authorTony Jose <gmoto1179@gmail.com>2021-05-16 20:06:34 +0530
committerJeferson Rodrigo de Oliveira <jroliveira.oliveira301@gmail.com>2021-06-23 16:01:48 +0200
commitaad6a775bbf902f843baabd671cf42c23963cd0f (patch)
treed92179f1d02fb2c4beeef9e0a3bdc848fe2e0e1f
parentcb55a9673b6912a8a1577de4f497f12d63328852 (diff)
msm8916-common: sepolicy: Cleanup and Re-organize
* Sort alphabetically where possible * Remove some duplicate rules * Use uniform indentation * Use macros for some rules Change-Id: I60fd0e9658a4ae667d0efef266623541b1d2b1a3
-rw-r--r--sepolicy/akmd09912.te1
-rw-r--r--sepolicy/app.te2
-rw-r--r--sepolicy/bootanim.te2
-rw-r--r--sepolicy/cameraserver.te5
-rw-r--r--sepolicy/file.te10
-rw-r--r--sepolicy/file_contexts93
-rw-r--r--sepolicy/fsck.te9
-rw-r--r--sepolicy/genfs_contexts21
-rw-r--r--sepolicy/gmscore_app.te3
-rw-r--r--sepolicy/gpuservice.te2
-rw-r--r--sepolicy/hal_drm_clearkey.te4
-rw-r--r--sepolicy/hal_health_default.te1
-rw-r--r--sepolicy/hal_light_default.te2
-rw-r--r--sepolicy/hal_sensors_default.te7
-rw-r--r--sepolicy/hal_wifi_default.te2
-rw-r--r--sepolicy/init.te7
-rw-r--r--sepolicy/mediaserver.te15
-rw-r--r--sepolicy/mmi_boot_sh.te15
-rw-r--r--sepolicy/mmi_touch_sh.te4
-rw-r--r--sepolicy/netmgrd.te5
-rw-r--r--sepolicy/plataform_app.te2
-rw-r--r--sepolicy/priv_app.te2
-rw-r--r--sepolicy/property.te2
-rw-r--r--sepolicy/property_contexts2
-rw-r--r--sepolicy/rild.te6
-rw-r--r--sepolicy/service.te2
-rw-r--r--sepolicy/service_contexts2
-rw-r--r--sepolicy/stml0xx.te1
-rw-r--r--sepolicy/system_app.te13
-rw-r--r--sepolicy/system_server.te9
-rw-r--r--sepolicy/timekeep.te1
-rw-r--r--sepolicy/vendor_init.te20
32 files changed, 125 insertions, 147 deletions
diff --git a/sepolicy/akmd09912.te b/sepolicy/akmd09912.te
index c13f37b..5c3d8c1 100644
--- a/sepolicy/akmd09912.te
+++ b/sepolicy/akmd09912.te
@@ -1,5 +1,6 @@
type akmd09912, domain;
type akmd09912_exec, exec_type, vendor_file_type, file_type;
+
init_daemon_domain(akmd09912)
allow akmd09912 sensors_data_file:dir w_dir_perms;
diff --git a/sepolicy/app.te b/sepolicy/app.te
index 874b05c..d7fc240 100644
--- a/sepolicy/app.te
+++ b/sepolicy/app.te
@@ -1,2 +1,2 @@
-get_prop(appdomain, theme_prop)
get_prop(appdomain, exported_camera_prop);
+get_prop(appdomain, theme_prop)
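Review bot: The trailing semicolon on macro invocations is still mixed after the reorder: `get_prop(appdomain, exported_camera_prop);` keeps one while the line below it, `get_prop(appdomain, theme_prop)`, does not. The same mix survives in cameraserver.te, gmscore_app.te, hal_drm_clearkey.te, mmi_touch_sh.te, rild.te and system_server.te in this patch. Since the commit's stated goal is uniform formatting, pick one form for the whole directory; the no-semicolon form is what the `init_daemon_domain` and `hal_server_domain` calls here already use.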
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index 5fa3368..c6888a5 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1 +1 @@
-get_prop(bootanim, userspace_reboot_exported_prop); \ No newline at end of file
+get_prop(bootanim, userspace_reboot_exported_prop);
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 56f5cba..f15b349 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -1,8 +1,9 @@
allow cameraserver camera_bgproc_service:service_manager add;
allow cameraserver camera_socket:dir rw_dir_perms;
allow cameraserver camera_socket:file create_file_perms;
-set_prop(cameraserver, exported_system_prop);
allow cameraserver sysfs_batteryinfo:file r_file_perms;
allow cameraserver sysfs_batteryinfo:dir search;
-allow cameraserver serialno_prop:file { getattr open read };
+
+get_prop(cameraserver, serialno_prop)
set_prop(cameraserver, camera_prop)
+set_prop(cameraserver, exported_system_prop)
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 80d405c..7a2913c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -2,6 +2,9 @@
type blkio_device, dev_type;
type blkio, file_type;
+# Camera
+type sysfs_camera, fs_type, sysfs_type;
+
# Cutback socket (RILD)
type cutback_data_file, file_type, data_file_type;
@@ -16,13 +19,14 @@ type sysfs_mmi_touch, fs_type, sysfs_type;
# proc
type proc_bootinfo, fs_type, proc_type;
+type proc_swap, fs_type;
+type proc_kernel_sched, fs_type, proc_type;
# RIL
type netmgr_data_file, file_type, data_file_type;
type persist_modem_file, file_type;
+# Timekeep
type sysfs_msm_subsys, sysfs_type, fs_type;
type sysfs_timekeep, fs_type, sysfs_type;
-type sysfs_camera, fs_type, sysfs_type;
-type proc_swap, fs_type;
-type proc_kernel_sched, fs_type, proc_type; \ No newline at end of file
+
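Review bot: `type proc_swap, fs_type;` is moved into the `# proc` group without being given the `proc_type` attribute that its neighbours `proc_bootinfo` and `proc_kernel_sched` carry on the adjacent lines. Any rule or neverallow written against `proc_type` therefore does not cover the swappiness node that genfs_contexts labels `proc_swap`, which reads as an oversight rather than a deliberate exception. Suggest `type proc_swap, fs_type, proc_type;` while the block is being tidied, or a one-line comment explaining why it is excluded.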
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 9f6fa3a..3b40684 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,75 +1,68 @@
# Binaries
-/vendor/bin/adsprpcd u:object_r:adsprpcd_exec:s0
-/vendor/bin/imsdatadaemon u:object_r:ims_exec:s0
-/vendor/bin/imsqmidaemon u:object_r:ims_exec:s0
-/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0
-/vendor/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0
-/vendor/bin/netmgrd u:object_r:netmgrd_exec:s0
-/vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
-/vendor/bin/qseecomd u:object_r:tee_exec:s0
-/vendor/bin/rmt_storage u:object_r:rmt_storage_exec:s0
+/vendor/bin/adsprpcd u:object_r:adsprpcd_exec:s0
+/vendor/bin/imsdatadaemon u:object_r:ims_exec:s0
+/vendor/bin/imsqmidaemon u:object_r:ims_exec:s0
+/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0
+/vendor/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0
+/vendor/bin/netmgrd u:object_r:netmgrd_exec:s0
+/vendor/bin/qmuxd u:object_r:qmuxd_exec:s0
+/vendor/bin/qseecomd u:object_r:tee_exec:s0
+/vendor/bin/rmt_storage u:object_r:rmt_storage_exec:s0
-/(vendor|system/vendor)/bin/timekeep u:object_r:timekeep_exec:s0
-/(vendor|system/vendor)/bin/stml0xx u:object_r:stml0xx_exec:s0
-/(vendor|system/vendor)/bin/qmi_motext_hook u:object_r:rild_exec:s0
-/(vendor|system/vendor)/bin/akmd09912 u:object_r:akmd09912_exec:s0
-/(vendor|system/vendor)/bin/init\.device\.config\.sh u:object_r:device_config_exec:s0
-/(vendor|system/vendor)/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_sh_exec:s0
-/(vendor|system/vendor)/bin/init\.mmi\.bt\.sh u:object_r:mmi_bt_sh_exec:s0
-/(vendor|system/vendor)/bin/init\.mmi\.touch\.sh u:object_r:mmi_touch_sh_exec:s0
-/(vendor|system/vendor)/bin/stml0xx_wrapper\.sh u:object_r:stml0xx_exec:s0
+/(vendor|system/vendor)/bin/akmd09912 u:object_r:akmd09912_exec:s0
+/(vendor|system/vendor)/bin/init\.device\.config\.sh u:object_r:device_config_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.boot\.sh u:object_r:mmi_boot_sh_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.bt\.sh u:object_r:mmi_bt_sh_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.touch\.sh u:object_r:mmi_touch_sh_exec:s0
+/(vendor|system/vendor)/bin/qmi_motext_hook u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/stml0xx u:object_r:stml0xx_exec:s0
+/(vendor|system/vendor)/bin/stml0xx_wrapper\.sh u:object_r:stml0xx_exec:s0
+/(vendor|system/vendor)/bin/timekeep u:object_r:timekeep_exec:s0
# blkio
-/dev/blkio(/.*)? u:object_r:blkio_dev:s0
-/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
+/dev/blkio(/.*)? u:object_r:blkio_dev:s0
+/dev/blkio/background(/.*)? u:object_r:blkio_dev:s0
# Camera
-/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
-/sys/devices/w1_bus_master1(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
+/sys/devices/w1_bus_master1(/.*)? u:object_r:sysfs_graphics:s0
+
+# FSG
+/fsg(/.*)? u:object_r:fsg_file:s0
+/pds(/.*)? u:object_r:firmware_file:s0
# Device nodes
-/dev/cpuset(/.*)? u:object_r:cgroup:s0
-/dev/stune(/.*)? u:object_r:cgroup:s0
+/dev/cpuset(/.*)? u:object_r:cgroup:s0
# DRM
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service\.widevine u:object_r:hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/data/vendor/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:media_data_file:s0
# Gatekeeper
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software u:object_r:hal_gatekeeper_default_exec:s0
# Lights
-/sys/devices/soc\.0/leds-atc-[0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0
-/sys/devices/soc\.0/78b7000\.spi/spi_master/spi0/spi0\.0/leds/rgb(/.*)? u:object_r:sysfs_leds:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service.msm8916 u:object_r:hal_light_default_exec:s0
+/sys/devices/soc\.0/leds-atc-[0-9]+/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc\.0/78b7000\.spi/spi_master/spi0/spi0\.0/leds/rgb(/.*)? u:object_r:sysfs_leds:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service.msm8916 u:object_r:hal_light_default_exec:s0
# mmi_touch related /sys files
-/sys/devices/soc\.0/78b6000\.i2c/i2c-2/2-0020(/.*)? u:object_r:sysfs_mmi_touch:s0
+/sys/devices/soc\.0/78b6000\.i2c/i2c-2/2-0020(/.*)? u:object_r:sysfs_mmi_touch:s0
# Partitions
-/dev/block/platform/soc\.0/7824900\.sdhci/by-name/metadata u:object_r:metadata_block_device:s0
-
-# FSG
-/fsg(/.*)? u:object_r:fsg_file:s0
-/pds(/.*)? u:object_r:firmware_file:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/metadata u:object_r:metadata_block_device:s0
# RIL
-/data/misc/cutback(/.*)? u:object_r:cutback_data_file:s0
-/data/misc/netmgr(/.*)? u:object_r:netmgr_data_file:s0
-/dev/socket/cutback u:object_r:rild_socket:s0
-/persist/mdm(/.*)? u:object_r:persist_modem_file:s0
+/data/misc/cutback(/.*)? u:object_r:cutback_data_file:s0
+/data/misc/netmgr(/.*)? u:object_r:netmgr_data_file:s0
+/dev/socket/cutback u:object_r:rild_socket:s0
+/persist/mdm(/.*)? u:object_r:persist_modem_file:s0
# Sensors
-/dev/akm09912 u:object_r:sensors_device:s0
-/dev/akm09912_dev u:object_r:sensors_device:s0
-/dev/stml0xx u:object_r:sensors_device:s0
-/dev/stml0xx_as u:object_r:sensors_device:s0
-/dev/stml0xx_ms u:object_r:sensors_device:s0
-/data/misc/akmd(/.*)? u:object_r:sensors_data_file:s0
-
-# sysfs - battery/charger
-/sys/devices/battery\.[0-9]+/power_supply(/.*)? u:object_r:sysfs_batteryinfo:s0
-/sys/devices/i2c\.[0-9]+/i2c-[0-9]+/[0-9]+-[a-z0-9]+/max[a-z0-9]+-charger/power_supply(/.*)? u:object_r:sysfs_batteryinfo:s0
-/sys/devices/i2c\.[0-9]+/i2c-[0-9]+/[0-9]+-[a-z0-9]+/power_supply(/.*)? u:object_r:sysfs_batteryinfo:s0
-/sys/devices/msm_dwc3/power_supply(/.*)? u:object_r:sysfs_batteryinfo:s0
+/dev/akm09912 u:object_r:sensors_device:s0
+/dev/akm09912_dev u:object_r:sensors_device:s0
+/dev/stml0xx u:object_r:sensors_device:s0
+/dev/stml0xx_as u:object_r:sensors_device:s0
+/dev/stml0xx_ms u:object_r:sensors_device:s0
+/data/misc/akmd(/.*)? u:object_r:sensors_data_file:s0
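Review bot: Five `sysfs_batteryinfo` entries (`/sys/devices/battery\.[0-9]+/power_supply(/.*)?`, the two `i2c` charger paths and `/sys/devices/msm_dwc3/power_supply(/.*)?`) plus the `/dev/stune(/.*)?` cgroup entry are deleted from the old side of this hunk and do not reappear anywhere on the new side, yet the description only claims reordering and duplicate removal. If those nodes exist on the device they revert to whatever default label the filesystem gives them, and the `sysfs_batteryinfo` rules touched elsewhere in this same patch (cameraserver, mediaserver, init, platform_app) stop applying to them. If the paths were already moved to genfs_contexts in an earlier commit or are known to be dead, say so in the commit message; otherwise restore them under their old `# sysfs - battery/charger` heading.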
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
index ad69193..08f5818 100644
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@@ -1,8 +1,7 @@
-allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck block_device:blk_file { ioctl open read write };
allow fsck cache_file:dir r_dir_perms;
-allow fsck persist_file:dir r_dir_perms;
+allow fsck modem_efs_partition_device:blk_file { ioctl open read write };
allow fsck modem_efs_partition_device:blk_file { read write };
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck persist_file:dir r_dir_perms;
allow fsck self:capability { dac_override dac_read_search };
-allow fsck block_device:blk_file { ioctl open read write };
-allow fsck modem_efs_partition_device:blk_file { ioctl open read write };
-
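Review bot: `allow fsck modem_efs_partition_device:blk_file { read write };` on the context line is fully subsumed by the `{ ioctl open read write }` rule the commit now places directly above it, so one duplicate survives a cleanup whose purpose is removing duplicates; drop the narrower line. Separately, and pre-existing rather than introduced here, `allow fsck block_device:blk_file { ioctl open read write };` targets the generic block-device type rather than a named partition; if only one partition needs checking, labelling that node in file_contexts and naming it here keeps fsck's reach bounded.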
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index 1c4e02f..238322b 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,15 +1,14 @@
genfscon sysfs /devices/soc.0/7824900.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/stat u:object_r:sysfs_disk_stat:s0
-genfscon sysfs /devices/soc.0/78d9000.usb u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/soc.0/78b5000.i2c/i2c-1/1-006b/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc.0/78b5000.i2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc.0/78b5000.i2c/i2c-1/1-006b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc.0/78d9000.usb u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/soc.0/qpnp-rtc-[0-9]+ u:object_r:sysfs_rtc:s0
genfscon sysfs /sys/devices/soc.0/78b8000.i2c/i2c-4/4-0020/power_supply u:object_r:sysfs_mmi_touch:s0
-genfscon proc /bootinfo u:object_r:proc_bootinfo:s0
-
-genfscon sysfs /devices/soc.0/qpnp-rtc-8/ u:object_r:sysfs_rtc:s0
-genfscon proc /sys/vm/swappiness u:object_r:proc_swap:s0
-genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_small_task u:object_r:proc_kernel_sched:s0
-genfscon proc /sys/kernel/sched_ravg_hist_size u:object_r:proc_kernel_sched:s0
-genfscon proc /sys/kernel/sched_wake_to_idle u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_window_stats_policy u:object_r:proc_kernel_sched:s0
+genfscon proc /bootinfo u:object_r:proc_bootinfo:s0
+genfscon proc /sys/kernel/sched_cfs_bandwidth_slice_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_ravg_hist_size u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_small_task u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/kernel/sched_wake_to_idle u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_window_stats_policy u:object_r:proc_kernel_sched:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swap:s0
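Review bot: `genfscon sysfs /devices/soc.0/qpnp-rtc-[0-9]+ u:object_r:sysfs_rtc:s0` replaces the literal `qpnp-rtc-8/` path with a regular expression, but genfscon paths are matched by the kernel as literal prefixes, not as regexes, so `[0-9]+` is taken verbatim and this entry will never match anything. The RTC nodes then fall back to the plain `sysfs` label and the `sysfs_rtc` rules in timekeep.te and system_app.te stop applying, which shows up as runtime denials rather than a build error. Keep the literal form, `genfscon sysfs /devices/soc.0/qpnp-rtc-8 u:object_r:sysfs_rtc:s0`, adding one line per instance if more than one exists.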
diff --git a/sepolicy/gmscore_app.te b/sepolicy/gmscore_app.te
index 2bbeb71..133db54 100644
--- a/sepolicy/gmscore_app.te
+++ b/sepolicy/gmscore_app.te
@@ -1,4 +1,5 @@
allow gmscore_app hal_memtrack_hwservice:hwservice_manager find;
+
binder_call(gmscore_app, hal_memtrack_default);
get_prop(gmscore_app, adbd_prop);
@@ -12,6 +13,6 @@ get_prop(gmscore_app, bg_daemon_prop);
get_prop(gmscore_app, bluetooth_a2dp_offload_prop);
get_prop(gmscore_app, bluetooth_audio_hal_prop);
get_prop(gmscore_app, boot_animation_prop);
-get_prop(gmscore_app, boot_mode_prop);
get_prop(gmscore_app, bootloader_boot_reason_prop);
+get_prop(gmscore_app, boot_mode_prop);
get_prop(gmscore_app, boottime_prop);
diff --git a/sepolicy/gpuservice.te b/sepolicy/gpuservice.te
index 3322cbd..42f588e 100644
--- a/sepolicy/gpuservice.te
+++ b/sepolicy/gpuservice.te
@@ -1 +1 @@
-allow gpuservice opengles_prop:file r_file_perms;
+get_prop(gpuservice, opengles_prop)
diff --git a/sepolicy/hal_drm_clearkey.te b/sepolicy/hal_drm_clearkey.te
index 633ec1f..36cc5b3 100644
--- a/sepolicy/hal_drm_clearkey.te
+++ b/sepolicy/hal_drm_clearkey.te
@@ -1,7 +1,7 @@
# policy for /vendor/bin/hw/android.hardware.drm@1.2-service.clearkey
type hal_drm_clearkey, domain;
type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_drm_clearkey)
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
hal_server_domain(hal_drm_clearkey, hal_drm)
+init_daemon_domain(hal_drm_clearkey)
vndbinder_use(hal_drm_clearkey);
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
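Review bot: The header comment `# policy for /vendor/bin/hw/android.hardware.drm@1.2-service.clearkey` on the first context line no longer matches the binary this domain is applied to: file_contexts in this same patch labels `android\.hardware\.drm@1\.3-service\.clearkey` with `hal_drm_clearkey_exec`. Update the comment to the 1.3 path, or drop the version from it, so the next reader does not look for a 1.2 service that is never labelled.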
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
index c6ef695..f352c8c 100644
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
@@ -1,4 +1,3 @@
allow hal_health_default sysfs:file { getattr open read };
allow hal_health_default sysfs_mmi_touch:dir {search open read};
allow hal_health_default sysfs_mmi_touch:file read;
-
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
index a6fdd91..30f6408 100644
--- a/sepolicy/hal_light_default.te
+++ b/sepolicy/hal_light_default.te
@@ -1 +1 @@
-allow hal_light_default sysfs_leds:file { rw_file_perms };
+allow hal_light_default sysfs_leds:file rw_file_perms;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index a46db49..92493ba 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -4,17 +4,16 @@ binder_call(hal_sensors_default, servicemanager)
binder_call(hal_sensors_default, mm-qcamerad)
binder_call(hal_sensors_default, system_server)
-binder_call(hal_sensors_default, system_app)
-binder_call(hal_sensors_default, priv_app)
binder_call(hal_sensors_default, platform_app)
+binder_call(hal_sensors_default, priv_app)
+binder_call(hal_sensors_default, system_app)
+allow hal_sensors_default proc_net:file { getattr open read };
allow hal_sensors_default self:capability { dac_override };
allow hal_sensors_default sensors_device:chr_file { ioctl open read };
allow hal_sensors_default sysfs:file { open read write };
allow hal_sensors_default system_data_file:file { getattr open read };
-allow hal_sensors_default proc_net:file { getattr open read };
-
allow hal_sensors_default {
sysfs_batteryinfo
sysfs_graphics
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
index 0915016..96bdde4 100644
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@@ -1,5 +1,3 @@
allow hal_wifi_default firmware_file:dir search;
-
allow hal_wifi_default proc_net:file rw_file_perms;
set_prop(hal_wifi_default,vendor_wifi_prop)
-
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 036c85d..65151e5 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,9 +1,6 @@
+allow init blkio_dev:file { create open read write };
allow init firmware_file:dir mounton;
allow init fsg_file:dir mounton;
allow init pstorefs:dir mounton;
+allow init sysfs_batteryinfo:file setattr;
allow init sysfs_graphics:file { setattr w_file_perms };
-allow init blkio_dev:file { create open read write };
-
-allow init {
- sysfs_batteryinfo
-}:file setattr;
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 7a6ed46..7f40c80 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -1,27 +1,24 @@
binder_call(mediaserver, hal_configstore)
-allow mediaserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { find };
-allow mediaserver sysfs_batteryinfo:dir r_dir_perms;
-allow mediaserver sysfs_batteryinfo:file r_file_perms;
-
#for v4L node "name" access
allow mediaserver sysfs_graphics:file rw_file_perms;
allow mediaserver camera_bgproc_service:service_manager { add };
allow mediaserver device:dir r_dir_perms;
+allow mediaserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager { find };
+allow mediaserver serialno_prop:file { read open };
-allow mediaserver serialno_prop:file read;
-allow mediaserver serialno_prop:file open;
-
+allow mediaserver sysfs_batteryinfo:dir r_dir_perms;
+allow mediaserver sysfs_batteryinfo:file r_file_perms;
allow mediaserver sysfs_battery_supply:dir search;
allow mediaserver sysfs_battery_supply:file { getattr open read };
# Use HALs
hal_client_domain(mediaserver, hal_lineage_camera_motor)
-allow mediaserver hal_camera_hwservice:hwservice_manager find;
-allow mediaserver sensor_privacy_service:service_manager find;
allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver cameraserver_service:service_manager add;
allow mediaserver fwk_camera_hwservice:hwservice_manager add;
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
+allow mediaserver sensor_privacy_service:service_manager find;
allow mediaserver sysfs_camera:file { getattr open read };
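Review bot: `allow mediaserver serialno_prop:file { read open };` merges the two old raw rules but leaves mediaserver as the one domain in this patch still reading a property through an explicit `allow`, while the same commit converts cameraserver and gpuservice to `get_prop`. `get_prop(mediaserver, serialno_prop)` would make the three uniform and grant the same read-only permission set the other conversions received; if the narrower `{ read open }` is deliberate, a short comment saying why would stop the next cleanup from "fixing" it.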
diff --git a/sepolicy/mmi_boot_sh.te b/sepolicy/mmi_boot_sh.te
index e0ccf8d..ec1de83 100644
--- a/sepolicy/mmi_boot_sh.te
+++ b/sepolicy/mmi_boot_sh.te
@@ -4,22 +4,21 @@ type mmi_boot_sh_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(mmi_boot_sh)
-allow mmi_boot_sh firmware_file:dir search;
+# Logs to /dev/kmsg
+allow mmi_boot_sh kmsg_device:chr_file w_file_perms;
# shell scripts need to execute /vendor/bin/sh and toolbox
allow mmi_boot_sh vendor_shell_exec:file rx_file_perms;
allow mmi_boot_sh vendor_toolbox_exec:file rx_file_perms;
-# Logs to /dev/kmsg
-allow mmi_boot_sh kmsg_device:chr_file w_file_perms;
-
+allow mmi_boot_sh firmware_file:dir search;
+allow mmi_boot_sh proc_cmdline:file r_file_perms;
allow mmi_boot_sh proc:file rw_file_perms;
+allow mmi_boot_sh proc_slabinfo:file r_file_perms;
+allow mmi_boot_sh radio_data_file:dir create_dir_perms;
allow mmi_boot_sh radio_data_file:file create_file_perms;
allow mmi_boot_sh self:capability chown;
allow mmi_boot_sh sysfs_socinfo:file write;
-allow mmi_boot_sh radio_data_file:dir create_dir_perms;
-set_prop(mmi_boot_sh, manufacturedate_prop)
set_prop(mmi_boot_sh, hw_rev_prop)
-allow mmi_boot_sh proc_slabinfo:file r_file_perms;
-allow mmi_boot_sh proc_cmdline:file r_file_perms;
+set_prop(mmi_boot_sh, manufacturedate_prop)
diff --git a/sepolicy/mmi_touch_sh.te b/sepolicy/mmi_touch_sh.te
index 219860d..cf5b170 100644
--- a/sepolicy/mmi_touch_sh.te
+++ b/sepolicy/mmi_touch_sh.te
@@ -18,7 +18,7 @@ allow mmi_touch_sh kmsg_device:chr_file w_file_perms;
allow mmi_touch_sh sysfs_mmi_touch:{ file lnk_file } create_file_perms;
allow mmi_touch_sh sysfs_mmi_touch:dir r_dir_perms;
-get_prop(mmi_touch_sh, hw_rev_prop);
allow mmi_touch_sh sysfs:dir { open read };
allow mmi_touch_sh sysfs:file { read open setattr getattr };
-allow mmi_touch_sh sysfs_mmi_touch:file { setattr };
+
+get_prop(mmi_touch_sh, hw_rev_prop);
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 1553f46..b21c367 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,5 +1,4 @@
allow netmgrd netmgr_data_file:dir { add_name search write };
-allow netmgrd netmgr_data_file:file create;
-allow netmgrd netmgr_data_file:file rw_file_perms;
+allow netmgrd netmgr_data_file:file { rw_file_perms create };
allow netmgrd sysfs_net:dir r_dir_perms;
-allow netmgrd sysfs_net:file rw_file_perms; \ No newline at end of file
+allow netmgrd sysfs_net:file rw_file_perms;
diff --git a/sepolicy/plataform_app.te b/sepolicy/plataform_app.te
index 3646737..9c5893b 100644
--- a/sepolicy/plataform_app.te
+++ b/sepolicy/plataform_app.te
@@ -1,3 +1,3 @@
+allow platform_app blkio_dev:dir search;
allow platform_app sysfs_batteryinfo:dir search;
allow platform_app system_app_data_file:dir r_dir_perms;
-allow platform_app blkio_dev:dir search;
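Review bot: The file is named `sepolicy/plataform_app.te` while every rule in it is for the `platform_app` domain; a reorganisation commit is the natural place to rename it to `platform_app.te`. As far as this page shows the misspelling does not change what is compiled, since the rules still name the correct domain, but it hides the file from anyone searching the tree for platform_app policy.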
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 11406bd..1c9433d 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,4 +1,4 @@
allow priv_app device:dir r_dir_perms;
+allow priv_app hal_memtrack_hwservice:hwservice_manager find;
allow priv_app proc_interrupts:file { open read getattr };
allow priv_app proc_modules:file { open read getattr };
-allow priv_app hal_memtrack_hwservice:hwservice_manager find;
diff --git a/sepolicy/property.te b/sepolicy/property.te
index b684728..646c77b 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -3,4 +3,6 @@ type hw_rev_prop, property_type;
type dualsim_prop, property_type;
type manufacturedate_prop, property_type;
type rmtfs_prop, property_type;
+
+# Timekeep
type timekeep_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index b6ebce1..303aa8c 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -4,6 +4,6 @@ ro.device.dualsim u:object_r:dualsim_prop:s0
ro.device.cdma u:object_r:dualsim_prop:s0
ro.hw.revision u:object_r:hw_rev_prop:s0
rmtfs. u:object_r:rmtfs_prop:s0
-persist.vendor.timeadjust u:object_r:timekeep_prop:s0
+persist.vendor.timeadjust u:object_r:timekeep_prop:s0
persist.vendor.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 6a0c605..6e8a0d7 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,15 +1,15 @@
allow rild cutback_data_file:dir rw_dir_perms;
allow rild cutback_data_file:sock_file create_file_perms;
allow rild fsg_file:file r_file_perms;
-allow rild system_data_file:sock_file create_file_perms;
-allow rild proc_bootinfo:file r_file_perms;
allow rild persist_file:dir search;
allow rild persist_modem_file:dir rw_dir_perms;
allow rild persist_modem_file:file create_file_perms;
-allow rild wifi_prop:file read;
+allow rild proc_bootinfo:file r_file_perms;
+allow rild system_data_file:sock_file create_file_perms;
# rild needs to execute /system/bin/qmi_motext_hook
allow rild rild_exec:file execute_no_trans;
dontaudit rild vendor_file:file ioctl;
+
get_prop(rild, wifi_prop);
diff --git a/sepolicy/service.te b/sepolicy/service.te
index ff363c7..637caa6 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1 +1 @@
-type camera_bgproc_service, service_manager_type;
+type camera_bgproc_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 43c9bf4..efd24c8 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1 +1 @@
-media.camera_bgproc u:object_r:camera_bgproc_service:s0
+media.camera_bgproc u:object_r:camera_bgproc_service:s0
diff --git a/sepolicy/stml0xx.te b/sepolicy/stml0xx.te
index 6d9598a..764da56 100644
--- a/sepolicy/stml0xx.te
+++ b/sepolicy/stml0xx.te
@@ -10,6 +10,5 @@ r_dir_file(stml0xx, firmware_file)
allow stml0xx vendor_shell_exec:file rx_file_perms;
allow stml0xx vendor_toolbox_exec:file rx_file_perms;
-allow stml0xx vendor_shell_exec:file read;
allow stml0xx stml0xx_exec:file execute_no_trans;
allow stml0xx sensors_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 680c7a7..926c357 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,18 +1,17 @@
+allow system_app apex_service:service_manager find;
allow system_app proc_pagetypeinfo:file { getattr open read };
allow system_app sysfs_zram:dir search;
allow system_app sysfs_zram:file { getattr open read };
-
-binder_call(system_app, hal_power_default)
-
allow system_app time_data_file:dir { write search };
allow system_app time_data_file:file { write open getattr };
+allow system_app wificond:binder call;
+
+binder_call(system_app, hal_power_default)
-set_prop(system_app, timekeep_prop)
-r_dir_file(system_app, sysfs_timekeep)
r_dir_file(system_app, sysfs_rtc)
+r_dir_file(system_app, sysfs_timekeep)
-allow system_app apex_service:service_manager find;
-allow system_app wificond:binder call;
+set_prop(system_app, timekeep_prop)
dontaudit system_app {
apex_service
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 14b8489..c67c1c9 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,12 +1,11 @@
+allow system_server app_zygote:process { getpgid };
+allow system_server media_rw_data_file:dir { setattr };
allow system_server sensors_device:chr_file rw_file_perms;
# location
binder_call(system_server, location);
-get_prop(system_server, userspace_reboot_exported_prop);
-get_prop(system_server, userspace_reboot_config_prop);
get_prop(system_server, exported_camera_prop);
+get_prop(system_server, userspace_reboot_config_prop);
+get_prop(system_server, userspace_reboot_exported_prop);
get_prop(system_server, vendor_security_patch_level_prop);
-allow system_server app_zygote:process { getpgid };
-allow system_server media_rw_data_file:dir { setattr };
-
diff --git a/sepolicy/timekeep.te b/sepolicy/timekeep.te
index 93fdc9c..fbcf325 100644
--- a/sepolicy/timekeep.te
+++ b/sepolicy/timekeep.te
@@ -18,4 +18,3 @@ allow timekeep sysfs_rtc:{ file lnk_file } r_file_perms;
allow timekeep sysfs_msm_subsys:dir search;
r_dir_file(timekeep, sysfs_timekeep)
-
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index ebf9ed0..e05fdc2 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@@ -6,24 +6,18 @@ allow vendor_init {
radio_data_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+allow vendor_init firmware_file:dir search;
allow vendor_init radio_data_file:file create_file_perms;
-allow vendor_init rootfs:file create_file_perms;
allow vendor_init rootfs:dir create_dir_perms;
-
-allow vendor_init firmware_file:dir search;
-
-
-allow vendor_init proc:file write;
-allow vendor_init unlabeled:dir setattr;
-allow vendor_init unlabeled:file setattr;
-
-allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
+allow vendor_init rootfs:file create_file_perms;
allow vendor_init wifi_data_file:dir {search};
allow vendor_init wifi_data_file:file {create_file_perms};
-allow vendor_init blkio_device:file { open read write create };
+allow vendor_init unlabeled:{ dir file } { getattr relabelfrom setattr };
+
allow vendor_init blkio_dev:file { open read write create };
+allow vendor_init blkio_device:file { open read write create };
allow vendor_init proc_dirty:file write;
-
-allow vendor_init proc_swap:file write;
+allow vendor_init proc:file write;
allow vendor_init proc_kernel_sched:file w_file_perms;
+allow vendor_init proc_swap:file write;