kunlun2: Go enforcing
Bind mount etc files because vendor_overlay/29/etc makes device to reboot to recovery from pstore vdc: Command: cryptfs enablefilecrypto Failed: Status(-8, EX_SERVICE_SPECIFIC): '0: '
This commit is contained in:
GiaSen
parent
b86cae0eba
commit
2f07f5abc0
24 changed files with 203 additions and 7 deletions
|
|
@ -31,7 +31,6 @@ TARGET_BOARD_PLATFORM := sdm710
|
|||
|
||||
# Kernel
|
||||
BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xA90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 service_locator.enable=1 androidboot.configfs=true androidboot.usbcontroller=a600000.dwc3 swiotlb=1 loop.max_part=7
|
||||
BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
|
||||
BOARD_KERNEL_BASE := 0x00000000
|
||||
BOARD_KERNEL_PAGESIZE := 4096
|
||||
BOARD_KERNEL_TAGS_OFFSET := 0x00000100
|
||||
|
|
@ -92,9 +91,7 @@ TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
|
|||
# Sepolicy
|
||||
# PRIVATE_EXCLUDE_BUILD_TEST := true
|
||||
include device/qcom/sepolicy/SEPolicy.mk
|
||||
|
||||
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy/private
|
||||
|
||||
SELINUX_IGNORE_NEVERALLOWS := true
|
||||
|
||||
# Treble
|
||||
|
|
@ -110,4 +107,4 @@ BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2
|
|||
BOARD_AVB_RECOVERY_ALGORITHM := SHA256_RSA4096
|
||||
BOARD_AVB_RECOVERY_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
|
||||
BOARD_AVB_RECOVERY_ROLLBACK_INDEX := 1
|
||||
BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1
|
||||
BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1
|
||||
|
|
|
|||
|
|
@ -146,11 +146,11 @@ PRODUCT_PACKAGES += \
|
|||
|
||||
# Thermal config
|
||||
PRODUCT_COPY_FILES += \
|
||||
$(LOCAL_PATH)/configs/thermal-engine.conf:$(TARGET_COPY_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/thermal-engine.conf
|
||||
$(LOCAL_PATH)/configs/thermal-engine.conf:$(TARGET_COPY_OUT_SYSTEM)/etc/thermal-engine.conf
|
||||
|
||||
# WiFi
|
||||
PRODUCT_COPY_FILES += \
|
||||
$(LOCAL_PATH)/wifi/WCNSS_qcom_cfg.ini:$(TARGET_COPY_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/wifi/WCNSS_qcom_cfg.ini
|
||||
$(LOCAL_PATH)/wifi/WCNSS_qcom_cfg.ini:$(TARGET_COPY_OUT_SYSTEM)/etc/wifi/WCNSS_qcom_cfg.ini
|
||||
|
||||
# WiFi Display
|
||||
PRODUCT_PACKAGES += \
|
||||
|
|
|
|||
|
|
@ -34,7 +34,7 @@ LOCAL_MODULE := android.hardware.light@2.0-service.lenovo_kunlun2.rc
|
|||
LOCAL_MODULE_TAGS := optional
|
||||
LOCAL_MODULE_CLASS := ETC
|
||||
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/init
|
||||
LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/init
|
||||
LOCAL_MODULE_STEM := android.hardware.light@2.0-service.rc
|
||||
|
||||
LOCAL_SRC_FILES := android.hardware.light@2.0-service.lenovo_kunlun2.rc
|
||||
|
|
|
|||
|
|
@ -42,6 +42,9 @@ on init
|
|||
write /proc/sys/vm/page-cluster 0
|
||||
|
||||
mount none /system/etc/audio_policy_configuration.xml /vendor/etc/audio_policy_configuration.xml bind
|
||||
mount none /system/etc/thermal-engine.conf /vendor/etc/thermal-engine.conf bind
|
||||
mount none /system/etc/wifi/WCNSS_qcom_cfg.ini /vendor/etc/wifi/WCNSS_qcom_cfg.ini bind
|
||||
mount none /system/etc/init/android.hardware.light@2.0-service.rc /vendor/etc/init/android.hardware.light@2.0-service.rc bind
|
||||
mount none /vendor/lost+found /vendor/overlay bind
|
||||
|
||||
on late-fs
|
||||
|
|
|
|||
2
sepolicy/private/app.te
Normal file
2
sepolicy/private/app.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
# Allow appdomain to get vendor_camera_prop
|
||||
get_prop(appdomain, vendor_camera_prop)
|
||||
2
sepolicy/private/device.te
Normal file
2
sepolicy/private/device.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
type device_latency, dev_type;
|
||||
type diag_device, dev_type, mlstrustedobject;
|
||||
|
|
@ -2,3 +2,19 @@ type adsprpcd_file, file_type;
|
|||
type bt_firmware_file, file_type;
|
||||
type firmware_file, file_type;
|
||||
type persist_file, file_type;
|
||||
type proc_touchpanel, fs_type, proc_type;
|
||||
type sysfs_msm_subsys, sysfs_type, fs_type;
|
||||
type sysfs_system_sleep_stats, sysfs_type, fs_type;
|
||||
type sysfs_rpm, sysfs_type, fs_type;
|
||||
type sysfs_graphics, sysfs_type, fs_type;
|
||||
type sysfs_devfreq, sysfs_type, fs_type;
|
||||
type sysfs_kgsl, sysfs_type, fs_type;
|
||||
type sysfs_scsi_devices, sysfs_type, fs_type;
|
||||
type sysfs_power_stats, sysfs_type, fs_type;
|
||||
type debugfs_wlan, debugfs_type, fs_type;
|
||||
type debugfs_sched_features, debugfs_type, fs_type;
|
||||
type proc_sysctl_schedboost, proc_type, fs_type;
|
||||
type pps_socket, file_type;
|
||||
type display_data_file, data_file_type, core_data_file_type, file_type;
|
||||
type vendor_firmware_file, vendor_file_type, file_type;
|
||||
type sysfs_tp, fs_type, sysfs_type;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,21 @@
|
|||
# Data files
|
||||
/data/display(/.*)? u:object_r:display_data_file:s0
|
||||
|
||||
# Files in rootfs
|
||||
/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
|
||||
/dsp(/.*)? u:object_r:adsprpcd_file:s0
|
||||
/firmware(/.*)? u:object_r:firmware_file:s0
|
||||
/persist(/.*)? u:object_r:persist_file:s0
|
||||
|
||||
# HALs
|
||||
/system/bin/hw/android\.hardware\.power@1\.3-service\.lenovo-libperfmgr u:object_r:hal_power_pixel_exec:s0
|
||||
/system/bin/hw/android\.hardware\.power\.stats@1\.0-service\.lenovo u:object_r:hal_powerstats_exec:s0
|
||||
/system/bin/hw/lineage\.livedisplay@2\.0-service-sdm u:object_r:shal_livedisplay_default_exec:s0
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
|
||||
|
||||
# Touch
|
||||
/sys/devices/virtual/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0
|
||||
|
||||
# Vendor overlay
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/soundfx u:object_r:vendor_hal_file:s0
|
||||
|
|
|
|||
15
sepolicy/private/genfs_contexts
Normal file
15
sepolicy/private/genfs_contexts
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
|
||||
genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
|
||||
genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0
|
||||
genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable u:object_r:sysfs_scsi_devices:s0
|
||||
genfscon sysfs /devices/platform/soc/1d84000.ufshc/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices:s0
|
||||
|
||||
genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0
|
||||
genfscon sysfs /kernel/wlan/power_stats u:object_r:sysfs_power_stats:s0
|
||||
genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0
|
||||
|
||||
genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0
|
||||
1
sepolicy/private/hal_audio.te
Normal file
1
sepolicy/private/hal_audio.te
Normal file
|
|
@ -0,0 +1 @@
|
|||
allow hal_audio hal_power_pixel:binder call;
|
||||
6
sepolicy/private/hal_fingerprint_sdm710.te
Normal file
6
sepolicy/private/hal_fingerprint_sdm710.te
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
type hal_fingerprint_sdm710, coredomain, domain;
|
||||
hal_client_domain(hal_fingerprint_sdm710, hal_fingerprint)
|
||||
hal_server_domain(hal_fingerprint_sdm710, hal_fingerprint)
|
||||
|
||||
type hal_fingerprint_sdm710_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_fingerprint_sdm710)
|
||||
29
sepolicy/private/hal_livedisplay_default.te
Normal file
29
sepolicy/private/hal_livedisplay_default.te
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
type shal_livedisplay_default, coredomain, domain;
|
||||
hal_server_domain(shal_livedisplay_default, hal_lineage_livedisplay)
|
||||
|
||||
type shal_livedisplay_default_exec, exec_type, file_type;
|
||||
init_daemon_domain(shal_livedisplay_default)
|
||||
|
||||
# Allow LiveDisplay to perform binder IPC to vendor.display.color::IDisplayColor
|
||||
type hal_display_color_default, domain;
|
||||
binder_call(shal_livedisplay_default, hal_display_color_default)
|
||||
|
||||
allow shal_livedisplay_default hal_display_color_hwservice:hwservice_manager find;
|
||||
|
||||
# Talk to the binder device node
|
||||
allow shal_livedisplay_default binder_device:chr_file rw_file_perms;
|
||||
|
||||
# Allow LiveDisplay to store files under /data/display and access them
|
||||
allow shal_livedisplay_default display_data_file:dir rw_dir_perms;
|
||||
allow shal_livedisplay_default display_data_file:file create_file_perms;
|
||||
|
||||
# Allow LiveDisplay to access pps socket
|
||||
type mm-pp-daemon, domain;
|
||||
typeattribute mm-pp-daemon socket_between_core_and_vendor_violators;
|
||||
unix_socket_connect(shal_livedisplay_default, pps, mm-pp-daemon)
|
||||
|
||||
# Allow LiveDisplay to read display props
|
||||
get_prop(shal_livedisplay_default, vendor_display_prop)
|
||||
|
||||
# Grant LiveDisplay access over the control nodes
|
||||
allow shal_livedisplay_default sysfs_graphics:file rw_file_perms;
|
||||
54
sepolicy/private/hal_power_pixel.te
Normal file
54
sepolicy/private/hal_power_pixel.te
Normal file
|
|
@ -0,0 +1,54 @@
|
|||
type hal_power_pixel, coredomain, domain;
|
||||
hal_server_domain(hal_power_pixel, hal_power)
|
||||
|
||||
type hal_power_pixel_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_power_pixel)
|
||||
|
||||
# Allow hal_power_pixel to write to dt2w nodes
|
||||
allow hal_power_pixel proc_touchpanel:dir search;
|
||||
allow hal_power_pixel proc_touchpanel:file w_file_perms;
|
||||
|
||||
allow hal_power_pixel debugfs_wlan:dir r_dir_perms;
|
||||
allow hal_power_pixel debugfs_wlan:file r_file_perms;
|
||||
|
||||
allow hal_power_pixel self:capability dac_override;
|
||||
|
||||
allow hal_power_pixel system_file:file r_file_perms;
|
||||
|
||||
allow hal_power_pixel sysfs_graphics:dir search;
|
||||
allow hal_power_pixel sysfs_graphics:file r_file_perms;
|
||||
|
||||
allow hal_power_pixel sysfs_rpm:file r_file_perms;
|
||||
allow hal_power_pixel sysfs_system_sleep_stats:file r_file_perms;
|
||||
allow hal_power_pixel sysfs_power_stats:file r_file_perms;
|
||||
|
||||
r_dir_file(hal_power, sysfs_tp)
|
||||
allow hal_power_pixel sysfs_tp:file write;
|
||||
|
||||
# To do powerhint on nodes defined in powerhint.json
|
||||
allow hal_power_pixel sysfs_devfreq:dir search;
|
||||
allow hal_power_pixel sysfs_devfreq:{ file lnk_file } rw_file_perms;
|
||||
allow hal_power_pixel sysfs_scsi_devices:dir search;
|
||||
allow hal_power_pixel sysfs_scsi_devices:{ file lnk_file } rw_file_perms;
|
||||
allow hal_power_pixel sysfs_kgsl:dir search;
|
||||
allow hal_power_pixel sysfs_kgsl:{ file lnk_file } rw_file_perms;
|
||||
allow hal_power_pixel sysfs_msm_subsys:dir search;
|
||||
allow hal_power_pixel sysfs_msm_subsys:file rw_file_perms;
|
||||
allow hal_power_pixel sysfs_devices_system_cpu:file rw_file_perms;
|
||||
allow hal_power_pixel device_latency:chr_file rw_file_perms;
|
||||
allow hal_power_pixel proc_sysctl_schedboost:file rw_file_perms;
|
||||
allow hal_power_pixel debugfs_sched_features:dir search;
|
||||
allow hal_power_pixel debugfs_sched_features:file rw_file_perms;
|
||||
allow hal_power_pixel input_device:dir search;
|
||||
allow hal_power_pixel input_device:chr_file rw_file_perms;
|
||||
|
||||
allow hal_power_pixel hal_power_hwservice:hwservice_manager add;
|
||||
allow hal_power_pixel hidl_base_hwservice:hwservice_manager add;
|
||||
binder_call(hal_power_pixel, hwservicemanager)
|
||||
binder_call(hal_power_pixel, hal_audio)
|
||||
|
||||
# To get hwservicemanager state
|
||||
get_prop(hal_power_pixel, hwservicemanager_prop)
|
||||
|
||||
# To get/set powerhal state property
|
||||
set_prop(hal_power_pixel, vendor_power_prop)
|
||||
19
sepolicy/private/hal_powerstats.te
Normal file
19
sepolicy/private/hal_powerstats.te
Normal file
|
|
@ -0,0 +1,19 @@
|
|||
type hal_powerstats, domain;
|
||||
type hal_powerstats_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_powerstats)
|
||||
|
||||
allow hal_powerstats sysfs_rpm:file r_file_perms;
|
||||
allow hal_powerstats sysfs_system_sleep_stats:file r_file_perms;
|
||||
allow hal_powerstats sysfs_power_stats:file r_file_perms;
|
||||
|
||||
allow hal_powerstats default_android_service:service_manager add;
|
||||
allow hal_powerstats hal_power_stats_hwservice:hwservice_manager { add find };
|
||||
allow hal_powerstats hidl_base_hwservice:hwservice_manager add;
|
||||
get_prop(hal_powerstats, hwservicemanager_prop)
|
||||
|
||||
binder_call(hal_powerstats, servicemanager)
|
||||
binder_call(hal_powerstats, hwservicemanager)
|
||||
binder_call(hal_powerstats, system_server)
|
||||
allow hal_powerstats binder_device:chr_file rw_file_perms;
|
||||
|
||||
allow servicemanager hal_powerstats:binder call;
|
||||
2
sepolicy/private/hal_sensors_default.te
Normal file
2
sepolicy/private/hal_sensors_default.te
Normal file
|
|
@ -0,0 +1,2 @@
|
|||
allow hal_sensors diag_device:chr_file rw_file_perms;
|
||||
allow hal_sensors system_server:fd use;
|
||||
1
sepolicy/private/hwservice.te
Normal file
1
sepolicy/private/hwservice.te
Normal file
|
|
@ -0,0 +1 @@
|
|||
type hal_display_color_hwservice, hwservice_manager_type;
|
||||
1
sepolicy/private/hwservice_contexts
Normal file
1
sepolicy/private/hwservice_contexts
Normal file
|
|
@ -0,0 +1 @@
|
|||
vendor.display.color::IDisplayColor u:object_r:hal_display_color_hwservice:s0
|
||||
9
sepolicy/private/init.te
Normal file
9
sepolicy/private/init.te
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
allow init proc_touchpanel:dir search;
|
||||
allow init proc_touchpanel:file { write setattr open};
|
||||
|
||||
# Allow init to mount vendor configs
|
||||
allow init vendor_configs_file:dir mounton;
|
||||
allow init vendor_configs_file:file mounton;
|
||||
|
||||
# Allow init to mount vendor overlay
|
||||
allow init vendor_overlay_file:dir mounton;
|
||||
3
sepolicy/private/property.te
Normal file
3
sepolicy/private/property.te
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
type vendor_camera_prop, property_type;
|
||||
type vendor_power_prop, property_type;
|
||||
type vendor_display_prop, property_type;
|
||||
5
sepolicy/private/property_contexts
Normal file
5
sepolicy/private/property_contexts
Normal file
|
|
@ -0,0 +1,5 @@
|
|||
# Powerhal
|
||||
vendor.powerhal.state u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.audio u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.init u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.rendering u:object_r:vendor_power_prop:s0
|
||||
4
sepolicy/private/qti_init_shell.te
Normal file
4
sepolicy/private/qti_init_shell.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
type qti_init_shell, domain;
|
||||
|
||||
allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms;
|
||||
dontaudit qti_init_shell self:capability { dac_override dac_read_search };
|
||||
3
sepolicy/private/system_server.te
Normal file
3
sepolicy/private/system_server.te
Normal file
|
|
@ -0,0 +1,3 @@
|
|||
get_prop(system_server, vendor_camera_prop)
|
||||
allow system_server hal_power_pixel:binder call;
|
||||
allow system_server hal_powerstats:binder call;
|
||||
4
sepolicy/private/thermal-engine.te
Normal file
4
sepolicy/private/thermal-engine.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
type thermal-engine, domain;
|
||||
|
||||
allow thermal-engine sysfs_devfreq:dir r_dir_perms;
|
||||
allow thermal-engine sysfs:dir r_dir_perms;
|
||||
4
sepolicy/private/vendor_init.te
Normal file
4
sepolicy/private/vendor_init.te
Normal file
|
|
@ -0,0 +1,4 @@
|
|||
typeattribute vendor_init data_between_core_and_vendor_violators;
|
||||
|
||||
# Allow vendor_init to check encryption status of system_data_file
|
||||
allow vendor_init system_data_file:dir { ioctl open read setattr };
|
||||
Loading…
Reference in a new issue