Add sepolicy denials for many GSIs

Author: TTTT555

sepolicy/private/priv.te

@@ -1,5 +1,5 @@
 allow system_app storaged:binder call;
-allow storaged vendor_file:file { r_file_perms };
+allow storaged vendor_file:file { rx_file_perms };
 
 allow storaged sysfs:file { r_file_perms };
 allow storaged sysfs_disk_stat:file { r_file_perms };

sepolicy/vendor/blkid_untrusted.te

@@ -0,0 +1 @@
+allow blkid_untrusted vendor_file:file { rx_file_perms };

sepolicy/vendor/cameraserver.te

@@ -70,4 +70,5 @@ allow cameraserver vendor_file:file { rx_file_perms };
 
 allow cameraserver video_device:chr_file { rw_file_perms };
 allow cameraserver hidl_allocator_hwservice:hwservice_manager { find };
+allow cameraserver default_android_hwservice:hwservice_manager { find };
 

sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1,2 @@
+allow hwservicemanager init:dir { r_dir_perms };
+allow hwservicemanager init:file { r_file_perms };

sepolicy/vendor/idmap.te

@@ -1 +1 @@
-allow idmap vendor_file:file { read execute getattr };
+allow idmap vendor_file:file { rx_file_perms };

sepolicy/vendor/init.te

@@ -1,7 +1,40 @@
 allow init sysfs:file setattr;
 allow init debugfs:file write;
 allow init proc:file { r_file_perms };
-allow init system_file:file mounton;
+allow init system_file:file { mounton execute_no_trans };
+allow init platform_app:binder { call transfer };
+allow init servicemanager:binder { call };
+allow init hwservicemanager:binder { call };
+allow init system_server:binder { call transfer };
+allow init mediacodec:binder { call transfer };
+allow init mediaserver_service:service_manager { add find };
+allow init cameraserver_service:service_manager { add };
+allow init hal_camera_hwservice:hwservice_manager { find };
+allow init hidl_allocator_hwservice:hwservice_manager { find };
+allow init thermal_socket:sock_file { rw_file_perms };
+allow init thermal-engine:unix_stream_socket { connectto };
+allow init video_device:chr_file { rw_file_perms };
+allow init ion_device:chr_file { rw_file_perms };
+allow init mm-qcamerad:unix_dgram_socket { sendto };
+allow init hal_omx_hwservice:hwservice_manager { find };
+allow init processinfo_service:service_manager { find };
+allow init batterystats_service:service_manager { find };
+allow init appops_service:service_manager { find };
+allow init cameraproxy_service:service_manager { find };
+allow init hal_lineage_camera_motor_hwservice:hwservice_manager { find };
+allow init permission_service:service_manager { find };
+allow init media_rw_data_file:file { x_file_perms };
+allow init activity_service:service_manager { find };
+allow init vendor_file:file { rx_file_perms };
+allow init pmsg_device:chr_file { r_file_perms };
+allow init mediaextractor_service:service_manager { find };
+allow init mediaextractor:binder { call };
+allow init drmserver_service:service_manager { find };
+allow init drmserver:drmservice { openDecryptSession };
+allow init audioserver_service:service_manager { find };
+allow init audioserver:binder { call transfer };
+allow init hidl_memory_hwservice:hwservice_manager { find };
+allow init mediametrics_service:service_manager { find };
 
 
 # required for LD_PRELOAD

sepolicy/vendor/location.te

@@ -0,0 +1 @@
+allow location media_rw_data_file:file { rx_file_perms };

sepolicy/vendor/mediacodec.te

@@ -1 +1,2 @@
 r_dir_file(mediacodec, firmware_file)
+allow mediacodec init:binder { transfer };

sepolicy/vendor/platform_app.te

@@ -1 +1,2 @@
 allow platform_app vendor_file:file { open read getattr };
+allow platform_app init:binder { call transfer };

sepolicy/vendor/servicemanager.te

@@ -0,0 +1,5 @@
+allow servicemanager init:dir { search };
+allow servicemanager init:file { r_file_perms };
+allow servicemanager init:binder { transfer };
+allow servicemanager init:process { getattr };
+allow servicemanager init:binder { transfer };

sepolicy/vendor/sgdisk.te

@@ -1 +1 @@
-allow sgdisk vendor_file:file { open read getattr };
+allow sgdisk vendor_file:file { rx_file_perms };

sepolicy/vendor/system_server.te

@@ -11,3 +11,4 @@ allow system_server sysfs_sensors:dir { read open };
 allow system_server sysfs_vibrator:file r_file_perms;
 allow system_server vendor_file:file { execute open read write getattr };
 allow system_server default_android_hwservice:hwservice_manager { find };
+allow system_server init:binder { call };

sepolicy/vendor/toolbox.te

@@ -1 +1,9 @@
-allow toolbox vendor_file:file { read open getattr execute };
+allow toolbox vendor_file:file { rx_file_perms };
+allow toolbox init:fifo_file { rw_file_perms };
+allow toolbox property_socket:sock_file { rw_file_perms };
+allow toolbox init:unix_stream_socket { connectto };
+allow toolbox cache_file:dir { r_dir_perms };
+allow toolbox persist_file:dir { r_dir_perms };
+allow toolbox proc_filesystems:file { r_file_perms };
+allow toolbox vendor_overlay_file:dir { r_dir_perms };
+allow toolbox vendor_configs_file:dir { mounton };

sepolicy/vendor/vold.te

@@ -1,2 +1,3 @@
-allow vold vendor_file:file { open read getattr };
-allow vold_prepare_subdirs vendor_file:file { open read getattr };
+allow vold vendor_file:file { rx_file_perms };
+allow vold_prepare_subdirs vendor_file:file { rx_file_perms };
+