Enabled SELinux in enforced mode

This is an important security feature!

Change-Id: Ie0cef85575aeff77bbf7b638ef1dd149c511c14f

Android.mk

 #
 # Copyright (C) 2016 The CyanogenMod Project
+# Copyright (C) 2017-2020 The LineageOS Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

BoardConfigCommon.mk

 #
 # Copyright (C) 2016 The CyanogenMod Project
+# Copyright (C) 2017-2020 The LineageOS Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -47,7 +48,8 @@ TARGET_USES_64_BIT_BCMDHD := true
 ENABLE_CPUSETS := true
 
 # Boot image/kernel
-BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-5 loop.max_part=7 dwc3_msm.hvdcp_max_current=1500 dwc3_msm.prop_chg_detect=Y coherent_pool=2M androidboot.selinux=permissive
+BOARD_KERNEL_CMDLINE := androidboot.hardware=qcom user_debug=31 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 boot_cpus=0-5 loop.max_part=7 dwc3_msm.hvdcp_max_current=1500 dwc3_msm.prop_chg_detect=Y coherent_pool=2M
+# BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_IMAGE_NAME := Image.gz-dtb
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_BASE := 0x00000000
@@ -193,9 +195,7 @@ TARGET_LD_SHIM_LIBS := \
 
 # SELinux
 include device/qcom/sepolicy-legacy/sepolicy.mk
-
-BOARD_SEPOLICY_DIRS += \
-    $(COMMON_PATH)/sepolicy-minimal
+BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy
 
 # WiFi
 BOARD_WLAN_DEVICE           := bcmdhd

device-common.mk

 #
 # Copyright (C) 2016 The CyanogenMod Project
-# Copyright (C) 2017 The LineageOS Project
+# Copyright (C) 2017-2020 The LineageOS Project
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -326,7 +326,4 @@ PRODUCT_PACKAGES += \
     wpa_supplicant \
     wpa_supplicant.conf
 
-PRODUCT_PACKAGES += \
-   macaddrsetup
-
 $(call inherit-product, hardware/broadcom/wlan/bcmdhd/config/config-bcm.mk)

rootdir/init.qcom.rc

@@ -238,7 +238,7 @@ on boot
     mkdir /data/nfc 0770 nfc nfc
     mkdir /data/nfc/param 0770 nfc nfc
 
-    # Set the console loglevel to < KERN_INFO
+    # Set the console loglevel to lt. KERN_INFO
     # Set the default message loglevel to KERN_INFO
     write /proc/sys/kernel/printk "6 6 1 7"
 
@@ -556,7 +556,7 @@ service adsprpcd /system/bin/adsprpcd
    group media drmrpc
 
 # SONY misc
-service tad_static /system/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16
+service tad /system/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16
     class core
     user oem_2997
     group oem_2997 root
@@ -650,19 +650,18 @@ service per_proxy /system/bin/pm-proxy
     group system net_raw
     disabled
 
-service ppd /system/vendor/bin/mm-pp-daemon
-    class hal
-    user system
-    socket pps stream 0660 system system
-    group system graphics
-    writepid /dev/cpuset/system-background/tasks
-
 on property:init.svc.per_mgr=running
     start per_proxy
 
 on property:sys.shutdown.requested=*
     stop per_proxy
 
+service ppd /system/vendor/bin/mm-pp-daemon
+    class hal
+    user system
+    socket pps stream 0660 system system
+    group system graphics
+
 # brcm-uim-sysfs (BT/FM/ANT+)
 #service uim /system/vendor/bin/brcm-uim-sysfs
 #    class late_start

sepolicy-minimal/file.te

-type idd_file, file_type;
-type rca_file, file_type;

sepolicy-minimal/file_contexts

-/idd(/.*)?              u:object_r:firmware_file:s0
-/rca(/.*)?              u:object_r:firmware_file:s0

sepolicy/addrsetup.te

-type addrsetup, domain, domain_deprecated;
-type addrsetup_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(addrsetup)
-
-# Connect to /dev/socket/tad
-unix_socket_connect(addrsetup, tad, tad)
-
-allow addrsetup bluetooth_data_file:dir rw_dir_perms;
-allow addrsetup bluetooth_data_file:file create_file_perms;
-
-allow addrsetup sysfs_addrsetup:file rw_file_perms;
-
-allow addrsetup urandom_device:file read;
-allow addrsetup tad_socket:sock_file { write };
-
-

sepolicy/audioserver.te

-allow audioserver tad:unix_stream_socket connectto;
 allow audioserver tad_socket:sock_file write;
+allow audioserver perfd:unix_stream_socket connectto;
+allow audioserver socket_device:sock_file write;

sepolicy/bluetooth.te

-allow bluetooth hci_attach_dev:chr_file { open read write };
-allow bluetooth ta_data_file:file { open read };
-allow bluetooth ta_data_file:dir { search };
-

sepolicy/cameraserver.te

-allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
-allow cameraserver mm-qcamerad:unix_stream_socket connectto;
 allow cameraserver camera_data_file:sock_file write;
 allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver perfd:unix_stream_socket connectto;
 allow cameraserver rootfs:lnk_file getattr;
 allow cameraserver sysfs_camera_torch:file rw_file_perms;
 allow cameraserver sysfs_camera_torch:dir search;
 allow cameraserver sysfs_camera_torch:lnk_file read;
 allow cameraserver ta_data_file:dir search;
-allow cameraserver secd:unix_stream_socket connectto;
 allow cameraserver secd_socket:sock_file write;
-
+allow cameraserver hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow cameraserver hal_configstore_default:binder call;
+allow cameraserver socket_device:sock_file write;
+allow cameraserver sysfs_graphics:file { getattr open read };
+allow cameraserver init:unix_dgram_socket sendto;
+allow cameraserver qcamerasvr:unix_dgram_socket sendto;
+allow cameraserver qcamerasvr:unix_stream_socket connectto;

sepolicy/clatd.te

+allow clatd system_file:file lock;

sepolicy/device.te

 type trim_area_partition_device, dev_type;
 type diag_partition_device, dev_type;
+type subsys_modem_device, dev_type;

sepolicy/file.te

-# BRCM BT FM
-type brcm_ldisc_sysfs, sysfs_type, fs_type;
-type brcm_uim_exec, exec_type, file_type;
-
 # TAD
 type tad_socket, file_type;
 type ta_data_file, file_type;
@@ -14,10 +10,14 @@ type sysfs_timekeep, fs_type, sysfs_type;
 
 # Macaddr
 type sysfs_addrsetup, fs_type, sysfs_type;
-
 type proc_kernel_sched, fs_type;
-
 type sysfs_camera_torch, sysfs_type, file_type;
+type sysfs_performance, sysfs_type, fs_type;
+type sysfs_msm_subsys, sysfs_type, fs_type;
 
+# Fingerprint
+type fpc_data_file, file_type;
+
+# Camera
+type sysfs_camera, sysfs_type, fs_type;
 
-type sysfs_performance, sysfs_type, fs_type;

sepolicy/file_contexts

 # NFC
-/dev/pn54x                               u:object_r:nfc_device:s0
+/dev/pn54x                                                 u:object_r:nfc_device:s0
 
-/system/bin/macaddrsetup                 u:object_r:addrsetup_exec:s0
-/system/bin/timekeep                     u:object_r:timekeep_exec:s0
-/system/bin/mlog_qmi_service             u:object_r:mlog_qmi_exec:s0
-/system/bin/sct_service                  u:object_r:sct_exec:s0
-/system/bin/tad_static                   u:object_r:tad_exec:s0
-/system/bin/ta_qmi_service               u:object_r:ta_qmi_exec:s0
-/system/bin/taimport                     u:object_r:taimport_exec:s0
-/system/bin/init\.qcom\.power\.sh        u:object_r:init-power-sh_exec:s0
-/system/bin/updatemiscta                 u:object_r:ta_qmi_exec:s0
-/system/bin/secd                         u:object_r:secd_exec:s0
-
-/system/vendor/bin/brcm-uim-sysfs        u:object_r:brcm_uim_exec:s0
-/system/vendor/bin/mlog_qmi_service      u:object_r:mlog_qmi_exec:s0
-/system/vendor/bin/sct_service           u:object_r:sct_exec:s0
-/system/vendor/bin/tad_static            u:object_r:tad_exec:s0
-/system/vendor/bin/ta_qmi_service        u:object_r:ta_qmi_exec:s0
-/system/vendor/bin/taimport              u:object_r:taimport_exec:s0
-/system/vendor/bin/updatemiscta          u:object_r:ta_qmi_exec:s0
-/system/vendor/bin/secd                  u:object_r:secd_exec:s0
-
-/dev/block/mmcblk0p1                                           u:object_r:trim_area_partition_device:s0
-/dev/block/platform/soc\.0/7824900\.sdhci/by-name/TA           u:object_r:trim_area_partition_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/TA          u:object_r:trim_area_partition_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/TA                     u:object_r:trim_area_partition_device:s0
-/dev/block/bootdevice/by-name/TA                               u:object_r:trim_area_partition_device:s0
-/dev/block/platform/soc\.0/7824900\.sdhci/by-name/diag         u:object_r:diag_partition_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/diag        u:object_r:diag_partition_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/by-num/p39          u:object_r:diag_partition_device:s0
-/dev/block/platform/soc\.0/f9824900\.sdhci/mmcblk0p39          u:object_r:diag_partition_device:s0
-/dev/block/bootdevice/by-name/diag                             u:object_r:diag_partition_device:s0
-/dev/block/bootdevice/by-num/p39                               u:object_r:diag_partition_device:s0
-/dev/block/bootdevice/mmcblk0p39                               u:object_r:diag_partition_device:s0
-/dev/block/mmcblk0p39                                          u:object_r:diag_partition_device:s0
+/dev/block/mmcblk0p1                                       u:object_r:trim_area_partition_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/TA       u:object_r:trim_area_partition_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/TA      u:object_r:trim_area_partition_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/TA                 u:object_r:trim_area_partition_device:s0
+/dev/block/bootdevice/by-name/TA                           u:object_r:trim_area_partition_device:s0
+/dev/block/platform/soc\.0/7824900\.sdhci/by-name/diag     u:object_r:diag_partition_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/by-name/diag    u:object_r:diag_partition_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/by-num/p39      u:object_r:diag_partition_device:s0
+/dev/block/platform/soc\.0/f9824900\.sdhci/mmcblk0p39      u:object_r:diag_partition_device:s0
+/dev/block/bootdevice/by-name/diag                         u:object_r:diag_partition_device:s0
+/dev/block/bootdevice/by-num/p39                           u:object_r:diag_partition_device:s0
+/dev/block/bootdevice/mmcblk0p39                           u:object_r:diag_partition_device:s0
+/dev/block/mmcblk0p39                                      u:object_r:diag_partition_device:s0
 
 # WiFi MAC address
-/sys/devices/platform/bcmdhd_wlan/macaddr                                                u:object_r:sysfs_addrsetup:s0
-/sys/devices(/soc\.0)?/bcmdhd_wlan.83/macaddr                                            u:object_r:sysfs_addrsetup:s0
+/sys/devices/platform/bcmdhd_wlan/macaddr                  u:object_r:sysfs_addrsetup:s0
+/sys/devices(/soc\.0)?/bcmdhd_wlan.83/macaddr              u:object_r:sysfs_addrsetup:s0
 
 # Camera
-/sys/devices(/soc\.0)?/pmi8994-flash-27(/.*)?  u:object_r:sysfs_camera_torch:s0
-
-# MSM Performance
-/sys/module/msm_performance(/.*)?                                   u:object_r:sysfs_performance:s0
+/sys/devices(/soc\.0)?/pmi8994-flash-27(/.*)?              u:object_r:sysfs_camera_torch:s0
 
 # HCI
-/dev/ttyHS0                              u:object_r:hci_attach_dev:s0
-/dev/brcm_bt_drv                         u:object_r:hci_attach_dev:s0
+/dev/ttyHS0                                                u:object_r:hci_attach_dev:s0
+/dev/brcm_bt_drv                                           u:object_r:hci_attach_dev:s0
+
+/dev/subsys_modem                                          u:object_r:subsys_modem_device:s0
 
 # Taimport
-/data/etc                                u:object_r:ta_data_file:s0
-/data/etc(/.*)                           u:object_r:ta_data_file:s0
+/data/etc                                                  u:object_r:ta_data_file:s0
+/data/etc(/.*)                                             u:object_r:ta_data_file:s0
 
-#TA
-/dev/socket/tad                          u:object_r:tad_socket:s0
-/dev/socket/secd_credmgr_sock            u:object_r:secd_socket:s0
-/dev/socket/secd_devsec_sock             u:object_r:secd_socket:s0
-/dev/socket/secd_ebl_sock                u:object_r:secd_socket:s0
-/data/credmgr                            u:object_r:secd_data_file:s0
-/data/credmgr(/.*)                       u:object_r:secd_data_file:s0
-/idd                                     u:object_r:diag_data_file:s0
-/idd(/.*)?                               u:object_r:diag_data_file:s0
+# Fingerprint sensor SPI device
+/data/fpc(/.*)?                                            u:object_r:fpc_data_file:s0
+/data/fpcd(/.*)?                                           u:object_r:fpc_data_file:s0
 
-# TimeKeep
-/data/time(/.*)                          u:object_r:timekeep_data_file:s0
+# TA
+/dev/socket/tad                                            u:object_r:tad_socket:s0
+/dev/socket/secd_credmgr_sock                              u:object_r:secd_socket:s0
+/dev/socket/secd_devsec_sock                               u:object_r:secd_socket:s0
+/dev/socket/secd_ebl_sock                                  u:object_r:secd_socket:s0
+/data/credmgr                                              u:object_r:secd_data_file:s0
+/data/credmgr(/.*)                                         u:object_r:secd_data_file:s0
+/idd                                                       u:object_r:diag_data_file:s0
+/idd(/.*)?                                                 u:object_r:diag_data_file:s0
+/rca(/.*)?                                                 u:object_r:firmware_file:s0
 
-# Fingerprint sensor SPI device
+# TimeKeep
+/data/time(/.*)                                            u:object_r:timekeep_data_file:s0
 
-/data/fpcd(/.*)?                                                         u:object_r:fpcd_old_data_file:s0
+# Misc
+/system/bin/adsprpcd                                       u:object_r:adsprpcd_exec:s0
+/system/bin/iddd                                           u:object_r:iddd_exec:s0
+/system/bin/init\.qcom\.power\.sh                          u:object_r:init-power-sh_exec:s0
+/system/bin/irsc_util                                      u:object_r:irsc_util_exec:s0
+/system/bin/loc_launcher                                   u:object_r:loc_launcher_exec:s0
+/system/bin/mlog_qmi_service                               u:object_r:mlog_qmi_service_exec:s0
+/system/bin/mm-qcamera-daemon                              u:object_r:qcamerasvr_exec:s0
+/system/bin/msm_irqbalance                                 u:object_r:msm_irqbalance_exec:s0
+/system/bin/netmgrd                                        u:object_r:netmgrd_exec:s0
+/system/bin/pm-proxy                                       u:object_r:per_proxy_exec:s0
+/system/bin/pm-service                                     u:object_r:per_mgr_exec:s0
+/system/bin/qmuxd                                          u:object_r:qmuxd_exec:s0
+/system/bin/qseecomd                                       u:object_r:tee_exec:s0
+/system/bin/rmt_storage                                    u:object_r:rmt_storage_exec:s0
+/system/bin/sct_service                                    u:object_r:sct_service_exec:s0
+/system/bin/secd                                           u:object_r:secd_exec:s0
+/system/bin/sensors\.qcom                                  u:object_r:sensors_exec:s0
+/system/bin/tad_static                                     u:object_r:tad_exec:s0
+/system/bin/taimport                                       u:object_r:taimport_exec:s0
+/system/bin/ta_qmi_service                                 u:object_r:ta_qmi_service_exec:s0
+/system/bin/updatemiscta                                   u:object_r:updatemiscta_exec:s0
+/system/vendor/bin/mm-pp-daemon                            u:object_r:ppd_exec:s0
+/system/vendor/bin/perfd                                   u:object_r:perfd_exec:s0
+/system/vendor/bin/timekeep                                u:object_r:timekeep_exec:s0
 
-/data/fpc(/.*)?                                                          u:object_r:fpcd_data_file:s0
-/data/fpc/socket(/.*)?                                                   u:object_r:fpcd_socket:s0
+/system/vendor/(lib|lib64)/libril-wrapper\.so              u:object_r:hal_ril_wrapper_exec:s0
 
-/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/irq            u:object_r:sysfs_fpcd_irq:s0
-/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/clk_enable     u:object_r:sysfs_fpcd_clk_enable:s0
-/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/spi_prepare    u:object_r:sysfs_fpcd_spi_prepare:s0
-/sys/devices/soc\.0/f9923000\.spi/spi_master/spi0/spi0\.1/wakeup_enable  u:object_r:sysfs_fpcd_wakeup:s0

sepolicy/fingerprintd.te

-allow fingerprintd tee_device:chr_file rw_file_perms;
-allow fingerprintd sysfs:file w_file_perms;
-
-type fpcd_old_data_file, file_type, data_file_type;
-type fpcd_data_file,file_type, data_file_type;
-type fpcd_socket, file_type;
-
-type sysfs_fpcd_clk_enable, fs_type, sysfs_type;
-type sysfs_fpcd_irq, fs_type, sysfs_type;
-type sysfs_fpcd_spi_prepare, fs_type, sysfs_type;
-type sysfs_fpcd_wakeup, fs_type, sysfs_type;
-
-allow fingerprintd diag_data_file:dir search;
-allow fingerprintd diag_data_file:dir rw_dir_perms;
-allow fingerprintd diag_data_file:file rw_file_perms;
-allow fingerprintd diag_data_file:sock_file { write create unlink };
-
-allow fingerprintd fpcd_old_data_file:file rw_file_perms;
-
-allow fingerprintd fpcd_data_file:dir rw_dir_perms;
-allow fingerprintd fpcd_data_file:file rw_file_perms;
-allow fingerprintd fpcd_data_file:sock_file { write create unlink };
-
-allow fingerprintd fpcd_socket:file rw_file_perms;
-
-allow fingerprintd input_device:dir r_dir_perms;
-allow fingerprintd input_device:chr_file r_file_perms;
-
-allow fingerprintd sysfs_fpcd_irq:file rw_file_perms;
-allow fingerprintd sysfs_fpcd_clk_enable:file rw_file_perms;
-allow fingerprintd sysfs_fpcd_spi_prepare:file rw_file_perms;
-allow fingerprintd sysfs_fpcd_wakeup:file rw_file_perms;

sepolicy/fsck.te

-allow fsck urandom_device:file getattr;

sepolicy/gatekeeperd.te

-allow gatekeeperd firmware_file:file r_file_perms;
-allow gatekeeperd firmware_file:dir search;
-set_prop(gatekeeperd, tee_prop)
+allow gatekeeperd tee_prop:file { getattr open read };

sepolicy/hal_bluetooth_default.te

+allow hal_bluetooth_default firmware_file:file { open read };
+allow hal_bluetooth_default sysfs:file write;
+allow hal_bluetooth_default system_data_file:file { open read };
+allow hal_bluetooth_default firmware_file:dir search;
+allow hal_bluetooth_default ta_data_file:dir search;
+allow hal_bluetooth_default ta_data_file:file { open read };

sepolicy/hal_camera_default.te

+allow hal_camera_default camera_data_file:sock_file write;
+allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default socket_device:sock_file write;

sepolicy/hal_fingerprint_default.te

+allow hal_fingerprint_default tee_device:chr_file ioctl;
+allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default sysfs:file write;
+allow hal_fingerprint_default tee_device:chr_file { open read write };
+allow hal_fingerprint_default firmware_file:file { getattr open read };
+allow hal_fingerprint_default input_device:chr_file { ioctl open read };
+allow hal_fingerprint_default input_device:dir { open read };
+allow hal_fingerprint_default system_data_file:dir { add_name remove_name write };
+allow hal_fingerprint_default system_data_file:sock_file { create unlink };
+allow hal_fingerprint_default diag_data_file:sock_file write;
+allow hal_fingerprint_default fpc_data_file:dir { add_name remove_name write };
+allow hal_fingerprint_default fpc_data_file:sock_file { create unlink };
+allow hal_fingerprint_default init:unix_dgram_socket sendto;
+allow hal_fingerprint_default iddd:unix_dgram_socket sendto;
+allow hal_fingerprint_default firmware_file:lnk_file read;
+allow hal_fingerprint_default fpc_data_file:dir search;
+allow hal_fingerprint_default input_device:dir search;
+allow hal_fingerprint_default diag_data_file:dir search;