xiaomi-unicorn1/android_device_qcom_sepolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: xiaomi-unicorn1:unicorn-20.0
Branches Tags
xiaomi-unicorn1:unicorn-20.0 xiaomi-unicorn1:lineage-21.0-legacy-um xiaomi-unicorn1:lineage-21.0 xiaomi-unicorn1:lineage-20.0-legacy-um xiaomi-unicorn1:lineage-20.0 xiaomi-unicorn1:lineage-19.1-legacy-um xiaomi-unicorn1:lineage-19.1 xiaomi-unicorn1:lineage-19.0-legacy-um xiaomi-unicorn1:lineage-19.0 xiaomi-unicorn1:lineage-18.1-legacy-um xiaomi-unicorn1:lineage-18.1-legacy xiaomi-unicorn1:lineage-18.1 xiaomi-unicorn1:backup/lineage-18.1-legacy-um_20210424 xiaomi-unicorn1:lineage-18.0-legacy xiaomi-unicorn1:lineage-18.0-legacy-um xiaomi-unicorn1:lineage-18.0 xiaomi-unicorn1:lineage-17.1-legacy-um xiaomi-unicorn1:lineage-17.0-legacy-um xiaomi-unicorn1:lineage-17.1-legacy xiaomi-unicorn1:lineage-17.1 xiaomi-unicorn1:lineage-17.0 xiaomi-unicorn1:lineage-17.0-legacy xiaomi-unicorn1:lineage-16.0 xiaomi-unicorn1:lineage-15.1 xiaomi-unicorn1:staging/lineage-15.1 xiaomi-unicorn1:lineage-15.0 xiaomi-unicorn1:cm-14.1 xiaomi-unicorn1:staging/cm-14.1-cafmerge xiaomi-unicorn1:staging/cm-14.1-cafrebase xiaomi-unicorn1:cm-14.1_prerebase xiaomi-unicorn1:stable/cm-13.0-ZNH5Y xiaomi-unicorn1:stable/cm-13.0-ZNH2K xiaomi-unicorn1:cm-13.0 xiaomi-unicorn1:cm-14.0 xiaomi-unicorn1:LA.HB.1.3.1 xiaomi-unicorn1:caf/LA.HB.1.3.1 xiaomi-unicorn1:stable/cm-13.0-ZNH0E xiaomi-unicorn1:stable/cm-12.1-YOG7D xiaomi-unicorn1:stable/cm-12.1-YOG4P xiaomi-unicorn1:cm-12.1 xiaomi-unicorn1:staging/cm-12.1-amss-2.1-ims xiaomi-unicorn1:stable/cm-12.1-YOG3C xiaomi-unicorn1:cm-12.0 xiaomi-unicorn1:stable/cm-12.0-YNG3C xiaomi-unicorn1:stable/cm-12.0-YNG4N xiaomi-unicorn1:stable/cm-12.0-YNG1I xiaomi-unicorn1:stable/cm-12.0-YNG1T xiaomi-unicorn1:stable/cm-12.0-YNG1TA xiaomi-unicorn1:staging/cm-12.1 xiaomi-unicorn1:staging/caf/themes/cm-12.0
...
pull from: xiaomi-unicorn1:lineage-18.1-legacy-um
Branches Tags
xiaomi-unicorn1:unicorn-20.0 xiaomi-unicorn1:lineage-21.0-legacy-um xiaomi-unicorn1:lineage-21.0 xiaomi-unicorn1:lineage-20.0-legacy-um xiaomi-unicorn1:lineage-20.0 xiaomi-unicorn1:lineage-19.1-legacy-um xiaomi-unicorn1:lineage-19.1 xiaomi-unicorn1:lineage-19.0-legacy-um xiaomi-unicorn1:lineage-19.0 xiaomi-unicorn1:lineage-18.1-legacy-um xiaomi-unicorn1:lineage-18.1-legacy xiaomi-unicorn1:lineage-18.1 xiaomi-unicorn1:backup/lineage-18.1-legacy-um_20210424 xiaomi-unicorn1:lineage-18.0-legacy xiaomi-unicorn1:lineage-18.0-legacy-um xiaomi-unicorn1:lineage-18.0 xiaomi-unicorn1:lineage-17.1-legacy-um xiaomi-unicorn1:lineage-17.0-legacy-um xiaomi-unicorn1:lineage-17.1-legacy xiaomi-unicorn1:lineage-17.1 xiaomi-unicorn1:lineage-17.0 xiaomi-unicorn1:lineage-17.0-legacy xiaomi-unicorn1:lineage-16.0 xiaomi-unicorn1:lineage-15.1 xiaomi-unicorn1:staging/lineage-15.1 xiaomi-unicorn1:lineage-15.0 xiaomi-unicorn1:cm-14.1 xiaomi-unicorn1:staging/cm-14.1-cafmerge xiaomi-unicorn1:staging/cm-14.1-cafrebase xiaomi-unicorn1:cm-14.1_prerebase xiaomi-unicorn1:stable/cm-13.0-ZNH5Y xiaomi-unicorn1:stable/cm-13.0-ZNH2K xiaomi-unicorn1:cm-13.0 xiaomi-unicorn1:cm-14.0 xiaomi-unicorn1:LA.HB.1.3.1 xiaomi-unicorn1:caf/LA.HB.1.3.1 xiaomi-unicorn1:stable/cm-13.0-ZNH0E xiaomi-unicorn1:stable/cm-12.1-YOG7D xiaomi-unicorn1:stable/cm-12.1-YOG4P xiaomi-unicorn1:cm-12.1 xiaomi-unicorn1:staging/cm-12.1-amss-2.1-ims xiaomi-unicorn1:stable/cm-12.1-YOG3C xiaomi-unicorn1:cm-12.0 xiaomi-unicorn1:stable/cm-12.0-YNG3C xiaomi-unicorn1:stable/cm-12.0-YNG4N xiaomi-unicorn1:stable/cm-12.0-YNG1I xiaomi-unicorn1:stable/cm-12.0-YNG1T xiaomi-unicorn1:stable/cm-12.0-YNG1TA xiaomi-unicorn1:staging/cm-12.1 xiaomi-unicorn1:staging/caf/themes/cm-12.0

129 Commits
unicorn-20 ... lineage-18

Author SHA1 Message Date
Mao Jinlong
7e1793820d sepolicy-legacy-um: poweroffalarm_app: Add power off alarm app 
Make power off alarm app as an independent app domain so that
the sepolies will not affect other apps.
[Giovix92]: Adapt it to lineage-18.1

CRs-Fixed: 2113144
Original Change-Id: Ia80575b6dea893bde30636b9a814a6f20ea54b6f

Change-Id: Ie56c5cbade7332a145f10cd5fff0955bcfc724ef
 2022-01-10 22:49:11 -07:00
himta ram
5205565e57 sepolicy-legacy-um: Add sepolicy support for FM domain switch 
Switch FM app's domain from system to platform app.
Add sepolicy rules for fm in platform_app domain.
Reomve fm sepolicy rules from system_app domain.

CRs-fixed: 2595596
Original change-Id: I40a4f68eb8ded948d44653d3bc0209bbb3d9ef35

Change-Id: Ic889597e504379e6b3e302a9be33f87842b4e7ea
 2021-07-19 15:56:32 +02:00
Timi Rautamäki
d5646c9a11 Revert "sepolicy-legacy-um: Add sepolicy support for FM domain switch" 
This violated a neverallow:
set_prop(vendor_fm_app, vendor_fm_prop)
at system/sepolicy/public/property.te:565

This reverts commit b01a3e6a84.

Change-Id: Icca8d503a7114b0a3d05729c29d125d0248c0cb3
 2021-07-16 19:34:32 +00:00
himta ram
b01a3e6a84 sepolicy-legacy-um: Add sepolicy support for FM domain switch 
Switch FM app's domain from system to platform app.
Add sepolicy rules for fm in platform_app domain.
Reomve fm sepolicy rules from system_app domain.

CRs-fixed: 2595596
Change-Id: I40a4f68eb8ded948d44653d3bc0209bbb3d9ef35
 2021-06-13 00:53:49 +03:00
Jarl-Penguin
bf514b8086 common: Allow system_app to read fm_radio_device 
* This was moved to platform_app in c0d7a5ce1d, but AOSP FM app is still system_app

Fixes:
I auditd  : type=1400 audit(0.0:74): avc: denied { read } for comm="android.fmradio" uid=1000 name="radio0" dev="tmpfs" ino=15585 scontext=u:r:system_app:s0 tcontext=u:object_r:fm_radio_device:s0 tclass=chr_file permissive=0

Signed-off-by: Jarl-Penguin <jarlpenguin@outlook.com>
Change-Id: I9f662803390697b9456d18a4186ee7d7d6ac2e50
 2021-04-19 20:34:08 +03:00
Michael Bestas
3f031ba8c5 sdm660: Remove overly broad init rule 
* The services should be labelled properly instead

Change-Id: I401790e6b0f7bd3bcbc2dd185ced30c28ea5ad91
 2021-04-19 20:34:08 +03:00
Aayush Gupta
77caf56988 Address init denials regarding socket_device 
[    9.346918] type=1400 audit(71454275.960:7): avc: denied { create } for comm="init" name="dpmwrapper" scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0

Ref:
[0]: https://source.codeaurora.org/quic/la/device/qcom/sepolicy/commit/?h=LA.UM.9.2.1.r1-03800-sdm660.0&id=79488292273efa5ab89bc405a5f6ae4dec5d011d

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I262b06821c0625978b3685d0666bd2cf599fbf98
 2021-04-19 20:34:08 +03:00
Michael Bestas
04808cae75 Use set_prop() macro for property sets 
Change-Id: Id67a05f8ed718cad5856613c2700f4ce1e404cf0
 2021-04-19 20:34:08 +03:00
Aayush Gupta
61b6695e2f sepolicy: Switch to BOARD_VENDOR_SEPOLICY_DIRS 
- BOARD_SEPOLICY_DIRS is deprecated and gives compile-time
  errors when used in unison with a device using BOARD_VENDOR_SEPOLICY_DIRS

Ref:
[0]: ec3ac470a9

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Icefb062cc8cdef532b4310684d9a66afe97e49c4
 2021-04-19 20:34:08 +03:00
Aayush Gupta
72f52b00f0 legacy-um: qva: Label dpmd in /system/product/ again 
[   10.221175] init: File /system/product/bin/dpmd (labeled "u:object_r:system_file:s0") has incorrect label or no domain transition from u:r:init:s0 to another SELinux domain defined. Have you configured your service correctly? https://source.android.com/security/selinux/device-policy#label_new_services_and_address_denials

This was removed in [0] while labeling system_ext

Ref:
[0]: e296a06d9d

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I53b8a1e3fcd0cb746d999512a85b8f2da4026764
 2021-04-19 20:34:08 +03:00
Aayush Gupta
c589f054fd sdm660: Generate contexts for rtc 
[   14.612920] type=1400 audit(1601989375.643:13): avc: denied { open } for comm="system_server" path="/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0/hctosys" dev="sysfs" ino=33519 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1
[   14.612933] type=1400 audit(1601989375.643:14): avc: denied { getattr } for comm="system_server" path="/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0/hctosys" dev="sysfs" ino=33519 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: If6b278de0a67086595cee21395d1ceaf52fbef28
 2021-04-19 20:34:08 +03:00
Michael Bestas
277f836bef Label old telephony extension 
* It was renamed in bb15e90b05

Change-Id: I0a4ac559c2fe1b9e8c3267a8afa4ebc7a3a17600
 2021-04-19 20:34:08 +03:00
Michael Bestas
14cb6bce6c Label persist.vendor.bluetooth. properties 
* As seen on non legacy

Change-Id: I06c8b554256565f536fc643e3a743272c841cdef
 2021-04-19 20:34:08 +03:00
Vinay Gannevaram
c2263567eb sepolicy : Add rule to set property for wlan driver/fw ver info 
wlan driver/fw version are set at property at enforcing mode.
Add rules to allow to set wlan driver/fw version info

CRs-Fixed: 2460816
Change-Id: Ic0bb570cd53fe450512496c5864f432ce3219bbe
 2021-04-19 20:34:08 +03:00
Michael Bestas
1f12a66898 Allow hal_sensors read vendor_sensors_dbg_prop 
* As seen on non-legacy sepolicy

Change-Id: I1647ff9e5eaff018545bce0d4999faffaa2d83c3
 2021-04-19 20:34:01 +03:00
Nolen Johnson
46738193d7 sepolicy: cnd: Conditionally allow access to wifi_prop 
Author: Nolen Johnson <johnsonnolen@gmail.com>
Date:   Fri Jun 26 15:46:09 2020 -0400

    sepolicy: cnd: Allow access to wifi_prop

    [    9.846720] type=1400 audit(61515473.570:12): avc: denied { read } for comm="cnd" name="u:object_r:wifi_prop:s0" dev="tmpfs" ino=13866 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=1
    [    9.847037] type=1400 audit(61515473.570:13): avc: denied { open } for comm="cnd" path="/dev/__properties__/u:object_r:wifi_prop:s0" dev="tmpfs" ino=13866 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=1
    [   11.598514] type=1400 audit(61515473.570:14): avc: denied { getattr } for comm="cnd" path="/dev/__properties__/u:object_r:wifi_prop:s0" dev="tmpfs" ino=13866 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_prop:s0 tclass=file permissive=1

    Change-Id: Ie88ab998f7a139f118c4ceb5192579644222e162

Author: dianlujitao <dianlujitao@lineageos.org>
Date:   Wed Jul 8 05:17:11 2020 +0200

    sepolicy: cnd: Fix wifi_prop neverallow for compatible props

    Not needed and hits a neverallow when compatible props enabled

    Change-Id: Ie7980473ecc6444e88c026cef0080fda46c20fdd

Change-Id: I0f97dd0a117c77c4a74bac13d1f36181d72d3663
 2021-04-19 17:06:15 +03:00
Arthur Shuai
0ed559b657 Sepolicy: add define for lksecapp vbmeta and dtbo 
Change-Id: Ibdfad127f8d537c94f99420dfa9f843381f38207
 2021-04-19 17:06:15 +03:00
Bruno Martins
e6ac732e30 sepolicy-legacy-um: Allow Snap to read camera props 
02-25 21:38:31.023  2757  2757 W .lineageos.snap: type=1400 audit(0.0:43): avc: denied { read } for name="u:object_r:camera_prop:s0" dev="tmpfs" ino=7213 scontext=u:r:snap_app:s0:c512,c768 tcontext=u:object_r:camera_prop:s0 tclass=file permissive=0 app=org.lineageos.snap
02-25 21:38:31.028  2757  2757 E libc    : Access denied finding property "camera.qcom.misc.disable"

Change-Id: I0c554b9785b28aa276ffd7864905a07f67b33aba
 2021-04-19 17:06:15 +03:00
Michael Bestas
223774b42c msm8953: Label additional SSR sysfs 
* 3.18 paths are different

Change-Id: I52355977495d81e26a086f60e03f7a43d8d97748
 2021-04-19 17:06:15 +03:00
Chirayu Desai
38bbed09bb Label persist/rfs recursively 
* restorecon_recursive silenty fails otherwise.

Change-Id: If31d9b55dc68f39ee6b43d784167e7233b8e07c8
 2021-04-19 17:06:15 +03:00
Michael Bestas
830728cc10 Allow vendor_init set vendor_time_service_prop 
* Required to set persist.vendor.delta_time.enable=true
  in vendor build.prop with property isolation enabled

Change-Id: I180f236c6aac2a7266f4d49dfe9c1ca9e5582c5c
 2021-04-19 17:06:15 +03:00
Michael Bestas
ef57b0daf9 sdm660: Label sysfs_uio_file 
Change-Id: I10d90a4dd01ec86f6d371685e7669b7b8f676529
 2021-04-19 17:06:15 +03:00
Michael Bestas
32e1a944cf sdm660: Label sysfs_ssr_toggle 
Change-Id: If24855f5e72d904043e69893fa5590ac26b46ff5
 2021-04-19 17:06:15 +03:00
Max Weffers
85876f88e5 common: Fix sysfs_socinfo Label for sensors 
Change-Id: Ibae8f1b28c3d902b3bfe1ca015633b3bb0c12375
 2021-04-19 17:06:15 +03:00
Michael Bestas
79bbaeb242 common: Label persist.vendor.camera.debug.logfile 
* Used in recent camera HALs

Change-Id: I81ac7c9bf262365a6baabde3fac5ce652c8e683c
 2021-04-19 17:06:15 +03:00
Shashi Shekar Shankar
f83b4826c7 sepolicy : msm8998: remove regexp for ssr node on sysfs 
Remove regexp & add target specific genfs_context

CRs-Fixed: 2166567

Change-Id: Ib950ca0d72bc7e5647410e1876a8ce9095ca9aba
 2021-04-19 17:05:28 +03:00
Mohit Aggarwal
62662a5979 sepolicy: setting secontext to rtc node 
Change-Id: I0235cd63bfa7fc46aca1a047e40d1fc4b71d4ea0
 2021-04-19 16:57:20 +03:00
Amit P Choudhari
d5b97a90ff sepolicy: Add rw permission for i2c touch sys node 
Change-Id: Ife56a3253bd97c2da2d7b70c0553627d32d153ba
 2021-04-19 16:56:23 +03:00
Michael Bestas
457a62f758 msm8998: Label LED sysfs 
* Similar to sdm660

Change-Id: I691e0f7a7ea3fcf753a353cbe2171cc167bac3bf
 2021-04-19 16:53:16 +03:00
Michael Bestas
136be2777f msm8998: Label usbpd sysfs 
* Similar to sdm660

Change-Id: I069843bc98b742afe61b1b845a9874be0ee5f61f
 2021-04-19 16:52:28 +03:00
jrior001
9bcf8e2c4e sepolicy: allow vold to read persist dirs 
* Needed for fsck

Change-Id: Ibff5485fcaebc181d9aa17fcea38cf4ae3146193
 2021-04-19 16:33:17 +03:00
Michael Bestas
6305336212 Import msm8996 policy from lineage-17.1-legacy-um 
* Removed automotive & qvrd policy
* Removed commented out rules

Change-Id: I94a6261260a3cb49da8fa7be910edac19efebb3a
 2021-04-19 16:33:17 +03:00
Bruno Martins
e05c326e2c sepolicy: Allow mm-qcamerad to access v4L "name" node 
Change-Id: I42b329d782795feed776b09d5c12d89be9bac868
 2021-04-19 16:33:17 +03:00
Bruno Martins
30e84ccb5a sepolicy: Fix video4linux "name" node labeling 
Do u even regex, br0?

Change-Id: If907448d394f967268c9f72051bec5a47220087b
 2021-04-19 16:33:15 +03:00
Michael Bestas
2b143f3c48 Use set_prop() macro for property sets 
Change-Id: Id67a05f8ed718cad5856613c2700f4ce1e404cf0
 2021-04-19 16:32:52 +03:00
Rashed Abdel-Tawab
a826c0b542 qcom: Label vendor files with (vendor|system/vendor) instead of vendor 
Not all devices have a vendor partition so these labels blatantly get
ignored without labelling system/vendor on those devices.

Change-Id: I244d667f6b3ddcf7eac71719a981dc25dc401873
 2021-04-19 16:32:51 +03:00
Michael Bestas
fdbed5d8bd sepolicy: Label persist partition for all SoCs 
Change-Id: I8db3acb9a1b958ec59c7f14c6ee16ea466548cc7
 2021-04-19 16:31:14 +03:00
dianlujitao
eb83f6bf18 sepolicy: Unlabel aux camera whitelist prop 
* This will be properly labeled in device/lineage/sepolicy
   to make it readable to everything on every device

Change-Id: Idec6cad06c51ba73519f61e95c74e1c8915d301b
 2021-04-19 16:31:14 +03:00
Michael Bestas
dc1cf5bce8 sepolicy: Remove rules for non legacy platforms 
* All these platforms are not legacy and shall inherit from the proper
   branch (lineage-18.0)

Change-Id: I475ae930ac5b682b613a9b17dece7fa4a160a6ba
 2021-04-19 16:31:13 +03:00
Pig
1837c8048f sepolicy: Include Lineage-specific QCOM sepolicy 
Change-Id: Ibf70e4c8ab9d91b50c62c3e9f1263e1624e8ca00
 2021-04-19 16:28:50 +03:00
Volodymyr Zhdanov
7c71fe419e legacy: Fix newline in file_contexts 
Change-Id: Ia1543799d5cf858053dd127c1e9ea9559236bd9e
 2021-04-19 16:28:50 +03:00
Michael Bestas
50983df3e3 sepolicy: Update paths for new repository location 
Change-Id: Ibdaed7b3ff6463c682c65091ffbc82c36bfff348
 2021-04-19 16:28:50 +03:00
Pig
c0ebb88955 sepolicy: Remove QCOM guards 
Change-Id: I0efd0b96f45ecfa9eec0b98087f0582dcd282798
 2021-04-19 16:28:50 +03:00
Linux Build Service Account
59c227e2f7 Merge e373d6be26 on remote branch 
Change-Id: Iad35e2d1073ca6ba1a95e2892ec2d1b2f0c9a048
 2021-03-01 01:43:22 -08:00
qctecmdr
e373d6be26 Merge "sepolicy : add new qsta_app.te file for QSTA app" 2021-02-10 23:49:55 -08:00
Akhil Manikoth Kallankandy
86ab7112b8 sepolicy : add new qsta_app.te file for QSTA app 
Change-Id: I7c1086ef983a2a74415a5291b39dfc0305bcc601
 2021-02-11 10:40:40 +05:30
Shreyas Narayan
e41e2605d6 Merge commit '34ef27f337653f5e641d33af1362311e530d6cc5' into HEAD 
Change-Id: Ica30ee354aec7cbda064f9e612ce7189a60a54df
 2021-02-10 18:53:23 +05:30
Shivam Agrawal
3b8db900e7 sepolicy: Revert WFD specific Upmerge changes 
Change-Id: I23ac8a7511f2c1c8133bdba8e1155177a51e0bc1
 2021-01-25 08:39:36 -08:00
Shreyas Narayan
3f36e40b58 Merge commit 'b69efc22159aba49a9f5323f06c9cb8a3181ec43' into HEAD 
Change-Id: I2b2443f1516a85214c240c74a7ea2e0445d72f94
 2021-01-11 13:52:40 +05:30
qctecmdr
34ef27f337 Merge "sepolicy: msm8998: Add sepolicy labels for charger/fg nodes" 2021-01-06 22:31:07 -08:00
Himanshu Agrawal
6fc906052f sepolicy : Add sysfs_net path entries 
Update the secontexts for sysfs_net for
sdm630 and msm8998 targets.

Change-Id: Id5bac9a1b3534ff9f14be606b31fd3b881f5b9f1
 2020-12-16 16:46:43 +05:30
Guixiong Wei
b69efc2215 sepolicy: Remove poweroffalarm system uid and redundant rules 
remove poweroffalarm system uid and redundant rules

Change-Id: If51e9ae948b68f1187c66d748935fd1014e72e11
 2020-12-15 18:39:22 -08:00
Gurram Pravalika
ffb6c9041c sepolicy: Add policies for for video in HAL1 
Change-Id: I954b96582719e3e7145fd0ab1afd0425494c3ba7
 2020-12-14 22:57:44 -08:00
qctecmdr
6cfdc77609 Merge "sepolicy : Upmerge changes." 2020-12-14 00:14:39 -08:00
Himanshu Agrawal
847a96868b sepolicy: msm8998: Add sepolicy labels for charger/fg nodes 
Add sepolicy labels for charger/fg nodes,
to allow access permissions to userspace.

Change-Id: I74a193a6dd3be6ecceb5939ca814661029d8105b
 2020-12-13 22:21:22 -08:00
Nitin Shivpure
d5327a1a9d sepolicy: allow bluetooth to make binder call to gpuservice 
allow bluetooth to make binder call to gpuservice.

CRs-fixed: 2748533
Change-Id: Idff3f3c0377fc5dae3e715417556c696f7e4620e
 2020-12-14 10:33:49 +05:30
Gurram Pravalika
9c244d7ff9 Fix for avc denials for video on HAL1 
Change-Id: Id60d4c7907f50fc0326a788256f843bb820bdafe
 2020-12-13 19:54:20 -08:00
Himanshu Agrawal
0240ff9832 sepolicy : Upmerge changes. 
Change-Id: I90fb0d6eb70bd5e0e790f8bae7b6cd0501442338
 2020-12-11 06:07:39 -08:00
Shayak Biswas
1442222426 Allow dumpstate for a binder call with power Hal 
This allows dumpstate to have a binder call with power
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: I646fdce79776083df74df48134e85c65dbee69dc
 2020-12-11 09:56:09 +05:30
Himanshu Agrawal
7fdf0be393 sepolicy: msm8998: Add sepolicy labels for charger/fg nodes 
Add sepolicy labels for charger/fg nodes,
to allow access permissions to userspace.

Change-Id: I74a193a6dd3be6ecceb5939ca814661029d8105b
 2020-12-10 18:31:36 +05:30
Kripa Bhat
5d40fe89f3 Allow dumpstate to have a binder call with Lights Hal 
This allows dumpstate to have a binder call with Lights
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: Iec081b1069b2569c68b72ff009f12018c946a0a8
 2020-12-08 22:51:16 -08:00
Shreyas Narayan
d7c91be21c Merge commit 'f99708294337c9e92f35cf6ec3ab2bfd999603cc' into HEAD 
Change-Id: I620062aaf36c78c2f7b00e070f3f58ee07f42b36
 2020-12-06 16:58:12 +05:30
Manjunatha Ramachandra
06bbb12f3f sepolicy: updating label on read_ahead_kb nodes 
Removing read_ahead_kb nodes from sysfs_mmc_host
node. And adding sysfs_dm to perf hal and
init_shell files' allow list.
This change is being made inorder to address
the bugnizer 161927268 for legacy msm8937_32go platforms.

CRs-Fixed: 2826612
Change-Id: I190b9891eaf52fc4eb7d4fd73567572101ee288e
 2020-12-02 23:27:09 -08:00
Himanshu Agrawal
7cde36f779 Add sepolices to update engine domain. 
While applying OTA update package, update engine
    loops through partitions entries/mountpoints.
    Add few policies and supress the dac ones.

- Allow update_engine to access recovery partition for OTA
- Allow update engine to access to metadata_file.
    With virtual-ab feature, update engine needs access
    to metadata_file, allow the same.

Change-Id: I07636f79870594a07755c54e55b5b6846e53c2e9
 2020-12-01 06:08:31 -08:00
Eruvaram Kumar Raja Reddy
f997082943 sepolicy: adding vendor prefix to avoid naming colision 
Update legacy properties with vendor prefix to void VTS failure
due to API30 changes

CRs-Fixed: 2825382

Change-Id: I39a5de4ad6450d805bf74e88aabc38c8347d89a4
 2020-11-30 17:01:29 +05:30
Himanshu Agrawal
9871e2edb6 Allow vendor_init to set ubwc property 
vendor.video.disable.ubwc is added to /vendor/build.prop,
allowing vendor_init to set this property to ensure the
property can be read by mm-video and through getprop

Change-Id: I99f658ea60cb83d4ebea6709db27e93166ad0667
 2020-11-27 11:51:38 +05:30
Himanshu Agrawal
9828005327 Allow vendor_init to set ubwc property 
vendor.video.disable.ubwc is added to /vendor/build.prop,
allowing vendor_init to set this property to ensure the
property can be read by mm-video and through getprop

Change-Id: I01d27cd1af7abde5a9fef84fd8814e94d93c8a7d
 2020-11-26 02:24:18 -08:00
Linux Build Service Account
b7a56e089e Merge "genfs_context: Enabling Vibrator for sdm660" into sepolicy.lnx.6.0.r13-rel 2020-11-24 23:48:07 -08:00
Milap Gajjar
9c3a633d1e genfs_context: Enabling Vibrator for msm8998 
Sepolicy: Added Access permission for vibrator

Change-Id: I38017a3641c84aa570d53c1e339082bc781c5187
CRs-Fixed: 2810219
 2020-11-24 23:38:11 -08:00
Mandeep Singh
fc645d50b4 genfs_context: Enabling Vibrator for sdm660 
Sepolicy: Added Access permission for vibrator

Change-Id: I7152a77d676c8b97bd5da1f5c86446f42ac65c97
CRs-Fixed: 2810635
 2020-11-24 23:37:51 -08:00
Jeya R
ca2c52ef3f sepolicy: Add permissions in init for vendor_adsprpc_prop 
Add permissions in init shell to modify vendor_adsprpc_prop.
Change-Id: I5a4dcbf54686c3add9fa0756aff7bb694d96adcb
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
 2020-11-24 22:39:42 -08:00
Milap Gajjar
2ef09c6613 genfs_context: Enabling Vibrator for msm8998 
Sepolicy: Added Access permission for vibrator

Change-Id: I38017a3641c84aa570d53c1e339082bc781c5187
CRs-Fixed: 2810219
 2020-11-24 20:36:33 -08:00
qctecmdr
aa7d66b220 Merge "genfs_context: Enabling Vibrator for sdm660" 2020-11-24 03:02:24 -08:00
Shreyas Narayan
9d4cb9bc9e Merge commit 'ae9d9330566ae185c8485e6237d94c2091defe87' into HEAD 
Change-Id: Ieb7db3a2df28fbc090b9b71cec10d70d9dacbae0
 2020-11-19 20:52:51 +05:30
Jeya R
29b1061aaa sepolicy: Add permissions in init for vendor_adsprpc_prop 
Add permissions in init shell to modify vendor_adsprpc_prop.
Change-Id: I5a4dcbf54686c3add9fa0756aff7bb694d96adcb
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
 2020-11-18 15:22:36 +05:30
Mandeep Singh
3de9ff4499 genfs_context: Enabling Vibrator for sdm660 
Sepolicy: Added Access permission for vibrator

Change-Id: I7152a77d676c8b97bd5da1f5c86446f42ac65c97
CRs-Fixed: 2810635
 2020-11-03 09:37:37 +05:30
Shawn Shin
ce33f422e7 sepolicy:qcc add to legacy 
Change-Id: I7031cd4070c478f1fccfe8e0b1e7053d6c57c36e
 2020-10-30 16:10:52 -07:00
qctecmdr
758b6d2b99 Merge "sepolicy: align fst-manager and wigig legacy rules" 2020-10-29 23:51:22 -07:00
qctecmdr
887dc95b06 Merge "sepolicy: allow block_suspend deniel for lmkd" 2020-10-28 00:12:18 -07:00
Dedy Lansky
046ff067d0 sepolicy: align fst-manager and wigig legacy rules 
Add legacy rules for enabling fst-manager to act
as a HAL service, and allow fst-manager and wigig
framework to access the capability config store.
These rules were missing in the legacy folder and
copied from the qva rules since there are still
platforms that need them.

Change-Id: I7a08bec9f3f84599a6392e8a5bd22c26e28e00a3
 2020-10-27 22:53:42 -07:00
Himanshu Agrawal
21fbe23415 sepolicy: allow block_suspend deniel for lmkd 
Avoid below deniel for lmkd:
avc: denied{ block_suspend }for comm="lmkd" capability=36
scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability2
permissive=0.

Change-Id: I332281110d4fa1fa208349a302fdc33a3a40d8ef
 2020-10-27 22:31:24 -07:00
Arvind Kumar
7af4487b0c Add file context for Light AIDL HAL Service 
Change-Id: I1e5a79a5846910f90362d97899e5fc0d7dbfadbb
 2020-10-27 00:54:23 -07:00
Ankur Sharma
ae9d933056 Sepolicy denials xtra for legacy R targets 
- Fix sepolicy denial when xtra-daemon access the cacert
service.
- Allow location clientdomain to perform binder IPC to
qtidataservices_app serverdomain.

Change-Id: I0aae254fb4b4a67336d67f96856a2cf0d70954fc
CRs-Fixed: 2778560
 2020-10-21 07:34:12 -07:00
c_gopir
7dff049400 Sepolicy : Add power AIDL to context 
Add power HAL exec to file contexts

Change-Id: Ib97298e739f030454256c88f78e6862c2f4838bb
 2020-10-19 21:44:18 -07:00
qctecmdr
1e9503d754 Merge "sepolicy: Add video property to get permission" 2020-10-15 22:17:56 -07:00
Milap Gajjar
78877b8b75 msm8998 inital bringup with enforce mode 
Change-Id: If8164daa32ca0ba796a4bf78e9c450ce1669b509
 2020-10-15 01:56:39 -07:00
Paras Nagda
44e4db86e8 sepolicy: Add video property to get permission 
Allow Zygote to read video property

Change-Id: Iac936e84549cde02e2b87309f32cdbd2d8a0fe5f
 2020-10-14 06:30:06 -07:00
Milap Gajjar
ef77a8cdd5 sdm660: Initial bring up sepolicy changes 
Change-Id: Ifa42b7bebd66884698697fecc538f1ff6057519d
 2020-10-14 03:27:54 -07:00
Linux Build Service Account
de5358fe9b Merge 7036682bb5 on remote branch 
Change-Id: I15ec39714239f040101e3b8e2af70488e9f5ed50
 2020-10-09 03:53:42 -07:00
Paras Nagda
5bc47cdaf0 sepolicy: Add video property get permission 
Allow mediaserver to read video sys property

Change-Id: Id09d5fbcbacbba3130ca9d7759ff67ade3a839b3
 2020-10-06 22:26:31 -07:00
qctecmdr
b22751353a Merge "sepolicy: add policies for DSP HAL manager" 2020-09-30 00:50:57 -07:00
Jiten Patel
c4f5909333 sepolicy: Policy fix for rpmb partition 
On 4.19 kernel, due to upstream commit <97548575be>
(mmc: block: Convert RPMB to a character device),
Block device design for RPMB is now changed to char device.
This change add required permissions for qseecom daemon to
be able to access new device design for RPMB eMMC device.

Change-Id: I77a4ffc2107e61f66fe75cd2ccdc4d8da2685523
 2020-09-26 17:09:23 +05:30
Karthik Gopalan
bc3a9ace81 sepolicy: Add policies for beluga properties 
Add policies for beluga properties

Change-Id: I25283d9148166ad158181efddebd61277eebf8cb
 2020-09-24 01:36:11 -07:00
qctecmdr
e40220732a Merge "sepolicy: Allow all app domains to search sysfs_kgsl" 2020-09-23 01:51:40 -07:00
Murthy Nidadavolu
5093741240 sepolicy: Updating sepolicy for DRM HAL 
Adding 1.3 drm HAL to file_contexts.

Change-Id: I59f87fb9eb4a1605cf299a973986164f6761dab2
 2020-09-21 23:27:53 -07:00
Vamsi Krishna Gattupalli
fa6d5b4fdc sepolicy: add policies for DSP HAL manager 
Add DSP HAL manager related attributes and policies. Allow untrusted
shell apps and APKs to be a client of the DSP HAL server. Mark the
DSP HAL interface library as same process HAL.

Change-Id: I7b2e5c716c6191d480d26d39a3adf188dc3aefb3
 2020-09-22 10:52:41 +05:30
Murthy Nidadavolu
8d4a25335b sepolicy: Updating sepolicy for DRM HAL 
Adding 1.3 drm HAL to file_contexts.

Change-Id: I59f87fb9eb4a1605cf299a973986164f6761dab2
 2020-09-18 13:39:59 +05:30
qctecmdr
ee00935244 Merge "sepolicy: Update thermal-engine sepolicy rules for legacy vendor file" 2020-09-16 03:30:27 -07:00
Linux Build Service Account
29a537043c Merge 3bdddf83fd on remote branch 
Change-Id: I21cc51f8e17930a8d9dea985d436ecda74b0de01
 2020-09-15 04:44:24 -07:00
Nilesh Gharde
07cedab877 Sepolicy denials for location on legacy R targets 
Fix for denial when xtra-demon trying getting
qccsyshal service  instance

Change-Id: I522531dee26dd5ee426a7ae966e49a0a4e685481
CRs-fixed: 2765244
 2020-09-15 11:55:49 +05:30
Asha Magadi Venkateshamurthy
7ef030e945 sepolicy: Update thermal-engine sepolicy rules for legacy vendor file 
Update legacy thermal-engine sepolicy rule for SDM660 target by adding
access of sysfs nodes of thermal devices, kgsl and devfreq by adding
sepolicy rules.

Change-Id: I49c511d2dbc67169daa937102d58839eb799b977
 2020-09-14 12:14:23 +05:30
qctecmdr
7036682bb5 Merge "sepolicy: add support for separate dcvs script for sdm660" 2020-09-04 05:32:35 -07:00
Asha Magadi Venkateshamurthy
c7c8131f02 sepolicy: add support for separate dcvs script for sdm660 
Give sepolicy permission to dcvs node used to set
memlat parameters.

Change-Id: Iadddf5d11375a6d7cc48d523ed8c44baf4643be1
 2020-09-04 10:55:17 +05:30
Bharat Pawar
b4ca9cb07f sepolicy: Allow all app domains to search sysfs_kgsl 
Fixing below avc denails
type=1400 audit(0.0:86144): avc: denied { search } for
name="kgsl-3d0" dev="sysfs" ino=43551 scontext=u:r:mediaswcodec:s0

Change-Id: Ibf7a9a231119c23c4830538323587edbe95150a2
 2020-09-03 19:15:02 +05:30
Bharat Pawar
90dc370d64 sepolicy: Adding rules for servicetracker HAL for legacy target. 
Also adding file_context for servicetracker V1.2
Change-Id: I7145f86093c954376e6dd8bbcd8f6d2e6005a981
 2020-09-03 17:47:59 +05:30
Bharat Pawar
3bdddf83fd sepolicy: Add label for vibrator AIDL HAL service 
Add selinux label for vibrator AIDL HAL service
so that it can accessthe vibrator device correctly.

Change-Id: I6486b6cf399ce60a671b187c624993820c6f246c
 2020-08-21 15:48:02 +05:30
qctecmdr
f95a6b8611 Merge "perf: Fix sepolicy errors during boot" 2020-08-13 07:28:05 -07:00
qctecmdr
33281c7bda Merge "Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0" 2020-08-13 05:34:25 -07:00
qctecmdr
3c94562422 Merge "sepolicy: Remove all qssi specific WFD sepolicy change" 2020-08-13 03:40:25 -07:00
Shashi Shekar Shankar
ded4b6e973 perf: Fix sepolicy errors during boot 
Fix sepolicy errors on legacy targets.

Change-Id: Ia491e7e3330243d3ec70fba97c3beafc65f93afc
 2020-08-12 19:57:11 -07:00
Pavan Kumar M
b7b9097e20 sepolicy: Add sepolicy rules for IImsFactory HAL for legacy targets 
Change-Id: I371457018f309bb3a23138ac8d71d4628430f69e
 2020-08-07 04:26:38 -07:00
Rajeswari N
ae41118035 sepolicy: Add perf 2.2 hal 
Support for perf HAL 2.2 uprev

Change-Id: Ia6abea00751494803bf78839ef96608dfbc9b09d
 2020-08-04 15:15:36 +05:30
Rajshekar Eashwarappa
e8744377c0 msm8998 inital bringup with enforce mode 
Change-Id: If8164daa32ca0ba796a4bf78e9c450ce1669b509
 2020-08-04 12:56:10 +05:30
Linux Build Service Account
b7f7ab6102 Merge d580bc7940 on remote branch 
Change-Id: I22397a9575fd81b765602ddff93ef51449d878c3
 2020-08-03 07:42:35 -07:00
Shivam Agrawal
ff436b9716 Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0 
- WFD sepolicy fix.

Change-Id: I1000b0277318ca7439a5bb177787dffe8d51b7c9
 2020-07-29 14:10:43 +05:30
qctecmdr
d580bc7940 Merge "Allow BT LAZY HAL serivce to access bluetooth hal" 2020-07-28 08:46:15 -07:00
qctecmdr
8e93513c1d Merge "sepolicy: Add interface entry for Legacy HAL" 2020-07-28 06:48:53 -07:00
Bharat Pawar
b98304acab Allow BT LAZY HAL serivce to access bluetooth hal 
BT lazy service is a new shared object on go targets
which requires to access BT HAL.

Change-Id: I5b4248a35c52211e03da9f0f9410d967e2b2c602
 2020-07-22 22:54:28 +05:30
Tapas Dey
c6aece100b sepolicy: Add interface entry for Legacy HAL 
Added INxpNfcLegacy HAL interface entry
for Legacy HAL.

Change-Id: I8e241a7f13ce5d6431a47c3084384af6c0291cba
 2020-07-22 14:08:54 +05:30
Shivam Agrawal
05ae9e6df9 sepolicy: Remove all qssi specific WFD sepolicy change 
- revert all qssi specific WFD sepolicy changes on 6.0.c2
  to port WFD sepolicy changes from sepolicy.lnx.5.0

Change-Id: I22e335471e2877ce1c3fd24c1997ae037c4f38df
 2020-07-16 19:57:37 +05:30
Rajeswari N
5bab8c4b02 sepolicy: sepolicy changes for perf HAL Uprev 
Perf Hal Uprev 2.1 support added and IPerfcallback HAL added

Change-Id: Icd1cfba45e2a118de9a1944e6d9709ae458b9015
 2020-07-16 00:04:44 -07:00
Rajshekar Eashwarappa
dbb48aa54b SEPolicy: Adding sdm660 policies 
Change-Id: I71b5ec869475846e0c7b8f3ba00f6a018a631a50
 2020-07-10 01:00:59 -07:00
himta ram
10a90a8e77 sepolicy: add sepolicy rules for pronto based targets 
Add sepolicy rule for pronto based targets.

CRs-Fixed: 2724004
Change-Id: I64804f3dd532934d314cb5731fc7f1633d13a236
 2020-07-02 14:00:32 +05:30
qctecmdr
a55d07264e Merge "sepolicy: Adding vendor_qti_init_shell label to legacy" 2020-07-01 09:29:09 -07:00
qctecmdr
a123f4808c Merge "Remove QtiTetherService references" 2020-07-01 09:23:48 -07:00
Pavan Kumar M
5cffcfdf15 Remove QtiTetherService references 
QtiTetherService is not used anymore, remove all
the existing references

Change-Id: I9cf47507686907d29faef44c65d6e30dd584f19c
CRs-Fixed: 2710079
 2020-06-15 10:21:25 +05:30
Udipto Goswami
12fed7ec7d sepolicy: Adding vendor_qti_init_shell label to legacy 
There are some targets which uses legacy sepolicy but
USB uses vendor_qti_init_shell label for its rc file
execution which causes a mismatch as legacy uses
qti_init_shell. This stop the USB rc file from
executing the command for calling the script file
responsible for setting the composition.
Ultimately setting the default value which is adb
on bootup instead of default composition.

Fix this by setting an alias as vendor_qti_init_shell
in legacy sepolicy for qti_init_shell allowing USB
to use vendor label.

Change-Id: Ia8953ed61bb1b87d01b17d02fc7e4bf4b86e66eb
Signed-off-by: Udipto Goswami <ugoswami@codeaurora.org>
 2020-06-12 04:00:05 -07:00
Bharat Pawar
5fb71e0e4a sepolicy: Pick legacy sepolicies for 8953/37 targets 
Pick legacy sepolicy rules instaed of qva for 8953 and
8937 targets.

Change-Id: I509de01be51f1fc19ac3e1f49ffcf3f547c70457
 2020-06-12 14:25:51 +05:30
Bharat Pawar
327503aee9 sepolicy: Add support for 8937 and 8953 targets 
Change-Id: I22d8f079acfc59c16adb66e46755157b7c61a6bd
 2020-06-05 16:27:16 +05:30
596 changed files with 2808 additions and 20274 deletions
Expand all files Collapse all files

49
SEPolicy.mk
View File

@@ -1,9 +1,9 @@
# Board specific SELinux policy variable definitions
ifeq ($(call is-vendor-board-platform,QCOM),true)
SEPOLICY_PATH:= device/qcom/sepolicy
SEPOLICY_PATH:= device/qcom/sepolicy-legacy-um
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/generic/public
$(SEPOLICY_PATH)/generic/public \
$(SEPOLICY_PATH)/generic/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
@@ -11,7 +11,8 @@ BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/qva/public
$(SEPOLICY_PATH)/qva/public \
$(SEPOLICY_PATH)/qva/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
@@ -22,51 +23,29 @@ BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
PRODUCT_PUBLIC_SEPOLICY_DIRS := \
$(PRODUCT_PUBLIC_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/product/public \
$(SEPOLICY_PATH)/qva/product/public
$(SEPOLICY_PATH)/qva/product/public
PRODUCT_PRIVATE_SEPOLICY_DIRS := \
$(PRODUCT_PRIVATE_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/product/private \
$(SEPOLICY_PATH)/qva/product/private
ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/generic/vendor/common \
$(SEPOLICY_PATH)/qva/vendor/common/sysmonapp \
$(SEPOLICY_PATH)/qva/vendor/ssg \
$(SEPOLICY_PATH)/qva/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
else
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
endif
endif
ifneq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
ifneq (,$(filter sdm660 msm8937 msm8953 msm8996 msm8998, $(TARGET_BOARD_PLATFORM)))
BOARD_VENDOR_SEPOLICY_DIRS := \
$(BOARD_VENDOR_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/legacy/vendor/common/sysmonapp \
$(SEPOLICY_PATH)/legacy/vendor/ssg \
$(SEPOLICY_PATH)/legacy/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_BOARD_PLATFORM)
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_BOARD_PLATFORM)
else
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test
BOARD_VENDOR_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test
endif
endif
endif
-include device/lineage/sepolicy/qcom/sepolicy.mk

2
generic/private/file_contexts
View File

@@ -28,3 +28,5 @@
/data/misc/seemp(/.*)? u:object_r:vendor_seemp_data_file:s0
/(product|system/product)/etc/init\.qcom\.testscripts\.sh u:object_r:qti-testscripts_exec:s0
/storage/emulated(/.*)? u:object_r:media_rw_data_file:s0

6
generic/private/property_contexts
View File

@@ -27,3 +27,9 @@
ro.vendor.qti.va_aosp.support u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.qti.va_odm.support u:object_r:vendor_exported_odm_prop:s0 exact bool
ro.vendor.perf.scroll_opt u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.perf.scroll_opt.heavy_app u:object_r:vendor_exported_system_prop:s0 exact int
ro.netflix.bsp_rev u:object_r:vendor_exported_system_prop:s0 exact string
# Beluga
ro.vendor.beluga. u:object_r:vendor_exported_system_prop:s0

6
generic/private/qtelephony.te
View File

@@ -34,5 +34,11 @@ hwbinder_use(vendor_qtelephony);
get_prop(vendor_qtelephony, hwservicemanager_prop);
add_hwservice(vendor_qtelephony, vendor_hal_atfwd_hwservice);
userdebug_or_eng(`
hal_client_domain( vendor_qtelephony, vendor_hal_diaghal)
')
allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;
allow vendor_qtelephony system_api_service:service_manager find;
allow vendor_qtelephony app_api_service:service_manager find;
hal_client_domain(vendor_qtelephony, hal_telephony)

2
generic/private/qti-testscripts.te
View File

@@ -95,4 +95,6 @@ userdebug_or_eng(`
binder_call(platform_app, qti-testscripts)
binder_call(system_app, qti-testscripts)
# allow lmkd to kill tasks with positive oom_score_adj under memory pressure
allow lmkd qti-testscripts:process { setsched sigkill };
')

6
qva/vendor/common/radio.te → generic/private/radio.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,5 +25,5 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#qspm
hal_client_domain(radio, vendor_hal_qspmhal)
hwbinder_use(radio)
allow radio mediaextractor_service:service_manager find;

9
generic/private/seapp_contexts
View File

@@ -28,3 +28,12 @@
#Add new domain for DataServices
# Needed for CNEService , uceShimService and other connectivity services
user=radio seinfo=platform name=.dataservices domain=vendor_dataservice_app type=radio_data_file
# AtFwd app
user=_app seinfo=platform name=com.qualcomm.telephony domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=vendor_qtelephony type=app_data_file levelFrom=all

3
generic/product/private/file_contexts
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/(product|system/product)/bin/init\.qti\.display\.sh u:object_r:vendor_sys_qti_display_exec:s0

3
generic/product/private/property_contexts
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019 The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vendor.display.disable_rounded_corner u:object_r:vendor_display_notch_prop:s0

16
qva/vendor/common/mmi_sys.te → generic/product/private/qti-display.te Executable file → Normal file
View File

@@ -1,5 +1,5 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
@@ -12,7 +12,7 @@
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
@@ -25,12 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#mmi_sys basic
r_dir_file(vendor_mmi_sys, vendor_sysfs_graphics)
type vendor_sys_qti_display_exec, system_file_type, exec_type, file_type;
hal_client_domain(vendor_mmi_sys, vendor_hal_factory_qti);
#diag
userdebug_or_eng(`
diag_use(vendor_mmi_sys)
typeattribute vendor_sys_qti_display coredomain;
init_daemon_domain(vendor_sys_qti_display)
set_prop(vendor_sys_qti_display, vendor_display_notch_prop)
')

1
generic/product/private/systemhelper_app.te
View File

@@ -36,3 +36,4 @@ allow vendor_systemhelper_app { activity_service trust_service surfaceflinger_se
allow vendor_systemhelper_app app_data_file:dir rw_dir_perms;
allow vendor_systemhelper_app thermal_service:service_manager find;
allow vendor_systemhelper_app vendor_perf_service:service_manager find;

4
generic/product/public/attributes
View File

@@ -28,7 +28,3 @@
attribute vendor_hal_systemhelper;
attribute vendor_hal_systemhelper_client;
attribute vendor_hal_systemhelper_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

4
generic/product/public/property.te
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_display_notch_prop, property_type, extended_core_property_type;

9
qva/vendor/test/vendor_cta_app.te → generic/product/public/qti-display.te
View File

@@ -25,11 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This domain is for pdt apps and should always be in
# userdebug_or_eng macro
type vendor_sys_qti_display, domain, mlstrustedsubject;
#============= vendor_sys_qti_display ==============
userdebug_or_eng(`
type vendor_cta_app, domain;
app_domain(vendor_cta_app);
permissive vendor_cta_app;
allow vendor_sys_qti_display shell_exec:file rx_file_perms;
allow vendor_sys_qti_display toolbox_exec:file rx_file_perms;
')

18
generic/vendor/common/attributes → generic/public/attribute/attributes
View File

@@ -1,4 +1,4 @@
# Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -59,3 +59,19 @@ attribute vendor_hal_capabilityconfigstore_qti_server;
attribute vendor_hal_dataconnection_qti;
attribute vendor_hal_dataconnection_qti_client;
attribute vendor_hal_dataconnection_qti_server;
attribute vendor_hal_embmssl;
attribute vendor_hal_embmssl_client;
attribute vendor_hal_embmssl_server;
attribute vendor_hal_dspmanager;
attribute vendor_hal_dspmanager_client;
attribute vendor_hal_dspmanager_server;
attribute vendor_hal_diaghal;
attribute vendor_hal_diaghal_client;
attribute vendor_hal_diaghal_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

38
generic/vendor/common/app.te vendored
View File

@@ -1,38 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow all apps to open and send ioctl to qdsp device
allow appdomain vendor_qdsp_device:chr_file r_file_perms;
# For the camera app
get_prop(appdomain, vendor_camera_prop)
#Allow all apps to have read access to vendor_adsprpc_prop
get_prop(appdomain, vendor_adsprpc_prop)
# Allow all apps to open and send ioctl to npu device
allow appdomain vendor_npu_device:chr_file r_file_perms;

43
generic/vendor/common/atfwd.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_atfwd, domain;
type vendor_atfwd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_atfwd)
allow vendor_atfwd self:socket create_socket_perms;
allow vendor_atfwd self:qipcrtr_socket create_socket_perms_no_ioctl;
allowxperm vendor_atfwd self:socket ioctl msm_sock_ipc_ioctls;
binder_call(vendor_atfwd, system_app);
r_dir_file(vendor_atfwd, vendor_sysfs_data);
set_prop(vendor_atfwd, vendor_radio_prop)
hwbinder_use(vendor_atfwd)
get_prop(vendor_atfwd, hwservicemanager_prop)

39
generic/vendor/common/audioadsprpcd.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_audioadsprpcd, domain;
type vendor_audioadsprpcd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_audioadsprpcd)
allow vendor_audioadsprpcd ion_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_xdsp_device:chr_file r_file_perms;
r_dir_file(vendor_audioadsprpcd, adsprpcd_file)
get_prop(vendor_audioadsprpcd, vendor_adsprpc_prop)
allow vendor_audioadsprpcd mnt_vendor_file:dir r_dir_perms;

29
generic/vendor/common/bluetooth.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow access to net_admin ioctls
allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
get_prop(bluetooth, vendor_bluetooth_prop)

41
generic/vendor/common/cameraserver.te vendored
View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow cameraserver gpu_device:chr_file rw_file_perms;
get_prop(cameraserver, vendor_camera_prop)
allow cameraserver vendor_sysfs_camera:file r_file_perms;
allow cameraserver vendor_sysfs_camera:dir search;
allow cameraserver system_file:dir r_dir_perms;
allow cameraserver system_server:unix_stream_socket { read write };
# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
binder_call(cameraserver, mediacodec)
#allow cameraserver to read adsprpc_prop
get_prop(cameraserver, vendor_adsprpc_prop)

47
generic/vendor/common/cdsprpcd.te vendored
View File

@@ -1,47 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# vendor_cdsprpcd daemon
type vendor_cdsprpcd, domain;
type vendor_cdsprpcd_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_cdsprpcd)
# For reading dir/files on /dsp
r_dir_file(vendor_cdsprpcd, adsprpcd_file)
# For reading adsprpc_prop
get_prop(vendor_cdsprpcd, vendor_adsprpc_prop)
allow vendor_cdsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd vendor_xdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd ion_device:chr_file r_file_perms;
r_dir_file(vendor_cdsprpcd, vendor_sysfs_devfreq)
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:dir r_dir_perms;
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:file rw_file_perms;

37
generic/vendor/common/charger.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow charger self:capability2 wake_alarm;
r_dir_file(charger, vendor_sysfs_battery_supply)
r_dir_file(charger, vendor_sysfs_usb_supply)
allow charger {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
dontaudit charger device:dir r_dir_perms;
dontaudit charger self:capability sys_admin;

41
generic/vendor/common/chre.te vendored
View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
# the applications processor to interact CHRE
type vendor_chre, domain;
type vendor_chre_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_chre)
r_dir_file(vendor_chre, adsprpcd_file)
#allow vendor_chre to read adsprpc_prop
get_prop(vendor_chre, vendor_adsprpc_prop)
allow vendor_chre ion_device:chr_file r_file_perms;
allow vendor_chre vendor_qdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_xdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_dsp_device:chr_file r_file_perms;

86
generic/vendor/common/cnd.te vendored
View File

@@ -1,86 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_cnd, domain;
type vendor_cnd_exec, exec_type, vendor_file_type, file_type;
file_type_auto_trans(vendor_cnd, socket_device, vendor_cnd_socket);
# vendor_cnd is started by init, type transit from init domain to vendor_cnd domain
init_daemon_domain(vendor_cnd)
#communicating with QTI wlan driver for WFC/ VTiWLAN quality
allow vendor_cnd self:capability net_bind_service;
unix_socket_send(vendor_cnd, wpa, hal_wifi_supplicant)
allow vendor_cnd wpa_data_file:dir w_dir_perms;
allow vendor_cnd wpa_data_file:sock_file create_file_perms;
#allow processing of VoWifi indications from modem over QMI while dozing
allow vendor_cnd self:capability2 block_suspend;
allow vendor_cnd self:udp_socket create_socket_perms;
allow vendor_cnd self:{
# Allow receiving NETLINK responses from WLAN driver.
netlink_socket
netlink_generic_socket
qipcrtr_socket
} create_socket_perms_no_ioctl;
allowxperm vendor_cnd self:udp_socket ioctl SIOCGIFMTU;
allow vendor_cnd vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_cnd vendor_sysfs_data:file r_file_perms;
allow vendor_cnd proc_meminfo:file r_file_perms;
set_prop(vendor_cnd, vendor_cnd_prop)
# allow vendor_cnd to access vendor_cnd_data_file
allow vendor_cnd vendor_cnd_data_file:file create_file_perms;
allow vendor_cnd vendor_cnd_data_file:sock_file { unlink create setattr };
allow vendor_cnd vendor_cnd_data_file:dir rw_dir_perms;
# allow vendor_cnd to obtain wakelock
wakelock_use(vendor_cnd)
allow vendor_cnd vendor_ipa_vendor_data_file:dir r_dir_perms;
allow vendor_cnd vendor_ipa_vendor_data_file:file r_file_perms;
# To register vendor_cnd to hwbinder
add_hwservice(vendor_cnd, vendor_hal_datafactory_hwservice)
hwbinder_use(vendor_cnd)
get_prop(vendor_cnd, hwservicemanager_prop)
binder_call(vendor_cnd, vendor_dataservice_app)
binder_call(vendor_cnd, vendor_qtidataservices_app)
binder_call(vendor_cnd, vendor_ims)
binder_call(vendor_cnd, vendor_location)
r_dir_file(vendor_cnd, vendor_sysfs_ssr)
#diag
userdebug_or_eng(`
diag_use(vendor_cnd)
r_dir_file(vendor_cnd, vendor_sysfs_diag)
')

40
generic/vendor/common/dataservice_app.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
get_prop(vendor_dataservice_app, vendor_cnd_prop)
allow vendor_dataservice_app vendor_hal_imsrcsd_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_hal_datafactory_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_sysfs_data:file r_file_perms;
binder_call(vendor_dataservice_app, vendor_cnd)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_dataservice_app, vendor_hal_rcsservice)
hal_client_domain(vendor_dataservice_app , vendor_hal_perf)

68
generic/vendor/common/device.te vendored
View File

@@ -1,68 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ab_block_device, dev_type;
type vendor_at_device, dev_type;
type vendor_avtimer_device, dev_type;
type vendor_bt_device, dev_type;
type vendor_bu21150_device, dev_type;
type vendor_citadel_device, dev_type;
type vendor_custom_ab_block_device, dev_type;
type vendor_diag_device, dev_type, mlstrustedobject;
type vendor_dsp_device, dev_type;
type vendor_xdsp_device, dev_type;
type vendor_easel_device, dev_type;
type vendor_hbtp_device, dev_type;
type vendor_hvdcp_device, dev_type;
type vendor_ipa_dev, dev_type;
type vendor_latency_device, dev_type;
type vendor_limits_block_device, dev_type;
type vendor_modem_block_device, dev_type;
type vendor_modem_efs_partition_device, dev_type;
type vendor_mdtp_device, dev_type;
type vendor_persist_block_device, dev_type;
type vendor_vm_data_block_device, dev_type;
type vendor_qsee_ipc_irq_spss_device, dev_type;
type vendor_qdsp_device, dev_type, mlstrustedobject;
type vendor_ramdump_device, dev_type;
type vendor_ramdump_microdump_modem_device, dev_type;
type vendor_rmnet_device, dev_type;
type vendor_gpt_block_device, dev_type;
type vendor_ramdump_block_device, dev_type;
type vendor_rpmb_device, dev_type;
type vendor_seemplog_device, dev_type;
type vendor_sg_device, dev_type;
type vendor_bsg_device, dev_type;
type vendor_smd_device, dev_type;
type vendor_spcom_device, dev_type;
type vendor_ssd_block_device, dev_type;
type vendor_ssr_device, dev_type;
type vendor_synx_device, dev_type;
type vendor_wlan_device, dev_type;
type vendor_xbl_block_device, dev_type;
type vendor_uefi_block_device, dev_type;
type vendor_qce_device, dev_type;
type vendor_npu_device, dev_type;

37
generic/vendor/common/diag-router.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag-router, domain;
type vendor_diag-router_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
init_daemon_domain(vendor_diag-router)
allow vendor_diag-router functionfs:dir r_dir_perms;
allow vendor_diag-router functionfs:file rw_file_perms;
allow vendor_diag-router self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_diag-router vendor_mhi_diag_device:chr_file rw_file_perms;
allow { domain -coredomain -hal_configstore -vendor_init} vendor_diag-router:unix_stream_socket connectto;
')

70
generic/vendor/common/diag.te vendored
View File

@@ -1,70 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag, domain;
type vendor_diag_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
domain_auto_trans(shell, vendor_diag_exec, vendor_diag)
#domain_auto_trans(adbd, vendor_diag_exec, vendor_diag)
allow vendor_diag {
vendor_diag_device
devpts
tty_device
# allow access to qseecom for drmdiagapp
tee_device
}:chr_file rw_file_perms;
allow vendor_diag {
shell
su
}:fd use;
allow vendor_diag {
cgroup
fuse
vendor_persist_drm_file
}:dir create_dir_perms;
allow vendor_diag port:tcp_socket name_connect;
allow vendor_diag self:capability { setuid net_raw sys_admin setgid };
allow vendor_diag self:capability2 syslog;
allow vendor_diag self:tcp_socket { create connect setopt};
wakelock_use(vendor_diag)
allow vendor_diag kernel:system syslog_mod;
# allow drmdiagapp access to drm related paths
allow vendor_diag mnt_vendor_file:dir r_dir_perms;
r_dir_file(vendor_diag, vendor_persist_data_file)
# Write to drm related pieces of persist partition
allow vendor_diag vendor_persist_drm_file:file create_file_perms;
# For DiagExample daemon
init_daemon_domain(vendor_diag)
net_domain(vendor_diag)
allow vendor_diag fuse:dir r_dir_perms;
allow vendor_diag fuse:file r_file_perms;
r_dir_file(vendor_diag, storage_file)
r_dir_file(vendor_diag, mnt_user_file)
')

61
generic/vendor/common/domain.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow domain vendor_diag_device:chr_file rw_file_perms;
')
# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem
# to be created for memory tracking, the domain of
# the tracked process must have permission to search
# in /sys/kernel/debug/kgsl
allow domain vendor_debugfs_kgsl:dir search;
allow domain vendor_debugfs_ion:dir search;
get_prop(domain, vendor_gralloc_prop)
r_dir_file({domain - isolated_app}, vendor_sysfs_soc);
r_dir_file({domain - isolated_app}, vendor_sysfs_esoc);
r_dir_file({domain - isolated_app}, vendor_sysfs_ssr);
r_dir_file({domain - isolated_app}, sysfs_thermal);
get_prop(domain, vendor_public_vendor_default_prop)
dontaudit domain kernel:system module_request;
# For compliance testing test suite reads vendor_security_path_level
# Which is the public readable property “ ro.vendor.build.security_patch
get_prop(domain, vendor_security_patch_level_prop)
neverallow {
coredomain
-init
-ueventd
-vold
} vendor_persist_type: { dir file } *;
# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;

50
generic/vendor/common/fastbootd.te vendored
View File

@@ -1,50 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Allow fastbootd
recovery_only(`
allow fastbootd {
vendor_custom_ab_block_device
recovery_block_device
vendor_xbl_block_device
vendor_uefi_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
}:blk_file { rw_file_perms };
# Allow fastbootd to read /sys/class/power_supply directory
# and access to power supply, usb nodes.
allow fastbootd sysfs:dir r_dir_perms;
r_dir_file(fastbootd, vendor_sysfs_battery_supply)
r_dir_file(fastbootd, vendor_sysfs_usb_supply)
allow fastbootd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
')

52
generic/vendor/common/feature_enabler_client.te vendored
View File

@@ -1,52 +0,0 @@
# Copyright (c) 2019 - 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_feature_enabler_client, domain;
type vendor_feature_enabler_client_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_feature_enabler_client)
allow vendor_feature_enabler_client tee_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client ion_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client vendor_smcinvoke_device:chr_file rw_file_perms;
unix_socket_connect(vendor_feature_enabler_client , vendor_ssgtzd, vendor_ssgtzd)
# Allow read permission to /mnt/vendor/persist/vendor_feature_enabler_client/*
allow vendor_feature_enabler_client mnt_vendor_file:dir search;
r_dir_file(vendor_feature_enabler_client, vendor_persist_feature_enabler_file)
# Allow read permission to /mnt/vendor/persist/data/*
r_dir_file(vendor_feature_enabler_client, vendor_persist_data_file)
# Binder access for featenab_client.service
vndbinder_use(vendor_feature_enabler_client)
allow vendor_feature_enabler_client vendor_qfeatenab_client_service:service_manager { add find };
#Allow access to display services and graphics_device for DRM
allow vendor_feature_enabler_client vendor_qdisplay_service:service_manager find;
hal_client_domain(vendor_feature_enabler_client, hal_graphics_composer)
allow vendor_feature_enabler_client graphics_device:chr_file rw_file_perms;

210
generic/vendor/common/file.te vendored
View File

@@ -1,210 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sysfs_audio, fs_type, sysfs_type;
type vendor_sysfs_battery_supply, sysfs_type, fs_type;
type vendor_sysfs_bond0, fs_type, sysfs_type;
type vendor_sysfs_boot_adsp, sysfs_type, fs_type;
type vendor_sysfs_camera, sysfs_type, fs_type;
type vendor_sysfs_cpu_boost, fs_type, sysfs_type;
type vendor_sysfs_devfreq, fs_type, sysfs_type;
type vendor_sysfs_easel, sysfs_type, fs_type;
type vendor_sysfs_esoc, sysfs_type, fs_type;
type vendor_sysfs_fingerprint, sysfs_type, fs_type;
type vendor_sysfs_graphics, sysfs_type, fs_type;
type vendor_sysfs_kgsl, sysfs_type, fs_type;
type vendor_sysfs_kgsl_proc, sysfs_type, fs_type;
type vendor_hbtp_kernel_sysfs, sysfs_type, fs_type;
type vendor_sysfs_irqbalance, sysfs_type, fs_type;
type vendor_sysfs_laser, sysfs_type, fs_type;
type vendor_sysfs_mdss_mdp_caps, sysfs_type, fs_type;
type vendor_sysfs_devfreq_l3cdsp, fs_type, sysfs_type;
type vendor_sysfs_mmc_host, fs_type, sysfs_type;
type vendor_sysfs_msm_perf, fs_type, sysfs_type;
type vendor_sysfs_msm_power, fs_type, sysfs_type;
type vendor_sysfs_msm_stats, fs_type, sysfs_type;
type vendor_sysfs_msm_subsys_restart, sysfs_type, fs_type;
type vendor_sysfs_sensors, sysfs_type, fs_type;
type vendor_sysfs_sectouch, sysfs_type, fs_type;
type vendor_sysfs_soc, sysfs_type, fs_type;
type vendor_sysfs_scsi_host, fs_type, sysfs_type;
type vendor_sysfs_scsi_target, fs_type, sysfs_type;
type vendor_sysfs_slpi, fs_type, sysfs_type;
type vendor_sysfs_spmi_dev, sysfs_type, fs_type;
type vendor_sysfs_ssr, sysfs_type, fs_type;
type vendor_sysfs_ssr_toggle, sysfs_type, fs_type;
type vendor_sysfs_timestamp_switch, sysfs_type, fs_type;
type vendor_sysfs_touch, sysfs_type, fs_type;
type vendor_sysfs_uio_file, sysfs_type, fs_type;
type vendor_sysfs_usb_c, sysfs_type, fs_type;
type vendor_sysfs_usb_device, sysfs_type, fs_type;
type vendor_sysfs_usb_supply, sysfs_type, fs_type;
type vendor_sysfs_usbpd_device, sysfs_type, fs_type;
type vendor_sysfs_vadc_dev, sysfs_type, fs_type;
type vendor_sysfs_lcd, sysfs_type, fs_type;
type vendor_sysfs_adsp_ssr, sysfs_type, fs_type;
type vendor_debugfs_clk, debugfs_type, fs_type;
type vendor_debugfs_ion, debugfs_type, fs_type;
type vendor_debugfs_ipc, debugfs_type, fs_type;
type vendor_debugfs_kgsl, debugfs_type, fs_type;
type vendor_debugfs_rpm, debugfs_type, fs_type;
type vendor_debugfs_rmt_storage, debugfs_type, fs_type;
type vendor_debugfs_usb, debugfs_type, fs_type;
type vendor_debugfs_wlan, debugfs_type, fs_type;
type vendor_debugfs_mdp, debugfs_type, fs_type;
type vendor_debugfs_icnss, debugfs_type, fs_type;
# /proc
type vendor_proc_wifi_dbg, fs_type, proc_type;
type vendor_proc_audiod, fs_type, proc_type;
type vendor_proc_shs, fs_type, proc_type;
type vendor_qmuxd_socket, file_type;
type vendor_netmgrd_socket, file_type;
type vendor_port-bridge_socket, file_type;
type vendor_thermal_socket, file_type;
#Define the qti socket type
type vendor_dataqti_socket, file_type;
type vendor_ims_socket, file_type;
type vendor_ipacm_socket, file_type;
type vendor_cnd_socket, file_type;
type vendor_chre_socket, file_type;
type vendor_hal_bootctl_socket, file_type;
type vendor_location_socket, file_type;
type vendor_wifihal_socket, file_type;
type vendor_pps_socket, file_type;
# imshelper_app file types
type vendor_imshelper_app_data_file, file_type, data_file_type;
type firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_cnd_data_file, file_type, data_file_type;
type vendor_location_data_file, file_type, data_file_type;
type vendor_audio_data_file, file_type, data_file_type;
type vendor_radio_data_file, file_type, data_file_type;
type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
# for mount /persist
typeattribute mnt_vendor_file vendor_persist_type;
type vendor_persist_file, file_type, vendor_persist_type;
type vendor_persist_data_file, file_type , vendor_persist_type;
type vendor_persist_display_file, file_type;
type vendor_persist_drm_file, file_type, vendor_persist_type;
type vendor_persist_elabel_file, file_type, vendor_persist_type;
type vendor_persist_haptics_file, file_type, vendor_persist_type;
type vendor_persist_rfs_file, file_type, vendor_persist_type;
type vendor_persist_rfs_shared_hlos_file, file_type, vendor_persist_type;
type vendor_persist_sensors_file, file_type, vendor_persist_type;
type vendor_persist_time_file, file_type, vendor_persist_type;
type vendor_persist_audio_file, file_type, vendor_persist_type;
type vendor_persist_bluetooth_file, file_type, vendor_persist_type;
type vendor_persist_alarm_file, file_type, vendor_persist_type;
type vendor_persist_feature_enabler_file, file_type, vendor_persist_type;
type vendor_netmgr_data_file, file_type, data_file_type;
type vendor_netmgr_recovery_data_file, file_type, data_file_type;
type vendor_qmipriod_data_file, file_type, data_file_type;
type vendor_ipa_vendor_data_file, file_type, data_file_type;
type vendor_shsusr_data_file, file_type, data_file_type;
type vendor_tombstone_data_file, file_type, data_file_type;
type vendor_camera_data_file, file_type, data_file_type;
type vendor_display_vendor_data_file, file_type, data_file_type;
type vendor_nfc_vendor_data_file, file_type, data_file_type;
type vendor_radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_modem_dump_file, file_type, data_file_type;
type vendor_sensors_vendor_data_file, file_type, data_file_type;
type vendor_port_bridge_data_file, file_type, data_file_type;
type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_firmware_file, vendor_file_type, file_type;
type vendor_mdmhelperdata_data_file, file_type, data_file_type;
type vendor_mbn_data_file, file_type, data_file_type;
#vendor capability configstore hal
type vendor_capabilityconfigstore_data_file, file_type, data_file_type;
#widevine data file
type vendor_mediadrm_vendor_data_file, file_type, data_file_type;
#time-services data file
type vendor_time_data_file, file_type, data_file_type;
#data sysfs files
type vendor_sysfs_data, fs_type, sysfs_type;
#diag sysfs files
type vendor_sysfs_diag, fs_type, sysfs_type;
type vendor_hexagon_halide_file, vendor_file_type, file_type;
# vendor media files
type vendor_media_data_file, file_type, data_file_type;
type adsprpcd_file, file_type, mlstrustedobject, vendor_file_type;
# vm system files
type vendor_vm_system_file, file_type, vendor_file_type;
type vendor_hbtp_log_file, file_type, data_file_type;
type vendor_hbtp_cfg_file, file_type, vendor_file_type;
#tloc data files
type vendor_tlocd_data_file, file_type, data_file_type;
#qseecom
type vendor_data_qsee_file, file_type, data_file_type;
#TUI Files
type vendor_tui_data_file, file_type, data_file_type;
# SFS listener data file
type vendor_data_tzstorage_file, file_type, data_file_type;
#NNHAL files
type vendor_hal_neuralnetworks_data_file, file_type, data_file_type;
#BT Files
type vendor_bt_data_file, file_type, data_file_type;
type vendor_sysfs_usb_controller, sysfs_type, fs_type;
#for qdss
type vendor_sysfs_qdss_dev, sysfs_type, fs_type;
#Define the qdcmss socket type
type vendor_qdcmsocket_socket, file_type;
type vendor_sysfs_mhi, sysfs_type, fs_type;
type vendor_sysfs_suspend, fs_type, sysfs_type;
# kgsl gpu model file type for sysfs access
type vendor_sysfs_kgsl_gpu_model, sysfs_type, fs_type;
type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;

487
generic/vendor/common/file_contexts vendored
View File

@@ -1,487 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# dev nodes
/dev/btpower u:object_r:vendor_bt_device:s0
/dev/diag u:object_r:vendor_diag_device:s0
/dev/kgsl-3d0 u:object_r:gpu_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
/dev/smd.* u:object_r:vendor_smd_device:s0
/dev/msm_npu u:object_r:vendor_npu_device:s0
# TODO: does ttyMSM0 need to be more specific
/dev/ttyMSM0 u:object_r:tty_device:s0
/dev/ipa u:object_r:vendor_ipa_dev:s0
/dev/wwan_ioctl u:object_r:vendor_ipa_dev:s0
/dev/ipaNatTable u:object_r:vendor_ipa_dev:s0
/dev/cpu_dma_latency u:object_r:vendor_latency_device:s0
/dev/dpl_ctrl u:object_r:vendor_rmnet_device:s0
/dev/rmnet_ctrl.* u:object_r:vendor_rmnet_device:s0
/dev/at_.* u:object_r:vendor_at_device:s0
/dev/video([0-9])+ u:object_r:video_device:s0
/dev/cvp* u:object_r:video_device:s0
/dev/media([0-9])+ u:object_r:video_device:s0
/dev/v4l-subdev.* u:object_r:video_device:s0
/dev/qseecom u:object_r:tee_device:s0
/dev/qsee_ipc_irq_spss u:object_r:vendor_qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:vendor_seemplog_device:s0
/dev/spcom u:object_r:vendor_spcom_device:s0
/dev/jpeg[0-9]* u:object_r:video_device:s0
/dev/adsprpc-smd u:object_r:vendor_qdsp_device:s0
/dev/adsprpc-smd-secure u:object_r:vendor_xdsp_device:s0
/dev/sdsprpc-smd u:object_r:vendor_dsp_device:s0
/dev/wcd-dsp-glink u:object_r:audio_device:s0
/dev/wcd_dsp0_control u:object_r:audio_device:s0
/dev/wcd-spi-ac-client u:object_r:audio_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/avtimer u:object_r:vendor_avtimer_device:s0
/dev/subsys_.* u:object_r:vendor_ssr_device:s0
/dev/ramdump_.* u:object_r:vendor_ramdump_device:s0
/dev/ramdump_microdump_modem u:object_r:vendor_ramdump_microdump_modem_device:s0
/dev/hbtp_input u:object_r:vendor_hbtp_device:s0
/dev/hbtp_vm u:object_r:vendor_hbtp_device:s0
/dev/sg[0-9]+ u:object_r:vendor_sg_device:s0
/dev/ufs-bsg.* u:object_r:vendor_bsg_device:s0
/dev/0:0:0:49476 u:object_r:vendor_bsg_device:s0
/dev/sensors u:object_r:sensors_device:s0
/dev/mnh_sm u:object_r:vendor_easel_device:s0
/dev/easelcomm-client u:object_r:vendor_easel_device:s0
/dev/citadel0 u:object_r:vendor_citadel_device:s0
/dev/jdi-bu21150 u:object_r:vendor_bu21150_device:s0
/dev/usb_ext_chg u:object_r:vendor_hvdcp_device:s0
/dev/synx_device u:object_r:vendor_synx_device:s0
/dev/ipa_odl_ctl u:object_r:vendor_ipa_dev:s0
/dev/ipa_adpl u:object_r:vendor_ipa_dev:s0
# dev socket nodes
/dev/socket/chre u:object_r:vendor_chre_socket:s0
/dev/socket/oemlock u:object_r:vendor_hal_bootctl_socket:s0
/dev/socket/ims_qmid u:object_r:vendor_ims_socket:s0
/dev/socket/ims_datad u:object_r:vendor_ims_socket:s0
/dev/socket/ipacm_log_file u:object_r:vendor_ipacm_socket:s0
/dev/socket/cnd u:object_r:vendor_cnd_socket:s0
/dev/socket/thermal-send-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-passive-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-send-rule u:object_r:vendor_thermal_socket:s0
/dev/socket/netmgr(/.*)? u:object_r:vendor_netmgrd_socket:s0
/dev/socket/port-bridge(/.*)? u:object_r:vendor_port-bridge_socket:s0
/dev/socket/qti_dpm_uds_file u:object_r:vendor_dataqti_socket:s0
/dev/socket/location(/.*)? u:object_r:vendor_location_socket:s0
/dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
/dev/socket/pps u:object_r:vendor_pps_socket:s0
/dev/nq-nci u:object_r:nfc_device:s0
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/wlan u:object_r:vendor_wlan_device:s0
/dev/socket/qmux_radio(/.*)? u:object_r:vendor_qmuxd_socket:s0
/data/vendor/modem_config(/.*)? u:object_r:vendor_mbn_data_file:s0
/dev/socket/qdcmsocket u:object_r:vendor_qdcmsocket_socket:s0
/dev/qce u:object_r:vendor_qce_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
/dev/block/sda u:object_r:vendor_gpt_block_device:s0
# Block devices for the drive that holds the xbl_a and xbl_b partitions.
/dev/block/sd[bc]1? u:object_r:vendor_xbl_block_device:s0
# Block device for hal_bootctl
/dev/block/sde u:object_r:boot_block_device:s0
# Block device for ZRAM
/dev/block/zram0 u:object_r:swap_block_device:s0
# files in /vendor
/vendor/firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bt_firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bin/ATFWD-daemon u:object_r:vendor_atfwd_exec:s0
/vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch u:object_r:hal_vr_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/sensors.qcom u:object_r:vendor_sensors_exec:s0
/vendor/bin/sensors.qti u:object_r:vendor_sensors_exec:s0
/vendor/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0
/vendor/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
/vendor/bin/pm-service u:object_r:vendor_per_mgr_exec:s0
/vendor/bin/pm-proxy u:object_r:vendor_per_proxy_exec:s0
/vendor/bin/qseecomd u:object_r:tee_exec:s0
/vendor/bin/subsystem_ramdump u:object_r:vendor_subsystem_ramdump_exec:s0
/vendor/bin/adsprpcd u:object_r:vendor_adsprpcd_exec:s0
/vendor/bin/cdsprpcd u:object_r:vendor_cdsprpcd_exec:s0
/vendor/bin/audioadsprpcd u:object_r:vendor_audioadsprpcd_exec:s0
/vendor/bin/irsc_util u:object_r:vendor_irsc_util_exec:s0
/vendor/bin/rmt_storage u:object_r:vendor_rmt_storage_exec:s0
/vendor/bin/tftp_server u:object_r:vendor_rfs_access_exec:s0
/vendor/bin/cnss-daemon u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/cnss_diag u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/diag_mdlog u:object_r:vendor_qlogd_exec:s0
/vendor/bin/netmgrd u:object_r:vendor_netmgrd_exec:s0
/vendor/bin/qmipriod u:object_r:vendor_qmipriod_exec:s0
/vendor/bin/shsusrd u:object_r:vendor_shsusrd_exec:s0
/vendor/bin/port-bridge u:object_r:vendor_port-bridge_exec:s0
/vendor/bin/qti u:object_r:vendor_qti_exec:s0
/vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
/vendor/bin/lowi-server u:object_r:vendor_location_exec:s0
/vendor/bin/xtra-daemon u:object_r:vendor_location_exec:s0
/vendor/bin/pd-mapper u:object_r:vendor_pd_mapper_exec:s0
/vendor/bin/imsqmidaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/imsdatadaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/ims_rtp_daemon u:object_r:vendor_hal_imsrtp_exec:s0
/vendor/bin/ipacm u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/ipacm-diag u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/cnd u:object_r:vendor_cnd_exec:s0
/vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/diag-router u:object_r:vendor_diag-router_exec:s0
/(vendor|system/vendor)/bin/msm_irqbalance u:object_r:vendor_msm_irqbalanced_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.1-service.crosshatch u:object_r:hal_usb_default_exec:s0
/vendor/bin/chre u:object_r:vendor_chre_exec:s0
/vendor/bin/time_daemon u:object_r:vendor_time_daemon_exec:s0
/vendor/bin/imsrcsd u:object_r:vendor_hal_rcsservice_exec:s0
/vendor/bin/tloc_daemon u:object_r:vendor_tlocd_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.2-service u:object_r:hal_power_default_exec:s0
/vendor/bin/hw/qcrild u:object_r:rild_exec:s0
/vendor/bin/hw/qcrilNrd u:object_r:rild_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.vibrator@1\.1-service.crosshatch u:object_r:hal_vibrator_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:vendor_hal_gatekeeper_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:vendor_hal_gnss_qti_exec:s0
/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:vendor_hal_tui_comm_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:vendor_hal_qdutils_disp_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.trustedui@1\.0-service-qti u:object_r:vendor_hal_trustedui_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.capabilityconfigstore@1\.0-service u:object_r:vendor_hal_capabilityconfigstore_qti_default_exec:s0
/(vendor|system/vendor)/bin/power_off_alarm u:object_r:vendor_power_off_alarm_exec:s0
/(vendor|system/vendor)/bin/grep u:object_r:vendor_toolbox_exec:s0
/vendor/bin/hw/vendor\.display\.color@1\.0-service u:object_r:vendor_hal_display_color_default_exec:s0
/vendor/bin/hw/vendor\.qti\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
/vendor/bin/hw/hardware\.google\.media\.c2@1\.0-service-software u:object_r:mediacodec_exec:s0
/vendor/bin/feature_enabler_client u:object_r:vendor_feature_enabler_client_exec:s0
/(vendor|system/vendor)/bin/qdcmss u:object_r:vendor_qdcm-ss_exec:s0
###############################################
# same-process HAL files and their dependencies
#
/vendor/lib(64)?/hw/gralloc\.qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcamxexternalformatutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloccore\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgrallocutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/vulkan\.adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_CM_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrmutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
# /vendor/app/TimeService/TimeService.apk
/vendor/lib(64)?/libTimeService\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libtime_genoff\.so u:object_r:same_process_hal_file:s0
# hbtp dependencies
/vendor/lib(64)?/libhbtpitsjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpdbgclientjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpjni\.so u:object_r:same_process_hal_file:s0
# framework detect libs libvndfwk_detect_jni.qti and libqti_vndfwk_detect
/vendor/lib(64)?/libvndfwk_detect_jni\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti_vndfwk_detect\.so u:object_r:same_process_hal_file:s0
# NPU files
/vendor/lib(64)?/libnpu\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_controller\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_hexagon_runtime\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/unnhal-acc-hta\.so u:object_r:same_process_hal_file:s0
# RenderScript dependencies.
# To test: run cts -m CtsRenderscriptTestCases
/vendor/lib(64)?/libRSDriver_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libCB\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qgl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libbccQTI\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno_sha1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti-perfd-client\.so u:object_r:same_process_hal_file:s0
# TODO(b/36895509): remove the following 2 lines once this bug is resolved
# needed by radio
/vendor/lib(64)?/libimsmedia_jni\.so u:object_r:same_process_hal_file:s0
# libGLESv2_adreno depends on this
/vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
# libOpenCL and its dependencies
/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libq3dtools_adreno\.so u:object_r:same_process_hal_file:s0
# Loaded by native loader (zygote) for all processes
/vendor/lib(64)?/libadsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libsdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib/dsp/fastrpc_shell_0 u:object_r:same_process_hal_file:s0
# Fastcv libs
/vendor/lib(64)?/libfastcvdsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvadsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvopt\.so u:object_r:same_process_hal_file:s0
# data files
/data/vendor/netmgr(/.*)? u:object_r:vendor_netmgr_data_file:s0
/data/vendor/netmgr/recovery(/.*)? u:object_r:vendor_netmgr_recovery_data_file:s0
/data/vendor/qmipriod(/.*)? u:object_r:vendor_qmipriod_data_file:s0
/data/vendor/shsusr(/.*)? u:object_r:vendor_shsusr_data_file:s0
/data/vendor/location(/.*)? u:object_r:vendor_location_data_file:s0
/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
/data/vendor/display(/.*)? u:object_r:vendor_display_vendor_data_file:s0
/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0
/data/vendor/radio(/.*)? u:object_r:vendor_radio_vendor_data_file:s0
/data/vendor/wifi/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_log_data_file:s0
/data/vendor/ramdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/ssrdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/modem_dump(/.*)? u:object_r:vendor_modem_dump_file:s0
/data/vendor/ipa(/.*)? u:object_r:vendor_ipa_vendor_data_file:s0
/data/vendor/sensors(/.*)? u:object_r:vendor_sensors_vendor_data_file:s0
/data/vendor/port_bridge(/.*)? u:object_r:vendor_port_bridge_data_file:s0
/data/vendor/tloc(/.*)? u:object_r:vendor_tlocd_data_file:s0
/data/vendor/connectivity(/.*)? u:object_r:vendor_cnd_data_file:s0
/data/vendor/misc/qsee(/.*)? u:object_r:vendor_data_qsee_file:s0
/data/vendor/tui(/.*)? u:object_r:vendor_tui_data_file:s0
/data/vendor/tzstorage(/.*)? u:object_r:vendor_data_tzstorage_file:s0
/data/vendor/tombstones(/.*)? u:object_r:vendor_tombstone_data_file:s0
/data/vendor/time(/.*)? u:object_r:vendor_time_data_file:s0
/data/vendor/mdmhelperdata(/.*)? u:object_r:vendor_mdmhelperdata_data_file:s0
/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
# audio_data_file
/data/vendor/audio(/.*)? u:object_r:vendor_audio_data_file:s0
# /
/tombstones u:object_r:rootfs:s0
/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
/vendor/vm-system(/.*)? u:object_r:vendor_vm_system_file:s0
# /persist
/mnt/vendor/persist/data(/.*)? u:object_r:vendor_persist_data_file:s0
/mnt/vendor/persist/display(/.*)? u:object_r:vendor_persist_display_file:s0
/mnt/vendor/persist/drm(/.*)? u:object_r:vendor_persist_drm_file:s0
/mnt/vendor/persist/elabel(/.*)? u:object_r:vendor_persist_elabel_file:s0
/mnt/vendor/persist/haptics(/.*)? u:object_r:vendor_persist_haptics_file:s0
/mnt/vendor/persist/hlos_rfs(/.*)? u:object_r:vendor_persist_rfs_shared_hlos_file:s0
/mnt/vendor/persist/rfs(/.*)? u:object_r:vendor_persist_rfs_file:s0
/mnt/vendor/persist/sensors(/.*)? u:object_r:vendor_persist_sensors_file:s0
/mnt/vendor/persist/time(/.*)? u:object_r:vendor_persist_time_file:s0
/mnt/vendor/persist/audio(/.*)? u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/feature_enabler_client(/.*)? u:object_r:vendor_persist_feature_enabler_file:s0
# graphics device
/dev/mdss_rotator u:object_r:graphics_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/dri/controlD64 u:object_r:graphics_device:s0
/dev/dri/renderD128 u:object_r:graphics_device:s0
#TODO: move this to genfs_context or target based file_context
# sysfs_leds
/sys/devices/platform/soc/[a-f0-9]+.qcom,spmi/spmi-0/spmi0-0[0-9]/[a-f0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,haptics@c000/leds/vibrator(/.*)? u:object_r:sysfs_leds:s0
# vendor_sysfs_devfreq
/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:vendor_sysfs_devfreq:s0
#vendor_sysfs_data
/sys/devices/virtual/xt_hardidletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
/sys/devices/virtual/xt_idletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
#persist_bluetooth_file
/mnt/vendor/persist/bluetooth(/.*)? u:object_r:vendor_persist_bluetooth_file:s0
#power off alarm file
/mnt/vendor/persist/alarm(/.*)? u:object_r:vendor_persist_alarm_file:s0
/(vendor|system/vendor)/bin/hbtp_daemon u:object_r:vendor_hbtp_exec:s0
/(vendor|system/vendor)/bin/sscrpcd u:object_r:vendor_sensors_exec:s0
# vendor_sysfs_graphics
/sys/class/graphics/fb0/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_time u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/product_description u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vendor_name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hpd u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/res_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_type u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_split u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/show_blank_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hist_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vsync_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/lineptr_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_notify u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_thermal_level u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/connected u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/scan_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/packpattern u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dyn_pu u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/hdcp/msm_hdcp/min_level_change u:object_r:vendor_sysfs_graphics:s0
/sys/class/lcd_bias/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/class/leds/wled/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/status u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[0-9a-f]+.qcom,spmi/spmi-[0-9]+/spmi[0-9]+-[0-9]+/[0-9a-f]+.qcom,spmi:qcom,pmi[0-9]+@[0-9]+:qcom,leds@[a-f0-9]+(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/switch/hdmi(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/[a-f0-9]+.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/qcom,mdss_fb_primary.+[a-f0-9]/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_cam/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,vidc/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,cci/[a-f0-9]+.qcom,cci:qcom,camera@[0-2]/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:vendor_sysfs_mmc_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)? u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:vendor_sysfs_scsi_target:s0
/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:vendor_mediadrm_vendor_data_file:s0
/data/vendor/nnhal(/.*)? u:object_r:vendor_hal_neuralnetworks_data_file:s0
# Moved to target specfic folder so removing this from common file
#/sys/devices(/platform)?/soc/[a-f0-9\.:]+,[a-f0-9\-\_]+/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:vendor_sysfs_kgsl_gpu_model:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:vendor_sysfs_kgsl_gpuclk:s0
/sys/devices/soc/[a-f0-9]+.ssusb/power_supply/usb(/.*)? u:object_r:vendor_sysfs_usb_supply:s0
/data/(misc|vendor)/hbtp(/.*)? u:object_r:vendor_hbtp_log_file:s0
/vendor/etc/hbtp/* u:object_r:vendor_hbtp_cfg_file:s0
/sys/devices/soc/qpnp-vadc-[0-9]+(/.*)? u:object_r:vendor_sysfs_vadc_dev:s0
#Android NN Driver
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:vendor_hal_neuralnetworks_default_exec:s0
/(vendor|system/vendor)/bin/init\.class_main\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.crda\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.mdm\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.class_core\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.coex\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.crashdata\.sh u:object_r:vendor_init-qcom-crashdata-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm660\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm670\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.early_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.efs\.sync\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.dcvs\.sh u:object_r:vendor_init-qti-dcvs-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sdio\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sensors\.sh u:object_r:vendor_init-qcom-sensors-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.syspart_fixup\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.usb\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.wifi\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.ims\.sh u:object_r:vendor_init-qti-ims-sh_exec:s0
/(vendor|system/vendor)/bin/qca6234-service.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.kernel\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.kernel\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.qcv\.sh u:object_r:vendor_qti_init_shell_exec:s0
#Limits sysfs node
/sys/module/msm_isense_cdsp/data u:object_r:sysfs_thermal:s0
/(vendor|system/vendor)/bin/vendor_modprobe\.sh u:object_r:vendor_modinstall-sh_exec:s0

29
generic/vendor/common/fsck.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow fsck vendor_persist_block_device:blk_file rw_file_perms;

144
generic/vendor/common/genfs_contexts vendored
View File

@@ -1,144 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
genfscon proc /debug/fwdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /ath_pktlog/cld u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /shs u:object_r:vendor_proc_shs:s0
genfscon sysfs /android_touch u:object_r:vendor_sysfs_touch:s0
genfscon sysfs /devices/virtual/input/ftm4_touch u:object_r:vendor_sysfs_touch:s0
#genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /kernel/irq_helper/irq_blacklist_on u:object_r:vendor_sysfs_irqbalance:s0
genfscon sysfs /kernel/wcd_cpe0 u:object_r:vendor_sysfs_audio:s0
genfscon sysfs /class/uio u:object_r:sysfs_uio:s0
genfscon sysfs /devices/soc/soc:bt_wcn3990 u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,llccbw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_mdss_mdp_caps:s0
genfscon sysfs /devices/platform/soc/c17a000.i2c/i2c-6/6-005a/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/c1b5000.i2c/i2c-7/7-0030/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000 u:object_r:vendor_sysfs_data:s0
genfscon sysfs /devices/platform/soc/0.qcom,rmtfs_sharedmem/uio u:object_r:vendor_sysfs_uio_file:s0
genfscon sysfs /devices/platform/soc/soc:fp_fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/virtual/wahoo_laser u:object_r:vendor_sysfs_laser:s0
genfscon sysfs /module/cpu_boost u:object_r:vendor_sysfs_cpu_boost:s0
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/lcd_bias u:object_r:vendor_sysfs_lcd:s0
genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
genfscon sysfs /module/diagchar/parameters/timestamp_switch u:object_r:vendor_sysfs_timestamp_switch:s0
genfscon sysfs /module/msm_performance u:object_r:vendor_sysfs_msm_perf:s0
genfscon sysfs /module/lpm_levels u:object_r:vendor_sysfs_msm_power:s0
genfscon sysfs /module/lpm_stats u:object_r:vendor_sysfs_msm_stats:s0
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/soc/8c0000.qcom,msm-cam u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc0 u:object_r:vendor_sysfs_soc:s0
genfscon sysfs /devices/soc/caa0000.qcom,jpeg u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/caa4000.qcom,fd u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qpnp,fg/power_supply/bms/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /bus/msm_subsys u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /module/subsystem_restart u:object_r:vendor_sysfs_msm_subsys_restart:s0
genfscon sysfs /kernel/boot_adsp/boot u:object_r:vendor_sysfs_boot_adsp:s0
genfscon sysfs /kernel/boot_slpi u:object_r:vendor_sysfs_slpi:s0
genfscon sysfs /devices/soc/c1b7000.i2c/i2c-9/9-0008 u:object_r:vendor_sysfs_easel:s0
genfscon sysfs /class/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /class/typec/usbc0 u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb1 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb2 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a600000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a800000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /module/diagchar u:object_r:vendor_sysfs_diag:s0
genfscon sysfs /devices/virtual/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /class/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/kgsl/kgsl/proc u:object_r:vendor_sysfs_kgsl_proc:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /class/sensors u:object_r:vendor_sysfs_sensors:s0
genfscon sysfs /bus/esoc u:object_r:vendor_sysfs_esoc:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_enable u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_userspace u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /kernel/hbtp/display_pwr u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/virtual/net/bond0/bonding/queue_id u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /devices/virtual/net/bond0/queues/rx-0/rps_cpus u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /firmware/devicetree/base/cpus u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /bus/spmi/devices u:object_r:vendor_sysfs_spmi_dev:s0
genfscon sysfs /power/mem_sleep u:object_r:vendor_sysfs_suspend:s0
genfscon sysfs /kernel/boot_adsp/ssr u:object_r:vendor_sysfs_adsp_ssr:s0
genfscon debugfs /kgsl/proc u:object_r:vendor_debugfs_kgsl:s0
genfscon debugfs /clk/debug_suspend u:object_r:vendor_debugfs_clk:s0
genfscon debugfs /wlan0 u:object_r:vendor_debugfs_wlan:s0
genfscon debugfs /rpm_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /rpm_master_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /ion u:object_r:vendor_debugfs_ion:s0
genfscon debugfs /ipc_logging u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /system_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /tcpm/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /pd_engine/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /ipc_logging/smblib/log u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /msm_ipc_router u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /mdp u:object_r:vendor_debugfs_mdp:s0
genfscon debugfs /rmt_storage u:object_r:vendor_debugfs_rmt_storage:s0
genfscon debugfs /icnss u:object_r:vendor_debugfs_icnss:s0

36
generic/vendor/common/hal_alarm_qti_default.te vendored
View File

@@ -1,36 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_alarm_qti_default, domain;
hal_server_domain(vendor_hal_alarm_qti_default, vendor_hal_alarm_qti)
type vendor_hal_alarm_qti_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_alarm_qti_default)
allow vendor_hal_alarm_qti_default rtc_device:chr_file r_file_perms;

30
generic/vendor/common/hal_atfwd.te vendored
View File

@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
binder_call(vendor_atfwd, vendor_qtelephony);
allow vendor_atfwd vendor_hal_atfwd_hwservice:hwservice_manager find;

61
generic/vendor/common/hal_audio_default.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow hal_audio vendor_diag_device:chr_file rw_file_perms;
allow hal_audio_default debugfs:dir r_dir_perms;
')
hal_client_domain(hal_audio_default, vendor_hal_perf)
hal_client_domain(hal_audio_default, hal_power)
# read-only permission to obtain the calibration data
r_dir_file(hal_audio_default, vendor_persist_audio_file);
allow hal_audio_default mnt_vendor_file:dir search;
#Allow access to firmware
allow hal_audio firmware_file:dir r_dir_perms;
allow hal_audio firmware_file:file r_file_perms;
# Allow hal_audio to read soundcard state under /proc/asound
allow hal_audio vendor_proc_audiod:file r_file_perms;
allow hal_audio_default vendor_audio_data_file:dir rw_dir_perms;
allow hal_audio_default vendor_audio_data_file:file create_file_perms;
#Allow hal audio to use Binder IPC
vndbinder_use(hal_audio)
#allow acess to wcd_cpe
allow hal_audio vendor_sysfs_audio:file rw_file_perms;
allow hal_audio vendor_sysfs_audio:dir r_dir_perms ;
# audio properties
get_prop(hal_audio, vendor_audio_prop)
#to read bluetooth prop
get_prop(hal_audio, vendor_bluetooth_prop)

61
generic/vendor/common/hal_bluetooth_default.te vendored
View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_bluetooth_default vendor_bt_device:chr_file rw_file_perms;
# talk to system_server to set priority
allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;
allow hal_bluetooth system_server:binder call;
# bluetooth properties
set_prop(hal_bluetooth, vendor_bluetooth_prop)
#For bluetooth firmware
r_dir_file(hal_bluetooth_default, bt_firmware_file)
allow hal_bluetooth_default vendor_persist_bluetooth_file:dir rw_dir_perms;
allow hal_bluetooth_default vendor_persist_bluetooth_file:file create_file_perms;
#For QMI socket
allow hal_bluetooth_default self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
userdebug_or_eng(`
diag_use(hal_bluetooth)
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:file create_file_perms;
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:dir create_dir_perms;
allow hal_bluetooth_default proc_sysrq:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:dir rw_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:dir ra_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:file create_file_perms;
allow hal_bluetooth_default self:{ socket } create_socket_perms_no_ioctl;
')
r_dir_file(hal_bluetooth_default, mnt_vendor_file)
# Access lbsoc_helper to bluetooth
use_libsoc_helper(hal_bluetooth_default)

75
generic/vendor/common/hal_bootctl.te vendored
View File

@@ -1,75 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# These are the permissions required to use the boot_control HAL implemented
# here: hardware/qcom/bootctrl/boot_control.c
# Getting and setting GPT attributes for the bootloader iterates over all the
# partition names in the block_device directory /dev/block/.../by-name
allow hal_bootctl block_device:dir r_dir_perms;
#Opening /dev directory from bootctl to query /dev/ufs-bsg* filename
allow hal_bootctl device:dir r_dir_perms;
# Edit the attributes stored in the GPT.
allow hal_bootctl vendor_gpt_block_device:blk_file rw_file_perms;
allow hal_bootctl root_block_device:blk_file rw_file_perms;
# Allow boot_control_hal to get attributes on all the A/B partitions.
allow hal_bootctl boot_block_device:blk_file rw_file_perms;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_xbl_block_device:blk_file getattr;
allow hal_bootctl vendor_modem_block_device:blk_file getattr;
allow hal_bootctl system_block_device:blk_file getattr;
allow hal_bootctl vendor_custom_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl recovery_block_device:blk_file getattr;
allow hal_bootctl vendor_mdtp_device:blk_file getattr;
allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
# Access /dev/sgN or /dev/ufs-bsg* devices (generic SCSI) to write the
# A/B slot selection for the XBL partition. Allow also to issue a
# UFS_IOCTL_QUERY or SG_IO ioctl.
allow hal_bootctl vendor_sg_device:chr_file rw_file_perms;
allow hal_bootctl vendor_bsg_device:chr_file rw_file_perms;
# The sys_rawio denial message is benign, and shows up due to a capability()
# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
# does not result in a error
dontaudit hal_bootctl self:capability sys_rawio;
#scsi driver does a capability check (CAP_SYS_RAWIO) when bootctl does
# an ioctl to /dev/ufs-bsg .Adding this rule to avoid ioctl error.
allow hal_bootctl_server self:capability { sys_rawio };
# Read the sysfs to lookup what /dev/sgN device
# corresponds to the XBL partitions.
allow hal_bootctl vendor_sysfs_scsi_target:dir r_dir_perms;
# Write to the XBL devices.
allow hal_bootctl vendor_xbl_block_device:blk_file rw_file_perms;
# Read dir permission for dt_firmware
allow hal_bootctl sysfs_dt_firmware_android:dir r_dir_perms;

70
generic/vendor/common/hal_camera.te vendored
View File

@@ -1,70 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This is needed to get priority for Camera process
allow hal_camera self:capability sys_nice;
# This is mandatory to open Camera Service
hal_client_domain(hal_camera_default, hal_graphics_allocator)
# This is needed to get performance boost
hal_client_domain(hal_camera_default, vendor_hal_perf)
set_prop(hal_camera, vendor_camera_prop)
# ignore spurious denial
dontaudit hal_camera graphics_device:dir search;
allow hal_camera vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera vendor_camera_data_file:file create_file_perms;
unix_socket_connect(hal_camera, vendor_thermal, vendor_thermal-engine)
userdebug_or_eng(`
allow hal_camera vendor_diag_device:chr_file rw_file_perms;
')
# access hexagon
allow hal_camera vendor_qdsp_device:chr_file r_file_perms;
#Allow camera to access synx device
allow hal_camera vendor_synx_device:chr_file rw_file_perms;
#needed for full_treble
hal_client_domain(hal_camera_default, hal_graphics_composer)
r_dir_file(hal_camera_default, vendor_sysfs_graphics)
#allow camera to access /dsp
r_dir_file(hal_camera, adsprpcd_file);
#allow camera to access adsprpc_prop
get_prop(hal_camera, vendor_adsprpc_prop)
# This is needed to access GPU
allow hal_camera_default gpu_device:chr_file rw_file_perms;
# Postproc Service
hal_attribute_hwservice(hal_camera, vendor_hal_camera_postproc_hwservice);

27
generic/vendor/common/hal_camera_default.te vendored
View File

@@ -1,27 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vndbinder_use(hal_camera_default);

29
generic/vendor/common/hal_contexthub.te vendored
View File

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow context hub HAL to communicate with daemon via socket
unix_socket_connect(hal_contexthub, vendor_chre, vendor_chre)

56
generic/vendor/common/hal_display_color.te vendored
View File

@@ -1,56 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Define domain
type vendor_hal_display_color_default, domain;
hal_server_domain(vendor_hal_display_color_default, vendor_hal_display_color)
type vendor_hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_display_color_default)
# Allow hwbinder call from hal client to server
binder_call(vendor_hal_display_color_client, vendor_hal_display_color_server)
binder_call(platform_app, vendor_hal_display_color_server)
# Add hwservice related rules
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_color_hwservice)
allow vendor_hal_display_color_client vendor_hal_display_color_hwservice:hwservice_manager find;
allow platform_app vendor_hal_display_color_hwservice:hwservice_manager find;
# Rule for display color to access graphics composer process
unix_socket_connect(vendor_hal_display_color, vendor_pps, hal_graphics_composer_default);
# Rule for vndbinder usage
allow vendor_hal_display_color vendor_qdisplay_service:service_manager find;
vndbinder_use(vendor_hal_display_color);
binder_call(vendor_hal_display_color, hal_graphics_composer)
#Add rules for postproc hal
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_postproc_hwservice)
allow vendor_hal_display_postproc_client vendor_hal_display_postproc_hwservice:hwservice_manager find;
# Set vendor_qdcmss property
set_prop(vendor_hal_display_color, vendor_qdcmss_prop);

27
generic/vendor/common/hal_drm_default.te vendored
View File

@@ -1,27 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_drm_default vndbinder_device:chr_file rw_file_perms;

49
generic/vendor/common/hal_drm_widevine.te vendored
View File

@@ -1,49 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# define SELinux domain
type vendor_hal_drm_widevine, domain;
hal_server_domain(vendor_hal_drm_widevine, hal_drm)
type vendor_hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_drm_widevine)
allow vendor_hal_drm_widevine mediacodec:fd use;
allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
#Allow access to smcinvoke device
allow vendor_hal_drm_widevine vendor_smcinvoke_device:chr_file rw_file_perms;
# The QTI DRM-HAL implementation uses a vendor-binder service provided
# by the HWC HAL.
vndbinder_use(vendor_hal_drm_widevine);
allow vendor_hal_drm_widevine vendor_qdisplay_service:service_manager { find };
#binder_call(vendor_hal_drm_widevine, hal_graphics_composer)
hal_client_domain(vendor_hal_drm_widevine, hal_graphics_composer);
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:dir create_dir_perms;
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:file create_file_perms;

35
generic/vendor/common/hal_gatekeeper_qti.te vendored
View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_gatekeeper_qti, domain;
hal_server_domain(vendor_hal_gatekeeper_qti, hal_gatekeeper)
type vendor_hal_gatekeeper_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gatekeeper_qti)
dontaudit vendor_hal_gatekeeper_qti firmware_file:dir search;
get_prop(vendor_hal_gatekeeper_qti, vendor_tee_listener_prop)

64
generic/vendor/common/hal_gnss_qti.te vendored
View File

@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
type vendor_hal_gnss_qti, domain;
hal_server_domain(vendor_hal_gnss_qti, hal_gnss)
type vendor_hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gnss_qti)
# vendor binder
use_vendor_per_mgr(vendor_hal_gnss_qti)
# /data/vendor/vendor_location
allow vendor_hal_gnss_qti vendor_location_data_file:fifo_file { open read setattr write };
allow vendor_hal_gnss_qti vendor_location_data_file:dir create_dir_perms;
allow vendor_hal_gnss_qti vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_hal_gnss_qti vendor_location_socket:sock_file create_file_perms;
allow vendor_hal_gnss_qti vendor_location_socket:dir rw_dir_perms;
allow vendor_hal_gnss_qti vendor_location:unix_stream_socket connectto;
allow vendor_hal_gnss_qti vendor_location:unix_dgram_socket sendto;
# Allow Gnss HAL to get updates from health hal
hal_client_domain(vendor_hal_gnss_qti, hal_health)
# Most HALs are not allowed to use network sockets. QTI library
# libqdi is used across multiple processes which are clients of
# netmgrd including the GNSS HAL. libqdi first attempts to get the network
# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
# If that fails, it falls back to using libc's if_nameindex() which requires
# a netlink route socket, which HALs may use. Due to the initial
# attempt to use a UDP socket, we still see a selinux denial,
# but it is safe to ignore.
# TODO (b/37730994) Remove udp_socket requirement from
# libqdi and have all its clients use netlink route
# sockets.
dontaudit vendor_hal_gnss_qti self:udp_socket create;

91
generic/vendor/common/hal_graphics_composer_default.te vendored
View File

@@ -1,91 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Binder access (for display.qservice)
vndbinder_use(hal_graphics_composer_default)
hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
allow hal_graphics_composer_default vendor_qdisplay_service:service_manager { add find };
allow hal_graphics_composer_default vendor_persist_display_file:dir search;
allow hal_graphics_composer_default vendor_persist_display_file:file r_file_perms;
# Allow reading/writing to '/mnt/vendor/persist/display/*'
allow hal_graphics_composer_default vendor_persist_display_file:dir rw_dir_perms;
allow hal_graphics_composer_default vendor_persist_display_file:file create_file_perms;
allow hal_graphics_composer vendor_sysfs_graphics:dir r_dir_perms;
allow hal_graphics_composer vendor_sysfs_graphics:file rw_file_perms;
allow hal_graphics_composer_default mnt_vendor_file:dir search;
allow hal_graphics_composer oemfs:dir r_dir_perms;
get_prop(hal_graphics_composer, vendor_display_prop)
allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
r_dir_file(hal_graphics_composer_default, sysfs_leds)
# TODO(b/37666508): Remove the following line upon resolution of the bug
allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
# HWC_UeventThread
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Allow ion_device read/write permission
allow hal_graphics_composer_default ion_device:chr_file rw_file_perms;
# Access /sys/devices/virtual/graphics/fb0
r_dir_file(hal_graphics_composer_default, sysfs_type)
# Allow reading/writing to '/data/vendor/display/*'
allow hal_graphics_composer_default vendor_display_vendor_data_file:dir create_dir_perms;
allow hal_graphics_composer_default vendor_display_vendor_data_file:file create_file_perms;
userdebug_or_eng(`
allow hal_graphics_composer_default vendor_debugfs_mdp:dir r_dir_perms;
allow hal_graphics_composer_default vendor_debugfs_mdp:file r_file_perms;
')
userdebug_or_eng(`
# Allow read to /sys/kernel/debug/*
allow hal_graphics_composer vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer vendor_qti_display_debugfs:file r_file_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:file r_file_perms;
')
# Allow sensor service access
allow hal_graphics_composer fwk_sensor_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer, system_server)
# allow composer to register display config
add_hwservice(hal_graphics_composer_server, vendor_hal_display_config_hwservice);
# allow composer client to find display config service.
allow hal_graphics_composer_client vendor_hal_display_config_hwservice:hwservice_manager find;
# Allow qdcmss socket access
unix_socket_connect(hal_graphics_composer_default, vendor_qdcmsocket, vendor_qdcm-ss)

36
generic/vendor/common/hal_health.te vendored
View File

@@ -1,36 +0,0 @@
# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_health, vendor_sysfs_battery_supply);
r_dir_file(hal_health, vendor_sysfs_usb_supply);
allow hal_health hal_health_default:dir search;
allow hal_health {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;

52
generic/vendor/common/hal_imsrtp.te vendored
View File

@@ -1,52 +0,0 @@
# Copyright (c) 2018,2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#vendor_ims rtp service
type vendor_hal_imsrtp, domain;
type vendor_hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_imsrtp)
net_domain(vendor_hal_imsrtp)
hwbinder_use(vendor_hal_imsrtp)
get_prop(vendor_hal_imsrtp, hwservicemanager_prop)
add_hwservice(vendor_hal_imsrtp, vendor_hal_imsrtp_hwservice)
allow vendor_hal_imsrtp self: qipcrtr_socket create_socket_perms_no_ioctl;
unix_socket_connect(vendor_hal_imsrtp, vendor_ims, vendor_ims)
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp self:capability net_bind_service;
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp ion_device:chr_file r_file_perms;
allow vendor_hal_imsrtp vendor_sysfs_data:file r_file_perms;
r_dir_file(vendor_hal_imsrtp, vendor_sysfs_diag)
get_prop(vendor_hal_imsrtp, vendor_ims_prop)
binder_call(vendor_hal_imsrtp, vendor_qtelephony)

35
generic/vendor/common/hal_keymaster_qti.te vendored
View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_keymaster_qti, domain;
hal_server_domain(vendor_hal_keymaster_qti, hal_keymaster)
type vendor_hal_keymaster_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_keymaster_qti)
dontaudit vendor_hal_keymaster_qti firmware_file:dir search;
get_prop(vendor_hal_keymaster_qti, vendor_tee_listener_prop)

28
generic/vendor/common/hal_light.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_light vendor_sysfs_graphics:dir search;
allow hal_light vendor_sysfs_graphics:file rw_file_perms;

47
generic/vendor/common/hal_neuralnetworks.te vendored
View File

@@ -1,47 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_neuralnetworks_default, domain;
hal_server_domain(vendor_hal_neuralnetworks_default, hal_neuralnetworks)
hal_client_domain(vendor_hal_neuralnetworks_default, hal_graphics_allocator)
type vendor_hal_neuralnetworks_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_neuralnetworks_default)
allow vendor_hal_neuralnetworks_default fwk_sensor_hwservice:hwservice_manager find;
allow vendor_hal_neuralnetworks_default vendor_qdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default vendor_xdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default ion_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default app_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default shell_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:dir create_dir_perms;
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:{ file fifo_file } create_file_perms;
allow vendor_hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
allow vendor_hal_neuralnetworks_default vendor_npu_device:chr_file r_file_perms;
r_dir_file(vendor_hal_neuralnetworks_default, adsprpcd_file)

42
generic/vendor/common/hal_qdutils_disp_qti.te vendored
View File

@@ -1,42 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_qdutils_disp_qti, domain;
hal_server_domain(vendor_hal_qdutils_disp_qti, vendor_hal_qdutils_disp)
type vendor_hal_qdutils_disp_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_qdutils_disp_qti)
binder_call(vendor_hal_qdutils_disp_client, vendor_hal_qdutils_disp_server)
binder_call(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_client)
add_hwservice(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_hwservice)
allow vendor_hal_qdutils_disp_client vendor_hal_qdutils_disp_hwservice:hwservice_manager find;
vndbinder_use(vendor_hal_qdutils_disp_qti);
allow vendor_hal_qdutils_disp_qti vendor_qdisplay_service:service_manager find;
#hal_client_domain(vendor_hal_qdutils_disp_qti, hal_display_config);
hal_client_domain(vendor_hal_qdutils_disp_qti, hal_graphics_composer);

71
generic/vendor/common/hal_rcsservice.te vendored
View File

@@ -1,71 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_rcsservice, domain;
type vendor_hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_rcsservice)
net_domain(vendor_hal_rcsservice)
get_prop(vendor_hal_rcsservice, vendor_ims_prop)
set_prop(vendor_hal_rcsservice, vendor_ims_prop)
# To register imsrcsd to hwBinder
hwbinder_use(vendor_hal_rcsservice)
# add IUceSerive and IService to Hidl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsrcsd_hwservice)
add_hwservice(vendor_hal_rcsservice, vendor_hal_imscallinfo_hwservice)
#add imsfactory to HIDl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsfactory_hwservice)
get_prop(vendor_hal_rcsservice, hwservicemanager_prop)
allow vendor_hal_rcsservice vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_rcsservice vendor_sysfs_data:file r_file_perms;
allow vendor_hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
#required for socket creation
unix_socket_connect(vendor_hal_rcsservice, vendor_ims, vendor_ims)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_hal_rcsservice, vendor_dataservice_app)
# imsrcsd needs read/write access to devpts
allow vendor_hal_rcsservice devpts:chr_file rw_file_perms;
# allow imsrcsd capabilities
wakelock_use(vendor_hal_rcsservice)
allow vendor_hal_rcsservice self:capability net_bind_service;
allow vendor_hal_rcsservice self:capability2 wake_alarm;
#diag
userdebug_or_eng(`
diag_use(vendor_hal_rcsservice)
binder_call(vendor_hal_rcsservice, radio)
')
set_prop(vendor_hal_rcsservice, vendor_ctl_vendor_imsrcsservice_prop)

65
generic/vendor/common/hal_sensors_default.te vendored
View File

@@ -1,65 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# read factory calibration and sensor configuration data
allow hal_sensors_default mnt_vendor_file:dir search;
r_dir_file(hal_sensors_default, vendor_persist_sensors_file)
get_prop(hal_sensors_default, vendor_sensors_prop)
# Access to tests from userdebug/eng builds
userdebug_or_eng(`
diag_use(hal_sensors_default)
get_prop(hal_sensors_default, vendor_sensors_dbg_prop)
allow hal_sensors_default vendor_sysfs_timestamp_switch:file r_file_perms;
')
allow hal_sensors_default vendor_qdsp_device:chr_file r_file_perms;
allow hal_sensors_default vendor_xdsp_device:chr_file r_file_perms;
allow hal_sensors vendor_sysfs_data:file r_file_perms;
allow hal_sensors vendor_sysfs_sensors:dir r_dir_perms;
allow hal_sensors vendor_sysfs_sensors:file rw_file_perms;
allow hal_sensors vendor_sysfs_sensors:lnk_file read;
#following to set the ssr
allow hal_sensors_default vendor_sysfs_slpi:dir search;
allow hal_sensors_default vendor_sysfs_slpi:file w_file_perms;
allow hal_sensors_default vendor_sysfs_adsp_ssr:file w_file_perms;
allow hal_sensors_default vendor_persist_sensors_file:dir rw_dir_perms;
allow hal_sensors_default vendor_persist_sensors_file:file create_file_perms;
allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms;
allow hal_sensors_default mnt_vendor_file:file create_file_perms;
#interact with the sensors low power island (SLPI) CPU
allow hal_sensors_default self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm hal_sensors_default self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
allow hal_sensors_default system_server:fd use;
hal_client_domain(hal_sensors_default, hal_graphics_allocator)
# allow to read adsprpc related properties
get_prop(hal_sensors_default, vendor_adsprpc_prop)

28
generic/vendor/common/hal_telephony.te vendored
View File

@@ -1,28 +0,0 @@
#Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
set_prop(hal_telephony_server, vendor_radio_prop);

40
generic/vendor/common/hal_tetheroffload_default.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_tetheroffload_default vendor_ipa_dev:chr_file rw_file_perms;
allow hal_tetheroffload_default vendor_ipacm_socket:sock_file w_file_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:file create_file_perms;
#add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
#diag
userdebug_or_eng(`
r_dir_file(hal_tetheroffload_default, vendor_sysfs_diag)
allow hal_tetheroffload_default vendor_sysfs_timestamp_switch:file r_file_perms;
')

28
generic/vendor/common/hal_thermal_default.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_thermal_default sysfs_thermal:lnk_file read;
allow hal_thermal_default proc_stat:file { getattr open read };

51
generic/vendor/common/hal_trustedui_qti.te vendored
View File

@@ -1,51 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_trustedui_qti, domain;
hal_server_domain(vendor_hal_trustedui_qti, vendor_hal_trustedui)
type vendor_hal_trustedui_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_trustedui_qti)
binder_call(vendor_hal_trustedui_client, vendor_hal_trustedui_server)
binder_call(vendor_hal_trustedui_server, vendor_hal_trustedui_client)
hal_attribute_hwservice(vendor_hal_trustedui, vendor_hal_trustedui_hwservice)
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_allocator);
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_composer);
hal_client_domain(vendor_hal_trustedui_qti, vendor_hal_systemhelper);
allow vendor_hal_trustedui_qti vendor_sysfs_sectouch:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:dir r_dir_perms;
allow vendor_hal_trustedui_qti ion_device:chr_file r_file_perms;
allow vendor_hal_trustedui_qti surfaceflinger:fd use;
allow vendor_hal_trustedui_qti tee_device:chr_file rw_file_perms;
binder_call(vendor_hal_trustedui_qti, vendor_systemhelper_app)

39
generic/vendor/common/hal_tui_comm_qti.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_tui_comm_qti, domain;
hal_server_domain(vendor_hal_tui_comm_qti, vendor_hal_tui_comm)
type vendor_hal_tui_comm_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_tui_comm_qti)
binder_call(vendor_hal_tui_comm_client, vendor_hal_tui_comm_server)
binder_call(vendor_hal_tui_comm_server, vendor_hal_tui_comm_client)
add_hwservice(vendor_hal_tui_comm_server, vendor_hal_tui_comm_hwservice)
allow vendor_hal_tui_comm_client vendor_hal_tui_comm_hwservice:hwservice_manager find;
hal_client_domain(vendor_hal_tui_comm_qti, hal_graphics_allocator);

31
generic/vendor/common/hal_usb_default.te vendored
View File

@@ -1,31 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_usb_default vendor_sysfs_usbpd_device:dir r_dir_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:lnk_file r_file_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:file rw_file_perms;
r_dir_file(hal_usb_default, vendor_sysfs_usb_supply);

32
generic/vendor/common/hal_vibrator_default.te vendored
View File

@@ -1,32 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_vibrator_default, sysfs_leds)
allow hal_vibrator_default sysfs_leds:file rw_file_perms;
# read-only permission to obtain the calibration data
r_dir_file(hal_vibrator_default, vendor_persist_haptics_file)
allow hal_vibrator_default mnt_vendor_file:dir search;

53
generic/vendor/common/hal_wifi.te vendored
View File

@@ -1,53 +0,0 @@
#Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# allow hal_wifi to write into /proc/debugdriver/driverdump
r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg)
# write to files owned by location daemon
allow hal_wifi_default vendor_location_socket:dir search;
allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
# Connect to vendor_location via vendor_location socket.
unix_socket_connect(hal_wifi, vendor_location, vendor_location)
allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
# Write wlan driver/fw version into property
set_prop(hal_wifi_default, vendor_wifi_version)
# allow hal_wifi to write into /proc/sys/net/ipv4
allow hal_wifi proc_net:file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
userdebug_or_eng(`
allow hal_wifi_server vendor_tombstone_data_file:dir rw_dir_perms;
allow hal_wifi_server vendor_tombstone_data_file:file create_file_perms;
')

28
generic/vendor/common/hal_wifi_default.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_wifi vendor_wlan_device:chr_file rw_file_perms;

32
generic/vendor/common/hal_wifi_hostapd.te vendored
View File

@@ -1,32 +0,0 @@
#Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
userdebug_or_eng(`
allow hal_wifi_hostapd vendor_wifi_vendor_log_data_file:dir search;
')

43
generic/vendor/common/hal_wifi_supplicant.te vendored
View File

@@ -1,43 +0,0 @@
#Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Allow access to create socket and ioctl.
allow hal_wifi_supplicant_default self:socket create_socket_perms;
# ioctlcmd=c304, c302
allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;
allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:dir w_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
# Permission for wpa socket which IMS use to communicate
# # Allow wpa_supplicant to send back wifi information to cnd
allow hal_wifi_supplicant_default { vendor_cnd vendor_ims vendor_mutualex}:unix_dgram_socket sendto;
# # Allow wpa_supplicant to send back wifi information to vendor_location
allow hal_wifi_supplicant_default vendor_location:unix_dgram_socket sendto;

83
generic/vendor/common/hbtp.te vendored
View File

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Policies for vendor_hbtp (host based touch processing)
type vendor_hbtp, domain;
type vendor_hbtp_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hbtp)
hal_server_domain(vendor_hbtp, vendor_hal_hbtp)
# Allow access for /dev/vendor_hbtp_input and /dev/jdi-bu21150
allow vendor_hbtp { vendor_hbtp_device vendor_qdsp_device vendor_dsp_device vendor_bu21150_device vendor_xdsp_device }:chr_file rw_file_perms;
allow vendor_hbtp vendor_hbtp_log_file:dir rw_dir_perms;
allow vendor_hbtp vendor_hbtp_log_file:file create_file_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:file r_file_perms;
allow vendor_hbtp firmware_file:dir r_dir_perms;
allow vendor_hbtp firmware_file:file r_file_perms;
allow vendor_hbtp vendor_firmware_file:dir r_dir_perms;
allow vendor_hbtp vendor_firmware_file:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_kernel_sysfs:file rw_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:file r_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:dir r_dir_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:dir r_dir_perms;
allow vendor_hbtp ion_device:chr_file r_file_perms;
allow vendor_hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
# Allow the service to access wakelock sysfs
allow vendor_hbtp sysfs_wake_lock:file r_file_perms;
# Allow the service to change to system from root
allow vendor_hbtp self:capability { setgid setuid sys_nice };
# Allow load touch driver as touchPD
r_dir_file(vendor_hbtp, adsprpcd_file)
#allow the service to read adsprpc_prop
get_prop(vendor_hbtp, vendor_adsprpc_prop)
# Allow the service to access wakelock capability
wakelock_use(vendor_hbtp)
# Allow hwbinder call from hal client to server and vice-versa
binder_call(vendor_hal_hbtp_client, vendor_hal_hbtp_server)
binder_call(vendor_hal_hbtp_server, vendor_hal_hbtp_client)
# Allow hwservice related rules
add_hwservice(vendor_hal_hbtp_server, vendor_hal_hbtp_hwservice)
allow vendor_hal_hbtp_client vendor_hal_hbtp_hwservice:hwservice_manager find;
hal_client_domain(vendor_hbtp, hal_allocator);

35
generic/vendor/common/healthd.te vendored
View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow healthd self:capability2 wake_alarm;
r_dir_file(healthd, vendor_sysfs_battery_supply)
r_dir_file(healthd, vendor_sysfs_usb_supply)
r_dir_file(healthd, sysfs_thermal);
allow healthd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;

44
generic/vendor/common/hwservice.te vendored
View File

@@ -1,44 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_cne_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_cacert_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_dataconnection_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_iwlan_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_config_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrcsd_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imscallinfo_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_ipacm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_hbtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_perf_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_tui_comm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_qdutils_disp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_trustedui_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_color_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_postproc_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_camera_postproc_hwservice, hwservice_manager_type, protected_hwservice;

64
generic/vendor/common/hwservice_contexts vendored
View File

@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
com.dsi.ant::IAnt u:object_r:hal_bluetooth_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
com.qualcomm.qti.uceservice::IUceService u:object_r:vendor_hal_imsrcsd_hwservice:s0
com.qualcomm.qti.imscmservice::IImsCmService u:object_r:vendor_hal_imsrcsd_hwservice:s0
vendor.qti.ims.callinfo::IService u:object_r:vendor_hal_imscallinfo_hwservice:s0
vendor.qti.imsrtpservice::IRTPService u:object_r:vendor_hal_imsrtp_hwservice:s0
vendor.qti.data.factory::IFactory u:object_r:vendor_hal_datafactory_hwservice:s0
vendor.qti.ims.factory::IImsFactory u:object_r:vendor_hal_imsfactory_hwservice:s0
vendor.qti.hardware.data.connection::IDataConnection u:object_r:vendor_hal_dataconnection_hwservice:s0
vendor.qti.hardware.cacert::IService u:object_r:vendor_hal_cacert_hwservice:s0
vendor.display.config::IDisplayConfig u:object_r:vendor_hal_display_config_hwservice:s0
vendor.display.color::IDisplayColor u:object_r:vendor_hal_display_color_hwservice:s0
vendor.display.postproc::IDisplayPostproc u:object_r:vendor_hal_display_postproc_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object_r:vendor_hal_capabilityconfigstore_qti_hwservice:s0
vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.blobmanager::IBlobManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.perf::IPerf u:object_r:vendor_hal_perf_hwservice:s0
vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vendor_hal_atfwd_hwservice:s0
vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.ims::IImsRadio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim::IUim u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
vendor.qti.hardware.display.composer::IQtiComposer u:object_r:hal_graphics_composer_hwservice:s0
vendor.qti.hardware.tui_comm::ITuiComm u:object_r:vendor_hal_tui_comm_hwservice:s0
vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:vendor_hal_qdutils_disp_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedUI u:object_r:vendor_hal_trustedui_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedInput u:object_r:vendor_hal_trustedui_hwservice:s0
android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
vendor.qti.hardware.camera.postproc::IPostProcService u:object_r:vendor_hal_camera_postproc_hwservice:s0

63
generic/vendor/common/ims.te vendored
View File

@@ -1,63 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ims, domain;
type vendor_ims_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ims)
net_domain(vendor_ims)
get_prop(vendor_ims, hwservicemanager_prop)
set_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_cnd_prop)
allow vendor_ims vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_ims vendor_sysfs_data:file r_file_perms;
allow vendor_ims self:capability net_bind_service;
allow vendor_ims ion_device:chr_file r_file_perms;
unix_socket_connect(vendor_ims, vendor_cnd, vendor_cnd)
allow vendor_ims self:socket create_socket_perms_no_ioctl;
allow vendor_ims vendor_ims_socket:sock_file write;
allow vendor_ims self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
allow vendor_ims self:{ netlink_generic_socket } create_socket_perms_no_ioctl;
netmgr_socket(vendor_ims);
allowxperm vendor_ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
allow vendor_ims self:tipc_socket { create_socket_perms_no_ioctl };
#diag
userdebug_or_eng(`
diag_use(vendor_ims)
')
hwbinder_use(vendor_ims)
allow vendor_ims vendor_hal_cne_hwservice:hwservice_manager find;
allow vendor_ims vendor_hal_datafactory_hwservice:hwservice_manager find;
binder_call(vendor_ims, vendor_cnd)

37
generic/vendor/common/imshelper_app.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_imshelper_app, domain;
app_domain(vendor_imshelper_app);
unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims)
allow vendor_imshelper_app app_api_service:service_manager find;
#allow qsee_svc_app vendor_imshelper_app_data_file:dir create_dir_perms;
#allow qsee_svc_app vendor_imshelper_app_data_file:file create_file_perms;
allow vendor_imshelper_app system_app_data_file:dir { getattr search };
allow vendor_imshelper_app vendor_radio_data_file:dir { getattr search };

37
generic/vendor/common/init-qcom-crashdata-sh.te vendored
View File

@@ -1,37 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-crashdata-sh, domain;
type vendor_init-qcom-crashdata-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-crashdata-sh)
allow vendor_init-qcom-crashdata-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-crashdata-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_cnt_prop)
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_detect_prop)

43
generic/vendor/common/init-qcom-sensors-sh.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-sensors-sh, domain;
type vendor_init-qcom-sensors-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-sensors-sh)
allow vendor_init-qcom-sensors-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-sensors-sh vendor_toolbox_exec:file rx_file_perms;
r_dir_file(vendor_init-qcom-sensors-sh, mnt_vendor_file)
r_dir_file(vendor_init-qcom-sensors-sh, vendor_persist_sensors_file)
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:file setattr;
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:dir setattr;
allow vendor_init-qcom-sensors-sh sensors_device:chr_file r_file_perms;
set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)

40
generic/vendor/common/init-qti-ims-sh.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qti-ims-sh, domain;
type vendor_init-qti-ims-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qti-ims-sh)
allow vendor_init-qti-ims-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qti-ims-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
get_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
# for ro.build.product
get_prop(vendor_init-qti-ims-sh, exported2_default_prop)

83
generic/vendor/common/init.te vendored
View File

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow init {
adsprpcd_file
cache_file
mnt_vendor_file
storage_file
vendor_vm_system_file
}:dir mounton;
# symlink /sdcard to backing block
allow init tmpfs:lnk_file create;
allow init tty_device:chr_file rw_file_perms;
allow init mnt_vendor_file:dir mounton;
allow init vendor_ab_block_device:lnk_file relabelto;
#Allow init to mount non-hlos partitions in A/B builds
allow init { bt_firmware_file vendor_firmware_file firmware_file } :dir mounton;
allow init { bt_firmware_file firmware_file }:filesystem { relabelfrom mount };
allow { bt_firmware_file firmware_file }self:filesystem associate;
dontaudit init kernel:system module_request;
allow init sysfs_leds:lnk_file r_file_perms;
allow init socket_device:sock_file create_file_perms;
#Needed for restorecon. Init already has these permissions
#for generic block devices, but is unable to access those
#which have a custom lable added by us.
allow init {
vendor_custom_ab_block_device
boot_block_device
vendor_xbl_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
vendor_vm_data_block_device
}:{ blk_file lnk_file } relabelto;
#Allow /sys access to write zram disksize
allow init sysfs_zram:dir r_dir_perms;
allow init sysfs_zram:file r_file_perms;
allow init vendor_sysfs_boot_adsp:file w_file_perms;
allow init bt_firmware_file:filesystem getattr;
allow init firmware_file:filesystem getattr;
# Search and write access for vendor_sysfs_graphics for backlight in recovery
recovery_only(`
allow init vendor_sysfs_graphics:file w_file_perms;
allow init vendor_sysfs_graphics:dir search;
allow init vendor_sysfs_usb_device:file w_file_perms;
')

187
generic/vendor/common/init_shell.te vendored
View File

@@ -1,187 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type vendor_qti_init_shell, domain;
type vendor_qti_init_shell_exec, exec_type, vendor_file_type,file_type;
init_daemon_domain(vendor_qti_init_shell)
domain_auto_trans(init, vendor_shell_exec, vendor_qti_init_shell)
# For executing init shell scripts (init.qcom.early_boot.sh)
allow vendor_qti_init_shell vendor_qti_init_shell_exec:file { rx_file_perms entrypoint };
#execute init scripts
allow vendor_qti_init_shell vendor_shell_exec:file {rx_file_perms entrypoint };
allow vendor_qti_init_shell vendor_toolbox_exec:file rx_file_perms;
# For getting idle_time value
# this is needed for dynamic_fps and bw_mode_bitmap
allow vendor_qti_init_shell vendor_sysfs_graphics:file {rw_file_perms setattr};
allow vendor_qti_init_shell mnt_vendor_file:dir w_dir_perms;
allow vendor_qti_init_shell mnt_vendor_file:file create_file_perms;
allow vendor_qti_init_shell vendor_smd_device:chr_file rw_file_perms;
# Run helpers from / or /system without changing domain.
allow vendor_qti_init_shell { rootfs vendor_shell_exec }:file execute_no_trans;
allow vendor_qti_init_shell gpu_device:chr_file getattr;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:dir r_dir_perms;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:file rw_file_perms;
# for insmod of iris ko, this is needed.
# fowner and fsetid are needed for chmod display nodes.
allow vendor_qti_init_shell self:capability {
sys_module
net_admin
chown
fowner
fsetid
sys_admin
};
set_prop(vendor_qti_init_shell, vendor_ctl_netmgrd_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_port-bridge_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_qcrild_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm-diag_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm_prop)
set_prop(vendor_qti_init_shell, vendor_msm_irqbalance_prop)
set_prop(vendor_qti_init_shell, vendor_dataqti_prop)
set_prop(vendor_qti_init_shell, vendor_display_prop)
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_gralloc_prop)
set_prop(vendor_qti_init_shell, vendor_usb_prop)
set_prop(vendor_qti_init_shell, vendor_system_prop)
set_prop(vendor_qti_init_shell, vendor_mpctl_prop)
set_prop(vendor_qti_init_shell, vendor_radio_prop)
set_prop(vendor_qti_init_shell, vendor_audio_prop)
get_prop(vendor_qti_init_shell, exported3_radio_prop)
set_prop(vendor_qti_init_shell, vendor_gpu_prop)
set_prop(vendor_qti_init_shell, vendor_sensors_prop)
allow vendor_qti_init_shell {
sysfs_devices_system_cpu
sysfs_lowmemorykiller
vendor_sysfs_mmc_host
vendor_sysfs_process_reclaim
}:file w_file_perms;
r_dir_file(vendor_qti_init_shell, sysfs_type)
r_dir_file(vendor_qti_init_shell, vendor_sysfs_devfreq)
allow vendor_qti_init_shell vendor_sysfs_devfreq:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_soc:file write;
allow vendor_qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
allow vendor_qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
# To start sensors for DSPS enabled platforms
r_dir_file(vendor_qti_init_shell, mnt_vendor_file)
r_dir_file(vendor_qti_init_shell, vendor_persist_bluetooth_file)
allow vendor_qti_init_shell { proc proc_net}:file write;
allow vendor_qti_init_shell proc_net:file r_file_perms;
allow vendor_qti_init_shell graphics_device:dir create_dir_perms;
allow vendor_qti_init_shell graphics_device:lnk_file create_file_perms;
#insmod of ko from scripts need kernel key search
allow vendor_qti_init_shell kernel:key search;
allow vendor_qti_init_shell cgroup:dir add_name;
# To allow copy for mbn files
r_dir_file(vendor_qti_init_shell, firmware_file)
# /dev/block/zram0
allow vendor_qti_init_shell block_device:dir r_dir_perms;
allow vendor_qti_init_shell swap_block_device:blk_file rw_file_perms;
#For configfs permission
allow vendor_qti_init_shell configfs:dir r_dir_perms;
allow vendor_qti_init_shell configfs:file rw_file_perms;
#Allow /sys access to write zram disksize
allow vendor_qti_init_shell sysfs_zram:dir r_dir_perms;
allow vendor_qti_init_shell sysfs_zram:file rw_file_perms;
# To get GPU frequencies and set attributes
allow vendor_qti_init_shell vendor_sysfs_kgsl:file { r_file_perms setattr };
allow vendor_qti_init_shell proc:file r_file_perms;
allow vendor_qti_init_shell rootfs:file r_file_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:file create_file_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:file create_file_perms;
set_prop(vendor_qti_init_shell, vendor_ctl_vendor_hbtp_prop)
# rules for vm_bms
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:dir r_dir_perms;
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:file rw_file_perms;
allow vendor_qti_init_shell vendor_sysfs_battery_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usb_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usbpd_device:file setattr;
allow vendor_qti_init_shell sysfs_devices_system_cpu:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_msm_power:file rw_file_perms;
allow vendor_qti_init_shell vendor_msm_irqbalanced_exec:file getattr;
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_wifi_prop)
# To read /proc/meminfo
allow vendor_qti_init_shell proc_meminfo:file r_file_perms;
allow vendor_qti_init_shell vendor_sysfs_suspend:file w_file_perms;
# Set ro.vendor.qti.soc_id to soc_id in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_id_prop);
# Set ro.vendor.qti.soc_name to soc_name in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_name_prop);
# Get persist.console.silent.config for kernel console log level
get_prop(vendor_qti_init_shell, vendor_console_log_level_prop)
set_prop(vendor_qti_init_shell,vendor_dcvs_prop)

39
generic/vendor/common/ioctl_defines vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# socket ioctls
define(`RMNET_IOCTL_EXTENDED', `0x000089FD')
# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
#mmc ioctls defined in the kernel in include/uapi/linux/mmc/ioctl.h
define(`MMC_IOC_MULTI_CMD', `0xc008b301')

93
generic/vendor/common/ioctl_macros vendored
View File

@@ -1,93 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
define(`gpu_ioctls', `{
IOCTL_KGSL_DEVICE_GETPROPERTY
IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID
IOCTL_KGSL_DRAWCTXT_CREATE
IOCTL_KGSL_DRAWCTXT_DESTROY
IOCTL_KGSL_MAP_USER_MEM
IOCTL_KGSL_SHAREDMEM_FREE
IOCTL_KGSL_SETPROPERTY
IOCTL_KGSL_TIMESTAMP_EVENT
IOCTL_KGSL_PERFCOUNTER_GET
IOCTL_KGSL_PERFCOUNTER_PUT
IOCTL_KGSL_SYNCSOURCE_CREATE
IOCTL_KGSL_SYNCSOURCE_DESTROY
IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE
IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE
IOCTL_KGSL_GPUOBJ_ALLOC
IOCTL_KGSL_GPUOBJ_FREE
IOCTL_KGSL_GPUOBJ_INFO
IOCTL_KGSL_GPUOBJ_IMPORT
IOCTL_KGSL_GPUOBJ_SYNC
IOCTL_KGSL_GPU_COMMAND
}')
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
define(`msm_sock_qrtr_ioctls', `{
TIOCOUTQ
}')
define(`rmnet_sock_ioctls', `{
SIOCDEVPRIVATE_1
SIOCDEVPRIVATE_2
SIOCDEVPRIVATE_3
SIOCDEVPRIVATE_4
SIOCDEVPRIVATE_5
SIOCDEVPRIVATE_6
SIOCDEVPRIVATE_7
SIOCDEVPRIVATE_8
SIOCDEVPRIVATE_9
SIOCDEVPRIVATE_A
SIOCDEVPRIVATE_B
SIOCDEVPRIVATE_C
SIOCDEVPRIVATE_D
}')
define(`wlan_sock_ioctls', `{
SIOCSIWPRIV
SIOCIWFIRSTPRIV_15
}')
define(`lowi_server_ioctls', `{
SIOCGIFINDEX
SIOCGIFHWADDR
SIOCGIFFLAGS
SIOCIWFIRSTPRIV_05
SIOCIWFIRSTPRIV_11
SIOCIWFIRSTPRIV_13
SIOCDEVPRIVATE_1
}')

69
generic/vendor/common/ipacm.te vendored
View File

@@ -1,69 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# General definitions
type vendor_ipacm, domain;
type vendor_ipacm-diag, domain;
type vendor_ipacm_exec, exec_type, vendor_file_type, file_type;
type vendor_ipacm-diag_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ipacm)
init_daemon_domain(vendor_ipacm-diag)
# associate netdomain to use for accessing internet sockets
net_domain(vendor_ipacm)
hal_server_domain(vendor_ipacm, hal_tetheroffload)
userdebug_or_eng(`
# Allow using the logging file between vendor_ipacm and vendor_ipacm-diag
unix_socket_send(vendor_ipacm, vendor_ipacm, vendor_ipacm-diag)
')
# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
allow hal_tetheroffload vendor_ipa_dev:chr_file rw_file_perms;
# Allow UDP socket create and ioctl
allow hal_tetheroffload self:udp_socket create_socket_perms;
allowxperm vendor_ipacm self:udp_socket ioctl SIOCGIFNAME;
# Allow receiving NETLINK messages
allow hal_tetheroffload self:netlink_route_socket { nlmsg_read nlmsg_readpriv create_socket_perms_no_ioctl };
# Allow receiving NETLINK messages
allow hal_tetheroffload self:{
netlink_socket
# Allow querying the network stack via IOCTLs
netlink_generic_socket
} create_socket_perms_no_ioctl;
# Allow creating and modifying the PID file
allow hal_tetheroffload vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload vendor_ipa_vendor_data_file:file create_file_perms;
# To register vendor_ipacm to hwbinder
#add_hwservice(vendor_ipacm, hal_vendor_ipacm_hwservice)
#binder_call(vendor_ipacm, system_server)

33
generic/vendor/common/irsc_util.te vendored
View File

@@ -1,33 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_irsc_util, domain;
type vendor_irsc_util_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_irsc_util)
allow vendor_irsc_util self:socket create_socket_perms;
allowxperm vendor_irsc_util self:socket ioctl msm_sock_ipc_ioctls;

43
generic/vendor/common/kernel.te vendored
View File

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# for diag over socket
userdebug_or_eng(`
allow kernel self:socket create;
allow kernel self:qipcrtr_socket create;
allow kernel vendor_debugfs_wlan:dir search;
allow kernel vendor_debugfs_ipc:dir search;
allow kernel debugfs_mmc:dir search;
')
# Access firmware_file
r_dir_file(kernel, firmware_file)
# access vendor_firmware_file
r_dir_file(kernel, vendor_firmware_file)
dontaudit kernel kernel:system module_request;

99
generic/vendor/common/location.te vendored
View File

@@ -1,99 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
# loc_launcher service
# which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location
type vendor_location, domain;
type vendor_location_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_location)
allow vendor_location self:capability { setgid setuid };
hwbinder_use(vendor_location)
get_prop(vendor_location, hwservicemanager_prop)
get_prop(vendor_location, vendor_cnd_prop)
#xtra-daemon access to qcc properties
get_prop(vendor_location, vendor_qcc_prop)
allow vendor_location fwk_sensor_hwservice:hwservice_manager find;
binder_call(vendor_location, system_server)
binder_call(vendor_location, vendor_cnd)
# Enable standard network access (for XTRA download)
net_domain(vendor_location)
# required for xtra-daemon, slim-daemon.
allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl;
dontaudit vendor_location kernel:system module_request;
# execute permission for vendor_location daemons in /vendor/bin/
allow vendor_location vendor_location_exec:file rx_file_perms;
# /data/vendor/vendor_location
allow vendor_location vendor_location_data_file:dir create_dir_perms;
allow vendor_location vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_location vendor_location_socket:sock_file create_file_perms;
allow vendor_location vendor_location_socket:dir rw_dir_perms;
allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;
# permission for read execute vendor_location daemons in userdebug mode.
userdebug_or_eng(`
allow shell vendor_location_exec:file rx_file_perms;
')
## lowi-server
##############
# some additional network access
allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_location self:netlink_socket create_socket_perms_no_ioctl;
allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls;
allow vendor_location hal_wifi:unix_stream_socket { read write };
# /data/vendor/wifi
allow vendor_location vendor_wifi_vendor_data_file:dir search;
# /data/vendor/wifi/wpa
allow vendor_location wpa_data_file:dir rw_dir_perms;
allow vendor_location wpa_data_file:sock_file create_file_perms;
allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;
# /dev/socket/wifihal
allow vendor_location vendor_wifihal_socket:dir search;
unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default);
## xtra-daemon
##############
allow vendor_location {vendor_hal_cacert_hwservice vendor_hal_datafactory_hwservice vendor_hal_cne_hwservice}:hwservice_manager find;
binder_call(vendor_location, vendor_qtidataservices_app)

74
generic/vendor/common/mdm_helper.te vendored
View File

@@ -1,74 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Policy for vendor_mdm_helper
#vendor_mdm_helper - vendor_mdm_helper domain
type vendor_mdm_helper, domain;
type vendor_mdm_helper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_mdm_helper);
#block_suspend capability is needed by kickstart(ks)
wakelock_use(vendor_mdm_helper)
#Needed to power on the peripheral
allow vendor_mdm_helper vendor_ssr_device:chr_file r_file_perms;
#Needed to access the esoc device to control the mdm
allow vendor_mdm_helper vendor_esoc_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_esoc_device:chr_file rw_file_perms;
#Needed in order to run kickstart
allow vendor_mdm_helper vendor_shell_exec:file rx_file_perms;
allow vendor_mdm_helper vendor_mdm_helper_exec :file x_file_perms;
#Rampdump config
#
# User variant
# Probe for write access to vendor tombstones as the
# presense of tombstones on subsystem does not correlate
# to Android user/userdebug config
allow vendor_mdm_helper vendor_tombstone_data_file:dir r_dir_perms;
dontaudit vendor_mdm_helper vendor_tombstone_data_file:dir write;
# Userdebug/eng variant
userdebug_or_eng(`
allow vendor_mdm_helper vendor_tombstone_data_file:dir create_dir_perms;
allow vendor_mdm_helper vendor_tombstone_data_file:file create_file_perms;
')
#Ramdump config END
#Needed to kill its own forked process on efs sync
allow vendor_mdm_helper self:capability kill;
#Needed by ks in order to access the efs sync partitions.
allow vendor_mdm_helper block_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_efs_boot_dev:blk_file rw_file_perms;
#Needed in order to access the firmware partition
r_dir_file(vendor_mdm_helper, firmware_file)
#Needed to allow boot over PCIe
allow vendor_mdm_helper vendor_mhi_device:chr_file rw_file_perms;

39
generic/vendor/common/mediacodec.te vendored
View File

@@ -1,39 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow mediacodec system_file:dir r_dir_perms;
userdebug_or_eng(`
allow mediacodec dumpstate:fd use;
')
#Allow mediacodec to access vendor_media_data_file files
allow mediacodec vendor_media_data_file:dir create_dir_perms;
allow mediacodec vendor_media_data_file:file create_file_perms;
#Allow mediacodec to access configstore
hal_client_domain(mediacodec, vendor_hal_capabilityconfigstore_qti)
#allow mediacodec to read adsprpc_prop
get_prop(mediacodec, vendor_adsprpc_prop)

40
generic/vendor/common/msm_irqbalanced.te vendored
View File

@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_msm_irqbalanced, domain;
type vendor_msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_msm_irqbalanced)
allow vendor_msm_irqbalanced cgroup:dir { create add_name };
allow vendor_msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
# access smp_affinity
allow vendor_msm_irqbalanced proc:file r_file_perms;
allow vendor_msm_irqbalanced proc_interrupts:file r_file_perms;
allow vendor_msm_irqbalanced proc_stat:file r_file_perms;
# irq_blacklist_on
allow vendor_msm_irqbalanced vendor_sysfs_irqbalance:file r_file_perms;

28
generic/vendor/common/mtp.te vendored
View File

@@ -1,28 +0,0 @@
#Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
#* Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#* Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#* Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow mtp self:pppox_socket create_socket_perms_no_ioctl;

28
generic/vendor/common/netd.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
dontaudit netd kernel:system module_request;
dontaudit netd self:capability sys_module;

88
generic/vendor/common/netmgrd.te vendored
View File

@@ -1,88 +0,0 @@
# Copyright (c) 2018, 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_netmgrd, domain;
type vendor_netmgrd_exec, exec_type, vendor_file_type, file_type;
net_domain(vendor_netmgrd)
init_daemon_domain(vendor_netmgrd)
allow vendor_netmgrd vendor_netmgrd_socket:dir w_dir_perms;
allow vendor_netmgrd vendor_netmgrd_socket:sock_file create_file_perms;
allow vendor_netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
allow vendor_netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:netlink_route_socket nlmsg_write;
allow vendor_netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:socket create_socket_perms;
allowxperm vendor_netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm vendor_netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow vendor_netmgrd self:tipc_socket { create_socket_perms_no_ioctl };
#Allow connections to qmipriod
unix_socket_connect(vendor_netmgrd, vendor_netmgrd, vendor_qmipriod);
allow vendor_netmgrd sysfs_net:dir r_dir_perms;
allow vendor_netmgrd sysfs_net:file rw_file_perms;
allow vendor_netmgrd vendor_sysfs_data:file r_file_perms;
wakelock_use(vendor_netmgrd)
#Allow netutils usage
domain_auto_trans(vendor_netmgrd, netutils_wrapper_exec, netutils_wrapper)
use_netutils(vendor_netmgrd)
#Allow diag logging
allow vendor_netmgrd vendor_sysfs_timestamp_switch:file { read open };
userdebug_or_eng(`
r_dir_file(vendor_netmgrd, vendor_sysfs_diag)
allow vendor_netmgrd vendor_debugfs_ipc:dir search;
')
#Ignore if device loading for private IOCTL failed
dontaudit vendor_netmgrd kernel:system { module_request };
allow vendor_netmgrd proc_net:file rw_file_perms;
allow vendor_netmgrd vendor_netmgr_data_file:dir rw_dir_perms;
allow vendor_netmgrd vendor_netmgr_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:dir rw_dir_perms;
get_prop(vendor_netmgrd, hwservicemanager_prop)
hwbinder_use(vendor_netmgrd)
binder_call(vendor_netmgrd, netd)
allow vendor_netmgrd system_net_netd_hwservice:hwservice_manager find;
# Allow netmgrd to use shsusrd properties
set_prop(vendor_netmgrd, vendor_data_shsusr_prop)
set_prop(vendor_netmgrd, vendor_data_qmipriod_prop)
allow vendor_netmgrd self:capability { net_admin net_raw setgid setpcap setuid kill };
allow vendor_netmgrd vendor_toolbox_exec:file rx_file_perms;
dontaudit vendor_netmgrd kernel:system module_request;
dontaudit vendor_netmgrd self:system module_request;

28
generic/vendor/common/netutils_wrapper.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
dontaudit netutils_wrapper self:capability sys_module;
dontaudit netutils_wrapper system_file:dir write;

41
generic/vendor/common/pd_services.te vendored
View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_pd_mapper, domain;
type vendor_pd_mapper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_pd_mapper);
allow vendor_pd_mapper self:capability { setgid setpcap setuid net_bind_service };
allow vendor_pd_mapper firmware_file:dir r_dir_perms;
allow vendor_pd_mapper firmware_file:file r_file_perms;
allow vendor_pd_mapper self:socket create_socket_perms;
allowxperm vendor_pd_mapper self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
allow vendor_pd_mapper vendor_sysfs_data:file r_file_perms;
get_prop(vendor_pd_mapper, vendor_pd_locater_dbg_prop)

58
generic/vendor/common/peripheral_manager.te vendored
View File

@@ -1,58 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Policy for pm-service and pm-proxy
type vendor_per_mgr, domain;
type vendor_per_mgr_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_per_mgr);
add_service(vendor_per_mgr, vendor_per_mgr_service)
vndbinder_use(vendor_per_mgr)
binder_call(vendor_per_mgr, hal_gnss)
binder_call(vendor_per_mgr, vendor_per_proxy)
binder_call(vendor_per_mgr, vendor_wcnss_service)
binder_call(vendor_per_mgr, rild)
allow vendor_per_mgr self:capability net_bind_service;
allow vendor_per_mgr firmware_file:file r_file_perms;
allow vendor_per_mgr firmware_file:dir search;
allow vendor_per_mgr self:socket create_socket_perms;
allowxperm vendor_per_mgr self:socket ioctl msm_sock_ipc_ioctls;
allow vendor_per_mgr vendor_ssr_device:chr_file { open read };
# Needed by libmdmdetect to get subsystem info and to check their states
allow vendor_per_mgr vendor_sysfs_data:file r_file_perms;
# Set the peripheral state property
set_prop(vendor_per_mgr, vendor_per_mgr_state_prop);
userdebug_or_eng(`
allow vendor_per_mgr vendor_debugfs_ipc:dir search;
')

28
generic/vendor/common/platform_app.te vendored
View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#allow embms app to access vendor radio property
get_prop(radio, vendor_radio_prop)

54
generic/vendor/common/port-bridge.te vendored
View File

@@ -1,54 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_port-bridge, domain;
type vendor_port-bridge_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_port-bridge)
userdebug_or_eng(`
domain_auto_trans(shell, vendor_port-bridge_exec, vendor_netmgrd)
#domain_auto_trans(adbd, vendor_port-bridge_exec, netmgrd)
diag_use(vendor_port-bridge)
')
# Allow operations on different types of sockets
allow vendor_port-bridge vendor_port-bridge:netlink_kobject_uevent_socket { create bind read };
allow vendor_port-bridge {
# Allow operations on mhi transport
vendor_mhi_device
# Allow operations on ATCoP g-link transport
vendor_at_device
}:chr_file rw_file_perms;
#access ipa sysfs node
allow vendor_port-bridge vendor_sysfs_data:file r_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:file create_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:sock_file create_file_perms;

38
generic/vendor/common/power_off_alarm.te vendored
View File

@@ -1,38 +0,0 @@
# Copyright (c) 2017-2019 Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_power_off_alarm, domain;
type vendor_power_off_alarm_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_power_off_alarm)
allow vendor_power_off_alarm rtc_device:chr_file r_file_perms;
allow vendor_power_off_alarm kmsg_device:chr_file w_file_perms;
allow vendor_power_off_alarm self:capability2 wake_alarm;
set_prop(vendor_power_off_alarm, powerctl_prop)

51
generic/vendor/common/poweroffalarm_app.te vendored
View File

@@ -1,51 +0,0 @@
# Copyright (c) 2017-2019 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_poweroffalarm_app, domain;
app_domain(vendor_poweroffalarm_app);
allow vendor_poweroffalarm_app app_api_service:service_manager find;
allow vendor_poweroffalarm_app mnt_vendor_file:dir r_dir_perms;
allow vendor_poweroffalarm_app vendor_persist_alarm_file:dir rw_dir_perms;
allow vendor_poweroffalarm_app vendor_persist_alarm_file:file create_file_perms;
hal_client_domain(vendor_poweroffalarm_app, vendor_hal_alarm_qti);
hal_client_domain(vendor_poweroffalarm_app, vendor_hal_perf);
binder_call(vendor_poweroffalarm_app, vendor_hal_alarm_qti_default);
allow vendor_poweroffalarm_app system_app_data_file:dir create_dir_perms;
allow vendor_poweroffalarm_app system_app_data_file:{ file lnk_file } create_file_perms;
allow vendor_poweroffalarm_app surfaceflinger_service:service_manager find;
allow vendor_poweroffalarm_app audioserver_service:service_manager find;
allow vendor_poweroffalarm_app mediaserver_service:service_manager find;
get_prop(vendor_poweroffalarm_app, vendor_alarm_boot_prop);
#get_prop(vendor_poweroffalarm_app, vendor_iop_prop)

32
generic/vendor/common/ppp.te vendored
View File

@@ -1,32 +0,0 @@
#Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
#* Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#* Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#* Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# allow VPN connection via L2TP
allow ppp mtp:pppox_socket rw_socket_perms;
# ioctls needed for VPN
allowxperm ppp mtp:pppox_socket ioctl ppp_ioctls;

32
generic/vendor/common/priv_app.te vendored
View File

@@ -1,32 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
hal_client_domain(priv_app, vendor_hal_perf)
# TODO(b/123050471): this grants renderscript exec permissions to the
# priv_app domain
allow priv_app rs_exec:file rx_file_perms;

Some files were not shown because too many files have changed in this diff Show More