diff --git a/BoardConfig.mk b/BoardConfig.mk
index 94e4afc..da8d932 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -176,7 +176,6 @@ VENDOR_SECURITY_PATCH := 2022-06-05
 # Sepolicy
 include device/qcom/sepolicy_vndr-legacy-um/SEPolicy.mk
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
 BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
 # Verified Boot
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
deleted file mode 100644
index c847b7e..0000000
--- a/sepolicy/private/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# WiFi Display
-persist.vendor.setWFDInfo. u:object_r:vendor_wfd_sys_debug_prop:s0
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
deleted file mode 100644
index 0071ee2..0000000
--- a/sepolicy/private/system_server.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(system_server, vendor_wfd_sys_debug_prop)
diff --git a/sepolicy/private/vendor_wfd_app.te b/sepolicy/private/vendor_wfd_app.te
deleted file mode 100644
index 4e78cfb..0000000
--- a/sepolicy/private/vendor_wfd_app.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(vendor_wfd_app, vendor_wfd_sys_debug_prop)
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te
deleted file mode 100644
index 58fe3e7..0000000
--- a/sepolicy/vendor/adsprpcd.te
+++ /dev/null
@@ -1 +0,0 @@
-r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 23e2e3d..016405a 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,4 +1,2 @@
-allow { appdomain -isolated_app } vendor_xdsp_device:chr_file r_file_perms;
-
 get_prop({ appdomain -isolated_app }, vendor_fingerprint_prop)
 get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index ddec8cd..051a57a 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,17 +1,9 @@
-type audio_socket, file_type;
-
 type camera_persist_file, file_type, vendor_persist_type;
 type fingerprint_data_file, data_file_type, core_data_file_type, file_type;
 type persist_subsys_file, vendor_persist_type, file_type;
-type sysfs_msm_boot, fs_type, sysfs_type;
-
-type sysfs_msm_subsys, sysfs_type, fs_type;
-
 type thermal_link_device, dev_type;
 type sysfs_touchpanel, fs_type, sysfs_type;
-
-type vendor_sysfs_iio, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index b96736a..996aa2c 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,40 +1,32 @@
-# Audio
-/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
-
 # Camera
-/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
 # Charger
-/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
+/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0
 # Fingerprint
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
 # Fingerprint - devices
-/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
 # Fingerprint - data
-/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 # IR
-/dev/spidev0.1 u:object_r:lirc_device:s0
+/dev/spidev0.1 u:object_r:lirc_device:s0
 # Lights
-/vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0
 # Persist subsystem
-/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
+/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0
 # Power
-/vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
-
-# Sys
-/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0
-/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0(/.*)? u:object_r:vendor_sysfs_iio:s0
-/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
+/vendor/bin/hw/android\.hardware\.power-service\.xiaomi-libperfmgr u:object_r:hal_power_default_exec:s0
 # Thermal
-/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
-/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0
-/dev/thermal(/.*)? u:object_r:thermal_link_device:s0
+/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0
+/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0
+/dev/thermal(/.*)? u:object_r:thermal_link_device:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index 2188a78..518e462 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,26 +1,15 @@
-# DSP
-genfscon sysfs /kernel/boot_cdsp/boot u:object_r:sysfs_msm_boot:s0
-
 # Display
-genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display u:object_r:vendor_sysfs_graphics:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0
 # Health
-genfscon sysfs /class/power_supply/battery/capacity u:object_r:vendor_sysfs_battery_supply:s0
-genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /class/power_supply/battery/capacity u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0
 # LED
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d000/leds/white u:object_r:sysfs_leds:s0
 # Touchpanel
-genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
+genfscon sysfs /touchpanel u:object_r:sysfs_touchpanel:s0
 # Wakeup source stats
 genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
deleted file mode 100644
index a981cff..0000000
--- a/sepolicy/vendor/hal_audio_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# For interfacing with PowerHAL
-hal_client_domain(hal_audio_default, hal_power)
-
-# Allow hal_audio_default to read vendor_persist_audio_file
-r_dir_file(hal_audio_default, vendor_persist_audio_file)
-
-r_dir_file(hal_audio_default, sysfs)
-
-binder_call(hal_audio_default, system_suspend_server)
-
-set_prop(hal_audio_default, vendor_audio_prop)
-
-allow hal_audio_default audio_socket:sock_file rw_file_perms;
-allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
deleted file mode 100644
index d63e66c..0000000
--- a/sepolicy/vendor/hal_bluetooth_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file
-r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index b2f6226..eb914ff 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,19 +1,4 @@
-# For interfacing with PowerHAL
-hal_client_domain(hal_camera_default, hal_power)
-
-# Allow hal_camera_default to read to vendor_sysfs_kgsl
-r_dir_file(hal_camera_default, vendor_sysfs_kgsl)
+allow hal_camera_default mnt_vendor_file:dir search;
 # Allow hal_camera_default to read to mnt/vendor/persist/camera
 r_dir_file(hal_camera_default, camera_persist_file)
-r_dir_file(hal_camera_default, mnt_vendor_file)
-r_dir_file(hal_camera_default, vendor_persist_sensors_file)
-
-allow hal_camera_default proc_stat:file read;
-
-set_prop(hal_camera_default, vendor_camera_prop)
-
-allow hal_camera_default socket_device:sock_file write;
-allow hal_camera_default proc_stat:file { open };
-
-allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index c08e947..3ae64c0 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -12,22 +12,13 @@ allow hal_fingerprint_default {
 allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_fingerprint_default {
- input_device
- vendor_sysfs_graphics
- sysfs_msm_subsys
-}: dir r_dir_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
 allow hal_fingerprint_default {
 vendor_sysfs_fingerprint
 vendor_sysfs_fps_attr
- vendor_sysfs_graphics
- sysfs_msm_subsys
 }: file rw_file_perms;
 r_dir_file(hal_fingerprint_default, firmware_file)
 set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
-
-allow hal_fingerprint_default vendor_sysfs_spss:dir { search };
-allow hal_fingerprint_default vendor_sysfs_spss:file { open read };
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
deleted file mode 100644
index 6cecf70..0000000
--- a/sepolicy/vendor/hal_health_default.te
+++ /dev/null
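Review bot: The added `allow hal_camera_default mnt_vendor_file:dir search;` carries no comment, although the rule directly under it is explained, and its only visible purpose is to let the HAL traverse /mnt/vendor to reach persist/camera, which `r_dir_file(hal_camera_default, camera_persist_file)` then covers. Narrowing from the removed `r_dir_file(hal_camera_default, mnt_vendor_file)` down to `search` is the right direction, so I would group the two rules under one comment such as `# search /mnt/vendor only to reach persist/camera; listing /mnt/vendor itself is deliberately not granted` so the next denial does not get "fixed" by widening it back. This hunk also drops `set_prop(hal_camera_default, vendor_camera_prop)` while the commit's property_contexts hunk keeps `vendor.camera.` labeled vendor_camera_prop; if the camera HAL still sets any of those properties that will surface as a property_service denial, so check the audit log on a boot with the new policy before merging.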
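Review bot: The new `allow hal_fingerprint_default input_device:dir r_dir_perms;` lets the HAL list /dev/input, but nothing in this hunk grants a matching `input_device:chr_file` permission, so as written the domain can enumerate input nodes it cannot open; either a chr_file rule lives elsewhere in the file, or the dir rule is a leftover from the removed rules and can go as well — `audit2allow` on a boot with the new policy will settle which. If it stays, a one-line comment naming the input node the fingerprint HAL is looking for would explain why a biometrics domain needs /dev/input at all. The `allow hal_fingerprint_default {` block named in the hunk header begins before line 12 and is outside this hunk.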
@@ -1,2 +0,0 @@
-allow hal_health_default sysfs_wakeup:dir r_dir_perms;
-allow hal_health_default sysfs_wakeup:file r_file_perms;
diff --git a/sepolicy/vendor/hal_neuralnetworks_default.te b/sepolicy/vendor/hal_neuralnetworks_default.te
deleted file mode 100644
index 2e81a1c..0000000
--- a/sepolicy/vendor/hal_neuralnetworks_default.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(vendor_hal_neuralnetworks_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index 8b29578..468adc2 100644
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -1,34 +1,16 @@
-# Allow hal_power_default to write to dt2w nodes
-allow hal_power_default input_device:dir r_dir_perms;
-allow hal_power_default input_device:chr_file rw_file_perms;
-
-r_dir_file(hal_power_default, input_device)
-
 allow hal_power_default {
 vendor_sysfs_devfreq
- sysfs_msm_subsys
 sysfs_touchpanel
 }:dir search;
 allow hal_power_default {
- cgroup
- proc
 vendor_sysfs_devfreq
 sysfs_devices_system_cpu
 vendor_sysfs_graphics
 vendor_sysfs_kgsl
- sysfs_msm_subsys
 sysfs_touchpanel
 vendor_sysfs_scsi_host
-}:{
- file
- lnk_file
-} rw_file_perms;
-
-allow hal_power_default vendor_latency_device:chr_file rw_file_perms;
-
-# Rule for hal_power_default to access graphics composer process
-unix_socket_connect(hal_power_default, vendor_pps, hal_graphics_composer_default);
+}:file rw_file_perms;
 # To get/set powerhal state property
 set_prop(hal_power_default, vendor_power_prop)
diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
deleted file mode 100644
index 3ccdf89..0000000
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_power_stats_default vendor_sysfs_iio:dir r_dir_perms;
-allow hal_power_stats_default vendor_sysfs_iio:file r_file_perms;
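Review bot: The new `}:file rw_file_perms;` keeps `vendor_sysfs_graphics` in the writable set, but this commit's genfs_contexts hunk removes the `soc:qcom,dsi-display` mapping and leaves only `ae00000.qcom,mdss_mdp/idle_state` under that label in this device's policy, so any display node libperfmgr used to reach through the dsi-display path will now carry the generic `sysfs` label and be denied unless that labeling moved to a shared policy. The replaced rule also covered `lnk_file`; devfreq and cpu sysfs entries are often reached through symlinks, and if any path in the HAL's hint config (presumably the JSON libperfmgr reads) goes through one, a `lnk_file read` on the symlink's label is still required. Both are cheap to confirm by booting the new policy and filtering the audit log for hal_power_default, and a comment above the rule naming which config paths these labels cover would make the next trim safer.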
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
deleted file mode 100644
index 028f3c6..0000000
--- a/sepolicy/vendor/hal_sensors_default.te
+++ /dev/null
@@ -1,9 +0,0 @@
-unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
-
-allow hal_sensors_default audio_socket:sock_file rw_file_perms;
-allow hal_sensors_default socket_device:sock_file rw_file_perms;
-allow hal_sensors_default iio_device:chr_file rw_file_perms;
-allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
-allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
-
-get_prop(hal_sensors_default, vendor_adsprpc_prop)
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
index 42ce07e..5302156 100644
--- a/sepolicy/vendor/hal_thermal_default.te
+++ b/sepolicy/vendor/hal_thermal_default.te
@@ -6,6 +6,6 @@ allow hal_thermal_default proc_stat:file r_file_perms;
 allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-hal_client_domain(hal_thermal_default, hal_power);
+hal_client_domain(hal_thermal_default, hal_power)
 get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
deleted file mode 100644
index a49844e..0000000
--- a/sepolicy/vendor/init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow init same_process_hal_file:file execute;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index d16a64a..40e2e7e 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -2,4 +2,4 @@ vendor_internal_prop(vendor_power_prop)
 vendor_internal_prop(vendor_thermal_prop)
-vendor_restricted_prop(vendor_fingerprint_prop);
+vendor_restricted_prop(vendor_fingerprint_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 0ec0083..e406adf 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,7 +1,5 @@
 # Camera
-persist.vendor.camera.mi.module. u:object_r:vendor_camera_prop:s0
 vendor.camera. u:object_r:vendor_camera_prop:s0
-persist.camera. u:object_r:vendor_camera_prop:s0
 # Fingerprint
 persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
deleted file mode 100644
index 4670c6a..0000000
--- a/sepolicy/vendor/radio.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(radio, vendor_audio_prop)
diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te
deleted file mode 100644
index 2dc5c72..0000000
--- a/sepolicy/vendor/sensors.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow sensors to access backlight sysfs state
-r_dir_file(vendor_sensors, vendor_sysfs_graphics)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
deleted file mode 100644
index 2c1079d..0000000
--- a/sepolicy/vendor/system_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow system_app vendor_sysfs_battery_supply:dir { search };
-allow system_app vendor_sysfs_battery_supply:file { read };
-allow system_app vendor_sysfs_battery_supply:file { open };
-allow system_app vendor_sysfs_battery_supply:file { getattr };
-
-r_dir_file(system_app, vendor_sysfs_battery_supply)
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
deleted file mode 100644
index 3f87c39..0000000
--- a/sepolicy/vendor/thermal-engine.te
+++ /dev/null
@@ -1,11 +0,0 @@
-allow vendor_thermal-engine {
- vendor_sysfs_devfreq
- sysfs_msm_subsys
-}:dir r_dir_perms;
-
-allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms;
-
-# Rule for vendor_thermal-engine to access init process
-unix_socket_connect(vendor_thermal-engine, property, init);
-
-set_prop(vendor_thermal-engine, vendor_thermal_prop)
diff --git a/sepolicy/vendor/uevent.te b/sepolicy/vendor/uevent.te
deleted file mode 100644
index ae98f62..0000000
--- a/sepolicy/vendor/uevent.te
+++ /dev/null
@@ -1 +0,0 @@
-allow ueventd self:capability sys_nice;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
deleted file mode 100644
index aa21090..0000000
--- a/sepolicy/vendor/vendor_hal_perf_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vendor_hal_perf_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 2553fc4..556b994 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,16 +1,3 @@
 set_prop(vendor_init, vendor_power_prop)
-set_prop(vendor_init, vendor_alarm_boot_prop)
-set_prop(vendor_init, vendor_video_prop)
-allow vendor_init {
- proc_dirty
- proc
-}:file w_file_perms;
-
-allow vendor_init block_device:lnk_file setattr;
-allow vendor_init vendor_camera_prop:property_service set;
-
-allow vendor_init input_device:chr_file { create setattr unlink rw_file_perms };
-
-allow vendor_init thermal_link_device:dir r_dir_perms;
-allow vendor_init thermal_link_device:lnk_file r_file_perms;
+allow vendor_init proc_dirty:file w_file_perms;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
deleted file mode 100644
index d5bb7ed..0000000
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow vendor_qti_init_shell configfs:dir rw_dir_perms;
-allow vendor_qti_init_shell configfs:file create_file_perms;
-allow vendor_qti_init_shell ctl_stop_prop:property_service set;
-allow vendor_qti_init_shell sysfs_wakeup:file setattr;
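Review bot: The new `allow vendor_init proc_dirty:file w_file_perms;` is a sound narrowing from the removed `{ proc_dirty proc }` rule, but `w_file_perms` expands to more than open and write (the platform macro also carries append, lock and map, as far as I recall its definition), and writing a /proc/sys/vm tunable needs only `{ open write }`; I would tighten it to `allow vendor_init proc_dirty:file { open write };` and add a comment naming the init.rc line that writes the dirty_* sysctls so the reason survives the next cleanup. This hunk also drops `allow vendor_init vendor_camera_prop:property_service set;` while `vendor.camera.` remains labeled vendor_camera_prop in the commit's property_contexts hunk, so any vendor init.rc that still sets a vendor.camera.* property at boot will now be denied — worth a boot-log check before merging.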