kunlun2: Address some initial denials
- Drop the /data/system folder creation that breaks encryption - Drop the permissive domains and other questionable rules - Properly label the light and fingerprint HALs - Address initial fingerprint denials - Label the camera zui prop
This commit is contained in:
parent
e6d6a83f22
commit
c119216557
13 changed files with 39 additions and 71 deletions
|
@ -350,7 +350,6 @@ on post-fs-data
|
|||
chown system system /sys/devices/platform/msm_sdcc.4/polling
|
||||
|
||||
#Create the symlink to qcn wpa_supplicant folder for ar6000 wpa_supplicant
|
||||
mkdir /data/system 0775 system system
|
||||
#symlink /data/misc/wifi/wpa_supplicant /data/system/wpa_supplicant
|
||||
|
||||
#Create directories for Location services
|
||||
|
|
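--- a/sepolicy/vendor/binderfs.te
+++ b/sepolicy/vendor/binderfs.te
@@ -1,4 +0,0 @@
-# REVERT ME: make binderfs permissive
-userdebug_or_eng(`
-permissive binderfs;
-')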
7
sepolicy/vendor/file.te
vendored
7
sepolicy/vendor/file.te
vendored
|
@ -8,10 +8,5 @@ type sysfs_system_sleep_stats, sysfs_type, fs_type;
|
|||
type sysfs_rpm, sysfs_type, fs_type;
|
||||
type sysfs_power_stats, sysfs_type, fs_type;
|
||||
type sysfs_tp, fs_type, sysfs_type;
|
||||
#type sysfs_ssr, sysfs_type, fs_type;
|
||||
#type sysfs_ssr_toggle, sysfs_type, fs_type;
|
||||
#type sysfs_devfreq, sysfs_type, fs_type;
|
||||
#type sysfs_kgsl, sysfs_type, fs_type;
|
||||
#type sysfs_scsi_devices, sysfs_type, fs_type;
|
||||
type debugfs_wlan, debugfs_type, fs_type;
|
||||
type proc_sysctl_schedboost, proc_type, fs_type;
|
||||
type debugfs_sched_features, debugfs_type, fs_type;
|
||||
|
|
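Review bot: The commented-out `#type sysfs_ssr_toggle`, `#type sysfs_kgsl` and `#type sysfs_devfreq` declarations in this hunk name types the rest of the commit still uses — `sysfs_ssr_toggle` in genfs_contexts and vendor_init.te, `sysfs_kgsl` and `sysfs_devfreq` in hal_power_default.te — so whichever side these lines end up on, those types have to be declared somewhere else (presumably a shared qcom policy) or the policy will not compile. I cannot tell old from new side for each line in this rendering. A one-line comment next to the live declarations, e.g. `# sysfs_ssr_toggle, sysfs_kgsl and sysfs_devfreq come from the common qcom sepolicy; do not redeclare`, would stop the next person from re-adding them and hitting a duplicate-type error.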
3
sepolicy/vendor/file_contexts
vendored
3
sepolicy/vendor/file_contexts
vendored
|
@ -7,8 +7,9 @@
|
|||
/data/display(/.*)? u:object_r:display_data_file:s0
|
||||
|
||||
# Custom HALs
|
||||
/vendor/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.light@2\.0-service\.lenovo_kunlun2 u:object_r:hal_light_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.power-service\.lenovo u:object_r:hal_power_default_exec:s0
|
||||
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice u:object_r:hal_fingerprint_default_exec:s0
|
||||
|
||||
# Touch
|
||||
/sys/class/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0
|
||||
|
|
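Review bot: The `/sys/class/touch/tp_dev/gesture_on u:object_r:sysfs_tp:s0` entry under `# Touch` is a file_contexts entry for a sysfs node, and file_contexts is not applied to sysfs at mount time — sysfs takes its labels from genfs_contexts. This line only has an effect if an init script runs `restorecon` on exactly that path after the node exists, and because `/sys/class/...` is a symlink the genfscon form must name the backing `/sys/devices/...` path instead. Without one of those, the node keeps the generic `sysfs` label and the `sysfs_tp` rules in hal_power_default.te never match; the fix is a `genfscon sysfs /devices/<real path>/gesture_on u:object_r:sysfs_tp:s0` line in genfs_contexts (the real path is not visible here).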
2
sepolicy/vendor/genfs_contexts
vendored
2
sepolicy/vendor/genfs_contexts
vendored
|
@ -20,8 +20,8 @@ genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/restart_level u:ob
|
|||
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys7/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
|
||||
genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
|
||||
genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
|
||||
|
||||
|
|
15
sepolicy/vendor/hal_audio_default.te
vendored
15
sepolicy/vendor/hal_audio_default.te
vendored
|
@ -1,14 +1,3 @@
|
|||
# Allow access to the HALs
|
||||
hal_client_domain(hal_audio_default, hal_sensors)
|
||||
allow hal_audio_default mnt_vendor_file:dir search;
|
||||
|
||||
# Allow binder communication with hal_sensors_default
|
||||
binder_call(hal_audio_default, hal_sensors_default)
|
||||
|
||||
# Allow hal_audio_default to find hal_sensors_hwservice
|
||||
allow hal_audio_default hal_sensors_hwservice:hwservice_manager find;
|
||||
|
||||
# Allow hal_audio_default to read audio_device
|
||||
allow hal_audio_default audio_device:dir r_dir_perms;
|
||||
|
||||
# Allow hal_audio_default to read files in mnt_vendor_file
|
||||
r_dir_file(hal_audio_default, mnt_vendor_file)
|
||||
set_prop(hal_audio_default, vendor_audio_prop)
|
||||
|
|
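--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1 @@
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;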
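Review bot: The new `allow hal_fingerprint_default tee_device:chr_file rw_file_perms;` rule carries no comment recording the denial it answers, which matters for a rule that opens the TEE driver node to a HAL. Please add the avc line, or at least the device node, above it, e.g. `# fpcservice talks to the TEE driver node (from the avc denial on tee_device); the ioctl-based interface needs read/write`, so a later audit can confirm `tee_device` is the intended label and not a catch-all. If the denial only showed `{ read open ioctl }`, narrow the rule to those permissions instead of the full `rw_file_perms` set.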
32
sepolicy/vendor/hal_power_default.te
vendored
32
sepolicy/vendor/hal_power_default.te
vendored
|
@ -1,24 +1,27 @@
|
|||
allow hal_power_default debugfs_wlan:dir r_dir_perms;
|
||||
allow hal_power_default debugfs_wlan:file r_file_perms;
|
||||
allow hal_power_default input_device:dir r_dir_perms;
|
||||
allow hal_power_default input_device:chr_file rw_file_perms;
|
||||
|
||||
allow hal_power_default sysfs_rpm:file r_file_perms;
|
||||
allow hal_power_default sysfs_system_sleep_stats:file r_file_perms;
|
||||
allow hal_power_default sysfs_graphics:dir search;
|
||||
allow hal_power_default sysfs_graphics:file r_file_perms;
|
||||
|
||||
r_dir_file(hal_power_default, sysfs_tp)
|
||||
allow hal_power_default sysfs_tp:file write;
|
||||
allow hal_power_default sysfs_kgsl:lnk_file rw_file_perms;
|
||||
allow hal_power_default sysfs_kgsl:file rw_file_perms;
|
||||
allow hal_power_default sysfs_devfreq:dir search;
|
||||
allow hal_power_default sysfs_devfreq:file rw_file_perms;
|
||||
|
||||
# To do powerhint on nodes defined in powerhint.json
|
||||
allow hal_power_default sysfs_devfreq:dir search;
|
||||
allow hal_power_default sysfs_devfreq:{ file lnk_file } rw_file_perms;
|
||||
allow hal_power_default sysfs_kgsl:dir search;
|
||||
allow hal_power_default sysfs_kgsl:{ file lnk_file } rw_file_perms;
|
||||
allow hal_power_default sysfs_msm_subsys:dir search;
|
||||
allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
|
||||
allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
|
||||
allow hal_power_default device_latency:chr_file rw_file_perms;
|
||||
allow hal_power_default cgroup:dir search;
|
||||
allow hal_power_default cgroup:file rw_file_perms;
|
||||
allow hal_power_default debugfs_sched_features:file rw_file_perms;
|
||||
allow hal_power_default proc_sysctl_schedboost:file rw_file_perms;
|
||||
|
||||
allow hal_power_default input_device:dir r_dir_perms;
|
||||
allow hal_power_default input_device:chr_file rw_file_perms;
|
||||
# Allow power hal to talk to mm-pp-daemon to control display lpm
|
||||
allow hal_power_default mm-pp-daemon:unix_stream_socket connectto;
|
||||
allow hal_power_default pps_socket:sock_file write;
|
||||
|
||||
# To get/set powerhal state property
|
||||
set_prop(hal_power_default, vendor_power_prop)
|
||||
|
@ -26,6 +29,5 @@ set_prop(hal_power_default, vendor_power_prop)
|
|||
# Rule for hal_power_default to access graphics composer process
|
||||
unix_socket_connect(hal_power_default, pps, hal_graphics_composer_default);
|
||||
|
||||
# Allow powerhal trigger dt2w node
|
||||
allow hal_power_default proc_touchpanel:dir search;
|
||||
allow hal_power_default proc_touchpanel:file r_file_perms;
|
||||
r_dir_file(hal_power_default, sysfs_tp)
|
||||
allow hal_power_default sysfs_tp:file write;
|
||||
|
|
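Review bot: `allow hal_power_default input_device:chr_file rw_file_perms;` (it appears in both hunks, so apparently it survives on the new side) gives the Power HAL write access to every `/dev/input/event*` node, which is enough to inject input events; a touch-boost listener only needs to read them. Unless a denial showed `write` on `input_device`, narrow it to `allow hal_power_default input_device:chr_file r_file_perms;` and note the denial above it. Separately, the `debugfs_wlan` and `debugfs_sched_features` rules rely on debugfs being mounted, which newer Android releases stop doing on user builds; if this tree targets such a release those hints will silently fail there, so confirm the target. The `r_dir_file(hal_power_default, sysfs_tp)` plus `sysfs_tp:file write` pair also appears in both hunks; keep a single copy.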
10
sepolicy/vendor/init.te
vendored
10
sepolicy/vendor/init.te
vendored
|
@ -1,7 +1,3 @@
|
|||
# Allow init to mount wlan kernel module
|
||||
allow init vendor_file:file mounton;
|
||||
|
||||
# Allow init to mount vendor configs
|
||||
allow init vendor_configs_file:dir mounton;
|
||||
|
||||
permissive init;
|
||||
allow init self:netlink_route_socket rw_socket_perms_no_ioctl;
|
||||
allow init self:rawip_socket create_socket_perms_no_ioctl;
|
||||
allow init socket_device:sock_file { unlink setattr create };
|
||||
|
|
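Review bot: The `netlink_route_socket`, `rawip_socket` and `socket_device:sock_file { unlink setattr create }` rules for `init` widen the core `init` domain from vendor policy, which is the wrong place for them — they were presumably collected while `permissive init;` was still in force and look like the work of an rc action or a service running in init's own context instead of a vendor domain. I cannot tell old from new side in this rendering, but if these are the new lines, please add the denials as comments and check whether the core `system/sepolicy/public/init.te` for this release already grants them (the `socket_device:sock_file` set in particular resembles init's standard service-socket rule), in which case they are redundant here. If a denial remains, move the offending command into a service with its own vendor domain rather than widening `init`.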
3
sepolicy/vendor/property.te
vendored
3
sepolicy/vendor/property.te
vendored
|
@ -1,6 +1,3 @@
|
|||
type vendor_camera_prop, property_type;
|
||||
#type camera_prop, property_type;
|
||||
#type vendor_display_prop, property_type;
|
||||
#type vendor_audio_prop, property_type;
|
||||
type vendor_power_prop, property_type;
|
||||
type thermal_engine_prop, property_type;
|
||||
|
|
13
sepolicy/vendor/property_contexts
vendored
13
sepolicy/vendor/property_contexts
vendored
|
@ -1,17 +1,16 @@
|
|||
audio. u:object_r:vendor_audio_prop:s0
|
||||
persist.audio u:object_r:vendor_audio_prop:s0
|
||||
persist.speaker u:object_r:vendor_audio_prop:s0
|
||||
|
||||
#Camera
|
||||
# Camera
|
||||
camera. u:object_r:camera_prop:s0
|
||||
persist.camera. u:object_r:camera_prop:s0
|
||||
ro.camera. u:object_r:camera_prop:s0
|
||||
persist.vendor.camera. u:object_r:camera_prop:s0
|
||||
sys.camera. u:object_r:camera_prop:s0
|
||||
|
||||
# Powerhal
|
||||
# PowerHAL
|
||||
vendor.powerhal.state u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.audio u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.lpm u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.init u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.rendering u:object_r:vendor_power_prop:s0
|
||||
vendor.powerhal.dalvik. u:object_r:vendor_power_prop:s0
|
||||
|
||||
# Thermal
|
||||
persist.sys.thermal. u:object_r:thermal_engine_prop:s0
|
||||
|
|
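Review bot: Every camera prefix in this hunk (`camera.`, `persist.camera.`, `ro.camera.`, `persist.vendor.camera.`, `sys.camera.`) is labeled `camera_prop`, while property.te in the same commit declares `vendor_camera_prop` and shows `camera_prop` only as a commented-out declaration, and vendor_init.te grants `set_prop(vendor_init, vendor_camera_prop)`. Unless `camera_prop` is declared in a shared policy, checkfc rejects this file; if it is, nothing here maps to `vendor_camera_prop`, so that declaration and the vendor_init rule are dead. I cannot tell sides from the rendering, and the "zui" camera property named in the commit message is not visible in this hunk, so a comment naming that property and its intended type would settle both points. Also, labeling system-owned prefixes such as `ro.camera.` and `sys.camera.` from vendor property_contexts is the kind of entry the compatible-property checks on newer releases reject — confirm against this tree's target.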
16
sepolicy/vendor/vendor_init.te
vendored
16
sepolicy/vendor/vendor_init.te
vendored
|
@ -1,16 +1,8 @@
|
|||
permissive vendor_init;
|
||||
|
||||
#type qti_init_shell_exec, exec_type, vendor_file_type,file_type;
|
||||
|
||||
# Allow vendor_init to set public_vendor_default_prop
|
||||
set_prop(vendor_init, public_vendor_default_prop)
|
||||
typeattribute vendor_init data_between_core_and_vendor_violators;
|
||||
set_prop(vendor_init, vendor_power_prop)
|
||||
set_prop(vendor_init, freq_prop)
|
||||
|
||||
# Allow vendor_init to write to sysfs_ssr_toggl
|
||||
allow vendor_init sysfs_ssr_toggle:file w_file_perms;
|
||||
|
||||
# Allow vendor_init to check encryption status of system_data_file
|
||||
allow vendor_init system_data_file:dir { ioctl open read setattr };
|
||||
|
||||
# Allow vendor_init to set vendor_camera_prop
|
||||
set_prop(vendor_init, vendor_camera_prop)
|
||||
# Allow vendor_init to enable/disable sched_boost
|
||||
allow vendor_init proc_sysctl_schedboost:file rw_file_perms;
|
||||
|
|
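Review bot: `typeattribute vendor_init data_between_core_and_vendor_violators;` and `allow vendor_init system_data_file:dir { ioctl open read setattr };` belong with the `/data/system` mkdir this commit deletes from the init script, so if they remain on the new side they are now a Treble escape hatch with no user — the attribute exists only to exempt a vendor domain from the core-versus-vendor data neverallows. I cannot tell old from new side in this rendering; if they survive, drop both together with the mkdir. Minor: the comment `# Allow vendor_init to write to sysfs_ssr_toggl` is missing its final `e`.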
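--- /dev/null
+++ b/sepolicy/vendor/vold.te
@@ -0,0 +1 @@
+allow vold sysfs_mmc_host:file rw_file_perms;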
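Review bot: The new `allow vold sysfs_mmc_host:file rw_file_perms;` extends the core `vold` domain from vendor policy and has no comment saying which node or denial it is for. Please record it, e.g. `# vold writes <node> under /sys/class/mmc_host (avc: denied { write } ... sysfs_mmc_host)`, and narrow to `w_file_perms` or `r_file_perms` if the denial shows only one direction. Whether vendor policy may add rules to `vold` at all depends on the release's Treble compatibility checks, so confirm the build passes with this rule living in `sepolicy/vendor` rather than in a system/private policy.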