From f0e4521a9f325e0ef4678f971181e2378c5970af Mon Sep 17 00:00:00 2001 
From: Hendra Manudinata Date: Sat, 13 Mar 2021 05:07:20 +0700 Subject: [PATCH] universal7570: import sepolicy from 7870 The sepolicy before seems to be broken Change-Id: I890a28429f03e47a183a0a0b755987f3495994c3 --- sepolicy/audioloader.te | 9 - sepolicy/audioserver.te | 9 + sepolicy/bluetooth.te | 6 + sepolicy/cameraserver.te | 12 ++ sepolicy/charger.te | 1 + sepolicy/cpboot-daemon.te | 51 +++++ sepolicy/device.te | 35 ++++ sepolicy/file.te | 65 ++++++ sepolicy/file_contexts | 231 ++++++++++++++++++++-- sepolicy/fingerprintd.te | 16 ++ sepolicy/fsck.te | 3 + sepolicy/genfs_contexts | 115 +++++++++++ sepolicy/gpsd.te | 36 ++++ sepolicy/hal_bluetooth_default.te | 6 + sepolicy/hal_camera_default.te | 6 + sepolicy/hal_drm_clearkey.te | 10 + sepolicy/hal_drm_default.te | 10 + sepolicy/hal_drm_widevine.te | 23 +++ sepolicy/hal_fingerprint_default.te | 2 + sepolicy/hal_gnss_default.te | 12 ++ sepolicy/hal_graphics_composer.te | 7 + sepolicy/hal_health_default.te | 2 + sepolicy/hal_light_7570.te | 7 - sepolicy/hal_light_default.te | 13 ++ sepolicy/hal_lineage_livedisplay_sysfs.te | 14 ++ sepolicy/hal_lineage_touch_default.te | 2 + sepolicy/hal_power_7570.te | 9 - sepolicy/hal_power_default.te | 19 ++ sepolicy/hal_sensors_default.te | 4 + sepolicy/hal_vibrator_7570.te | 8 - sepolicy/hal_wifi_default.te | 8 + sepolicy/healthd.te | 3 + sepolicy/init.te | 102 +++++++++- sepolicy/kernel.te | 23 ++- sepolicy/lpm.te | 1 - sepolicy/mediacodec.te | 5 + sepolicy/mediaserver.te | 12 ++ sepolicy/modemloader.te | 10 + sepolicy/netd.te | 4 + sepolicy/property.te | 11 ++ sepolicy/property_contexts | 22 +++ sepolicy/rild.te | 66 +++++++ sepolicy/service_contexts | 2 + sepolicy/sswap.te | 18 ++ sepolicy/surfaceflinger.te | 4 + sepolicy/system_app.te | 4 + sepolicy/system_server.te | 59 +++++- sepolicy/tee.te | 9 + sepolicy/ueventd.te | 14 ++ sepolicy/uncrypt.te | 2 + sepolicy/vold.te | 8 + sepolicy/wifiloader.te | 22 +++ sepolicy/zygote.te | 1 + 53 files changed, 1095 insertions(+), 58 
deletions(-) delete mode 100644 sepolicy/audioloader.te create mode 100644 sepolicy/audioserver.te create mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/cameraserver.te create mode 100644 sepolicy/charger.te create mode 100644 sepolicy/cpboot-daemon.te create mode 100644 sepolicy/device.te create mode 100644 sepolicy/file.te create mode 100644 sepolicy/fingerprintd.te create mode 100644 sepolicy/fsck.te create mode 100644 sepolicy/genfs_contexts create mode 100644 sepolicy/gpsd.te create mode 100644 sepolicy/hal_bluetooth_default.te create mode 100644 sepolicy/hal_camera_default.te create mode 100644 sepolicy/hal_drm_clearkey.te create mode 100644 sepolicy/hal_drm_default.te create mode 100644 sepolicy/hal_drm_widevine.te create mode 100644 sepolicy/hal_fingerprint_default.te create mode 100644 sepolicy/hal_gnss_default.te create mode 100644 sepolicy/hal_graphics_composer.te create mode 100644 sepolicy/hal_health_default.te delete mode 100644 sepolicy/hal_light_7570.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_lineage_livedisplay_sysfs.te create mode 100644 sepolicy/hal_lineage_touch_default.te delete mode 100644 sepolicy/hal_power_7570.te create mode 100644 sepolicy/hal_power_default.te create mode 100644 sepolicy/hal_sensors_default.te delete mode 100644 sepolicy/hal_vibrator_7570.te create mode 100644 sepolicy/hal_wifi_default.te create mode 100644 sepolicy/healthd.te delete mode 100644 sepolicy/lpm.te create mode 100644 sepolicy/mediacodec.te create mode 100644 sepolicy/mediaserver.te create mode 100644 sepolicy/modemloader.te create mode 100644 sepolicy/netd.te create mode 100644 sepolicy/property.te create mode 100644 sepolicy/property_contexts create mode 100644 sepolicy/rild.te create mode 100644 sepolicy/service_contexts create mode 100644 sepolicy/sswap.te create mode 100644 sepolicy/surfaceflinger.te create mode 100644 sepolicy/system_app.te create mode 100644 sepolicy/tee.te create mode 100644 
sepolicy/ueventd.te
create mode 100644 sepolicy/uncrypt.te
create mode 100644 sepolicy/vold.te
create mode 100644 sepolicy/wifiloader.te
create mode 100644 sepolicy/zygote.te
diff --git a/sepolicy/audioloader.te b/sepolicy/audioloader.te
deleted file mode 100644
index 3544ce9..0000000
--- a/sepolicy/audioloader.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type audioloader, domain, coredomain;
-type audioloader_exec, exec_type, file_type;
-init_daemon_domain(audioloader)
-
-binder_use(audioloader)
-binder_call(audioloader, audioserver)
-binder_call(audioserver, audioloader)
-
-allow audioloader audioserver_service:service_manager find;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..4c25766
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,9 @@
+# Allow rild to connect to gpsd
+# unix_socket_connect(audioserver, property, rild)
+
+# /efs/maxim
+r_dir_file(audioserver, efs_file);
+r_dir_file(audioserver, sec_efs_file);
+
+# TFA98xx amplifier
+allow audioserver amplifier_device:chr_file rw_file_perms;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..4a80b40
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,6 @@
+# /dev/ttySAC3
+allow bluetooth bluetooth_device:chr_file rw_file_perms ;
+allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
+
+# /data/.cid.info
+allow bluetooth wifi_data_file:file r_file_perms;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..85e7a11
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,12 @@
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/camera/*/*_camfw
+allow cameraserver sysfs_camera:dir search;
+allow cameraserver sysfs_camera:file rw_file_perms;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
+
+# /data/media(/.*)?
+r_dir_file(cameraserver, media_rw_data_file);
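Review bot: The two `r_dir_file` lines in audioserver.te grant audioserver read access to everything labeled efs_file and sec_efs_file, which per this patch's file_contexts means the whole of /mnt/vendor/efs, /cpefs and /mnt/vendor/efs/afc, far more than the `/efs/maxim` directory the comment names. A dedicated label for that directory (`type audio_efs_file, file_type;` in file.te, a matching file_contexts entry, and `r_dir_file(audioserver, audio_efs_file)`) keeps the grant to what audioserver needs. The first comment, `# Allow rild to connect to gpsd`, describes neither this file nor the commented-out `unix_socket_connect(audioserver, ...)` beneath it and should be dropped or corrected.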
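Review bot: `allow cameraserver sysfs_camera:file rw_file_perms;` lets the core cameraserver domain write every node under /sys/devices/virtual/camera (labeled sysfs_camera by the new genfs_contexts), while the comment only names the `*_camfw` firmware-version attributes. If cameraserver only reads those, `allow cameraserver sysfs_camera:file r_file_perms;` is enough; writes to camera sysfs belong in hal_camera_default, which this patch already grants rw. `r_dir_file(cameraserver, media_rw_data_file)` likewise gives cameraserver read over all of /data/media, so confirm a narrower path is not sufficient.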
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
new file mode 100644
index 0000000..52e3cd5
--- /dev/null
+++ b/sepolicy/charger.te
@@ -0,0 +1 @@
+allow charger sysfs_usb_supply:file rw_file_perms;
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..de2cd2f
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
@@ -0,0 +1,51 @@
+# modem daemon sec label
+type cpboot-daemon, domain;
+type cpboot-daemon_exec, exec_type, file_type, vendor_file_type;
+
+net_domain(cpboot-daemon)
+init_daemon_domain(cpboot-daemon)
+wakelock_use(cpboot-daemon)
+set_prop(cpboot-daemon, modemloader_prop)
+
+allow cpboot-daemon self:capability { setuid setgid };
+
+# FIXME neverallow rule
+# allow cpboot-daemon self:capability mknod;
+allow cpboot-daemon kernel:system syslog_read;
+allow cpboot-daemon cgroup:dir create_dir_perms;
+
+# /dev/log/*
+#allow cpboot-daemon log_device:dir r_dir_perms;
+#allow cpboot-daemon log_device:chr_file rw_file_perms;
+# /dev/kmsg (write to kernel log)
+allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
+
+# /dev/umts_boot0
+allow cpboot-daemon mif_device:chr_file rw_file_perms;
+# /dev/mbin0
+allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
+# /dev/spi_boot_link
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
+# /dev/block/mmcblk0p13
+allow cpboot-daemon block_device:dir r_dir_perms;
+allow cpboot-daemon radio_block_device:blk_file r_file_perms;
+
+# /dev/mipi-lli/lli_control
+allow cpboot-daemon sysfs_mipi:file rw_file_perms;
+
+# /efs
+allow cpboot-daemon efs_file:dir r_dir_perms;
+
+# /efs/nv_data.bin
+allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
+allow cpboot-daemon efs_file:file rw_file_perms;
+
+# /proc permissions
+allow cpboot-daemon proc_cmdline:file r_file_perms;
+allow cpboot-daemon proc_dt_firmware:dir search;
+allow cpboot-daemon proc_dt_firmware:file { open read };
+
+# set properties on boot
+set_prop(cpboot-daemon, cpboot-daemon_prop)
+set_prop(cpboot-daemon, radio_prop)
+set_prop(cpboot-daemon, system_prop)
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..89cfe5d
--- /dev/null
+++ b/sepolicy/device.te
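Review bot: `allow cpboot-daemon efs_file:file rw_file_perms;` gives the modem boot daemon read/write to every file under /mnt/vendor/efs that still carries the generic efs_file label, which makes the `bin_nv_data_efs_file` rule just above it redundant and is far wider than the `/efs/nv_data.bin` comment suggests; if cbd needs other files, label them and list those types instead. `set_prop(cpboot-daemon, system_prop)` similarly lets a vendor daemon set any property still mapped to system_prop; the properties it actually sets belong in a dedicated type in property.te/property_contexts. The `radio_block_device` rule under `# /dev/block/mmcblk0p13` is dead as committed: the only file_contexts line that would assign that label is commented out, while `/dev/block/mmcblk0p[0-9]*` is labeled emmcblk_device, so the daemon's real partition access comes from the broad `emmcblk_device:blk_file r_file_perms` grant above it, which covers every raw partition.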
@@ -0,0 +1,35 @@
+# /dev/ttySAC3
+type bluetooth_device, dev_type;
+
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
+type emmcblk_device, file_type;
+
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
+# /dev/rfkill
+type rfkill_device, dev_type;
+
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/bbd*, /dev/ttyBCM[0-9]*
+type bbd_device, dev_type;
+
+# /dev/vfsspi
+type fingerprint_device, dev_type;
+
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
+
+# /dev/knox_kap
+type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..20a467a
--- /dev/null
+++ b/sepolicy/file.te
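Review bot: `type emmcblk_device, file_type;` is the only device type in this file declared without `dev_type`, yet it labels the raw `/dev/block/mmcblk0p[0-9]*` nodes; declare it as `type emmcblk_device, dev_type;` like its neighbours so the generic dev_type rules and neverallows apply to it (whether the base policy of this release also wants a block-device attribute on it should be checked against system/sepolicy). The comment `# /dev/i2c-20 - TFA98xx amplifier` disagrees with file_contexts, which labels `/dev/i2c-0` as amplifier_device; one of the two is wrong and the comment should match the actual node.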
@@ -0,0 +1,65 @@
+### efs types
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type sec_efs_file, file_type;
+
+# widewine, drm
+type cpk_efs_file, file_type;
+type drm_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
+type imei_efs_file, file_type;
+type prov_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
+type sensor_efs_file, file_type;
+type sensor_factoryapp_efs_file, file_type;
+type wifi_efs_file, file_type;
+
+# gps
+type gps_data_file, file_type, data_file_type, core_data_file_type;
+type gps_socket, file_type;
+
+# proc
+type proc_vm, fs_type, proc_type;
+type proc_dt_firmware, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
+type proc_simslot_count, fs_type, proc_type;
+type proc_input_devices, fs_type, proc_type;
+type proc_sec, fs_type, proc_type;
+
+### sysfs types
+#type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_sensors, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_light, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wifi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_usb_supply, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_mmc, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_graphics, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_ion, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_block, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_jack, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
+
+### data types
+type biometrics_vendor_data_file, file_type, data_file_type;
+type camera_vendor_data_file, file_type, data_file_type;
+type conn_vendor_data_file, file_type, data_file_type;
+type display_vendor_data_file, file_type, data_file_type;
+type gk_vendor_data_file, file_type, data_file_type;
+type gps_vendor_data_file, file_type, data_file_type;
+type log_vendor_data_file, file_type, data_file_type;
+type log_cbd_vendor_data_file, file_type, data_file_type;
+type media_vendor_data_file, file_type, data_file_type;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type radio_vendor_data_file, file_type, data_file_type;
+type sswap_vendor_data_file, file_type, data_file_type;
+type wifi_vendor_data_file, file_type, data_file_type;
\ No newline at end of file
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 382b88a..2dc1ea1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
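Review bot: `sysfs_sec`, `sysfs_sensors` and `sysfs_input` list `fs_type` twice in their attribute lists, e.g. `type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;`; whether or not checkpolicy tolerates the repeat, it should be written `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;` like the other sysfs types here. The `# widewine, drm` header is a typo for Widevine, and the file is committed without a trailing newline. `gps_data_file` is given `core_data_file_type`, which in recent releases the base policy fences off from vendor domains such as the gpsd declared in this patch; a comment noting that only core domains may be granted it would save a future denial hunt.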
@@ -1,22 +1,221 @@
-# Audio
-/system/bin/audioloader u:object_r:audioloader_exec:s0
-/system/etc/usb_audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
+##########################
+# Devices
+#
+/dev/mali[0-9]* u:object_r:gpu_device:s0
 
-# Bluetooth
-/sys/devices/platform/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/platform/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
 
-# Block device for ZRAM
-/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/ttySAC3 u:object_r:bluetooth_device:s0
 
-# LPM
-/system/bin/lpm u:object_r:lpm_exec:s0
+/dev/s5p-smem u:object_r:secmem_device:s0
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
 
-# Power HAL
-/system/bin/hw/android.hardware\.power@1\.0-service\.7570 u:object_r:hal_power_7570_exec:s0
+/dev/v4l-subdev[0-9]* u:object_r:video_device:s0
+/dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0
+/dev/media[0-3]* u:object_r:camera_device:s0
+/dev/m2m1shot_jpeg u:object_r:camera_device:s0
 
-# Lights HAL
-/system/bin/hw/android.hardware\.light@2\.0-service\.7570 u:object_r:hal_light_7570_exec:s0
+/dev/__cbd_msg_ u:object_r:mif_device:s0
+/dev/umts.* u:object_r:mif_device:s0
+/dev/ehci_power u:object_r:mif_device:s0
+/dev/mipi-lli/lli_control u:object_r:mif_device:s0
 
-# Vibrator HAL
-/system/bin/hw/android.hardware\.vibrator@1\.0-service\.7570 u:object_r:hal_vibrator_7570_exec:s0
+/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
+/dev/ttySAC[0-9]* u:object_r:bluetooth_device:s0
+#/dev/ttySAC0 u:object_r:hci_attach_dev:s0
+
+/dev/block/vnswap0 u:object_r:sswap_device:s0
+
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+
+#/dev/block/platform/13540000.dwmmc0/by-name/EFS u:object_r:efs_block_device:s0
+#/dev/block/platform/13540000.dwmmc0/by-name/CPEFS u:object_r:sec_efs_file:s0
+#/dev/block/platform/13540000.dwmmc0/by-name/RADIO u:object_r:radio_block_device:s0
+
+/dev/rfkill u:object_r:rfkill_device:s0
+
+/dev/bbd_control u:object_r:bbd_device:s0
+/dev/bbd_packet u:object_r:bbd_device:s0
+/dev/bbd_patch u:object_r:bbd_device:s0
+/dev/bbd_reliable u:object_r:bbd_device:s0
+/dev/bbd_sensor u:object_r:bbd_device:s0
+/dev/bbd_sio u:object_r:bbd_device:s0
+#/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
+
+/dev/esfp0 u:object_r:fingerprint_device:s0
+/dev/vfsspi u:object_r:fingerprint_device:s0
+
+/dev/batch_io u:object_r:sensor_device:s0
+/dev/ssp_sensorhub u:object_r:sensor_device:s0
+
+# TFA98xx amplifier
+/dev/i2c-0 u:object_r:amplifier_device:s0
+
+# Knox status
+/dev/knox_kap u:object_r:knox_device:s0
+
+####################################
+# efs files
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/prox_cal u:object_r:sensor_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
+
+/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/drm(/.*)? u:object_r:drm_efs_file:s0
+/efs/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/h2k\.dat u:object_r:cpk_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv\.keys u:object_r:cpk_efs_file:s0
+/cpefs(/.*)? u:object_r:sec_efs_file:s0
+
+####################################
+# data files
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/\.cid\.info u:object_r:wifi_data_file:s0
+/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+
+# gps
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0
+/data/gps/nmeapipe u:object_r:gps_data_file:s0
+
+/data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# camera
+/data/camera/ISP_CV u:object_r:camera_data_file:s0
+
+# vendor
+/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0
+/data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0
+/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0
+/data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0
+/data/vendor/log(/.*)? u:object_r:log_vendor_data_file:s0
+/data/vendor/log/cbd(/.*)? u:object_r:log_cbd_vendor_data_file:s0
+/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0
+
+/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
+/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
+/data/vendor/media(/.*)? u:object_r:media_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/gk(/.*)? u:object_r:gk_vendor_data_file:s0
+/data/camera(/.*)? u:object_r:camera_data_file:s0
+
+####################################
+# sysfs files
+#/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
+#/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+#/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0
+
+# bluetooth
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+
+# CP device
+/dev/spi_boot_link u:object_r:radio_device:s0
+
+# cbd
+/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0
+
+# efs
+#/cpefs(/.*)? u:object_r:sec_efs_file:s0
+#/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+#/efs/DAK(/.*)? u:object_r:prov_efs_file:s0
+#/efs/afc(/.*)? u:object_r:sec_efs_file:s0
+#/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+#/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0
+#/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+#/efs/nfc(/.*)? u:object_r:nfc_efs_file:s0
+#/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+#/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0
+#/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+#/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+#/efs/root(/.*)? u:object_r:app_efs_file:s0
+#/efs/tee(/.*)? u:object_r:tee_efs_file:s0
+#/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+
+/mnt/vendor/efs(/.*)? u:object_r:efs_file:s0
+/mnt/vendor/efs/DAK(/.*)? u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/afc(/.*)? u:object_r:sec_efs_file:s0
+/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/mnt/vendor/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0
+/mnt/vendor/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/mnt/vendor/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+#/mnt/vendor/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0
+/mnt/vendor/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/mnt/vendor/efs/root(/.*)? u:object_r:app_efs_file:s0
+#/mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0
+/mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+
+# gps
+/sys/class/sec/gps u:object_r:sysfs_gps:s0
+/sys/devices/soc0/machine u:object_r:sysfs_gps:s0
+/sys/devices/soc0/revision u:object_r:sysfs_gps:s0
+/sys/devices/139c0000.pinctrl/gpio/gpio137/value u:object_r:sysfs_gps:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp:s0
+/dev/socket/rild2 u:object_r:rild_socket:s0
+/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
+
+# mDNIe
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0
+
+# Lights
+/sys/devices/virtual/sec/sec_touchkey/brightness u:object_r:sysfs_light:s0
+/sys/devices/14800000.dsim/backlight/panel(/.*)? u:object_r:sysfs_light:s0
+/sys/class/leds(/.*)? u:object_r:sysfs_light:s0
+/sys/devices/virtual/sec/led(/.*)? u:object_r:sysfs_light:s0
+/sys/class/lcd/panel/power_reduce u:object_r:sysfs_light:s0
+/sys/devices/i2c.24/i2c-6/6-0030/leds(/.*)? u:object_r:sysfs_light:s0
+
+# Wifi
+/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi:s0
+
+####################################
+# deamons
+#
+
+/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/modemloader u:object_r:modemloader_exec:s0
+/(vendor|system/vendor)/bin/wifiloader u:object_r:wifiloader_exec:s0
+
+/(vendor|system/vendor)/bin/cbd u:object_r:cpboot-daemon_exec:s0
+/(vendor|system/vendor)/bin/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/sswap u:object_r:sswap_exec:s0
+
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.samsung u:object_r:hal_thermal_default_exec:s0
+
+# Samsung proprietaries
+/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service u:object_r:hal_gnss_default_exec:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
new file mode 100644
index 0000000..7373384
--- /dev/null
+++ b/sepolicy/fingerprintd.te
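Review bot: `/dev/ttySAC[0-9]* u:object_r:bluetooth_device:s0` labels every Exynos UART as the Bluetooth device, so the `bluetooth` and `hal_bluetooth_default` rules in this patch give those domains read/write on all serial ports rather than only the `/dev/ttySAC3` their comments name; the explicit `/dev/ttySAC3` entry above already covers the real device, and the commented `#/dev/ttySAC0 ... hci_attach_dev` line suggests ttySAC0 is something else, so the wildcard line should go. `/efs/nv_data.bin(.*)` and `/efs/nv.log` leave their dots unescaped, unlike `/mnt/vendor/efs/nv_data\.bin(.*)` further down, so they match more names than intended; write them as `/efs/nv_data\.bin(.*)` and `/efs/nv\.log`. The `/efs/...` and `/mnt/vendor/efs/...` blocks label the same tree under two mount points, so whichever one efs is not mounted at is dead and should be removed once the fstab is confirmed.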
@@ -0,0 +1,16 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default)
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+# allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+# allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..6185843
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1,3 @@
+# /dev/block/mmcblk0p[0-9]*
+allow fsck emmcblk_device:blk_file rw_file_perms;
+allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..3d7ffda
--- /dev/null
+++ b/sepolicy/genfs_contexts
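Review bot: This file is named fingerprintd.te but every rule in it targets hal_fingerprint_default, and the patch also adds a separate hal_fingerprint_default.te, so the domain's rules end up split across two files; fold these into hal_fingerprint_default.te. `binder_call(system_app, hal_fingerprint_default)` lets system apps call a vendor HAL directly over binder instead of going through system_server and the HIDL hwservice; if it came from a specific denial, record the client in the comment, otherwise drop it.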
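Review bot: `allow fsck emmcblk_device:blk_file rw_file_perms;` gives fsck write access to every raw partition, because file_contexts in this patch labels the whole `/dev/block/mmcblk0p[0-9]*` range emmcblk_device; that includes boot, system and efs, not only the filesystems fsck is actually run on. The usual approach is to label the partitions fsck checks through their by-name symlinks with per-partition types (userdata_block_device and a dedicated efs type, which the commented-out `by-name/EFS` entry hints at) and drop the rw grant on the generic range. The `allowxperm` line would then reference the same per-partition labels.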
@@ -0,0 +1,115 @@
+genfscon proc /device-tree u:object_r:proc_dt_firmware:s0
+
+genfscon proc /sys/vm/dirty_ratio u:object_r:proc_vm:s0
+genfscon proc /sys/vm/dirty_bytes u:object_r:proc_vm:s0
+genfscon proc /sys/vm/dirty_background_bytes u:object_r:proc_vm:s0
+genfscon proc /sys/vm/min_free_kbytes u:object_r:proc_vm:s0
+
+genfscon proc /sys/vm/swappiness u:object_r:proc_vm:s0
+genfscon proc /sys/vm/vfs_cache_pressure u:object_r:proc_vm:s0
+
+genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
+genfscon proc /simslot_count u:object_r:proc_simslot_count:s0
+
+genfscon proc /bus/input/devices u:object_r:proc_input_devices:s0
+
+# SEC devices
+genfscon proc /sec_log u:object_r:proc_sec:s0
+#genfscon sysfs /class/sec u:object_r:sysfs_sec:s0
+
+# Power supply devices
+genfscon sysfs /devices/battery.20/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.26/i2c-8/8-0034/s2mu003-charger/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0035/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/htc_battery/power_supply/ps u:object_r:sysfs_usb_supply:s0
+
+# Input devices
+genfscon sysfs /devices/virtual/sec/sec_touchkey u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/sec_key u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/secgpio_check u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/input u:object_r:sysfs_input:s0
+
+# A3 power devices
+genfscon sysfs /devices/i2c.21/i2c-4/4-0035/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0034/s2mu003-charger/power_supply u:object_r:sysfs_usb_supply:s0
+
+# A3 Input devices
+genfscon sysfs /devices/13850000.i2c/i2c-10/10-0050/input/input3 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.23/i2c-5/5-0020/input/input2 u:object_r:sysfs_input:s0
+
+# A5 power supply devices
+genfscon sysfs /devices/battery.43/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.42/i2c-7/7-0071/power_supply u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0049/sm5705-charger/power_supply u:object_r:sysfs_usb_supply:s0
+
+# A5 Input devices
+genfscon sysfs /devices/13850000.i2c/i2c-10/10-0020/input/input3 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.20/i2c-4/4-0020/input/input2 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/fingerprint/fingerprint u:object_r:sysfs_input:s0
+
+# S5 NEO Input devices
+genfscon sysfs /devices/13860000.i2c/i2c-11/11-0048/input/input2 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.22/i2c-4/4-0020/input/input1 u:object_r:sysfs_input:s0
+
+# SEC GPIO input devices
+genfscon sysfs /class/secgpio_check/secgpio_check_all/gpioinit_check u:object_r:sysfs_input:s0
+genfscon sysfs /class/secgpio_check/secgpio_check_all/gpiosleep_check u:object_r:sysfs_input:s0
+genfscon sysfs /class/secgpio_check/secgpio_check_all/checked_sleepGPIO u:object_r:sysfs_input:s0
+
+# Input booster
+genfscon sysfs /class/input_booster/level u:object_r:sysfs_input:s0
+genfscon sysfs /class/input_booster/head u:object_r:sysfs_input:s0
+genfscon sysfs /class/input_booster/tail u:object_r:sysfs_input:s0
+
+# Swap
+genfscon sysfs /devices/virtual/block/vnswap0 u:object_r:sysfs_sswap:s0
+
+# CPU/Scheduler devices
+genfscon sysfs /power/cpufreq_table u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /power/cpufreq_min_limit u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /power/cpufreq_max_limit u:object_r:sysfs_devices_system_cpu:s0
+
+genfscon sysfs /module/cpuidle/parameters/off u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /module/cpuidle_exynos64_smp/parameters/enable_mask u:object_r:sysfs_devices_system_cpu:s0
+
+genfscon sysfs /module/workqueue/parameters/power_efficient u:object_r:sysfs_devices_system_cpu:s0
+
+# Camera
+genfscon sysfs /devices/virtual/camera u:object_r:sysfs_camera:s0
+
+# GPS
+genfscon sysfs /devices/virtual/sec/gps u:object_r:sysfs_gps:s0
+
+# Audio sysfs
+genfscon sysfs /devices/virtual/audio/earjack u:object_r:sysfs_jack:s0
+
+# USB lun device
+genfscon sysfs /devices/13580000.usb/gadget/lun0 u:object_r:sysfs_android_usb:s0
+
+# MMC block device cache files
+genfscon sysfs /devices/virtual/bdi/179:0/read_ahead_kb u:object_r:sysfs_block:s0
+genfscon sysfs /devices/virtual/bdi/179:32/read_ahead_kb u:object_r:sysfs_block:s0
+
+# ION
+genfscon sysfs /devices/virtual/ion_cma u:object_r:sysfs_ion:s0
+
+# Sensors
+genfscon sysfs /devices/virtual/sensors u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0028/iio:device0 u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0068/iio:device1 u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-002e/iio:device2 u:object_r:sysfs_sensors:s0
+
+
+genfscon sysfs /devices/13540000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmc:s0
+
+genfscon sysfs /devices/virtual/net/rmnet0 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet1 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet2 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet3 u:object_r:sysfs_net:s0
+
+genfscon sysfs /devices/14830000.decon_fb u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/14800000.dsim u:object_r:sysfs_graphics:s0
+
+# video4linux
+genfscon sysfs /devices/12800000.mfc0/video4linux u:object_r:sysfs_v4l:s0
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..3d6a98b
--- /dev/null
+++ b/sepolicy/gpsd.te
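Review bot: `genfscon sysfs /devices/platform/htc_battery/power_supply/ps` is an HTC path, and the `# A3`, `# A5` and `# S5 NEO` blocks name other devices' i2c and battery nodes, so this file appears to have been imported from the 7870 tree wholesale rather than trimmed to universal7570; entries for nodes that do not exist here are inert at runtime but hide which labels are load-bearing, so check them against this device's sysfs and remove the ones that do not apply. `genfscon sysfs /devices/virtual/input u:object_r:sysfs_input:s0` labels the entire virtual input tree, and hal_light_default and hal_fingerprint_default receive `sysfs_input:file rw_file_perms` elsewhere in this patch, so either narrow that entry to the nodes those HALs touch or give those nodes their own label.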
@@ -0,0 +1,36 @@
+type gpsd, domain, netdomain;
+type gpsd_exec, exec_type, vendor_file_type, file_type;
+
+# gpsd is started by init, type transit from init domain to gpsd domain
+init_daemon_domain(gpsd)
+
+allow gpsd rild:unix_stream_socket connectto;
+
+get_prop(gpsd, exported_radio_prop)
+get_prop(gpsd, exported_config_prop)
+
+get_prop(gpsd, hwservicemanager_prop)
+hwbinder_use(gpsd)
+allow gpsd system_suspend_hwservice:hwservice_manager { find };
+allow gpsd fwk_sensor_hwservice:hwservice_manager { find };
+
+binder_call(gpsd, system_suspend_server)
+binder_call(gpsd, system_server)
+binder_call(system_server, gpsd)
+
+allow gpsd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow gpsd self:{ tcp_socket udp_socket } create_stream_socket_perms;
+allow gpsd port:tcp_socket { name_bind name_connect };
+allow gpsd port:udp_socket name_bind;
+allow gpsd node:{ tcp_socket udp_socket } node_bind;
+
+# /acct/tasks
+allow gpsd cgroup:file getattr;
+
+# /dev/socket/fwmarkd
+allow gpsd fwmarkd_socket:sock_file write;
+
+# /data/vendor/gps
+allow gpsd gps_vendor_data_file:dir rw_dir_perms;
+allow gpsd gps_vendor_data_file:file create_file_perms;
+allow gpsd gps_vendor_data_file:fifo_file create_file_perms;
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..418dcf8
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1,6 @@
+# /dev/ttySAC3
+allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
+
+# /efs
+allow hal_bluetooth_default efs_file:dir search;
+r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..38fa4e4
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
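Review bot: `allow gpsd port:tcp_socket { name_bind name_connect };`, `allow gpsd port:udp_socket name_bind;` and the `node_bind` line let the GPS daemon listen on any TCP or UDP port, which an outbound SUPL/assistance client should not need; if gpsd only connects out, drop `name_bind` and `node_bind`, and if it genuinely listens locally, give it a dedicated port type rather than the generic `port`. The domain is also declared with the bare attribute, `type gpsd, domain, netdomain;`, while cpboot-daemon in the same patch uses `net_domain(cpboot-daemon)`; use the macro here for consistency and then check which of the explicit socket rules the attribute already covers. `binder_call(gpsd, system_server)` between a vendor domain and system_server on the framework binder may collide with the base policy's vendor/core binder neverallows on recent releases, so confirm the build passes without a violator attribute.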
@@ -0,0 +1,6 @@
+allow hal_camera_default sysfs_camera:dir search;
+allow hal_camera_default sysfs_camera:file rw_file_perms;
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+vndbinder_use(hal_camera_default)
diff --git a/sepolicy/hal_drm_clearkey.te b/sepolicy/hal_drm_clearkey.te
new file mode 100644
index 0000000..64b5d41
--- /dev/null
+++ b/sepolicy/hal_drm_clearkey.te
@@ -0,0 +1,10 @@
+# hal_drm_clearkey.te
+
+type hal_drm_clearkey, domain;
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hwbinder_use(hal_drm_clearkey)
+get_prop(hal_drm_clearkey, hwservicemanager_prop)
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..af689d4
--- /dev/null
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,10 @@
+vndbinder_use(hal_drm_default)
+
+# /dev/s5p-smem
+allow hal_drm_default secmem_device:chr_file rw_file_perms;
+allow hal_drm_default tee:unix_stream_socket connectto;
+allow hal_drm_default efs_file:dir search;
+allow hal_drm_default cpk_efs_file:file r_file_perms;
+
+allow hal_drm_default media_vendor_data_file:file create_file_perms;
+allow hal_drm_default media_vendor_data_file:dir create_dir_perms;
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..eca9731
--- /dev/null
+++ b/sepolicy/hal_drm_widevine.te
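Review bot: `type hal_drm_clearkey, domain;` and `type hal_drm_clearkey_exec, ...` in hal_drm_clearkey.te redeclare a domain that recent AOSP releases already ship in system/sepolicy/vendor (with the same hal_server_domain, init_daemon_domain and hwbinder rules); if this tree includes that file, the duplicate `type` lines will fail the policy build, and if it does not, the file_contexts entry for the clearkey binary is the only device-specific part. Check the base policy for the release this targets and keep only what it does not already declare. In hal_drm_default.te the read on cpk_efs_file and the create grants on media_vendor_data_file have no comment naming the file or consumer that needs them; add one so the rules can be audited later.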
@@ -0,0 +1,23 @@
+# hal_drm_widevine.te
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+# /data/vendor/mediadrm/
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+
+# /dev/s5p-smem
+allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
+
+# /dev/tzdev
+#allow hal_drm_widevine tz_user_device:chr_file rw_file_perms;
+
+# /efs/wv.keys
+allow hal_drm_widevine efs_file:dir search;
+allow hal_drm_widevine sec_efs_file:file r_file_perms;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..7f187f9
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+allow hal_fingerprint_default sysfs_input:dir search;
+allow hal_fingerprint_default sysfs_input:file rw_file_perms;
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..5911960
--- /dev/null
+++ b/sepolicy/hal_gnss_default.te
@@ -0,0 +1,12 @@
+# hal_gnss_default.te
+
+# cgroups tasks
+allow hal_gnss_default cgroup:file getattr;
+
+# /data/vendor/gps
+allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms;
+allow hal_gnss_default gps_vendor_data_file:file create_file_perms;
+allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
+
+# /mnt/vendor
+allow hal_gnss_default mnt_vendor_file:dir search;
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
new file mode 100644
index 0000000..1916c0a
--- /dev/null
+++ b/sepolicy/hal_graphics_composer.te
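Review bot: The commented-out rule `#allow hal_drm_widevine tz_user_device:chr_file rw_file_perms;` under `# /dev/tzdev` is left in without saying why it is disabled, so a later reader cannot tell whether the node is unused, mislabeled, or the access was withheld on purpose. The same pattern appears in init.te (`# allow init hal_drm_hwservice:hwservice_manager add;`), netd.te (which consists of nothing but four commented rules), rild.te, system_server.te, tee.te, hal_wifi_default.te and wifiloader.te. Either delete these lines or replace each with a one-line reason, e.g. `# tzdev access intentionally not granted: <reason — TODO fill in>`; a policy file that is entirely comments, like netd.te, should simply be removed.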
@@ -0,0 +1,7 @@
+# Graphics sysfs
+allow hal_graphics_composer_default sysfs_graphics:dir search;
+allow hal_graphics_composer_default sysfs_graphics:file rw_file_perms;
+
+# uevent socket
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
new file mode 100644
index 0000000..89b18e7
--- /dev/null
+++ b/sepolicy/hal_health_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_health_default, sysfs_usb_supply)
+allow hal_health_default sysfs_usb_supply:file rw_file_perms;
diff --git a/sepolicy/hal_light_7570.te b/sepolicy/hal_light_7570.te
deleted file mode 100644
index ee0fcf6..0000000
--- a/sepolicy/hal_light_7570.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type hal_light_7570, domain, coredomain;
-hal_server_domain(hal_light_7570, hal_light)
-
-type hal_light_7570_exec, exec_type, file_type;
-init_daemon_domain(hal_light_7570)
-
-allow hal_light_7570 sysfs:file rw_file_perms;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..854a807
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1,13 @@
+allow hal_light_default sysfs_light:dir search;
+allow hal_light_default sysfs_light:file rw_file_perms;
+
+allow hal_light_default sysfs_graphics:dir search;
+allow hal_light_default sysfs_graphics:file rw_file_perms;
+
+allow hal_light_default sysfs_input:dir search;
+allow hal_light_default sysfs_input:lnk_file read;
+allow hal_light_default sysfs_input:file rw_file_perms;
+
+allow hal_light_default sysfs_sec:dir search;
+allow hal_light_default sysfs_sec:lnk_file read;
+allow hal_light_default sysfs_sec:file rw_file_perms;
diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te
new file mode 100644
index 0000000..82c371d
--- /dev/null
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
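Review bot: Each block in the hal_light_default.te hunk grants `rw_file_perms` on a whole sysfs label (`sysfs_graphics`, `sysfs_input`, `sysfs_sec`) without a comment naming the node the lights HAL actually writes, unlike the sibling hunks in this patch (hal_power_default.te, hal_graphics_composer.te) which label each block. Write access to `sysfs_input` and `sysfs_sec` in particular covers more than backlight or LED brightness nodes, so a per-block comment such as `# <sysfs node this HAL writes — TODO confirm>` would both document the need and make it possible to split off a narrower label later. The hal_health_default.te hunk on the same line also grants both `r_dir_file(...)` and `rw_file_perms` on `sysfs_usb_supply`, of which the read half is subsumed by the write rule's `rw_file_perms`.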
@@ -0,0 +1,14 @@
+# Allow LiveDisplay to store files under /data/vendor/display and access them
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+
+# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
+allow hal_lineage_livedisplay_sysfs {
+ sysfs_graphics
+ sysfs_mdnie
+}:dir search;
+
+allow hal_lineage_livedisplay_sysfs {
+ sysfs_graphics
+ sysfs_mdnie
+}:file rw_file_perms;
diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te
new file mode 100644
index 0000000..044f569
--- /dev/null
+++ b/sepolicy/hal_lineage_touch_default.te
@@ -0,0 +1,2 @@
+allow hal_lineage_touch_default sysfs_input:dir search;
+allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
diff --git a/sepolicy/hal_power_7570.te b/sepolicy/hal_power_7570.te
deleted file mode 100644
index d7cbd7b..0000000
--- a/sepolicy/hal_power_7570.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_power_7570, domain, coredomain;
-hal_server_domain(hal_power_7570, hal_power)
-
-type hal_power_7570_exec, exec_type, file_type;
-init_daemon_domain(hal_power_7570)
-
-allow hal_power_7570 cgroup:file rw_file_perms;
-allow hal_power_7570 sysfs:file rw_file_perms;
-allow hal_power_7570 sysfs_devices_system_cpu:file rw_file_perms;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..bbc53b1
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1,19 @@
+# Allow reading of sysfs nodes to find input devices
+allow hal_power_default sysfs:dir r_dir_perms;
+allow hal_power_default sysfs:file r_file_perms;
+
+# Input devices
+allow hal_power_default sysfs_input:dir r_dir_perms;
+allow hal_power_default sysfs_input:file rw_file_perms;
+
+# CPU devices
+allow hal_power_default sysfs_devices_system_cpu:dir search;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+
+# Lights
+allow hal_power_default sysfs_light:dir search;
+allow hal_power_default sysfs_light:file rw_file_perms;
+
+# Graphics
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file rw_file_perms;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
new file mode 100644
index 0000000..fcfd7ff
--- /dev/null
+++ b/sepolicy/hal_sensors_default.te
@@ -0,0 +1,4 @@
+# hal_sensors_default.te
+
+# cgroup tasks
+allow hal_sensors_default cgroup:file getattr;
diff --git a/sepolicy/hal_vibrator_7570.te b/sepolicy/hal_vibrator_7570.te
deleted file mode 100644
index 536b3b6..0000000
--- a/sepolicy/hal_vibrator_7570.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hal_vibrator_7570, domain, coredomain;
-hal_server_domain(hal_vibrator_7570, hal_vibrator)
-
-type hal_vibrator_7570_exec, exec_type, file_type;
-init_daemon_domain(hal_vibrator_7570)
-
-allow hal_vibrator_7570 sysfs:file rw_file_perms;
-allow hal_vibrator_7570 sysfs_vibrator:file rw_file_perms;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..3a997fe
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,8 @@
+allow hal_wifi_default efs_file:dir search;
+
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file r_file_perms;
+
+# allow hal_wifi_default wifi_data_file:file r_file_perms;
+
+allow hal_wifi_default sysfs_wifi:file write;
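Review bot: `allow hal_power_default sysfs:dir r_dir_perms;` and `allow hal_power_default sysfs:file r_file_perms;` at the top of the hal_power_default.te hunk grant read on every node that still carries the generic `sysfs` label, which is far wider than the stated purpose (`# Allow reading of sysfs nodes to find input devices`). If the HAL walks a known subtree to discover input devices, labeling that subtree in genfs_contexts (also touched by this patch) and granting read on that label instead keeps the generic-sysfs read out of the policy; if the walk really is unbounded, the comment should say so, e.g. `# Walks all of /sys/class/input — generic sysfs read is required (TODO confirm)`.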
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..5aa5870
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1,3 @@
+allow healthd rtc_device:chr_file rw_file_perms;
+
+allow healthd sysfs_usb_supply:file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index bbe3fad..79f9467 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,5 +1,97 @@
-allow init vendor_configs_file:file mounton;
-allow init vendor_overlay_file:dir mounton;
-allow init ram_device:blk_file write;
-allow init sysfs_zram:file { create_file_perms rw_file_perms };
-allow init sysfs_zram:dir rw_dir_perms;
+# Mount debugfs on /sys/kernel/debug.
+allow init debugfs:dir mounton;
+
+# Mount EFS on /efs
+allow init efs_file:dir mounton;
+
+# Mount CPEFS on /cpefs
+allow init sec_efs_file:dir mounton;
+
+# /dev/block/mmcblk0p[0-9]
+allow init emmcblk_device:blk_file rw_file_perms;
+
+allow init block_device:lnk_file setattr;
+allow init tmpfs:lnk_file create_file_perms;
+
+# /sys/class/power_supply/battery and /sys/class/android_usb/android0
+allow init sysfs_usb_supply:file { rw_file_perms setattr };
+
+# /data
+allow init sdcardd_exec:file r_file_perms;
+
+# sysfs iio:device[0-9]
+allow init sysfs:lnk_file setattr;
+
+# sysfs ion device
+allow init sysfs_ion:file setattr;
+
+# sysfs usb device
+allow init sysfs_android_usb:file setattr;
+
+# read/chown mDNIE symlinks
+allow init sysfs_mdnie:lnk_file { r_file_perms setattr };
+allow init sysfs_mdnie:file rw_file_perms;
+
+# read/chown camera firmware
+allow init sysfs_camera:file { relabelto setattr };
+allow init sysfs_camera:filesystem associate;
+
+# WiFi firmware permissions
+allow init sysfs_wifi:file setattr;
+
+# Input devices
+allow init sysfs_input:file { rw_file_perms setattr };
+
+# BT permissions
+allow init sysfs_bluetooth_writable:file setattr;
+
+# GPS permissions
+allow init sysfs_gps:lnk_file read;
+allow init sysfs_gps:file { rw_file_perms setattr };
+allow init gps_data_file:fifo_file write;
+allow init gps_data_file:file lock;
+allow init gps_device:chr_file { open read write };
+
+# CPU permissions
+allow init sysfs_devices_system_cpu:file rw_file_perms;
+
+# umts permissions
+allow init mif_device:chr_file rw_file_perms;
+
+# sswap permissions
+allow init sswap_device:blk_file write;
+allow init sysfs_sswap:file { open write };
+
+# Block device sysfs
+allow init sysfs_block:file rw_file_perms;
+
+# Audio Jack
+allow init sysfs_jack:file setattr;
+
+unix_socket_connect(init, property, rild)
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(init, proc_dt_firmware)
+
+allow init sysfs_mmc:file { w_file_perms setattr };
+allow init sysfs_net:file rw_file_perms;
+allow init sysfs_graphics:file { rw_file_perms setattr };
+allow init sysfs_light:file { rw_file_perms setattr };
+allow init sysfs_light:lnk_file { rw_file_perms setattr };
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_sec:file { rw_file_perms setattr };
+allow init sysfs_sec:lnk_file read;
+allow init sysfs_sensors:file { rw_file_perms setattr };
+allow init sysfs_sensors:lnk_file read;
+allow init sysfs_multipdp:file setattr;
+
+# Proc files
+allow init proc_reset_reason:file { rw_file_perms setattr };
+allow init proc_vm:file rw_file_perms;
+allow init proc_simslot_count:file rw_file_perms;
+allow init proc_sec:file { rw_file_perms setattr };
+
+# Sockets
+allow init socket_device:sock_file { read write getattr setattr create unlink };
+
+# allow init hal_drm_hwservice:hwservice_manager add;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 64d7f39..fda2282 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
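Review bot: `allow init sysfs_camera:filesystem associate;` under `# read/chown camera firmware` in the init.te hunk grants nothing useful: the `associate` permission is checked with the file's type as the source and the filesystem's type as the target, so the subject would have to be `sysfs_camera`, not the `init` process domain. The identical line appears in the ueventd.te hunk (`allow ueventd sysfs_camera:filesystem associate;`). If relabeling to `sysfs_camera` was being denied, the fix is an associate rule on the label itself (or making sure it carries `sysfs_type`, which the platform policy presumably already lets associate with sysfs); otherwise both lines can be dropped. Separately, the removed `vendor_overlay_file`, `ram_device` and `sysfs_zram` rules have no counterpart in the new policy, so if this device's init still sets up zram or mounts the vendor overlay those denials will return — worth checking the audit log before merging.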
@@ -1 +1,22 @@
-allow kernel vendor_file:file r_file_perms;
+allow kernel self:capability { chown mknod };
+
+# /dev/mbin0
+allow kernel emmcblk_device:blk_file r_file_perms;
+
+# /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
+allow kernel sysfs_devices_system_cpu:file setattr;
+
+# /efs contents
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
+
+# /efs/wifi/.mac.info
+r_dir_file(kernel, wifi_efs_file);
+
+# /data/misc/conn/.wifiver.info
+allow kernel wifi_data_file:file rw_file_perms;
+
+# Allow kernel to search tmpfs
+allow kernel tmpfs:dir search;
+
+allow kernel self:capability sys_module;
diff --git a/sepolicy/lpm.te b/sepolicy/lpm.te
deleted file mode 100644
index 87f2c8a..0000000
--- a/sepolicy/lpm.te
+++ /dev/null
@@ -1 +0,0 @@
-type lpm_exec, exec_type, file_type;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..14cdbdc
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,5 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/*
+r_dir_file(mediacodec, sysfs_v4l);
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..02b8f37
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,12 @@
+# /efs
+allow mediaserver efs_file:dir r_dir_perms;
+
+# /efs/wv.keys
+allow mediaserver efs_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow mediaserver camera_device:chr_file rw_file_perms;
+
+# Snap permissions
+allow mediaserver sensorservice_service:service_manager find;
+allow mediaserver system_server:unix_stream_socket rw_stream_socket_perms;
diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te
new file mode 100644
index 0000000..8f63890
--- /dev/null
+++ b/sepolicy/modemloader.te
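Review bot: The kernel.te hunk drops `allow kernel vendor_file:file r_file_perms;` while adding write rules for the kernel domain on persistent storage (`allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;`, `allow kernel wifi_data_file:file rw_file_perms;`) and a `self:capability sys_module` grant split from the `{ chown mknod }` grant on the first line, which could be one statement. If the kernel loads firmware from /vendor via request_firmware, the removed read is still needed unless the platform policy already supplies it — check the audit log. The kernel domain is shared by every kernel thread, so each rw rule deserves a comment naming the driver that performs the write, e.g. `# written by <driver — TODO confirm>`, not only the path.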
@@ -0,0 +1,10 @@
+#### modemloader
+#
+type modemloader, domain;
+type modemloader_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(modemloader)
+
+allow modemloader proc:file r_file_perms;
+
+set_prop(modemloader, modemloader_prop)
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..f8fcc02
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+# allow netd self:capability sys_module;
+# allow netd gpsd:fd use;
+# allow netd gpsd:udp_socket rw_socket_perms;
+# allow netd gpsd:tcp_socket rw_socket_perms;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..0fcbd1e
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,11 @@
+# CP-Boot Daemon
+type cpboot-daemon_prop, property_type;
+
+# modemloader
+type modemloader_prop, property_type;
+
+# mobicore (tee)
+type tee_prop, property_type;
+
+# sswap
+type sswap_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..7559794
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,22 @@
+# bluetooth
+persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
+ro.bluetooth.tty u:object_r:bluetooth_prop:s0
+wc_transport. u:object_r:bluetooth_prop:s0
+
+# modemloader
+hw.revision u:object_r:modemloader_prop:s0
+ro.cbd.dt_revision u:object_r:modemloader_prop:s0
+ril.cbd.dt_revision u:object_r:modemloader_prop:s0
+ro.modemloader.done u:object_r:modemloader_prop:s0
+
+# mobicore
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
+
+# sswap
+persist.sys.swapoff u:object_r:sswap_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..4a67b8a
--- /dev/null
+++ b/sepolicy/rild.te
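Review bot: The property_contexts hunk labels `persist.bluetooth_fw_ver`, `ro.bluetooth.tty` and `wc_transport.` with `bluetooth_prop` and the four `persist.ril.*` entries with `radio_prop`, both platform-defined property types rather than types declared in this tree's property.te hunk. Newer AOSP releases restrict a vendor property_contexts to types carrying `vendor_property_type`, so if this tree targets such a release these entries need device-defined types (declared next to `modemloader_prop` and friends) plus matching `set_prop` rules for the domains that write them. If the build accepts them as-is today, a comment such as `# platform property types used deliberately; revisit on next platform uprev` would save the next reviewer the same check. In the modemloader.te hunk on this line, the `#### modemloader` / `#` header carries no information and can be replaced with a one-line description of what the daemon does.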
@@ -0,0 +1,66 @@
+# rild.te
+
+allow rild block_device:dir search;
+allow rild mnt_vendor_file:dir { getattr search };
+
+# audio hal
+allow rild hal_audio_default:dir search;
+allow rild hal_audio_default:file r_file_perms;
+
+# gps
+allow rild gpsd:dir search;
+allow rild gpsd:file r_file_perms;
+
+# /data
+allow rild system_data_file:dir getattr;
+
+# /data/vendor/log
+allow rild log_vendor_data_file:dir rw_dir_perms;
+allow rild log_vendor_data_file:file create_file_perms;
+
+# /dev/block/platform/.+/by-name/radio
+allow rild radio_block_device:blk_file r_file_perms;
+
+# /dev/drb
+# allow rild drb_device:chr_file rw_file_perms;
+
+# /dev/umts_*
+# /dev/umts_ipc*
+# allow rild vendor_radio_device:chr_file rw_file_perms;
+
+# /data/vendor/secradio
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+
+# /efs/FactoryApp/
+# /mnt/vendor/efs/root
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file { rw_file_perms setattr };
+
+# /efs/imei
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/
+allow rild prov_efs_file:dir r_dir_perms;
+allow rild prov_efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/nv_data.bin
+allow rild bin_nv_data_efs_file:file { rw_file_perms setattr unlink };
+
+# /proc/net/xt_qtaguid/iface_stat_fmt
+allow rild proc_qtaguid_stat:file r_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+# mdc.
+# persist.sys.omc_support
+# ro.csc.
+get_prop(rild, exported_config_prop);
+
+# ro.boot.cpboot, ril.NwNmId[0-9]
+get_prop(rild, exported_radio_prop)
+
+# vendor.cbd.
+# set_prop(rild, vendor_cbd_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..566bde9
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
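Review bot: `allow rild proc_net:file rw_file_perms;` under `# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr` grants write to everything carrying the `proc_net` label, i.e. all of /proc/net and /proc/sys/net, for the sake of one sysctl. Labeling that sysctl path separately in genfs_contexts (part of this patch) and granting write on the new label would confine the write to what the comment describes. Minor: `get_prop(rild, exported_config_prop);` carries a trailing semicolon while `get_prop(rild, exported_radio_prop)` just below does not; pick one form, and the `# rild.te` first line only repeats the filename.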
diff --git a/sepolicy/sswap.te b/sepolicy/sswap.te
new file mode 100644
index 0000000..41fefb8
--- /dev/null
+++ b/sepolicy/sswap.te
@@ -0,0 +1,18 @@
+type sswap, domain;
+type sswap_exec, exec_type, file_type, vendor_file_type;
+type sswap_device, dev_type;
+
+init_daemon_domain(sswap);
+
+allow sswap sswap_device:blk_file rw_file_perms;
+allow sswap sysfs_sswap:file rw_file_perms;
+allow sswap sysfs_sswap:dir search;
+allow sswap block_device:dir search;
+allow sswap self:capability sys_admin;
+
+allow sswap proc_meminfo:file r_file_perms;
+
+allow sswap properties_device:dir r_dir_perms;
+r_dir_file(sswap, proc_stat);
+
+set_prop(sswap, sswap_prop)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..7d0f0a8
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,4 @@
+# HWC
+allow surfaceflinger secmem_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
+r_dir_file(surfaceflinger, sysfs_graphics)
\ No newline at end of file
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..4d74449
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,4 @@
+allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie:dir search;
+allow system_app sysfs_graphics:dir search;
+allow system_app wificond:binder call;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 31e6b13..17164bd 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
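Review bot: `allow sswap self:capability sys_admin;` in the sswap.te hunk is the widest grant in the file and has no comment; if it is there for swapon(2)/swapoff(2), say so with `# CAP_SYS_ADMIN: required by swapon/swapoff` so that nobody later tries to narrow it or copies it elsewhere without the justification. `allow sswap properties_device:dir r_dir_perms;` looks redundant with what the platform grants every domain for property reads, and `type sswap_device, dev_type;` would be easier to find next to the other device types in device.te (touched by this patch) than inside the daemon's own file. The `init_daemon_domain(sswap);` and `r_dir_file(sswap, proc_stat);` calls carry trailing semicolons that `set_prop(sswap, sswap_prop)` does not.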
@@ -1,2 +1,57 @@
-type boot_prop, property_type;
-set_prop(system_server, boot_prop);
+# /efs
+allow system_server efs_file:dir r_dir_perms;
+
+# /efs/gyro_cal_data
+allow system_server sensor_efs_file:file r_file_perms;
+
+# /data/system/gps/.gps.interface.pipe.*
+type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+allow system_server gps_data_file:fifo_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+
+# /data/system/gps/chip.info
+allow system_server gps_data_file:file r_file_perms;
+
+# /efs/prox_cal
+allow system_server efs_file:file r_file_perms;
+
+# /efs/FactoryApp
+allow system_server app_efs_file:dir r_dir_perms;
+allow system_server app_efs_file:file r_file_perms;
+
+# WifiMachine
+allow system_server self:capability sys_module;
+allow system_server wifi_efs_file:dir r_dir_perms;
+allow system_server wifi_efs_file:file r_file_perms;
+
+# mDNIE
+allow system_server sysfs_mdnie:lnk_file rw_file_perms;
+#allow system_server sysfs_mdnie:dir rw_dir_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+allow system_server sysfs_sensors:file rw_file_perms;
+
+# /data/system/gps/xtraee.bin
+allow system_server gps_data_file:file create_file_perms;
+
+# Bluetooth buildprop
+get_prop(system_server, bluetooth_prop)
+
+# Grpahics sysfs
+allow system_server sysfs_graphics:file rw_file_perms;
+
+# Input sysfs
+allow system_server sysfs_input:file rw_file_perms;
+
+allow system_server proc_input_devices:file
r_file_perms;
+
+# unix_socket_connect(system_server, property, gpsd)
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..381ccc5
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,9 @@
+# /efs
+allow tee { efs_file prov_efs_file }:dir r_dir_perms;
+allow tee { efs_file prov_efs_file }:file r_file_perms;
+
+# Allow mobicore to search apk data
+# allow tee apk_data_file:dir search;
+
+# sys.mobicore.enable
+set_prop(tee, tee_prop)
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..a252eb6
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,14 @@
+# /dev/block/mmcblk0p[0-9]
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink rw_file_perms };
+
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp:file rw_file_perms;
+
+# read/chown camera firmware
+allow ueventd sysfs_camera:file { relabelto rw_file_perms };
+allow ueventd sysfs_camera:filesystem associate;
+
+allow ueventd sysfs_usb_supply:file w_file_perms;
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(ueventd, proc_dt_firmware)
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..1f5142f
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt emmcblk_device:blk_file w_file_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..4da2966
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,8 @@
+# /efs
+allow vold efs_file:dir r_dir_perms;
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms };
+
+allow vold sysfs_mmc:file w_file_perms;
+r_dir_file(vold, proc_dt_firmware)
diff --git a/sepolicy/wifiloader.te b/sepolicy/wifiloader.te
new file mode 100644
index 0000000..eb2557f
--- /dev/null
+++ b/sepolicy/wifiloader.te
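Review bot: `allow system_server self:capability sys_module;` under `# WifiMachine` in the system_server.te hunk lets the core system process load kernel modules, a grant platform policy generally keeps to init and dedicated loaders, and which this same patch already provides through `wifiloader` (`allow wifiloader self:capability { chown sys_module };`). If the denial behind this rule is only system_server probing for the capability, `dontaudit system_server self:capability sys_module;` is the safer replacement; if it really loads a module, the comment should name it. The hunk's last line `+allow system_server proc_input_devices:file` is split from its `r_file_perms;` in this rendering; the two belong to one rule. Minor: `# Grpahics sysfs` should read `# Graphics sysfs`.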
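Review bot: The comment `# sys.mobicore.enable` above `set_prop(tee, tee_prop)` in the tee.te hunk does not match the property the property_contexts hunk actually labels `tee_prop`, which is `sys.mobicoredaemon.enable`; change the comment to `# sys.mobicoredaemon.enable` so the two files agree. The disabled `# allow tee apk_data_file:dir search;` should either be removed or carry the reason it is off, as with the other commented rules in this patch.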
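Review bot: `allow uncrypt emmcblk_device:blk_file w_file_perms;` in the uncrypt.te hunk gives uncrypt raw write access to every node carrying `emmcblk_device`, which per the comments elsewhere in this patch (`# /dev/block/mmcblk0p[0-9]` in init.te, ueventd.te and vold.te) is every eMMC partition. If uncrypt only needs the partition it writes the bootloader message to, labeling that partition individually in file_contexts (also touched here) and granting write on that label keeps raw write to the boot- and system-class partitions out of its reach; if the wide grant is intentional, a comment should say which partition is actually written, e.g. `# writes <partition — TODO confirm>; emmcblk_device covers all mmcblk0p* nodes`.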
@@ -0,0 +1,22 @@
+#### wifiloader
+#
+type wifiloader, domain;
+type wifiloader_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(wifiloader)
+unix_socket_connect(wifiloader, property, init)
+
+allow wifiloader proc:file r_file_perms;
+allow wifiloader sysfs_wlan_fwpath:file setattr;
+# allow wifiloader wifi_data_file:file rw_file_perms;
+set_prop(wifiloader, wifi_prop);
+
+# /efs
+allow wifiloader efs_file:dir search;
+
+# /efs/wifi
+allow wifiloader wifi_efs_file:dir search;
+allow wifiloader wifi_efs_file:file r_file_perms;
+
+# load .ko modules
+allow wifiloader self:capability { chown sys_module };
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..a6e244a
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+dontaudit zygote proc_cmdline:file r_file_perms;
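Review bot: `unix_socket_connect(wifiloader, property, init)` in the wifiloader.te hunk looks redundant: `set_prop(wifiloader, wifi_prop);` a few lines below presumably expands to the same property-socket connect rule, so one of the two can go (and that `set_prop` line carries a trailing semicolon the other macro calls in the file lack). `wifi_prop` is also a platform property type; on releases that limit vendor domains to vendor-declared property types this needs a device type declared in the property.te hunk. The `# load .ko modules` comment on `allow wifiloader self:capability { chown sys_module };` would be more useful naming where the modules come from, e.g. `# loads the wifi driver modules from <path — TODO confirm>`, since this is one of three `sys_module` grants in the patch (kernel.te and system_server.te are the others).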