diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
index 9d1a5f9..197a74e 100644
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@@ -1,5 +1,9 @@
 # Allow rild to connect to gpsd
 unix_socket_connect(audioserver, property, rild)
+# /efs/maxim
 allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
 allow audioserver { efs_file sec_efs_file }:file r_file_perms;
+
+# TFA98xx amplifier
+allow audioserver amplifier_device:chr_file rw_file_perms;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index 7884d52..c4dea7e 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -1,5 +1,8 @@
 # /dev/ttySAC0
 allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
+# wcnss_filter
+allow bluetooth wcnss_filter:unix_stream_socket connectto;
+
 # /data/.cid.info
 allow bluetooth wifi_data_file:file r_file_perms;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 17c04b5..302d5e0 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -1,18 +1,18 @@
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
 # /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera_writable:file rw_file_perms;
+allow cameraserver sysfs_camera:file rw_file_perms;
 # searching for syses nodes
-allow cameraserver sysfs_camera_writable:dir search;
+allow cameraserver sysfs_camera:dir search;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
 # /data/media(/.*)?
 allow cameraserver media_rw_data_file:dir r_dir_perms;
 allow cameraserver media_rw_data_file:file r_file_perms;
-# /dev/m2m1shot_jpeg
-allow cameraserver camera_device:chr_file rw_file_perms;
-
-# /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera_writable:file rw_file_perms;
-
-# /data/camera/ISP_CV
-allow cameraserver camera_data_file:file r_file_perms;
+# sysfs_virtual
+allow cameraserver sysfs_virtual:dir search;
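Review bot: `allow audioserver amplifier_device:chr_file rw_file_perms;` hands the framework-side audioserver read/write on a raw I2C bus node (amplifier_device is /dev/i2c-20 per this commit's device.te and file_contexts), and the hal_audio_default.te hunk in the same commit grants the same node to the audio HAL. Where the audio HAL runs as its own process, the amplifier is normally driven from hal_audio_default only, so the audioserver rule looks like a leftover of the pre-HAL layout; if audioserver really opens /dev/i2c-20 itself, a comment naming the component that does so would help the next reviewer. Because /dev/i2c-20 is the bus device rather than the amplifier alone, the comment `# TFA98xx amplifier` understates the grant; `# /dev/i2c-20 (shared I2C bus; TFA98xx amplifier sits on it)` describes what is actually reachable.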
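Review bot: `allow bluetooth wcnss_filter:unix_stream_socket connectto;` references a wcnss_filter domain, but this commit only adds a `wcnss_filter_exec` label in file_contexts and no `type wcnss_filter, domain;` appears in any hunk; unless the domain comes from a policy file outside this diff, the build will fail on the undefined type. If it is declared elsewhere, a comment such as `# wcnss_filter domain: see <file that declares it>` makes the dependency visible; if it is not, the domain declaration, its `init_daemon_domain`, and the sock_file write rule that connectto on its own does not cover are all still missing.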
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
new file mode 100644
index 0000000..61e5af8
--- /dev/null
+++ b/sepolicy/charger.te
@@ -0,0 +1 @@
+allow charger sysfs_charger:file { open read getattr };
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
index c4a3a10..cf5bd38 100644
--- a/sepolicy/cpboot-daemon.te
+++ b/sepolicy/cpboot-daemon.te
@@ -1,11 +1,11 @@
 # modem daemon sec label
-type cpboot-daemon, domain;
-type cpboot-daemon_exec, exec_type, file_type;
+type cpboot-daemon, domain, coredomain;
+type cpboot-daemon_exec, exec_type, file_type, system_file_type;
 net_domain(cpboot-daemon)
 init_daemon_domain(cpboot-daemon)
 wakelock_use(cpboot-daemon)
-#unix_socket_connect(cpboot-daemon, property, init)
+set_prop(cpboot-daemon, modemloader_prop)
 allow cpboot-daemon self:capability { setuid setgid };
@@ -14,22 +14,23 @@ allow cpboot-daemon self:capability { setuid setgid };
 allow cpboot-daemon kernel:system syslog_read;
 allow cpboot-daemon cgroup:dir create_dir_perms;
+# /dev/log/*
+#allow cpboot-daemon log_device:dir r_dir_perms;
+#allow cpboot-daemon log_device:chr_file rw_file_perms;
 # /dev/kmsg (write to kernel log)
 allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
 # /dev/umts_boot0
 allow cpboot-daemon mif_device:chr_file rw_file_perms;
-
 # /dev/mbin0
 allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
-
-# /dev/spi_boot_link
-allow cpboot-daemon radio_device:chr_file rw_file_perms;
-
 # /dev/block/mmcblk0p13
 allow cpboot-daemon block_device:dir r_dir_perms;
 allow cpboot-daemon radio_block_device:blk_file r_file_perms;
+# /dev/mipi-lli/lli_control
+allow cpboot-daemon sysfs_mipi:file rw_file_perms;
+
 # /efs
 allow cpboot-daemon efs_file:dir r_dir_perms;
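Review bot: The comment `# /dev/mipi-lli/lli_control` above `allow cpboot-daemon sysfs_mipi:file rw_file_perms;` does not match the labels this commit assigns: file_contexts puts /dev/mipi-lli/lli_control under mif_device and only /sys/devices/10f24000.mipi-lli/lli_control under sysfs_mipi, so the rule actually covers the sysfs node; change the comment to `# /sys/devices/10f24000.mipi-lli/lli_control`. The two `#allow cpboot-daemon log_device:...` lines are dead policy kept as comments and are better dropped, as the commit already did with the old `#unix_socket_connect` line in the hunk above. Separately, cpboot-daemon becomes `coredomain` with a `system_file_type` exec label while file_contexts now places its binary at /(vendor|system/vendor)/bin/cbd; the gpsd, macloader and modemloader hunks follow the same pattern, and on a build that enforces the system/vendor split those labels conflict with the base policy's partition rules, so it is worth confirming this target is not subject to them. cpboot-daemon's rule set continues in the next hunk.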
@@ -40,7 +41,7 @@ allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
 allow cpboot-daemon sysfs:file r_file_perms;
 # /proc/cmdline
-allow cpboot-daemon proc:file r_file_perms;
+allow cpboot-daemon proc_cmdline:file r_file_perms;
 # set properties on boot
 set_prop(cpboot-daemon, cpboot-daemon_prop)
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 770e271..89cfe5d 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,26 +1,35 @@
-# /dev/s5p-smem
-type secmem_device, dev_type;
+# /dev/ttySAC3
+type bluetooth_device, dev_type;
-# /dev/umts*
-type mif_device, dev_type;
-
-# /dev/block/mmcblk0p[0-9]
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
 type emmcblk_device, file_type;
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
 # /dev/rfkill
 type rfkill_device, dev_type;
-# efs
-type efs_block_device, dev_type;
+# /dev/s5p-smem
+type secmem_device, dev_type;
-# radio
-type radio_block_device, dev_type;
+# /dev/bbd*, /dev/ttyBCM[0-9]*
+type bbd_device, dev_type;
-# gps
-type gps_device, dev_type;
+# /dev/vfsspi
+type fingerprint_device, dev_type;
-# bluetooth
-type bluetooth_device, dev_type;
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
 # /dev/knox_kap
 type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 051c0e7..c8d8d53 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -1 +1 @@
-dontaudit domain kernel:system module_request;
\ No newline at end of file
+dontaudit domain kernel:system module_request;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index c9583f8..5e76bd6 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
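Review bot: The comment `# /dev/ttySAC3` over `type bluetooth_device, dev_type;` disagrees with file_contexts in the same commit, which labels /dev/ttySAC0 as bluetooth_device and /dev/ttySAC[1-9]* as gps_device; `# /dev/ttySAC0` is the path the policy actually uses. The same applies to `# /dev/vfsspi` over fingerprint_device, where file_contexts labels /dev/esfp0, and to the mif_device comment, which omits /dev/__cbd_msg_ and /dev/mipi-lli/lli_control that also receive that label. These comments are the only documentation of what each dev_type covers, so keeping them in step with file_contexts is what lets a reader audit which domains can reach which node. The pre-existing `type emmcblk_device, file_type;` declaring a /dev block node without dev_type is untouched here but worth a follow-up.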
@@ -1,23 +1,42 @@
-# efs types
+### efs types
 type app_efs_file, file_type;
 type battery_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
 type bin_nv_data_efs_file, file_type;
-type nv_log_efs_file, file_type;
+type sec_efs_file, file_type;
+# widewine, drm
 type cpk_efs_file, file_type;
+type drm_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
 type imei_efs_file, file_type;
 type prov_efs_file, file_type;
-type sec_efs_file, file_type;
-type wifi_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
 type sensor_efs_file, file_type;
-
-# general types
-type mobicore_data_file, file_type, data_file_type, core_data_file_type;
+type sensor_factoryapp_efs_file, file_type;
+type wifi_efs_file, file_type;
+# gps
 type gps_data_file, file_type, data_file_type, core_data_file_type;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type gps_socket, file_type;
-# sysfs types
-type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
-type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+### data types
+type display_vendor_data_file, file_type, data_file_type;
+
+### sysfs types
+type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_svc, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
+
+# file
+type mobicore_data_file, file_type, data_file_type, core_data_file_type;
 allow sysfs_type tmpfs:filesystem associate;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index b38a970..6efd1a8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,10 +1,15 @@
-# devices
+##########################
+# Devices
 /dev/mali[0-9]* u:object_r:gpu_device:s0
-/dev/mali.* u:object_r:video_device:s0
+
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
 /dev/ttySAC0 u:object_r:bluetooth_device:s0
 /dev/s5p-smem u:object_r:secmem_device:s0
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
 /dev/v4l-subdev[0-9]* u:object_r:video_device:s0
 /dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0
@@ -13,14 +18,14 @@
 /dev/mtp_usb* u:object_r:mtp_device:s0
+/dev/__cbd_msg_ u:object_r:mif_device:s0
 /dev/umts.* u:object_r:mif_device:s0
+/dev/ehci_power u:object_r:mif_device:s0
+/dev/mipi-lli/lli_control u:object_r:mif_device:s0
 /dev/gnss_ipc u:object_r:gps_device:s0
 /dev/ttySAC[1-9]* u:object_r:gps_device:s0
-/dev/socket/rild2 u:object_r:rild_socket:s0
-/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
-
 /dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
 /dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
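Review bot: `# widewine, drm` misspells Widevine and sits above `type cpk_efs_file` while `type drm_efs_file` follows two lines later, so it is unclear which declaration it describes; `# cpk (Widevine keybox) and drm efs data` placed directly over the two types reads unambiguously. `type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;` is declared with no note that file_contexts in this same commit maps the whole /sys/devices/virtual(/.*)? subtree to it; a one-line comment such as `# catch-all for /sys/devices/virtual; give nodes that need write their own type` would discourage widening the write grants this commit already gives hal_power_default, hal_light_default and init on it. The truncated `# file` heading over mobicore_data_file says nothing; `# mobicore registry (/data/misc/mcRegistry)` matches the file_contexts entry.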
@@ -32,62 +37,172 @@
 /dev/rfkill u:object_r:rfkill_device:s0
+/dev/bbd_control u:object_r:bbd_device:s0
+/dev/bbd_packet u:object_r:bbd_device:s0
+/dev/bbd_patch u:object_r:bbd_device:s0
+/dev/bbd_reliable u:object_r:bbd_device:s0
+/dev/bbd_sensor u:object_r:bbd_device:s0
+/dev/bbd_sio u:object_r:bbd_device:s0
+/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
+
+/dev/esfp0 u:object_r:fingerprint_device:s0
+
+/dev/batch_io u:object_r:sensor_device:s0
+/dev/ssp_sensorhub u:object_r:sensor_device:s0
+
+# TFA98xx amplifier
+/dev/i2c-20 u:object_r:amplifier_device:s0
+
 # Knox status
 /dev/knox_kap u:object_r:knox_device:s0
+####################################
 # efs files
-/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
-/efs/FactoryApp/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/prox_cal u:object_r:sensor_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
 /efs/Battery(/.*)? u:object_r:battery_efs_file:s0
 /efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/drm(/.*)? u:object_r:drm_efs_file:s0
 /efs/gyro_cal_data u:object_r:sensor_efs_file:s0
-/efs/cpk/h2k.dat u:object_r:cpk_efs_file:s0
 /efs/h2k\.dat u:object_r:cpk_efs_file:s0
 /efs/imei(/.*)? u:object_r:imei_efs_file:s0
 /efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
 /efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
-/efs/nv.log u:object_r:nv_log_efs_file:s0
 /efs/prov(/.*)? u:object_r:prov_efs_file:s0
 /efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
-/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0
-/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
-/efs/wv.keys u:object_r:cpk_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv\.keys u:object_r:cpk_efs_file:s0
+/cpefs(/.*)? u:object_r:sec_efs_file:s0
+
+####################################
 # data files
-/data/camera(/.*)? u:object_r:camera_data_file:s0
-/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
-/data/system/gps(/.*)? u:object_r:gps_data_file:s0
-/data/\.cid\.info u:object_r:wifi_data_file:s0
-/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/\.cid\.info u:object_r:wifi_data_file:s0
+/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+
+# gps
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0
+/data/gps/nmeapipe u:object_r:gps_data_file:s0
+
+# mobicore
+/data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0
+
+/data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# camera
+/data/camera/ISP_CV u:object_r:camera_data_file:s0
+
+####################################
 # sysfs files
-/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
-/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
-/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0
-/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0
+/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs:s0
 # bluetooth
-/sys/devices/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/extldo u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/extldo u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera_writable:s0
+# brightness
+/sys/devices/[0-9]*\.dsim/backlight/panel/brightness u:object_r:sysfs_brightness:s0
+/sys/devices/[0-9]*\.dsim/backlight/panel/max_brightness u:object_r:sysfs_brightness:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie_writable:s0
+# camera
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
-/system/bin/modemloader u:object_r:modemloader_exec:s0
-/system/bin/wifiloader u:object_r:wifiloader_exec:s0
-/system/bin/cbd u:object_r:cpboot-daemon_exec:s0
-/system/bin/gpsd u:object_r:gpsd_exec:s0
+# charger
+/sys/devices/battery/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*) u:object_r:sysfs_charger:s0
-# Mobicore
-/dev/mobicore u:object_r:tee_device:s0
-/dev/mobicore-user u:object_r:tee_device:s0
-/data/misc/mcRegistry(/.*)? u:object_r:tee_data_file:s0
-/system/bin/mcDriverDaemon u:object_r:tee_exec:s0
+# CP device
+/dev/spi_boot_link u:object_r:radio_device:s0
+# cbd
+/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0
+
+# livedisplay
+/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
+
+# gps
+/sys/devices/soc0/machine u:object_r:sysfs_gps:s0
+/sys/devices/soc0/revision u:object_r:sysfs_gps:s0
+
+# input
+/sys/devices/i2c@20/i2c-6/6-0020/input/input0(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/13890000.i2c/i2c-9/9-0048/input/input1(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/10610000.hsi2c/i2c-0/0-a004/input/input2(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/gpio_keys/input/input3(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/hall/input/input4(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/certify_hall/input/input5(/.*)? u:object_r:sysfs_input:s0
+
+# lcd
+/sys/devices/[0-9]*\.dsim/lcd/panel/adaptive_control u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/alpm u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/dpui u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/dpui_dbg u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/lcd_type u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/lux u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/manufacture_code u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/temperature u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/window_type u:object_r:sysfs_lcd:s0
+
+# modem
+/sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp:s0
+/dev/socket/rild2 u:object_r:rild_socket:s0
+/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
+
+# mDNIe
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mdnie_ldu u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/whiteRGB u:object_r:sysfs_mdnie:s0
+
+# sec
+/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+
+# svc
+/sys/devices/svc(/.*)? u:object_r:sysfs_svc:s0
+
+# virtual
+/sys/devices/virtual(/.*)? u:object_r:sysfs_virtual:s0
+
+
+####################################
+# deamons
+#
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.3-radio-service\.samsung u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service u:object_r:hal_gnss_default_exec:s0
+
+/(vendor|system/vendor)/bin/cbd u:object_r:cpboot-daemon_exec:s0
+/(vendor|system/vendor)/bin/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/macloader u:object_r:macloader_exec:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/modemloader u:object_r:modemloader_exec:s0
+/(vendor|system/vendor)/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0
+/(vendor|system/vendor)/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
index 96d0567..be65ed3 100644
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@@ -1,3 +1,2 @@
 # /dev/block/mmcblk0p3
-allow fsck emmcblk_device:blk_file rw_file_perms;
-allow fsck efs_block_device:blk_file { ioctl open read write };
+allow fsck emmcblk_device:blk_file { read write open ioctl getattr };
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
index 7e8cfeb..d33bb17 100644
--- a/sepolicy/gpsd.te
+++ b/sepolicy/gpsd.te
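Review bot: `+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0` leaves the dot unescaped even though the same hunk corrects `/efs/wv\.keys`; write `/efs/nv\.log`. `/sys/devices/battery/power_supply(/.*)`, the two charger `power_supply(/.*)` entries and `/sys/devices/virtual/misc/multipdp(/.*)` use `(/.*)` without the trailing `?`, so the directory itself stays under the generic sysfs label rather than the dedicated type; `(/.*)?` is what the rest of the file uses. `/sys/devices/virtual(/.*)?` → sysfs_virtual overlaps the more specific sysfs_camera and sysfs_multipdp entries earlier in the block, so confirm that the label selector's precedence rules pick the specific types for those subtrees; if the catch-all wins, cameraserver's and rild's rules on those types silently stop matching. `# deamons` should read `# daemons`.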
@@ -1,37 +1,43 @@
-# gps daemon sec label
-type gpsd, domain;
-type gpsd_exec, exec_type, file_type;
+type gpsd, domain, coredomain;
+type gpsd_exec, exec_type, file_type, system_file_type;
-init_daemon_domain(gpsd)
-wakelock_use(gpsd)
+init_daemon_domain(gpsd);
 # Automatically label files created in /data/system/gps as gps_data_file
 file_type_auto_trans(gpsd, system_data_file, gps_data_file)
-# Allow rild to connect to gpsd
+# Allow rild and netd to connect to gpsd
 unix_socket_connect(gpsd, property, rild)
+unix_socket_connect(gpsd, property, netd)
 allow gpsd system_server:unix_stream_socket { read write setopt };
 binder_call(gpsd, system_server)
 binder_use(gpsd)
+# Sockets
+type_transition gpsd gps_data_file:sock_file gps_socket;
+
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd gps_socket:sock_file create_file_perms;
+allow gpsd self:udp_socket { create bind connect read setopt write };
+
+# sysfs_gps
+allow gpsd system_file:dir { open read getattr };
+allow gpsd sysfs_gps:file { open read getattr };
+
 # /dev/ttySAC0
 allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms };
 allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
-allow gpsd gps_data_file:dir { search write add_name remove_name };
-allow gpsd gps_data_file:file { create rw_file_perms };
+allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };
 allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
 allow gpsd sysfs_wake_lock:file rw_file_perms;
-allow gpsd sysfs:file { open read getattr };
-
-allow gpsd dnsproxyd_socket:sock_file write;
-allow gpsd fwmarkd_socket:sock_file write;
-allow gpsd netd:unix_stream_socket connectto;
-allow gpsd self:udp_socket { connect create read setopt write };
+allow gpsd sensorservice_service:service_manager { find };
+# /dev/umts_boot0
 allow gpsd mif_device:chr_file r_file_perms;
-allow gpsd shell_exec:file { execute execute_no_trans getattr open read };
-allow gpsd toolbox_exec:file { execute execute_no_trans getattr open read };
+
+allow gpsd shell_exec:file execute;
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..391ef29
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1 @@
+allow hal_audio_default amplifier_device:chr_file { open read write ioctl };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index a482538..4a0cd12 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,5 +1,5 @@
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_camera_default sysfs_camera_writable:dir search;
-allow hal_camera_default sysfs_camera_writable:file { getattr open read write };
-allow hal_camera_default vndbinder_device:chr_file { read write open ioctl};
+# vndbinder
+allow hal_camera_default vndbinder_device:chr_file rw_file_perms;
+# sysfs
+allow hal_camera_default sysfs_virtual:dir search;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..122d488
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
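Review bot: `init_daemon_domain(gpsd);` gains a trailing semicolon that no other macro call in this file (`file_type_auto_trans`, `binder_use`, `unix_socket_connect`) or in the rest of the commit uses, and the modemloader.te hunk removes exactly such a semicolon from `set_prop`; drop it for consistency. `allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };` lists four permissions that rw_dir_perms already contains, so `allow gpsd gps_data_file:dir rw_dir_perms;` says the same thing. Removing `allow gpsd gps_data_file:file { create rw_file_perms };` leaves gpsd with no file-class access to gps_data_file while file_type_auto_trans still labels its new files that way; unless gpsd now only creates sockets and fifos there, this will surface as denials, so it is worth confirming against logs. The `# sysfs_gps` comment also sits over a system_file:dir rule that has nothing to do with sysfs; `# system binaries / libraries` on that line and `# /sys/devices/soc0/{machine,revision}` on the sysfs_gps line would match file_contexts.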
@@ -0,0 +1,20 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default);
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+
+# sysfs_virtual
+allow hal_fingerprint_default sysfs_virtual:dir { read open search };
+allow hal_fingerprint_default sysfs_virtual:file { read open };
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..db428c5
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1,3 @@
+allow hal_light_default sysfs_brightness:file { open read write getattr };
+allow hal_light_default sysfs_virtual:dir search;
+allow hal_light_default sysfs_virtual:file { read write open getattr };
diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te
new file mode 100644
index 0000000..1f4db7b
--- /dev/null
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
@@ -0,0 +1,6 @@
+# Allow LiveDisplay to store files under /data/vendor/display and access them
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
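Review bot: `binder_call(system_app, hal_fingerprint_default);` carries a trailing semicolon unlike the other macro calls in this commit, and the comment above it, `# allow hal_fingerprint_default to communicate with various devices`, describes the device rules that follow rather than this macro, which lets system_app make binder calls into the HAL; `# system_app reaches the fingerprint HAL over binder` over the macro, with the device comment moved down to the first allow rule, would read correctly. `allow hal_fingerprint_default tee:unix_stream_socket connectto;` alone does not let the HAL reach the TEE daemon's socket unless a sock_file write rule on that socket's label exists elsewhere; if the usual client pattern is intended, spelling it with `unix_socket_connect` or an explicit sock_file rule documents it. The secmem_device and tee_device read/write grants are expected for a TEE-backed fingerprint HAL but deserve a comment naming the trusted application they serve.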
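Review bot: `allow hal_light_default sysfs_virtual:file { read write open getattr };` grants write to every node under /sys/devices/virtual(/.*)?, because this commit labels that whole subtree sysfs_virtual; the brightness nodes the light HAL needs already have their own sysfs_brightness type on the first line, so this rule looks like a stand-in for an LED or notification node that should get its own type. The same broad write on sysfs_virtual is granted to hal_power_default and to init in their hunks; if the real targets are known from the denials, labeling them and holding sysfs_virtual at `dir search` plus read-only file access keeps the catch-all from becoming a write path into unrelated drivers.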
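Review bot: The comment `# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie` names sysfs_graphics, but the two rules under it only cover sysfs_mdnie; either the sysfs_graphics rules were dropped or the comment was copied from another device. `# Allow LiveDisplay to read and write the mDNIe nodes (sysfs_mdnie)` matches what is granted.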
diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te
new file mode 100644
index 0000000..60c7184
--- /dev/null
+++ b/sepolicy/hal_lineage_touch_default.te
@@ -0,0 +1,6 @@
+allow hal_lineage_touch_default sysfs_input:dir search;
+allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
+
+allow hal_lineage_touch_default sysfs_virtual:dir search;
+allow hal_lineage_touch_default sysfs_virtual:file { open read getattr };
+allow hal_lineage_touch_default sysfs_virtual:lnk_file read;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index b932ecd..6893489 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1,3 +1,13 @@
-allow hal_power_default sysfs:file { open write read };
+# Allow reading of sysfs nodes to find input devices
+allow hal_power_default sysfs:dir r_dir_perms;
+allow hal_power_default sysfs:file r_file_perms;
+
 allow hal_power_default sysfs_devices_system_cpu:file write;
-allow hal_power_default sysfs:dir { open read };
+
+allow hal_power_default sysfs_input:dir { open read search };
+allow hal_power_default sysfs_input:file { open read write getattr };
+
+allow hal_power_default sysfs_virtual:dir { open read search };
+allow hal_power_default sysfs_virtual:file { open read write getattr };
+allow hal_power_default sysfs:dir { read open };
+allow hal_power_default sysfs:file { read write open };
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
index 4dd46bc..0fcb8a2 100644
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
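Review bot: The hunk grants the generic sysfs label twice with different scopes: `allow hal_power_default sysfs:dir r_dir_perms;` / `sysfs:file r_file_perms;` at the top, then `allow hal_power_default sysfs:dir { read open };` / `sysfs:file { read write open };` at the bottom, and the second file rule adds write to every generically-labeled sysfs node, which contradicts the new comment `# Allow reading of sysfs nodes to find input devices`. Keep the top pair, drop the bottom pair, and if a write target really exists give it its own type as the commit does for sysfs_input and sysfs_devices_system_cpu. The `sysfs_virtual:file { open read write getattr }` line above them is the same catch-all write raised on the hal_light_default hunk.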
@@ -1,6 +1,15 @@
-allow hal_wifi_default sysfs:file write;
+#### hal_wifi_default
+#
+
+# wifi_data_file
+allow hal_wifi_default wifi_data_file:file { read write open };
+
+# /efs
+allow hal_wifi_default efs_file:dir search;
+
+# /efs/wifi
 allow hal_wifi_default wifi_efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:file { open read };
-allow hal_wifi_default system_data_file:file { open read };
-allow hal_wifi_default efs_file:dir search;
-allow hal_wifi_default wifi_data_file:file { open read write };
+
+# load .ko modules
+allow hal_wifi_default self:capability sys_module;
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
index 2889bfa..9ea50d0 100644
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
@@ -1,3 +1,5 @@
 # healthd
 allow healthd device:dir rw_dir_perms;
-allow healthd rtc_device:chr_file rw_file_perms;
\ No newline at end of file
+allow healthd rtc_device:chr_file rw_file_perms;
+allow healthd sysfs:file { open read getattr };
+allow healthd sysfs_charger:file { open read getattr };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 92918a5..16acd62 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -11,10 +11,11 @@ allow init block_device:lnk_file { setattr };
 allow init tmpfs:lnk_file create_file_perms;
 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
-allow init sysfs:dir r_dir_perms;
+allow init proc:file { getattr setattr read write open };
-# required for LD_SHIM_LIBS
-allow init { domain -lmkd -crash_dump }:process noatsecure;
+# Shim libs
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;
 # /data
 allow init sdcardd_exec:file r_file_perms;
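Review bot: `allow hal_wifi_default self:capability sys_module;` gives the Wi-Fi HAL CAP_SYS_MODULE, the right to load kernel modules, and the comment `# load .ko modules` does not say which module or from which path. On kernels that enforce the SELinux `system:module_load` permission the load also needs a rule on the module file's label, which this hunk does not add; on older kernels nothing in policy bounds which file may be loaded. A comment naming the module path and its label, together with the matching `module_load` rule where the kernel supports it, documents the scope. Dropping `system_data_file:file { open read }` looks fine given the file_contexts hunk now labels /data/.cid.info as wifi_data_file, which the new wifi_data_file rule covers.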
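Review bot: `allow init proc:file { getattr setattr read write open };` replaces the old sysfs dir rule, but the comment above it, `# /sys/class/power_supply/battery and /sys/class/android_usb/android0`, still describes the removed line; the new rule is unrelated to sysfs, and `proc` is the generic label for all of procfs, so read/write on it records nothing about which file init touches. The commit itself uses the narrower proc_cmdline for cpboot-daemon, so the same approach applies here: a comment naming the /proc path and the dedicated proc_* type if the base policy provides one. Narrowing noatsecure from every domain to cameraserver and hal_fingerprint_default is a clear improvement. init's rule set continues in the next hunk.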
@@ -23,15 +24,33 @@ allow init sdcardd_exec:file r_file_perms;
 allow init sysfs:lnk_file setattr;
 # read/chown mDNIE symlinks
-allow init sysfs_mdnie_writable:lnk_file { read setattr };
+allow init sysfs_mdnie:lnk_file { read setattr };
 # read/chown camera firmware
-allow init sysfs_camera_writable:file { relabelto setattr };
-allow init sysfs_camera_writable:filesystem associate;
+allow init sysfs_camera:file { relabelto setattr };
+allow init sysfs_camera:filesystem associate;
+# sysfs
+allow init sysfs_bluetooth_writable:file setattr;
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_multipdp:file setattr;
+allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_gps:file setattr;
+allow init sysfs_sec:file setattr ;
+allow init sysfs_brightness:file setattr;
+allow init sysfs_input:file setattr;
+allow init sysfs_lcd:file { setattr open };
+allow init sysfs_svc:file setattr;
+allow init sysfs_modem:file { setattr open write };
+allow init sysfs_wlan_fwpath:file setattr;
+allow init sysfs_virtual:file { open setattr write };
+allow init sysfs_virtual:lnk_file read;
+allow init sysfs_charger:file setattr;
+allow init sysfs:file setattr;
+
+unix_socket_connect(init, property, rild)
 allow init socket_device:sock_file { unlink create setattr };
-allow init sysfs_sec:lnk_file read;
-
-allow init block_device:blk_file write;
-allow init property_socket:sock_file write;
+allow init tee_device:chr_file { read write open ioctl getattr };
+allow init system_file:file execute;
+allow init sysfs_modem:file r_file_perms;
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
index 4f47f22..a82d90c 100644
--- a/sepolicy/installd.te
+++ b/sepolicy/installd.te
@@ -1,2 +1,3 @@
 # TbStorage (mobicore)
-allow installd tee_data_file:dir { rw_dir_perms rmdir };
+allow installd mobicore_data_file:dir { rw_dir_perms rmdir };
+allow installd device:file { read write open };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index a0e6acd..cc8c840 100644
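Review bot: `unix_socket_connect(init, property, rild)` makes init the client of the property socket and of rild, which is the reverse of the usual relationship since init is the property service; if the goal is to let rild set a property, `set_prop(rild, <prop type>)` in rild.te is the normal form, so confirm which direction the denial actually showed. `allow init system_file:file execute;` is only meaningful together with a domain transition for that binary or an `execute_no_trans` that base policies commonly forbid for init; a comment naming the binary, and an `init_daemon_domain` for it if it is a daemon, would let a reader judge it. `allow init tee_device:chr_file { read write open ioctl getattr };` gives init direct access to the TEE driver that the tee domain owns; if this is only to fix ownership at boot, `{ getattr setattr }` is enough. The `sysfs_*:file setattr` list is the expected init permission-fixing set, though `sysfs_sec:file setattr ;` has a stray space before the semicolon.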
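Review bot: `allow installd device:file { read write open };` targets the generic `device` label with the regular-file class, which usually means some node under /dev is unlabeled and fell back to the default; the netd.te hunk adds the same rule for netd. Rather than opening the catch-all to two unrelated domains, identify the path from the denial, give it a dedicated type in file_contexts as the commit does for the other /dev entries, and grant that type; at minimum the rule needs a comment naming the path, e.g. `# /dev/<node from denial log>`.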
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -1,29 +1,27 @@
 allow kernel self:capability { chown mknod };
+dontaudit kernel kernel:capability { dac_override dac_read_search };
 # /dev/mbin0
 allow kernel emmcblk_device:blk_file r_file_perms;
 allow kernel device:blk_file { create setattr getattr unlink };
-
 # /bus/usb/001/001
 allow kernel device:dir { create write remove_name rmdir add_name };
 allow kernel device:chr_file { create setattr getattr unlink };
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
 allow kernel sysfs_devices_system_cpu:file { setattr };
-allow kernel sysfs:file { setattr open };
+allow kernel sysfs:file { setattr };
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
-allow kernel sysfs_sec:dir search;
-allow kernel sysfs_sec:lnk_file read;
-
-allow kernel device:blk_file { create setattr };
-
 # /efs/wifi/.mac.info
 allow kernel wifi_efs_file:dir r_dir_perms;
 allow kernel wifi_efs_file:file r_file_perms;
 # /data/misc/conn/.wifiver.info
 allow kernel wifi_data_file:file rw_file_perms;
+
+# sysfs_lcd
+allow kernel sysfs_lcd:file { open read };
diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te
new file mode 100644
index 0000000..1e80d50
--- /dev/null
+++ b/sepolicy/macloader.te
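Review bot: `dontaudit kernel kernel:capability { dac_override dac_read_search };` names the subject again as the target while the line above uses `kernel self:capability`; `dontaudit kernel self:capability { dac_override dac_read_search };` is the conventional form and the two only coincide because the target happens to be the same type. Silencing dac_override on the kernel domain also hides the denials that would reveal a mis-owned file the kernel touches at boot, such as the /efs contents granted a few lines below, so a comment stating which access produces the noise, e.g. `# silence dac_override from <path seen in the denial> during <driver> init`, keeps this dontaudit from masking a future ownership regression.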
@@ -0,0 +1,30 @@
+#### macloader
+#
+type macloader, domain, coredomain;
+type macloader_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(macloader)
+
+allow macloader self:capability { chown fowner fsetid };
+allow macloader self:process execmem;
+
+# Write into /data
+allow macloader system_data_file:dir { add_name search write };
+allow macloader system_file:file execute_no_trans;
+
+# /data/.cid.info
+# Automatically label files created in /data/ as wifi_data_file
+file_type_auto_trans(macloader, system_data_file, wifi_data_file)
+
+allow macloader wifi_data_file:dir create_dir_perms;
+allow macloader wifi_data_file:file { create_file_perms getattr setattr };
+
+# /sys/module/dhd/parameters/nvram_path
+allow macloader sysfs:file rw_file_perms;
+
+# /efs
+allow macloader efs_file:dir r_dir_perms;
+
+# /efs/wifi/.mac.info
+allow macloader wifi_efs_file:dir r_dir_perms;
+allow macloader wifi_efs_file:file r_file_perms;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..1078589
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,11 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
+
+allow mediacodec sysfs:dir { open read };
+
+# sysfs_virtual
+allow mediacodec sysfs_virtual:dir { open read search };
+allow mediacodec sysfs_virtual:file { open read };
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
new file mode 100644
index 0000000..58b5bd7
--- /dev/null
+++ b/sepolicy/mediadrmserver.te
@@ -0,0 +1,2 @@
+allow mediadrmserver media_data_file:file { getattr open read create write };
+allow mediadrmserver media_data_file:dir { getattr write search add_name };
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
index 44ae5a9..3d8072d 100644
--- a/sepolicy/mediaextractor.te
+++ b/sepolicy/mediaextractor.te
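Review bot: `allow macloader self:process execmem;` and `allow macloader system_file:file execute_no_trans;` are unusual for a daemon whose job, per the comments, is to write /data/.cid.info: execmem permits anonymous memory that is both writable and executable, and execute_no_trans runs any system binary inside the macloader domain with all of the efs, sysfs and /data grants below. If a helper binary is required, name it in a comment and consider a transition to its own domain; if execmem stems from a runtime detail, say so next to the rule. `allow macloader sysfs:file rw_file_perms;` under `# /sys/module/dhd/parameters/nvram_path` writes to every generically-labeled sysfs file; the init.te hunk in this commit already references a sysfs_wlan_fwpath type, which is the natural label for that node so the rule can be scoped to it.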
@@ -1 +1 @@
-allow mediaextractor fuse:file { getattr read };
+allow mediaextractor fuse:file { read getattr };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 3c96e40..52e86b0 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -10,5 +10,3 @@ allow mediaserver camera_device:chr_file { read write open getattr ioctl };
 # Snap permissions
 allow mediaserver sensorservice_service:service_manager { find };
 allow mediaserver system_server:unix_stream_socket { read write };
-
-allow mediaserver ion_device:chr_file write;
diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te
index 8be56f4..6f351c1 100644
--- a/sepolicy/modemloader.te
+++ b/sepolicy/modemloader.te
@@ -1,9 +1,10 @@
-# modemloader
-type modemloader, domain;
-type modemloader_exec, exec_type, file_type;
+#### modemloader
+#
+type modemloader, domain, coredomain;
+type modemloader_exec, exec_type, file_type, system_file_type;
 init_daemon_domain(modemloader)
 allow modemloader proc:file r_file_perms;
-set_prop(modemloader, modemloader_prop);
+set_prop(modemloader, modemloader_prop)
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index c9a2a7f..092c011 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,4 +1,4 @@
 allow netd self:capability sys_module;
-
 allow netd gpsd:fd use;
-allow netd gpsd:udp_socket { getopt read setopt write };
+allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd device:file { read write open };
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..70f7fd2
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1,2 @@
+allow nfc sec_efs_file:dir search;
+allow nfc efs_file:dir search;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 6ce57c0..9505a3c 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
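Review bot: `allow netd device:file { read write open };` in the `netd.te` hunk targets the generic `device` type, which is the fallback label for anything under `/dev` that has no `file_contexts` entry, so it grants read/write on every unlabelled regular file there rather than on the one netd needs. The node should be labelled with a dedicated type and the grant written against that; until then the rule needs a comment naming the path, e.g. `# /dev/<node> — TODO: label it and drop the generic device grant`. The `mediaextractor.te` and `modemloader.te` hunks in this group are cosmetic and need no change.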
@@ -3,10 +3,6 @@ persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
 ro.bluetooth.tty u:object_r:bluetooth_prop:s0
 wc_transport. u:object_r:bluetooth_prop:s0
-# radio
-persist.ril.modem.board u:object_r:radio_prop:s0
-persist.ril.ims.eutranParam u:object_r:radio_prop:s0
-
 # modemloader
 hw.revision u:object_r:modemloader_prop:s0
 ro.cbd.dt_revision u:object_r:modemloader_prop:s0
@@ -15,3 +11,9 @@ ro.modemloader.done u:object_r:modemloader_prop:s0
 # mobicore
 sys.mobicoredaemon.enable u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 7cf5794..bc05016 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -4,13 +4,12 @@ allow rild self:capability { chown };
 # Allow additiional efs access
 allow rild bin_nv_data_efs_file:file create_file_perms;
 allow rild imei_efs_file:dir r_dir_perms;
-allow rild imei_efs_file:file r_file_perms;
+allow rild imei_efs_file:file rw_file_perms;
 allow rild app_efs_file:dir r_dir_perms;
 allow rild app_efs_file:file r_file_perms;
 # /dev
 allow rild audioserver:dir r_dir_perms;
-
 # /proc//cmdline
 allow rild audioserver:file r_file_perms;
@@ -18,9 +17,12 @@ allow rild audioserver:file r_file_perms;
 allow rild block_device:dir r_dir_perms;
 allow rild emmcblk_device:blk_file r_file_perms;
-# /dev/umts*
+# /dev/umts_boot0, /dev/umts_ipc0
 allow rild mif_device:chr_file rw_file_perms;
+# /sys/devices/virtual/misc/multipdp/waketime
+allow rild sysfs_multipdp:file rw_file_perms;
+
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
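Review bot: widening `allow rild imei_efs_file:file r_file_perms;` to `rw_file_perms` lets rild modify the IMEI data under `/efs`, which is a change that should be justified in place rather than inferred from a denial log; if the denial came from an `O_RDWR` open that never writes, the read-only rule should stay and the opener be fixed, otherwise add a comment such as `# rild rewrites the IMEI file — TODO confirm why write access is required`. The replacement of `# /dev/umts*` with `# /dev/umts_boot0, /dev/umts_ipc0` is a welcome clarification. The `property_contexts` hunks in this group only relocate the radio block and add two properties and need no change.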
@@ -34,7 +36,6 @@ allow rild mediaserver:file { open read getattr };
 # /data/misc/radio/*
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
-
 # /data/data/com.android.providers.telephony/databases/telephony.db
 allow rild radio_data_file:lnk_file r_file_perms;
@@ -50,11 +51,5 @@ allow rild radio_block_device:blk_file r_file_perms;
 # persist.ril.modem.board
 set_prop(modemloader, radio_prop)
-allow rild sec_efs_file:file getattr;
-allow rild sec_efs_file:dir search;
-allow rild sysfs:dir r_dir_perms;
-allow rild sysfs_sec:dir search;
-allow rild sysfs_sec:lnk_file read;
-
 # /dev/knox_kap
 allow rild knox_device:chr_file r_file_perms;
diff --git a/sepolicy/sensorhubservice.te b/sepolicy/sensorhubservice.te
new file mode 100644
index 0000000..534f9c2
--- /dev/null
+++ b/sepolicy/sensorhubservice.te
@@ -0,0 +1,24 @@
+#### sensorhubservice
+#
+type sensorhubservice, domain, coredomain;
+type sensorhubservice_exec, exec_type, file_type, system_file_type;
+type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
+init_daemon_domain(sensorhubservice)
+
+# /dev/input[0-9]*
+allow sensorhubservice input_device:dir r_dir_perms;
+allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
+
+# binder call
+allow sensorhubservice servicemanager:binder { call transfer };
+
+allow sensorhubservice sysfs:file { getattr open read };
+
+# sysfs_virtual
+allow sensorhubservice sysfs_virtual:file { open read getattr setattr };
+allow sensorhubservice sysfs_virtual:dir { open read search };
+allow sensorhubservice sysfs_virtual:lnk_file read;
+
+allow sensorhubservice sysfs_input:dir search;
+allow sensorhubservice sysfs_input:lnk_file read;
+allow sensorhubservice sysfs_input:file { read write open getattr };
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 7c40f68..1738339 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
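Review bot: `allow sensorhubservice servicemanager:binder { call transfer };` hand-writes half of what `binder_use(sensorhubservice)` provides, and nothing visible in the hunk lets the daemon register `sensorhubservice_service` (that needs `add` on the service type, normally granted by `add_service(sensorhubservice, sensorhubservice_service)`); the `servicemanager.te` hunk later in the diff likewise hand-writes the `dir search`, `file { getattr open read }` and `process getattr` rules those macros already grant. Using the macros keeps the domain consistent with the other daemons in this diff and is less likely to leave a permission out. `allow sensorhubservice sysfs:file { getattr open read };` is a generic-`sysfs` grant that should be narrowed once the node it reads is labelled.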
@@ -1,2 +1,13 @@
-# HWC
-Exynos.HWCService u:object_r:surfaceflinger_service:s0
\ No newline at end of file
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung.hardware.gnss::ISecGnss u:object_r:hal_gnss_hwservice:s0
+vendor.trustonic.tee::ITee u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.teeregistry::ITeeRegistry u:object_r:hal_teeregistry_hwservice:s0
+vendor.samsung.hardware.security.widevine.keyprovisioning::ISehWidevineKeyProvisioning u:object_r:hal_wvkprov_hwservice:s0
+vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.snap::ISehSnap u:object_r:snap_hwservice:s0
+vendor.samsung.hardware.radio.bridge::ISehBridge u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio::ISehRadio u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio.channel::ISehChannel u:object_r:hal_telephony_hwservice:s0
+com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
+
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..e1b618a
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager sensorhubservice:dir search;
+allow servicemanager sensorhubservice:file { getattr open read };
+allow servicemanager sensorhubservice:process getattr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 0c8687e..b83165c 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,2 +1,3 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs:file { getattr open read };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 2f8a6ae..c9d70d0 100644
--- a/sepolicy/system_app.te
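Review bot: the lines added to `service_contexts` are HIDL interface names (`vendor.samsung.hardware.radio::ISehRadio`, `vendor.trustonic.tee::ITee`, and so on) mapped to `*_hwservice` types, and those belong in `hwservice_contexts`; `service_contexts` is what `servicemanager` consults for binder service names, while `hwservicemanager` reads `hwservice_contexts`, so these entries will not apply here and are likely to fail the build's context check, which expects `service_manager_type` types in this file. Moving the twelve entries to `hwservice_contexts` and confirming that `hal_vendor_surfaceflinger_hwservice`, `hal_wvkprov_hwservice`, `snap_hwservice` and `hal_bluetooth_a2dp_hwservice` are declared somewhere in the policy is the fix. The trailing blank `+` line can be dropped at the same time.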
+++ b/sepolicy/system_app.te
@@ -1,3 +1,3 @@
-allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
-allow system_app sysfs_mdnie_writable:dir search;
+allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie:dir search;
 allow system_app wificond:binder call;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 6359aa8..16aeb19 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,10 +1,11 @@
 # /dev/mbin0
 allow system_server emmcblk_device:dir search;
+allow system_server emmcblk_device:blk_file { read write open ioctl getattr };
 # /efs
 allow system_server efs_file:dir r_dir_perms;
-# /efs/FactoryApp/gyro_cal_data
+# /efs/gyro_cal_data
 allow system_server sensor_efs_file:file r_file_perms;
 # /data/system/gps/.gps.interface.pipe.*
@@ -15,7 +16,7 @@ allow system_server gps_data_file:fifo_file create_file_perms;
 allow system_server gps_data_file:dir rw_dir_perms;
 # /data/system/gps/chip.info
-allow system_server gps_data_file:file create_file_perms;
+allow system_server gps_data_file:file r_file_perms;
 # /efs/prox_cal
 allow system_server efs_file:file r_file_perms;
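Review bot: `allow system_server emmcblk_device:blk_file { read write open ioctl getattr };` is commented as `/dev/mbin0`, but `emmcblk_device` is the same type this diff uses for `/dev/block/mmcblk0p[0-9]` in `ueventd.te` and `vold.te`, so the rule gives system_server raw read/write on the eMMC partitions, not just on the modem image node. Give `/dev/mbin0` its own type in `file_contexts` (say `mbin_device`, a constructed name) and grant on that; `kernel.te` earlier in the diff carries the same `/dev/mbin0` comment against `emmcblk_device` and would benefit from the same relabel. The `gps_data_file:file` narrowing to `r_file_perms` in the second hunk is an improvement.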
@@ -30,22 +31,27 @@ allow system_server wifi_efs_file:dir r_dir_perms;
 allow system_server wifi_efs_file:file r_file_perms;
 # mDNIE
-allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
-allow system_server sysfs_mdnie_writable:dir r_dir_perms;
-allow system_server sysfs_mdnie_writable:file rw_file_perms;
+allow system_server sysfs_mdnie:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;
 # memtrack HAL
 allow system_server debugfs:dir r_dir_perms;
-allow system_server debugfs:file r_file_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+
+# sysfs
+allow system_server sysfs_brightness:file write;
+allow system_server sysfs_input:file write;
+allow system_server sysfs_sec:file write;
+allow system_server sysfs_devices_system_cpu:file write;
+allow system_server sysfs_virtual:file write;
 # /data/system/gps/xtraee.bin
 allow system_server gps_data_file:file create_file_perms;
-allow system_server emmcblk_device:blk_file { getattr ioctl open read write };
-allow system_server gps_data_file:dir { add_name remove_name write search };
-allow system_server gps_data_file:file { create setattr unlink write };
-allow system_server gpsd:unix_stream_socket connectto;
-allow system_server sysfs_sec:dir search;
-allow system_server sysfs_sec:lnk_file read;
-allow system_server crash_dump:process getpgid;
-allow system_server unlabeled:dir write;
+unix_socket_connect(system_server, property, gpsd)
+
+allow system_server proc:file { read open getattr };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 960cebf..f0a2508 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
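Review bot: `unix_socket_connect(system_server, property, gpsd)` passes `property` as the socket argument, so besides `gpsd:unix_stream_socket connectto` it expands to `property_socket:sock_file write`, which has nothing to do with gpsd; what this needs is the replaced `allow system_server gpsd:unix_stream_socket connectto;` plus `write` on the sock_file type that gpsd's socket is labelled with in `file_contexts`. The five rules under `# sysfs` grant `write` without `open`, which only works on a descriptor opened elsewhere unless `open` is granted by another rule, and `sysfs_devices_system_cpu:file write` and `sysfs_sec:file write` in particular should each carry a comment naming the node system_server writes to. Dropping `unlabeled:dir write` and `crash_dump:process getpgid` is the right direction.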
@@ -1,11 +1,11 @@
 # mobicore
 # Allow to create files and directories /data/app/mcRegistry
-file_type_auto_trans(tee, apk_data_file, tee_data_file);
+file_type_auto_trans(tee, apk_data_file, mobicore_data_file);
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 # sys.mobicore.enable
-set_prop(tee, tee_prop)
+set_prop(tee, tee_prop)
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 1095b4d..437ed7c 100644
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@@ -1,11 +1,11 @@
 # /dev/block/mmcblk0p[0-9]
-#allow ueventd emmcblk_device:blk_file create_file_perms;
+allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
-allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink getattr };
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp:file rw_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
 # read/chown camera firmware
-allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
-allow ueventd sysfs_camera_writable:filesystem associate;
-
-allow ueventd sysfs_sec:dir { open read relabelto search };
-allow ueventd sysfs_sec:lnk_file relabelto;
+allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:filesystem associate;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
index 78db9c8..1f5142f 100644
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@@ -1,2 +1,2 @@
 allow uncrypt emmcblk_device:blk_file w_file_perms;
-allow uncrypt emmcblk_device:dir r_dir_perms;
\ No newline at end of file
+allow uncrypt emmcblk_device:dir r_dir_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index c147c5e..dc2658a 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
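Review bot: `allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };` gives ueventd read/write on the eMMC block nodes, which it does not need in order to create and relabel them; the second rule in the hunk, `allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };`, already covers node management, so the first should be cut down to what the denial actually showed (probably `getattr`, which the old rule had and the new second rule drops) and the two merged into one rule. `vold.te` later in the diff adds the same expanded permission list and deserves the same scrutiny. The `tee.te` hunk in this group is a type rename and needs no change.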
@@ -2,4 +2,7 @@ allow vold efs_file:dir r_dir_perms;
 # /dev/block/mmcblk0p[0-9]
 allow vold emmcblk_device:dir create_dir_perms;
-#allow vold emmcblk_device:blk_file create_file_perms;
+allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# sysfs_virtual
+allow vold sysfs_virtual:file write;
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te
new file mode 100644
index 0000000..3543f1f
--- /dev/null
+++ b/sepolicy/wcnss_filter.te
@@ -0,0 +1,8 @@
+type wcnss_filter, domain, coredomain;
+type wcnss_filter_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(wcnss_filter)
+
+allow wcnss_filter bluetooth_device:chr_file rw_file_perms;
+
+set_prop(wcnss_filter, bluetooth_prop);
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
new file mode 100644
index 0000000..c8a7ec2
--- /dev/null
+++ b/sepolicy/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote zygote:unix_dgram_socket write;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..e17b8cf
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote proc_cmdline:file { getattr open read write };
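Review bot: `set_prop(wcnss_filter, bluetooth_prop);` keeps a trailing semicolon after the macro call, which the `modemloader.te` hunk earlier in this diff deliberately removes (`set_prop(modemloader, modemloader_prop)`); the two should agree, and the form without `;` is the one used elsewhere here. A one-line comment above `allow wcnss_filter bluetooth_device:chr_file rw_file_perms;` naming the device node, as the other `.te` files in this diff do, would also help the next reader.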
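Review bot: `allow zygote proc_cmdline:file { getattr open read write };` grants `write` on `/proc/cmdline`, a read-only kernel file, so the denial behind it was almost certainly an `O_RDWR` open; the rule should be `allow zygote proc_cmdline:file { getattr open read };` with the opener fixed to open read-only. Leaving `write` in place documents a permission nothing can use and reads as intended proc write access to anyone auditing the policy later.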