diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te index cbee924..4c25766 100644 --- a/sepolicy/audioserver.te +++ b/sepolicy/audioserver.te @@ -1,5 +1,5 @@ # Allow rild to connect to gpsd -unix_socket_connect(audioserver, property, rild) +# unix_socket_connect(audioserver, property, rild) # /efs/maxim r_dir_file(audioserver, efs_file); diff --git a/sepolicy/file.te b/sepolicy/file.te index 08b2666..a83dd66 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -50,4 +50,12 @@ type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject; type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject; ### data types +type biometrics_vendor_data_file, file_type, data_file_type; +type conn_vendor_data_file, file_type, data_file_type; type display_vendor_data_file, file_type, data_file_type; +type gps_vendor_data_file, file_type, data_file_type; +type log_vendor_data_file, file_type, data_file_type; +type log_cbd_vendor_data_file, file_type, data_file_type; +type radio_vendor_data_file, file_type, data_file_type; +type sswap_vendor_data_file, file_type, data_file_type; +type wifi_vendor_data_file, file_type, data_file_type; \ No newline at end of file diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 7ceb0ea..d5a56cc 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -22,20 +22,17 @@ /dev/ehci_power u:object_r:mif_device:s0 /dev/mipi-lli/lli_control u:object_r:mif_device:s0 -/dev/gnss_ipc u:object_r:gps_device:s0 -/dev/ttySAC[0-1]* u:object_r:gps_device:s0 +/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0 +/dev/ttySAC[0-9]* u:object_r:bluetooth_device:s0 +#/dev/ttySAC0 u:object_r:hci_attach_dev:s0 /dev/block/vnswap0 u:object_r:sswap_device:s0 /dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0 -/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0 -/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0 -/dev/block/mmcblk0p14 u:object_r:radio_block_device:s0 -/dev/block/mmcblk0p17 u:object_r:frp_block_device:s0 -/dev/block/mmcblk0p20 u:object_r:system_block_device:s0 -/dev/block/mmcblk0p21 u:object_r:cache_block_device:s0 -/dev/block/mmcblk0p23 u:object_r:userdata_block_device:s0 +#/dev/block/platform/13540000.dwmmc0/by-name/EFS u:object_r:efs_block_device:s0 +#/dev/block/platform/13540000.dwmmc0/by-name/CPEFS u:object_r:sec_efs_file:s0 +#/dev/block/platform/13540000.dwmmc0/by-name/RADIO u:object_r:radio_block_device:s0 /dev/rfkill u:object_r:rfkill_device:s0 @@ -45,7 +42,7 @@ /dev/bbd_reliable u:object_r:bbd_device:s0 /dev/bbd_sensor u:object_r:bbd_device:s0 /dev/bbd_sio u:object_r:bbd_device:s0 -/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0 +#/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0 /dev/esfp0 u:object_r:fingerprint_device:s0 /dev/vfsspi u:object_r:fingerprint_device:s0 @@ -103,6 +100,15 @@ # camera /data/camera/ISP_CV u:object_r:camera_data_file:s0 +# vendor +/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0 +/data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0 +/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0 +/data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0 +/data/vendor/log(/.*)? u:object_r:log_vendor_data_file:s0 +/data/vendor/log/cbd(/.*)? u:object_r:log_cbd_vendor_data_file:s0 +/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0 + #################################### # sysfs files #/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0 @@ -121,6 +127,37 @@ # cbd /sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0 +# efs +#/cpefs(/.*)? u:object_r:sec_efs_file:s0 +#/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 +#/efs/DAK(/.*)? u:object_r:prov_efs_file:s0 +#/efs/afc(/.*)? u:object_r:sec_efs_file:s0 +#/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +#/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0 +#/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +#/efs/nfc(/.*)? u:object_r:nfc_efs_file:s0 +#/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0 +#/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0 +#/efs/prov(/.*)? u:object_r:prov_efs_file:s0 +#/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 +#/efs/root(/.*)? u:object_r:app_efs_file:s0 +#/efs/tee(/.*)? u:object_r:tee_efs_file:s0 +#/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 + +/mnt/vendor/efs(/.*)? u:object_r:efs_file:s0 +/mnt/vendor/efs/DAK(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/afc(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/mnt/vendor/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0 +/mnt/vendor/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +/mnt/vendor/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0 +#/mnt/vendor/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0 +/mnt/vendor/efs/prov(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/root(/.*)? u:object_r:app_efs_file:s0 +#/mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0 +/mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 + # gps /sys/class/sec/gps u:object_r:sysfs_gps:s0 /sys/devices/soc0/machine u:object_r:sysfs_gps:s0 @@ -168,3 +205,7 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0 + +# Samsung proprietaries +/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service u:object_r:hal_gnss_default_exec:s0 diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te index 81af2ba..7373384 100644 --- a/sepolicy/fingerprintd.te +++ b/sepolicy/fingerprintd.te @@ -12,5 +12,5 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms; allow hal_fingerprint_default tee:unix_stream_socket connectto; # /data/biometrics/* -allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms; -allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; +# allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms; +# allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te index 60c4c2b..3d6a98b 100644 --- a/sepolicy/gpsd.te +++ b/sepolicy/gpsd.te @@ -1,53 +1,36 @@ -type gpsd, domain; -type gpsd_exec, exec_type, file_type, vendor_file_type; +type gpsd, domain, netdomain; +type gpsd_exec, exec_type, vendor_file_type, file_type; +# gpsd is started by init, type transit from init domain to gpsd domain init_daemon_domain(gpsd) -# Automatically label files created in /data/system/gps as gps_data_file -file_type_auto_trans(gpsd, system_data_file, gps_data_file) +allow gpsd rild:unix_stream_socket connectto; -# Allow rild and netd to connect to gpsd -unix_socket_connect(gpsd, property, rild) -unix_socket_connect(gpsd, property, netd) +get_prop(gpsd, exported_radio_prop) +get_prop(gpsd, exported_config_prop) -allow gpsd system_server:unix_stream_socket rw_socket_perms; +get_prop(gpsd, hwservicemanager_prop) +hwbinder_use(gpsd) +allow gpsd system_suspend_hwservice:hwservice_manager { find }; +allow gpsd fwk_sensor_hwservice:hwservice_manager { find }; +binder_call(gpsd, system_suspend_server) binder_call(gpsd, system_server) -binder_use(gpsd) +binder_call(system_server, gpsd) -# Sockets -type_transition gpsd gps_data_file:sock_file gps_socket; +allow gpsd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow gpsd self:{ tcp_socket udp_socket } create_stream_socket_perms; +allow gpsd port:tcp_socket { name_bind name_connect }; +allow gpsd port:udp_socket name_bind; +allow gpsd node:{ tcp_socket udp_socket } node_bind; -allow gpsd dnsproxyd_socket:sock_file write; +# /acct/tasks +allow gpsd cgroup:file getattr; + +# /dev/socket/fwmarkd allow gpsd fwmarkd_socket:sock_file write; -allow gpsd gps_socket:sock_file create_file_perms; -allow gpsd self:udp_socket create_socket_perms; -# sysfs_gps -allow gpsd sysfs_gps:dir search; -allow gpsd sysfs_gps:lnk_file read; -allow gpsd sysfs_gps:file rw_file_perms; - -# /dev/ttySAC3 -allow gpsd gps_device:chr_file { setattr rw_file_perms }; -allow gpsd gps_data_file:dir rw_dir_perms; -allow gpsd gps_data_file:fifo_file create_file_perms; - -allow gpsd sysfs_wake_lock:file rw_file_perms; - -allow gpsd sensorservice_service:service_manager find; - -# /dev/umts_boot0 -allow gpsd mif_device:chr_file r_file_perms; - -# TCP sockets -allow gpsd port:tcp_socket { name_connect name_bind }; -allow gpsd self:tcp_socket create_socket_perms; -allow gpsd node:tcp_socket node_bind; - -# sec sysfs files -#allow gpsd sysfs_sec:dir search; - -# hwservicemanager ready prop -allow gpsd hwservicemanager:binder call; -allow gpsd hwservicemanager_prop:file { open read getattr}; +# /data/vendor/gps +allow gpsd gps_vendor_data_file:dir rw_dir_perms; +allow gpsd gps_vendor_data_file:file create_file_perms; +allow gpsd gps_vendor_data_file:fifo_file create_file_perms; diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te index 92eb999..604f69e 100644 --- a/sepolicy/hal_drm_default.te +++ b/sepolicy/hal_drm_default.te @@ -6,5 +6,5 @@ allow hal_drm_default tee:unix_stream_socket connectto; allow hal_drm_default efs_file:dir search; allow hal_drm_default cpk_efs_file:file r_file_perms; -allow hal_drm_default media_data_file:file create_file_perms; -allow hal_drm_default media_data_file:dir create_dir_perms; +# allow hal_drm_default media_data_vendor_file:file create_file_perms; +# allow hal_drm_default media_data_vendor_file:dir create_dir_perms; diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te index 3e4fac7..5911960 100644 --- a/sepolicy/hal_gnss_default.te +++ b/sepolicy/hal_gnss_default.te @@ -1,5 +1,12 @@ -vndbinder_use(hal_gnss_default) +# hal_gnss_default.te -# Allow gnss to access the gpsd data files -allow hal_gnss_default gps_data_file:dir w_dir_perms; -allow hal_gnss_default gps_data_file:fifo_file create_file_perms; +# cgroups tasks +allow hal_gnss_default cgroup:file getattr; + +# /data/vendor/gps +allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms; +allow hal_gnss_default gps_vendor_data_file:file create_file_perms; +allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms; + +# /mnt/vendor +allow hal_gnss_default mnt_vendor_file:dir search; diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te index 7cf9e4d..3a997fe 100644 --- a/sepolicy/hal_wifi_default.te +++ b/sepolicy/hal_wifi_default.te @@ -3,6 +3,6 @@ allow hal_wifi_default efs_file:dir search; allow hal_wifi_default wifi_efs_file:dir search; allow hal_wifi_default wifi_efs_file:file r_file_perms; -allow hal_wifi_default wifi_data_file:file r_file_perms; +# allow hal_wifi_default wifi_data_file:file r_file_perms; allow hal_wifi_default sysfs_wifi:file write; diff --git a/sepolicy/netd.te b/sepolicy/netd.te index 8cfd7b7..f8fcc02 100644 --- a/sepolicy/netd.te +++ b/sepolicy/netd.te @@ -1,4 +1,4 @@ -allow netd self:capability sys_module; -allow netd gpsd:fd use; -allow netd gpsd:udp_socket rw_socket_perms; -allow netd gpsd:tcp_socket rw_socket_perms; +# allow netd self:capability sys_module; +# allow netd gpsd:fd use; +# allow netd gpsd:udp_socket rw_socket_perms; +# allow netd gpsd:tcp_socket rw_socket_perms; diff --git a/sepolicy/rild.te b/sepolicy/rild.te index d743cac..4a67b8a 100644 --- a/sepolicy/rild.te +++ b/sepolicy/rild.te @@ -1,59 +1,66 @@ -# Allow rild to change perms -allow rild self:capability chown; +# rild.te -# Allow additiional efs access -r_dir_file(rild, imei_efs_file); -r_dir_file(rild, app_efs_file); +allow rild block_device:dir search; +allow rild mnt_vendor_file:dir { getattr search }; -# /efs/nv_data.bin -allow rild bin_nv_data_efs_file:file create_file_perms; -allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 }; +# audio hal +allow rild hal_audio_default:dir search; +allow rild hal_audio_default:file r_file_perms; -# audioserver -r_dir_file(rild, audioserver); +# gps +allow rild gpsd:dir search; +allow rild gpsd:file r_file_perms; -# /dev/mbin0 -allow rild block_device:dir r_dir_perms; -allow rild emmcblk_device:blk_file r_file_perms; +# /data +allow rild system_data_file:dir getattr; -# /dev/umts_boot0, /dev/umts_ipc0 -allow rild mif_device:chr_file rw_file_perms; +# /data/vendor/log +allow rild log_vendor_data_file:dir rw_dir_perms; +allow rild log_vendor_data_file:file create_file_perms; -# /sys/devices/virtual/misc/multipdp/waketime -allow rild sysfs_multipdp:file rw_file_perms; +# /dev/block/platform/.+/by-name/radio +allow rild radio_block_device:blk_file r_file_perms; -allow rild sysfs_input:file rw_file_perms; +# /dev/drb +# allow rild drb_device:chr_file rw_file_perms; + +# /dev/umts_* +# /dev/umts_ipc* +# allow rild vendor_radio_device:chr_file rw_file_perms; + +# /data/vendor/secradio +allow rild radio_vendor_data_file:dir rw_dir_perms; +allow rild radio_vendor_data_file:file create_file_perms; + +# /efs/FactoryApp/ +# /mnt/vendor/efs/root +allow rild app_efs_file:dir r_dir_perms; +allow rild app_efs_file:file { rw_file_perms setattr }; + +# /efs/imei +allow rild imei_efs_file:dir r_dir_perms; +allow rild imei_efs_file:file r_file_perms; + +# /mnt/vendor/efs/ +allow rild prov_efs_file:dir r_dir_perms; +allow rild prov_efs_file:file r_file_perms; + +# /mnt/vendor/efs/nv_data.bin +allow rild bin_nv_data_efs_file:file { rw_file_perms setattr unlink }; + +# /proc/net/xt_qtaguid/iface_stat_fmt +allow rild proc_qtaguid_stat:file r_file_perms; # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr allow rild proc_net:file rw_file_perms; -r_dir_file(rild, gpsd); +# mdc. +# persist.sys.omc_support +# ro.csc. +get_prop(rild, exported_config_prop); -allow rild proc_qtaguid_stat:file r_file_perms; +# ro.boot.cpboot, ril.NwNmId[0-9] +get_prop(rild, exported_radio_prop) -# rild reads /proc/pid/cmdline of mediaserver -r_dir_file(rild, mediaserver); - -# /data/misc/radio/* -allow rild radio_data_file:dir rw_dir_perms; -allow rild radio_data_file:file create_file_perms; -# /data/data/com.android.providers.telephony/databases/telephony.db -allow rild radio_data_file:lnk_file r_file_perms; - -# sdcard/SDET_PLMN/input/MNCMCC.txt -allow rild storage_file:dir r_dir_perms; -allow rild storage_file:lnk_file r_file_perms; -allow rild mnt_user_file:dir r_dir_perms; -allow rild mnt_user_file:lnk_file r_file_perms; - -# Modem firmware download -allow rild radio_block_device:blk_file r_file_perms; - -# persist.ril.modem.board -set_prop(modemloader, radio_prop) - -# /dev/knox_kap -allow rild knox_device:chr_file r_file_perms; - -# /data/media/0 -allow rild media_rw_data_file:dir r_dir_perms; +# vendor.cbd. +# set_prop(rild, vendor_cbd_prop) diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te index 68aba79..17164bd 100644 --- a/sepolicy/system_server.te +++ b/sepolicy/system_server.te @@ -54,4 +54,4 @@ allow system_server sysfs_input:file rw_file_perms; allow system_server proc_input_devices:file r_file_perms; -unix_socket_connect(system_server, property, gpsd) +# unix_socket_connect(system_server, property, gpsd) diff --git a/sepolicy/tee.te b/sepolicy/tee.te index e2f5141..381ccc5 100644 --- a/sepolicy/tee.te +++ b/sepolicy/tee.te @@ -3,7 +3,7 @@ allow tee { efs_file prov_efs_file }:dir r_dir_perms; allow tee { efs_file prov_efs_file }:file r_file_perms; # Allow mobicore to search apk data -allow tee apk_data_file:dir search; +# allow tee apk_data_file:dir search; # sys.mobicore.enable set_prop(tee, tee_prop) diff --git a/sepolicy/wifiloader.te b/sepolicy/wifiloader.te index c07043f..eb2557f 100644 --- a/sepolicy/wifiloader.te +++ b/sepolicy/wifiloader.te @@ -8,7 +8,7 @@ unix_socket_connect(wifiloader, property, init) allow wifiloader proc:file r_file_perms; allow wifiloader sysfs_wlan_fwpath:file setattr; -allow wifiloader wifi_data_file:file rw_file_perms; +# allow wifiloader wifi_data_file:file rw_file_perms; set_prop(wifiloader, wifi_prop); # /efs