Delete not needed te files

Change-Id: If5d48ea45f10cd880b76497581f30c6c5acad0e2
Sridhar Parasuram
2018-01-23 14:08:55 -08:00
parent dd0edaa506
commit 168d612523
160 changed files with 1 additions and 6315 deletions


@@ -4,15 +4,9 @@ LOCAL_PATH:= $(call my-dir)
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
$(LOCAL_PATH) \
$(LOCAL_PATH)/vendor/common \
$(LOCAL_PATH)/vendor/ssg \
$(LOCAL_PATH)/vendor \
$(LOCAL_PATH)/$(TARGET_BOARD_PLATFORM)
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += \
$(LOCAL_PATH)/vendor/test
endif
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(LOCAL_PATH)/public
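Review bot: Listing `$(LOCAL_PATH)/vendor` in `BOARD_SEPOLICY_DIRS` in place of `vendor/common` and `vendor/ssg` may drop policy from the build, because as far as I know the sepolicy makefiles pick up only the files directly inside each listed directory and do not recurse; this assumes `$(LOCAL_PATH)/vendor \` is the one added line, since the page has lost its +/- markers. It is worth confirming that nothing remains under those subdirectories after the deletions, and that no surviving rule references a type that was declared only in a deleted file. The `ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))` guard around `vendor/test` also appears to be removed, so any test-only policy that ends up in `vendor/` is built for user variants unless it is wrapped in `userdebug_or_eng()` itself. I would add a comment above the list: `# vendor/ is built for every variant; keep debug-only rules inside userdebug_or_eng()`.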


@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow appdomain persist_dpm_prop:file r_file_perms;
unix_socket_send(appdomain, seempdw, seempd)


@@ -1,33 +0,0 @@
# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Define seemplog device
type seemplog_device, dev_type;
#Define smd7 device
type smd7_device, dev_type;


@@ -1,68 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute dpmd coredomain;
typeattribute dpmd mlstrustedsubject;
type dpmd_exec, exec_type, file_type;
init_daemon_domain(dpmd)
net_domain(dpmd)
allow dpmd {
dpmd_exec
system_file
}:file x_file_perms;
allow dpmd dpmd_data_file:file create_file_perms;
allow dpmd dpmd_data_file:dir create_dir_perms;
r_dir_file(dpmd,proc_net)
allow dpmd self:capability {
setuid
net_raw
net_admin
};
allow dpmd appdomain:dir r_dir_perms;
allow dpmd appdomain:file r_file_perms;
wakelock_use(dpmd)
allow dpmd shell_exec:file rx_file_perms;
dontaudit dpmd self:capability sys_module;
set_prop(dpmd, persist_dpm_prop)
get_prop(dpmd, persist_dpm_prop)
#allow dpmd to create socket
allow dpmd self:socket create_socket_perms_no_ioctl;
allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
dpmd_socket_perm(priv_app)
dpmd_socket_perm(system_server)
dpmd_socket_perm(system_app)
dpmd_socket_perm(untrusted_app)
dpmd_socket_perm(untrusted_app_25)
dpmd_socket_perm(platform_app)
#allow dpmd to write to /proc/net/sys
allow dpmd proc_net:file write;


@@ -1,40 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type dun-server_exec, exec_type, file_type;
typeattribute dun-server bluetoothdomain;
typeattribute dun-server coredomain;
allow bluetooth dun-server:unix_stream_socket connectto;
allow dun-server {
serial_device
smd7_device
}:chr_file rw_file_perms;
init_daemon_domain(dun-server)
bluetooth_domain(dun-server)


@@ -1,34 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')


@@ -1,35 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
define(`msm_sock_ipc_ioctls_system', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')


@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow priv_app dpmtcm_socket:sock_file w_file_perms;
allow priv_app dpmwrapper_socket:sock_file w_file_perms;
allow priv_app dpmd:unix_stream_socket connectto;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
persist.vendor.dpm. u:object_r:persist_dpm_prop:s0


@@ -1,95 +0,0 @@
# Copyright (c) 2015,2017 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#as the exec is defined in file_context it is hitting build
# error in user build so moving out of the macro
type qti-testscripts_exec, exec_type, file_type;
userdebug_or_eng(`
typeattribute qti-testscripts coredomain;
permissive qti-testscripts;
init_daemon_domain(qti-testscripts)
#this is shell scripts and need /system/bin/sh
allow qti-testscripts shell_exec:file rx_file_perms;
#super_user - start
# Add qti-testscripts to various domains
net_domain(qti-testscripts)
dontaudit qti-testscripts self:capability_class_set *;
dontaudit qti-testscripts kernel:security *;
dontaudit qti-testscripts kernel:system *;
dontaudit qti-testscripts self:memprotect *;
dontaudit qti-testscripts domain:process *;
dontaudit qti-testscripts domain:fd *;
dontaudit qti-testscripts domain:dir *;
dontaudit qti-testscripts domain:lnk_file *;
dontaudit qti-testscripts domain:{ fifo_file file } *;
dontaudit qti-testscripts domain:socket_class_set *;
dontaudit qti-testscripts domain:ipc_class_set *;
dontaudit qti-testscripts domain:key *;
dontaudit qti-testscripts fs_type:filesystem *;
dontaudit qti-testscripts {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit qti-testscripts node_type:node *;
dontaudit qti-testscripts node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit qti-testscripts netif_type:netif *;
dontaudit qti-testscripts port_type:socket_class_set *;
dontaudit qti-testscripts port_type:{ tcp_socket dccp_socket } *;
dontaudit qti-testscripts domain:peer *;
dontaudit qti-testscripts domain:binder *;
dontaudit qti-testscripts property_type:property_service *;
dontaudit qti-testscripts property_type:file *;
dontaudit qti-testscripts service_manager_type:service_manager *;
dontaudit qti-testscripts keystore:keystore_key *;
# dontaudit qti-testscripts domain:debuggerd *;
dontaudit qti-testscripts domain:drmservice *;
dontaudit qti-testscripts unlabeled:filesystem *;
#super_user - end
#Added below rule in same file to keep all debug policies
#under one common file.
# All domains can read proc enrty of qti-testscripts
# r_dir_file(domain, qti-testscripts)
# r_dir_file(qti-testscripts, domain)
# allow adbd qti-testscripts:process dyntransition;
#allow { domain -mediaextractor -mediacodec } qti-testscripts:unix_stream_socket connectto;
allow domain qti-testscripts:fd use;
allow { domain -mediaextractor -mediacodec -hal_configstore_server } qti-testscripts:unix_stream_socket { getattr getopt read write shutdown };
# binder_call({ domain -init -netd }, qti-testscripts)
allow domain qti-testscripts:fifo_file { write getattr };
allow domain qti-testscripts:process sigchld;
binder_use(qti-testscripts)
allow platform_app qti-testscripts:unix_stream_socket { read write connectto};
allow system_app qti-testscripts:unix_stream_socket { read write connectto};
allow system_server qti-testscripts:binder { transfer call };
allow untrusted_app_25 qti-testscripts:binder { transfer call };
allow priv_app qti-testscripts:binder { transfer call };
allow surfaceflinger qti-testscripts:binder { transfer call };
allow system_server qti-testscripts:fifo_file read;
')


@@ -1,88 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute qvrd coredomain;
typeattribute qvrd mlstrustedsubject;
type qvrd_exec, exec_type, file_type;
init_daemon_domain(qvrd)
#
# General
#
# Allow interracting with qvrd directory
allow qvrd qvrd_data_file:dir create_dir_perms;
allow qvrd qvrd_data_file:file create_file_perms;
#Allow hardware binder use
hwbinder_use(qvrd)
get_prop(qvrd, hwservicemanager_prop)
# Allow access to our socket
allow qvrd qvrd_socket:sock_file rw_file_perms;
#
# Sensors
#
# Allow access to adsprpcd
allow qvrd system_file:dir read;
# Allow access to sensor1 API
allow qvrd self:socket create_socket_perms_no_ioctl;
#
# Display
#
# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
allow qvrd graphics_device:dir r_dir_perms;
allow qvrd graphics_device:chr_file rw_file_perms;
#
# Graphics
#
#Allow hal graphics mapper permissions
hal_client_domain(qvrd, hal_graphics_composer);
#Allow hal graphics allocator permissions
hal_client_domain(qvrd, hal_graphics_allocator);
#
# Scheduler
#
allow qvrd self:capability { sys_nice };
userdebug_or_eng(`
allow qvrd su:process setsched;
')
allow qvrd appdomain:process setsched;
# whitelisting ioctlcmd c302
allowxperm qvrd self:socket ioctl msm_sock_ipc_ioctls_system;
allow qvrd self:socket ioctl;


@@ -1,2 +0,0 @@
#add new domain for DataServices
user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file


@@ -1,69 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type seempd, domain, mlstrustedsubject, coredomain;
type seempd_exec, exec_type, file_type;
init_daemon_domain(seempd)
allow seempd tee_device:chr_file rw_file_perms;
allow seempd seemplog_device:chr_file rw_file_perms;
#TODO: create the dir from init.rc instead.
allow seempd seemp_data_file:dir create_dir_perms;
allow seempd seemp_data_file:{ file fifo_file } create_file_perms;
# allow seempd to load firmware images
#r_dir_file(seempd, firmware_file)
#allow access to packages.list
allow seempd system_data_file:file r_file_perms;
#allow binder calls
binder_use(seempd)
binder_call(seempd, system_server)
binder_call(seempd, appdomain)
binder_call(seempd, smcinvoke_daemon)
allow seempd MinkBinderSvc:service_manager { find };
#for seemp
allow seempd seemp_service:service_manager { find add };
allow seempd self:binder call;
allow seempd ion_device:chr_file r_file_perms;
#for package verifier
allow seempd { apk_data_file apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow seempd { apk_data_file apk_tmp_file apk_private_tmp_file }:file r_file_perms;
allow seempd storage_file:dir r_dir_perms;
allow seempd storage_file:lnk_file r_file_perms;
allow seempd mnt_user_file:dir r_dir_perms;
allow seempd mnt_user_file:lnk_file r_file_perms;
allow seempd fuse:dir r_dir_perms;
allow seempd fuse:file r_file_perms;
#for read network state data
allow seempd proc_net:file r_file_perms;


@@ -1,46 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type smcinvoke_daemon, domain, coredomain;
type smcinvoke_daemon_exec, exec_type, file_type;
init_daemon_domain(smcinvoke_daemon)
#Allow smcinvoke_daemon to use Binder IPC
binder_use(smcinvoke_daemon)
#Allow apps to interact with smcinvoke_daemon
binder_call(smcinvoke_daemon, system_app)
#Mark smcinvoke_daemon as a Binder service domain
binder_service(smcinvoke_daemon)
#Allow access to smcinvoke device
allow smcinvoke_daemon smcinvoke_device:chr_file rw_file_perms;
add_service(smcinvoke_daemon, MinkBinderSvc)
allow smcinvoke_daemon system_app:unix_stream_socket connectto;


@@ -1,39 +0,0 @@
# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# access to seemp folder
allow system_app seemp_data_file:dir r_dir_perms;
allow system_app seemp_data_file:{ file fifo_file } rw_file_perms;
binder_call(system_app, seempd)
allow system_app dpmtcm_socket:sock_file w_file_perms;
allow system_app dpmwrapper_socket:sock_file w_file_perms;
allow system_app dpmd:unix_stream_socket connectto;
allow system_app color_service:service_manager add;
# allow system_app to interact with smcinvoke daemon
binder_call(system_app, smcinvoke_daemon)


@@ -1,35 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#####################################
# dpmd_socket_perm(clientdomain)
# allow dpmd to use inet socket created by app.
define(`dpmd_socket_perm', `
allow dpmd $1:fd use;
allow dpmd $1:tcp_socket rw_socket_perms;
')
#####################################


@@ -1,36 +0,0 @@
# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
unix_socket_connect(untrusted_app,dpmtcm, dpmd);
allow untrusted_app dpmtcm_socket:sock_file w_file_perms;
allow untrusted_app dpmwrapper_socket:sock_file w_file_perms;
allow untrusted_app dpmd:unix_stream_socket connectto;
userdebug_or_eng(`
r_dir_file(untrusted_app, seemp_data_file)
allow untrusted_app seemp_data_file: file w_file_perms;
')


@@ -1,32 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
unix_socket_connect(untrusted_app_25,dpmtcm, dpmd);
allow untrusted_app_25 dpmtcm_socket:sock_file w_file_perms;
allow untrusted_app_25 dpmwrapper_socket:sock_file w_file_perms;
allow untrusted_app_25 dpmd:unix_stream_socket connectto;
unix_socket_connect(untrusted_app_25, qvrd, qvrd);


@@ -1,128 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute wfdservice coredomain;
#Allow for transition from init domain to wfdservice
init_daemon_domain(wfdservice)
#Inherit base socket permissions from netd domain
net_domain(wfdservice)
#Allow wfdservice to use Binder IPC
binder_use(wfdservice)
#Allow for interaction with Display HAL
binder_call(wfdservice, surfaceflinger)
binder_call(surfaceflinger, wfdservice)
#Allow apps to interact with wfdservice
binder_call(wfdservice, platform_app)
binder_call(platform_app, wfdservice)
binder_call(wfdservice, system_app)
binder_call(system_app, wfdservice)
#Allow access to Audio Flinger APIs
binder_call(wfdservice, audioserver)
#Allow access to Permission Controller in System Server
binder_call(wfdservice, system_server)
# Mark wfdservice as a Binder service domain
binder_service(wfdservice)
#Allow wfdservice to be registered with service manager
allow wfdservice wfdservice_service:service_manager add;
#Allow access to PCM sound card
allow wfdservice audio_device:chr_file rw_file_perms;
allow wfdservice audio_device:dir r_dir_perms;
#Allow access to /dev/graphics/fb* for screen capture
allow wfdservice graphics_device:chr_file rw_file_perms;
#Allow access to encoder for YUV statistics
allow wfdservice gpu_device:chr_file rw_file_perms;
#Allow communication with init over property server
unix_socket_connect(wfdservice, property, init);
#Allow access to /dev/video/* devices for encoding/decoding
allow wfdservice video_device:chr_file rw_file_perms;
allow wfdservice video_device:dir r_dir_perms;
#Allow access to tee device for HDCP sessions
allow wfdservice tee_device:chr_file rw_file_perms;
#Allow access to uhid driver for HID event injection
allow wfdservice uhid_device:chr_file rw_file_perms;
#Allow PROT_EXEC for 3rd party library loaded by wfdservice
allow wfdservice self:process execmem;
userdebug_or_eng(`
#Allow access to read mmosal_logmask file in /data partition
allow wfdservice system_data_file:file r_file_perms;
#Allow access to dump encoder/decoder dumps in /data/misc/media
allow wfdservice media_data_file:dir w_dir_perms;
allow wfdservice media_data_file:file create_file_perms;
')
#Allow access to /data/media for dumping
allow wfdservice media_rw_data_file:dir create_dir_perms;
allow wfdservice media_rw_data_file:file create_file_perms;
allow wfdservice self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Allow access to input_device for touch input detection
allow wfdservice input_device:dir r_dir_perms;
allow wfdservice input_device:chr_file r_file_perms;
# Allow access to mediaserver, surfaceflinger and permissionmanager
# for interaction of wfdservice
allow wfdservice {audioserver_service permission_service surfaceflinger_service wfdservice_service}: service_manager find;
#Allow setting of net_admin capability so that libnl API's can be used
allow wfdservice self:capability net_admin;
#allow binder call to mediacodec from wfdservice
binder_call(wfdservice, mediacodec);
#Allow wfdservice to query interface name of network (p2p etc.)
allow wfdservice self:netlink_socket create_socket_perms_no_ioctl;
#Allow ion device access
allow wfdservice ion_device:chr_file r_file_perms;
#Allow udp socket ioctl
allow wfdservice self:udp_socket ioctl;
# ioctlcmd=8bff
allowxperm wfdservice self:udp_socket ioctl priv_sock_ioctls;
#Allow access to proc/net/arp
allow wfdservice proc_net:file r_file_perms;


@@ -1,28 +0,0 @@
# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
unix_socket_send(zygote, seempdw, seempd)


@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define smcinvoke device
type smcinvoke_device, dev_type;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type dpmd,domain;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type dun-server, domain;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type persist_dpm_prop, property_type;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
persist.dpm.feature u:object_r:persist_dpm_prop:s0


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type qtelephony, domain;


@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
type qti-testscripts, domain, mlstrustedsubject;
')


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type qvrd, domain;


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type wfdservice_service, service_manager_type;


@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type wfdservice, domain;
type wfdservice_exec, exec_type, file_type;

vendor/adbd.te vendored

@@ -1,8 +0,0 @@
allow adbd tombstone_data_file:dir getattr;
# allow read access for adb
r_dir_file(adbd, RIDL_data_file)
# allow read access for adb
r_dir_file(adbd, qti_logkit_priv_data_file)
r_dir_file(adbd, qti_logkit_pub_data_file)

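--- a/vendor/audiod.te
+++ b/vendor/audiod.te
@@ -1,9 +0,0 @@
-# audio daemon
-type audiod, domain;
-type audiod_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(audiod)
-allow audiod proc_audiod:file r_file_perms;
-allow audiod audio_device:chr_file rw_file_perms;
-#allow audiod audioserver_service:service_manager find;
-#binder_use(audiod)
-binder_call(audiod, audioserver)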

vendor/bg_daemon.te vendored

@@ -1,41 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#policy for bg daemon
type bg_daemon, domain;
type bg_daemon_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(bg_daemon)
#Needed to bg communication
allow bg_daemon bg_daemon_device:chr_file rw_file_perms;
#Needed to pil loading
allow bg_daemon ssr_device:chr_file r_file_perms;
allow bg_daemon self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
set_prop(bg_daemon, bg_daemon_prop)
set_prop(bg_daemon, bg_boot_complete_prop)


@@ -1,17 +0,0 @@
#integrated process
type charger_monitor, domain;
type charger_monitor_exec, exec_type, vendor_file_type, file_type;
#started by init
init_daemon_domain(charger_monitor)
#charger monitor will use uevent, visit sysfs and use the wake lock
allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
allow charger_monitor{
sysfs_wake_lock
sysfs_battery_supply
}:file rw_file_perms;
allow charger_monitor sysfs:file w_file_perms;
allow charger_monitor sysfs_battery_supply:dir r_dir_perms;
r_dir_file(charger_monitor, sysfs_usb_supply)

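--- a/vendor/dhcp.te
+++ b/vendor/dhcp.te
@@ -1 +0,0 @@
-#unix_socket_connect(dhcp, cnd, cnd)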

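--- a/vendor/dnsmasq.te
+++ b/vendor/dnsmasq.te
@@ -1,2 +0,0 @@
-# allow dnsmasq access to netd fifo_file
-allow dnsmasq netd:fifo_file getattr;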

vendor/dpmd.te vendored

@@ -1,83 +0,0 @@
#dpmd as domain
#type dpmd, domain, mlstrustedsubject;
#type dpmd_exec, exec_type, vendor_file_type, file_type;
#file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
#init_daemon_domain(dpmd)
#net_domain(dpmd)
#allow dpmd {
# dpmd_exec
# system_file
#}:file x_file_perms;
#allow dpmd to access dpm_data_file
#allow dpmd dpmd_data_file:file create_file_perms;
#allow dpmd dpmd_data_file:dir create_dir_perms;
allow dpmd persist_dpm_prop:file r_file_perms;
allow dpmd sysfs_wake_lock:file rw_file_perms;
allow dpmd sysfs_data:dir r_dir_perms;
allow dpmd sysfs_data:file r_file_perms;
#r_dir_file(dpmd,proc_net)
#allow dpmd self:capability {
# setuid
# setgid
# dac_override
# net_raw chown
# fsetid
# net_admin
# sys_module
#}; #Need to check on it . It was present earlier
#socket, self
allow dpmd smem_log_device:chr_file rw_file_perms;
#wakelock_use(dpmd) # it was present earlier
set_prop(dpmd, system_prop)
set_prop(dpmd, ctl_default_prop)
#misc.
#allow dpmd vendor_shell_exec:file rx_file_perms;
#permission to unlink dpmwrapper socket
#allow dpmd socket_device:dir remove_name;
#permission to communicate with cnd_socket for installing iptable rules
#unix_socket_connect(dpmd, cnd, cnd);
#allow dpmd to create socket
#allow dpmd self:socket create_socket_perms_no_ioctl;
#allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
#allow dpmd to write to /proc/net/sys
#allow dpmd proc_net:file write;
#allow dpmd get appname and use inet socket.
#dpmd_socket_perm(appdomain)
#dpmd_socket_perm(system_server)
#dpmd_socket_perm(mediaserver)
#dpmd_socket_perm(mtp)
#dpmd_socket_perm(wfdservice)
#dpmd_socket_perm(drmserver)
#dpmd_socket_perm(netd)
#explicitly allow udp socket permissions for appdomain
#allow dpmd appdomain:udp_socket rw_socket_perms;
#Allow dpmd to acquire lock for iptables
allow dpmd system_file:file lock;
#Allow dpmd to connect to hal_dpmQMiMgr
allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
get_prop(dpmd, hwservicemanager_prop)
binder_call(dpmd,hal_dpmQmiMgr)
hwbinder_use(dpmd)
#diag
userdebug_or_eng(`
diag_use(dpmd)
')


@@ -1,8 +0,0 @@
type dtsconfigurator, domain;
type dtsconfigurator_exec, exec_type, vendor_file_type, file_type;
#started by init
init_daemon_domain(dtsconfigurator)
allow dtsconfigurator audio_device:dir r_dir_perms;
allow dtsconfigurator audio_device:chr_file rw_file_perms;


@@ -1,22 +0,0 @@
type dtseagleservice, domain;
type dtseagleservice_exec, exec_type, vendor_file_type, file_type;
#Allow for transition from init domain to dtseagleservice
init_daemon_domain(dtseagleservice)
#Allow dtseagleservice to use Binder IPC
#binder_use(dtseagleservice)
#Allow dtseagleservice to interact with apps
binder_call(dtseagleservice, platform_app)
binder_call(dtseagleservice, system_app)
# Mark dtseagleservice as a Binder service domain
#binder_service(dtseagleservice)
#Allow dtseagleservice to be registered with service manager
allow dtseagleservice dtseagleservice_service:service_manager add;
#Allow access to audio drivers
allow dtseagleservice audio_device:dir r_dir_perms;
allow dtseagleservice audio_device:chr_file rw_file_perms;


@@ -1,16 +0,0 @@
type energyawareness, domain;
type energyawareness_exec, exec_type, vendor_file_type, file_type;
#started by init
init_daemon_domain(energyawareness)
#allow access to pta and uio interface
allow energyawareness { pta_device uio_device }:chr_file rw_file_perms;
allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow energyawareness self:capability net_admin;
allow energyawareness sysfs_ea:file w_file_perms;
r_dir_file(energyawareness, sysfs_ea)

56
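--- a/vendor/esepmdaemon.te
+++ b/vendor/esepmdaemon.te
@@ -1,56 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type esepmdaemon, domain;
-type esepmdaemon_exec, exec_type, vendor_file_type, file_type;
-#Allow for transition from init domain to esepmdaemon
-init_daemon_domain(esepmdaemon)
-#Allow esepmdaemon to use Binder IPC
-vndbinder_use(esepmdaemon)
-#Allow apps to interact with esepmdaemon
-binder_call(esepmdaemon, system_app)
-#Mark esepmdaemon as a Binder service domain
-#binder_service(esepmdaemon)
-#Allow esepmdaemon to be registered with service manager
-allow esepmdaemon esepmdaemon_service:service_manager add;
-#Allow access to nfc device
-allow esepmdaemon nfc_device:chr_file rw_file_perms;
-# Allow esepmdaemon to load firmware images
-r_dir_file(esepmdaemon, firmware_file);
-# Allow esepmdaemon to interract with ion_device
-allow esepmdaemon ion_device:chr_file r_file_perms;
-# Allow esepmdaemon to interract with qseecom
-allow esepmdaemon tee_device:chr_file rw_file_perms;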

27
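--- a/vendor/fidodaemon.te
+++ b/vendor/fidodaemon.te
@@ -1,27 +0,0 @@
-type fidodaemon, domain;
-type fidodaemon_exec, exec_type, vendor_file_type, file_type;
-#Allow for transition from init domain to fidodaemon
-init_daemon_domain(fidodaemon)
-#Allow fidodaemon to use Binder IPC
-#binder_use(fidodaemon)
-#Allow apps to interact with fidodaemon
-binder_call(fidodaemon, platform_app)
-binder_call(fidodaemon, system_app)
-#Mark fidodaemon as a Binder service domain
-#binder_service(fidodaemon)
-#Allow fidodaemon to be registered with service manager
-allow fidodaemon fidodaemon_service:service_manager add;
-#Allow communication with init over property server
-unix_socket_connect(fidodaemon, property, init);
-#Allow access to tee device
-allow fidodaemon tee_device:chr_file rw_file_perms;
-#Allow access to firmware
-r_dir_file(fidodaemon, firmware_file)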


@@ -1,30 +0,0 @@
# Copyright (c) 2015, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#==========================fingerprintd================================
allow fingerprintd iqfp_service:service_manager find;
binder_call(fingerprintd, qfp-daemon);

29
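--- a/vendor/fm.te
+++ b/vendor/fm.te
@@ -1,29 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type fm_qsoc_patches, domain;
-type fm_qsoc_patches_exec, exec_type, vendor_file_type, file_type;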

39
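--- a/vendor/fps_hal.te
+++ b/vendor/fps_hal.te
@@ -1,39 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#==========================fps_hal================================
-type fps_hal, domain;
-type fps_hal_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(fps_hal)
-#binder_use(fps_hal)
-#allow fps_hal iqfp_service:service_manager find;
-binder_call(fps_hal, system_server);
-binder_call(fps_hal, qfp-daemon);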

71
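--- a/vendor/fstman.te
+++ b/vendor/fstman.te
@@ -1,71 +0,0 @@
-# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type fstman, domain;
-type fstman_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(fstman)
-net_domain(fstman)
-# fstman requires special network privileges.
-# access traffic control (TC) for marking packets to identify from
-# which slave interface they arrive, drop multicast packets and
-# duplicate packets. This requires the net_raw capability.
-# network admin operations mainly on the bonding driver:
-# interface up/down, add/remove slave interfaces, set queue parameters
-# This requires the net_admin capability.
-allow fstman self:capability { net_admin net_raw };
-# netlink socket is used to access traffic control (TC)
-allow fstman self:netlink_route_socket nlmsg_write;
-# allow privileged socket operations: interface up/down, bond interface management
-allowxperm fstman self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCSIFTXQLEN SIOCBONDENSLAVE SIOCBONDRELEASE SIOCETHTOOL};
-# need access to bond0 sysfs in order to manage attached interfaces
-allow fstman sysfs_bond0:file rw_file_perms;
-# need access to wigig sysfs in order to control fst_link_loss
-allow fstman sysfs_wigig:file rw_file_perms;
-# create/read fstman configuration file (/data/vendor/wifi/fstman.ini)
-r_dir_file(fstman, wifi_vendor_data_file)
-allow fstman wifi_vendor_data_file:dir rw_dir_perms;
-allow fstman wifi_vendor_data_file:file create_file_perms;
-# fstman needs to communicate with wpa_supplicant and hostapd using socket
-# for managing FST state
-allow fstman { hal_wifi_supplicant hostapd }:unix_dgram_socket sendto;
-# supplicant interface sockets
-allow fstman wifi_vendor_wpa_socket:dir rw_dir_perms;
-allow fstman wifi_vendor_wpa_socket:sock_file create_file_perms;
-# supplicant global socket
-allow fstman wpa_socket:dir rw_dir_perms;
-allow fstman wpa_socket:sock_file create_file_perms;
-# hostapd global socket
-allow fstman wifi_vendor_hostapd_socket:dir rw_dir_perms;
-allow fstman wifi_vendor_hostapd_socket:sock_file create_file_perms;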

33
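--- a/vendor/gamed.te
+++ b/vendor/gamed.te
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# GAMED
-type gamed, domain;
-type gamed_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(gamed)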

33
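--- a/vendor/gatekeeper.te
+++ b/vendor/gatekeeper.te
@@ -1,33 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Allow interacting with esepmdaemon
-#allow gatekeeperd esepmdaemon_service:service_manager find;
-# Allow gatekeeper to bind to esepmdaemon
-#binder_call(gatekeeperd, esepmdaemon)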


@@ -1,33 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
binder_call(hal_alarm_qti_client, hal_alarm_qti_server)
binder_call(hal_alarm_qti_server, hal_alarm_qti_client)
add_hwservice(hal_alarm_qti_server, hal_alarm_qti_hwservice)
allow hal_alarm_qti_client hal_alarm_qti_hwservice:hwservice_manager find;


@@ -1,34 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type hal_alarm_qti_default, domain;
hal_server_domain(hal_alarm_qti_default, hal_alarm_qti)
type hal_alarm_qti_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_alarm_qti_default)
allow hal_alarm_qti_default rtc_device:chr_file r_file_perms;

59
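--- a/vendor/hal_audio.te
+++ b/vendor/hal_audio.te
@@ -1,59 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Allow hal_audio to read soundcard state under /proc/asound
-allow hal_audio proc_audiod:file r_file_perms;
-allow hal_audio_default audio_data_file:dir rw_dir_perms;
-allow hal_audio_default audio_data_file:file create_file_perms;
-# Allow hal_audio_default to read sysfs_thermal dir/files for speaker protection
-r_dir_file(hal_audio_default, sysfs_thermal)
-#Allow hal audio to use Binder IPC
-vndbinder_use(hal_audio)
-userdebug_or_eng(`
-diag_use(hal_audio)
-#Allow access to debug fs
-allow hal_audio_default debugfs:dir r_dir_perms;
-allow hal_audio_default qti_debugfs:dir r_dir_perms;
-allow hal_audio_default qti_debugfs:file rw_file_perms;
-')
-#Allow access to firmware
-allow hal_audio firmware_file:dir r_dir_perms;
-allow hal_audio firmware_file:file r_file_perms;
-#Split A2dp specific
-binder_call(hal_audio,bluetooth)
-#for perf hal call
-hal_client_domain(hal_audio_default, hal_perf)
-#allow acess to wcd_cpe
-allow hal_audio sysfs_audio:file rw_file_perms;
-allow hal_audio sysfs_audio:dir r_dir_perms ;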


@@ -1,30 +0,0 @@
# Copyright (c) 2017 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_bluetooth {
smd_device
}:chr_file rw_file_perms;


@@ -1,73 +0,0 @@
# Copyright (c) 2017 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type hal_bluetooth_qti, domain;
hal_server_domain(hal_bluetooth_qti, hal_bluetooth)
type hal_bluetooth_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_bluetooth_qti)
# Logging for backward compatibility
allow hal_bluetooth_qti bluetooth_data_file:dir ra_dir_perms;
allow hal_bluetooth_qti bluetooth_data_file:file create_file_perms;
r_dir_file(hal_bluetooth_qti, firmware_file)
allow hal_bluetooth {
serial_device
smd_device
}:chr_file rw_file_perms;
#For bluetooth firmware
r_dir_file(hal_bluetooth, bt_firmware_file)
allow hal_bluetooth persist_bluetooth_file:dir r_dir_perms;
allow hal_bluetooth persist_bluetooth_file:file r_file_perms;
r_dir_file(hal_bluetooth, persist_file)
#bt power node access
allow hal_bluetooth {
smd_device
bt_device
}:chr_file rw_file_perms;
#diag access
userdebug_or_eng(`
diag_use(hal_bluetooth)
')
userdebug_or_eng(`
allow hal_bluetooth proc_sysrq:file w_file_perms;
allow hal_bluetooth_qti qti_debugfs:file r_file_perms;
allow hal_bluetooth_qti qti_debugfs:dir rw_dir_perms;
')
allow system_app hal_bluetooth_hwservice :hwservice_manager find;
#FM IPC with BT/FM hal daemon
binder_call(system_app, hal_bluetooth);
binder_call(hal_bluetooth, system_app);


@@ -1,51 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Define domain
type hal_display_color_default, domain;
hal_server_domain(hal_display_color_default, hal_display_color)
type hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_display_color_default)
# Allow hwbinder call from hal client to server
binder_call(hal_display_color_client, hal_display_color_server)
# Add hwservice related rules
add_hwservice(hal_display_color_server, hal_display_color_hwservice)
allow hal_display_color_client hal_display_color_hwservice:hwservice_manager find;
# Rule for vndbinder usage
allow hal_display_color qdisplay_service:service_manager find;
vndbinder_use(hal_display_color);
binder_call(hal_display_color, hal_graphics_composer)
# Rule for pps socket usage
unix_socket_connect(hal_display_color, pps, mm-pp-daemon)
#Add rules for postproc hal
add_hwservice(hal_display_color_server, hal_display_postproc_hwservice)
allow hal_display_postproc_client hal_display_postproc_hwservice:hwservice_manager find;


@@ -1,67 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#dpmQmiMgr as domain
type hal_dpmQmiMgr, domain;
type hal_dpmQmiMgr_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_dpmQmiMgr)
net_domain(hal_dpmQmiMgr)
#Add hal_dpmQMiMgr as hwservice
add_hwservice(hal_dpmQmiMgr, hal_dpmqmi_hwservice)
#Allow hwbinder usage
hwbinder_use(hal_dpmQmiMgr)
#Allow to get hwservice_prop
get_prop(hal_dpmQmiMgr, hwservicemanager_prop)
#Allow binder call from dpmd
binder_call(hal_dpmQmiMgr,dpmd)
#sysfs_data file permissions
allow hal_dpmQmiMgr sysfs_data:file r_file_perms;
allow hal_dpmQmiMgr sysfs_ssr:file r_file_perms;
#Allow reading proc/net entries
r_dir_file(hal_dpmQmiMgr,proc_net)
#Allow creating socket and IOCTLs
allow hal_dpmQmiMgr self:socket create_socket_perms;
#Rules below are needed to communicate with IPC_ROUTER for QMI
allowxperm hal_dpmQmiMgr self:socket ioctl msm_sock_ipc_ioctls;
allow hal_dpmQmiMgr self:capability net_bind_service;
allow hal_dpmQmiMgr self:udp_socket create_socket_perms;
allowxperm hal_dpmQmiMgr self:udp_socket ioctl priv_sock_ioctls;
userdebug_or_eng(`
diag_use(hal_dpmQmiMgr)
')

33
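--- a/vendor/hal_drm.te
+++ b/vendor/hal_drm.te
@@ -1,33 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-vndbinder_use(hal_drm_default);
-#Allow firmware file access
-allow hal_drm firmware_file:dir r_dir_perms;
-allow hal_drm firmware_file:file r_file_perms;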


@@ -1,57 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type hal_esepowermanager_qti, domain;
hal_server_domain(hal_esepowermanager_qti, hal_esepowermanager)
type hal_esepowermanager_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(hal_esepowermanager_qti)
hwbinder_use(hal_esepowermanager_qti)
add_hwservice(hal_esepowermanager_qti, hal_esepowermanager_hwservice)
hal_client_domain(hal_esepowermanager_qti, hal_allocator)
#Allow access to nfc device
allow hal_esepowermanager_qti {
nfc_device
}:chr_file rw_file_perms;
# allow esepmdaemon to load firmware images
r_dir_file(hal_esepowermanager_qti, firmware_file)
# Allow esepmdaemon to interract with ion_device
allow hal_esepowermanager_qti ion_device:chr_file r_file_perms;
# Allow esepmdaemon to interract with qseecom
allow hal_esepowermanager_qti tee_device:chr_file rw_file_perms;
#Allow hal_esepowermanager_client client domain apps to find hwservice
binder_call(hal_esepowermanager_client, hal_esepowermanager_server)
binder_call(hal_esepowermanager_server, hal_esepowermanager_client)
allow hal_esepowermanager_client hal_esepowermanager_hwservice:hwservice_manager find;


@@ -1,89 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This should be using hw binder. Added now for smoother UI
#userdebug_or_eng(`
#binder_use(hal_graphics_composer)
#')
userdebug_or_eng(`
diag_use(hal_graphics_composer)
')
allow hal_graphics_composer sdm_idle_time_prop:file r_file_perms;
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow hal_graphics_composer sysfs_graphics:dir r_dir_perms;
allow hal_graphics_composer sysfs_graphics:file rw_file_perms;
# Rules for brightness change during display calibration
allow hal_graphics_composer sysfs_leds:dir r_dir_perms;
allow hal_graphics_composer sysfs_leds:file rw_file_perms;
allow hal_graphics_composer sysfs_leds:lnk_file read;
# Rules for vdnbinder
allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
#binder_service(hal_graphics_composer_default);
vndbinder_use(hal_graphics_composer_default);
# Allow video node access
allow hal_graphics_composer video_device:chr_file rw_file_perms;
allow hal_graphics_composer video_device:dir r_dir_perms;
# Allow reading/writing to '/data/vendor/display/*'
allow hal_graphics_composer display_misc_file:dir create_dir_perms;
allow hal_graphics_composer display_misc_file:file create_file_perms;
# Allow reading/writing to 'persist/display/*'
allow hal_graphics_composer persist_display_file:dir rw_dir_perms;
allow hal_graphics_composer persist_display_file:file create_file_perms;
# Allow only directory search to '/persist'
allow hal_graphics_composer persist_file:dir r_dir_perms;
# Allow dir search in '/oem'
allow hal_graphics_composer oemfs:dir r_dir_perms;
# Allow pps socket access
#unix_socket_connect(hal_graphics_composer, pps, mm-pp-daemon)
# TBD: remove when dependency on libpowermanager is removed
#allow hal_graphics_composer power_service:service_manager find;
# allow composer client to find display config service.
allow hal_display_config_client hal_display_config_hwservice:hwservice_manager find;
# allow composer to register display config
add_hwservice(hal_graphics_composer_server, hal_display_config_hwservice);
# Allow hwbinder call from hal client to server
binder_call(hal_display_config_client, hal_display_config_server)
# Allow composer access to perf
hal_client_domain(hal_graphics_composer_default, hal_perf)
# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
allow hal_graphics_composer graphics_device:dir r_dir_perms;


@@ -1,57 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type hal_iop_default, domain, mlstrustedsubject;
hal_server_domain(hal_iop_default, hal_iop)
type hal_iop_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_iop_default)
# Allow hwbinder call from hal client to server
binder_call(hal_iop_client, hal_iop_server)
# Add hwservice related rules
add_hwservice(hal_iop_server, hal_iop_hwservice)
allow hal_iop_client hal_iop_hwservice:hwservice_manager find;
# Allow access for /proc
allow hal_iop_default proc:file rw_file_perms;
#Allow Access for /data/vendor/iop
allow hal_iop iop_data_file:dir rw_dir_perms;
allow hal_iop iop_data_file:file create_file_perms;
#Allow access for /data/app
allow hal_iop_default app_data_file:dir r_dir_perms;
allow hal_iop_default app_data_file:file r_file_perms ;
allow hal_iop self:capability {
dac_override # for database operations
dac_read_search # For database operations
};


@@ -1,32 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# # Redistribution and use in source and binary forms, with or without
# # modification, are permitted provided that the following conditions are
# # met:
# # * Redistributions of source code must retain the above copyright
# # notice, this list of conditions and the following disclaimer.
# # * Redistributions in binary form must reproduce the above
# # copyright notice, this list of conditions and the following
# # disclaimer in the documentation and/or other materials provided
# # with the distribution.
# # * Neither the name of The Linux Foundation nor the names of its
# # contributors may be used to endorse or promote products derived
# # from this software without specific prior written permission.
# #
# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#debugfs access to audio
userdebug_or_eng(`
allow hal_memtrack_default qti_debugfs:dir r_dir_perms;
allow hal_memtrack_default qti_debugfs:file rw_file_perms;
')

33
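--- a/vendor/hal_nfc.te
+++ b/vendor/hal_nfc.te
@@ -1,33 +0,0 @@
-#Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Set NFC properties
-set_prop(hal_nfc, nfc_nq_prop)
-#Allow access to firmware
-allow hal_nfc firmware_file:dir r_dir_perms;
-allow hal_nfc firmware_file:file r_file_perms;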

31
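--- a/vendor/hal_power.te
+++ b/vendor/hal_power.te
@@ -1,31 +0,0 @@
-# Copyright (c) 2017 The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-hal_client_domain(hal_power_default, hal_perf)
-allow hal_power {
-hbtp_kernel_sysfs
-}:file rw_file_perms;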


@@ -1,64 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#define the type
type hal_qteeconnector_qti, domain;
#mark the type as hal_server_domain
hal_server_domain(hal_qteeconnector_qti, hal_qteeconnector)
#allow the service to be started by init
type hal_qteeconnector_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(hal_qteeconnector_qti)
#allow the service to be added to hwservice list
add_hwservice(hal_qteeconnector_qti, hal_qteeconnector_hwservice)
#allow access to hal_allocator
hal_client_domain(hal_qteeconnector_qti, hal_allocator)
#allow access to ion device
allow hal_qteeconnector ion_device:chr_file rw_file_perms;
#Allow access to tee device
allow hal_qteeconnector_qti tee_device:chr_file rw_file_perms;
#Allow access to firmware
allow hal_qteeconnector firmware_file:dir r_dir_perms;
allow hal_qteeconnector firmware_file:file r_file_perms;
#Allow access to session files
allow hal_qteeconnector data_qtee_file:dir create_dir_perms;
allow hal_qteeconnector data_qtee_file:file create_file_perms;
#Allow access to qp_reqcancel socket
allow hal_qteeconnector tee:unix_dgram_socket sendto;
#Allow hal_qteeconnector client domain apps to find hwservice
binder_call(hal_qteeconnector_client, hal_qteeconnector_server)
binder_call(hal_qteeconnector_server, hal_qteeconnector_client)
allow hal_qteeconnector_client hal_qteeconnector_hwservice:hwservice_manager find;

53
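--- a/vendor/hal_sensors.te
+++ b/vendor/hal_sensors.te
@@ -1,53 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-userdebug_or_eng(`
-diag_use(hal_sensors)
-allow hal_sensors debugfs_tracing:file { open write };
-')
-allow hal_sensors persist_file:dir r_dir_perms;
-allow hal_sensors self:socket create_socket_perms;
-allowxperm hal_sensors self:socket ioctl msm_sock_ipc_ioctls;
-allow hal_sensors sysfs_socinfo:file r_file_perms;
-allow hal_sensors sensors_persist_file:dir create_dir_perms;
-allow hal_sensors sensors_persist_file:file create_file_perms;
-allow hal_sensors sysfs_data:file r_file_perms;
-# Allow access to ion memory allocation device
-allow hal_sensors ion_device:chr_file rw_file_perms;
-allow hal_sensors hal_graphics_allocator:fd use;
-# Allow access to FastRPC
-allow hal_sensors qdsp_device:chr_file r_file_perms;
-allow hal_sensors sysfs_sensors:dir r_dir_perms;
-allow hal_sensors sysfs_sensors:file rw_file_perms;
-allow hal_sensors sysfs_sensors:lnk_file read;
-allow hal_sensors input_device:dir r_dir_perms;
-allow hal_sensors input_device:chr_file r_file_perms;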


@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_vibrator, sysfs_leds)
allow hal_vibrator sysfs_leds:file w_file_perms;


@@ -1,44 +0,0 @@
# Copyright (c) 2017 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# IPC
binder_call(hal_voiceprint_client, hal_voiceprint_server)
binder_call(hal_voiceprint_server, hal_voiceprint_client)
add_hwservice(hal_voiceprint_server, hal_voiceprint_hwservice)
allow hal_voiceprint_client hal_voiceprint_hwservice:hwservice_manager find;
# read dir
allow hal_voiceprint qvop-daemon_data_file: file create_file_perms;
# r/w/u contents
allow hal_voiceprint qvop-daemon_data_file: dir rw_dir_perms;
# memory alloc
allow hal_voiceprint ion_device:chr_file r_file_perms;
r_dir_file(hal_voiceprint, cgroup)


@@ -1,28 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
unix_socket_connect(hal_vr, thermal, thermal-engine)

35
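--- a/vendor/hal_wifi.te
+++ b/vendor/hal_wifi.te
@@ -1,35 +0,0 @@
-#Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#
-allow hal_wifi wlan_device:chr_file rw_file_perms;
-allow hal_wifi self:capability sys_module;
-allow hal_wifi kernel:key search;
-allow hal_wifi vendor_file:system module_load;
-not_full_treble(`allow hal_wifi system_file:system module_load';)
-allow hal_wifi proc_modules:file r_file_perms;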

59
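--- a/vendor/hostapd.te
+++ b/vendor/hostapd.te
@@ -1,59 +0,0 @@
-# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# Allow hostapd_cli to work. hostapd_cli creates a socket in
-# /data/misc/wifi/sockets which hostapd communicates with.
-userdebug_or_eng(`
-unix_socket_send(hostapd, wifi_vendor_wpa, su)
-')
-binder_call(hostapd, cnd)
-unix_socket_connect(hostapd, cnd, cnd)
-unix_socket_send(hostapd, cnd, cnd)
-allow hostapd cnd:{
-fifo_file
-netlink_route_socket
-netlink_tcpdiag_socket
-unix_stream_socket} { read write };
-allow hostapd cnd:fifo_file r_file_perms;
-allow hostapd smem_log_device:chr_file rw_file_perms;
-allow hostapd fstman:unix_dgram_socket sendto;
-allow hostapd wifi_vendor_data_file:dir w_dir_perms;
-allow hostapd wifi_vendor_data_file:file create_file_perms;
-allow hostapd wifi_vendor_hostapd_socket:dir w_dir_perms;
-allow hostapd wifi_vendor_hostapd_socket:sock_file create_file_perms;
-# wigig_hostapd has its own directory for sockets,
-# in order to prevent conflicts with wifi hostapd
-# allow wigig_hostapd to create the directory holding its control socket
-allow hostapd wigig_hostapd_socket:dir create_dir_perms;
-# wigig_hostapd needs to create, bind to, read and write its control socket
-allow hostapd wigig_hostapd_socket:sock_file create_file_perms;
-# allow wigig_hostapd to send replies to wigighalsvc
-allow hostapd wigighalsvc:unix_dgram_socket sendto;
-# allow hostapd to attach to fstman socket
-allow hostapd wpa_socket:dir r_dir_perms;
-allow hostapd wpa_socket:sock_file rw_file_perms;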


@@ -1,35 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type imshelper_app, domain;
app_domain(imshelper_app);
unix_socket_connect(imshelper_app, ims, ims)
allow imshelper_app app_api_service:service_manager find;
allow qsee_svc_app imshelper_app_data_file:dir create_dir_perms;
allow qsee_svc_app imshelper_app_data_file:file create_file_perms;
allow imshelper_app system_app_data_file:dir { getattr search };

3
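--- a/vendor/installd.te
+++ b/vendor/installd.te
@@ -1,3 +0,0 @@
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :{ file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };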

2
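--- a/vendor/keystore.te
+++ b/vendor/keystore.te
@@ -1,2 +0,0 @@
-# Allow keystore to operate using qseecom_device
-allow keystore tee_device:chr_file rw_file_perms;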


@@ -1,33 +0,0 @@
type location_app, domain;
app_domain(location_app)
binder_use(location_app)
hal_client_domain(location_app, hal_gnss)
qmux_socket(location_app)
net_domain(location_app)
#Permissions for JDWP
userdebug_or_eng(`
allow location_app { adbd su }:unix_stream_socket connectto;
allow location_app mediaserver_service:service_manager find;
allow location_app audioserver_service:service_manager find;
diag_use(location_app)
')
allow location_app surfaceflinger_service:service_manager find;
allow location_app location_app_data_file:dir create_dir_perms;
allow location_app location_app_data_file:file create_file_perms ;
allow location_app location_data_file:dir rw_dir_perms;
allow location_app location_data_file:sock_file create_file_perms;
allow location_app self:socket create_socket_perms;
#allow location_app system_app_data_file:dir r_dir_perms;
allow location_app anr_data_file:dir rw_dir_perms;
allow location_app anr_data_file:file rw_file_perms;
allow location_app { app_api_service activity_service }:service_manager find;
# ioctlcmd=c302
allowxperm location_app self:socket ioctl msm_sock_ipc_ioctls;
allow location_app sysfs:file r_file_perms;
allow location_app sysfs_data:file r_file_perms;
get_prop(location_app, debug_gralloc_prop)
unix_socket_connect(location_app, dpmtcm, dpmd)

1
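--- a/vendor/logd.te
+++ b/vendor/logd.te
@@ -1 +0,0 @@
-r_dir_file(logd, location_app)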

43
vendor/logdumpd.te vendored

@@ -1,43 +0,0 @@
# Copyright (c) 2016, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type logdumpd, domain;
type logdumpd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(logdumpd)
# To set ctl property
set_prop(logdumpd, ctl_default_prop)
userdebug_or_eng(`
#logcat
#allow logdumpd logcat_exec:file entrypoint;
#read_logd( logdumpd );
#logdump partition access
allow logdumpd block_device:dir r_dir_perms;
allow logdumpd logdump_partition:blk_file rw_file_perms;
')

10
vendor/mcStarter.te vendored

@@ -1,10 +0,0 @@
# mobicore daemon
type mcStarter, domain;
type mcStarter_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mcStarter)
# Allow Mobicore to use qseecom services for loading the app
allow mcStarter tee_device:chr_file rw_file_perms;
# Allow Mobicore to access the firmware files
r_dir_file(mcStarter, firmware_file)

54
vendor/mdm_helper.te vendored

@@ -1,54 +0,0 @@
#Policy for mdm_helper
#mdm_helper - mdm_helper domain
type mdm_helper, domain;
type mdm_helper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mdm_helper);
#block_suspend capability is needed by kickstart(ks)
wakelock_use(mdm_helper)
#Needed to power on the peripheral
allow mdm_helper ssr_device:chr_file r_file_perms;
#Needed to access the esoc device to control the mdm
allow mdm_helper esoc_device:dir r_dir_perms;
allow mdm_helper esoc_device:chr_file rw_file_perms;
#Needed to detect presence of hsic bridge and to xfer images
allow mdm_helper ksbridgehsic_device:chr_file rw_file_perms;
#Needed to detect efs sync and for kickstart to run the efs sync server
allow mdm_helper efsbridgehsic_device:chr_file rw_file_perms;
#Needed for communication with the HSIC driver
r_dir_file(mdm_helper, sysfs_hsic)
allow mdm_helper sysfs_hsic:file w_file_perms;
#Needed by libmdmdetect to figure out the system configuration
r_dir_file(mdm_helper, sysfs_esoc)
#Needed by libmdmdetect to get system information regarding subsystems and to check their states
r_dir_file(mdm_helper, sysfs_ssr)
#Needed in order to run kickstart
allow mdm_helper shell:fd use;
allow mdm_helper vendor_shell_exec:file rx_file_perms;
allow mdm_helper { system_file mdm_helper_exec }:file x_file_perms;
#Needed by ks in order to access the efs sync partitions.
allow mdm_helper block_device:dir rw_dir_perms;
allow mdm_helper efs_boot_dev:blk_file rw_file_perms;
#Needed to inform the hsic driver that mdm has booted up
allow mdm_helper sysfs:file w_file_perms;
#Needed in order to access the firmware partition
r_dir_file(mdm_helper, firmware_file)
#Needed in order to collect ramdumps
allow mdm_helper tombstone_data_file:dir create_dir_perms;
allow mdm_helper tombstone_data_file:file create_file_perms;
#Needed to allow boot over PCIe
allow mdm_helper bhi_device:chr_file rw_file_perms;
allow mdm_helper mhi_device:chr_file rw_file_perms;

92
vendor/mdtp.te vendored

@@ -1,92 +0,0 @@
# Copyright (c) 2015, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type mdtpdaemon, domain;
type mdtpdaemon_exec, exec_type, vendor_file_type, file_type;
allow mdtpdaemon self:capability {
setuid
setgid
};
userdebug_or_eng(`
#Needed for kill(pid, 0) existance test
allow mdtpdaemon su:process signull;
allow mdtpdaemon self:capability kill;
diag_use(mdtpdaemon)
')
#Allow for transition from init domain to mdtpdaemon
init_daemon_domain(mdtpdaemon)
#Allow mdtpdaemon to use Binder IPC
#binder_use(mdtpdaemon)
#Mark mdtpdaemon as a Binder service domain
#binder_service(mdtpdaemon)
#Allow mdtpdaemon to be registered with service manager
#allow mdtpdaemon mdtpdaemon_service:service_manager { add find };
#Allow apps to interact with mdtpdaemon
binder_call(mdtpdaemon, platform_app)
#Allow access to firmware
r_dir_file(mdtpdaemon, firmware_file)
#Allow access to qsee directories
allow mdtpdaemon data_qsee_file:dir create_dir_perms;
allow mdtpdaemon data_qsee_file:file create_file_perms;
#Allow access to qsee fifos
allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
#Allow access to tee device
allow mdtpdaemon tee_device:chr_file rw_file_perms;
# Provide access to block devices
allow mdtpdaemon block_device:dir r_dir_perms;
allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
allow mdtpdaemon system_block_device:blk_file r_file_perms;
# Provide access to QTI Crypto driver for MDTP
# allow mdtpdaemon qce_device:chr_file rw_file_perms;
# Provide read access to all /system files for MDTP file-to-block-mapping
r_dir_file(mdtpdaemon, exec_type)
r_dir_file(mdtpdaemon, system_file)
# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
qmux_socket(mdtpdaemon);
allow mdtpdaemon self:socket create_socket_perms;
allowxperm mdtpdaemon self:socket ioctl msm_sock_ipc_ioctls;
# Provide tee ability to run executables in rootfs for MDTP
allow mdtpdaemon rootfs:file x_file_perms;
allow mdtpdaemon ion_device:chr_file r_file_perms;
allow mdtpdaemon sysfs:file r_file_perms;
allow mdtpdaemon sysfs_data:file r_file_perms;


@@ -1,37 +0,0 @@
# Copyright (c) 2015, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type mdtpservice_app, domain;
app_domain(mdtpservice_app)
binder_use(mdtpservice_app)
# allow mdtpservice_app to interact with proxy daemon
binder_call(mdtpservice_app, mdtpdaemon_service)
# file permissions
allow mdtpservice_app mdtp_svc_app_data_file:dir create_dir_perms;
allow mdtpservice_app mdtp_svc_app_data_file:file create_file_perms;

66
vendor/mediaserver.te vendored

@@ -1,66 +0,0 @@
# allow mediaserver to communicate with cnd
#unix_socket_connect(mediaserver, cnd, cnd)
#unix_socket_send(mediaserver, camera, mm-qcamerad)
allow mediaserver tee_device:chr_file rw_file_perms;
allow mediaserver qdsp_device:chr_file r_file_perms;
allow mediaserver self:socket create_socket_perms_no_ioctl;
binder_call(mediaserver, rild)
#qmux_socket(mediaserver)
allow mediaserver camera_data_file:sock_file w_file_perms;
userdebug_or_eng(`
allow mediaserver camera_data_file:dir rw_dir_perms;
allow mediaserver camera_data_file:file create_file_perms;
# Access to audio
allow mediaserver qti_debugfs:file rw_file_perms;
')
r_dir_file(mediaserver, sysfs_esoc)
#allow mediaserver system_app_data_file:file rw_file_perms;
# allow mediaserver to write DTS files
allow mediaserver dts_data_file:dir rw_dir_perms;
allow mediaserver dts_data_file:file create_file_perms;
# allow poweroffhandler to binder mediaserver
binder_call(mediaserver, poweroffhandler);
# for thermal sock files
#unix_socket_connect(mediaserver, thermal, thermal-engine)
#This is required for thermal sysfs access
r_dir_file(mediaserver, sysfs_thermal);
#allow mediaserver to communicate with timedaemon
#allow mediaserver time_daemon:unix_stream_socket connectto;
# Allow mediaserver to create socket files for audio arbitration
allow mediaserver audio_data_file:sock_file { create setattr unlink };
allow mediaserver audio_data_file:dir remove_name;
# Allow mediaserver to create audio pp files
allow mediaserver audio_pp_data_file:dir rw_dir_perms;
allow mediaserver audio_pp_data_file:file create_file_perms;
#Allow mediaserver to set camera properties
allow mediaserver camera_prop:property_service set;
#Allow mediaserver access mmi_data_file
allow mediaserver mmi_data_file:file r_file_perms;
#allow mediaserver to access wfdservice
binder_call(mediaserver, wfdservice)
#allow mediaserver to access adsprpcd
r_dir_file(mediaserver, adsprpcd_file);
# allow mediaserver to communicate with bootanim
binder_call(mediaserver, bootanim);
allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms;

36
vendor/mlid.te vendored

@@ -1,36 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# mlid - Mink-Lowi Interface daemon
type mlid, domain, mlstrustedsubject;
type mlid_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mlid)
# Allow access to location socket
allow mlid location_data_file:dir r_dir_perms;
unix_socket_connect(mlid, location, location)


@@ -1,77 +0,0 @@
type mm-pp-daemon, domain;
type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mm-pp-daemon)
#Need to use fb ioctls to communicate with kernel
allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
allow mm-pp-daemon graphics_device:dir r_dir_perms;
# Allow reading/writing to '/persist/display/*'
# The color config file is dynamically created
allow mm-pp-daemon persist_display_file:dir rw_dir_perms;
allow mm-pp-daemon persist_display_file:file create_file_perms;
# Allow for directory search only to '/persist'
allow mm-pp-daemon persist_file:dir search;
# Allow reading/writing data config files
allow mm-pp-daemon display_misc_file:dir create_dir_perms;
allow mm-pp-daemon display_misc_file:file create_file_perms;
# Allow read to sensor device and read/write to sensor socket
allow mm-pp-daemon sensors_device:chr_file r_file_perms;
allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
allow mm-pp-daemon sensors:unix_stream_socket connectto;
# Rule for IPC communication
allow mm-pp-daemon qdisplay_service:service_manager find;
vndbinder_use(mm-pp-daemon)
hal_client_domain(mm-pp-daemon, hal_graphics_composer)
allow mm-pp-daemon fwk_sensor_hwservice:hwservice_manager find;
# Allow service manager to find surface flinger service,
# sensorservice service, permission_service, and power service (for
# acquire wakelock)
#allow mm-pp-daemon { surfaceflinger_service sensorservice_service
# permission_service power_service }:service_manager find;
# Allow mm-pp-daemon to call binder for screen refresh
#binder_use(mm-pp-daemon)
binder_call(mm-pp-daemon, system_server)
userdebug_or_eng(`
# This allows pp-daemon to use shell commands to blank
# the display - it uses input keyevent to do this
allow mm-pp-daemon { vendor_shell_exec
#zygote_exec
}:file rx_file_perms;
allow mm-pp-daemon system_file:file x_file_perms;
allow mm-pp-daemon self:process ptrace;
# This allow pp-daemon access to diag
diag_use(mm-pp-daemon)
')
# Allow mm-pp-daemon to change the brightness
allow mm-pp-daemon sysfs_leds:dir r_dir_perms;
allow mm-pp-daemon sysfs_leds:file rw_file_perms;
allow mm-pp-daemon sysfs_leds:lnk_file read;
allow mm-pp-daemon sysfs_graphics:dir r_dir_perms;
allow mm-pp-daemon sysfs_graphics:file rw_file_perms;
allow mm-pp-daemon sysfs_data:file r_file_perms;
userdebug_or_eng(`
set_prop(mm-pp-daemon, debug_prop)
')
# Allow socket calls in pp-daemon
unix_socket_connect(mm-pp-daemon, pps, init)
allow mm-pp-daemon init:unix_stream_socket { listen accept };
# Allow connections between sensor manager and mm-pp-daemon
#allow mm-pp-daemon system_server:unix_stream_socket rw_socket_perms;
# access lcd-backlight
r_dir_file(mm-pp-daemon, sysfs_leds)

82
vendor/mm-qcamerad.te vendored

@@ -1,82 +0,0 @@
type mm-qcamerad, domain;
type mm-qcamerad_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mm-qcamerad)
#added to support EZTune for camera
userdebug_or_eng(`
allow mm-qcamerad qti_debugfs:dir r_dir_perms;
allow mm-qcamerad qti_debugfs:file read;
allow mm-qcamerad camera_data_file:file create_file_perms;
#allow mm-qcamerad self:tcp_socket create_stream_socket_perms;
allow mm-qcamerad node:tcp_socket node_bind;
# IMS use camera daemon to make VT call
allow mm-qcamerad port:tcp_socket name_bind;
allow mm-qcamerad self:tcp_socket { accept listen };
allow mm-qcamerad camera_data_file:file create_file_perms;
# mm-qcamerad needs to set persist.camera. property
set_prop(mm-qcamerad, camera_prop)
')
#Communicate with user land process through domain socket
#allow mm-qcamerad camera_socket:sock_file { create unlink write };
allow mm-qcamerad camera_socket:dir w_dir_perms;
unix_socket_connect(mm-qcamerad, sensors, sensors)
#Allow connections between sensor manager and mm-qcamerad
#allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
binder_call(mm-qcamerad, system_server);
#binder_use(mm-qcamerad);
allow mm-qcamerad self:socket create_socket_perms_no_ioctl;
allow mm-qcamerad persist_file:dir r_dir_perms;
allow mm-qcamerad sensors_persist_file:dir r_dir_perms;
allow mm-qcamerad sensors_persist_file:file r_file_perms;
allow mm-qcamerad self:process execmem;
# Interact with other media devices
allow mm-qcamerad video_device:dir r_dir_perms;
allow mm-qcamerad { gpu_device video_device sensors_device }:chr_file rw_file_perms;
allow mm-qcamerad { surfaceflinger mediaserver cameraserver hal_camera }:fd use;
allow mm-qcamerad camera_data_file:dir w_dir_perms;
#allow mm-qcamerad camera_data_file:sock_file { create unlink };
allow mm-qcamerad vendor_camera_data_file:dir w_dir_perms;
allow mm-qcamerad vendor_camera_data_file:sock_file { create unlink };
#Allows camera to call ADSP QDSP6 functionality
allow mm-qcamerad qdsp_device:chr_file rw_file_perms;
#Allows sensor service(running in camera daemon) to invoke service manager API
#allow mm-qcamerad sensorservice_service:service_manager find;
#allow mm-qcamerad to access /dsp
r_dir_file(mm-qcamerad, adsprpcd_file);
r_dir_file(mm-qcamerad, firmware_file)
allow mm-qcamerad graphics_device:dir r_dir_perms;
#Allow access to /dev/graphics/fb* for screen capture
allow mm-qcamerad graphics_device:chr_file rw_file_perms;
#Allow camera work normally in FFBM
binder_call(mm-qcamerad, mmi);
#Allow camera to access laser nodes
allow mm-qcamerad input_device:dir r_dir_perms;
allow mm-qcamerad input_device:chr_file r_file_perms;
allow mm-qcamerad sysfs:file rw_file_perms;
hal_client_domain(mm-qcamerad, hal_graphics_allocator)
allow mm-qcamerad ion_device:chr_file rw_file_perms;
# from sensors team
allow mm-qcamerad self:socket create_socket_perms;
allowxperm mm-qcamerad self:socket ioctl msm_sock_ipc_ioctls;
allow mm-qcamerad sysfs_data:file r_file_perms;

143
vendor/mmi.te vendored

@@ -1,143 +0,0 @@
#integrated process
type mmi, domain;
type mmi_exec, exec_type, vendor_file_type, file_type;
#started by init
init_daemon_domain(mmi)
#self capability
allow mmi self:socket create_socket_perms_no_ioctl;
allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
allow mmi self:udp_socket create_socket_perms_no_ioctl;
allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
allow mmi self:capability2 wake_alarm;
#For various devices
allow mmi sysfs:file w_file_perms;
allow mmi graphics_device:dir r_dir_perms;
allow mmi graphics_device:chr_file rw_file_perms;
allow mmi input_device:chr_file r_file_perms;
allow mmi input_device:dir r_dir_perms;
allow mmi nfc_device:chr_file rw_file_perms;
allow mmi vendor_shell_exec:file rx_file_perms;
wakelock_use(mmi)
#FTM_AP folder permissions
file_type_auto_trans(mmi, cache_file, mmi_data_file);
allow mmi mmi_data_file:dir rw_dir_perms;
allow mmi mmi_data_file:file create_file_perms;
#socket
allow mmi socket_device:dir w_dir_perms;
#allow mmi set system prop,sensor need write persist
set_prop(mmi, powerctl_prop)
allow mmi persist_file:dir r_dir_perms;
allow mmi sensors_persist_file:dir create_dir_perms;
allow mmi sensors_persist_file:file create_file_perms;
#wifi case
allow mmi system_file:file x_file_perms;
#allow mmi wpa_exec:file rx_file_perms;
allow mmi wcnss_service_exec:file rx_file_perms;
allow mmi kernel:key search;
allow mmi kernel:system module_request;
allow mmi vendor_toolbox_exec:file rx_file_perms;
allow mmi system_file:system module_load;
#audio case
allow mmi audio_device:dir r_dir_perms;
allow mmi audio_device:chr_file rw_file_perms;
#FM case
allow mmi fm_radio_device:chr_file r_file_perms;
allow mmi fm_data_file:file r_file_perms;
set_prop(mmi, fm_prop)
set_prop(mmi, ctl_default_prop)
#bluetooth case
allow mmi bluetooth_data_file:dir rw_dir_perms;
allow mmi bluetooth_data_file:file create_file_perms;
set_prop(mmi, bluetooth_prop)
allow mmi smd_device:chr_file rw_file_perms;
allow mmi persist_bluetooth_file:file r_file_perms;
allow mmi wcnss_filter:unix_stream_socket connectto;
#GPS case
allow mmi location_data_file:fifo_file create_file_perms;
allow mmi location_data_file:dir create_dir_perms;
allow mmi location_data_file:file create_file_perms;
allow mmi mmi_socket:sock_file create_file_perms;
type_transition mmi socket_device:sock_file mmi_socket;
allow mmi location_exec:file rx_file_perms;
allow mmi smem_log_device:chr_file rw_file_perms;
allow mmi ssr_device:chr_file r_file_perms;
#SD card case
allow mmi sd_device:blk_file rw_file_perms;
allow mmi block_device:blk_file getattr;
allow mmi block_device:dir r_dir_perms;
#camera
allow mmi video_device:chr_file rw_file_perms;
allow mmi camera_data_file:sock_file write;
allow mmi camera_data_file:dir r_dir_perms;
allow mmi mm-qcamerad:unix_dgram_socket sendto;
#nfc case
allow mmi nfc_data_file:dir rw_dir_perms;
allow mmi nfc_data_file:file create_file_perms;
#simcard
qmux_socket(mmi);
#allow mmi access chgdiabled prop
set_prop(mmi, chgdiabled_prop)
#Allow mmi operate on surfaceflinger
allow mmi surfaceflinger:fd use;
#allow mmi surfaceflinger_service:service_manager find;
#Allow mmi operate on graphics
hal_client_domain(mmi, hal_graphics_allocator);
#Allow mmi operate on hwservicemanager
hwbinder_use(hwservicemanager);
get_prop(mmi, hwservicemanager_prop);
#Allow mmi operate ion_device
allow mmi ion_device:chr_file r_file_perms;
#Allow mmi operate on graphics
hal_client_domain(mmi, hal_graphics_allocator);
#Allow mmi operate on hwservicemanager
hwbinder_use(hwservicemanager);
get_prop(mmi, hwservicemanager_prop);
#Allow mmi operate ion_device
allow mmi ion_device:chr_file r_file_perms;
#Allow mmi to use IPC
#binder_use(mmi)
binder_call(mmi,surfaceflinger)
#sensor cases
unix_socket_connect(mmi, sensors, sensors);
allow mmi sensors_device:chr_file r_file_perms;
#logcat
#domain_auto_trans(mmi, logcat_exec, logd);
#access kmsg device for logging
allow mmi kmsg_device:chr_file rw_file_perms;
#mmi test
unix_socket_connect(mmi, cnd, cnd);
unix_socket_connect(mmi, netmgrd, netmgrd);
net_domain(mmi);
#allow mmi access boot mode switch
set_prop(mmi, boot_mode_prop)
#diag
userdebug_or_eng(`
diag_use(mmi)
')

29
vendor/modprobe.te vendored

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# #
# # Redistribution and use in source and binary forms, with or without
# # modification, are permitted provided that the following conditions are
# # met:
# # * Redistributions of source code must retain the above copyright
# # notice, this list of conditions and the following disclaimer.
# # * Redistributions in binary form must reproduce the above
# # copyright notice, this list of conditions and the following
# # disclaimer in the documentation and/or other materials provided
# # with the distribution.
# # * Neither the name of The Linux Foundation nor the names of its
# # contributors may be used to endorse or promote products derived
# # from this software without specific prior written permission.
# #
# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# loading modules
allow modprobe kernel:key search;

44
vendor/mpdecision.te vendored

@@ -1,44 +0,0 @@
type mpdecision, domain, mlstrustedsubject;
type mpdecision_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mpdecision)
allow mpdecision {
sysfs_mpdecision
sysfs_devices_system_cpu
sysfs_cpu_online
}:file rw_file_perms;
#Allow mpdecision set cpu affinity
allow mpdecision kernel:process setsched;
#Allow writes to /dev/cpu_dma_latency
allow mpdecision self: {
netlink_kobject_uevent_socket
socket
} create_socket_perms_no_ioctl;
allow mpdecision device_latency:chr_file w_file_perms;
r_dir_file(mpdecision, sysfs_rqstats)
allow mpdecision sysfs_rqstats:file w_file_perms;
r_dir_file(mpdecision, sysfs_thermal)
allow mpdecision sysfs_thermal:file write;
#policies for mpctl
#mpctl socket
allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
allow mpdecision mpctl_socket:dir rw_dir_perms;
allow mpdecision mpctl_socket:sock_file create_file_perms;
allow mpdecision sysfs:file w_file_perms;
#default_values file
allow mpdecision mpctl_data_file:dir rw_dir_perms;
allow mpdecision mpctl_data_file:file create_file_perms;
#allow poll of system_server status
r_dir_file(mpdecision, system_server)
#mpdecision set properties
set_prop(mpdecision, mpdecision_prop)


@@ -1,16 +0,0 @@
type msm_irqbalanced, domain;
type msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(msm_irqbalanced)
allow msm_irqbalanced cgroup:dir { create add_name };
allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
allow msm_irqbalanced self:capability { setuid setgid dac_override };
r_dir_file(msm_irqbalanced, sysfs_rqstats);
# access smp_affinity
allow msm_irqbalanced proc:file r_file_perms;
allow msm_irqbalanced proc_interrupts:file r_file_perms;
allow msm_irqbalanced proc_stat:file r_file_perms;
# irq_blacklist_on
allow msm_irqbalanced sysfs_irqbalance:file r_file_perms;

5
vendor/net.te vendored

@@ -1,5 +0,0 @@
# allow netdomain access to cnd
#unix_socket_connect(netdomain, cnd, cnd)
# allow netdomain access to dpmd
#unix_socket_connect(netdomain, dpmwrapper, dpmd)

32
vendor/nfc.te vendored

@@ -1,32 +0,0 @@
#Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Set NFC properties
set_prop(nfc, nfc_nq_prop)
#qmux_socket(nfc);
#allow nfc nfc_data_file:file x_file_perms;
allow nfc self:socket create_socket_perms_no_ioctl;

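--- a/vendor/nqnfcinfo.te
+++ b/vendor/nqnfcinfo.te
@@ -1,39 +0,0 @@
-#Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type nqnfcinfo, domain;
-type nqnfcinfo_exec, exec_type, vendor_file_type, file_type;
-# Started by init
-init_daemon_domain(nqnfcinfo)
-r_dir_file(nqnfcinfo, sysfs_socinfo);
-set_prop(nqnfcinfo, nfc_nq_prop);
-# Access device nodes inside /dev/nq-nci
-allow nqnfcinfo nfc_device:chr_file rw_file_perms;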


@@ -1,32 +0,0 @@
# Policy for peripheral_manager
# per_mgr - peripheral_manager domain
type per_mgr, domain;
type per_mgr_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(per_mgr);
# Needed for binder transactions
use_per_mgr(per_mgr)
allow per_mgr per_mgr_service:service_manager { add };
allow per_mgr self:socket create_socket_perms;
allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
# Needed by ipc_router
allow per_mgr self:capability net_bind_service;
# Needed to power on the peripheral
allow per_mgr ssr_device:chr_file r_file_perms;
# Needed by libmdmdetect to figure out the system configuration
r_dir_file(per_mgr, sysfs_esoc)
# Needed by libmdmdetect to get subsystem info and to check their states
r_dir_file(per_mgr, sysfs_ssr)
r_dir_file(per_mgr, firmware_file)
r_dir_file(per_mgr, sysfs)
allow per_mgr sysfs_data:file r_file_perms;
# Set the peripheral state property
set_prop(per_mgr, per_mgr_state_prop);


@@ -1,50 +0,0 @@
# Copyright (c) 2016, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# poweroffhandler oneshot service
type poweroffhandler, domain;
type poweroffhandler_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(poweroffhandler)
#binder_use(poweroffhandler)
binder_call(poweroffhandler, surfaceflinger)
allow poweroffhandler gpu_device:chr_file rw_file_perms;
# /oem access
allow poweroffhandler oemfs:dir r_dir_perms;
allow poweroffhandler oemfs:file r_file_perms;
allow poweroffhandler audio_device:dir r_dir_perms;
allow poweroffhandler audio_device:chr_file rw_file_perms;
# For regionalization
allow poweroffhandler persist_file:dir r_dir_perms;
allow poweroffhandler regionalization_file:dir r_dir_perms;
allow poweroffhandler regionalization_file:file r_file_perms;
#allow poweroffhandler {surfaceflinger_service mediaserver_service}:service_manager find;
binder_call(poweroffhandler, mediaserver);

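--- a/vendor/ppp.te
+++ b/vendor/ppp.te
@@ -1,29 +0,0 @@
-#Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#* Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#* Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-#* Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# allow VPN connection via L2TP
-allow ppp mtp:unix_stream_socket rw_socket_perms;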

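--- a/vendor/qcomsysd.te
+++ b/vendor/qcomsysd.te
@@ -1,32 +0,0 @@
-#Policy file for qcom-system-daemon
-#qcomsysd = qcom-system-daemon domain
-type qcomsysd, domain;
-type qcomsysd_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(qcomsysd);
-#Needed for logging
-allow qcomsysd smem_log_device:chr_file rw_file_perms;
-#Needed to read/write cookies to the misc partition
-allow qcomsysd block_device:dir r_dir_perms;
-allow qcomsysd {
-#Needed to access the bootselect partition
-bootselect_device
-}:blk_file rw_file_perms;
-#Needed to get image info from socinfo
-r_dir_file(qcomsysd, sysfs_socinfo)
-allow qcomsysd sysfs_socinfo:file w_file_perms;
-allow qcomsysd self:capability { dac_override sys_boot };
-use_per_mgr(qcomsysd);
-#allow qcomsysd access boot mode switch
-set_prop(qcomsysd, boot_mode_prop);
-#diag
-userdebug_or_eng(`
-diag_use(qcomsysd)
-set_prop(qcomsysd, powerctl_prop)
-allow qcomsysd sysfs:file rw_file_perms;
-allow qcomsysd sysfs_data:file r_file_perms;
-')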

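--- a/vendor/qdma_app.te
+++ b/vendor/qdma_app.te
@@ -1,57 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type qdma_app, domain;
-app_domain(qdma_app)
-net_domain(qdma_app)
-binder_use(qdma_app)
-# read and write /data/data subdirectory.
-allow qdma_app qdma_app_data_file:dir create_dir_perms;
-allow qdma_app qdma_app_data_file:{ file lnk_file } create_file_perms;
-# allow invoking activity and access app content to qdma_app
-allow qdma_app { activity_service content_service }:service_manager find;
-# allow display service to qdma_app
-allow qdma_app { display_service }:service_manager find;
-# allow access to wifi and data network to qdma_app
-allow qdma_app { connectivity_service network_management_service }:service_manager find;
-# allow access telephony service info to qdma_app
-allow qdma_app { radio_service registry_service }:service_manager find;
-# allow acquire wakelock to qdma_app
-allow qdma_app { power_service }:service_manager find;
-# allow to load native library
-allow qdma_app { mount_service }:service_manager find;
-# allow access to qdma dropbox
-allow qdma_app qdma_data_file:dir create_dir_perms;
-allow qdma_app qdma_data_file:file create_file_perms;
-allow qdma_app user_service:service_manager find;
-# allow access to socket
-unix_socket_connect(qdma_app, dpmtcm, dpmd)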

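--- a/vendor/qdmastatsd.te
+++ b/vendor/qdmastatsd.te
@@ -1,89 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-type qdmastatsd, domain, mlstrustedsubject;
-type qdmastatsd_exec, file_type, vendor_file_type, exec_type;
-init_daemon_domain(qdmastatsd)
-allow qdmastatsd qdma_data_file:file create_file_perms;
-allow qdmastatsd qdma_data_file:dir create_dir_perms;
-# access to /sys/class/power_supply/bms/charge_counter
-# access to /sys/class/power_supply/battery/capacity
-# access to /sys/class/power_supply/battery/status
-allow qdmastatsd sysfs_battery_supply:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_battery_supply:dir r_dir_perms;
-# /sys/class/kgsl/kgsl-3d0/gpu_busy_percentage
-# /sys/class/kgsl/kgsl-3d0/gpuclk
-# /sys/class/kgsl/kgsl-3d0/gpu_clock_stats
-# /sys/class/kgsl/kgsl-3d0/num_pwrlevels
-# /sys/class/kgsl/kgsl-3d0/gpu_available_frequencies
-allow qdmastatsd sysfs_kgsl:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_kgsl:dir r_dir_perms;
-# /sys/class/leds/lcd-backlight/brightness
-allow qdmastatsd sysfs_leds:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_leds:dir r_dir_perms;
-allow qdmastatsd sysfs_graphics:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_graphics:dir r_dir_perms;
-# access to /sys/devices/system/cpu/possible
-allow qdmastatsd sysfs_devices_system_cpu:file r_file_perms;
-allow qdmastatsd sysfs_devices_system_cpu:dir r_dir_perms;
-# access to /sys/module/lpm_stats/cpu%d/total_sleep_time_secs
-#allow qdmastatsd sysfs_lpm_stats:{file lnk_file} r_file_perms;
-#allow qdmastatsd sysfs_lpm_stats:dir r_dir_perms;
-# access to /sys/class/thermal/thermal_zone%d
-allow qdmastatsd sysfs_thermal:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_thermal:dir r_dir_perms;
-# access to /sys/power/wake_lock, wake_unlock
-allow qdmastatsd sysfs_wake_lock:file r_file_perms;
-allow qdmastatsd sysfs_wake_lock:dir r_dir_perms;
-# access to /proc/stat
-allow qdmastatsd proc_stat:file r_file_perms;
-allow qdmastatsd proc_stat:dir r_dir_perms;
-# access to /proc/net/xt_qtaguid/stats
-allow qdmastatsd proc_net:file r_file_perms;
-allow qdmastatsd proc_net:dir r_dir_perms;
-# access to /proc/<pid>/
-r_dir_file(qdmastatsd, domain);
-# qmi
-qmux_socket(qdmastatsd);
-allow qdmastatsd self:socket create_socket_perms;
-allowxperm qdmastatsd self:socket ioctl msm_sock_ipc_ioctls;
-# for dmesg
-#read_logd(qdmastatsd);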

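--- a/vendor/qfips.te
+++ b/vendor/qfips.te
@@ -1,7 +0,0 @@
-# add domain for qfintverify,
-#type qfips, domain;
-#domain_trans(init, rootfs, qfips)
-# Allow qfips read/write access to qce and rng devices.
-#allow qfips {qce_device rng_device}:chr_file rw_file_perms;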

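--- a/vendor/qfp-daemon.te
+++ b/vendor/qfp-daemon.te
@@ -1,69 +0,0 @@
-# Copyright (c) 2017 Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#qfp daemon for ultrasonic fingerprint sensor
-type qfp-daemon, domain;
-type qfp-daemon_exec, exec_type, vendor_file_type, file_type;
-hal_server_domain(qfp-daemon, hal_fingerprint)
-init_daemon_domain(qfp-daemon)
-#binder_call(qfp-daemon, servicemanager)
-binder_call(qfp-daemon, system_app)
-binder_call(qfp-daemon, fps_hal)
-#binder_use(qfp-daemon)
-allow qfp-daemon qfp-daemon_data_file:dir { rw_dir_perms setattr };
-allow qfp-daemon qfp-daemon_data_file:file create_file_perms;
-# Access to tee_device
-allow qfp-daemon tee_device:chr_file rw_file_perms;
-# Access QFP Android Proxy
-#allow qfp-daemon qfp_proxy_service:service_manager find;
-# Read system property
-allow qfp-daemon property_socket:sock_file write;
-# RW to device driver
-allow qfp-daemon qbt1000_device:chr_file rw_file_perms;
-# R dir perms for firmware dir
-r_dir_file(qfp-daemon, firmware_file)
-# R dir perms for persist qc_senseid dir
-r_dir_file(qfp-daemon, persist_file)
-r_dir_file(qfp-daemon, persist_qti_fp_file)
-# Allow listing input devices and sending input events
-allow qfp-daemon input_device:chr_file rw_file_perms;
-allow qfp-daemon input_device:dir r_dir_perms;
-#diag
-userdebug_or_eng(`
-diag_use(qfp-daemon)
-')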


@@ -1,39 +0,0 @@
# Copyright (c) 2015, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type qsee_svc_app, domain;
app_domain(qsee_svc_app)
# allow qsee_svc_app to interact with qteeconnector
hal_client_domain(qsee_svc_app, hal_qteeconnector)
# file permission
allow qsee_svc_app qsee_svc_app_data_file:dir create_dir_perms;
allow qsee_svc_app qsee_svc_app_data_file:file create_file_perms;
# allow service manager find
allow qsee_svc_app app_api_service:service_manager find;

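--- a/vendor/qseecomd.te
+++ b/vendor/qseecomd.te
@@ -1,86 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
-setuid
-setgid
-sys_admin
-chown
-dac_override
-sys_rawio
-};
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-# Need to figure out how many scsi generic devices are preset
-# before being able to identify which one is rpmb device
-allow tee device:dir r_dir_perms;
-allow tee sg_device:chr_file { rw_file_perms setattr };
-# Allow qseecom to qsee folder so that listeners can create
-# respective directories
-allow tee data_qsee_file:dir create_dir_perms;
-allow tee data_qsee_file:file create_file_perms;
-allow tee system_data_file:dir r_dir_perms;
-allow tee persist_file:dir r_dir_perms;
-r_dir_file(tee, persist_data_file)
-# Write to drm related pieces of persist partition
-allow tee persist_drm_file:dir create_dir_perms;
-allow tee persist_drm_file:file create_file_perms;
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-# allow tee to operate tee device
-allow tee tee_device:chr_file rw_file_perms;
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-# allow qseecom access to time domain
-allow tee time_daemon:unix_stream_socket connectto;
-# allow tee access for secure UI to work
-allow tee graphics_device:dir r_dir_perms;
-allow tee graphics_device:chr_file r_file_perms;
-#allow tee access for secure touch to work
-allow tee sysfs_securetouch:file rw_file_perms;
-#allow tee surfaceflinger_service : service_manager find;
-binder_call(tee, surfaceflinger)
-#binder_use(tee)
-#allow tee system_app:unix_dgram_socket sendto;
-unix_socket_connect(tee, property, init)
-set_prop(tee, system_prop);
-userdebug_or_eng(`
-allow tee su:unix_dgram_socket sendto;
-#allow tee shell_data_file:file rw_file_perms;
-#allow tee shell_data_file:dir search;
-')
-#allow access to qfp-daemon
-allow tee qfp-daemon_data_file:dir create_dir_perms;
-allow tee qfp-daemon_data_file:file create_file_perms;
-allow tee persist_qti_fp_file:dir create_dir_perms;
-allow tee persist_qti_fp_file:file create_file_perms;
-# Provide access to Q VoicePrint
-allow tee qvop-daemon_data_file:dir create_dir_perms;
-allow tee qvop-daemon_data_file:file create_file_perms;
-# Allow access to qsee_ipc_irq_spss device
-allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
-#allow access to fingerprintd data file
-allow tee fingerprintd_data_file:dir create_dir_perms;
-allow tee fingerprintd_data_file:file create_file_perms;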
