LineageOS/android_device_qcom_sepolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: LineageOS:lineage-21.0
Branches Tags
LineageOS:lineage-21.0 LineageOS:lineage-21.0-ap1a LineageOS:lineage-21.0-legacy-um LineageOS:lineage-21.0-legacy-um-ap1a
...
pull from: LineageOS:lineage-21.0-legacy-um
Branches Tags
LineageOS:lineage-21.0 LineageOS:lineage-21.0-ap1a LineageOS:lineage-21.0-legacy-um LineageOS:lineage-21.0-legacy-um-ap1a

248 Commits
lineage-21 ... lineage-21

Author SHA1 Message Date
Bruno Martins
84869e5cb4 legacy: Add common telephony rules 
Seen across msm4.4 and msm4.9 families.

Change-Id: I47a049dc72e30363b728aa8c25f4571c3b25045b
 2024-04-14 16:34:29 +00:00
Ankit Siddhapura
b7e999e50c sepolicy: fix domain for com.qualcomm.telephony 
fixed `E SELinux : selinux_android_setcontext:  Error setting context for
app with uid 10133, seinfo platform:targetSdkVersion=31:complete: Invalid argument

Change-Id: I9c14ebd9413e877d29a99b07534aed0ac3108610
 2024-04-02 21:55:13 +00:00
Bruno Martins
d3dc18a45c legacy: Allow communication between rild and data module 
Fixes full IWLAN mode on msm8998 devices.

Change-Id: Id7cb510336f6ee28033d7683cc2c01b29db6c6a2
 2024-03-31 02:47:12 +01:00
Michael Bestas
7eabf65ff9 Merge tag 'LA.UM.12.2.1.r1-02900-sdm660.0' into staging/lineage-21.0_merge-LA.UM.12.2.1.r1-02900-sdm660.0 
"LA.UM.12.2.1.r1-02900-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02900-sdm660.0':
  Sepolicy : Allow vendor_init to access bluetooth prop.
  Add sepolicy dir and sock permissions to location module
  location AVC denials during user profile switch

 Conflicts:
	legacy/vendor/common/property_contexts

Change-Id: Ic870aa5f9abe177e4d8c00a1bf3d9b66b67e3d75
 2024-03-29 12:08:16 +02:00
Michael Bestas
a55fc3cc31 legacy: Allow USB HAL get vendor_usb_prop 
Similar to hal_usb_qti.

Change-Id: If0f608f8f2c59a21f89ffebc118e56c559a90755
 2024-03-22 13:44:03 +01:00
Linux Build Service Account
f7b43c73fc Merge 781cfc8b70 on remote branch 
Change-Id: I14db31b322d381a2eefde3dab9fd83520aa478d7
 2024-02-20 04:36:52 -08:00
Neelu Maheshwari
781cfc8b70 Sepolicy : Allow vendor_init to access bluetooth prop. 
Change-Id: I393b039b87ac8d717f42640030c1e5d01049ab70
 2024-02-08 23:56:36 -08:00
Linux Build Service Account
dabe110bf0 Merge "Add sepolicy dir and sock permissions to location module" into sepolicy.lnx.12.0.c2 2024-01-30 21:10:00 -08:00
Harikrishnan Hariharan
e1c8914c62 Add sepolicy dir and sock permissions to location module 
Allow location module to have directory read, write
and socket create permissions in /data/vendor/ path.

CRs-Fixed: 2205732
Change-Id: I4a75623b562337e13b121bacf86af0f97f457916
 2024-01-25 09:06:34 +05:30
Nilesh Gharde
8273b09de3 location AVC denials during user profile switch 
CRs-fixed: 3713029
Change-Id: Ie20f60a981769278dc1fda195e55f27942cd6a78
 2024-01-23 03:12:55 -08:00
Bruno Martins
18b608b651 Merge tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy into lineage-21.0-legacy-um 
"LA.UM.12.2.1.r1-02500-sdm660.0"

* tag 'LA.UM.12.2.1.r1-02500-sdm660.0' of https://git.codelinaro.org/clo/la/device/qcom/sepolicy:
  sepolicy : Allow apps to have read access to vendor_display_prop
  sepolicy:qcc: add qcc path to dropbox
  sepolicy:qcc : switch to platform app
  Sepolicy : dontaudit to vendor.hw.fm.init property
  SE Policy change to fix avc denial for qcrild socket
  Avc denials on sdm660 from location, hal_gnss_qti
  sepolicy: Add file context for Widevine DRM
  sepolicy: Add file context for DRM
  sepolicy: Fix qcc avc denial issue
  sepolicy:donotaudit for com.qualcomm.location
  Sepolicy rules to allow Gnss Hal to access ssgtz
  sepolicy rules to allow Gnss Hal to access RIL Srv
  Allow vendor_location_xtwifi_client to access ssgtzd socket

 Conflicts:
	generic/vendor/common/file_contexts
	legacy/vendor/common/vendor_init.te

Change-Id: Ibcd6a15e0ee9ab5bee6da5bafb41702e67549e30
 2024-01-09 10:36:03 +00:00
Linux Build Service Account
696224d4c9 Merge 8569f71b88 on remote branch 
Change-Id: I1c1e45d37872a1c5a0e8ff18582e942fbd7cb504
 2023-12-22 00:49:45 -08:00
Neelu Maheshwari
8569f71b88 sepolicy : Allow apps to have read access to vendor_display_prop 
Change-Id: Ib2793107a54fa1a2df60ac872645277a9a0b2415
 2023-11-27 23:29:02 -08:00
Michael Bestas
4bf4c11974 Revert "sepolicy: Label idle_state node" 
This reverts commit 4479f08d19.

Change-Id: Iecfb9e94e65e45597a43256eb877fb8c8a8f4717
 2023-11-28 02:31:57 +02:00
Linux Build Service Account
36ea3c2980 Merge "SE Policy change to fix avc denial for qcrild socket" into sepolicy.lnx.12.0.c2 2023-11-27 01:46:54 -08:00
Linux Build Service Account
1ea539bb46 Merge "Avc denials on sdm660 from location, hal_gnss_qti" into sepolicy.lnx.12.0.c2 2023-11-27 01:46:51 -08:00
BeYkeRYkt
4479f08d19 sepolicy: Label idle_state node 
Change-Id: I4ab197511726e28f7005d0e808803493e406591e
 2023-11-25 23:45:59 +00:00
Linux Build Service Account
0591d9f541 Merge 5207f749c4 on remote branch 
Change-Id: I09b5099e114c2765b525dbc8674085569aa746a7
 2023-11-24 15:02:54 -08:00
Linux Build Service Account
5207f749c4 Merge "sepolicy: Add file context for Widevine DRM" into sepolicy.lnx.12.0.c2 2023-11-22 23:31:23 -08:00
Linux Build Service Account
2664ad4668 Merge "Sepolicy : dontaudit to vendor.hw.fm.init property" into sepolicy.lnx.12.0.c2 2023-11-17 02:52:29 -08:00
Linux Build Service Account
0ccdfafa9a Merge "sepolicy:qcc : switch to platform app" into sepolicy.lnx.12.0.c2 2023-11-16 22:21:34 -08:00
Sanghoon Shin
2145757135 sepolicy:qcc: add qcc path to dropbox 
allow both "qcc" and "qdma" in preparation to transition to "qcc"
to avoid use "qdma" word in implementation

Change-Id: I608f8ecc14e56f3b17823c759c7064f09601f594
 2023-11-16 05:10:18 -08:00
Sanghoon Shin
4c6d84fd65 sepolicy:qcc : switch to platform app 
Change-Id: I661fef3af7d0a9518f67e14f2787999f268485e0
 2023-11-16 05:10:11 -08:00
Neelu Maheshwari
adc7e8bb6b Sepolicy : dontaudit to vendor.hw.fm.init property 
Change-Id: I0abc011871328bb269767ceffe9b6ddb2cf9b185
 2023-11-16 17:39:38 +05:30
Kamesh Relangi
4603509240 SE Policy change to fix avc denial for qcrild socket 
Change-Id: I1c2f3378d974a07496590a3dbd1b20323dbbba16
 2023-11-15 11:51:54 +05:30
Nilesh Gharde
1750c0806f Avc denials on sdm660 from location, hal_gnss_qti 
Change-Id: I3ac6a4d5db46cce66eecd70531a180e21177d979
CRs-fixed: 3661430
 2023-11-15 11:48:10 +05:30
Bruno Martins
f9b54fb034 sepolicy: Label QTI health AIDL service 
Change-Id: Ic49f0d4fa46ac4749e9bad3a9d4a780c54c3880e
 2023-11-13 17:01:08 +00:00
Bruno Martins
ce7b0f7cac sepolicy: Remove duplicate hwservice_contexts 
Multiple same specifications for vendor.qti.hardware.systemhelper::ISystemResource.
Multiple same specifications for vendor.qti.hardware.systemhelper::ISystemEvent.

Change-Id: Ied0215bcc342c5f93fdd5ae4ba5e2a16ba8bf83f
 2023-11-12 13:03:10 +00:00
Alexander Martinz
6aeeffc61d legacy: allow apexd to write to sysfs_mmc_host 
As qualcomm relabels read_ahead_kb and friends as sysfs_mmc_host
we explicitly need to grant apexd access to it or it will break.

This results in eg GSIs to be unbootable.

type=1400 audit(3799551.036:40): avc: denied { read write }
  for comm="apexd" name="read_ahead_kb" dev="sysfs" ino=81305
  scontext=u:r:apexd:s0 tcontext=u:object_r:sysfs_mmc_host:s0
  tclass=file permissive=0

Change-Id: Iea24b94318893e8526e06e24bc3308acba37b0cc
Signed-off-by: Alexander Martinz <amartinz@shiftphones.com>
 2023-11-03 22:21:59 +00:00
Linux Build Service Account
e1e39dc497 Merge "sepolicy: Add file context for DRM" into sepolicy.lnx.12.0.r21-rel 2023-11-03 08:14:01 -07:00
Prabhat Roy
a14482b2b1 sepolicy: Add file context for Widevine DRM 
Set context for widevine services
android.hardware.drm-service-widevine
android.hardware.drm-service-lazy.widevine

validation:
xts test case: passes all the xts test case

Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
 2023-11-03 12:46:32 +05:30
Prabhat Roy
a17345a7ce sepolicy: Add file context for DRM 
Change-Id: I568149e2c91f86a72007fb5b04f5597f133eea64
 2023-11-02 11:12:02 +05:30
LuK1337
f0f3f11097 sepolicy: isolated_app -> isolated_app_all 
Change-Id: I10b09afe41b927875d1f7c37d6fc18b75ae1250a
 2023-10-31 23:56:49 +00:00
Giovanni Ricca
47ba089fb7 sepolicy: Drop duplicate label 
* Merged on https://review.lineageos.org/c/LineageOS/android_device_lineage_sepolicy/+/371121

Change-Id: If4ab4cf2765572b662a60286651ab967fb90d133
 2023-10-28 15:08:26 +02:00
Linux Build Service Account
a015be7f62 Merge "sepolicy: Fix qcc avc denial issue" into sepolicy.lnx.12.0.c2 2023-10-11 23:26:20 -07:00
Neelu Maheshwari
8b41a7958b sepolicy: Fix qcc avc denial issue 
Add rule to allow qcc to access runtime data file and fix below
    denial:

    avc: denied { read } for  comm="qccsyshal@1.2-s" name="qcc" dev="dm-36" ino=682
    scontext=u:r:vendor_qccsyshal_qti:s0 tcontext=u:object_r:system_data_file:s0
    tclass=dir permissive=0

Change-Id: I1477af3537b8158d4c47af93cf753db89e20cccd
 2023-10-11 23:03:28 -07:00
Neelu Maheshwari
61bf1906d7 sepolicy:donotaudit for com.qualcomm.location 
auditd  : type=1400 audit(0.0:25): avc:  denied  { read } for  comm="alcomm.location"
name="u:object_r:default_prop:s0" dev="tmpfs" ino=23722
scontext=u:r:vendor_location_app:s0 tcontext=u:object_r:default_prop:s0
tclass=file permissive=0 app=com.qualcomm.location

Change-Id: I1fe8e7730f569fbaf955e79aba784de70cc9f944
 2023-10-11 22:56:13 -07:00
Linux Build Service Account
bd5cc9c436 Merge 1347478fc8 on remote branch 
Change-Id: I40b303693249945736a7815f1f5bf1a4c25a15b4
 2023-10-03 13:37:46 -07:00
Bharath
9f61741dd6 sepolicy: Label QTI Thermal HAL 2.0 
The name was changed from thermal.msm8953 to a generic one while
moving to 2.0. Hence, add proper label to the new HAL binary.

Change-Id: I7e73035224a3f421c1f8f8e7a4e0f6ab072fab32
(cherry picked from commit 578d104a6e72b9289af668780acd571bad4bc489)
 2023-09-28 15:09:36 +05:30
Nilesh Gharde
cdaad86cac Sepolicy rules to allow Gnss Hal to access ssgtz 
CRs-fixed: 3593483
Change-Id: Iec880aa7908f2c3aa71695a4961823ff7dd0b677
 2023-09-25 00:06:03 -07:00
Linux Build Service Account
1347478fc8 Merge "Allow vendor_location_xtwifi_client to access ssgtzd socket" into sepolicy.lnx.12.0.c2 2023-09-20 02:28:21 -07:00
Linux Build Service Account
a859c67fc9 Merge "sepolicy rules to allow Gnss Hal to access RIL Srv" into sepolicy.lnx.12.0.c2 2023-09-20 02:28:18 -07:00
Nolen Johnson
fd5f0ffce2 legacy: common: Label discard_max_bytes for SDB devices 
Change-Id: Ic95a3bfdb53073b6f68b985ea1fbd3f3c3ce34a3
 2023-08-23 15:13:41 +00:00
me-cafebabe
ada4be8ba0 Allow FM2 app to read/write vendor.hw.fm. props 
* Those props are used by vendor/qcom/opensource/fm-commonsys/jni/android_hardware_fm.cpp

Change-Id: I1a141e7d4a0e7d1d788fb049e0e8625d1b2d7e27
 2023-08-04 09:50:10 +02:00
jro1979oliver
d2866673fb sepolicy: Import legacy usb rules 
- commit https://review.lineageos.org/c/LineageOS/android_device_qcom_sepolicy/+/360376
  relabeled the usb hal and we hit the following log:

usb@1.0-service: type=1400 audit(0.0:5346): avc: denied { search } for uid=1000 name="usbpd0" dev="sysfs" ino=40564 scontext=u:r:hal_usb_default:s0 tcontext=u:object_r:sysfs_usbpd_device:s0 tclass=dir permissive=0
07-13 12: 41:07.134   816  2117 E android.hardware.usb@1.0-service: uevent received SUBSYSTEM=dual_role_usb
07-13 12: 41:07.135   816  2117 I android.hardware.usb@1.0-service: otg_default
07-13 12: 41:07.135   816  2117 E android.hardware.usb@1.0-service: getCurrentRole: Failed to open filesystem node
07-13 12: 41:07.135   816  2117 E android.hardware.usb@1.0-service: Error while retreiving portNames
07-13 12: 41:07.138  1588  2451 E UsbPortManager: port status enquiry failed

Co-authored-by: ExactExampl <64069095+ExactExampl@users.noreply.github.com>
Change-Id: I6b58a248195c59f09514caa7b89c2810f7a8e146
 2023-07-25 19:45:53 +03:00
Michael Bestas
b1710c61ea sdm660: Label 4.19 backlight node 
Change-Id: Ied1fc8844852fbef3711e46bcc07d4ec100e7a12
 2023-07-15 14:01:14 +03:00
Quallenauge
470d8edfda sepolicy: Allow qti_init_shell to set proc_watermark_scale_factor. 
Change-Id: I5e59fd91e723df95224e5738295c2b8007f6f053
 2023-07-15 14:01:14 +03:00
Michael Bestas
fc9b1c6105 sepolicy: Guard debugfs rules 
Allow building with PRODUCT_SET_DEBUGFS_RESTRICTIONS set.

Change-Id: I0d0703ea21f1f812c06247a3db2bc755e8904149
 2023-07-15 14:01:14 +03:00
Bruno Martins
5484e1497d hal_usb_qti: Make legacy rules more aligned with QVA 
Change-Id: If35e87a56efb3e7a82ed2f06bb4dcab8ec4a0e82
 2023-07-15 14:01:14 +03:00
LuK1337
c2b70184e1 sepolicy: Label QTI USB HAL 
Change-Id: I0fce6172ce47f4f61d9ee2cb829749b4e5643403
 2023-07-15 14:01:14 +03:00
Michael Bestas
28a0580725 Merge tag 'LA.UM.11.2.1.r1-04100-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-04100-sdm660.0 
"LA.UM.11.2.1.r1-04100-sdm660.0"

* tag 'LA.UM.11.2.1.r1-04100-sdm660.0':
  sepolicy: Compilation fix for newer upgrade.
  sepolicy: Add sepolicy rules for TZAS
  sepolicy: using SYSTEM_EXT_<PUBLIC/PRIVATE>_SEPOLICY_DIRS variable
  sepolicy: Add policy for atfwd client
  sepolicy: Add sepolicy for AtCmdFwd app

 Conflicts:
	SEPolicy.mk

Change-Id: I3743693bab62bcacd4862b40fe3a51e8131ca66a
 2023-07-11 16:17:48 +03:00
Michael Bestas
1d7b129f0b sepolicy: Allow location read xtra-daemon control property 
Change-Id: If869f21c4397c65672c9319990d8dc4baca2aa3a
 2023-06-07 00:58:30 +03:00
Linux Build Service Account
f76894974a Merge 6f68a803eb on remote branch 
Change-Id: I6dea49853525da383085cce2826bf5a5e2372249
 2023-06-05 08:12:29 -07:00
Himanshu Agrawal
6f68a803eb sepolicy: Compilation fix for newer upgrade. 
Change-Id: I7eb38060cb0a1ad3e09d221022bd5955fb95b396
 2023-05-19 05:10:20 -07:00
Linux Build Service Account
546edbb3c4 Merge "sepolicy: using SYSTEM_EXT_<PUBLIC/PRIVATE>_SEPOLICY_DIRS variable" into sepolicy.lnx.12.0.c2 2023-05-19 04:43:49 -07:00
Mobashshirur Rahman
5115a5faef sepolicy rules to allow Gnss Hal to access RIL Srv 
Change-Id: Iacbe878f740c71923d5da5c82fbe754ec9fb156b
 2023-05-17 17:18:25 +05:30
Mobashshirur Rahman
b3c7469b74 Allow vendor_location_xtwifi_client to access ssgtzd socket 
Change-Id: Ia3bdc36b455192f87fc480143068f49e8a401314
 2023-05-17 17:12:39 +05:30
Michael Bestas
efdc05a907 sepolicy: Restrict access to /sys/devices/soc0/serial_number 
Change-Id: I6254ef6e160ff0d3c3ce2e51f20f557e75826dff
 2023-05-11 20:14:34 +03:00
Himanshu Agrawal
0d44cf1b75 sepolicy: Add sepolicy rules for TZAS 
Add the sepolicy rules for trustzone
access service to provide it access to
various vendor and android services.

Change-Id: I80f8bcb9a917ed18331fa3b92f1e8c65f8c631ad
 2023-05-09 03:05:55 -07:00
Himanshu Agrawal
c88bdefd08 sepolicy: using SYSTEM_EXT_<PUBLIC/PRIVATE>_SEPOLICY_DIRS variable 
BOARD_PLAT_<PUBLIC/PRIVATE>SEPOLICY_DIR is going to be deprecated
so using new flag.

Change-Id: I039e81ca3bced08038f0e7f2ea3e706947d024fb
 2023-05-09 03:05:14 -07:00
Linux Build Service Account
1f3c5bd578 Merge ee6be5f18d on remote branch 
Change-Id: I7cb5c59bb7b8b05fa9eaa8db83f442e8e73d8521
 2023-05-03 00:42:23 -07:00
Michael Bestas
f587eed501 Merge tag 'LA.UM.11.2.1.r1-03400-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-03400-sdm660.0 
"LA.UM.11.2.1.r1-03400-sdm660.0"

# By Arvind Kumar (1) and Jiani Liu (1)
# Via Jiani Liu (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03400-sdm660.0':
  Add sepolicy for ISupplicantVendor aidl
  Permission to access binderfs for binder info

Change-Id: Ice22795ff63de9cc918af6a22e113fe1fce1de83
 2023-04-24 18:10:38 +03:00
Sridhar Kasukurthi
ee6be5f18d sepolicy: Add policy for atfwd client 
Add policy for atfwd daemon client

Change-Id: I0251b892ffdfbd02ba16b3dc08998581b1c45015
CRs-Fixed: 3450521
 2023-04-05 11:54:07 +05:30
Linux Build Service Account
5a2d5c4c76 Merge f9714cd55d on remote branch 
Change-Id: I6783a1c218a62aa4ba21eb2a5fb009f7e7e04e18
 2023-04-03 11:26:09 -07:00
Michael Bestas
eca848c791 Merge tag 'LA.UM.11.2.1.r1-03300-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-03300-sdm660.0 
"LA.UM.11.2.1.r1-03300-sdm660.0"

# By Jiani Liu (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-03300-sdm660.0':
  Add sepolicy for ISupplicantVendor aidl
  sepolicy: fix issue on non-snap target

Change-Id: I512ef692ad0178c26817da2745b67e5dd43c1ee1
 2023-03-24 03:08:25 +02:00
Sridhar Kasukurthi
5411d6a5af sepolicy: Add sepolicy for AtCmdFwd app 
Change-Id: I5b3bf28701a785988dcaaaf207a98d0d1cb3f002
 2023-03-23 15:46:34 +05:30
Jiani Liu
e0e6534e6e Add sepolicy for ISupplicantVendor aidl 
This commit adds required sepolicy changes to avoid avc denial for new
vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default.

Change-Id: Ie272772338299eb2c684b1c3683e062b12ca486b
 2023-03-06 22:56:30 -08:00
Jiani Liu
f9714cd55d Add sepolicy for ISupplicantVendor aidl 
This commit adds required sepolicy changes to avoid avc denial for new
vendor.qti.hardware.wifi.supplicant.ISupplicantVendor/default.

Change-Id: Ie272772338299eb2c684b1c3683e062b12ca486b
 2023-03-07 14:54:08 +08:00
Georg Veichtlbauer
286e849647 sepolicy: msm8998: Label discard_max_bytes 
Change-Id: I7adc3514c0958da8d27d7210b84c375dc66d9c43
 2023-02-16 09:38:36 +01:00
Georg Veichtlbauer
95d4b318ab sepolicy: msm8998: Label extcon cable nodes 
Change-Id: I8e48a9a1c411a5573902833da48da6dbc1b15bb7
 2023-02-15 10:49:36 +01:00
Jarl-Penguin
509eb10cca sepolicy: qva: Allow FM app to find mediametrics service 
11-03 19:54:34.702   693   693 I auditd  : avc:  denied  { find } for
 pid=13778 uid=10126 name=media.metrics
 scontext=u:r:vendor_fm_app:s0:c126,c256,c512,c768
 tcontext=u:object_r:mediametrics_service:s0
 tclass=service_manager permissive=0

Signed-off-by: Jarl-Penguin <jarlpenguin@outlook.com>
Change-Id: I1d9b402dd18e54e5d07550e8ae0ef7e9c804bb12
 2022-11-03 20:11:57 +01:00
Arvind Kumar
127987d3e0 Permission to access binderfs for binder info 
Change-Id: If386da636f084c2c67ee6323300aae0c2ac75bc5
 2022-11-03 11:43:07 +05:30
Georg Veichtlbauer
0c87ade841 poweroffalarm_app: Remove levelFrom attribute 
levelFrom is used to determine the level (sensitivity + categories)
for MLS/MCS. If set to all, level is determined from both UID and
user ID. This is bad for poweroffalarm, as it needs to be able to
write to /persist/alarm/data which has a context without mls_level:
  u:object_r:persist_alarm_file:s0
instead of
  u:object_r:persist_alarm_file:s0:c0,c256,c512,c768

Change-Id: I9a8b706cdedc090281e4b5542eb34816b7ff338e
 2022-10-19 11:26:56 +02:00
Guixiong Wei
397c843152 Sepolicy: Remove poweroffalarm system uid 
remove poweroffalarm system uid

Change-Id: I2e93c12b5e9b0169b77d1beecbdbbb7757b8ee1e
 2022-10-19 00:04:09 +02:00
Michael Bestas
4cc11498a0 Merge tag 'LA.UM.11.2.1.r1-01900-sdm660.0' into staging/lineage-20.0_merge-LA.UM.11.2.1.r1-01900-sdm660.0 
"LA.UM.11.2.1.r1-01900-sdm660.0"

# By Neelu Maheshwari (1) and Sanghoon Shin (1)
# Via Gerrit - the friendly Code Review server (1) and Linux Build Service Account (1)
* tag 'LA.UM.11.2.1.r1-01900-sdm660.0':
  sepolicy: fix issue on non-snap target
  Sepolicy : Fixed Multiple AVC Denials in 11.2.1 SDM660.

 Conflicts:
	generic/vendor/common/hwservice.te
	generic/vendor/common/hwservice_contexts
	legacy/vendor/msm8996/hal_qccvndhalservice.te
	legacy/vendor/sdm660/file_contexts
	qva/vendor/common/hwservice.te
	qva/vendor/common/hwservice_contexts

Change-Id: Ic0fa79f8c74969f25061f50706000abee5b0d008
 2022-10-05 18:54:55 +03:00
Linux Build Service Account
3e81a78fdd Merge c3c0f8aeca on remote branch 
Change-Id: I4053f6994cdf346625ada7ec92df795c7fcf76f6
 2022-09-29 04:53:55 -07:00
Michael Bestas
176268430e Label old telephony extension 
* It was renamed in bb15e90b05

Change-Id: I0a4ac559c2fe1b9e8c3267a8afa4ebc7a3a17600
 2022-09-16 19:32:19 +01:00
Mao Jinlong
68d4eb0fcb sepolicy-legacy-um: poweroffalarm_app: Add power off alarm app 
Make power off alarm app as an independent app domain so that
the sepolies will not affect other apps.
[Giovix92]: Adapt it to lineage-18.1

CRs-Fixed: 2113144
Original Change-Id: Ia80575b6dea893bde30636b9a814a6f20ea54b6f

Change-Id: Ie56c5cbade7332a145f10cd5fff0955bcfc724ef
 2022-09-16 19:32:19 +01:00
Nolen Johnson
9aa35a0a35 legacy: vendor: Allow location to read wifi_hal_prop 
Change-Id: If40681d4c172676b4895d14f65600eb41de8978b
 2022-09-16 19:32:19 +01:00
Michael Bestas
8a47dfda7f sdm660: Remove overly broad init rule 
* The services should be labelled properly instead

Change-Id: I401790e6b0f7bd3bcbc2dd185ced30c28ea5ad91
 2022-09-16 19:32:19 +01:00
Michael Bestas
be9129900a sdm660: Remove duplicate init rule 
* Already defined in common

Change-Id: Ifa56dbfde90b6b7bdc6f2ae7d7dca1df974f92ac
 2022-09-16 19:32:19 +01:00
Michael Bestas
23be04abfc Label persist.vendor.bluetooth. properties 
* As seen on non legacy

Change-Id: I06c8b554256565f536fc643e3a743272c841cdef
 2022-09-16 19:32:19 +01:00
Arian
4060ff2ecc sepolicy: legacy: qva: Allow cnd to read wifi_hal_prop 
The `wifi.interface` property was labelled as `exported_default_prop` by
system/sepolicy in android 11. Since android 12 it is labelled as
`wifi_hal_prop` which causes the following denial.

W libc    : Access denied finding property "wifi.interface"
W cnd     : type=1400 audit(0.0:22): avc: denied { read } for name="u:object_r:wifi_hal_prop:s0" dev="tmpfs" ino=26257 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_hal_prop:s0 tclass=file permissive=0

Change-Id: I6cf8ad4133ca3013d844d4ef3b2701de22f408b0
 2022-09-16 19:32:19 +01:00
Arthur Shuai
4b5ae9efcd Sepolicy: add define for lksecapp 
Change-Id: Ibdfad127f8d537c94f99420dfa9f843381f38207
 2022-09-16 19:32:19 +01:00
Michael Bestas
c2299d1a1b Allow vendor_init set vendor_time_service_prop 
* Required to set persist.vendor.delta_time.enable=true
  in vendor build.prop with property isolation enabled

Change-Id: I180f236c6aac2a7266f4d49dfe9c1ca9e5582c5c
 2022-09-16 19:32:19 +01:00
Michael Bestas
a8566d9272 sdm660: Label sysfs_uio_file 
Change-Id: I10d90a4dd01ec86f6d371685e7669b7b8f676529
 2022-09-16 19:32:19 +01:00
Michael Bestas
8d011c9136 sdm660: Label sysfs_ssr_toggle 
Change-Id: If24855f5e72d904043e69893fa5590ac26b46ff5
 2022-09-16 19:32:19 +01:00
Chirayu Desai
f906323821 Label persist/rfs recursively 
* restorecon_recursive silenty fails otherwise.

Change-Id: If31d9b55dc68f39ee6b43d784167e7233b8e07c8
 2022-09-16 19:32:19 +01:00
Michael Bestas
2f24aeb0d0 common: Label persist.vendor.camera.debug.logfile 
* Used in recent camera HALs

Change-Id: I81ac7c9bf262365a6baabde3fac5ce652c8e683c
 2022-09-16 19:32:19 +01:00
Aayush Gupta
6912f5f7cf sdm660: Generate contexts for rtc 
[   14.612920] type=1400 audit(1601989375.643:13): avc: denied { open } for comm="system_server" path="/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0/hctosys" dev="sysfs" ino=33519 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[   14.612933] type=1400 audit(1601989375.643:14): avc: denied { getattr } for comm="system_server" path="/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0/hctosys" dev="sysfs" ino=33519 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: If6b278de0a67086595cee21395d1ceaf52fbef28
 2022-09-16 19:32:19 +01:00
Mohit Aggarwal
05a2a86d19 sepolicy: setting secontext to rtc node 
Change-Id: I0235cd63bfa7fc46aca1a047e40d1fc4b71d4ea0
 2022-09-16 19:32:19 +01:00
Amit P Choudhari
858c757661 sepolicy: Add rw permission for i2c touch sys node 
Change-Id: Ife56a3253bd97c2da2d7b70c0553627d32d153ba
 2022-09-16 19:32:19 +01:00
Michael Bestas
bac2436661 Use set_prop() macro for property sets 
Change-Id: Id67a05f8ed718cad5856613c2700f4ce1e404cf0
 2022-09-16 19:32:19 +01:00
Scott Warner
e7b12756b8 sepolicy: Remove duplicate property definition 
vendor_persist_camera_prop is already declared in Lineage sepolicy

Change-Id: Idfc24a85c7654796cdb243443953a8e0bfb28b0a
 2022-09-16 19:32:19 +01:00
Shashi Shekar Shankar
fbb827151a sepolicy : msm8998: remove regexp for ssr node on sysfs 
Remove regexp & add target specific genfs_context

CRs-Fixed: 2166567

Change-Id: Ib950ca0d72bc7e5647410e1876a8ce9095ca9aba
 2022-08-25 16:40:31 +03:00
Bruno Martins
ae7a74c359 sepolicy: Allow mm-qcamerad to access v4L "name" node 
Change-Id: I42b329d782795feed776b09d5c12d89be9bac868
 2022-08-25 16:40:31 +03:00
Bruno Martins
4bb1c0d112 sepolicy: Fix video4linux "name" node labeling 
Do u even regex, br0?

Change-Id: If907448d394f967268c9f72051bec5a47220087b
 2022-08-25 16:40:31 +03:00
Michael Bestas
43fcd25c65 msm8998: Label LED sysfs 
* Similar to sdm660

Change-Id: I691e0f7a7ea3fcf753a353cbe2171cc167bac3bf
 2022-08-25 16:40:31 +03:00
Michael Bestas
fac17c5891 msm8998: Label usbpd sysfs 
* Similar to sdm660

Change-Id: I069843bc98b742afe61b1b845a9874be0ee5f61f
 2022-08-25 16:40:31 +03:00
Michael Bestas
5b3bff23e6 Import msm8996 policy from lineage-18.1-legacy-um 
Imported as of 5205565e573ab463a783a3bdbb44c6c4bc91600b

Change-Id: I94a6261260a3cb49da8fa7be910edac19efebb3a
 2022-08-25 16:40:29 +03:00
Rashed Abdel-Tawab
ad15a7e3b2 qcom: Label vendor files with (vendor|system/vendor) instead of vendor 
Not all devices have a vendor partition so these labels blatantly get
ignored without labelling system/vendor on those devices.

Change-Id: I244d667f6b3ddcf7eac71719a981dc25dc401873
 2022-08-25 16:39:54 +03:00
Michael Bestas
0f1c7b599f sepolicy: Label persist partition for all SoCs 
Change-Id: I8db3acb9a1b958ec59c7f14c6ee16ea466548cc7
 2022-08-25 16:39:33 +03:00
dianlujitao
243bad646f sepolicy: Unlabel aux camera whitelist prop 
* This will be properly labeled in device/lineage/sepolicy
   to make it readable to everything on every device

Change-Id: Idec6cad06c51ba73519f61e95c74e1c8915d301b
 2022-08-25 16:39:33 +03:00
Volodymyr Zhdanov
abb050ee08 legacy: Fix newline in file_contexts 
Change-Id: Ia1543799d5cf858053dd127c1e9ea9559236bd9e
 2022-08-25 16:39:33 +03:00
Aayush Gupta
f6a26f29fb sepolicy: Switch to BOARD_VENDOR_SEPOLICY_DIRS 
- BOARD_SEPOLICY_DIRS is deprecated and gives compile-time
  errors when used in unison with a device using BOARD_VENDOR_SEPOLICY_DIRS

Ref:
[0]: ec3ac470a9

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Icefb062cc8cdef532b4310684d9a66afe97e49c4
 2022-08-25 16:39:31 +03:00
Michael Bestas
b8b7988874 sepolicy: Switch to SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS 
Fixes:
warning: BOARD_PLAT_PRIVATE_SEPOLICY_DIR has been deprecated.
    Use SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS instead.
warning: BOARD_PLAT_PUBLIC_SEPOLICY_DIR has been deprecated.
    Use SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS instead.
Change-Id: I752602079de8ff4c5370fe3ec861b8746838d878
(cherry picked from commit 0212863d2b1b58189e1c88bb86e5479121bd8e4d)
 2022-08-25 16:38:38 +03:00
Michael Bestas
ac5c138f8d sepolicy: Remove rules for non legacy platforms 
* All these platforms are not legacy and shall inherit from the proper
   branch (lineage-20.0)

Change-Id: I475ae930ac5b682b613a9b17dece7fa4a160a6ba
 2022-08-25 16:38:34 +03:00
Pig
8f6ad8b0b2 sepolicy: Include Lineage-specific QCOM sepolicy 
Change-Id: Ibf70e4c8ab9d91b50c62c3e9f1263e1624e8ca00
 2022-08-25 16:38:11 +03:00
Michael Bestas
9451b7e77c sepolicy: Update paths for new repository location 
Change-Id: Ibdaed7b3ff6463c682c65091ffbc82c36bfff348
 2022-08-25 01:21:51 +03:00
Pig
1a84f354e2 sepolicy: Remove QCOM guards 
Change-Id: I0efd0b96f45ecfa9eec0b98087f0582dcd282798
 2022-08-25 01:21:51 +03:00
Chirayu Desai
2db04fd842 Add .gitupstream file 
Change-Id: I09a51a0b5f5826488a1596bcaf81bf0ed26a258c
 2022-08-25 01:21:51 +03:00
Linux Build Service Account
e38a736110 Merge a8d0a3a4af on remote branch 
Change-Id: Ia484fe61849bc4b47d62a4ae6371b63491f650f4
 2022-08-11 06:25:08 -07:00
Sanghoon Shin
c3c0f8aeca sepolicy: fix issue on non-snap target 
1. avc: denied { search } for comm="com.qti.qcc" name="qdma" dev="dm-8" ino=546
scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_qcc_data_file:s0 tclass=dir permissive=0
2. avc:  denied  { find } for interface=vendor.qti.hardware.qccvndhal::IQccvndhal
sid=u:r:system_app:s0 pid=2183 scontext=u:r:system_app:s0
tcontext=u:object_r:vendor_hal_qccvndhal_hwservice:s0 tclass=hwservice_manager permissive=0

Change-Id: Ib252a7507274d0d6c97e8adc72775d23e9900de1
 2022-07-22 15:10:41 -07:00
Sanghoon Shin
01fae0b45b sepolicy: fix issue on non-snap target 
1. avc: denied { search } for comm="com.qti.qcc" name="qdma" dev="dm-8" ino=546
scontext=u:r:system_app:s0 tcontext=u:object_r:vendor_qcc_data_file:s0 tclass=dir permissive=0
2. avc:  denied  { find } for interface=vendor.qti.hardware.qccvndhal::IQccvndhal
sid=u:r:system_app:s0 pid=2183 scontext=u:r:system_app:s0
tcontext=u:object_r:vendor_hal_qccvndhal_hwservice:s0 tclass=hwservice_manager permissive=0

Change-Id: Ib252a7507274d0d6c97e8adc72775d23e9900de1
 2022-07-15 18:10:49 -07:00
Neelu Maheshwari
a8d0a3a4af Sepolicy : Fixed Multiple AVC Denials in 11.2.1 SDM660. 
Change-Id: I720fc8af14e1aea42d343603f740f09066f5427a
 2022-07-15 00:39:19 -07:00
Linux Build Service Account
44efe810c7 Merge 3114a14f3d on remote branch 
Change-Id: I382268a84c0bf682e41e2f33ea4f146afe283f0d
 2022-05-23 08:29:01 -07:00
Akhil P Oommen
9608542d69 sepolicy: Add shell permission to /sys/class/kgsl/kgsl-3d0/perfcounter 
Allow shell users to have permission to update sysfs node
/sys/class/kgsl/kgsl-3d0/perfcounter

Change-Id: I648b7f4b25e4c8c1644be5046677f41e7b5d2f8c
 2022-03-29 23:22:36 -07:00
Linux Build Service Account
b7568aa432 Merge b22b63ec7b on remote branch 
Change-Id: I8bc29a888dab397cbc8af9860891572939c5ab40
 2022-03-25 00:52:42 -07:00
Akhil P Oommen
3114a14f3d sepolicy: Add shell permission to /sys/class/kgsl/kgsl-3d0/perfcounter 
Allow shell users to have permission to update sysfs node
/sys/class/kgsl/kgsl-3d0/perfcounter

Change-Id: I648b7f4b25e4c8c1644be5046677f41e7b5d2f8c
 2022-03-23 14:52:03 +05:30
Himanshu Agrawal
b22b63ec7b sepolicy:labeling socid and granting the permission to the domains 
for legacy target.

remove read permission for untrusted app to read device info.
Soc_id and family are set to be global read.

Change-Id: I2a30d75f6678f78c746b7b02d8a5abcda6248cea
 2022-01-27 08:45:24 -08:00
Bharat Pawar
ccd2504ebd sepolicy: Add create socket file permission for wcnss_service 
cnss_cli use unix socket to communicate with cnss-daemon.
cnss-daemon need create unix socket server file when init.

Change-Id: Ibbe1eb1f418da17c0155a0663f6a94d8777ef80f
 2022-01-03 16:57:59 +05:30
Bharat Pawar
9ee7d8250c sepolicy: Add create socket file permission for wcnss_service 
cnss_cli use unix socket to communicate with cnss-daemon.
cnss-daemon need create unix socket server file when init.

Change-Id: Ibbe1eb1f418da17c0155a0663f6a94d8777ef80f
 2022-01-03 14:46:27 +05:30
Linux Build Service Account
1ce68a4aed Merge e1dd1dfb1a on remote branch 
Change-Id: I7869a6c59ce25d346ab93f24ae65e4e57948c2e0
 2021-12-22 04:00:04 -08:00
Himanshu Agrawal
e1dd1dfb1a sepolicy: Modified qcc files from qva to generic 
Change-Id: I637d4db79ee85cdf6e26d5cc6b446755f1be80d2
 2021-12-17 11:53:21 +05:30
Himanshu Agrawal
3970a6c9e5 sepolicy: Address multiple avc denials during bootup 
Change-Id: I9eb5510799b33ab17f56d0e1f1440f38b87fa2c3
 2021-12-09 15:16:04 +05:30
Himanshu Agrawal
48290d633b sepolicy: Add device specific wakeup nodes 
Change-Id: I1f39b7e7d13920969f2573e157b217c05adf50fa
 2021-12-06 01:15:58 -08:00
Neelu Maheshwari
cd83ea175c Sepolicy : Fixes for multiple avc denial for sdm660 
Change-Id: If0df4244e417775503e524a8cd5a2212dde0748e
 2021-12-01 16:03:44 +05:30
Bharat Pawar
8e4f3f73e8 Merge commit 'f5b11b78873f9020b7b5073db4bab492c06ea0a2' into HEAD 
Change-Id: I74aa29107039188b14f7585d031483a9e4ef91db
 2021-11-26 12:51:12 +05:30
Neelu Maheshwari
3a39145fbd Sepolicy : Fixes for Multiple denials 
Change-Id: I51e915e0a41a1d24947f79a7d0128a934f02dcfa
 2021-11-17 03:39:10 -08:00
Linux Build Service Account
f5b11b7887 Merge "Sepolicy: Fix avc denial seen during boot up." into sepolicy.lnx.12.0.c2 2021-10-29 10:57:01 -07:00
Linux Build Service Account
9246e22f7a Merge "sepolicy: adding getattr perm for init" into sepolicy.lnx.12.0.c2 2021-10-29 10:56:01 -07:00
Sundhara Raja Usiripati
7353e15e06 sepolicy: adding getattr perm for init 
Change-Id: I4b7295066031aa838139dda203fec019a11386dd
 2021-10-28 07:52:55 -07:00
Neelu Maheshwari
27d9d234b4 sepolicy: Add find permission to systemhelper_app.te 
Change-Id: Ia2a650d5d77dd70b7e6044bfe914f6494c4ed06a
 2021-10-28 07:52:03 -07:00
Amritendu Biswas
183f2de411 sepolicy: support qmi based embms msdc on legacy targets 
Change-Id: I0cac6d60d636ce546f91764703faca468c0ce85f
 2021-10-28 13:52:17 +05:30
Himanshu Agrawal
a3b4f4e984 Sepolicy: Fix avc denial seen during boot up. 
avc: denied { search } for name="location" dev="dm-8" ino=514
scontext=u:r:tlocd:s0 tcontext=u:object_r:location_data_file:s0
tclass=dir permissive=0

avc: denied { write } for name="kmsg" dev="tmpfs" ino=1559
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:kmsg_device:s0
tclass=chr_file permissive=0

- Added these policies as part of reduce avc deniels in boot up

Change-Id: I68868f5c3084bd10d8e74dd0623160a849dab5b9
 2021-10-28 11:12:46 +05:30
Amritendu Biswas
1d3d799a98 sepolicy: support qmi based embms msdc on legacy targets 
Change-Id: I0cac6d60d636ce546f91764703faca468c0ce85f
 2021-10-27 05:13:38 -07:00
Linux Build Service Account
a7cd38e552 Merge "sepolicy: Add read dir permission to hal_bootctl.te" into sepolicy.lnx.6.0.r19-rel 2021-10-21 22:33:24 -07:00
Sundhara Raja Usiripati
b5ffca926b sepolicy: Add read dir permission to hal_bootctl.te 
hal_bootctl needs read permission to sysfs_dt_firmware_android

Change-Id: I6e89b2db756d7070bc4b815cf15a6a4f241d137b
 2021-10-21 09:26:07 -07:00
Himanshu Agrawal
2541672377 sepolicy: Allow access for /dev/qseecom from vendor_init 
avc: denied { getattr } for path="/dev/qseecom" dev="tmpfs" ino=25714
scontext=u:r:vendor_init:s0 tcontext=u:object_r:tee_device:s0
tclass=chr_file permissive=0

Change-Id: Ia55d4e07c4596ab9d2f78cba91b22d84bf35dc5d
 2021-10-21 09:21:01 -07:00
Linux Build Service Account
064c4b07f1 Merge "sepolicy: Add read dir permission to hal_bootctl.te" into sepolicy.lnx.12.0.c2 2021-10-21 01:29:51 -07:00
Himanshu Agrawal
bd0d1c24e4 sepolicy: Allow access for /dev/qseecom from vendor_init 
avc: denied { getattr } for path="/dev/qseecom" dev="tmpfs" ino=25714
scontext=u:r:vendor_init:s0 tcontext=u:object_r:tee_device:s0
tclass=chr_file permissive=0

Change-Id: Ia55d4e07c4596ab9d2f78cba91b22d84bf35dc5d
 2021-10-12 22:08:32 +05:30
Bharat Pawar
5e7da35857 Merge commit '438292158d28d0bde335ba9b2c9aa7ab6d3d8cf0' into HEAD 
Change-Id: I3213fd07a382cf9d006eef8f34dd12c6b5f0f3fe
 2021-10-01 22:16:47 +05:30
Bharat Pawar
48156903a4 Revert "sepolicy: Fix compilation issue" 
This reverts commit 35b7f89f2b.

Change-Id: I789a827b405241d290cfd061df87d5d7fcf31442
 2021-10-01 22:16:16 +05:30
Sundhara Raja Usiripati
da451f1c9f sepolicy: Add read dir permission to hal_bootctl.te 
hal_bootctl needs read permission to sysfs_dt_firmware_android

Change-Id: I6e89b2db756d7070bc4b815cf15a6a4f241d137b
 2021-09-27 15:27:52 +05:30
Linux Build Service Account
438292158d Merge "sepolicy: Add drm clearkey policies" into sepolicy.lnx.12.0.c2 2021-09-21 02:18:49 -07:00
Bharat Pawar
f6f772dfb9 sepolicy: Add drm clearkey policies 
Add selinux rules for drm clearkey services. Refine and extend drm
widevine service rules for future updates.

Change-Id: I1f73fd97ba083085be898f39d96ce2e61e99ca7b
 2021-09-21 00:22:22 -07:00
Linux Build Service Account
fbbbf01dbf Merge "sepolicy: get radio_control_prop multisim property" into sepolicy.lnx.12.0.c2 2021-09-13 04:06:02 -07:00
Bharat Pawar
0c919f535a sepolicy: Add drm clearkey policies 
Add selinux rules for drm clearkey services. Refine and extend drm
widevine service rules for future updates.

Change-Id: I1f73fd97ba083085be898f39d96ce2e61e99ca7b
 2021-09-09 16:42:26 +05:30
Himanshu Agrawal
dd9c8c1825 sepolicy: making system/product and vendor restricted/internal prop 
making system/product and vendor to restricted and public
prop for all the extendeded core prop and property type defined in public

Change-Id: Icbfe02ecb49a70619d6aa03a45975b2db186f559
 2021-09-02 08:03:33 -07:00
Himanshu Agrawal
baa098a5bd sepolicy: Fix compilation issues 
Change-Id: I60fc0aec2f6d4e3330210d52529fba20eb403d92
 2021-08-13 12:35:04 +05:30
Linux Build Service Account
e601b28326 Merge "sepolicy: get radio_control_prop multisim property" into sepolicy.lnx.6.0.r19-rel 2021-08-10 23:34:40 -07:00
Sridhar Kasukurthi
9d1a538365 sepolicy: get radio_control_prop multisim property 
- Allow reading of persist.radio.multisim.config
  property
- Add qtiphone and telephonyservice policy to
  legacy folder

Change-Id: I6ecd57d18cb97760d8133e239940b1e2ad69e55c
 2021-08-10 05:13:53 -07:00
Himanshu Agrawal
7671ef762c sepolicy: making system/product and vendor restricted/internal prop 
making system/product and vendor to restricted and public
prop for all the extendeded core prop and property type defined in public

Change-Id: Icbfe02ecb49a70619d6aa03a45975b2db186f559
 2021-08-10 05:01:54 -07:00
Sridhar Kasukurthi
76f88bb757 sepolicy: get radio_control_prop multisim property 
- Allow reading of persist.radio.multisim.config
  property
- Add qtiphone and telephonyservice policy to
  legacy folder

Change-Id: I6ecd57d18cb97760d8133e239940b1e2ad69e55c
 2021-08-10 02:04:24 -07:00
Linux Build Service Account
8c7ce50ac1 Merge 6123a9d0e8 on remote branch 
Change-Id: Ib85cc04ae2a9affa1c16ac8592e3db679e94af33
 2021-07-08 12:50:02 -07:00
Bharat Pawar
35b7f89f2b sepolicy: Fix compilation issue 
Change-Id: I17fec6d00a4eea33bed1f669668e14d589b3d40f
 2021-06-07 18:24:46 +05:30
Himanshu Agrawal
6123a9d0e8 sepolicy: Add cpu4-ddr-latfloor devfreq node for K4.19 
cpu4-ddr-latfloor devfreq node for K4.19

Change-Id: I1b8462b45de419d79819288bab62f3d56cb84533
 2021-06-03 18:21:17 +05:30
Monika Singh
2a00ecb00b sepolicy: Update qseecomd sepolicy to access tmpfs 
Update policies for qseecomd so that it can access
SFS.

Change-Id: I9bfe8c242de441a4a4171af93481bf00eda7d8f7
 2021-05-25 03:09:23 -07:00
Himanshu Agrawal
a473048fb3 sepolicy: Addressing post-boot denials 
Change-Id: I5282c1acf9f096c6363c77afc0443b06f00a6c37
 2021-05-17 17:12:16 +05:30
Himanshu Agrawal
d7eb0cc6b6 sepolicy: Fix /sys/devices/soc0 read permission issue 
Change-Id: I189fea846191f6407d6c6b9fb767595466b7dc06
 2021-05-05 22:14:35 -07:00
qctecmdr
d418e08af1 Merge "sensors : Updating property name" 2021-05-03 09:18:08 -07:00
Eruvaram Kumar Raja Reddy
f575fdf52f sepolicy: msm8937: Add sysnode for imsdatadaemon 
Add a change to fix avc denial for the imsdatadaemon

Change-Id: I0f2eacf7ee08660b5dd8d39b0ed3a096a3813b38
 2021-04-30 08:20:43 -07:00
Akhil Manikoth Kallankandy
2906bf533d sensors : Updating property name 
changing property name according to VtsTrebleSysPropTest

Change-Id: I95bae88a4126606c4d5eef992d863e483766212f
 2021-04-30 05:45:21 -07:00
qctecmdr
98d6c29eae Merge "sepolicy: msm8937: Add label for wakeup sources" 2021-04-26 04:53:35 -07:00
Himanshu Agrawal
53203d8bfb sepolicy: Add sepolicy rules for vm_bms 
create vendor_vm_bms_debug_prop for debug properties.

Change-Id: I6ac3986af96bb50288e404c377613c6b0d4dc998
 2021-04-22 22:53:53 -07:00
Eruvaram Kumar Raja Reddy
892ac25bce sepolicy: msm8937: Add label for wakeup sources 
Add a change to fix the avc denials for the wakeup source
used for different nodes.

Change-Id: I3f51e966e33fdabdae8cb43bc425ee42d8b3356d
 2021-04-22 02:42:45 -07:00
qctecmdr
6ed2f466d1 Merge "sepolicy: Addressing multiple on-boot denials present" 2021-04-21 23:48:23 -07:00
Himanshu Agrawal
c5495488d8 sepolicy: Addressing multiple on-boot denials present 
Multiple on boot denials has been addressed for
improving device performance.

Change-Id: If0db0c0bd334da91c879d9170d03171c2bf4a91d
 2021-04-20 15:50:51 +05:30
Himanshu Agrawal
efc87f7815 sepolicy: sdm439: Add cpu-ddr-latfloor devfreq node for K4.19 
Add cpu-ddr-latfloor devfreq node for sdm439 target

Change-Id: Id0d84edc1d6474a09ef5c90f9ea5c4f59537728e
 2021-04-19 11:09:26 +05:30
Himanshu Agrawal
38419ce515 sepolicy: Add cpu-ddr-latfloor devfreq node for K4.19 
cpu-ddr-latfloor devfreq node for K4.19

Change-Id: I55e72f915d8de62d47adda386ffabe8421e5c502
 2021-04-14 17:27:31 +05:30
Prerna Kalla
debf881517 sepolicy: Add label for KM 4.1 service 
Add label for KM 4.1 service.

Change-Id: Iab41f356da6562c9c0b9ed942f20442cfc6ec8f2
 2021-04-02 03:55:53 -07:00
qctecmdr
bfca115857 Merge "sepolicy: cpu-ddr devfreq nodes for K4.19" 2021-04-01 03:51:10 -07:00
Karthik Gopalan
3bfa6d9474 sepolicy: cpu-ddr devfreq nodes for K4.19 
cpu-ddr devfreq nodes for K4.19

Change-Id: I2e270c2e89b19b6eda9a020ff6d35cd7f0d04d84
 2021-04-01 02:38:57 -07:00
qctecmdr
e8d0a199a9 Merge "sensros : changing property name" 2021-04-01 01:48:49 -07:00
Akhil Manikoth Kallankandy
7849fcf55f sensros : changing property name 
Change-Id: I17e71ca56e9fa050221972c846a9f99db8761283
 2021-03-31 14:24:32 +05:30
Himanshu Agrawal
bdbe69b3b8 sepolicy: msm8937: Add label for wakeup sources 
Add a change to fix the avc denials for the wakeup source
used for different nodes.

Change-Id: I9309363b04aac163364809083edf359dcab2ab0c
 2021-03-30 03:26:17 -07:00
Himanshu Agrawal
58dfef56b4 sepolicy: msm8937: Add selinux rules for update engine 
Change-Id: I8ba1ca16083613445b7642f83fdccc73a252f658
 2021-03-23 14:20:43 +05:30
Himanshu Agrawal
d7706eea69 sepolicy: Create subsys nodes for QM215GO on kernel 4.19 
Add subsystem handling mapping for mss and venus firmware
for QM215GO on kernel 4.19.

Change-Id: I26799baf24a58c6f80d60560e232f9e8709b1cc6
 2021-03-11 09:51:59 -08:00
Akhil Manikoth Kallankandy
025be09c29 sensor:adding label for new property 
adding label for property use to enable qrtr-ns service

Change-Id: I5634c0c85a0dae9d13151d99f984e22987705636
 2021-03-09 20:26:02 +05:30
Rajshekar Eashwarappa
39c3a61ec2 sepolicy: Adding vbmeta and dtbo dev/block path 
Change required for A/B, DAP build.

Change-Id: I43d91e029935f347ebd9cc00fd129dbc810c94a7
 2021-02-22 01:00:54 -08:00
qctecmdr
e373d6be26 Merge "sepolicy : add new qsta_app.te file for QSTA app" 2021-02-10 23:49:55 -08:00
Akhil Manikoth Kallankandy
86ab7112b8 sepolicy : add new qsta_app.te file for QSTA app 
Change-Id: I7c1086ef983a2a74415a5291b39dfc0305bcc601
 2021-02-11 10:40:40 +05:30
Shivam Agrawal
3b8db900e7 sepolicy: Revert WFD specific Upmerge changes 
Change-Id: I23ac8a7511f2c1c8133bdba8e1155177a51e0bc1
 2021-01-25 08:39:36 -08:00
qctecmdr
34ef27f337 Merge "sepolicy: msm8998: Add sepolicy labels for charger/fg nodes" 2021-01-06 22:31:07 -08:00
Guixiong Wei
b69efc2215 sepolicy: Remove poweroffalarm system uid and redundant rules 
remove poweroffalarm system uid and redundant rules

Change-Id: If51e9ae948b68f1187c66d748935fd1014e72e11
 2020-12-15 18:39:22 -08:00
Gurram Pravalika
ffb6c9041c sepolicy: Add policies for for video in HAL1 
Change-Id: I954b96582719e3e7145fd0ab1afd0425494c3ba7
 2020-12-14 22:57:44 -08:00
qctecmdr
6cfdc77609 Merge "sepolicy : Upmerge changes." 2020-12-14 00:14:39 -08:00
Nitin Shivpure
d5327a1a9d sepolicy: allow bluetooth to make binder call to gpuservice 
allow bluetooth to make binder call to gpuservice.

CRs-fixed: 2748533
Change-Id: Idff3f3c0377fc5dae3e715417556c696f7e4620e
 2020-12-14 10:33:49 +05:30
Himanshu Agrawal
0240ff9832 sepolicy : Upmerge changes. 
Change-Id: I90fb0d6eb70bd5e0e790f8bae7b6cd0501442338
 2020-12-11 06:07:39 -08:00
Shayak Biswas
1442222426 Allow dumpstate for a binder call with power Hal 
This allows dumpstate to have a binder call with power
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: I646fdce79776083df74df48134e85c65dbee69dc
 2020-12-11 09:56:09 +05:30
Himanshu Agrawal
7fdf0be393 sepolicy: msm8998: Add sepolicy labels for charger/fg nodes 
Add sepolicy labels for charger/fg nodes,
to allow access permissions to userspace.

Change-Id: I74a193a6dd3be6ecceb5939ca814661029d8105b
 2020-12-10 18:31:36 +05:30
Kripa Bhat
5d40fe89f3 Allow dumpstate to have a binder call with Lights Hal 
This allows dumpstate to have a binder call with Lights
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: Iec081b1069b2569c68b72ff009f12018c946a0a8
 2020-12-08 22:51:16 -08:00
Manjunatha Ramachandra
06bbb12f3f sepolicy: updating label on read_ahead_kb nodes 
Removing read_ahead_kb nodes from sysfs_mmc_host
node. And adding sysfs_dm to perf hal and
init_shell files' allow list.
This change is being made inorder to address
the bugnizer 161927268 for legacy msm8937_32go platforms.

CRs-Fixed: 2826612
Change-Id: I190b9891eaf52fc4eb7d4fd73567572101ee288e
 2020-12-02 23:27:09 -08:00
Himanshu Agrawal
7cde36f779 Add sepolices to update engine domain. 
While applying OTA update package, update engine
    loops through partitions entries/mountpoints.
    Add few policies and supress the dac ones.

- Allow update_engine to access recovery partition for OTA
- Allow update engine to access to metadata_file.
    With virtual-ab feature, update engine needs access
    to metadata_file, allow the same.

Change-Id: I07636f79870594a07755c54e55b5b6846e53c2e9
 2020-12-01 06:08:31 -08:00
Eruvaram Kumar Raja Reddy
f997082943 sepolicy: adding vendor prefix to avoid naming colision 
Update legacy properties with vendor prefix to void VTS failure
due to API30 changes

CRs-Fixed: 2825382

Change-Id: I39a5de4ad6450d805bf74e88aabc38c8347d89a4
 2020-11-30 17:01:29 +05:30
Himanshu Agrawal
9871e2edb6 Allow vendor_init to set ubwc property 
vendor.video.disable.ubwc is added to /vendor/build.prop,
allowing vendor_init to set this property to ensure the
property can be read by mm-video and through getprop

Change-Id: I99f658ea60cb83d4ebea6709db27e93166ad0667
 2020-11-27 11:51:38 +05:30
Milap Gajjar
2ef09c6613 genfs_context: Enabling Vibrator for msm8998 
Sepolicy: Added Access permission for vibrator

Change-Id: I38017a3641c84aa570d53c1e339082bc781c5187
CRs-Fixed: 2810219
 2020-11-24 20:36:33 -08:00
qctecmdr
aa7d66b220 Merge "genfs_context: Enabling Vibrator for sdm660" 2020-11-24 03:02:24 -08:00
Jeya R
29b1061aaa sepolicy: Add permissions in init for vendor_adsprpc_prop 
Add permissions in init shell to modify vendor_adsprpc_prop.
Change-Id: I5a4dcbf54686c3add9fa0756aff7bb694d96adcb
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
 2020-11-18 15:22:36 +05:30
Mandeep Singh
3de9ff4499 genfs_context: Enabling Vibrator for sdm660 
Sepolicy: Added Access permission for vibrator

Change-Id: I7152a77d676c8b97bd5da1f5c86446f42ac65c97
CRs-Fixed: 2810635
 2020-11-03 09:37:37 +05:30
Shawn Shin
ce33f422e7 sepolicy:qcc add to legacy 
Change-Id: I7031cd4070c478f1fccfe8e0b1e7053d6c57c36e
 2020-10-30 16:10:52 -07:00
qctecmdr
758b6d2b99 Merge "sepolicy: align fst-manager and wigig legacy rules" 2020-10-29 23:51:22 -07:00
qctecmdr
887dc95b06 Merge "sepolicy: allow block_suspend deniel for lmkd" 2020-10-28 00:12:18 -07:00
Dedy Lansky
046ff067d0 sepolicy: align fst-manager and wigig legacy rules 
Add legacy rules for enabling fst-manager to act
as a HAL service, and allow fst-manager and wigig
framework to access the capability config store.
These rules were missing in the legacy folder and
copied from the qva rules since there are still
platforms that need them.

Change-Id: I7a08bec9f3f84599a6392e8a5bd22c26e28e00a3
 2020-10-27 22:53:42 -07:00
Himanshu Agrawal
21fbe23415 sepolicy: allow block_suspend deniel for lmkd 
Avoid below deniel for lmkd:
avc: denied{ block_suspend }for comm="lmkd" capability=36
scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability2
permissive=0.

Change-Id: I332281110d4fa1fa208349a302fdc33a3a40d8ef
 2020-10-27 22:31:24 -07:00
Arvind Kumar
7af4487b0c Add file context for Light AIDL HAL Service 
Change-Id: I1e5a79a5846910f90362d97899e5fc0d7dbfadbb
 2020-10-27 00:54:23 -07:00
Ankur Sharma
ae9d933056 Sepolicy denials xtra for legacy R targets 
- Fix sepolicy denial when xtra-daemon access the cacert
service.
- Allow location clientdomain to perform binder IPC to
qtidataservices_app serverdomain.

Change-Id: I0aae254fb4b4a67336d67f96856a2cf0d70954fc
CRs-Fixed: 2778560
 2020-10-21 07:34:12 -07:00
c_gopir
7dff049400 Sepolicy : Add power AIDL to context 
Add power HAL exec to file contexts

Change-Id: Ib97298e739f030454256c88f78e6862c2f4838bb
 2020-10-19 21:44:18 -07:00
qctecmdr
1e9503d754 Merge "sepolicy: Add video property to get permission" 2020-10-15 22:17:56 -07:00
Milap Gajjar
78877b8b75 msm8998 inital bringup with enforce mode 
Change-Id: If8164daa32ca0ba796a4bf78e9c450ce1669b509
 2020-10-15 01:56:39 -07:00
Paras Nagda
44e4db86e8 sepolicy: Add video property to get permission 
Allow Zygote to read video property

Change-Id: Iac936e84549cde02e2b87309f32cdbd2d8a0fe5f
 2020-10-14 06:30:06 -07:00
Milap Gajjar
ef77a8cdd5 sdm660: Initial bring up sepolicy changes 
Change-Id: Ifa42b7bebd66884698697fecc538f1ff6057519d
 2020-10-14 03:27:54 -07:00
Paras Nagda
5bc47cdaf0 sepolicy: Add video property get permission 
Allow mediaserver to read video sys property

Change-Id: Id09d5fbcbacbba3130ca9d7759ff67ade3a839b3
 2020-10-06 22:26:31 -07:00
qctecmdr
b22751353a Merge "sepolicy: add policies for DSP HAL manager" 2020-09-30 00:50:57 -07:00
Jiten Patel
c4f5909333 sepolicy: Policy fix for rpmb partition 
On 4.19 kernel, due to upstream commit <97548575be>
(mmc: block: Convert RPMB to a character device),
Block device design for RPMB is now changed to char device.
This change add required permissions for qseecom daemon to
be able to access new device design for RPMB eMMC device.

Change-Id: I77a4ffc2107e61f66fe75cd2ccdc4d8da2685523
 2020-09-26 17:09:23 +05:30
Karthik Gopalan
bc3a9ace81 sepolicy: Add policies for beluga properties 
Add policies for beluga properties

Change-Id: I25283d9148166ad158181efddebd61277eebf8cb
 2020-09-24 01:36:11 -07:00
qctecmdr
e40220732a Merge "sepolicy: Allow all app domains to search sysfs_kgsl" 2020-09-23 01:51:40 -07:00
Vamsi Krishna Gattupalli
fa6d5b4fdc sepolicy: add policies for DSP HAL manager 
Add DSP HAL manager related attributes and policies. Allow untrusted
shell apps and APKs to be a client of the DSP HAL server. Mark the
DSP HAL interface library as same process HAL.

Change-Id: I7b2e5c716c6191d480d26d39a3adf188dc3aefb3
 2020-09-22 10:52:41 +05:30
Murthy Nidadavolu
8d4a25335b sepolicy: Updating sepolicy for DRM HAL 
Adding 1.3 drm HAL to file_contexts.

Change-Id: I59f87fb9eb4a1605cf299a973986164f6761dab2
 2020-09-18 13:39:59 +05:30
qctecmdr
ee00935244 Merge "sepolicy: Update thermal-engine sepolicy rules for legacy vendor file" 2020-09-16 03:30:27 -07:00
Nilesh Gharde
07cedab877 Sepolicy denials for location on legacy R targets 
Fix for denial when xtra-demon trying getting
qccsyshal service  instance

Change-Id: I522531dee26dd5ee426a7ae966e49a0a4e685481
CRs-fixed: 2765244
 2020-09-15 11:55:49 +05:30
Asha Magadi Venkateshamurthy
7ef030e945 sepolicy: Update thermal-engine sepolicy rules for legacy vendor file 
Update legacy thermal-engine sepolicy rule for SDM660 target by adding
access of sysfs nodes of thermal devices, kgsl and devfreq by adding
sepolicy rules.

Change-Id: I49c511d2dbc67169daa937102d58839eb799b977
 2020-09-14 12:14:23 +05:30
qctecmdr
7036682bb5 Merge "sepolicy: add support for separate dcvs script for sdm660" 2020-09-04 05:32:35 -07:00
Asha Magadi Venkateshamurthy
c7c8131f02 sepolicy: add support for separate dcvs script for sdm660 
Give sepolicy permission to dcvs node used to set
memlat parameters.

Change-Id: Iadddf5d11375a6d7cc48d523ed8c44baf4643be1
 2020-09-04 10:55:17 +05:30
Bharat Pawar
b4ca9cb07f sepolicy: Allow all app domains to search sysfs_kgsl 
Fixing below avc denails
type=1400 audit(0.0:86144): avc: denied { search } for
name="kgsl-3d0" dev="sysfs" ino=43551 scontext=u:r:mediaswcodec:s0

Change-Id: Ibf7a9a231119c23c4830538323587edbe95150a2
 2020-09-03 19:15:02 +05:30
Bharat Pawar
90dc370d64 sepolicy: Adding rules for servicetracker HAL for legacy target. 
Also adding file_context for servicetracker V1.2
Change-Id: I7145f86093c954376e6dd8bbcd8f6d2e6005a981
 2020-09-03 17:47:59 +05:30
Bharat Pawar
3bdddf83fd sepolicy: Add label for vibrator AIDL HAL service 
Add selinux label for vibrator AIDL HAL service
so that it can accessthe vibrator device correctly.

Change-Id: I6486b6cf399ce60a671b187c624993820c6f246c
 2020-08-21 15:48:02 +05:30
qctecmdr
f95a6b8611 Merge "perf: Fix sepolicy errors during boot" 2020-08-13 07:28:05 -07:00
qctecmdr
33281c7bda Merge "Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0" 2020-08-13 05:34:25 -07:00
qctecmdr
3c94562422 Merge "sepolicy: Remove all qssi specific WFD sepolicy change" 2020-08-13 03:40:25 -07:00
Shashi Shekar Shankar
ded4b6e973 perf: Fix sepolicy errors during boot 
Fix sepolicy errors on legacy targets.

Change-Id: Ia491e7e3330243d3ec70fba97c3beafc65f93afc
 2020-08-12 19:57:11 -07:00
Pavan Kumar M
b7b9097e20 sepolicy: Add sepolicy rules for IImsFactory HAL for legacy targets 
Change-Id: I371457018f309bb3a23138ac8d71d4628430f69e
 2020-08-07 04:26:38 -07:00
Rajeswari N
ae41118035 sepolicy: Add perf 2.2 hal 
Support for perf HAL 2.2 uprev

Change-Id: Ia6abea00751494803bf78839ef96608dfbc9b09d
 2020-08-04 15:15:36 +05:30
Shivam Agrawal
ff436b9716 Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0 
- WFD sepolicy fix.

Change-Id: I1000b0277318ca7439a5bb177787dffe8d51b7c9
 2020-07-29 14:10:43 +05:30
qctecmdr
d580bc7940 Merge "Allow BT LAZY HAL serivce to access bluetooth hal" 2020-07-28 08:46:15 -07:00
qctecmdr
8e93513c1d Merge "sepolicy: Add interface entry for Legacy HAL" 2020-07-28 06:48:53 -07:00
Bharat Pawar
b98304acab Allow BT LAZY HAL serivce to access bluetooth hal 
BT lazy service is a new shared object on go targets
which requires to access BT HAL.

Change-Id: I5b4248a35c52211e03da9f0f9410d967e2b2c602
 2020-07-22 22:54:28 +05:30
Tapas Dey
c6aece100b sepolicy: Add interface entry for Legacy HAL 
Added INxpNfcLegacy HAL interface entry
for Legacy HAL.

Change-Id: I8e241a7f13ce5d6431a47c3084384af6c0291cba
 2020-07-22 14:08:54 +05:30
Shivam Agrawal
05ae9e6df9 sepolicy: Remove all qssi specific WFD sepolicy change 
- revert all qssi specific WFD sepolicy changes on 6.0.c2
  to port WFD sepolicy changes from sepolicy.lnx.5.0

Change-Id: I22e335471e2877ce1c3fd24c1997ae037c4f38df
 2020-07-16 19:57:37 +05:30
Rajeswari N
5bab8c4b02 sepolicy: sepolicy changes for perf HAL Uprev 
Perf Hal Uprev 2.1 support added and IPerfcallback HAL added

Change-Id: Icd1cfba45e2a118de9a1944e6d9709ae458b9015
 2020-07-16 00:04:44 -07:00
Rajshekar Eashwarappa
dbb48aa54b SEPolicy: Adding sdm660 policies 
Change-Id: I71b5ec869475846e0c7b8f3ba00f6a018a631a50
 2020-07-10 01:00:59 -07:00
himta ram
10a90a8e77 sepolicy: add sepolicy rules for pronto based targets 
Add sepolicy rule for pronto based targets.

CRs-Fixed: 2724004
Change-Id: I64804f3dd532934d314cb5731fc7f1633d13a236
 2020-07-02 14:00:32 +05:30
qctecmdr
a55d07264e Merge "sepolicy: Adding vendor_qti_init_shell label to legacy" 2020-07-01 09:29:09 -07:00
qctecmdr
a123f4808c Merge "Remove QtiTetherService references" 2020-07-01 09:23:48 -07:00
Pavan Kumar M
5cffcfdf15 Remove QtiTetherService references 
QtiTetherService is not used anymore, remove all
the existing references

Change-Id: I9cf47507686907d29faef44c65d6e30dd584f19c
CRs-Fixed: 2710079
 2020-06-15 10:21:25 +05:30
Udipto Goswami
12fed7ec7d sepolicy: Adding vendor_qti_init_shell label to legacy 
There are some targets which uses legacy sepolicy but
USB uses vendor_qti_init_shell label for its rc file
execution which causes a mismatch as legacy uses
qti_init_shell. This stop the USB rc file from
executing the command for calling the script file
responsible for setting the composition.
Ultimately setting the default value which is adb
on bootup instead of default composition.

Fix this by setting an alias as vendor_qti_init_shell
in legacy sepolicy for qti_init_shell allowing USB
to use vendor label.

Change-Id: Ia8953ed61bb1b87d01b17d02fc7e4bf4b86e66eb
Signed-off-by: Udipto Goswami <ugoswami@codeaurora.org>
 2020-06-12 04:00:05 -07:00
Bharat Pawar
5fb71e0e4a sepolicy: Pick legacy sepolicies for 8953/37 targets 
Pick legacy sepolicy rules instaed of qva for 8953 and
8937 targets.

Change-Id: I509de01be51f1fc19ac3e1f49ffcf3f547c70457
 2020-06-12 14:25:51 +05:30
Bharat Pawar
327503aee9 sepolicy: Add support for 8937 and 8953 targets 
Change-Id: I22d8f079acfc59c16adb66e46755157b7c61a6bd
 2020-06-05 16:27:16 +05:30
650 changed files with 3637 additions and 19989 deletions
Expand all files Collapse all files

1
.gitupstream Normal file
View File

@@ -0,0 +1 @@
https://git.codelinaro.org/clo/la/device/qcom/sepolicy

67
SEPolicy.mk
View File

@@ -1,20 +1,21 @@
# Board specific SELinux policy variable definitions
ifeq ($(call is-vendor-board-platform,QCOM),true)
SEPOLICY_PATH:= device/qcom/sepolicy
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/generic/public
SEPOLICY_PATH:= device/qcom/sepolicy-legacy-um
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/public \
$(SEPOLICY_PATH)/generic/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/private
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/qva/public
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/qva/public \
$(SEPOLICY_PATH)/qva/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/qva/private
#once all the services are moved to Product /ODM above lines will be removed.
@@ -29,44 +30,26 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS := \
$(SEPOLICY_PATH)/generic/product/private \
$(SEPOLICY_PATH)/qva/product/private
ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/generic/vendor/common \
$(SEPOLICY_PATH)/qva/vendor/common/sysmonapp \
$(SEPOLICY_PATH)/qva/vendor/ssg \
$(SEPOLICY_PATH)/qva/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
else
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
endif
endif
ifneq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
ifneq (,$(filter sdm660 msm8937 msm8953 msm8996 msm8998, $(TARGET_BOARD_PLATFORM)))
BOARD_VENDOR_SEPOLICY_DIRS := \
$(BOARD_VENDOR_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/legacy/vendor/common/sysmonapp \
$(SEPOLICY_PATH)/legacy/vendor/ssg \
$(SEPOLICY_PATH)/legacy/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_BOARD_PLATFORM)
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_BOARD_PLATFORM)
else
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test
endif
ifneq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/common/debugfs
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test/debugfs
endif
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test
endif
endif
-include device/lineage/sepolicy/qcom/sepolicy.mk

1
generic/private/dataservice_app.te
View File

@@ -26,6 +26,7 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute vendor_dataservice_app coredomain;
typeattribute vendor_dataservice_app mlstrustedsubject;
app_domain(vendor_dataservice_app)
net_domain(vendor_dataservice_app)

2
generic/private/file_contexts
View File

@@ -28,3 +28,5 @@
/data/misc/seemp(/.*)? u:object_r:vendor_seemp_data_file:s0
/(product|system/product)/etc/init\.qcom\.testscripts\.sh u:object_r:qti-testscripts_exec:s0
/storage/emulated(/.*)? u:object_r:media_rw_data_file:s0

6
generic/private/property_contexts
View File

@@ -27,3 +27,9 @@
ro.vendor.qti.va_aosp.support u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.qti.va_odm.support u:object_r:vendor_exported_odm_prop:s0 exact bool
ro.vendor.perf.scroll_opt u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.perf.scroll_opt.heavy_app u:object_r:vendor_exported_system_prop:s0 exact int
ro.netflix.bsp_rev u:object_r:vendor_exported_system_prop:s0 exact string
# Beluga
ro.vendor.beluga. u:object_r:vendor_exported_system_prop:s0

27
qva/private/qcc_app.te → generic/private/qcc_app.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
# Copyright (c) 2020, 2021 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -30,19 +30,9 @@ app_domain(vendor_qcc_app)
net_domain(vendor_qcc_app)
binder_use(vendor_qcc_app)
# allow invoking activity and access app content to vendor_qcc_app
#allow vendor_qcc_app { activity_service content_service }:service_manager find;
# allow display service to vendor_qcc_app
#allow vendor_qcc_app { display_service }:service_manager find;
# allow access to wifi and data network to vendor_qcc_app
#allow vendor_qcc_app { connectivity_service network_management_service }:service_manager find;
# allow access telephony service info to vendor_qcc_app
#allow vendor_qcc_app { radio_service registry_service }:service_manager find;
hal_client_domain(vendor_qcc_app, vendor_qccsyshal);
allow vendor_qcc_app radio_service:service_manager find;
# allow acquire wakelock to vendor_qcc_app
#allow vendor_qcc_app { power_service }:service_manager find;
# allow to load native library
#allow vendor_qcc_app { mount_service }:service_manager find;
# for vendor_perf_service
allow vendor_qcc_app app_api_service:service_manager find;
@@ -52,14 +42,13 @@ allow vendor_qcc_app vendor_qcc_data_file:file create_file_perms;
# allow access to socket
unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_dpmd)
# allow access to mediadrmserver for qdmastats/wvstats
allow vendor_qcc_app mediadrmserver_service:service_manager find;
# allow vendor_qcc_app to access system_app_data_file
# necessary for read and write /data/data subdirectory.
allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_app system_app_data_file:file create_file_perms;
# allow vendor_qcc_app to access app_data_file
# necessary for read and write /data/user_de/0/ subdirectory.
allow vendor_qcc_app app_data_file:dir create_dir_perms;
allow vendor_qcc_app app_data_file:file create_file_perms;
# allow cgroup access
allow vendor_qcc_app cgroup:file rw_file_perms;
@@ -70,3 +59,5 @@ allow vendor_qcc_app mediametrics_service:service_manager find;
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
allow vendor_qcc_app vendor_qcc_app_socket:dir rw_dir_perms;
allow vendor_qcc_app vendor_qcc_app_socket:sock_file create_file_perms;

14
qva/vendor/common/bluetooth.te → generic/private/qcc_authmgr_app.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,11 +25,11 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#allow bluetooth to access btconfigstore hal
hal_client_domain(bluetooth, vendor_hal_btconfigstore);
typeattribute vendor_qcc_authmgr_app coredomain;
#allow bluetooth to access perf hal
hal_client_domain(bluetooth, vendor_hal_perf);
app_domain(vendor_qcc_authmgr_app)
binder_use(vendor_qcc_authmgr_app)
#allow bluetooth to access bluetooth_dun hal
hal_client_domain(bluetooth, vendor_hal_bluetooth_dun);
hal_client_domain(vendor_qcc_authmgr_app, vendor_hal_qccvndhal);
hal_client_domain(vendor_qcc_authmgr_app, vendor_hal_perf);
allow vendor_qcc_authmgr_app {app_api_service}:service_manager find;

59
generic/vendor/common/port-bridge.te → generic/private/qcc_lmtp_app.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2017-2020, 2021 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,31 +24,38 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_port-bridge, domain;
type vendor_port-bridge_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_port-bridge)
userdebug_or_eng(`
domain_auto_trans(shell, vendor_port-bridge_exec, vendor_netmgrd)
#domain_auto_trans(adbd, vendor_port-bridge_exec, netmgrd)
diag_use(vendor_port-bridge)
typeattribute vendor_qcc_lmtp_app mlstrustedsubject;
app_domain(vendor_qcc_lmtp_app)
net_domain(vendor_qcc_lmtp_app)
binder_use(vendor_qcc_lmtp_app)
hal_client_domain(vendor_qcc_lmtp_app, vendor_hal_perf);
allow vendor_qcc_lmtp_app {activity_service}:service_manager find;
allow vendor_qcc_lmtp_app location_service:service_manager find;
allow vendor_qcc_lmtp_app app_api_service:service_manager find;
# for vendor_perf_service
allow vendor_qcc_lmtp_app vendor_perf_service:service_manager find;
# allow access to socket
unix_socket_connect(vendor_qcc_lmtp_app, vendor_dpmtcm, vendor_dpmd)
# allow access to qcc dropbox
allow vendor_qcc_lmtp_app vendor_qcc_data_file:dir create_dir_perms;
allow vendor_qcc_lmtp_app vendor_qcc_data_file:file create_file_perms;
# allow vendor_qcc_lmtp_app to access system_app_data_file
# necessary for read and write /data/data subdirectory
allow vendor_qcc_lmtp_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_lmtp_app system_app_data_file:file create_file_perms;
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
unix_socket_connect(vendor_qcc_lmtp_app, vendor_qcc_app, vendor_qcc_app)
allow vendor_qcc_lmtp_app vendor_qcc_app_socket:dir rw_dir_perms;
allow vendor_qcc_lmtp_app vendor_qcc_app_socket:sock_file create_file_perms;
allow vendor_qcc_lmtp_app app_api_service:service_manager find;
')
# Allow operations on different types of sockets
allow vendor_port-bridge vendor_port-bridge:netlink_kobject_uevent_socket { create bind read };
allow vendor_port-bridge {
# Allow operations on mhi transport
vendor_mhi_device
# Allow operations on ATCoP g-link transport
vendor_at_device
}:chr_file rw_file_perms;
#access ipa sysfs node
allow vendor_port-bridge vendor_sysfs_data:file r_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:file create_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:sock_file create_file_perms;

19
generic/vendor/common/power_off_alarm.te → generic/private/qcc_netstat_app.te Executable file → Normal file
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2017-2019 Linux Foundation. All rights reserved.
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,14 +25,15 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_power_off_alarm, domain;
type vendor_power_off_alarm_exec, exec_type, vendor_file_type, file_type;
typeattribute vendor_qcc_netstat_app coredomain;
init_daemon_domain(vendor_power_off_alarm)
app_domain(vendor_qcc_netstat_app)
net_domain(vendor_qcc_netstat_app)
binder_use(vendor_qcc_netstat_app)
allow vendor_power_off_alarm rtc_device:chr_file r_file_perms;
allow vendor_power_off_alarm kmsg_device:chr_file w_file_perms;
hal_client_domain(vendor_qcc_netstat_app, vendor_hal_qccvndhal);
hal_client_domain(vendor_qcc_netstat_app, vendor_hal_perf);
allow vendor_qcc_netstat_app {app_api_service}:service_manager find;
allow vendor_power_off_alarm self:capability2 wake_alarm;
set_prop(vendor_power_off_alarm, powerctl_prop)
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
unix_socket_connect(vendor_qcc_netstat_app, vendor_qcc_app, vendor_qcc_app)

0
qva/private/qcc_trd.te → generic/private/qcc_trd.te
View File

3
qva/private/qcc_utils_app.te → generic/private/qcc_utils_app.te
View File

@@ -25,7 +25,8 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_utils_app, domain, coredomain;
typeattribute vendor_qcc_utils_app mlstrustedsubject;
app_domain(vendor_qcc_utils_app)
net_domain(vendor_qcc_utils_app)
binder_use(vendor_qcc_utils_app)

7
generic/private/qtelephony.te
View File

@@ -32,7 +32,12 @@ app_domain(vendor_qtelephony)
hwbinder_use(vendor_qtelephony);
get_prop(vendor_qtelephony, hwservicemanager_prop);
add_hwservice(vendor_qtelephony, vendor_hal_atfwd_hwservice);
userdebug_or_eng(`
hal_client_domain( vendor_qtelephony, vendor_hal_diaghal)
')
allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;
allow vendor_qtelephony system_api_service:service_manager find;
allow vendor_qtelephony app_api_service:service_manager find;
hal_client_domain(vendor_qtelephony, hal_telephony)

2
generic/private/qti-testscripts.te
View File

@@ -95,4 +95,6 @@ userdebug_or_eng(`
binder_call(platform_app, qti-testscripts)
binder_call(system_app, qti-testscripts)
# allow lmkd to kill tasks with positive oom_score_adj under memory pressure
allow lmkd qti-testscripts:process { setsched sigkill };
')

8
generic/vendor/common/hal_light.te → generic/private/radio.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,5 +24,7 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_light vendor_sysfs_graphics:dir search;
allow hal_light vendor_sysfs_graphics:file rw_file_perms;
hwbinder_use(radio)
allow radio mediaextractor_service:service_manager find;
add_hwservice(radio, vendor_hal_atfwd_hwservice);

9
generic/private/seapp_contexts
View File

@@ -28,3 +28,12 @@
#Add new domain for DataServices
# Needed for CNEService , uceShimService and other connectivity services
user=radio seinfo=platform name=.dataservices domain=vendor_dataservice_app type=radio_data_file
# AtFwd app
user=_app seinfo=platform name=com.qualcomm.telephony domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=vendor_qtelephony type=app_data_file levelFrom=all

1
generic/private/service_contexts
View File

@@ -26,3 +26,4 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
cneservice u:object_r:vendor_cne_service:s0
com.qualcomm.qti.ustaservice.USTAServiceImpl u:object_r:vendor_usta_app_service:s0
vendor.qti.hardware.radio.atcmdfwd.IAtCmdFwd/AtCmdFwdAidl u:object_r:radio_service:s0

3
generic/product/private/file_contexts
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/(product|system/product)/bin/init\.qti\.display\.sh u:object_r:vendor_sys_qti_display_exec:s0

3
generic/product/private/property_contexts
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019 The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vendor.display.disable_rounded_corner u:object_r:vendor_display_notch_prop:s0

16
qva/vendor/common/mmi_sys.te → generic/product/private/qti-display.te Executable file → Normal file
View File

@@ -1,5 +1,5 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
@@ -12,7 +12,7 @@
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
@@ -25,12 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#mmi_sys basic
r_dir_file(vendor_mmi_sys, vendor_sysfs_graphics)
type vendor_sys_qti_display_exec, system_file_type, exec_type, file_type;
hal_client_domain(vendor_mmi_sys, vendor_hal_factory_qti);
#diag
userdebug_or_eng(`
diag_use(vendor_mmi_sys)
typeattribute vendor_sys_qti_display coredomain;
init_daemon_domain(vendor_sys_qti_display)
set_prop(vendor_sys_qti_display, vendor_display_notch_prop)
')

1
generic/product/private/systemhelper_app.te
View File

@@ -36,3 +36,4 @@ allow vendor_systemhelper_app { activity_service trust_service surfaceflinger_se
allow vendor_systemhelper_app app_data_file:dir rw_dir_perms;
allow vendor_systemhelper_app thermal_service:service_manager find;
allow vendor_systemhelper_app vendor_perf_service:service_manager find;

4
generic/product/public/attributes
View File

@@ -28,7 +28,3 @@
attribute vendor_hal_systemhelper;
attribute vendor_hal_systemhelper_client;
attribute vendor_hal_systemhelper_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

4
generic/product/public/property.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
product_restricted_prop(vendor_display_notch_prop)

9
qva/vendor/test/vendor_cta_app.te → generic/product/public/qti-display.te
View File

@@ -25,11 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This domain is for pdt apps and should always be in
# userdebug_or_eng macro
type vendor_sys_qti_display, domain, mlstrustedsubject;
#============= vendor_sys_qti_display ==============
userdebug_or_eng(`
type vendor_cta_app, domain;
app_domain(vendor_cta_app);
permissive vendor_cta_app;
allow vendor_sys_qti_display shell_exec:file rx_file_perms;
allow vendor_sys_qti_display toolbox_exec:file rx_file_perms;
')

18
generic/vendor/common/attributes → generic/public/attribute/attributes
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -59,3 +59,19 @@ attribute vendor_hal_capabilityconfigstore_qti_server;
attribute vendor_hal_dataconnection_qti;
attribute vendor_hal_dataconnection_qti_client;
attribute vendor_hal_dataconnection_qti_server;
attribute vendor_hal_embmssl;
attribute vendor_hal_embmssl_client;
attribute vendor_hal_embmssl_server;
attribute vendor_hal_dspmanager;
attribute vendor_hal_dspmanager_client;
attribute vendor_hal_dspmanager_server;
attribute vendor_hal_diaghal;
attribute vendor_hal_diaghal_client;
attribute vendor_hal_diaghal_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

0
qva/public/qcc_app.te → generic/public/qcc_app.te
View File

28
generic/public/qcc_authmgr_app.te Normal file
View File

@@ -0,0 +1,28 @@
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_authmgr_app, domain;

4
legacy/vendor/sdm710/device.te → generic/public/qcc_lmtp_app.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
# Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_lmtp_app, domain, coredomain;

28
generic/public/qcc_netstat_app.te Normal file
View File

@@ -0,0 +1,28 @@
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_netstat_app, domain;

0
qva/public/qcc_trd.te → generic/public/qcc_trd.te
View File

4
legacy/vendor/sdm845/device.te → generic/public/qcc_utils_app.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
# Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_utils_app, domain, coredomain;

38
generic/vendor/common/app.te vendored
View File

@@ -1,38 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow all apps to open and send ioctl to qdsp device
allow appdomain vendor_qdsp_device:chr_file r_file_perms;
# For the camera app
get_prop(appdomain, vendor_camera_prop)
#Allow all apps to have read access to vendor_adsprpc_prop
get_prop(appdomain, vendor_adsprpc_prop)
# Allow all apps to open and send ioctl to npu device
allow appdomain vendor_npu_device:chr_file r_file_perms;

43
generic/vendor/common/atfwd.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_atfwd, domain;
type vendor_atfwd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_atfwd)
allow vendor_atfwd self:socket create_socket_perms;
allow vendor_atfwd self:qipcrtr_socket create_socket_perms_no_ioctl;
allowxperm vendor_atfwd self:socket ioctl msm_sock_ipc_ioctls;
binder_call(vendor_atfwd, system_app);
r_dir_file(vendor_atfwd, vendor_sysfs_data);
set_prop(vendor_atfwd, vendor_radio_prop)
hwbinder_use(vendor_atfwd)
get_prop(vendor_atfwd, hwservicemanager_prop)

39
generic/vendor/common/audioadsprpcd.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_audioadsprpcd, domain;
type vendor_audioadsprpcd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_audioadsprpcd)
allow vendor_audioadsprpcd ion_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_xdsp_device:chr_file r_file_perms;
r_dir_file(vendor_audioadsprpcd, adsprpcd_file)
get_prop(vendor_audioadsprpcd, vendor_adsprpc_prop)
allow vendor_audioadsprpcd mnt_vendor_file:dir r_dir_perms;

29
generic/vendor/common/bluetooth.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
get_prop(bluetooth, vendor_bluetooth_prop)

41
generic/vendor/common/cameraserver.te vendored
View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow cameraserver gpu_device:chr_file rw_file_perms;
get_prop(cameraserver, vendor_camera_prop)
allow cameraserver vendor_sysfs_camera:file r_file_perms;
allow cameraserver vendor_sysfs_camera:dir search;
allow cameraserver system_file:dir r_dir_perms;
allow cameraserver system_server:unix_stream_socket { read write };
# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
binder_call(cameraserver, mediacodec)
#allow cameraserver to read adsprpc_prop
get_prop(cameraserver, vendor_adsprpc_prop)

47
generic/vendor/common/cdsprpcd.te vendored
View File

@@ -1,47 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# vendor_cdsprpcd daemon
type vendor_cdsprpcd, domain;
type vendor_cdsprpcd_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_cdsprpcd)
# For reading dir/files on /dsp
r_dir_file(vendor_cdsprpcd, adsprpcd_file)
# For reading adsprpc_prop
get_prop(vendor_cdsprpcd, vendor_adsprpc_prop)
allow vendor_cdsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd vendor_xdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd ion_device:chr_file r_file_perms;
r_dir_file(vendor_cdsprpcd, vendor_sysfs_devfreq)
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:dir r_dir_perms;
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:file rw_file_perms;

37
generic/vendor/common/charger.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow charger self:capability2 wake_alarm;
r_dir_file(charger, vendor_sysfs_battery_supply)
r_dir_file(charger, vendor_sysfs_usb_supply)
allow charger {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
dontaudit charger device:dir r_dir_perms;
dontaudit charger self:capability sys_admin;

41
generic/vendor/common/chre.te vendored
View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
# the applications processor to interact CHRE
type vendor_chre, domain;
type vendor_chre_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_chre)
r_dir_file(vendor_chre, adsprpcd_file)
#allow vendor_chre to read adsprpc_prop
get_prop(vendor_chre, vendor_adsprpc_prop)
allow vendor_chre ion_device:chr_file r_file_perms;
allow vendor_chre vendor_qdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_xdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_dsp_device:chr_file r_file_perms;

86
generic/vendor/common/cnd.te vendored
View File

@@ -1,86 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_cnd, domain;
type vendor_cnd_exec, exec_type, vendor_file_type, file_type;
file_type_auto_trans(vendor_cnd, socket_device, vendor_cnd_socket);
# vendor_cnd is started by init, type transit from init domain to vendor_cnd domain
init_daemon_domain(vendor_cnd)
#communicating with QTI wlan driver for WFC/ VTiWLAN quality
allow vendor_cnd self:capability net_bind_service;
unix_socket_send(vendor_cnd, wpa, hal_wifi_supplicant)
allow vendor_cnd wpa_data_file:dir w_dir_perms;
allow vendor_cnd wpa_data_file:sock_file create_file_perms;
#allow processing of VoWifi indications from modem over QMI while dozing
allow vendor_cnd self:capability2 block_suspend;
allow vendor_cnd self:udp_socket create_socket_perms;
allow vendor_cnd self:{
# Allow receiving NETLINK responses from WLAN driver.
netlink_socket
netlink_generic_socket
qipcrtr_socket
} create_socket_perms_no_ioctl;
allowxperm vendor_cnd self:udp_socket ioctl SIOCGIFMTU;
allow vendor_cnd vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_cnd vendor_sysfs_data:file r_file_perms;
allow vendor_cnd proc_meminfo:file r_file_perms;
set_prop(vendor_cnd, vendor_cnd_prop)
# allow vendor_cnd to access vendor_cnd_data_file
allow vendor_cnd vendor_cnd_data_file:file create_file_perms;
allow vendor_cnd vendor_cnd_data_file:sock_file { unlink create setattr };
allow vendor_cnd vendor_cnd_data_file:dir rw_dir_perms;
# allow vendor_cnd to obtain wakelock
wakelock_use(vendor_cnd)
allow vendor_cnd vendor_ipa_vendor_data_file:dir r_dir_perms;
allow vendor_cnd vendor_ipa_vendor_data_file:file r_file_perms;
# To register vendor_cnd to hwbinder
add_hwservice(vendor_cnd, vendor_hal_datafactory_hwservice)
hwbinder_use(vendor_cnd)
get_prop(vendor_cnd, hwservicemanager_prop)
binder_call(vendor_cnd, vendor_dataservice_app)
binder_call(vendor_cnd, vendor_qtidataservices_app)
binder_call(vendor_cnd, vendor_ims)
binder_call(vendor_cnd, vendor_location)
r_dir_file(vendor_cnd, vendor_sysfs_ssr)
#diag
userdebug_or_eng(`
diag_use(vendor_cnd)
r_dir_file(vendor_cnd, vendor_sysfs_diag)
')

40
generic/vendor/common/dataservice_app.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
get_prop(vendor_dataservice_app, vendor_cnd_prop)
allow vendor_dataservice_app vendor_hal_imsrcsd_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_hal_datafactory_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_sysfs_data:file r_file_perms;
binder_call(vendor_dataservice_app, vendor_cnd)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_dataservice_app, vendor_hal_rcsservice)
hal_client_domain(vendor_dataservice_app , vendor_hal_perf)

68
generic/vendor/common/device.te vendored
View File

@@ -1,68 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ab_block_device, dev_type;
type vendor_at_device, dev_type;
type vendor_avtimer_device, dev_type;
type vendor_bt_device, dev_type;
type vendor_bu21150_device, dev_type;
type vendor_citadel_device, dev_type;
type vendor_custom_ab_block_device, dev_type;
type vendor_diag_device, dev_type, mlstrustedobject;
type vendor_dsp_device, dev_type;
type vendor_xdsp_device, dev_type;
type vendor_easel_device, dev_type;
type vendor_hbtp_device, dev_type;
type vendor_hvdcp_device, dev_type;
type vendor_ipa_dev, dev_type;
type vendor_latency_device, dev_type;
type vendor_limits_block_device, dev_type;
type vendor_modem_block_device, dev_type;
type vendor_modem_efs_partition_device, dev_type;
type vendor_mdtp_device, dev_type;
type vendor_persist_block_device, dev_type;
type vendor_vm_data_block_device, dev_type;
type vendor_qsee_ipc_irq_spss_device, dev_type;
type vendor_qdsp_device, dev_type, mlstrustedobject;
type vendor_ramdump_device, dev_type;
type vendor_ramdump_microdump_modem_device, dev_type;
type vendor_rmnet_device, dev_type;
type vendor_gpt_block_device, dev_type;
type vendor_ramdump_block_device, dev_type;
type vendor_rpmb_device, dev_type;
type vendor_seemplog_device, dev_type;
type vendor_sg_device, dev_type;
type vendor_bsg_device, dev_type;
type vendor_smd_device, dev_type;
type vendor_spcom_device, dev_type;
type vendor_ssd_block_device, dev_type;
type vendor_ssr_device, dev_type;
type vendor_synx_device, dev_type;
type vendor_wlan_device, dev_type;
type vendor_xbl_block_device, dev_type;
type vendor_uefi_block_device, dev_type;
type vendor_qce_device, dev_type;
type vendor_npu_device, dev_type;

37
generic/vendor/common/diag-router.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag-router, domain;
type vendor_diag-router_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
init_daemon_domain(vendor_diag-router)
allow vendor_diag-router functionfs:dir r_dir_perms;
allow vendor_diag-router functionfs:file rw_file_perms;
allow vendor_diag-router self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_diag-router vendor_mhi_diag_device:chr_file rw_file_perms;
allow { domain -coredomain -hal_configstore -vendor_init} vendor_diag-router:unix_stream_socket connectto;
')

70
generic/vendor/common/diag.te vendored
View File

@@ -1,70 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag, domain;
type vendor_diag_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
domain_auto_trans(shell, vendor_diag_exec, vendor_diag)
#domain_auto_trans(adbd, vendor_diag_exec, vendor_diag)
allow vendor_diag {
vendor_diag_device
devpts
tty_device
# allow access to qseecom for drmdiagapp
tee_device
}:chr_file rw_file_perms;
allow vendor_diag {
shell
su
}:fd use;
allow vendor_diag {
cgroup
fuse
vendor_persist_drm_file
}:dir create_dir_perms;
allow vendor_diag port:tcp_socket name_connect;
allow vendor_diag self:capability { setuid net_raw sys_admin setgid };
allow vendor_diag self:capability2 syslog;
allow vendor_diag self:tcp_socket { create connect setopt};
wakelock_use(vendor_diag)
allow vendor_diag kernel:system syslog_mod;
# allow drmdiagapp access to drm related paths
allow vendor_diag mnt_vendor_file:dir r_dir_perms;
r_dir_file(vendor_diag, vendor_persist_data_file)
# Write to drm related pieces of persist partition
allow vendor_diag vendor_persist_drm_file:file create_file_perms;
# For DiagExample daemon
init_daemon_domain(vendor_diag)
net_domain(vendor_diag)
allow vendor_diag fuse:dir r_dir_perms;
allow vendor_diag fuse:file r_file_perms;
r_dir_file(vendor_diag, storage_file)
r_dir_file(vendor_diag, mnt_user_file)
')

61
generic/vendor/common/domain.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow domain vendor_diag_device:chr_file rw_file_perms;
')
# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem
# to be created for memory tracking, the domain of
# the tracked process must have permission to search
# in /sys/kernel/debug/kgsl
allow domain vendor_debugfs_kgsl:dir search;
allow domain vendor_debugfs_ion:dir search;
get_prop(domain, vendor_gralloc_prop)
r_dir_file({domain - isolated_app}, vendor_sysfs_soc);
r_dir_file({domain - isolated_app}, vendor_sysfs_esoc);
r_dir_file({domain - isolated_app}, vendor_sysfs_ssr);
r_dir_file({domain - isolated_app}, sysfs_thermal);
get_prop(domain, vendor_public_vendor_default_prop)
dontaudit domain kernel:system module_request;
# For compliance testing test suite reads vendor_security_path_level
# Which is the public readable property “ ro.vendor.build.security_patch
get_prop(domain, vendor_security_patch_level_prop)
neverallow {
coredomain
-init
-ueventd
-vold
} vendor_persist_type: { dir file } *;
# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;

50
generic/vendor/common/fastbootd.te vendored
View File

@@ -1,50 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Allow fastbootd
recovery_only(`
allow fastbootd {
vendor_custom_ab_block_device
recovery_block_device
vendor_xbl_block_device
vendor_uefi_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
}:blk_file { rw_file_perms };
# Allow fastbootd to read /sys/class/power_supply directory
# and access to power supply, usb nodes.
allow fastbootd sysfs:dir r_dir_perms;
r_dir_file(fastbootd, vendor_sysfs_battery_supply)
r_dir_file(fastbootd, vendor_sysfs_usb_supply)
allow fastbootd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
')

52
generic/vendor/common/feature_enabler_client.te vendored
View File

@@ -1,52 +0,0 @@
# Copyright (c) 2019 - 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_feature_enabler_client, domain;
type vendor_feature_enabler_client_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_feature_enabler_client)
allow vendor_feature_enabler_client tee_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client ion_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client vendor_smcinvoke_device:chr_file rw_file_perms;
unix_socket_connect(vendor_feature_enabler_client , vendor_ssgtzd, vendor_ssgtzd)
# Allow read permission to /mnt/vendor/persist/vendor_feature_enabler_client/*
allow vendor_feature_enabler_client mnt_vendor_file:dir search;
r_dir_file(vendor_feature_enabler_client, vendor_persist_feature_enabler_file)
# Allow read permission to /mnt/vendor/persist/data/*
r_dir_file(vendor_feature_enabler_client, vendor_persist_data_file)
# Binder access for featenab_client.service
vndbinder_use(vendor_feature_enabler_client)
allow vendor_feature_enabler_client vendor_qfeatenab_client_service:service_manager { add find };
#Allow access to display services and graphics_device for DRM
allow vendor_feature_enabler_client vendor_qdisplay_service:service_manager find;
hal_client_domain(vendor_feature_enabler_client, hal_graphics_composer)
allow vendor_feature_enabler_client graphics_device:chr_file rw_file_perms;

210
generic/vendor/common/file.te vendored
View File

@@ -1,210 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sysfs_audio, fs_type, sysfs_type;
type vendor_sysfs_battery_supply, sysfs_type, fs_type;
type vendor_sysfs_bond0, fs_type, sysfs_type;
type vendor_sysfs_boot_adsp, sysfs_type, fs_type;
type vendor_sysfs_camera, sysfs_type, fs_type;
type vendor_sysfs_cpu_boost, fs_type, sysfs_type;
type vendor_sysfs_devfreq, fs_type, sysfs_type;
type vendor_sysfs_easel, sysfs_type, fs_type;
type vendor_sysfs_esoc, sysfs_type, fs_type;
type vendor_sysfs_fingerprint, sysfs_type, fs_type;
type vendor_sysfs_graphics, sysfs_type, fs_type;
type vendor_sysfs_kgsl, sysfs_type, fs_type;
type vendor_sysfs_kgsl_proc, sysfs_type, fs_type;
type vendor_hbtp_kernel_sysfs, sysfs_type, fs_type;
type vendor_sysfs_irqbalance, sysfs_type, fs_type;
type vendor_sysfs_laser, sysfs_type, fs_type;
type vendor_sysfs_mdss_mdp_caps, sysfs_type, fs_type;
type vendor_sysfs_devfreq_l3cdsp, fs_type, sysfs_type;
type vendor_sysfs_mmc_host, fs_type, sysfs_type;
type vendor_sysfs_msm_perf, fs_type, sysfs_type;
type vendor_sysfs_msm_power, fs_type, sysfs_type;
type vendor_sysfs_msm_stats, fs_type, sysfs_type;
type vendor_sysfs_msm_subsys_restart, sysfs_type, fs_type;
type vendor_sysfs_sensors, sysfs_type, fs_type;
type vendor_sysfs_sectouch, sysfs_type, fs_type;
type vendor_sysfs_soc, sysfs_type, fs_type;
type vendor_sysfs_scsi_host, fs_type, sysfs_type;
type vendor_sysfs_scsi_target, fs_type, sysfs_type;
type vendor_sysfs_slpi, fs_type, sysfs_type;
type vendor_sysfs_spmi_dev, sysfs_type, fs_type;
type vendor_sysfs_ssr, sysfs_type, fs_type;
type vendor_sysfs_ssr_toggle, sysfs_type, fs_type;
type vendor_sysfs_timestamp_switch, sysfs_type, fs_type;
type vendor_sysfs_touch, sysfs_type, fs_type;
type vendor_sysfs_uio_file, sysfs_type, fs_type;
type vendor_sysfs_usb_c, sysfs_type, fs_type;
type vendor_sysfs_usb_device, sysfs_type, fs_type;
type vendor_sysfs_usb_supply, sysfs_type, fs_type;
type vendor_sysfs_usbpd_device, sysfs_type, fs_type;
type vendor_sysfs_vadc_dev, sysfs_type, fs_type;
type vendor_sysfs_lcd, sysfs_type, fs_type;
type vendor_sysfs_adsp_ssr, sysfs_type, fs_type;
type vendor_debugfs_clk, debugfs_type, fs_type;
type vendor_debugfs_ion, debugfs_type, fs_type;
type vendor_debugfs_ipc, debugfs_type, fs_type;
type vendor_debugfs_kgsl, debugfs_type, fs_type;
type vendor_debugfs_rpm, debugfs_type, fs_type;
type vendor_debugfs_rmt_storage, debugfs_type, fs_type;
type vendor_debugfs_usb, debugfs_type, fs_type;
type vendor_debugfs_wlan, debugfs_type, fs_type;
type vendor_debugfs_mdp, debugfs_type, fs_type;
type vendor_debugfs_icnss, debugfs_type, fs_type;
# /proc
type vendor_proc_wifi_dbg, fs_type, proc_type;
type vendor_proc_audiod, fs_type, proc_type;
type vendor_proc_shs, fs_type, proc_type;
type vendor_qmuxd_socket, file_type;
type vendor_netmgrd_socket, file_type;
type vendor_port-bridge_socket, file_type;
type vendor_thermal_socket, file_type;
#Define the qti socket type
type vendor_dataqti_socket, file_type;
type vendor_ims_socket, file_type;
type vendor_ipacm_socket, file_type;
type vendor_cnd_socket, file_type;
type vendor_chre_socket, file_type;
type vendor_hal_bootctl_socket, file_type;
type vendor_location_socket, file_type;
type vendor_wifihal_socket, file_type;
type vendor_pps_socket, file_type;
# imshelper_app file types
type vendor_imshelper_app_data_file, file_type, data_file_type;
type firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_cnd_data_file, file_type, data_file_type;
type vendor_location_data_file, file_type, data_file_type;
type vendor_audio_data_file, file_type, data_file_type;
type vendor_radio_data_file, file_type, data_file_type;
type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
# for mount /persist
typeattribute mnt_vendor_file vendor_persist_type;
type vendor_persist_file, file_type, vendor_persist_type;
type vendor_persist_data_file, file_type , vendor_persist_type;
type vendor_persist_display_file, file_type;
type vendor_persist_drm_file, file_type, vendor_persist_type;
type vendor_persist_elabel_file, file_type, vendor_persist_type;
type vendor_persist_haptics_file, file_type, vendor_persist_type;
type vendor_persist_rfs_file, file_type, vendor_persist_type;
type vendor_persist_rfs_shared_hlos_file, file_type, vendor_persist_type;
type vendor_persist_sensors_file, file_type, vendor_persist_type;
type vendor_persist_time_file, file_type, vendor_persist_type;
type vendor_persist_audio_file, file_type, vendor_persist_type;
type vendor_persist_bluetooth_file, file_type, vendor_persist_type;
type vendor_persist_alarm_file, file_type, vendor_persist_type;
type vendor_persist_feature_enabler_file, file_type, vendor_persist_type;
type vendor_netmgr_data_file, file_type, data_file_type;
type vendor_netmgr_recovery_data_file, file_type, data_file_type;
type vendor_qmipriod_data_file, file_type, data_file_type;
type vendor_ipa_vendor_data_file, file_type, data_file_type;
type vendor_shsusr_data_file, file_type, data_file_type;
type vendor_tombstone_data_file, file_type, data_file_type;
type vendor_camera_data_file, file_type, data_file_type;
type vendor_display_vendor_data_file, file_type, data_file_type;
type vendor_nfc_vendor_data_file, file_type, data_file_type;
type vendor_radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_modem_dump_file, file_type, data_file_type;
type vendor_sensors_vendor_data_file, file_type, data_file_type;
type vendor_port_bridge_data_file, file_type, data_file_type;
type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_firmware_file, vendor_file_type, file_type;
type vendor_mdmhelperdata_data_file, file_type, data_file_type;
type vendor_mbn_data_file, file_type, data_file_type;
#vendor capability configstore hal
type vendor_capabilityconfigstore_data_file, file_type, data_file_type;
#widevine data file
type vendor_mediadrm_vendor_data_file, file_type, data_file_type;
#time-services data file
type vendor_time_data_file, file_type, data_file_type;
#data sysfs files
type vendor_sysfs_data, fs_type, sysfs_type;
#diag sysfs files
type vendor_sysfs_diag, fs_type, sysfs_type;
type vendor_hexagon_halide_file, vendor_file_type, file_type;
# vendor media files
type vendor_media_data_file, file_type, data_file_type;
type adsprpcd_file, file_type, mlstrustedobject, vendor_file_type;
# vm system files
type vendor_vm_system_file, file_type, vendor_file_type;
type vendor_hbtp_log_file, file_type, data_file_type;
type vendor_hbtp_cfg_file, file_type, vendor_file_type;
#tloc data files
type vendor_tlocd_data_file, file_type, data_file_type;
#qseecom
type vendor_data_qsee_file, file_type, data_file_type;
#TUI Files
type vendor_tui_data_file, file_type, data_file_type;
# SFS listener data file
type vendor_data_tzstorage_file, file_type, data_file_type;
#NNHAL files
type vendor_hal_neuralnetworks_data_file, file_type, data_file_type;
#BT Files
type vendor_bt_data_file, file_type, data_file_type;
type vendor_sysfs_usb_controller, sysfs_type, fs_type;
#for qdss
type vendor_sysfs_qdss_dev, sysfs_type, fs_type;
#Define the qdcmss socket type
type vendor_qdcmsocket_socket, file_type;
type vendor_sysfs_mhi, sysfs_type, fs_type;
type vendor_sysfs_suspend, fs_type, sysfs_type;
# kgsl gpu model file type for sysfs access
type vendor_sysfs_kgsl_gpu_model, sysfs_type, fs_type;
type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;

487
generic/vendor/common/file_contexts vendored
View File

@@ -1,487 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# dev nodes
/dev/btpower u:object_r:vendor_bt_device:s0
/dev/diag u:object_r:vendor_diag_device:s0
/dev/kgsl-3d0 u:object_r:gpu_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
/dev/smd.* u:object_r:vendor_smd_device:s0
/dev/msm_npu u:object_r:vendor_npu_device:s0
# TODO: does ttyMSM0 need to be more specific
/dev/ttyMSM0 u:object_r:tty_device:s0
/dev/ipa u:object_r:vendor_ipa_dev:s0
/dev/wwan_ioctl u:object_r:vendor_ipa_dev:s0
/dev/ipaNatTable u:object_r:vendor_ipa_dev:s0
/dev/cpu_dma_latency u:object_r:vendor_latency_device:s0
/dev/dpl_ctrl u:object_r:vendor_rmnet_device:s0
/dev/rmnet_ctrl.* u:object_r:vendor_rmnet_device:s0
/dev/at_.* u:object_r:vendor_at_device:s0
/dev/video([0-9])+ u:object_r:video_device:s0
/dev/cvp* u:object_r:video_device:s0
/dev/media([0-9])+ u:object_r:video_device:s0
/dev/v4l-subdev.* u:object_r:video_device:s0
/dev/qseecom u:object_r:tee_device:s0
/dev/qsee_ipc_irq_spss u:object_r:vendor_qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:vendor_seemplog_device:s0
/dev/spcom u:object_r:vendor_spcom_device:s0
/dev/jpeg[0-9]* u:object_r:video_device:s0
/dev/adsprpc-smd u:object_r:vendor_qdsp_device:s0
/dev/adsprpc-smd-secure u:object_r:vendor_xdsp_device:s0
/dev/sdsprpc-smd u:object_r:vendor_dsp_device:s0
/dev/wcd-dsp-glink u:object_r:audio_device:s0
/dev/wcd_dsp0_control u:object_r:audio_device:s0
/dev/wcd-spi-ac-client u:object_r:audio_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/avtimer u:object_r:vendor_avtimer_device:s0
/dev/subsys_.* u:object_r:vendor_ssr_device:s0
/dev/ramdump_.* u:object_r:vendor_ramdump_device:s0
/dev/ramdump_microdump_modem u:object_r:vendor_ramdump_microdump_modem_device:s0
/dev/hbtp_input u:object_r:vendor_hbtp_device:s0
/dev/hbtp_vm u:object_r:vendor_hbtp_device:s0
/dev/sg[0-9]+ u:object_r:vendor_sg_device:s0
/dev/ufs-bsg.* u:object_r:vendor_bsg_device:s0
/dev/0:0:0:49476 u:object_r:vendor_bsg_device:s0
/dev/sensors u:object_r:sensors_device:s0
/dev/mnh_sm u:object_r:vendor_easel_device:s0
/dev/easelcomm-client u:object_r:vendor_easel_device:s0
/dev/citadel0 u:object_r:vendor_citadel_device:s0
/dev/jdi-bu21150 u:object_r:vendor_bu21150_device:s0
/dev/usb_ext_chg u:object_r:vendor_hvdcp_device:s0
/dev/synx_device u:object_r:vendor_synx_device:s0
/dev/ipa_odl_ctl u:object_r:vendor_ipa_dev:s0
/dev/ipa_adpl u:object_r:vendor_ipa_dev:s0
# dev socket nodes
/dev/socket/chre u:object_r:vendor_chre_socket:s0
/dev/socket/oemlock u:object_r:vendor_hal_bootctl_socket:s0
/dev/socket/ims_qmid u:object_r:vendor_ims_socket:s0
/dev/socket/ims_datad u:object_r:vendor_ims_socket:s0
/dev/socket/ipacm_log_file u:object_r:vendor_ipacm_socket:s0
/dev/socket/cnd u:object_r:vendor_cnd_socket:s0
/dev/socket/thermal-send-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-passive-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-send-rule u:object_r:vendor_thermal_socket:s0
/dev/socket/netmgr(/.*)? u:object_r:vendor_netmgrd_socket:s0
/dev/socket/port-bridge(/.*)? u:object_r:vendor_port-bridge_socket:s0
/dev/socket/qti_dpm_uds_file u:object_r:vendor_dataqti_socket:s0
/dev/socket/location(/.*)? u:object_r:vendor_location_socket:s0
/dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
/dev/socket/pps u:object_r:vendor_pps_socket:s0
/dev/nq-nci u:object_r:nfc_device:s0
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/wlan u:object_r:vendor_wlan_device:s0
/dev/socket/qmux_radio(/.*)? u:object_r:vendor_qmuxd_socket:s0
/data/vendor/modem_config(/.*)? u:object_r:vendor_mbn_data_file:s0
/dev/socket/qdcmsocket u:object_r:vendor_qdcmsocket_socket:s0
/dev/qce u:object_r:vendor_qce_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
/dev/block/sda u:object_r:vendor_gpt_block_device:s0
# Block devices for the drive that holds the xbl_a and xbl_b partitions.
/dev/block/sd[bc]1? u:object_r:vendor_xbl_block_device:s0
# Block device for hal_bootctl
/dev/block/sde u:object_r:boot_block_device:s0
# Block device for ZRAM
/dev/block/zram0 u:object_r:swap_block_device:s0
# files in /vendor
/vendor/firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bt_firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bin/ATFWD-daemon u:object_r:vendor_atfwd_exec:s0
/vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch u:object_r:hal_vr_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/sensors.qcom u:object_r:vendor_sensors_exec:s0
/vendor/bin/sensors.qti u:object_r:vendor_sensors_exec:s0
/vendor/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0
/vendor/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
/vendor/bin/pm-service u:object_r:vendor_per_mgr_exec:s0
/vendor/bin/pm-proxy u:object_r:vendor_per_proxy_exec:s0
/vendor/bin/qseecomd u:object_r:tee_exec:s0
/vendor/bin/subsystem_ramdump u:object_r:vendor_subsystem_ramdump_exec:s0
/vendor/bin/adsprpcd u:object_r:vendor_adsprpcd_exec:s0
/vendor/bin/cdsprpcd u:object_r:vendor_cdsprpcd_exec:s0
/vendor/bin/audioadsprpcd u:object_r:vendor_audioadsprpcd_exec:s0
/vendor/bin/irsc_util u:object_r:vendor_irsc_util_exec:s0
/vendor/bin/rmt_storage u:object_r:vendor_rmt_storage_exec:s0
/vendor/bin/tftp_server u:object_r:vendor_rfs_access_exec:s0
/vendor/bin/cnss-daemon u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/cnss_diag u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/diag_mdlog u:object_r:vendor_qlogd_exec:s0
/vendor/bin/netmgrd u:object_r:vendor_netmgrd_exec:s0
/vendor/bin/qmipriod u:object_r:vendor_qmipriod_exec:s0
/vendor/bin/shsusrd u:object_r:vendor_shsusrd_exec:s0
/vendor/bin/port-bridge u:object_r:vendor_port-bridge_exec:s0
/vendor/bin/qti u:object_r:vendor_qti_exec:s0
/vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
/vendor/bin/lowi-server u:object_r:vendor_location_exec:s0
/vendor/bin/xtra-daemon u:object_r:vendor_location_exec:s0
/vendor/bin/pd-mapper u:object_r:vendor_pd_mapper_exec:s0
/vendor/bin/imsqmidaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/imsdatadaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/ims_rtp_daemon u:object_r:vendor_hal_imsrtp_exec:s0
/vendor/bin/ipacm u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/ipacm-diag u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/cnd u:object_r:vendor_cnd_exec:s0
/vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/diag-router u:object_r:vendor_diag-router_exec:s0
/(vendor|system/vendor)/bin/msm_irqbalance u:object_r:vendor_msm_irqbalanced_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.1-service.crosshatch u:object_r:hal_usb_default_exec:s0
/vendor/bin/chre u:object_r:vendor_chre_exec:s0
/vendor/bin/time_daemon u:object_r:vendor_time_daemon_exec:s0
/vendor/bin/imsrcsd u:object_r:vendor_hal_rcsservice_exec:s0
/vendor/bin/tloc_daemon u:object_r:vendor_tlocd_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.2-service u:object_r:hal_power_default_exec:s0
/vendor/bin/hw/qcrild u:object_r:rild_exec:s0
/vendor/bin/hw/qcrilNrd u:object_r:rild_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.vibrator@1\.1-service.crosshatch u:object_r:hal_vibrator_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:vendor_hal_gatekeeper_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:vendor_hal_gnss_qti_exec:s0
/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:vendor_hal_tui_comm_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:vendor_hal_qdutils_disp_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.trustedui@1\.0-service-qti u:object_r:vendor_hal_trustedui_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.capabilityconfigstore@1\.0-service u:object_r:vendor_hal_capabilityconfigstore_qti_default_exec:s0
/(vendor|system/vendor)/bin/power_off_alarm u:object_r:vendor_power_off_alarm_exec:s0
/(vendor|system/vendor)/bin/grep u:object_r:vendor_toolbox_exec:s0
/vendor/bin/hw/vendor\.display\.color@1\.0-service u:object_r:vendor_hal_display_color_default_exec:s0
/vendor/bin/hw/vendor\.qti\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
/vendor/bin/hw/hardware\.google\.media\.c2@1\.0-service-software u:object_r:mediacodec_exec:s0
/vendor/bin/feature_enabler_client u:object_r:vendor_feature_enabler_client_exec:s0
/(vendor|system/vendor)/bin/qdcmss u:object_r:vendor_qdcm-ss_exec:s0
###############################################
# same-process HAL files and their dependencies
#
/vendor/lib(64)?/hw/gralloc\.qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcamxexternalformatutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloccore\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgrallocutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/vulkan\.adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_CM_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrmutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
# /vendor/app/TimeService/TimeService.apk
/vendor/lib(64)?/libTimeService\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libtime_genoff\.so u:object_r:same_process_hal_file:s0
# hbtp dependencies
/vendor/lib(64)?/libhbtpitsjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpdbgclientjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpjni\.so u:object_r:same_process_hal_file:s0
# framework detect libs libvndfwk_detect_jni.qti and libqti_vndfwk_detect
/vendor/lib(64)?/libvndfwk_detect_jni\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti_vndfwk_detect\.so u:object_r:same_process_hal_file:s0
# NPU files
/vendor/lib(64)?/libnpu\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_controller\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_hexagon_runtime\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/unnhal-acc-hta\.so u:object_r:same_process_hal_file:s0
# RenderScript dependencies.
# To test: run cts -m CtsRenderscriptTestCases
/vendor/lib(64)?/libRSDriver_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libCB\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qgl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libbccQTI\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno_sha1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti-perfd-client\.so u:object_r:same_process_hal_file:s0
# TODO(b/36895509): remove the following 2 lines once this bug is resolved
# needed by radio
/vendor/lib(64)?/libimsmedia_jni\.so u:object_r:same_process_hal_file:s0
# libGLESv2_adreno depends on this
/vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
# libOpenCL and its dependencies
/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libq3dtools_adreno\.so u:object_r:same_process_hal_file:s0
# Loaded by native loader (zygote) for all processes
/vendor/lib(64)?/libadsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libsdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib/dsp/fastrpc_shell_0 u:object_r:same_process_hal_file:s0
# Fastcv libs
/vendor/lib(64)?/libfastcvdsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvadsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvopt\.so u:object_r:same_process_hal_file:s0
# data files
/data/vendor/netmgr(/.*)? u:object_r:vendor_netmgr_data_file:s0
/data/vendor/netmgr/recovery(/.*)? u:object_r:vendor_netmgr_recovery_data_file:s0
/data/vendor/qmipriod(/.*)? u:object_r:vendor_qmipriod_data_file:s0
/data/vendor/shsusr(/.*)? u:object_r:vendor_shsusr_data_file:s0
/data/vendor/location(/.*)? u:object_r:vendor_location_data_file:s0
/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
/data/vendor/display(/.*)? u:object_r:vendor_display_vendor_data_file:s0
/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0
/data/vendor/radio(/.*)? u:object_r:vendor_radio_vendor_data_file:s0
/data/vendor/wifi/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_log_data_file:s0
/data/vendor/ramdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/ssrdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/modem_dump(/.*)? u:object_r:vendor_modem_dump_file:s0
/data/vendor/ipa(/.*)? u:object_r:vendor_ipa_vendor_data_file:s0
/data/vendor/sensors(/.*)? u:object_r:vendor_sensors_vendor_data_file:s0
/data/vendor/port_bridge(/.*)? u:object_r:vendor_port_bridge_data_file:s0
/data/vendor/tloc(/.*)? u:object_r:vendor_tlocd_data_file:s0
/data/vendor/connectivity(/.*)? u:object_r:vendor_cnd_data_file:s0
/data/vendor/misc/qsee(/.*)? u:object_r:vendor_data_qsee_file:s0
/data/vendor/tui(/.*)? u:object_r:vendor_tui_data_file:s0
/data/vendor/tzstorage(/.*)? u:object_r:vendor_data_tzstorage_file:s0
/data/vendor/tombstones(/.*)? u:object_r:vendor_tombstone_data_file:s0
/data/vendor/time(/.*)? u:object_r:vendor_time_data_file:s0
/data/vendor/mdmhelperdata(/.*)? u:object_r:vendor_mdmhelperdata_data_file:s0
/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
# audio_data_file
/data/vendor/audio(/.*)? u:object_r:vendor_audio_data_file:s0
# /
/tombstones u:object_r:rootfs:s0
/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
/vendor/vm-system(/.*)? u:object_r:vendor_vm_system_file:s0
# /persist
/mnt/vendor/persist/data(/.*)? u:object_r:vendor_persist_data_file:s0
/mnt/vendor/persist/display(/.*)? u:object_r:vendor_persist_display_file:s0
/mnt/vendor/persist/drm(/.*)? u:object_r:vendor_persist_drm_file:s0
/mnt/vendor/persist/elabel(/.*)? u:object_r:vendor_persist_elabel_file:s0
/mnt/vendor/persist/haptics(/.*)? u:object_r:vendor_persist_haptics_file:s0
/mnt/vendor/persist/hlos_rfs(/.*)? u:object_r:vendor_persist_rfs_shared_hlos_file:s0
/mnt/vendor/persist/rfs(/.*)? u:object_r:vendor_persist_rfs_file:s0
/mnt/vendor/persist/sensors(/.*)? u:object_r:vendor_persist_sensors_file:s0
/mnt/vendor/persist/time(/.*)? u:object_r:vendor_persist_time_file:s0
/mnt/vendor/persist/audio(/.*)? u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/feature_enabler_client(/.*)? u:object_r:vendor_persist_feature_enabler_file:s0
# graphics device
/dev/mdss_rotator u:object_r:graphics_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/dri/controlD64 u:object_r:graphics_device:s0
/dev/dri/renderD128 u:object_r:graphics_device:s0
#TODO: move this to genfs_context or target based file_context
# sysfs_leds
/sys/devices/platform/soc/[a-f0-9]+.qcom,spmi/spmi-0/spmi0-0[0-9]/[a-f0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,haptics@c000/leds/vibrator(/.*)? u:object_r:sysfs_leds:s0
# vendor_sysfs_devfreq
/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:vendor_sysfs_devfreq:s0
#vendor_sysfs_data
/sys/devices/virtual/xt_hardidletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
/sys/devices/virtual/xt_idletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
#persist_bluetooth_file
/mnt/vendor/persist/bluetooth(/.*)? u:object_r:vendor_persist_bluetooth_file:s0
#power off alarm file
/mnt/vendor/persist/alarm(/.*)? u:object_r:vendor_persist_alarm_file:s0
/(vendor|system/vendor)/bin/hbtp_daemon u:object_r:vendor_hbtp_exec:s0
/(vendor|system/vendor)/bin/sscrpcd u:object_r:vendor_sensors_exec:s0
# vendor_sysfs_graphics
/sys/class/graphics/fb0/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_time u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/product_description u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vendor_name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hpd u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/res_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_type u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_split u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/show_blank_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hist_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vsync_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/lineptr_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_notify u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_thermal_level u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/connected u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/scan_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/packpattern u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dyn_pu u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/hdcp/msm_hdcp/min_level_change u:object_r:vendor_sysfs_graphics:s0
/sys/class/lcd_bias/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/class/leds/wled/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/status u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[0-9a-f]+.qcom,spmi/spmi-[0-9]+/spmi[0-9]+-[0-9]+/[0-9a-f]+.qcom,spmi:qcom,pmi[0-9]+@[0-9]+:qcom,leds@[a-f0-9]+(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/switch/hdmi(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/[a-f0-9]+.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/qcom,mdss_fb_primary.+[a-f0-9]/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_cam/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,vidc/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,cci/[a-f0-9]+.qcom,cci:qcom,camera@[0-2]/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:vendor_sysfs_mmc_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)? u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:vendor_sysfs_scsi_target:s0
/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:vendor_mediadrm_vendor_data_file:s0
/data/vendor/nnhal(/.*)? u:object_r:vendor_hal_neuralnetworks_data_file:s0
# Moved to target specfic folder so removing this from common file
#/sys/devices(/platform)?/soc/[a-f0-9\.:]+,[a-f0-9\-\_]+/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:vendor_sysfs_kgsl_gpu_model:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:vendor_sysfs_kgsl_gpuclk:s0
/sys/devices/soc/[a-f0-9]+.ssusb/power_supply/usb(/.*)? u:object_r:vendor_sysfs_usb_supply:s0
/data/(misc|vendor)/hbtp(/.*)? u:object_r:vendor_hbtp_log_file:s0
/vendor/etc/hbtp/* u:object_r:vendor_hbtp_cfg_file:s0
/sys/devices/soc/qpnp-vadc-[0-9]+(/.*)? u:object_r:vendor_sysfs_vadc_dev:s0
#Android NN Driver
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:vendor_hal_neuralnetworks_default_exec:s0
/(vendor|system/vendor)/bin/init\.class_main\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.crda\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.mdm\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.class_core\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.coex\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.crashdata\.sh u:object_r:vendor_init-qcom-crashdata-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm660\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm670\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.early_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.efs\.sync\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.dcvs\.sh u:object_r:vendor_init-qti-dcvs-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sdio\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sensors\.sh u:object_r:vendor_init-qcom-sensors-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.syspart_fixup\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.usb\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.wifi\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.ims\.sh u:object_r:vendor_init-qti-ims-sh_exec:s0
/(vendor|system/vendor)/bin/qca6234-service.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.kernel\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.kernel\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.qcv\.sh u:object_r:vendor_qti_init_shell_exec:s0
#Limits sysfs node
/sys/module/msm_isense_cdsp/data u:object_r:sysfs_thermal:s0
/(vendor|system/vendor)/bin/vendor_modprobe\.sh u:object_r:vendor_modinstall-sh_exec:s0

29
generic/vendor/common/fsck.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow fsck vendor_persist_block_device:blk_file rw_file_perms;

144
generic/vendor/common/genfs_contexts vendored
View File

@@ -1,144 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
genfscon proc /debug/fwdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /ath_pktlog/cld u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /shs u:object_r:vendor_proc_shs:s0
genfscon sysfs /android_touch u:object_r:vendor_sysfs_touch:s0
genfscon sysfs /devices/virtual/input/ftm4_touch u:object_r:vendor_sysfs_touch:s0
#genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /kernel/irq_helper/irq_blacklist_on u:object_r:vendor_sysfs_irqbalance:s0
genfscon sysfs /kernel/wcd_cpe0 u:object_r:vendor_sysfs_audio:s0
genfscon sysfs /class/uio u:object_r:sysfs_uio:s0
genfscon sysfs /devices/soc/soc:bt_wcn3990 u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,llccbw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_mdss_mdp_caps:s0
genfscon sysfs /devices/platform/soc/c17a000.i2c/i2c-6/6-005a/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/c1b5000.i2c/i2c-7/7-0030/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000 u:object_r:vendor_sysfs_data:s0
genfscon sysfs /devices/platform/soc/0.qcom,rmtfs_sharedmem/uio u:object_r:vendor_sysfs_uio_file:s0
genfscon sysfs /devices/platform/soc/soc:fp_fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/virtual/wahoo_laser u:object_r:vendor_sysfs_laser:s0
genfscon sysfs /module/cpu_boost u:object_r:vendor_sysfs_cpu_boost:s0
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/lcd_bias u:object_r:vendor_sysfs_lcd:s0
genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
genfscon sysfs /module/diagchar/parameters/timestamp_switch u:object_r:vendor_sysfs_timestamp_switch:s0
genfscon sysfs /module/msm_performance u:object_r:vendor_sysfs_msm_perf:s0
genfscon sysfs /module/lpm_levels u:object_r:vendor_sysfs_msm_power:s0
genfscon sysfs /module/lpm_stats u:object_r:vendor_sysfs_msm_stats:s0
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/soc/8c0000.qcom,msm-cam u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc0 u:object_r:vendor_sysfs_soc:s0
genfscon sysfs /devices/soc/caa0000.qcom,jpeg u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/caa4000.qcom,fd u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qpnp,fg/power_supply/bms/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /bus/msm_subsys u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /module/subsystem_restart u:object_r:vendor_sysfs_msm_subsys_restart:s0
genfscon sysfs /kernel/boot_adsp/boot u:object_r:vendor_sysfs_boot_adsp:s0
genfscon sysfs /kernel/boot_slpi u:object_r:vendor_sysfs_slpi:s0
genfscon sysfs /devices/soc/c1b7000.i2c/i2c-9/9-0008 u:object_r:vendor_sysfs_easel:s0
genfscon sysfs /class/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /class/typec/usbc0 u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb1 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb2 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a600000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a800000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /module/diagchar u:object_r:vendor_sysfs_diag:s0
genfscon sysfs /devices/virtual/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /class/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/kgsl/kgsl/proc u:object_r:vendor_sysfs_kgsl_proc:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /class/sensors u:object_r:vendor_sysfs_sensors:s0
genfscon sysfs /bus/esoc u:object_r:vendor_sysfs_esoc:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_enable u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_userspace u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /kernel/hbtp/display_pwr u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/virtual/net/bond0/bonding/queue_id u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /devices/virtual/net/bond0/queues/rx-0/rps_cpus u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /firmware/devicetree/base/cpus u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /bus/spmi/devices u:object_r:vendor_sysfs_spmi_dev:s0
genfscon sysfs /power/mem_sleep u:object_r:vendor_sysfs_suspend:s0
genfscon sysfs /kernel/boot_adsp/ssr u:object_r:vendor_sysfs_adsp_ssr:s0
genfscon debugfs /kgsl/proc u:object_r:vendor_debugfs_kgsl:s0
genfscon debugfs /clk/debug_suspend u:object_r:vendor_debugfs_clk:s0
genfscon debugfs /wlan0 u:object_r:vendor_debugfs_wlan:s0
genfscon debugfs /rpm_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /rpm_master_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /ion u:object_r:vendor_debugfs_ion:s0
genfscon debugfs /ipc_logging u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /system_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /tcpm/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /pd_engine/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /ipc_logging/smblib/log u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /msm_ipc_router u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /mdp u:object_r:vendor_debugfs_mdp:s0
genfscon debugfs /rmt_storage u:object_r:vendor_debugfs_rmt_storage:s0
genfscon debugfs /icnss u:object_r:vendor_debugfs_icnss:s0

36
generic/vendor/common/hal_alarm_qti_default.te vendored
View File

@@ -1,36 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_alarm_qti_default, domain;
hal_server_domain(vendor_hal_alarm_qti_default, vendor_hal_alarm_qti)
type vendor_hal_alarm_qti_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_alarm_qti_default)
allow vendor_hal_alarm_qti_default rtc_device:chr_file r_file_perms;

30
generic/vendor/common/hal_atfwd.te vendored
View File

@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
binder_call(vendor_atfwd, vendor_qtelephony);
allow vendor_atfwd vendor_hal_atfwd_hwservice:hwservice_manager find;

61
generic/vendor/common/hal_audio_default.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow hal_audio vendor_diag_device:chr_file rw_file_perms;
allow hal_audio_default debugfs:dir r_dir_perms;
')
hal_client_domain(hal_audio_default, vendor_hal_perf)
hal_client_domain(hal_audio_default, hal_power)
# read-only permission to obtain the calibration data
r_dir_file(hal_audio_default, vendor_persist_audio_file);
allow hal_audio_default mnt_vendor_file:dir search;
#Allow access to firmware
allow hal_audio firmware_file:dir r_dir_perms;
allow hal_audio firmware_file:file r_file_perms;
# Allow hal_audio to read soundcard state under /proc/asound
allow hal_audio vendor_proc_audiod:file r_file_perms;
allow hal_audio_default vendor_audio_data_file:dir rw_dir_perms;
allow hal_audio_default vendor_audio_data_file:file create_file_perms;
#Allow hal audio to use Binder IPC
vndbinder_use(hal_audio)
#allow acess to wcd_cpe
allow hal_audio vendor_sysfs_audio:file rw_file_perms;
allow hal_audio vendor_sysfs_audio:dir r_dir_perms ;
# audio properties
get_prop(hal_audio, vendor_audio_prop)
#to read bluetooth prop
get_prop(hal_audio, vendor_bluetooth_prop)

61
generic/vendor/common/hal_bluetooth_default.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_bluetooth_default vendor_bt_device:chr_file rw_file_perms;
# talk to system_server to set priority
allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;
allow hal_bluetooth system_server:binder call;
# bluetooth properties
set_prop(hal_bluetooth, vendor_bluetooth_prop)
#For bluetooth firmware
r_dir_file(hal_bluetooth_default, bt_firmware_file)
allow hal_bluetooth_default vendor_persist_bluetooth_file:dir rw_dir_perms;
allow hal_bluetooth_default vendor_persist_bluetooth_file:file create_file_perms;
#For QMI socket
allow hal_bluetooth_default self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
userdebug_or_eng(`
diag_use(hal_bluetooth)
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:file create_file_perms;
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:dir create_dir_perms;
allow hal_bluetooth_default proc_sysrq:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:dir rw_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:dir ra_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:file create_file_perms;
allow hal_bluetooth_default self:{ socket } create_socket_perms_no_ioctl;
')
r_dir_file(hal_bluetooth_default, mnt_vendor_file)
# Access lbsoc_helper to bluetooth
use_libsoc_helper(hal_bluetooth_default)

75
generic/vendor/common/hal_bootctl.te vendored
View File

@@ -1,75 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# These are the permissions required to use the boot_control HAL implemented
# here: hardware/qcom/bootctrl/boot_control.c
# Getting and setting GPT attributes for the bootloader iterates over all the
# partition names in the block_device directory /dev/block/.../by-name
allow hal_bootctl block_device:dir r_dir_perms;
#Opening /dev directory from bootctl to query /dev/ufs-bsg* filename
allow hal_bootctl device:dir r_dir_perms;
# Edit the attributes stored in the GPT.
allow hal_bootctl vendor_gpt_block_device:blk_file rw_file_perms;
allow hal_bootctl root_block_device:blk_file rw_file_perms;
# Allow boot_control_hal to get attributes on all the A/B partitions.
allow hal_bootctl boot_block_device:blk_file rw_file_perms;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_xbl_block_device:blk_file getattr;
allow hal_bootctl vendor_modem_block_device:blk_file getattr;
allow hal_bootctl system_block_device:blk_file getattr;
allow hal_bootctl vendor_custom_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl recovery_block_device:blk_file getattr;
allow hal_bootctl vendor_mdtp_device:blk_file getattr;
allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
# Access /dev/sgN or /dev/ufs-bsg* devices (generic SCSI) to write the
# A/B slot selection for the XBL partition. Allow also to issue a
# UFS_IOCTL_QUERY or SG_IO ioctl.
allow hal_bootctl vendor_sg_device:chr_file rw_file_perms;
allow hal_bootctl vendor_bsg_device:chr_file rw_file_perms;
# The sys_rawio denial message is benign, and shows up due to a capability()
# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
# does not result in a error
dontaudit hal_bootctl self:capability sys_rawio;
#scsi driver does a capability check (CAP_SYS_RAWIO) when bootctl does
# an ioctl to /dev/ufs-bsg .Adding this rule to avoid ioctl error.
allow hal_bootctl_server self:capability { sys_rawio };
# Read the sysfs to lookup what /dev/sgN device
# corresponds to the XBL partitions.
allow hal_bootctl vendor_sysfs_scsi_target:dir r_dir_perms;
# Write to the XBL devices.
allow hal_bootctl vendor_xbl_block_device:blk_file rw_file_perms;
# Read dir permission for dt_firmware
allow hal_bootctl sysfs_dt_firmware_android:dir r_dir_perms;

70
generic/vendor/common/hal_camera.te vendored
View File

@@ -1,70 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This is needed to get priority for Camera process
allow hal_camera self:capability sys_nice;
# This is mandatory to open Camera Service
hal_client_domain(hal_camera_default, hal_graphics_allocator)
# This is needed to get performance boost
hal_client_domain(hal_camera_default, vendor_hal_perf)
set_prop(hal_camera, vendor_camera_prop)
# ignore spurious denial
dontaudit hal_camera graphics_device:dir search;
allow hal_camera vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera vendor_camera_data_file:file create_file_perms;
unix_socket_connect(hal_camera, vendor_thermal, vendor_thermal-engine)
userdebug_or_eng(`
allow hal_camera vendor_diag_device:chr_file rw_file_perms;
')
# access hexagon
allow hal_camera vendor_qdsp_device:chr_file r_file_perms;
#Allow camera to access synx device
allow hal_camera vendor_synx_device:chr_file rw_file_perms;
#needed for full_treble
hal_client_domain(hal_camera_default, hal_graphics_composer)
r_dir_file(hal_camera_default, vendor_sysfs_graphics)
#allow camera to access /dsp
r_dir_file(hal_camera, adsprpcd_file);
#allow camera to access adsprpc_prop
get_prop(hal_camera, vendor_adsprpc_prop)
# This is needed to access GPU
allow hal_camera_default gpu_device:chr_file rw_file_perms;
# Postproc Service
hal_attribute_hwservice(hal_camera, vendor_hal_camera_postproc_hwservice);

29
generic/vendor/common/hal_contexthub.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow context hub HAL to communicate with daemon via socket
unix_socket_connect(hal_contexthub, vendor_chre, vendor_chre)

56
generic/vendor/common/hal_display_color.te vendored
View File

@@ -1,56 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Define domain
type vendor_hal_display_color_default, domain;
hal_server_domain(vendor_hal_display_color_default, vendor_hal_display_color)
type vendor_hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_display_color_default)
# Allow hwbinder call from hal client to server
binder_call(vendor_hal_display_color_client, vendor_hal_display_color_server)
binder_call(platform_app, vendor_hal_display_color_server)
# Add hwservice related rules
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_color_hwservice)
allow vendor_hal_display_color_client vendor_hal_display_color_hwservice:hwservice_manager find;
allow platform_app vendor_hal_display_color_hwservice:hwservice_manager find;
# Rule for display color to access graphics composer process
unix_socket_connect(vendor_hal_display_color, vendor_pps, hal_graphics_composer_default);
# Rule for vndbinder usage
allow vendor_hal_display_color vendor_qdisplay_service:service_manager find;
vndbinder_use(vendor_hal_display_color);
binder_call(vendor_hal_display_color, hal_graphics_composer)
#Add rules for postproc hal
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_postproc_hwservice)
allow vendor_hal_display_postproc_client vendor_hal_display_postproc_hwservice:hwservice_manager find;
# Set vendor_qdcmss property
set_prop(vendor_hal_display_color, vendor_qdcmss_prop);

27
generic/vendor/common/hal_drm_default.te vendored
View File

@@ -1,27 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_drm_default vndbinder_device:chr_file rw_file_perms;

49
generic/vendor/common/hal_drm_widevine.te vendored
View File

@@ -1,49 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# define SELinux domain
type vendor_hal_drm_widevine, domain;
hal_server_domain(vendor_hal_drm_widevine, hal_drm)
type vendor_hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_drm_widevine)
allow vendor_hal_drm_widevine mediacodec:fd use;
allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
#Allow access to smcinvoke device
allow vendor_hal_drm_widevine vendor_smcinvoke_device:chr_file rw_file_perms;
# The QTI DRM-HAL implementation uses a vendor-binder service provided
# by the HWC HAL.
vndbinder_use(vendor_hal_drm_widevine);
allow vendor_hal_drm_widevine vendor_qdisplay_service:service_manager { find };
#binder_call(vendor_hal_drm_widevine, hal_graphics_composer)
hal_client_domain(vendor_hal_drm_widevine, hal_graphics_composer);
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:dir create_dir_perms;
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:file create_file_perms;

35
generic/vendor/common/hal_gatekeeper_qti.te vendored
View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_gatekeeper_qti, domain;
hal_server_domain(vendor_hal_gatekeeper_qti, hal_gatekeeper)
type vendor_hal_gatekeeper_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gatekeeper_qti)
dontaudit vendor_hal_gatekeeper_qti firmware_file:dir search;
get_prop(vendor_hal_gatekeeper_qti, vendor_tee_listener_prop)

64
generic/vendor/common/hal_gnss_qti.te vendored
View File

@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
type vendor_hal_gnss_qti, domain;
hal_server_domain(vendor_hal_gnss_qti, hal_gnss)
type vendor_hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gnss_qti)
# vendor binder
use_vendor_per_mgr(vendor_hal_gnss_qti)
# /data/vendor/vendor_location
allow vendor_hal_gnss_qti vendor_location_data_file:fifo_file { open read setattr write };
allow vendor_hal_gnss_qti vendor_location_data_file:dir create_dir_perms;
allow vendor_hal_gnss_qti vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_hal_gnss_qti vendor_location_socket:sock_file create_file_perms;
allow vendor_hal_gnss_qti vendor_location_socket:dir rw_dir_perms;
allow vendor_hal_gnss_qti vendor_location:unix_stream_socket connectto;
allow vendor_hal_gnss_qti vendor_location:unix_dgram_socket sendto;
# Allow Gnss HAL to get updates from health hal
hal_client_domain(vendor_hal_gnss_qti, hal_health)
# Most HALs are not allowed to use network sockets. QTI library
# libqdi is used across multiple processes which are clients of
# netmgrd including the GNSS HAL. libqdi first attempts to get the network
# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
# If that fails, it falls back to using libc's if_nameindex() which requires
# a netlink route socket, which HALs may use. Due to the initial
# attempt to use a UDP socket, we still see a selinux denial,
# but it is safe to ignore.
# TODO (b/37730994) Remove udp_socket requirement from
# libqdi and have all its clients use netlink route
# sockets.
dontaudit vendor_hal_gnss_qti self:udp_socket create;

91
generic/vendor/common/hal_graphics_composer_default.te vendored
View File

@@ -1,91 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Binder access (for display.qservice)
vndbinder_use(hal_graphics_composer_default)
hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
allow hal_graphics_composer_default vendor_qdisplay_service:service_manager { add find };
allow hal_graphics_composer_default vendor_persist_display_file:dir search;
allow hal_graphics_composer_default vendor_persist_display_file:file r_file_perms;
# Allow reading/writing to '/mnt/vendor/persist/display/*'
allow hal_graphics_composer_default vendor_persist_display_file:dir rw_dir_perms;
allow hal_graphics_composer_default vendor_persist_display_file:file create_file_perms;
allow hal_graphics_composer vendor_sysfs_graphics:dir r_dir_perms;
allow hal_graphics_composer vendor_sysfs_graphics:file rw_file_perms;
allow hal_graphics_composer_default mnt_vendor_file:dir search;
allow hal_graphics_composer oemfs:dir r_dir_perms;
get_prop(hal_graphics_composer, vendor_display_prop)
allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
r_dir_file(hal_graphics_composer_default, sysfs_leds)
# TODO(b/37666508): Remove the following line upon resolution of the bug
allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
# HWC_UeventThread
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Allow ion_device read/write permission
allow hal_graphics_composer_default ion_device:chr_file rw_file_perms;
# Access /sys/devices/virtual/graphics/fb0
r_dir_file(hal_graphics_composer_default, sysfs_type)
# Allow reading/writing to '/data/vendor/display/*'
allow hal_graphics_composer_default vendor_display_vendor_data_file:dir create_dir_perms;
allow hal_graphics_composer_default vendor_display_vendor_data_file:file create_file_perms;
userdebug_or_eng(`
allow hal_graphics_composer_default vendor_debugfs_mdp:dir r_dir_perms;
allow hal_graphics_composer_default vendor_debugfs_mdp:file r_file_perms;
')
userdebug_or_eng(`
# Allow read to /sys/kernel/debug/*
allow hal_graphics_composer vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer vendor_qti_display_debugfs:file r_file_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:file r_file_perms;
')
# Allow sensor service access
allow hal_graphics_composer fwk_sensor_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer, system_server)
# allow composer to register display config
add_hwservice(hal_graphics_composer_server, vendor_hal_display_config_hwservice);
# allow composer client to find display config service.
allow hal_graphics_composer_client vendor_hal_display_config_hwservice:hwservice_manager find;
# Allow qdcmss socket access
unix_socket_connect(hal_graphics_composer_default, vendor_qdcmsocket, vendor_qdcm-ss)

36
generic/vendor/common/hal_health.te vendored
View File

@@ -1,36 +0,0 @@
# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_health, vendor_sysfs_battery_supply);
r_dir_file(hal_health, vendor_sysfs_usb_supply);
allow hal_health hal_health_default:dir search;
allow hal_health {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;

52
generic/vendor/common/hal_imsrtp.te vendored
View File

@@ -1,52 +0,0 @@
# Copyright (c) 2018,2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#vendor_ims rtp service
type vendor_hal_imsrtp, domain;
type vendor_hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_imsrtp)
net_domain(vendor_hal_imsrtp)
hwbinder_use(vendor_hal_imsrtp)
get_prop(vendor_hal_imsrtp, hwservicemanager_prop)
add_hwservice(vendor_hal_imsrtp, vendor_hal_imsrtp_hwservice)
allow vendor_hal_imsrtp self: qipcrtr_socket create_socket_perms_no_ioctl;
unix_socket_connect(vendor_hal_imsrtp, vendor_ims, vendor_ims)
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp self:capability net_bind_service;
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp ion_device:chr_file r_file_perms;
allow vendor_hal_imsrtp vendor_sysfs_data:file r_file_perms;
r_dir_file(vendor_hal_imsrtp, vendor_sysfs_diag)
get_prop(vendor_hal_imsrtp, vendor_ims_prop)
binder_call(vendor_hal_imsrtp, vendor_qtelephony)

47
generic/vendor/common/hal_neuralnetworks.te vendored
View File

@@ -1,47 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_neuralnetworks_default, domain;
hal_server_domain(vendor_hal_neuralnetworks_default, hal_neuralnetworks)
hal_client_domain(vendor_hal_neuralnetworks_default, hal_graphics_allocator)
type vendor_hal_neuralnetworks_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_neuralnetworks_default)
allow vendor_hal_neuralnetworks_default fwk_sensor_hwservice:hwservice_manager find;
allow vendor_hal_neuralnetworks_default vendor_qdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default vendor_xdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default ion_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default app_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default shell_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:dir create_dir_perms;
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:{ file fifo_file } create_file_perms;
allow vendor_hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
allow vendor_hal_neuralnetworks_default vendor_npu_device:chr_file r_file_perms;
r_dir_file(vendor_hal_neuralnetworks_default, adsprpcd_file)

42
generic/vendor/common/hal_qdutils_disp_qti.te vendored
View File

@@ -1,42 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_qdutils_disp_qti, domain;
hal_server_domain(vendor_hal_qdutils_disp_qti, vendor_hal_qdutils_disp)
type vendor_hal_qdutils_disp_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_qdutils_disp_qti)
binder_call(vendor_hal_qdutils_disp_client, vendor_hal_qdutils_disp_server)
binder_call(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_client)
add_hwservice(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_hwservice)
allow vendor_hal_qdutils_disp_client vendor_hal_qdutils_disp_hwservice:hwservice_manager find;
vndbinder_use(vendor_hal_qdutils_disp_qti);
allow vendor_hal_qdutils_disp_qti vendor_qdisplay_service:service_manager find;
#hal_client_domain(vendor_hal_qdutils_disp_qti, hal_display_config);
hal_client_domain(vendor_hal_qdutils_disp_qti, hal_graphics_composer);

71
generic/vendor/common/hal_rcsservice.te vendored
View File

@@ -1,71 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_rcsservice, domain;
type vendor_hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_rcsservice)
net_domain(vendor_hal_rcsservice)
get_prop(vendor_hal_rcsservice, vendor_ims_prop)
set_prop(vendor_hal_rcsservice, vendor_ims_prop)
# To register imsrcsd to hwBinder
hwbinder_use(vendor_hal_rcsservice)
# add IUceSerive and IService to Hidl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsrcsd_hwservice)
add_hwservice(vendor_hal_rcsservice, vendor_hal_imscallinfo_hwservice)
#add imsfactory to HIDl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsfactory_hwservice)
get_prop(vendor_hal_rcsservice, hwservicemanager_prop)
allow vendor_hal_rcsservice vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_rcsservice vendor_sysfs_data:file r_file_perms;
allow vendor_hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
#required for socket creation
unix_socket_connect(vendor_hal_rcsservice, vendor_ims, vendor_ims)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_hal_rcsservice, vendor_dataservice_app)
# imsrcsd needs read/write access to devpts
allow vendor_hal_rcsservice devpts:chr_file rw_file_perms;
# allow imsrcsd capabilities
wakelock_use(vendor_hal_rcsservice)
allow vendor_hal_rcsservice self:capability net_bind_service;
allow vendor_hal_rcsservice self:capability2 wake_alarm;
#diag
userdebug_or_eng(`
diag_use(vendor_hal_rcsservice)
binder_call(vendor_hal_rcsservice, radio)
')
set_prop(vendor_hal_rcsservice, vendor_ctl_vendor_imsrcsservice_prop)

65
generic/vendor/common/hal_sensors_default.te vendored
View File

@@ -1,65 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# read factory calibration and sensor configuration data
allow hal_sensors_default mnt_vendor_file:dir search;
r_dir_file(hal_sensors_default, vendor_persist_sensors_file)
get_prop(hal_sensors_default, vendor_sensors_prop)
# Access to tests from userdebug/eng builds
userdebug_or_eng(`
diag_use(hal_sensors_default)
get_prop(hal_sensors_default, vendor_sensors_dbg_prop)
allow hal_sensors_default vendor_sysfs_timestamp_switch:file r_file_perms;
')
allow hal_sensors_default vendor_qdsp_device:chr_file r_file_perms;
allow hal_sensors_default vendor_xdsp_device:chr_file r_file_perms;
allow hal_sensors vendor_sysfs_data:file r_file_perms;
allow hal_sensors vendor_sysfs_sensors:dir r_dir_perms;
allow hal_sensors vendor_sysfs_sensors:file rw_file_perms;
allow hal_sensors vendor_sysfs_sensors:lnk_file read;
#following to set the ssr
allow hal_sensors_default vendor_sysfs_slpi:dir search;
allow hal_sensors_default vendor_sysfs_slpi:file w_file_perms;
allow hal_sensors_default vendor_sysfs_adsp_ssr:file w_file_perms;
allow hal_sensors_default vendor_persist_sensors_file:dir rw_dir_perms;
allow hal_sensors_default vendor_persist_sensors_file:file create_file_perms;
allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms;
allow hal_sensors_default mnt_vendor_file:file create_file_perms;
#interact with the sensors low power island (SLPI) CPU
allow hal_sensors_default self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm hal_sensors_default self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
allow hal_sensors_default system_server:fd use;
hal_client_domain(hal_sensors_default, hal_graphics_allocator)
# allow to read adsprpc related properties
get_prop(hal_sensors_default, vendor_adsprpc_prop)

28
generic/vendor/common/hal_telephony.te vendored
View File

@@ -1,28 +0,0 @@
#Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
set_prop(hal_telephony_server, vendor_radio_prop);

40
generic/vendor/common/hal_tetheroffload_default.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_tetheroffload_default vendor_ipa_dev:chr_file rw_file_perms;
allow hal_tetheroffload_default vendor_ipacm_socket:sock_file w_file_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:file create_file_perms;
#add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
#diag
userdebug_or_eng(`
r_dir_file(hal_tetheroffload_default, vendor_sysfs_diag)
allow hal_tetheroffload_default vendor_sysfs_timestamp_switch:file r_file_perms;
')

28
generic/vendor/common/hal_thermal_default.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_thermal_default sysfs_thermal:lnk_file read;
allow hal_thermal_default proc_stat:file { getattr open read };

51
generic/vendor/common/hal_trustedui_qti.te vendored
View File

@@ -1,51 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_trustedui_qti, domain;
hal_server_domain(vendor_hal_trustedui_qti, vendor_hal_trustedui)
type vendor_hal_trustedui_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_trustedui_qti)
binder_call(vendor_hal_trustedui_client, vendor_hal_trustedui_server)
binder_call(vendor_hal_trustedui_server, vendor_hal_trustedui_client)
hal_attribute_hwservice(vendor_hal_trustedui, vendor_hal_trustedui_hwservice)
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_allocator);
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_composer);
hal_client_domain(vendor_hal_trustedui_qti, vendor_hal_systemhelper);
allow vendor_hal_trustedui_qti vendor_sysfs_sectouch:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:dir r_dir_perms;
allow vendor_hal_trustedui_qti ion_device:chr_file r_file_perms;
allow vendor_hal_trustedui_qti surfaceflinger:fd use;
allow vendor_hal_trustedui_qti tee_device:chr_file rw_file_perms;
binder_call(vendor_hal_trustedui_qti, vendor_systemhelper_app)

39
generic/vendor/common/hal_tui_comm_qti.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_tui_comm_qti, domain;
hal_server_domain(vendor_hal_tui_comm_qti, vendor_hal_tui_comm)
type vendor_hal_tui_comm_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_tui_comm_qti)
binder_call(vendor_hal_tui_comm_client, vendor_hal_tui_comm_server)
binder_call(vendor_hal_tui_comm_server, vendor_hal_tui_comm_client)
add_hwservice(vendor_hal_tui_comm_server, vendor_hal_tui_comm_hwservice)
allow vendor_hal_tui_comm_client vendor_hal_tui_comm_hwservice:hwservice_manager find;
hal_client_domain(vendor_hal_tui_comm_qti, hal_graphics_allocator);

31
generic/vendor/common/hal_usb_default.te vendored
View File

@@ -1,31 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_usb_default vendor_sysfs_usbpd_device:dir r_dir_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:lnk_file r_file_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:file rw_file_perms;
r_dir_file(hal_usb_default, vendor_sysfs_usb_supply);

32
generic/vendor/common/hal_vibrator_default.te vendored
View File

@@ -1,32 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_vibrator_default, sysfs_leds)
allow hal_vibrator_default sysfs_leds:file rw_file_perms;
# read-only permission to obtain the calibration data
r_dir_file(hal_vibrator_default, vendor_persist_haptics_file)
allow hal_vibrator_default mnt_vendor_file:dir search;

53
generic/vendor/common/hal_wifi.te vendored
View File

@@ -1,53 +0,0 @@
#Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# allow hal_wifi to write into /proc/debugdriver/driverdump
r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg)
# write to files owned by location daemon
allow hal_wifi_default vendor_location_socket:dir search;
allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
# Connect to vendor_location via vendor_location socket.
unix_socket_connect(hal_wifi, vendor_location, vendor_location)
allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
# Write wlan driver/fw version into property
set_prop(hal_wifi_default, vendor_wifi_version)
# allow hal_wifi to write into /proc/sys/net/ipv4
allow hal_wifi proc_net:file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
userdebug_or_eng(`
allow hal_wifi_server vendor_tombstone_data_file:dir rw_dir_perms;
allow hal_wifi_server vendor_tombstone_data_file:file create_file_perms;
')

28
generic/vendor/common/hal_wifi_default.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_wifi vendor_wlan_device:chr_file rw_file_perms;

32
generic/vendor/common/hal_wifi_hostapd.te vendored
View File

@@ -1,32 +0,0 @@
#Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
userdebug_or_eng(`
allow hal_wifi_hostapd vendor_wifi_vendor_log_data_file:dir search;
')

43
generic/vendor/common/hal_wifi_supplicant.te vendored
View File

@@ -1,43 +0,0 @@
#Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Allow access to create socket and ioctl.
allow hal_wifi_supplicant_default self:socket create_socket_perms;
# ioctlcmd=c304, c302
allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;
allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:dir w_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
# Permission for wpa socket which IMS use to communicate
# # Allow wpa_supplicant to send back wifi information to cnd
allow hal_wifi_supplicant_default { vendor_cnd vendor_ims vendor_mutualex}:unix_dgram_socket sendto;
# # Allow wpa_supplicant to send back wifi information to vendor_location
allow hal_wifi_supplicant_default vendor_location:unix_dgram_socket sendto;

83
generic/vendor/common/hbtp.te vendored
View File

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Policies for vendor_hbtp (host based touch processing)
type vendor_hbtp, domain;
type vendor_hbtp_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hbtp)
hal_server_domain(vendor_hbtp, vendor_hal_hbtp)
# Allow access for /dev/vendor_hbtp_input and /dev/jdi-bu21150
allow vendor_hbtp { vendor_hbtp_device vendor_qdsp_device vendor_dsp_device vendor_bu21150_device vendor_xdsp_device }:chr_file rw_file_perms;
allow vendor_hbtp vendor_hbtp_log_file:dir rw_dir_perms;
allow vendor_hbtp vendor_hbtp_log_file:file create_file_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:file r_file_perms;
allow vendor_hbtp firmware_file:dir r_dir_perms;
allow vendor_hbtp firmware_file:file r_file_perms;
allow vendor_hbtp vendor_firmware_file:dir r_dir_perms;
allow vendor_hbtp vendor_firmware_file:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_kernel_sysfs:file rw_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:file r_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:dir r_dir_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:dir r_dir_perms;
allow vendor_hbtp ion_device:chr_file r_file_perms;
allow vendor_hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
# Allow the service to access wakelock sysfs
allow vendor_hbtp sysfs_wake_lock:file r_file_perms;
# Allow the service to change to system from root
allow vendor_hbtp self:capability { setgid setuid sys_nice };
# Allow load touch driver as touchPD
r_dir_file(vendor_hbtp, adsprpcd_file)
#allow the service to read adsprpc_prop
get_prop(vendor_hbtp, vendor_adsprpc_prop)
# Allow the service to access wakelock capability
wakelock_use(vendor_hbtp)
# Allow hwbinder call from hal client to server and vice-versa
binder_call(vendor_hal_hbtp_client, vendor_hal_hbtp_server)
binder_call(vendor_hal_hbtp_server, vendor_hal_hbtp_client)
# Allow hwservice related rules
add_hwservice(vendor_hal_hbtp_server, vendor_hal_hbtp_hwservice)
allow vendor_hal_hbtp_client vendor_hal_hbtp_hwservice:hwservice_manager find;
hal_client_domain(vendor_hbtp, hal_allocator);

35
generic/vendor/common/healthd.te vendored
View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow healthd self:capability2 wake_alarm;
r_dir_file(healthd, vendor_sysfs_battery_supply)
r_dir_file(healthd, vendor_sysfs_usb_supply)
r_dir_file(healthd, sysfs_thermal);
allow healthd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;

44
generic/vendor/common/hwservice.te vendored
View File

@@ -1,44 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_cne_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_cacert_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_dataconnection_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_iwlan_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_config_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrcsd_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imscallinfo_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_ipacm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_hbtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_perf_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_tui_comm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_qdutils_disp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_trustedui_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_color_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_postproc_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_camera_postproc_hwservice, hwservice_manager_type, protected_hwservice;

64
generic/vendor/common/hwservice_contexts vendored
View File

@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
com.dsi.ant::IAnt u:object_r:hal_bluetooth_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
com.qualcomm.qti.uceservice::IUceService u:object_r:vendor_hal_imsrcsd_hwservice:s0
com.qualcomm.qti.imscmservice::IImsCmService u:object_r:vendor_hal_imsrcsd_hwservice:s0
vendor.qti.ims.callinfo::IService u:object_r:vendor_hal_imscallinfo_hwservice:s0
vendor.qti.imsrtpservice::IRTPService u:object_r:vendor_hal_imsrtp_hwservice:s0
vendor.qti.data.factory::IFactory u:object_r:vendor_hal_datafactory_hwservice:s0
vendor.qti.ims.factory::IImsFactory u:object_r:vendor_hal_imsfactory_hwservice:s0
vendor.qti.hardware.data.connection::IDataConnection u:object_r:vendor_hal_dataconnection_hwservice:s0
vendor.qti.hardware.cacert::IService u:object_r:vendor_hal_cacert_hwservice:s0
vendor.display.config::IDisplayConfig u:object_r:vendor_hal_display_config_hwservice:s0
vendor.display.color::IDisplayColor u:object_r:vendor_hal_display_color_hwservice:s0
vendor.display.postproc::IDisplayPostproc u:object_r:vendor_hal_display_postproc_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object_r:vendor_hal_capabilityconfigstore_qti_hwservice:s0
vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.blobmanager::IBlobManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.perf::IPerf u:object_r:vendor_hal_perf_hwservice:s0
vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vendor_hal_atfwd_hwservice:s0
vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.ims::IImsRadio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim::IUim u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
vendor.qti.hardware.display.composer::IQtiComposer u:object_r:hal_graphics_composer_hwservice:s0
vendor.qti.hardware.tui_comm::ITuiComm u:object_r:vendor_hal_tui_comm_hwservice:s0
vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:vendor_hal_qdutils_disp_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedUI u:object_r:vendor_hal_trustedui_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedInput u:object_r:vendor_hal_trustedui_hwservice:s0
android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
vendor.qti.hardware.camera.postproc::IPostProcService u:object_r:vendor_hal_camera_postproc_hwservice:s0

63
generic/vendor/common/ims.te vendored
View File

@@ -1,63 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ims, domain;
type vendor_ims_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ims)
net_domain(vendor_ims)
get_prop(vendor_ims, hwservicemanager_prop)
set_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_cnd_prop)
allow vendor_ims vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_ims vendor_sysfs_data:file r_file_perms;
allow vendor_ims self:capability net_bind_service;
allow vendor_ims ion_device:chr_file r_file_perms;
unix_socket_connect(vendor_ims, vendor_cnd, vendor_cnd)
allow vendor_ims self:socket create_socket_perms_no_ioctl;
allow vendor_ims vendor_ims_socket:sock_file write;
allow vendor_ims self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
allow vendor_ims self:{ netlink_generic_socket } create_socket_perms_no_ioctl;
netmgr_socket(vendor_ims);
allowxperm vendor_ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
allow vendor_ims self:tipc_socket { create_socket_perms_no_ioctl };
#diag
userdebug_or_eng(`
diag_use(vendor_ims)
')
hwbinder_use(vendor_ims)
allow vendor_ims vendor_hal_cne_hwservice:hwservice_manager find;
allow vendor_ims vendor_hal_datafactory_hwservice:hwservice_manager find;
binder_call(vendor_ims, vendor_cnd)

37
generic/vendor/common/imshelper_app.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_imshelper_app, domain;
app_domain(vendor_imshelper_app);
unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims)
allow vendor_imshelper_app app_api_service:service_manager find;
#allow qsee_svc_app vendor_imshelper_app_data_file:dir create_dir_perms;
#allow qsee_svc_app vendor_imshelper_app_data_file:file create_file_perms;
allow vendor_imshelper_app system_app_data_file:dir { getattr search };
allow vendor_imshelper_app vendor_radio_data_file:dir { getattr search };

37
generic/vendor/common/init-qcom-crashdata-sh.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-crashdata-sh, domain;
type vendor_init-qcom-crashdata-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-crashdata-sh)
allow vendor_init-qcom-crashdata-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-crashdata-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_cnt_prop)
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_detect_prop)

43
generic/vendor/common/init-qcom-sensors-sh.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-sensors-sh, domain;
type vendor_init-qcom-sensors-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-sensors-sh)
allow vendor_init-qcom-sensors-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-sensors-sh vendor_toolbox_exec:file rx_file_perms;
r_dir_file(vendor_init-qcom-sensors-sh, mnt_vendor_file)
r_dir_file(vendor_init-qcom-sensors-sh, vendor_persist_sensors_file)
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:file setattr;
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:dir setattr;
allow vendor_init-qcom-sensors-sh sensors_device:chr_file r_file_perms;
set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)

40
generic/vendor/common/init-qti-ims-sh.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qti-ims-sh, domain;
type vendor_init-qti-ims-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qti-ims-sh)
allow vendor_init-qti-ims-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qti-ims-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
get_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
# for ro.build.product
get_prop(vendor_init-qti-ims-sh, exported2_default_prop)

83
generic/vendor/common/init.te vendored
View File

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow init {
adsprpcd_file
cache_file
mnt_vendor_file
storage_file
vendor_vm_system_file
}:dir mounton;
# symlink /sdcard to backing block
allow init tmpfs:lnk_file create;
allow init tty_device:chr_file rw_file_perms;
allow init mnt_vendor_file:dir mounton;
allow init vendor_ab_block_device:lnk_file relabelto;
#Allow init to mount non-hlos partitions in A/B builds
allow init { bt_firmware_file vendor_firmware_file firmware_file } :dir mounton;
allow init { bt_firmware_file firmware_file }:filesystem { relabelfrom mount };
allow { bt_firmware_file firmware_file }self:filesystem associate;
dontaudit init kernel:system module_request;
allow init sysfs_leds:lnk_file r_file_perms;
allow init socket_device:sock_file create_file_perms;
#Needed for restorecon. Init already has these permissions
#for generic block devices, but is unable to access those
#which have a custom lable added by us.
allow init {
vendor_custom_ab_block_device
boot_block_device
vendor_xbl_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
vendor_vm_data_block_device
}:{ blk_file lnk_file } relabelto;
#Allow /sys access to write zram disksize
allow init sysfs_zram:dir r_dir_perms;
allow init sysfs_zram:file r_file_perms;
allow init vendor_sysfs_boot_adsp:file w_file_perms;
allow init bt_firmware_file:filesystem getattr;
allow init firmware_file:filesystem getattr;
# Search and write access for vendor_sysfs_graphics for backlight in recovery
recovery_only(`
allow init vendor_sysfs_graphics:file w_file_perms;
allow init vendor_sysfs_graphics:dir search;
allow init vendor_sysfs_usb_device:file w_file_perms;
')

187
generic/vendor/common/init_shell.te vendored
View File

@@ -1,187 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type vendor_qti_init_shell, domain;
type vendor_qti_init_shell_exec, exec_type, vendor_file_type,file_type;
init_daemon_domain(vendor_qti_init_shell)
domain_auto_trans(init, vendor_shell_exec, vendor_qti_init_shell)
# For executing init shell scripts (init.qcom.early_boot.sh)
allow vendor_qti_init_shell vendor_qti_init_shell_exec:file { rx_file_perms entrypoint };
#execute init scripts
allow vendor_qti_init_shell vendor_shell_exec:file {rx_file_perms entrypoint };
allow vendor_qti_init_shell vendor_toolbox_exec:file rx_file_perms;
# For getting idle_time value
# this is needed for dynamic_fps and bw_mode_bitmap
allow vendor_qti_init_shell vendor_sysfs_graphics:file {rw_file_perms setattr};
allow vendor_qti_init_shell mnt_vendor_file:dir w_dir_perms;
allow vendor_qti_init_shell mnt_vendor_file:file create_file_perms;
allow vendor_qti_init_shell vendor_smd_device:chr_file rw_file_perms;
# Run helpers from / or /system without changing domain.
allow vendor_qti_init_shell { rootfs vendor_shell_exec }:file execute_no_trans;
allow vendor_qti_init_shell gpu_device:chr_file getattr;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:dir r_dir_perms;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:file rw_file_perms;
# for insmod of iris ko, this is needed.
# fowner and fsetid are needed for chmod display nodes.
allow vendor_qti_init_shell self:capability {
sys_module
net_admin
chown
fowner
fsetid
sys_admin
};
set_prop(vendor_qti_init_shell, vendor_ctl_netmgrd_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_port-bridge_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_qcrild_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm-diag_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm_prop)
set_prop(vendor_qti_init_shell, vendor_msm_irqbalance_prop)
set_prop(vendor_qti_init_shell, vendor_dataqti_prop)
set_prop(vendor_qti_init_shell, vendor_display_prop)
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_gralloc_prop)
set_prop(vendor_qti_init_shell, vendor_usb_prop)
set_prop(vendor_qti_init_shell, vendor_system_prop)
set_prop(vendor_qti_init_shell, vendor_mpctl_prop)
set_prop(vendor_qti_init_shell, vendor_radio_prop)
set_prop(vendor_qti_init_shell, vendor_audio_prop)
get_prop(vendor_qti_init_shell, exported3_radio_prop)
set_prop(vendor_qti_init_shell, vendor_gpu_prop)
set_prop(vendor_qti_init_shell, vendor_sensors_prop)
allow vendor_qti_init_shell {
sysfs_devices_system_cpu
sysfs_lowmemorykiller
vendor_sysfs_mmc_host
vendor_sysfs_process_reclaim
}:file w_file_perms;
r_dir_file(vendor_qti_init_shell, sysfs_type)
r_dir_file(vendor_qti_init_shell, vendor_sysfs_devfreq)
allow vendor_qti_init_shell vendor_sysfs_devfreq:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_soc:file write;
allow vendor_qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
allow vendor_qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
# To start sensors for DSPS enabled platforms
r_dir_file(vendor_qti_init_shell, mnt_vendor_file)
r_dir_file(vendor_qti_init_shell, vendor_persist_bluetooth_file)
allow vendor_qti_init_shell { proc proc_net}:file write;
allow vendor_qti_init_shell proc_net:file r_file_perms;
allow vendor_qti_init_shell graphics_device:dir create_dir_perms;
allow vendor_qti_init_shell graphics_device:lnk_file create_file_perms;
#insmod of ko from scripts need kernel key search
allow vendor_qti_init_shell kernel:key search;
allow vendor_qti_init_shell cgroup:dir add_name;
# To allow copy for mbn files
r_dir_file(vendor_qti_init_shell, firmware_file)
# /dev/block/zram0
allow vendor_qti_init_shell block_device:dir r_dir_perms;
allow vendor_qti_init_shell swap_block_device:blk_file rw_file_perms;
#For configfs permission
allow vendor_qti_init_shell configfs:dir r_dir_perms;
allow vendor_qti_init_shell configfs:file rw_file_perms;
#Allow /sys access to write zram disksize
allow vendor_qti_init_shell sysfs_zram:dir r_dir_perms;
allow vendor_qti_init_shell sysfs_zram:file rw_file_perms;
# To get GPU frequencies and set attributes
allow vendor_qti_init_shell vendor_sysfs_kgsl:file { r_file_perms setattr };
allow vendor_qti_init_shell proc:file r_file_perms;
allow vendor_qti_init_shell rootfs:file r_file_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:file create_file_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:file create_file_perms;
set_prop(vendor_qti_init_shell, vendor_ctl_vendor_hbtp_prop)
# rules for vm_bms
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:dir r_dir_perms;
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:file rw_file_perms;
allow vendor_qti_init_shell vendor_sysfs_battery_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usb_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usbpd_device:file setattr;
allow vendor_qti_init_shell sysfs_devices_system_cpu:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_msm_power:file rw_file_perms;
allow vendor_qti_init_shell vendor_msm_irqbalanced_exec:file getattr;
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_wifi_prop)
# To read /proc/meminfo
allow vendor_qti_init_shell proc_meminfo:file r_file_perms;
allow vendor_qti_init_shell vendor_sysfs_suspend:file w_file_perms;
# Set ro.vendor.qti.soc_id to soc_id in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_id_prop);
# Set ro.vendor.qti.soc_name to soc_name in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_name_prop);
# Get persist.console.silent.config for kernel console log level
get_prop(vendor_qti_init_shell, vendor_console_log_level_prop)
set_prop(vendor_qti_init_shell,vendor_dcvs_prop)

39
generic/vendor/common/ioctl_defines vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# socket ioctls
define(`RMNET_IOCTL_EXTENDED', `0x000089FD')
# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
#mmc ioctls defined in the kernel in include/uapi/linux/mmc/ioctl.h
define(`MMC_IOC_MULTI_CMD', `0xc008b301')

93
generic/vendor/common/ioctl_macros vendored
View File

@@ -1,93 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
define(`gpu_ioctls', `{
IOCTL_KGSL_DEVICE_GETPROPERTY
IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID
IOCTL_KGSL_DRAWCTXT_CREATE
IOCTL_KGSL_DRAWCTXT_DESTROY
IOCTL_KGSL_MAP_USER_MEM
IOCTL_KGSL_SHAREDMEM_FREE
IOCTL_KGSL_SETPROPERTY
IOCTL_KGSL_TIMESTAMP_EVENT
IOCTL_KGSL_PERFCOUNTER_GET
IOCTL_KGSL_PERFCOUNTER_PUT
IOCTL_KGSL_SYNCSOURCE_CREATE
IOCTL_KGSL_SYNCSOURCE_DESTROY
IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE
IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE
IOCTL_KGSL_GPUOBJ_ALLOC
IOCTL_KGSL_GPUOBJ_FREE
IOCTL_KGSL_GPUOBJ_INFO
IOCTL_KGSL_GPUOBJ_IMPORT
IOCTL_KGSL_GPUOBJ_SYNC
IOCTL_KGSL_GPU_COMMAND
}')
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
define(`msm_sock_qrtr_ioctls', `{
TIOCOUTQ
}')
define(`rmnet_sock_ioctls', `{
SIOCDEVPRIVATE_1
SIOCDEVPRIVATE_2
SIOCDEVPRIVATE_3
SIOCDEVPRIVATE_4
SIOCDEVPRIVATE_5
SIOCDEVPRIVATE_6
SIOCDEVPRIVATE_7
SIOCDEVPRIVATE_8
SIOCDEVPRIVATE_9
SIOCDEVPRIVATE_A
SIOCDEVPRIVATE_B
SIOCDEVPRIVATE_C
SIOCDEVPRIVATE_D
}')
define(`wlan_sock_ioctls', `{
SIOCSIWPRIV
SIOCIWFIRSTPRIV_15
}')
define(`lowi_server_ioctls', `{
SIOCGIFINDEX
SIOCGIFHWADDR
SIOCGIFFLAGS
SIOCIWFIRSTPRIV_05
SIOCIWFIRSTPRIV_11
SIOCIWFIRSTPRIV_13
SIOCDEVPRIVATE_1
}')

69
generic/vendor/common/ipacm.te vendored
View File

@@ -1,69 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# General definitions
type vendor_ipacm, domain;
type vendor_ipacm-diag, domain;
type vendor_ipacm_exec, exec_type, vendor_file_type, file_type;
type vendor_ipacm-diag_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ipacm)
init_daemon_domain(vendor_ipacm-diag)
# associate netdomain to use for accessing internet sockets
net_domain(vendor_ipacm)
hal_server_domain(vendor_ipacm, hal_tetheroffload)
userdebug_or_eng(`
# Allow using the logging file between vendor_ipacm and vendor_ipacm-diag
unix_socket_send(vendor_ipacm, vendor_ipacm, vendor_ipacm-diag)
')
# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
allow hal_tetheroffload vendor_ipa_dev:chr_file rw_file_perms;
# Allow UDP socket create and ioctl
allow hal_tetheroffload self:udp_socket create_socket_perms;
allowxperm vendor_ipacm self:udp_socket ioctl SIOCGIFNAME;
# Allow receiving NETLINK messages
allow hal_tetheroffload self:netlink_route_socket { nlmsg_read nlmsg_readpriv create_socket_perms_no_ioctl };
# Allow receiving NETLINK messages
allow hal_tetheroffload self:{
netlink_socket
# Allow querying the network stack via IOCTLs
netlink_generic_socket
} create_socket_perms_no_ioctl;
# Allow creating and modifying the PID file
allow hal_tetheroffload vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload vendor_ipa_vendor_data_file:file create_file_perms;
# To register vendor_ipacm to hwbinder
#add_hwservice(vendor_ipacm, hal_vendor_ipacm_hwservice)
#binder_call(vendor_ipacm, system_server)

33
generic/vendor/common/irsc_util.te vendored
View File

@@ -1,33 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_irsc_util, domain;
type vendor_irsc_util_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_irsc_util)
allow vendor_irsc_util self:socket create_socket_perms;
allowxperm vendor_irsc_util self:socket ioctl msm_sock_ipc_ioctls;

43
generic/vendor/common/kernel.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# for diag over socket
userdebug_or_eng(`
allow kernel self:socket create;
allow kernel self:qipcrtr_socket create;
allow kernel vendor_debugfs_wlan:dir search;
allow kernel vendor_debugfs_ipc:dir search;
allow kernel debugfs_mmc:dir search;
')
# Access firmware_file
r_dir_file(kernel, firmware_file)
# access vendor_firmware_file
r_dir_file(kernel, vendor_firmware_file)
dontaudit kernel kernel:system module_request;

99
generic/vendor/common/location.te vendored
View File

@@ -1,99 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
# loc_launcher service
# which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location
type vendor_location, domain;
type vendor_location_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_location)
allow vendor_location self:capability { setgid setuid };
hwbinder_use(vendor_location)
get_prop(vendor_location, hwservicemanager_prop)
get_prop(vendor_location, vendor_cnd_prop)
#xtra-daemon access to qcc properties
get_prop(vendor_location, vendor_qcc_prop)
allow vendor_location fwk_sensor_hwservice:hwservice_manager find;
binder_call(vendor_location, system_server)
binder_call(vendor_location, vendor_cnd)
# Enable standard network access (for XTRA download)
net_domain(vendor_location)
# required for xtra-daemon, slim-daemon.
allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl;
dontaudit vendor_location kernel:system module_request;
# execute permission for vendor_location daemons in /vendor/bin/
allow vendor_location vendor_location_exec:file rx_file_perms;
# /data/vendor/vendor_location
allow vendor_location vendor_location_data_file:dir create_dir_perms;
allow vendor_location vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_location vendor_location_socket:sock_file create_file_perms;
allow vendor_location vendor_location_socket:dir rw_dir_perms;
allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;
# permission for read execute vendor_location daemons in userdebug mode.
userdebug_or_eng(`
allow shell vendor_location_exec:file rx_file_perms;
')
## lowi-server
##############
# some additional network access
allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_location self:netlink_socket create_socket_perms_no_ioctl;
allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls;
allow vendor_location hal_wifi:unix_stream_socket { read write };
# /data/vendor/wifi
allow vendor_location vendor_wifi_vendor_data_file:dir search;
# /data/vendor/wifi/wpa
allow vendor_location wpa_data_file:dir rw_dir_perms;
allow vendor_location wpa_data_file:sock_file create_file_perms;
allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;
# /dev/socket/wifihal
allow vendor_location vendor_wifihal_socket:dir search;
unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default);
## xtra-daemon
##############
allow vendor_location {vendor_hal_cacert_hwservice vendor_hal_datafactory_hwservice vendor_hal_cne_hwservice}:hwservice_manager find;
binder_call(vendor_location, vendor_qtidataservices_app)

74
generic/vendor/common/mdm_helper.te vendored
View File

@@ -1,74 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Policy for vendor_mdm_helper
#vendor_mdm_helper - vendor_mdm_helper domain
type vendor_mdm_helper, domain;
type vendor_mdm_helper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_mdm_helper);
#block_suspend capability is needed by kickstart(ks)
wakelock_use(vendor_mdm_helper)
#Needed to power on the peripheral
allow vendor_mdm_helper vendor_ssr_device:chr_file r_file_perms;
#Needed to access the esoc device to control the mdm
allow vendor_mdm_helper vendor_esoc_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_esoc_device:chr_file rw_file_perms;
#Needed in order to run kickstart
allow vendor_mdm_helper vendor_shell_exec:file rx_file_perms;
allow vendor_mdm_helper vendor_mdm_helper_exec :file x_file_perms;
#Rampdump config
#
# User variant
# Probe for write access to vendor tombstones as the
# presense of tombstones on subsystem does not correlate
# to Android user/userdebug config
allow vendor_mdm_helper vendor_tombstone_data_file:dir r_dir_perms;
dontaudit vendor_mdm_helper vendor_tombstone_data_file:dir write;
# Userdebug/eng variant
userdebug_or_eng(`
allow vendor_mdm_helper vendor_tombstone_data_file:dir create_dir_perms;
allow vendor_mdm_helper vendor_tombstone_data_file:file create_file_perms;
')
#Ramdump config END
#Needed to kill its own forked process on efs sync
allow vendor_mdm_helper self:capability kill;
#Needed by ks in order to access the efs sync partitions.
allow vendor_mdm_helper block_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_efs_boot_dev:blk_file rw_file_perms;
#Needed in order to access the firmware partition
r_dir_file(vendor_mdm_helper, firmware_file)
#Needed to allow boot over PCIe
allow vendor_mdm_helper vendor_mhi_device:chr_file rw_file_perms;

39
generic/vendor/common/mediacodec.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow mediacodec system_file:dir r_dir_perms;
userdebug_or_eng(`
allow mediacodec dumpstate:fd use;
')
#Allow mediacodec to access vendor_media_data_file files
allow mediacodec vendor_media_data_file:dir create_dir_perms;
allow mediacodec vendor_media_data_file:file create_file_perms;
#Allow mediacodec to access configstore
hal_client_domain(mediacodec, vendor_hal_capabilityconfigstore_qti)
#allow mediacodec to read adsprpc_prop
get_prop(mediacodec, vendor_adsprpc_prop)

40
generic/vendor/common/msm_irqbalanced.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_msm_irqbalanced, domain;
type vendor_msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_msm_irqbalanced)
allow vendor_msm_irqbalanced cgroup:dir { create add_name };
allow vendor_msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
# access smp_affinity
allow vendor_msm_irqbalanced proc:file r_file_perms;
allow vendor_msm_irqbalanced proc_interrupts:file r_file_perms;
allow vendor_msm_irqbalanced proc_stat:file r_file_perms;
# irq_blacklist_on
allow vendor_msm_irqbalanced vendor_sysfs_irqbalance:file r_file_perms;

Some files were not shown because too many files have changed in this diff Show More