |
| tree | 41683755e8087ddef9be14368a8937e053a78f09 | |
| parent | 4f32423ddc655d9643bd5c4cd2bf642994ae23ce (diff) | |
ghost: Reduce permissiveness of SELinux policy
Change-Id: I5506a95dce47115edd5d45f6d371531add7ed4a5
| -rw-r--r-- | sepolicy/file_contexts | 1 | ||||
| -rw-r--r-- | sepolicy/init_shell.te | 2 | ||||
| -rw-r--r-- | sepolicy/location.te | 6 | ||||
| -rw-r--r-- | sepolicy/mm-qcamerad.te | 11 | ||||
| -rw-r--r-- | sepolicy/rmt_storage.te | 4 | ||||
| -rw-r--r-- | sepolicy/thermal-engine.te | 2 |
6 files changed, 7 insertions, 19 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a0f4417..85dd9ff 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -12,7 +12,6 @@
 # GPS
 /data/misc/gpsone_d(/.*)? u:object_r:location_data_file:s0
-/data/misc/gsiff_ctrl_q u:object_r:location_data_file:s0
 # JPEG engine
 /dev/gemini.* u:object_r:camera_device:s0
diff --git a/sepolicy/init_shell.te b/sepolicy/init_shell.te
index b4f0b04..d091c6d 100644
--- a/sepolicy/init_shell.te
+++ b/sepolicy/init_shell.te
@@ -1 +1 @@
-allow init_shell utags_block_device:blk_file create_file_perms;
+allow init_shell utags_block_device:blk_file { open read };
diff --git a/sepolicy/location.te b/sepolicy/location.te
index c302522..f749b36 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,7 +1,3 @@
-allow location location_data_file:fifo_file rw_file_perms;
-allow location system_data_file:dir w_dir_perms;
-allow location system_data_file:fifo_file create_file_perms;
-type_transition location system_data_file:file location_data_file;
 allow location system_server:unix_stream_socket { read write };
-
 binder_call(location, system_server)
+type_transition location system_data_file:file location_data_file;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 02d3e24..796e6f7 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
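Review bot: The new `{ open read }` on utags_block_device in init_shell.te drops `getattr`, `ioctl` and `lock` together with the write-side permissions, so a script that stats the partition, seeks in it or reads it with a tool that queries the device size will now be denied on the read path, not just on writes. If read-only access is the intent, the AOSP `r_file_perms` macro, `allow init_shell utags_block_device:blk_file r_file_perms;`, says exactly that without reopening create/write/unlink; if the script genuinely only opens and reads, a one-line comment such as `# read-only: the utags partition is parsed here, never rewritten` would keep the next maintainer from widening it again. Which of those permissions the script actually exercises cannot be seen from this hunk and should be checked against the avc denial log.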
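Review bot: The kept `type_transition location system_data_file:file location_data_file;` at the end of location.te is now dead policy: a type_transition only picks the label of a newly created file and grants nothing by itself, and every rule that let `location` create anything under a system_data_file directory (`system_data_file:dir w_dir_perms` and the fifo_file rules) is removed in this same hunk. The hunk covers the whole of location.te, so after this change the file contains no rule permitting `location` to create files at all; unless a device-common policy outside this diff grants it, any such create is denied before the transition is consulted. Either remove the transition as well so the file reflects what is actually allowed, or, if the daemon still has to create a file under /data, keep it and add the narrow pair `allow location system_data_file:dir { search write add_name };` and `allow location location_data_file:file create_file_perms;` with a comment naming the file being created.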
@@ -1,10 +1,3 @@
-# Create front and back camera sockets (/data/cam_socket[01])
-type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket0";
-allow mm-qcamerad audio_device:chr_file rw_file_perms;
-allow mm-qcamerad audio_device:dir r_dir_perms;
-allow mm-qcamerad camera_socket:chr_file rw_file_perms;
 allow mm-qcamerad graphics_device:dir search;
-allow mm-qcamerad graphics_device:chr_file rw_file_perms;
-allow mm-qcamerad mpdecision:unix_stream_socket connectto;
-allow mm-qcamerad socket_device:sock_file w_file_perms;
-allow mm-qcamerad system_data_file:sock_file create_file_perms;
+allow mm-qcamerad graphics_device:chr_file { open read write ioctl };
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket0";
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index be27a3a..64f49eb 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -1,5 +1,5 @@
 typeattribute rmt_storage rmt_placeholder;
 allow rmt_storage firmware_file:dir search;
-allow rmt_storage firmware_file:file r_file_perms;
-allow rmt_storage kmem_device:chr_file rw_file_perms;
+allow rmt_storage firmware_file:file { open read };
+allow rmt_storage kmem_device:chr_file { open read write };
 allow rmt_storage self:capability sys_rawio;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index e5a2711..e9b0429 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,3 +1,3 @@
 allow thermal-engine self:capability { chown net_admin };
 allow thermal-engine self:netlink_kobject_uevent_socket { read bind setopt };
-allow thermal-engine sysfs:file w_file_perms;
+allow thermal-engine sysfs:file { open read write };
|
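Review bot: The re-added `type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket0";` on the last line of mm-qcamerad.te has no allow rule left to back it: the rules that let the daemon create a socket file (`system_data_file:sock_file create_file_perms`, `socket_device:sock_file w_file_perms`) are removed in this hunk and there is no `allow mm-qcamerad camera_socket:sock_file create_file_perms;` for the label the transition produces. A type_transition never grants access, so creating /data/cam_socket0 is presumably denied before the transition matters and the line reads as a leftover; either drop it or restore the creation rules next to it. The hunk shows the whole of mm-qcamerad.te, so nothing else in this file grants socket creation, though a device-common policy outside the diff might. The explanatory comment `# Create front and back camera sockets (/data/cam_socket[01])` went with the old block and should be put back above the transition if it stays, since it is the only record of why the named transition exists.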
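Review bot: The tightening of the kmem_device line in rmt_storage.te is cosmetic from a security standpoint: `{ open read write }` on the /dev/mem class of devices still lets rmt_storage read and patch arbitrary physical memory, and together with the `self:capability sys_rawio` kept on the last line that makes the domain effectively as privileged as the kernel. If the daemon only talks to its own character device or a shared-memory node, the kmem_device rule should be removed outright and the resulting denials examined; if it genuinely needs /dev/mem, that deserves a comment such as `# rmt_storage reads modem shared memory via kmem_device; verify before widening` so a later reviewer does not treat the line as a minor grant. Whether the daemon actually opens a kmem_device node cannot be told from this hunk, and the rule should also be checked against any neverallow on kmem_device in the base policy this device builds on.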
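Review bot: The replacement `allow thermal-engine sysfs:file { open read write };` in thermal-engine.te still targets the generic `sysfs` type, which covers every sysfs node that has no more specific label, so the daemon keeps write access to essentially all kernel tunables rather than the handful of thermal/cpufreq nodes it presumably manages. The practitioner's fix is to label those nodes in file_contexts with a dedicated type and narrow the rule to it, e.g. `/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0` and `allow thermal-engine sysfs_thermal:file { open read write };`, with the exact paths taken from the daemon's configuration or denial log. Note also that in the AOSP te_macros of this era `w_file_perms` expands to `{ open append write }`, so this line trades `append` for `read` instead of purely narrowing; whether `read` on sysfs:file is already granted domain-wide depends on the base domain.te, which is outside this diff. The hunk shows the whole three-line file, so nothing here documents which nodes are written.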
