author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-10 06:53:06 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-05-10 06:53:06 +0000 |
commit | bb0385357e291ee497821c6916d6c350ef7613b3 (patch) | |
tree | 8368e24c77e5cc642648107fd1737a78b2c010be | |
parent | 216fcd65c7be58344bacd7b6a3c9c6d72e724c32 (diff) | |
parent | 05a1b76da9b95260b0fc9583b6ad797016836fef (diff) | |
Snap for 8564071 from 05a1b76da9b95260b0fc9583b6ad797016836fef to mainline-sdkext-release
Change-Id: Ib69aec2d57986eaa43bf6931802e96474c366f30
103 files changed, 596 insertions, 379 deletions
@@ -1,13 +1,3 @@ -adamshih@google.com -alanstokes@google.com -bowgotsai@google.com -jbires@google.com -jeffv@google.com -jgalenson@google.com -jiyong@google.com -nnk@google.com +include platform/system/sepolicy:/OWNERS + rurumihong@google.com -smoreland@google.com -sspatil@google.com -tomcherry@google.com -trong@google.com diff --git a/PREUPLOAD.cfg b/PREUPLOAD.cfg new file mode 100644 index 0000000..3591c7f --- /dev/null +++ b/PREUPLOAD.cfg @@ -0,0 +1,3 @@ +[Hook Scripts] +aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "." + diff --git a/private/seapp_contexts b/private/seapp_contexts index 57a99de..045e114 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts @@ -1,2 +1,17 @@ # Domain for WfcActivation app user=_app seinfo=wfcactivation name=com.google.android.wfcactivation domain=wfc_activation_app levelFrom=all + +# Domain for vzw omadm trigger +user=_app isPrivApp=true seinfo=platform name=com.google.omadm.trigger domain=vzw_omadm_trigger type=app_data_file levelFrom=all + +# Domain for vzw omadm connmo +user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.connmo domain=vzw_omadm_connmo type=app_data_file levelFrom=all + +# Domain for vzw omadm dcmo +user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.dcmo domain=vzw_omadm_dcmo type=app_data_file levelFrom=all + +# Domain for vzw omadm diagmon +user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.diagmon domain=vzw_omadm_diagmon type=app_data_file levelFrom=all + +# Domain for uscc omadm +user=_app isPrivApp=true seinfo=platform name=com.android.sdm.plugins.usccdm domain=uscc_omadm type=app_data_file levelFrom=all diff --git a/private/toolbox.te b/private/toolbox.te new file mode 100644 index 0000000..ea841ad --- /dev/null +++ b/private/toolbox.te 
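Review bot: The five new OMADM entries in private/seapp_contexts label the apps' data as `type=app_data_file` even though they are `isPrivApp=true`; as far as I recall the AOSP priv_app entry uses `privapp_data_file` for privileged apps, so unless these carrier plugins need the ordinary label, `type=privapp_data_file` would keep their data distinguishable from untrusted-app data to the rest of the policy. Gating each entry on `seinfo=platform` is the right control, since only a platform-signed package with that name can enter the domain. A one-line comment above the block naming the partition these plugins ship on (presumably system_ext or product; confirm) would help, because the matching domains are declared as `coredomain` in private/.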
@@ -0,0 +1,6 @@
+# b/191834767
+dontaudit toolbox virtualizationservice_data_file:dir getattr;
+# b/193365943
+dontaudit toolbox toolbox:capability dac_read_search;
+dontaudit toolbox toolbox:capability dac_override;
+dontaudit toolbox toolbox:capability fowner;
diff --git a/private/uscc_omadm.te b/private/uscc_omadm.te
new file mode 100644
index 0000000..b53d66c
--- /dev/null
+++ b/private/uscc_omadm.te
@@ -0,0 +1,9 @@
+type uscc_omadm, domain, coredomain;
+
+app_domain(uscc_omadm)
+net_domain(uscc_omadm)
+
+# Services
+allow uscc_omadm app_api_service:service_manager find;
+allow uscc_omadm qchook_service:service_manager find;
+allow uscc_omadm radio_service:service_manager find;
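Review bot: The three capability dontaudits in private/toolbox.te silence `dac_override`, `dac_read_search` and `fowner` denials for toolbox without recording which command or path triggers them, so a later reader cannot tell a harmless probe from a real policy gap. A bug number alone is thin justification for hiding a capability as broad as `dac_override`; add a comment above the rules along the lines of `# toolbox stats/lists paths it does not own from init scripts; the denial is expected and harmless, see b/193365943`, filled in with the actual trigger from the bug. If the access turns out to be needed, the fix is an allow rule, not a dontaudit.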
\ No newline at end of file
diff --git a/private/vzw_omadm_connmo.te b/private/vzw_omadm_connmo.te
new file mode 100644
index 0000000..dda0dc8
--- /dev/null
+++ b/private/vzw_omadm_connmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_connmo, domain, coredomain;
+
+app_domain(vzw_omadm_connmo)
+net_domain(vzw_omadm_connmo)
+
+# Services
+allow vzw_omadm_connmo app_api_service:service_manager find;
+allow vzw_omadm_connmo qchook_service:service_manager find;
+allow vzw_omadm_connmo radio_service:service_manager find;
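Review bot: private/vzw_omadm_connmo.te is the same policy as uscc_omadm.te and the other three vzw_omadm_* files apart from the domain name, and every one of them is missing its trailing newline (`\ No newline at end of file`). A small m4 macro in the same directory that takes the domain name and expands to the type declaration, `app_domain`, `net_domain` and the three `service_manager find` rules would keep the five domains from drifting apart as rules are added, and each .te file would shrink to one line. `qchook_service` looks like a vendor-defined service type; confirm it is declared somewhere visible to this private/ policy, or the build will fail on the undeclared type.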
\ No newline at end of file
diff --git a/private/vzw_omadm_dcmo.te b/private/vzw_omadm_dcmo.te
new file mode 100644
index 0000000..8a27ef3
--- /dev/null
+++ b/private/vzw_omadm_dcmo.te
@@ -0,0 +1,9 @@
+type vzw_omadm_dcmo, domain, coredomain;
+
+app_domain(vzw_omadm_dcmo)
+net_domain(vzw_omadm_dcmo)
+
+# Services
+allow vzw_omadm_dcmo app_api_service:service_manager find;
+allow vzw_omadm_dcmo qchook_service:service_manager find;
+allow vzw_omadm_dcmo radio_service:service_manager find;
\ No newline at end of file
diff --git a/private/vzw_omadm_diagmon.te b/private/vzw_omadm_diagmon.te
new file mode 100644
index 0000000..5c2bb4b
--- /dev/null
+++ b/private/vzw_omadm_diagmon.te
@@ -0,0 +1,9 @@
+type vzw_omadm_diagmon, domain, coredomain;
+
+app_domain(vzw_omadm_diagmon)
+net_domain(vzw_omadm_diagmon)
+
+# Services
+allow vzw_omadm_diagmon app_api_service:service_manager find;
+allow vzw_omadm_diagmon qchook_service:service_manager find;
+allow vzw_omadm_diagmon radio_service:service_manager find;
\ No newline at end of file
diff --git a/private/vzw_omadm_trigger.te b/private/vzw_omadm_trigger.te
new file mode 100644
index 0000000..aea7a93
--- /dev/null
+++ b/private/vzw_omadm_trigger.te
@@ -0,0 +1,9 @@
+type vzw_omadm_trigger, domain, coredomain;
+
+app_domain(vzw_omadm_trigger)
+net_domain(vzw_omadm_trigger)
+
+# Services
+allow vzw_omadm_trigger app_api_service:service_manager find;
+allow vzw_omadm_trigger qchook_service:service_manager find;
+allow vzw_omadm_trigger radio_service:service_manager find;
\ No newline at end of file diff --git a/public/property.te b/public/property.te index 1441642..b5b87f1 100644 --- a/public/property.te +++ b/public/property.te @@ -1,2 +1,2 @@ -type persist_dpm_prop, property_type; -type vendor_bt_prop, property_type; +vendor_internal_prop(persist_dpm_prop) +vendor_internal_prop(vendor_bt_prop) diff --git a/sunfish-sepolicy.mk b/sunfish-sepolicy.mk index 8fdaeaa..de0abea 100644 --- a/sunfish-sepolicy.mk +++ b/sunfish-sepolicy.mk @@ -9,5 +9,8 @@ BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/tracking_denials BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/st BOARD_SEPOLICY_DIRS += device/google/sunfish-sepolicy/vendor/verizon +# system_ext +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/sunfish-sepolicy/system_ext/private + # Pixel-wide sepolicy -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_sniffer +BOARD_VENDOR_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te new file mode 100644 index 0000000..10d6bba --- /dev/null +++ b/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# allow systemui to set boot animation colors +set_prop(platform_app, bootanim_system_prop); diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts new file mode 100644 index 0000000..abcdd41 --- /dev/null +++ b/system_ext/private/property_contexts @@ -0,0 +1,5 @@ +# Boot animation dynamic colors +persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int +persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te new file mode 100644 index 0000000..79a8d61 --- /dev/null +++ b/tracking_denials/incidentd.te 
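Review bot: The comment `# allow systemui to set boot animation colors` in system_ext/private/platform_app.te undersells the grant: `set_prop(platform_app, bootanim_system_prop)` lets every process in the platform_app domain, not only SystemUI, write the four `persist.bootanim.color*` properties declared in the sibling property_contexts. That is likely acceptable because the properties are typed `exact int` and only feed the boot animation, but the comment should say so, e.g. `# Allow platform_app (SystemUI runs in this domain) to set persist.bootanim.color[1-4]; values are constrained to int by property_contexts`. If the platform's own property_contexts already declares these properties for this release, the device-side copy is redundant and worth removing; confirm against system/sepolicy.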
@@ -0,0 +1,2 @@
+# b/187253611
+dontaudit incidentd apex_info_file:file getattr;
diff --git a/tracking_denials/netmgrd.te b/tracking_denials/netmgrd.te
new file mode 100644
index 0000000..b7cb0fe
--- /dev/null
+++ b/tracking_denials/netmgrd.te
@@ -0,0 +1,2 @@
+# b/183070459
+dontaudit netmgrd vendor_default_prop:property_service set;
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 0000000..df7e700
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,2 @@
+# b/162700611
+dontaudit platform_app default_android_hwservice:hwservice_manager find;
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 0000000..40928c9
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,3 @@
+# b/177624282
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
diff --git a/vendor/google/bug_map b/vendor/google/bug_map
index ab656e7..acb3f80 100644
--- a/vendor/google/bug_map
+++ b/vendor/google/bug_map
@@ -1,3 +1,15 @@
+cnd wifi_hal_prop file b/162700455
+google_camera_app selinuxfs file b/175910397
 hal_health_default unlabeled file b/156200409
-tee tee capability2 156045688
-platform_app default_android_hwservice hwservice_manager 156059972
+hal_neuralnetworks_default default_prop file b/159570217
+hal_vibrator_default default_prop file b/162700134
+init_qti_chg_policy sysfs_charge file b/162702119
+pixelstats_vendor sysfs file b/161875858
+platform_app default_android_hwservice hwservice_manager b/156059972
+shell debugfs file b/175106535
+shell device_config_runtime_native_boot_prop file b/175106535
+shell sysfs file b/175106535
+tee tee capability2 b/156045688
+mediaswcodec gpu_device chr_file b/194313013
+mediaswcodec sysfs_msm_subsys dir b/194313013
+mediaserver sysfs_msm_subsys dir b/194313013
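Review bot: The new tracking_denials/platform_app.te suppresses `platform_app default_android_hwservice:hwservice_manager find` under b/162700611, while the bug_map change in the same commit maps exactly that denial to b/156059972 (re-adding the old unprefixed `156059972` entry with a `b/` prefix). Two bug IDs for one denial will confuse whoever triages it; reference the same bug in both files, or drop the bug_map line now that the dontaudit means this denial will no longer show up in logs to be mapped.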
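Review bot: tracking_denials/surfaceflinger.te contains the same rule twice, `dontaudit surfaceflinger hal_graphics_composer_default:dir search ;`; checkpolicy will accept the duplicate, but it reads like a copy-paste slip and the intended second rule (a different class or target from the bug's denial list) may be missing. Remove one copy, and drop the stray space before the `;` so the file matches the other tracking_denials entries.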
diff --git a/vendor/google/citadel_provision.te b/vendor/google/citadel_provision.te
deleted file mode 100644
index f707efd..0000000
--- a/vendor/google/citadel_provision.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type citadel_provision, domain;
-type citadel_provision_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(citadel_provision)
\ No newline at end of file diff --git a/vendor/google/citadeld.te b/vendor/google/citadeld.te index b31619d..d9e4a50 100644 --- a/vendor/google/citadeld.te +++ b/vendor/google/citadeld.te @@ -1,21 +1,3 @@ -type citadeld, domain; -type citadeld_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(citadeld) - -vndbinder_use(citadeld) -add_service(citadeld, citadeld_service) - -allow citadeld citadel_device:chr_file rw_file_perms; - -allow citadeld hal_power_stats_default:binder { call transfer }; -allow citadeld power_stats_service:service_manager find; - -# Let citadeld find and use statsd. -hwbinder_use(citadeld) -get_prop(citadeld, hwservicemanager_prop) -allow citadeld fwk_stats_hwservice:hwservice_manager find; -binder_call(citadeld, stats_service_server) - userdebug_or_eng(` allow citadeld debugfs_ipc:dir search; ') diff --git a/vendor/google/device.te b/vendor/google/device.te index 39eef55..db58020 100644 --- a/vendor/google/device.te +++ b/vendor/google/device.te @@ -1,8 +1,8 @@ type abc_tpu_device, dev_type; -type citadel_device, dev_type; type ipu_device, dev_type, mlstrustedobject; type ramoops_device, dev_type; type maxfg_device, dev_type; type pwrstats_device, dev_type; type dp_block_device, dev_type; type qg_device, dev_type; +type battery_history_device, dev_type; diff --git a/vendor/google/device_drop_monitor.te b/vendor/google/device_drop_monitor.te index 3f680f4..8c0c0b7 100644 --- a/vendor/google/device_drop_monitor.te +++ b/vendor/google/device_drop_monitor.te @@ -1,4 +1,4 @@ -type device_drop_monitor, domain; +type device_drop_monitor, domain, coredomain; userdebug_or_eng(` app_domain(device_drop_monitor) 
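Review bot: After this change vendor/google/citadeld.te no longer declares `citadeld` or `citadeld_exec`, yet it keeps `allow citadeld debugfs_ipc:dir search;` inside `userdebug_or_eng`; that rule only compiles if the `citadeld` type is now declared in another policy directory, and nothing visible in this commit adds one (the .mk change adds hardware/google/pixel-sepolicy/powerstats, not a citadel directory). A comment such as `# The citadeld domain is declared in the shared Pixel citadel policy; only the debug-only debugfs access is device-specific` would make that dependency explicit. The same applies to `citadel_device`, which is removed from device.te and file_contexts here while fastbootd.te starts using it.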
@@ -7,7 +7,9 @@ userdebug_or_eng(` allow device_drop_monitor fwk_stats_hwservice:hwservice_manager find; allow device_drop_monitor sysfs_msm_subsys:dir search; allow device_drop_monitor sysfs_msm_subsys:file r_file_perms; + allow device_drop_monitor fwk_stats_service:service_manager find; binder_call(device_drop_monitor, gpuservice); binder_call(device_drop_monitor, stats_service_server); + binder_use(device_drop_monitor) ') diff --git a/vendor/google/dumpstate.te b/vendor/google/dumpstate.te index 19d87ef..2869937 100644 --- a/vendor/google/dumpstate.te +++ b/vendor/google/dumpstate.te @@ -5,6 +5,7 @@ dump_hal(hal_power_stats) userdebug_or_eng(` allow dumpstate debugfs_dma_buf:file r_file_perms; + allow dumpstate media_rw_data_file:file append; ') # For collecting bugreports. diff --git a/vendor/google/fastbootd.te b/vendor/google/fastbootd.te index 996a114..9b54250 100644 --- a/vendor/google/fastbootd.te +++ b/vendor/google/fastbootd.te @@ -6,4 +6,5 @@ recovery_only(` allow fastbootd modem_block_device:blk_file getattr; allow fastbootd sysfs_scsi_devices_0000:dir r_dir_perms; allow fastbootd sg_device:chr_file rw_file_perms; + allow fastbootd citadel_device:chr_file rw_file_perms; ') diff --git a/vendor/google/file.te b/vendor/google/file.te index fd2bd46..633643c 100644 --- a/vendor/google/file.te +++ b/vendor/google/file.te @@ -9,11 +9,9 @@ type debugfs_batteryinfo, debugfs_type, fs_type; type sysfs_chargelevel, sysfs_type, fs_type; type sysfs_display, sysfs_type, fs_type; type sysfs_touch, sysfs_type, fs_type; -type sysfs_power_stats, sysfs_type, fs_type; type sysfs_power_stats_ignore, sysfs_type, fs_type; type sysfs_poweroff, sysfs_type, fs_type; type sysfs_msm_boardid, fs_type, sysfs_type; -type sysfs_iio_devices, fs_type, sysfs_type; type sysfs_pixelstats, fs_type, sysfs_type; type sysfs_wlc, sysfs_type, fs_type; type sysfs_pstore, sysfs_type, fs_type; 
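Review bot: `allow fastbootd citadel_device:chr_file rw_file_perms;` in vendor/google/fastbootd.te gives the fastboot daemon direct read/write on the citadel secure-element device node with no comment on why. Keeping it inside `recovery_only` confines it to the recovery image, which is the right scope, but the purpose (presumably citadel firmware update or re-provisioning during flashing; confirm) should be recorded so the rule is not later copied into the normal-boot policy: `# recovery-only: fastbootd talks to the citadel secure element during flashing`.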
@@ -25,16 +23,17 @@ type sysfs_esim, sysfs_type, fs_type; type debugfs_usb, debugfs_type, fs_type; type mediadrm_vendor_data_file, file_type, data_file_type; type diag_socket, file_type, mlstrustedobject; -type ese_vendor_data_file, file_type, data_file_type; type debugfs_dma_buf, debugfs_type, fs_type; type debugfs_clk, debugfs_type, fs_type; type debugfs_pmic, debugfs_type, fs_type; type sysfs_contaminant, sysfs_type, fs_type; type hal_neuralnetworks_darwinn_hal_camera_data_file, file_type, data_file_type; -type hal_rebootescrow_citadel_data_file, file_type, data_file_type; type sysfs_knowles_info, fs_type, sysfs_type; type sysfs_fingerprint, sysfs_type, fs_type; type per_boot_file, file_type, data_file_type, core_data_file_type; +type proc_sched_lib_mask_cpuinfo, proc_type, fs_type; +type sysfs_limit_power_transfer, sysfs_type, fs_type; +type sysfs_typec_info, sysfs_type, fs_type; # Dumpstates bootloader logs type proc_bldrlog, fs_type, proc_type; @@ -48,5 +47,6 @@ type debugfs_ipa_data_stall_detection, debugfs_type, fs_type; # Incremental file system driver type vendor_incremental_module, vendor_file_type, file_type; -# RamdumpFS -allow ramdump_vendor_mnt_file self:filesystem associate; +# Firmware mount +type firmware_file, file_type, contextmount_type, vendor_file_type; +allow firmware_file self:filesystem associate; diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts index 1e80b98..0030286 100644 --- a/vendor/google/file_contexts +++ b/vendor/google/file_contexts @@ -3,7 +3,6 @@ /dev/access-metadata u:object_r:ramoops_device:s0 /dev/access-ramoops u:object_r:ramoops_device:s0 /dev/block/zram0 u:object_r:swap_block_device:s0 -/dev/citadel0 u:object_r:citadel_device:s0 /dev/ipu u:object_r:ipu_device:s0 /dev/maxfg_history u:object_r:maxfg_device:s0 /dev/iaxxx-module-celldrv u:object_r:pwrstats_device:s0 
@@ -13,35 +12,26 @@ # system binaries /system/bin/hw/hardware\.google\.pixelstats@1\.0-service u:object_r:pixelstats_system_exec:s0 /vendor/bin/easelmanagerd u:object_r:easel_exec:s0 -/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 +/dev/battery_history u:object_r:battery_history_device:s0 # vendor binaries -/vendor/bin/hw/android\.hardware\.atrace@1\.0-service.pixel u:object_r:hal_atrace_default_exec:s0 -/vendor/bin/hw/android\.hardware\.camera\.provider@2\.6-service-google u:object_r:hal_camera_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub@1\.1-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.sunfish u:object_r:hal_dumpstate_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.keymaster@4\.1-service\.citadel u:object_r:hal_keymaster_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.0-service-paintbox u:object_r:hal_neuralnetworks_paintbox_exec:s0 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha u:object_r:hal_neuralnetworks_darwinn_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0 -/vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel u:object_r:hal_rebootescrow_citadel_exec:s0 -/vendor/bin/hw/android\.hardware\.usb@1\.2-service\.sunfish u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service\.sunfish u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service\.sunfish u:object_r:hal_usb_gadget_impl_exec:s0 /vendor/bin/hw/android\.hardware\.vibrator@1\.3-service\.sunfish 
u:object_r:hal_vibrator_default_exec:s0 -/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 -/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 -/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 -/vendor/bin/hw/citadel_updater u:object_r:citadel_updater_exec:s0 -/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0 /vendor/bin/hw/hardware\.google\.light@1\.1-service u:object_r:hal_light_default_exec:s0 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 -/vendor/bin/hw/wait_for_strongbox u:object_r:wait_for_strongbox_exec:s0 /vendor/bin/color_init u:object_r:color_init_exec:s0 /vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0 /vendor/bin/modem_svc u:object_r:modem_svc_exec:s0 /vendor/bin/ramoops u:object_r:ramoops_exec:s0 -/vendor/bin/ramdump u:object_r:ramdump_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/hw/vendor\.google\.wifi_ext@1\.0-service-vendor-lazy u:object_r:hal_wifi_ext_exec:s0 /vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 
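Review bot: `/dev/battery_history u:object_r:battery_history_device:s0` is added under the `# system binaries` heading, between `/vendor/bin/easelmanagerd` and `# vendor binaries`, which is the wrong section of file_contexts; move it up next to the other `/dev/` nodes (after `/dev/maxfg_history`) so the file stays grouped by path. Labeling is unaffected since these literal paths do not overlap, so this is tidiness only.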
@@ -52,6 +42,12 @@ /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/init\.qti\.chg_policy\.sh u:object_r:init_qti_chg_policy_exec:s0 /vendor/bin/hw/android\.hardware\.graphics\.composer@2\.4-service-sm8150 u:object_r:hal_graphics_composer_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub@1\.[0-9]-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.usb@1\.[0-9]-service\.sunfish u:object_r:hal_usb_impl_exec:s0 + +# Vendor firmware +/vendor/firmware_mnt(/.*)? u:object_r:firmware_file:s0 /mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 /mnt/vendor/persist/haptics(/.*)? u:object_r:persist_haptics_file:s0 
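Review bot: The new range entry `/vendor/bin/hw/android\.hardware\.contexthub@1\.[0-9]-service\.generic` makes the explicit `@1\.2-service\.generic` line added earlier in this file redundant, while for USB the commit did the opposite and replaced the explicit `@1\.2` entry with the range; pick one convention for both HALs. Both contexthub patterns resolve to `hal_contexthub_default_exec`, so this is tidiness rather than a labeling bug. The `/vendor/firmware_mnt(/.*)?` entry only matters if the mount is not already given a `context=` option, since `firmware_file` is declared as a `contextmount_type` in this commit; a short comment saying which case applies would help.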
@@ -65,11 +61,62 @@ /data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_vendor_data_file:s0 /data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)? u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0 -/data/vendor/rebootescrow(/.*)? u:object_r:hal_rebootescrow_citadel_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 # dev socket node /dev/socket/diag_router u:object_r:diag_socket:s0 -#vendor_kernel_modules -/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 +# vendor_kernel_modules +/vendor/lib/modules/adsp_loader_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/apr_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/atomic64_test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/bolero_cdc_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/br_netfilter\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/gspca_main\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/hdmi_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/lcd\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/lkdtm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/llcc_perfmon\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/machine_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/mbhc_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/mmc_test\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/mpq-adapter\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/mpq-dmx-hw-plugin\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/msm_11ad_proxy\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/msm-geni-ir\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/native_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/pinctrl_lpi_dlkm\.ko u:object_r:vendor_kernel_modules:s0 
+/vendor/lib/modules/pinctrl_wcd_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/platform_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/q6_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/q6_notifier_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/q6_pdr_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/rdbg\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/rx_macro_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/snd_event_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/stub_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/swr_ctrl_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/swr_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/test_user_copy\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/torture\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/tx_macro_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/usf_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/va_macro_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd934x_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd937x_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd937x_slave_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd9xxx_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd_core_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wcd_spi_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wglink_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wil6210\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wlan\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wsa881x_dlkm\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/wsa_macro_dlkm\.ko u:object_r:vendor_kernel_modules:s0 
+/vendor/lib/modules/heatmap\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/ftm5\.ko u:object_r:vendor_kernel_modules:s0 +/vendor/lib/modules/drv2624\.ko u:object_r:vendor_kernel_modules:s0 + +# Vendor libs that are exposed to apps (those listed in /vendor/etc/public.libraries.txt +# and their dependencies) +/vendor/lib(64)?/vendor\.qti\.hardware\.dsp@1\.0\.so u:object_r:same_process_hal_file:s0 diff --git a/vendor/google/genfs_contexts b/vendor/google/genfs_contexts index a1866b7..de173a2 100644 --- a/vendor/google/genfs_contexts +++ b/vendor/google/genfs_contexts @@ -14,7 +14,6 @@ genfscon sysfs /devices/platform/soc/1d84000.ufshc/device_descriptor u:o genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 genfscon proc /irq u:object_r:proc_irq:s0 -genfscon sysfs /bus/iio/devices u:object_r:sysfs_iio_devices:s0 # Touch genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-1/1-0049 u:object_r:sysfs_touch:s0 @@ -40,6 +39,8 @@ genfscon proc /sys/kernel/sched_upmigrate genfscon proc /sys/kernel/sched_downmigrate u:object_r:proc_sched_updown_migrate:s0 genfscon proc /sys/kernel/sched_upmigrate_boosted u:object_r:proc_sched_updown_migrate:s0 genfscon proc /sys/kernel/sched_downmigrate_boosted u:object_r:proc_sched_updown_migrate:s0 +genfscon proc /sys/kernel/sched_lib_name u:object_r:proc_sched_lib_mask_cpuinfo:s0 +genfscon proc /sys/kernel/sched_lib_mask_force u:object_r:proc_sched_lib_mask_cpuinfo:s0 # PowerStatsHal genfscon sysfs /power/system_sleep/stats u:object_r:sysfs_power_stats:s0 
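Review bot: Replacing the `/vendor/lib/modules/.*\.ko` wildcard with an explicit allowlist is a sound hardening, since an unlisted module will presumably fall back to the default vendor label and fail to load under the `vendor_kernel_modules` rules, but the list itself includes kernel self-test and fault-injection modules: `lkdtm.ko` (which crashes the kernel on demand), `test_user_copy.ko`, `torture.ko`, `atomic64_test.ko` and `mmc_test.ko`. If those exist only in debug kernels they should not be labeled in the shipping policy; if they actually ship in user builds, that is the finding to raise with the kernel team. A header comment such as `# Every module shipped in /vendor/lib/modules must be listed here; unlisted .ko files will not be loadable` would make the allowlist intent clear to the next person adding a driver.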
@@ -49,8 +50,11 @@ genfscon sysfs /devices/platform/soc/soc:abc-sm/state_stats u:object_r:sysfs_power_stats:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0010/iio:device2 u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/soc/888000.i2c/i2c-0/0-0008/power_stats u:object_r:sysfs_power_stats:s0 # Not used by PowerStatsHal +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:vadc@3100/iio:device0 +u:object_r:sysfs_power_stats_ignore:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1 u:object_r:sysfs_power_stats_ignore:s0 @@ -76,6 +80,9 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.q genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:google,bms/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0050/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/usb_limit_sink_current u:object_r:sysfs_limit_power_transfer:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/usb_limit_sink_enable u:object_r:sysfs_limit_power_transfer:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/usb_limit_source_enable u:object_r:sysfs_limit_power_transfer:s0 genfscon sysfs /class/qcom-battery u:object_r:sysfs_batteryinfo:s0 genfscon debugfs /logbuffer/ssoc u:object_r:debugfs_batteryinfo:s0 genfscon debugfs /logbuffer/ttf u:object_r:debugfs_batteryinfo:s0 
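Review bot: The new entry for `…pm6150@0:vadc@3100/iio:device0` appears split across two added lines, with `u:object_r:sysfs_power_stats_ignore:s0` on a line of its own, unlike the neighbouring `iio:device1` entry; checkpolicy tokenises on whitespace so it will probably still parse, but it should be written as a single line like its neighbour so grep-based tooling and reviewers see a complete genfscon statement. If the split is only an artefact of how this page was rendered, disregard.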
@@ -83,6 +90,19 @@ genfscon debugfs /google_charger genfscon debugfs /google_battery u:object_r:debugfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/soc:google,charger/charge_start_level u:object_r:sysfs_chargelevel:s0 genfscon sysfs /devices/platform/soc/soc:google,charger/charge_stop_level u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_drainto_soc u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_recharge_soc u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_recharge_voltage u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_resume_abs_temp u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_resume_soc u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_resume_temp u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_resume_time u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_temp u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_time u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_trigger_voltage u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_temp_enable u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_temp_dry_run u:object_r:sysfs_chargelevel:s0 +genfscon sysfs /devices/platform/soc/soc:google,charger/bd_clear u:object_r:sysfs_chargelevel:s0 # Pixelstats genfscon sysfs /devices/platform/soc/soc:google,overheat_mitigation u:object_r:sysfs_pixelstats:s0 
@@ -92,6 +112,9 @@ genfscon sysfs /devices/platform/codec_detect/codec_state u:object_ genfscon sysfs /devices/platform/codec_detect/wdsp_stat u:object_r:sysfs_pixelstats:s0 genfscon sysfs /devices/platform/codec_detect/headset_codec_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/typec/port0/port0-partner/identity/id_header u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/typec/port0/port0-partner/identity/product u:object_r:sysfs_pixelstats:s0 + # Audio Dsp for HardwareInfo genfscon sysfs /devices/platform/codec_detect/hwinfo_part_number u:object_r:sysfs_audio:s0 @@ -104,6 +127,7 @@ genfscon debugfs /tcpm/usbpd0 u:object_r:debugfs_usb:s0 genfscon debugfs /logbuffer/usbpd u:object_r:debugfs_usb:s0 genfscon debugfs /logbuffer/smblib u:object_r:debugfs_usb:s0 genfscon debugfs /logbuffer/pps u:object_r:debugfs_usb:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/usbpd0/typec u:object_r:sysfs_typec_info:s0 # Dumpstate hal genfscon debugfs /dma_buf/bufinfo u:object_r:debugfs_dma_buf:s0 
@@ -144,6 +168,12 @@ genfscon debugfs /ipawwan/debug u:object_r:debugfs_ipa # Poweroff for warm_reset in recovery mode genfscon sysfs /module/msm_poweroff u:object_r:sysfs_poweroff:s0 +# Extcon +genfscon sysfs /devices/platform/soc/soc:qcom,msm-ext-disp/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,usb-pdphy@1700/extcon u:object_r:sysfs_extcon:s0 + # Label wakeup nodes symlinks from /sys/class/wakeup genfscon sysfs /devices/virtual/misc/msm_aac/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/misc/msm_alac/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/vendor/google/google_camera_app.te b/vendor/google/google_camera_app.te index b04fc93..b275f42 100644 --- a/vendor/google/google_camera_app.te +++ b/vendor/google/google_camera_app.te @@ -29,7 +29,6 @@ allow google_camera_app app_api_service:service_manager find; allow google_camera_app audioserver_service:service_manager find; allow google_camera_app cameraserver_service:service_manager find; allow google_camera_app drmserver_service:service_manager find; -allow google_camera_app gpu_service:service_manager find; allow google_camera_app mediaserver_service:service_manager find; allow google_camera_app mediaextractor_service:service_manager find; allow google_camera_app mediametrics_service:service_manager find; 
@@ -37,9 +36,6 @@ allow google_camera_app mediadrmserver_service:service_manager find; allow google_camera_app nfc_service:service_manager find; allow google_camera_app radio_service:service_manager find; -# Allow untrusted apps to interact with gpuservice -binder_call(google_camera_app, gpuservice) - # gdbserver for ndk-gdb ptrace attaches to app process. allow google_camera_app self:process ptrace; diff --git a/vendor/google/grilservice_app.te b/vendor/google/grilservice_app.te index ef2430f..4c8d81e 100644 --- a/vendor/google/grilservice_app.te +++ b/vendor/google/grilservice_app.te @@ -2,8 +2,13 @@ type grilservice_app, domain; app_domain(grilservice_app) +allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; allow grilservice_app hal_radioext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -allow grilservice_app activity_service:service_manager find; +allow grilservice_app app_api_service:service_manager find; +binder_call(grilservice_app, hal_bluetooth_default) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) + +# this denial on grilservice_app since this AudioMetric functionality is not used in legacy device. +dontaudit grilservice_app hal_audiometricext_hwservice:hwservice_manager find; diff --git a/vendor/google/hal_camera_default.te b/vendor/google/hal_camera_default.te index 01c21bf..104b9fe 100644 --- a/vendor/google/hal_camera_default.te +++ b/vendor/google/hal_camera_default.te @@ -9,7 +9,7 @@ binder_call(hal_camera_default, sensor_service_server) binder_call(sensor_service_server, hal_camera_default) # For camera hal to talk with gralloc -#hal_client_domain(hal_camera_default, hal_graphics_allocator) +hal_client_domain(hal_camera_default, hal_graphics_allocator) hal_client_domain(hal_camera_default, hal_graphics_composer) #For camera hal to talk with ECOService. 
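Review bot: The `dontaudit grilservice_app hal_audiometricext_hwservice:hwservice_manager find` line silences a lookup the app evidently still performs, and its comment is a sentence fragment that does not say whether the denial is harmless. If the lookup is a no-op on this device, state it, e.g. `# AudioMetricExt is not provided on this device; silence the app's lookup rather than grant it.`; if the app actually needs the service it should receive an explicit find instead of a dontaudit. Note also that replacing the `activity_service` find with `app_api_service` is the standard app_domain grant but widens what the app may look up, so the swap deserves a word in the commit message or a comment.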
diff --git a/vendor/google/hal_dumpstate_impl.te b/vendor/google/hal_dumpstate_impl.te index a3cdab7..11198c8 100644 --- a/vendor/google/hal_dumpstate_impl.te +++ b/vendor/google/hal_dumpstate_impl.te @@ -65,6 +65,9 @@ userdebug_or_eng(` allow hal_dumpstate_impl debugfs_ipa:file r_file_perms; ') +#Dumpstats fastrpc buffer +allow hal_dumpstate_impl sysfs_fastrpc:file r_file_perms; + # dump Battery/Charger/Guage allow hal_dumpstate_impl debugfs_batteryinfo:dir r_dir_perms; allow hal_dumpstate_impl debugfs_batteryinfo:file r_file_perms; @@ -73,6 +76,8 @@ allow hal_dumpstate_impl debugfs_pmic:file r_file_perms; userdebug_or_eng(` allow hal_dumpstate_impl debugfs_pmic:file rw_file_perms; ') +allow hal_dumpstate_impl sysfs_chargelevel:file r_file_perms; +allow hal_dumpstate_impl sysfs_batteryinfo:file r_file_perms; allow hal_dumpstate_impl debugfs_usb:dir r_dir_perms; allow hal_dumpstate_impl debugfs_usb:file r_file_perms; @@ -115,6 +120,9 @@ userdebug_or_eng(` allow hal_dumpstate_impl sensors_vendor_data_file:file r_file_perms; ') +# Access to /sys/devices/soc0/serial_number +r_dir_file(hal_dumpstate_impl, sysfs_soc) + # Access to modem stat domain_auto_trans(hal_dumpstate_impl, modem_svc_exec, modem_svc) allow hal_dumpstate_impl modem_stat_data_file:file r_file_perms; diff --git a/vendor/google/hal_health_default.te b/vendor/google/hal_health_default.te index 42a3aa4..4d79c14 100644 --- a/vendor/google/hal_health_default.te +++ b/vendor/google/hal_health_default.te 
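Review bot: `r_dir_file(hal_dumpstate_impl, sysfs_soc)` grants read on every node under the sysfs_soc label to reach /sys/devices/soc0/serial_number, and unlike the neighbouring `userdebug_or_eng` blocks in this file it applies on user builds, so the SoC serial number will be collected into every bugreport. If only debug builds need it, wrap the macro in a userdebug_or_eng block; if collecting the identifier on user builds is intended, extend the comment to say so, e.g. `# Access to /sys/devices/soc0/serial_number (collected on all builds by design)`. The added `sysfs_chargelevel`/`sysfs_batteryinfo` reads in the earlier hunk are read-only and unremarkable.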
@@ -4,9 +4,13 @@ r_dir_file(hal_health_default, sysfs_scsi_devices_0000) set_prop(hal_health_default, vendor_shutdown_prop) set_prop(hal_health_default, vendor_battery_defender_prop) -allow hal_health_default fwk_stats_hwservice:hwservice_manager find; +allow hal_health_default fwk_stats_service:service_manager find; +binder_use(hal_health_default) + allow hal_health_default persist_file:dir search; allow hal_health_default persist_battery_file:file create_file_perms; allow hal_health_default persist_battery_file:dir rw_dir_perms; allow hal_health_default mnt_vendor_file:dir search; allow hal_health_default sysfs_chargelevel:file rw_file_perms; + +r_dir_file(hal_health_default, sysfs_typec_info) diff --git a/vendor/google/hal_identity_citadel.te b/vendor/google/hal_identity_citadel.te deleted file mode 100644 index e29310c..0000000 --- a/vendor/google/hal_identity_citadel.te +++ /dev/null @@ -1,9 +0,0 @@ -type hal_identity_citadel, domain; -type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type; - -vndbinder_use(hal_identity_citadel) -binder_call(hal_identity_citadel, citadeld) -allow hal_identity_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_identity_citadel, hal_identity) -init_daemon_domain(hal_identity_citadel) diff --git a/vendor/google/hal_keymaster_citadel.te b/vendor/google/hal_keymaster_citadel.te deleted file mode 100644 index 3674cd0..0000000 --- a/vendor/google/hal_keymaster_citadel.te +++ /dev/null @@ -1,11 +0,0 @@ -type hal_keymaster_citadel, domain; -type hal_keymaster_citadel_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_keymaster_citadel) - -vndbinder_use(hal_keymaster_citadel) -binder_call(hal_keymaster_citadel, citadeld) -allow hal_keymaster_citadel citadeld_service:service_manager find; - -hal_server_domain(hal_keymaster_citadel, hal_keymaster) - -get_prop(hal_keymaster_citadel, vendor_security_patch_level_prop) 
diff --git a/vendor/google/hal_power_stats_default.te b/vendor/google/hal_power_stats_default.te index b5cc289..aec48e9 100644 --- a/vendor/google/hal_power_stats_default.te +++ b/vendor/google/hal_power_stats_default.te @@ -1,8 +1,9 @@ allow hal_power_stats_default sysfs_msm_wlan:dir search; # Needed to traverse to wlan stats file -get_prop(hal_power_stats_default, exported_wifi_prop) # Needed to detect wifi on/off +get_prop(hal_power_stats_default, wifi_hal_prop) # Needed to detect wifi on/off r_dir_file(hal_power_stats_default, sysfs_iio_devices) # Needed to traverse odpm files r_dir_file(hal_power_stats_default, sysfs_power_stats) # Needed to traverse platform low power stats r_dir_file(hal_power_stats_default, sysfs_msm_subsys) # Needed to traverse subsystem low power stats +r_dir_file(hal_power_stats_default, sysfs_leds) # Needed to track display stats # The following folders are incidentally accessed by hal_power_stats_default and are not needed. dontaudit hal_power_stats_default sysfs_power_stats_ignore:dir r_dir_perms; @@ -10,7 +11,4 @@ dontaudit hal_power_stats_default sysfs_power_stats_ignore:file r_file_perms; dontaudit hal_power_stats_default debugfs_wlan:dir search; dontaudit hal_power_stats_default sysfs:file read; -vndbinder_use(hal_power_stats) -add_service(hal_power_stats_server, power_stats_service) - binder_call(hal_power_stats, citadeld) diff --git a/vendor/google/hal_rebootescrow_citadel.te b/vendor/google/hal_rebootescrow_citadel.te deleted file mode 100644 index c85ce20..0000000 --- a/vendor/google/hal_rebootescrow_citadel.te +++ /dev/null 
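Review bot: `binder_call(hal_power_stats, citadeld)` survives while this same commit deletes `citadeld_service`, the `android.hardware.citadel.ICitadeld` vndservice context and the `init_citadel` domain; the `citadeld` domain itself is declared outside this diff, so if it was removed too this line will fail policy compilation, and if it moved to a shared policy the call should say so, e.g. `# Citadel power stats via citadeld (declared in the shared Pixel policy)`. The dropped `vndbinder_use`/`add_service` pair suggests the service registration moved as well; that is an inference from the deletions, so confirm rather than assume.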
@@ -1,15 +0,0 @@ -type hal_rebootescrow_citadel, domain; -type hal_rebootescrow_citadel_exec, exec_type, vendor_file_type, file_type; - -hal_server_domain(hal_rebootescrow_citadel, hal_rebootescrow) - -vndbinder_use(hal_rebootescrow_citadel) -binder_call(hal_rebootescrow_citadel, citadeld) -allow hal_rebootescrow_citadel citadeld_service:service_manager find; - -hal_client_domain(hal_rebootescrow_citadel, hal_keymaster) - -init_daemon_domain(hal_rebootescrow_citadel) - -allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:dir create_dir_perms; -allow hal_rebootescrow_citadel hal_rebootescrow_citadel_data_file:file create_file_perms; diff --git a/vendor/google/hal_sensors_default.te b/vendor/google/hal_sensors_default.te index bb194bb..5adebba 100644 --- a/vendor/google/hal_sensors_default.te +++ b/vendor/google/hal_sensors_default.te @@ -15,3 +15,9 @@ allow hal_sensors_default sysfs_leds:file r_file_perms; # For Suez metrics collection allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find; binder_call(hal_sensors_default, system_server); +allow hal_sensors_default fwk_stats_service:service_manager find; +binder_use(hal_sensors_default) + +# Allow Suez nanoapp clients to connect to CHRE. +allow hal_sensors_default chre_socket:sock_file write; +allow hal_sensors_default chre:unix_stream_socket connectto; diff --git a/vendor/google/hal_usb_gadget_impl.te b/vendor/google/hal_usb_gadget_impl.te new file mode 100644 index 0000000..ddd90c2 --- /dev/null +++ b/vendor/google/hal_usb_gadget_impl.te 
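Review bot: The hunk adds the AIDL stats path (`fwk_stats_service` find plus `binder_use`) but keeps the HIDL `fwk_stats_hwservice` find and `binder_call(hal_sensors_default, system_server)` directly above it, so the domain now holds both sets of grants with a comment that only mentions Suez metrics. If the HAL has migrated, drop the HIDL pair in a follow-up; until then a comment such as `# Stats reporting: HIDL IStats kept until the AIDL migration is verified` explains why both exist. The CHRE socket grants (`chre_socket:sock_file write`, `chre:unix_stream_socket connectto`) are the usual pair for a Unix socket client and look complete.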
@@ -0,0 +1,14 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_prop)
+
+allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_gadget_impl sysfs_extcon:dir search;
diff --git a/vendor/google/hal_usb_impl.te b/vendor/google/hal_usb_impl.te
index cd782c5..c2e9e52 100644
--- a/vendor/google/hal_usb_impl.te
+++ b/vendor/google/hal_usb_impl.te
@@ -9,4 +9,9 @@ allow hal_usb_impl configfs:file create_file_perms;
 allow hal_usb_impl sysfs_batteryinfo:dir search;
 allow hal_usb_impl sysfs_batteryinfo:file r_file_perms;
 allow hal_usb_impl sysfs_contaminant:file rw_file_perms;
+allow hal_usb_impl sysfs_limit_power_transfer:file rw_file_perms;
 set_prop(hal_usb_impl, vendor_usb_prop)
+allow hal_usb_impl sysfs_extcon:dir search;
+
+r_dir_file(hal_usb_impl, sysfs_typec_info)
+allow hal_usb_impl sysfs_typec_info:file rw_file_perms;
diff --git a/vendor/google/hal_weaver_citadel.te b/vendor/google/hal_weaver_citadel.te
deleted file mode 100644
index 40a0e14..0000000
--- a/vendor/google/hal_weaver_citadel.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type hal_weaver_citadel, domain;
-type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_weaver_citadel)
-
-vndbinder_use(hal_weaver_citadel)
-binder_call(hal_weaver_citadel, citadeld)
-allow hal_weaver_citadel citadeld_service:service_manager find;
-
-hal_server_domain(hal_weaver_citadel, hal_weaver)
-hal_server_domain(hal_weaver_citadel, hal_oemlock)
-hal_server_domain(hal_weaver_citadel, hal_authsecret)
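Review bot: `allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;` gives the gadget HAL write access to every node carrying the battery sysfs label, while the sibling `hal_usb_impl` in this same commit only reads them, and nothing in the new file says which node the gadget HAL writes or why. Either move that node under a dedicated label and grant rw only there, or add a comment above the line naming it, e.g. `# Writes <node> under sysfs_batteryinfo to <purpose>`. The `configfs:dir { create rmdir }` and `functionfs:dir { watch watch_reads }` grants presumably sit on top of what `hal_server_domain(…, hal_usb_gadget)` already provides; if so, a one-line comment saying so would spare the next reader the lookup.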
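Review bot: `r_dir_file(hal_usb_impl, sysfs_typec_info)` immediately followed by `allow hal_usb_impl sysfs_typec_info:file rw_file_perms;` grants the file permissions twice, since `rw_file_perms` already includes `r_file_perms`; the pair collapses to `allow hal_usb_impl sysfs_typec_info:dir r_dir_perms;` plus the existing rw line. Because `sysfs_typec_info` now labels the whole `typec` tree, including the partner identity nodes, a comment stating which nodes the HAL writes (data_role/power_role are the usual candidates, but that is an inference) would make the rw grant reviewable. The new `sysfs_limit_power_transfer` rw grant likewise lacks a comment.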
diff --git a/vendor/google/hal_wifi_ext.te b/vendor/google/hal_wifi_ext.te index 1be706b..55ea19e 100644 --- a/vendor/google/hal_wifi_ext.te +++ b/vendor/google/hal_wifi_ext.te @@ -27,7 +27,7 @@ r_dir_file(hal_wifi_ext, proc_wifi_dbg) # Allow wifi_ext to report callbacks to gril-service app binder_call(hal_wifi_ext, grilservice_app) -allow hal_wifi_ext wlan_device:chr_file w_file_perms; +allow hal_wifi_ext wlan_device:chr_file rw_file_perms; userdebug_or_eng(` # debugfs entries are only needed in user-debug or eng builds diff --git a/vendor/google/hbmsvmanager_app.te b/vendor/google/hbmsvmanager_app.te index 25c06c0..a14930a 100644 --- a/vendor/google/hbmsvmanager_app.te +++ b/vendor/google/hbmsvmanager_app.te @@ -1,7 +1,9 @@ -type hbmsvmanager_app, domain; +type hbmsvmanager_app, domain, coredomain; app_domain(hbmsvmanager_app); hal_client_domain(hbmsvmanager_app, hal_light) # Standard system services allow hbmsvmanager_app app_api_service:service_manager find; + +allow hbmsvmanager_app hal_pixel_display_service:service_manager find; diff --git a/vendor/google/hwservice.te b/vendor/google/hwservice.te index 2e8e1a8..b8e9a67 100644 --- a/vendor/google/hwservice.te +++ b/vendor/google/hwservice.te 
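Review bot: Widening `wlan_device:chr_file` from `w_file_perms` to `rw_file_perms` is unexplained, whereas every other grant in this file carries a reason, and the line sits outside the `userdebug_or_eng` block that begins right after it, so the wider access applies on user builds. Add a one-line reason, e.g. `# Reads from wlan_device are needed for <ioctl/response path>`; if only specific ioctls are needed, `{ open read write ioctl }` with an `allowxperm` on the ioctl numbers would be tighter than the full rw set. The enclosing userdebug_or_eng block continues past the end of the hunk.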
@@ -1,5 +1,7 @@
-type hal_pixelstats_hwservice, hwservice_manager_type;
-type hal_darwinn_hwservice, hwservice_manager_type;
-type hal_radioext_hwservice, hwservice_manager_type;
-type hal_wifi_ext_hwservice, hwservice_manager_type;
-type hal_wlc_hwservice, hwservice_manager_type;
+type hal_pixelstats_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_darwinn_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_radioext_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wifi_ext_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_wlc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_audiometricext_hwservice, hwservice_manager_type;
diff --git a/vendor/google/hwservice_contexts b/vendor/google/hwservice_contexts
index afe7b5f..15c0e7f 100644
--- a/vendor/google/hwservice_contexts
+++ b/vendor/google/hwservice_contexts
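Review bot: `hal_audiometricext_hwservice` is the only type in this hunk declared without `vendor_hwservice_type`, yet the accompanying `hwservice_contexts` change maps it to `vendor.google.audiometricext::IAudioMetricExt`, a vendor interface like all of its siblings. Declare it as `type hal_audiometricext_hwservice, hwservice_manager_type, vendor_hwservice_type;` so the Treble neverallows treat it consistently with the other six; if it was deliberately left out because a core domain must be able to find it, record that in a comment, since otherwise the omission reads as an oversight.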
@@ -1,6 +1,9 @@ -hardware.google.pixelstats::IPixelStats u:object_r:hal_pixelstats_hwservice:s0 -hardware.google.light::ILight u:object_r:hal_light_hwservice:s0 -vendor.google.darwinn.service::IDarwinnService u:object_r:hal_darwinn_hwservice:s0 -vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 -vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0 -vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 +hardware.google.pixelstats::IPixelStats u:object_r:hal_pixelstats_hwservice:s0 +hardware.google.light::ILight u:object_r:hal_light_hwservice:s0 +hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 +vendor.google.darwinn.service::IDarwinnService u:object_r:hal_darwinn_hwservice:s0 +vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0 +vendor.google.wifi_ext::IWifiExt u:object_r:hal_wifi_ext_hwservice:s0 +vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0 +vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0 diff --git a/vendor/google/init-insmod-sh.te b/vendor/google/init-insmod-sh.te index 851ad3f..5f0f6dd 100644 --- a/vendor/google/init-insmod-sh.te +++ b/vendor/google/init-insmod-sh.te @@ -1,4 +1,12 @@ # Allow insmod +type init-insmod-sh, domain; +type init-insmod-sh_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init-insmod-sh) + +allow init-insmod-sh self:capability sys_module; +allow init-insmod-sh vendor_kernel_modules:system module_load; +allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans; allow init-insmod-sh sysfs_msm_boot:file w_file_perms; userdebug_or_eng(` 
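Review bot: The domain now holds `CAP_SYS_MODULE` and may `execute_no_trans` vendor toolbox binaries, so every toolbox tool the script runs inherits module-loading capability; the only heading the hunk carries is the inherited `# Allow insmod`. A comment above the capability lines, e.g. `# Module loading is restricted to files labeled vendor_kernel_modules; toolbox runs in-domain so insmod/modprobe keep CAP_SYS_MODULE`, records why the combination is acceptable. With the type declaration now living in this file, the leftover `dontaudit init-insmod-sh self:capability sys_admin` in the following hunk is worth rechecking so a real need for sys_admin is not silently hidden.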
@@ -6,7 +14,9 @@ userdebug_or_eng(` allow init-insmod-sh debugfs_wlan:dir search; ') +set_prop(init-insmod-sh, vendor_device_prop) + dontaudit init-insmod-sh debugfs_ipc:dir search; dontaudit init-insmod-sh debugfs_wlan:dir search; dontaudit init-insmod-sh self:capability sys_admin; -dontaudit init-insmod-sh proc_cmdline:file read; +dontaudit init-insmod-sh proc_cmdline:file r_file_perms; diff --git a/vendor/google/init.te b/vendor/google/init.te index 5ed0eb9..cd16f4e 100644 --- a/vendor/google/init.te +++ b/vendor/google/init.te @@ -1,3 +1,7 @@ +# Allow init to mount firmware +allow init firmware_file:dir mounton; +allow init firmware_file:filesystem { getattr mount relabelfrom }; + allow init boot_block_device:lnk_file relabelto; allow init custom_ab_block_device:lnk_file relabelto; @@ -8,3 +12,6 @@ recovery_only(` allow init sysfs_thermal:file rw_file_perms; allow init sysfs_poweroff:file w_file_perms; ') + +allow init per_boot_file:file ioctl; +allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE }; diff --git a/vendor/google/init_citadel.te b/vendor/google/init_citadel.te deleted file mode 100644 index 6583a3a..0000000 --- a/vendor/google/init_citadel.te +++ /dev/null @@ -1,16 +0,0 @@ -type init_citadel, domain; -type init_citadel_exec, exec_type, vendor_file_type, file_type; -type citadel_updater_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(init_citadel) - -vndbinder_use(init_citadel) -binder_call(init_citadel, citadeld) -allow init_citadel citadeld_service:service_manager find; - -# Many standard utils are actually vendor_toolbox (like xxd) -allow init_citadel vendor_toolbox_exec:file rx_file_perms; - -# init_citadel needs to invoke citadel_updater -allow init_citadel citadel_updater_exec:file rx_file_perms; -allow init_citadel citadel_device:chr_file rw_file_perms; diff --git a/vendor/google/init_qti_chg_policy.te b/vendor/google/init_qti_chg_policy.te index 44815ce..924d3d1 100644 
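Review bot: The new `per_boot_file` ioctl grant and its `allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };` have no comment, while the firmware mount rules in the first hunk of this file do. Add a line such as `# Pin per-boot files on f2fs so their blocks are not relocated`; the removed ramdump policy elsewhere in this commit mentions f2fs pinning, so the motivation may be related, but that is an inference to confirm before wording the comment. The `allowxperm` correctly narrows the ioctl to a single command, which is the right shape for this grant.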
--- a/vendor/google/init_qti_chg_policy.te +++ b/vendor/google/init_qti_chg_policy.te @@ -7,5 +7,12 @@ allow init_qti_chg_policy vendor_toolbox_exec:file rx_file_perms; allow init_qti_chg_policy sysfs_batteryinfo:file create_file_perms; allow init_qti_chg_policy sysfs_batteryinfo:dir r_dir_perms; allow init_qti_chg_policy sysfs_contaminant:file create_file_perms; +allow init_qti_chg_policy sysfs_wakeup:dir r_dir_perms; +allow init_qti_chg_policy sysfs_wakeup:file getattr; +allow init_qti_chg_policy sysfs_iio_devices:dir search; +allow init_qti_chg_policy sysfs_power_stats_ignore:dir search; +allow init_qti_chg_policy sysfs_power_stats_ignore:file r_file_perms; +allow init_qti_chg_policy sysfs_power_stats:dir search; +allow init_qti_chg_policy sysfs_power_stats:file r_file_perms; set_prop(init_qti_chg_policy, vendor_hvdcp_opti_prop) diff --git a/vendor/google/logger_app.te b/vendor/google/logger_app.te index c891758..1b7e6c5 100644 --- a/vendor/google/logger_app.te +++ b/vendor/google/logger_app.te @@ -1,11 +1,4 @@ -type logger_app, domain; - userdebug_or_eng(` - app_domain(logger_app) - net_domain(logger_app) - - allow logger_app app_api_service:service_manager find; - allow logger_app vendor_radio_data_file:file create_file_perms; allow logger_app vendor_radio_data_file:dir create_dir_perms; @@ -15,8 +8,17 @@ userdebug_or_eng(` allow logger_app tcpdump_vendor_data_file:dir create_dir_perms; allow logger_app tcpdump_vendor_data_file:file create_file_perms; + get_prop(logger_app, radio_prop) + + set_prop(logger_app, vendor_ramdump_prop) + set_prop(logger_app, logpersistd_logging_prop) + set_prop(logger_app, logd_prop) + set_prop(logger_app, vendor_ssr_prop) set_prop(logger_app, vendor_cnss_diag_prop) set_prop(logger_app, vendor_modem_diag_prop) set_prop(logger_app, vendor_tcpdump_log_prop) set_prop(logger_app, vendor_wifi_sniffer_prop) + set_prop(logger_app, vendor_usb_prop) + set_prop(logger_app, vendor_logging_prop) + set_prop(logger_app, vendor_logger_prop) ') 
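Review bot: `init_qti_chg_policy` is granted explicit read on `sysfs_power_stats_ignore`, which `hal_power_stats_default.te` in this same commit describes as nodes that are incidentally accessed and not needed and therefore only dontaudits. If the charging policy daemon merely trips over them while walking the tree, use `dontaudit init_qti_chg_policy sysfs_power_stats_ignore:file r_file_perms;` here as well; if it genuinely reads them, a comment naming the node would justify the grant and the label's name should be revisited. The other additions (`sysfs_wakeup`, `sysfs_iio_devices`, `sysfs_power_stats`) are read-only and consistent with the file's existing grants.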
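Review bot: The added `set_prop(logger_app, logd_prop)` and `set_prop(logger_app, logpersistd_logging_prop)` let the app reconfigure logd and log persistence, which is acceptable only because the whole block stays inside `userdebug_or_eng`; the domain declaration and the `app_domain`/`net_domain` lines leave this file in the first hunk, so confirm that their new home keeps the same debug-only gating. A comment above the new set_prop lines such as `# Log control props: debug builds only (see userdebug_or_eng wrapper)` makes that dependency visible to whoever next edits the block.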
diff --git a/vendor/google/modem_diagnostics.te b/vendor/google/modem_diagnostics.te index 75e8c51..a01d3af 100644 --- a/vendor/google/modem_diagnostics.te +++ b/vendor/google/modem_diagnostics.te @@ -9,9 +9,16 @@ userdebug_or_eng(` allow modem_diagnostic_app surfaceflinger_service:service_manager find; allow modem_diagnostic_app radio_service:service_manager find; allow modem_diagnostic_app diag_device:chr_file rw_file_perms; + allow modem_diagnostic_app sysfs_esim:file r_file_perms; + + allow modem_diagnostic_app ssr_log_file:dir r_dir_perms; + allow modem_diagnostic_app ssr_log_file:file r_file_perms; unix_socket_connect(modem_diagnostic_app, diag, qlogd); set_prop(modem_diagnostic_app, vendor_modem_diag_prop) - set_prop(modem_diagnostic_app, exported3_radio_prop) + set_prop(modem_diagnostic_app, radio_control_prop) + + allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms; + allow modem_diagnostic_app sysfs_batteryinfo:dir search; ') diff --git a/vendor/google/modem_svc.te b/vendor/google/modem_svc.te index 50f80b6..5f8cefa 100644 --- a/vendor/google/modem_svc.te +++ b/vendor/google/modem_svc.te @@ -8,15 +8,13 @@ allow modem_svc self:qipcrtr_socket create_socket_perms_no_ioctl; # For property service set_prop(modem_svc, vendor_modem_diag_prop) set_prop(modem_svc, vendor_modem_prop) -get_prop(modem_svc, exported3_radio_prop) +get_prop(modem_svc, radio_control_prop) get_prop(modem_svc, vendor_build_type_prop) # For bugreport collection -userdebug_or_eng(` - allow modem_svc hal_dumpstate_impl:fd use; - allow modem_svc dumpstate:fd use; - allow modem_svc shell_data_file:file write; -') +allow modem_svc hal_dumpstate_impl:fd use; +allow modem_svc dumpstate:fd use; +allow modem_svc shell_data_file:file write; dontaudit modem_svc sysfs_msm_subsys:dir r_dir_perms; dontaudit modem_svc sysfs_esoc:dir r_dir_perms; diff --git a/vendor/google/pixelstats_vendor.te b/vendor/google/pixelstats_vendor.te index 9ddc742..3015d3f 100644 
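Review bot: `allow modem_svc shell_data_file:file write;` and the two `fd use` rules move out of `userdebug_or_eng`, so a vendor daemon may now write bugreport output on user builds. Because no `open` permission is granted, the write can only land on an fd handed over by dumpstate or hal_dumpstate_impl, which keeps the grant narrow; say so in the comment, e.g. `# Bugreport collection: write only through the fd passed by dumpstate (no open granted)`, so a later "fix" for a denial does not add open. The `exported3_radio_prop` to `radio_control_prop` swap matches the same change in modem_diagnostics.te.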
--- a/vendor/google/pixelstats_vendor.te +++ b/vendor/google/pixelstats_vendor.te @@ -1,9 +1,3 @@ -# pixelstats vendor -type pixelstats_vendor, domain; - -type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(pixelstats_vendor) - unix_socket_connect(pixelstats_vendor, chre, chre) get_prop(pixelstats_vendor, hwservicemanager_prop) @@ -12,10 +6,13 @@ allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find; binder_call(pixelstats_vendor, pixelstats_system) allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find; -binder_call(pixelstats_vendor, stats_service_server) + +binder_use(pixelstats_vendor) +allow pixelstats_vendor fwk_stats_service:service_manager find; allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; -r_dir_file(pixelstats_vendor, sysfs_batteryinfo) +allow pixelstats_vendor battery_history_device:chr_file r_file_perms; + # UeventListener -allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; r_dir_file(pixelstats_vendor, sysfs_pixelstats) +r_dir_file(pixelstats_vendor, sysfs_typec_info) diff --git a/vendor/google/property.te b/vendor/google/property.te index 18633c6..1e789e3 100644 --- a/vendor/google/property.te +++ b/vendor/google/property.te 
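Review bot: The `# UeventListener` comment now sits directly above `r_dir_file(pixelstats_vendor, sysfs_pixelstats)` after the `netlink_kobject_uevent_socket` rule it described was removed, so it misdescribes the grant that follows. Reword it to cover the remaining lines, e.g. `# Pixelstats sysfs nodes and Type-C partner info`, and note that the HIDL `fwk_stats_hwservice` find is kept beside the new AIDL `fwk_stats_service` path; drop the HIDL line once the migration is verified, or comment why both are needed.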
@@ -1,13 +1,21 @@ -type vendor_tcpdump_log_prop, property_type; -type vendor_build_type_prop, property_type; -type vendor_aware_available_prop, property_type; -type vendor_modem_prop, property_type; -type camera_ro_prop, property_type; -type vendor_ramoops_prop, property_type; -type ecoservice_prop, property_type; -type vendor_shutdown_prop, property_type; -type vendor_battery_defender_prop, property_type; -type vendor_vibrator_prop, property_type; +vendor_internal_prop(ecoservice_prop) +vendor_internal_prop(vendor_battery_defender_prop) +vendor_internal_prop(vendor_battery_profile_prop) +vendor_internal_prop(vendor_build_type_prop) +vendor_internal_prop(vendor_modem_prop) +vendor_internal_prop(vendor_ramoops_prop) +vendor_internal_prop(vendor_shutdown_prop) +vendor_internal_prop(vendor_tcpdump_log_prop) +vendor_internal_prop(vendor_vibrator_prop) +vendor_internal_prop(vendor_device_prop) # vendor verbose logging property -type vendor_logging_prop, property_type; +vendor_internal_prop(vendor_logging_prop) + +vendor_restricted_prop(camera_ro_prop) + +# Vendor aware available type +vendor_restricted_prop(vendor_aware_available_prop) + +# Logger +vendor_internal_prop(vendor_logger_prop) diff --git a/vendor/google/property_contexts b/vendor/google/property_contexts index 34b20e7..409d57c 100644 --- a/vendor/google/property_contexts +++ b/vendor/google/property_contexts 
@@ -20,9 +20,15 @@ vendor.display.primary_blue u:object_r:vendor_display_prop:s vendor.display.primary_white u:object_r:vendor_display_prop:s0 vendor.display.native_display_primaries_ready u:object_r:vendor_display_prop:s0 +vendor.all.modules.ready u:object_r:vendor_device_prop:s0 +vendor.all.devices.ready u:object_r:vendor_device_prop:s0 + # battery vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0 +# test battery profile +persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0 + # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0 @@ -64,3 +70,7 @@ ro.vendor.vibrator.hal.lptrigger u:object_r:vendor_vibrator_prop: # Vendor verbose logging prop persist.vendor.verbose_logging_enabled u:object_r:vendor_logging_prop:s0 + +# Logger app +vendor.pixellogger. u:object_r:vendor_logger_prop:s0 +persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 diff --git a/vendor/google/ramdump.te b/vendor/google/ramdump.te deleted file mode 100644 index 0db625c..0000000 --- a/vendor/google/ramdump.te +++ /dev/null 
@@ -1,37 +0,0 @@ -type ramdump_exec, exec_type, vendor_file_type, file_type; -type ramdump, domain; - -userdebug_or_eng(` - init_daemon_domain(ramdump) - - set_prop(ramdump, vendor_ramdump_prop) - get_prop(ramdump, public_vendor_default_prop) - - # f2fs set pin file requires sys_admin - allow ramdump self:capability { sys_admin sys_rawio }; - - allow ramdump ramdump_vendor_data_file:dir create_dir_perms; - allow ramdump ramdump_vendor_data_file:file create_file_perms; - allow ramdump proc_cmdline:file r_file_perms; - - allow ramdump block_device:dir search; - allow ramdump misc_block_device:blk_file rw_file_perms; - allow ramdump userdata_block_device:blk_file rw_file_perms; - - dontaudit ramdump metadata_file:dir search; - - r_dir_file(ramdump, sysfs_type) - - # To access statsd. - hwbinder_use(ramdump) - get_prop(ramdump, hwservicemanager_prop) - allow ramdump fwk_stats_hwservice:hwservice_manager find; - binder_call(ramdump, stats_service_server) - - # To implement fusefs (ramdumpfs) under /mnt/vendor/ramdump. - allow ramdump fuse:filesystem relabelfrom; - allow ramdump fuse_device:chr_file rw_file_perms; - allow ramdump mnt_vendor_file:dir r_dir_perms; - allow ramdump ramdump_vendor_mnt_file:dir { getattr mounton }; - allow ramdump ramdump_vendor_mnt_file:filesystem { mount unmount relabelfrom relabelto }; -') diff --git a/vendor/google/recovery.te b/vendor/google/recovery.te index 7e7925c..39cb557 100644 --- a/vendor/google/recovery.te +++ b/vendor/google/recovery.te @@ -1,5 +1,4 @@ recovery_only(` - allow recovery citadel_device:chr_file rw_file_perms; allow recovery sg_device:chr_file rw_file_perms; allow recovery sysfs_scsi_devices_0000:dir r_dir_perms; ') diff --git a/vendor/google/seapp_contexts b/vendor/google/seapp_contexts index 1cc64e0..2279b62 100644 --- a/vendor/google/seapp_contexts +++ b/vendor/google/seapp_contexts 
@@ -1,16 +1,13 @@ # Domain for Ramdump -user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file +user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all # Domain for grilservice -user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all +user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all # Domain for Modem Diagnostic System user=_app seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -# Domain for Pixel Logger -user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all - # Domain for GoogleCBRS app user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user @@ -21,7 +18,7 @@ user=_app seinfo=platform name=com.google.touch.touchinspector domain=google_tou user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all # Domain for UvExposureReporter service -user=_app seinfo=platform name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all +user=_app isPrivApp=true name=com.google.android.uvexposurereporter domain=uv_exposure_reporter type=app_data_file levelFrom=all # Domain for DeviceDropMonitor service user=_app seinfo=platform name=com.google.android.devicedropmonitor domain=device_drop_monitor type=app_data_file levelFrom=all diff --git a/vendor/google/service.te b/vendor/google/service.te new file mode 100644 index 0000000..9c935e9 --- /dev/null +++ b/vendor/google/service.te @@ -0,0 +1 @@ +type hal_pixel_display_service, service_manager_type, vendor_service; 
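Review bot: The grilservice and uvexposurereporter entries drop `seinfo=platform`, so the domain is now chosen by package name plus `isPrivApp=true` alone, with no check on the signing certificate. That is acceptable only if the priv-app partition is the trust boundary you intend; otherwise keep `seinfo=platform` (or the correct key) so a differently signed package with the same name cannot inherit `grilservice_app`'s HAL and binder access. The `levelFrom=user` addition for ssr_detector_app is a tightening and fine as is.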
diff --git a/vendor/google/service_contexts b/vendor/google/service_contexts new file mode 100644 index 0000000..4bac73b --- /dev/null +++ b/vendor/google/service_contexts @@ -0,0 +1,2 @@ +android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0 +com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 diff --git a/vendor/google/system_app.te b/vendor/google/system_app.te new file mode 100644 index 0000000..326d9fd --- /dev/null +++ b/vendor/google/system_app.te @@ -0,0 +1 @@ +get_prop(system_app, vendor_aware_available_prop) diff --git a/vendor/google/uv_exposure_reporter.te b/vendor/google/uv_exposure_reporter.te index 1d9ae56..0d7ec6b 100644 --- a/vendor/google/uv_exposure_reporter.te +++ b/vendor/google/uv_exposure_reporter.te @@ -1,13 +1,9 @@ -type uv_exposure_reporter, domain; +type uv_exposure_reporter, domain, coredomain; -userdebug_or_eng(` - app_domain(uv_exposure_reporter) - - allow uv_exposure_reporter app_api_service:service_manager find; - allow uv_exposure_reporter fwk_stats_hwservice:hwservice_manager find; - allow uv_exposure_reporter sysfs_msm_subsys:dir search; - allow uv_exposure_reporter sysfs_msm_subsys:file r_file_perms; - binder_call(uv_exposure_reporter, gpuservice); - binder_call(uv_exposure_reporter, stats_service_server); -') +app_domain(uv_exposure_reporter) +allow uv_exposure_reporter app_api_service:service_manager find; +allow uv_exposure_reporter sysfs_msm_subsys:dir search; +allow uv_exposure_reporter sysfs_msm_subsys:file r_file_perms; +allow uv_exposure_reporter fwk_stats_service:service_manager find; +binder_use(uv_exposure_reporter) diff --git a/vendor/google/vendor_init.te b/vendor/google/vendor_init.te index 8672d3f..dc0679b 100644 --- a/vendor/google/vendor_init.te +++ b/vendor/google/vendor_init.te 
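Review bot: Removing the `userdebug_or_eng` wrapper makes `uv_exposure_reporter`, now a `coredomain` app, read vendor-labelled `sysfs_msm_subsys` on user builds, and nothing in the file records why the debug gating was lifted. Add a comment above the sysfs lines, e.g. `# Subsystem restart stats for UV exposure reporting; required on user builds`, or restore the wrapper if the reporter still ships only on debug images. Dropping the `gpuservice` binder call and moving to the AIDL `fwk_stats_service` path are straightforward.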
@@ -35,6 +35,7 @@ allow vendor_init proc_sched_energy_aware:file w_file_perms; allow vendor_init proc_sched_updown_migrate:file w_file_perms; allow vendor_init proc_swappiness:file w_file_perms; allow vendor_init proc_dirty:file w_file_perms; +allow vendor_init proc_sched_lib_mask_cpuinfo:file w_file_perms; allow vendor_init self:global_capability2_class_set block_suspend; allow vendor_init sysfs_wake_lock:file rw_file_perms; @@ -45,3 +46,6 @@ userdebug_or_eng(` ') set_prop(vendor_init, vendor_logging_prop) +get_prop(vendor_init, test_harness_prop) +get_prop(vendor_init, vendor_battery_profile_prop) +set_prop(vendor_init, vendor_battery_defender_prop) diff --git a/vendor/google/vendor_shell.te b/vendor/google/vendor_shell.te new file mode 100644 index 0000000..2ace587 --- /dev/null +++ b/vendor/google/vendor_shell.te @@ -0,0 +1 @@ +set_prop(vendor_shell, vendor_battery_profile_prop) diff --git a/vendor/google/vndservice.te b/vendor/google/vndservice.te index 0e6b581..2dca1b2 100644 --- a/vendor/google/vndservice.te +++ b/vendor/google/vndservice.te @@ -1,3 +1 @@ -type citadeld_service, vndservice_manager_type; -type power_stats_service, vndservice_manager_type; type eco_service, vndservice_manager_type; diff --git a/vendor/google/vndservice_contexts b/vendor/google/vndservice_contexts index bf9fbbd..b6babcc 100644 --- a/vendor/google/vndservice_contexts +++ b/vendor/google/vndservice_contexts @@ -1,4 +1 @@ -android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0 -power.stats-vendor u:object_r:power_stats_service:s0 media.ecoservice u:object_r:eco_service:s0 - diff --git a/vendor/google/wait_for_strongbox.te b/vendor/google/wait_for_strongbox.te deleted file mode 100644 index 23ffa97..0000000 --- a/vendor/google/wait_for_strongbox.te +++ /dev/null 
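Review bot: `set_prop(vendor_shell, vendor_battery_profile_prop)` lets a vendor shell set the persistent `persist.vendor.testing_battery_profile`, which `vendor_init` reads in the same commit and then acts on via `vendor_battery_defender_prop`; the property name and the companion `get_prop(vendor_init, test_harness_prop)` point to a test hook. Wrap the set_prop in a userdebug_or_eng block unless user builds genuinely need it, and add a comment naming the test flow, e.g. `# Battery profile override for test harness runs`.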
@@ -1,7 +0,0 @@
-# wait_for_strongbox service
-type wait_for_strongbox, domain;
-type wait_for_strongbox_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wait_for_strongbox)
-
-hal_client_domain(wait_for_strongbox, hal_keymaster)
diff --git a/vendor/qcom/common/cameraserver.te b/vendor/qcom/common/cameraserver.te
index 92aacf7..dfd4524 100644
--- a/vendor/qcom/common/cameraserver.te
+++ b/vendor/qcom/common/cameraserver.te
@@ -6,3 +6,5 @@ get_prop(cameraserver, vendor_display_prop)
 # are not essential, and access denial to it won't break any gralloc mapper
 # functionality.
 dontaudit cameraserver gpu_device:chr_file rw_file_perms;
+
+dontaudit cameraserver sysfs_msm_subsys:dir search;
diff --git a/vendor/qcom/common/cnd.te b/vendor/qcom/common/cnd.te
index 333ac60..30acc21 100644
--- a/vendor/qcom/common/cnd.te
+++ b/vendor/qcom/common/cnd.te
@@ -20,6 +20,7 @@ allow cnd cnd_data_file:dir rw_dir_perms;
 wakelock_use(cnd)
 # To register cnd to hwbinder
 add_hwservice(cnd, hal_datafactory_hwservice)
+add_hwservice(cnd, hal_mwqemadapter_hwservice)
 userdebug_or_eng(`
 allow cnd diag_device:chr_file rw_file_perms;
 ')
@@ -42,3 +43,5 @@ allow cnd self:{ netlink_generic_socket qipcrtr_socket } create_socket_perms_no_ioctl;
+
+dontaudit cnd wifi_hal_prop:file r_file_perms;
diff --git a/vendor/qcom/common/con_monitor.te b/vendor/qcom/common/con_monitor.te
index 64d0257..860c16e 100644
--- a/vendor/qcom/common/con_monitor.te
+++ b/vendor/qcom/common/con_monitor.te
@@ -1,10 +1,9 @@
 # ConnectivityMonitor app
-type con_monitor_app, domain;
+type con_monitor_app, domain, coredomain;
 app_domain(con_monitor_app)
 set_prop(con_monitor_app, radio_prop)
-set_prop(con_monitor_app, vendor_radio_prop)
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app audioserver_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;
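Review bot: The new `dontaudit cameraserver sysfs_msm_subsys:dir search;` carries no rationale, while the rule directly above it in the hunk explains exactly which access is being silenced and why the denial is harmless. A comment in that style, naming the lookup that produces the denial and why cameraserver does not need the directory, should precede the dontaudit; the identical `dontaudit mediacodec sysfs_msm_subsys:dir search;` in the mediacodec.te hunk further down deserves the same. A silenced denial with no recorded cause is hard to tell apart from a genuinely missing permission later.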
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 33bb82e..23073eb 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -131,8 +131,6 @@ type sysfs_sectouch, sysfs_type, fs_type;
 type vendor_tui_data_file, file_type, data_file_type;
 type vendor_bt_data_file, file_type, data_file_type;
 type sysfs_jpeg, fs_type, sysfs_type;
-type ramdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
-type ramdump_vendor_mnt_file, file_type, data_file_type, mlstrustedobject;
 type sysfs_npu, fs_type, sysfs_type;
 type vendor_ramdump_data_file, file_type, data_file_type;
 type vendor_mdmhelperdata_data_file, file_type, data_file_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 907d5b9..a360e5a 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -52,7 +52,7 @@
 /(vendor|system/vendor)/bin/ssr_diag u:object_r:vendor_ssr_diag_exec:s0
 /(vendor|system/vendor)/bin/hw/qcrild u:object_r:rild_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@.*-service-qti u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@.*-service u:object_r:hal_gnss_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0
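Review bot: The file.te hunk deletes the declaration of `ramdump_vendor_data_file`, but the file_contexts hunk at `@@ -262,7 +266,6 @@` further down keeps `/data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0` as an unchanged line. Unless that type is now declared in a file outside this diff, the label no longer resolves and the file_contexts check should fail. Either keep the declaration, or relabel ssrdump to the `vendor_ramdump_data_file` type that survives in this hunk, with a comment naming the domains that must keep reaching it.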
@@ -67,6 +67,8 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service-qti u:object_r:hal_keymaster_qti_exec:s0
+/(vendor|system/vendor)/bin/init\.qti\.keymaster\.sh u:object_r:init-qti-keymaster-sh_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
 /(vendor|system/vendor)/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
@@ -113,12 +115,6 @@
 /mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
 ###################################
-# ramdumpfs files
-#
-/mnt/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-/ramdump(/.*)? u:object_r:ramdump_vendor_mnt_file:s0
-
-###################################
 # adsp files
 #
 /(vendor|system/vendor)/dsp(/.*)? u:object_r:adsprpcd_file:s0
@@ -144,12 +140,15 @@
 /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapperextensions@1\.1\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@3\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@3\.0\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-qti-display\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.hardware\.display\.mapper@4\.0\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgralloc\.qti\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgsl\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libEGL_adreno\.so u:object_r:same_process_hal_file:s0
@@ -179,6 +178,10 @@
 # libGLESv2_adreno depends on this
 /vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
+# Game profiling library
+/vendor/lib(64)?/libadreno_app_profiles\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.qti\.qspmhal@1\.0\.so u:object_r:same_process_hal_file:s0
+
 # libOpenCL-pixel and its dependencies
 /vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
@@ -243,6 +246,7 @@
 /dev/msm_.* u:object_r:audio_device:s0
 /dev/ramdump_.* u:object_r:ramdump_device:s0
 /dev/at_.* u:object_r:at_device:s0
+/dev/qce u:object_r:qce_device:s0
 # dev socket nodes
 /dev/socket/ipacm_log_file u:object_r:ipacm_socket:s0
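Review bot: `libgpudataproducer\.so`, `libadreno_app_profiles\.so` and `vendor\.qti\.qspmhal@1\.0\.so` are labeled `same_process_hal_file`, which makes them loadable into the address space of the client process, untrusted apps included, yet only the profiling pair gets a comment and that comment does not say which loader pulls them in. Following the `# libGLESv2_adreno depends on this` pattern already in the hunk, each new entry should name its dependent, e.g. `# loaded by the adreno graphics driver (TODO: confirm which library)`. Same-process HAL code runs with the privileges of whatever process maps it, so this list should grow only with a stated reason.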
@@ -262,7 +266,6 @@
 /data/vendor/modem_fdr(/.*)? u:object_r:modem_fdr_file:s0
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
 /data/vendor/nnhal(/.*)? u:object_r:hal_neuralnetworks_data_file:s0
-/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/ssrdump(/.*)? u:object_r:ramdump_vendor_data_file:s0
 /data/vendor/ssrlog(/.*)? u:object_r:ssr_log_file:s0
 /data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
diff --git a/vendor/qcom/common/genfs_contexts b/vendor/qcom/common/genfs_contexts
index 8afbb14..d8158ec 100644
--- a/vendor/qcom/common/genfs_contexts
+++ b/vendor/qcom/common/genfs_contexts
@@ -26,3 +26,5 @@ genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws@1e08000
 genfscon sysfs /devices/virtual/xt_hardidletimer/timers u:object_r:sysfs_data:s0
 genfscon sysfs /devices/virtual/xt_idletimer/timers u:object_r:sysfs_data:s0
 genfscon sysfs /module/subsystem_restart/parameters/enable_ramdumps u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 4b52daf..2f8fbdd 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
@@ -10,4 +10,6 @@ allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
 binder_call(hal_drm_widevine, hal_graphics_composer_default)
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
\ No newline at end of file
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine qce_device:chr_file rw_file_perms;
diff --git a/vendor/qcom/common/hal_gnss_qti.te b/vendor/qcom/common/hal_gnss_qti.te
index c4481a7..80abd2e 100644
--- a/vendor/qcom/common/hal_gnss_qti.te
+++ b/vendor/qcom/common/hal_gnss_qti.te
@@ -24,5 +24,7 @@ allow hal_gnss_qti location:unix_dgram_socket sendto;
 allow hal_gnss_qti self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow hal_gnss_qti location_data_file:dir r_dir_perms;
+
 # Allow Gnss HAL to get updates from health hal
 hal_client_domain(hal_gnss_qti, hal_health)
diff --git a/vendor/qcom/common/hal_neuralnetworks.te b/vendor/qcom/common/hal_neuralnetworks.te
index 1d20204..6ccdd39 100644
--- a/vendor/qcom/common/hal_neuralnetworks.te
+++ b/vendor/qcom/common/hal_neuralnetworks.te
@@ -17,3 +17,6 @@ r_dir_file(hal_neuralnetworks_default, sysfs_soc)
 r_dir_file(hal_neuralnetworks_default, adsprpcd_file)
 dontaudit hal_neuralnetworks_default vendor_display_prop:file read;
+
+# b/159570217 suppress warning related to zeroth.debuglog.logmask
+dontaudit hal_neuralnetworks_default default_prop:file { open read };
diff --git a/vendor/qcom/common/hal_rcsservice.te b/vendor/qcom/common/hal_rcsservice.te
index 9acd706..0c95f16 100644
--- a/vendor/qcom/common/hal_rcsservice.te
+++ b/vendor/qcom/common/hal_rcsservice.te
@@ -11,6 +11,8 @@ hwbinder_use(hal_rcsservice)
 # add IUceSerive and IService to Hidl interface
 add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
 add_hwservice(hal_rcsservice, hal_imscallinfo_hwservice)
+# add imsfactory to HIDl interface
+add_hwservice(hal_rcsservice, hal_imsfactory_hwservice)
 get_prop(hal_rcsservice, hwservicemanager_prop)
 set_prop(hal_rcsservice, qcom_ims_prop)
diff --git a/vendor/qcom/common/hvdcp.te b/vendor/qcom/common/hvdcp.te
index 7cdae50..9c1b7eb 100644
--- a/vendor/qcom/common/hvdcp.te
+++ b/vendor/qcom/common/hvdcp.te
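Review bot: `allow hal_drm_widevine qce_device:chr_file rw_file_perms;` grants the full `rw_file_perms` set on a crypto-engine device node, and that set includes `ioctl`, the permission that actually exposes the driver's command surface; the tee.te hunk near the end (`allow tee graphics_device:chr_file rw_file_perms;`) has the same shape. If the command set the HAL issues is known, an `allowxperm hal_drm_widevine qce_device:chr_file ioctl { ... };` line bounding it, or at least a comment naming the operations needed, would keep the grant reviewable. The `qce_device` type is not declared anywhere in this chunk, so I assume it is declared in a device file elsewhere in the tree.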
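Review bot: The new comment `# add imsfactory to HIDl interface` in hal_rcsservice.te misspells the acronym; the comment directly above it in the hunk writes `Hidl`, so `# add imsfactory to HIDL interface` keeps the two lines consistent.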
@@ -7,7 +7,7 @@ allow hvdcp sysfs_batteryinfo:dir r_dir_perms;
 allow hvdcp qg_device:chr_file rw_file_perms;
 allow hvdcp self:capability2 wake_alarm;
 allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hvdcp kmsg_device:chr_file r_file_perms;
+allow hvdcp kmsg_device:chr_file rw_file_perms;
 allow hvdcp mnt_vendor_file:dir r_dir_perms;
 allow hvdcp persist_file:dir search;
 allow hvdcp persist_hvdcp_file:dir search;
diff --git a/vendor/qcom/common/hwservice.te b/vendor/qcom/common/hwservice.te
index e681898..c17da13 100644
--- a/vendor/qcom/common/hwservice.te
+++ b/vendor/qcom/common/hwservice.te
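Review bot: `allow hvdcp kmsg_device:chr_file rw_file_perms;` widens the existing read grant on the kmsg device to read-plus-write, but a daemon that writes to kmsg for logging only needs `w_file_perms`, which is what `allow rmt_storage kmsg_device:chr_file w_file_perms;` uses in the rmt_storage.te hunk further down. If hvdcp genuinely both reads the kernel log and writes to it, a one-line comment stating why the read side is needed would justify the broader rule. The pd_services.te hunk makes the same `w_file_perms` to `rw_file_perms` move for vendor_pd_mapper, there adding the read side outright, and the same question applies.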
@@ -1,24 +1,25 @@
-type hal_display_color_hwservice, hwservice_manager_type;
-type hal_iwlan_hwservice, hwservice_manager_type;
-type hal_display_config_hwservice, hwservice_manager_type;
-type hal_display_postproc_hwservice, hwservice_manager_type;
-type hal_dpmqmi_hwservice, hwservice_manager_type;
-type hal_imsrtp_hwservice, hwservice_manager_type;
-type hal_imscallinfo_hwservice, hwservice_manager_type;
-type hal_datafactory_hwservice, hwservice_manager_type;
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_latency_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
-type hal_ipacm_hwservice, hwservice_manager_type;
-type hal_qteeconnector_hwservice, hwservice_manager_type;
-type hal_voiceprint_hwservice, hwservice_manager_type;
-type vendor_hal_factory_qti_hwservice, hwservice_manager_type;
-type hal_tui_comm_hwservice, hwservice_manager_type;
-type hal_qdutils_disp_hwservice, hwservice_manager_type;
-type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type;
-type vnd_atcmdfwd_hwservice, hwservice_manager_type;
-type hal_dataconnection_hwservice, hwservice_manager_type;
-type hal_bluetooth_coexistence_hwservice, hwservice_manager_type;
-type hal_cacert_hwservice, hwservice_manager_type;
-type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type;
-type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_display_color_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_iwlan_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_config_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_display_postproc_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dpmqmi_hwservice, hwservice_man_type, vendor_hwservice_type;
+type hal_imsrtp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imscallinfo_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_datafactory_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cne_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_latency_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_imsrcsd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_ipacm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qteeconnector_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_voiceprint_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vendor_hal_factory_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_tui_comm_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qdutils_disp_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_sensorscalibrate_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type vnd_atcmdfwd_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_dataconnection_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_cacert_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_capabilityconfigstore_qti_hwservice, hwservice_manager_type, vendor_hwservice_type;
+type hal_qseecom_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
+type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;
+type hal_imsfactory_hwservice, hwservice_manager_type, protected_hwservice, vendor_hwservice_type;
diff --git a/vendor/qcom/common/hwservice_contexts b/vendor/qcom/common/hwservice_contexts
index 2aecfbc..d6d205b 100644
--- a/vendor/qcom/common/hwservice_contexts
+++ b/vendor/qcom/common/hwservice_contexts
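Review bot: `type hal_mwqemadapter_hwservice, hwservice_manager_type, protected_hwservice;` is the only declaration in the new block without `vendor_hwservice_type`, while the neighbouring `hal_imsfactory_hwservice` line added by the same change carries it; if that is not deliberate, append `, vendor_hwservice_type` so the type is treated like the rest of the vendor hwservices. The hunk also drops the `hal_bluetooth_coexistence_hwservice` declaration, yet the hwservice_contexts hunk at `@@ -37,3 +37,6 @@` re-adds two entries labeled with that type; unless it is now declared in a file outside this diff, those entries will not resolve.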
@@ -11,12 +11,11 @@ vendor.display.color::IDisplayColor u:object
 vendor.display.config::IDisplayConfig u:object_r:hal_display_config_hwservice:s0
 vendor.display.postproc::IDisplayPostproc u:object_r:hal_display_postproc_hwservice:s0
 vendor.qti.hardware.display.mapper::IQtiMapper u:object_r:hal_graphics_mapper_hwservice:s0
-vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
-vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
 vendor.qti.hardware.qdutils_disp::IQdutilsDisp u:object_r:hal_qdutils_disp_hwservice:s0
 vendor.qti.hardware.qteeconnector::IAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.qteeconnector::IGPAppConnector u:object_r:hal_qteeconnector_hwservice:s0
 vendor.qti.hardware.radio.am::IQcRilAudio u:object_r:hal_telephony_hwservice:s0
+vendor.qti.hardware.radio.internal.deviceinfo::IDeviceInfo u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.lpa::IUimLpa u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.qcrilhook::IQtiOemHook u:object_r:hal_telephony_hwservice:s0
 vendor.qti.hardware.radio.qtiradio::IQtiRadio u:object_r:hal_telephony_hwservice:s0
@@ -29,6 +28,7 @@ vendor.qti.hardware.tui_comm::ITuiComm u:object
 vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd u:object_r:vnd_atcmdfwd_hwservice:s0
 vendor.qti.hardware.data.latency::ILinkLatency u:object_r:hal_latency_hwservice:s0
 vendor.qti.data.factory::IFactory u:object_r:hal_datafactory_hwservice:s0
+vendor.qti.ims.factory::IImsFactory u:object_r:hal_imsfactory_hwservice:s0
 vendor.qti.imsrtpservice::IRTPService u:object_r:hal_imsrtp_hwservice:s0
 vendor.qti.hardware.cacert::IService u:object_r:hal_cacert_hwservice:s0
 hardware.google.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
@@ -37,3 +37,6 @@ vendor.qti.hardware.capabilityconfigstore::ICapabilityConfigStore u:object
 vendor.qti.hardware.display.allocator::IQtiAllocator u:object_r:hal_graphics_allocator_hwservice:s0
 vendor.qti.ims.callinfo::IService u:object_r:hal_imscallinfo_hwservice:s0
 vendor.qti.hardware.qseecom::IQSEECom u:object_r:hal_qseecom_hwservice:s0
+vendor.qti.hardware.mwqemadapter::IMwqemAdapter u:object_r:hal_mwqemadapter_hwservice:s0
+vendor.qti.hardware.bluetooth_sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+vendor.qti.hardware.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/vendor/qcom/common/init-qti-keymaster-sh.te b/vendor/qcom/common/init-qti-keymaster-sh.te
new file mode 100644
index 0000000..f5a6c31
--- /dev/null
+++ b/vendor/qcom/common/init-qti-keymaster-sh.te
@@ -0,0 +1,37 @@
+# Copyright (c) 2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type init-qti-keymaster-sh, domain;
+type init-qti-keymaster-sh_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init-qti-keymaster-sh)
+
+# Set vendor.keymaster.strongbox.version to 40 or 41
+set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);
+
+allow init-qti-keymaster-sh vendor_shell_exec:file rx_file_perms;
+allow init-qti-keymaster-sh vendor_toolbox_exec:file rx_file_perms;
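Review bot: `set_prop(init-qti-keymaster-sh, vendor_km_strongbox_version_prop);` ends with a semicolon while the other macro call in the same new file, `init_daemon_domain(init-qti-keymaster-sh)`, does not; the policy elsewhere in this diff mixes both forms, but a new file should pick one, and dropping the `;` matches the common form. The comment `# Set vendor.keymaster.strongbox.version to 40 or 41` could also name what consumes the value, since a property that selects which keymaster service starts is worth tracing from the policy side; the consumer cannot be identified from this hunk.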
diff --git a/vendor/qcom/common/mediacodec.te b/vendor/qcom/common/mediacodec.te
index 5ef6b8f..bec15f6 100644
--- a/vendor/qcom/common/mediacodec.te
+++ b/vendor/qcom/common/mediacodec.te
@@ -3,3 +3,5 @@ get_prop(mediacodec, ecoservice_prop)
 allow mediacodec hal_camera_default:binder call;
 get_prop(mediacodec, vendor_display_prop)
+
+dontaudit mediacodec sysfs_msm_subsys:dir search;
diff --git a/vendor/qcom/common/mediatranscoding.te b/vendor/qcom/common/mediatranscoding.te
new file mode 100644
index 0000000..ab3f09d
--- /dev/null
+++ b/vendor/qcom/common/mediatranscoding.te
@@ -0,0 +1,2 @@
+get_prop(domain, vendor_display_prop)
+
diff --git a/vendor/qcom/common/netmgrd.te b/vendor/qcom/common/netmgrd.te
index 238a61b..4d53e7c 100644
--- a/vendor/qcom/common/netmgrd.te
+++ b/vendor/qcom/common/netmgrd.te
@@ -69,5 +69,6 @@ allow netmgrd self:netlink_xfrm_socket create_socket_perms_no_ioctl;
 #Allow set persist.vendor.data.shsusr_load
 #Allow set persist.vendor.data.perf_ko_load
 #Allow set persist.vendor.data.qmipriod_load
+#Allow set persist.vendor.data.offload_ko_load
 set_prop(netmgrd, vendor_radio_prop)
diff --git a/vendor/qcom/common/pd_services.te b/vendor/qcom/common/pd_services.te
index 3f48cef..b504a16 100644
--- a/vendor/qcom/common/pd_services.te
+++ b/vendor/qcom/common/pd_services.te
@@ -6,7 +6,7 @@ init_daemon_domain(vendor_pd_mapper);
 allow vendor_pd_mapper self:qipcrtr_socket create_socket_perms_no_ioctl;
 userdebug_or_eng(`
- allow vendor_pd_mapper kmsg_device:chr_file w_file_perms;
+ allow vendor_pd_mapper kmsg_device:chr_file rw_file_perms;
 ')
 dontaudit vendor_pd_mapper sysfs_esoc:dir search;
diff --git a/vendor/qcom/common/peripheral_manager.te b/vendor/qcom/common/peripheral_manager.te
index bd5f923..05e75bc 100644
--- a/vendor/qcom/common/peripheral_manager.te
+++ b/vendor/qcom/common/peripheral_manager.te
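Review bot: `get_prop(domain, vendor_display_prop)` in the new mediatranscoding.te grants the read to every process in the policy, not to the transcoding service, because `domain` is the attribute covering all domains. If the intent is the transcoding service, the rule should be `get_prop(mediatranscoding, vendor_display_prop)`; if a policy-wide read really is intended, it belongs in a domain-level file with a comment saying so. The property.te hunk further down declares `vendor_restricted_prop(vendor_display_prop)`, which may already make it readable policy-wide, so the rule may also be redundant; I cannot confirm that from this chunk.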
@@ -8,6 +8,7 @@ init_daemon_domain(vendor_per_mgr);
 vndbinder_use(vendor_per_mgr)
 binder_call(vendor_per_mgr, vendor_per_mgr)
 binder_call(vendor_per_mgr, wcnss_service)
+binder_call(vendor_per_mgr, rild)
 set_prop(vendor_per_mgr, vendor_per_mgr_state_prop)
 allow vendor_per_mgr self:qipcrtr_socket create_socket_perms_no_ioctl;
diff --git a/vendor/qcom/common/property.te b/vendor/qcom/common/property.te
index e088dad..81b3b55 100644
--- a/vendor/qcom/common/property.te
+++ b/vendor/qcom/common/property.te
@@ -1,64 +1,64 @@
-type uicc_prop, property_type;
-type qcom_ims_prop, property_type;
-type ctl_vendor_netmgrd_prop, property_type;
-type ctl_vendor_port-bridge_prop, property_type;
-type ctl_qcrild_prop, property_type;
-type vendor_tee_listener_prop, property_type;
-type ctl_vendor_rild_prop, property_type;
-type ctl_LKCore_prop, property_type;
-type freq_prop, property_type;
-type vendor_dataqti_prop, property_type;
-type cnd_vendor_prop, property_type;
-type sensors_prop, property_type;
-type slpi_prop, property_type;
-type msm_irqbalance_prop, property_type;
-type msm_irqbl_sdm630_prop, property_type;
-type camera_prop, property_type;
-type spcomlib_prop, property_type;
-type vendor_display_prop, property_type;
-type scr_enabled_prop, property_type;
-type bg_boot_complete_prop, property_type;
-type opengles_prop, property_type;
-type mdm_helper_prop, property_type;
-type vendor_mpctl_prop, property_type;
-type vendor_iop_prop, property_type;
-type vendor_preobtain_prop, property_type;
-type vendor_am_prop, property_type;
-type vendor_gralloc_prop, property_type;
-type fm_prop, property_type;
-type chgdiabled_prop, property_type;
-type vendor_xlat_prop, property_type;
-type location_prop, property_type;
-type qemu_hw_mainkeys_prop, property_type;
-type vendor_usb_prop, property_type;
-type public_vendor_system_prop, property_type;
-type vendor_coresight_prop, property_type;
-type public_vendor_default_prop, property_type;
-type vendor_alarm_boot_prop, property_type;
-type dolby_prop, property_type;
-type hwui_prop, property_type;
-type graphics_vulkan_prop, property_type;
-type bservice_prop, property_type;
-type reschedule_service_prop, property_type;
-type vendor_boot_mode_prop, property_type;
-type nfc_nq_prop, property_type;
-type vendor_rild_libpath_prop, property_type;
-type vendor_per_mgr_state_prop, property_type;
-type vendor_system_prop, property_type;
-type vendor_bluetooth_prop, property_type;
-type ctl_vendor_imsrcsservice_prop, property_type;
-type vendor_time_service_prop, property_type;
-type vendor_radio_prop, property_type;
-type vendor_audio_prop, property_type;
-type vendor_ssr_prop, property_type;
-type vendor_pd_locater_dbg_prop, property_type;
-type vendor_qdcmss_prop, property_type;
-type vendor_softap_prop, property_type;
-type mm_parser_prop, property_type;
-type mm_video_prop, property_type;
-type ctl_vendor_rmt_storage_prop, property_type;
-type vendor_wifi_version, property_type;
-type vendor_cnss_diag_prop, property_type;
-type vendor_modem_diag_prop, property_type;
-type vendor_ramdump_prop, property_type;
-type vendor_hvdcp_opti_prop, property_type;
+vendor_internal_prop(uicc_prop)
+vendor_restricted_prop(qcom_ims_prop)
+vendor_internal_prop(ctl_vendor_netmgrd_prop)
+vendor_internal_prop(ctl_vendor_port-bridge_prop)
+vendor_internal_prop(ctl_qcrild_prop)
+vendor_internal_prop(vendor_tee_listener_prop)
+vendor_internal_prop(ctl_vendor_rild_prop)
+vendor_internal_prop(ctl_LKCore_prop)
+vendor_internal_prop(freq_prop)
+vendor_internal_prop(vendor_dataqti_prop)
+vendor_restricted_prop(cnd_vendor_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(slpi_prop)
+vendor_internal_prop(msm_irqbalance_prop)
+vendor_internal_prop(msm_irqbl_sdm630_prop)
+vendor_restricted_prop(camera_prop)
+vendor_internal_prop(spcomlib_prop)
+vendor_restricted_prop(vendor_display_prop)
+vendor_internal_prop(scr_enabled_prop)
+vendor_internal_prop(bg_boot_complete_prop)
+vendor_internal_prop(opengles_prop)
+vendor_internal_prop(mdm_helper_prop)
+vendor_internal_prop(vendor_mpctl_prop)
+vendor_internal_prop(vendor_iop_prop)
+vendor_internal_prop(vendor_preobtain_prop)
+vendor_internal_prop(vendor_am_prop)
+vendor_internal_prop(vendor_gralloc_prop)
+vendor_internal_prop(fm_prop)
+vendor_internal_prop(chgdiabled_prop)
+vendor_internal_prop(vendor_xlat_prop)
+vendor_internal_prop(location_prop)
+vendor_internal_prop(qemu_hw_mainkeys_prop)
+vendor_internal_prop(vendor_usb_prop)
+vendor_internal_prop(public_vendor_system_prop)
+vendor_internal_prop(vendor_coresight_prop)
+vendor_restricted_prop(public_vendor_default_prop)
+vendor_internal_prop(vendor_alarm_boot_prop)
+vendor_internal_prop(dolby_prop)
+vendor_internal_prop(hwui_prop)
+vendor_internal_prop(graphics_vulkan_prop)
+vendor_internal_prop(bservice_prop)
+vendor_internal_prop(reschedule_service_prop)
+vendor_internal_prop(vendor_boot_mode_prop)
+vendor_internal_prop(nfc_nq_prop)
+vendor_internal_prop(vendor_rild_libpath_prop)
+vendor_internal_prop(vendor_per_mgr_state_prop)
+vendor_internal_prop(vendor_system_prop)
+vendor_internal_prop(vendor_bluetooth_prop)
+vendor_internal_prop(ctl_vendor_imsrcsservice_prop)
+vendor_internal_prop(vendor_time_service_prop)
+vendor_restricted_prop(vendor_radio_prop)
+vendor_internal_prop(vendor_audio_prop)
+vendor_internal_prop(vendor_ssr_prop)
+vendor_internal_prop(vendor_pd_locater_dbg_prop)
+vendor_internal_prop(vendor_qdcmss_prop)
+vendor_internal_prop(vendor_softap_prop)
+vendor_internal_prop(mm_parser_prop)
+vendor_internal_prop(mm_video_prop)
+vendor_internal_prop(ctl_vendor_rmt_storage_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_cnss_diag_prop)
+vendor_internal_prop(vendor_modem_diag_prop)
+vendor_restricted_prop(vendor_hvdcp_opti_prop)
+vendor_restricted_prop(vendor_km_strongbox_version_prop)
diff --git a/vendor/qcom/common/property_contexts b/vendor/qcom/common/property_contexts
index cf09828..eebfb81 100644
--- a/vendor/qcom/common/property_contexts
+++ b/vendor/qcom/common/property_contexts
@@ -1,5 +1,6 @@
 # vendor_audio_prop
 vendor.audio.snd_card.open.retries u:object_r:vendor_audio_prop:s0
+vendor.audio.adm.buffering.ms u:object_r:vendor_audio_prop:s0
 vendor.audio.volume.listener.dump u:object_r:vendor_audio_prop:s0
 vendor.audio.volume.headset.gain.depcal u:object_r:vendor_audio_prop:s0
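Review bot: The property.te hunk drops `vendor_ramdump_prop` from the declarations, while the property_contexts hunk at `@@ -65,6 +64,7 @@` further down keeps `persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0` as an unchanged line even though the other two `vendor_ramdump_prop` mappings are removed in that file. Unless the type is declared somewhere outside this diff, that context entry no longer resolves; either remove or relabel the crash_rcu line, or keep a `vendor_internal_prop(vendor_ramdump_prop)` declaration. The split between `vendor_restricted_prop` and `vendor_internal_prop` is also undocumented; a short comment on each restricted property naming the system-side reader that needs it would make the exposure reviewable.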
@@ -38,7 +39,6 @@ persist.vendor.bt.soc.scram_freqs u:object_r:vendor_bluetooth_prop
 ro.vendor.audio.sdk.fluencetype u:object_r:vendor_audio_prop:s0
 ro.vendor.ril. u:object_r:vendor_radio_prop:s0
-ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
 # vendor display prop
 vendor.gralloc.disable_ahardware_buffer u:object_r:vendor_display_prop:s0
@@ -50,7 +50,6 @@ vendor.debug.prerotation.disable u:object_r:vendor_display_prop:s
 vendor.debug.egl.swapinterval u:object_r:vendor_display_prop:s0
 ro.vendor.graphics.memory u:object_r:vendor_display_prop:s0
-vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
 vendor.ims. u:object_r:qcom_ims_prop:s0
 vendor.peripheral. u:object_r:vendor_per_mgr_state_prop:s0
 vendor.sys.listeners.registered u:object_r:vendor_tee_listener_prop:s0
@@ -65,6 +64,7 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0
 persist.vendor.sys.cnss. u:object_r:vendor_cnss_diag_prop:s0
 persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
 persist.vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
+vendor.sys.ssr. u:object_r:vendor_ssr_prop:s0
 ctl.vendor.rmt_storage u:object_r:ctl_vendor_rmt_storage_prop:s0
@@ -85,3 +85,7 @@ persist.vendor.data.shs_ko_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.shsusr_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.perf_ko_load u:object_r:vendor_radio_prop:s0
 persist.vendor.data.qmipriod_load u:object_r:vendor_radio_prop:s0
+persist.vendor.data.offload_ko_load u:object_r:vendor_radio_prop:s0
+
+#keymaster strongbox service
+vendor.keymaster.strongbox.version u:object_r:vendor_km_strongbox_version_prop:s0
diff --git a/vendor/qcom/common/qtelephony.te b/vendor/qcom/common/qtelephony.te
index 315b1a2..29ce45f 100644
--- a/vendor/qcom/common/qtelephony.te
+++ b/vendor/qcom/common/qtelephony.te
@@ -7,6 +7,7 @@ add_hwservice(qtelephony, vnd_atcmdfwd_hwservice)
 allow qtelephony app_api_service:service_manager find;
 allow qtelephony hal_imsrtp_hwservice:hwservice_manager find;
+allow qtelephony hal_telephony_service:service_manager find;
 allow qtelephony radio_service:service_manager find;
 allow qtelephony sysfs_diag:dir search;
 allow qtelephony sysfs_timestamp_switch:file r_file_perms;
diff --git a/vendor/qcom/common/qtidataservices_app.te b/vendor/qcom/common/qtidataservices_app.te
index f6a80fc..2869a54 100644
--- a/vendor/qcom/common/qtidataservices_app.te
+++ b/vendor/qcom/common/qtidataservices_app.te
@@ -18,6 +18,6 @@ allow qtidataservices_app sysfs_soc:file r_file_perms;
 allow qtidataservices_app sysfs_ssr:file r_file_perms;
 get_prop(qtidataservices_app, vendor_default_prop)
-set_prop(qtidataservices_app, exported_radio_prop)
+set_prop(qtidataservices_app, telephony_status_prop)
 binder_call(qtidataservices_app, cnd)
diff --git a/vendor/qcom/common/rfs_access.te b/vendor/qcom/common/rfs_access.te
index 97d138d..14cb6a7 100644
--- a/vendor/qcom/common/rfs_access.te
+++ b/vendor/qcom/common/rfs_access.te
@@ -17,3 +17,5 @@ allow rfs_access rfs_tombstone_data_file:file create_file_perms;
 allow rfs_access self:qipcrtr_socket create_socket_perms_no_ioctl;
 wakelock_use(rfs_access)
+
+dontaudit rfs_access self:capability { dac_override dac_read_search };
diff --git a/vendor/qcom/common/rmt_storage.te b/vendor/qcom/common/rmt_storage.te
index f094ba9..70d9bce 100644
--- a/vendor/qcom/common/rmt_storage.te
+++ b/vendor/qcom/common/rmt_storage.te
@@ -6,7 +6,7 @@ wakelock_use(rmt_storage)
 r_dir_file(rmt_storage, sysfs_uio)
-get_prop(rmt_storage, exported3_radio_prop)
+get_prop(rmt_storage, radio_control_prop)
 set_prop(rmt_storage, vendor_modem_prop)
 allow rmt_storage kmsg_device:chr_file w_file_perms;
diff --git a/vendor/qcom/common/seapp_contexts b/vendor/qcom/common/seapp_contexts
index cb5dedf..fbf0b3a 100644
--- a/vendor/qcom/common/seapp_contexts
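Review bot: `dontaudit rfs_access self:capability { dac_override dac_read_search };` in the rfs_access.te hunk silences a DAC-bypass denial without recording which path triggers it. The rules above it in the same hunk grant specific file types, so a comment naming the directory whose ownership or mode produces the denial, and stating that the access is not actually needed, should accompany the dontaudit; otherwise a later genuine need for that path shows up as a silent failure instead of an audit message.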
+++ b/vendor/qcom/common/seapp_contexts
@@ -1,11 +1,9 @@
-#TODO(b/126137625): moving dataservice app from system to radio process
-user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file
-#user=system seinfo=platform name=.dataservices domain=dataservice_app type=system_app_data_file
+user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file levelFrom=user
 # Hardware Info Collection
-user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
-user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=.qtidataservices domain=qtidataservices_app type=app_data_file levelFrom=all
@@ -15,7 +13,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 user=_app seinfo=platform name=com.qualcomm.qti.services.secureui* domain=secure_ui_service_app levelFrom=all
 #Needed for time service apk
-user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file
+user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=app_data_file levelFrom=all
 # Use a custom domain for GoogleCamera, to allow for Hexagon DSP / Easel access
 user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
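Review bot: The hardwareinfo entry now reads `user=_app isPrivApp=true name=com.google.android.hardwareinfo ...` with `seinfo=platform` removed, so the `hardware_info_app` domain is selected by package name and priv-app location alone rather than by platform signature; the RilConfigService line in the same hunk keeps both `isPrivApp=true` and `seinfo=platform`. If the app is no longer signed with the platform key, the `# Hardware Info Collection` comment should say so; otherwise keeping `seinfo=platform` alongside `isPrivApp=true` retains the signature check.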
@@ -31,3 +29,9 @@ user=_app seinfo=platform name=org.codeaurora.ims isPrivApp=true domain=qtelepho
 #Add DeviceInfoHidlClient to vendor_qtelephony
 user=_app seinfo=platform name=com.qualcomm.qti.devicestatisticsservice domain=qtelephony type=app_data_file levelFrom=all
+
+# QtiTelephonyService app
+user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice domain=qtelephony type=app_data_file levelFrom=all
+
+#Add ExtTelephonyService to vendor_qtelephony
+user=_app seinfo=platform name=com.qti.phone domain=qtelephony type=app_data_file levelFrom=all
diff --git a/vendor/qcom/common/secure_ui_service_app.te b/vendor/qcom/common/secure_ui_service_app.te
index bcb3e97..f577653 100644
--- a/vendor/qcom/common/secure_ui_service_app.te
+++ b/vendor/qcom/common/secure_ui_service_app.te
@@ -5,8 +5,4 @@ binder_call(secure_ui_service_app, system_server)
 binder_call(secure_ui_service_app, hal_tui_comm_qti)
 allow secure_ui_service_app hal_tui_comm_hwservice:hwservice_manager find;
-allow secure_ui_service_app surfaceflinger_service:service_manager find;
-allow secure_ui_service_app telecom_service:service_manager find;
-allow secure_ui_service_app trust_service:service_manager find;
-allow secure_ui_service_app activity_service:service_manager find;
-allow secure_ui_service_app thermal_service:service_manager find;
+allow secure_ui_service_app app_api_service:service_manager find;
diff --git a/vendor/qcom/common/sensors.te b/vendor/qcom/common/sensors.te
index 95737d0..a423192 100644
--- a/vendor/qcom/common/sensors.te
+++ b/vendor/qcom/common/sensors.te
@@ -12,5 +12,7 @@ allow sensors self:qipcrtr_socket create;
 allow sensors sensors_persist_file:dir rw_dir_perms;
 r_dir_file(sensors, sysfs_msm_subsys)
 allow sensors sysfs_ssr:file r_file_perms;
+allow sensors sensors_vendor_data_file:dir rw_dir_perms;
+allow sensors sensors_vendor_data_file:file create_file_perms;
 dontaudit sensors sysfs_esoc:dir r_dir_perms;
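Review bot: The two new qtelephony entries, `user=_app seinfo=platform name=com.qualcomm.qti.telephonyservice ...` and `user=_app seinfo=platform name=com.qti.phone ...`, omit `isPrivApp=true`, while the existing org.codeaurora.ims entry shown in the hunk header carries it. All three map into the same `qtelephony` domain, which this commit also grants `hal_telephony_service` find, so the conditions for entering that domain should be uniform; if both packages ship as priv-apps, add `isPrivApp=true` to each new line. The comment style is also mixed (`# QtiTelephonyService app` versus `#Add ExtTelephonyService to vendor_qtelephony`); pick one form for the file.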
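Review bot: Replacing the five enumerated `service_manager find` rules with `allow secure_ui_service_app app_api_service:service_manager find;` widens the reachable set from those specific services to every service carrying the `app_api_service` attribute. For an app domain this matches what ordinary apps already receive, so it is not a privilege escalation, but the explicit list also documented what the app depends on and that is lost. If the app really needs only the five, keep the enumeration; if it needs the broader set, a comment such as `# secure UI app uses the standard app-facing services` records the intent for the next reviewer.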
diff --git a/vendor/qcom/common/service.te b/vendor/qcom/common/service.te
index c2ea2f6..cb00941 100644
--- a/vendor/qcom/common/service.te
+++ b/vendor/qcom/common/service.te
@@ -4,3 +4,4 @@ type imsrcs_service, service_manager_type;
 type improve_touch_service, service_manager_type;
 type gba_auth_service, service_manager_type;
 type qtitetherservice_service, service_manager_type;
+type hal_telephony_service, service_manager_type, vendor_service, protected_service;
diff --git a/vendor/qcom/common/service_contexts b/vendor/qcom/common/service_contexts
new file mode 100644
index 0000000..c11263b
--- /dev/null
+++ b/vendor/qcom/common/service_contexts
@@ -0,0 +1,3 @@
+vendor.qti.hardware.radio.ims.IImsRadio/default u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio0 u:object_r:hal_telephony_service:s0
+vendor.qti.hardware.radio.ims.IImsRadio/imsradio1 u:object_r:hal_telephony_service:s0
diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index b28b1b7..d1e8cc1 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -31,3 +31,6 @@ allow tee hal_graphics_allocator_default:fd use;
 allow tee sysfs_wake_lock:file append;
 allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file rw_file_perms;
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
index 594e74d..eddf11d 100644
--- a/vendor/st/file_contexts
+++ b/vendor/st/file_contexts
@@ -11,6 +11,5 @@
 ###################################
 # data files
-/data/vendor/ese(/.*)? u:object_r:ese_vendor_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
diff --git a/vendor/st/hal_nfc_default.te b/vendor/st/hal_nfc_default.te
index 66ce177..5f0c7f6 100644
--- a/vendor/st/hal_nfc_default.te
+++ b/vendor/st/hal_nfc_default.te
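Review bot: `allow tee graphics_device:chr_file rw_file_perms;` includes `ioctl`, so the TEE daemon receives the full ioctl surface of the graphics device node rather than just read and write on it. If secure UI needs only a few specific ioctls, pair the rule with `allowxperm tee graphics_device:chr_file ioctl { <needed-ioctl-placeholders> };` to pin them down; if plain read/write is sufficient, an explicit permission set without `ioctl`, e.g. `allow tee graphics_device:chr_file { open read write getattr };`, is tighter still. The comment `# allow tee access for secure UI to work` would be more useful if it named which secure-UI path actually opens the node, since that is what justifies the rule.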
@@ -1,3 +1,9 @@
+# NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
 # Modem property
 set_prop(hal_nfc_default, vendor_modem_prop)
diff --git a/vendor/st/hal_secure_element_default.te b/vendor/st/hal_secure_element_default.te
index 94b811d..1c127ea 100644
--- a/vendor/st/hal_secure_element_default.te
+++ b/vendor/st/hal_secure_element_default.te
@@ -1,6 +1,5 @@
 allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default ese_vendor_data_file:dir create_dir_perms;
-allow hal_secure_element_default ese_vendor_data_file:file create_file_perms;
-allow hal_secure_element_default debugfs_ipc:dir search;
+dontaudit hal_secure_element_default debugfs_ipc:dir search;
 set_prop(hal_secure_element_default, vendor_secure_element_prop)
 get_prop(hal_secure_element_default, vendor_modem_prop)
+
diff --git a/vendor/st/property.te b/vendor/st/property.te
index d070080..723121a 100644
--- a/vendor/st/property.te
+++ b/vendor/st/property.te
@@ -1 +1,2 @@
-type vendor_secure_element_prop, property_type;
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
diff --git a/vendor/st/property_contexts b/vendor/st/property_contexts
index 01a12e4..c6cd8a4 100644
--- a/vendor/st/property_contexts
+++ b/vendor/st/property_contexts
@@ -1,4 +1,6 @@
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
diff --git a/vendor/st/vendor_init.te b/vendor/st/vendor_init.te
new file mode 100644
index 0000000..7de90e2
--- /dev/null
+++ b/vendor/st/vendor_init.te
@@ -0,0 +1,2 @@
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop) |
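Review bot: With the `/data/vendor/ese(/.*)?` entry removed from vendor/st/file_contexts and the two `ese_vendor_data_file` rules dropped here, a `/data/vendor/ese` directory left behind by a previous build will presumably fall back to its parent's label on the next relabel, and no domain in this hunk retains access to it; if the HAL ever persisted state there, confirm the path is either cleaned up or no longer needed across upgrades. The `allow` to `dontaudit` change on `debugfs_ipc:dir search` is a tightening, which is welcome. The trailing `+` adds an empty last line to the file; drop it so the file ends like the others in this directory.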
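Review bot: `vendor_internal_prop(vendor_nfc_prop)` and `vendor_internal_prop(vendor_secure_element_prop)` mark both properties as vendor-internal, which is stricter than the previous bare `type vendor_secure_element_prop, property_type;` and is the right default for `persist.vendor.*` keys that only vendor processes touch. If any system-side (coredomain) process needs to read `persist.vendor.nfc.*` or `persist.vendor.se.*`, the platform neverallow on vendor-internal properties will block it and the declaration should become `vendor_public_prop` (or `vendor_restricted_prop`) for that property; the readers are not visible in this diff, so treat that as a check rather than a defect. Note also that hal_nfc_default now gets `set_prop` on `vendor_secure_element_prop` (see the hal_nfc_default.te hunk) alongside the existing `set_prop(hal_secure_element_default, vendor_secure_element_prop)`, so two HALs write the same namespace and a comment on which keys each owns would help.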