-rwxr-xr-x | rootdir/etc/init.qcom.usb.rc | 1 | ||||
-rw-r--r-- | sepolicy/cnd.te | 2 | ||||
-rw-r--r-- | sepolicy/dpmd.te | 3 | ||||
-rw-r--r-- | sepolicy/file.te | 4 | ||||
-rw-r--r-- | sepolicy/file_contexts | 83 | ||||
-rw-r--r-- | sepolicy/genfs_contexts | 3 | ||||
-rw-r--r-- | sepolicy/hal_audio_default.te | 3 | ||||
-rw-r--r-- | sepolicy/hal_bluetooth_default.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_camera_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_light_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_power_default.te | 1 | ||||
-rw-r--r-- | sepolicy/mm-qcamerad.te | 1 | ||||
-rw-r--r-- | sepolicy/priv_app.te | 2 | ||||
-rw-r--r-- | sepolicy/qseeproxy.te | 1 | ||||
-rw-r--r-- | sepolicy/qti_init_shell.te | 4 | ||||
-rw-r--r-- | sepolicy/radio.te | 1 | ||||
-rw-r--r-- | sepolicy/rild.te | 10 | ||||
-rw-r--r-- | sepolicy/servicemanager.te | 6 | ||||
-rw-r--r-- | sepolicy/system_app.te | 1 | ||||
-rw-r--r-- | sepolicy/zygote.te | 1 |
20 files changed, 96 insertions, 35 deletions
diff --git a/rootdir/etc/init.qcom.usb.rc b/rootdir/etc/init.qcom.usb.rc
index da54d40..890ff8d 100755
--- a/rootdir/etc/init.qcom.usb.rc
+++ b/rootdir/etc/init.qcom.usb.rc
@@ -42,6 +42,7 @@ service qcom-usb-sh /system/bin/sh /init.qcom.usb.sh
     class core
     user root
     oneshot
+    seclabel u:r:qti_init_shell:s0
 # Following are the parameters required for usb functionality. They provide configurable options like
 # product_id/vendor id and allows specifying required functions:
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index 2ff6d41..b66fa5f 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1 +1 @@
-allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid };
+allow cnd cnd:capability { setuid dac_override chown dac_override dac_read_search setgid fsetid net_raw };
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
new file mode 100644
index 0000000..b3a868b
--- /dev/null
+++ b/sepolicy/dpmd.te
@@ -0,0 +1,3 @@
+allow dpmd dpmd:capability { dac_override dac_read_search chown fsetid };
+allow dpmd socket_device:dir { add_name write };
+allow dpmd socket_device:sock_file { create setattr };
diff --git a/sepolicy/file.te b/sepolicy/file.te
index a74868d..bcf12b5 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,8 +1,6 @@
-type debugfs_msm_core, debugfs_type, fs_type;
-type debugfs_rmts, debugfs_type, fs_type;
 type fpc_data_file, file_type;
 type fpc_images_file, file_type;
-type nv_data_file, file_type;
+type nv_data_file, file_type, data_file_type;
 type sysfs_fpc_irq, sysfs_type, fs_type;
 type sysfs_fpc_proximity, sysfs_type, fs_type;
 type sysfs_fpc_utouch_disable, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 08ee6ab..0338e52 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
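Review bot: `net_raw` on the changed cnd.te line lets the daemon open raw and packet sockets, a noticeably broader capability than the file-permission ones already in the set, and nothing in the hunk records which denial motivated it; a short comment above the rule naming the feature and the audit line it came from, e.g. `# net_raw: required by <cnd feature> — see audit denial in commit message`, would keep the grant reviewable. The same line also lists `dac_override` twice, which the compiler tolerates but is worth tidying while the line is touched: `allow cnd cnd:capability { setuid setgid chown fsetid dac_override dac_read_search net_raw };`.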
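Review bot: The two dpmd.te rules on lines 2-3 of the new file let dpmd create socket files directly under the generic `socket_device` label instead of a type of its own, so dpmd's socket is indistinguishable in policy from every other unlabeled entry in /dev/socket and dpmd's write access is not scoped to it. The usual pattern is a dedicated type such as `type dpmd_socket, file_type;` in file.te with a matching `/dev/socket/...` entry in file_contexts, after which `socket_device:dir { add_name write }` is the only rule still needed on the parent directory. `dac_override` on line 1 bypasses DAC checks on every file dpmd touches; if it was added for one path, fixing that path's owner/group is the narrower change.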
@@ -1,42 +1,71 @@
-# We have a couple of non-standard NV partitions
-/dev/block/bootdevice/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
-/dev/block/bootdevice/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+# charger
+/dev/dash u:object_r:input_device:s0
+/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0
+
+# Data files
+/data/decrypt.txt u:object_r:thermal_data_file:s0
+/data/misc/netmgr/log.txt u:object_r:netmgrd_data_file:s0
-/dev/block/mmcblk0p40 u:object_r:persist_block_device:s0
+# fingerprint
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
+/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
+/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
+/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fpc_utouch_disable:s0
 # FRP partition
 /dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
-/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
+# fsc
+/dev/block/mmcblk0p35 u:object_r:modem_efs_partition_device:s0
-/sys/kernel/debug/rmt_storage/rmts u:object_r:qti_debugfs:s0
+# fsg
+/dev/block/mmcblk0p11 u:object_r:modem_efs_partition_device:s0
-/persist/rfs(/.*)? 
u:object_r:rfs_file:s0
+# legacy paths
+/system/bin/qseecomd u:object_r:tee_exec:s0
+/system/bin/irsc_util u:object_r:irsc_util_exec:s0
+/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
+/system/bin/sensors.qcom u:object_r:sensors_exec:s0
+/system/bin/adsprpcd u:object_r:adsprpcd_exec:s0
+/system/bin/cnd u:object_r:cnd_exec:s0
+/system/bin/imsqmidaemon u:object_r:ims_exec:s0
+/system/bin/imsdatadaemon u:object_r:ims_exec:s0
+/system/bin/energy-awareness u:object_r:energyawareness_exec:s0
+/system/bin/tftp_server u:object_r:rfs_access_exec:s0
+/system/bin/port-bridge u:object_r:port-bridge_exec:s0
+/system/bin/netmgrd u:object_r:netmgrd_exec:s0
+/system/bin/pm-service u:object_r:per_mgr_exec:s0
+/system/bin/pm-proxy u:object_r:per_mgr_exec:s0
+/system/bin/time_daemon u:object_r:time_daemon_exec:s0
+/system/bin/cnss-daemon u:object_r:wcnss_service_exec:s0
-/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
+# modemst1
+/dev/block/mmcblk0p37 u:object_r:modem_efs_partition_device:s0
-/dev/fpc1020 u:object_r:fpc1020_device:s0
-/data/fpc(/.*)? u:object_r:fpc_data_file:s0
-/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
-/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
-/sys/devices/soc/soc:fpc_fpc1020/proximity_state u:object_r:sysfs_fpc_proximity:s0
-/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fpc_utouch_disable:s0
+# modemst2
+/dev/block/mmcblk0p38 u:object_r:modem_efs_partition_device:s0
-/dev/dash u:object_r:input_device:s0
-/sys/devices/soc/.*ssusb/power_supply/usb(/.*)? u:object_r:sysfs_usb_supply:s0
+# NV partitions
+/dev/block/bootdevice/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
-/sys/devices/soc/qpnp-smbcharger-[0-9a-f]+/power_supply/battery(/.*)? u:object_r:sysfs_batteryinfo:s0
+# persist
+/dev/block/mmcblk0p40 u:object_r:persist_block_device:s0
+/persist/rfs(/.*)? 
u:object_r:rfs_file:s0
+/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
-/sys/kernel/debug/msm_core(/.*)? u:object_r:debugfs_msm_core:s0
+# readmac
+/system/bin/readmac u:object_r:readmac_exec:s0
-/system/bin/readmac u:object_r:readmac_exec:s0
+# ril
+/system/vendor/qcril.db u:object_r:nv_data_file:s0
-# Data files
-/data/decrypt.txt u:object_r:thermal_data_file:s0
-/data/misc/netmgr/log.txt u:object_r:netmgrd_data_file:s0
+# ssd
+/dev/block/mmcblk0p36 u:object_r:ssd_device:s0
-# legacy paths
-/system/bin/qseecomd u:object_r:tee_exec:s0
-/system/bin/irsc_util u:object_r:irsc_util_exec:s0
-/system/bin/rmt_storage u:object_r:rmt_storage_exec:s0
-/system/bin/sensors.qcom u:object_r:sensors_exec:s0
+# userdata
+/dev/block/mmcblk0p48 u:object_r:userdata_block_device:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..3ffc13b
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,3 @@
+genfscon debugfs /rmt_storage/rmts u:object_r:qti_debugfs:s0
+
+genfscon debugfs /msm_core u:object_r:qti_debugfs:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
new file mode 100644
index 0000000..950d6bc
--- /dev/null
+++ b/sepolicy/hal_audio_default.te
@@ -0,0 +1,3 @@
+allow hal_audio_default socket_device:sock_file write;
+allow hal_audio_default audio_data_file:sock_file { unlink create setattr };
+allow hal_audio_default thermal-engine:unix_stream_socket connectto;
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..e60f709
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1,2 @@
+allow hal_bluetooth_default bluetooth_data_file:dir search;
+allow hal_bluetooth_default bluetooth_data_file:file { append getattr open read write };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..30dbf6a
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
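Review bot: The new `# ril` entry labels `/system/vendor/qcril.db` as `nv_data_file`, the same type this commit gives `data_file_type` in file.te and that `/data/oemnvitems(/.*)?` carries, while the rild.te context lines grant `nv_data_file:file create_file_perms`; a read-only /system asset is now policy-indistinguishable from writable /data state, and a `data_file_type` label on a /system path is likely to trip the AOSP neverallows that key on that attribute. Giving the database its own read-only type (a `file_type` without `data_file_type`, with rild allowed only `r_file_perms` on it) keeps the two separate. Separately, the new `# fsc`, `# fsg`, `# modemst1`, `# modemst2`, `# ssd` and `# userdata` entries hard-code `/dev/block/mmcblk0pNN` numbers, which break silently if the partition table changes, whereas the `# FRP partition` entry already uses the stable `/dev/block/bootdevice/by-name/` form; the raw partitions would be more robust written the same way, if by-name links exist for them.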
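Review bot: Both `genfscon` lines in the new genfs_contexts assign `qti_debugfs`, so the msm_core node that file_contexts previously kept under its own `debugfs_msm_core` type (removed from file.te in this commit) now shares a label with rmt_storage/rmts, and every domain already allowed `qti_debugfs` for the latter silently gains the former. If that widening is intended it deserves a one-line comment above the second rule, e.g. `# msm_core shares qti_debugfs with rmts; consumers are the same set of QTI daemons`; if not, keep a distinct `debugfs_msm_core` type and a `genfscon debugfs /msm_core u:object_r:debugfs_msm_core:s0` entry instead.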
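Review bot: `allow hal_audio_default socket_device:sock_file write;` on line 1 of the new hal_audio_default.te grants write on the generic label that every unlabeled socket in /dev/socket carries, which usually means the socket the HAL actually talks to is missing a file_contexts entry rather than that the HAL needs the blanket grant. Adding a labeled type for that socket and allowing `<that_socket_type>:sock_file write` keeps the rule tied to one endpoint; the `audio_data_file:sock_file` and `thermal-engine:unix_stream_socket connectto` rules on lines 2-3 are already scoped that way.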
@@ -0,0 +1 @@
+allow hal_camera_default camera_data_file:sock_file write;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..fdc5c46
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs:file { open read write };
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..316a62c
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_power_default sysfs:file { write open };
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
new file mode 100644
index 0000000..6b6626b
--- /dev/null
+++ b/sepolicy/mm-qcamerad.te
@@ -0,0 +1 @@
+allow mm-qcamerad camera_data_file:{ file sock_file } { create unlink };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..5b470fe
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,2 @@
+allow priv_app device:dir { open read };
+allow priv_app { camera_prop proc_interrupts }:file { open read };
diff --git a/sepolicy/qseeproxy.te b/sepolicy/qseeproxy.te
index edd215b..9eeb608 100644
--- a/sepolicy/qseeproxy.te
+++ b/sepolicy/qseeproxy.te
@@ -1 +1,2 @@
 allow qseeproxy servicemanager:binder { call transfer };
+allow qseeproxy default_android_service:service_manager find;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index 67789aa..ce9fa4c 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,4 +1,6 @@
 allow qti_init_shell shell_exec:file { r_file_perms entrypoint };
 allow qti_init_shell toolbox_exec:file { r_file_perms execute_no_trans execute };
-allow qti_init_shell sysfs:file { rw_file_perms };
+allow qti_init_shell sysfs:file rw_file_perms;
+
+allow qti_init_shell kmsg_device:chr_file { open write };
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..c23fafe
--- /dev/null
+++ b/sepolicy/radio.te
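Review bot: `allow hal_light_default sysfs:file { open read write };` grants write on the catch-all `sysfs` type, i.e. on every sysfs attribute that has no more specific label, when the lights HAL only needs the LED brightness nodes; the same applies to `allow hal_power_default sysfs:file { write open };` in the hal_power_default.te hunk that follows. AOSP already defines `sysfs_leds` for the LED class nodes, and the CPU frequency/governor attributes a power HAL writes can be labeled with a device-specific `sysfs_type` through file_contexts, after which each HAL gets `rw_file_perms` on only its own type. The blanket `sysfs` grants look like they were copied straight from audit denials before the nodes were labeled.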
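Review bot: `proc_interrupts` on line 2 of the new priv_app.te lets every privileged app read /proc/interrupts, a file AOSP deliberately keeps away from app domains because per-interrupt counters leak device activity (input, radio, sensors) to an unprivileged observer, and `device:dir { open read }` on line 1 lets the same apps enumerate /dev. Neither rule names the app that needed it; if one preloaded app requires these, a dedicated app domain via seapp_contexts is the narrower route, and otherwise a comment such as `# <app name>: reads /proc/interrupts for <purpose>` should justify the grant for the whole `priv_app` domain.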
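Review bot: `allow qseeproxy default_android_service:service_manager find;` grants lookup on the label that every service without a service_contexts entry falls back to, so the rule neither records which service qseeproxy is looking for nor stays bounded: any service registered later without a label becomes findable too. The cleaner fix is to add the target service to service_contexts with its own type and allow `find` on that type; the rild hunk further down (`allow rild default_android_service:service_manager find;`) has the same issue and the same fix.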
@@ -0,0 +1 @@
+allow radio qmuxd_socket:dir search;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index e5cff92..3238c3d 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,3 +1,13 @@
 allow rild servicemanager:binder call;
 allow rild nv_data_file:dir rw_dir_perms;
 allow rild nv_data_file:file create_file_perms;
+
+allow rild radio_data_file:dir search;
+allow rild vendor_configs_file:file ioctl;
+
+allow rild qcom_ims_prop:property_service set;
+
+allow rild default_android_service:service_manager find;
+
+allow rild radio_data_file:file { create getattr ioctl lock open read unlink write };
+allow rild radio_data_file:dir { add_name getattr open read remove_name write };
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
index 6a17ff7..984bb16 100644
--- a/sepolicy/servicemanager.te
+++ b/sepolicy/servicemanager.te
@@ -1,4 +1,4 @@
-allow servicemanager { init per_mgr qseeproxy }:dir search;
-allow servicemanager per_mgr:file { read open };
+allow servicemanager { init per_mgr rild qseeproxy }:dir search;
 allow servicemanager { per_mgr qseeproxy }:process getattr;
-allow servicemanager qseeproxy:file { read open };
+allow servicemanager { per_mgr rild qseeproxy }:file { read open };
+allow servicemanager rild:process getattr;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 25177b5..44c918c 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,2 @@
 allow system_app sysfs_fpc_proximity:file rw_file_perms;
+allow system_app time_daemon:unix_stream_socket connectto;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..e830681
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote cgroup:file create;
|
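Review bot: The last two added rild.te lines spell out `radio_data_file` permission sets by hand while the context lines directly above use the `rw_dir_perms` / `create_file_perms` macros for `nv_data_file`, and the separate `allow rild radio_data_file:dir search;` added earlier in the same hunk is subsumed by the directory set anyway. Written consistently this becomes `allow rild radio_data_file:dir rw_dir_perms;` and `allow rild radio_data_file:file create_file_perms;`, dropping the standalone `search` rule; note the macro form also includes `append`, `rename` and `setattr`, so keep the explicit set only if those are meant to stay denied. `allow rild vendor_configs_file:file ioctl;` without `read` or an accompanying `allowxperm` ioctl list also looks like a denial copied verbatim and would benefit from a comment naming the ioctl.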