Fix some denials

TTTT555 · TTTT555 · commit 68d3191a9d44 · 2020-02-18T14:47:31.000+02:00
diff --git a/rootdir/etc/ueventd.qcom.rc b/rootdir/etc/ueventd.qcom.rc
@@ -221,8 +221,9 @@ subsystem msm_camera
 # drv2605 LRA vibrator
 /dev/drv2605              0660   system     system
 
-# Add device block for FRP
-/dev/block/bootdevice/by-name/config    0660   system     system
+# Add device block for FRP (+sd_load)
+/dev/block/platform/soc.0/7824900.sdhci/by-name/config    0644   system     system
+/dev/block/platform/soc.0/7864900.sdhci/by-name/config    0644   system     system
 
 # Libprocessgroup permissions
 /dev/acct/uid_*           0777   system     system
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
@@ -1 +1 @@
-allow bootanim vendor_file:file { read open execute getattr };
+allow bootanim vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/dex2oat.te b/sepolicy/vendor/dex2oat.te
@@ -1 +1 @@
-allow dex2oat vendor_file:file { execute read open getattr };
+allow dex2oat vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/fsck_untrusted.te b/sepolicy/vendor/fsck_untrusted.te
@@ -1 +1 @@
-allow fsck_untrusted vendor_file:file { execute read open getattr };
+allow fsck_untrusted vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
@@ -1,3 +1,5 @@
 allow kernel domain:process setsched;
 allow kernel self:capability dac_override;
+allow kernel untrusted_app:fd use;
+allow kernel untrusted_app_25:fd use;
 allow kernel untrusted_app_27:fd use;
diff --git a/sepolicy/vendor/logpersist.te b/sepolicy/vendor/logpersist.te
@@ -1 +1 @@
-allow logpersist vendor_file:file { execute read open getattr };
+allow logpersist vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/mediaserver.te b/sepolicy/vendor/mediaserver.te
@@ -1,3 +1,3 @@
 allow mediaserver hal_lineage_camera_motor_hwservice:hwservice_manager { find };
 allow mediaserver media_rw_data_file:file { read open execute getattr };
-allow mediaserver vendor_file:file { read open execute getattr };
+allow mediaserver vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
@@ -1,2 +1,2 @@
-allow platform_app vendor_file:file { open read getattr };
+allow platform_app vendor_file:file { r_file_perms };
 allow platform_app init:binder { call transfer };
diff --git a/sepolicy/vendor/sdcardd.te b/sepolicy/vendor/sdcardd.te
@@ -1 +1 @@
-allow sdcardd vendor_file:file { open read getattr execute };
+allow sdcardd vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/shell.te b/sepolicy/vendor/shell.te
@@ -1 +1 @@
-allow shell vendor_file:file { execute read open getattr };
+allow shell vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
@@ -1,2 +1,2 @@
 allow surfaceflinger default_android_service:service_manager { add find };
-allow surfaceflinger vendor_file:file { read open getattr execute };
+allow surfaceflinger vendor_file:file { rx_file_perms };
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
@@ -9,6 +9,6 @@ allow system_server sysfs_battery_supply:file r_file_perms;
 allow system_server sysfs_sensors:lnk_file { read };
 allow system_server sysfs_sensors:dir { read open };
 allow system_server sysfs_vibrator:file r_file_perms;
-allow system_server vendor_file:file { execute open read write getattr };
+allow system_server vendor_file:file { rwx_file_perms };
 allow system_server default_android_hwservice:hwservice_manager { find };
 allow system_server init:binder { call };
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
@@ -28,3 +28,5 @@
 unix_socket_connect(untrusted_app,dpmtcm, dpmd);
 allow untrusted_app dpmtcm_socket:sock_file w_file_perms;
 allow untrusted_app dpmd:unix_stream_socket connectto;
+
+allow untrusted_app vendor_file:file { r_file_perms };
diff --git a/sepolicy/vendor/untrusted_app_25.te b/sepolicy/vendor/untrusted_app_25.te
@@ -28,3 +28,5 @@
 unix_socket_connect(untrusted_app_25,dpmtcm, dpmd);
 allow untrusted_app_25 dpmtcm_socket:sock_file w_file_perms;
 allow untrusted_app_25 dpmd:unix_stream_socket connectto;
+
+allow untrusted_app_25 vendor_file:file { r_file_perms };
diff --git a/sepolicy/vendor/untrusted_app_27.te b/sepolicy/vendor/untrusted_app_27.te
@@ -29,5 +29,5 @@ unix_socket_connect(untrusted_app_27,dpmtcm, dpmd);
 allow untrusted_app_27 dpmtcm_socket:sock_file w_file_perms;
 allow untrusted_app_27 dpmd:unix_stream_socket connectto;
 allow untrusted_app_27 proc_stat:file { open read getattr };
-allow untrusted_app_27 vendor_file:file { open read getattr };
+allow untrusted_app_27 vendor_file:file { r_file_perms };
 allow untrusted_app_27 sysfs_kgsl:file { open read getattr };
diff --git a/sepolicy/vendor/webview_zygote.te b/sepolicy/vendor/webview_zygote.te
@@ -1,4 +1,4 @@
 allow webview_zygote zygote:unix_dgram_socket write;
 allow webview_zygote proc_cmdline:file r_file_perms;
-#allow webview_zygote theme_data_file:dir search;
+#allow webview_zygote theme_data_file:dir { search };
 #allow webview_zygote theme_data_file:file r_file_perms;
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
@@ -1 +1 @@
-allow zygote vendor_file:file { execute read open getattr };
+allow zygote vendor_file:file { rx_file_perms };

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow bootanim vendor_file:file { read open execute getattr };`
	`1`	`+allow bootanim vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow dex2oat vendor_file:file { execute read open getattr };`
	`1`	`+allow dex2oat vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow fsck_untrusted vendor_file:file { execute read open getattr };`
	`1`	`+allow fsck_untrusted vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow logpersist vendor_file:file { execute read open getattr };`
	`1`	`+allow logpersist vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-allow platform_app vendor_file:file { open read getattr };`
	`1`	`+allow platform_app vendor_file:file { r_file_perms };`
`2`	`2`	`allow platform_app init:binder { call transfer };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow sdcardd vendor_file:file { open read getattr execute };`
	`1`	`+allow sdcardd vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow shell vendor_file:file { execute read open getattr };`
	`1`	`+allow shell vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`	`1`	`allow surfaceflinger default_android_service:service_manager { add find };`
`2`		`-allow surfaceflinger vendor_file:file { read open getattr execute };`
	`2`	`+allow surfaceflinger vendor_file:file { rx_file_perms };`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-allow zygote vendor_file:file { execute read open getattr };`
	`1`	`+allow zygote vendor_file:file { rx_file_perms };`