sdm660-common: sepolicy: Update sepolicy for 4.19

sepolicy/private/system_app.te

@@ -1 +1,2 @@
 hal_client_domain(system_app, hal_mlipay)
+binder_call(system_app, storaged)

sepolicy/private/system_suspend.te

@@ -1,2 +1,3 @@
 # To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
 allow system_suspend sysfs_type:dir r_dir_perms;
+dontaudit system_suspend sysfs:file r_file_perms;

sepolicy/vendor/adsprpcd.te

@@ -0,0 +1 @@
+r_dir_file(adsprpcd, public_adsprpcd_file)

sepolicy/vendor/bluetooth.te

@@ -0,0 +1 @@
+get_prop(bluetooth, vendor_bluetooth_prop)

sepolicy/vendor/cameraserver.te

@@ -0,0 +1,3 @@
+binder_call(cameraserver, mediacodec);
+get_prop(cameraserver, vendor_persist_camera_prop)
+get_prop(cameraserver, vendor_video_prop)

sepolicy/vendor/cdsprpcd.te

@@ -0,0 +1,2 @@
+r_dir_file(cdsprpcd, public_adsprpcd_file)
+allow cdsprpcd xdsp_device:chr_file r_file_perms;

sepolicy/vendor/cnd.te

@@ -0,0 +1 @@
+add_hwservice(cnd, vendor_hal_slmadapter_hwservice)

sepolicy/vendor/file.te

@@ -9,6 +9,9 @@ type sysfs_fpsinfo, sysfs_type, fs_type;
 type sysfs_headphonegain, sysfs_type, fs_type;
 type sysfs_micgain, sysfs_type, fs_type;
 
+# HVDCP
+type vendor_sysfs_hvdcp, fs_type, sysfs_type;
+
 # Kcal
 type kcal_dev, sysfs_type, fs_type;
 

sepolicy/vendor/file_contexts

@@ -25,8 +25,9 @@
 /dev/goodix_fp                                                                                                              u:object_r:fingerprint_device:s0
 
 # Firmware
-/firmware                                                                                                                   u:object_r:firmware_file:s0
+/firmware(/.*)?                                                                                                             u:object_r:firmware_file:s0
-/bt_firmware                                                                                                                u:object_r:bt_firmware_file:s0
+/bt_firmware(/.*)?                                                                                                          u:object_r:bt_firmware_file:s0
+/persist(/.*)?                                                                                                              u:object_r:persist_file:s0
 
 # Hexagon DSP-side executable needed for Halide operation
 # This is labeled as public_adsprpcd_file as it needs to be read by apps
@@ -56,7 +57,6 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock                                           u:object_r:hal_power_stats_default_exec:s0
 
 # Root files
-/persist(/.*)?                                                                                                              u:object_r:mnt_vendor_file:s0
 /proc/sys/fs/protected_regular                                                                                              u:object_r:proc:s0
 
 # Service HALs

sepolicy/vendor/ftrace.te

@@ -1,2 +0,0 @@
-dontaudit hal_atrace_default debugfs_tracing_debug:file write;
-dontaudit traced_probes debugfs_tracing_debug:file read;

sepolicy/vendor/genfs_contexts

@@ -63,8 +63,6 @@ genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.q
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:anlg-cdc@f000/wakeup                          u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/wakeup                          u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,power-on@800/wakeup                       u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/wakeup                          u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,usb-pdphy@1700/wakeup                     u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qpnp,fg/wakeup                                 u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/virtual/diag/wakeup                                                                                                          u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/virtual/misc/msm_aac/wakeup                                                                                                  u:object_r:sysfs_wakeup:s0

sepolicy/vendor/hal_audio_default.te

@@ -1,4 +1,5 @@
 allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default mnt_vendor_file:dir search;
 allow hal_audio_default sysfs:dir r_dir_perms;
 
 get_prop(hal_audio_default, dirac_prop)

sepolicy/vendor/hal_bootctrl_default.te

@@ -0,0 +1 @@
+allow hal_bootctl_default sysfs_dt_firmware_android:dir r_dir_perms;

sepolicy/vendor/hal_camera_default.te

@@ -1,5 +1,6 @@
 hal_client_domain(hal_camera_default, hal_configstore)
 hal_client_domain(hal_camera_default, hal_graphics_allocator)
+get_prop(hal_camera_default, vendor_camera_prop)
 get_prop(hal_camera_default, vendor_video_prop)
 
 allow hal_camera_default sysfs_kgsl:file r_file_perms;

sepolicy/vendor/hal_neuralnetworks_default.te

@@ -0,0 +1 @@
+r_dir_file(hal_neuralnetworks_default, public_adsprpcd_file)

sepolicy/vendor/hal_wifi_hostapd_default.te

@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default wifi_vendor_data_file:dir write;

sepolicy/vendor/hvdcp.te

@@ -0,0 +1 @@
+allow hvdcp vendor_sysfs_hvdcp:file r_file_perms;

sepolicy/vendor/hwservice.te

@@ -1 +1,2 @@
 type hal_mlipay_hwservice, hwservice_manager_type;
+type vendor_hal_slmadapter_hwservice, hwservice_manager_type, protected_hwservice;

sepolicy/vendor/hwservice_contexts

@@ -1,7 +1,9 @@
+android.hardware.memtrack::IMemtrack                                    u:object_r:hal_memtrack_hwservice:s0
 com.fingerprints.extension::IFingerprintCalibration                     u:object_r:hal_fingerprint_hwservice:s0
 com.fingerprints.extension::IFingerprintEngineering                     u:object_r:hal_fingerprint_hwservice:s0
 com.fingerprints.extension::IFingerprintNavigation                      u:object_r:hal_fingerprint_hwservice:s0
 com.fingerprints.extension::IFingerprintSenseTouch                      u:object_r:hal_fingerprint_hwservice:s0
 com.fingerprints.extension::IFingerprintSensorTest                      u:object_r:hal_fingerprint_hwservice:s0
 vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint        u:object_r:hal_fingerprint_hwservice:s0
+vendor.qti.hardware.slmadapter::ISlmAdapter                             u:object_r:vendor_hal_slmadapter_hwservice:s0
 vendor.xiaomi.hardware.mlipay::IMlipayService                           u:object_r:hal_mlipay_hwservice:s0

sepolicy/vendor/init.te

@@ -3,3 +3,8 @@ allow init socket_device:sock_file { unlink setattr create };
 allow init sysfs_graphics:file { read open };
 allow init sysfs_battery_supply:file setattr;
 allow init vendor_default_prop:property_service set;
+
+allow init {
+    bt_firmware_file
+    firmware_file
+}:filesystem getattr;

sepolicy/vendor/mediaprovider.te

@@ -0,0 +1 @@
+binder_call(mediaprovider, gpuservice)

sepolicy/vendor/mutalex.te

@@ -0,0 +1,6 @@
+type vendor_mutualex, domain;
+type vendor_mutualex_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_mutualex)
+
+allow vendor_mutualex self:socket create_socket_perms_no_ioctl;

sepolicy/vendor/netmgrd.te

@@ -1,2 +1,3 @@
-set_prop(netmgrd, vendor_radio_prop)
 set_prop(netmgrd, vendor_data_ko_prop)
+set_prop(netmgrd, vendor_data_qmipriod_prop)
+set_prop(netmgrd, vendor_radio_prop)

sepolicy/vendor/property.te

@@ -1,6 +1,8 @@
 type hal_fingerprint_prop, property_type;
 type mlipay_prop, property_type;
 
+vendor_restricted_prop(vendor_camera_prop);
+
 # Dirac
 type dirac_prop, property_type;
 

sepolicy/vendor/property_contexts

@@ -51,9 +51,6 @@ vendor.powerhal.dalvik.                 u:object_r:vendor_power_prop:s0
 # RIL
 ro.build.software.version               u:object_r:exported_radio_prop:s0
 ro.product.mod_device                   u:object_r:exported_radio_prop:s0
-persist.vendor.data.offload_ko_load     u:object_r:vendor_radio_prop:s0
-persist.vendor.data.shsusr_load         u:object_r:vendor_radio_prop:s0
-persist.vendor.data.qmipriod_load       u:object_r:vendor_radio_prop:s0
 
 # Thermal engine
 vendor.thermal.config                   u:object_r:vendor_thermal_prop:s0

sepolicy/vendor/ssgtzd.te

@@ -0,0 +1 @@
+allow ssgtzd self:socket create_socket_perms_no_ioctl;

sepolicy/vendor/system_app.te

@@ -10,5 +10,7 @@ allow system_app sysfs_fpsinfo:file rw_file_perms;
 allow system_app sysfs_headphonegain:file rw_file_perms;
 allow system_app sysfs_micgain:file rw_file_perms;
 allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file r_file_perms;
 
+get_prop(system_app, system_prop);
 set_prop(system_app, system_prop);

sepolicy/vendor/system_server.te

@@ -1,5 +1,6 @@
 get_prop(system_server, userspace_reboot_exported_prop)
 
+allow system_server app_zygote:process getpgid;
 allow system_server blkio_dev:dir search;
 allow system_server sysfs_battery_supply:file rw_file_perms;
 

sepolicy/vendor/thermal-engine.te

@@ -2,7 +2,8 @@ allow thermal-engine thermal_data_file:dir rw_dir_perms;
 allow thermal-engine thermal_data_file:file create_file_perms;
 allow thermal-engine sysfs:dir r_dir_perms;
 allow thermal-engine self:capability { chown fowner };
-dontaudit thermal-engine self:capability dac_override;
 
 set_prop(thermal-engine, vendor_thermal_prop);
 r_dir_file(thermal-engine, sysfs_thermal)
+
+dontaudit thermal-engine self:capability dac_override;

sepolicy/vendor/vendor_init.te

@@ -5,6 +5,8 @@ allow vendor_init {
   tombstone_data_file
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
+allow vendor_init tee_device:chr_file getattr;
+
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, vendor_freq_prop)
 set_prop(vendor_init, vendor_power_prop)

sepolicy/vendor/wcnss_service.te

@@ -1,3 +1,5 @@
-allow wcnss_service sysfs:file { read open };
+allow wcnss_service kmsg_device:chr_file w_file_perms;
+allow wcnss_service proc_net:file r_file_perms;
+allow wcnss_service sysfs:file r_file_perms;
 allow wcnss_service sysfs_net:dir search;
-allow wcnss_service vendor_shell_exec:file execute_no_trans;
+allow wcnss_service vendor_shell_exec:file x_file_perms;