diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 612a61e..eb8d02b 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -177,6 +177,7 @@ VENDOR_SECURITY_PATCH := 2021-07-01
 
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
 
 # Verified Boot
 BOARD_AVB_ENABLE := true
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
new file mode 100644
index 0000000..58fe3e7
--- /dev/null
+++ b/sepolicy/vendor/adsprpcd.te
@@ -0,0 +1 @@
+r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..6ea1879
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,2 @@
+get_prop({ appdomain -isolated_app }, vendor_fp_prop)
+get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..c6a6425
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
@@ -0,0 +1,49 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(batterysecret)
+
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, mnt_vendor_file)
+r_dir_file(batterysecret, vendor_sysfs_battery_supply)
+r_dir_file(batterysecret, sysfs_batteryinfo)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+r_dir_file(batterysecret, vendor_sysfs_usbpd_device)
+
+allow batterysecret {
+ mnt_vendor_file
+ persist_subsys_file
+ rootfs
+}:dir rw_dir_perms;
+
+allow batterysecret {
+ persist_subsys_file
+ vendor_sysfs_battery_supply
+ sysfs_usb
+ vendor_sysfs_usb_supply
+ vendor_sysfs_usbpd_device
+}:file w_file_perms;
+
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+
+allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow batterysecret self:global_capability_class_set {
+ sys_tty_config
+ sys_boot
+};
+
+allow batterysecret self:capability {
+ chown
+ fsetid
+};
+
+allow batterysecret {
+ system_suspend_hwservice
+ hidl_manager_hwservice
+}:hwservice_manager find;
+
+binder_call(batterysecret, system_suspend_server)
+
+wakelock_use(batterysecret)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..b785fc9
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,5 @@
+type fingerprint_device, dev_type;
+
+type lirc_device, dev_type;
+
+type sound_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 5676e77..5b3c5b4 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
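Review bot: `rootfs` in the first `allow batterysecret { ... }:dir rw_dir_perms;` block gives a charger daemon add_name/remove_name/write on root-filesystem directories, far wider than the persist and sysfs nodes the rest of the file targets, and `sys_boot` in the global_capability_class_set block is the reboot capability. If both came from audit denials, a comment naming the path or operation (`# rootfs: <path> — TODO confirm from denial`) would let a later reader narrow them to a dedicated type or drop them. `r_dir_file(batterysecret, sysfs_type)` presumably also subsumes the more specific sysfs r_dir_file lines above it, so either the attribute-wide grant or the specific ones are redundant.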
@@ -1 +1,15 @@
+type audio_socket, file_type;
+
+type camera_persist_file, file_type, vendor_persist_type;
+
+type fingerprint_data_file, data_file_type, file_type, vendor_persist_type;
+
+type persist_subsys_file, vendor_persist_type, file_type;
+
+type sysfs_msm_boot, fs_type, sysfs_type;
+
+type sysfs_msm_subsys, sysfs_type, fs_type;
+
 type thermal_link_device, dev_type;
+
+type vendor_sysfs_iio, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index aac47cd..7dc74d3 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
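Review bot: `fingerprint_data_file` is declared with both `data_file_type` and `vendor_persist_type`, yet the file_contexts hunk in this commit maps it to `/data/vendor/goodix` and `/data/vendor/fpc`, not to a persist path. If `vendor_persist_type` is the attribute used for `/mnt/vendor/persist` labels, as `camera_persist_file` and `persist_subsys_file` in the same hunk suggest, it probably does not belong on a /data type and would hand that type every rule written against the attribute; `type fingerprint_data_file, data_file_type, file_type;` unless a denial required more. Minor: `sysfs_msm_boot` lists `fs_type, sysfs_type` and `sysfs_msm_subsys` lists `sysfs_type, fs_type`; one order would read better.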
@@ -1,11 +1,38 @@
+# Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+
+# Charger
+/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
+
 # Fingerprint
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_atoll u:object_r:hal_fingerprint_default_exec:s0
 
+# Fingerprint - devices
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+# Fingerprint - data
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_data_file:s0
+
+# IR
+/dev/spidev0.1 u:object_r:lirc_device:s0
+
 # Lights
 /vendor/bin/hw/android\.hardware\.lights-service\.xiaomi_atoll u:object_r:hal_light_default_exec:s0
 
+# Persist subsystem
+/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+
 # Power
 /vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
 
+# Sys
+/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
+
 # Thermal
 /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.xiaomi_atoll u:object_r:hal_thermal_default_exec:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..e3860c3
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
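Review bot: the three `# Sys` entries label paths under `/sys`, but sysfs nodes take their labels from genfs_contexts unless something explicitly runs restorecon on them, so these lines are probably inert as written. The commit already adds `genfs_contexts`, which is where `genfscon sysfs /bus/iio/devices u:object_r:vendor_sysfs_iio:s0` and the two `/devices/...iio:deviceN` entries would take effect. If an init.rc `restorecon_recursive` for these paths exists and file_contexts was chosen deliberately, a comment pointing at it would save the next reader the same question.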
@@ -0,0 +1,56 @@
+# DSP
+genfscon sysfs /kernel/boot_cdsp/boot u:object_r:sysfs_msm_boot:s0
+
+# Display
+genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display u:object_r:vendor_sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq u:object_r:sysfs_msm_subsys:s0
+
+# Health
+genfscon sysfs /class/power_supply/battery/capacity u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0
+
+# LED
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d000/leds/white u:object_r:sysfs_leds:s0
+
+# Wakeup source stats
+genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/88c000.qcom,qup_uart/tty/ttyHS0/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/890000.i2c/i2c-1/1-005a/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a600000.ssusb/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,power-on@800/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/battery/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/dc/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/main/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/pc_port/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/usb/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd/usbpd0/otg_default/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd/usbpd0/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qpnp,qg/power_supply/bms/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:qcom,power-on@800/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/rx-macro/rx_swr_ctrl/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/tx-macro/tx_swr_ctrl/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/input/input1/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_aac/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_alac/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrnb/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwbplus/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwb/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_ape/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_evrc/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711alaw/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711mlaw/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_mp3/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_multi_aac/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_qcelp/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wma/power/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wmapro/power/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..a981cff
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,14 @@
+# For interfacing with PowerHAL
+hal_client_domain(hal_audio_default, hal_power)
+
+# Allow hal_audio_default to read vendor_persist_audio_file
+r_dir_file(hal_audio_default, vendor_persist_audio_file)
+
+r_dir_file(hal_audio_default, sysfs)
+
+binder_call(hal_audio_default, system_suspend_server)
+
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
new file mode 100644
index 0000000..d63e66c
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_default.te
@@ -0,0 +1,2 @@
+# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
+r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..b82ed14
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,17 @@
+# For interfacing with PowerHAL
+hal_client_domain(hal_camera_default, hal_power)
+
+# Allow hal_camera_default to read to vendor_sysfs_kgsl
+r_dir_file(hal_camera_default, vendor_sysfs_kgsl)
+
+# Allow hal_camera_default to read to mnt/vendor/persist/camera
+r_dir_file(hal_camera_default, camera_persist_file)
+r_dir_file(hal_camera_default, mnt_vendor_file)
+r_dir_file(hal_camera_default, vendor_persist_sensors_file)
+
+allow hal_camera_default proc_stat:file read;
+
+set_prop(hal_camera_default, vendor_camera_prop)
+
+allow hal_camera_default socket_device:sock_file write;
+allow hal_camera_default proc_stat:file { open };
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..fe2e71e
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
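Review bot: `r_dir_file(hal_audio_default, sysfs)` grants read on the generic `sysfs` label, i.e. every sysfs node that has not been given a more specific type, which is much wider than the labelled nodes every other rule in this commit uses. The usual fix is to label the node the HAL actually reads in the genfs_contexts this commit adds and allow that type; failing that, a comment naming the path (`# sysfs: reads <path> — TODO label in genfs_contexts`) would record what the rule is for, since it is the only uncommented macro call in the file apart from the well-known ones.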
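Review bot: the `proc_stat` rules near the top and at the end of hal_camera_default.te grant `read` and `{ open }` on the same object in two separate statements; one line, `allow hal_camera_default proc_stat:file { open read };`, shows the access at a glance and matches how the hal_fingerprint_default.te hunk writes `vendor_sysfs_spss:file { open read }`. The comments `# Allow hal_camera_default to read to vendor_sysfs_kgsl` and `# Allow hal_camera_default to read to mnt/vendor/persist/camera` should say `read` rather than `read to`, and the second one sits above `mnt_vendor_file` and `vendor_persist_sensors_file`, which are not camera paths, so it understates what the three lines under it grant.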
@@ -0,0 +1,33 @@
+allow hal_fingerprint_default fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_default {
+ fingerprint_device
+ input_device
+ tee_device
+ uhid_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+
+allow hal_fingerprint_default {
+ input_device
+ vendor_sysfs_graphics
+ sysfs_msm_subsys
+}: dir r_dir_perms;
+
+allow hal_fingerprint_default {
+ vendor_sysfs_fingerprint
+ vendor_sysfs_fps_attr
+ vendor_sysfs_graphics
+ sysfs_msm_subsys
+}: file rw_file_perms;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+get_prop(system_server, vendor_fp_prop);
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+
+allow hal_fingerprint_default vendor_sysfs_spss:dir { search };
+allow hal_fingerprint_default vendor_sysfs_spss:file { open read };
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..6cecf70
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,2 @@
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..b945493
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1,4 @@
+allow hal_ir_default lirc_device:{
+ chr_file
+ file
+} rw_file_perms;
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..50ede18
--- /dev/null
+++ b/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1,5 @@
+allow hal_light_default {
+ sysfs_leds
+}:file rw_file_perms;
+
+r_dir_file(hal_light_default, sysfs_leds)
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..59872eb
--- /dev/null
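Review bot: `get_prop(system_server, vendor_fp_prop);` is a rule for the `system_server` domain placed in hal_fingerprint_default.te, and it is the one macro call in the file written with a trailing `;` (the same trailing `;` appears on the `unix_socket_connect(...)` lines in hal_power_default.te and thermal-engine.te). Moving it to a system_server.te and dropping the `;` keeps each file scoped to the domain it names, and makes it visible that a vendor policy directory is granting a property read to a core domain. Separately, `uhid_device` and `input_device` with `chr_file rw_file_perms` let the fingerprint HAL write to input and virtual-HID device nodes, which is a surprising grant for a biometrics HAL; if key-event injection is the reason, a one-line comment (`# uhid/input: <reason> — TODO confirm`) would document it.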
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,3 @@
+# Data file accesses.
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..b7131de
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,32 @@
+# Allow hal_power_default to write to dt2w nodes
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+
+r_dir_file(hal_power_default, input_device)
+
+allow hal_power_default {
+ vendor_sysfs_devfreq
+ sysfs_msm_subsys
+}:dir search;
+
+allow hal_power_default {
+ cgroup
+ proc
+ vendor_sysfs_devfreq
+ sysfs_devices_system_cpu
+ vendor_sysfs_graphics
+ vendor_sysfs_kgsl
+ sysfs_msm_subsys
+ vendor_sysfs_scsi_host
+}:{
+ file
+ lnk_file
+} rw_file_perms;
+
+allow hal_power_default vendor_latency_device:chr_file rw_file_perms;
+
+# Rule for hal_power_default to access graphics composer process
+unix_socket_connect(hal_power_default, vendor_pps, hal_graphics_composer_default);
+
+# To get/set powerhal state property
+set_prop(hal_power_default, power_prop)
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
new file mode 100644
index 0000000..3ccdf89
--- /dev/null
+++ b/sepolicy/vendor/hal_power_stats_default.te
@@ -0,0 +1,2 @@
+allow hal_power_stats_default vendor_sysfs_iio:dir r_dir_perms;
+allow hal_power_stats_default vendor_sysfs_iio:file r_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..028f3c6
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
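Review bot: `proc` and `cgroup` inside the large `allow hal_power_default { ... }:{ file lnk_file } rw_file_perms;` block are generic labels — `proc` covers every /proc entry without a more specific type — so the power HAL gets read/write far beyond the devfreq, cpu and kgsl nodes the rest of the block names, and a generic `proc` write is also the kind of rule the platform's neverallows commonly reject, which is worth checking against the policy this target builds with. The only comment, `# Allow hal_power_default to write to dt2w nodes`, explains just the input_device lines; a comment per unusual type, e.g. `# proc: writes <path> — TODO label in genfs_contexts`, would let the block be narrowed later. `r_dir_file(hal_power_default, input_device)` already covers the `input_device:dir r_dir_perms` line two lines above it.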
@@ -0,0 +1,9 @@
+unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default socket_device:sock_file rw_file_perms;
+allow hal_sensors_default iio_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
+
+get_prop(hal_sensors_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..d37b6d6
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..3a57d5d
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,4 @@
+# For mount tracefs tracefs /sys/kernel/tracing
+allow init debugfs_tracing_debug:dir mounton;
+
+allow init same_process_hal_file:file execute;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 8cab56f..aa2e854 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1 +1,7 @@
+type power_prop, property_type;
+
+type vendor_device_prop, property_type;
+
+type vendor_fp_prop, property_type;
+
 type vendor_thermal_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 7cc4b5a..7d45ee7 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
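Review bot: `allow init same_process_hal_file:file execute;` and `allow init debugfs_tracing_debug:dir mounton;` in init.te extend the core `init` domain from a vendor sepolicy directory, which is unusual enough that the reason should be recorded next to each rule, and `execute` on same-process HAL libraries for init is the kind of grant the platform's init neverallows may reject, so please confirm it builds and is really needed rather than belonging to a vendor_init or HAL domain. The comment `# For mount tracefs tracefs /sys/kernel/tracing` reads like a pasted init.rc line; `# init.rc runs 'mount tracefs tracefs /sys/kernel/tracing', which needs mounton on the mount point` says what the rule is for, and the execute rule deserves a comment of its own.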
@@ -1,2 +1,26 @@
+# Camera
+persist.vendor.camera.mi.module. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+persist.camera. u:object_r:vendor_camera_prop:s0
+
+# Fingerprint
+persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
+ro.hardware.fp u:object_r:vendor_fp_prop:s0
+vendor.fps_hal. u:object_r:vendor_fp_prop:s0
+vendor.sys.fp u:object_r:vendor_fp_prop:s0
+
+# Power
+vendor.powerhal.state u:object_r:power_prop:s0
+vendor.powerhal.audio u:object_r:power_prop:s0
+vendor.powerhal.lpm u:object_r:power_prop:s0
+vendor.powerhal.init u:object_r:power_prop:s0
+vendor.powerhal.rendering u:object_r:power_prop:s0
+
+# Recovery
+ro.build.expect. u:object_r:exported_default_prop:s0
+
 # Thermal
 vendor.thermal. u:object_r:vendor_thermal_prop:s0
+
+# USB
+sys.usb.configfs u:object_r:system_prop:s0
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
new file mode 100644
index 0000000..4670c6a
--- /dev/null
+++ b/sepolicy/vendor/radio.te
@@ -0,0 +1 @@
+get_prop(radio, vendor_audio_prop)
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
new file mode 100644
index 0000000..2dc5c72
--- /dev/null
+++ b/sepolicy/vendor/sensors.te
@@ -0,0 +1,2 @@
+# Allow sensors to access backlight sysfs state
+r_dir_file(vendor_sensors, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..2c1079d
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,6 @@
+allow system_app vendor_sysfs_battery_supply:dir { search };
+allow system_app vendor_sysfs_battery_supply:file { read };
+allow system_app vendor_sysfs_battery_supply:file { open };
+allow system_app vendor_sysfs_battery_supply:file { getattr };
+
+r_dir_file(system_app, vendor_sysfs_battery_supply)
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..0787229
--- /dev/null
+++ b/sepolicy/vendor/tee.te
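Review bot: `ro.build.expect. u:object_r:exported_default_prop:s0` and `sys.usb.configfs u:object_r:system_prop:s0` assign system-owned property types to system-prefixed properties from the vendor property_contexts; on recent platform versions the vendor file is expected to label only vendor-prefixed properties, and the build-time property checks (when enabled for the target) reject system prefixes here, so please confirm these two entries are needed and that the build still passes with them. If they are required, a comment per entry naming the component that reads the property would help, since `# Recovery` and `# USB` do not say why a vendor policy needs to label them.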
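Review bot: the four `allow system_app vendor_sysfs_battery_supply:...` lines in system_app.te are already covered by `r_dir_file(system_app, vendor_sysfs_battery_supply)` at the end of the file (dir search and file open/read/getattr are all in r_dir_perms/r_file_perms), so the file can be reduced to the one macro call. If the explicit lines are kept for some reason, one statement, `allow system_app vendor_sysfs_battery_supply:file { getattr open read };`, is the usual style rather than one line per permission.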
@@ -0,0 +1,7 @@
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee {
+ fingerprint_data_file
+ mnt_vendor_file
+}:file create_file_perms;
+
+allow tee mnt_vendor_file:dir rw_dir_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..3f87c39
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,11 @@
+allow vendor_thermal-engine {
+ vendor_sysfs_devfreq
+ sysfs_msm_subsys
+}:dir r_dir_perms;
+
+allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms;
+
+# Rule for vendor_thermal-engine to access init process
+unix_socket_connect(vendor_thermal-engine, property, init);
+
+set_prop(vendor_thermal-engine, vendor_thermal_prop)
diff --git a/sepolicy/vendor/uevent.te b/sepolicy/vendor/uevent.te
new file mode 100644
index 0000000..ae98f62
--- /dev/null
+++ b/sepolicy/vendor/uevent.te
@@ -0,0 +1 @@
+allow ueventd self:capability sys_nice;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..aa21090
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1 @@
+allow vendor_hal_perf_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 3133b1e..62d9dff 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,2 +1,17 @@
+set_prop(vendor_init, power_prop)
+set_prop(vendor_init, vendor_alarm_boot_prop)
+set_prop(vendor_init, vendor_video_prop)
+
+allow vendor_init {
+ vendor_debugfs_clk
+ proc_dirty
+ proc
+}:file w_file_perms;
+
+allow vendor_init block_device:lnk_file setattr;
+allow vendor_init vendor_camera_prop:property_service set;
+
+allow vendor_init input_device:chr_file { create setattr unlink rw_file_perms };
+
 allow vendor_init thermal_link_device:dir r_dir_perms;
 allow vendor_init thermal_link_device:lnk_file r_file_perms;
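Review bot: `allow tee mnt_vendor_file:dir rw_dir_perms;` together with `mnt_vendor_file` in the `:file create_file_perms` block lets tee create, write and unlink files anywhere under the generic persist label, not just in its own directory. The commit already carves out `persist_subsys_file` and `camera_persist_file` for other subtrees of /mnt/vendor/persist; giving the tee directory its own type in file.te and file_contexts would bound this grant the same way, and a comment naming that path would explain the rule in the meantime.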
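Review bot: `unix_socket_connect(vendor_thermal-engine, property, init);` in thermal-engine.te duplicates what `set_prop(vendor_thermal-engine, vendor_thermal_prop)` two lines below already expands to, since set_prop includes the connect to the property socket, and the comment `# Rule for vendor_thermal-engine to access init process` overstates it — the connection is to the property service socket, not to init in general. Dropping the line and its comment leaves the file saying exactly what it grants.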
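Review bot: `proc` in the `allow vendor_init { vendor_debugfs_clk proc_dirty proc }:file w_file_perms;` block of vendor_init.te is the generic /proc label, so the write grant is not limited to the dirty-ratio node that `proc_dirty` already covers; the node that needed it should get its own label, or at least a comment (`# proc: writes <path> — TODO label`). `allow vendor_init vendor_camera_prop:property_service set;` sits next to three `set_prop(vendor_init, ...)` calls and reads better written the same way, `set_prop(vendor_init, vendor_camera_prop)`. `input_device:chr_file { create setattr unlink rw_file_perms }` gives vendor_init create/unlink of input device nodes, which is unusual for init scripts; a comment naming the init.rc action that drives it would help.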
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..d5bb7ed
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1,4 @@
+allow vendor_qti_init_shell configfs:dir rw_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell ctl_stop_prop:property_service set;
+allow vendor_qti_init_shell sysfs_wakeup:file setattr;
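Review bot: `allow vendor_qti_init_shell ctl_stop_prop:property_service set;` lets a shell-script domain stop any init service, since `ctl_stop_prop` labels the whole `ctl.stop.` prefix; if the script only stops one service, a per-service ctl property type (where the platform's property_contexts defines one) or at least a comment naming the service would bound or document the grant. The two `configfs` rules likewise give full directory and file-creation rights on configfs; a comment such as `# configfs: configures the USB gadget under /config/usb_gadget for <script>` would record the intended use. This hunk is the last one in the view, so I assume the file ends here.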