diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index a313d96..8b72c33 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -72,7 +72,6 @@ BOARD_MKBOOTIMG_INIT_ARGS += --header_version $(BOARD_INIT_BOOT_HEADER_VERSION) BOARD_BOOTCONFIG := \ androidboot.hardware=qcom \ androidboot.memcg=1 \ - androidboot.selinux=permissive \ androidboot.usbcontroller=a600000.dwc3 BOARD_KERNEL_CMDLINE := \ @@ -167,6 +166,9 @@ VENDOR_SECURITY_PATCH := $(BOOT_SECURITY_PATCH) # SEPolicy include device/qcom/sepolicy_vndr/SEPolicy.mk include device/lineage/sepolicy/libperfmgr/sepolicy.mk +BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor +PRODUCT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private +PRODUCT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public # Verified Boot BOARD_AVB_ENABLE := true diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts new file mode 100644 index 0000000..a405573 --- /dev/null +++ b/sepolicy/private/property_contexts @@ -0,0 +1,30 @@ +# Camera +service.camera. u:object_r:sec_camera_prop:s0 + +# CSC +persist.sys.omcnw_path u:object_r:exported_config_prop:s0 +persist.sys.omcnw_path2 u:object_r:exported_config_prop:s0 +ro.omc.region u:object_r:exported_config_prop:s0 +ro.csc. u:object_r:exported_config_prop:s0 +mdc. u:object_r:exported_config_prop:s0 + +# Hermesd +security.securehw. u:object_r:vendor_securehw_prop:s0 +security.securenvm.available u:object_r:vendor_securenvm_prop:s0 + +# Product +ro.product_ship u:object_r:product_ship_prop:s0 + +# Radio +persist.ril. u:object_r:radio_prop:s0 +ro.multisim. u:object_r:radio_prop:s0 +ril.NwNmId u:object_r:telephony_config_prop:s0 +ril.NwNmId2 u:object_r:telephony_config_prop:s0 +ro.simbased.changetype u:object_r:telephony_config_prop:s0 + +# Sensor +persist.dm.passive. u:object_r:system_sensor_prop:s0 +ro.factory.sensor. u:object_r:exported_system_prop:s0 + +# Thermal +dev.sdhms.thermal.hv u:object_r:exported_system_prop:s0 diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te new file mode 100644 index 0000000..0286bfb --- /dev/null +++ b/sepolicy/public/property.te @@ -0,0 +1,5 @@ +system_public_prop(sec_camera_prop) +system_public_prop(system_sensor_prop) +system_public_prop(product_ship_prop) +vendor_restricted_prop(vendor_securehw_prop) +vendor_restricted_prop(vendor_securenvm_prop) diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes new file mode 100644 index 0000000..095037f --- /dev/null +++ b/sepolicy/vendor/attributes @@ -0,0 +1,4 @@ +# Hyper +attribute hal_hyper; +attribute hal_hyper_server; +attribute hal_hyper_client; diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te new file mode 100644 index 0000000..e4b6c59 --- /dev/null +++ b/sepolicy/vendor/cameraserver.te @@ -0,0 +1,2 @@ +# Allow cameraserver to call hal_thermal_default +binder_call(cameraserver, hal_thermal_default) diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te new file mode 100644 index 0000000..8a0db3d --- /dev/null +++ b/sepolicy/vendor/device.te @@ -0,0 +1,12 @@ +# Block Device +type carrier_block_device, dev_type; +type dsp_block_device, dev_type; +type efs_block_device, dev_type; +type omr_block_device, dev_type; +type sec_efs_block_device, dev_type; + +# Hermesd Device +type k250a_device, dev_type; + +# Radio Device +type drb_device, dev_type; diff --git a/sepolicy/vendor/factory_ssc.te b/sepolicy/vendor/factory_ssc.te new file mode 100644 index 0000000..03b7ace --- /dev/null +++ b/sepolicy/vendor/factory_ssc.te @@ -0,0 +1,19 @@ +type factory_ssc, domain; +type factory_ssc_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(factory_ssc) + +allow factory_ssc self:netlink_socket { bind create read write }; +allow factory_ssc factory_ssc:qipcrtr_socket create_socket_perms_no_ioctl; +allow factory_ssc property_socket:sock_file { append getattr ioctl read write }; + +# Allow factory_ssc to read/write app_efs_file +allow factory_ssc app_efs_file:dir create_dir_perms; +allow factory_ssc app_efs_file:file create_file_perms; + +# Allow factory_ssc to read/write efs_file +allow factory_ssc efs_file:dir create_dir_perms; +allow factory_ssc efs_file:file create_file_perms; + +# Allow factory_ssc to read sec_efs_file +allow factory_ssc sec_efs_file:dir r_dir_perms; diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te new file mode 100644 index 0000000..4d897e3 --- /dev/null +++ b/sepolicy/vendor/file.te @@ -0,0 +1,52 @@ +# Audio +type vendor_sysfs_cirrus_cal, fs_type, sysfs_type; + +# Battery +type vendor_sysfs_battery, fs_type, sysfs_type; + +# Blutooth +type vendor_convergence_data_file, file_type, data_file_type; + +# Camera +type vendor_sysfs_camera_writable, fs_type, sysfs_type; + +# EFS +type app_efs_file, file_type; +type battery_efs_file, file_type; +type camera_efs_file, file_type; +type dak_efs_file, file_type; +type imei_efs_file, file_type; +type sec_efs_file, file_type; +type tee_efs_file, file_type; + +# Fingerprint +type vendor_biometrics_data_file, file_type, data_file_type; + +# Gatekeeper +type vendor_gatekeeper_data_file, file_type, data_file_type; + +# Input +type proc_bus_input, fs_type, proc_type; +type vendor_sysfs_input, fs_type, sysfs_type; + +# Proc +type proc_simslot_count, fs_type, proc_type; + +# Qms +type vendor_qms_config_data_file, file_type, data_file_type; +type vendor_qms_main_data_file, file_type, data_file_type; +type vendor_qms_other_data_file, file_type, data_file_type; + +# Sensor +type vendor_sysfs_sensors_writable, fs_type, sysfs_type; + +# Thermal +type vendor_sysfs_thermal, fs_type, sysfs_type; + +# Touchscreen +type vendor_sysfs_touchscreen, fs_type, sysfs_type; +type vendor_sysfs_touchscreen_writable, fs_type, sysfs_type; + +# Vibrator +type vendor_sysfs_vib_support, fs_type, sysfs_type; +type vendor_sysfs_vib_writable, fs_type, sysfs_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts new file mode 100644 index 0000000..fdfaa07 --- /dev/null +++ b/sepolicy/vendor/file_contexts @@ -0,0 +1,85 @@ +# efs files +/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 +/efs/DAK(/.*)? u:object_r:dak_efs_file:s0 +/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0 +/efs/afc(/.*)? u:object_r:sec_efs_file:s0 +/efs/biometrics(/.*)? u:object_r:sec_efs_file:s0 +/efs/cirrus(/.*)? u:object_r:sec_efs_file:s0 +/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +/efs/recovery(/.*)? u:object_r:sec_efs_file:s0 +/efs/sec_efs(/.*)? u:object_r:sec_efs_file:s0 +/efs/usb_hw_param(/.*)? u:object_r:sec_efs_file:s0 + +# mnt/efs files +/mnt/vendor/efs(/.*)? u:object_r:sec_efs_file:s0 +/mnt/vendor/efs/DAK(/.*)? u:object_r:dak_efs_file:s0 +/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/mnt/vendor/efs/camera(/.*)? u:object_r:camera_efs_file:s0 +/mnt/vendor/efs/prov(/.*)? u:object_r:dak_efs_file:s0 +/mnt/vendor/efs/prov_data(/.*)? u:object_r:dak_efs_file:s0 +/mnt/vendor/efs/tee(/.*)? u:object_r:tee_efs_file:s0 + +# Convergence data +/data/vendor/conn(/.*)? u:object_r:vendor_convergence_data_file:s0 + +# Fingerprint data +/data/vendor/biometrics(/.*)? u:object_r:vendor_biometrics_data_file:s0 + +# Firmware +/odm/firmware(/.*)? u:object_r:vendor_firmware_file:s0 + +# Gatekeeper data +/data/vendor/gatekeeper(/.*)? u:object_r:vendor_gatekeeper_data_file:s0 + +# Hermesd device +/dev/k250a u:object_r:k250a_device:s0 + +# NFC device +/dev/pn547 u:object_r:nfc_device:s0 + +# Qms logs +/data/vendor/qms_logs/config(/.*)? u:object_r:vendor_qms_config_data_file:s0 +/data/vendor/qms_logs/main(/.*)? u:object_r:vendor_qms_main_data_file:s0 +/data/vendor/qms_logs/other(/.*)? u:object_r:vendor_qms_other_data_file:s0 + +# Radio device +/dev/drb u:object_r:drb_device:s0 + +# Secradio data +/data/vendor/secradio(/.*)? u:object_r:vendor_radio_vendor_data_file:s0 + +# Secure Element device +/dev/p61 u:object_r:secure_element_device:s0 + +# Serial device +/dev/ttyGS[0-9]* u:object_r:serial_device:s0 +/dev/ttyHS[0-9]* u:object_r:serial_device:s0 + +# Touchscreen +/sys/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi[0-9]/spi[0-9].[0-9]/input/input[0-9]/enabled u:object_r:vendor_sysfs_touchscreen_writable:s0 + +# UFS Devices +/dev/block/platform/soc/1d84000.ufshc/by-name/bluetooth u:object_r:vendor_modem_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/carrier u:object_r:carrier_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/dsp u:object_r:dsp_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/dtbo u:object_r:dtbo_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/modem u:object_r:vendor_modem_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/omr u:object_r:omr_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/persistent u:object_r:frp_block_device:s0 +/dev/block/platform/soc/1d84000.ufshc/by-name/sec_efs u:object_r:sec_efs_block_device:s0 + +# Vendor +/(vendor|system/vendor)/bin/factory\.ssc u:object_r:factory_ssc_exec:s0 +/(vendor|system/vendor)/bin/hermesd u:object_r:hermesd_exec:s0 +/(vendor|system/vendor)/bin/hw/android.hardware.sensors-service.samsung-multihal u:object_r:hal_sensors_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint(@[0-9].[0-9])?-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/nxp\.android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/sehradiomanager u:object_r:sehradiomanager_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.camera\.provider-service_64 u:object_r:hal_camera_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.health-service u:object_r:hal_health_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.hyper-service u:object_r:hal_hyper_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.thermal@1\.0-service u:object_r:hal_thermal_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.vibrator-service u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/secril_config_svc u:object_r:vendor_secril_config_svc_exec:s0 diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te new file mode 100644 index 0000000..20c81fc --- /dev/null +++ b/sepolicy/vendor/fsck.te @@ -0,0 +1,7 @@ +allow fsck self:capability kill; + +allow fsck { + efs_block_device + sec_efs_block_device + carrier_block_device +}:blk_file rw_file_perms; diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts new file mode 100644 index 0000000..a82a38f --- /dev/null +++ b/sepolicy/vendor/genfs_contexts @@ -0,0 +1,88 @@ +# Proc +genfscon proc "/simslot_count" u:object_r:proc_simslot_count:s0 + +# Audio +genfscon sysfs "/devices/virtual/cirrus/cirrus_bd" u:object_r:vendor_sysfs_cirrus_cal:s0 +genfscon sysfs "/devices/virtual/cirrus/cirrus_cal" u:object_r:vendor_sysfs_cirrus_cal:s0 + +# Battery +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/battery/batt_factory_mode" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/power_supply/sec-direct-charger" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/power_supply/mfc-charger" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/power_supply/pca9481-charger" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-charger" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-otg" u:object_r:vendor_sysfs_battery:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/power_supply/max77705-fuelgauge" u:object_r:vendor_sysfs_battery:s0 + +# Camera +genfscon sysfs "/devices/virtual/camera" u:object_r:vendor_sysfs_camera:s0 +genfscon sysfs "/devices/virtual/camera/flash/rear_flash" u:object_r:vendor_sysfs_camera_writable:s0 +genfscon sysfs "/devices/virtual/camera/rear/ssrm_camera_info" u:object_r:vendor_sysfs_camera_writable:s0 + +# Input +genfscon proc "/bus/input/devices" u:object_r:proc_bus_input:s0 +genfscon sysfs "/class/input" u:object_r:vendor_sysfs_input:s0 +genfscon sysfs "/devices/virtual/input" u:object_r:vendor_sysfs_input:s0 + +# Wakeup +genfscon sysfs "/devices/platform/i2c@31/i2c-31/31-0059/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/i2c@33/i2c-33/33-0028/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/ac/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/battery/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/otg/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/pogo/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/usb/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/power_supply/wireless/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:battery/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:hall_ic/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/power_supply/sec-direct-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/samsung_mobile_device/samsung_mobile_device:sec-direct-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/mhi_1103_00.01.00/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/power_supply/mfc-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/994000.i2c/i2c-36/36-005b/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/998000.i2c/i2c-18/18-0040/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/998000.i2c/i2c-18/18-0041/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/power_supply/pca9481-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0057/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/power_supply/max77705-otg/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-charger/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/power_supply/max77705-fuelgauge/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-fuelgauge/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/max77705-usbc/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/9c0000.qcom,qupv3_i2c_geni_se/9a0000.i2c/i2c-37/37-0066/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi0/spi0.0/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/ac0000.qcom,qupv3_1_geni_se/a90000.spi/spi_master/spi1/spi1.0/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/ae90000.qcom,dp_display/wakeup" u:object_r:sysfs_wakeup:s0 +genfscon sysfs "/devices/platform/soc/soc:qcom,qbt2000/wakeup" u:object_r:sysfs_wakeup:s0 + +# Sensor +genfscon sysfs "/devices/virtual/sensor_event" u:object_r:vendor_sysfs_sensors:s0 +genfscon sysfs "/devices/virtual/sensors" u:object_r:vendor_sysfs_sensors:s0 +genfscon sysfs "/devices/virtual/sensors/flip_cover_detector_sensor/factory_cover_status" u:object_r:vendor_sysfs_sensors_writable:s0 +genfscon sysfs "/devices/virtual/sensors/flip_cover_detector_sensor/nfc_cover_status" u:object_r:vendor_sysfs_sensors_writable:s0 + +# Hall +genfscon sysfs "/devices/virtual/sec/hall_ic/hall_detect" u:object_r:vendor_sysfs_sensors_writable:s0 + +# Thermal +genfscon sysfs "/devices/virtual/audio/amp" u:object_r:vendor_sysfs_thermal:s0 +genfscon sysfs "/devices/virtual/sec/sec-ap-thermistor" u:object_r:vendor_sysfs_thermal:s0 +genfscon sysfs "/devices/virtual/sec/sec-cf-thermistor" u:object_r:vendor_sysfs_thermal:s0 +genfscon sysfs "/devices/virtual/sec/sec-cp-thermistor" u:object_r:vendor_sysfs_thermal:s0 +genfscon sysfs "/devices/virtual/sec/sec-pa-thermistor" u:object_r:vendor_sysfs_thermal:s0 +genfscon sysfs "/devices/virtual/sec/sec-wf-thermistor" u:object_r:vendor_sysfs_thermal:s0 + +# Touchscreen +genfscon sysfs "/class/sec/tsp" u:object_r:vendor_sysfs_touchscreen:s0 +genfscon sysfs "/class/sec/tsp/input/enabled" u:object_r:vendor_sysfs_touchscreen_writable:s0 +genfscon sysfs "/devices/virtual/sec/tsp" u:object_r:vendor_sysfs_touchscreen:s0 +genfscon sysfs "/devices/virtual/sec/tsp/cmd" u:object_r:vendor_sysfs_touchscreen_writable:s0 +genfscon sysfs "/devices/virtual/sec/tsp/ear_detect_enable" u:object_r:vendor_sysfs_touchscreen_writable:s0 +genfscon sysfs "/devices/virtual/sec/tsp/input/enabled" u:object_r:vendor_sysfs_touchscreen_writable:s0 +genfscon sysfs "/devices/virtual/sec/tsp/prox_power_off" u:object_r:vendor_sysfs_touchscreen_writable:s0 + +# Vibrator +genfscon sysfs "/devices/virtual/sec_vib_inputff/control/use_sep_index" u:object_r:vendor_sysfs_vib_writable:s0 +genfscon sysfs "/devices/virtual/vib_info_class/vib_support_info/functions" u:object_r:vendor_sysfs_vib_support:s0 diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te new file mode 100644 index 0000000..80d5d20 --- /dev/null +++ b/sepolicy/vendor/hal_audio_default.te @@ -0,0 +1,20 @@ +# Allow audio HAL to read sec_efs_file +r_dir_file(hal_audio_default, sec_efs_file) + +# Allow audio HAL to read imei_efs_file +r_dir_file(hal_audio_default, imei_efs_file) + +# Allow audio HAL to search efs_file +allow hal_audio_default efs_file:dir search; + +# Allow audio HAL to read/write vendor_sysfs_cirrus_cal +allow hal_audio_default vendor_sysfs_cirrus_cal:dir r_dir_perms; +allow hal_audio_default vendor_sysfs_cirrus_cal:file rw_file_perms; + +# Allow audio HAL to read vendor_radio_prop +get_prop(hal_audio_default, vendor_radio_prop) + +# Allow audio HAL to access hal_bluetooth_a2dp_hwservice +allow hal_audio_default hal_bluetooth_a2dp_hwservice:hwservice_manager find; + +dontaudit hal_audio_default default_prop:file { read open getattr map }; diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te new file mode 100644 index 0000000..e99f564 --- /dev/null +++ b/sepolicy/vendor/hal_bluetooth_default.te @@ -0,0 +1,25 @@ +# Allow bluetooth HAL to create bluetooth_efs_file +allow hal_bluetooth_default bluetooth_efs_file:dir create_dir_perms; +allow hal_bluetooth_default bluetooth_efs_file:file create_file_perms; + +# Allow bluetooth HAL to read app_efs_file +r_dir_file(hal_bluetooth_default, app_efs_file) + +# Allow bluetooth HAL to search sec_efs_file +allow hal_bluetooth_default sec_efs_file:dir search; + +# Allow bluetooth HAL to read/write serial device +allow hal_bluetooth_default serial_device:chr_file rw_file_perms; + +# Allow bluetooth HAL to read vendor_convergence_data_file +r_dir_file(hal_bluetooth_default, vendor_convergence_data_file) + +# Allow bluetooth HAL to write vendor_convergence_data_file +allow hal_bluetooth_default vendor_convergence_data_file:file rw_file_perms; + +# Allow bluetooth HAL to read /mnt/vendor/ +r_dir_file(hal_bluetooth_default, mnt_vendor_file) + +# Allow bluetooth HAL to write bluetooth properties +set_prop(hal_bluetooth_default, bluetooth_a2dp_offload_prop) +set_prop(hal_bluetooth_default, vendor_bluetooth_prop) diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te new file mode 100644 index 0000000..cde53b5 --- /dev/null +++ b/sepolicy/vendor/hal_camera_default.te @@ -0,0 +1,34 @@ +# Allow camera HAL to read app_efs_file +r_dir_file(hal_camera_default, app_efs_file) + +# Allow camera HAL to read efs_file +r_dir_file(hal_camera_default, efs_file) + +# Allow camera HAL to read/write camera_efs_file +allow hal_camera_default camera_efs_file:dir create_dir_perms; +allow hal_camera_default camera_efs_file:file create_file_perms; + +# Allow camera HAL to read vendor_sysfs_camera +r_dir_file(hal_camera_default, vendor_sysfs_camera) + +# Allow camera HAL to write vendor_sysfs_camera_writable +allow hal_camera_default vendor_sysfs_camera_writable:file rw_file_perms; + +# Allow camera HAL to read /mnt/vendor/ +r_dir_file(hal_camera_default, mnt_vendor_file) + +# Allow camera HAL to read vendor_sysfs_sensors +r_dir_file(hal_camera_default, vendor_sysfs_sensors) + +# Allow camera HAL to read proc_meminfo +allow hal_camera_default proc_meminfo:file r_file_perms; + +hal_client_domain(hal_camera_default, hal_hyper) +hal_client_domain(hal_camera_default, hal_thermal) + +get_prop(hal_camera_default, sec_camera_prop) +set_prop(hal_camera_default, sec_camera_prop) + +allow hal_camera_default system_server:binder call; + +allow hal_camera_default rild:unix_stream_socket connectto; diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te new file mode 100644 index 0000000..2736d9e --- /dev/null +++ b/sepolicy/vendor/hal_fingerprint_default.te @@ -0,0 +1,24 @@ +# Allow fingerprint HAL to read efs_file +r_dir_file(hal_fingerprint_default, efs_file) + +# Allow fingerprint HAL to read sec_efs_file +allow hal_fingerprint_default sec_efs_file:dir create_dir_perms; +allow hal_fingerprint_default sec_efs_file:file create_file_perms; + +# Allow fingerprint HAL to access qbt device +allow hal_fingerprint_default vendor_qbt_device:chr_file rw_file_perms; + +# Allow fingerprint HAL to access tee device +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file rw_file_perms; +allow hal_fingerprint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file rw_file_perms; + +# Allow fingerprint HAL to search tee_efs_file +allow hal_fingerprint_default tee_efs_file:dir search; + +# Allow fingerprint HAL to read/write vendor_biometrics_data_file +allow hal_fingerprint_default vendor_biometrics_data_file:dir create_dir_perms; +allow hal_fingerprint_default vendor_biometrics_data_file:file create_file_perms; + +# Allow fingerprint HAL to search vendor_sysfs_battery files +allow hal_fingerprint_default vendor_sysfs_battery:dir search; diff --git a/sepolicy/vendor/hal_gatekeeper_default.te b/sepolicy/vendor/hal_gatekeeper_default.te new file mode 100644 index 0000000..06979ea --- /dev/null +++ b/sepolicy/vendor/hal_gatekeeper_default.te @@ -0,0 +1,2 @@ +# Allow gatekeeper HAL to access sqeecom device +allow hal_gatekeeper_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms; diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te new file mode 100644 index 0000000..4078dfc --- /dev/null +++ b/sepolicy/vendor/hal_health_default.te @@ -0,0 +1,22 @@ +# Allow health HAL to read/write app_efs_file +allow hal_health_default app_efs_file:dir rw_dir_perms; +allow hal_health_default app_efs_file:file create_file_perms; + +# Allow health HAL to read/write battery_efs_file +allow hal_health_default battery_efs_file:dir create_dir_perms; +allow hal_health_default battery_efs_file:file create_file_perms; + +# Allow health HAL to search efs_file +allow hal_health_default efs_file:dir search; + +# Allow health HAL to read/write vendor_sysfs_battery +r_dir_file(hal_health_default, vendor_sysfs_battery) +allow hal_health_default vendor_sysfs_battery:file w_file_perms; + +# Allow health HAL to access sysfs wakeup files +allow hal_health_default sysfs_wakeup:dir r_dir_perms; +allow hal_health_default sysfs_wakeup:file r_file_perms; + +# Allow Thermal service to access the health HAL +allow hal_health_default hal_thermal_samsung_hwservice:hwservice_manager find; +binder_call(hal_health_default, hal_thermal_default) diff --git a/sepolicy/vendor/hal_hyper_default.te b/sepolicy/vendor/hal_hyper_default.te new file mode 100644 index 0000000..02f60f8 --- /dev/null +++ b/sepolicy/vendor/hal_hyper_default.te @@ -0,0 +1,15 @@ +type hal_hyper_default, domain; + +hal_server_domain(hal_hyper_default, hal_hyper) + +type hal_hyper_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_hyper_default) + +binder_call(hal_hyper_client, hal_hyper_server) + +add_service(hal_hyper_server, hal_hyper_service) +allow hal_hyper_client hal_hyper_service:service_manager find; + +allow hal_hyper_default servicemanager:binder { call transfer }; + +get_prop(hal_hyper_default, product_ship_prop) diff --git a/sepolicy/vendor/hal_keymint_default.te b/sepolicy/vendor/hal_keymint_default.te new file mode 100644 index 0000000..dd3539e --- /dev/null +++ b/sepolicy/vendor/hal_keymint_default.te @@ -0,0 +1,25 @@ +# Allow keymint HAL to read/write efs_file +allow hal_keymint_default efs_file:dir create_dir_perms; +allow hal_keymint_default efs_file:file create_file_perms; + +# Allow keymint HAL to read/write dak_efs_file +allow hal_keymint_default dak_efs_file:dir create_dir_perms; +allow hal_keymint_default dak_efs_file:file create_file_perms; + +# Allow keymint HAL to read/write sec_efs_file +allow hal_keymint_default sec_efs_file:dir create_dir_perms; +allow hal_keymint_default sec_efs_file:file create_file_perms; + +# Allow keymint HAL to access TZ device +allow hal_keymint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms; +allow hal_keymint_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms; +allow hal_keymint_default vendor_dmabuf_secure_sp_tz_heap_device:chr_file r_file_perms; +allow hal_keymint_default vendor_skp_device:chr_file r_file_perms; +allow hal_keymint_default vendor_spcom_device:chr_file rw_file_perms; +allow hal_keymint_default vendor_spss_utils_device:chr_file rw_file_perms; + +get_prop(hal_keymint_default, vendor_tee_listener_prop) +get_prop(hal_keymint_default, vendor_spcomlib_prop) +allow hal_keymint_default mnt_vendor_file:dir search; + +unix_socket_connect(hal_keymint_default, property, hermesd) diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te new file mode 100644 index 0000000..83334f5 --- /dev/null +++ b/sepolicy/vendor/hal_nfc_default.te @@ -0,0 +1,8 @@ +# Allow vibrator HAL to search sec_efs files +allow hal_nfc_default sec_efs_file:dir search; + +# Allow NFC HAL to use nfc devices +allow hal_nfc_default nfc_device:chr_file rw_file_perms; + +# Allow NFC HAL to read NFC properties +get_prop(hal_nfc_default, vendor_sec_nfc_prop) diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te new file mode 100644 index 0000000..84b341d --- /dev/null +++ b/sepolicy/vendor/hal_power_default.te @@ -0,0 +1,19 @@ +# Allow power HAL to to read/write proc file +allow hal_power_default proc:file rw_file_perms; + +# Allow power HAL to read/write vendor_sysfs_input +allow hal_power_default vendor_sysfs_input:dir r_dir_perms; +allow hal_power_default vendor_sysfs_input:file rw_file_perms; + +# Allow power HAL to to read vendor_sysfs_touchscreen +r_dir_file(hal_power_default, vendor_sysfs_touchscreen) +allow hal_power_default vendor_sysfs_touchscreen:file w_file_perms; + +# Allow power HAL to to read/write vendor_sysfs_touchscreen_writable +allow hal_power_default vendor_sysfs_touchscreen_writable:file rw_file_perms; + +# Allow power HAL to to read/write vendor_sysfs_battery +allow hal_power_default vendor_sysfs_battery:dir r_dir_perms; +allow hal_power_default vendor_sysfs_battery:file rw_file_perms; + +hal_client_domain(hal_power_default, hal_hyper) diff --git a/sepolicy/vendor/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element_default.te new file mode 100644 index 0000000..7865bed --- /dev/null +++ b/sepolicy/vendor/hal_secure_element_default.te @@ -0,0 +1,8 @@ +# Allow secure element HAL to access secure_element_device +allow hal_secure_element_default secure_element_device:chr_file rw_file_perms; + +init_daemon_domain(hal_secure_element_default) +unix_socket_connect(hal_secure_element_default, property, rild) + +# Allow secure element HAL to write vendor_sehal_init_prop +set_prop(hal_secure_element_default, vendor_sehal_init_prop) diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te new file mode 100644 index 0000000..6f033a4 --- /dev/null +++ b/sepolicy/vendor/hal_sensors_default.te @@ -0,0 +1,30 @@ +# Allow sensor HAL to to read/write app_efs_file +allow hal_sensors_default app_efs_file:dir rw_dir_perms; +allow hal_sensors_default app_efs_file:file create_file_perms; + +# Allow sensor HAL to to read/write efs_file +allow hal_sensors_default efs_file:dir rw_dir_perms; +allow hal_sensors_default efs_file:file create_file_perms; + +# Allow sensor HAL to access iio device +allow hal_sensors_default iio_device:chr_file r_file_perms; + +# Allow sensor HAL to read/write vendor_sysfs_input +allow hal_sensors_default vendor_sysfs_input:dir r_dir_perms; +allow hal_sensors_default vendor_sysfs_input:file rw_file_perms; + +# Allow sensor HAL to read/write vendor_sysfs_sensors_writable +allow hal_sensors_default vendor_sysfs_sensors_writable:dir r_dir_perms; +allow hal_sensors_default vendor_sysfs_sensors_writable:file rw_file_perms; + +# Allow sensor HAL to to read/wite sec touchscreen +r_dir_file(hal_sensors_default, vendor_sysfs_touchscreen) + +# Allow sensor HAL to to read/write vendor_sysfs_touchscreen_writable +allow hal_sensors_default vendor_sysfs_touchscreen_writable:file rw_file_perms; + +binder_call(hal_sensors_default, system_server) + +get_prop(hal_sensors_default, build_bootimage_prop) + +get_prop(hal_sensors_default, system_sensor_prop) diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te new file mode 100644 index 0000000..ed4e42f --- /dev/null +++ b/sepolicy/vendor/hal_thermal_default.te @@ -0,0 +1,21 @@ +# Allow thermal HAL to read/write vendor_sysfs_thermal files +r_dir_file(hal_thermal_default, vendor_sysfs_thermal) +allow hal_thermal_default vendor_sysfs_thermal:file w_file_perms; + +# Allow thermal HAL to read vendor_sysfs_battery files +r_dir_file(hal_thermal_default, vendor_sysfs_battery) + +# Allow hwservice_manager to find fwk_camera_hwservice +allow hal_thermal_default fwk_camera_hwservice:hwservice_manager find; + +# Allow hal_thermal_default to call cameraserver +binder_call(hal_thermal_default, cameraserver) + +hal_client_domain(hal_thermal_default, hal_audio) +hal_client_domain(hal_thermal_default, hal_hyper) + +unix_socket_connect(hal_thermal_default, property, rild) +get_prop(hal_thermal_default, vendor_thermal_prop) +set_prop(hal_thermal_default, vendor_thermal_test_prop) + +add_hwservice(hal_thermal_server, hal_thermal_samsung_hwservice) diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te new file mode 100644 index 0000000..95ef882 --- /dev/null +++ b/sepolicy/vendor/hal_vibrator_default.te @@ -0,0 +1,18 @@ +# Allow vibrator HAL to read input_device files +allow hal_vibrator_default input_device:dir r_dir_perms; + +# Allow vibrator HAL to access input device +allow hal_vibrator_default input_device:chr_file rw_file_perms; + +# Allow vibrator HAL to read app_efs_file files +allow hal_vibrator_default app_efs_file:dir rw_dir_perms; +allow hal_vibrator_default app_efs_file:file create_file_perms; + +# Allow vibrator HAL to search efs files +allow hal_vibrator_default efs_file:dir search; + +# Allow vibrator HAL to read proc_bus_input files +r_dir_file(hal_vibrator_default, proc_bus_input) + +allow hal_vibrator_default vendor_sysfs_vib_support:file rw_file_perms; +allow hal_vibrator_default vendor_sysfs_vib_writable:file rw_file_perms; diff --git a/sepolicy/vendor/hermesd.te b/sepolicy/vendor/hermesd.te new file mode 100644 index 0000000..e3a1c08 --- /dev/null +++ b/sepolicy/vendor/hermesd.te @@ -0,0 +1,29 @@ +type hermesd, domain; +type hermesd_exec, exec_type, file_type, vendor_file_type; +hal_server_domain(hermesd, hal_weaver) +hal_client_domain(hermesd, hal_keymint) + +init_daemon_domain(hermesd) +unix_socket_connect(hermesd, property, init) + +# Allow hermesd to access k250a device +allow hermesd k250a_device:chr_file rw_file_perms; + +# Allow hermesd to access tee device +allow hermesd tee_device:chr_file rw_file_perms; + +# Allow hermesd to search tee_efs_file +allow hermesd tee_efs_file:dir search; + +# Allow hermesd to access TZ device +allow hermesd vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms; +allow hermesd vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms; + +# Allow hermesd to read/write vendor_gatekeeper_data_file +allow hermesd vendor_gatekeeper_data_file:dir create_dir_perms; +allow hermesd vendor_gatekeeper_data_file:file create_file_perms; + +allow hermesd hal_keymint_default:binder transfer; + +set_prop(hermesd, vendor_securenvm_prop) +set_prop(hermesd, vendor_securehw_prop) diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te new file mode 100644 index 0000000..a8e8c17 --- /dev/null +++ b/sepolicy/vendor/hwservice.te @@ -0,0 +1,3 @@ +type hal_bluetooth_a2dp_hwservice, hwservice_manager_type; + +type hal_thermal_samsung_hwservice, hwservice_manager_type; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts new file mode 100644 index 0000000..bc5d970 --- /dev/null +++ b/sepolicy/vendor/hwservice_contexts @@ -0,0 +1,11 @@ +# Bluetooth +vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload u:object_r:hal_bluetooth_a2dp_hwservice:s0 +vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory u:object_r:hal_bluetooth_a2dp_hwservice:s0 +vendor.samsung.hardware.bluetooth.audio::ISehBluetoothAudioProviderFactory u:object_r:hal_audio_hwservice:s0 +vendor.samsung.hardware.bluetooth::ISehBluetooth u:object_r:hal_bluetooth_hwservice:s0 + +# NFC +vendor.samsung.hardware.nfc::ISehNfc u:object_r:hal_nfc_hwservice:s0 + +# Thermal +vendor.samsung.hardware.thermal::ISehThermal u:object_r:hal_thermal_samsung_hwservice:s0 diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te new file mode 100644 index 0000000..8e5dbfa --- /dev/null +++ b/sepolicy/vendor/init.te @@ -0,0 +1,5 @@ +allow init efs_file:dir mounton; + +allow init sec_efs_file:dir mounton; + +allow init vendor_firmware_file:file mounton; diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te new file mode 100644 index 0000000..fdba112 --- /dev/null +++ b/sepolicy/vendor/netutils_wrapper.te @@ -0,0 +1,15 @@ +# Allow netutils_wrapper to access drb_device +allow netutils_wrapper drb_device:chr_file rw_file_perms; + +# Allow netutils_wrapper to read/write sec_efs_file +allow netutils_wrapper sec_efs_file:file rw_file_perms; + +# Allow netutils_wrapper to access rild +allow netutils_wrapper rild:fd use; +allow netutils_wrapper rild:fifo_file { getattr read write }; +allow netutils_wrapper rild:netlink_route_socket { read write }; +allow netutils_wrapper rild:unix_stream_socket { read write }; +allow netutils_wrapper rild:netlink_generic_socket { read write }; +allow netutils_wrapper rild:netlink_xfrm_socket { read write }; +allow netutils_wrapper rild:udp_socket { read write }; +allow netutils_wrapper rild:tcp_socket { read write }; diff --git a/sepolicy/vendor/network_stack.te b/sepolicy/vendor/network_stack.te new file mode 100644 index 0000000..3fbd162 --- /dev/null +++ b/sepolicy/vendor/network_stack.te @@ -0,0 +1,2 @@ +# Allow network_stack to read proc_net file +allow network_stack proc_net:file rw_file_perms; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te new file mode 100644 index 0000000..ccdf7bd --- /dev/null +++ b/sepolicy/vendor/property.te @@ -0,0 +1,12 @@ +# NFC +vendor_internal_prop(vendor_sec_nfc_prop) + +# Secure Element +vendor_internal_prop(vendor_sehal_init_prop) + +# Tee +vendor_internal_prop(vendor_qseecomd_prop) + +# Thermal +vendor_internal_prop(vendor_thermal_prop) +vendor_internal_prop(vendor_thermal_test_prop) diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts new file mode 100644 index 0000000..1e4e6de --- /dev/null +++ b/sepolicy/vendor/property_contexts @@ -0,0 +1,22 @@ +# Bluetooth +vendor.bluetooth_fw_ver u:object_r:vendor_bluetooth_prop:s0 +vendor.bluetooth_nv_ver u:object_r:vendor_bluetooth_prop:s0 + +# NFC +ro.vendor.nfc. u:object_r:vendor_sec_nfc_prop:s0 + +# Radio +ro.vendor.multisim. u:object_r:vendor_radio_prop:s0 +ro.vendor.radio. u:object_r:vendor_radio_prop:s0 +ro.vendor.sec.radio. u:object_r:vendor_radio_prop:s0 +vendor.calls. u:object_r:vendor_radio_prop:s0 + +# Secure Element +vendor.seHal.init u:object_r:vendor_sehal_init_prop:s0 + +# Tee +vendor.sys.qseecomd. u:object_r:vendor_qseecomd_prop:s0 + +# Thermal +vendor.thermal. u:object_r:vendor_thermal_prop:s0 +vendor.thermal.amb. u:object_r:vendor_thermal_test_prop:s0 diff --git a/sepolicy/vendor/qms.te b/sepolicy/vendor/qms.te new file mode 100644 index 0000000..44dcfd5 --- /dev/null +++ b/sepolicy/vendor/qms.te @@ -0,0 +1,7 @@ +# Allow qms to read/write vendor_qms_main_data_file +allow vendor_qms vendor_qms_main_data_file:dir create_dir_perms; +allow vendor_qms vendor_qms_main_data_file:file create_file_perms; + +# Allow qms to read/write vendor_qms_config_data_file +allow vendor_qms vendor_qms_config_data_file:dir r_dir_perms; +allow vendor_qms vendor_qms_config_data_file:file r_file_perms; diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te new file mode 100644 index 0000000..4ce8d53 --- /dev/null +++ b/sepolicy/vendor/rild.te @@ -0,0 +1,45 @@ +# Allow rild to read/write proc file +allow rild proc_net:file rw_file_perms; +allow rild proc_qtaguid_stat:file r_file_perms; + +# Allow rild to read/write app_efs_file +allow rild app_efs_file:dir create_dir_perms; +allow rild app_efs_file:file create_file_perms; + +# Allow rild to read/write dak_efs_file +allow rild dak_efs_file:dir create_dir_perms; +allow rild dak_efs_file:file create_file_perms; + +# Allow rild to read/write efs_file +allow rild efs_file:dir rw_dir_perms; + +# Allow rild to read/write imei_efs_file +allow rild imei_efs_file:dir create_dir_perms; +allow rild imei_efs_file:file create_file_perms; + +# Allow rild to read/write sec_efs_file +allow rild sec_efs_file:dir create_dir_perms; +allow rild sec_efs_file:file create_file_perms; + +# Allow rild to access drb_device +allow rild drb_device:chr_file rw_file_perms; + +# Allow rild to access tun_device +allow rild tun_device:chr_file rw_file_perms; +allow rild self:tun_socket { create relabelfrom relabelto }; +allowxperm rild tun_device:chr_file ioctl { 0x54ca 0x54cb }; + +# Allow rild to access data files +allow rild mnt_vendor_file:dir r_dir_perms; +allow rild system_data_file:dir { getattr search }; +allow rild vendor_radio_vendor_data_file:dir create_dir_perms; +allow rild vendor_radio_vendor_data_file:file create_file_perms; + +# Allow rild to access vendor hals +r_dir_file(rild, hal_audio_default) +r_dir_file(rild, hal_camera_default) + +set_prop(rild, vendor_data_ko_prop) +set_prop(rild, vendor_data_shsusr_prop) + +dontaudit rild { default_prop system_prop }:file { read open getattr map }; diff --git a/sepolicy/vendor/sehradiomanager.te b/sepolicy/vendor/sehradiomanager.te new file mode 100644 index 0000000..885c7f5 --- /dev/null +++ b/sepolicy/vendor/sehradiomanager.te @@ -0,0 +1,11 @@ +type sehradiomanager, domain; +type sehradiomanager_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(sehradiomanager) + +get_prop(sehradiomanager, vendor_radio_prop) +get_prop(sehradiomanager, hwservicemanager_prop) +binder_call(sehradiomanager, hwservicemanager) +binder_call(sehradiomanager, servicemanager) +binder_call(servicemanager, sehradiomanager) +hal_client_domain(sehradiomanager, hal_telephony) diff --git a/sepolicy/vendor/service.te b/sepolicy/vendor/service.te new file mode 100644 index 0000000..1e6a8a5 --- /dev/null +++ b/sepolicy/vendor/service.te @@ -0,0 +1 @@ +type hal_hyper_service, hal_service_type, service_manager_type; diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts new file mode 100644 index 0000000..45c2aea --- /dev/null +++ b/sepolicy/vendor/service_contexts @@ -0,0 +1,25 @@ +# Hyper +vendor.samsung.hardware.hyper.ISehHyPer/default u:object_r:hal_hyper_service:s0 + +# Gnss +vendor.samsung.hardware.gnss.ISehGnss/default u:object_r:hal_gnss_service:s0 + +# Keymint +vendor.samsung.hardware.keymint.ISehKeyMintExtension/default u:object_r:hal_keymint_service:s0 +vendor.samsung.hardware.keymint.ISehKeyMintFactory/default u:object_r:hal_keymint_service:s0 + +# Radio +vendor.samsung.hardware.radio.bridge.ISehRadioBridge/slot1 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.bridge.ISehRadioBridge/slot2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.channel.ISehRadioChannel/epdgd u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.channel.ISehRadioChannel/epdgd2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.channel.ISehRadioChannel/imsd u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.channel.ISehRadioChannel/imsd2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.data.ISehRadioData/slot1 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.data.ISehRadioData/slot2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.messaging.ISehRadioMessaging/slot1 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.messaging.ISehRadioMessaging/slot2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.network.ISehRadioNetwork/slot1 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.network.ISehRadioNetwork/slot2 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.sim.ISehRadioSim/slot1 u:object_r:hal_radio_service:s0 +vendor.samsung.hardware.radio.sim.ISehRadioSim/slot2 u:object_r:hal_radio_service:s0 diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te new file mode 100644 index 0000000..cd44216 --- /dev/null +++ b/sepolicy/vendor/tee.te @@ -0,0 +1,12 @@ +# Allow tee to read/write sec_efs_file +allow tee sec_efs_file:dir create_dir_perms; +allow tee sec_efs_file:file create_file_perms; + +# Allow tee to read/write vendor_gatekeeper_data_file +allow tee vendor_gatekeeper_data_file:dir create_dir_perms; +allow tee vendor_gatekeeper_data_file:file create_file_perms; + +# Allow tee to access kmsg device +allow tee kmsg_device:chr_file rw_file_perms; + +set_prop(tee, vendor_qseecomd_prop) diff --git a/sepolicy/vendor/vendor_hal_gnss_qti.te b/sepolicy/vendor/vendor_hal_gnss_qti.te new file mode 100644 index 0000000..c26ea38 --- /dev/null +++ b/sepolicy/vendor/vendor_hal_gnss_qti.te @@ -0,0 +1,7 @@ +# Allow gnss HAL to read/write vendor_sysfs_battery +allow vendor_hal_gnss_qti vendor_sysfs_battery:file rw_file_perms; +allow vendor_hal_gnss_qti vendor_sysfs_battery:dir r_dir_perms; + +allow vendor_hal_gnss_qti hal_gnss_service:service_manager add; + +dontaudit vendor_hal_gnss_qti { default_prop system_prop }:file { read open getattr map }; diff --git a/sepolicy/vendor/vendor_hal_usb_qti.te b/sepolicy/vendor/vendor_hal_usb_qti.te new file mode 100644 index 0000000..454d209 --- /dev/null +++ b/sepolicy/vendor/vendor_hal_usb_qti.te @@ -0,0 +1 @@ +allow vendor_hal_usb_qti vendor_sysfs_battery:dir search; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te new file mode 100644 index 0000000..027fd36 --- /dev/null +++ b/sepolicy/vendor/vendor_init.te @@ -0,0 +1,7 @@ +allow vendor_init tmpfs:dir create_dir_perms; + +allow vendor_init cgroup:file rw_file_perms; + +allow vendor_init block_device:lnk_file setattr; + +allow vendor_init vendor_ssr_prop:property_service set; diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te new file mode 100644 index 0000000..1528013 --- /dev/null +++ b/sepolicy/vendor/vendor_qti_init_shell.te @@ -0,0 +1 @@ +allow vendor_qti_init_shell kmsg_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/vendor_secril_config_svc.te b/sepolicy/vendor/vendor_secril_config_svc.te new file mode 100644 index 0000000..66c6543 --- /dev/null +++ b/sepolicy/vendor/vendor_secril_config_svc.te @@ -0,0 +1,21 @@ +type vendor_secril_config_svc, domain, halserverdomain, hal_telephony, hal_telephony_server; +type vendor_secril_config_svc_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(vendor_secril_config_svc) +unix_socket_connect(vendor_secril_config_svc, property, init) + +# Allow secril_config_svc to read sec_efs_file +r_dir_file(vendor_secril_config_svc, sec_efs_file) + +# Allow secril_config_svc to search mnt_vendor_file +allow vendor_secril_config_svc mnt_vendor_file:dir search; + +# Allow secril_config_svc to read/write imei_efs_file +allow vendor_secril_config_svc imei_efs_file:dir create_dir_perms; +allow vendor_secril_config_svc imei_efs_file:file create_file_perms; + +# Allow secril_config_svc to read/write radio props +set_prop(vendor_secril_config_svc, radio_prop) +set_prop(vendor_secril_config_svc, vendor_radio_prop) + +allow vendor_secril_config_svc proc_simslot_count:file r_file_perms; diff --git a/sepolicy/vendor/vendor_thermal-engine.te b/sepolicy/vendor/vendor_thermal-engine.te new file mode 100644 index 0000000..cb92fab --- /dev/null +++ b/sepolicy/vendor/vendor_thermal-engine.te @@ -0,0 +1,2 @@ +# Allow thermal-engine to read vendor_sysfs_battery +r_dir_file(vendor_thermal-engine, vendor_sysfs_battery) diff --git a/sepolicy/vendor/vendor_time_daemon.te b/sepolicy/vendor/vendor_time_daemon.te new file mode 100644 index 0000000..69d429a --- /dev/null +++ b/sepolicy/vendor/vendor_time_daemon.te @@ -0,0 +1,4 @@ +allow vendor_time_daemon rild:dir search; +allow vendor_time_daemon rild:file { read open }; +allow vendor_time_daemon tee:dir { search }; +allow vendor_time_daemon tee:file { read open };