sanders: start that treble disaster

sepolicy/vendor/adspd.te

@@ -0,0 +1,19 @@
+type adspd, domain;
+type adspd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(adspd)
+
+binder_use(adspd)
+binder_service(adspd)
+binder_call(adspd, system_server)
+
+allow adspd vendor_shell_exec:file entrypoint;
+
+allow adspd audio_device:chr_file { ioctl open read write };
+allow adspd audio_device:dir search;
+allow adspd input_device:chr_file { ioctl open read };
+allow adspd input_device:dir search;
+allow adspd sysfs_adsp:file write;
+# The below one is WRONG
+allow adspd sysfs:file write;
+
+set_prop(adspd, adspd_prop)

sepolicy/vendor/bootanim.te

@@ -0,0 +1,7 @@
+allow bootanim hwservicemanager:binder call;
+
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on wahoo since this functionality is not used.
+dontaudit bootanim system_data_file:dir read;

sepolicy/vendor/cameraserver.te

@@ -0,0 +1,58 @@
+binder_call(cameraserver, servicemanager);
+
+allow cameraserver nfc_data_file:dir search;
+allow cameraserver nfc_data_file:fifo_file write;
+allow cameraserver nfc_data_file:fifo_file open;
+
+allow cameraserver sensorservice_service:service_manager { find };
+allow cameraserver system_file:dir { read open };
+
+allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name rw_file_perms rmdir search };
+allow cameraserver sdcardfs:file { create open read write unlink getattr };
+allow cameraserver storage_file:dir search;
+
+allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
+allow cameraserver tmpfs:dir { read write open create_file_perms rw_file_perms search add_name create };
+allow cameraserver storage_file:dir r_dir_perms;
+allow cameraserver storage_file:lnk_file r_file_perms;
+allow cameraserver mnt_user_file:dir r_dir_perms;
+allow cameraserver mnt_user_file:lnk_file r_file_perms;
+allow cameraserver media_rw_data_file:dir { open read search write add_name };
+allow cameraserver media_rw_data_file:file { create read write open };
+
+allow cameraserver sysfs:file { open write };
+
+allow cameraserver cameraserver:process { execmem };
+
+####
+allow cameraserver debug_prop:file { r_file_perms };
+allow cameraserver debug_prop:property_service set;
+
+#######
+#allow cameraserver persist_file:file rw_file_perms;
+#allow cameraserver persist_file:file setattr;
+allow cameraserver shell_exec:file { read open execute };
+allow cameraserver self:socket create;
+allow cameraserver camera_prop:property_service set;
+allow cameraserver init:unix_stream_socket connectto;
+allow cameraserver sensors_persist_file:file { open read };
+allow cameraserver property_socket:sock_file write;
+#allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
+allow cameraserver shell_exec:file { execute getattr };
+allow cameraserver system_file:file execute;
+
+allow cameraserver debugfs:dir { read open };
+
+allow cameraserver nfc_data_file:file { open write };
+allow cameraserver socket_device:sock_file write;
+
+allow cameraserver hal_perf_default:binder call;
+
+allow cameraserver sysfs_battery_supply:dir search;
+allow cameraserver sysfs_battery_supply:file { getattr open read };
+
+allow cameraserver camera_bgproc_service:service_manager { add find };

sepolicy/vendor/charge_only.te

@@ -0,0 +1,17 @@
+type charge_only, domain;
+type charge_only_exec, exec_type, file_type;
+init_daemon_domain(charge_only)
+
+allow charge_only chargeonly_data_file:dir rw_dir_perms;
+allow charge_only chargeonly_data_file:file rw_file_perms;
+allow charge_only graphics_device:chr_file rw_file_perms;
+allow charge_only graphics_device:dir search;
+allow charge_only input_device:chr_file r_file_perms;
+allow charge_only input_device:dir search;
+allow charge_only self:capability { dac_override net_admin sys_tty_config sys_boot };
+allow charge_only self:netlink_kobject_uevent_socket { bind read setopt create };
+allow charge_only sysfs:dir { read open };
+allow charge_only sysfs:file { read open write };
+allow charge_only sysfs_wake_lock:file rw_file_perms;
+allow charge_only system_data_file:dir { write add_name };
+allow charge_only tty_device:chr_file rw_file_perms;

sepolicy/vendor/cnd.te

@@ -0,0 +1,2 @@
+allow cnd system_wpa_socket:sock_file { unlink };
+allow cnd diag_device:chr_file { read write };

sepolicy/vendor/device.te

@@ -0,0 +1,11 @@
+type adspd_device, dev_type;
+type amps_raw_device, dev_type;
+type compass_device, dev_type;
+type haptics_device, dev_type;
+type hob_device, dev_type;
+type hw_block_device, dev_type;
+type graphics_fb_device, dev_type;
+type synaptics_rmi_device, dev_type;
+type shwi_device, dev_type;
+type isdbt_device, dev_type;
+type utags_block_device, dev_type;

sepolicy/vendor/energyawareness.te

@@ -0,0 +1,2 @@
+allow energyawareness sysfs_uio:file r_file_perms;
+allow energyawareness sysfs_rmt_storage:file r_file_perms;

sepolicy/vendor/esepmdaemon.te

@@ -0,0 +1,2 @@
+binder_call(esepmdaemon, servicemanager);
+

sepolicy/vendor/file.te

@@ -0,0 +1,57 @@
+# ADSP
+type adspd_data_file, file_type, data_file_type;
+
+# charge_only_mode
+type chargeonly_data_file, file_type, data_file_type;
+
+# FSG
+type fsg_file, fs_type, contextmount_type;
+
+# Modem
+type persist_modem_file, file_type, data_file_type;
+
+type persist_omadm_file, file_type, data_file_type;
+type sds_data_file, file_type, data_file_type;
+type pds_public_file, file_type, data_file_type;
+type persist_camera_file, file_type, data_file_type;
+type persist_antcap_file, file_type, data_file_type;
+type pds_telephony_file, file_type, data_file_type;
+type pds_omadm_file, file_type, data_file_type;
+type persist_audio_file, file_type, data_file_type;
+
+type moodle_data_file, file_type, data_file_type;
+type cutback_data_file, file_type, data_file_type;
+
+type dbvc_data_file, file_type, data_file_type;
+
+type akmd_data_file, file_type, data_file_type;
+
+type wapi_supplicant_data_file, file_type, data_file_type;
+
+# RIL
+type netmgr_data_file, file_type, data_file_type;
+
+# sysfs
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_homebutton, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mmi_fp, fs_type, sysfs_type;
+
+type sysfs_capsense, fs_type, sysfs_type;
+type sysfs_batt, fs_type, sysfs_type;
+type sysfs_cnss, fs_type, sysfs_type;
+type sysfs_fpc, fs_type, sysfs_type;
+
+type fpc_socket, file_type;
+type fpc_data_file, file_type;
+
+type sysfs_wcnsscore, fs_type, sysfs_type;
+
+type nv_data_file, file_type;
+type sysfs_rmt_storage, fs_type, sysfs_type;
+type debugfs_rmt_storage, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type perfd_data_file, file_type, data_file_type;
+type proc_kernel_sched, fs_type;
+type sysfs_power_management, sysfs_type, fs_type;
+type proc_touchpanel, fs_type;
+

sepolicy/vendor/file_contexts

@@ -0,0 +1,131 @@
+# ADSP
+/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
+/data/adspd(/.*)?                                        u:object_r:adspd_data_file:s0
+
+# AMPS
+/dev/hidraw[0-9]*                                        u:object_r:amps_raw_device:s0
+
+# Binaries
+/system/vendor/bin/adspd                                        u:object_r:adspd_exec:s0
+/system/bin/charge_only_mode                             u:object_r:charge_only_exec:s0
+/system/vendor/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
+/system/vendor/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
+/system/vendor/bin/init\.qti\.fm\.sh		u:object_r:qti_init_shell_exec:s0
+
+# CMActions
+/sys/homebutton(/.*)?                                    u:object_r:sysfs_homebutton:s0
+
+# Motorola services
+/data/chargeonlymode(/.*)?                               u:object_r:chargeonly_data_file:s0
+
+# Fingerprint
+/data/.fps(/.*)?                                         u:object_r:fingerprintd_data_file:s0
+/data/fpc                                                u:object_r:fingerprintd_data_file:s0
+/data/fpc/socket                                         u:object_r:fpc_socket:s0
+
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)? u:object_r:sysfs_fpc:s0
+
+# Modem
+/persist/mdm(/.*)?                                       u:object_r:persist_modem_file:s0
+
+/persist/prop(/.*)?                                      u:object_r:persist_omadm_file:s0
+/persist/prov(/.*)?                                      u:object_r:persist_drm_file:s0
+/persist/omadm(/.*)?                                     u:object_r:persist_omadm_file:s0
+/persist/omadm_database(/.*)?                            u:object_r:persist_omadm_file:s0
+/persist/omadm_cust_database(/.*)?                       u:object_r:persist_omadm_file:s0
+/persist/public(/.*)?                                    u:object_r:pds_public_file:s0
+/persist/camera(/.*)?                                    u:object_r:persist_camera_file:s0
+/persist/captouch_(.*)?                                  u:object_r:persist_antcap_file:s0
+/persist/telephony(/.*)?                                 u:object_r:pds_telephony_file:s0
+/persist/public/telephony(/.*)?                          u:object_r:pds_telephony_file:s0
+/persist/public/omadm(/.*)?                              u:object_r:pds_omadm_file:s0
+/persist/factory/audio(/.*)?                             u:object_r:persist_audio_file:s0
+/persist/\.bt_nv\.bin                                    u:object_r:bluetooth_data_file:s0
+
+/data/wapi_certificate(/.*)?                             u:object_r:wapi_supplicant_data_file:s0
+
+/data/misc/akmd(/.*)?                                    u:object_r:akmd_data_file:s0
+
+/data/local/dbvc(/.*)?                                   u:object_r:dbvc_data_file:s0
+/data/local/moodle(/.*)?                                 u:object_r:moodle_data_file:s0
+/data/misc/cutback(/.*)?                                 u:object_r:cutback_data_file:s0
+
+/data/misc/sds(/.*)?                                     u:object_r:sds_data_file:s0
+
+/sys/class/capsense(/.*)?                                u:object_r:sysfs_capsense:s0
+/sys/module/qpnp_bms(/.*)?                               u:object_r:sysfs_batt:s0
+/sys/module/cnss_pci(/.*)?                               u:object_r:sysfs_cnss:s0
+
+/sys/devices/iio_sysfs_trigger(/.*)?                     u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_ms(/.*)?              u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_as(/.*)?              u:object_r:sysfs_sensors:s0
+
+/sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0
+
+/dev/rmi0                                                u:object_r:synaptics_rmi_device:s0
+/dev/sec                                                 u:object_r:shwi_device:s0
+/dev/kgsl                                                u:object_r:gpu_device:s0
+/dev/isdbt                                               u:object_r:isdbt_device:s0
+/dev/ttyHS3                                              u:object_r:adspd_device:s0
+/dev/akm8963                                             u:object_r:compass_device:s0
+/dev/drv2605                                             u:object_r:haptics_device:s0
+/dev/akm09912                                            u:object_r:compass_device:s0
+/dev/motcamera0                                          u:object_r:camera_device:s0
+/dev/akm8963_dev                                         u:object_r:compass_device:s0
+/dev/stml0xx_akm                                         u:object_r:compass_device:s0
+/dev/akm09912_dev                                        u:object_r:compass_device:s0
+/dev/mot_hob_ram                                         u:object_r:hob_device:s0
+/dev/smd3                                                u:object_r:hci_attach_dev:s0
+
+
+/dev/bcm2079x-i2c                                        u:object_r:nfc_device:s0
+
+/dev/fb_quickdraw                                        u:object_r:graphics_fb_device:s0
+
+# Partitions
+/dev/block/bootdevice/by-name/cache                      u:object_r:cache_block_device:s0
+/dev/block/bootdevice/by-name/frp                        u:object_r:frp_block_device:s0
+/dev/block/bootdevice/by-name/hw                         u:object_r:hw_block_device:s0
+/dev/block/bootdevice/by-name/metadata                   u:object_r:metadata_block_device:s0
+/dev/block/mmcblk0p35                                    u:object_r:metadata_block_device:s0
+/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
+/dev/block/bootdevice/by-name/utagsBackup                u:object_r:utags_block_device:s0
+/dev/block/bootdevice/by-name/utags                      u:object_r:utags_block_device:s0
+
+# RIL
+/data/misc/netmgr(/.*)?                                  u:object_r:netmgr_data_file:s0
+
+# Sensors
+/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
+/dev/motosh                                              u:object_r:sensors_device:s0
+/dev/motosh_as                                           u:object_r:sensors_device:s0
+/dev/motosh_ms                                           u:object_r:sensors_device:s0
+/dev/stm401.*                                            u:object_r:sensors_device:s0
+/dev/lis3dh                                              u:object_r:sensors_device:s0
+/dev/stml0xx                                             u:object_r:sensors_device:s0
+/dev/l3g4200d                                            u:object_r:sensors_device:s0
+/dev/stml0xx_ms                                          u:object_r:sensors_device:s0
+/dev/stml0xx_as                                          u:object_r:sensors_device:s0
+/data/misc/sensor(/.*)?                                  u:object_r:sensors_data_file:s0
+
+# WCNSS
+/sys/module/wcnsscore/parameters(/.*)?                   u:object_r:sysfs_wcnsscore:s0
+
+/data/misc/perfd(/.*)?                                          u:object_r:perfd_data_file:s0
+/data/system/perfd(/.*)?                                        u:object_r:perfd_data_file:s0
+/data/oemnvitems(/.*)?                                          u:object_r:nv_data_file:s0
+/data/vendor/time(/.*)?                                         u:object_r:time_data_file:s0
+
+/system/vendor/bin/perfd           u:object_r:perfd_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service-qti          u:object_r:hal_power_default_exec:s0
+/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
+
+/system/vendor/bin/qmi_motext_hook u:object_r:rild_exec:s0
+
+/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
+
+/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0
+
+# Fingerprint custom hal
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service_32 u:object_r:hal_fingerprint_default_exec:s0
+

sepolicy/vendor/fingerprintd.te

@@ -0,0 +1,12 @@
+allow fingerprintd firmware_file:dir search;
+allow fingerprintd firmware_file:file { getattr open read };
+allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
+allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
+allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
+allow fingerprintd sysfs_mmi_fp:dir { open read search };
+allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
+allow fingerprintd system_data_file:sock_file unlink;
+allow fingerprintd sysfs_fpc:dir r_dir_perms;
+allow fingerprintd sysfs_fpc:file rw_file_perms;
+allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd uhid_device:chr_file rw_file_perms;

sepolicy/vendor/firmware_file.te

@@ -0,0 +1,2 @@
+allow firmware_file rootfs:filesystem associate;
+

sepolicy/vendor/fsck.te

@@ -0,0 +1 @@
+# allow fsck block_device:blk_file { read write };

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,4 @@
+allow hal_camera_default gpu_device:dir r_dir_perms;
+allow hal_camera_default gpu_device:file r_file_perms;
+allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow hal_camera_default hal_configstore_default:binder call;

sepolicy/vendor/hal_drm_default.te

@@ -0,0 +1,2 @@
+allow hal_drm_default firmware_file:lnk_file read;
+allow hal_drm_default debug_prop:file read;

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,14 @@
+allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
+allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
+allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file { create unlink rw_file_perms };
+allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
+allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_leds:file r_file_perms;
+allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fpc_socket:sock_file unlink;

sepolicy/vendor/hal_gnss_qti.te

@@ -0,0 +1,19 @@
+binder_call(hal_gnss_qti, servicemanager);
+get_prop(hal_gnss_qti, diag_prop);
+allow hal_gnss_qti per_mgr_service_old:service_manager find;
+allow hal_gnss_qti debug_prop:file read;
+allow hal_gnss_qti property_socket:sock_file write;
+
+# Most HALs are not allowed to use network sockets. Qcom library
+# libqdi is used across multiple processes which are clients of
+# netmgrd including the GNSS HAL. libqdi first attempts to get the network
+# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
+# If that fails, it falls back to using libc's if_nameindex() which requires
+# a netlink route socket, which HALs may use. Due to the initial
+# attempt to use a UDP socket, we still see a selinux denial,
+# but it is safe to ignore.
+# TODO (b/37730994) Remove udp_socket requirement from
+# libqdi and have all its clients use netlink route
+# sockets.
+# Taken from device/google/wahoo
+dontaudit hal_gnss_qti self:udp_socket create;

sepolicy/vendor/hal_light_default.te

@@ -0,0 +1 @@
+allow hal_light_default sysfs:file { open read write };

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,2 @@
+allow hal_power_default sysfs:file rw_file_perms;
+

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,20 @@
+binder_call(hal_sensors_default, hwservicemanager)
+binder_call(hal_sensors_default, servicemanager)
+
+binder_call(hal_sensors_default, mm-qcamerad)
+binder_call(hal_sensors_default, system_server)
+
+binder_call(hal_sensors_default, system_app)
+binder_call(hal_sensors_default, priv_app)
+binder_call(hal_sensors_default, platform_app)
+
+allow hal_sensors_default self:capability { dac_override };
+allow hal_sensors_default sensors_device:chr_file { ioctl open read };
+allow hal_sensors_default sysfs:file { open read write };
+allow hal_sensors_default system_data_file:file { getattr open read };
+
+allow hal_sensors_default proc_net:file { getattr open read };
+allow hal_sensors_default sysfs_capsense:dir search;
+allow hal_sensors_default sysfs_capsense:file { open write };
+
+

sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1,9 @@
+#allow hwservicemanager init:binder call;
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
+
+binder_use(hwservicemanager);
+
+binder_call(hwservicemanager, hal_power_default);
+binder_call(hwservicemanager, hal_usb_default);

sepolicy/vendor/ims.te

@@ -0,0 +1,4 @@
+allow ims debug_prop:property_service set;
+get_prop(ims, debug_prop);
+allow ims self:capability net_raw;
+allow ims diag_device:chr_file { read write };

sepolicy/vendor/init.te

@@ -0,0 +1,55 @@
+# binder_call(init, mm-qcamerad);
+#binder_call(init, hwservicemanager);
+# binder_call(init, servicemanager);
+
+allow init hwservicemanager:binder call;
+allow init mm-qcamerad:binder transfer;
+allow init platform_app:binder transfer;
+
+allow init sysfs_devices_system_cpu:dir write;
+allow init sysfs_lowmemorykiller:dir write;
+allow init system_app:binder transfer;
+allow init system_data_file:file lock;
+
+allow init audio_device:chr_file { write ioctl };
+allow init input_device:chr_file rw_file_perms;
+allow init sensors_device:chr_file { write ioctl };
+allow init tee_device:chr_file { write ioctl };
+
+allow init servicemanager:binder { transfer call };
+allow init system_server:binder { transfer call };
+
+allow init property_socket:sock_file write;
+allow init socket_device:sock_file { create setattr unlink };
+
+allow init system_data_file:file { rename append };
+allow init firmware_file:dir mounton;
+
+allow init fm_radio_device:chr_file write;
+
+# ptt_socket_app
+allow init dnsproxyd_socket:sock_file write;
+allow init netd:unix_stream_socket connectto;
+allow init self:netlink_socket { read write getattr connect };
+
+allow init debugfs:file write;
+allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
+
+allow init self:capability sys_nice;
+
+allow init bt_firmware_file:filesystem { associate };
+allow init firmware_file:filesystem { associate };
+
+allow init sensors_device:chr_file { rw_file_perms create };
+
+allow init self:netlink_route_socket { bind create getopt nlmsg_read read setopt write };
+
+allow init self:capability2 { block_suspend };
+
+allow init hal_sensors_hwservice:hwservice_manager find;
+
+allow init { domain -lmkd -crash_dump }:process noatsecure;
+
+allow init hal_perf_hwservice:hwservice_manager find;
+allow init hidl_base_hwservice:hwservice_manager add;
+

sepolicy/vendor/init_wifi.te

@@ -0,0 +1,15 @@
+type init_wifi, domain;
+type init_wifi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init_wifi)
+
+binder_use(init_wifi)
+binder_service(init_wifi)
+binder_call(init_wifi, system_server)
+
+# shell scripts need to execute /system/bin/sh
+allow init_wifi vendor_shell_exec:file rx_file_perms;
+allow init_wifi vendor_toolbox_exec:file rx_file_perms;
+allow init_wifi vendor_shell_exec:file entrypoint;
+
+allow init_wifi sysfs_wcnsscore:file rw_file_perms;
+allow init_wifi sysfs_wcnsscore:dir rw_dir_perms;

sepolicy/vendor/installd.te

@@ -0,0 +1,3 @@
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;
+allow installd persist_file:filesystem quotaget;

sepolicy/vendor/kernel.te

@@ -0,0 +1,3 @@
+allow kernel hw_block_device:blk_file rw_file_perms;
+allow kernel vfat:file open;
+allow kernel self:socket create;

sepolicy/vendor/logd.te

@@ -0,0 +1 @@
+allow logd self:capability dac_override;

sepolicy/vendor/mediacodec.te

@@ -0,0 +1 @@
+allow mediacodec firmware_file:file { open read };

sepolicy/vendor/mediadrmserver.te

@@ -0,0 +1,2 @@
+allow mediadrmserver firmware_file:dir search;
+allow mediadrmserver firmware_file:file r_file_perms;

sepolicy/vendor/mediaextractor.te

@@ -0,0 +1,4 @@
+allow mediaextractor fuse:file r_file_perms;
+allow mediaextractor system_server:fifo_file { write append };
+allow mediaextractor sdcardfs:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;

sepolicy/vendor/mediaserver.te

@@ -0,0 +1,2 @@
+allow mediaserver persist_file:dir search;
+allow mediaserver persist_file:file { read getattr open };

sepolicy/vendor/mm-qcamerad.te

@@ -0,0 +1,28 @@
+binder_call(mm-qcamerad, servicemanager);
+binder_use(mm-qcamerad);
+binder_call(mm-qcamerad, binderservicedomain);
+binder_call(mm-qcamerad, appdomain);
+binder_call(mm-qcamerad, hal_sensors_default);
+set_prop(mm-qcamerad, camera_prop);
+
+allow servicemanager mm-qcamerad:dir { search };
+allow servicemanager mm-qcamerad:file { read open };
+allow servicemanager mm-qcamerad:process { getattr };
+
+allow mm-qcamerad camera_data_file:sock_file { create unlink write };
+allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
+allow mm-qcamerad sensorservice_service:service_manager find;
+allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
+allow mm-qcamerad permission_service:service_manager find;
+allow mm-qcamerad debug_prop:property_service set;
+allow mm-qcamerad persist_file:dir search;
+allow mm-qcamerad persist_file:file { read getattr open };
+allow mm-qcamerad system_data_file:dir read;
+
+allow mm-qcamerad init:unix_stream_socket { read write };
+allow mm-qcamerad sysfs_graphics:file { open read };
+
+allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
+
+allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow mm-qcamerad hal_configstore_default:binder call;

sepolicy/vendor/mmi_boot.te

@@ -0,0 +1,21 @@
+type mmi_boot, domain;
+type mmi_boot_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mmi_boot)
+
+binder_use(mmi_boot)
+binder_service(mmi_boot)
+binder_call(mmi_boot, system_server)
+
+# shell scripts need to execute /system/bin/sh
+allow mmi_boot vendor_shell_exec:file rx_file_perms;
+allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
+allow mmi_boot vendor_shell_exec:file entrypoint;
+
+allow mmi_boot radio_data_file:dir { add_name search write };
+allow mmi_boot radio_data_file:file { create setattr };
+allow mmi_boot radio_data_file:file rw_file_perms;
+allow mmi_boot self:capability chown;
+allow mmi_boot self:capability dac_override;
+allow mmi_boot sysfs_socinfo:file write;
+
+set_prop(mmi_boot, hw_rev_prop);

sepolicy/vendor/netd.te

@@ -0,0 +1,2 @@
+allow netd untrusted_app_25:unix_stream_socket { read write };
+

sepolicy/vendor/netmgrd.te

@@ -0,0 +1,8 @@
+allow netmgrd netmgr_data_file:dir { add_name search write };
+allow netmgrd netmgr_data_file:file create;
+allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd self:capability dac_override;
+allow netmgrd net_data_file:dir r_dir_perms;
+allow netmgrd netd_socket:sock_file write;
+allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
+r_dir_file(netmgrd, net_data_file)

sepolicy/vendor/per_mgr.te

@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;

sepolicy/vendor/perfd.te

@@ -0,0 +1,42 @@
+type perfd, domain;
+type perfd_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(perfd)
+
+allow perfd cgroup:file r_file_perms;
+
+allow perfd cameraserver:process signull;
+
+# files in /data/misc/perfd and /data/system/perfd
+allow perfd perfd_data_file:dir create_dir_perms;
+allow perfd perfd_data_file:{ file sock_file } create_file_perms;
+
+allow perfd proc_kernel_sched:file r_file_perms;
+
+# read access /sys
+r_dir_file(perfd, sysfs_type)
+# normally write is not granted to the default "sysfs" label.
+# In this case, perfd needs access to files in /sys that are
+# commonly created and destroyed. When the kernel creates them,
+# they are created with the default label "sysfs". For robustness,
+# allow perfd to write to "sysfs" to ensure it can optimally
+# tune the power/cpu settings.
+allow perfd sysfs:file write;
+allow perfd sysfs_msm_perf:file write;
+allow perfd sysfs_ssr:file write;
+allow perfd sysfs_devices_system_cpu:file write;
+allow perfd sysfs_power_management:file write;
+allow perfd sysfs_devfreq:file write;
+allow perfd sysfs_lib:file write;
+
+allow perfd proc_kernel_sched:file w_file_perms;
+allow perfd gpu_device:chr_file rw_file_perms;
+
+# perfd uses kill(pid, 0) to determine if a process exists.
+# Determining if a process exists does not require the kill capability
+# since a permission denied indicates the process exists.
+dontaudit perfd self:capability kill;
+
+allow perfd surfaceflinger:process signull;
+allow perfd hal_graphics_composer_default:process signull;
+
+get_prop(perfd, freq_prop);

sepolicy/vendor/peripheral_manager.te

@@ -0,0 +1,5 @@
+binder_call(per_mgr, servicemanager);
+allow per_mgr self:capability net_raw;
+allow per_mgr per_mgr_service_old:service_manager { add find };
+allow per_mgr servicemanager:binder { call transfer };
+

sepolicy/vendor/persist_file.te

@@ -0,0 +1 @@
+allow persist_file self:filesystem associate;

sepolicy/vendor/platform_app.te

@@ -0,0 +1,10 @@
+get_prop(platform_app, camera_prop);
+get_prop(platform_app, qemu_hw_mainkeys_prop);
+binder_call(platform_app, hal_sensors_default);
+
+allow platform_app rootfs:dir getattr;
+
+allow platform_app init:unix_stream_socket { read write };
+allow platform_app hal_sensors_default:unix_stream_socket { read write };
+
+allow platform_app qemu_hw_mainkeys_prop:file {getattr open read};

sepolicy/vendor/priv_app.te

@@ -0,0 +1,6 @@
+allow priv_app device:dir r_dir_perms;
+allow priv_app persist_file:filesystem getattr;
+allow priv_app proc_interrupts:file { open read getattr };
+allow priv_app proc_modules:file { open read getattr };
+get_prop(priv_app, adspd_prop);
+get_prop(priv_app, qemu_hw_mainkeys_prop);

sepolicy/vendor/property.te

@@ -0,0 +1,7 @@
+type adspd_prop, property_type;
+type motosh_prop, property_type;
+type hw_rev_prop, property_type;
+type touch_prop, property_type;
+type diag_prop, property_type;
+type thermal_prop, property_type;
+type qti_telephony_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,5 @@
+hw.aov.disable_hotword             u:object_r:adspd_prop:s0
+hw.aov.hotword_dsp_path            u:object_r:adspd_prop:s0
+hw.motosh.booted                   u:object_r:motosh_prop:s0
+ro.boot.hardware.revision          u:object_r:hw_rev_prop:s0
+hw.touch.status                    u:object_r:touch_prop:s0

sepolicy/vendor/qseeproxy.te

@@ -0,0 +1,3 @@
+binder_call(qseeproxy, servicemanager);
+allow qseeproxy self:process getattr;
+allow qseeproxy qseeproxy_service_old:service_manager { add find };

sepolicy/vendor/qtelephony.te

@@ -0,0 +1 @@
+allow qtelephony radio_service:service_manager find;

sepolicy/vendor/qti.te

@@ -0,0 +1,2 @@
+get_prop(qti, diag_prop)
+allow qti diag_device:chr_file { read write };

sepolicy/vendor/qti_init_shell.te

@@ -0,0 +1,9 @@
+set_prop(qti_init_shell, hw_rev_prop);
+allow qti_init_shell apk_data_file:dir { write add_name create };
+allow qti_init_shell apk_data_file:file { create write setattr };
+allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
+
+allow qti_init_shell kmsg_device:chr_file write;
+allow qti_init_shell sysfs_wcnsscore:file write;
+
+allow qti_init_shell kmsg_device:chr_file open;

sepolicy/vendor/radio.te

@@ -0,0 +1,2 @@
+allow radio system_app_data_file:dir getattr;
+allow radio qmuxd_socket:sock_file write;

sepolicy/vendor/rfs_access.te

@@ -0,0 +1,4 @@
+allow rfs_access self:capability net_raw;
+allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
+allow rfs_access vendor_tombstone_data_file:dir search;
+

sepolicy/vendor/rfs_file.te

@@ -0,0 +1 @@
+allow rfs_file persist_file:filesystem associate;

sepolicy/vendor/rild.te

@@ -0,0 +1,19 @@
+binder_call(rild, servicemanager);
+binder_call(rild, audioserver_service);
+binder_call(rild, system_server);
+allow rild per_mgr_service_old:service_manager find;
+set_prop(rild, diag_prop);
+allow rild nv_data_file:dir rw_dir_perms;
+allow rild nv_data_file:file create_file_perms;
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+allow rild fsg_file:file { getattr open read };
+allow rild fsg_file:dir { search open read };
+allow rild fsg_file:lnk_file read;
+
+allow rild cutback_data_file:dir rw_dir_perms;
+allow rild cutback_data_file:sock_file create_file_perms;
+
+allow rild rild_exec:file execute_no_trans;
+
+allow rild fwk_sensor_hwservice:hwservice_manager find;

sepolicy/vendor/rmt_storage.te

@@ -0,0 +1,12 @@
+allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
+allow rmt_storage sysfs_rmt_storage:dir { search open };
+allow rmt_storage sysfs_uio:file r_file_perms;
+allow rmt_storage sysfs_uio:dir { read open search };
+allow rmt_storage sysfs_uio:lnk_file { read };
+allow rmt_storage debugfs_rmt_storage:dir search;
+allow rmt_storage debugfs_rmt_storage:file w_file_perms;
+
+allow rmt_storage fsg_file:file { open read };
+allow rmt_storage self:capability dac_override;
+
+allow rmt_storage fsg_file:dir search;

sepolicy/vendor/service.te

@@ -0,0 +1,3 @@
+type qseeproxy_service_old,           service_manager_type;
+type per_mgr_service_old,             service_manager_type;
+type camera_bgproc_service,           service_manager_type;

sepolicy/vendor/service_contexts

@@ -0,0 +1,4 @@
+com.qualcomm.qti.qseeproxy                     u:object_r:qseeproxy_service_old:s0
+vendor.qcom.PeripheralManager                  u:object_r:per_mgr_service_old:s0
+media.camera_bgproc                            u:object_r:camera_bgproc_service:s0
+

sepolicy/vendor/servicemanager.te

@@ -0,0 +1,45 @@
+allow servicemanager init:dir search;
+allow servicemanager init:file { open read };
+allow servicemanager init:process getattr;
+allow servicemanager qseeproxy:dir search;
+allow servicemanager qseeproxy:file { open read };
+allow servicemanager rild:dir search;
+allow servicemanager rild:file { open read };
+allow servicemanager rild:process getattr;
+
+allow servicemanager hal_fingerprint_default:dir search;
+allow servicemanager hal_fingerprint_default:file read;
+allow servicemanager qseeproxy:process getattr;
+
+
+allow servicemanager hal_camera_default:dir search;
+allow servicemanager hal_camera_default:file { open read };
+allow servicemanager hal_camera_default:process getattr;
+
+allow servicemanager hal_fingerprint_default:file open;
+allow servicemanager hal_fingerprint_default:process getattr;
+
+allow servicemanager wcnss_service:dir search;
+allow servicemanager wcnss_service:file { open read };
+
+allow servicemanager esepmdaemon:dir search;
+allow servicemanager esepmdaemon:file { open read };
+allow servicemanager esepmdaemon:process getattr;
+
+allow servicemanager per_mgr:dir search;
+allow servicemanager per_mgr:file { open read };
+allow servicemanager per_mgr:process getattr;
+allow servicemanager wcnss_service:process getattr;
+
+allow servicemanager hal_gnss_qti:dir search;
+allow servicemanager hal_gnss_qti:file { open read };
+allow servicemanager hal_gnss_qti:process getattr;
+
+allow servicemanager hal_sensors_default:dir search;
+allow servicemanager hal_sensors_default:file { open read };
+allow servicemanager hal_sensors_default:process getattr;
+
+allow servicemanager sensors:dir search;
+allow servicemanager sensors:file { open read };
+allow servicemanager sensors:process getattr;
+

sepolicy/vendor/surfaceflinger.te

@@ -0,0 +1,8 @@
+get_prop(surfaceflinger, diag_prop);
+allow surfaceflinger perfd_data_file:sock_file write;
+allow surfaceflinger perfd_data_file:dir search;
+allow surfaceflinger perfd:unix_stream_socket connectto;
+allow surfaceflinger diag_device:chr_file { read write };
+
+binder_call(surfaceflinger, hwservicemanager)
+

sepolicy/vendor/system_app.te

@@ -0,0 +1,18 @@
+allow system_app proc_touchpanel:dir search;
+allow system_app sysfs_vibrator:file rw_file_perms;
+allow system_app sysfs_vibrator:dir search;
+allow system_app sysfs_graphics:file rw_file_perms;
+allow system_app sysfs_graphics:dir search;
+allow system_app proc_touchpanel:file rw_file_perms;
+allow system_app sysfs_fpc:file rw_file_perms;
+allow system_app fuse_device:filesystem getattr;
+allow system_app time_daemon:unix_stream_socket connectto;
+
+allow system_app init:unix_stream_socket { read write };
+allow system_app sysfs_homebutton:file write;
+
+get_prop(system_app, diag_prop);
+get_prop(system_app, qemu_hw_mainkeys_prop);
+binder_call(system_app, qtitetherservice_service);
+binder_call(system_app, wificond);
+

sepolicy/vendor/system_server.te

@@ -0,0 +1,20 @@
+binder_call(system_server, rild);
+
+allow system_server sysfs_homebutton:file rw_file_perms;
+allow system_server sysfs_homebutton:dir r_dir_perms;
+allow system_server persist_file:dir create_dir_perms;
+allow system_server persist_file:file create_file_perms;
+allow system_server rild:binder transfer;
+allow system_server sysfs_capsense:dir search;
+allow system_server sysfs_capsense:file rw_file_perms;
+allow system_server init:unix_stream_socket { read };
+# allow system_server dalvikcache_data_file:file { execute };
+
+allow system_server qti_debugfs:file { getattr open read };
+allow system_server init:unix_stream_socket write;
+
+allow system_server sensors_device:chr_file { ioctl open read };
+
+allow system_server vendor_file:file { getattr open read execute };
+
+get_prop(system_server, alarm_boot_prop)

sepolicy/vendor/tee.te

@@ -0,0 +1 @@
+allow tee persist_file:file r_file_perms;

sepolicy/vendor/thermal-engine.te

@@ -0,0 +1,9 @@
+get_prop(thermal-engine, diag_prop)
+allow thermal-engine socket_device:sock_file { create setattr };
+allow thermal-engine sysfs_rmt_storage:dir search;
+allow thermal-engine sysfs_rmt_storage:file r_file_perms;
+allow thermal-engine sysfs_uio:file r_file_perms;
+allow thermal-engine sysfs_uio:dir { read open search };
+allow thermal-engine sysfs_uio:lnk_file { read };
+allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
+allow thermal-engine sysfs_vadc_dev:dir rw_dir_perms;

sepolicy/vendor/time_daemon.te

@@ -0,0 +1,3 @@
+get_prop(time_daemon, diag_prop);
+
+allow time_daemon persist_file:file { open read write };

sepolicy/vendor/toolbox.te

@@ -0,0 +1,15 @@
+set_prop(toolbox, diag_prop);
+set_prop(toolbox, hw_rev_prop);
+set_prop(toolbox, touch_prop);
+get_prop(toolbox rmnet_mux_prop);
+allow toolbox init:fifo_file { write getattr };
+
+allow toolbox self:capability { chown dac_override };
+
+allow toolbox proc:file rw_file_perms;
+allow toolbox radio_data_file:file rw_file_perms;
+allow toolbox firmware_file:file getattr;
+allow toolbox init:fifo_file ioctl;
+allow toolbox sysfs:dir rw_dir_perms;
+allow toolbox sysfs:file rw_file_perms;
+allow toolbox init:fifo_file read;

sepolicy/vendor/ueventd.te

@@ -0,0 +1,5 @@
+allow ueventd sysfs_mmi_fp:file w_file_perms;
+
+allow ueventd synaptics_rmi_device:chr_file { rw_file_perms relabelfrom relabelto};
+allow ueventd sysfs_fpc:file rw_file_perms;
+allow ueventd sysfs_sensors:file rw_file_perms;

sepolicy/vendor/untrusted_app.te

@@ -0,0 +1,12 @@
+get_prop(untrusted_app, camera_prop);
+get_prop(untrusted_app_25, camera_prop);
+allow untrusted_app sysfs_zram:dir { search read };
+allow untrusted_app sysfs_zram:file { open read getattr };
+
+get_prop(untrusted_app, net_dns_prop);
+
+allow untrusted_app firmware_file:dir read;
+allow untrusted_app fsg_file:dir read;
+allow untrusted_app net_dns_prop:file read;
+allow untrusted_app persist_file:dir getattr;
+allow untrusted_app persist_file:filesystem getattr;

sepolicy/vendor/untrusted_app_25.te

@@ -0,0 +1,10 @@
+#allow untrusted_app_25 hal_memtrack_hwservice:hwservice_manager find;
+#allow untrusted_app_25 proc:file read;
+#allow untrusted_app_25 qti_debugfs:file read;
+
+allow untrusted_app_25 init:unix_stream_socket { read write };
+
+allow untrusted_app_25 proc_stat:file read;
+allow untrusted_app_25 qemu_hw_mainkeys_prop:file read;
+allow untrusted_app_25 self:udp_socket ioctl;
+allow untrusted_app_25 vold_exec:file read;

sepolicy/vendor/vold.te

@@ -0,0 +1,2 @@
+allow vold persist_file:dir { ioctl open read };
+allow vold metadata_block_device:blk_file { rw_file_perms };

sepolicy/vendor/wcnss_filter.te

@@ -0,0 +1 @@
+get_prop(wcnss_filter, diag_prop);

sepolicy/vendor/wcnss_service.te

@@ -0,0 +1,8 @@
+binder_call(wcnss_service, servicemanager);
+set_prop(wcnss_service, wifi_prop);
+get_prop(wcnss_service, diag_prop);
+allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
+allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
+allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
+
+allow wcnss_service per_mgr_service_old:service_manager find;

sepolicy/vendor/zygote.te

@@ -0,0 +1 @@
+allow zygote self:capability sys_nice;