# Recovery
TARGET_RECOVERY_FSTAB := $(LOCAL_PATH)/ramdisk/etc/fstab.samsungexynos7580
+# SELinux
+BOARD_SEPOLICY_DIRS += device/samsung/universal7580-common/sepolicy
+BOARD_SEPOLICY_VERS := $(PLATFORM_SDK_VERSION).0
+
# Shims
TARGET_LD_SHIM_LIBS := \
/system/lib/omx/libOMX.Exynos.AVC.Decoder.so|/vendor/lib/libui_shim.so \
--- /dev/null
+# Allow rild to connect to gpsd
+unix_socket_connect(audioserver, property, rild)
+
+# /efs/maxim
+allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
+allow audioserver { efs_file sec_efs_file }:file r_file_perms;
+
+# TFA98xx amplifier
+allow audioserver amplifier_device:chr_file rw_file_perms;
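Review bot: The `# Allow rild to connect to gpsd` comment on the first line does not describe the rule under it: `unix_socket_connect(audioserver, property, rild)` lets audioserver, not rild, connect to rild over the property socket, and the "gpsd" wording appears copied from gpsd.te, where the same macro is used. Either the comment or the rule is wrong; if audioserver really needs that socket the comment should say so, e.g. `# Allow audioserver to connect to rild`.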
--- /dev/null
+# /dev/ttySAC3
+allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
+allow hal_bluetooth_default bluetooth_device:chr_file { ioctl open read write };
+
+# /data/.cid.info
+allow bluetooth wifi_data_file:file r_file_perms;
+
+# /efs
+allow hal_bluetooth_default efs_file:dir { search };
+r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
\ No newline at end of file
--- /dev/null
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/camera/*/*_camfw
+allow cameraserver sysfs_camera_writable:file { rw_file_perms open getattr };
+
+# searching for syses nodes
+allow cameraserver sysfs_camera_writable:dir search;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
+
+# /data/media(/.*)?
+allow cameraserver media_rw_data_file:dir r_dir_perms;
+allow cameraserver media_rw_data_file:file r_file_perms;
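Review bot: `rw_file_perms` already contains `open` and `getattr`, so `{ rw_file_perms open getattr }` on the sysfs_camera_writable rule reduces to `allow cameraserver sysfs_camera_writable:file rw_file_perms;`. The same redundancy appears in gpsd.te (`{ open rw_file_perms getattr }`) and ueventd.te (`{ relabelto getattr rw_file_perms }`) in this change. The comment `# searching for syses nodes` should read `sysfs`.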
--- /dev/null
+# modem daemon sec label
+type cpboot-daemon, domain;
+type cpboot-daemon_exec, exec_type, file_type;
+
+net_domain(cpboot-daemon)
+init_daemon_domain(cpboot-daemon)
+wakelock_use(cpboot-daemon)
+set_prop(cpboot-daemon, modemloader_prop)
+
+allow cpboot-daemon self:capability { dac_override setuid setgid };
+
+# FIXME neverallow rule
+# allow cpboot-daemon self:capability mknod;
+allow cpboot-daemon kernel:system syslog_read;
+allow cpboot-daemon cgroup:dir create_dir_perms;
+
+# /dev/log/*
+#allow cpboot-daemon log_device:dir r_dir_perms;
+#allow cpboot-daemon log_device:chr_file rw_file_perms;
+# /dev/kmsg (write to kernel log)
+allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
+
+# /dev/umts_boot0
+allow cpboot-daemon mif_device:chr_file rw_file_perms;
+# /dev/mbin0
+allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
+# /dev/spi_boot_link
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
+# /dev/block/mmcblk0p13
+allow cpboot-daemon block_device:dir r_dir_perms;
+allow cpboot-daemon radio_block_device:blk_file r_file_perms;
+
+# /dev/mipi-lli/lli_control
+allow cpboot-daemon sysfs_mipi_writable:file rw_file_perms;
+
+# /efs
+allow cpboot-daemon efs_file:dir r_dir_perms;
+
+# /efs/nv_data.bin
+allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
+allow cpboot-daemon efs_file:file rw_file_perms;
+
+# /sys/bus/usb/devices/1-2/idVendor
+allow cpboot-daemon sysfs:file r_file_perms;
+
+# /proc/cmdline
+allow cpboot-daemon proc:file r_file_perms;
+
+# set properties on boot
+set_prop(cpboot-daemon, cpboot-daemon_prop)
+set_prop(cpboot-daemon, radio_prop)
+set_prop(cpboot-daemon, system_prop)
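Review bot: `allow cpboot-daemon efs_file:file rw_file_perms;` under the `# /efs/nv_data.bin` comment grants write on every file still carrying the generic efs_file label, while nv_data.bin is already covered by the dedicated bin_nv_data_efs_file rule on the line above; if a second file is needed it should get its own type in file_contexts rather than widening the generic label. Likewise `allow cpboot-daemon sysfs:file r_file_perms;` for `/sys/bus/usb/devices/1-2/idVendor` reads all generic sysfs nodes, where a labelled node would keep it narrow. The commented-out log_device rules and the `# FIXME neverallow rule` mknod line are dead policy and should be removed or turned into a tracked TODO that says which neverallow blocks them.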
--- /dev/null
+# /dev/ttySAC3
+type bluetooth_device, dev_type;
+
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
+type emmcblk_device, file_type;
+
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
+# /dev/rfkill
+type rfkill_device, dev_type;
+
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/bbd*, /dev/ttyBCM[0-9]*
+type bbd_device, dev_type;
+
+# /dev/vfsspi
+type fingerprint_device, dev_type;
+
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
+
+# /dev/knox_kap
+type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;
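Review bot: `type emmcblk_device, file_type;` is the only device type in this file declared without `dev_type`, yet file_contexts in this change labels `/dev/block/mmcblk0p[0-9]*` with it; on the tmpfs-backed /dev it is the dev_type attribute that normally carries the filesystem associate permission, so this is presumably a slip for `type emmcblk_device, dev_type;` — confirm against the build's neverallows. The `# GPS` comment on gps_device could name its nodes like its siblings do: `# /dev/gnss_ipc, /dev/ttySAC[0-1]*`.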
--- /dev/null
+dontaudit domain kernel:system module_request;
--- /dev/null
+### efs types
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type sec_efs_file, file_type;
+# widewine, drm
+type cpk_efs_file, file_type;
+type drm_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
+type imei_efs_file, file_type;
+type prov_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
+type sensor_efs_file, file_type;
+type sensor_factoryapp_efs_file, file_type;
+type wifi_efs_file, file_type;
+# gps
+type gps_data_file, file_type, data_file_type;
+type gps_socket, file_type;
+
+### sysfs types
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, fs_type, fs_type, mlstrustedobject;
+type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_light_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wifi_writable, fs_type, sysfs_type, mlstrustedobject;
+
+allow sysfs_type tmpfs:filesystem associate;
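Review bot: `type sysfs_sec, fs_type, fs_type, fs_type, mlstrustedobject;` repeats fs_type and omits the sysfs_type attribute every sibling declares, so rules written against sysfs_type — including the `allow sysfs_type tmpfs:filesystem associate;` at the end of this hunk — will not cover /sys/class/sec; it should read `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;`. The `# widewine, drm` comment is `Widevine`.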
--- /dev/null
+##########################
+# Devices
+#
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
+
+/dev/ttySAC3 u:object_r:bluetooth_device:s0
+
+/dev/s5p-smem u:object_r:secmem_device:s0
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+
+/dev/v4l-subdev[0-9]* u:object_r:video_device:s0
+/dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0
+/dev/media[0-3]* u:object_r:camera_device:s0
+/dev/m2m1shot_jpeg u:object_r:camera_device:s0
+
+/dev/mtp_usb* u:object_r:mtp_device:s0
+
+/dev/__cbd_msg_ u:object_r:mif_device:s0
+/dev/umts.* u:object_r:mif_device:s0
+/dev/ehci_power u:object_r:mif_device:s0
+/dev/mipi-lli/lli_control u:object_r:mif_device:s0
+
+/dev/gnss_ipc u:object_r:gps_device:s0
+/dev/ttySAC[0-1]* u:object_r:gps_device:s0
+
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+
+/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0
+/dev/block/mmcblk0p14 u:object_r:radio_block_device:s0
+/dev/block/mmcblk0p20 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p21 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p23 u:object_r:userdata_block_device:s0
+
+/dev/rfkill u:object_r:rfkill_device:s0
+
+/dev/bbd_control u:object_r:bbd_device:s0
+/dev/bbd_packet u:object_r:bbd_device:s0
+/dev/bbd_patch u:object_r:bbd_device:s0
+/dev/bbd_reliable u:object_r:bbd_device:s0
+/dev/bbd_sensor u:object_r:bbd_device:s0
+/dev/bbd_sio u:object_r:bbd_device:s0
+/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
+
+/dev/esfp0 u:object_r:fingerprint_device:s0
+
+/dev/batch_io u:object_r:sensor_device:s0
+/dev/ssp_sensorhub u:object_r:sensor_device:s0
+
+# TFA98xx amplifier
+/dev/i2c-0 u:object_r:amplifier_device:s0
+
+# Knox status
+/dev/knox_kap u:object_r:knox_device:s0
+
+####################################
+# efs files
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/prox_cal u:object_r:sensor_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
+
+/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/drm(/.*)? u:object_r:drm_efs_file:s0
+/efs/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/h2k\.dat u:object_r:cpk_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv\.keys u:object_r:cpk_efs_file:s0
+
+####################################
+# data files
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/\.cid\.info u:object_r:wifi_data_file:s0
+/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+
+# gps
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0
+/data/gps/nmeapipe u:object_r:gps_data_file:s0
+
+# mobicore
+/data/misc/mcRegistry(/.*)? u:object_r:tee_data_file:s0
+
+/data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# camera
+/data/camera/ISP_CV u:object_r:camera_data_file:s0
+
+####################################
+# sysfs files
+/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
+/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+
+
+# bluetooth
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+
+# camera
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera_writable:s0
+
+# CP device
+/dev/spi_boot_link u:object_r:radio_device:s0
+
+# cbd
+/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi_writable:s0
+
+# gps
+/sys/devices/soc0/machine u:object_r:sysfs_gps:s0
+/sys/devices/soc0/revision u:object_r:sysfs_gps:s0
+/sys/devices/139c0000.pinctrl/gpio/gpio137/value u:object_r:sysfs_gps:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp_writable:s0
+/dev/socket/rild2 u:object_r:rild_socket:s0
+/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
+
+# mDNIe
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie_writable:s0
+
+# Lights
+/sys/devices/virtual/sec/sec_touchkey/brightness u:object_r:sysfs_light_writable:s0
+/sys/devices/14800000.dsim/backlight/panel(/.*)? u:object_r:sysfs_light_writable:s0
+/sys/class/leds(/.*)? u:object_r:sysfs_light_writable:s0
+/sys/devices/virtual/sec/led(/.*)? u:object_r:sysfs_light_writable:s0
+
+# Wifi
+/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_writable:s0
+
+####################################
+# deamons
+#
+
+/system/bin/mcDriverDaemon u:object_r:tee_exec:s0
+/system/bin/modemloader u:object_r:modemloader_exec:s0
+/system/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0
+/system/bin/wifiloader u:object_r:wifiloader_exec:s0
+
+/system/vendor/bin/macloader u:object_r:macloader_exec:s0
+
+/system/bin/cbd u:object_r:cpboot-daemon_exec:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
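Review bot: `/efs/nv_data.bin(.*)` and `/efs/nv.log` leave the dot unescaped while the neighbouring `/efs/h2k\.dat`, `/efs/\.nv_core\.bak(.*)` and `/efs/wv\.keys` escape it; an unescaped `.` matches any character, so these should be `/efs/nv_data\.bin(.*)` and `/efs/nv\.log`. `/sys/devices/virtual/misc/multipdp(/.*)` lacks the `?` its siblings use, so the multipdp directory itself keeps the default label while only its children get sysfs_multipdp_writable; `(/.*)?` is likely intended. The `/dev/spi_boot_link` entry sits under the `# sysfs files` heading and belongs with the other /dev entries above it.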
--- /dev/null
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default);
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
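Review bot: The `# allow hal_fingerprint_default to communicate with various devices` comment does not describe `binder_call(system_app, hal_fingerprint_default);`, which lets system_app call the fingerprint HAL over binder directly rather than through the framework; if a specific app needs that, the comment should name it and why. The trailing `;` after the macro call (also on `init_daemon_domain(gpsd);` and `file_type_auto_trans(tee, apk_data_file, tee_data_file);` elsewhere in this change) leaves an empty statement after m4 expansion; the other macro calls in this change omit it, and it is safest to do the same: `binder_call(system_app, hal_fingerprint_default)`.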
--- /dev/null
+# /dev/block/mmcblk0p3
+allow fsck emmcblk_device:blk_file rw_file_perms;
--- /dev/null
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd);
+
+# Automatically label files created in /data/system/gps as gps_data_file
+file_type_auto_trans(gpsd, system_data_file, gps_data_file)
+
+# Allow rild and netd to connect to gpsd
+unix_socket_connect(gpsd, property, rild)
+unix_socket_connect(gpsd, property, netd)
+
+allow gpsd system_server:unix_stream_socket { read write setopt };
+
+binder_call(gpsd, system_server)
+binder_use(gpsd)
+
+# Sockets
+type_transition gpsd gps_data_file:sock_file gps_socket;
+
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd gps_socket:sock_file create_file_perms;
+allow gpsd self:udp_socket { create bind connect read setopt write };
+
+# sysfs_gps
+allow gpsd sysfs_gps:file { open rw_file_perms getattr };
+
+# /dev/ttySAC3
+allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };
+allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow gpsd sysfs_wake_lock:file rw_file_perms;
+
+allow gpsd sensorservice_service:service_manager { find };
+
+# /dev/umts_boot0
+allow gpsd mif_device:chr_file r_file_perms;
+
+# TCP sockets
+allow gpsd port:tcp_socket { name_connect name_bind };
+allow gpsd self:tcp_socket { bind read write connect create getopt };
+allow gpsd node:tcp_socket node_bind;
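Review bot: `allow gpsd port:tcp_socket { name_connect name_bind };` grants connect and bind on every port carrying the generic `port` label; the `# TCP sockets` comment should name the port(s) gpsd uses, and if the build defines a narrower port type the rule should use it. The `# /dev/ttySAC3` comment above the gps_device rule conflicts with file_contexts in this change, where ttySAC3 is bluetooth_device and gps_device covers `/dev/gnss_ipc` and `/dev/ttySAC[0-1]*`. `{ open rw_file_perms getattr }`, `{ search write add_name remove_name rw_dir_perms }` and `{ unlink create setattr getattr rw_file_perms }` each repeat permissions the macro already carries.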
--- /dev/null
+# hal_camera_default
+allow hal_camera_default sysfs_camera_writable:dir search;
+allow hal_camera_default sysfs_camera_writable:file { getattr open read };
+
+vndbinder_use(hal_camera_default)
--- /dev/null
+# hal_drm_default
+vndbinder_use(hal_drm_default)
--- /dev/null
+# hal_drm_default
+vndbinder_use(hal_gnss_default)
+
+# Allow gnss to access the gpsd data files
+allow hal_gnss_default gps_data_file:dir { add_name write };
+allow hal_gnss_default gps_data_file:fifo_file { create open read setattr write };
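Review bot: The `# hal_drm_default` heading on the first line of this file is copied from hal_drm_default.te; the rules are for the GNSS HAL, so it should read `# hal_gnss_default`. The fifo_file grant gives hal_gnss_default `create` and `setattr` on gps_data_file pipes but no `unlink`, so pipes it creates under /data/system/gps are left for gpsd or system_server to remove — confirm that is the intended ownership.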
--- /dev/null
+# hal_light_default
+allow hal_light_default sysfs_light_writable:dir search;
+allow hal_light_default sysfs_light_writable:file { getattr write open read };
+allow hal_light_default sysfs_sec:dir search;
+allow hal_light_default sysfs_sec:file { getattr write open read };
--- /dev/null
+# hal_power_default
+allow hal_power_default sysfs:dir { open read search };
+allow hal_power_default sysfs:file { rw_file_perms };
+
+# CPU devices
+allow hal_power_default sysfs_devices_system_cpu:dir search;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+
+# Lights
+allow hal_power_default sysfs_light_writable:dir search;
+allow hal_power_default sysfs_light_writable:file rw_file_perms;
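Review bot: `allow hal_power_default sysfs:file { rw_file_perms };` grants read and write on every sysfs node still carrying the generic `sysfs` label, and the dir rule above it opens all of /sys, with no comment saying which nodes the power HAL touches. The usual fix is to label those nodes with a dedicated writable type (this change already defines several `sysfs_*_writable` types, and the hunk itself uses sysfs_light_writable) and drop the generic rule. The braces around a lone macro, `{ rw_file_perms }`, are unnecessary.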
--- /dev/null
+# hal_wifi_default
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file { open read };
+allow hal_wifi_default sysfs_wifi_writable:file write;
--- /dev/null
+# hal_wifi_supplicant_default
+allow hal_wifi_supplicant_default proc_net:file write;
--- /dev/null
+# healthd
+allow healthd device:dir rw_dir_perms;
+allow healthd rtc_device:chr_file rw_file_perms;
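Review bot: `allow healthd device:dir rw_dir_perms;` lets healthd add and remove entries in /dev with no comment explaining which node it creates; healthd normally only reads /dev, so the write side needs a one-line justification or a narrower rule. A comment naming the rtc node the second rule is for would also help the next reader.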
--- /dev/null
+# Mount debugfs on /sys/kernel/debug.
+allow init debugfs:dir mounton;
+
+# Mount EFS on /efs
+allow init efs_file:dir mounton;
+
+# /dev/block/mmcblk0p[0-9]
+allow init emmcblk_device:blk_file rw_file_perms;
+
+allow init block_device:lnk_file { setattr };
+allow init tmpfs:lnk_file create_file_perms;
+
+# /sys/class/power_supply/battery and /sys/class/android_usb/android0
+allow init sysfs:dir w_dir_perms;
+
+# Shim libs
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;
+
+# /data
+allow init sdcardd_exec:file r_file_perms;
+
+# sysfs iio:device[0-9]
+allow init sysfs:lnk_file setattr;
+
+# read/chown mDNIE symlinks
+allow init sysfs_mdnie_writable:lnk_file { read setattr };
+
+# read/chown camera firmware
+allow init sysfs_camera_writable:file { relabelto setattr };
+allow init sysfs_camera_writable:filesystem associate;
+
+unix_socket_connect(init, property, rild)
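Review bot: The `# /data` comment sits above `allow init sdcardd_exec:file r_file_perms;`, which is a read of the sdcardd binary, not of /data; the comment should say what init does with it. `unix_socket_connect(init, property, rild)` has init, which itself serves the property socket, connecting to rild over it; it reads like a copy of the gpsd/audioserver rules in this change, so confirm a denial actually motivates it. `allow init sysfs:dir w_dir_perms;` is broad for the two paths its comment names; a dedicated sysfs type for them would keep the generic label read-only.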
--- /dev/null
+# TbStorage (mobicore)
+allow installd tee_data_file:dir { rw_dir_perms rmdir };
--- /dev/null
+allow kernel self:capability { chown mknod };
+
+# /dev/mbin0
+allow kernel emmcblk_device:blk_file r_file_perms;
+allow kernel device:blk_file { create setattr getattr unlink };
+# /bus/usb/001/001
+allow kernel device:dir { create write remove_name rmdir add_name };
+allow kernel device:chr_file { create setattr getattr unlink };
+
+# /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
+allow kernel sysfs_devices_system_cpu:file { setattr };
+allow kernel sysfs:file { setattr };
+
+# /efs contents
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
+
+# /efs/wifi/.mac.info
+allow kernel wifi_efs_file:dir r_dir_perms;
+allow kernel wifi_efs_file:file r_file_perms;
+
+# /data/misc/conn/.wifiver.info
+allow kernel wifi_data_file:file rw_file_perms;
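Review bot: The rules granting `kernel` create/setattr/unlink on `device:chr_file` and `device:blk_file` and write on `device:dir`, together with `self:capability { chown mknod }`, mean the kernel domain itself is populating /dev, which is normally ueventd's job; if this comes from devtmpfs or a kernel thread, a comment saying so would stop a later reviewer from trimming it. `allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;` gives the kernel domain write access to /efs contents under a comment that only says `# /efs contents`; naming the writer would justify the `rw`, or the rule could drop to `r_file_perms` if only reads were denied.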
--- /dev/null
+#### macloader
+#
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+
+init_daemon_domain(macloader)
+
+allow macloader self:capability { chown dac_override fowner fsetid };
+allow macloader self:process execmem;
+
+# Write into /data
+allow macloader system_data_file:dir { add_name search write };
+allow macloader system_file:file execute_no_trans;
+
+# /data/.cid.info
+# Automatically label files created in /data/ as wifi_data_file
+file_type_auto_trans(macloader, system_data_file, wifi_data_file)
+
+allow macloader wifi_data_file:dir create_dir_perms;
+allow macloader wifi_data_file:file { create_file_perms getattr setattr };
+
+# /sys/module/dhd/parameters/nvram_path
+allow macloader sysfs:file rw_file_perms;
+
+# /efs
+allow macloader efs_file:dir r_dir_perms;
+
+# /efs/wifi/.mac.info
+allow macloader wifi_efs_file:dir r_dir_perms;
+allow macloader wifi_efs_file:file r_file_perms;
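Review bot: `allow macloader sysfs:file rw_file_perms;` is commented as `/sys/module/dhd/parameters/nvram_path` but grants write on every generic sysfs node; file_contexts in this change already labels the sibling `firmware_path` as sysfs_wifi_writable, so adding `/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_writable:s0` there and writing `allow macloader sysfs_wifi_writable:file rw_file_perms;` keeps macloader off the rest of /sys. `allow macloader self:process execmem;` and `allow macloader system_file:file execute_no_trans;` carry no comment explaining why a MAC-address loader needs executable memory or runs system binaries in its own domain; both deserve a why-comment or removal if they were added speculatively.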
--- /dev/null
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
--- /dev/null
+allow mediaextractor fuse:file { read getattr };
--- /dev/null
+# /efs
+allow mediaserver efs_file:dir r_dir_perms;
+
+# /efs/wv.keys
+allow mediaserver efs_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow mediaserver camera_device:chr_file { read write open getattr ioctl };
+
+# Snap permissions
+allow mediaserver sensorservice_service:service_manager { find };
+allow mediaserver system_server:unix_stream_socket { read write };
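Review bot: The `# /efs/wv.keys` comment does not match `allow mediaserver efs_file:file r_file_perms;`: file_contexts in this change labels `/efs/wv\.keys` as cpk_efs_file, so the rule as written grants reads of every generic efs_file file and still not of wv.keys. Either the rule should be `allow mediaserver cpk_efs_file:file r_file_perms;` or the comment should name the efs_file-labelled file actually read.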
--- /dev/null
+#### modemloader
+#
+type modemloader, domain;
+type modemloader_exec, exec_type, file_type;
+
+init_daemon_domain(modemloader)
+
+allow modemloader proc:file r_file_perms;
+
+set_prop(modemloader, modemloader_prop)
--- /dev/null
+allow netd self:capability sys_module;
+allow netd gpsd:fd use;
+allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd gpsd:tcp_socket { read write getopt setopt };
--- /dev/null
+allow nfc sec_efs_file:dir search;
+allow nfc efs_file:dir search;
--- /dev/null
+# CP-Boot Daemon
+type cpboot-daemon_prop, property_type;
+
+# modemloader
+type modemloader_prop, property_type;
+
+# mobicore (tee)
+type tee_prop, property_type;
--- /dev/null
+# bluetooth
+persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
+ro.bluetooth.tty u:object_r:bluetooth_prop:s0
+wc_transport. u:object_r:bluetooth_prop:s0
+
+# modemloader
+hw.revision u:object_r:modemloader_prop:s0
+ro.cbd.dt_revision u:object_r:modemloader_prop:s0
+ril.cbd.dt_revision u:object_r:modemloader_prop:s0
+ro.modemloader.done u:object_r:modemloader_prop:s0
+
+# mobicore
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
--- /dev/null
+# Allow rild to change perms
+allow rild self:capability { chown };
+
+# Allow additiional efs access
+allow rild bin_nv_data_efs_file:file create_file_perms;
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file r_file_perms;
+
+# /dev
+allow rild audioserver:dir r_dir_perms;
+# /proc/<pid>/cmdline
+allow rild audioserver:file r_file_perms;
+
+# /dev/mbin0
+allow rild block_device:dir r_dir_perms;
+allow rild emmcblk_device:blk_file r_file_perms;
+
+# /dev/umts_boot0, /dev/umts_ipc0
+allow rild mif_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/misc/multipdp/waketime
+allow rild sysfs_multipdp_writable:file rw_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+allow rild gpsd:dir r_dir_perms;
+allow rild gpsd:file r_file_perms;
+
+# rild reads /proc/pid/cmdline of mediaserver
+allow rild mediaserver:dir { open read search getattr };
+allow rild mediaserver:file { open read getattr };
+
+# /data/misc/radio/*
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+# /data/data/com.android.providers.telephony/databases/telephony.db
+allow rild radio_data_file:lnk_file r_file_perms;
+
+# sdcard/SDET_PLMN/input/MNCMCC.txt
+allow rild storage_file:dir { r_dir_perms };
+allow rild storage_file:lnk_file { r_file_perms };
+allow rild mnt_user_file:dir { r_dir_perms };
+allow rild mnt_user_file:lnk_file { r_file_perms };
+
+# Modem firmware download
+allow rild radio_block_device:blk_file r_file_perms;
+
+# persist.ril.modem.board
+set_prop(modemloader, radio_prop)
+
+# /dev/knox_kap
+allow rild knox_device:chr_file r_file_perms;
+
+# /data/media/0
+allow rild media_rw_data_file:dir { open read search };
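Review bot: `set_prop(modemloader, radio_prop)` is a modemloader rule placed in rild.te under a `# persist.ril.modem.board` comment; it belongs in modemloader.te next to `set_prop(modemloader, modemloader_prop)`, where someone auditing modemloader's property access will look for it. The `# /dev` comment above `allow rild audioserver:dir r_dir_perms;` does not describe a process-directory read; both audioserver rules are `/proc/<pid>` reads and could share the `# /proc/<pid>/cmdline` comment, as the mediaserver pair further down does. `# Allow additiional efs access` has a typo.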
--- /dev/null
+#### sensorhubservice
+#
+type sensorhubservice, domain;
+type sensorhubservice_exec, exec_type, file_type;
+type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
+
+init_daemon_domain(sensorhubservice)
+
+# /dev/input[0-9]*
+allow sensorhubservice input_device:dir r_dir_perms;
+allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
+
+# binder call
+allow sensorhubservice servicemanager:binder { call transfer };
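Review bot: Nothing in this hunk grants `sensorhubservice sensorhubservice_service:service_manager add`, while the service type is tagged system_server_service, which presumably is what lets system_server register it; if the daemon registers the service itself it needs `allow sensorhubservice sensorhubservice_service:service_manager add;`, and if system_server does, the attribute choice deserves a comment. The `# binder call` comment could say what the servicemanager transfer is for.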
--- /dev/null
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+sensorhubservice u:object_r:sensorhubservice_service:s0
--- /dev/null
+# HWC
+allow surfaceflinger secmem_device:chr_file rw_file_perms;
--- /dev/null
+allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie_writable:dir search;
+allow system_app wificond:binder call;
--- /dev/null
+# /dev/mbin0
+allow system_server emmcblk_device:dir search;
+allow system_server emmcblk_device:blk_file { getattr ioctl open read write };
+
+# /efs
+allow system_server efs_file:dir r_dir_perms;
+
+# /efs/gyro_cal_data
+allow system_server sensor_efs_file:file r_file_perms;
+
+# /data/system/gps/.gps.interface.pipe.*
+type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+allow system_server gps_data_file:fifo_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+
+# /data/system/gps/chip.info
+allow system_server gps_data_file:file r_file_perms;
+
+# /efs/prox_cal
+allow system_server efs_file:file r_file_perms;
+
+# /efs/FactoryApp
+allow system_server app_efs_file:dir r_dir_perms;
+allow system_server app_efs_file:file r_file_perms;
+
+# WifiMachine
+allow system_server self:capability { sys_module };
+allow system_server wifi_efs_file:dir r_dir_perms;
+allow system_server wifi_efs_file:file r_file_perms;
+
+# mDNIE
+allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie_writable:dir rw_dir_perms;
+allow system_server sysfs_mdnie_writable:file rw_file_perms;
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs:file r_file_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+
+# /data/system/gps/xtraee.bin
+allow system_server gps_data_file:file create_file_perms;
+
+unix_socket_connect(system_server, property, gpsd)
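Review bot: `allow system_server emmcblk_device:blk_file { getattr ioctl open read write };` gives system_server write access to every partition still labelled emmcblk_device under a `# /dev/mbin0` comment; if only mbin0 is read, drop `write`, and consider giving that node its own type so the grant does not extend to other raw partitions. The `# /efs/prox_cal` comment above `allow system_server efs_file:file r_file_perms;` is wrong for this change's file_contexts, which labels `/efs/FactoryApp/prox_cal` as sensor_factoryapp_efs_file (already granted further down under `# sensor HAL`); the generic efs_file read needs its own justification or should go.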
--- /dev/null
+# mobicore
+
+# Allow to create files and directories /data/app/mcRegistry
+file_type_auto_trans(tee, apk_data_file, tee_data_file);
+
+# /efs
+allow tee { efs_file prov_efs_file }:dir r_dir_perms;
+allow tee { efs_file prov_efs_file }:file r_file_perms;
+
+# sys.mobicore.enable
+set_prop(tee, tee_prop)
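Review bot: The `# Allow to create files and directories /data/app/mcRegistry` comment does not match file_contexts in this change, which labels `/data/misc/mcRegistry(/.*)?` as tee_data_file; `file_type_auto_trans(tee, apk_data_file, tee_data_file)` transitions from apk_data_file, i.e. /data/app, so either the registry really lives in both places or the parent type should be system_data_file — worth confirming against a denial. The trailing `;` after the macro call is unlike the other macro uses in this change and should be dropped.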
--- /dev/null
+# /dev/block/mmcblk0p[0-9]
+allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp_writable:file rw_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
+
+# read/chown camera firmware
+allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera_writable:filesystem associate;
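Review bot: The two emmcblk_device rules in this file overlap: the first spells out a hand-written permission set, and the second repeats `create setattr unlink` just to add `relabelfrom relabelto`; one rule, `allow ueventd emmcblk_device:blk_file { create_file_perms relabelfrom relabelto };`, says the same thing (if `rename` is acceptable) and is easier to audit. `{ relabelto getattr rw_file_perms }` on sysfs_camera_writable repeats `getattr`, which rw_file_perms already includes.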
--- /dev/null
+allow uncrypt emmcblk_device:blk_file w_file_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;
--- /dev/null
+allow untrusted_app_25 proc_stat:file { getattr open read };
+allow untrusted_app_25 sysfs:file { getattr open read };
+allow untrusted_app_25 sysfs:dir { getattr open read };
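Review bot: The three `untrusted_app_25` rules give every legacy app read access to all generic sysfs files and directories and to proc_stat, with no comment naming the node an app actually needs; sysfs exposes hardware identifiers, and upstream split untrusted_app_25 off presumably to keep such reads away from newer apps, so a blanket grant undoes that. The node should be labelled with its own type and granted specifically, with a comment such as `# /sys/<node, TBD> read by <app, TBD>` filled in from the denial.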
--- /dev/null
+# /efs
+allow vold efs_file:dir r_dir_perms;
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
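Review bot: `allow vold emmcblk_device:dir create_dir_perms;` targets a type that this change's file_contexts applies only to block files (`/dev/block/mmcblk0p[0-9]*`), so the dir rule matches nothing unless a directory is labelled elsewhere; it looks like `block_device:dir` was meant, or the rule can go. The blk_file permission list is the same hand-written set as in ueventd.te and is `create_file_perms` without `rename`; using the macro keeps the two in step.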
--- /dev/null
+#### wifiloader
+#
+type wifiloader, domain;
+type wifiloader_exec, exec_type, file_type;
+
+init_daemon_domain(wifiloader)
+unix_socket_connect(wifiloader, property, init)
+
+allow wifiloader proc:file r_file_perms;
+allow wifiloader sysfs_wlan_fwpath:file setattr;
+allow wifiloader wifi_prop:property_service set;
+allow wifiloader wifi_data_file:file { open read write };
+
+# /efs
+allow wifiloader efs_file:dir search;
+
+# /efs/wifi
+allow wifiloader wifi_efs_file:dir search;
+allow wifiloader wifi_efs_file:file { open read };
+
+# load .ko modules
+allow kernel self:capability sys_module;
+allow wifiloader self:capability { chown dac_override sys_module };