From ecfd88c92956a405e576e2bf43296ebadd1e0dc7 Mon Sep 17 00:00:00 2001 
From: Henrik Grimler Date: Thu, 20 Aug 2020 12:44:29 +0200 Subject: [PATCH] Sepolicy: add more file and device labels and fix denials Have verified that they exist on dream2lte. Heavily inspired by universal7880-common, exynos9820-common and universal9810-common's sepolicies. --- sepolicy/bootanim.te | 1 - sepolicy/device.te | 14 ++ sepolicy/file.te | 50 ++++++- sepolicy/file_contexts | 164 +++++++++++++++++++++- sepolicy/genfs_contexts | 21 ++- sepolicy/hal_audio_default.te | 7 +- sepolicy/hal_bluetooth_default.te | 1 - sepolicy/hal_camera_default.te | 7 + sepolicy/hal_drm_clearkey.te | 14 ++ sepolicy/hal_drm_widevine.te | 24 ++++ sepolicy/hal_fingerprint_default.te | 20 +++ sepolicy/hal_gatekeeper_default.te | 3 +- sepolicy/hal_graphics_composer_default.te | 5 +- sepolicy/hal_health_default.te | 4 +- sepolicy/hal_keymaster_default.te | 1 - sepolicy/hal_light_default.te | 4 + sepolicy/hal_lineage_livedisplay_sysfs.te | 6 + sepolicy/hal_power_default.te | 15 ++ sepolicy/hal_sensors_default.te | 22 ++- sepolicy/hal_wifi_hostapd_default.te | 2 + sepolicy/init.te | 16 ++- sepolicy/installd.te | 1 - sepolicy/kernel.te | 9 +- sepolicy/mediacodec.te | 6 +- sepolicy/netd.te | 6 +- sepolicy/nfc.te | 1 + sepolicy/platform_app.te | 3 + sepolicy/priv_app.te | 4 + sepolicy/rild.te | 13 +- sepolicy/shell.te | 1 - sepolicy/system_app.te | 8 +- sepolicy/system_server.te | 13 +- sepolicy/untrusted_app.te | 5 + sepolicy/untrusted_app_27.te | 8 ++ sepolicy/vold.te | 2 + sepolicy/zygote.te | 1 - 36 files changed, 443 insertions(+), 39 deletions(-) delete mode 100644 sepolicy/bootanim.te create mode 100644 sepolicy/device.te delete mode 100644 sepolicy/hal_bluetooth_default.te create mode 100644 sepolicy/hal_drm_clearkey.te create mode 100644 sepolicy/hal_drm_widevine.te create mode 100644 sepolicy/hal_fingerprint_default.te delete mode 100644 sepolicy/hal_keymaster_default.te create mode 100644 sepolicy/hal_light_default.te create mode 100644 sepolicy/hal_lineage_livedisplay_sysfs.te 
create mode 100644 sepolicy/hal_power_default.te
create mode 100644 sepolicy/hal_wifi_hostapd_default.te
delete mode 100644 sepolicy/installd.te
create mode 100644 sepolicy/nfc.te
delete mode 100644 sepolicy/shell.te
create mode 100644 sepolicy/vold.te
delete mode 100644 sepolicy/zygote.te
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
deleted file mode 100644
index 0aad1ec..0000000
--- a/sepolicy/bootanim.te
+++ /dev/null
@@ -1 +0,0 @@
-allow bootanim device:chr_file { getattr ioctl };
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..e7fb8fa
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,14 @@
+# /dev/vfsspi
+type fingerprint_device, dev_type;
+
+# /dev/batch_io
+type sensor_device, dev_type;
+
+# /dev/s5p-smem
+type secmem_device, dev_type;
+
+# /dev/m2m1shot_scaler0
+type m2m1shot_device, dev_type;
+
+# gps
+type gps_device, dev_type;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index b73f830..2a71164 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
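Review bot: The comment `# /dev/batch_io` above `type sensor_device, dev_type;` names only one of the two nodes the file_contexts hunk later labels with this type (`/dev/ssp_sensorhub` gets it as well), and `type gps_device, dev_type;` under `# gps` has no file_contexts entry anywhere in this patch, so nothing is labelled with it. Suggest `# /dev/batch_io, /dev/ssp_sensorhub` for the first, and for the second either adding the GPS node's file_contexts line or dropping the unused type; `type gps_socket, file_type;` in the file.te hunk is in the same unused state.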
@@ -1,4 +1,52 @@
-type batch_io_device, dev_type;
+### efs types
+type app_efs_file, file_type;
+type battery_efs_file, file_type;
+type cpk_efs_file, file_type;
+type gatekeeper_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
+type imei_efs_file, file_type;
+type bin_nv_data_efs_file, file_type;
+type prov_efs_file, file_type;
+type sec_efs_file, file_type;
+type wifi_efs_file, file_type;
+type factoryprop_efs_file, file_type;
+type sensor_factoryapp_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
+
+# gps
+type gps_vendor_data_file, file_type, data_file_type;
+type gps_socket, file_type;
+
+# debugfs types
+type debugfs_mali, fs_type, debugfs_type;
+type debugfs_mali_mem, fs_type, debugfs_type;
+type debugfs_ion, fs_type, debugfs_type;
+type debugfs_ion_dma, fs_type, debugfs_type;
+
+# proc
+type proc_extra, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
+type proc_swapiness, fs_type, proc_type;
+
+# data types
+type display_vendor_data_file, file_type, data_file_type;
+type fingerprintd_vendor_data_file, data_file_type, file_type;
+type mediadrm_data_file, file_type, data_file_type;
+type radio_vendor_data_file, data_file_type, file_type;
+type mobicore_data_file, data_file_type, core_data_file_type, file_type;
 
 # sysfs types
 type sysfs_graphics, fs_type, sysfs_type;
+type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_iio, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 480f580..658f92f 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
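Review bot: Every sysfs type added from `+type sysfs_mdnie, …` through `+type sysfs_camera, …` carries `mlstrustedobject`, which exempts those nodes from MLS constraints for every domain, while in this patch only `sysfs_virtual` is reached from an app domain (system_app, untrusted_app_27); the types touched solely by vendor HALs and init do not appear to need it. Suggest declaring those as e.g. `type sysfs_gps, fs_type, sysfs_type;` and keeping the attribute only where an app-level denial actually shows a constraint violation. Separately, `proc_swapiness` is spelt with one p while the genfs_contexts hunk labels `/sys/vm/swappiness`; `proc_swappiness` in both files would avoid a grep miss later.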
@@ -1,7 +1,159 @@
-/cpefs(/.*)? u:object_r:efs_file:s0
-/dev/mali0 u:object_r:gpu_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/fimg2d u:object_r:video_device:s0
+####################################
+# Devices
+/cpefs(/.*)? u:object_r:efs_file:s0
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/fimg2d u:object_r:video_device:s0
+/dev/vfsspi u:object_r:fingerprint_device:s0
+/dev/sec-nfc u:object_r:nfc_device:s0
 
-# Sensors
-/dev/batch_io u:object_r:batch_io_device:s0
+/dev/cpuset(/.*)? u:object_r:cgroup:s0
+
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+
+# camera
+/dev/m2m1shot_scaler0 u:object_r:m2m1shot_device:s0
+
+# usb
+/dev/android_ssusbcon(/.*)? u:object_r:usb_device:s0
+/dev/mtp_usb* u:object_r:mtp_device:s0
+/dev/usb(/.*)? u:object_r:usb_device:s0
+
+# sensors
+/dev/batch_io u:object_r:sensor_device:s0
+/dev/ssp_sensorhub u:object_r:sensor_device:s0
+
+# adbroot and storaged
+/dev/stune(/.*)? u:object_r:cgroup:s0
+
+# zram
+/dev/block/zram0 u:object_r:swap_block_device:s0
+
+####################################
+# efs files
+/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0
+/efs/FactoryApp/baro_delta u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/gyro_cal_data u:object_r:sensor_factoryapp_efs_file:s0
+
+/efs/Battery(/.*)? u:object_r:battery_efs_file:s0
+/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
+/efs/imei(/.*)? u:object_r:imei_efs_file:s0
+/efs/nv_data.bin(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log u:object_r:bin_nv_data_efs_file:s0
+/efs/\.nv_core\.bak(.*) u:object_r:bin_nv_data_efs_file:s0
+/efs/prov(/.*)? u:object_r:prov_efs_file:s0
+/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0
+/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0
+/efs/wv\.keys u:object_r:cpk_efs_file:s0
+/efs/factory\.prop u:object_r:factoryprop_efs_file:s0
+/efs/TEE(/.*)? u:object_r:gatekeeper_efs_file:s0
+
+####################################
+# data files
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+
+/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
+/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0
+
+# gps
+/data/vendor/gps(/.*)? u:object_r:gps_vendor_data_file:s0
+
+# livedisplay
+/data/vendor/display(/.*)? u:object_r:display_vendor_data_file:s0
+
+# drm
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_data_file:s0
+
+# mobicore
+/data/misc/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0
+
+# biometrics
+/data/vendor/biometrics(/.*)? u:object_r:fingerprintd_vendor_data_file:s0
+
+# camera
+/data/camera(/.*)? u:object_r:camera_data_file:s0
+
+####################################
+# sysfs files
+/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0
+/sys/class/devfreq/17000010.devfreq_mif(/.*)? -- u:object_r:sysfs:s0
+
+# gps
+/sys/class/sec/gps/GPS_PWR_EN/value u:object_r:sysfs_gps:s0
+
+# charger
+/sys/devices/platform/battery/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/battery/power_supply(/.*) u:object_r:sysfs_charger:s0
+/sys/class/power_supply/max77865-charger(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/10940000\.hsi2c/i2c-11/11-003b/power_supply/mfc-charger(/.*) u:object_r:sysfs_charger:s0
+/sys/devices/platform/10970000\.hsi2c/i2c-13/13-0066/max77865-charger/power_supply/otg(/.*)? u:object_r:sysfs_charger:s0
+/sys/devices/platform/10970000\.hsi2c/i2c-13/13-0066/max77865-charger/power_supply/max77865-charger(/.*)? u:object_r:sysfs_charger:s0
+/sys/devices/platform/10970000\.hsi2c/i2c-13/13-0066/max77865-fuelgauge/power_supply/max77865-fuelgauge(/.*)? u:object_r:sysfs_charger:s0
+
+# sec
+/sys/class/sec(/.*)? -- u:object_r:sysfs_sec:s0
+
+# virtual
+/sys/devices/virtual(/.*)? u:object_r:sysfs_virtual:s0
+
+# iio
+/sys/devices/platform/108c0000\.spi/spi_master/spi10/spi10\.0/iio:device[0-9](/.*)? u:object_r:sysfs_iio:s0
+/sys/bus/iio/devices(/.*)? u:object_r:sysfs_iio:s0
+
+# Backlight/Notification LED control
+/sys/devices/platform/panel_drv@001/backlight/panel/brightness u:object_r:sysfs_graphics:s0
+/sys/devices/platform/panel_drv@001/backlight/panel/max_brightness u:object_r:sysfs_graphics:s0
+
+# camera
+/sys/devices/virtual/camera(/.*)? u:object_r:sysfs_camera:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*) u:object_r:sysfs_multipdp:s0
+
+# mDNIe
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/mode u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/scenario u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/lux u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/sensorRGB u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/mdnie_ldu u:object_r:sysfs_mdnie:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/mdnie/whiteRGB u:object_r:sysfs_mdnie:s0
+
+# input
+/sys/devices/platform/108e0000\.hsi2c/i2c-5/5-0049/input/input0(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/platform/108e0000\.hsi2c/i2c-5/5-0049/input/input1(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/platform/10460000\.spi/spi_master/spi3/spi3\.0/madera-extcon/input/input5(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/platform/gpio_keys/input/input6(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/platform/hall/input/input7(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/platform/certify_hall/input/input8(/.*)? u:object_r:sysfs_input:s0
+
+# lcd
+/sys/devices/platform/panel_drv@001/lcd/panel/adaptive_control u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/alpm u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/dpui u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/dpui_dbg u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/lcd_type u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/lux u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/manufacture_code u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/temperature u:object_r:sysfs_lcd:s0
+/sys/devices/platform/panel_drv@001/lcd/panel/window_type u:object_r:sysfs_lcd:s0
+
+# modem
+/sys/module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
+
+####################################
+# Lineage hals
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.universal8895 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+
+# hidl services
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.2-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.1-service\.widevine u:object_r:hal_drm_widevine_exec:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index c961f81..81a9680 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
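Review bot: `/dev/mtp_usb* u:object_r:mtp_device:s0` is a regular expression, not a glob, so the `*` applies to the preceding `b` and the entry matches `/dev/mtp_us`, `/dev/mtp_usb` and `/dev/mtp_usbb…`; `/dev/mtp_usb u:object_r:mtp_device:s0` (or `/dev/mtp_usb.*` if suffixed nodes exist) says what is meant. `/efs/nv_data.bin(.*)` and `/efs/nv.log` leave the dot unescaped although the neighbouring `/efs/\.nv_core\.bak(.*)` and `/efs/wv\.keys` escape it; `/efs/nv_data\.bin(.*)` and `/efs/nv\.log` keep the labelling exact. The first four charger entries use `(/.*)` without `?`, so the `power_supply` directory itself is not covered by them, unlike the `(/.*)?` form on the rest of the list; if that is unintended, `(/.*)?` makes them consistent.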
@@ -1,2 +1,21 @@
-# LED
+# mali debugfs
+genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
+genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
+
+# ion debugfs
+genfscon debugfs /ion/ u:object_r:debugfs_ion:s0
+genfscon debugfs /dma_buf u:object_r:debugfs_ion_dma:s0
+
+# PROC
+genfscon proc /extra u:object_r:proc_extra:s0
+genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_swapiness:s0
+
+# SYSFS
+
+# class
+genfscon sysfs /class/android_usb/android0 u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/camera u:object_r:sysfs_camera:s0
+
+# devices
 genfscon sysfs /devices/virtual/sec/led/led_blink u:object_r:sysfs_graphics:s0
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
index 8755bcd..5b0f7f6 100644
--- a/sepolicy/hal_audio_default.te
+++ b/sepolicy/hal_audio_default.te
@@ -1,3 +1,6 @@
-allow hal_audio_default efs_file:dir search;
-allow hal_audio_default efs_file:file { open read };
 allow hal_audio_default property_socket:sock_file write;
+allow hal_audio_default rild:unix_stream_socket connectto;
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+
+# /efs/maxim/rdc_cal
+allow hal_audio_default efs_file:file { read open };
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
deleted file mode 100644
index c9ea2de..0000000
--- a/sepolicy/hal_bluetooth_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_bluetooth_default efs_file:file { open read };
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index c1adea5..619554d 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
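Review bot: The hal_audio_default hunk deletes `allow hal_audio_default efs_file:dir search;` but keeps the file rule under `# /efs/maxim/rdc_cal`; opening that path still needs `search` on the efs_file directories above it, so unless another rule or attribute grants it, the open will now be refused at path lookup instead of succeeding. Either restore `allow hal_audio_default efs_file:dir search;` next to the read rule, or give `/efs/maxim` its own label in file_contexts as the other /efs paths in this patch get, so the directory grant can be narrower than all of efs_file.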
@@ -1 +1,8 @@
 allow hal_camera_default vndbinder_device:chr_file read;
+allow hal_camera_default debugfs_ion:dir search;
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_camera_default hal_graphics_composer_default:fd use;
+allow hal_camera_default sysfs_virtual:dir search;
+allow hal_camera_default sysfs_virtual:file { getattr open read write };
+allow hal_camera_default sysfs_camera:dir search;
+allow hal_camera_default sysfs_camera:file { getattr open read write };
diff --git a/sepolicy/hal_drm_clearkey.te b/sepolicy/hal_drm_clearkey.te
new file mode 100644
index 0000000..92af96d
--- /dev/null
+++ b/sepolicy/hal_drm_clearkey.te
@@ -0,0 +1,14 @@
+# policy for /vendor/bin/hw/android.hardware.drm clearkey service
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
+
+allow hal_drm_clearkey mediadrm_data_file:dir create_dir_perms;
+allow hal_drm_clearkey mediadrm_data_file:file create_file_perms;
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
new file mode 100644
index 0000000..210fdb7
--- /dev/null
+++ b/sepolicy/hal_drm_widevine.te
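Review bot: `allow hal_camera_default sysfs_virtual:file { getattr open read write };` grants write on every node under `/sys/devices/virtual` (labelled `sysfs_virtual` by the file_contexts hunk), even though the camera nodes it presumably wants already have the narrower `sysfs_camera` label two lines below. The same generic `sysfs_virtual` write appears in the hal_light_default, hal_power_default, hal_sensors_default and netd hunks of this patch. If the denial log names the node, label it in file_contexts and reduce `sysfs_virtual` here to `dir search` plus `file { getattr open read }` where a read is really needed.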
@@ -0,0 +1,24 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+vndbinder_use(hal_drm_widevine);
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine hal_allocator_server:fd use;
+
+allow hal_drm_widevine mediadrm_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_data_file:file create_file_perms;
+allow hal_drm_widevine media_data_file:dir search;
+allow hal_drm_widevine vendor_data_file:dir { write create add_name } ;
+allow hal_drm_widevine vendor_data_file:file { create open read write getattr } ;
+
+allow hal_drm_widevine cpk_efs_file:file { open read getattr };
+allow hal_drm_widevine efs_file:dir search;
+
+allow hal_drm_widevine secmem_device:chr_file { open read write ioctl };
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
new file mode 100644
index 0000000..113bde7
--- /dev/null
+++ b/sepolicy/hal_fingerprint_default.te
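Review bot: `allow hal_drm_widevine vendor_data_file:dir { write create add_name } ;` and the `vendor_data_file:file { create open read write getattr } ;` rule under it let the DRM HAL create files in any /data/vendor directory that has no more specific label, although this patch already introduces `mediadrm_data_file` for `/data/vendor/mediadrm` and grants `create_dir_perms`/`create_file_perms` there. If the denial came from a path outside `/data/vendor/mediadrm`, adding that path to file_contexts with `mediadrm_data_file` (or its own type) keeps the grant confined; the stray space before `;` on both lines also differs from the rest of the file. A one-line header like the one hal_drm_clearkey.te has, `# policy for /vendor/bin/hw/android.hardware.drm widevine service`, would help too.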
@@ -0,0 +1,20 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default)
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file { open read write ioctl getattr };
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file { open read write ioctl };
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file { open read write ioctl };
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/vendor/biometrics/*
+allow hal_fingerprint_default fingerprintd_vendor_data_file:dir { rmdir read write remove_name create open add_name search };
+allow hal_fingerprint_default fingerprintd_vendor_data_file:file { write create read rename open getattr unlink };
+
+# sysfs_virtual
+allow hal_fingerprint_default sysfs_virtual:dir search;
+allow hal_fingerprint_default sysfs_virtual:file { open read };
diff --git a/sepolicy/hal_gatekeeper_default.te b/sepolicy/hal_gatekeeper_default.te
index c3ce50e..e3ff813 100644
--- a/sepolicy/hal_gatekeeper_default.te
+++ b/sepolicy/hal_gatekeeper_default.te
@@ -1,2 +1,3 @@
-allow hal_gatekeeper_default efs_file:file { open read };
+allow hal_gatekeeper_default gatekeeper_efs_file:file { write open read };
+allow hal_gatekeeper_default gatekeeper_efs_file:dir search;
 allow hal_gatekeeper_default tee_device:chr_file { open read write };
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index 0d67dbd..1ba9a3c 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
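Review bot: The header comment `# allow hal_fingerprint_default to communicate with various devices` sits directly above `binder_call(system_app, hal_fingerprint_default)`, which is the opposite direction: it lets system_app make binder calls into the HAL, while the device rules each carry their own comment further down. Suggest `# let system_app make binder calls into the fingerprint HAL` there so the first rule matches its description. In the hal_gatekeeper_default hunk, `gatekeeper_efs_file:file { write open read }` turns what used to be a read-only `/efs` grant into a writable one; a comment naming the file under `/efs/TEE` that gets written would document why.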
@@ -1,8 +1,7 @@
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { create read };
 allow hal_graphics_composer_default servicemanager:binder call;
-allow hal_graphics_composer_default sysfs:file read;
-allow hal_graphics_composer_default vendor_data_file:file append;
+allow hal_graphics_composer_default vendor_data_file:file { append getattr open };
 allow hal_graphics_composer_default vndbinder_device:chr_file read;
 
 # /dev/fimg2d
-allow hal_graphics_composer_default video_device:chr_file ioctl;
+allow hal_graphics_composer_default video_device:chr_file { open read write ioctl };
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
index 64e4b19..57672cd 100644
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
@@ -1 +1,3 @@
-allow hal_health_default sysfs:file { getattr open read };
+r_dir_file(hal_health_default, sysfs_charger)
+
+allow hal_health_default sysfs_charger:file rw_file_perms;
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
deleted file mode 100644
index ce78258..0000000
--- a/sepolicy/hal_keymaster_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_keymaster_default device:chr_file ioctl;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
new file mode 100644
index 0000000..ad0b43e
--- /dev/null
+++ b/sepolicy/hal_light_default.te
@@ -0,0 +1,4 @@
+allow hal_light_default sysfs_brightness:file { open read write getattr };
+allow hal_light_default sysfs_virtual:dir search;
+allow hal_light_default sysfs_virtual:file { read write open getattr };
+allow hal_light_default sysfs_graphics:file { open read getattr write };
diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te
new file mode 100644
index 0000000..1f4db7b
--- /dev/null
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
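Review bot: In the hal_health_default hunk `r_dir_file(hal_health_default, sysfs_charger)` is followed by `allow hal_health_default sysfs_charger:file rw_file_perms;`, and `rw_file_perms` already contains `r_file_perms`, so the file half of the macro is redundant; `allow hal_health_default sysfs_charger:dir r_dir_perms;` plus the `rw_file_perms` rule expresses the same grant without the overlap. Whether the health HAL actually writes charger nodes cannot be seen here; if the original denial was read-only, `r_dir_file` alone is the narrower choice.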
@@ -0,0 +1,6 @@
+# Allow LiveDisplay to store files under /data/vendor/display and access them
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..9aeeace
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1,15 @@
+# Allow reading of sysfs nodes to find input devices
+
+allow hal_power_default sysfs_devices_system_cpu:file write;
+
+allow hal_power_default sysfs_input:dir { open read search getattr };
+allow hal_power_default sysfs_input:file { open read write getattr };
+
+allow hal_power_default sysfs_virtual:dir { open read search };
+allow hal_power_default sysfs_virtual:file { open read write getattr };
+
+allow hal_power_default sysfs:dir { read open };
+allow hal_power_default sysfs:file { read write open };
+
+allow hal_power_default sysfs_brightness:file rw_file_perms;
+allow hal_power_default sysfs_graphics:file { getattr read open };
\ No newline at end of file
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 452fcde..5cc56bf 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
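Review bot: `allow hal_power_default sysfs:file { read write open };` (with `sysfs:dir { read open }` above it) grants write on the generic `sysfs` label, i.e. every sysfs node this patch did not give its own type, which undoes the point of the `sysfs_input`/`sysfs_brightness`/`sysfs_graphics` labelling in the same file; `allow hal_sensors_default sysfs:file { open read getattr write };` in the next hunk has the same shape. If the denial names the node, label it in file_contexts and drop the generic rule. The header `# Allow reading of sysfs nodes to find input devices` describes the `sysfs_input` rules but is placed above `sysfs_devices_system_cpu:file write`; moving it down to sit above the `sysfs_input` pair fixes that. The file also ends without a newline (`\ No newline at end of file`), as does mediacodec.te in a later hunk.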
@@ -1,5 +1,23 @@
-allow hal_sensors_default efs_file:dir search;
-allow hal_sensors_default sysfs:file { read write getattr open };
+# /efs/FactoryApp/
+allow hal_sensors_default app_efs_file:dir rw_dir_perms;
+allow hal_sensors_default app_efs_file:file { rw_file_perms setattr };
+
+# /efs
+allow hal_sensors_default efs_file:dir r_dir_perms;
 
 # sensor_device
 allow hal_sensors_default sensor_device:chr_file rw_file_perms;
+
+# iio_device
+allow hal_sensors_default iio_device:chr_file { open read };
+
+# sysfs_iio
+allow hal_sensors_default sysfs_iio:file { open read getattr write };
+allow hal_sensors_default sysfs_iio:dir { open read search };
+allow hal_sensors_default sysfs_iio:lnk_file read;
+
+# sysfs_virtual
+allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
+allow hal_sensors_default sysfs_virtual:file rw_file_perms;
+
+allow hal_sensors_default sysfs:file { open read getattr write };
diff --git a/sepolicy/hal_wifi_hostapd_default.te b/sepolicy/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..8f0592f
--- /dev/null
+++ b/sepolicy/hal_wifi_hostapd_default.te
@@ -0,0 +1,2 @@
+allow hal_wifi_hostapd_default sysfs_virtual:dir search;
+allow hal_wifi_hostapd_default sysfs_virtual:lnk_file { getattr read };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index ee399e9..069fe16 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,4 +1,3 @@
-allow init device:chr_file ioctl;
 allow init rild:unix_stream_socket connectto;
 allow init self:netlink_kobject_uevent_socket { create setopt };
 allow init socket_device:sock_file create;
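Review bot: `allow hal_sensors_default app_efs_file:file { rw_file_perms setattr };` together with `app_efs_file:dir rw_dir_perms` covers the whole `/efs/FactoryApp` tree, even though the file_contexts hunk gives the sensor-specific file `/efs/FactoryApp/gyro_cal_data` its own `sensor_factoryapp_efs_file` label and the kernel.te hunk is the domain granted `open` on it. If the sensor HAL only touches that file, the grant belongs on the specific type (e.g. `allow hal_sensors_default sensor_factoryapp_efs_file:file rw_file_perms;`) with `app_efs_file:dir search`; if it writes other files there, a comment naming them would justify the broad rule. `setattr` on `app_efs_file:file` is unusual for a HAL and deserves the same justification.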
@@ -9,7 +8,20 @@ allow init dnsproxyd_socket:sock_file write;
 allow init fwk_sensor_hwservice:hwservice_manager find;
 allow init hwservicemanager:binder call;
 allow init netd:unix_stream_socket connectto;
-allow init self:tcp_socket create;
+allow init fwmarkd_socket:sock_file write;
+allow init nfc:binder call;
+allow init nfc_device:chr_file ioctl;
+allow init sysfs_virtual:file { open write };
+allow init system_server:binder { transfer call };
+allow init tee_device:chr_file ioctl;
+allow init device:chr_file ioctl;
+allow init self:tcp_socket { getopt create bind connect };
+allow init node:tcp_socket node_bind;
+allow init port:tcp_socket { name_bind name_connect };
+allow init gps_vendor_data_file:fifo_file write;
+allow init gps_vendor_data_file:file lock;
 
 # LED
 allow init sysfs_graphics:file { open read write };
+
+unix_socket_connect(init, property, rild)
diff --git a/sepolicy/installd.te b/sepolicy/installd.te
deleted file mode 100644
index 702e5ad..0000000
--- a/sepolicy/installd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow installd device:file write;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 9f9de3a..07530ef 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -1,2 +1,7 @@
-allow kernel device:dir write;
-allow kernel efs_file:file open;
+allow kernel app_efs_file:dir search;
+allow kernel app_efs_file:file open;
+allow kernel sensor_factoryapp_efs_file:file open;
+
+allow kernel device:chr_file { getattr setattr unlink };
+allow kernel device:dir { add_name remove_name rmdir write };
+allow kernel self:capability { mknod };
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 0be4af4..abc71bc 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -1 +1,5 @@
-allow mediacodec sysfs:file { getattr open read };
+allow mediacodec debugfs_ion:dir search;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
+allow mediacodec sysfs:dir { open read };
\ No newline at end of file
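Review bot: `allow init self:tcp_socket { getopt create bind connect };` together with `allow init node:tcp_socket node_bind;` and `allow init port:tcp_socket { name_bind name_connect };` lets init itself bind and connect TCP sockets on any port, and `allow init system_server:binder { transfer call };` lets init make binder calls into system_server; neither is something init normally does, and denials of this shape usually mean a vendor service without a domain of its own is running in init's context. Giving that service a type with `init_daemon_domain` and placing these rules there keeps init's grant unchanged. In the kernel.te hunk, `allow kernel self:capability { mknod };` with the `device:dir { add_name remove_name rmdir write }` and `device:chr_file { getattr setattr unlink }` rules lets the kernel domain create and remove /dev nodes, which is normally ueventd's job; a comment naming the driver or early-boot step that needs it would help the next reviewer.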
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 5051d72..0b8df2c 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,3 +1,5 @@
-allow netd device:file write;
 allow netd self:capability sys_module;
-allow netd init:tcp_socket { read write };
+allow netd init:tcp_socket { setopt getopt read write };
+
+allow netd sysfs_virtual:dir search;
+allow netd sysfs_virtual:file { write open };
diff --git a/sepolicy/nfc.te b/sepolicy/nfc.te
new file mode 100644
index 0000000..6c8e449
--- /dev/null
+++ b/sepolicy/nfc.te
@@ -0,0 +1 @@
+allow nfc sec_efs_file:dir search;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 8a50549..12f80f8 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,2 +1,5 @@
 # /dev/mali0
 allow platform_app gpu_device:chr_file { ioctl read write };
+
+allow platform_app debugfs_ion:dir search;
+allow platform_app debugfs_mali:dir search;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 9bd1bc6..07156c9 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,2 +1,6 @@
 # /dev/mali0
 allow priv_app gpu_device:chr_file { ioctl read write };
+
+allow priv_app debugfs_ion:dir search;
+allow priv_app debugfs_mali:dir search;
+allow priv_app debugfs_mali_mem:dir search;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index b660636..75990d6 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
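Review bot: `allow nfc sec_efs_file:dir search;` in the new nfc.te references a type that this patch declares in file.te but never assigns to a path in file_contexts, so unless the label is applied somewhere outside this patch the rule grants nothing, and the `/efs` directory nfc presumably traverses is labelled `efs_file` here. The `debugfs_ion`/`debugfs_mali` `dir search` rules for platform_app and priv_app in this hunk (and for system_app, untrusted_app and untrusted_app_27 in later hunks) give app domains lookups into debugfs; if these come from the GPU userspace probing `/sys/kernel/debug` and nothing fails when refused, `dontaudit priv_app debugfs_mali:dir search;` quiets the log without opening debugfs to apps. The netd hunk's `sysfs_virtual:file { write open }` has the breadth already noted on the hal_camera_default hunk.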
@@ -1,6 +1,15 @@
-allow rild init:file read;
 allow rild proc_net:file write;
-allow rild vendor_data_file:file { getattr read write open };
+allow rild vendor_data_file:file { getattr setattr read write open };
 
 # /dev/umts_ipc0
 allow rild radio_device:chr_file ioctl;
+
+allow rild bin_nv_data_efs_file:file { setattr getattr read open write };
+
+allow rild hal_audio_default:dir search;
+allow rild hal_audio_default:file { getattr open read };
+
+allow rild radio_vendor_data_file:file { create ioctl lock getattr read write open unlink };
+allow rild radio_vendor_data_file:dir { add_name write open read remove_name };
+
+allow rild proc_qtaguid_stat:file read;
diff --git a/sepolicy/shell.te b/sepolicy/shell.te
deleted file mode 100644
index fe57529..0000000
--- a/sepolicy/shell.te
+++ /dev/null
@@ -1 +0,0 @@
-allow shell proc:file getattr;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index bfee089..3b7294c 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,4 +1,8 @@
-allow system_app proc_pagetypeinfo:file { getattr open read };
-
 # /dev/mali0
 allow system_app gpu_device:chr_file { ioctl read write };
+
+allow system_app proc_pagetypeinfo:file { getattr open read };
+allow system_app debugfs_ion:dir search;
+allow system_app debugfs_mali:dir search;
+allow system_app debugfs_mali_mem:dir search;
+allow system_app sysfs_virtual:dir search;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 685cfce..3a48fdf 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
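Review bot: `allow rild radio_vendor_data_file:dir { add_name write open read remove_name };` omits `search`, which every pathname lookup into `/data/vendor/secradio` needs; unless it is granted elsewhere, the `create`/`unlink` file rule above it cannot be exercised, so `{ add_name write open read remove_name search }` (or simply `rw_dir_perms`) is the expected set. `allow rild hal_audio_default:dir search;` and the `hal_audio_default:file { getattr open read }` rule let rild read the audio HAL's entries under /proc; a comment naming what it reads there would document the cross-domain grant, and if it is only a process scan, `dontaudit` is the usual answer.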
@@ -1,11 +1,14 @@
-# /sys/kernel/debug/mali/mem
-# allow system_server debugfs:dir { open read };
-# allow system_server debugfs:file { open read };
-
 # /dev/mali0
 allow system_server gpu_device:chr_file { ioctl read write };
 
 # memtrack HAL
-allow system_server debugfs:dir r_dir_perms;
+# allow system_server debugfs:dir r_dir_perms;
 allow system_server debugfs_mali:dir r_dir_perms;
 allow system_server debugfs_mali:file r_file_perms;
+
+allow system_server debugfs_ion:dir search;
+allow system_server debugfs_ion:file { getattr open read };
+
+allow system_server debugfs_ion_dma:dir search;
+allow system_server debugfs_mali_mem:dir search;
+allow system_server debugfs_mali_mem:file { getattr open read };
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
index 71b786b..e87b40a 100644
--- a/sepolicy/untrusted_app.te
+++ b/sepolicy/untrusted_app.te
@@ -1,2 +1,7 @@
 # /dev/mali0
 allow untrusted_app gpu_device:chr_file { ioctl open read write };
+
+allow untrusted_app debugfs_ion:dir search;
+allow untrusted_app debugfs_ion_dma:dir search;
+allow untrusted_app debugfs_mali:dir search;
+allow untrusted_app debugfs_mali_mem:dir search;
diff --git a/sepolicy/untrusted_app_27.te b/sepolicy/untrusted_app_27.te
index 037e6c6..8624b24 100644
--- a/sepolicy/untrusted_app_27.te
+++ b/sepolicy/untrusted_app_27.te
@@ -1,2 +1,10 @@
 # /dev/mali0
 allow untr
usted_app_27 gpu_device:chr_file { ioctl read write };
+
+allow untrusted_app_27 debugfs_ion:dir search;
+allow untrusted_app_27 debugfs_mali:dir search;
+allow untrusted_app_27 debugfs_mali_mem:dir search;
+
+allow untrusted_app_27 sysfs_net:dir search;
+allow untrusted_app_27 sysfs_virtual:file { open read getattr };
+allow untrusted_app_27 sysfs_virtual:dir search;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..a4967c9
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,2 @@
+# /efs
+allow vold efs_file:dir r_dir_perms;
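Review bot: `allow untrusted_app_27 sysfs_virtual:file { open read getattr };` lets every untrusted app in the legacy-targetSdk domain read any file under `/sys/devices/virtual` that this patch has not carved out into `sysfs_camera` or `sysfs_multipdp`; sysfs nodes there can expose hardware identifiers and state, so the node that triggered the denial should get its own label and only that label should be granted. In the system_server hunk `+# allow system_server debugfs:dir r_dir_perms;` replaces a live rule with a commented-out copy while the same hunk deletes the older commented-out debugfs rules above it; either drop the line or replace it with a comment stating that the per-type rules below supersede it.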
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
deleted file mode 100644
index 25ee73f..0000000
--- a/sepolicy/zygote.te
+++ /dev/null
@@ -1 +0,0 @@
-allow zygote device:file { open write };
-- 
2.20.1