diff --git a/BoardConfig.mk b/BoardConfig.mk index 43196cb..b1aa044 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk @@ -176,7 +176,6 @@ include device/mediatek/sepolicy_vndr/SEPolicy.mk SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/public BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor -SELINUX_IGNORE_NEVERALLOWS := true # Touch SOONG_CONFIG_NAMESPACES += OPLUS_LINEAGE_TOUCH_HAL diff --git a/sepolicy/private/audioserver.te b/sepolicy/private/audioserver.te deleted file mode 100644 index 8e5bf84..0000000 --- a/sepolicy/private/audioserver.te +++ /dev/null @@ -1,3 +0,0 @@ -allow audioserver audioserver_tmpfs:file { read write execute }; -allow audioserver system_file:file { execmod }; -allow audioserver unlabeled:file { read write execute open getattr }; diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te deleted file mode 100644 index 0998be5..0000000 --- a/sepolicy/private/init.te +++ /dev/null @@ -1,2 +0,0 @@ -allow init vtservice_service:service_manager { find add }; -allow init vtservice_hidl_service:service_manager { find add }; diff --git a/sepolicy/private/mediaserver.te b/sepolicy/private/mediaserver.te index 3ba7d18..699f7f0 100644 --- a/sepolicy/private/mediaserver.te +++ b/sepolicy/private/mediaserver.te @@ -1,4 +1,2 @@ -allow mediaserver mediaserver_tmpfs:file { read write execute }; -allow mediaserver system_file:file { execmod }; allow mediaserver opluscamera_app_data_file:file rw_file_perms; allow mediaserver package_native_service:service_manager find; diff --git a/sepolicy/private/opluscamera_app.te b/sepolicy/private/opluscamera_app.te index 5e1cb3b..a69a6ad 100644 --- a/sepolicy/private/opluscamera_app.te +++ b/sepolicy/private/opluscamera_app.te 
@@ -37,7 +37,6 @@ binder_call(opluscamera_app, gpuservice) allow opluscamera_app media_session_service:service_manager find; allow opluscamera_app osense_service:service_manager find; allow opluscamera_app oplus_resource_manager_service:service_manager find; -allow opluscamera_app oplus_exsystem_service_app:service_manager find; allow opluscamera_app OPLUSExService_service:service_manager find; allow opluscamera_app app_compatibility_service:service_manager find; allow opluscamera_app game_service:service_manager find; diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te deleted file mode 100644 index 01e41a5..0000000 --- a/sepolicy/private/property.te +++ /dev/null @@ -1,2 +0,0 @@ -type cabc_prop, property_type; -type vib_strength_prop, property_type; diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts index 6bcfa22..e3943ec 100644 --- a/sepolicy/private/property_contexts +++ b/sepolicy/private/property_contexts @@ -6,6 +6,7 @@ demo.hole u:object_r:exported_system_prop:s0 demo.near u:object_r:exported_system_prop:s0 demo.far u:object_r:exported_system_prop:s0 demo.fb u:object_r:exported_system_prop:s0 +oplus.debug.nvram.enable u:object_r:exported_system_prop:s0 ro.oplus.camera. u:object_r:system_oplus_camera_prop:s0 ro.oplus.market.name u:object_r:system_oplus_camera_prop:s0 ro.oplus.system.camera. u:object_r:system_oplus_camera_prop:s0 @@ -25,5 +26,5 @@ ro.oplus.version. u:object_r:system_oplus_project_prop:s0 ro.oplus.image. u:object_r:system_oplus_project_prop:s0 # Realme Parts -persist.cabc_profile u:object_r:cabc_prop:s0 -persist.vib_strength u:object_r:vib_strength_prop:s0 +persist.cabc_profile u:object_r:system_cabc_prop:s0 +persist.vib_strength u:object_r:system_vib_strength_prop:s0 diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te index f075907..14ffeba 100644 --- a/sepolicy/private/system_app.te +++ b/sepolicy/private/system_app.te 
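Review bot: In sepolicy/private/property_contexts the relabelled `persist.cabc_profile` and `persist.vib_strength` entries (second hunk) and the new `oplus.debug.nvram.enable` entry (first hunk) carry no match qualifier, so each is a prefix match and any longer property name starting with that string inherits the label. Since each names a single property, pin them, e.g. `persist.vib_strength u:object_r:system_vib_strength_prop:s0 exact int`, with the value type adjusted to what the setter really writes (not visible in this diff). A one-line comment saying which component reads `oplus.debug.nvram.enable` would also help, because `exported_system_prop` is a generic type and nothing in this commit shows a consumer for the property.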
@@ -1,5 +1,5 @@ # Allow system app to set vibration prop -set_prop(system_app, vib_strength_prop) +set_prop(system_app, system_vib_strength_prop) # Allow system_app to set cabc props -set_prop(system_app, cabc_prop) +set_prop(system_app, system_cabc_prop) diff --git a/sepolicy/private/vtservice.te b/sepolicy/private/vtservice.te index fb1716e..57eae33 100644 --- a/sepolicy/private/vtservice.te +++ b/sepolicy/private/vtservice.te @@ -1,3 +1 @@ allow vtservice radio_service:service_manager find; -allow vtservice vtservice_service:service_manager add; -get_prop(vtservice, vendor_default_prop) diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te index 6146d94..3ab8ffa 100644 --- a/sepolicy/public/property.te +++ b/sepolicy/public/property.te @@ -9,3 +9,7 @@ system_public_prop(system_fingerprint_prop) # Version system_vendor_config_prop(system_oplus_project_prop) + +# Realme Parts +system_public_prop(system_vib_strength_prop) +system_public_prop(system_cabc_prop) diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te deleted file mode 100644 index 49edfa8..0000000 --- a/sepolicy/vendor/audioserver.te +++ /dev/null @@ -1 +0,0 @@ -allow audioserver vendor_default_prop:file rw_file_perms; diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te index 3d40f2c..b86b8ce 100644 --- a/sepolicy/vendor/cameraserver.te +++ b/sepolicy/vendor/cameraserver.te @@ -1 +1 @@ -set_prop(cameraserver, vendor_oplus_prop) +get_prop(cameraserver, vendor_oplus_prop) diff --git a/sepolicy/vendor/ccci_rpcd.te b/sepolicy/vendor/ccci_rpcd.te deleted file mode 100644 index a167219..0000000 --- a/sepolicy/vendor/ccci_rpcd.te +++ /dev/null @@ -1 +0,0 @@ -allow ccci_rpcd default_prop:file rw_file_perms; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 9dfd16d..484f0a2 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts 
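Review bot: `system_public_prop(...)` in sepolicy/public/property.te is the least restricted property class, yet the only writer this diff shows for `system_vib_strength_prop` and `system_cabc_prop` is `system_app`. If nothing on the vendor side sets them, `system_restricted_prop(system_vib_strength_prop)` and `system_restricted_prop(system_cabc_prop)` keep them readable across the partition boundary while letting the platform neverallow rules reject a vendor writer. The same applies to `vendor_public_prop(vendor_oplus_prop)` in sepolicy/vendor/property.te: after this commit the visible writer is `mtk_hal_camera` and the system-side domains only `get_prop`, which is the case `vendor_restricted_prop(vendor_oplus_prop)` is meant for. Both suggestions assume no setter outside this diff and that the build still passes the neverallow checks.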
@@ -3,6 +3,12 @@ /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 /(odm|vendor/odm)/bin/hw/vendor\.oplus\.hardware\.engcamera@1\.0-service u:object_r:mtk_hal_camera_exec:s0 /(odm|vendor/odm)/bin/hw/vendor\.oplus\.hardware\.cammidasservice@1\.0-service u:object_r:mtk_hal_camera_exec:s0 +/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@2\.0\.so u:object_r:same_process_hal_file:s0 +/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@3\.0\.so u:object_r:same_process_hal_file:s0 +/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@4\.0\.so u:object_r:same_process_hal_file:s0 +/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.common-V2-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.common-V2-ndk\.so u:object_r:same_process_hal_file:s0 +/(vendor|odm)/lib(64)?/vendor\.oplus\.hardware\.ormsHalService-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /(vendor|odm)/lib(64)?/libAlgoProcess\.so u:object_r:same_process_hal_file:s0 /(vendor|odm)/lib(64)?/libapsjpeg\.so u:object_r:same_process_hal_file:s0 /(vendor|odm)/lib(64)?/libapsexif\.so u:object_r:same_process_hal_file:s0 diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te index ba39ba0..f5de999 100644 --- a/sepolicy/vendor/fsck.te +++ b/sepolicy/vendor/fsck.te @@ -1,4 +1 @@ -allow fsck mnt_vendor_file:dir { search }; -allow fsck nvdata_file:dir { getattr }; -allow fsck nvcfg_file:dir { getattr }; allow fsck oplus_block_device:blk_file rw_file_perms; diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te index 2e058fc..447eadc 100644 --- a/sepolicy/vendor/hal_audio_default.te +++ b/sepolicy/vendor/hal_audio_default.te 
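Review bot: The six new `same_process_hal_file` entries in sepolicy/vendor/file_contexts need a comment naming the process that loads them, because in AOSP's domain policy that label is what lets every domain, apps included, map and execute a library from /vendor. The `android.hardware.graphics.allocator@*`, `android.hardware.graphics.common-V2-*` and `vendor.oplus.hardware.ormsHalService-V1-ndk_platform` libraries are interface libraries rather than the usual same-process HAL implementations, so it is worth confirming that each is really loaded by an in-process consumer and is not listed only to quiet a denial. A header such as `# Interface libs loaded in-process by <consumer>; drop entries the consumer no longer links` would let the list be pruned later.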
@@ -1,5 +1,4 @@ allow hal_audio_default hal_audio_default:process { execmem }; -allow hal_audio_default audio_data_file:dir { search }; allow hal_audio_default mtk_hal_power_hwservice:hwservice_manager find; binder_call(hal_audio_default, mtk_hal_power) diff --git a/sepolicy/vendor/hal_charger_oplus.te b/sepolicy/vendor/hal_charger_oplus.te index 3c8ee61..0a1fe8b 100644 --- a/sepolicy/vendor/hal_charger_oplus.te +++ b/sepolicy/vendor/hal_charger_oplus.te @@ -1,10 +1,11 @@ type hal_charger_oplus, domain; type hal_charger_oplus_exec, exec_type, vendor_file_type, file_type; +add_hwservice(hal_charger_oplus, hal_charger_oplus_hwservice) + init_daemon_domain(hal_charger_oplus) hwbinder_use(hal_charger_oplus) -add_hwservice(hal_charger_oplus, hal_charger_oplus_hwservice) allow hal_charger_oplus fwk_sensor_hwservice:hwservice_manager find; allow hal_charger_oplus hal_charger_oplus:netlink_kobject_uevent_socket { read create bind getopt setopt }; @@ -40,7 +41,7 @@ r_dir_file(hal_charger_oplus, sysfs_batteryinfo) get_prop(hal_charger_oplus, hwservicemanager_prop) -allow hal_charger_oplus vendor_sysfs_ac_supply:dir rw_dir_perms; +allow hal_charger_oplus vendor_sysfs_ac_supply:dir r_dir_perms; allow hal_charger_oplus vendor_sysfs_ac_supply:file rw_file_perms; allow hal_charger_oplus oplus_block_device:dir search; allow hal_charger_oplus oplus_block_device:file r_file_perms; diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te index e656fd1..ff5f13e 100644 --- a/sepolicy/vendor/hal_fingerprint_default.te +++ b/sepolicy/vendor/hal_fingerprint_default.te 
@@ -1,5 +1,7 @@ binder_call(hal_fingerprint_default, hal_fingerprint_default) +add_hwservice(hal_fingerprint_default, hal_fingerprint_oplus_hwservice) + allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; allow hal_fingerprint_default oplus_fingerprint_file:dir { create_dir_perms rw_dir_perms }; allow hal_fingerprint_default oplus_fingerprint_file:file { create_file_perms rw_file_perms }; @@ -28,11 +30,10 @@ allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; allow hal_fingerprint_default vendor_sysfs_battery_supply:dir r_dir_perms; allow hal_fingerprint_default vendor_sysfs_battery_supply:file r_file_perms; -add_hwservice(hal_fingerprint_default, hal_commondcs_oplus_hwservice) -add_hwservice(hal_fingerprint_default, oplus_hal_ormsHal_hwservice) -add_hwservice(hal_fingerprint_default, hal_performance_oplus_hwservice) -add_hwservice(hal_fingerprint_default, hal_osense_oplus_hwservice) -add_hwservice(hal_fingerprint_default, hal_fingerprint_oplus_hwservice) +allow hal_fingerprint_default hal_commondcs_oplus_hwservice:hwservice_manager find; +allow hal_fingerprint_default oplus_hal_ormsHal_hwservice:hwservice_manager find; +allow hal_fingerprint_default hal_performance_oplus_hwservice:hwservice_manager find; +allow hal_fingerprint_default hal_osense_oplus_hwservice:hwservice_manager find; get_prop(hal_fingerprint_default, system_oplus_project_prop) set_prop(hal_fingerprint_default, system_fingerprint_prop) diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te index 22a9c2b..cd0a344 100644 --- a/sepolicy/vendor/hal_nfc_default.te +++ b/sepolicy/vendor/hal_nfc_default.te @@ -1,2 +1 @@ -allow hal_nfc_default device:chr_file rw_file_perms; allow hal_nfc_default device:chr_file ioctl; diff --git a/sepolicy/vendor/hal_performance_oplus.te b/sepolicy/vendor/hal_performance_oplus.te index 1628cb2..7f8fbad 100644 --- a/sepolicy/vendor/hal_performance_oplus.te 
+++ b/sepolicy/vendor/hal_performance_oplus.te @@ -1,18 +1,18 @@ type hal_performance_oplus, domain; type hal_performance_oplus_exec, exec_type, vendor_file_type, file_type; +add_hwservice(hal_performance_oplus, hal_performance_oplus_hwservice) init_daemon_domain(hal_performance_oplus) hwbinder_use(hal_performance_oplus) -add_hwservice(hal_performance_oplus, hal_performance_oplus_hwservice) + get_prop(hal_performance_oplus, hwservicemanager_prop) set_prop(hal_performance_oplus, hwservicemanager_prop) -allow hal_performance_oplus hwservicemanager_prop:file rw_file_perms; +allow hal_performance_oplus hwservicemanager_prop:file { read getattr open }; allow hal_performance_oplus hal_fingerprint_default:dir search; allow hal_performance_oplus mtk_hal_audio:dir search; allow hal_performance_oplus hal_audio_default:dir search; allow hal_performance_oplus vendor_proc_oplus_version:file r_file_perms; allow hal_performance_oplus proc_version:file r_file_perms; -allow hal_performance_oplus system_prop:file r_file_perms; allow hal_performance_oplus mtk_hal_audio:file rw_file_perms; allow hal_performance_oplus hal_fingerprint_default:file rw_file_perms; diff --git a/sepolicy/vendor/hwservicemanager.te b/sepolicy/vendor/hwservicemanager.te deleted file mode 100644 index af185f9..0000000 --- a/sepolicy/vendor/hwservicemanager.te +++ /dev/null @@ -1 +0,0 @@ -allow hwservicemanager init:binder { transfer }; diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te index 58d0659..5f2d9c2 100644 --- a/sepolicy/vendor/init.te +++ b/sepolicy/vendor/init.te 
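Review bot: The added `allow hal_performance_oplus hwservicemanager_prop:file { read getattr open };` in sepolicy/vendor/hal_performance_oplus.te is already covered by the `get_prop(hal_performance_oplus, hwservicemanager_prop)` context line just above it and can simply be dropped; the identical line added in oplus_hal_ormsHal.te is redundant for the same reason. In vendor_init.te the two rewritten rules spell out `{ read getattr open }` without `map`, whereas mobicore.te includes it; writing all of these as `get_prop(vendor_init, system_prop)`, `get_prop(vendor_init, vts_status_prop)` and `get_prop(mobicore, system_oplus_project_prop)` keeps the permission set consistent. Separately, the commit narrows the file access but leaves `set_prop(hal_performance_oplus, hwservicemanager_prop)` (and the ormsHal equivalent) in place, so a vendor HAL can still write a property owned by hwservicemanager; if no code path needs that, it should be removed too.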
@@ -1,36 +1,26 @@ -binder_use(init) -hwbinder_use(init) allow proc_perfmgr proc:filesystem associate ; allow proc_cpufreq proc:filesystem associate ; allow vendor_proc_display proc:filesystem associate ; -allow init vendor_shell_exec:file rx_file_perms; -allow init vendor_toolbox_exec:file rx_file_perms; +allow init vendor_shell_exec:file {r_file_perms execute}; +allow init vendor_toolbox_exec:file {r_file_perms execute}; allow init proc:file rw_file_perms; allow init proc_swappiness:file rw_file_perms; allow init proc_watermark_scale_factor:file rw_file_perms; -allow init privapp_data_file:dir rw_dir_perms; -allow init app_data_file:dir rw_dir_perms; -allow init system_app_data_file:dir rw_dir_perms; allow init sysfs_devices_block:file rw_file_perms; allow init sysfs_leds:file create_file_perms; -allow init mtk_hal_camera_exec:file rx_file_perms; +allow init mtk_hal_camera_exec:file {r_file_perms execute}; allow init vendor_sysfs_otg_switch:file create_file_perms; allow init vendor_sysfs_usb_supply:file create_file_perms; allow init vendor_sysfs_graphics:file create_file_perms; allow init vendor_proc_display:file create_file_perms; -allow init ccci_device:chr_file create_file_perms; -binder_call(init, vtservice_hidl) -binder_call(init, surfaceflinger) -binder_call(init, radio) +allow init ccci_device:chr_file r_file_perms; allow init vtservice_hidl:fd { use }; -allow init shell_exec:file rx_file_perms; +allow init shell_exec:file {r_file_perms execute}; allow init mtk_hal_audio:file rw_file_perms; -allow init system_file:file rx_file_perms; -allow init hal_performance_oplus_exec:file rx_file_perms; -add_hwservice(init, hal_performance_oplus_hwservice) -add_hwservice(init, mtk_hal_videotelephony_hwservice) -allow init surfaceflinger_service:service_manager find; -allow init radio_service:service_manager find; +allow init system_file:file {r_file_perms execute}; +allow init hal_performance_oplus_exec:file {r_file_perms execute}; +allow init 
hal_performance_oplus_hwservice:hwservice_manager find; +allow init mtk_hal_videotelephony_hwservice:hwservice_manager find; allow init oplus_block_device:lnk_file relabelto; -allow init oplus_orms_aidl_service_exec:file rx_file_perms; +allow init oplus_orms_aidl_service_exec:file {r_file_perms execute}; allow init sysfs_vibrator:file rw_file_perms; diff --git a/sepolicy/vendor/mnld.te b/sepolicy/vendor/mnld.te new file mode 100644 index 0000000..7dda752 --- /dev/null +++ b/sepolicy/vendor/mnld.te @@ -0,0 +1 @@ +r_dir_file(mnld, vendor_proc_oplus_version) diff --git a/sepolicy/vendor/mobicore.te b/sepolicy/vendor/mobicore.te index e9f6cd8..0f95b7c 100644 --- a/sepolicy/vendor/mobicore.te +++ b/sepolicy/vendor/mobicore.te @@ -1,2 +1 @@ -allow mobicore system_prop:file rw_file_perms; -allow mobicore system_oplus_project_prop:file rw_file_perms; +allow mobicore system_oplus_project_prop:file { read getattr open map }; diff --git a/sepolicy/vendor/mtk_hal_audio.te b/sepolicy/vendor/mtk_hal_audio.te index 40d7924..d49e5d3 100644 --- a/sepolicy/vendor/mtk_hal_audio.te +++ b/sepolicy/vendor/mtk_hal_audio.te @@ -1,11 +1,7 @@ type mtk_hal_audio_tmpfs, fs_type; -allow mtk_hal_audio mtk_hal_audio_tmpfs:file rx_file_perms; -allow mtk_hal_audio default_prop:property_service { set }; allow mtk_hal_audio mtk_hal_audio:process { execmem }; -allow mtk_hal_audio system_prop:file { read }; allow mtk_hal_audio untrusted_app:fifo_file { write }; -allow mtk_hal_audio vendor_default_prop:property_service { set }; r_dir_file(mtk_hal_audio, vendor_proc_oplus_version) get_prop(mtk_hal_audio, system_oplus_audio_prop) 
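Review bot: The two rules that replace `add_hwservice(init, ...)` in sepolicy/vendor/init.te, `allow init hal_performance_oplus_hwservice:hwservice_manager find;` and its `mtk_hal_videotelephony_hwservice` twin, look unreachable, because the same hunk removes `hwbinder_use(init)` and every `binder_call(init, ...)`. Without hwbinder access init cannot query hwservicemanager, so unless another policy file grants it, both lines can be deleted. The retained `allow init vtservice_hidl:fd { use };` deserves the same check. If a vendor daemon still runs in the init domain and needs these services, give it its own domain with `init_daemon_domain(...)` rather than keeping rules on init. Minor style: the new permission sets are written `{r_file_perms execute}` while the rest of the tree uses inner spaces, `{ r_file_perms execute }`.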
@@ -13,6 +9,5 @@ set_prop(mtk_hal_audio, system_oplus_audio_prop) set_prop(mtk_hal_audio, vendor_audio_tuning_prop) allow mtk_hal_audio persist_data_file:dir r_dir_perms; -allow mtk_hal_audio init:binder { call }; -add_hwservice(mtk_hal_audio, hal_performance_oplus_hwservice) binder_call(mtk_hal_audio, hal_performance_oplus) +allow mtk_hal_audio hal_performance_oplus_hwservice:hwservice_manager find; diff --git a/sepolicy/vendor/mtk_hal_camera.te b/sepolicy/vendor/mtk_hal_camera.te index 9340c96..1487ac7 100644 --- a/sepolicy/vendor/mtk_hal_camera.te +++ b/sepolicy/vendor/mtk_hal_camera.te @@ -1,17 +1,14 @@ add_hwservice(mtk_hal_camera, hal_camera_oplus_hwservice) -add_hwservice(mtk_hal_camera, oplus_hal_ormsHal_hwservice) -add_hwservice(mtk_hal_camera, hal_performance_oplus_hwservice) -add_hwservice(mtk_hal_camera, hal_osense_oplus_hwservice) -add_hwservice(mtk_hal_camera, mtk_hal_mmagent_hwservice) + +allow mtk_hal_camera oplus_hal_ormsHal_hwservice:hwservice_manager find; +allow mtk_hal_camera hal_performance_oplus_hwservice:hwservice_manager find; +allow mtk_hal_camera hal_osense_oplus_hwservice:hwservice_manager find; r_dir_file(mtk_hal_camera, proc_boost_pool) r_dir_file(mtk_hal_camera, proc_sched_assist) r_dir_file(mtk_hal_camera, proc_version) -r_dir_file(mtk_hal_camera, system_data_file) r_dir_file(mtk_hal_camera, vendor_proc_oplus_version) -get_prop(mtk_hal_camera, default_prop) -get_prop(mtk_hal_camera, system_prop) set_prop(mtk_hal_camera, vendor_oplus_prop) get_prop(mtk_hal_camera, system_oplus_camera_prop) @@ -25,4 +22,3 @@ allow mtk_hal_camera proc_boost_pool:file rw_file_perms; binder_call(mtk_hal_camera, mtk_hal_mmagent) binder_call(mtk_hal_camera, opluscamera_app) allow mtk_hal_camera opluscamera_app:fd use; -r_dir_file(mtk_hal_camera, system_data_file) diff --git a/sepolicy/vendor/network_stack.te b/sepolicy/vendor/network_stack.te new file mode 100644 index 0000000..c3e029d --- /dev/null +++ b/sepolicy/vendor/network_stack.te 
@@ -0,0 +1 @@ +allow network_stack proc_net:file r_file_perms; diff --git a/sepolicy/vendor/oplus_hal_ormsHal.te b/sepolicy/vendor/oplus_hal_ormsHal.te index 672d540..933a98e 100644 --- a/sepolicy/vendor/oplus_hal_ormsHal.te +++ b/sepolicy/vendor/oplus_hal_ormsHal.te @@ -8,13 +8,12 @@ get_prop(oplus_hal_ormsHal, hwservicemanager_prop) set_prop(oplus_hal_ormsHal, hwservicemanager_prop) allow oplus_hal_ormsHal oplus_hal_ormsHal_exec:file rx_file_perms; -allow oplus_hal_ormsHal hwservicemanager_prop:file rw_file_perms; +allow oplus_hal_ormsHal hwservicemanager_prop:file { read getattr open }; allow oplus_hal_ormsHal hal_fingerprint_default:dir search; allow oplus_hal_ormsHal mtk_hal_audio:dir search; allow oplus_hal_ormsHal hal_audio_default:dir search; allow oplus_hal_ormsHal vendor_proc_oplus_version:file r_file_perms; allow oplus_hal_ormsHal proc_version:file r_file_perms; -allow oplus_hal_ormsHal system_prop:file r_file_perms; allow oplus_hal_ormsHal mtk_hal_audio:file rw_file_perms; allow oplus_hal_ormsHal hal_fingerprint_default:file rw_file_perms; binder_call(oplus_hal_ormsHal, servicemanager) diff --git a/sepolicy/vendor/opluscamera_app.te b/sepolicy/vendor/opluscamera_app.te index b0f4494..9e50bcc 100644 --- a/sepolicy/vendor/opluscamera_app.te +++ b/sepolicy/vendor/opluscamera_app.te 
@@ -1,27 +1,25 @@ -hal_client_domain(opluscamera_app, hal_camera) r_dir_file(opluscamera_app, vendor_sysfs_graphics) r_dir_file(opluscamera_app, persist_camera_file) r_dir_file(opluscamera_app, persist_data_file) -r_dir_file(opluscamera_app, mnt_vendor_file) -r_dir_file(opluscamera_app, vendor_file) -r_dir_file(opluscamera_app, shell_data_file) +allow opluscamera_app shell_data_file:file r_file_perms; +allow opluscamera_app shell_data_file:dir r_dir_perms; allow opluscamera_app hal_osense_oplus_hwservice:hwservice_manager find; allow opluscamera_app hal_performance_oplus_hwservice:hwservice_manager find; -allow opluscamera_app mtk_hal_bgs_hwservice:hwservice_manager find; -allow opluscamera_app hal_camera_hwservice:hwservice_manager find; -get_prop(opluscamera_app, vendor_oplus_prop) +hal_client_domain(opluscamera_app, hal_mtk_bgs) +hal_client_domain(opluscamera_app, hal_mtk_mmagent) + binder_call(opluscamera_app, mtk_hal_camera) binder_call(opluscamera_app, hal_performance_oplus) binder_call(opluscamera_app, mtk_hal_camera) binder_call(opluscamera_app, hal_performance_oplus) binder_call(opluscamera_app, mtk_hal_neuralnetworks) -allow opluscamera_app vendor_file:file x_file_perms; allow opluscamera_app system_data_file:file r_file_perms; allow opluscamera_app apusys_device:chr_file { ioctl read write open }; allow opluscamera_app mtk_hal_neuralnetworks:fd use; allow opluscamera_app mtk_hal_camera:fd use; allow opluscamera_app vpu_device:chr_file { ioctl read open }; +get_prop(opluscamera_app, vendor_oplus_prop) diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te index 0bf049c..55c7bb2 100644 --- a/sepolicy/vendor/platform_app.te +++ b/sepolicy/vendor/platform_app.te 
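Review bot: `allow opluscamera_app shell_data_file:file r_file_perms;` and the matching `:dir r_dir_perms` rule in sepolicy/vendor/opluscamera_app.te keep an app domain reading from the adb shell's data directory, which anyone with shell access can populate; the platform_app.te hunk adds the same pair for every platform-signed app. The commit only rewrites the old `r_dir_file(..., shell_data_file)` into explicit rules, so the exposure is unchanged, but nothing here says what the apps read from that location. If it is only a debugging or tuning hook, wrap both pairs in `userdebug_or_eng(...)` so user builds do not carry them; otherwise add a comment naming the file that is consumed. The duplicated `binder_call(opluscamera_app, mtk_hal_camera)` and `binder_call(opluscamera_app, hal_performance_oplus)` context lines could be collapsed while this file is being touched.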
@@ -1,9 +1,8 @@ r_dir_file(platform_app, vendor_sysfs_graphics) -add_hwservice(platform_app, hal_osense_oplus_hwservice) -add_hwservice(platform_app, hal_performance_oplus_hwservice) -add_hwservice(platform_app, mtk_hal_bgs_hwservice) -get_prop(platform_app, vendor_oplus_prop) +allow platform_app hal_performance_oplus_hwservice:hwservice_manager find; +allow platform_app hal_osense_oplus_hwservice:hwservice_manager find; + binder_call(platform_app, mtk_hal_camera) binder_call(platform_app, hal_performance_oplus) binder_call(platform_app, mtk_hal_camera) @@ -11,10 +10,9 @@ binder_call(platform_app, hal_performance_oplus) r_dir_file(platform_app, persist_camera_file) r_dir_file(platform_app, persist_data_file) -r_dir_file(platform_app, mnt_vendor_file) -r_dir_file(platform_app, vendor_file) -r_dir_file(platform_app, shell_data_file) +allow platform_app shell_data_file:file r_file_perms; +allow platform_app shell_data_file:dir r_dir_perms; -allow platform_app vendor_file:file x_file_perms; allow platform_app system_data_file:file r_file_perms; allow platform_app apusys_device:chr_file { ioctl read write open }; +get_prop(platform_app, vendor_oplus_prop) diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index fcd5abf..dfe120a 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -1,4 +1,4 @@ vendor_internal_prop(vendor_fingerprint_prop) -vendor_internal_prop(vendor_oplus_prop) +vendor_public_prop(vendor_oplus_prop) vendor_internal_prop(vendor_audio_tuning_prop) vendor_internal_prop(vendor_audio_prop) diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te index 23c5890..52b4eb5 100644 --- a/sepolicy/vendor/radio.te +++ b/sepolicy/vendor/radio.te @@ -1,4 +1 @@ -allow radio vendor_default_prop:file rw_file_perms; -allow radio init:binder call; -allow radio vendor_mtk_radio_prop:property_service { set }; -binder_call(radio, init) +get_prop(radio, vendor_mtk_radio_prop) 
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te index a7c21f8..204f4f6 100644 --- a/sepolicy/vendor/rild.te +++ b/sepolicy/vendor/rild.te @@ -3,5 +3,3 @@ set_prop(rild, vendor_mtk_telephony_addon_prop) set_prop(rild, vendor_mtk_mdrsra_v2_support_prop) set_prop(rild, vendor_mtk_xfrm_support_prop) set_prop(rild, vendor_mtk_md_prop) -allow rild vendor_default_prop:property_service { set }; -allow rild default_prop:file rw_file_perms; diff --git a/sepolicy/vendor/servicemanager.te b/sepolicy/vendor/servicemanager.te index 1f6931c..3c953ae 100644 --- a/sepolicy/vendor/servicemanager.te +++ b/sepolicy/vendor/servicemanager.te @@ -1,3 +1,2 @@ -binder_call(servicemanager, init) binder_call(servicemanager, oplus_orms_aidl_service) r_dir_file(servicemanager, oplus_orms_aidl_service) diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te index 12d6ee1..19bca38 100644 --- a/sepolicy/vendor/surfaceflinger.te +++ b/sepolicy/vendor/surfaceflinger.te @@ -1,3 +1 @@ -allow surfaceflinger vendor_default_prop:file rw_file_perms; -allow surfaceflinger mtk_hal_mmagent_hwservice:hwservice_manager find; binder_call(surfaceflinger, mtk_hal_mmagent) diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 3e37318..90aab5d 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -1,9 +1,7 @@ r_dir_file(system_app, vendor_sysfs_graphics) r_dir_file(system_app, vendor_sysfs_usb_supply) -r_dir_file(system_app, sysfs_batteryinfo) allow system_app vendor_sysfs_graphics:file rw_file_perms; allow system_app vendor_sysfs_usb_supply:file rw_file_perms; -allow system_app sysfs_batteryinfo:file rw_file_perms; allow system_app vendor_sysfs_otg_switch:file rw_file_perms; allow system_app vendor_sysfs_battery_supply:dir r_dir_perms; allow system_app vendor_sysfs_battery_supply:file rw_file_perms; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te index 901322f..991d152 100644 
--- a/sepolicy/vendor/vendor_init.te +++ b/sepolicy/vendor/vendor_init.te @@ -11,6 +11,6 @@ allow vendor_init vendor_sysfs_otg_switch:file w_file_perms; allow vendor_init vendor_proc_display:file w_file_perms; -allow vendor_init vts_status_prop:file rw_file_perms; -allow vendor_init system_prop:file rw_file_perms; +allow vendor_init vts_status_prop:file { read getattr open }; +allow vendor_init system_prop:file { read getattr open }; allow vendor_init proc_swappiness:file rw_file_perms; diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te index 14a9882..d702f01 100644 --- a/sepolicy/vendor/zygote.te +++ b/sepolicy/vendor/zygote.te @@ -1,2 +1,2 @@ -set_prop(zygote, vendor_mtk_gpu_prop) -set_prop(zygote, vendor_mtk_sec_video_path_support_prop) +get_prop(zygote, vendor_mtk_gpu_prop) +get_prop(zygote, vendor_mtk_sec_video_path_support_prop)