From 0a263a571668988af7c0a25b7e23b195fe12e9b8 Mon Sep 17 00:00:00 2001 From: OdSazib Date: Sun, 27 Jun 2021 22:45:59 +0600 Subject: [PATCH] sdm660-common: sepolicy: Update sepolicy for 4.19 --- sepolicy/private/system_app.te | 1 + sepolicy/private/system_suspend.te | 1 + sepolicy/vendor/adsprpcd.te | 1 + sepolicy/vendor/bluetooth.te | 1 + sepolicy/vendor/cameraserver.te | 3 +++ sepolicy/vendor/cdsprpcd.te | 2 ++ sepolicy/vendor/cnd.te | 1 + sepolicy/vendor/file.te | 3 +++ sepolicy/vendor/file_contexts | 6 +++--- sepolicy/vendor/ftrace.te | 2 -- sepolicy/vendor/genfs_contexts | 2 -- sepolicy/vendor/hal_audio_default.te | 1 + sepolicy/vendor/hal_bootctrl_default.te | 1 + sepolicy/vendor/hal_camera_default.te | 1 + sepolicy/vendor/hal_neuralnetworks_default.te | 1 + sepolicy/vendor/hal_wifi_hostapd_default.te | 1 + sepolicy/vendor/hvdcp.te | 1 + sepolicy/vendor/hwservice.te | 1 + sepolicy/vendor/hwservice_contexts | 2 ++ sepolicy/vendor/init.te | 5 +++++ sepolicy/vendor/mediaprovider.te | 1 + sepolicy/vendor/mutalex.te | 6 ++++++ sepolicy/vendor/netmgrd.te | 3 ++- sepolicy/vendor/property.te | 2 ++ sepolicy/vendor/property_contexts | 3 --- sepolicy/vendor/ssgtzd.te | 1 + sepolicy/vendor/system_app.te | 2 ++ sepolicy/vendor/system_server.te | 1 + sepolicy/vendor/thermal-engine.te | 3 ++- sepolicy/vendor/vendor_init.te | 2 ++ sepolicy/vendor/wcnss_service.te | 6 ++++-- 31 files changed, 53 insertions(+), 14 deletions(-) create mode 100644 sepolicy/vendor/adsprpcd.te create mode 100644 sepolicy/vendor/bluetooth.te create mode 100644 sepolicy/vendor/cameraserver.te create mode 100644 sepolicy/vendor/cdsprpcd.te create mode 100644 sepolicy/vendor/cnd.te delete mode 100644 sepolicy/vendor/ftrace.te create mode 100644 sepolicy/vendor/hal_bootctrl_default.te create mode 100644 sepolicy/vendor/hal_neuralnetworks_default.te create mode 100644 sepolicy/vendor/hal_wifi_hostapd_default.te create mode 100644 sepolicy/vendor/hvdcp.te create mode 100644 sepolicy/vendor/mediaprovider.te create mode 100644 sepolicy/vendor/mutalex.te create mode 100644 sepolicy/vendor/ssgtzd.te diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te index c9f1b37e..cec1ec5a 100644 --- a/sepolicy/private/system_app.te +++ b/sepolicy/private/system_app.te @@ -1 +1,2 @@ hal_client_domain(system_app, hal_mlipay) +binder_call(system_app, storaged) diff --git a/sepolicy/private/system_suspend.te b/sepolicy/private/system_suspend.te index 46814df4..21ff8c68 100644 --- a/sepolicy/private/system_suspend.te +++ b/sepolicy/private/system_suspend.te @@ -1,2 +1,3 @@ # To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks. allow system_suspend sysfs_type:dir r_dir_perms; +dontaudit system_suspend sysfs:file r_file_perms; diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te new file mode 100644 index 00000000..b0693316 --- /dev/null +++ b/sepolicy/vendor/adsprpcd.te @@ -0,0 +1 @@ +r_dir_file(adsprpcd, public_adsprpcd_file) diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te new file mode 100644 index 00000000..97299bea --- /dev/null +++ b/sepolicy/vendor/bluetooth.te @@ -0,0 +1 @@ +get_prop(bluetooth, vendor_bluetooth_prop) diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te new file mode 100644 index 00000000..567844df --- /dev/null +++ b/sepolicy/vendor/cameraserver.te @@ -0,0 +1,3 @@ +binder_call(cameraserver, mediacodec); +get_prop(cameraserver, vendor_persist_camera_prop) +get_prop(cameraserver, vendor_video_prop) diff --git a/sepolicy/vendor/cdsprpcd.te b/sepolicy/vendor/cdsprpcd.te new file mode 100644 index 00000000..8bdb3f4b --- /dev/null +++ b/sepolicy/vendor/cdsprpcd.te @@ -0,0 +1,2 @@ +r_dir_file(cdsprpcd, public_adsprpcd_file) +allow cdsprpcd xdsp_device:chr_file r_file_perms; diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te new file mode 100644 index 00000000..88c581dc --- /dev/null +++ b/sepolicy/vendor/cnd.te @@ -0,0 +1 @@ +add_hwservice(cnd, vendor_hal_slmadapter_hwservice) diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te index 9bdfbccc..9cbc9390 100644 --- a/sepolicy/vendor/file.te +++ b/sepolicy/vendor/file.te @@ -9,6 +9,9 @@ type sysfs_fpsinfo, sysfs_type, fs_type; type sysfs_headphonegain, sysfs_type, fs_type; type sysfs_micgain, sysfs_type, fs_type; +# HVDCP +type vendor_sysfs_hvdcp, fs_type, sysfs_type; + # Kcal type kcal_dev, sysfs_type, fs_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 66a85850..1c7e5e3e 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -25,8 +25,9 @@ /dev/goodix_fp u:object_r:fingerprint_device:s0 # Firmware -/firmware u:object_r:firmware_file:s0 -/bt_firmware u:object_r:bt_firmware_file:s0 +/firmware(/.*)? u:object_r:firmware_file:s0 +/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0 +/persist(/.*)? u:object_r:persist_file:s0 # Hexagon DSP-side executable needed for Halide operation # This is labeled as public_adsprpcd_file as it needs to be read by apps @@ -56,7 +57,6 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0 # Root files -/persist(/.*)? u:object_r:mnt_vendor_file:s0 /proc/sys/fs/protected_regular u:object_r:proc:s0 # Service HALs diff --git a/sepolicy/vendor/ftrace.te b/sepolicy/vendor/ftrace.te deleted file mode 100644 index 3b224998..00000000 --- a/sepolicy/vendor/ftrace.te +++ /dev/null @@ -1,2 +0,0 @@ -dontaudit hal_atrace_default debugfs_tracing_debug:file write; -dontaudit traced_probes debugfs_tracing_debug:file read; diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index 1f131b37..7cfce5a8 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -63,8 +63,6 @@ genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.q genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:anlg-cdc@f000/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/wakeup u:object_r:sysfs_wakeup:s0 -genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,usb-pdphy@1700/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qpnp,fg/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/diag/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/misc/msm_aac/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te index 545ce2b7..2bdd2407 100644 --- a/sepolicy/vendor/hal_audio_default.te +++ b/sepolicy/vendor/hal_audio_default.te @@ -1,4 +1,5 @@ allow hal_audio_default audio_socket:sock_file rw_file_perms; +allow hal_audio_default mnt_vendor_file:dir search; allow hal_audio_default sysfs:dir r_dir_perms; get_prop(hal_audio_default, dirac_prop) diff --git a/sepolicy/vendor/hal_bootctrl_default.te b/sepolicy/vendor/hal_bootctrl_default.te new file mode 100644 index 00000000..e30e07da --- /dev/null +++ b/sepolicy/vendor/hal_bootctrl_default.te @@ -0,0 +1 @@ +allow hal_bootctl_default sysfs_dt_firmware_android:dir r_dir_perms; diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te index 4c92ef79..c66be0f7 100644 --- a/sepolicy/vendor/hal_camera_default.te +++ b/sepolicy/vendor/hal_camera_default.te @@ -1,5 +1,6 @@ hal_client_domain(hal_camera_default, hal_configstore) hal_client_domain(hal_camera_default, hal_graphics_allocator) +get_prop(hal_camera_default, vendor_camera_prop) get_prop(hal_camera_default, vendor_video_prop) allow hal_camera_default sysfs_kgsl:file r_file_perms; diff --git a/sepolicy/vendor/hal_neuralnetworks_default.te b/sepolicy/vendor/hal_neuralnetworks_default.te new file mode 100644 index 00000000..d6e9d482 --- /dev/null +++ b/sepolicy/vendor/hal_neuralnetworks_default.te @@ -0,0 +1 @@ +r_dir_file(hal_neuralnetworks_default, public_adsprpcd_file) diff --git a/sepolicy/vendor/hal_wifi_hostapd_default.te b/sepolicy/vendor/hal_wifi_hostapd_default.te new file mode 100644 index 00000000..498cd54f --- /dev/null +++ b/sepolicy/vendor/hal_wifi_hostapd_default.te @@ -0,0 +1 @@ +allow hal_wifi_hostapd_default wifi_vendor_data_file:dir write; diff --git a/sepolicy/vendor/hvdcp.te b/sepolicy/vendor/hvdcp.te new file mode 100644 index 00000000..a042f64e --- /dev/null +++ b/sepolicy/vendor/hvdcp.te @@ -0,0 +1 @@ +allow hvdcp vendor_sysfs_hvdcp:file r_file_perms; diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te index 158b6cc8..b166f141 100644 --- a/sepolicy/vendor/hwservice.te +++ b/sepolicy/vendor/hwservice.te @@ -1 +1,2 @@ type hal_mlipay_hwservice, hwservice_manager_type; +type vendor_hal_slmadapter_hwservice, hwservice_manager_type, protected_hwservice; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts index 6ffb1fcd..7c285f1b 100644 --- a/sepolicy/vendor/hwservice_contexts +++ b/sepolicy/vendor/hwservice_contexts @@ -1,7 +1,9 @@ +android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0 com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0 vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 +vendor.qti.hardware.slmadapter::ISlmAdapter u:object_r:vendor_hal_slmadapter_hwservice:s0 vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0 diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te index b5213773..bfd5aa19 100644 --- a/sepolicy/vendor/init.te +++ b/sepolicy/vendor/init.te @@ -3,3 +3,8 @@ allow init socket_device:sock_file { unlink setattr create }; allow init sysfs_graphics:file { read open }; allow init sysfs_battery_supply:file setattr; allow init vendor_default_prop:property_service set; + +allow init { + bt_firmware_file + firmware_file +}:filesystem getattr; diff --git a/sepolicy/vendor/mediaprovider.te b/sepolicy/vendor/mediaprovider.te new file mode 100644 index 00000000..848822b2 --- /dev/null +++ b/sepolicy/vendor/mediaprovider.te @@ -0,0 +1 @@ +binder_call(mediaprovider, gpuservice) diff --git a/sepolicy/vendor/mutalex.te b/sepolicy/vendor/mutalex.te new file mode 100644 index 00000000..a94a03a5 --- /dev/null +++ b/sepolicy/vendor/mutalex.te @@ -0,0 +1,6 @@ +type vendor_mutualex, domain; +type vendor_mutualex_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(vendor_mutualex) + +allow vendor_mutualex self:socket create_socket_perms_no_ioctl; diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te index efe48539..c8b13109 100644 --- a/sepolicy/vendor/netmgrd.te +++ b/sepolicy/vendor/netmgrd.te @@ -1,2 +1,3 @@ -set_prop(netmgrd, vendor_radio_prop) set_prop(netmgrd, vendor_data_ko_prop) +set_prop(netmgrd, vendor_data_qmipriod_prop) +set_prop(netmgrd, vendor_radio_prop) diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index f0e33d76..88bbecba 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -1,6 +1,8 @@ type hal_fingerprint_prop, property_type; type mlipay_prop, property_type; +vendor_restricted_prop(vendor_camera_prop); + # Dirac type dirac_prop, property_type; diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts index ebf0e0a9..b5e88296 100644 --- a/sepolicy/vendor/property_contexts +++ b/sepolicy/vendor/property_contexts @@ -51,9 +51,6 @@ vendor.powerhal.dalvik. u:object_r:vendor_power_prop:s0 # RIL ro.build.software.version u:object_r:exported_radio_prop:s0 ro.product.mod_device u:object_r:exported_radio_prop:s0 -persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0 -persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0 -persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0 # Thermal engine vendor.thermal.config u:object_r:vendor_thermal_prop:s0 diff --git a/sepolicy/vendor/ssgtzd.te b/sepolicy/vendor/ssgtzd.te new file mode 100644 index 00000000..15838969 --- /dev/null +++ b/sepolicy/vendor/ssgtzd.te @@ -0,0 +1 @@ +allow ssgtzd self:socket create_socket_perms_no_ioctl; diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 97d57d5d..4ab0bdfa 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -10,5 +10,7 @@ allow system_app sysfs_fpsinfo:file rw_file_perms; allow system_app sysfs_headphonegain:file rw_file_perms; allow system_app sysfs_micgain:file rw_file_perms; allow system_app sysfs_zram:dir search; +allow system_app sysfs_zram:file r_file_perms; +get_prop(system_app, system_prop); set_prop(system_app, system_prop); diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index 0532e079..23eef0e9 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te @@ -1,5 +1,6 @@ get_prop(system_server, userspace_reboot_exported_prop) +allow system_server app_zygote:process getpgid; allow system_server blkio_dev:dir search; allow system_server sysfs_battery_supply:file rw_file_perms; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index 734e865e..ca721efe 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -2,7 +2,8 @@ allow thermal-engine thermal_data_file:dir rw_dir_perms; allow thermal-engine thermal_data_file:file create_file_perms; allow thermal-engine sysfs:dir r_dir_perms; allow thermal-engine self:capability { chown fowner }; -dontaudit thermal-engine self:capability dac_override; set_prop(thermal-engine, vendor_thermal_prop); r_dir_file(thermal-engine, sysfs_thermal) + +dontaudit thermal-engine self:capability dac_override; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te index ed7a88dd..3062345f 100644 --- a/sepolicy/vendor/vendor_init.te +++ b/sepolicy/vendor/vendor_init.te @@ -5,6 +5,8 @@ allow vendor_init { tombstone_data_file }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; +allow vendor_init tee_device:chr_file getattr; + set_prop(vendor_init, camera_prop) set_prop(vendor_init, vendor_freq_prop) set_prop(vendor_init, vendor_power_prop) diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te index a145ee9e..0bd36460 100644 --- a/sepolicy/vendor/wcnss_service.te +++ b/sepolicy/vendor/wcnss_service.te @@ -1,3 +1,5 @@ -allow wcnss_service sysfs:file { read open }; +allow wcnss_service kmsg_device:chr_file w_file_perms; +allow wcnss_service proc_net:file r_file_perms; +allow wcnss_service sysfs:file r_file_perms; allow wcnss_service sysfs_net:dir search; -allow wcnss_service vendor_shell_exec:file execute_no_trans; +allow wcnss_service vendor_shell_exec:file x_file_perms;