Merge "[ALPS03853366] Fix kisd sepolicy issue for android p[1/3]" into alps-trunk-p0.basic

Change-Id: Iabc0ec3b7609ea9a8b8f4e46662b4cd3e4e29d90 MTK-Commit-Id: 8077b66089b85bef61e63e73d4d827112a17c415
author: Long Yang <long.yang@mediatek.com> 2019-01-31 14:31:19 +0800
committer: Gerrit Code Review <gerrit@mediatek.com> 2019-01-31 14:31:19 +0800
commit: 3d8e4ce9093ff40261fae053f576b3a0701c5641 (patch)
tree: 82aedaade0cfbc4560dec98d31091d5ea5188943 /prebuilts
parent: d02c10594b4f67ed26c32bebb6b799ae761e4fb4 (diff)
parent: 5017c50a3e40c18a73cebdd05b9d846ad23e1044 (diff)
download: wembley-sepolicy-3d8e4ce9093ff40261fae053f576b3a0701c5641.tar.gz
5 files changed, 6 insertions, 11 deletions
diff --git a/prebuilts/api/26.0/nonplat_sepolicy.cil b/prebuilts/api/26.0/nonplat_sepolicy.cil
index e9299ae..1df48e5 100755
--- a/prebuilts/api/26.0/nonplat_sepolicy.cil
+++ b/prebuilts/api/26.0/nonplat_sepolicy.cil
@@ -8583,7 +8583,6 @@
 (allow mediaserver_26_0 sw_sync_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 camera_owe_device (chr_file (ioctl read write getattr lock append open)))
 (allow mediaserver_26_0 proc_26_0 (file (ioctl read getattr lock open)))
-(allow mediaserver_26_0 kisd_26_0 (unix_stream_socket (connectto)))
 (allow mediaserver_26_0 mtk_cmdq_device (chr_file (ioctl read open)))
 (allow meta_tst_26_0 ttyGS_device (chr_file (ioctl read write getattr lock append open)))
 (allow meta_tst_26_0 ttyMT_device (chr_file (ioctl read write getattr lock append open)))
diff --git a/prebuilts/api/26.0/plat_private/file_contexts b/prebuilts/api/26.0/plat_private/file_contexts
index 1a13a11..2392bc0 100755
--- a/prebuilts/api/26.0/plat_private/file_contexts
+++ b/prebuilts/api/26.0/plat_private/file_contexts
@@ -22,7 +22,7 @@
 /system/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
 /system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
 /system/bin/meta_tst u:object_r:meta_tst_exec:s0
-/system/bin/kisd u:object_r:kisd_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
 /system/bin/pre_meta u:object_r:pre_meta_exec:s0
 /system/bin/factory u:object_r:factory_exec:s0
 
@@ -38,4 +38,4 @@
 /system/bin/storagemanagerd u:object_r:storagemanagerd_exec:s0
 
 # For drmserver
-/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
-\ No newline at end of file
+/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
diff --git a/prebuilts/api/26.0/plat_private/kisd.te b/prebuilts/api/26.0/plat_private/kisd.te
index 856859b..0b9efbb 100755
--- a/prebuilts/api/26.0/plat_private/kisd.te
+++ b/prebuilts/api/26.0/plat_private/kisd.te
@@ -1,13 +1,13 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
 # Type Declaration
 # ==============================================
 
-type kisd_exec, exec_type, file_type;
-typeattribute kisd coredomain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
 
 # ==============================================
 # MTK Policy Rule
@@ -20,16 +20,13 @@ typeattribute kisd data_between_core_and_vendor_violators;
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
 allow kisd system_file:file {execute_no_trans};
-allow kisd shell_exec:file {read open getattr};
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
 allow kisd key_install_data_file:dir {write remove_name add_name};
 allow kisd key_install_data_file:file {write getattr read create unlink open};
 allow kisd key_install_data_file:dir search;
-#allow kisd self:capability {dac_override dac_read_search};
 allow kisd mtd_device:chr_file { open read write };
 allow kisd mtd_device:dir { search };
 allow kisd kb_block_device:chr_file {read write open ioctl getattr};
 allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
-
diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te
index f4da912..c1e00f2 100755
--- a/prebuilts/api/26.0/plat_private/meta_tst.te
+++ b/prebuilts/api/26.0/plat_private/meta_tst.te
@@ -31,7 +31,6 @@ allow meta_tst sysfs_wake_lock:file rw_file_perms;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
 allow meta_tst init:unix_stream_socket connectto;
-allow meta_tst kisd:unix_stream_socket connectto;
 allow meta_tst vold:unix_stream_socket connectto;
 allow meta_tst node:tcp_socket node_bind;
 allow meta_tst labeledfs:filesystem unmount;
diff --git a/prebuilts/api/26.0/plat_public/kisd.te b/prebuilts/api/26.0/plat_public/kisd.te
index cc7bd44..40ae7e3 100755
--- a/prebuilts/api/26.0/plat_public/kisd.te
+++ b/prebuilts/api/26.0/plat_public/kisd.te
@@ -1,5 +1,5 @@
 # ==============================================
-# Policy File of /system/bin/kisd Executable File
+# Policy File of /vendor/bin/kisd Executable File
 
 
 # ==============================================
author	Long Yang <long.yang@mediatek.com>	2019-01-31 14:31:19 +0800
committer	Gerrit Code Review <gerrit@mediatek.com>	2019-01-31 14:31:19 +0800
commit	3d8e4ce9093ff40261fae053f576b3a0701c5641 (patch)
tree	82aedaade0cfbc4560dec98d31091d5ea5188943 /prebuilts
parent	d02c10594b4f67ed26c32bebb6b799ae761e4fb4 (diff)
parent	5017c50a3e40c18a73cebdd05b9d846ad23e1044 (diff)
download	wembley-sepolicy-3d8e4ce9093ff40261fae053f576b3a0701c5641.tar.gz