Diffstat (limited to 'sepolicy/vendor')
36 files changed, 240 insertions, 0 deletions
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
new file mode 100644
index 0000000..8707457
--- /dev/null
+++ b/sepolicy/vendor/adsprpcd.te
@@ -0,0 +1 @@
+allow adsprpcd_file self:filesystem associate;
diff --git a/sepolicy/vendor/charger.te b/sepolicy/vendor/charger.te
new file mode 100644
index 0000000..f9509e4
--- /dev/null
+++ b/sepolicy/vendor/charger.te
@@ -0,0 +1 @@
+allow charger sysfs_battery_supply:file read;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..e271129
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1 @@
+type fpc1020_device, dev_type;
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
new file mode 100644
index 0000000..69158d7
--- /dev/null
+++ b/sepolicy/vendor/domain.te
@@ -0,0 +1,37 @@
+get_prop(domain, camera_prop)
+
+dontaudit domain self:capability sys_module;
+dontaudit domain kernel:system module_request;
+
+# b/29072816
+# Triggered by kernel code which calls request_firmware(), which
+# eventually calls filp_open(), which attempts to look in /firmware
+# for the firmware file itself using the context of the calling
+# domain.
+# This does not occur on other Android builds because the marlin
+# kernel has various references to /firmware paths in the following
+# code:
+#
+# /* direct firmware loading support */
+# static char fw_path_para[256];
+# static const char * const fw_path[] = {
+# fw_path_para,
+# "/lib/firmware/updates/" UTS_RELEASE,
+# "/lib/firmware/updates",
+# "/lib/firmware/" UTS_RELEASE,
+# "/lib/firmware",
+# "/firmware/image",
+# "/firmware/radio",
+# "/firmware/adsp" //HTC_AUD
+# };
+#
+# As described at http://www.makelinux.net/ldd3/chp-14-sect-8 ,
+# the userspace helper (in our case, ueventd) should always be loading
+# these files, not the requesting process itself. It is only due to a
+# hack added by Linus Torvalds that the kernel even attempt to load
+# firmware files directly from the filesystem
+# (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e).
+#
+# Suppress these denials for most domains, since ueventd should be doing the
+# opening of the firmware.
+dontaudit domain firmware_file:dir search;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..430dd83
--- /dev/null
+++ b/sepolicy/vendor/file.te
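Review bot: `get_prop(domain, camera_prop)` on the first line of the domain.te hunk grants every domain on the device, including untrusted app domains, read access to the `persist.camera.` properties mapped in the property_contexts hunk; a vendor property readable by all of `domain` is wider than the camera stack needs. Scope the grant to the consumers that actually read these properties, e.g. `get_prop(hal_camera_default, camera_prop)` and `get_prop(mm-qcamerad, camera_prop)`, and add the remaining readers one domain at a time from the denials. The long comment justifying `dontaudit domain firmware_file:dir search;` is good; a one-line comment above the `get_prop` naming who reads `camera_prop` and why would complete the file.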
@@ -0,0 +1,14 @@
+# /data
+type acdbdelta_vendor_data_file, file_type, data_file_type;
+type fpc_data_file, core_data_file_type, data_file_type, file_type;
+type thermal_data_file, core_data_file_type, data_file_type, file_type;
+
+# debugfs
+type debugfs_rmt, debugfs_type, fs_type;
+
+# /sys
+type sysfs_fingerprint, sysfs_type, fs_type;
+type sysfs_pcie, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_wifi, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_doubletap, sysfs_type, fs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..f3745f7
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,36 @@
+# Binaries
+/(vendor|system/vendor)/bin/init.bt.sh u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init.wlan.sh u:object_r:qti_init_shell_exec:s0
+
+# Bluetooth
+/sys/devices/vendor/vendor:bt_qca6174/extldo u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/vendor/vendor:bt_qca6174/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+
+# Data files
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/decrypt\.txt u:object_r:thermal_data_file:s0
+/data/vendor/qcam(/.*)? u:object_r:vendor_camera_data_file:s0
+/data/vendor/misc/audio/acdbdata/delta(/.*)? u:object_r:acdbdelta_vendor_data_file:s0
+
+# Devices
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/dev/tfa9890 u:object_r:audio_device:s0
+
+# Firmware
+/firmware u:object_r:firmware_file:s0
+/bt_firmware u:object_r:bt_firmware_file:s0
+
+# HALs
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.zuk_8996 u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.zuk_8996 u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:hal_drm_widevine_exec:s0
+
+# Persist
+/persist(/.*)? u:object_r:mnt_vendor_file:s0
+
+# Sys files
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/soc:fpc1020/enable_wakeup u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/soc:fpc1020/proximity_state u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/soc:fpc1020/irq u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/soc:fpc1020/utouch_disable u:object_r:sysfs_fingerprint:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..ead7684
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
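Review bot: The widevine entry under `# HALs` leaves the dot in `-service.widevine` unescaped while every other path in the file escapes its dots; file_contexts entries are regular expressions, so the bare `.` matches any character and the line is inconsistent with its neighbours. Change it to `/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0`. The same holds for `init.bt.sh` and `init.wlan.sh` under `# Binaries`, which would be `init\.bt\.sh` and `init\.wlan\.sh` for a literal match.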
@@ -0,0 +1,17 @@
+# debugfs
+genfscon debugfs /rmt_storage u:object_r:debugfs_rmt:s0
+
+# sysfs
+genfscon sysfs /devices/soc/600000.qcom,pcie u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/soc/624000.ufshc/host0/target0:0:0/0:0:0:0 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/624000.ufshc/health u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/soc/600000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/net/wlan0 u:object_r:sysfs_wifi:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi:qcom,pmi8994@2:qcom,fg/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi:qcom,pmi8994@2:qcom,qpnp-smbcharger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-02/400f000.qcom,spmi:qcom,pmi8994@2:bcl@4200/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/7411000.qusb/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/75b5000.i2c/i2c-7/7-001d/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-03/400f000.qcom,spmi:qcom,pmi8994@3:qcom,haptics@c000/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-03/400f000.qcom,spmi:qcom,pmi8994@3:qcom,leds@d000/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/400f000.qcom,spmi/spmi-0/spmi0-00/400f000.qcom,spmi:qcom,pm8994@0:qcom,pm8994_rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/virtual/touch/tp_dev/gesture_on u:object_r:sysfs_doubletap:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..90f2907
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,9 @@
+allow hal_audio_default vendor_audio_data_file:file create_file_perms;
+allow hal_audio_default vendor_audio_data_file:dir rw_dir_perms;
+allow hal_audio_default vendor_data_file:file create_file_perms;
+allow hal_audio_default vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default thermal_socket:sock_file write;
+allow hal_audio_default thermal-engine:unix_stream_socket connectto;
+
+allow hal_audio_default acdbdelta_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default acdbdelta_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..35da311
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,3 @@
+typeattribute hal_bluetooth_default data_between_core_and_vendor_violators;
+allow hal_bluetooth_default bluetooth_data_file:dir rw_dir_perms;
+allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_bluetooth_qti.te b/sepolicy/vendor/hal_bluetooth_qti.te
new file mode 100644
index 0000000..429585f
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_qti.te
@@ -0,0 +1 @@
+allow hal_bluetooth_qti sysfs_bluetooth_writable:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..1978c79
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,4 @@
+typeattribute hal_camera_default data_between_core_and_vendor_violators;
+
+allow hal_camera_default camera_data_file:dir create_dir_perms;
+allow hal_camera_default camera_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_cas_default.te b/sepolicy/vendor/hal_cas_default.te
new file mode 100644
index 0000000..1fb5d35
--- /dev/null
+++ b/sepolicy/vendor/hal_cas_default.te
@@ -0,0 +1,2 @@
+# Allow CAS HAL to use vendor-binder service
+vndbinder_use(hal_cas_default);
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..3f3d799
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,14 @@
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
+
+allow hal_fingerprint_default { fpc_data_file system_data_file }:dir create_dir_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file { create setattr unlink };
+allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_lineage_touch_default.te b/sepolicy/vendor/hal_lineage_touch_default.te
new file mode 100644
index 0000000..3e8c270
--- /dev/null
+++ b/sepolicy/vendor/hal_lineage_touch_default.te
@@ -0,0 +1,2 @@
+allow hal_lineage_touch_default sysfs_fingerprint:dir search;
+allow hal_lineage_touch_default sysfs_fingerprint:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
new file mode 100644
index 0000000..55a1680
--- /dev/null
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -0,0 +1 @@
+set_prop(hal_perf_default, vendor_mpctl_prop)
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..9618dac
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
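Review bot: `allow hal_fingerprint_default { fpc_data_file system_data_file }:dir create_dir_perms;` in the hal_fingerprint_default hunk hands a vendor HAL create/rename/remove rights on directories carrying the generic `system_data_file` label, i.e. most of /data, not just its own store. The file_contexts hunk already labels `/data/fpc(/.*)?` as `fpc_data_file` and the vendor_init hunk grants `create_dir_perms` on `fpc_data_file`, so the HAL should only need `allow hal_fingerprint_default fpc_data_file:dir create_dir_perms;` plus, at most, `allow hal_fingerprint_default system_data_file:dir search;` to reach it. If the HAL genuinely creates the directory itself on first boot, a comment saying so would explain why the broader rule cannot be narrowed; the `fingerprintd_data_file` rules below have the same core/vendor crossing and deserve a line on why the attribute is needed.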
@@ -0,0 +1,6 @@
+allow hal_power_default sysfs_kgsl:lnk_file { open read write };
+allow hal_power_default sysfs_devfreq:dir search;
+allow hal_power_default sysfs_devfreq:file { open write };
+allow hal_power_default sysfs_kgsl:file { open write };
+allow hal_power_default device_latency:chr_file { open write };
+allow hal_power_default sysfs_doubletap:file { open write };
diff --git a/sepolicy/vendor/hwservicemanager.te b/sepolicy/vendor/hwservicemanager.te
new file mode 100644
index 0000000..fe3d17b
--- /dev/null
+++ b/sepolicy/vendor/hwservicemanager.te
@@ -0,0 +1,2 @@
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file r_file_perms;
diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te
new file mode 100644
index 0000000..aeef10b
--- /dev/null
+++ b/sepolicy/vendor/ims.te
@@ -0,0 +1 @@
+set_prop(ims, ctl_stop_prop)
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..ef5a03f
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,7 @@
+allow init ion_device:chr_file ioctl;
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init sysfs_fingerprint:file { open read setattr write };
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init sysfs_graphics:lnk_file read;
+allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
+allow init socket_device:sock_file { unlink setattr create };
diff --git a/sepolicy/vendor/mm-qcamerad.te b/sepolicy/vendor/mm-qcamerad.te
new file mode 100644
index 0000000..1100a7b
--- /dev/null
+++ b/sepolicy/vendor/mm-qcamerad.te
@@ -0,0 +1,4 @@
+typeattribute mm-qcamerad data_between_core_and_vendor_violators;
+
+allow mm-qcamerad camera_data_file:dir create_dir_perms;
+allow mm-qcamerad camera_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/net.te b/sepolicy/vendor/net.te
new file mode 100644
index 0000000..7196642
--- /dev/null
+++ b/sepolicy/vendor/net.te
@@ -0,0 +1 @@
+allow netd sysfs_net:file rw_file_perms;
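Review bot: `allow init hidl_base_hwservice:hwservice_manager add;` appears twice in the init.te hunk, on its second and fourth lines; the second copy is redundant and should be dropped so the file stays one rule per line. The `ims.te` hunk's `set_prop(ims, ctl_stop_prop)` lets the ims domain stop arbitrary init services via `ctl.stop`; a short comment naming the service it needs to stop would let a later reader judge whether a narrower ctl property type would do.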
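Review bot: net.te is byte-identical to the netd.te added in the next hunk (both carry index 7196642 and the single rule `allow netd sysfs_net:file rw_file_perms;`), so one of the two files is a leftover. Device policy files are conventionally named after the domain they extend, which is `netd`; keep netd.te and delete sepolicy/vendor/net.te to avoid two places that have to be kept in sync.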
diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te
new file mode 100644
index 0000000..7196642
--- /dev/null
+++ b/sepolicy/vendor/netd.te
@@ -0,0 +1 @@
+allow netd sysfs_net:file rw_file_perms;
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
new file mode 100644
index 0000000..b98e8d9
--- /dev/null
+++ b/sepolicy/vendor/netmgrd.te
@@ -0,0 +1,6 @@
+allow netmgrd sysfs_net:dir search;
+allow netmgrd sysfs_net:file rw_file_perms;
+allow netmgrd property_socket:sock_file write;
+allow netmgrd init:unix_stream_socket connectto;
+
+set_prop(netmgrd, vendor_xlat_prop)
diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te
new file mode 100644
index 0000000..c5233ee
--- /dev/null
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -0,0 +1 @@
+allow netutils_wrapper netmgrd:socket { read write };
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..9520846
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1 @@
+type oem_unlock_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..1ae2e9b
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,11 @@
+# Camera
+persist.camera. u:object_r:camera_prop:s0
+
+# Netmgrd
+persist.net.doxlat u:object_r:vendor_xlat_prop:s0
+
+# OEM unlocking
+ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0
+
+# Qseecomd
+sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..56c35ba
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
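Review bot: In the netmgrd hunk, `allow netmgrd property_socket:sock_file write;` and `allow netmgrd init:unix_stream_socket connectto;` are the raw rules that `set_prop(netmgrd, vendor_xlat_prop)` on the last line already expands to, so the two explicit allows are redundant and hide the fact that the only property access intended is `vendor_xlat_prop`. Drop the two explicit lines and keep the macro, which documents the intent on its own; if they were added to silence a denial on a different property, name that property in a comment instead.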
@@ -0,0 +1,15 @@
+allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr };
+allow qti_init_shell file_contexts_file:file { getattr open read };
+
+# Allow qti_init_shell to fully access wlan_mac.bin persist file
+allow qti_init_shell mnt_vendor_file:dir rw_dir_perms;
+allow qti_init_shell mnt_vendor_file:file create_file_perms;
+
+# Allow qti_init_shell to write and read /mnt/vendor/persist/bluetooth/bt_mac
+allow qti_init_shell persist_bluetooth_file:dir { add_name create search write };
+allow qti_init_shell persist_bluetooth_file:file { create getattr open read write };
+
+# Allow qti_init_shell to read cmdline
+allow qti_init_shell proc_cmdline:file { getattr open read };
+
+set_prop(qti_init_shell, oem_unlock_prop)
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
new file mode 100644
index 0000000..d84a656
--- /dev/null
+++ b/sepolicy/vendor/radio.te
@@ -0,0 +1,3 @@
+allow radio hal_datafactory_hwservice:hwservice_manager find;
+
+get_prop(radio, vendor_qcom_ims_prop)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..06625de
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1 @@
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..d0e4915
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,7 @@
+allow system_app sysfs_fingerprint:file rw_file_perms;
+allow system_app sysfs_fingerprint:dir search;
+allow system_app shell_prop:property_service set;
+allow system_app hal_imsrcsd_hwservice:hwservice_manager find;
+
+binder_call(system_app, wificond);
+get_prop(system_app, oem_unlock_prop);
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..0c7fbe6
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
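Review bot: The qti_init_shell hunk ends with `set_prop(qti_init_shell, oem_unlock_prop)` right after `# Allow qti_init_shell to read cmdline`, but nothing in the file says which script sets `ro.oem_unlock_supported` or what it derives the value from; since `ro.` properties can only be set once and this one controls whether the bootloader-unlock toggle is offered, the reasoning belongs in a comment, e.g. `# init.bt.sh/init.wlan.sh derive ro.oem_unlock_supported from the kernel cmdline` (adjust to the actual script). The first rule, `allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr };`, is the only one in the file without a comment and mixes `setattr` into an otherwise read-only set; say why a shell script needs to change attributes on the radio data directory. The same documentation gap applies to `allow system_app shell_prop:property_service set;` in the system_app hunk, which lets every system app set shell properties without naming the app or property that needs it.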
@@ -0,0 +1,2 @@
+get_prop(system_server, vendor_alarm_boot_prop)
+allow system_server sysfs_vibrator:file read;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..cd127c1
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,6 @@
+typeattribute tee data_between_core_and_vendor_violators;
+
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee system_data_file:dir r_dir_perms;
+allow tee system_data_root_file:dir r_dir_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..4ad4f10
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,6 @@
+allow thermal-engine { sysfs_batteryinfo sysfs_usb_supply }:file r_file_perms;
+allow thermal-engine sysfs_batteryinfo:file write;
+allow thermal-engine { sysfs_batteryinfo sysfs_usb_supply }:dir search;
+
+# Allow thermal-engine to read files in /sys
+r_dir_file(thermal-engine, sysfs)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..a8019ae
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,13 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+camera_data_file
+fpc_data_file
+media_rw_data_file
+system_data_file
+vendor_time_data_file
+thermal_data_file
+tombstone_data_file
+}:dir create_dir_perms;
+
+allow vendor_init device:file create_file_perms;
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
new file mode 100644
index 0000000..86aa2dc
--- /dev/null
+++ b/sepolicy/vendor/vold.te
@@ -0,0 +1 @@
+allow vold sysfs_scsi_devices_0000:file w_file_perms;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
new file mode 100644
index 0000000..35908ad
--- /dev/null
+++ b/sepolicy/vendor/wcnss_service.te
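Review bot: `r_dir_file(thermal-engine, sysfs)` at the end of the thermal-engine hunk grants read on every node still carrying the generic `sysfs` label, which makes the carefully scoped `sysfs_batteryinfo`/`sysfs_usb_supply` read rules above it mostly redundant and silently covers any node added to sysfs later. The genfs_contexts hunk shows the intended pattern: label the thermal nodes thermal-engine actually polls (the `/sys/devices/...` thermal zone paths — placeholder, take them from the denials) with a dedicated type and grant read on that type, then drop the blanket macro. If the blanket rule is kept as a stopgap, the comment `# Allow thermal-engine to read files in /sys` should say which paths it is standing in for so it can be retired.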
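Review bot: `allow vendor_init device:file create_file_perms;` on the last line of the vendor_init hunk lets vendor init create and write regular files under the generic `device` label, i.e. directly in /dev, which is not where persistent data belongs and bypasses the per-node labels the device.te hunk introduces with `fpc1020_device`. If a script writes a specific file there, give that file its own `dev_type` in device.te and file_contexts and grant `create_file_perms` on that type; if it is only mkdir/chown from an init.rc `on` block, `device:dir` rights are what is actually needed. A short comment above the rule naming the file would settle which of the two it is.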
@@ -0,0 +1,2 @@
+allow wcnss_service { sysfs_pcie sysfs_wifi }:dir search;
+allow wcnss_service { sysfs_pcie sysfs_wifi }:file rw_file_perms; |