From 63a775260b765b7f599926dac932e37af5406278 Mon Sep 17 00:00:00 2001 From: ronaxdevil Date: Thu, 26 Mar 2020 10:26:49 +0530 Subject: [PATCH] sanders: sepol: update sepolicy -ref: https://github.com/crdroidandroid/android_device_motorola_sanders/tree/10.0-20200126 
Signed-off-by: ronaxdevil --- sepolicy/vendor/atfwd.te | 1 + sepolicy/vendor/cameraserver.te | 14 +++-- sepolicy/vendor/charge_only.te | 42 --------------- sepolicy/vendor/cnd.te | 5 +- sepolicy/vendor/energyawareness.te | 4 +- sepolicy/vendor/file.te | 11 ++-- sepolicy/vendor/file_contexts | 51 +++++++++---------- sepolicy/vendor/fingerprintd.te | 6 +-- sepolicy/vendor/firmware_file.te | 2 +- sepolicy/vendor/fsck.te | 1 + sepolicy/vendor/hal_audio_default.te | 3 +- sepolicy/vendor/hal_camera_default.te | 14 +++-- sepolicy/vendor/hal_drm_default.te | 4 +- sepolicy/vendor/hal_esepowermanager_qti.te | 1 + sepolicy/vendor/hal_fingerprint_default.te | 16 ++++-- sepolicy/vendor/hal_gatekeeper_default.te | 1 + sepolicy/vendor/hal_gnss_qti.te | 9 ++-- sepolicy/vendor/hal_health_default.te | 1 + sepolicy/vendor/hal_keymaster_default.te | 1 + sepolicy/vendor/hal_keymaster_qti.te | 1 + sepolicy/vendor/hal_memtrack_default.te | 1 + sepolicy/vendor/hal_nfc_default.te | 5 ++ sepolicy/vendor/hal_sensors_default.te | 4 +- .../hal_sensorscalibrate_qti_default.te | 1 + sepolicy/vendor/hal_wifi_default.te | 1 + sepolicy/vendor/healthd.te | 1 + sepolicy/vendor/hwservice_contexts | 5 ++ sepolicy/vendor/ims.te | 10 ++-- sepolicy/vendor/init.te | 43 ++++++++++------ sepolicy/vendor/installd.te | 10 ++-- sepolicy/vendor/isdbt_app.te | 9 ++++ sepolicy/vendor/kernel.te | 1 + sepolicy/vendor/location.te | 2 + sepolicy/vendor/logd.te | 1 + sepolicy/vendor/logpersist.te | 3 ++ sepolicy/vendor/mediacodec.te | 4 +- sepolicy/vendor/mediadrmserver.te | 4 +- sepolicy/vendor/mm-qcamerad.te | 35 ++++++++----- sepolicy/vendor/mmi_boot.te | 2 +- sepolicy/vendor/netd.te | 3 +- sepolicy/vendor/netmgrd.te | 11 ++-- sepolicy/vendor/nfc.te | 2 + sepolicy/vendor/per_mgr.te | 2 +- sepolicy/vendor/perfd.te | 14 ++--- sepolicy/vendor/persist_file.te | 2 +- sepolicy/vendor/platform_app.te | 2 +- sepolicy/vendor/priv_app.te | 7 ++- sepolicy/vendor/property.te | 6 +-- sepolicy/vendor/property_contexts | 5 +- 
sepolicy/vendor/qseeproxy.te | 6 ++- sepolicy/vendor/qtelephony.te | 2 +- sepolicy/vendor/qti.te | 5 +- sepolicy/vendor/qti_init_shell.te | 12 +++-- sepolicy/vendor/radio.te | 5 +- sepolicy/vendor/rfs_access.te | 8 +-- sepolicy/vendor/rfs_file.te | 2 +- sepolicy/vendor/rild.te | 18 ++++++- sepolicy/vendor/rmt_storage.te | 35 +++++-------- sepolicy/vendor/seapp_contexts | 2 + sepolicy/vendor/sensors.te | 1 + sepolicy/vendor/service_contexts | 8 +-- sepolicy/vendor/servicemanager.te | 38 +++++++------- sepolicy/vendor/surfaceflinger.te | 6 ++- sepolicy/vendor/system_app.te | 15 +++--- sepolicy/vendor/system_server.te | 12 +++-- sepolicy/vendor/tee.te | 9 +++- sepolicy/vendor/thermal-engine.te | 21 +++++--- sepolicy/vendor/time_daemon.te | 8 ++- sepolicy/vendor/toolbox.te | 2 +- sepolicy/vendor/ueventd.te | 4 +- sepolicy/vendor/untrusted_app.te | 16 +++++- sepolicy/vendor/vendor_init.te | 26 ++++++++++ sepolicy/vendor/vendor_per_mgr.te | 2 + sepolicy/vendor/vendor_ssr_setup.te | 1 + sepolicy/vendor/vold.te | 4 +- sepolicy/vendor/wcnss_filter.te | 3 +- sepolicy/vendor/wcnss_service.te | 9 ++-- sepolicy/vendor/webview_zygote.te | 1 + sepolicy/vendor/zygote.te | 1 + 79 files changed, 399 insertions(+), 267 deletions(-) create mode 100644 sepolicy/vendor/atfwd.te delete mode 100644 sepolicy/vendor/charge_only.te create mode 100644 sepolicy/vendor/hal_esepowermanager_qti.te create mode 100644 sepolicy/vendor/hal_gatekeeper_default.te create mode 100644 sepolicy/vendor/hal_health_default.te create mode 100644 sepolicy/vendor/hal_keymaster_default.te create mode 100644 sepolicy/vendor/hal_keymaster_qti.te create mode 100644 sepolicy/vendor/hal_memtrack_default.te create mode 100644 sepolicy/vendor/hal_nfc_default.te create mode 100644 sepolicy/vendor/hal_sensorscalibrate_qti_default.te create mode 100644 sepolicy/vendor/hal_wifi_default.te create mode 100644 sepolicy/vendor/healthd.te create mode 100644 sepolicy/vendor/hwservice_contexts create mode 100644 
sepolicy/vendor/isdbt_app.te create mode 100644 sepolicy/vendor/location.te create mode 100644 sepolicy/vendor/logd.te create mode 100644 sepolicy/vendor/logpersist.te create mode 100644 sepolicy/vendor/seapp_contexts create mode 100644 sepolicy/vendor/sensors.te create mode 100644 sepolicy/vendor/vendor_init.te create mode 100644 sepolicy/vendor/vendor_per_mgr.te create mode 100644 sepolicy/vendor/vendor_ssr_setup.te create mode 100644 sepolicy/vendor/webview_zygote.te
diff --git a/sepolicy/vendor/atfwd.te b/sepolicy/vendor/atfwd.te
new file mode 100644
index 0000000..a60277a
--- /dev/null
+++ b/sepolicy/vendor/atfwd.te
@@ -0,0 +1 @@
+allow atfwd sysfs:file read;
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index feb4596..fbe49bd 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -25,7 +25,7 @@ allow cameraserver media_rw_data_file:file { create read write open };
 allow cameraserver cameraserver:process { execmem };
 ####
-#allow cameraserver debug_prop:file { r_file_perms };
+allow cameraserver debug_prop:file { r_file_perms };
 allow cameraserver debug_prop:property_service set;
 #######
@@ -33,7 +33,7 @@ allow cameraserver debug_prop:property_service set;
 #allow cameraserver persist_file:file setattr;
 allow cameraserver shell_exec:file { read open execute };
 allow cameraserver self:socket create;
-#allow cameraserver camera_prop:property_service set;
+allow cameraserver camera_prop:property_service set;
 allow cameraserver init:unix_stream_socket connectto;
 allow cameraserver property_socket:sock_file write;
 #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
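Review bot: The new `allow atfwd sysfs:file read;` grants read on every file carrying the generic `sysfs` label rather than on the one node atfwd actually needs. The same generic-sysfs grant recurs in the hunks for cnd, ims, hal_gnss_qti, hal_health_default, healthd, hal_sensorscalibrate_qti_default, location, netmgrd, mm-qcamerad, hal_camera_default, hal_audio_default and hal_sensors_default, and init additionally gets `sysfs:file setattr`. The usual fix is to take the path from the denial, give it its own `sysfs_*` type in file.te plus a `file_contexts` entry (as this commit already does for `sysfs_fpc_proximity`) and allow that type instead; where the broad rule is kept on purpose, a comment naming the path it is for (`# sysfs: <path from denial>`) keeps it reviewable later.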
@@ -45,9 +45,13 @@ allow cameraserver debugfs:dir { read open };
 allow cameraserver nfc_data_file:file { open write };
 allow cameraserver socket_device:sock_file write;
-#allow cameraserver hal_perf_default:binder call;
+allow cameraserver hal_perf_default:binder call;
-#allow cameraserver sysfs_battery_supply:dir search;
-#allow cameraserver sysfs_battery_supply:file { getattr open read };
+allow cameraserver sysfs_battery_supply:dir search;
+allow cameraserver sysfs_battery_supply:file { getattr open read };
 allow cameraserver camera_bgproc_service:service_manager { add find };
+allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+allow cameraserver default_android_service:service_manager find;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver init:unix_dgram_socket { sendto };
diff --git a/sepolicy/vendor/charge_only.te b/sepolicy/vendor/charge_only.te
deleted file mode 100644
index 24ebe81..0000000
--- a/sepolicy/vendor/charge_only.te
+++ /dev/null
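Review bot: `allow cameraserver default_android_service:service_manager find;` targets the fallback label for services that have no `service_contexts` entry, so it grants a find on every unlabeled service rather than on the one cameraserver is looking for. The missing service name should get its own type in `service_contexts` (this commit changes that file, but the change is not in view) and this rule rewritten against that type. The same fallback-label pattern appears later on this page in hal_fingerprint_default (`default_android_hwservice:hwservice_manager { add }`) and in init (`default_android_hwservice:hwservice_manager { add find }`); each should resolve to a named hwservice type in `hwservice_contexts`, which this commit already does correctly for the NXP NFC/eSE services.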
@@ -1,42 +0,0 @@
-type charge_only, domain;
-type charge_only_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(charge_only)
-
-# Write to /dev/kmsg
-allow charge_only kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charge_only, sysfs_type)
-r_dir_file(charge_only, rootfs)
-r_dir_file(charge_only, cgroup)
-
-allow charge_only self:capability { net_admin sys_tty_config sys_boot };
-allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(charge_only)
-
-# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charge_only sysfs:dir { read open };
-allow charge_only sysfs:file { read open write };
-
-allow charge_only sysfs_wake_lock:file rw_file_perms;
-
-allow charge_only sysfs_batteryinfo:file r_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charge_only pstorefs:dir r_dir_perms;
-allow charge_only pstorefs:file r_file_perms;
-
-allow charge_only graphics_device:dir r_dir_perms;
-allow charge_only graphics_device:chr_file rw_file_perms;
-allow charge_only input_device:dir r_dir_perms;
-allow charge_only input_device:chr_file r_file_perms;
-allow charge_only tty_device:chr_file rw_file_perms;
-allow charge_only proc_sysrq:file rw_file_perms;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charge_only, system_prop)
diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te
index c2553eb..4c47de1 100644
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -1,2 +1,3 @@
-#allow cnd diag_device:chr_file { read write };
-#allow cnd self:capability { net_raw };
+allow cnd diag_device:chr_file { read write };
+allow cnd self:capability { chown dac_override fsetid net_raw };
+allow cnd sysfs:file read;
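Review bot: The new `allow cnd self:capability { chown dac_override fsetid net_raw };` widens the previously commented-out `net_raw` grant with `dac_override`, `chown` and `fsetid`, which let the connectivity daemon ignore ownership and mode bits on everything its SELinux rules already reach. A `dac_override` denial almost always means a file or directory cnd needs is owned by the wrong UID; fixing the `mkdir`/`chown` in the init rc is the usual remedy, and if the grant must stay the rule should carry a comment naming the path it is for. `chown` and `fsetid` have no visible consumer here and should be dropped unless a denial shows them.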
diff --git a/sepolicy/vendor/energyawareness.te b/sepolicy/vendor/energyawareness.te
index f9f7b52..e2ccd54 100644
--- a/sepolicy/vendor/energyawareness.te
+++ b/sepolicy/vendor/energyawareness.te
@@ -1,2 +1,2 @@
-#allow energyawareness sysfs_uio:file r_file_perms;
-#allow energyawareness sysfs_rmt_storage:file r_file_perms;
+allow energyawareness sysfs_uio:file r_file_perms;
+allow energyawareness sysfs_rmt_storage:file r_file_perms;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 54ddd9f..23a3a13 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,9 +1,6 @@
 # ADSP
 type adspd_data_file, file_type, data_file_type, core_data_file_type;
-# charge_only_mode
-type chargeonly_data_file, file_type, data_file_type, core_data_file_type;
-
 # FSG
 type fsg_file, fs_type, contextmount_type;
@@ -31,11 +28,8 @@ type wapi_supplicant_data_file, file_type, data_file_type, core_data_file_type;
 # RIL
 type netmgr_data_file, file_type, data_file_type, core_data_file_type;
-#test firmware
-type firmware_file, file_type;
-
 # sysfs
-#type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_homebutton, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mmi_fp, fs_type, sysfs_type;
@@ -52,7 +46,6 @@ type sysfs_wcnsscore, fs_type, sysfs_type;
 type nv_data_file, file_type, data_file_type, core_data_file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
-type debugfs_wlan, debugfs_type, fs_type;
 type perfd_data_file, file_type, data_file_type, core_data_file_type;
 type proc_kernel_sched, fs_type;
 type sysfs_power_management, sysfs_type, fs_type;
@@ -60,3 +53,5 @@ type proc_touchpanel, fs_type;
 type camera_socket, file_type, data_file_type, core_data_file_type;
 type sysfs_screen_off_gestures, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_fpc_proximity, sysfs_type, fs_type;
+type theme_data_file, file_type, data_file_type;
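Review bot: `type theme_data_file, file_type, data_file_type;` in the last file.te hunk is the only `data_file_type` declared in this file without `core_data_file_type`; every other `/data` type visible here (`adspd_data_file`, `netmgr_data_file`, `nv_data_file`, `perfd_data_file`, `camera_socket`) carries it. If theme data lives under `/data` and is meant to be reachable only by core domains, the attribute should be added so the platform's vendor-access neverallows cover it; if it was left off deliberately so a vendor domain can write it, a comment such as `# theme_data_file: not core_data_file_type on purpose, written by <domain>` would stop the next reader from "fixing" it. The matching `file_contexts` entry is not in this hunk, so the intended path cannot be confirmed from here.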
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index cddaeac..d444954 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,41 +1,36 @@
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p19 u:object_r:modem_efs_partition_device:s0
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p27 u:object_r:modem_efs_partition_device:s0
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p28 u:object_r:modem_efs_partition_device:s0
-
-# FSG
-/fsg u:object_r:fsg_file:s0
-
 # ADSP
-#/sys/kernel/aov(/.*)? u:object_r:sysfs_adsp:s0
+/sys/kernel/aov(/.*)? u:object_r:sysfs_adsp:s0
 /data/adspd(/.*)? u:object_r:adspd_data_file:s0
 # AMPS
 /dev/hidraw[0-9]* u:object_r:amps_raw_device:s0
 # Binaries
-/vendor/bin/charge_only_mode u:object_r:charge_only_exec:s0
 /vendor/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_exec:s0
 /vendor/bin/wlan_carrier_bin\.sh u:object_r:init_wifi_exec:s0
-#/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
+/vendor/bin/init\.qti\.fm\.sh u:object_r:qti_init_shell_exec:s0
+
+#Camera
+/(vendor|system/vendor)/bin/hw/motorola\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/lib/motorola\.hardware\.camera\.device@1\.0.so u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/lib/motorola\.hardware\.camera\.provider@2\.4.so u:object_r:hal_camera_default_exec:s0
 # CMActions
 /sys/homebutton(/.*)? u:object_r:sysfs_homebutton:s0
-# Motorola services
-/data/chargeonlymode(/.*)? u:object_r:chargeonly_data_file:s0
-
 # Fingerprint
 /data/.fps(/.*)? u:object_r:fingerprintd_data_file:s0
 /data/fpc u:object_r:fingerprintd_data_file:s0
 /data/fpc/socket u:object_r:fpc_socket:s0
-/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)? u:object_r:sysfs_fpc:s0
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)? u:object_r:sysfs_fpc:s0
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0/proximity_state u:object_r:sysfs_fpc_proximity:s0
 # Modem
 /persist/mdm(/.*)? u:object_r:persist_modem_file:s0
 /persist/prop(/.*)? u:object_r:persist_omadm_file:s0
-#/persist/prov(/.*)? u:object_r:persist_drm_file:s0
+/persist/prov(/.*)? u:object_r:persist_drm_file:s0
 /persist/omadm(/.*)? u:object_r:persist_omadm_file:s0
 /persist/omadm_database(/.*)? u:object_r:persist_omadm_file:s0
 /persist/omadm_cust_database(/.*)? u:object_r:persist_omadm_file:s0
@@ -62,9 +57,9 @@
 /sys/module/qpnp_bms(/.*)? u:object_r:sysfs_batt:s0
 /sys/module/cnss_pci(/.*)? u:object_r:sysfs_cnss:s0
-#/sys/devices/iio_sysfs_trigger(/.*)? u:object_r:sysfs_sensors:s0
-#/sys/devices/virtual/stm401/stm401_ms(/.*)? u:object_r:sysfs_sensors:s0
-#/sys/devices/virtual/stm401/stm401_as(/.*)? u:object_r:sysfs_sensors:s0
+/sys/devices/iio_sysfs_trigger(/.*)? u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_ms(/.*)? u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_as(/.*)? u:object_r:sysfs_sensors:s0
 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0
@@ -94,7 +89,7 @@
 /dev/block/bootdevice/by-name/hw u:object_r:hw_block_device:s0
 /dev/block/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/mmcblk0p35 u:object_r:metadata_block_device:s0
-#/dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0
 /dev/block/bootdevice/by-name/utagsBackup u:object_r:utags_block_device:s0
 /dev/block/bootdevice/by-name/utags u:object_r:utags_block_device:s0
@@ -102,7 +97,7 @@
 /data/misc/netmgr(/.*)? u:object_r:netmgr_data_file:s0
 # Sensors
-#/dev/mmi_sys_temp u:object_r:thermal_device:s0
+/dev/mmi_sys_temp u:object_r:thermal_device:s0
 /dev/motosh u:object_r:sensors_device:s0
 /dev/motosh_as u:object_r:sensors_device:s0
 /dev/motosh_ms u:object_r:sensors_device:s0
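Review bot: The two new `/(vendor|system/vendor)/lib/motorola\.hardware\.camera\.*.so` entries in the `#Camera` block of the first hunk label shared libraries with `hal_camera_default_exec`, an `exec_type` meant for the provider binary that init transitions on. A `.so` is mapped, not executed, so the label gives a library the provider's exec-transition semantics and takes it out of the default vendor library label that any in-process loader expects; nothing in this commit grants other domains `execute` on `hal_camera_default_exec`. The libraries should have no `file_contexts` entry at all (default vendor labelling) or, if a client outside the HAL loads them, a `same_process_hal_file` entry; the regexes also leave the final dot before `so` unescaped (`@1\.0.so`), unlike the other dots on the same lines.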
@@ -120,21 +115,25 @@
 /data/system/perfd(/.*)? u:object_r:perfd_data_file:s0
 /data/oemnvitems(/.*)? u:object_r:nv_data_file:s0
-/(vendor|system/vendor)/bin/perfd u:object_r:perfd_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.1-service-qti u:object_r:hal_power_default_exec:s0
-#/(vendor|system/vendor)/radio(/.*)? u:object_r:radio_data_file:s0
+/system/vendor/bin/perfd u:object_r:perfd_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service-qti u:object_r:hal_power_default_exec:s0
+/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
-/(vendor|system/vendor)/bin/qmi_motext_hook u:object_r:rild_exec:s0
+/system/vendor/bin/qmi_motext_hook u:object_r:rild_exec:s0
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
 # Fingerprint custom hal
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service_32 u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice u:object_r:hal_fingerprint_default_exec:s0
 # Light HAL
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service.sanders u:object_r:hal_light_default_exec:s0
 /sys/devices/soc/1a00000.qcom,mdss_mdp/1a00000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight/brightness u:object_r:sysfs_leds:s0
 /sys/devices/soc/leds-atc-20/leds/charging/brightness u:object_r:sysfs_leds:s0
-# files in firmware
-/firmware(/.*)? u:object_r:firmware_file:s0
+# Files in firmware
+/firmware(/.*)? u:object_r:firmware_file:s0
+
+# Files in fsg
+/fsg(/.*)? u:object_r:fsg_file:s0
diff --git a/sepolicy/vendor/fingerprintd.te b/sepolicy/vendor/fingerprintd.te
index ac6cbc7..0bd43f4 100644
--- a/sepolicy/vendor/fingerprintd.te
+++ b/sepolicy/vendor/fingerprintd.te
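Review bot: The four rewritten entries at the top of this hunk narrow `/(vendor|system/vendor)/...` to `/system/vendor/...` for `perfd_exec`, `hal_power_default_exec`, `radio_data_file` and `rild_exec`, while the fingerprint and light HAL entries further down keep the alternation. `file_contexts` patterns are matched against the path as mounted, so on a build where `/vendor` is a separate partition the narrowed patterns never match, perfd, the power HAL and `qmi_motext_hook` are left as plain vendor files and init will not transition them into their domains. Unless sanders is known to ship only a `/system/vendor` directory, these should be restored to the `/(vendor|system/vendor)` form used by the neighbouring lines.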
@@ -1,5 +1,5 @@
-#allow fingerprintd firmware_file:dir search;
-#allow fingerprintd firmware_file:file { getattr open read };
+allow fingerprintd firmware_file:dir search;
+allow fingerprintd firmware_file:file { getattr open read };
 allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
 allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
 allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
@@ -8,5 +8,5 @@ allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
 allow fingerprintd system_data_file:sock_file unlink;
 allow fingerprintd sysfs_fpc:dir r_dir_perms;
 allow fingerprintd sysfs_fpc:file rw_file_perms;
-#allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd tee_device:chr_file { ioctl open read write };
 allow fingerprintd uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/firmware_file.te b/sepolicy/vendor/firmware_file.te
index 1beb479..87b8ba7 100644
--- a/sepolicy/vendor/firmware_file.te
+++ b/sepolicy/vendor/firmware_file.te
@@ -1,2 +1,2 @@
-#allow firmware_file rootfs:filesystem associate;
+allow firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
index 48352f1..b0f25a4 100644
--- a/sepolicy/vendor/fsck.te
+++ b/sepolicy/vendor/fsck.te
@@ -1 +1,2 @@
 # allow fsck block_device:blk_file { read write };
+allow fsck fsck:capability { dac_override dac_read_search };
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index 2932230..ed4786f 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -1,2 +1 @@
-get_prop(hal_audio_default, dirac_prop)
-set_prop(hal_audio_default, dirac_prop)
+allow hal_audio_default sysfs:dir {open read };
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 0753840..ca7eec1 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,4 +1,10 @@
-#allow hal_camera_default gpu_device:dir r_dir_perms;
-#allow hal_camera_default gpu_device:file r_file_perms;
-#allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-#allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default gpu_device:dir r_dir_perms;
+allow hal_camera_default gpu_device:file r_file_perms;
+allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default unlabeled:file {open getattr read };
+allow hal_camera_default camera_data_file:sock_file write;
+allow hal_camera_default persist_file:file { rw_file_perms setattr };
+allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager { find };
+allow hal_camera_default system_server:unix_stream_socket { read write };
+allow hal_camera_default sysfs:file { read open getattr };
diff --git a/sepolicy/vendor/hal_drm_default.te b/sepolicy/vendor/hal_drm_default.te
index 6ef8588..b244688 100644
--- a/sepolicy/vendor/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm_default.te
@@ -1,2 +1,2 @@
-#allow hal_drm_default firmware_file:lnk_file read;
-#allow hal_drm_default debug_prop:file read;
+allow hal_drm_default firmware_file:lnk_file read;
+allow hal_drm_default debug_prop:file read;
diff --git a/sepolicy/vendor/hal_esepowermanager_qti.te b/sepolicy/vendor/hal_esepowermanager_qti.te
new file mode 100644
index 0000000..74b07d3
--- /dev/null
+++ b/sepolicy/vendor/hal_esepowermanager_qti.te
@@ -0,0 +1 @@
+allow hal_esepowermanager_qti unlabeled:dir search;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index b21e053..7dc26ff 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
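Review bot: `allow hal_camera_default system_server:unix_stream_socket { read write };` and `allow hal_camera_default persist_file:file { rw_file_perms setattr };` in the block of new rules let a vendor HAL talk directly to a system_server socket and rewrite any file carrying the generic `persist_file` label. The first crosses the vendor/system boundary the HIDL camera provider interface exists to avo id; if the socket is a camera or sensor channel, the traffic should go through the provider interface or a dedicated socket type rather than system_server's own sockets. The second should be scoped to a specific `/persist` subdirectory type (this commit's `file_contexts` already labels `persist_modem_file`, `persist_omadm_file` and `persist_drm_file`), with `setattr` dropped unless a denial shows it.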
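Review bot: `allow hal_esepowermanager_qti unlabeled:dir search;` grants access to the `unlabeled` type, which the kernel assigns to objects that have no label at all, usually a directory created before `restorecon` ran or a mount with no `file_contexts` entry. The same workaround is repeated for hal_camera_default (`unlabeled:file`), hal_fingerprint_default, hal_wifi_default, kernel, logd, mediacodec and mm-qcamerad, and since each rule reaches every unlabeled object on the device rather than one path, the fix is to take the path from the denial, give it a `file_contexts` entry and a `restorecon_recursive` in the rc file, and drop these rules. If one has to stay, a comment naming the path (`# unlabeled: <path from denial>`) makes it possible to remove later.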
@@ -2,10 +2,18 @@ allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
 allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
 allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-#allow hal_fingerprint_default firmware_file:dir search;
-#allow hal_fingerprint_default firmware_file:file r_file_perms;
-#allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
-#allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
+allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
+allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
+allow hal_fingerprint_default unlabeled:dir search;
+allow hal_fingerprint_default unlabeled:file { getattr open read };
+allow hal_fingerprint_default fingerprintd_data_file:dir { add_name getattr remove_name search write };
+allow hal_fingerprint_default system_data_file:dir { add_name getattr create write };
+allow hal_fingerprint_default system_data_file:file create;
+allow hal_fingerprint_default fingerprintd_data_file:file { getattr rename unlink };
diff --git a/sepolicy/vendor/hal_gatekeeper_default.te b/sepolicy/vendor/hal_gatekeeper_default.te
new file mode 100644
index 0000000..7ed299c
--- /dev/null
+++ b/sepolicy/vendor/hal_gatekeeper_default.te
@@ -0,0 +1 @@
+get_prop(hal_gatekeeper_default, tee_listener_prop)
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index 55af1e8..7ac8548 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
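Review bot: The trailing block gives a vendor HAL `system_data_file:dir { add_name getattr create write }` and `system_data_file:file create`, i.e. the right to create files and directories anywhere that carries the generic `/data` label, alongside `rename`/`unlink` on `fingerprintd_data_file`. Vendor domains writing `system_data_file` is the split the Treble `core_data_file_type` neverallows are meant to enforce, so this is likely to fail the platform neverallow check on an AOSP-derived tree; the directory the fpc service creates under `/data` should instead be labelled `fpc_data_file` (already used on the context line above) or `fingerprintd_data_file` in `file_contexts` with a `mkdir` in the rc file, which makes the `system_data_file` rules unnecessary. `default_android_hwservice:hwservice_manager { add }` likewise points at a service missing from `hwservice_contexts`; the `-fpcservice` binary this commit labels should register under a named hwservice type.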
@@ -1,6 +1,6 @@
-#get_prop(hal_gnss_qti, diag_prop);
-#allow hal_gnss_qti debug_prop:file read;
-#allow hal_gnss_qti property_socket:sock_file write;
+get_prop(hal_gnss_qti, diag_prop);
+allow hal_gnss_qti debug_prop:file read;
+allow hal_gnss_qti property_socket:sock_file write;
 # Most HALs are not allowed to use network sockets. Qcom library
 # libqdi is used across multiple processes which are clients of
@@ -14,4 +14,5 @@
 # libqdi and have all its clients use netlink route
 # sockets.
 # Taken from device/google/wahoo
-#dontaudit hal_gnss_qti self:udp_socket create;
+dontaudit hal_gnss_qti self:udp_socket create;
+allow hal_gnss_qti sysfs:file read;
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..b2aa03c
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { open getattr read };
diff --git a/sepolicy/vendor/hal_keymaster_default.te b/sepolicy/vendor/hal_keymaster_default.te
new file mode 100644
index 0000000..1c22749
--- /dev/null
+++ b/sepolicy/vendor/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_listener_prop)
diff --git a/sepolicy/vendor/hal_keymaster_qti.te b/sepolicy/vendor/hal_keymaster_qti.te
new file mode 100644
index 0000000..200ad96
--- /dev/null
+++ b/sepolicy/vendor/hal_keymaster_qti.te
@@ -0,0 +1 @@
+allow hal_keymaster_qti system_file:file read;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack_default.te
new file mode 100644
index 0000000..4eeb834
--- /dev/null
+++ b/sepolicy/vendor/hal_memtrack_default.te
@@ -0,0 +1 @@
+allow hal_memtrack_default sysfs_kgsl:lnk_file read;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..22fd4d1
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
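Review bot: `allow hal_keymaster_qti system_file:file read;` lets a vendor HAL read arbitrary files under `/system`, which is the Treble boundary vendor code is expected to stay behind (vendor processes should depend only on `/vendor` and the VNDK). The denial behind it most likely names one specific file: if it is a library it belongs in `/vendor` or should be served through the VNDK, and if it is a data file it deserves its own type; the rule as written should at least carry a comment naming that file. The new file also lacks a trailing newline (`\ No newline at end of file`), as does `hal_memtrack_default.te` in the next hunk.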
@@ -0,0 +1,5 @@
+#allow hal_nfc_default default_android_hwservice:hwservice_manager { add find };
+add_hwservice(hal_nfc_default, hal_nfc_hwservice);
+add_hwservice(hal_nfc_default, hal_secure_element_hwservice);
+allow hal_nfc_default nfc_vendor_data_file:dir { add_name create search write };
+allow hal_nfc_default nfc_vendor_data_file:file create;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index c549df0..cbe6077 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,7 +1,7 @@
 binder_call(hal_sensors_default, hwservicemanager)
 # binder_call(hal_sensors_default, servicemanager)
-#binder_call(hal_sensors_default, mm-qcamerad)
+binder_call(hal_sensors_default, mm-qcamerad)
 binder_call(hal_sensors_default, system_server)
 binder_call(hal_sensors_default, system_app)
@@ -16,4 +16,4 @@ allow hal_sensors_default proc_net:file { getattr open read };
 allow hal_sensors_default sysfs_capsense:dir search;
 allow hal_sensors_default sysfs_capsense:file { open write };
-
+allow hal_sensors_default sysfs:dir { open read };
diff --git a/sepolicy/vendor/hal_sensorscalibrate_qti_default.te b/sepolicy/vendor/hal_sensorscalibrate_qti_default.te
new file mode 100644
index 0000000..8d90a40
--- /dev/null
+++ b/sepolicy/vendor/hal_sensorscalibrate_qti_default.te
@@ -0,0 +1 @@
+allow hal_sensorscalibrate_qti_default sysfs:file read;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..c7d81d4
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+allow hal_wifi_default unlabeled:dir search;
diff --git a/sepolicy/vendor/healthd.te b/sepolicy/vendor/healthd.te
new file mode 100644
index 0000000..14ca57b
--- /dev/null
+++ b/sepolicy/vendor/healthd.te
@@ -0,0 +1 @@
+allow healthd sysfs:file { open getattr read };
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..4ef660c
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,5 @@
+vendor.nxp.nxpese::INxpEse u:object_r:hal_secure_element_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0
+
+motorola.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+motorola.hardware.mods_camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
diff --git a/sepolicy/vendor/ims.te b/sepolicy/vendor/ims.te
index 200fcfa..bc8620c 100644
--- a/sepolicy/vendor/ims.te
+++ b/sepolicy/vendor/ims.te
@@ -1,4 +1,6 @@
-#allow ims debug_prop:property_service set;
-#get_prop(ims, debug_prop);
-#allow ims self:capability net_raw;
-#allow ims diag_device:chr_file { read write };
+allow ims debug_prop:property_service set;
+get_prop(ims, debug_prop);
+set_prop(ims, debug_prop)
+allow ims self:capability net_raw;
+allow ims diag_device:chr_file { read write };
+allow ims sysfs:file read;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 761edc6..bd78335 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -2,9 +2,11 @@
 #binder_call(init, hwservicemanager);
 # binder_call(init, servicemanager);
-#allow init hwservicemanager:binder call;
-#allow init mm-qcamerad:binder transfer;
-#allow init platform_app:binder transfer;
+add_hwservice( init, hal_camera_hwservice);
+
+allow init hwservicemanager:binder call;
+allow init mm-qcamerad:binder transfer;
+allow init platform_app:binder transfer;
 allow init system_app:binder transfer;
 allow init system_data_file:file lock;
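Review bot: `add_hwservice( init, hal_camera_hwservice);` makes the init domain itself register the camera provider hwservice (the motorola provider names are mapped to `hal_camera_hwservice` in the new `hwservice_contexts`), which only makes sense if the provider process is running as `init`, i.e. it was started without a domain transition. The same commit labels `motorola.hardware.camera.provider@2.4-service` as `hal_camera_default_exec` in `file_contexts`, so either that label is not matching at runtime or some other launcher runs in init's context; the fix is to make the provider transition into `hal_camera_default` and drop this line together with `allow init mm-qcamerad:binder transfer` and `allow init platform_app:binder transfer`, which init proper should not need. The later init.te hunk on this page adds the matching `hal_camera_hwservice` and `hal_fingerprint_hwservice` `add` rules, which fall with this one; note also the stray space in `add_hwservice( init,`.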
@@ -12,7 +14,7 @@ allow init system_data_file:file lock;
 allow init audio_device:chr_file { write ioctl };
 allow init input_device:chr_file rw_file_perms;
 allow init sensors_device:chr_file { write ioctl };
-#allow init tee_device:chr_file { write ioctl };
+allow init tee_device:chr_file { write ioctl };
 allow init servicemanager:binder { transfer call };
 allow init system_server:binder { transfer call };
@@ -20,10 +22,10 @@ allow init system_server:binder { transfer call };
 allow init property_socket:sock_file write;
 allow init socket_device:sock_file { create setattr unlink };
-#allow init system_data_file:file { rename append };
-#allow init firmware_file:dir mounton;
+allow init system_data_file:file { rename append };
+allow init firmware_file:dir mounton;
-#allow init fm_radio_device:chr_file write;
+allow init fm_radio_device:chr_file write;
 # ptt_socket_app
 allow init dnsproxyd_socket:sock_file write;
@@ -31,12 +33,12 @@ allow init netd:unix_stream_socket connectto;
 allow init self:netlink_socket { read write getattr connect };
 allow init debugfs:file write;
-#allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
+allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
 allow init self:capability sys_nice;
-#allow init bt_firmware_file:filesystem { associate };
-#allow init firmware_file:filesystem { associate };
+allow init bt_firmware_file:filesystem { associate };
+allow init firmware_file:filesystem { associate };
 allow init sensors_device:chr_file { rw_file_perms create };
@@ -44,10 +46,21 @@ allow init self:netlink_route_socket { bind create getopt nlmsg_read read setopt
 allow init self:capability2 { block_suspend };
-#allow init hal_sensors_hwservice:hwservice_manager find;
-
-#allow init { domain -lmkd -crash_dump }:process noatsecure;
-
-#allow init hal_perf_hwservice:hwservice_manager find;
+allow init hal_sensors_hwservice:hwservice_manager find;
+allow init { domain -lmkd -crash_dump }:process noatsecure;
+allow init hal_perf_hwservice:hwservice_manager find;
 allow init hidl_base_hwservice:hwservice_manager add;
+allow init hidl_allocator_hwservice:hwservice_manager { find };
+allow init hal_graphics_mapper_hwservice:hwservice_manager { find };
+allow init hal_bluetooth_hwservice:hwservice_manager { find };
+allow init hidl_base_hwservice:hwservice_manager { add };
+allow init hal_gnss_hwservice:hwservice_manager { find };
+allow init system_net_netd_hwservice:hwservice_manager { find };
+allow init default_android_hwservice:hwservice_manager { add find };
+allow init hal_camera_hwservice:hwservice_manager add;
+allow init hal_fingerprint_hwservice:hwservice_manager add;
+allow init sysfs:file setattr;
+allow init system_file:dir relabelfrom;
+allow init shell_exec:file execute_no_trans;
+allow init system_file:file relabelfrom;
diff --git a/sepolicy/vendor/installd.te b/sepolicy/vendor/installd.te
index 2bcef88..2da02c5 100644
--- a/sepolicy/vendor/installd.te
+++ b/sepolicy/vendor/installd.te
@@ -1,4 +1,6 @@
-#allow installd firmware_file:filesystem quotaget;
-#allow installd fsg_file:filesystem quotaget;
-#allow installd persist_file:filesystem quotaget;
-
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;
+allow installd persist_file:filesystem quotaget;
+allow installd adb_data_file:dir search;
+allow installd adb_data_file:file { getattr open read };
+allow installd device:file write;
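Review bot: `allow init { domain -lmkd -crash_dump }:process noatsecure;` and `allow init shell_exec:file execute_no_trans;` in this hunk remove two of init's core protections: the first clears AT_SECURE for every process init starts, so the dynamic linker honours `LD_PRELOAD`/`LD_LIBRARY_PATH` from the service environment in all daemons, and the second runs shell scripts in init's own domain with init's full privilege instead of transitioning them. AOSP's `init.te` ships a neverallow against init executing files without a transition, so the second rule is likely to fail the neverallow check unless that rule was removed in this tree; scripts init runs should get their own exec label and domain via `init_daemon_domain`, as `mmi_boot` and `qti_init_shell` already do in this policy. `system_file:{dir file} relabelfrom` and the duplicate `hidl_base_hwservice:hwservice_manager { add }` (already granted on the context line above it) are smaller cleanups in the same hunk.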
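Review bot: `allow installd device:file write;` (last line of the installd hunk) grants write on a file carrying the generic `device` label, which is the label a `/dev` node falls back to when `file_contexts` has no entry for it; netd receives the same rule in a later hunk on this page. Rather than letting the package installer write an unknown device node, the node should be given its own type (`/dev/<node> u:object_r:<name>_device:s0`) and the rule rewritten against that type. `adb_data_file:dir search` plus `adb_data_file:file { getattr open read }` also lets installd read the adb key directory, which has no obvious connection to package installation and should at least carry a comment naming the denial it fixes.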
diff --git a/sepolicy/vendor/isdbt_app.te b/sepolicy/vendor/isdbt_app.te
new file mode 100644
index 0000000..eea89ac
--- /dev/null
+++ b/sepolicy/vendor/isdbt_app.te
@@ -0,0 +1,9 @@
+type isdbt_app, domain, mlstrustedsubject;
+
+app_domain(isdbt_app)
+binder_use(isdbt_app)
+
+allow isdbt_app isdbt_device:chr_file rw_file_perms;
+allow isdbt_app media_rw_data_file:dir { rw_dir_perms create getattr rmdir search };
+allow isdbt_app { accessibility_service activity_service appops_service connectivity_service content_service display_service graphicsstats_service input_method_service input_service location_service mount_service network_management_service radio_service registry_service surfaceflinger_service textservices_service uimode_service vibrator_service wifi_service audio_service audioserver_service media_router_service notification_service autofill_service mediametrics_service mediaserver_service media_session_service mediametrics_service batterystats_service power_service user_service }:service_manager find;
+allow isdbt_app telecom_service:service_manager find;
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index cd77e5e..0ea8b33 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -1,3 +1,4 @@
 allow kernel hw_block_device:blk_file rw_file_perms;
 allow kernel vfat:file open;
 allow kernel self:socket create;
+allow kernel unlabeled:file { open read };
diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te
new file mode 100644
index 0000000..7ad8ff5
--- /dev/null
+++ b/sepolicy/vendor/location.te
@@ -0,0 +1,2 @@
+allow location wcnss_prop:file { getattr open read };
+allow location sysfs:file read;
diff --git a/sepolicy/vendor/logd.te b/sepolicy/vendor/logd.te
new file mode 100644
index 0000000..2e9f1eb
--- /dev/null
+++ b/sepolicy/vendor/logd.te
@@ -0,0 +1 @@
+allow logd unlabeled:dir search;
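Review bot: `type isdbt_app, domain, mlstrustedsubject;` creates an app domain that is exempt from the MLS category constraints, so the ISDB-T app can reach other users' and other apps' category-labelled data, and `media_rw_data_file:dir { rw_dir_perms create getattr rmdir search }` gives it direct access to the raw storage backing store instead of the FUSE/sdcardfs view every other app goes through. Unless the app genuinely runs as a multi-user system component, `mlstrustedsubject` should be dropped and storage reached the way `app_domain` normally allows; the `seapp_contexts` entry that assigns this domain is created by this commit but not in view, so which APK receives it cannot be checked here. The long service list also names `mediametrics_service` twice, and a number of those finds are already granted to `appdomain` by the platform's app.te, so the list can probably be reduced to the services the macro does not cover.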
diff --git a/sepolicy/vendor/logpersist.te b/sepolicy/vendor/logpersist.te
new file mode 100644
index 0000000..84a9e93
--- /dev/null
+++ b/sepolicy/vendor/logpersist.te
@@ -0,0 +1,3 @@
+allow logpersist self:capability { dac_override dac_read_search };
+allow logpersist cache_file:dir { add_name open read search write };
+allow logpersist cache_file:file { append create getattr open };
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
index 5e3da85..f84782f 100644
--- a/sepolicy/vendor/mediacodec.te
+++ b/sepolicy/vendor/mediacodec.te
@@ -1 +1,3 @@
-#allow mediacodec firmware_file:file { open read };
+allow mediacodec firmware_file:file { open read };
+allow mediacodec unlabeled:dir search;
+allow mediacodec unlabeled:file { open read };
diff --git a/sepolicy/vendor/mediadrmserver.te b/sepolicy/vendor/mediadrmserver.te
index 4854e6f..296f1ee 100644
--- a/sepolicy/vendor/mediadrmserver.te
+++ b/sepolicy/vendor/mediadrmserver.te
@@ -1,2 +1,2 @@
-#allow mediadrmserver firmware_file:dir search;
-#allow mediadrmserver firmware_file:file r_file_perms;
+allow mediadrmserver firmware_file:dir search;
+allow mediadrmserver firmware_file:file r_file_perms;
diff --git a/sepolicy/vendor/mm-qcamerad.te b/sepolicy/vendor/mm-qcamerad.te
index 07866fe..f3dff9f 100644
--- a/sepolicy/vendor/mm-qcamerad.te
+++ b/sepolicy/vendor/mm-qcamerad.te
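Review bot: `allow logpersist self:capability { dac_override dac_read_search };` lets the log persister pass every DAC check on the filesystem for the sake of the `cache_file` directory the next two lines open for append/create. A `dac_override` denial on `cache_file` means that directory is not owned by the user logpersist runs as; the rc file should `mkdir`/`chown` it (or the policy should give the log directory its own type) rather than hand the daemon a capability that is not limited to one path. If the capability has to stay, a comment naming the directory (`# dac_override: <path from denial>`) keeps it removable later.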
@@ -1,27 +1,38 @@ -#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1"; -#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2"; +type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1"; +type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2"; +allow mm-qcamerad camera_socket:sock_file { create unlink write }; +allow mm-qcamerad sysfs_graphics:file r_file_perms; # binder_call(mm-qcamerad, servicemanager); # binder_use(mm-qcamerad); # binder_call(mm-qcamerad, binderservicedomain); # binder_call(mm-qcamerad, appdomain); # binder_call(mm-qcamerad, hal_sensors_default); -#set_prop(mm-qcamerad, camera_prop); +set_prop(mm-qcamerad, camera_prop); -#allow servicemanager mm-qcamerad:dir { search }; -#allow servicemanager mm-qcamerad:file { read open }; -#allow servicemanager mm-qcamerad:process { getattr }; +allow servicemanager mm-qcamerad:dir { search }; +allow servicemanager mm-qcamerad:file { read open }; +allow servicemanager mm-qcamerad:process { getattr }; # allow mm-qcamerad camera_data_file:sock_file { create unlink write }; # allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms; #allow mm-qcamerad sensorservice_service:service_manager find; -#allow mm-qcamerad vendor_camera_data_file:file rw_file_perms; +allow mm-qcamerad vendor_camera_data_file:file rw_file_perms; # allow mm-qcamerad permission_service:service_manager find; -#allow mm-qcamerad debug_prop:property_service set; +allow mm-qcamerad debug_prop:property_service set; -#allow mm-qcamerad init:unix_stream_socket { read write }; +allow mm-qcamerad init:unix_stream_socket { read write }; -#allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write }; +allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write }; -#allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find; -#allow mm-qcamerad hal_configstore_default:binder call; +allow 
mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find; +allow mm-qcamerad hal_configstore_default:binder call; + +allow mm-qcamerad binder_device:chr_file { ioctl open read write }; +allow mm-qcamerad camera_data_file:dir search; +allow mm-qcamerad sysfs:file { open read }; +allow mm-qcamerad vendor_data_file:dir read; +allow mm-qcamerad unlabeled:dir search; +allow mm-qcamerad unlabeled:file { open read }; +allow mm-qcamerad default_prop:property_service set; +allow mm-qcamerad mnt_vendor_file:file { getattr open read }; diff --git a/sepolicy/vendor/mmi_boot.te b/sepolicy/vendor/mmi_boot.te index 667ca9c..c7391a5 100644 --- a/sepolicy/vendor/mmi_boot.te +++ b/sepolicy/vendor/mmi_boot.te @@ -11,6 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms; allow mmi_boot vendor_toolbox_exec:file rx_file_perms; allow mmi_boot vendor_shell_exec:file entrypoint; -#allow mmi_boot sysfs_socinfo:file write; +allow mmi_boot sysfs_socinfo:file write; set_prop(mmi_boot, hw_rev_prop); diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te index 465ec2f..7d8885f 100644 --- a/sepolicy/vendor/netd.te +++ b/sepolicy/vendor/netd.te @@ -1,2 +1,3 @@ +#============= netd ============== +allow netd device:file write; allow netd untrusted_app_25:unix_stream_socket { read write }; - diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te index 91ee202..451e9f8 100644 --- a/sepolicy/vendor/netmgrd.te +++ b/sepolicy/vendor/netmgrd.te @@ -1,5 +1,6 @@ -#allow netmgrd toolbox_exec:file { getattr read open }; - -#allow netmgrd init:unix_stream_socket connectto; -#allow netmgrd property_socket:sock_file write; -#allow netmgrd system_file:file lock; +allow netmgrd toolbox_exec:file { getattr read open }; +allow netmgrd init:unix_stream_socket connectto; +allow netmgrd property_socket:sock_file write; +allow netmgrd system_file:file { execute lock }; +allow netmgrd default_prop:property_service set; +allow netmgrd sysfs:file read; 
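Review bot: `allow mm-qcamerad default_prop:property_service set;` near the end of the mm-qcamerad hunk (which starts on the previous page line) lets the camera daemon set any property that has no dedicated context, and `allow mm-qcamerad debug_prop:property_service set;` above it is similarly broad. The property it actually needs should get its own type in property_contexts, as this commit already does for `tee_listener_prop` and `wcnss_prop`, and be granted with `set_prop(mm-qcamerad, <that_prop>)`. The netmgrd hunk on this line adds the same `default_prop:property_service set` and the same fix applies there.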
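Review bot: `allow netd device:file write;` permits writes to any regular file carrying the generic `device` label under /dev, which normally indicates a node missing from file_contexts rather than something netd needs. Labelling the node the avc denial names and granting netd write on that type is the narrower fix. The `#============= netd ==============` banner is also an unusual style for this tree; the other .te files in the commit carry no such headers.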
diff --git a/sepolicy/vendor/nfc.te b/sepolicy/vendor/nfc.te index e69de29..f1b1c49 100644 --- a/sepolicy/vendor/nfc.te +++ b/sepolicy/vendor/nfc.te @@ -0,0 +1,2 @@ +allow nfc nfc_vendor_data_file:dir { add_name read search write }; +allow nfc nfc_vendor_data_file:file { create open read write }; diff --git a/sepolicy/vendor/per_mgr.te b/sepolicy/vendor/per_mgr.te index 14d3df8..2ce01f4 100644 --- a/sepolicy/vendor/per_mgr.te +++ b/sepolicy/vendor/per_mgr.te @@ -1 +1 @@ -#allow vendor_per_mgr self:capability net_raw; +allow vendor_per_mgr self:capability net_raw; diff --git a/sepolicy/vendor/perfd.te b/sepolicy/vendor/perfd.te index 925e01e..a26766b 100644 --- a/sepolicy/vendor/perfd.te +++ b/sepolicy/vendor/perfd.te @@ -16,13 +16,13 @@ r_dir_file(perfd, sysfs_type) # they are created with the default label "sysfs". For robustness, # allow perfd to write to "sysfs" to ensure it can optimally # tune the power/cpu settings. -#allow perfd sysfs:file write; -#allow perfd sysfs_msm_perf:file write; -#allow perfd sysfs_ssr:file write; +allow perfd sysfs:file write; +allow perfd sysfs_msm_perf:file write; +allow perfd sysfs_ssr:file write; allow perfd sysfs_devices_system_cpu:file write; -#allow perfd sysfs_power_management:file write; -#allow perfd sysfs_devfreq:file write; -#allow perfd sysfs_lib:file write; +allow perfd sysfs_power_management:file write; +allow perfd sysfs_devfreq:file write; +allow perfd sysfs_lib:file write; allow perfd proc_kernel_sched:file w_file_perms; allow perfd gpu_device:chr_file rw_file_perms; @@ -35,4 +35,4 @@ dontaudit perfd self:capability kill; allow perfd surfaceflinger:process signull; allow perfd hal_graphics_composer_default:process signull; -#get_prop(perfd, freq_prop); +get_prop(perfd, freq_prop); diff --git a/sepolicy/vendor/persist_file.te b/sepolicy/vendor/persist_file.te index df49968..a55225e 100644 --- a/sepolicy/vendor/persist_file.te +++ b/sepolicy/vendor/persist_file.te 
@@ -1 +1 @@ -#allow persist_file self:filesystem associate; +allow persist_file self:filesystem associate; diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te index 215dcb1..5dee295 100644 --- a/sepolicy/vendor/platform_app.te +++ b/sepolicy/vendor/platform_app.te @@ -1,7 +1,7 @@ -#get_prop(platform_app, camera_prop); binder_call(platform_app, hal_sensors_default); allow platform_app rootfs:dir getattr; allow platform_app init:unix_stream_socket { read write }; allow platform_app hal_sensors_default:unix_stream_socket { read write }; +allow platform_app vendor_file:file getattr; diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te index 07623cd..87a52e8 100644 --- a/sepolicy/vendor/priv_app.te +++ b/sepolicy/vendor/priv_app.te @@ -1,6 +1,9 @@ +allow priv_app adb_data_file:dir search; allow priv_app device:dir r_dir_perms; -#allow priv_app persist_file:filesystem getattr; -#allow priv_app proc_interrupts:file { open read getattr }; +allow priv_app persist_file:filesystem getattr; +allow priv_app proc_interrupts:file { open read getattr }; allow priv_app proc_modules:file { open read getattr }; get_prop(priv_app, adspd_prop); allow priv_app sysfs:dir open; +allow priv_app mnt_vendor_file:dir search; +allow priv_app sysfs:file { getattr open read }; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index 28b8025..859c0b3 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -5,7 +5,5 @@ type touch_prop, property_type; type diag_prop, property_type; type thermal_prop, property_type; type qti_telephony_prop, property_type; -type dirac_prop, property_type; -# Spectrum -type spectrum_prop, property_type; - +type tee_listener_prop, property_type; +type wcnss_prop, property_type; diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts index 3a1ed72..8ac06b7 100644 --- a/sepolicy/vendor/property_contexts +++ b/sepolicy/vendor/property_contexts 
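Review bot: `allow priv_app adb_data_file:dir search;` gives every privileged app a path into the directory holding the adb key store, and nothing in the hunk says which app needs it or why. A comment naming the package and the denial, or a narrower domain for that app if the tree has one, would make this reviewable; the `system_server adb_data_file:file { getattr open read }` rule added later in this commit deserves the same note. `allow priv_app proc_interrupts:file { open read getattr };` exposes per-IRQ counters to apps; AOSP has tightened app access to /proc in recent releases, so if this was carried forward from an older base it may no longer be needed.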
@@ -3,7 +3,4 @@ hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
 hw.motosh.booted u:object_r:motosh_prop:s0
 ro.boot.hardware.revision u:object_r:hw_rev_prop:s0
 hw.touch.status u:object_r:touch_prop:s0
-persist.audio.dirac. u:object_r:dirac_prop:s0
-# Spectrum
-persist.spectrum.profile u:object_r:spectrum_prop:s0
-
+sys.listeners.registered u:object_r:tee_listener_prop:s0
diff --git a/sepolicy/vendor/qseeproxy.te b/sepolicy/vendor/qseeproxy.te
index 280977c..c82211e 100644
--- a/sepolicy/vendor/qseeproxy.te
+++ b/sepolicy/vendor/qseeproxy.te
@@ -1,3 +1,7 @@
 # binder_call(qseeproxy, servicemanager);
-#allow qseeproxy self:process getattr;
+allow qseeproxy self:process getattr;
+allow qseeproxy default_android_service:service_manager { add };
 # allow qseeproxy qseeproxy_service_old:service_manager { add find };
+add_service(qseeproxy, qseeproxy_service);
+allow qseeproxy binder_device:chr_file { ioctl open read write };
+allow qseeproxy servicemanager:binder { call transfer };
diff --git a/sepolicy/vendor/qtelephony.te b/sepolicy/vendor/qtelephony.te
index 2dcc4dd..7e0cb06 100644
--- a/sepolicy/vendor/qtelephony.te
+++ b/sepolicy/vendor/qtelephony.te
@@ -1 +1 @@
-#allow qtelephony radio_service:service_manager find;
+allow qtelephony radio_service:service_manager find;
diff --git a/sepolicy/vendor/qti.te b/sepolicy/vendor/qti.te
index 48867db..4b99fc9 100644
--- a/sepolicy/vendor/qti.te
+++ b/sepolicy/vendor/qti.te
@@ -1,2 +1,3 @@
-#get_prop(qti, diag_prop)
-#allow qti diag_device:chr_file { read write };
+get_prop(qti, diag_prop)
+allow qti diag_device:chr_file { read write };
+allow qti sysfs:file read;
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
index 99bee39..a682c6e 100644
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
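Review bot: `allow qseeproxy default_android_service:service_manager { add };` looks redundant now that the same hunk adds `add_service(qseeproxy, qseeproxy_service);` and service_contexts later in this commit maps `com.qualcomm.qti.qseeproxy` to `qseeproxy_service`. Registration under the default service label only happens for names absent from service_contexts, so keeping the rule lets qseeproxy register arbitrary unlisted names. I would drop the `default_android_service` line and keep only the `add_service` macro.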
@@ -1,7 +1,9 @@ -#set_prop(qti_init_shell, hw_rev_prop); -#allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl }; +set_prop(qti_init_shell, hw_rev_prop); +allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl }; -#allow qti_init_shell kmsg_device:chr_file write; -#allow qti_init_shell sysfs_wcnsscore:file write; +allow qti_init_shell kmsg_device:chr_file write; +allow qti_init_shell sysfs_wcnsscore:file write; -#allow qti_init_shell kmsg_device:chr_file open; +allow qti_init_shell kmsg_device:chr_file open; +allow qti_init_shell self:capability dac_override; +allow qti_init_shell vendor_file:system module_load; diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te index 13cd2fa..1939b54 100644 --- a/sepolicy/vendor/radio.te +++ b/sepolicy/vendor/radio.te @@ -1,3 +1,4 @@ allow radio system_app_data_file:dir getattr; -#allow radio qmuxd_socket:sock_file write; -#allow radio vendor_file:file { getattr open read }; +allow radio qmuxd_socket:sock_file write; + +allow radio vendor_file:file { execute getattr open read }; diff --git a/sepolicy/vendor/rfs_access.te b/sepolicy/vendor/rfs_access.te index dde766c..351dafb 100644 --- a/sepolicy/vendor/rfs_access.te +++ b/sepolicy/vendor/rfs_access.te @@ -1,4 +1,4 @@ -#allow rfs_access self:capability net_raw; -#allow rfs_access persist_file:file { getattr open read rename setattr unlink write }; -#allow rfs_access vendor_tombstone_data_file:dir search; - +allow rfs_access persist_file:file { getattr open read rename setattr unlink write }; +allow rfs_access vendor_tombstone_data_file:dir search; +allow rfs_access self:capability { dac_override dac_read_search net_raw }; +allow rfs_access unlabeled:file { getattr setattr }; diff --git a/sepolicy/vendor/rfs_file.te b/sepolicy/vendor/rfs_file.te index e57e78f..fdcfab6 100644 --- a/sepolicy/vendor/rfs_file.te +++ b/sepolicy/vendor/rfs_file.te 
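Review bot: `allow radio vendor_file:file { execute getattr open read };` makes the system-side radio domain execute code from the vendor partition, the kind of cross-partition dependency Treble's coredomain/vendor_file separation exists to flag; as far as I recall the platform neverallows tolerate this only for a short list of domains, so a policy build should confirm it compiles. If a vendor library is genuinely required it should be a same-process HAL or carry a dedicated label rather than generic `vendor_file`. The `system_server vendor_file:file { execute getattr read }` rule later in this commit raises the same question.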
@@ -1 +1 @@ -#allow rfs_file persist_file:filesystem associate; +allow rfs_file persist_file:filesystem associate; diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te index e773757..0eeeda7 100644 --- a/sepolicy/vendor/rild.te +++ b/sepolicy/vendor/rild.te @@ -1,10 +1,26 @@ binder_call(rild, audioserver_service); binder_call(rild, system_server); set_prop(rild, diag_prop); +set_prop(rild, system_radio_prop) allow rild fsg_file:file { getattr open read }; allow rild fsg_file:dir { search open read }; allow rild fsg_file:lnk_file read; allow rild rild_exec:file execute_no_trans; - allow rild fwk_sensor_hwservice:hwservice_manager find; + +allow rild cutback_data_file:sock_file { create setattr unlink write }; +allow rild cutback_data_file:dir { add_name open read remove_name search write }; +allow rild unlabeled:dir { getattr search }; +allow rild vendor_file:file execute_no_trans; +allow rild proc:file { open read }; +allow rild unlabeled:file { getattr open read }; +allow rild unlabeled:dir { getattr open read }; +allow rild mnt_vendor_file:dir search; +allow rild vendor_toolbox_exec:file execute_no_trans; +allow rild mnt_vendor_file:file { open read write }; +allow rild unlabeled:lnk_file read; +allow rild qcom_ims_prop:property_service { set }; + +dontaudit rild tombstone_data_file:dir { search }; +dontaudit rild vendor_file:file { ioctl }; diff --git a/sepolicy/vendor/rmt_storage.te b/sepolicy/vendor/rmt_storage.te index 1abfcd0..cce1785 100644 --- a/sepolicy/vendor/rmt_storage.te +++ b/sepolicy/vendor/rmt_storage.te 
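Review bot: `set_prop(rild, system_radio_prop)` drops the trailing semicolon that `set_prop(rild, diag_prop);` on the line above carries; both forms work after m4 expansion, but the file should pick one. The two `unlabeled:dir` rules, `{ getattr search }` and `{ getattr open read }`, can be merged into one, and `allow rild qcom_ims_prop:property_service { set };` would conventionally be written as `set_prop(rild, qcom_ims_prop)`. The `unlabeled` and `mnt_vendor_file:file { open read write }` grants warrant a comment naming the path each one covers.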
@@ -1,24 +1,15 @@ -#allow rmt_storage { -# modem_efs_partition_device -#}:blk_file rw_file_perms; +allow rmt_storage sysfs_rmt_storage:file rw_file_perms; +allow rmt_storage sysfs_rmt_storage:dir { search open }; +allow rmt_storage sysfs_uio:file r_file_perms; +allow rmt_storage sysfs_uio:dir { read open search }; +allow rmt_storage sysfs_uio:lnk_file { read }; +allow rmt_storage debugfs_rmt_storage:dir search; +allow rmt_storage debugfs_rmt_storage:file w_file_perms; -#r_dir_file(rmt_storage fsg_file) -#r_dir_file(rmt_storage, persist_file) +allow rmt_storage fsg_file:file { open read }; +allow rmt_storage fsg_file:dir search; +allow rmt_storage fsg_file:lnk_file read; -#allow rmt_storage sysfs_rmt_storage:file rw_file_perms; -#allow rmt_storage sysfs_rmt_storage:dir { search open }; -#allow rmt_storage sysfs_uio:file r_file_perms; -#allow rmt_storage sysfs_uio:dir { read open search }; -#allow rmt_storage sysfs_uio:lnk_file { read }; - -#allow rmt_storage debugfs_rmt_storage:dir r_dir_perms; -#allow rmt_storage debugfs_rmt_storage:file rw_file_perms; - -#allow rmt_storage fsg_file:file { open read }; -#allow rmt_storage fsg_file:dir search; -#allow rmt_storage fsg_file:lnk_file read; - -#allow rmt_storage persist_file:dir r_dir_perms; - -#allow rmt_storage vendor_radio_prop:file { getattr open read }; -#allow rmt_storage vendor_file:dir search; +allow rmt_storage self:capability dac_override; +allow rmt_storage unlabeled:dir search; +allow rmt_storage unlabeled:file { open read }; \ No newline at end of file diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts new file mode 100644 index 0000000..8e8e2ff --- /dev/null +++ b/sepolicy/vendor/seapp_contexts @@ -0,0 +1,2 @@ +user=_app seinfo=platform name=com.motorola.dtv domain=isdbt_app type=app_data_file levelFrom=user +user=_app seinfo=platform name=com.motorola.dtvservice domain=isdbt_app type=app_data_file levelFrom=user 
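Review bot: rmt_storage.te is rewritten without a trailing newline (`\ No newline at end of file`), and system_server.te and toolbox.te later in this commit end the same way; a final newline keeps future diffs of these files clean and avoids the marker. On substance, `allow rmt_storage debugfs_rmt_storage:file w_file_perms;` narrows the previously commented `rw_file_perms`, which is a welcome tightening and worth a one-line comment so nobody "restores" the wider set.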
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..cb3a915
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
@@ -0,0 +1 @@
+allow sensors sysfs:file { read };
diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts
index c584563..aee0ac4 100644
--- a/sepolicy/vendor/service_contexts
+++ b/sepolicy/vendor/service_contexts
@@ -1,4 +1,4 @@
-com.qualcomm.qti.qseeproxy u:object_r:qseeproxy_service_old:s0
-vendor.qcom.PeripheralManager u:object_r:per_mgr_service_old:s0
-media.camera_bgproc u:object_r:camera_bgproc_service:s0
-
+com.qualcomm.qti.qseeproxy u:object_r:qseeproxy_service:s0
+vendor.qcom.PeripheralManager u:object_r:per_mgr_service_old:s0
+media.camera_bgproc u:object_r:camera_bgproc_service:s0
+com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0
diff --git a/sepolicy/vendor/servicemanager.te b/sepolicy/vendor/servicemanager.te
index ad0af27..286a1ac 100644
--- a/sepolicy/vendor/servicemanager.te
+++ b/sepolicy/vendor/servicemanager.te
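Review bot: `com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0` is a HIDL interface name paired with an hwservice type, which belongs in hwservice_contexts rather than service_contexts. The checkfc pass on service_contexts expects types carrying the service_manager_type attribute, so this entry is likely to fail the build or, if the check is lenient, never match a binder service. The diffstat shows hwservice_contexts also changes in this commit; if the entry is already there, this duplicate should go.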
@@ -1,45 +1,45 @@ allow servicemanager init:dir search; allow servicemanager init:file { open read }; allow servicemanager init:process getattr; -#allow servicemanager qseeproxy:dir search; -#allow servicemanager qseeproxy:file { open read }; +allow servicemanager qseeproxy:dir search; +allow servicemanager qseeproxy:file { open read }; allow servicemanager rild:dir search; allow servicemanager rild:file { open read }; allow servicemanager rild:process getattr; allow servicemanager hal_fingerprint_default:dir search; allow servicemanager hal_fingerprint_default:file read; -#allow servicemanager qseeproxy:process getattr; +allow servicemanager qseeproxy:process getattr; allow servicemanager hal_camera_default:dir search; -allow servicemanager hal_camera_default:file { open read }; +allow servicemanager hal_camera_default:file { open read r_file_perms }; allow servicemanager hal_camera_default:process getattr; allow servicemanager hal_fingerprint_default:file open; allow servicemanager hal_fingerprint_default:process getattr; -#allow servicemanager wcnss_service:dir search; -#allow servicemanager wcnss_service:file { open read }; +allow servicemanager wcnss_service:dir search; +allow servicemanager wcnss_service:file { open read }; -#allow servicemanager esepmdaemon:dir search; -#allow servicemanager esepmdaemon:file { open read }; -#allow servicemanager esepmdaemon:process getattr; +allow servicemanager esepmdaemon:dir search; +allow servicemanager esepmdaemon:file { open read }; +allow servicemanager esepmdaemon:process getattr; -#allow servicemanager vendor_per_mgr:dir search; -#allow servicemanager vendor_per_mgr:file { open read }; -#allow servicemanager vendor_per_mgr:process getattr; -#allow servicemanager wcnss_service:process getattr; +allow servicemanager vendor_per_mgr:dir search; +allow servicemanager vendor_per_mgr:file { open read }; +allow servicemanager vendor_per_mgr:process getattr; +allow servicemanager wcnss_service:process getattr; -#allow 
servicemanager hal_gnss_qti:dir search; -#allow servicemanager hal_gnss_qti:file { open read }; -#allow servicemanager hal_gnss_qti:process getattr; +allow servicemanager hal_gnss_qti:dir search; +allow servicemanager hal_gnss_qti:file { open read }; +allow servicemanager hal_gnss_qti:process getattr; allow servicemanager hal_sensors_default:dir search; allow servicemanager hal_sensors_default:file { open read }; allow servicemanager hal_sensors_default:process getattr; -#allow servicemanager sensors:dir search; -#allow servicemanager sensors:file { open read }; -#allow servicemanager sensors:process getattr; +allow servicemanager sensors:dir search; +allow servicemanager sensors:file { open read }; +allow servicemanager sensors:process getattr; diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te index 683f467..e70ccb2 100644 --- a/sepolicy/vendor/surfaceflinger.te +++ b/sepolicy/vendor/surfaceflinger.te @@ -1,6 +1,8 @@ get_prop(surfaceflinger, diag_prop); -#allow surfaceflinger perfd_data_file:sock_file write; -#allow surfaceflinger diag_device:chr_file { read write }; +allow surfaceflinger perfd_data_file:sock_file write; +allow surfaceflinger diag_device:chr_file { read write }; +allow surfaceflinger hal_perf_hwservice:hwservice_manager find; +allow surfaceflinger hal_perf_default:binder { call }; binder_call(surfaceflinger, hwservicemanager) diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 2d15003..a852af8 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te 
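Review bot: `allow servicemanager hal_camera_default:file { open read r_file_perms };` mixes the `r_file_perms` macro with individual permissions it already contains, so `open read` are redundant; `allow servicemanager hal_camera_default:file r_file_perms;` says the same thing. The hunk starts on the previous page line, and the rest of it only uncomments existing rules.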
@@ -1,23 +1,22 @@ allow system_app proc_touchpanel:dir search; allow system_app sysfs_vibrator:file rw_file_perms; -#allow system_app sysfs_vibrator:dir search; -#allow system_app sysfs_graphics:file rw_file_perms; -#allow system_app sysfs_graphics:dir search; +allow system_app sysfs_vibrator:dir search; +allow system_app sysfs_graphics:file rw_file_perms; +allow system_app sysfs_graphics:dir search; allow system_app proc_touchpanel:file rw_file_perms; allow system_app sysfs_fpc:file rw_file_perms; allow system_app fuse_device:filesystem getattr; -allow system_app spectrum_prop:property_service set; allow system_app init:unix_stream_socket { read write }; allow system_app sysfs_homebutton:file write; +allow system_app sysfs_screen_off_gestures:file write; +allow system_app sysfs_fpc_proximity:file { rw_file_perms }; get_prop(system_app, diag_prop); -#binder_call(system_app, qtitetherservice_service); +binder_call(system_app, qtitetherservice_service); binder_call(system_app, wificond); -get_prop(system_app, spectrum_prop); - allow system_app hidl_base_hwservice:hwservice_manager add; allow system_app sysfs_homebutton:dir search; allow system_app sysfs_homebutton:file { getattr open }; - +allow system_app hal_atfwd_hwservice:hwservice_manager add; diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index cc76694..0707131 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te 
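Review bot: `allow system_app hal_atfwd_hwservice:hwservice_manager add;` lets any system-signed app register itself as the atfwd HAL service, and together with the existing `hidl_base_hwservice:hwservice_manager add` it makes system_app a HAL server domain in all but name; as far as I recall AOSP restricts `hwservice_manager add` to HAL server domains via neverallow, so the build should be checked. If an app genuinely hosts this service, a dedicated domain with `hal_server_domain` would be the conventional shape. On style, `allow system_app sysfs_fpc_proximity:file { rw_file_perms };` does not need braces around a single macro.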
@@ -7,12 +7,18 @@ allow system_server sysfs_capsense:dir search; allow system_server sysfs_capsense:file rw_file_perms; allow system_server init:unix_stream_socket { read }; -#allow system_server qti_debugfs:file { getattr open read }; +allow system_server qti_debugfs:file { getattr open read }; allow system_server init:unix_stream_socket write; allow system_server sensors_device:chr_file { ioctl open read }; -#allow system_server vendor_file:file { getattr read }; - +allow system_server vendor_file:file { execute getattr read }; allow system_server sysfs:file getattr; allow system_server thermal_service:service_manager find; +allow system_server adb_data_file:dir { getattr open read search }; +allow system_server sysfs:file{ open read }; +allow system_server vendor_file:file open; +allow system_server adb_data_file:file { getattr open read }; +allow system_server dalvikcache_data_file:file { execute write }; + +allow system_server persist_camera_prop:file read; \ No newline at end of file diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te index 08c22a1..55a53b3 100644 --- a/sepolicy/vendor/tee.te +++ b/sepolicy/vendor/tee.te @@ -1 +1,8 @@ -#allow tee persist_file:file r_file_perms; +allow tee persist_file:file r_file_perms; + +set_prop(tee, tee_listener_prop) + +allow tee persist_file:dir r_dir_perms; +allow tee fingerprintd_data_file:dir create_dir_perms; +allow tee fingerprintd_data_file:file create_file_perms; +allow tee system_data_file:dir { r_dir_perms read }; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index 68fbd5b..69ec695 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te 
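Review bot: `allow system_server dalvikcache_data_file:file { execute write };` makes the dex cache both writable and executable from one domain, and writers of dalvikcache_data_file are tightly limited in AOSP (installd/dex2oat), so the denial that produced it should be checked before it is carried. `allow system_server persist_camera_prop:file read;` is an incomplete property read and would conventionally be `get_prop(system_server, persist_camera_prop)`. `allow system_server sysfs:file{ open read };` is missing the space before the brace. The hunk starts at line 7 of the file, so earlier rules are not visible here.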
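Review bot: `allow tee system_data_file:dir { r_dir_perms read };` lists `read` inside a set that `r_dir_perms` already includes; `allow tee system_data_file:dir r_dir_perms;` is equivalent. `set_prop(tee, tee_listener_prop)` has no trailing semicolon while the file's other rules end with one, the same inconsistency as in rild.te in this commit.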
@@ -1,8 +1,13 @@ -#get_prop(thermal-engine, diag_prop) -#allow thermal-engine socket_device:sock_file { create setattr }; -#allow thermal-engine sysfs_rmt_storage:dir search; -#allow thermal-engine sysfs_rmt_storage:file r_file_perms; -#allow thermal-engine sysfs_uio:file r_file_perms; -#allow thermal-engine sysfs_uio:dir { read open search }; -#allow thermal-engine sysfs_uio:lnk_file { read }; -#allow thermal-engine sysfs_vadc_dev:lnk_file { read open }; +get_prop(thermal-engine, diag_prop) +allow thermal-engine socket_device:sock_file { create setattr }; +allow thermal-engine sysfs_rmt_storage:dir search; +allow thermal-engine sysfs_rmt_storage:file r_file_perms; +allow thermal-engine sysfs_uio:file r_file_perms; +allow thermal-engine sysfs_uio:dir { read open search }; +allow thermal-engine sysfs_uio:lnk_file { read }; +allow thermal-engine sysfs_vadc_dev:lnk_file { read open }; + +allow thermal-engine self:capability { dac_override dac_read_search }; +allow thermal-engine sysfs_vadc_dev:dir search; +allow thermal-engine sysfs:file { read write getattr }; +allow thermal-engine sysfs:dir read; diff --git a/sepolicy/vendor/time_daemon.te b/sepolicy/vendor/time_daemon.te index 701d4d8..08b0650 100644 --- a/sepolicy/vendor/time_daemon.te +++ b/sepolicy/vendor/time_daemon.te @@ -1,3 +1,7 @@ -#get_prop(time_daemon, diag_prop); +get_prop(time_daemon, diag_prop); -#allow time_daemon persist_file:file { open read write }; +allow time_daemon persist_file:file { open read write }; + +allow time_daemon sysfs:file { open read }; + +allow time_daemon time_daemon:capability { dac_override dac_read_search }; diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te index 3369795..2371116 100644 --- a/sepolicy/vendor/toolbox.te +++ b/sepolicy/vendor/toolbox.te 
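Review bot: `allow thermal-engine sysfs:file { read write getattr };` grants write on every sysfs node carrying the generic label, the same concern the existing perfd comment in this commit acknowledges for nodes "created with the default label". The thermal nodes it writes are known paths and can be labelled in file_contexts or genfs_contexts, giving thermal-engine a narrow type instead. Failing that, a comment such as `# TODO: label the thermal sysfs nodes and drop generic sysfs write` would at least mark the debt.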
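Review bot: `allow time_daemon time_daemon:capability { dac_override dac_read_search };` names the domain explicitly where every other capability rule in this commit uses `self`; `allow time_daemon self:capability { dac_override dac_read_search };` is the conventional form and keeps a grep for capability grants consistent.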
@@ -4,4 +4,4 @@ set_prop(toolbox, touch_prop); allow toolbox init:fifo_file { write getattr read ioctl }; allow toolbox radio_data_file:file rw_file_perms; -#allow toolbox firmware_file:file getattr; +allow toolbox firmware_file:file getattr; \ No newline at end of file diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te index 9286066..f04bab5 100644 --- a/sepolicy/vendor/ueventd.te +++ b/sepolicy/vendor/ueventd.te @@ -2,4 +2,6 @@ allow ueventd sysfs_mmi_fp:file w_file_perms; allow ueventd synaptics_rmi_device:chr_file { rw_file_perms relabelfrom relabelto}; allow ueventd sysfs_fpc:file rw_file_perms; -#allow ueventd sysfs_sensors:file rw_file_perms; +allow ueventd sysfs_sensors:file rw_file_perms; +allow ueventd unlabeled:dir search; +allow ueventd unlabeled:file { getattr open read }; diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te index b07565e..a4e8564 100644 --- a/sepolicy/vendor/untrusted_app.te +++ b/sepolicy/vendor/untrusted_app.te @@ -1,7 +1,19 @@ #get_prop(untrusted_app, camera_prop); #get_prop(untrusted_app_25, camera_prop); -allow untrusted_app sysfs_zram:dir { search read }; -allow untrusted_app sysfs_zram:file { open read getattr }; +#allow untrusted_app sysfs_zram:dir { search read }; +#allow untrusted_app sysfs_zram:file { open read getattr }; #allow untrusted_app firmware_file:dir read; #allow untrusted_app fsg_file:dir read; + +allow untrusted_app proc_zoneinfo:file { getattr open read }; +allow untrusted_app proc_qtaguid_stat:file { getattr open read }; +allow untrusted_app hal_memtrack_hwservice:hwservice_manager find; +allow untrusted_app bluetooth_prop:file read; +allow untrusted_app debugfs_trace_marker:file getattr; +allow untrusted_app proc:file read; +allow untrusted_app proc_version:file read; +allow untrusted_app serialno_prop:file read; +allow untrusted_app sysfs_net:dir search; +allow untrusted_app hal_memtrack_default:binder call; +allow untrusted_app sysfs_switch:dir search; 
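Review bot: `allow untrusted_app serialno_prop:file read;` exposes the device serial number to every third-party app, which AOSP deliberately blocks (as far as I recall via a neverallow on all_untrusted_apps for this property type), so the line is likely to fail the policy build and should not be carried even if it does not. `allow untrusted_app proc:file read;` and `allow untrusted_app proc_version:file read;` are similarly broad, since generic `proc` covers every node without its own label. Denials of this kind usually come from an app probing the system and are better left denied, or `dontaudit`ed if the log noise matters, than granted.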
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..92bbbfd
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,26 @@
+allow vendor_init camera_data_file:dir { create setattr };
+allow vendor_init media_rw_data_file:file { getattr relabelfrom };
+allow vendor_init media_rw_data_file:dir setattr;
+allow vendor_init rootfs:dir { add_name write };
+allow vendor_init system_data_file:dir { add_name create setattr write };
+allow vendor_init time_data_file:dir setattr;
+allow vendor_init adsprpcd_file:lnk_file create;
+allow vendor_init firmware_file:lnk_file create;
+allow vendor_init tombstone_data_file:dir { add_name create search setattr write };
+allow vendor_init cutback_data_file:dir { create setattr };
+allow vendor_init dbvc_data_file:dir { create setattr };
+allow vendor_init moodle_data_file:dir { create setattr };
+allow vendor_init sds_data_file:dir { create setattr };
+allow vendor_init wapi_supplicant_data_file:dir { create setattr };
+allow vendor_init fingerprintd_data_file:dir { create setattr };
+allow vendor_init adspd_data_file:dir setattr;
+allow vendor_init usermodehelper:file write;
+allow vendor_init netmgr_data_file:dir { create setattr };
+allow vendor_init time_data_file:dir create;
+allow vendor_init adspd_data_file:dir create;
+
+allow vendor_init persist_camera_file:dir { setattr search };
+allow vendor_init persist_modem_file:dir setattr;
+allow vendor_init persist_audio_file:dir setattr;
+allow vendor_init pds_public_file:dir { setattr search };
+allow vendor_init unlabeled:file write;
diff --git a/sepolicy/vendor/vendor_per_mgr.te b/sepolicy/vendor/vendor_per_mgr.te
new file mode 100644
index 0000000..06da324
--- /dev/null
+++ b/sepolicy/vendor/vendor_per_mgr.te
@@ -0,0 +1,2 @@
+allow vendor_per_mgr unlabeled:dir search;
+allow vendor_per_mgr unlabeled:file { open read };
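Review bot: `allow vendor_init rootfs:dir { add_name write };` and `allow vendor_init usermodehelper:file write;` are unusually powerful for an init-script helper: the first creates entries in the root filesystem, the second writes the kernel's usermode-helper control files. Each rule in this new file is worth a comment naming the init.rc line (mkdir/chown/write target) that needs it, since nothing here says which .rc entries drive them, and `time_data_file:dir` and `adspd_data_file:dir` each appear in two rules that could be merged. `allow vendor_init unlabeled:file write;` belongs with the labelling fix raised on kernel.te.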
diff --git a/sepolicy/vendor/vendor_ssr_setup.te b/sepolicy/vendor/vendor_ssr_setup.te new file mode 100644 index 0000000..7f1768f --- /dev/null +++ b/sepolicy/vendor/vendor_ssr_setup.te @@ -0,0 +1 @@ +allow vendor_ssr_setup sysfs:file read; diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te index 2ac7cdb..c07c990 100644 --- a/sepolicy/vendor/vold.te +++ b/sepolicy/vendor/vold.te @@ -1,2 +1,4 @@ -#allow vold persist_file:dir { ioctl open read }; +allow vold persist_file:dir { ioctl open read }; allow vold metadata_block_device:blk_file { rw_file_perms }; + +get_prop(vold, tee_listener_prop) diff --git a/sepolicy/vendor/wcnss_filter.te b/sepolicy/vendor/wcnss_filter.te index 7ee98f9..8a28d81 100644 --- a/sepolicy/vendor/wcnss_filter.te +++ b/sepolicy/vendor/wcnss_filter.te @@ -1 +1,2 @@ -#get_prop(wcnss_filter, diag_prop); +type wcnss_filter, domain; +get_prop(wcnss_filter, diag_prop); diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te index 420b83f..c8542ce 100644 --- a/sepolicy/vendor/wcnss_service.te +++ b/sepolicy/vendor/wcnss_service.te @@ -1,8 +1,11 @@ # binder_call(wcnss_service, servicemanager); -#set_prop(wcnss_service, wifi_prop); -#get_prop(wcnss_service, diag_prop); +set_prop(wcnss_service, wifi_prop); +get_prop(wcnss_service, diag_prop); # allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open }; # allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open }; -#allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls; +allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls; # allow wcnss_service per_mgr_service_old:service_manager find; + +allow wcnss_service unlabeled:dir search; +allow wcnss_service unlabeled:file { open read }; diff --git a/sepolicy/vendor/webview_zygote.te b/sepolicy/vendor/webview_zygote.te new file mode 100644 index 0000000..1c9d479 --- /dev/null +++ b/sepolicy/vendor/webview_zygote.te 
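Review bot: `type wcnss_filter, domain;` declares the domain, but nothing in this hunk gives it an executable type or a transition, so no process will run in it unless those live in another file (the file_contexts and init changes in the diffstat may hold them). If this is a new daemon, the usual `type wcnss_filter_exec, exec_type, vendor_file_type, file_type;` plus `init_daemon_domain(wcnss_filter)` should sit here, or a comment should point at where they are.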
@@ -0,0 +1 @@
+allow webview_zygote theme_data_file:dir search;
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
index e7d14e1..c9c9bbe 100644
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@@ -1 +1,2 @@
 allow zygote self:capability sys_nice;
+allow zygote proc_cmdline:file { getattr open read };