Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/alipay_app.te56
-rw-r--r--sepolicy/bluetooth_loader.te6
-rw-r--r--sepolicy/cnd.te1
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/file.te5
-rw-r--r--sepolicy/file_contexts20
-rw-r--r--sepolicy/fingerprintd.te12
-rw-r--r--sepolicy/genfs_contexts3
-rw-r--r--sepolicy/ifaad.te26
-rw-r--r--sepolicy/ims.te1
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/ipacm-diag.te4
-rw-r--r--sepolicy/kernel.te3
-rw-r--r--sepolicy/location.te1
-rw-r--r--sepolicy/log.te1
-rw-r--r--sepolicy/mac_permissions.xml18
-rw-r--r--sepolicy/mm-qcamerad.te2
-rw-r--r--sepolicy/netd.te3
-rw-r--r--sepolicy/netmgrd.te1
-rw-r--r--sepolicy/per_mgr.te1
-rw-r--r--sepolicy/perfd.te1
-rw-r--r--sepolicy/platform_app.te2
-rw-r--r--sepolicy/property.te1
-rw-r--r--sepolicy/property_contexts1
-rw-r--r--sepolicy/qmuxd.te3
-rw-r--r--sepolicy/qti.te3
-rw-r--r--sepolicy/qti_init_shell.te7
-rw-r--r--sepolicy/rild.te3
-rw-r--r--sepolicy/sdcardd.te1
-rw-r--r--sepolicy/seapp_contexts2
-rw-r--r--sepolicy/sensors.te3
-rw-r--r--sepolicy/service.te1
-rw-r--r--sepolicy/service_contexts2
-rw-r--r--sepolicy/servicemanager.te3
-rw-r--r--sepolicy/system_app.te2
-rw-r--r--sepolicy/system_server.te5
-rw-r--r--sepolicy/thermal-engine.te3
-rw-r--r--sepolicy/time_daemon.te1
-rw-r--r--sepolicy/ueventd.te1
-rw-r--r--sepolicy/untrusted_app.te1
-rw-r--r--sepolicy/vold.te2
-rw-r--r--sepolicy/zygote.te2
42 files changed, 217 insertions, 0 deletions
diff --git a/sepolicy/alipay_app.te b/sepolicy/alipay_app.te
new file mode 100644
index 0000000..6cc3ad2
--- /dev/null
+++ b/sepolicy/alipay_app.te
@@ -0,0 +1,56 @@
+# Generally based on untrusted_app.te
+
+type alipay_app, domain;
+app_domain(alipay_app)
+net_domain(alipay_app)
+bluetooth_domain(alipay_app)
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow alipay_app app_data_file:file { rx_file_perms execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow alipay_app shell_data_file:file r_file_perms;
+allow alipay_app shell_data_file:dir r_dir_perms;
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow alipay_app system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into alipay_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow alipay_app media_rw_data_file:dir create_dir_perms;
+allow alipay_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow alipay_app mnt_media_rw_file:dir search;
+
+# Write to /cache.
+allow alipay_app cache_file:dir create_dir_perms;
+allow alipay_app cache_file:file create_file_perms;
+
+allow alipay_app battery_service:service_manager find;
+allow alipay_app drmserver_service:service_manager find;
+allow alipay_app healthd_service:service_manager find;
+allow alipay_app mediaserver_service:service_manager find;
+allow alipay_app nfc_service:service_manager find;
+allow alipay_app radio_service:service_manager find;
+allow alipay_app surfaceflinger_service:service_manager find;
+allow alipay_app app_api_service:service_manager find;
+allow alipay_app ifaadaemon_service:service_manager find;
+
+# TODO: remove this once priv-apps are no longer running in alipay_app
+allow alipay_app system_api_service:service_manager find;
+
+# Programs routinely attempt to scan through /system, looking
+# for files. Suppress the denials when they occur.
+dontaudit alipay_app exec_type:file getattr;
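Review bot: The comments in this new file are copied from untrusted_app.te and no longer describe the domain. "Rules migrated from old app domains coalesced into alipay_app" and "remove this once priv-apps are no longer running in alipay_app" refer to untrusted_app's history, and they make `allow alipay_app system_api_service:service_manager find;` look justified when nothing in the hunk shows these two third-party packages need system API services. I would drop that rule unless a denial proves it is needed, and replace the header with a comment that states what this domain adds over untrusted_app, e.g. `# Same as untrusted_app plus ifaadaemon_service find; keep in sync with untrusted_app.te`. From the visible rules the IFAA service lookup appears to be the only intentional difference, so a reviewer should be able to see that at a glance.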
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
new file mode 100644
index 0000000..0f287d7
--- /dev/null
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,6 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..e325e40
--- /dev/null
+++ b/sepolicy/cnd.te
@@ -0,0 +1 @@
+allow cnd diag_prop:property_service set;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e271129
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type fpc1020_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..139812a
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,5 @@
+type fpc_data_file, file_type;
+type fpc_images_file, file_type;
+type sysfs_fpc_irq, sysfs_type, fs_type;
+type proc_touchpanel, fs_type;
+type nv_data_file, file_type;
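Review bot: `fpc_data_file`, `fpc_images_file` and `nv_data_file` are declared with `file_type` only, yet file_contexts in this same commit places all three under /data (`/data/fpc`, `/data/fpc_images`, `/data/oemnvitems`). Without the `data_file_type` attribute, rules and neverallow checks written against `data_file_type` will not cover them. I would declare them as `type fpc_data_file, file_type, data_file_type;` and likewise for the other two. It would also help to add a one-line comment per type naming the path it labels, since the mapping is only visible in file_contexts.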
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..b89c4d0
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,20 @@
+# We have a couple of non-standard NV partitions
+/dev/block/bootdevice/by-name/oem_dycnvbk u:object_r:modem_efs_partition_device:s0
+/dev/block/bootdevice/by-name/oem_stanvbk u:object_r:modem_efs_partition_device:s0
+
+# FRP partition
+/dev/block/bootdevice/by-name/config u:object_r:frp_block_device:s0
+
+/system/etc/init\.qcom\.bt\.sh u:object_r:bluetooth_loader_exec:s0
+
+/persist/sensors/gyro_sensitity_cal u:object_r:sensors_persist_file:s0
+
+/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
+
+/dev/fpc1020 u:object_r:fpc1020_device:s0
+/data/fpc(/.*)? u:object_r:fpc_data_file:s0
+/data/fpc_images(/.*)? u:object_r:fpc_images_file:s0
+/sys/devices/soc/soc:fpc_fpc1020/irq u:object_r:sysfs_fpc_irq:s0
+
+#IFAA
+/system/bin/ifaad u:object_r:ifaad_exec:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
new file mode 100644
index 0000000..29e56af
--- /dev/null
+++ b/sepolicy/fingerprintd.te
@@ -0,0 +1,12 @@
+allow fingerprintd firmware_file:file { read getattr open };
+allow fingerprintd firmware_file:dir search;
+allow fingerprintd fpc_data_file:dir { write remove_name add_name search read open };
+allow fingerprintd fpc_data_file:sock_file { create unlink setattr };
+allow fingerprintd fpc_images_file:dir { read write open add_name search };
+allow fingerprintd fpc_images_file:file { write create open getattr };
+allow fingerprintd sysfs_fpc_irq:file { read write open };
+allow fingerprintd tee_device:chr_file { read write ioctl open };
+allow fingerprintd sysfs:file write;
+allow fingerprintd proc_touchpanel:dir search;
+allow fingerprintd proc_touchpanel:file { read open };
+allow fingerprintd vfat:file { read getattr open };
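Review bot: `allow fingerprintd sysfs:file write;` grants write on every file that carries the generic `sysfs` label, which is far wider than the one node the daemon presumably pokes. The commit already shows the right pattern with `sysfs_fpc_irq`: give the node its own type in file.te and file_contexts (`<SYSFS_NODE_PATH> u:object_r:<new_sysfs_type>:s0`, path to be taken from the denial) and allow write on that type only. The `vfat:file` read rule also has no comment; if it is for firmware on a vfat-mounted partition, a line such as `# firmware images live on the vfat-mounted modem partition` would say so.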
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..cfc50b6
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,3 @@
+genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
+genfscon proc /s1302 u:object_r:proc_touchpanel:s0
+genfscon proc /tri-state-key u:object_r:proc_touchpanel:s0
diff --git a/sepolicy/ifaad.te b/sepolicy/ifaad.te
new file mode 100644
index 0000000..3650eaa
--- /dev/null
+++ b/sepolicy/ifaad.te
@@ -0,0 +1,26 @@
+type ifaad, domain;
+type ifaad_exec, exec_type, file_type;
+
+#Allow for transition from init domain to ifaad
+init_daemon_domain(ifaad)
+
+#Allow ifaad to use Binder IPC
+binder_use(ifaad)
+
+#Allow servicemanager to interact with ifaad
+binder_call(ifaad, servicemanager)
+
+#Allow alipay_app to interact with ifaad
+binder_call(ifaad, alipay_app)
+
+#Mark ifaad as a Binder service domain
+binder_service(ifaad)
+
+#Allow ifaad to be registered with service manager
+allow ifaad ifaadaemon_service:service_manager add;
+
+#Allow access to tee device
+allow ifaad tee_device:chr_file rw_file_perms;
+
+#Allow access to firmware
+r_dir_file(ifaad, firmware_file)
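Review bot: The comment "Allow alipay_app to interact with ifaad" does not match the rule beneath it. `binder_call(ifaad, alipay_app)` makes ifaad the client and alipay_app the server, so it permits ifaad to call into the app, not the reverse. If callbacks are the intent, the comment should read `# Allow ifaad to call back into alipay_app`. Calls from apps into ifaad appear to come from `binder_service(ifaad)` together with the generic app-to-binderservicedomain rule in the base policy, which would apply to every app domain, not only alipay_app. Because this daemon holds `tee_device` read/write, it is worth stating in a comment which callers are expected and confirming that the daemon checks the caller itself.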
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
new file mode 100644
index 0000000..d7338bd
--- /dev/null
+++ b/sepolicy/ims.te
@@ -0,0 +1 @@
+allow ims diag_prop:property_service set;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..ee83502
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+allow init vfat:file { read open };
+allow init socket_device:sock_file { create setattr unlink };
diff --git a/sepolicy/ipacm-diag.te b/sepolicy/ipacm-diag.te
new file mode 100644
index 0000000..70bc113
--- /dev/null
+++ b/sepolicy/ipacm-diag.te
@@ -0,0 +1,4 @@
+allow ipacm-diag init:unix_stream_socket connectto;
+allow ipacm-diag property_socket:sock_file write;
+allow ipacm-diag system_prop:property_service set;
+allow ipacm-diag diag_prop:property_service set;
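Review bot: `allow ipacm-diag system_prop:property_service set;` lets this diagnostics helper set any property labelled `system_prop`, which is much broader than the `diag_prop` type this commit introduces for `persist.sys.diag.max.size`. Unless a denial shows a specific system property is needed, I would drop that line. The remaining three rules are the hand-expanded form of the property-set macro; if this tree's te_macros provides it, `set_prop(ipacm-diag, diag_prop)` says the same thing in one line. The same triplet is repeated in qmuxd.te, qti.te, sensors.te and thermal-engine.te and could be folded the same way.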
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..70a2ac8
--- /dev/null
+++ b/sepolicy/kernel.te
@@ -0,0 +1,3 @@
+allow kernel vfat:file open;
+allow kernel self:capability { dac_read_search dac_override };
+allow kernel self:socket create;
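Review bot: None of the three kernel-domain grants is documented, and `allow kernel self:capability { dac_read_search dac_override };` in particular lets kernel threads bypass file permission checks. These look like rules generated from denials (possibly firmware loading from a vfat partition, given `vfat:file open`), but that is a guess from the hunk alone. Each line should carry a comment naming the driver or code path that triggered the denial, e.g. `# <driver> reads firmware from the vfat-mounted partition via filp_open()`. If the cause is a driver opening files with the wrong credentials, fixing the driver is preferable to granting DAC override in policy.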
diff --git a/sepolicy/location.te b/sepolicy/location.te
new file mode 100644
index 0000000..756bb26
--- /dev/null
+++ b/sepolicy/location.te
@@ -0,0 +1 @@
+allow location permission_service:service_manager find;
diff --git a/sepolicy/log.te b/sepolicy/log.te
new file mode 100644
index 0000000..2e9f1eb
--- /dev/null
+++ b/sepolicy/log.te
@@ -0,0 +1 @@
+allow logd unlabeled:dir search;
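Review bot: `allow logd unlabeled:dir search;` papers over a labelling gap rather than fixing it. An `unlabeled` directory means some path has no valid context. The more durable fix is to find the directory logd is traversing and give it an entry in file_contexts, then remove this rule. If the rule must stay for now, add a comment naming the path so it can be removed later.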
diff --git a/sepolicy/mac_permissions.xml b/sepolicy/mac_permissions.xml
new file mode 100644
index 0000000..a025144
--- /dev/null
+++ b/sepolicy/mac_permissions.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+ <!-- Alipay -->
+ <signer signature="30820244308201ad02044b28a3c9300d06092a864886f70d01010405003068310b300906035504061302636e3110300e060355040813076265696a696e673110300e060355040713076265696a696e67310f300d060355040a1306616c69706179310f300d060355040b1306616c69706179311330110603550403130a73686971756e2e7368693020170d3039313231363039303932395a180f32303531303131303039303932395a3068310b300906035504061302636e3110300e060355040813076265696a696e673110300e060355040713076265696a696e67310f300d060355040a1306616c69706179310f300d060355040b1306616c69706179311330110603550403130a73686971756e2e73686930819f300d06092a864886f70d010101050003818d0030818902818100b6cbad6cbd5ed0d209afc69ad3b7a617efaae9b3c47eabe0be42d924936fa78c8001b1fd74b079e5ff9690061dacfa4768e981a526b9ca77156ca36251cf2f906d105481374998a7e6e6e18f75ca98b8ed2eaf86ff402c874cca0a263053f22237858206867d210020daa38c48b20cc9dfd82b44a51aeb5db459b22794e2d6490203010001300d06092a864886f70d010104050003818100b6b5e3854b2d5daaa02d127195d13a1927991176047982feaa3d1625740788296443e9000fe14dfe6701d7e86be06b9282e68d4eff32b19d48555b8a0838a6e146238f048aca986715d7eab0fb445796bbd19360a7721b8d99ba04581af957a290c47302055f813862f3c40b840e95898e72a1de03b6257a1acad4b482cd815c">
+ <package name="com.eg.android.AlipayGphone" >
+ <seinfo value="alipay" />
+ </package>
+ </signer>
+
+ <!-- Taobao -->
+ <signer signature="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">
+ <package name="com.taobao.taobao" >
+ <seinfo value="taobao" />
+ </package>
+ </signer>
+
+</policy>
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
new file mode 100644
index 0000000..e8cdb14
--- /dev/null
+++ b/sepolicy/mm-qcamerad.te
@@ -0,0 +1,2 @@
+allow mm-qcamerad camera_prop:property_service set;
+allow mm-qcamerad permission_service:service_manager find;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..5d204e5
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,3 @@
+allow netd firmware_file:file { read open };
+allow netd firmware_file:dir search;
+allow netd vfat:file { read open };
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..8dab413
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1 @@
+allow netmgrd diag_prop:property_service set;
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..d5f2aa5
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1 @@
+allow per_mgr vfat:file { read open };
diff --git a/sepolicy/perfd.te b/sepolicy/perfd.te
new file mode 100644
index 0000000..458f70f
--- /dev/null
+++ b/sepolicy/perfd.te
@@ -0,0 +1 @@
+allow perfd system_server:file write;
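Review bot: `allow perfd system_server:file write;` targets the process type, so it presumably covers system_server's /proc/<pid> entries, and it lets perfd write to any of them. There is no comment saying which file is meant or why. Please add one naming the node (for example `# perfd writes /proc/<pid>/<node> of system_server to ...`). If that node can be given a narrower label or the write can be avoided, prefer that, since system_server is a highly privileged target.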
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..84de19f
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,2 @@
+allow platform_app battery_service:service_manager find;
+allow platform_app healthd_service:service_manager find;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..85dcb78
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type diag_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..854b445
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1 @@
+persist.sys.diag.max.size u:object_r:diag_prop:s0
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
new file mode 100644
index 0000000..e3fe26b
--- /dev/null
+++ b/sepolicy/qmuxd.te
@@ -0,0 +1,3 @@
+allow qmuxd diag_prop:property_service set;
+allow qmuxd init:unix_stream_socket connectto;
+allow qmuxd property_socket:sock_file write;
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
new file mode 100644
index 0000000..2121a58
--- /dev/null
+++ b/sepolicy/qti.te
@@ -0,0 +1,3 @@
+allow qti diag_prop:property_service set;
+allow qti init:unix_stream_socket connectto;
+allow qti property_socket:sock_file write;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
new file mode 100644
index 0000000..18f7ecc
--- /dev/null
+++ b/sepolicy/qti_init_shell.te
@@ -0,0 +1,7 @@
+allow qti_init_shell kmsg_device:chr_file { write open };
+allow qti_init_shell bluetooth_loader_exec:file r_file_perms;
+allow qti_init_shell diag_prop:property_service set;
+allow qti_init_shell qmuxd:unix_stream_socket connectto;
+allow qti_init_shell qmuxd_socket:dir { write add_name search remove_name };
+allow qti_init_shell qmuxd_socket:sock_file { write create unlink };
+allow qti_init_shell self:socket { write getopt create read ioctl };
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..c176c48
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,3 @@
+allow rild nv_data_file:dir { getattr search write add_name };
+allow rild nv_data_file:file { write open create };
+allow rild diag_prop:property_service set;
diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te
new file mode 100644
index 0000000..0f4c71d
--- /dev/null
+++ b/sepolicy/sdcardd.te
@@ -0,0 +1 @@
+allow sdcardd userdata_block_device:blk_file r_file_perms;
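Review bot: `allow sdcardd userdata_block_device:blk_file r_file_perms;` gives the FUSE daemon raw read access to the userdata partition, which bypasses every file-level label and DAC check on /data. If the underlying denial was only a stat of the device node, `getattr` alone would be enough: `allow sdcardd userdata_block_device:blk_file getattr;`. If a full read really is required, the reason should be stated in a comment next to the rule.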
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
new file mode 100644
index 0000000..c69f557
--- /dev/null
+++ b/sepolicy/seapp_contexts
@@ -0,0 +1,2 @@
+user=_app seinfo=alipay name=com.eg.android.AlipayGphone* domain=alipay_app type=app_data_file
+user=_app seinfo=taobao name=com.taobao.taobao* domain=alipay_app type=app_data_file
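Review bot: Both entries omit `levelFrom`, so if the base seapp_contexts assigns `levelFrom=user` to untrusted_app (worth checking in this tree), these two packages would run without the per-user MLS category that other third-party apps get. Adding `levelFrom=user` keeps them consistent with that entry. The second line also places `com.taobao.taobao` in the `alipay_app` domain with the same `app_data_file` type, so the two apps share one set of SELinux permissions, including the IFAA service lookup. If that is intended, a comment such as `# Taobao shares the alipay_app domain for IFAA access` would make it explicit.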
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..fc45cdd
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,3 @@
+allow sensors property_socket:sock_file write;
+allow sensors init:unix_stream_socket connectto;
+allow sensors diag_prop:property_service set;
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..86f3627
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1 @@
+type ifaadaemon_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..118cacd
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,2 @@
+#IFAA
+android.hardware.ifaa.IIfaaDaemon u:object_r:ifaadaemon_service:s0
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..2df4dc0
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager ifaad:dir r_dir_perms;
+allow servicemanager ifaad:file r_file_perms;
+allow servicemanager ifaad:process getattr;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..d4f37b1
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,2 @@
+allow system_app proc_touchpanel:dir search;
+allow system_app proc_touchpanel:file { write read getattr open read };
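Review bot: The permission set on the second line lists `read` twice: `{ write read getattr open read }`. It is harmless to the compiler but reads like unreviewed audit2allow output. I would write it as `allow system_app proc_touchpanel:file { getattr open read write };`, matching the order used for the same type in system_server.te.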
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..503b1df
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,5 @@
+allow system_server persist_file:dir { read write };
+allow system_server proc_touchpanel:dir search;
+allow system_server proc_touchpanel:file { write open getattr read };
+allow system_server sensors_persist_file:file { read getattr open };
+allow system_server sensors_persist_file:dir search;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..d57ef05
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,3 @@
+allow thermal-engine diag_prop:property_service set;
+allow thermal-engine init:unix_stream_socket connectto;
+allow thermal-engine property_socket:sock_file write;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
new file mode 100644
index 0000000..29af080
--- /dev/null
+++ b/sepolicy/time_daemon.te
@@ -0,0 +1 @@
+allow time_daemon property_socket:sock_file write;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..ea55aa4
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1 @@
+allow ueventd vfat:file { read open };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..70de2b0
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1 @@
+allow untrusted_app ifaadaemon_service:service_manager { find };
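Review bot: This rule lets every third-party app look up the IFAA daemon service, which undercuts the dedicated `alipay_app` domain that the same commit creates and gates by signing certificate in mac_permissions.xml. ifaad.te gives that daemon read/write on `tee_device`, so the set of callers matters. Unless there is a known client that cannot be mapped into `alipay_app` via seinfo, I would remove this file and keep `ifaadaemon_service find` confined to `alipay_app`. If it has to stay, add a comment naming the package that needs it.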
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..9dfc1e9
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,2 @@
+allow vold proc_touchpanel:dir { read open };
+allow vold system_block_device:blk_file getattr;
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..d9874bc
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1,2 @@
+allow zygote input_device:dir { r_file_perms search };
+allow zygote input_device:chr_file rw_file_perms;
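Review bot: The first rule applies a file permission macro to a directory class: `input_device:dir { r_file_perms search }` should be `allow zygote input_device:dir r_dir_perms;`, which already includes `search`. More importantly, `allow zygote input_device:chr_file rw_file_perms;` gives zygote read and write on raw input device nodes, so it can read and inject input events, and nothing in the hunk says why. Please add a comment naming the component that opens /dev/input in zygote context. Preloaded code opening input nodes before the fork is a likely cause, and that would be better fixed in that code or covered by a `dontaudit` than granted.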