From 9b4ea921988092df9d1dfeb0ebdf4a491868e78e Mon Sep 17 00:00:00 2001 From: Ramii Ahmed Date: Mon, 4 Jan 2021 13:12:12 +0000 Subject: [PATCH] sm6250-common: Enforcing bring up for R sm6250-common: Label Light & Perf HALs sm6250-common: Add Sensor Service to Manifest sm6250-common: Disable APEXes sm6250-common: Revert "Introduce 'SafailNet'" sm6250-common: Address FP HAL Denials sm6250-common: Merge Erfan Fingerprint Sepolicy Co-authored-by: Erfan Abdi Co-authored-by: Volodymyr Zhdanov Co-authored-by: Cosmin Tanislav --- BoardConfigCommon.mk | 1 - common.mk | 6 +-- manifest.xml | 15 +++++++- rootdir/etc/init.qcom.rc | 1 - rootdir/etc/init.safailnet.rc | 8 ---- sepolicy/private/fsck.te | 1 + sepolicy/private/linkerconfig.te | 1 + sepolicy/private/system_suspend.te | 2 + sepolicy/private/vdc.te | 1 + sepolicy/vendor/battery.te | 4 -- sepolicy/vendor/device.te | 2 + sepolicy/vendor/file_contexts | 20 +++++++++- sepolicy/vendor/hal_fingerprint_default.te | 26 +++++++++++++ sepolicy/vendor/hal_health_default.te | 1 + sepolicy/vendor/hal_ir_default.te | 2 + sepolicy/vendor/hal_light_default.te | 1 + sepolicy/vendor/hal_sensors_default.te | 1 + sepolicy/vendor/hwservice_contexts | 2 + sepolicy/vendor/property.te | 4 ++ sepolicy/vendor/property_contexts | 45 ++++++++++++++++++++++ sepolicy/vendor/tee.te | 4 ++ sepolicy/vendor/vendor_init.te | 11 ++++++ 22 files changed, 137 insertions(+), 22 deletions(-) delete mode 100644 rootdir/etc/init.safailnet.rc create mode 100644 sepolicy/private/fsck.te create mode 100644 sepolicy/private/linkerconfig.te create mode 100644 sepolicy/private/system_suspend.te create mode 100644 sepolicy/private/vdc.te create mode 100644 sepolicy/vendor/device.te create mode 100644 sepolicy/vendor/hal_fingerprint_default.te create mode 100644 sepolicy/vendor/hal_health_default.te create mode 100644 sepolicy/vendor/hal_ir_default.te create mode 100644 sepolicy/vendor/hal_light_default.te create mode 100644 sepolicy/vendor/hal_sensors_default.te create mode 100644 sepolicy/vendor/hwservice_contexts create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/property_contexts create mode 100644 sepolicy/vendor/tee.te create mode 100644 sepolicy/vendor/vendor_init.te diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index aee7448..d38ca57 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -102,7 +102,6 @@ BOARD_KERNEL_CMDLINE += msm_rtb.filter=0x237 BOARD_KERNEL_CMDLINE += service_locator.enable=1 BOARD_KERNEL_CMDLINE += swiotlb=1 BOARD_KERNEL_CMDLINE += video=vfb:640x400,bpp=32,memsize=3072000 -BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive # HIDL DEVICE_MANIFEST_FILE := $(COMMON_PATH)/manifest.xml diff --git a/common.mk b/common.mk index 8a57fa0..a4bf8c4 100644 --- a/common.mk +++ b/common.mk @@ -10,9 +10,6 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/full_base_telephony.mk) # Inherit proprietary targets $(call inherit-product-if-exists, vendor/xiaomi/sm6250-common/sm6250-common-vendor.mk) -# Enable updating of APEXes -$(call inherit-product, $(SRC_TARGET_DIR)/product/updatable_apex.mk) - # Setup dalvik vm configs $(call inherit-product, frameworks/native/build/phone-xhdpi-4096-dalvik-heap.mk) @@ -199,8 +196,7 @@ PRODUCT_PACKAGES += \ PRODUCT_COPY_FILES += \ $(LOCAL_PATH)/rootdir/etc/init.qcom.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.rc \ $(LOCAL_PATH)/rootdir/etc/init.qcom.usb.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.qcom.usb.rc \ - $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc \ - $(LOCAL_PATH)/rootdir/etc/init.safailnet.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.safailnet.rc + $(LOCAL_PATH)/rootdir/etc/init.target.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.target.rc PRODUCT_COPY_FILES += \ $(LOCAL_PATH)/rootdir/bin/init.qcom.post_boot.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.post_boot.sh \ diff --git a/manifest.xml b/manifest.xml index 113d6af..9f157e9 100644 --- a/manifest.xml +++ b/manifest.xml @@ -481,12 +481,12 @@ vendor.qti.hardware.perf hwbinder - 2.0 + 2.2 IPerf default - @2.0::IPerf/default + @2.2::IPerf/default vendor.qti.hardware.qdutils_disp @@ -687,6 +687,17 @@ @1.0::ITuiComm/default + + android.frameworks.sensorservice + hwbinder + 1.0 + + ISensors + default + + @1.0::ISensors/default + @1.0::ISensorManager/default + vendor.qti.hardware.wifidisplaysession hwbinder diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc index 6715d40..7173152 100644 --- a/rootdir/etc/init.qcom.rc +++ b/rootdir/etc/init.qcom.rc @@ -28,7 +28,6 @@ import /vendor/etc/init/hw/init.qcom.usb.rc import /vendor/etc/init/hw/init.target.rc import /vendor/etc/init/hw/init.device.rc -import /vendor/etc/init/hw/init.safailnet.rc on early-init mount debugfs debugfs /sys/kernel/debug diff --git a/rootdir/etc/init.safailnet.rc b/rootdir/etc/init.safailnet.rc deleted file mode 100644 index 53676c5..0000000 --- a/rootdir/etc/init.safailnet.rc +++ /dev/null @@ -1,8 +0,0 @@ -# Safetynet bypass -# Inspired in magisk source code, by topjohnwu -# Ported to ramdisk by jhenrique09 - -on boot - # selinux nodes, hide permissive state - chmod 0640 /sys/fs/selinux/enforce - chmod 0440 /sys/fs/selinux/policy diff --git a/sepolicy/private/fsck.te b/sepolicy/private/fsck.te new file mode 100644 index 0000000..9990eda --- /dev/null +++ b/sepolicy/private/fsck.te @@ -0,0 +1 @@ +dontaudit fsck self:capability kill; diff --git a/sepolicy/private/linkerconfig.te b/sepolicy/private/linkerconfig.te new file mode 100644 index 0000000..6b0a1fa --- /dev/null +++ b/sepolicy/private/linkerconfig.te @@ -0,0 +1 @@ +dontaudit linkerconfig self:capability kill; diff --git a/sepolicy/private/system_suspend.te b/sepolicy/private/system_suspend.te new file mode 100644 index 0000000..03824e2 --- /dev/null +++ b/sepolicy/private/system_suspend.te @@ -0,0 +1,2 @@ +allow system_suspend sysfs:dir { open read }; +dontaudit system_suspend sysfs:file { getattr open read }; diff --git a/sepolicy/private/vdc.te b/sepolicy/private/vdc.te new file mode 100644 index 0000000..9123f99 --- /dev/null +++ b/sepolicy/private/vdc.te @@ -0,0 +1 @@ +dontaudit vdc self:capability kill; diff --git a/sepolicy/vendor/battery.te b/sepolicy/vendor/battery.te index 4c91aaa..77d6ff0 100644 --- a/sepolicy/vendor/battery.te +++ b/sepolicy/vendor/battery.te @@ -21,7 +21,6 @@ r_dir_file(battery_daemons, vendor_sysfs_usbpd_device) allow battery_daemons persist_subsys_file:dir w_dir_perms; allow battery_daemons rootfs:dir w_dir_perms; - allow battery_daemons kmsg_device:chr_file w_file_perms; allow battery_daemons persist_subsys_file:file w_file_perms; allow battery_daemons sysfs:file w_file_perms; @@ -29,12 +28,9 @@ allow battery_daemons vendor_sysfs_battery_supply:file w_file_perms; allow battery_daemons sysfs_usb:file w_file_perms; allow battery_daemons vendor_sysfs_usb_supply:file w_file_perms; allow battery_daemons vendor_sysfs_usbpd_device:file w_file_perms; - allow battery_daemons self:global_capability_class_set sys_tty_config; allow battery_daemons self:global_capability_class_set sys_boot; - allow battery_daemons self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; - allow battery_daemons self:capability { chown fsetid }; wakelock_use(battery_daemons) diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te new file mode 100644 index 0000000..b84e726 --- /dev/null +++ b/sepolicy/vendor/device.te @@ -0,0 +1,2 @@ +type fingerprint_device, dev_type; +type spidev_device, dev_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 5dd0560..6ac7dbf 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -3,8 +3,26 @@ /vendor/bin/batterysecret u:object_r:batterysecret_exec:s0 /mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0 +# Biometric +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sm6250 u:object_r:hal_fingerprint_default_exec:s0 + # Fingerprint -/vendor/bin/hw/android\.hardware\.fingerprint@2\.1-service\.xiaomi_sm6250 u:object_r:hal_fingerprint_default_exec:s0 +/data/gf_data(/.*)? u:object_r:fingerprintd_data_file:s0 +/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/dev/goodix_fp u:object_r:fingerprint_device:s0 + +# IR +/dev/lirc0 u:object_r:spidev_device:s0 +/dev/spidev7.1 u:object_r:spidev_device:s0 +/dev/spidev0.1 u:object_r:spidev_device:s0 + +#Light +/vendor/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_sm6250 u:object_r:hal_light_default_exec:s0 + +#Perf +/vendor/bin/hw/vendor\.qti\.hardware\.perf@2\.2-service\.xiaomi_sm6250 u:object_r:same_process_hal_file:s0 # Power HAL /vendor/bin/hw/android\.hardware\.power@1\.3-service\.xiaomi_sm6250 u:object_r:hal_power_default_exec:s0 diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te new file mode 100644 index 0000000..0fa98c8 --- /dev/null +++ b/sepolicy/vendor/hal_fingerprint_default.te @@ -0,0 +1,26 @@ +hal_server_domain(hal_fingerprint_default, hal_fingerprint) +init_daemon_domain(hal_fingerprint_default) + +# access to /data/system/users/[0-9]+/fpdata +allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms; +allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find; +allow hal_fingerprint_default vendor_sysfs_fps_attr:file { open read write }; +allow hal_fingerprint_default property_socket:sock_file write; +allow hal_fingerprint_default init:unix_stream_socket connectto; + +allow hal_fingerprint_default { + fingerprint_device + tee_device + uhid_device +}:chr_file rw_file_perms; + +# TODO(b/36644492): Remove data_between_core_and_vendor_violators once +# hal_fingerprint no longer directly accesses fingerprintd_data_file. +typeattribute hal_fingerprint_default data_between_core_and_vendor_violators; +binder_call(hal_fingerprint_default, hal_perf_default) +r_dir_file(hal_fingerprint_default, firmware_file) +set_prop(hal_fingerprint_default, hal_fingerprint_prop) +dontaudit hal_fingerprint_default storage_file:dir search; + diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te new file mode 100644 index 0000000..146238d --- /dev/null +++ b/sepolicy/vendor/hal_health_default.te @@ -0,0 +1 @@ +allow hal_health_default sysfs:file read; diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te new file mode 100644 index 0000000..f6f771a --- /dev/null +++ b/sepolicy/vendor/hal_ir_default.te @@ -0,0 +1,2 @@ +get_prop(hal_ir_default, lirc_prop) +allow hal_ir_default spidev_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te new file mode 100644 index 0000000..ba3fc9b --- /dev/null +++ b/sepolicy/vendor/hal_light_default.te @@ -0,0 +1 @@ +allow hal_light_default sysfs:file { open write getattr }; diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te new file mode 100644 index 0000000..e117d6a --- /dev/null +++ b/sepolicy/vendor/hal_sensors_default.te @@ -0,0 +1 @@ +set_prop(hal_sensors_default, vendor_camera_prop) diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts new file mode 100644 index 0000000..d83bf7f --- /dev/null +++ b/sepolicy/vendor/hwservice_contexts @@ -0,0 +1,2 @@ +vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 +vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0 diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te new file mode 100644 index 0000000..b4bba15 --- /dev/null +++ b/sepolicy/vendor/property.te @@ -0,0 +1,4 @@ +type hal_fingerprint_prop, property_type; +type mlipay_prop, property_type; +type thermal_engine_prop, property_type; +type lirc_prop, property_type; diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts new file mode 100644 index 0000000..053c0fe --- /dev/null +++ b/sepolicy/vendor/property_contexts @@ -0,0 +1,45 @@ +# Audio +audio.sys.noisy.broadcast.delay u:object_r:vendor_default_prop:s0 +audio.sys.offload.pstimeout.secs u:object_r:vendor_default_prop:s0 +audio_hal.in_period_size u:object_r:vendor_default_prop:s0 +audio_hal.period_multiplier u:object_r:vendor_default_prop:s0 +persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0 + +# Camera +cameradaemon.SaveMemAtBoot u:object_r:vendor_default_prop:s0 +cpp.set.clock u:object_r:vendor_default_prop:s0 +disable.cpp.power.collapse u:object_r:vendor_default_prop:s0 +vendor.camera.eis.gyro_name u:object_r:vendor_camera_prop:s0 +vidc.enc.dcvs.extra-buff-count u:object_r:vendor_default_prop:s0 + +#IR +ro.lirc.dev u:object_r:lirc_prop:s0 + +# Fingerprint +fpc_kpi u:object_r:vendor_default_prop:s0 +gf.debug.dump_data u:object_r:vendor_default_prop:s0 +persist.sys.fp. u:object_r:hal_fingerprint_prop:s0 +persist.vendor.sys.fp. u:object_r:hal_fingerprint_prop:s0 +ro.boot.fp. u:object_r:hal_fingerprint_prop:s0 +ro.boot.fpsensor u:object_r:hal_fingerprint_prop:s0 +sys.fp. u:object_r:hal_fingerprint_prop:s0 + +# Media +gpu.stats.debug.level u:object_r:vendor_default_prop:s0 + +# Mlipay +persist.vendor.sys.pay. u:object_r:mlipay_prop:s0 +persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0 + +# RIL +ro.build.software.version u:object_r:exported_radio_prop:s0 +ro.fota.oem u:object_r:exported_radio_prop:s0 +ro.miui. u:object_r:exported_radio_prop:s0 +ro.product.mod_device u:object_r:exported_radio_prop:s0 + +# Thermal engine +persist.sys.thermal. u:object_r:thermal_engine_prop:s0 +sys.thermal. u:object_r:thermal_engine_prop:s0 + +# Wlan +persist.vendor.wigig.npt.enable u:object_r:vendor_default_prop:s0 diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te new file mode 100644 index 0000000..a372b82 --- /dev/null +++ b/sepolicy/vendor/tee.te @@ -0,0 +1,4 @@ +typeattribute tee data_between_core_and_vendor_violators; +allow tee system_data_file:dir r_dir_perms; +allow tee fingerprintd_data_file:dir rw_dir_perms; +allow tee fingerprintd_data_file:file create_file_perms; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te new file mode 100644 index 0000000..5335e96 --- /dev/null +++ b/sepolicy/vendor/vendor_init.te @@ -0,0 +1,11 @@ +typeattribute vendor_init data_between_core_and_vendor_violators; + +allow vendor_init { + system_data_file + tombstone_data_file +}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom }; + +allow init adsprpcd_file:file mounton; + +set_prop(vendor_init, vendor_freq_prop) +set_prop(vendor_init, vendor_camera_prop)