diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te index 197a74e..cbee924 100644 --- a/sepolicy/audioserver.te +++ b/sepolicy/audioserver.te @@ -2,8 +2,8 @@ unix_socket_connect(audioserver, property, rild) # /efs/maxim -allow audioserver { efs_file sec_efs_file }:dir r_dir_perms; -allow audioserver { efs_file sec_efs_file }:file r_file_perms; +r_dir_file(audioserver, efs_file); +r_dir_file(audioserver, sec_efs_file); # TFA98xx amplifier allow audioserver amplifier_device:chr_file rw_file_perms; diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te index c4dea7e..4a80b40 100644 --- a/sepolicy/bluetooth.te +++ b/sepolicy/bluetooth.te @@ -1,8 +1,6 @@ -# /dev/ttySAC0 -allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl }; - -# wcnss_filter -allow bluetooth wcnss_filter:unix_stream_socket connectto; +# /dev/ttySAC3 +allow bluetooth bluetooth_device:chr_file rw_file_perms ; +allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms; # /data/.cid.info allow bluetooth wifi_data_file:file r_file_perms; diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te index 302d5e0..85e7a11 100644 --- a/sepolicy/cameraserver.te +++ b/sepolicy/cameraserver.te @@ -2,17 +2,11 @@ allow cameraserver camera_device:chr_file rw_file_perms; # /sys/devices/virtual/camera/*/*_camfw -allow cameraserver sysfs_camera:file rw_file_perms; - -# searching for syses nodes allow cameraserver sysfs_camera:dir search; +allow cameraserver sysfs_camera:file rw_file_perms; # /data/camera/ISP_CV allow cameraserver camera_data_file:file r_file_perms; # /data/media(/.*)? -allow cameraserver media_rw_data_file:dir r_dir_perms; -allow cameraserver media_rw_data_file:file r_file_perms; - -# sysfs_virtual -allow cameraserver sysfs_virtual:dir search; +r_dir_file(cameraserver, media_rw_data_file); diff --git a/sepolicy/charger.te b/sepolicy/charger.te index 61e5af8..52e3cd5 100644 --- a/sepolicy/charger.te +++ b/sepolicy/charger.te 
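Review bot: The new `allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;` in the bluetooth.te hunk duplicates the identical rule this commit adds to hal_bluetooth_default.te, and the line above it carries a stray space before the semicolon (`rw_file_perms ;`). Keep the HAL rule only in hal_bluetooth_default.te so each domain's grants live in one file, and write the remaining line as `allow bluetooth bluetooth_device:chr_file rw_file_perms;`. Whether the app-side `bluetooth` domain still needs to open the UART itself once the HAL has it is worth confirming; if not, that rule can go as well.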
@@ -1 +1 @@ -allow charger sysfs_charger:file { open read getattr }; +allow charger sysfs_usb_supply:file rw_file_perms; diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te index cf5bd38..de2cd2f 100644 --- a/sepolicy/cpboot-daemon.te +++ b/sepolicy/cpboot-daemon.te @@ -1,6 +1,6 @@ # modem daemon sec label -type cpboot-daemon, domain, coredomain; -type cpboot-daemon_exec, exec_type, file_type, system_file_type; +type cpboot-daemon, domain; +type cpboot-daemon_exec, exec_type, file_type, vendor_file_type; net_domain(cpboot-daemon) init_daemon_domain(cpboot-daemon) @@ -24,6 +24,8 @@ allow cpboot-daemon kmsg_device:chr_file rw_file_perms; allow cpboot-daemon mif_device:chr_file rw_file_perms; # /dev/mbin0 allow cpboot-daemon emmcblk_device:blk_file r_file_perms; +# /dev/spi_boot_link +allow cpboot-daemon radio_device:chr_file rw_file_perms; # /dev/block/mmcblk0p13 allow cpboot-daemon block_device:dir r_dir_perms; allow cpboot-daemon radio_block_device:blk_file r_file_perms; @@ -36,12 +38,12 @@ allow cpboot-daemon efs_file:dir r_dir_perms; # /efs/nv_data.bin allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms; +allow cpboot-daemon efs_file:file rw_file_perms; -# /sys/bus/usb/devices/1-2/idVendor -allow cpboot-daemon sysfs:file r_file_perms; - -# /proc/cmdline +# /proc permissions allow cpboot-daemon proc_cmdline:file r_file_perms; +allow cpboot-daemon proc_dt_firmware:dir search; +allow cpboot-daemon proc_dt_firmware:file { open read }; # set properties on boot set_prop(cpboot-daemon, cpboot-daemon_prop) diff --git a/sepolicy/domain.te b/sepolicy/domain.te deleted file mode 100644 index c8d8d53..0000000 --- a/sepolicy/domain.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit domain kernel:system module_request; diff --git a/sepolicy/file.te b/sepolicy/file.te index 5e76bd6..08b2666 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te 
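Review bot: The charger.te replacement widens charger from `{ open read getattr }` on `sysfs_charger` to `rw_file_perms` on `sysfs_usb_supply`, so the charger binary gains write, append and ioctl on every power-supply node the new genfs_contexts entries label. If charger only reads battery state, `allow charger sysfs_usb_supply:file r_file_perms;` preserves the previous scope. The genfs entries label the `power_supply` directory itself, so `allow charger sysfs_usb_supply:dir search;` is presumably also needed unless charger already gets it from a broader sysfs rule outside this diff.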
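Review bot: `allow cpboot-daemon efs_file:file rw_file_perms;` in the `@@ -36,12 +38,12 @@` hunk of cpboot-daemon.te grants read/write on everything carrying the generic `efs_file` label, whereas the line directly above it uses the dedicated `bin_nv_data_efs_file` type for `/efs/nv_data.bin`. If a specific file under /efs is needed, give it its own type in file.te and file_contexts as the other efs entries do, or at least narrow to `r_file_perms` if the daemon only reads it. The new comment `# /proc permissions` also drops the path-naming convention the rest of the file follows; `# /proc/cmdline, /proc/device-tree` would keep it.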
@@ -4,6 +4,7 @@ type battery_efs_file, file_type; type baro_delta_factoryapp_efs_file, file_type; type bin_nv_data_efs_file, file_type; type sec_efs_file, file_type; + # widewine, drm type cpk_efs_file, file_type; type drm_efs_file, file_type; 
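Review bot: The added comment `# widewine, drm` misspells the DRM vendor that the `cpk_efs_file` and `drm_efs_file` types below it refer to; `# widevine, drm` is the intended name.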
@@ -14,29 +15,39 @@ type radio_factoryapp_efs_file, file_type; type sensor_efs_file, file_type; type sensor_factoryapp_efs_file, file_type; type wifi_efs_file, file_type; + # gps type gps_data_file, file_type, data_file_type, core_data_file_type; type gps_socket, file_type; -### data types -type display_vendor_data_file, file_type, data_file_type; +# proc +type proc_vm, fs_type, proc_type; +type proc_dt_firmware, fs_type, proc_type; +type proc_reset_reason, fs_type, proc_type; +type proc_simslot_count, fs_type, proc_type; +type proc_input_devices, fs_type, proc_type; +type proc_sec, fs_type, proc_type; ### sysfs types +#type sysfs_writable, fs_type, sysfs_type, mlstrustedobject; type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject; type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject; type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject; -type sysfs_sec, fs_type, sysfs_type, mlstrustedobject; +type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject; +type sysfs_sensors, fs_type, sysfs_type, fs_type, mlstrustedobject; +type sysfs_input, fs_type, sysfs_type, fs_type, mlstrustedobject; type sysfs_camera, fs_type, sysfs_type, mlstrustedobject; -type sysfs_charger, fs_type, sysfs_type, mlstrustedobject; type sysfs_gps, fs_type, sysfs_type, mlstrustedobject; -type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject; -type sysfs_input, fs_type, sysfs_type, mlstrustedobject; -type sysfs_svc, fs_type, sysfs_type, mlstrustedobject; -type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject; -type sysfs_modem, fs_type, sysfs_type, mlstrustedobject; -type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject; +type sysfs_light, fs_type, sysfs_type, mlstrustedobject; +type sysfs_wifi, fs_type, sysfs_type, mlstrustedobject; +type sysfs_usb_supply, sysfs_type, fs_type, mlstrustedobject; +type sysfs_mmc, sysfs_type, fs_type, mlstrustedobject; +type sysfs_graphics, sysfs_type, fs_type, mlstrustedobject; +type sysfs_ion, sysfs_type, fs_type, mlstrustedobject; +type 
sysfs_block, sysfs_type, fs_type, mlstrustedobject; +type sysfs_jack, sysfs_type, fs_type, mlstrustedobject; +type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject; +type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject; -# file -type mobicore_data_file, file_type, data_file_type, core_data_file_type; - -allow sysfs_type tmpfs:filesystem associate; +### data types +type display_vendor_data_file, file_type, data_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 6efd1a8..7ceb0ea 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,11 +1,12 @@ ########################## # Devices +# /dev/mali[0-9]* u:object_r:gpu_device:s0 /dev/bcm2079x u:object_r:nfc_device:s0 /dev/sec-nfc u:object_r:nfc_device:s0 -/dev/ttySAC0 u:object_r:bluetooth_device:s0 +/dev/ttySAC3 u:object_r:bluetooth_device:s0 /dev/s5p-smem u:object_r:secmem_device:s0 /dev/mobicore u:object_r:tee_device:s0 
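Review bot: `type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;` lists the `fs_type` attribute twice, and the new `sysfs_sensors` and `sysfs_input` declarations repeat the same duplication; `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;` matches the surrounding declarations. The commented-out `#type sysfs_writable, ...` line has no live user (its only references are the commented-out file_contexts entries in this same commit) and should be dropped rather than carried forward as dead policy. The removal of `allow sysfs_type tmpfs:filesystem associate;` is not explained; if nothing on this device still associates sysfs-labelled nodes with tmpfs that is fine, but it is worth confirming before the rule disappears.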
@@ -16,24 +17,25 @@ /dev/media[0-3]* u:object_r:camera_device:s0 /dev/m2m1shot_jpeg u:object_r:camera_device:s0 -/dev/mtp_usb* u:object_r:mtp_device:s0 - /dev/__cbd_msg_ u:object_r:mif_device:s0 /dev/umts.* u:object_r:mif_device:s0 /dev/ehci_power u:object_r:mif_device:s0 /dev/mipi-lli/lli_control u:object_r:mif_device:s0 /dev/gnss_ipc u:object_r:gps_device:s0 -/dev/ttySAC[1-9]* u:object_r:gps_device:s0 +/dev/ttySAC[0-1]* u:object_r:gps_device:s0 + +/dev/block/vnswap0 u:object_r:sswap_device:s0 /dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0 /dev/block/mmcblk0p10 u:object_r:boot_block_device:s0 /dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0 -/dev/block/mmcblk0p13 u:object_r:radio_block_device:s0 -/dev/block/mmcblk0p19 u:object_r:system_block_device:s0 -/dev/block/mmcblk0p20 u:object_r:cache_block_device:s0 -/dev/block/mmcblk0p25 u:object_r:userdata_block_device:s0 +/dev/block/mmcblk0p14 u:object_r:radio_block_device:s0 +/dev/block/mmcblk0p17 u:object_r:frp_block_device:s0 +/dev/block/mmcblk0p20 u:object_r:system_block_device:s0 +/dev/block/mmcblk0p21 u:object_r:cache_block_device:s0 +/dev/block/mmcblk0p23 u:object_r:userdata_block_device:s0 /dev/rfkill u:object_r:rfkill_device:s0 @@ -46,12 +48,13 @@ /dev/ttyBCM[0-9]* u:object_r:bbd_device:s0 /dev/esfp0 u:object_r:fingerprint_device:s0 +/dev/vfsspi u:object_r:fingerprint_device:s0 /dev/batch_io u:object_r:sensor_device:s0 /dev/ssp_sensorhub u:object_r:sensor_device:s0 # TFA98xx amplifier -/dev/i2c-20 u:object_r:amplifier_device:s0 +/dev/i2c-0 u:object_r:amplifier_device:s0 # Knox status /dev/knox_kap u:object_r:knox_device:s0 @@ -79,7 +82,6 @@ /efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 /efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 /efs/wv\.keys u:object_r:cpk_efs_file:s0 - /cpefs(/.*)? u:object_r:sec_efs_file:s0 #################################### 
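Review bot: The boot, recovery, radio, frp, system, cache and userdata labels in this hunk rely on fixed numbers (`mmcblk0p14` … `mmcblk0p23`) while `/dev/block/mmcblk0p[0-9]*` above them catches everything else as `emmcblk_device`; a number that does not match the device's real partition table does not fail loudly, it just leaves that partition labelled `emmcblk_device`, which fsck is granted `rw_file_perms` plus ioctl on elsewhere in this commit. Confirm the new numbers against the partition layout before merging. Note also that `/dev/ttySAC2` is now matched by neither the gps (`ttySAC[0-1]*`) nor the bluetooth (`ttySAC3`) entry and falls back to the generic `device` label, and that the `/dev/mtp_usb*` label is removed without a replacement.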
@@ -87,17 +89,14 @@ /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/\.cid\.info u:object_r:wifi_data_file:s0 /data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0 - /data/misc/radio(/.*)? u:object_r:radio_data_file:s0 +/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0 # gps -/data/system/gps(/.*)? u:object_r:gps_data_file:s0 -/data/gps/ctrlpipe u:object_r:gps_data_file:s0 -/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0 -/data/gps/nmeapipe u:object_r:gps_data_file:s0 - -# mobicore -/data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0 +/data/system/gps(/.*)? u:object_r:gps_data_file:s0 +/data/gps/ctrlpipe u:object_r:gps_data_file:s0 +/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0 +/data/gps/nmeapipe u:object_r:gps_data_file:s0 /data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0 
@@ -106,25 +105,15 @@ #################################### # sysfs files -/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0 -/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs:s0 +#/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0 +#/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0 +#/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0 # bluetooth -/sys/devices/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 -/sys/devices/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0 -/sys/devices/bluetooth/extldo u:object_r:sysfs_bluetooth_writable:s0 - -# brightness -/sys/devices/[0-9]*\.dsim/backlight/panel/brightness u:object_r:sysfs_brightness:s0 -/sys/devices/[0-9]*\.dsim/backlight/panel/max_brightness u:object_r:sysfs_brightness:s0 - -# camera -/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0 - -# charger -/sys/devices/battery/power_supply(/.*) u:object_r:sysfs_charger:s0 -/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*) u:object_r:sysfs_charger:s0 -/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*) u:object_r:sysfs_charger:s0 +/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0 +/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/class/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0 # CP device /dev/spi_boot_link u:object_r:radio_device:s0 
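Review bot: The three `#/sys/... u:object_r:sysfs_writable:s0` lines added here are commented-out entries for a type that this same commit only declares as a comment in file.te, so they are dead configuration and should be removed rather than kept. The remaining `/sys/devices/bluetooth.[0-9]*/...` and `/sys/class/rfkill/...` entries only take effect if init runs `restorecon` on those paths, since sysfs is labelled through genfs_contexts by default; this commit already adds a genfs_contexts file for the other sysfs nodes, so labelling the rfkill nodes there too (e.g. `genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0`) keeps one mechanism and avoids depending on an init.rc step that is not visible here. AOSP's own genfs_contexts may already label `/sys/class/rfkill/rfkill0/{state,type}` this way, in which case those two lines are redundant.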
@@ -132,34 +121,11 @@ # cbd /sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0 -# livedisplay -/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0 - # gps -/sys/devices/soc0/machine u:object_r:sysfs_gps:s0 -/sys/devices/soc0/revision u:object_r:sysfs_gps:s0 - -# input -/sys/devices/i2c@20/i2c-6/6-0020/input/input0(/.*)? u:object_r:sysfs_input:s0 -/sys/devices/13890000.i2c/i2c-9/9-0048/input/input1(/.*)? u:object_r:sysfs_input:s0 -/sys/devices/10610000.hsi2c/i2c-0/0-a004/input/input2(/.*)? u:object_r:sysfs_input:s0 -/sys/devices/gpio_keys/input/input3(/.*)? u:object_r:sysfs_input:s0 -/sys/devices/hall/input/input4(/.*)? u:object_r:sysfs_input:s0 -/sys/devices/certify_hall/input/input5(/.*)? u:object_r:sysfs_input:s0 - -# lcd -/sys/devices/[0-9]*\.dsim/lcd/panel/adaptive_control u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/alpm u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/dpui u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/dpui_dbg u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/lcd_type u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/lux u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/manufacture_code u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/temperature u:object_r:sysfs_lcd:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/window_type u:object_r:sysfs_lcd:s0 - -# modem -/sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0 +/sys/class/sec/gps u:object_r:sysfs_gps:s0 +/sys/devices/soc0/machine u:object_r:sysfs_gps:s0 +/sys/devices/soc0/revision u:object_r:sysfs_gps:s0 +/sys/devices/139c0000.pinctrl/gpio/gpio137/value u:object_r:sysfs_gps:s0 # rild /sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp:s0 
@@ -167,42 +133,38 @@ /dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0 # mDNIe -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mdnie_ldu u:object_r:sysfs_mdnie:s0 -/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/whiteRGB u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0 -# sec -/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0 - -# svc -/sys/devices/svc(/.*)? u:object_r:sysfs_svc:s0 - -# virtual -/sys/devices/virtual(/.*)? u:object_r:sysfs_virtual:s0 +# Lights +/sys/devices/virtual/sec/sec_touchkey/brightness u:object_r:sysfs_light:s0 +/sys/devices/14800000.dsim/backlight/panel(/.*)? u:object_r:sysfs_light:s0 +/sys/class/leds(/.*)? u:object_r:sysfs_light:s0 +/sys/devices/virtual/sec/led(/.*)? u:object_r:sysfs_light:s0 +/sys/class/lcd/panel/power_reduce u:object_r:sysfs_light:s0 +/sys/devices/i2c.24/i2c-6/6-0030/leds(/.*)? 
u:object_r:sysfs_light:s0 +# Wifi +/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi:s0 #################################### # deamons # -/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.3-radio-service\.samsung u:object_r:hal_radio_default_exec:s0 -/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0 -/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service u:object_r:hal_gnss_default_exec:s0 +/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0 +/(vendor|system/vendor)/bin/modemloader u:object_r:modemloader_exec:s0 +/(vendor|system/vendor)/bin/wifiloader u:object_r:wifiloader_exec:s0 -/(vendor|system/vendor)/bin/cbd u:object_r:cpboot-daemon_exec:s0 -/(vendor|system/vendor)/bin/gpsd u:object_r:gpsd_exec:s0 -/(vendor|system/vendor)/bin/macloader u:object_r:macloader_exec:s0 -/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0 -/(vendor|system/vendor)/bin/modemloader u:object_r:modemloader_exec:s0 -/(vendor|system/vendor)/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0 -/(vendor|system/vendor)/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0 +/(vendor|system/vendor)/bin/cbd u:object_r:cpboot-daemon_exec:s0 +/(vendor|system/vendor)/bin/gpsd u:object_r:gpsd_exec:s0 +/(vendor|system/vendor)/bin/sswap 
u:object_r:sswap_exec:s0 + +/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0 + +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0 diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te new file mode 100644 index 0000000..81af2ba --- /dev/null +++ b/sepolicy/fingerprintd.te @@ -0,0 +1,16 @@ +# allow hal_fingerprint_default to communicate with various devices +binder_call(system_app, hal_fingerprint_default) + +# kernel fp device +allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; + +# secure memory device +allow hal_fingerprint_default secmem_device:chr_file rw_file_perms; + +# trust zone device +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default tee:unix_stream_socket connectto; + +# /data/biometrics/* +allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms; +allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te index be65ed3..6185843 100644 --- a/sepolicy/fsck.te +++ b/sepolicy/fsck.te @@ -1,2 +1,3 @@ -# /dev/block/mmcblk0p3 -allow fsck emmcblk_device:blk_file { read write open ioctl getattr }; +# /dev/block/mmcblk0p[0-9]* +allow fsck emmcblk_device:blk_file rw_file_perms; +allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET }; diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts new file mode 100644 index 0000000..3d7ffda --- /dev/null 
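Review bot: Removing `/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0` leaves `sysfs_sec` with no labelling rule at all, because the only genfs_contexts entry for it in this commit is commented out (`#genfscon sysfs /class/sec ...`); the `sysfs_sec` rules hal_light_default gains in hal_light_default.te are therefore dead and `/sys/class/sec` falls back to plain `sysfs`. Either re-enable the genfscon line or drop the type and its users. This hunk also drops the exec labels for the gnss, radio and nfc HAL services and for macloader, sensorhubservice and wcnss_filter, yet hal_gnss_default.te still receives new rules later in the commit; unless those binaries are labelled elsewhere, the gnss service will no longer transition into `hal_gnss_default` and those rules never apply.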
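Review bot: The new fingerprintd.te holds rules for `hal_fingerprint_default`, not for a `fingerprintd` domain, and they are the same rules this commit deletes from hal_fingerprint_default.te; splitting one domain across two files, one of them misnamed, makes later audits of that domain's grants error-prone. Keep these rules in hal_fingerprint_default.te next to the new `sysfs_input` lines and drop fingerprintd.te. `binder_call(system_app, hal_fingerprint_default)` lets any system_app talk to the HAL directly rather than through the fingerprint service; if only one app needs that, a dedicated domain for it would be tighter.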
+++ b/sepolicy/genfs_contexts 
@@ -0,0 +1,115 @@ +genfscon proc /device-tree u:object_r:proc_dt_firmware:s0 + +genfscon proc /sys/vm/dirty_ratio u:object_r:proc_vm:s0 +genfscon proc /sys/vm/dirty_bytes u:object_r:proc_vm:s0 +genfscon proc /sys/vm/dirty_background_bytes u:object_r:proc_vm:s0 +genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_vm:s0 + +genfscon proc /sys/vm/swappiness u:object_r:proc_vm:s0 +genfscon proc /sys/vm/vfs_cache_pressure u:object_r:proc_vm:s0 + +genfscon proc /reset_reason u:object_r:proc_reset_reason:s0 +genfscon proc /simslot_count u:object_r:proc_simslot_count:s0 + +genfscon proc /bus/input/devices u:object_r:proc_input_devices:s0 + +# SEC devices +genfscon proc /sec_log u:object_r:proc_sec:s0 +#genfscon sysfs /class/sec u:object_r:sysfs_sec:s0 + +# Power supply devices +genfscon sysfs /devices/battery.20/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/i2c.26/i2c-8/8-0034/s2mu003-charger/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0035/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/platform/htc_battery/power_supply/ps u:object_r:sysfs_usb_supply:s0 + +# Input devices +genfscon sysfs /devices/virtual/sec/sec_touchkey u:object_r:sysfs_input:s0 +genfscon sysfs /devices/virtual/sec/sec_key u:object_r:sysfs_input:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_input:s0 +genfscon sysfs /devices/virtual/secgpio_check u:object_r:sysfs_input:s0 +genfscon sysfs /devices/virtual/input u:object_r:sysfs_input:s0 + +# A3 power devices +genfscon sysfs /devices/i2c.21/i2c-4/4-0035/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0034/s2mu003-charger/power_supply u:object_r:sysfs_usb_supply:s0 + +# A3 Input devices +genfscon sysfs /devices/13850000.i2c/i2c-10/10-0050/input/input3 u:object_r:sysfs_input:s0 +genfscon sysfs /devices/i2c.23/i2c-5/5-0020/input/input2 u:object_r:sysfs_input:s0 + +# A5 power supply devices +genfscon sysfs 
/devices/battery.43/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/i2c.42/i2c-7/7-0071/power_supply u:object_r:sysfs_usb_supply:s0 +genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0049/sm5705-charger/power_supply u:object_r:sysfs_usb_supply:s0 + +# A5 Input devices +genfscon sysfs /devices/13850000.i2c/i2c-10/10-0020/input/input3 u:object_r:sysfs_input:s0 +genfscon sysfs /devices/i2c.20/i2c-4/4-0020/input/input2 u:object_r:sysfs_input:s0 +genfscon sysfs /devices/virtual/fingerprint/fingerprint u:object_r:sysfs_input:s0 + +# S5 NEO Input devices +genfscon sysfs /devices/13860000.i2c/i2c-11/11-0048/input/input2 u:object_r:sysfs_input:s0 +genfscon sysfs /devices/i2c.22/i2c-4/4-0020/input/input1 u:object_r:sysfs_input:s0 + +# SEC GPIO input devices +genfscon sysfs /class/secgpio_check/secgpio_check_all/gpioinit_check u:object_r:sysfs_input:s0 +genfscon sysfs /class/secgpio_check/secgpio_check_all/gpiosleep_check u:object_r:sysfs_input:s0 +genfscon sysfs /class/secgpio_check/secgpio_check_all/checked_sleepGPIO u:object_r:sysfs_input:s0 + +# Input booster +genfscon sysfs /class/input_booster/level u:object_r:sysfs_input:s0 +genfscon sysfs /class/input_booster/head u:object_r:sysfs_input:s0 +genfscon sysfs /class/input_booster/tail u:object_r:sysfs_input:s0 + +# Swap +genfscon sysfs /devices/virtual/block/vnswap0 u:object_r:sysfs_sswap:s0 + +# CPU/Scheduler devices +genfscon sysfs /power/cpufreq_table u:object_r:sysfs_devices_system_cpu:s0 +genfscon sysfs /power/cpufreq_min_limit u:object_r:sysfs_devices_system_cpu:s0 +genfscon sysfs /power/cpufreq_max_limit u:object_r:sysfs_devices_system_cpu:s0 + +genfscon sysfs /module/cpuidle/parameters/off u:object_r:sysfs_devices_system_cpu:s0 +genfscon sysfs /module/cpuidle_exynos64_smp/parameters/enable_mask u:object_r:sysfs_devices_system_cpu:s0 + +genfscon sysfs /module/workqueue/parameters/power_efficient u:object_r:sysfs_devices_system_cpu:s0 + +# Camera +genfscon sysfs /devices/virtual/camera 
u:object_r:sysfs_camera:s0 + +# GPS +genfscon sysfs /devices/virtual/sec/gps u:object_r:sysfs_gps:s0 + +# Audio sysfs +genfscon sysfs /devices/virtual/audio/earjack u:object_r:sysfs_jack:s0 + +# USB lun device +genfscon sysfs /devices/13580000.usb/gadget/lun0 u:object_r:sysfs_android_usb:s0 + +# MMC block device cache files +genfscon sysfs /devices/virtual/bdi/179:0/read_ahead_kb u:object_r:sysfs_block:s0 +genfscon sysfs /devices/virtual/bdi/179:32/read_ahead_kb u:object_r:sysfs_block:s0 + +# ION +genfscon sysfs /devices/virtual/ion_cma u:object_r:sysfs_ion:s0 + +# Sensors +genfscon sysfs /devices/virtual/sensors u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0028/iio:device0 u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0068/iio:device1 u:object_r:sysfs_sensors:s0 +genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-002e/iio:device2 u:object_r:sysfs_sensors:s0 + + +genfscon sysfs /devices/13540000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmc:s0 + +genfscon sysfs /devices/virtual/net/rmnet0 u:object_r:sysfs_net:s0 +genfscon sysfs /devices/virtual/net/rmnet1 u:object_r:sysfs_net:s0 +genfscon sysfs /devices/virtual/net/rmnet2 u:object_r:sysfs_net:s0 +genfscon sysfs /devices/virtual/net/rmnet3 u:object_r:sysfs_net:s0 + +genfscon sysfs /devices/14830000.decon_fb u:object_r:sysfs_graphics:s0 +genfscon sysfs /devices/14800000.dsim u:object_r:sysfs_graphics:s0 + +# video4linux +genfscon sysfs /devices/12800000.mfc0/video4linux u:object_r:sysfs_v4l:s0 diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te index d33bb17..60c4c2b 100644 --- a/sepolicy/gpsd.te +++ b/sepolicy/gpsd.te 
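Review bot: `sysfs_input` is applied in this file to very different nodes — touchscreen/touchkey, `secgpio_check`, `input_booster`, and `/devices/virtual/fingerprint/fingerprint` — and this commit grants `sysfs_input:file rw_file_perms` to hal_light_default, hal_power_default, hal_lineage_touch_default and hal_fingerprint_default alike, so each of them can write the fingerprint sensor's sysfs controls. Giving the fingerprint node its own type (e.g. `type sysfs_fingerprint, fs_type, sysfs_type;` with `genfscon sysfs /devices/virtual/fingerprint/fingerprint u:object_r:sysfs_fingerprint:s0`) and granting it only to hal_fingerprint_default keeps the other HALs at their current scope. The `/devices/platform/htc_battery/power_supply/ps` entry does not look like an Exynos/Samsung path and is presumably carried over from another tree; confirm it exists on a supported device or remove it.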
@@ -1,7 +1,7 @@ -type gpsd, domain, coredomain; -type gpsd_exec, exec_type, file_type, system_file_type; +type gpsd, domain; +type gpsd_exec, exec_type, file_type, vendor_file_type; -init_daemon_domain(gpsd); +init_daemon_domain(gpsd) # Automatically label files created in /data/system/gps as gps_data_file file_type_auto_trans(gpsd, system_data_file, gps_data_file) @@ -10,7 +10,7 @@ file_type_auto_trans(gpsd, system_data_file, gps_data_file) unix_socket_connect(gpsd, property, rild) unix_socket_connect(gpsd, property, netd) -allow gpsd system_server:unix_stream_socket { read write setopt }; +allow gpsd system_server:unix_stream_socket rw_socket_perms; binder_call(gpsd, system_server) binder_use(gpsd) 
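Review bot: `type gpsd, domain;` turns gpsd into a vendor domain, but the hunk keeps `file_type_auto_trans(gpsd, system_data_file, gps_data_file)` as a context line and the `binder_call(gpsd, system_server)` / `unix_socket_connect(gpsd, property, netd)` rules just below it, all of which are core-side resources; on Treble-era policy such combinations are typically rejected by the vendor/core neverallows at compile time unless the domain carries the corresponding violator attributes. Confirm the policy still builds with the full neverallow set. If `/data/system/gps` is the only reason for the `system_data_file` transition, a vendor-owned directory under `/data/vendor` labelled `gps_data_file` would remove that dependency.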
@@ -21,23 +21,33 @@ type_transition gpsd gps_data_file:sock_file gps_socket; allow gpsd dnsproxyd_socket:sock_file write; allow gpsd fwmarkd_socket:sock_file write; allow gpsd gps_socket:sock_file create_file_perms; -allow gpsd self:udp_socket { create bind connect read setopt write }; - -# sysfs_gps -allow gpsd system_file:dir { open read getattr }; -allow gpsd sysfs_gps:file { open read getattr }; +allow gpsd self:udp_socket create_socket_perms; -# /dev/ttySAC0 -allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms }; -allow gpsd gps_device:chr_file { getattr setattr rw_file_perms }; -allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms }; -allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms }; +# sysfs_gps +allow gpsd sysfs_gps:dir search; +allow gpsd sysfs_gps:lnk_file read; +allow gpsd sysfs_gps:file rw_file_perms; + +# /dev/ttySAC3 +allow gpsd gps_device:chr_file { setattr rw_file_perms }; +allow gpsd gps_data_file:dir rw_dir_perms; +allow gpsd gps_data_file:fifo_file create_file_perms; allow gpsd sysfs_wake_lock:file rw_file_perms; -allow gpsd sensorservice_service:service_manager { find }; +allow gpsd sensorservice_service:service_manager find; # /dev/umts_boot0 allow gpsd mif_device:chr_file r_file_perms; -allow gpsd shell_exec:file execute; +# TCP sockets +allow gpsd port:tcp_socket { name_connect name_bind }; +allow gpsd self:tcp_socket create_socket_perms; +allow gpsd node:tcp_socket node_bind; + +# sec sysfs files +#allow gpsd sysfs_sec:dir search; + +# hwservicemanager ready prop +allow gpsd hwservicemanager:binder call; +allow gpsd hwservicemanager_prop:file { open read getattr}; diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te deleted file mode 100644 index 391ef29..0000000 --- a/sepolicy/hal_audio_default.te +++ /dev/null @@ -1 +0,0 @@ -allow hal_audio_default amplifier_device:chr_file { open read write ioctl }; 
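Review bot: `allow gpsd port:tcp_socket { name_connect name_bind };` together with `allow gpsd node:tcp_socket node_bind;` lets gpsd connect to and listen on any TCP port on any address, far wider than a GNSS daemon needs; cpboot-daemon in this same commit uses `net_domain(cpboot-daemon)` for its networking, and doing the same for gpsd (or restricting `name_connect` to a specific port type) would be the consistent choice. The last two lines should use the macros the rest of the file relies on: `hwbinder_use(gpsd)` in place of `hwservicemanager:binder call`, and `get_prop(gpsd, hwservicemanager_prop)` in place of the hand-written `hwservicemanager_prop:file { open read getattr}` rule, which also lacks the space before `}`. `setattr` on `gps_device:chr_file` means gpsd can chmod/chown the UART node; if that only serves a startup permission fix, the init.rc `chown`/`chmod` is the usual place for it.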
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te index 7a70b17..418dcf8 100644 --- a/sepolicy/hal_bluetooth_default.te +++ b/sepolicy/hal_bluetooth_default.te @@ -1 +1,6 @@ -allow hal_bluetooth_default device:chr_file ioctl; +# /dev/ttySAC3 +allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms; + +# /efs +allow hal_bluetooth_default efs_file:dir search; +r_dir_file(hal_bluetooth_default, bluetooth_efs_file) diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te index 4a0cd12..38fa4e4 100644 --- a/sepolicy/hal_camera_default.te +++ b/sepolicy/hal_camera_default.te @@ -1,5 +1,6 @@ -# vndbinder -allow hal_camera_default vndbinder_device:chr_file rw_file_perms; +allow hal_camera_default sysfs_camera:dir search; +allow hal_camera_default sysfs_camera:file rw_file_perms; -# sysfs -allow hal_camera_default sysfs_virtual:dir search; +allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find; + +vndbinder_use(hal_camera_default) diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te index fd17e20..92eb999 100644 --- a/sepolicy/hal_drm_default.te +++ b/sepolicy/hal_drm_default.te @@ -1,5 +1,10 @@ -allow hal_drm_default vndbinder_device:chr_file { ioctl open read write }; +vndbinder_use(hal_drm_default) -allow hal_drm_default secmem_device:chr_file { read write open getattr ioctl }; +# /dev/s5p-smem +allow hal_drm_default secmem_device:chr_file rw_file_perms; +allow hal_drm_default tee:unix_stream_socket connectto; allow hal_drm_default efs_file:dir search; -allow hal_drm_default cpk_efs_file:file { open read getattr }; +allow hal_drm_default cpk_efs_file:file r_file_perms; + +allow hal_drm_default media_data_file:file create_file_perms; +allow hal_drm_default media_data_file:dir create_dir_perms; diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te index 122d488..7f187f9 100644 --- a/sepolicy/hal_fingerprint_default.te 
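Review bot: In hal_drm_default.te, `allow hal_drm_default media_data_file:file create_file_perms;` and the matching `:dir create_dir_perms` give the vendor DRM HAL create/write access to a core data type, while every other grant in the file points at vendor-side resources (`secmem_device`, `tee`, `cpk_efs_file`); on Treble-era policy a vendor domain writing core `/data` labels normally trips the `data_between_core_and_vendor` neverallows unless the domain is flagged as a violator. Confirm which path the HAL actually writes; if it is a vendor-private directory, a dedicated type under `/data/vendor` is the cleaner fix than opening `media_data_file`.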
+++ b/sepolicy/hal_fingerprint_default.te @@ -1,20 +1,2 @@ -# allow hal_fingerprint_default to communicate with various devices -binder_call(system_app, hal_fingerprint_default); - -# kernel fp device -allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; - -# secure memory device -allow hal_fingerprint_default secmem_device:chr_file rw_file_perms; - -# trust zone device -allow hal_fingerprint_default tee_device:chr_file rw_file_perms; -allow hal_fingerprint_default tee:unix_stream_socket connectto; - -# /data/biometrics/* -allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms; -allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; - -# sysfs_virtual -allow hal_fingerprint_default sysfs_virtual:dir { read open search }; -allow hal_fingerprint_default sysfs_virtual:file { read open }; +allow hal_fingerprint_default sysfs_input:dir search; +allow hal_fingerprint_default sysfs_input:file rw_file_perms; diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te index 54381d0..3e4fac7 100644 --- a/sepolicy/hal_gnss_default.te +++ b/sepolicy/hal_gnss_default.te @@ -1,4 +1,5 @@ -allow hal_gnss_default gps_data_file:file getattr; -allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write }; -allow hal_gnss_default gpsd:unix_stream_socket connectto; +vndbinder_use(hal_gnss_default) +# Allow gnss to access the gpsd data files +allow hal_gnss_default gps_data_file:dir w_dir_perms; +allow hal_gnss_default gps_data_file:fifo_file create_file_perms; diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te new file mode 100644 index 0000000..1916c0a --- /dev/null +++ b/sepolicy/hal_graphics_composer.te 
@@ -0,0 +1,7 @@ +# Graphics sysfs +allow hal_graphics_composer_default sysfs_graphics:dir search; +allow hal_graphics_composer_default sysfs_graphics:file rw_file_perms; + +# uevent socket +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te new file mode 100644 index 0000000..89b18e7 --- /dev/null +++ b/sepolicy/hal_health_default.te @@ -0,0 +1,2 @@ +r_dir_file(hal_health_default, sysfs_usb_supply) +allow hal_health_default sysfs_usb_supply:file rw_file_perms; diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te index db428c5..854a807 100644 --- a/sepolicy/hal_light_default.te +++ b/sepolicy/hal_light_default.te @@ -1,3 +1,13 @@ -allow hal_light_default sysfs_brightness:file { open read write getattr }; -allow hal_light_default sysfs_virtual:dir search; -allow hal_light_default sysfs_virtual:file { read write open getattr }; +allow hal_light_default sysfs_light:dir search; +allow hal_light_default sysfs_light:file rw_file_perms; + +allow hal_light_default sysfs_graphics:dir search; +allow hal_light_default sysfs_graphics:file rw_file_perms; + +allow hal_light_default sysfs_input:dir search; +allow hal_light_default sysfs_input:lnk_file read; +allow hal_light_default sysfs_input:file rw_file_perms; + +allow hal_light_default sysfs_sec:dir search; +allow hal_light_default sysfs_sec:lnk_file read; +allow hal_light_default sysfs_sec:file rw_file_perms; diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te index 1f4db7b..82c371d 100644 --- a/sepolicy/hal_lineage_livedisplay_sysfs.te +++ b/sepolicy/hal_lineage_livedisplay_sysfs.te 
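Review bot: In hal_health_default.te, `r_dir_file(hal_health_default, sysfs_usb_supply)` followed by `allow hal_health_default sysfs_usb_supply:file rw_file_perms;` overlaps: the macro's file grant is a strict subset of the explicit rule. Write it as `allow hal_health_default sysfs_usb_supply:dir r_dir_perms;` plus the file rule, or drop the write entirely if the health HAL only reads battery attributes (a device-specific reason to write them deserves a comment). The hal_graphics_composer.te hunk just above ends with an empty added line, and its file name does not match the `hal_graphics_composer_default` domain it configures; `hal_graphics_composer_default.te` follows the naming the other HAL files in this commit use.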
@@ -1,6 +1,14 @@
 # Allow LiveDisplay to store files under /data/vendor/display and access them
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+
 # Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
-allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
-allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
+allow hal_lineage_livedisplay_sysfs {
+ sysfs_graphics
+ sysfs_mdnie
+}:dir search;
+
+allow hal_lineage_livedisplay_sysfs {
+ sysfs_graphics
+ sysfs_mdnie
+}:file rw_file_perms;
diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te
index 60c7184..044f569 100644
--- a/sepolicy/hal_lineage_touch_default.te
+++ b/sepolicy/hal_lineage_touch_default.te
@@ -1,6 +1,2 @@
 allow hal_lineage_touch_default sysfs_input:dir search;
 allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
-
-allow hal_lineage_touch_default sysfs_virtual:dir search;
-allow hal_lineage_touch_default sysfs_virtual:file { open read getattr };
-allow hal_lineage_touch_default sysfs_virtual:lnk_file read;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 6893489..bbc53b1 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -2,12 +2,18 @@ allow hal_power_default sysfs:dir r_dir_perms; allow hal_power_default sysfs:file r_file_perms; -allow hal_power_default sysfs_devices_system_cpu:file write; +# Input devices +allow hal_power_default sysfs_input:dir r_dir_perms; +allow hal_power_default sysfs_input:file rw_file_perms; -allow hal_power_default sysfs_input:dir { open read search }; -allow hal_power_default sysfs_input:file { open read write getattr }; +# CPU devices +allow hal_power_default sysfs_devices_system_cpu:dir search; +allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; -allow hal_power_default sysfs_virtual:dir { open read search }; -allow hal_power_default sysfs_virtual:file { open read write getattr }; -allow hal_power_default sysfs:dir { read open }; -allow hal_power_default sysfs:file { read write open }; +# Lights +allow hal_power_default sysfs_light:dir search; +allow hal_power_default sysfs_light:file rw_file_perms; + +# Graphics +allow hal_power_default sysfs_graphics:dir search; +allow hal_power_default sysfs_graphics:file rw_file_perms; diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te deleted file mode 100644 index 82d8719..0000000 --- a/sepolicy/hal_sensors_default.te +++ /dev/null @@ -1,3 +0,0 @@ -allow hal_sensors_default input_device:dir { open read search }; -allow hal_sensors_default sysfs:dir { open read }; - diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te index 0fcb8a2..7cf9e4d 100644 --- a/sepolicy/hal_wifi_default.te +++ b/sepolicy/hal_wifi_default.te 
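Review bot: The new `# Lights` and `# Graphics` headings in hal_power_default.te name the type being granted, not why the power HAL needs `rw_file_perms` on `sysfs_light` and `sysfs_graphics`; a comment naming the node each group writes (a panel or wake attribute, presumably) would let a reviewer judge whether write access is really required. The generic `sysfs:dir r_dir_perms` / `sysfs:file r_file_perms` context lines at the top remain alongside the now properly labelled types, so if the specific labels cover everything the HAL touches, the unlabelled-sysfs read grant could be retired in a follow-up.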
@@ -1,15 +1,8 @@
-#### hal_wifi_default
-#
-
-# wifi_data_file
-allow hal_wifi_default wifi_data_file:file { read write open };
-
-# /efs
 allow hal_wifi_default efs_file:dir search;
-# /efs/wifi
 allow hal_wifi_default wifi_efs_file:dir search;
-allow hal_wifi_default wifi_efs_file:file { open read };
+allow hal_wifi_default wifi_efs_file:file r_file_perms;
-# load .ko modules
-allow hal_wifi_default self:capability sys_module;
+allow hal_wifi_default wifi_data_file:file r_file_perms;
+
+allow hal_wifi_default sysfs_wifi:file write;
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te
deleted file mode 100644
index 8d550fc..0000000
--- a/sepolicy/hal_wifi_supplicant_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_wifi_supplicant_default rfkill_device:chr_file { open read };
-
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
index 9ea50d0..5aa5870 100644
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
@@ -1,5 +1,3 @@
-# healthd
-allow healthd device:dir rw_dir_perms;
 allow healthd rtc_device:chr_file rw_file_perms;
-allow healthd sysfs:file { open read getattr };
-allow healthd sysfs_charger:file { open read getattr };
+
+allow healthd sysfs_usb_supply:file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 16acd62..a6114dc 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
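Review bot: `allow hal_wifi_default sysfs_wifi:file write;` grants `write` without `open`, so the HAL can only write through a descriptor it did not open itself; if it opens the node directly this rule will still leave a denial on `open`. If an inherited fd is the intent, a comment saying so above the line would stop the next reader from "fixing" it; if not, `w_file_perms` is the minimal correction and `rw_file_perms` should be avoided unless the node is also read. The line also has no comment naming the sysfs path, unlike the `/efs` rules above it.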
@@ -4,18 +4,17 @@ allow init debugfs:dir mounton; # Mount EFS on /efs allow init efs_file:dir mounton; +# Mount CPEFS on /cpefs +allow init sec_efs_file:dir mounton; + # /dev/block/mmcblk0p[0-9] allow init emmcblk_device:blk_file rw_file_perms; -allow init block_device:lnk_file { setattr }; +allow init block_device:lnk_file setattr; allow init tmpfs:lnk_file create_file_perms; # /sys/class/power_supply/battery and /sys/class/android_usb/android0 -allow init proc:file { getattr setattr read write open }; - -# Shim libs -allow init cameraserver:process noatsecure; -allow init hal_fingerprint_default:process noatsecure; +allow init sysfs_usb_supply:file { rw_file_perms setattr }; # /data allow init sdcardd_exec:file r_file_perms; 
@@ -23,34 +22,74 @@ allow init sdcardd_exec:file r_file_perms; # sysfs iio:device[0-9] allow init sysfs:lnk_file setattr; +# sysfs ion device +allow init sysfs_ion:file setattr; + +# sysfs usb device +allow init sysfs_android_usb:file setattr; + # read/chown mDNIE symlinks -allow init sysfs_mdnie:lnk_file { read setattr }; +allow init sysfs_mdnie:lnk_file { r_file_perms setattr }; +allow init sysfs_mdnie:file rw_file_perms; # read/chown camera firmware allow init sysfs_camera:file { relabelto setattr }; allow init sysfs_camera:filesystem associate; -# sysfs +# WiFi firmware permissions +allow init sysfs_wifi:file setattr; + +# Input devices +allow init sysfs_input:file { rw_file_perms setattr }; + +# BT permissions allow init sysfs_bluetooth_writable:file setattr; -allow init sysfs_mdnie:file setattr; -allow init sysfs_multipdp:file setattr; -allow init sysfs_devices_system_cpu:file write; -allow init sysfs_gps:file setattr; -allow init sysfs_sec:file setattr ; -allow init sysfs_brightness:file setattr; -allow init sysfs_input:file setattr; -allow init sysfs_lcd:file { setattr open }; -allow init sysfs_svc:file setattr; -allow init sysfs_modem:file { setattr open write }; -allow init sysfs_wlan_fwpath:file setattr; -allow init sysfs_virtual:file { open setattr write }; -allow init sysfs_virtual:lnk_file read; -allow init sysfs_charger:file setattr; -allow init sysfs:file setattr; + +# GPS permissions +allow init sysfs_gps:lnk_file read; +allow init sysfs_gps:file { rw_file_perms setattr }; +allow init gps_data_file:fifo_file write; +allow init gps_data_file:file lock; +allow init gps_device:chr_file { open read write }; + +# CPU permissions +allow init sysfs_devices_system_cpu:file rw_file_perms; + +# umts permissions +allow init mif_device:chr_file rw_file_perms; + +# sswap permissions +allow init sswap_device:blk_file write; +allow init sysfs_sswap:file { open write }; + +# Block device sysfs +allow init sysfs_block:file rw_file_perms; + +# Audio Jack +allow init 
sysfs_jack:file setattr;
 unix_socket_connect(init, property, rild)
-allow init socket_device:sock_file { unlink create setattr };
-allow init tee_device:chr_file { read write open ioctl getattr };
-allow init system_file:file execute;
-allow init sysfs_modem:file r_file_perms;
+# Allow access to /proc/device-tree nodes
+r_dir_file(init, proc_dt_firmware)
+
+allow init sysfs_mmc:file { w_file_perms setattr };
+allow init sysfs_net:file rw_file_perms;
+allow init sysfs_graphics:file { rw_file_perms setattr };
+allow init sysfs_light:file { rw_file_perms setattr };
+allow init sysfs_light:lnk_file { rw_file_perms setattr };
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_sec:file { rw_file_perms setattr };
+allow init sysfs_sec:lnk_file read;
+allow init sysfs_sensors:file { rw_file_perms setattr };
+allow init sysfs_sensors:lnk_file read;
+allow init sysfs_multipdp:file setattr;
+
+# Proc files
+allow init proc_reset_reason:file { rw_file_perms setattr };
+allow init proc_vm:file rw_file_perms;
+allow init proc_simslot_count:file rw_file_perms;
+allow init proc_sec:file { rw_file_perms setattr };
+
+# Sockets
+allow init socket_device:sock_file { read write getattr setattr create unlink };
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
deleted file mode 100644
index a82d90c..0000000
--- a/sepolicy/installd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# TbStorage (mobicore)
-allow installd mobicore_data_file:dir { rw_dir_perms rmdir };
-allow installd device:file { read write open };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index cc8c840..fda2282 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
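Review bot: `sysfs_mdnie:file` is granted twice on the new side of this init.te hunk: `allow init sysfs_mdnie:file rw_file_perms;` under the mDNIE comment and `allow init sysfs_mdnie:file setattr;` in the later sysfs list; merging them into one `allow init sysfs_mdnie:file { rw_file_perms setattr };` keeps the two from drifting apart. `allow init sysfs_light:lnk_file { rw_file_perms setattr };` also looks wider than needed, since a symlink is followed rather than written; `{ read setattr }` matches what the sibling `sysfs_sec:lnk_file read` and `sysfs_sensors:lnk_file read` rules grant. The many `rw_file_perms` grants to init on sysfs and proc nodes (`sysfs_net`, `proc_vm`, `proc_simslot_count`) go beyond the `write`/`chown` pattern of an init.rc, so a comment per group naming the rc command that needs read access would make them reviewable.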
@@ -1,27 +1,22 @@
 allow kernel self:capability { chown mknod };
-dontaudit kernel kernel:capability { dac_override dac_read_search };
 # /dev/mbin0
 allow kernel emmcblk_device:blk_file r_file_perms;
-allow kernel device:blk_file { create setattr getattr unlink };
-# /bus/usb/001/001
-allow kernel device:dir { create write remove_name rmdir add_name };
-allow kernel device:chr_file { create setattr getattr unlink };
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
-allow kernel sysfs_devices_system_cpu:file { setattr };
-allow kernel sysfs:file { setattr };
+allow kernel sysfs_devices_system_cpu:file setattr;
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
 # /efs/wifi/.mac.info
-allow kernel wifi_efs_file:dir r_dir_perms;
-allow kernel wifi_efs_file:file r_file_perms;
+r_dir_file(kernel, wifi_efs_file);
 # /data/misc/conn/.wifiver.info
 allow kernel wifi_data_file:file rw_file_perms;
-# sysfs_lcd
-allow kernel sysfs_lcd:file { open read };
+# Allow kernel to search tmpfs
+allow kernel tmpfs:dir search;
+
+allow kernel self:capability sys_module;
diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te
deleted file mode 100644
index 1e80d50..0000000
--- a/sepolicy/macloader.te
+++ /dev/null
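Review bot: `allow kernel self:capability sys_module;` is added with no comment saying which module load it covers, and after this commit module loading is spread across several domains: this line moves here from sepolicy/wifiloader.te, `wifiloader` itself keeps `{ chown sys_module }`, and `netd` and `system_server` retain `sys_module` in their unchanged lines. Because sys_module lets a domain load arbitrary kernel code, each holder deserves a comment naming the driver it loads, and any grant that became unnecessary when `hal_wifi_default` lost the capability in this commit should be dropped. `r_dir_file(kernel, wifi_efs_file);` carries a trailing semicolon while `r_dir_file(init, proc_dt_firmware)` in init.te does not; one form for macro calls would be easier to grep.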
@@ -1,30 +0,0 @@
-#### macloader
-#
-type macloader, domain, coredomain;
-type macloader_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(macloader)
-
-allow macloader self:capability { chown fowner fsetid };
-allow macloader self:process execmem;
-
-# Write into /data
-allow macloader system_data_file:dir { add_name search write };
-allow macloader system_file:file execute_no_trans;
-
-# /data/.cid.info
-# Automatically label files created in /data/ as wifi_data_file
-file_type_auto_trans(macloader, system_data_file, wifi_data_file)
-
-allow macloader wifi_data_file:dir create_dir_perms;
-allow macloader wifi_data_file:file { create_file_perms getattr setattr };
-
-# /sys/module/dhd/parameters/nvram_path
-allow macloader sysfs:file rw_file_perms;
-
-# /efs
-allow macloader efs_file:dir r_dir_perms;
-
-# /efs/wifi/.mac.info
-allow macloader wifi_efs_file:dir r_dir_perms;
-allow macloader wifi_efs_file:file r_file_perms;
diff --git a/sepolicy/mediacode.te b/sepolicy/mediacode.te
deleted file mode 100644
index 953ad15..0000000
--- a/sepolicy/mediacode.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# /system/lib/omx/
-allow mediacodec system_file:dir r_dir_perms;
-
-# /sys/class/video4linux/video6/name
-allow mediacodec sysfs:file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 1078589..14cdbdc 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -1,11 +1,5 @@
 # /system/lib/omx/
 allow mediacodec system_file:dir r_dir_perms;
-# /sys/class/video4linux/video6/name
-allow mediacodec sysfs:file r_file_perms;
-
-allow mediacodec sysfs:dir { open read };
-
-# sysfs_virtual
-allow mediacodec sysfs_virtual:dir { open read search };
-allow mediacodec sysfs_virtual:file { open read };
+# /sys/class/video4linux/*
+r_dir_file(mediacodec, sysfs_v4l);
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
deleted file mode 100644
index 58b5bd7..0000000
--- a/sepolicy/mediadrmserver.te +++ /dev/null @@ -1,2 +0,0 @@ -allow mediadrmserver media_data_file:file { getattr open read create write }; -allow mediadrmserver media_data_file:dir { getattr write search add_name }; diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te deleted file mode 100644 index 3d8072d..0000000 --- a/sepolicy/mediaextractor.te +++ /dev/null @@ -1 +0,0 @@ -allow mediaextractor fuse:file { read getattr }; diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te index 52e86b0..02b8f37 100644 --- a/sepolicy/mediaserver.te +++ b/sepolicy/mediaserver.te @@ -5,8 +5,8 @@ allow mediaserver efs_file:dir r_dir_perms; allow mediaserver efs_file:file r_file_perms; # /dev/m2m1shot_jpeg -allow mediaserver camera_device:chr_file { read write open getattr ioctl }; +allow mediaserver camera_device:chr_file rw_file_perms; # Snap permissions -allow mediaserver sensorservice_service:service_manager { find }; -allow mediaserver system_server:unix_stream_socket { read write }; +allow mediaserver sensorservice_service:service_manager find; +allow mediaserver system_server:unix_stream_socket rw_stream_socket_perms; diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te index 6f351c1..8f63890 100644 --- a/sepolicy/modemloader.te +++ b/sepolicy/modemloader.te @@ -1,7 +1,7 @@ #### modemloader # -type modemloader, domain, coredomain; -type modemloader_exec, exec_type, file_type, system_file_type; +type modemloader, domain; +type modemloader_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(modemloader) diff --git a/sepolicy/netd.te b/sepolicy/netd.te index 092c011..8cfd7b7 100644 --- a/sepolicy/netd.te +++ b/sepolicy/netd.te @@ -1,4 +1,4 @@ allow netd self:capability sys_module; allow netd gpsd:fd use; -allow netd gpsd:udp_socket { read write getopt setopt }; -allow netd device:file { read write open }; +allow netd gpsd:udp_socket rw_socket_perms; +allow netd gpsd:tcp_socket rw_socket_perms; 
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te deleted file mode 100644 index 70f7fd2..0000000 --- a/sepolicy/nfc.te +++ /dev/null @@ -1,2 +0,0 @@ -allow nfc sec_efs_file:dir search; -allow nfc efs_file:dir search; diff --git a/sepolicy/property.te b/sepolicy/property.te index 8161cea..0fcbd1e 100644 --- a/sepolicy/property.te +++ b/sepolicy/property.te @@ -6,3 +6,6 @@ type modemloader_prop, property_type; # mobicore (tee) type tee_prop, property_type; + +# sswap +type sswap_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 9505a3c..7559794 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -17,3 +17,6 @@ persist.ril.modem.board u:object_r:radio_prop:s0 persist.ril.ims.eutranParam u:object_r:radio_prop:s0 persist.ril.ims.utranParam u:object_r:radio_prop:s0 persist.ril.interfaceconf.failed u:object_r:radio_prop:s0 + +# sswap +persist.sys.swapoff u:object_r:sswap_prop:s0 diff --git a/sepolicy/rild.te b/sepolicy/rild.te index bc05016..d743cac 100644 --- a/sepolicy/rild.te +++ b/sepolicy/rild.te @@ -1,17 +1,16 @@ # Allow rild to change perms -allow rild self:capability { chown }; +allow rild self:capability chown; # Allow additiional efs access -allow rild bin_nv_data_efs_file:file create_file_perms; -allow rild imei_efs_file:dir r_dir_perms; -allow rild imei_efs_file:file rw_file_perms; -allow rild app_efs_file:dir r_dir_perms; -allow rild app_efs_file:file r_file_perms; +r_dir_file(rild, imei_efs_file); +r_dir_file(rild, app_efs_file); -# /dev -allow rild audioserver:dir r_dir_perms; -# /proc//cmdline -allow rild audioserver:file r_file_perms; +# /efs/nv_data.bin +allow rild bin_nv_data_efs_file:file create_file_perms; +allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 }; + +# audioserver +r_dir_file(rild, audioserver); # /dev/mbin0 allow rild block_device:dir r_dir_perms; 
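Review bot: `allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 };` is a welcome narrowing of the `ioctl` bit that `create_file_perms` grants on the line above, but the raw numbers give a reader nothing to check; a comment such as `# FS_IOC_GETFLAGS / FS_IOC_SETFLAGS on /efs/nv_data.bin` (the two values are the low 16 bits of those requests) would record the intent. `r_dir_file(rild, audioserver);` under the bare `# audioserver` heading drops the `/proc/.../cmdline` explanation the removed lines carried; keeping that wording tells the next reader why the radio daemon reads another process's proc entries.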
@@ -23,15 +22,17 @@ allow rild mif_device:chr_file rw_file_perms; # /sys/devices/virtual/misc/multipdp/waketime allow rild sysfs_multipdp:file rw_file_perms; +allow rild sysfs_input:file rw_file_perms; + # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr allow rild proc_net:file rw_file_perms; -allow rild gpsd:dir r_dir_perms; -allow rild gpsd:file r_file_perms; +r_dir_file(rild, gpsd); + +allow rild proc_qtaguid_stat:file r_file_perms; # rild reads /proc/pid/cmdline of mediaserver -allow rild mediaserver:dir { open read search getattr }; -allow rild mediaserver:file { open read getattr }; +r_dir_file(rild, mediaserver); # /data/misc/radio/* allow rild radio_data_file:dir rw_dir_perms; @@ -40,10 +41,10 @@ allow rild radio_data_file:file create_file_perms; allow rild radio_data_file:lnk_file r_file_perms; # sdcard/SDET_PLMN/input/MNCMCC.txt -allow rild storage_file:dir { r_dir_perms }; -allow rild storage_file:lnk_file { r_file_perms }; -allow rild mnt_user_file:dir { r_dir_perms }; -allow rild mnt_user_file:lnk_file { r_file_perms }; +allow rild storage_file:dir r_dir_perms; +allow rild storage_file:lnk_file r_file_perms; +allow rild mnt_user_file:dir r_dir_perms; +allow rild mnt_user_file:lnk_file r_file_perms; # Modem firmware download allow rild radio_block_device:blk_file r_file_perms; @@ -53,3 +54,6 @@ set_prop(modemloader, radio_prop) # /dev/knox_kap allow rild knox_device:chr_file r_file_perms; + +# /data/media/0 +allow rild media_rw_data_file:dir r_dir_perms; diff --git a/sepolicy/sensorhubservice.te b/sepolicy/sensorhubservice.te deleted file mode 100644 index 534f9c2..0000000 --- a/sepolicy/sensorhubservice.te +++ /dev/null 
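Review bot: `allow rild sysfs_input:file rw_file_perms;` sits under the `# /sys/devices/virtual/misc/multipdp/waketime` comment but grants something unrelated: write access to every input sysfs node from the radio daemon. It needs its own comment naming the node, and if a single attribute is involved a narrower label would be preferable to the whole `sysfs_input` type. `allow rild proc_qtaguid_stat:file r_file_perms;` is likewise added without a reason, while the later hunk in this file shows the convention (`# /data/media/0` above the `media_rw_data_file` rule).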
@@ -1,24 +0,0 @@
-#### sensorhubservice
-#
-type sensorhubservice, domain, coredomain;
-type sensorhubservice_exec, exec_type, file_type, system_file_type;
-type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
-init_daemon_domain(sensorhubservice)
-
-# /dev/input[0-9]*
-allow sensorhubservice input_device:dir r_dir_perms;
-allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
-
-# binder call
-allow sensorhubservice servicemanager:binder { call transfer };
-
-allow sensorhubservice sysfs:file { getattr open read };
-
-# sysfs_virtual
-allow sensorhubservice sysfs_virtual:file { open read getattr setattr };
-allow sensorhubservice sysfs_virtual:dir { open read search };
-allow sensorhubservice sysfs_virtual:lnk_file read;
-
-allow sensorhubservice sysfs_input:dir search;
-allow sensorhubservice sysfs_input:lnk_file read;
-allow sensorhubservice sysfs_input:file { read write open getattr };
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 1738339..566bde9 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,13 +1,2 @@
-vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
-vendor.samsung.hardware.gnss::ISecGnss u:object_r:hal_gnss_hwservice:s0
-vendor.trustonic.tee::ITee u:object_r:hal_tee_hwservice:s0
-vendor.trustonic.teeregistry::ITeeRegistry u:object_r:hal_teeregistry_hwservice:s0
-vendor.samsung.hardware.security.widevine.keyprovisioning::ISehWidevineKeyProvisioning u:object_r:hal_wvkprov_hwservice:s0
-vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload u:object_r:hal_bluetooth_a2dp_hwservice:s0
-vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory u:object_r:hal_bluetooth_a2dp_hwservice:s0
-vendor.samsung.hardware.snap::ISehSnap u:object_r:snap_hwservice:s0
-vendor.samsung.hardware.radio.bridge::ISehBridge u:object_r:hal_telephony_hwservice:s0
-vendor.samsung.hardware.radio::ISehRadio u:object_r:hal_telephony_hwservice:s0
-vendor.samsung.hardware.radio.channel::ISehChannel u:object_r:hal_telephony_hwservice:s0
-com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
-
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
deleted file mode 100644
index e1b618a..0000000
--- a/sepolicy/servicemanager.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow servicemanager sensorhubservice:dir search;
-allow servicemanager sensorhubservice:file { getattr open read };
-allow servicemanager sensorhubservice:process getattr;
diff --git a/sepolicy/sswap.te b/sepolicy/sswap.te
new file mode 100644
index 0000000..41fefb8
--- /dev/null
+++ b/sepolicy/sswap.te
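Review bot: `Exynos.HWCService u:object_r:surfaceflinger_service:s0` labels a vendor-registered service with the platform `surfaceflinger_service` type, so every domain allowed to `find` surfaceflinger_service can now also look up this service and the two can no longer be told apart in policy. Which clients actually need it is not visible in this hunk, but declaring a dedicated `service_manager_type` for it and granting `find` only to those clients keeps the grant separable. A comment above the entry naming the process that registers it would also help, since the `# HWC` heading alone does not say which domain it belongs to.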
@@ -0,0 +1,18 @@
+type sswap, domain;
+type sswap_exec, exec_type, file_type, vendor_file_type;
+type sswap_device, dev_type;
+
+init_daemon_domain(sswap);
+
+allow sswap sswap_device:blk_file rw_file_perms;
+allow sswap sysfs_sswap:file rw_file_perms;
+allow sswap sysfs_sswap:dir search;
+allow sswap block_device:dir search;
+allow sswap self:capability sys_admin;
+
+allow sswap proc_meminfo:file r_file_perms;
+
+allow sswap properties_device:dir r_dir_perms;
+r_dir_file(sswap, proc_stat);
+
+set_prop(sswap, sswap_prop)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index b83165c..7d0f0a8 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,3 +1,4 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
-allow surfaceflinger sysfs:file { getattr open read };
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
+r_dir_file(surfaceflinger, sysfs_graphics)
\ No newline at end of file
diff --git a/sepolicy/sysfs_sec.te b/sepolicy/sysfs_sec.te
deleted file mode 100644
index eaaf54a..0000000
--- a/sepolicy/sysfs_sec.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#============= sysfs_sec ==============
-allow sysfs_sec sysfs:filesystem associate;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index c9d70d0..4d74449 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,3 +1,4 @@
 allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
 allow system_app sysfs_mdnie:dir search;
+allow system_app sysfs_graphics:dir search;
 allow system_app wificond:binder call;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 16aeb19..68aba79 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,7 +1,3 @@
-# /dev/mbin0
-allow system_server emmcblk_device:dir search;
-allow system_server emmcblk_device:blk_file { read write open ioctl getattr };
-
 # /efs
 allow system_server efs_file:dir r_dir_perms;
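Review bot: `allow sswap self:capability sys_admin;` in the new sswap.te hands the domain the broadest capability in the policy without a comment; if it is for swapon/swapoff on the sswap block device (the `persist.sys.swapoff` property and the `sswap_device:blk_file` rule point that way), a line such as `# sys_admin: swapon/swapoff on sswap_device` above it records the justification. `type sswap_device, dev_type;` is declared in the domain file rather than with the other device types, and `init_daemon_domain(sswap);` and `r_dir_file(sswap, proc_stat);` end in semicolons while `set_prop(sswap, sswap_prop)` does not; one convention per file reads better. `allow sswap properties_device:dir r_dir_perms;` is normally already granted to every domain by the platform policy, so it may be redundant here.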
@@ -26,12 +22,13 @@ allow system_server app_efs_file:dir r_dir_perms; allow system_server app_efs_file:file r_file_perms; # WifiMachine -allow system_server self:capability { sys_module }; +allow system_server self:capability sys_module; allow system_server wifi_efs_file:dir r_dir_perms; allow system_server wifi_efs_file:file r_file_perms; # mDNIE allow system_server sysfs_mdnie:lnk_file rw_file_perms; +#allow system_server sysfs_mdnie:dir rw_dir_perms; allow system_server sysfs_mdnie:file rw_file_perms; # memtrack HAL @@ -41,17 +38,20 @@ allow system_server debugfs:dir r_dir_perms; allow system_server sensor_device:chr_file rw_file_perms; allow system_server baro_delta_factoryapp_efs_file:file r_file_perms; allow system_server sensor_factoryapp_efs_file:file r_file_perms; - -# sysfs -allow system_server sysfs_brightness:file write; -allow system_server sysfs_input:file write; -allow system_server sysfs_sec:file write; -allow system_server sysfs_devices_system_cpu:file write; -allow system_server sysfs_virtual:file write; +allow system_server sysfs_sensors:file rw_file_perms; # /data/system/gps/xtraee.bin allow system_server gps_data_file:file create_file_perms; -unix_socket_connect(system_server, property, gpsd) +# Bluetooth buildprop +get_prop(system_server, bluetooth_prop) -allow system_server proc:file { read open getattr }; +# Grpahics sysfs +allow system_server sysfs_graphics:file rw_file_perms; + +# Input sysfs +allow system_server sysfs_input:file rw_file_perms; + +allow system_server proc_input_devices:file r_file_perms; + +unix_socket_connect(system_server, property, gpsd) diff --git a/sepolicy/tee.te b/sepolicy/tee.te index f0a2508..e2f5141 100644 --- a/sepolicy/tee.te +++ b/sepolicy/tee.te 
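Review bot: `+#allow system_server sysfs_mdnie:dir rw_dir_perms;` commits a commented-out rule; either the access is needed and the line should be enabled with a comment explaining it, or it should be removed rather than left as dead policy. In the second hunk of this file the new heading reads `# Grpahics sysfs` (`# Graphics sysfs`), and the `sysfs_graphics:file rw_file_perms` and `sysfs_input:file rw_file_perms` grants to system_server are wide enough that naming the node each is for, as the `# /data/system/gps/xtraee.bin` comment already does for `gps_data_file`, would make them reviewable.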
@@ -1,11 +1,9 @@
-# mobicore
-
-# Allow to create files and directories /data/app/mcRegistry
-file_type_auto_trans(tee, apk_data_file, mobicore_data_file);
-
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
+# Allow mobicore to search apk data
+allow tee apk_data_file:dir search;
+
 # sys.mobicore.enable
 set_prop(tee, tee_prop)
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
deleted file mode 100644
index 5355ee0..0000000
--- a/sepolicy/toolbox.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow toolbox block_device:dir { add_name write };
-allow toolbox block_device:lnk_file create;
-allow toolbox emmcblk_device:blk_file setattr;
-allow toolbox self:capability { chown fowner fsetid };
-allow toolbox sysfs:file getattr;
-allow toolbox sysfs_devices_system_cpu:file setattr;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 437ed7c..a252eb6 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,11 +1,14 @@
 # /dev/block/mmcblk0p[0-9]
-allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink rw_file_perms };
 # /sys/devices/virtual/misc/multipdp/uevent
 allow ueventd sysfs_multipdp:file rw_file_perms;
-allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
-
 # read/chown camera firmware
-allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:file { relabelto rw_file_perms };
 allow ueventd sysfs_camera:filesystem associate;
+
+allow ueventd sysfs_usb_supply:file w_file_perms;
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(ueventd, proc_dt_firmware)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index dc2658a..4da2966 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -2,7 +2,7 @@ allow vold efs_file:dir r_dir_perms; # /dev/block/mmcblk0p[0-9] allow vold emmcblk_device:dir create_dir_perms; -allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open }; +allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms }; -# sysfs_virtual -allow vold sysfs_virtual:file write; +allow vold sysfs_mmc:file w_file_perms; +r_dir_file(vold, proc_dt_firmware) diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te deleted file mode 100644 index 3543f1f..0000000 --- a/sepolicy/wcnss_filter.te +++ /dev/null @@ -1,8 +0,0 @@ -type wcnss_filter, domain, coredomain; -type wcnss_filter_exec, exec_type, file_type, system_file_type; - -init_daemon_domain(wcnss_filter) - -allow wcnss_filter bluetooth_device:chr_file rw_file_perms; - -set_prop(wcnss_filter, bluetooth_prop); diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te deleted file mode 100644 index c8a7ec2..0000000 --- a/sepolicy/webview_zygote.te +++ /dev/null @@ -1 +0,0 @@ -allow webview_zygote zygote:unix_dgram_socket write; diff --git a/sepolicy/wifiloader.te b/sepolicy/wifiloader.te index 3cde6bb..c07043f 100644 --- a/sepolicy/wifiloader.te +++ b/sepolicy/wifiloader.te 
@@ -1,11 +1,22 @@
-# wifiloader
+#### wifiloader
+#
 type wifiloader, domain;
-type wifiloader_exec, exec_type, file_type;
+type wifiloader_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(wifiloader)
+unix_socket_connect(wifiloader, property, init)
 allow wifiloader proc:file r_file_perms;
+allow wifiloader sysfs_wlan_fwpath:file setattr;
+allow wifiloader wifi_data_file:file rw_file_perms;
+set_prop(wifiloader, wifi_prop);
+
+# /efs
+allow wifiloader efs_file:dir search;
+
+# /efs/wifi
+allow wifiloader wifi_efs_file:dir search;
+allow wifiloader wifi_efs_file:file r_file_perms;
 # load .ko modules
-allow kernel self:capability sys_module;
-allow wifiloader self:capability sys_module;
+allow wifiloader self:capability { chown sys_module };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
index e17b8cf..a6e244a 100644
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@@ -1 +1 @@
-allow zygote proc_cmdline:file { getattr open read write };
+dontaudit zygote proc_cmdline:file r_file_perms;
diff --git a/sepolicy_minimal/file.te b/sepolicy_minimal/file.te
deleted file mode 100644
index e81d445..0000000
--- a/sepolicy_minimal/file.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type sec_efs_file, file_type;
-
-
diff --git a/sepolicy_minimal/file_contexts b/sepolicy_minimal/file_contexts
deleted file mode 100644
index b1cd761..0000000
--- a/sepolicy_minimal/file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-/cpefs(/.*)? u:object_r:sec_efs_file:s0
-
-
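Review bot: `unix_socket_connect(wifiloader, property, init)` is redundant: `set_prop(wifiloader, wifi_prop);` a few lines below expands to that same connect rule, so the explicit call can be dropped. `allow wifiloader self:capability { chown sys_module };` adds `chown` under the `# load .ko modules` comment, which no longer describes the whole line; a separate rule or an extended comment naming what it chowns (presumably the `wifi_data_file` it also gets `rw_file_perms` on) keeps the justification accurate. `set_prop(...)` here ends with a semicolon while `init_daemon_domain(wifiloader)` above does not; the file should settle on one form.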