From 37eea615875060cc4024db3c13a2ffbdd59975aa Mon Sep 17 00:00:00 2001 
From: Arian Date: Mon, 6 Mar 2023 17:19:06 +0100 Subject: [PATCH] sm8450-common: Initial sepolicy Change-Id: Ia21793576649e8518e79e4680e0b79b6a9331720 --- BoardConfigCommon.mk | 4 + sepolicy/public/property_contexts | 5 + sepolicy/vendor/agmservice_qti.te | 1 + sepolicy/vendor/audioadsprpcd.te | 2 + sepolicy/vendor/audioserver.te | 8 + sepolicy/vendor/batterysecret.te | 35 +++++ sepolicy/vendor/bluetooth.te | 27 ++++ sepolicy/vendor/bootanim.te | 2 + sepolicy/vendor/ddr_training.te | 8 + sepolicy/vendor/device.te | 9 ++ sepolicy/vendor/file.te | 41 +++++ sepolicy/vendor/file_contexts | 97 ++++++++++++ sepolicy/vendor/genfs_contexts | 15 ++ sepolicy/vendor/hal_audio.te | 12 ++ sepolicy/vendor/hal_bluetooth.te | 2 + sepolicy/vendor/hal_camera_default.te | 37 +++++ .../vendor/hal_citsensorservice_xiaomi.te | 50 ++++++ sepolicy/vendor/hal_display_config.te | 2 + sepolicy/vendor/hal_displayfeature_xiaomi.te | 69 +++++++++ sepolicy/vendor/hal_dms.te | 18 +++ sepolicy/vendor/hal_fingerprint.te | 26 ++++ sepolicy/vendor/hal_gnss.te | 8 + sepolicy/vendor/hal_graphics_composer.te | 15 ++ sepolicy/vendor/hal_light.te | 3 + sepolicy/vendor/hal_mfidoca.te | 24 +++ sepolicy/vendor/hal_mlipay.te | 27 ++++ sepolicy/vendor/hal_mtdservice.te | 55 +++++++ sepolicy/vendor/hal_nfc.te | 3 + sepolicy/vendor/hal_perf.te | 20 +++ sepolicy/vendor/hal_power.te | 1 + sepolicy/vendor/hal_quickcamera.te | 27 ++++ sepolicy/vendor/hal_secure_element.te | 3 + sepolicy/vendor/hal_sensorcommunicate.te | 26 ++++ sepolicy/vendor/hal_sensors.te | 8 + sepolicy/vendor/hal_slaservice.te | 17 +++ sepolicy/vendor/hal_tidaservice.te | 34 +++++ sepolicy/vendor/hwservice_contexts | 14 ++ sepolicy/vendor/init.te | 8 + sepolicy/vendor/mi_thermald.te | 30 ++++ sepolicy/vendor/modprobe.te | 1 + sepolicy/vendor/property.te | 40 +++++ sepolicy/vendor/property_contexts | 144 ++++++++++++++++++ sepolicy/vendor/qrtr.te | 2 + sepolicy/vendor/rild.te | 9 ++ sepolicy/vendor/slad.te | 36 +++++ 
sepolicy/vendor/surfaceflinger.te | 4 + sepolicy/vendor/system_server.te | 1 + sepolicy/vendor/tee.te | 3 + sepolicy/vendor/vendor_qti_init_shell.te | 11 ++ sepolicy/vendor/vendorcodec.te | 25 +++ sepolicy/vendor/vndservice_contexts | 2 + sepolicy/vendor/wcnss_service.te | 16 ++ 52 files changed, 1087 insertions(+) create mode 100644 sepolicy/public/property_contexts create mode 100644 sepolicy/vendor/agmservice_qti.te create mode 100644 sepolicy/vendor/audioadsprpcd.te create mode 100644 sepolicy/vendor/audioserver.te create mode 100644 sepolicy/vendor/batterysecret.te create mode 100644 sepolicy/vendor/bluetooth.te create mode 100644 sepolicy/vendor/bootanim.te create mode 100644 sepolicy/vendor/ddr_training.te create mode 100644 sepolicy/vendor/device.te create mode 100644 sepolicy/vendor/file.te create mode 100644 sepolicy/vendor/file_contexts create mode 100644 sepolicy/vendor/genfs_contexts create mode 100644 sepolicy/vendor/hal_audio.te create mode 100644 sepolicy/vendor/hal_bluetooth.te create mode 100644 sepolicy/vendor/hal_camera_default.te create mode 100644 sepolicy/vendor/hal_citsensorservice_xiaomi.te create mode 100644 sepolicy/vendor/hal_display_config.te create mode 100644 sepolicy/vendor/hal_displayfeature_xiaomi.te create mode 100644 sepolicy/vendor/hal_dms.te create mode 100644 sepolicy/vendor/hal_fingerprint.te create mode 100644 sepolicy/vendor/hal_gnss.te create mode 100644 sepolicy/vendor/hal_graphics_composer.te create mode 100644 sepolicy/vendor/hal_light.te create mode 100644 sepolicy/vendor/hal_mfidoca.te create mode 100644 sepolicy/vendor/hal_mlipay.te create mode 100644 sepolicy/vendor/hal_mtdservice.te create mode 100644 sepolicy/vendor/hal_nfc.te create mode 100644 sepolicy/vendor/hal_perf.te create mode 100644 sepolicy/vendor/hal_power.te create mode 100644 sepolicy/vendor/hal_quickcamera.te create mode 100644 sepolicy/vendor/hal_secure_element.te create mode 100644 sepolicy/vendor/hal_sensorcommunicate.te create mode 100644 
sepolicy/vendor/hal_sensors.te create mode 100644 sepolicy/vendor/hal_slaservice.te create mode 100644 sepolicy/vendor/hal_tidaservice.te create mode 100644 sepolicy/vendor/hwservice_contexts create mode 100644 sepolicy/vendor/init.te create mode 100644 sepolicy/vendor/mi_thermald.te create mode 100644 sepolicy/vendor/modprobe.te create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/property_contexts create mode 100644 sepolicy/vendor/qrtr.te create mode 100644 sepolicy/vendor/rild.te create mode 100644 sepolicy/vendor/slad.te create mode 100644 sepolicy/vendor/surfaceflinger.te create mode 100644 sepolicy/vendor/system_server.te create mode 100644 sepolicy/vendor/tee.te create mode 100644 sepolicy/vendor/vendor_qti_init_shell.te create mode 100644 sepolicy/vendor/vendorcodec.te create mode 100644 sepolicy/vendor/vndservice_contexts create mode 100644 sepolicy/vendor/wcnss_service.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 0bc4c28..b07e735 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -108,6 +108,10 @@ ENABLE_VENDOR_RIL_SERVICE := true
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+
 # VINTF
 DEVICE_MATRIX_FILE := $(COMMON_PATH)/vintf/compatibility_matrix.xml
diff --git a/sepolicy/public/property_contexts b/sepolicy/public/property_contexts
new file mode 100644
index 0000000..075ddf8
--- /dev/null
+++ b/sepolicy/public/property_contexts
@@ -0,0 +1,5 @@
+# MIUI
+ro.miui. u:object_r:exported_system_prop:s0
+ro.product.mod_device u:object_r:exported_default_prop:s0 exact string
+ro.cust.test u:object_r:exported_system_prop:s0
+ro.carrier u:object_r:exported_default_prop:s0 exact string
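Review bot: `SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private` points at a directory this commit does not create — the diffstat lists only `sepolicy/public` and `sepolicy/vendor`. Either add the directory or drop the line until private policy exists, so the build's declared policy inputs match what is in the tree; whether the build tolerates a missing directory I cannot tell from here. A short comment above the three lines naming which policy goes where (`# system_ext public/private: framework-visible types; vendor: HAL domains`) would also help the next reader.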
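Review bot: `ro.miui.` is a prefix match while the neighbouring entries are `exact string`, and `ro.cust.test` carries no type qualifier at all; all four land on `exported_*` property types that untrusted app domains can read. Please add a comment per entry naming the consumer that needs it, e.g. `# read by <consumer> — prefix match because several ro.miui.* keys are probed`, so the exposure can be judged and the prefix entry narrowed later if possible.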
diff --git a/sepolicy/vendor/agmservice_qti.te b/sepolicy/vendor/agmservice_qti.te
new file mode 100644
index 0000000..8fbf391
--- /dev/null
+++ b/sepolicy/vendor/agmservice_qti.te
@@ -0,0 +1 @@
+allow vendor_agmservice_qti debugfs:dir r_dir_perms;
diff --git a/sepolicy/vendor/audioadsprpcd.te b/sepolicy/vendor/audioadsprpcd.te
new file mode 100644
index 0000000..3d09e8c
--- /dev/null
+++ b/sepolicy/vendor/audioadsprpcd.te
@@ -0,0 +1,2 @@
+allow vendor_audioadsprpcd vendor_audio_data_file:dir search;
+allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write };
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
new file mode 100644
index 0000000..66e8b39
--- /dev/null
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1,8 @@
+allow audioserver system_server:dir search;
+allow audioserver mediaserver:dir search;
+allow audioserver mediaserver:file { open read };
+allow audioserver system_app:dir search;
+allow audioserver hal_audio_default:process signal;
+allow audioserver sound_device:chr_file rw_file_perms;
+get_prop(audioserver, bootanim_system_prop)
+set_prop(audioserver, audio_prop)
diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te
new file mode 100644
index 0000000..aeaf192
--- /dev/null
+++ b/sepolicy/vendor/batterysecret.te
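Review bot: `allow vendor_agmservice_qti debugfs:dir r_dir_perms;` grants a production HAL access to debugfs, which on recent Android releases is expected to be available on debug builds only. If the access is only needed for diagnostics, wrap it as `userdebug_or_eng(`allow vendor_agmservice_qti debugfs:dir r_dir_perms;`)`; otherwise add a comment naming the debugfs node the service reads so a narrower label can be introduced.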
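Review bot: This file extends the platform `audioserver` domain from vendor policy: `allow audioserver sound_device:chr_file rw_file_perms;` gives a framework process direct access to a vendor device node (`sound_device` is declared `dev_type, mlstrustedobject` in device.te in this same commit) and `set_prop(audioserver, audio_prop)` lets it write a system property, both of which bypass the HAL boundary. If these silence real denials, record the denial and the reason in a comment (`# needed for: <denial text>`), and check that the `sound_device` rule survives the core coredomain/dev_type neverallows at build time. The `mediaserver:file { open read }` rule presumably covers /proc/<pid> reads — a comment saying so would help.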
@@ -0,0 +1,35 @@
+allow batterysecret rootfs:dir write;
+allow batterysecret self:capability sys_tty_config;
+allow batterysecret self:capability sys_boot;
+allow batterysecret self:capability { chown fsetid };
+allow batterysecret self:netlink_kobject_uevent_socket { bind create read setopt };
+allow batterysecret self:capability2 block_suspend;
+allow batterysecret self:cap2_userns block_suspend;
+allow batterysecret sysfs_wake_lock:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:file rw_file_perms;
+allow batterysecret vendor_sysfs_battery_supply:dir r_dir_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;
+allow batterysecret vendor_sysfs_qcom_battery:file write;
+allow batterysecret vendor_sysfs_qcom_battery:file { open read write };
+allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms;
+allow batterysecret system_suspend_server:binder { call transfer };
+allow batterysecret system_suspend_server:fd *;
+allow batterysecret system_suspend_hwservice:hwservice_manager find;
+allow batterysecret hidl_manager_hwservice:hwservice_manager find;
+allow batterysecret sysfs:file write;
+allow batterysecret sysfs_usb:file w_file_perms;
+allow batterysecret vendor_sysfs_usb_supply:file write;
+allow batterysecret sysfs_batteryinfo:file r_file_perms;
+allow batterysecret kmsg_device:chr_file rw_file_perms;
+allow batterysecret mnt_vendor_file:dir rw_dir_perms;
+init_daemon_domain(batterysecret)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, rootfs)
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+get_prop(batterysecret, hwservicemanager_prop)
+get_prop(batterysecret, vendor_default_prop)
+set_prop(batterysecret, vendor_system_prop)
+hwbinder_use(batterysecret)
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
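Review bot: `allow batterysecret sysfs:file write;` and `allow batterysecret rootfs:dir write;` grant writes on the generic `sysfs` and `rootfs` labels, so every sysfs node that is not more specifically labelled becomes writable by this daemon; the commit already labels the battery and USB nodes (`vendor_sysfs_qcom_battery`, `vendor_sysfs_usb_supply`), so please label the remaining nodes the same way and drop the generic rules. The three `vendor_sysfs_qcom_battery:file` rules overlap (`rw_file_perms` already contains `open read write`) and collapse to one line. `self:capability sys_boot` lets the daemon reboot the device — a comment stating why a battery daemon needs that would be useful. As a point of style, move the two `type` declarations to the top of the file, ahead of the rules that use them.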
diff --git a/sepolicy/vendor/bluetooth.te b/sepolicy/vendor/bluetooth.te
new file mode 100644
index 0000000..e9fb29f
--- /dev/null
+++ b/sepolicy/vendor/bluetooth.te
@@ -0,0 +1,27 @@
+allow bluetooth hal_audio:binder { call transfer };
+allow bluetooth hal_audio:fd *;
+allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+allow bluetooth media_rw_data_file:file create_file_perms;
+allow bluetooth serial_device:chr_file rw_file_perms;
+allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth vendor_bt_device:chr_file rw_file_perms;
+allow bluetooth vendor_smd_device:chr_file rw_file_perms;
+allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find;
+allow bluetooth vendor_default_prop:file { getattr map };
+allow bluetooth vendor_bt_data_file:dir search;
+allow bluetooth vendor_bt_data_file:file { getattr open read };
+allow bluetooth system_app_data_file:dir getattr;
+allow bluetooth system_app_data_file:file { getattr open read };
+allow bluetooth self:socket { create getopt read write };
+#allow bluetooth self:socket ioctl;
+allow bluetooth servicemanager:fd *;
+allow bluetooth system_app:binder { call transfer };
+allow bluetooth system_app:fd *;
+allow bluetooth vendor_dun_service:service_manager find;
+allow bluetooth hal_audio_hwservice:hwservice_manager find;
+#allowxperm bluetooth self:ioctl socket ((range 0xc300 0xc305));
+dontaudit bluetooth netd_service:service_manager find;
+get_prop(bluetooth, vendor_display_prop)
+get_prop(bluetooth, vendor_audio_prop)
+binder_use(bluetooth)
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
new file mode 100644
index 0000000..819874a
--- /dev/null
+++ b/sepolicy/vendor/bootanim.te
@@ -0,0 +1,2 @@
+allow bootanim vendor_audio_prop:file read;
+allow bootanim vendor_proc_audiod:file read;
diff --git a/sepolicy/vendor/ddr_training.te b/sepolicy/vendor/ddr_training.te
new file mode 100644
index 0000000..52f9408
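Review bot: `allow bluetooth system_app_data_file:file { getattr open read };` lets the Bluetooth app read another app class's private data, and `media_rw_data_file:dir create_dir_perms` / `:file create_file_perms` give it unrestricted create/delete under shared storage; both should be narrowed to the specific paths involved or justified in a comment. `allow bluetooth vendor_default_prop:file { getattr map };` reads the property file directly instead of using `get_prop(bluetooth, vendor_default_prop)`. Because `bluetooth` is a platform app domain, these vendor-side additions are candidates for neverallow failures — worth compiling against the full policy before merging. The two commented-out lines should be removed or carry a note on why they are kept.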
--- /dev/null
+++ b/sepolicy/vendor/ddr_training.te
@@ -0,0 +1,8 @@
+allow ddr_training ddr_training_exec:file { entrypoint execute getattr open read };
+allow ddr_training vendor_toolbox_exec:file { entrypoint execute execute_no_trans getattr open read };
+allow ddr_training block_device:dir r_dir_perms;
+allow ddr_training ddr_partition:blk_file rw_file_perms;
+init_daemon_domain(ddr_training)
+unix_socket_connect(ddr_training, property, init)
+type ddr_training, domain;
+type ddr_training_exec, exec_type, file_type, vendor_file_type;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..54b32b9
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,9 @@
+type vendor_displayfeature_device, dev_type;
+type sound_device, dev_type, mlstrustedobject;
+type stmvl53l5_device, dev_type;
+type vendor_fingerprint_device, dev_type;
+type touchfeature_device, dev_type;
+type vendor_radio_smd_device, dev_type;
+type ir_spi_device, dev_type;
+type ddr_partition, dev_type;
+type minidump_data_file, data_file_type, file_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..fd9bd33
--- /dev/null
+++ b/sepolicy/vendor/file.te
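Review bot: `allow ddr_training ddr_training_exec:file { entrypoint execute getattr open read };` duplicates what `init_daemon_domain(ddr_training)` already grants, and the `vendor_toolbox_exec:file { entrypoint ... }` rule makes toolbox a valid entrypoint into this domain, which only makes sense if the service is launched through a toolbox binary — a comment quoting the service command would let a reader confirm that. `unix_socket_connect(ddr_training, property, init)` is the raw half of `set_prop`; if the daemon sets a property, write `set_prop(ddr_training, <property type>)` so the property is named. `ddr_partition:blk_file rw_file_perms` is a raw partition write and deserves a comment naming the partition it is labelled on.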
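Review bot: `type minidump_data_file, data_file_type, file_type;` is a data-file type and belongs in file.te with the other `data_file_type` declarations, not in device.te. `type sound_device, dev_type, mlstrustedobject;` exempts the node from MLS constraints; the only consumers visible in this commit are `audioserver` and `hal_audio_default`, so please add a comment explaining why the attribute is needed or drop it.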
@@ -0,0 +1,41 @@
+# Audio
+type sysfs_f0_value, fs_type, sysfs_type;
+type audio_socket, file_type;
+
+# Battery
+type vendor_sysfs_qcom_battery, fs_type, sysfs_type;
+
+# Camera
+type camera_persist_file, file_type, mlstrustedobject, vendor_persist_type;
+
+# Diag
+type vendor_modem_data_file, data_file_type, file_type;
+
+# Display
+type vendor_sysfs_displayfeature, fs_type, sysfs_type;
+
+# Fingerprint
+type vendor_fingerprint_data_file, data_file_type, file_type;
+type vendor_fingerprint_data_file_fpdump, data_file_type, file_type;
+
+# GNSS
+type qx_oss_vendor_data_file, data_file_type, file_type;
+type vendor_ins_vendor_data_file, data_file_type, file_type;
+
+# Mac Address
+type vendor_mac_vendor_data_file, data_file_type, file_type, mlstrustedobject;
+
+# Mlipay
+type ta_data_file, data_file_type, file_type;
+
+# SLA
+type sla_data_file, data_file_type, file_type;
+type slad_socket, file_type;
+
+# Thermal
+type sys_thermal_wifi_limit, fs_type, sysfs_type;
+type sys_thermal_flash_state, fs_type, sysfs_type;
+type thermal_data_file, data_file_type, file_type;
+
+# Touchfeature
+type sysfs_tp_fodstatus, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..fdf1e7f
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
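Review bot: `vendor_mac_vendor_data_file` and `camera_persist_file` carry `mlstrustedobject`, which disables MLS category checks on those files; the consumers visible in this commit (`hal_bluetooth_default`, `hal_camera_default`) do not obviously need that, so either drop the attribute or add a comment naming the cross-level access it enables. `vendor_fingerprint_data_file_fpdump` is declared but nothing in this commit labels a path with it or references it in a rule — hedged, since a later file in the series may.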
@@ -0,0 +1,97 @@
+# Audio
+/dev/socket/audio_hw_socket u:object_r:audio_socket:s0
+/dev/socket/audio_us_socket_0 u:object_r:audio_socket:s0
+/dev/socket/audio_us_socket_1 u:object_r:audio_socket:s0
+/dev/xlog u:object_r:sound_device:s0
+/sys/devices/platform/soc/[a-z0-9]+.i2c/i2c-+[0-9]/[0-9]+-00+[a-z0-9]+[a-z0-9]/f0_value u:object_r:sysfs_f0_value:s0
+
+# Battery
+/(vendor|system/vendor)/bin/batterysecret u:object_r:batterysecret_exec:s0
+
+# Camera
+/(vendor|system/vendor)/bin/hw/vendor.xiaomi.hardware.quickcamera@1.0-service u:object_r:hal_quickcamera_default_exec:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+#/vendor/bin/camera_cal u:object_r:DualCameraCal_exec:s0
+
+# CIT
+/(vendor|system/vendor)/bin/hw/vendor.xiaomi.sensor.citsensorservice@1.1-service u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor.xiaomi.sensor.citsensorservice@2.0-service u:object_r:vendor_hal_citsensorservice_xiaomi_default_exec:s0
+
+# Diag
+/data/vendor/modem(/.*)? u:object_r:vendor_modem_data_file:s0
+
+# Display
+/(vendor|system/vendor)/bin/displayfeature u:object_r:vendor_displayfeature_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.xiaomi\.hardware\.displayfeature@1\.0-service u:object_r:vendor_hal_displayfeature_xiaomi_default_exec:s0
+/dev/mi_display/disp_feature u:object_r:vendor_displayfeature_device:s0
+/sys/devices/virtual/mi_display/disp_feature/disp-DSI-+[0-1](/.*)? u:object_r:vendor_sysfs_displayfeature:s0
+
+# Dolby
+/data/vendor/dolby(/.*)? u:object_r:vendor_data_file:s0
+/vendor/bin/hw/dolbycodec2 u:object_r:vendorcodec_exec:s0
+
+# Fingerprint
+/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0
+/mnt/vendor/persist/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0
+
+# GNSS
+/data/vendor/ins(/.*)? u:object_r:vendor_ins_vendor_data_file:s0
+/data/vendor/qxwz(/.*)? u:object_r:qx_oss_vendor_data_file:s0
+/mnt/vendor/persist/qxwz u:object_r:qx_oss_vendor_data_file:s0
+
+# IR
+/dev/ir_spi u:object_r:ir_spi_device:s0
+
+# Mac Address
+/data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0
+/vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
+
+# Mlipay
+/(vendor|system/vendor)/bin/fidoca u:object_r:hal_mfidoca_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+/(vendor|system/vendor)/bin/mtd u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/mtd@1.1 u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/mtd@1.2 u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/mtd@1.3 u:object_r:hal_mtdservice_default_exec:s0
+/(vendor|system/vendor)/bin/tidad u:object_r:hal_tidaservice_default_exec:s0
+/(vendor|system/vendor)/bin/tidad@1.1 u:object_r:hal_tidaservice_default_exec:s0
+/(vendor|system/vendor)/bin/tidad@1.2 u:object_r:hal_tidaservice_default_exec:s0
+/data/vendor/images(/.*)? u:object_r:ta_data_file:s0
+/mnt/vendor/persist/fdsd(/.*)? u:object_r:vendor_persist_drm_file:s0
+
+# Modem
+/dev/smd8 u:object_r:vendor_radio_smd_device:s0
+
+# QRTR
+/(vendor|system/vendor)/bin/qrtr-lookup u:object_r:vendor_qrtr_exec:s0
+
+# RIL
+/data/vendor/diag(/.*)? u:object_r:minidump_data_file:s0
+
+# Sensors
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi-multihal u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor.xiaomi.sensor.communicate@1.0-service u:object_r:vendor_hal_sensorcommunicate_default_exec:s0
+/dev/stmvl53l5 u:object_r:stmvl53l5_device:s0
+
+# SLA
+/(vendor|system/vendor)/bin/hw/vendor\.qti\.sla\.service\@1\.0-service u:object_r:hal_slaservice_qti_exec:s0
+/data/vendor/sla(/.*)? u:object_r:sla_data_file:s0
+/dev/socket/slad u:object_r:slad_socket:s0
+
+# Thermal
+/(vendor|system/vendor)/bin/mi_thermald u:object_r:mi_thermald_exec:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
+/sys/class/thermal/thermal_message/flash_state u:object_r:sys_thermal_flash_state:s0
+/sys/class/thermal/thermal_message/wifi_limit u:object_r:sys_thermal_wifi_limit:s0
+/sys/class/thermal/thermal_zone87/temp u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal/thermal_message/flash_state u:object_r:sys_thermal_flash_state:s0
+/sys/devices/virtual/thermal/thermal_message/wifi_limit u:object_r:sys_thermal_wifi_limit:s0
+
+# Touchfeature
+/dev/xiaomi-touch u:object_r:touchfeature_device:s0
+/sys/devices/virtual/touch/tp_dev/fod_status u:object_r:sysfs_tp_fodstatus:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..0c2bb39
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
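Review bot: Several executable entries leave regex metacharacters unescaped — `vendor.xiaomi.hardware.quickcamera@1.0-service`, both `vendor.xiaomi.sensor.citsensorservice@…` lines and `vendor.xiaomi.sensor.communicate@1.0-service` — while the displayfeature and fingerprint entries escape them (`vendor\.xiaomi\.hardware\.displayfeature@1\.0-service`); an unescaped `.` matches any character, so please escape consistently. The `/sys/devices/platform/soc/[a-z0-9]+.i2c/i2c-+[0-9]/[0-9]+-00+[a-z0-9]+[a-z0-9]/f0_value` pattern has `-+` and `00+` runs that look like typos for explicit character classes. Entries under `/sys` (the thermal lines and `fod_status`) only take effect when something runs restorecon on those paths; if nothing does, they belong in genfs_contexts as the `fod_press_status` entry already is. `/mnt/vendor/persist/qxwz` lacks the `(/.*)?` suffix its siblings carry.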
@@ -0,0 +1,15 @@
+# Extcon
+genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform:lpass-cdc/wcd938x-codec/extcon u:object_r:sysfs_extcon:s0
+
+# Suspend
+genfscon sysfs /devices/platform/soc/3000000.remoteproc-adsp/remoteproc/remoteproc2/3000000.remoteproc-adsp:glink-edge/3000000.remoteproc-adsp:glink-edge.adsp_apps.-1.-1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/990000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-bark/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-resin-bark/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_goodix/wakeup u:object_r:sysfs_wakeup:s0
+
+# Touchfeature
+genfscon sysfs /devices/virtual/touch/touch_dev/fod_press_status u:object_r:sysfs_tp_fodstatus:s0
diff --git a/sepolicy/vendor/hal_audio.te b/sepolicy/vendor/hal_audio.te
new file mode 100644
index 0000000..4413299
--- /dev/null
+++ b/sepolicy/vendor/hal_audio.te
@@ -0,0 +1,12 @@
+hal_attribute(dms)
+allow hal_audio_default vendor_persist_audio_file:file rw_file_perms;
+allow hal_audio_default mnt_vendor_file:dir r_dir_perms;
+allow hal_audio_default vendor_audio_prop:property_service set;
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default sound_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_f0_value:file rw_file_perms;
+allow hal_audio_default sysfs:file rw_file_perms;
+unix_socket_connect(hal_audio_default, property, init)
+unix_socket_connect(hal_audio_default, property, hal_sensors_default)
+hal_client_domain(hal_audio_default, hal_dms)
+set_prop(hal_audio_default, vendor_audio_prop)
diff --git a/sepolicy/vendor/hal_bluetooth.te b/sepolicy/vendor/hal_bluetooth.te
new file mode 100644
index 0000000..7036782
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth.te
@@ -0,0 +1,2 @@
+allow hal_bluetooth_default vendor_mac_vendor_data_file:dir search;
+allow hal_bluetooth_default vendor_mac_vendor_data_file:file { open read };
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..9069b53
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
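Review bot: `allow hal_audio_default sysfs:file rw_file_perms;` grants read/write on the generic `sysfs` label even though the commit already introduces `sysfs_f0_value` for the node this HAL needs; label the remaining nodes and drop the generic rule. `hal_attribute(dms)` is defined here while hal_dms.te carries the same line commented out — it belongs in hal_dms.te next to the `hal_dms_*` type declarations. `allow hal_audio_default vendor_audio_prop:property_service set;` duplicates `set_prop(hal_audio_default, vendor_audio_prop)`, and `unix_socket_connect(hal_audio_default, property, hal_sensors_default)` pairs the property socket with `hal_sensors_default` as the server, which looks like a mismatched macro argument — please confirm which socket is intended.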
@@ -0,0 +1,37 @@
+attribute vendor_hal_camerapostproc_xiaomi;
+attribute vendor_hal_camerapostproc_xiaomi_client;
+attribute vendor_hal_camerapostproc_xiaomi_server;
+type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
+
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:fd *;
+allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:fd *;
+allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi platform_app:fd *;
+allow vendor_hal_camerapostproc_xiaomi priv_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi priv_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi priv_app:fd *;
+allow vendor_hal_camerapostproc_xiaomi system_app:binder transfer;
+allow vendor_hal_camerapostproc_xiaomi system_app:binder { call transfer };
+allow vendor_hal_camerapostproc_xiaomi system_app:fd *;
+add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+
+allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default camera_persist_file:dir search;
+allow hal_camera_default vendor_persist_sensors_file:dir search;
+allow hal_camera_default stmvl53l5_device:chr_file { ioctl open read write };
+allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };
+dontaudit hal_camera graphics_device:dir search;
+dontaudit hal_camera_default default_prop:file read;
+r_dir_file(hal_camera_default, mnt_vendor_file)
+r_dir_file(hal_camera_default, camera_persist_file)
+r_dir_file(hal_camera_default, vendor_persist_sensors_file)
+hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
+add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+set_prop(hal_camera_default, vendor_camera_sensor_prop)
diff --git a/sepolicy/vendor/hal_citsensorservice_xiaomi.te b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
new file mode 100644
index 0000000..7aafce1
--- /dev/null
+++ b/sepolicy/vendor/hal_citsensorservice_xiaomi.te
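Review bot: `allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer };` and the `priv_app`/`system_app` equivalents (with their `:fd *` companions) are granted on the umbrella attribute, which `hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)` also attaches to the camera HAL, so the HAL itself gains binder and fd access to three app classes; attach these rules to `vendor_hal_camerapostproc_xiaomi_server` (or to the client attribute, whichever side actually initiates) instead. Each `binder transfer` line directly before a `binder { call transfer }` line on the same pair is redundant. `dontaudit hal_camera graphics_device:dir search;` and `add_hwservice(hal_camera_server, …)` apply to every camera HAL server and client rather than this device's HAL — hedged, but `hal_camera_default` is presumably what was meant.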
@@ -0,0 +1,50 @@
+type vendor_hal_citsensorservice_xiaomi_default, domain;
+type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
+attribute vendor_hal_citsensorservice_xiaomi;
+attribute vendor_hal_citsensorservice_xiaomi_client;
+attribute vendor_hal_citsensorservice_xiaomi_server;
+init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default)
+r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
+#set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop)
+vndbinder_use(vendor_hal_citsensorservice_xiaomi)
+hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi)
+hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator)
+add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice)
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *;
+allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:dir rw_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms;
+allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer };
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
+allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
+allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
+get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)
diff --git a/sepolicy/vendor/hal_display_config.te b/sepolicy/vendor/hal_display_config.te
new file mode 100644
index 0000000..1c79364
--- /dev/null
+++ b/sepolicy/vendor/hal_display_config.te
@@ -0,0 +1,2 @@
+allow vendor_hal_display_config_hwservice vendor_hal_displayfeature_xiaomi_default:binder transfer;
+allow vendor_hal_display_config_hwservice vendor_hal_citsensorservice_xiaomi_default:binder transfer;
diff --git a/sepolicy/vendor/hal_displayfeature_xiaomi.te b/sepolicy/vendor/hal_displayfeature_xiaomi.te
new file mode 100644
index 0000000..4774d52
--- /dev/null
+++ b/sepolicy/vendor/hal_displayfeature_xiaomi.te
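Review bot: `allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };` and the matching `:fd *` rule name a `hwservice_manager_type` label as the binder peer; that label is never a process context, so both rules are dead and the intended target is the domain that serves the display-config HAL. `input_device:dir rw_dir_perms` and `input_device:chr_file rw_file_perms` give this test service write access to input event nodes — please add a comment naming the node and the reason, or reduce it to read. The `system_server:binder call` / `transfer` pair and the `vendor_hal_sensorcommunicate_default` pair each collapse to one `{ call transfer }` rule, and the `allowxperm` sets can be written as `{ 0xc300-0xc305 }`. The commented-out `#set_prop(…, vendor_cct_prop)` should be removed or explained.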
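Review bot: Both rules in hal_display_config.te use `vendor_hal_display_config_hwservice` as the source domain, but that identifier is a `hwservice_manager_type` label for a hwservicemanager entry, not a process domain, so neither rule ever matches a running process. The intended source is presumably the domain that serves the display-config HAL; the other files in this commit call `hal_graphics_composer` for the same purpose, so something like `allow hal_graphics_composer_default vendor_hal_displayfeature_xiaomi_default:binder transfer;` is probably what was meant — please confirm against the actual server. If the callers use `hal_client_domain`, the reverse `transfer` rules may not be needed at all.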
@@ -0,0 +1,69 @@
+type vendor_hal_displayfeature_xiaomi_default, domain;
+type vendor_hal_displayfeature_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_displayfeature_xiaomi_hwservice, hwservice_manager_type;
+type vendor_mistcdisplay_service, vndservice_manager_type;
+
+type vendor_displayfeature, domain;
+type vendor_displayfeature_exec, exec_type, file_type, vendor_file_type;
+type vendor_DisplayFeatureControl_service, vndservice_manager_type;
+
+allow vendor_hal_displayfeature_xiaomi vendor_sysfs_graphics:file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi vendor_qdisplay_service:service_manager find;
+allow vendor_hal_displayfeature_xiaomi hal_graphics_composer:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi hal_graphics_composer:fd *;
+allow vendor_hal_displayfeature_xiaomi graphics_device:chr_file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi graphics_device:dir r_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default sysfs:file { getattr open read write };
+allow vendor_hal_displayfeature_xiaomi_default sensors_device:chr_file r_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_default system_server:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default vendor_hal_display_config_hwservice:fd *;
+allow vendor_hal_displayfeature_xiaomi_default vendor_display_vendor_data_file:dir create_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_display_vendor_data_file:file create_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow vendor_hal_displayfeature_xiaomi_default vendor_sysfs_displayfeature:dir r_dir_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_sysfs_displayfeature:file rw_file_perms;
+allow vendor_hal_displayfeature_xiaomi_default vendor_mistcdisplay_service:service_manager find;
+allow vendor_hal_displayfeature_xiaomi_default system_app:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_default system_app:fd *;
+allow vendor_hal_displayfeature_xiaomi_default surfaceflinger:binder call;
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_server:binder { call transfer };
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_server:fd *;
+allow vendor_hal_displayfeature_xiaomi_client vendor_hal_displayfeature_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_displayfeature_xiaomi_server vendor_hal_displayfeature_xiaomi_client:binder transfer;
+attribute vendor_hal_displayfeature_xiaomi;
+attribute vendor_hal_displayfeature_xiaomi_client;
+attribute vendor_hal_displayfeature_xiaomi_server;
+init_daemon_domain(vendor_hal_displayfeature_xiaomi_default)
+r_dir_file(vendor_hal_displayfeature_xiaomi, vendor_sysfs_graphics)
+unix_socket_connect(vendor_hal_displayfeature_xiaomi_default, property, vendor_sensors)
+get_prop(vendor_hal_displayfeature_xiaomi_default, vendor_mpctl_prop)
+set_prop(vendor_hal_displayfeature_xiaomi_default, vendor_displayfeature_prop)
+vndbinder_use(vendor_hal_displayfeature_xiaomi)
+hal_server_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_displayfeature_xiaomi)
+hal_client_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_display_color)
+hal_client_domain(vendor_hal_displayfeature_xiaomi_default, vendor_hal_display_postproc)
+add_hwservice(vendor_hal_displayfeature_xiaomi_server, vendor_hal_displayfeature_xiaomi_hwservice)
+
+allow vendor_displayfeature system_server:binder transfer;
+allow vendor_displayfeature system_server:binder { call transfer };
+allow vendor_displayfeature system_server:fd *;
+allow vendor_displayfeature appdomain:binder { call transfer };
+allow vendor_displayfeature appdomain:fd *;
+allow vendor_displayfeature sysfs:file { getattr open read write };
+allow vendor_displayfeature vendor_file:file r_file_perms;
+allow vendor_displayfeature graphics_device:dir r_dir_perms;
+allow vendor_displayfeature graphics_device:chr_file rw_file_perms;
+init_daemon_domain(vendor_displayfeature)
+get_prop(vendor_displayfeature, hwservicemanager_prop)
+get_prop(vendor_displayfeature, vendor_displayfeature_prop)
+hwbinder_use(vendor_displayfeature)
+vndbinder_use(vendor_displayfeature)
+hal_client_domain(vendor_displayfeature, hal_graphics_composer)
+hal_client_domain(vendor_displayfeature, hal_light)
+hal_client_domain(vendor_displayfeature, vendor_hal_display_color)
+hal_client_domain(vendor_displayfeature, vendor_hal_display_postproc)
+hal_client_domain(vendor_displayfeature, vendor_hal_displayfeature_xiaomi)
+add_service(vendor_displayfeature, vendor_DisplayFeatureControl_service)
diff --git a/sepolicy/vendor/hal_dms.te b/sepolicy/vendor/hal_dms.te
new file mode 100644
index 0000000..0f51466
--- /dev/null
+++ b/sepolicy/vendor/hal_dms.te
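Review bot: `allow vendor_displayfeature appdomain:binder { call transfer };` and `allow vendor_displayfeature appdomain:fd *;` let a vendor daemon call into every app domain on the device; narrow this to the app domains that actually register callbacks (the `system_app` rules on the sibling HAL domain suggest that is the real client). Both domains also get `sysfs:file { getattr open read write }` on the generic label although `vendor_sysfs_displayfeature` and `vendor_sysfs_graphics` are already defined for their nodes — drop the generic writes. `vendor_hal_display_config_hwservice:binder { call transfer }` and `:fd *` target a hwservice label rather than a domain, so they are dead rules. `allow vendor_displayfeature system_server:binder transfer;` is subsumed by the following `{ call transfer }` line, and the three `attribute` declarations should precede the rules that use them.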
@@ -0,0 +1,18 @@
+type hal_dms_default, domain;
+type hal_dms_default_exec, exec_type, file_type, vendor_file_type;
+type hal_dms_hwservice, hwservice_manager_type;
+#hal_attribute(dms)
+allow hal_dms_client hal_dms_server:binder { call transfer };
+allow hal_dms_client hal_dms_server:binder transfer;
+allow hal_dms_client hal_dms_server:fd *;
+allow hal_dms_client hal_dms_hwservice:hwservice_manager find;
+allow hal_dms_server hal_dms_client:binder transfer;
+allow hal_dms_server hal_dms_client:binder { call transfer };
+allow hal_dms_server hal_dms_client:fd *;
+allow hal_dms_default hal_dms_hwservice:hwservice_manager add;
+allow hal_dms_default vendor_data_file:dir rw_dir_perms;
+allow hal_dms_default vendor_data_file:file create_file_perms;
+init_daemon_domain(hal_dms_default)
+set_prop(hal_dms_default, vendor_audio_prop)
+hal_server_domain(hal_dms_default, hal_dms)
+add_hwservice(hal_dms_server, hal_dms_hwservice)
diff --git a/sepolicy/vendor/hal_fingerprint.te b/sepolicy/vendor/hal_fingerprint.te
new file mode 100644
index 0000000..4cd8ff0
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint.te
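Review bot: `#hal_attribute(dms)` is commented out while the hunk still grants rules to `hal_dms_client`/`hal_dms_server` and calls `hal_server_domain(hal_dms_default, hal_dms)`, so unless those attributes come from a base policy this tree builds on, the build will fail on undeclared attributes; if they do come from elsewhere, replace the commented line with a comment saying where, otherwise restore `hal_attribute(dms)`. `vendor_data_file:dir rw_dir_perms` and `vendor_data_file:file create_file_perms` give the DMS daemon write access to the generic /data/vendor label instead of a dedicated type (a constructed example name: `vendor_dms_data_file`), the pattern the commit already follows with `vendor_fingerprint_data_file` and `vendor_ins_vendor_data_file`; hal_nfc.te and mi_thermald.te carry the same generic grant. The `binder transfer` rules here are each subsumed by the `{ call transfer }` rule beside them and can be dropped; the same duplicated pairs appear in hal_mfidoca.te, hal_mlipay.te, hal_mtdservice.te, hal_quickcamera.te, hal_sensorcommunicate.te and hal_tidaservice.te.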
@@ -0,0 +1,26 @@
+type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type;
+
+allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
+allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;
+allow hal_fingerprint_default vendor_hal_perf_default:binder call;
+allow hal_fingerprint_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default input_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default mnt_vendor_file:dir search;
+allow hal_fingerprint_default vendor_fingerprint_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default vendor_sysfs_displayfeature:dir { open read };
+allow hal_fingerprint_default vendor_sysfs_displayfeature:file { open read };
+allow hal_fingerprint_default vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_tp_fodstatus:file r_file_perms;
+allow hal_fingerprint_default vendor_hal_fingerprint_hwservice_xiaomi:hwservice_manager { add find };
+allow hal_fingerprint_default touchfeature_device:chr_file rw_file_perms;
+
+get_prop(hal_fingerprint_default, vendor_panel_info_prop)
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+set_prop(hal_fingerprint_default, vendor_fp_info_prop)
diff --git a/sepolicy/vendor/hal_gnss.te b/sepolicy/vendor/hal_gnss.te
new file mode 100644
index 0000000..69ffd39
--- /dev/null
+++ b/sepolicy/vendor/hal_gnss.te
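Review bot: `input_device:chr_file rwx_file_perms` and `vendor_fingerprint_device:chr_file rwx_file_perms` include `execute` on character devices, which a device node never needs; `rw_file_perms` is the right macro and the hunk already uses it for `tee_device` and `touchfeature_device`. `sysfs_tp_fodstatus:chr_file r_file_perms` sits next to a `:file` rule for the same type, and a sysfs label is only ever found on `file`/`dir` objects, so the `chr_file` line looks like a copied denial that can go. `self:netlink_socket create_socket_perms_no_ioctl` is the generic netlink class; if the HAL only listens for kernel uevents, `netlink_kobject_uevent_socket` is the narrower class to grant.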
@@ -0,0 +1,8 @@
+allow vendor_hal_gnss_qti vendor_ins_vendor_data_file:dir rw_dir_perms;
+allow vendor_hal_gnss_qti vendor_ins_vendor_data_file:file create_file_perms;
+allow vendor_hal_gnss_qti vendor_persist_sensors_file:dir rw_dir_perms;
+allow vendor_hal_gnss_qti vendor_persist_sensors_file:file create_file_perms;
+allow vendor_hal_gnss_qti mnt_vendor_file:dir search;
+allow vendor_hal_gnss_qti mnt_vendor_file:dir rw_dir_perms;
+get_prop(vendor_hal_gnss_qti, vendor_sensors_prop)
+get_prop(vendor_hal_gnss_qti, vendor_mi_ins_prop)
diff --git a/sepolicy/vendor/hal_graphics_composer.te b/sepolicy/vendor/hal_graphics_composer.te
new file mode 100644
index 0000000..c3f4a9a
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer.te
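Review bot: `mnt_vendor_file:dir rw_dir_perms` lets the GNSS HAL create and remove entries directly in the generic /mnt/vendor root label, and it also makes the `mnt_vendor_file:dir search` line right above it redundant. If the HAL creates its own directory there, give it a dedicated persist type like the `vendor_persist_sensors_file` rules already use, with a `type_transition` from `mnt_vendor_file` so the directory is labelled at creation; if it only traverses, keep `allow vendor_hal_gnss_qti mnt_vendor_file:dir search;` alone.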
@@ -0,0 +1,15 @@
+allow hal_graphics_composer vendor_hal_displayfeature_xiaomi:binder transfer;
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow hal_graphics_composer vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow hal_graphics_composer_default vendor_displayfeature_device:chr_file { ioctl open read };
+allow hal_graphics_composer_default vendor_sysfs_displayfeature:dir { open read search };
+allow hal_graphics_composer_default vendor_sysfs_displayfeature:file { open read write };
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder { call transfer };
+allow hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:fd *;
+get_prop(hal_graphics_composer, vendor_displayfeature_prop)
+set_prop(hal_graphics_composer_default, vendor_ctl_vendor_display_prop)
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+hal_client_domain(hal_graphics_composer_default, vendor_hal_displayfeature_xiaomi)
+allow hal_graphics_composer_default vendor_mistcdisplay_service:service_manager find;
+add_service(hal_graphics_composer_default, vendor_mistcdisplay_service)
diff --git a/sepolicy/vendor/hal_light.te b/sepolicy/vendor/hal_light.te
new file mode 100644
index 0000000..c2cf4f0
--- /dev/null
+++ b/sepolicy/vendor/hal_light.te
@@ -0,0 +1,3 @@
+allow hal_light_default vendor_displayfeature_device:chr_file { ioctl open read write };
+allow hal_light_default vendor_sysfs_displayfeature:dir r_dir_perms;
+allow hal_light_default vendor_sysfs_displayfeature:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mfidoca.te b/sepolicy/vendor/hal_mfidoca.te
new file mode 100644
index 0000000..b1860b5
--- /dev/null
+++ b/sepolicy/vendor/hal_mfidoca.te
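Review bot: The first three rules and `get_prop(hal_graphics_composer, vendor_displayfeature_prop)` are granted to the `hal_graphics_composer` attribute rather than to `hal_graphics_composer_default`, and AOSP's `hal_client_domain` macro applies that attribute to every composer client (surfaceflinger among them) as well as the server, so `vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find` and the two `binder transfer` rules leak to all of them. Unless a client genuinely needs these, scope them to `hal_graphics_composer_default` (or `hal_graphics_composer_server`) as the rest of the hunk does. `hal_graphics_composer_default vendor_hal_citsensorservice_xiaomi_default:binder call` is subsumed by the `{ call transfer }` line that follows it.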
@@ -0,0 +1,24 @@
+type hal_mfidoca_default, domain;
+type hal_mfidoca_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mfidoca_hwservice, hwservice_manager_type;
+hal_attribute(mfidoca)
+allow hal_mfidoca_client hal_mfidoca_server:binder { call transfer };
+allow hal_mfidoca_client hal_mfidoca_server:binder transfer;
+allow hal_mfidoca_client hal_mfidoca_server:fd *;
+allow hal_mfidoca_server hal_mfidoca_client:binder transfer;
+allow hal_mfidoca_server hal_mfidoca_client:binder { call transfer };
+allow hal_mfidoca_server hal_mfidoca_client:fd *;
+allow hal_mfidoca_default tee_device:chr_file rw_file_perms;
+allow hal_mfidoca_default firmware_file:dir r_dir_perms;
+allow hal_mfidoca_default firmware_file:file r_file_perms;
+allow hal_mfidoca_default ion_device:chr_file rw_file_perms;
+allow hal_mfidoca_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mfidoca_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mfidoca_default hal_mtdservice_default:binder transfer;
+init_daemon_domain(hal_mfidoca_default)
+get_prop(hal_mfidoca_default, vendor_fp_prop)
+get_prop(hal_mfidoca_default, vendor_system_prop)
+set_prop(hal_mfidoca_default, vendor_payment_security_prop)
+hwbinder_use(hal_mfidoca_default)
+hal_server_domain(hal_mfidoca_default, hal_mfidoca)
+add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000..35af621
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
@@ -0,0 +1,27 @@
+type hal_mlipay_default, domain;
+type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mlipay_hwservice, hwservice_manager_type;
+hal_attribute(mlipay)
+allow hal_mlipay_client hal_mlipay_server:binder { call transfer };
+allow hal_mlipay_client hal_mlipay_server:binder transfer;
+allow hal_mlipay_client hal_mlipay_server:fd *;
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+allow hal_mlipay_server hal_mlipay_client:binder transfer;
+allow hal_mlipay_server hal_mlipay_client:binder { call transfer };
+allow hal_mlipay_server hal_mlipay_client:fd *;
+allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default firmware_file:dir r_dir_perms;
+allow hal_mlipay_default firmware_file:file r_file_perms;
+allow hal_mlipay_default ion_device:chr_file rw_file_perms;
+allow hal_mlipay_default rootfs:lnk_file r_file_perms;
+allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mlipay_default hal_mtdservice_default:binder transfer;
+init_daemon_domain(hal_mlipay_default)
+get_prop(hal_mlipay_default, vendor_fp_prop)
+get_prop(hal_mlipay_default, vendor_system_prop)
+set_prop(hal_mlipay_default, vendor_payment_security_prop)
+hwbinder_use(hal_mlipay_default)
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
diff --git a/sepolicy/vendor/hal_mtdservice.te b/sepolicy/vendor/hal_mtdservice.te
new file mode 100644
index 0000000..2e2a46f
--- /dev/null
+++ b/sepolicy/vendor/hal_mtdservice.te
@@ -0,0 +1,55 @@
+type hal_mtdservice_default, domain;
+type hal_mtdservice_default_exec, exec_type, file_type, vendor_file_type;
+type hal_mtdservice_hwservice, hwservice_manager_type;
+hal_attribute(mtdservice)
+allow hal_mtdservice_client hal_mtdservice_server:binder { call transfer };
+allow hal_mtdservice_client hal_mtdservice_server:binder transfer;
+allow hal_mtdservice_client hal_mtdservice_server:fd *;
+allow hal_mtdservice_server hal_mtdservice_client:binder transfer;
+allow hal_mtdservice_server hal_mtdservice_client:binder { call transfer };
+allow hal_mtdservice_server hal_mtdservice_client:fd *;
+allow hal_mtdservice_default hal_mlipay_default:binder { call transfer };
+allow hal_mtdservice_default hal_mlipay_default:fd *;
+allow hal_mtdservice_default hal_mfidoca_default:binder { call transfer };
+allow hal_mtdservice_default hal_mfidoca_default:fd *;
+allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;
+allow hal_mtdservice_default firmware_file:dir r_dir_perms;
+allow hal_mtdservice_default firmware_file:file r_file_perms;
+allow hal_mtdservice_default ion_device:chr_file rw_file_perms;
+allow hal_mtdservice_default vendor_persist_drm_file:dir { create_dir_perms relabelto };
+allow hal_mtdservice_default vendor_persist_drm_file:file { create_file_perms relabelto };
+allow hal_mtdservice_default vendor_persist_file:dir r_dir_perms;
+allow hal_mtdservice_default mnt_vendor_file:dir { create_dir_perms relabelfrom };
+allow hal_mtdservice_default proc:file r_file_perms;
+allow hal_mtdservice_default tee_device:chr_file rw_file_perms;
+allow hal_mtdservice_default system_data_file:dir getattr;
+allow hal_mtdservice_default hal_mlipay_hwservice:hwservice_manager find;
+allow hal_mtdservice_default hal_mfidoca_hwservice:hwservice_manager find;
+allow hal_mtdservice_default platform_app:binder transfer;
+allow hal_mtdservice_default system_app:binder transfer;
+allow hal_mtdservice_default ta_data_file:file create_file_perms;
+allow hal_mtdservice_default ta_data_file:dir rw_dir_perms;
+allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
+allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
+allow hal_mtdservice_default vendor_hal_tui_comm_qti:binder { call transfer };
+allow hal_mtdservice_default sysfs:dir { open read };
+allow hal_mtdservice_default sysfs:file { open read write };
+allow hal_mtdservice_default vendor_qce_device:chr_file rw_file_perms;
+allow hal_mtdservice_default vendor_sg_device:chr_file { open read };
+allow hal_mtdservice_default vendor_sg_device:chr_file { ioctl write };
+allow hal_mtdservice_default vendor_persist_data_file:dir getattr;
+allow hal_mtdservice_default vendor_smcinvoke_device:chr_file { ioctl open read write };
+allow hal_mtdservice_default system_server:binder transfer;
+allow hal_mtdservice_default block_device:dir r_dir_perms;
+allow hal_mtdservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_mtdservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+allow hal_mtdservice_default hal_tidaservice_default:binder transfer;
+allow hal_mtdservice_default hal_secure_element_default:binder transfer;
+type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";
+init_daemon_domain(hal_mtdservice_default)
+get_prop(hal_mtdservice_default, vendor_system_prop)
+get_prop(hal_mtdservice_default, vendor_cpuid_prop)
+set_prop(hal_mtdservice_default, vendor_payment_security_prop)
+hwbinder_use(hal_mtdservice_default)
+hal_server_domain(hal_mtdservice_default, hal_mtdservice)
+add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
diff --git a/sepolicy/vendor/hal_nfc.te b/sepolicy/vendor/hal_nfc.te
new file mode 100644
index 0000000..87b62ef
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc.te
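Review bot: `type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";` names the `hal_mtdservice` attribute as the creating domain, and since `hal_client_domain` applies that attribute to clients as well, any client that creates `fdsd` under /mnt/vendor would get the transition; `hal_mtdservice_default` is the intended subject, and the literal `"fdsd"` reads like a placeholder or typo that should be checked against the directory the daemon actually creates. Because `mnt_vendor_file:dir { create_dir_perms relabelfrom }` and `vendor_persist_drm_file:dir { create_dir_perms relabelto }` are also granted, the daemon can create and relabel arbitrary persist directories even without the transition, so getting the transition right is what keeps that access contained. `allow hal_mtdservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };` targets a `hwservice_manager_type` rather than a process domain and is therefore a no-op — the `vendor_hal_tui_comm_qti:binder` line after it is the effective one; hal_tidaservice.te repeats the same no-op. `sysfs:file { open read write }` is a write grant over the whole unlabelled sysfs tree; the nodes the service writes should be given their own label.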
@@ -0,0 +1,3 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
+allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
diff --git a/sepolicy/vendor/hal_perf.te b/sepolicy/vendor/hal_perf.te
new file mode 100644
index 0000000..dc30a49
--- /dev/null
+++ b/sepolicy/vendor/hal_perf.te
@@ -0,0 +1,20 @@
+allow vendor_hal_perf_default hal_graphics_composer_default:process getpgid;
+allow vendor_hal_perf_default hal_graphics_composer_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file r_file_perms;
+allow vendor_hal_perf_default hal_graphics_composer_default:file append;
+allow vendor_hal_perf_default hal_graphics_composer:dir search;
+allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_camera_default:file r_file_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms;
+allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms;
+allow vendor_hal_perf_default sysfs_thermal:file rw_file_perms;
+allow vendor_hal_perf_default hal_audio_default:dir search;
+allow vendor_hal_perf_default hal_audio_default:file { open read };
+allow vendor_hal_perf_default thermal_data_file:dir { read search watch };
+allow vendor_hal_perf_default thermal_data_file:file { getattr open read setattr unlink };
+allow vendor_hal_perf_default vendor_hal_displayfeature_xiaomi_default:dir search;
+allow vendor_hal_perf_default vendor_hal_displayfeature_xiaomi_default:file read;
+allow vendor_hal_perf_default mi_thermald:dir r_dir_perms;
+allow vendor_hal_perf_default mi_thermald:file r_file_perms;
+
+set_prop(vendor_hal_perf_default, vendor_wlc_public_prop)
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_power.te b/sepolicy/vendor/hal_power.te
new file mode 100644
index 0000000..92f56ab
--- /dev/null
+++ b/sepolicy/vendor/hal_power.te
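Review bot: `thermal_data_file:file { getattr open read setattr unlink }` and `sysfs_thermal:file rw_file_perms` let the perf HAL delete the thermal daemon's files and write thermal sysfs nodes; the `{ read search watch }` on the directory suggests it is a consumer, in which case `thermal_data_file:file r_file_perms` and `sysfs_thermal:file r_file_perms` are enough. `hal_graphics_composer_default:file append`, beside the `r_file_perms` rule on the same process type (its /proc entries), reads like a copied denial; appending to another process's /proc files is unusual enough to merit a comment naming the file, or removal. The file is also missing its trailing newline.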
@@ -0,0 +1 @@
+allow hal_power_default touchfeature_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_quickcamera.te b/sepolicy/vendor/hal_quickcamera.te
new file mode 100644
index 0000000..673884a
--- /dev/null
+++ b/sepolicy/vendor/hal_quickcamera.te
@@ -0,0 +1,27 @@
+type hal_quickcamera_default, domain;
+type hal_quickcamera_default_exec, exec_type, file_type, vendor_file_type;
+type hal_quickcamera_hwservice, hwservice_manager_type;
+hal_attribute(quickcamera)
+allow hal_quickcamera_client hal_quickcamera_server:binder { call transfer };
+allow hal_quickcamera_client hal_quickcamera_server:binder transfer;
+allow hal_quickcamera_client hal_quickcamera_server:fd *;
+allow hal_quickcamera_client hal_quickcamera_hwservice:hwservice_manager find;
+allow hal_quickcamera_server hal_quickcamera_client:binder transfer;
+allow hal_quickcamera_server hal_quickcamera_client:binder { call transfer };
+allow hal_quickcamera_server hal_quickcamera_client:fd *;
+allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add;
+allow hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find };
+allow hal_quickcamera_default platform_app:binder transfer;
+allow hal_quickcamera_default platform_app:binder { call transfer };
+allow hal_quickcamera_default platform_app:fd *;
+allow hal_quickcamera_default system_app:binder transfer;
+allow hal_quickcamera_default system_app:binder { call transfer };
+allow hal_quickcamera_default system_app:fd *;
+allow hal_quickcamera platform_app:binder transfer;
+allow hal_quickcamera platform_app:binder { call transfer };
+allow hal_quickcamera platform_app:fd *;
+allow hal_quickcamera system_app:binder transfer;
+allow hal_quickcamera system_app:binder { call transfer };
+allow hal_quickcamera system_app:fd *;
+init_daemon_domain(hal_quickcamera_default)
+hal_server_domain(hal_quickcamera_default, hal_quickcamera)
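Review bot: `hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find }` together with the explicit `hidl_base_hwservice:hwservice_manager add` hand-rolls what `add_hwservice(hal_quickcamera_server, hal_quickcamera_hwservice)` provides, and drops the macro's accompanying `neverallow` that stops any other domain from registering the same hwservice name; every other new HAL in this commit uses the macro. The six `allow hal_quickcamera platform_app:...` / `system_app:...` rules are on the attribute and duplicate the `hal_quickcamera_default` rules above them, and since the attribute is also applied to client domains they widen those grants beyond the daemon, so they can be dropped. Each `binder transfer` line here is subsumed by the `{ call transfer }` rule next to it.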
diff --git a/sepolicy/vendor/hal_secure_element.te b/sepolicy/vendor/hal_secure_element.te
new file mode 100644
index 0000000..97bd98f
--- /dev/null
+++ b/sepolicy/vendor/hal_secure_element.te
@@ -0,0 +1,3 @@
+allow hal_secure_element_default hal_mtdservice_hwservice:hwservice_manager find;
+allow hal_secure_element_default hal_mtdservice_default:binder { call transfer };
+allow hal_secure_element_default hal_mtdservice_default:fd *;
diff --git a/sepolicy/vendor/hal_sensorcommunicate.te b/sepolicy/vendor/hal_sensorcommunicate.te
new file mode 100644
index 0000000..103a163
--- /dev/null
+++ b/sepolicy/vendor/hal_sensorcommunicate.te
@@ -0,0 +1,26 @@
+type vendor_hal_sensorcommunicate_default, domain;
+type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
+attribute vendor_hal_sensorcommunicate;
+attribute vendor_hal_sensorcommunicate_client;
+attribute vendor_hal_sensorcommunicate_server;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
+allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
+allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
+allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
+allow vendor_hal_sensorcommunicate_default system_server:binder call;
+allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
+allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
+allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
+allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
+init_daemon_domain(vendor_hal_sensorcommunicate_default)
+hwbinder_use(vendor_hal_sensorcommunicate_default)
+hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
+add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
diff --git a/sepolicy/vendor/hal_sensors.te b/sepolicy/vendor/hal_sensors.te
new file mode 100644
index 0000000..fd3349b
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors.te
@@ -0,0 +1,8 @@
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default hal_audio_default:unix_stream_socket connectto;
+allow hal_sensors_default sound_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
+allow hal_sensors_default stmvl53l5_device:chr_file { ioctl open read write };
+
+allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/vendor/hal_slaservice.te b/sepolicy/vendor/hal_slaservice.te
new file mode 100644
index 0000000..c3bcb81
--- /dev/null
+++ b/sepolicy/vendor/hal_slaservice.te
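Review bot: `allow vendor_hal_sensorcommunicate_default system_server:binder call;` has a vendor domain initiating binder calls into a core domain, which, as far as I recall AOSP's full-Treble `neverallow` in domain.te, is rejected at policy build time unless the domain is added to `binder_in_vendor_violators`; if the call is genuinely needed, add that exemption with a comment explaining why, otherwise keep only `transfer` and let system_server call in. The `vendor_displayfeature system_server:binder { call transfer }` rule in hal_displayfeature_xiaomi.te hits the same check. `vendor_persist_sensors_file:file { getattr open read }` can be written as `r_file_perms` to match the rest of the tree.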
@@ -0,0 +1,17 @@
+type hal_slaservice_qti, domain;
+type hal_slaservice_qti_exec, exec_type, file_type, vendor_file_type;
+type hal_slaservice_hwservice, hwservice_manager_type;
+hal_attribute(slaservice)
+allow hal_slaservice_qti vendor_slad_prop:file read;
+allow hal_slaservice_qti socket_device:sock_file write;
+allow hal_slaservice_client hal_slaservice_server:binder { call transfer };
+allow hal_slaservice_client hal_slaservice_server:fd *;
+allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
+allow hal_slaservice_server hal_slaservice_client:binder transfer;
+init_daemon_domain(hal_slaservice_qti)
+unix_socket_connect(hal_slaservice_qti, property, slad)
+unix_socket_connect(hal_slaservice_qti, slad, init)
+unix_socket_connect(hal_slaservice_qti, slad, slad)
+set_prop(hal_slaservice_qti, vendor_slad_prop)
+hal_server_domain(hal_slaservice_qti, hal_slaservice)
+add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
diff --git a/sepolicy/vendor/hal_tidaservice.te b/sepolicy/vendor/hal_tidaservice.te
new file mode 100644
index 0000000..2b2c75e
--- /dev/null
+++ b/sepolicy/vendor/hal_tidaservice.te
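Review bot: `allow hal_slaservice_qti vendor_slad_prop:file read;` hand-rolls property access that `set_prop(hal_slaservice_qti, vendor_slad_prop)` later in the same hunk already grants (the macro expands through `get_prop`, which gives `file r_file_perms`), so the line is redundant and the file reads more consistently with the macros alone. `socket_device:sock_file write` is the generic /dev/socket label; the socket slad listens on should carry its own type so this daemon cannot write to every socket in that directory, which is what `unix_socket_connect(hal_slaservice_qti, slad, slad)` already expresses. The three `unix_socket_connect` lines look shuffled — `(…, property, slad)` pairs the property socket with slad as server, although init serves that socket and `set_prop` already covers it, and `(…, slad, init)` presumes init answers on the slad socket — so confirm which daemon accepts each socket and keep only the matching rule.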
@@ -0,0 +1,34 @@
+type hal_tidaservice_default, domain;
+type hal_tidaservice_default_exec, exec_type, file_type, vendor_file_type;
+type hal_tidaservice_hwservice, hwservice_manager_type;
+hal_attribute(tidaservice)
+allow hal_tidaservice_client hal_tidaservice_server:binder { call transfer };
+allow hal_tidaservice_client hal_tidaservice_server:binder transfer;
+allow hal_tidaservice_client hal_tidaservice_server:fd *;
+allow hal_tidaservice_client hal_tidaservice_hwservice:hwservice_manager find;
+allow hal_tidaservice_server hal_tidaservice_client:binder transfer;
+allow hal_tidaservice_server hal_tidaservice_client:binder { call transfer };
+allow hal_tidaservice_server hal_tidaservice_client:fd *;
+allow hal_tidaservice_default hal_mtdservice_default:binder { call transfer };
+allow hal_tidaservice_default hal_mtdservice_default:fd *;
+allow hal_tidaservice_default tee_device:chr_file rw_file_perms;
+allow hal_tidaservice_default firmware_file:dir r_dir_perms;
+allow hal_tidaservice_default firmware_file:file r_file_perms;
+allow hal_tidaservice_default ion_device:chr_file rw_file_perms;
+allow hal_tidaservice_default rootfs:lnk_file r_file_perms;
+allow hal_tidaservice_default hal_mtdservice_hwservice:hwservice_manager find;
+allow hal_tidaservice_default platform_app:binder transfer;
+allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
+allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
+allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };
+allow hal_tidaservice_default sysfs:dir { open read };
+allow hal_tidaservice_default sysfs:file { open read write };
+allow hal_tidaservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
+allow hal_tidaservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
+init_daemon_domain(hal_tidaservice_default)
+get_prop(hal_tidaservice_default, vendor_fp_prop)
+get_prop(hal_tidaservice_default, vendor_system_prop)
+get_prop(hal_tidaservice_default, vendor_payment_security_prop)
+hwbinder_use(hal_tidaservice_default)
+hal_server_domain(hal_tidaservice_default, hal_tidaservice)
+add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..8f917b1
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,14 @@
+vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.displayfeature::IDisplayFeature u:object_r:vendor_hal_displayfeature_xiaomi_hwservice:s0
+vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
+vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
+vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
+
+vendor.dolby.hardware.dms::IDms u:object_r:hal_dms_hwservice:s0
+vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
+vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0
+vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..a6d4d53
--- /dev/null
+++ b/sepolicy/vendor/init.te
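Review bot: `vendor.xiaomi.hardware.bgservice::IBGService` is mapped to `vendor_hal_camerapostproc_xiaomi_hwservice`, the same label as `vendor.xiaomi.hardware.campostproc::IMiPostProcService`, so every domain allowed to `find` the post-processing service can also look up IBGService, and whichever domain is allowed to `add` one name can register the other. Unless both interfaces are served by one process for the same set of clients, give bgservice its own `hwservice_manager_type` (a constructed example: `vendor_hal_bgservice_xiaomi_hwservice`) so that `add_hwservice`'s per-name `neverallow` protects each registration separately.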
@@ -0,0 +1,8 @@
+allow init ddr_training_exec:file { execute getattr open read };
+allow init slad_exec:file { getattr open read };
+allow init sla_data_file:file rw_file_perms;
+allow vendor_init vendor_ddr_prop:property_service set;
+set_prop(vendor_init, vendor_fp_prop)
+set_prop(vendor_init, vendor_fp_info_prop)
+set_prop(vendor_init, vendor_qcc_prop)
+allow vendor_init cgroup:file getattr;
\ No newline at end of file
diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te
new file mode 100644
index 0000000..9f81f0d
--- /dev/null
+++ b/sepolicy/vendor/mi_thermald.te
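Review bot: `allow init ddr_training_exec:file { execute getattr open read };` lets init run the DDR-training binary without a domain transition; if ddr_training has its own domain declared with `init_daemon_domain`, that macro already grants init the `execute` on the exec file that the transition needs, and this line only adds an untransitioned path (which would in any case also require `execute_no_trans` to actually work), so it can likely be dropped. `allow vendor_init vendor_ddr_prop:property_service set;` bypasses the `set_prop` macro the next three lines use and omits its `get_prop` half; `set_prop(vendor_init, vendor_ddr_prop)` is the consistent form. `allow init sla_data_file:file rw_file_perms;` gives init itself write access to a data file; if this backs an init.rc `write`/`copy` action, a comment naming it would help the next reviewer. The file is also missing its trailing newline.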
@@ -0,0 +1,30 @@
+type mi_thermald, domain, mlstrustedsubject;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
+allow mi_thermald self:capability { fsetid sys_boot };
+allow mi_thermald sysfs_thermal:file w_file_perms;
+allow mi_thermald sysfs:file w_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms;
+allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms;
+allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms;
+allow mi_thermald vendor_sysfs_qcom_battery:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms;
+allow mi_thermald vendor_sysfs_graphics:file rw_file_perms;
+allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms;
+allow mi_thermald thermal_data_file:dir { add_name read remove_name search watch write };
+allow mi_thermald thermal_data_file:file { create getattr open read rename setattr unlink write };
+allow mi_thermald mi_thermald:capability { chown fowner };
+allow mi_thermald mi_thermald:capability2 { block_suspend wake_alarm };
+allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write };
+allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
+allow mi_thermald sys_thermal_wifi_limit:file { open read write };
+allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;
+init_daemon_domain(mi_thermald)
+r_dir_file(mi_thermald, sysfs_thermal)
+r_dir_file(mi_thermald, sysfs)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
+set_prop(mi_thermald, vendor_thermal_normal_prop)
diff --git a/sepolicy/vendor/modprobe.te b/sepolicy/vendor/modprobe.te
new file mode 100644
index 0000000..7bd90d8
--- /dev/null
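Review bot: `type mi_thermald, domain, mlstrustedsubject;` and `self:capability { fsetid sys_boot }` give a thermal daemon MLS bypass and the ability to reboot the device, neither of which a sysfs-driving thermal controller obviously needs; each deserves a comment naming the denial or feature that requires it, or removal. `allow mi_thermald sysfs:file w_file_perms;` together with `r_dir_file(mi_thermald, sysfs)` covers the entire unlabelled sysfs tree, while the rest of the hunk shows the nodes it really uses already have labels (`sysfs_thermal`, `vendor_sysfs_kgsl`, `vendor_sysfs_qcom_battery`, `sys_thermal_wifi_limit`), so label the remaining nodes instead of granting generic write. Smaller points: `allow mi_thermald mi_thermald:capability { chown fowner };` and the `capability2` line should use `self` and the first can fold into the existing `self:capability` rule, and `sys_thermal_wifi_limit:file { open read write }` is subsumed by the `rw_file_perms` line right after it.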
+++ b/sepolicy/vendor/modprobe.te
@@ -0,0 +1 @@
+allow vendor_modprobe block_device:dir search;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..28fc1b1
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,40 @@
+# Camera
+vendor_public_prop(vendor_camera_sensor_prop)
+
+# DDR
+vendor_public_prop(vendor_ddr_prop)
+
+# Device ID
+vendor_public_prop(vendor_deviceid_prop)
+vendor_public_prop(vendor_sno_prop)
+vendor_public_prop(vendor_cpuid_prop)
+
+# Dolby
+vendor_internal_prop(vendor_dolbyv_prop)
+
+# Display
+vendor_public_prop(vendor_displayfeature_prop)
+vendor_internal_prop(vendor_ctl_vendor_display_prop)
+
+# Fingerprint
+vendor_restricted_prop(vendor_fp_info_prop)
+vendor_public_prop(vendor_fp_prop)
+
+# GNSS
+vendor_public_prop(vendor_edgnss_qxwz_downloadak_prop)
+vendor_public_prop(vendor_mi_ins_prop)
+
+# Mlipay
+vendor_public_prop(vendor_payment_security_prop)
+
+# NFC
+vendor_public_prop(vendor_nfc_mi_prop)
+
+# Panel
+vendor_public_prop(vendor_panel_info_prop)
+
+# SLA
+type vendor_slad_prop, property_type, vendor_property_type;
+
+# Thermal
+vendor_public_prop(vendor_thermal_normal_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..e7269e0
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
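Review bot: `vendor_public_prop(vendor_deviceid_prop)` and `vendor_public_prop(vendor_sno_prop)` put IMEI/MEID and serial-number properties (the `persist.vendor.radio.imei`, `ro.vendor.oem.meid` and `ro.vendor.oem.sno` entries in property_contexts below) in the public vendor class, the one class of vendor property AOSP lets core domains be granted read on; device identifiers are exactly what `vendor_restricted_prop`, which the hunk already uses for `vendor_fp_info_prop`, exists to confine, so unless a specific system component must read them, declare both with `vendor_restricted_prop` instead. `type vendor_slad_prop, property_type, vendor_property_type;` declares the SLA property by hand while every other entry uses a macro; the matching macro form (`vendor_internal_prop(vendor_slad_prop)` if only vendor domains touch it) keeps the file uniform and adds the attribute the neverallows key on.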
@@ -0,0 +1,144 @@
+# Camera
+vendor.camera.sensor. u:object_r:vendor_camera_sensor_prop:s0
+
+# DDR
+vendor.ddr_training.is.start u:object_r:vendor_ddr_prop:s0
+
+# Device ID
+persist.vendor.radio.imei u:object_r:vendor_deviceid_prop:s0
+persist.vendor.radio.meid u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.imei u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.meid u:object_r:vendor_deviceid_prop:s0
+ro.vendor.oem.psno u:object_r:vendor_sno_prop:s0
+ro.vendor.oem.sno u:object_r:vendor_sno_prop:s0
+
+# Display
+persist.vendor.dc_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.threshold u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.color.temp u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.extcolor.proc u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dfps.level u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.disable_idle_fps u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.disable_idle_fps.threshold u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.displayfeature.video.pq.type u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dolbyvision.flat_on u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.fod.modified.dc_status u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.max.brightness u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.power.dfps.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.all_modes.colorpick_adjust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.aod.brightness.cust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.aod_layer.check u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bcbc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cabc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cct.need.check.touch.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.colorpick_adjust u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.df.effect.conflict u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dfps.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ai_disp.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.aod_monitor_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.benchmark_app u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dither u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dolbyvision.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.dual_builtin_disp u:object_r:vendor_displayfeature_prop:s0
+#ro.vendor.display.dynamic_refresh_rate u:object_r:vendor_promotion_prop:s0
+ro.vendor.display.expert_calib.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.fod_monitor_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.hwc_thermal_dimming u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.idle_default_fps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.idle_default_fps.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.idle.switch.powercloud u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.powerfull.with.charger.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.sync.tp u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ltpo.tp.idle.lowbrightness.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.mi_calib.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.nature_mode.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.papercontrast.opt u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.primary.fps.limit u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.primary_idle_refresh_rate u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.secondary_idle_refresh_rate u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.set_fps_stat_timer_ms u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.set_sec_idle_timer_ms u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.switch_resolution.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.touch.idle.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.type u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.ultimate.perf.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.video_or_camera_fps.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.displayfeature.dump u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dualpanel.dfps u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.threshold u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fod.110nit.lux.level u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fod.dimlayer.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fps.switch.default u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.fps.switch.thermal u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.gcp.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hbm_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hist.threshold u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.histogram.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.localhbm.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.media.video.style.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.need.check.cup.hbm.coverlayer.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.pcc.dc.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sdr2hdr.by.layer.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sf.enable_fb_scaling u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.soft_backlight.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.sre.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.standard.video.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.thermal.dimming.enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.use.partial.brightness u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.video.style.by.layer.support u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.video_box.version u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.whitepoint_calibration_enable u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.xiaomi.bl.poll u:object_r:vendor_displayfeature_prop:s0
+vendor.display.enable_fb_scaling u:object_r:vendor_displayfeature_prop:s0
+vendor.display.hwc_backlight.support u:object_r:vendor_displayfeature_prop:s0
+vendor.displayfeature.entry.enable u:object_r:vendor_displayfeature_prop:s0
+vendor.hbm.enable u:object_r:vendor_displayfeature_prop:s0
+vendor.video.mode.status u:object_r:vendor_displayfeature_prop:s0
+
+# Dolby
+vendor.dolbyv. u:object_r:vendor_dolbyv_prop:s0
+
+# Fingerprint
+persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.info u:object_r:vendor_fp_info_prop:s0
+persist.vendor.sys.fp.uid u:object_r:vendor_fp_info_prop:s0
+vendor.fps_hal. u:object_r:vendor_fp_prop:s0
+vendor.panel.display. u:object_r:vendor_fp_prop:s0
+ro.hardware.fp.udfps u:object_r:vendor_fp_prop:s0
+
+# GNSS
+ro.vendor.gnss.edgnss.downloadQxwzAk u:object_r:vendor_edgnss_qxwz_downloadak_prop:s0
+
+# Panel
+vendor.panel. u:object_r:vendor_panel_info_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.fido u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.fido2 u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.ifaa u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.soter u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.pay.widevine u:object_r:vendor_payment_security_prop:s0
+persist.vendor.sys.provision.status u:object_r:vendor_payment_security_prop:s0
+vendor.sys.feature_state u:object_r:vendor_payment_security_prop:s0
+vendor.sys.rpmb_state u:object_r:vendor_payment_security_prop:s0
+
+# NFC
+ro.vendor.nfc. u:object_r:vendor_nfc_mi_prop:s0
+ro.vendor.se. u:object_r:vendor_nfc_mi_prop:s0
+
+# Sensors
+persist.vendor.sensors.ins. u:object_r:vendor_mi_ins_prop:s0
+persist.vendor.sensors.ins_debug u:object_r:vendor_mi_ins_prop:s0
+
+# SLA
+vendor.sla.enabled u:object_r:vendor_slad_prop:s0
+vendor.sla.ifaces u:object_r:vendor_slad_prop:s0
+vendor.sla.mode u:object_r:vendor_slad_prop:s0
+vendor.sla.uidwhitelist u:object_r:vendor_slad_prop:s0
+vendor.sla.wlan.interface u:object_r:vendor_slad_prop:s0
+vendor.sla.wwan.interface u:object_r:vendor_slad_prop:s0
+
+# Thermal
+vendor.sys.thermal.data.path u:object_r:vendor_thermal_normal_prop:s0
diff --git a/sepolicy/vendor/qrtr.te b/sepolicy/vendor/qrtr.te
new file mode 100644
index 0000000..8e6d5f9
--- /dev/null
+++ b/sepolicy/vendor/qrtr.te
@@ -0,0 +1,2 @@
+allow vendor_qrtr vendor_data_file:dir create_dir_perms;
+allow vendor_qrtr vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..25e4c59
--- /dev/null
+++ b/sepolicy/vendor/rild.te
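Review bot: `vendor.panel.display. u:object_r:vendor_fp_prop:s0` under `# Fingerprint` shadows the `vendor.panel. u:object_r:vendor_panel_info_prop:s0` entry under `# Panel`, because the longer matching prefix wins, so a domain granted only `vendor_panel_info_prop` will be denied on `vendor.panel.display.*`; a comment on the fingerprint line stating that the split is intentional (or moving it under `# Panel`) stops it being read as a mistake. The commented-out `#ro.vendor.display.dynamic_refresh_rate u:object_r:vendor_promotion_prop:s0` names a type that the property.te in this commit does not declare, so it should be removed rather than left dormant. `persist.vendor.sensors.ins.` is filed under `# Sensors` here while its type `vendor_mi_ins_prop` is filed under `# GNSS` in property.te; use the same section name in both files.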
@@ -0,0 +1,9 @@
+allow rild vendor_radio_smd_device:file { open read write };
+allow rild vendor_radio_smd_device:chr_file { open read write };
+allow rild vendor_modem_data_file:dir create_dir_perms;
+allow rild vendor_modem_data_file:file create_file_perms;
+set_prop(rild, vendor_deviceid_prop)
+set_prop(rild, vendor_sno_prop)
+#set_prop(rild, default_prop)
+allow rild vendor_data_file:dir create_dir_perms;
+allow rild vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/slad.te b/sepolicy/vendor/slad.te
new file mode 100644
index 0000000..7e96836
--- /dev/null
+++ b/sepolicy/vendor/slad.te
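Review bot: `allow rild vendor_radio_smd_device:file { open read write };` next to the `chr_file` rule on the same type looks like one of the two came from a denial against a mislabeled node; device nodes are `chr_file`, so the `file` rule is most likely dead and should be dropped or justified in a comment, and if a regular file really carries that label the labeling is what to fix. `#set_prop(rild, default_prop)` should be deleted rather than left commented out: `default_prop` is the catch-all property type, and re-enabling that line would let rild set every property the build forgot to label. A short comment on the `vendor_deviceid_prop`/`vendor_sno_prop` grants saying which RIL path writes the identifiers would document why this domain is the one allowed to set them.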
@@ -0,0 +1,36 @@
+type slad, domain;
+type slad_exec, exec_type, file_type, vendor_file_type;
+type qti_proc_sla, proc_type;
+allow slad slad_socket:sock_file { getattr read write };
+allow slad slad_socket:sock_file unlink;
+allow slad slad:netlink_socket { bind create read write };
+allow slad proc_net:file { getattr open read };
+allow slad system_file:lnk_file getattr;
+allow slad self:capability { net_admin net_raw setgid setuid };
+allow slad self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow slad self:netlink_generic_socket { bind create read setopt write };
+allow slad self:rawip_socket { create getopt read setopt write };
+allow slad self:udp_socket { connect create getattr };
+allow slad sla_data_file:dir { add_name create read remove_name search unlink write };
+allow slad sla_data_file:dir create_dir_perms;
+allow slad sla_data_file:file create_file_perms;
+allow slad sla_data_file:file rw_file_perms;
+allow slad socket_device:dir write;
+allow slad socket_device:dir remove_name;
+allow slad socket_device:dir add_name;
+allow slad socket_device:sock_file { create setattr unlink };
+allow slad qti_proc_sla:dir search;
+allow slad qti_proc_sla:file { map open read write };
+allow slad vendor_shell_exec:file execute_no_trans;
+dontaudit slad self:capability dac_read_search;
+init_daemon_domain(slad)
+unix_socket_connect(slad, dnsproxyd, slad)
+unix_socket_connect(slad, dnsproxyd, netd)
+unix_socket_connect(slad, dnsproxyd, init)
+unix_socket_connect(slad, fwmarkd, slad)
+unix_socket_connect(slad, fwmarkd, netd)
+unix_socket_connect(slad, fwmarkd, init)
+unix_socket_connect(slad, property, slad)
+unix_socket_connect(slad, property, netd)
+set_prop(slad, vendor_slad_prop)
+net_domain(slad)
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
new file mode 100644
index 0000000..b4aed05
--- /dev/null
+++ b/sepolicy/vendor/surfaceflinger.te
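Review bot: `allow slad vendor_shell_exec:file execute_no_trans;` runs a shell inside the slad domain, which also holds `self:capability { net_admin net_raw setgid setuid }` plus raw-IP and netlink socket access, so any script it launches inherits that entire grant; if scripts are needed, give them their own domain via `domain_auto_trans` with the minimum rules, or add a comment explaining why execute_no_trans is unavoidable. `unix_socket_connect(slad, property, slad)` and `unix_socket_connect(slad, property, netd)` do not match how the property socket is served — `set_prop(slad, vendor_slad_prop)` already covers connecting to init's property socket — and they hand out `unix_stream_socket connectto` on slad and netd that nothing here needs; the `dnsproxyd`/`fwmarkd` macros with `slad` and `init` as the server look copied from denials rather than from the real server domain, so trim them to the entries that survive testing. The duplicated `sla_data_file:dir`, `sla_data_file:file` and three-line `socket_device:dir` rules should each collapse to one line per class. `type qti_proc_sla, proc_type;` is declared with no labeling entry visible in this hunk; confirm the genfs_contexts in this commit assigns it, otherwise the two `qti_proc_sla` rules are dead.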
@@ -0,0 +1,4 @@
+allow surfaceflinger vendor_sysfs_displayfeature:dir r_dir_perms;
+allow surfaceflinger vendor_sysfs_displayfeature:file rw_file_perms;
+allow surfaceflinger vendor_displayfeature_device:chr_file { ioctl open read write };
+allow surfaceflinger vendor_sysfs_graphics:dir { open read search };
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..40d97f5
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server vendor_hal_displayfeature_xiaomi_default:binder { call transfer };
\ No newline at end of file
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..65cbffd
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,3 @@
+allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
+allow tee vendor_fingerprint_data_file:file rw_file_perms;
+allow tee vendor_fingerprint_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..ba9d023
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
@@ -0,0 +1,11 @@
+allow vendor_qti_init_shell configfs:dir { add_name create write };
+# NECESSARY?
+allow vendor_qti_init_shell configfs:dir setattr;
+# END
+allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
+allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
+allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;
+allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write };
+set_prop(vendor_qti_init_shell, vendor_panel_info_prop)
+
+#get_prop(vendor_qti_init_shell, default_prop)
diff --git a/sepolicy/vendor/vendorcodec.te b/sepolicy/vendor/vendorcodec.te
new file mode 100644
index 0000000..5163cd8
--- /dev/null
+++ b/sepolicy/vendor/vendorcodec.te
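Review bot: `allow surfaceflinger vendor_displayfeature_device:chr_file { ioctl open read write };` grants every ioctl on the device node to a system domain; the usual practice is to pair the `ioctl` permission with an `allowxperm` that lists only the commands actually issued, e.g. `allowxperm surfaceflinger vendor_displayfeature_device:chr_file ioctl { <IOCTL_LIST_FROM_DRIVER> };` (the command numbers are not on this page). Giving surfaceflinger `rw_file_perms` on the vendor-owned `vendor_sysfs_displayfeature` type is also a crossing of the system/vendor boundary that deserves a comment stating which nodes it writes and why the vendor display HAL cannot do that on its behalf.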
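Review bot: `allow system_server vendor_hal_displayfeature_xiaomi_default:binder { call transfer };` is a direct binder call from a coredomain into a vendor domain, which AOSP's public domain.te constrains with neverallow rules on coredomain/vendor binder traffic; confirm this compiles under those checks rather than relying on a build that skips them, and if the HAL is exposed as a hwservice the `hal_client_domain` route for system_server is the conventional and self-documenting way to grant it. The file also ends without a trailing newline (`\ No newline at end of file`); add one to keep concatenated policy builds tidy.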
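Review bot: `allow tee vendor_fingerprint_data_file:file rw_file_perms;` is redundant once the next line grants `create_file_perms`, which is a superset of it in AOSP's global_macros; keep only the `create_file_perms` line, or, if tee is meant to update existing templates without creating files, drop the create line instead — the two lines express different intents and one should go. A one-line comment stating what the TEE stores under `vendor_fingerprint_data_file` would justify a write grant from the trusted-execution domain to anyone auditing this later.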
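Review bot: The `# NECESSARY?` / `# END` markers around `allow vendor_qti_init_shell configfs:dir setattr;` leave an open question in a merged policy; resolve it against the denial log before merging and either delete the rule or replace the markers with a comment naming the init script that performs the setattr. `#get_prop(vendor_qti_init_shell, default_prop)` should likewise be removed rather than left commented out, since enabling it later would grant reads of every property the build forgot to label. `sysfs_dm:file rw_file_perms` is wide for a shell that runs init scripts; if a single device-mapper node is written, labeling that node and granting only it is preferable.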
@@ -0,0 +1,25 @@
+type vendorcodec, domain;
+type vendorcodec_exec, exec_type, file_type, vendor_file_type;
+allow vendorcodec hal_sensors_hwservice:hwservice_manager find;
+allow vendorcodec fwk_sensor_hwservice:hwservice_manager find;
+allow vendorcodec hal_sensors_default:fd *;
+allow vendorcodec storage_file:lnk_file read;
+allow vendorcodec mnt_user_file:dir search;
+allow vendorcodec mnt_user_file:lnk_file read;
+allow vendorcodec hal_configstore_default:binder call;
+allow vendorcodec media_rw_data_file:file write;
+allow vendorcodec gpu_device:chr_file { getattr ioctl open read write };
+allow vendorcodec gpu_device:chr_file map;
+allow vendorcodec vendor_display_prop:file read;
+allow vendorcodec vendor_display_prop:file open;
+allow vendorcodec vendor_display_prop:file getattr;
+allow vendorcodec vendor_display_prop:file map;
+allow vendorcodec dmabuf_system_heap_device:chr_file { getattr ioctl open read };
+init_daemon_domain(vendorcodec)
+set_prop(vendorcodec, vendor_dolbyv_prop)
+vndbinder_use(vendorcodec)
+hal_server_domain(vendorcodec, hal_codec2)
+hal_client_domain(vendorcodec, hal_allocator)
+hal_client_domain(vendorcodec, hal_codec2)
+hal_client_domain(vendorcodec, hal_graphics_allocator)
+hal_client_domain(vendorcodec, hal_sensors)
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..d80dbf1
--- /dev/null
+++ b/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1,2 @@
+display.mistcservice u:object_r:vendor_mistcdisplay_service:s0
+DisplayFeatureControl u:object_r:vendor_DisplayFeatureControl_service:s0
diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te
new file mode 100644
index 0000000..17ce312
--- /dev/null
+++ b/sepolicy/vendor/wcnss_service.te
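Review bot: The four `allow vendorcodec vendor_display_prop:file …` lines spell out by hand what `get_prop(vendorcodec, vendor_display_prop)` expresses; use the macro so the grant follows AOSP's property-access conventions and stays in step if `r_file_perms` changes. `allow vendorcodec hal_sensors_default:fd *;` should name the permission (`use`) rather than wildcard the class, and the explicit `hal_sensors_hwservice`/`fwk_sensor_hwservice` `hwservice_manager find` lines are probably already covered by `hal_client_domain(vendorcodec, hal_sensors)`, so remove them and re-check the denial log. Being both `hal_server_domain` and `hal_client_domain` for `hal_codec2` is unusual enough to warrant a comment, and `media_rw_data_file:file write` with no matching open or read reads like a rule copied from a single denial rather than from the daemon's real file use; a comment naming the file it writes would settle that.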
@@ -0,0 +1,16 @@
+#allow vendor_wcnss_service self:netlink_generic_socket ioctl;
+allow vendor_wcnss_service self:capability { net_raw setgid setuid };
+#allow vendor_wcnss_service self:packet_socket { bind create getopt ioctl map read setopt };
+allow vendor_wcnss_service self:packet_socket write;
+allow vendor_wcnss_service sysfs_net:file read;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
+allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
+allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
+#allow vendor_wcnss_service vendor_diag_device:chr_file { create ioctl open read write };
+allow vendor_wcnss_service vendor_sysfs_diag:dir search;
+allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
+allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
+allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
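Review bot: `allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };` and the matching `:file` rule let the service create files directly under the generic `mnt_vendor_file` label instead of a dedicated type; the path it writes is not visible in this hunk, but it should be labeled in file_contexts with its own `*_data_file` type so other vendor domains that read the persist mount cannot reach it. The three commented-out rules (`netlink_generic_socket ioctl`, the `packet_socket` set and `vendor_diag_device`) should be deleted or replaced with a comment explaining why they are unnecessary; `self:packet_socket write` without `create` only works on an inherited socket, which suggests the commented `packet_socket` line is the real requirement and the policy was trimmed by hand. `vendor_mac_vendor_data_file:dir { add_name open read search setattr write }` is subsumed by the `rw_dir_perms` line after it except for `setattr`, so it can shrink to that one permission.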