update sepolicy
This commit is contained in:
Valera1978
parent
0f8b5622bf
commit
b4a746c5ee
25 changed files with 220 additions and 388 deletions
|
|
@ -213,10 +213,8 @@ VENDOR_SECURITY_PATCH := 2019-08-01
|
|||
SELINUX_IGNORE_NEVERALLOWS := true
|
||||
|
||||
# SELinux
|
||||
#include device/qcom/sepolicy/sepolicy.mk
|
||||
#BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy
|
||||
|
||||
include $(DEVICE_PATH)/sepolicy_tmp/sepolicy.mk
|
||||
include device/qcom/sepolicy/sepolicy.mk
|
||||
BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy
|
||||
|
||||
# Wifi
|
||||
BOARD_HAS_QCOM_WLAN := true
|
||||
|
|
|
|||
191
sepolicy/add.te
191
sepolicy/add.te
|
|
@ -1,2 +1,189 @@
|
|||
#============= sensors ==============
|
||||
allow sensors efs_file:dir search;
|
||||
#============= bluetooth ==============
|
||||
allow bluetooth init:binder { call transfer };
|
||||
|
||||
#============= cameraserver ==============
|
||||
allow cameraserver init:binder call;
|
||||
allow cameraserver init:unix_dgram_socket sendto;
|
||||
allow cameraserver sysfs:file { getattr open read };
|
||||
allow cameraserver vendor_camera_data_file:sock_file write;
|
||||
|
||||
#============= fsck ==============
|
||||
allow fsck block_device:blk_file { open read write };
|
||||
|
||||
#============= hal_fingerprint_default ==============
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir write;
|
||||
allow hal_fingerprint_default vendor_data_file:dir { add_name create open read remove_name rmdir write };
|
||||
allow hal_fingerprint_default vendor_data_file:file { create getattr open read rename unlink write };
|
||||
|
||||
#============= hal_gnss_qti ==============
|
||||
allow hal_gnss_qti init:binder { call transfer };
|
||||
allow hal_gnss_qti init:unix_dgram_socket sendto;
|
||||
allow hal_gnss_qti init:unix_stream_socket connectto;
|
||||
allow hal_gnss_qti netmgrd_socket:sock_file write;
|
||||
allow hal_gnss_qti self:netlink_generic_socket { bind create };
|
||||
allow hal_gnss_qti self:socket { create ioctl read write };
|
||||
allow hal_gnss_qti sysfs:file { open read };
|
||||
|
||||
#============= hal_graphics_composer_default ==============
|
||||
allow hal_graphics_composer_default init:binder call;
|
||||
|
||||
#============= hal_health_default ==============
|
||||
allow hal_health_default sysfs:file { getattr open read };
|
||||
|
||||
#============= hal_power_default ==============
|
||||
allow hal_power_default init:binder call;
|
||||
|
||||
#============= hal_sensors_default ==============
|
||||
allow hal_sensors_default persist_data_file:file { open read };
|
||||
allow hal_sensors_default sysfs:file { open read write getattr };
|
||||
|
||||
#============= hwservicemanager ==============
|
||||
allow hwservicemanager init:binder { call transfer };
|
||||
|
||||
#============= init ==============
|
||||
allow init audio_device:chr_file { ioctl open read write };
|
||||
allow init block_device:blk_file write;
|
||||
allow init bluetooth:binder call;
|
||||
allow init cameraserver:fd use;
|
||||
allow init debugfs_rmt_storage:file write;
|
||||
allow init device:chr_file { ioctl open read write };
|
||||
allow init dnsproxyd_socket:sock_file write;
|
||||
allow init dnsresolver_service:service_manager find;
|
||||
allow init graphics_device:chr_file { ioctl open read write };
|
||||
allow init hal_alarm_qti_hwservice:hwservice_manager { add find };
|
||||
allow init hal_bluetooth_hwservice:hwservice_manager { add find };
|
||||
allow init hal_display_color_hwservice:hwservice_manager add;
|
||||
allow init hal_display_postproc_hwservice:hwservice_manager add;
|
||||
allow init hal_drm_hwservice:hwservice_manager add;
|
||||
allow init hal_fm_hwservice:hwservice_manager find;
|
||||
allow init hal_iop_hwservice:hwservice_manager { add find };
|
||||
allow init hal_perf_hwservice:hwservice_manager add;
|
||||
allow init hal_tetheroffload_hwservice:hwservice_manager add;
|
||||
allow init hci_attach_dev:chr_file { ioctl open read write };
|
||||
allow init ion_device:chr_file { open read };
|
||||
allow init ipa_dev:chr_file { ioctl open read write };
|
||||
allow init ipa_vendor_data_file:file lock;
|
||||
allow init location_data_file:file { ioctl lock };
|
||||
allow init location_socket:sock_file write;
|
||||
allow init netd:binder call;
|
||||
allow init netd_service:service_manager find;
|
||||
allow init netutils_wrapper_exec:file { execute execute_no_trans getattr open read };
|
||||
allow init persist_data_file:dir mounton;
|
||||
allow init persist_data_file:file rename;
|
||||
allow init proc:file setattr;
|
||||
allow init qdsp_device:chr_file { ioctl open read };
|
||||
allow init rmnet_device:chr_file { open read write };
|
||||
allow init rtc_device:chr_file { ioctl open read };
|
||||
allow init self:binder { call transfer };
|
||||
allow init self:capability { net_bind_service sys_module };
|
||||
allow init self:capability2 block_suspend;
|
||||
allow init self:netlink_generic_socket { bind create read write };
|
||||
allow init self:netlink_kobject_uevent_socket { bind create getopt read setopt };
|
||||
allow init self:netlink_route_socket { bind create getattr getopt nlmsg_read read setopt write };
|
||||
allow init self:netlink_socket { setopt write };
|
||||
allow init self:netlink_xfrm_socket { bind create };
|
||||
allow init self:rawip_socket { create getopt setopt };
|
||||
allow init self:socket { bind connect create ioctl read write };
|
||||
allow init self:tcp_socket { read write };
|
||||
allow init self:udp_socket { ioctl read write };
|
||||
allow init sensors_device:chr_file { ioctl open read };
|
||||
allow init ssr_device:chr_file { open read };
|
||||
allow init sysfs:file { open read write };
|
||||
allow init sysfs_camera:file { open read write };
|
||||
allow init sysfs_graphics:file { open read };
|
||||
allow init sysfs_kgsl:file { open read };
|
||||
allow init sysfs_mpctl:file { open read write };
|
||||
allow init sysfs_thermal:file write;
|
||||
allow init sysfs_wake_lock:file { append open write };
|
||||
allow init system_file:file execute_no_trans;
|
||||
allow init system_net_netd_hwservice:hwservice_manager find;
|
||||
allow init system_suspend_hwservice:hwservice_manager find;
|
||||
allow init tee_device:chr_file { open read };
|
||||
allow init uio_device:chr_file { open read write };
|
||||
allow init vendor_bt_data_file:file append;
|
||||
allow init vendor_file:file execute_no_trans;
|
||||
allow init vendor_per_mgr_service:service_manager { add find };
|
||||
allow init video_device:chr_file { ioctl open read write };
|
||||
allow init vndbinder_device:chr_file { ioctl open read write };
|
||||
allow init vndservicemanager:binder { call transfer };
|
||||
|
||||
allow init hal_gnss_qti:unix_dgram_socket sendto;
|
||||
allow init hal_graphics_allocator_default:fd use;
|
||||
allow init rild:binder call;
|
||||
allow init rmnet_device:chr_file ioctl;
|
||||
allow init self:netlink_generic_socket { getattr setopt };
|
||||
allow init self:netlink_route_socket nlmsg_write;
|
||||
allow init self:udp_socket ioctl;
|
||||
allow init sysfs_net:file { open write };
|
||||
|
||||
allow init hal_gnss_qti:binder call;
|
||||
allow init self:udp_socket ioctl;
|
||||
|
||||
allow init fwmarkd_socket:sock_file write;
|
||||
allow init netd:unix_stream_socket connectto;
|
||||
allow init self:tcp_socket { getopt setopt };
|
||||
allow init self:udp_socket ioctl;
|
||||
allow init vendor_data_file:file { ioctl lock };
|
||||
|
||||
#============= netd ==============
|
||||
allow netd init:tcp_socket { getopt read setopt write };
|
||||
|
||||
#============= installd ==============
|
||||
allow installd device:file { open write };
|
||||
|
||||
#============= location ==============
|
||||
allow location init:unix_stream_socket { read write };
|
||||
allow location mnt_vendor_file:dir getattr;
|
||||
allow location persist_data_file:file { open read };
|
||||
allow location self:capability net_bind_service;
|
||||
allow location self:socket { bind create ioctl read write };
|
||||
allow location sysfs:file { open read };
|
||||
|
||||
#============= mediacodec ==============
|
||||
allow mediacodec init:binder call;
|
||||
|
||||
#============= netd ==============
|
||||
allow netd device:file { open write };
|
||||
|
||||
#============= rild ==============
|
||||
allow rild init:binder { call transfer };
|
||||
|
||||
#============= system_app ==============
|
||||
allow system_app apex_service:service_manager find;
|
||||
allow system_app proc_pagetypeinfo:file read;
|
||||
allow system_app system_suspend_control_service:service_manager find;
|
||||
|
||||
#============= system_server ==============
|
||||
allow system_server proc:file { getattr open read };
|
||||
|
||||
#============= ueventd ==============
|
||||
allow ueventd persist_data_file:dir search;
|
||||
|
||||
#============= vendor_init ==============
|
||||
allow vendor_init camera_data_file:dir { create setattr };
|
||||
allow vendor_init nfc_data_file:dir setattr;
|
||||
allow vendor_init system_data_file:dir { add_name create setattr write };
|
||||
|
||||
#============= vndservicemanager ==============
|
||||
allow vndservicemanager init:binder transfer;
|
||||
|
||||
#============= vold ==============
|
||||
allow vold hal_bootctl_hwservice:hwservice_manager find;
|
||||
allow vold persist_data_file:dir { ioctl open read };
|
||||
|
||||
#============= webview_zygote ==============
|
||||
allow webview_zygote app_data_file:dir getattr;
|
||||
|
||||
#============= cameraserver ==============
|
||||
allow cameraserver default_prop:property_service set;
|
||||
allow cameraserver vendor_data_file:sock_file write;
|
||||
|
||||
#============= hal_audio_default ==============
|
||||
allow hal_audio_default vendor_data_file:file { append getattr open read };
|
||||
|
||||
#============= hal_wifi_default ==============
|
||||
allow hal_wifi_default default_prop:property_service set;
|
||||
|
||||
#============= rild ==============
|
||||
allow rild vendor_data_file:dir { add_name open read remove_name write };
|
||||
allow rild vendor_data_file:file { create getattr ioctl lock open read unlink write };
|
||||
|
|
|
|||
123
sepolicy/add1.te
Executable file → Normal file
123
sepolicy/add1.te
Executable file → Normal file
|
|
@ -1,100 +1,23 @@
|
|||
#============= rfs_access ==============
|
||||
allow rfs_access self:capability dac_override;
|
||||
|
||||
#============= system_app ==============
|
||||
allow system_app proc_pagetypeinfo:file { getattr open read };
|
||||
|
||||
#============= atfwd ==============
|
||||
allow atfwd sysfs:file { open read };
|
||||
|
||||
#============= audioserver ==============
|
||||
allow audioserver vendor_data_file:dir { add_name write };
|
||||
allow audioserver vendor_data_file:file { getattr append create open read };
|
||||
|
||||
#============= cameraserver ==============
|
||||
allow cameraserver default_prop:property_service set;
|
||||
allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
|
||||
allow cameraserver sysfs:file { getattr open read };
|
||||
|
||||
#============= fsck ==============
|
||||
allow fsck block_device:blk_file { open read write };
|
||||
allow fsck mnt_vendor_file:dir getattr;
|
||||
allow fsck e2fsck_device:blk_file ioctl;
|
||||
|
||||
#============= hal_bluetooth_qti ==============
|
||||
allow hal_bluetooth_qti default_prop:property_service set;
|
||||
|
||||
#============= hal_fingerprint_default ==============
|
||||
allow hal_fingerprint_default fingerprintd_data_file:dir write;
|
||||
|
||||
#============= hal_gnss_qti ==============
|
||||
allow hal_gnss_qti sysfs:file { read open };
|
||||
|
||||
#============= hal_health_default ==============
|
||||
allow hal_health_default sysfs:file { getattr open read };
|
||||
|
||||
#============= hal_perf_default ==============
|
||||
allow hal_perf_default default_prop:property_service set;
|
||||
allow hal_perf_default self:capability dac_override;
|
||||
|
||||
#============= healthd ==============
|
||||
allow healthd sysfs:file { getattr open read };
|
||||
|
||||
#============= init ==============
|
||||
allow init hal_drm_hwservice:hwservice_manager add;
|
||||
allow init proc:file { open write };
|
||||
allow init sysfs:file { open setattr write };
|
||||
allow init sysfs_boot_adsp:file { open setattr };
|
||||
allow init sysfs_cpu_boost:file { open write };
|
||||
allow init sysfs_devices_system_cpu:file write;
|
||||
allow init sysfs_lowmemorykiller:file { open write };
|
||||
allow init sysfs_msm_perf:file setattr;
|
||||
allow init sysfs_msm_power:file { open write };
|
||||
allow init sysfs_poweron_alarm:file { open write };
|
||||
allow init sysfs_slpi:file open;
|
||||
allow init sysfs_thermal:file write;
|
||||
allow init vendor_file:file execute_no_trans;
|
||||
allow init sysfs_devfreq:file { open write };
|
||||
allow init vndbinder_device:chr_file read;
|
||||
allow init shell_exec:file execute_no_trans;
|
||||
allow init sysfs_ea:file setattr;
|
||||
allow init sysfs_camera:file setattr;
|
||||
allow init sysfs_lib:file setattr;
|
||||
allow init sysfs_sensors:lnk_file read;
|
||||
allow init sysfs_wlan_fwpath:file setattr;
|
||||
|
||||
#============= netmgrd ==============
|
||||
allow netmgrd sysfs:file { open read };
|
||||
|
||||
#============= mm-qcamerad ==============
|
||||
allow mm-qcamerad vendor_default_prop:property_service set;
|
||||
allow mm-qcamerad default_prop:property_service set;
|
||||
|
||||
#============= rild ==============
|
||||
allow rild system_prop:property_service set;
|
||||
|
||||
#============= sensors ==============
|
||||
allow sensors sysfs:file { open read };
|
||||
|
||||
#============= location ==============
|
||||
allow location sysfs:file { open read };
|
||||
|
||||
#============= system_server ==============
|
||||
allow system_server dalvikcache_data_file:file execute;
|
||||
allow system_server sensors_persist_file:dir search;
|
||||
allow system_server sensors_persist_file:file { open read };
|
||||
allow system_server vendor_camera_prop:file { getattr open read };
|
||||
|
||||
#============= tee ==============
|
||||
allow tee system_prop:property_service set;
|
||||
|
||||
#============= time_daemon ==============
|
||||
allow time_daemon sysfs:file { open read };
|
||||
allow time_daemon time_data_file:dir { add_name write };
|
||||
allow time_daemon time_data_file:file { create open read write };
|
||||
|
||||
#============= vold ==============
|
||||
allow vold mnt_vendor_file:dir { open read ioctl };
|
||||
|
||||
#============= webview_zygote ==============
|
||||
allow webview_zygote zygote:unix_dgram_socket write;
|
||||
#============= hal_dpmQmiMgr ==============
|
||||
allow hal_dpmQmiMgr sysfs:file { open read };
|
||||
|
||||
#============= hal_graphics_composer_default ==============
|
||||
allow hal_graphics_composer_default persist_data_file:dir search;
|
||||
|
||||
#============= hal_sensors_default ==============
|
||||
allow hal_sensors_default persist_data_file:dir search;
|
||||
|
||||
#============= hwservicemanager ==============
|
||||
allow hwservicemanager init:file open;
|
||||
allow hwservicemanager init:process getattr;
|
||||
|
||||
#============= init ==============
|
||||
allow init default_android_hwservice:hwservice_manager add;
|
||||
allow init netmgrd_socket:sock_file write;
|
||||
allow init self:netlink_tcpdiag_socket { bind create getopt setopt };
|
||||
allow init self:udp_socket ioctl;
|
||||
|
||||
#============= vndservicemanager ==============
|
||||
allow vndservicemanager init:dir search;
|
||||
allow vndservicemanager init:file { open read };
|
||||
allow vndservicemanager init:process getattr;
|
||||
|
|
|
|||
|
|
@ -1,50 +0,0 @@
|
|||
#============= cnd ==============
|
||||
allow cnd default_android_hwservice:hwservice_manager add;
|
||||
|
||||
#============= hal_rcsservice ==============
|
||||
allow hal_rcsservice sysfs:file { open read };
|
||||
|
||||
#============= ims ==============
|
||||
allow ims sysfs:file { open read };
|
||||
|
||||
#============= netmgrd ==============
|
||||
allow netmgrd default_prop:property_service set;
|
||||
allow netmgrd init:unix_stream_socket connectto;
|
||||
allow netmgrd property_socket:sock_file write;
|
||||
|
||||
#============= rmt_storage ==============
|
||||
allow rmt_storage debugfs:file { open write };
|
||||
|
||||
#============= shell ==============
|
||||
allow shell hal_telephony_hwservice:hwservice_manager add;
|
||||
allow shell hidl_base_hwservice:hwservice_manager add;
|
||||
allow shell kernel:system syslog_read;
|
||||
allow shell rild_exec:file execute_no_trans;
|
||||
allow shell self:socket getattr;
|
||||
allow shell sysfs:file { open read };
|
||||
allow shell vendor_per_mgr_service:service_manager find;
|
||||
|
||||
#============= hal_dpmQmiMgr ==============
|
||||
allow hal_dpmQmiMgr sysfs:file { open read };
|
||||
|
||||
#============= hal_imsrtp ==============
|
||||
allow hal_imsrtp sysfs:file { open read };
|
||||
|
||||
#============= init ==============
|
||||
allow init node:tcp_socket node_bind;
|
||||
allow init self:tcp_socket bind;
|
||||
allow init diag_device:chr_file { read write ioctl };
|
||||
|
||||
#============= sensors ==============
|
||||
allow sensors self:capability dac_override;
|
||||
|
||||
#============= thermal-engine ==============
|
||||
allow thermal-engine self:capability dac_override;
|
||||
|
||||
#============= qti_init_shell ==============
|
||||
allow qti_init_shell self:capability dac_override;
|
||||
allow qti_init_shell system_data_file:dir { add_name create write read open getattr setattr };
|
||||
allow qti_init_shell vendor_radio_data_file:dir { add_name create write read open getattr setattr };
|
||||
|
||||
#============= init ==============
|
||||
allow init sysfs:file read;
|
||||
|
|
@ -1,31 +0,0 @@
|
|||
#============= audioserver ==============
|
||||
allow audioserver vendor_audio_data_file:dir { add_name write };
|
||||
allow audioserver vendor_audio_data_file:file { append create open read getattr };
|
||||
|
||||
#============= shell ==============
|
||||
allow shell self:socket { read write ioctl create };
|
||||
allow shell sysfs:file getattr;
|
||||
allow shell vendor_radio_data_file:dir getattr;
|
||||
allow shell vendor_radio_prop:file { getattr open read };
|
||||
allow shell vndbinder_device:chr_file { ioctl open read write };
|
||||
allow shell vndservicemanager:binder call;
|
||||
allow shell vendor_per_mgr:binder { transfer call };
|
||||
allow shell radio_prop:property_service set;
|
||||
allow shell vendor_radio_prop:property_service set;
|
||||
|
||||
#============= vndservicemanager ==============
|
||||
allow vndservicemanager shell:dir search;
|
||||
allow vndservicemanager shell:file { open read };
|
||||
allow vndservicemanager shell:process getattr;
|
||||
allow vndservicemanager shell:binder transfer;
|
||||
|
||||
#============= hal_memtrack_default ==============
|
||||
allow hal_memtrack_default debugfs:file { getattr open read };
|
||||
|
||||
#============= tee ==============
|
||||
allow tee gatekeeper_data_file:dir { add_name open write };
|
||||
allow tee gatekeeper_data_file:file getattr;
|
||||
allow tee system_data_file:dir { open read };
|
||||
|
||||
#============= hal_gnss_qti ==============
|
||||
allow hal_gnss_qti qmuxd_socket:dir write;
|
||||
|
|
@ -1,16 +0,0 @@
|
|||
#============= qti_init_shell ==============
|
||||
allow qti_init_shell sysfs:file { setattr write };
|
||||
allow qti_init_shell sysfs_devfreq:file setattr;
|
||||
allow qti_init_shell sysfs_devices_system_cpu:file setattr;
|
||||
allow qti_init_shell sysfs_msm_power:file setattr;
|
||||
allow qti_init_shell vendor_radio_data_file:file { create read open write getattr setattr };
|
||||
allow qti_init_shell default_prop:property_service set;
|
||||
allow qti_init_shell kmsg_device:chr_file { open write };
|
||||
allow qti_init_shell system_prop:property_service set;
|
||||
|
||||
#============= hal_gnss_qti ==============
|
||||
allow hal_gnss_qti qmuxd_socket:dir { add_name remove_name };
|
||||
allow hal_gnss_qti qmuxd_socket:sock_file { create unlink };
|
||||
|
||||
#============= tee ==============
|
||||
allow tee gatekeeper_data_file:file { create write };
|
||||
|
|
@ -1,33 +0,0 @@
|
|||
#============= dataservice_app ==============
|
||||
allow dataservice_app default_android_hwservice:hwservice_manager find;
|
||||
|
||||
#============= hal_sensors_default ==============
|
||||
allow hal_sensors_default sysfs:file { open read };
|
||||
|
||||
#============= qti ==============
|
||||
allow qti sysfs:file { open read };
|
||||
|
||||
#============= surfaceflinger ==============
|
||||
allow surfaceflinger default_android_service:service_manager { add find };
|
||||
allow surfaceflinger hal_display_config_hwservice:hwservice_manager add;
|
||||
|
||||
#============= cnd ==============
|
||||
allow cnd sysfs:file { open read };
|
||||
|
||||
#============= hal_sensors_default ==============
|
||||
allow hal_sensors_default sysfs:file { getattr write };
|
||||
|
||||
#============= audioserver ==============
|
||||
allow audioserver vendor_audio_data_file:dir search;
|
||||
allow audioserver efs_file:dir search;
|
||||
|
||||
#============= qti_init_shell ==============
|
||||
allow qti_init_shell ctl_start_prop:property_service set;
|
||||
allow qti_init_shell ctl_stop_prop:property_service set;
|
||||
allow qti_init_shell vendor_radio_data_file:dir search;
|
||||
|
||||
#============= surfaceflinger ==============
|
||||
allow surfaceflinger sysfs_leds:dir search;
|
||||
allow surfaceflinger mnt_vendor_file:dir search;
|
||||
allow surfaceflinger display_vendor_data_file:dir search;
|
||||
allow surfaceflinger persist_display_file:dir search;
|
||||
|
|
@ -1,32 +0,0 @@
|
|||
#============= system_server ==============
|
||||
allow system_server mnt_vendor_file:dir search;
|
||||
|
||||
#============= crash_dump ==============
|
||||
allow crash_dump init:process ptrace;
|
||||
|
||||
#============= init ==============
|
||||
allow init vndbinder_device:chr_file { open read write ioctl };
|
||||
|
||||
#============= mm-qcamerad ==============
|
||||
allow mm-qcamerad sysfs_leds:dir search;
|
||||
|
||||
#============= priv_app ==============
|
||||
allow priv_app firmware_file:filesystem getattr;
|
||||
allow priv_app su_exec:file { open read };
|
||||
allow priv_app sysfs:file { open read };
|
||||
|
||||
#============= system_server ==============
|
||||
allow system_server thermal_service:service_manager find;
|
||||
allow system_server vfat:dir { open read };
|
||||
|
||||
#============= untrusted_app ==============
|
||||
allow untrusted_app proc_tty_drivers:file read;
|
||||
allow untrusted_app selinuxfs:file read;
|
||||
allow untrusted_app serialno_prop:file read;
|
||||
|
||||
#============= untrusted_app_27 ==============
|
||||
allow untrusted_app_27 proc:file read;
|
||||
allow untrusted_app_27 sysfs_net:dir search;
|
||||
|
||||
#============= hal_bluetooth_qti ==============
|
||||
allow hal_bluetooth_qti bluetooth_data_file:dir search;
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
#============= hal_bluetooth_qti ==============
|
||||
allow hal_bluetooth_qti bluetooth_data_file:dir { write add_name };
|
||||
allow hal_bluetooth_qti bluetooth_data_file:file { create open read write };
|
||||
|
||||
#============= init ==============
|
||||
allow init proc:file { read getattr };
|
||||
allow init rootfs:file execute_no_trans;
|
||||
allow init vendor_toolbox_exec:file execute_no_trans;
|
||||
allow init hal_lineage_touch_hwservice:hwservice_manager add;
|
||||
|
||||
#============= system_app ==============
|
||||
allow system_app perfprofd:binder call;
|
||||
allow system_app wificond:binder call;
|
||||
|
||||
#============= system_server ==============
|
||||
allow system_server init:binder call;
|
||||
|
||||
#============= hwservicemanager ==============
|
||||
allow hwservicemanager init:binder call;
|
||||
allow hwservicemanager init:file open;
|
||||
allow hwservicemanager init:process getattr;
|
||||
|
||||
#============= untrusted_app ==============
|
||||
allow untrusted_app selinuxfs:file open;
|
||||
|
||||
#============= untrusted_app_27 ==============
|
||||
allow untrusted_app_27 apk_data_file:file setattr;
|
||||
allow untrusted_app_27 proc:file open;
|
||||
allow untrusted_app_27 proc:file getattr;
|
||||
|
||||
#============= cameraserver ==============
|
||||
allow cameraserver sysfs_graphics:file read;
|
||||
|
||||
#============= mm-qcamerad ==============
|
||||
allow mm-qcamerad camera_data_file:dir write;
|
||||
|
||||
#============= system_app ==============
|
||||
allow system_app init:binder call;
|
||||
|
||||
#============= keystore ==============
|
||||
allow keystore vendor_tee_listener_prop:file { read open getattr };
|
||||
|
||||
#============= hal_fingerprint_default ==============
|
||||
allow hal_fingerprint_default vendor_data_file:dir { read write open add_name create remove_name rmdir };
|
||||
allow hal_fingerprint_default vendor_data_file:file { read write open create getattr rename unlink };
|
||||
|
||||
#============= tee ==============
|
||||
allow tee vendor_default_prop:property_service set;
|
||||
|
||||
#============= netutils_wrapper ==============
|
||||
allow netutils_wrapper netmgrd:socket { read write };
|
||||
|
||||
|
||||
#============= hal_lineage_touch_default ==============
|
||||
allow hal_lineage_touch_default sysfs:file read;
|
||||
|
||||
#============= system_server ==============
|
||||
allow system_server mnt_vendor_file:dir getattr;
|
||||
|
|
@ -1,5 +0,0 @@
|
|||
allow energyawareness sysfs_uio:dir { open read search };
|
||||
allow energyawareness sysfs_uio:lnk_file read;
|
||||
allow energyawareness sysfs_uio_file:dir search;
|
||||
allow energyawareness sysfs_uio_file:file { getattr open read };
|
||||
allow energyawareness sysfs:file { getattr open read };
|
||||
|
|
@ -5,5 +5,5 @@ type sysfs_mdnie, fs_type, sysfs_type;
|
|||
type biometrics_data_file, file_type, data_file_type;
|
||||
type dsp_file, fs_type, contextmount_type;
|
||||
type sysfs_sec, fs_type, sysfs_type;
|
||||
type sysfs_camera, fs_type, sysfs_type;
|
||||
#type sysfs_camera, fs_type, sysfs_type;
|
||||
type battery_efs_file, file_type;
|
||||
|
|
|
|||
|
|
@ -39,6 +39,11 @@
|
|||
/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
|
||||
/sys/devices/virtual/sec/sec_key/hall_irq_ctrl u:object_r:sysfs_sec:s0
|
||||
|
||||
/firmware(/.*)? u:object_r:vendor_firmware_file:s0
|
||||
/firmware-modem(/.*)? u:object_r:vendor_firmware_file:s0
|
||||
/bt_firmware(/.*)? u:object_r:vendor_firmware_file:s0
|
||||
/persist(/.*)? u:object_r:persist_data_file:s0
|
||||
|
||||
# HALs
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service\.widevine u:object_r:hal_drm_widevine_exec:s0
|
||||
|
|
|
|||
|
|
@ -1,5 +1,3 @@
|
|||
genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
|
||||
|
||||
genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
genfscon sysfs /devices/soc/75b5000.i2c/i2c-7/7-001d/power_supply u:object_r:sysfs_batteryinfo:s0
|
||||
|
|
|
|||
|
|
@ -3,4 +3,3 @@ allow hal_bluetooth_default bluetooth_data_file:dir { write add_name };
|
|||
allow hal_bluetooth_default firmware_file:dir search;
|
||||
allow hal_bluetooth_default firmware_file:file { getattr open read };
|
||||
allow hal_bluetooth_default sysfs:file write;
|
||||
allow hal_bluetooth_default wcnss_filter:unix_stream_socket connectto;
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
allow hal_bluetooth_qti efs_file:dir search;
|
||||
allow hal_bluetooth_qti sysfs:file write;
|
||||
|
|
@ -1,14 +0,0 @@
|
|||
allow mm-qcamerad camera_data_file:sock_file { create unlink };
|
||||
allow mm-qcamerad camera_data_file:dir search;
|
||||
|
||||
allow mm-qcamerad camera_socket:dir w_dir_perms;
|
||||
allow mm-qcamerad camera_socket:sock_file { create unlink write };
|
||||
|
||||
allow mm-qcamerad dsp_file:dir r_dir_perms;
|
||||
allow mm-qcamerad dsp_file:file r_file_perms;
|
||||
allow mm-qcamerad unlabeled:file { getattr open read };
|
||||
allow mm-qcamerad sysfs:file { getattr open read write };
|
||||
allow mm-qcamerad camera_data_file:sock_file { create unlink };
|
||||
allow mm-qcamerad system_prop:property_service set;
|
||||
allow mm-qcamerad sysfs_camera:dir search;
|
||||
allow mm-qcamerad sysfs_camera:file { getattr open read write };
|
||||
|
|
@ -1,3 +1,2 @@
|
|||
allow netmgrd self:capability dac_override;
|
||||
allow netmgrd unlabeled:file { getattr open read };
|
||||
allow netmgrd netd_socket:sock_file write;
|
||||
|
|
|
|||
|
|
@ -1,5 +1,4 @@
|
|||
persist.sys.timeadjust u:object_r:timekeep_prop:s0
|
||||
service.camera.hdmi_preview u:object_r:camera_prop:s0
|
||||
storage.efs_sync.done u:object_r:rmt_storage_prop:s0
|
||||
|
||||
ro.sys.oem.sno u:object_r:system_radio_prop:s0
|
||||
|
|
|
|||
|
|
@ -2,7 +2,4 @@ set_prop(system_app, timekeep_prop)
|
|||
|
||||
allow system_app sysfs_mdnie:file rw_file_perms;
|
||||
|
||||
allow system_app time_data_file:dir search;
|
||||
allow system_app time_data_file:file rw_file_perms;
|
||||
|
||||
allow system_app time_daemon:unix_stream_socket connectto;
|
||||
|
|
|
|||
|
|
@ -1,4 +0,0 @@
|
|||
allow tbaseLoader ion_device:chr_file { ioctl open read };
|
||||
allow tbaseLoader system_prop:property_service set;
|
||||
allow tbaseLoader init:unix_stream_socket connectto;
|
||||
allow tbaseLoader property_socket:sock_file write;
|
||||
|
|
@ -13,7 +13,4 @@ allow timekeep self:capability {
|
|||
dac_read_search
|
||||
};
|
||||
|
||||
allow timekeep time_data_file:file create_file_perms;
|
||||
allow timekeep time_data_file:dir create_dir_perms;
|
||||
|
||||
set_prop(timekeep, timekeep_prop)
|
||||
|
|
|
|||
|
|
@ -9,5 +9,4 @@ allow toolbox property_socket:sock_file write;
|
|||
allow toolbox sensors_prop:property_service set;
|
||||
allow toolbox radio_data_file:dir { add_name create getattr open read setattr write };
|
||||
allow toolbox self:capability dac_override;
|
||||
allow toolbox sensors_persist_file:dir getattr;
|
||||
allow toolbox proc:file { open read };
|
||||
|
|
|
|||
|
|
@ -1,2 +0,0 @@
|
|||
type firmware_file, file_type;
|
||||
type persist_file, file_type;
|
||||
|
|
@ -1,4 +0,0 @@
|
|||
/firmware(/.*)? u:object_r:firmware_file:s0
|
||||
/firmware-modem(/.*)? u:object_r:firmware_file:s0
|
||||
/bt_firmware(/.*)? u:object_r:firmware_file:s0
|
||||
/persist(/.*)? u:object_r:persist_file:s0
|
||||
|
|
@ -1,18 +0,0 @@
|
|||
#
|
||||
# Copyright (C) 2018 The LineageOS Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
#
|
||||
|
||||
BOARD_SEPOLICY_DIRS += \
|
||||
device/samsung/gts3llte/sepolicy_tmp/common
|
||||
Loading…
Reference in a new issue