sdm660-common: sepolicy: Update sepolicy and cleanup

* Address some denials from android 11
* Fix video recording
* Sort in alphabetic order

Signed-off-by: OdSazib <odsazib@gmail.com>
OdSazib 2020-08-06 14:08:04 +06:00
parent ad4a731b53
commit 9a192b7de0
No known key found for this signature in database
GPG key ID: 0954440B60470871
26 changed files with 189 additions and 195 deletions


@ -1,2 +1 @@
sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
vendor.camera.aux.packageblacklist u:object_r:vendor_camera_prop:s0
sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0


@ -1,6 +1,6 @@
# Allow appdomain to get vendor_camera_prop
get_prop(appdomain, vendor_camera_prop)
binder_call({ appdomain -isolated_app }, hal_mlipay_default)
get_prop(appdomain, vendor_camera_prop)
get_prop({ appdomain -isolated_app }, mlipay_prop)
get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
get_prop({ appdomain -isolated_app }, ifaa_prop)
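Review bot: `binder_call({ appdomain -isolated_app }, hal_mlipay_default)` stays in this file, so every app domain except isolated apps, third-party ones included, may exchange binder transactions with the payment HAL, which elsewhere in this commit holds `tee_device:chr_file rw_file_perms`. The rule should name only the domains that actually ship a client of the service, for example `binder_call({ system_app platform_app }, hal_mlipay_default)` if those are the callers; the real callers are not visible on this page. The re-sorted `get_prop(appdomain, vendor_camera_prop)` is also the one rule here that does not subtract `isolated_app`; `get_prop({ appdomain -isolated_app }, vendor_camera_prop)` would match its neighbours.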


@ -1,3 +1,3 @@
type blkio_dev, dev_type;
type fingerprint_device, dev_type;
type spidev_device, dev_type;
type blkio_dev, dev_type;


@ -1,14 +1,8 @@
type ir_dev_file, file_type;
type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
type fingerprint_sysfs, fs_type, sysfs_type;
type ir_dev_file, file_type;
type sysfs_info, fs_type, sysfs_type;
allow ueventd ir_dev_file:chr_file { create setattr };
# Touchscreen wake_gesture
type sysfs_tap_to_wake, sysfs_type, fs_type;
type sysfs_touchpanel, fs_type, sysfs_type;
type proc_dt2w, fs_type, proc_type;
type thermal_data_file, file_type, data_file_type;
# Fingerprint
type fingerprintd_device, file_type, dev_type;
@ -21,7 +15,10 @@ type hall_dev, sysfs_type, fs_type;
# Kcal
type kcal_dev, sysfs_type, fs_type;
type thermal_data_file, file_type, data_file_type;
# Touchscreen wake_gesture
type proc_dt2w, fs_type, proc_type;
type sysfs_tap_to_wake, sysfs_type, fs_type;
type sysfs_touchpanel, fs_type, sysfs_type;
# XiamiParts
type sysfs_fpsinfo, sysfs_type, fs_type;


@ -1,83 +1,89 @@
# Amplifier
/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
# Biometric
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
# blkio
/dev/blkio(/.*)? u:object_r:blkio_dev:s0
# Goodix Fingerprint
/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
/persist/data/gf* u:object_r:fingerprint_data_file:s0
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# FPC Fingerprint
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0
/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0
# Hall Switch
/sys/module/hall/parameters(/.*)? u:object_r:hall_dev:s0
/dev/blkio(/.*)? u:object_r:blkio_dev:s0
/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
# Firmware
/firmware u:object_r:firmware_file:s0
/bt_firmware u:object_r:bt_firmware_file:s0
/firmware u:object_r:firmware_file:s0
/bt_firmware u:object_r:bt_firmware_file:s0
# Amplifier
/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
# FPC Fingerprint
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0
/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0
# Goodix Fingerprint
/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
/persist/data/gf* u:object_r:fingerprint_data_file:s0
/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# Hall Switch
/sys/module/hall/parameters(/.*)? u:object_r:hall_dev:s0
# HVDCP
/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
# HW Info
/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0
/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0
/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0
/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0
# IR
/dev/lirc0 u:object_r:spidev_device:s0
/dev/spidev7.1 u:object_r:spidev_device:s0
/dev/lirc0 u:object_r:spidev_device:s0
/dev/spidev7.1 u:object_r:spidev_device:s0
# Kcal
/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
# Notification LED
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
# Light HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
# Mlipay
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
# Notification LED
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
# Misc
/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
# Persist
/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
/persist u:object_r:mnt_vendor_file:s0
# Shell Script
/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
# Tap to Wake
/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0
/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0
/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0
/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
# Video4linux sysfs nodes
/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
# USB
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
/vendor/bin/sh u:object_r:vendor_shell_exec:s0
# Service HALs
/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
# Tap to Wake
/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0
/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0
/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0
/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
# USB
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
# Video4linux sysfs nodes
/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
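Review bot: Several entries carried over by the re-sort cannot label anything. `/persist/data/gf*` is a regular expression, not a glob, so it matches only `/persist/data/g` followed by zero or more `f`; `/persist/data/gf.*` is presumably what was meant. The two `# Notification LED` paths start at `/devices/...` without the `/sys` prefix and so never match an absolute path, and the `/proc/...` tap-to-wake entries need `genfscon proc` lines, because procfs nodes are labelled from genfs_contexts rather than file_contexts. The dots in `/dev/spidev7.1` and `mlipayd@1.1` are unescaped and match any character.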


@ -1,6 +1,10 @@
# Battery
genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0
# Camera
genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
# Fingerprint
genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:fingerprint_sysfs:s0
genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:fingerprint_sysfs:s0
@ -17,21 +21,16 @@ genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:finge
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb2 u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb3 u:object_r:sysfs_graphics:s0
# Camera
genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
# Touchscreen
genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
# LED
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
# Touchscreen
genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
# XiaomiParts
genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0


@ -1,4 +1,5 @@
allow hal_audio_default diag_device:chr_file { read write };
allow hal_audio_default sysfs:dir r_dir_perms;
allow hal_audio_default sysfs_info:file { open getattr read };
allow hal_audio_default vendor_data_file:dir { create write add_name };
allow hal_audio_default vendor_data_file:file { append create getattr open read };
allow hal_audio_default sysfs:dir r_dir_perms;
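Review bot: `allow hal_audio_default diag_device:chr_file { read write };` is granted unconditionally, which leaves the diagnostic device reachable from the audio HAL on user builds; the same rule for `hal_sensors_default` sits in the sensors hunk further down. If the access is only needed for debugging, wrap both in `userdebug_or_eng(...)` so that release builds drop them. The `vendor_data_file:dir { create write add_name }` rule also writes under the generic vendor data label, and a dedicated type for the audio directory would keep other vendor data out of reach.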


@ -1,13 +1,14 @@
binder_call(hal_camera_default, hal_configstore_default)
binder_call(hal_camera_default, hal_graphics_allocator_default)
typeattribute hal_camera_default data_between_core_and_vendor_violators;
allow hal_camera_default sysfs:file { getattr open read };
allow hal_camera_default sysfs_kgsl:file r_file_perms;
allow hal_camera_default media_rw_data_file:file { getattr };
allow hal_camera_default camera_data_file:dir w_dir_perms;
allow hal_camera_default camera_data_file:file create_file_perms;
allow hal_camera_default media_rw_data_file:file { getattr };
allow hal_camera_default sysfs:file { getattr open read };
allow hal_camera_default sysfs_kgsl:dir search;
allow hal_camera_default sysfs_kgsl:file r_file_perms;
allow hal_camera_default vendor_video_prop:file r_file_perms;
binder_call(hal_camera_default, hal_configstore_default)
binder_call(hal_camera_default, hal_graphics_allocator_default)
set_prop(hal_camera_default, exported_camera_prop)
set_prop(hal_camera_default, vendor_camera_prop)
set_prop(hal_camera_default, vendor_video_prop)
typeattribute hal_camera_default data_between_core_and_vendor_violators;


@ -1,7 +1,6 @@
type hal_fingerprint_sdm660, domain;
hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
type hal_fingerprint_sdm660_exec, exec_type, vendor_file_type, file_type;
hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
init_daemon_domain(hal_fingerprint_sdm660)
allow hal_fingerprint_sdm660 {
@ -13,43 +12,35 @@ allow hal_fingerprint_sdm660 {
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# hal_fingerprint no longer directly accesses fingerprintd_data_file.
typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
# access to /data/system/users/[0-9]+/fpdata
# access to /data/system/users/[0-9]+/fpdata
allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms;
allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms;
allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
allow hal_fingerprint_sdm660 fingerprint_sysfs:lnk_file read;
allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
allow hal_fingerprint_sdm660 media_rw_data_file:dir search;
allow hal_fingerprint_sdm660 mnt_user_file:dir search;
allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
allow hal_fingerprint_sdm660 rootfs:dir read;
allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms;
allow hal_fingerprint_sdm660 system_data_file:file r_file_perms;
allow hal_fingerprint_sdm660 sysfs_devfreq:dir search;
allow hal_fingerprint_sdm660 sysfs_sectouch:dir search;
allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
allow hal_fingerprint_sdm660 mnt_user_file:dir search;
allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
allow hal_fingerprint_sdm660 sdcardfs:dir search;
allow hal_fingerprint_sdm660 storage_file:dir search;
allow hal_fingerprint_sdm660 storage_file:lnk_file read;
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
allow hal_fingerprint_sdm660 rootfs:dir read;
allow hal_fingerprint_sdm660 vendor_mpctl_prop:file read;
allow hal_fingerprint_sdm660 vendor_fp_prop:property_service set;
allow hal_fingerprint_sdm660 vendor_fp_prop:file { getattr open read };
allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
binder_call(hal_fingerprint_sdm660, hal_perf_default)
r_dir_file(hal_fingerprint_sdm660, firmware_file)
set_prop(hal_fingerprint_sdm660, hal_fingerprint_prop)
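Review bot: After the re-sort the rule list still contains `allow hal_fingerprint_sdm660 system_data_file:file r_file_perms;`, which gives the fingerprint HAL read access to every file carrying the generic /data label, although the comment above mentions only the fpdata directory covered by `fingerprintd_data_file`. If a specific denial motivated it, label that path with its own type and drop the generic rule. The list also appears to repeat `hal_perf_hwservice:hwservice_manager find` and to express the netlink permission twice (`hal_fingerprint_sdm660:netlink_socket` and `self:netlink_socket`); the rendered page does not show which copies survive, and the `allow hal_fingerprint_sdm660 {` block opens outside this hunk.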


@ -1,16 +1,13 @@
type hal_mlipay_default, domain;
type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_mlipay_default)
hwbinder_use(hal_mlipay_default)
get_prop(hal_mlipay_default, hwservicemanager_prop)
add_hwservice(hal_mlipay_default, hal_mlipay_hwservice)
get_prop(hal_mlipay_default, hwservicemanager_prop)
init_daemon_domain(hal_mlipay_default)
hwbinder_use(hal_mlipay_default)
r_dir_file(hal_mlipay_default, firmware_file)
get_prop(hal_mlipay_default, hal_fingerprint_prop);
set_prop(hal_mlipay_default, mlipay_prop);
allow hal_mlipay_default tee_device:chr_file rw_file_perms;
allow hal_mlipay_default ion_device:chr_file r_file_perms;
r_dir_file(hal_mlipay_default, firmware_file)
set_prop(hal_mlipay_default, mlipay_prop);
get_prop(hal_mlipay_default, hal_fingerprint_prop);


@ -1,9 +1,8 @@
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default proc_dt2w:file rw_file_perms;
allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
# Allow writing to files in /proc/tp_gesture
allow hal_power_default proc:file rw_file_perms;
allow hal_power_default proc:dir search;
allow hal_power_default proc_dt2w:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:file rw_file_perms;
allow hal_power_default sysfs_touchpanel:dir search;
allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
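Review bot: `allow hal_power_default proc:file rw_file_perms;` grants write access to every procfs node that has no more specific label, while its comment says only /proc/tp_gesture is needed. A `genfscon proc /tp_gesture u:object_r:proc_dt2w:s0` entry next to the existing `/nvt_wake_gesture` one would let the existing `proc_dt2w:file rw_file_perms` rule cover it, and the two generic `proc` rules could then be removed.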


@ -1,3 +1,4 @@
allow hal_sensors_default diag_device:chr_file { read write };
allow hal_sensors_default sysfs:file { read open };
allow hal_sensors_default sysfs_info:file { read write };
set_prop(hal_sensors_default, camera_prop)


@ -1,11 +1,11 @@
vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0


@ -1,12 +1,13 @@
allow init blkio_dev:file { create open read write };
allow init hwservicemanager:binder { call transfer };
allow init ipa_dev:chr_file open;
allow init ion_device:chr_file ioctl;
allow init property_socket:sock_file write;
allow init persist_block_device:lnk_file relabelto;
allow init sysfs_dm:file { open write };
allow init vendor_default_prop:property_service set;
allow init sysfs_info:file { open read };
allow init sysfs:file setattr;
allow init persist_block_device:lnk_file relabelto;
allow init sysfs_graphics:file { open write };
allow init sysfs_battery_supply:file setattr;
allow init socket_device:sock_file { unlink setattr create };
allow init vendor_default_prop:property_service set;


@ -1,7 +1,7 @@
type hal_fingerprint_prop, property_type;
type ifaa_prop, property_type;
type mlipay_prop, property_type;
type vendor_fp_prop, property_type;
type ifaa_prop, property_type;
type vendor_camera_prop, property_type;
# Thermal engine

View file

@ -5,46 +5,42 @@ audio_hal.in_period_size u:object_r:vendor_default_prop:s0
audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
# Mlipay
persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
# Fingerprint
fpc_kpi u:object_r:vendor_default_prop:s0
gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
# Camera
camera. u:object_r:camera_prop:s0
cameradaemon.SaveMemAtBoot u:object_r:camera_prop:s0
cpp.set.clock u:object_r:camera_prop:s0
disable.cpp.power.collapse u:object_r:camera_prop:s0
persist.camera. u:object_r:camera_prop:s0
persist.vendor.camera. u:object_r:vendor_camera_prop:s0
camera. u:object_r:camera_prop:s0
cameradaemon.SaveMemAtBoot u:object_r:camera_prop:s0
cpp.set.clock u:object_r:camera_prop:s0
disable.cpp.power.collapse u:object_r:camera_prop:s0
persist.camera. u:object_r:camera_prop:s0
persist.vendor.camera. u:object_r:vendor_camera_prop:s0
vendor.camera.eis.gyro_name u:object_r:vendor_camera_prop:s0
vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0
# Thermal engine
persist.sys.thermal. u:object_r:thermal_engine_prop:s0
sys.thermal. u:object_r:thermal_engine_prop:s0
# vendor_default_prop
vendor.display.lcd_density u:object_r:vendor_default_prop:s0
# Media
gpu.stats.debug.level u:object_r:vendor_default_prop:s0
# MPCTL
sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
# Fingerprint
fpc_kpi u:object_r:vendor_default_prop:s0
gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
sys.fp. u:object_r:hal_fingerprint_prop:s0
ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
# Hall wakeup
persist.service.folio_daemon u:object_r:system_prop:s0
persist.service.folio_daemon u:object_r:system_prop:s0
# Fix for WLAN tethering offload
# SELinux : avc: denied { set } for property=wifi.active.interface pid=2918 uid=1010 gid=1010 scontext=u:r::s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
wifi.active.interface u:object_r:exported_wifi_prop:s0
# Media
gpu.stats.debug.level u:object_r:vendor_default_prop:s0
# Mlipay
persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
# MPCTL
sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
# Thermal engine
persist.sys.thermal. u:object_r:thermal_engine_prop:s0
sys.thermal. u:object_r:thermal_engine_prop:s0
# vendor_default_prop
vendor.display.lcd_density u:object_r:vendor_default_prop:s0


@ -1,5 +1,3 @@
binder_call(radio, cnd)
allow radio hal_datafactory_hwservice:hwservice_manager find;
binder_call(radio, cnd)
get_prop(radio, qcom_ims_prop)


@ -1,2 +1,2 @@
allow rild vendor_file:file ioctl;
allow rild qcom_ims_prop:file { getattr open read };
allow rild vendor_file:file ioctl;


@ -1,10 +1,10 @@
allow system_app vendor_default_prop:file { getattr open read };
allow system_app wificond:binder call;
allow system_app blkio_dev:dir search;
allow system_app hal_mlipay_default:binder call;
allow system_app kcal_dev:file rw_file_perms;
allow system_app kcal_dev:dir search;
allow system_app hall_dev:file rw_file_perms;
allow system_app hall_dev:dir search;
allow system_app kcal_dev:file rw_file_perms;
allow system_app kcal_dev:dir search;
allow system_app proc_vmallocinfo:file read;
allow system_app sysfs_thermal:file rw_file_perms;
allow system_app sysfs_thermal:dir search;
allow system_app sysfs_vibrator:file rw_file_perms;
@ -15,4 +15,7 @@ allow system_app sysfs_leds:dir search;
allow system_app sysfs_fpsinfo:file rw_file_perms;
allow system_app sysfs_headphonegain:file rw_file_perms;
allow system_app sysfs_micgain:file rw_file_perms;
allow system_app sysfs_zram:dir search;
allow system_app vendor_default_prop:file { getattr open read };
allow system_app wificond:binder call;
set_prop(system_app, system_prop);


@ -1,8 +1,12 @@
allow system_server vendor_keylayout_file:dir search;
allow system_server vendor_keylayout_file:file r_file_perms;
allow system_server blkio_dev:dir search;
allow system_server default_android_service:service_manager add;
allow system_server exported_camera_prop:file read;
allow system_server kernel:system syslog_read;
allow system_server sysfs_battery_supply:file rw_file_perms;
allow system_server sysfs_vibrator:file rw_file_perms;
allow system_server sysfs_rtc:file r_file_perms;
allow system_server thermal_service:service_manager find;
allow system_server userspace_reboot_exported_prop:file read;
allow system_server vendor_camera_prop:file { getattr open read };
allow system_server vendor_default_prop:file { getattr open read };
allow system_server thermal_service:service_manager find;
allow system_server sysfs_battery_supply:file rw_file_perms;
allow system_server vendor_keylayout_file:dir search;
allow system_server vendor_keylayout_file:file r_file_perms;
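Review bot: `allow system_server default_android_service:service_manager add;` lets system_server register services under the fallback label, which AOSP's base policy is expected to forbid with a neverallow, so this should only build with neverallow checks relaxed. Give the service its own `service_type` and a `service_contexts` entry and allow `add` on that type instead; the service name is not visible on this page. `allow system_server kernel:system syslog_read;` likewise looks like a denial copied from a log and deserves a comment stating which feature needs it.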


@ -1,6 +1,6 @@
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# tee no longer directly accesses /data owned by the frameworks.
typeattribute tee data_between_core_and_vendor_violators;
allow tee system_data_file:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
allow tee system_data_file:dir r_dir_perms;


@ -1,9 +1,8 @@
allow thermal-engine thermal_data_file:dir rw_dir_perms;
allow thermal-engine thermal_data_file:file create_file_perms;
allow thermal-engine property_socket:sock_file write;
allow thermal-engine sysfs:dir r_dir_perms;
allow thermal-engine self:capability { chown fowner };
allow thermal-engine property_socket:sock_file write;
allow thermal-engine thermal_data_file:dir rw_dir_perms;
allow thermal-engine thermal_data_file:file create_file_perms;
dontaudit thermal-engine self:capability dac_override;
set_prop(thermal-engine, thermal_engine_prop);
r_dir_file(thermal-engine sysfs_thermal)
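Review bot: `r_dir_file(thermal-engine sysfs_thermal)` is missing the comma between its two arguments, so the macro receives one argument and an empty second one. Whether the expansion still yields the intended rules depends on the macro body, which is not shown here; write it as `r_dir_file(thermal-engine, sysfs_thermal)`. `set_prop(thermal-engine, thermal_engine_prop);` also carries a trailing semicolon that most other macro calls in this commit omit.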


@ -1,7 +1,8 @@
allow ueventd kcal_dev:dir r_dir_perms;
allow ueventd kcal_dev:file rw_file_perms;
allow ueventd kcal_dev:lnk_file r_file_perms;
allow ueventd hall_dev:dir r_dir_perms;
allow ueventd hall_dev:file rw_file_perms;
allow ueventd hall_dev:lnk_file r_file_perms;
allow ueventd ir_dev_file:chr_file { create setattr };
allow ueventd kcal_dev:dir r_dir_perms;
allow ueventd kcal_dev:file rw_file_perms;
allow ueventd kcal_dev:lnk_file r_file_perms;
allow ueventd metadata_file:dir search;


@ -30,6 +30,7 @@ allow vendor_init {
}:property_service set;
set_prop(vendor_init, camera_prop)
set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, vendor_camera_prop)
set_prop(vendor_init, freq_prop)
set_prop(vendor_init, fm_prop)


@ -1,5 +1,4 @@
type vendor_toolbox, domain;
init_daemon_domain(vendor_toolbox)
# Allow vendor_toolbox to use sys_admin capability

1
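--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@@ -0,0 +1 @@
+allow zygote exported_camera_prop:file { read write };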
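Review bot: `write` on a property file is never needed, since properties are mapped read-only and changed through the property service, and AOSP's base policy is expected to reject it with a neverallow for every domain except init. As zygote is the parent of every app process, keep this to the read side with `get_prop(zygote, exported_camera_prop)`.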