From 2f07f5abc09763b3636646e67d7d55793a5b329c Mon Sep 17 00:00:00 2001 
From: GiaSen Date: Mon, 7 Dec 2020 14:17:43 +0100 Subject: [PATCH] kunlun2: Go enforcing Bind mount etc files because vendor_overlay/29/etc makes device to reboot to recovery from pstore vdc: Command: cryptfs enablefilecrypto Failed: Status(-8, EX_SERVICE_SPECIFIC): '0: ' --- BoardConfig.mk | 5 +- device.mk | 4 +- light/Android.mk | 2 +- rootdir/etc/init.qcom.rc | 3 ++ sepolicy/private/app.te | 2 + sepolicy/private/device.te | 2 + sepolicy/private/file.te | 16 ++++++ sepolicy/private/file_contexts | 16 ++++++ sepolicy/private/genfs_contexts | 15 ++++++ sepolicy/private/hal_audio.te | 1 + sepolicy/private/hal_fingerprint_sdm710.te | 6 +++ sepolicy/private/hal_livedisplay_default.te | 29 +++++++++++ sepolicy/private/hal_power_pixel.te | 54 +++++++++++++++++++++ sepolicy/private/hal_powerstats.te | 19 ++++++++ sepolicy/private/hal_sensors_default.te | 2 + sepolicy/private/hwservice.te | 1 + sepolicy/private/hwservice_contexts | 1 + sepolicy/private/init.te | 9 ++++ sepolicy/private/property.te | 3 ++ sepolicy/private/property_contexts | 5 ++ sepolicy/private/qti_init_shell.te | 4 ++ sepolicy/private/system_server.te | 3 ++ sepolicy/private/thermal-engine.te | 4 ++ sepolicy/private/vendor_init.te | 4 ++ 24 files changed, 203 insertions(+), 7 deletions(-) create mode 100644 sepolicy/private/app.te create mode 100644 sepolicy/private/device.te create mode 100644 sepolicy/private/genfs_contexts create mode 100644 sepolicy/private/hal_audio.te create mode 100644 sepolicy/private/hal_fingerprint_sdm710.te create mode 100644 sepolicy/private/hal_livedisplay_default.te create mode 100644 sepolicy/private/hal_power_pixel.te create mode 100644 sepolicy/private/hal_powerstats.te create mode 100644 sepolicy/private/hal_sensors_default.te create mode 100644 sepolicy/private/hwservice.te create mode 100644 sepolicy/private/hwservice_contexts create mode 100644 sepolicy/private/init.te create mode 100644 sepolicy/private/property.te create mode 100644 
sepolicy/private/property_contexts
create mode 100644 sepolicy/private/qti_init_shell.te
create mode 100644 sepolicy/private/system_server.te
create mode 100644 sepolicy/private/thermal-engine.te
create mode 100644 sepolicy/private/vendor_init.te
diff --git a/BoardConfig.mk b/BoardConfig.mk
index a9a6964..ee48eb1 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -31,7 +31,6 @@ TARGET_BOARD_PLATFORM := sdm710
 # Kernel
 BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xA90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 service_locator.enable=1 androidboot.configfs=true androidboot.usbcontroller=a600000.dwc3 swiotlb=1 loop.max_part=7
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_BASE := 0x00000000
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_TAGS_OFFSET := 0x00000100
@@ -92,9 +91,7 @@ TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
 # Sepolicy
 # PRIVATE_EXCLUDE_BUILD_TEST := true
 include device/qcom/sepolicy/SEPolicy.mk
-
 BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy/private
-
 SELINUX_IGNORE_NEVERALLOWS := true
 # Treble
@@ -110,4 +107,4 @@ BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flags 2
 BOARD_AVB_RECOVERY_ALGORITHM := SHA256_RSA4096
 BOARD_AVB_RECOVERY_KEY_PATH := external/avb/test/data/testkey_rsa4096.pem
 BOARD_AVB_RECOVERY_ROLLBACK_INDEX := 1
-BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1
\ No newline at end of file
+BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION := 1
diff --git a/device.mk b/device.mk
index 9329f40..f96f128 100644
--- a/device.mk
+++ b/device.mk
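Review bot: The two `-` markers in the sepolicy hunk are each followed by a space and then a line that still exists on the new side, and the counts go from 9 old lines to 7 new, so what this hunk removes is two blank lines — `SELINUX_IGNORE_NEVERALLOWS := true` survives the commit, and the new device policy is therefore never checked against AOSP's neverallow rules at build time, which undercuts the "go enforcing" goal of the cmdline hunk above. I would expect this change to delete that line and then fix whatever checkpolicy reports; the `dac_override` capability on a coredomain HAL and the `default_android_service:service_manager add` rule added later in this patch look like the likely offenders. The reading relies on the collapsed layout (the genuine removals `-BOARD_KERNEL_CMDLINE` and `-BOARD_AVB_RECOVERY_ROLLBACK_INDEX_LOCATION` have no space after the marker), so confirm against the file. Separately, the trailing hunk still leaves `BOARD_AVB_RECOVERY_KEY_PATH` pointing at AOSP's public `testkey_rsa4096.pem`, so recovery verification stays cosmetic until a private key is used.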
@@ -146,11 +146,11 @@ PRODUCT_PACKAGES += \
 # Thermal config
 PRODUCT_COPY_FILES += \
- $(LOCAL_PATH)/configs/thermal-engine.conf:$(TARGET_COPY_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/thermal-engine.conf
+ $(LOCAL_PATH)/configs/thermal-engine.conf:$(TARGET_COPY_OUT_SYSTEM)/etc/thermal-engine.conf
 # WiFi
 PRODUCT_COPY_FILES += \
- $(LOCAL_PATH)/wifi/WCNSS_qcom_cfg.ini:$(TARGET_COPY_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/wifi/WCNSS_qcom_cfg.ini
+ $(LOCAL_PATH)/wifi/WCNSS_qcom_cfg.ini:$(TARGET_COPY_OUT_SYSTEM)/etc/wifi/WCNSS_qcom_cfg.ini
 # WiFi Display
 PRODUCT_PACKAGES += \
diff --git a/light/Android.mk b/light/Android.mk
index d619e55..3b68b1b 100644
--- a/light/Android.mk
+++ b/light/Android.mk
@@ -34,7 +34,7 @@ LOCAL_MODULE := android.hardware.light@2.0-service.lenovo_kunlun2.rc
 LOCAL_MODULE_TAGS := optional
 LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/vendor_overlay/$(PRODUCT_TARGET_VNDK_VERSION)/etc/init
+LOCAL_MODULE_PATH := $(TARGET_OUT_ETC)/init
 LOCAL_MODULE_STEM := android.hardware.light@2.0-service.rc
 LOCAL_SRC_FILES := android.hardware.light@2.0-service.lenovo_kunlun2.rc
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index ad3e3ce..05e9370 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -42,6 +42,9 @@ on init
 write /proc/sys/vm/page-cluster 0
 mount none /system/etc/audio_policy_configuration.xml /vendor/etc/audio_policy_configuration.xml bind
+ mount none /system/etc/thermal-engine.conf /vendor/etc/thermal-engine.conf bind
+ mount none /system/etc/wifi/WCNSS_qcom_cfg.ini /vendor/etc/wifi/WCNSS_qcom_cfg.ini bind
+ mount none /system/etc/init/android.hardware.light@2.0-service.rc /vendor/etc/init/android.hardware.light@2.0-service.rc bind
 mount none /vendor/lost+found /vendor/overlay bind
 on late-fs
diff --git a/sepolicy/private/app.te b/sepolicy/private/app.te
new file mode 100644
index 0000000..9f418bd
--- /dev/null
+++ b/sepolicy/private/app.te
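Review bot: The three new bind mounts in init.qcom.rc carry no explanation of why these files left vendor_overlay, and the reason (the vendor_overlay/29/etc copies made the device reboot to recovery after `cryptfs enablefilecrypto` failed) lives only in the commit message; a comment above the block such as `# Bind system copies over the vendor configs: shipping them via vendor_overlay/29/etc made cryptfs enablefilecrypto fail and the device reboot to recovery` keeps that with the code. A bind mount also keeps the source's label, so /vendor/etc/thermal-engine.conf and the WCNSS ini are now read by vendor domains as system_file rather than vendor_configs_file; the thermal-engine.te hunk in this patch does not add system_file read, so confirm those readers already get it from the base policy. The `on init` section starts before the hunk and continues past it.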
@@ -0,0 +1,2 @@
+# Allow appdomain to get vendor_camera_prop
+get_prop(appdomain, vendor_camera_prop)
diff --git a/sepolicy/private/device.te b/sepolicy/private/device.te
new file mode 100644
index 0000000..9a90839
--- /dev/null
+++ b/sepolicy/private/device.te
@@ -0,0 +1,2 @@
+type device_latency, dev_type;
+type diag_device, dev_type, mlstrustedobject;
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
index d74de02..fe38e7e 100644
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@@ -2,3 +2,19 @@ type adsprpcd_file, file_type;
 type bt_firmware_file, file_type;
 type firmware_file, file_type;
 type persist_file, file_type;
+type proc_touchpanel, fs_type, proc_type;
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type sysfs_system_sleep_stats, sysfs_type, fs_type;
+type sysfs_rpm, sysfs_type, fs_type;
+type sysfs_graphics, sysfs_type, fs_type;
+type sysfs_devfreq, sysfs_type, fs_type;
+type sysfs_kgsl, sysfs_type, fs_type;
+type sysfs_scsi_devices, sysfs_type, fs_type;
+type sysfs_power_stats, sysfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type debugfs_sched_features, debugfs_type, fs_type;
+type proc_sysctl_schedboost, proc_type, fs_type;
+type pps_socket, file_type;
+type display_data_file, data_file_type, core_data_file_type, file_type;
+type vendor_firmware_file, vendor_file_type, file_type;
+type sysfs_tp, fs_type, sysfs_type;
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index d8ede0c..91dcd7a 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
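Review bot: `get_prop(appdomain, vendor_camera_prop)` gives every app domain, untrusted_app included, read access to whatever is labelled vendor_camera_prop, yet nothing in this patch's property_contexts labels a property with that type (only vendor.powerhal.* is labelled), so as written the rule either grants nothing or exposes properties labelled in a vendor file I cannot see. If one camera app needs the value, scope the rule to that domain (`get_prop(platform_app, vendor_camera_prop)` or the app's own domain) and add the property_contexts entry next to it; if all apps really need it, the comment should name the properties and say why.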
@@ -1,5 +1,21 @@
+# Data files
+/data/display(/.*)? u:object_r:display_data_file:s0
+
 # Files in rootfs
 /bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
 /dsp(/.*)? u:object_r:adsprpcd_file:s0
 /firmware(/.*)? u:object_r:firmware_file:s0
 /persist(/.*)? u:object_r:persist_file:s0
+
+# HALs
+/system/bin/hw/android\.hardware\.power@1\.3-service\.lenovo-libperfmgr u:object_r:hal_power_pixel_exec:s0
+/system/bin/hw/android\.hardware\.power\.stats@1\.0-service\.lenovo u:object_r:hal_powerstats_exec:s0
+/system/bin/hw/lineage\.livedisplay@2\.0-service-sdm u:object_r:shal_livedisplay_default_exec:s0
+/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+
+# Touch
+/sys/devices/virtual/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0
+
+# Vendor overlay
+/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/soundfx u:object_r:vendor_hal_file:s0
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
new file mode 100644
index 0000000..95f4fba
--- /dev/null
+++ b/sepolicy/private/genfs_contexts
@@ -0,0 +1,15 @@
+genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
+
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable u:object_r:sysfs_scsi_devices:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices:s0
+
+genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0
+genfscon sysfs /kernel/wlan/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0
+
+genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0
diff --git a/sepolicy/private/hal_audio.te b/sepolicy/private/hal_audio.te
new file mode 100644
index 0000000..c2b37b7
--- /dev/null
+++ b/sepolicy/private/hal_audio.te
@@ -0,0 +1 @@
+allow hal_audio hal_power_pixel:binder call;
diff --git a/sepolicy/private/hal_fingerprint_sdm710.te b/sepolicy/private/hal_fingerprint_sdm710.te
new file mode 100644
index 0000000..e20276e
--- /dev/null
+++ b/sepolicy/private/hal_fingerprint_sdm710.te
@@ -0,0 +1,6 @@
+type hal_fingerprint_sdm710, coredomain, domain;
+hal_client_domain(hal_fingerprint_sdm710, hal_fingerprint)
+hal_server_domain(hal_fingerprint_sdm710, hal_fingerprint)
+
+type hal_fingerprint_sdm710_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(hal_fingerprint_sdm710)
diff --git a/sepolicy/private/hal_livedisplay_default.te b/sepolicy/private/hal_livedisplay_default.te
new file mode 100644
index 0000000..8bdc1d4
--- /dev/null
+++ b/sepolicy/private/hal_livedisplay_default.te
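Review bot: hal_fingerprint_sdm710.te declares a coredomain fingerprint server with a system_file_type entrypoint, but no file_contexts entry in this patch labels any binary as hal_fingerprint_sdm710_exec, so init_daemon_domain has nothing to transition into and the domain is dead policy unless a label exists outside this change. Either add a `/system/bin/hw/<binary> u:object_r:hal_fingerprint_sdm710_exec:s0` entry next to the other HALs in file_contexts, or drop the file. A one-line comment on why a fingerprint HAL runs from /system as a coredomain rather than from vendor would also help, since that is the unusual part of the declaration.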
@@ -0,0 +1,29 @@
+type shal_livedisplay_default, coredomain, domain;
+hal_server_domain(shal_livedisplay_default, hal_lineage_livedisplay)
+
+type shal_livedisplay_default_exec, exec_type, file_type;
+init_daemon_domain(shal_livedisplay_default)
+
+# Allow LiveDisplay to perform binder IPC to vendor.display.color::IDisplayColor
+type hal_display_color_default, domain;
+binder_call(shal_livedisplay_default, hal_display_color_default)
+
+allow shal_livedisplay_default hal_display_color_hwservice:hwservice_manager find;
+
+# Talk to the binder device node
+allow shal_livedisplay_default binder_device:chr_file rw_file_perms;
+
+# Allow LiveDisplay to store files under /data/display and access them
+allow shal_livedisplay_default display_data_file:dir rw_dir_perms;
+allow shal_livedisplay_default display_data_file:file create_file_perms;
+
+# Allow LiveDisplay to access pps socket
+type mm-pp-daemon, domain;
+typeattribute mm-pp-daemon socket_between_core_and_vendor_violators;
+unix_socket_connect(shal_livedisplay_default, pps, mm-pp-daemon)
+
+# Allow LiveDisplay to read display props
+get_prop(shal_livedisplay_default, vendor_display_prop)
+
+# Grant LiveDisplay access over the control nodes
+allow shal_livedisplay_default sysfs_graphics:file rw_file_perms;
diff --git a/sepolicy/private/hal_power_pixel.te b/sepolicy/private/hal_power_pixel.te
new file mode 100644
index 0000000..7ea2b06
--- /dev/null
+++ b/sepolicy/private/hal_power_pixel.te
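Review bot: `shal_livedisplay_default_exec` is declared as `exec_type, file_type` only, while file_contexts in this same patch labels `/system/bin/hw/lineage.livedisplay@2.0-service-sdm` with it; the other two HAL exec types added here carry `system_file_type`, and I believe the build-time file_contexts check requires it for /system paths, so `type shal_livedisplay_default_exec, system_file_type, exec_type, file_type;` is the consistent line. `typeattribute mm-pp-daemon socket_between_core_and_vendor_violators;` tags a vendor domain as a violator from plat-private policy so a core HAL can reach its socket; if that is the intended design, a comment stating that the pps socket is the only control path for this panel would justify it, otherwise this is exactly the cross-partition coupling the attribute exists to flag. `pps_socket` is also declared as plain `file_type` in file.te with no file_contexts entry in this patch, so confirm the socket actually receives that label.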
@@ -0,0 +1,54 @@
+type hal_power_pixel, coredomain, domain;
+hal_server_domain(hal_power_pixel, hal_power)
+
+type hal_power_pixel_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(hal_power_pixel)
+
+# Allow hal_power_pixel to write to dt2w nodes
+allow hal_power_pixel proc_touchpanel:dir search;
+allow hal_power_pixel proc_touchpanel:file w_file_perms;
+
+allow hal_power_pixel debugfs_wlan:dir r_dir_perms;
+allow hal_power_pixel debugfs_wlan:file r_file_perms;
+
+allow hal_power_pixel self:capability dac_override;
+
+allow hal_power_pixel system_file:file r_file_perms;
+
+allow hal_power_pixel sysfs_graphics:dir search;
+allow hal_power_pixel sysfs_graphics:file r_file_perms;
+
+allow hal_power_pixel sysfs_rpm:file r_file_perms;
+allow hal_power_pixel sysfs_system_sleep_stats:file r_file_perms;
+allow hal_power_pixel sysfs_power_stats:file r_file_perms;
+
+r_dir_file(hal_power, sysfs_tp)
+allow hal_power_pixel sysfs_tp:file write;
+
+# To do powerhint on nodes defined in powerhint.json
+allow hal_power_pixel sysfs_devfreq:dir search;
+allow hal_power_pixel sysfs_devfreq:{ file lnk_file } rw_file_perms;
+allow hal_power_pixel sysfs_scsi_devices:dir search;
+allow hal_power_pixel sysfs_scsi_devices:{ file lnk_file } rw_file_perms;
+allow hal_power_pixel sysfs_kgsl:dir search;
+allow hal_power_pixel sysfs_kgsl:{ file lnk_file } rw_file_perms;
+allow hal_power_pixel sysfs_msm_subsys:dir search;
+allow hal_power_pixel sysfs_msm_subsys:file rw_file_perms;
+allow hal_power_pixel sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_power_pixel device_latency:chr_file rw_file_perms;
+allow hal_power_pixel proc_sysctl_schedboost:file rw_file_perms;
+allow hal_power_pixel debugfs_sched_features:dir search;
+allow hal_power_pixel debugfs_sched_features:file rw_file_perms;
+allow hal_power_pixel input_device:dir search;
+allow hal_power_pixel input_device:chr_file rw_file_perms;
+
+allow hal_power_pixel hal_power_hwservice:hwservice_manager add;
+allow hal_power_pixel hidl_base_hwservice:hwservice_manager add;
+binder_call(hal_power_pixel, hwservicemanager)
+binder_call(hal_power_pixel, hal_audio)
+
+# To get hwservicemanager state
+get_prop(hal_power_pixel, hwservicemanager_prop)
+
+# To get/set powerhal state property
+set_prop(hal_power_pixel, vendor_power_prop)
diff --git a/sepolicy/private/hal_powerstats.te b/sepolicy/private/hal_powerstats.te
new file mode 100644
index 0000000..dfb1db0
--- /dev/null
+++ b/sepolicy/private/hal_powerstats.te
@@ -0,0 +1,19 @@
+type hal_powerstats, domain;
+type hal_powerstats_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(hal_powerstats)
+
+allow hal_powerstats sysfs_rpm:file r_file_perms;
+allow hal_powerstats sysfs_system_sleep_stats:file r_file_perms;
+allow hal_powerstats sysfs_power_stats:file r_file_perms;
+
+allow hal_powerstats default_android_service:service_manager add;
+allow hal_powerstats hal_power_stats_hwservice:hwservice_manager { add find };
+allow hal_powerstats hidl_base_hwservice:hwservice_manager add;
+get_prop(hal_powerstats, hwservicemanager_prop)
+
+binder_call(hal_powerstats, servicemanager)
+binder_call(hal_powerstats, hwservicemanager)
+binder_call(hal_powerstats, system_server)
+allow hal_powerstats binder_device:chr_file rw_file_perms;
+
+allow servicemanager hal_powerstats:binder call;
diff --git a/sepolicy/private/hal_sensors_default.te b/sepolicy/private/hal_sensors_default.te
new file mode 100644
index 0000000..cda7609
--- /dev/null
+++ b/sepolicy/private/hal_sensors_default.te
@@ -0,0 +1,2 @@
+allow hal_sensors diag_device:chr_file rw_file_perms;
+allow hal_sensors system_server:fd use;
diff --git a/sepolicy/private/hwservice.te b/sepolicy/private/hwservice.te
new file mode 100644
index 0000000..17ca6fc
--- /dev/null
+++ b/sepolicy/private/hwservice.te
@@ -0,0 +1 @@
+type hal_display_color_hwservice, hwservice_manager_type;
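Review bot: `allow hal_power_pixel self:capability dac_override;` and `allow hal_power_pixel input_device:chr_file rw_file_perms;` are the two rules in hal_power_pixel.te I would push back on: dac_override lets this coredomain HAL bypass file permissions everywhere, not just on the touch and devfreq nodes it writes, and read-write on every input device lets it both observe raw input events and inject them. Drop the capability by fixing ownership of the specific nodes in the init rc (init already writes proc_touchpanel in this patch, so a `chown`/`chmod` there is the natural place), and narrow the input rule to what the HAL does — if it only watches for touch activity to trigger boosts, `allow hal_power_pixel input_device:chr_file r_file_perms;` suffices. `r_dir_file(hal_power, sysfs_tp)` is written on the hal_power attribute, which as far as I recall also covers client domains, so it should be `r_dir_file(hal_power_pixel, sysfs_tp)` to match the write rule below it.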
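Review bot: `allow hal_powerstats default_android_service:service_manager add;` registers a service under the fallback label, meaning no service_contexts entry names it; to my recollection AOSP carries a neverallow against adding default_android_service precisely to catch this, and it only passes here because SELINUX_IGNORE_NEVERALLOWS is still set in BoardConfig.mk. Declare a proper service type with a service_contexts entry, or remove the rule if the AIDL registration is not needed. The domain also lacks `coredomain` even though its executable is `system_file_type` under /system/bin/hw, unlike hal_power_pixel in the previous hunk; `type hal_powerstats, coredomain, domain;` together with `hal_server_domain(hal_powerstats, hal_power_stats)` would replace the hand-written hwservice add/find, hidl_base and hwservicemanager rules with the standard macro.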
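Review bot: Both rules in hal_sensors_default.te are written on the `hal_sensors` attribute rather than the `hal_sensors_default` server domain the file is named after; in AOSP's HAL attribute scheme that attribute is, as far as I recall, shared with client domains, so `allow hal_sensors diag_device:chr_file rw_file_perms;` would hand /dev/diag (the Qualcomm diag interface, which reaches the modem) to every sensor client including system_server. `allow hal_sensors_default diag_device:chr_file rw_file_perms;` keeps it to the HAL process, and `allow hal_sensors_default system_server:fd use;` likewise. A comment on why a sensor HAL needs diag at all would help, since that is an unusual dependency and diag_device is also declared mlstrustedobject in device.te.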
diff --git a/sepolicy/private/hwservice_contexts b/sepolicy/private/hwservice_contexts
new file mode 100644
index 0000000..8e793b3
--- /dev/null
+++ b/sepolicy/private/hwservice_contexts
@@ -0,0 +1 @@
+vendor.display.color::IDisplayColor u:object_r:hal_display_color_hwservice:s0
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
new file mode 100644
index 0000000..4550faa
--- /dev/null
+++ b/sepolicy/private/init.te
@@ -0,0 +1,9 @@
+allow init proc_touchpanel:dir search;
+allow init proc_touchpanel:file { write setattr open};
+
+# Allow init to mount vendor configs
+allow init vendor_configs_file:dir mounton;
+allow init vendor_configs_file:file mounton;
+
+# Allow init to mount vendor overlay
+allow init vendor_overlay_file:dir mounton;
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
new file mode 100644
index 0000000..888f742
--- /dev/null
+++ b/sepolicy/private/property.te
@@ -0,0 +1,3 @@
+type vendor_camera_prop, property_type;
+type vendor_power_prop, property_type;
+type vendor_display_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..d4ec336
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,5 @@
+# Powerhal
+vendor.powerhal.state u:object_r:vendor_power_prop:s0
+vendor.powerhal.audio u:object_r:vendor_power_prop:s0
+vendor.powerhal.init u:object_r:vendor_power_prop:s0
+vendor.powerhal.rendering u:object_r:vendor_power_prop:s0
diff --git a/sepolicy/private/qti_init_shell.te b/sepolicy/private/qti_init_shell.te
new file mode 100644
index 0000000..5f1c35a
--- /dev/null
+++ b/sepolicy/private/qti_init_shell.te
@@ -0,0 +1,4 @@
+type qti_init_shell, domain;
+
+allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms;
+dontaudit qti_init_shell self:capability { dac_override dac_read_search };
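Review bot: property_contexts labels only the vendor.powerhal.* properties, yet property.te in this patch also declares vendor_camera_prop and vendor_display_prop, and app.te, system_server.te and the LiveDisplay domain are granted read on them; with no property_contexts entry those types label nothing, so the get_prop rules are either dead or depend on a vendor property_contexts outside this change. Add the missing entries next to the Powerhal block, in the form `vendor.camera. u:object_r:vendor_camera_prop:s0` and `vendor.display. u:object_r:vendor_display_prop:s0` with whatever the real prefixes are, or drop the unused types and their get_prop rules.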
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
new file mode 100644
index 0000000..4758f6c
--- /dev/null
+++ b/sepolicy/private/system_server.te
@@ -0,0 +1,3 @@
+get_prop(system_server, vendor_camera_prop)
+allow system_server hal_power_pixel:binder call;
+allow system_server hal_powerstats:binder call;
diff --git a/sepolicy/private/thermal-engine.te b/sepolicy/private/thermal-engine.te
new file mode 100644
index 0000000..c792f68
--- /dev/null
+++ b/sepolicy/private/thermal-engine.te
@@ -0,0 +1,4 @@
+type thermal-engine, domain;
+
+allow thermal-engine sysfs_devfreq:dir r_dir_perms;
+allow thermal-engine sysfs:dir r_dir_perms;
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
new file mode 100644
index 0000000..fdadda7
--- /dev/null
+++ b/sepolicy/private/vendor_init.te
@@ -0,0 +1,4 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+# Allow vendor_init to check encryption status of system_data_file
+allow vendor_init system_data_file:dir { ioctl open read setattr };
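Review bot: `setattr` in vendor_init.te goes beyond the rule's stated purpose — checking encryption status needs `ioctl open read` (presumably the FS_IOC_GET_ENCRYPTION_POLICY path), whereas setattr lets vendor_init change mode and ownership on core /data directories labelled system_data_file, which is exactly the cross-partition write the data_between_core_and_vendor_violators attribute above it exists to flag. Trim it to `allow vendor_init system_data_file:dir { ioctl open read };` unless an rc line in this tree actually chowns or chmods such a directory, in which case the comment should name that line. If the policy already uses ioctl allowlists, an `allowxperm vendor_init system_data_file:dir ioctl { FS_IOC_GET_ENCRYPTION_POLICY };` would pin the intent stated in the comment.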