Merge "sepolicy : Upmerge changes."

This commit is contained in:
qctecmdr
2020-12-14 00:14:40 -08:00
committed by Gerrit - the friendly Code Review server
210 changed files with 2847 additions and 334 deletions


@@ -3,7 +3,8 @@ ifeq ($(call is-vendor-board-platform,QCOM),true)
SEPOLICY_PATH:= device/qcom/sepolicy
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/generic/public
$(SEPOLICY_PATH)/generic/public \
$(SEPOLICY_PATH)/generic/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
@@ -11,7 +12,8 @@ BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/qva/public
$(SEPOLICY_PATH)/qva/public \
$(SEPOLICY_PATH)/qva/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \


@@ -28,3 +28,5 @@
/data/misc/seemp(/.*)? u:object_r:vendor_seemp_data_file:s0
/(product|system/product)/etc/init\.qcom\.testscripts\.sh u:object_r:qti-testscripts_exec:s0
/storage/emulated(/.*)? u:object_r:media_rw_data_file:s0
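Review bot: The `/storage/emulated(/.*)?` entry on the last line labels a path that is normally a FUSE/sdcardfs mount point, where file labels come from the filesystem's mount context rather than from file_contexts, so this entry is probably inert at runtime — confirm what it is meant to achieve. If some domain needs emulated storage, the usual route is an allow rule on the existing storage label rather than relabeling the mount point. If the relabel is intentional, a one-line comment naming the consumer and why the mount context is insufficient would spare the next upmerge a guess.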


@@ -27,3 +27,9 @@
ro.vendor.qti.va_aosp.support u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.qti.va_odm.support u:object_r:vendor_exported_odm_prop:s0 exact bool
ro.vendor.perf.scroll_opt u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.perf.scroll_opt.heavy_app u:object_r:vendor_exported_system_prop:s0 exact int
ro.netflix.bsp_rev u:object_r:vendor_exported_system_prop:s0 exact string
# Beluga
ro.vendor.beluga. u:object_r:vendor_exported_system_prop:s0
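Review bot: `ro.vendor.beluga.` on the last line is a legacy trailing-dot prefix entry with no `exact`/`prefix` keyword and no type, while every other line in this hunk uses the `exact <type>` form, so none of the property type checks apply to it; write it explicitly as `ro.vendor.beluga. u:object_r:vendor_exported_system_prop:s0 prefix` (with a type if the values under the prefix are uniform). The `# Beluga` comment should also say what the namespace covers and who sets it, since a prefix rule admits any property beneath it.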


@@ -34,5 +34,11 @@ hwbinder_use(vendor_qtelephony);
get_prop(vendor_qtelephony, hwservicemanager_prop);
add_hwservice(vendor_qtelephony, vendor_hal_atfwd_hwservice);
userdebug_or_eng(`
hal_client_domain( vendor_qtelephony, vendor_hal_diaghal)
')
allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;
allow vendor_qtelephony system_api_service:service_manager find;
allow vendor_qtelephony app_api_service:service_manager find;
hal_client_domain(vendor_qtelephony, hal_telephony)
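Review bot: The `system_api_service:service_manager find` grant is broad for `vendor_qtelephony`, which seapp_contexts in this commit maps from `user=_app` packages: it lets the app discover every system-API binder service, not only the ones enumerated on the line above. As far as I recall core policy, the enumerated set `{ cameraserver_service ... audioserver_service }` is already covered by `app_api_service`, so either the enumerated line or the two attribute-wide lines are redundant; keeping the narrow enumeration and dropping the attribute grants is the safer choice unless a specific system-API service is needed, in which case name it. `hal_client_domain(vendor_qtelephony, hal_telephony)` also deserves a comment saying which of the three apps sharing this domain needs the telephony HAL.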


@@ -95,4 +95,6 @@ userdebug_or_eng(`
binder_call(platform_app, qti-testscripts)
binder_call(system_app, qti-testscripts)
# allow lmkd to kill tasks with positive oom_score_adj under memory pressure
allow lmkd qti-testscripts:process { setsched sigkill };
')


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,6 +24,6 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
rcs u:object_r:vendor_radio_service:s0
com.fingerprints.extension.IFingerprintNavigation u:object_r:vendor_fingerprint_service:s0
com.qualcomm.qti.uceservice u:object_r:vendor_imsuce_service:s0
hwbinder_use(radio)
allow radio mediaextractor_service:service_manager find;


@@ -28,3 +28,12 @@
#Add new domain for DataServices
# Needed for CNEService , uceShimService and other connectivity services
user=radio seinfo=platform name=.dataservices domain=vendor_dataservice_app type=radio_data_file
# AtFwd app
user=_app seinfo=platform name=com.qualcomm.telephony domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=vendor_qtelephony type=app_data_file levelFrom=all
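Review bot: Three unrelated apps (the AtFwd, ims and devicestatisticsservice entries) are all mapped into the single `vendor_qtelephony` domain, so each gets the union of that domain's permissions, yet only the ims entry requires `isPrivApp=true`; the same privileges are therefore reachable by a platform-signed package that is not a priv-app. Either give each app its own domain or make the requirement uniform (`isPrivApp=true` on all three) and state in the comment that the domain's rule set is the union of what the three apps need.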


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/(product|system/product)/bin/init\.qti\.display\.sh u:object_r:vendor_sys_qti_display_exec:s0


@@ -1,4 +1,4 @@
# Copyright (c) 2019 The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vendor.display.disable_rounded_corner u:object_r:vendor_display_notch_prop:s0
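Review bot: `vendor.display.disable_rounded_corner` is added without the `exact <type>` suffix that the property_contexts entries elsewhere in this commit use, so no type check is applied to the value; write `vendor.display.disable_rounded_corner u:object_r:vendor_display_notch_prop:s0 exact bool` if it is a boolean, or the matching type otherwise.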


@@ -0,0 +1,34 @@
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sys_qti_display_exec, system_file_type, exec_type, file_type;
userdebug_or_eng(`
typeattribute vendor_sys_qti_display coredomain;
init_daemon_domain(vendor_sys_qti_display)
set_prop(vendor_sys_qti_display, vendor_display_notch_prop)
')
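Review bot: `vendor_sys_qti_display_exec` is declared unconditionally, but `init_daemon_domain(vendor_sys_qti_display)` and the `coredomain` attribute sit inside `userdebug_or_eng`, so on user builds the script labeled by the new file_contexts entry (`/(product|system/product)/bin/init\.qti\.display\.sh`) carries an exec type with no domain transition and init will refuse to start the service. If the init service is itself userdebug-only that is harmless but should be said; otherwise move `init_daemon_domain` out of the macro. A header comment such as `# Debug-only display init script; the init service must be guarded by the same build condition` would make the intent explicit.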


@@ -36,3 +36,4 @@ allow vendor_systemhelper_app { activity_service trust_service surfaceflinger_se
allow vendor_systemhelper_app app_data_file:dir rw_dir_perms;
allow vendor_systemhelper_app thermal_service:service_manager find;
allow vendor_systemhelper_app vendor_perf_service:service_manager find;


@@ -28,7 +28,3 @@
attribute vendor_hal_systemhelper;
attribute vendor_hal_systemhelper_client;
attribute vendor_hal_systemhelper_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_display_notch_prop, property_type, extended_core_property_type;


@@ -0,0 +1,34 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sys_qti_display, domain, mlstrustedsubject;
#============= vendor_sys_qti_display ==============
userdebug_or_eng(`
allow vendor_sys_qti_display shell_exec:file rx_file_perms;
allow vendor_sys_qti_display toolbox_exec:file rx_file_perms;
')
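Review bot: `type vendor_sys_qti_display, domain, mlstrustedsubject;` grants the MLS-trusted attribute unconditionally to a domain whose only rules are inside `userdebug_or_eng` and which runs a shell script via `shell_exec`/`toolbox_exec`; `mlstrustedsubject` exempts the subject from MLS level constraints on everything it can reach, which is more than a display init script should need. Either justify the cross-level access in a comment or declare it as `type vendor_sys_qti_display, domain;`.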


@@ -1,4 +1,4 @@
# Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -59,3 +59,19 @@ attribute vendor_hal_capabilityconfigstore_qti_server;
attribute vendor_hal_dataconnection_qti;
attribute vendor_hal_dataconnection_qti_client;
attribute vendor_hal_dataconnection_qti_server;
attribute vendor_hal_embmssl;
attribute vendor_hal_embmssl_client;
attribute vendor_hal_embmssl_server;
attribute vendor_hal_dspmanager;
attribute vendor_hal_dspmanager_client;
attribute vendor_hal_dspmanager_server;
attribute vendor_hal_diaghal;
attribute vendor_hal_diaghal_client;
attribute vendor_hal_diaghal_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;


@@ -36,3 +36,5 @@ get_prop(appdomain, vendor_adsprpc_prop)
# Allow all apps to open and send ioctl to npu device
allow appdomain vendor_npu_device:chr_file r_file_perms;
dontaudit appdomain vendor_hal_qspmhal_hwservice:hwservice_manager find;


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,4 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_imsuce_service, service_manager_type;
attribute vendor_qmcs_file_type;


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -75,6 +75,7 @@ get_prop(vendor_cnd, hwservicemanager_prop)
binder_call(vendor_cnd, vendor_dataservice_app)
binder_call(vendor_cnd, vendor_qtidataservices_app)
binder_call(vendor_cnd, vendor_ims)
binder_call(vendor_cnd, vendor_ims_service)
binder_call(vendor_cnd, vendor_location)
r_dir_file(vendor_cnd, vendor_sysfs_ssr)


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -38,3 +38,5 @@ binder_call(vendor_dataservice_app, vendor_cnd)
binder_call(vendor_dataservice_app, vendor_hal_rcsservice)
hal_client_domain(vendor_dataservice_app , vendor_hal_perf)
# imsdaemon to bind with UceShimService.apk
binder_call(vendor_dataservice_app, vendor_ims_service)


@@ -66,3 +66,4 @@ type vendor_xbl_block_device, dev_type;
type vendor_uefi_block_device, dev_type;
type vendor_qce_device, dev_type;
type vendor_npu_device, dev_type;
type vendor_qmcs_block_device, dev_type;


@@ -57,5 +57,16 @@ neverallow {
-vold
} vendor_persist_type: { dir file } *;
allow { domain - isolated_app } vendor_sysfs_kgsl:dir search;
# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
allow { domain - isolated_app } vendor_sysfs_kgsl_gpubusy:file r_file_perms;
allow { domain - isolated_app } vendor_sysfs_kgsl_max_gpuclk:file r_file_perms;
allow { domain - isolated_app } vendor_sysfs_gpu_max_clock:file r_file_perms;
neverallow {
coredomain
-init
-ueventd
-hal_graphics_composer_default
} vendor_qmcs_file_type: { dir file } *;
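Review bot: The new `vendor_qmcs_file_type` neverallow exempts `hal_graphics_composer_default`, mirroring the shape of the persist neverallow above (which exempts vold) but without explanation; leaving a graphics composer free to be granted `{ dir file } *` on qmcs files looks like a copy of the wrong exception, so either add a comment stating why or remove it. The two identical `vendor_sysfs_kgsl_gpu_model` lines in this hunk also look like one context line and one added line, which would leave a duplicate rule on the new side. The `{ domain - isolated_app }` reads of gpubusy/max_gpuclk/gpu_max_clock expose GPU utilisation and clock state to every process; a comment naming the consumers that actually need them would justify the breadth.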

generic/vendor/common/dspservice.te vendored Normal file

@@ -0,0 +1,60 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Policy for DSP HAL service
type vendor_dspservice, domain;
type vendor_dspservice_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_dspservice)
# Allow permissions required for this HAL server to offer a
# HAL implementation of the specified type over HwBinder
hal_server_domain(vendor_dspservice, vendor_hal_dspmanager)
# Allow DSP clients to perform binder IPC to DSP HAL server
binder_call(vendor_hal_dspmanager_client, vendor_hal_dspmanager_server)
binder_call(vendor_hal_dspmanager_server, vendor_hal_dspmanager_client)
# Add dspservice to hwservice_manager and allow it to be discovered
hal_attribute_hwservice(vendor_hal_dspmanager, vendor_hal_dspmanager_hwservice)
# For reading dir/files on "/vendor/dsp"
r_dir_file(vendor_dspservice, adsprpcd_file)
# For reading "vendor.fastrpc." properties
get_prop(vendor_dspservice, vendor_adsprpc_prop)
# Allow access to adsprpc secure and non-secure devices
allow vendor_dspservice vendor_qdsp_device:chr_file r_file_perms;
allow vendor_dspservice vendor_xdsp_device:chr_file r_file_perms;
# Allow access to adsprpc ION device
allow vendor_dspservice ion_device:chr_file r_file_perms;
# Access to wakelock sysfs
wakelock_use(vendor_dspservice)

generic/vendor/common/embmssl_app.te vendored Normal file

@@ -0,0 +1,38 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_embmssl_app, domain;
app_domain(vendor_embmssl_app);
#============= vendor_embmssl_app ==============
net_domain(vendor_embmssl_app)
unix_socket_connect(vendor_embmssl_app, vendor_dpmtcm, vendor_dpmd)
allow vendor_embmssl_app { app_api_service radio_service }:service_manager find;
#allow embmssl app to access embmssl hal
hal_client_domain(vendor_embmssl_app, vendor_hal_embmssl);
hal_client_domain(vendor_embmssl_app, vendor_hal_perf);
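Review bot: `vendor_embmssl_app` is declared with `app_domain`, but the seapp_contexts hunk in this commit adds no entry for it, so unless one of the other changed files maps a package to this domain no app will ever run in it — confirm the mapping exists. Stylistically the macro calls are inconsistent: `app_domain(vendor_embmssl_app);` and the two `hal_client_domain(...)` lines end in `;` while `net_domain` and `unix_socket_connect` do not; drop the semicolons to match the rest of the tree. The `vendor_hal_perf` client grant would also benefit from a comment, since the existing one only explains the embmssl HAL.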


@@ -66,6 +66,9 @@ type vendor_sysfs_usbpd_device, sysfs_type, fs_type;
type vendor_sysfs_vadc_dev, sysfs_type, fs_type;
type vendor_sysfs_lcd, sysfs_type, fs_type;
type vendor_sysfs_adsp_ssr, sysfs_type, fs_type;
type vendor_sysfs_svm_neuron, sysfs_type, fs_type;
type vendor_sysfs_trusted_touch_enable, sysfs_type, fs_type;
type vendor_sysfs_trusted_touch_event, sysfs_type, fs_type;
type vendor_debugfs_clk, debugfs_type, fs_type;
type vendor_debugfs_ion, debugfs_type, fs_type;
@@ -84,6 +87,7 @@ type vendor_proc_audiod, fs_type, proc_type;
type vendor_proc_shs, fs_type, proc_type;
type vendor_qmuxd_socket, file_type;
type vendor_rild_socket, file_type;
type vendor_netmgrd_socket, file_type;
type vendor_port-bridge_socket, file_type;
type vendor_thermal_socket, file_type;
@@ -110,6 +114,7 @@ type vendor_location_data_file, file_type, data_file_type;
type vendor_audio_data_file, file_type, data_file_type;
type vendor_radio_data_file, file_type, data_file_type;
type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
type vendor_log_wifi_data_file, file_type, data_file_type;
# for mount /persist
typeattribute mnt_vendor_file vendor_persist_type;
type vendor_persist_file, file_type, vendor_persist_type;
@@ -139,6 +144,7 @@ type vendor_display_vendor_data_file, file_type, data_file_type;
type vendor_nfc_vendor_data_file, file_type, data_file_type;
type vendor_radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_pddump_data_file, file_type, data_file_type;
type vendor_modem_dump_file, file_type, data_file_type;
type vendor_sensors_vendor_data_file, file_type, data_file_type;
type vendor_port_bridge_data_file, file_type, data_file_type;
@@ -146,6 +152,9 @@ type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_firmware_file, vendor_file_type, file_type;
type vendor_mdmhelperdata_data_file, file_type, data_file_type;
type vendor_mbn_data_file, file_type, data_file_type;
type vendor_firmware_data_file, file_type, data_file_type;
type vendor_qmcs_file, file_type, vendor_qmcs_file_type;
allow { vendor_qmcs_file }self:filesystem associate;
#vendor capability configstore hal
type vendor_capabilityconfigstore_data_file, file_type, data_file_type;
@@ -207,4 +216,18 @@ type vendor_sysfs_suspend, fs_type, sysfs_type;
# kgsl gpu model file type for sysfs access
type vendor_sysfs_kgsl_gpu_model, sysfs_type, fs_type;
# kgsl max gpuclk file type for sysfs access
type vendor_sysfs_kgsl_max_gpuclk, sysfs_type, fs_type;
#gpu max clock file type for sysfs acces
type vendor_sysfs_gpu_max_clock, sysfs_type, fs_type;
type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;
type vendor_sysfs_kgsl_gpubusy, sysfs_type, fs_type;
type vendor_sysfs_devicetree_cpu, sysfs_type, fs_type;
type vendor_sysfs_devicetree_soc, sysfs_type, fs_type;
# for qfprom0 node access
type vendor_sysfs_qfprom, fs_type, sysfs_type;
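Review bot: `allow { vendor_qmcs_file }self:filesystem associate;` uses a one-element set with no space before `self`; the conventional form is `allow vendor_qmcs_file self:filesystem associate;`. The new `vendor_sysfs_kgsl_gpuclk`, `vendor_sysfs_kgsl_gpubusy`, `vendor_sysfs_svm_neuron` and `vendor_sysfs_trusted_touch_*` types have no comment saying which node they label, unlike the neighbouring kgsl types; one line each in the existing style would help. If the comment `#gpu max clock file type for sysfs acces` is part of this change, fix the typo to `access`.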


@@ -96,10 +96,10 @@
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/wlan u:object_r:vendor_wlan_device:s0
/dev/socket/qmux_radio(/.*)? u:object_r:vendor_qmuxd_socket:s0
/dev/socket/qcrild(/.*)? u:object_r:vendor_rild_socket:s0
/data/vendor/modem_config(/.*)? u:object_r:vendor_mbn_data_file:s0
/dev/socket/qdcmsocket u:object_r:vendor_qdcmsocket_socket:s0
/dev/qce u:object_r:vendor_qce_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
/dev/block/sda u:object_r:vendor_gpt_block_device:s0
@@ -119,6 +119,7 @@
/vendor/bin/ATFWD-daemon u:object_r:vendor_atfwd_exec:s0
/vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch u:object_r:hal_vr_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/hw/android.hardware.thermal@2.0-service.qti u:object_r:hal_thermal_default_exec:s0
/vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/sensors.qcom u:object_r:vendor_sensors_exec:s0
/vendor/bin/sensors.qti u:object_r:vendor_sensors_exec:s0
@@ -126,11 +127,14 @@
/vendor/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
/vendor/bin/pm-service u:object_r:vendor_per_mgr_exec:s0
/vendor/bin/pm-proxy u:object_r:vendor_per_proxy_exec:s0
/vendor/bin/vmmgr u:object_r:vendor_vm_mgr_exec:s0
/vendor/bin/qseecomd u:object_r:tee_exec:s0
/vendor/bin/keymasterd u:object_r:vendor_keymasterd_exec:s0
/vendor/bin/subsystem_ramdump u:object_r:vendor_subsystem_ramdump_exec:s0
/vendor/bin/adsprpcd u:object_r:vendor_adsprpcd_exec:s0
/vendor/bin/cdsprpcd u:object_r:vendor_cdsprpcd_exec:s0
/vendor/bin/audioadsprpcd u:object_r:vendor_audioadsprpcd_exec:s0
/vendor/bin/dspservice u:object_r:vendor_dspservice_exec:s0
/vendor/bin/irsc_util u:object_r:vendor_irsc_util_exec:s0
/vendor/bin/rmt_storage u:object_r:vendor_rmt_storage_exec:s0
/vendor/bin/tftp_server u:object_r:vendor_rfs_access_exec:s0
@@ -149,6 +153,7 @@
/vendor/bin/imsqmidaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/imsdatadaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/ims_rtp_daemon u:object_r:vendor_hal_imsrtp_exec:s0
/vendor/bin/imsdaemon u:object_r:vendor_ims_service_exec:s0
/vendor/bin/ipacm u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/ipacm-diag u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/cnd u:object_r:vendor_cnd_exec:s0
@@ -162,6 +167,7 @@
/vendor/bin/imsrcsd u:object_r:vendor_hal_rcsservice_exec:s0
/vendor/bin/tloc_daemon u:object_r:vendor_tlocd_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.2-service u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service u:object_r:hal_power_default_exec:s0
/vendor/bin/hw/qcrild u:object_r:rild_exec:s0
/vendor/bin/hw/qcrilNrd u:object_r:rild_exec:s0
@@ -170,6 +176,7 @@
/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/init\.qti\.keymaster\.sh u:object_r:vendor_init-qti-keymaster-sh_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:vendor_hal_gatekeeper_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:vendor_hal_gnss_qti_exec:s0
/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
@@ -182,6 +189,7 @@
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.display_boot\.sh u:object_r:qti_display_boot_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:vendor_hal_tui_comm_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:vendor_hal_qdutils_disp_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.trustedui@1\.0-service-qti u:object_r:vendor_hal_trustedui_qti_exec:s0
@@ -276,6 +284,7 @@
/vendor/lib(64)?/libcdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libsdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor.qti.hardware.dsp@1.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib/dsp/fastrpc_shell_0 u:object_r:same_process_hal_file:s0
# Fastcv libs
@@ -294,8 +303,10 @@
/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0
/data/vendor/radio(/.*)? u:object_r:vendor_radio_vendor_data_file:s0
/data/vendor/wifi/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_log_data_file:s0
/data/vendor/log/wifi(/.*)? u:object_r:vendor_log_wifi_data_file:s0
/data/vendor/ramdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/ssrdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/pddump(/.*)? u:object_r:vendor_pddump_data_file:s0
/data/vendor/modem_dump(/.*)? u:object_r:vendor_modem_dump_file:s0
/data/vendor/ipa(/.*)? u:object_r:vendor_ipa_vendor_data_file:s0
/data/vendor/sensors(/.*)? u:object_r:vendor_sensors_vendor_data_file:s0
@@ -307,6 +318,7 @@
/data/vendor/tzstorage(/.*)? u:object_r:vendor_data_tzstorage_file:s0
/data/vendor/tombstones(/.*)? u:object_r:vendor_tombstone_data_file:s0
/data/vendor/time(/.*)? u:object_r:vendor_time_data_file:s0
/data/vendor/firmware(/.*)? u:object_r:vendor_firmware_data_file:s0
/data/vendor/mdmhelperdata(/.*)? u:object_r:vendor_mdmhelperdata_data_file:s0
/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
@@ -331,6 +343,9 @@
/mnt/vendor/persist/audio(/.*)? u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/feature_enabler_client(/.*)? u:object_r:vendor_persist_feature_enabler_file:s0
# /qmcs
/mnt/vendor/qmcs(/.*)? u:object_r:vendor_qmcs_file:s0
# graphics device
/dev/mdss_rotator u:object_r:graphics_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
@@ -356,6 +371,7 @@
/(vendor|system/vendor)/bin/hbtp_daemon u:object_r:vendor_hbtp_exec:s0
/(vendor|system/vendor)/bin/sscrpcd u:object_r:vendor_sensors_exec:s0
/(vendor|system/vendor)/bin/lowirpcd u:object_r:vendor_lowirpcd_service_exec:s0
# vendor_sysfs_graphics
/sys/class/graphics/fb0/mdp/caps u:object_r:vendor_sysfs_graphics:s0
@@ -432,8 +448,13 @@
/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:vendor_sysfs_mmc_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/auto_hibern8 u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)? u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:vendor_sysfs_scsi_target:s0
# VM Neuron block device mapping node
/sys/devices/platform/soc/soc:qcom,svm_neuron_block/soc:qcom,svm_neuron_block:application/blk_name u:object_r:vendor_sysfs_svm_neuron:s0
/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:vendor_mediadrm_vendor_data_file:s0
/data/vendor/nnhal(/.*)? u:object_r:vendor_hal_neuralnetworks_data_file:s0
@@ -445,6 +466,8 @@
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:vendor_sysfs_kgsl_gpu_model:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:vendor_sysfs_kgsl_gpuclk:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk u:object_r:vendor_sysfs_kgsl_max_gpuclk:s0
/sys/devices/platform/soc/3d00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpubusy u:object_r:vendor_sysfs_kgsl_gpubusy:s0
/sys/devices/soc/[a-f0-9]+.ssusb/power_supply/usb(/.*)? u:object_r:vendor_sysfs_usb_supply:s0
@@ -453,9 +476,15 @@
/sys/devices/soc/qpnp-vadc-[0-9]+(/.*)? u:object_r:vendor_sysfs_vadc_dev:s0
# Files in /sys/kernel/gpu/
/sys/kernel/gpu/gpu_max_clock u:object_r:vendor_sysfs_gpu_max_clock:s0
#Android NN Driver
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:vendor_hal_neuralnetworks_default_exec:s0
#Light AIDL HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.qti u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/init\.class_main\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.crda\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.mdm\.sh u:object_r:vendor_qti_init_shell_exec:s0
@@ -485,3 +514,5 @@
/sys/module/msm_isense_cdsp/data u:object_r:sysfs_thermal:s0
/(vendor|system/vendor)/bin/vendor_modprobe\.sh u:object_r:vendor_modinstall-sh_exec:s0
/vendor/bin/embmsslServer u:object_r:vendor_hal_embmssl_qti_exec:s0
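Review bot: Several new regex entries leave `.` unescaped where the adjacent lines escape it: `/vendor/bin/hw/android.hardware.thermal@2.0-service.qti` and `/vendor/lib(64)?/vendor.qti.hardware.dsp@1.0\.so`; an unescaped dot matches any character, so write them as `android\.hardware\.thermal@2\.0-service\.qti` and `vendor\.qti\.hardware\.dsp@1\.0\.so` for exact matching and consistency. The gpubusy entry hardcodes the kgsl address (`/sys/devices/platform/soc/3d00000\.qcom,kgsl-3d0/...`) while the neighbouring gpu_model/gpuclk/max_gpuclk entries use `/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/...`, so it will only label the node on one SoC layout; use the same generic pattern.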


@@ -27,3 +27,5 @@
allow fsck vendor_persist_block_device:blk_file rw_file_perms;
allow fsck vendor_qmcs_block_device:blk_file rw_file_perms;
allowxperm fsck vendor_qmcs_block_device:blk_file ioctl { BLKGETSIZE };


@@ -94,6 +94,12 @@ genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb1 u:ob
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb2 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a600000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a800000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/sde-crtc-0/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/sde-crtc-1/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/sde-crtc-2/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/5e00000.qcom,mdss_mdp/drm/card0/sde-crtc-0/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/5e00000.qcom,mdss_mdp/drm/card0/sde-crtc-1/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/platform/soc/5e00000.qcom,mdss_mdp/drm/card0/sde-crtc-2/retire_frame_event u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /module/diagchar u:object_r:vendor_sysfs_diag:s0
@@ -119,12 +125,13 @@ genfscon sysfs /kernel/hbtp/display_pwr u:ob
genfscon sysfs /devices/virtual/net/bond0/bonding/queue_id u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /devices/virtual/net/bond0/queues/rx-0/rps_cpus u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /firmware/devicetree/base/cpus u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /firmware/devicetree/base/cpus u:object_r:vendor_sysfs_devicetree_cpu:s0
genfscon sysfs /bus/spmi/devices u:object_r:vendor_sysfs_spmi_dev:s0
genfscon sysfs /power/mem_sleep u:object_r:vendor_sysfs_suspend:s0
genfscon sysfs /kernel/boot_adsp/ssr u:object_r:vendor_sysfs_adsp_ssr:s0
genfscon sysfs /firmware/devicetree/base/soc u:object_r:vendor_sysfs_devicetree_soc:s0
genfscon debugfs /kgsl/proc u:object_r:vendor_debugfs_kgsl:s0
genfscon debugfs /clk/debug_suspend u:object_r:vendor_debugfs_clk:s0
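Review bot: Relabelling `/firmware/devicetree/base/cpus` from the core `sysfs_devices_system_cpu` type to the new `vendor_sysfs_devicetree_cpu` revokes access for every domain that reached that node through the core label, so the grants on the new type have to cover all current readers before this lands; the rendering does not show which of the two genfscon lines is the old one, but the vendor-prefixed one is presumably the replacement. A comment above the new line would record the intent, e.g. `# devicetree cpus node carries its own label so readers need not be granted all of sysfs_devices_system_cpu`. The six `retire_frame_event` entries for the two `mdss_mdp` addresses would also benefit from one comment naming the display controller variants they belong to.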


@@ -28,3 +28,5 @@
dontaudit gmscore_app vendor_hal_qspmhal_default:binder {call};
unix_socket_connect(gmscore_app, vendor_dpmtcm, vendor_dpmd);
dontaudit gmscore_app vendor_hal_qspmhal_hwservice:hwservice_manager find;
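Review bot: The new `dontaudit gmscore_app vendor_hal_qspmhal_hwservice:hwservice_manager find;` silences a denial without saying why the lookup is expected, and the `dontaudit ... :binder {call}` line above it has the same gap. A dontaudit suppresses logging rather than granting access, so a one-line rationale is what stops the next reader from turning it into an allow; something like `# gmscore_app probes for the QSPM HAL; the denial is expected and is suppressed, not granted` above the pair. Whether the two earlier lines are context or also new is not visible from this rendering.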


@@ -39,7 +39,7 @@ set_prop(hal_camera, vendor_camera_prop)
# ignore spurious denial
dontaudit hal_camera graphics_device:dir search;
allow hal_camera vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera vendor_camera_data_file:dir create_dir_perms;
allow hal_camera vendor_camera_data_file:file create_file_perms;
unix_socket_connect(hal_camera, vendor_thermal, vendor_thermal-engine)
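Review bot: Moving `vendor_camera_data_file:dir` from `rw_dir_perms` to `create_dir_perms` widens hal_camera's rights on that directory to creation, removal and rename of entries, and nothing in the hunk records why the camera HAL now needs more than read/write of an existing directory. The adjacent `create_file_perms` rule already covers file creation, so the extra directory permissions deserve the same kind of note the file uses for the `dontaudit` above it: one line stating what subdirectories the HAL creates or removes there. Which of the two `vendor_camera_data_file:dir` lines is the old one is not shown by this rendering.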


@@ -37,7 +37,7 @@ allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
#Allow access to smcinvoke device
allow vendor_hal_drm_widevine vendor_smcinvoke_device:chr_file rw_file_perms;
allow vendor_hal_drm_widevine tee_device:chr_file rw_file_perms;
# The QTI DRM-HAL implementation uses a vendor-binder service provided
# by the HWC HAL.
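Review bot: `allow vendor_hal_drm_widevine tee_device:chr_file rw_file_perms;` lands next to the smcinvoke grant but, unlike it, carries no comment, and direct TEE device access from a DRM HAL is the kind of rule a reviewer wants justified in the file. Add a line in the file's own style, `# Allow access to the TEE device for <reason>` with the actual consumer named. The hunk counts indicate one line removed and one added, but this rendering does not show which; if the smcinvoke rule is being replaced rather than kept, say so as well.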

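--- /dev/null
+++ b/generic/vendor/common/hal_embmssl.te
@@ -0,0 +1,50 @@
+# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type vendor_hal_embmssl_qti, domain;
+type vendor_hal_embmssl_qti_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_hal_embmssl_qti)
+hal_server_domain(vendor_hal_embmssl_qti, vendor_hal_embmssl)
+# Allow hwbinder call from hal client to server
+binder_call(vendor_hal_embmssl_client, vendor_hal_embmssl_server)
+binder_call(vendor_hal_embmssl_server, vendor_hal_embmssl_client)
+# Add hwservice related rules
+add_hwservice(vendor_hal_embmssl_server, vendor_hal_embmssl_hwservice)
+allow vendor_hal_embmssl_client vendor_hal_embmssl_hwservice:hwservice_manager find;
+allow vendor_hal_embmssl_qti self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow vendor_hal_embmssl_qti vendor_time_daemon:unix_stream_socket connectto;
+allow vendor_hal_embmssl_qti vendor_netmgrd_socket:dir search;
+unix_socket_connect(vendor_hal_embmssl_qti, vendor_netmgrd, vendor_netmgrd)
+allow vendor_hal_embmssl_qti self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow vendor_hal_embmssl_qti self:tipc_socket { create_socket_perms_no_ioctl };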
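Review bot: The three socket-creation rules at the end of the new domain (`qipcrtr_socket`, `netlink_generic_socket`, `tipc_socket`) have no comments, while the binder and hwservice rules above them do; each opens a distinct IPC channel and the file should say which peer (modem QMI service, kernel netlink family, TIPC endpoint) it is meant for. The braces in `self:tipc_socket { create_socket_perms_no_ioctl }` are redundant around a single permission macro, and the `qipcrtr_socket` line two above is written without them. The `binder_call` pair between `vendor_hal_embmssl_client` and `vendor_hal_embmssl_server` plus the client `find` rule are the usual body of an `hal_attribute_hwservice`-style definition; if those attributes are declared in the new `public/attribute` directories this commit adds, check the rules are not granted twice.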


@@ -42,11 +42,15 @@ allow vendor_hal_gnss_qti vendor_location_data_file:dir create_dir_perms;
allow vendor_hal_gnss_qti vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_hal_gnss_qti vendor_location_socket:sock_file create_file_perms;
allow vendor_hal_gnss_qti vendor_location_socket: {sock_file lnk_file } create_file_perms;
allow vendor_hal_gnss_qti vendor_location_socket:dir rw_dir_perms;
allow vendor_hal_gnss_qti vendor_location:unix_stream_socket connectto;
allow vendor_hal_gnss_qti vendor_location:unix_dgram_socket sendto;
# allow reading /sys/bus/mhi/devices/.../time_us files, this files hold the
# time offset between local and remote for dual SoC architectures
allow vendor_hal_gnss_qti vendor_sysfs_mhi:file r_file_perms;
# Allow Gnss HAL to get updates from health hal
hal_client_domain(vendor_hal_gnss_qti, hal_health)
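Review bot: Widening the `vendor_location_socket` rule from `sock_file` to `{sock_file lnk_file } create_file_perms` lets the GNSS HAL create and remove symlinks inside the location socket directory, and the same widening is made for `vendor_location` in location.te. Symlinks in a shared socket directory need a stated reason in the policy; if the stack only follows an existing link, `lnk_file r_file_perms` is the narrower grant, and if it creates one, a comment naming the link should accompany the rule. The stray space after the colon in `vendor_location_socket: {sock_file lnk_file }` should also go so the rule matches the rest of the file.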


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -52,6 +52,10 @@ r_dir_file(hal_graphics_composer_default, sysfs_leds)
allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
# Allow access to QMCS partition files
allow hal_graphics_composer_default vendor_qmcs_file:dir create_dir_perms;
allow hal_graphics_composer_default vendor_qmcs_file:file create_file_perms;
# HWC_UeventThread
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
@@ -82,6 +86,9 @@ userdebug_or_eng(`
allow hal_graphics_composer fwk_sensor_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer, system_server)
# Allow writing to pps socket
allow hal_graphics_composer_default vendor_pps_socket:sock_file write;
# allow composer to register display config
add_hwservice(hal_graphics_composer_server, vendor_hal_display_config_hwservice);
# allow composer client to find display config service.
@@ -89,3 +96,11 @@ allow hal_graphics_composer_client vendor_hal_display_config_hwservice:hwservice
# Allow qdcmss socket access
unix_socket_connect(hal_graphics_composer_default, vendor_qdcmsocket, vendor_qdcm-ss)
#allow composer to find hal_perf
hal_client_domain(hal_graphics_composer_default, vendor_hal_perf);
# Allow access to qipcrtr_socket
# Remove this when QMI service moves to pfmd
allow hal_graphics_composer self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm hal_graphics_composer self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
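Review bot: The new `qipcrtr_socket` rules are written on the `hal_graphics_composer` attribute, while every other grant in this file targets the `hal_graphics_composer_default` domain, so the QMI socket and its `msm_sock_ipc_ioctls` xperms extend to every domain carrying the attribute, which under AOSP's hal_attribute pattern also includes client-side domains such as surfaceflinger. Unless those clients really need the socket, scope it down: `allow hal_graphics_composer_default self:{ socket qipcrtr_socket } create_socket_perms;` with the matching `allowxperm`. The `Remove this when QMI service moves to pfmd` comment marks a temporary grant without any tracking reference; add one so it is actually revisited.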


@@ -39,7 +39,8 @@ add_hwservice(vendor_hal_imsrtp, vendor_hal_imsrtp_hwservice)
allow vendor_hal_imsrtp self: qipcrtr_socket create_socket_perms_no_ioctl;
unix_socket_connect(vendor_hal_imsrtp, vendor_ims, vendor_ims)
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
#allow ims_rtp_daemon to connect to server socket hosted in imsdaemon
unix_socket_connect(vendor_hal_imsrtp, vendor_ims, vendor_ims_service)
allow vendor_hal_imsrtp self:capability net_bind_service;
@@ -50,3 +51,6 @@ r_dir_file(vendor_hal_imsrtp, vendor_sysfs_diag)
get_prop(vendor_hal_imsrtp, vendor_ims_prop)
binder_call(vendor_hal_imsrtp, vendor_qtelephony)
crash_dump_fallback(vendor_hal_imsrtp)
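Review bot: `crash_dump_fallback(vendor_hal_imsrtp)` is added without a comment; as I read the AOSP macro it is the path for domains that cannot exec crash_dump and it hands the domain direct tombstoned access, so it should only be used when the normal crash_dump route is genuinely unavailable to this HAL. Add a line saying why, e.g. `# imsrtp cannot spawn crash_dump; use the tombstoned fallback`, or drop the macro if it was added only to silence a denial. The two `unix_socket_connect` calls to the `vendor_ims` socket with different server domains (`vendor_ims` and the new `vendor_ims_service`) look like a transition; note which one is expected to go away.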


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are


@@ -33,6 +33,8 @@ get_prop(hal_sensors_default, vendor_sensors_prop)
userdebug_or_eng(`
diag_use(hal_sensors_default)
get_prop(hal_sensors_default, vendor_sensors_dbg_prop)
# allow to trigger force crash to collect ramdump
allow hal_sensors_default proc_sysrq:file rw_file_perms;
allow hal_sensors_default vendor_sysfs_timestamp_switch:file r_file_perms;
')
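Review bot: `allow hal_sensors_default proc_sysrq:file rw_file_perms;` grants more than its comment needs: triggering a forced crash is a write to the sysrq trigger, so `w_file_perms` is the least-privilege form even inside `userdebug_or_eng`. The `vendor_sysfs_timestamp_switch:file r_file_perms` rule is also inside the `userdebug_or_eng(` block that opens a few lines above and closes right after it; if the timestamp switch is read on user builds too, it belongs outside the block.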

generic/vendor/common/hal_thermal_default.te vendored Executable file → Normal file

@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,5 +24,12 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_thermal_default sysfs_thermal:lnk_file read;
# This is required to access proc stat for fetching CPU usage
allow hal_thermal_default proc_stat:file { getattr open read };
# This is required for thermal sysfs access
allow hal_thermal_default sysfs_thermal:file w_file_perms;
# netlink access
allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
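Review bot: `allow hal_thermal_default sysfs_thermal:file w_file_perms;` gives the thermal HAL write access to every node carrying the core `sysfs_thermal` label, while the comment says only that thermal sysfs access is required. Name the nodes actually written in the comment, and if it is a small fixed set consider giving them a vendor genfscon label that carries the write permission instead of widening the core type. The `proc_stat` and uevent-socket rules are fine as written; the mode change from executable to normal file for this .te is also a welcome cleanup.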


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -43,9 +43,15 @@ hal_client_domain(vendor_hal_trustedui_qti, vendor_hal_systemhelper);
allow vendor_hal_trustedui_qti vendor_sysfs_sectouch:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:dir r_dir_perms;
allow vendor_hal_trustedui_qti self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_hal_trustedui_qti sysfs:dir r_dir_perms;
allow vendor_hal_trustedui_qti vendor_sysfs_trusted_touch_enable:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_sysfs_trusted_touch_event:file rw_file_perms;
allow vendor_hal_trustedui_qti ion_device:chr_file r_file_perms;
allow vendor_hal_trustedui_qti surfaceflinger:fd use;
allow vendor_hal_trustedui_qti sysfs_devices_system_cpu:file rw_file_perms;
allow vendor_hal_trustedui_qti tee_device:chr_file rw_file_perms;
binder_call(vendor_hal_trustedui_qti, vendor_systemhelper_app)
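Review bot: `allow vendor_hal_trustedui_qti sysfs_devices_system_cpu:file rw_file_perms;` lets the trusted UI HAL write any CPU sysfs node (frequency, online state and similar), which is far broader than a UI-session HAL normally needs; the same blanket grant is added for `vendor_init-qti-dcvs-sh` in init-qti-dcvs-sh.te, where a DCVS script is at least the expected writer. Please record what the HAL actually writes, and if it is one or two nodes, give them a vendor label via genfscon and grant write on that instead. The `sysfs:dir r_dir_perms` line also has no comment; say which path it is traversing to.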


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -42,3 +42,5 @@ type vendor_hal_display_color_hwservice, hwservice_manager_type, protected_hwser
type vendor_hal_display_postproc_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_camera_postproc_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_embmssl_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_dspmanager_hwservice, hwservice_manager_type;
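Review bot: `type vendor_hal_dspmanager_hwservice, hwservice_manager_type;` omits `protected_hwservice`, unlike every other declaration visible in this hunk. In AOSP that attribute is what the untrusted-app neverallows key on, so leaving it off is precisely what makes it legal to expose the DSP manager service to app or shell domains; that looks deliberate given the shell.te grant in this commit, but it should be stated, e.g. `# intentionally unprotected: exposed to shell/app clients of the DSP manager HAL`. If no app domain is meant to reach it, add `protected_hwservice` and grant `find` to the specific client domains instead.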


@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -62,3 +62,5 @@ vendor.qti.hardware.trustedui::ITrustedInput u:object_r:vendor_hal_
android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
vendor.qti.hardware.camera.postproc::IPostProcService u:object_r:vendor_hal_camera_postproc_hwservice:s0
vendor.qti.hardware.embmssl::IEmbms u:object_r:vendor_hal_embmssl_hwservice:s0
vendor.qti.hardware.dsp::IDspService u:object_r:vendor_hal_dspmanager_hwservice:s0


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -28,6 +28,8 @@
type vendor_imshelper_app, domain;
app_domain(vendor_imshelper_app);
unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims)
#allow imshelper_app to connect to server socket hosted in imsdaemon
unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims_service)
allow vendor_imshelper_app app_api_service:service_manager find;
#allow qsee_svc_app vendor_imshelper_app_data_file:dir create_dir_perms;

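--- /dev/null
+++ b/generic/vendor/common/imsservice.te
@@ -0,0 +1,71 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type vendor_ims_service, domain;
+type vendor_ims_service_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_ims_service)
+net_domain(vendor_ims_service)
+set_prop(vendor_ims_service, vendor_ims_prop)
+get_prop(vendor_ims_service, vendor_ims_prop)
+get_prop(vendor_ims_service, vendor_cnd_prop)
+allow vendor_ims_service vendor_sysfs_data:file r_file_perms;
+wakelock_use(vendor_ims_service)
+allow vendor_ims_service self:capability net_bind_service;
+allow vendor_ims_service self:capability2 wake_alarm;
+allow vendor_ims_service ion_device:chr_file r_file_perms;
+unix_socket_connect(vendor_ims_service, vendor_cnd, vendor_cnd)
+allow vendor_ims_service self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
+allow vendor_ims_service vendor_ims_socket:sock_file write;
+netmgr_socket(vendor_ims_service);
+allowxperm vendor_ims_service self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
+allow vendor_ims_service self:tipc_socket { create_socket_perms_no_ioctl };
+#diag
+userdebug_or_eng(`
+diag_use(vendor_ims_service)
+binder_call(vendor_ims_service, radio)
+')
+set_prop(vendor_ims_service, vendor_ctl_vendor_imsrcsservice_prop)
+hwbinder_use(vendor_ims_service)
+allow vendor_ims_service vendor_hal_cne_hwservice:hwservice_manager find;
+allow vendor_ims_service vendor_hal_datafactory_hwservice:hwservice_manager find;
+binder_call(vendor_ims_service, vendor_cnd)
+# imsdaemon to bind with UceShimService.apk
+binder_call(vendor_ims_service, vendor_dataservice_app)
+# imsdaemon needs read/write access to devpts
+allow vendor_ims_service devpts:chr_file rw_file_perms;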

@@ -30,14 +30,19 @@ type vendor_init-qcom-sensors-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-sensors-sh)
get_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)
allow vendor_init-qcom-sensors-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-sensors-sh vendor_toolbox_exec:file rx_file_perms;
r_dir_file(vendor_init-qcom-sensors-sh, mnt_vendor_file)
r_dir_file(vendor_init-qcom-sensors-sh, vendor_persist_sensors_file)
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:file setattr;
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:dir setattr;
allow vendor_init-qcom-sensors-sh vendor_sensors_vendor_data_file:dir create_dir_perms;
allow vendor_init-qcom-sensors-sh vendor_sensors_vendor_data_file:file create_file_perms;
allow vendor_init-qcom-sensors-sh sensors_device:chr_file r_file_perms;
r_dir_file(vendor_init-qcom-sensors-sh, vendor_sysfs_devicetree_soc)
set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)
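Review bot: `set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)` at the end of the hunk makes the `get_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)` near the top redundant, since AOSP's `set_prop` macro expands to the `property_service set` rule plus `get_prop` on the same type; keep one of the two. The new `setattr` rules on `vendor_persist_sensors_file` (file and dir) change ownership or mode of data that persists across boots, so a comment stating which attributes the script adjusts and why belongs above them.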


@@ -39,3 +39,4 @@ neverallow vendor_init-qti-dcvs-sh self:perf_event ~{ open cpu };
allow vendor_init-qti-dcvs-sh sysfs:dir { open read };
allow vendor_init-qti-dcvs-sh vendor_sysfs_devfreq:dir r_dir_perms;
allow vendor_init-qti-dcvs-sh vendor_sysfs_devfreq:file w_file_perms;
allow vendor_init-qti-dcvs-sh sysfs_devices_system_cpu:file rw_file_perms;


@@ -0,0 +1,38 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qti-keymaster-sh, domain;
type vendor_init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qti-keymaster-sh)
# Set vendor.keymaster.strongbox.version to 40 or 41
set_prop(vendor_init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
set_prop(vendor_init-qti-keymaster-sh, vendor_disable_spu_prop)
allow vendor_init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
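Review bot: `set_prop(vendor_init-qti-keymaster-sh, vendor_km_strongbox_version_prop);` carries a trailing semicolon while the `set_prop` on the next line does not; pick one form for the file. The `vendor_disable_spu_prop` grant has no comment, unlike the strongbox line above it; say what the script decides about the SPU and from which input. Note also that in this commit's property_contexts the `ctl.vendor.keymaster-sb-4-0` and `ctl.vendor.authsecret.qti-1-0` control properties share `vendor_km_strongbox_version_prop`, so this script domain can also start and stop those services; if that is intended, state it here, otherwise the ctl entries need their own type.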


@@ -47,6 +47,9 @@ allow init { bt_firmware_file vendor_firmware_file firmware_file } :dir mounton
allow init { bt_firmware_file firmware_file }:filesystem { relabelfrom mount };
allow { bt_firmware_file firmware_file }self:filesystem associate;
allow init vendor_qmcs_file:dir { mounton };
allow init vendor_qmcs_file:filesystem { relabelfrom mount relabelto };
dontaudit init kernel:system module_request;
allow init sysfs_leds:lnk_file r_file_perms;


@@ -69,6 +69,7 @@ allow vendor_qti_init_shell self:capability {
set_prop(vendor_qti_init_shell, vendor_ctl_netmgrd_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_port-bridge_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_rild_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_qcrild_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm-diag_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm_prop)
@@ -85,6 +86,8 @@ set_prop(vendor_qti_init_shell, vendor_audio_prop)
get_prop(vendor_qti_init_shell, exported3_radio_prop)
set_prop(vendor_qti_init_shell, vendor_gpu_prop)
set_prop(vendor_qti_init_shell, vendor_sensors_prop)
set_prop(vendor_qti_init_shell, vendor_adsprpc_prop)
set_prop(vendor_qti_init_shell, vendor_opengles_prop)
allow vendor_qti_init_shell {
sysfs_devices_system_cpu
@@ -181,7 +184,7 @@ set_prop(vendor_qti_init_shell, vendor_soc_id_prop);
# Set ro.vendor.qti.soc_name to soc_name in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_name_prop);
# Get persist.console.silent.config for kernel console log level
# Get persist.vendor.console.silent.config for kernel console log level
get_prop(vendor_qti_init_shell, vendor_console_log_level_prop)
set_prop(vendor_qti_init_shell,vendor_dcvs_prop)


@@ -63,7 +63,7 @@ allow vendor_location vendor_location_data_file:dir create_dir_perms;
allow vendor_location vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_location vendor_location_socket:sock_file create_file_perms;
allow vendor_location vendor_location_socket: {sock_file lnk_file } create_file_perms;
allow vendor_location vendor_location_socket:dir rw_dir_perms;
allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;


@@ -26,3 +26,4 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#allow embms app to access vendor radio property
get_prop(radio, vendor_radio_prop)
get_prop(platform_app, vendor_display_notch_prop)


@@ -27,6 +27,7 @@
vendor_internal_prop(vendor_ctl_netmgrd_prop);
vendor_internal_prop(vendor_ctl_port-bridge_prop);
vendor_internal_prop(vendor_ctl_rild_prop);
vendor_internal_prop(vendor_ctl_qcrild_prop);
vendor_restricted_prop(vendor_camera_prop);
vendor_restricted_prop(vendor_cnd_prop);
@@ -43,6 +44,7 @@ vendor_internal_prop(vendor_dataqdp_prop);
vendor_internal_prop(vendor_ramdump_prop);
vendor_internal_prop(vendor_sensors_prop);
vendor_restricted_prop(vendor_tee_listener_prop);
vendor_restricted_prop(vendor_km_strongbox_version_prop);
vendor_restricted_prop(vendor_display_prop);
vendor_internal_prop(vendor_usb_prop);
vendor_restricted_prop(vendor_radio_prop);
@@ -50,6 +52,9 @@ vendor_restricted_prop(vendor_radio_prop);
#Needed for ubwc support
vendor_restricted_prop(vendor_gralloc_prop);
#Needed for opengles version support
vendor_restricted_prop(vendor_opengles_prop);
vendor_internal_prop(vendor_system_prop);
#imsrcsservice


@@ -34,6 +34,7 @@ vendor.wc_transport. u:object_r:vendor_bluetooth_prop:s0
ctl.vendor.msm_irqbalance u:object_r:vendor_msm_irqbalance_prop:s0
ctl.vendor.netmgrd u:object_r:vendor_ctl_netmgrd_prop:s0
ctl.vendor.port-bridge u:object_r:vendor_ctl_port-bridge_prop:s0
ctl.vendor.ril-daemon u:object_r:vendor_ctl_rild_prop:s0
ctl.vendor.qcrild u:object_r:vendor_ctl_qcrild_prop:s0
ctl.vendor.ipacm u:object_r:vendor_ipacm_prop:s0
ctl.vendor.ipacm-diag u:object_r:vendor_ipacm-diag_prop:s0
@@ -45,6 +46,7 @@ vendor.audio. u:object_r:vendor_audio_prop:s0
vendor.voice. u:object_r:vendor_audio_prop:s0
persist.vendor.audio. u:object_r:vendor_audio_prop:s0
ro.vendor.audio. u:object_r:vendor_audio_prop:s0
persist.vendor.audio.spkr.cal.duration u:object_r:vendor_audio_prop:s0
ro.vendor.alarm_boot u:object_r:vendor_alarm_boot_prop:s0
ro.boot.alarmboot u:object_r:vendor_alarm_boot_prop:s0
vendor.debug.camera. u:object_r:vendor_camera_prop:s0
@@ -77,6 +79,7 @@ ro.vendor.build.software.version u:object_r:vendor_ims_prop:s0
persist.vendor.ims. u:object_r:vendor_ims_prop:s0
persist.vendor.qti.telephony.vt_cam_interface u:object_r:vendor_ims_prop:s0
ctl.vendor.imsrcsservice u:object_r:vendor_ctl_vendor_imsrcsservice_prop:s0
vendor.opengles.version u:object_r:vendor_opengles_prop:s0
# HBTP
ctl.vendor.hbtp u:object_r:vendor_ctl_vendor_hbtp_prop:s0
@@ -125,6 +128,12 @@ vendor.wlan. u:object_r:vendor_wifi_prop:s0
#qdcm socket service
vendor.display.qdcm_socket_service u:object_r:vendor_qdcmss_prop:s0
#keymaster strongbox service
vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0
ctl.keymaster-sb-4-0 u:object_r:vendor_km_strongbox_version_prop:s0
ctl.vendor.keymaster-sb-4-0 u:object_r:vendor_km_strongbox_version_prop:s0
ctl.vendor.authsecret.qti-1-0 u:object_r:vendor_km_strongbox_version_prop:s0
#vendor-adsprpc
vendor.fastrpc. u:object_r:vendor_adsprpc_prop:s0
@@ -133,6 +142,6 @@ ro.vendor.qti.soc_id u:object_r:vendor_soc_id_prop:s0
ro.vendor.qti.soc_name u:object_r:vendor_soc_name_prop:s0
#kernel console log level
persist.console.silent.config u:object_r:vendor_console_log_level_prop:s0
persist.vendor.console.silent.config u:object_r:vendor_console_log_level_prop:s0
vendor.dcvs.prop u:object_r:vendor_dcvs_prop:s0
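Review bot: `ctl.keymaster-sb-4-0`, `ctl.vendor.keymaster-sb-4-0` and `ctl.vendor.authsecret.qti-1-0` are labelled `vendor_km_strongbox_version_prop`, the same type as the plain `vendor.keymaster.strongbox.version` value, whereas this file otherwise gives each service control its own `vendor_ctl_*_prop` type (see the `ctl.vendor.qcrild` entry added in the same commit). Any domain granted `set_prop` on the version type can therefore also restart the StrongBox keymaster and authsecret services, and the `vendor_restricted_prop` declaration in property.te may expose the type further than a control property should be. Split them onto a dedicated type such as `ctl.vendor.keymaster-sb-4-0 u:object_r:vendor_ctl_keymaster_sb_prop:s0` with a matching `vendor_internal_prop` declaration, and likewise for authsecret. Separately, `persist.vendor.audio.spkr.cal.duration` is already covered by the `persist.vendor.audio.` prefix entry a few lines above it with the same type, so the new line is redundant.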


@@ -31,7 +31,5 @@ get_prop(vendor_qtelephony, vendor_persist_camera_prop)
get_prop(vendor_qtelephony, vendor_audio_prop)
get_prop(vendor_qtelephony, vendor_video_prop)
allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;
allow vendor_qtelephony vendor_hal_imsrtp_hwservice:hwservice_manager find;
hal_client_domain(vendor_qtelephony, hal_telephony)
binder_call(vendor_qtelephony, vendor_hal_imsrtp)


@@ -0,0 +1,34 @@
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type qti_display_boot, domain;
type qti_display_boot_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(qti_display_boot)
allow qti_display_boot vendor_shell_exec:file rx_file_perms;
allow qti_display_boot vendor_toolbox_exec:file x_file_perms;
set_prop(qti_display_boot, vendor_display_prop)
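Review bot: The new domain `qti_display_boot` (and `qti_display_boot_exec`) breaks the `vendor_` prefix convention followed by every other type this commit introduces (`vendor_hal_embmssl_qti`, `vendor_ims_service`, `vendor_init-qti-keymaster-sh`); rename to `vendor_qti_display_boot` before anything else references it. The file also has no comment saying what the boot-time display script does with `vendor_display_prop`, which is the only thing distinguishing it from a generic init shell domain; one line above the `set_prop` would do.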


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -43,6 +43,8 @@ allow radio vendor_avtimer_device:chr_file r_file_perms;
userdebug_or_eng(`
allow radio vendor_hal_imsrcsd_hwservice:hwservice_manager find;
binder_call(radio, vendor_hal_rcsservice);
#allow RCS clients to communicate with RCS vendor service hosted by imsdaemon
binder_call(radio, vendor_ims_service)
')
#perf
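Review bot: `binder_call(radio, vendor_ims_service)` sits inside the `userdebug_or_eng(` block that opens above it, so RCS clients can reach the vendor service only on debug builds; its counterpart `binder_call(vendor_ims_service, radio)` in imsservice.te is likewise debug-only. If RCS is a shipping feature this pair belongs outside the block; if it is deliberately debug-only, the comment should say so, because `#allow RCS clients to communicate with RCS vendor service hosted by imsdaemon` currently reads as a production rule.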


@@ -39,6 +39,9 @@ type_transition vendor_rfs_access mnt_vendor_file:dir vendor_persist_rfs_shared_
r_dir_file(vendor_rfs_access, firmware_file);
allow vendor_rfs_access vendor_firmware_data_file:dir r_dir_perms;
allow vendor_rfs_access vendor_firmware_data_file:file r_file_perms;
allow vendor_rfs_access mnt_vendor_file:dir create_dir_perms;
allow vendor_rfs_access vendor_persist_rfs_file:dir search;
@@ -55,3 +58,7 @@ allow vendor_rfs_access vendor_tombstone_data_file:file create_file_perms;
#For access to the kmsg device
allow vendor_rfs_access kmsg_device:chr_file w_file_perms;
#For pddump write and create directory
allow vendor_rfs_access vendor_pddump_data_file:dir create_dir_perms;
allow vendor_rfs_access vendor_pddump_data_file:file create_file_perms;
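Review bot: `allow vendor_rfs_access mnt_vendor_file:dir create_dir_perms;` grants create, remove and rename on the root of the /mnt/vendor mount, while the `type_transition ... mnt_vendor_file:dir vendor_persist_rfs_shared_...` visible in the hunk header suggests the daemon only needs to create its own directory there, which takes `{ search write add_name }` on the parent plus `dir create` on the transitioned type. If that is the case, narrow it to `allow vendor_rfs_access mnt_vendor_file:dir { search write add_name };`. The new `vendor_firmware_data_file` read rules have no comment; say what is read from there, matching the `#For ...` style the file already uses.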


@@ -60,5 +60,8 @@ get_prop(rild, vendor_dataqdp_prop)
allow rild vendor_qmuxd_socket:dir w_dir_perms;
allow rild vendor_qmuxd_socket:sock_file create_file_perms;
allow rild vendor_rild_socket:dir w_dir_perms;
allow rild vendor_rild_socket:sock_file create_file_perms;
r_dir_file(rild, vendor_mbn_data_file)
allow rild self:qipcrtr_socket create_socket_perms_no_ioctl;


@@ -30,9 +30,6 @@ user=_app seinfo=tango name=com.google.tango:app domain=untrusted_app type=app_d
#Needed for time service apk
user=_app seinfo=platform name=com.qualcomm.timeservice domain=vendor_timeservice_app type=app_data_file levelFrom=all
# AtFwd app
user=_app seinfo=platform name=com.qualcomm.telephony domain=vendor_qtelephony type=app_data_file levelFrom=all
#add new domain for qtidataservices
user=_app seinfo=platform name=.qtidataservices domain=vendor_qtidataservices_app type=app_data_file levelFrom=all
@@ -40,10 +37,10 @@ user=_app seinfo=platform name=.qtidataservices domain=vendor_qtidataservices_ap
user=radio seinfo=platform name=.imshelperservice domain=vendor_imshelper_app type=vendor_imshelper_app_data_file
#Add new domain for power off alarm app
user=system seinfo=platform name=com.qualcomm.qti.poweroffalarm domain=vendor_poweroffalarm_app type=system_app_data_file
user=_app seinfo=platform name=com.qualcomm.qti.poweroffalarm domain=vendor_poweroffalarm_app type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add new domain for trustzone access app
user=_app seinfo=platform name=com.qualcomm.qti.qms.service.trustzoneaccess domain=vendor_tzas_app type=app_data_file levelfrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=vendor_qtelephony type=app_data_file levelFrom=all
#allow embms msdc app to access embmssl hal
user=_app seinfo=platform name=com.qti.ltebc domain=vendor_embmssl_app type=app_data_file levelFrom=all
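Review bot: `levelfrom=all` on the trustzoneaccess entry is spelled differently from `levelFrom=all` on every other line; even if the parser accepts it case-insensitively, the file should stay consistent. Several distinct apps (`org.codeaurora.ims`, `com.qualcomm.qti.devicestatisticsservice`, and `com.qualcomm.telephony` if its entry is being moved rather than dropped) now map to the single `vendor_qtelephony` domain, so each inherits the union of what the others are granted in qtelephony.te; a comment stating why they are meant to share a domain would help a later reviewer. The poweroffalarm switch from `user=system` to `user=_app ... levelFrom=all` is a privilege reduction and looks intended.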


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -72,8 +72,13 @@ r_dir_file(vendor_sensors, adsprpcd_file)
get_prop(vendor_sensors, vendor_adsprpc_prop)
allow vendor_sensors vendor_persist_sensors_file:fifo_file create_file_perms;
allow vendor_sensors vendor_sensors_vendor_data_file:fifo_file create_file_perms;
# Access to /persist/vendor_sensors
allow vendor_sensors vendor_persist_sensors_file:dir create_dir_perms;
allow vendor_sensors vendor_persist_sensors_file:file create_file_perms;
# Access to wakelock sysfs
wakelock_use(vendor_sensors)
#Allow to search SSR node directory
allow vendor_sensors vendor_sysfs_slpi:dir search;
allow vendor_sensors vendor_sysfs_slpi:file getattr;
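Review bot: The two new fifo_file rules, `allow vendor_sensors vendor_persist_sensors_file:fifo_file create_file_perms;` and the `vendor_sensors_vendor_data_file` one, carry no comment, unlike the dir/file rules right after them; a named pipe created under the persist partition is unusual enough that a one-liner naming the other end of the pipe is warranted, e.g. `# named pipes exchanged with <consumer> under /persist/sensors and /data/vendor/sensors`. The `vendor_sysfs_slpi:file getattr` grant at the end could be folded into the `#Allow to search SSR node directory` comment so both SSR rules are explained together.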


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,3 +25,7 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# allow any 3rd party shell app to be a client of DSP HAL
hal_client_domain(shell, vendor_hal_dspmanager)
get_prop(shell, vendor_opengles_prop)
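Review bot: The comment `# allow any 3rd party shell app to be a client of DSP HAL` names the wrong subject: `shell` is the adb shell domain, not a third-party app domain (the app-side grants are the `untrusted_app*` lines elsewhere in this change), so the comment should read `# allow the adb shell domain to be a client of DSP HAL`. `get_prop(shell, vendor_opengles_prop)` on the last line has no comment at all; state which command-line tool reads that property so the grant can be retired with it.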


@@ -34,6 +34,7 @@ allow vendor_shsusrd vendor_proc_shs:dir r_dir_perms;
allow vendor_shsusrd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_shsusrd self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_shsusrd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vendor_shsusrd vendor_shsusr_data_file:dir rw_dir_perms;
allow vendor_shsusrd vendor_shsusr_data_file:file create_file_perms;


@@ -33,6 +33,7 @@ userdebug_or_eng(`
allow vendor_subsystem_ramdump device:dir r_dir_perms;
allow vendor_subsystem_ramdump vendor_ramdump_device:chr_file r_file_perms;
allow vendor_subsystem_ramdump vendor_ramdump_microdump_modem_device:chr_file r_file_perms;
r_dir_file(vendor_subsystem_ramdump, sysfs_type);
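Review bot: `r_dir_file(vendor_subsystem_ramdump, sysfs_type);` grants read access to every sysfs label in the policy, far wider than the single-device rules above it; if the daemon needs one subsystem's nodes, scope the rule to that label (the `vendor_sysfs_slpi` pattern used in vendor_sensors.te) and add a comment naming the node. The hunk header suggests this sits inside a `userdebug_or_eng` block that opens before the hunk, so the exposure is debug-only, but attribute-wide grants in debug blocks tend to get copied into production domains, so a narrow rule is still preferable. The trailing `;` after the macro call is also inconsistent with the other macro invocations in the change.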


@@ -45,10 +45,13 @@ userdebug_or_eng(`
diag_use(system_server)
')
#OpenGLES version
get_prop(system_server, vendor_opengles_prop)
# allow system_server to access vendor display property.
get_prop(system_server, vendor_display_prop)
# allow system_server to read/acess peripheral manager.
get_prop(system_server, vendor_per_mgr_state_prop);
hal_client_domain(system_server, vendor_hal_dataconnection_qti)
hal_client_domain(system_server, vendor_hal_dataconnection_qti)
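Review bot: `hal_client_domain(system_server, vendor_hal_dataconnection_qti)` is printed twice at the end of the hunk; if both copies are on the new side, rather than an old/new pair differing only in whitespace (which the rendered view cannot show), drop one, since a duplicated macro call adds nothing. `get_prop(system_server, vendor_per_mgr_state_prop);` ends with a `;` while the neighbouring `get_prop` calls do not; remove the stray semicolon for consistency.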


@@ -62,3 +62,7 @@ allow tee vendor_sysfs_sectouch:file rw_file_perms;
allow tee vendor_tui_data_file:file rw_file_perms;
allow tee vendor_tui_data_file:dir r_dir_perms;
allow tee graphics_device:chr_file rw_file_perms;
#OPS Listener
allow tee vendor_sysfs_graphics:dir r_dir_perms;
allow tee vendor_sysfs_graphics:file rw_file_perms;
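Review bot: `allow tee vendor_sysfs_graphics:file rw_file_perms;` gives the TEE daemon write access to every node carrying the graphics sysfs label, and the only explanation is `#OPS Listener`; name the node and what the listener does with it, e.g. `# OPS listener: tee writes <node> under vendor_sysfs_graphics`. If a single attribute is written, a dedicated label for that node would keep the rest of the directory read-only for tee, matching the `r_dir_perms` granted on the dir one line above.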

38
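--- /dev/null
+++ b/generic/vendor/common/tzas_app.te
@@ -0,0 +1,38 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type vendor_tzas_app, domain;
+app_domain(vendor_tzas_app)
+net_domain(vendor_tzas_app)
+unix_socket_connect(vendor_tzas_app, vendor_ssgtzd, vendor_ssgtzd)
+binder_call(vendor_tzas_app,vendor_hal_perf_default)
+allow vendor_tzas_app app_api_service:service_manager find;
+allow vendor_tzas_app vendor_hal_perf_hwservice:hwservice_manager find;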
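Review bot: `binder_call(vendor_tzas_app,vendor_hal_perf_default)` together with the explicit `vendor_hal_perf_hwservice:hwservice_manager find` hand-wires this app to one HAL implementation, whereas the other app domains in this change use `hal_client_domain(..., vendor_hal_perf)` (qtidiagservices_app.te, usta_app.te); the attribute form yields the same find and two-way binder rules and keeps working if the perf HAL is served from another domain, so replace both lines with `hal_client_domain(vendor_tzas_app, vendor_hal_perf)`. The file also lacks the one-line purpose header that vm_mgr.te has, e.g. `# Policy for the trustzone access service app (com.qualcomm.qti.qms.service.trustzoneaccess)`. `unix_socket_connect(vendor_tzas_app, vendor_ssgtzd, vendor_ssgtzd)` is presumably the rule that gives the app its path toward the secure side, so it deserves a comment of its own stating what the app sends over that socket.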


@@ -52,3 +52,6 @@ allow ueventd vendor_vm_system_file:file r_file_perms;
# For wifi to access mnt_vendor_file
r_dir_file(ueventd, mnt_vendor_file)
# for VM firmware handler
domain_auto_trans(ueventd, vendor_vm_mgr_exec, vendor_vm_mgr)
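Review bot: `domain_auto_trans(ueventd, vendor_vm_mgr_exec, vendor_vm_mgr)` makes a kernel firmware-request uevent the trigger for spawning a daemon that, per vm_mgr.te in this same change, holds `sys_admin` and loop-device control; the comment `# for VM firmware handler` should say which firmware path the request matches and where the handler is registered (ueventd.rc, if that is the mechanism in use), so a reviewer can confirm only that request reaches the transition. Something like `# ueventd execs vm_mgr as the external firmware handler for <firmware path>` is enough.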


@@ -31,4 +31,5 @@ allow update_engine storage_file:dir r_dir_perms;
allow update_engine fuse:dir r_dir_perms;
allow update_engine sdcard_type:dir r_dir_perms;
allow update_engine sdcard_type:file r_file_perms;
allow update_engine vendor_vm_system_file:dir search;
binder_call( update_engine, system_app )
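Review bot: `binder_call( update_engine, system_app )` has no comment saying which system app registers a callback with update_engine, and the spacing inside the parentheses differs from every other macro call in the change; suggest `# allow update_engine to call back into <app> (system_app) during OTA` above `binder_call(update_engine, system_app)`. Both update_engine and system_app are platform domains, so also check that this rule belongs in this vendor directory rather than the platform-side policy tree.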


@@ -40,6 +40,9 @@ allow vendor_init kernel:system module_request;
allow vendor_init self:capability sys_module;
allow vendor_init kmsg_device:chr_file write;
#allow vendor GPU property
set_prop(vendor_init, vendor_opengles_prop)
#Allow triggering IPA FWs loading
allow vendor_init vendor_ipa_dev:chr_file write;
@@ -59,6 +62,8 @@ allow vendor_init vendor_sysfs_slpi:file write;
allow vendor_init vendor_file:system module_load;
allow vendor_init vendor_sysfs_scsi_host:file { setattr };
allow vendor_init {
vendor_camera_data_file
vendor_tui_data_file
@@ -99,3 +104,5 @@ set_prop(vendor_init,vendor_dcvs_prop)
# Allow vendor_init to read vendor_soc_name_prop
get_prop(vendor_init, vendor_soc_name_prop);
allow vendor_init tee_device:chr_file getattr;


@@ -0,0 +1,40 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_lowirpcd_service, domain;
type vendor_lowirpcd_service_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_lowirpcd_service)
allow vendor_lowirpcd_service ion_device:chr_file r_file_perms;
allow vendor_lowirpcd_service vendor_qdsp_device:chr_file r_file_perms;
allow vendor_lowirpcd_service vendor_xdsp_device:chr_file r_file_perms;
# For reading adsprpc_prop
get_prop(vendor_lowirpcd_service, vendor_adsprpc_prop)
# Access to wakelock sysfs
wakelock_use(vendor_lowirpcd_service)
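Review bot: The file declares `vendor_lowirpcd_service` without any comment saying what the daemon is, although it opens `ion_device`, `vendor_qdsp_device` and `vendor_xdsp_device`; add a header in the style of vm_mgr.te's `# Policy for vmmgr`, e.g. `# Policy for lowirpcd (<one-line purpose>)`, and a note on why the ION device is needed. I do not see a file_contexts entry for `vendor_lowirpcd_service_exec` in the visible hunks; if it is not elsewhere in the change, `init_daemon_domain(vendor_lowirpcd_service)` never fires and the daemon runs in init's domain context transition fallback, which would surface as denials rather than a build error.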

70
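--- /dev/null
+++ b/generic/vendor/common/vm_mgr.te
@@ -0,0 +1,70 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#######################
+# Policy for vmmgr
+type vendor_vm_mgr, domain;
+type vendor_vm_mgr_exec, exec_type, vendor_file_type, file_type;
+#######################
+# Main daemon flow
+init_daemon_domain(vendor_vm_mgr);
+# Scan thru and read vm images
+allow vendor_vm_mgr vendor_vm_system_file:file r_file_perms;
+allow vendor_vm_mgr vendor_vm_system_file:dir search;
+# Execute toolbox to setup loopback block devices for VM's file system
+allow vendor_vm_mgr self:global_capability_class_set { sys_admin };
+allow vendor_vm_mgr { vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
+allow vendor_vm_mgr block_device:dir r_dir_perms;
+allow vendor_vm_mgr block_device:blk_file getattr;
+allow vendor_vm_mgr loop_control_device:chr_file rw_file_perms;
+allowxperm vendor_vm_mgr loop_control_device:chr_file ioctl { LOOP_CTL_GET_FREE };
+allow vendor_vm_mgr loop_device:blk_file rw_file_perms;
+allowxperm vendor_vm_mgr loop_device:blk_file ioctl { LOOP_GET_STATUS64 LOOP_SET_FD LOOP_SET_STATUS64 LOOP_CLR_FD };
+allow vendor_vm_mgr vendor_ssr_device:chr_file r_file_perms;
+allow vendor_vm_mgr vendor_sysfs_bootguestvm:file w_file_perms;
+# losetup used by vm-mgr scans for every block devices looking for loopbacks
+# so ignore all denials during this scan
+dontaudit vendor_vm_mgr dev_type:blk_file getattr;
+# Invoking losetup executable from vm-mgr launch a shell process, which may make use of any
+# AOSP debug-type properties. Ignore them all.
+dontaudit vendor_vm_mgr default_prop:file read;
+# Set neuron mapping block device
+allow vendor_vm_mgr vendor_sysfs_svm_neuron:file rw_file_perms;
+# allow kernel neuron driver to make use of the mapped block device and underlying file image
+allow kernel vendor_vm_mgr:fd use;
+allow kernel vendor_vm_system_file:file r_file_perms;
+#######################
+# Uevent firmware helper flow
+allow vendor_vm_mgr ueventd:fd use;
+allow vendor_vm_mgr ueventd:unix_stream_socket { read write getattr};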
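Review bot: The daemon holds `sys_admin`, the widest capability, and `rx_file_perms` on `vendor_shell_exec`, and `dontaudit vendor_vm_mgr default_prop:file read` concedes that a shell gets spawned to run losetup; if vm-mgr execs the toolbox `losetup` binary directly the shell exec grant and that dontaudit can both be dropped, leaving the already well-bounded `allowxperm ... ioctl { LOOP_CTL_GET_FREE }` / `{ LOOP_GET_STATUS64 LOOP_SET_FD LOOP_SET_STATUS64 LOOP_CLR_FD }` set as the real surface. `dontaudit vendor_vm_mgr dev_type:blk_file getattr;` silences denials for every block-device label, so a later genuine misconfiguration in this domain would be invisible; if the full scan really is needed, a comment listing the labels that were observed during it would let the next reviewer narrow the rule. Minor: `init_daemon_domain(vendor_vm_mgr);` carries a trailing `;` unlike the same call in the lowirpcd and diag-router files.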


@@ -41,7 +41,7 @@ allow vendor_wcnss_service vendor_toolbox_exec:file rx_file_perms;
allow vendor_wcnss_service vendor_wifi_vendor_data_file:dir create_dir_perms;
allow vendor_wcnss_service vendor_wifi_vendor_data_file:file create_file_perms;
allow vendor_wcnss_service proc_net:file w_file_perms;
allow vendor_wcnss_service proc_net:file rw_file_perms;
allow vendor_wcnss_service self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm vendor_wcnss_service self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
@@ -53,6 +53,8 @@ allow vendor_wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
allow vendor_wcnss_service firmware_file:dir r_dir_perms;
allow vendor_wcnss_service firmware_file:file r_file_perms;
allow vendor_wcnss_service sysfs_net:dir search;
allow vendor_wcnss_service sysfs_net:file { write getattr open };
allow vendor_wcnss_service wpa_data_file:dir create_dir_perms;
allow vendor_wcnss_service wpa_data_file:file create_file_perms;
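Review bot: `allow vendor_wcnss_service sysfs_net:file { write getattr open };` is a write grant across the whole `sysfs_net` label with no comment, and in the first hunk `proc_net:file` is widened from `w_file_perms` to `rw_file_perms`, also uncommented; name the node being written, e.g. `# <binary> writes <node> under /sys/class/net`, and if it is a single attribute give it its own label so the rest of the directory stays unwritable from this domain. The permission set deliberately omits `read`; say so in the comment if write-only is intended, otherwise an O_RDWR open will show up as a fresh denial later.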

47
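--- /dev/null
+++ b/generic/vendor/test/diag-router.te
@@ -0,0 +1,47 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+userdebug_or_eng(`
+type vendor_diag-router, domain;
+type vendor_diag-router_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_diag-router)
+hal_server_domain(vendor_diag-router, vendor_hal_diaghal)
+hal_client_domain(vendor_diag-router, hal_allocator)
+binder_call(vendor_hal_diaghal_client, vendor_hal_diaghal_server)
+binder_call(vendor_hal_diaghal_server, vendor_hal_diaghal_client)
+# Add hwservice related rules
+hal_attribute_hwservice(vendor_hal_diaghal, vendor_hal_diaghal_hwservice)
+allow vendor_diag-router functionfs:dir r_dir_perms;
+allow vendor_diag-router functionfs:file rw_file_perms;
+allowxperm vendor_diag-router functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
+allow vendor_diag-router self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow vendor_diag-router vendor_mhi_diag_device:chr_file rw_file_perms;
+allow vendor_diag-router self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vendor_diag-router self:capability kill;
+allow vendor_diag-router su:process signal;
+allow { domain -coredomain -hal_configstore -vendor_init} vendor_diag-router:unix_stream_socket connectto;
+')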
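Review bot: `allow { domain -coredomain -hal_configstore -vendor_init} vendor_diag-router:unix_stream_socket connectto;` lets every present and future vendor domain except three connect to the diag router socket, even though the file already models its clients with `vendor_hal_diaghal_client`; use that attribute, `allow vendor_hal_diaghal_client vendor_diag-router:unix_stream_socket connectto;`, or an explicit list, and keep the exclusion-list form out even under `userdebug_or_eng`. A hint that it is wider than intended: usta_app.te in this same change adds `dontaudit vendor_usta_app vendor_diag-router:unix_stream_socket connectto;`, which is moot if vendor_usta_app is not a coredomain, because the wildcard already allows it. The `binder_call(vendor_hal_diaghal_client, vendor_hal_diaghal_server)` pair and `hal_attribute_hwservice(...)` describe the HAL attribute rather than this server and belong next to the attribute declarations, otherwise a second server file would have to repeat them. `allow vendor_diag-router self:capability kill;` and `allow vendor_diag-router su:process signal;` each deserve a one-line comment naming the process being signalled.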


@@ -38,3 +38,7 @@ type vendor_qti_display_debugfs, fs_type, debugfs_type;
type vendor_sensors_data_file, file_type, data_file_type, core_data_file_type;
type vendor_gles_data_file, file_type, data_file_type;
type vendor_ts_loopback_data_file, file_type, data_file_type;
typeattribute vendor_sensors_vendor_data_file mlstrustedobject;
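Review bot: `typeattribute vendor_sensors_vendor_data_file mlstrustedobject;` exempts that data label from the MLS category checks that keep per-user and per-app data apart, and the same change makes `vendor_usta_app` an `mlstrustedsubject` in usta_app.te; one side is normally sufficient (the subject when a single domain crosses levels, the object when several do), and whichever is kept needs a comment naming the cross-level access it exists for, e.g. `# accessed by vendor_usta_app, which now runs with levelFrom=all, across category levels`. Without that the next reviewer cannot tell whether both exemptions were required or one is left over.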


@@ -30,7 +30,7 @@
/(vendor|system/vendor)/bin/qmi-framework-tests/qmi_test.* u:object_r:vendor_qmi_test_service_exec:s0
/(vendor|system/vendor)/bin/diag_dci_client u:object_r:vendor_diagdciclient_exec:s0
/vendor/bin/diag-router u:object_r:vendor_diag-router_exec:s0
/(vendor|system/vendor)/bin/ptt_socket_app u:object_r:vendor_wcnss_service_exec:s0
/(vendor|system/vendor)/bin/athdiag u:object_r:vendor_wcnss_service_exec:s0
/(vendor|system/vendor)/bin/cld-fwlog-netlink u:object_r:vendor_wcnss_service_exec:s0
@@ -81,8 +81,6 @@
/(vendor|system/vendor)/bin/init\.qti\.kernel\.debug\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/sns.* u:object_r:vendor_sensors_test_exec:s0
# Sensors scripts for test app
/data/sensors/scripts(/.*)? u:object_r:vendor_sensors_data_file:s0
#for testscripts support
/(vendor|system/vendor)/bin/init\.qcom\.vendor\.testscripts\.sh u:object_r:vendor-qti-testscripts_exec:s0
#TODO: coredump_file need have a attribute of data_file_type and
@@ -94,4 +92,4 @@
# Console via JTAG - debug only
/dev/hvc0 u:object_r:console_device:s0
/data/vendor/gpu(/.*)? u:object_r:vendor_gles_data_file:s0
/data/vendor/ts_loopback(/.*)? u:object_r:vendor_tui_data_file:s0
/data/vendor/ts_loopback(/.*)? u:object_r:vendor_ts_loopback_data_file:s0
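Review bot: `/vendor/bin/diag-router u:object_r:vendor_diag-router_exec:s0` uses a bare `/vendor/bin/` path while every neighbouring entry uses the `/(vendor|system/vendor)/bin/...` alternation; keep the alternation form so the label also applies when vendor is mounted under /system/vendor, i.e. `/(vendor|system/vendor)/bin/diag-router u:object_r:vendor_diag-router_exec:s0`. The relabel of `/data/vendor/ts_loopback(/.*)?` from `vendor_tui_data_file` to `vendor_ts_loopback_data_file` silently removes whatever access `tee` had to that path through the old label; if that is intended, a comment on the line saying so would save the next person a bisect.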

29
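--- /dev/null
+++ b/generic/vendor/test/hwservice.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type vendor_hal_diaghal_hwservice, hwservice_manager_type, protected_hwservice;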

28
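--- /dev/null
+++ b/generic/vendor/test/hwservice_contexts
@@ -0,0 +1,28 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+vendor.qti.diaghal::Idiag u:object_r:vendor_hal_diaghal_hwservice:s0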


@@ -26,3 +26,5 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vendor_restricted_prop(vendor_sensors_dbg_prop);
#WiFi Display
vendor_internal_prop(vendor_wfd_vendor_debug_prop);


@@ -26,5 +26,10 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
persist.vendor.debug.sensors. u:object_r:vendor_sensors_dbg_prop:s0
#Wifi Display
persist.vendor.debug.mux. u:object_r:vendor_wfd_vendor_debug_prop:s0
persist.vendor.debug.rtp. u:object_r:vendor_wfd_vendor_debug_prop:s0
persist.vendor.debug.wfd. u:object_r:vendor_wfd_vendor_debug_prop:s0
#CNE IWLAN Logging
persist.vendor.iwlan.logging.logcat u:object_r:vendor_cnd_prop:s0
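Review bot: The three `persist.vendor.debug.*` entries and `persist.vendor.iwlan.logging.logcat` use the legacy implicit-prefix form; the explicit `exact`/`prefix` syntax states the match type and, for `exact`, lets the property service reject malformed values, e.g. `persist.vendor.debug.wfd. u:object_r:vendor_wfd_vendor_debug_prop:s0 prefix` and `persist.vendor.iwlan.logging.logcat u:object_r:vendor_cnd_prop:s0 exact bool` if the value is boolean. Labeling the iwlan logging switch with the general `vendor_cnd_prop` rather than a debug-only property type means every domain with set_prop on vendor_cnd_prop can toggle logcat logging; if it is a debug knob like the WFD entries above it, give it a `vendor_..._debug_prop` type of its own.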


@@ -44,6 +44,7 @@ allow vendor_qsta_app {
}:service_manager find;
dontaudit vendor_qsta_app gpu_service:service_manager find;
dontaudit vendor_qsta_app gpuservice:binder call;
dontaudit vendor_qsta_app vendor_hal_qspmhal_hwservice:hwservice_manager find;
userdebug_or_eng(`


@@ -0,0 +1,44 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
## qtidiagservices
##
## This file defines the permissions that qtidiagservices can carry
userdebug_or_eng(`
type qtidiagservices_app, domain;
app_domain(qtidiagservices_app)
hal_client_domain(qtidiagservices_app, vendor_hal_diaghal)
hal_client_domain(qtidiagservices_app, vendor_hal_perf)
allow qtidiagservices_app app_api_service:service_manager find;
allow qtidiagservices_app system_app_data_file: dir create_dir_perms;
allow qtidiagservices_app system_app_data_file: file create_file_perms;
')
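Review bot: `type qtidiagservices_app, domain;` is the only new domain in this change without the `vendor_` prefix (compare `vendor_tzas_app`, `vendor_usta_app`, `vendor_qsta_app`); rename it `vendor_qtidiagservices_app` here and in the seapp_contexts entry `name=com.qti.diagservices domain=qtidiagservices_app`, both for consistency and because vendor-policy naming checks expect the prefix. The rules are wrapped in `userdebug_or_eng` while that seapp_contexts entry is unconditional, so if this directory is ever compiled into a user build the seapp check will fail on the missing domain; the same applies to `vendor_diag-router` and its file_contexts line. Minor: `system_app_data_file: dir` and `: file` have a space after the colon that no other rule in the change uses, and the `## qtidiagservices` header could say what the app does with the diag and perf HALs.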


@@ -29,7 +29,7 @@
user=system seinfo=platform name=.pdtapps domain=vendor_pdt_app type=system_app_data_file
#Add new domain for usta app
user=system seinfo=platform name=com.qualcomm.qti.usta domain=vendor_usta_app type=system_app_data_file
user=_app seinfo=platform name=com.qualcomm.qti.usta domain=vendor_usta_app type=app_data_file levelFrom=all
#Add new domain for qsta app
user=_app seinfo=platform name=com.qualcomm.qti.sensors.qsensortest domain=vendor_qsta_app type=app_data_file
@@ -40,3 +40,6 @@ user=system seinfo=platform name=com.qualcomm.qti.ustaservice domain=vendor_usta
#Add new domain for LibsochelperTest app
user=_app seinfo=platform name=com.qualcomm.qti.libsochelpertest domain=vendor_libsochelpertest_app type=app_data_file levelFrom=all
#Add new domain for qtidiagservices app
user=system seinfo=platform name=com.qti.diagservices domain=qtidiagservices_app type=system_app_data_file


@@ -33,3 +33,10 @@ userdebug_or_eng(`
allow system_app self:socket create_socket_perms_no_ioctl;
')
userdebug_or_eng(`
# allow system_app access diag hal
diag_use(system_app)
hal_client_domain(system_app, vendor_hal_diaghal)
hal_client_domain(system_app, hal_allocator)
')
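Review bot: The new `userdebug_or_eng(` block opens immediately after the `')` that closes the previous one; fold the four rules into the existing block instead of starting a second. `hal_client_domain(system_app, hal_allocator)` has no comment; if it is there because the diag HAL hands shared memory to its clients, say so, e.g. `# hal_allocator: shared-memory buffers returned by the diag hal`.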

29
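--- /dev/null
+++ b/generic/vendor/test/trustedui_test.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+allow vendor_hal_trustedui_qti vendor_ts_loopback_data_file:dir r_dir_perms;
+allow vendor_hal_trustedui_qti vendor_ts_loopback_data_file:file rw_file_perms;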
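Review bot: Both rules are unconditional, while the other debug-only additions in this directory (diag-router.te, qtidiagservices_app.te, system_app.te) are wrapped in `userdebug_or_eng(` ... `')`; given the file is named trustedui_test and the label is a loopback data directory, wrap them the same way unless the loopback path is genuinely needed on user builds, and add a comment naming the test that populates `/data/vendor/ts_loopback`. The trusted UI HAL is a security-sensitive component, so a test-only write path into it should not be live on production builds by accident.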


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -36,3 +36,6 @@ r_dir_file(untrusted_app, vendor_gles_data_file);
allow untrusted_app vendor_gles_data_file:dir rw_dir_perms;
allow untrusted_app vendor_gles_data_file:file rw_file_perms;
')
# allow app to be a client of DSP HAL
hal_client_domain(untrusted_app, vendor_hal_dspmanager)
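Review bot: `hal_client_domain(untrusted_app, vendor_hal_dspmanager)` is placed after the `')` that closes the `userdebug_or_eng` block, so every third-party app on user builds gains find and binder-call access to the DSP manager HAL; the same unconditional line is added for untrusted_app_25, untrusted_app_27 and the new untrusted_app_29.te, and at least the last of those lives under generic/vendor/test. If the HAL is meant to be app-facing, say so in the comment and point at where its interface validates app-supplied input, e.g. `# DSP manager HAL is app-facing; requests are validated in <component>`; if it is only for tests, move the line inside the `userdebug_or_eng` block. A HAL reachable from untrusted_app is part of the device's attack surface and should be reviewed as such rather than introduced in a test directory.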


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -33,3 +33,6 @@ r_dir_file(untrusted_app_25, vendor_gles_data_file);
allow untrusted_app_25 vendor_gles_data_file:dir rw_dir_perms;
allow untrusted_app_25 vendor_gles_data_file:file rw_file_perms;
')
# allow app to be a client of DSP HAL
hal_client_domain(untrusted_app_25, vendor_hal_dspmanager)


@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -35,3 +35,6 @@ r_dir_file(untrusted_app_27, vendor_gles_data_file);
allow untrusted_app_27 vendor_gles_data_file:dir rw_dir_perms;
allow untrusted_app_27 vendor_gles_data_file:file rw_file_perms;
')
# allow app to be a client of DSP HAL
hal_client_domain(untrusted_app_27, vendor_hal_dspmanager)

29
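--- /dev/null
+++ b/generic/vendor/test/untrusted_app_29.te
@@ -0,0 +1,29 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+# allow app to be a client of DSP HAL
+hal_client_domain(untrusted_app_29, vendor_hal_dspmanager)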


@@ -29,7 +29,7 @@
##
## This file defines the permissions that vendor_usta_apps can carry
type vendor_usta_app, domain;
type vendor_usta_app, domain, mlstrustedsubject;
app_domain(vendor_usta_app)
hal_client_domain(vendor_usta_app, vendor_hal_perf)
@@ -42,7 +42,6 @@ userdebug_or_eng(`
allowxperm vendor_usta_app self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
allow vendor_usta_app self:{ socket qipcrtr_socket } create_socket_perms;
allow vendor_usta_app vendor_xdsp_device:chr_file r_file_perms;
allow vendor_usta_app vendor_sysfs_timestamp_switch:file r_file_perms;
')
allow vendor_usta_app {
@@ -53,12 +52,14 @@ allow vendor_usta_app {
allow vendor_usta_app system_app_data_file:dir create_dir_perms;
allow vendor_usta_app system_app_data_file:file create_file_perms;
allow vendor_usta_app vendor_sensors_data_file:dir create_dir_perms;
allow vendor_usta_app vendor_sensors_data_file:file create_file_perms;
allow vendor_usta_app vendor_persist_sensors_file:dir create_dir_perms;
allow vendor_usta_app vendor_persist_sensors_file:file create_file_perms;
allow vendor_usta_app mnt_vendor_file:dir create_dir_perms;
allow vendor_usta_app vendor_sensors_vendor_data_file:dir create_dir_perms;
allow vendor_usta_app vendor_sensors_vendor_data_file:file create_file_perms;
dontaudit vendor_usta_app system_data_file:file open;
allow vendor_usta_app cgroup:file w_file_perms;
dontaudit vendor_usta_app vendor_hal_qspmhal_hwservice:hwservice_manager find;
dontaudit vendor_usta_app gpuservice:binder call;
userdebug_or_eng(`
dontaudit vendor_usta_app vendor_diag-router:unix_stream_socket connectto;
')
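Review bot: The seapp_contexts change in this commit moves `com.qualcomm.qti.usta` from `user=system ... type=system_app_data_file` to `user=_app ... type=app_data_file levelFrom=all`, yet `allow vendor_usta_app system_app_data_file:dir create_dir_perms;` and the matching `:file create_file_perms` rule stay in this file; if the app's own data directory is now app_data_file those rules are dead at best and at worst let an _app-uid process create files in system apps' data, so drop them or comment why they remain. `allow vendor_usta_app cgroup:file w_file_perms;` and `dontaudit vendor_usta_app system_data_file:file open;` have no comment either. The `mlstrustedsubject` added on the `type` line should carry a comment naming the cross-level access it is for, since the MLS exemption is otherwise easy to cargo-cult into other app domains.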


@@ -74,10 +74,6 @@ attribute hal_voiceprint;
attribute hal_voiceprint_server;
attribute hal_voiceprint_client;
attribute vendor_hal_factory_qti;
attribute vendor_hal_factory_qti_client;
attribute vendor_hal_factory_qti_server;
attribute hal_wigig_npt;
attribute hal_wigig_npt_client;
attribute hal_wigig_npt_server;
@@ -101,8 +97,6 @@ attribute hal_soter_server;
attribute hal_sensorscalibrate_qti;
attribute hal_sensorscalibrate_qti_client;
attribute hal_sensorscalibrate_qti_server;
# All types in /mnt/vendor/persist
attribute vendor_persist_type;
attribute hal_scve;
attribute hal_scve_client;
@@ -139,11 +133,3 @@ attribute hal_dataconnection_qti_server;
attribute hal_capabilityconfigstore_qti;
attribute hal_capabilityconfigstore_qti_client;
attribute hal_capabilityconfigstore_qti_server;
attribute vendor_hal_dspmanager;
attribute vendor_hal_dspmanager_client;
attribute vendor_hal_dspmanager_server;
attribute vendor_hal_qccvndhal;
attribute vendor_hal_qccvndhal_client;
attribute vendor_hal_qccvndhal_server;


@@ -121,3 +121,5 @@ allow tee graphics_device:chr_file rw_file_perms;
# Allow access to qsee data file
allow tee data_qsee_file:dir create_dir_perms;
allow tee data_qsee_file:file create_file_perms;
allow tee rpmb_device:chr_file { getattr open read write };
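Review bot: The new rule gives `tee` raw read/write on the RPMB device node with no comment saying which feature needs it, while the neighbouring rule (L1974) is introduced by one; add something like `# Allow direct RPMB access for replay-protected secure storage — TODO confirm consumer` above it. The permission set also omits `ioctl`; if the consumer drives the RPMB through the MMC ioctl interface rather than plain read()/write(), this rule is not sufficient on its own, and the right extension is then `ioctl` plus an `allowxperm` limited to the specific command numbers rather than widening to `rw_file_perms`. The RPMB partition backs rollback counters and secure storage, so keeping the grant this narrow and confined to `tee` is the correct direction; it just needs to be documented.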


@@ -76,6 +76,7 @@
/dev/block/platform/soc/1da4000.ufshc/by-name/super u:object_r:super_block_device:s0
#Primary storage device nodes
/dev/mmcblk0rpmb u:object_r:rpmb_device:s0
/dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
/dev/block/mmcblk0 u:object_r:root_block_device:s0


@@ -0,0 +1,28 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_graphics_composer_default sysfs:file read;
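Review bot: The single rule in this new file grants read on the generic `sysfs` label rather than on a dedicated `sysfs_*` type, which lets the composer read every sysfs node that has not been given its own label; the node it actually needs should be labelled in genfs_contexts and the rule should target that type. It also grants `read` without `open`, so it only works on a descriptor obtained elsewhere or is meant to quiet a denial, and either way that should be stated; the usual form is `allow hal_graphics_composer_default <specific_sysfs_type>:file r_file_perms;` with `<specific_sysfs_type>` being the new label. A one-line why-comment naming the node would make the intent reviewable, e.g. `# Read <sysfs node> for <purpose> — TODO: narrow to a dedicated sysfs label`.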

29
legacy/vendor/sdm660/init.te vendored Normal file

@@ -0,0 +1,29 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow init socket_device:sock_file { unlink setattr create };
allow init vendor_file:file execute;
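Review bot: `allow init vendor_file:file execute;` on L2050 grants init execute on the catch-all `vendor_file` label, i.e. any binary under /vendor that does not carry its own `_exec` type, instead of naming the specific executable; the usual pattern is to give the service binary its own exec type in file_contexts and use `init_daemon_domain` so it runs confined, rather than widening what init itself may execute. The `socket_device:sock_file { unlink setattr create }` rule on L2049 is the normal shape for init-created service sockets, but neither line says which service triggered it. The neighbouring legacy file in this commit (L2055, L2057) documents each rule with a `#Needed for ...` comment, and these two rules should get the same treatment.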


@@ -31,3 +31,6 @@ allow qti_init_shell regionalization_file:file create_file_perms;
#Needed for starting cdsprpcd service post-boot
set_prop(qti_init_shell, vendor_cdsprpcd_prop)
#Needed for ctl property denials
allow qti_init_shell ctl_start_prop:property_service set;
allow qti_init_shell ctl_stop_prop:property_service set;
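Review bot: The two new rules give `qti_init_shell` `set` on the generic `ctl_start_prop` and `ctl_stop_prop` labels, which cover `ctl.start`/`ctl.stop` for every service that has no dedicated ctl property type, so a shell-script domain can start or stop arbitrary init services. The comment `#Needed for ctl property denials` names a symptom rather than the service; this same commit shows the narrower pattern at L2142 (`set_prop(vendor_dpmd, ctl_dpmd_prop)`), so the service in question should get its own `ctl_<svc>_prop` type in property_contexts and the rule should become `set_prop(qti_init_shell, ctl_<svc>_prop)` with a comment naming that service. The two lines also use a raw `allow` where the line above (L2056) uses `set_prop`, which is the macro the file already relies on for property writes.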

28
legacy/vendor/sdm660/location_app.te vendored Normal file

@@ -0,0 +1,28 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow vendor_location_app sysfs_kgsl_gpu_model:file r_file_perms;
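Review bot: The only rule in this new file carries no comment explaining why a location app needs to read the GPU model node, and the rest of the file is a license header; add a short why-comment above it, e.g. `# vendor_location_app reads the GPU model from sysfs for <purpose> — TODO confirm`. `r_file_perms` on the dedicated `sysfs_kgsl_gpu_model` label is the right narrow form, so the point is documentation only.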


@@ -25,6 +25,7 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
binder_call(audioserver,vendor_wfdservice);
#allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_service:service_manager find;
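Review bot: The rule at L2101 sits under the comment `#allow access to ALSA MMAP FDs for AAudio API`, which describes a different access than `audio_service:service_manager find`; the rendered view does not show whether the comment or the `find` rule is the line this hunk adds, but on the new side the comment no longer explains the rule beneath it. Give the `find` rule its own one-line comment naming the caller path that needs it, e.g. `# audioserver looks up the framework audio service for <purpose>`, and keep the MMAP comment attached to the rule it was written for, which may be outside the hunk.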

28
qva/private/bluetooth.te Normal file

@@ -0,0 +1,28 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
unix_socket_connect(bluetooth, vendor_qvrd_controller, vendor_qvrd)
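Review bot: `unix_socket_connect(bluetooth, vendor_qvrd_controller, vendor_qvrd)` gives the bluetooth domain a path to the qvrservice controller socket, and nothing in the file says which feature needs the Bluetooth stack talking to the VR daemon's control channel; the rest of the file is a license header. Add a one-line why-comment, e.g. `# bluetooth connects to the qvrservice controller socket for <feature> — TODO confirm`, so the next upmerge reviewer can tell an intended client from a copied rule. The socket type this macro resolves to is declared in this same commit without `mlstrustedobject` (L2156), unlike `vendor_qvrd_socket`; if that is deliberate it is worth stating where the type is declared.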


@@ -72,3 +72,4 @@ vendor_dpmd_socket_perm(platform_app)
allow vendor_dpmd proc_net:file write;
#self kill rule to kill vendor_dpmd child process which executes iptable commands
allow vendor_dpmd self:capability kill;
set_prop(vendor_dpmd, ctl_dpmd_prop)


@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018,2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -30,6 +30,9 @@ type vendor_dpmd_data_file, file_type, data_file_type, core_data_file_type;
type vendor_dpmwrapper_socket, file_type, coredomain_socket, mlstrustedobject;
type vendor_qvrd_data_file, file_type, data_file_type, core_data_file_type;
type vendor_qvrd_socket, file_type, mlstrustedobject, coredomain_socket;
type vendor_qvrd_controller_socket, file_type, coredomain_socket;
type vendor_qvrd_hvx_socket, file_type, coredomain_socket;
type vendor_sys_sxrd_data_file, file_type, data_file_type, core_data_file_type;
type vendor_sys_sxrd_socket, file_type, mlstrustedobject, coredomain_socket;
type vendor_qcc_data_file, file_type, data_file_type, core_data_file_type;
type vendor_qcc_app_socket, file_type, mlstrustedobject, coredomain_socket;
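Review bot: The new socket types `vendor_qvrd_controller_socket` and `vendor_qvrd_hvx_socket` (L2156, L2157) are declared without `mlstrustedobject`, while `vendor_qvrd_socket` on the line above carries it; if the controller and HVX channels are only opened by same-level system clients that is fine, but it should be stated, because a client running at a different MLS level will get an MLS denial that is easy to mistake for a missing allow rule. Which of the nine lines in this hunk are the three additions cannot be recovered from the rendered view, so a comment above the two types, e.g. `# qvrservice control and HVX camera channels; not MLS-trusted: same-level clients only`, would document the choice for the next reader.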

13
qva/private/file_contexts Executable file → Normal file

@@ -34,29 +34,34 @@
/dev/socket/dpmd u:object_r:vendor_dpmd_socket:s0
/dev/socket/tcm u:object_r:vendor_dpmtcm_socket:s0
/dev/socket/qvrservice u:object_r:vendor_qvrd_socket:s0
/dev/socket/qvrservice_controller u:object_r:vendor_qvrd_controller_socket:s0
/dev/socket/qvrservice_camera u:object_r:vendor_qvrd_socket:s0
/dev/socket/qvrservice_hvx_camera u:object_r:vendor_qvrd_hvx_socket:s0
/dev/socket/sxrservice u:object_r:vendor_sys_sxrd_socket:s0
/dev/socket/qdma_app(/.*)? u:object_r:vendor_qcc_app_socket:s0
####### system file ###############
/system/bin/seempd u:object_r:vendor_seempd_exec:s0
/(product|system_ext|system/system_ext)/bin/dpmd u:object_r:vendor_dpmd_exec:s0
/system/bin/qvrservice u:object_r:vendor_qvrd_exec:s0
/system/bin/wfdservice u:object_r:wfdservice_exec:s0
/(system_ext|system/system_ext)/bin/dpmd u:object_r:vendor_dpmd_exec:s0
/(system_ext|system/system_ext)/bin/qvrservice u:object_r:vendor_qvrd_exec:s0
/(system_ext|system/system_ext)/bin/sxrservice u:object_r:vendor_sys_sxrd_exec:s0
/system/bin/vpsservice u:object_r:vendor_vpsservice_exec:s0
####### system_ext file ###############
/(system_ext|system/system_ext)/bin/dun-server u:object_r:vendor_dun-server_exec:s0
/(system_ext|system/system_ext)/bin/bt_logger u:object_r:vendor_bt_logger_exec:s0
/(system_ext|system/system_ext)/bin/perfservice u:object_r:vendor_perfservice_exec:s0
/(system_ext|system/system_ext)/bin/qdtservice u:object_r:vendor_qdtservice_exec:s0
/(system|system_ext|system/system_ext)/bin/wfdservice u:object_r:vendor_wfdservice_exec:s0
/(system|system_ext|system/system_ext)/bin/sigma_miracasthalservice u:object_r:vendor_sigmahal_qti_exec:s0
/(system_ext|system/system_ext)/bin/qccsyshalservice u:object_r:vendor_qccsyshal_qti_exec:s0
/(system_ext|system/system_ext)/bin/mmi u:object_r:vendor_mmi_sys_exec:s0
/(system_ext|system/system_ext)/bin/mmi_diag u:object_r:vendor_mmi_sys_exec:s0
/(system_ext|system/system_ext)/bin/qspmsvc u:object_r:vendor_qspmsvc_exec:s0
####### data files ################
/data/dpm(/.*)? u:object_r:vendor_dpmd_data_file:s0
/data/misc/qvr(/.*)? u:object_r:vendor_qvrd_data_file:s0
/data/misc/sxr(/.*)? u:object_r:vendor_sys_sxrd_data_file:s0
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/misc/qdma(/.*)? u:object_r:vendor_qcc_data_file:s0
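Review bot: On the new side this hunk appears to carry two patterns for the same binaries with different labels: `/system/bin/wfdservice` → `wfdservice_exec` (L2180) and `/(system|system_ext|system/system_ext)/bin/wfdservice` → `vendor_wfdservice_exec` (L2190), plus duplicated `dpmd` (L2178/L2181) and `qvrservice` (L2179/L2182) entries. The rendered view has lost the +/- markers, so if L2178–L2180 are the removed lines this is fine; if they remain, the same path resolves to two labels and which one wins depends on libselinux's match ordering rather than on intent, so the older entries should be dropped. Either way, the `wfdservice_exec` versus `vendor_wfdservice_exec` split deserves a check that the domain transition in the matching .te file names the surviving type.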


@@ -53,3 +53,7 @@ allow vendor_qccsyshal_qti vendor_qcc_data_file:file create_file_perms;
unix_socket_connect(vendor_qccsyshal_qti, vendor_qcc_app, vendor_qcc_app)
allow vendor_qccsyshal_qti vendor_qcc_app_socket:dir r_dir_perms;
allow vendor_qccsyshal_qti vendor_qcc_app_socket:sock_file rw_file_perms;
userdebug_or_eng(`
allow vendor_qccsyshal_qti vendor_qcc_lmtp_app:unix_stream_socket connectto;
')
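Review bot: The new userdebug_or_eng block grants `connectto` on `vendor_qcc_lmtp_app`'s stream socket directly rather than through the `unix_socket_connect` macro the file uses two lines above (L2206), and carries no comment saying what the debug-only channel is for. If the app listens on a filesystem socket, the macro form `unix_socket_connect(vendor_qccsyshal_qti, vendor_qcc_lmtp_app, vendor_qcc_lmtp_app)` (which needs a matching `_socket` type for it) keeps the access tied to a labelled socket file; if it is an abstract socket, a comment saying so is the minimum, e.g. `# debug builds only: connect to the lmtp app's abstract socket for <purpose>`.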
