diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index d79dbd6..0b31f1f 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -154,8 +154,7 @@ TARGET_RECOVERY_DEVICE_MODULES := libinit_msm8953
 
 # Kernel
 TARGET_COMPILE_WITH_MSM_KERNEL := true
-BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=30 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 androidboot.bootdevice=7824900.sdhci firmware_class.path=/vendor/firmware_mnt/image loop.max_part=16
-BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 androidboot.hardware=qcom user_debug=30 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 androidboot.bootdevice=7824900.sdhci loop.max_part=16
 BOARD_KERNEL_BASE := 0x80000000
 BOARD_KERNEL_PAGESIZE := 2048
 BOARD_KERNEL_TAGS_OFFSET := 0x00000100
@@ -208,8 +207,9 @@ CUSTOM_APNS_FILE := $(COMMON_PATH)/configs/sprint_apns.xml
 BOARD_ROOT_EXTRA_FOLDERS := persist
 
 # SELinux
-#include device/qcom/sepolicy-legacy-um/sepolicy.mk
+include device/qcom/sepolicy-legacy-um/sepolicy.mk
 BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
 
 # Wifi
 BOARD_HAS_QCOM_WLAN := true
diff --git a/rootdir/etc/init.target.rc b/rootdir/etc/init.target.rc
index d2b0f8c..7c06490 100644
--- a/rootdir/etc/init.target.rc
+++ b/rootdir/etc/init.target.rc
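Review bot: The rewritten `BOARD_KERNEL_CMDLINE` drops `firmware_class.path=/vendor/firmware_mnt/image` together with the `androidboot.selinux=permissive` line, and nothing in the diff says the first removal was intended; without that argument the kernel's firmware loader falls back to its default search paths, so any firmware that only lives under /vendor/firmware_mnt/image may stop loading. If it is deliberate (for example because file_contexts now labels `/firmware/image` instead), say so in the commit message; otherwise keep `... androidboot.bootdevice=7824900.sdhci firmware_class.path=/vendor/firmware_mnt/image loop.max_part=16`. Since this same commit moves the device from permissive to enforcing, any denial that was only logged before is now a hard failure, so it is worth stating which boot paths (normal, charger mode, recovery) were tested enforcing.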
@@ -68,7 +68,9 @@ on fs
 chmod 0771 /mnt/vendor/persist
 mkdir /mnt/vendor/persist/data 0700 system system
 mkdir /mnt/vendor/persist/bms 0700 root system
- restorecon_recursive /persist
+ # Reloading context for NPI uses /mnt/vendor/persist
+ exec u:r:vendor_toolbox:s0 root audio bluetooth graphics media net_raw system vendor_rfs vendor_rfs_shared -- /vendor/bin/toybox_vendor find /mnt/vendor/persist -type d -exec /vendor/bin/toybox_vendor setfattr -x security.sehash {} \;
+ restorecon_recursive /mnt/vendor/persist
 write /proc/sys/vm/swappiness 100
 #write /sys/kernel/boot_adsp/boot 1
 
diff --git a/sepolicy/private/app.te b/sepolicy/private/app.te
new file mode 100644
index 0000000..5cfea1a
--- /dev/null
+++ b/sepolicy/private/app.te
@@ -0,0 +1,2 @@
+# Allow appdomain to get persist_camera_prop
+get_prop(appdomain, persist_camera_prop)
diff --git a/sepolicy/private/hwservice_contexts b/sepolicy/private/hwservice_contexts
new file mode 100644
index 0000000..80f2a07
--- /dev/null
+++ b/sepolicy/private/hwservice_contexts
@@ -0,0 +1,2 @@
+vendor.nxp.nxpese::INxpEse u:object_r:nxpese_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc u:object_r:nxpnfc_hwservice:s0
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..f8a3fd4
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1 @@
+get_prop(system_app, persist_camera_prop);
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
new file mode 100644
index 0000000..141c9e7
--- /dev/null
+++ b/sepolicy/private/system_server.te
@@ -0,0 +1 @@
+get_prop(system_server, persist_camera_prop)
diff --git a/sepolicy/private/untrusted_app.te b/sepolicy/private/untrusted_app.te
new file mode 100644
index 0000000..3c427fa
--- /dev/null
+++ b/sepolicy/private/untrusted_app.te
@@ -0,0 +1 @@
+get_prop(untrusted_app, persist_camera_prop)
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
new file mode 100644
index 0000000..055cc40
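Review bot: The new `exec` line runs toybox find/setfattr as root with eight supplementary groups (audio, bluetooth, graphics, media, net_raw, system, vendor_rfs, vendor_rfs_shared) that stripping `security.sehash` from directories under /mnt/vendor/persist does not need; an init `exec` should carry only what the command requires, so trim it to `exec u:r:vendor_toolbox:s0 root root -- /vendor/bin/toybox_vendor find /mnt/vendor/persist -type d -exec /vendor/bin/toybox_vendor setfattr -x security.sehash {} \;` unless a specific group is known to be required for traversal, in which case name it in the comment. The comment should also say why the xattr is removed, presumably so that the following `restorecon_recursive` revisits every directory instead of skipping ones whose stored hash still matches, since that is the non-obvious reason the line exists. The old `restorecon_recursive /persist` is replaced rather than kept, so nothing under /persist is relabeled here any more; confirm that path is only a symlink to /mnt/vendor/persist on this target. The `on fs` section continues outside the hunk.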
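Review bot: `get_prop(appdomain, persist_camera_prop)` already covers every app domain, so the separate `sepolicy/private/untrusted_app.te` and `sepolicy/private/system_app.te` grants of the same property in this commit are redundant and should be dropped to keep one source of truth (the system_app one also carries a stray trailing `;` after the macro call that no other file here uses). `persist_camera_prop` is not declared anywhere in this diff, and the vendor `property_contexts` it adds maps `persist.vendor.camera.` to `camera_prop`, not `persist_camera_prop`; confirm which type the properties apps actually read carry, otherwise this grant does nothing for them. The comment should name the property and why untrusted apps need it, since it exposes the value to every third-party app, e.g. `# Camera apps read persist.vendor.camera.* (read-only, no device identifiers)` if that is the case.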
--- /dev/null
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1 @@
+allow bootanim sysfs_kgsl:dir search;
diff --git a/sepolicy/vendor/charge_only.te b/sepolicy/vendor/charge_only.te
new file mode 100644
index 0000000..3672a14
--- /dev/null
+++ b/sepolicy/vendor/charge_only.te
@@ -0,0 +1,98 @@
+type charge_only, domain;
+type charge_only_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(charge_only)
+
+# Read chargeonly_data_file
+allow charge_only chargeonly_data_file:dir rw_dir_perms;
+allow charge_only chargeonly_data_file:file create_file_perms;
+
+# Write to /dev/kmsg
+allow charge_only kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charge_only, sysfs_type)
+r_dir_file(charge_only, rootfs)
+r_dir_file(charge_only, cgroup)
+
+# Self permissions
+allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Wakelock
+wakelock_use(charge_only)
+
+# Allow access to sysfs
+allow charge_only sysfs:dir { read open };
+allow charge_only sysfs:file rw_file_perms;
+
+# Allow access to wakelock sysfs
+allow charge_only sysfs_wake_lock:file rw_file_perms;
+
+# Allow access to battery info sysfs
+allow charge_only sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to battery supply sysfs
+allow charge_only sysfs_battery_supply:dir r_dir_perms;
+allow charge_only sysfs_battery_supply:file r_file_perms;
+allow charge_only sysfs_battery_supply:lnk_file r_file_perms;
+
+# Allow access to usb supply sysfs
+allow charge_only sysfs_usb_supply:dir r_dir_perms;
+allow charge_only sysfs_usb_supply:file r_file_perms;
+
+# Allow access to thermal sysfs
+allow charge_only sysfs_thermal:dir r_dir_perms;
+allow charge_only sysfs_thermal:file r_file_perms;
+allow charge_only sysfs_thermal:lnk_file r_file_perms;
+
+# Allow access to power sysfs
+allow charge_only sysfs_power:file rw_file_perms;
+
+# Allow access to led sysfs
+allow charge_only sysfs_leds:file rw_file_perms;
+
+# Allow access to graphics sysfs
+allow charge_only sysfs_graphics:dir r_dir_perms;
+allow charge_only sysfs_graphics:file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charge_only pstorefs:dir r_dir_perms;
+allow charge_only pstorefs:file r_file_perms;
+
+# Allow access to graphics dev
+allow charge_only graphics_device:dir r_dir_perms;
+allow charge_only graphics_device:chr_file rw_file_perms;
+
+# Allow access to input dev
+allow charge_only input_device:dir r_dir_perms;
+allow charge_only input_device:chr_file r_file_perms;
+
+# Allow access to tty dev
+allow charge_only tty_device:chr_file rw_file_perms;
+
+# Allow access to rtc dev
+allow charge_only rtc_device:chr_file rw_file_perms;
+
+# Allow access to proc_sysrq
+allow charge_only proc_sysrq:file rw_file_perms;
+
+# Allow access to persist dir
+allow charge_only persist_chargeonly_file:dir r_dir_perms;
+allow charge_only persist_chargeonly_file:file r_file_perms;
+
+# Allow access to vendor dir
+allow charge_only mnt_vendor_file:dir r_dir_perms;
+
+# Exec shell scripts
+allow charge_only vendor_shell_exec:file rx_file_perms;
+
+# Socks
+allow charge_only property_socket:sock_file write;
+allow charge_only init:unix_stream_socket connectto;
+
+# Props
+get_prop(charge_only, powerctl_prop)
+set_prop(charge_only, powerctl_prop)
+get_prop(charge_only, vendor_display_prop)
+get_prop(charge_only, moto_boot_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 3896a7b..27756af 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
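Review bot: `allow charge_only proc_sysrq:file rw_file_perms;` gives the charger daemon write access to /proc/sysrq-trigger, which can crash, reboot or kill processes system-wide; if it only needs to reboot it should go through the `powerctl_prop` it is already granted below and this line dropped, otherwise the comment should state which sysrq it issues and why. The blanket `allow charge_only sysfs:file rw_file_perms;` and `allow charge_only tty_device:chr_file rw_file_perms;` are wider than the specific `sysfs_*` labels listed right after them and make those narrower rules meaningless; prefer removing the generic rule and labeling whatever node is still missing. The hand-written `property_socket:sock_file write` and `init:unix_stream_socket connectto` lines under `# Socks` should already be produced by `set_prop(charge_only, powerctl_prop)` and can go.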
@@ -1,4 +1,21 @@
-type adsprpcd_file, file_type;
-type firmware_file, file_type;
-type fsg_firmware_file, file_type;
-type persist_file, file_type;
+type debugfs_rmts, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type fsg_firmware_file, file_type, contextmount_type, vendor_file_type;
+type perfd_socket, file_type;
+type persist_camera_file, file_type;
+type persist_battery_file, file_type;
+type persist_mdm_file, file_type, vendor_persist_type;
+type sysfs_fingerprint, sysfs_type, fs_type;
+type fingerprint_data_file, data_file_type, file_type;
+type fingerprint_socket, data_file_type, file_type;
+type sysfs_hwmon, sysfs_type, fs_type;
+type sysfs_sensor, sysfs_type, fs_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type system_fps_data_file, file_type, data_file_type, core_data_file_type;
+
+# charge_only_mode
+type chargeonly_data_file, file_type, data_file_type;
+type persist_chargeonly_file, file_type, data_file_type;
+
+# Healthd
+type sysfs_healthd, fs_type, sysfs_type, mlstrustedobject;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 8f5f39e..d687386 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
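Review bot: `persist_camera_file`, `persist_battery_file` and `persist_chargeonly_file` all label paths under /mnt/vendor/persist in the new file_contexts, yet only `persist_mdm_file` carries the `vendor_persist_type` attribute, and `persist_chargeonly_file` is instead tagged `data_file_type` (as is `fingerprint_data_file`, which file_contexts applies to both /data/vendor/fpc and /mnt/vendor/persist/egis); attributes are what the platform neverallow rules key on, so the persist types should be declared consistently, e.g. `type persist_chargeonly_file, file_type, vendor_persist_type;`. This hunk also deletes `persist_file`, `firmware_file` and `adsprpcd_file` while `persist_file` and `firmware_file` are still used by hal_health_default.te, rmt_storage.te, init.te, installd.te and file_contexts elsewhere in the diff, so they must now come from the newly included device/qcom/sepolicy-legacy-um; a comment such as `# persist_file / firmware_file are declared by device/qcom/sepolicy-legacy-um` would save the next reader the search. `sysfs_healthd` gets `mlstrustedobject`, presumably so categorized app domains can reach it; that deserves a one-line why-comment too.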
@@ -1,5 +1,73 @@
-/dsp(/.*)? u:object_r:adsprpcd_file:s0
-/firmware(/.*)? u:object_r:firmware_file:s0
-/fsg(/.*)? u:object_r:fsg_firmware_file:s0
-/persist(/.*)? u:object_r:persist_file:s0
+# Dev block nodes for eMMC
+/dev/block/platform/soc/7824900\.sdhci/by-name/persist2 u:object_r:persist_block_device:s0
+# EMMC A/B partitions
+/dev/block/platform/soc/7824900\.sdhci/by-name/dto_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/fsg_[ab] u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/logo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/oem_[ab] u:object_r:system_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/prov_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/storsec_[ab] u:object_r:custom_ab_block_device:s0
+/firmware/image(/.*)? u:object_r:firmware_file:s0
+
+/dev/mmi_sys_temp u:object_r:thermal_device:s0
+/dev/socket/perfd u:object_r:perfd_socket:s0
+
+/(vendor|system/vendor)/fsg u:object_r:fsg_firmware_file:s0
+
+/dev/v4l2-hal-ctrl u:object_r:video_device:s0
+/sys/devices/soc/8c0000\.qcom,msm-cam/video4linux/video0(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/soc/caa4000\.qcom,fd/video4linux/video2(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/soc/ca0c000\.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video4(/.*)? u:object_r:sysfs_graphics:s0
+/(mnt/vendor)/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/sys/devices/virtual/laser(/.*)? u:object_r:sysfs_sensor:s0
+/sys/devices/virtual/input/input4(/.*)? u:object_r:sysfs_sensor:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice u:object_r:hal_fingerprint_fpc_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets u:object_r:hal_fingerprint_fpc_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.msm8953 u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.(laser|usb)\.sh u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.power\.sh u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/perfd u:object_r:perfd_exec:s0
+
+/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/charging(/.*)? u:object_r:sysfs_leds:s0
+
+/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmts:s0
+/sys/kernel/boot_wlan(/.*)? u:object_r:sysfs_wifi:s0
+
+/sys/devices/soc/soc:fpc_fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0
+/sys/devices/platform/egis_input(/.*)? u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/0.et320(/.*)? u:object_r:sysfs_fingerprint:s0
+/(mnt/vendor)/persist/egis(/.*)? u:object_r:fingerprint_data_file:s0
+/dev/esfp0 u:object_r:tee_device:s0
+/data/\.fps(/.*)? u:object_r:system_fps_data_file:s0
+/data/vendor/misc/cutback(/.*)? u:object_r:vendor_radio_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc/socket u:object_r:fingerprint_socket:s0
+/data/vendor/.fps(/.*)? u:object_r:fingerprint_data_file:s0
+
+# Input devices
+/(vendor|system/vendor)/usr/idc(/.*)? u:object_r:vendor_idc_file:s0
+/(vendor|system/vendor)/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
+
+/(vendor|system/vendor)/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
+
+# Charger
+/data/vendor/chargeonly(/.*)? u:object_r:chargeonly_data_file:s0
+/(mnt/vendor/persist|persist)/chargeonly(/.*)? u:object_r:persist_chargeonly_file:s0
+/(vendor|system/vendor)/bin/charge_only_mode u:object_r:charge_only_exec:s0
+
+# Persist mdm
+/(mnt/vendor)/persist/mdm(/.*)? u:object_r:persist_mdm_file:s0
+
+# Battery and healthd
+/(mnt/vendor)/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/battery(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/dc(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/main(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/pc_port(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/usb(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/usbeb(/.*)? u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/wireless(/.*)? u:object_r:sysfs_healthd:s0
 
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..04c6467
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1 @@
+allow fsck modem_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..b91a98d
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
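Review bot: `/dev/esfp0 u:object_r:tee_device:s0` labels the fingerprint sensor node with the generic TEE device type, so every domain that already has `tee_device` access (the `tee` domain, plus `hal_fingerprint_fpc` via its `tee_device:chr_file { open read write ioctl }` rule, and anything in the included qcom policy) can now open the sensor; give it its own type, `/dev/esfp0 u:object_r:fingerprint_device:s0` declared in file.te, and grant only the fingerprint HAL. `/sys/devices/soc/0.et320(/.*)?` leaves the `.` unescaped while every neighbouring entry escapes it (`0\.et320`), so it also matches `0Xet320`-style siblings; minor, but inconsistent. `/(mnt/vendor)/persist/egis(/.*)?` reuses `fingerprint_data_file`, a `data_file_type`, for a persist path; a dedicated persist type keeps the /data and /mnt/vendor/persist rules separable.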
@@ -0,0 +1,22 @@
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+
+genfscon sysfs /devices/virtual/hwmon u:object_r:sysfs_hwmon:s0
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:vadc@3100/hwmon u:object_r:sysfs_hwmon:s0
+
+genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0 u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_devfreq:s0
+
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video4/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@1/video4linux/video5/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@2/video4linux/video6/name u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/bt_wcn3990/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/bt_wcn3990/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/bt_wcn3990/extldo u:object_r:sysfs_bluetooth_writable:s0
+
+genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-005b/leds/vibrator u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/soc:mmi_pl_chg_manager/power_supply/mmi_pl_chg_manager u:object_r:sysfs_battery_supply:s0
+
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d800/leds u:object_r:sysfs_leds:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..e4ee9a0
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,3 @@
+unix_socket_connect(hal_audio_default, perfd, perfd)
+
+allow hal_audio_default sysfs:dir { open read };
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..5c25f59
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1,2 @@
+allow hal_bootctl_default modem_efs_partition_device:blk_file getattr;
+
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..d48a419
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,10 @@
+r_dir_file(hal_camera_default, persist_camera_file)
+allow hal_camera_default sysfs_battery_supply:dir search;
+allow hal_camera_default sysfs_battery_supply:file { getattr open read };
+allow hal_camera_default mnt_vendor_file:file rw_file_perms;
+allow hal_camera_default vendor_data_file:dir read;
+allow hal_camera_default camera_prop:property_service set;
+allow hal_camera_default sysfs_healthd:dir search;
+
+get_prop(hal_camera_default, moto_boot_prop)
+set_prop(hal_camera_default, camera_prop)
diff --git a/sepolicy/vendor/hal_cas_default.te b/sepolicy/vendor/hal_cas_default.te
new file mode 100644
index 0000000..18b00de
--- /dev/null
+++ b/sepolicy/vendor/hal_cas_default.te
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default)
diff --git a/sepolicy/vendor/hal_fingerprint_fpc.te b/sepolicy/vendor/hal_fingerprint_fpc.te
new file mode 100644
index 0000000..c239cfe
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_fpc.te
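Review bot: `allow hal_camera_default mnt_vendor_file:file rw_file_perms;` grants read/write on any file under /mnt/vendor/persist that has no more specific label, while the camera's own persist data one line above is given only `r_dir_file(hal_camera_default, persist_camera_file)`; if the HAL needs to write its calibration, give it `allow hal_camera_default persist_camera_file:file rw_file_perms;` and drop the generic rule, otherwise the per-directory persist labels introduced in this commit buy nothing for this domain. `allow hal_camera_default camera_prop:property_service set;` is exactly what `set_prop(hal_camera_default, camera_prop)` two lines below expands to; keep the macro and delete the raw rule. A comment on why a camera HAL needs `sysfs_battery_supply` and `sysfs_healthd` (presumably flash current limiting) would help the next reviewer.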
@@ -0,0 +1,40 @@
+type hal_fingerprint_fpc, domain;
+typeattribute hal_fingerprint_fpc data_between_core_and_vendor_violators;
+
+hal_server_domain(hal_fingerprint_fpc, hal_fingerprint)
+
+type hal_fingerprint_fpc_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_fpc)
+
+hwbinder_use(hal_fingerprint_fpc)
+vndbinder_use(hal_fingerprint_fpc)
+
+# Check if hwservicemanager is ready
+get_prop(hal_fingerprint_fpc, hwservicemanager_prop)
+
+# Add com.fingerprints.extension::IFingerprint* service to hwservicemanager
+add_hwservice(hal_fingerprint_fpc, fpc_extension_service)
+
+r_dir_file(hal_fingerprint_fpc, firmware_file)
+r_dir_file(hal_fingerprint_fpc, sysfs_devfreq)
+
+allow hal_fingerprint_fpc tee_device:chr_file { open read write ioctl };
+allow hal_fingerprint_fpc uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_fpc sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_fpc sysfs_fingerprint:file rw_file_perms;
+
+# Allow hal_fingerprint_fpc to add and find fpc_extension_service
+allow hal_fingerprint_fpc fpc_extension_service:hwservice_manager { add find };
+
+allow hal_fingerprint_fpc fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_fpc fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_fpc self:netlink_socket create_socket_perms_no_ioctl;
+
+allow hal_fingerprint_fpc system_fps_data_file:dir { create_dir_perms };
+allow hal_fingerprint_fpc system_fps_data_file:file { create_file_perms };
+
+allow hal_fingerprint_fpc fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_fpc fingerprintd_data_file:file create_file_perms;
+
+allow hal_fingerprint_fpc tee_device:chr_file getattr;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..5c61a86
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
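Review bot: `allow hal_fingerprint_fpc uhid_device:chr_file rw_file_perms;` lets the fingerprint HAL create virtual HID devices and inject arbitrary key and touch events into the system, which is a great deal of trust for a vendor daemon that also talks to the TEE; if this exists for the `IFingerprintNavigation` service registered in hwservice_contexts, say so in a comment and confirm the sensor's own node under `sysfs_fingerprint` is not sufficient. The domain also writes to the core `system_fps_data_file` (/data/.fps) and to `fingerprintd_data_file`, which is why it has to be marked `data_between_core_and_vendor_violators`; a comment naming which path needs which rule makes that exemption reviewable and removable later. The trailing `tee_device:chr_file getattr` belongs in the earlier `{ open read write ioctl }` line, and the braces around `create_dir_perms`/`create_file_perms` are unnecessary.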
@@ -0,0 +1 @@
+allow hal_graphics_composer_default sysfs_graphics:file r_file_perms;
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..eb0ce19
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,10 @@
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;
+
+allow hal_health_default mnt_vendor_file:file { getattr open read };
+allow hal_health_default mnt_vendor_file:dir { search write };
+allow hal_health_default sysfs:file { getattr open read };
+allow hal_health_default sysfs_healthd:dir r_dir_perms;
+allow hal_health_default sysfs_healthd:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..30f6408
--- /dev/null
+++ b/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs_leds:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..bce1837
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,5 @@
+allow hal_nfc_default nfc_vendor_data_file:dir rw_dir_perms;
+allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+allow hal_nfc_default nxpese_hwservice:hwservice_manager { add find };
+allow hal_nfc_default nxpnfc_hwservice:hwservice_manager { add find };
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..d626b55
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
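Review bot: `allow hal_health_default persist_file:dir search;` names a type this same commit deletes from sepolicy/vendor/file.te, so it only compiles if the newly included device/qcom/sepolicy-legacy-um still declares `persist_file`; since the battery data lives under /mnt/vendor/persist as `persist_battery_file`, the `mnt_vendor_file:dir search` two lines later is what actually gets the HAL there and the `persist_file` line looks like a leftover to drop. `mnt_vendor_file:dir { search write }` grants `write` without `add_name`/`remove_name`, which is not enough to create or delete anything and is not needed for traversal, so reduce it to `search`. The generic `sysfs:file { getattr open read }` should be replaced by the specific `sysfs_batteryinfo`/`sysfs_healthd` labels already used in this file, otherwise those labels do not restrict this domain.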
@@ -0,0 +1,4 @@
+r_dir_file(hal_power_default, debugfs_wlan)
+r_dir_file(hal_power_default, sysfs_graphics)
+unix_socket_connect(hal_power_default, perfd, perfd)
+allow hal_sensors_default sysfs_sensor:lnk_file read;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..09fc048
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,7 @@
+allow hal_sensors_default sysfs_sensor:dir r_dir_perms;
+allow hal_sensors_default sysfs_sensor:file rw_file_perms;
+allow hal_sensors_default self:netlink_kobject_uevent_socket { setopt bind };
+allow hal_sensors_default debugfs:dir { open read };
+allow hal_sensors_default self:netlink_kobject_uevent_socket { create read };
+allow hal_sensors_default sysfs:dir { open read };
+allow hal_sensors_default sysfs:file { getattr open read write };
diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..9cf8949
--- /dev/null
+++ b/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_vibrator_default, sysfs_leds)
+allow hal_vibrator_default sysfs_leds:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..a7a6836
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1,2 @@
+allow hal_wifi_default sysfs_wifi:file w_file_perms;
+allow hal_wifi_default proc_net:file w_file_perms;
diff --git a/sepolicy/vendor/healthd.te b/sepolicy/vendor/healthd.te
new file mode 100644
index 0000000..4401d3d
--- /dev/null
+++ b/sepolicy/vendor/healthd.te
@@ -0,0 +1,2 @@
+allow healthd sysfs_healthd:dir r_dir_perms;
+allow healthd sysfs_healthd:file rw_file_perms;
diff --git a/sepolicy/vendor/hvdcp.te b/sepolicy/vendor/hvdcp.te
new file mode 100644
index 0000000..1f388ed
--- /dev/null
+++ b/sepolicy/vendor/hvdcp.te
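Review bot: `allow hal_sensors_default sysfs_sensor:lnk_file read;` is a hal_sensors_default rule but lives in hal_power_default.te; move it into the new hal_sensors_default.te next to the other `sysfs_sensor` rules so anyone auditing the sensors HAL finds all of its grants in one file. `r_dir_file(hal_power_default, debugfs_wlan)` gives the power HAL read access to the `/wlan0` debugfs tree labeled in genfs_contexts, which is unusual for a HAL on a user build where debugfs is normally unavailable; a comment on what it reads there (or a check that the access is only needed on debug builds) would justify keeping it.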
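Review bot: The two `self:netlink_kobject_uevent_socket` rules (`{ setopt bind }` and `{ create read }`) should be one line, `allow hal_sensors_default self:netlink_kobject_uevent_socket { create read bind setopt };`, as splitting them around the `debugfs` rule reads like an accident. The closing `allow hal_sensors_default sysfs:file { getattr open read write };` grants write to every unlabeled sysfs node and makes the `sysfs_sensor` label above redundant for this domain; label the node it writes (file_contexts already labels the laser and input4 trees as `sysfs_sensor`) and drop `write` from the generic rule.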
@@ -0,0 +1,4 @@
+allow hvdcp sysfs_batteryinfo:dir r_dir_perms;
+allow hvdcp sysfs_batteryinfo:file r_file_perms;
+allow hvdcp sysfs_healthd:dir r_dir_perms;
+allow hvdcp sysfs_healthd:file r_file_perms;
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..341cf6e
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,4 @@
+type fpc_extension_service, hwservice_manager_type;
+
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..9a4b6e9
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,6 @@
+com.fingerprints.extension::IFingerprintAuthenticator u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintCalibration u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintEngineering u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintNavigation u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:fpc_extension_service:s0
+vendor.egistec.hardware.fingerprint::IBiometricsFingerprintEts u:object_r:fpc_extension_service:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..2c66338
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,11 @@
+allow init fsg_firmware_file:dir { mounton };
+allow init socket_device:sock_file { create setattr unlink };
+allow init fsg_firmware_file:filesystem { relabelfrom mount };
+allow init vendor_file:file execute;
+#TODO: This should not be needed and needs to be cleaned.
+allow fsg_firmware_file self:filesystem associate;
+allow init mnt_product_file:dir mounton;
+
+allow init bt_firmware_file:filesystem getattr;
+allow init firmware_file:filesystem getattr;
+allow init fsg_firmware_file:filesystem getattr;
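Review bot: `allow init vendor_file:file execute;` lets init run any binary under /vendor inside the init domain itself, with no domain transition, which is the most privileged context on the device; vendor executables started from init.*.rc should get their own domain via `init_daemon_domain` (as `charge_only`, `init_wifi` and `perfd` do in this same commit), and this rule should be removed once the remaining caller is identified. `allow fsg_firmware_file self:filesystem associate;` is a rule about the fsg_firmware_file type, not about init, and the `#TODO` above says it should not be needed; either move it to file.te next to the type so it is not lost, or replace the TODO with the mount it actually fixes. `allow init fsg_firmware_file:dir { mounton };` can drop the braces to match the neighbouring lines.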
diff --git a/sepolicy/vendor/init_wifi.te b/sepolicy/vendor/init_wifi.te
new file mode 100644
index 0000000..da77815
--- /dev/null
+++ b/sepolicy/vendor/init_wifi.te
@@ -0,0 +1,6 @@
+type init_wifi, domain;
+type init_wifi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init_wifi)
+
+allow init_wifi sysfs:file { open write };
+allow init_wifi vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vendor/installd.te b/sepolicy/vendor/installd.te
new file mode 100644
index 0000000..eca198d
--- /dev/null
+++ b/sepolicy/vendor/installd.te
@@ -0,0 +1,4 @@
+allow installd bt_firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_firmware_file:filesystem quotaget;
+
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..4013339
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1 @@
+r_dir_file(kernel, debugfs_wlan)
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
new file mode 100644
index 0000000..1b4904e
--- /dev/null
+++ b/sepolicy/vendor/mediacodec.te
@@ -0,0 +1 @@
+unix_socket_connect(mediacodec, perfd, perfd)
diff --git a/sepolicy/vendor/nfc.te b/sepolicy/vendor/nfc.te
new file mode 100644
index 0000000..3ad4687
--- /dev/null
+++ b/sepolicy/vendor/nfc.te
@@ -0,0 +1,3 @@
+allow nfc nfc_vendor_data_file:dir rw_dir_perms;
+allow nfc nfc_vendor_data_file:file create_file_perms;
+get_prop(nfc, moto_boot_prop)
diff --git a/sepolicy/vendor/per_mgr.te b/sepolicy/vendor/per_mgr.te
new file mode 100644
index 0000000..d1e34c7
--- /dev/null
+++ b/sepolicy/vendor/per_mgr.te
@@ -0,0 +1 @@
+allow vendor_per_mgr self:capability { net_raw };
diff --git a/sepolicy/vendor/perfd.te b/sepolicy/vendor/perfd.te
new file mode 100644
index 0000000..a8afe76
--- /dev/null
+++ b/sepolicy/vendor/perfd.te
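Review bot: `allow init_wifi sysfs:file { open write };` writes through the generic sysfs label even though this commit labels `/sys/kernel/boot_wlan` as `sysfs_wifi` in file_contexts; if that is the node wlan_carrier_bin.sh pokes, the rule should be `allow init_wifi sysfs_wifi:file rw_file_perms;` so the write stays confined to it. The domain declaration has no comment; since `init_wifi_exec` is bound to `/vendor/bin/wlan_carrier_bin.sh` in file_contexts, a one-line purpose comment naming that script and what it selects would let a reader connect the two files without grepping.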
@@ -0,0 +1,37 @@
+type perfd, domain;
+type perfd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(perfd)
+
+# perfd uses kill(pid, 0) to determine if a process exists.
+# Determining if a process exists does not require the kill capability
+# since a permission denied indicates the process exists.
+dontaudit perfd self:capability kill;
+
+allow perfd mediacodec:process signull;
+allow perfd hal_power_default:process signull;
+
+allow perfd cgroup:file rw_file_perms;
+
+allow perfd proc:file rw_file_perms;
+allow perfd sysfs_scsi_host:file r_file_perms;
+r_dir_file(perfd, sysfs_graphics)
+r_dir_file(perfd, sysfs_socinfo)
+
+allow perfd sysfs_devices_system_cpu:file w_file_perms;
+
+allow perfd perfd_socket:sock_file write;
+
+allow perfd device_latency:chr_file w_file_perms;
+
+# wahoo sysfs_msm_subsys is sysfs_devfreq + sysfs_kgsl
+r_dir_file(perfd, sysfs_devfreq)
+allow perfd sysfs_devfreq:file w_file_perms;
+
+r_dir_file(perfd, sysfs_kgsl)
+allow perfd sysfs_kgsl:file w_file_perms;
+
+allow perfd sysfs_msm_perf:dir r_dir_perms;
+allow perfd sysfs_msm_perf:file rw_file_perms;
+
+get_prop(perfd, freq_prop)
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
new file mode 100644
index 0000000..02a9832
--- /dev/null
+++ b/sepolicy/vendor/platform_app.te
@@ -0,0 +1,5 @@
+allow platform_app sysfs_kgsl:dir search;
+allow platform_app sysfs_kgsl:file { getattr open read };
+allow platform_app sysfs_healthd:dir r_dir_perms;
+allow platform_app sysfs_healthd:file rw_file_perms;
+get_prop(platform_app, moto_boot_prop)
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..ad0918b
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,3 @@
+type power_prop, property_type;
+type moto_boot_prop, property_type;
+type vendor_fm_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..00d46ee
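Review bot: `allow perfd proc:file rw_file_perms;` grants write to every unlabeled node under /proc, which is far wider than the sysctl knobs a performance daemon tunes; the specific `proc_*` type for the files it writes should be used instead (the kernel-side labels for /proc/sys are already split in AOSP), and the same applies to `cgroup:file rw_file_perms` if only one controller is written. The `# wahoo sysfs_msm_subsys ...` comment refers to another device's labeling and will puzzle readers of this tree; rephrase it as what holds here, e.g. `# devfreq and kgsl nodes replace the single sysfs_msm_subsys label used on some other targets`.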
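Review bot: `allow platform_app sysfs_healthd:file rw_file_perms;` gives every platform-signed app write access to the charger and battery power_supply nodes labeled `sysfs_healthd` in file_contexts, which is where charging can be enabled, disabled or limited; if a single app needs this, name it in a comment and consider a narrower label for just the nodes it writes, otherwise make it `r_file_perms`. Note that file.te also declares `sysfs_healthd` with `mlstrustedobject`, presumably so categorized app domains can reach it, so the MLS constraints will not narrow this grant either.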
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,36 @@
+vendor.ril. u:object_r:vendor_radio_prop:s0
+vendor.rmnet_vnd.rps_mask u:object_r:vendor_usb_prop:s0
+
+ro.boot.adb_early u:object_r:moto_boot_prop:s0
+ro.boot.secure_hardware u:object_r:moto_boot_prop:s0
+ro.boot.radio u:object_r:moto_boot_prop:s0
+ro.boot.device u:object_r:moto_boot_prop:s0
+ro.boot.dualsim u:object_r:moto_boot_prop:s0
+ro.boot.hardware.sku u:object_r:moto_boot_prop:s0
+ro.boot.carrier u:object_r:moto_boot_prop:s0
+ro.boot.cid u:object_r:moto_boot_prop:s0
+ro.boot.fsg-id u:object_r:moto_boot_prop:s0
+ro.boot.hwrev u:object_r:moto_boot_prop:s0
+ro.boot.powerup_reason u:object_r:moto_boot_prop:s0
+ro.boot.bl_state u:object_r:moto_boot_prop:s0
+ro.boot.revision u:object_r:moto_boot_prop:s0
+ro.vendor.hw.dualsim u:object_r:moto_boot_prop:s0
+ro.vendor.hw.device u:object_r:moto_boot_prop:s0
+ro.vendor.hw.radio u:object_r:moto_boot_prop:s0
+ro.vendor.hw.hwrev u:object_r:moto_boot_prop:s0
+ro.vendor.hw.revision u:object_r:moto_boot_prop:s0
+ro.vendor.boot.radio u:object_r:moto_boot_prop:s0
+ro.vendor.bootreason u:object_r:moto_boot_prop:s0
+ro.vendor.boot.hwrev u:object_r:moto_boot_prop:s0
+ro.vendor.boot.powerup_reason u:object_r:moto_boot_prop:s0
+ro.vendor.boot.bl_state u:object_r:moto_boot_prop:s0
+ro.vendor.boot.serialno u:object_r:moto_boot_prop:s0
+ro.vendor.carrier u:object_r:moto_boot_prop:s0
+ro.vendor.boot.cid u:object_r:moto_boot_prop:s0
+ro.vendor.fsg-id u:object_r:moto_boot_prop:s0
+ro.vendor.zygote u:object_r:moto_boot_prop:s0
+vendor.boot_completed u:object_r:moto_boot_prop:s0
+
+ro.vendor.fm. u:object_r:vendor_fm_prop:s0
+
+persist.vendor.camera. u:object_r:camera_prop:s0
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..4802d3d
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
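Review bot: `persist.vendor.camera. u:object_r:camera_prop:s0` labels the persistent camera properties as `camera_prop`, but the platform-private policy in this same commit grants app domains `persist_camera_prop`, a type this diff neither declares nor maps to any prefix; unless the included qcom policy already maps `persist.vendor.camera.` to `persist_camera_prop` (in which case this line conflicts with it), one of the two sides is wrong and apps will still be denied. `ro.vendor.boot.serialno` and `ro.boot.secure_hardware` sit in the same `moto_boot_prop` bucket as hardware revision flags, and `moto_boot_prop` is readable by `platform_app`, `rild`, `nfc`, `thermal-engine`, `rmt_storage` and others in this diff; a serial number should get its own, more tightly granted type rather than ride on a catch-all. A header comment stating the ownership would help, e.g. `# moto_boot_prop: read-only bootloader/hardware identity props, set by vendor_init`.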
@@ -0,0 +1,16 @@
+allow qti_init_shell sysfs_sensor:file { rw_file_perms setattr };
+allow qti_init_shell persist_camera_file:file r_file_perms;
+allow qti_init_shell kmsg_device:chr_file { open write };
+allow qti_init_shell sysfs:file { rw_file_perms setattr };
+allow qti_init_shell vendor_radio_data_file:dir rw_dir_perms;
+allow qti_init_shell vendor_radio_data_file:file create_file_perms;
+
+get_prop(qti_init_shell, moto_boot_prop)
+get_prop(qti_init_shell, vendor_radio_prop)
+set_prop(qti_init_shell, exported2_default_prop)
+
+# Silence qemu.hw.mainkeys denial that we don't need
+dontaudit qti_init_shell default_prop:property_service set;
+
+# Silence DAC denials
+dontaudit qti_init_shell self:capability { dac_override dac_read_search };
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
new file mode 100644
index 0000000..d83cd42
--- /dev/null
+++ b/sepolicy/vendor/radio.te
@@ -0,0 +1 @@
+get_prop(radio, qcom_ims_prop)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..626e979
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,15 @@
+allow rild vendor_file:file rx_file_perms;
+allow rild persist_mdm_file:dir search;
+allow rild persist_mdm_file:file rw_file_perms;
+allow rild fwk_sensor_hwservice:hwservice_manager find;
+allow rild system_server:binder { call transfer };
+allow rild mnt_vendor_file:dir search;
+allow rild mnt_vendor_file:file rw_file_perms;
+allow rild proc:file r_file_perms;
+allow rild input_device:dir { open read };
+allow rild vendor_radio_data_file:dir rw_dir_perms;
+allow rild vendor_radio_data_file:file rw_file_perms;
+allow rild vendor_radio_data_file:sock_file create_file_perms;
+get_prop(rild, moto_boot_prop)
+get_prop(rild, vendor_radio_prop)
+get_prop(rild, wifi_prop)
diff --git a/sepolicy/vendor/rmt_storage.te b/sepolicy/vendor/rmt_storage.te
new file mode 100644
index 0000000..47c9ff7
--- /dev/null
+++ b/sepolicy/vendor/rmt_storage.te
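Review bot: `allow qti_init_shell sysfs:file { rw_file_perms setattr };` grants write and chmod on every unlabeled sysfs node, while the line above already does the same for the `sysfs_sensor` label that file_contexts assigns to the laser and input4 trees; whichever node the init.mmi/init.qcom.power scripts still touch through the generic label should be labeled so the broad rule can go. `dontaudit qti_init_shell self:capability { dac_override dac_read_search };` hides real failures: if a script cannot read or write a file because of DAC, silencing the denial means the script breaks silently on enforcing builds, so the underlying file ownership should be fixed and the dontaudit removed, or the comment should say which access is known to be harmless.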
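Review bot: `allow rild mnt_vendor_file:file rw_file_perms;` grants read/write on every file under /mnt/vendor/persist that has no more specific label, which undercuts the `persist_mdm_file` label this commit introduces for rild's own data two lines above; drop the generic rule and, if rild writes a second persist directory, label it. `allow rild system_server:binder { call transfer };` together with `binder_call(system_server,rild)` in system_server.te reopens a direct vendor-to-framework binder path in vendor policy; a comment naming the interface rild calls would make that Treble exemption reviewable. `get_prop(rild, wifi_prop)` also deserves a why-comment, since a RIL reading Wi-Fi properties is not self-explanatory.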
@@ -0,0 +1,18 @@
+allow rmt_storage {
+ modem_efs_partition_device
+ ssd_device
+}:blk_file rw_file_perms;
+
+r_dir_file(rmt_storage fsg_firmware_file)
+r_dir_file(rmt_storage, persist_file)
+
+allow rmt_storage debugfs_rmts:dir r_dir_perms;
+allow rmt_storage debugfs_rmts:file rw_file_perms;
+
+allow rmt_storage persist_rfs_file:dir search;
+allow rmt_storage persist_rfs_file:file rw_file_perms;
+allow rmt_storage mnt_vendor_file:dir search;
+get_prop(rmt_storage, vendor_radio_prop)
+
+get_prop(rmt_storage, moto_boot_prop)
+allow rmt_storage sysfs_data:file r_file_perms;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..6d09b98
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1 @@
+get_prop(system_app, vendor_fm_prop)
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..ac51b83
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,8 @@
+binder_call(system_server,rild);
+
+allow system_server sysfs_vibrator:file read;
+allow system_server fpc_extension_service:hwservice_manager find;
+allow system_server vendor_keylayout_file:dir r_dir_perms;
+allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server vendor_idc_file:dir r_dir_perms;
+allow system_server vendor_idc_file:file r_file_perms;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..3ae1964
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,4 @@
+typeattribute tee data_between_core_and_vendor_violators;
+
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..ea50f9e
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
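Review bot: `r_dir_file(rmt_storage fsg_firmware_file)` is missing the comma between its two arguments, so m4 receives the whole string as $1 and $2 is empty; it appears to build only because the expansion `allow rmt_storage fsg_firmware_file :dir r_dir_perms;` happens to parse, and it will break silently if the macro ever changes shape. Write it as `r_dir_file(rmt_storage, fsg_firmware_file)`, matching the line right below it. The same slip is in thermal-engine.te in this commit: `r_dir_file(thermal-engine sysfs_socinfo)`.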
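Review bot: `typeattribute tee data_between_core_and_vendor_violators;` admits a core/vendor boundary violation, but the file does not say what the TEE daemon keeps under `fingerprintd_data_file` or why it cannot live in a vendor-owned type; a one-line comment such as `# Legacy fingerprint HAL keeps its templates in fingerprintd_data_file (core /data) — TODO move to a vendor_* type` is the minimum for a rule that grants `create_file_perms` in a core data directory. The same attribute is added without explanation in thermal-engine.te and vendor_init.te in this commit; for thermal-engine nothing in its hunk touches a core data type, so the attribute may not be needed there at all.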
@@ -0,0 +1,18 @@
+typeattribute thermal-engine data_between_core_and_vendor_violators;
+
+# Allow thermal-engine to read files in /sys
+r_dir_file(thermal-engine, sysfs)
+
+allow thermal-engine sysfs_healthd:dir search;
+allow thermal-engine sysfs_healthd:file rw_file_perms;
+
+allow thermal-engine self:capability { chown fowner };
+
+get_prop(thermal-engine, moto_boot_prop)
+allow thermal-engine { proc_stat proc_loadavg }:file r_file_perms;
+
+allow thermal-engine sysfs_hwmon:dir r_dir_perms;
+allow thermal-engine sysfs_hwmon:file rw_file_perms;
+allow thermal-engine sysfs_devfreq:dir r_dir_perms;
+allow thermal-engine sysfs_devfreq:file rw_file_perms;
+r_dir_file(thermal-engine sysfs_socinfo)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..2420f55
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,22 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+ dhcp_data_file
+ media_rw_data_file
+ system_data_file
+ tombstone_data_file
+ wifi_data_file
+ camera_data_file
+ fingerprint_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init proc_uid_cpupower:file write;
+
+# Allow vendor_init to relabel unlabeled files and directories
+allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
+
+get_prop(vendor_init, moto_boot_prop)
+set_prop(vendor_init, moto_boot_prop)
+set_prop(vendor_init, vendor_fm_prop)
+
+allow vendor_init system_fps_data_file:dir create_dir_perms;
diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te
new file mode 100644
index 0000000..2721e2f
--- /dev/null
+++ b/sepolicy/vendor/vendor_toolbox.te
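Review bot: `allow thermal-engine self:capability { chown fowner };` carries no comment, and it sits in a file whose only header comment is about reading /sys, so a reader cannot tell which files the daemon re-owns or whether that belongs in an rc `chown` line handled by init instead. Add the reason inline, e.g. `# thermal-engine chowns <sysfs node> at startup — TODO confirm; prefer an init.rc chown if possible`. The `rw_file_perms` grants on `sysfs_healthd`, `sysfs_hwmon` and `sysfs_devfreq` deserve the same treatment, since the comment at the top of the hunk only claims read access.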
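Review bot: the dir rule in the middle of the vendor_init hunk gives `create write add_name remove_name rmdir relabelfrom` on `system_data_file` — the catch-all label for /data — alongside `tombstone_data_file` and `media_rw_data_file`, with no comment recording which rc lines need it. Because `system_data_file` covers far more than the directories a vendor rc creates, a device-specific type for those directories plus a comment per type (`# <rc line> creates /data/<dir>`) would both document and shrink the grant. The `relabelfrom` on these types and on `unlabeled` has no matching `relabelto` in this hunk; presumably the common policy supplies it — worth confirming, since a missing `relabelto` turns the relabel into a denial at boot.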
@@ -0,0 +1,54 @@
+type vendor_toolbox, domain;
+
+init_daemon_domain(vendor_toolbox)
+
+# Allow vendor_toolbox to use sys_admin capability
+allow vendor_toolbox self:capability sys_admin;
+
+# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
+allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
+
+# Allow vendor_toolbox to read directories in rootfs
+allow vendor_toolbox rootfs:dir r_dir_perms;
+
+# Allow vendor_toolbox to remove "security.*" xattrs from /mnt/vendor/persist
+allow vendor_toolbox {
+ fingerprint_data_file
+ mnt_vendor_file
+ persist_alarm_file
+ persist_audio_file
+ persist_block_device
+ persist_bluetooth_file
+ persist_bms_file
+ persist_camera_file
+ persist_display_file
+ persist_drm_file
+ persist_file
+ persist_hvdcp_file
+ persist_mdm_file
+ persist_misc_file
+ persist_qti_fp_file
+ persist_rfs_file
+ persist_rfs_shared_hlos_file
+ persist_secnvm_file
+ persist_time_file
+ persist_vpp_file
+ regionalization_file
+ rfs_file
+ rfs_shared_hlos_file
+ sensors_persist_file
+ unlabeled
+ vendor_persist_mmi_file
+}:dir { r_dir_perms setattr };
+
+allow vendor_toolbox {
+ fingerprint_data_file
+ mnt_vendor_file
+ persist_bluetooth_file
+ persist_camera_file
+ persist_drm_file
+ persist_mdm_file
+ persist_rfs_file
+ persist_time_file
+ sensors_persist_file
+}:file { r_file_perms setattr };
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
new file mode 100644
index 0000000..ee3ed64
--- /dev/null
+++ b/sepolicy/vendor/vold.te
@@ -0,0 +1,2 @@
+#============= vold ==============
+allow vold system_data_file:file { ioctl open };
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
new file mode 100644
index 0000000..95c9a3e
--- /dev/null
+++ b/sepolicy/vendor/wcnss_service.te
@@ -0,0 +1 @@
+get_prop(wcnss_service, moto_boot_prop)
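Review bot: the comment `# Allow vendor_toolbox to use sys_admin capability` restates the rule instead of the reason; the reason is the xattr rule further down, and the comment should say so: `# CAP_SYS_ADMIN: the kernel requires it to remove security.* xattrs (security.sehash) from /mnt/vendor/persist`. Together with `init_daemon_domain`, `execute_no_trans` on its own binary and `setattr` on 26 directory types, this is a capable domain, so the why-comments matter. `persist_block_device` in a `:dir` rule looks out of place — if no directory carries that label the entry is dead and should be dropped — and `unlabeled` in the same list should get a comment naming the directories expected to be unlabeled at that point of boot, so the grant can be revisited once they are labeled.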
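Review bot: `#============= vold ==============` is the audit2allow banner, not a reason; the rule beneath it lets vold open a core `system_data_file` with `ioctl`, and nothing says which file or which ioctl. Replace the banner with a why-comment (`# vold <operation> on /data/<file> — needs ioctl <NAME>`), and if the ioctl is known, pin it with `allowxperm vold system_data_file:file ioctl { <code> };` so the grant is not every ioctl on every system data file.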