From b799de3213f1d8e93b258f22d39988ca3cf704eb Mon Sep 17 00:00:00 2001 
From: Alexandre Roux D'Anzi Date: Mon, 30 Mar 2020 10:19:58 +0200 Subject: [PATCH 1/9] sepolicies to enable selinux: needs to be tidy a bit --- BoardConfigCommon.mk | 2 + device-common.mk | 3 +- ramdisk/etc/vold.rc | 17 ++ sepolicy/attributes | 8 + sepolicy/audioserver.te | 13 ++ sepolicy/bluetooth.te | 8 + sepolicy/cameraserver.te | 18 ++ sepolicy/charger.te | 1 + sepolicy/cpboot-daemon.te | 54 +++++ sepolicy/crash_dump.te | 1 + sepolicy/device.te | 42 ++++ sepolicy/domain.te | 2 + sepolicy/file.te | 62 +++++ sepolicy/file_contexts | 259 +++++++++++++++++++++ sepolicy/fsck.te | 5 + sepolicy/gatekeeperd.te | 2 + sepolicy/genfs_contexts | 22 ++ sepolicy/gnss.te | 9 + sepolicy/gpsd.te | 74 ++++++ sepolicy/hal_audio_default.te | 8 + sepolicy/hal_drm_default.te | 4 + sepolicy/hal_fingerprint_default.te | 49 ++++ sepolicy/hal_gatekeeper.te | 1 + sepolicy/hal_graphics_composer.te | 24 ++ sepolicy/hal_keymaster_default.te | 3 + sepolicy/hal_light_default.te | 16 ++ sepolicy/hal_light_hwservice.te | 3 + sepolicy/hal_lineage_livedisplay_sysfs.te | 1 + sepolicy/hal_vendor_configstore_default.te | 13 ++ sepolicy/hal_vendor_hwcservice_default.te | 17 ++ sepolicy/hal_vibrator_default.te | 3 + sepolicy/hal_wifi_default.te | 15 ++ sepolicy/healthd.te | 8 + sepolicy/hwservice.te | 4 + sepolicy/hwservice_contexts | 13 ++ sepolicy/hwservicemanager.te | 3 + sepolicy/init.te | 123 ++++++++++ sepolicy/installd.te | 2 + sepolicy/kernel.te | 37 +++ sepolicy/keystore.te | 6 + sepolicy/lhd.te | 45 ++++ sepolicy/light.te | 20 ++ sepolicy/macloader.te | 68 ++++++ sepolicy/mediacodec.te | 12 + sepolicy/mediadrmserver.te | 2 + sepolicy/mediaextractor.te | 1 + sepolicy/mediaserver.te | 12 + sepolicy/modemloader.te | 10 + sepolicy/netd.te | 9 + sepolicy/nfc.te | 4 + sepolicy/power.te | 7 + sepolicy/property.te | 19 ++ sepolicy/property_contexts | 47 ++++ sepolicy/rild.te | 84 +++++++ sepolicy/sensorhubservice.te | 57 +++++ sepolicy/sepolicy.te | 67 ++++++ sepolicy/sepolicy2.te | 104 +++++++++ 
sepolicy/service_contexts | 3 + sepolicy/servicemanager.te | 8 + sepolicy/slsi.te | 14 ++ sepolicy/surfaceflinger.te | 3 + sepolicy/system_app.te | 5 + sepolicy/system_server.te | 76 ++++++ sepolicy/te_macros | 8 + sepolicy/tee.te | 16 ++ sepolicy/toolbox.te | 1 + sepolicy/tzdaemon.te | 22 ++ sepolicy/tztsdaemon.te | 10 + sepolicy/ueventd.te | 14 ++ sepolicy/uncrypt.te | 2 + sepolicy/vndservice.te | 1 + sepolicy/vndservice_contexts | 3 + sepolicy/vold.te | 8 + sepolicy/wcnss_filter.te | 8 + sepolicy/webview_zygote.te | 1 + sepolicy/zygnote.te | 1 + 76 files changed, 1726 insertions(+), 1 deletion(-) create mode 100755 ramdisk/etc/vold.rc create mode 100644 sepolicy/attributes create mode 100644 sepolicy/audioserver.te create mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/cameraserver.te create mode 100644 sepolicy/charger.te create mode 100644 sepolicy/cpboot-daemon.te create mode 100644 sepolicy/crash_dump.te create mode 100644 sepolicy/device.te create mode 100644 sepolicy/domain.te create mode 100644 sepolicy/file.te create mode 100644 sepolicy/file_contexts create mode 100644 sepolicy/fsck.te create mode 100644 sepolicy/gatekeeperd.te create mode 100644 sepolicy/genfs_contexts create mode 100644 sepolicy/gnss.te create mode 100644 sepolicy/gpsd.te create mode 100644 sepolicy/hal_audio_default.te create mode 100644 sepolicy/hal_drm_default.te create mode 100644 sepolicy/hal_fingerprint_default.te create mode 100644 sepolicy/hal_gatekeeper.te create mode 100644 sepolicy/hal_graphics_composer.te create mode 100644 sepolicy/hal_keymaster_default.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_light_hwservice.te create mode 100644 sepolicy/hal_lineage_livedisplay_sysfs.te create mode 100644 sepolicy/hal_vendor_configstore_default.te create mode 100644 sepolicy/hal_vendor_hwcservice_default.te create mode 100644 sepolicy/hal_vibrator_default.te create mode 100644 sepolicy/hal_wifi_default.te create mode 100644 
sepolicy/healthd.te create mode 100644 sepolicy/hwservice.te create mode 100644 sepolicy/hwservice_contexts create mode 100644 sepolicy/hwservicemanager.te create mode 100644 sepolicy/init.te create mode 100644 sepolicy/installd.te create mode 100644 sepolicy/kernel.te create mode 100644 sepolicy/keystore.te create mode 100644 sepolicy/lhd.te create mode 100644 sepolicy/light.te create mode 100644 sepolicy/macloader.te create mode 100644 sepolicy/mediacodec.te create mode 100644 sepolicy/mediadrmserver.te create mode 100644 sepolicy/mediaextractor.te create mode 100644 sepolicy/mediaserver.te create mode 100644 sepolicy/modemloader.te create mode 100644 sepolicy/netd.te create mode 100644 sepolicy/nfc.te create mode 100644 sepolicy/power.te create mode 100644 sepolicy/property.te create mode 100644 sepolicy/property_contexts create mode 100644 sepolicy/rild.te create mode 100644 sepolicy/sensorhubservice.te create mode 100644 sepolicy/sepolicy.te create mode 100644 sepolicy/sepolicy2.te create mode 100644 sepolicy/service_contexts create mode 100644 sepolicy/servicemanager.te create mode 100644 sepolicy/slsi.te create mode 100644 sepolicy/surfaceflinger.te create mode 100644 sepolicy/system_app.te create mode 100644 sepolicy/system_server.te create mode 100644 sepolicy/te_macros create mode 100644 sepolicy/tee.te create mode 100644 sepolicy/toolbox.te create mode 100644 sepolicy/tzdaemon.te create mode 100644 sepolicy/tztsdaemon.te create mode 100644 sepolicy/ueventd.te create mode 100644 sepolicy/uncrypt.te create mode 100644 sepolicy/vndservice.te create mode 100644 sepolicy/vndservice_contexts create mode 100644 sepolicy/vold.te create mode 100644 sepolicy/wcnss_filter.te create mode 100644 sepolicy/webview_zygote.te create mode 100644 sepolicy/zygnote.te diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index 4d9cd07..3f671cd 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk 
@@ -133,3 +133,5 @@ BOARD_HAVE_SAMSUNG_WIFI := true TARGET_LD_SHIM_LIBS += \ /system/lib/libexynoscamera.so|/vendor/lib/libexynoscamera_shim.so \ /system/lib64/libexynoscamera.so|/vendor/lib64/libexynoscamera_shim.so + +BOARD_SEPOLICY_DIRS := device/samsung/universal8895-common/sepolicy diff --git a/device-common.mk b/device-common.mk index 4d7592b..51038a8 100644 --- a/device-common.mk +++ b/device-common.mk @@ -216,7 +216,8 @@ PRODUCT_PACKAGES += \ init.samsung.rc \ init.samsungexynos8895.rc \ init.samsungexynos8895.usb.rc \ - ueventd.samsungexynos8895.rc + ueventd.samsungexynos8895.rc \ + vold.rc # Remove unwanted packages PRODUCT_PACKAGES += \ diff --git a/ramdisk/etc/vold.rc b/ramdisk/etc/vold.rc new file mode 100755 index 0000000..54adce1 --- /dev/null +++ b/ramdisk/etc/vold.rc @@ -0,0 +1,17 @@ +service vold /system/bin/vold \ + --blkid_context=u:r:blkid:s0 --blkid_untrusted_context=u:r:blkid_untrusted:s0 \ + --fsck_context=u:r:fsck:s0 --fsck_untrusted_context=u:r:fsck_untrusted:s0 + class core + socket vold stream 0660 root mount + socket cryptd stream 0660 root mount + ioprio be 2 +## Frigatebird + socket frigate stream 0660 system system +## Knox + socket epm stream 0660 system system + socket ppm stream 0660 system system + writepid /dev/cpuset/foreground/tasks +## Samsung ODE >>> + socket dir_enc_report stream 0660 root mount +## Samsung ODE <<< + diff --git a/sepolicy/attributes b/sepolicy/attributes new file mode 100644 index 0000000..ef37023 --- /dev/null +++ b/sepolicy/attributes @@ -0,0 +1,8 @@ +# Tag for read only filesystem type +attribute r_fs_type; + +# Tag for read/write filesystem type +attribute rw_fs_type; + +# Tag for read/execute filesystem type +attribute rx_fs_type; diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te new file mode 100644 index 0000000..f259016 --- /dev/null +++ b/sepolicy/audioserver.te 
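Review bot: `BOARD_SEPOLICY_DIRS := device/samsung/universal8895-common/sepolicy` uses `:=`, which discards any sepolicy directory set earlier in the include chain, while the neighbouring `TARGET_LD_SHIM_LIBS += \` shows this file otherwise accumulates board settings. Change it to `BOARD_SEPOLICY_DIRS += device/samsung/universal8895-common/sepolicy` so that device-specific or vendor policy directories stack on top of the common one instead of being silently replaced. If the overwrite is intentional, a comment saying so would stop the next reader from "fixing" it.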
@@ -0,0 +1,13 @@ +# Allow rild to connect to gpsd +unix_socket_connect(audioserver, property, rild) + +# /efs/maxim +allow audioserver { efs_file sec_efs_file }:dir r_dir_perms; +allow audioserver { efs_file sec_efs_file }:file r_file_perms; + +# TFA98xx amplifier +allow audioserver amplifier_device:chr_file rw_file_perms; +allow hal_audio_default efs_file:file { open read }; + +allow hal_audio_default imei_efs_file:dir search; +allow hal_audio_default init:unix_stream_socket connectto; diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te new file mode 100644 index 0000000..c4dea7e --- /dev/null +++ b/sepolicy/bluetooth.te @@ -0,0 +1,8 @@ +# /dev/ttySAC0 +allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl }; + +# wcnss_filter +allow bluetooth wcnss_filter:unix_stream_socket connectto; + +# /data/.cid.info +allow bluetooth wifi_data_file:file r_file_perms; diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te new file mode 100644 index 0000000..302d5e0 --- /dev/null +++ b/sepolicy/cameraserver.te @@ -0,0 +1,18 @@ +# /dev/m2m1shot_jpeg +allow cameraserver camera_device:chr_file rw_file_perms; + +# /sys/devices/virtual/camera/*/*_camfw +allow cameraserver sysfs_camera:file rw_file_perms; + +# searching for syses nodes +allow cameraserver sysfs_camera:dir search; + +# /data/camera/ISP_CV +allow cameraserver camera_data_file:file r_file_perms; + +# /data/media(/.*)? +allow cameraserver media_rw_data_file:dir r_dir_perms; +allow cameraserver media_rw_data_file:file r_file_perms; + +# sysfs_virtual +allow cameraserver sysfs_virtual:dir search; diff --git a/sepolicy/charger.te b/sepolicy/charger.te new file mode 100644 index 0000000..61e5af8 --- /dev/null +++ b/sepolicy/charger.te @@ -0,0 +1 @@ +allow charger sysfs_charger:file { open read getattr }; diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te new file mode 100644 index 0000000..56b5226 --- /dev/null +++ b/sepolicy/cpboot-daemon.te 
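Review bot: The comment `# Allow rild to connect to gpsd` above `unix_socket_connect(audioserver, property, rild)` describes a different rule (it reads like a copy from gpsd.te); the macro lets audioserver connect to rild's socket, so it should say `# Allow audioserver to connect to rild`. The last four rules are for `hal_audio_default`, not audioserver, and belong in hal_audio_default.te, where this patch already adds `property_socket:sock_file write`; together with `allow hal_audio_default init:unix_stream_socket connectto;` here they are the hand-expanded body of `set_prop()` minus the property-type rule, so both should be replaced by one `set_prop(hal_audio_default, <property type — confirm>)` that names what the HAL is allowed to set. `imei_efs_file:dir search` for the audio HAL is not obviously audio-related; confirm it is needed before keeping it.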
@@ -0,0 +1,54 @@ +# modem daemon sec label +type cpboot-daemon, domain; +type cpboot-daemon_exec, exec_type, file_type, mlstrustedsubject, coredomain; + +net_domain(cpboot-daemon) +init_daemon_domain(cpboot-daemon) +wakelock_use(cpboot-daemon) +set_prop(cpboot-daemon, modemloader_prop) +domain_trans(cpboot-daemon, vendor_shell_exec,vendor_shell) +allow cpboot-daemon self:capability { setuid setgid }; + +# FIXME neverallow rule +# allow cpboot-daemon self:capability mknod; +allow cpboot-daemon kernel:system syslog_read; +allow cpboot-daemon cgroup:dir create_dir_perms; + +# /dev/log/* +#allow cpboot-daemon log_device:dir r_dir_perms; +#allow cpboot-daemon log_device:chr_file rw_file_perms; +# /dev/kmsg (write to kernel log) +allow cpboot-daemon kmsg_device:chr_file rw_file_perms; + +# /dev/umts_boot0 +allow cpboot-daemon mif_device:chr_file rw_file_perms; +# /dev/mbin0 +allow cpboot-daemon emmcblk_device:blk_file r_file_perms; +# /dev/spi_boot_link +allow cpboot-daemon radio_device:chr_file rw_file_perms; +# /dev/block/mmcblk0p13 +allow cpboot-daemon block_device:dir r_dir_perms; +allow cpboot-daemon radio_block_device:blk_file r_file_perms; + +# /dev/mipi-lli/lli_control +allow cpboot-daemon sysfs_mipi:file rw_file_perms; + +# /efs +allow cpboot-daemon efs_file:dir r_dir_perms; + +# /efs/nv_data.bin +allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms; + +# /sys/bus/usb/devices/1-2/idVendor +allow cpboot-daemon sysfs:file r_file_perms; + +# /proc/cmdline +allow cpboot-daemon proc_cmdline:file r_file_perms; + +# set properties on boot +set_prop(cpboot-daemon, cpboot-daemon_prop) +set_prop(cpboot-daemon, radio_prop) +set_prop(cpboot-daemon, system_prop) +allow cpboot-daemon efs_file:file { open read }; +allow gpsd self:tcp_socket connect; +allow cpboot-daemon vendor_shell_exec:file execute_no_trans; diff --git a/sepolicy/crash_dump.te b/sepolicy/crash_dump.te new file mode 100644 index 0000000..8468550 --- /dev/null +++ b/sepolicy/crash_dump.te 
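Review bot: `type cpboot-daemon_exec, exec_type, file_type, mlstrustedsubject, coredomain;` attaches two process attributes to a file type; `mlstrustedsubject` and `coredomain` only mean something on the domain, and since cbd is installed at `/system/vendor/bin/cbd` it should not be `coredomain` anyway, so the declaration should read `type cpboot-daemon_exec, exec_type, file_type;`. Further down, `allow cpboot-daemon vendor_shell_exec:file execute_no_trans;` lets the daemon run the shell inside its own domain, which holds `setuid setgid`, and contradicts the `domain_trans(cpboot-daemon, vendor_shell_exec,vendor_shell)` declared above; keep the transition and drop the `execute_no_trans` rule. `allow gpsd self:tcp_socket connect;` is a gpsd rule and belongs in gpsd.te. `set_prop(cpboot-daemon, system_prop)` hands the modem boot daemon the whole `system_prop` namespace; if only a few properties are written, a dedicated property type would be narrower and easier to audit.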
@@ -0,0 +1 @@
+#allow crash_dump keystore:process ptrace;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..b54d427
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,42 @@
+# /dev/ttySAC3
+type bluetooth_device, dev_type;
+
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
+type emmcblk_device, file_type;
+
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
+# /dev/rfkill
+type rfkill_device, dev_type;
+
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/bbd*, /dev/ttyBCM[0-9]*
+type bbd_device, dev_type;
+
+# /dev/vfsspi
+type fingerprint_device, dev_type;
+
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
+
+# /dev/knox_kap
+type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;
+
+type vfs_device, dev_type;
+
+type fp_sensor_device, dev_type;
+
+type tz_device, dev_type;
+type tz_user_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..3165280
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1,2 @@
+dontaudit domain kernel:system module_request;
+neverallow { domain -hal_graphics_composer_default -init } device:chr_file { open read write };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..f842654
--- /dev/null
+++ b/sepolicy/file.te
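Review bot: `type emmcblk_device, file_type;` is the only device type in device.te declared without `dev_type`, although its comment says it labels `/dev/block/mmcblk0p[0-9]` nodes; declare it `type emmcblk_device, dev_type;` like the neighbouring `radio_block_device`, or add a comment explaining why block nodes under /dev deliberately carry a plain file type. The file also declares three fingerprint-related device types (`fingerprint_device`, `vfs_device`, `fp_sensor_device`), the last two without any comment; stating which node each labels, or merging them, would make the hal_fingerprint_default rules that use all three easier to audit.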
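Review bot: `neverallow { domain -hal_graphics_composer_default -init } device:chr_file { open read write };` in domain.te is repeated verbatim in hal_graphics_composer.te; keep the copy here and delete the other. Exempting the composer implies it opens a /dev node that still carries the default `device` label, yet the matching allow rules in hal_graphics_composer.te are all commented out, so the exemption is currently inert; labelling that node with its own type in file_contexts would let the access be granted explicitly rather than by loosening a rule on the generic `device` type. `dontaudit domain kernel:system module_request;` silences that denial for every domain, so a one-line comment saying why module autoloading is not wanted would help later readers.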
@@ -0,0 +1,62 @@ +### efs types +type app_efs_file, file_type; +type battery_efs_file, file_type; +type baro_delta_factoryapp_efs_file, file_type; +type bin_nv_data_efs_file, file_type; +type sec_efs_file, file_type; +# widewine, drm +type cpk_efs_file, file_type; +type drm_efs_file, file_type; +type factorymode_factoryapp_efs_file, file_type; +type imei_efs_file, file_type; +type prov_efs_file, file_type; +type radio_factoryapp_efs_file, file_type; +type sensor_efs_file, file_type; +type sensor_factoryapp_efs_file, file_type; +type wifi_efs_file, file_type; +# gps +type gps_data_file, file_type, data_file_type, core_data_file_type; +type gps_socket, file_type; + +### sysfs types +type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject; +type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject; +type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject; +type sysfs_sec, fs_type, sysfs_type, mlstrustedobject; +type sysfs_camera, fs_type, sysfs_type, mlstrustedobject; +type sysfs_charger, fs_type, sysfs_type, mlstrustedobject; +type sysfs_gps, fs_type, sysfs_type, mlstrustedobject; +type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject; +type sysfs_input, fs_type, sysfs_type, mlstrustedobject; +type sysfs_svc, fs_type, sysfs_type, mlstrustedobject; +type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject; +type sysfs_modem, fs_type, sysfs_type, mlstrustedobject; +type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject; + +# file +type mobicore_data_file, file_type, data_file_type, core_data_file_type; + +allow sysfs_type tmpfs:filesystem associate; + +# file.te + +### DATA +type biometrics_vendor_data_file, file_type, data_file_type; +type conn_vendor_data_file, file_type, data_file_type; +type wifi_vendor_data_file, file_type, data_file_type; + +### SYSFS +type sysfs_fingerprint, sysfs_type, r_fs_type, fs_type; +type sysfs_wifi, sysfs_type, r_fs_type, fs_type; + +type sysfs_backlight_writable, sysfs_type, rw_fs_type, fs_type; +type sysfs_wifi_writable, 
sysfs_type, rw_fs_type, fs_type; + +### VENDOR +type vendor_firmware_file, file_type, vendor_file_type; + +# DATA +type tee_vendor_data_file, file_type, data_file_type; + +# DEV SOCKET +type tz_socket, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts new file mode 100644 index 0000000..d910f28 --- /dev/null +++ b/sepolicy/file_contexts 
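Review bot: `allow sysfs_type tmpfs:filesystem associate;` applies to every sysfs type in the policy, not only those declared here, and nothing says which mount needs it; name the mount in a comment or scope the rule to the one type that requires it. Labels used by this patch's file_contexts and genfs_contexts — `bluetooth_efs_file`, `sysfs_bluetooth_writable`, `sysfs_vibrator` — are not declared in this hunk; presumably they come from sepolicy.te or sepolicy2.te later in the series, but if not the policy will fail to compile, so worth confirming. The stray `# file.te` line mid-file and the duplicated `### DATA` / `# DATA` headings suggest two files were concatenated and could be tidied into one set of sections.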
@@ -0,0 +1,259 @@ +########################## +# Devices +# +/dev/mali[0-9]* u:object_r:gpu_device:s0 + +/dev/bcm2079x u:object_r:nfc_device:s0 +/dev/sec-nfc u:object_r:nfc_device:s0 + +/dev/ttySAC0 u:object_r:bluetooth_device:s0 + +/dev/s5p-smem u:object_r:secmem_device:s0 +/dev/mobicore u:object_r:tee_device:s0 +/dev/mobicore-user u:object_r:tee_device:s0 + +/dev/v4l-subdev[0-9]* u:object_r:video_device:s0 +/dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0 +/dev/media[0-3]* u:object_r:camera_device:s0 +/dev/m2m1shot_jpeg u:object_r:camera_device:s0 + +/dev/mtp_usb* u:object_r:mtp_device:s0 + +/dev/__cbd_msg_ u:object_r:mif_device:s0 +/dev/umts.* u:object_r:mif_device:s0 +/dev/ehci_power u:object_r:mif_device:s0 +/dev/mipi-lli/lli_control u:object_r:mif_device:s0 + +/dev/gnss_ipc u:object_r:gps_device:s0 +/dev/ttySAC[1-9]* u:object_r:gps_device:s0 + +/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0 + +/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0 +/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0 +/dev/block/sda17 u:object_r:system_block_device:s0 +/dev/block/sda18 u:object_r:cache_block_device:s0 +/dev/block/sda24 u:object_r:userdata_block_device:s0 +/dev/block/sda10 u:object_r:radio_block_device:s0 + +/dev/vfsspi u:object_r:vfs_device:s0 +/dev/fimg2d u:object_r:graphics_device:s0 +/dev/rfkill u:object_r:rfkill_device:s0 + +/dev/bbd_control u:object_r:bbd_device:s0 +/dev/bbd_packet u:object_r:bbd_device:s0 +/dev/bbd_patch u:object_r:bbd_device:s0 +/dev/bbd_reliable u:object_r:bbd_device:s0 +/dev/bbd_sensor u:object_r:bbd_device:s0 +/dev/bbd_sio u:object_r:bbd_device:s0 +/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0 + +/dev/esfp0 u:object_r:fingerprint_device:s0 + +/dev/batch_io u:object_r:sensor_device:s0 +/dev/ssp_sensorhub u:object_r:sensor_device:s0 + +# TFA98xx amplifier +/dev/i2c-20 u:object_r:amplifier_device:s0 + +# Knox status +/dev/knox_kap u:object_r:knox_device:s0 + +#################################### +# efs files 
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0 +/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0 +/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0 +/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0 +/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0 +/efs/FactoryApp/prox_cal u:object_r:sensor_factoryapp_efs_file:s0 +/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0 + +/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 +/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 +/efs/drm(/.*)? u:object_r:drm_efs_file:s0 +/efs/gyro_cal_data u:object_r:sensor_efs_file:s0 +/efs/h2k\.dat u:object_r:cpk_efs_file:s0 +/efs/imei(/.*)? u:object_r:imei_efs_file:s0 +/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0 +/efs/nv.log u:object_r:bin_nv_data_efs_file:s0 +/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0 +/efs/prov(/.*)? u:object_r:prov_efs_file:s0 +/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 +/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 +/efs/wv\.keys u:object_r:cpk_efs_file:s0 + +#################################### +# data files +/data/nfc(/.*)? u:object_r:nfc_data_file:s0 +/data/\.cid\.info u:object_r:wifi_data_file:s0 +/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0 + +/data/misc/radio(/.*)? u:object_r:radio_data_file:s0 + +# gps +/data/system/gps(/.*)? u:object_r:gps_data_file:s0 +/data/gps/ctrlpipe u:object_r:gps_data_file:s0 +/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0 +/data/gps/nmeapipe u:object_r:gps_data_file:s0 + +# mobicore +/data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0 +/data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0 + +/data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0 +/data/vendor/biometrics(/.*)? 
u:object_r:fingerprintd_data_file:s0 + +# camera +/data/camera/ISP_CV u:object_r:camera_data_file:s0 + +#################################### +# sysfs files +/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0 +/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs:s0 + +# bluetooth +/sys/devices/bluetooth/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/bluetooth/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/bluetooth/extldo u:object_r:sysfs_bluetooth_writable:s0 + +# brightness +/sys/devices/[0-9]*\.dsim/backlight/panel/brightness u:object_r:sysfs_brightness:s0 + +# camera +/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0 + +# charger +/sys/devices/battery/power_supply(/.*) u:object_r:sysfs_charger:s0 +/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*) u:object_r:sysfs_charger:s0 +/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*) u:object_r:sysfs_charger:s0 + +# CP device +/dev/spi_boot_link u:object_r:radio_device:s0 + +# cbd +/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi:s0 + +# gps +/sys/devices/soc0/machine u:object_r:sysfs_gps:s0 +/sys/devices/soc0/revision u:object_r:sysfs_gps:s0 + +# input +/sys/devices/13890000.i2c/i2c-9/9-0048/input/input1/enabled u:object_r:sysfs_input:s0 +/sys/devices/i2c@20/i2c-6/6-0020/input/input0/enabled u:object_r:sysfs_input:s0 + +# lcd +/sys/devices/[0-9]*\.dsim/lcd/panel/adaptive_control u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/alpm u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/dpui u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/dpui_dbg u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/lcd_type u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/lux u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/manufacture_code u:object_r:sysfs_lcd:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/temperature u:object_r:sysfs_lcd:s0 
+/sys/devices/[0-9]*\.dsim/lcd/panel/window_type u:object_r:sysfs_lcd:s0 + +# modem +/sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0 + +# rild +/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp:s0 +/dev/socket/rild2 u:object_r:rild_socket:s0 +/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0 + +# mDNIe +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mdnie_ldu u:object_r:sysfs_mdnie:s0 +/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/whiteRGB u:object_r:sysfs_mdnie:s0 + +# sec +/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0 + +# svc +/sys/devices/svc(/.*)? u:object_r:sysfs_svc:s0 + +# virtual +/sys/devices/virtual(/.*)? 
u:object_r:sysfs_virtual:s0 + + +#################################### +# deamons +# + +/system/vendor/bin/mcDriverDaemon u:object_r:tee_exec:s0 +/system/vendor/bin/hw/macloader u:object_r:macloader_exec:s0 +/system/bin/modemloader u:object_r:modemloader_exec:s0 +/system/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0 +/system/bin/wcnss_filter u:object_r:wcnss_filter_exec:s0 + +/system/vendor/bin/cbd u:object_r:cpboot-daemon_exec:s0 +/system/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0 +/system/vendor/bin/hw/lhd u:object_r:lhd_exec:s0 + + + +/system/vendor/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0 +/system/vendor/bin/hw/android\.hardware\.vibrator@1\.0-service\.universal8895 u:object_r:hal_vibrator_default_exec:s0 +/system/vendor/bin/hw/vendor\.samsung\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0 +/system/vendor/bin/hw/vendor\.samsung\.hardware\.radio\.configsvc@1\.0-service u:object_r:hal_radio_default_exec:s0 +/system/vendor/bin/hw/vendor\.samsung\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0 +/system/vendor/bin/hw/sec\.android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0 +/system/vendor/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 + +/system/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 + + + + + +/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:slsi_exec:s0 + + + +# file_contexts from https://github.com/whatawurst/android_device_exynos_sepolicy.git + +### Vendor data 
+#/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0 +/data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0 +/data/vendor/wifi(/.*)? u:object_r:wifi_vendor_data_file:s0 + +### Vendor DEV +/dev/esfp[0-9] u:object_r:fp_sensor_device:s0 + +### Vendor VENDOR +/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@[0-9].[0-9]-service\.samsung u:object_r:hal_fingerprint_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@[0-9].[0-9]-service\.samsung u:object_r:hal_light_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.power@[0-9].[0-9]-service\.exynos u:object_r:hal_power_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@[0-9].[0-9]-service\.samsung-haptic u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@[0-9]\.[0-9]-service u:object_r:hal_vendor_configstore_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@[0-9]\.[0-9]-service u:object_r:hal_vendor_hwcservice_default_exec:s0 + + +# Tee DATA +/data/vendor/tee(/.*)? u:object_r:tee_vendor_data_file:s0 + +# tee DEV +/dev/socket/tz u:object_r:tz_socket:s0 +/dev/tuihw u:object_r:tz_device:s0 +/dev/tzdev u:object_r:tz_user_device:s0 +/dev/tzic u:object_r:tz_device:s0 +/dev/tzirs u:object_r:tz_device:s0 +/dev/tziwsock u:object_r:tz_user_device:s0 + +# tee VENDOR +/(vendor|system/vendor)/bin/tzdaemon u:object_r:tzdaemon_exec:s0 +/(vendor|system/vendor)/bin/tzts_daemon u:object_r:tztsdaemon_exec:s0 + +/(vendor|system/vendor)/lib(64)?/libteecl\.so u:object_r:same_process_hal_file:s0 + + + +/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_firmware_file:s0 diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te new file mode 100644 index 0000000..4e054fd --- /dev/null +++ b/sepolicy/fsck.te 
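Review bot: `/dev/esfp0` is labelled twice with different types, `/dev/esfp0 u:object_r:fingerprint_device:s0` in the Devices block and `/dev/esfp[0-9] u:object_r:fp_sensor_device:s0` under `### Vendor DEV`; pick one so the hal_fingerprint_default rules can be trimmed to the type that is actually applied. `/system/vendor/bin/mcDriverDaemon` is also listed twice, once in the `/(vendor|system/vendor)` form. `/efs/nv_data.bin(.*)` and `/efs/nv.log` leave the dot unescaped, unlike `/efs/h2k\.dat` a few lines away, so they should read `/efs/nv_data\.bin(.*)` and `/efs/nv\.log`. `/dev/ttySAC0` is labelled `bluetooth_device` here while device.te documents that type as `/dev/ttySAC3` and gpsd.te also comments it as `/dev/ttySAC0`; one of the descriptions is stale.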
@@ -0,0 +1,5 @@
+# /dev/block/mmcblk0p3
+allow fsck emmcblk_device:blk_file rw_file_perms;
+#allow fsck efs_block_device:blk_file rw_file_perms;
+#allow fsck block_device:blk_file { read write open };
+allow fsck block_device:blk_file ioctl;
diff --git a/sepolicy/gatekeeperd.te b/sepolicy/gatekeeperd.te
new file mode 100644
index 0000000..a76b04f
--- /dev/null
+++ b/sepolicy/gatekeeperd.te
@@ -0,0 +1,2 @@
+allow gatekeeperd efs_file:dir search;
+
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..3b60017
--- /dev/null
+++ b/sepolicy/genfs_contexts
@@ -0,0 +1,22 @@
+# genfs_contexts
+
+### SYSFS
+genfscon sysfs /class/backlight/ u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /class/fingerprint/fingerprint u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /class/timed_output/vibrator/intensity u:object_r:sysfs_vibrator:s0
+genfscon sysfs /class/timed_output/vibrator/multi_freq u:object_r:sysfs_vibrator:s0
+
+genfscon sysfs /devices/platform/panel@0/backlight/panel/brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/platform/panel@0/backlight/panel/max_brightness u:object_r:sysfs_backlight_writable:s0
+
+genfscon sysfs /devices/virtual/fingerprint/fingerprint u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/intensity u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/multi_freq u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/cp_trigger_index u:object_r:sysfs_vibrator:s0
+
+genfscon sysfs /module/dhd/parameters u:object_r:sysfs_wifi_writable:s0
+
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+genfscon sysfs /wifi/cid u:object_r:sysfs_wifi_writable:s0
+genfscon sysfs /wifi/mac_addr u:object_r:sysfs_wifi_writable:s0
+genfscon sysfs /wifi/memdump u:object_r:sysfs_wifi_writable:s0
diff --git a/sepolicy/gnss.te b/sepolicy/gnss.te
new file mode 100644
index 0000000..38573e3
--- /dev/null
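Review bot: `allow fsck emmcblk_device:blk_file rw_file_perms;` grants far more than the `/dev/block/mmcblk0p3` named in the comment, because file_contexts in this patch labels every `/dev/block/mmcblk0p[0-9]*` node `emmcblk_device` (cpboot-daemon.te reads the same type for `/dev/mbin0`); the commented-out `#allow fsck efs_block_device:blk_file rw_file_perms;` shows the intended shape. Give the one partition fsck must check its own type in file_contexts and grant `rw_file_perms` on that type only, leaving `emmcblk_device` read-only. `allow fsck block_device:blk_file ioctl;` on the generic `block_device` type is likewise wider than a single partition needs and deserves a comment naming the ioctl that triggered it.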
+++ b/sepolicy/gnss.te
@@ -0,0 +1,9 @@
+allow hal_gnss_default vendor_data_file:fifo_file write;
+allow hal_gnss_default vendor_data_file:fifo_file open;
+allow hal_gnss_default vendor_data_file:fifo_file read;
+allow hal_gnss_default vendor_data_file:dir write;
+allow hal_gnss_default vendor_data_file:dir add_name;
+allow hal_gnss_default vendor_data_file:fifo_file create;
+allow hal_gnss_default vendor_data_file:fifo_file setattr;
+allow hal_gnss_default vendor_data_file:fifo_file setattr;
+
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..fa85043
--- /dev/null
+++ b/sepolicy/gpsd.te
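Review bot: `allow hal_gnss_default vendor_data_file:fifo_file setattr;` is listed twice, and the remaining rules are one-permission-per-line audit2allow output; fold them into `allow hal_gnss_default vendor_data_file:dir { write add_name };` and `allow hal_gnss_default vendor_data_file:fifo_file { create open read write setattr };`. The grants target the generic `vendor_data_file` type, i.e. any unlabelled path under /data/vendor; gpsd.te in this same patch already uses `file_type_auto_trans` to steer its files into `gps_data_file`, and the same pattern with a dedicated vendor gnss type would confine the HAL's FIFOs to one directory.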
@@ -0,0 +1,74 @@ +type gpsd, domain; +type gpsd_exec, exec_type, file_type; + +init_daemon_domain(gpsd); + +# Automatically label files created in /data/system/gps as gps_data_file +file_type_auto_trans(gpsd, system_data_file, gps_data_file) + +# Allow rild and netd to connect to gpsd +unix_socket_connect(gpsd, property, rild) +unix_socket_connect(gpsd, property, netd) + +allow gpsd system_server:unix_stream_socket { read write setopt }; + +binder_call(gpsd, system_server) +binder_use(gpsd) + +# Sockets +type_transition gpsd gps_data_file:sock_file gps_socket; + +allow gpsd dnsproxyd_socket:sock_file write; +allow gpsd fwmarkd_socket:sock_file write; +allow gpsd gps_socket:sock_file create_file_perms; +allow gpsd self:udp_socket { create bind connect read setopt write }; + +# sysfs_gps +allow gpsd system_file:dir { open read getattr }; +allow gpsd sysfs_gps:file { open read getattr }; + +# /dev/ttySAC0 +allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms }; +allow gpsd gps_device:chr_file { getattr setattr rw_file_perms }; +allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms }; +allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms }; + +allow gpsd sysfs_wake_lock:file rw_file_perms; + +allow gpsd sensorservice_service:service_manager { find }; + +# /dev/umts_boot0 +allow gpsd mif_device:chr_file r_file_perms; +allow gpsd vendor_data_file:dir write; +allow gpsd vendor_data_file:dir add_name; +allow gpsd vendor_data_file:file create; +allow lhd vendor_data_file:dir add_name; +allow gpsd vendor_data_file:file { write open read lock }; +allow gpsd vendor_data_file:fifo_file create; +allow gpsd vendor_data_file:fifo_file { read write }; +allow gpsd vendor_data_file:fifo_file open; +allow gpsd self:netlink_kobject_uevent_socket create; +allow gpsd self:tcp_socket create; +allow gpsd vendor_data_file:fifo_file getattr; +allow gpsd vendor_data_file:file getattr; +allow gpsd 
self:netlink_kobject_uevent_socket { bind setopt }; +allow gpsd self:tcp_socket bind; +allow gpsd vendor_data_file:file append; +allow gpsd port:tcp_socket name_bind; +allow gpsd vendor_data_file:dir remove_name; +allow gpsd node:tcp_socket node_bind; +allow gpsd vendor_data_file:fifo_file unlink; +allow gpsd node:tcp_socket node_bind; +allow gpsd vendor_data_file:fifo_file unlink; +allow gpsd node:tcp_socket node_bind; +allow gpsd vendor_data_file:fifo_file unlink; +allow gpsd vendor_data_file:fifo_file setattr; +allow gpsd vendor_data_file:file unlink; +allow gpsd fwk_sensor_hwservice:hwservice_manager find; +allow gpsd hwservicemanager_prop:file read; +allow gpsd port:tcp_socket name_connect; +allow gpsd self:tcp_socket read; +allow gpsd self:tcp_socket { getopt write }; +allow gpsd hwservicemanager_prop:file open; +allow gpsd hwservicemanager_prop:file getattr; +allow gpsd hwservicemanager:binder call; diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te new file mode 100644 index 0000000..e5b5297 --- /dev/null +++ b/sepolicy/hal_audio_default.te @@ -0,0 +1,8 @@ +allow hal_audio_default efs_file:dir search; +allow hal_audio_default property_socket:sock_file write; +allow hal_audio_default imei_efs_file:file read; +allow hal_audio_default rild:unix_stream_socket connectto; +allow hal_audio_default imei_efs_file:file open; +allow hal_audio_default imei_efs_file:file getattr; +allow hal_audio_default sysfs_wake_lock:file { read write }; +allow hal_audio_default sysfs_wake_lock:file open; diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te new file mode 100644 index 0000000..9287df5 --- /dev/null +++ b/sepolicy/hal_drm_default.te @@ -0,0 +1,4 @@ +allow hal_drm_default vndbinder_device:chr_file read; +allow hal_drm_default vndbinder_device:chr_file write; +allow hal_drm_default vndbinder_device:chr_file open; +allow hal_drm_default vndbinder_device:chr_file ioctl; 
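Review bot: `allow gpsd node:tcp_socket node_bind;` and `allow gpsd vendor_data_file:fifo_file unlink;` each appear three times, and everything from `allow gpsd vendor_data_file:dir write;` onward is one-permission-per-line; collapse it to one rule per target, e.g. `allow gpsd vendor_data_file:file { create open read write append lock getattr unlink };`. `allow gpsd port:tcp_socket name_bind;` together with `name_connect` on the generic `port` type lets gpsd listen on and connect to any TCP port; if a fixed port is used, a dedicated port type, or at least a comment naming the port and why a GNSS daemon listens, is needed. `allow lhd vendor_data_file:dir add_name;` is an lhd rule and belongs in lhd.te. The comment `# sysfs_gps` sits above a `system_file:dir` rule and `# /dev/ttySAC0` above `bluetooth_device`, neither of which matches the rule beneath it.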
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..71b8d3a
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
@@ -0,0 +1,49 @@
+# hal_fingerprint_default.te
+
+# /dev/esfp[0-9]
+allow hal_fingerprint_default fp_sensor_device:chr_file rw_file_perms;
+
+# /data/vendor/ -> biometrics
+file_type_auto_trans(hal_fingerprint_default, vendor_data_file, biometrics_vendor_data_file)
+
+# /data/vendor/biometrics/*
+allow hal_fingerprint_default biometrics_vendor_data_file:file create_file_perms;
+
+# /sys/class/fingerprint/
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file r_file_perms;
+
+
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default);
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+
+# sysfs_virtual
+allow hal_fingerprint_default sysfs_virtual:dir { read open search };
+allow hal_fingerprint_default sysfs_virtual:file { read open };
+allow hal_fingerprint_default vendor_data_file:file read;
+allow hal_fingerprint_default vfs_device:chr_file { read write };
+
+allow hal_fingerprint_default vendor_data_file:file open;
+allow hal_fingerprint_default vfs_device:chr_file open;
+allow hal_fingerprint_default vendor_data_file:file getattr;
+allow hal_fingerprint_default vfs_device:chr_file ioctl;
+allow hal_fingerprint_default vendor_data_file:dir write;
+allow hal_fingerprint_default vendor_data_file:dir { add_name create read remove_name };
+allow hal_fingerprint_default vendor_data_file:file rename;
+
+teegris_use(hal_fingerprint_default)
+
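Review bot: The generic `vendor_data_file` rules at the end of the hunk (`dir { add_name create read remove_name }`, `dir write`, `file rename`, `file read/open/getattr`) undercut the `file_type_auto_trans(hal_fingerprint_default, vendor_data_file, biometrics_vendor_data_file)` declared above them: if that transition were taking effect the HAL would only ever touch `biometrics_vendor_data_file`, so these look like audit2allow output for a directory that is not yet labelled in file_contexts; label it and drop the generic rules instead of keeping both. `binder_call(system_app, hal_fingerprint_default);` carries a stray `;` that the other macro calls in the hunk do not, and it lets any system app binder-call the fingerprint HAL directly rather than through the framework's fingerprint service, which deserves a comment naming the app and the reason. `fingerprintd_data_file:dir create_dir_perms` (commented as /data/biometrics/*) grants a vendor HAL write access into a core data label; under the vendor/system split its storage should stay under /data/vendor, which the `biometrics_vendor_data_file` rule already covers.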
diff --git a/sepolicy/hal_gatekeeper.te b/sepolicy/hal_gatekeeper.te
new file mode 100644
index 0000000..217e3a1
--- /dev/null
+++ b/sepolicy/hal_gatekeeper.te
@@ -0,0 +1 @@
+allow hal_gatekeeper_default efs_file:file read;
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
new file mode 100644
index 0000000..d5a3ea7
--- /dev/null
+++ b/sepolicy/hal_graphics_composer.te
@@ -0,0 +1,24 @@
+#allow hal_graphics_composer_default system_data_file:file append;
+allow hal_graphics_composer_default vendor_data_file:file append;
+allow hal_graphics_composer_default system_data_file:file open;
+allow hal_graphics_composer_default vendor_data_file:file open;
+allow hal_graphics_composer_default vendor_data_file:file getattr;
+
+allow hal_graphics_composer_default vndbinder_device:chr_file read;
+allow hal_graphics_composer_default vndbinder_device:chr_file write;
+allow hal_graphics_composer_default vndbinder_device:chr_file open;
+allow hal_graphics_composer_default vndbinder_device:chr_file getattr;
+allow hal_graphics_composer_default vndbinder_device:chr_file append;
+allow hal_graphics_composer_default vndbinder_device:chr_file ioctl;
+
+#allow hal_graphics_composer_default device:chr_file { read write };
+#allow hal_graphics_composer_default device:chr_file { read write };
+neverallow { domain -hal_graphics_composer_default -init } device:chr_file { open read write };
+#allow hal_graphics_composer_default device:chr_file { read write };
+#allow hal_graphics_composer_default device:chr_file open;
+#allow hal_graphics_composer_default device:chr_file ioctl;
+#allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
+#allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
+allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
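Review bot: `neverallow { domain -hal_graphics_composer_default -init } device:chr_file { open read write };` is a policy-wide constraint placed inside one HAL's file; a neverallow fails the whole policy build as soon as any other domain, here or in the platform policy, is granted those permissions, and `device` is only the fallback label for /dev nodes that file_contexts does not name. The better fix is to label the node the composer needs (the commented-out `device:chr_file` rules around it suggest it was hitting one), allow only that type, and drop the neverallow. `allow hal_graphics_composer_default system_data_file:file open;` gives a vendor HAL access to a core data label while the matching `append` rule on the first line was already commented out; it should go with it, leaving the `vendor_data_file` rules. The six per-permission `vndbinder_device` lines are roughly what `vndbinder_use(hal_graphics_composer_default)` provides, and the macro also covers the vndservicemanager side.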
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
new file mode 100644
index 0000000..1f2691b
--- /dev/null
+++ b/sepolicy/hal_keymaster_default.te
@@ -0,0 +1,3 @@
+allow hal_keymaster_default tee_prop:file read;
+allow hal_keymaster_default tee_prop:file open;
+allow hal_keymaster_default tee_prop:file getattr;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..44ec15d
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1,16 @@
+# hal_light_default.te
+
+# /sys/devices/platform/panel@0/backlight/panel/brightness
+# /sys/devices/platform/panel@0/backlight/panel/max_brightness
+allow hal_light_default sysfs_backlight_writable:file rw_file_perms;
+
+allow hal_light_default sysfs:file { read write };
+allow hal_light_default sysfs:file open;
+allow hal_light_default sysfs_virtual:dir search;
+
+allow hal_light_default sysfs:file getattr;
+allow hal_light_default sysfs_virtual:file write;
+allow hal_audio_default imei_efs_file:dir search;
+allow hal_audio_default init:unix_stream_socket connectto;
+allow hal_light_default sysfs_virtual:file open;
+allow hal_light_default sysfs_virtual:file getattr;
diff --git a/sepolicy/hal_light_hwservice.te b/sepolicy/hal_light_hwservice.te
new file mode 100644
index 0000000..7ebf104
--- /dev/null
+++ b/sepolicy/hal_light_hwservice.te
@@ -0,0 +1,3 @@
+allow hal_light_hwservice sysfs:dir search;
+allow hal_light_hwservice sysfs_virtual:dir search;
+allow hal_light_hwservice sysfs_virtual:file { open write };
diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te
new file mode 100644
index 0000000..10be051
--- /dev/null
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
@@ -0,0 +1 @@
+allow hal_lineage_livedisplay_sysfs sysfs:file { read open getattr write };
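Review bot: The two `hal_audio_default` rules in the middle of the hal_light_default.te hunk (`imei_efs_file:dir search` and `init:unix_stream_socket connectto`) belong in hal_audio_default.te; a reader auditing the audio HAL's access to the IMEI partition will not look for them in the light HAL's file. For the light HAL itself, `allow hal_light_default sysfs:file { read write }` together with the `open`/`getattr` lines writes to the generic `sysfs` label, which covers every sysfs node that genfs_contexts does not name; the hunk already shows the right pattern with `sysfs_backlight_writable`, so label the remaining node and replace the generic rule.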
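Review bot: In the platform policy `hal_light_hwservice` is a `hwservice_manager_type` (the label of the HIDL service name in hwservicemanager), not a process domain, so rules with it as the subject (`allow hal_light_hwservice sysfs:dir search;` and the two sysfs_virtual lines) never apply to a running process. init.te in this series has the same confusion: `allow init hal_light_hwservice:process transition;` is repeated five times and `domain_trans(init, hal_light_default_exec,hal_light_hwservice)` transitions into the service label, while the daemon's domain is `hal_light_default`, so these rules should be `allow hal_light_default ...` and the transition should be `init_daemon_domain(hal_light_default)` in hal_light_default.te. Transitioning into a type without the `domain` attribute is, as far as I recall, also rejected by the platform neverallow on `~domain:process transition`.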
diff --git a/sepolicy/hal_vendor_configstore_default.te b/sepolicy/hal_vendor_configstore_default.te
new file mode 100644
index 0000000..cb75640
--- /dev/null
+++ b/sepolicy/hal_vendor_configstore_default.te
@@ -0,0 +1,13 @@
+# hal_vendor_configstore_default.te
+
+type hal_vendor_configstore_default, domain;
+type hal_vendor_configstore_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vendor_configstore_default)
+
+add_hwservice(hal_vendor_configstore_default, hal_vendor_configstore_hwservice)
+
+hwbinder_use(hal_vendor_configstore_default)
+get_prop(hal_vendor_configstore_default, hwservicemanager_prop)
+
+# /acct/tasks
+allow hal_vendor_configstore_default cgroup:file getattr;
diff --git a/sepolicy/hal_vendor_hwcservice_default.te b/sepolicy/hal_vendor_hwcservice_default.te
new file mode 100644
index 0000000..24ecb3d
--- /dev/null
+++ b/sepolicy/hal_vendor_hwcservice_default.te
@@ -0,0 +1,17 @@
+# hal_vendor_hwcservice_default.te
+
+type hal_vendor_hwcservice_default, domain;
+hal_client_domain(hal_vendor_hwcservice_default, hal_graphics_composer)
+
+type hal_vendor_hwcservice_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vendor_hwcservice_default)
+
+vndbinder_use(hal_vendor_hwcservice_default)
+allow hal_vendor_hwcservice_default vendor_surfaceflinger_vndservice:service_manager { add find };
+
+add_hwservice(hal_vendor_hwcservice_default, hal_vendor_surfaceflinger_hwservice)
+hwbinder_use(hal_vendor_hwcservice_default)
+get_prop(hal_vendor_hwcservice_default, hwservicemanager_prop)
+
+# /acct/tasks
+allow hal_vendor_configstore_default cgroup:file getattr;
diff --git a/sepolicy/hal_vibrator_default.te b/sepolicy/hal_vibrator_default.te
new file mode 100644
index 0000000..fa25e15
--- /dev/null
+++ b/sepolicy/hal_vibrator_default.te
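Review bot: The last rule of hal_vendor_hwcservice_default.te, `allow hal_vendor_configstore_default cgroup:file getattr;`, names the wrong domain: it was carried over from hal_vendor_configstore_default.te and grants nothing to the hwcservice domain this file declares, so the `/acct/tasks` access it is meant to cover will still be denied. It should read `allow hal_vendor_hwcservice_default cgroup:file getattr;`. Otherwise this file is a good example of the macro style (`init_daemon_domain`, `vndbinder_use`, `add_hwservice`, `get_prop`) that the audit2allow-derived files elsewhere in this series should follow.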
@@ -0,0 +1,3 @@
+allow hal_vibrator_default sysfs_virtual:dir search;
+allow hal_vibrator_default sysfs_virtual:file { open write };
+allow hal_vibrator_default sysfs_virtual:file getattr;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..0fcb8a2
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,15 @@
+#### hal_wifi_default
+#
+
+# wifi_data_file
+allow hal_wifi_default wifi_data_file:file { read write open };
+
+# /efs
+allow hal_wifi_default efs_file:dir search;
+
+# /efs/wifi
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file { open read };
+
+# load .ko modules
+allow hal_wifi_default self:capability sys_module;
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..6e6abb0
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1,8 @@
+# healthd
+allow healthd device:dir rw_dir_perms;
+allow healthd rtc_device:chr_file rw_file_perms;
+allow healthd sysfs:file { open read getattr };
+allow healthd sysfs_charger:file { open read getattr };
+allow hal_health_default sysfs:file read;
+allow hal_health_default sysfs:file open;
+allow hal_health_default sysfs:file getattr;
diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te
new file mode 100644
index 0000000..01f680f
--- /dev/null
+++ b/sepolicy/hwservice.te
@@ -0,0 +1,4 @@
+# hwservice.te
+
+type hal_vendor_configstore_hwservice, hwservice_manager_type;
+type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts
new file mode 100644
index 0000000..6e73a51
--- /dev/null
+++ b/sepolicy/hwservice_contexts
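Review bot: `allow hal_wifi_default self:capability sys_module;` (commented `# load .ko modules`) hands the Wi-Fi HAL the ability to load any kernel module, and netd.te in this series grants the same `sys_module` to netd; as far as I recall the platform policy restricts module loading to init and vendor_init through a neverallow, so expect a build failure, and in any case the module should be loaded from the init .rc so that neither daemon carries the capability. `allow hal_wifi_default wifi_data_file:file { read write open };` is a write into a core data label from a vendor HAL; if the HAL only consumes the MAC/firmware info that macloader writes there, read access is enough and the write should be dropped.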
@@ -0,0 +1,13 @@
+# hwservice_contexts
+
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_vendor_configstore_hwservice:s0
+
+vendor.samsung.hardware.nfc::ISecNfc u:object_r:hal_nfc_hwservice:s0
+vendor.samsung.hardware.gnss::ISecGnss u:object_r:hal_gnss_hwservice:s0
+vendor.samsung.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio.configsvc::IConfigSvc u:object_r:hal_telephony_hwservice:s0
+
+vendor.samsung.hardware.radio.channel::ISecChannel u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio.secbridge::ISecBridge u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio.sechook::IOemHook u:object_r:hal_telephony_hwservice:s0
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
new file mode 100644
index 0000000..8523c1b
--- /dev/null
+++ b/sepolicy/hwservicemanager.te
@@ -0,0 +1,3 @@
+# gps
+allow hwservicemanager gpsd:binder transfer;
+
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..7c08cf5
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,123 @@
+# Mount debugfs on /sys/kernel/debug.
+allow init debugfs:dir mounton;
+
+# Mount EFS on /efs
+allow init efs_file:dir mounton;
+
+# /dev/block/mmcblk0p[0-9]
+allow init emmcblk_device:blk_file rw_file_perms;
+
+allow init block_device:lnk_file { setattr };
+allow init tmpfs:lnk_file create_file_perms;
+
+# /sys/class/power_supply/battery and /sys/class/android_usb/android0
+allow init proc:file { getattr setattr read write open };
+
+# Shim libs
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;
+
+# /data
+allow init sdcardd_exec:file r_file_perms;
+
+# sysfs iio:device[0-9]
+allow init sysfs:lnk_file setattr;
+
+# read/chown mDNIE symlinks
+allow init sysfs_mdnie:lnk_file { read setattr };
+
+# read/chown camera firmware
+allow init sysfs_camera:file { relabelto setattr };
+allow init sysfs_camera:filesystem associate;
+
+# sysfs
+allow init sysfs_bluetooth_writable:file setattr;
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_multipdp:file setattr;
+allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_gps:file setattr;
+allow init sysfs_sec:file setattr ;
+allow init sysfs_brightness:file setattr;
+allow init sysfs_input:file setattr;
+allow init sysfs_lcd:file { setattr open };
+allow init sysfs_svc:file setattr;
+allow init sysfs_modem:file { setattr open write };
+allow init sysfs_wlan_fwpath:file setattr;
+allow init sysfs_virtual:file { open setattr write };
+allow init sysfs_virtual:lnk_file read;
+
+unix_socket_connect(init, property, rild)
+allow init socket_device:sock_file { unlink create setattr };
+
+
+
+
+
+allow init proc:file setattr;
+allow init sysfs:file setattr;
+#allow init vendor_file:file execute_no_trans;
+allow init sysfs_wake_lock:file append;
+#allow init sysfs:file write;
+allow init sysfs_wake_lock:file open;
+#allow init vfs_device:chr_file write;
+#allow init sysfs_multipdp_writable:file setattr;
+#allow init sysfs:file open;
+allow init 
vendor_data_file:file lock;
+#allow init sysfs:file read;
+allow init vendor_data_file:fifo_file write;
+allow init vendor_data_file:file append;
+
+allow init sysfs:file setattr;
+#allow init vendor_file:file execute_no_trans;
+allow init hwservicemanager:binder call;
+allow init mif_device:chr_file write;
+allow init tee_device:chr_file write;
+allow init hal_gnss_hwservice:hwservice_manager find;
+allow init hal_light_hwservice:process transition;
+
+#allow init device:chr_file { read write };
+allow init hwservicemanager:binder transfer;
+allow init sysfs_virtual:file read;
+allow init bbd_device:chr_file write;
+allow init hal_light_hwservice:process transition;
+allow init mif_device:chr_file ioctl;
+
+#allow init device:chr_file { read write };
+allow init hal_light_hwservice:process transition;
+allow init vndbinder_device:chr_file read;
+
+#allow init device:chr_file open;
+allow init hal_light_hwservice:process transition;
+allow init device:chr_file ioctl;
+#allow init default_android_hwservice:hwservice_manager add;
+#allow init hal_fingerprint_hwservice:hwservice_manager add;
+#allow init hal_gnss_hwservice:hwservice_manager add;
+#allow init hal_lineage_livedisplay_hwservice:hwservice_manager add;
+#allow init hal_vibrator_hwservice:hwservice_manager add;
+
+#allow init hal_nfc_hwservice:hwservice_manager add;
+allow init hidl_base_hwservice:hwservice_manager add;
+#allow init default_android_hwservice:hwservice_manager find;
+allow init hal_light_hwservice:process transition;
+#allow init hal_light_hwservice:process transition;
+domain_trans(init, hal_light_default_exec,hal_light_hwservice)
+#allow crash_dump init:process ptrace;
+#allow init hal_light_hwservice:hwservice_manager add;
+allow init system_server:binder transfer;
+allow init system_server:binder call;
+allow init self:tcp_socket create;
+allow init fwmarkd_socket:sock_file write;
+allow init self:tcp_socket { bind connect };
+#allow init vendor_shell_exec:file execute_no_trans;
+allow 
init netd:unix_stream_socket connectto;
+allow init port:tcp_socket { name_bind name_connect };
+
+allow init node:tcp_socket node_bind;
+allow init self:tcp_socket getopt;
+
+allow init tee_device:chr_file ioctl;
+#fixed fingerprint
+allow init vfs_device:chr_file write;
+allow init vfs_device:chr_file ioctl;
+allow init fwk_sensor_hwservice:hwservice_manager find;
+allow init vndbinder_device:chr_file write;
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..54c79e5
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1,2 @@
+# TbStorage (mobicore)
+allow installd mobicore_data_file:dir { rw_dir_perms rmdir };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..7846361
--- /dev/null
+++ b/sepolicy/kernel.te
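Review bot: `allow init self:tcp_socket { create bind connect getopt }`, `port:tcp_socket { name_bind name_connect }`, `node:tcp_socket node_bind`, `fwmarkd_socket:sock_file write` and `netd:unix_stream_socket connectto` turn init into a network client; init has no legitimate reason to open TCP sockets, so these denials almost certainly come from a daemon still running in init's context because its domain transition is missing (the `hal_light_hwservice` transition rules in the same hunk point the same way), and the fix is to give that daemon its own domain rather than widen init. The same reasoning applies to the `tee_device`, `mif_device`, `bbd_device`, `vfs_device` and `vndbinder_device` write/ioctl rules and the `#fixed fingerprint` block, which describe a fingerprint or modem daemon, not init. The hunk also carries duplicates (`allow init hal_light_hwservice:process transition;` five times, `allow init sysfs:file setattr;` twice) and a `unix_socket_connect(init, property, rild)` that lets init connect to rild's unix socket, which has no stated purpose and needs a why-comment or removal.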
@@ -0,0 +1,37 @@
+# kernel.te
+
+# /vendor/firmware/
+allow kernel vendor_firmware_file:dir r_dir_perms;
+allow kernel vendor_firmware_file:file r_file_perms;
+
+allow kernel self:capability { chown mknod };
+
+# /dev/mbin0
+allow kernel emmcblk_device:blk_file r_file_perms;
+allow kernel device:blk_file { create setattr getattr unlink };
+# /bus/usb/001/001
+allow kernel device:dir { create write remove_name rmdir add_name };
+allow kernel device:chr_file { create setattr getattr unlink };
+
+# /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
+allow kernel sysfs_devices_system_cpu:file { setattr };
+allow kernel sysfs:file { setattr };
+
+# /efs contents
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
+
+# /efs/wifi/.mac.info
+allow kernel wifi_efs_file:dir r_dir_perms;
+allow kernel wifi_efs_file:file r_file_perms;
+
+# /data/misc/conn/.wifiver.info
+allow kernel wifi_data_file:file rw_file_perms;
+
+# sysfs_lcd
+allow kernel sysfs_lcd:file { open read };
+
+allow kernel debugfs_mmc:dir search;
+allow kernel sysfs_virtual:dir search;
+allow kernel sysfs_virtual:file read;
+allow kernel sysfs_virtual:file open;
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..ad8a1dc
--- /dev/null
+++ b/sepolicy/keystore.te
@@ -0,0 +1,6 @@
+
+#============= keystore ==============
+allow keystore tee_prop:file read;
+allow keystore tee_prop:file { open read };
+allow keystore tee_prop:file { getattr open };
+
diff --git a/sepolicy/lhd.te b/sepolicy/lhd.te
new file mode 100644
index 0000000..fdc9960
--- /dev/null
+++ b/sepolicy/lhd.te
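Review bot: `allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;` and `allow kernel wifi_data_file:file rw_file_perms;` let the `kernel` domain write persistent EFS and /data files; that domain is meant to stay minimal (firmware loading, early boot), and writes to calibration data from it usually mean a vendor driver is doing file I/O from a kernel thread, which cannot be confined any further once allowed. Identify from the denials which driver performs each write, say so on the rule, and cut the set back to the exact labels it touches, read-only where the comment says read (`/efs/wifi/.mac.info` is already `r_file_perms`). `self:capability { chown mknod }` together with `device:{dir chr_file blk_file}` create/unlink also lets the kernel domain create and relabel device nodes; if a driver really creates nodes outside devtmpfs, document it, since otherwise ueventd is the only domain that should.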
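Review bot: The three overlapping rules `allow keystore tee_prop:file read;`, `{ open read }` and `{ getattr open }` add up to plain read access on the property file, which is exactly what the platform macro `get_prop(keystore, tee_prop)` grants; use the macro so the intent (reading the mobicore property) is visible and the rule stays consistent with hal_keymaster_default.te, which repeats the same three lines and should get the same treatment.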
@@ -0,0 +1,45 @@
+#### lhd (sensorhubs)
+#
+
+type lhd, domain;
+type lhd_exec, exec_type, file_type;
+
+init_daemon_domain(lhd)
+
+net_domain(lhd)
+
+########## self and domain_type
+allow lhd self:capability2 block_suspend;
+
+########## fs_type
+allow lhd sysfs:file rw_file_perms;
+allow lhd sysfs_sec:{ file lnk_file } rw_file_perms;
+allow lhd sysfs_wake_lock:file rw_file_perms;
+
+########## dev_type
+allow lhd bbd_device:chr_file rw_file_perms;
+
+########## file_type
+allow lhd { efs_file sec_efs_file }:dir r_dir_perms;
+allow lhd { efs_file sec_efs_file }:file r_file_perms;
+allow lhd system_data_file:dir create_dir_perms;
+
+allow lhd system_data_file:file r_file_perms;
+allow lhd system_data_file:fifo_file create_file_perms;
+
+allow lhd gps_data_file:dir create_dir_perms;
+allow lhd gps_data_file:file create_file_perms;
+allow lhd gps_data_file:fifo_file create_file_perms;
+
+########## etc_type
+allow lhd port:tcp_socket name_bind;
+allow lhd node:tcp_socket node_bind;
+
+allow lhd vendor_data_file:dir write;
+allow lhd vendor_data_file:file create;
+allow lhd vendor_data_file:file { open read write lock };
+allow lhd sysfs_virtual:dir search;
+allow lhd sysfs_virtual:file { read write };
+allow lhd sysfs_virtual:lnk_file read;
+allow lhd sysfs_virtual:file open;
+allow lhd vendor_data_file:fifo_file { open read write lock };
diff --git a/sepolicy/light.te b/sepolicy/light.te
new file mode 100644
index 0000000..0e95653
--- /dev/null
+++ b/sepolicy/light.te
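Review bot: `type lhd_exec, exec_type, file_type;` lacks `vendor_file_type`; if the lhd binary ships on /vendor (macloader_exec in this series is declared with `vendor_file_type`, so that is the convention used here), the platform's neverallows on vendor-partition labels will reject it, and the same omission is in modemloader.te (`modemloader_exec`) and sensorhubservice.te (`sensorhubservice_exec`). `allow lhd system_data_file:dir create_dir_perms;` and `system_data_file:fifo_file create_file_perms` let a vendor daemon create objects under the core `system_data_file` label; with `gps_data_file` and `vendor_data_file` already granted below, the daemon's directory should get its own vendor data label in file_contexts and the `system_data_file` rules should go. `allow lhd sysfs:file rw_file_perms;` writes to the generic sysfs label; the labelled `sysfs_sec` and `sysfs_wake_lock` rules beside it show the pattern to follow for the remaining node.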
@@ -0,0 +1,20 @@
+type hal_light_sdm660, coredomain, domain;
+
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+typeattribute hal_light_sdm660 halserverdomain;
+typeattribute hal_light_sdm660 hal_light_server;
+
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
+
+type hal_light_sdm660_exec, exec_type, file_type;
+init_daemon_domain(hal_light_sdm660)
+
+#allow hal_light_sdm660 { sysfs_graphics sysfs_white_led }:lnk_file read;
+#allow hal_light_sdm660 { sysfs_graphics sysfs_white_led }:file rw_file_perms;
+#allow hal_light_sdm660 { sysfs_graphics sysfs_leds sysfs_white_led }:dir r_dir_perms;
diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te
new file mode 100644
index 0000000..4fab133
--- /dev/null
+++ b/sepolicy/macloader.te
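Review bot: This file declares `hal_light_sdm660` (a Qualcomm SDM660 domain name) with the `coredomain` attribute, in a tree whose hwservice_contexts in this series are Exynos (`vendor.samsung_slsi.hardware.ExynosHWCServiceTW`) and whose init.te refers to `hal_light_default_exec`; it looks copied from another device and is dead policy here, and `coredomain` on a HAL server that would run from /vendor contradicts the platform's coredomain/vendor split. The `binder_call(hal_light_client, hal_light_server)`, `add_hwservice(hal_light_server, hal_light_hwservice)` and `hal_light_client ... find` lines restate what the platform's hal_light attribute policy already provides. Either delete the file, or rename the domain to the one actually used and declare it with `hal_server_domain(<domain>, hal_light)` so the attributes come from the macro rather than two `typeattribute` lines.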
@@ -0,0 +1,68 @@
+#### macloader
+#
+
+
+type macloader, domain;
+type macloader_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(macloader)
+
+allow macloader self:capability { net_admin };
+
+allow macloader self:udp_socket create_socket_perms;
+allowxperm macloader self:udp_socket ioctl { 0x8913 0x8914 };
+
+# /data/vendor/conn
+allow macloader conn_vendor_data_file:dir rw_dir_perms;
+allow macloader conn_vendor_data_file:file create_file_perms;
+
+# /sys/class/net
+allow macloader sysfs_net:dir r_dir_perms;
+allow macloader sysfs_net:file r_file_perms;
+
+# /sys/module/dhd/parameters/firmware_path
+allow macloader sysfs_wifi_writable:dir r_dir_perms;
+allow macloader sysfs_wifi_writable:file rw_file_perms;
+
+# /sys/wifi
+allow macloader sysfs_wifi:dir r_dir_perms;
+allow macloader sysfs_wifi:file r_file_perms;
+
+
+
+allow macloader self:capability { chown fowner fsetid };
+allow macloader self:process execmem;
+
+# Write into /data
+allow macloader system_data_file:dir { add_name search write };
+allow macloader system_file:file execute_no_trans;
+
+# /data/.cid.info
+# Automatically label files created in /data/ as wifi_data_file
+file_type_auto_trans(macloader, system_data_file, wifi_data_file)
+
+allow macloader wifi_data_file:dir create_dir_perms;
+allow macloader wifi_data_file:file { create_file_perms getattr setattr };
+
+# /sys/module/dhd/parameters/nvram_path
+allow macloader sysfs:file rw_file_perms;
+
+# /efs
+allow macloader efs_file:dir r_dir_perms;
+
+# /efs/wifi/.mac.info
+allow macloader wifi_efs_file:dir r_dir_perms;
+allow macloader wifi_efs_file:file r_file_perms;
+allow macloader sysfs_net:dir search;
+allow macloader sysfs_virtual:dir search;
+allow macloader vendor_data_file:dir write;
+allow macloader wifi_efs_file:dir write;
+allow macloader self:capability sys_resource;
+allow macloader vendor_data_file:dir add_name;
+allow macloader vendor_data_file:file create;
+allow macloader vendor_data_file:file { open read 
write };
+allow macloader self:udp_socket create;
+allow macloader vendor_data_file:file { getattr setattr };
+allow macloader wifi_efs_file:file write;
+allow macloader self:capability net_raw;
+allow macloader self:udp_socket ioctl;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..be4c4df
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,12 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
+
+allow mediacodec hal_power_hwservice:hwservice_manager find;
+allow mediacodec sysfs:dir { open read };
+
+# sysfs_virtual
+allow mediacodec sysfs_virtual:dir { open read search };
+allow mediacodec sysfs_virtual:file { open read };
diff --git a/sepolicy/mediadrmserver.te b/sepolicy/mediadrmserver.te
new file mode 100644
index 0000000..58b5bd7
--- /dev/null
+++ b/sepolicy/mediadrmserver.te
@@ -0,0 +1,2 @@
+allow mediadrmserver media_data_file:file { getattr open read create write };
+allow mediadrmserver media_data_file:dir { getattr write search add_name };
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
new file mode 100644
index 0000000..3d8072d
--- /dev/null
+++ b/sepolicy/mediaextractor.te
@@ -0,0 +1 @@
+allow mediaextractor fuse:file { read getattr };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..52e86b0
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,12 @@
+# /efs
+allow mediaserver efs_file:dir r_dir_perms;
+
+# /efs/wv.keys
+allow mediaserver efs_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow mediaserver camera_device:chr_file { read write open getattr ioctl };
+
+# Snap permissions
+allow mediaserver sensorservice_service:service_manager { find };
+allow mediaserver system_server:unix_stream_socket { read write };
diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te
new file mode 100644
index 0000000..b80869e
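Review bot: `allow macloader self:process execmem;` and `allow macloader system_file:file execute_no_trans;` give a MAC-address loader anonymous executable memory and the right to run system binaries without a domain change; neither is explained by the comments, and both widen what a compromise of this capability-bearing daemon (`net_admin`, `net_raw`, `sys_resource`, `chown fowner fsetid`) could do, so each needs a comment naming the binary or library that requires it or should be removed. `allow macloader system_data_file:dir { add_name search write }` plus `file_type_auto_trans(macloader, system_data_file, wifi_data_file)` writes into core /data (`/data/.cid.info` per the comment) from a vendor daemon, while the later `vendor_data_file` rules show the same daemon already writing under /data/vendor; keep one location, preferably the vendor one. The trailing `allow macloader self:udp_socket create;` and `self:udp_socket ioctl;` are already covered by the `create_socket_perms` rule near the top and by the `allowxperm` line, so they can go.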
--- /dev/null
+++ b/sepolicy/modemloader.te
@@ -0,0 +1,10 @@
+#### modemloader
+#
+type modemloader, domain;
+type modemloader_exec, exec_type, file_type;
+
+init_daemon_domain(modemloader)
+
+allow modemloader proc:file r_file_perms;
+
+set_prop(modemloader, modemloader_prop)
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..7a2cb42
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,9 @@
+allow netd self:capability sys_module;
+allow netd gpsd:fd use;
+allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd init:tcp_socket { read write };
+allow netd init:tcp_socket getopt;
+allow netd init:tcp_socket setopt;
+allow netd gpsd:tcp_socket { read write };
+allow netd gpsd:tcp_socket getopt;
+allow netd gpsd:tcp_socket setopt;
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..3ef887d
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1,4 @@
+allow nfc sec_efs_file:dir search;
+allow nfc efs_file:dir search;
+#allow hal_nfc_default default_android_hwservice:hwservice_manager add;
+#allow hal_nfc_default default_android_hwservice:hwservice_manager add;
diff --git a/sepolicy/power.te b/sepolicy/power.te
new file mode 100644
index 0000000..52aade9
--- /dev/null
+++ b/sepolicy/power.te
@@ -0,0 +1,7 @@
+allow hal_power_default sysfs_devices_system_cpu:file write;
+allow hal_power_default sysfs:dir read;
+allow hal_power_default sysfs:dir open;
+allow hal_power_default sysfs_virtual:dir search;
+allow hal_power_default sysfs_virtual:dir read;
+allow hal_power_default sysfs_virtual:dir open;
+allow hal_power_default sysfs_virtual:file read;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..c825e6c
--- /dev/null
+++ b/sepolicy/property.te
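Review bot: The `gpsd:fd use`, `gpsd:udp_socket`, `gpsd:tcp_socket` and `init:tcp_socket` rules in netd.te are the permissions netd's fwmarkd needs on sockets handed to it; the platform grants them to every domain carrying the `netdomain` attribute, so `net_domain(gpsd)` in gpsd.te covers the gpsd half without touching netd.te (lhd.te in this series already uses `net_domain` this way). The `init:tcp_socket` lines are another symptom of a daemon still running in init's context, as raised on the init.te hunk, and should disappear once that daemon has its own domain. The `sys_module` grant on the first line is covered by the note on hal_wifi_default.te.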
@@ -0,0 +1,19 @@
+# CP-Boot Daemon
+type cpboot-daemon_prop, property_type;
+
+# modemloader
+type modemloader_prop, property_type;
+
+# mobicore (tee)
+type tee_prop, property_type;
+
+### CAMERA
+type exported_camera_prop, property_type;
+
+### RFKILL
+type rfkilldisabled_prop, property_type;
+
+
+type vendor_secureos_prop, property_type;
+type vendor_tzdaemon_prop, property_type;
+type vendor_tztsdaemon_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..123af9b
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,47 @@
+# bluetooth
+persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
+ro.bluetooth.tty u:object_r:bluetooth_prop:s0
+wc_transport. u:object_r:bluetooth_prop:s0
+sys.bluetooth.tty u:object_r:exported_bluetooth_prop:s0
+
+# modemloader
+hw.revision u:object_r:modemloader_prop:s0
+ro.cbd.dt_revision u:object_r:modemloader_prop:s0
+ril.cbd.dt_revision u:object_r:modemloader_prop:s0
+ro.modemloader.done u:object_r:modemloader_prop:s0
+
+# mobicore
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
+ril.NwNmId u:object_r:exported_radio_prop:s0
+ril.NwNmId2 u:object_r:exported_radio_prop:s0
+ro.boot.cpboot u:object_r:exported_radio_prop:s0
+
+### BUILD
+ro.build.PDA u:object_r:exported2_default_prop:s0
+
+### CAMERA
+system.camera.CC. u:object_r:exported_camera_prop:s0
+service.camera. u:object_r:exported_camera_prop:s0
+sys.cameramode. u:object_r:exported_camera_prop:s0
+ro.camera.req.fmq.size u:object_r:exported_camera_prop:s0
+ro.camera.res.fmq.size u:object_r:exported_camera_prop:s0
+
+### CSC
+ro.csc. u:object_r:exported_config_prop:s0
+
+### MDC
+mdc. u:object_r:exported_config_prop:s0
+
+### OMC
+persist.sys.omc_support u:object_r:exported_config_prop:s0
+persist.sys.omc_etcpath u:object_r:exported_config_prop:s0
+ro.omc. u:object_r:exported_config_prop:s0
+
+### RFKILL
+ro.rfkilldisabled u:object_r:rfkilldisabled_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..1f7f96f
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,84 @@
+# Allow rild to change perms
+allow rild self:capability { chown };
+
+# Allow additiional efs access
+allow rild bin_nv_data_efs_file:file create_file_perms;
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file r_file_perms;
+
+# /dev
+allow rild audioserver:dir r_dir_perms;
+# /proc//cmdline
+allow rild audioserver:file r_file_perms;
+
+# /dev/mbin0
+allow rild block_device:dir r_dir_perms;
+allow rild emmcblk_device:blk_file r_file_perms;
+
+# /dev/umts_boot0, /dev/umts_ipc0
+allow rild mif_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/misc/multipdp/waketime
+allow rild sysfs_multipdp:file rw_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+allow rild gpsd:dir r_dir_perms;
+allow rild gpsd:file r_file_perms;
+
+# rild reads /proc/pid/cmdline of mediaserver
+allow rild mediaserver:dir { open read search getattr };
+allow rild mediaserver:file { open read getattr };
+
+# /data/misc/radio/*
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+# /data/data/com.android.providers.telephony/databases/telephony.db
+allow rild radio_data_file:lnk_file r_file_perms;
+
+# sdcard/SDET_PLMN/input/MNCMCC.txt
+allow rild storage_file:dir { r_dir_perms };
+allow rild storage_file:lnk_file { r_file_perms };
+allow rild mnt_user_file:dir { r_dir_perms };
+allow rild mnt_user_file:lnk_file { r_file_perms };
+
+# Modem firmware download
+allow rild radio_block_device:blk_file r_file_perms;
+
+# persist.ril.modem.board
+set_prop(modemloader, radio_prop)
+
+# /dev/knox_kap
+allow rild knox_device:chr_file r_file_perms;
+#allow rild default_android_hwservice:hwservice_manager add;
+allow rild init:dir search;
+allow rild init:file read;
+allow rild init:file open;
+allow rild init:file getattr;
+
+allow rild hal_audio_default:dir search;
+
+allow rild 
hal_audio_default:file read;
+allow rild hal_audio_default:file open;
+allow rild hal_audio_default:file getattr;
+
+
+#allow rild block_device:blk_file read;
+allow rild imei_efs_file:file { setattr write };
+#allow rild block_device:blk_file open;
+allow rild vendor_data_file:dir write;
+allow rild vendor_data_file:dir add_name;
+allow rild vendor_data_file:file create;
+allow rild vendor_data_file:file getattr;
+allow rild vendor_data_file:file { read write };
+allow rild vendor_data_file:file open;
+allow rild vendor_data_file:file ioctl;
+allow rild vendor_data_file:file lock;
+allow rild vendor_data_file:dir remove_name;
+allow rild vendor_data_file:file unlink;
+allow rild vendor_data_file:dir read;
+allow rild vendor_data_file:dir open;
+#allow rild default_android_hwservice:hwservice_manager add;
diff --git a/sepolicy/sensorhubservice.te b/sepolicy/sensorhubservice.te
new file mode 100644
index 0000000..1844d92
--- /dev/null
+++ b/sepolicy/sensorhubservice.te
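Review bot: `allow rild imei_efs_file:file { setattr write };` near the end silently upgrades the deliberate `imei_efs_file:file r_file_perms` granted at the top of the hunk to write access on the IMEI store; that is a very different grant from reading and needs a comment naming which file rild modifies, or should be dropped as audit2allow noise. `set_prop(modemloader, radio_prop)` under the `# persist.ril.modem.board` comment is filed in rild.te but names modemloader as the subject; move it to modemloader.te (or change the subject to rild if that is the process that sets the property) so the rule lives where its domain is defined. The dozen per-permission `vendor_data_file` lines at the end describe a directory under /data/vendor that should get its own label and a `create_dir_perms`/`create_file_perms` rule, and the `init:dir search` plus `init:file read/open/getattr` rules (reading init's /proc entry) also deserve a why-comment.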
@@ -0,0 +1,57 @@
+#### sensorhubservice
+#
+type sensorhubservice, domain;
+type sensorhubservice_exec, exec_type, file_type;
+type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
+
+init_daemon_domain(sensorhubservice)
+
+# /dev/input[0-9]*
+allow sensorhubservice input_device:dir r_dir_perms;
+allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
+
+# binder call
+allow sensorhubservice servicemanager:binder { call transfer };
+
+allow sensorhubservice sysfs:file { getattr open read };
+
+# sysfs_virtual
+allow sensorhubservice sysfs_virtual:file { open read getattr setattr };
+allow sensorhubservice sysfs_virtual:dir { open read search };
+allow sensorhubservice sysfs_virtual:lnk_file read;
+allow hal_sensors_default efs_file:dir search;
+
+allow hal_sensors_default app_efs_file:dir search;
+allow hal_sensors_default app_efs_file:file setattr;
+allow hal_sensors_default input_device:dir read;
+allow hal_sensors_default sysfs_virtual:dir search;
+allow hal_sensors_default input_device:dir open;
+allow hal_sensors_default sysfs_virtual:lnk_file read;
+allow hal_sensors_default input_device:dir search;
+allow hal_sensors_default sysfs_virtual:dir read;
+
+
+allow hal_sensors_default input_device:chr_file read;
+allow hal_sensors_default sysfs_virtual:dir open;
+allow hal_sensors_default input_device:chr_file open;
+allow hal_sensors_default input_device:chr_file ioctl;
+allow hal_sensors_default sysfs_virtual:file read;
+allow hal_sensors_default sysfs_virtual:file open;
+allow hal_sensors_default sysfs_virtual:file getattr;
+allow hal_sensors_default sysfs:dir read;
+allow hal_sensors_default sysfs:dir open;
+allow hal_sensors_default sysfs:file read;
+allow hal_sensors_default sysfs:file open;
+
+allow hal_sensors_default sysfs:file getattr;
+allow hal_sensors_default iio_device:chr_file read;
+allow hal_sensors_default iio_device:chr_file open;
+allow hal_sensors_default sysfs:file write;
+allow hal_sensors_default sensor_device:chr_file { read write };
+allow hal_sensors_default sysfs_virtual:file write;
+allow hal_sensors_default app_efs_file:file read;
+allow hal_sensors_default sensor_device:chr_file open;
+allow hal_sensors_default app_efs_file:file { open write };
+allow hal_sensors_default baro_delta_factoryapp_efs_file:file read;
+allow hal_sensors_default baro_delta_factoryapp_efs_file:file open;
+
diff --git a/sepolicy/sepolicy.te b/sepolicy/sepolicy.te new file mode 100644
index 0000000..7c0064c
--- /dev/null
+++ b/sepolicy/sepolicy.te
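Review bot: Roughly two thirds of this file are rules for hal_sensors_default, not sensorhubservice; they should move to a hal_sensors_default.te so a reader looking up that domain finds them. `allow hal_sensors_default sysfs:file write;` grants write on every sysfs node that still carries the generic `sysfs` label, which is the kind of rule that should target a dedicated `sysfs_*` type (the file already uses sysfs_virtual for the rest). The one-permission-per-line form left by audit2allow (`input_device:chr_file read`, `open`, `ioctl` as three rules) also collapses to `allow hal_sensors_default input_device:chr_file { read open ioctl };`, and `app_efs_file:file { setattr write }` on factory calibration data deserves a comment naming the file written.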
@@ -0,0 +1,67 @@
+
+
+#============= bluetooth ==============
+allow bluetooth rfkilldisabled_prop:file read;
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default efs_file:dir search;
+allow hal_bluetooth_default rfkilldisabled_prop:file read;
+allow hal_bluetooth_default sysfs:file write;
+
+#============= nfc ==============
+#allow nfc init:binder call;
+
+
+#============= bluetooth ==============
+allow bluetooth rfkilldisabled_prop:file open;
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default gps_device:chr_file { read write };
+allow hal_bluetooth_default rfkilldisabled_prop:file open;
+
+#============= nfc ==============
+#allow nfc init:binder transfer;
+
+
+#============= bluetooth ==============
+allow bluetooth rfkilldisabled_prop:file getattr;
+allow bluetooth sysfs:file write;
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default rfkilldisabled_prop:file getattr;
+
+#============= toolbox ==============
+allow toolbox ram_device:blk_file open;
+
+
+#============= bluetooth ==============
+allow bluetooth gps_device:chr_file { read write };
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default gps_device:chr_file open;
+
+#============= priv_app ==============
+allow priv_app sysfs_virtual:file read;
+
+
+#============= bluetooth ==============
+allow bluetooth gps_device:chr_file { read write };
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default gps_device:chr_file open;
+
+#============= priv_app ==============
+allow priv_app sysfs_virtual:file read;
+
+
+#============= hal_sensors_default ==============
+allow hal_sensors_default sensor_device:chr_file ioctl;
+
+#============= init ==============
+allow init vendor_data_file:file rename;
+
+#============= priv_app ==============
+allow priv_app sysfs_virtual:file open;
+
+#============= toolbox ==============
+allow toolbox ram_device:blk_file getattr;
diff --git a/sepolicy/sepolicy2.te b/sepolicy/sepolicy2.te new file mode 100644
index 0000000..eb6c99c
--- /dev/null
+++ b/sepolicy/sepolicy2.te
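Review bot: This file is an unedited audit2allow dump: the `hal_bluetooth_default gps_device:chr_file open` and `priv_app sysfs_virtual:file read` blocks appear twice, and the bluetooth `rfkilldisabled_prop:file { read open getattr }` is spread over three sections when `get_prop(bluetooth, rfkilldisabled_prop)` says it in one line. `allow bluetooth sysfs:file write;` and `allow bluetooth gps_device:chr_file { read write };` give the bluetooth app domain write access to generically-labelled sysfs and to the serial nodes that file_contexts labels gps_device; a bluetooth-specific sysfs type and a separate label for the shared UART would keep the grant narrow. The toolbox `ram_device` rules here and in toolbox.te, and the init/hal_sensors one-liners, belong in their domains' own .te files.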
@@ -0,0 +1,104 @@
+
+
+#============= cameraserver ==============
+allow cameraserver exported_camera_prop:file read;
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default gps_device:chr_file ioctl;
+
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default system_data_file:dir write;
+allow hal_graphics_composer_default vendor_data_file:dir write;
+allow hal_graphics_composer_default video_device:chr_file { read write };
+
+#============= init ==============
+allow init dnsproxyd_socket:sock_file write;
+allow init ram_device:blk_file write;
+allow init self:udp_socket connect;
+
+#============= priv_app ==============
+allow priv_app sysfs_virtual:file getattr;
+
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default vendor_data_file:file read;
+
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default system_data_file:dir add_name;
+allow hal_graphics_composer_default vendor_data_file:dir add_name;
+allow hal_graphics_composer_default video_device:chr_file open;
+
+#============= hal_power_default ==============
+allow hal_power_default sysfs:file read;
+
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default vendor_data_file:file read;
+
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default system_data_file:dir add_name;
+allow hal_graphics_composer_default vendor_data_file:dir add_name;
+allow hal_graphics_composer_default video_device:chr_file open;
+
+
+#============= cameraserver ==============
+allow cameraserver exported_camera_prop:file open;
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default vendor_data_file:file open;
+
+#============= hal_graphics_composer_default ==============
+#allow hal_graphics_composer_default system_data_file:file create;
+allow hal_graphics_composer_default vendor_data_file:file create;
+allow hal_graphics_composer_default video_device:chr_file ioctl;
+
+#============= hal_power_default ==============
+allow hal_power_default sysfs:file open;
+
+
+#============= cameraserver ==============
+allow cameraserver exported_camera_prop:file getattr;
+
+#============= platform_app ==============
+#allow platform_app init:binder call;
+
+#============= untrusted_app ==============
+allow untrusted_app proc_version:file getattr;
+
+#============= vold ==============
+allow vold self:capability sys_resource;
+
+
+
+#============= hal_power_default ==============
+allow hal_power_default sysfs:file write;
+
+#============= rild ==============
+allow rild proc_qtaguid_stat:file { getattr open read };
+
+
+#============= hal_bluetooth_default ==============
+allow hal_bluetooth_default vendor_data_file:file getattr;
+
+
+#============= netd ==============
+allow netd sysfs_virtual:dir search;
+
+
+#============= netd ==============
+allow netd sysfs_virtual:file write;
+
+
+#============= netd ==============
+allow netd sysfs_virtual:file open;
+
+#============= hal_gatekeeper_default ==============
+allow hal_gatekeeper_default efs_file:dir search;
+
+
+#============= hal_gatekeeper_default ==============
+allow hal_gatekeeper_default efs_file:file write;
+
+
+#============= hal_gatekeeper_default ==============
+allow hal_gatekeeper_default efs_file:file open;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts new file mode 100644
index 0000000..79593e8
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+sensorhubservice u:object_r:sensorhubservice_service:s0
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te new file mode 100644
index 0000000..1b16bd2
--- /dev/null
+++ b/sepolicy/servicemanager.te
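Review bot: `allow hal_graphics_composer_default system_data_file:dir { write add_name };` lets a vendor HAL create entries in core /data directories; on Treble builds that is what the core_data_file_type neverallows exist to block, so it is likely to fail the policy build, and the commented-out `system_data_file:file create` line suggests the author already ran into that — a dedicated vendor_data_file subtype with a comment naming the path is the usual fix. `allow init self:udp_socket connect;` is unusual for init and should say which init action needs it. As in sepolicy.te, the `hal_bluetooth_default vendor_data_file:file read` and `hal_graphics_composer_default` blocks are duplicated verbatim, and the split `hal_gatekeeper_default efs_file` and `netd sysfs_virtual` one-liners collapse into single rules in those domains' own files.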
@@ -0,0 +1,8 @@
+allow servicemanager sensorhubservice:dir search;
+allow servicemanager sensorhubservice:file { getattr open read };
+allow servicemanager sensorhubservice:process getattr;
+#allow hwservicemanager init:binder call;
+
+
+#allow hwservicemanager init:binder call;
+#allow hwservicemanager init:binder transfer;
diff --git a/sepolicy/slsi.te b/sepolicy/slsi.te new file mode 100644
index 0000000..51973a9
--- /dev/null
+++ b/sepolicy/slsi.te
@@ -0,0 +1,14 @@
+type slsi, domain;
+type slsi_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(slsi);
+
+
+allow slsi hwservicemanager_prop:file read;
+allow slsi hwservicemanager_prop:file open;
+allow slsi hwservicemanager_prop:file getattr;
+allow slsi servicemanager:binder call;
+allow slsi vndbinder_device:chr_file read;
+allow slsi vndbinder_device:chr_file write;
+allow slsi vndbinder_device:chr_file open;
+allow slsi vndbinder_device:chr_file ioctl;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te new file mode 100644
index 0000000..b83165c
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,3 @@
+# HWC
+allow surfaceflinger secmem_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs:file { getattr open read };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te new file mode 100644
index 0000000..92d08d8
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,5 @@
+allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie:dir search;
+allow system_app wificond:binder call;
+allow system_app proc_pagetypeinfo:file { getattr open read };
+
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te new file mode 100644
index 0000000..f8e6104
--- /dev/null
+++ b/sepolicy/system_server.te
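Review bot: The four `vndbinder_device:chr_file` rules in slsi.te are what the `vndbinder_use(slsi)` macro expands to, and using it also documents that slsi is a vndbinder client; `allow slsi servicemanager:binder call;` then looks wrong, because a vendor domain talking over /dev/vndbinder should be calling vndservicemanager, not the framework servicemanager. The three `hwservicemanager_prop:file` rules are `get_prop(slsi, hwservicemanager_prop)`. `init_daemon_domain(slsi);` carries a trailing `;` that the other macro invocations in this series omit.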
@@ -0,0 +1,76 @@
+# /dev/mbin0
+allow system_server emmcblk_device:dir search;
+
+# /efs
+allow system_server efs_file:dir r_dir_perms;
+
+# /efs/gyro_cal_data
+allow system_server sensor_efs_file:file r_file_perms;
+
+# /data/system/gps/.gps.interface.pipe.*
+type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+allow system_server gps_data_file:fifo_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+
+# /data/system/gps/chip.info
+allow system_server gps_data_file:file r_file_perms;
+
+# /efs/prox_cal
+allow system_server efs_file:file r_file_perms;
+
+# /efs/FactoryApp
+allow system_server app_efs_file:dir r_dir_perms;
+allow system_server app_efs_file:file r_file_perms;
+
+# WifiMachine
+allow system_server self:capability { sys_module };
+allow system_server wifi_efs_file:dir r_dir_perms;
+allow system_server wifi_efs_file:file r_file_perms;
+
+# mDNIE
+allow system_server sysfs_mdnie:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs:file r_file_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+
+# sysfs
+allow system_server sysfs_brightness:file write;
+allow system_server sysfs_input:file write;
+allow system_server sysfs_sec:file write;
+allow system_server sysfs_devices_system_cpu:file write;
+allow system_server sysfs_virtual:file write;
+
+# /data/system/gps/xtraee.bin
+allow system_server gps_data_file:file create_file_perms;
+
+unix_socket_connect(system_server, property, gpsd)
+#allow system_server block_device:blk_file { open write };
+allow system_server hal_light_hwservice:binder call;
+#allow system_server block_device:blk_file { read write };
+#allow system_server block_device:blk_file open;
+allow system_server block_device:blk_file getattr;
+#allow system_server init:binder call;
+#allow system_server block_device:blk_file ioctl;
+#allow system_server init:binder transfer;
+#allow system_server default_android_service:service_manager add;
+allow system_server app_efs_file:file setattr;
+allow system_server vendor_data_file:dir write;
+#fixed fingerprint
+
+#allow system_server init:binder transfer;
+#allow system_server init:binder call;
+allow system_server vendor_data_file:fifo_file { read write };
+allow system_server vendor_data_file:fifo_file open;
+
+allow system_server vendor_data_file:dir add_name;
+
+allow system_server gpsd:binder call;
diff --git a/sepolicy/te_macros b/sepolicy/te_macros new file mode 100644
index 0000000..b7ab51f
--- /dev/null
+++ b/sepolicy/te_macros
@@ -0,0 +1,8 @@
+# teegris_use(domain)
+#
+# Allow domain to use teegris
+define(`teegris_use', `
+get_prop($1, vendor_tztsdaemon_prop)
+# /dev/tzdev
+allow $1 tz_user_device:chr_file rw_file_perms;
+')
diff --git a/sepolicy/tee.te b/sepolicy/tee.te new file mode 100644
index 0000000..336f52f
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,16 @@
+# mobicore
+
+# Allow to create files and directories /data/app/mcRegistry
+file_type_auto_trans(tee, apk_data_file, mobicore_data_file);
+
+# /efs
+allow tee { efs_file prov_efs_file }:dir r_dir_perms;
+allow tee { efs_file prov_efs_file }:file r_file_perms;
+
+allow tee vendor_data_file:file read;
+
+# sys.mobicore.enable
+set_prop(tee, tee_prop)
+#allow tee device:chr_file read;
+
+allow tee_device sysfs:filesystem associate;
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te new file mode 100644
index 0000000..b5f75f4
--- /dev/null
+++ b/sepolicy/toolbox.te
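Review bot: `allow system_server self:capability { sys_module };` hands the framework process kernel-module loading; the `# WifiMachine` comment does not say why system_server rather than init or a vendor wifi domain needs it, and base AOSP policy deliberately keeps sys_module away from system_server, so this should be checked against the neverallows there before being kept. The eleven commented-out `#allow system_server ...` lines are dead debris and should be removed, leaving only live rules. `allow system_server vendor_data_file:dir { write add_name };` together with the `vendor_data_file:fifo_file` rules gives a core domain write access under /data/vendor, the reverse of the Treble partition split; the `#fixed fingerprint` marker hints at the reason, so a comment naming the fifo path would make the rule reviewable.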
@@ -0,0 +1 @@
+allow toolbox ram_device:blk_file { read write };
diff --git a/sepolicy/tzdaemon.te b/sepolicy/tzdaemon.te new file mode 100644
index 0000000..7293421
--- /dev/null
+++ b/sepolicy/tzdaemon.te
@@ -0,0 +1,22 @@
+type tzdaemon, domain;
+type tzdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tzdaemon is started by init, type transit from init domain to tzdaemon domain
+init_daemon_domain(tzdaemon)
+
+set_prop(tzdaemon, vendor_tzdaemon_prop)
+set_prop(tzdaemon, vendor_secureos_prop)
+
+allow tzdaemon tz_device:chr_file rw_file_perms;
+allow tzdaemon tz_user_device:chr_file rw_file_perms;
+allow tzdaemon tz_socket:sock_file { write };
+
+# /dev/kmsg
+allow tzdaemon kmsg_device:chr_file rw_file_perms;
+
+# /data/vendor/tee
+allow tzdaemon tee_vendor_data_file:dir create_dir_perms;
+allow tzdaemon tee_vendor_data_file:file create_file_perms;
+
+# /proc/stat
+allow tzdaemon proc_stat:file r_file_perms;
diff --git a/sepolicy/tztsdaemon.te b/sepolicy/tztsdaemon.te new file mode 100644
index 0000000..0a442c4
--- /dev/null
+++ b/sepolicy/tztsdaemon.te
@@ -0,0 +1,10 @@
+type tztsdaemon, domain;
+type tztsdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tztsdaemon is started by init, type transit from init domain to tztsdaemon domain
+init_daemon_domain(tztsdaemon)
+
+set_prop(tztsdaemon, vendor_tztsdaemon_prop)
+
+# /dev/tziwsock
+allow tztsdaemon tz_user_device:chr_file rw_file_perms;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te new file mode 100644
index 0000000..cf057f2
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,14 @@
+# /dev/block/mmcblk0p[0-9]
+allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp:file rw_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
+
+# read/chown camera firmware
+allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:filesystem associate;
+allow ueventd tee_device:dir relabelto;
+allow ueventd tee_device:file relabelto;
+allow ueventd tee_device:lnk_file relabelto;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te new file mode 100644
index 0000000..1f5142f
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt emmcblk_device:blk_file w_file_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te new file mode 100644
index 0000000..12a4819
--- /dev/null
+++ b/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts new file mode 100644
index 0000000..f088001
--- /dev/null
+++ b/sepolicy/vndservice_contexts
@@ -0,0 +1,3 @@
+# vndservice_contexts
+
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
diff --git a/sepolicy/vold.te b/sepolicy/vold.te new file mode 100644
index 0000000..dc2658a
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,8 @@
+# /efs
+allow vold efs_file:dir r_dir_perms;
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# sysfs_virtual
+allow vold sysfs_virtual:file write;
diff --git a/sepolicy/wcnss_filter.te b/sepolicy/wcnss_filter.te new file mode 100644
index 0000000..702280e
--- /dev/null
+++ b/sepolicy/wcnss_filter.te
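Review bot: The first ueventd rule grants `{ ioctl read write create getattr setattr lock append unlink open }` on emmcblk_device block nodes, but ueventd only creates, chowns and relabels device nodes, which is exactly what the second `{ relabelfrom relabelto create setattr unlink }` rule in the same file already covers; read/write/append on raw partition contents is not something ueventd needs, so the first rule should be dropped and the two merged. The `# /dev/block/mmcblk0p[0-9]` comment also goes stale once patch 5 of this series relabels `sda[0-9]*` as emmcblk_device.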
@@ -0,0 +1,8 @@
+type wcnss_filter, domain;
+type wcnss_filter_exec, exec_type, file_type;
+
+init_daemon_domain(wcnss_filter)
+
+allow wcnss_filter bluetooth_device:chr_file rw_file_perms;
+
+set_prop(wcnss_filter, bluetooth_prop);
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te new file mode 100644
index 0000000..c8a7ec2
--- /dev/null
+++ b/sepolicy/webview_zygote.te
@@ -0,0 +1 @@
+allow webview_zygote zygote:unix_dgram_socket write;
diff --git a/sepolicy/zygnote.te b/sepolicy/zygnote.te new file mode 100644
index 0000000..e17b8cf
--- /dev/null
+++ b/sepolicy/zygnote.te
@@ -0,0 +1 @@
+allow zygote proc_cmdline:file { getattr open read write };
-- GitLab From 9bfb200c36202d3f0accfb04446b03b9ca487203 Mon Sep 17 00:00:00 2001 From: Alexandre Roux D'Anzi Date: Mon, 30 Mar 2020 17:29:35 +0200 Subject: [PATCH 2/9] try to fix boot --- sepolicy/hal_graphics_composer.te | 2 ++ sepolicy/power.te | 1 + 2 files changed, 3 insertions(+)
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
index d5a3ea7..c0c7aac 100644
--- a/sepolicy/hal_graphics_composer.te
+++ b/sepolicy/hal_graphics_composer.te
@@ -22,3 +22,5 @@ neverallow { domain -hal_graphics_composer_default -init } device:chr_file { ope
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
 allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_composer_default hal_graphics_allocator_default:binder call;
+
diff --git a/sepolicy/power.te b/sepolicy/power.te
index 52aade9..dd895b7 100644
--- a/sepolicy/power.te
+++ b/sepolicy/power.te
@@ -5,3 +5,4 @@ allow hal_power_default sysfs_virtual:dir search;
 allow hal_power_default sysfs_virtual:dir read;
 allow hal_power_default sysfs_virtual:dir open;
 allow hal_power_default sysfs_virtual:file read;
+allow hal_power_default sysfs_virtual:file open;
-- GitLab From d95f0fc32395875de714dfdc9e56b44d1f018c96 Mon Sep 17 00:00:00 2001
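Review bot: `set_prop(wcnss_filter, bluetooth_prop);` ends with a `;` after the macro call; the expansion already terminates its own statements, and the other set_prop/init_daemon_domain uses in this series (tzdaemon.te, tztsdaemon.te, tee.te) omit it, so the stray `;` should go for consistency. `wcnss_filter_exec` is declared `exec_type, file_type` without `vendor_file_type`, unlike slsi_exec and tzdaemon_exec in the same patch; if the binary lives under /vendor it needs that attribute for the label to pass the vendor/system file-type checks.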
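Review bot: `allow zygote proc_cmdline:file { getattr open read write };` includes `write` on /proc/cmdline, which the kernel exposes read-only, so that permission can never be exercised and `r_file_perms` is the honest grant. The file is named zygnote.te while the domain is zygote; rename it, and check whether the base zygote policy already covers this read before keeping the rule at all.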
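Review bot: `allow hal_graphics_composer_default hal_graphics_allocator_default:binder call;` is the one-way form; `binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)` grants call plus transfer in one place and spares a second audit2allow round for the reply path. The trailing blank `+` line at the end of the file is noise. The neverallow named in the hunk header starts outside the hunk.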
From: Alexandre Roux D'Anzi Date: Mon, 30 Mar 2020 17:30:32 +0200 Subject: [PATCH 3/9] fix hotspot --- sepolicy/hal_bluetooth_default.te | 1 + sepolicy/hal_wifi_hostapd_default.te | 1 + sepolicy/hal_wifi_supplicant_default.te | 2 ++ sepolicy/system_app.te | 2 +- 4 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 sepolicy/hal_bluetooth_default.te create mode 100644 sepolicy/hal_wifi_hostapd_default.te create mode 100644 sepolicy/hal_wifi_supplicant_default.te
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te new file mode 100644
index 0000000..0c1d3b1
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+allow hal_bluetooth_default conn_vendor_data_file:dir search;
diff --git a/sepolicy/hal_wifi_hostapd_default.te b/sepolicy/hal_wifi_hostapd_default.te new file mode 100644
index 0000000..d3236b8
--- /dev/null
+++ b/sepolicy/hal_wifi_hostapd_default.te
@@ -0,0 +1 @@
+allow hal_wifi_hostapd_default wifi_vendor_data_file:dir search;
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te new file mode 100644
index 0000000..a28b052
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant_default.te
@@ -0,0 +1,2 @@
+allow hal_wifi_supplicant_default wifi_vendor_data_file:dir search;
+
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 92d08d8..f6a588e 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -2,4 +2,4 @@ allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
 allow system_app sysfs_mdnie:dir search;
 allow system_app wificond:binder call;
 allow system_app proc_pagetypeinfo:file { getattr open read };
-
+allow system_app sysfs_virtual:dir search;
-- GitLab From 0598f19d2bea345be4fdb0b357f975f6d9cf6de3 Mon Sep 17 00:00:00 2001
From: Alexandre Roux D'Anzi Date: Mon, 30 Mar 2020 17:41:36 +0200 Subject: [PATCH 4/9] forgotten rule for wifi hospot + boot --- sepolicy/hal_graphics_composer.te | 1 + sepolicy/hal_wifi_hostapd_default.te | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
index c0c7aac..645b83d 100644
--- a/sepolicy/hal_graphics_composer.te
+++ b/sepolicy/hal_graphics_composer.te
@@ -23,4 +23,5 @@ neverallow { domain -hal_graphics_composer_default -init } device:chr_file { ope
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket read;
 allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
 allow hal_graphics_composer_default hal_graphics_allocator_default:binder call;
+allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
diff --git a/sepolicy/hal_wifi_hostapd_default.te b/sepolicy/hal_wifi_hostapd_default.te
index d3236b8..d40b9bd 100644
--- a/sepolicy/hal_wifi_hostapd_default.te
+++ b/sepolicy/hal_wifi_hostapd_default.te
@@ -1 +1,3 @@
 allow hal_wifi_hostapd_default wifi_vendor_data_file:dir search;
+allow hal_wifi_hostapd_default sysfs_virtual:dir search;
+
-- GitLab From 11f6f9b20d3e4dbec19f6db4f4decdeec7c767cf Mon Sep 17 00:00:00 2001 From: Alexandre Roux D'Anzi Date: Mon, 30 Mar 2020 20:07:40 +0200 Subject: [PATCH 5/9] fix encryption --- sepolicy/file_contexts | 2 +- sepolicy/hal_graphics_composer.te | 2 ++ sepolicy/lhd.te | 1 + sepolicy/vold.te | 1 + 4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index d910f28..129aaa2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
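Review bot: `allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };` is what `add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)` expands to, and the macro additionally emits a neverallow so no other domain can register that name; prefer the macro. Together with the hwservice `find` and the allocator `binder call` added one line per commit in patches 2, 4 and 5, this would read better as one block with a comment on what Exynos.HWCService is (`# Exynos.HWCService: vendor HWC service registered with vndservicemanager`). The neverallow in the hunk header starts outside the hunk.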
@@ -27,7 +27,7 @@
 /dev/gnss_ipc u:object_r:gps_device:s0
 /dev/ttySAC[1-9]* u:object_r:gps_device:s0
-/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+/dev/block/sda[0-9]* u:object_r:emmcblk_device:s0
 /dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
 /dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0
diff --git a/sepolicy/hal_graphics_composer.te b/sepolicy/hal_graphics_composer.te
index 645b83d..3c9821b 100644
--- a/sepolicy/hal_graphics_composer.te
+++ b/sepolicy/hal_graphics_composer.te
@@ -25,3 +25,5 @@ allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_m
 allow hal_graphics_composer_default hal_graphics_allocator_default:binder call;
 allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
+allow hal_graphics_composer_default sysfs:file read;
+
diff --git a/sepolicy/lhd.te b/sepolicy/lhd.te
index fdc9960..af7eaed 100644
--- a/sepolicy/lhd.te
+++ b/sepolicy/lhd.te
@@ -43,3 +43,4 @@ allow lhd sysfs_virtual:file { read write };
 allow lhd sysfs_virtual:lnk_file read;
 allow lhd sysfs_virtual:file open;
 allow lhd vendor_data_file:fifo_file { open read write lock };
+allow lhd vendor_data_file:fifo_file create;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index dc2658a..e31722c 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -6,3 +6,4 @@ allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr loc
 # sysfs_virtual
 allow vold sysfs_virtual:file write;
+allow vold emmcblk_device:blk_file { read write };
-- GitLab From 355d46639df369bcfbc9bb8d3868c4aebb273bea Mon Sep 17 00:00:00 2001
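Review bot: `/dev/block/sda[0-9]*` also matches the bare `/dev/block/sda` whole-disk node, because `[0-9]*` allows zero digits, so the raw disk gets emmcblk_device and every domain with emmcblk_device:blk_file write (vold, ueventd, lpm, uncrypt in this series) can write outside any partition; `/dev/block/sda[0-9]+ u:object_r:emmcblk_device:s0` keeps it to partitions. The two context lines below still label `/dev/block/mmcblk0p10` and `mmcblk0p11` as boot and recovery, which cannot be right if storage moved to sda; either those lines are stale or this one is. Entries for the individual sda partitions that should carry boot/recovery/userdata labels are not in this hunk, so it is worth confirming they exist and take precedence over this catch-all.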
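Review bot: The added `allow vold emmcblk_device:blk_file { read write };` is already covered by the rule the hunk header shows (`{ ioctl read write create getattr setattr loc…`), so it is a no-op and should be dropped. If the encryption fix is really about the whole-disk sda node that the file_contexts change in this same commit now labels emmcblk_device, say so in a comment rather than adding a duplicate rule; the existing rule starts outside the hunk.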
From: Alexandre Roux D'Anzi Date: Fri, 3 Apr 2020 14:11:27 +0200 Subject: [PATCH 6/9] draft: fix low power mode sepolicy --- ramdisk/etc/init.samsung.rc | 4 +-- sepolicy/attributes | 2 ++ sepolicy/file.te | 30 +++++++++++---------- sepolicy/file_contexts | 10 ++++--- sepolicy/healthd.te | 17 ++++++++++++ sepolicy/lpm.te | 52 +++++++++++++++++++++++++++++++++++++ 6 files changed, 96 insertions(+), 19 deletions(-) create mode 100644 sepolicy/lpm.te
diff --git a/ramdisk/etc/init.samsung.rc b/ramdisk/etc/init.samsung.rc
index 377bf5e..b30f2ee 100644
--- a/ramdisk/etc/init.samsung.rc
+++ b/ramdisk/etc/init.samsung.rc
@@ -1089,13 +1089,13 @@ on property:sys.boot_completed=1
 on property:persist.sys.setupwizard=FINISH
 pdp remove
-# PDP <-
 # LPM
 service lpm /system/bin/lpm
 class sec-charger
 user root
- group system radio input
+ seclabel u:r:lpm:s0
+ group system radio input root
 critical
 # MobiCore startup
diff --git a/sepolicy/attributes b/sepolicy/attributes
index ef37023..15b69ec 100644
--- a/sepolicy/attributes
+++ b/sepolicy/attributes
@@ -6,3 +6,5 @@ attribute rw_fs_type;
 # Tag for read/execute filesystem type
 attribute rx_fs_type;
+
+attribute efs_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index f842654..a13e45d 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
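Review bot: `seclabel u:r:lpm:s0` is redundant with `init_daemon_domain(lpm)` in lpm.te plus the `/system/bin/lpm u:object_r:lpm_exec:s0` entry in file_contexts from this same commit; the exec transition already lands the service in lpm, and an explicit seclabel only masks a mislabelled binary. Adding `root` to the group list of a service that already runs `user root` widens its supplementary groups for no stated reason; if a specific file needed it, name it in a comment. The enclosing `service lpm` block starts outside the hunk.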
@@ -1,19 +1,21 @@
 ### efs types
-type app_efs_file, file_type;
-type battery_efs_file, file_type;
-type baro_delta_factoryapp_efs_file, file_type;
-type bin_nv_data_efs_file, file_type;
-type sec_efs_file, file_type;
+type app_efs_file, efs_type, file_type, mlstrustedobject;
+type battery_efs_file, efs_type, file_type;
+type baro_delta_factoryapp_efs_file, efs_type, file_type;
+type bin_nv_data_efs_file, efs_type, file_type;
+type sec_efs_file, efs_type, file_type;
+type efs_lpm, efs_type, file_type;
+
 # widewine, drm
-type cpk_efs_file, file_type;
-type drm_efs_file, file_type;
-type factorymode_factoryapp_efs_file, file_type;
-type imei_efs_file, file_type;
-type prov_efs_file, file_type;
-type radio_factoryapp_efs_file, file_type;
-type sensor_efs_file, file_type;
-type sensor_factoryapp_efs_file, file_type;
-type wifi_efs_file, file_type;
+type cpk_efs_file, efs_type, file_type;
+type drm_efs_file, efs_type, file_type;
+type factorymode_factoryapp_efs_file, efs_type, file_type;
+type imei_efs_file, efs_type, file_type;
+type prov_efs_file, efs_type, file_type;
+type radio_factoryapp_efs_file, efs_type, file_type;
+type sensor_efs_file, efs_type, file_type;
+type sensor_factoryapp_efs_file, efs_type, file_type;
+type wifi_efs_file, efs_type, file_type;
 # gps
 type gps_data_file, file_type, data_file_type, core_data_file_type;
 type gps_socket, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 129aaa2..dfa22b2 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
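Review bot: `type efs_lpm, efs_type, file_type;` breaks the `<name>_efs_file` naming every other type in this block follows; `lpm_efs_file` would let the file_contexts and healthd rules read consistently. `mlstrustedobject` is added to app_efs_file alone with no comment on which MLS-constrained domain needs to reach it; a one-line `# mlstrustedobject: reached across MLS levels by <domain> — see <rule>` would stop the next reader from removing it. Tagging every EFS type with efs_type also means any `{ efs_type }` rule (healthd.te in this commit) spans imei, drm, prov and wifi data, so the attribute is a grouping attribute and should be documented as such next to its declaration.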
@@ -124,10 +124,11 @@
 /sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
 # charger
-/sys/devices/battery/power_supply(/.*) u:object_r:sysfs_charger:s0
-/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*) u:object_r:sysfs_charger:s0
-/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/battery/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/10940000.hsi2c/i2c-11/11-003b/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/10970000.hsi2c/i2c-13/13-0066/max77865-charger/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/10970000.hsi2c/i2c-13/13-0066/max77865-fuelgauge/power_supply(/.*) u:object_r:sysfs_charger:s0
 # CP device
 /dev/spi_boot_link u:object_r:radio_device:s0
@@ -153,6 +154,9 @@
 /sys/devices/[0-9]*\.dsim/lcd/panel/temperature u:object_r:sysfs_lcd:s0
 /sys/devices/[0-9]*\.dsim/lcd/panel/window_type u:object_r:sysfs_lcd:s0
+/efs/lpm u:object_r:efs_lpm:s0
+
+/system/bin/lpm u:object_r:lpm_exec:s0
 # modem
 /sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
index 6e6abb0..331695a 100644
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
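Review bot: `/efs/lpm u:object_r:efs_lpm:s0` has no `(/.*)?` suffix, so only that path itself gets the new label and anything lpm creates inside it falls back to the parent `/efs` rule; if `/efs/lpm` is a directory the entry should be `/efs/lpm(/.*)? u:object_r:efs_lpm:s0`. The four new charger entries carry over `(/.*)` without `?`, which matches children but not the `power_supply` directory itself, so a `dir search` on it resolves to the parent label — worth making `(/.*)?` while these lines are being rewritten.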
@@ -3,6 +3,23 @@ allow healthd device:dir rw_dir_perms;
 allow healthd rtc_device:chr_file rw_file_perms;
 allow healthd sysfs:file { open read getattr };
 allow healthd sysfs_charger:file { open read getattr };
+allow hal_health_default sysfs_charger:file { open read getattr };
+allow hal_health_default sysfs_charger:dir search;
+#allow hal_health_default sysfs_charger:dir rw_dir_perms;
 allow hal_health_default sysfs:file read;
 allow hal_health_default sysfs:file open;
 allow hal_health_default sysfs:file getattr;
+allow healthd sysfs:file rw_file_perms;
+allow healthd app_efs_file:file { open create write read };
+allow hal_health_default sysfs:file rw_file_perms;
+
+
+allow healthd efs_file:file rw_file_perms;
+allow hal_health_default efs_file:file rw_file_perms;
+
+
+allow healthd app_efs_file:file rw_file_perms;
+allow hal_health_default app_efs_file:file rw_file_perms;
+
+allow healthd { efs_type }:dir create_dir_perms;
+allow healthd { efs_type }:{ file lnk_file } create_file_perms;
diff --git a/sepolicy/lpm.te b/sepolicy/lpm.te new file mode 100644
index 0000000..109e75a
--- /dev/null
+++ b/sepolicy/lpm.te
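Review bot: `allow healthd { efs_type }:dir create_dir_perms;` and the matching `{ file lnk_file } create_file_perms` rule give healthd create/write/unlink over every type carrying efs_type after this commit — imei, drm, prov, wifi and the factory-calibration files included — when the only EFS data a battery daemon plausibly touches is battery_efs_file; narrow it to that type (or the new efs_lpm) and name the path in a comment. Once that is done the `healthd efs_file:file rw_file_perms` and `app_efs_file` lines added in the same hunk are subsumed and can go. `allow healthd sysfs:file rw_file_perms;` and its hal_health_default twin also write to the generic sysfs label where `sysfs_charger`, already used two lines up, is the intended target.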
@@ -0,0 +1,52 @@
+type lpm, domain, mlstrustedsubject;
+type lpm_exec, exec_type, file_type, coredomain;
+init_daemon_domain(lpm);
+
+
+#being unable to find a proper fix for lpm... put it permissive
+
+permissive lpm;
+
+
+########## self and domain_type
+allow lpm self:netlink_kobject_uevent_socket { create setopt bind read };
+allow lpm self:capability { net_admin sys_tty_config sys_boot };
+
+########## fs_type
+allow lpm proc_sysrq:file rw_file_perms;
+allow lpm sysfs:file rw_file_perms;
+allow lpm sysfs_sec:file rw_file_perms;
+allow lpm sysfs_input:file rw_file_perms;
+
+
+allow lpm ashmem_device:chr_file execute;
+allow lpm graphics_device:chr_file rw_file_perms;
+allow lpm graphics_device:dir rw_dir_perms;
+allow lpm input_device:chr_file rw_file_perms;
+allow lpm input_device:dir rw_dir_perms;
+allow lpm input_device:file rw_file_perms;
+allow lpm tty_device:chr_file rw_file_perms;
+
+
+allow lpm sysfs_charger:file rw_file_perms;
+allow lpm sysfs_charger:dir r_dir_perms;
+
+allow lpm battery_efs_file:file { rw_file_perms open };
+allow lpm battery_efs_file:dir rw_dir_perms;
+
+allow lpm imei_efs_file:file { rw_file_perms open create };
+
+allow lpm efs_file:file { open create write read };
+allow lpm app_efs_file:file { open create write read };
+allow lpm sysfs:file rw_file_perms;
+allow lpm sysfs:dir r_dir_perms;
+allow lpm sysfs_leds:file rw_file_perms;
+allow lpm sysfs_leds:dir r_dir_perms;
+allow lpm { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+allow lpm sysfs_type:dir r_dir_perms;
+
+allow lpm efs_file:file create_file_perms;
+
+allow lpm block_device:dir r_dir_perms;
+allow lpm emmcblk_device:blk_file rw_file_perms;
+allow lpm userdata_block_device:blk_file rw_file_perms;
-- GitLab From 4064597fedd60a8e83067275833c5b9cfd9d17ec Mon Sep 17 00:00:00 2001
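Review bot: `permissive lpm;` turns enforcement off for this domain, which defeats the purpose of the series and is rejected by the AOSP policy build on user builds; the allow list below already covers what an off-mode charger UI needs, so the line should go and any remaining denials be collected from the log rather than blanket-permitted. `type lpm_exec, exec_type, file_type, coredomain;` attaches coredomain, a process-domain attribute, to the exec file type — if it is meant at all it belongs on the domain, `type lpm, domain, coredomain, mlstrustedsubject;`. `allow lpm { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;`, `imei_efs_file:file { … create }` and raw rw on `userdata_block_device` / `emmcblk_device` are very broad for a charging screen, and the duplicated `sysfs:file rw_file_perms` and `efs_file:file` rules show this was pasted from several audit2allow runs and needs one consolidation pass.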
From: Alexandre Roux D'Anzi Date: Fri, 3 Apr 2020 14:15:09 +0200 Subject: [PATCH 7/9] forgotten nfc rule --- sepolicy/hal_nfc_default.te | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 sepolicy/hal_nfc_default.te
diff --git a/sepolicy/hal_nfc_default.te b/sepolicy/hal_nfc_default.te new file mode 100644
index 0000000..3f90a03
--- /dev/null
+++ b/sepolicy/hal_nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_default_prop:property_service set;
+
-- GitLab From e43d537a8fe788ca9869f35fe9fbadb2c65393d5 Mon Sep 17 00:00:00 2001 From: Alexandre Roux D'Anzi Date: Fri, 10 Apr 2020 15:22:43 +0200 Subject: [PATCH 8/9] enable LTE by default --- system_prop.mk | 1 + 1 file changed, 1 insertion(+)
diff --git a/system_prop.mk b/system_prop.mk
index 8c94513..38de53a 100644
--- a/system_prop.mk
+++ b/system_prop.mk
@@ -34,6 +34,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
 ro.hardware.keystore=mdfpp \
 ro.frp.pst=/dev/block/persistent \
 ro.sf.lcd_density=560 \
+ ro.telephony.default_network=9 \
 sys.use_fifo_ui=0 \
 ro.gfx.driver.0=com.samsung.gpudriver.S8MaliG71_90 \
 ro.hardware.egl=mali \
-- GitLab From 4b24a45894b93fcbb7560a7eb0260ededa99bcc8 Mon Sep 17 00:00:00 2001 From: Alexandre Roux D'Anzi Date: Tue, 14 Apr 2020 11:46:16 +0200 Subject: [PATCH 9/9] fix signal level when selinux is enabled --- ramdisk/etc/init.samsung.rc | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/ramdisk/etc/init.samsung.rc b/ramdisk/etc/init.samsung.rc
index b30f2ee..f278fdd 100644
--- a/ramdisk/etc/init.samsung.rc
+++ b/ramdisk/etc/init.samsung.rc
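Review bot: `allow hal_nfc_default vendor_default_prop:property_service set;` on its own does not let the HAL reach the property service socket; `set_prop(hal_nfc_default, vendor_default_prop)` is the form that also grants the unix_socket_connect and the read side, consistent with the other set_prop uses in this series. vendor_default_prop is the catch-all for every vendor property without its own context, so this grants set on all of them; a dedicated vendor_nfc_prop type with a property_contexts entry for the one property the HAL sets would scope it, and a comment naming that property is needed either way.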
@@ -340,6 +340,9 @@ on post-fs-data
 chmod 0755 /data/snap/snap_gpu_kernel_64.bin
 rm /efs/snap/snap_gpu_kernel_64.bin
 rm /efs/snap/snap_gpu_kernel_32.bin
+ # fix signal level
+ rm /data/dalvik-cache/arm/system@framework@boot-telephony-common.art
+ rm /data/dalvik-cache/arm64/system@framework@boot-telephony-common.art
 # It is recommended to put unnecessary data/ initialization from post-fs-data
 # to start-zygote in device's init.rc to unblock zygote start.
-- GitLab
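Review bot: The two `rm /data/dalvik-cache/.../system@framework@boot-telephony-common.art` lines run on every boot, so the telephony boot-image extension is deleted and regenerated (or run without) each time; that is a per-boot workaround, and `# fix signal level` does not say what in that image is stale. If a mismatched image after enabling SELinux is the cause, a comment recording the observed denial or runtime error, and a one-shot guard (a marker file under /data checked before the rm) would be safer than an unconditional delete. The enclosing `on post-fs-data` section starts outside the hunk.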