From d02043d01ad9eb9bebe9256f21654ffa8e277232 Mon Sep 17 00:00:00 2001
From: Sumit Semwal
Date: Tue, 19 Jun 2018 17:52:33 +0530
Subject: sepolicy: Add bits needed for Treble

FULL_TREBLE requires changes to sepolicies related to dragonboard - lets add those bits. Most of this work is done standing on shoulders of giants - Vishal Bhoj , Amit Pundir I just relied heavily on their advice to sort these out - ofcourse, mistakes are all mine :)

Change-Id: I6fd5092705f87220a1d44d907cc18d6976ae7d6f
Signed-off-by: Sumit Semwal
---
 sepolicy/bootanim.te | 2 ++
 sepolicy/file_contexts | 8 ++++++++
 sepolicy/hal_drm_default.te | 3 +++
 sepolicy/hal_graphics_composer_default.te | 2 +-
 sepolicy/platform_app.te | 2 ++
 sepolicy/priv_app.te | 2 ++
 sepolicy/surfaceflinger.te | 5 +++--
 sepolicy/system_app.te | 2 ++
 sepolicy/system_server.te | 8 ++++++++
 sepolicy/zygote.te | 2 ++
 10 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 sepolicy/hal_drm_default.te
 create mode 100644 sepolicy/platform_app.te
 create mode 100644 sepolicy/priv_app.te
 create mode 100644 sepolicy/system_app.te
 create mode 100644 sepolicy/system_server.te
 create mode 100644 sepolicy/zygote.te

diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 8325bb3..7343d6e 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -3,3 +3,5 @@ allow bootanim device:dir { open read };
 allow bootanim gpu_device:chr_file { getattr ioctl map open read write };
 allow bootanim sysfs_mdss:dir search;
 allow bootanim sysfs_mdss:file { getattr open read };
+
+allow bootanim same_process_hal_file:file { execute getattr map open read };
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index ca709d4..e151827 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
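Review bot: The `same_process_hal_file` rule added at the end of the bootanim hunk is, as far as I recall, already granted by the platform policy — AOSP's public domain.te allows every domain `{ execute read open getattr map }` on `same_process_hal_file` precisely so SP-HALs can be loaded in-process — which would make this line, and the matching ones in platform_app.te, priv_app.te, system_app.te, system_server.te and surfaceflinger.te, redundant; confirm against the platform policy this tree builds with. If the denials that motivated them were captured before the file_contexts entries in this same commit relabelled the libraries, they would have been on `vendor_file`, not `same_process_hal_file`, so the audit2allow output may not correspond to any remaining denial. A comment naming the library and denial each rule answers, e.g. `# gralloc.gbm / Mesa loaded in-process, see file_contexts`, would let the next maintainer drop these safely.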
@@ -10,3 +10,11 @@
 /sys/devices/platform/soc/1a00000.mdss u:object_r:sysfs_mdss:s0
 /system/bin/tinymix u:object_r:tinymix_exec:s0
+
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.gbm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgbm\.so u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/dri/gallium_dri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_freedreno\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..389860d
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,3 @@
+# audit2allow fixes for FULL_TREBLE
+#============= hal_drm_default ==============
+allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index 7a0e52d..37f37f7 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -8,4 +8,4 @@ allow hal_graphics_composer_default gpu_device:chr_file { getattr ioctl open rea
 allow hal_graphics_composer_default sysfs_mdss:file { getattr open read };
 allow hal_graphics_composer_default sysfs_mdss:dir search;
 allow hal_graphics_composer_default hal_configstore_default:binder call;
-allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write };
+allow hal_graphics_composer_default vndbinder_device:chr_file { ioctl map open read write map };
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..5bec997
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,2 @@
+#============= platform_app ==============
+allow platform_app same_process_hal_file:file { execute getattr map open read };
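Review bot: Labelling libdrm.so, libgbm.so, libglapi.so, libdrm_freedreno.so, gallium_dri.so and gralloc.gbm.so as `same_process_hal_file` is the right mechanism for code that runs inside client processes, but it also makes each of them mappable and executable by every domain that holds that type — including the app domains this commit adds rules for — so the list should stay limited to what is actually dlopen'd in-process. The hunk gives no indication of which consumer pulls in which library, and the two groups separated by the blank line are not explained; a header comment such as `# Same-process HAL libraries: the GBM gralloc module and the Mesa/libdrm stack it loads in-process` (presumably the dependency chain here — confirm) would make later trimming possible. The regexes themselves look right: dots are escaped and `lib(64)?` covers both ABI directories.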
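Review bot: The new `allow hal_drm_default vndbinder_device:chr_file rw_file_perms;` grants the raw device node but none of the binder permissions that go with using it; the platform policy provides the `vndbinder_use()` macro for this, which as I recall also grants the `binder { call transfer }` and fd-use permissions towards `vndservicemanager` that any vndbinder client needs, so the next audit2allow round would otherwise add those piecemeal. Prefer the macro over the raw rule: `vndbinder_use(hal_drm_default)`. The `# audit2allow fixes for FULL_TREBLE` header would be more useful if it named the denial being fixed, i.e. which vendor service hal_drm_default reaches over vndbinder.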
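Review bot: The rewritten vndbinder_device line in the hal_graphics_composer_default hunk is a no-op: `map` is already present in the removed line's permission set, so appending a second `map` changes nothing and only leaves a duplicate token. The same duplicate (plus a missing space before the closing brace) is introduced on the gpu_device line in surfaceflinger.te. Either drop both lines from the change or, if a different permission was actually denied — the commit message does not say — add that one instead; the original `{ ioctl map open read write }` can stay as it is.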
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..5ed777d
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,2 @@
+#============= priv_app ==============
+allow priv_app same_process_hal_file:file { getattr map open read };
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index b54146a..d33773d 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -2,6 +2,7 @@ allow surfaceflinger sw_sync_device:chr_file rw_file_perms;
 # audit2allow fixes wrt external/mesa3d project update to mesa-18.0
 allow surfaceflinger device:dir { open read };
-allow surfaceflinger gpu_device:chr_file { getattr ioctl map open read write };
+allow surfaceflinger gpu_device:chr_file { getattr ioctl map open read write map};
 allow surfaceflinger sysfs_mdss:dir search;
-allow surfaceflinger sysfs_mdss:file { getattr open read };
+allow surfaceflinger sysfs_mdss:file { getattr open read map };
+allow surfaceflinger same_process_hal_file:file { getattr open read };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..0411c77
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,2 @@
+#============= system_app ==============
+allow system_app same_process_hal_file:file { execute getattr map open read };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..ce89613
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,8 @@
+# TODO(b/73123675): BatterySaver needs access to cpufreq. Remove this access
+# once cpufreq functionality is hidden behind a HAL.
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+dontaudit system_server self:capability sys_module;
+
+# audit2allow
+allow system_server same_process_hal_file:file { getattr map open read };
+allow system_server sysfs_mdss:file { getattr open read };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..b6b1702
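Review bot: The priv_app rule at the end of this hunk grants `{ getattr map open read }` on `same_process_hal_file` without the `execute` that platform_app.te and system_app.te receive in the same commit. A library mapped with PROT_EXEC needs both `map` and `execute`, so if priv_app processes load these libraries the way the other app domains do, this set will produce a further denial on `execute`; if they only ever read the file, the narrower set is correct and a comment saying so would stop the next audit2allow pass from widening it. Please make the three app-domain files consistent, or document why they differ.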
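Review bot: The new `allow surfaceflinger same_process_hal_file:file { getattr open read };` line is narrower than every other same_process_hal_file rule in this commit — no `map`, no `execute` — even though surfaceflinger is the process most likely to load the gralloc and Mesa libraries relabelled in file_contexts. If it does load them, the rule will fail at mmap and be widened by the next audit2allow pass; either grant the in-process-HAL set now, `allow surfaceflinger same_process_hal_file:file { execute getattr map open read };`, or comment why read-only access suffices here. The `map` added to `sysfs_mdss:file` in the preceding line is plausible for a sysfs attribute, but it leaves surfaceflinger's sysfs_mdss set differing from bootanim's and hal_graphics_composer_default's, which stay at `{ getattr open read }`; a note on which consumer actually maps it would help. The duplicate `map` on the gpu_device line is raised on the hal_graphics_composer_default hunk.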
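Review bot: The first two rules in the new system_server.te, `allow system_server sysfs_devices_system_cpu:file w_file_perms;` and the `sys_module` dontaudit, carry a TODO(b/73123675) comment that reads as copied from the platform policy rather than as a dragonboard-specific need; write access to cpufreq sysfs from system_server is a meaningful privilege, so if the platform already grants it in this tree the device copy is redundant, and if it does not, the comment should say what on this board needs it so the rule can go when the referenced bug is fixed. More generally, a device policy directory carrying rules for core domains (system_server, zygote, surfaceflinger, the app domains) is what the Treble split is meant to avoid; confirm these files are picked up from the directory the build expects for platform-private additions rather than the vendor policy, where later compatibility checks may reject them. The trailing `# audit2allow` comment would be clearer as `# audit2allow: in-process HAL libraries and mdss sysfs reads` with the originating denials noted.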
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,2 @@
+#============= zygote ==============
+allow zygote vendor_file:file read;
--
cgit v1.2.3
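Review bot: `allow zygote vendor_file:file read;` at the end of the zygote hunk is broad for what it looks like it fixes: `vendor_file` is the default label for everything under /vendor, so this lets zygote read any file that has no more specific label, yet the rule grants `read` without `open`, which only makes sense if zygote inherits an already-open descriptor from another process. If the denial was on a specific library, the fix that fits this commit is to give that file the `same_process_hal_file` label in file_contexts, as done for the Mesa/GBM libraries, rather than opening the catch-all type; if it really is an inherited fd, say so in a comment naming the source, e.g. `# fd inherited from <VENDOR_PROCESS placeholder>; read only, never opened here`. Either way, check the rule against the platform neverallow rules on coredomain access to vendor_file, which may reject it when compiled against a newer platform policy.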