# MACLOADER
BOARD_HAVE_SAMSUNG_WIFI := true
+# SEPOLICY
+include device/lineage/sepolicy/exynos/sepolicy.mk
+
+# HAL sepolicy
+include device/samsung_slsi/sepolicy/sepolicy.mk
+
BOARD_SEPOLICY_DIRS += device/samsung/universal8895-common/sepolicy
BOARD_SEPOLICY_VERS := $(PLATFORM_SDK_VERSION).0
-allow adbd proc_last_kmsg:file { getattr read };
+allow adbd proc_last_kmsg:file { getattr read open };
--- /dev/null
+allow apexd sysfs_virtual:file { read write };
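Review bot: `allow apexd sysfs_virtual:file { read write };` grants write on `sysfs_virtual`, which this same diff keeps declared in file.te as a broad `sysfs_type, mlstrustedobject` label, so the grant covers every node carrying that type rather than the one apexd presumably touched. apexd has no obvious reason to write sysfs at all, so this reads like a single denial transcribed into policy; the denial should be re-checked and, if the write is genuine, the node given its own label or the rule narrowed to `read`. The new file also lacks a comment naming the node, e.g. `# /sys/devices/virtual/<node> — TODO record the path that triggered this`.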
### efs types
-type app_efs_file, file_type;
-type battery_efs_file, file_type;
-type cpk_efs_file, file_type;
type gatekeeper_efs_file, file_type;
type radio_factoryapp_efs_file, file_type;
-type imei_efs_file, file_type;
-type bin_nv_data_efs_file, file_type;
-type prov_efs_file, file_type;
-type sec_efs_file, file_type;
-type wifi_efs_file, file_type;
type factoryprop_efs_file, file_type;
type sensor_factoryapp_efs_file, file_type;
type factorymode_factoryapp_efs_file, file_type;
type baro_delta_factoryapp_efs_file, file_type;
# gps
-type gps_vendor_data_file, file_type, data_file_type;
type gps_socket, file_type;
# debugfs types
type display_vendor_data_file, file_type, data_file_type;
type fingerprintd_vendor_data_file, data_file_type, file_type;
type mediadrm_data_file, file_type, data_file_type;
-type radio_vendor_data_file, data_file_type, file_type;
type mobicore_data_file, data_file_type, core_data_file_type, file_type;
# sysfs types
type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_input, fs_type, sysfs_type, mlstrustedobject;
type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_iio, fs_type, sysfs_type, mlstrustedobject;
type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject;
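Review bot: Several types deleted here are still referenced by rules and contexts this diff keeps: `bin_nv_data_efs_file` and `cpk_efs_file` in file_contexts, `sysfs_iio` in hal_sensors_default.te, `sysfs_input` in a new init.te line, `gps_vendor_data_file` in init.te, `app_efs_file` in kernel.te and `radio_vendor_data_file` in rild.te. That only builds if the two sepolicy.mk includes added at the top of this diff declare every one of them; checkpolicy fails on the first undeclared type, so this deserves an actual build rather than an assumption. Conversely `fingerprintd_vendor_data_file` is kept although its only file_contexts entry (`/data/vendor/biometrics`) and its only consumer rules are removed in this diff, leaving a dead type; either drop it or add a comment naming which policy still uses it.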
/dev/mtp_usb* u:object_r:mtp_device:s0
/dev/usb(/.*)? u:object_r:usb_device:s0
-# sensors
-/dev/batch_io u:object_r:sensor_device:s0
-/dev/ssp_sensorhub u:object_r:sensor_device:s0
-
# adbroot and storaged
/dev/stune(/.*)? u:object_r:cgroup:s0
/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
/efs/FactoryApp/gyro_cal_data u:object_r:sensor_factoryapp_efs_file:s0
-/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
-/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
-/efs/imei(/.*)? u:object_r:imei_efs_file:s0
/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
-/efs/prov(/.*)? u:object_r:prov_efs_file:s0
-/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
-/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
/efs/wv\.keys u:object_r:cpk_efs_file:s0
/efs/factory\.prop u:object_r:factoryprop_efs_file:s0
/efs/TEE(/.*)? u:object_r:gatekeeper_efs_file:s0
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
-/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0
-
-# gps
-/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0
# livedisplay
/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
# mobicore
/data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0
-# biometrics
-/data/vendor/biometrics(/.*)? u:object_r:fingerprintd_vendor_data_file:s0
-
# camera
/data/camera(/.*)? u:object_r:camera_data_file:s0
# modem
/sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
-####################################
# Lineage hals
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@[0-9]\.[0-9]-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+
# hidl services
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0
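Review bot: The exec labels for the fingerprint, light and power HAL binaries are removed while rules for `hal_fingerprint_default`, `hal_light_default` and `hal_power_default` remain elsewhere in this diff, so those binaries must now receive their `*_exec` label from the included samsung_slsi or lineage policy; if they do not, they stay labelled `vendor_file` and init will typically refuse to start them in its own domain. The widened `@[0-9]\.[0-9]` patterns only match single-digit versions, so a `1.10` service would silently fall back to the default label; `@[0-9]+\.[0-9]+` would cover that. A short comment over the widened lines saying why the versions are no longer pinned would make the intent clear.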
--- /dev/null
+allow hal_bluetooth_default sysfs:file write;
+allow hal_bluetooth_default vendor_default_prop:property_service set;
+allow hal_bluetooth_default vendor_firmware_file:dir { open read };
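Review bot: `sysfs:file write` and `vendor_default_prop:property_service set` both target catch-all types, so the first line covers every sysfs node that has no dedicated label and the second every vendor property without one; neither records which node or property the HAL actually needs. The intended fix is to label the node in genfs_contexts and the property in property_contexts, then allow only those types; at minimum a comment such as `# /sys/<node> and <prop> — labels TBD` should record the intent. `vendor_firmware_file:dir { open read }` lacks `search`, so a path walk into the directory will still be denied; `r_dir_perms` is the usual macro.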
-# allow hal_fingerprint_default to communicate with various devices
-binder_call(system_app, hal_fingerprint_default)
-
-# kernel fp device
-allow hal_fingerprint_default fingerprint_device:chr_file { open read write ioctl getattr };
-
-# secure memory device
-allow hal_fingerprint_default secmem_device:chr_file { open read write ioctl };
-
-# trust zone device
-allow hal_fingerprint_default tee_device:chr_file { open read write ioctl };
-allow hal_fingerprint_default tee:unix_stream_socket connectto;
-
-# /data/vendor/biometrics/*
-allow hal_fingerprint_default fingerprintd_vendor_data_file:dir { rmdir read write remove_name create open add_name search };
-allow hal_fingerprint_default fingerprintd_vendor_data_file:file { write create read rename open getattr unlink };
-
-# sysfs_virtual
-allow hal_fingerprint_default sysfs_virtual:dir search;
-allow hal_fingerprint_default sysfs_virtual:file { open read };
+allow hal_fingerprint_default fingerprint_device:chr_file ioctl;
+allow hal_fingerprint_default fingerprintd_data_file:dir write;
+allow hal_fingerprint_default tee_device:chr_file { ioctl open read write };
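Review bot: `fingerprintd_data_file:dir write` on its own is not a usable grant — creating or removing an entry also needs `add_name`/`remove_name` and `search` — so this looks like the first denial of a longer sequence rather than a final rule; likewise `fingerprint_device:chr_file ioctl` without `open read write`. If the included samsung_slsi policy already supplies the base permissions this is fine, otherwise expect follow-up denials; `allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms;` is the conventional form once the need is confirmed. The removed block documented each target (`# kernel fp device`, `# trust zone device`); the three surviving rules would benefit from the same comments.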
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create read };
-allow hal_graphics_composer_default servicemanager:binder call;
-allow hal_graphics_composer_default vendor_data_file:file { append getattr open };
-allow hal_graphics_composer_default vndbinder_device:chr_file read;
+# hal_graphics_composer_default.te
-# /dev/fimg2d
-allow hal_graphics_composer_default video_device:chr_file { open read write ioctl };
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
+
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
+
+# cgroup tasks
+allow hal_graphics_composer_default cgroup:file getattr;
+
+# /data/vendor/log/hwc
+allow hal_graphics_composer_default log_vendor_data_file:dir rw_dir_perms;
+allow hal_graphics_composer_default log_vendor_data_file:file create_file_perms;
+
+# /dev/g2d
+allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
+
+# /dev/video50
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+
+# /sys/devices/soc0/revision
+allow hal_graphics_composer_default sysfs_socinfo:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_socinfo:file r_file_perms;
+
+# /sys/devices/platform/19030000.decon_f/psr_info
+allow hal_graphics_composer_default sysfs_decon:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_decon:file r_file_perms;
+
+# /sys/devices/platform/19030000.decon_f/vsync
+allow hal_graphics_composer_default sysfs_ss_writable:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_ss_writable:file r_file_perms;
+
+# /sys/kernel/debug/dma_buf/footprint/[0-9]+
+allow hal_graphics_composer_default debugfs_ion_dma:dir r_dir_perms;
+allow hal_graphics_composer_default debugfs_ion_dma:file r_file_perms;
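Review bot: The two `debugfs_ion_dma` rules at the end give a vendor HAL read access to debugfs, which newer platform policy restricts on user builds; wrapping those two lines in the `userdebug_or_eng` macro keeps the dma_buf footprint reporting for debug builds without carrying debugfs access into production policy. The `# hal_graphics_composer_default.te` line is a filename comment inside the file itself and adds nothing, whereas the per-node comments that follow (`# /dev/g2d`, `# /dev/video50`) are the useful pattern and worth keeping consistently. Whether the `hal_client_domain` and `vndbinder_use` macros duplicate rules the newly included common policy already provides cannot be told from this diff.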
r_dir_file(hal_health_default, sysfs_charger)
allow hal_health_default sysfs_charger:file rw_file_perms;
+allow hal_health_default sysfs_battery:dir { open read search };
-allow hal_light_default sysfs_brightness:file { open read write getattr };
+allow hal_light_default sysfs_graphics:file { getattr open read write };
allow hal_light_default sysfs_virtual:dir search;
-allow hal_light_default sysfs_virtual:file { read write open getattr };
-allow hal_light_default sysfs_graphics:file { open read getattr write };
+allow hal_light_default sysfs_virtual:file { open write getattr };
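Review bot: The `sysfs_graphics` rule is deleted and re-added with the same four permissions in a different order, so the hunk shows churn rather than a change; keeping the original line makes the real change — dropping `read` from `sysfs_virtual:file` — visible. Dropping `read` is only correct if the light HAL never reads brightness back from that node; if it does, the denial will return. A comment on the sysfs_virtual line naming the node would make that easy to confirm.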
-# Allow reading of sysfs nodes to find input devices
-
-allow hal_power_default sysfs_devices_system_cpu:file write;
-
-allow hal_power_default sysfs_input:dir { open read search getattr };
-allow hal_power_default sysfs_input:file { open read write getattr };
-
-allow hal_power_default sysfs_virtual:dir { open read search };
-allow hal_power_default sysfs_virtual:file { open read write getattr };
-
-allow hal_power_default sysfs:dir { read open };
-allow hal_power_default sysfs:file { read write open };
-
-allow hal_power_default sysfs_brightness:file rw_file_perms;
-allow hal_power_default sysfs_graphics:file { getattr read open };
\ No newline at end of file
+allow hal_power_default sysfs_graphics:file read;
-# /efs/FactoryApp/
-allow hal_sensors_default app_efs_file:dir rw_dir_perms;
-allow hal_sensors_default app_efs_file:file { rw_file_perms setattr };
-
-# /efs
-allow hal_sensors_default efs_file:dir r_dir_perms;
-
-# sensor_device
-allow hal_sensors_default sensor_device:chr_file rw_file_perms;
-
-# iio_device
-allow hal_sensors_default iio_device:chr_file { open read };
-
-# sysfs_iio
-allow hal_sensors_default sysfs_iio:file { open read getattr write };
-allow hal_sensors_default sysfs_iio:dir { open read search };
+allow hal_sensors_default sysfs:file { open read write };
allow hal_sensors_default sysfs_iio:lnk_file read;
-
-# sysfs_virtual
-allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
-allow hal_sensors_default sysfs_virtual:file rw_file_perms;
-
-allow hal_sensors_default sysfs:file { open read getattr write };
+allow hal_sensors_default sysfs_virtual:dir search;
+allow hal_sensors_default sysfs_virtual:file { read write open };
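Review bot: `allow hal_sensors_default sysfs:file { open read write };` keeps write access to the generic `sysfs` type, which covers every sysfs node without a label of its own; the dedicated `sysfs_iio` file and dir rules being removed in the same hunk suggests those accesses migrated to the catch-all rather than to a narrower label. If the iio nodes are now labelled by the included policy, the generic write can probably go; if not, labelling them and dropping this line is the safer direction. The surviving `sysfs_iio:lnk_file read` context line relies on `sysfs_iio` still being declared somewhere, since this diff deletes it from file.te.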
--- /dev/null
+allow hal_vibrator_default sysfs_virtual:dir search;
+allow hal_vibrator_default sysfs_virtual:file { open write getattr };
+++ /dev/null
-allow hal_wifi_hostapd_default sysfs_virtual:dir search;
-allow hal_wifi_hostapd_default sysfs_virtual:lnk_file { getattr read };
allow init rild:unix_stream_socket connectto;
allow init self:netlink_kobject_uevent_socket { create setopt };
-allow init socket_device:sock_file create;
+allow init socket_device:sock_file { create setattr unlink };
allow init sysfs_devices_system_cpu:file write;
allow init vendor_data_file:fifo_file write;
allow init vendor_data_file:file append;
allow init fwmarkd_socket:sock_file write;
allow init nfc:binder call;
allow init nfc_device:chr_file ioctl;
-allow init sysfs_virtual:file { open write };
+
+allow init sysfs_virtual:file { open write setattr };
+allow init sysfs_virtual:lnk_file { read };
+allow init sysfs:file setattr;
+allow init sysfs_multipdp:file setattr;
+allow init sysfs_camera:file setattr;
+allow init sysfs_charger:file setattr;
+allow init sysfs_input:file setattr;
+allow init sysfs_lcd:file setattr;
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_modem:file write;
+
allow init system_server:binder { transfer call };
allow init tee_device:chr_file ioctl;
allow init device:chr_file ioctl;
allow init port:tcp_socket { name_bind name_connect };
allow init gps_vendor_data_file:fifo_file write;
allow init gps_vendor_data_file:file lock;
+allow init socket_device:sock_file { setattr unlink };
+
+allow init proc:file setattr;
+allow init proc_swapiness:file write;
-# LED
allow init sysfs_graphics:file { open read write };
+allow init sysfs_virtual:file read;
unix_socket_connect(init, property, rild)
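Review bot: `allow init sysfs:file setattr;` and `allow init proc:file setattr;` give init chmod/chown over every sysfs and proc node that has no dedicated label, which hides exactly the unlabelled nodes that should be getting a type in genfs_contexts; the per-type `setattr` lines directly below show the intended pattern, so the two catch-all lines are best replaced by labels for whichever nodes still triggered them. `allow init socket_device:sock_file { create setattr unlink };` and the later `allow init socket_device:sock_file { setattr unlink };` are the same rule twice in one file; the second can go. `proc_swapiness` reads like a misspelling of swappiness — confirm the type is actually declared, since an undeclared type fails the build. `allow init sysfs_virtual:lnk_file { read };` has braces around a single permission, and the trailing `sysfs_virtual:file read` could fold into the `{ open write setattr }` rule above it.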
allow kernel app_efs_file:file open;
allow kernel sensor_factoryapp_efs_file:file open;
-allow kernel device:chr_file { getattr setattr unlink };
+allow kernel device:chr_file { getattr setattr unlink create };
allow kernel device:dir { add_name remove_name rmdir write };
allow kernel self:capability { mknod };
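Review bot: Adding `create` lets the `kernel` domain make device nodes under `/dev` directly, bypassing ueventd's labelling path, and together with the `mknod` capability and `device:dir add_name` already present it is a broad grant for a domain that should rarely create files. A comment naming the driver that does this, e.g. `# <driver> creates its node itself — TODO record`, would justify it, and the build should be checked for a neverallow on kernel file creation.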
allow rild radio_vendor_data_file:file { create ioctl lock getattr read write open unlink };
allow rild radio_vendor_data_file:dir { add_name write open read remove_name };
+allow rild radio_data_file:file { open read };
allow rild proc_qtaguid_stat:file read;
+
+allow rild factoryprop_efs_file:file { open read write };
+
+allow rild init:file getattr;
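Review bot: `allow rild factoryprop_efs_file:file { open read write };` grants write on `/efs/factory.prop` (labelled `factoryprop_efs_file` in this diff's file_contexts) to the RIL daemon; if the denial that motivated it was read-only, `write` should be dropped, since that file presumably holds provisioning data rather than runtime state. `allow rild init:file getattr;` is a stat of the init binary itself and looks like a byproduct of something walking `/proc/1/exe` or similar; a comment recording the trigger would help, as it reads as accidental. The blank-line spacing between the three added rules is also inconsistent with the file's compact style.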
--- /dev/null
+allow vendor_init mobicore_data_file:dir setattr;