Initial Commit4

sepolicy/adspd.te

@@ -0,0 +1,13 @@
+type adspd, domain, domain_deprecated;
+type adspd_exec, exec_type, file_type;
+init_daemon_domain(adspd)
+
+allow adspd audio_device:chr_file { ioctl open read write };
+allow adspd audio_device:dir search;
+allow adspd input_device:chr_file { ioctl open read };
+allow adspd input_device:dir search;
+allow adspd sysfs_adsp:file write;
+# The below one is WRONG
+allow adspd sysfs:file write;
+
+set_prop(adspd, adspd_prop)

sepolicy/cameraserver.te

@@ -0,0 +1,2 @@
+# Shouldn't do this here
+allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };

sepolicy/device.te

@@ -0,0 +1 @@
+type laser_device, dev_type;

sepolicy/file.te

@@ -0,0 +1,12 @@
+# FSG
+type fsg_file, fs_type, contextmount_type;
+
+# RIL
+type netmgr_data_file, file_type, data_file_type;
+
+# sysfs
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_homebutton, fs_type, sysfs_type;
+type sysfs_mmi_fp, fs_type, sysfs_type;
+type sysfs_mmi_laser, fs_type, sysfs_type;
+type sysfs_mmi_touch, fs_type, sysfs_type;

sepolicy/file_contexts

@@ -0,0 +1,39 @@
+# ADSP
+/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
+
+# Binaries
+/system/bin/adspd                                        u:object_r:adspd_exec:s0
+/system/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
+/system/bin/init\.mmi\.laser\.sh                         u:object_r:mmi_laser_exec:s0
+/system/bin/init\.mmi\.touch\.sh                         u:object_r:mmi_touch_sh_exec:s0
+/system/bin/motosh                                       u:object_r:sensor_hub_exec:s0
+
+# Camera
+/sys/kernel/range/offset                                 u:object_r:sysfs_mmi_laser:s0
+
+# CMActions
+/sys/homebutton/enable                                   u:object_r:sysfs_homebutton:s0
+
+# Fingerprint
+/data/.fps(/.*)?                                         u:object_r:fingerprintd_data_file:s0
+/data/fpc                                                u:object_r:fingerprintd_data_file:s0
+/sys/devices/soc/7af8000\.spi/spi_master/spi8/spi8\.0(/.*)?  u:object_r:sysfs_mmi_fp:s0
+
+# mmi_touch related /sys files
+/sys/devices/soc/78b7000\.i2c/i2c-3/3-0020(/.*)?         u:object_r:sysfs_mmi_touch:s0
+
+# Partitions
+/dev/block/bootdevice/by-name/cache                      u:object_r:cache_block_device:s0
+/dev/block/bootdevice/by-name/frp                        u:object_r:frp_block_device:s0
+/dev/block/bootdevice/by-name/metadata                   u:object_r:metadata_block_device:s0
+/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
+
+# RIL
+/data/misc/netmgr(/.*)?                                  u:object_r:netmgr_data_file:s0
+
+# Sensors
+/dev/laser                                               u:object_r:laser_device:s0
+/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
+/dev/motosh                                              u:object_r:sensors_device:s0
+/dev/motosh_as                                           u:object_r:sensors_device:s0
+/dev/motosh_ms                                           u:object_r:sensors_device:s0

sepolicy/fingerprintd.te

@@ -0,0 +1,9 @@
+allow fingerprintd firmware_file:dir search;
+allow fingerprintd firmware_file:file { getattr open read };
+allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
+allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
+allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
+allow fingerprintd sysfs_mmi_fp:dir { open read search };
+allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
+allow fingerprintd system_data_file:sock_file unlink;
+allow fingerprintd tee_device:chr_file { ioctl open read write };

sepolicy/init.te

@@ -0,0 +1,21 @@
+allow init audio_device:chr_file { write ioctl };
+allow init input_device:chr_file ioctl;
+allow init sensors_device:chr_file { write ioctl };
+allow init tee_device:chr_file { write ioctl };
+
+allow init servicemanager:binder { transfer call };
+allow init system_server:binder call;
+
+allow init property_socket:sock_file write;
+allow init socket_device:sock_file { create setattr unlink };
+
+allow init system_data_file:file { rename append };
+allow init firmware_file:dir mounton;
+
+# ptt_socket_app
+allow init dnsproxyd_socket:sock_file write;
+allow init netd:unix_stream_socket connectto;
+allow init self:netlink_socket { read write getattr connect };
+
+allow init debugfs:file write;
+allow init persist_file:filesystem { getattr mount relabelfrom relabelto };

sepolicy/mediacodec.te

@@ -0,0 +1 @@
+allow mediacodec firmware_file:file { open read };

sepolicy/mediadrmserver.te

@@ -0,0 +1,2 @@
+allow mediadrmserver firmware_file:dir search;
+allow mediadrmserver firmware_file:file r_file_perms;

sepolicy/mediaserver.te

@@ -0,0 +1,2 @@
+allow mediaserver persist_file:dir search;
+allow mediaserver persist_file:file { read getattr open };

sepolicy/mm-qcamerad.te

@@ -0,0 +1,4 @@
+allow mm-qcamerad laser_device:chr_file { read write ioctl open };
+allow mm-qcamerad persist_file:dir search;
+allow mm-qcamerad persist_file:file { read getattr open };
+allow mm-qcamerad system_data_file:dir read;

sepolicy/mmi_boot.te

@@ -0,0 +1,16 @@
+type mmi_boot, domain, domain_deprecated;
+type mmi_boot_exec, exec_type, file_type;
+init_daemon_domain(mmi_boot)
+
+# shell scripts need to execute /system/bin/sh
+allow mmi_boot shell_exec:file rx_file_perms;
+allow mmi_boot toolbox_exec:file rx_file_perms;
+
+allow mmi_boot radio_data_file:dir { add_name search write };
+allow mmi_boot radio_data_file:file { create setattr };
+allow mmi_boot radio_data_file:file rw_file_perms;
+allow mmi_boot self:capability chown;
+allow mmi_boot self:capability dac_override;
+allow mmi_boot sysfs_socinfo:file write;
+
+set_prop(mmi_boot, hw_rev_prop);

sepolicy/mmi_laser.te

@@ -0,0 +1,15 @@
+type mmi_laser, domain, domain_deprecated;
+type mmi_laser_exec, exec_type, file_type;
+init_daemon_domain(mmi_laser)
+
+# shell scripts need to execute /system/bin/sh
+allow mmi_laser shell_exec:file rx_file_perms;
+allow mmi_laser toolbox_exec:file rx_file_perms;
+
+# Logs to /dev/kmsg
+allow mmi_laser kmsg_device:chr_file w_file_perms;
+
+allow mmi_laser persist_file:dir search;
+allow mmi_laser persist_file:file r_file_perms;
+allow mmi_laser self:capability dac_override;
+allow mmi_laser sysfs_mmi_laser:file rw_file_perms;

sepolicy/mmi_touch_te.te

@@ -0,0 +1,27 @@
+type mmi_touch_sh, domain;
+type mmi_touch_sh_exec, exec_type, file_type;
+init_daemon_domain(mmi_touch_sh)
+
+# shell scripts need to execute /system/bin/sh
+allow mmi_touch_sh shell_exec:file rx_file_perms;
+allow mmi_touch_sh toolbox_exec:file rx_file_perms;
+
+# Logs to /dev/kmsg
+allow mmi_touch_sh kmsg_device:chr_file w_file_perms;
+
+# Write to /sys/path/to/firmware/forcereflash
+# Read from /sys/path/to/firmware/poweron (and others)
+allow mmi_touch_sh sysfs_mmi_touch:file rw_file_perms;
+allow mmi_touch_sh sysfs_mmi_touch:file setattr;
+allow mmi_touch_sh sysfs_mmi_touch:dir search;
+allow mmi_touch_sh system_file:dir r_file_perms;
+allow mmi_touch_sh self:capability chown;
+
+# WRONG
+allow mmi_touch_sh sysfs:dir r_dir_perms;
+allow mmi_touch_sh sysfs:file rw_file_perms;
+allow mmi_touch_sh sysfs:file setattr;
+allow mmi_touch_sh sysfs:lnk_file getattr;
+
+set_prop(mmi_touch_sh, touch_prop);
+set_prop(mmi_touch_sh, hw_rev_prop);

sepolicy/netmgrd.te

@@ -0,0 +1,4 @@
+allow netmgrd netmgr_data_file:dir { add_name search write };
+allow netmgrd netmgr_data_file:file create;
+allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd self:capability dac_override;

sepolicy/per_mgr.te

@@ -0,0 +1 @@
+allow per_mgr self:capability net_raw;

sepolicy/persist_file.te

@@ -0,0 +1 @@
+allow persist_file self:filesystem associate;

sepolicy/priv_app.te

@@ -0,0 +1 @@
+allow priv_app device:dir r_dir_perms;

sepolicy/property.te

@@ -0,0 +1,4 @@
+type adspd_prop, property_type;
+type motosh_prop, property_type;
+type hw_rev_prop, property_type;
+type touch_prop, property_type;

sepolicy/property_contexts

@@ -0,0 +1,5 @@
+hw.aov.disable_hotword  u:object_r:adspd_prop:s0
+hw.aov.hotword_dsp_path u:object_r:adspd_prop:s0
+hw.motosh.booted        u:object_r:motosh_prop:s0
+ro.hw.revision          u:object_r:hw_rev_prop:s0
+hw.touch.status         u:object_r:touch_prop:s0

sepolicy/rfs_access.te

@@ -0,0 +1 @@
+allow rfs_access self:capability net_raw;

sepolicy/rild.te

@@ -0,0 +1,2 @@
+allow rild persist_file:dir search;
+allow rild persist_file:file rw_file_perms;

sepolicy/rmt_storage.te

@@ -0,0 +1,3 @@
+allow rmt_storage fsg_file:dir search;
+allow rmt_storage fsg_file:file { read open };
+allow rmt_storage self:capability dac_override;

sepolicy/sensor_hub.te

@@ -0,0 +1,6 @@
+type sensor_hub, domain, domain_deprecated;
+type sensor_hub_exec, exec_type, file_type;
+init_daemon_domain(sensor_hub)
+
+allow sensor_hub sensors_device:chr_file rw_file_perms;
+set_prop(sensor_hub, motosh_prop)

sepolicy/system_app.te

@@ -0,0 +1 @@
+allow system_app sysfs_homebutton:file rw_file_perms;

sepolicy/system_server.te

@@ -0,0 +1,2 @@
+allow system_server persist_file:dir rw_dir_perms;
+allow system_server persist_file:file rw_file_perms;

sepolicy/time_daemon.te

@@ -0,0 +1 @@
+allow time_daemon persist_file:file rw_file_perms;

sepolicy/ueventd.te

@@ -0,0 +1,4 @@
+allow ueventd device:chr_file { relabelfrom relabelto };
+allow ueventd sysfs_mmi_fp:file w_file_perms;
+allow ueventd sysfs_mmi_touch:file w_file_perms;
+allow ueventd sysfs_mmi_touch:dir search;

sepolicy/wcnss_service.te

@@ -0,0 +1 @@
+allow wcnss_service self:capability { setgid setuid };