sdm710-common: Go enforcing

- major cleanup
- sepolicy from xiaomi-sdm845-common
- label both goodix and fpc
- allystar GPS uart port and ontim nodes

BoardConfigCommon.mk

@@ -31,7 +31,6 @@ TARGET_BOARD_PLATFORM := sdm710
 
 # Kernel
 BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xA90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 service_locator.enable=1 androidboot.configfs=true androidboot.usbcontroller=a600000.dwc3 swiotlb=1 loop.max_part=7
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_BASE := 0x00000000
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_TAGS_OFFSET := 0x00000100

rootdir/etc/init.target.rc

@@ -47,10 +47,6 @@ on init
     write /dev/stune/top-app/schedtune.colocate 1
     write /sys/module/qpnp_rtc/parameters/poweron_alarm 1
 
-    # touch gesture wake node permission
-    chown system /sys/class/touch/tp_dev/gesture_on
-    chown 0660 /sys/class/touch/tp_dev/gesture_on
-
 on fs
     wait /dev/block/platform/soc/${ro.boot.bootdevice}
     symlink /dev/block/platform/soc/${ro.boot.bootdevice} /dev/block/bootdevice
@@ -125,6 +121,10 @@ on boot
     setprop vendor.usb.qdss.inst.name "qdss"
     setprop sys.usb.configfs 1
 
+    # touch gesture wake node permission
+    chown system system /sys/class/touch/tp_dev/gesture_on
+    chmod 0660 /sys/class/touch/tp_dev/gesture_on
+
 service vendor.pd_mapper /vendor/bin/pd-mapper
     class core
     user system

sepolicy/vendor/adsprpcd.te

@@ -0,0 +1 @@
+allow adsprpcd persist_file:lnk_file read;

sepolicy/vendor/appdomain.te

@@ -0,0 +1 @@
+get_prop(appdomain, camera_prop)

sepolicy/vendor/cameraserver.te

@@ -1 +0,0 @@
-allow cameraserver camera_data_file:file { getattr open write };

sepolicy/vendor/device.te

@@ -1,3 +1,3 @@
-type oem_block_device, dev_type;
+type fingerprint_device, dev_type;
-type param_block_device, dev_type;
+
-type param_device, dev_type;
+type gps_device, dev_type;

sepolicy/vendor/domain.te

@@ -1,2 +0,0 @@
-# Allow domain to get public_vendor_default_prop
-get_prop(domain, public_vendor_default_prop)

sepolicy/vendor/file.te

@@ -1,12 +1,12 @@
-type display_data_file, file_type, data_file_type, core_data_file_type;
+type fingerprint_data_file, data_file_type, file_type;
-type proc_touchpanel, fs_type, proc_type;
-type sysfs_oem, sysfs_type, fs_type;
-
 type thermal_data_file, data_file_type, file_type;
-type sysfs_msm_subsys, sysfs_type, fs_type;
+
-type sysfs_system_sleep_stats, sysfs_type, fs_type;
-type sysfs_rpm, sysfs_type, fs_type;
-type sysfs_power_stats, sysfs_type, fs_type;
-type sysfs_tp, fs_type, sysfs_type;
-type proc_sysctl_schedboost, proc_type, fs_type;
 type debugfs_sched_features, debugfs_type, fs_type;
+type proc_sysctl_schedboost, proc_type, fs_type;
+
+type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_gps, sysfs_type, fs_type;
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type sysfs_rpm, sysfs_type, fs_type;
+type sysfs_system_sleep_stats, sysfs_type, fs_type;
+type sysfs_tp, fs_type, sysfs_type;

sepolicy/vendor/file_contexts

@@ -1,16 +1,24 @@
+# Data files
+/data/vendor/fpc(/.*)?                        u:object_r:fingerprint_data_file:s0
+/data/vendor/goodix(/.*)?                     u:object_r:fingerprint_data_file:s0
+
 # Files in rootfs
 /bt_firmware(/.*)?       u:object_r:bt_firmware_file:s0
 /firmware(/.*)?          u:object_r:firmware_file:s0
 /persist(/.*)?           u:object_r:persist_file:s0
 
-# Data files
+# Fingerprint devices
-/data/display(/.*)?      u:object_r:display_data_file:s0
+/dev/goodix_fp                                  u:object_r:fingerprint_device:s0
+/sys/devices/(platform)?/soc/soc:fpc1020(/.*)?  u:object_r:sysfs_fingerprint:s0
 
-# Custom HALs
+# HALs
 /vendor/bin/hw/android\.hardware\.light@2\.0-service\.lenovo_sdm710                      u:object_r:hal_light_default_exec:s0
 /vendor/bin/hw/android\.hardware\.power-service\.lenovo                                  u:object_r:hal_power_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice                u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.atrace@1.0-service\.pixel                              u:object_r:hal_atrace_default_exec:s0
 
-# Touch
+# Allystar GPS
-/sys/class/touch/tp_dev/gesture_on  u:object_r:sysfs_tp:s0
+/sys/ontim_bootinfo/gps_avdd_en              u:object_r:sysfs_gps:s0
+/sys/ontim_bootinfo/gps_lna                  u:object_r:sysfs_gps:s0
+/sys/ontim_bootinfo/gps_reset                u:object_r:sysfs_gps:s0
+/dev/ttyHS1                                  u:object_r:gps_device:s0

sepolicy/vendor/genfs_contexts

@@ -1,32 +1,8 @@
-# Display
+genfscon sysfs /power/rpmh_stats/master_stats         u:object_r:sysfs_rpm:s0
-genfscon proc  /touchpanel u:object_r:proc_touchpanel:s0
+genfscon sysfs /power/system_sleep/stats              u:object_r:sysfs_system_sleep_stats:s0
-genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply u:object_r:sysfs_battery_supply:s0
-#genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
-
-# SSR
-genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys7/restart_level u:object_r:sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/restart_level u:object_r:sysfs_ssr_toggle:s0
 
 genfscon debugfs /sched_features                      u:object_r:debugfs_sched_features:s0
 genfscon proc /sys/kernel/sched_boost                 u:object_r:proc_sysctl_schedboost:s0
 
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state    u:object_r:sysfs_graphics:s0
+# DT2W
-
+genfscon sysfs /devices/virtual/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0
-#genfscon sysfs /class/devfreq                         u:object_r:sysfs_devfreq:s0
-
-genfscon sysfs /power/rpmh_stats/master_stats         u:object_r:sysfs_rpm:s0
-genfscon sysfs /power/system_sleep/stats              u:object_r:sysfs_system_sleep_stats:s0
-genfscon sysfs /kernel/wlan/power_stats               u:object_r:sysfs_power_stats:s0

sepolicy/vendor/hal_bluetooth.te

@@ -1 +0,0 @@
-allow hal_bluetooth vendor_data_file:file r_file_perms;

sepolicy/vendor/hal_bluetooth_qti.te

@@ -0,0 +1,2 @@
+allow hal_bluetooth_qti wifi_vendor_data_file:dir search;
+allow hal_bluetooth_qti wifi_vendor_data_file:file r_file_perms;

sepolicy/vendor/hal_camera_default.te

@@ -1,5 +1,14 @@
-allow hal_camera_default sysfs:file read;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
-allow hal_camera_default sdcardfs:dir { search };
+
-allow hal_camera_default sdcardfs:file { rw_file_perms };
+allow hal_camera_default remosaic_daemon_service:service_manager find;
-allow hal_camera_default mnt_vendor_file:dir { add_name write };
+
-allow hal_camera_default mnt_vendor_file:file { create getattr open read write };
+allow hal_camera_default sysfs_kgsl:dir search;
+allow hal_camera_default sysfs_kgsl:file r_file_perms;
+
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file rw_file_perms;
+allow hal_camera_default sysfs_leds:lnk_file read;
+
+userdebug_or_eng(`
+  get_prop(hal_camera_default, sensors_dbg_prop)
+')

sepolicy/vendor/hal_fingerprint_default.te

@@ -1 +1,15 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+hal_client_domain(hal_fingerprint_default, hal_perf)
+
+# Ignore all logging requests
+dontaudit hal_fingerprint storage_file:dir search;

sepolicy/vendor/hal_gnss_default.te

@@ -0,0 +1,3 @@
+allow hal_gnss_default gps_device:chr_file rw_file_perms;
+allow hal_gnss_default location_data_file:dir search;
+allow hal_gnss_default sysfs_gps:file rw_file_perms;

sepolicy/vendor/hal_light.te

@@ -1 +0,0 @@
-allow hal_light sysfs_oem:file getattr;

sepolicy/vendor/hal_sensors_default.te

@@ -1,19 +1,7 @@
-# Allow binder communication with hal_audio_default
+allow hal_sensors_default mnt_vendor_file:file r_file_perms;
-binder_call(hal_sensors_default, hal_audio_default)
 
-# Allow hal_sensors_default to find hal_graphics_mapper_hwservice
+get_prop(hal_sensors_default, adsprpc_prop)
-allow hal_sensors_default hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# Allow hal_sensors_default to read files in mnt_vendor_file
-r_dir_file(hal_sensors_default, mnt_vendor_file)
-
-# Allow hal_sensors_default to read files in sysfs_graphics
-r_dir_file(hal_sensors_default, sysfs_graphics)
-
-# Allow hal_sensors_default to read and write to proc_touchpanel
-allow hal_sensors_default proc_touchpanel:dir search;
-allow hal_sensors_default proc_touchpanel:file rw_file_perms;
-
-# Allow hal_sensors_default to read graphics sysfs nodes
-r_dir_file(hal_sensors_default, sysfs_graphics)
 
+userdebug_or_eng(`
+  get_prop(hal_sensors_default, sensors_dbg_prop)
+')

sepolicy/vendor/hal_usb.te

@@ -1,2 +0,0 @@
-# Allow hal_usb to read and write to sysfs_oem
-allow hal_usb sysfs_oem:file rw_file_perms;

sepolicy/vendor/hal_wifi.te

@@ -1 +0,0 @@
-allow hal_wifi proc_net:file w_file_perms;

sepolicy/vendor/hal_wifi_default.te

@@ -0,0 +1 @@
+allow hal_wifi_default proc_net:file rw_file_perms;

sepolicy/vendor/hwservice_contexts

@@ -1 +1,8 @@
-vendor.display.color::IDisplayColor      u:object_r:hal_display_color_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering                           u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest                            u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation                            u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration                           u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch                            u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.fingerprintextension::IGoodixBiometricsFingerprint     u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon       u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt    u:object_r:hal_fingerprint_hwservice:s0

sepolicy/vendor/iorap_prefetcherd.te

@@ -1,2 +0,0 @@
-r_dir_file(iorap_prefetcherd, media_rw_data_file)
-r_dir_file(iorap_prefetcherd, radio_data_file)

sepolicy/vendor/kernel.te

@@ -1,7 +0,0 @@
-allow kernel self:system syslog_read;
-
-# Allow kernel to read kmsg_device
-allow kernel kmsg_device:chr_file r_file_perms;
-
-# Allow kernel to search in block_device
-allow kernel block_device:dir search;

sepolicy/vendor/platform_app.te

@@ -1 +0,0 @@
-allow platform_app sysfs_graphics:file r_file_perms;

sepolicy/vendor/property.te

@@ -1,3 +1,7 @@
-type vendor_camera_prop, property_type;
-type vendor_power_prop, property_type;
 type thermal_engine_prop, property_type;
+
+type vendor_camera_prop, property_type;
+
+type vendor_fp_prop, property_type;
+
+type vendor_power_prop, property_type;

sepolicy/vendor/property_contexts

@@ -4,6 +4,11 @@ persist.camera.             u:object_r:camera_prop:s0
 persist.vendor.camera.      u:object_r:camera_prop:s0
 sys.camera.                 u:object_r:camera_prop:s0
 
+# Fingerprint
+gf.debug.dump_bigdata_data  u:object_r:vendor_fp_prop:s0
+vendor.fps_hal.             u:object_r:vendor_fp_prop:s0
+persist.vendor.runin.fphwid u:object_r:vendor_fp_prop:s0
+
 # PowerHAL
 vendor.powerhal.state      u:object_r:vendor_power_prop:s0
 vendor.powerhal.audio      u:object_r:vendor_power_prop:s0

sepolicy/vendor/qti_init_shell.te

@@ -1,2 +0,0 @@
-# Allow qti_init_shell to write to sysfs_scsi_host
-allow qti_init_shell sysfs_scsi_host:file w_file_perms;

sepolicy/vendor/qtidataservices_app.te

@@ -0,0 +1 @@
+allow qtidataservices_app self:socket create_socket_perms_no_ioctl;

sepolicy/vendor/remosaic_daemon.te

@@ -0,0 +1,8 @@
+type remosaic_daemon, domain;
+type remosaic_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(remosaic_daemon)
+
+vndbinder_use(remosaic_daemon)
+
+allow remosaic_daemon remosaic_daemon_service:service_manager add;

sepolicy/vendor/vndservice.te

@@ -1 +1 @@
-type power_stats_service, vndservice_manager_type;
+type remosaic_daemon_service, vndservice_manager_type;

sepolicy/vendor/vndservice_contexts

@@ -0,0 +1 @@
+android.IRemosaicDaemon                        u:object_r:remosaic_daemon_service:s0