authorScott Mertz <scott@cyngn.com>2015-01-14 17:37:25 -0800
committerScott Mertz <scott@cyngn.com>2015-01-14 17:57:27 -0800
commit5c18a0f6096b52aa5528877ee8da186e0b6b6eb1 (patch)
treef5784d81565b5f991f30c5b456572d7723b373db /sepolicy
lettuce: Initial commit
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/bluetooth_loader.te39
-rw-r--r--sepolicy/file.te4
-rw-r--r--sepolicy/file_contexts9
-rw-r--r--sepolicy/property_contexts2
-rw-r--r--sepolicy/qseecomd.te1
-rw-r--r--sepolicy/system.te1
-rw-r--r--sepolicy/system_app.te6
-rw-r--r--sepolicy/wcnss_service.te3
8 files changed, 65 insertions, 0 deletions
diff --git a/sepolicy/bluetooth_loader.te b/sepolicy/bluetooth_loader.te
new file mode 100644
index 0000000..a5197ef
--- /dev/null
+++ b/sepolicy/bluetooth_loader.te
@@ -0,0 +1,39 @@
+# Bluetooth executables and scripts
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, file_type;
+
+# Start bdAddrLoader from init
+init_daemon_domain(bluetooth_loader)
+
+# Run init.qcom.bt.sh
+allow bluetooth_loader shell_exec:file { entrypoint read };
+allow bluetooth_loader bluetooth_loader_exec:file { getattr open execute_no_trans };
+
+# init.qcom.bt.sh needs /system/bin/log access
+allow bluetooth_loader devpts:chr_file rw_file_perms;
+
+# Run hci_qcomm_init from init.qcom.bt.sh
+domain_auto_trans(bluetooth_loader, hci_attach_exec, hci_attach)
+allow hci_attach bluetooth_loader:fd use;
+
+# Read mac address from persist partition
+allow bluetooth_loader persist_file:dir search;
+r_dir_file(bluetooth_loader, bluetooth_data_file)
+allow bluetooth_loader self:capability { dac_override dac_read_search };
+
+# Talk to init over the property socket
+unix_socket_connect(bluetooth_loader, property, init)
+# Set persist.service.bdroid.* and bluetooth.* property values
+allow bluetooth_loader bluetooth_prop:property_service set;
+
+# Allow getprop/setprop for init.qcom.bt.sh
+allow bluetooth_loader system_file:file execute_no_trans;
+
+# Access the smd device
+allow bluetooth_loader hci_attach_dev:chr_file rw_file_perms;
+
+# And qmuxd
+allow bluetooth_loader qmuxd_socket:dir { write add_name remove_name search };
+allow bluetooth_loader qmuxd_socket:sock_file { create setattr getattr write unlink };
+allow bluetooth_loader qmuxd:unix_stream_socket { connectto };
+#
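Review bot: The line `allow bluetooth_loader self:capability { dac_override dac_read_search };` under "Read mac address from persist partition" lets the domain bypass Unix file permission checks for read, write and execute, which is more than reading one file needs. The SELinux rules beside it (`r_dir_file` on `bluetooth_data_file`, `search` on `persist_file`) are read-only, so `dac_override` adds write-bypass that nothing here appears to use. If the only need is to read /persist/.bt_nv.bin, I would set that file's owner and mode so the loader's uid can read it and drop the line, or at least narrow it to `allow bluetooth_loader self:capability dac_read_search;`. The uid the loader runs as is not visible in this commit, so this needs checking against the init script.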
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..92f0547
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,4 @@
+type touchpanel_sysfs, fs_type, sysfs_type;
+type leds_device, file_type, dev_type;
+type color_device, file_type, dev_type;
+type ylparams_device, file_type, dev_type;
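Review bot: The three device types declared here carry both `file_type` and `dev_type`, so any platform rule written against the `file_type` attribute would also apply to these character devices. Device nodes are normally declared with `dev_type` alone, e.g. `type leds_device, dev_type;`, and likewise for `color_device` and `ylparams_device`. Whether a base rule actually widens access here depends on the platform policy, which is not part of this commit.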
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..9c946d9
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,9 @@
+/dev/color_enhancement u:object_r:color_device:s0
+
+/persist/.genmac u:object_r:wifi_data_file:s0
+/persist/.bt_nv.bin u:object_r:bluetooth_data_file:s0
+
+/system/bin/btnvtool u:object_r:bluetooth_loader_exec:s0
+/system/etc/init\.qcom\.bt\.sh u:object_r:bluetooth_loader_exec:s0
+
+/dev/smd3 u:object_r:hci_attach_dev:s0
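Review bot: Only `color_device` is given a path in this file; `leds_device`, `ylparams_device` and `touchpanel_sysfs` from file.te have no entry, so the allow rules on them in system.te, system_app.te and wcnss_service.te match nothing unless another policy directory labels those nodes. If this device tree is meant to label them, the entries belong here in the form `/dev/<node> u:object_r:leds_device:s0` (the node path is a placeholder; it is not shown in the commit). Separately, `/persist/.genmac` and `/persist/.bt_nv.bin` leave their dots unescaped, unlike `init\.qcom\.bt\.sh` further down. As regexes they match more than the literal names, so `/persist/\.genmac` and `/persist/\.bt_nv\.bin` would be tighter.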
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..bb6cb2e
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+qualcomm.bluetooth. u:object_r:bluetooth_prop:s0
+qualcomm.bt. u:object_r:bluetooth_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..891b48c
--- /dev/null
+++ b/sepolicy/qseecomd.te
@@ -0,0 +1 @@
+allow tee system_prop:property_service set;
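Review bot: `allow tee system_prop:property_service set;` lets the TEE daemon domain set every property labelled `system_prop`, which is a broad type in the platform policy, and the file has no comment saying which property qseecomd needs. A dedicated property type for that one property, labelled in property_contexts and granted here instead, would keep the grant narrow. For example, with a suggested name: `type tee_prop, property_type;` and `allow tee tee_prop:property_service set;`. The property name is not visible in this commit, so the property_contexts entry has to come from the daemon's source or its denial log.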
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..dd49b8e
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1 @@
+allow system_server leds_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..f1b4c52
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,6 @@
+# for Settings' access to TapToWake and KeyDisabler
+allow system_app touchpanel_sysfs:file rw_file_perms;
+allow system_app touchpanel_sysfs:dir { search };
+
+# Color Calibration
+allow system_app color_device:chr_file rw_file_perms;
diff --git a/sepolicy/wcnss_service.te b/sepolicy/wcnss_service.te
new file mode 100644
index 0000000..fa453c2
--- /dev/null
+++ b/sepolicy/wcnss_service.te
@@ -0,0 +1,3 @@
+allow wcnss_service ylparams_device:chr_file r_file_perms;
+
+allow wcnss_service persist_file:dir search;