Evolution-x-devices/device_xiaomi_stone
2
0
Fork 0
mirror of https://github.com/Evolution-X-Devices/device_xiaomi_stone synced 2026-01-27 17:18:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

[SQUASH] sm6375-common: sepolicy: Address more denials

Browse Source 
* This is a squash commit from nnippon99:thirteen

veux: Address some missing denials

veux: Address wcnss denials

veux: Set ro.product.mod_device correctly and label sepolicy for it
* Proper set ro.product.mod_device depending on variant
* This needed for MIUICamera to work

veux: Add support for MiuiCamera!

veux: sepolicy: allow last_kmsg and fix denial
W init    : type=1400 audit(0.0:7): avc: denied { setattr } for name="last_kmsg" dev="proc" ino=4026532174 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0

W BootReceiver: cannot read last msg
W BootReceiver: java.io.FileNotFoundException: /proc/last_kmsg: open failed: EACCES (Permission denied)
W BootReceiver:	at libcore.io.IoBridge.open(IoBridge.java:574)
W BootReceiver:	at java.io.FileInputStream.<init>(FileInputStream.java:160)
W BootReceiver:	at android.os.FileUtils.readTextFile(FileUtils.java:637)
W BootReceiver:	at com.android.server.BootReceiver.logFsShutdownTime(BootReceiver.java:649)
W BootReceiver:	at com.android.server.BootReceiver.logBootEvents(BootReceiver.java:305)
W BootReceiver:	at com.android.server.BootReceiver.-$$Nest$mlogBootEvents(Unknown Source:0)
W BootReceiver:	at com.android.server.BootReceiver$1.run(BootReceiver.java:139)
W BootReceiver: Caused by: android.system.ErrnoException: open failed: EACCES (Permission denied)
W BootReceiver:	at libcore.io.Linux.open(Native Method)
W BootReceiver:	at libcore.io.ForwardingOs.open(ForwardingOs.java:563)
W BootReceiver:	at libcore.io.BlockGuardOs.open(BlockGuardOs.java:274)
W BootReceiver:	at libcore.io.IoBridge.open(IoBridge.java:560)
W BootReceiver:	... 6 more

veux: sepolicy: Fix logspam
* This is a SQUASH commit for multiple commits for fixing some logspam

veux: sepolicy: Label more sysfs wakeup nodes

veux: sepolicy: Label more graphics nodes
E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon3/name not found
E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon2/name not found
E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon1/name not found
E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/name not found

veux: sepolicy: address radio.qcriNvOpt hwservice denial

veux: sepolicy: Allow user apps to read proc/zoneinfo files

* E nightwatch-target: /proc/zoneinfo open: errno=13
* E nightwatch-target: sysmeminfo parse failed

* avc: denied { read } for name="zoneinfo" dev="proc" ino=4026531859 scontext=u:r:untrusted_app:s0:c61,c257,c512,c768 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0 app=com.facebook.katana

veux: sepolicy: Fix Build errors

veux: sepolicy: Resolve qemu_hw_prop denial

avc: denied { read } for name="u:object_r:qemu_hw_prop:s0" dev="tmpfs" ino=1316 scontext=u:r:system_app:s0 tcontext=u:object_r:qemu_hw_prop:s0 tclass=file permissive=0

veux: sepolicy: Fix isolated_app denial

avc: denied { setattr } for comm="CrUtilityMain" name="commands.json" dev="mmcblk0p42" ino=1251111 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0
avc: denied { setattr } for comm="CrUtilityMain" name="commands.json" dev="mmcblk0p42" ino=1251111 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0
avc: denied { setattr } for comm="CrUtilityMain" name="f2" dev="mmcblk0p42" ino=1251128 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0
avc: denied { setattr } for comm="CrUtilityMain" name="f2" dev="mmcblk0p42" ino=1251128 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0

veux: Label some radio property
W libc    : Unable to set property "ro.vendor.ril.svlte1x" to "false": error code: 0xb
W libc    : Unable to set property "ro.vendor.ril.svdo" to "false": error code: 0xb

veux: prop: set some props and fix log
W libc    : Unable to set property "ro.telephony.call_ring.multiple" to "false": error code: 0xb
W libc    : Unable to set property "ro.vendor.ril.svlte1x" to "false": error code: 0xb
W libc    : Unable to set property "ro.vendor.ril.svdo" to "false": error code: 0xb

veux: sepolicy: fix some denials
* Rearranges sepolicy/vendor/genfs_contexts properly too

W libc    : Access denied finding property "ro.miui.singlesim"
W libc    : Access denied finding property "ro.product.marketname"
W libc    : Access denied finding property "ro.miui.ui.version.code"
W libc    : Access denied finding property "ro.hardware.chipname"
W libc    : Access denied finding property "ro.vendor.aware_available"
W libc    : Access denied finding property "ro.vendor.gfx.32bit.target"

W libc    : Access denied finding property 'wifi.interface'

W binder:2540_3: type=1400 audit: avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_aware_available_prop:s0" dev="tmpfs" ino=1946 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_aware_available_prop:s0 tclass=file permissive=0

E android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup63 (../../devices/virtual/misc/msm_g711mlaw/wakeup63): Permission denied

E android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup58 (../../devices/virtual/misc/msm_amrwb/wakeup58): Permission denied

veux: sepolicy: Allow perf hal to read graphics composer
W/perf@2.2-servic(882): type=1400 audit(0.0:120396): avc: denied { search } for name="880" dev="proc" ino=394316 scontext=u:r:vendor_hal_perf_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=dir permissive=0

veux: sepolicy: fix denial
avc: denied { read } for comm="e2fsck" name="sde26" dev="tmpfs" ino=15571 scontext=u:r:fsck:s0 tcontext=u:object_r:vendor_custom_ab_block_device:s0 tclass=blk_file permissive=0
avc: denied { read write } for comm="e2fsck" name="sde26" dev="tmpfs" ino=15571 scontext=u:r:fsck:s0 tcontext=u:object_r:vendor_custom_ab_block_device:s0 tclass=blk_file permissive=0

veux: sepolicy: Fix avc denials related to vendor/toolbox.te
avc: denied { kill } for comm="mkswap" capability=5 scontext=u:r🧰s0 tcontext=u:r🧰s0 tclass=capability permissive=0

veux: sepolicy: Resolve system_app denial

veux: sepolicy: KANG missing entries from sm8350-common

Signed-off-by: nnippon99 <adamayyad1999@hotmail.com>
Change-Id: Ica2495d4c2833b0c0509db802115ca720cc7511a
This commit is contained in:
nnippon99
2023-05-11 13:50:37 +03:00
committed by boedhack99
parent ffa3258380
commit 26be43ff39
50 changed files with 400 additions and 116 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
sepolicy/private/linkerconfig.te Normal file
View File

@@ -0,0 +1 @@
allow linkerconfig linkerconfig:capability { sys_admin kill };

1
sepolicy/private/mediaprovider_app.te Normal file
View File

@@ -0,0 +1 @@
allow mediaprovider_app radio_service:service_manager find;

13
sepolicy/private/property_contexts Normal file
View File

@@ -0,0 +1,13 @@
# GLobal
ro.boot.hwc u:object_r:exported_default_prop:s0
ro.build.flavor u:object_r:build_prop:s0
ro.product.mod_device u:object_r:build_prop:s0
ro.product.marketname u:object_r:build_prop:s0
# Hardware
ro.hardware.chipname u:object_r:exported_default_prop:s0
# MIUI
ro.cust.test u:object_r:exported_system_prop:s0
ro.miui. u:object_r:exported_system_prop:s0
ro.fota.oem u:object_r:exported_system_prop:s0

7
sepolicy/private/service_contexts Normal file
View File

@@ -0,0 +1,7 @@
# IMS
vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:vendor_hal_telephony_service:s0
vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:vendor_hal_telephony_service:s0
vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot1 u:object_r:vendor_hal_telephony_service:s0
vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot2 u:object_r:vendor_hal_telephony_service:s0
vendor.qti.hardware.radio.am.IQcRilAudio/slot1 u:object_r:vendor_hal_telephony_service:s0
vendor.qti.hardware.radio.am.IQcRilAudio/slot2 u:object_r:vendor_hal_telephony_service:s0

3
sepolicy/private/system_app.te
View File

@@ -2,3 +2,6 @@ hal_client_domain(system_app, hal_mlipay)
allow system_app sysfs_zram:dir search;
allow system_app sysfs_zram:file r_file_perms;
# Allow settings to query qemu.hw.mainkeys
get_prop(system_app, qemu_hw_prop)

1
sepolicy/private/vendor_qtelephony.te Normal file
View File

@@ -0,0 +1 @@
allow vendor_qtelephony vendor_hal_telephony_service:service_manager find;

1
sepolicy/private/vold_prepare_subdirs.te Normal file
View File

@@ -0,0 +1 @@
allow vold_prepare_subdirs checkin_data_file:dir relabelfrom;

1
sepolicy/vendor/appdomain.te vendored Normal file
View File

@@ -0,0 +1 @@
get_prop(appdomain, vendor_camera_prop)

7
sepolicy/vendor/attributes vendored Normal file
View File

@@ -0,0 +1,7 @@
# Camera
attribute vendor_hal_cameraperf;
attribute vendor_hal_cameraperf_client;
attribute vendor_hal_cameraperf_server;
attribute vendor_hal_camerapostproc_xiaomi;
attribute vendor_hal_camerapostproc_xiaomi_client;
attribute vendor_hal_camerapostproc_xiaomi_server;

1
sepolicy/vendor/cameraserver.te vendored Normal file
View File

@@ -0,0 +1 @@
allow cameraserver property_socket:sock_file { write };

1
sepolicy/vendor/dataservice_app.te vendored Normal file
View File

@@ -0,0 +1 @@
allow vendor_dataservice_app vendor_hal_imsfactory_hwservice:hwservice_manager { find };

4
sepolicy/vendor/dontaudit.te vendored Normal file
View File

@@ -0,0 +1,4 @@
dontaudit {
hal_camera_default
rild
} default_prop:file r_file_perms;

7
sepolicy/vendor/file.te vendored
View File

@@ -10,6 +10,13 @@ type camera_persist_file, vendor_persist_type, file_type;
# Fingerprint
type fingerprint_data_file, data_file_type, core_data_file_type, file_type;
# KMSG
type proc_last_kmsg, fs_type, proc_type;
# Others
type sysfs_msm_subsys, sysfs_type, fs_type;
type vendor_sysfs_iio, fs_type, sysfs_type;
# Thermal
type thermal_data_file, data_file_type, file_type;

82
sepolicy/vendor/file_contexts vendored
View File

@@ -1,67 +1,77 @@
# Audio
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
/dev/elliptic(.*)? u:object_r:sound_device:s0
/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
/dev/elliptic(.*)? u:object_r:sound_device:s0
/dev/mius(.*)? u:object_r:sound_device:s0
/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
# Battery
/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
# Bluetooth
/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0
/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0
# Camera
/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
/vendor/lib(64)?/libmialgoengine\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libipebpsstriping\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libipebpsstriping170\.so u:object_r:same_process_hal_file:s0
# Hexagon DSP-side executable needed for Halide operation
# This is labeled as public_adsprpcd_file as it needs to be read by apps
# (e.g. Google Camera App)
/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
# Fingerprint
/dev/goodix_fp u:object_r:fingerprint_device:s0
/dev/silead_fp u:object_r:fingerprint_device:s0
/dev/silead_s.* u:object_r:fingerprint_device:s0
/dev/silead_stub u:object_r:fingerprint_device:s0
/dev/spidev.* u:object_r:fingerprint_device:s0
/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/fpdump(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor_de/[0-9]+/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/silead(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
/dev/silead_fp u:object_r:fingerprint_device:s0
/dev/silead_s.* u:object_r:fingerprint_device:s0
/dev/silead_stub u:object_r:fingerprint_device:s0
/dev/spidev.* u:object_r:fingerprint_device:s0
/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/fpdump(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor_de/[0-9]+/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/silead(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
# IR
/dev/ir_spi u:object_r:ir_spi_device:s0
/dev/ir_spi u:object_r:ir_spi_device:s0
# Label read_ahead_kb in /data partition
/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/read_ahead_kb u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/read_ahead_kb u:object_r:vendor_sysfs_scsi_host:s0
# Label discard_max_bytes in /data partition
/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_scsi_host:s0
# Mlipay
/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
# NFC
/dev/pn553 u:object_r:nfc_device:s0
/dev/pn54x u:object_r:nfc_device:s0
/dev/pn553 u:object_r:nfc_device:s0
/dev/pn54x u:object_r:nfc_device:s0
# Sensors
/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/us_prox.0/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
# Thermal
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
# Vibrator
/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
# Xiaomi MAC
/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0

2
sepolicy/vendor/fsck.te vendored Normal file
View File

@@ -0,0 +1,2 @@
allow fsck fsck:capability kill;
allow fsck vendor_custom_ab_block_device:blk_file { read write open ioctl };

137
sepolicy/vendor/genfs_contexts vendored
View File

@@ -1,63 +1,100 @@
# Battery
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0
# Display
genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq u:object_r:sysfs_msm_subsys:s0
# Extcon sysfs
genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /devices/platform/soc/soc:rt-pd-manager/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
genfscon sysfs /devices/platform/soc/soc:rt-pd-manager/extcon u:object_r:sysfs_extcon:s0
# Fingerprint
genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
# Graphics
genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon[0-4]+/name u:object_r:vendor_sysfs_graphics:s0
# kmsg
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
# SSR
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
# Touchpanel
genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0
genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0
# Wakeup nodes
genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/dummy_hcd.0/usb1/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/dummy_hcd.0/usb1/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_aac/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_alac/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_amrnb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_amrwb/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_amrwbplus/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_ape/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_evrc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_g711alaw/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_g711mlaw/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_multi_aac/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_qcelp/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_wma/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/virtual/misc/msm_wmapro/wakeup u:object_r:sysfs_wakeup:s0

12
sepolicy/vendor/hal_audio_default.te vendored
View File

@@ -1,13 +1,11 @@
# Allow hal_audio_default to read vendor_persist_audio_file
r_dir_file(hal_audio_default, vendor_persist_audio_file)
r_dir_file(hal_audio_default, sysfs)
allow hal_audio_default audio_socket:sock_file rw_file_perms;
allow hal_audio_default sound_device:chr_file rw_file_perms;
allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
binder_call(hal_audio_default, system_suspend_server)
allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
r_dir_file(hal_audio_default, sysfs)
r_dir_file(hal_audio_default, vendor_persist_audio_file)
set_prop(hal_audio_default, vendor_audio_prop)
allow hal_audio_default audio_socket:sock_file rw_file_perms;
allow hal_audio_default sound_device:chr_file rw_file_perms;

21
sepolicy/vendor/hal_camera_default.te vendored
View File

@@ -1,7 +1,28 @@
type vendor_hal_cameraperf_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
r_dir_file(hal_camera_default, camera_persist_file)
r_dir_file(hal_camera_default, mnt_vendor_file)
get_prop(hal_camera_default, vendor_camera_prop)
set_prop(hal_camera_default, vendor_camera_prop)
hal_server_domain(hal_camera_default, vendor_hal_cameraperf)
hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
add_hwservice(hal_camera_server, vendor_hal_cameraperf_hwservice)
add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
allow hal_camera_client vendor_hal_cameraperf_hwservice:hwservice_manager find;
allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
allow hal_camera_default platform_app:binder { call transfer };
allow hal_camera_default priv_app:binder { call transfer };
allow hal_camera_default public_adsprpcd_file:file r_file_perms;
allow hal_camera_default system_server:binder { call transfer };
allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
allow hal_camera_default vendor_xdsp_device:chr_file { ioctl open read write };
dontaudit hal_camera_default property_type:file { getattr open map };
allow hal_camera_default system_server:binder { call };
allow hal_camera_default mnt_vendor_file:dir { search };

6
sepolicy/vendor/hal_cameraperf.te vendored Normal file
View File

@@ -0,0 +1,6 @@
binder_call(vendor_hal_cameraperf_client, vendor_hal_cameraperf_server)
binder_call(vendor_hal_cameraperf_server, vendor_hal_cameraperf_client)
add_hwservice(vendor_hal_cameraperf_server, vendor_hal_cameraperf_hwservice)
allow vendor_hal_cameraperf_client vendor_hal_cameraperf_hwservice:hwservice_manager find;

6
sepolicy/vendor/hal_camerapostproc_xiaomi.te vendored Normal file
View File

@@ -0,0 +1,6 @@
binder_call(vendor_hal_camerapostproc_xiaomi_client, vendor_hal_camerapostproc_xiaomi_server)
binder_call(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_client)
add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;

9
sepolicy/vendor/hal_perf_default.te vendored
View File

@@ -1,5 +1,12 @@
r_dir_file(vendor_hal_perf_default, system_server)
allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
allow vendor_hal_perf_default hal_camera_default:dir { read open };
allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
allow vendor_hal_perf_default sysfs_thermal:file w_file_perms;
allow vendor_hal_perf_default ctl_start_prop:property_service { set };
allow vendor_hal_perf_default ctl_stop_prop:property_service { set };

2
sepolicy/vendor/hal_secure_element_default.te vendored Normal file
View File

@@ -0,0 +1,2 @@
# Allow Secure Element hal to access /date/vendor/nfc/
r_dir_file(hal_secure_element_default, vendor_nfc_vendor_data_file)

2
sepolicy/vendor/hal_sensors_default.te vendored
View File

@@ -8,5 +8,7 @@ allow hal_sensors_default audio_socket:sock_file rw_file_perms;
allow hal_sensors_default socket_device:sock_file rw_file_perms;
allow hal_sensors_default sound_device:chr_file rw_file_perms;
allow hal_sensors_default iio_device:chr_file rw_file_perms;
allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
get_prop(hal_sensors_default, vendor_adsprpc_prop)

1
sepolicy/vendor/hal_usb_qti.te vendored Normal file
View File

@@ -0,0 +1 @@
allow vendor_hal_usb_qti vendor_sysfs_iio:dir search;

1
sepolicy/vendor/hwservice.te vendored
View File

@@ -1 +1,2 @@
type hal_mlipay_hwservice, hwservice_manager_type;
type hal_rilnv_hwservice, hwservice_manager_type;

13
sepolicy/vendor/hwservice_contexts vendored
View File

@@ -1,3 +1,7 @@
# Camera
vendor.xiaomi.hardware.cameraperf::IMiCameraPerfService u:object_r:vendor_hal_cameraperf_hwservice:s0
vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
# Fingerprint
com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
@@ -8,7 +12,16 @@ vendor.silead.hardware.fingerprintext::ISileadFingerprint u:object_r:hal_f
# Mlipay
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
vendor.xiaomi.hardware.misys::IMiSys u:object_r:hal_mlipay_hwservice:s0
# NFC
vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:hal_nfc_hwservice:s0
# Radio
vendor.qti.hardware.radio.qcriNvOpt::IqcriNvOpt u:object_r:hal_rilnv_hwservice:s0
vendor.qti.hardware.radio.ims::IImsRadio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_hwservice:s0
ro.vendor.ril.svlte1x u:object_r:vendor_radio_prop:s0
ro.vendor.ril.svdo u:object_r:vendor_radio_prop:s0

10
sepolicy/vendor/init.te vendored
View File

@@ -3,3 +3,13 @@ allow init debugfs_tracing_debug:dir mounton;
# Allow init to set read_ahead_kb and discard_max_bytes on /data partition
allow init vendor_sysfs_scsi_host:file w_file_perms;
allow init debugfs_tracing_debug:dir mounton;
# /proc/last_kmsg
allow init proc_last_kmsg:file r_file_perms;
allow init proc_last_kmsg:file setattr;
allow init vendor_file:file execute;
allow init hwservicemanager:binder { call transfer };

1
sepolicy/vendor/isolated_app.te vendored Normal file
View File

@@ -0,0 +1 @@
allow isolated_app app_data_file:file { read write getattr lock setattr };

1
sepolicy/vendor/kernel.te vendored Normal file
View File

@@ -0,0 +1 @@
dontaudit kernel mnt_vendor_file:dir search;

1
sepolicy/vendor/mediaserver.te vendored Normal file
View File

@@ -0,0 +1 @@
allow mediaserver package_native_service:service_manager find;

1
sepolicy/vendor/network_stack.te vendored Normal file
View File

@@ -0,0 +1 @@
allow network_stack proc_net:file rw_file_perms;

25
sepolicy/vendor/platform_app.te vendored
View File

@@ -1,3 +1,26 @@
allow platform_app vendor_hal_soter_hwservice:hwservice_manager find;
typeattribute platform_app system_executes_vendor_violators;
typeattribute platform_app halclientdomain;
typeattribute platform_app vendor_hal_camerapostproc_xiaomi_client;
binder_call(platform_app, vendor_hal_soter_qti)
allow platform_app adsprpcd_file:dir { getattr open read search };
allow platform_app adsprpcd_file:file { getattr open read };
allow platform_app app_data_file:file { execute };
allow platform_app hal_camera_default:binder { call transfer };
allow platform_app hal_camera_default:fd *;
allow platform_app servicemanager:binder { call transfer };
allow platform_app vendor_audio_prop:file { getattr open read map };
allow platform_app vendor_camera_data_file:dir { append map r_dir_perms write };
allow platform_app vendor_display_prop:file { getattr open read map };
allow platform_app vendor_hal_camerapostproc_xiaomi:binder { call transfer };
allow platform_app vendor_hal_camerapostproc_xiaomi:fd *;
allow platform_app vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
allow platform_app vendor_file:file { read open getattr map execute};
allow platform_app vendor_hal_soter_hwservice:hwservice_manager find;
allow platform_app vendor_qdsp_device:chr_file { ioctl open read write };
allow platform_app vendor_xdsp_device:chr_file { ioctl open read write };
get_prop(platform_app, vendor_camera_prop)
get_prop(platform_app, vendor_fingerprint_prop)
allow platform_app vendor_sys_video_prop:file { read };

8
sepolicy/vendor/priv_app.te vendored Normal file
View File

@@ -0,0 +1,8 @@
dontaudit priv_app mnt_vendor_file:dir search;
allow priv_app hal_camera_default:binder { call transfer };
allow priv_app hal_camera_default:fd *;
allow priv_app vendor_audio_prop:file { getattr open read map };
allow priv_app vendor_display_prop:file { getattr open read map };
allow priv_app vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
allow priv_app vendor_qdsp_device:chr_file { ioctl open read write };

9
sepolicy/vendor/property.te vendored
View File

@@ -1,5 +1,14 @@
# Aware
vendor_restricted_prop(vendor_aware_available_prop);
# Fingerprint
vendor_restricted_prop(vendor_fingerprint_prop)
# Thermal
vendor_internal_prop(vendor_thermal_normal_prop)
# IMEI
vendor_internal_prop(vendor_deviceid_prop);
# Serial number
vendor_internal_prop(vendor_sno_prop);

57
sepolicy/vendor/property_contexts vendored
View File

@@ -1,32 +1,47 @@
# Aware
ro.vendor.aware_available u:object_r:vendor_aware_available_prop:s0
# Camera
camera. u:object_r:vendor_camera_prop:s0
persist.camera. u:object_r:vendor_camera_prop:s0
ro.boot.camera.config u:object_r:vendor_camera_prop:s0
ro.camera. u:object_r:vendor_camera_prop:s0
ro.vendor.camera. u:object_r:vendor_camera_prop:s0
vendor.camera.config. u:object_r:vendor_camera_prop:s0
vendor.camera.sensor. u:object_r:vendor_camera_prop:s0
camera. u:object_r:vendor_camera_prop:s0
persist.camera. u:object_r:vendor_camera_prop:s0
ro.boot.camera.config u:object_r:vendor_camera_prop:s0
ro.camera. u:object_r:vendor_camera_prop:s0
ro.vendor.camera. u:object_r:vendor_camera_prop:s0
vendor.camera.config. u:object_r:vendor_camera_prop:s0
vendor.camera.sensor. u:object_r:vendor_camera_prop:s0
sys.boot.hwc u:object_r:vendor_camera_prop:s0
# Fingerprint
gf.debug. u:object_r:vendor_fingerprint_prop:s0
persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
ro.hardware.fp. u:object_r:vendor_fingerprint_prop:s0
sys.fp.vendor u:object_r:vendor_fingerprint_prop:s0
vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
vendor.silead.fp.ext. u:object_r:vendor_fingerprint_prop:s0
gf.debug. u:object_r:vendor_fingerprint_prop:s0
persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
ro.hardware.fp. u:object_r:vendor_fingerprint_prop:s0
sys.fp.vendor u:object_r:vendor_fingerprint_prop:s0
vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
vendor.silead.fp.ext. u:object_r:vendor_fingerprint_prop:s0
# Graphics
ro.vendor.gfx.32bit.target u:object_r:vendor_default_prop:s0
# Mlipay
persist.vendor.sys.pay. u:object_r:vendor_tee_listener_prop:s0
persist.vendor.sys.provision.status u:object_r:vendor_tee_listener_prop:s0
persist.vendor.sys.pay. u:object_r:vendor_tee_listener_prop:s0
persist.vendor.sys.provision.status u:object_r:vendor_tee_listener_prop:s0
# RIL
odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
ro.vendor.oem.imei u:object_r:vendor_deviceid_prop:s0
ro.vendor.oem.imei1 u:object_r:vendor_deviceid_prop:s0
ro.vendor.oem.imei2 u:object_r:vendor_deviceid_prop:s0
# Serial number
ro.vendor.oem.sno u:object_r:vendor_sno_prop:s0
ro.vendor.oem.psno u:object_r:vendor_sno_prop:s0
# Thermal
vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
# Wi-Fi
ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
wifi.interface u:object_r:wifi_hal_prop:s0

3
sepolicy/vendor/rild.te vendored Normal file
View File

@@ -0,0 +1,3 @@
add_hwservice(rild, hal_rilnv_hwservice)
set_prop(rild, vendor_deviceid_prop)
set_prop(rild, vendor_sno_prop)

4
sepolicy/vendor/servicemanager.te vendored Normal file
View File

@@ -0,0 +1,4 @@
allow servicemanager platform_app:binder { call transfer };
allow servicemanager platform_app:dir search;
allow servicemanager platform_app:file { read open };
allow servicemanager platform_app:process getattr;

3
sepolicy/vendor/surfaceflinger.te vendored Normal file
View File

@@ -0,0 +1,3 @@
allow surfaceflinger vendor_firmware_file:dir search;
dontaudit surfaceflinger vendor_firmware_file:file r_file_perms;
allow surfaceflinger hal_graphics_composer_default:file r_file_perms;

12
sepolicy/vendor/system_app.te vendored
View File

@@ -1 +1,13 @@
allow system_app sysfs_thermal:file rw_file_perms;
allow system_app proc_pagetypeinfo:file r_file_perms;
allow system_app sysfs_zram:dir search;
allow system_app sysfs_zram:file r_file_perms;
# vendor_aware_prop
get_prop(system_app, vendor_aware_available_prop);
binder_call(system_app, hal_audio_default)
binder_call(system_app, hal_vibrator_default)
binder_call(system_app, hal_wifi_supplicant_default)
binder_call(system_app, wificond)

7
sepolicy/vendor/system_server.te vendored Normal file
View File

@@ -0,0 +1,7 @@
allow system_server hal_camera_default:binder { call transfer };
allow system_server hal_camera_default:fd *;
# /proc/last_kmsg
allow system_server proc_last_kmsg:file r_file_perms;
allow system_server system_file:file r_file_perms;

1
sepolicy/vendor/toolbox.te vendored Normal file
View File

@@ -0,0 +1 @@
allow toolbox toolbox:capability { sys_admin kill };

6
sepolicy/vendor/untrusted_app.te vendored Normal file
View File

@@ -0,0 +1,6 @@
dontaudit untrusted_app proc:file r_file_perms;
allow untrusted_app proc_zoneinfo:file { read };
allow untrusted_app tmpfs:lnk_file { read };
allow untrusted_app shell_test_data_file:dir { search };
allow untrusted_app app_data_file:file { execute };

1
sepolicy/vendor/vdc.te vendored Normal file
View File

@@ -0,0 +1 @@
allow vdc self:capability kill;

1
sepolicy/vendor/vendor_hal_camerapostproc_xiaomi.te vendored Normal file
View File

@@ -0,0 +1 @@
allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;

1
sepolicy/vendor/vendor_hal_perf_default.te vendored Normal file
View File

@@ -0,0 +1 @@
allow vendor_hal_perf_default sysfs_msm_subsys:dir search;

2
sepolicy/vendor/vendor_init.te vendored Normal file
View File

@@ -0,0 +1,2 @@
allow vendor_init proc_dirty:file rw_file_perms;
allow vendor_init block_device:lnk_file setattr;

4
sepolicy/vendor/vendor_qtelephony.te vendored Normal file
View File

@@ -0,0 +1,4 @@
allow vendor_qtelephony hal_telephony_hwservice:hwservice_manager find;
set_prop(vendor_qtelephony, radio_prop)
allow vendor_qtelephony vendor_hal_datafactory_hwservice:hwservice_manager find;

7
sepolicy/vendor/vendor_qti_init_shell.te vendored
View File

@@ -2,3 +2,10 @@
allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set;
allow vendor_qti_init_shell vendor_wifi_vendor_data_file:dir search;
allow vendor_qti_init_shell vendor_wifi_vendor_data_file:file r_file_perms;
allow vendor_qti_init_shell configfs:dir rw_dir_perms;
allow vendor_qti_init_shell configfs:file create_file_perms;
allow vendor_qti_init_shell ctl_stop_prop:property_service set;
allow vendor_qti_init_shell sysfs_wakeup:file setattr;
allow vendor_qti_init_shell sysfs:file { setattr write };
allow vendor_qti_init_shell proc_watermark_scale_factor:file w_file_perms;
allow vendor_qti_init_shell proc_watermark_boost_factor:file w_file_perms;

7
sepolicy/vendor/wcnss_service.te vendored Normal file
View File

@@ -0,0 +1,7 @@
allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:dir { search write add_name remove_name };
allow vendor_wcnss_service vendor_data_file:dir create_dir_perms;
allow vendor_wcnss_service vendor_data_file:file create_file_perms;
allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:dir create_dir_perms;
allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:sock_file create_file_perms;
allow vendor_wcnss_service property_socket:sock_file write;

2
sepolicy/vendor/zygote.te vendored Normal file
View File

@@ -0,0 +1,2 @@
allow zygote self:capability kill;
allow zygote adsprpcd_file:dir { search };