diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index 688aaf5d..a26cd206 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -222,7 +222,6 @@ PROTOBUF_SUPPORTED := true # SELinux include device/qcom/sepolicy-legacy-um/SEPolicy.mk -SELINUX_IGNORE_NEVERALLOWS := true BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private diff --git a/sepolicy/private/app.te b/sepolicy/private/app.te deleted file mode 100644 index 760b53e1..00000000 --- a/sepolicy/private/app.te +++ /dev/null @@ -1,2 +0,0 @@ -# Allow appdomain to get persist_camera_prop -get_prop(appdomain, vendor_persist_camera_prop) diff --git a/sepolicy/private/dnsmasq.te b/sepolicy/private/dnsmasq.te deleted file mode 100644 index cc70e2ab..00000000 --- a/sepolicy/private/dnsmasq.te +++ /dev/null @@ -1 +0,0 @@ -allow dnsmasq netd:unix_stream_socket { getattr }; diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts index de000cfc..d2179507 100644 --- a/sepolicy/private/file_contexts +++ b/sepolicy/private/file_contexts @@ -1,11 +1,5 @@ -# Apex Metadata -/data/apex/sessions(/.*)? u:object_r:apex_metadata_file:s0 -/data/apex/active(/.*)? u:object_r:apex_metadata_file:s0 -/data/apex/backup(/.*)? u:object_r:apex_metadata_file:s0 -/data/apex/hashtree(/.*)? u:object_r:apex_metadata_file:s0 - # Executables -/system/bin/chargeonlymode u:object_r:charger_exec:s0 +/system/bin/chargeonlymode u:object_r:charger_exec:s0 # OTA packages -/data/awaken_updates(/.*)? u:object_r:ota_package_file:s0 +/data/awaken_updates(/.*)? u:object_r:ota_package_file:s0 diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts deleted file mode 100644 index 1c538ba3..00000000 --- a/sepolicy/private/property_contexts +++ /dev/null @@ -1 +0,0 @@ -sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0 diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te deleted file mode 100644 index 93586398..00000000 --- a/sepolicy/private/vendor_init.te +++ /dev/null @@ -1,2 +0,0 @@ -# Allow vendor_init to set persist_camera_prop -set_prop(vendor_init, vendor_persist_camera_prop) diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes index f05c4111..1a0c38aa 100644 --- a/sepolicy/public/attributes +++ b/sepolicy/public/attributes @@ -1,2 +1 @@ -# HALs -hal_attribute(mlipay) +hal_attribute_lineage(mlipay) diff --git a/sepolicy/vendor/apexd.te b/sepolicy/vendor/apexd.te deleted file mode 100644 index 7e3fde6d..00000000 --- a/sepolicy/vendor/apexd.te +++ /dev/null @@ -1 +0,0 @@ -allow apexd apex_metadata_file:lnk_file r_file_perms; diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te index e0c3d8a9..971d3fa7 100644 --- a/sepolicy/vendor/app.te +++ b/sepolicy/vendor/app.te @@ -1,7 +1,5 @@ -# Allow appdomain to get vendor_camera_prop -binder_call({ appdomain -isolated_app }, hal_mlipay_default) -get_prop(appdomain, vendor_camera_prop) -get_prop({ appdomain -isolated_app }, mlipay_prop) get_prop({ appdomain -isolated_app }, hal_fingerprint_prop) -get_prop({ appdomain -isolated_app }, ifaa_prop) -get_prop({ appdomain -isolated_app }, vendor_fp_prop) +get_prop({ appdomain -isolated_app }, mlipay_prop) + +allow { appdomain -isolated_app } adsprpcd_file:dir r_dir_perms; +allow { appdomain -isolated_app } public_adsprpcd_file:file r_file_perms; diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te index 62417158..9bdfbccc 100644 --- a/sepolicy/vendor/file.te +++ b/sepolicy/vendor/file.te @@ -1,26 +1,16 @@ -type fingerprint_data_file, file_type, data_file_type, core_data_file_type; -type fingerprint_sysfs, fs_type, sysfs_type; type ir_dev_file, file_type; -type sysfs_info, fs_type, sysfs_type; +type public_adsprpcd_file, file_type; +type sysfs_fingerprint, fs_type, sysfs_type; +type sysfs_touchpanel, fs_type, sysfs_type; type thermal_data_file, file_type, data_file_type; -# Fingerprint -type fingerprintd_device, file_type, dev_type; -type persist_fingerprint_file, file_type; -type sysfs_fingerprint, sysfs_type, fs_type; +# DeviceSettings +type sysfs_fpsinfo, sysfs_type, fs_type; +type sysfs_headphonegain, sysfs_type, fs_type; +type sysfs_micgain, sysfs_type, fs_type; # Kcal type kcal_dev, sysfs_type, fs_type; # Sockets type audio_socket, file_type; - -# Touchscreen wake_gesture -type proc_dt2w, fs_type, proc_type; -type sysfs_tap_to_wake, sysfs_type, fs_type; -type sysfs_touchpanel, fs_type, sysfs_type; - -# XiamiParts -type sysfs_fpsinfo, sysfs_type, fs_type; -type sysfs_headphonegain, sysfs_type, fs_type; -type sysfs_micgain, sysfs_type, fs_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index ab6e678d..00b9c54f 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -4,35 +4,34 @@ # Biometric /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0 +# Biometric +/data/misc/camera u:object_r:camera_data_file:s0 + # blkio /dev/blkio(/.*)? u:object_r:blkio_dev:s0 /dev/blkio/background(/.*)? u:object_r:blkio_dev:s0 +# Debug +/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0 + +# Executables +/vendor/bin/sh u:object_r:vendor_shell_exec:s0 + +# Fingerprint +/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0 +/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/dev/goodix_fp u:object_r:fingerprint_device:s0 + # Firmware /firmware u:object_r:firmware_file:s0 /bt_firmware u:object_r:bt_firmware_file:s0 -# FPC Fingerprint -/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0 -/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0 -/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0 -/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0 - -# Goodix Fingerprint -/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0 -/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0 -/persist/data/gf* u:object_r:fingerprint_data_file:s0 -/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0 -/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0 -/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0 -/dev/goodix_fp u:object_r:fingerprint_device:s0 - -# HVDCP -/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0 - -# HW Info -/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0 -/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0 +# Hexagon DSP-side executable needed for Halide operation +# This is labeled as public_adsprpcd_file as it needs to be read by apps +# (e.g. Google Camera App) +/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0 # IR /dev/lirc0 u:object_r:spidev_device:s0 @@ -52,21 +51,13 @@ /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0 /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0 - -# Misc -/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0 - -# Persist -/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0 -/persist u:object_r:mnt_vendor_file:s0 - # Power /(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0 -# Shell Script -/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0 -/vendor/bin/sh u:object_r:vendor_shell_exec:s0 +# Root files +/persist(/.*)? u:object_r:mnt_vendor_file:s0 +/proc/sys/fs/protected_regular u:object_r:proc:s0 # Service HALs /(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0 @@ -74,15 +65,6 @@ # Sockets /dev/socket/audio_hw_socket u:object_r:audio_socket:s0 -# Tap to Wake -/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0 -/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0 -/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0 -/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0 -/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0 -/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0 -/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0 - # Thermal /data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0 diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te deleted file mode 100644 index 53da22d8..00000000 --- a/sepolicy/vendor/fsck.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit fsck self:capability { dac_override dac_read_search }; diff --git a/sepolicy/vendor/ftrace.te b/sepolicy/vendor/ftrace.te new file mode 100644 index 00000000..3b224998 --- /dev/null +++ b/sepolicy/vendor/ftrace.te @@ -0,0 +1,2 @@ +dontaudit hal_atrace_default debugfs_tracing_debug:file write; +dontaudit traced_probes debugfs_tracing_debug:file read; diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index 0f3bdbf3..15045837 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -1,45 +1,44 @@ # Battery -genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0 +genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0 # Camera -genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0 -genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0 - -# Fingerprint -genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fpc1020/irq u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:fingerprint_sysfs:s0 -genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:fingerprint_sysfs:s0 - -# Graphics -genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/virtual/graphics/fb2 u:object_r:sysfs_graphics:s0 - -# LED -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0 -genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0 - -# Power -genfscon sysfs /devices/soc/soc:qcom,gpubw u:object_r:sysfs_devfreq:s0 -genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_devfreq:s0 -genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_devfreq:s0 -genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0 u:object_r:sysfs_devfreq:s0 -genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_devfreq:s0 - -# Touchscreen -genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0 -genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0 +genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0 +genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0 # DeviceSettings -genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0 -genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0 -genfscon sysfs /kernel/sound_control/headphone_gain u:object_r:sysfs_headphonegain:s0 -genfscon sysfs /kernel/sound_control/mic_gain u:object_r:sysfs_micgain:s0 +genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0 +genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0 +genfscon sysfs /kernel/sound_control/headphone_gain u:object_r:sysfs_headphonegain:s0 +genfscon sysfs /kernel/sound_control/mic_gain u:object_r:sysfs_micgain:s0 + +# Fingerprint +genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0 +genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0 + +# Graphics +genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/virtual/graphics/fb2 u:object_r:sysfs_graphics:s0 + +# LED +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0 + +# Power +genfscon sysfs /devices/soc/soc:qcom,gpubw u:object_r:sysfs_devfreq:s0 +genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_devfreq:s0 +genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_devfreq:s0 +genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0 u:object_r:sysfs_devfreq:s0 +genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_devfreq:s0 + +# Touchpanel +genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0 diff --git a/sepolicy/vendor/gmscore_app.te b/sepolicy/vendor/gmscore_app.te index 898b2f13..b2b7f71b 100644 --- a/sepolicy/vendor/gmscore_app.te +++ b/sepolicy/vendor/gmscore_app.te @@ -1,3 +1,2 @@ -allow gmscore_app blkio_dev:dir search; -allow gmscore_app bt_firmware_file:filesystem getattr; -allow gmscore_app firmware_file:filesystem getattr; +binder_call(gmscore_app, hal_memtrack_default); +dontaudit gmscore_app { bt_firmware_file firmware_file }:filesystem getattr; diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te index be7612da..545ce2b7 100644 --- a/sepolicy/vendor/hal_audio_default.te +++ b/sepolicy/vendor/hal_audio_default.te @@ -1,9 +1,5 @@ allow hal_audio_default audio_socket:sock_file rw_file_perms; -allow hal_audio_default diag_device:chr_file { read write }; allow hal_audio_default sysfs:dir r_dir_perms; -allow hal_audio_default sysfs_info:file { open getattr read }; -allow hal_audio_default vendor_data_file:dir { create write add_name }; -allow hal_audio_default vendor_data_file:file { append create getattr open read }; get_prop(hal_audio_default, dirac_prop) set_prop(hal_audio_default, dirac_prop) diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te index 50cc54a2..4c92ef79 100644 --- a/sepolicy/vendor/hal_camera_default.te +++ b/sepolicy/vendor/hal_camera_default.te @@ -1,17 +1,5 @@ -allow hal_camera_default camera_data_file:dir w_dir_perms; -allow hal_camera_default camera_data_file:file create_file_perms; -allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager find; -allow hal_camera_default media_rw_data_file:file { getattr }; -allow hal_camera_default sysfs:file { getattr open read }; -allow hal_camera_default sysfs_kgsl:dir search; -allow hal_camera_default sysfs_kgsl:file r_file_perms; -allow hal_camera_default vendor_video_prop:file r_file_perms; -allow hal_camera_default vendor_default_prop:property_service set; - hal_client_domain(hal_camera_default, hal_configstore) -binder_call(hal_camera_default, hal_graphics_allocator_default) +hal_client_domain(hal_camera_default, hal_graphics_allocator) get_prop(hal_camera_default, vendor_video_prop) -set_prop(hal_camera_default, exported_camera_prop) -set_prop(hal_camera_default, vendor_camera_prop) -set_prop(hal_camera_default, vendor_video_prop) -typeattribute hal_camera_default data_between_core_and_vendor_violators; + +allow hal_camera_default sysfs_kgsl:file r_file_perms; diff --git a/sepolicy/vendor/hal_fingerprint_sdm660.te b/sepolicy/vendor/hal_fingerprint_sdm660.te index f75636b3..83d4bc8f 100644 --- a/sepolicy/vendor/hal_fingerprint_sdm660.te +++ b/sepolicy/vendor/hal_fingerprint_sdm660.te @@ -16,29 +16,11 @@ typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators; # access to /data/system/users/[0-9]+/fpdata allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms; allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms; -allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms; -allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms; -allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms; -allow hal_fingerprint_sdm660 fingerprint_sysfs:lnk_file read; -allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read }; allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find; -allow hal_fingerprint_sdm660 media_rw_data_file:dir search; -allow hal_fingerprint_sdm660 mnt_user_file:dir search; -allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms; -allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms; -allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms; -allow hal_fingerprint_sdm660 rootfs:dir read; allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl; -allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms; -allow hal_fingerprint_sdm660 system_data_file:file r_file_perms; +allow hal_fingerprint_sdm660 sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint_sdm660 sysfs_devfreq:dir search; -allow hal_fingerprint_sdm660 sysfs_sectouch:dir search; -allow hal_fingerprint_sdm660 sdcardfs:dir search; -allow hal_fingerprint_sdm660 storage_file:dir search; -allow hal_fingerprint_sdm660 storage_file:lnk_file read; -allow hal_fingerprint_sdm660 vendor_mpctl_prop:file read; -allow hal_fingerprint_sdm660 vendor_fp_prop:property_service set; -allow hal_fingerprint_sdm660 vendor_fp_prop:file { getattr open read }; +allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms; binder_call(hal_fingerprint_sdm660, hal_perf_default) r_dir_file(hal_fingerprint_sdm660, firmware_file) diff --git a/sepolicy/vendor/hal_imsrtp.te b/sepolicy/vendor/hal_imsrtp.te deleted file mode 100644 index e130c8d3..00000000 --- a/sepolicy/vendor/hal_imsrtp.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(hal_imsrtp, radio) diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay.te similarity index 56% rename from sepolicy/vendor/hal_mlipay_default.te rename to sepolicy/vendor/hal_mlipay.te index 94f632ff..18d04133 100644 --- a/sepolicy/vendor/hal_mlipay_default.te +++ b/sepolicy/vendor/hal_mlipay.te @@ -1,13 +1,20 @@ type hal_mlipay_default, domain; -type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type; +hal_server_domain(hal_mlipay_default, hal_mlipay) -add_hwservice(hal_mlipay_default, hal_mlipay_hwservice) -get_prop(hal_mlipay_default, hwservicemanager_prop) +type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type; init_daemon_domain(hal_mlipay_default) -hwbinder_use(hal_mlipay_default) -r_dir_file(hal_mlipay_default, firmware_file) -get_prop(hal_mlipay_default, hal_fingerprint_prop); -set_prop(hal_mlipay_default, mlipay_prop); + +# Allow hwbinder call from hal client to server +binder_call(hal_mlipay_client, hal_mlipay_server) + +# Add hwservice related rules +add_hwservice(hal_mlipay_server, hal_mlipay_hwservice) +allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find; allow hal_mlipay_default tee_device:chr_file rw_file_perms; allow hal_mlipay_default ion_device:chr_file r_file_perms; + +r_dir_file(hal_mlipay_default, firmware_file) +set_prop(hal_mlipay_default, mlipay_prop); + +get_prop(hal_mlipay_default, hal_fingerprint_prop); diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te index 5beefe3e..283c917d 100644 --- a/sepolicy/vendor/hal_power_default.te +++ b/sepolicy/vendor/hal_power_default.te @@ -1,25 +1,10 @@ -# Allow writing to files in /proc/tp_gesture -allow hal_power_default proc:file rw_file_perms; -allow hal_power_default proc:dir search; -allow hal_power_default proc_dt2w:file rw_file_perms; - -allow hal_power_default sysfs_touchpanel:file rw_file_perms; -allow hal_power_default sysfs_touchpanel:dir search; -allow hal_power_default sysfs_tap_to_wake:file rw_file_perms; - -r_dir_file(hal_power_default, sysfs_graphics) - +allow hal_power_default cgroup:file read; allow hal_power_default device_latency:chr_file rw_file_perms; allow hal_power_default { sysfs_devfreq sysfs_kgsl }:dir search; allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_perms; allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; -allow hal_power_default sysfs:file { read open getattr }; +allow hal_power_default sysfs_touchpanel:dir search; +allow hal_power_default sysfs_touchpanel:file rw_file_perms; -allow hal_power_default proc:file { write }; r_dir_file(hal_power_default, sysfs_graphics) - -# To dump -allow hal_power_default cgroup:file read; - set_prop(hal_power_default, vendor_power_prop) - diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te new file mode 100644 index 00000000..b454d201 --- /dev/null +++ b/sepolicy/vendor/hal_power_stats_default.te @@ -0,0 +1 @@ +allow hal_power_stats_default sysfs:dir read; diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te index 2e0e5156..7227d204 100644 --- a/sepolicy/vendor/hal_sensors_default.te +++ b/sepolicy/vendor/hal_sensors_default.te @@ -1,7 +1,4 @@ -allow hal_sensors_default diag_device:chr_file { read write }; -allow hal_sensors_default sysfs:file { read open }; -allow hal_sensors_default sysfs_info:file { read write }; -set_prop(hal_sensors_default, camera_prop) - allow hal_sensors_default audio_socket:sock_file rw_file_perms; + unix_socket_connect(hal_sensors_default, audio, hal_audio_default) +set_prop(hal_sensors_default, camera_prop) diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te new file mode 100644 index 00000000..1d9b65c9 --- /dev/null +++ b/sepolicy/vendor/hal_wifi_default.te @@ -0,0 +1,3 @@ +allow hal_wifi_default exported_wifi_prop:property_service set; +allow hal_wifi_default proc_net:file write; +allow hal_wifi_default self:capability sys_module; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts index f8c69de4..6ffb1fcd 100644 --- a/sepolicy/vendor/hwservice_contexts +++ b/sepolicy/vendor/hwservice_contexts @@ -1,11 +1,7 @@ -com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0 -com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0 -com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0 -com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0 +com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0 com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0 vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 -vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0 vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0 diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te deleted file mode 100644 index 23178ef3..00000000 --- a/sepolicy/vendor/ims.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit ims diag_device:chr_file { read write }; diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te index d63739f2..b5213773 100644 --- a/sepolicy/vendor/init.te +++ b/sepolicy/vendor/init.te @@ -1,13 +1,5 @@ -allow init blkio_dev:file { create open read write }; -allow init hwservicemanager:binder { call transfer }; -allow init ipa_dev:chr_file open; -allow init ion_device:chr_file ioctl; -allow init property_socket:sock_file write; -allow init persist_block_device:lnk_file relabelto; -allow init sysfs_dm:file { open write }; -allow init sysfs_info:file { open read }; -allow init sysfs:file setattr; -allow init sysfs_graphics:file { open write }; -allow init sysfs_battery_supply:file setattr; +allow init adsprpcd_file:file mounton; allow init socket_device:sock_file { unlink setattr create }; +allow init sysfs_graphics:file { read open }; +allow init sysfs_battery_supply:file setattr; allow init vendor_default_prop:property_service set; diff --git a/sepolicy/vendor/init_fingerprint.te b/sepolicy/vendor/init_fingerprint.te deleted file mode 100644 index a5f01372..00000000 --- a/sepolicy/vendor/init_fingerprint.te +++ /dev/null @@ -1,16 +0,0 @@ -type init_fingerprint, domain; -type init_fingerprint_exec, exec_type, vendor_file_type, file_type; -typeattribute init_fingerprint data_between_core_and_vendor_violators; - -# Allow for transition from init domain to init_fingerprint -init_daemon_domain(init_fingerprint) - -# Shell script needs to execute /vendor/bin/sh -allow init_fingerprint vendor_shell_exec:file rx_file_perms; -allow init_fingerprint vendor_toolbox_exec:file rx_file_perms; - -# Allow to delete file -allow init_fingerprint mnt_vendor_file:dir search; -allow init_fingerprint persist_drm_file:dir { read search open write remove_name }; -allow init_fingerprint persist_drm_file:file { getattr unlink }; -allow init_fingerprint system_data_file:file r_file_perms; diff --git a/sepolicy/vendor/ipacm.te b/sepolicy/vendor/ipacm.te deleted file mode 100644 index 3c1d3a4f..00000000 --- a/sepolicy/vendor/ipacm.te +++ /dev/null @@ -1,4 +0,0 @@ -# Fix for WLAN tethering offload -# SELinux : avc: denied { set } for property=wifi.active.interface pid=2918 uid=1010 gid=1010 scontext=u:r::s0 tcontext=u:object_r:default_prop:s0 tclass=property_service -allow hal_wifi_default exported_wifi_prop:property_service set; - diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te new file mode 100644 index 00000000..efe48539 --- /dev/null +++ b/sepolicy/vendor/netmgrd.te @@ -0,0 +1,2 @@ +set_prop(netmgrd, vendor_radio_prop) +set_prop(netmgrd, vendor_data_ko_prop) diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te deleted file mode 100644 index ff032a80..00000000 --- a/sepolicy/vendor/platform_app.te +++ /dev/null @@ -1,2 +0,0 @@ -allow platform_app blkio_dev:dir search; -allow platform_app sysfs_kgsl:dir search; diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te deleted file mode 100644 index 26c126e4..00000000 --- a/sepolicy/vendor/priv_app.te +++ /dev/null @@ -1 +0,0 @@ -allow priv_app blkio_dev:dir search; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index 719e9e1e..dc3d129d 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -1,15 +1,11 @@ type hal_fingerprint_prop, property_type; -type ifaa_prop, property_type; type mlipay_prop, property_type; -type vendor_fp_prop, property_type; -type vendor_camera_prop, property_type; # Dirac type dirac_prop, property_type; +# Power +type vendor_power_prop, property_type; + # Thermal engine type thermal_engine_prop, property_type; - -# Power -type power_prop, property_type; -type vendor_power_prop, property_type; diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts index dfa89291..2c19faa8 100644 --- a/sepolicy/vendor/property_contexts +++ b/sepolicy/vendor/property_contexts @@ -6,7 +6,6 @@ audio_hal.period_multiplier u:object_r:vendor_default_prop:s0 persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0 # Camera -camera. u:object_r:camera_prop:s0 camera.clientname u:object_r:camera_prop:s0 camera.debug. u:object_r:camera_prop:s0 camera.facebeauty.version u:object_r:camera_prop:s0 @@ -20,19 +19,19 @@ persist.camera. u:object_r:vendor_default_prop:s0 persist.vendor.camera. u:object_r:camera_prop:s0 vendor.camera.eis.gyro_name u:object_r:camera_prop:s0 vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0 +vendor.camera.cpuperf.en u:object_r:vendor_default_prop:s0 # Dirac persist.audio.dirac. u:object_r:dirac_prop:s0 # Fingerprint fpc_kpi u:object_r:vendor_default_prop:s0 -gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0 +gf.debug.dump_data u:object_r:vendor_default_prop:s0 persist.sys.fp. u:object_r:hal_fingerprint_prop:s0 persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0 ro.boot.fp. u:object_r:hal_fingerprint_prop:s0 -sys.fp. u:object_r:hal_fingerprint_prop:s0 ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0 -persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0 +sys.fp. u:object_r:hal_fingerprint_prop:s0 # Media gpu.stats.debug.level u:object_r:vendor_default_prop:s0 @@ -47,10 +46,13 @@ sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0 # Power vendor.powerhal. u:object_r:vendor_power_prop:s0 +# RIL +ro.build.software.version u:object_r:exported_radio_prop:s0 +ro.product.mod_device u:object_r:exported_radio_prop:s0 +persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0 +persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0 +persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0 + # Thermal engine persist.sys.thermal. u:object_r:thermal_engine_prop:s0 sys.thermal. u:object_r:thermal_engine_prop:s0 - -# vendor_default_prop -vendor.camera.cpuperf.en u:object_r:vendor_default_prop:s0 -vendor.display.lcd_density u:object_r:vendor_default_prop:s0 diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te index 020eca29..db9b3583 100644 --- a/sepolicy/vendor/qti_init_shell.te +++ b/sepolicy/vendor/qti_init_shell.te @@ -1,7 +1,5 @@ allow qti_init_shell ctl_start_prop:property_service set; allow qti_init_shell ctl_stop_prop:property_service set; -allow qti_init_shell sysfs_cpu_boost:file write; -allow qti_init_shell sysfs:file write; -allow qti_init_shell vendor_radio_data_file:dir { getattr read search }; -allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write }; + +dontaudit qti_init_shell system_prop:property_service set; dontaudit qti_init_shell self:capability { dac_override dac_read_search }; diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te index 6cca9efa..abdeb244 100644 --- a/sepolicy/vendor/radio.te +++ b/sepolicy/vendor/radio.te @@ -1,20 +1,7 @@ -allow radio hal_datafactory_hwservice:hwservice_manager find; binder_call(radio, cnd) binder_call(radio, hal_imsrtp) -allow radio { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service drmserver_service audioserver_service }:service_manager find; -get_prop(radio, qcom_ims_prop) -dontaudit { - cnd - netmgrd - qti - adpl - hal_audio_default - rild - hal_imsrtp - hal_rcsservice - hal_sensors_default - hal_graphics_composer_default - sensors - vendor_dpmd -} diag_device:chr_file { read write }; +allow radio hal_datafactory_hwservice:hwservice_manager find; +allow radio hal_iwlan_hwservice:hwservice_manager find; + +get_prop(radio, vendor_qcom_ims_prop) diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te index 7ec4f2d9..dfbf4d5b 100644 --- a/sepolicy/vendor/rild.te +++ b/sepolicy/vendor/rild.te @@ -1,2 +1,18 @@ -allow rild qcom_ims_prop:file { getattr open read }; allow rild vendor_file:file ioctl; +allow rild vendor_qcom_ims_prop:file { getattr open read }; + +dontaudit { + adpl + cnd + hal_audio_default + hal_imsrtp + hal_rcsservice + hal_sensors_default + hal_graphics_composer_default + ims + netmgrd + qti + rild + sensors + vendor_dpmd +} diag_device:chr_file { read write }; diff --git a/sepolicy/vendor/rmt_storage.te b/sepolicy/vendor/rmt_storage.te deleted file mode 100644 index a50f114c..00000000 --- a/sepolicy/vendor/rmt_storage.te +++ /dev/null @@ -1,2 +0,0 @@ -r_dir_file(rmt_storage, sysfs_data) -r_dir_file(rmt_storage, sysfs_ssr) diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 3b0897b6..97d57d5d 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -1,19 +1,14 @@ allow system_app blkio_dev:dir search; -allow system_app hal_mlipay_default:binder call; -allow system_app kcal_dev:file rw_file_perms; allow system_app kcal_dev:dir search; +allow system_app kcal_dev:file rw_file_perms; allow system_app proc_vmallocinfo:file read; -allow system_app sysfs_thermal:file rw_file_perms; -allow system_app sysfs_thermal:dir search; -allow system_app sysfs_vibrator:file rw_file_perms; allow system_app sysfs_vibrator:dir search; +allow system_app sysfs_vibrator:file rw_file_perms; allow system_app sysfs_graphics:dir search; -allow system_app sysfs_graphics:file rw_file_perms; allow system_app sysfs_leds:dir search; allow system_app sysfs_fpsinfo:file rw_file_perms; allow system_app sysfs_headphonegain:file rw_file_perms; allow system_app sysfs_micgain:file rw_file_perms; allow system_app sysfs_zram:dir search; -allow system_app vendor_default_prop:file { getattr open read }; -allow system_app wificond:binder call; + set_prop(system_app, system_prop); diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index 47add3f9..0532e079 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te @@ -1,22 +1,6 @@ -allow system_server app_zygote:process getpgid; +get_prop(system_server, userspace_reboot_exported_prop) + allow system_server blkio_dev:dir search; -allow system_server default_android_service:service_manager add; -allow system_server exported_camera_prop:file read; -allow system_server kernel:system syslog_read; -allow system_server media_rw_data_file:dir { setattr }; allow system_server sysfs_battery_supply:file rw_file_perms; -allow system_server sysfs_kgsl:lnk_file { read }; -allow system_server sysfs_vibrator:file rw_file_perms; -allow system_server thermal_service:service_manager find; -allow system_server userspace_reboot_exported_prop:file read; -allow system_server vendor_camera_prop:file { getattr open read }; -allow system_server vendor_default_prop:file { getattr open read }; -allow system_server vendor_keylayout_file:dir search; -allow system_server vendor_keylayout_file:file r_file_perms; -allow system_server zygote:process { getpgid }; dontaudit system_server sysfs:file { read open getattr }; - -get_prop(system_server, exported_camera_prop) -get_prop(system_server, userspace_reboot_config_prop) -get_prop(system_server, userspace_reboot_exported_prop) diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te index 7d3fa5d4..0a124bc7 100644 --- a/sepolicy/vendor/tee.te +++ b/sepolicy/vendor/tee.te @@ -1,6 +1,6 @@ # TODO(b/36644492): Remove data_between_core_and_vendor_violators once # tee no longer directly accesses /data owned by the frameworks. typeattribute tee data_between_core_and_vendor_violators; +allow tee system_data_file:dir r_dir_perms; allow tee fingerprintd_data_file:dir rw_dir_perms; allow tee fingerprintd_data_file:file create_file_perms; -allow tee system_data_file:dir r_dir_perms; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index 31a69f5b..3e7ef368 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -1,8 +1,8 @@ -allow thermal-engine property_socket:sock_file write; -allow thermal-engine sysfs:dir r_dir_perms; -allow thermal-engine self:capability { chown fowner }; allow thermal-engine thermal_data_file:dir rw_dir_perms; allow thermal-engine thermal_data_file:file create_file_perms; +allow thermal-engine sysfs:dir r_dir_perms; +allow thermal-engine self:capability { chown fowner }; dontaudit thermal-engine self:capability dac_override; + set_prop(thermal-engine, thermal_engine_prop); -r_dir_file(thermal-engine sysfs_thermal) +r_dir_file(thermal-engine, sysfs_thermal) diff --git a/sepolicy/vendor/time_daemon.te b/sepolicy/vendor/time_daemon.te deleted file mode 100644 index e9fbf794..00000000 --- a/sepolicy/vendor/time_daemon.te +++ /dev/null @@ -1 +0,0 @@ -allow time_daemon self:capability { setgid setuid }; diff --git a/sepolicy/vendor/traced_probes.te b/sepolicy/vendor/traced_probes.te deleted file mode 100644 index b10064fe..00000000 --- a/sepolicy/vendor/traced_probes.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit traced_probes debugfs_tracing_debug:file { read open getattr }; diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te deleted file mode 100644 index b1b25e3f..00000000 --- a/sepolicy/vendor/ueventd.te +++ /dev/null @@ -1,5 +0,0 @@ -allow ueventd ir_dev_file:chr_file { create setattr }; -allow ueventd kcal_dev:dir r_dir_perms; -allow ueventd kcal_dev:file rw_file_perms; -allow ueventd kcal_dev:lnk_file r_file_perms; -allow ueventd metadata_file:dir search; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te index c163c237..ed7a88dd 100644 --- a/sepolicy/vendor/vendor_init.te +++ b/sepolicy/vendor/vendor_init.te @@ -1,38 +1,10 @@ -#============= vendor_init ============== typeattribute vendor_init data_between_core_and_vendor_violators; allow vendor_init { - media_rw_data_file system_data_file tombstone_data_file - camera_data_file }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; -allow vendor_init apex_metadata_file:dir create_dir_perms; -allow vendor_init fingerprint_data_file:dir {setattr create}; -allow vendor_init media_rw_data_file:file { getattr relabelfrom }; -allow vendor_init persist_debug_prop:file read; -allow vendor_init rootfs:dir { add_name create setattr write }; -allow vendor_init rootfs:lnk_file setattr; -allow vendor_init unlabeled:{ dir file } { getattr relabelfrom }; -allow vendor_init blkio_dev:file { open read write create }; -allow vendor_init proc_dirty:file write; - -allow vendor_init { - audio_prop - bservice_prop - persist_debug_prop - vendor_persist_dpm_prop - qcom_ims_prop - reschedule_service_prop - thermal_engine_prop - vendor_ssr_prop - vendor_fp_prop -}:property_service set; - set_prop(vendor_init, camera_prop) -set_prop(vendor_init, exported_camera_prop) -set_prop(vendor_init, vendor_camera_prop) -set_prop(vendor_init, freq_prop) -set_prop(vendor_init, fm_prop) +set_prop(vendor_init, vendor_freq_prop) set_prop(vendor_init, vendor_power_prop) diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te index 13b2a4cb..77dd3de1 100644 --- a/sepolicy/vendor/vendor_toolbox.te +++ b/sepolicy/vendor/vendor_toolbox.te @@ -9,42 +9,3 @@ allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans; # Allow vendor_toolbox to read directories in rootfs allow vendor_toolbox rootfs:dir r_dir_perms; - -# Allow vendor_toolbox to remove "security.*" xattrs from /mnt/vendor/persist -allow vendor_toolbox { - mnt_vendor_file - persist_alarm_file - persist_block_device - persist_bluetooth_file - persist_bms_file - persist_display_file - persist_drm_file - persist_file - persist_fingerprint_file - persist_hvdcp_file - persist_misc_file - persist_qti_fp_file - persist_rfs_file - persist_rfs_shared_hlos_file - persist_secnvm_file - persist_time_file - persist_vpp_file - regionalization_file - rfs_file - rfs_shared_hlos_file - sensors_persist_file - unlabeled - vendor_persist_mmi_file -}:dir { r_dir_perms setattr getattr}; - -allow vendor_toolbox { - mnt_vendor_file - persist_alarm_file - persist_block_device - persist_bluetooth_file - persist_bms_file - persist_hvdcp_file - persist_time_file - regionalization_file - sensors_persist_file -}:file { getattr}; diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te new file mode 100644 index 00000000..a145ee9e --- /dev/null +++ b/sepolicy/vendor/wcnss_service.te @@ -0,0 +1,3 @@ +allow wcnss_service sysfs:file { read open }; +allow wcnss_service sysfs_net:dir search; +allow wcnss_service vendor_shell_exec:file execute_no_trans; diff --git a/sepolicy/vendor/webview_zygote.te b/sepolicy/vendor/webview_zygote.te deleted file mode 100644 index c8a7ec28..00000000 --- a/sepolicy/vendor/webview_zygote.te +++ /dev/null @@ -1 +0,0 @@ -allow webview_zygote zygote:unix_dgram_socket write; diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te deleted file mode 100644 index 4f4f5983..00000000 --- a/sepolicy/vendor/zygote.te +++ /dev/null @@ -1 +0,0 @@ -allow zygote exported_camera_prop:file { read write };