880a69cd42
As part of security hardening access to sysfs label related sepolicy rules should be removed. So cleaning all the directory reads and sysfs:file access which were seen in the following . hal_bootctl hal_gnss_qti hal_pasrmanager pd_services ssr_diag ssr_setup thermal-engine qmuxd sensors hal_perf_default Change-Id: I51e98a3f68211357e2bb1455f28a96fc3aad4d88
65 lines
2.5 KiB
Text
65 lines
2.5 KiB
Text
# Copyright (c) 2016, The Linux Foundation. All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following
|
|
# disclaimer in the documentation and/or other materials provided
|
|
# with the distribution.
|
|
# * Neither the name of The Linux Foundation nor the names of its
|
|
# contributors may be used to endorse or promote products derived
|
|
# from this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
|
|
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
|
|
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
|
|
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
|
|
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
|
|
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
|
|
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
# spdaemon service
|
|
type spdaemon, domain;
|
|
|
|
type spdaemon_exec, exec_type, vendor_file_type, file_type;
|
|
|
|
init_daemon_domain(spdaemon)
|
|
|
|
# Allow access to spcom device
|
|
allow spdaemon spcom_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to skp device
|
|
allow spdaemon skp_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to sp_ssr device
|
|
allow spdaemon spdaemon_ssr_device:chr_file rw_file_perms;
|
|
allow spdaemon sp_ssr_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to sp_keymaster device
|
|
allow spdaemon sp_keymaster_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to cryptoapp device
|
|
allow spdaemon cryptoapp_device:chr_file rw_file_perms;
|
|
|
|
# Allow access to ion device
|
|
allow spdaemon ion_device:chr_file rw_file_perms;
|
|
|
|
# Allow to load SPSS firmware images
|
|
r_dir_file(spdaemon, firmware_file);
|
|
|
|
|
|
# Allow SPSS-PIL via Peripheral Manager
|
|
#binder_use(spdaemon)
|
|
use_vendor_per_mgr(spdaemon)
|
|
|
|
# Allow set/get prop to set/check if app is loaded
|
|
set_prop(spdaemon, spcomlib_prop)
|
|
|
|
allow spdaemon sysfs_data:file r_file_perms;
|