diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 601f442..4262632 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -117,6 +117,10 @@ VENDOR_SECURITY_PATCH := 2021-04-01
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true
 # Verified Boot
 BOARD_AVB_ENABLE := true
diff --git a/sepolicy/private/devicesettings_app.te b/sepolicy/private/devicesettings_app.te
new file mode 100644
index 0000000..8f53590
--- /dev/null
+++ b/sepolicy/private/devicesettings_app.te
@@ -0,0 +1,21 @@
+type devicesettings_app, domain;
+typeattribute devicesettings_app mlstrustedsubject;
+
+app_domain(devicesettings_app)
+
+# Access standard system services
+allow devicesettings_app app_api_service:service_manager find;
+allow devicesettings_app audioserver_service:service_manager find;
+
+# Allow reading and writing shared prefs
+allow devicesettings_app system_app_data_file:dir create_dir_perms;
+allow devicesettings_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Allow binder communication with gpuservice
+binder_call(devicesettings_app, gpuservice)
+
+# Allow XiaomiParts to read and write to cgroup
+allow devicesettings_app cgroup:file rw_file_perms;
+
+# Allow XiaomiParts to write to sysfs_thermal
+allow devicesettings_app sysfs_thermal:file w_file_perms;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..54260af
--- /dev/null
+++ b/sepolicy/private/property_contexts
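Review bot: `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true` switches off the build-time check that vendor property_contexts only label vendor-namespaced property names, and it is added without a comment saying why. The entries that appear to require it are in sepolicy/vendor/property_contexts of this same commit, where `persist.sys.fp.`, `persist.sys.thermal.`, `sys.thermal.`, `init.svc.ppd`, `camera.` and `audio_hal.in_period_size` are labelled with vendor property types. Because the flag is global it will also silence the check for any future mislabelled entry, so record the reason next to it, e.g. `# Needed for the non-vendor-namespaced entries in sepolicy/vendor/property_contexts (persist.sys.fp., sys.thermal., ...)`, so it can be dropped once those properties are renamed.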
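Review bot: `typeattribute devicesettings_app mlstrustedsubject;` is not obviously required by any rule in this hunk, yet it exempts the app from the MLS constraints that normally separate app domains from other users' data; if it was carried over from a template, drop it, otherwise add a comment naming the denial it resolves. The comments on the last two rules say "XiaomiParts" while the domain is `devicesettings_app` and the seapp_contexts entry in this commit maps `org.lineageos.settings`; rename them to match, e.g. `# Allow devicesettings_app to read and write to cgroup`. `cgroup:file rw_file_perms` and `sysfs_thermal:file w_file_perms` give a user-facing app direct write access to scheduler and thermal control nodes; a comment naming the exact nodes it writes would make that scope reviewable.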
@@ -0,0 +1,12 @@
+# IMEI
+persist.radio.imei u:object_r:deviceid_prop:s0
+persist.radio.meid u:object_r:deviceid_prop:s0
+ro.ril.miui.imei u:object_r:deviceid_prop:s0
+ro.ril.oem.imei u:object_r:deviceid_prop:s0
+ro.ril.oem.meid u:object_r:deviceid_prop:s0
+
+# MIUI specific
+ro.cust.test u:object_r:exported_system_prop:s0
+ro.boot.hwc u:object_r:exported_default_prop:s0
+ro.product.mod_device u:object_r:build_prop:s0
+ro.miui. u:object_r:exported_system_prop:s0
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 0000000..c0131ec
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1 @@
+user=system seinfo=platform name=org.lineageos.settings domain=devicesettings_app type=system_app_data_file
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..c9f1b37
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_mlipay)
diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 0000000..1a0c38a
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1 @@
+hal_attribute_lineage(mlipay)
diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te
new file mode 100644
index 0000000..09dbfd1
--- /dev/null
+++ b/sepolicy/public/property.te
@@ -0,0 +1 @@
+vendor_public_prop(deviceid_prop)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..6ea1879
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,2 @@
+get_prop({ appdomain -isolated_app }, vendor_fp_prop)
+get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)
diff --git a/sepolicy/vendor/appdomain.te b/sepolicy/vendor/appdomain.te
new file mode 100644
index 0000000..c95bf2b
--- /dev/null
+++ b/sepolicy/vendor/appdomain.te
@@ -0,0 +1 @@
+get_prop(appdomain, camera_prop)
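Review bot: `get_prop({ appdomain -isolated_app }, vendor_fp_prop)` and the `vendor_tee_listener_prop` line make these properties readable by every non-isolated app, including untrusted third-party apps, and the hunk does not say which app needs them. Per sepolicy/vendor/property_contexts in this commit, vendor_fp_prop covers `ro.hardware.fp`, `persist.sys.fp.`, `gf.debug.` and `persist.vendor.fpc.`, and vendor_tee_listener_prop covers `persist.vendor.sys.pay`. If only the settings app or the payment client reads them, narrow the source to that domain; otherwise add a comment naming the consumer, e.g. `# read by <consumer app> — TODO confirm`. appdomain.te in the same commit does the same for camera_prop (which includes `persist.debug.sf.showfps`) without even excluding isolated_app.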
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..e817f6d
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,7 @@
+type fingerprint_device, dev_type;
+
+type gps_device, dev_type;
+
+type lirc_device, dev_type;
+
+type ultrasound_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..1629251
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,35 @@
+type audio_socket, file_type;
+
+type debugfs_sched_features, debugfs_type, fs_type;
+
+type debugfs_wlan, debugfs_type, fs_type;
+
+type fingerprint_data_file, data_file_type, file_type;
+
+type gps_data_file, data_file_type, file_type;
+
+type gps_socket, file_type;
+
+type persist_audio_file, file_type, vendor_persist_type;
+
+type persist_camera_file, file_type, vendor_persist_type;
+
+type proc_sysctl_autogroup, proc_type, fs_type;
+
+type proc_sysctl_schedboost, proc_type, fs_type;
+
+type proc_tp, proc_type, fs_type;
+
+type sysfs_fingerprint, sysfs_type, fs_type;
+
+type sysfs_gps, sysfs_type, fs_type;
+
+type sysfs_msm_subsys, sysfs_type, fs_type;
+
+type sysfs_rpm, sysfs_type, fs_type;
+
+type sysfs_system_sleep_stats, sysfs_type, fs_type;
+
+type sysfs_touchpanel, sysfs_type, fs_type;
+
+type thermal_data_file, data_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..7d0df8e
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,82 @@
+# Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/vendor/bin/remosaic_daemon u:object_r:remosaic_daemon_exec:s0
+
+# Display
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/disp_param u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/dynamic_fps u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/hbm_status u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/panel_info u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/smart_fps_value u:object_r:sysfs_graphics:s0
+
+# Fingerprint
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+
+# Fingerprint data
+/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/syna(/.*)? u:object_r:fingerprint_data_file:s0
+
+# Fingerprint devices
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/vfsspi u:object_r:fingerprint_device:s0
+
+# GPS
+/vendor/bin/glgps u:object_r:glgps_exec:s0
+/vendor/bin/ignss_2_0 u:object_r:hal_gnss_default_exec:s0
+/vendor/bin/lhd u:object_r:lhd_exec:s0
+
+# GPS data
+/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
+
+# GPS devices
+/dev/bbd_control u:object_r:gps_device:s0
+/dev/bbd_patch u:object_r:gps_device:s0
+/dev/bbd_sensor u:object_r:gps_device:s0
+/dev/ttyBCM u:object_r:gps_device:s0
+
+# GPS nodes
+/dev/socket/gps u:object_r:gps_socket:s0
+/sys/devices/platform/soc/[0-9]+\.spi/spi_master/spi[0-9]+/spi[0-9]+\.0/nstandby u:object_r:sysfs_gps:s0
+
+# IR
+/vendor/bin/hw/android\.hardware\.ir@1\.0-service\.xiaomi u:object_r:hal_ir_default_exec:s0
+
+# IR devices
+/dev/ir_spi u:object_r:lirc_device:s0
+/dev/lirc[0-9] u:object_r:lirc_device:s0
+/dev/spidev[0-9]\.1 u:object_r:lirc_device:s0
+
+# LED
+/sys/devices/platform/soc/[a-z0-9]+.qcom,spmi/spmi-[0-1]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/platform/soc/[a-z0-9]+.i2c/i2c-[0-9]/[0-9]-[a-z0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0
+
+# Lights
+/vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0
+
+# Mlipay
+/vendor/bin/mlipayd@1\.1 u:object_r:hal_mlipay_default_exec:s0
+
+# Neural-networks
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-qti u:object_r:hal_neuralnetworks_default_exec:s0
+
+# Power
+/vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+
+# Ultrasound devices
+/dev/elliptic(.*)? u:object_r:ultrasound_device:s0
+/dev/mius(.*)? u:object_r:ultrasound_device:s0
+
+# WiFi
+/data/vendor/mac_addr(/.*)? u:object_r:wifi_vendor_data_file:s0
+/vendor/bin/nv_mac u:object_r:wcnss_service_exec:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..1def13e
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
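Review bot: The Display and LED entries leave the `.` in `[a-z0-9]+.qcom,mdss_mdp`, `[a-z0-9]+.qcom,spmi` and `[a-z0-9]+.i2c` unescaped, so it matches any character, while the GPS and IR entries in the same file escape it (`spi[0-9]+\.0`, `spidev[0-9]\.1`); use `\.` consistently, e.g. `/sys/devices/platform/soc/[a-z0-9]+\.qcom,mdss_mdp/drm/...`. Separately, `/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0` applies a vendor label to a path outside /data/vendor, and tee and hal_fingerprint_default get create permissions on that type in this commit; if the HAL really writes there, a comment explaining why the directory is not under /data/vendor would help, otherwise the entry may be a leftover.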
@@ -0,0 +1,55 @@
+# Display
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display u:object_r:sysfs_graphics:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/device_prepare u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/irq u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_goodix/proximity_state u:object_r:sysfs_fingerprint:s0
+
+# FOD
+genfscon sysfs /devices/virtual/touch/tp_dev/fod_status u:object_r:sysfs_fingerprint:s0
+
+# Health
+genfscon sysfs /class/power_supply/battery/capacity u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-0066/power_supply/bq2597x-standalone u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-5/5-0066/power_supply/bq2597x-standalone u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/890000.i2c/i2c-0/0-0066/power_supply/bq2597x-standalone u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-004b/power_supply/parallel u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0061/power_supply/idt u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/wireless u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/wireless u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:sysfs_battery_supply:s0
+
+# LED
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/flashlight/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:torch_0/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:torch_1/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:switch_0/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:switch_1/brightness u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds/white u:object_r:sysfs_leds:s0
+
+# Power
+genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
+genfscon proc /sys/kernel/sched_autogroup_enabled u:object_r:proc_sysctl_autogroup:s0
+genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0
+genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0
+genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0
+
+# Subsystem
+genfscon sysfs /devices/platform/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,llccbw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw u:object_r:sysfs_msm_subsys:s0
+
+# Touchscreen
+genfscon proc /tp_fw_version u:object_r:proc_tp:s0
+genfscon proc /tp_lockdown_info u:object_r:proc_tp:s0
+genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
+
+# Wi-Fi
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
diff --git a/sepolicy/vendor/glgps.te b/sepolicy/vendor/glgps.te
new file mode 100644
index 0000000..9cc5983
--- /dev/null
+++ b/sepolicy/vendor/glgps.te
@@ -0,0 +1,24 @@
+type glgps, domain;
+type glgps_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(glgps)
+net_domain(glgps)
+
+allow glgps fwk_sensor_hwservice:hwservice_manager find;
+
+allow glgps gps_data_file:dir create_dir_perms;
+allow glgps gps_data_file:fifo_file create_file_perms;
+allow glgps gps_data_file:file create_file_perms;
+allow glgps gps_data_file:lnk_file create_file_perms;
+allow glgps gps_data_file:sock_file create_file_perms;
+
+allow glgps gps_device:chr_file rw_file_perms;
+
+allow glgps self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow glgps gps_socket:sock_file create_file_perms;
+
+binder_call(glgps, system_server)
+
+typeattribute glgps halclientdomain;
+
+wakelock_use(glgps)
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..3169c3a
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,7 @@
+allow hal_audio_default mnt_vendor_file:dir search;
+r_dir_file(hal_audio_default, persist_audio_file)
+
+get_prop(hal_audio_default, vendor_bluetooth_prop)
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..0a9e947
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
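Review bot: `typeattribute glgps halclientdomain;` attaches the generic HAL-client attribute directly rather than through `hal_client_domain(glgps, hal_<name>)`, so glgps inherits every halclientdomain rule without being tied to the specific HAL it talks to, and a reader cannot tell which one that is. If the intent is the sensors HAL (the hunk also grants `fwk_sensor_hwservice:hwservice_manager find`), prefer the macro with that attribute, otherwise add a comment saying which HAL is meant. `net_domain(glgps)` together with `binder_call(glgps, system_server)` makes this a network-capable vendor daemon that calls into system_server; a one-line comment for each stating what it is used for would make the scope reviewable.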
@@ -0,0 +1,14 @@
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+
+allow hal_camera_default remosaic_daemon_service:service_manager find;
+
+allow hal_camera_default sysfs_kgsl:dir search;
+allow hal_camera_default sysfs_kgsl:file r_file_perms;
+
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file rw_file_perms;
+allow hal_camera_default sysfs_leds:lnk_file read;
+
+allow hal_camera_default sysfs_thermal:file w_file_perms;
+
+r_dir_file(hal_camera_default, persist_camera_file)
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..9a9de9b
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,17 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default input_device:chr_file rw_file_perms;
+
+allow hal_fingerprint_default sysfs_graphics:dir search;
+allow hal_fingerprint_default sysfs_graphics:file rw_file_perms;
+allow hal_fingerprint_default sysfs_msm_subsys:dir search;
+allow hal_fingerprint_default sysfs_msm_subsys:file r_file_perms;
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+hal_client_domain(hal_fingerprint_default, hal_perf)
diff --git a/sepolicy/vendor/hal_gnss_default.te b/sepolicy/vendor/hal_gnss_default.te
new file mode 100644
index 0000000..c2346f2
--- /dev/null
+++ b/sepolicy/vendor/hal_gnss_default.te
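Review bot: `allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;` together with `input_device:chr_file rw_file_perms` lets the fingerprint HAL presumably create userspace HID devices and write to existing input nodes, which is well beyond reading a sensor and carries no comment. If this serves the navigation and touch features exposed by the `com.fingerprints.extension::IFingerprintNavigation` and `IFingerprintSenseTouch` hwservice entries in this commit, say so, e.g. `# uhid/input access for fingerprint navigation (IFingerprintNavigation) — confirm write is needed`, and check whether `input_device:chr_file` needs write or only read. The `sysfs_graphics:file rw_file_perms` grant is likewise unexplained; the display nodes labelled sysfs_graphics in file_contexts (hbm_status, disp_param) suggest it is for the under-display sensor, and a comment would record that.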
@@ -0,0 +1,2 @@
+allow hal_gnss_default gps_data_file:dir rw_dir_perms;
+allow hal_gnss_default gps_data_file:fifo_file create_file_perms;
diff --git a/sepolicy/vendor/hal_imsrtp.te b/sepolicy/vendor/hal_imsrtp.te
new file mode 100644
index 0000000..e130c8d
--- /dev/null
+++ b/sepolicy/vendor/hal_imsrtp.te
@@ -0,0 +1 @@
+binder_call(hal_imsrtp, radio)
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..fabc5c1
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1,2 @@
+allow hal_ir_default lirc_device:chr_file rw_file_perms;
+allow hal_ir_default lirc_device:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000..3e9ef84
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te
new file mode 100644
index 0000000..1b36f10
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay_default.te
@@ -0,0 +1,13 @@
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_mlipay_default)
+
+allow hal_mlipay_default ion_device:chr_file rw_file_perms;
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+r_dir_file(hal_mlipay_default, firmware_file)
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
+set_prop(hal_mlipay_default, vendor_tee_listener_prop)
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..ffc5a42
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_power_default nfc_vendor_data_file:dir create_dir_perms;
+allow hal_power_default nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..7d5fc52
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,31 @@
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file r_file_perms;
+
+allow hal_power_default sysfs_rpm:file r_file_perms;
+allow hal_power_default sysfs_system_sleep_stats:file r_file_perms;
+
+allow hal_power_default sysfs_touchpanel:dir r_dir_perms;
+allow hal_power_default sysfs_touchpanel:file rw_file_perms;
+
+allow hal_power_default debugfs_wlan:dir r_dir_perms;
+allow hal_power_default debugfs_wlan:file r_file_perms;
+
+# To do powerhint on nodes defined in powerhint.json
+allow hal_power_default sysfs_devfreq:dir search;
+allow hal_power_default sysfs_devfreq:file rw_file_perms;
+allow hal_power_default sysfs_kgsl:lnk_file read;
+allow hal_power_default sysfs_kgsl:file rw_file_perms;
+allow hal_power_default sysfs_msm_subsys:dir search;
+allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_power_default device_latency:chr_file rw_file_perms;
+allow hal_power_default cgroup:dir search;
+allow hal_power_default cgroup:file rw_file_perms;
+allow hal_power_default debugfs_sched_features:file rw_file_perms;
+allow hal_power_default proc_sysctl_schedboost:file rw_file_perms;
+
+# To get/set powerhal state property
+set_prop(hal_power_default, vendor_power_prop)
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..a56d1cd
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
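Review bot: The file is hal_nfc_default.te but both rules name `hal_power_default` as the source domain, so as written they grant the power HAL create and write access to `nfc_vendor_data_file` and give the NFC HAL nothing. This looks like a copy-paste of the domain name; if the intent is to let the NFC HAL manage its vendor data directory, the lines should read `allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;` and `allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;`. If the power HAL genuinely needs this access, the rules belong in hal_power_default.te (also added in this commit) with a comment explaining why a power HAL writes NFC data.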
@@ -0,0 +1,8 @@
+allow hal_sensors_default mnt_vendor_file:file r_file_perms;
+allow hal_sensors_default ultrasound_device:chr_file rw_file_perms;
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
+
+get_prop(hal_sensors_default, adsprpc_prop)
+get_prop(hal_sensors_default, sensors_prop)
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..158b6cc
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1 @@
+type hal_mlipay_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..01ef36d
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,21 @@
+# Fingerprint
+com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintCalibration u:object_r:hal_fingerprint_hwservice:s0
+com.fingerprints.extension::IFingerprintSenseTouch u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.fingerprintextension::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0
+vendor.synaptics.fingerprints.interfaces.extensions::ISensorTest u:object_r:hal_fingerprint_hwservice:s0
+vendor.synaptics.fingerprints.interfaces.extensions::INavigation u:object_r:hal_fingerprint_hwservice:s0
+vendor.synaptics.fingerprints.interfaces.extensions::IFpCollection u:object_r:hal_fingerprint_hwservice:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+
+# NFC
+vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
+
+# Secure element
+vendor.nxp.nxpese::INxpEse u:object_r:hal_secure_element_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..30d9cfb
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1 @@
+allow init socket_device:sock_file { unlink setattr create };
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..9ba3537
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1 @@
+allow kernel debugfs_wlan:dir search;
diff --git a/sepolicy/vendor/lhd.te b/sepolicy/vendor/lhd.te
new file mode 100644
index 0000000..f12506f
--- /dev/null
+++ b/sepolicy/vendor/lhd.te
@@ -0,0 +1,14 @@
+type lhd, domain;
+type lhd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(lhd)
+net_domain(lhd)
+
+allow lhd gps_data_file:dir create_dir_perms;
+allow lhd gps_data_file:fifo_file create_file_perms;
+allow lhd gps_data_file:file create_file_perms;
+
+allow lhd gps_device:chr_file rw_file_perms;
+allow lhd sysfs_gps:file rw_file_perms;
+
+wakelock_use(lhd)
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..b1ecf28
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
@@ -0,0 +1,28 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+allow mi_thermald self:capability { chown fowner fsetid };
+
+# Allow mi_thermald to read thermal_data_file
+allow mi_thermald thermal_data_file:dir rw_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+
+r_dir_file(mi_thermald, sysfs_battery_supply)
+r_dir_file(mi_thermald, sysfs_devices_system_cpu)
+r_dir_file(mi_thermald, sysfs_graphics)
+r_dir_file(mi_thermald, sysfs_kgsl)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, sysfs_thermal)
+
+allow mi_thermald sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald sysfs_battery_supply:lnk_file rw_file_perms;
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+allow mi_thermald sysfs_devices_system_cpu:lnk_file rw_file_perms;
+allow mi_thermald sysfs_kgsl:file rw_file_perms;
+allow mi_thermald sysfs_kgsl:lnk_file rw_file_perms;
+allow mi_thermald sysfs_thermal:file rw_file_perms;
+allow mi_thermald sysfs_thermal:lnk_file rw_file_perms;
+
+set_prop(mi_thermald, vendor_thermal_normal_prop)
diff --git a/sepolicy/vendor/mm-pp-daemon.te b/sepolicy/vendor/mm-pp-daemon.te
new file mode 100644
index 0000000..733fe6e
--- /dev/null
+++ b/sepolicy/vendor/mm-pp-daemon.te
@@ -0,0 +1 @@
+get_prop(mm-pp-daemon, vendor_dpps_prop)
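Review bot: The comment `# Allow mi_thermald to read thermal_data_file` understates the two rules below it, which grant `rw_dir_perms` on the directory and `create_file_perms` on files; change it to `# Allow mi_thermald to create and write files under thermal_data_file`. The `self:capability { chown fowner fsetid }` grant and the four `*:lnk_file rw_file_perms` rules on sysfs types are unusual for a thermal daemon (writing through sysfs symlinks is rarely what a denial actually asks for) and carry no explanation; if these came from denial logs, recording the denied operation next to each rule would let a later reviewer tell required from over-granted. thermal-engine.te in the same commit gets a similar uncommented `{ chown fowner }` grant.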
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..e4ec2b3
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,7 @@
+vendor_internal_prop(vendor_thermal_normal_prop)
+
+vendor_internal_prop(vendor_dpps_prop)
+
+vendor_public_prop(vendor_fp_prop)
+
+vendor_internal_prop(vendor_power_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..bcc2009
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,54 @@
+# Audio
+audio.soundtrigger.debug.urser_id u:object_r:audio_prop:s0
+audio_hal.in_period_size u:object_r:audio_prop:s0
+
+# Camera
+camera. u:object_r:camera_prop:s0
+persist.camera. u:object_r:camera_prop:s0
+persist.debug.sf.showfps u:object_r:camera_prop:s0
+persist.vendor.camera u:object_r:camera_prop:s0
+ro.camera.res.fmq.size u:object_r:camera_prop:s0
+ro.camera.req.fmq.size u:object_r:camera_prop:s0
+ro.vendor.camera. u:object_r:camera_prop:s0
+vendor.camera.boot_complete u:object_r:camera_prop:s0
+vendor.camera.sensor. u:object_r:camera_prop:s0
+vidhance. u:object_r:camera_prop:s0
+
+# Display post processing
+init.svc.ppd u:object_r:vendor_dpps_prop:s0
+ro.vendor.display.ad u:object_r:vendor_dpps_prop:s0
+ro.vendor.display.sensortype u:object_r:vendor_dpps_prop:s0
+
+# Fingerprint
+fpc_kpi u:object_r:vendor_fp_prop:s0
+gf.debug. u:object_r:vendor_fp_prop:s0
+persist.sys.fp. u:object_r:vendor_fp_prop:s0
+persist.vendor.fpc. u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
+ro.boot.fpsensor u:object_r:vendor_fp_prop:s0
+ro.hardware.fp u:object_r:vendor_fp_prop:s0
+vendor.fps_hal. u:object_r:vendor_fp_prop:s0
+
+# MIUI specific
+ro.boot.factorybuild u:object_r:exported_default_prop:s0
+ro.boot.hwversion u:object_r:exported_default_prop:s0
+ro.carrier.name u:object_r:exported_default_prop:s0
+ro.miui.cust_variant u:object_r:exported_default_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay u:object_r:vendor_tee_listener_prop:s0
+
+# Power
+vendor.powerhal. u:object_r:vendor_power_prop:s0
+
+# Sensors
+persist.sensor. u:object_r:sensors_prop:s0
+invn.hal.data. u:object_r:sensors_prop:s0
+invn.hal.debug. u:object_r:sensors_prop:s0
+invn.hal.entry. u:object_r:sensors_prop:s0
+invn.hal.verbose. u:object_r:sensors_prop:s0
+
+# Thermal
+persist.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
+sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
+vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
new file mode 100644
index 0000000..d5df7b2
--- /dev/null
+++ b/sepolicy/vendor/radio.te
@@ -0,0 +1,14 @@
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio hal_datafactory_hwservice:hwservice_manager find;
+allow radio hal_iwlan_hwservice:hwservice_manager find;
+allow radio mediaextractor_service:service_manager find;
+allow radio mediametrics_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+
+binder_call(radio, cnd)
+binder_call(radio, gpuservice)
+binder_call(radio, hal_imsrtp)
+
+get_prop(radio, qcom_ims_prop)
diff --git a/sepolicy/vendor/remosaic_daemon.te b/sepolicy/vendor/remosaic_daemon.te
new file mode 100644
index 0000000..ac2418d
--- /dev/null
+++ b/sepolicy/vendor/remosaic_daemon.te
@@ -0,0 +1,8 @@
+type remosaic_daemon, domain;
+type remosaic_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(remosaic_daemon)
+
+vndbinder_use(remosaic_daemon)
+
+add_service(remosaic_daemon, remosaic_daemon_service)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..0c072df
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1 @@
+set_prop(rild, deviceid_prop)
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..f406084
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
@@ -0,0 +1 @@
+allow sensors proc_tp:file r_file_perms;
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..e975d9e
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1 @@
+binder_call(system_server, glgps)
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..8423715
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,2 @@
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..ef381df
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,7 @@
+allow thermal-engine thermal_data_file:dir rw_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+
+allow thermal-engine self:capability { chown fowner };
+allow thermal-engine sysfs_devfreq:dir r_dir_perms;
+
+set_prop(thermal-engine, vendor_thermal_normal_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..9130be7
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,4 @@
+allow vendor_init proc_sysctl_autogroup:file w_file_perms;
+allow vendor_init proc_sysctl_schedboost:file w_file_perms;
+
+set_prop(vendor_init, vendor_power_prop)
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
new file mode 100644
index 0000000..b6d0463
--- /dev/null
+++ b/sepolicy/vendor/vndservice.te
@@ -0,0 +1 @@
+type remosaic_daemon_service, vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..68c55dc
--- /dev/null
+++ b/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1,2 @@
+# Camera
+android.IRemosaicDaemon u:object_r:remosaic_daemon_service:s0
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
new file mode 100644
index 0000000..9cd14b3
--- /dev/null
+++ b/sepolicy/vendor/vold.te
@@ -0,0 +1,2 @@
+# For setting read_ahead_kb
+allow vold sysfs_mmc_host:file w_file_perms;
diff --git a/sepolicy/vendor/vppservice.te b/sepolicy/vendor/vppservice.te
new file mode 100644
index 0000000..9a39868
--- /dev/null
+++ b/sepolicy/vendor/vppservice.te
@@ -0,0 +1 @@
+hal_client_domain(vendor_vppservice, hal_capabilityconfigstore_qti)