From 5219a2446a901ee8d381b15166601fb7a5673e86 Mon Sep 17 00:00:00 2001
From: LinkBoi00
Date: Thu, 11 Aug 2022 16:16:05 +0300
Subject: [PATCH] rosemary: sepolicy: Initial vendor SEpolicy
Co-authored-by: Vaisakh Murali
Signed-off-by: LinkBoi00
Change-Id: If2f65d3bd9b5849557b911fa2cbfcc2392d568c9
---
 BoardConfig.mk | 4 ++++
 sepolicy/vendor/file.te | 3 +++
 sepolicy/vendor/file_contexts | 10 ++++++++++
 sepolicy/vendor/hal_fingerprint_default.te | 13 +++++++++++++
 sepolicy/vendor/hal_light_default.te | 3 +++
 sepolicy/vendor/hal_secure_element_default.te | 3 +++
 sepolicy/vendor/hal_wifi_default.te | 5 +++++
 sepolicy/vendor/property.te | 1 +
 sepolicy/vendor/property_contexts | 18 ++++++++++++++++++
 sepolicy/vendor/vendor_init.te | 1 +
 10 files changed, 61 insertions(+)
 create mode 100644 sepolicy/vendor/file.te
 create mode 100644 sepolicy/vendor/file_contexts
 create mode 100644 sepolicy/vendor/hal_fingerprint_default.te
 create mode 100644 sepolicy/vendor/hal_light_default.te
 create mode 100644 sepolicy/vendor/hal_secure_element_default.te
 create mode 100644 sepolicy/vendor/hal_wifi_default.te
 create mode 100644 sepolicy/vendor/property.te
 create mode 100644 sepolicy/vendor/property_contexts
 create mode 100644 sepolicy/vendor/vendor_init.te
diff --git a/BoardConfig.mk b/BoardConfig.mk
index ae17279..70921e1 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -135,6 +135,10 @@ TARGET_RECOVERY_PIXEL_FORMAT := "RGBX_8888"
 # RIL
 ENABLE_VENDOR_RIL_SERVICE := true
+# Sepolicy
+include device/mediatek/sepolicy_vndr/SEPolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+
+# SPL
 VENDOR_SECURITY_PATCH := 2021-10-01
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..c39d356
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,3 @@
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+type vendor_fingerprint_device, dev_type;
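Review bot: `vendor_fingerprint_device` is declared with `dev_type` but nothing in this patch labels an object with it — the file_contexts hunk covers only the persist/data directories and the light service binary — so the `chr_file` rule on it in hal_fingerprint_default.te has no target unless the device node is labeled by a policy outside this change. Either add the node's file_contexts entry next to the directories (its path is not visible here, so it cannot be quoted) or drop the type until it is used; an unreferenced dev_type is exactly what a later mislabel would silently attach to. A one-line comment on the type, `# Labels the fingerprint sensor character device opened by hal_fingerprint_default`, would also record the intent for the next maintainer.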
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..cdfdd22
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,10 @@
+# Fingerprint
+/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/gf_data(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+
+# Lights
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light-service\.rosemary u:object_r:hal_light_default_exec:s0
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..617ac49
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,13 @@
+# Allow fingerprint HAL to read and write fingerprint node
+allow hal_fingerprint_default vendor_fingerprint_device:chr_file rw_file_perms;
+
+# Allow fingerprint HAL to setup fingerprint database files
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+
+# Create fingerprint HAL entrypoint
+allow hal_fingerprint_default hal_fingerprint_default_exec:file entrypoint;
+
+# Allow fingerprint HAL to get and set its props
+get_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..ae5d398
--- /dev/null
+++ b/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1,3 @@
+# Grant read perms to hal_light_default for sysfs_leds
+allow hal_light_default sysfs_leds:file rw_file_perms;
+r_dir_file(hal_light_default, sysfs_leds)
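Review bot: `/data/gf_data(/.*)?` puts vendor-owned fingerprint data at the top of /data rather than under /data/vendor, unlike the other three /data entries in the hunk. As far as I recall the platform's sepolicy_tests require every /data path outside /data/vendor* to carry a core_data_file_type, so a vendor data type on that path is likely to fail the policy build or, at best, leave the HAL unable to reach it at runtime; if the Goodix blob still hard-codes that path it should be pointed at the already-labeled `/data/vendor/goodix(/.*)?`, and if it does not, the line should go. The `/mnt/vendor/persist/...` entries reuse a `data_file_type` for persist-partition content — worth confirming against the MTK base policy that this is the label its persist rules expect, since a mismatch there only shows up as denials after enrolment.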
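Review bot: `vendor_fingerprint_data_file:dir rw_dir_perms` lets the HAL add and remove entries but not create directories (rw_dir_perms carries no `create`), so if the HAL itself makes /data/vendor/goodix or a persist subdirectory on first boot it will be denied right there; either an init .rc `mkdir` has to create them (none is in this patch) or the rule should read `allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;`. The `hal_fingerprint_default_exec:file entrypoint` line is normally already granted by the domain's init_daemon_domain/hal_server_domain setup in the base policy and can be dropped if that is how the domain is declared there. The `chr_file` rule names a type that no file_contexts entry in this patch assigns, so confirm where the node gets that label before relying on it.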
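Review bot: The comment says `Grant read perms` but the first rule grants `rw_file_perms` on sysfs_leds, so the documentation understates what the domain can do; write is presumably what setting brightness needs, and the comment should say so: `# Allow hal_light_default to read and write LED sysfs nodes (brightness is set by writing them)`. The `r_dir_file` on the last line then only adds the directory read/search that the file rule does not cover; a short note to that effect keeps a later reader from assuming the read grant is duplicated and removing one of them.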
diff --git a/sepolicy/vendor/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..c323c74
--- /dev/null
+++ b/sepolicy/vendor/hal_secure_element_default.te
@@ -0,0 +1,3 @@
+# Allow SE HAL to rw nfc_device
+allow hal_secure_element_default nfc_device:file rw_file_perms;
+allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..018289a
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,5 @@
+# Set fw prop
+set_prop(hal_wifi_default, vendor_mtk_wifi_hal_prop)
+
+# Get hotspot prop
+get_prop(hal_wifi_default, vendor_mtk_wifi_hotspot_prop)
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..c922579
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1 @@
+vendor_restricted_prop(vendor_fingerprint_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..e80778b
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,18 @@
+# Audio
+audio.adm.buffering.ms u:object_r:vendor_mtk_audiohal_prop:s0
+audio_hal.period_multiplier u:object_r:vendor_mtk_audiohal_prop:s0
+vendor.audio.spkcal.copy.inhal u:object_r:vendor_mtk_audiohal_prop:s0
+
+# Camera
+vendor.camera.sensor. u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.camera. u:object_r:vendor_mtk_camera_prop:s0
+demo.hole u:object_r:vendor_mtk_camera_prop:s0
+demo.near u:object_r:vendor_mtk_camera_prop:s0
+demo.far u:object_r:vendor_mtk_camera_prop:s0
+demo.fb u:object_r:vendor_mtk_camera_prop:s0
+
+# Fingerprint
+gf.debug.dump_bigdata_data u:object_r:vendor_fingerprint_prop:s0
+persist.sys.fp.goodix. u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
+vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
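Review bot: The `nfc_device:file rw_file_perms` rule grants rights on a class the NFC node is not — entries labeled nfc_device are character devices, which the second `:chr_file` rule already covers. Unless a regular file somewhere carries the nfc_device label (nothing in this patch labels one), drop the `:file` line so the grant matches the object class actually in use; a spare class grant is harmless today but would quietly cover a mislabeled file later. A comment naming the node the SE HAL opens, which is not visible in this patch, would make the remaining rule checkable.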
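Review bot: The trailing `;` after `vendor_restricted_prop(vendor_fingerprint_prop)` is inconsistent with the other m4 macro calls in this patch (`get_prop`/`set_prop` in the hal_*.te files carry none) and is not part of the macro syntax; drop it: `vendor_restricted_prop(vendor_fingerprint_prop)`. Separately, the only reader and writer this patch grants is hal_fingerprint_default itself, so unless a system-side domain is meant to read these properties, `vendor_internal_prop` would be the tighter declaration; a one-line comment stating which side reads them would settle that either way.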
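Review bot: Several keys here sit outside the vendor property namespaces — `audio.adm.buffering.ms`, `audio_hal.period_multiplier`, the `demo.*` entries, `gf.debug.dump_bigdata_data` and `persist.sys.fp.goodix.` — while vendor property_contexts are expected to define only `vendor.`, `persist.vendor.`, `ro.vendor.` and similar prefixes, and the build rejects others unless `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE` is set, which the BoardConfig.mk hunk in this patch does not do. The ones a blob genuinely requires should either be renamed on both sides or the flag set with a comment recording which binary needs each legacy name; `persist.sys.fp.goodix.` in particular hands a vendor domain write access under the system's `persist.sys.` tree. Prefix entries such as `vendor.fps_hal.` match every property starting with that string, which is fine but worth a comment so a later addition is not swept into the fingerprint context by accident.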
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..872887d
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1 @@
+get_prop(vendor_init, vts_status_prop)
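Review bot: This is the only rule in the patch without a comment, and it grants vendor_init read access to a system-owned property type (`vts_status_prop`), so the reason needs to be recorded where the grant lives. The consumer is not visible in this change; presumably a vendor .rc trigger or conditional reads the VTS property, in which case something like `# vendor .rc conditionals read the VTS status property (presumably ro.vts.coverage)` would let a reviewer check the grant against the .rc that uses it. Confirm the exact property name and the .rc before wording the comment.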