universal7870: sepolicy changes

sepolicy/audioserver.te

@@ -1,5 +1,5 @@
 # Allow rild to connect to gpsd
-unix_socket_connect(audioserver, property, rild)
+# unix_socket_connect(audioserver, property, rild)
 
 # /efs/maxim
 r_dir_file(audioserver, efs_file);

sepolicy/file.te

@@ -50,4 +50,12 @@ type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
 
 ### data types
+type biometrics_vendor_data_file, file_type, data_file_type;
+type conn_vendor_data_file, file_type, data_file_type;
 type display_vendor_data_file, file_type, data_file_type;
+type gps_vendor_data_file, file_type, data_file_type;
+type log_vendor_data_file, file_type, data_file_type;
+type log_cbd_vendor_data_file, file_type, data_file_type;
+type radio_vendor_data_file, file_type, data_file_type;
+type sswap_vendor_data_file, file_type, data_file_type;
+type wifi_vendor_data_file, file_type, data_file_type;

sepolicy/file_contexts

@@ -22,20 +22,17 @@
 /dev/ehci_power              u:object_r:mif_device:s0
 /dev/mipi-lli/lli_control    u:object_r:mif_device:s0
 
-/dev/gnss_ipc                u:object_r:gps_device:s0
+/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
-/dev/ttySAC[0-1]*            u:object_r:gps_device:s0
+/dev/ttySAC[0-9]*            u:object_r:bluetooth_device:s0
+#/dev/ttySAC0                 u:object_r:hci_attach_dev:s0
 
 /dev/block/vnswap0           u:object_r:sswap_device:s0
 
 /dev/block/mmcblk0p[0-9]*    u:object_r:emmcblk_device:s0
 
-/dev/block/mmcblk0p10        u:object_r:boot_block_device:s0
+#/dev/block/platform/13540000.dwmmc0/by-name/EFS u:object_r:efs_block_device:s0
-/dev/block/mmcblk0p11        u:object_r:recovery_block_device:s0
+#/dev/block/platform/13540000.dwmmc0/by-name/CPEFS   u:object_r:sec_efs_file:s0
-/dev/block/mmcblk0p14        u:object_r:radio_block_device:s0
+#/dev/block/platform/13540000.dwmmc0/by-name/RADIO u:object_r:radio_block_device:s0
-/dev/block/mmcblk0p17        u:object_r:frp_block_device:s0
-/dev/block/mmcblk0p20        u:object_r:system_block_device:s0
-/dev/block/mmcblk0p21        u:object_r:cache_block_device:s0
-/dev/block/mmcblk0p23        u:object_r:userdata_block_device:s0
 
 /dev/rfkill                  u:object_r:rfkill_device:s0
 
@@ -45,7 +42,7 @@
 /dev/bbd_reliable            u:object_r:bbd_device:s0
 /dev/bbd_sensor              u:object_r:bbd_device:s0
 /dev/bbd_sio                 u:object_r:bbd_device:s0
-/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
+#/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
 
 /dev/esfp0                   u:object_r:fingerprint_device:s0
 /dev/vfsspi                  u:object_r:fingerprint_device:s0
@@ -103,6 +100,15 @@
 # camera
 /data/camera/ISP_CV          u:object_r:camera_data_file:s0
 
+# vendor
+/data/vendor/biometrics(/.*)?                u:object_r:biometrics_vendor_data_file:s0
+/data/vendor/conn(/.*)?                      u:object_r:conn_vendor_data_file:s0
+/data/vendor/gps(/.*)?                       u:object_r:gps_vendor_data_file:s0
+/data/vendor/wifi(/.*)?                      u:object_r:wifi_vendor_data_file:s0
+/data/vendor/log(/.*)?                       u:object_r:log_vendor_data_file:s0
+/data/vendor/log/cbd(/.*)?                   u:object_r:log_cbd_vendor_data_file:s0
+/data/vendor/secradio(/.*)?                  u:object_r:radio_vendor_data_file:s0
+
 ####################################
 # sysfs files
 #/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
@@ -121,6 +127,37 @@
 # cbd
 /sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi:s0
 
+# efs
+#/cpefs(/.*)?                                 u:object_r:sec_efs_file:s0
+#/efs/Battery(/.*)?                           u:object_r:battery_efs_file:s0
+#/efs/DAK(/.*)?                               u:object_r:prov_efs_file:s0
+#/efs/afc(/.*)?                               u:object_r:sec_efs_file:s0
+#/efs/bluetooth(/.*)?                         u:object_r:bluetooth_efs_file:s0
+#/efs/cpk(/.*)?                               u:object_r:cpk_efs_file:s0
+#/efs/imei(/.*)?                              u:object_r:imei_efs_file:s0
+#/efs/nfc(/.*)?                               u:object_r:nfc_efs_file:s0
+#/efs/nv_data\.bin(.*)                        u:object_r:bin_nv_data_efs_file:s0
+#/efs/pfw_data(/.*)?                          u:object_r:pfw_efs_file:s0
+#/efs/prov(/.*)?                              u:object_r:prov_efs_file:s0
+#/efs/prov_data(/.*)?                         u:object_r:prov_efs_file:s0
+#/efs/root(/.*)?                              u:object_r:app_efs_file:s0
+#/efs/tee(/.*)?                               u:object_r:tee_efs_file:s0
+#/efs/wifi(/.*)?                              u:object_r:wifi_efs_file:s0
+
+/mnt/vendor/efs(/.*)?                        u:object_r:efs_file:s0
+/mnt/vendor/efs/DAK(/.*)?                    u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/afc(/.*)?                    u:object_r:sec_efs_file:s0
+/mnt/vendor/efs/bluetooth(/.*)?              u:object_r:bluetooth_efs_file:s0
+/mnt/vendor/efs/cpk(/.*)?                    u:object_r:cpk_efs_file:s0
+/mnt/vendor/efs/imei(/.*)?                   u:object_r:imei_efs_file:s0
+/mnt/vendor/efs/nv_data\.bin(.*)             u:object_r:bin_nv_data_efs_file:s0
+#/mnt/vendor/efs/pfw_data(/.*)?               u:object_r:pfw_efs_file:s0
+/mnt/vendor/efs/prov(/.*)?                   u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/prov_data(/.*)?              u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/root(/.*)?                   u:object_r:app_efs_file:s0
+#/mnt/vendor/efs/tee(/.*)?                    u:object_r:tee_efs_file:s0
+/mnt/vendor/efs/wifi(/.*)?                   u:object_r:wifi_efs_file:s0
+
 # gps
 /sys/class/sec/gps                                  u:object_r:sysfs_gps:s0
 /sys/devices/soc0/machine                           u:object_r:sysfs_gps:s0
@@ -168,3 +205,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung               u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos                u:object_r:hal_power_default_exec:s0
+
+# Samsung proprietaries
+/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service		                u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service                 u:object_r:hal_gnss_default_exec:s0

sepolicy/fingerprintd.te

@@ -12,5 +12,5 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default tee:unix_stream_socket connectto;
 
 # /data/biometrics/*
-allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+# allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
-allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+# allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;

sepolicy/gpsd.te

@@ -1,53 +1,36 @@
-type gpsd, domain;
+type gpsd, domain, netdomain;
-type gpsd_exec, exec_type, file_type, vendor_file_type;
+type gpsd_exec, exec_type, vendor_file_type, file_type;
 
+# gpsd is started by init, type transit from init domain to gpsd domain
 init_daemon_domain(gpsd)
 
-# Automatically label files created in /data/system/gps as gps_data_file
+allow gpsd rild:unix_stream_socket connectto;
-file_type_auto_trans(gpsd, system_data_file, gps_data_file)
 
-# Allow rild and netd to connect to gpsd
+get_prop(gpsd, exported_radio_prop)
-unix_socket_connect(gpsd, property, rild)
+get_prop(gpsd, exported_config_prop)
-unix_socket_connect(gpsd, property, netd)
 
-allow gpsd system_server:unix_stream_socket rw_socket_perms;
+get_prop(gpsd, hwservicemanager_prop)
+hwbinder_use(gpsd)
+allow gpsd system_suspend_hwservice:hwservice_manager { find };
+allow gpsd fwk_sensor_hwservice:hwservice_manager { find };
 
+binder_call(gpsd, system_suspend_server)
 binder_call(gpsd, system_server)
-binder_use(gpsd)
+binder_call(system_server, gpsd)
 
-# Sockets
+allow gpsd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-type_transition gpsd gps_data_file:sock_file gps_socket;
+allow gpsd self:{ tcp_socket udp_socket } create_stream_socket_perms;
+allow gpsd port:tcp_socket { name_bind name_connect };
+allow gpsd port:udp_socket name_bind;
+allow gpsd node:{ tcp_socket udp_socket } node_bind;
 
-allow gpsd dnsproxyd_socket:sock_file write;
+# /acct/tasks
+allow gpsd cgroup:file getattr;
+
+# /dev/socket/fwmarkd
 allow gpsd fwmarkd_socket:sock_file write;
-allow gpsd gps_socket:sock_file create_file_perms;
-allow gpsd self:udp_socket create_socket_perms;
 
-# sysfs_gps
+# /data/vendor/gps
-allow gpsd sysfs_gps:dir search;
+allow gpsd gps_vendor_data_file:dir rw_dir_perms;
-allow gpsd sysfs_gps:lnk_file read;
+allow gpsd gps_vendor_data_file:file create_file_perms;
-allow gpsd sysfs_gps:file rw_file_perms;
+allow gpsd gps_vendor_data_file:fifo_file create_file_perms;
-
-# /dev/ttySAC3
-allow gpsd gps_device:chr_file { setattr rw_file_perms };
-allow gpsd gps_data_file:dir rw_dir_perms;
-allow gpsd gps_data_file:fifo_file create_file_perms;
-
-allow gpsd sysfs_wake_lock:file rw_file_perms;
-
-allow gpsd sensorservice_service:service_manager find;
-
-# /dev/umts_boot0
-allow gpsd mif_device:chr_file r_file_perms;
-
-# TCP sockets
-allow gpsd port:tcp_socket { name_connect name_bind };
-allow gpsd self:tcp_socket create_socket_perms;
-allow gpsd node:tcp_socket node_bind;
-
-# sec sysfs files
-#allow gpsd sysfs_sec:dir search;
-
-# hwservicemanager ready prop
-allow gpsd hwservicemanager:binder call;
-allow gpsd hwservicemanager_prop:file { open read getattr};

sepolicy/hal_drm_default.te

@@ -6,5 +6,5 @@ allow hal_drm_default tee:unix_stream_socket connectto;
 allow hal_drm_default efs_file:dir search;
 allow hal_drm_default cpk_efs_file:file r_file_perms;
 
-allow hal_drm_default media_data_file:file create_file_perms;
+# allow hal_drm_default media_data_vendor_file:file create_file_perms;
-allow hal_drm_default media_data_file:dir create_dir_perms;
+# allow hal_drm_default media_data_vendor_file:dir create_dir_perms;

sepolicy/hal_gnss_default.te

@@ -1,5 +1,12 @@
-vndbinder_use(hal_gnss_default)
+# hal_gnss_default.te
 
-# Allow gnss to access the gpsd data files
+# cgroups tasks
-allow hal_gnss_default gps_data_file:dir w_dir_perms;
+allow hal_gnss_default cgroup:file getattr;
-allow hal_gnss_default gps_data_file:fifo_file create_file_perms;
+
+# /data/vendor/gps
+allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms;
+allow hal_gnss_default gps_vendor_data_file:file create_file_perms;
+allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
+
+# /mnt/vendor
+allow hal_gnss_default mnt_vendor_file:dir search;

sepolicy/hal_wifi_default.te

@@ -3,6 +3,6 @@ allow hal_wifi_default efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:file r_file_perms;
 
-allow hal_wifi_default wifi_data_file:file r_file_perms;
+# allow hal_wifi_default wifi_data_file:file r_file_perms;
 
 allow hal_wifi_default sysfs_wifi:file write;

sepolicy/netd.te

@@ -1,4 +1,4 @@
-allow netd self:capability sys_module;
+# allow netd self:capability sys_module;
-allow netd gpsd:fd use;
+# allow netd gpsd:fd use;
-allow netd gpsd:udp_socket rw_socket_perms;
+# allow netd gpsd:udp_socket rw_socket_perms;
-allow netd gpsd:tcp_socket rw_socket_perms;
+# allow netd gpsd:tcp_socket rw_socket_perms;

sepolicy/rild.te

@@ -1,59 +1,66 @@
-# Allow rild to change perms
+# rild.te
-allow rild self:capability chown;
 
-# Allow additiional efs access
+allow rild block_device:dir search;
-r_dir_file(rild, imei_efs_file);
+allow rild mnt_vendor_file:dir { getattr search };
-r_dir_file(rild, app_efs_file);
 
-# /efs/nv_data.bin
+# audio hal
-allow rild bin_nv_data_efs_file:file create_file_perms;
+allow rild hal_audio_default:dir search;
-allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 };
+allow rild hal_audio_default:file r_file_perms;
 
-# audioserver
+# gps
-r_dir_file(rild, audioserver);
+allow rild gpsd:dir search;
+allow rild gpsd:file r_file_perms;
 
-# /dev/mbin0
+# /data
-allow rild block_device:dir r_dir_perms;
+allow rild system_data_file:dir getattr;
-allow rild emmcblk_device:blk_file r_file_perms;
 
-# /dev/umts_boot0, /dev/umts_ipc0
+# /data/vendor/log
-allow rild mif_device:chr_file rw_file_perms;
+allow rild log_vendor_data_file:dir rw_dir_perms;
+allow rild log_vendor_data_file:file create_file_perms;
 
-# /sys/devices/virtual/misc/multipdp/waketime
+# /dev/block/platform/.+/by-name/radio
-allow rild sysfs_multipdp:file rw_file_perms;
+allow rild radio_block_device:blk_file r_file_perms;
 
-allow rild sysfs_input:file rw_file_perms;
+# /dev/drb
+# allow rild drb_device:chr_file rw_file_perms;
+
+# /dev/umts_*
+# /dev/umts_ipc*
+# allow rild vendor_radio_device:chr_file rw_file_perms;
+
+# /data/vendor/secradio
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+
+# /efs/FactoryApp/
+# /mnt/vendor/efs/root
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file { rw_file_perms setattr };
+
+# /efs/imei
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/
+allow rild prov_efs_file:dir r_dir_perms;
+allow rild prov_efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/nv_data.bin
+allow rild bin_nv_data_efs_file:file { rw_file_perms setattr unlink };
+
+# /proc/net/xt_qtaguid/iface_stat_fmt
+allow rild proc_qtaguid_stat:file r_file_perms;
 
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
 
-r_dir_file(rild, gpsd);
+# mdc.
+# persist.sys.omc_support
+# ro.csc.
+get_prop(rild, exported_config_prop);
 
-allow rild proc_qtaguid_stat:file r_file_perms;
+# ro.boot.cpboot, ril.NwNmId[0-9]
+get_prop(rild, exported_radio_prop)
 
-# rild reads /proc/pid/cmdline of mediaserver
+# vendor.cbd.
-r_dir_file(rild, mediaserver);
+# set_prop(rild, vendor_cbd_prop)
-
-# /data/misc/radio/*
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
-# /data/data/com.android.providers.telephony/databases/telephony.db
-allow rild radio_data_file:lnk_file r_file_perms;
-
-# sdcard/SDET_PLMN/input/MNCMCC.txt
-allow rild storage_file:dir r_dir_perms;
-allow rild storage_file:lnk_file r_file_perms;
-allow rild mnt_user_file:dir r_dir_perms;
-allow rild mnt_user_file:lnk_file r_file_perms;
-
-# Modem firmware download
-allow rild radio_block_device:blk_file r_file_perms;
-
-# persist.ril.modem.board
-set_prop(modemloader, radio_prop)
-
-# /dev/knox_kap
-allow rild knox_device:chr_file r_file_perms;
-
-# /data/media/0
-allow rild media_rw_data_file:dir r_dir_perms;

sepolicy/system_server.te

@@ -54,4 +54,4 @@ allow system_server sysfs_input:file rw_file_perms;
 
 allow system_server proc_input_devices:file r_file_perms;
 
-unix_socket_connect(system_server, property, gpsd)
+# unix_socket_connect(system_server, property, gpsd)

sepolicy/tee.te

@@ -3,7 +3,7 @@ allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 
 # Allow mobicore to search apk data
-allow tee apk_data_file:dir search;
+# allow tee apk_data_file:dir search;
 
 # sys.mobicore.enable
 set_prop(tee, tee_prop)

sepolicy/wifiloader.te

@@ -8,7 +8,7 @@ unix_socket_connect(wifiloader, property, init)
 
 allow wifiloader proc:file r_file_perms;
 allow wifiloader sysfs_wlan_fwpath:file setattr;
-allow wifiloader wifi_data_file:file rw_file_perms;
+# allow wifiloader wifi_data_file:file rw_file_perms;
 set_prop(wifiloader, wifi_prop);
 
 # /efs