sdm660-common: sepolicy: Rework sepolicy (No more neverallow)

- Thanks to LineageOS and our sdm660 community

Change-Id: I54c7d76260041b7c383428449e149aa35d51de9b3c
OdSazib 2021-04-17 23:30:26 +06:00
parent 53c3064ba1
commit 478a2b33b6
No known key found for this signature in database
GPG key ID: B678DBD07079B021
50 changed files with 164 additions and 383 deletions


@ -222,7 +222,6 @@ PROTOBUF_SUPPORTED := true
# SELinux
include device/qcom/sepolicy-legacy-um/SEPolicy.mk
SELINUX_IGNORE_NEVERALLOWS := true
BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private


@ -1,2 +0,0 @@
# Allow appdomain to get persist_camera_prop
get_prop(appdomain, vendor_persist_camera_prop)


@ -1 +0,0 @@
allow dnsmasq netd:unix_stream_socket { getattr };


@ -1,9 +1,3 @@
# Apex Metadata
/data/apex/sessions(/.*)? u:object_r:apex_metadata_file:s0
/data/apex/active(/.*)? u:object_r:apex_metadata_file:s0
/data/apex/backup(/.*)? u:object_r:apex_metadata_file:s0
/data/apex/hashtree(/.*)? u:object_r:apex_metadata_file:s0
# Executables
/system/bin/chargeonlymode u:object_r:charger_exec:s0


@ -1 +0,0 @@
sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0


@ -1,2 +0,0 @@
# Allow vendor_init to set persist_camera_prop
set_prop(vendor_init, vendor_persist_camera_prop)


@ -1,2 +1 @@
# HALs
hal_attribute(mlipay)
hal_attribute_lineage(mlipay)


@ -1 +0,0 @@
allow apexd apex_metadata_file:lnk_file r_file_perms;


@ -1,7 +1,5 @@
# Allow appdomain to get vendor_camera_prop
binder_call({ appdomain -isolated_app }, hal_mlipay_default)
get_prop(appdomain, vendor_camera_prop)
get_prop({ appdomain -isolated_app }, mlipay_prop)
get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
get_prop({ appdomain -isolated_app }, ifaa_prop)
get_prop({ appdomain -isolated_app }, vendor_fp_prop)
get_prop({ appdomain -isolated_app }, mlipay_prop)
allow { appdomain -isolated_app } adsprpcd_file:dir r_dir_perms;
allow { appdomain -isolated_app } public_adsprpcd_file:file r_file_perms;
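Review bot: `binder_call({ appdomain -isolated_app }, hal_mlipay_default)` together with the `get_prop` lines for `hal_fingerprint_prop` and `mlipay_prop` exposes the payment HAL and fingerprint state to every non-isolated app, including untrusted third-party ones. The +/- markers are lost on this page, so this applies only if those lines are on the new side; the hunk header (7 old lines, 5 new) does not settle which ones survive. If the HAL is only used by the vendor payment client, scope the rules to that client's domain rather than `appdomain`, and add a comment naming the client, e.g. `# mlipay HAL is reached only from <client domain>`.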


@ -1,26 +1,16 @@
type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
type fingerprint_sysfs, fs_type, sysfs_type;
type ir_dev_file, file_type;
type sysfs_info, fs_type, sysfs_type;
type public_adsprpcd_file, file_type;
type sysfs_fingerprint, fs_type, sysfs_type;
type sysfs_touchpanel, fs_type, sysfs_type;
type thermal_data_file, file_type, data_file_type;
# Fingerprint
type fingerprintd_device, file_type, dev_type;
type persist_fingerprint_file, file_type;
type sysfs_fingerprint, sysfs_type, fs_type;
# DeviceSettings
type sysfs_fpsinfo, sysfs_type, fs_type;
type sysfs_headphonegain, sysfs_type, fs_type;
type sysfs_micgain, sysfs_type, fs_type;
# Kcal
type kcal_dev, sysfs_type, fs_type;
# Sockets
type audio_socket, file_type;
# Touchscreen wake_gesture
type proc_dt2w, fs_type, proc_type;
type sysfs_tap_to_wake, sysfs_type, fs_type;
type sysfs_touchpanel, fs_type, sysfs_type;
# XiamiParts
type sysfs_fpsinfo, sysfs_type, fs_type;
type sysfs_headphonegain, sysfs_type, fs_type;
type sysfs_micgain, sysfs_type, fs_type;


@ -4,35 +4,34 @@
# Biometric
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
# Biometric
/data/misc/camera u:object_r:camera_data_file:s0
# blkio
/dev/blkio(/.*)? u:object_r:blkio_dev:s0
/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
# Debug
/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
# Executables
/vendor/bin/sh u:object_r:vendor_shell_exec:s0
# Fingerprint
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# Firmware
/firmware u:object_r:firmware_file:s0
/bt_firmware u:object_r:bt_firmware_file:s0
# FPC Fingerprint
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0
/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0
# Goodix Fingerprint
/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
/persist/data/gf* u:object_r:fingerprint_data_file:s0
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# HVDCP
/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
# HW Info
/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0
/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0
# Hexagon DSP-side executable needed for Halide operation
# This is labeled as public_adsprpcd_file as it needs to be read by apps
# (e.g. Google Camera App)
/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
# IR
/dev/lirc0 u:object_r:spidev_device:s0
@ -52,21 +51,13 @@
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
# Misc
/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
# Persist
/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
/persist u:object_r:mnt_vendor_file:s0
# Power
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0
# Shell Script
/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
/vendor/bin/sh u:object_r:vendor_shell_exec:s0
# Root files
/persist(/.*)? u:object_r:mnt_vendor_file:s0
/proc/sys/fs/protected_regular u:object_r:proc:s0
# Service HALs
/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
@ -74,15 +65,6 @@
# Sockets
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
# Tap to Wake
/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0
/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0
/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0
/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0


@ -1 +0,0 @@
dontaudit fsck self:capability { dac_override dac_read_search };

2
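--- a/sepolicy/vendor/ftrace.te
+++ b/sepolicy/vendor/ftrace.te
@@ -0,0 +1,2 @@
+dontaudit hal_atrace_default debugfs_tracing_debug:file write;
+dontaudit traced_probes debugfs_tracing_debug:file read;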


@ -5,17 +5,23 @@ genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs
genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
# DeviceSettings
genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
genfscon sysfs /kernel/sound_control/headphone_gain u:object_r:sysfs_headphonegain:s0
genfscon sysfs /kernel/sound_control/mic_gain u:object_r:sysfs_micgain:s0
# Fingerprint
genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fpc1020/irq u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/irq_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fpc1020/device_prepare u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fpc1020/fingerdown_wait u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0
# Graphics
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
@ -34,12 +40,5 @@ genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0 u:object_r:sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_devfreq:s0
# Touchscreen
genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
# Touchpanel
genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
# DeviceSettings
genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
genfscon sysfs /kernel/sound_control/headphone_gain u:object_r:sysfs_headphonegain:s0
genfscon sysfs /kernel/sound_control/mic_gain u:object_r:sysfs_micgain:s0


@ -1,3 +1,2 @@
allow gmscore_app blkio_dev:dir search;
allow gmscore_app bt_firmware_file:filesystem getattr;
allow gmscore_app firmware_file:filesystem getattr;
binder_call(gmscore_app, hal_memtrack_default);
dontaudit gmscore_app { bt_firmware_file firmware_file }:filesystem getattr;


@ -1,9 +1,5 @@
allow hal_audio_default audio_socket:sock_file rw_file_perms;
allow hal_audio_default diag_device:chr_file { read write };
allow hal_audio_default sysfs:dir r_dir_perms;
allow hal_audio_default sysfs_info:file { open getattr read };
allow hal_audio_default vendor_data_file:dir { create write add_name };
allow hal_audio_default vendor_data_file:file { append create getattr open read };
get_prop(hal_audio_default, dirac_prop)
set_prop(hal_audio_default, dirac_prop)


@ -1,17 +1,5 @@
allow hal_camera_default camera_data_file:dir w_dir_perms;
allow hal_camera_default camera_data_file:file create_file_perms;
allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager find;
allow hal_camera_default media_rw_data_file:file { getattr };
allow hal_camera_default sysfs:file { getattr open read };
allow hal_camera_default sysfs_kgsl:dir search;
allow hal_camera_default sysfs_kgsl:file r_file_perms;
allow hal_camera_default vendor_video_prop:file r_file_perms;
allow hal_camera_default vendor_default_prop:property_service set;
hal_client_domain(hal_camera_default, hal_configstore)
binder_call(hal_camera_default, hal_graphics_allocator_default)
hal_client_domain(hal_camera_default, hal_graphics_allocator)
get_prop(hal_camera_default, vendor_video_prop)
set_prop(hal_camera_default, exported_camera_prop)
set_prop(hal_camera_default, vendor_camera_prop)
set_prop(hal_camera_default, vendor_video_prop)
typeattribute hal_camera_default data_between_core_and_vendor_violators;
allow hal_camera_default sysfs_kgsl:file r_file_perms;


@ -16,29 +16,11 @@ typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
# access to /data/system/users/[0-9]+/fpdata
allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms;
allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:lnk_file read;
allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
allow hal_fingerprint_sdm660 media_rw_data_file:dir search;
allow hal_fingerprint_sdm660 mnt_user_file:dir search;
allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
allow hal_fingerprint_sdm660 rootfs:dir read;
allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms;
allow hal_fingerprint_sdm660 system_data_file:file r_file_perms;
allow hal_fingerprint_sdm660 sysfs_fingerprint:file rw_file_perms;
allow hal_fingerprint_sdm660 sysfs_devfreq:dir search;
allow hal_fingerprint_sdm660 sysfs_sectouch:dir search;
allow hal_fingerprint_sdm660 sdcardfs:dir search;
allow hal_fingerprint_sdm660 storage_file:dir search;
allow hal_fingerprint_sdm660 storage_file:lnk_file read;
allow hal_fingerprint_sdm660 vendor_mpctl_prop:file read;
allow hal_fingerprint_sdm660 vendor_fp_prop:property_service set;
allow hal_fingerprint_sdm660 vendor_fp_prop:file { getattr open read };
allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms;
binder_call(hal_fingerprint_sdm660, hal_perf_default)
r_dir_file(hal_fingerprint_sdm660, firmware_file)


@ -1 +0,0 @@
binder_call(hal_imsrtp, radio)


@ -1,13 +1,20 @@
type hal_mlipay_default, domain;
type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
hal_server_domain(hal_mlipay_default, hal_mlipay)
add_hwservice(hal_mlipay_default, hal_mlipay_hwservice)
get_prop(hal_mlipay_default, hwservicemanager_prop)
type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_mlipay_default)
hwbinder_use(hal_mlipay_default)
r_dir_file(hal_mlipay_default, firmware_file)
get_prop(hal_mlipay_default, hal_fingerprint_prop);
set_prop(hal_mlipay_default, mlipay_prop);
# Allow hwbinder call from hal client to server
binder_call(hal_mlipay_client, hal_mlipay_server)
# Add hwservice related rules
add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
allow hal_mlipay_default tee_device:chr_file rw_file_perms;
allow hal_mlipay_default ion_device:chr_file r_file_perms;
r_dir_file(hal_mlipay_default, firmware_file)
set_prop(hal_mlipay_default, mlipay_prop);
get_prop(hal_mlipay_default, hal_fingerprint_prop);


@ -1,25 +1,10 @@
# Allow writing to files in /proc/tp_gesture
allow hal_power_default proc:file rw_file_perms;
allow hal_power_default proc:dir search;
allow hal_power_default proc_dt2w:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
r_dir_file(hal_power_default, sysfs_graphics)
allow hal_power_default cgroup:file read;
allow hal_power_default device_latency:chr_file rw_file_perms;
allow hal_power_default { sysfs_devfreq sysfs_kgsl }:dir search;
allow hal_power_default { sysfs_devfreq sysfs_kgsl }:{ file lnk_file } rw_file_perms;
allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
allow hal_power_default sysfs:file { read open getattr };
allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
allow hal_power_default proc:file { write };
r_dir_file(hal_power_default, sysfs_graphics)
# To dump
allow hal_power_default cgroup:file read;
set_prop(hal_power_default, vendor_power_prop)


@ -0,0 +1 @@
allow hal_power_stats_default sysfs:dir read;


@ -1,7 +1,4 @@
allow hal_sensors_default diag_device:chr_file { read write };
allow hal_sensors_default sysfs:file { read open };
allow hal_sensors_default sysfs_info:file { read write };
set_prop(hal_sensors_default, camera_prop)
allow hal_sensors_default audio_socket:sock_file rw_file_perms;
unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
set_prop(hal_sensors_default, camera_prop)

3
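--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,3 @@
+allow hal_wifi_default exported_wifi_prop:property_service set;
+allow hal_wifi_default proc_net:file write;
+allow hal_wifi_default self:capability sys_module;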
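Review bot: The third rule, `allow hal_wifi_default self:capability sys_module;`, grants the Wi-Fi HAL the capability used for loading and unloading kernel modules, which is a much wider privilege than the other two rules in this file and makes the HAL process a more valuable target. If the denial comes from the HAL triggering a driver load that init or vendor_init could perform instead, move the load there and drop the rule; if the denial turns out to be harmless, `dontaudit hal_wifi_default self:capability sys_module;` silences it without granting it. Whichever rules stay should each carry a comment with the avc denial they answer, as the removed WLAN tethering file in this commit did for the `exported_wifi_prop` rule. `proc_net:file write` likewise covers every node with that label, so the comment should name the node the HAL writes.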


@ -1,11 +1,7 @@
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0


@ -1 +0,0 @@
dontaudit ims diag_device:chr_file { read write };


@ -1,13 +1,5 @@
allow init blkio_dev:file { create open read write };
allow init hwservicemanager:binder { call transfer };
allow init ipa_dev:chr_file open;
allow init ion_device:chr_file ioctl;
allow init property_socket:sock_file write;
allow init persist_block_device:lnk_file relabelto;
allow init sysfs_dm:file { open write };
allow init sysfs_info:file { open read };
allow init sysfs:file setattr;
allow init sysfs_graphics:file { open write };
allow init sysfs_battery_supply:file setattr;
allow init adsprpcd_file:file mounton;
allow init socket_device:sock_file { unlink setattr create };
allow init sysfs_graphics:file { read open };
allow init sysfs_battery_supply:file setattr;
allow init vendor_default_prop:property_service set;


@ -1,16 +0,0 @@
type init_fingerprint, domain;
type init_fingerprint_exec, exec_type, vendor_file_type, file_type;
typeattribute init_fingerprint data_between_core_and_vendor_violators;
# Allow for transition from init domain to init_fingerprint
init_daemon_domain(init_fingerprint)
# Shell script needs to execute /vendor/bin/sh
allow init_fingerprint vendor_shell_exec:file rx_file_perms;
allow init_fingerprint vendor_toolbox_exec:file rx_file_perms;
# Allow to delete file
allow init_fingerprint mnt_vendor_file:dir search;
allow init_fingerprint persist_drm_file:dir { read search open write remove_name };
allow init_fingerprint persist_drm_file:file { getattr unlink };
allow init_fingerprint system_data_file:file r_file_perms;


@ -1,4 +0,0 @@
# Fix for WLAN tethering offload
# SELinux : avc: denied { set } for property=wifi.active.interface pid=2918 uid=1010 gid=1010 scontext=u:r::s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
allow hal_wifi_default exported_wifi_prop:property_service set;

2
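--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
@@ -0,0 +1,2 @@
+set_prop(netmgrd, vendor_radio_prop)
+set_prop(netmgrd, vendor_data_ko_prop)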
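Review bot: `set_prop(netmgrd, vendor_radio_prop)` gives netmgrd write access to every property labelled `vendor_radio_prop`, apparently so it can set the three `persist.vendor.data.*_load` keys that the property_contexts section of this commit maps to that type. Since the second line already references `vendor_data_ko_prop`, labelling those three keys `vendor_data_ko_prop` instead would let the first rule be dropped. This assumes that type is declared in the included qcom policy and that the property_contexts lines are on the new side, which the rendered page does not show because the +/- markers are lost.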


@ -1,2 +0,0 @@
allow platform_app blkio_dev:dir search;
allow platform_app sysfs_kgsl:dir search;


@ -1 +0,0 @@
allow priv_app blkio_dev:dir search;


@ -1,15 +1,11 @@
type hal_fingerprint_prop, property_type;
type ifaa_prop, property_type;
type mlipay_prop, property_type;
type vendor_fp_prop, property_type;
type vendor_camera_prop, property_type;
# Dirac
type dirac_prop, property_type;
# Power
type vendor_power_prop, property_type;
# Thermal engine
type thermal_engine_prop, property_type;
# Power
type power_prop, property_type;
type vendor_power_prop, property_type;


@ -6,7 +6,6 @@ audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
# Camera
camera. u:object_r:camera_prop:s0
camera.clientname u:object_r:camera_prop:s0
camera.debug. u:object_r:camera_prop:s0
camera.facebeauty.version u:object_r:camera_prop:s0
@ -20,19 +19,19 @@ persist.camera. u:object_r:vendor_default_prop:s0
persist.vendor.camera. u:object_r:camera_prop:s0
vendor.camera.eis.gyro_name u:object_r:camera_prop:s0
vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0
vendor.camera.cpuperf.en u:object_r:vendor_default_prop:s0
# Dirac
persist.audio.dirac. u:object_r:dirac_prop:s0
# Fingerprint
fpc_kpi u:object_r:vendor_default_prop:s0
gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
gf.debug.dump_data u:object_r:vendor_default_prop:s0
persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
sys.fp. u:object_r:hal_fingerprint_prop:s0
# Media
gpu.stats.debug.level u:object_r:vendor_default_prop:s0
@ -47,10 +46,13 @@ sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
# Power
vendor.powerhal. u:object_r:vendor_power_prop:s0
# RIL
ro.build.software.version u:object_r:exported_radio_prop:s0
ro.product.mod_device u:object_r:exported_radio_prop:s0
persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
# Thermal engine
persist.sys.thermal. u:object_r:thermal_engine_prop:s0
sys.thermal. u:object_r:thermal_engine_prop:s0
# vendor_default_prop
vendor.camera.cpuperf.en u:object_r:vendor_default_prop:s0
vendor.display.lcd_density u:object_r:vendor_default_prop:s0


@ -1,7 +1,5 @@
allow qti_init_shell ctl_start_prop:property_service set;
allow qti_init_shell ctl_stop_prop:property_service set;
allow qti_init_shell sysfs_cpu_boost:file write;
allow qti_init_shell sysfs:file write;
allow qti_init_shell vendor_radio_data_file:dir { getattr read search };
allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write };
dontaudit qti_init_shell system_prop:property_service set;
dontaudit qti_init_shell self:capability { dac_override dac_read_search };


@ -1,20 +1,7 @@
allow radio hal_datafactory_hwservice:hwservice_manager find;
binder_call(radio, cnd)
binder_call(radio, hal_imsrtp)
allow radio { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service drmserver_service audioserver_service }:service_manager find;
get_prop(radio, qcom_ims_prop)
dontaudit {
cnd
netmgrd
qti
adpl
hal_audio_default
rild
hal_imsrtp
hal_rcsservice
hal_sensors_default
hal_graphics_composer_default
sensors
vendor_dpmd
} diag_device:chr_file { read write };
allow radio hal_datafactory_hwservice:hwservice_manager find;
allow radio hal_iwlan_hwservice:hwservice_manager find;
get_prop(radio, vendor_qcom_ims_prop)


@ -1,2 +1,18 @@
allow rild qcom_ims_prop:file { getattr open read };
allow rild vendor_file:file ioctl;
allow rild vendor_qcom_ims_prop:file { getattr open read };
dontaudit {
adpl
cnd
hal_audio_default
hal_imsrtp
hal_rcsservice
hal_sensors_default
hal_graphics_composer_default
ims
netmgrd
qti
rild
sensors
vendor_dpmd
} diag_device:chr_file { read write };
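Review bot: The `dontaudit { … } diag_device:chr_file { read write };` block names thirteen domains, only one of which is rild, so placing it in the rild policy hides it from anyone auditing, say, `netmgrd` or `ims`. It also silences every read/write denial on the diag device for all of those domains, which removes the audit trail a responder would use to notice unexpected diag access. Moving the block to its own file with a comment such as `# diag is not shipped on user builds; these denials are expected noise` would make the intent reviewable. The +/- markers are lost here, so the hunk header (2 old lines, 18 new) is the only sign that the block is new in this file.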


@ -1,2 +0,0 @@
r_dir_file(rmt_storage, sysfs_data)
r_dir_file(rmt_storage, sysfs_ssr)


@ -1,19 +1,14 @@
allow system_app blkio_dev:dir search;
allow system_app hal_mlipay_default:binder call;
allow system_app kcal_dev:file rw_file_perms;
allow system_app kcal_dev:dir search;
allow system_app kcal_dev:file rw_file_perms;
allow system_app proc_vmallocinfo:file read;
allow system_app sysfs_thermal:file rw_file_perms;
allow system_app sysfs_thermal:dir search;
allow system_app sysfs_vibrator:file rw_file_perms;
allow system_app sysfs_vibrator:dir search;
allow system_app sysfs_vibrator:file rw_file_perms;
allow system_app sysfs_graphics:dir search;
allow system_app sysfs_graphics:file rw_file_perms;
allow system_app sysfs_leds:dir search;
allow system_app sysfs_fpsinfo:file rw_file_perms;
allow system_app sysfs_headphonegain:file rw_file_perms;
allow system_app sysfs_micgain:file rw_file_perms;
allow system_app sysfs_zram:dir search;
allow system_app vendor_default_prop:file { getattr open read };
allow system_app wificond:binder call;
set_prop(system_app, system_prop);


@ -1,22 +1,6 @@
allow system_server app_zygote:process getpgid;
get_prop(system_server, userspace_reboot_exported_prop)
allow system_server blkio_dev:dir search;
allow system_server default_android_service:service_manager add;
allow system_server exported_camera_prop:file read;
allow system_server kernel:system syslog_read;
allow system_server media_rw_data_file:dir { setattr };
allow system_server sysfs_battery_supply:file rw_file_perms;
allow system_server sysfs_kgsl:lnk_file { read };
allow system_server sysfs_vibrator:file rw_file_perms;
allow system_server thermal_service:service_manager find;
allow system_server userspace_reboot_exported_prop:file read;
allow system_server vendor_camera_prop:file { getattr open read };
allow system_server vendor_default_prop:file { getattr open read };
allow system_server vendor_keylayout_file:dir search;
allow system_server vendor_keylayout_file:file r_file_perms;
allow system_server zygote:process { getpgid };
dontaudit system_server sysfs:file { read open getattr };
get_prop(system_server, exported_camera_prop)
get_prop(system_server, userspace_reboot_config_prop)
get_prop(system_server, userspace_reboot_exported_prop)


@ -1,6 +1,6 @@
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# tee no longer directly accesses /data owned by the frameworks.
typeattribute tee data_between_core_and_vendor_violators;
allow tee system_data_file:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
allow tee system_data_file:dir r_dir_perms;


@ -1,8 +1,8 @@
allow thermal-engine property_socket:sock_file write;
allow thermal-engine sysfs:dir r_dir_perms;
allow thermal-engine self:capability { chown fowner };
allow thermal-engine thermal_data_file:dir rw_dir_perms;
allow thermal-engine thermal_data_file:file create_file_perms;
allow thermal-engine sysfs:dir r_dir_perms;
allow thermal-engine self:capability { chown fowner };
dontaudit thermal-engine self:capability dac_override;
set_prop(thermal-engine, thermal_engine_prop);
r_dir_file(thermal-engine sysfs_thermal)
r_dir_file(thermal-engine, sysfs_thermal)


@ -1 +0,0 @@
allow time_daemon self:capability { setgid setuid };


@ -1 +0,0 @@
dontaudit traced_probes debugfs_tracing_debug:file { read open getattr };


@ -1,5 +0,0 @@
allow ueventd ir_dev_file:chr_file { create setattr };
allow ueventd kcal_dev:dir r_dir_perms;
allow ueventd kcal_dev:file rw_file_perms;
allow ueventd kcal_dev:lnk_file r_file_perms;
allow ueventd metadata_file:dir search;


@ -1,38 +1,10 @@
#============= vendor_init ==============
typeattribute vendor_init data_between_core_and_vendor_violators;
allow vendor_init {
media_rw_data_file
system_data_file
tombstone_data_file
camera_data_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init apex_metadata_file:dir create_dir_perms;
allow vendor_init fingerprint_data_file:dir {setattr create};
allow vendor_init media_rw_data_file:file { getattr relabelfrom };
allow vendor_init persist_debug_prop:file read;
allow vendor_init rootfs:dir { add_name create setattr write };
allow vendor_init rootfs:lnk_file setattr;
allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
allow vendor_init blkio_dev:file { open read write create };
allow vendor_init proc_dirty:file write;
allow vendor_init {
audio_prop
bservice_prop
persist_debug_prop
vendor_persist_dpm_prop
qcom_ims_prop
reschedule_service_prop
thermal_engine_prop
vendor_ssr_prop
vendor_fp_prop
}:property_service set;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, vendor_camera_prop)
set_prop(vendor_init, freq_prop)
set_prop(vendor_init, fm_prop)
set_prop(vendor_init, vendor_freq_prop)
set_prop(vendor_init, vendor_power_prop)


@ -9,42 +9,3 @@ allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
# Allow vendor_toolbox to read directories in rootfs
allow vendor_toolbox rootfs:dir r_dir_perms;
# Allow vendor_toolbox to remove "security.*" xattrs from /mnt/vendor/persist
allow vendor_toolbox {
mnt_vendor_file
persist_alarm_file
persist_block_device
persist_bluetooth_file
persist_bms_file
persist_display_file
persist_drm_file
persist_file
persist_fingerprint_file
persist_hvdcp_file
persist_misc_file
persist_qti_fp_file
persist_rfs_file
persist_rfs_shared_hlos_file
persist_secnvm_file
persist_time_file
persist_vpp_file
regionalization_file
rfs_file
rfs_shared_hlos_file
sensors_persist_file
unlabeled
vendor_persist_mmi_file
}:dir { r_dir_perms setattr getattr};
allow vendor_toolbox {
mnt_vendor_file
persist_alarm_file
persist_block_device
persist_bluetooth_file
persist_bms_file
persist_hvdcp_file
persist_time_file
regionalization_file
sensors_persist_file
}:file { getattr};

3
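--- a/sepolicy/vendor/wcnss_service.te
+++ b/sepolicy/vendor/wcnss_service.te
@@ -0,0 +1,3 @@
+allow wcnss_service sysfs:file { read open };
+allow wcnss_service sysfs_net:dir search;
+allow wcnss_service vendor_shell_exec:file execute_no_trans;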
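Review bot: `allow wcnss_service sysfs:file { read open };` opens every sysfs node that still carries the generic `sysfs` label to wcnss_service, rather than the one node it actually reads. Giving that node a dedicated type in genfs_contexts, as this commit does for the fingerprint and DeviceSettings nodes, would keep the grant narrow. The `vendor_shell_exec:file execute_no_trans` rule runs the vendor shell inside the wcnss_service domain with all of that domain's permissions, so a comment naming the script it executes would let the next reviewer judge whether the rule is still needed.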


@ -1 +0,0 @@
allow webview_zygote zygote:unix_dgram_socket write;


@ -1 +0,0 @@
allow zygote exported_camera_prop:file { read write };