Compare commits

144 Commits

Author SHA1 Message Date
Shashi Shekar Shankar
cd13410b31 sepolicy : msm8998: remove regexp for ssr node on sysfs
Remove regexp & add target specific genfs_context

CRs-Fixed: 2166567

Change-Id: Ib950ca0d72bc7e5647410e1876a8ce9095ca9aba
2022-02-14 14:39:10 +00:00
Bruno Martins
1cbf7e5334 sepolicy: Allow mm-qcamerad to access v4L "name" node
Change-Id: I42b329d782795feed776b09d5c12d89be9bac868
2022-02-14 14:39:10 +00:00
Bruno Martins
e0cb153e45 sepolicy: Fix video4linux "name" node labeling
Do u even regex, br0?

Change-Id: If907448d394f967268c9f72051bec5a47220087b
2022-02-14 14:39:10 +00:00
Michael Bestas
ffa464face msm8998: Label LED sysfs
* Similar to sdm660

Change-Id: I691e0f7a7ea3fcf753a353cbe2171cc167bac3bf
2022-02-14 11:54:47 +00:00
Michael Bestas
871b775610 msm8998: Label usbpd sysfs
* Similar to sdm660

Change-Id: I069843bc98b742afe61b1b845a9874be0ee5f61f
2022-02-14 11:54:47 +00:00
Michael Bestas
fe092c2c7c Merge tag 'LA.UM.10.2.1.r1-03200-sdm660.0' of https://source.codeaurora.org/quic/la/device/qcom/sepolicy into lineage-19.0-legacy-um
"LA.UM.10.2.1.r1-03200-sdm660.0"

* tag 'LA.UM.10.2.1.r1-03200-sdm660.0' of https://source.codeaurora.org/quic/la/device/qcom/sepolicy:
  sepolicy: Add create socket file permission for wcnss_service
  sepolicy: Modified qcc files from qva to generic
  sepolicy: Address multiple avc denials during bootup
  sepolicy: Add device specific wakeup nodes
  Sepolicy : Fixes for multiple avc denial for sdm660
  Sepolicy : Fixes for Multiple denials
  sepolicy: adding getattr perm for init
  sepolicy: Add find permission to systemhelper_app.te
  sepolicy: support qmi based embms msdc on legacy targets
  Sepolicy: Fix avc denial seen during boot up.
  sepolicy: Allow access for /dev/qseecom from vendor_init
  sepolicy: Add read dir permission to hal_bootctl.te

Change-Id: I9a5f5dcbc2bbcc54fea00eaff0cccf52623dcf71
2022-01-31 18:04:33 +02:00
Michael Bestas
ccc0410648 sepolicy: Switch to SYSTEM_EXT_{PUBLIC,PRIVATE}_SEPOLICY_DIRS
Fixes:
warning: BOARD_PLAT_PRIVATE_SEPOLICY_DIR has been deprecated.
    Use SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS instead.
warning: BOARD_PLAT_PUBLIC_SEPOLICY_DIR has been deprecated.
    Use SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS instead.
Change-Id: I752602079de8ff4c5370fe3ec861b8746838d878
(cherry picked from commit 0212863d2b1b58189e1c88bb86e5479121bd8e4d)
2022-01-08 10:55:58 +05:30
Michael Bestas
f4fd88acd3 Import msm8996 policy from lineage-18.1-legacy-um
Imported as of 5205565e57

Change-Id: I94a6261260a3cb49da8fa7be910edac19efebb3a
2022-01-04 18:49:23 +01:00
Bharat Pawar
ccd2504ebd sepolicy: Add create socket file permission for wcnss_service
cnss_cli uses a unix socket to communicate with cnss-daemon.
cnss-daemon needs to create the unix socket server file at init.

Change-Id: Ibbe1eb1f418da17c0155a0663f6a94d8777ef80f
2022-01-03 16:57:59 +05:30
Jarl-Penguin
c6deff09b9 fixup! qcom: Label vendor files with (vendor|system/vendor) instead of vendor
Signed-off-by: Jarl-Penguin <jarlpenguin@outlook.com>
Change-Id: I11d45dac1860ebaa6dc6bfbe1bc13d4c3852e7be
2022-01-02 00:46:13 +03:00
Linux Build Service Account
1ce68a4aed Merge e1dd1dfb1a on remote branch
Change-Id: I7869a6c59ce25d346ab93f24ae65e4e57948c2e0
2021-12-22 04:00:04 -08:00
Himanshu Agrawal
e1dd1dfb1a sepolicy: Modified qcc files from qva to generic
Change-Id: I637d4db79ee85cdf6e26d5cc6b446755f1be80d2
2021-12-17 11:53:21 +05:30
Himanshu Agrawal
3970a6c9e5 sepolicy: Address multiple avc denials during bootup
Change-Id: I9eb5510799b33ab17f56d0e1f1440f38b87fa2c3
2021-12-09 15:16:04 +05:30
Rashed Abdel-Tawab
4526fe2d17 qcom: Label vendor files with (vendor|system/vendor) instead of vendor
Not all devices have a vendor partition so these labels blatantly get
ignored without labelling system/vendor on those devices.

Change-Id: I244d667f6b3ddcf7eac71719a981dc25dc401873
2021-12-09 10:00:30 +05:30
Michael Bestas
eb35ac54a3 sepolicy: Label persist partition for all SoCs
Change-Id: I8db3acb9a1b958ec59c7f14c6ee16ea466548cc7
2021-12-09 10:00:29 +05:30
dianlujitao
f955c0177e sepolicy: Unlabel aux camera whitelist prop
* This will be properly labeled in device/lineage/sepolicy
   to make it readable to everything on every device

Change-Id: Idec6cad06c51ba73519f61e95c74e1c8915d301b
2021-12-09 10:00:28 +05:30
Michael Bestas
a4bc717d4e sepolicy: Remove rules for non legacy platforms
* All these platforms are not legacy and shall inherit from the proper
   branch (lineage-19.0)

Change-Id: I475ae930ac5b682b613a9b17dece7fa4a160a6ba
2021-12-09 10:00:27 +05:30
Pig
a6a27dc4af sepolicy: Include Lineage-specific QCOM sepolicy
Change-Id: Ibf70e4c8ab9d91b50c62c3e9f1263e1624e8ca00
2021-12-09 10:00:26 +05:30
Volodymyr Zhdanov
8b2313e9ae legacy: Fix newline in file_contexts
Change-Id: Ia1543799d5cf858053dd127c1e9ea9559236bd9e
2021-12-09 10:00:25 +05:30
Michael Bestas
9f2aeeff82 sepolicy: Update paths for new repository location
Change-Id: Ibdaed7b3ff6463c682c65091ffbc82c36bfff348
2021-12-09 10:00:24 +05:30
Pig
b7527aad30 sepolicy: Remove QCOM guards
Change-Id: I0efd0b96f45ecfa9eec0b98087f0582dcd282798
2021-12-09 10:00:23 +05:30
Himanshu Agrawal
48290d633b sepolicy: Add device specific wakeup nodes
Change-Id: I1f39b7e7d13920969f2573e157b217c05adf50fa
2021-12-06 01:15:58 -08:00
Neelu Maheshwari
cd83ea175c Sepolicy : Fixes for multiple avc denial for sdm660
Change-Id: If0df4244e417775503e524a8cd5a2212dde0748e
2021-12-01 16:03:44 +05:30
Bharat Pawar
8e4f3f73e8 Merge commit 'f5b11b78873f9020b7b5073db4bab492c06ea0a2' into HEAD
Change-Id: I74aa29107039188b14f7585d031483a9e4ef91db
2021-11-26 12:51:12 +05:30
Neelu Maheshwari
3a39145fbd Sepolicy : Fixes for Multiple denials
Change-Id: I51e915e0a41a1d24947f79a7d0128a934f02dcfa
2021-11-17 03:39:10 -08:00
Linux Build Service Account
f5b11b7887 Merge "Sepolicy: Fix avc denial seen during boot up." into sepolicy.lnx.12.0.c2 2021-10-29 10:57:01 -07:00
Linux Build Service Account
9246e22f7a Merge "sepolicy: adding getattr perm for init" into sepolicy.lnx.12.0.c2 2021-10-29 10:56:01 -07:00
Sundhara Raja Usiripati
7353e15e06 sepolicy: adding getattr perm for init
Change-Id: I4b7295066031aa838139dda203fec019a11386dd
2021-10-28 07:52:55 -07:00
Neelu Maheshwari
27d9d234b4 sepolicy: Add find permission to systemhelper_app.te
Change-Id: Ia2a650d5d77dd70b7e6044bfe914f6494c4ed06a
2021-10-28 07:52:03 -07:00
Amritendu Biswas
183f2de411 sepolicy: support qmi based embms msdc on legacy targets
Change-Id: I0cac6d60d636ce546f91764703faca468c0ce85f
2021-10-28 13:52:17 +05:30
Himanshu Agrawal
a3b4f4e984 Sepolicy: Fix avc denial seen during boot up.
avc: denied { search } for name="location" dev="dm-8" ino=514
scontext=u:r:tlocd:s0 tcontext=u:object_r:location_data_file:s0
tclass=dir permissive=0

avc: denied { write } for name="kmsg" dev="tmpfs" ino=1559
scontext=u:r:wcnss_service:s0 tcontext=u:object_r:kmsg_device:s0
tclass=chr_file permissive=0

- Added these policies as part of reducing avc denials in boot up

Change-Id: I68868f5c3084bd10d8e74dd0623160a849dab5b9
2021-10-28 11:12:46 +05:30
Amritendu Biswas
1d3d799a98 sepolicy: support qmi based embms msdc on legacy targets
Change-Id: I0cac6d60d636ce546f91764703faca468c0ce85f
2021-10-27 05:13:38 -07:00
Linux Build Service Account
a7cd38e552 Merge "sepolicy: Add read dir permission to hal_bootctl.te" into sepolicy.lnx.6.0.r19-rel 2021-10-21 22:33:24 -07:00
Sundhara Raja Usiripati
b5ffca926b sepolicy: Add read dir permission to hal_bootctl.te
hal_bootctl needs read permission to sysfs_dt_firmware_android

Change-Id: I6e89b2db756d7070bc4b815cf15a6a4f241d137b
2021-10-21 09:26:07 -07:00
Himanshu Agrawal
2541672377 sepolicy: Allow access for /dev/qseecom from vendor_init
avc: denied { getattr } for path="/dev/qseecom" dev="tmpfs" ino=25714
scontext=u:r:vendor_init:s0 tcontext=u:object_r:tee_device:s0
tclass=chr_file permissive=0

Change-Id: Ia55d4e07c4596ab9d2f78cba91b22d84bf35dc5d
2021-10-21 09:21:01 -07:00
Linux Build Service Account
064c4b07f1 Merge "sepolicy: Add read dir permission to hal_bootctl.te" into sepolicy.lnx.12.0.c2 2021-10-21 01:29:51 -07:00
Himanshu Agrawal
bd0d1c24e4 sepolicy: Allow access for /dev/qseecom from vendor_init
avc: denied { getattr } for path="/dev/qseecom" dev="tmpfs" ino=25714
scontext=u:r:vendor_init:s0 tcontext=u:object_r:tee_device:s0
tclass=chr_file permissive=0

Change-Id: Ia55d4e07c4596ab9d2f78cba91b22d84bf35dc5d
2021-10-12 22:08:32 +05:30
Bharat Pawar
5e7da35857 Merge commit '438292158d28d0bde335ba9b2c9aa7ab6d3d8cf0' into HEAD
Change-Id: I3213fd07a382cf9d006eef8f34dd12c6b5f0f3fe
2021-10-01 22:16:47 +05:30
Bharat Pawar
48156903a4 Revert "sepolicy: Fix compilation issue"
This reverts commit 35b7f89f2b.

Change-Id: I789a827b405241d290cfd061df87d5d7fcf31442
2021-10-01 22:16:16 +05:30
Sundhara Raja Usiripati
da451f1c9f sepolicy: Add read dir permission to hal_bootctl.te
hal_bootctl needs read permission to sysfs_dt_firmware_android

Change-Id: I6e89b2db756d7070bc4b815cf15a6a4f241d137b
2021-09-27 15:27:52 +05:30
Linux Build Service Account
438292158d Merge "sepolicy: Add drm clearkey policies" into sepolicy.lnx.12.0.c2 2021-09-21 02:18:49 -07:00
Bharat Pawar
f6f772dfb9 sepolicy: Add drm clearkey policies
Add selinux rules for drm clearkey services. Refine and extend drm
widevine service rules for future updates.

Change-Id: I1f73fd97ba083085be898f39d96ce2e61e99ca7b
2021-09-21 00:22:22 -07:00
Linux Build Service Account
fbbbf01dbf Merge "sepolicy: get radio_control_prop multisim property" into sepolicy.lnx.12.0.c2 2021-09-13 04:06:02 -07:00
Bharat Pawar
0c919f535a sepolicy: Add drm clearkey policies
Add selinux rules for drm clearkey services. Refine and extend drm
widevine service rules for future updates.

Change-Id: I1f73fd97ba083085be898f39d96ce2e61e99ca7b
2021-09-09 16:42:26 +05:30
Himanshu Agrawal
dd9c8c1825 sepolicy: making system/product and vendor restricted/internal prop
making system/product and vendor to restricted and public
prop for all the extended core prop and property type defined in public

Change-Id: Icbfe02ecb49a70619d6aa03a45975b2db186f559
2021-09-02 08:03:33 -07:00
Himanshu Agrawal
baa098a5bd sepolicy: Fix compilation issues
Change-Id: I60fc0aec2f6d4e3330210d52529fba20eb403d92
2021-08-13 12:35:04 +05:30
Linux Build Service Account
e601b28326 Merge "sepolicy: get radio_control_prop multisim property" into sepolicy.lnx.6.0.r19-rel 2021-08-10 23:34:40 -07:00
Sridhar Kasukurthi
9d1a538365 sepolicy: get radio_control_prop multisim property
- Allow reading of persist.radio.multisim.config
  property
- Add qtiphone and telephonyservice policy to
  legacy folder

Change-Id: I6ecd57d18cb97760d8133e239940b1e2ad69e55c
2021-08-10 05:13:53 -07:00
Himanshu Agrawal
7671ef762c sepolicy: making system/product and vendor restricted/internal prop
making system/product and vendor to restricted and public
prop for all the extended core prop and property type defined in public

Change-Id: Icbfe02ecb49a70619d6aa03a45975b2db186f559
2021-08-10 05:01:54 -07:00
Sridhar Kasukurthi
76f88bb757 sepolicy: get radio_control_prop multisim property
- Allow reading of persist.radio.multisim.config
  property
- Add qtiphone and telephonyservice policy to
  legacy folder

Change-Id: I6ecd57d18cb97760d8133e239940b1e2ad69e55c
2021-08-10 02:04:24 -07:00
Linux Build Service Account
8c7ce50ac1 Merge 6123a9d0e8 on remote branch
Change-Id: Ib85cc04ae2a9affa1c16ac8592e3db679e94af33
2021-07-08 12:50:02 -07:00
Bharat Pawar
35b7f89f2b sepolicy: Fix compilation issue
Change-Id: I17fec6d00a4eea33bed1f669668e14d589b3d40f
2021-06-07 18:24:46 +05:30
Himanshu Agrawal
6123a9d0e8 sepolicy: Add cpu4-ddr-latfloor devfreq node for K4.19
cpu4-ddr-latfloor devfreq node for K4.19

Change-Id: I1b8462b45de419d79819288bab62f3d56cb84533
2021-06-03 18:21:17 +05:30
Monika Singh
2a00ecb00b sepolicy: Update qseecomd sepolicy to access tmpfs
Update policies for qseecomd so that it can access
SFS.

Change-Id: I9bfe8c242de441a4a4171af93481bf00eda7d8f7
2021-05-25 03:09:23 -07:00
Himanshu Agrawal
a473048fb3 sepolicy: Addressing post-boot denials
Change-Id: I5282c1acf9f096c6363c77afc0443b06f00a6c37
2021-05-17 17:12:16 +05:30
Himanshu Agrawal
d7eb0cc6b6 sepolicy: Fix /sys/devices/soc0 read permission issue
Change-Id: I189fea846191f6407d6c6b9fb767595466b7dc06
2021-05-05 22:14:35 -07:00
qctecmdr
d418e08af1 Merge "sensors : Updating property name" 2021-05-03 09:18:08 -07:00
Eruvaram Kumar Raja Reddy
f575fdf52f sepolicy: msm8937: Add sysnode for imsdatadaemon
Add a change to fix avc denial for the imsdatadaemon

Change-Id: I0f2eacf7ee08660b5dd8d39b0ed3a096a3813b38
2021-04-30 08:20:43 -07:00
Akhil Manikoth Kallankandy
2906bf533d sensors : Updating property name
changing property name according to VtsTrebleSysPropTest

Change-Id: I95bae88a4126606c4d5eef992d863e483766212f
2021-04-30 05:45:21 -07:00
qctecmdr
98d6c29eae Merge "sepolicy: msm8937: Add label for wakeup sources" 2021-04-26 04:53:35 -07:00
Himanshu Agrawal
53203d8bfb sepolicy: Add sepolicy rules for vm_bms
create vendor_vm_bms_debug_prop for debug properties.

Change-Id: I6ac3986af96bb50288e404c377613c6b0d4dc998
2021-04-22 22:53:53 -07:00
Eruvaram Kumar Raja Reddy
892ac25bce sepolicy: msm8937: Add label for wakeup sources
Add a change to fix the avc denials for the wakeup source
used for different nodes.

Change-Id: I3f51e966e33fdabdae8cb43bc425ee42d8b3356d
2021-04-22 02:42:45 -07:00
qctecmdr
6ed2f466d1 Merge "sepolicy: Addressing multiple on-boot denials present" 2021-04-21 23:48:23 -07:00
Himanshu Agrawal
c5495488d8 sepolicy: Addressing multiple on-boot denials present
Multiple on boot denials have been addressed for
improving device performance.

Change-Id: If0db0c0bd334da91c879d9170d03171c2bf4a91d
2021-04-20 15:50:51 +05:30
Himanshu Agrawal
efc87f7815 sepolicy: sdm439: Add cpu-ddr-latfloor devfreq node for K4.19
Add cpu-ddr-latfloor devfreq node for sdm439 target

Change-Id: Id0d84edc1d6474a09ef5c90f9ea5c4f59537728e
2021-04-19 11:09:26 +05:30
Himanshu Agrawal
38419ce515 sepolicy: Add cpu-ddr-latfloor devfreq node for K4.19
cpu-ddr-latfloor devfreq node for K4.19

Change-Id: I55e72f915d8de62d47adda386ffabe8421e5c502
2021-04-14 17:27:31 +05:30
Prerna Kalla
debf881517 sepolicy: Add label for KM 4.1 service
Add label for KM 4.1 service.

Change-Id: Iab41f356da6562c9c0b9ed942f20442cfc6ec8f2
2021-04-02 03:55:53 -07:00
qctecmdr
bfca115857 Merge "sepolicy: cpu-ddr devfreq nodes for K4.19" 2021-04-01 03:51:10 -07:00
Karthik Gopalan
3bfa6d9474 sepolicy: cpu-ddr devfreq nodes for K4.19
cpu-ddr devfreq nodes for K4.19

Change-Id: I2e270c2e89b19b6eda9a020ff6d35cd7f0d04d84
2021-04-01 02:38:57 -07:00
qctecmdr
e8d0a199a9 Merge "sensros : changing property name" 2021-04-01 01:48:49 -07:00
Akhil Manikoth Kallankandy
7849fcf55f sensros : changing property name
Change-Id: I17e71ca56e9fa050221972c846a9f99db8761283
2021-03-31 14:24:32 +05:30
Himanshu Agrawal
bdbe69b3b8 sepolicy: msm8937: Add label for wakeup sources
Add a change to fix the avc denials for the wakeup source
used for different nodes.

Change-Id: I9309363b04aac163364809083edf359dcab2ab0c
2021-03-30 03:26:17 -07:00
Himanshu Agrawal
58dfef56b4 sepolicy: msm8937: Add selinux rules for update engine
Change-Id: I8ba1ca16083613445b7642f83fdccc73a252f658
2021-03-23 14:20:43 +05:30
Himanshu Agrawal
d7706eea69 sepolicy: Create subsys nodes for QM215GO on kernel 4.19
Add subsystem handling mapping for mss and venus firmware
for QM215GO on kernel 4.19.

Change-Id: I26799baf24a58c6f80d60560e232f9e8709b1cc6
2021-03-11 09:51:59 -08:00
Akhil Manikoth Kallankandy
025be09c29 sensor:adding label for new property
adding label for property used to enable qrtr-ns service

Change-Id: I5634c0c85a0dae9d13151d99f984e22987705636
2021-03-09 20:26:02 +05:30
Rajshekar Eashwarappa
39c3a61ec2 sepolicy: Adding vbmeta and dtbo dev/block path
Change required for A/B, DAP build.

Change-Id: I43d91e029935f347ebd9cc00fd129dbc810c94a7
2021-02-22 01:00:54 -08:00
qctecmdr
e373d6be26 Merge "sepolicy : add new qsta_app.te file for QSTA app" 2021-02-10 23:49:55 -08:00
Akhil Manikoth Kallankandy
86ab7112b8 sepolicy : add new qsta_app.te file for QSTA app
Change-Id: I7c1086ef983a2a74415a5291b39dfc0305bcc601
2021-02-11 10:40:40 +05:30
Shivam Agrawal
3b8db900e7 sepolicy: Revert WFD specific Upmerge changes
Change-Id: I23ac8a7511f2c1c8133bdba8e1155177a51e0bc1
2021-01-25 08:39:36 -08:00
qctecmdr
34ef27f337 Merge "sepolicy: msm8998: Add sepolicy labels for charger/fg nodes" 2021-01-06 22:31:07 -08:00
Guixiong Wei
b69efc2215 sepolicy: Remove poweroffalarm system uid and redundant rules
remove poweroffalarm system uid and redundant rules

Change-Id: If51e9ae948b68f1187c66d748935fd1014e72e11
2020-12-15 18:39:22 -08:00
Gurram Pravalika
ffb6c9041c sepolicy: Add policies for for video in HAL1
Change-Id: I954b96582719e3e7145fd0ab1afd0425494c3ba7
2020-12-14 22:57:44 -08:00
qctecmdr
6cfdc77609 Merge "sepolicy : Upmerge changes." 2020-12-14 00:14:39 -08:00
Nitin Shivpure
d5327a1a9d sepolicy: allow bluetooth to make binder call to gpuservice
allow bluetooth to make binder call to gpuservice.

CRs-fixed: 2748533
Change-Id: Idff3f3c0377fc5dae3e715417556c696f7e4620e
2020-12-14 10:33:49 +05:30
Himanshu Agrawal
0240ff9832 sepolicy : Upmerge changes.
Change-Id: I90fb0d6eb70bd5e0e790f8bae7b6cd0501442338
2020-12-11 06:07:39 -08:00
Shayak Biswas
1442222426 Allow dumpstate for a binder call with power Hal
This allows dumpstate to have a binder call with power
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: I646fdce79776083df74df48134e85c65dbee69dc
2020-12-11 09:56:09 +05:30
Himanshu Agrawal
7fdf0be393 sepolicy: msm8998: Add sepolicy labels for charger/fg nodes
Add sepolicy labels for charger/fg nodes,
to allow access permissions to userspace.

Change-Id: I74a193a6dd3be6ecceb5939ca814661029d8105b
2020-12-10 18:31:36 +05:30
Kripa Bhat
5d40fe89f3 Allow dumpstate to have a binder call with Lights Hal
This allows dumpstate to have a binder call with Lights
Hal, this is needed for a CTS testcase:
SELinuxHostTest#testNoBugreportDenials

Change-Id: Iec081b1069b2569c68b72ff009f12018c946a0a8
2020-12-08 22:51:16 -08:00
Manjunatha Ramachandra
06bbb12f3f sepolicy: updating label on read_ahead_kb nodes
Removing read_ahead_kb nodes from sysfs_mmc_host
node. And adding sysfs_dm to perf hal and
init_shell files' allow list.
This change is being made in order to address
the bugnizer 161927268 for legacy msm8937_32go platforms.

CRs-Fixed: 2826612
Change-Id: I190b9891eaf52fc4eb7d4fd73567572101ee288e
2020-12-02 23:27:09 -08:00
Himanshu Agrawal
7cde36f779 Add sepolices to update engine domain.
While applying OTA update package, update engine
    loops through partitions entries/mountpoints.
    Add few policies and suppress the dac ones.

- Allow update_engine to access recovery partition for OTA
- Allow update engine to access to metadata_file.
    With virtual-ab feature, update engine needs access
    to metadata_file, allow the same.

Change-Id: I07636f79870594a07755c54e55b5b6846e53c2e9
2020-12-01 06:08:31 -08:00
Eruvaram Kumar Raja Reddy
f997082943 sepolicy: adding vendor prefix to avoid naming colision
Update legacy properties with vendor prefix to avoid VTS failure
due to API30 changes

CRs-Fixed: 2825382

Change-Id: I39a5de4ad6450d805bf74e88aabc38c8347d89a4
2020-11-30 17:01:29 +05:30
Himanshu Agrawal
9871e2edb6 Allow vendor_init to set ubwc property
vendor.video.disable.ubwc is added to /vendor/build.prop,
allowing vendor_init to set this property to ensure the
property can be read by mm-video and through getprop

Change-Id: I99f658ea60cb83d4ebea6709db27e93166ad0667
2020-11-27 11:51:38 +05:30
Milap Gajjar
2ef09c6613 genfs_context: Enabling Vibrator for msm8998
Sepolicy: Added Access permission for vibrator

Change-Id: I38017a3641c84aa570d53c1e339082bc781c5187
CRs-Fixed: 2810219
2020-11-24 20:36:33 -08:00
qctecmdr
aa7d66b220 Merge "genfs_context: Enabling Vibrator for sdm660" 2020-11-24 03:02:24 -08:00
Jeya R
29b1061aaa sepolicy: Add permissions in init for vendor_adsprpc_prop
Add permissions in init shell to modify vendor_adsprpc_prop.
Change-Id: I5a4dcbf54686c3add9fa0756aff7bb694d96adcb
Acked-by: Deepika Singh <dsi@qti.qualcomm.com>
2020-11-18 15:22:36 +05:30
Mandeep Singh
3de9ff4499 genfs_context: Enabling Vibrator for sdm660
Sepolicy: Added Access permission for vibrator

Change-Id: I7152a77d676c8b97bd5da1f5c86446f42ac65c97
CRs-Fixed: 2810635
2020-11-03 09:37:37 +05:30
Shawn Shin
ce33f422e7 sepolicy:qcc add to legacy
Change-Id: I7031cd4070c478f1fccfe8e0b1e7053d6c57c36e
2020-10-30 16:10:52 -07:00
qctecmdr
758b6d2b99 Merge "sepolicy: align fst-manager and wigig legacy rules" 2020-10-29 23:51:22 -07:00
qctecmdr
887dc95b06 Merge "sepolicy: allow block_suspend deniel for lmkd" 2020-10-28 00:12:18 -07:00
Dedy Lansky
046ff067d0 sepolicy: align fst-manager and wigig legacy rules
Add legacy rules for enabling fst-manager to act
as a HAL service, and allow fst-manager and wigig
framework to access the capability config store.
These rules were missing in the legacy folder and
copied from the qva rules since there are still
platforms that need them.

Change-Id: I7a08bec9f3f84599a6392e8a5bd22c26e28e00a3
2020-10-27 22:53:42 -07:00
Himanshu Agrawal
21fbe23415 sepolicy: allow block_suspend deniel for lmkd
Avoid below denial for lmkd:
avc: denied{ block_suspend }for comm="lmkd" capability=36
scontext=u:r:lmkd:s0 tcontext=u:r:lmkd:s0 tclass=capability2
permissive=0.

Change-Id: I332281110d4fa1fa208349a302fdc33a3a40d8ef
2020-10-27 22:31:24 -07:00
Arvind Kumar
7af4487b0c Add file context for Light AIDL HAL Service
Change-Id: I1e5a79a5846910f90362d97899e5fc0d7dbfadbb
2020-10-27 00:54:23 -07:00
Ankur Sharma
ae9d933056 Sepolicy denials xtra for legacy R targets
- Fix sepolicy denial when xtra-daemon access the cacert
service.
- Allow location clientdomain to perform binder IPC to
qtidataservices_app serverdomain.

Change-Id: I0aae254fb4b4a67336d67f96856a2cf0d70954fc
CRs-Fixed: 2778560
2020-10-21 07:34:12 -07:00
c_gopir
7dff049400 Sepolicy : Add power AIDL to context
Add power HAL exec to file contexts

Change-Id: Ib97298e739f030454256c88f78e6862c2f4838bb
2020-10-19 21:44:18 -07:00
qctecmdr
1e9503d754 Merge "sepolicy: Add video property to get permission" 2020-10-15 22:17:56 -07:00
Milap Gajjar
78877b8b75 msm8998 inital bringup with enforce mode
Change-Id: If8164daa32ca0ba796a4bf78e9c450ce1669b509
2020-10-15 01:56:39 -07:00
Paras Nagda
44e4db86e8 sepolicy: Add video property to get permission
Allow Zygote to read video property

Change-Id: Iac936e84549cde02e2b87309f32cdbd2d8a0fe5f
2020-10-14 06:30:06 -07:00
Milap Gajjar
ef77a8cdd5 sdm660: Initial bring up sepolicy changes
Change-Id: Ifa42b7bebd66884698697fecc538f1ff6057519d
2020-10-14 03:27:54 -07:00
Paras Nagda
5bc47cdaf0 sepolicy: Add video property get permission
Allow mediaserver to read video sys property

Change-Id: Id09d5fbcbacbba3130ca9d7759ff67ade3a839b3
2020-10-06 22:26:31 -07:00
qctecmdr
b22751353a Merge "sepolicy: add policies for DSP HAL manager" 2020-09-30 00:50:57 -07:00
Jiten Patel
c4f5909333 sepolicy: Policy fix for rpmb partition
On 4.19 kernel, due to upstream commit <97548575be>
(mmc: block: Convert RPMB to a character device),
Block device design for RPMB is now changed to char device.
This change add required permissions for qseecom daemon to
be able to access new device design for RPMB eMMC device.

Change-Id: I77a4ffc2107e61f66fe75cd2ccdc4d8da2685523
2020-09-26 17:09:23 +05:30
Karthik Gopalan
bc3a9ace81 sepolicy: Add policies for beluga properties
Add policies for beluga properties

Change-Id: I25283d9148166ad158181efddebd61277eebf8cb
2020-09-24 01:36:11 -07:00
qctecmdr
e40220732a Merge "sepolicy: Allow all app domains to search sysfs_kgsl" 2020-09-23 01:51:40 -07:00
Vamsi Krishna Gattupalli
fa6d5b4fdc sepolicy: add policies for DSP HAL manager
Add DSP HAL manager related attributes and policies. Allow untrusted
shell apps and APKs to be a client of the DSP HAL server. Mark the
DSP HAL interface library as same process HAL.

Change-Id: I7b2e5c716c6191d480d26d39a3adf188dc3aefb3
2020-09-22 10:52:41 +05:30
Murthy Nidadavolu
8d4a25335b sepolicy: Updating sepolicy for DRM HAL
Adding 1.3 drm HAL to file_contexts.

Change-Id: I59f87fb9eb4a1605cf299a973986164f6761dab2
2020-09-18 13:39:59 +05:30
qctecmdr
ee00935244 Merge "sepolicy: Update thermal-engine sepolicy rules for legacy vendor file" 2020-09-16 03:30:27 -07:00
Nilesh Gharde
07cedab877 Sepolicy denials for location on legacy R targets
Fix for denial when xtra-daemon is trying to get
qccsyshal service instance

Change-Id: I522531dee26dd5ee426a7ae966e49a0a4e685481
CRs-fixed: 2765244
2020-09-15 11:55:49 +05:30
Asha Magadi Venkateshamurthy
7ef030e945 sepolicy: Update thermal-engine sepolicy rules for legacy vendor file
Update legacy thermal-engine sepolicy rule for SDM660 target by adding
access of sysfs nodes of thermal devices, kgsl and devfreq by adding
sepolicy rules.

Change-Id: I49c511d2dbc67169daa937102d58839eb799b977
2020-09-14 12:14:23 +05:30
qctecmdr
7036682bb5 Merge "sepolicy: add support for separate dcvs script for sdm660" 2020-09-04 05:32:35 -07:00
Asha Magadi Venkateshamurthy
c7c8131f02 sepolicy: add support for separate dcvs script for sdm660
Give sepolicy permission to dcvs node used to set
memlat parameters.

Change-Id: Iadddf5d11375a6d7cc48d523ed8c44baf4643be1
2020-09-04 10:55:17 +05:30
Bharat Pawar
b4ca9cb07f sepolicy: Allow all app domains to search sysfs_kgsl
Fixing below avc denials
type=1400 audit(0.0:86144): avc: denied { search } for
name="kgsl-3d0" dev="sysfs" ino=43551 scontext=u:r:mediaswcodec:s0

Change-Id: Ibf7a9a231119c23c4830538323587edbe95150a2
2020-09-03 19:15:02 +05:30
Bharat Pawar
90dc370d64 sepolicy: Adding rules for servicetracker HAL for legacy target.
Also adding file_context for servicetracker V1.2
Change-Id: I7145f86093c954376e6dd8bbcd8f6d2e6005a981
2020-09-03 17:47:59 +05:30
Bharat Pawar
3bdddf83fd sepolicy: Add label for vibrator AIDL HAL service
Add selinux label for vibrator AIDL HAL service
so that it can access the vibrator device correctly.

Change-Id: I6486b6cf399ce60a671b187c624993820c6f246c
2020-08-21 15:48:02 +05:30
qctecmdr
f95a6b8611 Merge "perf: Fix sepolicy errors during boot" 2020-08-13 07:28:05 -07:00
qctecmdr
33281c7bda Merge "Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0" 2020-08-13 05:34:25 -07:00
qctecmdr
3c94562422 Merge "sepolicy: Remove all qssi specific WFD sepolicy change" 2020-08-13 03:40:25 -07:00
Shashi Shekar Shankar
ded4b6e973 perf: Fix sepolicy errors during boot
Fix sepolicy errors on legacy targets.

Change-Id: Ia491e7e3330243d3ec70fba97c3beafc65f93afc
2020-08-12 19:57:11 -07:00
Pavan Kumar M
b7b9097e20 sepolicy: Add sepolicy rules for IImsFactory HAL for legacy targets
Change-Id: I371457018f309bb3a23138ac8d71d4628430f69e
2020-08-07 04:26:38 -07:00
Rajeswari N
ae41118035 sepolicy: Add perf 2.2 hal
Support for perf HAL 2.2 uprev

Change-Id: Ia6abea00751494803bf78839ef96608dfbc9b09d
2020-08-04 15:15:36 +05:30
Shivam Agrawal
ff436b9716 Sepolicy: ported all Wfd sepolicy from sepolicy.lnx.5.0
- WFD sepolicy fix.

Change-Id: I1000b0277318ca7439a5bb177787dffe8d51b7c9
2020-07-29 14:10:43 +05:30
qctecmdr
d580bc7940 Merge "Allow BT LAZY HAL serivce to access bluetooth hal" 2020-07-28 08:46:15 -07:00
qctecmdr
8e93513c1d Merge "sepolicy: Add interface entry for Legacy HAL" 2020-07-28 06:48:53 -07:00
Bharat Pawar
b98304acab Allow BT LAZY HAL serivce to access bluetooth hal
BT lazy service is a new shared object on go targets
which requires to access BT HAL.

Change-Id: I5b4248a35c52211e03da9f0f9410d967e2b2c602
2020-07-22 22:54:28 +05:30
Tapas Dey
c6aece100b sepolicy: Add interface entry for Legacy HAL
Added INxpNfcLegacy HAL interface entry
for Legacy HAL.

Change-Id: I8e241a7f13ce5d6431a47c3084384af6c0291cba
2020-07-22 14:08:54 +05:30
Shivam Agrawal
05ae9e6df9 sepolicy: Remove all qssi specific WFD sepolicy change
- revert all qssi specific WFD sepolicy changes on 6.0.c2
  to port WFD sepolicy changes from sepolicy.lnx.5.0

Change-Id: I22e335471e2877ce1c3fd24c1997ae037c4f38df
2020-07-16 19:57:37 +05:30
Rajeswari N
5bab8c4b02 sepolicy: sepolicy changes for perf HAL Uprev
Perf Hal Uprev 2.1 support added and IPerfcallback HAL added

Change-Id: Icd1cfba45e2a118de9a1944e6d9709ae458b9015
2020-07-16 00:04:44 -07:00
Rajshekar Eashwarappa
dbb48aa54b SEPolicy: Adding sdm660 policies
Change-Id: I71b5ec869475846e0c7b8f3ba00f6a018a631a50
2020-07-10 01:00:59 -07:00
himta ram
10a90a8e77 sepolicy: add sepolicy rules for pronto based targets
Add sepolicy rule for pronto based targets.

CRs-Fixed: 2724004
Change-Id: I64804f3dd532934d314cb5731fc7f1633d13a236
2020-07-02 14:00:32 +05:30
qctecmdr
a55d07264e Merge "sepolicy: Adding vendor_qti_init_shell label to legacy" 2020-07-01 09:29:09 -07:00
qctecmdr
a123f4808c Merge "Remove QtiTetherService references" 2020-07-01 09:23:48 -07:00
Pavan Kumar M
5cffcfdf15 Remove QtiTetherService references
QtiTetherService is not used anymore, remove all
the existing references

Change-Id: I9cf47507686907d29faef44c65d6e30dd584f19c
CRs-Fixed: 2710079
2020-06-15 10:21:25 +05:30
Udipto Goswami
12fed7ec7d sepolicy: Adding vendor_qti_init_shell label to legacy
There are some targets which uses legacy sepolicy but
USB uses vendor_qti_init_shell label for its rc file
execution which causes a mismatch as legacy uses
qti_init_shell. This stop the USB rc file from
executing the command for calling the script file
responsible for setting the composition.
Ultimately setting the default value which is adb
on bootup instead of default composition.

Fix this by setting an alias as vendor_qti_init_shell
in legacy sepolicy for qti_init_shell allowing USB
to use vendor label.

Change-Id: Ia8953ed61bb1b87d01b17d02fc7e4bf4b86e66eb
Signed-off-by: Udipto Goswami <ugoswami@codeaurora.org>
2020-06-12 04:00:05 -07:00
Bharat Pawar
5fb71e0e4a sepolicy: Pick legacy sepolicies for 8953/37 targets
Pick legacy sepolicy rules instead of qva for 8953 and
8937 targets.

Change-Id: I509de01be51f1fc19ac3e1f49ffcf3f547c70457
2020-06-12 14:25:51 +05:30
Bharat Pawar
327503aee9 sepolicy: Add support for 8937 and 8953 targets
Change-Id: I22d8f079acfc59c16adb66e46755157b7c61a6bd
2020-06-05 16:27:16 +05:30
600 changed files with 3507 additions and 19189 deletions

View File

@@ -1,20 +1,21 @@
# Board specific SELinux policy variable definitions
ifeq ($(call is-vendor-board-platform,QCOM),true)
SEPOLICY_PATH:= device/qcom/sepolicy
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/generic/public
SEPOLICY_PATH:= device/qcom/sepolicy-legacy-um
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/public \
$(SEPOLICY_PATH)/generic/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/generic/private
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
$(SEPOLICY_PATH)/qva/public
SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/qva/public \
$(SEPOLICY_PATH)/qva/public/attribute
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
$(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
$(SEPOLICY_PATH)/qva/private
#once all the services are moved to Product /ODM above lines will be removed.
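
Review bot: SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS and SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS are each assigned twice in this hunk with `:=`, once for the generic directories and once for qva, and each assignment depends on re-listing the variable's own previous value. One `+=` per variable carrying the generic and qva paths together would be shorter, and a later edit could not drop the self-reference and clobber directories contributed by other makefiles. The trailing comment that "above lines will be removed" should also name which of the renamed variables it means.
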
@@ -29,30 +30,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS := \
$(SEPOLICY_PATH)/generic/product/private \
$(SEPOLICY_PATH)/qva/product/private
ifeq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
$(SEPOLICY_PATH)/generic/vendor/common \
$(SEPOLICY_PATH)/qva/vendor/common/sysmonapp \
$(SEPOLICY_PATH)/qva/vendor/ssg \
$(SEPOLICY_PATH)/qva/vendor/common
ifeq ($(TARGET_SEPOLICY_DIR),)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_BOARD_PLATFORM)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_BOARD_PLATFORM)
else
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/$(TARGET_SEPOLICY_DIR)
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/$(TARGET_SEPOLICY_DIR)
endif
ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/generic/vendor/test
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/qva/vendor/test
endif
endif
ifneq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
ifneq (,$(filter sdm845 sdm710 sdm660 msm8937 msm8953 msm8996 msm8998, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS := \
$(BOARD_SEPOLICY_DIRS) \
$(SEPOLICY_PATH) \
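
Review bot: At the rewritten `ifneq (,$(filter sdm845 sdm710 sdm660 msm8937 msm8953 msm8996 msm8998, $(TARGET_BOARD_PLATFORM)))` line, a platform outside this list now gets no BOARD_SEPOLICY_DIRS from this file, because the `ifeq (,$(filter sdm845 sdm710, ...))` branch that covered every other target is removed. The failure would then show up late, as missing types at policy compile time or as denials at boot. Add an `else` with `$(error ...)` or `$(warning ...)` naming the unsupported TARGET_BOARD_PLATFORM, or state in a comment that this tree supports only the listed legacy targets.
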
@@ -69,4 +47,5 @@ ifneq (,$(filter sdm845 sdm710, $(TARGET_BOARD_PLATFORM)))
BOARD_SEPOLICY_DIRS += $(SEPOLICY_PATH)/legacy/vendor/test
endif
endif
endif
-include device/lineage/sepolicy/qcom/sepolicy.mk
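
Review bot: The trailing `-include device/lineage/sepolicy/qcom/sepolicy.mk` ignores a missing file without any diagnostic, so a tree that lacks device/lineage/sepolicy builds with a smaller policy and nothing in the log says so. If the Lineage policy is required for these targets, use plain `include` so the build stops. If it is optional, add a comment saying so and check that the policy here still compiles without it.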

View File

@@ -26,6 +26,7 @@
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute vendor_dataservice_app coredomain;
typeattribute vendor_dataservice_app mlstrustedsubject;
app_domain(vendor_dataservice_app)
net_domain(vendor_dataservice_app)

View File

@@ -28,3 +28,5 @@
/data/misc/seemp(/.*)? u:object_r:vendor_seemp_data_file:s0
/(product|system/product)/etc/init\.qcom\.testscripts\.sh u:object_r:qti-testscripts_exec:s0
/storage/emulated(/.*)? u:object_r:media_rw_data_file:s0
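
Review bot: The `/storage/emulated(/.*)? u:object_r:media_rw_data_file:s0` entry has no comment, and it labels a platform-owned path from a file that otherwise only carries QTI-specific paths (seemp data, the QTI test script). Say which denial or relabel problem this fixes and on which targets. A broad `(/.*)?` pattern on shared storage is hard to audit later without that context, and it may belong in the platform or ROM policy rather than in this component's file_contexts.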

View File

@@ -27,3 +27,9 @@
ro.vendor.qti.va_aosp.support u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.qti.va_odm.support u:object_r:vendor_exported_odm_prop:s0 exact bool
ro.vendor.perf.scroll_opt u:object_r:vendor_exported_system_prop:s0 exact bool
ro.vendor.perf.scroll_opt.heavy_app u:object_r:vendor_exported_system_prop:s0 exact int
ro.netflix.bsp_rev u:object_r:vendor_exported_system_prop:s0 exact string
# Beluga
ro.vendor.beluga. u:object_r:vendor_exported_system_prop:s0
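
Review bot: The `ro.vendor.beluga.` entry is a prefix match with no `exact` keyword and no value type, unlike every other line in this hunk, so any property created under that prefix is exported as vendor_exported_system_prop with no type check. List the individual Beluga properties with `exact` and a type, or add a comment explaining why the whole prefix has to be exported. Separately, `ro.netflix.bsp_rev` sits outside the `ro.vendor.` namespace yet gets the same vendor label. A one-line comment on who sets it and who reads it would make that choice reviewable.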

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
# Copyright (c) 2020, 2021 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,24 +25,13 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
typeattribute vendor_qcc_app mlstrustedsubject;
app_domain(vendor_qcc_app)
net_domain(vendor_qcc_app)
binder_use(vendor_qcc_app)
# allow invoking activity and access app content to vendor_qcc_app
#allow vendor_qcc_app { activity_service content_service }:service_manager find;
# allow display service to vendor_qcc_app
#allow vendor_qcc_app { display_service }:service_manager find;
# allow access to wifi and data network to vendor_qcc_app
#allow vendor_qcc_app { connectivity_service network_management_service }:service_manager find;
# allow access telephony service info to vendor_qcc_app
#allow vendor_qcc_app { radio_service registry_service }:service_manager find;
allow vendor_qcc_app radio_service:service_manager find;
# allow acquire wakelock to vendor_qcc_app
#allow vendor_qcc_app { power_service }:service_manager find;
# allow to load native library
#allow vendor_qcc_app { mount_service }:service_manager find;
# for vendor_perf_service
allow vendor_qcc_app app_api_service:service_manager find;
@@ -52,12 +41,11 @@ allow vendor_qcc_app vendor_qcc_data_file:file create_file_perms;
# allow access to socket
unix_socket_connect(vendor_qcc_app, vendor_dpmtcm, vendor_dpmd)
# allow access to mediadrmserver for qdmastats/wvstats
allow vendor_qcc_app mediadrmserver_service:service_manager find;
# allow vendor_qcc_app to access system_app_data_file
# necessary for read and write /data/data subdirectory.
# necessary for read and write /data/user_de/0/com.---.qti.qdma subdirectory.
allow vendor_qcc_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_app system_app_data_file:file create_file_perms;
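
Review bot: The comment above the two `system_app_data_file` rules names a single subdirectory, but `create_dir_perms` and `create_file_perms` on `system_app_data_file` apply to every directory and file that carries that type, not only the qdma one. If the app only needs its own data directory, give that directory a dedicated type (for example through the `type=` field of its seapp_contexts entry) and grant the create permissions on that type. Otherwise the comment should say that access to all system app data is intended.
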
@@ -70,3 +58,5 @@ allow vendor_qcc_app mediametrics_service:service_manager find;
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
allow vendor_qcc_app vendor_qcc_app_socket:dir rw_dir_perms;
allow vendor_qcc_app vendor_qcc_app_socket:sock_file create_file_perms;

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,11 +25,11 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#allow bluetooth to access btconfigstore hal
hal_client_domain(bluetooth, vendor_hal_btconfigstore);
typeattribute vendor_qcc_authmgr_app coredomain;
#allow bluetooth to access perf hal
hal_client_domain(bluetooth, vendor_hal_perf);
app_domain(vendor_qcc_authmgr_app)
binder_use(vendor_qcc_authmgr_app)
#allow bluetooth to access bluetooth_dun hal
hal_client_domain(bluetooth, vendor_hal_bluetooth_dun);
hal_client_domain(vendor_qcc_authmgr_app, vendor_hal_qccvndhal);
hal_client_domain(vendor_qcc_authmgr_app, vendor_hal_perf);
allow vendor_qcc_authmgr_app {app_api_service}:service_manager find;

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2017-2020, 2021 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,31 +24,38 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_port-bridge, domain;
type vendor_port-bridge_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_port-bridge)
userdebug_or_eng(`
domain_auto_trans(shell, vendor_port-bridge_exec, vendor_netmgrd)
#domain_auto_trans(adbd, vendor_port-bridge_exec, netmgrd)
diag_use(vendor_port-bridge)
typeattribute vendor_qcc_lmtp_app mlstrustedsubject;
app_domain(vendor_qcc_lmtp_app)
net_domain(vendor_qcc_lmtp_app)
binder_use(vendor_qcc_lmtp_app)
hal_client_domain(vendor_qcc_lmtp_app, vendor_hal_perf);
allow vendor_qcc_lmtp_app {activity_service}:service_manager find;
allow vendor_qcc_lmtp_app location_service:service_manager find;
allow vendor_qcc_lmtp_app app_api_service:service_manager find;
# for vendor_perf_service
allow vendor_qcc_lmtp_app vendor_perf_service:service_manager find;
# allow access to socket
unix_socket_connect(vendor_qcc_lmtp_app, vendor_dpmtcm, vendor_dpmd)
# allow access to qcc dropbox
allow vendor_qcc_lmtp_app vendor_qcc_data_file:dir create_dir_perms;
allow vendor_qcc_lmtp_app vendor_qcc_data_file:file create_file_perms;
# allow vendor_qcc_lmtp_app to access system_app_data_file
# necessary for read and write /data/data subdirectory
allow vendor_qcc_lmtp_app system_app_data_file:dir create_dir_perms;
allow vendor_qcc_lmtp_app system_app_data_file:file create_file_perms;
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
unix_socket_connect(vendor_qcc_lmtp_app, vendor_qcc_app, vendor_qcc_app)
allow vendor_qcc_lmtp_app vendor_qcc_app_socket:dir rw_dir_perms;
allow vendor_qcc_lmtp_app vendor_qcc_app_socket:sock_file create_file_perms;
allow vendor_qcc_lmtp_app app_api_service:service_manager find;
')
# Allow operations on different types of sockets
allow vendor_port-bridge vendor_port-bridge:netlink_kobject_uevent_socket { create bind read };
allow vendor_port-bridge {
# Allow operations on mhi transport
vendor_mhi_device
# Allow operations on ATCoP g-link transport
vendor_at_device
}:chr_file rw_file_perms;
#access ipa sysfs node
allow vendor_port-bridge vendor_sysfs_data:file r_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:file create_file_perms;
allow vendor_port-bridge vendor_port_bridge_data_file:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:dir w_dir_perms;
allow vendor_port-bridge vendor_port-bridge_socket:sock_file create_file_perms;
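
Review bot: `allow vendor_qcc_lmtp_app app_api_service:service_manager find;` appears twice in the new vendor_qcc_lmtp_app rules, once after the `location_service` line and again as the last rule after the vendor_qcc_app_socket permissions. The second copy is redundant and should be dropped. The file also mixes `{activity_service}` in braces with bare service names on the following lines. Use the bare form for single types so the rules are easy to grep.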

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2017-2019 Linux Foundation. All rights reserved.
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,14 +25,15 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_power_off_alarm, domain;
type vendor_power_off_alarm_exec, exec_type, vendor_file_type, file_type;
typeattribute vendor_qcc_netstat_app coredomain;
init_daemon_domain(vendor_power_off_alarm)
app_domain(vendor_qcc_netstat_app)
net_domain(vendor_qcc_netstat_app)
binder_use(vendor_qcc_netstat_app)
allow vendor_power_off_alarm rtc_device:chr_file r_file_perms;
allow vendor_power_off_alarm kmsg_device:chr_file w_file_perms;
hal_client_domain(vendor_qcc_netstat_app, vendor_hal_qccvndhal);
hal_client_domain(vendor_qcc_netstat_app, vendor_hal_perf);
allow vendor_qcc_netstat_app {app_api_service}:service_manager find;
allow vendor_power_off_alarm self:capability2 wake_alarm;
set_prop(vendor_power_off_alarm, powerctl_prop)
# Allow read-write permissions to qdma sockets under vendor_qcc_app_socket.
unix_socket_connect(vendor_qcc_netstat_app, vendor_qcc_app, vendor_qcc_app)
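
Review bot: The closing comment promises "read-write permissions to qdma sockets under vendor_qcc_app_socket", but the only rule under it is `unix_socket_connect(vendor_qcc_netstat_app, vendor_qcc_app, vendor_qcc_app)`, which grants connectto on the peer and write on the sock_file and nothing on the socket directory. In the vendor_qcc_lmtp_app policy the same comment is followed by `vendor_qcc_app_socket:dir rw_dir_perms` and `vendor_qcc_app_socket:sock_file create_file_perms`. Either add the directory access this domain needs, or reword the comment to say that only connecting to the vendor_qcc_app socket is allowed.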

View File

@@ -25,7 +25,8 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_utils_app, domain, coredomain;
typeattribute vendor_qcc_utils_app mlstrustedsubject;
app_domain(vendor_qcc_utils_app)
net_domain(vendor_qcc_utils_app)
binder_use(vendor_qcc_utils_app)

View File

@@ -34,5 +34,11 @@ hwbinder_use(vendor_qtelephony);
get_prop(vendor_qtelephony, hwservicemanager_prop);
add_hwservice(vendor_qtelephony, vendor_hal_atfwd_hwservice);
userdebug_or_eng(`
hal_client_domain( vendor_qtelephony, vendor_hal_diaghal)
')
allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;
allow vendor_qtelephony system_api_service:service_manager find;
allow vendor_qtelephony app_api_service:service_manager find;
hal_client_domain(vendor_qtelephony, hal_telephony)
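
Review bot: The brace list in `allow vendor_qtelephony { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service radio_service drmserver_service audioserver_service}:service_manager find;` grants lookup of seven services to a telephony domain with no comment on which caller needs which service, and the next two lines add the whole `system_api_service` and `app_api_service` attributes on top. Split the list by consumer with a short comment per group and drop entries no caller uses. Also fix the stray space in `hal_client_domain( vendor_qtelephony, vendor_hal_diaghal)` and the missing space before the closing brace.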

View File

@@ -95,4 +95,6 @@ userdebug_or_eng(`
binder_call(platform_app, qti-testscripts)
binder_call(system_app, qti-testscripts)
# allow lmkd to kill tasks with positive oom_score_adj under memory pressure
allow lmkd qti-testscripts:process { setsched sigkill };
')

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2018, 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,5 +24,6 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#allow embms app to access vendor radio property
get_prop(radio, vendor_radio_prop)
hwbinder_use(radio)
allow radio mediaextractor_service:service_manager find;

View File

@@ -28,3 +28,12 @@
#Add new domain for DataServices
# Needed for CNEService , uceShimService and other connectivity services
user=radio seinfo=platform name=.dataservices domain=vendor_dataservice_app type=radio_data_file
# AtFwd app
user=_app seinfo=platform name=com.qualcomm.telephony domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=vendor_qtelephony type=app_data_file levelFrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=vendor_qtelephony type=app_data_file levelFrom=all
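
Review bot: The three new entries map com.qualcomm.telephony, org.codeaurora.ims and com.qualcomm.qti.devicestatisticsservice to the single domain `vendor_qtelephony`, so each package runs with the union of what the other two need, including the HAL client and service_manager rules granted to that domain. If the device statistics service does not need the AtFwd or IMS permissions, give it its own domain. If sharing is deliberate, say so in the comment. Only the ims entry carries `isPrivApp=true`. Confirm the other two packages are expected to match whether or not they are installed as privileged apps.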

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
/(product|system/product)/bin/init\.qti\.display\.sh u:object_r:vendor_sys_qti_display_exec:s0

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019 The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,4 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
vendor.display.disable_rounded_corner u:object_r:vendor_display_notch_prop:s0

View File

@@ -1,5 +1,5 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Copyright (c) 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
@@ -12,7 +12,7 @@
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
@@ -25,12 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#mmi_sys basic
r_dir_file(vendor_mmi_sys, vendor_sysfs_graphics)
type vendor_sys_qti_display_exec, system_file_type, exec_type, file_type;
hal_client_domain(vendor_mmi_sys, vendor_hal_factory_qti);
#diag
userdebug_or_eng(`
diag_use(vendor_mmi_sys)
typeattribute vendor_sys_qti_display coredomain;
init_daemon_domain(vendor_sys_qti_display)
set_prop(vendor_sys_qti_display, vendor_display_notch_prop)
')

View File

@@ -36,3 +36,4 @@ allow vendor_systemhelper_app { activity_service trust_service surfaceflinger_se
allow vendor_systemhelper_app app_data_file:dir rw_dir_perms;
allow vendor_systemhelper_app thermal_service:service_manager find;
allow vendor_systemhelper_app vendor_perf_service:service_manager find;

View File

@@ -28,7 +28,3 @@
attribute vendor_hal_systemhelper;
attribute vendor_hal_systemhelper_client;
attribute vendor_hal_systemhelper_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
product_restricted_prop(vendor_display_notch_prop)

View File

@@ -25,11 +25,10 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This domain is for pdt apps and should always be in
# userdebug_or_eng macro
type vendor_sys_qti_display, domain, mlstrustedsubject;
#============= vendor_sys_qti_display ==============
userdebug_or_eng(`
type vendor_cta_app, domain;
app_domain(vendor_cta_app);
permissive vendor_cta_app;
allow vendor_sys_qti_display shell_exec:file rx_file_perms;
allow vendor_sys_qti_display toolbox_exec:file rx_file_perms;
')
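
Review bot: `type vendor_sys_qti_display, domain, mlstrustedsubject;` exempts this domain from the MLS constraints, yet the rules visible for it in this change are execute access to `shell_exec` and `toolbox_exec` here and a `set_prop` on `vendor_display_notch_prop` in its init_daemon_domain policy, none of which involve categorised app data. Drop `mlstrustedsubject` unless a specific cross-level access needs it, and if one does, name it in a comment next to the declaration.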

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.
# Copyright (c) 2016-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -59,3 +59,19 @@ attribute vendor_hal_capabilityconfigstore_qti_server;
attribute vendor_hal_dataconnection_qti;
attribute vendor_hal_dataconnection_qti_client;
attribute vendor_hal_dataconnection_qti_server;
attribute vendor_hal_embmssl;
attribute vendor_hal_embmssl_client;
attribute vendor_hal_embmssl_server;
attribute vendor_hal_dspmanager;
attribute vendor_hal_dspmanager_client;
attribute vendor_hal_dspmanager_server;
attribute vendor_hal_diaghal;
attribute vendor_hal_diaghal_client;
attribute vendor_hal_diaghal_server;
attribute vendor_hal_perf;
attribute vendor_hal_perf_client;
attribute vendor_hal_perf_server;

View File

@@ -0,0 +1,28 @@
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_authmgr_app, domain;

View File

@@ -1,4 +1,4 @@
# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
# Copyright (c) 2017-2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
@@ -25,5 +25,4 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#qspm
hal_client_domain(radio, vendor_hal_qspmhal)
type vendor_qcc_lmtp_app, domain, coredomain;
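
Review bot: `coredomain` is attached in the `type` statement here (and again for vendor_qcc_utils_app), while vendor_qcc_authmgr_app and vendor_qcc_netstat_app are declared as plain `type ..., domain;` and receive `coredomain` through a separate `typeattribute` line. Pick one convention for the four vendor_qcc_* app domains so a reader can tell from one place which of them are core domains.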

View File

@@ -0,0 +1,28 @@
# Copyright (c) 2021, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_netstat_app, domain;

View File

@@ -0,0 +1,28 @@
# Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_qcc_utils_app, domain, coredomain;

View File

@@ -1,39 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_audioadsprpcd, domain;
type vendor_audioadsprpcd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_audioadsprpcd)
allow vendor_audioadsprpcd ion_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_audioadsprpcd vendor_xdsp_device:chr_file r_file_perms;
r_dir_file(vendor_audioadsprpcd, adsprpcd_file)
get_prop(vendor_audioadsprpcd, vendor_adsprpc_prop)
allow vendor_audioadsprpcd mnt_vendor_file:dir r_dir_perms;

View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow cameraserver gpu_device:chr_file rw_file_perms;
get_prop(cameraserver, vendor_camera_prop)
allow cameraserver vendor_sysfs_camera:file r_file_perms;
allow cameraserver vendor_sysfs_camera:dir search;
allow cameraserver system_file:dir r_dir_perms;
allow cameraserver system_server:unix_stream_socket { read write };
# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
binder_call(cameraserver, mediacodec)
#allow cameraserver to read adsprpc_prop
get_prop(cameraserver, vendor_adsprpc_prop)

View File

@@ -1,47 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# vendor_cdsprpcd daemon
type vendor_cdsprpcd, domain;
type vendor_cdsprpcd_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_cdsprpcd)
# For reading dir/files on /dsp
r_dir_file(vendor_cdsprpcd, adsprpcd_file)
# For reading adsprpc_prop
get_prop(vendor_cdsprpcd, vendor_adsprpc_prop)
allow vendor_cdsprpcd vendor_qdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd vendor_xdsp_device:chr_file r_file_perms;
allow vendor_cdsprpcd ion_device:chr_file r_file_perms;
r_dir_file(vendor_cdsprpcd, vendor_sysfs_devfreq)
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:dir r_dir_perms;
allow vendor_cdsprpcd vendor_sysfs_devfreq_l3cdsp:file rw_file_perms;

View File

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow charger self:capability2 wake_alarm;
r_dir_file(charger, vendor_sysfs_battery_supply)
r_dir_file(charger, vendor_sysfs_usb_supply)
allow charger {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
dontaudit charger device:dir r_dir_perms;
dontaudit charger self:capability sys_admin;

View File

@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This daemon loads the Context Hub Runtime Environment (CHRE) dynamic modules
# onto the SLPI using FastRPC, and exposes a sockets interface for clients on
# the applications processor to interact CHRE
type vendor_chre, domain;
type vendor_chre_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_chre)
r_dir_file(vendor_chre, adsprpcd_file)
#allow vendor_chre to read adsprpc_prop
get_prop(vendor_chre, vendor_adsprpc_prop)
allow vendor_chre ion_device:chr_file r_file_perms;
allow vendor_chre vendor_qdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_xdsp_device:chr_file r_file_perms;
allow vendor_chre vendor_dsp_device:chr_file r_file_perms;

@@ -1,86 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_cnd, domain;
type vendor_cnd_exec, exec_type, vendor_file_type, file_type;
file_type_auto_trans(vendor_cnd, socket_device, vendor_cnd_socket);
# vendor_cnd is started by init, type transit from init domain to vendor_cnd domain
init_daemon_domain(vendor_cnd)
#communicating with QTI wlan driver for WFC/ VTiWLAN quality
allow vendor_cnd self:capability net_bind_service;
unix_socket_send(vendor_cnd, wpa, hal_wifi_supplicant)
allow vendor_cnd wpa_data_file:dir w_dir_perms;
allow vendor_cnd wpa_data_file:sock_file create_file_perms;
#allow processing of VoWifi indications from modem over QMI while dozing
allow vendor_cnd self:capability2 block_suspend;
allow vendor_cnd self:udp_socket create_socket_perms;
allow vendor_cnd self:{
# Allow receiving NETLINK responses from WLAN driver.
netlink_socket
netlink_generic_socket
qipcrtr_socket
} create_socket_perms_no_ioctl;
allowxperm vendor_cnd self:udp_socket ioctl SIOCGIFMTU;
allow vendor_cnd vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_cnd vendor_sysfs_data:file r_file_perms;
allow vendor_cnd proc_meminfo:file r_file_perms;
set_prop(vendor_cnd, vendor_cnd_prop)
# allow vendor_cnd to access vendor_cnd_data_file
allow vendor_cnd vendor_cnd_data_file:file create_file_perms;
allow vendor_cnd vendor_cnd_data_file:sock_file { unlink create setattr };
allow vendor_cnd vendor_cnd_data_file:dir rw_dir_perms;
# allow vendor_cnd to obtain wakelock
wakelock_use(vendor_cnd)
allow vendor_cnd vendor_ipa_vendor_data_file:dir r_dir_perms;
allow vendor_cnd vendor_ipa_vendor_data_file:file r_file_perms;
# To register vendor_cnd to hwbinder
add_hwservice(vendor_cnd, vendor_hal_datafactory_hwservice)
hwbinder_use(vendor_cnd)
get_prop(vendor_cnd, hwservicemanager_prop)
binder_call(vendor_cnd, vendor_dataservice_app)
binder_call(vendor_cnd, vendor_qtidataservices_app)
binder_call(vendor_cnd, vendor_ims)
binder_call(vendor_cnd, vendor_location)
r_dir_file(vendor_cnd, vendor_sysfs_ssr)
#diag
userdebug_or_eng(`
diag_use(vendor_cnd)
r_dir_file(vendor_cnd, vendor_sysfs_diag)
')

@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
get_prop(vendor_dataservice_app, vendor_cnd_prop)
allow vendor_dataservice_app vendor_hal_imsrcsd_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_hal_datafactory_hwservice:hwservice_manager find;
allow vendor_dataservice_app vendor_sysfs_data:file r_file_perms;
binder_call(vendor_dataservice_app, vendor_cnd)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_dataservice_app, vendor_hal_rcsservice)
hal_client_domain(vendor_dataservice_app , vendor_hal_perf)

@@ -1,68 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ab_block_device, dev_type;
type vendor_at_device, dev_type;
type vendor_avtimer_device, dev_type;
type vendor_bt_device, dev_type;
type vendor_bu21150_device, dev_type;
type vendor_citadel_device, dev_type;
type vendor_custom_ab_block_device, dev_type;
type vendor_diag_device, dev_type, mlstrustedobject;
type vendor_dsp_device, dev_type;
type vendor_xdsp_device, dev_type;
type vendor_easel_device, dev_type;
type vendor_hbtp_device, dev_type;
type vendor_hvdcp_device, dev_type;
type vendor_ipa_dev, dev_type;
type vendor_latency_device, dev_type;
type vendor_limits_block_device, dev_type;
type vendor_modem_block_device, dev_type;
type vendor_modem_efs_partition_device, dev_type;
type vendor_mdtp_device, dev_type;
type vendor_persist_block_device, dev_type;
type vendor_vm_data_block_device, dev_type;
type vendor_qsee_ipc_irq_spss_device, dev_type;
type vendor_qdsp_device, dev_type, mlstrustedobject;
type vendor_ramdump_device, dev_type;
type vendor_ramdump_microdump_modem_device, dev_type;
type vendor_rmnet_device, dev_type;
type vendor_gpt_block_device, dev_type;
type vendor_ramdump_block_device, dev_type;
type vendor_rpmb_device, dev_type;
type vendor_seemplog_device, dev_type;
type vendor_sg_device, dev_type;
type vendor_bsg_device, dev_type;
type vendor_smd_device, dev_type;
type vendor_spcom_device, dev_type;
type vendor_ssd_block_device, dev_type;
type vendor_ssr_device, dev_type;
type vendor_synx_device, dev_type;
type vendor_wlan_device, dev_type;
type vendor_xbl_block_device, dev_type;
type vendor_uefi_block_device, dev_type;
type vendor_qce_device, dev_type;
type vendor_npu_device, dev_type;
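Review bot: Dropping every `dev_type` declaration in this file (`@@ -1,68 +0,0 @@`) breaks the policy build wherever a rule or label still names one of these types. Other hunks in this comparison use them, for example `vendor_qdsp_device`, `vendor_xdsp_device` and `vendor_dsp_device` in the `vendor_chre` rules, and `vendor_diag_device` in `/dev/diag u:object_r:vendor_diag_device:s0`. Those hunks are removed as well, but target-specific policy directories that are not shown here should be searched for the same names before this is merged.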

@@ -1,37 +0,0 @@
# Copyright (c) 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag-router, domain;
type vendor_diag-router_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
init_daemon_domain(vendor_diag-router)
allow vendor_diag-router functionfs:dir r_dir_perms;
allow vendor_diag-router functionfs:file rw_file_perms;
allow vendor_diag-router self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_diag-router vendor_mhi_diag_device:chr_file rw_file_perms;
allow { domain -coredomain -hal_configstore -vendor_init} vendor_diag-router:unix_stream_socket connectto;
')
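Review bot: The `connectto` rule on the last line inside `userdebug_or_eng` is granted to `{ domain -coredomain -hal_configstore -vendor_init}`, which is every other non-core domain rather than the daemon's actual clients. The header (`+0,0`) shows the file being removed entirely, so if this policy is being relocated rather than dropped, name the client domains explicitly in the new location. The hyphen in `vendor_diag-router` also reads like set subtraction next to `-coredomain`; an underscore would be less error-prone.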

@@ -1,70 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_diag, domain;
type vendor_diag_exec, exec_type, vendor_file_type, file_type;
userdebug_or_eng(`
domain_auto_trans(shell, vendor_diag_exec, vendor_diag)
#domain_auto_trans(adbd, vendor_diag_exec, vendor_diag)
allow vendor_diag {
vendor_diag_device
devpts
tty_device
# allow access to qseecom for drmdiagapp
tee_device
}:chr_file rw_file_perms;
allow vendor_diag {
shell
su
}:fd use;
allow vendor_diag {
cgroup
fuse
vendor_persist_drm_file
}:dir create_dir_perms;
allow vendor_diag port:tcp_socket name_connect;
allow vendor_diag self:capability { setuid net_raw sys_admin setgid };
allow vendor_diag self:capability2 syslog;
allow vendor_diag self:tcp_socket { create connect setopt};
wakelock_use(vendor_diag)
allow vendor_diag kernel:system syslog_mod;
# allow drmdiagapp access to drm related paths
allow vendor_diag mnt_vendor_file:dir r_dir_perms;
r_dir_file(vendor_diag, vendor_persist_data_file)
# Write to drm related pieces of persist partition
allow vendor_diag vendor_persist_drm_file:file create_file_perms;
# For DiagExample daemon
init_daemon_domain(vendor_diag)
net_domain(vendor_diag)
allow vendor_diag fuse:dir r_dir_perms;
allow vendor_diag fuse:file r_file_perms;
r_dir_file(vendor_diag, storage_file)
r_dir_file(vendor_diag, mnt_user_file)
')
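Review bot: `allow vendor_diag self:capability { setuid net_raw sys_admin setgid };` combined with `domain_auto_trans(shell, vendor_diag_exec, vendor_diag)` lets a binary started from `shell` run with `sys_admin`, and nothing in the hunk documents which diag tool needs which capability. The rules are confined to `userdebug_or_eng`, but if the file is being moved rather than retired (the header shows it removed in full), do not carry this block over verbatim: split the grants per tool and comment each one. Also check that the two `type` declarations above the block, which sit outside `userdebug_or_eng`, have no remaining users once they are gone.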

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow domain vendor_diag_device:chr_file rw_file_perms;
')
# In order for /sys/kernel/debug/kgsl/proc/<pid>/mem
# to be created for memory tracking, the domain of
# the tracked process must have permission to search
# in /sys/kernel/debug/kgsl
allow domain vendor_debugfs_kgsl:dir search;
allow domain vendor_debugfs_ion:dir search;
get_prop(domain, vendor_gralloc_prop)
r_dir_file({domain - isolated_app}, vendor_sysfs_soc);
r_dir_file({domain - isolated_app}, vendor_sysfs_esoc);
r_dir_file({domain - isolated_app}, vendor_sysfs_ssr);
r_dir_file({domain - isolated_app}, sysfs_thermal);
get_prop(domain, vendor_public_vendor_default_prop)
dontaudit domain kernel:system module_request;
# For compliance testing test suite reads vendor_security_path_level
# Which is the public readable property “ ro.vendor.build.security_patch
get_prop(domain, vendor_security_patch_level_prop)
neverallow {
coredomain
-init
-ueventd
-vold
} vendor_persist_type: { dir file } *;
# Allow all context to read gpu model
allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
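Review bot: Removing this file also removes the `neverallow { coredomain -init -ueventd -vold } vendor_persist_type: { dir file } *;` assertion near the end of the hunk. That is a compile-time guard rather than a grant, so its loss is silent: nothing fails, but later changes can give core domains access to persist files without the build objecting. Confirm that the policy replacing this directory carries the same `neverallow`. The `userdebug_or_eng` rule `allow domain vendor_diag_device:chr_file rw_file_perms;` at the top should not be carried over as-is either, since it opens the diag node to every domain on debug builds.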

@@ -1,50 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Allow fastbootd
recovery_only(`
allow fastbootd {
vendor_custom_ab_block_device
recovery_block_device
vendor_xbl_block_device
vendor_uefi_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
}:blk_file { rw_file_perms };
# Allow fastbootd to read /sys/class/power_supply directory
# and access to power supply, usb nodes.
allow fastbootd sysfs:dir r_dir_perms;
r_dir_file(fastbootd, vendor_sysfs_battery_supply)
r_dir_file(fastbootd, vendor_sysfs_usb_supply)
allow fastbootd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file w_file_perms;
')
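Review bot: `allow fastbootd sysfs:dir r_dir_perms;` is broader than the comment above it, which only asks for `/sys/class/power_supply`: it lets `fastbootd` list every directory that carries the generic `sysfs` label. If these rules are re-homed, grant on a label specific to the power supply directory instead. Since the file is removed wholesale (`+0,0`), also confirm that `fastbootd` still gets `rw_file_perms` on the listed `blk_file` types from some other policy file, otherwise writes to those partitions from userspace fastboot in recovery can be denied.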

@@ -1,52 +0,0 @@
# Copyright (c) 2019 - 2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_feature_enabler_client, domain;
type vendor_feature_enabler_client_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_feature_enabler_client)
allow vendor_feature_enabler_client tee_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client ion_device:chr_file rw_file_perms;
allow vendor_feature_enabler_client vendor_smcinvoke_device:chr_file rw_file_perms;
unix_socket_connect(vendor_feature_enabler_client , vendor_ssgtzd, vendor_ssgtzd)
# Allow read permission to /mnt/vendor/persist/vendor_feature_enabler_client/*
allow vendor_feature_enabler_client mnt_vendor_file:dir search;
r_dir_file(vendor_feature_enabler_client, vendor_persist_feature_enabler_file)
# Allow read permission to /mnt/vendor/persist/data/*
r_dir_file(vendor_feature_enabler_client, vendor_persist_data_file)
# Binder access for featenab_client.service
vndbinder_use(vendor_feature_enabler_client)
allow vendor_feature_enabler_client vendor_qfeatenab_client_service:service_manager { add find };
#Allow access to display services and graphics_device for DRM
allow vendor_feature_enabler_client vendor_qdisplay_service:service_manager find;
hal_client_domain(vendor_feature_enabler_client, hal_graphics_composer)
allow vendor_feature_enabler_client graphics_device:chr_file rw_file_perms;

@@ -1,210 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_sysfs_audio, fs_type, sysfs_type;
type vendor_sysfs_battery_supply, sysfs_type, fs_type;
type vendor_sysfs_bond0, fs_type, sysfs_type;
type vendor_sysfs_boot_adsp, sysfs_type, fs_type;
type vendor_sysfs_camera, sysfs_type, fs_type;
type vendor_sysfs_cpu_boost, fs_type, sysfs_type;
type vendor_sysfs_devfreq, fs_type, sysfs_type;
type vendor_sysfs_easel, sysfs_type, fs_type;
type vendor_sysfs_esoc, sysfs_type, fs_type;
type vendor_sysfs_fingerprint, sysfs_type, fs_type;
type vendor_sysfs_graphics, sysfs_type, fs_type;
type vendor_sysfs_kgsl, sysfs_type, fs_type;
type vendor_sysfs_kgsl_proc, sysfs_type, fs_type;
type vendor_hbtp_kernel_sysfs, sysfs_type, fs_type;
type vendor_sysfs_irqbalance, sysfs_type, fs_type;
type vendor_sysfs_laser, sysfs_type, fs_type;
type vendor_sysfs_mdss_mdp_caps, sysfs_type, fs_type;
type vendor_sysfs_devfreq_l3cdsp, fs_type, sysfs_type;
type vendor_sysfs_mmc_host, fs_type, sysfs_type;
type vendor_sysfs_msm_perf, fs_type, sysfs_type;
type vendor_sysfs_msm_power, fs_type, sysfs_type;
type vendor_sysfs_msm_stats, fs_type, sysfs_type;
type vendor_sysfs_msm_subsys_restart, sysfs_type, fs_type;
type vendor_sysfs_sensors, sysfs_type, fs_type;
type vendor_sysfs_sectouch, sysfs_type, fs_type;
type vendor_sysfs_soc, sysfs_type, fs_type;
type vendor_sysfs_scsi_host, fs_type, sysfs_type;
type vendor_sysfs_scsi_target, fs_type, sysfs_type;
type vendor_sysfs_slpi, fs_type, sysfs_type;
type vendor_sysfs_spmi_dev, sysfs_type, fs_type;
type vendor_sysfs_ssr, sysfs_type, fs_type;
type vendor_sysfs_ssr_toggle, sysfs_type, fs_type;
type vendor_sysfs_timestamp_switch, sysfs_type, fs_type;
type vendor_sysfs_touch, sysfs_type, fs_type;
type vendor_sysfs_uio_file, sysfs_type, fs_type;
type vendor_sysfs_usb_c, sysfs_type, fs_type;
type vendor_sysfs_usb_device, sysfs_type, fs_type;
type vendor_sysfs_usb_supply, sysfs_type, fs_type;
type vendor_sysfs_usbpd_device, sysfs_type, fs_type;
type vendor_sysfs_vadc_dev, sysfs_type, fs_type;
type vendor_sysfs_lcd, sysfs_type, fs_type;
type vendor_sysfs_adsp_ssr, sysfs_type, fs_type;
type vendor_debugfs_clk, debugfs_type, fs_type;
type vendor_debugfs_ion, debugfs_type, fs_type;
type vendor_debugfs_ipc, debugfs_type, fs_type;
type vendor_debugfs_kgsl, debugfs_type, fs_type;
type vendor_debugfs_rpm, debugfs_type, fs_type;
type vendor_debugfs_rmt_storage, debugfs_type, fs_type;
type vendor_debugfs_usb, debugfs_type, fs_type;
type vendor_debugfs_wlan, debugfs_type, fs_type;
type vendor_debugfs_mdp, debugfs_type, fs_type;
type vendor_debugfs_icnss, debugfs_type, fs_type;
# /proc
type vendor_proc_wifi_dbg, fs_type, proc_type;
type vendor_proc_audiod, fs_type, proc_type;
type vendor_proc_shs, fs_type, proc_type;
type vendor_qmuxd_socket, file_type;
type vendor_netmgrd_socket, file_type;
type vendor_port-bridge_socket, file_type;
type vendor_thermal_socket, file_type;
#Define the qti socket type
type vendor_dataqti_socket, file_type;
type vendor_ims_socket, file_type;
type vendor_ipacm_socket, file_type;
type vendor_cnd_socket, file_type;
type vendor_chre_socket, file_type;
type vendor_hal_bootctl_socket, file_type;
type vendor_location_socket, file_type;
type vendor_wifihal_socket, file_type;
type vendor_pps_socket, file_type;
# imshelper_app file types
type vendor_imshelper_app_data_file, file_type, data_file_type;
type firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_cnd_data_file, file_type, data_file_type;
type vendor_location_data_file, file_type, data_file_type;
type vendor_audio_data_file, file_type, data_file_type;
type vendor_radio_data_file, file_type, data_file_type;
type vendor_wifi_vendor_log_data_file, file_type, data_file_type;
# for mount /persist
typeattribute mnt_vendor_file vendor_persist_type;
type vendor_persist_file, file_type, vendor_persist_type;
type vendor_persist_data_file, file_type , vendor_persist_type;
type vendor_persist_display_file, file_type;
type vendor_persist_drm_file, file_type, vendor_persist_type;
type vendor_persist_elabel_file, file_type, vendor_persist_type;
type vendor_persist_haptics_file, file_type, vendor_persist_type;
type vendor_persist_rfs_file, file_type, vendor_persist_type;
type vendor_persist_rfs_shared_hlos_file, file_type, vendor_persist_type;
type vendor_persist_sensors_file, file_type, vendor_persist_type;
type vendor_persist_time_file, file_type, vendor_persist_type;
type vendor_persist_audio_file, file_type, vendor_persist_type;
type vendor_persist_bluetooth_file, file_type, vendor_persist_type;
type vendor_persist_alarm_file, file_type, vendor_persist_type;
type vendor_persist_feature_enabler_file, file_type, vendor_persist_type;
type vendor_netmgr_data_file, file_type, data_file_type;
type vendor_netmgr_recovery_data_file, file_type, data_file_type;
type vendor_qmipriod_data_file, file_type, data_file_type;
type vendor_ipa_vendor_data_file, file_type, data_file_type;
type vendor_shsusr_data_file, file_type, data_file_type;
type vendor_tombstone_data_file, file_type, data_file_type;
type vendor_camera_data_file, file_type, data_file_type;
type vendor_display_vendor_data_file, file_type, data_file_type;
type vendor_nfc_vendor_data_file, file_type, data_file_type;
type vendor_radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
type vendor_modem_dump_file, file_type, data_file_type;
type vendor_sensors_vendor_data_file, file_type, data_file_type;
type vendor_port_bridge_data_file, file_type, data_file_type;
type bt_firmware_file, file_type, contextmount_type, vendor_file_type;
type vendor_firmware_file, vendor_file_type, file_type;
type vendor_mdmhelperdata_data_file, file_type, data_file_type;
type vendor_mbn_data_file, file_type, data_file_type;
#vendor capability configstore hal
type vendor_capabilityconfigstore_data_file, file_type, data_file_type;
#widevine data file
type vendor_mediadrm_vendor_data_file, file_type, data_file_type;
#time-services data file
type vendor_time_data_file, file_type, data_file_type;
#data sysfs files
type vendor_sysfs_data, fs_type, sysfs_type;
#diag sysfs files
type vendor_sysfs_diag, fs_type, sysfs_type;
type vendor_hexagon_halide_file, vendor_file_type, file_type;
# vendor media files
type vendor_media_data_file, file_type, data_file_type;
type adsprpcd_file, file_type, mlstrustedobject, vendor_file_type;
# vm system files
type vendor_vm_system_file, file_type, vendor_file_type;
type vendor_hbtp_log_file, file_type, data_file_type;
type vendor_hbtp_cfg_file, file_type, vendor_file_type;
#tloc data files
type vendor_tlocd_data_file, file_type, data_file_type;
#qseecom
type vendor_data_qsee_file, file_type, data_file_type;
#TUI Files
type vendor_tui_data_file, file_type, data_file_type;
# SFS listener data file
type vendor_data_tzstorage_file, file_type, data_file_type;
#NNHAL files
type vendor_hal_neuralnetworks_data_file, file_type, data_file_type;
#BT Files
type vendor_bt_data_file, file_type, data_file_type;
type vendor_sysfs_usb_controller, sysfs_type, fs_type;
#for qdss
type vendor_sysfs_qdss_dev, sysfs_type, fs_type;
#Define the qdcmss socket type
type vendor_qdcmsocket_socket, file_type;
type vendor_sysfs_mhi, sysfs_type, fs_type;
type vendor_sysfs_suspend, fs_type, sysfs_type;
# kgsl gpu model file type for sysfs access
type vendor_sysfs_kgsl_gpu_model, sysfs_type, fs_type;
type vendor_sysfs_kgsl_gpuclk, sysfs_type, fs_type;
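Review bot: `type vendor_persist_display_file, file_type;` is the only `vendor_persist_*_file` declaration in this hunk that lacks the `vendor_persist_type` attribute, so rules and `neverallow` assertions written against that attribute never covered it. The header shows the whole file removed; if the declarations are being moved rather than dropped, add the attribute in the new location or add a comment explaining why the display file is exempt. The hyphen in `vendor_port-bridge_socket` is also inconsistent with `vendor_port_bridge_data_file` further down and is worth normalising at the same time.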

@@ -1,487 +0,0 @@
# Copyright (c) 2018-2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# dev nodes
/dev/btpower u:object_r:vendor_bt_device:s0
/dev/diag u:object_r:vendor_diag_device:s0
/dev/kgsl-3d0 u:object_r:gpu_device:s0
/dev/rtc0 u:object_r:rtc_device:s0
/dev/smd.* u:object_r:vendor_smd_device:s0
/dev/msm_npu u:object_r:vendor_npu_device:s0
# TODO: does ttyMSM0 need to be more specific
/dev/ttyMSM0 u:object_r:tty_device:s0
/dev/ipa u:object_r:vendor_ipa_dev:s0
/dev/wwan_ioctl u:object_r:vendor_ipa_dev:s0
/dev/ipaNatTable u:object_r:vendor_ipa_dev:s0
/dev/cpu_dma_latency u:object_r:vendor_latency_device:s0
/dev/dpl_ctrl u:object_r:vendor_rmnet_device:s0
/dev/rmnet_ctrl.* u:object_r:vendor_rmnet_device:s0
/dev/at_.* u:object_r:vendor_at_device:s0
/dev/video([0-9])+ u:object_r:video_device:s0
/dev/cvp* u:object_r:video_device:s0
/dev/media([0-9])+ u:object_r:video_device:s0
/dev/v4l-subdev.* u:object_r:video_device:s0
/dev/qseecom u:object_r:tee_device:s0
/dev/qsee_ipc_irq_spss u:object_r:vendor_qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:vendor_seemplog_device:s0
/dev/spcom u:object_r:vendor_spcom_device:s0
/dev/jpeg[0-9]* u:object_r:video_device:s0
/dev/adsprpc-smd u:object_r:vendor_qdsp_device:s0
/dev/adsprpc-smd-secure u:object_r:vendor_xdsp_device:s0
/dev/sdsprpc-smd u:object_r:vendor_dsp_device:s0
/dev/wcd-dsp-glink u:object_r:audio_device:s0
/dev/wcd_dsp0_control u:object_r:audio_device:s0
/dev/wcd-spi-ac-client u:object_r:audio_device:s0
/dev/msm_.* u:object_r:audio_device:s0
/dev/avtimer u:object_r:vendor_avtimer_device:s0
/dev/subsys_.* u:object_r:vendor_ssr_device:s0
/dev/ramdump_.* u:object_r:vendor_ramdump_device:s0
/dev/ramdump_microdump_modem u:object_r:vendor_ramdump_microdump_modem_device:s0
/dev/hbtp_input u:object_r:vendor_hbtp_device:s0
/dev/hbtp_vm u:object_r:vendor_hbtp_device:s0
/dev/sg[0-9]+ u:object_r:vendor_sg_device:s0
/dev/ufs-bsg.* u:object_r:vendor_bsg_device:s0
/dev/0:0:0:49476 u:object_r:vendor_bsg_device:s0
/dev/sensors u:object_r:sensors_device:s0
/dev/mnh_sm u:object_r:vendor_easel_device:s0
/dev/easelcomm-client u:object_r:vendor_easel_device:s0
/dev/citadel0 u:object_r:vendor_citadel_device:s0
/dev/jdi-bu21150 u:object_r:vendor_bu21150_device:s0
/dev/usb_ext_chg u:object_r:vendor_hvdcp_device:s0
/dev/synx_device u:object_r:vendor_synx_device:s0
/dev/ipa_odl_ctl u:object_r:vendor_ipa_dev:s0
/dev/ipa_adpl u:object_r:vendor_ipa_dev:s0
# dev socket nodes
/dev/socket/chre u:object_r:vendor_chre_socket:s0
/dev/socket/oemlock u:object_r:vendor_hal_bootctl_socket:s0
/dev/socket/ims_qmid u:object_r:vendor_ims_socket:s0
/dev/socket/ims_datad u:object_r:vendor_ims_socket:s0
/dev/socket/ipacm_log_file u:object_r:vendor_ipacm_socket:s0
/dev/socket/cnd u:object_r:vendor_cnd_socket:s0
/dev/socket/thermal-send-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-recv-passive-client u:object_r:vendor_thermal_socket:s0
/dev/socket/thermal-send-rule u:object_r:vendor_thermal_socket:s0
/dev/socket/netmgr(/.*)? u:object_r:vendor_netmgrd_socket:s0
/dev/socket/port-bridge(/.*)? u:object_r:vendor_port-bridge_socket:s0
/dev/socket/qti_dpm_uds_file u:object_r:vendor_dataqti_socket:s0
/dev/socket/location(/.*)? u:object_r:vendor_location_socket:s0
/dev/socket/wifihal(/.*)? u:object_r:vendor_wifihal_socket:s0
/dev/socket/pps u:object_r:vendor_pps_socket:s0
/dev/nq-nci u:object_r:nfc_device:s0
/dev/ttyHS0 u:object_r:hci_attach_dev:s0
/dev/wlan u:object_r:vendor_wlan_device:s0
/dev/socket/qmux_radio(/.*)? u:object_r:vendor_qmuxd_socket:s0
/data/vendor/modem_config(/.*)? u:object_r:vendor_mbn_data_file:s0
/dev/socket/qdcmsocket u:object_r:vendor_qdcmsocket_socket:s0
/dev/qce u:object_r:vendor_qce_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
/dev/block/sda u:object_r:vendor_gpt_block_device:s0
# Block devices for the drive that holds the xbl_a and xbl_b partitions.
/dev/block/sd[bc]1? u:object_r:vendor_xbl_block_device:s0
# Block device for hal_bootctl
/dev/block/sde u:object_r:boot_block_device:s0
# Block device for ZRAM
/dev/block/zram0 u:object_r:swap_block_device:s0
# files in /vendor
/vendor/firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bt_firmware(/.*)? u:object_r:vendor_firmware_file:s0
/vendor/bin/ATFWD-daemon u:object_r:vendor_atfwd_exec:s0
/vendor/bin/hw/android\.hardware\.vr@1\.0-service.crosshatch u:object_r:hal_vr_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
/vendor/bin/thermal-engine u:object_r:vendor_thermal-engine_exec:s0
/vendor/bin/sensors.qcom u:object_r:vendor_sensors_exec:s0
/vendor/bin/sensors.qti u:object_r:vendor_sensors_exec:s0
/vendor/bin/ssr_setup u:object_r:vendor_ssr_setup_exec:s0
/vendor/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
/vendor/bin/pm-service u:object_r:vendor_per_mgr_exec:s0
/vendor/bin/pm-proxy u:object_r:vendor_per_proxy_exec:s0
/vendor/bin/qseecomd u:object_r:tee_exec:s0
/vendor/bin/subsystem_ramdump u:object_r:vendor_subsystem_ramdump_exec:s0
/vendor/bin/adsprpcd u:object_r:vendor_adsprpcd_exec:s0
/vendor/bin/cdsprpcd u:object_r:vendor_cdsprpcd_exec:s0
/vendor/bin/audioadsprpcd u:object_r:vendor_audioadsprpcd_exec:s0
/vendor/bin/irsc_util u:object_r:vendor_irsc_util_exec:s0
/vendor/bin/rmt_storage u:object_r:vendor_rmt_storage_exec:s0
/vendor/bin/tftp_server u:object_r:vendor_rfs_access_exec:s0
/vendor/bin/cnss-daemon u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/cnss_diag u:object_r:vendor_wcnss_service_exec:s0
/vendor/bin/diag_mdlog u:object_r:vendor_qlogd_exec:s0
/vendor/bin/netmgrd u:object_r:vendor_netmgrd_exec:s0
/vendor/bin/qmipriod u:object_r:vendor_qmipriod_exec:s0
/vendor/bin/shsusrd u:object_r:vendor_shsusrd_exec:s0
/vendor/bin/port-bridge u:object_r:vendor_port-bridge_exec:s0
/vendor/bin/qti u:object_r:vendor_qti_exec:s0
/vendor/bin/loc_launcher u:object_r:vendor_location_exec:s0
/vendor/bin/lowi-server u:object_r:vendor_location_exec:s0
/vendor/bin/xtra-daemon u:object_r:vendor_location_exec:s0
/vendor/bin/pd-mapper u:object_r:vendor_pd_mapper_exec:s0
/vendor/bin/imsqmidaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/imsdatadaemon u:object_r:vendor_ims_exec:s0
/vendor/bin/ims_rtp_daemon u:object_r:vendor_hal_imsrtp_exec:s0
/vendor/bin/ipacm u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/ipacm-diag u:object_r:hal_tetheroffload_default_exec:s0
/vendor/bin/cnd u:object_r:vendor_cnd_exec:s0
/vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0
/vendor/bin/diag-router u:object_r:vendor_diag-router_exec:s0
/(vendor|system/vendor)/bin/msm_irqbalance u:object_r:vendor_msm_irqbalanced_exec:s0
/vendor/bin/hw/android\.hardware\.usb@1\.1-service.crosshatch u:object_r:hal_usb_default_exec:s0
/vendor/bin/chre u:object_r:vendor_chre_exec:s0
/vendor/bin/time_daemon u:object_r:vendor_time_daemon_exec:s0
/vendor/bin/imsrcsd u:object_r:vendor_hal_rcsservice_exec:s0
/vendor/bin/tloc_daemon u:object_r:vendor_tlocd_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.2-service u:object_r:hal_power_default_exec:s0
/vendor/bin/hw/qcrild u:object_r:rild_exec:s0
/vendor/bin/hw/qcrilNrd u:object_r:rild_exec:s0
/vendor/bin/hw/android\.hardware\.drm@1\.0-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.vibrator@1\.1-service.crosshatch u:object_r:hal_vibrator_default_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:vendor_hal_keymaster_qti_exec:s0
/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:vendor_hal_gatekeeper_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:vendor_hal_gnss_qti_exec:s0
/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service-lazy.widevine u:object_r:vendor_hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator@1\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.allocator-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer@1\.0-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.display\.composer-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.tui_comm@1\.0-service-qti u:object_r:vendor_hal_tui_comm_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qdutils_disp@1\.0-service-qti u:object_r:vendor_hal_qdutils_disp_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.trustedui@1\.0-service-qti u:object_r:vendor_hal_trustedui_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.capabilityconfigstore@1\.0-service u:object_r:vendor_hal_capabilityconfigstore_qti_default_exec:s0
/(vendor|system/vendor)/bin/power_off_alarm u:object_r:vendor_power_off_alarm_exec:s0
/(vendor|system/vendor)/bin/grep u:object_r:vendor_toolbox_exec:s0
/vendor/bin/hw/vendor\.display\.color@1\.0-service u:object_r:vendor_hal_display_color_default_exec:s0
/vendor/bin/hw/vendor\.qti\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
/vendor/bin/hw/hardware\.google\.media\.c2@1\.0-service-software u:object_r:mediacodec_exec:s0
/vendor/bin/feature_enabler_client u:object_r:vendor_feature_enabler_client_exec:s0
/(vendor|system/vendor)/bin/qdcmss u:object_r:vendor_qdcm-ss_exec:s0
###############################################
# same-process HAL files and their dependencies
#
/vendor/lib(64)?/hw/gralloc\.qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@2\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcamxexternalformatutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloccore\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgrallocutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/vulkan\.adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv1_CM_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLESv2_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrmutils\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
# /vendor/app/TimeService/TimeService.apk
/vendor/lib(64)?/libTimeService\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libtime_genoff\.so u:object_r:same_process_hal_file:s0
# hbtp dependencies
/vendor/lib(64)?/libhbtpitsjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpdbgclientjni\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhbtpjni\.so u:object_r:same_process_hal_file:s0
# framework detect libs libvndfwk_detect_jni.qti and libqti_vndfwk_detect
/vendor/lib(64)?/libvndfwk_detect_jni\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti_vndfwk_detect\.so u:object_r:same_process_hal_file:s0
# NPU files
/vendor/lib(64)?/libnpu\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_controller\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhta_hexagon_runtime\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/unnhal-acc-hta\.so u:object_r:same_process_hal_file:s0
# RenderScript dependencies.
# To test: run cts -m CtsRenderscriptTestCases
/vendor/lib(64)?/libRSDriver_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libCB\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qgl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libbccQTI\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libllvm-qcom\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/librs_adreno_sha1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqti-perfd-client\.so u:object_r:same_process_hal_file:s0
# TODO(b/36895509): remove the following 2 lines once this bug is resolved
# needed by radio
/vendor/lib(64)?/libimsmedia_jni\.so u:object_r:same_process_hal_file:s0
# libGLESv2_adreno depends on this
/vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
# libOpenCL and its dependencies
/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libq3dtools_adreno\.so u:object_r:same_process_hal_file:s0
# Loaded by native loader (zygote) for all processes
/vendor/lib(64)?/libadsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libcdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libsdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmdsprpc\.so u:object_r:same_process_hal_file:s0
/vendor/lib/dsp/fastrpc_shell_0 u:object_r:same_process_hal_file:s0
# Fastcv libs
/vendor/lib(64)?/libfastcvdsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvadsp_stub\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libfastcvopt\.so u:object_r:same_process_hal_file:s0
# data files
/data/vendor/netmgr(/.*)? u:object_r:vendor_netmgr_data_file:s0
/data/vendor/netmgr/recovery(/.*)? u:object_r:vendor_netmgr_recovery_data_file:s0
/data/vendor/qmipriod(/.*)? u:object_r:vendor_qmipriod_data_file:s0
/data/vendor/shsusr(/.*)? u:object_r:vendor_shsusr_data_file:s0
/data/vendor/location(/.*)? u:object_r:vendor_location_data_file:s0
/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
/data/vendor/display(/.*)? u:object_r:vendor_display_vendor_data_file:s0
/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0
/data/vendor/radio(/.*)? u:object_r:vendor_radio_vendor_data_file:s0
/data/vendor/wifi/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_log_data_file:s0
/data/vendor/ramdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/ssrdump(/.*)? u:object_r:vendor_ramdump_vendor_data_file:s0
/data/vendor/modem_dump(/.*)? u:object_r:vendor_modem_dump_file:s0
/data/vendor/ipa(/.*)? u:object_r:vendor_ipa_vendor_data_file:s0
/data/vendor/sensors(/.*)? u:object_r:vendor_sensors_vendor_data_file:s0
/data/vendor/port_bridge(/.*)? u:object_r:vendor_port_bridge_data_file:s0
/data/vendor/tloc(/.*)? u:object_r:vendor_tlocd_data_file:s0
/data/vendor/connectivity(/.*)? u:object_r:vendor_cnd_data_file:s0
/data/vendor/misc/qsee(/.*)? u:object_r:vendor_data_qsee_file:s0
/data/vendor/tui(/.*)? u:object_r:vendor_tui_data_file:s0
/data/vendor/tzstorage(/.*)? u:object_r:vendor_data_tzstorage_file:s0
/data/vendor/tombstones(/.*)? u:object_r:vendor_tombstone_data_file:s0
/data/vendor/time(/.*)? u:object_r:vendor_time_data_file:s0
/data/vendor/mdmhelperdata(/.*)? u:object_r:vendor_mdmhelperdata_data_file:s0
/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
# audio_data_file
/data/vendor/audio(/.*)? u:object_r:vendor_audio_data_file:s0
# /
/tombstones u:object_r:rootfs:s0
/vendor/dsp(/.*)? u:object_r:adsprpcd_file:s0
/vendor/vm-system(/.*)? u:object_r:vendor_vm_system_file:s0
# /persist
/mnt/vendor/persist/data(/.*)? u:object_r:vendor_persist_data_file:s0
/mnt/vendor/persist/display(/.*)? u:object_r:vendor_persist_display_file:s0
/mnt/vendor/persist/drm(/.*)? u:object_r:vendor_persist_drm_file:s0
/mnt/vendor/persist/elabel(/.*)? u:object_r:vendor_persist_elabel_file:s0
/mnt/vendor/persist/haptics(/.*)? u:object_r:vendor_persist_haptics_file:s0
/mnt/vendor/persist/hlos_rfs(/.*)? u:object_r:vendor_persist_rfs_shared_hlos_file:s0
/mnt/vendor/persist/rfs(/.*)? u:object_r:vendor_persist_rfs_file:s0
/mnt/vendor/persist/sensors(/.*)? u:object_r:vendor_persist_sensors_file:s0
/mnt/vendor/persist/time(/.*)? u:object_r:vendor_persist_time_file:s0
/mnt/vendor/persist/audio(/.*)? u:object_r:vendor_persist_audio_file:s0
/mnt/vendor/persist/feature_enabler_client(/.*)? u:object_r:vendor_persist_feature_enabler_file:s0
# graphics device
/dev/mdss_rotator u:object_r:graphics_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/dri/controlD64 u:object_r:graphics_device:s0
/dev/dri/renderD128 u:object_r:graphics_device:s0
#TODO: move this to genfs_context or target based file_context
# sysfs_leds
/sys/devices/platform/soc/[a-f0-9]+.qcom,spmi/spmi-0/spmi0-0[0-9]/[a-f0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,haptics@c000/leds/vibrator(/.*)? u:object_r:sysfs_leds:s0
# vendor_sysfs_devfreq
/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:vendor_sysfs_devfreq:s0
#vendor_sysfs_data
/sys/devices/virtual/xt_hardidletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
/sys/devices/virtual/xt_idletimer/timers(/.*)? u:object_r:vendor_sysfs_data:s0
#persist_bluetooth_file
/mnt/vendor/persist/bluetooth(/.*)? u:object_r:vendor_persist_bluetooth_file:s0
#power off alarm file
/mnt/vendor/persist/alarm(/.*)? u:object_r:vendor_persist_alarm_file:s0
/(vendor|system/vendor)/bin/hbtp_daemon u:object_r:vendor_hbtp_exec:s0
/(vendor|system/vendor)/bin/sscrpcd u:object_r:vendor_sensors_exec:s0
# vendor_sysfs_graphics
/sys/class/graphics/fb0/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_time u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/product_description u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vendor_name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hpd u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/res_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_type u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_split u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/show_blank_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hist_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/vsync_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/lineptr_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_notify u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_thermal_level u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/name u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/connected u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/scan_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*) u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/packpattern u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/dyn_pu u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/graphics/fb([0-3])+/pp_bl_event u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/rotator/mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/hdcp/msm_hdcp/min_level_change u:object_r:vendor_sysfs_graphics:s0
/sys/class/lcd_bias/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/class/leds/wled/secure_mode u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/vfb.([0-3])+/graphics/fb([0-3])+/mode u:object_r:vendor_sysfs_graphics:s0
/sys/module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/modes u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/[a-f0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/status u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/class/graphics/fb([0-3])+/ad u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[0-9a-f]+.qcom,spmi/spmi-[0-9]+/spmi[0-9]+-[0-9]+/[0-9a-f]+.qcom,spmi:qcom,pmi[0-9]+@[0-9]+:qcom,leds@[a-f0-9]+(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/virtual/switch/hdmi(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/[a-f0-9]+.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/qcom,mdss_fb_primary.+[a-f0-9]/leds/lcd-backlight(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/bw_mode_bitmap u:object_r:vendor_sysfs_graphics:s0
/sys/devices/soc.0/[a-f0-9]+.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_cam/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,mdss_rotator/caps u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,vidc/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,cci/[a-f0-9]+.qcom,cci:qcom,camera@[0-2]/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_graphics:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:vendor_sysfs_mmc_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)? u:object_r:vendor_sysfs_scsi_host:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:vendor_sysfs_scsi_target:s0
/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:vendor_mediadrm_vendor_data_file:s0
/data/vendor/nnhal(/.*)? u:object_r:vendor_hal_neuralnetworks_data_file:s0
# Moved to target specfic folder so removing this from common file
#/sys/devices(/platform)?/soc/[a-f0-9\.:]+,[a-f0-9\-\_]+/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:vendor_sysfs_kgsl:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpu_model u:object_r:vendor_sysfs_kgsl_gpu_model:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk u:object_r:vendor_sysfs_kgsl_gpuclk:s0
/sys/devices/soc/[a-f0-9]+.ssusb/power_supply/usb(/.*)? u:object_r:vendor_sysfs_usb_supply:s0
/data/(misc|vendor)/hbtp(/.*)? u:object_r:vendor_hbtp_log_file:s0
/vendor/etc/hbtp/* u:object_r:vendor_hbtp_cfg_file:s0
/sys/devices/soc/qpnp-vadc-[0-9]+(/.*)? u:object_r:vendor_sysfs_vadc_dev:s0
#Android NN Driver
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:vendor_hal_neuralnetworks_default_exec:s0
/(vendor|system/vendor)/bin/init\.class_main\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.crda\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.mdm\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.class_core\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.coex\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.crashdata\.sh u:object_r:vendor_init-qcom-crashdata-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm660\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm670\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.early_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.efs\.sync\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.dcvs\.sh u:object_r:vendor_init-qti-dcvs-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sdio\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.sensors\.sh u:object_r:vendor_init-qcom-sensors-sh_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.syspart_fixup\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.usb\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qcom\.wifi\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.ims\.sh u:object_r:vendor_init-qti-ims-sh_exec:s0
/(vendor|system/vendor)/bin/qca6234-service.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.kernel\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.kernel\.post_boot\.sh u:object_r:vendor_qti_init_shell_exec:s0
/(vendor|system/vendor)/bin/init\.qti\.qcv\.sh u:object_r:vendor_qti_init_shell_exec:s0
#Limits sysfs node
/sys/module/msm_isense_cdsp/data u:object_r:sysfs_thermal:s0
/(vendor|system/vendor)/bin/vendor_modprobe\.sh u:object_r:vendor_modinstall-sh_exec:s0
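Review bot: Several patterns in this removed file_contexts use shell-glob syntax where an anchored regex is required, so if the 487 lines are being relocated rather than dropped they should be corrected on the way instead of copied verbatim. `/dev/cvp*` matches only `/dev/cv` followed by zero or more `p`, `/vendor/etc/hbtp/*` matches only the directory path followed by zero or more slashes, and `video[0-33]` is the character class `[0-3]`, so video4 and above never receive the label. Suggested forms are `/dev/cvp.*`, `/vendor/etc/hbtp(/.*)?` and `video[0-9]+`. The `hdcp2p2(/.*)`, `cec(/.*)` and `msmfb_b10(/.*)` entries are also missing the trailing `?` that the neighbouring lines use, so the directory node itself is left unlabelled, and entries such as `-service.crosshatch`, `sensors.qcom` and `qca6234-service.sh` leave the dot unescaped where the rest of the file writes `\.`.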


@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow fsck vendor_persist_block_device:blk_file rw_file_perms;

View File

@@ -1,144 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
genfscon proc /debug/fwdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /debugdriver/driverdump u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /ath_pktlog/cld u:object_r:vendor_proc_wifi_dbg:s0
genfscon proc /shs u:object_r:vendor_proc_shs:s0
genfscon sysfs /android_touch u:object_r:vendor_sysfs_touch:s0
genfscon sysfs /devices/virtual/input/ftm4_touch u:object_r:vendor_sysfs_touch:s0
#genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /kernel/irq_helper/irq_blacklist_on u:object_r:vendor_sysfs_irqbalance:s0
genfscon sysfs /kernel/wcd_cpe0 u:object_r:vendor_sysfs_audio:s0
genfscon sysfs /class/uio u:object_r:sysfs_uio:s0
genfscon sysfs /devices/soc/soc:bt_wcn3990 u:object_r:sysfs_bluetooth_writable:s0
genfscon sysfs /class/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,l3-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/soc:qcom,llccbw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu2/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,memlat-cpu6/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/soc/soc:qcom,mincpubw/devfreq u:object_r:vendor_sysfs_devfreq:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom.qcom,mdss_mdp/caps u:object_r:vendor_sysfs_mdss_mdp_caps:s0
genfscon sysfs /devices/platform/soc/c17a000.i2c/i2c-6/6-005a/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/c1b5000.i2c/i2c-7/7-0030/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds u:object_r:sysfs_leds:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000 u:object_r:vendor_sysfs_data:s0
genfscon sysfs /devices/platform/soc/0.qcom,rmtfs_sharedmem/uio u:object_r:vendor_sysfs_uio_file:s0
genfscon sysfs /devices/platform/soc/soc:fp_fpc1020 u:object_r:vendor_sysfs_fingerprint:s0
genfscon sysfs /devices/virtual/wahoo_laser u:object_r:vendor_sysfs_laser:s0
genfscon sysfs /module/cpu_boost u:object_r:vendor_sysfs_cpu_boost:s0
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /class/lcd_bias u:object_r:vendor_sysfs_lcd:s0
genfscon sysfs /module/msm_thermal u:object_r:sysfs_thermal:s0
genfscon sysfs /devices/platform/battery_current_limit u:object_r:sysfs_thermal:s0
genfscon sysfs /module/diagchar/parameters/timestamp_switch u:object_r:vendor_sysfs_timestamp_switch:s0
genfscon sysfs /module/msm_performance u:object_r:vendor_sysfs_msm_perf:s0
genfscon sysfs /module/lpm_levels u:object_r:vendor_sysfs_msm_power:s0
genfscon sysfs /module/lpm_stats u:object_r:vendor_sysfs_msm_stats:s0
genfscon sysfs /devices/virtual/graphics/fb0 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/virtual/graphics/fb1 u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /devices/soc/8c0000.qcom,msm-cam u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc0 u:object_r:vendor_sysfs_soc:s0
genfscon sysfs /devices/soc/caa0000.qcom,jpeg u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/caa4000.qcom,fd u:object_r:vendor_sysfs_camera:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qpnp,fg/power_supply/bms/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/battery/capacity u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /bus/msm_subsys u:object_r:vendor_sysfs_ssr:s0
genfscon sysfs /module/subsystem_restart u:object_r:vendor_sysfs_msm_subsys_restart:s0
genfscon sysfs /kernel/boot_adsp/boot u:object_r:vendor_sysfs_boot_adsp:s0
genfscon sysfs /kernel/boot_slpi u:object_r:vendor_sysfs_slpi:s0
genfscon sysfs /devices/soc/c1b7000.i2c/i2c-9/9-0008 u:object_r:vendor_sysfs_easel:s0
genfscon sysfs /class/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /class/typec/usbc0 u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb1 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/a800000.ssusb/a800000.dwc3/xhci-hcd.0.auto/usb2 u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a600000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/platform/soc/a800000.ssusb/mode u:object_r:vendor_sysfs_usb_device:s0
genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-02/800f000.qcom,spmi:qcom,pmi8998@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:vendor_sysfs_usb_c:s0
genfscon sysfs /module/diagchar u:object_r:vendor_sysfs_diag:s0
genfscon sysfs /devices/virtual/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /class/kgsl u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/kgsl/kgsl/proc u:object_r:vendor_sysfs_kgsl_proc:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-events/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/cpumask u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /devices/virtual/workqueue/kgsl-workqueue/nice u:object_r:vendor_sysfs_kgsl:s0
genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:vendor_sysfs_graphics:s0
genfscon sysfs /class/sensors u:object_r:vendor_sysfs_sensors:s0
genfscon sysfs /bus/esoc u:object_r:vendor_sysfs_esoc:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_enable u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/soc/soc:hbtp/secure_touch_userspace u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /kernel/hbtp/display_pwr u:object_r:vendor_hbtp_kernel_sysfs:s0
genfscon sysfs /devices/virtual/net/bond0/bonding/queue_id u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /devices/virtual/net/bond0/queues/rx-0/rps_cpus u:object_r:vendor_sysfs_bond0:s0
genfscon sysfs /firmware/devicetree/base/cpus u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /bus/spmi/devices u:object_r:vendor_sysfs_spmi_dev:s0
genfscon sysfs /power/mem_sleep u:object_r:vendor_sysfs_suspend:s0
genfscon sysfs /kernel/boot_adsp/ssr u:object_r:vendor_sysfs_adsp_ssr:s0
genfscon debugfs /kgsl/proc u:object_r:vendor_debugfs_kgsl:s0
genfscon debugfs /clk/debug_suspend u:object_r:vendor_debugfs_clk:s0
genfscon debugfs /wlan0 u:object_r:vendor_debugfs_wlan:s0
genfscon debugfs /rpm_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /rpm_master_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /ion u:object_r:vendor_debugfs_ion:s0
genfscon debugfs /ipc_logging u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /system_stats u:object_r:vendor_debugfs_rpm:s0
genfscon debugfs /tcpm/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /pd_engine/usbpd0 u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /ipc_logging/smblib/log u:object_r:vendor_debugfs_usb:s0
genfscon debugfs /msm_ipc_router u:object_r:vendor_debugfs_ipc:s0
genfscon debugfs /mdp u:object_r:vendor_debugfs_mdp:s0
genfscon debugfs /rmt_storage u:object_r:vendor_debugfs_rmt_storage:s0
genfscon debugfs /icnss u:object_r:vendor_debugfs_icnss:s0
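
Review bot: the mdss_mdp caps entry spells the device as "ae00000.qcom.qcom,mdss_mdp" while the leds entry three lines below it uses "ae00000.qcom,mdss_mdp"; one of the two is probably a typo, and a genfscon path that does not match the real sysfs node silently leaves it with the default sysfs label. Check both against the device before these entries are carried to whatever replaces this file (the header "-1,144 +0,0" removes it whole). Also, /class/typec/usbc0 carries the same label as /class/typec; genfscon matches by path prefix, so the second entry adds nothing. The commented-out rfkill line can go too.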

View File

@@ -1,36 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_alarm_qti_default, domain;
hal_server_domain(vendor_hal_alarm_qti_default, vendor_hal_alarm_qti)
type vendor_hal_alarm_qti_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_alarm_qti_default)
allow vendor_hal_alarm_qti_default rtc_device:chr_file r_file_perms;
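
Review bot: this removal drops the declarations of vendor_hal_alarm_qti_default and vendor_hal_alarm_qti_default_exec, so any file_contexts entry or rule elsewhere that still names either type will fail the policy build. Please confirm in the same change that every remaining reference is removed or that the declarations have moved with the rtc_device rule.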

View File

@@ -1,30 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
binder_call(vendor_atfwd, vendor_qtelephony);
allow vendor_atfwd vendor_hal_atfwd_hwservice:hwservice_manager find;

View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
userdebug_or_eng(`
allow hal_audio vendor_diag_device:chr_file rw_file_perms;
allow hal_audio_default debugfs:dir r_dir_perms;
')
hal_client_domain(hal_audio_default, vendor_hal_perf)
hal_client_domain(hal_audio_default, hal_power)
# read-only permission to obtain the calibration data
r_dir_file(hal_audio_default, vendor_persist_audio_file);
allow hal_audio_default mnt_vendor_file:dir search;
#Allow access to firmware
allow hal_audio firmware_file:dir r_dir_perms;
allow hal_audio firmware_file:file r_file_perms;
# Allow hal_audio to read soundcard state under /proc/asound
allow hal_audio vendor_proc_audiod:file r_file_perms;
allow hal_audio_default vendor_audio_data_file:dir rw_dir_perms;
allow hal_audio_default vendor_audio_data_file:file create_file_perms;
#Allow hal audio to use Binder IPC
vndbinder_use(hal_audio)
#allow acess to wcd_cpe
allow hal_audio vendor_sysfs_audio:file rw_file_perms;
allow hal_audio vendor_sysfs_audio:dir r_dir_perms ;
# audio properties
get_prop(hal_audio, vendor_audio_prop)
#to read bluetooth prop
get_prop(hal_audio, vendor_bluetooth_prop)
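
Review bot: several rules in this file are granted to the hal_audio attribute rather than to hal_audio_default, for example "allow hal_audio vendor_diag_device:chr_file rw_file_perms;" and "allow hal_audio vendor_sysfs_audio:file rw_file_perms;". Every domain that carries the attribute inherits them, which is wider than the default HAL service the other rules target. If these rules are being relocated rather than dropped, scope them to hal_audio_default unless the wider grant is intended, and say so in a comment. The diag rule at least sits inside userdebug_or_eng; the sysfs write does not.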

View File

@@ -1,61 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_bluetooth_default vendor_bt_device:chr_file rw_file_perms;
# talk to system_server to set priority
allow hal_bluetooth fwk_scheduler_hwservice:hwservice_manager find;
allow hal_bluetooth system_server:binder call;
# bluetooth properties
set_prop(hal_bluetooth, vendor_bluetooth_prop)
#For bluetooth firmware
r_dir_file(hal_bluetooth_default, bt_firmware_file)
allow hal_bluetooth_default vendor_persist_bluetooth_file:dir rw_dir_perms;
allow hal_bluetooth_default vendor_persist_bluetooth_file:file create_file_perms;
#For QMI socket
allow hal_bluetooth_default self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
userdebug_or_eng(`
diag_use(hal_bluetooth)
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:file create_file_perms;
allow hal_bluetooth_default vendor_ramdump_vendor_data_file:dir create_dir_perms;
allow hal_bluetooth_default proc_sysrq:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:file rw_file_perms;
allow hal_bluetooth_default vendor_debugfs_ipc:dir rw_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:dir ra_dir_perms;
allow hal_bluetooth_default vendor_bt_data_file:file create_file_perms;
allow hal_bluetooth_default self:{ socket } create_socket_perms_no_ioctl;
')
r_dir_file(hal_bluetooth_default, mnt_vendor_file)
# Access lbsoc_helper to bluetooth
use_libsoc_helper(hal_bluetooth_default)
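
Review bot: inside the userdebug_or_eng block, "allow hal_bluetooth_default proc_sysrq:file rw_file_perms;" and "allow hal_bluetooth_default self:{ socket } create_socket_perms_no_ioctl;" have no comment saying why the Bluetooth HAL needs sysrq write access or a generic socket, unlike the qipcrtr_socket rule above, which is commented "For QMI socket". If the file is moving rather than going away, keep both rules behind the userdebug_or_eng guard and document the reason next to each. The last comment also has a typo, "lbsoc_helper" for "libsoc_helper".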

View File

@@ -1,75 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# These are the permissions required to use the boot_control HAL implemented
# here: hardware/qcom/bootctrl/boot_control.c
# Getting and setting GPT attributes for the bootloader iterates over all the
# partition names in the block_device directory /dev/block/.../by-name
allow hal_bootctl block_device:dir r_dir_perms;
#Opening /dev directory from bootctl to query /dev/ufs-bsg* filename
allow hal_bootctl device:dir r_dir_perms;
# Edit the attributes stored in the GPT.
allow hal_bootctl vendor_gpt_block_device:blk_file rw_file_perms;
allow hal_bootctl root_block_device:blk_file rw_file_perms;
# Allow boot_control_hal to get attributes on all the A/B partitions.
allow hal_bootctl boot_block_device:blk_file rw_file_perms;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_xbl_block_device:blk_file getattr;
allow hal_bootctl vendor_modem_block_device:blk_file getattr;
allow hal_bootctl system_block_device:blk_file getattr;
allow hal_bootctl vendor_custom_ab_block_device:blk_file getattr;
allow hal_bootctl vendor_ab_block_device:blk_file getattr;
allow hal_bootctl recovery_block_device:blk_file getattr;
allow hal_bootctl vendor_mdtp_device:blk_file getattr;
allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
# Access /dev/sgN or /dev/ufs-bsg* devices (generic SCSI) to write the
# A/B slot selection for the XBL partition. Allow also to issue a
# UFS_IOCTL_QUERY or SG_IO ioctl.
allow hal_bootctl vendor_sg_device:chr_file rw_file_perms;
allow hal_bootctl vendor_bsg_device:chr_file rw_file_perms;
# The sys_rawio denial message is benign, and shows up due to a capability()
# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
# does not result in a error
dontaudit hal_bootctl self:capability sys_rawio;
#scsi driver does a capability check (CAP_SYS_RAWIO) when bootctl does
# an ioctl to /dev/ufs-bsg .Adding this rule to avoid ioctl error.
allow hal_bootctl_server self:capability { sys_rawio };
# Read the sysfs to lookup what /dev/sgN device
# corresponds to the XBL partitions.
allow hal_bootctl vendor_sysfs_scsi_target:dir r_dir_perms;
# Write to the XBL devices.
allow hal_bootctl vendor_xbl_block_device:blk_file rw_file_perms;
# Read dir permission for dt_firmware
allow hal_bootctl sysfs_dt_firmware_android:dir r_dir_perms;
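
Review bot: the two sys_rawio rules near the end contradict each other. "dontaudit hal_bootctl self:capability sys_rawio;" is commented as a benign denial that causes no error, and the very next rule, "allow hal_bootctl_server self:capability { sys_rawio };", is commented as needed to avoid an ioctl error. Only one of these can be right for a given build; wherever the rules end up after this file is removed (header "-1,75 +0,0"), keep the one that matches observed behaviour and delete the other comment. Two smaller points: "allow hal_bootctl vendor_ab_block_device:blk_file getattr;" appears twice, and vendor_xbl_block_device gets getattr and later rw_file_perms, which already includes it.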

View File

@@ -1,70 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# This is needed to get priority for Camera process
allow hal_camera self:capability sys_nice;
# This is mandatory to open Camera Service
hal_client_domain(hal_camera_default, hal_graphics_allocator)
# This is needed to get performance boost
hal_client_domain(hal_camera_default, vendor_hal_perf)
set_prop(hal_camera, vendor_camera_prop)
# ignore spurious denial
dontaudit hal_camera graphics_device:dir search;
allow hal_camera vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera vendor_camera_data_file:file create_file_perms;
unix_socket_connect(hal_camera, vendor_thermal, vendor_thermal-engine)
userdebug_or_eng(`
allow hal_camera vendor_diag_device:chr_file rw_file_perms;
')
# access hexagon
allow hal_camera vendor_qdsp_device:chr_file r_file_perms;
#Allow camera to access synx device
allow hal_camera vendor_synx_device:chr_file rw_file_perms;
#needed for full_treble
hal_client_domain(hal_camera_default, hal_graphics_composer)
r_dir_file(hal_camera_default, vendor_sysfs_graphics)
#allow camera to access /dsp
r_dir_file(hal_camera, adsprpcd_file);
#allow camera to access adsprpc_prop
get_prop(hal_camera, vendor_adsprpc_prop)
# This is needed to access GPU
allow hal_camera_default gpu_device:chr_file rw_file_perms;
# Postproc Service
hal_attribute_hwservice(hal_camera, vendor_hal_camera_postproc_hwservice);
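
Review bot: "dontaudit hal_camera graphics_device:dir search;" is justified only by "ignore spurious denial", with no note of which access triggers it. A dontaudit on the hal_camera attribute hides that denial for every camera HAL implementation, so a later real failure on graphics_device would leave no avc log. If this rule is kept anywhere after the file is removed, record the triggering call in the comment and scope it to hal_camera_default. The same scoping question applies to "allow hal_camera self:capability sys_nice;".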

View File

@@ -1,29 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow context hub HAL to communicate with daemon via socket
unix_socket_connect(hal_contexthub, vendor_chre, vendor_chre)

View File

@@ -1,56 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Define domain
type vendor_hal_display_color_default, domain;
hal_server_domain(vendor_hal_display_color_default, vendor_hal_display_color)
type vendor_hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_display_color_default)
# Allow hwbinder call from hal client to server
binder_call(vendor_hal_display_color_client, vendor_hal_display_color_server)
binder_call(platform_app, vendor_hal_display_color_server)
# Add hwservice related rules
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_color_hwservice)
allow vendor_hal_display_color_client vendor_hal_display_color_hwservice:hwservice_manager find;
allow platform_app vendor_hal_display_color_hwservice:hwservice_manager find;
# Rule for display color to access graphics composer process
unix_socket_connect(vendor_hal_display_color, vendor_pps, hal_graphics_composer_default);
# Rule for vndbinder usage
allow vendor_hal_display_color vendor_qdisplay_service:service_manager find;
vndbinder_use(vendor_hal_display_color);
binder_call(vendor_hal_display_color, hal_graphics_composer)
#Add rules for postproc hal
add_hwservice(vendor_hal_display_color_server, vendor_hal_display_postproc_hwservice)
allow vendor_hal_display_postproc_client vendor_hal_display_postproc_hwservice:hwservice_manager find;
# Set vendor_qdcmss property
set_prop(vendor_hal_display_color, vendor_qdcmss_prop);
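
Review bot: "binder_call(platform_app, vendor_hal_display_color_server)" together with "allow platform_app vendor_hal_display_color_hwservice:hwservice_manager find;" opens this vendor HAL to every app running in the platform_app domain, not to a specific client. Neither line has a comment naming the app that needs it. If the rules are being moved rather than dropped, prefer a dedicated client domain or the existing vendor_hal_display_color_client attribute, and check that no platform app still depends on the access once this file is gone.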

View File

@@ -1,49 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# define SELinux domain
type vendor_hal_drm_widevine, domain;
hal_server_domain(vendor_hal_drm_widevine, hal_drm)
type vendor_hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_drm_widevine)
allow vendor_hal_drm_widevine mediacodec:fd use;
allow vendor_hal_drm_widevine { appdomain -isolated_app }:fd use;
allow vendor_hal_drm_widevine vendor_qce_device:chr_file rw_file_perms;
#Allow access to smcinvoke device
allow vendor_hal_drm_widevine vendor_smcinvoke_device:chr_file rw_file_perms;
# The QTI DRM-HAL implementation uses a vendor-binder service provided
# by the HWC HAL.
vndbinder_use(vendor_hal_drm_widevine);
allow vendor_hal_drm_widevine vendor_qdisplay_service:service_manager { find };
#binder_call(vendor_hal_drm_widevine, hal_graphics_composer)
hal_client_domain(vendor_hal_drm_widevine, hal_graphics_composer);
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:dir create_dir_perms;
allow vendor_hal_drm_widevine vendor_mediadrm_vendor_data_file:file create_file_perms;
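
Review bot: the whole-file removal (`-1,49 +0,0`) also drops the `type vendor_hal_drm_widevine` and `type vendor_hal_drm_widevine_exec` declarations, so any file_contexts entry or rule elsewhere that still names either type has to be removed or re-homed in the same change, otherwise the policy will not compile. If these rules are carried into a replacement file, resolve the commented-out `#binder_call(vendor_hal_drm_widevine, hal_graphics_composer)` that sits next to `hal_client_domain(vendor_hal_drm_widevine, hal_graphics_composer);` instead of copying both, and keep the `vendor_qce_device` and `vendor_smcinvoke_device` grants limited to this one domain.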


@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_gatekeeper_qti, domain;
hal_server_domain(vendor_hal_gatekeeper_qti, hal_gatekeeper)
type vendor_hal_gatekeeper_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gatekeeper_qti)
dontaudit vendor_hal_gatekeeper_qti firmware_file:dir search;
get_prop(vendor_hal_gatekeeper_qti, vendor_tee_listener_prop)
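
Review bot: `dontaudit vendor_hal_gatekeeper_qti firmware_file:dir search;` carries no comment saying which lookup it silences, and a dontaudit on the gatekeeper domain hides denials that should stay visible during bring-up. If the rule is carried over to a replacement policy, add a one-line rationale the way the GNSS policy on this page does for its `udp_socket` dontaudit, or drop it and check whether the denial still shows up in the audit log.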


@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_hal_gnss_qti.te - generic sepolicy rules for vendor_location hidl
type vendor_hal_gnss_qti, domain;
hal_server_domain(vendor_hal_gnss_qti, hal_gnss)
type vendor_hal_gnss_qti_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_gnss_qti)
# vendor binder
use_vendor_per_mgr(vendor_hal_gnss_qti)
# /data/vendor/vendor_location
allow vendor_hal_gnss_qti vendor_location_data_file:fifo_file { open read setattr write };
allow vendor_hal_gnss_qti vendor_location_data_file:dir create_dir_perms;
allow vendor_hal_gnss_qti vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_hal_gnss_qti vendor_location_socket:sock_file create_file_perms;
allow vendor_hal_gnss_qti vendor_location_socket:dir rw_dir_perms;
allow vendor_hal_gnss_qti vendor_location:unix_stream_socket connectto;
allow vendor_hal_gnss_qti vendor_location:unix_dgram_socket sendto;
# Allow Gnss HAL to get updates from health hal
hal_client_domain(vendor_hal_gnss_qti, hal_health)
# Most HALs are not allowed to use network sockets. QTI library
# libqdi is used across multiple processes which are clients of
# netmgrd including the GNSS HAL. libqdi first attempts to get the network
# interface using an IOCTL on a UDP INET socket, which isn't allowed here.
# If that fails, it falls back to using libc's if_nameindex() which requires
# a netlink route socket, which HALs may use. Due to the initial
# attempt to use a UDP socket, we still see a selinux denial,
# but it is safe to ignore.
# TODO (b/37730994) Remove udp_socket requirement from
# libqdi and have all its clients use netlink route
# sockets.
dontaudit vendor_hal_gnss_qti self:udp_socket create;
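
Review bot: the closing `dontaudit vendor_hal_gnss_qti self:udp_socket create;` exists only because of the libqdi behaviour described in the comment block above it, which ends in `TODO (b/37730994)`. With the file removed, make sure the rule and its comment move together to wherever the GNSS HAL policy now lives, and re-check whether libqdi still attempts the UDP socket so the suppression does not outlive its cause.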


@@ -1,91 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Binder access (for display.qservice)
vndbinder_use(hal_graphics_composer_default)
hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
allow hal_graphics_composer_default vendor_qdisplay_service:service_manager { add find };
allow hal_graphics_composer_default vendor_persist_display_file:dir search;
allow hal_graphics_composer_default vendor_persist_display_file:file r_file_perms;
# Allow reading/writing to '/mnt/vendor/persist/display/*'
allow hal_graphics_composer_default vendor_persist_display_file:dir rw_dir_perms;
allow hal_graphics_composer_default vendor_persist_display_file:file create_file_perms;
allow hal_graphics_composer vendor_sysfs_graphics:dir r_dir_perms;
allow hal_graphics_composer vendor_sysfs_graphics:file rw_file_perms;
allow hal_graphics_composer_default mnt_vendor_file:dir search;
allow hal_graphics_composer oemfs:dir r_dir_perms;
get_prop(hal_graphics_composer, vendor_display_prop)
allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
r_dir_file(hal_graphics_composer_default, sysfs_leds)
# TODO(b/37666508): Remove the following line upon resolution of the bug
allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
# HWC_UeventThread
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Allow ion_device read/write permission
allow hal_graphics_composer_default ion_device:chr_file rw_file_perms;
# Access /sys/devices/virtual/graphics/fb0
r_dir_file(hal_graphics_composer_default, sysfs_type)
# Allow reading/writing to '/data/vendor/display/*'
allow hal_graphics_composer_default vendor_display_vendor_data_file:dir create_dir_perms;
allow hal_graphics_composer_default vendor_display_vendor_data_file:file create_file_perms;
userdebug_or_eng(`
allow hal_graphics_composer_default vendor_debugfs_mdp:dir r_dir_perms;
allow hal_graphics_composer_default vendor_debugfs_mdp:file r_file_perms;
')
userdebug_or_eng(`
# Allow read to /sys/kernel/debug/*
allow hal_graphics_composer vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer vendor_qti_display_debugfs:file r_file_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:dir r_dir_perms;
allow hal_graphics_composer_default vendor_qti_display_debugfs:file r_file_perms;
')
# Allow sensor service access
allow hal_graphics_composer fwk_sensor_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer, system_server)
# allow composer to register display config
add_hwservice(hal_graphics_composer_server, vendor_hal_display_config_hwservice);
# allow composer client to find display config service.
allow hal_graphics_composer_client vendor_hal_display_config_hwservice:hwservice_manager find;
# Allow qdcmss socket access
unix_socket_connect(hal_graphics_composer_default, vendor_qdcmsocket, vendor_qdcm-ss)
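
Review bot: `r_dir_file(hal_graphics_composer_default, sysfs_type)` grants read on every type that carries the `sysfs_type` attribute, while the comment above it names only /sys/devices/virtual/graphics/fb0. If these rules are re-homed, narrow that line to the label of the fb0 node (the file already uses `vendor_sysfs_graphics` for the composer) rather than copying it as is. The `vendor_persist_display_file:dir search` and `:file r_file_perms` rules near the top are also subsumed by the `rw_dir_perms` and `create_file_perms` rules two lines later and can be dropped.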


@@ -1,36 +0,0 @@
# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_health, vendor_sysfs_battery_supply);
r_dir_file(hal_health, vendor_sysfs_usb_supply);
allow hal_health hal_health_default:dir search;
allow hal_health {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;
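
Review bot: the final `allow hal_health { vendor_sysfs_battery_supply vendor_sysfs_usb_supply }:file rw_file_perms;` block hands out write access through the `hal_health` attribute rather than to one implementing domain, and no comment says which power-supply nodes need writing. The two `r_dir_file(hal_health, ...)` lines at the top already cover the read half, so if this is carried over, reduce the block to the write permissions actually required and attach it to the implementing domain with a short rationale.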


@@ -1,52 +0,0 @@
# Copyright (c) 2018,2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#vendor_ims rtp service
type vendor_hal_imsrtp, domain;
type vendor_hal_imsrtp_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_imsrtp)
net_domain(vendor_hal_imsrtp)
hwbinder_use(vendor_hal_imsrtp)
get_prop(vendor_hal_imsrtp, hwservicemanager_prop)
add_hwservice(vendor_hal_imsrtp, vendor_hal_imsrtp_hwservice)
allow vendor_hal_imsrtp self: qipcrtr_socket create_socket_perms_no_ioctl;
unix_socket_connect(vendor_hal_imsrtp, vendor_ims, vendor_ims)
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp self:capability net_bind_service;
allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_imsrtp ion_device:chr_file r_file_perms;
allow vendor_hal_imsrtp vendor_sysfs_data:file r_file_perms;
r_dir_file(vendor_hal_imsrtp, vendor_sysfs_diag)
get_prop(vendor_hal_imsrtp, vendor_ims_prop)
binder_call(vendor_hal_imsrtp, vendor_qtelephony)
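
Review bot: `allow vendor_hal_imsrtp vendor_sysfs_timestamp_switch:file r_file_perms;` appears twice, once on each side of the `self:capability net_bind_service` rule; keep a single copy if the file is re-homed. `allow vendor_hal_imsrtp self: qipcrtr_socket create_socket_perms_no_ioctl;` also has a stray space after the colon, which is worth normalising at the same time, and the `net_bind_service` capability deserves a comment naming the port it is needed for.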


@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_light vendor_sysfs_graphics:dir search;
allow hal_light vendor_sysfs_graphics:file rw_file_perms;


@@ -1,47 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_neuralnetworks_default, domain;
hal_server_domain(vendor_hal_neuralnetworks_default, hal_neuralnetworks)
hal_client_domain(vendor_hal_neuralnetworks_default, hal_graphics_allocator)
type vendor_hal_neuralnetworks_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hal_neuralnetworks_default)
allow vendor_hal_neuralnetworks_default fwk_sensor_hwservice:hwservice_manager find;
allow vendor_hal_neuralnetworks_default vendor_qdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default vendor_xdsp_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default ion_device:chr_file r_file_perms;
allow vendor_hal_neuralnetworks_default app_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default shell_data_file:file { read getattr map };
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:dir create_dir_perms;
allow vendor_hal_neuralnetworks_default vendor_hal_neuralnetworks_data_file:{ file fifo_file } create_file_perms;
allow vendor_hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
allow vendor_hal_neuralnetworks_default vendor_npu_device:chr_file r_file_perms;
r_dir_file(vendor_hal_neuralnetworks_default, adsprpcd_file)
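
Review bot: the `app_data_file:file { read getattr map }` and `shell_data_file:file { read getattr map }` rules have no comment, and the fact that they omit `open` is the security-relevant part: the HAL can only use descriptors a client passes to it and cannot open files under those labels by path. If the rules are carried into a replacement policy, say so in a comment so that a later edit does not widen them to `r_file_perms`.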


@@ -1,42 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_qdutils_disp_qti, domain;
hal_server_domain(vendor_hal_qdutils_disp_qti, vendor_hal_qdutils_disp)
type vendor_hal_qdutils_disp_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_qdutils_disp_qti)
binder_call(vendor_hal_qdutils_disp_client, vendor_hal_qdutils_disp_server)
binder_call(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_client)
add_hwservice(vendor_hal_qdutils_disp_server, vendor_hal_qdutils_disp_hwservice)
allow vendor_hal_qdutils_disp_client vendor_hal_qdutils_disp_hwservice:hwservice_manager find;
vndbinder_use(vendor_hal_qdutils_disp_qti);
allow vendor_hal_qdutils_disp_qti vendor_qdisplay_service:service_manager find;
#hal_client_domain(vendor_hal_qdutils_disp_qti, hal_display_config);
hal_client_domain(vendor_hal_qdutils_disp_qti, hal_graphics_composer);


@@ -1,71 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_rcsservice, domain;
type vendor_hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
# Started by init
init_daemon_domain(vendor_hal_rcsservice)
net_domain(vendor_hal_rcsservice)
get_prop(vendor_hal_rcsservice, vendor_ims_prop)
set_prop(vendor_hal_rcsservice, vendor_ims_prop)
# To register imsrcsd to hwBinder
hwbinder_use(vendor_hal_rcsservice)
# add IUceSerive and IService to Hidl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsrcsd_hwservice)
add_hwservice(vendor_hal_rcsservice, vendor_hal_imscallinfo_hwservice)
#add imsfactory to HIDl interface
add_hwservice(vendor_hal_rcsservice, vendor_hal_imsfactory_hwservice)
get_prop(vendor_hal_rcsservice, hwservicemanager_prop)
allow vendor_hal_rcsservice vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_hal_rcsservice vendor_sysfs_data:file r_file_perms;
allow vendor_hal_rcsservice self: { socket qipcrtr_socket } create_socket_perms_no_ioctl;
#required for socket creation
unix_socket_connect(vendor_hal_rcsservice, vendor_ims, vendor_ims)
# imsrcsd to bind with UceShimService.apk
binder_call(vendor_hal_rcsservice, vendor_dataservice_app)
# imsrcsd needs read/write access to devpts
allow vendor_hal_rcsservice devpts:chr_file rw_file_perms;
# allow imsrcsd capabilities
wakelock_use(vendor_hal_rcsservice)
allow vendor_hal_rcsservice self:capability net_bind_service;
allow vendor_hal_rcsservice self:capability2 wake_alarm;
#diag
userdebug_or_eng(`
diag_use(vendor_hal_rcsservice)
binder_call(vendor_hal_rcsservice, radio)
')
set_prop(vendor_hal_rcsservice, vendor_ctl_vendor_imsrcsservice_prop)
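
Review bot: `allow vendor_hal_rcsservice devpts:chr_file rw_file_perms;` is justified only by the comment "imsrcsd needs read/write access to devpts", which does not explain why a daemon started by init needs a pseudo-terminal. Before carrying the rule over, confirm the denial it answers is still reproducible, and drop the rule if it is not. Separately, `get_prop(vendor_hal_rcsservice, vendor_ims_prop)` is redundant next to `set_prop` on the same property, because the `set_prop` macro already includes the read.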


@@ -1,65 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# read factory calibration and sensor configuration data
allow hal_sensors_default mnt_vendor_file:dir search;
r_dir_file(hal_sensors_default, vendor_persist_sensors_file)
get_prop(hal_sensors_default, vendor_sensors_prop)
# Access to tests from userdebug/eng builds
userdebug_or_eng(`
diag_use(hal_sensors_default)
get_prop(hal_sensors_default, vendor_sensors_dbg_prop)
allow hal_sensors_default vendor_sysfs_timestamp_switch:file r_file_perms;
')
allow hal_sensors_default vendor_qdsp_device:chr_file r_file_perms;
allow hal_sensors_default vendor_xdsp_device:chr_file r_file_perms;
allow hal_sensors vendor_sysfs_data:file r_file_perms;
allow hal_sensors vendor_sysfs_sensors:dir r_dir_perms;
allow hal_sensors vendor_sysfs_sensors:file rw_file_perms;
allow hal_sensors vendor_sysfs_sensors:lnk_file read;
#following to set the ssr
allow hal_sensors_default vendor_sysfs_slpi:dir search;
allow hal_sensors_default vendor_sysfs_slpi:file w_file_perms;
allow hal_sensors_default vendor_sysfs_adsp_ssr:file w_file_perms;
allow hal_sensors_default vendor_persist_sensors_file:dir rw_dir_perms;
allow hal_sensors_default vendor_persist_sensors_file:file create_file_perms;
allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms;
allow hal_sensors_default mnt_vendor_file:file create_file_perms;
#interact with the sensors low power island (SLPI) CPU
allow hal_sensors_default self:{ socket qipcrtr_socket } create_socket_perms;
allowxperm hal_sensors_default self:{ socket qipcrtr_socket } ioctl msm_sock_ipc_ioctls;
allow hal_sensors_default system_server:fd use;
hal_client_domain(hal_sensors_default, hal_graphics_allocator)
# allow to read adsprpc related properties
get_prop(hal_sensors_default, vendor_adsprpc_prop)
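
Review bot: `allow hal_sensors_default mnt_vendor_file:dir rw_dir_perms;` and `allow hal_sensors_default mnt_vendor_file:file create_file_perms;` let the sensors HAL create files under the generic `mnt_vendor_file` label, although the two rules just above grant the same permissions on the dedicated `vendor_persist_sensors_file` label and the opening comment speaks only of reading calibration data. If this policy is re-homed, keep the write access on `vendor_persist_sensors_file` and reduce `mnt_vendor_file` to the `dir search` at the top of the file. The `w_file_perms` grants on `vendor_sysfs_slpi` and `vendor_sysfs_adsp_ssr` sit outside the `userdebug_or_eng` block and should get a comment saying why production builds need to trigger SSR.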


@@ -1,28 +0,0 @@
#Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
set_prop(hal_telephony_server, vendor_radio_prop);


@@ -1,40 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_tetheroffload_default vendor_ipa_dev:chr_file rw_file_perms;
allow hal_tetheroffload_default vendor_ipacm_socket:sock_file w_file_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload_default vendor_ipa_vendor_data_file:file create_file_perms;
#add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
#diag
userdebug_or_eng(`
r_dir_file(hal_tetheroffload_default, vendor_sysfs_diag)
allow hal_tetheroffload_default vendor_sysfs_timestamp_switch:file r_file_perms;
')

View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_thermal_default sysfs_thermal:lnk_file read;
allow hal_thermal_default proc_stat:file { getattr open read };

View File

@@ -1,51 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_trustedui_qti, domain;
hal_server_domain(vendor_hal_trustedui_qti, vendor_hal_trustedui)
type vendor_hal_trustedui_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_trustedui_qti)
binder_call(vendor_hal_trustedui_client, vendor_hal_trustedui_server)
binder_call(vendor_hal_trustedui_server, vendor_hal_trustedui_client)
hal_attribute_hwservice(vendor_hal_trustedui, vendor_hal_trustedui_hwservice)
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_allocator);
hal_client_domain(vendor_hal_trustedui_qti, hal_graphics_composer);
hal_client_domain(vendor_hal_trustedui_qti, vendor_hal_systemhelper);
allow vendor_hal_trustedui_qti vendor_sysfs_sectouch:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:file rw_file_perms;
allow vendor_hal_trustedui_qti vendor_tui_data_file:dir r_dir_perms;
allow vendor_hal_trustedui_qti ion_device:chr_file r_file_perms;
allow vendor_hal_trustedui_qti surfaceflinger:fd use;
allow vendor_hal_trustedui_qti tee_device:chr_file rw_file_perms;
binder_call(vendor_hal_trustedui_qti, vendor_systemhelper_app)
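
Review bot: any file_contexts entry or rule elsewhere that still names `vendor_hal_trustedui_qti` or `vendor_hal_trustedui_qti_exec` will break the policy build once the two `type` declarations at the top of this hunk are gone, so please confirm that every remaining reference is removed or re-declared in the same change. This domain also held `tee_device:chr_file rw_file_perms` and `vendor_sysfs_sectouch:file rw_file_perms`; if the rules are being relocated rather than dropped, the commit message should say where they now live so the TEE and secure-touch grants can be re-reviewed there.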

View File

@@ -1,39 +0,0 @@
# Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_tui_comm_qti, domain;
hal_server_domain(vendor_hal_tui_comm_qti, vendor_hal_tui_comm)
type vendor_hal_tui_comm_qti_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(vendor_hal_tui_comm_qti)
binder_call(vendor_hal_tui_comm_client, vendor_hal_tui_comm_server)
binder_call(vendor_hal_tui_comm_server, vendor_hal_tui_comm_client)
add_hwservice(vendor_hal_tui_comm_server, vendor_hal_tui_comm_hwservice)
allow vendor_hal_tui_comm_client vendor_hal_tui_comm_hwservice:hwservice_manager find;
hal_client_domain(vendor_hal_tui_comm_qti, hal_graphics_allocator);

View File

@@ -1,31 +0,0 @@
# Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_usb_default vendor_sysfs_usbpd_device:dir r_dir_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:lnk_file r_file_perms;
allow hal_usb_default vendor_sysfs_usbpd_device:file rw_file_perms;
r_dir_file(hal_usb_default, vendor_sysfs_usb_supply);

View File

@@ -1,32 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
r_dir_file(hal_vibrator_default, sysfs_leds)
allow hal_vibrator_default sysfs_leds:file rw_file_perms;
# read-only permission to obtain the calibration data
r_dir_file(hal_vibrator_default, vendor_persist_haptics_file)
allow hal_vibrator_default mnt_vendor_file:dir search;

View File

@@ -1,53 +0,0 @@
#Copyright (c) 2017, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# allow hal_wifi to write into /proc/debugdriver/driverdump
r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg)
# write to files owned by location daemon
allow hal_wifi_default vendor_location_socket:dir search;
allow hal_wifi_default vendor_location:unix_dgram_socket sendto;
# Connect to vendor_location via vendor_location socket.
unix_socket_connect(hal_wifi, vendor_location, vendor_location)
allow hal_wifi_default vendor_wifihal_socket:dir rw_dir_perms;
allow hal_wifi_default vendor_wifihal_socket:sock_file create_file_perms;
# Write wlan driver/fw version into property
set_prop(hal_wifi_default, vendor_wifi_version)
# allow hal_wifi to write into /proc/sys/net/ipv4
allow hal_wifi proc_net:file write;
# allow hal_wifi to write into /data/vendor/tombstones/wifi
userdebug_or_eng(`
allow hal_wifi_server vendor_tombstone_data_file:dir rw_dir_perms;
allow hal_wifi_server vendor_tombstone_data_file:file create_file_perms;
')
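
Review bot: the rule subjects in this hunk are inconsistent, and two grants land on the `hal_wifi` attribute instead of the `hal_wifi_default` domain: `unix_socket_connect(hal_wifi, vendor_location, vendor_location)` and `allow hal_wifi proc_net:file write;`. The userdebug block uses a third subject, `hal_wifi_server`. If these rules are carried over to a new location, scope them to `hal_wifi_default` unless the wider grant is intended and documented. The first comment also says "write into /proc/debugdriver/driverdump" while `r_dir_file(hal_wifi_default, vendor_proc_wifi_dbg)` grants read access only, so either the comment or the rule is wrong.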

View File

@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow hal_wifi vendor_wlan_device:chr_file rw_file_perms;

View File

@@ -1,32 +0,0 @@
#Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
userdebug_or_eng(`
allow hal_wifi_hostapd vendor_wifi_vendor_log_data_file:dir search;
')

View File

@@ -1,43 +0,0 @@
#Copyright (c) 2017-2020, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Allow access to create socket and ioctl.
allow hal_wifi_supplicant_default self:socket create_socket_perms;
# ioctlcmd=c304, c302
allowxperm hal_wifi_supplicant_default self:socket ioctl msm_sock_ipc_ioctls;
allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:dir w_dir_perms;
allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
# Permission for wpa socket which IMS use to communicate
# # Allow wpa_supplicant to send back wifi information to cnd
allow hal_wifi_supplicant_default { vendor_cnd vendor_ims vendor_mutualex}:unix_dgram_socket sendto;
# # Allow wpa_supplicant to send back wifi information to vendor_location
allow hal_wifi_supplicant_default vendor_location:unix_dgram_socket sendto;
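
Review bot: `allow hal_wifi_supplicant_default wpa_data_file:dir w_dir_perms;` is redundant directly after the `create_dir_perms` rule on the same type and class, because AOSP's `create_dir_perms` already includes the write-side directory permissions; drop it if this policy is re-homed. The `sendto` rule on `{ vendor_cnd vendor_ims vendor_mutualex}` is explained by comments that mention only IMS and cnd, so `vendor_mutualex` has no stated justification and should get one or be removed.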

View File

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Policies for vendor_hbtp (host based touch processing)
type vendor_hbtp, domain;
type vendor_hbtp_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_hbtp)
hal_server_domain(vendor_hbtp, vendor_hal_hbtp)
# Allow access for /dev/vendor_hbtp_input and /dev/jdi-bu21150
allow vendor_hbtp { vendor_hbtp_device vendor_qdsp_device vendor_dsp_device vendor_bu21150_device vendor_xdsp_device }:chr_file rw_file_perms;
allow vendor_hbtp vendor_hbtp_log_file:dir rw_dir_perms;
allow vendor_hbtp vendor_hbtp_log_file:file create_file_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_cfg_file:file r_file_perms;
allow vendor_hbtp firmware_file:dir r_dir_perms;
allow vendor_hbtp firmware_file:file r_file_perms;
allow vendor_hbtp vendor_firmware_file:dir r_dir_perms;
allow vendor_hbtp vendor_firmware_file:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_usb_supply:dir r_dir_perms;
allow vendor_hbtp vendor_hbtp_kernel_sysfs:file rw_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:file r_file_perms;
allow vendor_hbtp vendor_sysfs_graphics:dir r_dir_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:file r_file_perms;
allow vendor_hbtp vendor_sysfs_battery_supply:dir r_dir_perms;
allow vendor_hbtp ion_device:chr_file r_file_perms;
allow vendor_hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
# Allow the service to access wakelock sysfs
allow vendor_hbtp sysfs_wake_lock:file r_file_perms;
# Allow the service to change to system from root
allow vendor_hbtp self:capability { setgid setuid sys_nice };
# Allow load touch driver as touchPD
r_dir_file(vendor_hbtp, adsprpcd_file)
#allow the service to read adsprpc_prop
get_prop(vendor_hbtp, vendor_adsprpc_prop)
# Allow the service to access wakelock capability
wakelock_use(vendor_hbtp)
# Allow hwbinder call from hal client to server and vice-versa
binder_call(vendor_hal_hbtp_client, vendor_hal_hbtp_server)
binder_call(vendor_hal_hbtp_server, vendor_hal_hbtp_client)
# Allow hwservice related rules
add_hwservice(vendor_hal_hbtp_server, vendor_hal_hbtp_hwservice)
allow vendor_hal_hbtp_client vendor_hal_hbtp_hwservice:hwservice_manager find;
hal_client_domain(vendor_hbtp, hal_allocator);
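
Review bot: the comment "Allow access for /dev/vendor_hbtp_input and /dev/jdi-bu21150" understates the rule beneath it, which grants `rw_file_perms` on five device types, including `vendor_qdsp_device`, `vendor_dsp_device` and `vendor_xdsp_device`. Likewise, `allow vendor_hbtp self:capability { setgid setuid sys_nice };` is commented only as changing "to system from root", which covers `setgid` and `setuid` but not `sys_nice`. If this domain is being moved rather than dropped, split the DSP device grants into their own commented rule and document or remove `sys_nice`.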

View File

@@ -1,35 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow healthd self:capability2 wake_alarm;
r_dir_file(healthd, vendor_sysfs_battery_supply)
r_dir_file(healthd, vendor_sysfs_usb_supply)
r_dir_file(healthd, sysfs_thermal);
allow healthd {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
}:file rw_file_perms;
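
Review bot: the closing `allow healthd { vendor_sysfs_battery_supply vendor_sysfs_usb_supply }:file rw_file_perms;` gives healthd write access to every file carrying either power-supply label, on top of the read access already granted by the two `r_dir_file` calls, and no comment says which node needs to be written. If the rule survives elsewhere, state the writable node in a comment or move that node to a dedicated label so the rest stay read-only.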

View File

@@ -1,44 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_hal_cne_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_cacert_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_dataconnection_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_iwlan_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_config_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrcsd_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imsrtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_imscallinfo_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_ipacm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_hbtp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_perf_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_tui_comm_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_qdutils_disp_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_trustedui_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_color_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_display_postproc_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, protected_hwservice;
type vendor_hal_camera_postproc_hwservice, hwservice_manager_type, protected_hwservice;

View File

@@ -1,64 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
com.qualcomm.qti.ant::IAntHci u:object_r:hal_bluetooth_hwservice:s0
com.dsi.ant::IAnt u:object_r:hal_bluetooth_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
com.qualcomm.qti.uceservice::IUceService u:object_r:vendor_hal_imsrcsd_hwservice:s0
com.qualcomm.qti.imscmservice::IImsCmService u:object_r:vendor_hal_imsrcsd_hwservice:s0
vendor.qti.ims.callinfo::IService u:object_r:vendor_hal_imscallinfo_hwservice:s0
vendor.qti.imsrtpservice::IRTPService u:object_r:vendor_hal_imsrtp_hwservice:s0
vendor.qti.data.factory::IFactory u:object_r:vendor_hal_datafactory_hwservice:s0
vendor.qti.ims.factory::IImsFactory u:object_r:vendor_hal_imsfactory_hwservice:s0
vendor.qti.hardware.data.connection::IDataConnection u:object_r:vendor_hal_dataconnection_hwservice:s0
vendor.qti.hardware.cacert::IService u:object_r:vendor_hal_cacert_hwservice:s0
vendor.display.config::IDisplayConfig u:object_r:vendor_hal_display_config_hwservice:s0
vendor.display.color::IDisplayColor u:object_r:vendor_hal_display_color_hwservice:s0
vendor.display.postproc::IDisplayPostproc u:object_r:vendor_hal_display_postproc_hwservice:s0
vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0
vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object_r:vendor_hal_capabilityconfigstore_qti_hwservice:s0
vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.improvetouch.blobmanager::IBlobManager u:object_r:vendor_hal_hbtp_hwservice:s0
vendor.qti.hardware.perf::IPerf u:object_r:vendor_hal_perf_hwservice:s0
vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vendor_hal_atfwd_hwservice:s0
vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.ims::IImsRadio u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim::IUim u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
vendor.qti.hardware.display.composer::IQtiComposer u:object_r:hal_graphics_composer_hwservice:s0
vendor.qti.hardware.tui_comm::ITuiComm u:object_r:vendor_hal_tui_comm_hwservice:s0
vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:vendor_hal_qdutils_disp_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedUI u:object_r:vendor_hal_trustedui_hwservice:s0
vendor.qti.hardware.trustedui::ITrustedInput u:object_r:vendor_hal_trustedui_hwservice:s0
android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
vendor.qti.hardware.camera.postproc::IPostProcService u:object_r:vendor_hal_camera_postproc_hwservice:s0
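
Review bot: `vendor.qti.hardware.data.iwlan::IIWlan u:object_r:vendor_hal_iwlan_hwservice:s0` appears twice in this hunk, once near the top and again after the `IDisplayPostproc` entry; if the file is re-created elsewhere, keep a single entry. Three labels used here, `vendor_hal_datafactory_hwservice`, `vendor_hal_imsfactory_hwservice` and `vendor_hal_atfwd_hwservice`, are not among the types declared in the hwservice type list removed in the previous hunk, so their declarations live in files not shown; please check that those declarations are not left orphaned once these context entries are gone.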

View File

@@ -1,63 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_ims, domain;
type vendor_ims_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ims)
net_domain(vendor_ims)
get_prop(vendor_ims, hwservicemanager_prop)
set_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_ims_prop)
get_prop(vendor_ims, vendor_cnd_prop)
allow vendor_ims vendor_sysfs_timestamp_switch:file r_file_perms;
allow vendor_ims vendor_sysfs_data:file r_file_perms;
allow vendor_ims self:capability net_bind_service;
allow vendor_ims ion_device:chr_file r_file_perms;
unix_socket_connect(vendor_ims, vendor_cnd, vendor_cnd)
allow vendor_ims self:socket create_socket_perms_no_ioctl;
allow vendor_ims vendor_ims_socket:sock_file write;
allow vendor_ims self:{ qipcrtr_socket } create_socket_perms_no_ioctl;
allow vendor_ims self:{ netlink_generic_socket } create_socket_perms_no_ioctl;
netmgr_socket(vendor_ims);
allowxperm vendor_ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;
allow vendor_ims self:tipc_socket { create_socket_perms_no_ioctl };
#diag
userdebug_or_eng(`
diag_use(vendor_ims)
')
hwbinder_use(vendor_ims)
allow vendor_ims vendor_hal_cne_hwservice:hwservice_manager find;
allow vendor_ims vendor_hal_datafactory_hwservice:hwservice_manager find;
binder_call(vendor_ims, vendor_cnd)
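
Review bot: Dropping `type vendor_ims, domain;` at the top of this file leaves every other reference to the type dangling unless it goes in the same change. `unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims)` in the imshelper policy and the `RMNET_IOCTL_EXTENDED` define behind the `allowxperm vendor_ims self:udp_socket` rule are both removed elsewhere in this compare, which matches. Please also check the file_contexts label for `vendor_ims_exec` and the declarations of `vendor_ims_socket` and `vendor_ims_prop`, which this file uses but does not define, and say in the commit message where the IMS daemon's policy lives after the removal.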

@@ -1,37 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_imshelper_app, domain;
app_domain(vendor_imshelper_app);
unix_socket_connect(vendor_imshelper_app, vendor_ims, vendor_ims)
allow vendor_imshelper_app app_api_service:service_manager find;
#allow qsee_svc_app vendor_imshelper_app_data_file:dir create_dir_perms;
#allow qsee_svc_app vendor_imshelper_app_data_file:file create_file_perms;
allow vendor_imshelper_app system_app_data_file:dir { getattr search };
allow vendor_imshelper_app vendor_radio_data_file:dir { getattr search };
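
Review bot: `app_domain(vendor_imshelper_app);` makes this an app domain, so a seapp_contexts entry presumably selects it; that entry is not in this hunk and has to go with the type, otherwise seapp_contexts names a domain the policy no longer declares. The two commented-out `#allow qsee_svc_app vendor_imshelper_app_data_file:...` lines also hint at a data-file type that may be left orphaned, so grep for `vendor_imshelper_app` across the tree before merging.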

@@ -1,37 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-crashdata-sh, domain;
type vendor_init-qcom-crashdata-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-crashdata-sh)
allow vendor_init-qcom-crashdata-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-crashdata-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_cnt_prop)
set_prop(vendor_init-qcom-crashdata-sh, vendor_crash_detect_prop)
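
Review bot: With `init_daemon_domain(vendor_init-qcom-crashdata-sh)` removed, init has no domain to transition into for this script, so an init .rc entry that still starts it will fail to launch. Remove the service definition and the file_contexts label for `vendor_init-qcom-crashdata-sh_exec` in the same change, or state where the domain is now declared. `vendor_crash_cnt_prop` and `vendor_crash_detect_prop` lose a writer here; check whether anything else still sets them.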

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qcom-sensors-sh, domain;
type vendor_init-qcom-sensors-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qcom-sensors-sh)
allow vendor_init-qcom-sensors-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qcom-sensors-sh vendor_toolbox_exec:file rx_file_perms;
r_dir_file(vendor_init-qcom-sensors-sh, mnt_vendor_file)
r_dir_file(vendor_init-qcom-sensors-sh, vendor_persist_sensors_file)
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:file setattr;
allow vendor_init-qcom-sensors-sh vendor_persist_sensors_file:dir setattr;
allow vendor_init-qcom-sensors-sh sensors_device:chr_file r_file_perms;
set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)
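
Review bot: The grants specific to this script are `setattr` on `vendor_persist_sensors_file` files and directories and `set_prop(vendor_init-qcom-sensors-sh, vendor_sensors_prop)`; the only other visible writer of `vendor_sensors_prop` is `vendor_qti_init_shell`, which this compare removes too. If the sensors init script still ships, name the domain that now fixes up the persist sensor files and sets the property.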

@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_init-qti-ims-sh, domain;
type vendor_init-qti-ims-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_init-qti-ims-sh)
allow vendor_init-qti-ims-sh vendor_shell_exec:file rx_file_perms;
allow vendor_init-qti-ims-sh vendor_toolbox_exec:file rx_file_perms;
set_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
get_prop(vendor_init-qti-ims-sh, vendor_ims_prop)
# for ro.build.product
get_prop(vendor_init-qti-ims-sh, exported2_default_prop)

@@ -1,83 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow init {
adsprpcd_file
cache_file
mnt_vendor_file
storage_file
vendor_vm_system_file
}:dir mounton;
# symlink /sdcard to backing block
allow init tmpfs:lnk_file create;
allow init tty_device:chr_file rw_file_perms;
allow init mnt_vendor_file:dir mounton;
allow init vendor_ab_block_device:lnk_file relabelto;
#Allow init to mount non-hlos partitions in A/B builds
allow init { bt_firmware_file vendor_firmware_file firmware_file } :dir mounton;
allow init { bt_firmware_file firmware_file }:filesystem { relabelfrom mount };
allow { bt_firmware_file firmware_file }self:filesystem associate;
dontaudit init kernel:system module_request;
allow init sysfs_leds:lnk_file r_file_perms;
allow init socket_device:sock_file create_file_perms;
#Needed for restorecon. Init already has these permissions
#for generic block devices, but is unable to access those
#which have a custom lable added by us.
allow init {
vendor_custom_ab_block_device
boot_block_device
vendor_xbl_block_device
vendor_ssd_block_device
vendor_modem_block_device
vendor_mdtp_device
vendor_vm_data_block_device
}:{ blk_file lnk_file } relabelto;
#Allow /sys access to write zram disksize
allow init sysfs_zram:dir r_dir_perms;
allow init sysfs_zram:file r_file_perms;
allow init vendor_sysfs_boot_adsp:file w_file_perms;
allow init bt_firmware_file:filesystem getattr;
allow init firmware_file:filesystem getattr;
# Search and write access for vendor_sysfs_graphics for backlight in recovery
recovery_only(`
allow init vendor_sysfs_graphics:file w_file_perms;
allow init vendor_sysfs_graphics:dir search;
allow init vendor_sysfs_usb_device:file w_file_perms;
')
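
Review bot: The `mounton` grants on `bt_firmware_file`, `vendor_firmware_file`, `firmware_file` and `mnt_vendor_file`, and the `relabelto` block covering `boot_block_device`, `vendor_xbl_block_device`, `vendor_modem_block_device` and the other custom-labelled partitions, are what let init mount the non-HLOS partitions and restorecon the block nodes. Removing them without an equivalent elsewhere shows up as early-boot mount and relabel denials, not as a build error, so please point to the policy that now carries these rules and boot-test an A/B target in enforcing mode. Minor: `allow init mnt_vendor_file:dir mounton;` repeated an entry already present in the first brace list, so a re-homed version need not carry it twice.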

@@ -1,187 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type vendor_qti_init_shell, domain;
type vendor_qti_init_shell_exec, exec_type, vendor_file_type,file_type;
init_daemon_domain(vendor_qti_init_shell)
domain_auto_trans(init, vendor_shell_exec, vendor_qti_init_shell)
# For executing init shell scripts (init.qcom.early_boot.sh)
allow vendor_qti_init_shell vendor_qti_init_shell_exec:file { rx_file_perms entrypoint };
#execute init scripts
allow vendor_qti_init_shell vendor_shell_exec:file {rx_file_perms entrypoint };
allow vendor_qti_init_shell vendor_toolbox_exec:file rx_file_perms;
# For getting idle_time value
# this is needed for dynamic_fps and bw_mode_bitmap
allow vendor_qti_init_shell vendor_sysfs_graphics:file {rw_file_perms setattr};
allow vendor_qti_init_shell mnt_vendor_file:dir w_dir_perms;
allow vendor_qti_init_shell mnt_vendor_file:file create_file_perms;
allow vendor_qti_init_shell vendor_smd_device:chr_file rw_file_perms;
# Run helpers from / or /system without changing domain.
allow vendor_qti_init_shell { rootfs vendor_shell_exec }:file execute_no_trans;
allow vendor_qti_init_shell gpu_device:chr_file getattr;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:dir r_dir_perms;
allow vendor_qti_init_shell vendor_sysfs_cpu_boost:file rw_file_perms;
# for insmod of iris ko, this is needed.
# fowner and fsetid are needed for chmod display nodes.
allow vendor_qti_init_shell self:capability {
sys_module
net_admin
chown
fowner
fsetid
sys_admin
};
set_prop(vendor_qti_init_shell, vendor_ctl_netmgrd_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_port-bridge_prop)
set_prop(vendor_qti_init_shell, vendor_ctl_qcrild_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm-diag_prop)
set_prop(vendor_qti_init_shell, vendor_ipacm_prop)
set_prop(vendor_qti_init_shell, vendor_msm_irqbalance_prop)
set_prop(vendor_qti_init_shell, vendor_dataqti_prop)
set_prop(vendor_qti_init_shell, vendor_display_prop)
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_gralloc_prop)
set_prop(vendor_qti_init_shell, vendor_usb_prop)
set_prop(vendor_qti_init_shell, vendor_system_prop)
set_prop(vendor_qti_init_shell, vendor_mpctl_prop)
set_prop(vendor_qti_init_shell, vendor_radio_prop)
set_prop(vendor_qti_init_shell, vendor_audio_prop)
get_prop(vendor_qti_init_shell, exported3_radio_prop)
set_prop(vendor_qti_init_shell, vendor_gpu_prop)
set_prop(vendor_qti_init_shell, vendor_sensors_prop)
allow vendor_qti_init_shell {
sysfs_devices_system_cpu
sysfs_lowmemorykiller
vendor_sysfs_mmc_host
vendor_sysfs_process_reclaim
}:file w_file_perms;
r_dir_file(vendor_qti_init_shell, sysfs_type)
r_dir_file(vendor_qti_init_shell, vendor_sysfs_devfreq)
allow vendor_qti_init_shell vendor_sysfs_devfreq:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_soc:file write;
allow vendor_qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
allow vendor_qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
# To start sensors for DSPS enabled platforms
r_dir_file(vendor_qti_init_shell, mnt_vendor_file)
r_dir_file(vendor_qti_init_shell, vendor_persist_bluetooth_file)
allow vendor_qti_init_shell { proc proc_net}:file write;
allow vendor_qti_init_shell proc_net:file r_file_perms;
allow vendor_qti_init_shell graphics_device:dir create_dir_perms;
allow vendor_qti_init_shell graphics_device:lnk_file create_file_perms;
#insmod of ko from scripts need kernel key search
allow vendor_qti_init_shell kernel:key search;
allow vendor_qti_init_shell cgroup:dir add_name;
# To allow copy for mbn files
r_dir_file(vendor_qti_init_shell, firmware_file)
# /dev/block/zram0
allow vendor_qti_init_shell block_device:dir r_dir_perms;
allow vendor_qti_init_shell swap_block_device:blk_file rw_file_perms;
#For configfs permission
allow vendor_qti_init_shell configfs:dir r_dir_perms;
allow vendor_qti_init_shell configfs:file rw_file_perms;
#Allow /sys access to write zram disksize
allow vendor_qti_init_shell sysfs_zram:dir r_dir_perms;
allow vendor_qti_init_shell sysfs_zram:file rw_file_perms;
# To get GPU frequencies and set attributes
allow vendor_qti_init_shell vendor_sysfs_kgsl:file { r_file_perms setattr };
allow vendor_qti_init_shell proc:file r_file_perms;
allow vendor_qti_init_shell rootfs:file r_file_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_radio_vendor_data_file:file create_file_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:dir create_dir_perms;
allow vendor_qti_init_shell vendor_mbn_data_file:file create_file_perms;
set_prop(vendor_qti_init_shell, vendor_ctl_vendor_hbtp_prop)
# rules for vm_bms
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:dir r_dir_perms;
allow vendor_qti_init_shell {
vendor_sysfs_battery_supply
vendor_sysfs_usb_supply
vendor_sysfs_usbpd_device
}:file rw_file_perms;
allow vendor_qti_init_shell vendor_sysfs_battery_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usb_supply:file setattr;
allow vendor_qti_init_shell vendor_sysfs_usbpd_device:file setattr;
allow vendor_qti_init_shell sysfs_devices_system_cpu:file w_file_perms;
allow vendor_qti_init_shell vendor_sysfs_msm_power:file rw_file_perms;
allow vendor_qti_init_shell vendor_msm_irqbalanced_exec:file getattr;
set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)
set_prop(vendor_qti_init_shell, vendor_wifi_prop)
# To read /proc/meminfo
allow vendor_qti_init_shell proc_meminfo:file r_file_perms;
allow vendor_qti_init_shell vendor_sysfs_suspend:file w_file_perms;
# Set ro.vendor.qti.soc_id to soc_id in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_id_prop);
# Set ro.vendor.qti.soc_name to soc_name in QCV init script
set_prop(vendor_qti_init_shell, vendor_soc_name_prop);
# Get persist.console.silent.config for kernel console log level
get_prop(vendor_qti_init_shell, vendor_console_log_level_prop)
set_prop(vendor_qti_init_shell,vendor_dcvs_prop)
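
Review bot: This domain held `sys_module`, `sys_admin` and `net_admin` in its `self:capability` set, write on `{ proc proc_net}:file`, and `relabelfrom` on all of `sysfs`, so where its scripts run after the removal matters more than for the other files in this compare. With `domain_auto_trans(init, vendor_shell_exec, vendor_qti_init_shell)` gone, confirm the init shell scripts do not end up in a domain that is broader still; if the rules are re-homed, split the capability set per script instead of copying it whole. `set_prop(vendor_qti_init_shell, vendor_alarm_boot_prop)` appeared twice in this file and only needs carrying over once.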

@@ -1,39 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# socket ioctls
define(`RMNET_IOCTL_EXTENDED', `0x000089FD')
# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')
#mmc ioctls defined in the kernel in include/uapi/linux/mmc/ioctl.h
define(`MMC_IOC_MULTI_CMD', `0xc008b301')
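
Review bot: These `define()` lines are m4 macros, so any surviving rule that still spells `RMNET_IOCTL_EXTENDED`, `MMC_IOC_MULTI_CMD` or an `IPC_ROUTER_IOCTL_*` name is passed to the policy compiler as a bare name instead of a number. The users visible in this compare, `allowxperm vendor_ims self:udp_socket ioctl RMNET_IOCTL_EXTENDED;` and the `msm_sock_ipc_ioctls` set, are removed as well. `MMC_IOC_MULTI_CMD` has no user in the visible hunks, so grep for it before merging.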

@@ -1,93 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
define(`gpu_ioctls', `{
IOCTL_KGSL_DEVICE_GETPROPERTY
IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID
IOCTL_KGSL_DRAWCTXT_CREATE
IOCTL_KGSL_DRAWCTXT_DESTROY
IOCTL_KGSL_MAP_USER_MEM
IOCTL_KGSL_SHAREDMEM_FREE
IOCTL_KGSL_SETPROPERTY
IOCTL_KGSL_TIMESTAMP_EVENT
IOCTL_KGSL_PERFCOUNTER_GET
IOCTL_KGSL_PERFCOUNTER_PUT
IOCTL_KGSL_SYNCSOURCE_CREATE
IOCTL_KGSL_SYNCSOURCE_DESTROY
IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE
IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE
IOCTL_KGSL_GPUOBJ_ALLOC
IOCTL_KGSL_GPUOBJ_FREE
IOCTL_KGSL_GPUOBJ_INFO
IOCTL_KGSL_GPUOBJ_IMPORT
IOCTL_KGSL_GPUOBJ_SYNC
IOCTL_KGSL_GPU_COMMAND
}')
define(`msm_sock_ipc_ioctls', `{
IPC_ROUTER_IOCTL_GET_VERSION
IPC_ROUTER_IOCTL_GET_MTU
IPC_ROUTER_IOCTL_LOOKUP_SERVER
IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
}')
define(`msm_sock_qrtr_ioctls', `{
TIOCOUTQ
}')
define(`rmnet_sock_ioctls', `{
SIOCDEVPRIVATE_1
SIOCDEVPRIVATE_2
SIOCDEVPRIVATE_3
SIOCDEVPRIVATE_4
SIOCDEVPRIVATE_5
SIOCDEVPRIVATE_6
SIOCDEVPRIVATE_7
SIOCDEVPRIVATE_8
SIOCDEVPRIVATE_9
SIOCDEVPRIVATE_A
SIOCDEVPRIVATE_B
SIOCDEVPRIVATE_C
SIOCDEVPRIVATE_D
}')
define(`wlan_sock_ioctls', `{
SIOCSIWPRIV
SIOCIWFIRSTPRIV_15
}')
define(`lowi_server_ioctls', `{
SIOCGIFINDEX
SIOCGIFHWADDR
SIOCGIFFLAGS
SIOCIWFIRSTPRIV_05
SIOCIWFIRSTPRIV_11
SIOCIWFIRSTPRIV_13
SIOCDEVPRIVATE_1
}')
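
Review bot: The risk in removing `msm_sock_ipc_ioctls`, `rmnet_sock_ioctls`, `wlan_sock_ioctls` and the other sets is how their callers get fixed up. An `allowxperm` rule only filters ioctl commands while it exists, so deleting the `allowxperm` line and keeping the matching `allow ... ioctl` widens the domain to every ioctl command on that class. `vendor_irsc_util` shows the pattern: `create_socket_perms` on `self:socket` is narrowed by `allowxperm vendor_irsc_util self:socket ioctl msm_sock_ipc_ioctls;`. Any domain outside this compare that used these macros should keep an explicit command list.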

@@ -1,69 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# General definitions
type vendor_ipacm, domain;
type vendor_ipacm-diag, domain;
type vendor_ipacm_exec, exec_type, vendor_file_type, file_type;
type vendor_ipacm-diag_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_ipacm)
init_daemon_domain(vendor_ipacm-diag)
# associate netdomain to use for accessing internet sockets
net_domain(vendor_ipacm)
hal_server_domain(vendor_ipacm, hal_tetheroffload)
userdebug_or_eng(`
# Allow using the logging file between vendor_ipacm and vendor_ipacm-diag
unix_socket_send(vendor_ipacm, vendor_ipacm, vendor_ipacm-diag)
')
# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
allow hal_tetheroffload vendor_ipa_dev:chr_file rw_file_perms;
# Allow UDP socket create and ioctl
allow hal_tetheroffload self:udp_socket create_socket_perms;
allowxperm vendor_ipacm self:udp_socket ioctl SIOCGIFNAME;
# Allow receiving NETLINK messages
allow hal_tetheroffload self:netlink_route_socket { nlmsg_read nlmsg_readpriv create_socket_perms_no_ioctl };
# Allow receiving NETLINK messages
allow hal_tetheroffload self:{
netlink_socket
# Allow querying the network stack via IOCTLs
netlink_generic_socket
} create_socket_perms_no_ioctl;
# Allow creating and modifying the PID file
allow hal_tetheroffload vendor_ipa_vendor_data_file:dir w_dir_perms;
allow hal_tetheroffload vendor_ipa_vendor_data_file:file create_file_perms;
# To register vendor_ipacm to hwbinder
#add_hwservice(vendor_ipacm, hal_vendor_ipacm_hwservice)
#binder_call(vendor_ipacm, system_server)
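
Review bot: Most allow rules in this file are written against the `hal_tetheroffload` attribute and not against `vendor_ipacm` (for example `allow hal_tetheroffload vendor_ipa_dev:chr_file rw_file_perms;`), so deleting the file removes the IPA device access, the netlink sockets and the PID-file write from every domain that carries the attribute. Check whether anything besides `vendor_ipacm` is a `hal_tetheroffload` server on this target. If the rules are re-homed, scope them to `vendor_ipacm`, the way `allowxperm vendor_ipacm self:udp_socket ioctl SIOCGIFNAME;` already is.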

@@ -1,33 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_irsc_util, domain;
type vendor_irsc_util_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_irsc_util)
allow vendor_irsc_util self:socket create_socket_perms;
allowxperm vendor_irsc_util self:socket ioctl msm_sock_ipc_ioctls;

@@ -1,43 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# for diag over socket
userdebug_or_eng(`
allow kernel self:socket create;
allow kernel self:qipcrtr_socket create;
allow kernel vendor_debugfs_wlan:dir search;
allow kernel vendor_debugfs_ipc:dir search;
allow kernel debugfs_mmc:dir search;
')
# Access firmware_file
r_dir_file(kernel, firmware_file)
# access vendor_firmware_file
r_dir_file(kernel, vendor_firmware_file)
dontaudit kernel kernel:system module_request;
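
Review bot: the last three rules of this removed file sit outside the `userdebug_or_eng` block, so dropping `r_dir_file(kernel, firmware_file)` and `r_dir_file(kernel, vendor_firmware_file)` changes user builds as well, not only debug ones. The change description should say where the kernel domain's read access to both firmware labels is granted after this removal, or that it is no longer needed. Separately, the `# for diag over socket` comment heads a block that also grants `dir search` on three debugfs labels, which the comment does not cover.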


@@ -1,99 +0,0 @@
# Copyright (c) 2018-2020, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# generic/vendor_location.te - sepolicy rules for generic vendor_location modules
# loc_launcher service
# which launches various other services supporting GPS & Wifi-RTT (LOWI) vendor_location
type vendor_location, domain;
type vendor_location_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_location)
allow vendor_location self:capability { setgid setuid };
hwbinder_use(vendor_location)
get_prop(vendor_location, hwservicemanager_prop)
get_prop(vendor_location, vendor_cnd_prop)
#xtra-daemon access to qcc properties
get_prop(vendor_location, vendor_qcc_prop)
allow vendor_location fwk_sensor_hwservice:hwservice_manager find;
binder_call(vendor_location, system_server)
binder_call(vendor_location, vendor_cnd)
# Enable standard network access (for XTRA download)
net_domain(vendor_location)
# required for xtra-daemon, slim-daemon.
allow vendor_location self:qipcrtr_socket create_socket_perms_no_ioctl;
dontaudit vendor_location kernel:system module_request;
# execute permission for vendor_location daemons in /vendor/bin/
allow vendor_location vendor_location_exec:file rx_file_perms;
# /data/vendor/vendor_location
allow vendor_location vendor_location_data_file:dir create_dir_perms;
allow vendor_location vendor_location_data_file:file create_file_perms;
# /dev/socket/vendor_location
allow vendor_location vendor_location_socket:sock_file create_file_perms;
allow vendor_location vendor_location_socket:dir rw_dir_perms;
allow vendor_location vendor_hal_gnss_qti:unix_dgram_socket sendto;
# permission for read execute vendor_location daemons in userdebug mode.
userdebug_or_eng(`
allow shell vendor_location_exec:file rx_file_perms;
')
## lowi-server
##############
# some additional network access
allow vendor_location self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_location self:netlink_socket create_socket_perms_no_ioctl;
allowxperm vendor_location self:udp_socket ioctl lowi_server_ioctls;
allow vendor_location hal_wifi:unix_stream_socket { read write };
# /data/vendor/wifi
allow vendor_location vendor_wifi_vendor_data_file:dir search;
# /data/vendor/wifi/wpa
allow vendor_location wpa_data_file:dir rw_dir_perms;
allow vendor_location wpa_data_file:sock_file create_file_perms;
allow vendor_location hal_wifi_supplicant_default:unix_dgram_socket sendto;
# /dev/socket/wifihal
allow vendor_location vendor_wifihal_socket:dir search;
unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default);
## xtra-daemon
##############
allow vendor_location {vendor_hal_cacert_hwservice vendor_hal_datafactory_hwservice vendor_hal_cne_hwservice}:hwservice_manager find;
binder_call(vendor_location, vendor_qtidataservices_app)
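
Review bot: in the `userdebug_or_eng` block, `allow shell vendor_location_exec:file rx_file_perms;` is a rule about the `shell` domain kept in the location policy file, and because `rx_file_perms` includes `execute_no_trans` the daemons started this way run in the shell's own domain rather than in `vendor_location`. If the block is carried over, its comment should say so, since none of the `vendor_location` allow rules in this file apply to a daemon launched that way. Minor: `unix_socket_send(vendor_location, vendor_wifihal, hal_wifi_default);` carries a trailing semicolon that the other macro calls in the file do not.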


@@ -1,74 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#Policy for vendor_mdm_helper
#vendor_mdm_helper - vendor_mdm_helper domain
type vendor_mdm_helper, domain;
type vendor_mdm_helper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_mdm_helper);
#block_suspend capability is needed by kickstart(ks)
wakelock_use(vendor_mdm_helper)
#Needed to power on the peripheral
allow vendor_mdm_helper vendor_ssr_device:chr_file r_file_perms;
#Needed to access the esoc device to control the mdm
allow vendor_mdm_helper vendor_esoc_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_esoc_device:chr_file rw_file_perms;
#Needed in order to run kickstart
allow vendor_mdm_helper vendor_shell_exec:file rx_file_perms;
allow vendor_mdm_helper vendor_mdm_helper_exec :file x_file_perms;
#Rampdump config
#
# User variant
# Probe for write access to vendor tombstones as the
# presense of tombstones on subsystem does not correlate
# to Android user/userdebug config
allow vendor_mdm_helper vendor_tombstone_data_file:dir r_dir_perms;
dontaudit vendor_mdm_helper vendor_tombstone_data_file:dir write;
# Userdebug/eng variant
userdebug_or_eng(`
allow vendor_mdm_helper vendor_tombstone_data_file:dir create_dir_perms;
allow vendor_mdm_helper vendor_tombstone_data_file:file create_file_perms;
')
#Ramdump config END
#Needed to kill its own forked process on efs sync
allow vendor_mdm_helper self:capability kill;
#Needed by ks in order to access the efs sync partitions.
allow vendor_mdm_helper block_device:dir r_dir_perms;
allow vendor_mdm_helper vendor_efs_boot_dev:blk_file rw_file_perms;
#Needed in order to access the firmware partition
r_dir_file(vendor_mdm_helper, firmware_file)
#Needed to allow boot over PCIe
allow vendor_mdm_helper vendor_mhi_device:chr_file rw_file_perms;


@@ -1,39 +0,0 @@
# Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow mediacodec system_file:dir r_dir_perms;
userdebug_or_eng(`
allow mediacodec dumpstate:fd use;
')
#Allow mediacodec to access vendor_media_data_file files
allow mediacodec vendor_media_data_file:dir create_dir_perms;
allow mediacodec vendor_media_data_file:file create_file_perms;
#Allow mediacodec to access configstore
hal_client_domain(mediacodec, vendor_hal_capabilityconfigstore_qti)
#allow mediacodec to read adsprpc_prop
get_prop(mediacodec, vendor_adsprpc_prop)


@@ -1,40 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_msm_irqbalanced, domain;
type vendor_msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_msm_irqbalanced)
allow vendor_msm_irqbalanced cgroup:dir { create add_name };
allow vendor_msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
# access smp_affinity
allow vendor_msm_irqbalanced proc:file r_file_perms;
allow vendor_msm_irqbalanced proc_interrupts:file r_file_perms;
allow vendor_msm_irqbalanced proc_stat:file r_file_perms;
# irq_blacklist_on
allow vendor_msm_irqbalanced vendor_sysfs_irqbalance:file r_file_perms;
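
Review bot: `allow vendor_msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;` grants write on the generic `proc` label, while the only stated need is the `# access smp_affinity` comment, which sits above the read rule rather than the write rule. If this domain is kept anywhere, give the smp_affinity nodes their own label through a genfs_contexts entry and grant write on that label, so the daemon cannot write every file that falls back to `proc`.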


@@ -1,28 +0,0 @@
#Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
#Redistribution and use in source and binary forms, with or without
#modification, are permitted provided that the following conditions are
#met:
#* Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#* Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
#* Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
#ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
allow mtp self:pppox_socket create_socket_perms_no_ioctl;


@@ -1,28 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
dontaudit netd kernel:system module_request;
dontaudit netd self:capability sys_module;
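
Review bot: both rules in this removed file are uncommented `dontaudit`s, so deleting them means netd's `module_request` and `sys_module` denials are logged again on builds that relied on this file. The change description should state whether that is intended or whether the suppression is kept elsewhere. If it is kept, add a comment on `dontaudit netd self:capability sys_module;` explaining why the denial is expected, because the rule also hides any later attempt by netd to use that capability.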


@@ -1,88 +0,0 @@
# Copyright (c) 2018, 2020 The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_netmgrd, domain;
type vendor_netmgrd_exec, exec_type, vendor_file_type, file_type;
net_domain(vendor_netmgrd)
init_daemon_domain(vendor_netmgrd)
allow vendor_netmgrd vendor_netmgrd_socket:dir w_dir_perms;
allow vendor_netmgrd vendor_netmgrd_socket:sock_file create_file_perms;
allow vendor_netmgrd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write };
allow vendor_netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:netlink_route_socket nlmsg_write;
allow vendor_netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow vendor_netmgrd self:socket create_socket_perms;
allowxperm vendor_netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm vendor_netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow vendor_netmgrd self:tipc_socket { create_socket_perms_no_ioctl };
#Allow connections to qmipriod
unix_socket_connect(vendor_netmgrd, vendor_netmgrd, vendor_qmipriod);
allow vendor_netmgrd sysfs_net:dir r_dir_perms;
allow vendor_netmgrd sysfs_net:file rw_file_perms;
allow vendor_netmgrd vendor_sysfs_data:file r_file_perms;
wakelock_use(vendor_netmgrd)
#Allow netutils usage
domain_auto_trans(vendor_netmgrd, netutils_wrapper_exec, netutils_wrapper)
use_netutils(vendor_netmgrd)
#Allow diag logging
allow vendor_netmgrd vendor_sysfs_timestamp_switch:file { read open };
userdebug_or_eng(`
r_dir_file(vendor_netmgrd, vendor_sysfs_diag)
allow vendor_netmgrd vendor_debugfs_ipc:dir search;
')
#Ignore if device loading for private IOCTL failed
dontaudit vendor_netmgrd kernel:system { module_request };
allow vendor_netmgrd proc_net:file rw_file_perms;
allow vendor_netmgrd vendor_netmgr_data_file:dir rw_dir_perms;
allow vendor_netmgrd vendor_netmgr_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:file create_file_perms;
allow vendor_netmgrd vendor_netmgr_recovery_data_file:dir rw_dir_perms;
get_prop(vendor_netmgrd, hwservicemanager_prop)
hwbinder_use(vendor_netmgrd)
binder_call(vendor_netmgrd, netd)
allow vendor_netmgrd system_net_netd_hwservice:hwservice_manager find;
# Allow netmgrd to use shsusrd properties
set_prop(vendor_netmgrd, vendor_data_shsusr_prop)
set_prop(vendor_netmgrd, vendor_data_qmipriod_prop)
allow vendor_netmgrd self:capability { net_admin net_raw setgid setpcap setuid kill };
allow vendor_netmgrd vendor_toolbox_exec:file rx_file_perms;
dontaudit vendor_netmgrd kernel:system module_request;
dontaudit vendor_netmgrd self:system module_request;
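
Review bot: `dontaudit vendor_netmgrd kernel:system module_request;` near the end of the file repeats the earlier `dontaudit vendor_netmgrd kernel:system { module_request };` under the "Ignore if device loading for private IOCTL failed" comment, and the final `dontaudit vendor_netmgrd self:system module_request;` names `self` as the target of a `system` class check without saying which denial it was written for. If the policy is carried over, keep one copy of the kernel rule and document or drop the `self` variant. The `self:capability { net_admin net_raw setgid setpcap setuid kill }` line also has no comment, unlike most grants around it.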


@@ -1,28 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
dontaudit netutils_wrapper self:capability sys_module;
dontaudit netutils_wrapper system_file:dir write;


@@ -1,41 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
type vendor_pd_mapper, domain;
type vendor_pd_mapper_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(vendor_pd_mapper);
allow vendor_pd_mapper self:capability { setgid setpcap setuid net_bind_service };
allow vendor_pd_mapper firmware_file:dir r_dir_perms;
allow vendor_pd_mapper firmware_file:file r_file_perms;
allow vendor_pd_mapper self:socket create_socket_perms;
allowxperm vendor_pd_mapper self:socket ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;
allow vendor_pd_mapper vendor_sysfs_data:file r_file_perms;
get_prop(vendor_pd_mapper, vendor_pd_locater_dbg_prop)
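
Review bot: `allow vendor_pd_mapper self:capability { setgid setpcap setuid net_bind_service };` has no comment saying which step of the daemon needs each capability, and the file has no comments at all below the license header. If this domain survives the removal, document the capability set. Keep the `allowxperm ... ioctl IPC_ROUTER_IOCTL_BIND_CONTROL_PORT;` line as written rather than widening it to `msm_sock_ipc_ioctls`, which other domains in this diff use. Minor: `init_daemon_domain(vendor_pd_mapper);` has a trailing semicolon that other files in this diff omit.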

Some files were not shown because too many files have changed in this diff.