sim1222/device_xiaomi_miatoll
1
0
Fork 0
mirror of https://github.com/PixelExperience-Devices/device_xiaomi_miatoll.git synced 2025-04-29 02:37:19 +09:00
Code Issues Projects Releases Wiki Activity

miatoll: Clean up sepolicy

Browse Source 
Change-Id: I5bb632565e72abcf8c71db1d94b8b71075381fa0
This commit is contained in:
Alexander Winkowski 2023-04-23 04:55:23 +00:00
parent f9f5a79e9a
commit 1e5c6ab56b
No known key found for this signature in database
GPG Key ID: 72762A66704CDE44
30 changed files with 23 additions and 172 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
BoardConfig.mk
View File

@ -177,7 +177,6 @@ VENDOR_SECURITY_PATCH := 2022-06-05
# Sepolicy
include device/qcom/sepolicy_vndr-legacy-um/SEPolicy.mk
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
# Verified Boot

2
sepolicy/private/property_contexts
View File

@ -1,2 +0,0 @@
# WiFi Display
persist.vendor.setWFDInfo. u:object_r:vendor_wfd_sys_debug_prop:s0

1
sepolicy/private/system_server.te
View File

@ -1 +0,0 @@
get_prop(system_server, vendor_wfd_sys_debug_prop)

1
sepolicy/private/vendor_wfd_app.te
View File

@ -1 +0,0 @@
get_prop(vendor_wfd_app, vendor_wfd_sys_debug_prop)

1
sepolicy/vendor/adsprpcd.te vendored
View File

@ -1 +0,0 @@
r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)

2
sepolicy/vendor/app.te vendored
View File

@ -1,4 +1,2 @@
allow { appdomain -isolated_app } vendor_xdsp_device:chr_file r_file_perms;
get_prop({ appdomain -isolated_app }, vendor_fingerprint_prop)
get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)

8
sepolicy/vendor/file.te vendored
View File

@ -1,17 +1,9 @@
type audio_socket, file_type;
type camera_persist_file, file_type, vendor_persist_type;
type fingerprint_data_file, data_file_type, core_data_file_type, file_type;
type persist_subsys_file, vendor_persist_type, file_type;
type sysfs_msm_boot, fs_type, sysfs_type;
type sysfs_msm_subsys, sysfs_type, fs_type;
type thermal_link_device, dev_type;
type sysfs_touchpanel, fs_type, sysfs_type;
type vendor_sysfs_iio, fs_type, sysfs_type;

34
sepolicy/vendor/file_contexts vendored
View File

@ -1,40 +1,32 @@
# Audio
/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
# Camera
/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
# Charger
/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
# Fingerprint
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
# Fingerprint - devices
/dev/goodix_fp u:object_r:fingerprint_device:s0
/dev/goodix_fp u:object_r:fingerprint_device:s0
# Fingerprint - data
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
# IR
/dev/spidev0.1 u:object_r:lirc_device:s0
/dev/spidev0.1 u:object_r:lirc_device:s0
# Lights
/vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0
/vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0
# Persist subsystem
/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
# Power
/vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
# Sys
/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
/vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
# Thermal
/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0
/dev/thermal(/.*)? u:object_r:thermal_link_device:s0
/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0
/dev/thermal(/.*)? u:object_r:thermal_link_device:s0

19
sepolicy/vendor/genfs_contexts vendored
View File

@ -1,26 +1,15 @@
# DSP
genfscon sysfs /kernel/boot_cdsp/boot u:object_r:sysfs_msm_boot:s0
# Display
genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq u:object_r:sysfs_msm_subsys:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0
# Health
genfscon sysfs /class/power_supply/battery/capacity u:object_r:vendor_sysfs_battery_supply:s0
genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0
genfscon sysfs /class/power_supply/battery/capacity u:object_r:vendor_sysfs_battery_supply:s0
genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0
# LED
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d000/leds/white u:object_r:sysfs_leds:s0
# Touchpanel
genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
# Wakeup source stats
genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0

14
sepolicy/vendor/hal_audio_default.te vendored
View File

@ -1,14 +0,0 @@
# For interfacing with PowerHAL
hal_client_domain(hal_audio_default, hal_power)
# Allow hal_audio_default to read vendor_persist_audio_file
r_dir_file(hal_audio_default, vendor_persist_audio_file)
r_dir_file(hal_audio_default, sysfs)
binder_call(hal_audio_default, system_suspend_server)
set_prop(hal_audio_default, vendor_audio_prop)
allow hal_audio_default audio_socket:sock_file rw_file_perms;
allow hal_audio_default system_suspend_hwservice:hwservice_manager find;

2
sepolicy/vendor/hal_bluetooth_default.te vendored
View File

@ -1,2 +0,0 @@
# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)

17
sepolicy/vendor/hal_camera_default.te vendored
View File

@ -1,19 +1,4 @@
# For interfacing with PowerHAL
hal_client_domain(hal_camera_default, hal_power)
# Allow hal_camera_default to read to vendor_sysfs_kgsl
r_dir_file(hal_camera_default, vendor_sysfs_kgsl)
allow hal_camera_default mnt_vendor_file:dir search;
# Allow hal_camera_default to read to mnt/vendor/persist/camera
r_dir_file(hal_camera_default, camera_persist_file)
r_dir_file(hal_camera_default, mnt_vendor_file)
r_dir_file(hal_camera_default, vendor_persist_sensors_file)
allow hal_camera_default proc_stat:file read;
set_prop(hal_camera_default, vendor_camera_prop)
allow hal_camera_default socket_device:sock_file write;
allow hal_camera_default proc_stat:file { open };
allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;

11
sepolicy/vendor/hal_fingerprint_default.te vendored
View File

@ -12,22 +12,13 @@ allow hal_fingerprint_default {
allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_default {
input_device
vendor_sysfs_graphics
sysfs_msm_subsys
}: dir r_dir_perms;
allow hal_fingerprint_default input_device:dir r_dir_perms;
allow hal_fingerprint_default {
vendor_sysfs_fingerprint
vendor_sysfs_fps_attr
vendor_sysfs_graphics
sysfs_msm_subsys
}: file rw_file_perms;
r_dir_file(hal_fingerprint_default, firmware_file)
set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
allow hal_fingerprint_default vendor_sysfs_spss:dir { search };
allow hal_fingerprint_default vendor_sysfs_spss:file { open read };

2
sepolicy/vendor/hal_health_default.te vendored
View File

@ -1,2 +0,0 @@
allow hal_health_default sysfs_wakeup:dir r_dir_perms;
allow hal_health_default sysfs_wakeup:file r_file_perms;

1
sepolicy/vendor/hal_neuralnetworks_default.te vendored
View File

@ -1 +0,0 @@
get_prop(vendor_hal_neuralnetworks_default, vendor_adsprpc_prop)

20
sepolicy/vendor/hal_power_default.te vendored
View File

@ -1,34 +1,16 @@
# Allow hal_power_default to write to dt2w nodes
allow hal_power_default input_device:dir r_dir_perms;
allow hal_power_default input_device:chr_file rw_file_perms;
r_dir_file(hal_power_default, input_device)
allow hal_power_default {
vendor_sysfs_devfreq
sysfs_msm_subsys
sysfs_touchpanel
}:dir search;
allow hal_power_default {
cgroup
proc
vendor_sysfs_devfreq
sysfs_devices_system_cpu
vendor_sysfs_graphics
vendor_sysfs_kgsl
sysfs_msm_subsys
sysfs_touchpanel
vendor_sysfs_scsi_host
}:{
file
lnk_file
} rw_file_perms;
allow hal_power_default vendor_latency_device:chr_file rw_file_perms;
# Rule for hal_power_default to access graphics composer process
unix_socket_connect(hal_power_default, vendor_pps, hal_graphics_composer_default);
}:file rw_file_perms;
# To get/set powerhal state property
set_prop(hal_power_default, vendor_power_prop)

2
sepolicy/vendor/hal_power_stats_default.te vendored
View File

@ -1,2 +0,0 @@
allow hal_power_stats_default vendor_sysfs_iio:dir r_dir_perms;
allow hal_power_stats_default vendor_sysfs_iio:file r_file_perms;

9
sepolicy/vendor/hal_sensors_default.te vendored
View File

@ -1,9 +0,0 @@
unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
allow hal_sensors_default audio_socket:sock_file rw_file_perms;
allow hal_sensors_default socket_device:sock_file rw_file_perms;
allow hal_sensors_default iio_device:chr_file rw_file_perms;
allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
get_prop(hal_sensors_default, vendor_adsprpc_prop)

2
sepolicy/vendor/hal_thermal_default.te vendored
View File

@ -6,6 +6,6 @@ allow hal_thermal_default proc_stat:file r_file_perms;
allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
hal_client_domain(hal_thermal_default, hal_power);
hal_client_domain(hal_thermal_default, hal_power)
get_prop(hal_thermal_default, vendor_thermal_prop)

1
sepolicy/vendor/init.te vendored
View File

@ -1 +0,0 @@
allow init same_process_hal_file:file execute;

2
sepolicy/vendor/property.te vendored
View File

@ -2,4 +2,4 @@ vendor_internal_prop(vendor_power_prop)
vendor_internal_prop(vendor_thermal_prop)
vendor_restricted_prop(vendor_fingerprint_prop);
vendor_restricted_prop(vendor_fingerprint_prop)

2
sepolicy/vendor/property_contexts vendored
View File

@ -1,7 +1,5 @@
# Camera
persist.vendor.camera.mi.module. u:object_r:vendor_camera_prop:s0
vendor.camera. u:object_r:vendor_camera_prop:s0
persist.camera. u:object_r:vendor_camera_prop:s0
# Fingerprint
persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0

1
sepolicy/vendor/radio.te vendored
View File

@ -1 +0,0 @@
get_prop(radio, vendor_audio_prop)

2
sepolicy/vendor/sensors.te vendored
View File

@ -1,2 +0,0 @@
# Allow sensors to access backlight sysfs state
r_dir_file(vendor_sensors, vendor_sysfs_graphics)

6
sepolicy/vendor/system_app.te vendored
View File

@ -1,6 +0,0 @@
allow system_app vendor_sysfs_battery_supply:dir { search };
allow system_app vendor_sysfs_battery_supply:file { read };
allow system_app vendor_sysfs_battery_supply:file { open };
allow system_app vendor_sysfs_battery_supply:file { getattr };
r_dir_file(system_app, vendor_sysfs_battery_supply)

11
sepolicy/vendor/thermal-engine.te vendored
View File

@ -1,11 +0,0 @@
allow vendor_thermal-engine {
vendor_sysfs_devfreq
sysfs_msm_subsys
}:dir r_dir_perms;
allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms;
# Rule for vendor_thermal-engine to access init process
unix_socket_connect(vendor_thermal-engine, property, init);
set_prop(vendor_thermal-engine, vendor_thermal_prop)

1
sepolicy/vendor/uevent.te vendored
View File

@ -1 +0,0 @@
allow ueventd self:capability sys_nice;

1
sepolicy/vendor/vendor_hal_perf_default.te vendored
View File

@ -1 +0,0 @@
allow vendor_hal_perf_default sysfs_msm_subsys:dir search;

15
sepolicy/vendor/vendor_init.te vendored
View File

@ -1,16 +1,3 @@
set_prop(vendor_init, vendor_power_prop)
set_prop(vendor_init, vendor_alarm_boot_prop)
set_prop(vendor_init, vendor_video_prop)
allow vendor_init {
proc_dirty
proc
}:file w_file_perms;
allow vendor_init block_device:lnk_file setattr;
allow vendor_init vendor_camera_prop:property_service set;
allow vendor_init input_device:chr_file { create setattr unlink rw_file_perms };
allow vendor_init thermal_link_device:dir r_dir_perms;
allow vendor_init thermal_link_device:lnk_file r_file_perms;
allow vendor_init proc_dirty:file w_file_perms;

4
sepolicy/vendor/vendor_qti_init_shell.te vendored
View File

@ -1,4 +0,0 @@
allow vendor_qti_init_shell configfs:dir rw_dir_perms;
allow vendor_qti_init_shell configfs:file create_file_perms;
allow vendor_qti_init_shell ctl_stop_prop:property_service set;
allow vendor_qti_init_shell sysfs_wakeup:file setattr;