-rw-r--r-- | BoardConfigCommon.mk | 2 | ||||
-rw-r--r-- | sepolicy/audioserver.te | 2 | ||||
-rw-r--r-- | sepolicy/cameraserver.te | 1 | ||||
-rw-r--r-- | sepolicy/cnd.te | 1 | ||||
-rw-r--r-- | sepolicy/dataservice_app.te | 2 | ||||
-rw-r--r-- | sepolicy/device.te | 1 | ||||
-rw-r--r-- | sepolicy/energyawareness.te | 1 | ||||
-rw-r--r-- | sepolicy/file.te | 9 | ||||
-rw-r--r-- | sepolicy/file_contexts | 35 | ||||
-rw-r--r-- | sepolicy/fsck.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_fingerprint_default.te | 11 | ||||
-rw-r--r-- | sepolicy/ims.te | 1 | ||||
-rw-r--r-- | sepolicy/init.te | 2 | ||||
-rw-r--r-- | sepolicy/location.te | 3 | ||||
-rw-r--r-- | sepolicy/netd.te | 1 | ||||
-rw-r--r-- | sepolicy/netmgrd.te | 5 | ||||
-rw-r--r-- | sepolicy/per_mgr.te | 1 | ||||
-rw-r--r-- | sepolicy/qmuxd.te | 1 | ||||
-rw-r--r-- | sepolicy/qseeproxy.te | 1 | ||||
-rw-r--r-- | sepolicy/radio.te | 1 | ||||
-rw-r--r-- | sepolicy/readmac.te | 18 | ||||
-rw-r--r-- | sepolicy/rild.te | 3 | ||||
-rw-r--r-- | sepolicy/rmt_storage.te | 1 | ||||
-rw-r--r-- | sepolicy/servicemanager.te | 4 | ||||
-rw-r--r-- | sepolicy/system_app.te | 1 | ||||
-rw-r--r-- | sepolicy/system_server.te | 3 | ||||
-rw-r--r-- | sepolicy/thermal-engine.te | 10 | ||||
-rw-r--r-- | sepolicy/webview_zygote.te | 1 |
28 files changed, 122 insertions, 1 deletions
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 938d632..09eeb20 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -185,7 +185,7 @@ TARGET_USERIMAGES_USE_F2FS := true
 
 # SELinux
 # include device/qcom/sepolicy/sepolicy.mk
-# BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy
+BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy
 
 # Timeservice
 BOARD_USES_QC_TIME_SERVICES := true
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..5c5f2fd
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,2 @@
+allow audioserver socket_device:sock_file write;
+allow audioserver thermal-engine:unix_stream_socket connectto;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..b37ca3c
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1 @@
+allow cameraserver init:unix_dgram_socket sendto;
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..2ff6d41
--- /dev/null
+++ b/sepolicy/cnd.te
@@ -0,0 +1 @@
+allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid };
diff --git a/sepolicy/dataservice_app.te b/sepolicy/dataservice_app.te
new file mode 100644
index 0000000..4f36595
--- /dev/null
+++ b/sepolicy/dataservice_app.te
@@ -0,0 +1,2 @@
+allow dataservice_app cnd_socket:sock_file write;
+allow dataservice_app cnd:unix_stream_socket connectto;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e271129
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type fpc1020_device, dev_type;
diff --git a/sepolicy/energyawareness.te b/sepolicy/energyawareness.te
new file mode 100644
index 0000000..8d8250e
--- /dev/null
+++ b/sepolicy/energyawareness.te
@@ -0,0 +1 @@
+allow energyawareness sysfs:{ dir file } { read open getattr };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..a74868d
--- /dev/null
+++ b/sepolicy/file.te
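Review bot: The newly enabled `BOARD_SEPOLICY_DIRS += $(VENDOR_PATH)/sepolicy` pulls in .te files that reference types and macros this commit never declares — `cnd_socket`, `qmuxd_socket`, `netmgrd_data_file`, `thermal-engine`, `qmux_socket()` — while the `# include device/qcom/sepolicy/sepolicy.mk` line just above stays commented out. Presumably those definitions arrive through another sepolicy directory already on the build path, but nothing here says so. A one-line comment such as `# cnd/qmuxd/netmgrd/thermal-engine types come from <path of the qcom sepolicy dir>` would make the dependency visible, and the dead `# include` line should then either be removed or explained.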
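Review bot: `dac_override` is listed twice in the capability set on the single added `allow cnd cnd:capability { ... }` line; the duplicate is harmless to the compiler but suggests the list was pasted from denials rather than reviewed. `dac_override` and `dac_read_search` together let cnd bypass DAC permission checks on every file, so each underlying denial should be fixed by labelling the file with a type cnd is allowed to access rather than by granting the capability; newer AOSP branches carry neverallow rules that may reject `dac_override` for domains like this, so the rule may not carry forward. Prefer `self` over repeating the domain name and grant only what is known to be needed: `allow cnd self:capability { setuid setgid chown fsetid };`, adding the two dac_* capabilities only if a specific path genuinely cannot be relabelled.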
@@ -0,0 +1,9 @@
+type debugfs_msm_core, debugfs_type, fs_type;
+type debugfs_rmts, debugfs_type, fs_type;
+type fpc_data_file, file_type;
+type fpc_images_file, file_type;
+type nv_data_file, file_type;
+type sysfs_fpc_irq, sysfs_type, fs_type;
+type sysfs_fpc_proximity, sysfs_type, fs_type;
+type sysfs_fpc_utouch_disable, fs_type, sysfs_type;
+type thermal_data_file, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..979f833
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,35 @@
+# We have a couple of non-standard NV partitions
+/dev/block/bootdevice/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+
+# FRP partition
+/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
+
+/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
+
+/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
+
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
+/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
+/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
+/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fpc_utouch_disable:s0
+
+/dev/dash u:object_r:input_device:s0
+/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/current_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/voltage_now u:object_r:sysfs_batteryinfo:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery/temp u:object_r:sysfs_batteryinfo:s0
+
+/sys/kernel/debug/msm_core(/.*)? u:object_r:debugfs_msm_core:s0
+
+/sys/kernel/debug/rmt_storage/rmts u:object_r:debugfs_rmts:s0
+
+/system/bin/readmac u:object_r:readmac_exec:s0
+
+# Data files
+/data/decrypt.txt u:object_r:thermal_data_file:s0
+/data/misc/netmgr/log.txt u:object_r:netmgrd_data_file:s0
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..b9c5021
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1 @@
+allow fsck rootfs:lnk_file getattr;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..314093c
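Review bot: The three fingerprint sysfs entries name two different parent nodes — `/sys/devices/soc/soc:fpc_fpc1020/irq` and `.../soc:fpc_fpc1020/proximity_state` versus `/sys/devices/soc/soc:fpc1020/utouch_disable` — which looks like a typo in one of them unless the driver really registers under both names. If `utouch_disable` actually lives under `soc:fpc_fpc1020`, that entry never matches, the node keeps the generic `sysfs` label, and the `sysfs_fpc_utouch_disable` rule added for system_server is dead; this should be confirmed against the device's sysfs before the change lands. The `/sys/devices/soc/.*ssusb/power_supply/usb(/.*)?` pattern is also looser than the smbcharger entries beneath it; anchoring it on the real node name would keep `sysfs_usb_supply` from being applied to unrelated paths.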
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
@@ -0,0 +1,11 @@
+r_dir_file(hal_fingerprint_default, firmware_file)
+allow hal_fingerprint_default tee_device:chr_file ioctl;
+allow hal_fingerprint_default sysfs:file write;
+allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file { create unlink setattr };
+allow hal_fingerprint_default fpc_images_file:dir rw_dir_perms;
+allow hal_fingerprint_default fpc_images_file:file create_file_perms;
+allow hal_fingerprint_default sysfs_fpc_irq:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default firmware_file:dir { search read };
+allow hal_fingerprint_default firmware_file:file { read open };
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
new file mode 100644
index 0000000..d9d0cb0
--- /dev/null
+++ b/sepolicy/ims.te
@@ -0,0 +1 @@
+allow ims ims:capability net_raw;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..33a9b3e
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+allow init socket_device:sock_file { create unlink setattr };
+allow init proc_dirty_ratio:file write;
diff --git a/sepolicy/location.te b/sepolicy/location.te
new file mode 100644
index 0000000..0e4623a
--- /dev/null
+++ b/sepolicy/location.te
@@ -0,0 +1,3 @@
+allow location system_data_file:dir { write remove_name };
+allow location system_data_file:sock_file { unlink create setattr };
+allow location system_data_file:dir add_name;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..46e8ed6
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1 @@
+r_dir_file(netd, firmware_file)
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..0f20b71
--- /dev/null
+++ b/sepolicy/netmgrd.te
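Review bot: `allow hal_fingerprint_default sysfs:file write;` grants write access to every file still carrying the generic `sysfs` label, which undoes the point of the `sysfs_fpc_*` types this same commit introduces. Whichever node triggered that denial should get its own entry in `file_contexts` (as was done for `sysfs_fpc_irq`) and the rule should name that type instead. Two rules are also redundant and hide intent: `tee_device:chr_file ioctl` is already contained in the later `tee_device:chr_file rw_file_perms`, and the two explicit `firmware_file` rules repeat what `r_dir_file(hal_fingerprint_default, firmware_file)` on the first line grants — dropping the duplicates leaves the set of real grants easier to audit.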
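Review bot: The three `location` rules together grant `write`, `add_name` and `remove_name` on every directory labelled `system_data_file`, plus create/unlink of sock_files in them, i.e. the ability to create and delete sockets anywhere in the unlabelled parts of /data. If this is for one socket path, its parent directory should get a dedicated type (a `location_data_file`-style declaration in `file.te` plus a `file_contexts` entry) and the rules be narrowed to that type. At minimum the two `:dir` rules belong on one line so the full grant is visible at a glance: `allow location system_data_file:dir { write add_name remove_name };`.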
@@ -0,0 +1,5 @@
+type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
+allow netmgrd self:capability dac_override;
+allow netmgrd netmgrd_data_file:file rw_file_perms;
+allow netmgrd diag_device:chr_file { read write };
+allow netmgrd net_data_file:dir read;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..e7eaf7f
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1 @@
+allow per_mgr servicemanager:binder { call transfer };
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
new file mode 100644
index 0000000..d9fd325
--- /dev/null
+++ b/sepolicy/qmuxd.te
@@ -0,0 +1 @@
+allow qmuxd diag_device:chr_file { read write };
diff --git a/sepolicy/qseeproxy.te b/sepolicy/qseeproxy.te
new file mode 100644
index 0000000..edd215b
--- /dev/null
+++ b/sepolicy/qseeproxy.te
@@ -0,0 +1 @@
+allow qseeproxy servicemanager:binder { call transfer };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..64f05c6
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1 @@
+allow radio qmuxd_socket:dir search;
diff --git a/sepolicy/readmac.te b/sepolicy/readmac.te
new file mode 100644
index 0000000..2a326e0
--- /dev/null
+++ b/sepolicy/readmac.te
@@ -0,0 +1,18 @@
+type readmac, domain;
+type readmac_exec, exec_type, file_type;
+
+# Allow for transition from init domain to readmac
+init_daemon_domain(readmac)
+
+# Allow readmac to communicate with qmuxd via qmux_radio socket
+qmux_socket(readmac)
+
+# Allow readmac to fully access wlan_mac.bin persist file
+allow readmac persist_file:dir rw_dir_perms;
+allow readmac persist_file:file create_file_perms;
+
+allow readmac self:capability dac_override;
+allow readmac self:socket create_socket_perms_no_ioctl;
+
+allow readmac diag_device:chr_file rw_file_perms;
+allow readmac sysfs:file r_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..e5cff92
--- /dev/null
+++ b/sepolicy/rild.te
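Review bot: `allow netmgrd self:capability dac_override;` lets netmgrd bypass DAC checks on any file, while the only new file the hunk shows it needing is `log.txt`, which the `type_transition` on the first line already labels and `netmgrd_data_file:file rw_file_perms` already grants. Once the file is labelled correctly the capability should be unnecessary; if a denial remains it will most likely be on the parent `:dir`, which is the thing to grant narrowly. The transition is keyed on `system_data_file` as the parent — if `/data/misc/netmgr` already carries `netmgrd_data_file` from the base policy, both this line and the `/data/misc/netmgr/log.txt` entry in `file_contexts` are no-ops, so that is worth confirming. Also `net_data_file:dir read` without `search` permits listing but not lookup inside the directory; the conventional grant is `allow netmgrd net_data_file:dir r_dir_perms;`.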
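Review bot: `allow per_mgr servicemanager:binder { call transfer };` hand-expands one half of what `binder_use(per_mgr)` provides, and the same pattern recurs in `qseeproxy.te` and in the `servicemanager.te` rules for `{ per_mgr qseeproxy }` (dir search, file read/open, process getattr are exactly the servicemanager side of that macro). Replacing the rules in the three files with `binder_use(per_mgr)` and `binder_use(qseeproxy)` keeps the policy in the form the rest of AOSP uses and is easier to audit for completeness. The `init` member of `allow servicemanager { init per_mgr qseeproxy }:dir search;` is unrelated to those two domains and deserves its own line with a comment saying why servicemanager needs it.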
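Review bot: `allow readmac persist_file:dir rw_dir_perms;` together with `persist_file:file create_file_perms` gives readmac create/write/delete over everything labelled `persist_file`, although the comment just above says it only needs `wlan_mac.bin`. Labelling that file (or its directory) with a dedicated type in `file_contexts` and restricting the rules to it means a fault in readmac cannot alter other persisted data, and the comment `# Allow readmac to fully access wlan_mac.bin persist file` would then describe the rule accurately. With the file correctly labelled, `allow readmac self:capability dac_override;` should not be needed either and is best removed once the denial is re-checked.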
@@ -0,0 +1,3 @@
+allow rild servicemanager:binder call;
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..5e6c045
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1 @@
+allow rmt_storage rmt_storage:capability sys_admin;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..6a17ff7
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,4 @@
+allow servicemanager { init per_mgr qseeproxy }:dir search;
+allow servicemanager per_mgr:file { read open };
+allow servicemanager { per_mgr qseeproxy }:process getattr;
+allow servicemanager qseeproxy:file { read open };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..25177b5
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_fpc_proximity:file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..ef21160
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,3 @@
+allow system_server alarm_boot_prop:file { read open getattr };
+allow system_server persist_file:dir write;
+allow system_server sysfs_fpc_utouch_disable:file rw_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..4b8c024
--- /dev/null
+++ b/sepolicy/thermal-engine.te
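Review bot: `allow rmt_storage rmt_storage:capability sys_admin;` grants CAP_SYS_ADMIN, the broadest Linux capability, to the remote-storage daemon, and nothing in the commit records which operation produced the denial. A comment on the line, e.g. `# sys_admin needed for <operation from the avc denial>`, plus a check whether a narrower grant (often a specific ioctl or a file label) satisfies that operation, is the minimum before accepting it; newer AOSP branches carry neverallow rules that may reject `sys_admin` for vendor domains, so the rule may not carry forward as written. Style: `self` reads better than repeating the domain name, matching `netmgrd.te` and `readmac.te` in this same commit.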
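Review bot: `allow system_server persist_file:dir write;` is incomplete on its own — creating or removing an entry in a directory also needs `add_name` or `remove_name` — and a bare `write` on every `persist_file` directory is a broad grant for system_server. If the goal is one file under /persist, labelling it and granting the narrower type is preferable; if the denial really is a directory write, the rule should state the whole operation so the reader can judge it, e.g. `allow system_server persist_file:dir { write add_name };` with a comment naming the path involved.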
@@ -0,0 +1,10 @@
+type_transition thermal-engine system_data_file:file thermal_data_file "decrypt.txt";
+allow thermal-engine sysfs_kgsl:file r_file_perms;
+allow thermal-engine system_data_file:dir w_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine sysfs_usb_supply:dir search;
+allow thermal-engine sysfs_usb_supply:file r_file_perms;
+allow thermal-engine diag_device:chr_file { read write };
+allow thermal-engine diag_device:chr_file open;
+allow thermal-engine diag_device:chr_file ioctl;
+allow thermal-engine socket_device:sock_file { create setattr };
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
new file mode 100644
index 0000000..bb1116c
--- /dev/null
+++ b/sepolicy/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote mnt_expand_file:dir getattr;
|
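Review bot: `allow thermal-engine system_data_file:dir w_dir_perms;` lets thermal-engine create and remove entries in any `system_data_file` directory, far more than the single `/data/decrypt.txt` the `type_transition` on the first line is there to create. Putting that file under its own directory labelled `thermal_data_file` (with a matching `file_contexts` entry) and granting `thermal_data_file:dir` instead confines the daemon to its own data. The three `diag_device:chr_file` lines should be one rule, `allow thermal-engine diag_device:chr_file { read write open ioctl };` (or `rw_file_perms`, as `readmac.te` in this commit uses), which also makes it obvious that ioctl on the diag device is an intentional grant rather than an afterthought.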