Silence the denials

Change-Id: I3c03b222caec86c0b0e6975669a85bdef153ce58
AICP · Nov 25, 2016 · db6cadd · db6cadd
1 parent b0ed8e7
commit db6cadd
Show file tree

Hide file tree

Showing 13 changed files with 40 additions and 5 deletions.
diff --git a/init.mako.rc b/init.mako.rc
@@ -329,7 +329,7 @@ service qmuxd /system/bin/qmuxd
 service kickstart /system/bin/qcks -i /firmware/image/ -r /data/tombstones/mdm/
     class core
     user system
-    group system
+    group system wakelock
     oneshot
 
 service netmgrd /system/bin/netmgrd
@@ -383,10 +383,10 @@ service thermald /system/bin/thermald
     class main
     group radio system
 
-service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
+service mpdecision /system/bin/mpdecision --avg_comp
     class main
     user root
-    group root system
+    group root readproc system
 
 service qcamerasvr /system/bin/mm-qcamera-daemon
     class late_start

diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
@@ -0,0 +1,4 @@
+allow audioserver self:socket { create ioctl read };
+allow audioserver qmuxd_socket:dir { add_name write search };
+allow audioserver qmuxd_socket:sock_file { create write setattr };
+allow audioserver qmux:unix_stream_socket connectto;
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
@@ -26,3 +26,5 @@ allow { bluetooth bluetooth_loader } bluetooth_prop:property_service set;
 # Allow getprop/setprop for init.mako.bt.sh
 allow bluetooth_loader system_file:file execute_no_trans;
 allow bluetooth_loader toolbox_exec:file rx_file_perms;
+
+unix_socket_connect(bluetooth_loader, property, init)
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
@@ -5,10 +5,12 @@ type camera_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(camera)
 
+allow camera system_file:file execmod;
+
 # Interact with other media devices
 allow camera video_device:dir search;
 allow camera { gpu_device video_device }:chr_file rw_file_perms;
-allow camera { surfaceflinger mediaserver }:fd use;
+allow camera { surfaceflinger mediaserver cameraserver }:fd use;
 
 # Create front and back camera sockets (/data/cam_socket[01])
 type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
@@ -25,3 +27,9 @@ allow camera gpu_device:chr_file { read write open ioctl };
 # Connect to sensor socket (/data/app/sensor_ctl_socket)
 unix_socket_connect(camera, sensors, sensors)
 allow camera sensors_socket:sock_file read;
+
+allow camera apk_data_file:dir rw_dir_perms;
+allow camera storage_file:dir rw_dir_perms;
+allow camera storage_file:lnk_file rw_file_perms;
+allow camera mnt_user_file:dir rw_dir_perms;
+allow camera fuse:dir rw_dir_perms;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
@@ -0,0 +1,7 @@
+unix_socket_send(cameraserver, camera, camera);
+unix_socket_send(cameraserver, mpdecision, mpdecision);
+
+allow cameraserver sysfs:file r_file_perms;
+
+# for libmmjpeg
+allow cameraserver system_file:file execmod;
diff --git a/sepolicy/init.te b/sepolicy/init.te
@@ -1,2 +1,3 @@
 allow init diag_device:chr_file unlink;
 allow init tmpfs:lnk_file create_file_perms;
+allow init sysfs_hardware:file rw_file_perms;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec audio_device:chr_file { open read write ioctl };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
@@ -8,4 +8,10 @@ unix_socket_send(mediaserver, mpdecision, mpdecision)
 # TODO: Investigate the specific type of socket.
 allow mediaserver self:socket create_socket_perms;
 
+# For text relocations in /system/vendor/lib/libmmjpeg.so
+allow mediaserver system_file:file execmod;
+
 allow mediaserver media_rw_data_file:file write;
+
+allow mediaserver camera_device:chr_file { read write open ioctl };
+allow mediaserver audio_device:chr_file { read write open ioctl };
diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te
@@ -42,5 +42,6 @@ allow mpdecision sysfs:file write;
 # /proc/PID/status file.
 r_dir_file(mpdecision, system_server)
 r_dir_file(mpdecision, mediaserver)
+r_dir_file(mpdecision, cameraserver)
 
 allow mpdecision self:capability sys_nice;
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
@@ -6,7 +6,7 @@ type rmt_exec, exec_type, file_type;
 init_daemon_domain(rmt)
 
 # Drop (user, group) to (nobody, nobody)
-allow rmt self:capability { setuid setgid };
+allow rmt self:capability { setuid setgid dac_override };
 
 # opens and reads /dev/block/mmcblk0
 allow rmt root_block_device:blk_file r_file_perms;

diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
@@ -24,3 +24,6 @@ allow system_server radio_device:chr_file r_file_perms;
 allow system_server self:netlink_socket create_socket_perms;
 
 allow system_server sysfs_hardware:file rw_file_perms;
+
+allow system_server persist_file:dir r_dir_perms;
+allow system_server unlabeled:file unlink;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
@@ -3,3 +3,4 @@ allow ueventd { radio_efs_file wifi_data_file }:file r_file_perms;
 allow ueventd { firmware_file wifi_data_file }:dir r_dir_perms;
 allow ueventd { firmware_file wifi_data_file }:file r_file_perms;
 allow ueventd sysfs_smdcntl_open_timeout:file setattr;
+allow ueventd sysfs_hardware:file rw_file_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold persist_file:dir r_dir_perms;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		allow mediacodec audio_device:chr_file { open read write ioctl };