MiPad4/android_device_xiaomi_sdm660-common
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sdm66-common: sepolicy: Fix labeling sysfs nodes for K4.19

Browse source 
- Address more denials and label some new nodes

Signed-off-by: OdSazib <odsazib@gmail.com>
This commit is contained in:
OdSazib 2021-07-16 14:41:24 +06:00
parent 4ec9f92ace
commit 5351cc35f9
No known key found for this signature in database
GPG key ID: 41E22825A5BD3496
8 changed files with 55 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
sepolicy/private/system_suspend.te
View file

@ -1,3 +1,4 @@
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir r_dir_perms;
allow system_suspend sysfs_wakeup:file r_file_perms;
dontaudit system_suspend sysfs:file r_file_perms;

74
sepolicy/vendor/file_contexts vendored
View file

@ -1,79 +1,79 @@
# Amplifier
/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
# Biometric
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
# Biometric
/data/misc/camera u:object_r:camera_data_file:s0
# Camera
/data/misc/camera u:object_r:camera_data_file:s0
# blkio
/dev/blkio(/.*)? u:object_r:blkio_dev:s0
/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
/dev/blkio(/.*)? u:object_r:blkio_dev:s0
/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
# CNE
/(vendor|system/vendor)/bin/mutualex u:object_r:vendor_mutualex_exec:s0
# Debug
/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
/(vendor|system/vendor)/bin/mutualex u:object_r:vendor_mutualex_exec:s0
# Executables
/vendor/bin/sh u:object_r:vendor_shell_exec:s0
/vendor/bin/sh u:object_r:vendor_shell_exec:s0
# Fingerprint
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# Firmware
/firmware(/.*)? u:object_r:firmware_file:s0
/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
/persist(/.*)? u:object_r:persist_file:s0
/firmware(/.*)? u:object_r:firmware_file:s0
/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
/persist(/.*)? u:object_r:persist_file:s0
# Hexagon DSP-side executable needed for Halide operation
# This is labeled as public_adsprpcd_file as it needs to be read by apps
# (e.g. Google Camera App)
/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
# IR
/dev/lirc0 u:object_r:spidev_device:s0
/dev/spidev7.1 u:object_r:spidev_device:s0
/dev/lirc0 u:object_r:spidev_device:s0
/dev/spidev7.1 u:object_r:spidev_device:s0
# Kcal
/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
# Light HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
# Mlipay
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
# Notification LED
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/blue(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/green(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/red(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d300/leds/flashlight(/.*)? u:object_r:sysfs_graphics:s0
# Power
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.xiaomi_sdm660-libperfmgr u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.mock u:object_r:hal_power_stats_default_exec:s0
# Root files
/proc/sys/fs/protected_regular u:object_r:proc:s0
/proc/sys/fs/protected_regular u:object_r:proc:s0
# Service HALs
/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
# Sockets
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
# USB
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
# Video4linux sysfs nodes
/sys/devices/platform/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/platform/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0

10
sepolicy/vendor/genfs_contexts vendored
View file

@ -1,7 +1,11 @@
# Battery
genfscon sysfs /devices/platform/soc/c175000.i2c/i2c-1/1-0062 u:object_r:sysfs_battery_supply:s0
genfscon sysfs /devices/platform/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0
# Camera
genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video2/name u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@1/video4linux/video3/name u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@2/video4linux/video4/name u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
@ -22,6 +26,11 @@ genfscon sysfs /devices/platform/soc/soc:fpc1020/fingerdown_wait
genfscon sysfs /devices/platform/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/irq_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/device_prepare u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/fingerdown_wait u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/irq u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/irq_enable u:object_r:sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup_enable u:object_r:sysfs_fingerprint:s0
# Graphics
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
@ -32,6 +41,7 @@ genfscon sysfs /devices/virtual/graphics/fb2
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d300/leds/flashlight u:object_r:sysfs_graphics:s0
# Power
genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_devfreq:s0

3
sepolicy/vendor/hal_power_stats_default.te vendored
View file

@ -1 +1,2 @@
allow hal_power_stats_default sysfs:dir read;
allow hal_power_stats_default sysfs:dir { open read };
allow hal_power_stats_default sysfs:file { open read };

1
sepolicy/vendor/init.te vendored
View file

@ -1,4 +1,5 @@
allow init adsprpcd_file:file mounton;
allow init apex_metadata_file:lnk_file read;
allow init socket_device:sock_file { unlink setattr create };
allow init sysfs_graphics:file { read open };
allow init sysfs_battery_supply:file setattr;

2
sepolicy/vendor/qti_init_shell.te vendored
View file

@ -1,5 +1,7 @@
allow qti_init_shell ctl_start_prop:property_service set;
allow qti_init_shell ctl_stop_prop:property_service set;
allow qti_init_shell self:perf_event cpu;
allow qti_init_shell sysfs:file { setattr write };
dontaudit qti_init_shell system_prop:property_service set;
dontaudit qti_init_shell self:capability { dac_override dac_read_search };

1
sepolicy/vendor/ueventd.te vendored Normal file
View file

@ -0,0 +1 @@
allow ueventd metadata_file:dir search;

1
sepolicy/vendor/vendor_init.te vendored
View file

@ -1,6 +1,7 @@
typeattribute vendor_init data_between_core_and_vendor_violators;
allow vendor_init {
camera_data_file
system_data_file
tombstone_data_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };