authordd3boh <dade.garberi@gmail.com>2017-11-03 19:48:41 +0100
committerdd3boh <dade.garberi@gmail.com>2017-11-04 23:28:42 +0100
commitde5ba527af64c2ae715c2487119a27501d85cc09 (patch)
tree45ea99f9bf7ad60e635dc400d17a15f2dcbfffbc
parent64dac7dc7bf956e3394fd88c87e2c614411c0c3f (diff)
msm8996-common: Initial sepolicy
* Lots of parts are taken from the old sepolicy, so thanks to everyone who contributed to that one * It still does not boot in enforcing mode, though Signed-off-by: dd3boh <dade.garberi@gmail.com>
-rw-r--r--BoardConfigCommon.mk2
-rw-r--r--sepolicy/audioserver.te2
-rw-r--r--sepolicy/cameraserver.te1
-rw-r--r--sepolicy/cnd.te1
-rw-r--r--sepolicy/dataservice_app.te2
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/energyawareness.te1
-rw-r--r--sepolicy/file.te9
-rw-r--r--sepolicy/file_contexts35
-rw-r--r--sepolicy/fsck.te1
-rw-r--r--sepolicy/hal_fingerprint_default.te11
-rw-r--r--sepolicy/ims.te1
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/location.te3
-rw-r--r--sepolicy/netd.te1
-rw-r--r--sepolicy/netmgrd.te5
-rw-r--r--sepolicy/per_mgr.te1
-rw-r--r--sepolicy/qmuxd.te1
-rw-r--r--sepolicy/qseeproxy.te1
-rw-r--r--sepolicy/radio.te1
-rw-r--r--sepolicy/readmac.te18
-rw-r--r--sepolicy/rild.te3
-rw-r--r--sepolicy/rmt_storage.te1
-rw-r--r--sepolicy/servicemanager.te4
-rw-r--r--sepolicy/system_app.te1
-rw-r--r--sepolicy/system_server.te3
-rw-r--r--sepolicy/thermal-engine.te10
-rw-r--r--sepolicy/webview_zygote.te1
28 files changed, 122 insertions, 1 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 938d632..09eeb20 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -185,7 +185,7 @@ TARGET_USERIMAGES_USE_F2FS := true
# SELinux
# include device/qcom/sepolicy/sepolicy.mk
-# BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy
+BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy
# Timeservice
BOARD_USES_QC_TIME_SERVICES := true
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..5c5f2fd
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,2 @@
+allow audioserver socket_device:sock_file write;
+allow audioserver thermal-engine:unix_stream_socket connectto;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..b37ca3c
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1 @@
+allow cameraserver init:unix_dgram_socket sendto;
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..2ff6d41
--- /dev/null
+++ b/sepolicy/cnd.te
@@ -0,0 +1 @@
+allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid };
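Review bot: The capability set on this line lists `dac_override` twice, and the subject and target are spelled out as `cnd cnd` where the conventional form is `self`; `allow cnd self:capability { setuid setgid chown dac_override dac_read_search fsetid };`. The same `X X:capability` spelling appears in ims.te and rmt_storage.te. Separately, `dac_override` and `dac_read_search` bypass DAC checks entirely; if they are only needed because a few files are owned by the wrong UID, fixing ownership in the init rc is the narrower change, so verify against the recorded denials before keeping them.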
diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te
new file mode 100644
index 0000000..4f36595
--- /dev/null
+++ b/sepolicy/dataservice_app.te
@@ -0,0 +1,2 @@
+allow dataservice_app cnd_socket:sock_file write;
+allow dataservice_app cnd:unix_stream_socket connectto;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e271129
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type fpc1020_device, dev_type;
diff --git a/sepolicy/energyawareness.te b/sepolicy/energyawareness.te
new file mode 100644
index 0000000..8d8250e
--- /dev/null
+++ b/sepolicy/energyawareness.te
@@ -0,0 +1 @@
+allow energyawareness sysfs:{ dir file } { read open getattr };
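Review bot: The rule grants read on every sysfs node that still carries the generic `sysfs` label; if energyawareness reads a known set of nodes, label them in file_contexts and target that type instead. If a generic read really is needed, the AOSP macro `r_dir_file(energyawareness, sysfs)` is the conventional spelling, though note it grants the full `r_dir_perms`/`r_file_perms` sets rather than exactly `{ read open getattr }`.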
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..a74868d
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,9 @@
+type debugfs_msm_core, debugfs_type, fs_type;
+type debugfs_rmts, debugfs_type, fs_type;
+type fpc_data_file, file_type;
+type fpc_images_file, file_type;
+type nv_data_file, file_type;
+type sysfs_fpc_irq, sysfs_type, fs_type;
+type sysfs_fpc_proximity, sysfs_type, fs_type;
+type sysfs_fpc_utouch_disable, fs_type, sysfs_type;
+type thermal_data_file, file_type;
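Review bot: The attribute order on `type sysfs_fpc_utouch_disable, fs_type, sysfs_type;` differs from the other sysfs declarations in the file; `type sysfs_fpc_utouch_disable, sysfs_type, fs_type;` keeps the block uniform. Also, `fpc_data_file`, `fpc_images_file`, `nv_data_file` and `thermal_data_file` label paths under /data (per file_contexts in this commit) but carry only `file_type`; AOSP's own /data types conventionally carry `data_file_type` as well, so check whether the target release's neverallow rules expect it and add it if so.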
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..979f833
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,35 @@
+# We have a couple of non-standard NV partitions
+/dev/block/bootdevice/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+
+# FRP partition
+/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
+
+/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
+
+/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
+
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
+/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
+/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
+/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fpc_utouch_disable:s0
+
+/dev/dash u:object_r:input_device:s0
+/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/current_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/voltage_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/temp u:object_r:sysfs_batteryinfo:s0
+
+/sys/kernel/debug/msm_core(/.*)? u:object_r:debugfs_msm_core:s0
+
+/sys/kernel/debug/rmt_storage/rmts u:object_r:debugfs_rmts:s0
+
+/system/bin/readmac u:object_r:readmac_exec:s0
+
+# Data files
+/data/decrypt.txt u:object_r:thermal_data_file:s0
+/data/misc/netmgr/log.txt u:object_r:netmgrd_data_file:s0
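Review bot: The `utouch_disable` entry uses `/sys/devices/soc/soc:fpc1020/`, while the `irq` and `proximity_state` entries two lines above use `/sys/devices/soc/soc:fpc_fpc1020/`; if that is a typo, the node keeps the generic `sysfs` label and the `sysfs_fpc_utouch_disable` rule added for system_server never applies. Verify the path against the device's actual sysfs tree and align the three entries. file_contexts patterns are anchored implicitly, so no further change to the regexes is needed.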
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..b9c5021
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck rootfs:lnk_file getattr;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..314093c
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
@@ -0,0 +1,11 @@
+r_dir_file(hal_fingerprint_default, firmware_file)
+allow hal_fingerprint_default tee_device:chr_file ioctl;
+allow hal_fingerprint_default sysfs:file write;
+allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file { create unlink setattr };
+allow hal_fingerprint_default fpc_images_file:dir rw_dir_perms;
+allow hal_fingerprint_default fpc_images_file:file create_file_perms;
+allow hal_fingerprint_default sysfs_fpc_irq:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default firmware_file:dir { search read };
+allow hal_fingerprint_default firmware_file:file { read open };
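Review bot: The last two lines duplicate what `r_dir_file(hal_fingerprint_default, firmware_file)` on the first line already grants, and `tee_device:chr_file ioctl` is contained in the later `tee_device:chr_file rw_file_perms`; the three redundant rules can be dropped. The remaining concern is `allow hal_fingerprint_default sysfs:file write;`, which grants write on every sysfs node still carrying the generic label; the fingerprint nodes are already labelled (`sysfs_fpc_irq`, `sysfs_fpc_proximity`), so the write should be scoped to whichever of those the HAL actually touches, with any further node given its own label in file_contexts.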
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
new file mode 100644
index 0000000..d9d0cb0
--- /dev/null
+++ b/sepolicy/ims.te
@@ -0,0 +1 @@
+allow ims ims:capability net_raw;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..33a9b3e
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+allow init socket_device:sock_file { create unlink setattr };
+allow init proc_dirty_ratio:file write;
diff --git a/sepolicy/location.te b/sepolicy/location.te
new file mode 100644
index 0000000..0e4623a
--- /dev/null
+++ b/sepolicy/location.te
@@ -0,0 +1,3 @@
+allow location system_data_file:dir { write remove_name };
+allow location system_data_file:sock_file { unlink create setattr };
+allow location system_data_file:dir add_name;
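Review bot: The `system_data_file:dir` permissions are split across the first and third lines; merge them as `allow location system_data_file:dir { write add_name remove_name };`. More importantly, the second line lets location create a socket file that stays labelled `system_data_file`, because no `type_transition` is declared for it; the netmgrd and thermal-engine files in this same commit show the pattern to follow — declare a dedicated type in file.te, add `type_transition location system_data_file:sock_file <new_type>;` and label the path in file_contexts, after which the broad write into system_data_file can be narrowed to the transition's needs.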
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..46e8ed6
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1 @@
+r_dir_file(netd, firmware_file)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..0f20b71
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,5 @@
+type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
+allow netmgrd self:capability dac_override;
+allow netmgrd netmgrd_data_file:file rw_file_perms;
+allow netmgrd diag_device:chr_file { read write };
+allow netmgrd net_data_file:dir read;
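Review bot: The `type_transition` on the first line only fires for a `log.txt` created directly in a directory labelled `system_data_file`, yet file_contexts labels the file at `/data/misc/netmgr/log.txt`; if `/data/misc/netmgr` already carries a more specific label in the base qcom policy, the transition never applies and it should be declared from that parent type instead. The transition also presupposes `system_data_file:dir { search write add_name }` for netmgrd, which this file does not grant — presumably inherited from the base policy, but worth confirming. `allow netmgrd self:capability dac_override;` should likewise be justified by a specific denial rather than kept as a blanket grant.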
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..e7eaf7f
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1 @@
+allow per_mgr servicemanager:binder { call transfer };
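Review bot: This rule, together with the one in qseeproxy.te and the four rules in servicemanager.te, is the hand-expanded body of the AOSP `binder_use()` macro (caller→servicemanager `{ call transfer }`; servicemanager→caller `dir search`, `file { read open }`, `process getattr`). Replacing them with `binder_use(per_mgr)` here and `binder_use(qseeproxy)` in qseeproxy.te, and deleting servicemanager.te, keeps each domain's binder setup in its own file and picks up any permission the macro gains in later releases. If the vendor's qcom sepolicy already applies the macro to these domains, these lines are redundant outright.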
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
new file mode 100644
index 0000000..d9fd325
--- /dev/null
+++ b/sepolicy/qmuxd.te
@@ -0,0 +1 @@
+allow qmuxd diag_device:chr_file { read write };
diff --git a/sepolicy/qseeproxy.te b/sepolicy/qseeproxy.te
new file mode 100644
index 0000000..edd215b
--- /dev/null
+++ b/sepolicy/qseeproxy.te
@@ -0,0 +1 @@
+allow qseeproxy servicemanager:binder { call transfer };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..64f05c6
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1 @@
+allow radio qmuxd_socket:dir search;
diff --git a/sepolicy/readmac.te b/sepolicy/readmac.te
new file mode 100644
index 0000000..2a326e0
--- /dev/null
+++ b/sepolicy/readmac.te
@@ -0,0 +1,18 @@
+type readmac, domain;
+type readmac_exec, exec_type, file_type;
+
+# Allow for transition from init domain to readmac
+init_daemon_domain(readmac)
+
+# Allow readmac to communicate with qmuxd via qmux_radio socket
+qmux_socket(readmac)
+
+# Allow readmac to fully access wlan_mac.bin persist file
+allow readmac persist_file:dir rw_dir_perms;
+allow readmac persist_file:file create_file_perms;
+
+allow readmac self:capability dac_override;
+allow readmac self:socket create_socket_perms_no_ioctl;
+
+allow readmac diag_device:chr_file rw_file_perms;
+allow readmac sysfs:file r_file_perms;
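Review bot: The comment says readmac needs `wlan_mac.bin`, but the two `persist_file` rules grant create and write on every file and directory still carrying the generic `persist_file` label; give that file its own type in file.te and file_contexts (as this commit does for the `sensors_persist_file` path) and allow only that type. `allow readmac self:socket create_socket_perms_no_ioctl;` targets the generic `socket` class, which on a kernel with extended socket classes may not be the class the daemon's sockets actually land in; confirm the class from the denial. `allow readmac sysfs:file r_file_perms;` similarly covers every unlabelled sysfs node and would be tighter scoped to a labelled node if the path is known.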
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..e5cff92
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,3 @@
+allow rild servicemanager:binder call;
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..5e6c045
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1 @@
+allow rmt_storage rmt_storage:capability sys_admin;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..6a17ff7
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,4 @@
+allow servicemanager { init per_mgr qseeproxy }:dir search;
+allow servicemanager per_mgr:file { read open };
+allow servicemanager { per_mgr qseeproxy }:process getattr;
+allow servicemanager qseeproxy:file { read open };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..25177b5
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_fpc_proximity:file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..ef21160
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,3 @@
+allow system_server alarm_boot_prop:file { read open getattr };
+allow system_server persist_file:dir write;
+allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
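Review bot: `allow system_server persist_file:dir write;` grants directory write on the broad `persist_file` label without `add_name`/`remove_name`, so it neither completes a create nor is scoped to the one path system_server needs; locate the path from the denial, give it its own label in file_contexts (the `sensors_persist_file` entry in this commit is the pattern) and allow that type instead. The first line can also be expressed with the AOSP macro `get_prop(system_server, alarm_boot_prop)`, which is how property-file reads are conventionally written, though note the macro grants `r_file_perms` rather than exactly `{ read open getattr }`.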
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..4b8c024
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,10 @@
+type_transition thermal-engine system_data_file:file thermal_data_file "decrypt.txt";
+allow thermal-engine sysfs_kgsl:file r_file_perms;
+allow thermal-engine system_data_file:dir w_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine sysfs_usb_supply:dir search;
+allow thermal-engine sysfs_usb_supply:file r_file_perms;
+allow thermal-engine diag_device:chr_file { read write };
+allow thermal-engine diag_device:chr_file open;
+allow thermal-engine diag_device:chr_file ioctl;
+allow thermal-engine socket_device:sock_file { create setattr };
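Review bot: The three `diag_device:chr_file` rules split one access across three lines; collapse them to `allow thermal-engine diag_device:chr_file { read write open ioctl };` (or `rw_file_perms`, which is the form readmac.te uses for the same device). `allow thermal-engine system_data_file:dir w_dir_perms;` is broader than the `type_transition` for decrypt.txt needs: it permits creating and removing any name in any `system_data_file`-labelled directory, not just the one file under /data. If thermal-engine only ever writes that file, consider moving it under a directory with a dedicated type, or labelling its parent, so the rule can target that type rather than `system_data_file`.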
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
new file mode 100644
index 0000000..bb1116c
--- /dev/null
+++ b/sepolicy/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote mnt_expand_file:dir getattr;