From 14f08dc1feff3444e0d482a15e0bd2e2b8abb71b Mon Sep 17 00:00:00 2001 
From: DennySPb Date: Sun, 11 Jul 2021 18:59:44 +0200 Subject: [PATCH] Initial selinux policies * convert existing one to vendor --- BoardConfig.mk | 7 ++- sepolicy/private/app.te | 4 -- sepolicy/private/device.te | 2 - sepolicy/private/dontaudit.te | 1 - sepolicy/private/file.te | 21 ------- sepolicy/private/file_contexts | 25 --------- sepolicy/private/flipendo.te | 1 - sepolicy/private/fm_app.te | 2 - sepolicy/private/genfs_contexts | 10 ---- sepolicy/private/hal_audio.te | 8 --- sepolicy/private/hal_bluetooth.te | 2 - sepolicy/private/hal_camera.te | 2 - sepolicy/private/hal_livedisplay_default.te | 29 ---------- sepolicy/private/hal_power_pixel.te | 55 ------------------- sepolicy/private/hal_sensors.te | 2 - sepolicy/private/hwservice.te | 2 - sepolicy/private/ims.te | 7 --- sepolicy/private/init.te | 12 ---- sepolicy/private/property.te | 5 -- sepolicy/private/property_contexts | 5 -- sepolicy/private/qti_init_shell.te | 21 ------- sepolicy/private/ssr_setup.te | 7 --- sepolicy/private/surfaceflinger.te | 1 - sepolicy/private/system_server.te | 5 -- sepolicy/private/thermal-engine.te | 4 -- sepolicy/private/vendor_init.te | 13 ----- sepolicy/private/vold.te | 2 - sepolicy/vendor/app.te | 3 + sepolicy/vendor/binderfs.te | 4 ++ sepolicy/vendor/cameraserver.te | 1 + sepolicy/vendor/device.te | 3 + sepolicy/vendor/domain.te | 2 + sepolicy/vendor/file.te | 18 ++++++ sepolicy/vendor/file_contexts | 11 ++++ sepolicy/vendor/genfs_contexts | 36 ++++++++++++ sepolicy/vendor/hal_bluetooth.te | 1 + sepolicy/vendor/hal_camera_default.te | 7 +++ sepolicy/vendor/hal_fingerprint.te | 1 + sepolicy/vendor/hal_light.te | 1 + sepolicy/vendor/hal_power_default.te | 28 ++++++++++ sepolicy/vendor/hal_usb.te | 2 + sepolicy/vendor/hal_wifi.te | 1 + .../{private => vendor}/hwservice_contexts | 1 - sepolicy/vendor/hwservicemanager.te | 1 + sepolicy/vendor/init.te | 13 +++++ sepolicy/vendor/iorap_prefetcherd.te | 2 + sepolicy/vendor/platform_app.te | 1 + sepolicy/vendor/property.te | 5 
++ sepolicy/vendor/property_contexts | 14 +++++ sepolicy/vendor/system_server.te | 2 + sepolicy/vendor/vendor_init.te | 13 +++++ sepolicy/vendor/vndservice.te | 1 + 52 files changed, 175 insertions(+), 252 deletions(-) delete mode 100644 sepolicy/private/app.te delete mode 100644 sepolicy/private/device.te delete mode 100644 sepolicy/private/dontaudit.te delete mode 100644 sepolicy/private/file.te delete mode 100644 sepolicy/private/file_contexts delete mode 100644 sepolicy/private/flipendo.te delete mode 100644 sepolicy/private/fm_app.te delete mode 100644 sepolicy/private/genfs_contexts delete mode 100644 sepolicy/private/hal_audio.te delete mode 100644 sepolicy/private/hal_bluetooth.te delete mode 100644 sepolicy/private/hal_camera.te delete mode 100644 sepolicy/private/hal_livedisplay_default.te delete mode 100644 sepolicy/private/hal_power_pixel.te delete mode 100644 sepolicy/private/hal_sensors.te delete mode 100644 sepolicy/private/hwservice.te delete mode 100644 sepolicy/private/ims.te delete mode 100644 sepolicy/private/init.te delete mode 100644 sepolicy/private/property.te delete mode 100644 sepolicy/private/property_contexts delete mode 100644 sepolicy/private/qti_init_shell.te delete mode 100644 sepolicy/private/ssr_setup.te delete mode 100644 sepolicy/private/surfaceflinger.te delete mode 100644 sepolicy/private/system_server.te delete mode 100644 sepolicy/private/thermal-engine.te delete mode 100644 sepolicy/private/vendor_init.te delete mode 100644 sepolicy/private/vold.te create mode 100644 sepolicy/vendor/app.te create mode 100644 sepolicy/vendor/binderfs.te create mode 100644 sepolicy/vendor/cameraserver.te create mode 100644 sepolicy/vendor/device.te create mode 100644 sepolicy/vendor/domain.te create mode 100644 sepolicy/vendor/file.te create mode 100644 sepolicy/vendor/file_contexts create mode 100644 sepolicy/vendor/genfs_contexts create mode 100644 sepolicy/vendor/hal_bluetooth.te create mode 100644 sepolicy/vendor/hal_camera_default.te 
create mode 100644 sepolicy/vendor/hal_fingerprint.te create mode 100644 sepolicy/vendor/hal_light.te create mode 100644 sepolicy/vendor/hal_power_default.te create mode 100644 sepolicy/vendor/hal_usb.te create mode 100644 sepolicy/vendor/hal_wifi.te rename sepolicy/{private => vendor}/hwservice_contexts (53%) create mode 100644 sepolicy/vendor/hwservicemanager.te create mode 100644 sepolicy/vendor/init.te create mode 100644 sepolicy/vendor/iorap_prefetcherd.te create mode 100644 sepolicy/vendor/platform_app.te create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/property_contexts create mode 100644 sepolicy/vendor/system_server.te create mode 100644 sepolicy/vendor/vendor_init.te create mode 100644 sepolicy/vendor/vndservice.te diff --git a/BoardConfig.mk b/BoardConfig.mk index 59b35ac..7089eb9 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk @@ -32,6 +32,7 @@ TARGET_BOARD_PLATFORM := sdm710 # Kernel TARGET_KERNEL_CONFIG := kunlun2_defconfig BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xA90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 service_locator.enable=1 androidboot.configfs=true androidboot.usbcontroller=a600000.dwc3 swiotlb=1 loop.max_part=7 +BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive BOARD_KERNEL_BASE := 0x00000000 BOARD_KERNEL_PAGESIZE := 4096 BOARD_KERNEL_TAGS_OFFSET := 0x00000100 @@ -117,9 +118,9 @@ TARGET_RELEASETOOLS_EXTENSIONS := $(DEVICE_PATH) TARGET_PROVIDES_QTI_TELEPHONY_JAR := true # Sepolicy -# PRIVATE_EXCLUDE_BUILD_TEST := true -include device/qcom/sepolicy/SEPolicy.mk -BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy/private +include device/qcom/sepolicy_vndr/SEPolicy.mk + +BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor SELINUX_IGNORE_NEVERALLOWS := true # Treble 
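Review bot: The added `BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive` puts the whole device into permissive mode, so none of the policy this commit introduces is enforced at runtime, and with the pre-existing `SELINUX_IGNORE_NEVERALLOWS := true` nothing validates the rules at build time either. Since the title calls this "initial" policy, mark the line as a bring-up measure so it is not shipped: `# TODO(bring-up): remove before release -- disables SELinux enforcement device-wide`. The per-domain `permissive` statements added in init.te, vendor_init.te and binderfs.te are redundant while this flag is set and only start to matter once it is dropped, which is worth stating next to it.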
diff --git a/sepolicy/private/app.te b/sepolicy/private/app.te deleted file mode 100644 index 145daf6..0000000 --- a/sepolicy/private/app.te +++ /dev/null @@ -1,4 +0,0 @@ -# Allow appdomain to get vendor_camera_prop -get_prop(appdomain, vendor_camera_prop) - -get_prop(appdomain, vendor_default_prop) diff --git a/sepolicy/private/device.te b/sepolicy/private/device.te deleted file mode 100644 index 9a90839..0000000 --- a/sepolicy/private/device.te +++ /dev/null @@ -1,2 +0,0 @@ -type device_latency, dev_type; -type diag_device, dev_type, mlstrustedobject; diff --git a/sepolicy/private/dontaudit.te b/sepolicy/private/dontaudit.te deleted file mode 100644 index 744be45..0000000 --- a/sepolicy/private/dontaudit.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit gmscore_app firmware_file:filesystem getattr; diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te deleted file mode 100644 index 288287c..0000000 --- a/sepolicy/private/file.te +++ /dev/null @@ -1,21 +0,0 @@ -type adsprpcd_file, file_type; -type bt_firmware_file, file_type; -type firmware_file, file_type; -type persist_file, file_type; -type sensors_persist_file, file_type; -type proc_touchpanel, fs_type, proc_type; -type sysfs_graphics, sysfs_type, fs_type; -type sysfs_devfreq, sysfs_type, fs_type; -type pps_socket, file_type; -type display_data_file, data_file_type, core_data_file_type, file_type; -type vendor_firmware_file, vendor_file_type, file_type; -type sysfs_msm_subsys, sysfs_type, fs_type; -type sysfs_system_sleep_stats, sysfs_type, fs_type; -type sysfs_rpm, sysfs_type, fs_type; -type sysfs_kgsl, sysfs_type, fs_type; -type sysfs_scsi_devices, sysfs_type, fs_type; -type debugfs_wlan, debugfs_type, fs_type; -type debugfs_sched_features, debugfs_type, fs_type; -type proc_sysctl_schedboost, proc_type, fs_type; -type sysfs_tp, fs_type, sysfs_type; -type sysfs_mmc_host, fs_type, sysfs_type; 
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts deleted file mode 100644 index 32fe4ce..0000000 --- a/sepolicy/private/file_contexts +++ /dev/null @@ -1,25 +0,0 @@ -# Data files -/data/display(/.*)? u:object_r:display_data_file:s0 - -# Dev nodes -/dev/diag u:object_r:diag_device:s0 - -# Files in rootfs -/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0 -/dsp(/.*)? u:object_r:adsprpcd_file:s0 -/firmware(/.*)? u:object_r:firmware_file:s0 -/persist(/.*)? u:object_r:persist_file:s0 - -# HALs -/system/bin/hw/android\.hardware\.power-service\.lenovo u:object_r:hal_power_pixel_exec:s0 -/system/bin/hw/lineage\.livedisplay@2\.0-service-sdm u:object_r:shal_livedisplay_default_exec:s0 -/(system|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0 - -# IMS -/vendor/bin/imsdatadaemon u:object_r:ims_exec:s0 - -# Thermal config -/(system|system/vendor)/etc/thermal-engine.conf u:object_r:vendor_configs_file:s0 - -# Touch -/sys/class/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0 diff --git a/sepolicy/private/flipendo.te b/sepolicy/private/flipendo.te deleted file mode 100644 index a207858..0000000 --- a/sepolicy/private/flipendo.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(flipendo, hal_power_pixel); diff --git a/sepolicy/private/fm_app.te b/sepolicy/private/fm_app.te deleted file mode 100644 index 583c24c..0000000 --- a/sepolicy/private/fm_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow vendor_fm_app hal_fm_hwservice:hwservice_manager find; -allow vendor_fm_app hal_bluetooth:binder { call transfer }; diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts deleted file mode 100644 index 44ce6c8..0000000 --- a/sepolicy/private/genfs_contexts +++ /dev/null 
@@ -1,10 +0,0 @@ -genfscon proc /touchpanel u:object_r:proc_touchpanel:s0 -genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0 -genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0 -genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0 -genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable u:object_r:sysfs_scsi_devices:s0 -genfscon sysfs /devices/platform/soc/1d84000.ufshc/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices:s0 -genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0 -genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0 -genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0 diff --git a/sepolicy/private/hal_audio.te b/sepolicy/private/hal_audio.te deleted file mode 100644 index 326ada8..0000000 --- a/sepolicy/private/hal_audio.te +++ /dev/null @@ -1,8 +0,0 @@ -allow hal_audio diag_device:chr_file rw_file_perms; - -allow hal_audio sysfs:dir read; - -allow hal_audio hal_power_pixel:binder call; - -get_prop(hal_audio, default_prop) -get_prop(hal_audio, audio_prop) diff --git a/sepolicy/private/hal_bluetooth.te b/sepolicy/private/hal_bluetooth.te deleted file mode 100644 index 9092adc..0000000 --- a/sepolicy/private/hal_bluetooth.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_bluetooth vendor_fm_app:binder call; -allow hal_bluetooth diag_device:chr_file rw_file_perms; diff --git a/sepolicy/private/hal_camera.te b/sepolicy/private/hal_camera.te deleted file mode 100644 index 4c200ab..0000000 --- a/sepolicy/private/hal_camera.te +++ /dev/null @@ -1,2 +0,0 @@ -get_prop(hal_camera, system_prop) -get_prop(hal_camera, default_prop) diff --git a/sepolicy/private/hal_livedisplay_default.te b/sepolicy/private/hal_livedisplay_default.te deleted file mode 100644 index 8bdc1d4..0000000 
--- a/sepolicy/private/hal_livedisplay_default.te +++ /dev/null @@ -1,29 +0,0 @@ -type shal_livedisplay_default, coredomain, domain; -hal_server_domain(shal_livedisplay_default, hal_lineage_livedisplay) - -type shal_livedisplay_default_exec, exec_type, file_type; -init_daemon_domain(shal_livedisplay_default) - -# Allow LiveDisplay to perform binder IPC to vendor.display.color::IDisplayColor -type hal_display_color_default, domain; -binder_call(shal_livedisplay_default, hal_display_color_default) - -allow shal_livedisplay_default hal_display_color_hwservice:hwservice_manager find; - -# Talk to the binder device node -allow shal_livedisplay_default binder_device:chr_file rw_file_perms; - -# Allow LiveDisplay to store files under /data/display and access them -allow shal_livedisplay_default display_data_file:dir rw_dir_perms; -allow shal_livedisplay_default display_data_file:file create_file_perms; - -# Allow LiveDisplay to access pps socket -type mm-pp-daemon, domain; -typeattribute mm-pp-daemon socket_between_core_and_vendor_violators; -unix_socket_connect(shal_livedisplay_default, pps, mm-pp-daemon) - -# Allow LiveDisplay to read display props -get_prop(shal_livedisplay_default, vendor_display_prop) - -# Grant LiveDisplay access over the control nodes -allow shal_livedisplay_default sysfs_graphics:file rw_file_perms; diff --git a/sepolicy/private/hal_power_pixel.te b/sepolicy/private/hal_power_pixel.te deleted file mode 100644 index 483ffcf..0000000 --- a/sepolicy/private/hal_power_pixel.te +++ /dev/null 
@@ -1,55 +0,0 @@ -type hal_power_pixel, coredomain, domain; -hal_server_domain(hal_power_pixel, hal_power) - -type hal_power_pixel_exec, system_file_type, exec_type, file_type; -init_daemon_domain(hal_power_pixel) - -# Allow hal_power_pixel to write to dt2w nodes -allow hal_power_pixel proc_touchpanel:dir search; -allow hal_power_pixel proc_touchpanel:file w_file_perms; - -allow hal_power_pixel debugfs_wlan:dir r_dir_perms; -allow hal_power_pixel debugfs_wlan:file r_file_perms; - -allow hal_power_pixel self:capability dac_override; - -allow hal_power_pixel system_file:file r_file_perms; - -allow hal_power_pixel sysfs_graphics:dir search; -allow hal_power_pixel sysfs_graphics:file r_file_perms; - -allow hal_power_pixel sysfs_rpm:file r_file_perms; -allow hal_power_pixel sysfs_system_sleep_stats:file r_file_perms; - -r_dir_file(hal_power, sysfs_tp) -allow hal_power_pixel sysfs_tp:file write; - -# To do powerhint on nodes defined in powerhint.json -allow hal_power_pixel sysfs_devfreq:dir search; -allow hal_power_pixel sysfs_devfreq:{ file lnk_file } rw_file_perms; -allow hal_power_pixel sysfs_scsi_devices:dir search; -allow hal_power_pixel sysfs_scsi_devices:{ file lnk_file } rw_file_perms; -allow hal_power_pixel sysfs_kgsl:dir search; -allow hal_power_pixel sysfs_kgsl:{ file lnk_file } rw_file_perms; -allow hal_power_pixel sysfs_msm_subsys:dir search; -allow hal_power_pixel sysfs_msm_subsys:file rw_file_perms; -allow hal_power_pixel sysfs_devices_system_cpu:file rw_file_perms; -allow hal_power_pixel device_latency:chr_file rw_file_perms; -allow hal_power_pixel proc_sysctl_schedboost:file rw_file_perms; -allow hal_power_pixel debugfs_sched_features:dir search; -allow hal_power_pixel debugfs_sched_features:file rw_file_perms; -allow hal_power_pixel input_device:dir search; -allow hal_power_pixel input_device:chr_file rw_file_perms; - -allow hal_power_pixel hal_power_hwservice:hwservice_manager add; -allow hal_power_pixel hidl_base_hwservice:hwservice_manager add; 
-allow hal_power_pixel hal_power_service:service_manager add; -binder_call(hal_power_pixel, hwservicemanager) -binder_call(hal_power_pixel, hal_audio) -binder_call(hal_power_pixel, servicemanager); - -# To get hwservicemanager state -get_prop(hal_power_pixel, hwservicemanager_prop) - -# To get/set powerhal state property -set_prop(hal_power_pixel, vendor_power_prop) diff --git a/sepolicy/private/hal_sensors.te b/sepolicy/private/hal_sensors.te deleted file mode 100644 index cda7609..0000000 --- a/sepolicy/private/hal_sensors.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_sensors diag_device:chr_file rw_file_perms; -allow hal_sensors system_server:fd use; diff --git a/sepolicy/private/hwservice.te b/sepolicy/private/hwservice.te deleted file mode 100644 index 9842fa0..0000000 --- a/sepolicy/private/hwservice.te +++ /dev/null @@ -1,2 +0,0 @@ -type hal_display_color_hwservice, hwservice_manager_type; -type hal_fm_hwservice, hwservice_manager_type; diff --git a/sepolicy/private/ims.te b/sepolicy/private/ims.te deleted file mode 100644 index 01140db..0000000 --- a/sepolicy/private/ims.te +++ /dev/null @@ -1,7 +0,0 @@ -type ims, domain; -type ims_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(ims) -net_domain(ims) - -allow ims diag_device:chr_file rw_file_perms; diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te deleted file mode 100644 index 1cdd012..0000000 --- a/sepolicy/private/init.te +++ /dev/null @@ -1,12 +0,0 @@ -allow init proc_touchpanel:dir search; -allow init proc_touchpanel:file { write setattr open}; - -# Allow init to mount vendor configs -allow init vendor_configs_file:dir mounton; -allow init vendor_configs_file:file mounton; - -allow init self:netlink_generic_socket read; - -allow init sysfs_tp:file setattr; - -allow init vendor_file:file execute; diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te deleted file mode 100644 index b7cc24f..0000000 --- a/sepolicy/private/property.te +++ /dev/null 
@@ -1,5 +0,0 @@ -type vendor_camera_prop, property_type; -type vendor_display_prop, property_type; -type vendor_power_prop, property_type; -type vendor_ssr_prop, property_type; -type vendor_cap_configstore_dbg_prop, property_type; diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts deleted file mode 100644 index 0ea1fde..0000000 --- a/sepolicy/private/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -vendor.powerhal.state u:object_r:vendor_power_prop:s0 -vendor.powerhal.audio u:object_r:vendor_power_prop:s0 -vendor.powerhal.init u:object_r:vendor_power_prop:s0 -vendor.powerhal.rendering u:object_r:vendor_power_prop:s0 -ro.vendor.fm.use_audio_session u:object_r:vendor_default_prop:s0 diff --git a/sepolicy/private/qti_init_shell.te b/sepolicy/private/qti_init_shell.te deleted file mode 100644 index 6d8b298..0000000 --- a/sepolicy/private/qti_init_shell.te +++ /dev/null @@ -1,21 +0,0 @@ -type qti_init_shell, domain; - -allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms; -dontaudit qti_init_shell self:capability { dac_override dac_read_search }; - -allow qti_init_shell configfs:dir create_dir_perms; -allow qti_init_shell configfs:file create_file_perms; -allow qti_init_shell configfs:lnk_file create_file_perms; - -allow qti_init_shell persist_file:lnk_file read; - -allow qti_init_shell sensors_persist_file:fifo_file create_file_perms; - -allow qti_init_shell shell_exec:file rx_file_perms; - -allow qti_init_shell sysfs:file setattr; -allow qti_init_shell sysfs_leds:file setattr; - -allow qti_init_shell toolbox_exec:file rx_file_perms; - -get_prop(qti_init_shell, default_prop) diff --git a/sepolicy/private/ssr_setup.te b/sepolicy/private/ssr_setup.te deleted file mode 100644 index 84428b8..0000000 --- a/sepolicy/private/ssr_setup.te +++ /dev/null 
@@ -1,7 +0,0 @@ -type vendor_ssr_setup, domain; -type vendor_ssr_setup_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(vendor_ssr_setup); - -allow vendor_ssr_setup sysfs:file rw_file_perms; - -get_prop(vendor_ssr_setup, vendor_ssr_prop) diff --git a/sepolicy/private/surfaceflinger.te b/sepolicy/private/surfaceflinger.te deleted file mode 100644 index 89e18d4..0000000 --- a/sepolicy/private/surfaceflinger.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(surfaceflinger, hal_power_pixel); diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te deleted file mode 100644 index 9362aba..0000000 --- a/sepolicy/private/system_server.te +++ /dev/null @@ -1,5 +0,0 @@ -allow system_server hal_power_pixel:binder call; - -allow system_server sysfs:file read; - -get_prop(system_server, vendor_camera_prop) diff --git a/sepolicy/private/thermal-engine.te b/sepolicy/private/thermal-engine.te deleted file mode 100644 index c792f68..0000000 --- a/sepolicy/private/thermal-engine.te +++ /dev/null @@ -1,4 +0,0 @@ -type thermal-engine, domain; - -allow thermal-engine sysfs_devfreq:dir r_dir_perms; -allow thermal-engine sysfs:dir r_dir_perms; diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te deleted file mode 100644 index 2fcd9e5..0000000 --- a/sepolicy/private/vendor_init.te +++ /dev/null @@ -1,13 +0,0 @@ -typeattribute vendor_init data_between_core_and_vendor_violators; - -# Allow vendor_init to check encryption status of system_data_file -allow vendor_init system_data_file:dir { ioctl open read setattr }; - -allow vendor_init block_device:lnk_file setattr; - -allow vendor_init persist_file:lnk_file read; - -get_prop(vendor_init, default_prop) -get_prop(vendor_init, persist_debug_prop) - -set_prop(vendor_init, default_prop) diff --git a/sepolicy/private/vold.te b/sepolicy/private/vold.te deleted file mode 100644 index 9cd14b3..0000000 --- a/sepolicy/private/vold.te +++ /dev/null 
@@ -1,2 +0,0 @@
-# For setting read_ahead_kb
-allow vold sysfs_mmc_host:file w_file_perms;
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..c43b33e
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,3 @@
+# Allow appdomain to get some props
+get_prop(appdomain, vendor_camera_prop)
+get_prop(appdomain, camera_prop)
diff --git a/sepolicy/vendor/binderfs.te b/sepolicy/vendor/binderfs.te
new file mode 100644
index 0000000..549c466
--- /dev/null
+++ b/sepolicy/vendor/binderfs.te
@@ -0,0 +1,4 @@
+# REVERT ME: make binderfs permissive
+userdebug_or_eng(`
+ permissive binderfs;
+')
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
new file mode 100644
index 0000000..5d87570
--- /dev/null
+++ b/sepolicy/vendor/cameraserver.te
@@ -0,0 +1 @@
+allow cameraserver camera_data_file:file { getattr open write };
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..0792042
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,3 @@
+type oem_block_device, dev_type;
+type param_block_device, dev_type;
+type param_device, dev_type;
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
new file mode 100644
index 0000000..bae6bf0
--- /dev/null
+++ b/sepolicy/vendor/domain.te
@@ -0,0 +1,2 @@
+# Allow domain to get public_vendor_default_prop
+get_prop(domain, public_vendor_default_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..dd8be5e
--- /dev/null
+++ b/sepolicy/vendor/file.te
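Review bot: `get_prop(appdomain, camera_prop)` references a type this commit does not declare: property.te only carries `#type camera_prop, property_type;` commented out, and the same applies to `vendor_audio_prop`, which property_contexts uses for three entries. If those types come from the included device/qcom/sepolicy_vndr policy or from the platform, a one-line comment above the commented declarations saying so would keep the next reader from uncommenting them into a duplicate-type error; if they do not, the build fails on an undefined type. It is also worth confirming that every app, including untrusted ones, needs read access to these camera properties, since `appdomain` is the broadest possible subject.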
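Review bot: `permissive binderfs;` names a domain that is declared nowhere in this change, so unless the qcom vendor policy or the platform defines a `binderfs` type the policy will not compile. The `# REVERT ME` marker and the `userdebug_or_eng` wrapper are the right shape; I would extend the comment to say which denials the permissive mode is covering, e.g. `# REVERT ME: binderfs permissive while its /dev/binderfs denials are triaged`, so the allow rules that replace it can be written from that list.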
@@ -0,0 +1,18 @@
+type display_data_file, file_type, data_file_type, core_data_file_type;
+type proc_touchpanel, fs_type;
+type sysfs_oem, sysfs_type, fs_type;
+
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type sysfs_system_sleep_stats, sysfs_type, fs_type;
+type sysfs_rpm, sysfs_type, fs_type;
+type sysfs_power_stats, sysfs_type, fs_type;
+#type sysfs_graphics, sysfs_type, fs_type;
+#type sysfs_ssr, sysfs_type, fs_type;
+#type sysfs_ssr_toggle, sysfs_type, fs_type;
+#type sysfs_devfreq, sysfs_type, fs_type;
+#type sysfs_kgsl, sysfs_type, fs_type;
+#type sysfs_scsi_devices, sysfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type debugfs_sched_features, debugfs_type, fs_type;
+
+type proc_sysctl_schedboost, proc_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..0e829db
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,11 @@
+# Files in rootfs
+/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
+/firmware(/.*)? u:object_r:firmware_file:s0
+/persist(/.*)? u:object_r:persist_file:s0
+
+# Data files
+/data/display(/.*)? u:object_r:display_data_file:s0
+
+# Custom HALs
+/vendor/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power-service\.lenovo u:object_r:hal_power_default_exec:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..1dc95b5
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
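Review bot: `type proc_touchpanel, fs_type;` drops the `proc_type` attribute that the deleted private/file.te declaration carried, while genfs_contexts still labels `/proc/touchpanel` with it; the sepolicy tests check that every proc genfscon label has `proc_type`, so I would expect this to fail the build even with neverallows ignored. Restore it as `type proc_touchpanel, fs_type, proc_type;`. The six commented-out sysfs types (`sysfs_graphics`, `sysfs_ssr`, `sysfs_ssr_toggle`, `sysfs_devfreq`, `sysfs_kgsl`, `sysfs_scsi_devices`) are still referenced from genfs_contexts and hal_power_default.te, so they must be supplied by the included qcom vendor policy; a comment such as `# Declared by device/qcom/sepolicy_vndr; listed here for reference only` would record that instead of leaving dead declarations.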
@@ -0,0 +1,36 @@
+# Display
+genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply u:object_r:sysfs_battery_supply:s0
+#genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
+
+# SSR
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
+
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
+
+#genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq:s0
+
+genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0
+genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0
+genfscon sysfs /kernel/wlan/power_stats u:object_r:sysfs_power_stats:s0
diff --git a/sepolicy/vendor/hal_bluetooth.te b/sepolicy/vendor/hal_bluetooth.te
new file mode 100644
index 0000000..d783ae5
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth.te
@@ -0,0 +1 @@
+allow hal_bluetooth vendor_data_file:file r_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..c72d48c
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,7 @@
+allow hal_camera_default sysfs:file read;
+allow hal_camera_default sdcardfs:dir { search };
+allow hal_camera_default sdcardfs:file { rw_file_perms };
+allow hal_camera_default nfc_data_file: dir { search open};
+allow hal_camera_default default_android_hwservice:hwservice_manager find;
+allow hal_camera_default mnt_vendor_file:dir { add_name write };
+allow hal_camera_default mnt_vendor_file:file { create getattr open read write };
diff --git a/sepolicy/vendor/hal_fingerprint.te b/sepolicy/vendor/hal_fingerprint.te
new file mode 100644
index 0000000..08e9920
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint.te
@@ -0,0 +1 @@
+get_prop(hal_fingerprint, default_prop)
diff --git a/sepolicy/vendor/hal_light.te b/sepolicy/vendor/hal_light.te
new file mode 100644
index 0000000..530ad70
--- /dev/null
+++ b/sepolicy/vendor/hal_light.te
@@ -0,0 +1 @@
+allow hal_light sysfs_oem:file getattr;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..87b515e
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
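Review bot: The `# Display` header at the top of genfs_contexts sits above the touchpanel proc node and the power-supply sysfs tree, neither of which is display-related, so it misleads; `# Touchpanel / battery` would describe the lines under it. The commented `.../power_supply/main` entry below it is redundant rather than pending: genfscon labels by longest matching path prefix, so the `power_supply` line already covers everything beneath it, and the comment can simply say so or be dropped.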
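Review bot: `allow hal_camera_default nfc_data_file: dir { search open};` and the two sdcardfs rules hand the vendor camera HAL access to core app data and to user storage; the platform's Treble neverallows on vendor domains reaching core data files would normally reject this, and it only passes here because BoardConfig.mk sets `SELINUX_IGNORE_NEVERALLOWS := true`. A camera HAL searching the NFC data directory is hard to justify and reads like a denial pasted from a log, so each of these rules should carry a comment naming the code path that needs it, and `rw_file_perms` on all of sdcardfs should be narrowed to the specific directory, with a dedicated type, if the HAL really writes there. As a style point, the `{ rw_file_perms }` braces around a macro and the space in `nfc_data_file: dir` are inconsistent with the other lines in the file.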
@@ -0,0 +1,28 @@
+allow hal_power_default debugfs_wlan:dir r_dir_perms;
+allow hal_power_default debugfs_wlan:file r_file_perms;
+
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file r_file_perms;
+
+allow hal_power_default sysfs_rpm:file r_file_perms;
+allow hal_power_default sysfs_system_sleep_stats:file r_file_perms;
+
+# To do powerhint on nodes defined in powerhint.json
+allow hal_power_default sysfs_devfreq:dir search;
+allow hal_power_default sysfs_devfreq:{ file lnk_file } rw_file_perms;
+allow hal_power_default sysfs_kgsl:dir search;
+allow hal_power_default sysfs_kgsl:{ file lnk_file } rw_file_perms;
+allow hal_power_default sysfs_msm_subsys:dir search;
+allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_power_default device_latency:chr_file rw_file_perms;
+
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+
+# To get/set powerhal state property
+set_prop(hal_power_default, vendor_power_prop)
+allow hal_power_default system_prop:file r_file_perms;
+
+# Rule for hal_power_default to access graphics composer process
+unix_socket_connect(hal_power_default, pps, hal_graphics_composer_default);
diff --git a/sepolicy/vendor/hal_usb.te b/sepolicy/vendor/hal_usb.te
new file mode 100644
index 0000000..91e851a
--- /dev/null
+++ b/sepolicy/vendor/hal_usb.te
@@ -0,0 +1,2 @@
+# Allow hal_usb to read and write to sysfs_oem
+allow hal_usb sysfs_oem:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi.te b/sepolicy/vendor/hal_wifi.te
new file mode 100644
index 0000000..5573700
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi.te
@@ -0,0 +1 @@
+allow hal_wifi proc_net:file w_file_perms;
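Review bot: `allow hal_power_default device_latency:chr_file rw_file_perms;` uses a type this commit no longer declares: the old `type device_latency, dev_type;` was removed with private/device.te and vendor/device.te does not re-add it, and the `pps` argument of the `unix_socket_connect` line likewise needs a `pps_socket` type that was dropped from file.te, so unless the qcom vendor policy provides both the build fails. `allow hal_power_default input_device:chr_file rw_file_perms;` lets the power HAL write to input event nodes; if it only listens for touch events to trigger boosts, `r_file_perms` suffices, and otherwise a comment should say why write is required. The trailing `;` after `unix_socket_connect(...)` is not used on the other macro calls in this file (compare the `set_prop(...)` line above it), so I would drop it for consistency.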
diff --git a/sepolicy/private/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
similarity index 53%
rename from sepolicy/private/hwservice_contexts
rename to sepolicy/vendor/hwservice_contexts
index befffac..8e793b3 100644
--- a/sepolicy/private/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,2 +1 @@
 vendor.display.color::IDisplayColor u:object_r:hal_display_color_hwservice:s0
-vendor.qti.hardware.fm::IFmHci u:object_r:hal_fm_hwservice:s0
diff --git a/sepolicy/vendor/hwservicemanager.te b/sepolicy/vendor/hwservicemanager.te
new file mode 100644
index 0000000..02e12c9
--- /dev/null
+++ b/sepolicy/vendor/hwservicemanager.te
@@ -0,0 +1 @@
+allow hwservicemanager init:binder transfer;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..2bb5e0f
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,13 @@
+# Allow init to mount wlan kernel module
+allow init vendor_file:file mounton;
+
+# Allow init to mount vendor configs
+allow init vendor_configs_file:dir mounton;
+
+# Allow init to chown/chmod on pseudo files in /sys
+allow init sysfs_type:file { open read setattr };
+
+# Allow init create cgroups
+allow init cgroup:file create;
+
+permissive init;
diff --git a/sepolicy/vendor/iorap_prefetcherd.te b/sepolicy/vendor/iorap_prefetcherd.te
new file mode 100644
index 0000000..f3be2b9
--- /dev/null
+++ b/sepolicy/vendor/iorap_prefetcherd.te
@@ -0,0 +1,2 @@
+r_dir_file(iorap_prefetcherd, media_rw_data_file)
+r_dir_file(iorap_prefetcherd, radio_data_file)
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
new file mode 100644
index 0000000..a9cd643
--- /dev/null
+++ b/sepolicy/vendor/platform_app.te
@@ -0,0 +1 @@
+allow platform_app sysfs_graphics:file r_file_perms;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..5dc804e
--- /dev/null
+++ b/sepolicy/vendor/property.te
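Review bot: `allow hwservicemanager init:binder transfer;`, together with `allow system_server init:binder call;` in system_server.te, means something running in the `init` domain is registering and serving a binder interface, which init itself never does. That most likely points at a vendor service launched from init.rc without an exec type of its own, so it stays in init's domain — which would also explain the `permissive init;` in init.te. Rather than widening init's reach, give that service its own domain with an `_exec` type in file_contexts and `init_daemon_domain`, then grant the hwservice and binder rules to that domain; the denial records name the executable involved.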
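Review bot: `permissive init;` is unconditional and unmarked, unlike the binderfs one which is wrapped in `userdebug_or_eng` and tagged REVERT ME, and the same applies to `permissive vendor_init;` in vendor_init.te. As far as I recall the sepolicy build rejects permissive domains in user builds independently of `SELINUX_IGNORE_NEVERALLOWS`, and init is the most privileged domain on the device, so both should at least become `userdebug_or_eng(\`permissive init;')` with a `# REVERT ME` comment naming the denials being hidden. Two of the comments also undersell their rules: `allow init sysfs_type:file { open read setattr };` covers every labelled sysfs node, not just the ones init chowns, and `# Allow init to mount wlan kernel module` does not explain what a `mounton` over a `vendor_file` file is doing; naming the init.rc line (source and target of the bind mount) would make both reviewable.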
@@ -0,0 +1,5 @@
+type vendor_camera_prop, property_type;
+#type camera_prop, property_type;
+#type vendor_display_prop, property_type;
+#type vendor_audio_prop, property_type;
+type vendor_power_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..95d2282
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,14 @@
+audio. u:object_r:vendor_audio_prop:s0
+persist.audio u:object_r:vendor_audio_prop:s0
+persist.speaker u:object_r:vendor_audio_prop:s0
+
+#Camera
+persist.camera. u:object_r:exported_system_prop:s0
+ro.camera. u:object_r:exported_system_prop:s0
+
+# Powerhal
+vendor.powerhal.state u:object_r:vendor_power_prop:s0
+vendor.powerhal.audio u:object_r:vendor_power_prop:s0
+vendor.powerhal.lpm u:object_r:vendor_power_prop:s0
+vendor.powerhal.init u:object_r:vendor_power_prop:s0
+vendor.powerhal.rendering u:object_r:vendor_power_prop:s0
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..aab90ec
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,2 @@
+allow system_server default_android_hwservice:hwservice_manager find;
+allow system_server init:binder call;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..64bd151
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,13 @@
+permissive vendor_init;
+
+#type qti_init_shell_exec, exec_type, vendor_file_type,file_type;
+
+# Allow vendor_init to set public_vendor_default_prop
+set_prop(vendor_init, public_vendor_default_prop)
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+# Allow vendor_init to check encryption status of system_data_file
+allow vendor_init system_data_file:dir { ioctl open read setattr };
+
+# Allow vendor_init to set vendor_camera_prop
+set_prop(vendor_init, vendor_camera_prop)
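Review bot: The `audio.`, `persist.audio`, `persist.speaker`, `persist.camera.` and `ro.camera.` prefixes in property_contexts are outside the vendor property namespace (`vendor.`, `persist.vendor.`, `ro.vendor.` and the other allowed prefixes); if this tree is on Android 11 or later the vendor property_contexts are checked against that namespace and these entries need `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE` to pass, so either rename the properties or document the exception above the block. Labelling `persist.camera.` and `ro.camera.` as `exported_system_prop` from the vendor side also reuses a system property type for vendor-defined keys; since this commit already declares `vendor_camera_prop`, labelling the camera keys with it and moving them under `vendor.`/`persist.vendor.` would keep the boundary clean. The `#Camera` header is also missing the space the `# Powerhal` header has.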
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
new file mode 100644
index 0000000..d844c2e
--- /dev/null
+++ b/sepolicy/vendor/vndservice.te
@@ -0,0 +1 @@
+type power_stats_service, vndservice_manager_type;