diff options
| author | Sumit Semwal <sumit.semwal@linaro.org> | 2018-06-19 17:52:33 +0530 |
|---|---|---|
| committer | Sumit Semwal <sumit.semwal@linaro.org> | 2018-07-24 20:31:42 +0530 |
| commit | d02043d01ad9eb9bebe9256f21654ffa8e277232 (patch) | |
| tree | 1172a77240bda1cef5cb29a6672f637545412869 | |
| parent | 51624e382d3e2288cea4ad120dec7f3ce8ce5e98 (diff) | |
sepolicy: Add bits needed for Treble
FULL_TREBLE requires changes to sepolicies related to
dragonboard - lets add those bits.
Most of this work is done standing on shoulders of giants -
Vishal Bhoj <vishal.bhoj@linaro.org>,
Amit Pundir <amit.pundir@linaro.org>
I just relied heavily on their advice to sort these out - ofcourse,
mistakes are all mine :)
Change-Id: I6fd5092705f87220a1d44d907cc18d6976ae7d6f
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
| -rw-r--r-- | sepolicy/bootanim.te | 2 | ||||
| -rw-r--r-- | sepolicy/file_contexts | 8 | ||||
| -rw-r--r-- | sepolicy/hal_drm_default.te | 3 | ||||
| -rw-r--r-- | sepolicy/hal_graphics_composer_default.te | 2 | ||||
| -rw-r--r-- | sepolicy/platform_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/priv_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/surfaceflinger.te | 5 | ||||
| -rw-r--r-- | sepolicy/system_app.te | 2 | ||||
| -rw-r--r-- | sepolicy/system_server.te | 8 | ||||
| -rw-r--r-- | sepolicy/zygote.te | 2 |
10 files changed, 33 insertions, 3 deletions
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te index 8325bb3..7343d6e 100644 --- a/sepolicy/bootanim.te +++ b/sepolicy/bootanim.te @@ -3,3 +3,5 @@ allow bootanim device:dir { open read }; allow bootanim gpu_device:chr_file { getattr ioctl map open read write }; allow bootanim sysfs_mdss:dir search; allow bootanim sysfs_mdss:file { getattr open read }; + +allow bootanim same_process_hal_file:file { execute getattr map open read }; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index ca709d4..e151827 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -10,3 +10,11 @@ /sys/devices/platform/soc/1a00000.mdss u:object_r:sysfs_mdss:s0 /system/bin/tinymix u:object_r:tinymix_exec:s0 + +/(vendor|system/vendor)/lib(64)?/hw/gralloc\.gbm\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libgbm\.so u:object_r:same_process_hal_file:s0 + +/(vendor|system/vendor)/lib(64)?/dri/gallium_dri\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libdrm_freedreno\.so u:object_r:same_process_hal_file:s0 diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te new file mode 100644 index 0000000..389860d --- /dev/null +++ b/sepolicy/hal_drm_default.te @@ -0,0 +1,3 @@ +# audit2allow fixes for FULL_TREBLE +#============= hal_drm_default ============== +allow hal_drm_default vndbinder_device:chr_file rw_file_perms; diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index 7a0e52d..37f37f7 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te @@ -8,4 +8,4 @@ allow hal_graphics_composer_default gpu_device:chr_file { getattr ioctl open rea allow hal_graphics_composer_default sysfs_mdss:file { getattr open read }; allow hal_graphics_composer_default sysfs_mdss:dir search; allow hal_graphics_composer_default hal_configstore_default:binder call; -allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write }; +allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write map }; diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te new file mode 100644 index 0000000..5bec997 --- /dev/null +++ b/sepolicy/platform_app.te @@ -0,0 +1,2 @@ +#============= platform_app ============== +allow platform_app same_process_hal_file:file { execute getattr map open read }; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te new file mode 100644 index 0000000..5ed777d --- /dev/null +++ b/sepolicy/priv_app.te @@ -0,0 +1,2 @@ +#============= priv_app ============== +allow priv_app same_process_hal_file:file { getattr map open read }; diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te index b54146a..d33773d 100644 --- a/sepolicy/surfaceflinger.te +++ b/sepolicy/surfaceflinger.te @@ -2,6 +2,7 @@ allow surfaceflinger sw_sync_device:chr_file rw_file_perms; # audit2allow fixes wrt external/mesa3d project update to mesa-18.0 allow surfaceflinger device:dir { open read }; -allow surfaceflinger gpu_device:chr_file { getattr ioctl map open read write }; +allow surfaceflinger gpu_device:chr_file { getattr ioctl map open read write map}; allow surfaceflinger sysfs_mdss:dir search; -allow surfaceflinger sysfs_mdss:file { getattr open read }; +allow surfaceflinger sysfs_mdss:file { getattr open read map }; +allow surfaceflinger same_process_hal_file:file { getattr open read }; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te new file mode 100644 index 0000000..0411c77 --- /dev/null +++ b/sepolicy/system_app.te @@ -0,0 +1,2 @@ +#============= system_app ============== +allow system_app same_process_hal_file:file { execute getattr map open read }; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644 index 0000000..ce89613 --- /dev/null +++ b/sepolicy/system_server.te @@ -0,0 +1,8 @@ +# TODO(b/73123675): BatterySaver needs access to cpufreq. Remove this access +# once cpufreq functionality is hidden behind a HAL. +allow system_server sysfs_devices_system_cpu:file w_file_perms; +dontaudit system_server self:capability sys_module; + +# audit2allow +allow system_server same_process_hal_file:file { getattr map open read }; +allow system_server sysfs_mdss:file { getattr open read }; diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te new file mode 100644 index 0000000..b6b1702 --- /dev/null +++ b/sepolicy/zygote.te @@ -0,0 +1,2 @@ +#============= zygote ============== +allow zygote vendor_file:file read; |