universal7580: Update sepolicy for P
authorDanny Wood <danwood76@gmail.com>
Fri, 29 Mar 2019 12:43:21 +0000 (12:43 +0000)
committerJan Altensen <info@stricted.net>
Fri, 16 Aug 2019 21:18:54 +0000 (23:18 +0200)
Change-Id: I390e8388a6709d6e4bae96fd707485adfb306de1

28 files changed:
sepolicy/cameraserver.te
sepolicy/charger.te [new file with mode: 0644]
sepolicy/cpboot-daemon.te
sepolicy/file.te
sepolicy/file_contexts
sepolicy/genfs_contexts [new file with mode: 0644]
sepolicy/gpsd.te
sepolicy/hal_camera_default.te
sepolicy/hal_drm_default.te
sepolicy/hal_light_default.te
sepolicy/hal_power_default.te
sepolicy/hal_wifi_default.te
sepolicy/healthd.te
sepolicy/init.te
sepolicy/installd.te
sepolicy/property.te
sepolicy/property_contexts
sepolicy/rild.te
sepolicy/sswap.te
sepolicy/storaged.te [new file with mode: 0644]
sepolicy/surfaceflinger.te
sepolicy/system_app.te
sepolicy/system_server.te
sepolicy/tee.te
sepolicy/ueventd.te
sepolicy/untrusted_app_25.te [deleted file]
sepolicy/vold.te
sepolicy/wifiloader.te

index efdafedb42abe5c94eb81e582317e59728962607..0ac2ce0eb194305596c8b7013944010471526765 100644 (file)
@@ -2,10 +2,10 @@
 allow cameraserver camera_device:chr_file rw_file_perms;
 
 # /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera_writable:file { rw_file_perms open getattr };
+allow cameraserver sysfs_camera:file { rw_file_perms open getattr };
 
 # searching for syses nodes
-allow cameraserver sysfs_camera_writable:dir search;
+allow cameraserver sysfs_camera:dir search;
 
 # /data/camera/ISP_CV
 allow cameraserver camera_data_file:file r_file_perms;
diff --git a/sepolicy/charger.te b/sepolicy/charger.te
new file mode 100644 (file)
index 0000000..888f502
--- /dev/null
@@ -0,0 +1,2 @@
+# charger
+allow charger sysfs_usb_supply:file rw_file_perms;
index 3596073851aa94057e7a848d715c248af648c24d..c8736d3d6c2d72ddeedb34f94492edbfac6e6fff 100644 (file)
@@ -7,7 +7,7 @@ init_daemon_domain(cpboot-daemon)
 wakelock_use(cpboot-daemon)
 set_prop(cpboot-daemon, modemloader_prop)
 
-allow cpboot-daemon self:capability { dac_override setuid setgid };
+allow cpboot-daemon self:capability { setuid setgid };
 
 # FIXME neverallow rule
 # allow cpboot-daemon self:capability mknod;
@@ -31,7 +31,7 @@ allow cpboot-daemon block_device:dir r_dir_perms;
 allow cpboot-daemon radio_block_device:blk_file r_file_perms;
 
 # /dev/mipi-lli/lli_control
-allow cpboot-daemon sysfs_mipi_writable:file rw_file_perms;
+allow cpboot-daemon sysfs_mipi:file rw_file_perms;
 
 # /efs
 allow cpboot-daemon efs_file:dir r_dir_perms;
index 2bfe5f0dc23ee3f99e5b5ab7af9212bdab3b0a3b..5aaefe14edf3b771a706dce7504cbe98e2f65d43 100644 (file)
@@ -4,6 +4,7 @@ type battery_efs_file, file_type;
 type baro_delta_factoryapp_efs_file, file_type;
 type bin_nv_data_efs_file, file_type;
 type sec_efs_file, file_type;
+
 # widewine, drm
 type cpk_efs_file, file_type;
 type drm_efs_file, file_type;
@@ -14,19 +15,34 @@ type radio_factoryapp_efs_file, file_type;
 type sensor_efs_file, file_type;
 type sensor_factoryapp_efs_file, file_type;
 type wifi_efs_file, file_type;
+
 # gps
-type gps_data_file, file_type, data_file_type;
+type gps_data_file, file_type, data_file_type, core_data_file_type;
 type gps_socket, file_type;
 
+# proc
+type proc_dirty_ratio, fs_type, proc_type;
+type proc_dt_firmware, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
+type proc_simslot_count, fs_type, proc_type;
+
 ### sysfs types
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_mipi_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_multipdp_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_sec, fs_type, fs_type, fs_type, mlstrustedobject;
-type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+#type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_sensors, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_light_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wifi_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_light, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wifi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_usb_supply, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_mmc, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_graphics, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_ion, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_block, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_jack, sysfs_type, fs_type, mlstrustedobject;
 
 allow sysfs_type tmpfs:filesystem associate;
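Review bot: The new `type proc_dirty_ratio, fs_type, proc_type;` is referenced by nothing else in this change, while genfs_contexts labels the /proc/sys/vm/dirty_* nodes `proc_dirty` and init.te grants `proc_dirty:file rw_file_perms`; if the build already receives a `proc_dirty` type from the core policy the device declaration is dead and should go, otherwise the declaration must be renamed to match the rules that use it. The `sysfs_sec`, `sysfs_sensors` and `sysfs_input` lines also list `fs_type` twice; `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;` is the intended form. Giving every new sysfs type `mlstrustedobject` is a broad default that deserves a comment if it is deliberate rather than copied from the old declarations.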
index 5bcdfc7c052d9a269d9fb72bfd15c6849155fde5..cd26b40994e8da3ef9c88e0f4909618aad28ee80 100644 (file)
@@ -98,9 +98,6 @@
 /data/gps/\.gpslogd\.pipe                            u:object_r:gps_data_file:s0
 /data/gps/nmeapipe                                   u:object_r:gps_data_file:s0
 
-# mobicore
-/data/misc/mcRegistry(/.*)?  u:object_r:tee_data_file:s0
-
 /data/biometrics(/.*)?       u:object_r:fingerprintd_data_file:s0
 
 # camera
 
 ####################################
 # sysfs files
-/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
-/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
-/sys/class/lcd(/.*)?         -- u:object_r:sysfs_writable:s0
-/sys/class/sec(/.*)?         -- u:object_r:sysfs_sec:s0
-
+#/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
+#/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+#/sys/class/lcd(/.*)?         -- u:object_r:sysfs_writable:s0
 
 # bluetooth
 /sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state  u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type   u:object_r:sysfs_bluetooth_writable:s0
-
-# camera
-/sys/devices/virtual/camera(/.*)?           u:object_r:sysfs_camera_writable:s0
+/sys/class/rfkill/rfkill0/state                     u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/type                      u:object_r:sysfs_bluetooth_writable:s0
 
 # CP device
 /dev/spi_boot_link              u:object_r:radio_device:s0
 
 # cbd
-/sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi_writable:s0
+/sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi:s0
 
 # gps
+/sys/class/sec/gps                                  u:object_r:sysfs_gps:s0
 /sys/devices/soc0/machine                           u:object_r:sysfs_gps:s0
 /sys/devices/soc0/revision                          u:object_r:sysfs_gps:s0
 /sys/devices/139c0000.pinctrl/gpio/gpio137/value    u:object_r:sysfs_gps:s0
 
 # rild
-/sys/devices/virtual/misc/multipdp(/.*)     u:object_r:sysfs_multipdp_writable:s0
+/sys/devices/virtual/misc/multipdp(/.*)     u:object_r:sysfs_multipdp:s0
 /dev/socket/rild2                           u:object_r:rild_socket:s0
 /dev/socket/rild-debug2                     u:object_r:rild_debug_socket:s0
 
 # mDNIe
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility       u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode                u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario            u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux                 u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB           u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility       u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode                u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario            u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux                 u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB           u:object_r:sysfs_mdnie:s0
 
 # Lights
-/sys/devices/virtual/sec/sec_touchkey/brightness        u:object_r:sysfs_light_writable:s0
-/sys/devices/14800000.dsim/backlight/panel(/.*)?        u:object_r:sysfs_light_writable:s0
-/sys/class/leds(/.*)?                                   u:object_r:sysfs_light_writable:s0
-/sys/devices/virtual/sec/led(/.*)?                      u:object_r:sysfs_light_writable:s0
+/sys/devices/virtual/sec/sec_touchkey/brightness        u:object_r:sysfs_light:s0
+/sys/devices/14800000.dsim/backlight/panel(/.*)?        u:object_r:sysfs_light:s0
+/sys/class/leds(/.*)?                                   u:object_r:sysfs_light:s0
+/sys/devices/virtual/sec/led(/.*)?                      u:object_r:sysfs_light:s0
+/sys/class/lcd/panel/power_reduce                       u:object_r:sysfs_light:s0
 
 # Wifi
-/sys/module/dhd/parameters/firmware_path            u:object_r:sysfs_wifi_writable:s0
+/sys/module/dhd/parameters/firmware_path            u:object_r:sysfs_wifi:s0
 
 ####################################
 # deamons
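Review bot: After this change nothing visible labels `/sys/class/sec` as `sysfs_sec`: the `/sys/class/sec(/.*)?` entry is removed here and the matching genfscon in genfs_contexts is commented out, yet hal_light_default.te and init.te still grant `sysfs_sec` permissions. Unless the label is applied somewhere outside this diff, those rules are dead and the nodes fall back to plain `sysfs`. There is also an overlap on `/sys/devices/virtual/sec/sec_touchkey/brightness`, labeled `sysfs_light` here while genfs_contexts labels the `sec_touchkey/` subtree `sysfs_input`; which label the node ends up with depends on whether init restorecons that path after boot, so one of the two entries should be dropped or the reason for both documented. The same double mechanism applies to `/sys/class/sec/gps` (file_contexts) versus `/devices/virtual/sec/gps/` (genfs_contexts).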
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644 (file)
index 0000000..a7a9b16
--- /dev/null
@@ -0,0 +1,60 @@
+genfscon proc /device-tree u:object_r:proc_dt_firmware:s0
+
+genfscon proc /sys/vm/dirty_ratio               u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_bytes               u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_background_bytes    u:object_r:proc_dirty:s0
+
+genfscon proc /reset_reason     u:object_r:proc_reset_reason:s0
+genfscon proc /simslot_count    u:object_r:proc_simslot_count:s0
+
+# SEC devices
+#genfscon sysfs /class/sec/     u:object_r:sysfs_sec:s0
+
+# Power supply devices
+genfscon sysfs /devices/battery.20/power_supply                                     u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.26/i2c-8/8-0034/s2mu003-charger/power_supply            u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0035/power_supply                    u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.21/i2c-4/4-0035/power_supply                            u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0034/s2mu003-charger/power_supply    u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/htc_battery/power_supply/ps                        u:object_r:sysfs_usb_supply:s0
+
+# Input devices
+genfscon sysfs /devices/i2c.23/i2c-5/5-0020/input/input2/enabled            u:object_r:sysfs_input:s0
+genfscon sysfs /devices/13850000.i2c/i2c-10/10-0050/input/input3/enabled    u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/sec_touchkey/                           u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/sec_key/                                u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/tsp/                                    u:object_r:sysfs_input:s0
+
+# Camera
+genfscon sysfs /devices/virtual/camera/             u:object_r:sysfs_camera:s0
+
+# GPS
+genfscon sysfs /devices/virtual/sec/gps/            u:object_r:sysfs_gps:s0
+
+# Audio sysfs
+genfscon sysfs /devices/virtual/audio/earjack/      u:object_r:sysfs_jack:s0
+
+# USB lun device
+genfscon sysfs /devices/13580000.usb/gadget/lun0/   u:object_r:sysfs_android_usb:s0
+
+# MMC block device cache files
+genfscon sysfs /devices/virtual/bdi/179:0/read_ahead_kb     u:object_r:sysfs_block:s0
+genfscon sysfs /devices/virtual/bdi/179:32/read_ahead_kb    u:object_r:sysfs_block:s0
+
+# ION
+genfscon sysfs /devices/virtual/ion_cma/    u:object_r:sysfs_ion:s0
+
+# Sensors
+genfscon sysfs /devices/virtual/sensors/                            u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0068/iio:device1/    u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0028/iio:device0/    u:object_r:sysfs_sensors:s0
+
+genfscon sysfs /devices/13540000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmc:s0
+
+genfscon sysfs /devices/virtual/net/rmnet0 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet1 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet2 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet3 u:object_r:sysfs_net:s0
+
+genfscon sysfs /devices/14830000.decon_fb  u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/14800000.dsim  u:object_r:sysfs_graphics:s0
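Review bot: Most of the sysfs subtree entries end in a trailing slash (`/devices/virtual/sec/sec_touchkey/`, `/devices/virtual/camera/`, `/devices/virtual/sec/gps/`, `/devices/virtual/sensors/`, `/devices/virtual/ion_cma/`, and others); genfscon labels by longest matching path prefix, so as I read it the directory itself does not match and keeps the parent `sysfs` label while only its children get the new type. That leaves rules such as `allow hal_camera_default sysfs_camera:dir search;` applying to nothing, because the directory actually searched is still `sysfs`. Dropping the slash, e.g. `genfscon sysfs /devices/virtual/camera u:object_r:sysfs_camera:s0`, labels the directory and its subtree consistently. The `proc_dirty` versus `proc_dirty_ratio` naming is raised on the file.te hunk.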
index 42aea4d7581fde715f530d2693ba5a752ed74b83..9613368d993e53e2817203c7e0474219166ec192 100644 (file)
@@ -24,6 +24,7 @@ allow gpsd gps_socket:sock_file create_file_perms;
 allow gpsd self:udp_socket { create bind connect read setopt write }; 
 
 # sysfs_gps
+allow gpsd sysfs_gps:lnk_file read;
 allow gpsd sysfs_gps:file { open rw_file_perms getattr };
 
 # /dev/ttySAC3
@@ -42,3 +43,6 @@ allow gpsd mif_device:chr_file r_file_perms;
 allow gpsd port:tcp_socket { name_connect name_bind };
 allow gpsd self:tcp_socket { bind read write connect create getopt };
 allow gpsd node:tcp_socket node_bind;
+
+# sec sysfs files
+#allow gpsd sysfs_sec:dir search;
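Review bot: The commented-out `#allow gpsd sysfs_sec:dir search;` carries no reason, and it matters here because the new `/sys/class/sec/gps` file_contexts entry lives under the directory the rule would cover; if that lookup is expected to work, the note should say which grant covers the traversal, or which label `/sys/class/sec` actually carries after this change. A disabled rule with no explanation tends to be reintroduced or deleted blindly later, so either drop it or add `# disabled: <reason>`.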
index 6aa7d0ab591a547918b7abb44ca0d4815a1884d7..ec46d7e2810a899f707c8c0c489c31f15812f5ed 100644 (file)
@@ -1,5 +1,7 @@
 # hal_camera_default
-allow hal_camera_default sysfs_camera_writable:dir search;
-allow hal_camera_default sysfs_camera_writable:file { getattr open read };
+allow hal_camera_default sysfs_camera:dir search;
+allow hal_camera_default sysfs_camera:file rw_file_perms;
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
 
 vndbinder_use(hal_camera_default)
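Review bot: The camera sysfs grant widens from `{ getattr open read }` to `rw_file_perms` with no comment saying which node under /sys/devices/virtual/camera the HAL now writes; cameraserver.te documents its own rw grant with `# /sys/devices/virtual/camera/*/*_camfw`, and a matching `# /sys/devices/virtual/camera/<node> (written for <reason>)` line here would let a later reviewer confirm the write is intentional rather than a denial-chasing overgrant. The new `hal_graphics_mapper_hwservice:hwservice_manager find` likewise deserves a one-line comment on why the HAL needs it directly, if the core camera HAL policy does not already provide it.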
index 5403987f53f3d20594f315a8a2b3426834d46c93..81e33c6398add6cf7fcb11b7c6f3cefcf43b9f38 100644 (file)
@@ -6,3 +6,6 @@ allow hal_drm_default secmem_device:chr_file { ioctl rw_file_perms };
 allow hal_drm_default tee:unix_stream_socket connectto;
 allow hal_drm_default efs_file:dir search;
 allow hal_drm_default cpk_efs_file:file { getattr open read };
+
+allow hal_drm_default media_data_file:file create_file_perms;
+allow hal_drm_default media_data_file:dir create_dir_perms;
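Review bot: `allow hal_drm_default media_data_file:file create_file_perms;` and the matching `dir create_dir_perms` give the DRM HAL full create/write access to `media_data_file`, a core data type, with no comment naming the path it needs. If hal_drm_default is a vendor domain on this device, the Treble neverallows covering `core_data_file_type` may reject this at build time; if it does pass, the grant should still be narrowed to the specific directory via its own type and documented with the path, as the `# /efs` and `cpk_efs_file` rules above are.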
index 6033061e6b892936624113a6d6f98442e643cc3e..54a072faedab0132f1cc1afc8a1a430afa81a4d7 100644 (file)
@@ -1,5 +1,8 @@
 # hal_light_default
-allow hal_light_default sysfs_light_writable:dir search;
-allow hal_light_default sysfs_light_writable:file { getattr write open read };
+allow hal_light_default sysfs_light:dir search;
+allow hal_light_default sysfs_light:file { getattr write open read };
+allow hal_light_default sysfs_graphics:dir search;
+allow hal_light_default sysfs_graphics:file { getattr write open read };
 allow hal_light_default sysfs_sec:dir search;
+allow hal_light_default sysfs_sec:lnk_file read;
 allow hal_light_default sysfs_sec:file { getattr write open read };
index f8283b6c0030ed503da727af3d7a770cfd094a14..7d68aed8b5004c8562c08235eb3ff2c50289ed0d 100644 (file)
@@ -2,10 +2,17 @@
 allow hal_power_default sysfs:dir { open read search };
 allow hal_power_default sysfs:file { rw_file_perms };
 
+# Input devices
+allow hal_power_default sysfs_input:file { rw_file_perms };
+
 # CPU devices
 allow hal_power_default sysfs_devices_system_cpu:dir search;
 allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 
 # Lights
-allow hal_power_default sysfs_light_writable:dir search;
-allow hal_power_default sysfs_light_writable:file rw_file_perms;
+allow hal_power_default sysfs_light:dir search;
+allow hal_power_default sysfs_light:file rw_file_perms;
+
+# Graphics
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file rw_file_perms;
index 025ea41d56c87ff7245b87a44560f04122b4133b..2050e4f701470973e207d6f26a97556e1a988119 100644 (file)
@@ -3,4 +3,4 @@ allow hal_wifi_default efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:file { open read };
 allow hal_wifi_default wifi_data_file:file r_file_perms;
-allow hal_wifi_default sysfs_wifi_writable:file write;
+allow hal_wifi_default sysfs_wifi:file write;
index 89432c82b677d5468bc684cdc9aff4ec8479c89c..69edb8f395af50d7da6989c294d96e23a8505193 100644 (file)
@@ -1,3 +1,5 @@
 # healthd
 allow healthd device:dir rw_dir_perms;
 allow healthd rtc_device:chr_file rw_file_perms;
+
+allow healthd sysfs_usb_supply:file rw_file_perms;
index 51754568f12467eff9140b456adbe90db74f0390..988a290bbabef0f4eb222e5cd04ed7165ff97a7a 100644 (file)
@@ -11,7 +11,7 @@ allow init block_device:lnk_file { setattr };
 allow init tmpfs:lnk_file create_file_perms;
 
 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
-allow init sysfs:dir w_dir_perms;
+allow init sysfs_usb_supply:file { rw_file_perms setattr };
 
 # Shim libs
 allow init cameraserver:process noatsecure;
@@ -23,13 +23,64 @@ allow init sdcardd_exec:file r_file_perms;
 # sysfs iio:device[0-9]
 allow init sysfs:lnk_file setattr;
 
+# sysfs ion device
+allow init sysfs_ion:file setattr;
+
+# sysfs usb device
+allow init sysfs_android_usb:file setattr;
+
 # read/chown mDNIE symlinks
-allow init sysfs_mdnie_writable:lnk_file { read setattr };
+allow init sysfs_mdnie:lnk_file { read setattr };
+allow init sysfs_mdnie:file { open write };
 
 # read/chown camera firmware
-allow init sysfs_camera_writable:file { relabelto setattr };
-allow init sysfs_camera_writable:filesystem associate;
+allow init sysfs_camera:file { relabelto setattr };
+allow init sysfs_camera:filesystem associate;
+
+# WiFi firmware permissions
+allow init sysfs_wifi:file setattr;
+
+# Input devices
+allow init sysfs_input:file { rw_file_perms setattr };
+
+# BT permissions
+allow init sysfs_bluetooth_writable:file setattr;
+
+# GPS permissions
+allow init sysfs_gps:lnk_file read;
+allow init sysfs_gps:file setattr;
+
+# CPU permissions
+allow init sysfs_devices_system_cpu:file rw_file_perms;
+
+# Block device sysfs
+allow init sysfs_block:file rw_file_perms;
+
+# Audio Jack
+allow init sysfs_jack:file setattr;
 
 unix_socket_connect(init, property, rild)
 
 allow init { domain -lmkd -crash_dump }:process noatsecure;
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(init, proc_dt_firmware)
+
+allow init sysfs_mmc:file { w_file_perms setattr };
+allow init sysfs_net:file rw_file_perms;
+allow init sysfs_graphics:file { rw_file_perms setattr };
+allow init sysfs_light:file { rw_file_perms setattr };
+allow init sysfs_mdnie:file { setattr };
+allow init sysfs_sec:file { rw_file_perms setattr };
+allow init sysfs_sec:lnk_file read;
+allow init sysfs_sensors:file { rw_file_perms setattr };
+allow init sysfs_sensors:lnk_file read;
+allow init sysfs_multipdp:file setattr;
+
+# Proc files
+allow init proc_reset_reason:file rw_file_perms;
+allow init proc_dirty:file rw_file_perms;
+allow init proc_simslot_count:file rw_file_perms;
+
+# Sockets
+allow init socket_device:sock_file create;
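Review bot: The hunk grants the same init/type pair in several places, e.g. `allow init sysfs_mdnie:file { open write };` near the top and `allow init sysfs_mdnie:file { setattr };` in the uncommented run at the bottom, and `sysfs_sec` and `sysfs_sensors` each get a file rule and a separate lnk_file rule; merging them under one comment (`allow init sysfs_mdnie:file { open write setattr };`) keeps each type's grant reviewable in one place. `allow init socket_device:sock_file create;` has no comment; as far as I recall the core init.te already covers sock_file creation for rc-declared sockets, so this is probably redundant and worth confirming against the denial that motivated it. The `proc_dirty` rules depend on a type this change declares as `proc_dirty_ratio` in file.te (raised there), and the `# /sys/class/power_supply/battery and /sys/class/android_usb/android0` comment in the first hunk no longer matches the `sysfs_usb_supply` rule beneath it, since android_usb is handled by the separate `sysfs_android_usb` grant here.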
index fcffb8a2f206740966ebb8730a2224037e0421e1..792d6005489ebee62cde02066f19c5521e620451 100644 (file)
@@ -1,2 +1 @@
-# TbStorage (mobicore)
-allow installd tee_data_file:dir { rw_dir_perms rmdir };
+#
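Review bot: installd.te is left containing only `#`, which documents nothing; either delete the file, as this change does for untrusted_app_25.te, or keep a one-line comment recording why the mobicore `tee_data_file` cleanup rule was removed. storaged.te is added with the same shape, a single `#TODO: r_dir_file(storaged, sysfs_mmc)` line and no active rule; if the grant is not yet needed the file should not be added, and if it is, the TODO should say what blocks enabling it.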
index 8161cea39abd1ef5f51ea7c404eef32e17c28654..0fcbd1e9b8d5ef19b57df9059955dd60bbafa9f8 100644 (file)
@@ -6,3 +6,6 @@ type modemloader_prop, property_type;
 
 # mobicore (tee)
 type tee_prop, property_type;
+
+# sswap
+type sswap_prop, property_type;
index 9505a3ceb1393ffdfd521950cf568285f458185f..75597940a6050b48f82bf827dcbb7827ae94c160 100644 (file)
@@ -17,3 +17,6 @@ persist.ril.modem.board    u:object_r:radio_prop:s0
 persist.ril.ims.eutranParam u:object_r:radio_prop:s0
 persist.ril.ims.utranParam  u:object_r:radio_prop:s0
 persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
+
+# sswap
+persist.sys.swapoff     u:object_r:sswap_prop:s0
index 89304fb2dfd2a3bf34525aaf21c3d0a36aae5cff..d021e3f728a9bba86bb0b000429f5e87b649b2b5 100644 (file)
@@ -21,7 +21,7 @@ allow rild emmcblk_device:blk_file r_file_perms;
 allow rild mif_device:chr_file rw_file_perms;
 
 # /sys/devices/virtual/misc/multipdp/waketime
-allow rild sysfs_multipdp_writable:file rw_file_perms;
+allow rild sysfs_multipdp:file rw_file_perms;
 
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
@@ -29,6 +29,8 @@ allow rild proc_net:file rw_file_perms;
 allow rild gpsd:dir r_dir_perms;
 allow rild gpsd:file r_file_perms;
 
+allow rild proc_qtaguid_stat:file r_file_perms;
+
 # rild reads /proc/pid/cmdline of mediaserver
 allow rild mediaserver:dir { open read search getattr };
 allow rild mediaserver:file { open read getattr };
index 363cde772a4ee96a5adb2cee5983ceb822a6ff81..3408a2e4a1f6d29d3b2258df28f5c9910d1a6c67 100644 (file)
@@ -18,3 +18,5 @@ allow sswap init:unix_stream_socket connectto;
 allow sswap properties_device:dir { read open };
 allow sswap proc_stat:dir { read open getattr };
 allow sswap proc_stat:file { read open getattr };
+
+set_prop(sswap, sswap_prop)
diff --git a/sepolicy/storaged.te b/sepolicy/storaged.te
new file mode 100644 (file)
index 0000000..03de562
--- /dev/null
@@ -0,0 +1 @@
+#TODO: r_dir_file(storaged, sysfs_mmc)
index 0c8687e12a5af6380ff9b683b2f53ede448883ef..e09e0e46b188001d79a7b25d99cbd3b67dc2457c 100644 (file)
@@ -1,2 +1,4 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs_graphics:file { rw_file_perms };
+r_dir_file(surfaceflinger, sysfs_graphics)
\ No newline at end of file
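Review bot: The new `r_dir_file(surfaceflinger, sysfs_graphics)` line has no trailing newline (`\ No newline at end of file`), which will surface as a spurious change on the next edit; add one. The macro's file half overlaps the line above it, since `rw_file_perms` already covers reading, so if the lnk_file read the macro also grants is not needed, `allow surfaceflinger sysfs_graphics:dir r_dir_perms;` plus the existing rw line says the same thing without the duplicate grant; the braces in `{ rw_file_perms }` around a single macro are also unnecessary. A comment naming the decon_fb/dsim node surfaceflinger writes would help, because the `# HWC` header above was written for `secmem_device`.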
index 2f8a6ae83fc9505f5aa5ebcf0ffb0835a1102dfd..c9d70d092e2cc569f31b7843379620c882d9ec78 100644 (file)
@@ -1,3 +1,3 @@
-allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
-allow system_app sysfs_mdnie_writable:dir search;
+allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie:dir search;
 allow system_app wificond:binder call;
index daddc8111b71d9cfb87dc1830b7939df1e8f5bf3..a04b05a3365224682fdfaec8e86a3ea6a9c1c5d6 100644 (file)
@@ -31,9 +31,12 @@ allow system_server wifi_efs_file:dir r_dir_perms;
 allow system_server wifi_efs_file:file r_file_perms;
 
 # mDNIE
-allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
-allow system_server sysfs_mdnie_writable:dir rw_dir_perms;
-allow system_server sysfs_mdnie_writable:file rw_file_perms;
+allow system_server sysfs_mdnie:lnk_file rw_file_perms;
+#allow system_server sysfs_mdnie:dir rw_dir_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;
+
+# Lights
+allow system_server sysfs_light:file rw_file_perms;
 
 # memtrack HAL
 allow system_server debugfs:dir r_dir_perms;
@@ -47,4 +50,13 @@ allow system_server sensor_factoryapp_efs_file:file r_file_perms;
 # /data/system/gps/xtraee.bin
 allow system_server gps_data_file:file create_file_perms;
 
+# Bluetooth buildprop
+allow system_server bluetooth_prop:file read;
+
+# Grpahics sysfs
+allow system_server sysfs_graphics:file rw_file_perms;
+
+# Input sysfs
+allow system_server sysfs_input:file rw_file_perms;
+
 unix_socket_connect(system_server, property, gpsd)
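Review bot: `allow system_server bluetooth_prop:file read;` is not the full permission set for a property read: the property file is opened and mapped, so the usual form is `get_prop(system_server, bluetooth_prop)`, which expands to the complete read set (this policy already uses the sibling `set_prop` macro in sswap.te and tee.te). The `# Grpahics sysfs` comment has a typo (`# Graphics sysfs`), and the commented-out `#allow system_server sysfs_mdnie:dir rw_dir_perms;` in the first hunk should say why it was disabled or be deleted.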
index 969b0e5847e992e64d36a190b34caed264697d10..5d1f446d099997615b9ef5e7b3ab4a5d43b845b9 100644 (file)
@@ -1,11 +1,11 @@
 # mobicore
 
-# Allow to create files and directories /data/app/mcRegistry
-file_type_auto_trans(tee, apk_data_file, tee_data_file);
-
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 
+# Allow mobicore to search apk data
+allow tee apk_data_file:dir search;
+
 # sys.mobicore.enable
 set_prop(tee, tee_prop)
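Review bot: Removing `file_type_auto_trans(tee, apk_data_file, tee_data_file);` while keeping only `allow tee apk_data_file:dir search;` means anything tee still creates under an `apk_data_file` directory would now be created as `apk_data_file`, which this file does not permit, and file_contexts drops the `/data/misc/mcRegistry` label in the same change. If the mobicore registry has moved, the `# Allow mobicore to search apk data` comment should name the new location and, if nothing else references it, the `tee_data_file` type can be retired along with the installd rule this change already removes; if it has not moved, the transition is still needed.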
index bd8b3b4d9d070e75857938d8ecec6245d5c27108..18a8855dffa24b451b962740473c269cd404467c 100644 (file)
@@ -2,10 +2,15 @@
 allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
 
 # /sys/devices/virtual/misc/multipdp/uevent
-allow ueventd sysfs_multipdp_writable:file rw_file_perms;
+allow ueventd sysfs_multipdp:file rw_file_perms;
 
 allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
 
 # read/chown camera firmware
-allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
-allow ueventd sysfs_camera_writable:filesystem associate;
+allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:filesystem associate;
+
+allow ueventd sysfs_usb_supply:file w_file_perms;
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(ueventd, proc_dt_firmware)
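Review bot: `allow ueventd sysfs_usb_supply:file w_file_perms;` grants open/write on the power-supply nodes, which is broader than what ueventd normally needs on sysfs entries: ueventd.rc chown/chmod lines require `setattr`, as the corresponding grants in init.te use. If the denial behind this was a chown, `allow ueventd sysfs_usb_supply:file setattr;` is the right permission; if ueventd genuinely writes a value, a comment naming the node would justify keeping w_file_perms. The retained `sysfs_camera:file { relabelto ... }` and `filesystem associate` are also worth rechecking now that the camera path is labeled via genfscon rather than the removed file_contexts entry.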
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
deleted file mode 100644 (file)
index b6a2f4b..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-allow untrusted_app_25 proc_stat:file { getattr open read };
-allow untrusted_app_25 sysfs:file { getattr open read };
-allow untrusted_app_25 sysfs:dir { getattr open read };
index 4d776388416698978d32f16805e1afd02223c0ab..71e91f5adc9bf6631423d452b0ffdbf3f4bdfe7d 100644 (file)
@@ -3,3 +3,6 @@ allow vold efs_file:dir r_dir_perms;
 # /dev/block/mmcblk0p[0-9]
 allow vold emmcblk_device:dir create_dir_perms;
 allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+allow vold sysfs_mmc:file w_file_perms;
+r_dir_file(vold, proc_dt_firmware)
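Review bot: `allow vold sysfs_mmc:file w_file_perms;` adds a write-only grant with no comment naming the node under the mmcblk0 sysfs path that vold writes, unlike the `# /dev/block/mmcblk0p[0-9]` comment above it; a `# /sys/.../block/mmcblk0/<node>` line would let the next reviewer confirm the write is intended. The `r_dir_file(vold, proc_dt_firmware)` line would benefit from the same `# Allow access to /proc/device-tree nodes` comment that init.te and ueventd.te carry for it.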
index 8e68843e868f2429d8c4a51037114e30ad8dcac3..c93ed122ab7b016d72a9c9d6e23ea4b315ad73bb 100644 (file)
@@ -20,4 +20,4 @@ allow wifiloader wifi_efs_file:file { open read };
 
 # load .ko modules
 allow kernel self:capability sys_module;
-allow wifiloader self:capability { chown dac_override sys_module };
+allow wifiloader self:capability { chown sys_module };