From c1a504889130f8b5ae64e9c2ee39ca845363703e Mon Sep 17 00:00:00 2001 
From: Danny Wood Date: Thu, 4 Oct 2018 09:12:58 +0200 Subject: [PATCH] universal7580: sepolicy: Add initial universal7580 SELinux policy Change-Id: I8dd2eefba25e500edcb08b453fff6da1a33fbe30 --- BoardConfigCommon.mk | 4 + sepolicy/audioserver.te | 9 ++ sepolicy/bluetooth.te | 10 ++ sepolicy/cameraserver.te | 15 +++ sepolicy/cpboot-daemon.te | 52 ++++++++ sepolicy/device.te | 35 +++++ sepolicy/domain.te | 1 + sepolicy/file.te | 32 +++++ sepolicy/file_contexts | 164 ++++++++++++++++++++++++ sepolicy/fingerprintd.te | 16 +++ sepolicy/fsck.te | 2 + sepolicy/gpsd.te | 44 +++++++ sepolicy/hal_camera_default.te | 5 + sepolicy/hal_drm_default.te | 2 + sepolicy/hal_gnss_default.te | 6 + sepolicy/hal_light_default.te | 5 + sepolicy/hal_power_default.te | 11 ++ sepolicy/hal_wifi_default.te | 4 + sepolicy/hal_wifi_supplicant_default.te | 2 + sepolicy/healthd.te | 3 + sepolicy/init.te | 33 +++++ sepolicy/installd.te | 2 + sepolicy/kernel.te | 23 ++++ sepolicy/macloader.te | 30 +++++ sepolicy/mediacodec.te | 5 + sepolicy/mediaextractor.te | 1 + sepolicy/mediaserver.te | 12 ++ sepolicy/modemloader.te | 10 ++ sepolicy/netd.te | 4 + sepolicy/nfc.te | 2 + sepolicy/property.te | 8 ++ sepolicy/property_contexts | 19 +++ sepolicy/rild.te | 58 +++++++++ sepolicy/sensorhubservice.te | 14 ++ sepolicy/service_contexts | 3 + sepolicy/surfaceflinger.te | 2 + sepolicy/system_app.te | 3 + sepolicy/system_server.te | 50 ++++++++ sepolicy/tee.te | 11 ++ sepolicy/ueventd.te | 11 ++ sepolicy/uncrypt.te | 2 + sepolicy/untrusted_app_25.te | 3 + sepolicy/vold.te | 5 + sepolicy/wifiloader.te | 23 ++++ 44 files changed, 756 insertions(+) create mode 100644 sepolicy/audioserver.te create mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/cameraserver.te create mode 100644 sepolicy/cpboot-daemon.te create mode 100644 sepolicy/device.te create mode 100644 sepolicy/domain.te create mode 100644 sepolicy/file.te create mode 100644 sepolicy/file_contexts create mode 100644 sepolicy/fingerprintd.te 
create mode 100644 sepolicy/fsck.te create mode 100644 sepolicy/gpsd.te create mode 100644 sepolicy/hal_camera_default.te create mode 100644 sepolicy/hal_drm_default.te create mode 100644 sepolicy/hal_gnss_default.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_power_default.te create mode 100644 sepolicy/hal_wifi_default.te create mode 100644 sepolicy/hal_wifi_supplicant_default.te create mode 100644 sepolicy/healthd.te create mode 100644 sepolicy/init.te create mode 100644 sepolicy/installd.te create mode 100644 sepolicy/kernel.te create mode 100644 sepolicy/macloader.te create mode 100644 sepolicy/mediacodec.te create mode 100644 sepolicy/mediaextractor.te create mode 100644 sepolicy/mediaserver.te create mode 100644 sepolicy/modemloader.te create mode 100644 sepolicy/netd.te create mode 100644 sepolicy/nfc.te create mode 100644 sepolicy/property.te create mode 100644 sepolicy/property_contexts create mode 100644 sepolicy/rild.te create mode 100644 sepolicy/sensorhubservice.te create mode 100644 sepolicy/service_contexts create mode 100644 sepolicy/surfaceflinger.te create mode 100644 sepolicy/system_app.te create mode 100644 sepolicy/system_server.te create mode 100644 sepolicy/tee.te create mode 100644 sepolicy/ueventd.te create mode 100644 sepolicy/uncrypt.te create mode 100644 sepolicy/untrusted_app_25.te create mode 100644 sepolicy/vold.te create mode 100644 sepolicy/wifiloader.te
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 278c7a0..391c0c6 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -153,6 +153,10 @@ BACKLIGHT_PATH := "/sys/class/backlight/panel/brightness"
 # Recovery
 TARGET_RECOVERY_FSTAB := $(LOCAL_PATH)/ramdisk/etc/fstab.samsungexynos7580
 
+# SELinux
+BOARD_SEPOLICY_DIRS += device/samsung/universal7580-common/sepolicy
+BOARD_SEPOLICY_VERS := $(PLATFORM_SDK_VERSION).0
+
 # Shims
 TARGET_LD_SHIM_LIBS := \
 /system/lib/omx/libOMX.Exynos.AVC.Decoder.so|/vendor/lib/libui_shim.so \
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..197a74e
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,9 @@
+# Allow rild to connect to gpsd
+unix_socket_connect(audioserver, property, rild)
+
+# /efs/maxim
+allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
+allow audioserver { efs_file sec_efs_file }:file r_file_perms;
+
+# TFA98xx amplifier
+allow audioserver amplifier_device:chr_file rw_file_perms;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..6aaa8ab
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,10 @@
+# /dev/ttySAC3
+allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
+allow hal_bluetooth_default bluetooth_device:chr_file { ioctl open read write };
+
+# /data/.cid.info
+allow bluetooth wifi_data_file:file r_file_perms;
+
+# /efs
+allow hal_bluetooth_default efs_file:dir { search };
+r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
\ No newline at end of file
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..efdafed
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,15 @@
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/camera/*/*_camfw
+allow cameraserver sysfs_camera_writable:file { rw_file_perms open getattr };
+
+# searching for syses nodes
+allow cameraserver sysfs_camera_writable:dir search;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
+
+# /data/media(/.*)?
+allow cameraserver media_rw_data_file:dir r_dir_perms;
+allow cameraserver media_rw_data_file:file r_file_perms;
diff --git a/sepolicy/cpboot-daemon.te b/sepolicy/cpboot-daemon.te
new file mode 100644
index 0000000..3596073
--- /dev/null
+++ b/sepolicy/cpboot-daemon.te
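Review bot: The comment `# Allow rild to connect to gpsd` above `unix_socket_connect(audioserver, property, rild)` matches neither operand of the macro: its first argument is the connecting domain, so the rule lets audioserver connect to rild's stream socket (through `property_socket`), and gpsd is not involved. Suggest `# Allow audioserver to connect to rild's socket`, and check the original denial: if it was on `/dev/socket/rild*` the socket argument should be `rild` (rild_socket) rather than `property`, and if it was a property write the right macro is `set_prop`. The same reversed comment recurs in gpsd.te (`# Allow rild and netd to connect to gpsd` above `unix_socket_connect(gpsd, property, rild)`), and init.te and system_server.te use the same `property` socket argument for a non-init server.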
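Review bot: `allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };` names `ioctl` twice, since `rw_file_perms` already contains it; `rw_file_perms` alone is enough. `r_dir_file(hal_bluetooth_default, bluetooth_efs_file)` refers to a type that this patch's file.te does not declare, and file_contexts labels `/efs/bluetooth(/.*)?` with the same undeclared type; unless another directory in BOARD_SEPOLICY_DIRS provides it, the policy will not compile, so file.te needs `type bluetooth_efs_file, file_type;`. The same applies to `sysfs_bluetooth_writable`, which file_contexts uses for the rfkill nodes and nothing declares here.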
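Review bot: `allow cameraserver media_rw_data_file:dir r_dir_perms;` and the `:file r_file_perms` line under it let cameraserver read all of `/data/media`, i.e. every user's media files, although the surrounding comments suggest a single path was needed. If one file or directory is required, label it with its own type the way `/data/camera/ISP_CV` gets `camera_data_file` in this patch, and grant only that. `{ rw_file_perms open getattr }` on `sysfs_camera_writable:file` also repeats permissions already inside `rw_file_perms`.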
@@ -0,0 +1,52 @@
+# modem daemon sec label
+type cpboot-daemon, domain;
+type cpboot-daemon_exec, exec_type, file_type;
+
+net_domain(cpboot-daemon)
+init_daemon_domain(cpboot-daemon)
+wakelock_use(cpboot-daemon)
+set_prop(cpboot-daemon, modemloader_prop)
+
+allow cpboot-daemon self:capability { dac_override setuid setgid };
+
+# FIXME neverallow rule
+# allow cpboot-daemon self:capability mknod;
+allow cpboot-daemon kernel:system syslog_read;
+allow cpboot-daemon cgroup:dir create_dir_perms;
+
+# /dev/log/*
+#allow cpboot-daemon log_device:dir r_dir_perms;
+#allow cpboot-daemon log_device:chr_file rw_file_perms;
+# /dev/kmsg (write to kernel log)
+allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
+
+# /dev/umts_boot0
+allow cpboot-daemon mif_device:chr_file rw_file_perms;
+# /dev/mbin0
+allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
+# /dev/spi_boot_link
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
+# /dev/block/mmcblk0p13
+allow cpboot-daemon block_device:dir r_dir_perms;
+allow cpboot-daemon radio_block_device:blk_file r_file_perms;
+
+# /dev/mipi-lli/lli_control
+allow cpboot-daemon sysfs_mipi_writable:file rw_file_perms;
+
+# /efs
+allow cpboot-daemon efs_file:dir r_dir_perms;
+
+# /efs/nv_data.bin
+allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
+allow cpboot-daemon efs_file:file rw_file_perms;
+
+# /sys/bus/usb/devices/1-2/idVendor
+allow cpboot-daemon sysfs:file r_file_perms;
+
+# /proc/cmdline
+allow cpboot-daemon proc:file r_file_perms;
+
+# set properties on boot
+set_prop(cpboot-daemon, cpboot-daemon_prop)
+set_prop(cpboot-daemon, radio_prop)
+set_prop(cpboot-daemon, system_prop)
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..89cfe5d
--- /dev/null
+++ b/sepolicy/device.te
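Review bot: `allow cpboot-daemon self:capability { dac_override setuid setgid };` gives the modem boot daemon a DAC bypass with no comment saying which path needs it, while the rest of the file already grants labelled access to /efs and the modem nodes, so `dac_override` is likely masking a missing file rule or a chown/fowner case; please record the denial that motivated it or replace it with the narrower capability. The comment `# /dev/block/mmcblk0p13` above the `radio_block_device` rule disagrees with file_contexts, which labels `/dev/block/mmcblk0p14` as radio_block_device, and with device.te, whose comment calls it the partition mounted on /efs. `# /dev/mipi-lli/lli_control` above the `sysfs_mipi_writable` rule is likewise stale: file_contexts gives that /dev path `mif_device` and puts sysfs_mipi_writable on `/sys/devices/10f24000.mipi-lli/lli_control`.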
@@ -0,0 +1,35 @@
+# /dev/ttySAC3
+type bluetooth_device, dev_type;
+
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
+type emmcblk_device, file_type;
+
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
+# /dev/rfkill
+type rfkill_device, dev_type;
+
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/bbd*, /dev/ttyBCM[0-9]*
+type bbd_device, dev_type;
+
+# /dev/vfsspi
+type fingerprint_device, dev_type;
+
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
+
+# /dev/knox_kap
+type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..c8d8d53
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+dontaudit domain kernel:system module_request;
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..2bfe5f0
--- /dev/null
+++ b/sepolicy/file.te
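Review bot: `type emmcblk_device, file_type;` is the only /dev node type in this file declared as `file_type` rather than `dev_type`; `/dev/block/mmcblk0p[0-9]*` in file_contexts is a block device, so it should read `type emmcblk_device, dev_type;` like its neighbours, otherwise any attribute-based rule written against dev_type skips it. Because that regex is a catch-all, every partition without a more specific entry shares this one label, and the patch then grants it read/write in init.te, fsck.te, system_server.te, ueventd.te, uncrypt.te and vold.te while the comments name single nodes (`/dev/mbin0`, `/dev/block/mmcblk0p3`). Labelling those specific partitions with their own types, as is already done for p10/p11/p14/p20/p21/p23, and keeping the catch-all read-only would preserve the per-partition separation the platform's *_block_device types exist for.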
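Review bot: `dontaudit domain kernel:system module_request;` silences module auto-load requests for every domain on the device, which removes the one audit signal that a process has started pulling in kernel modules it never needed before. Scoping the dontaudit to the domains that actually trigger it (netd and system_server are the ones given `sys_module` in this patch) keeps the log quiet without blinding the whole system, and a comment naming the request that motivated it would let a later reviewer re-check whether it is still needed.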
@@ -0,0 +1,32 @@
+### efs types
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type sec_efs_file, file_type;
+# widewine, drm
+type cpk_efs_file, file_type;
+type drm_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
+type imei_efs_file, file_type;
+type prov_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
+type sensor_efs_file, file_type;
+type sensor_factoryapp_efs_file, file_type;
+type wifi_efs_file, file_type;
+# gps
+type gps_data_file, file_type, data_file_type;
+type gps_socket, file_type;
+
+### sysfs types
+type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, fs_type, fs_type, mlstrustedobject;
+type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_light_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wifi_writable, fs_type, sysfs_type, mlstrustedobject;
+
+allow sysfs_type tmpfs:filesystem associate;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..6df9525
--- /dev/null
+++ b/sepolicy/file_contexts
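Review bot: `type sysfs_sec, fs_type, fs_type, fs_type, mlstrustedobject;` repeats `fs_type` three times and omits `sysfs_type`, unlike every other sysfs type in the block, so sysfs_sec falls outside every rule written against `sysfs_type`, including the `allow sysfs_type tmpfs:filesystem associate;` at the end of this file. Suggest `type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;`. The comment `# widewine, drm` should read `# widevine, drm`.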
@@ -0,0 +1,164 @@
+##########################
+# Devices
+#
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+
+/dev/bcm2079x u:object_r:nfc_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
+
+/dev/ttySAC3 u:object_r:bluetooth_device:s0
+
+/dev/s5p-smem u:object_r:secmem_device:s0
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+
+/dev/v4l-subdev[0-9]* u:object_r:video_device:s0
+/dev/m2m1shot_scaler[0-9]* u:object_r:video_device:s0
+/dev/media[0-3]* u:object_r:camera_device:s0
+/dev/m2m1shot_jpeg u:object_r:camera_device:s0
+
+/dev/mtp_usb* u:object_r:mtp_device:s0
+
+/dev/__cbd_msg_ u:object_r:mif_device:s0
+/dev/umts.* u:object_r:mif_device:s0
+/dev/ehci_power u:object_r:mif_device:s0
+/dev/mipi-lli/lli_control u:object_r:mif_device:s0
+
+/dev/gnss_ipc u:object_r:gps_device:s0
+/dev/ttySAC[0-1]* u:object_r:gps_device:s0
+
+/dev/block/mmcblk0p[0-9]* u:object_r:emmcblk_device:s0
+
+/dev/block/mmcblk0p10 u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p11 u:object_r:recovery_block_device:s0
+/dev/block/mmcblk0p14 u:object_r:radio_block_device:s0
+/dev/block/mmcblk0p20 u:object_r:system_block_device:s0
+/dev/block/mmcblk0p21 u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p23 u:object_r:userdata_block_device:s0
+
+/dev/rfkill u:object_r:rfkill_device:s0
+
+/dev/bbd_control u:object_r:bbd_device:s0
+/dev/bbd_packet u:object_r:bbd_device:s0
+/dev/bbd_patch u:object_r:bbd_device:s0
+/dev/bbd_reliable u:object_r:bbd_device:s0
+/dev/bbd_sensor u:object_r:bbd_device:s0
+/dev/bbd_sio u:object_r:bbd_device:s0
+/dev/ttyBCM[0-9]* u:object_r:bbd_device:s0
+
+/dev/esfp0 u:object_r:fingerprint_device:s0
+
+/dev/batch_io u:object_r:sensor_device:s0
+/dev/ssp_sensorhub u:object_r:sensor_device:s0
+
+# TFA98xx amplifier
+/dev/i2c-0 u:object_r:amplifier_device:s0
+
+# Knox status
+/dev/knox_kap u:object_r:knox_device:s0
+
+####################################
+# efs files
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/prox_cal u:object_r:sensor_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
+
+/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/drm(/.*)? u:object_r:drm_efs_file:s0
+/efs/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/h2k\.dat u:object_r:cpk_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv\.keys u:object_r:cpk_efs_file:s0
+
+####################################
+# data files
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/\.cid\.info u:object_r:wifi_data_file:s0
+/data/misc/conn/\.wifiver\.info u:object_r:wifi_data_file:s0
+
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+
+# gps
+/data/system/gps(/.*)? u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe u:object_r:gps_data_file:s0
+/data/gps/nmeapipe u:object_r:gps_data_file:s0
+
+# mobicore
+/data/misc/mcRegistry(/.*)? u:object_r:tee_data_file:s0
+
+/data/biometrics(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# camera
+/data/camera/ISP_CV u:object_r:camera_data_file:s0
+
+####################################
+# sysfs files
+/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
+/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/lcd(/.*)? -- u:object_r:sysfs_writable:s0
+/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+
+
+# bluetooth
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+
+# camera
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera_writable:s0
+
+# CP device
+/dev/spi_boot_link u:object_r:radio_device:s0
+
+# cbd
+/sys/devices/10f24000.mipi-lli/lli_control u:object_r:sysfs_mipi_writable:s0
+
+# gps
+/sys/devices/soc0/machine u:object_r:sysfs_gps:s0
+/sys/devices/soc0/revision u:object_r:sysfs_gps:s0
+/sys/devices/139c0000.pinctrl/gpio/gpio137/value u:object_r:sysfs_gps:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp_writable:s0
+/dev/socket/rild2 u:object_r:rild_socket:s0
+/dev/socket/rild-debug2 u:object_r:rild_debug_socket:s0
+
+# mDNIe
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie_writable:s0
+
+# Lights
+/sys/devices/virtual/sec/sec_touchkey/brightness u:object_r:sysfs_light_writable:s0
+/sys/devices/14800000.dsim/backlight/panel(/.*)? u:object_r:sysfs_light_writable:s0
+/sys/class/leds(/.*)? u:object_r:sysfs_light_writable:s0
+/sys/devices/virtual/sec/led(/.*)? u:object_r:sysfs_light_writable:s0
+
+# Wifi
+/sys/module/dhd/parameters/firmware_path u:object_r:sysfs_wifi_writable:s0
+
+####################################
+# deamons
+#
+
+/system/bin/mcDriverDaemon u:object_r:tee_exec:s0
+/system/bin/modemloader u:object_r:modemloader_exec:s0
+/system/bin/sensorhubservice u:object_r:sensorhubservice_exec:s0
+/system/bin/wifiloader u:object_r:wifiloader_exec:s0
+
+/system/vendor/bin/macloader u:object_r:macloader_exec:s0
+
+/system/bin/cbd u:object_r:cpboot-daemon_exec:s0
+/system/bin/gpsd u:object_r:gpsd_exec:s0
diff --git a/sepolicy/fingerprintd.te b/sepolicy/fingerprintd.te
new file mode 100644
index 0000000..12770f7
--- /dev/null
+++ b/sepolicy/fingerprintd.te
@@ -0,0 +1,16 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default);
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..fe4fe2e
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1,2 @@
+# /dev/block/mmcblk0p3
+allow fsck emmcblk_device:blk_file rw_file_perms;
diff --git a/sepolicy/gpsd.te b/sepolicy/gpsd.te
new file mode 100644
index 0000000..42aea4d
--- /dev/null
+++ b/sepolicy/gpsd.te
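Review bot: `/efs/nv_data.bin(.*)` and `/efs/nv.log` leave the dot unescaped while the neighbouring entries (`/efs/h2k\.dat`, `/efs/\.nv_core\.bak(.*)`, `/efs/wv\.keys`) escape it, so these two patterns match any character in that position; `/efs/nv_data\.bin(.*)` and `/efs/nv\.log` make them consistent with the rest of the section. `/dev/i2c-0 u:object_r:amplifier_device:s0` disagrees with device.te, whose comment places the TFA98xx amplifier at `/dev/i2c-20`; one of the two is stale and, if it is this one, the wrong I²C bus is being handed to audioserver. `/sys/devices/virtual/misc/multipdp(/.*)` lacks the trailing `?` every other recursive entry carries, so the directory itself keeps the generic sysfs label. `# deamons` should read `# daemons`.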
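Review bot: The comment `# allow hal_fingerprint_default to communicate with various devices` sits above `binder_call(system_app, hal_fingerprint_default);`, which grants the opposite direction: system_app calling into the fingerprint HAL directly, bypassing the framework's fingerprint service. If a particular system app needs this, name it in the comment (`# Allow <APP_NAME_PLACEHOLDER> (system_app) to call the fingerprint HAL directly`); otherwise the rule widens the HAL's caller set for no stated reason. The trailing `;` after the macro is inconsistent with the other macro invocations in this patch, and the file is named fingerprintd.te although every rule targets hal_fingerprint_default.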
@@ -0,0 +1,44 @@
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type;
+
+init_daemon_domain(gpsd);
+
+# Automatically label files created in /data/system/gps as gps_data_file
+file_type_auto_trans(gpsd, system_data_file, gps_data_file)
+
+# Allow rild and netd to connect to gpsd
+unix_socket_connect(gpsd, property, rild)
+unix_socket_connect(gpsd, property, netd)
+
+allow gpsd system_server:unix_stream_socket { read write setopt };
+
+binder_call(gpsd, system_server)
+binder_use(gpsd)
+
+# Sockets
+type_transition gpsd gps_data_file:sock_file gps_socket;
+
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd gps_socket:sock_file create_file_perms;
+allow gpsd self:udp_socket { create bind connect read setopt write };
+
+# sysfs_gps
+allow gpsd sysfs_gps:file { open rw_file_perms getattr };
+
+# /dev/ttySAC3
+allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };
+allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+allow gpsd sysfs_wake_lock:file rw_file_perms;
+
+allow gpsd sensorservice_service:service_manager { find };
+
+# /dev/umts_boot0
+allow gpsd mif_device:chr_file r_file_perms;
+
+# TCP sockets
+allow gpsd port:tcp_socket { name_connect name_bind };
+allow gpsd self:tcp_socket { bind read write connect create getopt };
+allow gpsd node:tcp_socket node_bind;
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..6aa7d0a
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1,5 @@
+# hal_camera_default
+allow hal_camera_default sysfs_camera_writable:dir search;
+allow hal_camera_default sysfs_camera_writable:file { getattr open read };
+
+vndbinder_use(hal_camera_default)
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/hal_drm_default.te
new file mode 100644
index 0000000..cbb7052
--- /dev/null
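Review bot: `allow gpsd port:tcp_socket { name_connect name_bind };` lets the GPS daemon both connect to and listen on any TCP port, because `port` is the generic type for every port without its own label. If gpsd only needs outbound connections for assistance data, drop `name_bind` here and `bind` from the `self:tcp_socket` rule below it; if it must listen, give the port a dedicated type and bind to that. The comment `# /dev/ttySAC3` above the gps_device rule contradicts file_contexts, which maps `/dev/gnss_ipc` and `/dev/ttySAC[0-1]*` to gps_device and `/dev/ttySAC3` to bluetooth_device, and `# Allow rild and netd to connect to gpsd` is reversed relative to `unix_socket_connect(gpsd, property, rild)`, whose first argument is the client.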
+++ b/sepolicy/hal_drm_default.te
@@ -0,0 +1,2 @@
+# hal_drm_default
+vndbinder_use(hal_drm_default)
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/hal_gnss_default.te
new file mode 100644
index 0000000..13fb595
--- /dev/null
+++ b/sepolicy/hal_gnss_default.te
@@ -0,0 +1,6 @@
+# hal_drm_default
+vndbinder_use(hal_gnss_default)
+
+# Allow gnss to access the gpsd data files
+allow hal_gnss_default gps_data_file:dir { add_name write };
+allow hal_gnss_default gps_data_file:fifo_file { create open read setattr write };
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..6033061
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1,5 @@
+# hal_light_default
+allow hal_light_default sysfs_light_writable:dir search;
+allow hal_light_default sysfs_light_writable:file { getattr write open read };
+allow hal_light_default sysfs_sec:dir search;
+allow hal_light_default sysfs_sec:file { getattr write open read };
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..f8283b6
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1,11 @@
+# hal_power_default
+allow hal_power_default sysfs:dir { open read search };
+allow hal_power_default sysfs:file { rw_file_perms };
+
+# CPU devices
+allow hal_power_default sysfs_devices_system_cpu:dir search;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+
+# Lights
+allow hal_power_default sysfs_light_writable:dir search;
+allow hal_power_default sysfs_light_writable:file rw_file_perms;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
new file mode 100644
index 0000000..06f585c
--- /dev/null
+++ b/sepolicy/hal_wifi_default.te
@@ -0,0 +1,4 @@
+# hal_wifi_default
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file { open read };
+allow hal_wifi_default sysfs_wifi_writable:file write;
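Review bot: The header `# hal_drm_default` in hal_gnss_default.te was carried over from the previous file and should read `# hal_gnss_default`. The two `gps_data_file` rules would also benefit from a path in the comment, as the other files in this patch do: `# Allow gnss to access the gpsd data files` does not say which fifos under /data/gps or /data/system/gps the HAL creates and writes, which is what a later reviewer needs in order to narrow `{ add_name write }` on the directory.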
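Review bot: `allow hal_power_default sysfs:file { rw_file_perms };` grants the power HAL read/write on every node still carrying the generic `sysfs` label — most of sysfs — under a comment that only repeats the domain name. The patch already labels the lights and cpufreq nodes the HAL touches (`sysfs_light_writable`, `sysfs_devices_system_cpu`), so the remaining nodes it writes should get their own entry in file_contexts and this rule should go, or at least shrink to `r_file_perms`. The braces around the single `rw_file_perms` are unnecessary, and the same overly broad sysfs write appears in macloader.te.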
diff --git a/sepolicy/hal_wifi_supplicant_default.te b/sepolicy/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..8ba881a
--- /dev/null
+++ b/sepolicy/hal_wifi_supplicant_default.te
@@ -0,0 +1,2 @@
+# hal_wifi_supplicant_default
+allow hal_wifi_supplicant_default proc_net:file write;
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..89432c8
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1,3 @@
+# healthd
+allow healthd device:dir rw_dir_perms;
+allow healthd rtc_device:chr_file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..7b47cdc
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,33 @@
+# Mount debugfs on /sys/kernel/debug.
+allow init debugfs:dir mounton;
+
+# Mount EFS on /efs
+allow init efs_file:dir mounton;
+
+# /dev/block/mmcblk0p[0-9]
+allow init emmcblk_device:blk_file rw_file_perms;
+
+allow init block_device:lnk_file { setattr };
+allow init tmpfs:lnk_file create_file_perms;
+
+# /sys/class/power_supply/battery and /sys/class/android_usb/android0
+allow init sysfs:dir w_dir_perms;
+
+# Shim libs
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;
+
+# /data
+allow init sdcardd_exec:file r_file_perms;
+
+# sysfs iio:device[0-9]
+allow init sysfs:lnk_file setattr;
+
+# read/chown mDNIE symlinks
+allow init sysfs_mdnie_writable:lnk_file { read setattr };
+
+# read/chown camera firmware
+allow init sysfs_camera_writable:file { relabelto setattr };
+allow init sysfs_camera_writable:filesystem associate;
+
+unix_socket_connect(init, property, rild)
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
new file mode 100644
index 0000000..fcffb8a
--- /dev/null
+++ b/sepolicy/installd.te
@@ -0,0 +1,2 @@
+# TbStorage (mobicore)
+allow installd tee_data_file:dir { rw_dir_perms rmdir };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..324eb19
--- /dev/null
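Review bot: `allow init sysfs_camera_writable:filesystem associate;` has its operands the wrong way round for the `associate` permission, which SELinux checks with the file's type as source and the filesystem's type as target (the pattern file.te uses in `allow sysfs_type tmpfs:filesystem associate;`); a process domain as the source of an associate check does not occur, so this rule cannot satisfy whatever denial prompted it, and the identical line in ueventd.te has the same problem. Please re-read the audit entry and express it as `allow <FILE_TYPE> <FS_TYPE>:filesystem associate;` if that is what was denied. The comment `# /data` above `allow init sdcardd_exec:file r_file_perms;` does not describe that rule, and `# read/chown camera firmware` sits above a `relabelto` grant rather than a read or chown.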
+++ b/sepolicy/kernel.te
@@ -0,0 +1,23 @@
+allow kernel self:capability { chown mknod };
+
+# /dev/mbin0
+allow kernel emmcblk_device:blk_file r_file_perms;
+allow kernel device:blk_file { create setattr getattr unlink };
+# /bus/usb/001/001
+allow kernel device:dir { create write remove_name rmdir add_name };
+allow kernel device:chr_file { create setattr getattr unlink };
+
+# /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
+allow kernel sysfs_devices_system_cpu:file { setattr };
+allow kernel sysfs:file { setattr };
+
+# /efs contents
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
+allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
+
+# /efs/wifi/.mac.info
+allow kernel wifi_efs_file:dir r_dir_perms;
+allow kernel wifi_efs_file:file r_file_perms;
+
+# /data/misc/conn/.wifiver.info
+allow kernel wifi_data_file:file rw_file_perms;
diff --git a/sepolicy/macloader.te b/sepolicy/macloader.te
new file mode 100644
index 0000000..161e793
--- /dev/null
+++ b/sepolicy/macloader.te
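Review bot: `allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;` and `allow kernel wifi_data_file:file rw_file_perms;` let the kernel domain write calibration and Wi-Fi state files under /efs and /data, but the comments (`# /efs contents`, `# /data/misc/conn/.wifiver.info`) do not say which kernel thread or driver performs the write, and such writes are normally done by a userspace helper — macloader.te in this patch already owns `wifi_data_file`. Please record the triggering driver path in each comment so the rule can be re-checked when the kernel changes, and split the first rule if only some of the four types are actually written. `allow kernel self:capability { chown mknod };` at the top likewise deserves a comment naming the code path that needs it.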
@@ -0,0 +1,30 @@
+#### macloader
+#
+type macloader, domain;
+type macloader_exec, exec_type, file_type;
+
+init_daemon_domain(macloader)
+
+allow macloader self:capability { chown dac_override fowner fsetid };
+allow macloader self:process execmem;
+
+# Write into /data
+allow macloader system_data_file:dir { add_name search write };
+allow macloader system_file:file execute_no_trans;
+
+# /data/.cid.info
+# Automatically label files created in /data/ as wifi_data_file
+file_type_auto_trans(macloader, system_data_file, wifi_data_file)
+
+allow macloader wifi_data_file:dir create_dir_perms;
+allow macloader wifi_data_file:file { create_file_perms getattr setattr };
+
+# /sys/module/dhd/parameters/nvram_path
+allow macloader sysfs:file rw_file_perms;
+
+# /efs
+allow macloader efs_file:dir r_dir_perms;
+
+# /efs/wifi/.mac.info
+allow macloader wifi_efs_file:dir r_dir_perms;
+allow macloader wifi_efs_file:file r_file_perms;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
new file mode 100644
index 0000000..39d6840
--- /dev/null
+++ b/sepolicy/mediacodec.te
@@ -0,0 +1,5 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te
new file mode 100644
index 0000000..3d8072d
--- /dev/null
+++ b/sepolicy/mediaextractor.te
@@ -0,0 +1 @@
+allow mediaextractor fuse:file { read getattr };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..52e86b0
--- /dev/null
+++ b/sepolicy/mediaserver.te
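Review bot: `allow macloader self:process execmem;` together with `allow macloader system_file:file execute_no_trans;` and the `dac_override` capability gives a small MAC-address loader anonymous executable memory, the ability to run arbitrary system binaries in its own domain, and a DAC bypass; `execmem` in particular undoes a W^X hardening the rest of the platform keeps, so unless the prebuilt binary genuinely needs it (a text relocation would show up in the denial) it should be dropped, and `dac_override` usually means a file rule or `chown` case is missing. `allow macloader sysfs:file rw_file_perms;` under `# /sys/module/dhd/parameters/nvram_path` writes to every generically labelled sysfs file; file_contexts already labels the sibling `firmware_path` as `sysfs_wifi_writable`, so adding `/sys/module/dhd/parameters/nvram_path u:object_r:sysfs_wifi_writable:s0` there and granting `sysfs_wifi_writable:file` here confines the rule to that one node.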
@@ -0,0 +1,12 @@
+# /efs
+allow mediaserver efs_file:dir r_dir_perms;
+
+# /efs/wv.keys
+allow mediaserver efs_file:file r_file_perms;
+
+# /dev/m2m1shot_jpeg
+allow mediaserver camera_device:chr_file { read write open getattr ioctl };
+
+# Snap permissions
+allow mediaserver sensorservice_service:service_manager { find };
+allow mediaserver system_server:unix_stream_socket { read write };
diff --git a/sepolicy/modemloader.te b/sepolicy/modemloader.te
new file mode 100644
index 0000000..b80869e
--- /dev/null
+++ b/sepolicy/modemloader.te
@@ -0,0 +1,10 @@
+#### modemloader
+#
+type modemloader, domain;
+type modemloader_exec, exec_type, file_type;
+
+init_daemon_domain(modemloader)
+
+allow modemloader proc:file r_file_perms;
+
+set_prop(modemloader, modemloader_prop)
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..f819a97
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+allow netd self:capability sys_module;
+allow netd gpsd:fd use;
+allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd gpsd:tcp_socket { read write getopt setopt };
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..70f7fd2
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1,2 @@
+allow nfc sec_efs_file:dir search;
+allow nfc efs_file:dir search;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..8161cea
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,8 @@
+# CP-Boot Daemon
+type cpboot-daemon_prop, property_type;
+
+# modemloader
+type modemloader_prop, property_type;
+
+# mobicore (tee)
+type tee_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..9505a3c
--- /dev/null
+++ b/sepolicy/property_contexts
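Review bot: `allow mediaserver efs_file:file r_file_perms;` is commented `# /efs/wv.keys`, but file_contexts labels `/efs/wv\.keys` as `cpk_efs_file`, so this rule never reaches that file; what it grants instead is read on every generically labelled file under /efs. Either the intended rule is `allow mediaserver cpk_efs_file:file r_file_perms;` or the comment is stale — in both cases the `efs_file:file` grant should be dropped or justified by the path it really serves.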
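Review bot: `allow netd self:capability sys_module;` lets the network daemon load kernel modules, a large privilege for a domain that handles untrusted network configuration, and there is no comment saying which module it needs. If it is a driver that init could load at boot, prefer that and drop the capability; if it must stay, document it (`# sys_module: netd loads <MODULE_NAME_PLACEHOLDER> for …`). The three `gpsd` rules below would also read better with a comment noting that they cover sockets gpsd hands to netd, which from gpsd.te's `fwmarkd_socket` and `dnsproxyd_socket` grants looks like the fwmark/dns path.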
@@ -0,0 +1,19 @@
+# bluetooth
+persist.bluetooth_fw_ver u:object_r:bluetooth_prop:s0
+ro.bluetooth.tty u:object_r:bluetooth_prop:s0
+wc_transport. u:object_r:bluetooth_prop:s0
+
+# modemloader
+hw.revision u:object_r:modemloader_prop:s0
+ro.cbd.dt_revision u:object_r:modemloader_prop:s0
+ril.cbd.dt_revision u:object_r:modemloader_prop:s0
+ro.modemloader.done u:object_r:modemloader_prop:s0
+
+# mobicore
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..89304fb
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,58 @@
+# Allow rild to change perms
+allow rild self:capability { chown };
+
+# Allow additiional efs access
+allow rild bin_nv_data_efs_file:file create_file_perms;
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file r_file_perms;
+
+# /dev
+allow rild audioserver:dir r_dir_perms;
+# /proc//cmdline
+allow rild audioserver:file r_file_perms;
+
+# /dev/mbin0
+allow rild block_device:dir r_dir_perms;
+allow rild emmcblk_device:blk_file r_file_perms;
+
+# /dev/umts_boot0, /dev/umts_ipc0
+allow rild mif_device:chr_file rw_file_perms;
+
+# /sys/devices/virtual/misc/multipdp/waketime
+allow rild sysfs_multipdp_writable:file rw_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+allow rild gpsd:dir r_dir_perms;
+allow rild gpsd:file r_file_perms;
+
+# rild reads /proc/pid/cmdline of mediaserver
+allow rild mediaserver:dir { open read search getattr };
+allow rild mediaserver:file { open read getattr };
+
+# /data/misc/radio/*
+allow rild radio_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file create_file_perms;
+# /data/data/com.android.providers.telephony/databases/telephony.db
+allow rild radio_data_file:lnk_file r_file_perms;
+
+# sdcard/SDET_PLMN/input/MNCMCC.txt
+allow rild storage_file:dir { r_dir_perms };
+allow rild storage_file:lnk_file { r_file_perms };
+allow rild mnt_user_file:dir { r_dir_perms };
+allow rild mnt_user_file:lnk_file { r_file_perms };
+
+# Modem firmware download
+allow rild radio_block_device:blk_file r_file_perms;
+
+# persist.ril.modem.board
+set_prop(modemloader, radio_prop)
+
+# /dev/knox_kap
+allow rild knox_device:chr_file r_file_perms;
+
+# /data/media/0
+allow rild media_rw_data_file:dir { open read search };
diff --git a/sepolicy/sensorhubservice.te b/sepolicy/sensorhubservice.te
new file mode 100644
index 0000000..5ec1aea
--- /dev/null
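Review bot: `set_prop(modemloader, radio_prop)` under `# persist.ril.modem.board` grants the property to modemloader, not rild, so in rild.te it is either misplaced (it belongs in modemloader.te next to its other `set_prop`) or a typo for `set_prop(rild, radio_prop)`. The comments `# /dev` and `# /proc//cmdline` above the `audioserver:dir` and `audioserver:file` rules do not describe them — like the correctly commented mediaserver rules below, these are /proc/<pid> reads on another process — and `additiional` is misspelt. `allow rild storage_file:dir`/`mnt_user_file` for `sdcard/SDET_PLMN/input/MNCMCC.txt` lets rild read user-writable storage; a comment stating whether this is a factory-test path only would help a later reviewer decide if it can be removed.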
+++ b/sepolicy/sensorhubservice.te
@@ -0,0 +1,14 @@
+#### sensorhubservice
+#
+type sensorhubservice, domain;
+type sensorhubservice_exec, exec_type, file_type;
+type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
+
+init_daemon_domain(sensorhubservice)
+
+# /dev/input[0-9]*
+allow sensorhubservice input_device:dir r_dir_perms;
+allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
+
+# binder call
+allow sensorhubservice servicemanager:binder { call transfer };
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..79593e8
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+# HWC
+Exynos.HWCService u:object_r:surfaceflinger_service:s0
+sensorhubservice u:object_r:sensorhubservice_service:s0
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..0c8687e
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# HWC
+allow surfaceflinger secmem_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..2f8a6ae
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,3 @@
+allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie_writable:dir search;
+allow system_app wificond:binder call;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..daddc81
--- /dev/null
+++ b/sepolicy/system_server.te
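Review bot: `type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;` tags a standalone daemon's service with `system_server_service`, the attribute meant for services system_server itself registers; that is misleading at best and, on a platform policy that restricts `add` on that attribute to system_server, a build or runtime failure. The domain is also granted `servicemanager:binder { call transfer }` but no `allow sensorhubservice sensorhubservice_service:service_manager add;`, so it cannot register the service that service_contexts assigns to it. Suggest `type sensorhubservice_service, app_api_service, service_manager_type;` plus the `add` rule (and `binder_use(sensorhubservice)` in place of the raw servicemanager allow).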
@@ -0,0 +1,50 @@
+# /dev/mbin0
+allow system_server emmcblk_device:dir search;
+allow system_server emmcblk_device:blk_file { getattr ioctl open read write };
+
+# /efs
+allow system_server efs_file:dir r_dir_perms;
+
+# /efs/gyro_cal_data
+allow system_server sensor_efs_file:file r_file_perms;
+
+# /data/system/gps/.gps.interface.pipe.*
+type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
+type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
+allow system_server gps_data_file:fifo_file create_file_perms;
+allow system_server gps_data_file:dir rw_dir_perms;
+
+# /data/system/gps/chip.info
+allow system_server gps_data_file:file r_file_perms;
+
+# /efs/prox_cal
+allow system_server efs_file:file r_file_perms;
+
+# /efs/FactoryApp
+allow system_server app_efs_file:dir r_dir_perms;
+allow system_server app_efs_file:file r_file_perms;
+
+# WifiMachine
+allow system_server self:capability { sys_module };
+allow system_server wifi_efs_file:dir r_dir_perms;
+allow system_server wifi_efs_file:file r_file_perms;
+
+# mDNIE
+allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie_writable:dir rw_dir_perms;
+allow system_server sysfs_mdnie_writable:file rw_file_perms;
+
+# memtrack HAL
+allow system_server debugfs:dir r_dir_perms;
+allow system_server debugfs:file r_file_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+
+# /data/system/gps/xtraee.bin
+allow system_server gps_data_file:file create_file_perms;
+
+unix_socket_connect(system_server, property, gpsd)
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..969b0e5
--- /dev/null
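Review bot: `allow system_server self:capability { sys_module };` under `# WifiMachine` lets system_server, which handles input from every installed app, load kernel modules; this same patch introduces a wifiloader domain that already holds sys_module, so module loading should be delegated there and this line dropped, or the comment should name the system_server code path that needs it. Line 3, `allow system_server emmcblk_device:blk_file { getattr ioctl open read write };`, likewise grants raw write access to the whole eMMC partition set that the ueventd and vold hunks describe as `/dev/block/mmcblk0p[0-9]`, far more than the `/dev/mbin0` comment implies; a dedicated type for that node would bound it. `unix_socket_connect(system_server, property, gpsd)` on the last line pairs the property socket with gpsd as the server domain, which looks mismatched: property writes are served by init (which is what `set_prop` expands to), while a socket owned by gpsd needs its own socket type; please confirm which was intended. Line 48 (`gps_data_file:file create_file_perms`) also subsumes line 19 (`r_file_perms`), so one of them can go.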
+++ b/sepolicy/tee.te
@@ -0,0 +1,11 @@
+# mobicore
+
+# Allow to create files and directories /data/app/mcRegistry
+file_type_auto_trans(tee, apk_data_file, tee_data_file);
+
+# /efs
+allow tee { efs_file prov_efs_file }:dir r_dir_perms;
+allow tee { efs_file prov_efs_file }:file r_file_perms;
+
+# sys.mobicore.enable
+set_prop(tee, tee_prop)
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..bd8b3b4
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1,11 @@
+# /dev/block/mmcblk0p[0-9]
+allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp_writable:file rw_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
+
+# read/chown camera firmware
+allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera_writable:filesystem associate;
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..1f5142f
--- /dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt emmcblk_device:blk_file w_file_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;
diff --git a/sepolicy/untrusted_app_25.te b/sepolicy/untrusted_app_25.te
new file mode 100644
index 0000000..b6a2f4b
--- /dev/null
+++ b/sepolicy/untrusted_app_25.te
@@ -0,0 +1,3 @@
+allow untrusted_app_25 proc_stat:file { getattr open read };
+allow untrusted_app_25 sysfs:file { getattr open read };
+allow untrusted_app_25 sysfs:dir { getattr open read };
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..4d77638
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,5 @@
+# /efs
+allow vold efs_file:dir r_dir_perms;
+# /dev/block/mmcblk0p[0-9]
+allow vold emmcblk_device:dir create_dir_perms;
+allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
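Review bot: `allow ueventd sysfs_camera_writable:filesystem associate;` is directed the wrong way: `associate` is checked with the file's type as the source and the filesystem's type as the target, so the rule that lets the `relabelto` on line 10 succeed is `allow sysfs_camera_writable sysfs:filesystem associate;` (normally obtained by giving the type the `sysfs_type` attribute where it is declared, which is outside this hunk), and the line as written grants nothing useful. Lines 2 and 7 both target `emmcblk_device:blk_file` with overlapping `create setattr unlink`; merging them, or leaving only `{ relabelfrom relabelto }` on line 7, removes the duplication.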
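Review bot: `allow untrusted_app_25 sysfs:file { getattr open read };` and the `sysfs:dir` line open the generic `sysfs` label to legacy untrusted apps, which covers every sysfs node that has not been given a more specific sysfs_* type and so exposes hardware and kernel details well beyond whatever single node motivated the rule; the hunk carries no comment saying which app or node needs it, and the same applies to the `proc_stat` rule. If one node is required, labelling it with its own type in file_contexts and allowing only that type is the narrower fix. Each rule should carry a comment of the form `# <app or feature> reads <node>` with the real values filled in so the grant can be revisited.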
diff --git a/sepolicy/wifiloader.te b/sepolicy/wifiloader.te
new file mode 100644
index 0000000..8e68843
--- /dev/null
+++ b/sepolicy/wifiloader.te
@@ -0,0 +1,23 @@
+#### wifiloader
+#
+type wifiloader, domain;
+type wifiloader_exec, exec_type, file_type;
+
+init_daemon_domain(wifiloader)
+unix_socket_connect(wifiloader, property, init)
+
+allow wifiloader proc:file r_file_perms;
+allow wifiloader sysfs_wlan_fwpath:file setattr;
+allow wifiloader wifi_prop:property_service set;
+allow wifiloader wifi_data_file:file { open read write };
+
+# /efs
+allow wifiloader efs_file:dir search;
+
+# /efs/wifi
+allow wifiloader wifi_efs_file:dir search;
+allow wifiloader wifi_efs_file:file { open read };
+
+# load .ko modules
+allow kernel self:capability sys_module;
+allow wifiloader self:capability { chown dac_override sys_module };
-- 2.20.1
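Review bot: `allow kernel self:capability sys_module;` on line 22 has `kernel` as its subject but sits in wifiloader.te; this patch also adds kernel.te, so the rule belongs there, and whether the kernel domain needs it at all when wifiloader is the process doing the `.ko` loading is worth confirming. `dac_override` in `allow wifiloader self:capability { chown dac_override sys_module };` bypasses every DAC ownership and mode check and usually points at a file whose owner or mode should be fixed in the init script or file_contexts instead; the commit should name the file that requires it or drop the capability. Lines 7 and 11 (`unix_socket_connect(wifiloader, property, init)` plus `allow wifiloader wifi_prop:property_service set;`) together reimplement `set_prop(wifiloader, wifi_prop)`, which is the conventional single macro for this.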