mirror of
https://github.com/AetherDroid/android_device_samsung_universal7570-common.git
synced 2025-10-28 15:08:51 +01:00
universal7870: sepolicy changes
This commit is contained in:
Alejandro
parent
fe0365c96c
commit
614eefb430
13 changed files with 161 additions and 115 deletions
|
|
@ -1,5 +1,5 @@
|
|||
# Allow rild to connect to gpsd
|
||||
unix_socket_connect(audioserver, property, rild)
|
||||
# unix_socket_connect(audioserver, property, rild)
|
||||
|
||||
# /efs/maxim
|
||||
r_dir_file(audioserver, efs_file);
|
||||
|
|
|
|||
|
|
@ -50,4 +50,12 @@ type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
|
|||
type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
|
||||
|
||||
### data types
|
||||
type biometrics_vendor_data_file, file_type, data_file_type;
|
||||
type conn_vendor_data_file, file_type, data_file_type;
|
||||
type display_vendor_data_file, file_type, data_file_type;
|
||||
type gps_vendor_data_file, file_type, data_file_type;
|
||||
type log_vendor_data_file, file_type, data_file_type;
|
||||
type log_cbd_vendor_data_file, file_type, data_file_type;
|
||||
type radio_vendor_data_file, file_type, data_file_type;
|
||||
type sswap_vendor_data_file, file_type, data_file_type;
|
||||
type wifi_vendor_data_file, file_type, data_file_type;
|
||||
|
|
@ -22,20 +22,17 @@
|
|||
/dev/ehci_power u:object_r:mif_device:s0
|
||||
/dev/mipi-lli/lli_control u:object_r:mif_device:s0
|
||||
|
||||
/dev/gnss_ipc u:object_r:gps_device:s0
|
||||
/dev/ttySAC[0-1]* u:object_r:gps_device:s0
|
||||
/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
|
||||
/dev/ttySAC[0-9]* u:object_r:bluetooth_device:s0
|
||||
#/dev/ttySAC0 u:object_r:hci_attach_dev:s0
|
||||
|
||||
/dev/block/vnswap0 u:object_r:sswap_device:s0
|
||||
|
||||
/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
|
||||
|
||||
/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
|
||||
/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0
|
||||
/dev/block/mmcblk0p14 u:object_r:radio_block_device:s0
|
||||
/dev/block/mmcblk0p17 u:object_r:frp_block_device:s0
|
||||
/dev/block/mmcblk0p20 u:object_r:system_block_device:s0
|
||||
/dev/block/mmcblk0p21 u:object_r:cache_block_device:s0
|
||||
/dev/block/mmcblk0p23 u:object_r:userdata_block_device:s0
|
||||
#/dev/block/platform/13540000.dwmmc0/by-name/EFS u:object_r:efs_block_device:s0
|
||||
#/dev/block/platform/13540000.dwmmc0/by-name/CPEFS u:object_r:sec_efs_file:s0
|
||||
#/dev/block/platform/13540000.dwmmc0/by-name/RADIO u:object_r:radio_block_device:s0
|
||||
|
||||
/dev/rfkill u:object_r:rfkill_device:s0
|
||||
|
||||
|
|
@ -45,7 +42,7 @@
|
|||
/dev/bbd_reliable u:object_r:bbd_device:s0
|
||||
/dev/bbd_sensor u:object_r:bbd_device:s0
|
||||
/dev/bbd_sio u:object_r:bbd_device:s0
|
||||
/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
|
||||
#/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
|
||||
|
||||
/dev/esfp0 u:object_r:fingerprint_device:s0
|
||||
/dev/vfsspi u:object_r:fingerprint_device:s0
|
||||
|
|
@ -103,6 +100,15 @@
|
|||
# camera
|
||||
/data/camera/ISP_CV u:object_r:camera_data_file:s0
|
||||
|
||||
# vendor
|
||||
/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0
|
||||
/data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0
|
||||
/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0
|
||||
/data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0
|
||||
/data/vendor/log(/.*)? u:object_r:log_vendor_data_file:s0
|
||||
/data/vendor/log/cbd(/.*)? u:object_r:log_cbd_vendor_data_file:s0
|
||||
/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0
|
||||
|
||||
####################################
|
||||
# sysfs files
|
||||
#/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
|
||||
|
|
@ -121,6 +127,37 @@
|
|||
# cbd
|
||||
/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0
|
||||
|
||||
# efs
|
||||
#/cpefs(/.*)? u:object_r:sec_efs_file:s0
|
||||
#/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
|
||||
#/efs/DAK(/.*)? u:object_r:prov_efs_file:s0
|
||||
#/efs/afc(/.*)? u:object_r:sec_efs_file:s0
|
||||
#/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
|
||||
#/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0
|
||||
#/efs/imei(/.*)? u:object_r:imei_efs_file:s0
|
||||
#/efs/nfc(/.*)? u:object_r:nfc_efs_file:s0
|
||||
#/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0
|
||||
#/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0
|
||||
#/efs/prov(/.*)? u:object_r:prov_efs_file:s0
|
||||
#/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
|
||||
#/efs/root(/.*)? u:object_r:app_efs_file:s0
|
||||
#/efs/tee(/.*)? u:object_r:tee_efs_file:s0
|
||||
#/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
|
||||
|
||||
/mnt/vendor/efs(/.*)? u:object_r:efs_file:s0
|
||||
/mnt/vendor/efs/DAK(/.*)? u:object_r:prov_efs_file:s0
|
||||
/mnt/vendor/efs/afc(/.*)? u:object_r:sec_efs_file:s0
|
||||
/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
|
||||
/mnt/vendor/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0
|
||||
/mnt/vendor/efs/imei(/.*)? u:object_r:imei_efs_file:s0
|
||||
/mnt/vendor/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0
|
||||
#/mnt/vendor/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0
|
||||
/mnt/vendor/efs/prov(/.*)? u:object_r:prov_efs_file:s0
|
||||
/mnt/vendor/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
|
||||
/mnt/vendor/efs/root(/.*)? u:object_r:app_efs_file:s0
|
||||
#/mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0
|
||||
/mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
|
||||
|
||||
# gps
|
||||
/sys/class/sec/gps u:object_r:sysfs_gps:s0
|
||||
/sys/devices/soc0/machine u:object_r:sysfs_gps:s0
|
||||
|
|
@ -168,3 +205,7 @@
|
|||
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
|
||||
|
||||
# Samsung proprietaries
|
||||
/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service u:object_r:hal_gnss_default_exec:s0
|
||||
|
|
|
|||
|
|
@ -12,5 +12,5 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
|
|||
allow hal_fingerprint_default tee:unix_stream_socket connectto;
|
||||
|
||||
# /data/biometrics/*
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
|
||||
allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
|
||||
# allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
|
||||
# allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
|
||||
|
|
|
|||
|
|
@ -1,53 +1,36 @@
|
|||
type gpsd, domain;
|
||||
type gpsd_exec, exec_type, file_type, vendor_file_type;
|
||||
type gpsd, domain, netdomain;
|
||||
type gpsd_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
# gpsd is started by init, type transit from init domain to gpsd domain
|
||||
init_daemon_domain(gpsd)
|
||||
|
||||
# Automatically label files created in /data/system/gps as gps_data_file
|
||||
file_type_auto_trans(gpsd, system_data_file, gps_data_file)
|
||||
allow gpsd rild:unix_stream_socket connectto;
|
||||
|
||||
# Allow rild and netd to connect to gpsd
|
||||
unix_socket_connect(gpsd, property, rild)
|
||||
unix_socket_connect(gpsd, property, netd)
|
||||
get_prop(gpsd, exported_radio_prop)
|
||||
get_prop(gpsd, exported_config_prop)
|
||||
|
||||
allow gpsd system_server:unix_stream_socket rw_socket_perms;
|
||||
get_prop(gpsd, hwservicemanager_prop)
|
||||
hwbinder_use(gpsd)
|
||||
allow gpsd system_suspend_hwservice:hwservice_manager { find };
|
||||
allow gpsd fwk_sensor_hwservice:hwservice_manager { find };
|
||||
|
||||
binder_call(gpsd, system_suspend_server)
|
||||
binder_call(gpsd, system_server)
|
||||
binder_use(gpsd)
|
||||
binder_call(system_server, gpsd)
|
||||
|
||||
# Sockets
|
||||
type_transition gpsd gps_data_file:sock_file gps_socket;
|
||||
allow gpsd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
||||
allow gpsd self:{ tcp_socket udp_socket } create_stream_socket_perms;
|
||||
allow gpsd port:tcp_socket { name_bind name_connect };
|
||||
allow gpsd port:udp_socket name_bind;
|
||||
allow gpsd node:{ tcp_socket udp_socket } node_bind;
|
||||
|
||||
allow gpsd dnsproxyd_socket:sock_file write;
|
||||
# /acct/tasks
|
||||
allow gpsd cgroup:file getattr;
|
||||
|
||||
# /dev/socket/fwmarkd
|
||||
allow gpsd fwmarkd_socket:sock_file write;
|
||||
allow gpsd gps_socket:sock_file create_file_perms;
|
||||
allow gpsd self:udp_socket create_socket_perms;
|
||||
|
||||
# sysfs_gps
|
||||
allow gpsd sysfs_gps:dir search;
|
||||
allow gpsd sysfs_gps:lnk_file read;
|
||||
allow gpsd sysfs_gps:file rw_file_perms;
|
||||
|
||||
# /dev/ttySAC3
|
||||
allow gpsd gps_device:chr_file { setattr rw_file_perms };
|
||||
allow gpsd gps_data_file:dir rw_dir_perms;
|
||||
allow gpsd gps_data_file:fifo_file create_file_perms;
|
||||
|
||||
allow gpsd sysfs_wake_lock:file rw_file_perms;
|
||||
|
||||
allow gpsd sensorservice_service:service_manager find;
|
||||
|
||||
# /dev/umts_boot0
|
||||
allow gpsd mif_device:chr_file r_file_perms;
|
||||
|
||||
# TCP sockets
|
||||
allow gpsd port:tcp_socket { name_connect name_bind };
|
||||
allow gpsd self:tcp_socket create_socket_perms;
|
||||
allow gpsd node:tcp_socket node_bind;
|
||||
|
||||
# sec sysfs files
|
||||
#allow gpsd sysfs_sec:dir search;
|
||||
|
||||
# hwservicemanager ready prop
|
||||
allow gpsd hwservicemanager:binder call;
|
||||
allow gpsd hwservicemanager_prop:file { open read getattr};
|
||||
# /data/vendor/gps
|
||||
allow gpsd gps_vendor_data_file:dir rw_dir_perms;
|
||||
allow gpsd gps_vendor_data_file:file create_file_perms;
|
||||
allow gpsd gps_vendor_data_file:fifo_file create_file_perms;
|
||||
|
|
|
|||
|
|
@ -6,5 +6,5 @@ allow hal_drm_default tee:unix_stream_socket connectto;
|
|||
allow hal_drm_default efs_file:dir search;
|
||||
allow hal_drm_default cpk_efs_file:file r_file_perms;
|
||||
|
||||
allow hal_drm_default media_data_file:file create_file_perms;
|
||||
allow hal_drm_default media_data_file:dir create_dir_perms;
|
||||
# allow hal_drm_default media_data_vendor_file:file create_file_perms;
|
||||
# allow hal_drm_default media_data_vendor_file:dir create_dir_perms;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,12 @@
|
|||
vndbinder_use(hal_gnss_default)
|
||||
# hal_gnss_default.te
|
||||
|
||||
# Allow gnss to access the gpsd data files
|
||||
allow hal_gnss_default gps_data_file:dir w_dir_perms;
|
||||
allow hal_gnss_default gps_data_file:fifo_file create_file_perms;
|
||||
# cgroups tasks
|
||||
allow hal_gnss_default cgroup:file getattr;
|
||||
|
||||
# /data/vendor/gps
|
||||
allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms;
|
||||
allow hal_gnss_default gps_vendor_data_file:file create_file_perms;
|
||||
allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
|
||||
|
||||
# /mnt/vendor
|
||||
allow hal_gnss_default mnt_vendor_file:dir search;
|
||||
|
|
|
|||
|
|
@ -3,6 +3,6 @@ allow hal_wifi_default efs_file:dir search;
|
|||
allow hal_wifi_default wifi_efs_file:dir search;
|
||||
allow hal_wifi_default wifi_efs_file:file r_file_perms;
|
||||
|
||||
allow hal_wifi_default wifi_data_file:file r_file_perms;
|
||||
# allow hal_wifi_default wifi_data_file:file r_file_perms;
|
||||
|
||||
allow hal_wifi_default sysfs_wifi:file write;
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
allow netd self:capability sys_module;
|
||||
allow netd gpsd:fd use;
|
||||
allow netd gpsd:udp_socket rw_socket_perms;
|
||||
allow netd gpsd:tcp_socket rw_socket_perms;
|
||||
# allow netd self:capability sys_module;
|
||||
# allow netd gpsd:fd use;
|
||||
# allow netd gpsd:udp_socket rw_socket_perms;
|
||||
# allow netd gpsd:tcp_socket rw_socket_perms;
|
||||
|
|
|
|||
|
|
@ -1,59 +1,66 @@
|
|||
# Allow rild to change perms
|
||||
allow rild self:capability chown;
|
||||
# rild.te
|
||||
|
||||
# Allow additiional efs access
|
||||
r_dir_file(rild, imei_efs_file);
|
||||
r_dir_file(rild, app_efs_file);
|
||||
allow rild block_device:dir search;
|
||||
allow rild mnt_vendor_file:dir { getattr search };
|
||||
|
||||
# /efs/nv_data.bin
|
||||
allow rild bin_nv_data_efs_file:file create_file_perms;
|
||||
allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 };
|
||||
# audio hal
|
||||
allow rild hal_audio_default:dir search;
|
||||
allow rild hal_audio_default:file r_file_perms;
|
||||
|
||||
# audioserver
|
||||
r_dir_file(rild, audioserver);
|
||||
# gps
|
||||
allow rild gpsd:dir search;
|
||||
allow rild gpsd:file r_file_perms;
|
||||
|
||||
# /dev/mbin0
|
||||
allow rild block_device:dir r_dir_perms;
|
||||
allow rild emmcblk_device:blk_file r_file_perms;
|
||||
# /data
|
||||
allow rild system_data_file:dir getattr;
|
||||
|
||||
# /dev/umts_boot0, /dev/umts_ipc0
|
||||
allow rild mif_device:chr_file rw_file_perms;
|
||||
# /data/vendor/log
|
||||
allow rild log_vendor_data_file:dir rw_dir_perms;
|
||||
allow rild log_vendor_data_file:file create_file_perms;
|
||||
|
||||
# /sys/devices/virtual/misc/multipdp/waketime
|
||||
allow rild sysfs_multipdp:file rw_file_perms;
|
||||
# /dev/block/platform/.+/by-name/radio
|
||||
allow rild radio_block_device:blk_file r_file_perms;
|
||||
|
||||
allow rild sysfs_input:file rw_file_perms;
|
||||
# /dev/drb
|
||||
# allow rild drb_device:chr_file rw_file_perms;
|
||||
|
||||
# /dev/umts_*
|
||||
# /dev/umts_ipc*
|
||||
# allow rild vendor_radio_device:chr_file rw_file_perms;
|
||||
|
||||
# /data/vendor/secradio
|
||||
allow rild radio_vendor_data_file:dir rw_dir_perms;
|
||||
allow rild radio_vendor_data_file:file create_file_perms;
|
||||
|
||||
# /efs/FactoryApp/
|
||||
# /mnt/vendor/efs/root
|
||||
allow rild app_efs_file:dir r_dir_perms;
|
||||
allow rild app_efs_file:file { rw_file_perms setattr };
|
||||
|
||||
# /efs/imei
|
||||
allow rild imei_efs_file:dir r_dir_perms;
|
||||
allow rild imei_efs_file:file r_file_perms;
|
||||
|
||||
# /mnt/vendor/efs/
|
||||
allow rild prov_efs_file:dir r_dir_perms;
|
||||
allow rild prov_efs_file:file r_file_perms;
|
||||
|
||||
# /mnt/vendor/efs/nv_data.bin
|
||||
allow rild bin_nv_data_efs_file:file { rw_file_perms setattr unlink };
|
||||
|
||||
# /proc/net/xt_qtaguid/iface_stat_fmt
|
||||
allow rild proc_qtaguid_stat:file r_file_perms;
|
||||
|
||||
# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
|
||||
allow rild proc_net:file rw_file_perms;
|
||||
|
||||
r_dir_file(rild, gpsd);
|
||||
# mdc.
|
||||
# persist.sys.omc_support
|
||||
# ro.csc.
|
||||
get_prop(rild, exported_config_prop);
|
||||
|
||||
allow rild proc_qtaguid_stat:file r_file_perms;
|
||||
# ro.boot.cpboot, ril.NwNmId[0-9]
|
||||
get_prop(rild, exported_radio_prop)
|
||||
|
||||
# rild reads /proc/pid/cmdline of mediaserver
|
||||
r_dir_file(rild, mediaserver);
|
||||
|
||||
# /data/misc/radio/*
|
||||
allow rild radio_data_file:dir rw_dir_perms;
|
||||
allow rild radio_data_file:file create_file_perms;
|
||||
# /data/data/com.android.providers.telephony/databases/telephony.db
|
||||
allow rild radio_data_file:lnk_file r_file_perms;
|
||||
|
||||
# sdcard/SDET_PLMN/input/MNCMCC.txt
|
||||
allow rild storage_file:dir r_dir_perms;
|
||||
allow rild storage_file:lnk_file r_file_perms;
|
||||
allow rild mnt_user_file:dir r_dir_perms;
|
||||
allow rild mnt_user_file:lnk_file r_file_perms;
|
||||
|
||||
# Modem firmware download
|
||||
allow rild radio_block_device:blk_file r_file_perms;
|
||||
|
||||
# persist.ril.modem.board
|
||||
set_prop(modemloader, radio_prop)
|
||||
|
||||
# /dev/knox_kap
|
||||
allow rild knox_device:chr_file r_file_perms;
|
||||
|
||||
# /data/media/0
|
||||
allow rild media_rw_data_file:dir r_dir_perms;
|
||||
# vendor.cbd.
|
||||
# set_prop(rild, vendor_cbd_prop)
|
||||
|
|
|
|||
|
|
@ -54,4 +54,4 @@ allow system_server sysfs_input:file rw_file_perms;
|
|||
|
||||
allow system_server proc_input_devices:file r_file_perms;
|
||||
|
||||
unix_socket_connect(system_server, property, gpsd)
|
||||
# unix_socket_connect(system_server, property, gpsd)
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@ allow tee { efs_file prov_efs_file }:dir r_dir_perms;
|
|||
allow tee { efs_file prov_efs_file }:file r_file_perms;
|
||||
|
||||
# Allow mobicore to search apk data
|
||||
allow tee apk_data_file:dir search;
|
||||
# allow tee apk_data_file:dir search;
|
||||
|
||||
# sys.mobicore.enable
|
||||
set_prop(tee, tee_prop)
|
||||
|
|
|
|||
|
|
@ -8,7 +8,7 @@ unix_socket_connect(wifiloader, property, init)
|
|||
|
||||
allow wifiloader proc:file r_file_perms;
|
||||
allow wifiloader sysfs_wlan_fwpath:file setattr;
|
||||
allow wifiloader wifi_data_file:file rw_file_perms;
|
||||
# allow wifiloader wifi_data_file:file rw_file_perms;
|
||||
set_prop(wifiloader, wifi_prop);
|
||||
|
||||
# /efs
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue