diff --git a/sepolicy/adspd.te b/sepolicy/adspd.te
index b11e40d..a59357b 100644
--- a/sepolicy/adspd.te
+++ b/sepolicy/adspd.te
@@ -1,5 +1,5 @@
 type adspd, domain;
-type adspd_exec, exec_type, file_type;
+type adspd_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(adspd)
 
 allow adspd audio_device:chr_file { ioctl open read write };
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index d28a479..e202b31 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -1,2 +1,58 @@
-# Shouldn't do this here
-allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+binder_call(cameraserver, servicemanager);
+
+allow cameraserver nfc_data_file:dir search;
+allow cameraserver nfc_data_file:fifo_file write;
+allow cameraserver nfc_data_file:fifo_file open;
+
+allow cameraserver sensorservice_service:service_manager { find };
+allow cameraserver system_file:dir { read open };
+
+allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name rw_file_perms rmdir search };
+allow cameraserver sdcardfs:file { create open read write unlink getattr };
+allow cameraserver storage_file:dir search;
+
+allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver tmpfs:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver storage_file:dir r_dir_perms;
+allow cameraserver storage_file:lnk_file r_file_perms;
+allow cameraserver mnt_user_file:dir r_dir_perms;
+allow cameraserver mnt_user_file:lnk_file r_file_perms;
+allow cameraserver media_rw_data_file:dir { open read search write add_name };
+allow cameraserver media_rw_data_file:file { create read write open };
+
+allow cameraserver sysfs:file { open write };
+
+allow cameraserver cameraserver:process { execmem };
+
+####
+allow cameraserver debug_prop:file { r_file_perms };
+allow cameraserver debug_prop:property_service set;
+
+#######
+#allow cameraserver persist_file:file rw_file_perms;
+#allow cameraserver persist_file:file setattr;
+allow cameraserver shell_exec:file { read open execute };
+allow cameraserver self:socket create;
+allow cameraserver camera_prop:property_service set;
+allow cameraserver init:unix_stream_socket connectto;
+allow cameraserver sensors_persist_file:file { open read };
+allow cameraserver property_socket:sock_file write;
+#allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
+allow cameraserver shell_exec:file { execute getattr };
+allow cameraserver system_file:file execute;
+
+allow cameraserver debugfs:dir { read open };
+
+
+
+allow cameraserver nfc_data_file:file { open write };
+allow cameraserver socket_device:sock_file write;
+
+allow cameraserver hal_perf_default:binder call;
+
+allow cameraserver sysfs_battery_supply:dir search;
+allow cameraserver sysfs_battery_supply:file { getattr open read };
diff --git a/sepolicy/esepmdaemon.te b/sepolicy/esepmdaemon.te
new file mode 100644
index 0000000..fdef3c0
--- /dev/null
+++ b/sepolicy/esepmdaemon.te
@@ -0,0 +1,2 @@
+binder_call(esepmdaemon, servicemanager);
+
diff --git a/sepolicy/file.te b/sepolicy/file.te
index f398c73..133f0d8 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -42,4 +42,17 @@ type sysfs_cnss, fs_type, sysfs_type;
 type sysfs_fpc, fs_type, sysfs_type;
 type fpc_socket, file_type;
+type fpc_data_file, file_type;
+
 
 type sysfs_wcnsscore, fs_type, sysfs_type;
+
+type nv_data_file, file_type;
+type sysfs_rmt_storage, fs_type, sysfs_type;
+type debugfs_rmt_storage, debugfs_type, fs_type;
+type debugfs_rpm, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type perfd_data_file, file_type, data_file_type;
+type proc_kernel_sched, fs_type;
+type sysfs_power_management, sysfs_type, fs_type;
+type proc_touchpanel, fs_type;
+
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 2f9c0b2..33ea6f1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
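Review bot: The rules `allow cameraserver shell_exec:file { read open execute }`, `allow cameraserver system_file:file execute` and `allow cameraserver cameraserver:process { execmem }` in this hunk let the camera server run the shell and any system binary and map writable-executable memory, so a bug in the camera stack becomes arbitrary code execution with the persist_file/fuse/tmpfs write access granted a few lines above. Whatever helper is actually executed should get its own exec type and a domain transition, and execmem should stay only if a JIT is known to run in this process; the self rule is conventionally written `allow cameraserver self:process execmem;`. Several permission sets repeat what their macro already covers, e.g. `{ read write open create getattr create_file_perms rw_file_perms }` reduces to `create_file_perms`. The `####` / `#######` markers and the commented-out `#allow` lines should be dropped or replaced by a comment saying what each group is for.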
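Review bot: `type nv_data_file, file_type;` (which file_contexts in this commit assigns to `/data/oemnvitems`) and presumably `type fpc_data_file, file_type;` label content under /data but lack the `data_file_type` attribute that `perfd_data_file` gets a few lines later; the platform's generic handling of /data content keys off that attribute, so declare them consistently, e.g. `type nv_data_file, file_type, data_file_type;`. Likewise `proc_kernel_sched` and `proc_touchpanel` are declared as bare `fs_type` while the sysfs and debugfs types in the same hunk carry `sysfs_type` / `debugfs_type`; if they label procfs nodes they should carry `proc_type` as well — confirm against the genfs entries, which are not in this diff.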
@@ -6,12 +6,10 @@
 /dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
 
 # Binaries
-/system/bin/adspd u:object_r:adspd_exec:s0
+#/system/vendor/bin/adspd u:object_r:adspd_exec:s0
 /system/bin/charge_only_mode u:object_r:charge_only_exec:s0
-/system/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
-/system/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
-/system/bin/motosh u:object_r:sensor_hub_exec:s0
-/system/bin/akmd09912 u:object_r:akmd_exec:s0
+#/system/vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
+#/system/vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
 
 # CMActions
 /sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
@@ -110,3 +108,19 @@
 
 # WCNSS
 /sys/module/wcnsscore/parameters(/.*)? u:object_r:sysfs_wcnsscore:s0
+
+/data/misc/perfd(/.*)? u:object_r:perfd_data_file:s0
+/data/system/perfd(/.*)? u:object_r:perfd_data_file:s0
+/data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
+/data/vendor/time(/.*)? u:object_r:time_data_file:s0
+
+/system/vendor/bin/perfd u:object_r:perfd_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service\.qti u:object_r:hal_power_default_exec:s0
+/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
+/system/vendor/bin/sensorservice_32 u:object_r:hal_sensors_default_exec:s0
+
+/system/vendor/bin/qmi_motext_hook u:object_r:radio_data_file:s0
+
+/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
+
+/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 0fa0385..2c2ff33 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
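Review bot: This hunk leaves `adspd_exec`, `mmi_boot_exec`, `init_wifi_exec`, `sensor_hub_exec` and `akmd_exec` without any path: the first three entries are replaced by commented-out `/system/vendor/bin/...` lines and the motosh / akmd09912 entries are deleted outright, so the `init_daemon_domain()` transitions in adspd.te, init_wifi.te, mmi_boot.te and sensor_hub.te (all still edited by this commit) can never fire and those binaries will run in the domain of whatever execs them, i.e. init. If the binaries moved to /system/vendor/bin the new entries need to be active, e.g. `/system/vendor/bin/adspd u:object_r:adspd_exec:s0`, with matching lines for init.mmi.boot.sh, wlan_carrier_bin.sh and motosh. The many `init:unix_stream_socket` and `init:binder` grants elsewhere in this commit look like symptoms of daemons stuck in init's domain.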
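Review bot: `/system/vendor/bin/qmi_motext_hook u:object_r:radio_data_file:s0` labels an executable with a data-file type that carries no `exec_type`, and `/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0` gives read-only vendor content the same label that rild.te and toolbox.te in this commit open for writing (`radio_data_file:file create_file_perms` / `rw_file_perms`). The hook should get its own exec type with a domain transition for the process that launches it, and the vendor radio directory a vendor file type, so the writable /data radio label is not shared with a partition that should never be written. Which daemon actually execs the hook is not visible from the diff.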
@@ -1,5 +1,18 @@
+# binder_call(init, mm-qcamerad);
+#binder_call(init, hwservicemanager);
+# binder_call(init, servicemanager);
+
+allow init hwservicemanager:binder call;
+allow init mm-qcamerad:binder transfer;
+allow init platform_app:binder transfer;
+
+allow init sysfs_devices_system_cpu:dir write;
+allow init sysfs_lowmemorykiller:dir write;
+allow init system_app:binder transfer;
+allow init system_data_file:file lock;
+
 allow init audio_device:chr_file { write ioctl };
-allow init input_device:chr_file ioctl;
+allow init input_device:chr_file rw_file_perms;
 allow init sensors_device:chr_file { write ioctl };
 allow init tee_device:chr_file { write ioctl };
 
@@ -21,3 +34,25 @@ allow init self:netlink_socket { read write getattr connect };
 
 allow init debugfs:file write;
 allow init persist_file:filesystem { getattr mount relabelfrom relabelto };
+
+# binder_call(batterystats_service, servicemanager);
+# allow init batterystats_service:service_manager find;
+
+# binder_call(hal_sensors_hwservice, servicemanager);
+# allow init hal_sensors_hwservice:service_manager find;
+
+allow init self:capability sys_nice;
+
+allow init bt_firmware_file:filesystem { associate };
+allow init firmware_file:filesystem { associate };
+allow init firmware_file:dir mounton;
+
+allow init sensors_device:chr_file { rw_file_perms create };
+
+allow init self:netlink_route_socket { bind create getopt nlmsg_read read setopt write };
+
+allow init self:capability2 { block_suspend };
+
+allow init hal_sensors_hwservice:hwservice_manager find;
+
+allow init { domain -lmkd -crash_dump }:process noatsecure;
diff --git a/sepolicy/init_wifi.te b/sepolicy/init_wifi.te
index dbd4b95..211f86e 100644
--- a/sepolicy/init_wifi.te
+++ b/sepolicy/init_wifi.te
@@ -1,5 +1,5 @@
 type init_wifi, domain;
-type init_wifi_exec, exec_type, file_type;
+type init_wifi_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(init_wifi)
 
 # shell scripts need to execute /system/bin/sh
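Review bot: The three commented-out `binder_call(init, ...)` lines at the top of this hunk and the raw `allow init hwservicemanager:binder call;` / `allow init mm-qcamerad:binder transfer;` rules below them show a binder conversation being driven from init that belongs in a dedicated daemon, and `allow init platform_app:binder transfer;` / `allow init system_app:binder transfer;` have init handing binder references to app domains. Please record in a comment which process raised these denials; if it is a daemon that never leaves init's domain (see the exec labels this commit comments out in file_contexts), the fix is the missing domain transition, not widening init. The dead comments should be removed either way.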
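Review bot: `allow init { domain -lmkd -crash_dump }:process noatsecure;` at the end of this hunk switches off secure-exec (AT_SECURE) for almost every domain transition init performs, so the dynamic linker in every daemon init starts will honour environment-driven loader settings instead of ignoring them. That is a blanket hardening regression applied to satisfy what is presumably one daemon's denial; name that daemon and restrict the rule to it, e.g. `allow init <daemon_domain>:process noatsecure;` (placeholder), with a comment on why it cannot tolerate AT_SECURE. The commented-out `batterystats_service` / `hal_sensors_hwservice` lines are dead and should go.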
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index be8faed..91d9023 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -1,4 +1,21 @@
+binder_call(mm-qcamerad, servicemanager);
+binder_use(mm-qcamerad);
+binder_call(mm-qcamerad, binderservicedomain);
+binder_call(mm-qcamerad, appdomain);
+
+allow servicemanager mm-qcamerad:dir { search };
+allow servicemanager mm-qcamerad:file { read open };
+allow servicemanager mm-qcamerad:process { getattr };
+
+allow mm-qcamerad camera_data_file:sock_file { create unlink write };
+allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
+allow mm-qcamerad sensorservice_service:service_manager find;
+allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
+allow mm-qcamerad permission_service:service_manager find;
 allow mm-qcamerad debug_prop:property_service set;
 allow mm-qcamerad persist_file:dir search;
 allow mm-qcamerad persist_file:file { read getattr open };
 allow mm-qcamerad system_data_file:dir read;
+
+allow mm-qcamerad init:unix_stream_socket { read write };
+allow mm-qcamerad sysfs_graphics:file { open read };
diff --git a/sepolicy/mmi_boot.te b/sepolicy/mmi_boot.te
index 23f5431..e3f56ac 100644
--- a/sepolicy/mmi_boot.te
+++ b/sepolicy/mmi_boot.te
@@ -1,5 +1,5 @@
 type mmi_boot, domain;
-type mmi_boot_exec, exec_type, file_type;
+type mmi_boot_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mmi_boot)
 
 # shell scripts need to execute /system/bin/sh
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..e69de29
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..c20cff3
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,9 @@
+typeattribute platform_app mlstrustedsubject;
+
+# binder_call(platform_app, init);
+
+allow platform_app isdbt_device:chr_file rw_file_perms;
+allow platform_app rootfs:dir getattr;
+
+allow platform_app init:unix_stream_socket { read write };
+
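Review bot: `binder_call(mm-qcamerad, appdomain);` and `binder_call(mm-qcamerad, binderservicedomain);` let the camera daemon exchange binder calls and file descriptors with every app, untrusted ones included, and with every binder service; the daemon presumably talks to one or two specific clients (cameraserver being the obvious one), so name those domains instead of the attributes. The three `allow servicemanager mm-qcamerad:...` rules belong in servicemanager.te, which this commit creates and where the equivalent rules for the other domains live. `allow mm-qcamerad init:unix_stream_socket { read write };` at the end of the hunk is the first of the same rule added for platform_app, system_app, system_server and untrusted_app_25 in this commit; a socket still labelled as init's reaching those domains, including untrusted apps, means some process is handing out a descriptor it inherited from init, most likely a daemon that never left init's domain. Label that daemon and its socket so the rules can name the real type rather than granting the init label to app domains.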
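Review bot: `typeattribute platform_app mlstrustedsubject;` exempts every platform-signed app from the MLS constraints that keep per-user data apart, which is far broader than any single denial can justify. Identify the object the app needed across levels and make that object `mlstrustedobject`, or give that one app its own domain, rather than trusting the whole platform_app domain. The `# binder_call(platform_app, init);` comment should be deleted rather than left as a hint.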
diff --git a/sepolicy/rfs_access.te b/sepolicy/rfs_access.te
index f4264c9..7d6aced 100644
--- a/sepolicy/rfs_access.te
+++ b/sepolicy/rfs_access.te
@@ -1 +1,3 @@
 allow rfs_access self:capability net_raw;
+allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
+
diff --git a/sepolicy/rfs_file.te b/sepolicy/rfs_file.te
new file mode 100644
index 0000000..fdcfab6
--- /dev/null
+++ b/sepolicy/rfs_file.te
@@ -0,0 +1 @@
+allow rfs_file persist_file:filesystem associate;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 1f19d2c..f998213 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,11 +1,14 @@
-allow rild cutback_data_file:dir rw_dir_perms;
-allow rild cutback_data_file:sock_file create_file_perms;
-allow rild fsg_file:file r_file_perms;
-allow rild fsg_file:dir r_dir_perms;
-allow rild fsg_file:lnk_file read;
-allow rild persist_file:dir search;
-allow rild persist_file:file rw_file_perms;
-allow rild sensorservice_service:service_manager find;
-allow rild system_server:binder { transfer call };
-allow rild system_server:unix_stream_socket { read getopt write };
+binder_call(rild, servicemanager);
+binder_call(rild, audioserver_service);
+binder_call(rild, per_mgr_service_old);
+allow rild per_mgr_service_old:service_manager find;
+set_prop(rild, diag_prop);
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild fsg_file:file { getattr open read };
+
+allow rild cutback_data_file:dir { add_name remove_name write };
+allow rild cutback_data_file:sock_file { create unlink write };
 
diff --git a/sepolicy/sensor_hub.te b/sepolicy/sensor_hub.te
index d86fb50..a0f0a5d 100644
--- a/sepolicy/sensor_hub.te
+++ b/sepolicy/sensor_hub.te
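Review bot: `allow rfs_access persist_file:file { getattr open read rename setattr unlink write };` grants rename and unlink on persist files, but those operations also need `{ add_name remove_name write }` on `persist_file:dir`, which this hunk does not add, so either the directory rule is missing or the file set is wider than what was actually denied. Pare the set down to what the denial log shows and add a one-line comment naming the files rfs_access manages under persist.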
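Review bot: `binder_call(rild, audioserver_service);` and `binder_call(rild, per_mgr_service_old);` pass service-manager types as the peer domain (the next line, `allow rild per_mgr_service_old:service_manager find;`, confirms per_mgr_service_old is a service label, not a process), so the expanded binder and fd rules name no running process and are dead; the peers should be the domains hosting those services, e.g. `binder_call(rild, audioserver);` and `binder_call(rild, per_mgr);`. The same mistake appears in system_app.te with `binder_call(system_app, qtitetherservice_service);`. Separately, `allow rild radio_data_file:file create_file_perms;` now also covers `/system/vendor/radio` and `/system/vendor/bin/qmi_motext_hook`, because file_contexts in this commit relabels them radio_data_file.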
@@ -1,6 +1,12 @@
 type sensor_hub, domain;
-type sensor_hub_exec, exec_type, file_type;
+type sensor_hub_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(sensor_hub)
+binder_use(sensor_hub)
+binder_service(sensor_hub)
+
 
 allow sensor_hub sensors_device:chr_file rw_file_perms;
 set_prop(sensor_hub, motosh_prop)
+
+allow sensor_hub firmware_file:file { getattr open read };
+allow sensor_hub vendor_file:file rx_file_perms;
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..e1ce98f
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,37 @@
+allow servicemanager init:dir search;
+allow servicemanager init:file { open read };
+allow servicemanager init:process getattr;
+allow servicemanager qseeproxy:dir search;
+allow servicemanager qseeproxy:file { open read };
+allow servicemanager rild:dir search;
+allow servicemanager rild:file { open read };
+allow servicemanager rild:process getattr;
+
+allow servicemanager hal_fingerprint_default:dir search;
+allow servicemanager hal_fingerprint_default:file read;
+allow servicemanager qseeproxy:process getattr;
+
+
+allow servicemanager hal_camera_default:dir search;
+allow servicemanager hal_camera_default:file { open read };
+allow servicemanager hal_camera_default:process getattr;
+
+allow servicemanager hal_fingerprint_default:file open;
+allow servicemanager hal_fingerprint_default:process getattr;
+
+allow servicemanager wcnss_service:dir search;
+allow servicemanager wcnss_service:file { open read };
+
+allow servicemanager esepmdaemon:dir search;
+allow servicemanager esepmdaemon:file { open read };
+allow servicemanager esepmdaemon:process getattr;
+
+allow servicemanager per_mgr:dir search;
+allow servicemanager per_mgr:file { open read };
+allow servicemanager per_mgr:process getattr;
+allow servicemanager wcnss_service:process getattr;
+
+allow servicemanager hal_gnss_qti:dir search;
+allow servicemanager hal_gnss_qti:file { open read };
+allow servicemanager hal_gnss_qti:process getattr;
+
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..9d58727
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,5 @@
+get_prop(surfaceflinger, diag_prop);
+allow surfaceflinger perfd_data_file:sock_file write;
+allow surfaceflinger perfd_data_file:dir search;
+allow surfaceflinger perfd:unix_stream_socket connectto;
+
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index a38f530..cfd5f0b 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
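Review bot: The rules in this new file are fragmented per domain: `hal_fingerprint_default` gets `dir search` and `file read` in one stanza and `file open` / `process getattr` two stanzas later, `qseeproxy:process getattr` sits in the fingerprint stanza and `wcnss_service:process getattr` in the per_mgr one. Keep one three-line stanza per client domain (`dir search; file { open read }; process getattr;`) so a reader can see at a glance which domains servicemanager may inspect, and drop the double blank line. A short header comment stating that these are the rights servicemanager needs to look up its binder clients in /proc would also help.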
@@ -1,4 +1,19 @@
-allow system_app sysfs_homebutton:dir r_dir_perms;
-allow system_app sysfs_homebutton:file rw_file_perms;
-allow system_app fingerprintd:binder call;
+allow system_app proc_touchpanel:dir search;
+allow system_app sysfs_vibrator:file rw_file_perms;
+allow system_app sysfs_vibrator:dir search;
+allow system_app sysfs_graphics:file rw_file_perms;
+allow system_app sysfs_graphics:dir search;
+allow system_app proc_touchpanel:file rw_file_perms;
+allow system_app sysfs_fpc:file rw_file_perms;
+allow system_app fuse_device:filesystem getattr;
+allow system_app time_daemon:unix_stream_socket connectto;
+
+allow system_app init:unix_stream_socket { read write };
+allow system_app sysfs_homebutton:file write;
+allow system_app sysfs_screen_off_gestures:file write;
+
+get_prop(system_app, diag_prop);
+get_prop(system_app, qemu_hw_mainkeys_prop);
+binder_call(system_app, qtitetherservice_service);
+binder_call(system_app, wificond);
 
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index e468d9b..10ebbc7 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -5,4 +5,10 @@ allow system_server persist_file:file create_file_perms;
 
 allow system_server rild:binder transfer;
 allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
+allow system_server init:unix_stream_socket { read };
+# allow system_server dalvikcache_data_file:file { execute };
+allow system_server qti_debugfs:file { getattr open read };
+allow system_server init:unix_stream_socket write;
+
+get_prop(system_server, alarm_boot_prop)
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644
index 0000000..83ea6da
--- /dev/null
+++ b/sepolicy/toolbox.te
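Review bot: `allow system_app sysfs_homebutton:file write;` and `allow system_app sysfs_screen_off_gestures:file write;` grant `write` without `open`, so the app still cannot open those nodes, and the hunk drops the previous `sysfs_homebutton:dir r_dir_perms` / `file rw_file_perms`, so any read of the homebutton node regresses. Use `w_file_perms` (or `rw_file_perms` if it is still read) plus `dir search` on the parent type, e.g. `allow system_app sysfs_homebutton:file w_file_perms;`. `binder_call(system_app, wificond);` is also unusually broad for an app domain; confirm the call is not already routed through system_server.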
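Review bot: `allow system_server init:unix_stream_socket { read };` and `allow system_server init:unix_stream_socket write;` in this hunk are one rule split in two with a dead comment between them; merge them as `allow system_server init:unix_stream_socket { read write };` and remove `# allow system_server dalvikcache_data_file:file { execute };` rather than leaving a hint that execute on dalvik-cache was once tried. The init-labelled socket itself points at a daemon that has not left init's domain, as noted on mm-qcamerad.te.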
@@ -0,0 +1,15 @@
+set_prop(toolbox, diag_prop);
+set_prop(toolbox, hw_rev_prop);
+set_prop(toolbox, touch_prop);
+get_prop(toolbox rmnet_mux_prop);
+allow toolbox init:fifo_file { write getattr };
+
+allow toolbox self:capability { chown dac_override };
+
+allow toolbox proc:file rw_file_perms;
+allow toolbox radio_data_file:file rw_file_perms;
+allow toolbox firmware_file:file getattr;
+allow toolbox init:fifo_file ioctl;
+allow toolbox sysfs:dir rw_dir_perms;
+allow toolbox sysfs:file rw_file_perms;
+allow toolbox init:fifo_file read;
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
new file mode 100644
index 0000000..091bdfc
--- /dev/null
+++ b/sepolicy/untrusted_app_25.te
@@ -0,0 +1,6 @@
+#allow untrusted_app_25 hal_memtrack_hwservice:hwservice_manager find;
+#allow untrusted_app_25 proc:file read;
+#allow untrusted_app_25 qti_debugfs:file read;
+
+allow untrusted_app_25 init:unix_stream_socket { read write };
+
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..d2533cb
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1 @@
+allow vold persist_file:dir { ioctl open read };
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
index 46c74a3..5cb0d81 100644
--- a/sepolicy/wcnss_service.te
+++ b/sepolicy/wcnss_service.te
@@ -1 +1,8 @@
-allow wcnss_service self:capability { setgid setuid };
+binder_call(wcnss_service, servicemanager);
+set_prop(wcnss_service, wifi_prop);
+get_prop(wcnss_service, diag_prop);
+allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
+allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
+allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
+
+allow wcnss_service per_mgr_service_old:service_manager find;
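Review bot: `get_prop(toolbox rmnet_mux_prop);` is missing the comma between the two macro arguments, so m4 passes `toolbox rmnet_mux_prop` as a single argument and the expansion reads `allow toolbox rmnet_mux_prop :file r_file_perms;`, which is at best parsed by accident; write `get_prop(toolbox, rmnet_mux_prop);`. The three `init:fifo_file` rules (`{ write getattr }`, `ioctl`, `read`) should be one rule. `allow toolbox self:capability { chown dac_override };` together with `rw_dir_perms` / `rw_file_perms` on all of `sysfs` and `rw_file_perms` on all of `proc` turns the toolbox domain into a near-root helper for whichever init script invokes it; the specific sysfs and proc nodes being written should get their own types so the grants can name them.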
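Review bot: `allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };` and the matching `toolbox_exec` rule run the shell and toolbox inside the wcnss_service domain (`execute_no_trans`), so any script this daemon launches inherits everything granted here, including `allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;` and `set_prop(wcnss_service, wifi_prop);`. If the daemon must run a script, give that script its own exec type with a domain transition, as init_wifi.te does for wlan_carrier_bin.sh, and keep shell_exec out of this domain. Dropping `self:capability { setgid setuid }` in the same hunk is the right direction.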