+++ /dev/null
-type vendor_ims_app, domain;
init_daemon_domain(netutils_wrapper)
allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
+
+allow netutils_wrapper self:packet_socket create_socket_perms_no_ioctl;
+allow netutils_wrapper node:rawip_socket node_bind;
+allow netutils_wrapper port:udp_socket name_bind;
+allow netutils_wrapper node:udp_socket node_bind;
+
+dontaudit netutils_wrapper self:capability dac_override;
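Review bot: The packet_socket, rawip node_bind and udp name_bind rules on L6–L9 widen netutils_wrapper, which as I understand it is the platform helper that runs network tools on behalf of other domains, and nothing in the hunk says which invocation needs raw sockets or a bound UDP port. `allow netutils_wrapper port:udp_socket name_bind;` also targets the generic `port` type, i.e. every port that has no dedicated port type, not just the one the caller uses. I would add a comment above L6 naming the tool and its traffic, e.g. `# <tool> run through netutils_wrapper sends raw/packet frames and binds a UDP source port`, and bind to a dedicated port type if the port is fixed. The `dontaudit ... dac_override` on L11 silences a denial that likely points at a file-ownership or mode problem; fixing the ownership is preferable to hiding it.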
+++ /dev/null
-user=radio seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app
-user=radio seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app
type charonservice, domain, mlstrustedsubject;
type charonservice_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(charonservice)
+
+allow charonservice misc_vendor_data_file:dir create_dir_perms;
+allow charonservice misc_vendor_data_file:file create_file_perms;
+
+allow charonservice misc_vendor_data_file:sock_file create_file_perms;
+
+allow charonservice self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow charonservice self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+allow charonservice self:udp_socket create_socket_perms;
+allow charonservice port:udp_socket name_bind;
+allow charonservice node:udp_socket node_bind;
+allowxperm charonservice self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+allow charonservice self:capability { chown net_admin net_bind_service net_raw };
+allow charonservice self:capability2 wake_alarm;
+
+allow charonservice proc_net:file rw_file_perms;
+
+allowxperm charonservice tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
+allow charonservice tun_device:chr_file rw_file_perms;
+allow charonservice self:tun_socket create;
+allow charonservice vendor_ims_app:unix_stream_socket connectto;
+
+# reading/writing net.dns* props is not allowed anymore
+# https://android-review.googlesource.com/c/platform/system/sepolicy/+/1226955
+dontaudit charonservice net_dns_prop:file read;
+dontaudit charonservice net_dns_prop:property_service set;
+
+unix_socket_connect(charonservice, property, init)
+
+set_prop(charonservice, vendor_ims_prop)
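Review bot: `allow charonservice proc_net:file rw_file_perms;` on L35 grants write access to everything labeled proc_net, which on AOSP includes the /proc/sys/net tunables (forwarding, rp_filter, redirects) and is far broader than an IKE/IPsec daemon should need. Unless a specific sysctl write is required, reduce it to `allow charonservice proc_net:file r_file_perms;`, and if one is required, name the path in a comment so the grant stays scoped. The `chown` capability on L32 is also unusual for this kind of daemon; a comment stating which file it re-owns (presumably a socket or file under misc_vendor_data_file handed to vendor_ims_app) would justify keeping it. Note that the domain is `mlstrustedsubject` (L15, context), so none of these rules are further constrained by MLS.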
type camera_vendor_data_file, file_type, data_file_type;
type chargeonly_data_file, file_type, data_file_type;
type mediadrm_vendor_data_file, file_type, data_file_type;
+type misc_vendor_data_file, file_type, data_file_type;
type mobicore_data_registry_file, file_type, data_file_type;
type rild_vendor_data_file, file_type, data_file_type;
type sensor_vendor_data_file, file_type, data_file_type;
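Review bot: `misc_vendor_data_file` on L53 is a catch-all name for a type that, elsewhere in this change (L19–L22 and L115–L118), two different domains get full dir/file/sock_file create rights on, making /data/vendor/misc a shared writable rendezvous between a daemon and an app domain. A purpose-specific name such as `ims_vendor_data_file`, or at least a comment `# shared by charonservice and vendor_ims_app for their unix socket`, would make that sharing visible and discourage other domains from being added to a "misc" bucket later.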
/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:misc_vendor_data_file:s0
/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
/data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_registry_file:s0
type vendor_audio_prop, property_type;
type vendor_camera_prop, property_type;
type vendor_hwc_prop, property_type;
+type vendor_ims_prop, property_type;
type moto_boot_prop, property_type;
type rmnet_mux_prop, property_type;
type vendor_wifi_prop, property_type;
# Camera
persist.vendor.sys.camera. u:object_r:vendor_camera_prop:s0
+# Charon
+vendor.charon u:object_r:vendor_ims_prop:s0
+vendor.charon.route u:object_r:vendor_ims_prop:s0
+custom.charon.status u:object_r:vendor_ims_prop:s0
+
# HWC
ro.vendor.ddk.set.afbc u:object_r:vendor_hwc_prop:s0
# Radio
-persist.vendor.radio.cp. u:object_r:vendor_radio_prop:s0
+persist.vendor.radio. u:object_r:vendor_radio_prop:s0
persist.vendor.ril. u:object_r:vendor_radio_prop:s0
ro.product.model.dm u:object_r:vendor_radio_prop:s0
ro.radio.imei.sv u:object_r:vendor_radio_prop:s0
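Review bot: `vendor.charon.route` on L74 is redundant: property_contexts entries are prefix matches, so `vendor.charon` on L73 already covers `vendor.charon.route` and maps it to the same type; drop L74 or, if exact keys are intended, mark both entries `exact`. `custom.charon.status` on L75 lies outside the `vendor.` namespace; as far as I know the vendor property-namespace check rejects vendor-defined keys without a vendor prefix unless the build opts out, so confirm it passes or rename it to `vendor.charon.status`. The L80→L81 change widens `persist.vendor.radio.cp.` to `persist.vendor.radio.`, so every domain with set_prop on vendor_radio_prop (rild, vendor_init, vendor_ims_app in this change) can now write any `persist.vendor.radio.*` key; a one-line comment stating that this is intentional would help the next reader.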
binder_call(rild, gpsd)
binder_call(rild, hal_audio_default)
binder_call(rild, hal_secure_element_default)
+binder_call(rild, vendor_ims_app)
get_prop(rild, system_boot_reason_prop)
set_prop(rild, vendor_radio_prop)
--- /dev/null
+user=radio seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app
+user=radio seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app
+user=radio seinfo=platform name=com.shannon.rcsservice domain=vendor_rcs_app
+user=radio seinfo=platform name=com.shannon.rcsservice:remote domain=vendor_rcs_app
allow system_server proc_last_kmsg:file r_file_perms;
+get_prop(system_server, vendor_radio_prop)
get_prop(system_server, vendor_security_patch_level_prop)
--- /dev/null
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app {
+ app_api_service
+ radio_service
+ registry_service
+}:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app radio_data_file:dir rw_dir_perms;
+allow vendor_ims_app radio_data_file:file create_file_perms;
+
+allow vendor_ims_app misc_vendor_data_file:dir create_dir_perms;
+allow vendor_ims_app misc_vendor_data_file:file create_file_perms;
+
+allow vendor_ims_app misc_vendor_data_file:sock_file create_file_perms;
+
+allow vendor_ims_app dnsproxyd_socket:sock_file write;
+allow vendor_ims_app self:udp_socket create_socket_perms;
+
+allow vendor_ims_app netd:unix_stream_socket connectto;
+allow vendor_ims_app node:udp_socket node_bind;
+
+allow vendor_ims_app charonservice:unix_stream_socket connectto;
+allow vendor_ims_app self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# no idea why, /system/etc/hosts
+dontaudit vendor_ims_app system_file:file lock;
+
+set_prop(vendor_ims_app, radio_prop)
+set_prop(vendor_ims_app, vendor_ims_prop)
+set_prop(vendor_ims_app, vendor_radio_prop)
+
+binder_call(vendor_ims_app, rild)
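Review bot: `set_prop(vendor_ims_app, radio_prop)` on L132 lets this vendor-side app domain write the platform-owned `radio_prop` properties in addition to the vendor ones on L133–L134, crossing the system/vendor property boundary, and the file does not say which key needs it. Add a comment naming the property, or move that key into vendor_ims_prop if it is vendor-defined, so the grant can be narrowed. Lines L120, L121, L123 and L124 hand-write the dnsproxyd and UDP rules that the platform's `net_domain()` macro already expresses; `net_domain(vendor_ims_app)` beside `app_domain(vendor_ims_app)` on L101 would replace them with the conventional form. The `dontaudit ... system_file:file lock` on L130 is acceptable as a noise suppressor, but the comment should record what was observed (`# takes a file lock on /system/etc/hosts while reading it; harmless`) rather than `no idea why`.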
set_prop(vendor_init, moto_boot_prop)
set_prop(vendor_init, rmnet_mux_prop)
+set_prop(vendor_init, vendor_radio_prop)
--- /dev/null
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)