authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-05-10 06:52:23 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-05-10 06:52:23 +0000
commit4c60f942f2b976ca157a389db37d9ca3f5830cc9 (patch)
tree06efaeec64d08cf60811027609eb575e676979bd
parent92551726694f8eb0c85930e7e3ab7586fe5c6153 (diff)
parentff8cde2e81bd9209d1ba46c826fa2bab4d6f2d86 (diff)
downloadcoral-sepolicy-4c60f942f2b976ca157a389db37d9ca3f5830cc9.tar.gz
Snap for 8564071 from ff8cde2e81bd9209d1ba46c826fa2bab4d6f2d86 to mainline-sdkext-release
Change-Id: Ica21c75372b46b1297243002d8100661e612ae8e
-rw-r--r--OWNERS15
-rw-r--r--PREUPLOAD.cfg3
-rw-r--r--coral-sepolicy.mk8
-rw-r--r--private/genfs_contexts9
-rw-r--r--private/seapp_contexts15
-rw-r--r--private/toolbox.te6
-rw-r--r--private/uscc_omadm.te9
-rw-r--r--private/vzw_omadm_connmo.te9
-rw-r--r--private/vzw_omadm_dcmo.te9
-rw-r--r--private/vzw_omadm_diagmon.te9
-rw-r--r--private/vzw_omadm_trigger.te9
-rw-r--r--public/property.te3
-rw-r--r--system_ext/private/platform_app.te2
-rw-r--r--system_ext/private/property_contexts10
-rw-r--r--system_ext/public/property.te2
-rw-r--r--tracking_denials/incidentd.te2
-rw-r--r--tracking_denials/surfaceflinger.te3
-rw-r--r--vendor/google/airbrush.te2
-rw-r--r--vendor/google/bug_map6
-rw-r--r--vendor/google/citadel_provision.te42
-rw-r--r--vendor/google/citadeld.te19
-rw-r--r--vendor/google/device.te2
-rw-r--r--vendor/google/dumpstate.te1
-rw-r--r--vendor/google/fastbootd.te1
-rw-r--r--vendor/google/file.te15
-rw-r--r--vendor/google/file_contexts38
-rw-r--r--vendor/google/genfs_contexts26
-rw-r--r--vendor/google/google_camera_app.te4
-rw-r--r--vendor/google/grilservice_app.te7
-rw-r--r--vendor/google/hal_camera_default.te2
-rw-r--r--vendor/google/hal_dumpstate_impl.te13
-rw-r--r--vendor/google/hal_face_default.te3
-rw-r--r--vendor/google/hal_health_default.te4
-rw-r--r--vendor/google/hal_identity_citadel.te9
-rw-r--r--vendor/google/hal_keymaster_citadel.te11
-rw-r--r--vendor/google/hal_neuralnetworks_darwinn.te2
-rw-r--r--vendor/google/hal_power_default.te2
-rw-r--r--vendor/google/hal_power_stats_default.te5
-rw-r--r--vendor/google/hal_rebootescrow_citadel.te17
-rw-r--r--vendor/google/hal_secure_element_default.te6
-rw-r--r--vendor/google/hal_usb_impl.te4
-rw-r--r--vendor/google/hal_weaver_citadel.te11
-rw-r--r--vendor/google/hbmsvmanager_app.te4
-rw-r--r--vendor/google/hwservice.te14
-rw-r--r--vendor/google/hwservice_contexts2
-rw-r--r--vendor/google/init-insmod-sh.te10
-rw-r--r--vendor/google/init.te6
-rw-r--r--vendor/google/init_citadel.te21
-rw-r--r--vendor/google/logger_app.te16
-rw-r--r--vendor/google/modem_diagnostics.te8
-rw-r--r--vendor/google/modem_svc.te3
-rw-r--r--vendor/google/nfc.te1
-rw-r--r--vendor/google/oslo_app.te5
-rw-r--r--vendor/google/pixelstats_vendor.te12
-rw-r--r--vendor/google/property.te30
-rw-r--r--vendor/google/property_contexts14
-rw-r--r--vendor/google/ramdump.te38
-rw-r--r--vendor/google/recovery.te1
-rw-r--r--vendor/google/seapp_contexts9
-rw-r--r--vendor/google/service.te1
-rw-r--r--vendor/google/service_contexts2
-rw-r--r--vendor/google/ssr_detector.te2
-rw-r--r--vendor/google/twoshay.te6
-rw-r--r--vendor/google/uv_exposure_reporter.te20
-rw-r--r--vendor/google/vendor_init.te5
-rw-r--r--vendor/google/vendor_shell.te1
-rw-r--r--vendor/google/vndservice.te2
-rw-r--r--vendor/google/vndservice_contexts2
-rw-r--r--vendor/google/wait_for_strongbox.te9
-rw-r--r--vendor/google/wifi_sniffer.te17
-rw-r--r--vendor/qcom/common/cnd.te3
-rw-r--r--vendor/qcom/common/con_monitor.te2
-rw-r--r--vendor/qcom/common/file.te12
-rw-r--r--vendor/qcom/common/file_contexts17
-rw-r--r--vendor/qcom/common/genfs_contexts5
-rw-r--r--vendor/qcom/common/hal_drm_widevine.te2
-rw-r--r--vendor/qcom/common/hal_gnss_qti.te2
-rw-r--r--vendor/qcom/common/hal_neuralnetworks.te3
-rw-r--r--vendor/qcom/common/hal_nfc_default.te3
-rw-r--r--vendor/qcom/common/hal_rcsservice.te2
-rw-r--r--vendor/qcom/common/hal_sensors_default.te2
-rw-r--r--vendor/qcom/common/hal_wifi_ext.te2
-rw-r--r--vendor/qcom/common/hwservice.te53
-rw-r--r--vendor/qcom/common/hwservice_contexts5
-rw-r--r--vendor/qcom/common/init-qti-keymaster-sh.te37
-rw-r--r--vendor/qcom/common/init.te2
-rw-r--r--vendor/qcom/common/location.te1
-rw-r--r--vendor/qcom/common/mediatranscoding.te2
-rw-r--r--vendor/qcom/common/pd_services.te2
-rw-r--r--vendor/qcom/common/peripheral_manager.te1
-rw-r--r--vendor/qcom/common/property.te145
-rw-r--r--vendor/qcom/common/property_contexts6
-rw-r--r--vendor/qcom/common/qtelephony.te1
-rw-r--r--vendor/qcom/common/qtidataservices_app.te2
-rw-r--r--vendor/qcom/common/rfs_access.te2
-rw-r--r--vendor/qcom/common/rmt_storage.te2
-rw-r--r--vendor/qcom/common/seapp_contexts14
-rw-r--r--vendor/qcom/common/sensors.te3
-rw-r--r--vendor/qcom/common/service.te1
-rw-r--r--vendor/qcom/common/service_contexts3
-rw-r--r--vendor/qcom/common/vendor_init.te3
-rw-r--r--vendor/st/file_contexts15
-rw-r--r--vendor/st/hal_nfc_default.te9
-rw-r--r--vendor/st/hal_secure_element_default.te5
-rw-r--r--vendor/st/property.te2
-rw-r--r--vendor/st/property_contexts6
-rw-r--r--vendor/st/vendor_init.te2
107 files changed, 557 insertions, 458 deletions
diff --git a/OWNERS b/OWNERS
index eddcdf6..791abb4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,12 +1,3 @@
-adamshih@google.com
-alanstokes@google.com
-bowgotsai@google.com
-jbires@google.com
-jeffv@google.com
-jgalenson@google.com
-jiyong@google.com
-nnk@google.com
-sspatil@google.com
-smoreland@google.com
-tomcherry@google.com
-trong@google.com
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg
new file mode 100644
index 0000000..3591c7f
--- /dev/null
+++ b/PREUPLOAD.cfg
@@ -0,0 +1,3 @@
+[Hook Scripts]
+aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index b4da01c..bdaa5b4 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -7,4 +7,12 @@ BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/st
BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
+
+# Pixel-wide
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/coral-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/coral-sepolicy/system_ext/private
diff --git a/private/genfs_contexts b/private/genfs_contexts
new file mode 100644
index 0000000..0baaf38
--- /dev/null
+++ b/private/genfs_contexts
@@ -0,0 +1,9 @@
+####### Coresight ETM ###############
+genfscon sysfs /devices/platform/soc/7040000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7140000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7240000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7340000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7440000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7540000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7640000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/soc/7740000.etm u:object_r:sysfs_devices_cs_etm:s0
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 6b8b2cc..f97e9c8 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -3,3 +3,18 @@ user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_
#Domain for Sprint Hidden Menu
user=_app isPrivApp=true seinfo=platform name=com.google.android.hiddenmenu domain=sprint_hidden_menu type=app_data_file levelFrom=all
+
+# Domain for vzw omadm trigger
+user=_app isPrivApp=true seinfo=platform name=com.google.omadm.trigger domain=vzw_omadm_trigger type=app_data_file levelFrom=all
+
+# Domain for vzw omadm connmo
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.connmo domain=vzw_omadm_connmo type=app_data_file levelFrom=all
+
+# Domain for vzw omadm dcmo
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.dcmo domain=vzw_omadm_dcmo type=app_data_file levelFrom=all
+
+# Domain for vzw omadm diagmon
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.diagmon domain=vzw_omadm_diagmon type=app_data_file levelFrom=all
+
+# Domain for uscc omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.usccdm domain=uscc_omadm type=app_data_file levelFrom=all
\ No newline at end of file
diff --git a/private/toolbox.te b/private/toolbox.te
new file mode 100644
index 0000000..4b53645
--- /dev/null
+++ b/private/toolbox.te
@@ -0,0 +1,6 @@
+# b/191930563
+dontaudit toolbox virtualizationservice_data_file:dir getattr;
+# b/193366162
+dontaudit toolbox toolbox:capability dac_read_search;
+dontaudit toolbox toolbox:capability dac_override;
+dontaudit toolbox toolbox:capability fowner;
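Review bot: The three `dontaudit toolbox toolbox:capability ...` rules hide denials for `dac_read_search`, `dac_override` and `fowner` with only a bug number as explanation, so a later reader cannot tell whether the suppression is permanent or a placeholder. The repository already has a `tracking_denials/` directory for bug-tagged suppressions (this commit adds `tracking_denials/incidentd.te` there); if these are temporary they would sit better in that directory. If they stay in `private/`, a comment such as `# toolbox probes paths it cannot access during <operation>; the denial is harmless, see b/193366162` would record why hiding it is safe.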
diff --git a/private/uscc_omadm.te b/private/uscc_omadm.te
new file mode 100644
index 0000000..b53d66c
--- /dev/null
+++ b/private/uscc_omadm.te
@@ -0,0 +1,9 @@
+type uscc_omadm, domain, coredomain;
+
+app_domain(uscc_omadm)
+net_domain(uscc_omadm)
+
+# Services
+allow uscc_omadm app_api_service:service_manager find;
+allow uscc_omadm qchook_service:service_manager find;
+allow uscc_omadm radio_service:service_manager find;
\ No newline at end of file
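Review bot: `uscc_omadm` is declared as a `coredomain` app domain with `net_domain()` and `find` on every `app_api_service`, on `qchook_service` and on `radio_service`, but nothing in the file says what the app needs telephony access for. The same nine lines are repeated verbatim in `vzw_omadm_connmo.te`, `vzw_omadm_dcmo.te`, `vzw_omadm_diagmon.te` and `vzw_omadm_trigger.te`. A header comment per file, for example `# Domain for com.android.sdm.plugins.usccdm; needs radio_service for <reason>`, would let a reviewer check each grant against need. Since the five policies are identical, a shared attribute or local macro would keep them from drifting apart. All five files also end without a trailing newline.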
diff --git a/private/vzw_omadm_connmo.te b/private/vzw_omadm_connmo.te
new file mode 100644
index 0000000..dda0dc8
--- /dev/null
+++ b/private/vzw_omadm_connmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_connmo, domain, coredomain;
+
+app_domain(vzw_omadm_connmo)
+net_domain(vzw_omadm_connmo)
+
+# Services
+allow vzw_omadm_connmo app_api_service:service_manager find;
+allow vzw_omadm_connmo qchook_service:service_manager find;
+allow vzw_omadm_connmo radio_service:service_manager find;
\ No newline at end of file
diff --git a/private/vzw_omadm_dcmo.te b/private/vzw_omadm_dcmo.te
new file mode 100644
index 0000000..8a27ef3
--- /dev/null
+++ b/private/vzw_omadm_dcmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_dcmo, domain, coredomain;
+
+app_domain(vzw_omadm_dcmo)
+net_domain(vzw_omadm_dcmo)
+
+# Services
+allow vzw_omadm_dcmo app_api_service:service_manager find;
+allow vzw_omadm_dcmo qchook_service:service_manager find;
+allow vzw_omadm_dcmo radio_service:service_manager find;
\ No newline at end of file
diff --git a/private/vzw_omadm_diagmon.te b/private/vzw_omadm_diagmon.te
new file mode 100644
index 0000000..5c2bb4b
--- /dev/null
+++ b/private/vzw_omadm_diagmon.te
@@ -0,0 +1,9 @@
+type vzw_omadm_diagmon, domain, coredomain;
+
+app_domain(vzw_omadm_diagmon)
+net_domain(vzw_omadm_diagmon)
+
+# Services
+allow vzw_omadm_diagmon app_api_service:service_manager find;
+allow vzw_omadm_diagmon qchook_service:service_manager find;
+allow vzw_omadm_diagmon radio_service:service_manager find;
\ No newline at end of file
diff --git a/private/vzw_omadm_trigger.te b/private/vzw_omadm_trigger.te
new file mode 100644
index 0000000..aea7a93
--- /dev/null
+++ b/private/vzw_omadm_trigger.te
@@ -0,0 +1,9 @@
+type vzw_omadm_trigger, domain, coredomain;
+
+app_domain(vzw_omadm_trigger)
+net_domain(vzw_omadm_trigger)
+
+# Services
+allow vzw_omadm_trigger app_api_service:service_manager find;
+allow vzw_omadm_trigger qchook_service:service_manager find;
+allow vzw_omadm_trigger radio_service:service_manager find;
\ No newline at end of file
diff --git a/public/property.te b/public/property.te
index 76a3ad6..6906ed4 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,4 +1,3 @@
-type persist_dpm_prop, property_type;
# this is vendor defined property and added with prefix vendor
# which is going to be working from system
-type vendor_bt_prop, property_type;
+vendor_internal_prop(vendor_bt_prop)
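Review bot: The retained comment says `vendor_bt_prop` is "going to be working from system", while the new `vendor_internal_prop(vendor_bt_prop)` declares it as a vendor-internal property, which as far as I know is the class meant to be inaccessible to non-vendor domains. If a system domain still reads or sets this property, `vendor_restricted_prop` or `vendor_public_prop` would match the comment; if not, the comment should be updated, e.g. `# vendor-only Bluetooth property`. The hunk also drops `persist_dpm_prop`; whether any remaining rule or property_contexts entry still names it cannot be checked from this hunk.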
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 0000000..10d6bba
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
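Review bot: The comment names SystemUI, but `set_prop(platform_app, bootanim_system_prop)` gives write access to every app that runs in the `platform_app` domain, not only SystemUI. If that breadth is accepted, the comment should say so, e.g. `# platform_app (which includes SystemUI) may set boot animation colors`. The trailing `;` after the macro call is also not needed; most other macro calls in this commit (`app_domain(...)`, `binder_use(...)`) omit it.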
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 0000000..c9e51d6
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,10 @@
+# Oslo debug properties
+pixel.oslo.airplane_mode.allowed_override u:object_r:pixel_oslo_debug_prop:s0
+pixel.oslo.allowed_override u:object_r:pixel_oslo_debug_prop:s0
+pixel.oslo.gating u:object_r:pixel_oslo_debug_prop:s0
+
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
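Review bot: The three `pixel.oslo.*` entries have no `exact` keyword or value type, so each is a prefix match: any property whose name begins with `pixel.oslo.gating`, for instance, receives `pixel_oslo_debug_prop`, and the value is not type-checked. The `persist.bootanim.color*` entries directly below use `exact int`. Unless prefix matching is intended, the Oslo lines should follow the same form, e.g. `pixel.oslo.gating u:object_r:pixel_oslo_debug_prop:s0 exact <type>`, with the type chosen to match how the property is used.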
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 0000000..9620449
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Oslo debug properties
+vendor_internal_prop(pixel_oslo_debug_prop)
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 0000000..9990775
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/187365845
+dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 0000000..3526224
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,3 @@
+# b/178757210
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
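Review bot: The rule `dontaudit surfaceflinger hal_graphics_composer_default:file read ;` appears twice, and the second copy has no effect. If the second line was meant to cover a different class or permission recorded in b/178757210, it should be corrected; otherwise delete it. The space before `;` is also inconsistent with the other rules in this commit.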
diff --git a/vendor/google/airbrush.te b/vendor/google/airbrush.te
index a560f8a..275dd17 100644
--- a/vendor/google/airbrush.te
+++ b/vendor/google/airbrush.te
@@ -30,5 +30,7 @@ allow airbrush airbrush_data_file:dir rw_dir_perms;
allow airbrush fwk_stats_hwservice:hwservice_manager find;
binder_call(airbrush, stats_service_server)
+allow airbrush fwk_stats_service:service_manager find;
+binder_use(airbrush)
vndbinder_use(airbrush)
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index 4e2cd76..dc68555 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -1 +1,7 @@
+google_camera_app selinuxfs file b/175910397
hal_health_default unlabeled file b/156200409
+hal_neuralnetworks_default default_prop file b/159570217
+pixelstats_vendor sysfs file b/161946931
+shell debugfs file b/175106535
+shell device_config_runtime_native_boot_prop file b/175106535
+shell sysfs file b/175106535
diff --git a/vendor/google/citadel_provision.te b/vendor/google/citadel_provision.te
index d178a79..803195d 100644
--- a/vendor/google/citadel_provision.te
+++ b/vendor/google/citadel_provision.te
@@ -1,31 +1,25 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-
# Extra permissions for userdebug that allow lazy-provisioning of
# keymaster preshared-keys, used for faceauth authtoken enforcement.
# (i.e. for EVT devices that leave factory unprovisioned).
userdebug_or_eng(`
+ vndbinder_use(citadel_provision)
+ binder_call(citadel_provision, citadeld)
+ allow citadel_provision citadeld_service:service_manager find;
+ hwbinder_use(citadel_provision)
+ get_prop(citadel_provision, hwservicemanager_prop)
+ allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-init_daemon_domain(citadel_provision)
-
-vndbinder_use(citadel_provision)
-binder_call(citadel_provision, citadeld)
-allow citadel_provision citadeld_service:service_manager find;
-hwbinder_use(citadel_provision)
-get_prop(citadel_provision, hwservicemanager_prop)
-allow citadel_provision hidl_manager_hwservice:hwservice_manager find;
-
-allow citadel_provision vndbinder_device:chr_file ioctl;
-allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
-allow citadel_provision ion_device:chr_file r_file_perms;
-allow citadel_provision tee_device:chr_file rw_file_perms;
-get_prop(citadel_provision, vendor_tee_listener_prop);
+ allow citadel_provision vndbinder_device:chr_file ioctl;
+ allow citadel_provision self:qipcrtr_socket create_socket_perms_no_ioctl;
+ allow citadel_provision ion_device:chr_file r_file_perms;
+ allow citadel_provision tee_device:chr_file rw_file_perms;
+ get_prop(citadel_provision, vendor_tee_listener_prop);
-dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
-dontaudit citadel_provision sysfs_esoc:file r_file_perms;
-dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
-dontaudit citadel_provision sysfs_ssr:file r_file_perms;
-dontaudit citadel_provision sysfs:file r_file_perms;
-dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
-dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
+ dontaudit citadel_provision sysfs_esoc:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_esoc:file r_file_perms;
+ dontaudit citadel_provision sysfs_msm_subsys:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_ssr:file r_file_perms;
+ dontaudit citadel_provision sysfs:file r_file_perms;
+ dontaudit citadel_provision sysfs_faceauth:dir r_dir_perms;
+ dontaudit citadel_provision sysfs_faceauth:file r_file_perms;
')
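Review bot: After this change the file uses `citadel_provision` without declaring it: the `type citadel_provision, domain;`, `type citadel_provision_exec ...` and `init_daemon_domain(citadel_provision)` lines are removed, and the matching `/vendor/bin/CitadelProvision` label is dropped from `vendor/google/file_contexts` in the same commit. The declarations presumably now come from a shared policy directory, but the only external directory `coral-sepolicy.mk` adds here is `hardware/google/pixel-sepolicy/powerstats`, so the provider is not visible in this commit. A header comment such as `# citadel_provision is declared in <shared policy dir>; only coral-specific userdebug rules live here` would make the dependency explicit.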
diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te
index 7f6a31f..e042518 100644
--- a/vendor/google/citadeld.te
+++ b/vendor/google/citadeld.te
@@ -1,20 +1 @@
-type citadeld, domain;
-type citadeld_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(citadeld)
-add_service(citadeld, citadeld_service)
-
-allow citadeld citadel_device:chr_file rw_file_perms;
-
-allow citadeld hal_power_stats_default:binder { call transfer };
-allow citadeld power_stats_service:service_manager find;
-
allow citadeld debugfs_ipc:dir search;
-
-# Let citadeld find and use statsd.
-hwbinder_use(citadeld)
-get_prop(citadeld, hwservicemanager_prop)
-allow citadeld fwk_stats_hwservice:hwservice_manager find;
-binder_call(citadeld, stats_service_server)
-
-init_daemon_domain(citadeld)
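Review bot: The only rule left in this file, `allow citadeld debugfs_ipc:dir search;`, is unconditional and has no comment, so it grants debugfs directory access on user builds as well. If the access is only needed for debugging, wrap it in `userdebug_or_eng(...)`; if it is a side effect of a library probing debugfs, a `dontaudit` would avoid granting it. As in `citadel_provision.te`, the `citadeld` type is no longer declared here, so a comment naming where it is declared would help.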
diff --git a/vendor/google/device.te b/vendor/google/device.te
index 08e8154..1821791 100644
--- a/vendor/google/device.te
+++ b/vendor/google/device.te
@@ -1,10 +1,8 @@
type abc_tpu_device, dev_type;
type airbrush_device, dev_type, mlstrustedobject;
type airbrush_sm_device, dev_type, mlstrustedobject;
-type citadel_device, dev_type;
type faceauth_device, dev_type;
type ipu_device, dev_type, mlstrustedobject;
-type touch_offload_device, dev_type;
type ramoops_device, dev_type;
type maxfg_device, dev_type;
type rls_device, dev_type;
diff --git a/vendor/google/dumpstate.te b/vendor/google/dumpstate.te
index 19d87ef..2869937 100644
--- a/vendor/google/dumpstate.te
+++ b/vendor/google/dumpstate.te
@@ -5,6 +5,7 @@ dump_hal(hal_power_stats)
userdebug_or_eng(`
allow dumpstate debugfs_dma_buf:file r_file_perms;
+ allow dumpstate media_rw_data_file:file append;
')
# For collecting bugreports.
diff --git a/vendor/google/fastbootd.te b/vendor/google/fastbootd.te
index 6206e31..876d957 100644
--- a/vendor/google/fastbootd.te
+++ b/vendor/google/fastbootd.te
@@ -11,5 +11,6 @@ recovery_only(`
# Allow to read /sys/class/power_supply directory.
allow fastbootd sysfs:dir r_dir_perms;
allow fastbootd sysfs_batteryinfo:dir search;
+ allow fastbootd citadel_device:chr_file rw_file_perms;
')
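Review bot: The added `allow fastbootd citadel_device:chr_file rw_file_perms;` gives fastbootd read/write access to the Citadel device node without a comment, unlike the neighbouring sysfs rule, which states its purpose. A line such as `# fastbootd talks to Citadel for <operation>` would document why recovery needs it. This commit also removes `type citadel_device, dev_type;` from `vendor/google/device.te` and the `/dev/citadel0` entry from `vendor/google/file_contexts`, so the rule relies on a declaration and label supplied from outside this repository. The `recovery_only` block starts above the hunk.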
diff --git a/vendor/google/file.te b/vendor/google/file.te
index cfb5ef6..746318e 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
@@ -16,16 +16,15 @@ type sysfs_chargelevel, sysfs_type, fs_type;
#sysfs files
type sysfs_display, sysfs_type, fs_type;
type sysfs_touch, sysfs_type, fs_type;
-type sysfs_power_stats, sysfs_type, fs_type;
type sysfs_power_stats_ignore, sysfs_type, fs_type;
type sysfs_camera, sysfs_type, fs_type;
type sysfs_devcfg, sysfs_type, fs_type;
type sysfs_msm_boardid, fs_type, sysfs_type;
-type sysfs_iio_devices, fs_type, sysfs_type;
type sysfs_pixelstats, fs_type, sysfs_type;
type sysfs_airbrush, sysfs_type, fs_type;
type sysfs_wlc, sysfs_type, fs_type;
type sysfs_pstore, sysfs_type, fs_type;
+type sysfs_typec_info, sysfs_type, fs_type;
#f2fs file
type debugfs_f2fs, debugfs_type, fs_type;
@@ -49,9 +48,6 @@ type mediadrm_vendor_data_file, file_type, data_file_type;
#diag cmd socket
type diag_socket, file_type, mlstrustedobject;
-#eSE file
-type ese_vendor_data_file, file_type, data_file_type;
-
# Dumpstats dmabuf info
type debugfs_dma_buf, debugfs_type, fs_type;
@@ -70,6 +66,7 @@ type sysfs_contaminant, sysfs_type, fs_type;
# Darwinn HAL shared files.
type hal_neuralnetworks_darwinn_hal_camera_data_file, file_type, data_file_type;
+type proc_sched_lib_mask_cpuinfo, proc_type, fs_type;
# Directory for camera autocalibration files
type camera_calibration_vendor_data_file, file_type, data_file_type;
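Review bot: `type proc_sched_lib_mask_cpuinfo, proc_type, fs_type;` is inserted without a comment of its own, right after the `# Darwinn HAL shared files.` group, so it reads as part of that group although it is a procfs type (blank lines are not visible in this rendering). A separate comment would make its purpose clear, e.g. `# /proc/sys/kernel/sched_lib_name and sched_lib_mask_force`, the two paths that `vendor/google/genfs_contexts` labels with this type in the same commit.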
@@ -80,11 +77,9 @@ type sysfs_knowles_info, fs_type, sysfs_type;
# Dumpstats IPA statistics
type debugfs_ipa, debugfs_type, fs_type;
-# wifi_sniffer
-type sysfs_wifi_conmode, sysfs_type, fs_type;
-
# Incremental file system driver
type vendor_incremental_module, vendor_file_type, file_type;
-# RamdumpFS
-allow ramdump_vendor_mnt_file self:filesystem associate;
+# Firmware mount
+type firmware_file, file_type, contextmount_type, vendor_file_type;
+allow firmware_file self:filesystem associate;
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 4fd4689..77f20b9 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -6,68 +6,56 @@
/dev/access-metadata u:object_r:ramoops_device:s0
/dev/access-ramoops u:object_r:ramoops_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
-/dev/citadel0 u:object_r:citadel_device:s0
/dev/faceauth u:object_r:faceauth_device:s0
/dev/ipu u:object_r:ipu_device:s0
/dev/maxfg_history u:object_r:maxfg_device:s0
/dev/vd6281 u:object_r:rls_device:s0
/dev/sensor_tunnel u:object_r:rls_device:s0
-/dev/st54j_se u:object_r:secure_element_device:s0
/dev/subsys_faceauth u:object_r:faceauth_device:s0
/dev/subsys_faceauth_b u:object_r:faceauth_device:s0
-/dev/touch_offload u:object_r:touch_offload_device:s0
/dev/lm36011_flood u:object_r:laser_device:s0
/dev/lm36011_dot u:object_r:laser_device:s0
/dev/iaxxx-module-celldrv u:object_r:pwrstats_device:s0
-# product binaries
-/product/bin/twoshay u:object_r:twoshay_exec:s0
-
# system binaries
/system/bin/hw/hardware\.google\.pixelstats@1\.0-service u:object_r:pixelstats_system_exec:s0
-/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0
# vendor binaries
-/vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel u:object_r:hal_atrace_default_exec:s0
/vendor/bin/hw/android\.hardware\.biometrics\.face@1\.0-service\.google u:object_r:hal_face_default_exec:s0
-/vendor/bin/hw/android\.hardware\.camera\.provider@2\.6-service-google u:object_r:hal_camera_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0
/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0
/vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0
-/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0
-/vendor/bin/hw/android\.hardware\.usb@1\.2-service\.coral u:object_r:hal_usb_impl_exec:s0
-/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
-/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
-/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
-/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0
-/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/android\.hardware\.usb@1\.3-service\.coral u:object_r:hal_usb_impl_exec:s0
/vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0
/vendor/bin/hw/vendor\.google\.airbrush@1\.0-service u:object_r:airbrush_exec:s0
/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0
/vendor/bin/color_init u:object_r:color_init_exec:s0
/vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
/vendor/bin/modem_svc u:object_r:modem_svc_exec:s0
/vendor/bin/ramoops u:object_r:ramoops_exec:s0
/vendor/bin/hw/android\.hardware\.dumpstate@1\.[01]-service\.coral u:object_r:hal_dumpstate_impl_exec:s0
-/vendor/bin/ramdump u:object_r:ramdump_exec:s0
/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0
/vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0
/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-/vendor/bin/hw/vendor\.google\.wireless_charger@1\.2-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
/vendor/bin/hw/android\.hardware\.graphics\.composer@2\.4-service-sm8150 u:object_r:hal_graphics_composer_default_exec:s0
/vendor/bin/hw/init_dp.sh u:object_r:init_dp_exec:s0
-/vendor/bin/wifi_sniffer u:object_r:wifi_sniffer_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub@1\.[0-9]-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.usb@1\.[0-9]-service\.coral u:object_r:hal_usb_impl_exec:s0
+
+# Vendor firmware
+/vendor/firmware_mnt(/.*)? u:object_r:firmware_file:s0
# Vendor libs that are exposed to apps (those listed in /vendor/etc/public.libraries.txt
# and their dependencies)
/vendor/lib(64)?/libairbrush-pixel\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.google\.airbrush\.manager@1\.0\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.hardware\.dsp@1\.0\.so u:object_r:same_process_hal_file:s0
# Vendor kernel modules
/vendor/lib/modules/adsp_loader_dlkm.ko u:object_r:vendor_kernel_modules:s0
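Review bot: The new wildcard entries `android\.hardware\.contexthub@1\.[0-9]-service\.generic` and `android\.hardware\.usb@1\.[0-9]-service\.coral` already match the version-specific `contexthub@1\.2` and `usb@1\.3` entries added earlier in the same hunk, so those two are redundant and will go stale on the next version bump. Keeping only the wildcard lines (plus the unversioned `android\.hardware\.contexthub-service\.generic`) leaves one place to maintain. Separately, the hunk removes the citadel, secure-element, ramdump and wifi_sniffer labels. It is worth confirming that another policy directory now labels those binaries, since otherwise they would presumably fall back to a generic vendor file label.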
@@ -114,11 +102,9 @@
/data/vendor/modem_dump(/.*)? u:object_r:modem_dump_file:s0
/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
/data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0
-/data/vendor/ese(/.*)? u:object_r:ese_vendor_data_file:s0
/data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)? u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0
/data/vendor/camera_calibration(/.*)? u:object_r:camera_calibration_vendor_data_file:s0
/data/vendor/face(/.*)? u:object_r:face_vendor_data_file:s0
-/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0
/data/per_boot(/.*)? u:object_r:per_boot_file:s0
# dev socket node
diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts
index 9531d61..2cca234 100644
--- a/vendor/google/genfs_contexts
+++ b/vendor/google/genfs_contexts
@@ -14,7 +14,6 @@ genfscon sysfs /devices/platform/soc/1d84000.ufshc/device_descriptor u:o
genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
genfscon proc /irq u:object_r:proc_irq:s0
-genfscon sysfs /bus/iio/devices u:object_r:sysfs_iio_devices:s0
# Touch
genfscon sysfs /devices/platform/soc/890000.spi/spi_master/spi1/spi1.0 u:object_r:sysfs_touch:s0
@@ -36,6 +35,8 @@ genfscon sysfs /devices/platform/soc/soc:qcom,cpu4-cpu-l3-lat/devfreq
genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
genfscon sysfs /devices/platform/soc/1d84000.ufshc/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
genfscon proc /sys/kernel/sched_energy_aware u:object_r:proc_sched_energy_aware:s0
+genfscon proc /sys/kernel/sched_lib_name u:object_r:proc_sched_lib_mask_cpuinfo:s0
+genfscon proc /sys/kernel/sched_lib_mask_force u:object_r:proc_sched_lib_mask_cpuinfo:s0
# PowerStatsHal
genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_power_stats:s0
@@ -92,6 +93,9 @@ genfscon sysfs /firmware/devicetree/base/chosen/cdt/cdb2/devcfg
# eSIM status
genfscon sysfs /firmware/devicetree/base/chosen/cdt/cdb2/esim u:object_r:sysfs_esim:s0
+# Input
+genfscon sysfs /devices/platform/soc/a600000.ssusb/a600000.dwc3/xhci-hcd.2.auto/usb1 u:object_r:sysfs_uhid:s0
+
# Battery
genfscon sysfs /devices/platform/soc/soc:google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/soc/880000.i2c/i2c-1/1-0036/power_supply/maxfg u:object_r:sysfs_batteryinfo:s0
@@ -108,11 +112,11 @@ genfscon debugfs /regmap/2-000b/
genfscon debugfs /logbuffer/ssoc u:object_r:debugfs_batteryinfo:s0
genfscon debugfs /logbuffer/ttf u:object_r:debugfs_batteryinfo:s0
genfscon debugfs /logbuffer/batt_ce u:object_r:debugfs_batteryinfo:s0
+genfscon debugfs /logbuffer/maxfg u:object_r:debugfs_batteryinfo:s0
genfscon debugfs /logbuffer/wireless u:object_r:debugfs_batteryinfo:s0
genfscon debugfs /google_charger u:object_r:debugfs_batteryinfo:s0
genfscon debugfs /google_battery u:object_r:debugfs_batteryinfo:s0
-genfscon sysfs /devices/platform/soc/soc:google,charger/charge_start_level u:object_r:sysfs_chargelevel:s0
-genfscon sysfs /devices/platform/soc/soc:google,charger/charge_stop_level u:object_r:sysfs_chargelevel:s0
+genfscon sysfs /devices/platform/soc/soc:google,charger/ u:object_r:sysfs_chargelevel:s0
# Pixelstats
genfscon sysfs /devices/virtual/misc/msm_cirrus_playback/resistance_left_right u:object_r:sysfs_pixelstats:s0
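Review bot: Replacing the two file-level entries `charge_start_level` and `charge_stop_level` with the directory `/devices/platform/soc/soc:google,charger/` labels every attribute under the charger node as `sysfs_chargelevel`. Whatever access domains hold on `sysfs_chargelevel` for the two level files now extends to all of those attributes, which is wider than the type name suggests. If more attributes are needed, listing them individually or introducing a separate type for the rest keeps the writable surface narrow; otherwise add a comment such as `# whole charger node: <attributes needed>`. The trailing `/` also differs from the other genfscon paths in this hunk.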
@@ -121,6 +125,9 @@ genfscon sysfs /devices/platform/soc/a8c000.spi/spi_master/spi4/spi4.0/iaxxx-dev
genfscon sysfs /devices/platform/soc/a8c000.spi/spi_master/spi4/spi4.0/iaxxx-dev/iaxxx_misc/wdsp_stat u:object_r:sysfs_pixelstats:s0
genfscon sysfs /devices/platform/soc/a8c000.spi/spi_master/spi5/spi5.0/iaxxx-dev/iaxxx_misc/codec_state u:object_r:sysfs_pixelstats:s0
genfscon sysfs /devices/platform/soc/a8c000.spi/spi_master/spi5/spi5.0/iaxxx-dev/iaxxx_misc/wdsp_stat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,usb-pdphy@1700/usbpd0/typec/port0/port0-partner/identity/id_header u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,usb-pdphy@1700/usbpd0/typec/port0/port0-partner/identity/product u:object_r:sysfs_pixelstats:s0
+
# Audio Dsp for HardwareInfo
genfscon sysfs /devices/platform/soc/a8c000.spi/spi_master/spi4/spi4.0/iaxxx-dev/iaxxx_misc/hwinfo_part_number u:object_r:sysfs_audio:s0
@@ -140,6 +147,7 @@ genfscon debugfs /tcpm/usbpd0 u:object_r:debugfs_usb:s0
genfscon debugfs /logbuffer/usbpd u:object_r:debugfs_usb:s0
genfscon debugfs /logbuffer/smblib u:object_r:debugfs_usb:s0
genfscon debugfs /logbuffer/pps u:object_r:debugfs_usb:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:sysfs_typec_info:s0
# Airbrush
genfscon sysfs /devices/platform/soc/soc:abc-sm u:object_r:sysfs_airbrush:s0
@@ -171,9 +179,6 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.q
# Dumpstats IPA statistics
genfscon debugfs /ipa/ipa_statistics_msg u:object_r:debugfs_ipa:s0
-# wifi_sniffer
-genfscon sysfs /module/wlan/parameters/con_mode u:object_r:sysfs_wifi_conmode:s0
-
# Wakeup stats (new)
# https://lkml.org/lkml/2019/8/6/1275
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
@@ -216,7 +221,12 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.q
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-2/2-0008/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c94000.i2c/i2c-3/3-0043/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/89c000.i2c/i2c-2/2-0036/power_supply/maxfg/wakeup10 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/soc/89c000.i2c/i2c-2/2-0036/power_supply/maxfg/wakeup11 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/89c000.i2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/c94000.i2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0
genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-3/3-0008/wakeup u:object_r:sysfs_wakeup:s0
+
+# Extcon
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,usb-pdphy@1700/extcon u:object_r:sysfs_extcon:s0
diff --git a/vendor/google/google_camera_app.te b/vendor/google/google_camera_app.te
index 195bef2..f62d4e7 100644
--- a/vendor/google/google_camera_app.te
+++ b/vendor/google/google_camera_app.te
@@ -36,10 +36,6 @@ allow google_camera_app mediadrmserver_service:service_manager find;
allow google_camera_app radio_service:service_manager find;
allow google_camera_app app_api_service:service_manager find;
allow google_camera_app vr_manager_service:service_manager find;
-allow google_camera_app gpu_service:service_manager find;
-
-# Allow untrusted apps to interact with gpuservice
-binder_call(google_camera_app, gpuservice)
# gdbserver for ndk-gdb ptrace attaches to app process.
allow google_camera_app self:process ptrace;
diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te
index a1adeab..f4e7da3 100644
--- a/vendor/google/grilservice_app.te
+++ b/vendor/google/grilservice_app.te
@@ -4,7 +4,12 @@ app_domain(grilservice_app)
allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
-allow grilservice_app activity_service:service_manager find;
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_sar_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_default)
binder_call(grilservice_app, hal_radioext_default)
binder_call(grilservice_app, hal_wifi_ext)
+
+# this denial on grilservice_app since this AudioMetric functionality is not used in legacy device.
+dontaudit grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
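Review bot: Replacing `activity_service` with `app_api_service` in `allow grilservice_app app_api_service:service_manager find;` widens the lookup from one service to every service carrying that attribute. If only a few services are needed, naming them keeps the domain closer to least privilege. The comment above the `dontaudit` is hard to parse; something like `# Suppress the expected denial: AudioMetric is not used on legacy devices.` says what the rule does. The new `binder_call(grilservice_app, hal_bluetooth_default)` also has no comment tying it to the `hal_bluetooth_sar_hwservice` lookup.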
diff --git a/vendor/google/hal_camera_default.te b/vendor/google/hal_camera_default.te
index 5271732..50bb403 100644
--- a/vendor/google/hal_camera_default.te
+++ b/vendor/google/hal_camera_default.te
@@ -48,6 +48,8 @@ binder_call(hal_camera_default, rlsservice)
# For camera hal to talk with statsd
allow hal_camera_default fwk_stats_hwservice:hwservice_manager find;
binder_call(hal_camera_default, stats_service_server)
+allow hal_camera_default fwk_stats_service:service_manager find;
+binder_use(hal_camera_default)
# For camera hal to use system property
set_prop(hal_camera_default, camera_prop)
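Review bot: The domain now holds both the existing HIDL lookup (`fwk_stats_hwservice:hwservice_manager find`) and the new `allow hal_camera_default fwk_stats_service:service_manager find;` plus `binder_use(hal_camera_default)`, and nothing says which path is still in use. If the HIDL rule is kept only for a transition, a comment such as `# AIDL IStats; HIDL rule above kept until the HAL stops using it` would let a later cleanup drop the older grant. The same pair is added in hal_face_default.te, hal_health_default.te, hal_neuralnetworks_darwinn.te, oslo_app.te, pixelstats_vendor.te and uv_exposure_reporter.te.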
diff --git a/vendor/google/hal_dumpstate_impl.te b/vendor/google/hal_dumpstate_impl.te
index ef49a6b..65e65fc 100644
--- a/vendor/google/hal_dumpstate_impl.te
+++ b/vendor/google/hal_dumpstate_impl.te
@@ -36,6 +36,9 @@ get_prop(hal_dumpstate_impl, boottime_public_prop)
# Access to thermal debug data
r_dir_file(hal_dumpstate_impl, sysfs_thermal)
+# Access to /sys/devices/soc0/serial_number
+r_dir_file(hal_dumpstate_impl, sysfs_soc)
+
# Access to files for dumping
allow hal_dumpstate_impl sysfs:dir r_dir_perms;
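Review bot: `r_dir_file(hal_dumpstate_impl, sysfs_soc)` grants read on everything labelled `sysfs_soc`, while the comment names only `/sys/devices/soc0/serial_number`. The rule is also not inside a userdebug/eng guard like the `debugfs_page_owner` rule added further down in this file. A SoC serial number is a persistent hardware identifier, so it is worth confirming that it should be captured on user builds. What else carries the `sysfs_soc` label is not visible in this diff; if the serial number is the only file needed, a dedicated label would keep the grant narrow.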
@@ -44,6 +47,11 @@ allow hal_dumpstate_impl debugfs_wlan:file r_file_perms;
allow hal_dumpstate_impl sysfs_msm_wlan:dir r_dir_perms;
allow hal_dumpstate_impl sysfs_power_stats:file r_file_perms;
+# Allow to dump page_owner
+userdebug_or_eng(`
+ allow hal_dumpstate_impl debugfs_page_owner:file r_file_perms;
+')
+
allow hal_dumpstate_impl debugfs_icnss:dir r_dir_perms;
allow hal_dumpstate_impl debugfs_icnss:file r_file_perms;
@@ -52,6 +60,8 @@ allow hal_dumpstate_impl debugfs_dma_buf:file r_file_perms;
# Battery/Charger/Guage
allow hal_dumpstate_impl debugfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_impl sysfs_chargelevel:file r_file_perms;
+allow hal_dumpstate_impl sysfs_batteryinfo:file r_file_perms;
# Dump PMIC data
allow hal_dumpstate_impl debugfs_pmic:dir r_dir_perms;
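Review bot: `allow hal_dumpstate_impl sysfs_chargelevel:file r_file_perms;` now reaches more than the two level files. genfs_contexts in this commit replaces the `charge_start_level` and `charge_stop_level` entries with the prefix `/devices/platform/soc/soc:google,charger/`, so every node below that directory carries `sysfs_chargelevel`. The same relabel silently extends the existing `hal_health_default sysfs_chargelevel:file rw_file_perms` rule to write access on all of those nodes. If that is intended, a comment on the genfscon line saying so would help; otherwise the write side should stay on a narrower label.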
@@ -65,6 +75,9 @@ userdebug_or_eng(`
allow hal_dumpstate_impl debugfs_ipa:file r_file_perms;
')
+#Dumpstats fastrpc buffer
+allow hal_dumpstate_impl sysfs_fastrpc:file r_file_perms;
+
# USB logs
allow hal_dumpstate_impl debugfs_usb:file r_file_perms;
diff --git a/vendor/google/hal_face_default.te b/vendor/google/hal_face_default.te
index 2d74a2c..67582a5 100644
--- a/vendor/google/hal_face_default.te
+++ b/vendor/google/hal_face_default.te
@@ -46,6 +46,7 @@ userdebug_or_eng(`
allow hal_face_default face_debug:fifo_file write;
')
+get_prop(hal_face_default, camera_config_prop)
get_prop(hal_face_default, camera_prop)
get_prop(hal_face_default, vendor_faceauth_prop)
@@ -54,6 +55,8 @@ hwbinder_use(hal_face_default);
# Allow the face HAL to communicate with IStats.
allow hal_face_default fwk_stats_hwservice:hwservice_manager find;
binder_call(hal_face_default, stats_service_server)
+allow hal_face_default fwk_stats_service:service_manager find;
+binder_use(hal_face_default)
# Allow writing new camera calibrations
allow hal_face camera_calibration_vendor_data_file:dir rw_dir_perms;
diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te
index 838a403..ea4f8f0 100644
--- a/vendor/google/hal_health_default.te
+++ b/vendor/google/hal_health_default.te
@@ -4,6 +4,8 @@ allow hal_health_default hal_pixelstats_hwservice:hwservice_manager find;
binder_call(hal_health_default, pixelstats_system)
allow hal_health_default fwk_stats_hwservice:hwservice_manager find;
binder_call(hal_health_default, statsd)
+allow hal_health_default fwk_stats_service:service_manager find;
+binder_use(hal_health_default)
allow hal_health_default persist_file:dir search;
allow hal_health_default persist_battery_file:file create_file_perms;
allow hal_health_default persist_battery_file:dir rw_dir_perms;
@@ -19,3 +21,5 @@ allow hal_health_default sysfs_chargelevel:file rw_file_perms;
set_prop(hal_health_default, vendor_shutdown_prop)
set_prop(hal_health_default, vendor_battery_defender_prop)
+
+r_dir_file(hal_health_default, sysfs_typec_info)
diff --git a/vendor/google/hal_identity_citadel.te b/vendor/google/hal_identity_citadel.te
deleted file mode 100644
index e29310c..0000000
--- a/vendor/google/hal_identity_citadel.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_identity_citadel, domain;
-type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_identity_citadel)
-binder_call(hal_identity_citadel, citadeld)
-allow hal_identity_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_identity_citadel, hal_identity)
-init_daemon_domain(hal_identity_citadel)
diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te
deleted file mode 100644
index dd0a735..0000000
--- a/vendor/google/hal_keymaster_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_keymaster_citadel, domain;
-type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_keymaster_citadel)
-binder_call(hal_keymaster_citadel, citadeld)
-allow hal_keymaster_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_keymaster_citadel, hal_keymaster)
-init_daemon_domain(hal_keymaster_citadel)
-
-get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop)
diff --git a/vendor/google/hal_neuralnetworks_darwinn.te b/vendor/google/hal_neuralnetworks_darwinn.te
index 0162ceb..a64ba2d 100644
--- a/vendor/google/hal_neuralnetworks_darwinn.te
+++ b/vendor/google/hal_neuralnetworks_darwinn.te
@@ -31,6 +31,8 @@ hal_client_domain(hal_neuralnetworks_darwinn, hal_power);
# Allow DarwiNN HAL to talk to stats service, and to make binder calls to it.
allow hal_neuralnetworks_darwinn fwk_stats_hwservice:hwservice_manager find;
binder_call(hal_neuralnetworks_darwinn, stats_service_server)
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+binder_use(hal_neuralnetworks_darwinn)
# Allow DarwiNN HAL full access to its shared files with Camera HAL.
allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_hal_camera_data_file:file create_file_perms;
diff --git a/vendor/google/hal_power_default.te b/vendor/google/hal_power_default.te
index a1a925d..d984bd7 100644
--- a/vendor/google/hal_power_default.te
+++ b/vendor/google/hal_power_default.te
@@ -2,6 +2,8 @@ allow hal_power_default sysfs_msm_subsys:dir search;
allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
allow hal_power_default proc_sched_energy_aware:file rw_file_perms;
allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
# Rule for powerhal to write/dump cgroup
allow hal_power_default cgroup:file rw_file_perms;
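Review bot: The two added rules give the power HAL directory read and file read/write access to `sysfs_fs_f2fs`, but unlike the cgroup rule below them they carry no comment saying which f2fs tunables the HAL adjusts. `rw_file_perms` covers every file with that label, so a line such as `# Power HAL adjusts f2fs sysfs tunables` (wording to be confirmed by the author) would make the intent reviewable. If the HAL only reads some of these nodes, `r_file_perms` would be the narrower grant.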
diff --git a/vendor/google/hal_power_stats_default.te b/vendor/google/hal_power_stats_default.te
index e74d384..7bdd7c0 100644
--- a/vendor/google/hal_power_stats_default.te
+++ b/vendor/google/hal_power_stats_default.te
@@ -1,5 +1,5 @@
allow hal_power_stats_default sysfs_msm_wlan:dir search; # Needed to traverse to wlan stats file
-get_prop(hal_power_stats_default, exported_wifi_prop) # Needed to detect wifi on/off
+get_prop(hal_power_stats_default, wifi_hal_prop) # Needed to detect wifi on/off
r_dir_file(hal_power_stats_default, sysfs_iio_devices) # Needed to traverse to odpm files
r_dir_file(hal_power_stats_default, sysfs_airbrush) # Needed to access airbrush files
r_dir_file(hal_power_stats_default, sysfs_power_stats)
@@ -10,7 +10,4 @@ allow hal_power_stats_default pwrstats_device:chr_file rw_file_perms;
dontaudit hal_power_stats_default sysfs_power_stats_ignore:dir r_dir_perms;
dontaudit hal_power_stats_default sysfs_power_stats_ignore:file r_file_perms;
-vndbinder_use(hal_power_stats)
-add_service(hal_power_stats_server, power_stats_service)
-
binder_call(hal_power_stats, citadeld)
diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te
deleted file mode 100644
index 4ca8a1e..0000000
--- a/vendor/google/hal_rebootescrow_citadel.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type hal_rebootescrow_citadel, domain;
-type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type;
-type hal_rebootescrow_citadel_data_file, file_type, data_file_type;
-
-hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow)
-
-vndbinder_use(hal_rebootescrow_citadel)
-binder_call(hal_rebootescrow_citadel, citadeld)
-allow hal_rebootescrow_citadel citadeld_service:service_manager find;
-
-hal_client_domain(hal_rebootescrow_citadel, hal_keymaster)
-
-init_daemon_domain(hal_rebootescrow_citadel)
-
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms;
-allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms;
-
diff --git a/vendor/google/hal_secure_element_default.te b/vendor/google/hal_secure_element_default.te
deleted file mode 100644
index 94b811d..0000000
--- a/vendor/google/hal_secure_element_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default ese_vendor_data_file:dir create_dir_perms;
-allow hal_secure_element_default ese_vendor_data_file:file create_file_perms;
-allow hal_secure_element_default debugfs_ipc:dir search;
-set_prop(hal_secure_element_default, vendor_secure_element_prop)
-get_prop(hal_secure_element_default, vendor_modem_prop)
diff --git a/vendor/google/hal_usb_impl.te b/vendor/google/hal_usb_impl.te
index 4886e68..7f4d632 100644
--- a/vendor/google/hal_usb_impl.te
+++ b/vendor/google/hal_usb_impl.te
@@ -11,3 +11,7 @@ allow hal_usb_impl sysfs_batteryinfo:dir search;
allow hal_usb_impl sysfs_batteryinfo:file r_file_perms;
allow hal_usb_impl sysfs_contaminant:file rw_file_perms;
set_prop(hal_usb_impl, vendor_usb_prop)
+allow hal_usb_impl sysfs_extcon:dir search;
+
+r_dir_file(hal_usb_impl, sysfs_typec_info)
+allow hal_usb_impl sysfs_typec_info:file rw_file_perms;
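Review bot: `allow hal_usb_impl sysfs_typec_info:file rw_file_perms;` makes every file under the `.../usbpd0/typec` prefix labelled in genfs_contexts writable by the USB HAL. It also subsumes the file-read half of the `r_dir_file(hal_usb_impl, sysfs_typec_info)` line just above. The diff does not show which nodes are actually written, so a comment naming them would document why write is needed on the whole label. If only a few nodes need writes, a separate type for them would narrow the grant.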
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
deleted file mode 100644
index aa16960..0000000
--- a/vendor/google/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-allow hal_weaver_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
-init_daemon_domain(hal_weaver_citadel)
diff --git a/vendor/google/hbmsvmanager_app.te b/vendor/google/hbmsvmanager_app.te
index 25c06c0..a14930a 100644
--- a/vendor/google/hbmsvmanager_app.te
+++ b/vendor/google/hbmsvmanager_app.te
@@ -1,7 +1,9 @@
-type hbmsvmanager_app, domain;
+type hbmsvmanager_app, domain, coredomain;
app_domain(hbmsvmanager_app);
hal_client_domain(hbmsvmanager_app, hal_light)
# Standard system services
allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
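Review bot: `type hbmsvmanager_app, domain, coredomain;` marks a type declared under vendor/google as a core domain, which changes which neverallow rules are checked against it, and neither this file nor uv_exposure_reporter.te (which gets the same attribute) says why. The domain also gains `find` on `hal_pixel_display_service`, declared as a `vendor_service` in service.te. If this is a system-side app talking to a vendor AIDL HAL, a comment such as `# System-side app; uses the Pixel display HAL over AIDL` (to be confirmed by the author) would record that.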
diff --git a/vendor/google/hwservice.te b/vendor/google/hwservice.te
index 4c82501..ffaf5a2 100644
--- a/vendor/google/hwservice.te
+++ b/vendor/google/hwservice.te
@@ -1,6 +1,8 @@
-type hal_pixelstats_hwservice, hwservice_manager_type;
-type hal_airbrush_hwservice, hwservice_manager_type;
-type hal_darwinn_hwservice, hwservice_manager_type;
-type hal_radioext_hwservice, hwservice_manager_type;
-type hal_wifi_ext_hwservice, hwservice_manager_type;
-type hal_wlc_hwservice, hwservice_manager_type;
+type hal_pixelstats_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_airbrush_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_darwinn_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_radioext_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wifi_ext_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wlc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_bluetooth_sar_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_audiometricext_hwservice, hwservice_manager_type;
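Review bot: `type hal_audiometricext_hwservice, hwservice_manager_type;` is the only declaration in this hunk without `vendor_hwservice_type`, although its interface in hwservice_contexts is `vendor.google.audiometricext::IAudioMetricExt`. If the omission is not deliberate, the line should read `type hal_audiometricext_hwservice, hwservice_manager_type, vendor_hwservice_type;` so that rules written against that attribute treat it like the other vendor hwservices. If it is deliberate, a one-line comment saying why would stop someone from "fixing" it later.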
diff --git a/vendor/google/hwservice_contexts b/vendor/google/hwservice_contexts
index 4d2e8fd..cc19067 100644
--- a/vendor/google/hwservice_contexts
+++ b/vendor/google/hwservice_contexts
@@ -1,7 +1,9 @@
hardware.google.pixelstats::IPixelStats u:object_r:hal_pixelstats_hwservice:s0
hardware.google.light::ILight u:object_r:hal_light_hwservice:s0
vendor.google.airbrush.manager::IAirbrushManager u:object_r:hal_airbrush_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_sar_hwservice:s0
vendor.google.darwinn.service::IDarwinnService u:object_r:hal_darwinn_hwservice:s0
vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0
vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
diff --git a/vendor/google/init-insmod-sh.te b/vendor/google/init-insmod-sh.te
index df9e87f..f96a0d4 100644
--- a/vendor/google/init-insmod-sh.te
+++ b/vendor/google/init-insmod-sh.te
@@ -1,6 +1,16 @@
# Allow insmod
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
allow init-insmod-sh sysfs_msm_boot:file w_file_perms;
allow init-insmod-sh debugfs_ipc:dir search;
allow init-insmod-sh debugfs_wlan:dir search;
+set_prop(init-insmod-sh, vendor_device_prop)
+
dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
diff --git a/vendor/google/init.te b/vendor/google/init.te
new file mode 100644
index 0000000..7a1765b
--- /dev/null
+++ b/vendor/google/init.te
@@ -0,0 +1,6 @@
+# Allow init to mount firmware
+allow init firmware_file:dir mounton;
+allow init firmware_file:filesystem { getattr mount relabelfrom };
+
+allow init per_boot_file:file ioctl;
+allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
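Review bot: The second stanza has no comment, so a reader cannot tell why init issues an ioctl on `per_boot_file`. The `allowxperm` line restricts it to `F2FS_IOC_SET_PIN_FILE`, which is the right shape; a comment such as `# Allow init to pin per-boot files on f2fs` above `allow init per_boot_file:file ioctl;` would record the intent. The first stanza's comment covers `mounton` and `mount` but not why `relabelfrom` on the `firmware_file` filesystem is needed.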
diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te
index 3306804..f08ea1f 100644
--- a/vendor/google/init_citadel.te
+++ b/vendor/google/init_citadel.te
@@ -1,20 +1,3 @@
-type init_citadel, domain;
-type init_citadel_exec, exec_type, vendor_file_type, file_type;
-type citadel_updater_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(init_citadel)
-
-vndbinder_use(init_citadel)
-binder_call(init_citadel, citadeld)
-allow init_citadel citadeld_service:service_manager find;
-
-# Many standard utils are actually vendor_toolbox (like xxd)
-allow init_citadel vendor_toolbox_exec:file rx_file_perms;
-
-# init_citadel needs to invoke citadel_updater
-allow init_citadel citadel_updater_exec:file rx_file_perms;
-allow init_citadel citadel_device:chr_file rw_file_perms;
-
-# We also might need to read the board-id from a sysfs file, if
-# we can't determine it from getprop.
+# init_citadel might need to read the board-id from a sysfs file, if we
+# can't determine it from getprop.
allow init_citadel sysfs_msm_boardid:file r_file_perms;
diff --git a/vendor/google/logger_app.te b/vendor/google/logger_app.te
index 92a9e37..55ec13c 100644
--- a/vendor/google/logger_app.te
+++ b/vendor/google/logger_app.te
@@ -1,12 +1,4 @@
-type logger_app, domain;
-
userdebug_or_eng(`
- app_domain(logger_app)
- net_domain(logger_app)
-
- allow logger_app app_api_service:service_manager find;
- allow logger_app surfaceflinger_service:service_manager find;
-
allow logger_app vendor_radio_data_file:file create_file_perms;
allow logger_app vendor_radio_data_file:dir create_dir_perms;
@@ -16,8 +8,16 @@ userdebug_or_eng(`
allow logger_app tcpdump_vendor_data_file:dir create_dir_perms;
allow logger_app tcpdump_vendor_data_file:file create_file_perms;
+ get_prop(logger_app, radio_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
+ set_prop(logger_app, vendor_ssr_prop)
set_prop(logger_app, vendor_cnss_diag_prop)
set_prop(logger_app, vendor_modem_diag_prop)
set_prop(logger_app, vendor_tcpdump_log_prop)
set_prop(logger_app, vendor_wifi_sniffer_prop)
+ set_prop(logger_app, vendor_usb_prop)
+ set_prop(logger_app, vendor_logging_prop)
+ set_prop(logger_app, vendor_logger_prop)
')
diff --git a/vendor/google/modem_diagnostics.te b/vendor/google/modem_diagnostics.te
index fcc327c..d0151c8 100644
--- a/vendor/google/modem_diagnostics.te
+++ b/vendor/google/modem_diagnostics.te
@@ -14,8 +14,14 @@ userdebug_or_eng(`
allow modem_diagnostic_app sysfs_esim:file r_file_perms;
+ allow modem_diagnostic_app ssr_log_file:dir r_dir_perms;
+ allow modem_diagnostic_app ssr_log_file:file r_file_perms;
+
unix_socket_connect(modem_diagnostic_app, diag, qlogd);
set_prop(modem_diagnostic_app, vendor_modem_diag_prop)
- set_prop(modem_diagnostic_app, exported3_radio_prop)
+ set_prop(modem_diagnostic_app, radio_control_prop)
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
')
diff --git a/vendor/google/modem_svc.te b/vendor/google/modem_svc.te
index 152c0fd..a19f555 100644
--- a/vendor/google/modem_svc.te
+++ b/vendor/google/modem_svc.te
@@ -10,8 +10,7 @@ allow modem_svc self:qipcrtr_socket create_socket_perms_no_ioctl;
set_prop(modem_svc, vendor_modem_diag_prop)
set_prop(modem_svc, vendor_modem_prop)
get_prop(modem_svc, vendor_build_type_prop)
-get_prop(modem_svc, exported2_default_prop)
-get_prop(modem_svc, exported3_radio_prop)
+get_prop(modem_svc, radio_control_prop)
# For bugreport collection
allow modem_svc hal_dumpstate_impl:fd use;
diff --git a/vendor/google/nfc.te b/vendor/google/nfc.te
deleted file mode 100644
index 90efccc..0000000
--- a/vendor/google/nfc.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(hal_nfc_default, vendor_modem_prop)
diff --git a/vendor/google/oslo_app.te b/vendor/google/oslo_app.te
index dee69e0..cd32e85 100644
--- a/vendor/google/oslo_app.te
+++ b/vendor/google/oslo_app.te
@@ -3,7 +3,9 @@ type oslo_app, domain;
app_domain(oslo_app)
allow oslo_app fwk_stats_hwservice:hwservice_manager find;
+allow oslo_app fwk_stats_service:service_manager find;
binder_call(oslo_app, statsd)
+binder_use(oslo_app)
allow oslo_app app_api_service:service_manager find;
allow oslo_app audioserver_service:service_manager find;
@@ -13,3 +15,6 @@ allow oslo_app radio_service:service_manager find;
r_dir_file(oslo_app, persist_oslo_file)
allow oslo_app mnt_vendor_file:dir search;
allow oslo_app persist_file:dir search;
+
+get_prop(oslo_app, vendor_aware_available_prop)
+get_prop(oslo_app, pixel_oslo_debug_prop)
diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te
index c8b7efa..bc8b05b 100644
--- a/vendor/google/pixelstats_vendor.te
+++ b/vendor/google/pixelstats_vendor.te
@@ -1,9 +1,3 @@
-# pixelstats vendor
-type pixelstats_vendor, domain;
-
-type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(pixelstats_vendor)
-
get_prop(pixelstats_vendor, hwservicemanager_prop)
hwbinder_use(pixelstats_vendor)
allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
@@ -12,13 +6,15 @@ binder_call(pixelstats_vendor, pixelstats_system)
allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
binder_call(pixelstats_vendor, stats_service_server)
+binder_use(pixelstats_vendor)
+allow pixelstats_vendor fwk_stats_service:service_manager find;
+
unix_socket_connect(pixelstats_vendor, chre, chre)
allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
r_dir_file(pixelstats_vendor, sysfs_pixelstats)
-r_dir_file(pixelstats_vendor, sysfs_batteryinfo)
-allow pixelstats_vendor self:netlink_kobject_uevent_socket { create getopt setopt bind read };
+r_dir_file(pixelstats_vendor, sysfs_typec_info)
# wlc
allow pixelstats_vendor sysfs_wlc:dir search;
diff --git a/vendor/google/property.te b/vendor/google/property.te
index b8ed500..cc45aa3 100644
--- a/vendor/google/property.te
+++ b/vendor/google/property.te
@@ -1,33 +1,35 @@
# Tcpdump_logger
-type vendor_tcpdump_log_prop, property_type;
+vendor_internal_prop(vendor_tcpdump_log_prop)
#face HAL
-type vendor_faceauth_prop, property_type;
+vendor_internal_prop(vendor_faceauth_prop)
# Vendor build type
-type vendor_build_type_prop, property_type;
+vendor_internal_prop(vendor_build_type_prop)
# Vendor aware available type
-type vendor_aware_available_prop, property_type;
+vendor_restricted_prop(vendor_aware_available_prop)
# Modem property
-type vendor_modem_prop, property_type;
+vendor_internal_prop(vendor_modem_prop)
# Camera read only property
-type camera_ro_prop, property_type;
+vendor_restricted_prop(camera_ro_prop)
#ramoops
-type vendor_ramoops_prop, property_type;
+vendor_internal_prop(vendor_ramoops_prop)
+
+# battery_profile
+vendor_internal_prop(vendor_battery_profile_prop)
#ecoservice
-type ecoservice_prop, property_type;
+vendor_internal_prop(ecoservice_prop)
# hal_health
-type vendor_shutdown_prop, property_type;
-type vendor_battery_defender_prop, property_type;
+vendor_internal_prop(vendor_shutdown_prop)
+vendor_internal_prop(vendor_battery_defender_prop)
-# SecureElement property
-type vendor_secure_element_prop, property_type;
+vendor_internal_prop(vendor_device_prop)
-# wifi_sniffer
-type vendor_wifi_sniffer_prop, property_type;
+# Logger
+vendor_internal_prop(vendor_logger_prop)
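Review bot: The hunk removes the declaration of `vendor_wifi_sniffer_prop`, but logger_app.te in this same commit still contains `set_prop(logger_app, vendor_wifi_sniffer_prop)`. The type therefore has to be declared somewhere outside this diff or the policy will not compile; that is presumably the case, but worth confirming. `vendor_internal_prop(vendor_device_prop)` is the only new declaration without a comment; `# Module/device readiness, set by init-insmod-sh` would match its use in property_contexts and init-insmod-sh.te. The two `vendor_restricted_prop` declarations (`vendor_aware_available_prop`, `camera_ro_prop`) should also say who reads them outside vendor domains.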
diff --git a/vendor/google/property_contexts b/vendor/google/property_contexts
index 262866e..993a356 100644
--- a/vendor/google/property_contexts
+++ b/vendor/google/property_contexts
@@ -22,6 +22,9 @@ vendor.display.native_display_primaries_ready u:object_r:vendor_display_prop:s
# battery
vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+# test battery profile
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+
# Tcpdump_logger
persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
@@ -67,10 +70,9 @@ persist.vendor.mdm. u:object_r:vendor_modem_prop:s0
# ramoops
vendor.ramoops. u:object_r:vendor_ramoops_prop:s0
-# SecureElement
-persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
-# wifi_sniffer
-persist.vendor.wifi.sniffer.freq u:object_r:vendor_wifi_sniffer_prop:s0
-persist.vendor.wifi.sniffer.bandwidth u:object_r:vendor_wifi_sniffer_prop:s0
-vendor.wifi.sniffer.start u:object_r:vendor_wifi_sniffer_prop:s0
+# Logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
diff --git a/vendor/google/ramdump.te b/vendor/google/ramdump.te
deleted file mode 100644
index 699c4a1..0000000
--- a/vendor/google/ramdump.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type ramdump_exec, exec_type, vendor_file_type, file_type;
-
-userdebug_or_eng(`
- type ramdump, domain;
- init_daemon_domain(ramdump)
-
- set_prop(ramdump, vendor_ramdump_prop)
-
- # f2fs set pin file requires sys_admin
- allow ramdump self:capability sys_admin;
-
- allow ramdump self:capability sys_rawio;
-
- allow ramdump ramdump_vendor_data_file:dir create_dir_perms;
- allow ramdump ramdump_vendor_data_file:file create_file_perms;
- allow ramdump proc_cmdline:file r_file_perms;
-
- allow ramdump block_device:dir search;
- allow ramdump misc_block_device:blk_file rw_file_perms;
- allow ramdump userdata_block_device:blk_file rw_file_perms;
-
- dontaudit ramdump metadata_file:dir search;
-
- r_dir_file(ramdump, sysfs_type)
-
- # To access statsd.
- hwbinder_use(ramdump)
- get_prop(ramdump, hwservicemanager_prop)
- allow ramdump fwk_stats_hwservice:hwservice_manager find;
- binder_call(ramdump, stats_service_server)
-
- # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump.
- allow ramdump fuse:filesystem relabelfrom;
- allow ramdump fuse_device:chr_file rw_file_perms;
- allow ramdump mnt_vendor_file:dir r_dir_perms;
- allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton };
- allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto };
-')
diff --git a/vendor/google/recovery.te b/vendor/google/recovery.te
index 7e7925c..39cb557 100644
--- a/vendor/google/recovery.te
+++ b/vendor/google/recovery.te
@@ -1,5 +1,4 @@
recovery_only(`
- allow recovery citadel_device:chr_file rw_file_perms;
allow recovery sg_device:chr_file rw_file_perms;
allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
')
diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts
index 9736cf5..22a72f2 100644
--- a/vendor/google/seapp_contexts
+++ b/vendor/google/seapp_contexts
@@ -1,16 +1,13 @@
# Domain for Ramdump
-user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
# Domain for grilservice
-user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
# Domain for Modem Diagnostic System
user=_app seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
-# Domain for Pixel Logger
-user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
-
# Domain for Oslo
user=_app seinfo=platform name=com.google.oslo domain=oslo_app type=app_data_file levelFrom=all
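Review bot: The grilservice entry drops `seinfo=platform` and keeps only `isPrivApp=true`, so assignment to `grilservice_app` no longer depends on the signing-certificate class, only on package name and privileged-app status. The `uv_exposure_reporter` entry in the next hunk makes the same swap. That is presumably needed because the APKs are no longer platform-signed, but it should be stated in a comment. A dedicated `seinfo` value, as the `seinfo=mds` entry uses for `com.google.mds`, would keep the domain bound to a specific signer. The `levelFrom=user` added to the `ssr_detector_app` line is not explained either.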
@@ -30,4 +27,4 @@ user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_tou
user=_app seinfo=platform name=com.google.android.devicedropmonitor domain=device_drop_monitor type=app_data_file levelFrom=all
# Domain for UvExposureReporter service
-user=_app seinfo=platform name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all
+user=_app isPrivApp=true name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all
diff --git a/vendor/google/service.te b/vendor/google/service.te
new file mode 100644
index 0000000..9c935e9
--- /dev/null
+++ b/vendor/google/service.te
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts
new file mode 100644
index 0000000..4bac73b
--- /dev/null
+++ b/vendor/google/service_contexts
@@ -0,0 +1,2 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
diff --git a/vendor/google/ssr_detector.te b/vendor/google/ssr_detector.te
index 1f8da5b..6a9e32e 100644
--- a/vendor/google/ssr_detector.te
+++ b/vendor/google/ssr_detector.te
@@ -22,6 +22,8 @@ allow ssr_detector_app sysfs:lnk_file r_file_perms;
r_dir_file(ssr_detector_app, sysfs_msm_subsys)
+allow ssr_detector_app sysfs_ssr_writable:file getattr;
+
allow ssr_detector_app cgroup:file w_file_perms;
r_dir_file(ssr_detector_app, sysfs_ssr)
# set dontaudit for ssr_detector app to access faceauth subsys.
diff --git a/vendor/google/twoshay.te b/vendor/google/twoshay.te
deleted file mode 100644
index fc33822..0000000
--- a/vendor/google/twoshay.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type twoshay, domain, coredomain;
-type twoshay_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(twoshay)
-
-allow twoshay touch_offload_device:chr_file rw_file_perms;
diff --git a/vendor/google/uv_exposure_reporter.te b/vendor/google/uv_exposure_reporter.te
index 1d9ae56..8aa682a 100644
--- a/vendor/google/uv_exposure_reporter.te
+++ b/vendor/google/uv_exposure_reporter.te
@@ -1,13 +1,11 @@
-type uv_exposure_reporter, domain;
+type uv_exposure_reporter, domain, coredomain;
-userdebug_or_eng(`
- app_domain(uv_exposure_reporter)
-
- allow uv_exposure_reporter app_api_service:service_manager find;
- allow uv_exposure_reporter fwk_stats_hwservice:hwservice_manager find;
- allow uv_exposure_reporter sysfs_msm_subsys:dir search;
- allow uv_exposure_reporter sysfs_msm_subsys:file r_file_perms;
- binder_call(uv_exposure_reporter, gpuservice);
- binder_call(uv_exposure_reporter, stats_service_server);
-')
+app_domain(uv_exposure_reporter)
+allow uv_exposure_reporter app_api_service:service_manager find;
+allow uv_exposure_reporter fwk_stats_hwservice:hwservice_manager find;
+allow uv_exposure_reporter sysfs_msm_subsys:dir search;
+allow uv_exposure_reporter sysfs_msm_subsys:file r_file_perms;
+binder_call(uv_exposure_reporter, stats_service_server);
+allow uv_exposure_reporter fwk_stats_service:service_manager find;
+binder_use(uv_exposure_reporter)
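Review bot: The rules that used to sit inside `userdebug_or_eng(` are now unconditional, so `uv_exposure_reporter` keeps its `sysfs_msm_subsys` read access and stats-service binder access on user builds, and nothing in the file records why. The seapp_contexts entry earlier in this commit now selects the domain by `isPrivApp=true` plus package name instead of `seinfo=platform`, so the signing-certificate match no longer gates entry into the domain; please confirm that is intended. The added `coredomain` attribute (also added to `con_monitor_app` in vendor/qcom/common/con_monitor.te) marks a type declared under vendor/ as a system-side domain. I would add a header comment such as `# UvExposureReporter priv-app: system-side (coredomain), enabled on all build types`.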
diff --git a/vendor/google/vendor_init.te b/vendor/google/vendor_init.te
index 7ec076d..a1ce315 100644
--- a/vendor/google/vendor_init.te
+++ b/vendor/google/vendor_init.te
@@ -31,4 +31,9 @@ userdebug_or_eng(`
set_prop(vendor_init, vendor_tcpdump_log_prop)
')
+allow vendor_init proc_sched_lib_mask_cpuinfo:file w_file_perms;
+
set_prop(vendor_init, vendor_logging_prop)
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, vendor_battery_profile_prop)
+set_prop(vendor_init, vendor_battery_defender_prop)
diff --git a/vendor/google/vendor_shell.te b/vendor/google/vendor_shell.te
new file mode 100644
index 0000000..2ace587
--- /dev/null
+++ b/vendor/google/vendor_shell.te
@@ -0,0 +1 @@
+set_prop(vendor_shell, vendor_battery_profile_prop)
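Review bot: This new file lets `vendor_shell` write `vendor_battery_profile_prop` on every build type and carries no comment. vendor_init.te in this commit reads the same property next to `test_harness_prop`, which hints at a test or debug use. If that is the case, wrapping the rule in `userdebug_or_eng(` would keep it off user builds. Otherwise a one-line comment naming the script that sets the property would make the grant reviewable.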
diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te
index 8047846..3d188a0 100644
--- a/vendor/google/vndservice.te
+++ b/vendor/google/vndservice.te
@@ -1,6 +1,4 @@
-type citadeld_service, vndservice_manager_type;
type rls_service, vndservice_manager_type;
-type power_stats_service, vndservice_manager_type;
type airbrush_faceauth_service, vndservice_manager_type;
type airbrush_tpu_service, vndservice_manager_type;
type eco_service, vndservice_manager_type;
diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts
index f0744bd..d40c014 100644
--- a/vendor/google/vndservice_contexts
+++ b/vendor/google/vndservice_contexts
@@ -1,7 +1,5 @@
-android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
rlsservice u:object_r:rls_service:s0
airbrush_faceauth u:object_r:airbrush_faceauth_service:s0
airbrush_tpu u:object_r:airbrush_tpu_service:s0
-power.stats-vendor u:object_r:power_stats_service:s0
media.ecoservice u:object_r:eco_service:s0
diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te
deleted file mode 100644
index c9586c8..0000000
--- a/vendor/google/wait_for_strongbox.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# wait_for_strongbox service
-type wait_for_strongbox, domain;
-type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wait_for_strongbox)
-
-hal_client_domain(wait_for_strongbox, hal_keymaster)
-
-allow wait_for_strongbox kmsg_device:chr_file w_file_perms; \ No newline at end of file
diff --git a/vendor/google/wifi_sniffer.te b/vendor/google/wifi_sniffer.te
index b87a51f..17cdca8 100644
--- a/vendor/google/wifi_sniffer.te
+++ b/vendor/google/wifi_sniffer.te
@@ -1,20 +1,3 @@
-type wifi_sniffer, domain;
-type wifi_sniffer_exec, exec_type, vendor_file_type, file_type;
-
userdebug_or_eng(`
- # make transition from init to its domain
- init_daemon_domain(wifi_sniffer)
- net_domain(wifi_sniffer)
-
-# configurate con mode
- allow wifi_sniffer self:capability net_admin;
- allow wifi_sniffer sysfs_wifi_conmode:file rw_file_perms;
-
-# interface up
- allowxperm wifi_sniffer self:udp_socket ioctl SIOCSIFFLAGS;
- allow wifi_sniffer self:netlink_generic_socket create_socket_perms_no_ioctl;
-
- get_prop(wifi_sniffer, vendor_wifi_sniffer_prop)
-
dontaudit wifi_sniffer debugfs_wlan:dir search;
')
diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te
index bb34e84..ba9a5fc 100644
--- a/vendor/qcom/common/cnd.te
+++ b/vendor/qcom/common/cnd.te
@@ -50,6 +50,7 @@ allow cnd ipa_vendor_data_file:file r_file_perms;
# To register cnd to hwbinder
add_hwservice(cnd, hal_datafactory_hwservice)
+add_hwservice(cnd, hal_mwqemadapter_hwservice)
hwbinder_use(cnd)
get_prop(cnd, hwservicemanager_prop)
binder_call(cnd, dataservice_app)
@@ -63,3 +64,5 @@ userdebug_or_eng(`
# For WFC call(RAT change into IWLAN)
binder_call(cnd, qtidataservices_app)
+
+get_prop(cnd, wifi_hal_prop)
diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te
index 5108d1c..6acd6dc 100644
--- a/vendor/qcom/common/con_monitor.te
+++ b/vendor/qcom/common/con_monitor.te
@@ -1,5 +1,5 @@
# ConnectivityMonitor app
-type con_monitor_app, domain;
+type con_monitor_app, domain, coredomain;
app_domain(con_monitor_app)
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 0284a07..aa14724 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -197,9 +197,6 @@ type persist_alarm_file, file_type, vendor_persist_type;
type persist_time_file, file_type, vendor_persist_type;
-# nfc file type for data vendor access
-type nfc_vendor_data_file, file_type, data_file_type;
-
# kgsl file type for sysfs access
type sysfs_kgsl, sysfs_type, fs_type;
type sysfs_kgsl_proc, sysfs_type, fs_type;
@@ -289,12 +286,6 @@ type vendor_bt_data_file, file_type, data_file_type;
#sysfs jpeg
type sysfs_jpeg, fs_type, sysfs_type;
-#SSR Log Files
-type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-
-# RamdumpFs files
-type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
-
# npu file
type sysfs_npu, fs_type, sysfs_type;
@@ -345,3 +336,6 @@ type cnss_vendor_data_file, file_type, data_file_type, mlstrustedobject;
# modem factory data reset file
type modem_fdr_file, file_type, data_file_type;
+
+# Warm reset
+type sysfs_poweroff, sysfs_type, fs_type; \ No newline at end of file
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index f329e37..cfbb63c 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -76,7 +76,7 @@
/(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
/(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
@@ -92,8 +92,9 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
/vendor/bin/hw/vendor\.qti\.hardware\.qseecom@1\.0-service u:object_r:hal_qseecom_default_exec:s0
@@ -136,12 +137,6 @@
/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
###################################
-# ramdumpfs files
-#
-/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-
-###################################
# adsp files
#
/(vendor|system/vendor)/dsp(/.*)? u:object_r:adsprpcd_file:s0
@@ -167,6 +162,8 @@
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
@@ -238,8 +235,6 @@
#
/vendor/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
-/dev/st21nfc u:object_r:nfc_device:s0
-/data/nfc(/.*)? u:object_r:nfc_data_file:s0
#Android NN Driver
/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:hal_neuralnetworks_default_exec:s0
@@ -275,6 +270,7 @@
/dev/msm_.* u:object_r:audio_device:s0
/dev/ramdump_.* u:object_r:ramdump_device:s0
/dev/at_.* u:object_r:at_device:s0
+/dev/qce u:object_r:qce_device:s0
# dev socket nodes
/dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0
@@ -293,7 +289,6 @@
/data/vendor/netmgr(/.*)? u:object_r:netmgrd_data_file:s0
/data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
-/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
/data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0
/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 667062e..72cdede 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts
@@ -27,3 +27,8 @@ genfscon sysfs /module/diagchar/parameters/timestamp_switch
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000 u:object_r:sysfs_data:s0
genfscon sysfs /devices/virtual/xt_hardidletimer/timers u:object_r:sysfs_data:s0
genfscon sysfs /devices/virtual/xt_idletimer/timers u:object_r:sysfs_data:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0
+
+# Poweroff for warm_reset in recovery mode
+genfscon sysfs /module/msm_poweroff u:object_r:sysfs_poweroff:s0
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 0b3e295..2f8fbdd 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
@@ -11,3 +11,5 @@ allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
binder_call(hal_drm_widevine, hal_graphics_composer_default)
allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine qce_device:chr_file rw_file_perms;
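Review bot: The new `qce_device` rule opens a device node read-write to the Widevine HAL without a comment, unlike most grants in these policy files. file_contexts in this commit labels `/dev/qce` with that type, so a line such as `# Widevine HAL opens /dev/qce` above the rule would tie the two together. The declaration of `qce_device` is not in the visible part of the diff.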
diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te
index d9675cd..4e19250 100644
--- a/vendor/qcom/common/hal_gnss_qti.te
+++ b/vendor/qcom/common/hal_gnss_qti.te
@@ -26,5 +26,7 @@ allow hal_gnss_qti location:unix_dgram_socket sendto;
allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow hal_gnss_qti location_data_file:dir r_dir_perms;
+
# Allow Gnss HAL to get updates from health hal
hal_client_domain(hal_gnss_qti, hal_health)
diff --git a/vendor/qcom/common/hal_neuralnetworks.te b/vendor/qcom/common/hal_neuralnetworks.te
index 5fc3015..2a4e676 100644
--- a/vendor/qcom/common/hal_neuralnetworks.te
+++ b/vendor/qcom/common/hal_neuralnetworks.te
@@ -15,3 +15,6 @@ allow hal_neuralnetworks_default gpu_device:chr_file rw_file_perms;
r_dir_file(hal_neuralnetworks_default, sysfs_soc)
r_dir_file(hal_neuralnetworks_default, adsprpcd_file)
+
+# b/159570217 suppress warning related to zeroth.debuglog.logmask
+dontaudit hal_neuralnetworks_default default_prop:file { open read };
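Review bot: The `dontaudit` on `default_prop` hides every read denial for unlabeled properties from this HAL, not only the one for `zeroth.debuglog.logmask` named in the comment. A later missing property label would therefore go unnoticed in this domain. Labelling that property with a vendor property type in property_contexts and granting `get_prop` on it would remove the denial at its source. If the suppression stays, the comment should say that it is intentionally broad.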
diff --git a/vendor/qcom/common/hal_nfc_default.te b/vendor/qcom/common/hal_nfc_default.te
deleted file mode 100644
index 3044f1d..0000000
--- a/vendor/qcom/common/hal_nfc_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Data file accesses.
-allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
-allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
diff --git a/vendor/qcom/common/hal_rcsservice.te b/vendor/qcom/common/hal_rcsservice.te
index a298231..e88370a 100644
--- a/vendor/qcom/common/hal_rcsservice.te
+++ b/vendor/qcom/common/hal_rcsservice.te
@@ -10,6 +10,8 @@ hwbinder_use(hal_rcsservice)
# add IUceSerive and IService to Hidl interface
add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice)
+# add imsfactory to HIDl interface
+add_hwservice(hal_rcsservice, hal_imsfactory_hwservice)
get_prop(hal_rcsservice, hwservicemanager_prop)
get_prop(hal_rcsservice, qcom_ims_prop)
diff --git a/vendor/qcom/common/hal_sensors_default.te b/vendor/qcom/common/hal_sensors_default.te
index 39625f2..a278772 100644
--- a/vendor/qcom/common/hal_sensors_default.te
+++ b/vendor/qcom/common/hal_sensors_default.te
@@ -42,6 +42,8 @@ allow hal_sensors_default hal_graphics_mapper_hwservice:hwservice_manager find;
# For Suez metrics collection
allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
allow hal_sensors_default system_server:binder call;
+allow hal_sensors_default fwk_stats_service:service_manager find;
+binder_use(hal_sensors_default)
dontaudit hal_sensors_default kernel:system module_request;
dontaudit hal_sensors_default sysfs_esoc:dir r_dir_perms;
diff --git a/vendor/qcom/common/hal_wifi_ext.te b/vendor/qcom/common/hal_wifi_ext.te
index e9750ff..3a16e2e 100644
--- a/vendor/qcom/common/hal_wifi_ext.te
+++ b/vendor/qcom/common/hal_wifi_ext.te
@@ -1,4 +1,4 @@
-allow hal_wifi_ext wlan_device:chr_file w_file_perms;
+allow hal_wifi_ext wlan_device:chr_file { w_file_perms read };
# Allow wifi hal access to LOWI
allow hal_wifi_ext location:unix_stream_socket connectto;
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index f53ee3e..6fe589d 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
@@ -1,26 +1,27 @@
-type hal_display_color_hwservice, hwservice_manager_type;
-type hal_iwlan_hwservice, hwservice_manager_type;
-type hal_display_config_hwservice, hwservice_manager_type;
-type hal_display_postproc_hwservice, hwservice_manager_type;
-type hal_dpmqmi_hwservice, hwservice_manager_type;
-type hal_imsrtp_hwservice, hwservice_manager_type;
-type hal_imscallinfo_hwservice, hwservice_manager_type;
-type wifidisplayhalservice_hwservice, hwservice_manager_type;
-type hal_datafactory_hwservice, hwservice_manager_type;
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_latency_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
-type hal_ipacm_hwservice, hwservice_manager_type;
-type hal_wigig_hwservice, hwservice_manager_type;
-type hal_qteeconnector_hwservice, hwservice_manager_type;
-type hal_voiceprint_hwservice, hwservice_manager_type;
-type vendor_hal_factory_qti_hwservice, hwservice_manager_type;
-type hal_wigig_npt_hwservice, hwservice_manager_type;
-type hal_tui_comm_hwservice, hwservice_manager_type;
-type hal_qdutils_disp_hwservice, hwservice_manager_type;
-type vnd_atcmdfwd_hwservice, hwservice_manager_type;
-type hal_dataconnection_hwservice, hwservice_manager_type;
-type hal_bluetooth_sar_hwservice, hwservice_manager_type;
-type hal_cacert_hwservice, hwservice_manager_type;
-type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type;
-type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_display_color_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_iwlan_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_config_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_postproc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dpmqmi_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrtp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type wifidisplayhalservice_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_datafactory_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cne_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_latency_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_ipacm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wigig_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qteeconnector_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_voiceprint_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vendor_hal_factory_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wigig_npt_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_tui_comm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
+type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_imsfactory_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
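Review bot: `hal_mwqemadapter_hwservice` is the only type on the new side of this hunk declared without `vendor_hwservice_type`; every other line, including the new `hal_imsfactory_hwservice`, carries it. Unless the omission is deliberate, the line should read `type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;`. The hunk also drops the `hal_bluetooth_sar_hwservice` declaration while hwservice_contexts in this commit still maps `IBluetoothSar` to it. That type presumably lives in another file now, and a short comment pointing there would help.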
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index b538720..8049b91 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
@@ -8,11 +8,11 @@ vendor.display.color::IDisplayColor u:object
vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
-vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_sar_hwservice:s0
vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0
vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0
vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0
vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0
@@ -24,6 +24,7 @@ vendor.qti.hardware.tui_comm::ITuiComm u:object
vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vnd_atcmdfwd_hwservice:s0
vendor.qti.hardware.data.latency::ILinkLatency u:object_r:hal_latency_hwservice:s0
vendor.qti.data.factory::IFactory u:object_r:hal_datafactory_hwservice:s0
+vendor.qti.ims.factory::IImsFactory u:object_r:hal_imsfactory_hwservice:s0
vendor.qti.imsrtpservice::IRTPService u:object_r:hal_imsrtp_hwservice:s0
vendor.qti.hardware.cacert::IService u:object_r:hal_cacert_hwservice:s0
hardware.google.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
@@ -32,3 +33,5 @@ vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object
vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0
vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0
+vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0
+vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_sar_hwservice:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..f5a6c31
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
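Review bot: `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);` ends with a stray `;` that the `init_daemon_domain(...)` call above it does not have; dropping it keeps the macro calls uniform. The two `rx_file_perms` rules on `vendor_shell_exec` and `vendor_toolbox_exec` have no comment. Something like `# init.qti.keymaster.sh runs under the vendor shell and calls vendor toolbox` would state why a domain that sets one property needs to execute both (presumably that is the reason).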
diff --git a/vendor/qcom/common/init.te b/vendor/qcom/common/init.te
index 53d11fa..816bf3d 100644
--- a/vendor/qcom/common/init.te
+++ b/vendor/qcom/common/init.te
@@ -1,2 +1,4 @@
allow init boot_block_device:lnk_file relabelto;
allow init custom_ab_block_device:lnk_file relabelto;
+allow init sysfs_poweroff:file w_file_perms;
+allow init sysfs_scsi_devices_0000:file w_file_perms;
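Review bot: Both new rules give `init` write access to sysfs nodes without a comment saying which init action needs it. genfs_contexts in this commit labels `/module/msm_poweroff` for warm reset in recovery mode, so the first line could carry `# Warm reset in recovery mode writes /sys/module/msm_poweroff`. The `sysfs_scsi_devices_0000` rule has no explanation anywhere in the visible diff and needs a comment of its own.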
diff --git a/vendor/qcom/common/location.te b/vendor/qcom/common/location.te
index df981ec..816f7e6 100644
--- a/vendor/qcom/common/location.te
+++ b/vendor/qcom/common/location.te
@@ -64,3 +64,4 @@ userdebug_or_eng(`
allow location diag_device:chr_file rw_file_perms;
')
+get_prop(location, wifi_hal_prop)
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te
new file mode 100644
index 0000000..ab3f09d
--- /dev/null
+++ b/vendor/qcom/common/mediatranscoding.te
@@ -0,0 +1,2 @@
+get_prop(domain, vendor_display_prop)
+
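Review bot: `get_prop(domain, vendor_display_prop)` grants read access to every domain on the device, although the file name suggests the rule was meant for the media transcoding service only. If so, the source should be the specific type, `get_prop(mediatranscoding, vendor_display_prop)` (assuming that is the platform domain's name). If a device-wide read is intended, a comment saying so, and moving the rule to a file such as domain.te, would keep the scope visible to reviewers.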
diff --git a/vendor/qcom/common/pd_services.te b/vendor/qcom/common/pd_services.te
index d2f532b..4b06b5e 100644
--- a/vendor/qcom/common/pd_services.te
+++ b/vendor/qcom/common/pd_services.te
@@ -6,7 +6,7 @@ init_daemon_domain(vendor_pd_mapper);
allow vendor_pd_mapper self:qipcrtr_socket create_socket_perms_no_ioctl;
userdebug_or_eng(`
- allow vendor_pd_mapper kmsg_device:chr_file w_file_perms;
+ allow vendor_pd_mapper kmsg_device:chr_file rw_file_perms;
')
dontaudit vendor_pd_mapper sysfs_msm_subsys:dir search;
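Review bot: Widening `kmsg_device` from `w_file_perms` to `rw_file_perms` lets `vendor_pd_mapper` read the kernel log as well as write to it, and the hunk gives no reason. The rule stays inside `userdebug_or_eng(`, so user builds are unaffected. A comment such as `# debug builds only: pd-mapper reads back /dev/kmsg` would record the intent, if that is in fact the reason.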
diff --git a/vendor/qcom/common/peripheral_manager.te b/vendor/qcom/common/peripheral_manager.te
index 5476827..c5478d1 100644
--- a/vendor/qcom/common/peripheral_manager.te
+++ b/vendor/qcom/common/peripheral_manager.te
@@ -9,6 +9,7 @@ vndbinder_use(vendor_per_mgr)
binder_call(vendor_per_mgr, vendor_per_mgr)
binder_call(vendor_per_mgr, wcnss_service)
binder_call(vendor_per_mgr, rild)
+binder_call(vendor_per_mgr, hal_gnss)
set_prop(vendor_per_mgr, vendor_per_mgr_state_prop)
allow vendor_per_mgr self:qipcrtr_socket create_socket_perms_no_ioctl;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index 4bdf910..d0c1569 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -1,144 +1,143 @@
# property for uicc_daemon
-type uicc_prop, property_type;
-type qcom_ims_prop, property_type;
-type ctl_vendor_netmgrd_prop, property_type;
-type ctl_vendor_port-bridge_prop, property_type;
-type ctl_qcrild_prop, property_type;
-type vendor_tee_listener_prop, property_type;
-type ctl_vendor_rild_prop, property_type;
-type vendor_disable_spu_prop, property_type;
+vendor_internal_prop(uicc_prop)
+vendor_restricted_prop(qcom_ims_prop)
+vendor_internal_prop(ctl_vendor_netmgrd_prop)
+vendor_internal_prop(ctl_vendor_port-bridge_prop)
+vendor_internal_prop(ctl_qcrild_prop)
+vendor_internal_prop(vendor_tee_listener_prop)
+vendor_internal_prop(ctl_vendor_rild_prop)
+vendor_internal_prop(vendor_disable_spu_prop)
# property for LKCore ctl start
-type ctl_LKCore_prop, property_type;
-
-type freq_prop, property_type;
-type vendor_dataqti_prop, property_type;
-type cnd_vendor_prop, property_type;
-type sensors_prop, property_type;
-type slpi_prop, property_type;
-type msm_irqbalance_prop, property_type;
-type msm_irqbl_sdm630_prop, property_type;
-type camera_prop, property_type;
-type spcomlib_prop, property_type;
-type vendor_display_prop, property_type;
-type scr_enabled_prop, property_type;
-type bg_boot_complete_prop, property_type;
-type opengles_prop, property_type;
-type mdm_helper_prop, property_type;
-type vendor_mpctl_prop, property_type;
-type vendor_iop_prop, property_type;
+vendor_internal_prop(ctl_LKCore_prop)
+
+vendor_internal_prop(freq_prop)
+vendor_internal_prop(vendor_dataqti_prop)
+vendor_restricted_prop(cnd_vendor_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(slpi_prop)
+vendor_internal_prop(msm_irqbalance_prop)
+vendor_internal_prop(msm_irqbl_sdm630_prop)
+vendor_restricted_prop(camera_prop)
+vendor_internal_prop(spcomlib_prop)
+vendor_restricted_prop(vendor_display_prop)
+vendor_internal_prop(scr_enabled_prop)
+vendor_internal_prop(bg_boot_complete_prop)
+vendor_internal_prop(opengles_prop)
+vendor_internal_prop(mdm_helper_prop)
+vendor_internal_prop(vendor_mpctl_prop)
+vendor_internal_prop(vendor_iop_prop)
#Scroll Pre-obtain
-type vendor_preobtain_prop, property_type;
+vendor_internal_prop(vendor_preobtain_prop)
# properties for ActivityManager tuning
-type vendor_am_prop, property_type;
+vendor_internal_prop(vendor_am_prop)
#Needed for ubwc support
-type vendor_gralloc_prop, property_type;
+vendor_internal_prop(vendor_gralloc_prop)
-type fm_prop, property_type;
-type chgdiabled_prop, property_type;
+vendor_internal_prop(fm_prop)
+vendor_internal_prop(chgdiabled_prop)
-type vendor_xlat_prop, property_type;
+vendor_internal_prop(vendor_xlat_prop)
# property for location
-type location_prop, property_type;
+vendor_internal_prop(location_prop)
#properites for init.qcom.sh script
-type qemu_hw_mainkeys_prop, property_type;
-type vendor_usb_prop, property_type;
-type public_vendor_system_prop, property_type;
+vendor_internal_prop(qemu_hw_mainkeys_prop)
+vendor_internal_prop(vendor_usb_prop)
+vendor_internal_prop(public_vendor_system_prop)
-type vendor_coresight_prop, property_type;
+vendor_internal_prop(vendor_coresight_prop)
-type public_vendor_default_prop, property_type;
+vendor_restricted_prop(public_vendor_default_prop)
-type vendor_alarm_boot_prop, property_type;
+vendor_internal_prop(vendor_alarm_boot_prop)
# DOLBY_START
-type dolby_prop, property_type;
+vendor_internal_prop(dolby_prop)
# DOLBY_END
# WIGIG
-type wigig_prop, property_type;
-type fst_prop, property_type;
-type ctl_vendor_wigigsvc_prop, property_type;
+vendor_internal_prop(wigig_prop)
+vendor_internal_prop(fst_prop)
+vendor_internal_prop(ctl_vendor_wigigsvc_prop)
#HWUI property
-type hwui_prop, property_type;
+vendor_internal_prop(hwui_prop)
-type graphics_vulkan_prop, property_type;
+vendor_internal_prop(graphics_vulkan_prop)
#Bservice property
-type bservice_prop, property_type;
+vendor_internal_prop(bservice_prop)
#Delayed Service Reschedule property
-type reschedule_service_prop, property_type;
+vendor_internal_prop(reschedule_service_prop)
#boot mode property
-type vendor_boot_mode_prop, property_type;
+vendor_internal_prop(vendor_boot_mode_prop)
#properties for nfc
-type nfc_nq_prop, property_type;
+vendor_internal_prop(nfc_nq_prop)
-type vendor_rild_libpath_prop, property_type;
+vendor_internal_prop(vendor_rild_libpath_prop)
#Peripheral manager
-type vendor_per_mgr_state_prop, property_type;
+vendor_internal_prop(vendor_per_mgr_state_prop)
-type vendor_system_prop, property_type;
+vendor_internal_prop(vendor_system_prop)
# Bluetooth props
-type vendor_bluetooth_prop, property_type;
+vendor_internal_prop(vendor_bluetooth_prop)
#WiFi Display
-type wfd_service_prop, property_type;
-type wfd_debug_prop, property_type;
+vendor_internal_prop(wfd_service_prop)
+vendor_internal_prop(wfd_debug_prop)
#imsrcsservice
-type ctl_vendor_imsrcsservice_prop, property_type;
+vendor_internal_prop(ctl_vendor_imsrcsservice_prop)
#time service
-type vendor_time_service_prop, property_type;
-type vendor_radio_prop, property_type;
+vendor_internal_prop(vendor_time_service_prop)
+vendor_restricted_prop(vendor_radio_prop)
# Audio props
-type vendor_audio_prop, property_type;
+vendor_internal_prop(vendor_audio_prop)
#ss-restart
-type vendor_ssr_prop, property_type;
+vendor_restricted_prop(vendor_ssr_prop)
#ss-services (PD)
-type vendor_pd_locater_dbg_prop, property_type;
+vendor_internal_prop(vendor_pd_locater_dbg_prop)
#qdcmss property
-type vendor_qdcmss_prop, property_type;
+vendor_internal_prop(vendor_qdcmss_prop)
# Wifi Softap
-type vendor_softap_prop, property_type;
+vendor_internal_prop(vendor_softap_prop)
#mm-parser
-type mm_parser_prop, property_type;
+vendor_internal_prop(mm_parser_prop)
#mm-video
-type mm_video_prop, property_type;
+vendor_internal_prop(mm_video_prop)
#rmt_storage
-type ctl_vendor_rmt_storage_prop, property_type;
+vendor_internal_prop(ctl_vendor_rmt_storage_prop)
# Wifi version recorder
-type vendor_wifi_version, property_type;
+vendor_internal_prop(vendor_wifi_version)
# CNSS-DIAG
-type vendor_cnss_diag_prop, property_type;
+vendor_internal_prop(vendor_cnss_diag_prop)
# diag mdlog
-type vendor_modem_diag_prop, property_type;
-
-# Ramdump properties
-type vendor_ramdump_prop, property_type;
+vendor_internal_prop(vendor_modem_diag_prop)
# vendor logging property
-type vendor_logging_prop, property_type;
+vendor_internal_prop(vendor_logging_prop)
+#Keymaster 4.1
+vendor_restricted_prop(vendor_km_strongbox_version_prop)
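Review bot: The conversion sorts each property into `vendor_internal_prop` or `vendor_restricted_prop` without stating the rule used to choose. One result looks inconsistent by name: `public_vendor_system_prop` becomes internal while `public_vendor_default_prop` becomes restricted. A header comment such as `# vendor_restricted_prop: readable outside /vendor, writable only by vendor; vendor_internal_prop: vendor-only` would help, together with a short reason on each restricted entry. That would let a reviewer check that no property is exposed more widely than its readers require.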
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index 68dc967..fb2da51 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -40,7 +40,6 @@ persist.vendor.bt.soc.scram_freqs u:object_r:vendor_bluetooth_prop
ro.vendor.audio.sdk.fluencetype u:object_r:vendor_audio_prop:s0
ro.vendor.ril. u:object_r:vendor_radio_prop:s0
-ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
# vendor display prop
vendor.gralloc.disable_ahardware_buffer u:object_r:vendor_display_prop:s0
@@ -52,7 +51,6 @@ vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s
vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0
ro.vendor.graphics.memory u:object_r:vendor_display_prop:s0
-vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
vendor.ims. u:object_r:qcom_ims_prop:s0
vendor.peripheral. u:object_r:vendor_per_mgr_state_prop:s0
vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
@@ -68,6 +66,7 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0
persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
+vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
ctl.vendor.rmt_storage u:object_r:ctl_vendor_rmt_storage_prop:s0
@@ -87,3 +86,6 @@ persist.vendor.data.shs_ko_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0
persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
+
+#keymaster strongbox service
+vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0
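Review bot: The new `vendor.keymaster.strongbox.version` entry carries no match-type suffix, so it is treated as a prefix match and any property whose name merely starts with that string also receives `vendor_km_strongbox_version_prop`. Since it names a single property, I would pin it, e.g. `vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0 exact int`, or `exact string` if the value is not numeric; the value's format is not visible in this diff. The `vendor.sys.ssr.` line added in the previous hunk ends in a dot and reads as an intentional prefix, so it needs no change.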
diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te
index 2bf0641..030cdc3 100644
--- a/vendor/qcom/common/qtelephony.te
+++ b/vendor/qcom/common/qtelephony.te
@@ -3,6 +3,7 @@ app_domain(qtelephony)
allow qtelephony app_api_service:service_manager find;
allow qtelephony hal_imsrtp_hwservice:hwservice_manager find;
+allow qtelephony hal_telephony_service:service_manager find;
allow qtelephony radio_service:service_manager find;
allow qtelephony sysfs_diag:dir search;
allow qtelephony sysfs_timestamp_switch:file r_file_perms;
diff --git a/vendor/qcom/common/qtidataservices_app.te b/vendor/qcom/common/qtidataservices_app.te
index 8f5af32..d3d6dbe 100644
--- a/vendor/qcom/common/qtidataservices_app.te
+++ b/vendor/qcom/common/qtidataservices_app.te
@@ -7,7 +7,7 @@ hwbinder_use(qtidataservices_app)
get_prop(qtidataservices_app, hwservicemanager_prop)
get_prop(qtidataservices_app, vendor_default_prop)
-set_prop(qtidataservices_app, exported_radio_prop)
+set_prop(qtidataservices_app, telephony_status_prop)
allow qtidataservices_app hal_datafactory_hwservice:hwservice_manager find;
allow qtidataservices_app hal_iwlan_hwservice:hwservice_manager find;
diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te
index 6450b8c..99c44a6 100644
--- a/vendor/qcom/common/rfs_access.te
+++ b/vendor/qcom/common/rfs_access.te
@@ -19,3 +19,5 @@ allow rfs_access self:qipcrtr_socket create_socket_perms_no_ioctl;
r_dir_file(rfs_access, vendor_firmware_file);
wakelock_use(rfs_access)
+
+dontaudit rfs_access self:capability { dac_override dac_read_search };
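Review bot: The added `dontaudit rfs_access self:capability { dac_override dac_read_search };` has no comment saying why the denial is expected. A dontaudit also removes the avc log line that would otherwise show the daemon attempting to bypass file permission checks. I would put a rationale and a tracking reference above it, e.g. `# denial is expected when rfs_access probes files it does not own (b/<bug-id>)`, with the real reason substituted, since that wording is a guess. The same applies to `dontaudit hal_secure_element_default debugfs_ipc:dir search;` in the new vendor/st/hal_secure_element_default.te, which has no comments at all.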
diff --git a/vendor/qcom/common/rmt_storage.te b/vendor/qcom/common/rmt_storage.te
index 3a3a7ce..ec4dd5a 100644
--- a/vendor/qcom/common/rmt_storage.te
+++ b/vendor/qcom/common/rmt_storage.te
@@ -6,7 +6,7 @@ init_daemon_domain(rmt_storage)
wakelock_use(rmt_storage)
-get_prop(rmt_storage, exported3_radio_prop)
+get_prop(rmt_storage, radio_control_prop)
get_prop(rmt_storage, vendor_modem_prop)
r_dir_file(rmt_storage, sysfs_uio)
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index a0c9524..c772f16 100644
--- a/vendor/qcom/common/seapp_contexts
+++ b/vendor/qcom/common/seapp_contexts
@@ -1,11 +1,11 @@
#TODO(b/126137625): moving dataservice app from system to radio process
#user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file
-user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file
+user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file levelFrom=user
# Hardware Info Collection
-user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all
user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all
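Review bot: The `com.google.android.hardwareinfo` entry swaps `seinfo=platform` for `isPrivApp=true`, so the `hardware_info_app` domain is now assigned by package name plus priv-app status rather than by the platform signing certificate. If the app only moved to a different signing key, a `seinfo=` value for that key would keep a signature condition on the selector; the keys in use are not visible in this hunk. Either way, a comment above the line saying why the seinfo condition was dropped would help, because nothing in the file explains it.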
@@ -24,10 +24,16 @@ user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camer
user=_app seinfo=googlepulse name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
#Needed for time service apk
-user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all
#Add new domain for ims app
user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelephony type=app_data_file levelFrom=all
#Add DeviceInfoHidlClient to vendor_qtelephony
user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=qtelephony type=app_data_file levelFrom=all
+
+# QtiTelephonyService app
+user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all
+
+#Add ExtTelephonyService to vendor_qtelephony
+user=_app seinfo=platform name=com.qti.phone domain=qtelephony type=app_data_file levelFrom=all
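Review bot: Both new entries place a package in `qtelephony` on `seinfo=platform` alone, whereas the `org.codeaurora.ims` entry above also requires `isPrivApp=true`. If these two apps ship in priv-app, adding the same condition narrows the match. The comment `#Add ExtTelephonyService to vendor_qtelephony` also names a domain that does not appear in the entry, which uses `domain=qtelephony`; `# ExtTelephonyService runs in the qtelephony domain` would match the line it describes.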
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 01032b7..5f57a89 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -49,3 +49,6 @@ dontaudit sensors sysfs_faceauth:file r_file_perms;
# Access to wakelock sysfs
wakelock_use(sensors)
+
+allow sensors sensors_vendor_data_file:dir rw_dir_perms;
+allow sensors sensors_vendor_data_file:file create_file_perms;
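Review bot: The two new `sensors_vendor_data_file` rules have no comment, unlike the wakelock rule above them, and `create_file_perms` together with `rw_dir_perms` lets the sensors domain create, rename and unlink files under that label. A line such as `# sensors daemon creates and maintains its own files under sensors_vendor_data_file` would record the intent. If the daemon only reads and updates existing files, `rw_file_perms` on the file class would be the narrower grant; what the daemon actually does is not visible from this hunk.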
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index c2ea2f6..310c5a0 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,3 +4,4 @@ type imsrcs_service, service_manager_type;
type improve_touch_service, service_manager_type;
type gba_auth_service, service_manager_type;
type qtitetherservice_service, service_manager_type;
+type hal_telephony_service, service_manager_type, vendor_service, protected_service;
\ No newline at end of file
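Review bot: The added `type hal_telephony_service, ...;` line leaves service.te without a trailing newline, as the `\ No newline at end of file` marker shows. Policy sources are concatenated before compilation, so a file that ends mid-line can run into the first line of the next file. Here the statement ends in `;`, which limits the damage, but ending the file with a newline avoids depending on that.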
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
new file mode 100644
index 0000000..c11263b
--- /dev/null
+++ b/vendor/qcom/common/service_contexts
@@ -0,0 +1,3 @@
+vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0
diff --git a/vendor/qcom/common/vendor_init.te b/vendor/qcom/common/vendor_init.te
index f2fea36..e543bbf 100644
--- a/vendor/qcom/common/vendor_init.te
+++ b/vendor/qcom/common/vendor_init.te
@@ -1,5 +1,8 @@
userdebug_or_eng(`
# Allow vendor_init to write to /proc/sysrq-trigger on userdebug and eng builds
allow vendor_init proc_sysrq:file w_file_perms;
+
+ # Allow vendor_init to write to /sys/kernel/debug/google_charger
+ allow vendor_init debugfs_batteryinfo:file write;
')
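Review bot: The new rule grants bare `write` on `debugfs_batteryinfo:file`, while the sysrq rule just above uses `w_file_perms`. `write` alone does not include `open`, so unless another rule already gives vendor_init `open` on this type, the write would still be denied. If so, `allow vendor_init debugfs_batteryinfo:file w_file_perms;` matches the line above. The comment names `/sys/kernel/debug/google_charger`, but the rule that labels that path as `debugfs_batteryinfo` is outside this hunk, so it is worth confirming against genfs_contexts.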
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
new file mode 100644
index 0000000..eddf11d
--- /dev/null
+++ b/vendor/st/file_contexts
@@ -0,0 +1,15 @@
+###################################
+# vendor binaries
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service\.st u:object_r:hal_secure_element_default_exec:s0
+
+
+###################################
+# dev nodes
+/dev/st54j_se u:object_r:secure_element_device:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+
+###################################
+# data files
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+
diff --git a/vendor/st/hal_nfc_default.te b/vendor/st/hal_nfc_default.te
new file mode 100644
index 0000000..5f0c7f6
--- /dev/null
+++ b/vendor/st/hal_nfc_default.te
@@ -0,0 +1,9 @@
+# NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
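Review bot: `set_prop(hal_nfc_default, vendor_modem_prop)` gives the NFC HAL write access to the modem property type, and the comment `# Modem property` does not say why. The secure element HAL added in the same commit gets only `get_prop` on that type. If the NFC HAL only reads modem state, `get_prop(hal_nfc_default, vendor_modem_prop)` is the narrower grant. If it does need to write, the comment should name the property it sets, e.g. `# NFC HAL sets <property-name> to signal the modem`.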
diff --git a/vendor/st/hal_secure_element_default.te b/vendor/st/hal_secure_element_default.te
new file mode 100644
index 0000000..1c127ea
--- /dev/null
+++ b/vendor/st/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+dontaudit hal_secure_element_default debugfs_ipc:dir search;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+get_prop(hal_secure_element_default, vendor_modem_prop)
+
diff --git a/vendor/st/property.te b/vendor/st/property.te
new file mode 100644
index 0000000..723121a
--- /dev/null
+++ b/vendor/st/property.te
@@ -0,0 +1,2 @@
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
diff --git a/vendor/st/property_contexts b/vendor/st/property_contexts
new file mode 100644
index 0000000..c6cd8a4
--- /dev/null
+++ b/vendor/st/property_contexts
@@ -0,0 +1,6 @@
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
diff --git a/vendor/st/vendor_init.te b/vendor/st/vendor_init.te
new file mode 100644
index 0000000..7de90e2
--- /dev/null
+++ b/vendor/st/vendor_init.te
@@ -0,0 +1,2 @@
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)