universal7904: sepolicy: Resolve neverallows
libsepol.report_failure: neverallow on line 9 of device/samsung/universal7904-common/sepolicy/vendor/mediacodec.te (or line 60921 of policy.conf) violated by allow hal_power_default hal_power_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_power.te (or line 19140 of policy.conf) violated by allow mediacodec hal_power_hwservice:hwservice_manager { find };
libsepol.report_failure: neverallow on line 5 of system/sepolicy/public/hal_power.te (or line 19132 of policy.conf) violated by allow mediacodec hal_power_hwservice:hwservice_manager { add };
libsepol.report_failure: neverallow on line 990 of system/sepolicy/public/domain.te (or line 13095 of policy.conf) violated by allow zygote vendor_file:file { read };
libsepol.report_failure: neverallow on line 861 of system/sepolicy/public/domain.te (or line 12818 of policy.conf) violated by allow hal_fingerprint_default fingerprintd_data_file:dir { write };
libsepol.report_failure: neverallow on line 861 of system/sepolicy/public/domain.te (or line 12818 of policy.conf) violated by allow rild radio_data_file:dir { search };
libsepol.report_failure: neverallow on line 861 of system/sepolicy/public/domain.te (or line 12818 of policy.conf) violated by allow hal_camera_default camera_data_file:dir { search };
libsepol.report_failure: neverallow on line 861 of system/sepolicy/public/domain.te (or line 12818 of policy.conf) violated by allow hal_drm_widevine media_data_file:dir { search };
libsepol.report_failure: neverallow on line 831 of system/sepolicy/public/domain.te (or line 12761 of policy.conf) violated by allow rild radio_data_file:file { lock open watch watch_reads };
Change-Id: I47cc5117dda055ca4041e666bb7ffa8a51f9a3d9
Signed-off-by: SamarV-121 <samarvispute121@gmail.com>
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 313e7bc..274d1e8 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -7,7 +7,6 @@
allow hal_camera_default sysfs_virtual:file rw_file_perms;
allow hal_camera_default sysfs_camera:dir search;
allow hal_camera_default sysfs_camera:file rw_file_perms;
-allow hal_camera_default camera_data_file:dir search;
get_prop(hal_camera_default, exported_camera_prop)
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 97c6652..fee899d 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -14,7 +14,6 @@
allow hal_drm_widevine mediadrm_data_file:dir create_dir_perms;
allow hal_drm_widevine mediadrm_data_file:file create_file_perms;
-allow hal_drm_widevine media_data_file:dir search;
allow hal_drm_widevine vendor_data_file:dir create_dir_perms;
allow hal_drm_widevine vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 00aa5bc..a5fa396 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -1,3 +1,5 @@
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+
allow hal_fingerprint_default fingerprintd_data_file:dir write;
allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
allow hal_fingerprint_default sysfs_virtual:dir search;
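Review bot: The added `typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;` exempts the domain from the neverallow instead of removing its cause. The rule `allow hal_fingerprint_default fingerprintd_data_file:dir write;` directly below it still lets the vendor HAL write into a core-owned data directory. The camera, widevine and rild hunks in this commit resolve the same domain.te neverallow by deleting the offending rule, so this would be the only domain left carrying an exemption. If the HAL's storage path can be moved under /data/vendor (not visible from this patch), label it with a vendor-owned type such as AOSP's `fingerprint_vendor_data_file` and drop both lines. Otherwise, document the exemption above the attribute, e.g. `# Exempted: HAL still writes to fingerprintd_data_file; remove once its data lives under /data/vendor`.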
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
index 433a7ff..ec2a674 100644
--- a/sepolicy/vendor/mediacodec.te
+++ b/sepolicy/vendor/mediacodec.te
@@ -3,7 +3,4 @@
allow mediacodec sysfs_v4l_mfc:dir search;
allow mediacodec sysfs_v4l_mfc:file r_file_perms;
-binder_call(mediacodec, hal_power_default)
-binder_call(hal_power_default, mediacodec)
-
-add_hwservice(mediacodec, hal_power_hwservice)
+hal_client_domain(mediacodec, hal_power);
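Review bot: The new `hal_client_domain(mediacodec, hal_power);` line has no comment saying why the codec process needs to be a power HAL client. mediacodec parses untrusted media, so each HAL it can reach should carry a stated reason, for example `# mediacodec sends power hints during playback (confirm against the vendor codec)`. The trailing `;` is also unnecessary on a macro call, and `get_prop(hal_camera_default, exported_camera_prop)` elsewhere in this patch is written without one. Writing it as `hal_client_domain(mediacodec, hal_power)` keeps the policy files consistent.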
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 8ad6313..250b090 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -8,8 +8,6 @@
allow rild radio_vendor_data_file:file create_file_perms;
allow rild radio_vendor_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file rw_file_perms;
-allow rild radio_data_file:dir search;
allow rild proc_qtaguid_stat:file read;
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
index 84b4e2a..01d0350 100644
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@@ -1,3 +1 @@
get_prop(zygote, exported_camera_prop);
-# allow zygote system_file:dir write;
-allow zygote vendor_file:file read;