sm8250-common: Re:Start sepolicy
* Drop all old rules, but keep tri-state-key. * Also introduce dashd/wlchgd domain as they are needed for seclabels. Change-Id: I0a7121f51d106d927866aead746a49b3dea6a149
@@ -1,2 +0,0 @@
|
||||
# Allow appdomain to get vendor_camera_prop
|
||||
get_prop(appdomain, vendor_camera_prop)
|
||||
@@ -1,3 +0,0 @@
|
||||
attribute hal_display;
|
||||
attribute hal_display_client;
|
||||
attribute hal_display_server;
|
||||
@@ -1,21 +0,0 @@
|
||||
# rootfs
|
||||
type op1_file, file_type;
|
||||
type op2_file, file_type;
|
||||
|
||||
# proc
|
||||
type proc_touchpanel, fs_type, proc_type;
|
||||
type procfs_oem_wireless, fs_type, proc_type;
|
||||
|
||||
# sysfs
|
||||
type sysfs_battery_supply, sysfs_type, fs_type;
|
||||
type sysfs_fod, sysfs_type, fs_type;
|
||||
type sysfs_fpc_proximity, sysfs_type, fs_type;
|
||||
type sysfs_graphics, sysfs_type, fs_type;
|
||||
type sysfs_oem, sysfs_type, fs_type;
|
||||
type sysfs_ssr, sysfs_type, fs_type;
|
||||
type sysfs_ssr_toggle, sysfs_type, fs_type;
|
||||
type sysfs_usb_supply, sysfs_type, fs_type;
|
||||
|
||||
# data
|
||||
type display_misc_file, file_type, data_file_type, core_data_file_type;
|
||||
type vendor_qmipriod_data_file, file_type, data_file_type;
|
||||
@@ -1,28 +1,2 @@
|
||||
# Devices
|
||||
/dev/smcinvoke u:object_r:tee_device:s0
|
||||
|
||||
# Data files
|
||||
/data/misc/display(/.*)? u:object_r:display_misc_file:s0
|
||||
|
||||
# Files in rootfs
|
||||
/op1(/.*)? u:object_r:op1_file:s0
|
||||
/op2(/.*)? u:object_r:op2_file:s0
|
||||
|
||||
# Files in sysfs
|
||||
/sys/devices/platform/soc/soc:goodix_fp/proximity_state u:object_r:sysfs_fpc_proximity:s0
|
||||
|
||||
# HALs
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.power-service u:object_r:hal_power_default_exec:s0
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/vendor\.qti\.hardware\.vibrator\.service u:object_r:hal_vibrator_default_exec:s0
|
||||
/system/bin/hw/lineage\.biometrics\.fingerprint\.inscreen@1.0-service\.oneplus_kona u:object_r:hal_fod_kona_exec:s0
|
||||
/system/bin/hw/lineage\.livedisplay@2\.0-service\.oneplus_kona u:object_r:hal_livedisplay_kona_exec:s0
|
||||
/system/bin/hw/lineage\.powershare@1\.0-service\.oneplus_kona u:object_r:hal_powershare_kona_exec:s0
|
||||
/system/bin/hw/lineage\.touch@1\.0-service\.oneplus_kona u:object_r:hal_touch_kona_exec:s0
|
||||
|
||||
# tri-state-key
|
||||
/system/bin/tri-state-key_daemon u:object_r:tri-state-key_daemon_exec:s0
|
||||
|
||||
# Vendor overlay
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/etc(/.*)? u:object_r:vendor_configs_file:s0
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
|
||||
/(product|system/product)/vendor_overlay/[0-9]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
|
||||
|
||||
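Review bot: This hunk keeps only two of the file's 28 lines, so every other path listed here now takes whatever label another policy layer assigns. The page does not mark which two survive; going by the commit message they are presumably the `# tri-state-key` comment and the `/system/bin/tri-state-key_daemon` entry. That matters most for `/dev/smcinvoke`: if no other file_contexts maps it to `tee_device`, the node falls back to the generic device label, and the resulting denials tend to get fixed later with an over-broad allow. I would check the node's label with `ls -Z` on a booted build and, if it is no longer `tee_device`, keep the single line `/dev/smcinvoke u:object_r:tee_device:s0` in this file.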
@@ -1,52 +0,0 @@
|
||||
# Display
|
||||
genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/DCI_P3 u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/dim_alpha u:object_r:sysfs_fod:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/hbm u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_loading_effect_mode u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_p3_mode u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_srgb_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_wide_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/night_mode u:object_r:sysfs_livedisplay_tuneable:s0
|
||||
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/op_friginer_print_hbm u:object_r:sysfs_fod:s0
|
||||
|
||||
# Power supply
|
||||
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
|
||||
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
|
||||
|
||||
# SSR
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
|
||||
genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/name u:object_r:sysfs_ssr:s0
|
||||
genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/restart_level u:object_r:sysfs_ssr_toggle:s0
|
||||
@@ -1 +0,0 @@
|
||||
type hal_display_default, domain;
|
||||
@@ -1,23 +0,0 @@
|
||||
type hal_fod_kona, coredomain, domain;
|
||||
hal_server_domain(hal_fod_kona, hal_lineage_fod)
|
||||
|
||||
type hal_fod_kona_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_fod_kona)
|
||||
|
||||
# Allow access to the HALs
|
||||
hal_client_domain(hal_fod_kona, hal_fingerprint)
|
||||
|
||||
# Allow binder communication with hal_display_default
|
||||
binder_call(hal_fod_kona, hal_display_default)
|
||||
|
||||
# Allow binder communication with hal_fingerprint
|
||||
binder_call(hal_fod_kona, hal_fingerprint)
|
||||
|
||||
# Allow hal_fod_kona to hal_display_hwservice
|
||||
allow hal_fod_kona hal_display_hwservice:hwservice_manager find;
|
||||
|
||||
# Allow hal_fod_kona to hal_fingerprint_hwservice
|
||||
allow hal_fod_kona hal_fingerprint_hwservice:hwservice_manager find;
|
||||
|
||||
# Allow hal_fod_kona to read and write to sysfs_fod
|
||||
allow hal_fod_kona sysfs_fod:file rw_file_perms;
|
||||
@@ -1,26 +0,0 @@
|
||||
type hal_livedisplay_kona, coredomain, domain;
|
||||
hal_server_domain(hal_livedisplay_kona, hal_lineage_livedisplay)
|
||||
|
||||
type hal_livedisplay_kona_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_livedisplay_kona)
|
||||
|
||||
# Allow hal_livedisplay_kona to find vendor_hal_display_color_hwservice
|
||||
type vendor_hal_display_color_hwservice, hwservice_manager_type;
|
||||
allow hal_livedisplay_kona vendor_hal_display_color_hwservice:hwservice_manager find;
|
||||
|
||||
# Allow binder communication with vendor_hal_display_color_default
|
||||
type vendor_hal_display_color_default, domain;
|
||||
binder_call(hal_livedisplay_kona, vendor_hal_display_color_default)
|
||||
|
||||
# Allow hal_livedisplay_kona to use binder service
|
||||
binder_use(hal_livedisplay_kona)
|
||||
|
||||
# Allow LiveDisplay to store files under /data/misc/display and access them
|
||||
allow hal_livedisplay_kona display_misc_file:dir rw_dir_perms;
|
||||
allow hal_livedisplay_kona display_misc_file:file create_file_perms;
|
||||
|
||||
# Grant access over LiveDisplay tuneables
|
||||
allow hal_livedisplay_kona { sysfs_livedisplay_tuneable sysfs_oem }:file rw_file_perms;
|
||||
|
||||
# Allow hal_livedisplay_kona to set config_prop
|
||||
set_prop(hal_livedisplay_kona, config_prop)
|
||||
@@ -1,2 +0,0 @@
|
||||
allow hal_power proc_touchpanel:dir search;
|
||||
allow hal_power proc_touchpanel:file w_file_perms;
|
||||
@@ -1,9 +0,0 @@
|
||||
type hal_powershare_kona, coredomain, domain;
|
||||
hal_server_domain(hal_powershare_kona, hal_lineage_powershare)
|
||||
|
||||
type hal_powershare_kona_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_powershare_kona)
|
||||
|
||||
# Allow access to wireless rx enable nodes
|
||||
allow hal_powershare_kona procfs_oem_wireless:dir search;
|
||||
allow hal_powershare_kona procfs_oem_wireless:file rw_file_perms;
|
||||
@@ -1,9 +0,0 @@
|
||||
type hal_touch_kona, coredomain, domain;
|
||||
hal_server_domain(hal_touch_kona, hal_lineage_touch)
|
||||
|
||||
type hal_touch_kona_exec, system_file_type, exec_type, file_type;
|
||||
init_daemon_domain(hal_touch_kona)
|
||||
|
||||
# Allow access to gesture enable nodes
|
||||
allow hal_touch_kona proc_touchpanel:dir search;
|
||||
allow hal_touch_kona proc_touchpanel:file rw_file_perms;
|
||||
@@ -1,2 +0,0 @@
|
||||
# Allow hal_usb to read and write to sysfs_oem
|
||||
allow hal_usb sysfs_oem:file rw_file_perms;
|
||||
@@ -1 +0,0 @@
|
||||
type hal_display_hwservice, hwservice_manager_type;
|
||||
@@ -1,15 +0,0 @@
|
||||
# Allow init to mount vendor configs
|
||||
allow init vendor_configs_file:dir mounton;
|
||||
|
||||
# Allow init to mount vendor overlays
|
||||
allow init vendor_overlay_file:dir mounton;
|
||||
|
||||
# Allow init to chown/chmod on pseudo files in /sys
|
||||
allow init {
|
||||
sysfs_fod
|
||||
sysfs_fpc_proximity
|
||||
sysfs_graphics
|
||||
}:file { open read setattr };
|
||||
|
||||
# Allow init to write to otg_switch
|
||||
allow init sysfs_usb_supply:file w_file_perms;
|
||||
@@ -1 +0,0 @@
|
||||
type vendor_camera_prop, property_type;
|
||||
@@ -1 +0,0 @@
|
||||
sys.display.mode u:object_r:config_prop:s0
|
||||
@@ -1,2 +0,0 @@
|
||||
# Allow vendor_init to set vendor_camera_prop
|
||||
set_prop(vendor_init, vendor_camera_prop)
|
||||
@@ -1,6 +0,0 @@
|
||||
type vendor_qmipriod, domain;
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow vendor_qmipriod vendor_qmipriod_data_file:dir rw_dir_perms;
|
||||
allow vendor_qmipriod vendor_qmipriod_data_file:file create_file_perms;
|
||||
')
|
||||