BOARD_SEPOLICY_TEE_FLAVOR := mobicore
include device/samsung_slsi/sepolicy/sepolicy.mk
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(COMMON_PATH)/sepolicy/private
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
# Properties
TARGET_SYSTEM_PROP += $(COMMON_PATH)/system.prop
--- /dev/null
+type clean_scratch_files, domain;
+type clean_scratch_files_exec, exec_type, file_type, system_file_type;
+typeattribute clean_scratch_files coredomain;
+
+init_daemon_domain(clean_scratch_files)
+
+allow clean_scratch_files metadata_file:dir search;
--- /dev/null
+type fm_device, dev_type;
+type pktrouter_device, dev_type;
--- /dev/null
+get_prop(domain, vendor_exported_system_prop)
--- /dev/null
+####################################
+# Daemons
+#
+
+/system/bin/clean_scratch_files u:object_r:clean_scratch_files_exec:s0
+/system/bin/wfc-pkt-router u:object_r:netutils_wrapper_exec:s0
+
+##########################
+# Devices
+#
+
+/dev/radio0 u:object_r:fm_device:s0
+/dev/umts_wfc0 u:object_r:pktrouter_device:s0
+/dev/umts_wfc1 u:object_r:pktrouter_device:s0
--- /dev/null
+init_daemon_domain(netutils_wrapper)
+allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
--- /dev/null
+dontaudit otapreopt_chroot system_file:dir mounton;
--- /dev/null
+type vendor_exported_system_prop, property_type;
--- /dev/null
+ro.vendor.qti.va_aosp.support u:object_r:vendor_exported_system_prop:s0 exact bool
--- /dev/null
+allow system_app fm_device:chr_file rw_file_perms;
+
+binder_call(system_app, storaged)
--- /dev/null
+type abox, domain, mlstrustedsubject;
+type abox_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(abox)
+
+allow abox sysfs_abox_writable:file rw_file_perms;
+
+allow abox self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
--- /dev/null
+attribute vendor_persist_type;
--- /dev/null
+get_prop(bluetooth, vendor_audio_prop)
--- /dev/null
+allow cbd modem_block_device:blk_file r_file_perms;
+
+get_prop(cbd, exported3_radio_prop)
+set_prop(cbd, vendor_radio_prop)
--- /dev/null
+type charge_only, domain;
+type charge_only_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(charge_only)
+
+allow charge_only chargeonly_data_file:dir rw_dir_perms;
+allow charge_only chargeonly_data_file:file create_file_perms;
+
+allow charge_only {
+ graphics_device
+ input_device
+}:dir r_dir_perms;
+
+allow charge_only {
+ graphics_device
+ input_device
+ kmsg_device
+}:chr_file rw_file_perms;
+
+r_dir_file(charge_only, sysfs_battery)
+r_dir_file(charge_only, sysfs_battery_writable)
+r_dir_file(charge_only, sysfs_leds)
+
+allow charge_only {
+ sysfs_backlight_writable
+ sysfs_power
+}:file rw_file_perms;
+
+allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+unix_socket_connect(charge_only, property, init)
+
+binder_call(charge_only, hwservicemanager)
+
+get_prop(charge_only, hwservicemanager_prop)
+set_prop(charge_only, powerctl_prop)
+
+dontaudit charge_only self:capability { dac_override net_admin };
--- /dev/null
+type charonservice, domain, mlstrustedsubject;
+type charonservice_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(charonservice)
--- /dev/null
+type bl_block_device, dev_type;
+type bllogs_block_device, dev_type;
+type bootloader_block_device, dev_type;
+type carrier_block_device, dev_type;
+type cid_block_device, dev_type;
+type fat_block_device, dev_type;
+type gnss_device, dev_type;
+type hw_block_device, dev_type;
+type keystorage_block_device, dev_type;
+type kpan_block_device, dev_type;
+type ldfw_block_device, dev_type;
+type logo_block_device, dev_type;
+type oem_block_device, dev_type;
+type persist_block_device, dev_type;
+type proinfo_block_device, dev_type;
+type slotinfo_block_device, dev_type;
+type utags_block_device, dev_type;
+type vbmeta_block_device, dev_type;
+type vendor_block_device, dev_type;
+type vendor_nanohub_device, dev_type;
+type vendor_secmem_device, dev_type;
--- /dev/null
+allow domain {
+ debugfs_ion_dma
+ debugfs_mali
+ debugfs_mali_mem
+}:dir search;
--- /dev/null
+type exynos-thermald, domain, mlstrustedsubject;
+type exynos-thermald_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(exynos-thermald)
+
+r_dir_file(exynos-thermald, sysfs_battery)
+r_dir_file(exynos-thermald, sysfs_thermal)
+
+allow exynos-thermald {
+ sysfs_backlight_writable
+ sysfs_battery_writable
+ sysfs_cpuhotplug_writable
+ sysfs_devices_system_cpu
+ sysfs_fimc_writable
+ sysfs_mali_writable
+}:file rw_file_perms;
+
+allow exynos-thermald log_vendor_data_file:dir ra_dir_perms;
+allow exynos-thermald log_vendor_data_file:file create_file_perms;
--- /dev/null
+# data types
+type camera_vendor_data_file, file_type, data_file_type;
+type chargeonly_data_file, file_type, data_file_type;
+type mediadrm_vendor_data_file, file_type, data_file_type;
+type mobicore_data_registry_file, file_type, data_file_type;
+type rild_vendor_data_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type;
+type thermal_vendor_data_file, file_type, data_file_type;
+
+# debug types
+type debugfs_mali, fs_type, debugfs_type;
+type debugfs_mali_mem, fs_type, debugfs_type;
+type debugfs_ion, fs_type, debugfs_type;
+type debugfs_ion_dma, fs_type, debugfs_type;
+
+# persist types
+type persist_file, file_type, vendor_persist_type;
+type persist_audio_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_gk_file, file_type, vendor_persist_type;
+type persist_keymaster_file, file_type, vendor_persist_type;
+type persist_mobicore_file, file_type, vendor_persist_type;
+type persist_security_file, file_type, vendor_persist_type;
+type persist_sensor_file, file_type, vendor_persist_type;
+
+# proc types
+type proc_last_kmsg, fs_type, proc_type;
+type proc_printk, fs_type, proc_type;
+type proc_reap_mem_on_sigkill, fs_type, proc_type;
+type proc_swappiness, fs_type, proc_type;
+
+# sysfs types
+type sysfs_abox_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_chipid, sysfs_type, r_fs_type, fs_type;
+type sysfs_cpuhotplug_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_decon, sysfs_type, r_fs_type, fs_type;
+type sysfs_decon_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_fimc_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_mali_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_nanohub, sysfs_type, r_fs_type, fs_type;
+type sysfs_rbs, fs_type, sysfs_type;
+type sysfs_scheduler, fs_type, sysfs_type;
+type sysfs_socinfo, fs_type, sysfs_type;
+type sysfs_v4l, sysfs_type, r_fs_type, fs_type;
--- /dev/null
+####################################
+# Daemons
+#
+
+/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0
+/(vendor|system/vendor)/bin/charge_only_mode u:object_r:charge_only_exec:s0
+/(vendor|system/vendor)/bin/charon u:object_r:charonservice_exec:s0
+/(vendor|system/vendor)/bin/exynos-thermald u:object_r:exynos-thermald_exec:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
+
+####################################
+# Data Files
+
+/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_registry_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/chargeonlymode(/.*)? u:object_r:chargeonly_data_file:s0
+
+##########################
+# Devices
+#
+
+/dev/block/(.*/)?by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/(.*/)?by-name/bootloader(_[ab])? u:object_r:bootloader_block_device:s0
+/dev/block/(.*/)?by-name/carrier u:object_r:carrier_block_device:s0
+/dev/block/(.*/)?by-name/cid u:object_r:cid_block_device:s0
+/dev/block/(.*/)?by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/(.*/)?by-name/efsbk u:object_r:efs_block_device:s0
+/dev/block/(.*/)?by-name/efs u:object_r:efs_block_device:s0
+/dev/block/(.*/)?by-name/fat u:object_r:fat_block_device:s0
+/dev/block/(.*/)?by-name/frp u:object_r:frp_block_device:s0
+/dev/block/(.*/)?by-name/hw u:object_r:hw_block_device:s0
+/dev/block/(.*/)?by-name/keystorage(_[ab])? u:object_r:keystorage_block_device:s0
+/dev/block/(.*/)?by-name/kpan u:object_r:kpan_block_device:s0
+/dev/block/(.*/)?by-name/ldfw(_[ab])? u:object_r:ldfw_block_device:s0
+/dev/block/(.*/)?by-name/logo(_[ab])? u:object_r:logo_block_device:s0
+/dev/block/(.*/)?by-name/logs u:object_r:bllogs_block_device:s0
+/dev/block/(.*/)?by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/(.*/)?by-name/misc u:object_r:misc_block_device:s0
+/dev/block/(.*/)?by-name/modem(_[ab])? u:object_r:modem_block_device:s0
+/dev/block/(.*/)?by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/(.*/)?by-name/persist([0-9])? u:object_r:persist_block_device:s0
+/dev/block/(.*/)?by-name/persist u:object_r:persist_block_device:s0
+/dev/block/(.*/)?by-name/proinfo u:object_r:proinfo_block_device:s0
+/dev/block/(.*/)?by-name/proinfo_backup u:object_r:proinfo_block_device:s0
+/dev/block/(.*/)?by-name/slotinfo u:object_r:slotinfo_block_device:s0
+/dev/block/(.*/)?by-name/sp u:object_r:bl_block_device:s0
+/dev/block/(.*/)?by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/(.*/)?by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/(.*/)?by-name/utagsBackup u:object_r:utags_block_device:s0
+/dev/block/(.*/)?by-name/utags u:object_r:utags_block_device:s0
+/dev/block/(.*/)?by-name/vbmeta(_[ab])? u:object_r:vbmeta_block_device:s0
+/dev/block/(.*/)?by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+
+/dev/block/zram0 u:object_r:swap_block_device:s0
+
+/dev/chub_dev u:object_r:vendor_nanohub_device:s0
+
+/dev/g2d u:object_r:graphics_device:s0
+
+/dev/gnss_ipc u:object_r:gnss_device:s0
+
+/dev/mali[0-9] u:object_r:gpu_device:s0
+
+/dev/nanohub u:object_r:vendor_nanohub_device:s0
+
+/dev/s5p-smem u:object_r:vendor_secmem_device:s0
+
+/dev/scsc_h4_0 u:object_r:bt_device:s0
+
+/dev/sec-nfc u:object_r:nfc_device:s0
+
+/dev/ttyGS[0-3]* u:object_r:serial_device:s0
+
+####################################
+# HIDL
+#
+
+/(vendor|system/vendor)/bin/hw/android.hardware.biometrics.fingerprint@2.1-service-rbs u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.drm@1.3-service.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.drm@1.2-service.widevine u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.nfc@1.2-service.samsung u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.secure_element@1.1-service-uicc u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android.hardware.vibrator@1.0-service.exynos9610 u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor.samsung.hardware.gnss@1.0-service u:object_r:hal_gnss_default_exec:s0
+
+####################################
+# Persist Files
+
+/mnt/vendor/persist(/.*)? u:object_r:persist_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/mnt/vendor/persist/factory/audio(/.*)? u:object_r:persist_audio_file:s0
+/mnt/vendor/persist/gk(/.*)? u:object_r:persist_gk_file:s0
+/mnt/vendor/persist/mobicore(/.*)? u:object_r:persist_mobicore_file:s0
+/mnt/vendor/persist/security(/.*)? u:object_r:persist_security_file:s0
+/mnt/vendor/persist/sensor(/.*)? u:object_r:persist_sensor_file:s0
+/mnt/vendor/persist/sensortype u:object_r:persist_sensor_file:s0
+/mnt/vendor/persist/sensorcal.json u:object_r:persist_sensor_file:s0
+/mnt/vendor/persist/security/attest_keybox.so u:object_r:persist_keymaster_file:s0
+/mnt/vendor/persist/wv.keys u:object_r:persist_security_file:s0
+
+####################################
+# Same-process HAL files and their dependencies
+#
+
+/(vendor|system/vendor)/lib(64)?/hw/[a-zA-Z0-9_\-.]+\.exynos[0-9]*\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos.so u:object_r:same_process_hal_file:s0
--- /dev/null
+allow fsck self:capability kill;
--- /dev/null
+####################################
+# DebugFS
+#
+
+genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
+genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
+genfscon debugfs /ion u:object_r:debugfs_ion:s0
+genfscon debugfs /dma_buf u:object_r:debugfs_ion_dma:s0
+
+####################################
+# Proc
+#
+
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
+genfscon proc /sys/kernel/printk u:object_r:proc_printk:s0
+genfscon proc /sys/vm/reap_mem_on_sigkill u:object_r:proc_reap_mem_on_sigkill:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0
+
+####################################
+# Sysfs
+#
+
+genfscon sysfs /class/power_supply/battery/charge_temp u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/11500000.mali/dvfs_max_lock u:object_r:sysfs_mali_writable:s0
+genfscon sysfs /devices/platform/11500000.mali/dvfs_min_lock u:object_r:sysfs_mali_writable:s0
+genfscon sysfs /devices/platform/11a10000.speedy/i2c-6/6-0000/s2mpu09-rtc/rtc/rtc0/hctosys u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/11a10000.speedy/i2c-7/7-0000/s2mpu09-rtc/rtc/rtc0/hctosys u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/11c30000.adc/iio:device1/11c30000.adc:battery_thermistor/hwmon/hwmon1/temp1_input u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/11c30000.adc/iio:device1/11c30000.adc:board_thermistor/hwmon/hwmon3/temp1_input u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/11c30000.adc/iio:device1/11c30000.adc:cpu_thermistor/hwmon/hwmon0/temp1_input u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/11c30000.adc/iio:device1/11c30000.adc:pa_thermistor/hwmon/hwmon2/temp1_input u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/11c30000.adc/iio:device1/11c30000.adc:usb_con_thermistor/hwmon/hwmon4/temp1_input u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/11d40000.hsi2c/i2c-1/1-005a/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/12c30000.mfc0/video4linux/video6/name u:object_r:sysfs_v4l:s0
+genfscon sysfs /devices/platform/12c30000.mfc0/video4linux/video7/name u:object_r:sysfs_v4l:s0
+genfscon sysfs /devices/platform/13520000.ufs/host0/target0:0:0/0:0:0:0/block/sda/queue/scheduler u:object_r:sysfs_scheduler:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-7/7-003b/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-7/7-003c/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003b/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003c/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/leds-s2mu106/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu00x-battery/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu00x-battery/power_supply/battery/charge_control_limit u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu00x-battery/power_supply/battery/technology u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu00x-battery/power_supply/battery/temp u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu106-charger/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-003d/s2mu106-powermeter/power_supply/s2mu106_pmeter/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-8/8-0041/power_supply/s2mcs02-charger/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/leds-s2mu106/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu00x-battery/factory_charge_upper u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu00x-battery/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu00x-battery/power_supply/battery/charge_control_limit u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu00x-battery/power_supply/battery/technology u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu00x-battery/power_supply/battery/temp u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-charger/power_supply u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-powermeter/power_supply/s2mu106_pmeter/type u:object_r:sysfs_battery:s0
+genfscon sysfs /devices/platform/14490000.fimc_is/debug/fixed_sensor_fps u:object_r:sysfs_fimc_writable:s0
+genfscon sysfs /devices/platform/148b0000.decon_f/psr_info u:object_r:sysfs_decon:s0
+genfscon sysfs /devices/platform/148b0000.decon_f/vsync u:object_r:sysfs_decon_writable:s0
+genfscon sysfs /devices/platform/148e0000.dsim/panel/panel/max_brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/platform/14a50000.abox/service u:object_r:sysfs_abox_writable:s0
+genfscon sysfs /devices/platform/egis_input/navigation_event u:object_r:sysfs_rbs:s0
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_socinfo:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_socinfo:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chipid:s0
+genfscon sysfs /devices/virtual/backlight/backlight_0/brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/virtual/backlight/backlight_0/max_brightness u:object_r:sysfs_backlight_writable:s0
+genfscon sysfs /devices/virtual/nanohub/nanohub/sensortype u:object_r:sysfs_nanohub:s0
+genfscon sysfs /module/scsc_bt/parameters/bluetooth_address u:object_r:sysfs_bt_writable:s0
+genfscon sysfs /power/cpuhp/set_online_cpu u:object_r:sysfs_cpuhotplug_writable:s0
--- /dev/null
+dontaudit gmscore_app mnt_product_file:dir search;
+dontaudit gmscore_app hal_memtrack_hwservice:hwservice_manager find;
--- /dev/null
+allow gpsd gnss_device:chr_file rw_file_perms;
+
+allow gpsd gps_vendor_data_file:dir create_dir_perms;
+allow gpsd gps_vendor_data_file:file create_file_perms;
+allow gpsd gps_vendor_data_file:fifo_file create_file_perms;
+
+allow gpsd self:capability net_raw;
+
+allow gpsd sysfs_socinfo:file r_file_perms;
+
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(gpsd, rild)
+
+get_prop(gpsd, exported3_radio_prop)
+
+wakelock_use(gpsd)
--- /dev/null
+r_dir_file(hal_audio_default, persist_audio_file)
+
+allow hal_audio_default hal_exynos_rild_hwservice:hwservice_manager find;
+
+allow hal_audio_default {
+ mnt_vendor_file
+ persist_file
+}:dir search;
+
+binder_call(hal_audio_default, rild)
+
+vndbinder_use(hal_audio_default);
--- /dev/null
+allow hal_bootctl_default slotinfo_block_device:blk_file rw_file_perms;
--- /dev/null
+allow hal_camera_default camera_vendor_data_file:dir ra_dir_perms;
+allow hal_camera_default camera_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_camera_default, persist_camera_file)
+
+allow hal_camera_default sysfs_battery:dir search;
+r_dir_file(hal_camera_default, sysfs_battery)
+allow hal_camera_default sysfs_battery_writable:file r_file_perms;
+
+allow hal_camera_default sysfs_leds:dir search;
+allow hal_camera_default sysfs_leds:file rw_file_perms;
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+allow hal_camera_default {
+ mnt_vendor_file
+ persist_file
+}:dir search;
+
+binder_call(hal_camera_default, hal_graphics_composer_default)
+binder_call(hal_camera_default, system_server)
+binder_call(system_server, hal_camera_default)
+
+get_prop(hal_camera_default, exported_camera_prop)
+set_prop(hal_camera_default, vendor_camera_prop);
+
+unix_socket_connect(hal_camera_default, property, init)
+
+vndbinder_use(hal_camera_default);
--- /dev/null
+type hal_drm_clearkey, domain;
+hal_server_domain(hal_drm_clearkey, hal_drm);
+
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_clearkey);
--- /dev/null
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm);
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine);
+
+allow hal_drm_widevine {
+ mnt_vendor_file
+ persist_file
+ persist_security_file
+}:dir search;
+
+allow hal_drm_widevine vendor_secmem_device:chr_file rw_file_perms;
+
+allow hal_drm_widevine persist_security_file:file r_file_perms;
+
+allow hal_drm_widevine {
+ mnt_vendor_file
+ persist_security_file
+}:lnk_file r_file_perms;
+
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
--- /dev/null
+allow hal_fingerprint_default fingerprint_vendor_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprint_vendor_data_file:file create_file_perms;
+
+allow hal_fingerprint_default sysfs_rbs:file rw_file_perms;
--- /dev/null
+allow hal_gatekeeper_default {
+ mnt_vendor_file
+ persist_file
+ persist_gk_file
+}:dir search;
+
+allow hal_gatekeeper_default {
+ mnt_vendor_file
+ persist_gk_file
+}:file rw_file_perms;
--- /dev/null
+allow hal_gnss_default gpsd:unix_stream_socket connectto;
--- /dev/null
+get_prop(hal_graphics_allocator_default, vendor_hwc_prop)
--- /dev/null
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator);
+
+allow hal_graphics_composer_default log_vendor_data_file:dir { rw_file_perms add_name search };
+allow hal_graphics_composer_default log_vendor_data_file:file create_file_perms;
+
+allow hal_graphics_composer_default sysfs_chipid:file r_file_perms;
+allow hal_graphics_composer_default sysfs_decon:file r_file_perms;
+allow hal_graphics_composer_default sysfs_decon_writable:file rw_file_perms;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read setopt };
+
+allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
+
+get_prop(hal_graphics_composer_default, vendor_camera_prop)
+get_prop(hal_graphics_composer_default, vendor_hwc_prop)
+
+vndbinder_use(hal_graphics_composer_default);
--- /dev/null
+r_dir_file(hal_health_default, sysfs_battery);
+r_dir_file(hal_health_default, sysfs_battery_writable);
--- /dev/null
+allow hal_keymaster_default {
+ mnt_vendor_file
+ persist_file
+ persist_security_file
+}:dir search;
+
+allow hal_keymaster_default {
+ persist_keymaster_file
+ persist_security_file
+}:file r_file_perms;
--- /dev/null
+r_dir_file(hal_memtrack_default, debugfs_mali);
+r_dir_file(hal_memtrack_default, debugfs_mali_mem);
+r_dir_file(hal_memtrack_default, debugfs_ion);
+r_dir_file(hal_memtrack_default, debugfs_ion_dma);
--- /dev/null
+allow hal_power_default sysfs_mali_writable:file rw_file_perms;
--- /dev/null
+allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(hal_secure_element_default, rild)
+
+get_prop(hal_secure_element_default, exported3_radio_prop)
--- /dev/null
+allow hal_sensors_default vendor_nanohub_device:chr_file rw_file_perms;
+
+allow hal_sensors_default persist_sensor_file:file r_file_perms;
+
+allow hal_sensors_default sensor_vendor_data_file:dir create_dir_perms;
+allow hal_sensors_default sensor_vendor_data_file:file create_file_perms;
+
+allow hal_sensors_default {
+ mnt_vendor_file
+ persist_file
+ persist_sensor_file
+}:dir search;
+
+allow hal_sensors_default {
+ sysfs_input
+ sysfs_nanohub
+}:file r_file_perms;
+
+allow hal_sensors_default mnt_vendor_file:file rw_file_perms;
+
+hal_client_domain(hal_sensors_default, hal_power)
+
+allow hal_sensors_default hal_power_hwservice:hwservice_manager find;
+binder_call(hal_sensors_default, hal_power_default)
--- /dev/null
+r_dir_file(hal_vibrator_default, sysfs_leds)
--- /dev/null
+allow hal_wifi_default wifi_vendor_data_file:dir r_dir_perms;
+allow hal_wifi_default wifi_vendor_data_file:file create_file_perms;
+
+set_prop(hal_wifi_default, vendor_wifi_prop)
--- /dev/null
+type hal_exynos_rild_hwservice, hwservice_manager_type;
--- /dev/null
+vendor.egistec.hardware.fingerprint::IBiometricsFingerprintRbs u:object_r:hal_fingerprint_hwservice:s0
+vendor.samsung.hardware.gnss::ISlsiGnss u:object_r:hal_gnss_hwservice:s0
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
--- /dev/null
+allow init {
+ boot_block_device
+ dtbo_block_device
+ vbmeta_block_device
+ vendor_block_device
+}:lnk_file relabelto;
+
+allow init {
+ efs_file
+ persist_file
+ mnt_product_file
+ mnt_vendor_file
+}:dir mounton;
+
+allow init proc_last_kmsg:file create_file_perms;
+allow init proc_printk:file w_file_perms;
+
+allow init sysfs_scheduler:file create_file_perms;
--- /dev/null
+allow kernel self:capability mknod;
+
+# macros would grant too many perms which run into neverallows
+allow kernel device:chr_file { create getattr setattr unlink };
+allow kernel device:dir { add_name remove_name rmdir write };
--- /dev/null
+hal_client_domain(mediacodec, hal_power);
+r_dir_file(mediacodec, sysfs_v4l);
--- /dev/null
+allow proc_net proc:filesystem associate;
--- /dev/null
+type vendor_audio_prop, property_type;
+type vendor_camera_prop, property_type;
+type vendor_hwc_prop, property_type;
+type moto_boot_prop, property_type;
+type rmnet_mux_prop, property_type;
+type vendor_wifi_prop, property_type;
--- /dev/null
+# Audio
+vendor.audio_hal. u:object_r:vendor_audio_prop:s0
+
+# Boot
+ro.boot.carrier u:object_r:moto_boot_prop:s0
+
+# Camera
+persist.vendor.sys.camera. u:object_r:vendor_camera_prop:s0
+
+# HWC
+ro.vendor.ddk.set.afbc u:object_r:vendor_hwc_prop:s0
+
+# Radio
+persist.vendor.radio.cp. u:object_r:vendor_radio_prop:s0
+persist.vendor.ril. u:object_r:vendor_radio_prop:s0
+ro.product.model.dm u:object_r:vendor_radio_prop:s0
+ro.radio.imei.sv u:object_r:vendor_radio_prop:s0
+vendor.radio.ril. u:object_r:vendor_radio_prop:s0
+vendor.radio.cp. u:object_r:vendor_radio_prop:s0
+vendor.ril. u:object_r:vendor_radio_prop:s0
+
+# Rmnet
+persist.rmnet.mux u:object_r:rmnet_mux_prop:s0
+persist.rmnet.data.enable u:object_r:vendor_default_prop:s0
+
+# Wlan
+vendor.wlan. u:object_r:vendor_wifi_prop:s0
+
+persist.data.wda.enable u:object_r:vendor_default_prop:s0
+persist.data.df. u:object_r:vendor_default_prop:s0
--- /dev/null
+binder_call(radio, gpuservice)
--- /dev/null
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+
+add_hwservice(rild, hal_exynos_rild_hwservice)
+
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, hal_secure_element_default)
+
+get_prop(rild, system_boot_reason_prop)
+set_prop(rild, vendor_radio_prop)
--- /dev/null
+r_dir_file(system_app, proc_pagetypeinfo)
+r_dir_file(system_app, proc_vmallocinfo)
+
+allow system_app sysfs_zram:dir search;
+
+allow system_app sysfs_zram:file rw_file_perms;
+
+dontaudit system_app system_suspend_control_service:service_manager find;
+
+binder_call(system_app, update_engine)
+binder_call(system_app, wificond)
--- /dev/null
+allow system_server proc_last_kmsg:file r_file_perms;
+
+get_prop(system_server, vendor_security_patch_level_prop)
--- /dev/null
+allow tee log_vendor_data_file:dir search;
+
+allow tee {
+ mnt_vendor_file
+ persist_file
+}:dir search;
+
+r_dir_file(tee, persist_mobicore_file)
+
+allow tee mobicore_data_registry_file:dir create_dir_perms;
+allow tee mobicore_data_registry_file:file create_file_perms;
+
+allow tee log_vendor_data_file:file create_file_perms;
+allow tee log_vendor_data_file:dir rw_dir_perms;
--- /dev/null
+allow toolbox self:capability kill;
--- /dev/null
+allow ueventd metadata_file:dir search;
--- /dev/null
+# /dev/blkio/background/tasks
+dontaudit update_engine device:file rw_file_perms;
+
+allow update_engine {
+ dtbo_block_device
+ vbmeta_block_device
+ vendor_block_device
+}:blk_file rw_file_perms;
+
+allow update_engine proc_filesystems:file r_file_perms;
--- /dev/null
+allow vdc vdc:capability kill;
--- /dev/null
+allow vendor_init {
+ debugfs_trace_marker
+ functionfs
+}:file r_file_perms;
+
+allow vendor_init {
+ proc_printk
+ proc_reap_mem_on_sigkill
+ proc_swappiness
+}:file rw_file_perms;
+
+allow vendor_init block_device:lnk_file relabelfrom;
+allow vendor_init proinfo_block_device:lnk_file relabelto;
+
+# symlink /storage/sdcard /mnt/ext_sd
+allow vendor_init tmpfs:dir ra_dir_perms;
+allow vendor_init tmpfs:lnk_file create_file_perms;
+
+allow vendor_init system_data_root_file:dir { relabelto setattr };
+
+allow vendor_init unlabeled:{ dir file } { read getattr relabelfrom };
+
+set_prop(vendor_init, moto_boot_prop)
+set_prop(vendor_init, rmnet_mux_prop)
--- /dev/null
+allow vold {
+ efs_file
+ mnt_product_file
+ mnt_vendor_file
+}:dir r_dir_perms;
projects / GitHub / LineageOS / android_device_motorola_exynos9610-common.git / commitdiff