BOBtheBlinker/android_device_oneplus_dre
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

sm8250-common: Re:Start sepolicy

Browse source 
* Drop all old rules, but keep tri-state-key.
* Also introduce dashd/wlchgd domain as they are needed for seclabels.

Change-Id: I0a7121f51d106d927866aead746a49b3dea6a149
This commit is contained in:
LuK1337 2021-01-04 22:30:04 +01:00
parent 5e1e5980eb
commit da018dd3c6
27 changed files with 9 additions and 425 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
BoardConfigCommon.mk
View file

@ -143,14 +143,11 @@ TARGET_USERIMAGES_USE_EXT4 := true
TARGET_USERIMAGES_USE_F2FS := true TARGET_USERIMAGES_USE_F2FS := true
TARGET_USES_MKE2FS := true TARGET_USES_MKE2FS := true
# Root
BOARD_ROOT_EXTRA_FOLDERS := op1 op2
# Telephony # Telephony
TARGET_PROVIDES_QTI_TELEPHONY_JAR := true TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
# Sepolicy # Sepolicy
include device/qcom/sepolicy/SEPolicy.mk include device/qcom/sepolicy_vndr/SEPolicy.mk
BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor BOARD_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor

2
sepolicy/private/app.te
View file

@ -1,2 +0,0 @@
# Allow appdomain to get vendor_camera_prop
get_prop(appdomain, vendor_camera_prop)

3
sepolicy/private/attributes
View file

@ -1,3 +0,0 @@
attribute hal_display;
attribute hal_display_client;
attribute hal_display_server;

21
sepolicy/private/file.te
View file

@ -1,21 +0,0 @@
# rootfs
type op1_file, file_type;
type op2_file, file_type;
# proc
type proc_touchpanel, fs_type, proc_type;
type procfs_oem_wireless, fs_type, proc_type;
# sysfs
type sysfs_battery_supply, sysfs_type, fs_type;
type sysfs_fod, sysfs_type, fs_type;
type sysfs_fpc_proximity, sysfs_type, fs_type;
type sysfs_graphics, sysfs_type, fs_type;
type sysfs_oem, sysfs_type, fs_type;
type sysfs_ssr, sysfs_type, fs_type;
type sysfs_ssr_toggle, sysfs_type, fs_type;
type sysfs_usb_supply, sysfs_type, fs_type;
# data
type display_misc_file, file_type, data_file_type, core_data_file_type;
type vendor_qmipriod_data_file, file_type, data_file_type;

26
sepolicy/private/file_contexts
View file

@ -1,28 +1,2 @@
# Devices
/dev/smcinvoke u:object_r:tee_device:s0
# Data files
/data/misc/display(/.*)? u:object_r:display_misc_file:s0
# Files in rootfs
/op1(/.*)? u:object_r:op1_file:s0
/op2(/.*)? u:object_r:op2_file:s0
# Files in sysfs
/sys/devices/platform/soc/soc:goodix_fp/proximity_state u:object_r:sysfs_fpc_proximity:s0
# HALs
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/android\.hardware\.power-service u:object_r:hal_power_default_exec:s0
/(product|system/product)/vendor_overlay/[0-9]+/bin/hw/vendor\.qti\.hardware\.vibrator\.service u:object_r:hal_vibrator_default_exec:s0
/system/bin/hw/lineage\.biometrics\.fingerprint\.inscreen@1.0-service\.oneplus_kona u:object_r:hal_fod_kona_exec:s0
/system/bin/hw/lineage\.livedisplay@2\.0-service\.oneplus_kona u:object_r:hal_livedisplay_kona_exec:s0
/system/bin/hw/lineage\.powershare@1\.0-service\.oneplus_kona u:object_r:hal_powershare_kona_exec:s0
/system/bin/hw/lineage\.touch@1\.0-service\.oneplus_kona u:object_r:hal_touch_kona_exec:s0
# tri-state-key # tri-state-key
/system/bin/tri-state-key_daemon u:object_r:tri-state-key_daemon_exec:s0 /system/bin/tri-state-key_daemon u:object_r:tri-state-key_daemon_exec:s0
# Vendor overlay
/(product|system/product)/vendor_overlay/[0-9]+/etc(/.*)? u:object_r:vendor_configs_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
/(product|system/product)/vendor_overlay/[0-9]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0

52
sepolicy/private/genfs_contexts
View file

@ -1,52 +0,0 @@
# Display
genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/DCI_P3 u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/dim_alpha u:object_r:sysfs_fod:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/hbm u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_loading_effect_mode u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_p3_mode u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_srgb_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/native_display_wide_color_mode u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/night_mode u:object_r:sysfs_livedisplay_tuneable:s0
genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/op_friginer_print_hbm u:object_r:sysfs_fod:s0
# Power supply
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
# SSR
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/188101c.qcom,spss/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys7/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys8/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/subsys9/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/soc:qcom,mdm0/subsys10/restart_level u:object_r:sysfs_ssr_toggle:s0
genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/name u:object_r:sysfs_ssr:s0
genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys11/restart_level u:object_r:sysfs_ssr_toggle:s0

1
sepolicy/private/hal_display_default.te
View file

@ -1 +0,0 @@
type hal_display_default, domain;

23
sepolicy/private/hal_fod_kona.te
View file

@ -1,23 +0,0 @@
type hal_fod_kona, coredomain, domain;
hal_server_domain(hal_fod_kona, hal_lineage_fod)
type hal_fod_kona_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_fod_kona)
# Allow access to the HALs
hal_client_domain(hal_fod_kona, hal_fingerprint)
# Allow binder communication with hal_display_default
binder_call(hal_fod_kona, hal_display_default)
# Allow binder communication with hal_fingerprint
binder_call(hal_fod_kona, hal_fingerprint)
# Allow hal_fod_kona to hal_display_hwservice
allow hal_fod_kona hal_display_hwservice:hwservice_manager find;
# Allow hal_fod_kona to hal_fingerprint_hwservice
allow hal_fod_kona hal_fingerprint_hwservice:hwservice_manager find;
# Allow hal_fod_kona to read and write to sysfs_fod
allow hal_fod_kona sysfs_fod:file rw_file_perms;

26
sepolicy/private/hal_livedisplay_kona.te
View file

@ -1,26 +0,0 @@
type hal_livedisplay_kona, coredomain, domain;
hal_server_domain(hal_livedisplay_kona, hal_lineage_livedisplay)
type hal_livedisplay_kona_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_livedisplay_kona)
# Allow hal_livedisplay_kona to find vendor_hal_display_color_hwservice
type vendor_hal_display_color_hwservice, hwservice_manager_type;
allow hal_livedisplay_kona vendor_hal_display_color_hwservice:hwservice_manager find;
# Allow binder communication with vendor_hal_display_color_default
type vendor_hal_display_color_default, domain;
binder_call(hal_livedisplay_kona, vendor_hal_display_color_default)
# Allow hal_livedisplay_kona to use binder service
binder_use(hal_livedisplay_kona)
# Allow LiveDisplay to store files under /data/misc/display and access them
allow hal_livedisplay_kona display_misc_file:dir rw_dir_perms;
allow hal_livedisplay_kona display_misc_file:file create_file_perms;
# Grant access over LiveDisplay tuneables
allow hal_livedisplay_kona { sysfs_livedisplay_tuneable sysfs_oem }:file rw_file_perms;
# Allow hal_livedisplay_kona to set config_prop
set_prop(hal_livedisplay_kona, config_prop)

2
sepolicy/private/hal_power.te
View file

@ -1,2 +0,0 @@
allow hal_power proc_touchpanel:dir search;
allow hal_power proc_touchpanel:file w_file_perms;

9
sepolicy/private/hal_powershare_kona.te
View file

@ -1,9 +0,0 @@
type hal_powershare_kona, coredomain, domain;
hal_server_domain(hal_powershare_kona, hal_lineage_powershare)
type hal_powershare_kona_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_powershare_kona)
# Allow access to wireless rx enable nodes
allow hal_powershare_kona procfs_oem_wireless:dir search;
allow hal_powershare_kona procfs_oem_wireless:file rw_file_perms;

9
sepolicy/private/hal_touch_kona.te
View file

@ -1,9 +0,0 @@
type hal_touch_kona, coredomain, domain;
hal_server_domain(hal_touch_kona, hal_lineage_touch)
type hal_touch_kona_exec, system_file_type, exec_type, file_type;
init_daemon_domain(hal_touch_kona)
# Allow access to gesture enable nodes
allow hal_touch_kona proc_touchpanel:dir search;
allow hal_touch_kona proc_touchpanel:file rw_file_perms;

2
sepolicy/private/hal_usb.te
View file

@ -1,2 +0,0 @@
# Allow hal_usb to read and write to sysfs_oem
allow hal_usb sysfs_oem:file rw_file_perms;

1
sepolicy/private/hwservice.te
View file

@ -1 +0,0 @@
type hal_display_hwservice, hwservice_manager_type;

15
sepolicy/private/init.te
View file

@ -1,15 +0,0 @@
# Allow init to mount vendor configs
allow init vendor_configs_file:dir mounton;
# Allow init to mount vendor overlays
allow init vendor_overlay_file:dir mounton;
# Allow init to chown/chmod on pseudo files in /sys
allow init {
sysfs_fod
sysfs_fpc_proximity
sysfs_graphics
}:file { open read setattr };
# Allow init to write to otg_switch
allow init sysfs_usb_supply:file w_file_perms;

1
sepolicy/private/property.te
View file

@ -1 +0,0 @@
type vendor_camera_prop, property_type;

1
sepolicy/private/property_contexts
View file

@ -1 +0,0 @@
sys.display.mode u:object_r:config_prop:s0

2
sepolicy/private/vendor_init.te
View file

@ -1,2 +0,0 @@
# Allow vendor_init to set vendor_camera_prop
set_prop(vendor_init, vendor_camera_prop)

6
sepolicy/private/vendor_qmipriod.te
View file

@ -1,6 +0,0 @@
type vendor_qmipriod, domain;
userdebug_or_eng(`
allow vendor_qmipriod vendor_qmipriod_data_file:dir rw_dir_perms;
allow vendor_qmipriod vendor_qmipriod_data_file:file create_file_perms;
')

4
sepolicy/vendor/dashd.te vendored Normal file
View file

@ -0,0 +1,4 @@
type dashd, domain;
type dashd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(dashd)

14
sepolicy/vendor/device.te vendored
View file

@ -1,14 +0,0 @@
type ab_block_device, dev_type;
type custom_ab_block_device, dev_type;
type efs_boot_dev, dev_type;
type gpt_block_device, dev_type;
type limits_block_device, dev_type;
type mdtp_device, dev_type;
type modem_block_device, dev_type;
type modem_efs_partition_device, dev_type;
type persist_block_device, dev_type;
type rpmb_device, dev_type;
type sg_device, dev_type;
type ssd_block_device, dev_type;
type uefi_block_device, dev_type;
type xbl_block_device, dev_type;

12
sepolicy/vendor/fastbootd.te vendored
View file

@ -1,12 +0,0 @@
recovery_only(`
allow fastbootd {
custom_ab_block_device
recovery_block_device
xbl_block_device
uefi_block_device
modem_block_device
mdtp_device
}:blk_file { rw_file_perms };
')
allow fastbootd tmpfs:lnk_file { getattr read };

2
sepolicy/vendor/file.te vendored
View file

@ -1,2 +0,0 @@
# sysfs
type sysfs_scsi_target, fs_type, sysfs_type;

88
sepolicy/vendor/file_contexts vendored
View file

@ -1,88 +0,0 @@
# devices
/dev/sg[0-9]+ u:object_r:sg_device:s0
# graphics device
/dev/mdss_rotator u:object_r:graphics_device:s0
/dev/dri/card0 u:object_r:graphics_device:s0
/dev/dri/controlD64 u:object_r:graphics_device:s0
/dev/dri/renderD128 u:object_r:graphics_device:s0
# sysfs files
/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/host0/target0:0:0/0:0:0:[0-9]+/scsi_generic(/.*)? u:object_r:sysfs_scsi_target:s0
/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)? u:object_r:sysfs_graphics:s0
/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
# UFS Devices
/dev/block/platform/soc/1d84000\.ufshc/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/product u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/odm u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/fsc u:object_r:modem_efs_partition_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/fsg u:object_r:modem_efs_partition_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/modemst1 u:object_r:modem_efs_partition_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/modemst2 u:object_r:modem_efs_partition_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/ssd u:object_r:ssd_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/misc u:object_r:misc_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/rpm u:object_r:rpmb_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtp u:object_r:mdtp_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdm1m9kefs3 u:object_r:efs_boot_dev:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdmddr u:object_r:efs_boot_dev:s0
# A/B partitions.
/dev/block/platform/soc/1d84000\.ufshc/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/aop_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/apdp_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/bluetooth_[ab] u:object_r:modem_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/boot_[ab] u:object_r:boot_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/cmnlib64_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/core_nhlos_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/devcfg_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/dsp_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/featenabler_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/hyp_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/keymaster_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtp_[ab] u:object_r:mdtp_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/mdtpsecapp_[ab] u:object_r:mdtp_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/modem_[ab] u:object_r:modem_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/msadp_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/multiimgqti_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/pmic_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/qupfw_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/rpm_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/system_[ab] u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/tz_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/vendor_[ab] u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/product_[ab] u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/odm_[ab] u:object_r:system_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_[ab] u:object_r:xbl_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/xbl_config_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/imagefv_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/multiimgoem_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/uefisecapp_[ab] u:object_r:uefi_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/recovery_[ab] u:object_r:recovery_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/vbmeta_product_[ab] u:object_r:custom_ab_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/super u:object_r:super_block_device:s0
# Block device holding the GPT, where the A/B attributes are stored.
/dev/block/platform/soc/1d84000\.ufshc/sd[ade] u:object_r:gpt_block_device:s0
# Block devices for the drive that holds the xbl_a and xbl_b partitions.
/dev/block/platform/soc/1d84000\.ufshc/sd[bc] u:object_r:xbl_block_device:s0
# limits Partitions
/dev/block/platform/soc/1d84000\.ufshc/by-name/limits u:object_r:limits_block_device:s0
/dev/block/platform/soc/1d84000\.ufshc/by-name/limits-cdsp u:object_r:limits_block_device:s0

64
sepolicy/vendor/hal_bootctl.te vendored
View file

@ -1,64 +0,0 @@
# Copyright (c) 2018, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# These are the permissions required to use the boot_control HAL implemented
# here: hardware/qcom/bootctrl/boot_control.c
# Getting and setting GPT attributes for the bootloader iterates over all the
# partition names in the block_device directory /dev/block/.../by-name
allow hal_bootctl block_device:dir r_dir_perms;
# Edit the attributes stored in the GPT.
allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
allow hal_bootctl root_block_device:blk_file rw_file_perms;
# Allow boot_control_hal to get attributes on all the A/B partitions.
allow hal_bootctl boot_block_device:blk_file rw_file_perms;
allow hal_bootctl ab_block_device:blk_file getattr;
allow hal_bootctl xbl_block_device:blk_file getattr;
allow hal_bootctl modem_block_device:blk_file getattr;
allow hal_bootctl system_block_device:blk_file getattr;
allow hal_bootctl custom_ab_block_device:blk_file getattr;
allow hal_bootctl recovery_block_device:blk_file getattr;
allow hal_bootctl mdtp_device:blk_file getattr;
allow hal_bootctl_server misc_block_device:blk_file rw_file_perms;
# Access /dev/sgN devices (generic SCSI) to write the
# A/B slot selection for the XBL partition. Allow also to issue a
# UFS_IOCTL_QUERY ioctl.
allow hal_bootctl sg_device:chr_file rw_file_perms;
# The sys_rawio denial message is benign, and shows up due to a capability()
# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
# does not result in a error
dontaudit hal_bootctl self:capability sys_rawio;
# Read the sysfs to lookup what /dev/sgN device
# corresponds to the XBL partitions.
allow hal_bootctl sysfs_scsi_target:dir r_dir_perms;
# Write to the XBL devices.
allow hal_bootctl xbl_block_device:blk_file rw_file_perms;

39
sepolicy/vendor/update_engine_common.te vendored
View file

@ -1,39 +0,0 @@
# Copyright (c) 2019, The Linux Foundation. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials provided
# with the distribution.
# * Neither the name of The Linux Foundation nor the names of its
# contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# Allow update_engine and update_engine_sideload (recovery) read/write on the
# device-specific partitions it should update.
allow update_engine_common {
custom_ab_block_device
xbl_block_device
ssd_block_device
modem_block_device
uefi_block_device
recovery_block_device
}:blk_file rw_file_perms;
allow update_engine_common tmpfs:lnk_file r_file_perms;

4
sepolicy/vendor/wlchgd.te vendored Normal file
View file

@ -0,0 +1,4 @@
type wlchgd, domain;
type wlchgd_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(wlchgd)