author | Xin Li <delphij@google.com> | 2019-07-01 20:59:11 +0000 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2019-07-01 20:59:11 +0000 |
commit | 7079bb5d75470f5689b889083129a1a3bf9cebbe (patch) | |
tree | ab1358bd32decaef2aff49a5693703849df5f235 /sepolicy | |
parent | ec2781bb1596145fcdb7ca5e1c6ea0eced778418 (diff) | |
parent | b1f5d957079cc77a7cc7c50f77abee2eb0a156d8 (diff) | |
download | wahoo-7079bb5d75470f5689b889083129a1a3bf9cebbe.tar.gz |
DO NOT MERGE - Merge qt-dev-plus-aosp-without-vendor (5699924) into stage-aosp-master
Bug: 134405016
Change-Id: Iabc35a41afa0d200bb126abc10a809f36bd4a46a
Diffstat (limited to 'sepolicy')
30 files changed, 80 insertions, 56 deletions
diff --git a/sepolicy/private/mediaswcodec.te b/sepolicy/private/mediaswcodec.te new file mode 100644 index 00000000..36907500 --- /dev/null +++ b/sepolicy/private/mediaswcodec.te @@ -0,0 +1,2 @@ +allow mediaswcodec gpu_device:chr_file { ioctl open read write }; + diff --git a/sepolicy/public/init.te b/sepolicy/public/init.te new file mode 100644 index 00000000..e93b2e89 --- /dev/null +++ b/sepolicy/public/init.te @@ -0,0 +1 @@ +allow init vold_data_file:dir { relabelfrom }; diff --git a/sepolicy/public/ueventd.te b/sepolicy/public/ueventd.te new file mode 100644 index 00000000..985c8ec4 --- /dev/null +++ b/sepolicy/public/ueventd.te @@ -0,0 +1 @@ +allow ueventd metadata_file:dir search; diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te index 594f22a9..b9adc4c5 100644 --- a/sepolicy/vendor/cameraserver.te +++ b/sepolicy/vendor/cameraserver.te @@ -8,5 +8,4 @@ allow cameraserver sysfs_camera:dir search; allow cameraserver system_server:unix_stream_socket { read write }; -# TODO (b/37688918) Verify that this is actually needed and not a violation of treble binder_call(cameraserver, mediacodec) diff --git a/sepolicy/vendor/con_monitor.te b/sepolicy/vendor/con_monitor.te index 8730e566..e1ba346c 100644 --- a/sepolicy/vendor/con_monitor.te +++ b/sepolicy/vendor/con_monitor.te @@ -9,4 +9,4 @@ allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms; allow con_monitor_app radio_vendor_data_file:file create_file_perms; allow con_monitor_app radio_service:service_manager find; allow con_monitor_app audioserver_service:service_manager find; -hal_client_domain(con_monitor_app, hal_power);
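Review bot: The new rule in sepolicy/private/mediaswcodec.te grants `ioctl open read write` on `gpu_device` to the software codec domain with no comment and no ioctl filtering. Assuming mediaswcodec is the process that decodes media from untrusted sources, this makes the whole GPU driver ioctl surface reachable from that sandbox. I would put a comment above the rule, e.g. `# <why mediaswcodec needs the GPU node; bug reference>`. If the required commands are known, add an `allowxperm mediaswcodec gpu_device:chr_file ioctl { <needed commands> };` allowlist so the rest stay denied.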
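Review bot: The one-line sepolicy/public/init.te gives init `relabelfrom` on `vold_data_file:dir` without saying what is being relabelled or to which type. `relabelfrom` covers only the source side of a relabel, so a reader cannot tell from this file which destination label is intended or where the matching `relabelto` lives. A comment such as `# init relabels <path> from vold_data_file to <new type> during <step>` would make the rule auditable. The new sepolicy/public/ueventd.te (`allow ueventd metadata_file:dir search;`) has the same gap.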
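Review bot: The cameraserver.te hunk deletes `# TODO (b/37688918) ...` but keeps `binder_call(cameraserver, mediacodec)`, so the rule loses the only marker that it was unverified and possibly a Treble violation. If the bug was closed with the conclusion that the call is required, replace the TODO with a statement of that, e.g. `# cameraserver calls mediacodec for <purpose>; reviewed in b/37688918`. Otherwise the TODO should stay. The same applies in hal_graphics_composer_default.te, where `TODO(b/37666508)` is removed while `allow hal_graphics_composer_default video_device:chr_file rw_file_perms;` remains.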
\ No newline at end of file
+hal_client_domain(con_monitor_app, hal_power_stats);
\ No newline at end of file diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te index 6f859044..8e8e364d 100644 --- a/sepolicy/vendor/file.te +++ b/sepolicy/vendor/file.te @@ -37,6 +37,7 @@ type debugfs_tzdbg, debugfs_type, fs_type; # /proc type proc_wifi_dbg, fs_type, proc_type; +type proc_swappiness, fs_type, proc_type; type qmuxd_socket, file_type; type netmgrd_socket, file_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 345527ef..b66f65ae 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts 
@@ -167,35 +167,40 @@ /vendor/bin/oemlock_provision u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/oemlock-bridge u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.usb@1\.1-service\.wahoo u:object_r:hal_usb_impl_exec:s0 -/vendor/bin/hw/android\.hardware\.power@1\.2-service\.wahoo-libperfmgr u:object_r:hal_power_default_exec:s0 +/vendor/bin/hw/android\.hardware\.power@1\.3-service\.pixel-libperfmgr u:object_r:hal_power_default_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel u:object_r:hal_power_stats_default_exec:s0 /vendor/bin/chre u:object_r:chre_exec:s0 /vendor/bin/time_daemon u:object_r:time_daemon_exec:s0 /vendor/bin/imsrcsd u:object_r:hal_rcsservice_exec:s0 /vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0 /vendor/bin/init\.qcom\.ipastart\.sh u:object_r:init-qcom-ipastart-sh_exec:s0 -/vendor/bin/init\.qcom\.wlan\.sh u:object_r:init-qcom-wlan-sh_exec:s0 /vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 /vendor/etc/init\.insmod\.cfg u:object_r:init-insmod-sh_exec:s0 /vendor/bin/init\.power\.sh u:object_r:init_power_exec:s0 /vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 /vendor/bin/ramoops u:object_r:ramoops_exec:s0 /vendor/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0 +/vendor/bin/init\.fingerprint\.sh u:object_r:init-fingerprint_exec:s0 /vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti u:object_r:hal_bluetooth_default_exec:s0 -/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0 -/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.2-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@1\.2-service\.widevine u:object_r:hal_drm_widevine_exec:s0 
+/vendor/bin/hw/android\.hardware\.drm@1\.2-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0 /vendor/bin/hw/android\.hardware\.vibrator@1\.2-service\.wahoo u:object_r:hal_vibrator_default_exec:s0 /vendor/bin/hw/android\.hardware\.health@2\.0-service\.wahoo u:object_r:hal_health_default_exec:s0 /vendor/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0 /vendor/bin/hw/android\.hardware\.gnss@1\.0-service-qti u:object_r:hal_gnss_qti_exec:s0 +/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0 ############################################### # same-process HAL files and their dependencies # +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/gralloc\.msm8998\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdMetaData\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqservice\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libqdutils\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libadreno_utils\.so u:object_r:same_process_hal_file:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index 28d1f7a0..46b5afff 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -3,6 +3,7 @@ genfscon proc /debug/fwdump u:object_r:proc_wifi_dbg:s genfscon proc /debugdriver/driverdump u:object_r:proc_wifi_dbg:s0 genfscon proc /ath_pktlog/cld u:object_r:proc_wifi_dbg:s0 genfscon proc /irq u:object_r:proc_irq:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 genfscon sysfs /devices/soc/soc:qcom,cpubw u:object_r:sysfs_msm_subsys:s0 genfscon sysfs /devices/soc/soc:qcom,mincpubw u:object_r:sysfs_msm_subsys:s0 
diff --git a/sepolicy/vendor/hal_drm_clearkey.te b/sepolicy/vendor/hal_drm_clearkey.te index 5632c3b2..6d4a8152 100644 --- a/sepolicy/vendor/hal_drm_clearkey.te +++ b/sepolicy/vendor/hal_drm_clearkey.te @@ -1,4 +1,4 @@ -# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey +# policy for /vendor/bin/hw/android.hardware.drm clearkey service type hal_drm_clearkey, domain; type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type; diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te index 8e6eca1b..bfa6a6b2 100644 --- a/sepolicy/vendor/hal_drm_widevine.te +++ b/sepolicy/vendor/hal_drm_widevine.te @@ -1,4 +1,3 @@ -# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.widevine type hal_drm_widevine, domain; type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type; diff --git a/sepolicy/vendor/hal_dumpstate_impl.te b/sepolicy/vendor/hal_dumpstate_impl.te index 60c781bd..a2f8ffce 100644 --- a/sepolicy/vendor/hal_dumpstate_impl.te +++ b/sepolicy/vendor/hal_dumpstate_impl.te @@ -8,6 +8,10 @@ init_daemon_domain(hal_dumpstate_impl) allow hal_dumpstate_impl vendor_shell_exec:file rx_file_perms; allow hal_dumpstate_impl vendor_toolbox_exec:file rx_file_perms; +# Allow to read pixel-trace trace file +allow hal_dumpstate_impl debugfs_tracing_instances:dir search; +allow hal_dumpstate_impl debugfs_tracing_instances:file r_file_perms; + userdebug_or_eng(` # smlog_dump domain_auto_trans(hal_dumpstate_impl, smlog_dump_exec, smlog_dump) diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te index 42aa3935..c5e36687 100644 --- a/sepolicy/vendor/hal_graphics_composer_default.te +++ b/sepolicy/vendor/hal_graphics_composer_default.te 
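Review bot: In hal_dumpstate_impl.te the two `debugfs_tracing_instances` rules are added above the `userdebug_or_eng(` block, so the dumpstate HAL can read trace-instance files on user builds too. If the pixel-trace instance is only collected on debug builds, move both rules inside the existing `userdebug_or_eng(` block. If it is meant for user builds, say so in the comment, e.g. `# pixel-trace instance is included in user-build bug reports`. The matching pair in vendor_init.te (`allow vendor_init debugfs_tracing_instances:dir create_dir_perms;` and `:file w_file_perms;`) has no comment at all and needs the same explanation. The `userdebug_or_eng` block continues past the end of this hunk.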
@@ -16,7 +16,6 @@ allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_mana r_dir_file(hal_graphics_composer_default, sysfs_leds) -# TODO(b/37666508): Remove the following line upon resolution of the bug allow hal_graphics_composer_default video_device:chr_file rw_file_perms; # HWC_UeventThread diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te index dce10ed5..7e6f60d3 100644 --- a/sepolicy/vendor/hal_power_default.te +++ b/sepolicy/vendor/hal_power_default.te @@ -1,15 +1,6 @@ allow hal_power_default sysfs_graphics:dir search; allow hal_power_default sysfs_graphics:file r_file_perms; -allow hal_power_default debugfs_rpm:file r_file_perms; - -allow hal_power_default debugfs_wlan:dir r_dir_perms; -allow hal_power_default debugfs_wlan:file r_file_perms; - -allow hal_power_default sysfs_easel:dir search; -allow hal_power_default sysfs_easel:file r_file_perms; - - # To do powerhint on nodes defined in powerhint.json allow hal_power_default sysfs_msm_subsys:dir search; allow hal_power_default sysfs_msm_subsys:file rw_file_perms; @@ -17,6 +8,11 @@ allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; allow hal_power_default latency_device:chr_file rw_file_perms; allow hal_power_default cgroup:dir search; allow hal_power_default cgroup:file rw_file_perms; +allow hal_power_default sysfs_touch:file w_file_perms; +allow hal_power_default sysfs_touch:dir search; # To get/set powerhal state property set_prop(hal_power_default, power_prop) + +# interact with thermal_config +set_prop(hal_power_default, thermal_prop) diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te index da4c2989..5c773db3 100644 --- a/sepolicy/vendor/hal_power_stats_default.te +++ b/sepolicy/vendor/hal_power_stats_default.te 
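Review bot: The second hal_power_default.te hunk adds `allow hal_power_default sysfs_touch:file w_file_perms;` and `sysfs_touch:dir search;` directly under the cgroup rules with no comment. The deleted hal_vr.te documented its own sysfs_touch access as `# Access to touch vrmode node`, and vendor_init.te labels its rule `# Write to touch vrmode node`. I would add a line here too, e.g. `# Write to touch node for <powerhint name> (moved from hal_vr)`, with the node confirmed by the author. The new grant is narrower than the `rw_file_perms` / `r_dir_perms` hal_vr had, which is worth stating in the comment so nobody widens it back.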
@@ -1,6 +1,7 @@ # power.stats HAL needs access to rpm, and wlan sysfs nodes in /d/ r_dir_file(hal_power_stats_default, debugfs_rpm) r_dir_file(hal_power_stats_default, debugfs_wlan) +get_prop(hal_power_stats_default, exported_wifi_prop) # Needed to detect wifi on/off # power.stats HAL needs access to the easel sysfs node r_dir_file(hal_power_stats_default, sysfs_easel) diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te new file mode 100644 index 00000000..13c129f6 --- /dev/null +++ b/sepolicy/vendor/hal_thermal_default.te @@ -0,0 +1,7 @@ +allow hal_thermal_default sysfs_thermal:dir r_dir_perms; +allow hal_thermal_default sysfs_thermal:file r_file_perms; +allow hal_thermal_default sysfs_thermal:lnk_file read; +allow hal_thermal_default proc_stat:file r_file_perms; + +# read thermal_config +get_prop(hal_thermal_default, thermal_prop) diff --git a/sepolicy/vendor/hal_vr.te b/sepolicy/vendor/hal_vr.te deleted file mode 100644 index a88dcb82..00000000 --- a/sepolicy/vendor/hal_vr.te +++ /dev/null @@ -1,6 +0,0 @@ -# interact with thermal_config -set_prop(hal_vr, thermal_prop) - -# Access to touch vrmode node -allow hal_vr sysfs_touch:dir r_dir_perms; -allow hal_vr sysfs_touch:file rw_file_perms; diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te index a0155584..d6f02d59 100644 --- a/sepolicy/vendor/hal_wifi_default.te +++ b/sepolicy/vendor/hal_wifi_default.te @@ -11,6 +11,9 @@ allow hal_wifi_default wlan_device:chr_file w_file_perms; # Allow wifi hal to read debug info from the driver. r_dir_file(hal_wifi_default, proc_wifi_dbg) +# Write wlan driver/fw version into property +set_prop(hal_wifi_default, vendor_wifi_version) + dontaudit hal_wifi_default kernel:system module_request; dontaudit hal_wifi_default self:capability sys_module; @@ -19,4 +22,4 @@ userdebug_or_eng(` # Allow wifi hal to access wlan debugfs files and directories allow hal_wifi_default debugfs_wlan:dir r_dir_perms; -')
\ No newline at end of file +') diff --git a/sepolicy/vendor/init-fingerprint.te b/sepolicy/vendor/init-fingerprint.te new file mode 100644 index 00000000..7053f0da --- /dev/null +++ b/sepolicy/vendor/init-fingerprint.te @@ -0,0 +1,10 @@ +type init-fingerprint, domain; +type init-fingerprint_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init-fingerprint) + +allow init-fingerprint vendor_shell_exec:file rx_file_perms; +allow init-fingerprint vendor_toolbox_exec:file rx_file_perms; + +set_prop(init-fingerprint, vendor_fingerprint_prop) +set_prop(init-fingerprint, ctl_start_prop) diff --git a/sepolicy/vendor/init-wlan-sh.te b/sepolicy/vendor/init-wlan-sh.te deleted file mode 100644 index 3380c861..00000000 --- a/sepolicy/vendor/init-wlan-sh.te +++ /dev/null @@ -1,14 +0,0 @@ -type init-qcom-wlan-sh, domain; -type init-qcom-wlan-sh_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(init-qcom-wlan-sh) - -allow init-qcom-wlan-sh vendor_shell_exec:file rx_file_perms; -allow init-qcom-wlan-sh vendor_toolbox_exec:file rx_file_perms; - -# Set the vendor.wlan.driver.version and vendor.wlan.firmware.version property -set_prop(init-qcom-wlan-sh, vendor_wifi_version) - -# /sys/kernel/wifi/wlan/driver_version and /sys/kernel/wifi/wlan/fw/0/version -allow init-qcom-wlan-sh sysfs_msm_wlan:dir r_dir_perms; -allow init-qcom-wlan-sh sysfs_msm_wlan:file r_file_perms; diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te index 67471df6..02f8d4a1 100644 --- a/sepolicy/vendor/location.te +++ b/sepolicy/vendor/location.te @@ -35,7 +35,7 @@ r_dir_file(location, sysfs_type) dontaudit location kernel:system module_request; -allow location proc_net:file r_file_perms; +allow location proc_net_type:file r_file_perms; # execute /vendor/bin/lowi-server allow location location_exec:file rx_file_perms; 
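Review bot: `set_prop(init-fingerprint, ctl_start_prop)` on the last line of the new init-fingerprint.te looks broader than a script that starts one service needs. As far as I know `ctl_start_prop` is the generic label for start requests, so this domain could presumably ask init to start any service that has no more specific control-property label. If the script only starts the fingerprint service, give that control property its own type in property_contexts and grant `set_prop` on that type instead. The removed `ctl.vendor.thermal-engine` entry labelled a single service this way. Both `set_prop` lines also need a comment naming the properties written and the service started, since the file has none.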
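Review bot: In the first location.te hunk, `proc_net` becomes `proc_net_type`, which by its name is an attribute, so the grant widens from one type to every type carrying it. The hunk does not say which /proc/net entries the domain uses. For location this is read-only, but the same substitution gives netmgrd `rw_file_perms` and wcnss_service `{ getattr w_file_perms }` on the whole attribute. I would list the specific types each domain needs, or at minimum record the reason next to each rule, e.g. `# TODO: narrow proc_net_type to the types <domain> actually touches`.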
@@ -46,4 +46,4 @@ allow location location_data_file:{ file sock_file } create_file_perms; userdebug_or_eng(` allow location diag_device:chr_file rw_file_perms; -')
\ No newline at end of file +') diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te index 7bbcc592..2dce2413 100644 --- a/sepolicy/vendor/netmgrd.te +++ b/sepolicy/vendor/netmgrd.te @@ -43,7 +43,7 @@ dontaudit netmgrd diag_device:chr_file rw_file_perms; #Ignore if device loading for private IOCTL failed dontaudit netmgrd kernel:system { module_request }; -allow netmgrd proc_net:file rw_file_perms; +allow netmgrd proc_net_type:file rw_file_perms; allow netmgrd netmgr_data_file:dir rw_dir_perms; allow netmgrd netmgr_data_file:file create_file_perms; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index 594a4f56..f6628b03 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -25,3 +25,6 @@ type vendor_usb_config_prop, property_type; type vendor_charge_prop, property_type; type vendor_nfc_prop, property_type; type vendor_ramoops_prop, property_type; + +# fingerprint +type vendor_fingerprint_prop, property_type; diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts index a8c28e77..83081751 100644 --- a/sepolicy/vendor/property_contexts +++ b/sepolicy/vendor/property_contexts 
@@ -17,15 +17,18 @@ vendor.debug.ssrdump u:object_r:vendor_ssr_prop:s0 persist.sys.cnss. u:object_r:cnss_diag_prop:s0 sys.listeners.registered u:object_r:tee_listener_prop:s0 wc_transport. u:object_r:wc_prop:s0 -sys.qcom.thermalcfg u:object_r:thermal_prop:s0 -ctl.vendor.thermal-engine u:object_r:thermal_prop:s0 +vendor.qcom.thermalcfg u:object_r:thermal_prop:s0 +vendor.thermal.config u:object_r:thermal_prop:s0 persist.sys.modem.diag. u:object_r:modem_diag_prop:s0 sys.modem.diag. u:object_r:modem_diag_prop:s0 sys.time.set u:object_r:sys_time_prop:s0 persist.radio.atfwd.start u:object_r:atfwd_start_prop:s0 sys.logger.bluetooth u:object_r:bluetooth_log_prop:s0 -vendor.powerhal.state u:object_r:power_prop:s0 -vendor.powerhal.audio u:object_r:power_prop:s0 +vendor.powerhal.state u:object_r:power_prop:s0 +vendor.powerhal.audio u:object_r:power_prop:s0 +vendor.powerhal.lpm u:object_r:power_prop:s0 +vendor.powerhal.init u:object_r:power_prop:s0 +vendor.powerhal.rendering u:object_r:power_prop:s0 vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0 vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0 persist.vendor.usb.config u:object_r:vendor_usb_config_prop:s0 @@ -53,6 +56,9 @@ vendor.debug.egl.changepixelformat u:object_r:public_vendor_default_prop:s0 vendor.debug.prerotation.disable u:object_r:public_vendor_default_prop:s0 vendor.debug.rs. u:object_r:public_vendor_default_prop:s0 vendor.debug.egl.swapinterval u:object_r:public_vendor_default_prop:s0 +vendor.gralloc.disable_ubwc u:object_r:public_vendor_default_prop:s0 +vendor.debug.egl.profiler u:object_r:public_vendor_default_prop:s0 +vendor.gralloc.enable_ahardware_buffer u:object_r:public_vendor_default_prop:s0 # public_vendor_system_prop # They are public_vendor_system_props for vendor-specific extension. 
@@ -214,3 +220,7 @@ persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0 # ramoops vendor.ramoops. u:object_r:vendor_ramoops_prop:s0 + +# fingerprint +vendor.fps.init.succeed u:object_r:vendor_fingerprint_prop:s0 +vendor.fps.init_retry.count u:object_r:vendor_fingerprint_prop:s0 diff --git a/sepolicy/vendor/ramdump.te b/sepolicy/vendor/ramdump.te index 7514dead..e0592272 100644 --- a/sepolicy/vendor/ramdump.te +++ b/sepolicy/vendor/ramdump.te @@ -22,5 +22,7 @@ userdebug_or_eng(` # read from /fstab.taimen allow ramdump rootfs:file r_file_perms; + dontaudit ramdump metadata_file:dir search; + r_dir_file(ramdump, sysfs_type) ') diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts index a4f429ba..e1f512c9 100644 --- a/sepolicy/vendor/seapp_contexts +++ b/sepolicy/vendor/seapp_contexts @@ -1,7 +1,7 @@ user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -user=_app seinfo=platform name=com.google.mds domain=mds_app type=app_data_file levelFrom=all +user=_app seinfo=google name=com.google.mds domain=mds_app type=app_data_file levelFrom=all #TODO Remove user "system" when b/63588267 is resolved user=system seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=system_app_data_file 
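Review bot: The added `dontaudit ramdump metadata_file:dir search;` in ramdump.te suppresses a denial without recording why the access is expected and harmless. Since `dontaudit` removes the log line that would otherwise reveal unexpected probing of `metadata_file`, the reason should be stated, e.g. `# ramdump walks <path> and hits /metadata; access is not needed`. The rule sits inside the `userdebug_or_eng` block, whose opening line is outside the hunk.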
@@ -29,4 +29,4 @@ user=_app seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app t user=_app seinfo=easel name=com.google.android.imaging.easel.service domain=easelservice_app type=app_data_file levelFrom=user #Domain for connectivity monitor -user=radio seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all +user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te index 31c7ff72..d7b84619 100644 --- a/sepolicy/vendor/system_server.te +++ b/sepolicy/vendor/system_server.te @@ -23,5 +23,3 @@ typeattribute system_server system_writes_vendor_properties_violators; set_prop(system_server, public_vendor_system_prop) dontaudit system_server self:capability sys_module; - -allow system_server thermal_service:service_manager find; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te index bc1ab540..2bd2bd95 100644 --- a/sepolicy/vendor/thermal-engine.te +++ b/sepolicy/vendor/thermal-engine.te @@ -19,8 +19,6 @@ allow thermal-engine sysfs_rmtfs:dir search; allow thermal-engine sysfs_rmtfs:file r_file_perms; # to read /proc/stat allow thermal-engine proc_stat:file { getattr open read }; -# IThermal Thermal HAL -hal_server_domain(thermal-engine, hal_thermal) allow thermal-engine thermal_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/thermalserviced.te b/sepolicy/vendor/thermalserviced.te deleted file mode 100644 index aa6a0857..00000000 --- a/sepolicy/vendor/thermalserviced.te +++ /dev/null @@ -1 +0,0 @@ -binder_call(thermalserviced, system_server) diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te index b74bba47..0953dcb0 100644 --- a/sepolicy/vendor/vendor_init.te +++ b/sepolicy/vendor/vendor_init.te 
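Review bot: The second seapp_contexts hunk changes the connectivity monitor from `user=radio` to `user=_app isPrivApp=true`, but the `con_monitor_app` grants visible in con_monitor.te are not revisited in this commit. That file still allows `radio_vendor_data_file:dir rw_dir_perms` and `:file create_file_perms`, which were presumably sized for a process running as radio. I would confirm those rules are still needed now that the app runs under an app UID, and drop or narrow any that are not. The `#Domain for connectivity monitor` comment could also note the new selector, e.g. `# Connectivity monitor runs as a platform-signed priv-app`.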
@@ -11,6 +11,7 @@ allow vendor_init { allow vendor_init debugfs_clk:file w_file_perms; allow vendor_init proc_uid_cpupower:file write; +allow vendor_init proc_swappiness:file w_file_perms; dontaudit vendor_init kernel:system module_request; # Allow vendor_init to write to /proc/sysrq-trigger on userdebug and eng builds @@ -29,3 +30,9 @@ set_prop(vendor_init, vendor_charge_prop) dontaudit vendor_init unlabeled:dir getattr; dontaudit vendor_init unlabeled:file getattr; + +allow vendor_init debugfs_tracing_instances:dir create_dir_perms; +allow vendor_init debugfs_tracing_instances:file w_file_perms; + +# Write to touch vrmode node +allow vendor_init sysfs_touch:file w_file_perms; diff --git a/sepolicy/vendor/wcnss_service.te b/sepolicy/vendor/wcnss_service.te index a6f143c2..a6123328 100644 --- a/sepolicy/vendor/wcnss_service.te +++ b/sepolicy/vendor/wcnss_service.te @@ -12,7 +12,7 @@ allow wcnss_service per_mgr_service:service_manager find; allow wcnss_service vendor_shell_exec:file rx_file_perms; allow wcnss_service vendor_toolbox_exec:file rx_file_perms; -allow wcnss_service proc_net:file w_file_perms; +allow wcnss_service proc_net_type:file { getattr w_file_perms }; allow wcnss_service self:socket create_socket_perms; allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls; @@ -23,8 +23,6 @@ allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl; allow wcnss_service cnss_vendor_data_file:dir create_dir_perms; allow wcnss_service cnss_vendor_data_file:file create_file_perms; -allow wcnss_service proc_net:file getattr; - r_dir_file(wcnss_service, sysfs_msm_subsys) # pkt logging for cnss_diag userdebug_or_eng(` |