diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te index 47c4bfb..3f7c671 100644 --- a/sepolicy/adsprpcd.te +++ b/sepolicy/adsprpcd.te @@ -1,4 +1,3 @@ -allow adsprpcd_file self:filesystem associate; allow adsprpcd mnt_vendor_file:dir create_dir_perms; allow adsprpcd mnt_vendor_file:file create_file_perms; diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te deleted file mode 100644 index fc6d999..0000000 --- a/sepolicy/audioserver.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow audioserver to create socket files for audio arbitration -allow audioserver audio_data_file:sock_file { create setattr unlink }; -allow audioserver audio_data_file:dir remove_name; diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te deleted file mode 100644 index b4fdbe3..0000000 --- a/sepolicy/cnd.te +++ /dev/null @@ -1,5 +0,0 @@ -# Allow cnd to access cnd_core_data_file -allow cnd cnd_core_data_file:file create_file_perms; -allow cnd cnd_core_data_file:sock_file { unlink create setattr }; - -allow cnd system_wpa_socket:sock_file unlink; diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te deleted file mode 100644 index dc7f9c0..0000000 --- a/sepolicy/dataservice_app.te +++ /dev/null @@ -1,5 +0,0 @@ -allow dataservice_app system_app_data_file:dir create_dir_perms; -allow dataservice_app system_app_data_file:{ file lnk_file } create_file_perms; - -# Allow dataservice_app to read files in cnd_core_data_file -r_dir_file(dataservice_app, cnd_core_data_file) diff --git a/sepolicy/device.te b/sepolicy/device.te index dc643ed..b1670ca 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -1,3 +1,13 @@ -type captouch_device, dev_type; -type sound_device, dev_type; -type sysmatdrv_device, dev_type; +type botablk_device, dev_type; +type debug_block_device, dev_type; +type dsp_block_device, dev_type; +type dun_device, dev_type; +type efsblk_device, dev_type; +type fp_sensor_device, dev_type; +type hiddenblk_device, dev_type; +type kgsl_device, dev_type; +type omr_block_device, dev_type; +type paramblk_device, dev_type; +type sec_efsblk_device, dev_type; +type steady_block_device, dev_type; +type tz_device, dev_type; diff --git a/sepolicy/domain.te b/sepolicy/domain.te deleted file mode 100644 index 0de160e..0000000 --- a/sepolicy/domain.te +++ /dev/null @@ -1,2 +0,0 @@ -# Silence /dev/stune logspam -dontaudit domain device:file w_file_perms; diff --git a/sepolicy/file.te b/sepolicy/file.te index ebd6fba..9e1db56 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -1,27 +1,53 @@ -type camera_socket, file_type, core_data_file_type, data_file_type; -type cnd_core_data_file, file_type, core_data_file_type, data_file_type; -type debugfs_rmt, debugfs_type, fs_type; -type firmware-modem_file, file_type, contextmount_type, vendor_file_type; -type fpc_data_file, core_data_file_type, data_file_type, file_type; +# data +type biometrics_vendor_data_file, data_file_type, file_type; +type vendor_audiopcm_data_file, data_file_type, file_type; +type vendor_convergence_data_file, data_file_type, file_type; +type vendor_gps_file, data_file_type, file_type; +type vendor_log_file, data_file_type, file_type; + +# efs +type app_efs_file, file_type, mlstrustedobject; +type battery_efs_file, file_type; +type bin_nv_data_efs_file, file_type; +type carrier_efs_file, file_type, mlstrustedobject; +type cpk_efs_file, file_type; +type drm_efs_file, file_type; +type dsms_efs_file, file_type; +type efs_gsm_file, file_type; +type gatekeeper_efs_file, file_type; +type imei_efs_file, file_type, mlstrustedobject; +type iss_efs_file, file_type; +type kpm_efs_file, file_type; +type mb_po_efs_file, file_type; +type nfc_efs_file, file_type; +type nv_core_efs_file, file_type; +type otadm_efs_file, file_type; +type pdp_efs_file, file_type; +type pfw_efs_file, file_type, mlstrustedobject; +type prov_efs_file, file_type; +type retailmode_efs_file, file_type, mlstrustedobject; +type sec_efs_file, file_type, mlstrustedobject; +type sec_poc_file, file_type, mlstrustedobject; +type snap_efs_file, file_type, mlstrustedobject; +type snapsec_efs_file, file_type; +type ssm_efs_file, file_type; +type tee_efs_file, file_type; +type vaultkeeper_efs_file, file_type; +type wifi_efs_file, file_type, mlstrustedobject; + +# proc +type proc_default_smp_affinity, fs_type, proc_type; +type proc_simslot_count, fs_type, proc_type; +type proc_swappiness, fs_type, proc_type; + +# rootfs type omr_file, file_type, mlstrustedobject; -type persist_qc_senseid_file, file_type; -type persist_usf_cal_file, file_type; -type proc_buttons, proc_type, fs_type; -type proc_touchpanel, proc_type, sysfs_type, fs_type; -type qfp-daemon_core_data_file, file_type, core_data_file_type, data_file_type; -type sysfs_cnss_common, sysfs_type, fs_type; -type sysfs_fpc, sysfs_type, fs_type; -type sysfs_fpc_keyevents, sysfs_type, fs_type; -type sysfs_fpc_wakeup, sysfs_type, fs_type; -type sysfs_fpc_proximity, sysfs_type, fs_type; -type sysfs_panel, sysfs_type, fs_type; + +# sysfs type sysfs_audio_writable, fs_type, sysfs_type; type sysfs_camera_writable, fs_type, sysfs_type; +type sysfs_fpc, fs_type, sysfs_type; type sysfs_lcd_writable, fs_type, sysfs_type; type sysfs_mdnie_writable, fs_type, sysfs_type; -type sysfs_sec_keypad, fs_type, sysfs_type; -type sysfs_sec_switch, fs_type, sysfs_type; type sysfs_tsp, fs_type, sysfs_type; type sysfs_wifi, fs_type, sysfs_type; -type thermal_data_file, core_data_file_type, data_file_type, file_type; - diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 7709777..2104c3b 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -1,65 +1,195 @@ -# Devices -/dev/captouch u:object_r:captouch_device:s0 -/dev/elliptic(.*)? u:object_r:sound_device:s0 -/dev/pn548 u:object_r:nfc_device:s0 -/dev/sysmatdrv u:object_r:sysmatdrv_device:s0 - -# Sys files -/sys/devices/soc/75b7000\.i2c/i2c-9/9-[0-9a-f]+/leds(/.*)? u:object_r:sysfs_leds:s0 -/sys/devices/soc/leds-qpnp-[0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0 - -/sys/devices/soc/75ba000\.i2c/i2c-12/12-[0-9a-f]+/panel_(color|vendor) u:object_r:sysfs_panel:s0 - -/sys/devices/soc/75ba000\.i2c/i2c-12/12-[0-9a-f]+/input/input[0-9]+/0dbutton u:object_r:proc_touchpanel:s0 - -/sys/devices/soc/75ba000\.i2c/i2c-12/12-[0-9a-f]+(/input/input[0-9]+)?/reversed_keys u:object_r:proc_touchpanel:s0 - -/sys/devices/soc/75ba000\.i2c/i2c-12/12-[0-9a-f]+/input/input[0-9]+/wake_gesture u:object_r:proc_touchpanel:s0 -/sys/devices/soc/75ba000\.i2c/i2c-12/12-[0-9a-f]+/wakeup_mode u:object_r:proc_touchpanel:s0 - -/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc:s0 -/sys/devices/soc/soc:fpc_fpc1020/enable_key_events u:object_r:sysfs_fpc_keyevents:s0 -/sys/devices/soc/soc:fpc_fpc1020/enable_wakeup u:object_r:sysfs_fpc_wakeup:s0 -/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0 - -/sys/module/cnss_common/parameters/bdwlan_file u:object_r:sysfs_cnss_common:s0 - -# Data files -/data/fpc(/.*)? u:object_r:fpc_data_file:s0 -/data/camera(/.*)? u:object_r:camera_socket:s0 -/data/connectivity(/.*)? u:object_r:cnd_core_data_file:s0 -/data/decrypt\.txt u:object_r:thermal_data_file:s0 -/data/misc/stargate(/.*)? u:object_r:qfp-daemon_core_data_file:s0 - -# Persist files -/(mnt/vendor)/persist/audio/us_cal u:object_r:persist_usf_cal_file:s0 -/(mnt/vendor)/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0 -/(mnt/vendor)/persist/PSensor3cm_ct\.txt u:object_r:sensors_persist_file:s0 -/(mnt/vendor)/persist/qc_senseid(/.*)? u:object_r:persist_qc_senseid_file:s0 - -# Root files -/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0 -/firmware(/.*)? u:object_r:firmware_file:s0 -/firmware-modem(/.*)? u:object_r:firmware-modem_file:s0 -/omr(/.*)? u:object_r:omr_file:s0 +# Block devices +/dev/block/platform/soc/624000\.sdhci/by-name/bota u:object_r:botablk_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/config u:object_r:frp_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/debug u:object_r:debug_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/dsp u:object_r:dsp_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/dtbo u:object_r:boot_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/efs u:object_r:efsblk_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/hidden u:object_r:hiddenblk_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/omr u:object_r:omr_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/param u:object_r:paramblk_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/persistent u:object_r:frp_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/sec_efs u:object_r:sec_efsblk_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/steady u:object_r:steady_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/vbmeta u:object_r:boot_block_device:s0 +/dev/block/platform/soc/624000\.sdhci/by-name/vendor u:object_r:system_block_device:s0 # Binaries -/system/bin/chargeonlymode u:object_r:charger_exec:s0 +/(vendor|system/vendor)/bin/hw/macloader u:object_r:macloader_exec:s0 +/(vendor|system/vendor)/bin/secril_config_svc u:object_r:secril_config_svc_exec:s0 +/(vendor|system/vendor)/dsp(/.*)? u:object_r:adsprpcd_file:s0 + +# Data files +/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0 +/data/vendor/conn(/.*)? u:object_r:vendor_convergence_data_file:s0 +/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/audiopcm(/.*)? u:object_r:vendor_audiopcm_data_file:s0 +/data/vendor/secradio(/.*)? u:object_r:vendor_radio_data_file:s0 + +# Devices +/dev/android_rndis_qc u:object_r:radio_device:s0 +/dev/cdma_.* u:object_r:radio_device:s0 +/dev/dbmdx-[0-9]+ u:object_r:audio_device:s0 +/dev/dun u:object_r:dun_device:s0 +/dev/esfp[0-9]+ u:object_r:fp_sensor_device:s0 +/dev/gsm_.* u:object_r:radio_device:s0 +/dev/link_pm u:object_r:radio_device:s0 +/dev/mdm u:object_r:radio_device:s0 +/dev/network_latency u:object_r:radio_device:s0 +/dev/network_throughput u:object_r:radio_device:s0 +/dev/nmea u:object_r:radio_device:s0 +/dev/qmi[0-9]* u:object_r:radio_device:s0 +/dev/tzic u:object_r:tz_device:s0 + +# EFS files +/efs/\.drm(/.*)? u:object_r:drm_efs_file:s0 +/efs/\.nv_core\.bak(.*) u:object_r:nv_core_efs_file:s0 +/efs/afc(/.*)? u:object_r:sec_efs_file:s0 +/efs/apn-changes\.xml u:object_r:sec_efs_file:s0 +/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 +/efs/bench(/.*)? u:object_r:sec_efs_file:s0 +/efs/biometrics(/.*)? u:object_r:sec_efs_file:s0 +/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/efs/calibration_data u:object_r:sec_efs_file:s0 +/efs/CamMotorSlideCnt u:object_r:app_efs_file:s0 +/efs/carrier(/.*)? u:object_r:carrier_efs_file:s0 +/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0 +/efs/DAK(/.*)? u:object_r:prov_efs_file:s0 +/efs/drm(/.*)? u:object_r:drm_efs_file:s0 +/efs/drx(/.*)? u:object_r:sec_efs_file:s0 +/efs/dsms(/.*)? u:object_r:dsms_efs_file:s0 +/efs/etc/poc(/.*)? u:object_r:sec_poc_file:s0 +/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0 +/efs/gatekeeper(/.*)? u:object_r:gatekeeper_efs_file:s0 +/efs/grip_cal_data u:object_r:sec_efs_file:s0 +/efs/gyro_cal_data u:object_r:sec_efs_file:s0 +/efs/hw_offset u:object_r:sec_efs_file:s0 +/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +/efs/ims_setting(/.*)? u:object_r:sec_efs_file:s0 +/efs/iss(/.*)? u:object_r:iss_efs_file:s0 +/efs/logguard(/.*)? u:object_r:iss_efs_file:s0 +/efs/lpm(/.*)? u:object_r:sec_efs_file:s0 +/efs/maxim(/.*)? u:object_r:sec_efs_file:s0 +/efs/mb_po(/.*)? u:object_r:mb_po_efs_file:s0 +/efs/mc(/.*)? u:object_r:prov_efs_file:s0 +/efs/misc(/.*)? u:object_r:sec_efs_file:s0 +/efs/nfc(/.*)? u:object_r:nfc_efs_file:s0 +/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0 +/efs/nv_fsm_data\.bin u:object_r:bin_nv_data_efs_file:s0 +/efs/nxp(/.*)? u:object_r:sec_efs_file:s0 +/efs/osc_trim u:object_r:sec_efs_file:s0 +/efs/otadm(/.*)? u:object_r:otadm_efs_file:s0 +/efs/otadm_sw_version u:object_r:otadm_efs_file:s0 +/efs/pdp_bkup(/.*)? u:object_r:pdp_efs_file:s0 +/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0 +/efs/prov(/.*)? u:object_r:prov_efs_file:s0 +/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 +/efs/prox_cal u:object_r:sec_efs_file:s0 +/efs/qualcomm(/.*)? u:object_r:sec_efs_file:s0 +/efs/recovery(/.*)? u:object_r:sec_efs_file:s0 +/efs/richtek(/.*)? u:object_r:sec_efs_file:s0 +/efs/root(/.*)? u:object_r:app_efs_file:s0 +/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0 +/efs/sec_efs/iss/.policy_config u:object_r:sec_efs_file:s0 +/efs/sec_efs/kpm(/.*)? u:object_r:kpm_efs_file:s0 +/efs/sec_efs/retailmode(/.*)? u:object_r:retailmode_efs_file:s0 +/efs/security(/.*)? u:object_r:prov_efs_file:s0 +/efs/sktdm_mem(/.*)? u:object_r:sec_efs_file:s0 +/efs/SlideCount u:object_r:app_efs_file:s0 +/efs/SMS(/.*)? u:object_r:sec_efs_file:s0 +/efs/snap(/.*)? u:object_r:snap_efs_file:s0 +/efs/snapsec(/.*)? u:object_r:snapsec_efs_file:s0 +/efs/ssm(/.*)? u:object_r:ssm_efs_file:s0 +/efs/tas25xx(/.*)? u:object_r:sec_efs_file:s0 +/efs/TEE(/.*)? u:object_r:prov_efs_file:s0 +/efs/tee(/.*)? u:object_r:tee_efs_file:s0 +/efs/usb_hw_param(/.*)? u:object_r:sec_efs_file:s0 +/efs/vk(/.*)? u:object_r:vaultkeeper_efs_file:s0 +/efs/vold(/.*)? u:object_r:sec_efs_file:s0 +/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 +/efs/wv\.keys u:object_r:sec_efs_file:s0 +/efs_gsm(/.*)? u:object_r:efs_gsm_file:s0 +/mnt/vendor/efs(/.*)? u:object_r:efs_file:s0 +/mnt/vendor/efs/\.drm(/.*)? u:object_r:drm_efs_file:s0 +/mnt/vendor/efs/\.nv_core\.bak(.*) u:object_r:nv_core_efs_file:s0 +/mnt/vendor/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 +/mnt/vendor/efs/bench(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/mnt/vendor/efs/calibration_data u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/carrier(/.*)? u:object_r:carrier_efs_file:s0 +/mnt/vendor/efs/cirrus(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0 +/mnt/vendor/efs/DAK(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/drm(/.*)? u:object_r:drm_efs_file:s0 +/mnt/vendor/efs/drx(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/etc/poc(/.*)? u:object_r:sec_poc_file:s0 +/mnt/vendor/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0 +/mnt/vendor/efs/grip_cal_data u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/gyro_cal_data u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/hw_offset u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +/mnt/vendor/efs/ims_setting(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/iss(/.*)? u:object_r:iss_efs_file:s0 +/mnt/vendor/efs/logguard(/.*)? u:object_r:iss_efs_file:s0 +/mnt/vendor/efs/maxim(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/mc(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/misc(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/nv_data\.bin(.*) u:object_r:bin_nv_data_efs_file:s0 +/mnt/vendor/efs/nv_fsm_data\.bin u:object_r:bin_nv_data_efs_file:s0 +/mnt/vendor/efs/nxp(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/osc_trim u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/otadm(/.*)? u:object_r:otadm_efs_file:s0 +/mnt/vendor/efs/otadm_sw_version u:object_r:otadm_efs_file:s0 +/mnt/vendor/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0 +/mnt/vendor/efs/pn-changes\.xml u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/prov(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/prox_cal u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/qualcomm(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/recovery(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/richtek(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/root(/.*)? u:object_r:app_efs_file:s0 +/mnt/vendor/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/sec_efs/iss/.policy_config u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/sec_efs/retailmode(/.*)? u:object_r:retailmode_efs_file:s0 +/mnt/vendor/efs/security(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/sktdm_mem(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/SlideCount u:object_r:app_efs_file:s0 +/mnt/vendor/efs/SMS(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/TEE(/.*)? u:object_r:prov_efs_file:s0 +/mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0 +/mnt/vendor/efs/usb_hw_param(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/vk(/.*)? u:object_r:vaultkeeper_efs_file:s0 +/mnt/vendor/efs/vold(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 +/mnt/vendor/efs/wv\.keys u:object_r:sec_efs_file:s0 # HALs -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service\.samsung u:object_r:hal_health_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.samsung u:object_r:hal_keymaster_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.1-service\.gts3l u:object_r:hal_usb_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-qcom u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.miscpower@1\.0-service u:object_r:hal_power_default_exec:s0 -/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0 - -# Shell scripts -/(vendor|system/vendor)/bin/init\.panel\.sh u:object_r:init_panel_exec:s0 -/(vendor|system/vendor)/bin/init\.tfa\.sh u:object_r:init_tfa_exec:s0 +# Rootfs +/firmware(/.*)? u:object_r:firmware_file:s0 +/omr(/.*)? u:object_r:omr_file:s0 +/persist(/.*)? u:object_r:persist_file:s0 +# Sys +/sys/class/camera(/.*)? -- u:object_r:sysfs_camera_writable:s0 +/sys/class/lcd(/.*)? -- u:object_r:sysfs_lcd_writable:s0 +/sys/class/power_supply(/.*)? -- u:object_r:sysfs_batteryinfo:s0 +/sys/class/power_supply/battery(/.*)? -- u:object_r:sysfs_batteryinfo:s0 +/sys/class/rfkill/rfkill[0-9]+/state -- u:object_r:sysfs_bluetooth_writable:s0 +/sys/class/rfkill/rfkill[0-9]+/type -- u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/platform/soc/soc:battery/power_supply(/.*)? -- u:object_r:sysfs_batteryinfo:s0 +/sys/devices/virtual/audio/earjack/state u:object_r:sysfs_audio_writable:s0 +/sys/devices/virtual/fingerprint/fingerprint(/.*)? u:object_r:sysfs_fpc:s0 +/sys/devices/virtual/lcd/panel(/.*)? u:object_r:sysfs_lcd_writable:s0 +/sys/devices/virtual/mdnie(/.*)? -- u:object_r:sysfs_mdnie_writable:s0 +/sys/devices/virtual/sec/tsp(/.*)? u:object_r:sysfs_tsp:s0 diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts index 72d3404..3083173 100644 --- a/sepolicy/genfs_contexts +++ b/sepolicy/genfs_contexts @@ -1,17 +1,23 @@ -genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0 +genfscon proc /irq/default_smp_affinity u:object_r:proc_default_smp_affinity:s0 +genfscon proc /memsize u:object_r:proc_meminfo:s0 +genfscon proc /schedstat u:object_r:proc_sched:s0 +genfscon proc /simslot_count u:object_r:proc_simslot_count:s0 +genfscon proc /sys/kernel/sched_boost u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_cstate_aware u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_downmigrate u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_group_downmigrate u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_group_upmigrate u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_initial_task_util u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_sync_hint_enable u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_upmigrate u:object_r:proc_sched:s0 +genfscon proc /sys/kernel/sched_walt_rotate_big_tasks u:object_r:proc_sched:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 -genfscon proc /buttons u:object_r:proc_buttons:s0 -genfscon proc /touchpanel u:object_r:proc_touchpanel:s0 - -genfscon sysfs /devices/soc/6a00000.ssusb/6a00000.dwc3/gadget/lun0/ u:object_r:sysfs_android_usb:s0 -genfscon sysfs /devices/soc/6a00000.ssusb/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/70000.qcom,msm-core/uio/uio1 u:object_r:sysfs_uio_file:s0 -genfscon sysfs /devices/soc/70000.qcom,msm-thermal/uio/uio2 u:object_r:sysfs_uio_file:s0 -genfscon sysfs /devices/soc/75b5000.i2c/i2c-7/7-001d/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/msm-bcl-19/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/msm-bcl-21/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/qpnp-fg-22/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/qpnp-fg-24/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/qpnp-smbcharger-21/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/qpnp-smbcharger-23/power_supply u:object_r:sysfs_batteryinfo:s0 -genfscon sysfs /devices/soc/soc:qcom,bcl/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/soc/qpnp-smbcharger-[a-z0-9]+/power_supply/dc(/.*)? u:object_r:sysfs_battery_supply:s0 +genfscon sysfs /devices/soc/qpnp-smbcharger-[a-z0-9]+/power_supply/battery(/.*)? u:object_r:sysfs_battery_supply:s0 +genfscon sysfs /devices/virtual/lcd/panel u:object_r:sysfs_lcd_writable:s0 +genfscon sysfs /devices/virtual/sensors/ssc_core/ssc_hw_rev u:object_r:sysfs_sensors:s0 +genfscon sysfs /power/cpufreq_max_limit u:object_r:sysfs_power:s0 +genfscon sysfs /power/cpufreq_min_limit u:object_r:sysfs_power:s0 +genfscon sysfs /power/cpufreq_table u:object_r:sysfs_power:s0 +genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te index 213d126..13532c3 100644 --- a/sepolicy/hal_audio_default.te +++ b/sepolicy/hal_audio_default.te @@ -1 +1,13 @@ -r_dir_file(hal_audio_default, persist_usf_cal_file) +allow hal_audio_default hal_bluetooth_a2dp_hwservice:hwservice_manager { add find }; + +allow hal_audio_default sysfs_audio_writable:file r_file_perms; + +allow hal_audio_default sec_efs_file:dir create_dir_perms; +allow hal_audio_default sec_efs_file:file create_file_perms; + +allow hal_audio_default vendor_audio_data_file:dir create_dir_perms; + +allow hal_audio_default vendor_audiopcm_data_file:dir create_dir_perms; +allow hal_audio_default vendor_audiopcm_data_file:file create_file_perms; + +allow hal_audio_default vendor_log_file:dir r_dir_perms; diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te deleted file mode 100644 index 1855fa5..0000000 --- a/sepolicy/hal_bluetooth_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms; -allow hal_bluetooth_default bluetooth_data_file:file create_file_perms; diff --git a/sepolicy/hal_bluetooth_qti.te b/sepolicy/hal_bluetooth_qti.te new file mode 100644 index 0000000..713f1c9 --- /dev/null +++ b/sepolicy/hal_bluetooth_qti.te @@ -0,0 +1,10 @@ +allow hal_bluetooth_qti efs_file:dir r_dir_perms; + +allow hal_bluetooth_qti bluetooth_efs_file:dir rw_dir_perms; +allow hal_bluetooth_qti bluetooth_efs_file:file create_file_perms; + +allow hal_bluetooth_qti diag_device:chr_file rw_file_perms; + +r_dir_file(hal_bluetooth_qti, vendor_convergence_data_file) + +get_prop(hal_bluetooth_qti, vendor_factory_prop) diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te index 115e23b..d9f6739 100644 --- a/sepolicy/hal_camera_default.te +++ b/sepolicy/hal_camera_default.te @@ -1 +1,14 @@ -allow hal_camera_default camera_data_file:sock_file write; +allow hal_camera_default app_efs_file:dir rw_dir_perms; +allow hal_camera_default app_efs_file:file rw_file_perms; + +allow hal_camera_default sysfs_camera_writable:dir r_dir_perms; +allow hal_camera_default sysfs_camera_writable:file rw_file_perms; + +allow hal_camera_default sysfs_sensors:file r_file_perms; + +r_dir_file(hal_camera_default, efs_file) +r_dir_file(hal_camera_default, sec_poc_file) + +get_prop(hal_camera_default, graphics_vulkan_prop) +get_prop(hal_camera_default, vendor_factory_prop) +set_prop(hal_camera_default, sec_camera_prop) diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te deleted file mode 100644 index 27d340a..0000000 --- a/sepolicy/hal_drm_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_drm_default media_data_file:dir create_dir_perms; -allow hal_drm_default media_data_file:file create_file_perms; diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te deleted file mode 100644 index 52adb5d..0000000 --- a/sepolicy/hal_drm_widevine.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_drm_widevine media_data_file:dir create_dir_perms; -allow hal_drm_widevine media_data_file:file create_file_perms; diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te index e5007b2..5f290f6 100644 --- a/sepolicy/hal_fingerprint_default.te +++ b/sepolicy/hal_fingerprint_default.te @@ -1,21 +1,21 @@ -binder_call(hal_fingerprint_default, qfp-daemon) -binder_use(hal_fingerprint_default) - -# Allow hal_fingerprint_default to open firmware images -r_dir_file(hal_fingerprint_default, firmware_file) - -allow hal_fingerprint_default iqfp_service:service_manager find; - -allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; -allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms; -allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms; -allow hal_fingerprint_default fpc_data_file:file create_file_perms; -allow hal_fingerprint_default fpc_data_file:sock_file { create unlink }; -allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms; -allow hal_fingerprint_default sysfs_fpc:file rw_file_perms; -allow hal_fingerprint_default sysmatdrv_device:chr_file w_file_perms; +allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms; allow hal_fingerprint_default tee_device:chr_file rw_file_perms; -allow hal_fingerprint_default uhid_device:chr_file rw_file_perms; -# Ignore all logging requests -dontaudit hal_fingerprint_default storage_file:dir search; +allow hal_fingerprint_default firmware_file:file r_file_perms; + +allow hal_fingerprint_default efs_file:file r_file_perms; + +allow hal_fingerprint_default sec_poc_file:file r_file_perms; + +allow hal_fingerprint_default sec_efs_file:dir create_dir_perms; +allow hal_fingerprint_default sec_efs_file:file create_file_perms; + +allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms; +allow hal_fingerprint_default sysfs_fpc:file r_file_perms; +allow hal_fingerprint_default sysfs_fpc:lnk_file r_file_perms; + +allow hal_fingerprint_default biometrics_vendor_data_file:dir create_dir_perms; +allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms; + +allow hal_fingerprint_default vendor_data_file:dir create_dir_perms; +allow hal_fingerprint_default vendor_data_file:file create_file_perms; diff --git a/sepolicy/hal_gatekeeper_default.te b/sepolicy/hal_gatekeeper_default.te new file mode 100644 index 0000000..0ca7bf2 --- /dev/null +++ b/sepolicy/hal_gatekeeper_default.te @@ -0,0 +1,12 @@ +allow hal_gatekeeper_default tz_device:chr_file rw_file_perms; + +allow hal_gatekeeper_default efs_file:dir search; + +allow hal_gatekeeper_default sec_poc_file:dir search; + +allow hal_gatekeeper_default prov_efs_file:dir create_dir_perms; +allow hal_gatekeeper_default prov_efs_file:file create_file_perms; + +get_prop(hal_gatekeeper_default, tzdaemon_prop) +get_prop(hal_gatekeeper_default, vendor_tztsdaemon_prop) +set_prop(hal_gatekeeper_default, dumpstate_options_prop) \ No newline at end of file diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te new file mode 100644 index 0000000..db6acc3 --- /dev/null +++ b/sepolicy/hal_gnss_qti.te @@ -0,0 +1,9 @@ +binder_call(hal_gnss_qti, hal_gnss_default) + +allow hal_gnss_qti location_data_file:dir rw_dir_perms; +allow hal_gnss_qti location_data_file:file rw_file_perms; + +allow hal_gnss_qti vendor_data_file:dir rw_dir_perms; + +allow hal_gnss_qti vendor_gps_file:dir rw_dir_perms; +allow hal_gnss_qti vendor_gps_file:file create_file_perms; diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te new file mode 100644 index 0000000..99a4436 --- /dev/null +++ b/sepolicy/hal_health_default.te @@ -0,0 +1,5 @@ +allow hal_health_default mnt_vendor_file:dir search; + +r_dir_file(hal_health_default, app_efs_file) +r_dir_file(hal_health_default, efs_file) +r_dir_file(hal_health_default, battery_efs_file) diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te new file mode 100644 index 0000000..716c21e --- /dev/null +++ b/sepolicy/hal_keymaster_default.te @@ -0,0 +1,23 @@ +allow hal_keymaster_default mnt_vendor_file:dir r_dir_perms; + +allow hal_keymaster_default firmware_file:file r_file_perms; + +allow hal_keymaster_default efs_file:dir r_dir_perms; +allow hal_keymaster_default efs_file:file r_file_perms; +allow hal_keymaster_default efs_file:lnk_file r_file_perms; + +allow hal_keymaster_default prov_efs_file:dir create_dir_perms; +allow hal_keymaster_default prov_efs_file:file create_file_perms; + +allow hal_keymaster_default sec_poc_file:dir r_dir_perms; +allow hal_keymaster_default sec_poc_file:file r_file_perms; +allow hal_keymaster_default sec_poc_file:lnk_file r_file_perms; + +allow hal_keymaster_default tee_device:chr_file rw_file_perms; +allow hal_keymaster_default tz_device:chr_file rw_file_perms; + +get_prop(hal_keymaster_default, compact_dump_prop) +get_prop(hal_keymaster_default, tzdaemon_prop) +get_prop(hal_keymaster_default, vendor_tztsdaemon_prop) +set_prop(hal_keymaster_default, ctl_start_prop) +set_prop(hal_keymaster_default, dumpstate_options_prop) diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te new file mode 100644 index 0000000..81b46d6 --- /dev/null +++ b/sepolicy/hal_lineage_livedisplay_sysfs.te @@ -0,0 +1,8 @@ +allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms; +allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms; + +allow hal_lineage_livedisplay_sysfs sysfs_lcd_writable:dir search; +allow hal_lineage_livedisplay_sysfs sysfs_lcd_writable:file rw_file_perms; + +allow hal_lineage_livedisplay_sysfs sysfs_mdnie_writable:dir search; +allow hal_lineage_livedisplay_sysfs sysfs_mdnie_writable:file rw_file_perms; diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te deleted file mode 100644 index 2782309..0000000 --- a/sepolicy/hal_lineage_touch_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_lineage_touch_default proc_touchpanel:dir search; -allow hal_lineage_touch_default proc_touchpanel:file rw_file_perms; diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te index 115df51..c333929 100644 --- a/sepolicy/hal_perf_default.te +++ b/sepolicy/hal_perf_default.te @@ -1 +1,5 @@ -dontaudit hal_perf_default self:capability { dac_override dac_read_search }; +allow hal_perf_default self:capability kill; + +allow hal_perf_default proc_sched:file rw_file_perms; + +get_prop(hal_perf_default, sec_camera_prop) diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te index 31c8814..3fd57fa 100644 --- a/sepolicy/hal_power_default.te +++ b/sepolicy/hal_power_default.te @@ -1,11 +1,9 @@ add_hwservice(hal_power_default, hal_miscpower_hwservice) -# Allow writing to files in /proc/touchpanel -allow hal_power_default proc_touchpanel:dir search; -allow hal_power_default proc_touchpanel:file rw_file_perms; - allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; + allow hal_power_default sysfs_batteryinfo:dir r_dir_perms; allow hal_power_default sysfs_batteryinfo:file rw_file_perms; + allow hal_power_default sysfs_tsp:dir r_dir_perms; allow hal_power_default sysfs_tsp:file rw_file_perms; diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te index 5e0dea4..3a1995b 100644 --- a/sepolicy/hal_sensors_default.te +++ b/sepolicy/hal_sensors_default.te @@ -1,6 +1,20 @@ -allow hal_sensors_default audioserver:binder { call transfer }; -allow hal_sensors_default audioserver_service:service_manager find; +allow hal_sensors_default input_device:dir r_dir_perms; +allow hal_sensors_default input_device:chr_file rw_file_perms; -allow hal_sensors_default sound_device:chr_file rw_file_perms; +allow hal_sensors_default sysfs_sensors:dir r_dir_perms; +allow hal_sensors_default sysfs_sensors:file rw_file_perms; -binder_use(hal_sensors_default) +allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms; +allow hal_sensors_default mnt_vendor_file:file create_file_perms; + +allow hal_sensors_default app_efs_file:dir create_dir_perms; +allow hal_sensors_default app_efs_file:file create_file_perms; + +allow hal_sensors_default sec_poc_file:dir r_dir_perms; + +r_dir_file(hal_sensors_default, efs_file) +r_dir_file(hal_sensors_default, sec_poc_file) + +userdebug_or_eng(` + get_prop(hal_sensors_default, sensors_dbg_prop) +') diff --git a/sepolicy/hal_usb_default.te b/sepolicy/hal_usb_default.te new file mode 100644 index 0000000..ecae48f --- /dev/null +++ b/sepolicy/hal_usb_default.te @@ -0,0 +1 @@ +allow hal_usb_default sysfs_usb:file rw_file_perms; diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te new file mode 100644 index 0000000..f840745 --- /dev/null +++ b/sepolicy/healthd.te @@ -0,0 +1,11 @@ +allow healthd app_efs_file:dir rw_file_perms; +allow healthd app_efs_file:file create_file_perms; + +allow healthd battery_efs_file:dir create_dir_perms; +allow healthd battery_efs_file:file create_file_perms; + +allow healthd sysfs_battery_supply:file w_file_perms; +allow healthd sysfs_batteryinfo:file w_file_perms; + +r_dir_file(healthd, efs_file) +r_dir_file(healthd, sec_poc_file) diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te deleted file mode 100644 index 7682376..0000000 --- a/sepolicy/hvdcp.te +++ /dev/null @@ -1,4 +0,0 @@ -dontaudit hvdcp self:capability dac_override; - -allow hvdcp sysfs_batteryinfo:dir search; -allow hvdcp sysfs_batteryinfo:file rw_file_perms; diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts index cd1465b..f6a3f09 100644 --- a/sepolicy/hwservice_contexts +++ b/sepolicy/hwservice_contexts @@ -2,7 +2,7 @@ vendor.samsung.hardware.bluetooth.a2dp::ISecBluetoothAudioOffload vendor.samsung.hardware.bluetooth.a2dpsink::ISecBluetoothA2dpSinkProvidersFactory u:object_r:hal_bluetooth_a2dp_hwservice:s0 vendor.samsung.hardware.bluetooth.audio::ISecBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0 vendor.samsung.hardware.bluetooth::ISecBluetooth u:object_r:hal_bluetooth_hwservice:s0 -vendor.samsung.hardware.exthealth::IExtHealth u:object_r:hal_health_hwservice:s0 +vendor.samsung.hardware.camera.provider::ISecCameraProvider u:object_r:hal_camera_hwservice:s0 vendor.samsung.hardware.gnss::ISecGnss u:object_r:hal_gnss_hwservice:s0 vendor.samsung.hardware.health::ISecHealth u:object_r:hal_health_hwservice:s0 vendor.samsung.hardware.miscpower::ISecMiscPower u:object_r:hal_miscpower_hwservice:s0 diff --git a/sepolicy/init.te b/sepolicy/init.te index d68e66e..6a2e001 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -1,3 +1,5 @@ -; -allow init adsprpcd_file:filesystem { mount relabelfrom relabelto }; -allow init debugfs:file write; +allow init efs_file:dir mounton; +allow init omr_file:dir mounton; +allow init vendor_firmware_file:file mounton; + +allow init socket_device:sock_file create; diff --git a/sepolicy/init_panel.te b/sepolicy/init_panel.te deleted file mode 100644 index a6fd5b9..0000000 --- a/sepolicy/init_panel.te +++ /dev/null @@ -1,15 +0,0 @@ -type init_panel, domain; -type init_panel_exec, exec_type, vendor_file_type, file_type; - -# Allow for transition from init domain to init_panel -init_daemon_domain(init_panel) - -# Allow to read panel color and vendor sysfs -allow init_panel sysfs_panel:file r_file_perms; - -# Shell script needs to execute /vendor/bin/sh -allow init_panel vendor_shell_exec:file rx_file_perms; -allow init_panel vendor_toolbox_exec:file rx_file_perms; - -# Set panel property -set_prop(init_panel, system_panel_prop) diff --git a/sepolicy/init_tfa.te b/sepolicy/init_tfa.te deleted file mode 100644 index ddfc547..0000000 --- a/sepolicy/init_tfa.te +++ /dev/null @@ -1,16 +0,0 @@ -type init_tfa, domain; -type init_tfa_exec, exec_type, vendor_file_type, file_type; - -# Allow for transition from init domain to init_tfa -init_daemon_domain(init_tfa) - -# Allow read and write to sound card device -allow init_tfa audio_device:chr_file rw_file_perms; -allow init_tfa audio_device:dir search; - -# Allow executing tinyplay -allow init_tfa system_file:file execute_no_trans; - -# Shell script needs to execute /vendor/bin/sh -allow init_tfa vendor_shell_exec:file rx_file_perms; -allow init_tfa vendor_toolbox_exec:file rx_file_perms; diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te new file mode 100644 index 0000000..2e77581 --- /dev/null +++ b/sepolicy/kernel.te @@ -0,0 +1,3 @@ +allow kernel block_device:dir search; + +allow kernel debug_block_device:blk_file rw_file_perms; diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te new file mode 100644 index 0000000..8720438 --- /dev/null +++ b/sepolicy/macloader.te @@ -0,0 +1,37 @@ +type macloader, domain; +type macloader_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(macloader) + +allow macloader self:capability { chown fowner fsetid net_admin net_raw sys_module }; + +allow macloader self:udp_socket { ioctl create }; +allowxperm macloader self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS }; + +allow macloader efs_file:dir search; +allow macloader mnt_vendor_file:dir r_dir_perms; +allow macloader sec_poc_file:dir search; + +allow macloader wifi_efs_file:dir create_dir_perms; +allow macloader wifi_efs_file:file create_file_perms; + +allow macloader vendor_convergence_data_file:dir create_dir_perms; +allow macloader vendor_convergence_data_file:file create_file_perms; + +allow macloader kernel:key search; +allow macloader kernel:system module_request; + +allow macloader kmsg_device:chr_file rw_file_perms; + +allow macloader system_file:system module_load; + +allow macloader vendor_shell_exec:file rx_file_perms; + +allow macloader sysfs:file { read write open getattr }; +allow macloader sysfs_net:dir r_dir_perms; +allow macloader sysfs_wlan_fwpath:file w_file_perms; + +allow macloader sysfs_wifi:dir r_dir_perms; +allow macloader sysfs_wifi:file rw_file_perms; + +get_prop(macloader, sec_cnss_diag_prop) diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te deleted file mode 100644 index ba7d8be..0000000 --- a/sepolicy/mediaserver.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow mediaserver to create socket files for audio arbitration -allow mediaserver audio_data_file:sock_file { create setattr unlink }; -allow mediaserver audio_data_file:dir remove_name; diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te deleted file mode 100644 index 5a7f786..0000000 --- a/sepolicy/mm-qcamerad.te +++ /dev/null @@ -1,5 +0,0 @@ -allow mm-qcamerad camera_data_file:sock_file { create unlink }; -allow mm-qcamerad camera_data_file:dir search; - -allow mm-qcamerad camera_socket:dir w_dir_perms; -allow mm-qcamerad camera_socket:sock_file { create unlink write }; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te deleted file mode 100644 index 6b36af4..0000000 --- a/sepolicy/netmgrd.te +++ /dev/null @@ -1 +0,0 @@ -set_prop(netmgrd, vendor_xlat_prop) diff --git a/sepolicy/per_proxy_helper.te b/sepolicy/per_proxy_helper.te new file mode 100644 index 0000000..53869fb --- /dev/null +++ b/sepolicy/per_proxy_helper.te @@ -0,0 +1,8 @@ +type per_proxy_helper, domain; +type per_proxy_helper_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(per_proxy_helper) + +allow per_proxy_helper firmware_file:file r_file_perms; + +allow per_proxy_helper ssr_device:chr_file r_file_perms; diff --git a/sepolicy/property.te b/sepolicy/property.te index e70f1b5..d15e047 100644 --- a/sepolicy/property.te +++ b/sepolicy/property.te @@ -1 +1,11 @@ -type system_panel_prop, property_type; +type compact_dump_prop, property_type; +type csc_prop, property_type; +type ina_status_prop, property_type; +type receiver_error_prop, property_type; +type sec_camera_prop, property_type; +type sec_cnss_diag_prop, property_type; +type tzdaemon_prop, property_type; +type vendor_factory_prop, property_type; +type vendor_members_prop, property_type; +type vendor_qseecomd_prop, property_type; +type vendor_tztsdaemon_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 417b34d..a387ac1 100644 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts @@ -1,14 +1,21 @@ -service.soundcard. u:object_r:audio_prop:s0 -audio. u:object_r:audio_prop:s0 - -dual.camera.cs.br u:object_r:camera_prop:s0 -persist.camera. u:object_r:camera_prop:s0 - -persist.net.doxlat u:object_r:vendor_xlat_prop:s0 -ro.sys.oem.sno u:object_r:system_radio_prop:s0 -sys.fake_bs_flag0 u:object_r:system_radio_prop:s0 -sys.fake_bs_flag1 u:object_r:system_radio_prop:s0 - -sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0 - -sys.panel. u:object_r:system_panel_prop:s0 +camera. u:object_r:camera_prop:s0 +cnss_diag.service u:object_r:sec_cnss_diag_prop:s0 +init.svc.compact_dump u:object_r:compact_dump_prop:s0 +mdc. u:object_r:csc_prop:s0 +persist.camera. u:object_r:camera_prop:s0 +persist.sys.bt.driver.version u:object_r:vendor_bluetooth_prop:s0 +persist.sys.ina.status u:object_r:ina_status_prop:s0 +persist.vendor.camera. u:object_r:sec_camera_prop:s0 +persist.vendor.camera.debug.logfile u:object_r:sec_camera_prop:s0 +persist.vendor.members. u:object_r:vendor_members_prop:s0 +ro.csc. u:object_r:csc_prop:s0 +ro.error.receiver.default u:object_r:receiver_error_prop:s0 +ro.factory.factory_binary u:object_r:vendor_factory_prop:s0 +ro.fastbootd.available u:object_r:exported_default_prop:s0 +ro.netflix.channel u:object_r:csc_prop:s0 +ro.vendor.multisim. u:object_r:vendor_radio_prop:s0 +ro.vendor.radio. u:object_r:vendor_radio_prop:s0 +vendor.bluetooth_fw_ver u:object_r:vendor_bluetooth_prop:s0 +vendor.npu.usr_drv.log_mask u:object_r:sec_camera_prop:s0 +vendor.sys.qseecomd. u:object_r:vendor_qseecomd_prop:s0 +vendor.tzts_daemon u:object_r:vendor_tztsdaemon_prop:s0 diff --git a/sepolicy/qfp-daemon.te b/sepolicy/qfp-daemon.te deleted file mode 100644 index a5b2de0..0000000 --- a/sepolicy/qfp-daemon.te +++ /dev/null @@ -1,24 +0,0 @@ -binder_call(qfp-daemon, hal_fingerprint_default) -binder_use(qfp-daemon) - -allow qfp-daemon self:socket create_socket_perms; -allowxperm qfp-daemon self:socket ioctl msm_sock_ipc_ioctls; - -allow qfp-daemon captouch_device:chr_file rw_file_perms; - -allow qfp-daemon mnt_vendor_file:dir search; - -allow qfp-daemon qfp-daemon_core_data_file:dir { rw_dir_perms setattr }; -allow qfp-daemon qfp-daemon_core_data_file:file create_file_perms; - -# Access QFP Android Proxy -allow qfp-daemon qfp_proxy_service:service_manager find; - -# Add IQfpService service -allow qfp-daemon iqfp_service:service_manager add; - -r_dir_file(qfp-daemon, persist_qc_senseid_file) -r_dir_file(qfp-daemon, sensors_persist_file) - -# Ignore all logging requests -dontaudit qfp-daemon storage_file:dir search; diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te index 3e410bc..2df91cd 100644 --- a/sepolicy/qti_init_shell.te +++ b/sepolicy/qti_init_shell.te @@ -1,4 +1,5 @@ -allow qti_init_shell proc_buttons:dir { r_dir_perms setattr }; -allow qti_init_shell proc_buttons:file { getattr setattr }; -allow qti_init_shell proc_touchpanel:dir { r_dir_perms setattr }; -allow qti_init_shell proc_touchpanel:file { getattr setattr }; +allow qti_init_shell mnt_vendor_file:dir create_dir_perms; + +allow qti_init_shell sensors_persist_file:dir create_dir_perms; + +set_prop(qti_init_shell, ctl_default_prop) diff --git a/sepolicy/rild.te b/sepolicy/rild.te index 7d780da..c8190d4 100644 --- a/sepolicy/rild.te +++ b/sepolicy/rild.te @@ -1,4 +1,8 @@ -set_prop(rild, system_radio_prop) +allow rild self:tun_socket create; -dontaudit rild tombstone_data_file:dir search; -dontaudit rild vendor_file:file ioctl; +allow rild tun_device:chr_file rw_file_perms; +allowxperm rild tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST }; + +allow rild proc_net:file write; + +get_prop(rild, csc_prop) diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te deleted file mode 100644 index 3f531cb..0000000 --- a/sepolicy/rmt_storage.te +++ /dev/null @@ -1,5 +0,0 @@ -# debugfs access -userdebug_or_eng(` - allow rmt_storage debugfs_rmt:dir search; - allow rmt_storage debugfs_rmt:file rw_file_perms; -') diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts deleted file mode 100644 index 0c0c87d..0000000 --- a/sepolicy/seapp_contexts +++ /dev/null @@ -1 +0,0 @@ -user=system seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file diff --git a/sepolicy/secril_config_svc.te b/sepolicy/secril_config_svc.te new file mode 100644 index 0000000..2ca15d4 --- /dev/null +++ b/sepolicy/secril_config_svc.te @@ -0,0 +1,14 @@ +type secril_config_svc, domain; +type secril_config_svc_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(secril_config_svc) + +allow secril_config_svc mnt_vendor_file:dir search; + +r_dir_file(secril_config_svc, efs_file) +r_dir_file(secril_config_svc, sec_poc_file) + +allow secril_config_svc proc_simslot_count:file r_file_perms; + +get_prop(secril_config_svc, csc_prop) +set_prop(secril_config_svc, vendor_radio_prop) diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te deleted file mode 100644 index 518a873..0000000 --- a/sepolicy/sensors.te +++ /dev/null @@ -1 +0,0 @@ -get_prop(sensors, system_panel_prop) diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te deleted file mode 100644 index 3ee2803..0000000 --- a/sepolicy/system_app.te +++ /dev/null @@ -1,20 +0,0 @@ -# Allow ConfigPanel to work -allow system_app proc_buttons:dir search; -allow system_app proc_buttons:file rw_file_perms; -allow system_app proc_touchpanel:dir search; -allow system_app proc_touchpanel:file rw_file_perms; -allow system_app sysfs_fpc_keyevents:file rw_file_perms; -allow system_app sysfs_fpc_wakeup:file rw_file_perms; - -# Allow PocketMode to work -allow system_app sysfs_fpc_proximity:file rw_file_perms; - -# Allow system_app to read and create files in cnd_core_data_file -allow system_app cnd_core_data_file:dir w_dir_perms; -allow system_app cnd_core_data_file:file create_file_perms; - -# Allow system_app to read and create files in qfp-daemon_core_data_file -allow system_app qfp-daemon_core_data_file:dir create_dir_perms; -allow system_app qfp-daemon_core_data_file:file create_file_perms; - -allow system_app qfp_proxy_service:service_manager add; diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te deleted file mode 100644 index 0422942..0000000 --- a/sepolicy/system_server.te +++ /dev/null @@ -1,3 +0,0 @@ -allow system_server sound_device:chr_file rw_file_perms; -allow system_server sysfs_fpc_keyevents:file rw_file_perms; -allow system_server sysfs_fpc_wakeup:file rw_file_perms; diff --git a/sepolicy/tee.te b/sepolicy/tee.te index 529cb1e..59ecde4 100644 --- a/sepolicy/tee.te +++ b/sepolicy/tee.te @@ -1,10 +1,45 @@ -allow tee fingerprintd_data_file:dir rw_dir_perms; -allow tee fingerprintd_data_file:file create_file_perms; +hwbinder_use(tee) +vndbinder_use(tee) -allow tee persist_qc_senseid_file:dir create_dir_perms; -allow tee persist_qc_senseid_file:file create_file_perms; +binder_call(tee, appdomain) +binder_call(tee, hal_graphics_allocator_default) +binder_call(tee, hal_graphics_composer_default) -allow tee qfp-daemon_core_data_file:dir create_dir_perms; -allow tee qfp-daemon_core_data_file:file create_file_perms; +allow tee self:netlink_generic_socket create_socket_perms_no_ioctl; +allow tee self:netlink_socket create_socket_perms_no_ioctl; -allow tee system_data_file:dir r_dir_perms; +allow tee hal_graphics_mapper_hwservice:hwservice_manager find; + +allow tee graphics_device:blk_file rw_file_perms; +allow tee kmsg_device:blk_file rw_file_perms; +allow tee properties_device:blk_file rw_file_perms; + +allow tee persist_file:lnk_file r_file_perms; + +allow tee proc:file r_file_perms; + +allow tee proc_stat:file r_file_perms; + +allow tee proc_sysrq:file w_file_perms; + +allow tee rootfs:dir r_dir_perms; +allow tee rootfs:file r_file_perms; +allow tee rootfs:lnk_file r_file_perms; + +allow tee efs_file:dir create_dir_perms; +allow tee efs_file:file create_file_perms; + +allow tee prov_efs_file:dir create_dir_perms; +allow tee prov_efs_file:file create_file_perms; + +allow tee sec_poc_file:dir create_dir_perms; +allow tee sec_poc_file:file create_file_perms; + +allow tee vaultkeeper_efs_file:dir rw_dir_perms; +allow tee vaultkeeper_efs_file:file rw_file_perms; + +allow tee vendor_data_file:dir create_dir_perms; +allow tee vendor_data_file:file create_file_perms; + +get_prop(tee, hwservicemanager_prop) +set_prop(tee, vendor_qseecomd_prop) diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te deleted file mode 100644 index 580e596..0000000 --- a/sepolicy/thermal-engine.te +++ /dev/null @@ -1,3 +0,0 @@ -allow thermal-engine sysfs:dir r_dir_perms; - -r_dir_file(thermal-engine, sysfs_batteryinfo) diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te index e9fbf79..7b922ed 100644 --- a/sepolicy/time_daemon.te +++ b/sepolicy/time_daemon.te @@ -1 +1 @@ -allow time_daemon self:capability { setgid setuid }; +r_dir_file(time_daemon, timeservice_app) diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te index cb1e1ee..bcea5e3 100644 --- a/sepolicy/vendor_init.te +++ b/sepolicy/vendor_init.te @@ -1,10 +1,17 @@ -allow vendor_init { - camera_data_file - media_rw_data_file - nfc_data_file - qfp-daemon_core_data_file - system_data_file - time_data_file - wifi_data_file - wpa_socket -}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; +allow vendor_init cgroup:file rw_file_perms; + +allow vendor_init proc_default_smp_affinity:file rw_file_perms; +allow vendor_init proc_hung_task:file rw_file_perms; +allow vendor_init proc_sched:file rw_file_perms; +allow vendor_init proc_swappiness:file rw_file_perms; +allow vendor_init proc_sysrq:file rw_file_perms; + +set_prop(vendor_init, camera_prop) +set_prop(vendor_init, config_prop) +set_prop(vendor_init, csc_prop) +set_prop(vendor_init, ffs_prop) +set_prop(vendor_init, ina_status_prop) +set_prop(vendor_init, receiver_error_prop) +set_prop(vendor_init, vendor_iop_prop) +set_prop(vendor_init, vendor_members_prop) +set_prop(vendor_init, vold_prop) diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te new file mode 100644 index 0000000..2afd80d --- /dev/null +++ b/sepolicy/wcnss_service.te @@ -0,0 +1 @@ +r_dir_file(wcnss_service, vendor_convergence_data_file)