221 files changed, 4211 insertions, 88 deletions
@@ -19,4 +19,33 @@ LOCAL_PATH := $(call my-dir)
 ifeq ($(USES_DEVICE_GOOGLE_B1C1),true)
 subdir_makefiles=$(call first-makefiles-under,$(LOCAL_PATH))
 $(foreach mk,$(subdir_makefiles),$(info including $(mk) ...)$(eval include $(mk)))
+
+CNE_SYMLINK := $(TARGET_OUT)/etc/cne
+$(CNE_SYMLINK): $(LOCAL_INSTALLED_MODULE)
+ @echo "CNE directory link: $@"
+ @mkdir -p $(dir $@)
+ @rm -rf $@
+ $(hide) ln -sf /product/etc/cne $@
+
+ALL_DEFAULT_INSTALLED_MODULES += $(CNE_SYMLINK)
+
+IMS_LIBS := libimscamera_jni.so libimsmedia_jni.so
+IMS_SYMLINKS := $(addprefix $(TARGET_OUT)/app/ims/lib/arm64/,$(notdir $(IMS_LIBS)))
+$(IMS_SYMLINKS): $(LOCAL_INSTALLED_MODULE)
+ @echo "IMS lib link: $@"
+ @mkdir -p $(dir $@)
+ @rm -rf $@
+ $(hide) ln -sf /system/lib64/$(notdir $@) $@
+
+ALL_DEFAULT_INSTALLED_MODULES += $(IMS_SYMLINKS)
+
+DM_LIBS := libdmengine.so libdmjavaplugin.so
+DM_SYMLINKS := $(addprefix $(TARGET_OUT)/priv-app/DMService/lib/arm/,$(notdir $(DM_LIBS)))
+$(DM_SYMLINKS): $(LOCAL_INSTALLED_MODULE)
+ @echo "DMService lib link: $@"
+ @mkdir -p $(dir $@)
+ @rm -rf $@
+ $(hide) ln -sf /system/lib/$(notdir $@) $@
+
+ALL_DEFAULT_INSTALLED_MODULES += $(DM_SYMLINKS)
 endif
diff --git a/AndroidProducts.mk b/AndroidProducts.mk
index 599f286..fcc1ff1 100644
--- a/AndroidProducts.mk
+++ b/AndroidProducts.mk
@@ -17,3 +17,5 @@ PRODUCT_MAKEFILES := \
 $(LOCAL_DIR)/aosp_crosshatch.mk \
 $(LOCAL_DIR)/aosp_blueline.mk \
+ $(LOCAL_DIR)/lineage_blueline.mk \
+ $(LOCAL_DIR)/lineage_crosshatch.mk
diff --git a/BoardConfig-common.mk b/BoardConfig-common.mk
index de21237..cb271ef 100644
--- a/BoardConfig-common.mk
+++ b/BoardConfig-common.mk
@@ -58,7 +58,7 @@ BOARD_BOOT_HEADER_VERSION := 1
 BOARD_MKBOOTIMG_ARGS += --header_version $(BOARD_BOOT_HEADER_VERSION)
 # DTBO partition definitions
-BOARD_PREBUILT_DTBOIMAGE := device/google/crosshatch-kernel/dtbo.img
+TARGET_NEEDS_DTBOIMAGE := true
 BOARD_DTBOIMG_PARTITION_SIZE := 8388608
 TARGET_NO_BOOTLOADER ?= true
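Review bot: The three new symlink rules in the Android.mk hunk (its file header is outside this chunk) use `$(LOCAL_INSTALLED_MODULE)` as their only prerequisite, but at that point the variable holds whatever the last makefile pulled in by the `$(foreach … $(eval include $(mk)))` line left in it, so the links are ordered after an arbitrary module rather than after the ims, DMService and cne modules they point into — presumably unintended; name the intended module explicitly or drop the prerequisite and rely on ALL_DEFAULT_INSTALLED_MODULES alone. The CNE, IMS and DM stanzas differ only in link target and destination, so one `define`/`$(call)` template would avoid maintaining three copies of the mkdir/rm/ln recipe, and `$(notdir $(IMS_LIBS))`/`$(notdir $(DM_LIBS))` are no-ops on lists that already hold bare filenames. A comment such as `# the prebuilt apps ship without these JNI libs; point their lib dirs at the /system/lib copies` (confirm against the apk contents) would record why the links exist at all.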
@@ -121,7 +121,7 @@ BOARD_ROOT_EXTRA_SYMLINKS := /vendor/dsp:/dsp
 BOARD_ROOT_EXTRA_SYMLINKS += /mnt/vendor/persist:/persist
 BOARD_ROOT_EXTRA_SYMLINKS += /vendor/firmware_mnt:/firmware
-include device/google/crosshatch-sepolicy/crosshatch-sepolicy.mk
+include device/google/crosshatch/sepolicy/crosshatch-sepolicy.mk
 TARGET_FS_CONFIG_GEN := device/google/crosshatch/config.fs
@@ -210,7 +210,7 @@ DEVICE_FRAMEWORK_COMPATIBILITY_MATRIX_FILE := device/google/crosshatch/device_fr
 DEVICE_FRAMEWORK_MANIFEST_FILE := device/google/crosshatch/framework_manifest.xml
 # Userdebug only Vendor Interface Manifest
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 DEVICE_MANIFEST_FILE += device/google/crosshatch/manifest_userdebug.xml
 endif
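Review bot: Narrowing the variant filter to `eng` leaves `# Userdebug only Vendor Interface Manifest` and the `manifest_userdebug.xml` file name describing the old condition, so the comment now says the opposite of what the code does; reword it, e.g. `# eng-only Vendor Interface Manifest (no longer shipped on userdebug builds)`, and state in the commit message why userdebug was dropped, since the hunk does not. The same `userdebug eng` → `eng` change recurs in the device.mk hunks later in this chunk (the diag rc copy, tinyplay/tinycap packages, subsystem ramdumps, logd size, QACT workspace files, modem mdlog and usbradio diag properties), where `# Set default log size on userdebug/eng build to 1M` and the `init.hardware.diag.rc.userdebug` source name are likewise left stale. Keeping diag, ramdump and modem logging off userdebug builds reduces what a debuggable build exposes, so the change itself looks deliberate; it just needs its comments to match.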
@@ -222,33 +222,6 @@ BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
 # Use mke2fs to create ext4 images
 TARGET_USES_MKE2FS := true
-# Kernel modules
-ifeq (,$(filter-out blueline_gcc crosshatch_gcc, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/gcc/*.ko)
-else ifeq (,$(filter-out blueline_kasan crosshatch_kasan, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/kasan/*.ko)
-else ifeq (,$(filter-out blueline_kcfi crosshatch_kcfi, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/kcfi/*.ko)
-else ifeq (,$(filter-out blueline_kernel_debug_memory crosshatch_kernel_debug_memory, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/debug_memory/*.ko)
-else ifeq (,$(filter-out blueline_kernel_debug_locking crosshatch_kernel_debug_locking, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/debug_locking/*.ko)
-else ifeq (,$(filter-out blueline_kernel_debug_hang crosshatch_kernel_debug_hang, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/debug_hang/*.ko)
-else ifeq (,$(filter-out blueline_kernel_debug_api crosshatch_kernel_debug_api, $(TARGET_PRODUCT)))
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/debug_api/*.ko)
-else
-BOARD_VENDOR_KERNEL_MODULES += \
- $(wildcard device/google/crosshatch-kernel/*.ko)
-endif
-
 # Testing related defines
 BOARD_PERFSETUP_SCRIPT := platform_testing/scripts/perf-setup/b1c1-setup.sh
diff --git a/BoardConfigLineage.mk b/BoardConfigLineage.mk
new file mode 100644
index 0000000..f1794da
--- /dev/null
+++ b/BoardConfigLineage.mk
@@ -0,0 +1,13 @@
+# Common board config for crosshatch, blueline
+
+BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2
+
+BOARD_KERNEL_IMAGE_NAME := Image.lz4-dtb
+TARGET_COMPILE_WITH_MSM_KERNEL := true
+TARGET_KERNEL_ARCH := arm64
+TARGET_KERNEL_CLANG_COMPILE := true
+TARGET_KERNEL_CONFIG := lineageos_crosshatch_defconfig
+TARGET_KERNEL_CROSS_COMPILE_PREFIX := aarch64-linux-android-
+TARGET_KERNEL_SOURCE := kernel/google/crosshatch
+
+-include vendor/google/crosshatch/BoardConfigVendor.mk
diff --git a/blueline/BoardConfig.mk b/blueline/BoardConfig.mk
index 68e5b0d..8d9ba24 100644
--- a/blueline/BoardConfig.mk
+++ b/blueline/BoardConfig.mk
@@ -14,6 +14,9 @@
 # limitations under the License.
 #
+# Allow Lineage config to override others
+-include device/google/crosshatch/blueline/BoardConfigLineage.mk
+
 TARGET_BOOTLOADER_BOARD_NAME := blueline
 TARGET_RECOVERY_UI_MARGIN_HEIGHT := 20
diff --git a/blueline/BoardConfigLineage.mk b/blueline/BoardConfigLineage.mk
new file mode 100644
index 0000000..af2de4f
--- /dev/null
+++ b/blueline/BoardConfigLineage.mk
@@ -0,0 +1,2 @@
+# Boardconfig for lineage_blueline
+-include device/google/crosshatch/BoardConfigLineage.mk
diff --git a/blueline/device-lineage.mk b/blueline/device-lineage.mk
new file mode 100644
index 0000000..7bb47f6
--- /dev/null
+++ b/blueline/device-lineage.mk
@@ -0,0 +1,4 @@
+# Overlays
+DEVICE_PACKAGE_OVERLAYS += device/google/crosshatch/blueline/overlay-lineage
+
+$(call inherit-product, device/google/crosshatch/device-lineage.mk)
diff --git a/blueline/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml b/blueline/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml
new file mode 100644
index 0000000..e334d93
--- /dev/null
+++ b/blueline/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml
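Review bot: `BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS += --flag 2` sets bit 1 of the vbmeta flags, which is libavb's AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED, i.e. the generated vbmeta tells the bootloader not to verify the images it describes; a switch with that effect should carry a comment rather than a bare number, e.g. `# vbmeta flags 2 = VERIFICATION_DISABLED: this build is not signed with the OEM key, so verification is switched off instead of failing` (confirm that is the reason). avbtool spells the option `--flags`; `--flag` only works through argparse prefix matching, so spelling it out removes a dependency on that behaviour. `TARGET_KERNEL_CONFIG := lineageos_crosshatch_defconfig` presumably lives in the kernel repository named in lineage.dependencies further down the page; a one-line comment pointing there would help the next reader.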
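Review bot: `# Allow Lineage config to override others` does not match where the `-include device/google/crosshatch/blueline/BoardConfigLineage.mk` is placed: it is the first statement of blueline/BoardConfig.mk, so any later `:=` assignment to the same variable in this file overrides the Lineage value rather than the reverse (only the `+=` on BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS is order-independent); either move the include to the end of the file or reword the comment to `# Lineage defaults; assignments below take precedence`. `-include` also swallows a missing file, so a mistyped path would silently produce a board config without the Lineage settings — plain `include` is safer now that the file is part of this repository. The crosshatch/BoardConfig.mk hunk further down has the same placement and comment.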
@@ -0,0 +1,28 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- +/* +** Copyright 2018, The LineageOS Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ +--> + +<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2"> + + <!-- The list of vendor package signatures that should also be considered + platform signatures, specifically for use on devices with a vendor partition. --> + <string-array name="config_vendorPlatformSignatures" translatable="false"> + <item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item> + 
<item>308203C7308202AFA003020102021500B5304C33A0D498C8F16A147F7290B347799B28AB300D06092A864886F70D01010B05003074310B3009060355040613025553311330110603550408130A43616C69666F726E6961311630140603550407130D4D6F756E7461696E205669657731143012060355040A130B476F6F676C6520496E632E3110300E060355040B1307416E64726F69643110300E06035504031307416E64726F6964301E170D3138303432333232303533345A170D3438303432333232303533345A3074310B3009060355040613025553311330110603550408130A43616C69666F726E6961311630140603550407130D4D6F756E7461696E205669657731143012060355040A130B476F6F676C6520496E632E3110300E060355040B1307416E64726F69643110300E06035504031307416E64726F696430820122300D06092A864886F70D01010105000382010F003082010A0282010100A15109F0566BAFF9EDB515D2CAC130D21E950E625972AF32828141BB9DC1AEA251B6E5B6D5744776A3D17FCADCFE31B32CF5B66C1B62FA359E3308E8C152332DB729C056D6E2BCC68873118CA69355726ED86E48CC29CF6797BB00938450E6AF679D822236E5C095BA0016397929D1A145062C80F3CBEA37CFF09AE1B4E2FB8BD24713E344A4B9D93BBA6085E2279761B8D5168EA80C58F386F7F83B73DFB349B74F9CFDAE57D7882060C5383FA26119F8B1E27BEE1CD3E608AAD24847CE478754180489DC8ADF8A3B1847D818EE763A38C4A9A84C6EA313FBFECF1DC8F9DAC089B87FE926EA98229624CC79F3178BC9ECA8EE19365A22B99F180430976FC4030203010001A350304E300C0603551D13040530030101FF301D0603551D0E04160414E4108EBE267D13BD7CBE6E5E1301DCB42898F2A3301F0603551D23041830168014E4108EBE267D13BD7CBE6E5E1301DCB42898F2A3300D06092A864886F70D01010B050003820101003F9EB26A760A9C9FCD5A835E1211BC2FA025C152B43B90A4EF10860F516F878707136337887704323D4D911F8FE75E7CD6C8016F4FC1200735D3C1A89C9CB73B28CDBC2E33FE211D404380FFD3A6A85049691A430ACCD2009EEA0B017245AF7B9DB971CA427642FD04F9F1C1B9DB812AD8AD87C3FC48332D003C159EFF0DC0F263836011E49D7171FD279EF0CA79C13A29902BBCAE99416010E8F34FDF10B43EB7E3338EAD6487017747BDA62D9D839AA94F98E8025A7A6DA1A41D62C32E0C217F3E137F015DA8373F4B0C5BBC3F2520752346895B17FA5B472F7B553A6D896AB409DA98F91CF182952A021357B3AA52CFE3307FC66BD9A05D874B5466F3BB0A</item> + </string-array> +</resources> 
diff --git a/crosshatch/BoardConfig.mk b/crosshatch/BoardConfig.mk
index b1d8aa1..546f1cd 100644
--- a/crosshatch/BoardConfig.mk
+++ b/crosshatch/BoardConfig.mk
@@ -14,6 +14,9 @@
 # limitations under the License.
 #
+# Allow Lineage config to override others
+-include device/google/crosshatch/crosshatch/BoardConfigLineage.mk
+
 TARGET_BOOTLOADER_BOARD_NAME := crosshatch
 TARGET_RECOVERY_UI_MARGIN_HEIGHT := 165
diff --git a/crosshatch/BoardConfigLineage.mk b/crosshatch/BoardConfigLineage.mk
new file mode 100644
index 0000000..9465779
--- /dev/null
+++ b/crosshatch/BoardConfigLineage.mk
@@ -0,0 +1,2 @@
+# Boardconfig for lineage_crosshatch
+-include device/google/crosshatch/BoardConfigLineage.mk
diff --git a/crosshatch/device-lineage.mk b/crosshatch/device-lineage.mk
new file mode 100644
index 0000000..af821eb
--- /dev/null
+++ b/crosshatch/device-lineage.mk
@@ -0,0 +1,4 @@
+# Overlays
+DEVICE_PACKAGE_OVERLAYS += device/google/crosshatch/crosshatch/overlay-lineage
+
+$(call inherit-product, device/google/crosshatch/device-lineage.mk)
diff --git a/crosshatch/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml b/crosshatch/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml
new file mode 100644
index 0000000..6c74575
--- /dev/null
+++ b/crosshatch/overlay-lineage/lineage-sdk/lineage/res/res/values/config.xml
@@ -0,0 +1,31 @@ +<?xml version="1.0" encoding="utf-8"?> +<!-- +/* +** Copyright 2018, The LineageOS Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ +--> + +<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2"> + + <!-- The list of vendor package signatures that should also be considered + platform signatures, specifically for use on devices with a vendor partition. --> + <string-array name="config_vendorPlatformSignatures" translatable="false"> + <item>308203BB308202A3A003020102020900F00F8E7F45E72D86300D06092A864886F70D01010B05003074310B30090603550406130255533113301106035504080C0A43616C69666F726E69613116301406035504070C0D4D6F756E7461696E205669657731143012060355040A0C0B476F6F676C6520496E632E3110300E060355040B0C07416E64726F69643110300E06035504030C07416E64726F6964301E170D3136303531303138313332385A170D3433303932363138313332385A3074310B30090603550406130255533113301106035504080C0A43616C69666F726E69613116301406035504070C0D4D6F756E7461696E205669657731143012060355040A0C0B476F6F676C6520496E632E3110300E060355040B0C07416E64726F69643110300E06035504030C07416E64726F696430820122300D06092A864886F70D01010105000382010F003082010A02820101009DA10ED05B5EBFE8E5794CFA3A633E605748FDB8F3545C288D9EFFBA4F2CA1BFC16DA0D4C5724575A21D4DF9D44C1B068785C084BFD4C7071EEF258F2169494239B55FCF187E529760D77DD495F65872D6BF7E61C764A368D0AA6272A51C10E91F89991EA147377B3B37B2ED714E622D17288C8A7003DC6A11022F1B0C6EB005A18CFAB5EF3F9B6912EE1B1CBECCD96A1F76DEBB6E6A9BFCCB76E9C2D279EF119D
9E9BF6A089C21507FD00A0237A0C11C32946FE123C0A2CE0C52CB4D3B5D815281F244E4F998CDC4D765459BF1FFA960FC48324869DB0555A6844A94204891A01CCA268448374C7CD17661C74C692FB32AF0DF4C20AFF02F9966B5C94BB80710203010001A350304E301D0603551D0E041604149078B7EBD42D359E4E98E6FEF868CABFFA634F9F301F0603551D230418301680149078B7EBD42D359E4E98E6FEF868CABFFA634F9F300C0603551D13040530030101FF300D06092A864886F70D01010B050003820101008646166908812FD5373CE79FBAAC62F691ECDDCB82619D35BD990D068689E15E0C556D246ED8AE96816743D80CEE443F94F55CB6E169CC8F10B3770C434F351E50170F445369A26A4C37B2CA893C14A3AF7C7513A5420784CE4B6D9B92ED61252F5335A11C75EC978B979B1CD776DC3081094C3E7BE161C21E868303E0B40CB6441A95BB85F6CF83BD707735DAB8908C954CF5BB8553D0384480E1D789130D19151CA2AB01F928657E0DF2AD1FB31DCE18436BF873E4E924A59B7A89AE18C8B93CE0FF2C0ECAB4E7A67CEA1F7022CEA3C27699FA67D3B4965ABF9CE89016F33A08BFBE25AD2A9A6626C1A98802F0592DE720BDEFDDE83963D767C7AD96915224</item> + </string-array> + + <!-- Define that we use a higher screen ratio (18:9) than standard (16:9) --> + <bool name="config_haveHigherAspectRatioScreen">true</bool> + +</resources> diff --git a/device-lineage.mk b/device-lineage.mk new file mode 100644 index 0000000..4d81305 --- /dev/null +++ b/device-lineage.mk @@ -0,0 +1,9 @@ +# EUICC +PRODUCT_COPY_FILES += \ + frameworks/native/data/etc/android.hardware.telephony.euicc.xml:system/etc/permissions/android.hardware.telephony.euicc.xml + +# RCS +PRODUCT_PACKAGES += \ + com.android.ims.rcsmanager \ + PresencePolling \ + RcsService diff --git a/device-proprietary-files.txt b/device-proprietary-files.txt new file mode 100644 index 0000000..abbed41 --- /dev/null +++ b/device-proprietary-files.txt 
@@ -0,0 +1,98 @@
+# Audio
+etc/ambient/matcher_tah.leveldb
+etc/firmware/dnd.descriptor
+etc/firmware/dnd.sound_model
+etc/firmware/music_detector.descriptor
+etc/firmware/music_detector.sound_model
+-priv-app/AmbientSensePrebuilt/AmbientSensePrebuilt.apk;PRESIGNED
+
+# Bluetooth
+lib64/libaptX_encoder.so
+lib64/libaptXHD_encoder.so
+
+# Easel
+-app/EaselServicePrebuilt/EaselServicePrebuilt.apk;PRESIGNED
+
+# Hotword
+-priv-app/HotwordEnrollmentOKGoogleWCD9340/HotwordEnrollmentOKGoogleWCD9340.apk;PRESIGNED
+-priv-app/HotwordEnrollmentTGoogleWCD9340/HotwordEnrollmentTGoogleWCD9340.apk;PRESIGNED
+-priv-app/HotwordEnrollmentXGoogleWCD9340/HotwordEnrollmentXGoogleWCD9340.apk;PRESIGNED
+
+# Listen
+lib64/liblistenjni.so
+lib64/liblistensoundmodel2.so
+lib/liblistenjni.so
+lib/liblistensoundmodel2.so
+
+# Permissions
+etc/permissions/privapp-permissions-bluecross.xml
+
+# Radio
+-app/datastatusnotification/datastatusnotification.apk
+-app/embms/embms.apk
+-app/ims/ims.apk
+-app/QAS_DVC_MSP/QAS_DVC_MSP.apk
+-app/QAS_DVC_MSP_VZW/QAS_DVC_MSP_VZW.apk
+-app/QtiTelephonyService/QtiTelephonyService.apk
+-app/remotesimlockservice/remotesimlockservice.apk
+-app/uimlpaservice/uimlpaservice.apk
+-app/uceShimService/uceShimService.apk
+etc/permissions/com.android.omadm.service.xml
+etc/permissions/com.google.modemservice.xml
+etc/permissions/com.google.omadm.trigger.xml
+etc/permissions/embms.xml
+etc/permissions/lpa.xml
+etc/permissions/qcrilhook.xml
+etc/permissions/RemoteSimlock.xml
+etc/permissions/telephonyservice.xml
+etc/sysconfig/qti_whitelist.xml
+etc/sysconfig/whitelist_com.android.omadm.service.xml
+-framework/com.qualcomm.qti.uceservice-V2.0-java.jar
+-framework/embmslibrary.jar
+-framework/LowPowerMonitorDeviceInterface.jar
+-framework/LowPowerMonitorDeviceRpm.jar
+-framework/PowerAnomalyDataModemInterface.jar
+-framework/PowerAnomalyQcril.jar
+-framework/qcrilhook.jar
+-framework/QtiTelephonyServicelibrary.jar
+-framework/uimlpalibrary.jar
+-framework/uimremotesimlocklibrary.jar
+-framework/vendor.qti.ims.callinfo-V1.0-java.jar
+lib64/lib-imsvideocodec.so
+lib64/lib-imsvtextutils.so
+lib64/lib-imsvt.so
+lib64/lib-imsvtutils.so
+lib64/libimscamera_jni.so
+lib64/libimsmedia_jni.so
+lib64/librcc.so
+lib/lib-imsvideocodec.so
+lib/lib-imsvtextutils.so
+lib/lib-imsvt.so
+lib/lib-imsvtutils.so
+lib/libdmengine.so
+lib/libdmjavaplugin.so
+lib/librcc.so
+-priv-app/CarrierSetup/CarrierSetup.apk
+-priv-app/CNEService/CNEService.apk
+-priv-app/DMService/DMService.apk
+-priv-app/EuiccGoogle/EuiccGoogle.apk;PRESIGNED
+priv-app/EuiccGoogle/esim-full-v0.img
+priv-app/EuiccGoogle/esim-v1.img
+-priv-app/grilservice/grilservice.apk
+-priv-app/ModemService/ModemService.apk
+-priv-app/OemDmTrigger/OemDmTrigger.apk
+-priv-app/qcrilmsgtunnel/qcrilmsgtunnel.apk
+
+# Sprint
+etc/permissions/com.android.sdm.plugins.sprintdm.xml
+-priv-app/SprintDM/SprintDM.apk
+-priv-app/SprintHM/SprintHM.apk
+
+# VZW
+-app/vzw_msdc_api/vzw_msdc_api.apk
+etc/permissions/com.verizon.embms.xml
+etc/permissions/com.verizon.provider.xml
+etc/permissions/features-verizon.xml
+-framework/VerizonUnifiedSettings.jar;PRESIGNED
+-priv-app/VerizonAuthDialog/VerizonAuthDialog.apk;PRESIGNED
+-priv-app/WfcActivation/WfcActivation.apk;PRESIGNED
@@ -63,19 +63,12 @@ ifeq ($(wildcard vendor/google_devices/crosshatch/proprietary/device-vendor-cros
 BUILD_WITHOUT_VENDOR := true
 endif
-ifeq ($(TARGET_PREBUILT_KERNEL),)
- LOCAL_KERNEL := device/google/crosshatch-kernel/Image.lz4-dtb
-else
- LOCAL_KERNEL := $(TARGET_PREBUILT_KERNEL)
-endif
-
 PRODUCT_CHARACTERISTICS := nosdcard
 PRODUCT_SHIPPING_API_LEVEL := 28
 DEVICE_PACKAGE_OVERLAYS += $(LOCAL_PATH)/overlay
 PRODUCT_COPY_FILES += \
- $(LOCAL_KERNEL):kernel \
 $(LOCAL_PATH)/init.recovery.hardware.rc:root/init.recovery.$(PRODUCT_PLATFORM).rc \
 $(LOCAL_PATH)/init.hardware.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.$(PRODUCT_PLATFORM).rc \
 $(LOCAL_PATH)/init.hardware.usb.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.$(PRODUCT_PLATFORM).usb.rc \
@@ -104,7 +97,7 @@ PRODUCT_COPY_FILES += \
 PRODUCT_COPY_FILES += \
 $(LOCAL_PATH)/init.edge_sense.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.edge_sense.sh
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_COPY_FILES += \
 $(LOCAL_PATH)/init.hardware.diag.rc.userdebug:$(TARGET_COPY_OUT_VENDOR)/etc/init/hw/init.$(PRODUCT_PLATFORM).diag.rc
 PRODUCT_COPY_FILES += \
@@ -528,7 +521,7 @@ PRODUCT_PACKAGES += \
 android.hardware.soundtrigger@2.1-impl \
 android.hardware.audio@2.0-service
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_PACKAGES += \
 tinyplay \
 tinycap \
@@ -586,7 +579,7 @@ PRODUCT_COPY_FILES += \
 $(LOCAL_PATH)/seccomp_policy/codec2.vendor.ext.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/codec2.vendor.ext.policy \
 $(LOCAL_PATH)/seccomp_policy/mediacodec.policy:$(TARGET_COPY_OUT_VENDOR)/etc/seccomp_policy/mediacodec.policy
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 # Subsystem ramdump
 PRODUCT_PROPERTY_OVERRIDES += \
 persist.vendor.sys.ssr.enable_ramdumps=1
@@ -609,7 +602,7 @@ PRODUCT_PACKAGES += \
 # b/36703476
 # Set default log size on userdebug/eng build to 1M
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_PROPERTY_OVERRIDES += ro.logd.size=1M
 endif
@@ -691,8 +684,6 @@ PRODUCT_COPY_FILES += \
 device/google/crosshatch/vibrator/cs40l20/cs40l20.wmfw:$(TARGET_COPY_OUT_VENDOR)/firmware/cs40l20.wmfw \
 device/google/crosshatch/vibrator/cs40l20/cs40l20.bin:$(TARGET_COPY_OUT_VENDOR)/firmware/cs40l20.bin
-PRODUCT_VENDOR_KERNEL_HEADERS := device/google/crosshatch/sdm845/kernel-headers
-
 # Audio ACDB data
 PRODUCT_COPY_FILES += \
 device/google/crosshatch/acdbdata/OEM/sdm845-tavil-snd-card/Bluetooth_cal.acdb:$(TARGET_COPY_OUT_VENDOR)/etc/acdbdata/OEM/sdm845-tavil-snd-card/Bluetooth_cal.acdb \
@@ -722,7 +713,7 @@ PRODUCT_COPY_FILES += \
 device/google/crosshatch/acdbdata/adsp_avs_config.acdb:$(TARGET_COPY_OUT_VENDOR)/etc/acdbdata/adsp_avs_config.acdb
 # Audio ACDB workspace files for QACT
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_COPY_FILES += \
 device/google/crosshatch/acdbdata/OEM/sdm845-tavil-snd-card/workspaceFile.qwsp:$(TARGET_COPY_OUT_VENDOR)/etc/acdbdata/OEM/sdm845-tavil-snd-card/workspaceFile.qwsp \
 device/google/crosshatch/acdbdata/OEM/sdm845-tavil-b1-snd-card/workspaceFile.qwsp:$(TARGET_COPY_OUT_VENDOR)/etc/acdbdata/OEM/sdm845-tavil-b1-snd-card/workspaceFile.qwsp \
@@ -746,7 +737,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
 ro.radio.log_prefix="modem_log_"
 # Enable modem logging for debug
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_PROPERTY_OVERRIDES += \
 persist.vendor.sys.modem.diag.mdlog=true \
 persist.vendor.sys.modem.diag.mdlog_br_num=5
@@ -765,7 +756,7 @@ PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
 TARGET_ENABLE_MEDIADRM_64 := true
 # default usb oem functions
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
+ifneq (,$(filter eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_PROPERTY_OVERRIDES += \
 persist.vendor.usb.usbradio.config=diag
 endif
diff --git a/extract-files.sh b/extract-files.sh
new file mode 100755
index 0000000..0d15945
--- /dev/null
+++ b/extract-files.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+#
+# Copyright (C) 2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+VENDOR=google
+DEVICE=crosshatch
+
+# Load extractutils and do some sanity checks
+MY_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$MY_DIR" ]]; then MY_DIR="$PWD"; fi
+
+CM_ROOT="$MY_DIR"/../../..
+
+HELPER="$CM_ROOT"/vendor/lineage/build/tools/extract_utils.sh
+if [ ! -f "$HELPER" ]; then
+ echo "Unable to find helper script at $HELPER"
+ exit 1
+fi
+. "$HELPER"
+
+if [ $# -eq 0 ]; then
+ SRC=adb
+else
+ if [ $# -eq 1 ]; then
+ SRC=$1
+ else
+ echo "$0: bad number of arguments"
+ echo ""
+ echo "usage: $0 [PATH_TO_EXPANDED_ROM]"
+ echo ""
+ echo "If PATH_TO_EXPANDED_ROM is not specified, blobs will be extracted from"
+ echo "the device using adb pull."
+ exit 1
+ fi
+fi
+
+# Initialize the helper
+setup_vendor "$DEVICE" "$VENDOR" "$CM_ROOT"
+
+extract "$MY_DIR"/device-proprietary-files.txt "$SRC"
+
+"$MY_DIR"/setup-makefiles.sh
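Review bot: The argument handling in the new extract-files.sh nests a second `if` inside the `else` branch where a flat chain reads better and avoids the double `fi`: `if [ $# -eq 0 ]; then SRC=adb`, `elif [ $# -eq 1 ]; then SRC=$1`, `else … exit 1; fi`. `SRC=$1` is then passed straight to `extract` with no check of its own, so a mistyped path only fails somewhere inside the sourced helper; if the helper expects a directory for the non-adb case (confirm), a guard such as `[ "$SRC" = adb ] || [ -d "$SRC" ] || { echo "$0: $SRC is not a directory" >&2; exit 1; }` gives an immediate, attributable message. `CM_ROOT` names the tree whose helper lives under vendor/lineage; `LINEAGE_ROOT` would match the rest of the script's naming.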
diff --git a/json-c/Android.mk b/json-c/Android.mk
deleted file mode 100644
index 139a10c..0000000
--- a/json-c/Android.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-LIBJSON_ROOT := $(call my-dir)
-include $(CLEAR_VARS)
-LOCAL_MODULE := libjson
-LOCAL_PATH := $(LIBJSON_ROOT)
-LOCAL_C_INCLUDES += $(TARGET_OUT_INTERMEDIATES)/KERNEL_OBJ/usr/include
-LOCAL_ADDITIONAL_DEPENDENCIES += $(TARGET_OUT_INTERMEDIATES)/KERNEL_OBJ/usr
-LOCAL_COPY_HEADERS_TO := libjson/inc
-LOCAL_COPY_HEADERS := bits.h \
- config.h \
- debug.h \
- linkhash.h \
- arraylist.h \
- json.h \
- json_config.h \
- json_inttypes.h \
- json_util.h \
- json_object.h \
- json_tokener.h \
- json_object_iterator.h \
- json_c_version.h
-LOCAL_SRC_FILES := arraylist.c \
- debug.c \
- json_c_version.c \
- json_object.c \
- json_object_iterator.c \
- json_tokener.c \
- json_util.c \
- libjson.c \
- linkhash.c \
- printbuf.c \
- random_seed.c
-LOCAL_SHARED_LIBRARIES := libcutils libutils
-LOCAL_MODULE_TAG := optional
-LOCAL_VENDOR_MODULE := true
-include $(BUILD_SHARED_LIBRARY)
diff --git a/lineage.dependencies b/lineage.dependencies
new file mode 100644
index 0000000..c0de09e
--- /dev/null
+++ b/lineage.dependencies
@@ -0,0 +1,6 @@
+[
+ {
+ "repository": "android_kernel_google_crosshatch",
+ "target_path": "kernel/google/crosshatch"
+ }
+]
diff --git a/lineage_blueline.mk b/lineage_blueline.mk
new file mode 100644
index 0000000..0352b1c
--- /dev/null
+++ b/lineage_blueline.mk
@@ -0,0 +1,26 @@
+# Boot animation
+TARGET_SCREEN_HEIGHT := 2160
+TARGET_SCREEN_WIDTH := 1080
+
+# Inherit some common Lineage stuff.
+$(call inherit-product, vendor/lineage/config/common_full_phone.mk)
+
+# Inherit device configuration
+$(call inherit-product, device/google/crosshatch/aosp_blueline.mk)
+
+-include device/google/crosshatch/blueline/device-lineage.mk
+
+## Device identifier. This must come after all inclusions
+PRODUCT_NAME := lineage_blueline
+PRODUCT_BRAND := google
+PRODUCT_MODEL := Pixel 3
+TARGET_MANUFACTURER := Google
+PRODUCT_RESTRICT_VENDOR_FILES := false
+
+PRODUCT_BUILD_PROP_OVERRIDES += \
+ PRODUCT_NAME=blueline \
+ PRIVATE_BUILD_DESC="blueline-user 9 PQ1A.190105.004 5148680 release-keys"
+
+BUILD_FINGERPRINT := google/blueline/blueline:9/PQ1A.190105.004/5148680:user/release-keys
+
+$(call inherit-product-if-exists, vendor/google/crosshatch/crosshatch-vendor.mk)
diff --git a/lineage_crosshatch.mk b/lineage_crosshatch.mk
new file mode 100644
index 0000000..ce8d435
--- /dev/null
+++ b/lineage_crosshatch.mk
@@ -0,0 +1,26 @@
+# Boot animation
+TARGET_SCREEN_HEIGHT := 2960
+TARGET_SCREEN_WIDTH := 1440
+
+# Inherit some common Lineage stuff.
+$(call inherit-product, vendor/lineage/config/common_full_phone.mk)
+
+# Inherit device configuration
+$(call inherit-product, device/google/crosshatch/aosp_crosshatch.mk)
+
+-include device/google/crosshatch/crosshatch/device-lineage.mk
+
+## Device identifier. This must come after all inclusions
+PRODUCT_NAME := lineage_crosshatch
+PRODUCT_BRAND := google
+PRODUCT_MODEL := Pixel 3 XL
+TARGET_MANUFACTURER := Google
+PRODUCT_RESTRICT_VENDOR_FILES := false
+
+PRODUCT_BUILD_PROP_OVERRIDES += \
+ PRODUCT_NAME=crosshatch \
+ PRIVATE_BUILD_DESC="crosshatch-user 9 PQ1A.190105.004 5148680 release-keys"
+
+BUILD_FINGERPRINT := google/crosshatch/crosshatch:9/PQ1A.190105.004/5148680:user/release-keys
+
+$(call inherit-product-if-exists, vendor/google/crosshatch/crosshatch-vendor.mk)
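Review bot: `## Device identifier. This must come after all inclusions` is contradicted a few lines later by `$(call inherit-product-if-exists, vendor/google/crosshatch/crosshatch-vendor.mk)`, which is itself an inclusion; either move that call above the identifier block or change the comment to say which inclusions it actually means. `PRIVATE_BUILD_DESC` and `BUILD_FINGERPRINT` pin the advertised build to `PQ1A.190105.004`/`5148680` with no note of what they must track — presumably the stock build the blobs listed in device-proprietary-files.txt were extracted from (confirm) — so a comment such as `# Keep in sync with the stock build the proprietary blobs come from` would stop the values going stale silently when blobs are refreshed. lineage_crosshatch.mk in the same hunk line differs only in screen size, product name and model, so a shared lineage-common include would remove the duplicated twenty-odd lines.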
diff --git a/qti_whitelist.xml b/qti_whitelist.xml
index 1370310..b444839 100644
--- a/qti_whitelist.xml
+++ b/qti_whitelist.xml
@@ -34,7 +34,7 @@
 <!-- These are telephony components that need to freely run in the background -->
 <allow-in-power-save package="com.qualcomm.atfwd" />
 <allow-in-power-save package="com.qualcomm.qti.telephonyservice" />
- <allow-in-power-save package="com.qulacomm.qcrilmsgtunnel" />
+ <allow-in-power-save package="com.qualcomm.qcrilmsgtunnel" />
 <allow-in-power-save package="com.qualcomm.qti.ims" />
 <allow-in-power-save package="com.qualcomm.qti.radioconfiginterface" />
 </config>
diff --git a/sdm845/thermal-engine/Android.mk b/sdm845/thermal-engine/Android.mk
index 7b0ac46..f0607fb 100644
--- a/sdm845/thermal-engine/Android.mk
+++ b/sdm845/thermal-engine/Android.mk
@@ -12,9 +12,3 @@ LOCAL_COPY_HEADERS_TO := thermal-engine
 LOCAL_COPY_HEADERS := ./thermal_client.h
 include $(BUILD_COPY_HEADERS)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := libThermal_headers
-LOCAL_EXPORT_C_INCLUDE_DIRS := $(LOCAL_PATH)
-LOCAL_VENDOR_MODULE := true
-include $(BUILD_HEADER_LIBRARY)
diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..9d3f1b1
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,9 @@
+alanstokes@google.com
+bowgotsai@google.com
+dcashman@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+sspatil@google.com
+tomcherry@google.com
+trong@google.com
diff --git a/sepolicy/crosshatch-sepolicy.mk b/sepolicy/crosshatch-sepolicy.mk
new file mode 100644
index 0000000..ed24814
--- /dev/null
+++ b/sepolicy/crosshatch-sepolicy.mk
@@ -0,0 +1,8 @@
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR := device/google/crosshatch/sepolicy/public
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/google/crosshatch/sepolicy/private
+
+# vendors
+BOARD_SEPOLICY_DIRS += device/google/crosshatch/sepolicy/vendor/qcom/common
+BOARD_SEPOLICY_DIRS += device/google/crosshatch/sepolicy/vendor/qcom/sdm845
+BOARD_SEPOLICY_DIRS += device/google/crosshatch/sepolicy/vendor/google
+BOARD_SEPOLICY_DIRS += device/google/crosshatch/sepolicy/vendor/verizon
diff --git a/sepolicy/private/certs/wfcactivation.x509.pem b/sepolicy/private/certs/wfcactivation.x509.pem
new file mode 100644
index 0000000..bead020
--- /dev/null
+++ b/sepolicy/private/certs/wfcactivation.x509.pem
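Review bot: `BOARD_PLAT_PUBLIC_SEPOLICY_DIR :=` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR :=` discard any value a BoardConfig processed earlier may have put there, while the vendor directories just below are appended with `+=`; since this file is pulled in via `include` from BoardConfig-common.mk, whether anything precedes it depends on inclusion order that is not visible here. If the build system at this Android level accepts several platform sepolicy directories (confirm), `+=` keeps the other policy instead of silently dropping it — a dropped private-policy directory produces no build error, only missing rules at runtime. If single-valued assignment is deliberate, a comment such as `# := on purpose: this device owns the platform public/private policy dirs` would record that.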
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDyTCCArGgAwIBAgIJAODrqTpclyUkMA0GCSqGSIb3DQEBCwUAMHsxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW +aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDEXMBUG +A1UEAwwOd2ZjX2FjdGl2YXRpb24wHhcNMTgwMjIxMDA1NTM4WhcNNDUwNzA5MDA1 +NTM4WjB7MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UE +BwwNTW91bnRhaW4gVmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsM +B0FuZHJvaWQxFzAVBgNVBAMMDndmY19hY3RpdmF0aW9uMIIBIjANBgkqhkiG9w0B +AQEFAAOCAQ8AMIIBCgKCAQEAruKdMaQjRrlTwLHWAhUwLXoq+1glzoQ5ibqHDg4i +GPPlwT7qPG8xWW6UmTiLNES6YSDpvCvptqrZccecviYfYIg7/JCF/xr2cFt9Gyyo +L0muemdUMFjGQJxKCQMi8jlqPVgfcy7ZEfVvoDWUupD7hVVA6TFkWH1nv/5GzJVK +h7D4vBaYE6qwM1+NJjrbk1O8SMMCES7MkJhpnfbRYr8d5uxSzDWqqeqvM6CFSvKw +cxqbCcNl0MDgSCgtnxzZZjg5AFuPECV8lgJpxFEqgEIK1fsebK5G8o4buokMW+W4 +ZT2LZtMq/qsZXl59h22KQX2w5mcI6KyV8WZOcPPOm8uf8wIDAQABo1AwTjAdBgNV +HQ4EFgQU9jpHDUfkIqBODCp9/c5TsraA9sowHwYDVR0jBBgwFoAU9jpHDUfkIqBO +DCp9/c5TsraA9sowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZMf+ +KD3oFS0cv/C0qQx28wW5BKFb/PM6RxDwTRF7yyJj4+uZU0+O8NJEqBNDgHusFJR6 +2ZXXiWDqzNb0scZxD95FP1YxiLPAcbn2oCTkGPYcCsBmT1i25RsIKTb7fR3UJ/bY +V55CQy1FjX5H1katVpezi1bs17stqrjL0aCk8s7wZPQ9KTy7SfMF9rUfg8ltrj8s +MD5cq21GJuJMpI2kNUV7IT+4B3CeHzpm0iy8NmbavgNezZAx1za4QIySNcKfdsSs +7PsNYPS0R9BeZK/4u4/yrQvRV0lXzQcIJPpwr0cfuhcgcHG8sbCLaw4Ph6go9kRL +hvY7ZX9pdBLS8ukQ4w== +-----END CERTIFICATE----- diff --git a/sepolicy/private/dataservice_app.te b/sepolicy/private/dataservice_app.te new file mode 100644 index 0000000..74dcb07 --- /dev/null +++ b/sepolicy/private/dataservice_app.te 
@@ -0,0 +1,16 @@
+typeattribute dataservice_app coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, uce_service)
+allow dataservice_app {
+ app_api_service
+ audioserver_service
+ radio_service
+}:service_manager find;
+
+allow dataservice_app radio_data_file:dir create_dir_perms;
+allow dataservice_app radio_data_file:{ file lnk_file } create_file_perms;
+
+hwbinder_use(dataservice_app)
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
new file mode 100644
index 0000000..c078e97
--- /dev/null
+++ b/sepolicy/private/file_contexts
@@ -0,0 +1 @@
+/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
diff --git a/sepolicy/private/keys.conf b/sepolicy/private/keys.conf
new file mode 100644
index 0000000..1f60f88
--- /dev/null
+++ b/sepolicy/private/keys.conf
@@ -0,0 +1,2 @@
+[@WFCACTIVATION]
+ALL : device/google/crosshatch/sepolicy/private/certs/wfcactivation.x509.pem
diff --git a/sepolicy/private/mac_permissions.xml b/sepolicy/private/mac_permissions.xml
new file mode 100644
index 0000000..636d579
--- /dev/null
+++ b/sepolicy/private/mac_permissions.xml
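Review bot: dataservice_app is granted create_dir_perms/create_file_perms on radio_data_file with no comment saying which package runs in this domain or why it needs to write radio data, and nothing in this commit's private/seapp_contexts maps a package to dataservice_app (only wfcactivation is mapped there), so the mapping presumably lives in a vendor policy directory — confirm. A header comment tying the domain to what it registers, e.g. `# Domain for the app(s) that publish the cneservice/uce binder services (see service_contexts); writes its state under radio_data_file`, would let the next reviewer judge the grants. `audioserver_service` in the `service_manager find` set is not obviously related to a connectivity/data service; worth a one-line justification or removal if it is not exercised.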
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <signer signature="@WFCACTIVATION" >
+ <seinfo value="wfcactivation" />
+ </signer>
+</policy>
diff --git a/sepolicy/private/preloads_copy.te b/sepolicy/private/preloads_copy.te
new file mode 100644
index 0000000..4ee52b9
--- /dev/null
+++ b/sepolicy/private/preloads_copy.te
@@ -0,0 +1,14 @@
+type preloads_copy, domain, coredomain;
+type preloads_copy_exec, exec_type, file_type;
+
+init_daemon_domain(preloads_copy)
+
+allow preloads_copy shell_exec:file rx_file_perms;
+allow preloads_copy toolbox_exec:file rx_file_perms;
+allow preloads_copy preloads_data_file:dir create_dir_perms;
+allow preloads_copy preloads_data_file:file create_file_perms;
+allow preloads_copy preloads_media_file:dir create_dir_perms;
+allow preloads_copy preloads_media_file:file create_file_perms;
+
+# Allow to copy from /postinstall
+allow preloads_copy system_file:dir r_dir_perms;
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
new file mode 100644
index 0000000..408a352
--- /dev/null
+++ b/sepolicy/private/priv_app.te
@@ -0,0 +1,3 @@
+dontaudit priv_app sysfs:file read;
+dontaudit priv_app zygote:dir search;
+dontaudit priv_app mnt_vendor_file:dir search;
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
new file mode 100644
index 0000000..d187ca8
--- /dev/null
+++ b/sepolicy/private/radio.te
@@ -0,0 +1,2 @@
+allow radio uce_service:service_manager find;
+add_service(radio, qchook_service)
diff --git a/sepolicy/private/recovery.te b/sepolicy/private/recovery.te
new file mode 100644
index 0000000..c68244f
--- /dev/null
+++ b/sepolicy/private/recovery.te
@@ -0,0 +1,3 @@
+recovery_only(`
+ allow recovery citadel_device:chr_file rw_file_perms;
+')
diff --git a/sepolicy/private/seapp_contexts b/sepolicy/private/seapp_contexts
new file mode 100644
index 0000000..57a99de
--- /dev/null
+++ b/sepolicy/private/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for WfcActivation app
+user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all
diff --git a/sepolicy/private/service.te b/sepolicy/private/service.te
new file mode 100644
index 0000000..e5abcaa
--- /dev/null
+++ b/sepolicy/private/service.te
@@ -0,0 +1,3 @@
+type cne_service, service_manager_type;
+type uce_service, service_manager_type;
+type qchook_service, service_manager_type;
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 0000000..bf26183
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1,5 @@
+qti.ims.ext u:object_r:radio_service:s0
+cneservice u:object_r:cne_service:s0
+uce u:object_r:uce_service:s0
+rcs u:object_r:radio_service:s0
+qchook u:object_r:qchook_service:s0
diff --git a/sepolicy/private/wfc_activation_app.te b/sepolicy/private/wfc_activation_app.te
new file mode 100644
index 0000000..cd32efc
--- /dev/null
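Review bot: In service_contexts, `qti.ims.ext` and `rcs` are labelled radio_service while cneservice, uce and qchook each get a dedicated type in the service.te hunk; reusing the radio_service label means every domain allowed `radio_service:service_manager find` (dataservice_app earlier in this commit, wfc_activation_app in the next hunk, and any AOSP domain that already holds that rule) can also look up these two services. If sharing the label is intended, a comment on the two lines should say so; otherwise declare dedicated types such as `type ims_ext_service, service_manager_type;` and `type rcs_service, service_manager_type;` in service.te and label the entries with them so find access can be granted per service.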
+++ b/sepolicy/private/wfc_activation_app.te
@@ -0,0 +1,9 @@
+type wfc_activation_app, domain, coredomain;
+
+app_domain(wfc_activation_app)
+net_domain(wfc_activation_app)
+
+# Services
+allow wfc_activation_app app_api_service:service_manager find;
+allow wfc_activation_app qchook_service:service_manager find;
+allow wfc_activation_app radio_service:service_manager find;
diff --git a/sepolicy/public/charger.te b/sepolicy/public/charger.te
new file mode 100644
index 0000000..51f3c3d
--- /dev/null
+++ b/sepolicy/public/charger.te
@@ -0,0 +1 @@
+allow charger self:capability2 wake_alarm;
diff --git a/sepolicy/public/dataservice_app.te b/sepolicy/public/dataservice_app.te
new file mode 100644
index 0000000..8c8d82f
--- /dev/null
+++ b/sepolicy/public/dataservice_app.te
@@ -0,0 +1 @@
+type dataservice_app, domain;
\ No newline at end of file
diff --git a/sepolicy/public/hwservice.te b/sepolicy/public/hwservice.te
new file mode 100644
index 0000000..f0c1e33
--- /dev/null
+++ b/sepolicy/public/hwservice.te
@@ -0,0 +1 @@
+type hal_pixelstats_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/google/bug_map b/sepolicy/vendor/google/bug_map
new file mode 100644
index 0000000..6e372ad
--- /dev/null
+++ b/sepolicy/vendor/google/bug_map
@@ -0,0 +1,27 @@
+bootanim vendor_default_prop file 78460200
+cdsprpcd system_file dir 109882276
+dataservice_app vendor_default_prop file 78460200
+drmserver sdcardfs dir 77869200
+hal_graphics_composer_default mnt_vendor_file dir 80078218
+hal_keymaster_citadel exported3_system_prop file 110231496
+hal_rcsservice sysfs_soc dir 78460200
+hal_sensors_default mnt_vendor_file dir 110926064
+hardware_info_app sysfs_msm_subsys dir 78460200
+ims default_prop file 78119118
+init proc file 110466938
+netmgrd proc_net file 110926064
+per_proxy exported3_system_prop file 80153956
+platform_app vendor_default_prop file 78460200
+priv_app vendor_default_prop file 78460200
+rild socket_device dir 78460200
+rmt_storage sysfs_msm_subsys dir 78460200
+sensors mnt_vendor_file dir 110926064
+sensors vendor_modem_diag_prop file 78460200
+shell sysfs_wlc dir 79757453
+ssr_setup vendor_ssr_prop file 78460200
+system_app vendor_default_prop file 78460200
+system_server vendor_default_prop file 78460200
+untrusted_app vendor_default_prop file 78460200
+wcnss_service exported3_system_prop file 80153956
+crash_dump hexagon_halide_file file 78460200
+hal_sensors_default persist_debug_prop file 80249631
diff --git a/sepolicy/vendor/google/certs/app.x509.pem b/sepolicy/vendor/google/certs/app.x509.pem
new file mode 100644
index 0000000..8e3e627
--- /dev/null
+++ b/sepolicy/vendor/google/certs/app.x509.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/sepolicy/vendor/google/certs/easel.x509.pem b/sepolicy/vendor/google/certs/easel.x509.pem new file mode 100644 index 0000000..695ecf3 --- /dev/null +++ b/sepolicy/vendor/google/certs/easel.x509.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID1zCCAr+gAwIBAgIJAKOIETaYwmxkMA0GCSqGSIb3DQEBCwUAMIGBMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4g +VmlldzEUMBIGA1UECgwLR29vZ2xlIEluYy4xEDAOBgNVBAsMB0FuZHJvaWQxHTAb +BgNVBAMMFGVhc2Vsc2VydmljZS1hbmRyb2lkMB4XDTE3MDYwMTE4MjUxM1oXDTQ0 +MTAxNzE4MjUxM1owgYExCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlh +MRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQ +MA4GA1UECwwHQW5kcm9pZDEdMBsGA1UEAwwUZWFzZWxzZXJ2aWNlLWFuZHJvaWQw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdqipNwS7MFSdJV0Y51Tc1 +UU55YkVlwKBjSmYfKpmURR/OqqkP4AswI7byxbapLSZiJAS6TdJmL0QC9ycMOfQL +7RFSKdiY72Ze0abYxpaimj0iVprHVTmaakVg/0o7Dx4hOEqWE6U1TUCK3tAWzyJq +gfH8sJQbFygGpSrEG+XvgN4VAzUEzC6WvV4gAg+5QWYB/Jqh3PJM0iI7WHsjp7oY +j1w2E/R9YHjEOlXa8vB8Mbh1zAghtzWoMry73Xyo8h3Ji3jSGqM+YP+JGCKMEHBm +TE7ywZdi1btKfGEB6WAoZ9IxnX6ezlFmCt3H+LtHS1iiaZf+hl8vnWkX5oddkpUj +AgMBAAGjUDBOMB0GA1UdDgQWBBQ6dUV+uzBrL91ibZm6y4hU49lXXDAfBgNVHSME +GDAWgBQ6dUV+uzBrL91ibZm6y4hU49lXXDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBjGGh2oj/c8L9oCsImdSdlDtxMsUT26LKr3UaqhY4xsYp32pcF +ICSjkufog6l7+oOfYISV2r7pN6e9nHoxky9lns9a7jP6Mrh+oL9kTTcWKMo1F88I +jppWvo0hc8WuGef1Sh3DpYi4jSmdUa8HESLeB9LskCxBAS5iwE4x6VAOxfVGOfWw +o3LQ1Y8QL256NPkgQfS+V4hFW+7l2corVYHCRbmXfsHyCk9yesbMsjE1TgdZH9Ys +SyamPaLSZ/Heelqrha0DqdWO1KDQcKC8oISichTJ++EphsdTUsEz6rzCYziPf7A6 +MNmY9YdjnvD5f2IBusSPGC0Bzqn9JdpBnAPL +-----END CERTIFICATE----- diff --git a/sepolicy/vendor/google/certs/tango.x509.pem b/sepolicy/vendor/google/certs/tango.x509.pem new file mode 100644 index 0000000..431c1a5 --- /dev/null +++ b/sepolicy/vendor/google/certs/tango.x509.pem 
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDWjCCAkKgAwIBAgIEUlNYsDANBgkqhkiG9w0BAQUFADBvMRAwDgYDVQQGEwdV +bmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3duMREwDwYD +VQQKEwhNb3Rvcm9sYTERMA8GA1UECxMIVHJhaWxtaXgxETAPBgNVBAMTCFRyYWls +bWl4MB4XDTEzMTAwODAwNTgyNFoXDTQxMDIyMzAwNTgyNFowbzEQMA4GA1UEBhMH +VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjERMA8G +A1UEChMITW90b3JvbGExETAPBgNVBAsTCFRyYWlsbWl4MREwDwYDVQQDEwhUcmFp +bG1peDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKQBftL+C3I6JiLF +utgzqfQ5YHNpL8Vjov8RbKTeYbyNSDMB+knby2wuiGgcSWMYokD7uhR2ysPtyv52 +CM9O8MWXelgJ3mdxLh4WzcWzELXW529J08FKpgcM5579/EpSdQQlh1WHlnTAoNdm +xsgWJQMM0CR+/0puIkc1W6GM3cOfS9KNeL/08wfjxRVeFMpyM6DhHMbDxVuNYq57 +mm3xTAMSmsxEveYsZDjNnZgYZDVJoCnWlpT+1KivzYFxp+1pstk7I76WlwqIqCoz +nT3NTVj9h9kvQcd4IgDe+UEygdPa1cAMO4wYdFlGDQKqZjIYvnAy1Qi1JqoeyEr+ +8ggpr2UCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAjpKzuYGq3tICtYZSXbuUmJbj +dIsFRivWxCP25TQ/Csv+tiOijHsU3HNbNXvn8EamkyRi/LoQy7ThoDYhFaQJFaYb +wU4mgdoGxj5rH6URlH/qPmWP6nuM2NQBt0VLwh/MWaXm8u0WY5Tzfd/mRwwc+UMM +9TJhuQxaf42gjnyQO+d/eBves7lL23vDPFCP8okQ3aAzsg5lDFQ6nT+91TXvMpCx +zIurNhce+i2M8tX0IkHmqkEKGBfTdoeUkOVH7Lnac30D5P6daGJrt6PBpWUa8OMC +5VdKhy+DE9cQFE8qG+lDZxg56PqZdWG1pyUotFViUAYkA16Ct5363yLWWYid6g== +-----END CERTIFICATE----- diff --git a/sepolicy/vendor/google/certs/tango_release.x509.pem b/sepolicy/vendor/google/certs/tango_release.x509.pem new file mode 100644 index 0000000..07ac5af --- /dev/null +++ b/sepolicy/vendor/google/certs/tango_release.x509.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIJAO+A5DYVLfprMA0GCSqGSIb3DQEBBQUAMHcxCzAJBgNV +BAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBW +aWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5kcm9pZDETMBEG +A1UEAwwKdGFuZ29fY29yZTAeFw0xNjA0MjYxOTQ2MzdaFw00MzA5MTIxOTQ2Mzda +MHcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1N +b3VudGFpbiBWaWV3MRQwEgYDVQQKDAtHb29nbGUgSW5jLjEQMA4GA1UECwwHQW5k +cm9pZDETMBEGA1UEAwwKdGFuZ29fY29yZTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAPJYCbynrmMeP8ZtqzBMoNhMOUGuq9p77j6gM3B90jQ6f2LRVL09 +l3UM+wu+SxTV2T6PXR9LXB0FiJ1waqMQ5yPBZzptQqckUw2ov5uhpx9yE8KqeTGQ +W03xoXoo5S38OztAME8rGMcUtuofEySAWm4Qxm6iq8aZ+NlJAViVztffC9Wx0Kqs +pJ7kgvFSv11ZFPP6EADdihSjH3ApQgU4dlIc4Nevh5fGE7gEY5fxU/NBEDMawhox +pI9UEWSG4QNB4sE9Wwh0AM9GJ5+5S6xG55bsY/SHEbzMv2NsYVjayQiNb2D4nK+r +NdgjTBq508d9m8ybpNjxZRFEs/SagYLV23cCAwEAAaNQME4wHQYDVR0OBBYEFE/G +b+OBEdIfHSDmF/1bl6Q98nXlMB8GA1UdIwQYMBaAFE/Gb+OBEdIfHSDmF/1bl6Q9 +8nXlMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBACpBNrrt/50EwS2A +/8jQG/2W20OawIkSjGAyICQ2TiOwu9nOw2LcZh6GNE1tCjCPCAzXGMC+5UTS09aA +ElfG/9WiUK2PjuqeOe8l57XHaHxvL+oVQUbmjiU8RIR9bgiN/BqVklN1LIrXAMNd +CtcVkXYcnhQE3vlhCxfjwqn+2GMghDTftiQZDL/mxflckAY7hJxVV7dexewNoXQ0 +bVNBuvAnFTl6fG5HAZGRG6y89GLcugzbxVKbRzcuxEVPFDiLQJJcW2e9C/u1cP0+ +91aoz+/Ick0DCSMrEVJPo2w3saPSDUONOS6Tu9JPm2rRwdlM2I/ipmlU3ziwwM6K +0+4WtYc= +-----END CERTIFICATE----- + diff --git a/sepolicy/vendor/google/certs/tango_userdev.x509.pem b/sepolicy/vendor/google/certs/tango_userdev.x509.pem new file mode 100644 index 0000000..e86c720 --- /dev/null +++ b/sepolicy/vendor/google/certs/tango_userdev.x509.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDjzCCAnegAwIBAgIEaRjVZzANBgkqhkiG9w0BAQsFADB3MQ4wDAYDVQQGEwU5 +NTExNzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxDzANBgNV +BAoTBkdvb2dsZTEWMBQGA1UECxMNUHJvamVjdCBUYW5nbzEXMBUGA1UEAxMOQ2hh +cmxlcyBMIENoZW4wIBcNMTQxMDE1MjIzNjE3WhgPMzAxMzAyMTUyMjM2MTdaMHcx +DjAMBgNVBAYTBTk1MTE3MQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEPMA0GA1UEChMGR29vZ2xlMRYwFAYDVQQLEw1Qcm9qZWN0IFRhbmdvMRcw +FQYDVQQDEw5DaGFybGVzIEwgQ2hlbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC +AQoCggEBAI1d+E9l4ndaDNqzMzJuXf2jslm3/y1oIumQo3dwCa6rF77kxxmI9lM7 +52+tR06dLwnT7uEcO2mQgZ7TWY2tgrXwVYSCzu+WSuc1KgtlLIvcoBodUKSR4vGI +gsvG9eJwVZAVOLOBpF96OJoTOIwLaN1DokkKoBXDkONlYP0hU4/Yo7qxTbM64a+Y +DeAdZ9hirq8p11VZC0o930Ejc47+RZoNt5YMVtpeVBzSrrMLuwZAvD1wrzK9gP9j +xwS/knQSsCb9UZ3OpFogCUeiyFO/lDE9BJHbmDiJch0X52rOm5SKvr4kwduGcENy +oWjmmQR1jjIzxQuO2G8CGJkEmA57vp8CAwEAAaMhMB8wHQYDVR0OBBYEFMvhYFl2 +LMBcFi1vcDPkyz4g0Q4cMA0GCSqGSIb3DQEBCwUAA4IBAQAW9YM5ATbSO5T1sULQ +MhJ2IvqQcPTpP4KUfnHSXLSucyotmsCSVNhuTX+KYHTOmS3srEjv63qojYz8QpeJ +GLlIMbrRPI4MSoZgzMWBX71Ld27rMXbVeKiFa44L3+5XBC15WxoqPJSOxAFsv1Lt +mI5CwqtywwhEUqMR9jBeHn8AhZyOB8gP592BCLs8YVKl0aYQruaNcUuc5PRPiKgH +iCPkaPoyUMCVsfZjOI6IAuu8PGeiXn4QJgcc8YQcEgpSqYea/TqgeLdV+mAER5BK +qg1kX528kWm+K+0PJScVaZk9jZHYo5qMFFWAc9DreNTLWETQEMPi3E6BVY0EI/56 +GsqT +-----END CERTIFICATE----- diff --git a/sepolicy/vendor/google/citadeld.te b/sepolicy/vendor/google/citadeld.te new file mode 100644 index 0000000..b177f7d --- /dev/null +++ b/sepolicy/vendor/google/citadeld.te @@ -0,0 +1,11 @@ +type citadeld, domain; +type citadeld_exec, exec_type, vendor_file_type, file_type; + +vndbinder_use(citadeld) +add_service(citadeld, citadeld_service) + +allow citadeld citadel_device:chr_file rw_file_perms; + +init_daemon_domain(citadeld) + +allow citadeld debugfs_ipc:dir search; diff --git a/sepolicy/vendor/google/device.te b/sepolicy/vendor/google/device.te new file mode 100644 index 0000000..d4bb97a --- /dev/null +++ b/sepolicy/vendor/google/device.te 
@@ -0,0 +1,3 @@
+type citadel_device, dev_type;
+type ramoops_device, dev_type;
+type maxfg_device, dev_type;
\ No newline at end of file
diff --git a/sepolicy/vendor/google/dumpstate.te b/sepolicy/vendor/google/dumpstate.te
new file mode 100644
index 0000000..f261798
--- /dev/null
+++ b/sepolicy/vendor/google/dumpstate.te
@@ -0,0 +1 @@
+allow dumpstate proc_slabinfo:file r_file_perms;
diff --git a/sepolicy/vendor/google/file.te b/sepolicy/vendor/google/file.te
new file mode 100644
index 0000000..ce6a826
--- /dev/null
+++ b/sepolicy/vendor/google/file.te
@@ -0,0 +1,6 @@
+type sysfs_pstore, sysfs_type, fs_type;
+type ramoops_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type proc_touch, proc_type, fs_type;
+type sysfs_display, sysfs_type, fs_type;
+type sysfs_pixelstats, sysfs_type, fs_type;
+type persist_battery_file, file_type;
diff --git a/sepolicy/vendor/google/file_contexts b/sepolicy/vendor/google/file_contexts
new file mode 100644
index 0000000..31a0882
--- /dev/null
+++ b/sepolicy/vendor/google/file_contexts
@@ -0,0 +1,23 @@
+# dev nodes
+/dev/citadel0 u:object_r:citadel_device:s0
+/dev/access-metadata u:object_r:ramoops_device:s0
+/dev/access-ramoops u:object_r:ramoops_device:s0
+/dev/maxfg_history u:object_r:maxfg_device:s0
+
+/vendor/bin/hw/android\.hardware\.authsecret@1\.0-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.oemlock@1\.0-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service.citadel u:object_r:hal_keymaster_citadel_exec:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service-disabled u:object_r:hal_secure_element_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power@1\.3-service\.crosshatch-libperfmgr u:object_r:hal_power_default_exec:s0
+/vendor/bin/init\.firstboot\.sh u:object_r:init-firstboot_exec:s0
+/vendor/bin/ramoops u:object_r:ramoops_exec:s0
+/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
+/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0
+
+/data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0
+
+/persist/battery(/.*)? u:object_r:persist_battery_file:s0
diff --git a/sepolicy/vendor/google/fsck.te b/sepolicy/vendor/google/fsck.te
new file mode 100644
index 0000000..9c64f10
--- /dev/null
+++ b/sepolicy/vendor/google/fsck.te
@@ -0,0 +1,2 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+
diff --git a/sepolicy/vendor/google/genfs_contexts b/sepolicy/vendor/google/genfs_contexts
new file mode 100644
index 0000000..cba7474
--- /dev/null
+++ b/sepolicy/vendor/google/genfs_contexts
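Review bot: The keymaster entry in file_contexts escapes every dot except the one before `citadel` (`@4\.0-service.citadel`), so that `.` is a regex wildcard, unlike the authsecret, oemlock and weaver entries right above it which escape the same position. It should read `/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0`. The practical effect is small here, but file_contexts patterns are regexes and a consistent escaping style is what keeps labelling predictable when new binaries with similar names land in /vendor/bin/hw.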
@@ -0,0 +1,7 @@
+genfscon sysfs /devices/platform/soc/171c0000.slim/tavil-slim-pgd/tavil_codec u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/virtual/misc/msm_cirrus_playback/resistance_left_right u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_iv u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_tag u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/use_alt u:object_r:sysfs_pstore:s0
+genfscon proc /fts/driver_test u:object_r:proc_touch:s0
diff --git a/sepolicy/vendor/google/google_camera_app.te b/sepolicy/vendor/google/google_camera_app.te
new file mode 100644
index 0000000..6520084
--- /dev/null
+++ b/sepolicy/vendor/google/google_camera_app.te
@@ -0,0 +1,44 @@
+type google_camera_app, domain, coredomain;
+
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+# Access standard system services
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app drmserver_service:service_manager find;
+allow google_camera_app mediacodec_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app nfc_service:service_manager find;
+allow google_camera_app surfaceflinger_service:service_manager find;
+
+allow google_camera_app hidl_token_hwservice:hwservice_manager find;
+
+# Execute libraries from RenderScript cache
+allow google_camera_app app_data_file:file { rx_file_perms };
+
+# Read memory info
+allow google_camera_app proc_meminfo:file r_file_perms;
+
+# gdbserver / stack traces
+allow google_camera_app self:process ptrace;
+
+# Access to Hexagon DSP kernel device
+allow google_camera_app qdsp_device:chr_file { r_file_perms };
+
+# Read adsp files
+
+allow google_camera_app adsprpcd_file:lnk_file r_file_perms;
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow google_camera_app system_app_data_file:file { read write getattr };
+
+# Allow GoogleCamera access easel.
+allow google_camera_app hal_paintbox_hwservice:hwservice_manager find;
+binder_call(google_camera_app, easel)
+allow google_camera_app easel_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/google/hal_authsecret_citadel.te b/sepolicy/vendor/google/hal_authsecret_citadel.te
new file mode 100644
index 0000000..029d957
--- /dev/null
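Review bot: `allow google_camera_app self:process ptrace;` is annotated as a gdbserver / stack-trace aid but is granted unconditionally in google_camera_app.te; if it is only needed while debugging, wrapping that rule in the userdebug_or_eng m4 macro keeps it out of user builds, and if production crash reporting depends on it the comment should say so instead of naming gdbserver. Separately, the `# Read adsp files` comment is split from its rule by a blank line, unlike every other comment in the file; remove the blank line so the comment stays attached to `allow google_camera_app adsprpcd_file:lnk_file r_file_perms;`.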
+++ b/sepolicy/vendor/google/hal_authsecret_citadel.te
@@ -0,0 +1,9 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_authsecret_citadel)
+binder_call(hal_authsecret_citadel, citadeld)
+allow hal_authsecret_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+init_daemon_domain(hal_authsecret_citadel)
diff --git a/sepolicy/vendor/google/hal_confirmationui.te b/sepolicy/vendor/google/hal_confirmationui.te
new file mode 100644
index 0000000..e6e07b8
--- /dev/null
+++ b/sepolicy/vendor/google/hal_confirmationui.te
@@ -0,0 +1,14 @@
+allow hal_confirmationui_server tee_device:chr_file rw_file_perms;
+allow hal_confirmationui_server ion_device:chr_file r_file_perms;
+
+allow hal_confirmationui_server hal_tui_comm_hwservice:hwservice_manager find;
+binder_call(hal_confirmationui_server, hal_tui_comm)
+
+vndbinder_use(hal_confirmationui_server)
+allow hal_confirmationui_server citadeld_service:service_manager find;
+binder_call(hal_confirmationui_server, citadeld)
+
+binder_call(hal_confirmationui_server, keystore)
+
+allow hal_confirmationui_server input_device:chr_file rw_file_perms;
+allow hal_confirmationui_server input_device:dir r_dir_perms;
diff --git a/sepolicy/vendor/google/hal_fingerprint.te b/sepolicy/vendor/google/hal_fingerprint.te
new file mode 100644
index 0000000..cc53b02
--- /dev/null
+++ b/sepolicy/vendor/google/hal_fingerprint.te
@@ -0,0 +1,5 @@
+allow hal_fingerprint_default hal_pixelstats_hwservice:hwservice_manager find;
+allow hal_fingerprint_default pixelstats_system:binder call;
+
+allow hal_fingerprint input_device:dir r_dir_perms;
+allow hal_fingerprint input_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/google/hal_health_default.te b/sepolicy/vendor/google/hal_health_default.te
new file mode 100644
index 0000000..49e6207
--- /dev/null
+++ b/sepolicy/vendor/google/hal_health_default.te
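Review bot: In hal_fingerprint.te the last two rules target the `hal_fingerprint` attribute while the first two are scoped to `hal_fingerprint_default`; as far as I recall AOSP's hal_client_domain and hal_server_domain macros both add the bare hal attribute to the domain, in which case `allow hal_fingerprint input_device:dir r_dir_perms;` and the chr_file rule would also reach every fingerprint HAL client, system_server included. If only the HAL server reads input devices, scope both rules to `hal_fingerprint_default` like the two above them; if the attribute is deliberate (passthrough HAL in the client process), add a comment saying so.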
@@ -0,0 +1,21 @@
+r_dir_file(hal_health_default, sysfs_msm_subsys)
+
+# storage
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
+# wireless charger
+allow hal_health_default sysfs_wlc:dir r_dir_perms;
+
+allow hal_health_default hal_pixelstats_hwservice:hwservice_manager find;
+allow hal_health_default pixelstats_system:binder call;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+allow hal_health_default sysfs_batteryinfo:dir search;
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;
+
+get_prop(hal_health_default, vendor_shutdown_prop)
+set_prop(hal_health_default, vendor_shutdown_prop)
+
+allow hal_health_default self:capability2 wake_alarm;
+allow hal_health_default mnt_vendor_file:dir search;
diff --git a/sepolicy/vendor/google/hal_keymaster_citadel.te b/sepolicy/vendor/google/hal_keymaster_citadel.te
new file mode 100644
index 0000000..ebca378
--- /dev/null
+++ b/sepolicy/vendor/google/hal_keymaster_citadel.te
@@ -0,0 +1,12 @@
+type hal_keymaster_citadel, domain;
+type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_keymaster_citadel)
+binder_call(hal_keymaster_citadel, citadeld)
+allow hal_keymaster_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_keymaster_citadel, hal_keymaster)
+init_daemon_domain(hal_keymaster_citadel)
+
+get_prop(hal_keymaster_citadel, vendor_tee_listener_prop)
+get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/sepolicy/vendor/google/hal_oemlock_citadel.te b/sepolicy/vendor/google/hal_oemlock_citadel.te
new file mode 100644
index 0000000..d3ff719
--- /dev/null
+++ b/sepolicy/vendor/google/hal_oemlock_citadel.te
@@ -0,0 +1,9 @@
+type hal_oemlock_citadel, domain;
+type hal_oemlock_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_oemlock_citadel)
+binder_call(hal_oemlock_citadel, citadeld)
+allow hal_oemlock_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_oemlock_citadel, hal_oemlock)
+init_daemon_domain(hal_oemlock_citadel)
diff --git a/sepolicy/vendor/google/hal_weaver_citadel.te b/sepolicy/vendor/google/hal_weaver_citadel.te
new file mode 100644
index 0000000..59914a8
--- /dev/null
+++ b/sepolicy/vendor/google/hal_weaver_citadel.te
@@ -0,0 +1,9 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+allow hal_weaver_citadel citadeld_service:service_manager find;
+
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+init_daemon_domain(hal_weaver_citadel)
diff --git a/sepolicy/vendor/google/init-devstart-sh.te b/sepolicy/vendor/google/init-devstart-sh.te
new file mode 100644
index 0000000..aecddc0
--- /dev/null
+++ b/sepolicy/vendor/google/init-devstart-sh.te
@@ -0,0 +1,2 @@
+# ramoops
+dontaudit init-qcom-devstart-sh sysfs_pstore:file { getattr };
diff --git a/sepolicy/vendor/google/init-firstboot.te b/sepolicy/vendor/google/init-firstboot.te
new file mode 100644
index 0000000..7ca7168
--- /dev/null
+++ b/sepolicy/vendor/google/init-firstboot.te
@@ -0,0 +1,15 @@
+type init-firstboot, domain;
+type init-firstboot_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-firstboot)
+
+allow init-firstboot vendor_shell_exec:file rx_file_perms;
+allow init-firstboot vendor_toolbox_exec:file rx_file_perms;
+
+# Read USB connection state
+allow init-firstboot sysfs_msm_subsys:dir search;
+r_dir_file(init-firstboot, sysfs_batteryinfo)
+
+# Set property to trigger a shutdown
+set_prop(init-firstboot, powerctl_prop)
+
diff --git a/sepolicy/vendor/google/init_citadel.te b/sepolicy/vendor/google/init_citadel.te
new file mode 100644
index 0000000..f96ab15
--- /dev/null
+++ b/sepolicy/vendor/google/init_citadel.te
@@ -0,0 +1,14 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+# Shell script exec (toolbox)
+allow init_citadel vendor_shell_exec:file r_file_perms;
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+allow init_citadel vendor_file:file rx_file_perms;
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+init_daemon_domain(init_citadel)
diff --git a/sepolicy/vendor/google/keys.conf b/sepolicy/vendor/google/keys.conf
new file mode 100644
index 0000000..3e2b8bc
--- /dev/null
+++ b/sepolicy/vendor/google/keys.conf
@@ -0,0 +1,16 @@
+[@TANGO]
+ALL : device/google/crosshatch/sepolicy/vendor/google/certs/tango_release.x509.pem
+
+# Release builds of Android should not trust development builds of Tango.
+# Unfortnately the infrastructure requires a certificate for each build variant,
+# so switch to a bogus, unused cert for user builds.
+[@TANGO_DEV]
+ENG : device/google/crosshatch/sepolicy/vendor/google/certs/tango.x509.pem
+USERDEBUG : device/google/crosshatch/sepolicy/vendor/google/certs/tango.x509.pem
+USER : device/google/crosshatch/sepolicy/vendor/google/certs/tango_userdev.x509.pem
+
+[@GOOGLE]
+ALL : device/google/crosshatch/sepolicy/vendor/google/certs/app.x509.pem
+
+[@EASEL]
+ALL : device/google/crosshatch/sepolicy/vendor/google/certs/easel.x509.pem
diff --git a/sepolicy/vendor/google/mac_permissions.xml b/sepolicy/vendor/google/mac_permissions.xml
new file mode 100644
index 0000000..401dc83
--- /dev/null
+++ b/sepolicy/vendor/google/mac_permissions.xml
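Review bot: In init_citadel.te, `allow init_citadel vendor_shell_exec:file r_file_perms;` sits under `# Shell script exec (toolbox)` yet grants only read on the shell, whereas the sibling init-firstboot and ramoops domains in this commit give the interpreter `rx_file_perms`. If init_citadel is a shell script run through /vendor/bin/sh, execute on vendor_shell_exec is normally needed, so either change the line to `allow init_citadel vendor_shell_exec:file rx_file_perms;` or reword the comment to say why read alone suffices here. The `vendor_file:file rx_file_perms` rule below it is broad (any file under /vendor) and would also benefit from a comment naming the helper binaries it is meant to cover.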
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <!-- google apps key -->
+ <signer signature="@GOOGLE" >
+ <seinfo value="google" />
+ </signer>
+ <signer signature="@TANGO" >
+ <seinfo value="tango" />
+ </signer>
+ <signer signature="@TANGO_DEV" >
+ <seinfo value="tango" />
+ </signer>
+ <signer signature="@EASEL" >
+ <seinfo value="easel" />
+ </signer>
+</policy>
diff --git a/sepolicy/vendor/google/mediacodec.te b/sepolicy/vendor/google/mediacodec.te
new file mode 100644
index 0000000..d5b29f9
--- /dev/null
+++ b/sepolicy/vendor/google/mediacodec.te
@@ -0,0 +1 @@
+allow mediacodec self:binder call;
diff --git a/sepolicy/vendor/google/pixelstats.te b/sepolicy/vendor/google/pixelstats.te
new file mode 100644
index 0000000..eac0297
--- /dev/null
+++ b/sepolicy/vendor/google/pixelstats.te
@@ -0,0 +1,10 @@
+hal_attribute(pixelstats)
+
+# pixelstats system
+type pixelstats_system, domain, coredomain;
+
+add_hwservice(pixelstats_system, hal_pixelstats_hwservice)
+
+hal_server_domain(pixelstats_system, hal_pixelstats)
+init_daemon_domain(pixelstats_system)
+type pixelstats_system_exec, exec_type, file_type;
diff --git a/sepolicy/vendor/google/pixelstats_vendor.te b/sepolicy/vendor/google/pixelstats_vendor.te
new file mode 100644
index 0000000..44c1957
--- /dev/null
+++ b/sepolicy/vendor/google/pixelstats_vendor.te
@@ -0,0 +1,19 @@
+# pixelstats vendor
+type pixelstats_vendor, domain;
+
+type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(pixelstats_vendor)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, pixelstats_system)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_batteryinfo:dir search;
+allow pixelstats_vendor sysfs_batteryinfo:file r_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:dir search;
+allow pixelstats_vendor sysfs_pixelstats:file rw_file_perms;
+allow pixelstats_vendor self:netlink_kobject_uevent_socket { create setopt bind read };
diff --git a/sepolicy/vendor/google/property.te b/sepolicy/vendor/google/property.te
new file mode 100644
index 0000000..c41748b
--- /dev/null
+++ b/sepolicy/vendor/google/property.te
@@ -0,0 +1,2 @@
+type vendor_ramoops_prop, property_type;
+type vendor_shutdown_prop, property_type;
diff --git a/sepolicy/vendor/google/property_contexts b/sepolicy/vendor/google/property_contexts
new file mode 100644
index 0000000..426ee5d
--- /dev/null
+++ b/sepolicy/vendor/google/property_contexts
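Review bot: In pixelstats.te, `type pixelstats_system_exec, exec_type, file_type;` is declared on the last line, after `init_daemon_domain(pixelstats_system)` has already referenced it; the policy compiles either way, but every other domain file in this commit declares the exec type directly beneath the domain type. Move the declaration to follow `type pixelstats_system, domain, coredomain;` so the two declarations read together and the file matches its siblings.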
@@ -0,0 +1,6 @@
+# ramoops
+vendor.ramoops. u:object_r:vendor_ramoops_prop:s0
+
+persist.vendor.radio.no_wait_for_card u:object_r:vendor_radio_prop:s0
+vendor.powerhal.rendering u:object_r:power_prop:s0
+persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
diff --git a/sepolicy/vendor/google/ramoops.te b/sepolicy/vendor/google/ramoops.te
new file mode 100644
index 0000000..b998465
--- /dev/null
+++ b/sepolicy/vendor/google/ramoops.te
@@ -0,0 +1,18 @@
+type ramoops, domain;
+type ramoops_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ramoops);
+
+# kmod=crypto-gcm(aes)
+dontaudit ramoops kernel:system module_request;
+
+allow ramoops ramoops_exec:file rx_file_perms;
+allow ramoops vendor_shell_exec:file rx_file_perms;
+allow ramoops vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(ramoops, vendor_ramoops_prop);
+
+allow ramoops sysfs_pstore:file rw_file_perms;
+allow ramoops ramoops_device:chr_file rw_file_perms;
+allow ramoops ramoops_vendor_data_file:file create_file_perms;
+allow ramoops ramoops_vendor_data_file:dir rw_dir_perms;
diff --git a/sepolicy/vendor/google/vendor_init.te b/sepolicy/vendor/google/vendor_init.te
new file mode 100644
index 0000000..f3b371b
--- /dev/null
+++ b/sepolicy/vendor/google/vendor_init.te
@@ -0,0 +1,3 @@
+# To allow setting audio.camerasound.force based on
+# ro.boot.hardware.radio.subtype at boot
+get_prop(vendor_init, vendor_radio_sku_prop)
diff --git a/sepolicy/vendor/google/vndservice.te b/sepolicy/vendor/google/vndservice.te
new file mode 100644
index 0000000..6bf77c8
--- /dev/null
+++ b/sepolicy/vendor/google/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/sepolicy/vendor/google/vndservice_contexts b/sepolicy/vendor/google/vndservice_contexts
new file mode 100644
index 0000000..5534176
--- /dev/null
+++ b/sepolicy/vendor/google/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
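Review bot: In ramoops.te no file_contexts entry in this change assigns the `ramoops_vendor_data_file` label (the file_contexts hunk below is the qcom/common one), so confirm the google-side file_contexts labels that directory; otherwise files are created under the parent directory's label and the `create_file_perms`/`rw_dir_perms` rules here never take effect. Since pstore typically holds previous-boot kernel logs, a comment above the data-file rules stating which domains are meant to read the dumped files would make the intended exposure explicit. The trailing `;` on `init_daemon_domain(ramoops);` and `set_prop(ramoops, vendor_ramoops_prop);` is inconsistent with the other macro calls in this change (e.g. wait_for_strongbox.te) and should be dropped.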
diff --git a/sepolicy/vendor/google/wait_for_strongbox.te b/sepolicy/vendor/google/wait_for_strongbox.te
new file mode 100644
index 0000000..c9586c8
--- /dev/null
+++ b/sepolicy/vendor/google/wait_for_strongbox.te
@@ -0,0 +1,9 @@
+# wait_for_strongbox service
+type wait_for_strongbox, domain;
+type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wait_for_strongbox)
+
+hal_client_domain(wait_for_strongbox, hal_keymaster)
+
+allow wait_for_strongbox kmsg_device:chr_file w_file_perms;
\ No newline at end of file diff --git a/sepolicy/vendor/qcom/common/adsprpcd.te b/sepolicy/vendor/qcom/common/adsprpcd.te new file mode 100644 index 0000000..ee0489a --- /dev/null +++ b/sepolicy/vendor/qcom/common/adsprpcd.te @@ -0,0 +1,11 @@ +type adsprpcd, domain; +type adsprpcd_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(adsprpcd) + +allow adsprpcd ion_device:chr_file r_file_perms; +allow adsprpcd qdsp_device:chr_file r_file_perms; + +allow adsprpcd system_file:dir r_dir_perms; + +r_dir_file(adsprpcd, adsprpcd_file) diff --git a/sepolicy/vendor/qcom/common/app.te b/sepolicy/vendor/qcom/common/app.te new file mode 100644 index 0000000..567c115 --- /dev/null +++ b/sepolicy/vendor/qcom/common/app.te @@ -0,0 +1,4 @@ +# For the camera app +get_prop(appdomain, vendor_camera_prop) + +get_prop(appdomain, vendor_display_prop) diff --git a/sepolicy/vendor/qcom/common/attributes b/sepolicy/vendor/qcom/common/attributes new file mode 100644 index 0000000..c3d1601 --- /dev/null +++ b/sepolicy/vendor/qcom/common/attributes @@ -0,0 +1,2 @@ +# All types in /mnt/vendor/persist +attribute vendor_persist_type; diff --git a/sepolicy/vendor/qcom/common/audioserver.te b/sepolicy/vendor/qcom/common/audioserver.te new file mode 100644 index 0000000..4dd8b7c --- /dev/null +++ b/sepolicy/vendor/qcom/common/audioserver.te @@ -0,0 +1,4 @@ +binder_call(audioserver, bootanim) + +allow audioserver sysfs_soc:file r_file_perms; +allow audioserver sysfs_soc:dir search; diff --git a/sepolicy/vendor/qcom/common/bluetooth.te b/sepolicy/vendor/qcom/common/bluetooth.te new file mode 100644 index 0000000..c025f91 --- /dev/null +++ b/sepolicy/vendor/qcom/common/bluetooth.te @@ -0,0 +1,5 @@ +typeattribute bluetooth system_writes_vendor_properties_violators; +set_prop(bluetooth, vendor_bluetooth_prop) + +# Allow access to net_admin ioctls +allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls; 
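Review bot: wait_for_strongbox.te ends without a trailing newline (`\ No newline at end of file`), unlike the other .te files in this change; cdsprpcd.te and easel.te further down have the same problem. Add the final newline so the files concatenate cleanly in the policy build and future diffs do not churn the last line. The domain itself is tightly scoped as written: a keymaster HAL client whose only other grant is `kmsg_device:chr_file w_file_perms`.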
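Review bot: `typeattribute bluetooth system_writes_vendor_properties_violators;` is a Treble exemption letting a system domain set a vendor property, but nothing records which property (presumably `vendor_bluetooth_prop` on the next line) or why the write cannot move to a vendor domain; the same undocumented exemption appears in cameraserver.te, factory_ota_app.te and gatekeeperd.te. Add a comment above each, e.g. `# b/<bug-id>: writes vendor_bluetooth_prop; remove once <reason>`, so the exemptions are tracked rather than silently accumulated. The `allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;` whitelist is the right shape for the net_admin ioctls the comment mentions.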
diff --git a/sepolicy/vendor/qcom/common/bootanim.te b/sepolicy/vendor/qcom/common/bootanim.te new file mode 100644 index 0000000..0125ef0 --- /dev/null +++ b/sepolicy/vendor/qcom/common/bootanim.te @@ -0,0 +1,12 @@ +allow bootanim hwservicemanager:binder call; + +# TODO(b/62954877). On Android Wear, bootanim reads the time +# during boot to display. It currently gets that time from a file +# in /data/system. This should be moved. In the meantime, suppress +# this denial on phones since this functionality is not used. +dontaudit bootanim system_data_file:dir read; + +# TODO(b/37205419): Remove upon resolution +dontaudit bootanim kernel:system module_request; + +get_prop(bootanim, vendor_display_prop) diff --git a/sepolicy/vendor/qcom/common/cameraserver.te b/sepolicy/vendor/qcom/common/cameraserver.te new file mode 100644 index 0000000..bebc32f --- /dev/null +++ b/sepolicy/vendor/qcom/common/cameraserver.te @@ -0,0 +1,13 @@ +allow cameraserver gpu_device:chr_file rw_file_perms; + +typeattribute cameraserver system_writes_vendor_properties_violators; +get_prop(cameraserver, vendor_camera_prop) + +allow cameraserver sysfs_camera:file r_file_perms; +allow cameraserver sysfs_camera:dir search; + +allow cameraserver system_server:unix_stream_socket { read write }; + +binder_call(cameraserver, mediacodec) + +dontaudit cameraserver vendor_display_prop:file r_file_perms; diff --git a/sepolicy/vendor/qcom/common/cdsprpcd.te b/sepolicy/vendor/qcom/common/cdsprpcd.te new file mode 100644 index 0000000..ab1f819 --- /dev/null +++ b/sepolicy/vendor/qcom/common/cdsprpcd.te 
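Review bot: `dontaudit cameraserver vendor_display_prop:file r_file_perms;` at the end of cameraserver.te silences a property read instead of deciding it: if cameraserver needs the value, replace the line with `get_prop(cameraserver, vendor_display_prop)`; if it does not, give the dontaudit a comment saying which code path probes the property, as the bootanim.te dontaudits above do with their bug references. Separately, only `get_prop(cameraserver, vendor_camera_prop)` is visible here, which does not need the `system_writes_vendor_properties_violators` attribute; if no `set_prop` for cameraserver exists elsewhere in the policy, the typeattribute line can be removed.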
@@ -0,0 +1,16 @@
+# cdsprpcd daemon
+type cdsprpcd, domain;
+type cdsprpcd_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(cdsprpcd)
+
+# For reading dir/files on /dsp
+r_dir_file(cdsprpcd, adsprpcd_file)
+
+allow cdsprpcd qdsp_device:chr_file r_file_perms;
+allow cdsprpcd ion_device:chr_file r_file_perms;
+
+r_dir_file(cdsprpcd, sysfs_devfreq)
+allow cdsprpcd sysfs_devfreq_l3cdsp:dir r_dir_perms;
+allow cdsprpcd sysfs_devfreq_l3cdsp:file rw_file_perms;
\ No newline at end of file diff --git a/sepolicy/vendor/qcom/common/chre.te b/sepolicy/vendor/qcom/common/chre.te new file mode 100644 index 0000000..4a06565 --- /dev/null +++ b/sepolicy/vendor/qcom/common/chre.te @@ -0,0 +1,21 @@ +# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules +# onto the SLPI using FastRPC, and exposes a sockets interface for clients on +# the applications processor to interact CHRE +type chre, domain; +type chre_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(chre) + +allow chre system_file:dir read; + +allow chre ion_device:chr_file r_file_perms; +allow chre qdsp_device:chr_file r_file_perms; +allow chre dsp_device:chr_file r_file_perms; + +r_dir_file(chre, adsprpcd_file) + +# Allow CHRE to obtain wakelock +wakelock_use(chre) + +# To communicate with ST HAL +hal_client_domain(chre, hal_audio) diff --git a/sepolicy/vendor/qcom/common/cnd.te b/sepolicy/vendor/qcom/common/cnd.te new file mode 100644 index 0000000..5e0a85d --- /dev/null +++ b/sepolicy/vendor/qcom/common/cnd.te 
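Review bot: The header comment in chre.te ends with `to interact CHRE`; it should read `to interact with CHRE`. The comment also says the daemon exposes a sockets interface, yet no socket rule appears in this file; `chre_socket` is declared in file.te and `unix_socket_connect(pixelstats_vendor, chre, chre)` in pixelstats_vendor.te is its only visible client, so presumably init creates the socket from the service definition. A one-line pointer to where the socket is created would save the next reader that search.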
@@ -0,0 +1,55 @@ +type cnd, domain; +type cnd_exec, exec_type, vendor_file_type, file_type; +file_type_auto_trans(cnd, socket_device, cnd_socket); + +# cnd is started by init, type transit from init domain to cnd domain +init_daemon_domain(cnd) + +#communicating with QTI wlan driver for WFC/ VTiWLAN quality +allow cnd self:capability net_bind_service; + +unix_socket_send(cnd, wpa, hal_wifi_supplicant) +allow cnd wpa_data_file:dir rw_dir_perms; +allow cnd wpa_data_file:sock_file create_file_perms; +allow cnd wpa_socket:sock_file write; + +allow cnd self:udp_socket create_socket_perms; +allowxperm cnd self:udp_socket ioctl SIOCGIFMTU; +allow cnd self:{ + # Allow receiving NETLINK responses from WLAN driver. + netlink_socket + netlink_generic_socket +} create_socket_perms_no_ioctl; + +allow cnd sysfs_timestamp_switch:file r_file_perms; +r_dir_file(cnd, sysfs_msm_subsys) +r_dir_file(cnd, sysfs_diag) +r_dir_file(cnd, sysfs_soc) + +allow cnd proc_meminfo:file r_file_perms; + +set_prop(cnd, cnd_prop) + +allow cnd self:socket create_socket_perms; +allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls; + +# allow cnd to access cnd_data_file +allow cnd cnd_data_file:file create_file_perms; +allow cnd cnd_data_file:sock_file { unlink create setattr }; +allow cnd cnd_data_file:dir rw_dir_perms; + +# allow cnd to obtain wakelock +wakelock_use(cnd) + +allow cnd ipa_vendor_data_file:dir r_dir_perms; +allow cnd ipa_vendor_data_file:file r_file_perms; + +# To register cnd to hwbinder +add_hwservice(cnd, hal_cne_hwservice) +hwbinder_use(cnd) +get_prop(cnd, hwservicemanager_prop) +binder_call(cnd, dataservice_app) +binder_call(cnd, ims) +binder_call(cnd, location) + +dontaudit cnd kernel:system module_request; diff --git a/sepolicy/vendor/qcom/common/con_monitor.te b/sepolicy/vendor/qcom/common/con_monitor.te new file mode 100644 index 0000000..98b1f78 --- /dev/null +++ b/sepolicy/vendor/qcom/common/con_monitor.te 
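Review bot: `dontaudit cnd kernel:system module_request;` on the last line has no reason comment, unlike `# kmod=crypto-gcm(aes)` in ramoops.te; add `# kmod=<module> - TODO confirm which module cnd triggers` so the suppression can be revisited. `allow cnd wpa_data_file:dir rw_dir_perms;` together with `allow cnd wpa_data_file:sock_file create_file_perms;` lets cnd create and unlink socket files inside wpa_supplicant's data directory; if that is for the client-side reply socket of the control interface, say so in a comment, because a later trim to `unix_socket_send` plus `wpa_socket:sock_file write` would look correct and break it. The ioctl handling is sound: the generic `self:socket` and `self:udp_socket` grants are each paired with an `allowxperm` whitelist and the netlink sockets use `create_socket_perms_no_ioctl`.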
@@ -0,0 +1,12 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
+allow con_monitor_app radio_service:service_manager find;
+allow con_monitor_app audioserver_service:service_manager find;
+hal_client_domain(con_monitor_app, hal_power);
diff --git a/sepolicy/vendor/qcom/common/dataservice_app.te b/sepolicy/vendor/qcom/common/dataservice_app.te
new file mode 100644
index 0000000..e07d0bf
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/dataservice_app.te
@@ -0,0 +1,11 @@
+get_prop(dataservice_app, cnd_prop)
+
+r_dir_file(dataservice_app, sysfs_msm_subsys)
+
+allow dataservice_app hal_imsrcsd_hwservice:hwservice_manager find;
+allow dataservice_app hal_cne_hwservice:hwservice_manager find;
+
+binder_call(dataservice_app, cnd)
+
+# imsrcsd to bind with UceShimService.apk
+binder_call(dataservice_app, hal_rcsservice)
diff --git a/sepolicy/vendor/qcom/common/device.te b/sepolicy/vendor/qcom/common/device.te
new file mode 100644
index 0000000..b20c09c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/device.te
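Review bot: `set_prop(con_monitor_app, radio_prop)` gives an app domain write access to the whole system `radio_prop` set, normally written by the radio stack, and it is the most powerful grant in the file with no comment on which property ConnectivityMonitor actually sets. Add `# sets <property> - TODO confirm` above it, and if a single property is involved, consider a dedicated property type in property_contexts instead of `radio_prop`. The trailing `;` on `hal_client_domain(con_monitor_app, hal_power);` is inconsistent with the other macro calls in this file.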
@@ -0,0 +1,25 @@ +type ab_block_device, dev_type; +type at_device, dev_type; +type avtimer_device, dev_type; +type bt_device, dev_type; +type diag_device, dev_type, mlstrustedobject; +type dsp_device, dev_type; +type easel_device, dev_type, mlstrustedobject; +type gpt_block_device, dev_type; +type ipa_dev, dev_type; +type latency_device, dev_type; +type modem_block_device, dev_type; +type persist_block_device, dev_type; +type qsee_ipc_irq_spss_device, dev_type; +type qdsp_device, dev_type, mlstrustedobject; +type ramdump_device, dev_type; +type rmnet_device, dev_type; +type ramdump_block_device, dev_type; +type seemplog_device, dev_type; +type sg_device, dev_type; +type smd_device, dev_type; +type spcom_device, dev_type; +type ssd_block_device, dev_type; +type ssr_device, dev_type; +type wlan_device, dev_type; +type xbl_block_device, dev_type; diff --git a/sepolicy/vendor/qcom/common/domain.te b/sepolicy/vendor/qcom/common/domain.te new file mode 100644 index 0000000..bb6b3b7 --- /dev/null +++ b/sepolicy/vendor/qcom/common/domain.te @@ -0,0 +1,14 @@ +userdebug_or_eng(` + allow domain diag_device:chr_file rw_file_perms; +') + +# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem +# to be created for memory tracking, the domain of +# the tracked process must have permission to search +# in /sys/kernel/debug/kgsl +allow domain debugfs_kgsl:dir search; + +allow domain debugfs_ion:dir search; + +get_prop(domain, public_vendor_default_prop) +get_prop(domain, vendor_radio_prop) diff --git a/sepolicy/vendor/qcom/common/dumpstate.te b/sepolicy/vendor/qcom/common/dumpstate.te new file mode 100644 index 0000000..6892e27 --- /dev/null +++ b/sepolicy/vendor/qcom/common/dumpstate.te 
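Review bot: `get_prop(domain, vendor_radio_prop)` and `get_prop(domain, public_vendor_default_prop)` in domain.te make every property under those labels readable by every domain, including untrusted apps; `persist.vendor.radio.no_wait_for_card` in property_contexts is harmless, but anything later labeled `vendor_radio_prop` inherits the same world-readability. A comment at the grant, e.g. `# readable by all domains incl. untrusted_app: never label device identifiers vendor_radio_prop`, puts the constraint where a new property is most likely to be added. The `debugfs_kgsl:dir search` grant to all of `domain` is explained; `allow domain debugfs_ion:dir search;` deserves the same one-line reason.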
@@ -0,0 +1,17 @@ +userdebug_or_eng(` + allow dumpstate proc_modules:file r_file_perms; + allow dumpstate proc_stat:file r_file_perms; + allow dumpstate persist_file:dir r_dir_perms; + allow dumpstate sysfs_leds:dir search; + allow dumpstate system_block_device:blk_file r_file_perms; + + dontaudit dumpstate self:netlink_xfrm_socket create_socket_perms_no_ioctl; + + binder_call(dumpstate, per_mgr) +') + +# For collecting bugreports. +allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; +allow dumpstate sysfs_scsi_devices_other:file r_file_perms; +allow dumpstate sysfs_devices_block:file r_file_perms; +dontaudit dumpstate kernel:system module_request; diff --git a/sepolicy/vendor/qcom/common/easel.te b/sepolicy/vendor/qcom/common/easel.te new file mode 100644 index 0000000..65d9105 --- /dev/null +++ b/sepolicy/vendor/qcom/common/easel.te @@ -0,0 +1,32 @@ +# easel service +type easel, domain; +type easel_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(easel) + +hwbinder_use(easel) +add_hwservice(easel, hal_paintbox_hwservice) +get_prop(easel, hwservicemanager_prop) + +# access easel dev nodes +allow easel easel_device:chr_file rw_file_perms; +allow easel sysfs_easel:file rw_file_perms; +allow easel sysfs_easel:dir r_dir_perms; + +# access easel thermal sysfs +allow easel sysfs_thermal:dir r_dir_perms; +allow easel sysfs_thermal:file r_file_perms; +allow easel sysfs_thermal:lnk_file r_file_perms; + +# access "/proc/stat" +allow easel proc_stat:file r_file_perms; + +allow easel google_camera_app:binder call; +allow easel hal_camera_default:binder call; +allow easel hal_neuralnetworks_paintbox:binder call; + +allow easel hal_graphics_allocator_default:fd use; +allow easel ion_device:chr_file r_file_perms; + +# access to keychain for kernel based authentication +allow easel kernel:key search;
\ No newline at end of file diff --git a/sepolicy/vendor/qcom/common/easelservice_app.te b/sepolicy/vendor/qcom/common/easelservice_app.te new file mode 100644 index 0000000..f18b223 --- /dev/null +++ b/sepolicy/vendor/qcom/common/easelservice_app.te @@ -0,0 +1,11 @@ +type easelservice_app, domain; + +app_domain(easelservice_app) + +allow easelservice_app app_api_service:service_manager find; +allow easelservice_app surfaceflinger_service:service_manager find; +# Access to mnh_sm driver +allow easelservice_app easel_device:chr_file { read write ioctl open }; +# Access to libeaselmanager_client.so +allow easelservice_app hal_paintbox_hwservice:hwservice_manager find; +binder_call(easelservice_app, easel) diff --git a/sepolicy/vendor/qcom/common/factory_ota_app.te b/sepolicy/vendor/qcom/common/factory_ota_app.te new file mode 100644 index 0000000..8fe1a51 --- /dev/null +++ b/sepolicy/vendor/qcom/common/factory_ota_app.te @@ -0,0 +1,18 @@ +type factory_ota_app, domain, coredomain; + +app_domain(factory_ota_app) +net_domain(factory_ota_app) + +# Write to /data/ota_package for OTA packages. +allow factory_ota_app ota_package_file:dir rw_dir_perms; +allow factory_ota_app ota_package_file:file create_file_perms; + +# Properties +typeattribute factory_ota_app system_writes_vendor_properties_violators; +set_prop(factory_ota_app, factory_ota_prop); + +# Services +allow factory_ota_app app_api_service:service_manager find; +binder_call(factory_ota_app, update_engine) # Allow Factory OTA to call Update Engine +binder_call(update_engine, factory_ota_app) # Allow Update Engine to call the Factory OTA callback +allow factory_ota_app update_engine_service:service_manager find; diff --git a/sepolicy/vendor/qcom/common/file.te b/sepolicy/vendor/qcom/common/file.te new file mode 100644 index 0000000..6c6f48f --- /dev/null +++ b/sepolicy/vendor/qcom/common/file.te 
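Review bot: factory_ota_app can write `ota_package_file` and drive `update_engine` over binder, so which APK lands in this domain is the entire security boundary, and that assignment is made in seapp_contexts, which is not part of this change. Confirm the seapp_contexts entry keys on a signer-specific `seinfo` plus the package name (the mac_permissions.xml above defines only the `google`, `tango` and `easel` seinfo values) so no other app can reach the domain. A comment at the top of the file, e.g. `# Entered only via seapp_contexts: seinfo=<value> name=<package>`, would record that dependency next to the grants it protects.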
@@ -0,0 +1,131 @@ +type sysfs_camera, sysfs_type, fs_type; +type sysfs_devfreq, fs_type, sysfs_type; +type sysfs_easel, sysfs_type, fs_type; +type sysfs_fingerprint, sysfs_type, fs_type; +type sysfs_graphics, sysfs_type, fs_type; +type sysfs_laser, sysfs_type, fs_type; +type sysfs_lights, sysfs_type, fs_type; +type sysfs_mdss_mdp_caps, sysfs_type, fs_type; +type sysfs_devfreq_l3cdsp, fs_type, sysfs_type; +type sysfs_msm_subsys, sysfs_type, fs_type; +type sysfs_msm_subsys_restart, sysfs_type, fs_type; +type sysfs_msm_wlan, sysfs_type, fs_type; +type sysfs_poweroff, sysfs_type, fs_type; +type sysfs_rmtfs, sysfs_type, fs_type; +type sysfs_soc, sysfs_type, fs_type; +type sysfs_scsi_devices_0000, sysfs_type, fs_type; +type sysfs_scsi_devices_other, sysfs_type, fs_type; +type sysfs_devices_block, sysfs_type, fs_type; +type sysfs_system_sleep_stats, sysfs_type, fs_type; +type sysfs_timestamp_switch, sysfs_type, fs_type; +type sysfs_touch, sysfs_type, fs_type; +type sysfs_usb_c, sysfs_type, fs_type; +type sysfs_usb_device, sysfs_type, fs_type; +# b/70518189 vDSO experiments +type sysfs_vdso, fs_type, sysfs_type; +# See b/67205273. 
+type sysfs_gpio_export, fs_type, sysfs_type; +type sysfs_pinctrl, fs_type, sysfs_type; +type sysfs_devicetree_ese, fs_type, sysfs_type; +type sysfs_rpm, sysfs_type, fs_type; +type sysfs_wlc, sysfs_type, fs_type; +type sysfs_esim, sysfs_type, fs_type; + +type debugfs_clk, debugfs_type, fs_type; +type debugfs_ion, debugfs_type, fs_type; +type debugfs_ipc, debugfs_type, fs_type; +type debugfs_kgsl, debugfs_type, fs_type; +type debugfs_rmt_storage, debugfs_type, fs_type; +type debugfs_usb, debugfs_type, fs_type; +type debugfs_wlan, debugfs_type, fs_type; +type debugfs_easel, debugfs_type, fs_type; +type debugfs_mdp, debugfs_type, fs_type; +type debugfs_icnss, debugfs_type, fs_type; +type debugfs_f2fs, debugfs_type, fs_type; +type debugfs_ufs, debugfs_type, fs_type; +type debugfs_dma_bufinfo, debugfs_type, fs_type; +type debugfs_tzdbg, debugfs_type, fs_type; +type debugfs_fg_sram, debugfs_type, fs_type; +type debugfs_pmic_votable, debugfs_type, fs_type; +type debugfs_maxfg, debugfs_type, fs_type; +type debugfs_sched_features, debugfs_type, fs_type; + +# /proc +type proc_wifi_dbg, proc_type, fs_type; +type proc_f2fs, proc_type, fs_type; +type proc_swappiness, proc_type, fs_type; +type proc_sysctl_autogroup, proc_type, fs_type; +type proc_sysctl_schedboost, proc_type, fs_type; + +type netmgrd_socket, file_type; +type thermal_socket, file_type; + +type ims_socket, file_type; +type ipacm_socket, file_type; +type cnd_socket, file_type; +type chre_socket, file_type; +type hal_bootctl_socket, file_type; +type pps_socket, file_type; +type location_socket, file_type; + +type firmware_file, fs_type, contextmount_type; + +type cnd_data_file, file_type, data_file_type; +type location_data_file, file_type, data_file_type; + +type persist_file, file_type, vendor_persist_type; +type persist_audio_file, file_type; +type persist_camera_file, file_type; +type persist_data_file, file_type, vendor_persist_type; +type persist_display_file, file_type; +type persist_drm_file, file_type, 
vendor_persist_type; +type persist_haptics_file, file_type; +type persist_rfs_file, file_type; +type persist_sensors_file, file_type; +type persist_time_file, file_type; + +type netmgr_data_file, file_type, data_file_type; +type netmgr_recovery_data_file, file_type, data_file_type; +type ipa_vendor_data_file, file_type, data_file_type; + +type camera_vendor_data_file, file_type, data_file_type; +type display_vendor_data_file, file_type, data_file_type; +type nfc_vendor_data_file, file_type, data_file_type; +type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject; +type wifidump_vendor_data_file, file_type, data_file_type; +type modem_dump_file, file_type, data_file_type; +type sensors_vendor_data_file, file_type, data_file_type; +type secure_element_vendor_data_file, file_type, data_file_type; +type ssr_log_file, file_type, data_file_type; +type audio_vendor_data_file, file_type, data_file_type; +type modem_fdr_file, file_type, data_file_type; +type mediadrm_vendor_data_file, file_type, data_file_type; +type data_qsee_file, file_type, data_file_type; +type vendor_tui_data_file, file_type, data_file_type; +type wifi_vendor_log_data_file, file_type, data_file_type; +type hal_neuralnetworks_data_file, file_type, data_file_type; +type modem_stat_data_file, file_type, data_file_type; + +#data sysfs files +type sysfs_data, fs_type, sysfs_type; + +#diag sysfs files +type sysfs_diag, fs_type, sysfs_type; + +type hexagon_halide_file, vendor_file_type, file_type; + +#rfs files +type mpss_rfs_data_file, data_file_type, file_type; +type rfs_tombstone_data_file, data_file_type, file_type; + +# used for /dsp files +type adsprpcd_file, file_type, vendor_file_type; + +# msm_irqbalance +type proc_irq, fs_type, proc_type; +type sysfs_irq, fs_type, sysfs_type; +type irqbalance_socket, file_type; + +allow rootfs 
labeledfs:filesystem associate; diff --git a/sepolicy/vendor/qcom/common/file_contexts b/sepolicy/vendor/qcom/common/file_contexts new file mode 100644 index 0000000..e3f3730 --- /dev/null +++ b/sepolicy/vendor/qcom/common/file_contexts 
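Review bot: `allow rootfs labeledfs:filesystem associate;` is an access rule appended to a file that otherwise only declares types, with no comment; it is presumably required because file_contexts in this change labels `/persist`, `/firmware` and `/dsp` as `rootfs` under the b/111219177 compatibility TODO. Add a comment above it tying the two together, e.g. `# /persist, /firmware and /dsp keep the rootfs label on the labeled fs (see file_contexts, b/111219177)`, so the rule is removed together with those entries. The hunk starts at the file's first line but its content is split across several physical lines in this view, so the type list was reviewed as a whole.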
@@ -0,0 +1,260 @@ +# dev nodes +/dev/btpower u:object_r:bt_device:s0 +/dev/diag u:object_r:diag_device:s0 +/dev/kgsl-3d0 u:object_r:gpu_device:s0 +/dev/rtc0 u:object_r:rtc_device:s0 +/dev/smd.* u:object_r:smd_device:s0 +# TODO: does ttyMSM0 need to be more specific +/dev/ttyMSM0 u:object_r:tty_device:s0 +/dev/ipa u:object_r:ipa_dev:s0 +/dev/wwan_ioctl u:object_r:ipa_dev:s0 +/dev/ipaNatTable u:object_r:ipa_dev:s0 +/dev/cpu_dma_latency u:object_r:latency_device:s0 +/dev/rmnet_ctrl.* u:object_r:rmnet_device:s0 +/dev/at_.* u:object_r:at_device:s0 +/dev/video([0-9])+ u:object_r:video_device:s0 +/dev/media([0-9])+ u:object_r:video_device:s0 +/dev/v4l-subdev.* u:object_r:video_device:s0 +/dev/qseecom u:object_r:tee_device:s0 +/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0 +/dev/seemplog u:object_r:seemplog_device:s0 +/dev/spcom u:object_r:spcom_device:s0 +/dev/jpeg[0-9]* u:object_r:video_device:s0 +/dev/adsprpc-smd u:object_r:qdsp_device:s0 +/dev/sdsprpc-smd u:object_r:dsp_device:s0 +/dev/wcd-dsp-glink u:object_r:audio_device:s0 +/dev/wcd_dsp0_control u:object_r:audio_device:s0 +/dev/wcd-spi-ac-client u:object_r:audio_device:s0 +/dev/msm_.* u:object_r:audio_device:s0 +/dev/avtimer u:object_r:avtimer_device:s0 +/dev/subsys_.* u:object_r:ssr_device:s0 +/dev/ramdump_.* u:object_r:ramdump_device:s0 +/dev/sg[0-9]+ u:object_r:sg_device:s0 +/dev/sensors u:object_r:sensors_device:s0 +/dev/mnh_sm u:object_r:easel_device:s0 +/dev/easelcomm-client u:object_r:easel_device:s0 +/dev/pn81a u:object_r:secure_element_device:s0 +# camera rainbow sensor +/dev/vd6281 u:object_r:camera_device:s0 +# pcm device receiving rainbow sensor data +/dev/snd/pcmC0D27c u:object_r:camera_device:s0 +/dev/snd/pcmC1D27c u:object_r:camera_device:s0 +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/dri/controlD64 u:object_r:graphics_device:s0 +/dev/dri/renderD128 u:object_r:graphics_device:s0 + +# dev socket nodes +/dev/socket/chre u:object_r:chre_socket:s0 +/dev/socket/msm_irqbalance 
u:object_r:irqbalance_socket:s0 +/dev/socket/ims_qmid u:object_r:ims_socket:s0 +/dev/socket/ims_datad u:object_r:ims_socket:s0 +/dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0 +/dev/socket/cnd u:object_r:cnd_socket:s0 +/dev/socket/thermal-send-client u:object_r:thermal_socket:s0 +/dev/socket/thermal-recv-client u:object_r:thermal_socket:s0 +/dev/socket/thermal-recv-passive-client u:object_r:thermal_socket:s0 +/dev/socket/netmgr(/.*)? u:object_r:netmgrd_socket:s0 +/data/vendor/netmgr/recovery(/.*)? u:object_r:netmgr_recovery_data_file:s0 +/dev/socket/pps u:object_r:pps_socket:s0 +/dev/socket/location(/.*)? u:object_r:location_socket:s0 +/dev/nq-nci u:object_r:nfc_device:s0 +/dev/ttyHS0 u:object_r:hci_attach_dev:s0 +/dev/wlan u:object_r:wlan_device:s0 + +# Block device holding the GPT, where the A/B attributes are stored. +/dev/block/sda u:object_r:gpt_block_device:s0 + +# Block devices for the drive that holds the xbl_a and xbl_b partitions. +/dev/block/sd[bc]1? u:object_r:xbl_block_device:s0 + +# Block device for hal_bootctl +/dev/block/sde u:object_r:boot_block_device:s0 + +# Block device for ZRAM +/dev/block/zram0 u:object_r:swap_block_device:s0 + +# files in /vendor +/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service.crosshatch u:object_r:hal_dumpstate_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch u:object_r:hal_vr_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/thermal-engine u:object_r:thermal-engine_exec:s0 +/vendor/bin/sensors\.qti u:object_r:sensors_exec:s0 +/vendor/bin/ssr_setup u:object_r:ssr_setup_exec:s0 +/vendor/bin/ssr_diag u:object_r:ssr_diag_exec:s0 +/vendor/bin/pm-service u:object_r:per_mgr_exec:s0 +/vendor/bin/pm-proxy u:object_r:per_proxy_exec:s0 +/vendor/bin/qseecomd u:object_r:tee_exec:s0 +/vendor/bin/subsystem_ramdump u:object_r:subsystem_ramdump_exec:s0 +/vendor/bin/adsprpcd u:object_r:adsprpcd_exec:s0 
+/vendor/bin/cdsprpcd u:object_r:cdsprpcd_exec:s0 +/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0 +/vendor/bin/rmt_storage u:object_r:rmt_storage_exec:s0 +/vendor/bin/tftp_server u:object_r:rfs_access_exec:s0 +/vendor/bin/cnss-daemon u:object_r:wcnss_service_exec:s0 +/vendor/bin/cnss_diag u:object_r:wcnss_service_exec:s0 +/vendor/bin/diag_mdlog u:object_r:qlogd_exec:s0 +/vendor/bin/netmgrd u:object_r:netmgrd_exec:s0 +/vendor/bin/port-bridge u:object_r:port-bridge_exec:s0 +/vendor/bin/qti u:object_r:qti_exec:s0 +/vendor/bin/ramdump u:object_r:ramdump_exec:s0 +/vendor/bin/smlog_dump u:object_r:smlog_dump_exec:s0 +/vendor/bin/loc_launcher u:object_r:location_exec:s0 +/vendor/bin/lowi-server u:object_r:location_exec:s0 +/vendor/bin/xtra-daemon u:object_r:location_exec:s0 +/vendor/bin/pd-mapper u:object_r:pd_mapper_exec:s0 +/vendor/bin/imsqmidaemon u:object_r:ims_exec:s0 +/vendor/bin/imsdatadaemon u:object_r:ims_exec:s0 +/vendor/bin/ims_rtp_daemon u:object_r:hal_imsrtp_exec:s0 +/vendor/bin/ipacm u:object_r:hal_tetheroffload_default_exec:s0 +/vendor/bin/ipacm-diag u:object_r:hal_tetheroffload_default_exec:s0 +/vendor/bin/msm_irqbalance u:object_r:irqbalance_exec:s0 +/vendor/bin/cnd u:object_r:cnd_exec:s0 +/vendor/bin/easelmanagerd u:object_r:easel_exec:s0 +/vendor/bin/hw/android\.hardware\.usb@1\.1-service\.crosshatch u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.thermal@1\.1-service\.crosshatch u:object_r:hal_thermal_default_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/time_daemon u:object_r:time_daemon_exec:s0 +/vendor/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0 +/vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0 +/vendor/bin/init\.qcom\.ipastart\.sh u:object_r:init-qcom-ipastart-sh_exec:s0 +/vendor/bin/init\.qcom\.wlan\.sh u:object_r:init-qcom-wlan-sh_exec:s0 +/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 +/vendor/etc/init\.insmod\.cfg u:object_r:init-insmod-sh_exec:s0 
+/vendor/bin/init\.power\.sh u:object_r:init_power_exec:s0 +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +/vendor/bin/ftmdaemon u:object_r:ftmd_exec:s0 +/vendor/bin/hw/qcrild u:object_r:rild_exec:s0 +/vendor/bin/mm-pp-dpps u:object_r:mm-pp-daemon_exec:s0 + +/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service-crosshatch u:object_r:hal_confirmationui_default_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.vibrator@1\.2-service\.crosshatch u:object_r:hal_vibrator_default_exec:s0 +/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0 +/vendor/bin/hw/android\.hardware\.gnss@1\.1-service-qti u:object_r:hal_gnss_qti_exec:s0 +/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0 +/vendor/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:hal_tui_comm_exec:s0 +/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.0-service-paintbox u:object_r:hal_neuralnetworks_paintbox_exec:s0 +/vendor/bin/hw/android\.hardware\.health@2\.0-service\.crosshatch u:object_r:hal_health_default_exec:s0 +/vendor/bin/hw/vendor\.qti\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 +/vendor/bin/hw/hardware\.google\.media\.c2@1\.0-service-software u:object_r:mediacodec_exec:s0 +/vendor/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0 +/vendor/bin/hw/vendor\.google\.wireless_charger@1\.0-service-vendor u:object_r:hal_wlc_exec:s0 +/vendor/bin/hw/hardware\.google\.light@1\.0-service u:object_r:hal_light_default_exec:s0 + 
+############################################### +# same-process HAL files and their dependencies +# +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgrallocutils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgralloccore\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/libdrmutils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 + +# /vendor/app/TimeService/TimeService.apk +/vendor/lib(64)?/libTimeService\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libtime_genoff\.so u:object_r:same_process_hal_file:s0 + +# RenderScript dependencies. 
+# To test: run cts -m CtsRenderscriptTestCases +/vendor/lib(64)?/libRSDriver_adreno\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libCB\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libllvm-qgl\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libbccQTI\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libllvm-qcom\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/librs_adreno\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/librs_adreno_sha1\.so u:object_r:same_process_hal_file:s0 + +# libGLESv2_adreno depends on this +/vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0 + +# Hexagon DSP-side executable needed for Halide operation +# This is labeled as same_process_hal_file as it needs to be read by apps +# (e.g. Google Camera App) +/vendor/lib/dsp/cdsp/fastrpc_shell_3 u:object_r:same_process_hal_file:s0 + +# Vendor libs that are exposed to apps (those listed in /vendor/etc/public.libraries.txt +# and their dependencies) +/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libadsprpc\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libcdsprpc\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libsdsprpc\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libeaselmanager_client\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.google_paintbox@1\.0\.so u:object_r:same_process_hal_file:s0 + +# data files +/data/vendor/netmgr(/.*)? u:object_r:netmgr_data_file:s0 +/data/vendor/location(/.*)? u:object_r:location_data_file:s0 +/data/nfc(/.*)? u:object_r:nfc_data_file:s0 +/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0 +/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0 +/data/vendor/nfc(/.*)? u:object_r:nfc_vendor_data_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/wifi/cnss_diag(/.*)? u:object_r:cnss_vendor_data_file:s0 +/data/vendor/wifi/wlan_logs(/.*)? 
u:object_r:wifi_vendor_log_data_file:s0
+/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
+/data/vendor/wifidump(/.*)? u:object_r:wifidump_vendor_data_file:s0
+/data/vendor/modem_dump(/.*)? u:object_r:modem_dump_file:s0
+/data/vendor/ipa(/.*)? u:object_r:ipa_vendor_data_file:s0
+/data/vendor/sensors(/.*)? u:object_r:sensors_vendor_data_file:s0
+/data/vendor/rfs/mpss(/.*)? u:object_r:mpss_rfs_data_file:s0
+/data/vendor/tombstones/rfs(/.*)? u:object_r:rfs_tombstone_data_file:s0
+/data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0
+/data/vendor/secure_element(/.*)? u:object_r:secure_element_vendor_data_file:s0
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
+/data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0
+/data/vendor/connectivity(/.*)? u:object_r:cnd_data_file:s0
+/data/vendor/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/tui(/.*)? u:object_r:vendor_tui_data_file:s0
+/data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0
+/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+
+# /
+/tombstones u:object_r:rootfs:s0
+# TODO: Remove them once no need to maintain the backward compatibility.
+/dsp(/.*)? u:object_r:adsprpcd_file:s0
+
+/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
+
+# files in firmware
+/vender/firmware_mnt(/.*)? u:object_r:firmware_file:s0
+
+# TODO: Remove them once no need to maintain the backward compatibility. (b/111219177)
+/persist u:object_r:rootfs:s0
+/firmware u:object_r:rootfs:s0
+/dsp u:object_r:rootfs:s0
+
+# /persist
+/mnt/vendor/persist(/.*)? u:object_r:persist_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/mnt/vendor/persist/data(/.*)? u:object_r:persist_data_file:s0
+/mnt/vendor/persist/display(/.*)?
u:object_r:persist_display_file:s0
+/mnt/vendor/persist/drm(/.*)? u:object_r:persist_drm_file:s0
+/mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0
+/mnt/vendor/persist/hlos_rfs(/.*)? u:object_r:persist_rfs_file:s0
+/mnt/vendor/persist/rfs(/.*)? u:object_r:persist_rfs_file:s0
+/mnt/vendor/persist/sensors(/.*)? u:object_r:persist_sensors_file:s0
+/mnt/vendor/persist/time(/.*)? u:object_r:persist_time_file:s0
+
+# b/70518189 vDSO experiments
+/sys/module/vdso/parameters u:object_r:sysfs_vdso:s0
+
+# eSIM
+/sys/firmware/devicetree/base/chosen/cdt/cdb2/esim u:object_r:sysfs_esim:s0
+
+# vendor-provided system HAL
+/system/bin/hw/hardware\.google\.pixelstats@1\.0-service u:object_r:pixelstats_system_exec:s0
diff --git a/sepolicy/vendor/qcom/common/fsck.te b/sepolicy/vendor/qcom/common/fsck.te
new file mode 100644
index 0000000..e27251c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/fsck.te
@@ -0,0 +1,3 @@
+allow fsck proc_version:file r_file_perms;
+allow fsck sysfs_dm:dir search;
+allow fsck sysfs_dm:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/ftmd.te b/sepolicy/vendor/qcom/common/ftmd.te
new file mode 100644
index 0000000..d824dd4
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ftmd.te
@@ -0,0 +1,7 @@
+type ftmd, domain;
+type ftmd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(ftmd)
+')
diff --git a/sepolicy/vendor/qcom/common/gatekeeperd.te b/sepolicy/vendor/qcom/common/gatekeeperd.te
new file mode 100644
index 0000000..f5536d3
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/gatekeeperd.te
@@ -0,0 +1 @@
+typeattribute gatekeeperd system_writes_vendor_properties_violators;
diff --git a/sepolicy/vendor/qcom/common/genfs_contexts b/sepolicy/vendor/qcom/common/genfs_contexts
new file mode 100644
index 0000000..78e3ce6
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/genfs_contexts
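Review bot: In ftmd.te the `type ftmd, domain;` and `type ftmd_exec, ...` declarations are unconditional while the only rule that makes the domain reachable, `init_daemon_domain(ftmd)`, sits inside userdebug_or_eng, so on user builds the types exist but nothing transitions into ftmd and the domain carries no permissions. If the daemon is debug-only, the declarations can move inside the same userdebug_or_eng block so the policy says that explicitly; if it also ships on user builds, a comment should state why it is meant to be unreachable there. A header line naming the binary, in the style of `# policy for /vendor/bin/hw/...` used by hal_drm_clearkey.te in this commit, would also help since the file gives no path.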
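Review bot: The single line `typeattribute gatekeeperd system_writes_vendor_properties_violators;` carries no comment saying which vendor property gatekeeperd writes or why the system/vendor property split cannot be honoured, so a reader cannot tell when this exemption can be retired. The violator attribute is the escape hatch from a neverallow, so the property name and a tracking reference belong next to it, e.g. `# gatekeeperd writes <vendor property name> from the system side; tracked in <PLACEHOLDER-BUG-ID>, drop once the property is moved`. Without that, the exemption will silently outlive the need for it.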
@@ -0,0 +1,143 @@
+genfscon proc /debug/fwdump u:object_r:proc_wifi_dbg:s0
+genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s0
+genfscon proc /ath_pktlog/cld u:object_r:proc_wifi_dbg:s0
+genfscon proc /irq u:object_r:proc_irq:s0
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+genfscon proc /sys/kernel/sched_autogroup_enabled u:object_r:proc_sysctl_autogroup:s0
+genfscon proc /sys/kernel/sched_boost u:object_r:proc_sysctl_schedboost:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,llccbw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /class/devfreq u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu4 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0/devfreq u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4/devfreq u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,llccbw/devfreq u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/soc/888000.i2c/i2c-2/2-0049 u:object_r:sysfs_touch:s0
+
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:0 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:1 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:2 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs
/devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:3 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:4 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/host0/target0:0:0/0:0:0:5 u:object_r:sysfs_scsi_devices_other:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/health u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/version u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+
+genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+
+genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /class/uio u:object_r:sysfs_uio:s0
+genfscon sysfs /devices/platform/soc/894000.i2c u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/188101c.qcom,spss u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_rotator u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/894000.i2c/i2c-3/3-0043/leds u:object_r:sysfs_leds:s0
+genfscon sysfs
/devices/platform/soc/894000.i2c/i2c-3/3-005a/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@4/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/backlight/vr_mode u:object_r:sysfs_lights:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@51/panel_info u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@52/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@52/backlight/vr_mode u:object_r:sysfs_lights:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@52/panel_info u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/soc/5000000.qcom,kgsl-3d0 u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/0.qcom,rmtfs_sharedmem u:object_r:sysfs_rmtfs:s0
+genfscon sysfs /devices/platform/soc/soc:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/virtual/wahoo_laser u:object_r:sysfs_laser:s0
+genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/net u:object_r:sysfs_net:s0
+genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
+genfscon sysfs /module/diagchar/parameters/timestamp_switch
u:object_r:sysfs_timestamp_switch:s0
+genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc0 u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/virtual/misc/mnh_sm u:object_r:sysfs_easel:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0066 u:object_r:sysfs_easel:s0
+genfscon sysfs /devices/platform/soc/ac5a000.qcom,fd u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/soc/ac4a000.qcom,cci u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-000c/a88000.i2c:qcom,smb1355@c:qcom,smb1355-charger@1000/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0061 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/soc/a88000.i2c/i2c-0/0-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/a90000.i2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qpnp,fg u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-03/c440000.qcom,spmi:qcom,pmi8998@3:qcom,leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/backlight/panel0-backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8998@0:qcom,pm8998_rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /bus/msm_subsys u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /module/subsystem_restart u:object_r:sysfs_msm_subsys_restart:s0
+genfscon sysfs /kernel/boot_adsp/boot u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /kernel/boot_slpi/boot
u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /kernel/irq_helper/irq_blacklist_on u:object_r:sysfs_irq:s0
+genfscon sysfs /kernel/wifi/wlan u:object_r:sysfs_msm_wlan:s0
+genfscon sysfs /class/typec u:object_r:sysfs_usb_c:s0
+genfscon sysfs /class/typec/usbc0 u:object_r:sysfs_usb_c:s0
+genfscon sysfs /devices/platform/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb1 u:object_r:sysfs_usb_device:s0
+genfscon sysfs /devices/platform/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb2 u:object_r:sysfs_usb_device:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:sysfs_usb_c:s0
+
+genfscon sysfs /module/diagchar u:object_r:sysfs_diag:s0
+genfscon sysfs /module/msm_poweroff u:object_r:sysfs_poweroff:s0
+
+genfscon sysfs /class/gpio/export u:object_r:sysfs_gpio_export:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8998@0:pinctrl@c000 u:object_r:sysfs_pinctrl:s0
+genfscon sysfs /firmware/devicetree/base/soc/qcom,spmi@c440000/qcom,pm8998@0/pinctrl@c000/ u:object_r:sysfs_pinctrl:s0
+genfscon sysfs /firmware/devicetree/base/soc/i2c@88c000/nq@28/ese/loader_scripts_path u:object_r:sysfs_devicetree_ese:s0
+genfscon sysfs /power/rpmh_stats/master_stats u:object_r:sysfs_rpm:s0
+
+genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
+
+genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_system_sleep_stats:s0
+
+genfscon debugfs /kgsl/proc u:object_r:debugfs_kgsl:s0
+genfscon debugfs /clk/debug_suspend u:object_r:debugfs_clk:s0
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
+genfscon debugfs /mnh_sm u:object_r:debugfs_easel:s0
+
+genfscon debugfs /ion u:object_r:debugfs_ion:s0
+genfscon debugfs /ipc_logging u:object_r:debugfs_ipc:s0
+genfscon debugfs /tcpm/usbpd0 u:object_r:debugfs_usb:s0
+genfscon debugfs /pd_engine/usbpd0 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/tune1
u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/tune2 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/tune3 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/tune4 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/tune5 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/bias_ctrl_1 u:object_r:debugfs_usb:s0
+genfscon debugfs /88e2000.qusb/bias_ctrl_2 u:object_r:debugfs_usb:s0
+genfscon debugfs /ipc_logging/smblib/log u:object_r:debugfs_usb:s0
+genfscon debugfs /msm_ipc_router u:object_r:debugfs_ipc:s0
+genfscon debugfs /mdp u:object_r:debugfs_mdp:s0
+genfscon debugfs /rmt_storage u:object_r:debugfs_rmt_storage:s0
+genfscon debugfs /icnss u:object_r:debugfs_icnss:s0
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon debugfs /ufshcd0 u:object_r:debugfs_ufs:s0
+genfscon debugfs /tzdbg u:object_r:debugfs_tzdbg:s0
+genfscon debugfs /fg/sram u:object_r:debugfs_fg_sram:s0
+genfscon debugfs /pmic-votable u:object_r:debugfs_pmic_votable:s0
+genfscon debugfs /regmap/4-0036 u:object_r:debugfs_maxfg:s0
+genfscon debugfs /regmap/4-000b u:object_r:debugfs_maxfg:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:debugfs_dma_bufinfo:s0
+genfscon debugfs /sched_features u:object_r:debugfs_sched_features:s0
diff --git a/sepolicy/vendor/qcom/common/hal_audio_default.te b/sepolicy/vendor/qcom/common/hal_audio_default.te
new file mode 100644
index 0000000..9b5dc33
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_audio_default.te
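Review bot: Two entries in the genfs_contexts hunk end with a trailing slash, `genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0` and `genfscon sysfs /firmware/devicetree/base/soc/qcom,spmi@c440000/qcom,pm8998@0/pinctrl@c000/ u:object_r:sysfs_pinctrl:s0`, while every other entry in the file gives the bare path. genfscon matches by path prefix, so as far as I can tell the directory node itself (`/devices/virtual/block` without the slash) is not covered by that prefix and keeps whatever less specific sysfs label applies, with only its children taking the new label; a domain that needs to `search` or list the directory would then be denied on the parent. If that split is intentional it deserves a comment; otherwise drop the trailing slash so these two lines behave like the rest of the file.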
@@ -0,0 +1,21 @@
+r_dir_file(hal_audio_default, sysfs_soc)
+
+hal_client_domain(hal_audio_default, hal_power)
+
+userdebug_or_eng(`
+ allow hal_audio diag_device:chr_file rw_file_perms;
+')
+
+# read-only permission to obtain the calibration data
+r_dir_file(hal_audio_default, persist_audio_file);
+allow hal_audio_default mnt_vendor_file:dir search;
+allow hal_audio_default persist_file:dir search;
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+# For interfacing with PowerHAL
+hal_client_domain(hal_audio_default, hal_power)
+
+# Allow hal to take wakelock
+wakelock_use(hal_audio_default)
diff --git a/sepolicy/vendor/qcom/common/hal_bluetooth_default.te b/sepolicy/vendor/qcom/common/hal_bluetooth_default.te
new file mode 100644
index 0000000..acdeaf5
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_bluetooth_default.te
@@ -0,0 +1,19 @@
+allow hal_bluetooth_default bt_device:chr_file rw_file_perms;
+
+# talk to system_server to set priority
+allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;
+allow hal_bluetooth system_server:binder call;
+
+set_prop(hal_bluetooth_default, vendor_bluetooth_prop)
+
+userdebug_or_eng(`
+ allow hal_bluetooth_default diag_device:chr_file rw_file_perms;
+ allow hal_bluetooth_default ramdump_vendor_data_file:dir w_dir_perms;
+ allow hal_bluetooth_default ramdump_vendor_data_file:file { create w_file_perms };
+ allow hal_bluetooth_default sysfs_timestamp_switch:file r_file_perms;
+ r_dir_file(hal_bluetooth_default, debugfs_ipc)
+ r_dir_file(hal_bluetooth_default, sysfs_diag)
+ set_prop(hal_bluetooth_default, vendor_ssr_prop)
+')
+
+dontaudit hal_bluetooth_default diag_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_bootctl.te b/sepolicy/vendor/qcom/common/hal_bootctl.te
new file mode 100644
index 0000000..68428a4
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_bootctl.te
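Review bot: `hal_client_domain(hal_audio_default, hal_power)` appears twice in hal_audio_default.te, once as the third line with no comment and again under `# For interfacing with PowerHAL`; the first copy should go. Separately, the userdebug_or_eng block grants `allow hal_audio diag_device:chr_file rw_file_perms;` to the hal_audio attribute while every other rule in the file targets the concrete hal_audio_default type, so the diag device is opened to every domain carrying that attribute rather than to this HAL alone. Narrow it to `allow hal_audio_default diag_device:chr_file rw_file_perms;` unless the wider scope is intended, in which case a comment should say so.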
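Review bot: In hal_bluetooth_default.te the two rules under `# talk to system_server to set priority` are written against the hal_bluetooth attribute (`allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;` and `allow hal_bluetooth system_server:binder call;`) while the rest of the file, including the debug block, uses hal_bluetooth_default. Binder calls into system_server are thereby granted to every domain that carries the attribute, not just this implementation; if only the default HAL needs them, use `hal_bluetooth_default` as the source on both lines, and if the attribute is deliberate a comment should record that. The closing `dontaudit hal_bluetooth_default diag_device:chr_file rw_file_perms;` is presumably there to keep user builds quiet where the userdebug_or_eng allow above does not apply; a comment such as `# user builds: silence the diag probe the allow above covers on userdebug/eng` would make that pairing explicit.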
@@ -0,0 +1,28 @@
+# These are the permissions required to use the boot_control HAL implemented
+# here: hardware/qcom/bootctrl/boot_control.c
+
+# Getting and setting GPT attributes for the bootloader iterates over all the
+# partition names in the block_device directory /dev/block/.../by-name
+allow hal_bootctl block_device:dir r_dir_perms;
+
+# Edit the attributes stored in the GPT.
+allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
+allow hal_bootctl ab_block_device:blk_file getattr;
+allow hal_bootctl boot_block_device:blk_file rw_file_perms;
+allow hal_bootctl modem_block_device:blk_file getattr;
+allow hal_bootctl system_block_device:blk_file getattr;
+allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
+
+# Access /dev/sgN devices (generic SCSI) to write the
+# A/B slot selection for the XBL partition. Allow also to issue a
+# UFS_IOCTL_QUERY ioctl.
+allow hal_bootctl sg_device:chr_file rw_file_perms;
+allow hal_bootctl self:capability sys_admin;
+allow hal_bootctl tmpfs:lnk_file r_file_perms;
+
+# Read the sysfs to lookup what /dev/sgN device
+# corresponds to the XBL partitions.
+allow hal_bootctl sysfs_type:dir r_dir_perms;
+
+# Write to the XBL devices.
+allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_camera.te b/sepolicy/vendor/qcom/common/hal_camera.te
new file mode 100644
index 0000000..0f4e690
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_camera.te
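Review bot: `allow hal_bootctl self:capability sys_admin;` is the broadest grant in hal_bootctl.te and the comment above it only explains the UFS_IOCTL_QUERY ioctl on the sg device; since `allow hal_bootctl sg_device:chr_file rw_file_perms;` also carries an unrestricted ioctl permission, an `allowxperm hal_bootctl sg_device:chr_file ioctl { ... }` line listing only the commands the HAL issues (taken from the boot_control.c source the header names, not guessed) would bound the ioctl surface that sys_admin is being granted for. The file also mixes the hal_bootctl attribute with hal_bootctl_server on the misc_block_device line; if hal_bootctl is the shared client/server attribute as in the AOSP hal_attribute scheme, the raw blk_file, sg_device and capability rules above reach HAL clients as well, and should probably use hal_bootctl_server like the misc_block_device rule does. Finally, `allow hal_bootctl sysfs_type:dir r_dir_perms;` grants directory reads across all of sysfs for what the comment describes as a single lookup; a comment naming the path walked, or a dedicated sysfs label for it, would keep this in line with the narrow labels used elsewhere in the commit.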
@@ -0,0 +1,60 @@
+allow hal_camera self:capability sys_nice;
+
+# communicate with camera
+#allow hal_camera camera:unix_dgram_socket sendto;
+#allow hal_camera camera_data_file:sock_file write;
+#allow hal_camera camera_device:chr_file rw_file_perms;
+
+allow hal_camera gpu_device:chr_file rw_file_perms;
+
+# access to /dev/input/event{5,10}
+allow hal_camera input_device:dir r_dir_perms;
+allow hal_camera input_device:chr_file r_file_perms;
+
+set_prop(hal_camera, vendor_camera_prop)
+
+#allow hal_camera sysfs_enable_ps_sensor:file w_file_perms;
+r_dir_file(hal_camera, sysfs_type)
+# find libraries
+allow hal_camera system_file:dir r_dir_perms;
+
+allow hal_camera qdisplay_service:service_manager find;
+
+allow hal_camera_default mnt_vendor_file:lnk_file r_file_perms;
+allow hal_camera_default mnt_vendor_file:dir r_dir_perms;
+
+# access vd6281 rainbow sensor files
+allow hal_camera sysfs_camera:dir search;
+allow hal_camera sysfs_camera:file rw_file_perms;
+allow hal_camera audio_device:dir search;
+
+# talk to system_server
+
+allow hal_camera system_server:unix_stream_socket { read write };
+
+allow hal_camera self:socket { create ioctl read write };
+
+# allow hal_camera to call some socket ioctls
+allowxperm hal_camera self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER IPC_ROUTER_IOCTL_BIND_CONTROL_PORT };
+
+# ignore spurious denial
+dontaudit hal_camera graphics_device:dir search;
+
+allow hal_camera camera_vendor_data_file:dir rw_dir_perms;
+allow hal_camera camera_vendor_data_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow hal_camera diag_device:chr_file rw_file_perms;
+')
+
+# access easel dev nodes
+allow hal_camera easel_device:chr_file rw_file_perms;
+allow hal_camera sysfs_easel:file rw_file_perms;
+
+# access hexagon
+allow hal_camera qdsp_device:chr_file r_file_perms;
+
+#dual front lens calibration file
+allow hal_camera persist_file:dir search;
+allow hal_camera persist_camera_file:dir search;
+allow hal_camera
persist_camera_file:file { getattr open read };
diff --git a/sepolicy/vendor/qcom/common/hal_camera_default.te b/sepolicy/vendor/qcom/common/hal_camera_default.te
new file mode 100644
index 0000000..bee51fe
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_camera_default.te
@@ -0,0 +1,36 @@
+allow hal_camera_default input_device:dir r_dir_perms;
+
+allow hal_camera_default sysfs_laser:file w_file_perms;
+vndbinder_use(hal_camera_default);
+allow hal_camera_default qdisplay_service:service_manager { find };
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager find;
+
+binder_call(hal_camera_default, hal_graphics_composer)
+binder_call(hal_camera_default, system_server)
+binder_call(hal_camera_default, hal_graphics_allocator)
+
+# For camera team debugging
+userdebug_or_eng(`
+ allow hal_camera_default camera_vendor_data_file:dir create_dir_perms;
+ allow hal_camera_default camera_vendor_data_file:file create_file_perms;
+')
+
+# For interfacing with PowerHAL
+hal_client_domain(hal_camera_default, hal_power)
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_camera_default, hal_thermal)
+
+# For boot time GPU access (b/111370628)
+hal_client_domain(hal_camera_default, hal_configstore)
+
+allow hal_camera_default proc_stat:file r_file_perms;
+
+allow hal_camera_default hal_paintbox_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, easel)
+
+dontaudit hal_camera_default kernel:system module_request;
+
+dontaudit hal_camera_default vendor_display_prop:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_cas_default.te b/sepolicy/vendor/qcom/common/hal_cas_default.te
new file mode 100644
index 0000000..1fb5d35
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_cas_default.te
@@ -0,0 +1,2 @@
+# Allow CAS HAL to use vendor-binder service
+vndbinder_use(hal_cas_default);
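Review bot: Four rules in hal_camera.te are shipped commented out (`#allow hal_camera camera:unix_dgram_socket sendto;`, the two lines following it, and `#allow hal_camera sysfs_enable_ps_sensor:file w_file_perms;`); dead policy lines should be deleted rather than committed, since a later reader cannot tell whether they are pending, obsolete, or deliberately withheld. The file also alternates between the hal_camera attribute and the hal_camera_default type (the two `mnt_vendor_file` rules) with no comment explaining which rules are meant to apply to every camera HAL implementation and which to this one; pick one source per file unless the split is intentional and say so. `r_dir_file(hal_camera, sysfs_type)` additionally opens read access to all of sysfs to every camera HAL domain while the rest of the file grants specific labels such as `sysfs_camera` and `sysfs_easel`; a comment naming the node that needs the broad grant, or a narrower label for it, would be the least-privilege choice.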
diff --git a/sepolicy/vendor/qcom/common/hal_contexthub.te b/sepolicy/vendor/qcom/common/hal_contexthub.te
new file mode 100644
index 0000000..10c5d53
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
diff --git a/sepolicy/vendor/qcom/common/hal_drm_clearkey.te b/sepolicy/vendor/qcom/common/hal_drm_clearkey.te
new file mode 100644
index 0000000..976b9fa
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_drm_clearkey.te
@@ -0,0 +1,11 @@
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/sepolicy/vendor/qcom/common/hal_drm_default.te b/sepolicy/vendor/qcom/common/hal_drm_default.te
new file mode 100644
index 0000000..3781f12
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_drm_default.te
@@ -0,0 +1 @@
+allow hal_drm_default vndbinder_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_drm_widevine.te b/sepolicy/vendor/qcom/common/hal_drm_widevine.te
new file mode 100644
index 0000000..67bf293
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_drm_widevine.te
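Review bot: `allow hal_drm_default vndbinder_device:chr_file rw_file_perms;` in hal_drm_default.te spells out by hand what the neighbouring new files express as `vndbinder_use(...)` (hal_cas_default.te and hal_drm_clearkey.te in this same commit); the macro is the project's documented way to grant vndbinder access and may carry companion rules the raw allow omits, so the hand-written line is both inconsistent and possibly incomplete. Replace it with `vndbinder_use(hal_drm_default)`.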
@@ -0,0 +1,17 @@
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.widevine
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+vndbinder_use(hal_drm_widevine);
+
+allow hal_drm mediacodec:fd use;
+allow hal_drm { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine hal_allocator_server:fd use;
+
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_dumpstate_impl.te b/sepolicy/vendor/qcom/common/hal_dumpstate_impl.te
new file mode 100644
index 0000000..2780dcf
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_dumpstate_impl.te
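Review bot: `allow hal_drm mediacodec:fd use;` and `allow hal_drm { appdomain -isolated_app }:fd use;` are written against the hal_drm attribute inside a file that otherwise scopes every rule to hal_drm_widevine, so the fd-use grants reach every hal_drm domain, including hal_drm_clearkey (which already carries its own identical appdomain rule in this commit) and hal_drm_default. If only the widevine service needs them, use `hal_drm_widevine` as the source on both lines; if all DRM HAL servers do, the two rules belong in a shared file with a comment saying so and the duplicate in hal_drm_clearkey.te can be dropped.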
@@ -0,0 +1,124 @@
+type hal_dumpstate_impl, domain;
+hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
+
+type hal_dumpstate_impl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_dumpstate_impl)
+
+# Execute dump scripts from vendor partition
+allow hal_dumpstate_impl vendor_shell_exec:file rx_file_perms;
+allow hal_dumpstate_impl vendor_toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ # smlog_dump
+ domain_auto_trans(hal_dumpstate_impl, smlog_dump_exec, smlog_dump)
+ allow hal_dumpstate_impl modem_dump_file:dir create_dir_perms;
+ allow hal_dumpstate_impl modem_dump_file:file create_file_perms;
+ allow hal_dumpstate_impl radio_vendor_data_file:dir r_dir_perms;
+ allow hal_dumpstate_impl radio_vendor_data_file:file r_file_perms;
+ allow hal_dumpstate_impl netmgr_data_file:dir r_dir_perms;
+ allow hal_dumpstate_impl netmgr_data_file:file r_file_perms;
+ allow hal_dumpstate_impl debugfs_ipc:dir r_dir_perms;
+ allow hal_dumpstate_impl debugfs_ipc:file r_file_perms;
+ allow hal_dumpstate_impl debugfs_tzdbg:dir search;
+ allow hal_dumpstate_impl debugfs_tzdbg:file r_file_perms;
+ allow hal_dumpstate_impl sysfs_usb_device:dir r_dir_perms;
+ allow hal_dumpstate_impl sysfs_usb_device:file r_file_perms;
+ allow hal_dumpstate_impl ssr_log_file:dir search;
+ allow hal_dumpstate_impl ssr_log_file:file r_file_perms;
+ allow hal_dumpstate_impl sysfs_esim:file r_file_perms;
+
+ set_prop(hal_dumpstate_impl, vendor_modem_diag_prop)
+')
+
+allow hal_dumpstate_impl modem_stat_data_file:file r_file_perms;
+
+allow hal_dumpstate_impl uio_device:chr_file rw_file_perms;
+r_dir_file(hal_dumpstate_impl, sysfs_uio)
+r_dir_file(hal_dumpstate_impl, sysfs_rmtfs)
+r_dir_file(hal_dumpstate_impl, sysfs_msm_subsys)
+r_dir_file(hal_dumpstate_impl, sysfs_soc)
+r_dir_file(hal_dumpstate_impl, sysfs_thermal)
+r_dir_file(hal_dumpstate_impl, sysfs_easel)
+
+allow hal_dumpstate_impl sysfs_thermal:dir search;
+allow hal_dumpstate_impl sysfs_thermal:file r_file_perms;
+allow
hal_dumpstate_impl sysfs_rpm:file r_file_perms;
+allow hal_dumpstate_impl sysfs_system_sleep_stats:file r_file_perms;
+
+allow hal_dumpstate_impl debugfs_ion:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_ion:file r_file_perms;
+allow hal_dumpstate_impl debugfs_wlan:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_wlan:file r_file_perms;
+allow hal_dumpstate_impl debugfs_icnss:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_icnss:file r_file_perms;
+allow hal_dumpstate_impl debugfs_ipc:file r_file_perms;
+allow hal_dumpstate_impl debugfs_f2fs:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_f2fs:file r_file_perms;
+allow hal_dumpstate_impl debugfs_ufs:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_ufs:file r_file_perms;
+allow hal_dumpstate_impl proc_stat:file r_file_perms;
+allow hal_dumpstate_impl proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_impl proc_f2fs:file r_file_perms;
+
+# Access to files for dumping
+allow hal_dumpstate_impl sysfs:dir r_dir_perms;
+# usb logs
+allow hal_dumpstate_impl debugfs_usb:file r_file_perms;
+
+#Access display debug data
+allow hal_dumpstate_impl display_vendor_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl display_vendor_data_file:file r_file_perms;
+
+# Access to touch firmware info
+allow hal_dumpstate_impl sysfs_touch:dir r_dir_perms;
+allow hal_dumpstate_impl sysfs_touch:file rw_file_perms;
+
+# Access to touch proc node
+allow hal_dumpstate_impl proc_touch:file rw_file_perms;
+
+# Access to WLC firmware info
+allow hal_dumpstate_impl sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_impl sysfs_wlc:file r_file_perms;
+
+# Access to UFS info
+allow hal_dumpstate_impl sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_impl sysfs_scsi_devices_0000:file r_file_perms;
+
+# Access to MPSS RFS info
+userdebug_or_eng(`
+allow hal_dumpstate_impl mpss_rfs_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl mpss_rfs_data_file:file r_file_perms;
+')
+
+# For collecting bugreports.
+allow hal_dumpstate_impl shell_data_file:file getattr;
+allow hal_dumpstate_impl sysfs_system_sleep_stats:file r_file_perms;
+# For '/vendor/bin/sh -c getprop | grep vendor.sys.modem.diag'
+allow hal_dumpstate_impl vendor_file:file execute_no_trans;
+userdebug_or_eng(`allow hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;')
+dontaudit hal_dumpstate_impl debugfs_dma_bufinfo:file r_file_perms;
+
+# Query and dump power supply nodes
+allow hal_dumpstate_impl sysfs_batteryinfo:dir search;
+allow hal_dumpstate_impl sysfs_batteryinfo:file r_file_perms;
+
+# Dump QCOM FG content
+allow hal_dumpstate_impl debugfs_fg_sram:dir search;
+allow hal_dumpstate_impl debugfs_fg_sram:file rw_file_perms;
+
+# Dump Maxim FG content
+allow hal_dumpstate_impl debugfs_maxfg:dir search;
+allow hal_dumpstate_impl debugfs_maxfg:file r_file_perms;
+allow hal_dumpstate_impl tmpfs:dir search;
+allow hal_dumpstate_impl maxfg_device:chr_file r_file_perms;
+
+# Dump PMIC votables
+allow hal_dumpstate_impl debugfs_pmic_votable:dir r_dir_perms;
+allow hal_dumpstate_impl debugfs_pmic_votable:file r_file_perms;
+
+userdebug_or_eng(`
+ # Citadel communication must be via citadeld
+ vndbinder_use(hal_dumpstate_impl)
+ binder_call(hal_dumpstate_impl, citadeld)
+ allow hal_dumpstate_impl citadeld_service:service_manager find;
+')
diff --git a/sepolicy/vendor/qcom/common/hal_fingerprint.te b/sepolicy/vendor/qcom/common/hal_fingerprint.te
new file mode 100644
index 0000000..0f8d65c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_fingerprint.te
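Review bot: Three rules in hal_dumpstate_impl.te grant write access to a service whose purpose is to read and dump state: `allow hal_dumpstate_impl sysfs_touch:file rw_file_perms;`, `allow hal_dumpstate_impl proc_touch:file rw_file_perms;` and `allow hal_dumpstate_impl debugfs_fg_sram:file rw_file_perms;`, while the comments above them (`# Access to touch firmware info`, `# Dump QCOM FG content`) describe only reads. If a write is genuinely required to trigger the dump on those nodes, the comment should say which write and why; otherwise these should be `r_file_perms` like the neighbouring rules, since a dumpstate bug otherwise becomes a path to altering touch-controller or fuel-gauge state. `allow hal_dumpstate_impl sysfs_system_sleep_stats:file r_file_perms;` also appears twice in the hunk, once after the sysfs_rpm rule and again under `# For collecting bugreports.`; the second copy can be removed.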
@@ -0,0 +1,15 @@
+allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint sysfs_msm_subsys:dir search;
+allow hal_fingerprint sysfs_msm_subsys:file r_file_perms;
+allow hal_fingerprint sysfs_camera:dir search;
+allow hal_fingerprint sysfs_camera:file r_file_perms;
+allow hal_fingerprint sysfs_leds:dir search;
+allow hal_fingerprint sysfs_leds:file r_file_perms;
+allow hal_fingerprint sysfs_pinctrl:dir search;
+allow hal_fingerprint sysfs_pinctrl:file r_file_perms;
+
+allow hal_fingerprint tee_device:file rw_file_perms;
+allow hal_fingerprint tee_device:chr_file rw_file_perms;
+allow hal_fingerprint uhid_device:chr_file rw_file_perms;
+
diff --git a/sepolicy/vendor/qcom/common/hal_gatekeeper.te b/sepolicy/vendor/qcom/common/hal_gatekeeper.te
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_gatekeeper.te
diff --git a/sepolicy/vendor/qcom/common/hal_gatekeeper_qti.te b/sepolicy/vendor/qcom/common/hal_gatekeeper_qti.te
new file mode 100644
index 0000000..27b3511
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_gatekeeper_qti.te
@@ -0,0 +1,7 @@
+type hal_gatekeeper_qti, domain;
+hal_server_domain(hal_gatekeeper_qti, hal_gatekeeper)
+
+type hal_gatekeeper_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gatekeeper_qti)
+
+get_prop(hal_gatekeeper_qti, vendor_tee_listener_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_gnss_qti.te b/sepolicy/vendor/qcom/common/hal_gnss_qti.te
new file mode 100644
index 0000000..bdd76f1
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_gnss_qti.te
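Review bot: `allow hal_fingerprint tee_device:file rw_file_perms;` immediately followed by the same grant on `tee_device:chr_file` looks like one rule too many: a TEE device node is presumably a character device, so the `file` class rule would never be exercised and should be dropped unless some regular file really carries the tee_device label. `allow hal_fingerprint uhid_device:chr_file rw_file_perms;` lets the fingerprint HAL create virtual input devices through uhid, which is a sensitive capability for a domain that also holds the TEE device open; a comment such as `# uhid: <what the HAL injects and why>` would let reviewers judge whether it is still needed. The file also applies rw_file_perms to `sysfs_fingerprint:file` without saying which attribute is written, where the other sysfs rules are read-only.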
@@ -0,0 +1,38 @@
+type hal_gnss_qti, domain;
+hal_server_domain(hal_gnss_qti, hal_gnss)
+
+type hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_gnss_qti)
+
+r_dir_file(hal_gnss_qti, sysfs_msm_subsys)
+
+vndbinder_use(hal_gnss_qti)
+
+allow hal_gnss_qti sysfs_soc:dir r_dir_perms;
+allow hal_gnss_qti sysfs_soc:file r_file_perms;
+
+binder_call(hal_gnss_qti, per_mgr)
+allow hal_gnss_qti per_mgr_service:service_manager find;
+
+# /data/vendor/location
+allow hal_gnss_qti location_data_file:dir create_dir_perms;
+allow hal_gnss_qti location_data_file:sock_file { create unlink write};
+allow hal_gnss_qti location_data_file:file create_file_perms;
+
+# /dev/socket/location
+allow hal_gnss_qti location_socket:sock_file create_file_perms;
+allow hal_gnss_qti location_socket:dir rw_dir_perms;
+
+# xtra/socket_xtra
+allow hal_gnss_qti location:unix_dgram_socket sendto;
+
+allow hal_gnss_qti self:socket create_socket_perms;
+allowxperm hal_gnss_qti self:socket ioctl msm_sock_ipc_ioctls;
+
+unix_socket_connect(hal_gnss_qti, netmgrd, netmgrd)
+allow hal_gnss_qti netmgrd_socket:dir search;
+
+allow hal_gnss_qti self:netlink_generic_socket { bind create read };
+allow hal_gnss_qti self:netlink_route_socket { bind create nlmsg_read read write };
+
+dontaudit hal_gnss_qti kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/hal_graphics_allocator_default.te b/sepolicy/vendor/qcom/common/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..646fc81
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+dontaudit hal_graphics_allocator_default vendor_display_prop:file r_file_perms;
+
diff --git a/sepolicy/vendor/qcom/common/hal_graphics_composer_default.te b/sepolicy/vendor/qcom/common/hal_graphics_composer_default.te
new file mode 100644
index 0000000..50815e2
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_graphics_composer_default.te
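Review bot: `allow hal_gnss_qti location_data_file:sock_file { create unlink write};` is missing the space before the closing brace that every other permission set in this change uses; `{ create unlink write };` keeps the file greppable with the rest of the tree. The two netlink rules at the end of the file are the only ones here spelled out as explicit sets rather than a `create_socket_perms*` macro, which is fine as a minimal grant but merits a short comment saying which netmgrd/xtra interaction needs `nlmsg_read` on the route socket.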
@@ -0,0 +1,57 @@
+# Binder access (for display.qservice)
+vndbinder_use(hal_graphics_composer_default)
+allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
+
+allow hal_graphics_composer_default sysfs_camera:dir search;
+allow hal_graphics_composer_default sysfs_camera:file r_file_perms;
+allow hal_graphics_composer_default sysfs_msm_subsys:dir search;
+allow hal_graphics_composer_default sysfs_msm_subsys:file r_file_perms;
+allow hal_graphics_composer_default sysfs_mdss_mdp_caps:file r_file_perms;
+allow hal_graphics_composer_default persist_file:dir search;
+
+# Allow dir search in '/mnt/vendor'
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default mnt_vendor_file:file r_file_perms;
+
+# Allow dir search in '/mnt/vendor/persist/display(/.*)?'
+allow hal_graphics_composer_default persist_display_file:dir r_dir_perms;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+
+# Allow dir search in '/oem'
+allow hal_graphics_composer_default oemfs:dir r_dir_perms;
+
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+r_dir_file(hal_graphics_composer_default, sysfs_leds)
+
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+
+# HWC_UeventThread
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access /sys/devices/virtual/graphics/fb0
+r_dir_file(hal_graphics_composer_default, sysfs_type)
+
+allow hal_graphics_composer_default display_vendor_data_file:dir create_dir_perms;
+allow hal_graphics_composer_default display_vendor_data_file:file create_file_perms;
+
+# Rule for pps socket usage
+unix_socket_connect(hal_graphics_composer_default, pps, mm-pp-daemon)
+
+# allow composer to register display config
+add_hwservice(hal_graphics_composer_default, 
hal_display_config_hwservice);
+
+userdebug_or_eng(`
+ allow hal_graphics_composer_default debugfs_mdp:dir r_dir_perms;
+ allow hal_graphics_composer_default debugfs_mdp:file r_file_perms;
+')
+
+dontaudit hal_graphics_composer_default kernel:system module_request;
+
+dontaudit hal_graphics_composer_default vendor_display_prop:file r_file_perms;
+
+#allow composer access hal_light
+hal_client_domain(hal_graphics_composer_default, hal_light);
+allow hal_graphics_composer_default hal_light_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/qcom/common/hal_imsrtp.te b/sepolicy/vendor/qcom/common/hal_imsrtp.te
new file mode 100644
index 0000000..1ad890c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_imsrtp.te
@@ -0,0 +1,34 @@
+#ims rtp service
+type hal_imsrtp, domain;
+type hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_imsrtp)
+net_domain(hal_imsrtp)
+
+hwbinder_use(hal_imsrtp)
+get_prop(hal_imsrtp, hwservicemanager_prop)
+add_hwservice(hal_imsrtp, hal_imsrtp_hwservice)
+
+allow hal_imsrtp self:socket create_socket_perms;
+unix_socket_connect(hal_imsrtp, ims, ims)
+
+allow hal_imsrtp sysfs_timestamp_switch:file r_file_perms;
+
+# ioctlcmd=c302
+allowxperm hal_imsrtp self:socket ioctl msm_sock_ipc_ioctls;
+
+allow hal_imsrtp self:capability net_bind_service;
+
+allow hal_imsrtp sysfs_timestamp_switch:file r_file_perms;
+allow hal_imsrtp ion_device:chr_file r_file_perms;
+allow hal_imsrtp sysfs_data:file r_file_perms;
+r_dir_file(hal_imsrtp, sysfs_msm_subsys)
+r_dir_file(hal_imsrtp, sysfs_diag)
+r_dir_file(hal_imsrtp, sysfs_soc)
+
+allow hal_imsrtp ion_device:chr_file r_file_perms;
+get_prop(hal_imsrtp, ims_prop)
+binder_call(hal_imsrtp, radio)
+
+dontaudit hal_imsrtp kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/hal_keymaster_qti.te b/sepolicy/vendor/qcom/common/hal_keymaster_qti.te
new file mode 100644
index 0000000..50a284c
--- /dev/null
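Review bot: `r_dir_file(hal_graphics_composer_default, sysfs_type)` under `# Access /sys/devices/virtual/graphics/fb0` grants read on every label carrying the sysfs_type attribute, i.e. all of sysfs, far wider than the single path the comment names; this tree already uses a dedicated `sysfs_graphics` label for hal_light and hal_power_default, so `r_dir_file(hal_graphics_composer_default, sysfs_graphics)` would keep the composer at least-privilege — confirm against the file_contexts entry for fb0 first. Separately, `hal_client_domain(hal_graphics_composer_default, hal_light);` carries a trailing semicolon that the macro does not need and no other macro call in this file has; the same stray `;` appears on `r_dir_file(hal_sensors_default, sysfs_msm_subsys);` in hal_sensors_default.te and `init_daemon_domain(hal_tui_comm);` in hal_tui_comm.te. The `add_hwservice(hal_graphics_composer_default, hal_display_config_hwservice)` call also appears split across two lines in this rendering; the committed file should carry it on one line.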
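Review bot: `allow hal_imsrtp sysfs_timestamp_switch:file r_file_perms;` and `allow hal_imsrtp ion_device:chr_file r_file_perms;` are each declared twice in hal_imsrtp.te — once right after `unix_socket_connect(hal_imsrtp, ims, ims)` and again in the block following `net_bind_service`; drop the second copy of each so the file reads as a single allow-list. Duplicates are harmless to the compiled policy but make later diffs of granted permissions noisier than they need to be.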
+++ b/sepolicy/vendor/qcom/common/hal_keymaster_qti.te
@@ -0,0 +1,9 @@
+type hal_keymaster_qti, domain;
+hal_server_domain(hal_keymaster_qti, hal_keymaster)
+
+type hal_keymaster_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymaster_qti)
+
+get_prop(hal_keymaster_qti, vendor_tee_listener_prop)
+get_prop(hal_keymaster_qti, vendor_security_patch_level_prop)
+
diff --git a/sepolicy/vendor/qcom/common/hal_light.te b/sepolicy/vendor/qcom/common/hal_light.te
new file mode 100644
index 0000000..966b257
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_light.te
@@ -0,0 +1,4 @@
+allow hal_light sysfs_graphics:dir search;
+allow hal_light sysfs_graphics:file rw_file_perms;
+allow hal_light sysfs_lights:dir search;
+allow hal_light sysfs_lights:file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hal_light_default.te b/sepolicy/vendor/qcom/common/hal_light_default.te
new file mode 100644
index 0000000..b7de530
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/vendor/qcom/common/hal_memtrack_default.te b/sepolicy/vendor/qcom/common/hal_memtrack_default.te
new file mode 100644
index 0000000..4ffa74c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_memtrack_default.te
@@ -0,0 +1 @@
+allow hal_memtrack_default debugfs_kgsl:file { open read getattr };
diff --git a/sepolicy/vendor/qcom/common/hal_neuralnetworks_paintbox.te b/sepolicy/vendor/qcom/common/hal_neuralnetworks_paintbox.te
new file mode 100644
index 0000000..a9eb274
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_neuralnetworks_paintbox.te
@@ -0,0 +1,16 @@
+type hal_neuralnetworks_paintbox, domain;
+hal_server_domain(hal_neuralnetworks_paintbox, hal_neuralnetworks)
+
+type hal_neuralnetworks_paintbox_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_paintbox)
+
+allow hal_neuralnetworks_paintbox hal_paintbox_hwservice:hwservice_manager find;
+
+allow hal_neuralnetworks_paintbox proc_stat:file r_file_perms;
+allow hal_neuralnetworks_paintbox easel_device:chr_file rw_file_perms;
+
+# allow hal_neuralnetworks_paintbox to use ION buffer
+allow hal_neuralnetworks_paintbox hal_graphics_allocator_default:fd use;
+allow hal_neuralnetworks_paintbox ion_device:chr_file r_file_perms;
+
+binder_call(hal_neuralnetworks_paintbox, easel)
diff --git a/sepolicy/vendor/qcom/common/hal_nfc_default.te b/sepolicy/vendor/qcom/common/hal_nfc_default.te
new file mode 100644
index 0000000..48f6d90
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_nfc_default.te
@@ -0,0 +1,9 @@
+# Data file accesses.
+allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+allow hal_nfc_default hal_secure_element_default:binder call;
+
+allow hal_nfc_default nxpese_hwservice:hwservice_manager find;
+add_hwservice(hal_nfc_default, nxpnfc_hwservice)
+get_prop(hal_nfc_default, persist_nfc_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_power_default.te b/sepolicy/vendor/qcom/common/hal_power_default.te
new file mode 100644
index 0000000..7d90ebc
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_power_default.te
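Review bot: `allow hal_nfc_default hal_secure_element_default:binder call;` in hal_nfc_default.te is the only hand-written binder rule in this change; every other cross-domain Binder grant here uses `binder_call(src, dst)`, which also covers the `transfer` permission needed when a Binder object is handed over in the transaction. Unless a one-way `call` grant is deliberate, `binder_call(hal_nfc_default, hal_secure_element_default)` would be consistent with the rest of the tree and avoid a follow-up denial on `transfer`; if it is deliberate, a one-line comment saying so would stop the next reviewer from "fixing" it.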
@@ -0,0 +1,28 @@
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file r_file_perms;
+
+allow hal_power_default sysfs_rpm:file r_file_perms;
+allow hal_power_default sysfs_system_sleep_stats:file r_file_perms;
+
+allow hal_power_default debugfs_wlan:dir r_dir_perms;
+allow hal_power_default debugfs_wlan:file r_file_perms;
+
+allow hal_power_default debugfs_easel:dir search;
+allow hal_power_default debugfs_easel:file r_file_perms;
+
+# To do powerhint on nodes defined in powerhint.json
+allow hal_power_default sysfs_msm_subsys:dir search;
+allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_power_default latency_device:chr_file rw_file_perms;
+allow hal_power_default cgroup:dir search;
+allow hal_power_default cgroup:file rw_file_perms;
+allow hal_power_default debugfs_sched_features:file rw_file_perms;
+allow hal_power_default proc_sysctl_schedboost:file rw_file_perms;
+
+# Allow power hal to talk to mm-pp-daemon to control display lpm
+allow hal_power_default mm-pp-daemon:unix_stream_socket connectto;
+allow hal_power_default pps_socket:sock_file write;
+
+# To get/set powerhal state property
+set_prop(hal_power_default, power_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_radioext_default.te b/sepolicy/vendor/qcom/common/hal_radioext_default.te
new file mode 100644
index 0000000..795d823
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_radioext_default.te
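Review bot: the pair `allow hal_power_default mm-pp-daemon:unix_stream_socket connectto;` / `allow hal_power_default pps_socket:sock_file write;` spells out by hand what hal_graphics_composer_default.te in this same change expresses as `unix_socket_connect(hal_graphics_composer_default, pps, mm-pp-daemon)`; writing `unix_socket_connect(hal_power_default, pps, mm-pp-daemon)` keeps the two consumers of the pps socket in step and makes a later rename of the socket label a one-place change. The block under `# To do powerhint on nodes defined in powerhint.json` also grants rw on `cgroup:file`, `debugfs_sched_features` and `proc_sysctl_schedboost`, which reach well beyond sysfs hint nodes; a short comment naming the hint that needs each would make a later least-privilege pass possible without guessing.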
@@ -0,0 +1,24 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+binder_call(hal_radioext_default, radio)
+
+r_dir_file(hal_radioext_default, sysfs_msm_subsys)
+
+allow hal_radioext_default self:socket create_socket_perms;
+allow hal_radioext_default sysfs_soc:dir search;
+allow hal_radioext_default sysfs_soc:file r_file_perms;
+allowxperm hal_radioext_default self:socket ioctl msm_sock_ipc_ioctls;
+
+userdebug_or_eng(`
+ allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+ allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+')
+
+allow hal_radioext_default modem_stat_data_file:file create_file_perms;
+
+dontaudit hal_radioext_default kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/hal_rcsservice.te b/sepolicy/vendor/qcom/common/hal_rcsservice.te
new file mode 100644
index 0000000..13c4b13
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_rcsservice.te
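Review bot: `allow hal_radioext_default modem_stat_data_file:file create_file_perms;` sits outside the `userdebug_or_eng` block while the neighbouring `radio_vendor_data_file` writes are debug-only, and there is no matching `modem_stat_data_file:dir` rule, so the `create` permission can only take effect if the parent directory carries a different label; either add the `:dir` rule the daemon actually needs or trim this to the permissions seen in denials. A one-line comment naming the path this label covers would also make the intent reviewable without opening file_contexts.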
@@ -0,0 +1,44 @@
+type hal_rcsservice, domain;
+type hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(hal_rcsservice)
+net_domain(hal_rcsservice)
+
+get_prop(hal_rcsservice, hwservicemanager_prop)
+
+# To register imsrcsd to hwBinder
+hwbinder_use(hal_rcsservice)
+# add IUceSerive and IService to Hidl interface
+add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
+add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice)
+
+get_prop(hal_rcsservice, ims_prop)
+
+get_prop(hal_rcsservice, hwservicemanager_prop)
+
+# allow hal to read sysfs file
+r_dir_file(hal_rcsservice, sysfs_msm_subsys)
+r_dir_file(hal_rcsservice, sysfs_diag)
+r_dir_file(hal_rcsservice, sysfs_soc)
+
+allow hal_rcsservice sysfs_timestamp_switch:file r_file_perms;
+
+#required for socket creation
+unix_socket_connect(hal_rcsservice, ims, ims)
+allow hal_rcsservice self:socket create_socket_perms;
+allowxperm hal_rcsservice self:socket ioctl msm_sock_ipc_ioctls;
+
+# imsrcsd to bind with UceShimService.apk
+binder_call(hal_rcsservice, dataservice_app)
+
+# imsrcsd needs read/write access to devpts
+allow hal_rcsservice devpts:chr_file rw_file_perms;
+
+# allow imsrcsd capabilities
+wakelock_use(hal_rcsservice)
+allow hal_rcsservice self:capability net_bind_service;
+
+set_prop(hal_rcsservice, ctl_vendor_imsrcsservice_prop)
+
+dontaudit hal_rcsservice kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/hal_secure_element_default.te b/sepolicy/vendor/qcom/common/hal_secure_element_default.te
new file mode 100644
index 0000000..a492a26
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_secure_element_default.te
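Review bot: `get_prop(hal_rcsservice, hwservicemanager_prop)` appears twice in hal_rcsservice.te — directly after `net_domain(hal_rcsservice)` and again after `get_prop(hal_rcsservice, ims_prop)`; remove one of them. The comment `# add IUceSerive and IService to Hidl interface` misspells the interface that hwservice_contexts in this same change registers as `com.qualcomm.qti.uceservice::IUceService`; `# add IUceService and IService to the HIDL interface` would match it.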
@@ -0,0 +1,11 @@
+hal_client_domain(hal_secure_element_default, hal_nfc)
+
+get_prop(hal_secure_element, vendor_secure_element_prop)
+allow hal_secure_element_default nxpnfc_hwservice:hwservice_manager find;
+add_hwservice(hal_secure_element_default, nxpese_hwservice)
+
+allow hal_secure_element_default secure_element_vendor_data_file:dir create_dir_perms;
+allow hal_secure_element_default secure_element_vendor_data_file:file create_file_perms;
+
+allow hal_secure_element_default sysfs_devicetree_ese:file r_file_perms;
+allow hal_secure_element_default debugfs_ipc:dir search;
diff --git a/sepolicy/vendor/qcom/common/hal_sensors_default.te b/sepolicy/vendor/qcom/common/hal_sensors_default.te
new file mode 100644
index 0000000..c5bc960
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_sensors_default.te
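Review bot: `get_prop(hal_secure_element, vendor_secure_element_prop)` names the `hal_secure_element` attribute while every other rule in hal_secure_element_default.te is scoped to the concrete `hal_secure_element_default` domain; if this is not a typo it hands property read access to every domain carrying that attribute rather than just this server. Either change it to `get_prop(hal_secure_element_default, vendor_secure_element_prop)` or add a comment explaining why the wider attribute is intended.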
@@ -0,0 +1,27 @@
+# read and write factory calibration and sensor configuration data
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensors_file)
+allow hal_sensors_default persist_sensors_file:dir create_dir_perms;
+allow hal_sensors_default persist_sensors_file:file create_file_perms;
+
+# interact with the sensors low power island (SLPI) CPU
+allow hal_sensors_default self:socket { create ioctl read write };
+allowxperm hal_sensors_default self:socket ioctl msm_sock_ipc_ioctls;
+r_dir_file(hal_sensors_default, sysfs_msm_subsys);
+
+allow hal_sensors_default qdsp_device:chr_file r_file_perms;
+
+allow hal_sensors_default sensors_vendor_data_file:dir create_dir_perms;
+allow hal_sensors_default sensors_vendor_data_file:file create_file_perms;
+
+# needed by elmyra_raw.cpp
+allow hal_sensors_default chre:unix_stream_socket connectto;
+allow hal_sensors_default chre_socket:sock_file write;
+
+dontaudit hal_sensors_default kernel:system module_request;
+
+# Allow to read /sys/class/power_supply/usb/input_current_now
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+
+r_dir_file(hal_sensors_default, adsprpcd_file)
diff --git a/sepolicy/vendor/qcom/common/hal_telephony.te b/sepolicy/vendor/qcom/common/hal_telephony.te
new file mode 100644
index 0000000..78ecbb4
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_telephony.te
@@ -0,0 +1 @@
+set_prop(hal_telephony_server, vendor_radio_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_tetheroffload_default.te b/sepolicy/vendor/qcom/common/hal_tetheroffload_default.te
new file mode 100644
index 0000000..273f8ec
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_tetheroffload_default.te
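Review bot: `r_dir_file(hal_sensors_default, persist_sensors_file)` is immediately followed by `persist_sensors_file:dir create_dir_perms` and `persist_sensors_file:file create_file_perms`, whose permission sets already contain the read permissions the macro grants, so the macro line adds nothing except `lnk_file` read; either drop it or keep only an explicit `allow hal_sensors_default persist_sensors_file:lnk_file r_file_perms;` if symlinks under that label are really followed. The trailing `r_dir_file(hal_sensors_default, adsprpcd_file)` has no comment, unlike the other grants in this file; one line naming what is read from there would complete the picture.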
@@ -0,0 +1,24 @@
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+userdebug_or_eng(`
+ # Allow using the logging file between ipacm and ipacm-diag
+ unix_socket_send(hal_tetheroffload_default, ipacm, hal_tetheroffload_default)
+')
+# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
+allow hal_tetheroffload_default ipa_dev:chr_file rw_file_perms;
+
+# Allow receiving NETLINK messages
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+} create_socket_perms_no_ioctl;
+
+# Allow creating and modifying the PID file
+allow hal_tetheroffload_default ipa_vendor_data_file:dir w_dir_perms;
+allow hal_tetheroffload_default ipa_vendor_data_file:file create_file_perms;
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+hwbinder_use(hal_tetheroffload_default)
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_thermal_default.te b/sepolicy/vendor/qcom/common/hal_thermal_default.te
new file mode 100644
index 0000000..0d56bc1
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_thermal_default.te
@@ -0,0 +1,14 @@
+allow hal_thermal_default sysfs_thermal:dir { open read search };
+allow hal_thermal_default sysfs_thermal:file { getattr open read };
+allow hal_thermal_default sysfs_thermal:lnk_file read;
+
+allow hal_thermal_default sysfs_batteryinfo:dir search;
+allow hal_thermal_default sysfs_batteryinfo:file r_file_perms;
+allow hal_thermal_default sysfs_batteryinfo:lnk_file read;
+allow hal_thermal_default sysfs_msm_subsys:dir search;
+allow hal_thermal_default sysfs_msm_subsys:file r_file_perms;
+allow hal_thermal_default sysfs_msm_subsys:lnk_file read;
+
+allow hal_thermal_default proc_stat:file { getattr open read };
+# read thermal_config
+get_prop(hal_thermal_default, vendor_thermal_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_tui_comm.te b/sepolicy/vendor/qcom/common/hal_tui_comm.te
new file mode 100644
index 0000000..c282127
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_tui_comm.te
@@ -0,0 +1,13 @@
+type hal_tui_comm, domain;
+type hal_tui_comm_exec, file_type, vendor_file_type, exec_type;
+
+init_daemon_domain(hal_tui_comm);
+
+get_prop(hal_tui_comm, hwservicemanager_prop)
+
+add_hwservice(hal_tui_comm, hal_tui_comm_hwservice)
+hwbinder_use(hal_tui_comm)
+
+binder_call(hal_tui_comm, secure_ui_service_app)
+
+allow hal_tui_comm hal_graphics_allocator_default:fd use;
diff --git a/sepolicy/vendor/qcom/common/hal_usb_impl.te b/sepolicy/vendor/qcom/common/hal_usb_impl.te
new file mode 100644
index 0000000..bfa2daa
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_usb_impl.te
@@ -0,0 +1,17 @@
+type hal_usb_impl, domain;
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+type hal_usb_impl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_usb_impl)
+
+allow hal_usb_impl sysfs_msm_subsys:dir search;
+allow hal_usb_impl sysfs_msm_subsys:file r_file_perms;
+r_dir_file(hal_usb_impl, sysfs_usb_c)
+allow hal_usb_impl sysfs_usb_c:file w_file_perms;
+allow hal_usb_impl sysfs_usb_device:dir r_dir_perms;
+allow hal_usb_impl sysfs_usb_device:file rw_file_perms;
+allow hal_usb_impl configfs:file create_file_perms;
+
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+get_prop(hal_usb_impl, vendor_usb_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_vibrator_default.te b/sepolicy/vendor/qcom/common/hal_vibrator_default.te
new file mode 100644
index 0000000..41b336d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_vibrator_default.te
@@ -0,0 +1,9 @@
+r_dir_file(hal_vibrator_default, sysfs_leds)
+allow hal_vibrator_default sysfs_leds:file w_file_perms;
+allow hal_vibrator_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_vibrator_default sysfs_msm_subsys:dir search;
+
+# read-only permission to obtain the calibration data
+r_dir_file(hal_vibrator_default, persist_haptics_file)
+allow hal_vibrator_default mnt_vendor_file:dir search;
+allow hal_vibrator_default persist_file:dir search;
diff --git a/sepolicy/vendor/qcom/common/hal_vr.te b/sepolicy/vendor/qcom/common/hal_vr.te
new file mode 100644
index 0000000..c0387ef
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_vr.te
@@ -0,0 +1,2 @@
+# interact with thermal_config
+set_prop(hal_vr, vendor_thermal_prop)
diff --git a/sepolicy/vendor/qcom/common/hal_wifi_default.te b/sepolicy/vendor/qcom/common/hal_wifi_default.te
new file mode 100644
index 0000000..2760895
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_wifi_default.te
@@ -0,0 +1,22 @@
+# Allow wifi hal access to LOWI
+allow hal_wifi_default location:unix_stream_socket connectto;
+
+# write to files owned by location daemon
+allow hal_wifi_default location_socket:dir search;
+allow hal_wifi_default location_socket:sock_file write;
+allow hal_wifi_default location_data_file:{ file fifo_file } create_file_perms;
+
+allow hal_wifi_default wlan_device:chr_file w_file_perms;
+
+# Allow wifi hal to read debug info from the driver.
+r_dir_file(hal_wifi_default, proc_wifi_dbg)
+
+dontaudit hal_wifi_default kernel:system module_request;
+dontaudit hal_wifi_default self:capability sys_module;
+
+userdebug_or_eng(`
+# debugfs entries are only needed in user-debug or eng builds
+
+# Allow wifi hal to access wlan debugfs files and directories
+allow hal_wifi_default debugfs_wlan:dir r_dir_perms;
+')
diff --git a/sepolicy/vendor/qcom/common/hal_wifi_hostapd.te b/sepolicy/vendor/qcom/common/hal_wifi_hostapd.te
new file mode 100644
index 0000000..f9f37c9
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_wifi_hostapd.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+allow hal_wifi_hostapd wifi_vendor_log_data_file:dir search;
+')
diff --git a/sepolicy/vendor/qcom/common/hal_wifi_offload_default.te b/sepolicy/vendor/qcom/common/hal_wifi_offload_default.te
new file mode 100644
index 0000000..00df6a7
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_wifi_offload_default.te
@@ -0,0 +1,3 @@
+# Allow Wifi Offload HAL to communicate with daemon via socket
+allow hal_wifi_offload_default chre:unix_stream_socket connectto;
+allow hal_wifi_offload_default chre_socket:sock_file write;
diff --git a/sepolicy/vendor/qcom/common/hal_wifi_supplicant_default.te b/sepolicy/vendor/qcom/common/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..c7b4eb9
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_wifi_supplicant_default.te
@@ -0,0 +1,5 @@
+allow hal_wifi_supplicant_default self:socket create_socket_perms;
+# ioctlcmd=c304, c302
+allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;
+
+allow hal_wifi_supplicant_default cnd:unix_dgram_socket sendto;
diff --git a/sepolicy/vendor/qcom/common/hal_wlc.te b/sepolicy/vendor/qcom/common/hal_wlc.te
new file mode 100644
index 0000000..6765388
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hal_wlc.te
@@ -0,0 +1,15 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+init_daemon_domain(hal_wlc)
+
+# Allow access to /sys/class/power_supply/wireless
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+
+# Allow access to /sys/devices/platform/soc/a88000.i2c/i2c-0/0-0061
+r_dir_file(hal_wlc, sysfs_wlc)
+allow hal_wlc sysfs_wlc:file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/hardware_info_app.te b/sepolicy/vendor/qcom/common/hardware_info_app.te
new file mode 100644
index 0000000..5c290fd
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hardware_info_app.te
@@ -0,0 +1,30 @@
+type hardware_info_app, domain;
+
+app_domain(hardware_info_app)
+
+# App
+allow hardware_info_app app_data_file:file execute;
+
+# Services
+allow hardware_info_app app_api_service:service_manager find;
+
+# Shell
+allow hardware_info_app shell_data_file:dir search;
+allow hardware_info_app shell_data_file:file { open read };
+
+# SysFS
+allow hardware_info_app sysfs_batteryinfo:dir search;
+allow hardware_info_app sysfs_batteryinfo:file { getattr open read };
+allow hardware_info_app sysfs_camera:dir search;
+allow hardware_info_app sysfs_camera:file { getattr open read };
+allow hardware_info_app sysfs_msm_subsys:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file { getattr open read };
+allow hardware_info_app sysfs_soc:dir search;
+allow hardware_info_app sysfs_soc:file { getattr open read };
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file { getattr open read };
+
+# Devices
+allow hardware_info_app tmpfs:dir search;
+allow hardware_info_app maxfg_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/healthd.te b/sepolicy/vendor/qcom/common/healthd.te
new file mode 100644
index 0000000..d4f839d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/healthd.te
@@ -0,0 +1 @@
+allow healthd self:capability2 wake_alarm;
diff --git a/sepolicy/vendor/qcom/common/hwservice.te b/sepolicy/vendor/qcom/common/hwservice.te
new file mode 100644
index 0000000..0947aed
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hwservice.te
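Review bot: `allow hardware_info_app app_data_file:file execute;` under `# App` lets this app domain execute files out of the writable app-data directory, which is exactly the write-xor-execute property the platform's app policy works to deny; if a bundled native helper really must run from there, the rule deserves a comment naming the binary, and packaging the helper as a library would let the grant be removed altogether. The `shell_data_file` reads under `# Shell` and `maxfg_device:chr_file r_file_perms` under `# Devices` likewise give an app domain direct access to shell output and a fuel-gauge device node; one sentence of justification per section would make the review of this domain self-contained rather than dependent on knowing the app.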
@@ -0,0 +1,15 @@
+type vnd_ims_radio_hwservice, hwservice_manager_type;
+type vnd_qcrilhook_hwservice, hwservice_manager_type;
+type vnd_atcmdfwd_hwservice, hwservice_manager_type;
+type hal_imsrtp_hwservice, hwservice_manager_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type;
+type hal_ipacm_hwservice, hwservice_manager_type;
+type hal_cne_hwservice, hwservice_manager_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type;
+type hal_radioext_hwservice, hwservice_manager_type;
+type hal_display_config_hwservice, hwservice_manager_type;
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;
+type hal_tui_comm_hwservice, hwservice_manager_type;
+type hal_paintbox_hwservice, hwservice_manager_type;
+type hal_wlc_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/qcom/common/hwservice_contexts b/sepolicy/vendor/qcom/common/hwservice_contexts
new file mode 100644
index 0000000..4d81c64
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/hwservice_contexts
@@ -0,0 +1,25 @@
+vendor.qti.hardware.radio.ims::IImsRadio u:object_r:vnd_ims_radio_hwservice:s0
+vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:vnd_qcrilhook_hwservice:s0
+com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
+com.qualcomm.qti.uceservice::IUceService u:object_r:hal_imsrcsd_hwservice:s0
+vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0
+vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vnd_atcmdfwd_hwservice:s0
+vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:vnd_qcrilhook_hwservice:s0
+vendor.qti.imsrtpservice::IRTPService u:object_r:hal_imsrtp_hwservice:s0
+vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.uim::IUim u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.tui_comm::ITuiComm u:object_r:hal_tui_comm_hwservice:s0
+com.quicinc.cne.api::IApiService u:object_r:hal_cne_hwservice:s0
+com.quicinc.cne.server::IServer u:object_r:hal_cne_hwservice:s0
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc u:object_r:nxpnfc_hwservice:s0
+vendor.nxp.nxpese::INxpEse u:object_r:nxpese_hwservice:s0
+hardware.google.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+hardware.google.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+vendor.google_paintbox::IManagerService u:object_r:hal_paintbox_hwservice:s0
+hardware.google.pixelstats::IPixelStats u:object_r:hal_pixelstats_hwservice:s0
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+hardware.google.light::ILight u:object_r:hal_light_hwservice:s0
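Review bot: `com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0` and the four `vendor.qti.hardware.radio.uim*` / `lpa` entries labelled `hal_telephony_hwservice` reuse platform HAL service labels for vendor-specific interfaces, so every domain already allowed to find the Bluetooth or telephony HAL can also look up these vendor services; this change gives dedicated labels to comparable interfaces (`vnd_ims_radio_hwservice`, `vnd_qcrilhook_hwservice`), and the same pattern here would keep the find-permission surface per interface. If the reuse is deliberate because the same server process hosts both the platform and the vendor interface, a comment above those lines saying so would settle it. `hal_light_hwservice`, `hal_codec2_hwservice` and `hal_pixelstats_hwservice` are referenced here but not declared in hwservice.te in this change, so they are presumably declared elsewhere in the policy; worth confirming they resolve on every product that includes this common directory.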
diff --git a/sepolicy/vendor/qcom/common/ims.te b/sepolicy/vendor/qcom/common/ims.te
new file mode 100644
index 0000000..5d0cd9e
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ims.te
@@ -0,0 +1,37 @@
+type ims, domain;
+type ims_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ims)
+net_domain(ims)
+
+get_prop(ims, hwservicemanager_prop)
+set_prop(ims, ims_prop)
+
+unix_socket_connect(ims, netmgrd, netmgrd)
+
+allow ims sysfs_soc:dir search;
+allow ims sysfs_soc:file r_file_perms;
+allow ims sysfs_timestamp_switch:file r_file_perms;
+
+allow ims self:capability net_bind_service;
+
+allow ims ion_device:chr_file r_file_perms;
+
+unix_socket_connect(ims, cnd, cnd)
+
+allow ims self:socket create_socket_perms;
+allow ims ims_socket:sock_file write;
+allow ims self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow ims netmgrd_socket:dir search;
+allow ims netmgrd_socket:sock_file w_file_perms;
+allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
+allowxperm ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
+
+r_dir_file(ims, sysfs_msm_subsys)
+r_dir_file(ims, sysfs_diag)
+
+hwbinder_use(ims)
+allow ims hal_cne_hwservice:hwservice_manager find;
+binder_call(ims, cnd)
+
+dontaudit ims kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/init-devstart-sh.te b/sepolicy/vendor/qcom/common/init-devstart-sh.te
new file mode 100644
index 0000000..87ec1fc
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init-devstart-sh.te
@@ -0,0 +1,36 @@
+type init-qcom-devstart-sh, domain;
+type init-qcom-devstart-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qcom-devstart-sh)
+
+allow init-qcom-devstart-sh vendor_shell_exec:file rx_file_perms;
+allow init-qcom-devstart-sh vendor_toolbox_exec:file rx_file_perms;
+
+# execute grep
+allow init-qcom-devstart-sh vendor_file:file rx_file_perms;
+
+# Set the vendor.qcom.devup property
+set_prop(init-qcom-devstart-sh, vendor_device_prop)
+# Set the sys.slpi.firmware.version property.
+set_prop(init-qcom-devstart-sh, public_vendor_system_prop)
+
+# Set boot_adsp and boot_slpi to 1
+allow init-qcom-devstart-sh sysfs_msm_subsys:file w_file_perms;
+
+# Initialize Edge Sense.
+# See b/67205273.
+allow init-qcom-devstart-sh sysfs:dir r_dir_perms;
+allow init-qcom-devstart-sh sysfs_pinctrl:dir r_dir_perms;
+allow init-qcom-devstart-sh sysfs_pinctrl:file rw_file_perms;
+allow init-qcom-devstart-sh sysfs_gpio_export:file w_file_perms;
+allow init-qcom-devstart-sh sysfs_soc:dir r_dir_perms;
+allow init-qcom-devstart-sh sysfs_soc:file r_file_perms;
+allow init-qcom-devstart-sh sysfs_msm_subsys:dir r_dir_perms;
+allow init-qcom-devstart-sh sysfs_msm_subsys:file r_file_perms;
+allow init-qcom-devstart-sh sysfs_scsi_devices_0000:file r_file_perms;
+allow init-qcom-devstart-sh sysfs_pixelstats:file r_file_perms;
+# Ignore permissions used but not needed.
+dontaudit init-qcom-devstart-sh sysfs:file { create getattr };
+dontaudit init-qcom-devstart-sh sysfs_type:dir { read write };
+dontaudit init-qcom-devstart-sh sysfs_graphics:file getattr;
+dontaudit init-qcom-devstart-sh sysfs_devices_block:file getattr;
diff --git a/sepolicy/vendor/qcom/common/init-insmod-sh.te b/sepolicy/vendor/qcom/common/init-insmod-sh.te
new file mode 100644
index 0000000..0428e83
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init-insmod-sh.te
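Review bot: `allow init-qcom-devstart-sh vendor_file:file rx_file_perms;` under `# execute grep` lets the script execute any binary labelled vendor_file, not just grep; the `vendor_toolbox_exec:file rx_file_perms` line above it presumably already covers the vendor toybox grep, so this rule is either unneeded or should point at a specific exec type for the binary actually run. `dontaudit init-qcom-devstart-sh sysfs_type:dir { read write };` at the end silences denials across every sysfs label, which would also hide a future mislabel that this script starts writing to — narrowing it to the labels the script touches (the `sysfs_*` types listed just above) keeps the audit log useful. The file is also named init-devstart-sh.te while the domain is `init-qcom-devstart-sh`, unlike init-insmod-sh.te where file and domain names match; aligning them makes the domain easier to find.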
@@ -0,0 +1,18 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh vendor_shell_exec:file rx_file_perms;
+allow init-insmod-sh vendor_toolbox_exec:file rx_file_perms;
+
+# Set the vendor.all.modules.ready property
+set_prop(init-insmod-sh, vendor_device_prop)
+
+# Allow insmod
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh system_file:system module_load;
+
+allow init-insmod-sh vendor_file:system module_load;
+
+allow init-insmod-sh kernel:key search;
diff --git a/sepolicy/vendor/qcom/common/init-ipastart-sh.te b/sepolicy/vendor/qcom/common/init-ipastart-sh.te
new file mode 100644
index 0000000..d2e1754
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init-ipastart-sh.te
@@ -0,0 +1,10 @@
+type init-qcom-ipastart-sh, domain;
+type init-qcom-ipastart-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qcom-ipastart-sh)
+
+allow init-qcom-ipastart-sh vendor_shell_exec:file rx_file_perms;
+allow init-qcom-ipastart-sh vendor_toolbox_exec:file rx_file_perms;
+
+# Set /dev/ipa to 1
+allow init-qcom-ipastart-sh ipa_dev:chr_file w_file_perms;
diff --git a/sepolicy/vendor/qcom/common/init-wlan-sh.te b/sepolicy/vendor/qcom/common/init-wlan-sh.te
new file mode 100644
index 0000000..36179ef
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init-wlan-sh.te
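Review bot: `allow init-insmod-sh system_file:system module_load;` lets a vendor init script load kernel modules from the system partition in addition to the `vendor_file:system module_load` grant two lines below; kernel modules for this device are expected to ship under /vendor, so the system_file grant widens the set of loadable objects and should either be dropped or justified with a comment naming the module that lives there. `allow init-insmod-sh kernel:key search;` is likewise uncommented; if it is needed for module signature verification, a line such as `# keyring lookup for module signature check` would make that reviewable.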
@@ -0,0 +1,14 @@
+type init-qcom-wlan-sh, domain;
+type init-qcom-wlan-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qcom-wlan-sh)
+
+allow init-qcom-wlan-sh vendor_shell_exec:file rx_file_perms;
+allow init-qcom-wlan-sh vendor_toolbox_exec:file rx_file_perms;
+
+# Set the sys.wlan.driver.version and sys.wlan.firmware.version property
+set_prop(init-qcom-wlan-sh, vendor_wifi_version)
+
+# /sys/kernel/wifi/wlan/driver_version and /sys/kernel/wifi/wlan/fw/0/version
+allow init-qcom-wlan-sh sysfs_msm_wlan:dir r_dir_perms;
+allow init-qcom-wlan-sh sysfs_msm_wlan:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/init.te b/sepolicy/vendor/qcom/common/init.te
new file mode 100644
index 0000000..60e491b
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init.te
@@ -0,0 +1,22 @@
+# symlink /sdcard to backing block
+allow init tmpfs:lnk_file create;
+allow init configfs:lnk_file create;
+
+allow init configfs:file w_file_perms;
+allow init debugfs_clk:file w_file_perms;
+
+allow init tty_device:chr_file rw_file_perms;
+
+allow init mnt_vendor_file:dir mounton;
+
+allow init ab_block_device:lnk_file relabelto;
+allow init boot_block_device:lnk_file relabelto;
+
+dontaudit init kernel:system module_request;
+
+# b/70518189 vDSO experiments
+allow init sysfs_vdso:file w_file_perms;
+
+allow init sysfs_poweroff:file w_file_perms;
+# b/72993533 Thermal mitigation in recovery mode
+allow init sysfs_thermal:file w_file_perms;
diff --git a/sepolicy/vendor/qcom/common/init_power.te b/sepolicy/vendor/qcom/common/init_power.te
new file mode 100644
index 0000000..02108a2
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init_power.te
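Review bot: In init.te, `allow init sysfs_vdso:file w_file_perms;` is described only as "vDSO experiments" (b/70518189) yet is granted unconditionally to init on every build; if the experiment runs on debug builds only, wrapping the rule in `userdebug_or_eng(` ... `)` keeps production init from carrying the write, and if it is needed in user builds the comment should say so. The same question applies to `allow init debugfs_clk:file w_file_perms;`, which has no comment at all; debugfs writes from init are the kind of rule that tends to outlive the bring-up that needed them.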
@@ -0,0 +1,16 @@
+type init_power, domain;
+type init_power_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_power)
+
+allow init_power vendor_shell_exec:file rx_file_perms;
+allow init_power vendor_toolbox_exec:file rx_file_perms;
+
+r_dir_file(init_power, sysfs_msm_subsys)
+
+allow init_power sysfs_msm_subsys:file write;
+allow init_power sysfs_thermal:dir search;
+allow init_power sysfs_thermal:file w_file_perms;
+allow init_power sysfs_devices_system_cpu:file w_file_perms;
+allow init_power sysfs_soc:file r_file_perms;
+allow init_power sysfs_soc:dir search;
diff --git a/sepolicy/vendor/qcom/common/init_radio.te b/sepolicy/vendor/qcom/common/init_radio.te
new file mode 100644
index 0000000..ff4da34
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/init_radio.te
@@ -0,0 +1,11 @@
+# /vendor/bin/init.radio.sh
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio)
+
+allow init_radio vendor_shell_exec:file rx_file_perms;
+allow init_radio vendor_toolbox_exec:file rx_file_perms;
+
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/qcom/common/ioctl_defines b/sepolicy/vendor/qcom/common/ioctl_defines
new file mode 100644
index 0000000..e1c50a7
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ioctl_defines
@@ -0,0 +1,10 @@
+# socket ioctls
+define(`RMNET_IOCTL_EXTENDED', `0x000089FD')
+
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
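Review bot: init_power.te has no header comment naming the script it confines, unlike init_radio.te in the same commit, which opens with `# /vendor/bin/init.radio.sh`; a first line such as `# /vendor/bin/<init-power-script>  (placeholder — fill in the real path)` would bring the two files in line. Within the file, `r_dir_file(init_power, sysfs_msm_subsys)` followed by `allow init_power sysfs_msm_subsys:file write;` reads oddly next to the `w_file_perms` rules below it; if the script opens those files for writing itself, `w_file_perms` is the consistent form, and if it only writes through an inherited descriptor a comment saying so would explain the narrower grant.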
diff --git a/sepolicy/vendor/qcom/common/ioctl_macros b/sepolicy/vendor/qcom/common/ioctl_macros
new file mode 100644
index 0000000..dd9a2e8
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ioctl_macros
@@ -0,0 +1,8 @@
+define(`msm_sock_ipc_ioctls', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')
diff --git a/sepolicy/vendor/qcom/common/irqbalance.te b/sepolicy/vendor/qcom/common/irqbalance.te
new file mode 100644
index 0000000..8b54f16
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/irqbalance.te
@@ -0,0 +1,14 @@
+type irqbalance, domain;
+type irqbalance_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(irqbalance);
+
+allow irqbalance sysfs_devices_system_cpu:file rw_file_perms;
+allow irqbalance proc_irq:dir r_dir_perms;
+allow irqbalance proc_irq:file rw_file_perms;
+allow irqbalance sysfs_irq:file r_file_perms;
+
+allow irqbalance proc_stat:file r_file_perms;
+allow irqbalance proc_interrupts:file r_file_perms;
+
+r_dir_file(irqbalance, proc)
diff --git a/sepolicy/vendor/qcom/common/irsc_util.te b/sepolicy/vendor/qcom/common/irsc_util.te
new file mode 100644
index 0000000..79f3c73
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/irsc_util.te
@@ -0,0 +1,7 @@
+type irsc_util, domain;
+type irsc_util_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(irsc_util)
+
+allow irsc_util self:socket create_socket_perms;
+allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
diff --git a/sepolicy/vendor/qcom/common/kernel.te b/sepolicy/vendor/qcom/common/kernel.te
new file mode 100644
index 0000000..8a47572
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/kernel.te
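Review bot: `init_daemon_domain(irqbalance);` carries a trailing semicolon after the macro call, unlike the other new domains in this commit; the same form appears in pd_services.te (`init_daemon_domain(pd_mapper);`) and per_mgr.te (`init_daemon_domain(per_mgr);`). The macro already expands to terminated statements, so the stray `;` contributes nothing and dropping it keeps the three files consistent with the rest. Separately, `r_dir_file(irqbalance, proc)` grants read on everything carrying the generic proc label when the daemon's needs (proc_irq, proc_stat, proc_interrupts) are already covered by the explicit rules above it; if a specific unlabelled /proc entry is still missing, naming it in a comment would let the broad rule be replaced later.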
@@ -0,0 +1,13 @@
+# for diag over socket
+userdebug_or_eng(`
+ allow kernel self:socket create;
+ allow kernel debugfs_wlan:dir search;
+')
+
+dontaudit kernel kernel:system module_request;
+
+# Read FDs from /vendor/firmware
+allow kernel vendor_file:file r_file_perms;
+
+allow kernel debugfs_ipc:dir search;
+allow kernel persist_file:dir search;
diff --git a/sepolicy/vendor/qcom/common/location.te b/sepolicy/vendor/qcom/common/location.te
new file mode 100644
index 0000000..24f5c63
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/location.te
@@ -0,0 +1,57 @@
+# loc_launcher service
+# which launches various other services supporting GPS & Wifi-RTT (LOWI) location
+type location, domain;
+type location_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(location)
+
+# STOPSHIP b/28340421
+# Temporarily grant this permission (for LOWI) and log its use.
+allow location self:capability { net_admin };
+auditallow location self:capability { net_admin };
+
+allow location self:capability { setgid setuid };
+
+hwbinder_use(location)
+get_prop(location, hwservicemanager_prop)
+allow location fwk_sensor_hwservice:hwservice_manager find;
+binder_call(location, system_server)
+allow location hal_wifi:unix_stream_socket { read write };
+
+# Enable standard network access (for XTRA download)
+net_domain(location)
+
+# And some additional network access
+allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow location self:netlink_socket create_socket_perms_no_ioctl;
+allowxperm location self:udp_socket ioctl { SIOCGIFINDEX SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
+
+allow location self:socket create_socket_perms;
+# whitelist socket ioctl commands
+allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
+
+# files in /sys
+r_dir_file(location, sysfs_type)
+
+dontaudit location kernel:system module_request;
+
+allow location proc_net:file r_file_perms;
+
+# execute /vendor/bin/lowi-server
+allow location location_exec:file rx_file_perms;
+
+# /data/vendor/location
+allow location location_data_file:dir create_dir_perms;
+allow location location_data_file:file create_file_perms;
+
+# /dev/socket/location
+allow location location_socket:sock_file create_file_perms;
+allow location location_socket:dir rw_dir_perms;
+allow location hal_gnss_qti:unix_dgram_socket sendto;
+
+userdebug_or_eng(`
+ allow location diag_device:chr_file rw_file_perms;
+')
+
+allow location hal_cne_hwservice:hwservice_manager find;
+binder_call(location, cnd)
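Review bot: The `# STOPSHIP b/28340421` block grants `allow location self:capability { net_admin };` with only an `auditallow` to log its use, and nothing in the hunk records who reviews those audit records or when the grant goes away; a STOPSHIP marker landing in a device policy should either be resolved or re-worded to state why net_admin must stay and what the auditallow output is checked against. `allow location location_exec:file rx_file_perms;` additionally runs lowi-server inside the location domain rather than through a transition, so everything lowi-server does inherits this file's grants, net_admin included; if lowi-server needs less, a dedicated domain reached via `domain_auto_trans` would bound it. `r_dir_file(location, sysfs_type)` (read on every sysfs type) is the third broad grant here and would benefit from a comment naming the paths actually read.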
diff --git a/sepolicy/vendor/qcom/common/logger_app.te b/sepolicy/vendor/qcom/common/logger_app.te
new file mode 100644
index 0000000..2d2660e
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/logger_app.te
@@ -0,0 +1,24 @@
+type logger_app, domain;
+
+userdebug_or_eng(`
+ app_domain(logger_app)
+ net_domain(logger_app)
+
+ allow logger_app app_api_service:service_manager find;
+ allow logger_app surfaceflinger_service:service_manager find;
+
+ allow logger_app diag_device:chr_file rw_file_perms;
+ allow logger_app qlogd_exec:file rx_file_perms;
+
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+
+ allow logger_app cnss_vendor_data_file:dir create_dir_perms;
+ allow logger_app cnss_vendor_data_file:file create_file_perms;
+
+ set_prop(logger_app, vendor_cnss_diag_prop)
+ set_prop(logger_app, vendor_modem_diag_prop)
+ set_prop(logger_app, vendor_bluetooth_log_prop)
+
+ get_prop(logger_app, vendor_usb_config_prop)
+')
diff --git a/sepolicy/vendor/qcom/common/mediacodec.te b/sepolicy/vendor/qcom/common/mediacodec.te
new file mode 100644
index 0000000..1efcc40
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/mediacodec.te
@@ -0,0 +1,10 @@
+allow mediacodec sysfs_soc:file r_file_perms;
+allow mediacodec sysfs_soc:dir search;
+
+allow mediacodec system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow mediacodec dumpstate:fd use;
+')
+
+dontaudit mediacodec vendor_display_prop:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/mediaextractor.te b/sepolicy/vendor/qcom/common/mediaextractor.te
new file mode 100644
index 0000000..18abafc
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/mediaextractor.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ allow mediaextractor dumpstate:fifo_file append;
+')
diff --git a/sepolicy/vendor/qcom/common/mediaserver.te b/sepolicy/vendor/qcom/common/mediaserver.te
new file mode 100644
index 0000000..4b0a3d5
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/mediaserver.te
@@ -0,0 +1,2 @@
+dontaudit mediaserver vendor_display_prop:file r_file_perms;
+
diff --git a/sepolicy/vendor/qcom/common/mm-pp-daemon.te b/sepolicy/vendor/qcom/common/mm-pp-daemon.te
new file mode 100644
index 0000000..c2b7c1d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/mm-pp-daemon.te
@@ -0,0 +1,29 @@
+type mm-pp-daemon, domain;
+type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mm-pp-daemon)
+
+#Need to use fb/drm ioctls to communicate with kernel
+allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
+allow mm-pp-daemon graphics_device:dir r_dir_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_vendor_data_file:dir create_dir_perms;
+allow mm-pp-daemon display_vendor_data_file:file create_file_perms;
+
+# Rule for IPC communication
+allow mm-pp-daemon qdisplay_service:service_manager find;
+vndbinder_use(mm-pp-daemon)
+hwbinder_use(mm-pp-daemon)
+hal_client_domain(mm-pp-daemon, hal_graphics_composer)
+allow mm-pp-daemon fwk_sensor_hwservice:hwservice_manager find;
+binder_call(mm-pp-daemon, system_server)
+
+# Allow mm-pp-daemon to change the brightness
+allow mm-pp-daemon sysfs_leds:dir r_dir_perms;
+allow mm-pp-daemon sysfs_leds:file rw_file_perms;
+allow mm-pp-daemon sysfs_leds:lnk_file read;
+r_dir_file(mm-pp-daemon, sysfs_leds)
+allow mm-pp-daemon sysfs_graphics:dir r_dir_perms;
+allow mm-pp-daemon sysfs_graphics:file rw_file_perms;
+allow mm-pp-daemon sysfs_data:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/modem_diagnostics.te b/sepolicy/vendor/qcom/common/modem_diagnostics.te
new file mode 100644
index 0000000..af7ef6b
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/modem_diagnostics.te
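Review bot: In mm-pp-daemon.te, `r_dir_file(mm-pp-daemon, sysfs_leds)` is redundant with the two explicit rules immediately above it (`sysfs_leds:dir r_dir_perms` and `sysfs_leds:file rw_file_perms` already include everything the macro adds), so one of the two forms should go; netmgrd.te in this commit has the same pattern, with `r_dir_file(netmgrd, sysfs_msm_subsys)` following explicit `sysfs_msm_subsys:dir`/`:file` read rules. Keeping a single form per type makes the granted set obvious to whoever audits the policy next. The comment `# Allow mm-pp-daemon to change the brightness` also sits above rules for sysfs_graphics and sysfs_data that have nothing to do with brightness; a separate comment for those, or a blank line, would keep the grouping honest.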
@@ -0,0 +1,16 @@
+# ModemDiagnosticSystem app
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app surfaceflinger_service:service_manager find;
+
+userdebug_or_eng(`
+ allow modem_diagnostic_app diag_device:chr_file rw_file_perms;
+
+ allow modem_diagnostic_app sysfs_esim:file r_file_perms;
+
+ set_prop(modem_diagnostic_app, vendor_modem_diag_prop)
+')
diff --git a/sepolicy/vendor/qcom/common/netd.te b/sepolicy/vendor/qcom/common/netd.te
new file mode 100644
index 0000000..91c6d73
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/netd.te
@@ -0,0 +1,4 @@
+dontaudit netd kernel:system module_request;
+dontaudit netd self:capability sys_module;
+dontaudit netd proc_net:dir write;
+dontaudit netd sysfs_net:dir write;
diff --git a/sepolicy/vendor/qcom/common/netmgrd.te b/sepolicy/vendor/qcom/common/netmgrd.te
new file mode 100644
index 0000000..1390c1b
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/netmgrd.te
@@ -0,0 +1,67 @@
+type netmgrd, domain;
+type netmgrd_exec, exec_type, vendor_file_type, file_type;
+
+net_domain(netmgrd)
+init_daemon_domain(netmgrd)
+
+set_prop(netmgrd, vendor_net_radio_prop)
+
+# communicate with netd
+unix_socket_connect(netmgrd, netd, netd)
+
+allow netmgrd netmgrd_socket:dir w_dir_perms;
+allow netmgrd netmgrd_socket:sock_file create_file_perms;
+allow netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netmgrd self:netlink_route_socket nlmsg_write;
+allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
+allow netmgrd self:socket create_socket_perms;
+allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
+allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
+
+allow netmgrd sysfs_net:dir r_dir_perms;
+allow netmgrd sysfs_net:file rw_file_perms;
+allow netmgrd sysfs_soc:dir search;
+allow netmgrd sysfs_soc:file r_file_perms;
+allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
+allow netmgrd sysfs_msm_subsys:file r_file_perms;
+
+allow netmgrd system_file:file lock;
+
+r_dir_file(netmgrd, sysfs_msm_subsys)
+
+wakelock_use(netmgrd)
+
+#Allow netutils usage
+domain_auto_trans(netmgrd, netutils_wrapper_exec, netutils_wrapper)
+allow netmgrd netutils_wrapper:process sigkill;
+
+#Allow diag logging
+allow netmgrd sysfs_timestamp_switch:file { read open };
+userdebug_or_eng(`
+ r_dir_file(netmgrd, sysfs_diag)
+')
+
+#Ignore if device loading for private IOCTL failed
+dontaudit netmgrd kernel:system { module_request };
+
+allow netmgrd proc_net:file rw_file_perms;
+allow netmgrd netmgr_data_file:dir rw_dir_perms;
+allow netmgrd netmgr_data_file:file create_file_perms;
+allow netmgrd system_file:file execute_no_trans;
+allow netmgrd netmgr_recovery_data_file:file create_file_perms;
+allow netmgrd netmgr_recovery_data_file:dir rw_dir_perms;
+
+allow netmgrd self:capability { net_admin net_raw setgid setpcap setuid };
+
+allow netmgrd vendor_toolbox_exec:file rx_file_perms;
+
+# Allow netmgrd to use netd HAL
+allow netmgrd system_net_netd_hwservice:hwservice_manager find;
+get_prop(netmgrd, hwservicemanager_prop)
+binder_call(netmgrd, netd)
+hwbinder_use(netmgrd)
+
+dontaudit netmgrd kernel:system module_request;
+dontaudit netmgrd self:system module_request;
+dontaudit netmgrd self:capability sys_module;
diff --git a/sepolicy/vendor/qcom/common/netutils_wrapper.te b/sepolicy/vendor/qcom/common/netutils_wrapper.te
new file mode 100644
index 0000000..bea7374
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/netutils_wrapper.te
@@ -0,0 +1,9 @@
+# For netutils to be able to write their stdout stderr to the pipes opened by netmgrd
+allow netutils_wrapper netmgrd:fd use;
+allow netutils_wrapper netmgrd:fifo_file { getattr read write append };
+
+dontaudit netutils_wrapper netmgrd:unix_stream_socket { read write };
+dontaudit netutils_wrapper netmgrd:socket { read write };
+dontaudit netutils_wrapper netmgrd:netlink_socket { getattr read write append };
+dontaudit netutils_wrapper kernel:system module_request;
+dontaudit netutils_wrapper self:capability sys_module;
diff --git a/sepolicy/vendor/qcom/common/pd_services.te b/sepolicy/vendor/qcom/common/pd_services.te
new file mode 100644
index 0000000..1232d26
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/pd_services.te
@@ -0,0 +1,17 @@
+type pd_mapper, domain;
+
+type pd_mapper_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(pd_mapper);
+
+allow pd_mapper self:capability { setgid setpcap setuid net_bind_service };
+
+allow pd_mapper firmware_file:dir r_dir_perms;
+allow pd_mapper firmware_file:file r_file_perms;
+
+allow pd_mapper self:socket create_socket_perms;
+allowxperm pd_mapper self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
+
+r_dir_file(pd_mapper, sysfs_msm_subsys)
+userdebug_or_eng(`set_prop(pd_mapper, vendor_ssr_prop)')
+
+dontaudit pd_mapper kernel:system module_request;
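Review bot: netmgrd.te states `dontaudit netmgrd kernel:system module_request;` twice, once as `{ module_request }` under the "#Ignore if device loading for private IOCTL failed" comment and again bare near the end of the file; the second copy should be removed. `allow netmgrd system_file:file execute_no_trans;` lets netmgrd run any system_file binary inside its own domain, which combined with `{ net_admin net_raw setgid setpcap setuid }` is a large grant for a network daemon that already parses untrusted modem traffic; since the netutils helpers are handled by the `domain_auto_trans` rule above, the execute_no_trans grant presumably covers something else and should name it in a comment (or use a dedicated exec type) so it can be narrowed. `allow netmgrd proc_net:file rw_file_perms;` likewise gives write on every proc_net file rather than the sysctls it sets; a comment listing them would let a later reviewer confirm the scope.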
diff --git a/sepolicy/vendor/qcom/common/per_mgr.te b/sepolicy/vendor/qcom/common/per_mgr.te
new file mode 100644
index 0000000..72d944d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/per_mgr.te
@@ -0,0 +1,26 @@
+# Policy for pm-service and pm-proxy
+type per_mgr, domain;
+type per_mgr_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(per_mgr);
+
+add_service(per_mgr, per_mgr_service)
+
+vndbinder_use(per_mgr)
+binder_call(per_mgr, hal_gnss)
+binder_call(per_mgr, per_proxy)
+binder_call(per_mgr, wcnss_service)
+binder_call(per_mgr, rild)
+
+allow per_mgr self:capability net_bind_service;
+
+allow per_mgr self:socket create_socket_perms;
+allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
+allow per_mgr ssr_device:chr_file { open read };
+
+r_dir_file(per_mgr, sysfs_msm_subsys)
+r_dir_file(per_mgr, sysfs)
+
+set_prop(per_mgr, per_mgr_state_prop)
+
+dontaudit per_mgr kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/per_proxy.te b/sepolicy/vendor/qcom/common/per_proxy.te
new file mode 100644
index 0000000..9c11dc9
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/per_proxy.te
@@ -0,0 +1,11 @@
+# Policy for /system/bin/pm-proxy
+type per_proxy, domain;
+type per_proxy_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(per_proxy)
+
+allow per_proxy per_mgr_service:service_manager find;
+r_dir_file(per_proxy, sysfs_type)
+
+vndbinder_use(per_proxy)
+binder_call(per_proxy, per_mgr)
diff --git a/sepolicy/vendor/qcom/common/platform_app.te b/sepolicy/vendor/qcom/common/platform_app.te
new file mode 100644
index 0000000..d268a1c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/platform_app.te
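Review bot: `r_dir_file(per_mgr, sysfs)` grants read on every file carrying the generic sysfs label, much more than the `sysfs_msm_subsys` read on the line above it; if pm-service only needs subsystem state, this second macro is likely left over from bring-up and should be narrowed to the specific type, or at least commented with the paths it reads (`# reads /sys/<path> — confirm`). The header `# Policy for pm-service and pm-proxy` is also slightly misleading, since pm-proxy has its own domain in per_proxy.te.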
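Review bot: The header `# Policy for /system/bin/pm-proxy` contradicts the declaration `type per_proxy_exec, exec_type, vendor_file_type, file_type;`, which labels a binary on the vendor partition; the path is presumably /vendor/bin/pm-proxy now, and the comment should name the real location so the file_contexts entry can be checked against it. `r_dir_file(per_proxy, sysfs_type)` (read on all sysfs types) would also benefit from a comment naming what the proxy reads.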
@@ -0,0 +1,7 @@
+# To read /persist/sensors/elmyra.
+allow platform_app persist_file:dir search;
+allow platform_app persist_sensors_file:dir search;
+allow platform_app persist_sensors_file:file r_file_perms;
+# To find and bind hal_wlc
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+allow platform_app hal_wlc:binder call;
diff --git a/sepolicy/vendor/qcom/common/port-bridge.te b/sepolicy/vendor/qcom/common/port-bridge.te
new file mode 100644
index 0000000..e28872e
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/port-bridge.te
@@ -0,0 +1,11 @@
+type port-bridge, domain;
+type port-bridge_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(port-bridge)
+
+r_dir_file(port-bridge, sysfs_msm_subsys)
+
+allow port-bridge sysfs_soc:dir search;
+allow port-bridge sysfs_soc:file r_file_perms;
+
+allow port-bridge at_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/qcom/common/property.te b/sepolicy/vendor/qcom/common/property.te
new file mode 100644
index 0000000..071ebc2
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/property.te
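Review bot: `allow platform_app hal_wlc:binder call;` is written as a raw binder rule while every other cross-domain binder grant in this commit uses `binder_call(...)`; the macro also covers `transfer` and fd use, which a bare `call` permission omits, so any callback registration or fd passing from hal_wlc back to the app would presumably be denied. Unless the narrower form is deliberate, `binder_call(platform_app, hal_wlc)` is the consistent choice; if it is deliberate, a comment saying so would stop the next reviewer from "fixing" it.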
@@ -0,0 +1,31 @@
+type vendor_camera_prop, property_type;
+type cnd_prop, property_type;
+type factory_ota_prop, property_type;
+type ims_prop, property_type;
+type vendor_ramdump_prop, property_type;
+type public_vendor_default_prop, property_type;
+type public_vendor_system_prop, property_type;
+type vendor_ssr_prop, property_type;
+type vendor_cnss_diag_prop, property_type;
+type vendor_tee_listener_prop, property_type;
+type vendor_thermal_prop, property_type;
+type vendor_modem_diag_prop, property_type;
+type vendor_usb_prop, property_type;
+type vendor_time_prop, property_type;
+type power_prop, property_type;
+type vendor_wifi_version, property_type;
+type per_mgr_state_prop, property_type;
+type vendor_bluetooth_prop, property_type;
+type vendor_net_radio_prop, property_type;
+type vendor_secure_element_prop, property_type;
+type vendor_device_prop, property_type;
+type vendor_radio_prop, property_type;
+type vendor_display_prop, property_type;
+type persist_nfc_prop, property_type;
+type vendor_bluetooth_log_prop, property_type;
+type vendor_usb_config_prop, property_type;
+type vendor_radio_sku_prop, property_type;
+type ctl_vendor_rmt_storage_prop, property_type;
+
+#imsrcsservice
+type ctl_vendor_imsrcsservice_prop, property_type;
diff --git a/sepolicy/vendor/qcom/common/property_contexts b/sepolicy/vendor/qcom/common/property_contexts
new file mode 100644
index 0000000..d54b8f0
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/property_contexts
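Review bot: Several of the new property types skip the `vendor_` prefix that the rest of the file uses (`cnd_prop`, `factory_ota_prop`, `ims_prop`, `power_prop`, `per_mgr_state_prop`, `persist_nfc_prop`), and `vendor_wifi_version` drops the `_prop` suffix, so a reader cannot tell vendor-owned property types from platform ones by name. Renaming now touches property_contexts and the .te files that reference them, so if that is too noisy for this commit, a short comment on each irregular line (`# legacy name, see <tracking id placeholder>`) or a follow-up rename would at least stop the naming from drifting further.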
@@ -0,0 +1,195 @@
+vendor.debug.camera. u:object_r:vendor_camera_prop:s0
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+persist.camera. u:object_r:vendor_camera_prop:s0
+ro.vendor.camera. u:object_r:vendor_camera_prop:s0
+persist.vendor.sys.cnd u:object_r:cnd_prop:s0
+ro.boot.sota u:object_r:factory_ota_prop:s0
+vendor.ims. u:object_r:ims_prop:s0
+persist.vendor.ims. u:object_r:ims_prop:s0
+persist.net.doxlat u:object_r:vendor_net_radio_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
+persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0
+vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
+vendor.thermal.vr_mode u:object_r:vendor_thermal_prop:s0
+vendor.thermal.hw_mode u:object_r:vendor_thermal_prop:s0
+ctl.vendor.thermal-engine u:object_r:vendor_thermal_prop:s0
+persist.vendor.sys.modem.diag. u:object_r:vendor_modem_diag_prop:s0
+vendor.sys.modem.diag. u:object_r:vendor_modem_diag_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
+persist.vendor.radio. u:object_r:radio_prop:s0
+ro.vendor.ril. u:object_r:radio_prop:s0
+vendor.qcom.time.set u:object_r:vendor_time_prop:s0
+vendor.usb. u:object_r:vendor_usb_prop:s0
+persist.vendor.usb. u:object_r:vendor_usb_prop:s0
+vendor.powerhal.state u:object_r:power_prop:s0
+vendor.powerhal.audio u:object_r:power_prop:s0
+vendor.powerhal.lpm u:object_r:power_prop:s0
+vendor.powerhal.init u:object_r:power_prop:s0
+sys.wlan.driver.version u:object_r:vendor_wifi_version:s0
+sys.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+vendor.peripheral. u:object_r:per_mgr_state_prop:s0
+vendor.ese. u:object_r:vendor_secure_element_prop:s0
+vendor.qcom.devup u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+sys.slpi.firmware.version u:object_r:public_vendor_system_prop:s0
+ctl.vendor.imsrcsservice u:object_r:ctl_vendor_imsrcsservice_prop:s0
+persist.vendor.usb.config u:object_r:vendor_usb_config_prop:s0
+vendor.usb.config u:object_r:vendor_usb_config_prop:s0
+ro.boot.hardware.radio.subtype u:object_r:vendor_radio_sku_prop:s0
+ctl.vendor.rmt_storage u:object_r:ctl_vendor_rmt_storage_prop:s0
+
+# vendor_default_prop
+audio_hal.in_period_size u:object_r:vendor_default_prop:s0
+audio_hal.period_multiplier u:object_r:vendor_default_prop:s0
+audio_hal.period_size u:object_r:vendor_default_prop:s0
+audio.adm.buffering.ms u:object_r:vendor_default_prop:s0
+audio.snd_card.open.retries u:object_r:vendor_default_prop:s0
+audio.usb.enable.debug u:object_r:vendor_default_prop:s0
+audio.volume.listener.dump u:object_r:vendor_default_prop:s0
+audio.volume.headset.gain.depcal u:object_r:vendor_default_prop:s0
+fpc_kpi u:object_r:vendor_default_prop:s0
+persist.audio.calfile0 u:object_r:vendor_default_prop:s0
+persist.audio.dualmic.config u:object_r:vendor_default_prop:s0
+persist.audio.fluence.speaker u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecall u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicecomm u:object_r:vendor_default_prop:s0
+persist.audio.fluence.voicerec u:object_r:vendor_default_prop:s0
+persist.cne.override.memlimit u:object_r:vendor_default_prop:s0
+persist.data_netmgrd_mtu u:object_r:vendor_default_prop:s0
+persist.data.df.agg.dl_pad u:object_r:vendor_default_prop:s0
+persist.data.df.agg.dl_pkt u:object_r:vendor_default_prop:s0
+persist.data.df.agg.dl_size u:object_r:vendor_default_prop:s0
+persist.data.df.dl_mode u:object_r:vendor_default_prop:s0
+persist.data.df.iwlan_mux u:object_r:vendor_default_prop:s0
+persist.data.df.mux_count u:object_r:vendor_default_prop:s0
+persist.data.df.ul_mode u:object_r:vendor_default_prop:s0
+persist.data.dont_use_epc u:object_r:vendor_default_prop:s0
+persist.data.dont_use_npflag u:object_r:vendor_default_prop:s0
+persist.data.dpm.enable u:object_r:vendor_default_prop:s0
+persist.data.dropssdp u:object_r:vendor_default_prop:s0
+persist.data.ibfc.enable u:object_r:vendor_default_prop:s0
+persist.vendor.data.iwlan.enable u:object_r:vendor_default_prop:s0
+persist.data.iwlan.ims.enable u:object_r:vendor_default_prop:s0
+persist.data.iwlan.rekey u:object_r:vendor_default_prop:s0
+persist.data.llf.enable u:object_r:vendor_default_prop:s0
+persist.data.netmgrd.qos.enable u:object_r:vendor_default_prop:s0
+persist.data.netmgrd.qos.hybrid u:object_r:vendor_default_prop:s0
+persist.data.netmgr.log_to_file u:object_r:vendor_default_prop:s0
+persist.data.netmgr.wl.timeout u:object_r:vendor_default_prop:s0
+persist.vendor.data.port_bridge.log u:object_r:vendor_default_prop:s0
+persist.data.profile_update u:object_r:vendor_default_prop:s0
+persist.data.target.msm8998 u:object_r:vendor_default_prop:s0
+persist.data.tcpackprio.enable u:object_r:vendor_default_prop:s0
+persist.data.wda.enable u:object_r:vendor_default_prop:s0
+persist.debug.sensors.daemon u:object_r:vendor_default_prop:s0
+persist.debug.sensors.hal_diag_logging u:object_r:vendor_default_prop:s0
+persist.debug.sensors.hal u:object_r:vendor_default_prop:s0
+persist.hwc.blit.comp u:object_r:vendor_default_prop:s0
+persist.metadata_dynfps.disable u:object_r:vendor_default_prop:s0
+persist.msmirqbalance.debug u:object_r:vendor_default_prop:s0
+persist.vendor.net.logmask u:object_r:vendor_default_prop:s0
+persist.rmnet.data.enable u:object_r:vendor_default_prop:s0
+qcom.bluetooth.soc u:object_r:vendor_default_prop:s0
+qdcm.diagonal_matrix_mode u:object_r:vendor_default_prop:s0
+qdcm.only_pcc_for_trans u:object_r:vendor_default_prop:s0
+ro.build.software.version u:object_r:vendor_default_prop:s0
+ro.camera.wrapper.hal3TrebleMinorVersion u:object_r:vendor_default_prop:s0
+ro.fota.oem u:object_r:vendor_default_prop:s0
+ro.lean u:object_r:vendor_default_prop:s0
+ro.qcom.ad u:object_r:vendor_default_prop:s0
+ro.qc.sdk.audio.fluencetype u:object_r:vendor_default_prop:s0
+ro.qualcomm.cabl u:object_r:vendor_default_prop:s0
+ro.qualcomm.foss u:object_r:vendor_default_prop:s0
+ro.qualcomm.svi u:object_r:vendor_default_prop:s0
+sdm.debug.disable_avr u:object_r:vendor_default_prop:s0
+sdm.composition_simulation u:object_r:vendor_default_prop:s0
+sdm.debug.disable_dest_scalar u:object_r:vendor_default_prop:s0
+sdm.debug.disable_display_ubwc_ff_voting u:object_r:vendor_default_prop:s0
+sdm.debug.disable_fb_cropping u:object_r:vendor_default_prop:s0
+sdm.debug.disable_inline_rotator u:object_r:vendor_default_prop:s0
+sdm.debug.disable_inline_rotator_secure u:object_r:vendor_default_prop:s0
+sdm.debug.disable_multirect u:object_r:vendor_default_prop:s0
+sdm.debug.disable_partial_split u:object_r:vendor_default_prop:s0
+sdm.debug.disable_rotator_split u:object_r:vendor_default_prop:s0
+sdm.debug.disable_scalar u:object_r:vendor_default_prop:s0
+sdm.debug.disable_skip_validate u:object_r:vendor_default_prop:s0
+sdm.debug.prefersplit u:object_r:vendor_default_prop:s0
+sdm.debug.prioritize_cache u:object_r:vendor_default_prop:s0
+sdm.debug.reduced_config u:object_r:vendor_default_prop:s0
+sdm.debug.rotator_disable_ubwc u:object_r:vendor_default_prop:s0
+sdm.debug.rotator_downscale u:object_r:vendor_default_prop:s0
+sdm.disable_decimation u:object_r:vendor_default_prop:s0
+sdm.disable_hdr_lut_gen u:object_r:vendor_default_prop:s0
+sdm.fb_size_width u:object_r:vendor_default_prop:s0
+sdm.fb_size_height u:object_r:vendor_default_prop:s0
+sdm.idle_time u:object_r:vendor_default_prop:s0
+sdm.idle_time.inactive u:object_r:vendor_default_prop:s0
+sdm.max_external_layers u:object_r:vendor_default_prop:s0
+sdm.max_upscale u:object_r:vendor_default_prop:s0
+sdm.mixer_resolution u:object_r:vendor_default_prop:s0
+sdm.primary.mixer_stages u:object_r:vendor_default_prop:s0
+sdm.virtual.mixer_stages u:object_r:vendor_default_prop:s0
+sdm.video_mode_panel u:object_r:vendor_default_prop:s0
+sdm.drop_skewed_vsync u:object_r:vendor_default_prop:s0
+sys.disable_ext_animation u:object_r:vendor_default_prop:s0
+sys.hwc_disable_hdr u:object_r:vendor_default_prop:s0
+
+# public_vendor_default_prop
+fastrpc.debug.trace u:object_r:public_vendor_default_prop:s0
+fastrpc.perf.kernel u:object_r:public_vendor_default_prop:s0
+fastrpc.perf.adsp u:object_r:public_vendor_default_prop:s0
+fastrpc.perf.freq u:object_r:public_vendor_default_prop:s0
+fastrpc.process.attrs u:object_r:public_vendor_default_prop:s0
+persist.vendor.cne.feature u:object_r:public_vendor_default_prop:s0
+persist.cne.logging.qxdm u:object_r:public_vendor_default_prop:s0
+persist.vendor.cnd.wqe u:object_r:public_vendor_default_prop:s0
+persist.vendor.qti.telephony.vt_cam_interface u:object_r:public_vendor_default_prop:s0
+ro.boot.hardware.platform u:object_r:public_vendor_default_prop:s0
+ro.graphics.memory u:object_r:public_vendor_default_prop:s0
+
+# vendor_radio_prop
+persist.radio.RATE_ADAPT_ENABLE u:object_r:vendor_radio_prop:s0
+persist.radio.ROTATION_ENABLE u:object_r:vendor_radio_prop:s0
+persist.radio.VT_ENABLE u:object_r:vendor_radio_prop:s0
+persist.radio.VT_HYBRID_ENABLE u:object_r:vendor_radio_prop:s0
+persist.radio.smlog_switch u:object_r:vendor_radio_prop:s0
+persist.radio.videopause.mode u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.apm_sim_not_pwdn u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.custom_ecc u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.data_con_rprt u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.data_ltd_sys_ind u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.is_wps_enabled u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.sib16_support u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.snapshot_enabled u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.snapshot_timer u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.relay_oprt_change u:object_r:vendor_radio_prop:s0
+persist.vendor.radio.uicc_se_enabled u:object_r:vendor_radio_prop:s0
+ro.radio.log_loc u:object_r:vendor_radio_prop:s0
+ro.radio.log_prefix u:object_r:vendor_radio_prop:s0
+
+# vendor_bluetooth_prop
+persist.vendor.bluetooth.a4wp u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.bluetooth.csoc.cnt u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.service.bdroid.fwsnoop u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.service.bdroid.sibs u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.service.bdroid.snooplog u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.service.bdroid.soclog u:object_r:vendor_bluetooth_prop:s0
+persist.vendor.service.bdroid.ssrlvl u:object_r:vendor_bluetooth_prop:s0
+ro.vendor.bluetooth.emb_wp_mode u:object_r:vendor_bluetooth_prop:s0
+ro.vendor.bluetooth.wipower u:object_r:vendor_bluetooth_prop:s0
+
+#Display
+vendor.gralloc.map_fb_memory u:object_r:vendor_display_prop:s0
+vendor.gralloc.disable_ubwc u:object_r:vendor_display_prop:s0
+vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s0
+vendor.debug.egl.changepixelformat u:object_r:vendor_display_prop:s0
+vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0
+
+# persist_nfc_prop
+persist.nfc. u:object_r:persist_nfc_prop:s0
+
+# Pixel Logger (Bluetooth)
+vendor.sys.logger.bluetooth u:object_r:vendor_bluetooth_log_prop:s0
diff --git a/sepolicy/vendor/qcom/common/qlogd.te b/sepolicy/vendor/qcom/common/qlogd.te
new file mode 100644
index 0000000..e000ecb
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/qlogd.te
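Review bot: `persist.vendor.radio. u:object_r:radio_prop:s0` and `ro.vendor.ril. u:object_r:radio_prop:s0` give vendor-namespaced prefixes the platform `radio_prop` label, while the `# vendor_radio_prop` section further down labels individual `persist.vendor.radio.*` keys with the vendor type declared in property.te; as a result any new `persist.vendor.radio.*` key presumably falls back to the platform label rather than the vendor one, and the hunk gives no reason for the split. A comment above the two prefix lines stating whether that fallback is intended (`# prefix deliberately left as radio_prop: <reason>`) or, if not, changing them to `vendor_radio_prop`, would settle it. Many entries under `# vendor_default_prop` (`persist.data.*`, `sdm.*`, `ro.qualcomm.*`) are likewise not vendor-namespaced, which is the legacy that the `system_writes_vendor_properties_violators` attribute in radio.te exists to tolerate; a pointer to that relationship in this file's header would help the next maintainer.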
@@ -0,0 +1,15 @@
+type qlogd, domain;
+type qlogd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(qlogd)
+
+ allow qlogd diag_device:chr_file rw_file_perms;
+ allow qlogd qlogd_exec:file rx_file_perms;
+
+ allow qlogd radio_vendor_data_file:file create_file_perms;
+ allow qlogd radio_vendor_data_file:dir create_dir_perms;
+
+ set_prop(qlogd, vendor_modem_diag_prop)
+')
diff --git a/sepolicy/vendor/qcom/common/qtelephony.te b/sepolicy/vendor/qcom/common/qtelephony.te
new file mode 100644
index 0000000..e9a0073
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/qtelephony.te
@@ -0,0 +1,9 @@
+# Qualcomm telephony apps, such as AtFwd and FastDormancy
+type qtelephony, domain;
+
+app_domain(qtelephony)
+
+hwbinder_use(qtelephony)
+add_hwservice(qtelephony, vnd_atcmdfwd_hwservice)
+
+allow qtelephony app_api_service:service_manager find;
diff --git a/sepolicy/vendor/qcom/common/qti.te b/sepolicy/vendor/qcom/common/qti.te
new file mode 100644
index 0000000..7f221b8
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/qti.te
@@ -0,0 +1,18 @@
+type qti, domain;
+type qti_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(qti)
+net_domain(qti)
+
+allow qti sysfs_soc:dir search;
+allow qti sysfs_soc:file r_file_perms;
+
+allow qti smd_device:chr_file { read write };
+allow qti rmnet_device:chr_file rw_file_perms;
+
+allow qti self:socket create_socket_perms;
+allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
+
+r_dir_file(qti, sysfs_msm_subsys)
+
+dontaudit qti kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/radio.te b/sepolicy/vendor/qcom/common/radio.te
new file mode 100644
index 0000000..4e33dfe
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/radio.te
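Review bot: `add_hwservice(qtelephony, vnd_atcmdfwd_hwservice)` in qtelephony.te makes an `app_domain` type a hwservice provider, which is unusual for an app and is not explained; the header comment names AtFwd and FastDormancy but does not say which one registers the service. Extending the comment to something like `# AtFwd registers vnd_atcmdfwd_hwservice over hwbinder` (if that is the case) would make the rule self-explanatory to the next reviewer. The same file grants `app_api_service:service_manager find`, so the app talks to both binder and hwbinder; a one-line note on why it needs both would complete the picture.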
@@ -0,0 +1,28 @@
+typeattribute radio system_writes_vendor_properties_violators;
+
+get_prop(radio, ims_prop)
+get_prop(radio, vendor_radio_prop)
+
+allow radio vendor_file:lnk_file r_file_perms;
+allow radio vendor_framework_file:file r_file_perms;
+allow radio vendor_framework_file:dir search;
+
+hwbinder_use(radio)
+allow radio vnd_ims_radio_hwservice:hwservice_manager find;
+allow radio vnd_qcrilhook_hwservice:hwservice_manager find;
+allow radio hal_imsrtp_hwservice:hwservice_manager find;
+allow radio hal_radioext_hwservice:hwservice_manager find;
+
+add_service(radio, radio_service)
+allow radio {
+ mediaextractor_service
+ mediacodec_service
+}:service_manager find;
+
+r_dir_file(radio, sysfs_msm_subsys)
+
+# IMS needs permission to use avtimer
+allow radio avtimer_device:chr_file r_file_perms;
+
+binder_call(radio, hal_imsrtp)
+binder_call(radio, hal_radioext_default)
diff --git a/sepolicy/vendor/qcom/common/ramdump.te b/sepolicy/vendor/qcom/common/ramdump.te
new file mode 100644
index 0000000..9d22aa5
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ramdump.te
@@ -0,0 +1,26 @@
+type ramdump_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type ramdump, domain;
+ init_daemon_domain(ramdump)
+
+ set_prop(ramdump, vendor_ramdump_prop)
+
+ allow ramdump self:capability sys_rawio;
+
+ allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump {
+ proc
+ proc_cmdline
+ }:file r_file_perms;
+
+ allow ramdump block_device:dir search;
+ allow ramdump misc_block_device:blk_file rw_file_perms;
+ allow ramdump userdata_block_device:blk_file rw_file_perms;
+
+ # read from /fstab.sdm845
+ allow ramdump rootfs:file r_file_perms;
+
+ r_dir_file(ramdump, sysfs_type)
+')
diff --git a/sepolicy/vendor/qcom/common/ramdump_app.te b/sepolicy/vendor/qcom/common/ramdump_app.te
new file mode 100644
index 0000000..b511c3b
--- /dev/null
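Review bot: `typeattribute radio system_writes_vendor_properties_violators;` on the first line of radio.te is not matched by any `set_prop` on a vendor property in this file; the hunk only adds `get_prop` for ims_prop and vendor_radio_prop, which do not need the exemption. If the write happens elsewhere in the policy, a comment naming the property would keep the exemption auditable; if it does not, the attribute can be dropped, since it is the Treble property-boundary escape hatch and is meant to shrink over time. I cannot see the rest of the policy from this hunk, so the write may well exist in another file.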
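Review bot: `allow ramdump userdata_block_device:blk_file rw_file_perms;` and the `misc_block_device` rule above it in ramdump.te grant raw write access to partition devices, and the hunk gives no comment on why a crash-dump collector needs write rather than read. The block is gated by `userdebug_or_eng`, so it does not ship in user builds, but a one-line comment such as `# write access to misc/userdata is required for <reason>` would keep the broad grant from being copied into an ungated file later. If only read is needed, `r_file_perms` would be the narrower rule.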
+++ b/sepolicy/vendor/qcom/common/ramdump_app.te
@@ -0,0 +1,15 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+ allow ramdump_app surfaceflinger_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+ allow ramdump_app wifidump_vendor_data_file:file r_file_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop);
+ get_prop(system_app, vendor_ssr_prop)
+')
diff --git a/sepolicy/vendor/qcom/common/rfs_access.te b/sepolicy/vendor/qcom/common/rfs_access.te
new file mode 100644
index 0000000..280ab02
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/rfs_access.te
@@ -0,0 +1,30 @@
+type rfs_access, domain;
+type rfs_access_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rfs_access)
+
+#For tftp server
+allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service };
+
+wakelock_use(rfs_access)
+
+r_dir_file(rfs_access, firmware_file);
+
+# For tftp server file access
+allow rfs_access mnt_vendor_file:dir search;
+allow rfs_access mnt_vendor_file:file r_file_perms;
+allow rfs_access persist_file:dir search;
+allow rfs_access persist_rfs_file:dir create_dir_perms;
+allow rfs_access persist_rfs_file:file create_file_perms;
+allow rfs_access mpss_rfs_data_file:dir create_dir_perms;
+allow rfs_access mpss_rfs_data_file:file create_file_perms;
+allow rfs_access rfs_tombstone_data_file:dir create_dir_perms;
+allow rfs_access rfs_tombstone_data_file:file create_file_perms;
+
+allow rfs_access self:socket create_socket_perms_no_ioctl;
+userdebug_or_eng(`
+allow rfs_access wifidump_vendor_data_file:dir rw_dir_perms;
+allow rfs_access wifidump_vendor_data_file:file create_file_perms;
+')
+
+dontaudit rfs_access kernel:system module_request;
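Review bot: `get_prop(system_app, vendor_ssr_prop)` near the end of ramdump_app.te grants the property to the system_app domain from a file that otherwise only configures ramdump_app, which reads like a copy-paste of the subject; if the ramdump app is meant to read the SSR property, the line should be `get_prop(ramdump_app, vendor_ssr_prop)`. If system_app genuinely needs it, the rule belongs in system_app.te with a comment, where a reviewer of that domain will see it. Separately, `set_prop(ramdump_app, vendor_ramdump_prop);` carries a trailing semicolon while the neighbouring macro calls do not; the same inconsistency appears in rfs_access.te, secure_ui_service_app.te, ssr_diag.te, ssr_setup.te, subsystem_ramdump.te, time_daemon.te and timeservice_app.te, and picking one convention across the new files would help.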
diff --git a/sepolicy/vendor/qcom/common/rild.te b/sepolicy/vendor/qcom/common/rild.te
new file mode 100644
index 0000000..e82e1a3
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/rild.te
@@ -0,0 +1,32 @@
+binder_call(rild, per_mgr)
+
+vndbinder_use(rild)
+
+allow rild netmgrd_socket:dir search;
+unix_socket_connect(rild, netmgrd, netmgrd)
+
+allow rild vendor_file:file { execute_no_trans lock ioctl };
+
+allow rild per_mgr_service:service_manager find;
+
+add_hwservice(rild, vnd_ims_radio_hwservice)
+add_hwservice(rild, vnd_qcrilhook_hwservice)
+
+allow rild self:socket ioctl;
+allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
+allow rild time_daemon:unix_stream_socket connectto;
+
+userdebug_or_eng(`
+ domain_auto_trans(rild, smlog_dump_exec, smlog_dump)
+')
+
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+
+get_prop(rild, factory_ota_prop)
+set_prop(rild, vendor_radio_prop)
+
+# Allow vendor native process to read the proc file of xt_qtaguid
+allow rild proc_qtaguid_stat:file r_file_perms;
+
+hal_server_domain(rild, hal_secure_element)
diff --git a/sepolicy/vendor/qcom/common/rmt_storage.te b/sepolicy/vendor/qcom/common/rmt_storage.te
new file mode 100644
index 0000000..4363f1c
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/rmt_storage.te
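Review bot: `allow rild vendor_file:file { execute_no_trans lock ioctl };` lets rild execute any file labelled vendor_file inside its own domain, which is far wider than one helper binary and means any future vendor executable run this way inherits rild's privileges. If a specific program is executed, labelling it with its own exec type and granting `rx_file_perms` on that type (or using `domain_auto_trans`, as the hunk already does for smlog_dump) would be the least-privilege form; if the broad grant is unavoidable, a comment naming the binary would at least make the rule reviewable. `hal_server_domain(rild, hal_secure_element)` at the end would also benefit from a comment stating that rild hosts the secure element HAL on this platform.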
@@ -0,0 +1,33 @@
+type rmt_storage, domain;
+type rmt_storage_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rmt_storage)
+
+wakelock_use(rmt_storage)
+
+r_dir_file(rmt_storage, sysfs_msm_subsys)
+
+set_prop(rmt_storage, ctl_vendor_rmt_storage_prop)
+
+allow rmt_storage self:capability { net_bind_service setgid setpcap setuid };
+
+allow rmt_storage modem_block_device:blk_file rw_file_perms;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+allow rmt_storage block_device:dir search;
+
+allow rmt_storage sysfs_uio:dir r_dir_perms;
+allow rmt_storage sysfs_uio:lnk_file r_file_perms;
+
+allow rmt_storage sysfs_rmtfs:dir search;
+allow rmt_storage sysfs_rmtfs:file r_file_perms;
+allow rmt_storage sysfs_rmtfs:dir search;
+
+allow rmt_storage self:socket create_socket_perms;
+allowxperm rmt_storage self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
+
+allow rmt_storage kmsg_device:chr_file w_file_perms;
+
+allow rmt_storage modem_fdr_file:dir rw_dir_perms;
+allow rmt_storage modem_fdr_file:file create_file_perms;
+
+dontaudit rmt_storage kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/seapp_contexts b/sepolicy/vendor/qcom/common/seapp_contexts
new file mode 100644
index 0000000..f5f6dca
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/seapp_contexts
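Review bot: `allow rmt_storage sysfs_rmtfs:dir search;` appears twice in rmt_storage.te, once before and once after the `sysfs_rmtfs:file r_file_perms` rule; the second copy is redundant and should be dropped. If read access to the directory entries is also wanted the pair could become `r_dir_file(rmt_storage, sysfs_rmtfs)`, otherwise the explicit `search` plus `r_file_perms` pair is the narrower choice.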
@@ -0,0 +1,39 @@
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
+user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+user=_app seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=app_data_file levelFrom=all
+
+#Add new domain for DataServices
+# Domain for CNEService , uceShimService and other connectivity services
+user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file
+
+# The default domain for tango_core process
+user=_app seinfo=tango name=com.google.tango domain=tango_core type=app_data_file levelFrom=user
+user=_app seinfo=tango name=com.google.tango.* domain=tango_core type=app_data_file levelFrom=user
+
+# A fallback in case tango_core is missing something critical that untrusted_app provides
+user=_app seinfo=tango name=com.google.tango:app domain=untrusted_app type=app_data_file levelFrom=user
+
+# Factory OTA
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
+
+# Hardware Info Collection
+user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
+user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
+
+#Needed for time service apk
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file
+
+# Domain for easelservice app
+user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=easelservice_app type=app_data_file levelFrom=user
+
+#Domain for connectivity monitor
+user=radio seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# Domain for modem diagnostic system
+user=_app seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all
diff --git a/sepolicy/vendor/qcom/common/secure_ui_service_app.te b/sepolicy/vendor/qcom/common/secure_ui_service_app.te
new file mode 100644
index 0000000..2130553
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/secure_ui_service_app.te
@@ -0,0 +1,12 @@
+type secure_ui_service_app, domain;
+app_domain(secure_ui_service_app);
+
+binder_use(secure_ui_service_app);
+hwbinder_use(secure_ui_service_app);
+binder_call(secure_ui_service_app, hal_tui_comm);
+binder_call(secure_ui_service_app, surfaceflinger);
+binder_call(secure_ui_service_app, system_server);
+
+allow secure_ui_service_app hal_tui_comm_hwservice:hwservice_manager find;
+
+allow secure_ui_service_app app_api_service:service_manager find;
diff --git a/sepolicy/vendor/qcom/common/sensors.te b/sepolicy/vendor/qcom/common/sensors.te
new file mode 100644
index 0000000..a9c68bf
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/sensors.te
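Review bot: The `factory_ota_app` and `secure_ui_service_app` entries in seapp_contexts omit the `type=` field that every other entry in the hunk spells out, so their app data files receive the default type rather than an explicitly chosen one. If that is intentional, a short comment on each line would make it clear; otherwise `type=app_data_file` would match the rest of the file. The `name=com.qualcomm.qti.services.secureui*` prefix match would also benefit from a comment naming the packages it is expected to cover, since the wildcard is constrained only by `seinfo=platform`.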
@@ -0,0 +1,43 @@
+# Policy for sensor daemon
+type sensors, domain;
+type sensors_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(sensors)
+
+allow sensors self:capability {
+ setuid
+ setgid
+ net_bind_service
+};
+
+allow sensors self:socket create_socket_perms;
+allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;
+
+allow sensors persist_sensors_file:dir rw_dir_perms;
+allow sensors persist_sensors_file:file create_file_perms;
+allow sensors mnt_vendor_file:dir { getattr search };
+allow sensors persist_file:dir search;
+
+allow sensors system_file:dir r_dir_perms;
+allow sensors sensors_device:chr_file rw_file_perms;
+
+# sensor direct mode
+allow sensors qdsp_device:chr_file ioctl;
+
+allow sensors sysfs_soc:dir search;
+allow sensors sysfs_soc:file r_file_perms;
+r_dir_file(sensors, sysfs_msm_subsys)
+
+allow sensors ion_device:chr_file r_file_perms;
+allow sensors qdsp_device:chr_file r_file_perms;
+
+# Allow to getprop persist.vendor.sys.modem.diag.mdlog
+get_prop(sensors, vendor_modem_diag_prop)
+
+# Allow to read /sys/class/power_supply/usb/input_current_now
+r_dir_file(sensors, sysfs_batteryinfo)
+
+# For reading dir/files on /dsp
+r_dir_file(sensors, adsprpcd_file)
+
+dontaudit sensors kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/service.te b/sepolicy/vendor/qcom/common/service.te
new file mode 100644
index 0000000..2b24fe4
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/service.te
@@ -0,0 +1 @@
+type imsuce_service, service_manager_type;
diff --git a/sepolicy/vendor/qcom/common/service_contexts b/sepolicy/vendor/qcom/common/service_contexts
new file mode 100644
index 0000000..49215db
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/service_contexts
@@ -0,0 +1,2 @@
+com.fingerprints.extension.IFingerprintNavigation u:object_r:fingerprint_service:s0
+com.qualcomm.qti.uceservice u:object_r:imsuce_service:s0
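Review bot: `allow sensors qdsp_device:chr_file ioctl;` under the `# sensor direct mode` comment in sensors.te is already covered by the later `allow sensors qdsp_device:chr_file r_file_perms;`, since `r_file_perms` in the AOSP global macros includes `ioctl`; the two rules can be merged into one line that keeps the comment. If the qdsp driver exposes more ioctls than the sensors daemon needs, an `allowxperm sensors qdsp_device:chr_file ioctl { … }` restriction would narrow it, but I cannot tell from this hunk whether such a rule exists elsewhere.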
diff --git a/sepolicy/vendor/qcom/common/shell.te b/sepolicy/vendor/qcom/common/shell.te
new file mode 100644
index 0000000..7496c42
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/shell.te
@@ -0,0 +1,2 @@
+# To allow non-root to find power_supply management info
+allow shell sysfs_msm_subsys:dir search;
diff --git a/sepolicy/vendor/qcom/common/smlog_dump.te b/sepolicy/vendor/qcom/common/smlog_dump.te
new file mode 100644
index 0000000..bc8d94b
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/smlog_dump.te
@@ -0,0 +1,27 @@
+type smlog_dump_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type smlog_dump, domain;
+ allow smlog_dump modem_dump_file:dir create_dir_perms;
+ allow smlog_dump modem_dump_file:file create_file_perms;
+ r_dir_file(smlog_dump, sysfs_uio)
+ r_dir_file(smlog_dump, sysfs_rmtfs)
+
+ allow smlog_dump diag_device:chr_file rw_file_perms;
+ allow smlog_dump radio_vendor_data_file:file { append read write };
+ allow smlog_dump rild:fd use;
+ allow smlog_dump rild:fifo_file { read write };
+ allow smlog_dump rild:unix_stream_socket { read write };
+ allow smlog_dump rild:netlink_generic_socket { read write };
+ allow smlog_dump self:socket create_socket_perms;
+ allowxperm smlog_dump self:socket ioctl msm_sock_ipc_ioctls;
+ allow smlog_dump sysfs:dir r_dir_perms;
+ allow smlog_dump sysfs_msm_subsys:dir r_dir_perms;
+ allow smlog_dump sysfs_msm_subsys:file r_file_perms;
+ allow smlog_dump sysfs_msm_subsys:lnk_file read;
+ allow smlog_dump sysfs_soc:dir search;
+ allow smlog_dump sysfs_soc:file r_file_perms;
+ allow smlog_dump dumpstate:fd use;
+ allow smlog_dump hal_dumpstate_impl:fd use;
+ allow smlog_dump uio_device:chr_file rw_file_perms;
+')
diff --git a/sepolicy/vendor/qcom/common/ssr_detector.te b/sepolicy/vendor/qcom/common/ssr_detector.te
new file mode 100644
index 0000000..a5ffd3b
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ssr_detector.te
@@ -0,0 +1,21 @@
+# SSRestartDetector app
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+
+userdebug_or_eng(`
+ allow ssr_detector_app ramdump_vendor_data_file:dir r_dir_perms;
+ allow ssr_detector_app ramdump_vendor_data_file:file r_file_perms;
+ get_prop(ssr_detector_app, vendor_ssr_prop)
+ get_prop(ssr_detector_app, vendor_wifi_version)
+')
+
+allow ssr_detector_app app_api_service:service_manager find;
+
+# ssr_detector app's data type is system_app_data_file.
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+allow ssr_detector_app sysfs:lnk_file r_file_perms;
+
+r_dir_file(ssr_detector_app, sysfs_msm_subsys)
diff --git a/sepolicy/vendor/qcom/common/ssr_diag.te b/sepolicy/vendor/qcom/common/ssr_diag.te
new file mode 100644
index 0000000..45a3ee2
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ssr_diag.te
@@ -0,0 +1,4 @@
+type ssr_diag, domain;
+type ssr_diag_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ssr_diag);
diff --git a/sepolicy/vendor/qcom/common/ssr_setup.te b/sepolicy/vendor/qcom/common/ssr_setup.te
new file mode 100644
index 0000000..acc9fa7
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ssr_setup.te
@@ -0,0 +1,10 @@
+type ssr_setup, domain;
+type ssr_setup_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(ssr_setup);
+
+allow ssr_setup sysfs_msm_subsys:dir r_dir_perms;
+allow ssr_setup sysfs_msm_subsys:file rw_file_perms;
+allow ssr_setup sysfs_msm_subsys:lnk_file read;
+
+get_prop(ssr_setup, vendor_ssr_prop)
diff --git a/sepolicy/vendor/qcom/common/subsystem_ramdump.te b/sepolicy/vendor/qcom/common/subsystem_ramdump.te
new file mode 100644
index 0000000..9b65cb1
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/subsystem_ramdump.te
@@ -0,0 +1,29 @@
+type subsystem_ramdump_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type subsystem_ramdump, domain;
+
+ init_daemon_domain(subsystem_ramdump);
+
+ allow subsystem_ramdump device:dir r_dir_perms;
+ allow subsystem_ramdump ramdump_device:chr_file r_file_perms;
+
+ r_dir_file(subsystem_ramdump, sysfs_type);
+
+ allow subsystem_ramdump ramdump_vendor_data_file:dir rw_dir_perms;
+ allow subsystem_ramdump ramdump_vendor_data_file:file create_file_perms;
+
+ allow subsystem_ramdump wifidump_vendor_data_file:dir { r_dir_perms remove_name write };
+ allow subsystem_ramdump wifidump_vendor_data_file:file { r_file_perms rename setattr unlink };
+ allow subsystem_ramdump diag_device:chr_file rw_file_perms;
+ allow subsystem_ramdump self:socket create_socket_perms;
+ allowxperm subsystem_ramdump self:socket ioctl msm_sock_ipc_ioctls;
+ allow subsystem_ramdump self:capability { fowner };
+
+ allow subsystem_ramdump ssr_log_file:dir rw_dir_perms;
+ allow subsystem_ramdump ssr_log_file:file create_file_perms;
+
+ set_prop(subsystem_ramdump, vendor_ssr_prop);
+
+ dontaudit subsystem_ramdump kernel:system module_request;
+')
diff --git a/sepolicy/vendor/qcom/common/surfaceflinger.te b/sepolicy/vendor/qcom/common/surfaceflinger.te
new file mode 100644
index 0000000..79c6a9d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/surfaceflinger.te
@@ -0,0 +1,5 @@
+dontaudit surfaceflinger vendor_file:file read;
+dontaudit surfaceflinger kernel:system module_request;
+dontaudit surfaceflinger vendor_default_prop:file read;
+userdebug_or_eng(`get_prop(surfaceflinger, vendor_display_prop)')
+allow surfaceflinger debugfs_ion:dir search;
diff --git a/sepolicy/vendor/qcom/common/system_app.te b/sepolicy/vendor/qcom/common/system_app.te
new file mode 100644
index 0000000..98d25c7
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/system_app.te
@@ -0,0 +1,3 @@
+typeattribute system_app system_writes_vendor_properties_violators;
+
+set_prop(system_app, vendor_bluetooth_prop)
diff --git a/sepolicy/vendor/qcom/common/system_server.te b/sepolicy/vendor/qcom/common/system_server.te
new file mode 100644
index 0000000..16c0c92
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/system_server.te
@@ -0,0 +1,14 @@
+allow system_server self:socket ioctl;
+allowxperm system_server self:socket ioctl msm_sock_ipc_ioctls;
+
+binder_call(system_server, hal_camera_default)
+binder_call(system_server, mm-pp-daemon)
+
+allow system_server persist_file:dir search;
+allow system_server persist_sensors_file:dir search;
+allow system_server persist_sensors_file:file r_file_perms;
+allow system_server wlan_device:chr_file rw_file_perms;
+
+dontaudit system_server self:capability sys_module;
+
+dontaudit system_server vendor_display_prop:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/tango_core.te b/sepolicy/vendor/qcom/common/tango_core.te
new file mode 100644
index 0000000..4a736eb
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/tango_core.te
@@ -0,0 +1,13 @@
+type tango_core, domain;
+
+app_domain(tango_core)
+
+allow tango_core persist_file:dir search;
+allow tango_core persist_sensors_file:dir search;
+allow tango_core persist_sensors_file:file { getattr open read };
+allow tango_core qdsp_device:chr_file { ioctl open read };
+allow tango_core vendor_file:file { getattr open read };
+
+allow tango_core app_api_service:service_manager find;
+allow tango_core surfaceflinger_service:service_manager find;
+allow tango_core cameraserver_service:service_manager find;
diff --git a/sepolicy/vendor/qcom/common/tee.te b/sepolicy/vendor/qcom/common/tee.te
new file mode 100644
index 0000000..e0b198f
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/tee.te
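Review bot: `allow system_server wlan_device:chr_file rw_file_perms;` in system_server.te gives a core system domain direct read/write on a vendor character device, crossing the system/vendor boundary that the HAL layering exists to avoid, and the hunk carries no comment on which feature needs it. A one-line comment naming the consumer, or routing the access through the wifi HAL, would make the exception reviewable. The `binder_call(system_server, hal_camera_default)` and `binder_call(system_server, mm-pp-daemon)` lines are similar direct system-to-vendor links and deserve the same short justification.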
@@ -0,0 +1,31 @@
+allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
+
+allow tee device:dir r_dir_perms;
+
+set_prop(tee, vendor_tee_listener_prop)
+get_prop(tee, hwservicemanager_prop)
+
+hwbinder_use(tee)
+vndbinder_use(tee)
+
+binder_call(tee, hal_tui_comm)
+binder_call(tee, hal_graphics_composer_default)
+allow tee hal_tui_comm_hwservice:hwservice_manager find;
+allow tee qdisplay_service:service_manager find;
+allow tee vendor_tui_data_file:file rw_file_perms;
+allow tee vendor_tui_data_file:dir search;
+
+allow tee block_device:dir { getattr search };
+allow tee ssd_block_device:blk_file rw_file_perms;
+allow tee sg_device:chr_file { rw_file_perms setattr };
+
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+allow tee persist_data_file:dir create_dir_perms;
+allow tee persist_data_file:file create_file_perms;
+
+allow tee time_daemon:unix_stream_socket connectto;
+
+allow tee hal_graphics_allocator_default:fd use;
diff --git a/sepolicy/vendor/qcom/common/thermal-engine.te b/sepolicy/vendor/qcom/common/thermal-engine.te
new file mode 100644
index 0000000..5953c17
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/thermal-engine.te
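Review bot: `allow tee self:capability { chown setgid setuid sys_admin sys_rawio };` on the first line of tee.te grants sys_admin, which covers a very wide set of kernel operations, without a comment saying which one the TEE daemon actually performs. A short comment naming the operation would let a later reviewer confirm it is still required, and combined with `sys_rawio`, `ssd_block_device:blk_file rw_file_perms` and `sg_device:chr_file { rw_file_perms setattr }` this is one of the most privileged domains in the change. The `persist_data_file:dir create_dir_perms` and `persist_data_file:file create_file_perms` rules are likewise unexplained and would benefit from the same treatment.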
@@ -0,0 +1,37 @@
+type thermal-engine, domain;
+type thermal-engine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(thermal-engine)
+
+allow thermal-engine self:capability2 block_suspend;
+
+# to read /sys/devices
+allow thermal-engine sysfs:dir r_dir_perms;
+
+allow thermal-engine sysfs_msm_subsys:dir r_dir_perms;
+allow thermal-engine sysfs_msm_subsys:file rw_file_perms;
+allow thermal-engine sysfs_soc:dir search;
+allow thermal-engine sysfs_soc:file r_file_perms;
+allow thermal-engine sysfs_thermal:dir r_dir_perms;
+allow thermal-engine sysfs_thermal:file rw_file_perms;
+allow thermal-engine sysfs_rmtfs:dir search;
+allow thermal-engine sysfs_rmtfs:file r_file_perms;
+
+allow thermal-engine audio_device:chr_file rw_file_perms;
+
+r_dir_file(thermal-engine, sysfs_leds)
+r_dir_file(thermal-engine, sysfs_msm_subsys)
+r_dir_file(thermal-engine, sysfs_uio)
+r_dir_file(thermal-engine, sysfs_batteryinfo)
+
+allow thermal-engine self:netlink_kobject_uevent_socket { create setopt bind read };
+
+allow thermal-engine self:socket create_socket_perms;
+allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
+
+# reboot/shutdown for thermal limits exceeded
+set_prop(thermal-engine, powerctl_prop)
+
+allow thermal-engine self:capability2 wake_alarm;
+
+dontaudit thermal-engine kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/time_daemon.te b/sepolicy/vendor/qcom/common/time_daemon.te
new file mode 100644
index 0000000..d77bc57
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/time_daemon.te
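Review bot: `r_dir_file(thermal-engine, sysfs_msm_subsys)` in the middle of thermal-engine.te duplicates the earlier explicit `allow thermal-engine sysfs_msm_subsys:dir r_dir_perms;` and is subsumed by the `sysfs_msm_subsys:file rw_file_perms` rule, so the macro call can be dropped. The two `self:capability2` rules, `block_suspend` near the top and `wake_alarm` near the bottom, could likewise be one line, `allow thermal-engine self:capability2 { block_suspend wake_alarm };`, which keeps the domain's capability set visible in one place.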
@@ -0,0 +1,28 @@
+type time_daemon, domain;
+type time_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(time_daemon)
+
+allow time_daemon self:capability { setgid setuid sys_time };
+
+allow time_daemon rtc_device:chr_file r_file_perms;
+
+r_dir_file(time_daemon, sysfs_msm_subsys)
+
+allow time_daemon sysfs_soc:dir search;
+allow time_daemon sysfs_soc:file r_file_perms;
+
+# Set time property
+set_prop(time_daemon, vendor_time_prop);
+
+allow time_daemon persist_time_file:dir w_dir_perms;
+allow time_daemon persist_time_file:file create_file_perms;
+allow time_daemon persist_time_file:dir search;
+
+allow time_daemon mnt_vendor_file:dir search;
+allow time_daemon persist_file:dir search;
+
+allow time_daemon self:socket create_socket_perms;
+allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
+
+dontaudit time_daemon kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/common/timeservice_app.te b/sepolicy/vendor/qcom/common/timeservice_app.te
new file mode 100644
index 0000000..c047793
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/timeservice_app.te
@@ -0,0 +1,6 @@
+type timeservice_app, domain;
+app_domain(timeservice_app);
+
+allow timeservice_app app_api_service:service_manager find;
+allow timeservice_app app_data_file:dir { search getattr };
+allow timeservice_app time_daemon:unix_stream_socket connectto;
diff --git a/sepolicy/vendor/qcom/common/ueventd.te b/sepolicy/vendor/qcom/common/ueventd.te
new file mode 100644
index 0000000..f0a175d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/ueventd.te
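Review bot: `allow time_daemon persist_time_file:dir w_dir_perms;` and `allow time_daemon persist_time_file:dir search;` two lines later in time_daemon.te target the same object and class and can be collapsed into `allow time_daemon persist_time_file:dir { w_dir_perms search };`. `set_prop(time_daemon, vendor_time_prop);` also carries a trailing semicolon unlike the other macro calls in the same file; harmless under m4, but worth aligning.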
@@ -0,0 +1,20 @@
+allow ueventd sysfs_thermal:file w_file_perms;
+allow ueventd sysfs_leds:file w_file_perms;
+allow ueventd sysfs_camera:file w_file_perms;
+allow ueventd sysfs_easel:file w_file_perms;
+allow ueventd sysfs_fingerprint:file w_file_perms;
+allow ueventd sysfs_graphics:file w_file_perms;
+allow ueventd sysfs_laser:file w_file_perms;
+allow ueventd sysfs_rmtfs:file w_file_perms;
+allow ueventd sysfs_scsi_devices_0000:file write;
+allow ueventd sysfs_soc:file w_file_perms;
+allow ueventd sysfs_net:file w_file_perms;
+allow ueventd sysfs_msm_subsys:file w_file_perms;
+allow ueventd sysfs_bluetooth_writable:file w_file_perms;
+allow ueventd sysfs_usb_c:file w_file_perms;
+allow ueventd firmware_file:lnk_file read;
+allow ueventd firmware_file:dir search;
+allow ueventd firmware_file:file r_file_perms;
+allow ueventd tmpfs:blk_file getattr;
+allow ueventd persist_file:dir search;
+allow ueventd persist_file:file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/update_engine_common.te b/sepolicy/vendor/qcom/common/update_engine_common.te
new file mode 100644
index 0000000..527b331
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/update_engine_common.te
@@ -0,0 +1,4 @@
+# Allow update_engine and update_engine_sideload (recovery) read/write on the
+# device-specific partitions it should update.
+allow update_engine_common postinstall_mnt_dir:dir r_dir_perms;
+allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/sepolicy/vendor/qcom/common/vendor_init.te b/sepolicy/vendor/qcom/common/vendor_init.te
new file mode 100644
index 0000000..2ee704d
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/vendor_init.te
@@ -0,0 +1,32 @@
+allow vendor_init debugfs_clk:file w_file_perms;
+allow vendor_init proc_uid_cpupower:file w_file_perms;
+allow vendor_init proc_sysctl_autogroup:file w_file_perms;
+allow vendor_init proc_sysctl_schedboost:file w_file_perms;
+allow vendor_init proc_irq:file w_file_perms;
+allow vendor_init proc_swappiness:file w_file_perms;
+allow vendor_init camera_vendor_data_file:dir create_dir_perms;
+dontaudit vendor_init kernel:system module_request;
+
+# Allow vendor_init to write to /proc/sysrq-trigger on userdebug and eng builds
+userdebug_or_eng(`
+ allow vendor_init proc_sysrq:file w_file_perms;
+')
+
+set_prop(vendor_init, vendor_camera_prop)
+set_prop(vendor_init, factory_ota_prop)
+set_prop(vendor_init, power_prop)
+set_prop(vendor_init, public_vendor_default_prop)
+set_prop(vendor_init, vendor_bluetooth_prop)
+set_prop(vendor_init, vendor_modem_diag_prop)
+set_prop(vendor_init, vendor_thermal_prop)
+set_prop(vendor_init, vendor_radio_prop)
+set_prop(vendor_init, persist_nfc_prop)
+set_prop(vendor_init, vendor_display_prop)
+set_prop(vendor_init, vendor_ssr_prop)
+
+allow vendor_init unlabeled:dir { getattr relabelfrom };
+
+#TUI Files
+allow vendor_init vendor_tui_data_file:dir create_dir_perms;
+
+set_prop(vendor_init, vendor_usb_prop)
diff --git a/sepolicy/vendor/qcom/common/vndservice.te b/sepolicy/vendor/qcom/common/vndservice.te
new file mode 100644
index 0000000..44c45ca
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/vndservice.te
@@ -0,0 +1,2 @@
+type qdisplay_service, vndservice_manager_type;
+type per_mgr_service, vndservice_manager_type;
diff --git a/sepolicy/vendor/qcom/common/vndservice_contexts b/sepolicy/vendor/qcom/common/vndservice_contexts
new file mode 100644
index 0000000..1db4aa0
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/vndservice_contexts
@@ -0,0 +1,2 @@
+display.qservice u:object_r:qdisplay_service:s0
+vendor.qcom.PeripheralManager u:object_r:per_mgr_service:s0
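Review bot: `allow vendor_init unlabeled:dir { getattr relabelfrom };` in vendor_init.te is not explained; relabelling away from `unlabeled` is normally needed for one specific directory that existed before file contexts were applied, and a comment naming it, along the lines of `# relabel <PATH-PLACEHOLDER> created before contexts were applied`, would make the rule auditable and stop it from quietly widening later. The final `set_prop(vendor_init, vendor_usb_prop)` sits after the `#TUI Files` rule rather than in the block of `set_prop` lines above it; grouping it with the others would keep the property grants in one place.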
diff --git a/sepolicy/vendor/qcom/common/vold.te b/sepolicy/vendor/qcom/common/vold.te
new file mode 100644
index 0000000..9746357
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/vold.te
@@ -0,0 +1,8 @@
+get_prop(vold, vendor_tee_listener_prop)
+
+allow vold sysfs_scsi_devices_0000:file w_file_perms;
+allow vold sysfs_scsi_devices_other:file w_file_perms;
+allow vold sysfs_devices_block:file write;
+
+# generated by proc scan, unnecessary
+dontaudit vold proc_irq:dir read;
diff --git a/sepolicy/vendor/qcom/common/wcnss_service.te b/sepolicy/vendor/qcom/common/wcnss_service.te
new file mode 100644
index 0000000..9b00774
--- /dev/null
+++ b/sepolicy/vendor/qcom/common/wcnss_service.te
@@ -0,0 +1,47 @@
+type wcnss_service, domain;
+type wcnss_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wcnss_service)
+net_domain(wcnss_service)
+
+vndbinder_use(wcnss_service)
+binder_call(wcnss_service, per_mgr)
+
+allow wcnss_service per_mgr_service:service_manager find;
+
+allow wcnss_service vendor_shell_exec:file rx_file_perms;
+allow wcnss_service vendor_toolbox_exec:file rx_file_perms;
+
+allow wcnss_service proc_net:file w_file_perms;
+
+allow wcnss_service self:socket create_socket_perms;
+allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls;
+allowxperm wcnss_service self:udp_socket ioctl { SIOCIWFIRSTPRIV_05 SIOCSIFFLAGS };
+allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
+
+allow wcnss_service cnss_vendor_data_file:dir create_dir_perms;
+allow wcnss_service cnss_vendor_data_file:file create_file_perms;
+
+allow wcnss_service proc_net:file getattr;
+
+r_dir_file(wcnss_service, sysfs_msm_subsys)
+# pkt logging for cnss_diag
+userdebug_or_eng(`
+ allow wcnss_service wifi_vendor_log_data_file:dir create_dir_perms;
+ allow wcnss_service wifi_vendor_log_data_file:file create_file_perms;
+ r_dir_file(wcnss_service, proc_wifi_dbg)
+')
+
+allow wcnss_service sysfs_soc:dir search;
+allow wcnss_service sysfs_soc:file r_file_perms;
+
+# request_firmware causes a denial for /firmware. It can be safely ignored
+dontaudit wcnss_service firmware_file:dir search;
+
+r_dir_file(wcnss_service, sysfs_net)
+
+# used for collecting the sku for radio for BDF file selection
+get_prop(wcnss_service, vendor_radio_sku_prop)
+
+dontaudit wcnss_service kernel:system module_request;
diff --git a/sepolicy/vendor/qcom/sdm845/file_contexts b/sepolicy/vendor/qcom/sdm845/file_contexts
new file mode 100644
index 0000000..4603b8d
--- /dev/null
+++ b/sepolicy/vendor/qcom/sdm845/file_contexts
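Review bot: `allow wcnss_service vendor_shell_exec:file rx_file_perms;` and the following `vendor_toolbox_exec` rule in wcnss_service.te let this network-capable daemon run the vendor shell and toolbox inside its own domain; a comment naming the script or command it executes would make the grant reviewable and show whether a dedicated exec type with a domain transition would be narrower. `allow wcnss_service proc_net:file w_file_perms;` and `allow wcnss_service proc_net:file getattr;` later in the hunk target the same object and can be merged into `allow wcnss_service proc_net:file { w_file_perms getattr };`, and the write to proc_net deserves a comment on which entry is written.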
@@ -0,0 +1,45 @@
+# dev block nodes
+/dev/block/platform/soc/1d84000\.ufshc/by-name/abl_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/aop_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/apdp_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib64_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/dtbo_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/devcfg_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/hyp_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/keymaster_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/laf_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/msadp_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/pmic_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/qupfw_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/rpm_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/storsec_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/trusty_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/tz_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_config_[ab] u:object_r:ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/fsc u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/fsg u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/modemst[12] u:object_r:modem_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/ssd u:object_r:ssd_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/product_[ab] u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/system_[ab] u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_[ab] u:object_r:system_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_[ab] u:object_r:xbl_block_device:s0
+###############################################
+# same-process HAL files and their dependencies
+###############################################
+/vendor/lib(64)?/hw/gralloc\.sdm845\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.sdm845\.so u:object_r:same_process_hal_file:s0
+
+#files in vendor
+/vendor/bin/hdcp_srm u:object_r:hdcp_srm_exec:s0
+/vendor/bin/sscrpcd u:object_r:sensors_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.1-service-qti u:object_r:hal_neuralnetworks_default_exec:s0
diff --git a/sepolicy/vendor/qcom/sdm845/genfs_contexts b/sepolicy/vendor/qcom/sdm845/genfs_contexts
new file mode 100644
index 0000000..561c50a
--- /dev/null
+++ b/sepolicy/vendor/qcom/sdm845/genfs_contexts
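Review bot: `product_[ab]` and `vendor_[ab]` share the `system_block_device` label with `system_[ab]`, so every domain granted `system_block_device` access (update_engine, recovery, and anything else the base policy allows) reaches all three partitions, and nothing in the hunk records that this is intentional. A short comment above those three entries, e.g. `# product/vendor are updated together with system by update_engine, so they share its label`, would stop a later reader from "fixing" it into separate labels or from assuming vendor is more tightly controlled than it is. The same applies to `/vendor/bin/sscrpcd` being put into `sensors_exec`: if it is meant to run in the same domain as the sensors HAL, say so in a comment, otherwise it should get its own exec type.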
@@ -0,0 +1,2 @@
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq/soc:qcom,l3-cdsp/userspace u:object_r:sysfs_devfreq_l3cdsp:s0
diff --git a/sepolicy/vendor/qcom/sdm845/hal_neuralnetworks.te b/sepolicy/vendor/qcom/sdm845/hal_neuralnetworks.te
new file mode 100644
index 0000000..8100c40
--- /dev/null
+++ b/sepolicy/vendor/qcom/sdm845/hal_neuralnetworks.te
@@ -0,0 +1,17 @@
+type hal_neuralnetworks_default, domain;
+hal_server_domain(hal_neuralnetworks_default, hal_neuralnetworks)
+
+type hal_neuralnetworks_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_default)
+
+allow hal_neuralnetworks_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_neuralnetworks_default qdsp_device:chr_file r_file_perms;
+allow hal_neuralnetworks_default ion_device:chr_file r_file_perms;
+
+allow hal_neuralnetworks_default app_data_file:file { read getattr };
+allow hal_neuralnetworks_default shell_data_file:file { read getattr };
+allow hal_neuralnetworks_default hal_neuralnetworks_data_file:dir create_dir_perms;
+allow hal_neuralnetworks_default hal_neuralnetworks_data_file:{ file fifo_file } create_file_perms;
+allow hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
+
+r_dir_file(hal_neuralnetworks_default, adsprpcd_file)
diff --git a/sepolicy/vendor/qcom/sdm845/hdcp_srm.te b/sepolicy/vendor/qcom/sdm845/hdcp_srm.te
new file mode 100644
index 0000000..0e4c4fa
--- /dev/null
+++ b/sepolicy/vendor/qcom/sdm845/hdcp_srm.te
@@ -0,0 +1,10 @@
+#hdcp_srm service
+type hdcp_srm, domain;
+
+type hdcp_srm_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hdcp_srm)
+
+# TEE access
+allow hdcp_srm tee_device:chr_file rw_file_perms;
+allow hdcp_srm ion_device:chr_file r_file_perms;
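Review bot: The `app_data_file` and `shell_data_file` rules in hal_neuralnetworks.te grant `{ read getattr }` but deliberately not `open`, which only makes sense if the client hands the HAL an already-open fd (presumably the model or input file); that reasoning is not written down and the next person to hit an `open` denial will be tempted to add it. Suggest `# model/input files arrive as fds from the calling app; no open on purpose (opening app data from a HAL is neverallow'd)` above the two lines. The `fwk_sensor_hwservice:hwservice_manager find` grant is also unexplained for a neural-networks HAL and should carry a one-line reason, or be dropped if it came from an over-broad denial scan.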
diff --git a/sepolicy/vendor/qcom/sdm845/update_engine_common.te b/sepolicy/vendor/qcom/sdm845/update_engine_common.te
new file mode 100644
index 0000000..268dd2b
--- /dev/null
+++ b/sepolicy/vendor/qcom/sdm845/update_engine_common.te
@@ -0,0 +1,5 @@
+# Allow update_engine and update_engine_sideload (recovery) read/write on the
+# device-specific partitions it should update.
+allow update_engine_common xbl_block_device:blk_file rw_file_perms;
+allow update_engine_common modem_block_device:blk_file rw_file_perms;
+allow update_engine_common ab_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/verizon/keys.conf b/sepolicy/vendor/verizon/keys.conf
new file mode 100644
index 0000000..6bac1a3
--- /dev/null
+++ b/sepolicy/vendor/verizon/keys.conf
@@ -0,0 +1,2 @@
+[@VERIZON]
+ALL : device/google/crosshatch/sepolicy/vendor/verizon/verizon.x509.pem
diff --git a/sepolicy/vendor/verizon/mac_permissions.xml b/sepolicy/vendor/verizon/mac_permissions.xml
new file mode 100644
index 0000000..770f40a
--- /dev/null
+++ b/sepolicy/vendor/verizon/mac_permissions.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+ <signer signature="@VERIZON" >
+ <seinfo value="verizon" />
+ </signer>
+</policy>
diff --git a/sepolicy/vendor/verizon/obdm_app.te b/sepolicy/vendor/verizon/obdm_app.te
new file mode 100644
index 0000000..f24baad
--- /dev/null
+++ b/sepolicy/vendor/verizon/obdm_app.te
@@ -0,0 +1,19 @@
+type obdm_app, domain, coredomain;
+
+app_domain(obdm_app)
+net_domain(obdm_app)
+
+allow obdm_app proc_stat:file r_file_perms;
+
+# talk to /dev/diag
+allow obdm_app diag_device:chr_file rw_file_perms;
+
+allow obdm_app app_api_service:service_manager find;
+allow obdm_app radio_service:service_manager find;
+allow obdm_app surfaceflinger_service:service_manager find;
+
+allow obdm_app self:socket create_socket_perms;
+allowxperm obdm_app self:socket ioctl { 0x0000c302 0x0000c304 };
+
+allow obdm_app sysfs:dir r_dir_perms;
+r_dir_file(obdm_app, sysfs_msm_subsys)
diff --git a/sepolicy/vendor/verizon/seapp_contexts b/sepolicy/vendor/verizon/seapp_contexts
new file mode 100644
index 0000000..951fef3
--- /dev/null
+++ b/sepolicy/vendor/verizon/seapp_contexts
@@ -0,0 +1,3 @@
+# Verizon for OBDM tool
+user=_app seinfo=verizon name=com.verizon.obdm domain=obdm_app type=app_data_file levelFrom=all
+user=_app seinfo=verizon name=com.verizon.obdm:background domain=obdm_app type=app_data_file levelFrom=all
diff --git a/sepolicy/vendor/verizon/verizon.x509.pem b/sepolicy/vendor/verizon/verizon.x509.pem
new file mode 100644
index 0000000..a06efc2
--- /dev/null
+++ b/sepolicy/vendor/verizon/verizon.x509.pem
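Review bot: `allow obdm_app diag_device:chr_file rw_file_perms;` hands a third-party app full read/write access to the Qualcomm diag interface, a modem debug channel that is normally restricted to vendor daemons, and the only thing gating entry to this domain is the signing certificate bound to `seinfo=verizon` for `com.verizon.obdm` in seapp_contexts. That is a deliberate trust decision and should be recorded next to the rule rather than as the bare `# talk to /dev/diag`, e.g. `# carrier diagnostics (OBDM) app; domain is reachable only for com.verizon.obdm signed with the key in keys.conf`. The `allowxperm` line uses raw numbers `0x0000c302 0x0000c304`; the other domains in this series use named ioctl macros, so either define names for these two or add a comment saying what they are, since anonymous ioctl numbers on a generic `self:socket` are impossible to review.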
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIEMzx+mzANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpv
+biBXaXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MCAX
+DTE2MTAxMTIxMzgzN1oYDzIxMTYwOTE3MjEzODM3WjBpMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCTkoxDzANBgNVBAcTBldhcnJlbjEZMBcGA1UEChMQVmVyaXpvbiBX
+aXJlbGVzczELMAkGA1UECxMCRFQxFDASBgNVBAMTC0RNQVQgQ2xpZW50MIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAr8y6pz1KPVolO8wj02oWSzuLZHWg
+HuatQ5RlbXFBqS9/ScPSw3t/Yt+jg2++VUG726qL7ydx8g3AzMktWHNkdhg6j8Dz
+fkEMa/oqcr+VOAQyPw4X0xkUs6ICsEuULRaAwY1NwSVCrTuSlxzlmumbTCg+tp4Y
+m2FXEct8VNayJcrLnTwl/IiYmFLNLLiZPrwqbSkMVfYbfxws7c2lVZI4qhIC7WWA
+HW5PyhO3Vdhjoj4E1QzkyabtB6el3kfE0xIta1IHV2iJdoAlESjaj3UT1i9d+Twt
+7DCsu/ZevIl/g/vwbYi2uqQuSs/a3/qeUcawvcQZR4vWHo/Gx8PyiTZHJwIDAQAB
+oyEwHzAdBgNVHQ4EFgQUMytyC5Cq0A2kE99nyokx0kTzVH0wDQYJKoZIhvcNAQEL
+BQADggEBAE8AexGFmzTp0ZGgRaiv80ONc5PVA12T7h2F5ZN1Yqg99yhpoS6kBIsw
+EG149nIcgOnSYk7ukTcjfsKcbFaB7tV1dw6SUqjmsqLpzVxGI32/DVdIorfxwaHZ
+dKjvlC9Yh1uDEipKuEzR+nXRnzMdMzEv6KOXeIXJxTHY/f538oPVuiXksdnjllmV
+xL1waQrZzdS15hfeBpGlC0WXk9wMiBbJNfEqQ5/J0EaFu+zPk8R3VLQ8WvKcXPyK
+30vZ56McQuwz2MT/gQxnR84LRXUhLGoWOr0MYFzOwhTso2vhIlEysGX+HtkEJh3L
+Hc+p+viW7lz17QqvZmOxjb6atkRpOVY=
+-----END CERTIFICATE-----
diff --git a/setup-makefiles.sh b/setup-makefiles.sh
new file mode 100755
index 0000000..183a078
--- /dev/null
+++ b/setup-makefiles.sh
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Copyright (C) 2017-2018 The LineageOS Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+VENDOR=google
+DEVICE=crosshatch
+
+INITIAL_COPYRIGHT_YEAR=2017
+
+# Load extractutils and do some sanity checks
+MY_DIR="${BASH_SOURCE%/*}"
+if [[ ! -d "$MY_DIR" ]]; then MY_DIR="$PWD"; fi
+
+LINEAGE_ROOT="$MY_DIR"/../../..
+
+HELPER="$LINEAGE_ROOT"/vendor/lineage/build/tools/extract_utils.sh
+if [ ! -f "$HELPER" ]; then
+ echo "Unable to find helper script at $HELPER"
+ exit 1
+fi
+. "$HELPER"
+
+# Write custom header to allow blueline to inherit
+function write_crosshatch_headers() {
+ write_header "$ANDROIDMK"
+
+ cat << EOF >> "$ANDROIDMK"
+LOCAL_PATH := \$(call my-dir)
+
+EOF
+ cat << EOF >> "$ANDROIDMK"
+ifneq (\$(filter crosshatch blueline,\$(TARGET_DEVICE)),)
+
+EOF
+
+ write_header "$BOARDMK"
+ write_header "$PRODUCTMK"
+}
+
+# Initialize the helper
+setup_vendor "$DEVICE" "$VENDOR" "$LINEAGE_ROOT"
+
+# Copyright headers and guards
+write_crosshatch_headers
+
+# The standard blobs
+write_makefiles "$MY_DIR"/device-proprietary-files.txt
+
+cat << EOF >> "$ANDROIDMK"
+
+EOF
+
+# Finish
+write_footers |
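Review bot: `write_crosshatch_headers` opens an `ifneq (...)` guard in the generated Android.mk but nothing visible in this file emits the matching `endif`; presumably `write_footers` from the sourced helper does, and since a missing `endif` would break every device makefile that includes the generated one, a comment on the `# Finish` line stating that dependency (`# write_footers closes the ifneq opened by write_crosshatch_headers`) is worth adding. As a style point, both heredocs use an unquoted `EOF` delimiter and then backslash-escape every `$`; quoting the delimiter (`cat << 'EOF' >> "$ANDROIDMK"`) lets the make text be written verbatim, e.g. `LOCAL_PATH := $(call my-dir)` and `ifneq ($(filter crosshatch blueline,$(TARGET_DEVICE)),)`, with the same output and no risk of a forgotten escape expanding a shell variable into the makefile. The trailing `cat << EOF` near the end only appends a blank line and could be replaced with `echo >> "$ANDROIDMK"`.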
