diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
index 25a69d79..1c538ba3 100644
--- a/sepolicy/private/property_contexts
+++ b/sepolicy/private/property_contexts
@@ -1,2 +1 @@
-sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
-vendor.camera.aux.packageblacklist u:object_r:vendor_camera_prop:s0
+sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 6773cc2d..e0c3d8a9 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,6 +1,6 @@
 # Allow appdomain to get vendor_camera_prop
-get_prop(appdomain, vendor_camera_prop)
 binder_call({ appdomain -isolated_app }, hal_mlipay_default)
+get_prop(appdomain, vendor_camera_prop)
 get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
 get_prop({ appdomain -isolated_app }, ifaa_prop)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index 441f7134..b8c83d57 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,3 +1,3 @@
+type blkio_dev, dev_type;
 type fingerprint_device, dev_type;
 type spidev_device, dev_type;
-type blkio_dev, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index a42171d7..4995dfb3 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,14 +1,8 @@
-type ir_dev_file, file_type;
 type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
 type fingerprint_sysfs, fs_type, sysfs_type;
+type ir_dev_file, file_type;
 type sysfs_info, fs_type, sysfs_type;
-
-allow ueventd ir_dev_file:chr_file { create setattr };
-
-# Touchscreen wake_gesture
-type sysfs_tap_to_wake, sysfs_type, fs_type;
-type sysfs_touchpanel, fs_type, sysfs_type;
-type proc_dt2w, fs_type, proc_type;
+type thermal_data_file, file_type, data_file_type;
 
 # Fingerprint
 type fingerprintd_device, file_type, dev_type;
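Review bot: The comment `# Allow appdomain to get vendor_camera_prop` now sits above `binder_call({ appdomain -isolated_app }, hal_mlipay_default)` instead of the `get_prop(appdomain, vendor_camera_prop)` line it describes, so the sort separated the comment from its rule. Either move the comment down so it directly precedes `get_prop(appdomain, vendor_camera_prop)`, or drop it and add a short comment on the binder_call line explaining why every non-isolated app may call the mlipay HAL directly.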
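Review bot: `type ir_dev_file, file_type;` is re-added with only `file_type`, yet ueventd is granted `ir_dev_file:chr_file { create setattr }` in the ueventd.te hunk further down, i.e. the label is meant for a device node; the sibling node labels in device.te (`fingerprint_device`, `spidev_device`) carry `dev_type`, and a /dev label without it falls outside the platform's dev_type-wide rules and neverallow coverage. Consider declaring it as `type ir_dev_file, dev_type;` in device.te next to `spidev_device`, and confirm a file_contexts entry actually assigns it (none is visible in this diff; the IR nodes `/dev/lirc0` and `/dev/spidev7.1` are labeled `spidev_device`). In the second file.te hunk, `+# Touchscreen wake_gesture` directly follows `type kcal_dev, sysfs_type, fs_type;` with no blank line, unlike every other section header in the file.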
@@ -21,7 +15,10 @@ type hall_dev, sysfs_type, fs_type;
 
 # Kcal
 type kcal_dev, sysfs_type, fs_type;
-type thermal_data_file, file_type, data_file_type;
+# Touchscreen wake_gesture
+type proc_dt2w, fs_type, proc_type;
+type sysfs_tap_to_wake, sysfs_type, fs_type;
+type sysfs_touchpanel, fs_type, sysfs_type;
 
 # XiamiParts
 type sysfs_fpsinfo, sysfs_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 768c9b6a..ec3da935 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,83 +1,89 @@
+# Amplifier
+/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
+
 # Biometric
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_sdm660_exec:s0
 
 # blkio
-/dev/blkio(/.*)? u:object_r:blkio_dev:s0
-
-# Goodix Fingerprint
-/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
-/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
-/persist/data/gf* u:object_r:fingerprint_data_file:s0
-/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
-/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/dev/goodix_fp u:object_r:fingerprint_device:s0
-
-# FPC Fingerprint
-/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0
-/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
-/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0
-
-# Hall Switch
-/sys/module/hall/parameters(/.*)? u:object_r:hall_dev:s0
+/dev/blkio(/.*)? u:object_r:blkio_dev:s0
+/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
 
 # Firmware
-/firmware u:object_r:firmware_file:s0
-/bt_firmware u:object_r:bt_firmware_file:s0
+/firmware u:object_r:firmware_file:s0
+/bt_firmware u:object_r:bt_firmware_file:s0
 
-# Amplifier
-/(vendor|system/vendor)/bin/tinymix u:object_r:vendor_tinyalsa_exec:s0
+# FPC Fingerprint
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/(mnt/vendor)/persist/fpc(/.*)? u:object_r:persist_fingerprint_file:s0
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
+/sys/bus/platform/devices/soc:fingerprint_fpc(/.*)? u:object_r:fingerprint_sysfs:s0
+
+# Goodix Fingerprint
+/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
+/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
+/persist/data/gf* u:object_r:fingerprint_data_file:s0
+/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0
+/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+# Hall Switch
+/sys/module/hall/parameters(/.*)? u:object_r:hall_dev:s0
 
 # HVDCP
 /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
 
 # HW Info
-/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0
-/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0
+/sys/devices/platform/HardwareInfo(/.*)? u:object_r:sysfs_info:s0
+/sys/devices/platform/HardwareInfo/gsensor u:object_r:sysfs_info:s0
 
 # IR
-/dev/lirc0 u:object_r:spidev_device:s0
-/dev/spidev7.1 u:object_r:spidev_device:s0
+/dev/lirc0 u:object_r:spidev_device:s0
+/dev/spidev7.1 u:object_r:spidev_device:s0
 
 # Kcal
-/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
-/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
-
-# Notification LED
-/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
-/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
+/sys/devices/platform/kcal_ctrl.0(/.*)? u:object_r:kcal_dev:s0
+/sys/bus/platform/drivers/kcal_ctrl(/.*)? u:object_r:kcal_dev:s0
 
 # Light HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sdm660 u:object_r:hal_light_default_exec:s0
 
 # Mlipay
-/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+
+# Notification LED
+/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/max_brightness u:object_r:sysfs_graphics:s0
+/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white/brightness u:object_r:sysfs_graphics:s0
+
+
+# Misc
+/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0
 
 # Persist
 /persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
 /persist u:object_r:mnt_vendor_file:s0
 
 # Shell Script
-/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
-
-# Tap to Wake
-/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
-/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
-/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
-/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0
-/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0
-/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0
-/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0
-
-# Thermal
-/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
-
-# Video4linux sysfs nodes
-/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
-
-# USB
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
+/vendor/bin/sh u:object_r:vendor_shell_exec:s0
 
 # Service HALs
-/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.authsecret@1\.0-service u:object_r:hal_authsecret_default_exec:s0
+
+# Tap to Wake
+/sys/devices/soc/c177000.i2c/i2c-3/3-005d/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
+/sys/devices/soc/c177000.i2c/i2c-3/3-0038/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
+/proc/touchscreen/enable_dt2w u:object_r:sysfs_tap_to_wake:s0
+/sys/devices/soc/c175000\.i2c/i2c-1/1-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:sysfs_tap_to_wake:s0
+/proc/tp_gesture u:object_r:sysfs_tap_to_wake:s0
+/sys/touchpanel/double_tap u:object_r:sysfs_tap_to_wake:s0
+/proc/touchpanel/wake_gesture u:object_r:sysfs_tap_to_wake:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+
+# USB
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.xiaomi_sdm660 u:object_r:hal_usb_default_exec:s0
+
+# Video4linux sysfs nodes
+/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index b10b4326..ca02d5d1 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
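Review bot: The re-added `/proc/touchscreen/enable_dt2w`, `/proc/tp_gesture` and `/proc/touchpanel/wake_gesture` entries and the new `/sys/kernel/debug/mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0` line cannot take effect from file_contexts: procfs and debugfs do not accept security xattrs, so their labels come only from genfs_contexts, as the `genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0` line in this commit already does. That is presumably why hal_power_default.te still carries the blanket `allow hal_power_default proc:file rw_file_perms;` on the generic `proc` label; moving the /proc nodes to `genfscon proc /tp_gesture u:object_r:proc_dt2w:s0` (and the debugfs node to `genfscon debugfs /mmc0/mmc0:0001/ext_csd u:object_r:debugfs_mmc:s0`) would let that broad rule go. The `# Misc` section is placed after `# Notification LED`, breaking the alphabetical order this commit establishes, and is preceded by two blank lines. `/vendor/bin/sh u:object_r:vendor_shell_exec:s0` also uses a different path form from the rest of the file (`/(vendor|system/vendor)/bin/...`) and is likely already provided by the platform file_contexts — confirm before keeping it.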
@@ -1,6 +1,10 @@
 # Battery
 genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-001d u:object_r:sysfs_battery_supply:s0
 
+# Camera
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
+
 # Fingerprint
 genfscon sysfs /devices/soc/soc:fingerprint_fpc/device_prepare u:object_r:fingerprint_sysfs:s0
 genfscon sysfs /devices/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:fingerprint_sysfs:s0
@@ -17,21 +21,16 @@ genfscon sysfs /devices/soc/soc:fpc1020/wakeup_enable u:object_r:finge
 genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/virtual/graphics/fb2 u:object_r:sysfs_graphics:s0
-genfscon sysfs /devices/virtual/graphics/fb3 u:object_r:sysfs_graphics:s0
-
-# Camera
-genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@3/video4linux/video5/name u:object_r:sysfs_graphics:s0
-genfscon sysfs /camera_sensorid/sensorid u:object_r:sysfs_graphics:s0
-
-# Touchscreen
-genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
-genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
 
 # LED
 genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/button-backlight1 u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/white u:object_r:sysfs_graphics:s0
 
+# Touchscreen
+genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
+genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
+
 # XiaomiParts
 genfscon sysfs /devices/virtual/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
 genfscon sysfs /class/graphics/fb0/measured_fps u:object_r:sysfs_fpsinfo:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index 0c46a405..2be3f60b 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -1,4 +1,5 @@
+allow hal_audio_default diag_device:chr_file { read write };
+allow hal_audio_default sysfs:dir r_dir_perms;
 allow hal_audio_default sysfs_info:file { open getattr read };
 allow hal_audio_default vendor_data_file:dir { create write add_name };
 allow hal_audio_default vendor_data_file:file { append create getattr open read };
-allow hal_audio_default sysfs:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 8d1d20fa..b7a638a7 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,13 +1,14 @@
-binder_call(hal_camera_default, hal_configstore_default)
-binder_call(hal_camera_default, hal_graphics_allocator_default)
-typeattribute hal_camera_default data_between_core_and_vendor_violators;
-
-allow hal_camera_default sysfs:file { getattr open read };
-allow hal_camera_default sysfs_kgsl:file r_file_perms;
-
-allow hal_camera_default media_rw_data_file:file { getattr };
-
 allow hal_camera_default camera_data_file:dir w_dir_perms;
 allow hal_camera_default camera_data_file:file create_file_perms;
 
+allow hal_camera_default media_rw_data_file:file { getattr };
+allow hal_camera_default sysfs:file { getattr open read };
+allow hal_camera_default sysfs_kgsl:dir search;
+allow hal_camera_default sysfs_kgsl:file r_file_perms;
+allow hal_camera_default vendor_video_prop:file r_file_perms;
+binder_call(hal_camera_default, hal_configstore_default)
+binder_call(hal_camera_default, hal_graphics_allocator_default)
+set_prop(hal_camera_default, exported_camera_prop)
 set_prop(hal_camera_default, vendor_camera_prop)
+set_prop(hal_camera_default, vendor_video_prop)
+typeattribute hal_camera_default data_between_core_and_vendor_violators;
diff --git a/sepolicy/vendor/hal_fingerprint_sdm660.te b/sepolicy/vendor/hal_fingerprint_sdm660.te
index 88ed9f97..2cbe9886 100644
--- a/sepolicy/vendor/hal_fingerprint_sdm660.te
+++ b/sepolicy/vendor/hal_fingerprint_sdm660.te
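Review bot: `allow hal_audio_default diag_device:chr_file { read write };` opens the Qualcomm diag interface to the audio HAL in every build, and the same line is added for hal_sensors_default in the hal_sensors_default.te hunk. If the access is only needed for debug logging, wrap it in the `userdebug_or_eng(...)` macro so user builds do not carry it, and add a one-line comment naming the denial it resolves so the grant stays reviewable.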
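Review bot: `set_prop(hal_camera_default, exported_camera_prop)` lets a vendor HAL set a platform-defined property type rather than a vendor one; the platform's property neverallows restrict which non-core domains may set its exported property types, so confirm this compiles against the target's system policy and, if the HAL only needs to read the value, use `get_prop(hal_camera_default, exported_camera_prop)` instead. The same type is also granted to vendor_init (set), system_server (read) and zygote (read write) elsewhere in this commit; a one-line comment naming the property behind these grants would make them reviewable.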
@@ -1,7 +1,6 @@
 type hal_fingerprint_sdm660, domain;
-hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
-
 type hal_fingerprint_sdm660_exec, exec_type, vendor_file_type, file_type;
+hal_server_domain(hal_fingerprint_sdm660, hal_fingerprint)
 init_daemon_domain(hal_fingerprint_sdm660)
 
 allow hal_fingerprint_sdm660 {
@@ -13,43 +12,35 @@ allow hal_fingerprint_sdm660 {
 # TODO(b/36644492): Remove data_between_core_and_vendor_violators once
 # hal_fingerprint no longer directly accesses fingerprintd_data_file.
 typeattribute hal_fingerprint_sdm660 data_between_core_and_vendor_violators;
 
-# access to /data/system/users/[0-9]+/fpdata
+# access to /data/system/users/[0-9]+/fpdata
 allow hal_fingerprint_sdm660 fingerprintd_data_file:dir rw_dir_perms;
 allow hal_fingerprint_sdm660 fingerprintd_data_file:file create_file_perms;
 allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
-
 allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
 allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
 allow hal_fingerprint_sdm660 fingerprint_sysfs:lnk_file read;
 
+allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
+allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_sdm660 media_rw_data_file:dir search;
+allow hal_fingerprint_sdm660 mnt_user_file:dir search;
+allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
+allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
+allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
+allow hal_fingerprint_sdm660 rootfs:dir read;
+allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms;
 allow hal_fingerprint_sdm660 system_data_file:file r_file_perms;
 allow hal_fingerprint_sdm660 sysfs_devfreq:dir search;
 allow hal_fingerprint_sdm660 sysfs_sectouch:dir search;
-
-allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
-allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
-
-allow hal_fingerprint_sdm660 mnt_user_file:dir search;
-allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
 allow hal_fingerprint_sdm660 sdcardfs:dir search;
 allow hal_fingerprint_sdm660 storage_file:dir search;
 allow hal_fingerprint_sdm660 storage_file:lnk_file read;
-
-allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
-allow hal_fingerprint_sdm660 rootfs:dir read;
 allow hal_fingerprint_sdm660 vendor_mpctl_prop:file read;
-
 allow hal_fingerprint_sdm660 vendor_fp_prop:property_service set;
 allow hal_fingerprint_sdm660 vendor_fp_prop:file { getattr open read };
-allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };
-
-allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;
-
-allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
 
 binder_call(hal_fingerprint_sdm660, hal_perf_default)
-
 r_dir_file(hal_fingerprint_sdm660, firmware_file)
 set_prop(hal_fingerprint_sdm660, hal_fingerprint_prop)
diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te
index c6f721ca..94f632ff 100644
--- a/sepolicy/vendor/hal_mlipay_default.te
+++ b/sepolicy/vendor/hal_mlipay_default.te
@@ -1,16 +1,13 @@
 type hal_mlipay_default, domain;
-
 type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
 
-init_daemon_domain(hal_mlipay_default)
-hwbinder_use(hal_mlipay_default)
-get_prop(hal_mlipay_default, hwservicemanager_prop)
 add_hwservice(hal_mlipay_default, hal_mlipay_hwservice)
+get_prop(hal_mlipay_default, hwservicemanager_prop)
+init_daemon_domain(hal_mlipay_default)
+hwbinder_use(hal_mlipay_default)
+r_dir_file(hal_mlipay_default, firmware_file)
+get_prop(hal_mlipay_default, hal_fingerprint_prop);
+set_prop(hal_mlipay_default, mlipay_prop);
 
 allow hal_mlipay_default tee_device:chr_file rw_file_perms;
 allow hal_mlipay_default ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_mlipay_default, firmware_file)
-set_prop(hal_mlipay_default, mlipay_prop);
-
-get_prop(hal_mlipay_default, hal_fingerprint_prop);
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index 84daa506..2ed7de43 100644
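Review bot: `allow hal_fingerprint_sdm660 hal_fingerprint_sdm660:netlink_socket { create bind write read };` and `allow hal_fingerprint_sdm660 self:netlink_socket create_socket_perms_no_ioctl;` name the same subject and object (`self` is the domain itself), and the second already covers create, bind, read and write, so the first line is redundant and can be dropped. The bare `netlink_socket` class also says nothing about which netlink family the HAL opens; if it listens for uevents, the specific class (e.g. `netlink_kobject_uevent_socket`) is the narrower grant, so check the original denial before keeping the generic one.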
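Review bot: `get_prop(hal_mlipay_default, hal_fingerprint_prop);` and `set_prop(hal_mlipay_default, mlipay_prop);` carry a trailing `;` that no other macro invocation in this file or in this commit has; drop it for consistency, since the macro expansion already terminates its own statements. The re-sorted block is also not quite sorted (`init_daemon_domain` before `hwbinder_use`, and the two prop macros after `r_dir_file`), which is worth fixing while the file is being reordered anyway.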
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -1,9 +1,8 @@
-allow hal_power_default sysfs_touchpanel:file rw_file_perms;
-allow hal_power_default sysfs_touchpanel:dir search;
-
-allow hal_power_default proc_dt2w:file rw_file_perms;
-allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
-
 # Allow writing to files in /proc/tp_gesture
 allow hal_power_default proc:file rw_file_perms;
 allow hal_power_default proc:dir search;
+allow hal_power_default proc_dt2w:file rw_file_perms;
+
+allow hal_power_default sysfs_touchpanel:file rw_file_perms;
+allow hal_power_default sysfs_touchpanel:dir search;
+allow hal_power_default sysfs_tap_to_wake:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index cca11199..a0d7974c 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,3 +1,4 @@
+allow hal_sensors_default diag_device:chr_file { read write };
 allow hal_sensors_default sysfs:file { read open };
 allow hal_sensors_default sysfs_info:file { read write };
 set_prop(hal_sensors_default, camera_prop)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index fb3d0e41..f8c69de4 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,11 +1,11 @@
-vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
-vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
-com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
-com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
-vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 11e72db5..d63739f2 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -1,12 +1,13 @@
+allow init blkio_dev:file { create open read write };
 allow init hwservicemanager:binder { call transfer };
 allow init ipa_dev:chr_file open;
 allow init ion_device:chr_file ioctl;
 allow init property_socket:sock_file write;
+allow init persist_block_device:lnk_file relabelto;
 allow init sysfs_dm:file { open write };
-allow init vendor_default_prop:property_service set;
 allow init sysfs_info:file { open read };
 allow init sysfs:file setattr;
-allow init persist_block_device:lnk_file relabelto;
 allow init sysfs_graphics:file { open write };
 allow init sysfs_battery_supply:file setattr;
 allow init socket_device:sock_file { unlink setattr create };
+allow init vendor_default_prop:property_service set;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index d2b57a69..77f4d8ab 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,7 +1,7 @@
 type hal_fingerprint_prop, property_type;
+type ifaa_prop, property_type;
 type mlipay_prop, property_type;
 type vendor_fp_prop, property_type;
-type ifaa_prop, property_type;
 type vendor_camera_prop, property_type;
 
 # Thermal engine
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index aab45329..67f32566 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
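Review bot: The re-sorted list keeps the three duplicated entries — `com.fingerprints.extension::IFingerprintEngineering`, `::IFingerprintNavigation` and `::IFingerprintSensorTest` each appear twice with the same `hal_fingerprint_hwservice` label; since the commit rewrites every line anyway, this is the moment to delete the second copies. Sorting by interface name within the `com.fingerprints.extension::` group (Calibration, Engineering, Navigation, SenseTouch, SensorTest) would also make the order deterministic rather than the current mixed one.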
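Review bot: `allow init blkio_dev:file { create open read write };` grants init file creation under a label that device.te declares as `dev_type`, while the file_contexts hunk assigns it to `/dev/blkio(/.*)?` and `/dev/blkio/background(/.*)?`; if /dev/blkio is the blkio cgroup mount, which the `background` subdirectory suggests, a cgroup filesystem is labeled by the platform's cgroup handling and not by restorecon of a `dev_type` label, so confirm on a device (e.g. `ls -Z /dev/blkio`) that this label is actually applied before relying on the rule. If it is, a short comment naming what init creates and writes there would make the `create`/`write` grant reviewable.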
@@ -5,46 +5,42 @@ audio_hal.in_period_size u:object_r:vendor_default_prop:s0
 audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
 persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
 
-# Mlipay
-persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
-persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
-
-# Fingerprint
-fpc_kpi u:object_r:vendor_default_prop:s0
-gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
-persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
-ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
-sys.fp. u:object_r:hal_fingerprint_prop:s0
-ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
-persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
-
 # Camera
-camera. u:object_r:camera_prop:s0
-cameradaemon.SaveMemAtBoot u:object_r:camera_prop:s0
-cpp.set.clock u:object_r:camera_prop:s0
-disable.cpp.power.collapse u:object_r:camera_prop:s0
-persist.camera. u:object_r:camera_prop:s0
-persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+camera. u:object_r:camera_prop:s0
+cameradaemon.SaveMemAtBoot u:object_r:camera_prop:s0
+cpp.set.clock u:object_r:camera_prop:s0
+disable.cpp.power.collapse u:object_r:camera_prop:s0
+persist.camera. u:object_r:camera_prop:s0
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera.eis.gyro_name u:object_r:vendor_camera_prop:s0
 vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0
 
-# Thermal engine
-persist.sys.thermal. u:object_r:thermal_engine_prop:s0
-sys.thermal. u:object_r:thermal_engine_prop:s0
-
-# vendor_default_prop
-vendor.display.lcd_density u:object_r:vendor_default_prop:s0
-
-# Media
-gpu.stats.debug.level u:object_r:vendor_default_prop:s0
-
-# MPCTL
-sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
+# Fingerprint
+fpc_kpi u:object_r:vendor_default_prop:s0
+gf.debug.dump_data u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp. u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fp. u:object_r:hal_fingerprint_prop:s0
+sys.fp. u:object_r:hal_fingerprint_prop:s0
+ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
 
 # Hall wakeup
-persist.service.folio_daemon u:object_r:system_prop:s0
+persist.service.folio_daemon u:object_r:system_prop:s0
 
-# Fix for WLAN tethering offload
-# SELinux : avc: denied { set } for property=wifi.active.interface pid=2918 uid=1010 gid=1010 scontext=u:r::s0 tcontext=u:object_r:default_prop:s0 tclass=property_service
-wifi.active.interface u:object_r:exported_wifi_prop:s0
+# Media
+gpu.stats.debug.level u:object_r:vendor_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay. u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+
+# MPCTL
+sys.post_boot.parsed u:object_r:vendor_mpctl_prop:s0
+
+# Thermal engine
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
+
+# vendor_default_prop
+vendor.display.lcd_density u:object_r:vendor_default_prop:s0
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index deadaa11..c84eff05 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,5 +1,3 @@
-binder_call(radio, cnd)
-
 allow radio hal_datafactory_hwservice:hwservice_manager find;
-
+binder_call(radio, cnd)
 get_prop(radio, qcom_ims_prop)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 3fe8b2ee..7ec4f2d9 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,2 +1,2 @@
-allow rild vendor_file:file ioctl;
 allow rild qcom_ims_prop:file { getattr open read };
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index 4261d26b..6f1ce2bf 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -1,10 +1,10 @@
-allow system_app vendor_default_prop:file { getattr open read };
-allow system_app wificond:binder call;
+allow system_app blkio_dev:dir search;
 allow system_app hal_mlipay_default:binder call;
-allow system_app kcal_dev:file rw_file_perms;
-allow system_app kcal_dev:dir search;
 allow system_app hall_dev:file rw_file_perms;
 allow system_app hall_dev:dir search;
+allow system_app kcal_dev:file rw_file_perms;
+allow system_app kcal_dev:dir search;
+allow system_app proc_vmallocinfo:file read;
 allow system_app sysfs_thermal:file rw_file_perms;
 allow system_app sysfs_thermal:dir search;
 allow system_app sysfs_vibrator:file rw_file_perms;
@@ -15,4 +15,7 @@ allow system_app sysfs_leds:dir search;
 allow system_app sysfs_fpsinfo:file rw_file_perms;
 allow system_app sysfs_headphonegain:file rw_file_perms;
 allow system_app sysfs_micgain:file rw_file_perms;
+allow system_app sysfs_zram:dir search;
+allow system_app vendor_default_prop:file { getattr open read };
+allow system_app wificond:binder call;
 set_prop(system_app, system_prop);
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index 08454841..18145c4b 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
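Review bot: `allow system_app proc_vmallocinfo:file read;` gives every app running in the system_app domain read access to /proc/vmallocinfo, which the platform labels separately because it exposes kernel address-space layout; a comment should name the app and the denial that needs it, and if it is a single device-parts app, a dedicated app domain (or a `userdebug_or_eng(...)` wrapper if the read is only for debugging) is the narrower fix. Check the platform's neverallows on `proc_vmallocinfo` for app domains before keeping this in a user build.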
@@ -1,8 +1,12 @@
-allow system_server vendor_keylayout_file:dir search;
-allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server blkio_dev:dir search;
+allow system_server default_android_service:service_manager add;
+allow system_server exported_camera_prop:file read;
+allow system_server kernel:system syslog_read;
+allow system_server sysfs_battery_supply:file rw_file_perms;
 allow system_server sysfs_vibrator:file rw_file_perms;
-allow system_server sysfs_rtc:file r_file_perms;
+allow system_server thermal_service:service_manager find;
+allow system_server userspace_reboot_exported_prop:file read;
 allow system_server vendor_camera_prop:file { getattr open read };
 allow system_server vendor_default_prop:file { getattr open read };
-allow system_server thermal_service:service_manager find;
-allow system_server sysfs_battery_supply:file rw_file_perms;
+allow system_server vendor_keylayout_file:dir search;
+allow system_server vendor_keylayout_file:file r_file_perms;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 0a124bc7..7d3fa5d4 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -1,6 +1,6 @@
 # TODO(b/36644492): Remove data_between_core_and_vendor_violators once
 # tee no longer directly accesses /data owned by the frameworks.
 typeattribute tee data_between_core_and_vendor_violators;
-allow tee system_data_file:dir r_dir_perms;
 allow tee fingerprintd_data_file:dir rw_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index 3dcbe674..31a69f5b 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
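Review bot: `allow system_server default_android_service:service_manager add;` means a service that system_server registers has no entry in service_contexts and falls through to the catch-all label; the fix is to add that service name to service_contexts with a proper platform or device service type rather than to permit registration under `default_android_service`, which the platform policy treats as the unlabeled bucket and, to my recollection, neverallows additions to — so this line may not even build against the system policy. `allow system_server kernel:system syslog_read;` and `allow system_server exported_camera_prop:file read;` would also read better with a comment naming the feature or denial behind them, and the old `sysfs_rtc:file r_file_perms` line disappears here without mention, which is worth confirming as intentional.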
@@ -1,9 +1,8 @@
-allow thermal-engine thermal_data_file:dir rw_dir_perms;
-allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine property_socket:sock_file write;
 allow thermal-engine sysfs:dir r_dir_perms;
 allow thermal-engine self:capability { chown fowner };
-allow thermal-engine property_socket:sock_file write;
+allow thermal-engine thermal_data_file:dir rw_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
 dontaudit thermal-engine self:capability dac_override;
-
 set_prop(thermal-engine, thermal_engine_prop);
 r_dir_file(thermal-engine sysfs_thermal)
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
index af24dc13..b64089c1 100644
--- a/sepolicy/vendor/ueventd.te
+++ b/sepolicy/vendor/ueventd.te
@@ -1,7 +1,8 @@
-allow ueventd kcal_dev:dir r_dir_perms;
-allow ueventd kcal_dev:file rw_file_perms;
-allow ueventd kcal_dev:lnk_file r_file_perms;
 allow ueventd hall_dev:dir r_dir_perms;
 allow ueventd hall_dev:file rw_file_perms;
 allow ueventd hall_dev:lnk_file r_file_perms;
+allow ueventd ir_dev_file:chr_file { create setattr };
+allow ueventd kcal_dev:dir r_dir_perms;
+allow ueventd kcal_dev:file rw_file_perms;
+allow ueventd kcal_dev:lnk_file r_file_perms;
 allow ueventd metadata_file:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 6a8f7aa6..43260e63 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -30,6 +30,7 @@ allow vendor_init {
 }:property_service set;
 
 set_prop(vendor_init, camera_prop)
+set_prop(vendor_init, exported_camera_prop)
 set_prop(vendor_init, vendor_camera_prop)
 set_prop(vendor_init, freq_prop)
 set_prop(vendor_init, fm_prop)
diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te
index 25c9c34b..13b2a4cb 100644
--- a/sepolicy/vendor/vendor_toolbox.te
+++ b/sepolicy/vendor/vendor_toolbox.te
@@ -1,5 +1,4 @@
 type vendor_toolbox, domain;
-
 init_daemon_domain(vendor_toolbox)
 
 # Allow vendor_toolbox to use sys_admin capability
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
new file mode 100644
index 00000000..4f4f5983
--- /dev/null
+++ b/sepolicy/vendor/zygote.te
@@ -0,0 +1 @@
+allow zygote exported_camera_prop:file { read write };
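Review bot: `allow zygote exported_camera_prop:file { read write };` grants `write` on a property file, which no domain other than init legitimately needs — properties are changed through property_service (`set_prop`) and the property area is mapped read-only, and the platform policy, to my recollection, neverallows direct writes to `property_type` files by other domains, so this may fail to build. Use `get_prop(zygote, exported_camera_prop)` instead, which grants exactly the read-side permission set a consumer needs. Since zygote is a core domain, a one-line comment naming the denial that prompted a vendor override here would help the next reviewer.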