From 26be43ff39e25d3ece30f24b961727362ed7ee9f Mon Sep 17 00:00:00 2001 
From: nnippon99 Date: Thu, 11 May 2023 13:50:37 +0300 Subject: [PATCH] [SQUASH] sm6375-common: sepolicy: Address more denials MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * This is a squash commit from nnippon99:thirteen veux: Address some missing denials veux: Address wcnss denials veux: Set ro.product.mod_device correctly and label sepolicy for it * Proper set ro.product.mod_device depending on variant * This needed for MIUICamera to work veux: Add support for MiuiCamera! veux: sepolicy: allow last_kmsg and fix denial W init : type=1400 audit(0.0:7): avc: denied { setattr } for name="last_kmsg" dev="proc" ino=4026532174 scontext=u:r:init:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 W BootReceiver: cannot read last msg W BootReceiver: java.io.FileNotFoundException: /proc/last_kmsg: open failed: EACCES (Permission denied) W BootReceiver: at libcore.io.IoBridge.open(IoBridge.java:574) W BootReceiver: at java.io.FileInputStream.(FileInputStream.java:160) W BootReceiver: at android.os.FileUtils.readTextFile(FileUtils.java:637) W BootReceiver: at com.android.server.BootReceiver.logFsShutdownTime(BootReceiver.java:649) W BootReceiver: at com.android.server.BootReceiver.logBootEvents(BootReceiver.java:305) W BootReceiver: at com.android.server.BootReceiver.-$$Nest$mlogBootEvents(Unknown Source:0) W BootReceiver: at com.android.server.BootReceiver$1.run(BootReceiver.java:139) W BootReceiver: Caused by: android.system.ErrnoException: open failed: EACCES (Permission denied) W BootReceiver: at libcore.io.Linux.open(Native Method) W BootReceiver: at libcore.io.ForwardingOs.open(ForwardingOs.java:563) W BootReceiver: at libcore.io.BlockGuardOs.open(BlockGuardOs.java:274) W BootReceiver: at libcore.io.IoBridge.open(IoBridge.java:560) W BootReceiver: ... 
6 more veux: sepolicy: Fix logspam * This is a SQUASH commit for multiple commits for fixing some logspam veux: sepolicy: Label more sysfs wakeup nodes veux: sepolicy: Label more graphics nodes E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon3/name not found E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon2/name not found E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon1/name not found E WiredAccessoryManager: file /sys/devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon0/name not found veux: sepolicy: address radio.qcriNvOpt hwservice denial veux: sepolicy: Allow user apps to read proc/zoneinfo files * E nightwatch-target: /proc/zoneinfo open: errno=13 * E nightwatch-target: sysmeminfo parse failed * avc: denied { read } for name="zoneinfo" dev="proc" ino=4026531859 scontext=u:r:untrusted_app:s0:c61,c257,c512,c768 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0 app=com.facebook.katana veux: sepolicy: Fix Build errors veux: sepolicy: Resolve qemu_hw_prop denial avc: denied { read } for name="u:object_r:qemu_hw_prop:s0" dev="tmpfs" ino=1316 scontext=u:r:system_app:s0 tcontext=u:object_r:qemu_hw_prop:s0 tclass=file permissive=0 veux: sepolicy: Fix isolated_app denial avc: denied { setattr } for comm="CrUtilityMain" name="commands.json" dev="mmcblk0p42" ino=1251111 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0 avc: denied { setattr } for comm="CrUtilityMain" name="commands.json" dev="mmcblk0p42" ino=1251111 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0 avc: denied { setattr } for comm="CrUtilityMain" name="f2" dev="mmcblk0p42" ino=1251128 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0 avc: denied { 
setattr } for comm="CrUtilityMain" name="f2" dev="mmcblk0p42" ino=1251128 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:app_data_file:s0:c153,c256,c512,c768 tclass=file permissive=0 veux: Label some radio property W libc : Unable to set property "ro.vendor.ril.svlte1x" to "false": error code: 0xb W libc : Unable to set property "ro.vendor.ril.svdo" to "false": error code: 0xb veux: prop: set some props and fix log W libc : Unable to set property "ro.telephony.call_ring.multiple" to "false": error code: 0xb W libc : Unable to set property "ro.vendor.ril.svlte1x" to "false": error code: 0xb W libc : Unable to set property "ro.vendor.ril.svdo" to "false": error code: 0xb veux: sepolicy: fix some denials * Rearranges sepolicy/vendor/genfs_contexts properly too W libc : Access denied finding property "ro.miui.singlesim" W libc : Access denied finding property "ro.product.marketname" W libc : Access denied finding property "ro.miui.ui.version.code" W libc : Access denied finding property "ro.hardware.chipname" W libc : Access denied finding property "ro.vendor.aware_available" W libc : Access denied finding property "ro.vendor.gfx.32bit.target" W libc : Access denied finding property 'wifi.interface' W binder:2540_3: type=1400 audit: avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_aware_available_prop:s0" dev="tmpfs" ino=1946 scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_aware_available_prop:s0 tclass=file permissive=0 E android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup63 (../../devices/virtual/misc/msm_g711mlaw/wakeup63): Permission denied E android.system.suspend@1.0-service: Error opening kernel wakelock stats for: wakeup58 (../../devices/virtual/misc/msm_amrwb/wakeup58): Permission denied veux: sepolicy: Allow perf hal to read graphics composer W/perf@2.2-servic(882): type=1400 audit(0.0:120396): avc: denied { search } for name="880" dev="proc" ino=394316 
scontext=u:r:vendor_hal_perf_default:s0 tcontext=u:r:hal_graphics_composer_default:s0 tclass=dir permissive=0 veux: sepolicy: fix denial avc: denied { read } for comm="e2fsck" name="sde26" dev="tmpfs" ino=15571 scontext=u:r:fsck:s0 tcontext=u:object_r:vendor_custom_ab_block_device:s0 tclass=blk_file permissive=0 avc: denied { read write } for comm="e2fsck" name="sde26" dev="tmpfs" ino=15571 scontext=u:r:fsck:s0 tcontext=u:object_r:vendor_custom_ab_block_device:s0 tclass=blk_file permissive=0 veux: sepolicy: Fix avc denials related to vendor/toolbox.te avc: denied { kill } for comm="mkswap" capability=5 scontext=u:r🧰s0 tcontext=u:r🧰s0 tclass=capability permissive=0 veux: sepolicy: Resolve system_app denial veux: sepolicy: KANG missing entries from sm8350-common 
Signed-off-by: nnippon99 Change-Id: Ica2495d4c2833b0c0509db802115ca720cc7511a --- sepolicy/private/linkerconfig.te | 1 + sepolicy/private/mediaprovider_app.te | 1 + sepolicy/private/property_contexts | 13 ++ sepolicy/private/service_contexts | 7 + sepolicy/private/system_app.te | 3 + sepolicy/private/vendor_qtelephony.te | 1 + sepolicy/private/vold_prepare_subdirs.te | 1 + sepolicy/vendor/appdomain.te | 1 + sepolicy/vendor/attributes | 7 + sepolicy/vendor/cameraserver.te | 1 + sepolicy/vendor/dataservice_app.te | 1 + sepolicy/vendor/dontaudit.te | 4 + sepolicy/vendor/file.te | 7 + sepolicy/vendor/file_contexts | 82 ++++++----- sepolicy/vendor/fsck.te | 2 + sepolicy/vendor/genfs_contexts | 137 +++++++++++------- sepolicy/vendor/hal_audio_default.te | 12 +- sepolicy/vendor/hal_camera_default.te | 21 +++ sepolicy/vendor/hal_cameraperf.te | 6 + sepolicy/vendor/hal_camerapostproc_xiaomi.te | 6 + sepolicy/vendor/hal_perf_default.te | 9 +- sepolicy/vendor/hal_secure_element_default.te | 2 + sepolicy/vendor/hal_sensors_default.te | 2 + sepolicy/vendor/hal_usb_qti.te | 1 + sepolicy/vendor/hwservice.te | 1 + sepolicy/vendor/hwservice_contexts | 13 ++ sepolicy/vendor/init.te | 10 ++ sepolicy/vendor/isolated_app.te | 1 + sepolicy/vendor/kernel.te | 1 + sepolicy/vendor/mediaserver.te | 1 + sepolicy/vendor/network_stack.te | 1 + sepolicy/vendor/platform_app.te | 25 +++- sepolicy/vendor/priv_app.te | 8 + sepolicy/vendor/property.te | 9 ++ sepolicy/vendor/property_contexts | 57 +++++--- sepolicy/vendor/rild.te | 3 + sepolicy/vendor/servicemanager.te | 4 + sepolicy/vendor/surfaceflinger.te | 3 + sepolicy/vendor/system_app.te | 12 ++ sepolicy/vendor/system_server.te | 7 + sepolicy/vendor/toolbox.te | 1 + sepolicy/vendor/untrusted_app.te | 6 + sepolicy/vendor/vdc.te | 1 + .../vendor_hal_camerapostproc_xiaomi.te | 1 + sepolicy/vendor/vendor_hal_perf_default.te | 1 + sepolicy/vendor/vendor_init.te | 2 + sepolicy/vendor/vendor_qtelephony.te | 4 + sepolicy/vendor/vendor_qti_init_shell.te 
| 7 + sepolicy/vendor/wcnss_service.te | 7 + sepolicy/vendor/zygote.te | 2 + 50 files changed, 400 insertions(+), 116 deletions(-) create mode 100644 sepolicy/private/linkerconfig.te create mode 100644 sepolicy/private/mediaprovider_app.te create mode 100644 sepolicy/private/property_contexts create mode 100644 sepolicy/private/service_contexts create mode 100644 sepolicy/private/vendor_qtelephony.te create mode 100644 sepolicy/private/vold_prepare_subdirs.te create mode 100644 sepolicy/vendor/appdomain.te create mode 100644 sepolicy/vendor/attributes create mode 100644 sepolicy/vendor/cameraserver.te create mode 100644 sepolicy/vendor/dataservice_app.te create mode 100644 sepolicy/vendor/dontaudit.te create mode 100644 sepolicy/vendor/fsck.te create mode 100644 sepolicy/vendor/hal_cameraperf.te create mode 100644 sepolicy/vendor/hal_camerapostproc_xiaomi.te create mode 100644 sepolicy/vendor/hal_secure_element_default.te create mode 100644 sepolicy/vendor/hal_usb_qti.te create mode 100644 sepolicy/vendor/isolated_app.te create mode 100644 sepolicy/vendor/kernel.te create mode 100644 sepolicy/vendor/mediaserver.te create mode 100644 sepolicy/vendor/network_stack.te create mode 100644 sepolicy/vendor/priv_app.te create mode 100644 sepolicy/vendor/rild.te create mode 100644 sepolicy/vendor/servicemanager.te create mode 100644 sepolicy/vendor/surfaceflinger.te create mode 100644 sepolicy/vendor/system_server.te create mode 100644 sepolicy/vendor/toolbox.te create mode 100644 sepolicy/vendor/untrusted_app.te create mode 100644 sepolicy/vendor/vdc.te create mode 100644 sepolicy/vendor/vendor_hal_camerapostproc_xiaomi.te create mode 100644 sepolicy/vendor/vendor_hal_perf_default.te create mode 100644 sepolicy/vendor/vendor_init.te create mode 100644 sepolicy/vendor/vendor_qtelephony.te create mode 100644 sepolicy/vendor/wcnss_service.te create mode 100644 sepolicy/vendor/zygote.te 
diff --git a/sepolicy/private/linkerconfig.te b/sepolicy/private/linkerconfig.te
new file mode 100644
index 0000000..7aaad9c
--- /dev/null
+++ b/sepolicy/private/linkerconfig.te
@@ -0,0 +1 @@
+allow linkerconfig linkerconfig:capability { sys_admin kill };
diff --git a/sepolicy/private/mediaprovider_app.te b/sepolicy/private/mediaprovider_app.te
new file mode 100644
index 0000000..9e38095
--- /dev/null
+++ b/sepolicy/private/mediaprovider_app.te
@@ -0,0 +1 @@
+allow mediaprovider_app radio_service:service_manager find;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..2a4c57f
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,13 @@
+# GLobal
+ro.boot.hwc u:object_r:exported_default_prop:s0
+ro.build.flavor u:object_r:build_prop:s0
+ro.product.mod_device u:object_r:build_prop:s0
+ro.product.marketname u:object_r:build_prop:s0
+
+# Hardware
+ro.hardware.chipname u:object_r:exported_default_prop:s0
+
+# MIUI
+ro.cust.test u:object_r:exported_system_prop:s0
+ro.miui. u:object_r:exported_system_prop:s0
+ro.fota.oem u:object_r:exported_system_prop:s0
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 0000000..4a8d172
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1,7 @@
+# IMS
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot1 u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.qtiradio.IQtiRadioStable/slot2 u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot1 u:object_r:vendor_hal_telephony_service:s0
+vendor.qti.hardware.radio.am.IQcRilAudio/slot2 u:object_r:vendor_hal_telephony_service:s0
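Review bot: `allow linkerconfig linkerconfig:capability { sys_admin kill };` grants CAP_SYS_ADMIN — effectively a root-equivalent capability — to a one-shot tool whose only job is to write ld.config.txt, and none of the denials quoted in the commit message involve linkerconfig, so nothing here shows it needs either capability to function. A capability probe that does not affect function is normally silenced rather than granted: `dontaudit linkerconfig self:capability { sys_admin kill };`, with `allow linkerconfig self:capability kill;` only if a denial proves kill is actually required. The platform policy may also carry a neverallow on sys_admin that this line would trip; the message says build errors were fixed, so confirm this rule was present in the build that passed.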
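Review bot: `ro.miui. u:object_r:exported_system_prop:s0` is a prefix entry, so every current and future ro.miui.* property gets a type whose purpose is to be readable outside the system domains, while the denials in the message name only ro.miui.singlesim and ro.miui.ui.version.code. List those two as exact entries instead of exporting the whole namespace, and add a `# exported for <reader domain>` comment so the next person knows who consumes them. The ro.build.flavor and ro.product.* entries may also duplicate or shadow prefix entries the platform property_contexts already has for ro.build. and ro.product.; an exact entry wins by longest match, but a duplicate of an existing exact entry is likely to be rejected when the files are merged, so check the combined output.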
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
index 2de0fb8..5fae7c8 100644
--- a/sepolicy/private/system_app.te
+++ b/sepolicy/private/system_app.te
@@ -2,3 +2,6 @@ hal_client_domain(system_app, hal_mlipay)
 allow system_app sysfs_zram:dir search;
 allow system_app sysfs_zram:file r_file_perms;
+
+# Allow settings to query qemu.hw.mainkeys
+get_prop(system_app, qemu_hw_prop)
diff --git a/sepolicy/private/vendor_qtelephony.te b/sepolicy/private/vendor_qtelephony.te
new file mode 100644
index 0000000..82cadc5
--- /dev/null
+++ b/sepolicy/private/vendor_qtelephony.te
@@ -0,0 +1 @@
+allow vendor_qtelephony vendor_hal_telephony_service:service_manager find;
diff --git a/sepolicy/private/vold_prepare_subdirs.te b/sepolicy/private/vold_prepare_subdirs.te
new file mode 100644
index 0000000..a4e4cd4
--- /dev/null
+++ b/sepolicy/private/vold_prepare_subdirs.te
@@ -0,0 +1 @@
+allow vold_prepare_subdirs checkin_data_file:dir relabelfrom;
diff --git a/sepolicy/vendor/appdomain.te b/sepolicy/vendor/appdomain.te
new file mode 100644
index 0000000..b510ce2
--- /dev/null
+++ b/sepolicy/vendor/appdomain.te
@@ -0,0 +1 @@
+get_prop(appdomain, vendor_camera_prop)
diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100644
index 0000000..b6c5ebf
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,7 @@
+# Camera
+attribute vendor_hal_cameraperf;
+attribute vendor_hal_cameraperf_client;
+attribute vendor_hal_cameraperf_server;
+attribute vendor_hal_camerapostproc_xiaomi;
+attribute vendor_hal_camerapostproc_xiaomi_client;
+attribute vendor_hal_camerapostproc_xiaomi_server;
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
new file mode 100644
index 0000000..39b2054
--- /dev/null
+++ b/sepolicy/vendor/cameraserver.te
@@ -0,0 +1 @@
+allow cameraserver property_socket:sock_file { write };
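Review bot: `get_prop(appdomain, vendor_camera_prop)` lets every app domain — untrusted_app and isolated_app included — read a vendor property type, when the message only says MiuiCamera needs it; the hal_camera_default hunk later in this patch pairs the HAL with platform_app and priv_app, which suggests those are the only intended readers. Scope it accordingly, e.g. `get_prop(priv_app, vendor_camera_prop)` and/or `get_prop(platform_app, vendor_camera_prop)`, with a comment naming the app and the property it reads. Apps are coredomain, so vendor_camera_prop must also be declared with vendor_public_prop() rather than vendor_internal_prop() for a system-side reader to survive the Treble neverallows; property.te is not on this page, so confirm how it is declared.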
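Review bot: `allow cameraserver property_socket:sock_file { write };` is only a fragment of what setting a property requires — set_prop(), as I recall, also grants `init:unix_stream_socket connectto` and `<type>:property_service set` on a named property type — so this either leaves the original failure in place or quietly grants half of an unreviewed capability. Either identify the property and write `set_prop(cameraserver, <prop_type>)` with a comment naming it, or, if the write attempt is harmless noise, `dontaudit cameraserver property_socket:sock_file write;`. cameraserver is a core (system) domain, so the rule also belongs under private/, as this patch already does for system_app, rather than vendor/.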
diff --git a/sepolicy/vendor/dataservice_app.te b/sepolicy/vendor/dataservice_app.te
new file mode 100644
index 0000000..44dd9dd
--- /dev/null
+++ b/sepolicy/vendor/dataservice_app.te
@@ -0,0 +1 @@
+allow vendor_dataservice_app vendor_hal_imsfactory_hwservice:hwservice_manager { find };
diff --git a/sepolicy/vendor/dontaudit.te b/sepolicy/vendor/dontaudit.te
new file mode 100644
index 0000000..84547c0
--- /dev/null
+++ b/sepolicy/vendor/dontaudit.te
@@ -0,0 +1,4 @@
+dontaudit {
+ hal_camera_default
+ rild
+} default_prop:file r_file_perms;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 25528eb..28d55fe 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -10,6 +10,13 @@ type camera_persist_file, vendor_persist_type, file_type;
 # Fingerprint
 type fingerprint_data_file, data_file_type, core_data_file_type, file_type;
+# KMSG
+type proc_last_kmsg, fs_type, proc_type;
+
+# Others
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type vendor_sysfs_iio, fs_type, sysfs_type;
+
 # Thermal
 type thermal_data_file, data_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index a0491e6..c6848dd 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,67 +1,77 @@
 # Audio
-/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
-/dev/elliptic(.*)? u:object_r:sound_device:s0
-/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
-/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
-/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/elliptic(.*)? u:object_r:sound_device:s0
+/dev/mius(.*)? u:object_r:sound_device:s0
+/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0
+/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
 # Battery
-/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
-/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
+/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
 # Bluetooth
-/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0
+/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0
 # Camera
-/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+/vendor/lib(64)?/libmialgoengine\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libipebpsstriping\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libipebpsstriping170\.so u:object_r:same_process_hal_file:s0
 # Hexagon DSP-side executable needed for Halide operation
 # This is labeled as public_adsprpcd_file as it needs to be read by apps
 # (e.g. Google Camera App)
-/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
+/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0
 # Fingerprint
-/dev/goodix_fp u:object_r:fingerprint_device:s0
-/dev/silead_fp u:object_r:fingerprint_device:s0
-/dev/silead_s.* u:object_r:fingerprint_device:s0
-/dev/silead_stub u:object_r:fingerprint_device:s0
-/dev/spidev.* u:object_r:fingerprint_device:s0
-/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
-/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/fpdump(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor_de/[0-9]+/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/goodix/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/silead(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/silead_fp u:object_r:fingerprint_device:s0
+/dev/silead_s.* u:object_r:fingerprint_device:s0
+/dev/silead_stub u:object_r:fingerprint_device:s0
+/dev/spidev.* u:object_r:fingerprint_device:s0
+/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpdump(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor_de/[0-9]+/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/silead(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0
 # IR
-/dev/ir_spi u:object_r:ir_spi_device:s0
+/dev/ir_spi u:object_r:ir_spi_device:s0
 # Label read_ahead_kb in /data partition
-/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/read_ahead_kb u:object_r:vendor_sysfs_scsi_host:s0
+/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/read_ahead_kb u:object_r:vendor_sysfs_scsi_host:s0
 # Label discard_max_bytes in /data partition
-/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_scsi_host:s0
+/sys/devices/platform/soc/4804000.ufshc/host0/target0:0:0/0:0:0:0/block/sda/queue/discard_max_bytes u:object_r:vendor_sysfs_scsi_host:s0
 # Mlipay
-/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
 # NFC
-/dev/pn553 u:object_r:nfc_device:s0
-/dev/pn54x u:object_r:nfc_device:s0
+/dev/pn553 u:object_r:nfc_device:s0
+/dev/pn54x u:object_r:nfc_device:s0
 # Sensors
-/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
+/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/us_prox.0/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
+/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0
 # Thermal
-/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
-/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0
 # Vibrator
-/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0
 # Xiaomi MAC
-/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
-/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0
+/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..59ae7b3
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,2 @@
+allow fsck fsck:capability kill;
+allow fsck vendor_custom_ab_block_device:blk_file { read write open ioctl };
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 8dc2c5b..e48887d 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
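Review bot: The new `/sys/bus/iio/devices` and `/sys/devices/.../iio:device*` entries only take effect if something runs restorecon over those paths, because sysfs is labeled through genfs_contexts — which is how every other sysfs node in this patch is handled. Unless an rc file already restorecons them (the pre-existing read_ahead_kb entries hint that one may exist), move them to genfs_contexts as prefix entries, e.g. `genfscon sysfs /bus/iio/devices u:object_r:vendor_sysfs_iio:s0`, dropping the `(/.*)?` tails, which genfscon does not interpret. The three libraries relabeled to same_process_hal_file become mappable as code into system-side processes, so say in a comment which client loads them in-process, e.g. `# Loaded in-process by the camera app; keep this list minimal`.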
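Review bot: `allow fsck vendor_custom_ab_block_device:blk_file { read write open ioctl };` grants unrestricted ioctl on the device; the platform fsck.te, as I recall, pairs blk_file ioctl with an `allowxperm` allowlist, and with no allowxperm rule for this source/target pair every ioctl is permitted. Add `allowxperm fsck vendor_custom_ab_block_device:blk_file ioctl { <the ioctls e2fsck actually issues> };` mirroring the platform list, and record which partition this is for (the quoted log names sde26) in a comment. `allow fsck fsck:capability kill;` is conventionally written `allow fsck self:capability kill;`.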
@@ -1,63 +1,100 @@
 # Battery
-genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0
+
+# Display
+genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq u:object_r:sysfs_msm_subsys:s0
+
 # Extcon sysfs
-genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /devices/platform/soc/soc:rt-pd-manager/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/soc:rt-pd-manager/extcon u:object_r:sysfs_extcon:s0
 # Fingerprint
-genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
-genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:vendor_sysfs_fingerprint:s0
-genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
-genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup_enable u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0
+
+# Graphics
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon[0-4]+/name u:object_r:vendor_sysfs_graphics:s0
+
+# kmsg
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
 # SSR
-genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
-genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0
 # Touchpanel
-genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0
+genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0
 # Wakeup nodes
-genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/dummy_hcd.0/usb1/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/dummy_hcd.0/usb1/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fpc1020/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_aac/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_alac/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrnb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwbplus/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_ape/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_evrc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711alaw/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711mlaw/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_multi_aac/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_qcelp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wma/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wmapro/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index 7e6e5a4..8d783b5 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
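Review bot: `genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon/extcon[0-4]+/name` will never match: genfscon paths are literal prefixes, not regular expressions, so `[0-4]+` is compared as those six characters and the WiredAccessoryManager errors quoted in the message will remain. Label the directory instead, `genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon u:object_r:vendor_sysfs_graphics:s0` (or sysfs_extcon, the platform type this hunk already uses for the other extcon nodes), which covers extcon0–3/name by prefix. The pre-existing `subsys[0-9]+` SSR entries this hunk only re-indents have the same problem, and `soc:qcom,gpubw/devfreq` is redundant with the `soc:qcom,gpubw` prefix line above it.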
@@ -1,13 +1,11 @@
 # Allow hal_audio_default to read vendor_persist_audio_file
-r_dir_file(hal_audio_default, vendor_persist_audio_file)
-
-r_dir_file(hal_audio_default, sysfs)
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
 binder_call(hal_audio_default, system_suspend_server)
-allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+r_dir_file(hal_audio_default, sysfs)
+r_dir_file(hal_audio_default, vendor_persist_audio_file)
 set_prop(hal_audio_default, vendor_audio_prop)
-
-allow hal_audio_default audio_socket:sock_file rw_file_perms;
-allow hal_audio_default sound_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index ec53a62..01d3439 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,7 +1,28 @@
+type vendor_hal_cameraperf_hwservice, hwservice_manager_type, protected_hwservice;
+type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
+
 r_dir_file(hal_camera_default, camera_persist_file)
 r_dir_file(hal_camera_default, mnt_vendor_file)
+get_prop(hal_camera_default, vendor_camera_prop)
 set_prop(hal_camera_default, vendor_camera_prop)
+hal_server_domain(hal_camera_default, vendor_hal_cameraperf)
+hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
+
+add_hwservice(hal_camera_server, vendor_hal_cameraperf_hwservice)
+add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+
+allow hal_camera_client vendor_hal_cameraperf_hwservice:hwservice_manager find;
+allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+
+allow hal_camera_default platform_app:binder { call transfer };
+allow hal_camera_default priv_app:binder { call transfer };
 allow hal_camera_default public_adsprpcd_file:file r_file_perms;
+allow hal_camera_default system_server:binder { call transfer };
 allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
+allow hal_camera_default vendor_xdsp_device:chr_file { ioctl open read write };
+
+dontaudit hal_camera_default property_type:file { getattr open map };
+allow hal_camera_default system_server:binder { call };
+allow hal_camera_default mnt_vendor_file:dir { search };
diff --git a/sepolicy/vendor/hal_cameraperf.te b/sepolicy/vendor/hal_cameraperf.te
new file mode 100644
index 0000000..375a101
--- /dev/null
+++ b/sepolicy/vendor/hal_cameraperf.te
@@ -0,0 +1,6 @@
+binder_call(vendor_hal_cameraperf_client, vendor_hal_cameraperf_server)
+binder_call(vendor_hal_cameraperf_server, vendor_hal_cameraperf_client)
+
+add_hwservice(vendor_hal_cameraperf_server, vendor_hal_cameraperf_hwservice)
+
+allow vendor_hal_cameraperf_client vendor_hal_cameraperf_hwservice:hwservice_manager find;
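Review bot: `type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;` on the second added line omits `protected_hwservice`, unlike the cameraperf type declared directly above it; in AOSP policy, as far as I recall, an hwservice type without that attribute is findable by every app domain including untrusted apps, so the post-processing service would be exposed well beyond the platform_app/priv_app clients that get explicit `find` rules elsewhere in this commit. Declare it as `type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type, protected_hwservice;` since the explicit client rules make the broad exposure unnecessary. The last two added lines, `allow hal_camera_default system_server:binder { call };` and `allow hal_camera_default mnt_vendor_file:dir { search };`, are already covered by the `{ call transfer }` rule and the `r_dir_file(hal_camera_default, mnt_vendor_file)` context line in this same hunk and can be dropped. `dontaudit hal_camera_default property_type:file { getattr open map };` silences access to every property type; narrowing it to the specific prop types the HAL actually touches keeps real denials visible.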
diff --git a/sepolicy/vendor/hal_camerapostproc_xiaomi.te b/sepolicy/vendor/hal_camerapostproc_xiaomi.te
new file mode 100644
index 0000000..6fa00ac
--- /dev/null
+++ b/sepolicy/vendor/hal_camerapostproc_xiaomi.te
@@ -0,0 +1,6 @@
+binder_call(vendor_hal_camerapostproc_xiaomi_client, vendor_hal_camerapostproc_xiaomi_server)
+binder_call(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_client)
+
+add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te
index 5d19e84..a0689f7 100644
--- a/sepolicy/vendor/hal_perf_default.te
+++ b/sepolicy/vendor/hal_perf_default.te
@@ -1,5 +1,12 @@
+r_dir_file(vendor_hal_perf_default, system_server)
+
 allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms;
 allow vendor_hal_perf_default hal_audio_default:file r_file_perms;
 allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
 allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
-allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_camera_default:dir { read open };
+allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
+allow vendor_hal_perf_default sysfs_thermal:file w_file_perms;
+allow vendor_hal_perf_default ctl_start_prop:property_service { set };
+allow vendor_hal_perf_default ctl_stop_prop:property_service { set };
diff --git a/sepolicy/vendor/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..3c59706
--- /dev/null
+++ b/sepolicy/vendor/hal_secure_element_default.te
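Review bot: `allow vendor_hal_perf_default ctl_start_prop:property_service { set };` and the matching `ctl_stop_prop` line let the perf HAL start and stop any init service whose `ctl.start$`/`ctl.stop$` key has not been given a more specific label, which is far more control over init than a performance HAL should hold. Prefer labelling the specific service keys this HAL needs (`ctl.start$<svc>` / `ctl.stop$<svc>`) with a dedicated vendor property type in property_contexts and granting `set` on that type only. `allow vendor_hal_perf_default sysfs_thermal:file w_file_perms;` likewise grants writes on every node carrying that label; if a single thermal knob is being tuned, a narrower genfscon label is the safer grant. `r_dir_file(vendor_hal_perf_default, system_server)` on the first added line gives a vendor domain read access to system_server's /proc entries, presumably for scheduler or cgroup files; a comment naming the file would make that auditable.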
@@ -0,0 +1,2 @@
+# Allow Secure Element hal to access /date/vendor/nfc/
+r_dir_file(hal_secure_element_default, vendor_nfc_vendor_data_file)
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index 3640403..4b53b97 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -8,5 +8,7 @@ allow hal_sensors_default audio_socket:sock_file rw_file_perms;
 allow hal_sensors_default socket_device:sock_file rw_file_perms;
 allow hal_sensors_default sound_device:chr_file rw_file_perms;
 allow hal_sensors_default iio_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
 get_prop(hal_sensors_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hal_usb_qti.te b/sepolicy/vendor/hal_usb_qti.te
new file mode 100644
index 0000000..074717d
--- /dev/null
+++ b/sepolicy/vendor/hal_usb_qti.te
@@ -0,0 +1 @@
+allow vendor_hal_usb_qti vendor_sysfs_iio:dir search;
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
index 158b6cc..4d6e0f4 100644
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -1 +1,2 @@
 type hal_mlipay_hwservice, hwservice_manager_type;
+type hal_rilnv_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 70fa5a0..7758fdf 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,3 +1,7 @@
+# Camera
+vendor.xiaomi.hardware.cameraperf::IMiCameraPerfService u:object_r:vendor_hal_cameraperf_hwservice:s0
+vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+
 # Fingerprint
 com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
 com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0
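Review bot: The comment on the first added line of hal_secure_element_default.te reads `/date/vendor/nfc/`, which is presumably a typo for `/data/vendor/nfc/`; change it to `# Allow Secure Element hal to access /data/vendor/nfc/`. The rule itself only grants read access through `r_dir_file`, which matches the comment once the path is corrected.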
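Review bot: `type hal_rilnv_hwservice, hwservice_manager_type;` in hwservice.te lacks `protected_hwservice`, so if the base policy still carries the AOSP rule that lets app domains find any unprotected hwservice, the qcriNvOpt NV-access interface that rild registers becomes discoverable by untrusted apps. Declare it as `type hal_rilnv_hwservice, hwservice_manager_type, protected_hwservice;` and add an explicit `find` rule for the single client domain that produced the denial, as the existing `hal_mlipay_hwservice` line above it should arguably also have.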
@@ -8,7 +12,16 @@ vendor.silead.hardware.fingerprintext::ISileadFingerprint u:object_r:hal_f
 # Mlipay
 vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.misys::IMiSys u:object_r:hal_mlipay_hwservice:s0
 # NFC
 vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
 vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:hal_nfc_hwservice:s0
+
+# Radio
+vendor.qti.hardware.radio.qcriNvOpt::IqcriNvOpt u:object_r:hal_rilnv_hwservice:s0
+vendor.qti.hardware.radio.ims::IImsRadio u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_hwservice:s0
+ro.vendor.ril.svlte1x u:object_r:vendor_radio_prop:s0
+ro.vendor.ril.svdo u:object_r:vendor_radio_prop:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index f0426a4..76afec8 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -3,3 +3,13 @@ allow init debugfs_tracing_debug:dir mounton;
 # Allow init to set read_ahead_kb and discard_max_bytes on /data partition
 allow init vendor_sysfs_scsi_host:file w_file_perms;
+
+allow init debugfs_tracing_debug:dir mounton;
+
+# /proc/last_kmsg
+allow init proc_last_kmsg:file r_file_perms;
+allow init proc_last_kmsg:file setattr;
+
+allow init vendor_file:file execute;
+
+allow init hwservicemanager:binder { call transfer };
diff --git a/sepolicy/vendor/isolated_app.te b/sepolicy/vendor/isolated_app.te
new file mode 100644
index 0000000..9cb8dc8
--- /dev/null
+++ b/sepolicy/vendor/isolated_app.te
@@ -0,0 +1 @@
+allow isolated_app app_data_file:file { read write getattr lock setattr };
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..8778c93
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1 @@
+dontaudit kernel mnt_vendor_file:dir search;
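Review bot: The last two added lines in hwservice_contexts, `ro.vendor.ril.svlte1x u:object_r:vendor_radio_prop:s0` and `ro.vendor.ril.svdo u:object_r:vendor_radio_prop:s0`, are property keys mapped to a property type, but this file only accepts hwservice names mapped to an `hwservice_manager_type`; they belong in property_contexts and will either be rejected by the contexts checker or never take effect here. `vendor.xiaomi.hardware.misys::IMiSys u:object_r:hal_mlipay_hwservice:s0` reuses the payment service's type for an unrelated interface, so every domain allowed to find IMlipayService can now also find IMiSys; a dedicated `hal_misys_hwservice` type keeps those grants separable. The `vendor.qti.hardware.radio.ims.IImsRadio/imsradio0` and `/imsradio1` entries use the `Interface/instance` form of AIDL service names rather than the `package::Interface` form used by the rest of this file, so they may be intended for service_contexts instead; worth confirming against the denial that motivated them.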
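Review bot: `allow init vendor_file:file execute;` and `allow init hwservicemanager:binder { call transfer };` in init.te grant init two things it does not normally need: executing files under the catch-all `vendor_file` label, and talking binder to hwservicemanager. The execute rule is usually a symptom of a vendor binary launched from an .rc file that is missing a file_contexts entry with its own exec type and domain; labelling that binary and giving it a domain transition is the fix, and I would expect the binder rule to be a similar symptom of a process still running as init that should have transitioned. `allow init debugfs_tracing_debug:dir mounton;` duplicates the line shown in the hunk header and can be dropped.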
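Review bot: `allow isolated_app app_data_file:file { read write getattr lock setattr };` adds `setattr` to the sandboxed renderer domain, letting an isolated process change mode, ownership or timestamps of app data files it receives by fd, and nothing visible here shows the feature failing without it. The safer handling is `dontaudit isolated_app app_data_file:file setattr;` to quiet the log while keeping the isolated sandbox as tight as the base policy intends. The rule correctly omits `open`, which AOSP neverallows for isolated_app on app data as far as I recall, so it should stay that way if the rule is kept.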
diff --git a/sepolicy/vendor/mediaserver.te b/sepolicy/vendor/mediaserver.te
new file mode 100644
index 0000000..2df4ba3
--- /dev/null
+++ b/sepolicy/vendor/mediaserver.te
@@ -0,0 +1 @@
+allow mediaserver package_native_service:service_manager find;
diff --git a/sepolicy/vendor/network_stack.te b/sepolicy/vendor/network_stack.te
new file mode 100644
index 0000000..17fcac8
--- /dev/null
+++ b/sepolicy/vendor/network_stack.te
@@ -0,0 +1 @@
+allow network_stack proc_net:file rw_file_perms;
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
index fe0c352..683dc65 100644
--- a/sepolicy/vendor/platform_app.te
+++ b/sepolicy/vendor/platform_app.te
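Review bot: `allow network_stack proc_net:file rw_file_perms;` grants write as well as read on every node carrying the `proc_net` label, and no write denial for network_stack is given to justify it. If the denial was a read, `allow network_stack proc_net:file r_file_perms;` is enough; if a write really is needed, the specific node should be named in a comment so the grant can be checked against it.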
@@ -1,3 +1,26 @@
-allow platform_app vendor_hal_soter_hwservice:hwservice_manager find;
+typeattribute platform_app system_executes_vendor_violators;
+typeattribute platform_app halclientdomain;
+typeattribute platform_app vendor_hal_camerapostproc_xiaomi_client;
 binder_call(platform_app, vendor_hal_soter_qti)
+
+allow platform_app adsprpcd_file:dir { getattr open read search };
+allow platform_app adsprpcd_file:file { getattr open read };
+allow platform_app app_data_file:file { execute };
+allow platform_app hal_camera_default:binder { call transfer };
+allow platform_app hal_camera_default:fd *;
+allow platform_app servicemanager:binder { call transfer };
+allow platform_app vendor_audio_prop:file { getattr open read map };
+allow platform_app vendor_camera_data_file:dir { append map r_dir_perms write };
+allow platform_app vendor_display_prop:file { getattr open read map };
+allow platform_app vendor_hal_camerapostproc_xiaomi:binder { call transfer };
+allow platform_app vendor_hal_camerapostproc_xiaomi:fd *;
+allow platform_app vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow platform_app vendor_file:file { read open getattr map execute};
+allow platform_app vendor_hal_soter_hwservice:hwservice_manager find;
+allow platform_app vendor_qdsp_device:chr_file { ioctl open read write };
+allow platform_app vendor_xdsp_device:chr_file { ioctl open read write };
+
+get_prop(platform_app, vendor_camera_prop)
+get_prop(platform_app, vendor_fingerprint_prop)
+allow platform_app vendor_sys_video_prop:file { read };
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
new file mode 100644
index 0000000..d010969
--- /dev/null
+++ b/sepolicy/vendor/priv_app.te
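Review bot: `allow platform_app app_data_file:file { execute };` lets every platform-signed app execute code out of its writable data directory, undoing the W^X separation Android applies to app home directories, and `allow platform_app vendor_file:file { read open getattr map execute};` together with the `vendor_qdsp_device`/`vendor_xdsp_device` chr_file rules hands the same apps direct access to vendor binaries and raw ioctls on the DSP device nodes. If these are all for one vendor camera app, a dedicated app domain assigned via seapp_contexts for that package confines the grants to one signer and one process instead of the whole platform_app class. `allow platform_app vendor_camera_data_file:dir { append map r_dir_perms write };` is also malformed in intent: `append` and `map` do nothing useful on a directory, and `write` without `add_name`/`remove_name` cannot create or delete entries, so either spell out `create_dir_perms` or drop the extra bits.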
@@ -0,0 +1,8 @@
+dontaudit priv_app mnt_vendor_file:dir search;
+
+allow priv_app hal_camera_default:binder { call transfer };
+allow priv_app hal_camera_default:fd *;
+allow priv_app vendor_audio_prop:file { getattr open read map };
+allow priv_app vendor_display_prop:file { getattr open read map };
+allow priv_app vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow priv_app vendor_qdsp_device:chr_file { ioctl open read write };
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index e3c449b..c38e9ab 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,5 +1,14 @@
+# Aware
+vendor_restricted_prop(vendor_aware_available_prop);
+
 # Fingerprint
 vendor_restricted_prop(vendor_fingerprint_prop)
 # Thermal
 vendor_internal_prop(vendor_thermal_normal_prop)
+
+# IMEI
+vendor_internal_prop(vendor_deviceid_prop);
+
+# Serial number
+vendor_internal_prop(vendor_sno_prop);
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 331e450..9dd531a 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
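Review bot: `allow priv_app hal_camera_default:binder { call transfer };` and `allow priv_app vendor_qdsp_device:chr_file { ioctl open read write };` let every privileged app bypass cameraserver to talk to the camera HAL directly and open a raw ioctl surface into the vendor DSP driver, which is exactly the framework/vendor crossing Treble is meant to remove. If one specific app needs this, give it its own domain through seapp_contexts rather than widening priv_app as a whole. Each remaining rule in this new file should carry a comment naming the app and interface that requires it, since nothing in the file says why a priv_app needs `vendor_hal_camerapostproc_xiaomi_hwservice` or the vendor audio/display props.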
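Review bot: The three new macro invocations in property.te end in a semicolon (`vendor_restricted_prop(vendor_aware_available_prop);`, `vendor_internal_prop(vendor_deviceid_prop);`, `vendor_internal_prop(vendor_sno_prop);`) while the existing lines in the same hunk do not; these m4 macros already expand to complete statements, so the trailing `;` is at best a stray empty statement and inconsistent with the file. Drop the semicolons to match `vendor_internal_prop(vendor_thermal_normal_prop)`. Since the IMEI and serial-number types are `vendor_internal_prop`, only vendor domains can read them; a one-line comment naming the expected vendor readers would help whoever next sees a denial on them.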
@@ -1,32 +1,47 @@
+# Aware
+ro.vendor.aware_available u:object_r:vendor_aware_available_prop:s0
+
 # Camera
-camera. u:object_r:vendor_camera_prop:s0
-persist.camera. u:object_r:vendor_camera_prop:s0
-ro.boot.camera.config u:object_r:vendor_camera_prop:s0
-ro.camera. u:object_r:vendor_camera_prop:s0
-ro.vendor.camera. u:object_r:vendor_camera_prop:s0
-vendor.camera.config. u:object_r:vendor_camera_prop:s0
-vendor.camera.sensor. u:object_r:vendor_camera_prop:s0
+camera. u:object_r:vendor_camera_prop:s0
+persist.camera. u:object_r:vendor_camera_prop:s0
+ro.boot.camera.config u:object_r:vendor_camera_prop:s0
+ro.camera. u:object_r:vendor_camera_prop:s0
+ro.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.config. u:object_r:vendor_camera_prop:s0
+vendor.camera.sensor. u:object_r:vendor_camera_prop:s0
+sys.boot.hwc u:object_r:vendor_camera_prop:s0
 # Fingerprint
-gf.debug. u:object_r:vendor_fingerprint_prop:s0
-persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
-ro.hardware.fp. u:object_r:vendor_fingerprint_prop:s0
-sys.fp.vendor u:object_r:vendor_fingerprint_prop:s0
-vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
-vendor.silead.fp.ext. u:object_r:vendor_fingerprint_prop:s0
+gf.debug. u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
+ro.hardware.fp. u:object_r:vendor_fingerprint_prop:s0
+sys.fp.vendor u:object_r:vendor_fingerprint_prop:s0
+vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0
+vendor.silead.fp.ext. u:object_r:vendor_fingerprint_prop:s0
+
+# Graphics
+ro.vendor.gfx.32bit.target u:object_r:vendor_default_prop:s0
 # Mlipay
-persist.vendor.sys.pay. u:object_r:vendor_tee_listener_prop:s0
-persist.vendor.sys.provision.status u:object_r:vendor_tee_listener_prop:s0
+persist.vendor.sys.pay. u:object_r:vendor_tee_listener_prop:s0
+persist.vendor.sys.provision.status u:object_r:vendor_tee_listener_prop:s0
 # RIL
-odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
-odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
-odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status. u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0
+odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0
+ro.vendor.oem.imei u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.imei1 u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.imei2 u:object_r:vendor_deviceid_prop:s0
+
+# Serial number
+ro.vendor.oem.sno u:object_r:vendor_sno_prop:s0
+ro.vendor.oem.psno u:object_r:vendor_sno_prop:s0
 # Thermal
-vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
+vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0
 # Wi-Fi
-ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
-ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
+ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0
+ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0
+wifi.interface u:object_r:wifi_hal_prop:s0
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..dca6f88
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,3 @@
+add_hwservice(rild, hal_rilnv_hwservice)
+set_prop(rild, vendor_deviceid_prop)
+set_prop(rild, vendor_sno_prop)
diff --git a/sepolicy/vendor/servicemanager.te b/sepolicy/vendor/servicemanager.te
new file mode 100644
index 0000000..3e51d63
--- /dev/null
+++ b/sepolicy/vendor/servicemanager.te
@@ -0,0 +1,4 @@
+allow servicemanager platform_app:binder { call transfer };
+allow servicemanager platform_app:dir search;
+allow servicemanager platform_app:file { read open };
+allow servicemanager platform_app:process getattr;
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
new file mode 100644
index 0000000..66c0505
--- /dev/null
+++ b/sepolicy/vendor/surfaceflinger.te
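Review bot: `sys.boot.hwc u:object_r:vendor_camera_prop:s0` and `wifi.interface u:object_r:wifi_hal_prop:s0` label properties outside the vendor namespaces (`vendor.`, `persist.vendor.`, `ro.vendor.`, …) from the vendor property_contexts; `sys.` is a system-owned prefix and `wifi.interface` is, as far as I recall, already labelled by the platform policy, so these entries are either rejected by the property namespace check or duplicate/shadow a platform label. If a vendor component needs `sys.boot.hwc`, renaming it to `vendor.boot.hwc` or `ro.vendor.boot.hwc` is the Treble-compliant fix. `ro.vendor.gfx.32bit.target u:object_r:vendor_default_prop:s0` appears to be a no-op, since `vendor_default_prop` is the fallback label for unlisted vendor properties. The remaining `-`/`+` pairs look identical in content and are presumably alignment-only rewrites, which bury the real changes; keeping the old alignment or splitting the reformat into its own commit would make this hunk reviewable.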
@@ -0,0 +1,3 @@
+allow surfaceflinger vendor_firmware_file:dir search;
+dontaudit surfaceflinger vendor_firmware_file:file r_file_perms;
+allow surfaceflinger hal_graphics_composer_default:file r_file_perms;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index b21b347..57ea845 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -1 +1,13 @@
+allow system_app sysfs_thermal:file rw_file_perms;
+
 allow system_app proc_pagetypeinfo:file r_file_perms;
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file r_file_perms;
+
+# vendor_aware_prop
+get_prop(system_app, vendor_aware_available_prop);
+
+binder_call(system_app, hal_audio_default)
+binder_call(system_app, hal_vibrator_default)
+binder_call(system_app, hal_wifi_supplicant_default)
+binder_call(system_app, wificond)
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..c0de81d
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,7 @@
+allow system_server hal_camera_default:binder { call transfer };
+allow system_server hal_camera_default:fd *;
+
+# /proc/last_kmsg
+allow system_server proc_last_kmsg:file r_file_perms;
+
+allow system_server system_file:file r_file_perms;
diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te
new file mode 100644
index 0000000..81d65cd
--- /dev/null
+++ b/sepolicy/vendor/toolbox.te
@@ -0,0 +1 @@
+allow toolbox toolbox:capability { sys_admin kill };
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
new file mode 100644
index 0000000..06908be
--- /dev/null
+++ b/sepolicy/vendor/untrusted_app.te
@@ -0,0 +1,6 @@
+dontaudit untrusted_app proc:file r_file_perms;
+
+allow untrusted_app proc_zoneinfo:file { read };
+allow untrusted_app tmpfs:lnk_file { read };
+allow untrusted_app shell_test_data_file:dir { search };
+allow untrusted_app app_data_file:file { execute };
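Review bot: `binder_call(system_app, hal_wifi_supplicant_default)` and `binder_call(system_app, wificond)` in system_app.te let every app running as the system UID talk to the supplicant HAL and wificond directly, bypassing WifiService in system_server, which in AOSP is the intended sole client of both as far as I recall; the audio and vibrator HAL calls raise the same concern to a lesser degree. These should be attributed to the specific system app that needs them (a dedicated domain via seapp_contexts) or routed through the framework API. `allow system_app sysfs_thermal:file rw_file_perms;` on the first added line also gives all system apps write access to every thermal sysfs node; if a single knob is written, label it separately and grant on that label. `get_prop(system_app, vendor_aware_available_prop);` carries a trailing semicolon that the other macro lines in this file do not.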
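Review bot: `allow system_server hal_camera_default:binder { call transfer };` and the `fd *` line in system_server.te let system_server bind directly to the camera HAL, a coredomain-to-vendor crossing that AOSP routes through cameraserver; if a vendor camera feature in the framework is what triggered the denial, putting that call behind cameraserver or a `hal_client_domain` attribute is cleaner than a raw binder grant. `allow system_server system_file:file r_file_perms;` should already be covered by the base `domain` rules for `system_file` and can be dropped if the build confirms it is redundant.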
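Review bot: `allow toolbox toolbox:capability { sys_admin kill };` grants CAP_SYS_ADMIN, which is effectively root-equivalent, to the generic toolbox domain that many init-script commands run under, so every such command inherits it. The denial behind this should be traced to the exact operation (a mount, an ioctl, a cgroup write) and handled by running that command in a dedicated domain with the narrowest permission, or from init/vendor_init which typically already hold what is needed. If only the kill half is actually required, write it as `allow toolbox self:capability kill;`, matching the `self:capability kill` form used for vdc and zygote elsewhere in this commit.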
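Review bot: `allow untrusted_app app_data_file:file { execute };` lets every third-party app execute files from its writable data directory; AOSP restricts executing from app home directories for apps targeting Q and later, so if the base policy neverallows this the build fails, and if it merely omits it this rule reopens arbitrary-code loading for all untrusted apps. Whatever app needed it should instead land in the legacy `untrusted_app_25`/`untrusted_app_27` domains via its manifest target SDK, not be granted here. `dontaudit untrusted_app proc:file r_file_perms;` on the first line hides all reads of generic `proc` files from untrusted apps, which will mask future denials worth seeing, and `allow untrusted_app proc_zoneinfo:file { read };` re-exposes a node the base policy appears to have deliberately labelled apart from `proc` to keep it away from apps.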
diff --git a/sepolicy/vendor/vdc.te b/sepolicy/vendor/vdc.te
new file mode 100644
index 0000000..ec5fb3d
--- /dev/null
+++ b/sepolicy/vendor/vdc.te
@@ -0,0 +1 @@
+allow vdc self:capability kill;
diff --git a/sepolicy/vendor/vendor_hal_camerapostproc_xiaomi.te b/sepolicy/vendor/vendor_hal_camerapostproc_xiaomi.te
new file mode 100644
index 0000000..efd1884
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_camerapostproc_xiaomi.te
@@ -0,0 +1 @@
+allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..aa21090
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1 @@
+allow vendor_hal_perf_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..833d052
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+allow vendor_init proc_dirty:file rw_file_perms;
+allow vendor_init block_device:lnk_file setattr;
diff --git a/sepolicy/vendor/vendor_qtelephony.te b/sepolicy/vendor/vendor_qtelephony.te
new file mode 100644
index 0000000..f9be619
--- /dev/null
+++ b/sepolicy/vendor/vendor_qtelephony.te
@@ -0,0 +1,4 @@
+allow vendor_qtelephony hal_telephony_hwservice:hwservice_manager find;
+set_prop(vendor_qtelephony, radio_prop)
+
+allow vendor_qtelephony vendor_hal_datafactory_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
index 1b25678..9a61c4e 100644
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
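Review bot: The new vendor_hal_perf_default.te adds a rule for `vendor_hal_perf_default` while this same commit extends hal_perf_default.te for the same domain, so the domain's policy is now split across two files with inconsistent names. Move `allow vendor_hal_perf_default sysfs_msm_subsys:dir search;` into hal_perf_default.te (or rename that file to match the domain) so a reader looking for the domain's rules finds them in one place.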
@@ -2,3 +2,10 @@ allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set;
 allow vendor_qti_init_shell vendor_wifi_vendor_data_file:dir search;
 allow vendor_qti_init_shell vendor_wifi_vendor_data_file:file r_file_perms;
+allow vendor_qti_init_shell configfs:dir rw_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell ctl_stop_prop:property_service set;
+allow vendor_qti_init_shell sysfs_wakeup:file setattr;
+allow vendor_qti_init_shell sysfs:file { setattr write };
+allow vendor_qti_init_shell proc_watermark_scale_factor:file w_file_perms;
+allow vendor_qti_init_shell proc_watermark_boost_factor:file w_file_perms;
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
new file mode 100644
index 0000000..7f5315a
--- /dev/null
+++ b/sepolicy/vendor/wcnss_service.te
@@ -0,0 +1,7 @@
+allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:dir { search write add_name remove_name };
+allow vendor_wcnss_service vendor_data_file:dir create_dir_perms;
+allow vendor_wcnss_service vendor_data_file:file create_file_perms;
+
+allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:dir create_dir_perms;
+allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:sock_file create_file_perms;
+allow vendor_wcnss_service property_socket:sock_file write;
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
new file mode 100644
index 0000000..35530e0
--- /dev/null
+++ b/sepolicy/vendor/zygote.te
@@ -0,0 +1,2 @@
+allow zygote self:capability kill;
+allow zygote adsprpcd_file:dir { search };
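Review bot: `allow vendor_qti_init_shell sysfs:file { setattr write };` grants write and chmod/chown on every node still carrying the generic `sysfs` label, which is precisely the broad grant the many `genfscon` additions earlier in this commit exist to avoid; the node(s) the init shell script writes should get their own genfscon label and a targeted rule, as was done for `sysfs_wakeup` on the line above it. `allow vendor_qti_init_shell ctl_stop_prop:property_service set;` likewise lets the script stop any init service; label the specific `ctl.stop$<svc>` key with its own type and grant on that. The `configfs:dir rw_dir_perms` / `configfs:file create_file_perms` pair is presumably USB gadget setup and is reasonable, but a comment naming the script and path would make each of these auditable later.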
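Review bot: `allow vendor_wcnss_service property_socket:sock_file write;` on the last line of wcnss_service.te grants only the socket-write third of setting a property; without `unix_stream_socket connectto` on init and a `property_service set` rule on a named property type the set still fails, and spelling it out by hand leaves the property type unnamed. Use `set_prop(vendor_wcnss_service, <specific vendor prop type>)` instead, which grants exactly those three pieces. The first line, `allow vendor_wcnss_service vendor_wifi_vendor_wpa_socket:dir { search write add_name remove_name };`, is a strict subset of the `create_dir_perms` rule on the same type four lines later and can be removed, and the `vendor_data_file:dir create_dir_perms` / `file create_file_perms` pair on the generic `/data/vendor` label would be better aimed at the `vendor_wifi_vendor_data_file` label that the vendor_qti_init_shell context lines above show already exists.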