diff --git a/PlatformConfig.mk b/PlatformConfig.mk index 01d96c5..1f4f4c5 100644 --- a/PlatformConfig.mk +++ b/PlatformConfig.mk @@ -88,6 +88,9 @@ BOARD_HAVE_BCM_FM := true TARGET_SYSTEM_PROP += $(PLATFORM_COMMON_PATH)/system.prop # SELinux +ifeq ($(BOARD_USES_QCOM_HARDWARE),true) +include device/qcom/sepolicy/sepolicy.mk +endif BOARD_SEPOLICY_DIRS += $(PLATFORM_COMMON_PATH)/sepolicy include device/sony/common/CommonConfigOmni.mk diff --git a/omni.dependencies b/omni.dependencies index e4e8157..d08892b 100644 --- a/omni.dependencies +++ b/omni.dependencies @@ -11,6 +11,12 @@ "target_path": "kernel/sony/msm8994", "revision": "android-7.1" }, + { + "remote": "omnirom", + "repository": "android_device_qcom_caf-sepolicy", + "target_path": "device/qcom/sepolicy", + "revision": "android-7.1" + }, { "remote": "omnirom", "repository": "android_hardware_qcom_display-caf-msm8992", diff --git a/rootdir/init.kitakami-caf.rc b/rootdir/init.kitakami-caf.rc index 8256ac4..eac37dc 100644 --- a/rootdir/init.kitakami-caf.rc +++ b/rootdir/init.kitakami-caf.rc @@ -893,7 +893,7 @@ service ppd /system/vendor/bin/mm-pp-daemon disabled user system socket pps stream 0660 system system - seclabel u:r:ppd:s0 + seclabel u:r:mm-pp-daemon:s0 group system graphics on property:init.svc.surfaceflinger=stopped diff --git a/sepolicy/addrsetup.te b/sepolicy/addrsetup.te new file mode 100644 index 0000000..511a1d9 --- /dev/null +++ b/sepolicy/addrsetup.te @@ -0,0 +1,17 @@ +type addrsetup, domain, domain_deprecated; +type addrsetup_exec, exec_type, file_type; + +# Started by init +init_daemon_domain(addrsetup) + +# Connect to /dev/socket/tad +unix_socket_connect(addrsetup, tad, tad) + +allow addrsetup bluetooth_data_file:dir rw_dir_perms; +allow addrsetup bluetooth_data_file:file create_file_perms; + +allow addrsetup sysfs_addrsetup:file rw_file_perms; + +unix_socket_connect(addrsetup, tad, tad) + +allow addrsetup urandom_device:file read; 
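Review bot: The `ifeq ($(BOARD_USES_QCOM_HARDWARE),true)` guard makes the qcom policy look optional, but the rest of this commit depends on it unconditionally. The new `.te` files write rules for domains such as `mm-qcamerad`, `netmgrd` and `per_mgr` without declaring them, and the `init.kitakami-caf.rc` hunk switches the ppd service to `seclabel u:r:mm-pp-daemon:s0`, a domain this diff does not define either; presumably all of these come from `device/qcom/sepolicy`. If the flag is ever unset, the policy under `$(PLATFORM_COMMON_PATH)/sepolicy` would likely fail to compile, or the service would be given a label that does not exist. Either drop the guard or fail early in an `else` branch, e.g. `$(error device/qcom/sepolicy is required by $(PLATFORM_COMMON_PATH)/sepolicy)`.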
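Review bot: `allow addrsetup urandom_device:file read;` targets class `file`, while /dev/urandom is normally a character device (`chr_file`), so the rule only matters if a regular file carrying the `urandom_device` label exists. It reads like audit2allow output for a node that was created the wrong way, and that root cause is worth confirming before the rule is kept. The same class is used in debuggerd.te, fsck.te, lmkd.te and logd.te. Separately, `unix_socket_connect(addrsetup, tad, tad)` appears twice in this file and the second copy can be dropped.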
diff --git a/sepolicy/apfd.te b/sepolicy/apfd.te
new file mode 100644
index 0000000..6dfc759
--- /dev/null
+++ b/sepolicy/apfd.te
@@ -0,0 +1,5 @@
+type apfd, domain, domain_deprecated;
+type apfd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(apfd)
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..a110816
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1 @@
+allow audioserver rootfs:lnk_file getattr;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..e17672b
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,2 @@
+rw_dir_file(bluetooth, sysfs_bluetooth_writable)
+
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
new file mode 100644
index 0000000..5a5ea53
--- /dev/null
+++ b/sepolicy/bootanim.te
@@ -0,0 +1,3 @@
+set_prop(bootanim, boot_animation_prop)
+
+allow bootanim rootfs:lnk_file getattr;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..9ec7f97
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,16 @@
+allow cameraserver rootfs:lnk_file getattr;
+
+allow cameraserver sysfs:file rw_file_perms;
+
+allow cameraserver system_server:unix_stream_socket read;
+
+allow cameraserver mm-qcamerad:unix_stream_socket { read connectto };
+
+allow cameraserver sensorservice_service:service_manager { find };
+
+allow cameraserver idd_file:dir create_dir_perms;
+allow cameraserver idd_socket:sock_file { rw_file_perms };
+allow cameraserver idd_socket:dir { rw_dir_perms };
+allow cameraserver idd:unix_dgram_socket { sendto };
+
+unix_socket_connect(cameraserver, secd, secd)
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
new file mode 100644
index 0000000..7570c7c
--- /dev/null
+++ b/sepolicy/cnd.te
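Review bot: `allow cameraserver sysfs:file rw_file_perms;` in cameraserver.te grants write access to every sysfs node that still carries the generic `sysfs` label, which is far wider than whatever node the camera stack actually touches. The same pattern appears in mediaserver.te (`allow mediaserver sysfs:file rw_file_perms;`), fingerprintd.te (`allow fingerprintd sysfs:file w_file_perms;`) and netmgrd.te (`rw_dir_file(netmgrd, sysfs)`). file.te and file_contexts in this commit already show the narrower approach with `sysfs_fingerprintd_writable`: give the specific paths a dedicated type in file_contexts and allow only that type.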
@@ -0,0 +1,16 @@
+unix_socket_connect(cnd, qmuxd, qmuxd)
+
+allow cnd self:socket { create write read ioctl };
+
+allow cnd self:netlink_xfrm_socket { create bind setopt getopt };
+allow cnd self:netlink_route_socket { create bind setopt getopt };
+allow cnd self:netlink_tcpdiag_socket { create bind setopt getopt };
+
+allow cnd qmuxd_socket:dir { create_dir_perms add_name };
+allow cnd qmuxd_socket:sock_file create_file_perms;
+
+allow cnd socket_device:dir { rw_dir_perms add_name };
+allow cnd socket_device:sock_file create_file_perms;
+
+allow cnd sysfs_subsys:file r_file_perms;
+allow cnd sysfs_pronto:file r_file_perms;
diff --git a/sepolicy/debuggerd.te b/sepolicy/debuggerd.te
new file mode 100644
index 0000000..6c2efb0
--- /dev/null
+++ b/sepolicy/debuggerd.te
@@ -0,0 +1,2 @@
+allow debuggerd urandom_device:file { getattr open read };
+
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..0e8e885
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,5 @@
+type subsys_modem_device, dev_type;
+type trim_area_partition_device, dev_type;
+type persist_block_device, dev_type;
+type idd_block_device, dev_type;
+
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..79c8675
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,2 @@
+allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;
+
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
new file mode 100644
index 0000000..698131a
--- /dev/null
+++ b/sepolicy/dpmd.te
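Review bot: `allow { domain -untrusted_app } diag_device:chr_file rw_file_perms;` in domain.te opens the diag character device read-write to every domain except `untrusted_app`, so `isolated_app`, `priv_app`, `platform_app`, `shell` and every daemon in the policy receive it. A vendor diagnostic interface should not be reachable this broadly on a production image, and excluding a single app domain does not make the rule narrow. Restrict it to the named domains that actually need diag, and if it is only needed for bring-up, wrap it in `userdebug_or_eng(...)` so it is absent from user builds.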
@@ -0,0 +1,23 @@
+allow dpmd self:capability {
+ dac_override
+ net_raw
+ net_admin
+ setuid
+ setgid
+ chown
+ fsetid
+};
+
+allow dpmd property_socket:sock_file create_file_perms;
+allow dpmd init:unix_stream_socket connectto;
+
+allow dpmd self:netlink_route_socket { create bind write nlmsg_read read };
+allow dpmd self:udp_socket { create ioctl };
+allow dpmd socket_device:dir { rw_dir_perms add_name };
+allow dpmd socket_device:sock_file create_file_perms;
+allow dpmd proc_net:file create_file_perms;
+
+allow dpmd sysfs_subsys:file r_file_perms;
+allow dpmd sysfs_pronto:file r_file_perms;
+
+allow dpmd sysfs_wake_lock:file create_file_perms;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..0f3efb9
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,42 @@
+# Define debugfs for rmt storage
+type debugfs_rmt_storage, fs_type, debugfs_type;
+
+type tad_socket, file_type;
+type ta_data_file, file_type;
+
+type proc_kernel_sched, fs_type;
+
+type acdb_data_file, file_type, data_file_type;
+
+type sysfs_addrsetup, fs_type, sysfs_type;
+type sysfs_fingerprintd_writable, fs_type, sysfs_type;
+type sysfs_performance, sysfs_type, fs_type;
+type sysfs_power_management, fs_type, sysfs_type;
+type sysfs_pronto, fs_type, sysfs_type;
+type sysfs_rmt_storage, fs_type, sysfs_type;
+type sysfs_subsys, sysfs_type, fs_type;
+type sysfs_timekeep, fs_type, sysfs_type;
+type sysfs_video, fs_type, sysfs_type;
+
+# BRCM BT FM
+type brcm_ldisc_sysfs, sysfs_type, fs_type;
+type brcm_uim_exec, exec_type, file_type;
+
+# idd /rca
+type idd_socket, file_type;
+type idd_file, file_type;
+type idd_data_file, file_type, data_file_type;
+type idd_lostfound_file, file_type;
+type misc_file, file_type;
+type misc_lostfound_file, file_type;
+
+# secd
+type secd_socket, file_type;
+type secd_data_file, file_type, data_file_type;
+
+# taimport
+type taimport_data_file, file_type, data_file_type;
+
+# ppd
+type ppd_data_file, file_type, data_file_type;
+
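Review bot: The capability list in dpmd.te's `allow dpmd self:capability { ... }` (`dac_override net_raw net_admin setuid setgid chown fsetid`) is repeated verbatim in keyprovd.te, which suggests it was copied rather than derived from what each daemon needs. `dac_override` lets the process ignore file mode bits, and `setuid`/`setgid`/`chown` are a lot to hand to a key-provisioning daemon without a stated reason. Trim each list to the capabilities that actually appear as denials for that daemon, and put a short why-comment above each block naming the operation that needs every capability kept.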
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..e8f712f
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,187 @@ +################################### +# Dev nodes +# +/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0 +/dev/video.* u:object_r:video_device:s0 +/dev/pn54x u:object_r:nfc_device:s0 +/dev/subsys_modem u:object_r:subsys_modem_device:s0 +/dev/tfa98xx u:object_r:audio_device:s0 +/dev/ttyHS0 u:object_r:hci_attach_dev:s0 + +################################### +# Dev block nodes +# + +/dev/block/mmcblk0p1 u:object_r:trim_area_partition_device:s0 +/dev/block/mmcblk0p24 u:object_r:cache_block_device:s0 +/dev/block/bootdevice/by-name/TA u:object_r:trim_area_partition_device:s0 +/dev/block/bootdevice/by-name/FOTAKernel u:object_r:recovery_block_device:s0 +/dev/block/bootdevice/by-name/apps_log u:object_r:misc_block_device:s0 +/dev/block/bootdevice/by-name/diag u:object_r:idd_block_device:s0 + +/dev/block/platform(/soc\.0|/soc)?/7824900\.sdhci/by-name/TA u:object_r:trim_area_partition_device:s0 +/dev/block/platform(/soc\.0|/soc)?/7824900\.sdhci/by-name/FOTAKernel u:object_r:recovery_block_device:s0 +/dev/block/platform(/soc\.0|/soc)?/7824900\.sdhci/by-name/apps_log u:object_r:misc_block_device:s0 +/dev/block/platform(/soc\.0|/soc)?/7824900\.sdhci/by-name/persist u:object_r:persist_block_device:s0 + +################################### +# Dev socket nodes +# +/dev/socket/tad u:object_r:tad_socket:s0 + +################################### +# System files +# +/system/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0 +/system/bin/macaddrsetup u:object_r:addrsetup_exec:s0 +/system/bin/thermanager u:object_r:thermanager_exec:s0 +/system/bin/timekeep u:object_r:timekeep_exec:s0 +/system/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0 +/system/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0 +/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0 +/system/vendor/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0 +/system/vendor/bin/msm_irqbalance u:object_r:msm_irqbalanced_exec:s0 +/system/vendor/bin/netmgrd u:object_r:netmgrd_exec:s0 +/system/vendor/bin/qmuxd 
u:object_r:qmuxd_exec:s0 +/system/vendor/bin/qseecomd u:object_r:tee_exec:s0 +/system/vendor/bin/rmt_storage u:object_r:rmt_storage_exec:s0 +/system/vendor/bin/sct_service u:object_r:sct_exec:s0 +/system/vendor/bin/sensors.qcom u:object_r:sensors_exec:s0 +/system/vendor/bin/tad_static u:object_r:tad_exec:s0 +/system/vendor/bin/ta_qmi_service u:object_r:ta_qmi_exec:s0 +/system/vendor/bin/gtsconfd u:object_r:gtsconfd_exec:s0 +/system/vendor/bin/apfd u:object_r:apfd_exec:s0 +/system/vendor/bin/cnd u:object_r:cnd_exec:s0 +/system/vendor/bin/startup-logger u:object_r:startup-logger_exec:s0 +/system/vendor/bin/ipacm u:object_r:ipacm_exec:s0 +/system/vendor/bin/dpmd u:object_r:dpmd_exec:s0 + +################################### +# sysfs files +# +/sys/class/uio(/.*)? u:object_r:sysfs_uio:s0 +/sys/devices/virtual/graphics/fb([0-2])+/hpd u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-2])+/res_info u:object_r:sysfs_graphics:s0 +/sys/devices/virtual/graphics/fb([0-2])+/s3d_mode u:object_r:sysfs_graphics:s0 +/sys/devices/soc0(/.*)? u:object_r:sysfs_socinfo:s0 + +# BRCM BT FM +/sys/bus/platform/drivers/bcm_ldisc/soc\:bcmbt_ldisc(/.*)? u:object_r:brcm_ldisc_sysfs:s0 +/sys/bus/platform/drivers/bcm_ldisc/bcmbt_ldisc.93(/.*)? u:object_r:brcm_ldisc_sysfs:s0 + +/sys/devices(/soc\.0|/soc)?/fpc1145_device/spi_prepare u:object_r:sysfs_fingerprintd_writable:s0 +/sys/devices(/soc\.0|/soc)?/fpc1145\.105/spi_prepare u:object_r:sysfs_fingerprintd_writable:s0 +/sys/devices(/soc\.0|/soc)?/fpc1145_device/wakeup_enable u:object_r:sysfs_fingerprintd_writable:s0 +/sys/devices(/soc\.0|/soc)?/fpc1145\.105/wakeup_enable u:object_r:sysfs_fingerprintd_writable:s0 +/sys/devices(/soc\.0|/soc)?/fpc1145_device/irq u:object_r:sysfs_fingerprintd_writable:s0 +/sys/devices(/soc\.0|/soc)?/fpc1145\.105/irq u:object_r:sysfs_fingerprintd_writable:s0 + +# Modules +/sys/module/cpu_boost(/.*)? 
u:object_r:sysfs_devices_system_cpu:s0 +/sys/module/lpm_levels/parameters/sleep_disabled u:object_r:sysfs_power_management:s0 +/sys/module/msm_performance(/.*)? u:object_r:sysfs_performance:s0 + +# Bluetooth +/sys/devices(/soc\.0|/soc)?/bluesleep\.(81|89)/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices(/soc\.0|/soc)?/bcm43xx.([0-9])+/rfkill/rfkill[0-9](/.*)? u:object_r:sysfs_bluetooth_writable:s0 + +# Storage +/sys/devices(/soc\.0|/soc)?/(fd80000|0)?\.qcom,rmtfs_sharedmem/uio/uio0/name u:object_r:sysfs_rmt_storage:s0 +/sys/devices(/soc\.0|/soc)?/(fd80000|0)?\.qcom,rmtfs_sharedmem/uio/uio0/version u:object_r:sysfs_rmt_storage:s0 +/sys/devices(/soc\.0|/soc)?/(fd80000|0)?\.qcom,rmtfs_sharedmem/uio/uio0/maps/map0(/.*)? u:object_r:sysfs_rmt_storage:s0 +/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0 + +# Subsystem +/sys/devices(/soc\.0|/soc)?/(fe200000|c200000)\.qcom,lpass/subsys1/name u:object_r:sysfs_subsys:s0 +/sys/devices(/soc\.0|/soc)?/fc880000\.qcom,mss/subsys2/name u:object_r:sysfs_subsys:s0 +/sys/devices(/soc\.0|/soc)?/(fc880000|4080000)\.qcom,mss/subsys3/name u:object_r:sysfs_subsys:s0 +/sys/devices(/soc\.0|/soc)?/(fdce0000|1de0000)\.qcom,venus/subsys0/name u:object_r:sysfs_subsys:s0 + +# Thermal +/sys/devices(/soc\.0|/soc)?/02-qcom,qpnp-smbcharger/power_supply/battery/charging_enabled u:object_r:sysfs_thermal:s0 +/sys/devices(/soc\.0|/soc)?/02-qcom,qpnp-smbcharger/power_supply/battery/system_temp_level u:object_r:sysfs_thermal:s0 +/sys/devices(/soc\.0|/soc)?/f9200000\.ssusb/power_supply/usb/current_max u:object_r:sysfs_thermal:s0 +/sys/devices(/soc\.0|/soc)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:sysfs_thermal:s0 +/sys/devices(/soc\.0|/soc)?/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:sysfs_thermal:s0 + +# Timekeep +/sys/devices(/soc\.0|/soc)?/00-qcom,pm(8941|8950|8994)_rtc/rtc/rtc0/since_epoch u:object_r:sysfs_timekeep:s0 + +# USB & Power 
+/sys/devices/msm_dwc3/power_supply/usb/type u:object_r:sysfs_usb_supply:s0 +/sys/devices/msm_dwc3/power_supply/usb/device u:object_r:sysfs_usb_supply:s0 +/sys/devices/00-qcom,charger/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0 +/sys/devices(/soc\.0|/soc)?/02-qcom,qpnp-smbcharger/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0 + +# Video +/sys/devices(/soc\.0|/soc)?/fd8c0000\.qcom,msm-cam/video4linux/video0/name u:object_r:sysfs_video:s0 +/sys/devices(/soc\.0|/soc)?/fd878000\.qcom,fd/video4linux/video1/name u:object_r:sysfs_video:s0 + +# WiFi MAC address +/sys/devices(/soc\.0|/soc)?/fb000000\.qcom,wcnss-wlan/wcnss_mac_addr u:object_r:sysfs_addrsetup:s0 +/sys/devices/platform/bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0 +/sys/devices/soc/soc\:bcmdhd_wlan/macaddr u:object_r:sysfs_addrsetup:s0 +/sys/devices(/soc\.0|/soc)?/bcmdhd_wlan.(90|114|115)/macaddr u:object_r:sysfs_addrsetup:s0 +/sys/devices(/soc\.0|/soc)?/(fb21b000|a21b000)\.qcom,pronto/subsys2/name u:object_r:sysfs_pronto:s0 + +# Zram +/sys/devices/virtual/block/zram0/mem_used_total u:object_r:sysfs_zram:s0 + +################################### +# data files +# +/data/audio/acdbdata(/.*)? u:object_r:acdb_data_file:s0 + +################################### +# proc files +# +/proc/bluetooth/sleep/proto u:object_r:sysfs_bluetooth_writable:s0 +/proc/bluetooth/sleep/lpm u:object_r:sysfs_bluetooth_writable:s0 +/proc/bluetooth/sleep/btwrite u:object_r:sysfs_bluetooth_writable:s0 + +################################### +# idd/rca files +# +/idd(/.*)? u:object_r:idd_file:s0 +/idd/socket(/.*)? u:object_r:idd_socket:s0 +/idd/output(/.*)? u:object_r:idd_file:s0 +/idd/startup-prober(/.*)? u:object_r:idd_file:s0 +/idd/lost\+found(/.*)? u:object_r:idd_lostfound_file:s0 +/rca(/.*)? u:object_r:misc_file:s0 +/rca/plugins(/.*)? u:object_r:misc_file:s0 +/rca/lost\+found(/.*)? 
u:object_r:misc_lostfound_file:s0 + +/system/etc/iddd.conf u:object_r:idd_data_file:s0 +/system/vendor/bin/iddd u:object_r:idd_exec:s0 +/system/vendor/bin/idd-logreader u:object_r:idd_exec:s0 + +################################### +# secd +# +/data/credmgr(/.*)? u:object_r:secd_data_file:s0 +/system/vendor/bin/secd u:object_r:secd_exec:s0 +/dev/socket/secd_credmgr_sock u:object_r:secd_socket:s0 +/dev/socket/secd_devsec_sock u:object_r:secd_socket:s0 +/dev/socket/secd_ebl_sock u:object_r:secd_socket:s0 + +################################### +# updatemiscta +# +/system/vendor/bin/updatemiscta u:object_r:updatemiscta_exec:s0 + +################################### +# taimport +# +/data/customization(/.*)? u:object_r:taimport_data_file:s0 +/system/vendor/bin/taimport u:object_r:taimport_exec:s0 + +################################### +# keyprovd +# +/system/vendor/bin/keyprovd u:object_r:keyprovd_exec:s0 + +################################### +# fingerprintd +# +/data/fpc(/.*)? u:object_r:fingerprintd_data_file:s0 + diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te new file mode 100644 index 0000000..ea7fda6 --- /dev/null +++ b/sepolicy/fingerprintd.te @@ -0,0 +1,15 @@ +allow fingerprintd sysfs_fingerprintd_writable:file rw_file_perms; +allow fingerprintd tee_device:chr_file rw_file_perms; +allow fingerprintd sysfs:file w_file_perms; + +r_dir_file(fingerprintd, input_device) +allow fingerprintd input_device:chr_file { read open ioctl }; + +allow fingerprintd fingerprintd_data_file:dir create_dir_perms; +allow fingerprintd fingerprintd_data_file:file create_file_perms; +allow fingerprintd fingerprintd_data_file:sock_file { create unlink }; + +allow fingerprintd idd_file:dir create_dir_perms; +allow fingerprintd idd_socket:dir { search }; +allow fingerprintd idd_socket:sock_file create_file_perms; +allow fingerprintd idd:unix_dgram_socket { sendto }; diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te new file mode 100644 index 0000000..ddb1f7f --- /dev/null 
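Review bot: The `# proc files` section of file_contexts labels `/proc/bluetooth/sleep/proto`, `lpm` and `btwrite` as `sysfs_bluetooth_writable`, but file_contexts entries are not applied to procfs; proc nodes take their label from `genfscon`. genfs_contexts in this same commit labels those three paths `proc_bluetooth_writable`, so the two files disagree and only the genfscon label is likely to take effect. Remove the three `/proc/...` lines here so there is one source of truth, and check that the bluetooth rules reference the `proc_bluetooth_writable` type rather than relying on the sysfs one.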
+++ b/sepolicy/fsck.te
@@ -0,0 +1,4 @@
+allow fsck urandom_device:file getattr;
+allow fsck idd_block_device:blk_file { rw_file_perms };
+allow fsck misc_block_device:blk_file { rw_file_perms };
+allow fsck cache_block_device:blk_file { rw_file_perms };
diff --git a/sepolicy/gatekeeperd.te b/sepolicy/gatekeeperd.te
new file mode 100644
index 0000000..55ad2a1
--- /dev/null
+++ b/sepolicy/gatekeeperd.te
@@ -0,0 +1,3 @@
+allow gatekeeperd firmware_file:file r_file_perms;
+allow gatekeeperd firmware_file:dir search;
+set_prop(gatekeeperd, tee_prop)
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..768c6e0
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,11 @@
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/proto u:object_r:proc_bluetooth_writable:s0
+genfscon proc /sys/kernel/sched_boost u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_downmigrate u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_freq_dec_notify u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_freq_inc_notify u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_init_task_load u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_migration_fixup u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_small_task u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_upmigrate u:object_r:proc_kernel_sched:s0
diff --git a/sepolicy/gtsconfd.te b/sepolicy/gtsconfd.te
new file mode 100644
index 0000000..8ef086f
--- /dev/null
+++ b/sepolicy/gtsconfd.te
@@ -0,0 +1,5 @@
+type gtsconfd, domain, domain_deprecated;
+type gtsconfd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(gtsconfd)
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
new file mode 100644
index 0000000..61b8397
--- /dev/null
+++ b/sepolicy/idd.te
@@ -0,0 +1,24 @@
+type idd, domain, domain_deprecated;
+type idd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(idd)
+
+# Connect to /dev/socket/tad
+unix_socket_connect(idd, tad, tad)
+
+# Read /proc/stat
+allow idd proc:file r_file_perms;
+
+allow idd idd_file:file create_file_perms;
+allow idd idd_file:dir create_dir_perms;
+allow idd idd_socket:file create_file_perms;
+allow idd idd_socket:dir create_dir_perms;
+allow idd idd_socket:sock_file { write create getattr setattr unlink };
+allow idd idd_socket:dir create_dir_perms;
+
+allow idd misc_file:file create_file_perms;
+allow idd misc_file:dir create_dir_perms;
+
+allow idd logdr_socket:sock_file write;
+allow idd logd:unix_stream_socket connectto;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..4abc020
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,31 @@
+#For sdcard
+allow init tmpfs:file create_file_perms;
+allow init tmpfs:dir create_dir_perms;
+
+allow init proc_kernel_sched:file write;
+
+allow init persist_file:dir mounton;
+allow init debugfs:file w_file_perms;
+allow init sysfs:dir w_dir_perms;
+
+#FM BCM
+allow init hci_attach_dev:chr_file rw_file_perms;
+allow init brcm_uim_exec:file { execute getattr read open };
+allow init brcm_ldisc_sysfs:lnk_file { read };
+allow init uim:process { siginh noatsecure transition rlimitinh };
+
+allow init taimport_exec:file { execute read open };
+allow init trim_area_partition_device:blk_file setattr;
+allow init idd_file:dir { mounton };
+allow init misc_file:dir { mounton };
+allow init socket_device:sock_file { create setattr getattr unlink };
+
+allow init startup-logger:process { rlimitinh siginh noatsecure };
+allow init taimport:process { rlimitinh siginh noatsecure };
+
+domain_auto_trans(init, startup-logger_exec, startup-logger)
+domain_auto_trans(init, taimport_exec, taimport)
+
+unix_socket_connect(init, secd, secd)
+allow init self:capability { sys_module };
+allow init kernel:key { search };
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..ca7fef7
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1 @@
+allow installd system_app_data_file:dir { create_dir_perms relabelfrom relabelto };
diff --git a/sepolicy/irsc_util.te b/sepolicy/irsc_util.te
new file mode 100644
index 0000000..4da6134
--- /dev/null
+++ b/sepolicy/irsc_util.te
@@ -0,0 +1 @@
+allow irsc_util self:socket create_socket_perms;
diff --git a/sepolicy/isolated_app.te b/sepolicy/isolated_app.te
new file mode 100644
index 0000000..e30ce29
--- /dev/null
+++ b/sepolicy/isolated_app.te
@@ -0,0 +1 @@
+allow isolated_app { shell_data_file app_data_file }:dir { getattr search };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..089070a
--- /dev/null
+++ b/sepolicy/kernel.te
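Review bot: `allow init self:capability { sys_module };` at the end of init.te permits kernel module loading, and netd.te grants the same with `allow netd netd:capability sys_module;`; neither rule says which module is needed. If the denials only come from the kernel requesting a module automatically when an interface or protocol is first used, and the device works without it, the safer rule is `dontaudit netd self:capability sys_module;` rather than granting the capability. Where init really does load a module, add a comment above the rule naming it, so the grant can be removed once the driver is built in.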
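Review bot: `allow isolated_app { shell_data_file app_data_file }:dir { getattr search };` widens the most restricted app sandbox, because `search` lets an isolated process traverse app and shell data directories and learn which paths exist. Nothing in the commit says which component triggered the denial. If this is only a harmless probe, `dontaudit isolated_app { shell_data_file app_data_file }:dir { getattr search };` silences the log without granting access; if access is truly required, state the consumer in a comment above the rule.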
@@ -0,0 +1,10 @@
+allow kernel device:dir create_dir_perms;
+allow kernel device:chr_file { create setattr getattr };
+allow kernel tmpfs:file create_file_perms;
+allow kernel tmpfs:dir create_dir_perms;
+allow kernel rootfs:file rx_file_perms;
+allow kernel touchfusion_exec:file relabelto;
+
+allow kernel self:socket create;
+
+allow kernel self:capability mknod;
diff --git a/sepolicy/keyprovd.te b/sepolicy/keyprovd.te
new file mode 100644
index 0000000..4539ba7
--- /dev/null
+++ b/sepolicy/keyprovd.te
@@ -0,0 +1,31 @@
+type keyprovd, domain, domain_deprecated;
+type keyprovd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(keyprovd)
+
+allow keyprovd self:capability {
+ dac_override
+ net_raw
+ net_admin
+ setuid
+ setgid
+ chown
+ fsetid
+};
+
+unix_socket_connect(keyprovd, tad, tad)
+unix_socket_connect(keyprovd, secd, secd)
+
+set_prop(keyprovd, keyprovd_prop)
+
+allow keyprovd property_socket:sock_file create_file_perms;
+allow keyprovd socket_device:dir { rw_dir_perms add_name };
+allow keyprovd socket_device:sock_file create_file_perms;
+
+allow keyprovd sysfs_subsys:file r_file_perms;
+
+allow keyprovd tee_device:chr_file rw_file_perms;
+allow keyprovd tee_prop:file { read open getattr };
+
+allow keyprovd init:unix_stream_socket { connectto };
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..2288be7
--- /dev/null
+++ b/sepolicy/keystore.te
@@ -0,0 +1 @@
+allow keystore { firmware_file tee_prop }:file r_file_perms;
diff --git a/sepolicy/lmkd.te b/sepolicy/lmkd.te
new file mode 100644
index 0000000..cb19798
--- /dev/null
+++ b/sepolicy/lmkd.te
@@ -0,0 +1,4 @@
+allow lmkd sysfs_lowmemorykiller:dir search;
+
+allow lmkd urandom_device:file { getattr open read };
+
diff --git a/sepolicy/logd.te b/sepolicy/logd.te
new file mode 100644
index 0000000..03f2a4a
--- /dev/null
+++ b/sepolicy/logd.te
@@ -0,0 +1 @@
+allow logd urandom_device:file { getattr open read };
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..9b41187
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec rootfs:lnk_file getattr;
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
new file mode 100644
index 0000000..6940aa4
--- /dev/null
+++ b/sepolicy/mediadrmserver.te
@@ -0,0 +1,3 @@
+allow mediadrmserver rootfs:lnk_file getattr;
+unix_socket_connect(mediadrmserver, tad, tad)
+unix_socket_connect(mediadrmserver, secd, secd)
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..6c410d1
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,14 @@
+allow mediaserver camera_data_file:dir search;
+allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
+
+allow mediaserver cameraserver_service:service_manager add;
+allow mediaserver cameraproxy_service:service_manager find;
+
+qmux_socket(mediaserver)
+
+# stock cam
+unix_socket_connect(mediaserver, secd, secd)
+allow mediaserver system_server:unix_stream_socket read;
+allow mediaserver mm-qcamerad:unix_stream_socket connectto;
+allow mediaserver sysfs:file rw_file_perms;
+allow mediaserver sensorservice_service:service_manager find;
diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te
new file mode 100644
index 0000000..cee65d1
--- /dev/null
+++ b/sepolicy/mlog_qmi.te
@@ -0,0 +1,11 @@
+type mlog_qmi, domain, domain_deprecated;
+type mlog_qmi_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(mlog_qmi)
+
+allow mlog_qmi self:capability { net_raw };
+allow mlog_qmi self:socket create_socket_perms;
+
+# Access to /dev/smem_log
+allow mlog_qmi smem_log_device:chr_file rw_file_perms;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
new file mode 100644
index 0000000..c35c202
--- /dev/null
+++ b/sepolicy/mm-qcamerad.te
@@ -0,0 +1,11 @@
+allow mm-qcamerad { graphics_device camera_data_file }:dir { add_name remove_name search write };
+allow mm-qcamerad camera_data_file:file { create getattr open read write };
+allow mm-qcamerad camera_data_file:sock_file create_file_perms;
+allow mm-qcamerad { graphics_device gpu_device video_device }:chr_file rw_file_perms;
+allow mm-qcamerad sysfs_video:file r_file_perms;
+allow mm-qcamerad { cameraserver surfaceflinger }:fd use;
+allow mm-qcamerad camera_prop:property_service set;
+allow mm-qcamerad property_socket:sock_file write;
+allow mm-qcamerad init:unix_stream_socket connectto;
+
+allow mm-qcamerad mediaserver:fd use;
diff --git a/sepolicy/msm_irqbalanced.te b/sepolicy/msm_irqbalanced.te
new file mode 100644
index 0000000..6cbf2e5
--- /dev/null
+++ b/sepolicy/msm_irqbalanced.te
@@ -0,0 +1 @@
+allow msm_irqbalanced proc:file r_file_perms;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..c6b9ddc
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,3 @@
+allow netd netd:capability sys_module;
+
+binder_use(netd);
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
new file mode 100644
index 0000000..b5d14a9
--- /dev/null
+++ b/sepolicy/netmgrd.te
@@ -0,0 +1,19 @@
+#Allow netmgrd operations
+allow netmgrd netmgrd:capability {
+ dac_override
+};
+
+set_prop(netmgrd, system_prop)
+set_prop(netmgrd, net_radio_prop)
+
+allow netmgrd self:netlink_xfrm_socket { create bind };
+
+allow netmgrd shell_exec:file rx_file_perms;
+
+rw_dir_file(netmgrd, sysfs)
+r_dir_file(netmgrd, sysfs_pronto)
+r_dir_file(netmgrd, sysfs_socinfo)
+r_dir_file(netmgrd, sysfs_subsys)
+
+allow netmgrd toolbox_exec:file rx_file_perms;
+
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..4693a65
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1,2 @@
+allow nfc media_rw_data_file:dir rw_dir_perms;
+allow nfc media_rw_data_file:file rename;
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
new file mode 100644
index 0000000..e099264
--- /dev/null
+++ b/sepolicy/peripheral_manager.te
@@ -0,0 +1,7 @@
+# Needed by ipc_router
+allow per_mgr self:capability net_raw;
+
+allow per_mgr subsys_modem_device:chr_file { open read };
+
+r_dir_file(per_mgr, sysfs_pronto)
+r_dir_file(per_mgr, sysfs_subsys)
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..9f9faff
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,2 @@
+allow platform_app fm_radio_device:chr_file { open read };
+
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..9fd2336
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,16 @@
+allow priv_app device:dir r_dir_perms;
+allow priv_app vfat:dir rw_dir_perms;
+allow priv_app vfat:dir create;
+allow priv_app vfat:dir { setattr rmdir };
+allow priv_app vfat:file rw_file_perms;
+allow priv_app vfat:file { create getattr };
+
+allow priv_app block_device:dir { getattr };
+allow priv_app proc_sysrq:file { getattr };
+allow priv_app proc_iomem:file { getattr };
+
+allow priv_app sysfs:dir r_dir_perms;
+allow priv_app sysfs:file r_file_perms;
+
+# sonycam
+allow priv_app device:dir r_dir_perms;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..e19c2f3
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,7 @@
+type tee_prop, property_type;
+type timekeep_prop, property_type;
+
+type adbtcpes_prop, property_type;
+
+type keyprovd_prop, property_type;
+
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..4d7de5e
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,7 @@
+sys.keymaster.loaded u:object_r:tee_prop:s0
+sys.listeners.registered u:object_r:tee_prop:s0
+persist.sys.timeadjust u:object_r:timekeep_prop:s0
+
+adb.network.port.es u:object_r:adbtcpes_prop:s0
+
+persist.keyprovd. u:object_r:keyprovd_prop:s0
diff --git a/sepolicy/qmuxd.te b/sepolicy/qmuxd.te
new file mode 100644
index 0000000..c241e44
--- /dev/null
+++ b/sepolicy/qmuxd.te
@@ -0,0 +1,3 @@
+r_dir_file(qmuxd, sysfs_pronto)
+r_dir_file(qmuxd, sysfs_socinfo)
+r_dir_file(qmuxd, sysfs_subsys)
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..a8d4b2c
--- /dev/null
+++ b/sepolicy/qseecomd.te
@@ -0,0 +1,8 @@
+# Allow tee to directly save and load fingerprint data
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee);
+
+set_prop(tee, tee_prop)
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..9ba85de
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1 @@
+allow radio system_app_data_file:dir getattr;
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..ee9df67
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,2 @@
+# Recovery needs access to syslog
+allow recovery self:capability2 syslog;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..fd5c70b
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,22 @@
+binder_call(audioserver, rild)
+binder_call(rild, audioserver)
+binder_call(rild, mediaserver)
+binder_service(rild)
+
+qmux_socket(rild);
+
+allow rild sysfs_pronto:file r_file_perms;
+allow rild { audioserver_service mediaserver_service }:service_manager find;
+
+r_dir_file(rild, sysfs_socinfo)
+r_dir_file(rild, sysfs_subsys)
+
+allow rild tee_device:chr_file { read write open ioctl };
+allow rild idd_socket:dir { search };
+allow rild idd_file:dir create_dir_perms;
+allow rild idd_socket:sock_file { write };
+allow rild idd:unix_dgram_socket { sendto };
+
+allow rild persist_file:dir create_dir_perms;
+
+unix_socket_connect(rild, tad, tad)
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
new file mode 100644
index 0000000..671234e
--- /dev/null
+++ b/sepolicy/rmt_storage.te
@@ -0,0 +1,12 @@
+allow rmt_storage debugfs_rmt_storage:file rw_file_perms;
+allow rmt_storage debugfs_rmt_storage:dir r_dir_perms;
+allow rmt_storage { debugfs debugfs_rmt_storage }:filesystem associate;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability {
+ dac_override
+ net_raw
+};
+
+r_dir_file(rmt_storage, sysfs_rmt_storage)
+r_dir_file(rmt_storage, sysfs_uio)
diff --git a/sepolicy/sct.te b/sepolicy/sct.te
new file mode 100644
index 0000000..5badd30
--- /dev/null
+++ b/sepolicy/sct.te
@@ -0,0 +1,12 @@
+type sct, domain, domain_deprecated;
+type sct_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(sct)
+
+allow sct self:capability net_raw;
+
+allow sct self:socket create_socket_perms;
+
+# Access to /dev/smem_log
+allow sct smem_log_device:chr_file rw_file_perms;
diff --git a/sepolicy/seapp_contexts b/sepolicy/seapp_contexts
new file mode 100644
index 0000000..5162ba3
--- /dev/null
+++ b/sepolicy/seapp_contexts
@@ -0,0 +1,2 @@
+#Add new domain for Timekeep
+user=system seinfo=platform name=com.sony.timekeep domain=system_app type=system_app_data_file
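Review bot: `allow rild tee_device:chr_file { read write open ioctl };` in sepolicy/rild.te opens the TEE device node to the radio daemon with no comment saying which feature needs it. rild handles data that originates from the modem, so a direct path from it to the secure-world driver should be justified or removed; at minimum put a why-comment above the rule, e.g. `# <feature> reaches the TEE through this node (fill in)`. `allow rild persist_file:dir create_dir_perms;` likewise grants directory creation on the generic persist label without explanation.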
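Review bot: The comment `# sys_admin is needed for ioprio_set` in sepolicy/rmt_storage.te does not match the rule beneath it, which grants `dac_override` and `net_raw` and never mentions `sys_admin`. Either the comment is stale or the wrong capabilities were listed; replace it with one that accounts for what is actually granted, e.g. `# net_raw: <reason>; dac_override: <reason or drop>`. `dac_override` bypasses file permission checks entirely, so correcting the owner or mode of the files involved is preferable where that is possible.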
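Review bot: The comment `#Add new domain for Timekeep` in sepolicy/seapp_contexts is inaccurate, because the entry maps `com.sony.timekeep` to the existing `system_app` domain rather than a new one. The consequence is that the Timekeep-specific grants this commit adds to system_app.te (`set_prop(system_app, timekeep_prop)` and create access on `time_data_file`) apply to every app running as `system_app`. Reword the comment to `# Timekeep runs in system_app`, or give the package its own domain so those grants can be confined to it.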
diff --git a/sepolicy/secd.te b/sepolicy/secd.te
new file mode 100644
index 0000000..2945eec
--- /dev/null
+++ b/sepolicy/secd.te
@@ -0,0 +1,26 @@
+type secd, domain, domain_deprecated;
+type secd_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(secd)
+
+# Connect to /dev/socket/tad
+unix_socket_connect(secd, tad, tad)
+
+# Connect to /idd/socket
+allow secd idd_socket:dir rw_dir_perms;
+allow secd idd_socket:sock_file rw_file_perms;
+allow secd idd:unix_dgram_socket { sendto };
+unix_socket_connect(secd, idd, idd)
+
+# Read /proc/stat
+allow secd proc:file r_file_perms;
+
+allow secd tee_device:chr_file rw_file_perms;
+
+allow secd secd_data_file:file create_file_perms;
+allow secd secd_data_file:dir create_dir_perms;
+
+allow secd idd_file:file create_file_perms;
+allow secd idd_file:dir { create_dir_perms search };
+
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..7952c39
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,12 @@
+allow sensors self:capability {
+ net_raw
+};
+
+allow sensors self:socket { bind create ioctl read write };
+
+r_dir_file(sensors, sysfs_pronto)
+r_dir_file(sensors, sysfs_socinfo)
+r_dir_file(sensors, sysfs_subsys)
+r_dir_file(sensors, system_file)
+
+unix_socket_connect(sensors, tad, tad)
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..06a71e4
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1 @@
+type timekeep_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..162c0e1
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1 @@
+com.sony.timekeep u:object_r:timekeep_service:s0
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
new file mode 100644
index 0000000..f83511e
--- /dev/null
+++ b/sepolicy/shell.te
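Review bot: `allow secd proc:file r_file_perms;` in sepolicy/secd.te is commented `# Read /proc/stat`, but the rule covers every file that carries the generic `proc` label, not that one file; the comment should make the breadth visible, e.g. `# /proc/stat has the generic proc label, so this opens all of it`. The same rule and comment appear in sepolicy/tad.te. In the last rule `{ create_dir_perms search }` can be written as plain `create_dir_perms`, since that permission set already contains `search`; startup-logger.te, system_app.te and timekeep.te repeat the same redundancy.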
@@ -0,0 +1,7 @@
+get_prop(shell, boot_animation_prop)
+get_prop(shell, camera_prop)
+get_prop(shell, device_logging_prop)
+get_prop(shell, mmc_prop)
+get_prop(shell, safemode_prop)
+get_prop(shell, tee_prop)
+get_prop(shell, timekeep_prop)
diff --git a/sepolicy/startup-logger.te b/sepolicy/startup-logger.te
new file mode 100644
index 0000000..0f1c8e2
--- /dev/null
+++ b/sepolicy/startup-logger.te
@@ -0,0 +1,22 @@
+# startup-logger
+type startup-logger, domain, domain_deprecated;
+type startup-logger_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(startup-logger)
+
+# Connect to /dev/socket/tad
+unix_socket_connect(startup-logger, tad, tad)
+
+allow startup-logger self:capability {
+ dac_read_search
+ dac_override
+ net_admin
+ setgid
+ setuid
+ sys_nice
+};
+
+allow startup-logger dpmd_exec:file { getattr read open };
+allow startup-logger idd_file:dir { create_dir_perms search };
+allow startup-logger idd_file:file { create_file_perms };
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..3b61b46
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,3 @@
+rw_dir_file(surfaceflinger, sysfs_graphics)
+
+allow surfaceflinger persist_display_file:dir { search };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..ac9b004
--- /dev/null
+++ b/sepolicy/system_app.te
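Review bot: The capability block in sepolicy/startup-logger.te (`dac_read_search dac_override net_admin setgid setuid sys_nice`) has no comment for any of its six entries, so a reviewer cannot tell which are required and which were copied from audit denials. `dac_override` together with `setuid`/`setgid` lets the daemon sidestep file ownership checks; if they are present only because the service starts as root and then drops privileges, say so, and check whether the init service entry could set the user and groups instead so the grant can shrink. A header such as `# setuid/setgid: <reason>; net_admin: <reason>; dac_*: <reason>` above the rule would be enough.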
@@ -0,0 +1,18 @@
+# fm_radio app needes (open read ioctl) on fm_radio_device
+
+set_prop(system_app, timekeep_prop)
+
+r_dir_file(system_app, sysfs_timekeep)
+
+allow system_app activity_service:service_manager find;
+allow system_app connectivity_service:service_manager find;
+allow system_app display_service:service_manager find;
+allow system_app network_management_service:service_manager find;
+allow system_app time_data_file:dir { create_dir_perms search };
+allow system_app time_data_file:file create_file_perms;
+allow system_app media_rw_data_file:dir r_dir_perms;
+allow system_app fuse_device:filesystem getattr;
+
+# ExtendedSettings props
+allow system_app adbtcpes_prop:property_service set;
+allow system_app camera_prop:property_service set;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..8ee93a1
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,10 @@
+allow system_server { persist_file system_app_data_file }:dir { open read search };
+allow system_server persist_file:file { getattr open write };
+allow system_server xlat_prop:file { getattr open read };
+
+r_dir_file(system_server, sysfs_addrsetup)
+r_dir_file(system_server, sysfs_pronto)
+r_dir_file(system_server, sysfs_socinfo)
+r_dir_file(system_server, sysfs_subsys)
+
+allow system_server fingerprintd_data_file:sock_file rw_file_perms;
diff --git a/sepolicy/ta_qmi.te b/sepolicy/ta_qmi.te
new file mode 100644
index 0000000..303d5b0
--- /dev/null
+++ b/sepolicy/ta_qmi.te
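Review bot: The last two rules of sepolicy/system_app.te use raw `allow system_app adbtcpes_prop:property_service set;` while the top of the same file uses `set_prop(system_app, timekeep_prop)`; use the macro for all three (`set_prop(system_app, adbtcpes_prop)` and `set_prop(system_app, camera_prop)`) so the grants have one shape. It is worth stating what the first one permits: property_contexts in this commit labels `adb.network.port.es` as `adbtcpes_prop`, so any app in the `system_app` domain can change that property, and a comment naming the one component expected to do so would help later audits. The opening comment `# fm_radio app needes (open read ioctl) on fm_radio_device` is followed by no rule and contains a typo, so it should be dropped.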
@@ -0,0 +1,21 @@
+type ta_qmi, domain, domain_deprecated;
+type ta_qmi_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(ta_qmi)
+
+# XXX: What exactly is this needed for? - Need to investigate
+allow ta_qmi self:capability { dac_override net_raw };
+
+allow ta_qmi self:socket create_socket_perms;
+
+# Connect to /dev/socket/tad
+unix_socket_connect(ta_qmi, tad, tad)
+
+# Wakelocks!
+wakelock_use(ta_qmi)
+
+# Access to /dev/smem_log
+allow ta_qmi smem_log_device:chr_file rw_file_perms;
+
+allow ta_qmi self:capability { setgid setuid };
diff --git a/sepolicy/tad.te b/sepolicy/tad.te
new file mode 100644
index 0000000..9dbd3e4
--- /dev/null
+++ b/sepolicy/tad.te
@@ -0,0 +1,12 @@
+type tad, domain, domain_deprecated;
+type tad_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(tad)
+
+# Read /proc/stat
+allow tad proc:file r_file_perms;
+
+# Allow tad to work it's magic
+allow tad trim_area_partition_device:blk_file rw_file_perms;
+allow tad block_device:dir search;
diff --git a/sepolicy/taimport.te b/sepolicy/taimport.te
new file mode 100644
index 0000000..6376e1b
--- /dev/null
+++ b/sepolicy/taimport.te
@@ -0,0 +1,19 @@
+type taimport, domain, domain_deprecated;
+type taimport_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(taimport)
+
+allow taimport self:capability {
+ dac_override
+ net_raw
+ net_admin
+ setuid
+ setgid
+ chown
+ fsetid
+};
+
+allow taimport init:unix_stream_socket { connectto };
+allow taimport taimport_exec:file { getattr read };
+allow taimport property_socket:sock_file { write };
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
new file mode 100644
index 0000000..f145a27
--- /dev/null
+++ b/sepolicy/te_macros
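Review bot: sepolicy/ta_qmi.te grants capabilities in two separate rules, `{ dac_override net_raw }` near the top and `{ setgid setuid }` on the last line, and the first still carries `# XXX: What exactly is this needed for?`. Merge them so the full set is visible in one place, and resolve the XXX before this lands: `dac_override` should come out and be re-added only if a denial shows it is required. The merged rule would read `allow ta_qmi self:capability { net_raw setgid setuid };` with a one-line reason for each entry above it.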
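Review bot: The first and third of the last three rules in sepolicy/taimport.te hand-roll a connection to the property socket (`init:unix_stream_socket connectto` and `property_socket:sock_file write`), whereas updatemiscta.te in this commit expresses the same thing as `unix_socket_connect(updatemiscta, property, init)`; taimport should use `unix_socket_connect(taimport, property, init)` for consistency. No `property_service set` rule accompanies it, so as far as this hunk shows the domain can reach the socket but is not allowed to set any property, which suggests either a missing `set_prop` or an unneeded grant. The seven-entry capability block above it has no comment, and each entry needs a stated reason or should be removed.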
@@ -0,0 +1,9 @@
+#####################################
+# rw_dir_file(domain, type)
+# Allow the specified domain to read and write directories, files
+# and symbolic links of the specified type.
+define(`rw_dir_file', `
+allow $1 $2:dir rw_dir_perms;
+allow $1 $2:{ file lnk_file } rw_file_perms;
+')
+
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..a81cde2
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,7 @@
+allow tee persist_file:file create_file_perms;
+allow tee persist_file:dir create_dir_perms;
+
+allow tee persist_drm_file:file create_file_perms;
+allow tee persist_drm_file:dir create_dir_perms;
+
+allow tee qseeproxy_service:service_manager add;
diff --git a/sepolicy/tfa_amp.te b/sepolicy/tfa_amp.te
new file mode 100644
index 0000000..34e7b84
--- /dev/null
+++ b/sepolicy/tfa_amp.te
@@ -0,0 +1,10 @@
+type tfa_amp, domain, domain_deprecated;
+type tfa_amp_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(tfa_amp)
+
+allow tfa_amp self:capability dac_override;
+
+# Access to /dev/tfa98xx
+allow tfa_amp audio_device:chr_file rw_file_perms;
diff --git a/sepolicy/thermanager.te b/sepolicy/thermanager.te
new file mode 100644
index 0000000..81bd800
--- /dev/null
+++ b/sepolicy/thermanager.te
@@ -0,0 +1,15 @@
+type thermanager, domain, domain_deprecated;
+type thermanager_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(thermanager)
+
+allow thermanager self:capability dac_override;
+
+# Hotplugging destroys sysfs so they lose all contexts when recreated.
+rw_dir_file(thermanager, sysfs)
+
+rw_dir_file(thermanager, sysfs_devices_system_cpu)
+rw_dir_file(thermanager, sysfs_usb_supply)
+rw_dir_file(thermanager, sysfs_thermal)
+rw_dir_file(thermanager, sysfs_performance)
diff --git a/sepolicy/timekeep.te b/sepolicy/timekeep.te
new file mode 100644
index 0000000..69d2da2
--- /dev/null
+++ b/sepolicy/timekeep.te
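Review bot: sepolicy/tee.te gives `tee` `create_file_perms` and `create_dir_perms` on the generic `persist_file` label in addition to the dedicated `persist_drm_file`. The generic pair lets the TEE daemon create and modify anything carrying that label; if it only needs its own subdirectory, label that path with its own type, as was done for `persist_drm_file`, and drop the first two rules. If the generic access has to stay, add a comment naming the path, e.g. `# <path under /persist> has no dedicated label yet`.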
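Review bot: `rw_dir_file(thermanager, sysfs)` in sepolicy/thermanager.te gives the daemon write access to every sysfs node that carries the default label, which is far wider than the CPU nodes the comment is about. The comment explains the cause (nodes recreated on hotplug come back without their context) but not the cost, so extend it, e.g. `# TODO: narrow to sysfs_devices_system_cpu once hotplugged nodes are relabelled`. If the recreated nodes can be relabelled when they reappear, the generic grant can go entirely. `allow thermanager self:capability dac_override;` just above has no justification either.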
@@ -0,0 +1,20 @@
+type timekeep, domain, domain_deprecated;
+type timekeep_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(timekeep)
+
+allow timekeep self:capability {
+ fowner
+ fsetid
+ sys_time
+ dac_override
+ dac_read_search
+};
+
+allow timekeep time_data_file:file create_file_perms;
+allow timekeep time_data_file:dir { create_dir_perms search };
+
+set_prop(timekeep, timekeep_prop)
+
+r_dir_file(timekeep, sysfs_timekeep)
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
new file mode 100644
index 0000000..e9c8b54
--- /dev/null
+++ b/sepolicy/toolbox.te
@@ -0,0 +1 @@
+allow toolbox self:capability dac_override;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..8afe934
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,10 @@
+# For BT to access sysfs_bluetooth_writable
+rw_dir_file(ueventd, sysfs_bluetooth_writable)
+
+allow ueventd tmpfs:file create_file_perms;
+allow ueventd tmpfs:dir create_dir_perms;
+
+allow ueventd device:file relabelfrom;
+allow ueventd urandom_device:file { relabelto setattr };
+allow ueventd vfat:file { open read };
+
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
new file mode 100644
index 0000000..6f4e78c
--- /dev/null
+++ b/sepolicy/uim.te
@@ -0,0 +1,10 @@
+type uim, domain;
+
+rw_dir_file(uim, sysfs)
+rw_dir_file(uim, brcm_ldisc_sysfs)
+rw_dir_file(uim, bluetooth_data_file)
+rw_dir_file(uim, sysfs_bluetooth_writable)
+allow uim brcm_uim_exec:file { entrypoint read execute getattr };
+allow uim hci_attach_dev:chr_file { read write ioctl open };
+allow uim self:capability { net_admin dac_override };
+allow uim rootfs:lnk_file getattr;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..b869251
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1 @@
+allow uncrypt kmsg_device:chr_file { write };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..253f2a9
--- /dev/null
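Review bot: `allow toolbox self:capability dac_override;` is the entire content of sepolicy/toolbox.te and has no comment. The `toolbox` domain is shared by the toolbox commands that init scripts run, so the capability applies to all of them rather than to one script; name the command and path that produced the denial, e.g. `# init.<board>.rc: <command> on <path> (fill in)`, or fix the ownership of that path so the rule is unnecessary.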
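Review bot: `allow ueventd urandom_device:file { relabelto setattr };` in sepolicy/ueventd.te, and `allow vold urandom_device:file { getattr open read };` in vold.te, use class `file` with a device label, but a device node is class `chr_file`, so these rules match only a regular file carrying that label. If something on this platform creates a regular file where the node should be, that is the defect to fix; if the denials were for the character device, the class here should be `chr_file`. `allow ueventd device:file relabelfrom;` has the same shape, and a comment stating which case applies would settle it.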
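Review bot: `rw_dir_file(uim, sysfs)` on the third line of sepolicy/uim.te grants write on all default-labelled sysfs nodes even though the two lines after it already cover the dedicated `brcm_ldisc_sysfs` and `sysfs_bluetooth_writable` types. If a node the daemon writes is still unlabelled, label it and drop the generic rule, or record the gap in a comment: `# TODO: <node> still has the default sysfs label`. The `dac_override` in the capability rule near the end is also unexplained.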
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,14 @@
+allow untrusted_app vfat:dir rw_dir_perms;
+allow untrusted_app vfat:dir create;
+allow untrusted_app vfat:file rw_file_perms;
+allow untrusted_app vfat:file create;
+allow untrusted_app vfat:dir { setattr rmdir };
+
+allow untrusted_app block_device:dir { getattr };
+allow untrusted_app proc_sysrq:file { getattr };
+allow untrusted_app proc_iomem:file { getattr };
+
+allow untrusted_app sysfs:dir r_dir_perms;
+allow untrusted_app sysfs:file r_file_perms;
+allow untrusted_app sysfs_zram:dir r_dir_perms;
+allow untrusted_app sysfs_zram:file r_file_perms;
diff --git a/sepolicy/updatemiscta.te b/sepolicy/updatemiscta.te
new file mode 100644
index 0000000..22bf080
--- /dev/null
+++ b/sepolicy/updatemiscta.te
@@ -0,0 +1,14 @@
+type updatemiscta, domain, domain_deprecated;
+type updatemiscta_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(updatemiscta)
+
+# Connect to /dev/socket/tad
+unix_socket_connect(updatemiscta, tad, tad)
+
+# Connect to /idd/socket
+unix_socket_connect(updatemiscta, idd, idd)
+
+# Connect to /dev/socket/property
+unix_socket_connect(updatemiscta, property, init)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..ca875ea
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,5 @@
+allow vold urandom_device:file { getattr open read };
+allow vold storage_stub_file:dir rw_dir_perms;
+allow vold fuse_device:dir { open read search write };
+
+allow vold tee_prop:file { read open getattr };
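Review bot: `allow untrusted_app sysfs:dir r_dir_perms;` and `allow untrusted_app sysfs:file r_file_perms;` in sepolicy/untrusted_app.te let every third-party app read all sysfs nodes that carry the default label, and nothing in the hunk says which node an app actually needs. Label that node with its own type and grant only that, the way `sysfs_zram` is handled two lines further down, then delete the generic pair. The `getattr` grants on `block_device`, `proc_sysrq` and `proc_iomem` look like log-silencing for stat() probes; if so, `dontaudit untrusted_app { proc_sysrq proc_iomem }:file getattr;` and `dontaudit untrusted_app block_device:dir getattr;` achieve that without allowing the access.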
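Review bot: The last rule of sepolicy/vold.te, `allow vold tee_prop:file { read open getattr };`, spells out by hand what shell.te in this commit writes as `get_prop(shell, tee_prop)`; use `get_prop(vold, tee_prop)` so property reads look the same across the policy. `allow vold fuse_device:dir { open read search write };` grants directory write with no comment, so add one saying what vold creates or removes there.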