diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index bf9a66b..6535f10 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -143,14 +143,11 @@ TARGET_USERIMAGES_USE_EXT4 := true TARGET_USERIMAGES_USE_F2FS := true TARGET_USES_MKE2FS := true -# Root -BOARD_ROOT_EXTRA_FOLDERS := op1 op2 - # Telephony TARGET_PROVIDES_QTI_TELEPHONY_JAR := true # Sepolicy -include device/qcom/sepolicy/SEPolicy.mk +include device/qcom/sepolicy_vndr/SEPolicy.mk BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
diff --git a/sepolicy/private/app.te b/sepolicy/private/app.te
deleted file mode 100644
index 9f418bd..0000000
--- a/sepolicy/private/app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow appdomain to get vendor_camera_prop
-get_prop(appdomain, vendor_camera_prop)
diff --git a/sepolicy/private/attributes b/sepolicy/private/attributes
deleted file mode 100644
index bf94d93..0000000
--- a/sepolicy/private/attributes
+++ /dev/null
@@ -1,3 +0,0 @@
-attribute hal_display;
-attribute hal_display_client;
-attribute hal_display_server;
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
deleted file mode 100644
index e5bd784..0000000
--- a/sepolicy/private/file.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# rootfs
-type op1_file, file_type;
-type op2_file, file_type;
-
-# proc
-type proc_touchpanel, fs_type, proc_type;
-type procfs_oem_wireless, fs_type, proc_type;
-
-# sysfs
-type sysfs_battery_supply, sysfs_type, fs_type;
-type sysfs_fod, sysfs_type, fs_type;
-type sysfs_fpc_proximity, sysfs_type, fs_type;
-type sysfs_graphics, sysfs_type, fs_type;
-type sysfs_oem, sysfs_type, fs_type;
-type sysfs_ssr, sysfs_type, fs_type;
-type sysfs_ssr_toggle, sysfs_type, fs_type;
-type sysfs_usb_supply, sysfs_type, fs_type;
-
-# data
-type display_misc_file, file_type, data_file_type, core_data_file_type;
-type vendor_qmipriod_data_file, file_type, data_file_type;
\ No newline at end of file
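Review bot: The include swap to `device/qcom/sepolicy_vndr/SEPolicy.mk` is only sound if sepolicy_vndr also declares and assigns every label this commit deletes alongside it — `tee_device` for `/dev/smcinvoke`, the `*_block_device`/`sg_device` types for the UFS by-name partitions and `/dev/sg*`, `sysfs_scsi_target`, and the `hal_bootctl`/`update_engine_common`/`fastbootd` rules over them; none of that is visible in this diff, and any node left without a matching entry silently falls back to `device`, `block_device` or plain `sysfs`, which changes which domains may open it. Please verify on a build that `ls -Z /dev/block/bootdevice/by-name/` and `/dev/sg*` show the expected types and that a slot switch and a `fastboot flash` produce no new avc denials, and record that in the commit message. A comment on the include would make the dependency explicit: `# sepolicy_vndr now supplies the kona partition, TEE and SCSI labels and the bootctl/update_engine rules formerly kept under sepolicy/vendor`. Dropping `BOARD_ROOT_EXTRA_FOLDERS := op1 op2` together with the `/op1`, `/op2` labels is consistent, but only if nothing in the fstab or init rc files still mounts at those paths.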
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 214adae..0d4843d 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -1,28 +1,2 @@
-# Devices
-/dev/smcinvoke u:object_r:tee_device:s0
-
-# Data files
-/data/misc/display(/.*)? u:object_r:display_misc_file:s0
-
-# Files in rootfs
-/op1(/.*)? u:object_r:op1_file:s0
-/op2(/.*)? u:object_r:op2_file:s0
-
-# Files in sysfs
-/sys/devices/platform/soc/soc:goodix_fp/proximity_state u:object_r:sysfs_fpc_proximity:s0
-
-# HALs
-/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.power-service u:object_r:hal_power_default_exec:s0
-/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/vendor\.qti\.hardware\.vibrator\.service u:object_r:hal_vibrator_default_exec:s0
-/system/bin/hw/lineage\.biometrics\.fingerprint\.inscreen@1.0-service\.oneplus_kona u:object_r:hal_fod_kona_exec:s0
-/system/bin/hw/lineage\.livedisplay@2\.0-service\.oneplus_kona u:object_r:hal_livedisplay_kona_exec:s0
-/system/bin/hw/lineage\.powershare@1\.0-service\.oneplus_kona u:object_r:hal_powershare_kona_exec:s0
-/system/bin/hw/lineage\.touch@1\.0-service\.oneplus_kona u:object_r:hal_touch_kona_exec:s0
-
 # tri-state-key
 /system/bin/tri-state-key_daemon u:object_r:tri-state-key_daemon_exec:s0
-
-# Vendor overlay
-/(product|system/product)/vendor_overlay/[0-9]+/etc(/.*)? u:object_r:vendor_configs_file:s0
-/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(product|system/product)/vendor_overlay/[0-9]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
deleted file mode 100644
index 45d476b..0000000
--- a/sepolicy/private/genfs_contexts
+++ /dev/null
@@ -1,52 +0,0 @@
-# Display
-genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/DCI_P3 u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/dim_alpha u:object_r:sysfs_fod:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/hbm u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_loading_effect_mode u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_p3_mode u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_srgb_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_wide_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/night_mode u:object_r:sysfs_livedisplay_tuneable:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/op_friginer_print_hbm u:object_r:sysfs_fod:s0
-
-# Power supply
-genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
-genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
-
-# SSR
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/restart_level u:object_r:sysfs_ssr_toggle:s0
-
-genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/name u:object_r:sysfs_ssr:s0
-genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/restart_level u:object_r:sysfs_ssr_toggle:s0
diff --git a/sepolicy/private/hal_display_default.te b/sepolicy/private/hal_display_default.te
deleted file mode 100644
index f0d48c3..0000000
--- a/sepolicy/private/hal_display_default.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_display_default, domain;
diff --git a/sepolicy/private/hal_fod_kona.te b/sepolicy/private/hal_fod_kona.te
deleted file mode 100644
index ac38af2..0000000
--- a/sepolicy/private/hal_fod_kona.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type hal_fod_kona, coredomain, domain;
-hal_server_domain(hal_fod_kona, hal_lineage_fod)
-
-type hal_fod_kona_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_fod_kona)
-
-# Allow access to the HALs
-hal_client_domain(hal_fod_kona, hal_fingerprint)
-
-# Allow binder communication with hal_display_default
-binder_call(hal_fod_kona, hal_display_default)
-
-# Allow binder communication with hal_fingerprint
-binder_call(hal_fod_kona, hal_fingerprint)
-
-# Allow hal_fod_kona to hal_display_hwservice
-allow hal_fod_kona hal_display_hwservice:hwservice_manager find;
-
-# Allow hal_fod_kona to hal_fingerprint_hwservice
-allow hal_fod_kona hal_fingerprint_hwservice:hwservice_manager find;
-
-# Allow hal_fod_kona to read and write to sysfs_fod
-allow hal_fod_kona sysfs_fod:file rw_file_perms;
diff --git a/sepolicy/private/hal_livedisplay_kona.te b/sepolicy/private/hal_livedisplay_kona.te
deleted file mode 100644
index f400b82..0000000
--- a/sepolicy/private/hal_livedisplay_kona.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type hal_livedisplay_kona, coredomain, domain;
-hal_server_domain(hal_livedisplay_kona, hal_lineage_livedisplay)
-
-type hal_livedisplay_kona_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_livedisplay_kona)
-
-# Allow hal_livedisplay_kona to find vendor_hal_display_color_hwservice
-type vendor_hal_display_color_hwservice, hwservice_manager_type;
-allow hal_livedisplay_kona vendor_hal_display_color_hwservice:hwservice_manager find;
-
-# Allow binder communication with vendor_hal_display_color_default
-type vendor_hal_display_color_default, domain;
-binder_call(hal_livedisplay_kona, vendor_hal_display_color_default)
-
-# Allow hal_livedisplay_kona to use binder service
-binder_use(hal_livedisplay_kona)
-
-# Allow LiveDisplay to store files under /data/misc/display and access them
-allow hal_livedisplay_kona display_misc_file:dir rw_dir_perms;
-allow hal_livedisplay_kona display_misc_file:file create_file_perms;
-
-# Grant access over LiveDisplay tuneables
-allow hal_livedisplay_kona { sysfs_livedisplay_tuneable sysfs_oem }:file rw_file_perms;
-
-# Allow hal_livedisplay_kona to set config_prop
-set_prop(hal_livedisplay_kona, config_prop)
diff --git a/sepolicy/private/hal_power.te b/sepolicy/private/hal_power.te
deleted file mode 100644
index aee843b..0000000
--- a/sepolicy/private/hal_power.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_power proc_touchpanel:dir search;
-allow hal_power proc_touchpanel:file w_file_perms;
diff --git a/sepolicy/private/hal_powershare_kona.te b/sepolicy/private/hal_powershare_kona.te
deleted file mode 100644
index ee87ee1..0000000
--- a/sepolicy/private/hal_powershare_kona.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_powershare_kona, coredomain, domain;
-hal_server_domain(hal_powershare_kona, hal_lineage_powershare)
-
-type hal_powershare_kona_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_powershare_kona)
-
-# Allow access to wireless rx enable nodes
-allow hal_powershare_kona procfs_oem_wireless:dir search;
-allow hal_powershare_kona procfs_oem_wireless:file rw_file_perms;
diff --git a/sepolicy/private/hal_touch_kona.te b/sepolicy/private/hal_touch_kona.te
deleted file mode 100644
index f4a646e..0000000
--- a/sepolicy/private/hal_touch_kona.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type hal_touch_kona, coredomain, domain;
-hal_server_domain(hal_touch_kona, hal_lineage_touch)
-
-type hal_touch_kona_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_touch_kona)
-
-# Allow access to gesture enable nodes
-allow hal_touch_kona proc_touchpanel:dir search;
-allow hal_touch_kona proc_touchpanel:file rw_file_perms;
diff --git a/sepolicy/private/hal_usb.te b/sepolicy/private/hal_usb.te
deleted file mode 100644
index 91e851a..0000000
--- a/sepolicy/private/hal_usb.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow hal_usb to read and write to sysfs_oem
-allow hal_usb sysfs_oem:file rw_file_perms;
diff --git a/sepolicy/private/hwservice.te b/sepolicy/private/hwservice.te
deleted file mode 100644
index ef1ca66..0000000
--- a/sepolicy/private/hwservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_display_hwservice, hwservice_manager_type;
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
deleted file mode 100644
index 69c90c3..0000000
--- a/sepolicy/private/init.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allow init to mount vendor configs
-allow init vendor_configs_file:dir mounton;
-
-# Allow init to mount vendor overlays
-allow init vendor_overlay_file:dir mounton;
-
-# Allow init to chown/chmod on pseudo files in /sys
-allow init {
-    sysfs_fod
-    sysfs_fpc_proximity
-    sysfs_graphics
-}:file { open read setattr };
-
-# Allow init to write to otg_switch
-allow init sysfs_usb_supply:file w_file_perms;
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
deleted file mode 100644
index 028c77c..0000000
--- a/sepolicy/private/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_camera_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
deleted file mode 100644
index 8882946..0000000
--- a/sepolicy/private/property_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sys.display.mode u:object_r:config_prop:s0
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
deleted file mode 100644
index 5387eda..0000000
--- a/sepolicy/private/vendor_init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow vendor_init to set vendor_camera_prop
-set_prop(vendor_init, vendor_camera_prop)
diff --git a/sepolicy/private/vendor_qmipriod.te b/sepolicy/private/vendor_qmipriod.te
deleted file mode 100644
index 1ea6293..0000000
--- a/sepolicy/private/vendor_qmipriod.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type vendor_qmipriod, domain;
-
-userdebug_or_eng(`
-    allow vendor_qmipriod vendor_qmipriod_data_file:dir rw_dir_perms;
-    allow vendor_qmipriod vendor_qmipriod_data_file:file create_file_perms;
-')
diff --git a/sepolicy/vendor/dashd.te b/sepolicy/vendor/dashd.te
new file mode 100644
index 0000000..80fc0ba
--- /dev/null
+++ b/sepolicy/vendor/dashd.te
@@ -0,0 +1,4 @@
+type dashd, domain;
+type dashd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(dashd)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
deleted file mode 100644
index 26bec60..0000000
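Review bot: `dashd` is given a domain and `init_daemon_domain(dashd)` but not a single allow rule, and nothing in this diff labels a binary `dashd_exec` — the vendor file_contexts that could have carried that entry is deleted in this same commit — so unless the label is assigned in a file outside the diff, init will refuse to start the service for lack of a domain transition, and if it does start, every file, property and socket access the daemon makes is denied. If the daemon is meant to run, its executable path needs `u:object_r:dashd_exec:s0` in a file_contexts and the domain needs rules for what it actually touches, taken from a denial log rather than guessed. The file should also open with a header comment saying what the daemon is (a charging daemon is a guess from the name, not something the diff shows) and where the rest of its policy lives, e.g. `# dashd: vendor daemon launched by init; exec label assigned in vendor file_contexts`.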
--- a/sepolicy/vendor/device.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type ab_block_device, dev_type;
-type custom_ab_block_device, dev_type;
-type efs_boot_dev, dev_type;
-type gpt_block_device, dev_type;
-type limits_block_device, dev_type;
-type mdtp_device, dev_type;
-type modem_block_device, dev_type;
-type modem_efs_partition_device, dev_type;
-type persist_block_device, dev_type;
-type rpmb_device, dev_type;
-type sg_device, dev_type;
-type ssd_block_device, dev_type;
-type uefi_block_device, dev_type;
-type xbl_block_device, dev_type;
diff --git a/sepolicy/vendor/fastbootd.te b/sepolicy/vendor/fastbootd.te
deleted file mode 100644
index dcc0a18..0000000
--- a/sepolicy/vendor/fastbootd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-recovery_only(`
-allow fastbootd {
- custom_ab_block_device
- recovery_block_device
- xbl_block_device
- uefi_block_device
- modem_block_device
- mdtp_device
-}:blk_file { rw_file_perms };
-')
-
-allow fastbootd tmpfs:lnk_file { getattr read };
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
deleted file mode 100644
index aa1ea19..0000000
--- a/sepolicy/vendor/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# sysfs
-type sysfs_scsi_target, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
deleted file mode 100644
index e3fe8e6..0000000
--- a/sepolicy/vendor/file_contexts
+++ /dev/null
@@ -1,88 +0,0 @@
-# devices
-/dev/sg[0-9]+ u:object_r:sg_device:s0
-
-# graphics device
-/dev/mdss_rotator u:object_r:graphics_device:s0
-/dev/dri/card0 u:object_r:graphics_device:s0
-/dev/dri/controlD64 u:object_r:graphics_device:s0
-/dev/dri/renderD128 u:object_r:graphics_device:s0
-
-# sysfs files
-/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
-/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:sysfs_scsi_target:s0
-/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
-
-# UFS Devices
-/dev/block/platform/soc/1d84000\.ufshc/by-name/system u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/product u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/odm u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/fsc u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/fsg u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/ssd u:object_r:ssd_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/rpm u:object_r:rpmb_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdmddr u:object_r:efs_boot_dev:s0
-
-# A/B partitions.
-/dev/block/platform/soc/1d84000\.ufshc/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/aop_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/apdp_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/bluetooth_[ab] u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib64_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/core_nhlos_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/devcfg_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/dsp_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/featenabler_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/hyp_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/keymaster_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtp_[ab] u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/modem_[ab] u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/msadp_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/multiimgqti_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/persist u:object_r:persist_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/pmic_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/system_[ab] u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_[ab] u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/product_[ab] u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/odm_[ab] u:object_r:system_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_[ab] u:object_r:xbl_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/imagefv_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/multiimgoem_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/uefisecapp_[ab] u:object_r:uefi_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/recovery_[ab] u:object_r:recovery_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_product_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/super u:object_r:super_block_device:s0
-
-# Block device holding the GPT, where the A/B attributes are stored.
-/dev/block/platform/soc/1d84000\.ufshc/sd[ade] u:object_r:gpt_block_device:s0
-
-# Block devices for the drive that holds the xbl_a and xbl_b partitions.
-/dev/block/platform/soc/1d84000\.ufshc/sd[bc] u:object_r:xbl_block_device:s0
-
-# limits Partitions
-/dev/block/platform/soc/1d84000\.ufshc/by-name/limits u:object_r:limits_block_device:s0
-/dev/block/platform/soc/1d84000\.ufshc/by-name/limits-cdsp u:object_r:limits_block_device:s0
diff --git a/sepolicy/vendor/hal_bootctl.te b/sepolicy/vendor/hal_bootctl.te
deleted file mode 100644
index 7e6e3e1..0000000
--- a/sepolicy/vendor/hal_bootctl.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-# These are the permissions required to use the boot_control HAL implemented
-# here: hardware/qcom/bootctrl/boot_control.c
-
-# Getting and setting GPT attributes for the bootloader iterates over all the
-# partition names in the block_device directory /dev/block/.../by-name
-allow hal_bootctl block_device:dir r_dir_perms;
-
-# Edit the attributes stored in the GPT.
-allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
-allow hal_bootctl root_block_device:blk_file rw_file_perms;
-
-# Allow boot_control_hal to get attributes on all the A/B partitions.
-allow hal_bootctl boot_block_device:blk_file rw_file_perms;
-allow hal_bootctl ab_block_device:blk_file getattr;
-allow hal_bootctl xbl_block_device:blk_file getattr;
-allow hal_bootctl modem_block_device:blk_file getattr;
-allow hal_bootctl system_block_device:blk_file getattr;
-allow hal_bootctl custom_ab_block_device:blk_file getattr;
-allow hal_bootctl recovery_block_device:blk_file getattr;
-allow hal_bootctl mdtp_device:blk_file getattr;
-allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
-
-# Access /dev/sgN devices (generic SCSI) to write the
-# A/B slot selection for the XBL partition. Allow also to issue a
-# UFS_IOCTL_QUERY ioctl.
-allow hal_bootctl sg_device:chr_file rw_file_perms;
-
-# The sys_rawio denial message is benign, and shows up due to a capability()
-# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
-# does not result in a error
-dontaudit hal_bootctl self:capability sys_rawio;
-
-# Read the sysfs to lookup what /dev/sgN device
-# corresponds to the XBL partitions.
-allow hal_bootctl sysfs_scsi_target:dir r_dir_perms;
-
-# Write to the XBL devices.
-allow hal_bootctl xbl_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/update_engine_common.te b/sepolicy/vendor/update_engine_common.te
deleted file mode 100644
index 62d5602..0000000
--- a/sepolicy/vendor/update_engine_common.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-# * Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# * Redistributions in binary form must reproduce the above
-# copyright notice, this list of conditions and the following
-# disclaimer in the documentation and/or other materials provided
-# with the distribution.
-# * Neither the name of The Linux Foundation nor the names of its
-# contributors may be used to endorse or promote products derived
-# from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow update_engine and update_engine_sideload (recovery) read/write on the
-# device-specific partitions it should update.
-allow update_engine_common {
- custom_ab_block_device
- xbl_block_device
- ssd_block_device
- modem_block_device
- uefi_block_device
- recovery_block_device
-}:blk_file rw_file_perms;
-
-allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/sepolicy/vendor/wlchgd.te b/sepolicy/vendor/wlchgd.te
new file mode 100644
index 0000000..6063476
--- /dev/null
+++ b/sepolicy/vendor/wlchgd.te
@@ -0,0 +1,4 @@
+type wlchgd, domain;
+type wlchgd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(wlchgd)
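Review bot: `wlchgd` is declared with `init_daemon_domain(wlchgd)` but carries no allow rules, and nothing in this diff labels a binary `wlchgd_exec` (the vendor file_contexts is deleted in the same commit), so unless the label comes from a file outside the diff, init will refuse to start the service for lack of a domain transition, and if it does start, every file, property and socket access the daemon makes is denied. If the daemon is meant to run, its path needs `u:object_r:wlchgd_exec:s0` in a file_contexts and the domain needs rules for the nodes it touches — the `procfs_oem_wireless` and `sysfs_battery_supply` labels removed elsewhere in this commit hint at what that set might be, but it should come from a denial log, not a guess. Add a header comment naming the daemon and its purpose (wireless charging is only a guess from the name) and where its exec label is assigned, e.g. `# wlchgd: vendor daemon launched by init; exec label assigned in vendor file_contexts`.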