diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 1bac978..9b57b8e 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -207,6 +207,9 @@ ENABLE_VENDOR_RIL_SERVICE := true
 
 # SELinux
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+PRODUCT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/public
 
 # Verified Boot
 BOARD_AVB_ENABLE := true
diff --git a/sepolicy/private/permissioncontroller_app.te b/sepolicy/private/permissioncontroller_app.te
new file mode 100644
index 0000000..f006c72
--- /dev/null
+++ b/sepolicy/private/permissioncontroller_app.te
@@ -0,0 +1 @@
+allow permissioncontroller_app tethering_service:service_manager find;
diff --git a/sepolicy/private/platform_app.te b/sepolicy/private/platform_app.te
new file mode 100644
index 0000000..1b220a3
--- /dev/null
+++ b/sepolicy/private/platform_app.te
@@ -0,0 +1,2 @@
+hal_client_domain(platform_app, hal_ifaa);
+hal_client_domain(platform_app, vendor_hal_soter);
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
new file mode 100644
index 0000000..d2d11f2
--- /dev/null
+++ b/sepolicy/private/radio.te
@@ -0,0 +1,2 @@
+allow radio mot_radio_service:service_manager { add find };
+allow radio mot_system_service:service_manager find;
diff --git a/sepolicy/private/service.te b/sepolicy/private/service.te
new file mode 100644
index 0000000..3568a3e
--- /dev/null
+++ b/sepolicy/private/service.te
@@ -0,0 +1,2 @@
+type mot_radio_service, service_manager_type;
+type mot_system_service, service_manager_type;
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 0000000..a51d140
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1,2 @@
+motoexttelephony u:object_r:mot_radio_service:s0
+moto_ext_telephony.registry u:object_r:mot_system_service:s0
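Review bot: The two rules in platform_app.te make every platform-signed app a hwbinder client of the ifaa and soter HALs, and hal_ifaa's server side is granted `tee_device` access later in this commit, so the grant reaches the TEE; if one specific app needs this, a comment naming it above the rules (`# <app> uses IFAA/soter for payment auth`) or a narrower app domain would make the exposure deliberate rather than incidental. Both calls also end with a stray `;` that the other macro calls in this commit omit (e.g. `hal_client_domain(hal_camera_default, vendor_hal_qspmhal)`); the macro already terminates its rules, so write `hal_client_domain(platform_app, hal_ifaa)`. None of the new private/ files carry a rationale comment; a one-line note per rule would help later audits.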
diff --git a/sepolicy/private/vendor_qtelephony.te b/sepolicy/private/vendor_qtelephony.te
new file mode 100644
index 0000000..610e1dc
--- /dev/null
+++ b/sepolicy/private/vendor_qtelephony.te
@@ -0,0 +1,2 @@
+allow vendor_qtelephony mot_radio_service:service_manager find;
+allow vendor_qtelephony mot_system_service:service_manager find;
diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 0000000..7425200
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1,2 @@
+hal_attribute_lineage(cameradesktop)
+hal_attribute_lineage(ifaa)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..98e594d
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,10 @@
+# Fingerprint
+type etsd_device, dev_type;
+
+# Moto partitions
+type vendor_hw_block_device, dev_type;
+type vendor_prodpersist_block_device, dev_type;
+type vendor_utags_block_device, dev_type;
+
+# Thermal
+type vendor_thermal_device, dev_type;
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
new file mode 100644
index 0000000..327521c
--- /dev/null
+++ b/sepolicy/vendor/domain.te
@@ -0,0 +1 @@
+get_prop({domain -coredomain -appdomain}, vendor_mot_hw_prop)
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..368a668
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,26 @@
+# Camera
+type vendor_persist_camera_file, file_type, vendor_persist_type;
+
+# Cutback
+type cutback_data_file, file_type, data_file_type;
+type cutback_socket, file_type;
+
+# Fingerprint
+type vendor_persist_fps_file, file_type, vendor_persist_type;
+
+# Input Devices
+type vendor_sysfs_input, sysfs_type, fs_type;
+
+# Motorola
+type proc_moto_boot, proc_type, fs_type;
+type vendor_motobox_exec, exec_type, vendor_file_type, file_type;
+type vendor_proc_hw, proc_type, fs_type;
+
+# Partitions
+type fsg_file, file_type, contextmount_type, vendor_file_type;
+
+# Power
+type proc_sched_lib_mask_cpuinfo, proc_type, fs_type;
+
+# Touchscreen
+type vendor_sysfs_touchpanel, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..9703cbe
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,80 @@
+# A/B partitions
+/dev/block/platform/soc/1d84000\.ufshc/by-name/fsg_[ab] u:object_r:vendor_modem_efs_partition_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/logo_[ab] u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs3_[ab] u:object_r:vendor_efs_boot_dev:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/prov_[ab] u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/spss_[ab] u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/storsec_[ab] u:object_r:vendor_custom_ab_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/sd[df] u:object_r:vendor_gpt_block_device:s0
+
+# UFS Devices
+/dev/block/platform/soc/1d84000\.ufshc/by-name/hw u:object_r:vendor_hw_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/prodpersist u:object_r:vendor_prodpersist_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/utags u:object_r:vendor_utags_block_device:s0
+/dev/block/platform/soc/1d84000\.ufshc/by-name/utagsBackup u:object_r:vendor_utags_block_device:s0
+
+# Partition Mountpoints
+/(vendor|system/vendor)/fsg u:object_r:fsg_file:s0
+/(vendor|system/vendor)/super_fsg u:object_r:fsg_file:s0
+/(vendor|system/vendor)/super_modem u:object_r:firmware_file:s0
+
+# Awinic
+/(mnt/vendor/persist|persist)/factory/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0
+
+# Camera
+/(mnt/vendor/persist|persist)/camera(/.*)? u:object_r:vendor_persist_camera_file:s0
+/(vendor|system/vendor)/bin/hw/motorola\.hardware\.camera\.desktop@2\.0-service u:object_r:hal_cameradesktop_default_exec:s0
+/(vendor|system/vendor)/bin/vl53l1_daemon u:object_r:vl53l1_exec:s0
+/(vendor|system/vendor)/lib64/libipebpsstriping\.so u:object_r:same_process_hal_file:s0
+/data/vendor/misc/imager u:object_r:vendor_camera_data_file:s0
+/sys/devices/platform/soc/soc:qcom,cam-req-mgr/video4linux/video[0-33]/name(/.*)? u:object_r:vendor_sysfs_jpeg:s0
+/sys/devices/virtual/input/input[0-9]+/calibration_data u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/do_flush u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/enable_ps_sensor u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/offset u:object_r:vendor_sysfs_laser:s0
+/sys/devices/virtual/input/input[0-9]+/xtalk u:object_r:vendor_sysfs_laser:s0
+
+# Fingerprint
+/(mnt/vendor/persist|persist)/fps(/.*)? u:object_r:vendor_persist_fps_file:s0
+/(vendor|system/vendor)/bin/fpc_ident u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-fpc u:object_r:hal_fingerprint_default_exec:s0
+/data/vendor/.fps(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/esfp0 u:object_r:etsd_device:s0
+/sys/devices/soc/0\.et320(/.*)? u:object_r:vendor_sysfs_fingerprint:s0
+
+# IFAA
+/(vendor|system/vendor)/bin/hw/vendor\.zui\.hardware\.ifaa@1\.0-service u:object_r:hal_ifaa_default_exec:s0
+
+# Lights
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.motokona u:object_r:hal_light_default_exec:s0
+
+# Motobox
+/(vendor|system/vendor)/bin/motobox u:object_r:vendor_motobox_exec:s0
+
+#poweropt-service
+/(vendor|system/vendor)/bin/poweropt-service u:object_r:vendor_poweroptservice_exec:s0
+
+# Radio
+/data/vendor/misc/cutback(/.*)? u:object_r:cutback_data_file:s0
+/dev/socket/cutback u:object_r:cutback_socket:s0
+
+# Touch
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.nio u:object_r:hal_lineage_touch_default_exec:s0
+
+# Thermal
+/dev/mmi_sys_temp u:object_r:vendor_thermal_device:s0
+
+# Vendor init scripts
+/(vendor|system/vendor)/bin/init\.mmi\.laser\.sh u:object_r:vendor_mmi_laser_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.touch\.sh u:object_r:vendor_init_touch_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.fingerprint2\.sh u:object_r:vendor_init_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.fingerprint\.overlay\.sh u:object_r:vendor_init_fingerprint_exec:s0
+/(vendor|system/vendor)/bin/init\.oem\.hw\.sh u:object_r:vendor_init_hw_exec:s0
+
+# Wakeups
+/sys/devices/virtual/input/input[0-9]+/wakeup[0-9]+(/.*)? u:object_r:sysfs_wakeup:s0
+/sys/devices/platform/soc/[^*]+/wakeup/wakeup[0-9]+(/.*)? u:object_r:sysfs_wakeup:s0
+/sys/devices/virtual/misc/[^*]+/wakeup[0-9]+(/.*)? u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..76864a9
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
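Review bot: The character class in `/sys/devices/platform/soc/soc:qcom,cam-req-mgr/video4linux/video[0-33]/name(/.*)?` matches a single digit 0–3 only (`[0-33]` is the set {0,1,2,3}), so `video4` through `video33` never receive `vendor_sysfs_jpeg`; if nodes 0–33 are meant, use `video([0-9]|[12][0-9]|3[0-3])`, or `video[0-9]+` if any index is acceptable. In the Fingerprint block `/data/vendor/.fps(/.*)?` leaves the dot unescaped, so it also matches `/data/vendor/Xfps`; the literal form `/data/vendor/\.fps(/.*)?` is what the rest of this file uses for dots (the Awinic entry `aw_cali.bin` has the same slip). Style: `#poweropt-service` is the only section header without a space after `#`.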
@@ -0,0 +1,57 @@
+# Camera
+genfscon sysfs /devices/platform/cam_sync/video4linux/video1/name u:object_r:sysfs_graphics:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/egis_input u:object_r:vendor_sysfs_fingerprint:s0
+
+# Health
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/mmi_battery u:object_r:vendor_sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/qcom_battery u:object_r:vendor_sysfs_battery_supply:s0
+
+# Input Devices
+genfscon sysfs /devices/virtual/input u:object_r:vendor_sysfs_input:s0
+
+# Lights
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm8150l@5:qcom,leds@d000/leds/charging u:object_r:sysfs_leds:s0
+
+# Motorola
+genfscon proc /bootinfo u:object_r:proc_moto_boot:s0
+genfscon proc /config u:object_r:vendor_proc_hw:s0
+genfscon proc /hw u:object_r:vendor_proc_hw:s0
+
+# PowerHal
+genfscon proc /sys/kernel/sched_lib_name u:object_r:proc_sched_lib_mask_cpuinfo:s0
+genfscon proc /sys/kernel/sched_lib_mask_force u:object_r:proc_sched_lib_mask_cpuinfo:s0
+
+# RTC
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0 u:object_r:sysfs_rtc:s0
+
+# Sensors
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/panelName u:object_r:vendor_sysfs_data:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/panelRegDA u:object_r:vendor_sysfs_data:s0
+
+# STM Prox Sensor
+genfscon sysfs /devices/virtual/laser u:object_r:vendor_sysfs_laser:s0
+genfscon sysfs /module/stmvl53l1 u:object_r:vendor_sysfs_laser:s0
+
+# Touchscreen
+genfscon sysfs /class/touchscreen u:object_r:vendor_sysfs_touchpanel:s0
+genfscon sysfs /devices/virtual/touchscreen u:object_r:vendor_sysfs_touchpanel:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-1/1-005a/leds/vibrator u:object_r:sysfs_vibrator:s0
+
+# Wakeup
+genfscon sysfs /devices/0306_02.01.00/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1101_00.01.00/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1e00000.qcom,ipa/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-0/0-0028/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/power_supply/mmi_battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5-mmi/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/qcom_battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm8150l@4:qcom,power-on@800/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/rx-macro/rx_swr_ctrl/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-npu/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/diag/diag/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..6333ffd
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl_default.te
@@ -0,0 +1,8 @@
+allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr;
+allow hal_bootctl_default {
+ vendor_efs_boot_dev
+ vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;
+
+# We never apply OTAs when GSI is running
+dontaudit hal_bootctl_default gsi_metadata_file:dir search;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..f4d3333
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,25 @@
+# Allow hal_camera_default to read to mnt/vendor/persist
+allow hal_camera_default mnt_vendor_file:dir search;
+
+# Allow hal_camera_default to call system_server
+binder_call(hal_camera_default, system_server)
+
+# Camera props
+get_prop(hal_camera_default, exported_radio_prop)
+
+# STM Prox Sensor
+allow hal_camera_default vendor_sysfs_laser:file rw_file_perms;
+allow hal_camera_default input_device:chr_file r_file_perms;
+allow hal_camera_default input_device:dir r_dir_perms;
+
+r_dir_file(hal_camera_default, vendor_sysfs_input)
+r_dir_file(hal_camera_default, vendor_persist_camera_file)
+r_dir_file(hal_camera_default, vendor_sysfs_battery_supply)
+
+# (X)DSP
+allow hal_camera_default vendor_xdsp_device:chr_file r_file_perms;
+
+# QSPM hal service for accessing camera info
+hal_client_domain(hal_camera_default, vendor_hal_qspmhal)
+
+hal_client_domain(hal_camera_default, hal_cameradesktop)
diff --git a/sepolicy/vendor/hal_cameradesktop.te b/sepolicy/vendor/hal_cameradesktop.te
new file mode 100644
index 0000000..c397158
--- /dev/null
+++ b/sepolicy/vendor/hal_cameradesktop.te
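Review bot: `genfscon proc /config u:object_r:vendor_proc_hw:s0` is a path-prefix match, so if this kernel exposes `/proc/config.gz` it is labelled `vendor_proc_hw` too, and vendor_init_hw.te later in this commit grants that type `rw_file_perms`; if only Motorola's `/proc/config` node is intended, confirm no other `/proc/config*` entry exists and record it, e.g. `# /config is prefix-matched; also covers /proc/config* if present`. The same prefix semantics apply to `genfscon sysfs /devices/virtual/input`, which labels the whole virtual-input subtree `vendor_sysfs_input` while the file_contexts hunk labels `.../input[0-9]+/wakeup[0-9]+` under it as `sysfs_wakeup`; as far as I can tell the file_contexts entry only takes effect where something restorecons those paths, which is worth a comment so the two are not read as contradictory.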
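Review bot: `binder_call(hal_camera_default, system_server)` grants a vendor HAL a direct binder path to system_server, but the comment above it does not say which system_server interface the camera HAL needs or why hwbinder is not enough; on full-Treble builds vendor domains are, as far as I recall, kept off `/dev/binder` by base-policy neverallows unless explicitly exempted, so this rule is either ineffective on its own or relies on an exemption that lives elsewhere, and the comment should state which. Replace the comment with something like `# <interface> on system_server is used by <feature>; binder_device access comes from <where>`. Separately, the first comment reads `read to mnt/vendor/persist`; `read from` is meant.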
@@ -0,0 +1,17 @@
+type hal_cameradesktop_default, domain;
+hal_server_domain(hal_cameradesktop_default, hal_cameradesktop)
+
+type hal_cameradesktop_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_cameradesktop_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_cameradesktop_client, hal_cameradesktop_server)
+
+# Add hwservice related rules
+add_hwservice(hal_cameradesktop_server, hal_cameradesktop_hwservice)
+allow hal_cameradesktop_client hal_cameradesktop_hwservice:hwservice_manager find;
+
+allow hal_cameradesktop_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_cameradesktop_server vendor_sysfs_graphics:file r_file_perms;
+allow hal_cameradesktop_server vendor_sysfs_jpeg:file r_file_perms;
+allow hal_cameradesktop_server video_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..12995a8
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,11 @@
+allow hal_fingerprint_default {
+ etsd_device
+ tee_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+r_dir_file(hal_fingerprint_default, firmware_file)
+set_prop(hal_fingerprint_default, vendor_mot_fingerprint_prop)
+allow hal_fingerprint_default vendor_sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_ifaa.te b/sepolicy/vendor/hal_ifaa.te
new file mode 100644
index 0000000..41695e7
--- /dev/null
+++ b/sepolicy/vendor/hal_ifaa.te
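Review bot: `allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;` lets the fingerprint HAL register user-space HID devices and feed input events through them, which is a considerably wider capability than sensor or TEE access, and the hunk gives no reason for it. file_contexts maps both the `-ets` and `-fpc` services to this domain; if one of them uses uhid for navigation gestures, say so above the rule (`# <service> registers a uhid device for nav-gesture input`) and confirm the other does not need it, since the grant covers both. Style: `}: chr_file` has a space after the colon that the other brace-set rules in this commit (`}:blk_file`) do not.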
@@ -0,0 +1,18 @@
+type hal_ifaa_default, domain;
+hal_server_domain(hal_ifaa_default, hal_ifaa)
+
+type hal_ifaa_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_ifaa_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_ifaa_client, hal_ifaa_server)
+
+# Add hwservice related rules
+add_hwservice(hal_ifaa_server, hal_ifaa_hwservice)
+allow hal_ifaa_client hal_ifaa_hwservice:hwservice_manager find;
+
+#Allow access to tee device
+allow hal_ifaa_server tee_device:chr_file rw_file_perms;
+
+#Allow access to ion device
+allow hal_ifaa_server ion_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/hal_lineage_touch_default.te b/sepolicy/vendor/hal_lineage_touch_default.te
new file mode 100644
index 0000000..861500b
--- /dev/null
+++ b/sepolicy/vendor/hal_lineage_touch_default.te
@@ -0,0 +1,2 @@
+allow hal_lineage_touch_default vendor_sysfs_touchpanel:dir search;
+allow hal_lineage_touch_default vendor_sysfs_touchpanel:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..e5466b2
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,4 @@
+add_hwservice(hal_nfc_default, nxpese_hwservice)
+add_hwservice(hal_nfc_default, nxpnfc_hwservice)
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..c69157d
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
@@ -0,0 +1,2 @@
+allow hal_power_default vendor_sysfs_touchpanel:dir search;
+allow hal_power_default vendor_sysfs_touchpanel:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..9be265e
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1,5 @@
+allow hal_sensors_default vendor_sysfs_laser:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow hal_sensors_default vendor_sysfs_input:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_input:file rw_file_perms;
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..042f288
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,4 @@
+type hal_cameradesktop_hwservice, hwservice_manager_type;
+type hal_ifaa_hwservice, hwservice_manager_type;
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..4bf62a9
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,13 @@
+# Camera
+motorola.hardware.camera.desktop::ICameraDesktop u:object_r:hal_cameradesktop_hwservice:s0
+
+# Fingerprint
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrint u:object_r:hal_fingerprint_hwservice:s0
+com.motorola.hardware.biometric.fingerprint::IMotoFingerPrintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+
+# IFAA
+vendor.zui.hardware.ifaa::IIFAADevice u:object_r:hal_ifaa_hwservice:s0
+
+# NFC
+vendor.nxp.nxpese::INxpEse u:object_r:nxpese_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc u:object_r:nxpnfc_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..76767dd
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,23 @@
+# Super modem mounting
+allow fsg_file self:filesystem associate;
+allow init fsg_file:dir mounton;
+allow init fsg_file:filesystem { getattr mount relabelfrom unmount };
+allow init firmware_file:filesystem unmount;
+
+# Allow init to access loop devices
+allow init loop_device:blk_file { create setattr unlink };
+allowxperm init loop_device:blk_file ioctl {
+ LOOP_GET_STATUS64
+ LOOP_GET_STATUS
+ LOOP_SET_STATUS64
+ LOOP_SET_STATUS
+ BLKFLSBUF
+};
+
+# Product persist
+allow init mnt_product_file:dir mounton;
+
+recovery_only(`
+ allow init self:capability sys_module;
+ allow init rootfs:system module_load;
+')
diff --git a/sepolicy/vendor/installd.te b/sepolicy/vendor/installd.te
new file mode 100644
index 0000000..452a06b
--- /dev/null
+++ b/sepolicy/vendor/installd.te
@@ -0,0 +1,3 @@
+allow installd bt_firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..139166a
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1,7 @@
+allow kernel block_device:dir search;
+
+allow kernel kernel:capability kill;
+allow kernel {
+ vendor_hw_block_device
+ vendor_utags_block_device
+}:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/poweroptservice.te b/sepolicy/vendor/poweroptservice.te
new file mode 100644
index 0000000..b0facdd
--- /dev/null
+++ b/sepolicy/vendor/poweroptservice.te
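Review bot: kernel.te gives the kernel domain raw `rw_file_perms` on the `hw` and `utags`/`utagsBackup` partitions without saying which in-kernel consumer performs the I/O; if this is the utags driver reading and writing those blocks with kernel credentials, a comment above the rule (`# utags driver accesses hw/utags partitions from kernel context`) would stop someone later assuming the access belongs in a userspace domain and widening it there. `allow kernel kernel:capability kill;` also spells out the domain where the rest of this commit writes `self` (`allow hal_fingerprint_default self:netlink_socket ...`); `allow kernel self:capability kill;` is the conventional form.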
@@ -0,0 +1,47 @@
+# Copyright (c) 2019-2020, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+# * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following
+# disclaimer in the documentation and/or other materials provided
+# with the distribution.
+# * Neither the name of The Linux Foundation nor the names of its
+# contributors may be used to endorse or promote products derived
+# from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+type vendor_poweroptservice, domain;
+type vendor_poweroptservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_poweroptservice)
+
+hwbinder_use(vendor_poweroptservice)
+
+hal_client_domain(vendor_poweroptservice, vendor_hal_perf)
+hal_client_domain(vendor_poweroptservice, hal_graphics_composer)
+
+get_prop(vendor_poweroptservice, vendor_mpctl_prop)
+
+r_dir_file(vendor_poweroptservice, vendor_sysfs_graphics)
+r_dir_file(vendor_poweroptservice, vendor_sysfs_kgsl)
+r_dir_file(vendor_poweroptservice, sysfs_android_usb)
+
+allow vendor_poweroptservice vendor_qdisplay_service:service_manager find;
+allow vendor_poweroptservice input_device:dir r_dir_perms;
+allow vendor_poweroptservice input_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..3838ef3
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,7 @@
+# Motorola
+type vendor_mot_fingerprint_prop, property_type;
+type vendor_mot_hw_prop, property_type;
+type vendor_mot_touch_prop, property_type;
+
+# Power
+type power_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..6a86b8e
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
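Review bot: `allow vendor_poweroptservice input_device:chr_file rw_file_perms;` at the end of poweroptservice.te gives a performance-tuning daemon write access to every input device node, while the camera HAL earlier in this commit gets by with `r_file_perms` on the same type for a comparable use; if poweropt only watches touch events to trigger boosts, narrow it to `allow vendor_poweroptservice input_device:chr_file r_file_perms;`, and if it genuinely writes, say what it writes in a comment above the rule. The licence header also leaves two blank lines before `type vendor_poweroptservice, domain;` where one would do.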
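Review bot: `type power_prop, property_type;` in property.te breaks the naming used by the three other types in the same file (`vendor_mot_*_prop`) and by the AOSP convention that vendor-defined property types carry a `vendor_` prefix, which also reduces the chance of colliding with a same-named type in base policy. Rename it along the lines of `type vendor_power_prop, property_type;` and update the five `vendor.powerhal.*` entries in property_contexts accordingly; if the base policy in this tree provides the `vendor_internal_prop()` macro, using it instead of a bare `type` declaration is the form newer trees expect.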
@@ -0,0 +1,35 @@
+# Camera
+camera.mot.is.coming.cts u:object_r:vendor_camera_prop:s0
+
+# Radio
+vendor.ril. u:object_r:vendor_radio_prop:s0
+gsm.operator.iso-country u:object_r:exported_radio_prop:s0
+
+# USB
+vendor.rmnet_vnd.rps_mask u:object_r:vendor_usb_prop:s0
+
+# Motorola
+ro.mot.build.customerid u:object_r:exported_default_prop:s0
+ro.vendor.hw. u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.mot.gki. u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.device u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.display u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.hardware.sku.variant u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.model u:object_r:vendor_mot_hw_prop:s0
+ro.vendor.product.name u:object_r:vendor_mot_hw_prop:s0
+vendor.hw.touch.status u:object_r:vendor_mot_touch_prop:s0
+
+# Motorola fingerprint
+persist.vendor.hardware.fingerprint u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fps.ident u:object_r:vendor_mot_fingerprint_prop:s0
+vendor.hw.fingerprint.status u:object_r:vendor_mot_fingerprint_prop:s0
+
+# Power
+vendor.powerhal.state u:object_r:power_prop:s0
+vendor.powerhal.audio u:object_r:power_prop:s0
+vendor.powerhal.lpm u:object_r:power_prop:s0
+vendor.powerhal.init u:object_r:power_prop:s0
+vendor.powerhal.rendering u:object_r:power_prop:s0
+
+# GFX
+ro.gfx.driver.1 u:object_r:exported_default_prop:s0
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..10f3070
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1,7 @@
+get_prop(rild, vendor_radio_prop)
+allow rild fwk_sensor_hwservice:hwservice_manager find;
+allow rild input_device:chr_file r_file_perms;
+allow rild input_device:dir rw_dir_perms;
+allow rild proc_moto_boot:file r_file_perms;
+allow rild cutback_data_file:dir rw_dir_perms;
+allow rild cutback_data_file:sock_file create_file_perms;
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
new file mode 100644
index 0000000..f0c4e75
--- /dev/null
+++ b/sepolicy/vendor/ueventd.te
@@ -0,0 +1 @@
+allow ueventd vendor_persist_audio_file:file r_file_perms;
diff --git a/sepolicy/vendor/update_engine_common.te b/sepolicy/vendor/update_engine_common.te
new file mode 100644
index 0000000..a05ccaa
--- /dev/null
+++ b/sepolicy/vendor/update_engine_common.te
@@ -0,0 +1,5 @@
+allow update_engine_common fsg_file:filesystem getattr;
+allow update_engine_common {
+ vendor_efs_boot_dev
+ vendor_modem_efs_partition_device
+}:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_hal_perf_default.te b/sepolicy/vendor/vendor_hal_perf_default.te
new file mode 100644
index 0000000..6f9a8fb
--- /dev/null
+++ b/sepolicy/vendor/vendor_hal_perf_default.te
@@ -0,0 +1,2 @@
+allow vendor_hal_perf_default proc_sched_lib_mask_cpuinfo:file rw_file_perms;
+binder_call(vendor_hal_perf_default, vendor_poweroptservice)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..c200425
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,5 @@
+set_prop(vendor_init, vendor_camera_prop)
+set_prop(vendor_init, vendor_ims_prop)
+set_prop(vendor_init, vendor_mot_hw_prop)
+
+allow vendor_init proc_sched_lib_mask_cpuinfo:file w_file_perms;
diff --git a/sepolicy/vendor/vendor_init_fingerprint.te b/sepolicy/vendor/vendor_init_fingerprint.te
new file mode 100644
index 0000000..eccc602
--- /dev/null
+++ b/sepolicy/vendor/vendor_init_fingerprint.te
@@ -0,0 +1,13 @@
+type vendor_init_fingerprint, domain;
+type vendor_init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_fingerprint)
+
+allow vendor_init_fingerprint self:capability { kill sys_module };
+allow vendor_init_fingerprint vendor_file:system module_load;
+allow vendor_init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:file create_file_perms;
+allow vendor_init_fingerprint vendor_persist_fps_file:dir rw_dir_perms;
+allow vendor_init_fingerprint mnt_vendor_file:dir search;
+
+set_prop(vendor_init_fingerprint, ctl_start_prop)
+set_prop(vendor_init_fingerprint, vendor_mot_fingerprint_prop)
diff --git a/sepolicy/vendor/vendor_init_hw.te b/sepolicy/vendor/vendor_init_hw.te
new file mode 100644
index 0000000..4f453f6
--- /dev/null
+++ b/sepolicy/vendor/vendor_init_hw.te
@@ -0,0 +1,15 @@
+type vendor_init_hw, domain;
+type vendor_init_hw_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_hw)
+
+allow vendor_init_hw self:capability sys_module;
+allow vendor_init_hw vendor_file:system module_load;
+
+allow vendor_init_hw vendor_proc_hw:dir r_dir_perms;
+allow vendor_init_hw vendor_proc_hw:file rw_file_perms;
+
+allow vendor_init_hw vendor_motobox_exec:file rx_file_perms;
+allow vendor_init_hw vendor_toolbox_exec:file rx_file_perms;
+
+set_prop(vendor_init_hw, vendor_mot_hw_prop)
+set_prop(vendor_init_hw, vendor_mot_touch_prop)
diff --git a/sepolicy/vendor/vendor_init_touch.te b/sepolicy/vendor/vendor_init_touch.te
new file mode 100644
index 0000000..8ee6621
--- /dev/null
+++ b/sepolicy/vendor/vendor_init_touch.te
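Review bot: `allow vendor_init_fingerprint self:capability { kill sys_module };` together with `allow vendor_init_fingerprint vendor_file:system module_load;` lets a shell-script domain (init.oem.fingerprint2.sh / init.oem.fingerprint.overlay.sh per file_contexts) load any file labelled `vendor_file` as a kernel module, and vendor_init_hw.te in this same commit grants the identical pair; neither file names the module being loaded. Add a comment above each pair stating which module and why (`# loads <module>.ko for the <ets|fpc> sensor`), and if the base policy in this tree labels the modules directory with a dedicated type (AOSP has used `vendor_kernel_modules` for this), target that instead of `vendor_file` so the loadable set is bounded. The `kill` capability on the fingerprint script is likewise unexplained and deserves a line saying which process it stops. Also `set_prop(vendor_init_fingerprint, ctl_start_prop)` lets the script start arbitrary init services; a comment naming the service it starts would document the intended scope.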
@@ -0,0 +1,8 @@
+type vendor_init_touch, domain;
+type vendor_init_touch_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_init_touch)
+
+allow vendor_init_touch vendor_toolbox_exec:file rx_file_perms;
+
+r_dir_file(vendor_init_touch , vendor_sysfs_touchpanel)
+set_prop(vendor_init_touch, vendor_mot_touch_prop)
diff --git a/sepolicy/vendor/vendor_mdm_helper.te b/sepolicy/vendor/vendor_mdm_helper.te
new file mode 100644
index 0000000..81d74f1
--- /dev/null
+++ b/sepolicy/vendor/vendor_mdm_helper.te
@@ -0,0 +1,4 @@
+get_prop(vendor_mdm_helper, vendor_radio_prop)
+
+allow vendor_mdm_helper { mnt_vendor_file vendor_persist_rfs_file }:dir search;
+allow vendor_mdm_helper vendor_persist_rfs_file:file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_mmi_laser.te b/sepolicy/vendor/vendor_mmi_laser.te
new file mode 100644
index 0000000..5263baf
--- /dev/null
+++ b/sepolicy/vendor/vendor_mmi_laser.te
@@ -0,0 +1,16 @@
+type vendor_mmi_laser, domain;
+type vendor_mmi_laser_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(vendor_mmi_laser)
+
+allow vendor_mmi_laser vendor_sysfs_laser:dir r_dir_perms;
+allow vendor_mmi_laser vendor_sysfs_laser:file { setattr rw_file_perms };
+
+allow vendor_mmi_laser self:capability { chown fsetid };
+
+allow vendor_mmi_laser vendor_sysfs_input:dir r_dir_perms;
+
+allow vendor_mmi_laser mnt_vendor_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:dir search;
+allow vendor_mmi_laser vendor_persist_camera_file:file { setattr r_file_perms };
+
+allow vendor_mmi_laser vendor_toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te
new file mode 100644
index 0000000..7b789ed
--- /dev/null
+++ b/sepolicy/vendor/vendor_qti_init_shell.te
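Review bot: `r_dir_file(vendor_init_touch , vendor_sysfs_touchpanel)` in vendor_init_touch.te has a stray space before the comma that no other macro call in this commit has; write `r_dir_file(vendor_init_touch, vendor_sysfs_touchpanel)`. In vendor_mmi_laser.te, `allow vendor_mmi_laser self:capability { chown fsetid };` is the only capability grant in these scripts without a nearby hint of what is being re-owned; if the script chowns the laser sysfs or persist calibration nodes for the HAL's uid, a comment above it (`# chown calibration nodes for <hal uid>`) would document the intended scope.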
@@ -0,0 +1,4 @@
+allow vendor_qti_init_shell configfs:dir create_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell configfs:lnk_file create_file_perms;
+allow vendor_qti_init_shell proc_page_cluster:file w_file_perms;
diff --git a/sepolicy/vendor/vendor_rmt_storage.te b/sepolicy/vendor/vendor_rmt_storage.te
new file mode 100644
index 0000000..5d70a65
--- /dev/null
+++ b/sepolicy/vendor/vendor_rmt_storage.te
@@ -0,0 +1 @@
+get_prop(vendor_rmt_storage, vendor_radio_prop)
diff --git a/sepolicy/vendor/vendor_thermal-engine.te b/sepolicy/vendor/vendor_thermal-engine.te
new file mode 100644
index 0000000..92fada9
--- /dev/null
+++ b/sepolicy/vendor/vendor_thermal-engine.te
@@ -0,0 +1,2 @@
+allow vendor_thermal-engine { proc_stat proc_loadavg }:file r_file_perms;
+allow vendor_thermal-engine vendor_thermal_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/vendor_wcnss_service.te b/sepolicy/vendor/vendor_wcnss_service.te
new file mode 100644
index 0000000..6540511
--- /dev/null
+++ b/sepolicy/vendor/vendor_wcnss_service.te
@@ -0,0 +1 @@
+allow vendor_wcnss_service rootfs:dir r_dir_perms;
diff --git a/sepolicy/vendor/vl53l1.te b/sepolicy/vendor/vl53l1.te
new file mode 100644
index 0000000..8a680bc
--- /dev/null
+++ b/sepolicy/vendor/vl53l1.te
@@ -0,0 +1,9 @@
+type vl53l1, domain;
+type vl53l1_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vl53l1)
+
+allow vl53l1 self:netlink_socket { read write create bind };
+allow vl53l1 self:netlink_iscsi_socket { bind create read write };
+allow vl53l1 vendor_sysfs_laser:dir r_dir_perms;
+allow vl53l1 vendor_sysfs_laser:file rw_file_perms;
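Review bot: `allow vl53l1 self:netlink_iscsi_socket { bind create read write };` is surprising for a time-of-flight sensor daemon, and without a comment a later cleanup is likely to drop it as a copy-paste; the usual cause is the driver's private netlink protocol number mapping onto the iSCSI socket class, which should be stated above the rule (`# driver's netlink protocol number is classified as netlink_iscsi_socket`). The two socket rules also list the same four permissions in different orders (`{ read write create bind }` vs `{ bind create read write }`); pick one ordering for both. In vendor_qti_init_shell.te, the three `configfs` `create_*_perms` grants let the init shell reshape configfs freely, so a one-line note on which configfs subtree it sets up would bound the intent.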