authorArian <arian.kulmer@web.de>2020-12-11 00:07:18 +0100
committerArian <arian.kulmer@web.de>2020-12-21 19:20:35 +0100
commitf12ef27cb9fc9f9cda9078230c5ab5b4ce0d4d93 (patch)
tree6578430d6f24122fc5904c34220cb205345ba28a
parentd3c930897d2429bedcfbd713dae369b53840f97b (diff)
shinano-common: Cleanup sepolicy
Change-Id: If615758376413b16fcc80addd03a9ba5cd388e8a
-rw-r--r--rootdir/Android.mk8
-rw-r--r--rootdir/bin/init.qcom-sensor.sh23
-rw-r--r--rootdir/etc/init.camera.rc31
-rw-r--r--rootdir/etc/init.qcom.rc29
-rw-r--r--sepolicy/adsprpcd.te7
-rw-r--r--sepolicy/audioserver.te3
-rw-r--r--sepolicy/bluetooth.te3
-rw-r--r--sepolicy/brcm_uim.te10
-rw-r--r--sepolicy/credmgrd.te21
-rw-r--r--sepolicy/dontaudit.te1
-rw-r--r--sepolicy/file.te29
-rw-r--r--sepolicy/file_contexts47
-rw-r--r--sepolicy/hal_bluetooth_default.te1
-rw-r--r--sepolicy/hal_lineage_touch_default.te4
-rw-r--r--sepolicy/hal_nfc_default.te (renamed from sepolicy/hal_nfc_defaul.te)2
-rw-r--r--sepolicy/hal_wifi_default.te3
-rw-r--r--sepolicy/hci_attach.te12
-rw-r--r--sepolicy/init.te13
-rw-r--r--sepolicy/ioctl_defines22
-rw-r--r--sepolicy/ioctl_macros25
-rw-r--r--sepolicy/keystore.te5
-rw-r--r--sepolicy/mediaserver.te11
-rw-r--r--sepolicy/mlog_qmi.te13
-rw-r--r--sepolicy/property.te5
-rw-r--r--sepolicy/property_contexts11
-rw-r--r--sepolicy/qseecomd.te23
-rw-r--r--sepolicy/rild.te2
-rw-r--r--sepolicy/scd.te8
-rw-r--r--sepolicy/sct.te3
-rw-r--r--sepolicy/sensors.te4
-rw-r--r--sepolicy/service_contexts5
-rw-r--r--sepolicy/tad.te14
-rw-r--r--sepolicy/tfa_amp.te10
-rw-r--r--sepolicy/uim.te22
-rw-r--r--sepolicy/vendor_init.te5
-rw-r--r--shinano.mk3
-rw-r--r--system_prop.mk2
37 files changed, 180 insertions, 260 deletions
diff --git a/rootdir/Android.mk b/rootdir/Android.mk
index b3314c4..d0d7d00 100644
--- a/rootdir/Android.mk
+++ b/rootdir/Android.mk
@@ -66,14 +66,6 @@ LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_EXECUTABLES)
include $(BUILD_PREBUILT)
include $(CLEAR_VARS)
-LOCAL_MODULE := init.qcom-sensor.sh
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_SRC_FILES := bin/init.qcom-sensor.sh
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_EXECUTABLES)
-include $(BUILD_PREBUILT)
-
-include $(CLEAR_VARS)
LOCAL_MODULE := tad_static
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_CLASS := BIN
diff --git a/rootdir/bin/init.qcom-sensor.sh b/rootdir/bin/init.qcom-sensor.sh
deleted file mode 100644
index 21d24c7..0000000
--- a/rootdir/bin/init.qcom-sensor.sh
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/system/bin/sh
-# Copyright (C) 2013 Sony Mobile Communications AB.
-
-#
-# Function to start sensors for DSPS enabled platforms
-#
-start_sensors()
-{
- if [ -c /dev/msm_dsps -o -c /dev/sensors ]; then
- chmod -h 775 /persist/sensors
- chmod -h 664 /persist/sensors/sensors_settings
- chown -h system.root /persist/sensors/sensors_settings
-
- mkdir -p /data/misc/sensors
- chmod -h 775 /data/misc/sensors
-
- echo 1 > /persist/sensors/settings
- start sensors
- fi
-}
-
-start_sensors
-
diff --git a/rootdir/etc/init.camera.rc b/rootdir/etc/init.camera.rc
index 7a6d857..ce77064 100644
--- a/rootdir/etc/init.camera.rc
+++ b/rootdir/etc/init.camera.rc
@@ -14,10 +14,6 @@
# limitations under the License.
#
-on early-fs
- wait /dev/block/mmcblk0p1
- class_start trimarea
-
on early-boot
#SONY early boot
start ta_qmi_service
@@ -48,10 +44,15 @@ on post-fs-data
mkdir /dev/socket/scd 0755 system system
mkdir /data/scd 0755 system system
+ # Change to socket location on libkeyctrl/suntory for /data encryption
+ # Create suntory data directory
+ mkdir /dev/socket/suntory 0755 system system
+ mkdir /data/suntory 0755 system system
+
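Review bot: The moved `mkdir /data/suntory 0755 system system` leaves a credential-manager data directory world-readable and world-searchable, while the neighbouring key stores created in this same file (`/data/persist/wv`, `/data/persist/marlin`) are 0700. SELinux labels it credmgrd_data_file per this change's file_contexts, but DAC is the only fallback if the label is ever wrong or the device boots permissive. Unless a non-system client has to traverse it, `mkdir /data/suntory 0700 system system` is the safer default; the socket directory can stay 0755. The enclosing `on post-fs-data` block starts before this hunk.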
on post-fs-data
# SONY: Start early TA-users
mkdir /data/etc 0755 root shell
- exec -- /vendor/bin/taimport
+ start taimport
# SONY: Create dir for Widevine keybox
mkdir /data/persist/wv 0700 system system
@@ -65,21 +66,27 @@ on post-fs-data
chmod 0660 /sys/devices/sony_camera_1/info
# SONY: Import MiscTA to System properties
- exec -- /vendor/bin/taimport property
+ start property_taimport
setprop init.taimport.ready true
# taimport ready, use this as trigger for multi-cdf-symlinker
service taimport /vendor/bin/taimport
- class late_start
- user root
+ user system
group system
oneshot
+ disabled
+
+service property_taimport /vendor/bin/taimport property
+ user system
+ group system
+ oneshot
+ disabled
# This script init /cache/CredentialManagerData if /data/credmgr doesn't meet our requirements
service initcredmgr /vendor/bin/credmgrfirstboot.sh
class late_start
- user root
- group root
+ user system
+ group system
oneshot
# When credmgrfirstboot is ready it set sys.credmgrdready=true.
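Review bot: `start property_taimport` returns as soon as the service is launched, yet the next command `setprop init.taimport.ready true` is documented as the trigger for multi-cdf-symlinker, so the ready flag is now raised before the property import has run; the replaced `exec -- /vendor/bin/taimport property` was synchronous. `exec_start property_taimport` keeps the service definition (user, group, domain transition) and blocks init until it exits, restoring the old ordering; the same consideration applies to `start taimport` in the earlier post-fs-data block if later commands depend on TA being imported. Dropping both taimport services and initcredmgr from root to system is a good change, but the tad domain they transition into (per file_contexts) only has `setgid`, so confirm the binaries no longer setuid. The surrounding `on post-fs-data` block begins before the hunk.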
@@ -102,7 +109,7 @@ service sct_service /vendor/bin/sct_service
# Trim Area QMI service
service ta_qmi_service /vendor/bin/ta_qmi_service
user system
- group system root net_raw wakelock
+ group system net_raw wakelock
disabled
service scd /vendor/bin/scd
@@ -126,7 +133,7 @@ on property:init.svc.servicemanager=restarting
service tad_static /vendor/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16
class core
user system
- group system root camera media
+ group system camera media
socket tad stream 0770 system system
service updatemiscta /vendor/bin/updatemiscta
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index 6fb9141..a815a3b 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -46,9 +46,6 @@ on init
write /sys/module/qpnp_rtc/parameters/poweron_alarm 1
- # Enable panic on out of memory
- write /proc/sys/vm/panic_on_oom 2
-
# Setup zram options
write /sys/block/zram0/comp_algorithm lz4
@@ -83,9 +80,6 @@ on early-boot
write /sys/kernel/boot_adsp/boot 1
- # Run pre_hw_config.sh before entering charge only mode.
- exec /system/bin/sh /system/etc/pre_hw_config.sh
-
on boot
write /sys/module/qpnp_power_on/parameters/forcecrash_on 1
@@ -223,10 +217,6 @@ on boot
# an ack packet comes out of order
write /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 1
- # Set the console loglevel to < KERN_INFO
- # Set the default message loglevel to KERN_INFO
- write /proc/sys/kernel/printk "6 6 1 7"
-
chown system /sys/devices/virtual/timed_output/vibrator/vtg_level
# charger
@@ -250,11 +240,6 @@ on boot
chown system system /sys/devices/virtual/input/max1187x/wakeup_gesture
on post-fs
- # Change to socket location on libkeyctrl/suntory for /data encryption
- # Create suntory data directory
- mkdir /dev/socket/suntory 0755 system system
- mkdir /data/suntory 0755 system system
-
# led RGB
chown system system /sys/class/leds/rgb/sync_state
chown system system /sys/class/leds/rgb/start_blink
@@ -360,10 +345,6 @@ on post-fs-data
# SONY: Create dir for marlin sdata
mkdir /data/persist/marlin 0700 system system
- # SONY: Create a dir for pin-cache components
- mkdir /data/pc 0600 radio radio
- mkdir /cache/pc 0770 radio system
-
on property:bluetooth.isEnabled=true
# start btwlancoex
write /sys/class/bluetooth/hci0/idle_timeout 7000
@@ -380,8 +361,7 @@ service qmuxd /vendor/bin/qmuxd
service netmgrd /vendor/bin/netmgrd
class late_start
user root
- group root wifi wakelock radio inet system
- seclabel u:r:netmgrd:s0
+ group root wifi wakelock radio inet oem_2950
on property:ro.radio.noril=true
stop ril-daemon
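Review bot: Removing `seclabel u:r:netmgrd:s0` from a `user root` service means its domain must now come from a domain transition on /vendor/bin/netmgrd, and this change's file_contexts does not label that binary. If the inherited common policy labels it netmgrd_exec with an init_daemon_domain transition that is fine, but if it does not, init refuses to start a service that would remain in init's domain, so please confirm where the transition lives. The new `oem_2950` group is a bare GID with no explanation; a comment such as `# oem_2950: <what it grants>` on the line above would help the next reader.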
@@ -447,17 +427,11 @@ service sensors /vendor/bin/sensors.qcom
user root
group root wakelock
-service qcom-sensor-sh /vendor/bin/init.qcom-sensor.sh
- class main
- user root
- oneshot
-
# HexagonDSP FastRPC daemon
service adsprpcd /vendor/bin/adsprpcd
class main
user media
group media
- seclabel u:r:adsprpcd:s0
service charger /system/bin/charger
class charger
@@ -503,7 +477,6 @@ service uim /vendor/bin/brcm-uim-sysfs
class late_start
user root
group bluetooth net_bt
- seclabel u:r:uim:s0
# Quick Charge
service hvdcp /vendor/bin/hvdcp
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
deleted file mode 100644
index 8dcef13..0000000
--- a/sepolicy/adsprpcd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# access to qseecom qdsp_device
-allow adsprpcd tee_device:chr_file rw_file_perms;
-allowxperm adsprpcd tee_device:chr_file ioctl qseecom_sock_ipc_ioctls;
-
-# access to qseecom qdsp_device
-allow adsprpcd qdsp_device:chr_file rw_file_perms;
-allowxperm adsprpcd qdsp_device:chr_file ioctl adsprpcd_ioctls;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
deleted file mode 100644
index 67f2692..0000000
--- a/sepolicy/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow audioserver tad_socket:sock_file write;
-allow audioserver tad:unix_stream_socket connectto;
-
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 1ae7ff4..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow bluetooth hci_attach_dev:chr_file { open read write };
-allow bluetooth ta_data_file:file { open read };
-allow bluetooth ta_data_file:dir { search };
diff --git a/sepolicy/brcm_uim.te b/sepolicy/brcm_uim.te
new file mode 100644
index 0000000..dbb84c4
--- /dev/null
+++ b/sepolicy/brcm_uim.te
@@ -0,0 +1,10 @@
+init_daemon_domain(brcm_uim)
+
+allow brcm_uim bluetooth_data_file:dir search;
+allow brcm_uim bluetooth_data_file:file r_file_perms;
+allow brcm_uim sysfs_bluetooth_writable:dir search;
+allow brcm_uim sysfs_bluetooth_writable:file rw_file_perms;
+allow brcm_uim serial_device:chr_file rw_file_perms;
+allow brcm_uim self:capability net_admin;
+
+get_prop(brcm_uim, bluetooth_prop)
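Review bot: `allow brcm_uim serial_device:chr_file rw_file_perms` grants unrestricted ioctl on every serial device, whereas the deleted uim domain limited the TTY ioctls to `TCGETS TCSETS TCFLSH TIOCSETD` plus one unidentified command via allowxperm. Because rw_file_perms includes ioctl and no allowxperm rule exists for this source/target pair, every ioctl command is now permitted, which is a step backwards from the old policy. Adding `allowxperm brcm_uim serial_device:chr_file ioctl { TCGETS TCSETS TCFLSH TIOCSETD };` (these names are defined in AOSP's shared ioctl_defines) keeps the line-discipline attach working while closing the rest; the old 0x55c8 entry should be identified before being re-added. Since the service runs as root, a one-line comment on why `self:capability net_admin` is needed would also be welcome.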
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..5d185e2
--- /dev/null
+++ b/sepolicy/credmgrd.te
@@ -0,0 +1,21 @@
+init_daemon_domain(credmgrd)
+
+allow credmgrd credmgrd_socket:dir rw_dir_perms;
+allow credmgrd credmgrd_socket:sock_file create_file_perms;
+allow credmgrd firmware_file:dir search;
+allow credmgrd firmware_file:file r_file_perms;
+allow credmgrd ion_device:chr_file rw_file_perms;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file rw_file_perms;
+allow credmgrd tee_device:chr_file rw_file_perms;
+allow credmgrd vendor_toolbox_exec:file rx_file_perms;
+
+allow credmgrd cache_file:dir create_dir_perms;
+allow credmgrd cache_file:file create_file_perms;
+
+# Needed to create /data/credmgr
+allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };
+allow credmgrd credmgrd_data_file:dir { create_dir_perms relabelto };
+allow credmgrd credmgrd_data_file:file create_file_perms;
+
+set_prop(credmgrd, credmgrd_prop)
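Review bot: `allow credmgrd system_data_file:dir { create_dir_perms relabelfrom }` gives the daemon create, write, rename, rmdir and relabel on every system_data_file directory — that is /data itself and most of its children — far more than the comment's "create /data/credmgr" needs. The usual pattern is to let init own the directory (`mkdir /data/credmgr 0700 system system` in the post-fs-data block, which picks up the credmgrd_data_file label from file_contexts and is already covered by the vendor_init rule in this change) and shrink this rule to `allow credmgrd system_data_file:dir search;`. If credmgrfirstboot.sh genuinely has to wipe and recreate the tree, it can do so entirely within the credmgrd_data_file permissions granted two lines below.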
diff --git a/sepolicy/dontaudit.te b/sepolicy/dontaudit.te
new file mode 100644
index 0000000..2ddef4b
--- /dev/null
+++ b/sepolicy/dontaudit.te
@@ -0,0 +1 @@
+dontaudit domain credmgrd_exec:file *;
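Review bot: `dontaudit domain credmgrd_exec:file *;` suppresses every audit message from every domain for the credmgr binaries, including an untrusted app attempting to execute or open them, so genuine policy gaps and probing attempts become invisible. A dontaudit should name the domain and permission that actually produce the noise; if it is stat() from path walkers, `dontaudit domain credmgrd_exec:file getattr;` is enough, and a comment above it quoting the observed denial lets the next maintainer revisit it. A blanket `*` on the file class also hides execute_no_trans and write attempts, which should never be silenced.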
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 89b414c..e119d27 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,29 @@
-# BRCM BT FM
-type brcm_ldisc_sysfs, sysfs_type, fs_type;
+# Bluetooth
+type brcm_uim, domain;
type brcm_uim_exec, exec_type, file_type;
+# Credential manager
+type credmgrd, domain;
+type credmgrd_exec, exec_type, file_type;
+type credmgrd_data_file, file_type, data_file_type, core_data_file_type;
+type credmgrd_socket, file_type;
+type credmgrd_firmware, file_type;
+
+# Modem
+type mlog_qmi, domain;
+type mlog_qmi_exec, exec_type, file_type;
+
+# SCD
+type scd, domain;
+type scd_exec, exec_type, file_type;
+type scd_data_file, file_type, data_file_type, core_data_file_type;
+
+# SCT
+type sct, domain;
+type sct_exec, exec_type, file_type;
+
+# Trim Area
+type tad, domain;
+type tad_socket, file_type;
+type ta_data_file, file_type;
+type tad_exec, exec_type, file_type;
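Review bot: `type credmgrd_firmware, file_type;` is declared but nothing in this change labels a path with it, and credmgrd.te reads `firmware_file` instead, so it appears to be a leftover; `ta_data_file` likewise has no file_contexts entry here once the bluetooth.te rules that used it were removed. Unused types compile but mislead readers into assuming a label is applied; either add the file_contexts line (presumably `/data/etc(/.*)?` for ta_data_file, given the `mkdir /data/etc` in init.camera.rc — to be confirmed) or drop the declaration.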
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a055d4e..d95a492 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,28 +1,47 @@
# Audio
-/dev/tfa98xx u:object_r:audio_device:s0
-/system/vendor/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0
+/dev/tfa98xx u:object_r:audio_device:s0
# Bluetooth
-/system/vendor/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
-
-# HCI
-/dev/ttyHS0 u:object_r:hci_attach_dev:s0
-/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
+/dev/brcm_bt_drv u:object_r:serial_device:s0
+/sys/devices/bcm4339\.82/rfkill/rfkill0(/.*)? u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bcm_ldisc(/.*)? u:object_r:sysfs_bluetooth_writable:s0
+/(vendor|system/vendor)/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
+
+# Camera flash
+/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0
+
+# Credential Manager
+/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
+/data/suntory(/.*)? u:object_r:credmgrd_data_file:s0
+/dev/socket/credmgr u:object_r:credmgrd_socket:s0
+/dev/socket/suntory(/.*)? u:object_r:credmgrd_socket:s0
+/(vendor|system/vendor)/bin/credmgrd u:object_r:credmgrd_exec:s0
+/(vendor|system/vendor)/bin/credmgrfirstboot\.sh u:object_r:credmgrd_exec:s0
+/(vendor|system/vendor)/bin/suntrold u:object_r:credmgrd_exec:s0
# Lineage hardware
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0
# Modem
-/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
+/(vendor|system/vendor)/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
# NFC
-/dev/pn547 u:object_r:nfc_device:s0
+/dev/pn547 u:object_r:nfc_device:s0
+
+# SCD
+/data/scd(/.*)? u:object_r:scd_data_file:s0
+/dev/socket/scd(/.*)? u:object_r:camera_socket:s0
+/(vendor|system/vendor)/bin/scd u:object_r:scd_exec:s0
-# Quick Charge
-/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0
+# SCT
+/(vendor|system/vendor)/bin/sct_service u:object_r:sct_exec:s0
# Trim Area daemon
-/system/vendor/bin/tad_static u:object_r:tad_exec:s0
+/dev/socket/tad u:object_r:tad_socket:s0
+/(vendor|system/vendor)/bin/tad_static u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/ta_qmi_service u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/taimport u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/updatemiscta u:object_r:tad_exec:s0
# WIFI
-/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
+/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
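Review bot: `credmgrfirstboot.sh` is labeled credmgrd_exec, so init transitions into credmgrd and the kernel then executes the script's interpreter from inside that domain; credmgrd.te grants only `vendor_toolbox_exec`, so this works only if the shebang is `#!/vendor/bin/sh`. The other script in this tree (the removed init.qcom-sensor.sh) used `#!/system/bin/sh`, which is shell_exec and not something a vendor domain is allowed to execute on Treble policies, so please confirm the shebang. Separately, relabeling `/dev/brcm_bt_drv` from a dedicated hci_attach_dev type to the generic serial_device means every domain that already has serial_device access reaches the BT driver; if that node should stay isolated from ordinary TTY users, keep a dedicated type.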
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..8c2646b
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+r_dir_file(hal_bluetooth_default, firmware_file)
diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te
index d76d54b..a3a2185 100644
--- a/sepolicy/hal_lineage_touch_default.te
+++ b/sepolicy/hal_lineage_touch_default.te
@@ -1,2 +1,2 @@
-allow hal_lineage_touch_default sysfs_touch:dir search;
-allow hal_lineage_touch_default sysfs_touch:file rw_file_perms;
+allow hal_lineage_touch_default sysfs_securetouch:dir search;
+allow hal_lineage_touch_default sysfs_securetouch:file rw_file_perms;
diff --git a/sepolicy/hal_nfc_defaul.te b/sepolicy/hal_nfc_default.te
index da1a6c7..de6dea4 100644
--- a/sepolicy/hal_nfc_defaul.te
+++ b/sepolicy/hal_nfc_default.te
@@ -1,2 +1,2 @@
-allow hal_nfc_default nfc_data_file:dir rw_dir_perms;
+allow hal_nfc_default nfc_data_file:dir search;
allow hal_nfc_default nfc_data_file:file create_file_perms;
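Review bot: The new `allow hal_nfc_default nfc_data_file:dir search;` no longer allows adding or removing entries in the directory, but the untouched line below still grants `nfc_data_file:file create_file_perms`; creating a file also needs `dir { add_name write }` (and unlink needs remove_name), so the create permission can never succeed. Either the HAL only opens existing files, in which case the second line should become `allow hal_nfc_default nfc_data_file:file rw_file_perms;`, or it creates them and the dir rule has to stay rw_dir_perms. AOSP's hal_nfc attribute already grants dir and file create on nfc_data_file on recent bases, so both lines may be redundant — worth checking before tuning them.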
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
index 83649e5..d0e52d6 100644
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@@ -1,2 +1 @@
-allow hal_wifi_default firmware_file:dir r_dir_perms;
-allow hal_wifi_default firmware_file:file r_file_perms;
+r_dir_file(hal_wifi_default, firmware_file)
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
deleted file mode 100644
index 02ce60c..0000000
--- a/sepolicy/hci_attach.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type hci_attach, domain;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-set_prop(hci_attach, wifi_prop)
-
-allow hci_attach bluetooth_data_file:dir search;
-allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach hci_attach_exec:file execute_no_trans;
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index bda5e8b..0000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# FM BCM
-allow init hci_attach_dev:chr_file rw_file_perms;
-allow init brcm_uim_exec:file { execute getattr read open };
-allow init brcm_ldisc_sysfs:lnk_file { read };
-allow init uim:process { siginh noatsecure transition rlimitinh };
-allow init tmpfs:lnk_file { relabelfrom };
-
-# adsprpcd access to qseecom and qdsp_device
-allow init tee_device:chr_file rw_file_perms;
-allow init qdsp_device:chr_file rw_file_perms;
-
-# Touch
-allow init sysfs_touch:file setattr;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
deleted file mode 100644
index 58c1243..0000000
--- a/sepolicy/ioctl_defines
+++ /dev/null
@@ -1,22 +0,0 @@
-# socket ioctls defined in the kernel in ? --> BT
-define(`TCGETS', `0x00005401')
-define(`TCSETS', `0x00005402')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCSETD', `0x00005423')
-define(`IOCTLUNKNOWN', `0x000055c8')
-
-# ioctls for audio dsp defined in kernel in include/linux/msm_adsp.h
-define(`ADSP_IOCTL_ENABLE', `0x00005201')
-define(`ADSP_IOCTL_DISABLE', `0x00005202')
-define(`ADSP_IOCTL_DISABLE_ACK', `0x00005203')
-define(`ADSP_IOCTL_WRITE_COMMAND', `0x00005204')
-define(`ADSP_IOCTL_GET_EVENT', `0x00005205')
-define(`ADSP_IOCTL_SET_CLKRATE', `0x00005206')
-define(`ADSP_IOCTL_DISABLE_EVENT_RSP', `0x0000520a')
-define(`ADSP_IOCTL_REGISTER_PMEM', `0x0000520d')
-define(`ADSP_IOCTL_UNREGISTER_PMEM', `0x0000520e')
-define(`ADSP_IOCTL_ABORT_EVENT_READ', `0x0000520f')
-define(`ADSP_IOCTL_LINK_TASK', `0x00005210')
-
-# ioctls for mlog_qmi; extracted from the log
-define(`MLOG_QMI_UNKNOWN', `0x0000c304')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
deleted file mode 100644
index 6756faf..0000000
--- a/sepolicy/ioctl_macros
+++ /dev/null
@@ -1,25 +0,0 @@
-define(`uim_sock_ipc_ioctls', `{
-TCGETS
-TCSETS
-TCFLSH
-TIOCSETD
-IOCTLUNKNOWN
-}')
-
-define(`adsprpcd_ioctls', `{
-ADSP_IOCTL_ENABLE
-ADSP_IOCTL_DISABLE
-ADSP_IOCTL_DISABLE_ACK
-ADSP_IOCTL_WRITE_COMMAND
-ADSP_IOCTL_GET_EVENT
-ADSP_IOCTL_SET_CLKRATE
-ADSP_IOCTL_DISABLE_EVENT_RSP
-ADSP_IOCTL_REGISTER_PMEM
-ADSP_IOCTL_UNREGISTER_PMEM
-ADSP_IOCTL_ABORT_EVENT_READ
-ADSP_IOCTL_LINK_TASK
-}')
-
-define(`mlog_qmi_ioctls', `{
-MLOG_QMI_UNKNOWN
-}')
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
deleted file mode 100644
index 8c2f6d1..0000000
--- a/sepolicy/keystore.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore firmware_file:file r_file_perms;
-allow keystore tee_prop:file { getattr open read };
-
-allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..a722e75
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,11 @@
+allow mediaserver credmgrd_socket:sock_file rw_file_perms;
+allow mediaserver credmgrd:unix_stream_socket connectto;
+allow mediaserver mm-qcamerad:unix_stream_socket connectto;
+allow mediaserver sensorservice_service:service_manager find;
+allow mediaserver sysfs_battery_supply:dir search;
+allow mediaserver sysfs_battery_supply:file r_file_perms;
+allow mediaserver sysfs_graphics:dir search;
+allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms;
+allow mediaserver system_server:unix_stream_socket rw_socket_perms;
+
+hal_client_domain(mediaserver, hal_configstore)
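Review bot: `allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms` gives mediaserver write access to every node labeled sysfs_graphics — a type that typically covers display and backlight sysfs entries — apparently only to drive the pm8941 flash that file_contexts maps to the same type. A dedicated label for the flash nodes (for example `sysfs_camera_flash`, with the `/sys/devices/pm8941-flash-[0-9]+(/.*)?` entry moved to it and only that type granted here) would limit what a compromised mediaserver can touch. `system_server:unix_stream_socket rw_socket_perms` also deserves a comment naming the socket it is for.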
diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te
index ed983fb..0b25daa 100644
--- a/sepolicy/mlog_qmi.te
+++ b/sepolicy/mlog_qmi.te
@@ -1,16 +1,3 @@
-type mlog_qmi, domain;
-type mlog_qmi_exec, exec_type, file_type;
-
-# Started by init
init_daemon_domain(mlog_qmi)
-allow mlog_qmi self:capability { net_raw net_bind_service };
allow mlog_qmi self:socket create_socket_perms;
-# NOTE: using self:socket for the ioctl results in a denial
-allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls;
-
-# Access to /dev/smem_log
-allow mlog_qmi smem_log_device:chr_file rw_file_perms;
-
-# qseecom
-allow mlog_qmi tee_device:chr_file rw_file_perms;
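Review bot: Removing `allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls` while keeping `self:socket create_socket_perms` loosens the domain: with no allowxperm rule for the pair, the ioctl permission inside create_socket_perms permits every ioctl command, whereas before only 0xc304 was allowed. If the restriction is still wanted, keep it inline now that ioctl_macros is gone — `allowxperm mlog_qmi mlog_qmi:socket ioctl { 0xc304 };`. If the daemon no longer needs ioctl at all, narrow create_socket_perms instead of relying on the xperm removal.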
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..bb7e318
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,5 @@
+# Credential Manager
+type credmgrd_prop, property_type;
+
+# Trim Area
+type ta_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..413ed3c
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,11 @@
+# Camera
+hw.camera.0.status. u:object_r:camera_prop:s0
+hw.camera.1.status. u:object_r:camera_prop:s0
+
+# Credential Manager
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+
+# Trim Area
+persist.tareset. u:object_r:ta_prop:s0
+ro.semc.version. u:object_r:ta_prop:s0
+ro.sony. u:object_r:ta_prop:s0
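Review bot: `ro.semc.version.` and `ro.sony.` become ta_prop here, but the only reader granted in this change is `get_prop(sensors, ta_prop)`; the deleted rild.te rule stated that rild reads ro.semc.*, and nothing replaces it (reading a property of a given type is a file read on its /dev/__properties__ node, so ro.* is not automatically readable). Unless the common policy already carries `get_prop(rild, ta_prop)`, RIL will be denied the property. Also note `sys.credmgrdready` has no trailing dot, so it is a prefix match on any `sys.credmgrdready*` name; acceptable for a single flag but worth a comment.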
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
deleted file mode 100644
index e3375cf..0000000
--- a/sepolicy/qseecomd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
- setuid
- setgid
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-binder_use(tee)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-
-set_prop(tee, tee_prop)
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
deleted file mode 100644
index 5178ce8..0000000
--- a/sepolicy/rild.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow rild read to ro.semc
-allow rild ta_prop:file { read open getattr };
diff --git a/sepolicy/scd.te b/sepolicy/scd.te
new file mode 100644
index 0000000..6207541
--- /dev/null
+++ b/sepolicy/scd.te
@@ -0,0 +1,8 @@
+init_daemon_domain(scd)
+
+allow scd scd_data_file:dir create_dir_perms;
+allow scd scd_data_file:file create_file_perms;
+allow scd sysfs_rtc:dir search;
+allow scd sysfs_rtc:file r_file_perms;
+allow scd camera_socket:dir rw_dir_perms;
+allow scd camera_socket:sock_file create_file_perms;
diff --git a/sepolicy/sct.te b/sepolicy/sct.te
new file mode 100644
index 0000000..93d1ea4
--- /dev/null
+++ b/sepolicy/sct.te
@@ -0,0 +1,3 @@
+init_daemon_domain(sct)
+
+allow sct self:socket create_socket_perms;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..06defff
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,4 @@
+allow sensors tad:unix_stream_socket connectto;
+allow sensors tad_socket:sock_file rw_file_perms;
+
+get_prop(sensors, ta_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
deleted file mode 100644
index e3d7dcf..0000000
--- a/sepolicy/service_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
-media.cameraextension u:object_r:mediaserver_service:s0
-
-#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
-media.cacao u:object_r:mediaserver_service:s0
diff --git a/sepolicy/tad.te b/sepolicy/tad.te
new file mode 100644
index 0000000..496dc9f
--- /dev/null
+++ b/sepolicy/tad.te
@@ -0,0 +1,14 @@
+init_daemon_domain(tad)
+
+allow tad block_device:dir search;
+allow tad proc_stat:file r_file_perms;
+allow tad self:capability setgid;
+allow tad self:socket create_socket_perms;
+allow tad self:unix_stream_socket create_socket_perms;
+allow tad tad_block_device:blk_file rw_file_perms;
+allow tad tad_socket:sock_file rw_file_perms;
+allow tad sysfs_wake_lock:file rw_file_perms;
+
+allowxperm tad tad_block_device:blk_file ioctl BLKGETSIZE;
+
+set_prop(tad, ta_prop)
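Review bot: Four distinct binaries — tad_static, ta_qmi_service, taimport and updatemiscta — are mapped to the single tad domain by file_contexts, so the QMI service and the property importer inherit raw `tad_block_device:blk_file rw_file_perms` on the TA partition even though, judging by the command line in init.camera.rc, only tad_static opens it directly. Giving taimport its own domain (it appears to need tad socket client access and set_prop, not the block device) would keep the partition writer minimal. The `allowxperm ... ioctl BLKGETSIZE` restriction is exactly the right granularity; `wakelock_use(tad)` is the AOSP macro for the sysfs_wake_lock rule if this base provides it.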
diff --git a/sepolicy/tfa_amp.te b/sepolicy/tfa_amp.te
deleted file mode 100644
index ca64588..0000000
--- a/sepolicy/tfa_amp.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type tfa_amp, domain;
-type tfa_amp_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(tfa_amp)
-
-allow tfa_amp self:capability dac_override;
-
-# Access to /dev/tfa98xx
-allow tfa_amp audio_device:chr_file rw_file_perms;
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
deleted file mode 100644
index 6f8b30e..0000000
--- a/sepolicy/uim.te
+++ /dev/null
@@ -1,22 +0,0 @@
-type uim, domain;
-
-rw_dir_file(uim, sysfs)
-rw_dir_file(uim, brcm_ldisc_sysfs)
-rw_dir_file(uim, bluetooth_data_file)
-rw_dir_file(uim, sysfs_bluetooth_writable)
-allow uim brcm_uim_exec:file { entrypoint getattr read execute };
-allow uim self:capability { net_admin dac_override };
-allow uim rootfs:lnk_file getattr;
-allow uim ta_data_file:dir search;
-allow uim bluetooth_prop:sock_file write;
-allow uim ta_data_file:file r_file_perms;
-allow uim hci_attach_dev:chr_file ioctl;
-
-# Access to qseecomd
-allow uim tee_device:chr_file rw_file_perms;
-
-# Access to serial port
-allow uim hci_attach_dev:chr_file rw_file_perms;
-allowxperm uim hci_attach_dev:chr_file ioctl uim_sock_ipc_ioctls;
-
-get_prop(uim, bluetooth_prop)
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ae03077
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init tad_block_device:blk_file setattr;
+allow vendor_init {
+ credmgrd_data_file
+ scd_data_file
+}:dir create_dir_perms;
diff --git a/shinano.mk b/shinano.mk
index d54cde9..ab26b87 100644
--- a/shinano.mk
+++ b/shinano.mk
@@ -141,8 +141,7 @@ PRODUCT_PACKAGES += \
ueventd.qcom.rc
PRODUCT_PACKAGES += \
- credmgrfirstboot.sh \
- init.qcom-sensor.sh
+ credmgrfirstboot.sh
# Include BCM Wifi
$(call inherit-product-if-exists, hardware/broadcom/wlan/bcmdhd/config/config-bcm.mk)
diff --git a/system_prop.mk b/system_prop.mk
index 386b800..cca1a3b 100644
--- a/system_prop.mk
+++ b/system_prop.mk
@@ -50,7 +50,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
PRODUCT_PROPERTY_OVERRIDES += \
bluetooth.a2dp.sink.enabled=false \
ro.bluetooth.hfp.ver=1.6 \
- ro.bt.bdaddr_path="/data/etc/bluetooth_bdaddr" \
+ ro.bt.bdaddr_path="/data/vendor/bluetooth/bluetooth_bdaddr" \
ro.rfkilldisabled=1
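Review bot: The new `ro.bt.bdaddr_path` points at /data/vendor/bluetooth/bluetooth_bdaddr, but nothing in this change creates that file: the old /data/etc location was presumably populated through the TA import path, and the tad domain gets no bluetooth_data_file write rule while brcm_uim only gets read on it. If no other tool writes the new path (the truncated `# macaddrsetup` section hints at one), the stack will fall back to a random address. Please confirm which process writes it and that its domain may create files there, and add a comment next to the property naming that writer.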
# macaddrsetup