From 30c8d6c293ff49d826422e35a3b0ae55c119c759 Mon Sep 17 00:00:00 2001 
From: Arian Date: Tue, 19 Mar 2024 22:26:56 +0100 Subject: [PATCH] sm8450-common: sepolicy: Overall cleanup Change-Id: I0d6282ea0315774fa29e8155cb0e113123025623 --- sepolicy/public/property_contexts | 5 --- sepolicy/vendor/agmservice_qti.te | 1 - sepolicy/vendor/audioadsprpcd.te | 2 - sepolicy/vendor/audioserver.te | 8 ---- sepolicy/vendor/batterysecret.te | 17 ++++--- sepolicy/vendor/bluetooth.te | 27 ----------- sepolicy/vendor/bootanim.te | 2 - sepolicy/vendor/device.te | 21 ++++++--- sepolicy/vendor/file_contexts | 5 +-- sepolicy/vendor/genfs_contexts | 1 + sepolicy/vendor/hal_audio.te | 8 +--- sepolicy/vendor/hal_camera_default.te | 35 +++++---------- .../vendor/hal_citsensorservice_xiaomi.te | 45 +++++++------------ sepolicy/vendor/hal_fingerprint.te | 4 +- sepolicy/vendor/hal_mfidoca.te | 22 ++++----- sepolicy/vendor/hal_mlipay.te | 24 +++++----- sepolicy/vendor/hal_mtdservice.te | 30 ++++++------- sepolicy/vendor/hal_nfc.te | 4 +- sepolicy/vendor/hal_quickcamera.te | 28 +++--------- sepolicy/vendor/hal_secure_element.te | 4 +- sepolicy/vendor/hal_sensorcommunicate.te | 26 +++++------ sepolicy/vendor/hal_sensors.te | 4 +- sepolicy/vendor/hal_slaservice.te | 21 +++++---- sepolicy/vendor/hal_tidaservice.te | 29 ++++++------ sepolicy/vendor/hwservice_contexts | 30 ++++++++----- sepolicy/vendor/init.te | 3 +- sepolicy/vendor/mi_thermald.te | 7 ++- sepolicy/vendor/property.te | 3 -- sepolicy/vendor/qrtr.te | 2 - sepolicy/vendor/rild.te | 4 +- sepolicy/vendor/slad.te | 5 +++ sepolicy/vendor/surfaceflinger.te | 1 - sepolicy/vendor/tee.te | 3 +- sepolicy/vendor/vendor_qti_init_shell.te | 10 +---- sepolicy/vendor/wcnss_service.te | 16 ++----- 35 files changed, 184 insertions(+), 273 deletions(-) delete mode 100644 sepolicy/public/property_contexts delete mode 100644 sepolicy/vendor/agmservice_qti.te delete mode 100644 sepolicy/vendor/audioadsprpcd.te delete mode 100644 sepolicy/vendor/audioserver.te delete mode 100644 sepolicy/vendor/bluetooth.te delete mode 100644 
sepolicy/vendor/bootanim.te delete mode 100644 sepolicy/vendor/qrtr.te delete mode 100644 sepolicy/vendor/surfaceflinger.te diff --git a/sepolicy/public/property_contexts b/sepolicy/public/property_contexts deleted file mode 100644 index 075ddf8..0000000 --- a/sepolicy/public/property_contexts +++ /dev/null @@ -1,5 +0,0 @@ -# MIUI -ro.miui. u:object_r:exported_system_prop:s0 -ro.product.mod_device u:object_r:exported_default_prop:s0 exact string -ro.cust.test u:object_r:exported_system_prop:s0 -ro.carrier u:object_r:exported_default_prop:s0 exact string diff --git a/sepolicy/vendor/agmservice_qti.te b/sepolicy/vendor/agmservice_qti.te deleted file mode 100644 index 8fbf391..0000000 --- a/sepolicy/vendor/agmservice_qti.te +++ /dev/null @@ -1 +0,0 @@ -allow vendor_agmservice_qti debugfs:dir r_dir_perms; diff --git a/sepolicy/vendor/audioadsprpcd.te b/sepolicy/vendor/audioadsprpcd.te deleted file mode 100644 index 3d09e8c..0000000 --- a/sepolicy/vendor/audioadsprpcd.te +++ /dev/null @@ -1,2 +0,0 @@ -allow vendor_audioadsprpcd vendor_audio_data_file:dir search; -allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write }; diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te deleted file mode 100644 index 66e8b39..0000000 --- a/sepolicy/vendor/audioserver.te +++ /dev/null @@ -1,8 +0,0 @@ -allow audioserver system_server:dir search; -allow audioserver mediaserver:dir search; -allow audioserver mediaserver:file { open read }; -allow audioserver system_app:dir search; -allow audioserver hal_audio_default:process signal; -allow audioserver sound_device:chr_file rw_file_perms; -get_prop(audioserver, bootanim_system_prop) -set_prop(audioserver, audio_prop) diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te index aeaf192..53563b5 100644 --- a/sepolicy/vendor/batterysecret.te +++ b/sepolicy/vendor/batterysecret.te 
@@ -1,3 +1,11 @@ +type batterysecret, domain; +type batterysecret_exec, exec_type, vendor_file_type, file_type; + +hwbinder_use(batterysecret) +init_daemon_domain(batterysecret) + +binder_call(batterysecret, system_suspend_server) + allow batterysecret rootfs:dir write; allow batterysecret self:capability sys_tty_config; allow batterysecret self:capability sys_boot; @@ -12,8 +20,6 @@ allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms; allow batterysecret vendor_sysfs_qcom_battery:file write; allow batterysecret vendor_sysfs_qcom_battery:file { open read write }; allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms; -allow batterysecret system_suspend_server:binder { call transfer }; -allow batterysecret system_suspend_server:fd *; allow batterysecret system_suspend_hwservice:hwservice_manager find; allow batterysecret hidl_manager_hwservice:hwservice_manager find; allow batterysecret sysfs:file write; @@ -22,14 +28,13 @@ allow batterysecret vendor_sysfs_usb_supply:file write; allow batterysecret sysfs_batteryinfo:file r_file_perms; allow batterysecret kmsg_device:chr_file rw_file_perms; allow batterysecret mnt_vendor_file:dir rw_dir_perms; -init_daemon_domain(batterysecret) + r_dir_file(batterysecret, sysfs_type) r_dir_file(batterysecret, rootfs) r_dir_file(batterysecret, cgroup) r_dir_file(batterysecret, vendor_sysfs_usb_supply) + get_prop(batterysecret, hwservicemanager_prop) get_prop(batterysecret, vendor_default_prop) set_prop(batterysecret, vendor_system_prop) -hwbinder_use(batterysecret) -type batterysecret, domain; -type batterysecret_exec, exec_type, vendor_file_type, file_type; + diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te deleted file mode 100644 index e9fb29f..0000000 --- a/sepolicy/vendor/bluetooth.te +++ /dev/null 
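Review bot: The second hunk leaves three overlapping grants on one object in place — the `allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;` shown in the hunk header, then `allow batterysecret vendor_sysfs_qcom_battery:file write;` and `allow batterysecret vendor_sysfs_qcom_battery:file { open read write };` as context — where `rw_file_perms` already subsumes the other two, so a cleanup pass should drop the latter pair. The context line `allow batterysecret sysfs:file write;` grants write on every sysfs node that carries no dedicated label; since hal_audio.te in this same patch removes its generic `sysfs:file rw_file_perms`, the battery nodes this daemon writes would be better labelled specifically (the existing `vendor_sysfs_qcom_battery` looks like the candidate) so the generic rule can go too. The third hunk also appears to append a blank line at end of file, which is cosmetic but worth trimming in a cleanup commit.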
@@ -1,27 +0,0 @@ -allow bluetooth hal_audio:binder { call transfer }; -allow bluetooth hal_audio:fd *; -allow bluetooth sysfs_bluetooth_writable:file w_file_perms; -allow bluetooth media_rw_data_file:dir create_dir_perms; -allow bluetooth media_rw_data_file:file create_file_perms; -allow bluetooth serial_device:chr_file rw_file_perms; -allow bluetooth uhid_device:chr_file rw_file_perms; -allow bluetooth vendor_bt_device:chr_file rw_file_perms; -allow bluetooth vendor_smd_device:chr_file rw_file_perms; -allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find; -allow bluetooth vendor_default_prop:file { getattr map }; -allow bluetooth vendor_bt_data_file:dir search; -allow bluetooth vendor_bt_data_file:file { getattr open read }; -allow bluetooth system_app_data_file:dir getattr; -allow bluetooth system_app_data_file:file { getattr open read }; -allow bluetooth self:socket { create getopt read write }; -#allow bluetooth self:socket ioctl; -allow bluetooth servicemanager:fd *; -allow bluetooth system_app:binder { call transfer }; -allow bluetooth system_app:fd *; -allow bluetooth vendor_dun_service:service_manager find; -allow bluetooth hal_audio_hwservice:hwservice_manager find; -#allowxperm bluetooth self:ioctl socket ((range 0xc300 0xc305)); -dontaudit bluetooth netd_service:service_manager find; -get_prop(bluetooth, vendor_display_prop) -get_prop(bluetooth, vendor_audio_prop) -binder_use(bluetooth) diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te deleted file mode 100644 index 819874a..0000000 --- a/sepolicy/vendor/bootanim.te +++ /dev/null @@ -1,2 +0,0 @@ -allow bootanim vendor_audio_prop:file read; -allow bootanim vendor_proc_audiod:file read; diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te index 54b32b9..06520bc 100644 --- a/sepolicy/vendor/device.te +++ b/sepolicy/vendor/device.te 
@@ -1,9 +1,20 @@ -type vendor_displayfeature_device, dev_type; +# Audio type sound_device, dev_type, mlstrustedobject; + +# Camera type stmvl53l5_device, dev_type; + +# Display +type vendor_displayfeature_device, dev_type; + +# Fingerprint type vendor_fingerprint_device, dev_type; -type touchfeature_device, dev_type; -type vendor_radio_smd_device, dev_type; + +# IR type ir_spi_device, dev_type; -type ddr_partition, dev_type; -type minidump_data_file, data_file_type, file_type; + +# Modem +type vendor_radio_smd_device, dev_type; + +# Touchscreen +type touchfeature_device, dev_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 49abf27..ebdc4bd 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -11,7 +11,6 @@ # Camera /(vendor|system/vendor)/bin/hw/vendor.xiaomi.hardware.quickcamera@1.0-service u:object_r:hal_quickcamera_default_exec:s0 /mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0 -#/vendor/bin/camera_cal u:object_r:DualCameraCal_exec:s0 /vendor/lib(64)?/libQnnHtpV69Stub\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libQnnHtp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libSNPE\.so u:object_r:same_process_hal_file:s0 @@ -64,6 +63,7 @@ # Mac Address /data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0 +/mnt/vendor/persist/qca6490/wlan_mac\.bin u:object_r:vendor_mac_vendor_data_file:s0 /vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0 # Mlipay @@ -86,9 +86,6 @@ # QRTR /(vendor|system/vendor)/bin/qrtr-lookup u:object_r:vendor_qrtr_exec:s0 -# RIL -/data/vendor/diag(/.*)? u:object_r:minidump_data_file:s0 - # Sensors /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi-multihal u:object_r:hal_sensors_default_exec:s0 /(vendor|system/vendor)/bin/hw/vendor.xiaomi.sensor.communicate@1.0-service u:object_r:vendor_hal_sensorcommunicate_default_exec:s0 
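Review bot: Dropping `type ddr_partition, dev_type;` and `type minidump_data_file, data_file_type, file_type;` is only safe if no other .te, file_contexts or genfs entry still names these types; the file_contexts hunk in this patch removes the `/data/vendor/diag(/.*)?` labelling, but rild.te is also touched according to the diffstat and is not visible here, so please confirm the policy still compiles with both types gone. With the minidump label removed, anything under `/data/vendor/diag` falls back to the label of its parent path, which may widen the set of domains able to reach those diagnostic dumps compared with a dedicated type — if the directory is still created on the device, it deserves an explicit entry rather than inheriting one.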
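Review bot: The new entry `/mnt/vendor/persist/qca6490/wlan_mac\.bin u:object_r:vendor_mac_vendor_data_file:s0` reuses a type that, judging by its sibling entry `/data/vendor/mac_addr(/.*)?`, was introduced for the data partition; files on /mnt/vendor/persist normally carry a type with the `vendor_persist_type` attribute so the persist-specific rules and neverallows apply to them. Unless `vendor_mac_vendor_data_file` is declared with that attribute (its declaration is not in this patch), consider a dedicated persist type for this path (e.g. a constructed `vendor_persist_mac_file`) and give the consumer — presumably wcnss_service, given the `nv_mac` line right below — read access on it rather than widening a data-file type across partitions.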
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index 56ba1db..6fb00e5 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -6,6 +6,7 @@ genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform # Suspend genfscon sysfs /devices/platform/soc/3000000.remoteproc-adsp/remoteproc/remoteproc2/3000000.remoteproc-adsp:glink-edge/3000000.remoteproc-adsp:glink-edge.adsp_apps.-1.-1/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/88c000.i2c/i2c-6/6-005a/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/990000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-bark/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-resin-bark/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/sepolicy/vendor/hal_audio.te b/sepolicy/vendor/hal_audio.te index ea23ad1..67d56d6 100644 --- a/sepolicy/vendor/hal_audio.te +++ b/sepolicy/vendor/hal_audio.te 
@@ -1,10 +1,6 @@ -allow hal_audio_default vendor_persist_audio_file:file rw_file_perms; -allow hal_audio_default mnt_vendor_file:dir r_dir_perms; -allow hal_audio_default vendor_audio_prop:property_service set; allow hal_audio_default audio_socket:sock_file rw_file_perms; allow hal_audio_default sound_device:chr_file rw_file_perms; -allow hal_audio_default sysfs_f0_value:file rw_file_perms; -allow hal_audio_default sysfs:file rw_file_perms; -unix_socket_connect(hal_audio_default, property, init) + unix_socket_connect(hal_audio_default, property, hal_sensors_default) + set_prop(hal_audio_default, vendor_audio_prop) diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te index 1f56e9a..5ccfc03 100644 --- a/sepolicy/vendor/hal_camera_default.te +++ b/sepolicy/vendor/hal_camera_default.te 
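Review bot: `unix_socket_connect(hal_audio_default, property, hal_sensors_default)` survives the cleanup, but that macro is shaped for the property service — it grants write on `property_socket:sock_file` and `connectto` on the named server's `unix_stream_socket` — so pairing `property` with `hal_sensors_default` reads like an audit2allow artefact rather than a description of the socket the HAL actually connects to. Removing `unix_socket_connect(hal_audio_default, property, init)` is correct because `set_prop(hal_audio_default, vendor_audio_prop)` already carries that connect, but the sensors variant should either be deleted if the denial no longer reproduces or replaced by a rule naming the real socket type, e.g. `allow hal_audio_default hal_sensors_default:unix_stream_socket connectto;` plus `sock_file` write on the properly labelled socket. Dropping the blanket `allow hal_audio_default sysfs:file rw_file_perms;` is a good least-privilege change; if the f0 value node is still needed, a `genfscon` label plus a targeted rule is the right replacement.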
@@ -1,38 +1,25 @@ attribute vendor_hal_camerapostproc_xiaomi; attribute vendor_hal_camerapostproc_xiaomi_client; attribute vendor_hal_camerapostproc_xiaomi_server; + type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type; -allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder { call transfer }; -allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder transfer; -allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:fd *; -allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find; -allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder transfer; -allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder { call transfer }; -allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:fd *; -allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer; -allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer }; -allow vendor_hal_camerapostproc_xiaomi platform_app:fd *; -allow vendor_hal_camerapostproc_xiaomi priv_app:binder transfer; -allow vendor_hal_camerapostproc_xiaomi priv_app:binder { call transfer }; -allow vendor_hal_camerapostproc_xiaomi priv_app:fd *; -allow vendor_hal_camerapostproc_xiaomi system_app:binder transfer; -allow vendor_hal_camerapostproc_xiaomi system_app:binder { call transfer }; -allow vendor_hal_camerapostproc_xiaomi system_app:fd *; -add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice) +binder_call(vendor_hal_camerapostproc_xiaomi_client, vendor_hal_camerapostproc_xiaomi_server) +binder_call(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_client) + +hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi) +hal_attribute_hwservice(hal_camera, 
vendor_hal_camerapostproc_xiaomi_hwservice) -allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find; -allow hal_camera_default mnt_vendor_file:dir search; allow hal_camera_default camera_persist_file:dir search; allow hal_camera_default vendor_persist_sensors_file:dir search; allow hal_camera_default stmvl53l5_device:chr_file { ioctl open read write }; -allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find }; -dontaudit hal_camera graphics_device:dir search; -dontaudit hal_camera_default default_prop:file read; + r_dir_file(hal_camera_default, mnt_vendor_file) r_dir_file(hal_camera_default, camera_persist_file) r_dir_file(hal_camera_default, vendor_persist_sensors_file) -hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi) -add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice) + set_prop(hal_camera_default, vendor_camera_p3enable_prop) set_prop(hal_camera_default, vendor_camera_sensor_prop) + +dontaudit hal_camera graphics_device:dir search; +dontaudit hal_camera_default default_prop:file read; diff --git a/sepolicy/vendor/hal_citsensorservice_xiaomi.te b/sepolicy/vendor/hal_citsensorservice_xiaomi.te index 8f71cb8..bb1579a 100644 --- a/sepolicy/vendor/hal_citsensorservice_xiaomi.te +++ b/sepolicy/vendor/hal_citsensorservice_xiaomi.te 
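Review bot: Replacing the explicit `find`/`add` rules with `hal_attribute_hwservice(hal_camera, vendor_hal_camerapostproc_xiaomi_hwservice)` changes who may reach the postproc service: that macro grants find to `hal_camera_client` and add to `hal_camera_server`, and in stock system/sepolicy it also emits a neverallow forbidding find from every other domain. The hunk simultaneously removes the `platform_app`/`priv_app`/`system_app` binder and fd rules, so unless those app domains are `hal_camera_client` (or the postproc service is no longer called from apps) they lose both discovery and the binder path; the same app-rule removal happens in hal_quickcamera.te. The `vendor_hal_camerapostproc_xiaomi_client` attribute is now referenced only by `binder_call` and has no `find` of its own; if it is meant to have members, `hal_attribute_hwservice(vendor_hal_camerapostproc_xiaomi, vendor_hal_camerapostproc_xiaomi_hwservice)` would be the consistent form, otherwise the three attribute declarations are dead and could be dropped. Removing `add` on `hal_quickcamera_hwservice` is right, but if hal_camera_default still looks that service up, a plain `allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager find;` needs to come back.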
@@ -1,50 +1,39 @@ -type vendor_hal_citsensorservice_xiaomi_default, domain; -type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type; -type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type; attribute vendor_hal_citsensorservice_xiaomi; attribute vendor_hal_citsensorservice_xiaomi_client; attribute vendor_hal_citsensorservice_xiaomi_server; + +type vendor_hal_citsensorservice_xiaomi_default, domain; +type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type; +type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type; + init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default) -r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file) -#set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop) -vndbinder_use(vendor_hal_citsensorservice_xiaomi) + hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi) hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator) + add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice) -allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer }; -allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer; -allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *; -allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find; -allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer; -allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer }; -allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *; -allow vendor_hal_citsensorservice_xiaomi_default 
input_device:dir rw_dir_perms; -allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms; -allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms; + +vndbinder_use(vendor_hal_citsensorservice_xiaomi) +binder_call(vendor_hal_citsensorservice_xiaomi_client, vendor_hal_citsensorservice_xiaomi_server) +binder_call(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_client) +binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice) +binder_call(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_composer) + allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms; allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms; -allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms; -allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms; allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms; allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms; allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find; -allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call; -allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer; +allow vendor_hal_citsensorservice_xiaomi_default system_server:binder { call transfer }; allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search; allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read }; allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write }; allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find; -allow vendor_hal_citsensorservice_xiaomi_default 
vendor_hal_display_config_hwservice:hwservice_manager find; -allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer }; -allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *; -allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer }; -allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *; allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find; -allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer; allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call; allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer; -allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 }; -allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 }; +allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl msm_sock_ipc_ioctls; +allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl msm_sock_ipc_ioctls; get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop) userdebug_or_eng(`get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)'); diff --git a/sepolicy/vendor/hal_fingerprint.te b/sepolicy/vendor/hal_fingerprint.te index 32b6b75..706264d 100644 --- a/sepolicy/vendor/hal_fingerprint.te +++ b/sepolicy/vendor/hal_fingerprint.te 
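Review bot: `binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice)` names an hwservice_manager type as the binder peer, so it grants nothing usable — binder call/transfer are checked against the server's process domain — while the `hwservice_manager find` on `vendor_hal_display_config_hwservice` that this hunk removes was the rule that actually mattered. Restore `allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;` and drop the misdirected `binder_call`; the composer side is already covered by `binder_call(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_composer)`. The hunk also drops `allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;` while `add_hwservice` only covers the server side, so domains that are only in the client attribute lose discovery; hal_mlipay.te and hal_quickcamera.te make the same removal. `hal_attribute_hwservice(vendor_hal_citsensorservice_xiaomi, vendor_hal_citsensorservice_xiaomi_hwservice)` would grant client find and server add in one place, provided every intended client is in the attribute. The two remaining `vendor_hal_sensorcommunicate_default:binder call` / `transfer` context lines could likewise collapse into a single `binder_call(...)`, matching the `system_server` merge done just above them.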
@@ -1,9 +1,7 @@ type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type; -allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_fingerprint_default input_device:chr_file rwx_file_perms; +allow hal_fingerprint_default input_device:chr_file rw_file_perms; allow hal_fingerprint_default input_device:dir r_dir_perms; -allow hal_fingerprint_default mnt_vendor_file:dir search; allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms; allow hal_fingerprint_default sysfs_tp_fodstatus:file r_file_perms; diff --git a/sepolicy/vendor/hal_mfidoca.te b/sepolicy/vendor/hal_mfidoca.te index b1860b5..a382bcf 100644 --- a/sepolicy/vendor/hal_mfidoca.te +++ b/sepolicy/vendor/hal_mfidoca.te @@ -1,13 +1,17 @@ type hal_mfidoca_default, domain; type hal_mfidoca_default_exec, exec_type, file_type, vendor_file_type; type hal_mfidoca_hwservice, hwservice_manager_type; + hal_attribute(mfidoca) -allow hal_mfidoca_client hal_mfidoca_server:binder { call transfer }; -allow hal_mfidoca_client hal_mfidoca_server:binder transfer; -allow hal_mfidoca_client hal_mfidoca_server:fd *; -allow hal_mfidoca_server hal_mfidoca_client:binder transfer; -allow hal_mfidoca_server hal_mfidoca_client:binder { call transfer }; -allow hal_mfidoca_server hal_mfidoca_client:fd *; +init_daemon_domain(hal_mfidoca_default) + +hwbinder_use(hal_mfidoca_default) +binder_call(hal_mfidoca_client, hal_mfidoca_server) +binder_call(hal_mfidoca_server, hal_mfidoca_client) + +add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice) +hal_server_domain(hal_mfidoca_default, hal_mfidoca) + allow hal_mfidoca_default tee_device:chr_file rw_file_perms; allow hal_mfidoca_default firmware_file:dir r_dir_perms; allow hal_mfidoca_default firmware_file:file r_file_perms; 
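Review bot: Narrowing `input_device:chr_file` from `rwx_file_perms` to `rw_file_perms` is the right call — execute on a character device is never needed. While here, the context line `allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;` pairs what is presumably a sysfs type with the `chr_file` class, which is very unlikely to match a real object (sysfs nodes are `file`), so the `file` rule directly below it is the one doing the work and the `chr_file` one could be dropped in the same cleanup. Removing `dmabuf_system_heap_device` read and `mnt_vendor_file:dir search` is fine as long as the fingerprint HAL no longer reads anything from persist; the file's remaining rules lie outside this hunk.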
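Review bot: `hwbinder_use(hal_mfidoca_default)` next to `hal_server_domain(hal_mfidoca_default, hal_mfidoca)` is redundant in a stock system/sepolicy: `hal_server_domain` puts the domain in `halserverdomain`, which already carries `hwbinder_use`, so the explicit call can go unless this tree's macros differ; the same pairing is introduced in hal_mlipay.te, hal_mtdservice.te and hal_sensorcommunicate.te. The context line `allow hal_mfidoca_default hal_mtdservice_default:binder transfer;` (also present in hal_mlipay.te) is now covered by `binder_call(hal_mtdservice_default, hal_mfidoca_default)` in hal_mtdservice.te, whose expansion includes the reverse `transfer`, so it can be removed as well. The second hunk of this file appears to append a trailing blank line at end of file.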
@@ -15,10 +19,8 @@ allow hal_mfidoca_default ion_device:chr_file rw_file_perms; allow hal_mfidoca_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read }; allow hal_mfidoca_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read }; allow hal_mfidoca_default hal_mtdservice_default:binder transfer; -init_daemon_domain(hal_mfidoca_default) + get_prop(hal_mfidoca_default, vendor_fp_prop) get_prop(hal_mfidoca_default, vendor_system_prop) set_prop(hal_mfidoca_default, vendor_payment_security_prop) -hwbinder_use(hal_mfidoca_default) -hal_server_domain(hal_mfidoca_default, hal_mfidoca) -add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice) + diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te index 35af621..28143f8 100644 --- a/sepolicy/vendor/hal_mlipay.te +++ b/sepolicy/vendor/hal_mlipay.te 
@@ -1,27 +1,25 @@ type hal_mlipay_default, domain; type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type; type hal_mlipay_hwservice, hwservice_manager_type; + hal_attribute(mlipay) -allow hal_mlipay_client hal_mlipay_server:binder { call transfer }; -allow hal_mlipay_client hal_mlipay_server:binder transfer; -allow hal_mlipay_client hal_mlipay_server:fd *; -allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find; -allow hal_mlipay_server hal_mlipay_client:binder transfer; -allow hal_mlipay_server hal_mlipay_client:binder { call transfer }; -allow hal_mlipay_server hal_mlipay_client:fd *; -allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add; +init_daemon_domain(hal_mlipay_default) + +hwbinder_use(hal_mlipay_default) +binder_call(hal_mlipay_client, hal_mlipay_server) +binder_call(hal_mlipay_server, hal_mlipay_client) + +add_hwservice(hal_mlipay_server, hal_mlipay_hwservice) +hal_server_domain(hal_mlipay_default, hal_mlipay) + allow hal_mlipay_default tee_device:chr_file rw_file_perms; allow hal_mlipay_default firmware_file:dir r_dir_perms; allow hal_mlipay_default firmware_file:file r_file_perms; allow hal_mlipay_default ion_device:chr_file rw_file_perms; -allow hal_mlipay_default rootfs:lnk_file r_file_perms; allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read }; allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read }; allow hal_mlipay_default hal_mtdservice_default:binder transfer; -init_daemon_domain(hal_mlipay_default) + get_prop(hal_mlipay_default, vendor_fp_prop) get_prop(hal_mlipay_default, vendor_system_prop) set_prop(hal_mlipay_default, vendor_payment_security_prop) -hwbinder_use(hal_mlipay_default) -hal_server_domain(hal_mlipay_default, hal_mlipay) -add_hwservice(hal_mlipay_server, hal_mlipay_hwservice) diff --git a/sepolicy/vendor/hal_mtdservice.te b/sepolicy/vendor/hal_mtdservice.te index 2e2a46f..ef5f255 100644 
--- a/sepolicy/vendor/hal_mtdservice.te +++ b/sepolicy/vendor/hal_mtdservice.te @@ -1,17 +1,20 @@ type hal_mtdservice_default, domain; type hal_mtdservice_default_exec, exec_type, file_type, vendor_file_type; type hal_mtdservice_hwservice, hwservice_manager_type; + hal_attribute(mtdservice) -allow hal_mtdservice_client hal_mtdservice_server:binder { call transfer }; -allow hal_mtdservice_client hal_mtdservice_server:binder transfer; -allow hal_mtdservice_client hal_mtdservice_server:fd *; -allow hal_mtdservice_server hal_mtdservice_client:binder transfer; -allow hal_mtdservice_server hal_mtdservice_client:binder { call transfer }; -allow hal_mtdservice_server hal_mtdservice_client:fd *; -allow hal_mtdservice_default hal_mlipay_default:binder { call transfer }; -allow hal_mtdservice_default hal_mlipay_default:fd *; -allow hal_mtdservice_default hal_mfidoca_default:binder { call transfer }; -allow hal_mtdservice_default hal_mfidoca_default:fd *; + +init_daemon_domain(hal_mtdservice_default) + +hwbinder_use(hal_mtdservice_default) +binder_call(hal_mtdservice_client, hal_mtdservice_server) +binder_call(hal_mtdservice_server, hal_mtdservice_client) +binder_call(hal_mtdservice_default, hal_mlipay_default) +binder_call(hal_mtdservice_default, hal_mfidoca_default) + +add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice) +hal_server_domain(hal_mtdservice_default, hal_mtdservice) + allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add; allow hal_mtdservice_default firmware_file:dir r_dir_perms; allow hal_mtdservice_default firmware_file:file r_file_perms; 
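Review bot: `allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;`, the first context line after the new block, duplicates what `add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)` grants — `hal_server_domain` places hal_mtdservice_default in `hal_mtdservice_server`, and `add_hwservice` expands to `{ add find }` plus the `hidl_base_hwservice` add — so in a cleanup it should be removed and the macro left as the single source of truth. With both `binder_call(hal_mtdservice_default, hal_mlipay_default)` and `binder_call(hal_mtdservice_default, hal_mfidoca_default)` here, the matching `hal_mtdservice_default:binder transfer` lines kept in those two files become redundant too. This hunk covers only the head of the file; its remaining rules continue in the second hunk below.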
@@ -43,13 +46,8 @@ allow hal_mtdservice_default system_server:binder transfer; allow hal_mtdservice_default block_device:dir r_dir_perms; allow hal_mtdservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read }; allow hal_mtdservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read }; -allow hal_mtdservice_default hal_tidaservice_default:binder transfer; -allow hal_mtdservice_default hal_secure_element_default:binder transfer; type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd"; -init_daemon_domain(hal_mtdservice_default) + get_prop(hal_mtdservice_default, vendor_system_prop) get_prop(hal_mtdservice_default, vendor_cpuid_prop) set_prop(hal_mtdservice_default, vendor_payment_security_prop) -hwbinder_use(hal_mtdservice_default) -hal_server_domain(hal_mtdservice_default, hal_mtdservice) -add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice) diff --git a/sepolicy/vendor/hal_nfc.te b/sepolicy/vendor/hal_nfc.te index ffc602b..2695d8a 100644 --- a/sepolicy/vendor/hal_nfc.te +++ b/sepolicy/vendor/hal_nfc.te @@ -1,4 +1,4 @@ allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms; -allow hal_nfc_default vendor_data_file:dir rw_dir_perms; -allow hal_nfc_default vendor_data_file:file { create rw_file_perms }; +allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms; + get_prop(hal_nfc_default, vendor_nfc_mi_prop) diff --git a/sepolicy/vendor/hal_quickcamera.te b/sepolicy/vendor/hal_quickcamera.te index 673884a..fb03090 100644 --- a/sepolicy/vendor/hal_quickcamera.te +++ b/sepolicy/vendor/hal_quickcamera.te 
@@ -1,27 +1,13 @@ type hal_quickcamera_default, domain; type hal_quickcamera_default_exec, exec_type, file_type, vendor_file_type; type hal_quickcamera_hwservice, hwservice_manager_type; + hal_attribute(quickcamera) -allow hal_quickcamera_client hal_quickcamera_server:binder { call transfer }; -allow hal_quickcamera_client hal_quickcamera_server:binder transfer; -allow hal_quickcamera_client hal_quickcamera_server:fd *; -allow hal_quickcamera_client hal_quickcamera_hwservice:hwservice_manager find; -allow hal_quickcamera_server hal_quickcamera_client:binder transfer; -allow hal_quickcamera_server hal_quickcamera_client:binder { call transfer }; -allow hal_quickcamera_server hal_quickcamera_client:fd *; -allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add; -allow hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find }; -allow hal_quickcamera_default platform_app:binder transfer; -allow hal_quickcamera_default platform_app:binder { call transfer }; -allow hal_quickcamera_default platform_app:fd *; -allow hal_quickcamera_default system_app:binder transfer; -allow hal_quickcamera_default system_app:binder { call transfer }; -allow hal_quickcamera_default system_app:fd *; -allow hal_quickcamera platform_app:binder transfer; -allow hal_quickcamera platform_app:binder { call transfer }; -allow hal_quickcamera platform_app:fd *; -allow hal_quickcamera system_app:binder transfer; -allow hal_quickcamera system_app:binder { call transfer }; -allow hal_quickcamera system_app:fd *; + init_daemon_domain(hal_quickcamera_default) hal_server_domain(hal_quickcamera_default, hal_quickcamera) + +binder_call(hal_quickcamera_client, hal_quickcamera_server) +binder_call(hal_quickcamera_server, hal_quickcamera_client) + +add_hwservice(hal_quickcamera_server, hal_quickcamera_hwservice) diff --git a/sepolicy/vendor/hal_secure_element.te b/sepolicy/vendor/hal_secure_element.te index 97bd98f..d9f28dd 100644 --- a/sepolicy/vendor/hal_secure_element.te 
+++ b/sepolicy/vendor/hal_secure_element.te @@ -1,3 +1,3 @@ +binder_call(hal_secure_element_default, hal_mtdservice_default) + allow hal_secure_element_default hal_mtdservice_hwservice:hwservice_manager find; -allow hal_secure_element_default hal_mtdservice_default:binder { call transfer }; -allow hal_secure_element_default hal_mtdservice_default:fd *; diff --git a/sepolicy/vendor/hal_sensorcommunicate.te b/sepolicy/vendor/hal_sensorcommunicate.te index 103a163..7ddc0b3 100644 --- a/sepolicy/vendor/hal_sensorcommunicate.te +++ b/sepolicy/vendor/hal_sensorcommunicate.te 
@@ -1,26 +1,24 @@
 type vendor_hal_sensorcommunicate_default, domain;
 type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
 type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
+
 attribute vendor_hal_sensorcommunicate;
 attribute vendor_hal_sensorcommunicate_client;
 attribute vendor_hal_sensorcommunicate_server;
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
+
+init_daemon_domain(vendor_hal_sensorcommunicate_default)
+
+hwbinder_use(vendor_hal_sensorcommunicate_default)
+binder_call(vendor_hal_sensorcommunicate_client, vendor_hal_sensorcommunicate_server)
+binder_call(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_client)
+
+add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
+hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
+
 allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
-allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
-allow vendor_hal_sensorcommunicate_default system_server:binder call;
-allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
-allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
 allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
 allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
-init_daemon_domain(vendor_hal_sensorcommunicate_default)
-hwbinder_use(vendor_hal_sensorcommunicate_default)
-hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
-add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
+
diff --git a/sepolicy/vendor/hal_sensors.te b/sepolicy/vendor/hal_sensors.te
index fd3349b..a62b255 100644
--- a/sepolicy/vendor/hal_sensors.te
+++ b/sepolicy/vendor/hal_sensors.te
@@ -4,5 +4,5 @@ allow hal_sensors_default sound_device:chr_file rw_file_perms;
 allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
 allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
 allow hal_sensors_default stmvl53l5_device:chr_file { ioctl open read write };
-
-allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
\ No newline at end of file
+allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
+allow hal_sensors_default sysfs_tp_virtual_prox:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_slaservice.te b/sepolicy/vendor/hal_slaservice.te
index c3bcb81..12a6780 100644
--- a/sepolicy/vendor/hal_slaservice.te
+++ b/sepolicy/vendor/hal_slaservice.te
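Review bot: `allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;` is dropped while the `vendor_persist_sensors_file` dir-search and file-read rules below it stay; if that persist data sits under a mount point labelled mnt_vendor_file, as the `mnt_vendor_file:dir search` this same commit adds in wcnss_service.te suggests for its own data, the HAL can no longer walk the path to it. Either keep the search rule or confirm with a denial audit before shipping. As a style point, the two explicit `vendor_hal_citsensorservice_xiaomi_default:binder call` / `transfer` context lines would match the macro style the hunk introduces as `binder_call(vendor_hal_sensorcommunicate_default, vendor_hal_citsensorservice_xiaomi_default)`, with the caveat that the macro also grants `fd use` and the reverse `transfer`. The final `+` leaves a blank last line in the file.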
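Review bot: `allow hal_sensors_default sysfs_tp_virtual_prox:file rw_file_perms;` is a new write grant into a touch-panel sysfs node from the sensors HAL, landing in a commit titled cleanup; a one-line comment naming the feature that needs the write, e.g. `# virtual proximity reported through the touchpanel node`, would stop the next reader from treating it as leftover noise. The rule only takes effect if the sysfs_tp_virtual_prox label exists in genfs_contexts; the diffstat shows a single genfs_contexts insertion, presumably that entry, but it is not visible here.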
@@ -1,17 +1,22 @@
 type hal_slaservice_qti, domain;
 type hal_slaservice_qti_exec, exec_type, file_type, vendor_file_type;
 type hal_slaservice_hwservice, hwservice_manager_type;
+
 hal_attribute(slaservice)
-allow hal_slaservice_qti vendor_slad_prop:file read;
-allow hal_slaservice_qti socket_device:sock_file write;
-allow hal_slaservice_client hal_slaservice_server:binder { call transfer };
-allow hal_slaservice_client hal_slaservice_server:fd *;
-allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
-allow hal_slaservice_server hal_slaservice_client:binder transfer;
+
 init_daemon_domain(hal_slaservice_qti)
+
+add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
+hal_server_domain(hal_slaservice_qti, hal_slaservice)
+
+binder_call(hal_slaservice_client, hal_slaservice_server)
+
+allow hal_slaservice_qti socket_device:sock_file write;
+allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
+
 unix_socket_connect(hal_slaservice_qti, property, slad)
 unix_socket_connect(hal_slaservice_qti, slad, init)
 unix_socket_connect(hal_slaservice_qti, slad, slad)
+
+set_prop(hal_slaservice_qti, vendor_slad_prop)
 set_prop(hal_slaservice_qti, vendor_slad_prop)
-hal_server_domain(hal_slaservice_qti, hal_slaservice)
-add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
diff --git a/sepolicy/vendor/hal_tidaservice.te b/sepolicy/vendor/hal_tidaservice.te
index 2b2c75e..4d14d89 100644
--- a/sepolicy/vendor/hal_tidaservice.te
+++ b/sepolicy/vendor/hal_tidaservice.te
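Review bot: The added `+set_prop(hal_slaservice_qti, vendor_slad_prop)` duplicates the existing `set_prop(hal_slaservice_qti, vendor_slad_prop)` context line directly beneath it; drop one of the two. The removed `allow hal_slaservice_qti vendor_slad_prop:file read;` is covered, since `set_prop` expands through `get_prop` to the property-file read permissions. `binder_call(hal_slaservice_client, hal_slaservice_server)` is one-directional here, whereas the sensorcommunicate and tidaservice rewrites in this commit add the server-to-client direction as well; if the SLA service has no callbacks that is fine, but a short comment saying so would spare the next reader the comparison.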
@@ -1,34 +1,31 @@
 type hal_tidaservice_default, domain;
 type hal_tidaservice_default_exec, exec_type, file_type, vendor_file_type;
 type hal_tidaservice_hwservice, hwservice_manager_type;
+
 hal_attribute(tidaservice)
-allow hal_tidaservice_client hal_tidaservice_server:binder { call transfer };
-allow hal_tidaservice_client hal_tidaservice_server:binder transfer;
-allow hal_tidaservice_client hal_tidaservice_server:fd *;
+
+init_daemon_domain(hal_tidaservice_default)
+
+hwbinder_use(hal_tidaservice_default)
+binder_call(hal_tidaservice_client, hal_tidaservice_server)
+binder_call(hal_tidaservice_server, hal_tidaservice_client)
+binder_call(hal_tidaservice_default, hal_mtdservice_default)
+
+add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
+hal_server_domain(hal_tidaservice_default, hal_tidaservice)
+
 allow hal_tidaservice_client hal_tidaservice_hwservice:hwservice_manager find;
-allow hal_tidaservice_server hal_tidaservice_client:binder transfer;
-allow hal_tidaservice_server hal_tidaservice_client:binder { call transfer };
-allow hal_tidaservice_server hal_tidaservice_client:fd *;
-allow hal_tidaservice_default hal_mtdservice_default:binder { call transfer };
-allow hal_tidaservice_default hal_mtdservice_default:fd *;
 allow hal_tidaservice_default tee_device:chr_file rw_file_perms;
 allow hal_tidaservice_default firmware_file:dir r_dir_perms;
 allow hal_tidaservice_default firmware_file:file r_file_perms;
 allow hal_tidaservice_default ion_device:chr_file rw_file_perms;
-allow hal_tidaservice_default rootfs:lnk_file r_file_perms;
 allow hal_tidaservice_default hal_mtdservice_hwservice:hwservice_manager find;
-allow hal_tidaservice_default platform_app:binder transfer;
 allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
 allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
 allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };
-allow hal_tidaservice_default sysfs:dir { open read };
-allow hal_tidaservice_default sysfs:file { open read write };
 allow hal_tidaservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
 allow hal_tidaservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
-init_daemon_domain(hal_tidaservice_default)
+
 get_prop(hal_tidaservice_default, vendor_fp_prop)
 get_prop(hal_tidaservice_default, vendor_system_prop)
 get_prop(hal_tidaservice_default, vendor_payment_security_prop)
-hwbinder_use(hal_tidaservice_default)
-hal_server_domain(hal_tidaservice_default, hal_tidaservice)
-add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 03fe312..054f3e8 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
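Review bot: `allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };` survives the cleanup, but a `hwservice_manager_type` label names a service entry, not a process domain, so a binder rule against it cannot match anything; the `:hwservice_manager find` line above it is the one doing the work and this line can go. The neighbouring `allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };` would read consistently with the rest of the hunk as `binder_call(hal_tidaservice_default, vendor_hal_tui_comm_qti)`, noting that the macro additionally grants `fd use` and the reverse `transfer`. Dropping the generic `sysfs:dir`/`sysfs:file` and `rootfs:lnk_file` rules is a real tightening; confirm with a denial audit that nothing this HAL still touches is left under the generic sysfs label.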
@@ -1,12 +1,20 @@
-vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
-vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
-vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
-vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
-vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
+# Camera
+vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
 
-vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
-vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
-vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
-vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0
-vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
-vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
+# Fingerprint
+vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
+
+# SLA
+vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
+
+# Sensors
+vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
+vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 669be8d..6b73d42 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -1,6 +1,6 @@
-allow init ddr_training_exec:file { execute getattr open read };
 allow init slad_exec:file { getattr open read };
 allow init sla_data_file:file rw_file_perms;
+
 set_prop(vendor_init, vendor_fp_prop)
 set_prop(vendor_init, vendor_fp_info_prop)
 set_prop(vendor_init, vendor_thermal_normal_prop)
@@ -8,4 +8,3 @@ set_prop(vendor_init, vendor_nfc_mi_prop)
 set_prop(vendor_init, vendor_ssr_prop)
 set_prop(vendor_init, vendor_edgnss_qxwz_downloadak_prop)
 set_prop(vendor_init, vendor_qcc_prop)
-allow vendor_init cgroup:file getattr;
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
index 9f81f0d..7eab53c 100644
--- a/sepolicy/vendor/mi_thermald.te
+++ b/sepolicy/vendor/mi_thermald.te
@@ -1,5 +1,8 @@
 type mi_thermald, domain, mlstrustedsubject;
 type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
 allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
 allow mi_thermald self:capability { fsetid sys_boot };
 allow mi_thermald sysfs_thermal:file w_file_perms;
@@ -22,9 +25,9 @@ allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write }
 allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
 allow mi_thermald sys_thermal_wifi_limit:file { open read write };
 allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;
-init_daemon_domain(mi_thermald)
+
 r_dir_file(mi_thermald, sysfs_thermal)
-r_dir_file(mi_thermald, sysfs)
 r_dir_file(mi_thermald, sysfs_leds)
 r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
+
 set_prop(mi_thermald, vendor_thermal_normal_prop)
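Review bot: The surviving `allow init slad_exec:file { getattr open read };` and `allow init sla_data_file:file rw_file_perms;` in the first init.te hunk grant to the core `init` domain from vendor policy, while every other rule in the file targets `vendor_init`; rules on core domains are exactly what the vendor/system policy split is meant to keep out of this directory. The slad_exec line is also redundant: `init_daemon_domain(slad)`, which slad.te already carries as a context line in this commit, grants init `{ getattr open read execute map }` on slad_exec through its domain transition. Remove the slad_exec line, and for sla_data_file either move the grant to the domain that actually writes it or add a comment naming the boot step that trips the denial. The second hunk is a pure deletion and needs nothing.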
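Review bot: `allow mi_thermald sys_thermal_wifi_limit:file { open read write };` and the `rw_file_perms` line immediately under it both survive the second mi_thermald.te hunk; the first is a strict subset of the second and is exactly the kind of leftover this commit is removing elsewhere, so drop it. Separately, `allow mi_thermald self:capability { fsetid sys_boot };` hands a thermal daemon the capability to reboot the device, and `mlstrustedsubject` on the type line widens its MLS reach; neither has a why-comment, and something like `# sys_boot: presumably for thermal emergency shutdown — confirm` would make the intent reviewable. Dropping `r_dir_file(mi_thermald, sysfs)` in favour of the specific sysfs_thermal/sysfs_leds labels is the right direction.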
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index f12679f..b5977b8 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -2,9 +2,6 @@
 vendor_public_prop(vendor_camera_p3enable_prop)
 vendor_public_prop(vendor_camera_sensor_prop)
 
-# DDR
-vendor_public_prop(vendor_ddr_prop)
-
 # Device ID
 vendor_public_prop(vendor_deviceid_prop)
 vendor_public_prop(vendor_sno_prop)
diff --git a/sepolicy/vendor/qrtr.te b/sepolicy/vendor/qrtr.te
deleted file mode 100644
index 8e6d5f9..0000000
--- a/sepolicy/vendor/qrtr.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow vendor_qrtr vendor_data_file:dir create_dir_perms;
-allow vendor_qrtr vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 25e4c59..2387d3e 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -2,8 +2,6 @@ allow rild vendor_radio_smd_device:file { open read write };
 allow rild vendor_radio_smd_device:chr_file { open read write };
 allow rild vendor_modem_data_file:dir create_dir_perms;
 allow rild vendor_modem_data_file:file create_file_perms;
+
 set_prop(rild, vendor_deviceid_prop)
 set_prop(rild, vendor_sno_prop)
-#set_prop(rild, default_prop)
-allow rild vendor_data_file:dir create_dir_perms;
-allow rild vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/slad.te b/sepolicy/vendor/slad.te
index 7e96836..93a203a 100644
--- a/sepolicy/vendor/slad.te
+++ b/sepolicy/vendor/slad.te
@@ -1,6 +1,7 @@
 type slad, domain;
 type slad_exec, exec_type, file_type, vendor_file_type;
 type qti_proc_sla, proc_type;
+
 allow slad slad_socket:sock_file { getattr read write };
 allow slad slad_socket:sock_file unlink;
 allow slad slad:netlink_socket { bind create read write };
@@ -22,8 +23,11 @@ allow slad socket_device:sock_file { create setattr unlink };
 allow slad qti_proc_sla:dir search;
 allow slad qti_proc_sla:file { map open read write };
 allow slad vendor_shell_exec:file execute_no_trans;
+
 dontaudit slad self:capability dac_read_search;
+
 init_daemon_domain(slad)
+
 unix_socket_connect(slad, dnsproxyd, slad)
 unix_socket_connect(slad, dnsproxyd, netd)
 unix_socket_connect(slad, dnsproxyd, init)
@@ -32,5 +36,6 @@ unix_socket_connect(slad, fwmarkd, netd)
 unix_socket_connect(slad, fwmarkd, init)
 unix_socket_connect(slad, property, slad)
 unix_socket_connect(slad, property, netd)
+
 set_prop(slad, vendor_slad_prop)
 net_domain(slad)
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
deleted file mode 100644
index 587488a..0000000
--- a/sepolicy/vendor/surfaceflinger.te
+++ /dev/null
@@ -1 +0,0 @@
-allow surfaceflinger vendor_sysfs_graphics:dir { open read search };
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 65cbffd..d2556fb 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -1,3 +1,2 @@
-allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
-allow tee vendor_fingerprint_data_file:file rw_file_perms;
+allow tee vendor_fingerprint_data_file:dir create_dir_perms;
 allow tee vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
index ba9d023..062b992 100644
--- a/sepolicy/vendor/vendor_qti_init_shell.te
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
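Review bot: In the tee.te hunk the dir grant widens from `rw_dir_perms` to `create_dir_perms`, which additionally lets the `tee` domain `create`, `reparent`, `rmdir` and `setattr` directories under `vendor_fingerprint_data_file`; a commit described as a cleanup should call that widening out and name the denial that motivated it. If the TEE only needs to add and remove files inside an existing directory, `rw_dir_perms` (which already includes `add_name` and `remove_name`) together with the kept `create_file_perms` line covers that, so the old `allow tee vendor_fingerprint_data_file:dir rw_dir_perms;` could simply stay. Removing the `file rw_file_perms` line is a correct de-duplication, since `create_file_perms` is a superset of it. The `vendor_qti_init_shell.te` hunk that follows begins on the next physical line.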
@@ -1,11 +1,3 @@ -allow vendor_qti_init_shell configfs:dir { add_name create write }; -# NECESSARY? -allow vendor_qti_init_shell configfs:dir setattr; -# END -allow vendor_qti_init_shell sysfs_dm:file rw_file_perms; -allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms; allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms; -allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write }; -set_prop(vendor_qti_init_shell, vendor_panel_info_prop) -#get_prop(vendor_qti_init_shell, default_prop) +set_prop(vendor_qti_init_shell, vendor_panel_info_prop) diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te index 17ce312..892ba94 100644 --- a/sepolicy/vendor/wcnss_service.te +++ b/sepolicy/vendor/wcnss_service.te 
@@ -1,16 +1,6 @@
-#allow vendor_wcnss_service self:netlink_generic_socket ioctl;
 allow vendor_wcnss_service self:capability { net_raw setgid setuid };
-#allow vendor_wcnss_service self:packet_socket { bind create getopt ioctl map read setopt };
 allow vendor_wcnss_service self:packet_socket write;
 allow vendor_wcnss_service sysfs_net:file read;
-allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
-allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
-allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
-allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
-allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
-#allow vendor_wcnss_service vendor_diag_device:chr_file { create ioctl open read write };
-allow vendor_wcnss_service vendor_sysfs_diag:dir search;
-allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
-allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
-allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
-allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
+allow vendor_wcnss_service mnt_vendor_file:dir search;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir create_dir_perms;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:file create_file_perms;
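Review bot: The two replacement lines trade the old explicit permission sets on `vendor_mac_vendor_data_file` for `create_dir_perms`/`create_file_perms`, which is wider than the union of what was removed: the old dir rules never granted `create`, `reparent` or `rmdir`, and the old file rule never granted `rename` or `unlink`. For a directory holding the device's MAC-address data the narrower sets are cheap to keep, e.g. `allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };` and `allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };`, unless a specific denial shows more is needed. Narrowing `mnt_vendor_file` to `dir search` is the right path-walk grant and a real improvement over the old create/write rules on that mount. Dropping the `vendor_wifi_vendor_log_data_file`, `vendor_sysfs_diag` and `vendor_proc_wifi_dbg` rules is a genuine tightening; if the service still emits WLAN logs, expect denials there and re-add only what an audit shows.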