sm8450-common: sepolicy: Overall cleanup

Change-Id: I0d6282ea0315774fa29e8155cb0e113123025623
Arian 2024-03-19 22:26:56 +01:00
parent 14be88afd4
commit 30c8d6c293
35 changed files with 184 additions and 273 deletions


@ -1,5 +0,0 @@
# MIUI
ro.miui. u:object_r:exported_system_prop:s0
ro.product.mod_device u:object_r:exported_default_prop:s0 exact string
ro.cust.test u:object_r:exported_system_prop:s0
ro.carrier u:object_r:exported_default_prop:s0 exact string


@ -1 +0,0 @@
allow vendor_agmservice_qti debugfs:dir r_dir_perms;


@ -1,2 +0,0 @@
allow vendor_audioadsprpcd vendor_audio_data_file:dir search;
allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write };


@ -1,8 +0,0 @@
allow audioserver system_server:dir search;
allow audioserver mediaserver:dir search;
allow audioserver mediaserver:file { open read };
allow audioserver system_app:dir search;
allow audioserver hal_audio_default:process signal;
allow audioserver sound_device:chr_file rw_file_perms;
get_prop(audioserver, bootanim_system_prop)
set_prop(audioserver, audio_prop)


@ -1,3 +1,11 @@
type batterysecret, domain;
type batterysecret_exec, exec_type, vendor_file_type, file_type;
hwbinder_use(batterysecret)
init_daemon_domain(batterysecret)
binder_call(batterysecret, system_suspend_server)
allow batterysecret rootfs:dir write;
allow batterysecret self:capability sys_tty_config;
allow batterysecret self:capability sys_boot;
@ -12,8 +20,6 @@ allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;
allow batterysecret vendor_sysfs_qcom_battery:file write;
allow batterysecret vendor_sysfs_qcom_battery:file { open read write };
allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms;
allow batterysecret system_suspend_server:binder { call transfer };
allow batterysecret system_suspend_server:fd *;
allow batterysecret system_suspend_hwservice:hwservice_manager find;
allow batterysecret hidl_manager_hwservice:hwservice_manager find;
allow batterysecret sysfs:file write;
@ -22,14 +28,13 @@ allow batterysecret vendor_sysfs_usb_supply:file write;
allow batterysecret sysfs_batteryinfo:file r_file_perms;
allow batterysecret kmsg_device:chr_file rw_file_perms;
allow batterysecret mnt_vendor_file:dir rw_dir_perms;
init_daemon_domain(batterysecret)
r_dir_file(batterysecret, sysfs_type)
r_dir_file(batterysecret, rootfs)
r_dir_file(batterysecret, cgroup)
r_dir_file(batterysecret, vendor_sysfs_usb_supply)
get_prop(batterysecret, hwservicemanager_prop)
get_prop(batterysecret, vendor_default_prop)
set_prop(batterysecret, vendor_system_prop)
hwbinder_use(batterysecret)
type batterysecret, domain;
type batterysecret_exec, exec_type, vendor_file_type, file_type;
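Review bot: `allow batterysecret system_suspend_server:binder { call transfer };` and `allow batterysecret system_suspend_server:fd *;` in the second hunk are now fully covered by the `binder_call(batterysecret, system_suspend_server)` macro placed at the top of the file, which emits call/transfer plus `fd use` (the only permission the fd class has, so `*` adds nothing); if the cleanup keeps them, drop the two raw lines so that binder edge has a single source. Separately, `allow batterysecret rootfs:dir write;` and `allow batterysecret self:capability sys_boot;` are strong grants for a charging daemon — sys_boot is the reboot/poweroff capability — and deserve a why-comment such as `# TODO(sepolicy): document which battery code path needs sys_boot and the rootfs write`. I cannot tell from the rendered page whether those two lines are new or pre-existing context.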


@ -1,27 +0,0 @@
allow bluetooth hal_audio:binder { call transfer };
allow bluetooth hal_audio:fd *;
allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
allow bluetooth media_rw_data_file:dir create_dir_perms;
allow bluetooth media_rw_data_file:file create_file_perms;
allow bluetooth serial_device:chr_file rw_file_perms;
allow bluetooth uhid_device:chr_file rw_file_perms;
allow bluetooth vendor_bt_device:chr_file rw_file_perms;
allow bluetooth vendor_smd_device:chr_file rw_file_perms;
allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find;
allow bluetooth vendor_default_prop:file { getattr map };
allow bluetooth vendor_bt_data_file:dir search;
allow bluetooth vendor_bt_data_file:file { getattr open read };
allow bluetooth system_app_data_file:dir getattr;
allow bluetooth system_app_data_file:file { getattr open read };
allow bluetooth self:socket { create getopt read write };
#allow bluetooth self:socket ioctl;
allow bluetooth servicemanager:fd *;
allow bluetooth system_app:binder { call transfer };
allow bluetooth system_app:fd *;
allow bluetooth vendor_dun_service:service_manager find;
allow bluetooth hal_audio_hwservice:hwservice_manager find;
#allowxperm bluetooth self:ioctl socket ((range 0xc300 0xc305));
dontaudit bluetooth netd_service:service_manager find;
get_prop(bluetooth, vendor_display_prop)
get_prop(bluetooth, vendor_audio_prop)
binder_use(bluetooth)


@ -1,2 +0,0 @@
allow bootanim vendor_audio_prop:file read;
allow bootanim vendor_proc_audiod:file read;


@ -1,9 +1,20 @@
type vendor_displayfeature_device, dev_type;
# Audio
type sound_device, dev_type, mlstrustedobject;
# Camera
type stmvl53l5_device, dev_type;
# Display
type vendor_displayfeature_device, dev_type;
# Fingerprint
type vendor_fingerprint_device, dev_type;
type touchfeature_device, dev_type;
type vendor_radio_smd_device, dev_type;
# IR
type ir_spi_device, dev_type;
type ddr_partition, dev_type;
type minidump_data_file, data_file_type, file_type;
# Modem
type vendor_radio_smd_device, dev_type;
# Touchscreen
type touchfeature_device, dev_type;
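Review bot: `type sound_device, dev_type, mlstrustedobject;` carries `mlstrustedobject`, which exempts the node from MLS category checks so that any app level can reach it once type enforcement allows; it is the only device type in this file with that attribute, so a comment explaining the need is warranted, e.g. `# mlstrustedobject: node is shared across app MLS levels — confirm this is required`. I cannot tell from the rendered diff whether the line is new or merely regrouped under the new `# Audio` heading.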


@ -11,7 +11,6 @@
# Camera
/(vendor|system/vendor)/bin/hw/vendor.xiaomi.hardware.quickcamera@1.0-service u:object_r:hal_quickcamera_default_exec:s0
/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
#/vendor/bin/camera_cal u:object_r:DualCameraCal_exec:s0
/vendor/lib(64)?/libQnnHtpV69Stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libQnnHtp\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libSNPE\.so u:object_r:same_process_hal_file:s0
@ -64,6 +63,7 @@
# Mac Address
/data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0
/mnt/vendor/persist/qca6490/wlan_mac\.bin u:object_r:vendor_mac_vendor_data_file:s0
/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
# Mlipay
@ -86,9 +86,6 @@
# QRTR
/(vendor|system/vendor)/bin/qrtr-lookup u:object_r:vendor_qrtr_exec:s0
# RIL
/data/vendor/diag(/.*)? u:object_r:minidump_data_file:s0
# Sensors
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi-multihal u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor.xiaomi.sensor.communicate@1.0-service u:object_r:vendor_hal_sensorcommunicate_default_exec:s0
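Review bot: `/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0` uses a bare `/vendor/bin` path while the other executables in this file are written `/(vendor|system/vendor)/bin/...` (the quickcamera, qrtr-lookup and sensors entries), so the label will not apply when vendor is mounted under /system/vendor. Write it as `/(vendor|system/vendor)/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0`. Note that labelling it this way makes init run nv_mac in the vendor_wcnss_service domain, which then needs write access to `vendor_mac_vendor_data_file` under /data/vendor/mac_addr — that domain's rules are not on this page, so I cannot confirm it.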


@ -6,6 +6,7 @@ genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform
# Suspend
genfscon sysfs /devices/platform/soc/3000000.remoteproc-adsp/remoteproc/remoteproc2/3000000.remoteproc-adsp:glink-edge/3000000.remoteproc-adsp:glink-edge.adsp_apps.-1.-1/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/88c000.i2c/i2c-6/6-005a/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/990000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-bark/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-resin-bark/wakeup u:object_r:sysfs_wakeup:s0


@ -1,10 +1,6 @@
allow hal_audio_default vendor_persist_audio_file:file rw_file_perms;
allow hal_audio_default mnt_vendor_file:dir r_dir_perms;
allow hal_audio_default vendor_audio_prop:property_service set;
allow hal_audio_default audio_socket:sock_file rw_file_perms;
allow hal_audio_default sound_device:chr_file rw_file_perms;
allow hal_audio_default sysfs_f0_value:file rw_file_perms;
allow hal_audio_default sysfs:file rw_file_perms;
unix_socket_connect(hal_audio_default, property, init)
unix_socket_connect(hal_audio_default, property, hal_sensors_default)
set_prop(hal_audio_default, vendor_audio_prop)
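Review bot: `allow hal_audio_default sysfs:file rw_file_perms;` grants read and write on every sysfs node that has not been given a specific label, which is far wider than an audio HAL needs; the adjacent `sysfs_f0_value` line shows the intended pattern of one genfscon label per node. Replace it with a labelled type for whichever node the HAL actually writes, or at minimum mark it `# TODO: narrow to the specific sysfs node once identified`. I cannot tell from the rendering whether this line is new or surviving context.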


@ -1,38 +1,25 @@
attribute vendor_hal_camerapostproc_xiaomi;
attribute vendor_hal_camerapostproc_xiaomi_client;
attribute vendor_hal_camerapostproc_xiaomi_server;
type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder { call transfer };
allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder transfer;
allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:fd *;
allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder transfer;
allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder { call transfer };
allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:fd *;
allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;
allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer };
allow vendor_hal_camerapostproc_xiaomi platform_app:fd *;
allow vendor_hal_camerapostproc_xiaomi priv_app:binder transfer;
allow vendor_hal_camerapostproc_xiaomi priv_app:binder { call transfer };
allow vendor_hal_camerapostproc_xiaomi priv_app:fd *;
allow vendor_hal_camerapostproc_xiaomi system_app:binder transfer;
allow vendor_hal_camerapostproc_xiaomi system_app:binder { call transfer };
allow vendor_hal_camerapostproc_xiaomi system_app:fd *;
add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
binder_call(vendor_hal_camerapostproc_xiaomi_client, vendor_hal_camerapostproc_xiaomi_server)
binder_call(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_client)
hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
hal_attribute_hwservice(hal_camera, vendor_hal_camerapostproc_xiaomi_hwservice)
allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
allow hal_camera_default mnt_vendor_file:dir search;
allow hal_camera_default camera_persist_file:dir search;
allow hal_camera_default vendor_persist_sensors_file:dir search;
allow hal_camera_default stmvl53l5_device:chr_file { ioctl open read write };
allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };
dontaudit hal_camera graphics_device:dir search;
dontaudit hal_camera_default default_prop:file read;
r_dir_file(hal_camera_default, mnt_vendor_file)
r_dir_file(hal_camera_default, camera_persist_file)
r_dir_file(hal_camera_default, vendor_persist_sensors_file)
hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
set_prop(hal_camera_default, vendor_camera_p3enable_prop)
set_prop(hal_camera_default, vendor_camera_sensor_prop)
dontaudit hal_camera graphics_device:dir search;
dontaudit hal_camera_default default_prop:file read;
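Review bot: `allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;` is redundant if `hal_attribute_hwservice(hal_camera, vendor_hal_camerapostproc_xiaomi_hwservice)` is on the new side, because that macro already grants hal_camera_client find and hal_camera_server add (and adds a neverallow restricting add to hal_camera_server). `allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };` lets a second domain register the IQuickCameraService name that hal_quickcamera_default registers via `add_hwservice` in its own file; unless hal_camera_default really hosts that service, reduce it to `find`. The surviving raw `allow vendor_hal_camerapostproc_xiaomi {platform,priv,system}_app:binder ...` plus `fd *` pairs should become `binder_call(vendor_hal_camerapostproc_xiaomi, platform_app)` and friends, matching the client/server edges this commit already converted.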


@ -1,50 +1,39 @@
type vendor_hal_citsensorservice_xiaomi_default, domain;
type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
attribute vendor_hal_citsensorservice_xiaomi;
attribute vendor_hal_citsensorservice_xiaomi_client;
attribute vendor_hal_citsensorservice_xiaomi_server;
type vendor_hal_citsensorservice_xiaomi_default, domain;
type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default)
r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
#set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop)
vndbinder_use(vendor_hal_citsensorservice_xiaomi)
hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi)
hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator)
add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice)
allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer };
allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer;
allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *;
allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer;
allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer };
allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *;
allow vendor_hal_citsensorservice_xiaomi_default input_device:dir rw_dir_perms;
allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms;
allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms;
vndbinder_use(vendor_hal_citsensorservice_xiaomi)
binder_call(vendor_hal_citsensorservice_xiaomi_client, vendor_hal_citsensorservice_xiaomi_server)
binder_call(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_client)
binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice)
binder_call(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_composer)
allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms;
allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms;
allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms;
allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms;
allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call;
allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer;
allow vendor_hal_citsensorservice_xiaomi_default system_server:binder { call transfer };
allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read };
allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer };
allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *;
allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer;
allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl msm_sock_ipc_ioctls;
allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl msm_sock_ipc_ioctls;
get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
userdebug_or_eng(`get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)');
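Review bot: `binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice)` targets a `hwservice_manager_type` — the service-name label, not a process domain — so the rule never matches a real peer and the reverse `transfer` it emits with the hwservice type as subject is dead policy; the neighbouring `binder_call(..., hal_graphics_composer)` is what actually carries the call. Drop it, along with the raw `vendor_hal_display_config_hwservice:binder { call transfer }` / `fd *` lines if they survive, keeping only the `hwservice_manager find`. The remaining raw pairs such as `allow ... system_server:binder { call transfer };` and `allow ... vendor_hal_sensorcommunicate_default:binder call;`/`transfer;` should be written as `binder_call(...)` for consistency with the rest of the file. Finally, `input_device:dir rw_dir_perms` plus `input_device:chr_file rw_file_perms` lets a sensor service write to /dev/input nodes, i.e. inject input events — add a comment saying why write rather than read is needed.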


@ -1,9 +1,7 @@
type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type;
allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_fingerprint_default input_device:chr_file rwx_file_perms;
allow hal_fingerprint_default input_device:chr_file rw_file_perms;
allow hal_fingerprint_default input_device:dir r_dir_perms;
allow hal_fingerprint_default mnt_vendor_file:dir search;
allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;
allow hal_fingerprint_default sysfs_tp_fodstatus:file r_file_perms;


@ -1,13 +1,17 @@
type hal_mfidoca_default, domain;
type hal_mfidoca_default_exec, exec_type, file_type, vendor_file_type;
type hal_mfidoca_hwservice, hwservice_manager_type;
hal_attribute(mfidoca)
allow hal_mfidoca_client hal_mfidoca_server:binder { call transfer };
allow hal_mfidoca_client hal_mfidoca_server:binder transfer;
allow hal_mfidoca_client hal_mfidoca_server:fd *;
allow hal_mfidoca_server hal_mfidoca_client:binder transfer;
allow hal_mfidoca_server hal_mfidoca_client:binder { call transfer };
allow hal_mfidoca_server hal_mfidoca_client:fd *;
init_daemon_domain(hal_mfidoca_default)
hwbinder_use(hal_mfidoca_default)
binder_call(hal_mfidoca_client, hal_mfidoca_server)
binder_call(hal_mfidoca_server, hal_mfidoca_client)
add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
hal_server_domain(hal_mfidoca_default, hal_mfidoca)
allow hal_mfidoca_default tee_device:chr_file rw_file_perms;
allow hal_mfidoca_default firmware_file:dir r_dir_perms;
allow hal_mfidoca_default firmware_file:file r_file_perms;
@ -15,10 +19,8 @@ allow hal_mfidoca_default ion_device:chr_file rw_file_perms;
allow hal_mfidoca_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
allow hal_mfidoca_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
allow hal_mfidoca_default hal_mtdservice_default:binder transfer;
init_daemon_domain(hal_mfidoca_default)
get_prop(hal_mfidoca_default, vendor_fp_prop)
get_prop(hal_mfidoca_default, vendor_system_prop)
set_prop(hal_mfidoca_default, vendor_payment_security_prop)
hwbinder_use(hal_mfidoca_default)
hal_server_domain(hal_mfidoca_default, hal_mfidoca)
add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
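Review bot: `allow hal_mfidoca_default hal_mtdservice_default:binder transfer;` duplicates the reverse half of `binder_call(hal_mtdservice_default, hal_mfidoca_default)` in hal_mtdservice_default.te, which already grants hal_mfidoca_default transfer back to mtdservice, so it can go. The TEE-facing grants (`tee_device`, `vendor_dmabuf_qseecom_*_heap_device`, `firmware_file`) are plausible for a FIDO service but the file has no header explaining them; a one-liner such as `# mfidoca: FIDO service backed by a TEE applet via qseecom — confirm` would help the next reviewer.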


@ -1,27 +1,25 @@
type hal_mlipay_default, domain;
type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type;
type hal_mlipay_hwservice, hwservice_manager_type;
hal_attribute(mlipay)
allow hal_mlipay_client hal_mlipay_server:binder { call transfer };
allow hal_mlipay_client hal_mlipay_server:binder transfer;
allow hal_mlipay_client hal_mlipay_server:fd *;
allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
allow hal_mlipay_server hal_mlipay_client:binder transfer;
allow hal_mlipay_server hal_mlipay_client:binder { call transfer };
allow hal_mlipay_server hal_mlipay_client:fd *;
allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;
init_daemon_domain(hal_mlipay_default)
hwbinder_use(hal_mlipay_default)
binder_call(hal_mlipay_client, hal_mlipay_server)
binder_call(hal_mlipay_server, hal_mlipay_client)
add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
hal_server_domain(hal_mlipay_default, hal_mlipay)
allow hal_mlipay_default tee_device:chr_file rw_file_perms;
allow hal_mlipay_default firmware_file:dir r_dir_perms;
allow hal_mlipay_default firmware_file:file r_file_perms;
allow hal_mlipay_default ion_device:chr_file rw_file_perms;
allow hal_mlipay_default rootfs:lnk_file r_file_perms;
allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
allow hal_mlipay_default hal_mtdservice_default:binder transfer;
init_daemon_domain(hal_mlipay_default)
get_prop(hal_mlipay_default, vendor_fp_prop)
get_prop(hal_mlipay_default, vendor_system_prop)
set_prop(hal_mlipay_default, vendor_payment_security_prop)
hwbinder_use(hal_mlipay_default)
hal_server_domain(hal_mlipay_default, hal_mlipay)
add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
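Review bot: `allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;` is redundant with `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)`, since `hal_server_domain` puts hal_mlipay_default in hal_mlipay_server. Likewise `allow hal_mlipay_default hal_mtdservice_default:binder transfer;` is already emitted by `binder_call(hal_mtdservice_default, hal_mlipay_default)` in hal_mtdservice_default.te. Drop both if they are on the new side; I cannot tell from the rendering.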


@ -1,17 +1,20 @@
type hal_mtdservice_default, domain;
type hal_mtdservice_default_exec, exec_type, file_type, vendor_file_type;
type hal_mtdservice_hwservice, hwservice_manager_type;
hal_attribute(mtdservice)
allow hal_mtdservice_client hal_mtdservice_server:binder { call transfer };
allow hal_mtdservice_client hal_mtdservice_server:binder transfer;
allow hal_mtdservice_client hal_mtdservice_server:fd *;
allow hal_mtdservice_server hal_mtdservice_client:binder transfer;
allow hal_mtdservice_server hal_mtdservice_client:binder { call transfer };
allow hal_mtdservice_server hal_mtdservice_client:fd *;
allow hal_mtdservice_default hal_mlipay_default:binder { call transfer };
allow hal_mtdservice_default hal_mlipay_default:fd *;
allow hal_mtdservice_default hal_mfidoca_default:binder { call transfer };
allow hal_mtdservice_default hal_mfidoca_default:fd *;
init_daemon_domain(hal_mtdservice_default)
hwbinder_use(hal_mtdservice_default)
binder_call(hal_mtdservice_client, hal_mtdservice_server)
binder_call(hal_mtdservice_server, hal_mtdservice_client)
binder_call(hal_mtdservice_default, hal_mlipay_default)
binder_call(hal_mtdservice_default, hal_mfidoca_default)
add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
hal_server_domain(hal_mtdservice_default, hal_mtdservice)
allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;
allow hal_mtdservice_default firmware_file:dir r_dir_perms;
allow hal_mtdservice_default firmware_file:file r_file_perms;
@ -43,13 +46,8 @@ allow hal_mtdservice_default system_server:binder transfer;
allow hal_mtdservice_default block_device:dir r_dir_perms;
allow hal_mtdservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
allow hal_mtdservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
allow hal_mtdservice_default hal_tidaservice_default:binder transfer;
allow hal_mtdservice_default hal_secure_element_default:binder transfer;
type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";
init_daemon_domain(hal_mtdservice_default)
get_prop(hal_mtdservice_default, vendor_system_prop)
get_prop(hal_mtdservice_default, vendor_cpuid_prop)
set_prop(hal_mtdservice_default, vendor_payment_security_prop)
hwbinder_use(hal_mtdservice_default)
hal_server_domain(hal_mtdservice_default, hal_mtdservice)
add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
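Review bot: `allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;` duplicates `add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)`, and the raw `hal_tidaservice_default:binder transfer` / `hal_secure_element_default:binder transfer` lines are the reverse halves already produced by `binder_call(hal_tidaservice_default, hal_mtdservice_default)` and `binder_call(hal_secure_element_default, hal_mtdservice_default)` in their own files. `type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";` uses the attribute as source and a literal directory name; a comment saying what `/mnt/vendor/persist/fdsd` holds would help, and a `create` grant on `mnt_vendor_file:dir` must exist somewhere for the transition to ever fire — it is not visible in this hunk, whose body continues outside it.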


@ -1,4 +1,4 @@
allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
get_prop(hal_nfc_default, vendor_nfc_mi_prop)


@ -1,27 +1,13 @@
type hal_quickcamera_default, domain;
type hal_quickcamera_default_exec, exec_type, file_type, vendor_file_type;
type hal_quickcamera_hwservice, hwservice_manager_type;
hal_attribute(quickcamera)
allow hal_quickcamera_client hal_quickcamera_server:binder { call transfer };
allow hal_quickcamera_client hal_quickcamera_server:binder transfer;
allow hal_quickcamera_client hal_quickcamera_server:fd *;
allow hal_quickcamera_client hal_quickcamera_hwservice:hwservice_manager find;
allow hal_quickcamera_server hal_quickcamera_client:binder transfer;
allow hal_quickcamera_server hal_quickcamera_client:binder { call transfer };
allow hal_quickcamera_server hal_quickcamera_client:fd *;
allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add;
allow hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find };
allow hal_quickcamera_default platform_app:binder transfer;
allow hal_quickcamera_default platform_app:binder { call transfer };
allow hal_quickcamera_default platform_app:fd *;
allow hal_quickcamera_default system_app:binder transfer;
allow hal_quickcamera_default system_app:binder { call transfer };
allow hal_quickcamera_default system_app:fd *;
allow hal_quickcamera platform_app:binder transfer;
allow hal_quickcamera platform_app:binder { call transfer };
allow hal_quickcamera platform_app:fd *;
allow hal_quickcamera system_app:binder transfer;
allow hal_quickcamera system_app:binder { call transfer };
allow hal_quickcamera system_app:fd *;
init_daemon_domain(hal_quickcamera_default)
hal_server_domain(hal_quickcamera_default, hal_quickcamera)
binder_call(hal_quickcamera_client, hal_quickcamera_server)
binder_call(hal_quickcamera_server, hal_quickcamera_client)
add_hwservice(hal_quickcamera_server, hal_quickcamera_hwservice)
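Review bot: the domain ends with `init_daemon_domain` and `hal_server_domain` but no `hwbinder_use(hal_quickcamera_default)`, unlike every other HAL domain in this commit (mfidoca, mlipay, mtdservice, sensorcommunicate, tidaservice); unless hwbinder access is inherited elsewhere, add `hwbinder_use(hal_quickcamera_default)` after `init_daemon_domain(hal_quickcamera_default)`. `allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add;` and the `{ add find }` line on hal_quickcamera_hwservice are covered by `add_hwservice` and can go. The raw `platform_app` / `system_app` `binder { call transfer }` plus `fd *` pairs should become `binder_call(hal_quickcamera, platform_app)` and `binder_call(hal_quickcamera, system_app)` for consistency with the client/server edges below them.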


@ -1,3 +1,3 @@
binder_call(hal_secure_element_default, hal_mtdservice_default)
allow hal_secure_element_default hal_mtdservice_hwservice:hwservice_manager find;
allow hal_secure_element_default hal_mtdservice_default:binder { call transfer };
allow hal_secure_element_default hal_mtdservice_default:fd *;


@ -1,26 +1,24 @@
type vendor_hal_sensorcommunicate_default, domain;
type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
attribute vendor_hal_sensorcommunicate;
attribute vendor_hal_sensorcommunicate_client;
attribute vendor_hal_sensorcommunicate_server;
allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
init_daemon_domain(vendor_hal_sensorcommunicate_default)
hwbinder_use(vendor_hal_sensorcommunicate_default)
binder_call(vendor_hal_sensorcommunicate_client, vendor_hal_sensorcommunicate_server)
binder_call(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_client)
add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
allow vendor_hal_sensorcommunicate_default system_server:binder call;
allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
init_daemon_domain(vendor_hal_sensorcommunicate_default)
hwbinder_use(vendor_hal_sensorcommunicate_default)
hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
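Review bot: `allow vendor_hal_sensorcommunicate_default system_server:binder call;`/`transfer;` and the two `vendor_hal_citsensorservice_xiaomi_default:binder` lines are left as raw allows while the client/server edges above were converted to `binder_call`; write them as `binder_call(vendor_hal_sensorcommunicate_default, system_server)` and `binder_call(vendor_hal_sensorcommunicate_default, vendor_hal_citsensorservice_xiaomi_default)`. A vendor HAL calling into system_server directly is the direction Treble discourages, so a comment naming the framework callback this serves would help the next reader.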


@ -4,5 +4,5 @@ allow hal_sensors_default sound_device:chr_file rw_file_perms;
allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
allow hal_sensors_default stmvl53l5_device:chr_file { ioctl open read write };
allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
allow hal_sensors_default sysfs_tp_virtual_prox:file rw_file_perms;


@ -1,17 +1,22 @@
type hal_slaservice_qti, domain;
type hal_slaservice_qti_exec, exec_type, file_type, vendor_file_type;
type hal_slaservice_hwservice, hwservice_manager_type;
hal_attribute(slaservice)
allow hal_slaservice_qti vendor_slad_prop:file read;
allow hal_slaservice_qti socket_device:sock_file write;
allow hal_slaservice_client hal_slaservice_server:binder { call transfer };
allow hal_slaservice_client hal_slaservice_server:fd *;
allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
allow hal_slaservice_server hal_slaservice_client:binder transfer;
init_daemon_domain(hal_slaservice_qti)
add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
hal_server_domain(hal_slaservice_qti, hal_slaservice)
binder_call(hal_slaservice_client, hal_slaservice_server)
allow hal_slaservice_qti socket_device:sock_file write;
allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
unix_socket_connect(hal_slaservice_qti, property, slad)
unix_socket_connect(hal_slaservice_qti, slad, init)
unix_socket_connect(hal_slaservice_qti, slad, slad)
set_prop(hal_slaservice_qti, vendor_slad_prop)
set_prop(hal_slaservice_qti, vendor_slad_prop)
hal_server_domain(hal_slaservice_qti, hal_slaservice)
add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
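Review bot: of the three `unix_socket_connect` lines only `unix_socket_connect(hal_slaservice_qti, slad, slad)` pairs a socket with its server; `(property, slad)` grants write on property_socket plus connectto slad, and `(slad, init)` grants write on slad_socket plus connectto init, so both are mis-paired and their useful halves are already covered by `(slad, slad)` and `set_prop(hal_slaservice_qti, vendor_slad_prop)`. Keep the one correct line and delete the other two. `set_prop(hal_slaservice_qti, vendor_slad_prop)` appears twice in the rendering; if that is a true duplicate on the new side rather than a moved line, drop one. `allow hal_slaservice_qti socket_device:sock_file write;` targets the generic unlabeled /dev/socket type — label slad's socket file and grant write on that instead.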


@ -1,34 +1,31 @@
type hal_tidaservice_default, domain;
type hal_tidaservice_default_exec, exec_type, file_type, vendor_file_type;
type hal_tidaservice_hwservice, hwservice_manager_type;
hal_attribute(tidaservice)
allow hal_tidaservice_client hal_tidaservice_server:binder { call transfer };
allow hal_tidaservice_client hal_tidaservice_server:binder transfer;
allow hal_tidaservice_client hal_tidaservice_server:fd *;
init_daemon_domain(hal_tidaservice_default)
hwbinder_use(hal_tidaservice_default)
binder_call(hal_tidaservice_client, hal_tidaservice_server)
binder_call(hal_tidaservice_server, hal_tidaservice_client)
binder_call(hal_tidaservice_default, hal_mtdservice_default)
add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
hal_server_domain(hal_tidaservice_default, hal_tidaservice)
allow hal_tidaservice_client hal_tidaservice_hwservice:hwservice_manager find;
allow hal_tidaservice_server hal_tidaservice_client:binder transfer;
allow hal_tidaservice_server hal_tidaservice_client:binder { call transfer };
allow hal_tidaservice_server hal_tidaservice_client:fd *;
allow hal_tidaservice_default hal_mtdservice_default:binder { call transfer };
allow hal_tidaservice_default hal_mtdservice_default:fd *;
allow hal_tidaservice_default tee_device:chr_file rw_file_perms;
allow hal_tidaservice_default firmware_file:dir r_dir_perms;
allow hal_tidaservice_default firmware_file:file r_file_perms;
allow hal_tidaservice_default ion_device:chr_file rw_file_perms;
allow hal_tidaservice_default rootfs:lnk_file r_file_perms;
allow hal_tidaservice_default hal_mtdservice_hwservice:hwservice_manager find;
allow hal_tidaservice_default platform_app:binder transfer;
allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };
allow hal_tidaservice_default sysfs:dir { open read };
allow hal_tidaservice_default sysfs:file { open read write };
allow hal_tidaservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
allow hal_tidaservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
init_daemon_domain(hal_tidaservice_default)
get_prop(hal_tidaservice_default, vendor_fp_prop)
get_prop(hal_tidaservice_default, vendor_system_prop)
get_prop(hal_tidaservice_default, vendor_payment_security_prop)
hwbinder_use(hal_tidaservice_default)
hal_server_domain(hal_tidaservice_default, hal_tidaservice)
add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
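Review bot: `allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };` names a hwservice_manager_type as a binder peer, which never matches a process; the real peer is the next line, `vendor_hal_tui_comm_qti`, so replace both with `binder_call(hal_tidaservice_default, vendor_hal_tui_comm_qti)` and keep only the `hwservice_manager find` on the hwservice type. The `hal_mtdservice_default:binder { call transfer }` / `fd *` pair is already emitted by `binder_call(hal_tidaservice_default, hal_mtdservice_default)` if both survive. `allow hal_tidaservice_default sysfs:file { open read write };` grants write to every unlabeled sysfs node — label the node the TUI path actually touches and grant on that.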


@ -1,12 +1,20 @@
vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
# Camera
vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0
vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
# Fingerprint
vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
# SLA
vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
# Sensors
vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
# Mlipay
vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0
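Review bot: `vendor.xiaomi.hardware.bgservice::IBGService` and `vendor.xiaomi.hardware.campostproc::IMiPostProcService` both carry the `vendor_hal_camerapostproc_xiaomi_hwservice` label, so any domain granted `find` on the post-processing service can also look up IBGService; moving IBGService under `# Camera` keeps that coupling in place. If the two services do not share the same client set, give IBGService its own hwservice type (a constructed name such as `vendor_hal_bgservice_xiaomi_hwservice`) so `find` can be granted per service. Grouping `mtdservice` and `tidaservice` under `# Mlipay` also reads as if they belong to the payment stack; if that is intended, a short comment saying so would help the next reader.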


@ -1,6 +1,6 @@
allow init ddr_training_exec:file { execute getattr open read };
allow init slad_exec:file { getattr open read };
allow init sla_data_file:file rw_file_perms;
set_prop(vendor_init, vendor_fp_prop)
set_prop(vendor_init, vendor_fp_info_prop)
set_prop(vendor_init, vendor_thermal_normal_prop)
@ -8,4 +8,3 @@ set_prop(vendor_init, vendor_nfc_mi_prop)
set_prop(vendor_init, vendor_ssr_prop)
set_prop(vendor_init, vendor_edgnss_qxwz_downloadak_prop)
set_prop(vendor_init, vendor_qcc_prop)
allow vendor_init cgroup:file getattr;
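Review bot: `allow init sla_data_file:file rw_file_perms;` grants the core `init` domain read/write on a vendor data type from vendor policy, while every other rule in this file targets `vendor_init`; the rendered view does not mark which lines of the first hunk are new, so this may be pre-existing. Vendor-owned files should be reached through `vendor_init` (`allow vendor_init sla_data_file:file rw_file_perms;`), and `allow init ddr_training_exec:file { execute getattr open read };` executes that binary with init's full privileges unless a domain transition is declared for it elsewhere — if it is a standalone daemon, an `init_daemon_domain` for it would be the least-privilege shape.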


@ -1,5 +1,8 @@
type mi_thermald, domain, mlstrustedsubject;
type mi_thermald_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mi_thermald)
allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
allow mi_thermald self:capability { fsetid sys_boot };
allow mi_thermald sysfs_thermal:file w_file_perms;
@ -22,9 +25,9 @@ allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write }
allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
allow mi_thermald sys_thermal_wifi_limit:file { open read write };
allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;
init_daemon_domain(mi_thermald)
r_dir_file(mi_thermald, sysfs_thermal)
r_dir_file(mi_thermald, sysfs)
r_dir_file(mi_thermald, sysfs_leds)
r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
set_prop(mi_thermald, vendor_thermal_normal_prop)
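Review bot: The new `type mi_thermald, domain, mlstrustedsubject;` line exempts the daemon from MLS constraints, which is only needed when it must touch objects at other MLS levels (typically per-app data); nothing visible in this file needs that, so either drop the attribute or add a comment naming the denial that requires it, e.g. `# mlstrustedsubject needed for: <denial placeholder — cite avc line>`. `allow mi_thermald self:capability { fsetid sys_boot };` likewise deserves a one-line justification, since `sys_boot` lets a thermal daemon reboot the device. If both `allow mi_thermald sys_thermal_wifi_limit:file { open read write };` and the `rw_file_perms` rule on the same type survive on the new side, the first is redundant (`rw_file_perms` is a superset) and a cleanup commit should fold it away.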


@ -2,9 +2,6 @@
vendor_public_prop(vendor_camera_p3enable_prop)
vendor_public_prop(vendor_camera_sensor_prop)
# DDR
vendor_public_prop(vendor_ddr_prop)
# Device ID
vendor_public_prop(vendor_deviceid_prop)
vendor_public_prop(vendor_sno_prop)

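--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1,2 +0,0 @@
-allow vendor_qrtr vendor_data_file:dir create_dir_perms;
-allow vendor_qrtr vendor_data_file:file create_file_perms;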


@ -2,8 +2,6 @@ allow rild vendor_radio_smd_device:file { open read write };
allow rild vendor_radio_smd_device:chr_file { open read write };
allow rild vendor_modem_data_file:dir create_dir_perms;
allow rild vendor_modem_data_file:file create_file_perms;
set_prop(rild, vendor_deviceid_prop)
set_prop(rild, vendor_sno_prop)
#set_prop(rild, default_prop)
allow rild vendor_data_file:dir create_dir_perms;
allow rild vendor_data_file:file create_file_perms;
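Review bot: `#set_prop(rild, default_prop)` is a commented-out rule carried through a cleanup commit; delete it rather than leaving dead policy behind. The pair `allow rild vendor_data_file:dir create_dir_perms;` / `allow rild vendor_data_file:file create_file_perms;` grants create, unlink and rename on everything still labelled with the generic `vendor_data_file` type, which is far broader than the adjacent `vendor_modem_data_file` grants; if the denial behind it names a specific directory under /data/vendor, label that directory in file_contexts and scope the rule to the new type. The rendered view does not mark which of these lines are new.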


@ -1,6 +1,7 @@
type slad, domain;
type slad_exec, exec_type, file_type, vendor_file_type;
type qti_proc_sla, proc_type;
allow slad slad_socket:sock_file { getattr read write };
allow slad slad_socket:sock_file unlink;
allow slad slad:netlink_socket { bind create read write };
@ -22,8 +23,11 @@ allow slad socket_device:sock_file { create setattr unlink };
allow slad qti_proc_sla:dir search;
allow slad qti_proc_sla:file { map open read write };
allow slad vendor_shell_exec:file execute_no_trans;
dontaudit slad self:capability dac_read_search;
init_daemon_domain(slad)
unix_socket_connect(slad, dnsproxyd, slad)
unix_socket_connect(slad, dnsproxyd, netd)
unix_socket_connect(slad, dnsproxyd, init)
@ -32,5 +36,6 @@ unix_socket_connect(slad, fwmarkd, netd)
unix_socket_connect(slad, fwmarkd, init)
unix_socket_connect(slad, property, slad)
unix_socket_connect(slad, property, netd)
set_prop(slad, vendor_slad_prop)
net_domain(slad)

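--- a/PATH_NOT_SHOWN
+++ /dev/null
@@ -1 +0,0 @@
-allow surfaceflinger vendor_sysfs_graphics:dir { open read search };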


@ -1,3 +1,2 @@
allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
allow tee vendor_fingerprint_data_file:file rw_file_perms;
allow tee vendor_fingerprint_data_file:dir create_dir_perms;
allow tee vendor_fingerprint_data_file:file create_file_perms;
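Review bot: Replacing `rw_dir_perms`/`rw_file_perms` with `create_dir_perms`/`create_file_perms` on `vendor_fingerprint_data_file` widens the `tee` domain's access to include `create`, `unlink`, `rename` and `setattr`, so this hunk is a permission expansion rather than a cleanup. That is plausible if the TEE daemon manages fingerprint template files itself, but neither the commit message nor the file says so; add a comment above the two rules naming the denial, e.g. `# tee creates and rotates fingerprint templates (avc: <denial placeholder>)`.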


@ -1,11 +1,3 @@
allow vendor_qti_init_shell configfs:dir { add_name create write };
# NECESSARY?
allow vendor_qti_init_shell configfs:dir setattr;
# END
allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write };
set_prop(vendor_qti_init_shell, vendor_panel_info_prop)
#get_prop(vendor_qti_init_shell, default_prop)
set_prop(vendor_qti_init_shell, vendor_panel_info_prop)


@ -1,16 +1,6 @@
#allow vendor_wcnss_service self:netlink_generic_socket ioctl;
allow vendor_wcnss_service self:capability { net_raw setgid setuid };
#allow vendor_wcnss_service self:packet_socket { bind create getopt ioctl map read setopt };
allow vendor_wcnss_service self:packet_socket write;
allow vendor_wcnss_service sysfs_net:file read;
allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
#allow vendor_wcnss_service vendor_diag_device:chr_file { create ioctl open read write };
allow vendor_wcnss_service vendor_sysfs_diag:dir search;
allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
allow vendor_wcnss_service mnt_vendor_file:dir search;
allow vendor_wcnss_service vendor_mac_vendor_data_file:dir create_dir_perms;
allow vendor_wcnss_service vendor_mac_vendor_data_file:file create_file_perms;
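Review bot: `allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };` together with the matching `mnt_vendor_file:file { create open read setattr write }` rule lets the service create and modify files anywhere still carrying the generic `mnt_vendor_file` label under /mnt/vendor; whichever of these lines survive on the new side (the rendered view does not mark them), the file it writes should get its own type so the grant is scoped, as was already done for `vendor_mac_vendor_data_file`. `allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };` includes `create` on a procfs file, which is never satisfiable and can be dropped. The three `#allow vendor_wcnss_service ...` lines are commented-out rules and should not survive a cleanup. This file may continue past the end of the visible hunk.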