From 221b221b8a58e4559ed1b34dcf974a82798209e6 Mon Sep 17 00:00:00 2001 
From: Astrako Date: Tue, 28 Jan 2020 00:06:11 +0100 Subject: [PATCH] universal7870: import Pie sepolicies --- sepolicy/audioserver.te | 5 ++ sepolicy/bluetooth.te | 5 ++ sepolicy/cameraserver.te | 18 +++++ sepolicy/cpboot-daemon.te | 48 +++++++++++++ sepolicy/device.te | 26 +++++++ sepolicy/domain.te | 1 + sepolicy/file.te | 23 ++++++ sepolicy/file_contexts | 93 +++++++++++++++++++++++++ sepolicy/fsck.te | 3 + sepolicy/gpsd.te | 37 ++++++++++ sepolicy/hal_bluetooth_default.te | 1 + sepolicy/hal_camera_default.te | 5 ++ sepolicy/hal_drm_default.te | 5 ++ sepolicy/hal_gnss_default.te | 4 ++ sepolicy/hal_power_default.te | 3 + sepolicy/hal_sensors_default.te | 3 + sepolicy/hal_wifi_default.te | 6 ++ sepolicy/hal_wifi_supplicant_default.te | 2 + sepolicy/healthd.te | 3 + sepolicy/init.te | 37 ++++++++++ sepolicy/installd.te | 2 + sepolicy/kernel.te | 29 ++++++++ sepolicy/mediacode.te | 5 ++ sepolicy/mediaextractor.te | 1 + sepolicy/mediaserver.te | 14 ++++ sepolicy/modemloader.te | 9 +++ sepolicy/netd.te | 4 ++ sepolicy/property.te | 8 +++ sepolicy/property_contexts | 17 +++++ sepolicy/rild.te | 60 ++++++++++++++++ sepolicy/service_contexts | 2 + sepolicy/surfaceflinger.te | 2 + sepolicy/sysfs_sec.te | 2 + sepolicy/system_app.te | 3 + sepolicy/system_server.te | 51 ++++++++++++++ sepolicy/tee.te | 11 +++ sepolicy/toolbox.te | 6 ++ sepolicy/ueventd.te | 11 +++ sepolicy/uncrypt.te | 2 + sepolicy/vold.te | 5 ++ sepolicy/wifiloader.te | 11 +++ 41 files changed, 583 insertions(+) create mode 100644 sepolicy/audioserver.te create mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/cameraserver.te create mode 100644 sepolicy/cpboot-daemon.te create mode 100644 sepolicy/device.te create mode 100644 sepolicy/domain.te create mode 100644 sepolicy/file.te create mode 100644 sepolicy/file_contexts create mode 100644 sepolicy/fsck.te create mode 100644 sepolicy/gpsd.te create mode 100644 sepolicy/hal_bluetooth_default.te create mode 100644 sepolicy/hal_camera_default.te 
create mode 100644 sepolicy/hal_drm_default.te
create mode 100644 sepolicy/hal_gnss_default.te
create mode 100644 sepolicy/hal_power_default.te
create mode 100644 sepolicy/hal_sensors_default.te
create mode 100644 sepolicy/hal_wifi_default.te
create mode 100644 sepolicy/hal_wifi_supplicant_default.te
create mode 100644 sepolicy/healthd.te
create mode 100644 sepolicy/init.te
create mode 100644 sepolicy/installd.te
create mode 100644 sepolicy/kernel.te
create mode 100644 sepolicy/mediacode.te
create mode 100644 sepolicy/mediaextractor.te
create mode 100644 sepolicy/mediaserver.te
create mode 100644 sepolicy/modemloader.te
create mode 100644 sepolicy/netd.te
create mode 100644 sepolicy/property.te
create mode 100644 sepolicy/property_contexts
create mode 100644 sepolicy/rild.te
create mode 100644 sepolicy/service_contexts
create mode 100644 sepolicy/surfaceflinger.te
create mode 100644 sepolicy/sysfs_sec.te
create mode 100644 sepolicy/system_app.te
create mode 100644 sepolicy/system_server.te
create mode 100644 sepolicy/tee.te
create mode 100644 sepolicy/toolbox.te
create mode 100644 sepolicy/ueventd.te
create mode 100644 sepolicy/uncrypt.te
create mode 100644 sepolicy/vold.te
create mode 100644 sepolicy/wifiloader.te
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..9d1a5f9
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,5 @@
+# Allow rild to connect to gpsd
+unix_socket_connect(audioserver, property, rild)
+
+allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
+allow audioserver { efs_file sec_efs_file }:file r_file_perms;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..7884d52
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,5 @@
+# /dev/ttySAC0
+allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
+
+# /data/.cid.info
+allow bluetooth wifi_data_file:file r_file_perms;
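Review bot: The comment on the first line of audioserver.te, `# Allow rild to connect to gpsd`, does not describe the rule under it: `unix_socket_connect(audioserver, property, rild)` lets audioserver connect to rild over the property socket, an unusual pairing for an audio daemon. Replace the comment with what was actually denied, e.g. `# audioserver -> rild over the property socket (needed by <reason>)`, or drop the rule if it was carried over from gpsd.te, where the same comment and macro shape appear. The two `allow audioserver { efs_file sec_efs_file }` lines also grant read access to every generic-labelled file under /efs; if only a specific file is needed, label it in file_contexts as the other efs types do.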
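Review bot: `rw_file_perms` already contains `ioctl`, so the `{ rw_file_perms ioctl }` set on the bluetooth_device rule is redundant and `allow bluetooth bluetooth_device:chr_file rw_file_perms;` says the same thing. Since this is a tty node, consider pairing the rule with an `allowxperm ... ioctl` list so that only the serial ioctls the stack uses are permitted rather than any ioctl. The second rule gives the bluetooth domain read access to wifi_data_file, which file_contexts in this patch maps to /data/.cid.info and /data/misc/conn/.wifiver.info; a comment naming which of the two it needs would help the next reader.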
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..17c04b5
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,18 @@
+# /sys/devices/virtual/camera/*/*_camfw
+allow cameraserver sysfs_camera_writable:file rw_file_perms;
+
+# searching for syses nodes
+allow cameraserver sysfs_camera_writable:dir search;
+
+# /data/media(/.*)?
+allow cameraserver media_rw_data_file:dir r_dir_perms;
+allow cameraserver media_rw_data_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/camera/*/*_camfw
+allow cameraserver sysfs_camera_writable:file rw_file_perms;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..c4a3a10
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
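Review bot: `allow cameraserver sysfs_camera_writable:file rw_file_perms;` appears twice in cameraserver.te, under two identical `# /sys/devices/virtual/camera/*/*_camfw` comments; keep one copy. The comment `# searching for syses nodes` has a typo (`sysfs`). Read access to media_rw_data_file (all of /data/media) is broad for cameraserver; if it is only needed for a specific path, say so in the comment so the grant can be narrowed later.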
@@ -0,0 +1,48 @@
+# modem daemon sec label
+type cpboot-daemon, domain;
+type cpboot-daemon_exec, exec_type, file_type;
+
+net_domain(cpboot-daemon)
+init_daemon_domain(cpboot-daemon)
+wakelock_use(cpboot-daemon)
+#unix_socket_connect(cpboot-daemon, property, init)
+
+allow cpboot-daemon self:capability { setuid setgid };
+
+# FIXME neverallow rule
+# allow cpboot-daemon self:capability mknod;
+allow cpboot-daemon kernel:system syslog_read;
+allow cpboot-daemon cgroup:dir create_dir_perms;
+
+# /dev/kmsg (write to kernel log)
+allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
+
+# /dev/umts_boot0
+allow cpboot-daemon mif_device:chr_file rw_file_perms;
+
+# /dev/mbin0
+allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
+
+# /dev/spi_boot_link
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
+
+# /dev/block/mmcblk0p13
+allow cpboot-daemon block_device:dir r_dir_perms;
+allow cpboot-daemon radio_block_device:blk_file r_file_perms;
+
+# /efs
+allow cpboot-daemon efs_file:dir r_dir_perms;
+
+# /efs/nv_data.bin
+allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
+
+# /sys/bus/usb/devices/1-2/idVendor
+allow cpboot-daemon sysfs:file r_file_perms;
+
+# /proc/cmdline
+allow cpboot-daemon proc:file r_file_perms;
+
+# set properties on boot
+set_prop(cpboot-daemon, cpboot-daemon_prop)
+set_prop(cpboot-daemon, radio_prop)
+set_prop(cpboot-daemon, system_prop)
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..770e271
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,26 @@
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/umts*
+type mif_device, dev_type;
+
+# /dev/block/mmcblk0p[0-9]
+type emmcblk_device, file_type;
+
+# /dev/rfkill
+type rfkill_device, dev_type;
+
+# efs
+type efs_block_device, dev_type;
+
+# radio
+type radio_block_device, dev_type;
+
+# gps
+type gps_device, dev_type;
+
+# bluetooth
+type bluetooth_device, dev_type;
+
+# /dev/knox_kap
+type knox_device, dev_type;
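Review bot: `emmcblk_device` is the catch-all label for `/dev/block/mmcblk0p[0-9]*` in this patch's file_contexts, so the `# /dev/mbin0` rule `allow cpboot-daemon emmcblk_device:blk_file r_file_perms;` grants read access to every partition that is not given a more specific label, not just the modem image; the same catch-all type is also opened to fsck (rw), init (rw), kernel (r), rild (r), system_server (rw), toolbox (setattr), uncrypt (w) and ueventd in their hunks below. Label the specific partitions these domains need (the patch already does this for boot/recovery/radio/system/cache/userdata) and grant those types instead. /dev/mbin0 itself has no file_contexts entry here, so the comment does not tell a reader what label it actually carries. Separately, `set_prop(cpboot-daemon, system_prop)` lets a vendor modem daemon set every property in the generic system_prop class; a dedicated property type, as done with cpboot-daemon_prop, is the narrower choice.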
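Review bot: `type emmcblk_device, file_type;` is the only device type in device.te declared without `dev_type`, while file_contexts applies it to nodes under /dev/block; the sibling types in this hunk all use `dev_type`, which is normally the attribute allowed to associate with the /dev tmpfs. Unless the file_type-only declaration is deliberate, change it to `type emmcblk_device, dev_type;` so it behaves like the others, and re-check the relabel denials that prompted the `relabelfrom relabelto` rule in ueventd.te once it does.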
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..051c0e7
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+dontaudit domain kernel:system module_request;
\ No newline at end of file
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..c9583f8
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,23 @@
+# efs types
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type nv_log_efs_file, file_type;
+type cpk_efs_file, file_type;
+type imei_efs_file, file_type;
+type prov_efs_file, file_type;
+type sec_efs_file, file_type;
+type wifi_efs_file, file_type;
+type sensor_efs_file, file_type;
+
+# general types
+type mobicore_data_file, file_type, data_file_type, core_data_file_type;
+type gps_data_file, file_type, data_file_type, core_data_file_type;
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+
+# sysfs types
+type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+
+allow sysfs_type tmpfs:filesystem associate;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..b38a970
--- /dev/null
+++ b/sepolicy/file_contexts
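Review bot: `dontaudit domain kernel:system module_request;` silences module-autoload requests for every domain on the device, which hides exactly the signal that shows which process is trying to pull a kernel module in. Prefer a dontaudit scoped to the domains known to trigger it, e.g. `dontaudit { netd wifiloader } kernel:system module_request;`, and keep it off the global domain attribute. The file also lacks a trailing newline.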
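Review bot: `type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;` lists `fs_type` twice; it should read `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;` like the neighbouring sysfs types. `mobicore_data_file` is declared but not referenced anywhere else in this patch, and file_contexts labels the mcRegistry directory tee_data_file instead, so it looks like a leftover. `allow sysfs_type tmpfs:filesystem associate;` lets any sysfs-labelled object live on a tmpfs, which is unusual; a comment naming the denial it resolves would justify it.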
@@ -0,0 +1,93 @@
+# devices
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+/dev/mali.* u:object_r:video_device:s0
+
+/dev/ttySAC0 u:object_r:bluetooth_device:s0
+
+/dev/s5p-smem u:object_r:secmem_device:s0
+
+/dev/v4l-subdev[0-9]* u:object_r:video_device:s0
+/dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0
+/dev/media[0-3]* u:object_r:camera_device:s0
+/dev/m2m1shot_jpeg u:object_r:camera_device:s0
+
+/dev/mtp_usb* u:object_r:mtp_device:s0
+
+/dev/umts.* u:object_r:mif_device:s0
+
+/dev/gnss_ipc u:object_r:gps_device:s0
+/dev/ttySAC[1-9]* u:object_r:gps_device:s0
+
+/dev/socket/rild2 u:object_r:rild_socket:s0
+/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
+
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+
+/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0
+/dev/block/mmcblk0p13 u:object_r:radio_block_device:s0
+/dev/block/mmcblk0p19 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p20 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p25 u:object_r:userdata_block_device:s0
+
+/dev/rfkill u:object_r:rfkill_device:s0
+
+# Knox status
+/dev/knox_kap u:object_r:knox_device:s0
+
+# efs files
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/gyro_cal_data u:object_r:sensor_efs_file:s0
+
+/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/cpk/h2k.dat u:object_r:cpk_efs_file:s0
+/efs/h2k\.dat u:object_r:cpk_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:nv_log_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv.keys u:object_r:cpk_efs_file:s0
+
+# data files
+/data/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/\.cid\.info u:object_r:wifi_data_file:s0
+/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+
+# sysfs files
+/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
+/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+
+# bluetooth
+/sys/devices/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/extldo u:object_r:sysfs_bluetooth_writable:s0
+
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera_writable:s0
+
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie_writable:s0
+
+/system/bin/modemloader u:object_r:modemloader_exec:s0
+/system/bin/wifiloader u:object_r:wifiloader_exec:s0
+/system/bin/cbd u:object_r:cpboot-daemon_exec:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
+
+# Mobicore
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+/data/misc/mcRegistry(/.*)? u:object_r:tee_data_file:s0
+/system/bin/mcDriverDaemon u:object_r:tee_exec:s0
+
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..96d0567
--- /dev/null
+++ b/sepolicy/fsck.te
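Review bot: `/dev/mali.*` also matches the nodes that `/dev/mali[0-9]*` is meant to label gpu_device, and both entries share the same literal stem, so which label wins depends on lookup precedence; give the second entry a pattern that does not overlap the first so the GPU node does not silently become video_device. `efs_block_device` is declared in device.te and used in fsck.te, but no entry here assigns it, so the EFS partition falls under the `/dev/block/mmcblk0p[0-9]*` emmcblk_device catch-all; add its entry next to the other `/dev/block/mmcblk0p` lines. The dots in `/efs/nv_data.bin(.*)`, `/efs/nv.log`, `/efs/wv.keys` and `/efs/cpk/h2k.dat` are unescaped while `/efs/h2k\.dat` escapes its dot; escape them consistently. `sysfs_bluetooth_writable` is used for three /sys/devices/bluetooth entries but is not declared in this patch's file.te; confirm it exists elsewhere in the policy.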
@@ -0,0 +1,3 @@
+# /dev/block/mmcblk0p3
+allow fsck emmcblk_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file { ioctl open read write };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..7e8cfeb
--- /dev/null
+++ b/sepolicy/gpsd.te
@@ -0,0 +1,37 @@
+# gps daemon sec label
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd)
+wakelock_use(gpsd)
+
+# Automatically label files created in /data/system/gps as gps_data_file
+file_type_auto_trans(gpsd, system_data_file, gps_data_file)
+
+# Allow rild to connect to gpsd
+unix_socket_connect(gpsd, property, rild)
+
+allow gpsd system_server:unix_stream_socket { read write setopt };
+
+binder_call(gpsd, system_server)
+binder_use(gpsd)
+
+# /dev/ttySAC0
+allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd gps_data_file:dir { search write add_name remove_name };
+allow gpsd gps_data_file:file { create rw_file_perms };
+allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow gpsd sysfs_wake_lock:file rw_file_perms;
+
+allow gpsd sysfs:file { open read getattr };
+
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd netd:unix_stream_socket connectto;
+allow gpsd self:udp_socket { connect create read setopt write };
+
+allow gpsd mif_device:chr_file r_file_perms;
+allow gpsd shell_exec:file { execute execute_no_trans getattr open read };
+allow gpsd toolbox_exec:file { execute execute_no_trans getattr open read };
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..7a70b17
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+allow hal_bluetooth_default device:chr_file ioctl;
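Review bot: `allow fsck efs_block_device:blk_file { ioctl open read write };` targets a type that nothing in this patch's file_contexts assigns, so on the partition named in the `# /dev/block/mmcblk0p3` comment the effective label is the emmcblk_device catch-all and only the first rule applies. Add an entry such as `/dev/block/mmcblk0p3 u:object_r:efs_block_device:s0` (with the real partition number) so the second rule does the work and the blanket `allow fsck emmcblk_device:blk_file rw_file_perms;` can be dropped. The explicit `{ ioctl open read write }` set can then be written as `rw_file_perms` for consistency with the line above it.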
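Review bot: `allow gpsd shell_exec:file { execute execute_no_trans getattr open read };` and the matching toolbox_exec line let the GPS daemon run the shell and toolbox binaries inside its own domain, which combines a network-facing process (it talks to netd and opens UDP sockets in this file) with shell execution; if gpsd really spawns helper scripts, prefer a domain transition for them, otherwise remove the grant and fix the caller. The comment `# Allow rild to connect to gpsd` sits above `unix_socket_connect(gpsd, property, rild)`, which is the opposite direction (gpsd connecting to rild through the property socket); reword it to match. `setattr` on the bluetooth_device and gps_device chr_file rules lets gpsd change the device nodes' attributes, which is normally done by ueventd or init rather than the daemon; confirm it is needed.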
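Review bot: `allow hal_bluetooth_default device:chr_file ioctl;` uses the generic `device` type, so it permits ioctl on any unlabelled node in /dev instead of the one the HAL needs. This patch already declares `bluetooth_device` and labels /dev/ttySAC0 with it; if the denial was on a different node, add a file_contexts entry for it and write the rule against that type, e.g. `allow hal_bluetooth_default bluetooth_device:chr_file ioctl;`.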
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..a482538
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1,5 @@
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_camera_default sysfs_camera_writable:dir search;
+allow hal_camera_default sysfs_camera_writable:file { getattr open read write };
+allow hal_camera_default vndbinder_device:chr_file { read write open ioctl};
+
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..fd17e20
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,5 @@
+allow hal_drm_default vndbinder_device:chr_file { ioctl open read write };
+
+allow hal_drm_default secmem_device:chr_file { read write open getattr ioctl };
+allow hal_drm_default efs_file:dir search;
+allow hal_drm_default cpk_efs_file:file { open read getattr };
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..54381d0
--- /dev/null
+++ b/sepolicy/hal_gnss_default.te
@@ -0,0 +1,4 @@
+allow hal_gnss_default gps_data_file:file getattr;
+allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
+allow hal_gnss_default gpsd:unix_stream_socket connectto;
+
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..b932ecd
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1,3 @@
+allow hal_power_default sysfs:file { open write read };
+allow hal_power_default sysfs_devices_system_cpu:file write;
+allow hal_power_default sysfs:dir { open read };
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..82d8719
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1,3 @@
+allow hal_sensors_default input_device:dir { open read search };
+allow hal_sensors_default sysfs:dir { open read };
+
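Review bot: `allow hal_camera_default vndbinder_device:chr_file { read write open ioctl};` spells out by hand what the `vndbinder_use(hal_camera_default)` macro provides (which also adds the binder permissions a vndbinder client needs); the same hand-written vndbinder_device rule appears in hal_drm_default.te and hal_gnss_default.te alongside this hunk. Use the macro in all three for consistency with the rest of the policy, and fix the missing space before `}` on this line. This file and hal_gnss_default.te also end with an empty added line.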
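Review bot: `allow hal_power_default sysfs:file { open write read };` grants write access to every node that still carries the generic `sysfs` label, not just the frequency or boost knobs the power HAL touches; the same pattern appears as `allow hal_wifi_default sysfs:file write;` in the next hunk. Label the specific nodes in file_contexts (the patch already has `sysfs_writable` and uses `sysfs_devices_system_cpu` for this purpose) and grant those types. A comment naming the paths from the denial would help whoever narrows this later.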
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..4dd46bc
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,6 @@
+allow hal_wifi_default sysfs:file write;
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file { open read };
+allow hal_wifi_default system_data_file:file { open read };
+allow hal_wifi_default efs_file:dir search;
+allow hal_wifi_default wifi_data_file:file { open read write };
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..8d550fc
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant_default.te
@@ -0,0 +1,2 @@
+allow hal_wifi_supplicant_default rfkill_device:chr_file { open read };
+
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..2889bfa
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1,3 @@
+# healthd
+allow healthd device:dir rw_dir_perms;
+allow healthd rtc_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..92918a5
--- /dev/null
+++ b/sepolicy/init.te
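Review bot: `allow hal_wifi_default system_data_file:file { open read };` opens every generic-labelled file under /data/system to the Wi-Fi HAL; this patch already labels the two files it appears to need (/data/.cid.info and /data/misc/conn/.wifiver.info) as wifi_data_file, so if another file is involved label it too rather than widening to system_data_file. The `sysfs:file write` on the first line has the same generic-type problem noted for hal_power_default.te.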
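Review bot: `allow healthd device:dir rw_dir_perms;` lets healthd add and remove entries in /dev itself (rw_dir_perms includes add_name, remove_name and write), which is far more than a battery monitor normally needs; if the denial was only a lookup, `allow healthd device:dir r_dir_perms;` is enough, and if it genuinely creates a node the comment should say which one. The `# healthd` comment repeats the file name and could instead name the nodes involved. The file has no trailing newline.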
@@ -0,0 +1,37 @@
+# Mount debugfs on /sys/kernel/debug.
+allow init debugfs:dir mounton;
+
+# Mount EFS on /efs
+allow init efs_file:dir mounton;
+
+# /dev/block/mmcblk0p[0-9]
+allow init emmcblk_device:blk_file rw_file_perms;
+
+allow init block_device:lnk_file { setattr };
+allow init tmpfs:lnk_file create_file_perms;
+
+# /sys/class/power_supply/battery and /sys/class/android_usb/android0
+allow init sysfs:dir r_dir_perms;
+
+# required for LD_SHIM_LIBS
+allow init { domain -lmkd -crash_dump }:process noatsecure;
+
+# /data
+allow init sdcardd_exec:file r_file_perms;
+
+# sysfs iio:device[0-9]
+allow init sysfs:lnk_file setattr;
+
+# read/chown mDNIE symlinks
+allow init sysfs_mdnie_writable:lnk_file { read setattr };
+
+# read/chown camera firmware
+allow init sysfs_camera_writable:file { relabelto setattr };
+allow init sysfs_camera_writable:filesystem associate;
+
+allow init socket_device:sock_file { unlink create setattr };
+
+allow init sysfs_sec:lnk_file read;
+
+allow init block_device:blk_file write;
+allow init property_socket:sock_file write;
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..4f47f22
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1,2 @@
+# TbStorage (mobicore)
+allow installd tee_data_file:dir { rw_dir_perms rmdir };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..a0e6acd
--- /dev/null
+++ b/sepolicy/kernel.te
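Review bot: `allow init { domain -lmkd -crash_dump }:process noatsecure;` turns off the dynamic loader's secure mode (AT_SECURE) for nearly every domain init starts, so loader environment variables such as LD_PRELOAD are honoured across those transitions; the `# required for LD_SHIM_LIBS` comment suggests only a few shimmed binaries need this, so list those domains explicitly instead of `domain` minus two exclusions. `allow init block_device:blk_file write;` is likewise against the generic block_device type; label the partition init writes and grant that. `allow init property_socket:sock_file write;` is odd since init is the property service itself; a comment naming the triggering denial would help.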
@@ -0,0 +1,29 @@
+allow kernel self:capability { chown mknod };
+
+# /dev/mbin0
+allow kernel emmcblk_device:blk_file r_file_perms;
+allow kernel device:blk_file { create setattr getattr unlink };
+
+# /bus/usb/001/001
+allow kernel device:dir { create write remove_name rmdir add_name };
+allow kernel device:chr_file { create setattr getattr unlink };
+
+# /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
+allow kernel sysfs_devices_system_cpu:file { setattr };
+allow kernel sysfs:file { setattr open };
+
+# /efs contents
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
+
+allow kernel sysfs_sec:dir search;
+allow kernel sysfs_sec:lnk_file read;
+
+allow kernel device:blk_file { create setattr };
+
+# /efs/wifi/.mac.info
+allow kernel wifi_efs_file:dir r_dir_perms;
+allow kernel wifi_efs_file:file r_file_perms;
+
+# /data/misc/conn/.wifiver.info
+allow kernel wifi_data_file:file rw_file_perms;
diff --git a/sepolicy/mediacode.te b/sepolicy/mediacode.te
new file mode 100644
index 0000000..953ad15
--- /dev/null
+++ b/sepolicy/mediacode.te
@@ -0,0 +1,5 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
new file mode 100644
index 0000000..44ae5a9
--- /dev/null
+++ b/sepolicy/mediaextractor.te
@@ -0,0 +1 @@
+allow mediaextractor fuse:file { getattr read };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..3c96e40
--- /dev/null
+++ b/sepolicy/mediaserver.te
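Review bot: `allow kernel device:blk_file { create setattr };` near the end of kernel.te is a subset of the earlier `allow kernel device:blk_file { create setattr getattr unlink };` and can be dropped. The `# /efs contents` pair grants the kernel domain `rw_file_perms` on efs_file, app_efs_file, battery_efs_file and sensor_efs_file, i.e. write access to calibration data from kernel threads; if these come from a driver reading files, `r_file_perms` may be all that is needed, so confirm against the denials. `self:capability { chown mknod }` together with `device:chr_file create` lets the kernel domain create device nodes, which is ueventd's job on Android; a comment should say why the kernel needs it here.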
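Review bot: The file is named mediacode.te but every rule in it is for the `mediacodec` domain; rename it to mediacodec.te so the one-file-per-domain convention used by the rest of this patch holds. `allow mediacodec sysfs:file r_file_perms;` is against the generic sysfs type while the comment names a single node (/sys/class/video4linux/video6/name), so labelling that node would keep the grant narrow. The file also lacks a trailing newline.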
@@ -0,0 +1,14 @@
+# /efs
+allow mediaserver efs_file:dir r_dir_perms;
+
+# /efs/wv.keys
+allow mediaserver efs_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow mediaserver camera_device:chr_file { read write open getattr ioctl };
+
+# Snap permissions
+allow mediaserver sensorservice_service:service_manager { find };
+allow mediaserver system_server:unix_stream_socket { read write };
+
+allow mediaserver ion_device:chr_file write;
diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te
new file mode 100644
index 0000000..8be56f4
--- /dev/null
+++ b/sepolicy/modemloader.te
@@ -0,0 +1,9 @@
+# modemloader
+type modemloader, domain;
+type modemloader_exec, exec_type, file_type;
+
+init_daemon_domain(modemloader)
+
+allow modemloader proc:file r_file_perms;
+
+set_prop(modemloader, modemloader_prop);
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..c9a2a7f
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+allow netd self:capability sys_module;
+
+allow netd gpsd:fd use;
+allow netd gpsd:udp_socket { getopt read setopt write };
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..8161cea
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,8 @@
+# CP-Boot Daemon
+type cpboot-daemon_prop, property_type;
+
+# modemloader
+type modemloader_prop, property_type;
+
+# mobicore (tee)
+type tee_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..6ce57c0
--- /dev/null
+++ b/sepolicy/property_contexts
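Review bot: The `# /efs/wv.keys` comment above `allow mediaserver efs_file:file r_file_perms;` does not match file_contexts in this patch, which labels /efs/wv.keys as cpk_efs_file; as written the rule gives mediaserver read access to every generic-labelled file in /efs and still does not cover wv.keys. Change it to `allow mediaserver cpk_efs_file:file r_file_perms;` (hal_drm_default.te already uses that type for the same file) and keep only the `efs_file:dir` read. `{ find }` on the sensorservice_service line does not need braces, and `{ read write open getattr ioctl }` on camera_device is `rw_file_perms`.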
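Review bot: `set_prop(modemloader, modemloader_prop);` ends with a semicolon after the m4 macro call, which survives expansion as a stray `;` after the macro's own rules; every other `set_prop` in this patch omits it, and tee.te has the same stray semicolon after its `file_type_auto_trans(...)` call. Drop it unless the policy compiler in use is known to accept an empty statement. `allow modemloader proc:file r_file_perms;` is against the generic proc type; a comment naming which /proc file is read would help narrow it later.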
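Review bot: `allow netd self:capability sys_module;` gives the network daemon CAP_SYS_MODULE, i.e. the ability to load kernel modules, which is a large grant for a process that parses untrusted network control traffic; if a module is required for a netd feature, have it loaded at boot by the loader domains this patch already defines (wifiloader, kernel) and leave netd without the capability. system_server.te in this patch grants the same capability under `# WifiMachine` and should be treated the same way. A comment naming the module that triggered the denial would make the grant reviewable.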
@@ -0,0 +1,17 @@
+# bluetooth
+persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
+ro.bluetooth.tty u:object_r:bluetooth_prop:s0
+wc_transport. u:object_r:bluetooth_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+
+# modemloader
+hw.revision u:object_r:modemloader_prop:s0
+ro.cbd.dt_revision u:object_r:modemloader_prop:s0
+ril.cbd.dt_revision u:object_r:modemloader_prop:s0
+ro.modemloader.done u:object_r:modemloader_prop:s0
+
+# mobicore
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..7cf5794
--- /dev/null
+++ b/sepolicy/rild.te
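Review bot: `cpboot-daemon_prop` is declared in property.te and granted via `set_prop(cpboot-daemon, cpboot-daemon_prop)`, but no entry in this property_contexts assigns any property to it, while the cbd-named properties `ro.cbd.dt_revision` and `ril.cbd.dt_revision` go to modemloader_prop. If cpboot-daemon is the process that sets those, move them to `u:object_r:cpboot-daemon_prop:s0`; otherwise the unused type should be dropped. `wc_transport.` is a prefix entry that captures every property under that namespace as bluetooth_prop; a comment saying that is intended would help.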
@@ -0,0 +1,60 @@
+# Allow rild to change perms
+allow rild self:capability { chown };
+
+# Allow additiional efs access
+allow rild bin_nv_data_efs_file:file create_file_perms;
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file r_file_perms;
+
+# /dev
+allow rild audioserver:dir r_dir_perms;
+
+# /proc//cmdline
+allow rild audioserver:file r_file_perms;
+
+# /dev/mbin0
+allow rild block_device:dir r_dir_perms;
+allow rild emmcblk_device:blk_file r_file_perms;
+
+# /dev/umts*
+allow rild mif_device:chr_file rw_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+allow rild gpsd:dir r_dir_perms;
+allow rild gpsd:file r_file_perms;
+
+# rild reads /proc/pid/cmdline of mediaserver
+allow rild mediaserver:dir { open read search getattr };
+allow rild mediaserver:file { open read getattr };
+
+# /data/misc/radio/*
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+
+# /data/data/com.android.providers.telephony/databases/telephony.db
+allow rild radio_data_file:lnk_file r_file_perms;
+
+# sdcard/SDET_PLMN/input/MNCMCC.txt
+allow rild storage_file:dir { r_dir_perms };
+allow rild storage_file:lnk_file { r_file_perms };
+allow rild mnt_user_file:dir { r_dir_perms };
+allow rild mnt_user_file:lnk_file { r_file_perms };
+
+# Modem firmware download
+allow rild radio_block_device:blk_file r_file_perms;
+
+# persist.ril.modem.board
+set_prop(modemloader, radio_prop)
+
+allow rild sec_efs_file:file getattr;
+allow rild sec_efs_file:dir search;
+allow rild sysfs:dir r_dir_perms;
+allow rild sysfs_sec:dir search;
+allow rild sysfs_sec:lnk_file read;
+
+# /dev/knox_kap
+allow rild knox_device:chr_file r_file_perms;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..7c40f68
--- /dev/null
+++ b/sepolicy/service_contexts
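Review bot: `set_prop(modemloader, radio_prop)` under the `# persist.ril.modem.board` comment grants modemloader, not rild, although it sits in rild.te; either it belongs in modemloader.te or the subject should be `rild`, and the intent needs stating either way. Several comments do not describe their rule: `# /dev` above `allow rild audioserver:dir r_dir_perms;` and `# /proc//cmdline` above the matching file rule are really /proc/<pid> reads of audioserver, and `# /data/data/com.android.providers.telephony/databases/telephony.db` sits above a radio_data_file lnk_file rule. `allow rild proc_net:file rw_file_perms;` lets rild write under /proc/sys/net; if only accept_ra_defrtr is touched, say so in the comment and consider whether netd should own that write. `additiional` is a typo.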
@@ -0,0 +1,2 @@
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
\ No newline at end of file
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..0c8687e
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# HWC
+allow surfaceflinger secmem_device:chr_file rw_file_perms;
diff --git a/sepolicy/sysfs_sec.te b/sepolicy/sysfs_sec.te
new file mode 100644
index 0000000..eaaf54a
--- /dev/null
+++ b/sepolicy/sysfs_sec.te
@@ -0,0 +1,2 @@
+#============= sysfs_sec ==============
+allow sysfs_sec sysfs:filesystem associate;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..2f8a6ae
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,3 @@
+allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie_writable:dir search;
+allow system_app wificond:binder call;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..6359aa8
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,51 @@
+# /dev/mbin0
+allow system_server emmcblk_device:dir search;
+
+# /efs
+allow system_server efs_file:dir r_dir_perms;
+
+# /efs/FactoryApp/gyro_cal_data
+allow system_server sensor_efs_file:file r_file_perms;
+
+# /data/system/gps/.gps.interface.pipe.*
+type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+allow system_server gps_data_file:fifo_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+
+# /data/system/gps/chip.info
+allow system_server gps_data_file:file create_file_perms;
+
+# /efs/prox_cal
+allow system_server efs_file:file r_file_perms;
+
+# /efs/FactoryApp
+allow system_server app_efs_file:dir r_dir_perms;
+allow system_server app_efs_file:file r_file_perms;
+
+# WifiMachine
+allow system_server self:capability { sys_module };
+allow system_server wifi_efs_file:dir r_dir_perms;
+allow system_server wifi_efs_file:file r_file_perms;
+
+# mDNIE
+allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie_writable:dir r_dir_perms;
+allow system_server sysfs_mdnie_writable:file rw_file_perms;
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs:file r_file_perms;
+
+# /data/system/gps/xtraee.bin
+allow system_server gps_data_file:file create_file_perms;
+
+allow system_server emmcblk_device:blk_file { getattr ioctl open read write };
+allow system_server gps_data_file:dir { add_name remove_name write search };
+allow system_server gps_data_file:file { create setattr unlink write };
+allow system_server gpsd:unix_stream_socket connectto;
+allow system_server sysfs_sec:dir search;
+allow system_server sysfs_sec:ln k_file read;
+allow system_server crash_dump:process getpgid;
+allow system_server unlabeled:dir write;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..960cebf
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,11 @@
+# mobicore
+
+# Allow to create files and directories /data/app/mcRegistry
+file_type_auto_trans(tee, apk_data_file, tee_data_file);
+
+# /efs
+allow tee { efs_file prov_efs_file }:dir r_dir_perms;
+allow tee { efs_file prov_efs_file }:file r_file_perms;
+
+# sys.mobicore.enable
+set_prop(tee, tee_prop)
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644
index 0000000..5355ee0
--- /dev/null
+++ b/sepolicy/toolbox.te
@@ -0,0 +1,6 @@
+allow toolbox block_device:dir { add_name write };
+allow toolbox block_device:lnk_file create;
+allow toolbox emmcblk_device:blk_file setattr;
+allow toolbox self:capability { chown fowner fsetid };
+allow toolbox sysfs:file getattr;
+allow toolbox sysfs_devices_system_cpu:file setattr;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..1095b4d
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,11 @@
+# /dev/block/mmcblk0p[0-9]
+#allow ueventd emmcblk_device:blk_file create_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink getattr };
+
+# read/chown camera firmware
+allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera_writable:filesystem associate;
+
+allow ueventd sysfs_sec:dir { open read relabelto search };
+allow ueventd sysfs_sec:lnk_file relabelto;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..78db9c8
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt emmcblk_device:blk_file w_file_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;
\ No newline at end of file
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..c147c5e
--- /dev/null
+++ b/sepolicy/vold.te
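Review bot: `allow system_server unlabeled:dir write;` on the last line of the hunk papers over a directory that has no label at all; the fix is to find that path and give it a file_contexts entry, since `unlabeled` is whatever a relabel pass missed. `allow system_server emmcblk_device:blk_file { getattr ioctl open read write };` gives system_server write access to the raw catch-all partition type (see the note on cpboot-daemon.te). `allow system_server gps_data_file:file create_file_perms;` appears twice (under `# /data/system/gps/chip.info` and `# /data/system/gps/xtraee.bin`), and the later `gps_data_file:dir { add_name remove_name write search }` and `gps_data_file:file { create setattr unlink write }` lines are subsets of the earlier rw_dir_perms and create_file_perms grants; collapse them to one rule each.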
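Review bot: The comment `# Allow to create files and directories /data/app/mcRegistry` above `file_type_auto_trans(tee, apk_data_file, tee_data_file);` does not match file_contexts, which labels /data/misc/mcRegistry as tee_data_file; the transition from apk_data_file means files the TEE daemon creates under /data/app get the tee type, so confirm which directory is meant and fix either the comment or the source type. `# sys.mobicore.enable` names a property that property_contexts spells `sys.mobicoredaemon.enable`. The trailing `;` after the macro call is the same stray semicolon noted for modemloader.te.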
@@ -0,0 +1,5 @@
+# /efs
+allow vold efs_file:dir r_dir_perms;
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+#allow vold emmcblk_device:blk_file create_file_perms;
diff --git a/sepolicy/wifiloader.te b/sepolicy/wifiloader.te
new file mode 100644
index 0000000..3cde6bb
--- /dev/null
+++ b/sepolicy/wifiloader.te
@@ -0,0 +1,11 @@
+# wifiloader
+type wifiloader, domain;
+type wifiloader_exec, exec_type, file_type;
+
+init_daemon_domain(wifiloader)
+
+allow wifiloader proc:file r_file_perms;
+
+# load .ko modules
+allow kernel self:capability sys_module;
+allow wifiloader self:capability sys_module;
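Review bot: `allow vold emmcblk_device:dir create_dir_perms;` is a directory rule on a type that file_contexts only ever assigns to block-device nodes (`/dev/block/mmcblk0p[0-9]*`), so unless a directory acquires that label by another route the rule is dead; the same `:dir` usage appears in system_server.te (`search`) and uncrypt.te (`r_dir_perms`). Check the original denials for the actual object path and label that. The comment `# /dev/block/mmcblk0p[0-9]` above it describes block files rather than a directory, and the commented-out `#allow vold emmcblk_device:blk_file create_file_perms;` should be removed rather than left as dead text.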
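Review bot: `allow kernel self:capability sys_module;` is a rule for the kernel domain placed in wifiloader.te, where a reader looking at kernel.te (also created by this patch) will not find it; move it there next to the other kernel capabilities. The `# load .ko modules` comment then applies only to `allow wifiloader self:capability sys_module;`, which is the expected home for CAP_SYS_MODULE and makes the additional grants of the same capability to netd and system_server elsewhere in this patch harder to justify.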