author | Arian <arian.kulmer@web.de> | 2020-12-11 00:07:18 +0100 |
---|---|---|
committer | Arian <arian.kulmer@web.de> | 2020-12-21 19:20:35 +0100 |
commit | f12ef27cb9fc9f9cda9078230c5ab5b4ce0d4d93 (patch) | |
tree | 6578430d6f24122fc5904c34220cb205345ba28a /sepolicy | |
parent | d3c930897d2429bedcfbd713dae369b53840f97b (diff) |
shinano-common: Cleanup sepolicy
Change-Id: If615758376413b16fcc80addd03a9ba5cd388e8a
Diffstat (limited to 'sepolicy')
31 files changed, 158 insertions, 186 deletions
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
deleted file mode 100644
index 8dcef13..0000000
--- a/sepolicy/adsprpcd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# access to qseecom qdsp_device
-allow adsprpcd tee_device:chr_file rw_file_perms;
-allowxperm adsprpcd tee_device:chr_file ioctl qseecom_sock_ipc_ioctls;
-
-# access to qseecom qdsp_device
-allow adsprpcd qdsp_device:chr_file rw_file_perms;
-allowxperm adsprpcd qdsp_device:chr_file ioctl adsprpcd_ioctls;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
deleted file mode 100644
index 67f2692..0000000
--- a/sepolicy/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow audioserver tad_socket:sock_file write;
-allow audioserver tad:unix_stream_socket connectto;
-
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 1ae7ff4..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow bluetooth hci_attach_dev:chr_file { open read write };
-allow bluetooth ta_data_file:file { open read };
-allow bluetooth ta_data_file:dir { search };
diff --git a/sepolicy/brcm_uim.te b/sepolicy/brcm_uim.te
new file mode 100644
index 0000000..dbb84c4
--- /dev/null
+++ b/sepolicy/brcm_uim.te
@@ -0,0 +1,10 @@
+init_daemon_domain(brcm_uim)
+
+allow brcm_uim bluetooth_data_file:dir search;
+allow brcm_uim bluetooth_data_file:file r_file_perms;
+allow brcm_uim sysfs_bluetooth_writable:dir search;
+allow brcm_uim sysfs_bluetooth_writable:file rw_file_perms;
+allow brcm_uim serial_device:chr_file rw_file_perms;
+allow brcm_uim self:capability net_admin;
+
+get_prop(brcm_uim, bluetooth_prop)
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..5d185e2
--- /dev/null
+++ b/sepolicy/credmgrd.te
@@ -0,0 +1,21 @@
+init_daemon_domain(credmgrd)
+
+allow credmgrd credmgrd_socket:dir rw_dir_perms;
+allow credmgrd credmgrd_socket:sock_file create_file_perms;
+allow credmgrd firmware_file:dir search;
+allow credmgrd firmware_file:file r_file_perms;
+allow credmgrd ion_device:chr_file rw_file_perms;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file rw_file_perms;
+allow credmgrd tee_device:chr_file rw_file_perms;
+allow credmgrd vendor_toolbox_exec:file rx_file_perms;
+
+allow credmgrd cache_file:dir create_dir_perms;
+allow credmgrd cache_file:file create_file_perms;
+
+# Needed to create /data/credmgr
+allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };
+allow credmgrd credmgrd_data_file:dir { create_dir_perms relabelto };
+allow credmgrd credmgrd_data_file:file create_file_perms;
+
+set_prop(credmgrd, credmgrd_prop)
diff --git a/sepolicy/dontaudit.te b/sepolicy/dontaudit.te
new file mode 100644
index 0000000..2ddef4b
--- /dev/null
+++ b/sepolicy/dontaudit.te
@@ -0,0 +1 @@
+dontaudit domain credmgrd_exec:file *;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 89b414c..e119d27 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
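Review bot: In credmgrd.te, `allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };` lets the daemon create, rename and remove directories under anything labelled system_data_file, although the comment only asks for creating /data/credmgr. This commit already labels `/data/credmgr(/.*)?` as credmgrd_data_file and gives vendor_init `create_dir_perms` on that type, so the directory can presumably be created by init with the correct label and this rule, together with `relabelfrom`/`relabelto`, dropped. If it must stay, reduce it to the permissions the denial log actually shows and extend the comment, e.g. `# /data/credmgr is created by the daemon itself on first boot; remove once init creates it`. The grant on `vendor_toolbox_exec:file rx_file_perms` also has no comment saying which tool the daemon runs.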
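Review bot: `dontaudit domain credmgrd_exec:file *;` in dontaudit.te suppresses every denial from every domain against the credential-manager executables, so an unexpected attempt to read, execute or relabel them never reaches the audit log. Name the domain and permission that produce the noise instead, for example `dontaudit <noisy_domain> credmgrd_exec:file getattr;` (placeholder domain), and add a comment stating which denial is being hidden. file_contexts in this commit also labels credmgrfirstboot.sh and suntrold as credmgrd_exec, so the blanket rule covers those files as well.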
@@ -1,4 +1,29 @@ -# BRCM BT FM -type brcm_ldisc_sysfs, sysfs_type, fs_type; +# Bluetooth +type brcm_uim, domain; type brcm_uim_exec, exec_type, file_type; +# Credential manager +type credmgrd, domain; +type credmgrd_exec, exec_type, file_type; +type credmgrd_data_file, file_type, data_file_type, core_data_file_type; +type credmgrd_socket, file_type; +type credmgrd_firmware, file_type; + +# Modem +type mlog_qmi, domain; +type mlog_qmi_exec, exec_type, file_type; + +# SCD +type scd, domain; +type scd_exec, exec_type, file_type; +type scd_data_file, file_type, data_file_type, core_data_file_type; + +# SCT +type sct, domain; +type sct_exec, exec_type, file_type; + +# Trim Area +type tad, domain; +type tad_socket, file_type; +type ta_data_file, file_type; +type tad_exec, exec_type, file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index a055d4e..d95a492 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts 
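Review bot: `credmgrd_firmware` and `ta_data_file` are declared in file.te, but nothing else in this diff references them: credmgrd.te uses `firmware_file`, no file_contexts entry carries either label, and the rules that used ta_data_file (bluetooth.te, uim.te) are deleted by this commit. Drop the two types or add the labels and rules that need them, since unused types make later audits of the policy harder. `core_data_file_type` on credmgrd_data_file and scd_data_file marks vendor daemon data as core data; confirm that is intended, because core/vendor data separation rules key on that attribute. Declaring domain types in file.te rather than next to their rules also deserves a one-line comment at the top of the file.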
@@ -1,28 +1,47 @@ # Audio -/dev/tfa98xx u:object_r:audio_device:s0 -/system/vendor/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0 +/dev/tfa98xx u:object_r:audio_device:s0 # Bluetooth -/system/vendor/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0 - -# HCI -/dev/ttyHS0 u:object_r:hci_attach_dev:s0 -/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0 +/dev/brcm_bt_drv u:object_r:serial_device:s0 +/sys/devices/bcm4339\.82/rfkill/rfkill0(/.*)? u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/platform/bcm_ldisc(/.*)? u:object_r:sysfs_bluetooth_writable:s0 +/(vendor|system/vendor)/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0 + +# Camera flash +/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0 + +# Credential Manager +/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0 +/data/suntory(/.*)? u:object_r:credmgrd_data_file:s0 +/dev/socket/credmgr u:object_r:credmgrd_socket:s0 +/dev/socket/suntory(/.*)? u:object_r:credmgrd_socket:s0 +/(vendor|system/vendor)/bin/credmgrd u:object_r:credmgrd_exec:s0 +/(vendor|system/vendor)/bin/credmgrfirstboot\.sh u:object_r:credmgrd_exec:s0 +/(vendor|system/vendor)/bin/suntrold u:object_r:credmgrd_exec:s0 # Lineage hardware -/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0 # Modem -/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0 +/(vendor|system/vendor)/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0 # NFC -/dev/pn547 u:object_r:nfc_device:s0 +/dev/pn547 u:object_r:nfc_device:s0 + +# SCD +/data/scd(/.*)? u:object_r:scd_data_file:s0 +/dev/socket/scd(/.*)? 
u:object_r:camera_socket:s0 +/(vendor|system/vendor)/bin/scd u:object_r:scd_exec:s0 -# Quick Charge -/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0 +# SCT +/(vendor|system/vendor)/bin/sct_service u:object_r:sct_exec:s0 # Trim Area daemon -/system/vendor/bin/tad_static u:object_r:tad_exec:s0 +/dev/socket/tad u:object_r:tad_socket:s0 +/(vendor|system/vendor)/bin/tad_static u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/ta_qmi_service u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/taimport u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/updatemiscta u:object_r:tad_exec:s0 # WIFI -/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0 +/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0 diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te new file mode 100644 index 0000000..8c2646b --- /dev/null +++ b/sepolicy/hal_bluetooth_default.te @@ -0,0 +1 @@ +r_dir_file(hal_bluetooth_default, firmware_file) diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te index d76d54b..a3a2185 100644 --- a/sepolicy/hal_lineage_touch_default.te +++ b/sepolicy/hal_lineage_touch_default.te @@ -1,2 +1,2 @@ -allow hal_lineage_touch_default sysfs_touch:dir search; -allow hal_lineage_touch_default sysfs_touch:file rw_file_perms; +allow hal_lineage_touch_default sysfs_securetouch:dir search; +allow hal_lineage_touch_default sysfs_securetouch:file rw_file_perms; diff --git a/sepolicy/hal_nfc_defaul.te b/sepolicy/hal_nfc_default.te index da1a6c7..de6dea4 100644 --- a/sepolicy/hal_nfc_defaul.te +++ b/sepolicy/hal_nfc_default.te @@ -1,2 +1,2 @@ -allow hal_nfc_default nfc_data_file:dir rw_dir_perms; +allow hal_nfc_default nfc_data_file:dir search; allow hal_nfc_default nfc_data_file:file create_file_perms; diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te index 83649e5..d0e52d6 100644 --- a/sepolicy/hal_wifi_default.te +++ b/sepolicy/hal_wifi_default.te 
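Review bot: In file_contexts, `/dev/brcm_bt_drv` is now labelled `serial_device` and `/dev/socket/scd(/.*)?` `camera_socket`, both shared types, so every domain already allowed on those types gains access to the Bluetooth driver node and the scd socket, and brcm_uim and scd gain access to every other object carrying those labels. A device-specific type, as the removed `hci_attach_dev` was, keeps the grant scoped to this hardware. The same applies to `/sys/devices/pm8941-flash-[0-9]+(/.*)?` becoming `sysfs_graphics`, which mediaserver.te in this commit makes writable. Four binaries (tad_static, ta_qmi_service, taimport, updatemiscta) share `tad_exec` and three share `credmgrd_exec`; a comment should say that running them all in one domain is deliberate.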
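Review bot: In hal_nfc_default.te the directory rule is reduced to `allow hal_nfc_default nfc_data_file:dir search;` while the unchanged context line keeps `nfc_data_file:file create_file_perms`. Creating or unlinking a file also needs `write`, `add_name` and `remove_name` on the directory, so unless another policy file grants those, the create half of the file rule can no longer take effect. If the HAL only opens existing files, tighten the file rule to `allow hal_nfc_default nfc_data_file:file rw_file_perms;`; if it still creates them, the directory rule needs those permissions back.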
@@ -1,2 +1 @@
-allow hal_wifi_default firmware_file:dir r_dir_perms;
-allow hal_wifi_default firmware_file:file r_file_perms;
+r_dir_file(hal_wifi_default, firmware_file)
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
deleted file mode 100644
index 02ce60c..0000000
--- a/sepolicy/hci_attach.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type hci_attach, domain;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-set_prop(hci_attach, wifi_prop)
-
-allow hci_attach bluetooth_data_file:dir search;
-allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach hci_attach_exec:file execute_no_trans;
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index bda5e8b..0000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# FM BCM
-allow init hci_attach_dev:chr_file rw_file_perms;
-allow init brcm_uim_exec:file { execute getattr read open };
-allow init brcm_ldisc_sysfs:lnk_file { read };
-allow init uim:process { siginh noatsecure transition rlimitinh };
-allow init tmpfs:lnk_file { relabelfrom };
-
-# adsprpcd access to qseecom and qdsp_device
-allow init tee_device:chr_file rw_file_perms;
-allow init qdsp_device:chr_file rw_file_perms;
-
-# Touch
-allow init sysfs_touch:file setattr;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
deleted file mode 100644
index 58c1243..0000000
--- a/sepolicy/ioctl_defines
+++ /dev/null
@@ -1,22 +0,0 @@
-# socket ioctls defined in the kernel in ? --> BT
-define(`TCGETS', `0x00005401')
-define(`TCSETS', `0x00005402')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCSETD', `0x00005423')
-define(`IOCTLUNKNOWN', `0x000055c8')
-
-# ioctls for audio dsp defined in kernel in include/linux/msm_adsp.h
-define(`ADSP_IOCTL_ENABLE', `0x00005201')
-define(`ADSP_IOCTL_DISABLE', `0x00005202')
-define(`ADSP_IOCTL_DISABLE_ACK', `0x00005203')
-define(`ADSP_IOCTL_WRITE_COMMAND', `0x00005204')
-define(`ADSP_IOCTL_GET_EVENT', `0x00005205')
-define(`ADSP_IOCTL_SET_CLKRATE', `0x00005206')
-define(`ADSP_IOCTL_DISABLE_EVENT_RSP', `0x0000520a')
-define(`ADSP_IOCTL_REGISTER_PMEM', `0x0000520d')
-define(`ADSP_IOCTL_UNREGISTER_PMEM', `0x0000520e')
-define(`ADSP_IOCTL_ABORT_EVENT_READ', `0x0000520f')
-define(`ADSP_IOCTL_LINK_TASK', `0x00005210')
-
-# ioctls for mlog_qmi; extracted from the log
-define(`MLOG_QMI_UNKNOWN', `0x0000c304')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
deleted file mode 100644
index 6756faf..0000000
--- a/sepolicy/ioctl_macros
+++ /dev/null
@@ -1,25 +0,0 @@
-define(`uim_sock_ipc_ioctls', `{
-TCGETS
-TCSETS
-TCFLSH
-TIOCSETD
-IOCTLUNKNOWN
-}')
-
-define(`adsprpcd_ioctls', `{
-ADSP_IOCTL_ENABLE
-ADSP_IOCTL_DISABLE
-ADSP_IOCTL_DISABLE_ACK
-ADSP_IOCTL_WRITE_COMMAND
-ADSP_IOCTL_GET_EVENT
-ADSP_IOCTL_SET_CLKRATE
-ADSP_IOCTL_DISABLE_EVENT_RSP
-ADSP_IOCTL_REGISTER_PMEM
-ADSP_IOCTL_UNREGISTER_PMEM
-ADSP_IOCTL_ABORT_EVENT_READ
-ADSP_IOCTL_LINK_TASK
-}')
-
-define(`mlog_qmi_ioctls', `{
-MLOG_QMI_UNKNOWN
-}')
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
deleted file mode 100644
index 8c2f6d1..0000000
--- a/sepolicy/keystore.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore firmware_file:file r_file_perms;
-allow keystore tee_prop:file { getattr open read };
-
-allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te new file mode 100644 index 0000000..a722e75 --- /dev/null +++ b/sepolicy/mediaserver.te @@ -0,0 +1,11 @@ +allow mediaserver credmgrd_socket:sock_file rw_file_perms; +allow mediaserver credmgrd:unix_stream_socket connectto; +allow mediaserver mm-qcamerad:unix_stream_socket connectto; +allow mediaserver sensorservice_service:service_manager find; +allow mediaserver sysfs_battery_supply:dir search; +allow mediaserver sysfs_battery_supply:file r_file_perms; +allow mediaserver sysfs_graphics:dir search; +allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms; +allow mediaserver system_server:unix_stream_socket rw_socket_perms; + +hal_client_domain(mediaserver, hal_configstore) diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te index ed983fb..0b25daa 100644 --- a/sepolicy/mlog_qmi.te +++ b/sepolicy/mlog_qmi.te @@ -1,16 +1,3 @@ -type mlog_qmi, domain; -type mlog_qmi_exec, exec_type, file_type; - -# Started by init init_daemon_domain(mlog_qmi) -allow mlog_qmi self:capability { net_raw net_bind_service }; allow mlog_qmi self:socket create_socket_perms; -# NOTE: using self:socket for the ioctl results in a denial -allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls; - -# Access to /dev/smem_log -allow mlog_qmi smem_log_device:chr_file rw_file_perms; - -# qseecom -allow mlog_qmi tee_device:chr_file rw_file_perms; diff --git a/sepolicy/property.te b/sepolicy/property.te new file mode 100644 index 0000000..bb7e318 --- /dev/null +++ b/sepolicy/property.te @@ -0,0 +1,5 @@ +# Credential Manager +type credmgrd_prop, property_type; + +# Trim Area +type ta_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts new file mode 100644 index 0000000..413ed3c --- /dev/null +++ b/sepolicy/property_contexts 
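Review bot: mediaserver.te adds nine rules without a single comment for a domain that parses untrusted media, including `connectto` on the credmgrd socket, `rw_socket_perms` on system_server's unix_stream_socket, and write access to sysfs_graphics. Each group should carry a comment naming the feature or denial that requires it, so a later reviewer can tell which grants are still needed. `allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms;` also gives write on symlinks, which following a link does not require; splitting it into `allow mediaserver sysfs_graphics:file rw_file_perms;` and `allow mediaserver sysfs_graphics:lnk_file read;` would likely be enough, to be confirmed against the denial log. Because file_contexts in this commit relabels the pm8941 flash nodes as sysfs_graphics, the write grant reaches those nodes too.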
@@ -0,0 +1,11 @@
+# Camera
+hw.camera.0.status. u:object_r:camera_prop:s0
+hw.camera.1.status. u:object_r:camera_prop:s0
+
+# Credential Manager
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+
+# Trim Area
+persist.tareset. u:object_r:ta_prop:s0
+ro.semc.version. u:object_r:ta_prop:s0
+ro.sony. u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
deleted file mode 100644
index e3375cf..0000000
--- a/sepolicy/qseecomd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
- setuid
- setgid
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-binder_use(tee)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-
-set_prop(tee, tee_prop)
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
deleted file mode 100644
index 5178ce8..0000000
--- a/sepolicy/rild.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow rild read to ro.semc
-allow rild ta_prop:file { read open getattr };
diff --git a/sepolicy/scd.te b/sepolicy/scd.te
new file mode 100644
index 0000000..6207541
--- /dev/null
+++ b/sepolicy/scd.te
@@ -0,0 +1,8 @@
+init_daemon_domain(scd)
+
+allow scd scd_data_file:dir create_dir_perms;
+allow scd scd_data_file:file create_file_perms;
+allow scd sysfs_rtc:dir search;
+allow scd sysfs_rtc:file r_file_perms;
+allow scd camera_socket:dir rw_dir_perms;
+allow scd camera_socket:sock_file create_file_perms;
diff --git a/sepolicy/sct.te b/sepolicy/sct.te
new file mode 100644
index 0000000..93d1ea4
--- /dev/null
+++ b/sepolicy/sct.te
@@ -0,0 +1,3 @@
+init_daemon_domain(sct)
+
+allow sct self:socket create_socket_perms;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..06defff
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,4 @@
+allow sensors tad:unix_stream_socket connectto;
+allow sensors tad_socket:sock_file rw_file_perms;
+
+get_prop(sensors, ta_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
deleted file mode 100644
index e3d7dcf..0000000
--- a/sepolicy/service_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
-media.cameraextension u:object_r:mediaserver_service:s0
-
-#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
-media.cacao u:object_r:mediaserver_service:s0
diff --git a/sepolicy/tad.te b/sepolicy/tad.te
new file mode 100644
index 0000000..496dc9f
--- /dev/null
+++ b/sepolicy/tad.te
@@ -0,0 +1,14 @@
+init_daemon_domain(tad)
+
+allow tad block_device:dir search;
+allow tad proc_stat:file r_file_perms;
+allow tad self:capability setgid;
+allow tad self:socket create_socket_perms;
+allow tad self:unix_stream_socket create_socket_perms;
+allow tad tad_block_device:blk_file rw_file_perms;
+allow tad tad_socket:sock_file rw_file_perms;
+allow tad sysfs_wake_lock:file rw_file_perms;
+
+allowxperm tad tad_block_device:blk_file ioctl BLKGETSIZE;
+
+set_prop(tad, ta_prop)
diff --git a/sepolicy/tfa_amp.te b/sepolicy/tfa_amp.te
deleted file mode 100644
index ca64588..0000000
--- a/sepolicy/tfa_amp.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type tfa_amp, domain;
-type tfa_amp_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(tfa_amp)
-
-allow tfa_amp self:capability dac_override;
-
-# Access to /dev/tfa98xx
-allow tfa_amp audio_device:chr_file rw_file_perms;
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
deleted file mode 100644
index 6f8b30e..0000000
--- a/sepolicy/uim.te
+++ /dev/null
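Review bot: tad.te grants `allow tad tad_block_device:blk_file rw_file_perms;` and `set_prop(tad, ta_prop)` to a domain that, per file_contexts in this commit, is entered from four different binaries (tad_static, ta_qmi_service, taimport, updatemiscta), assuming init starts each of them. If only tad_static needs raw access to the trim-area partition, the helper tools should get their own exec type and domain and reach the data through tad_socket instead. `tad_block_device` is neither declared nor labelled anywhere in this diff, so a comment such as `# tad_block_device is declared and labelled in <other policy dir>` (placeholder path) would tell readers where to look. `self:capability setgid` also has no comment explaining the privilege drop it supports.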
@@ -1,22 +0,0 @@
-type uim, domain;
-
-rw_dir_file(uim, sysfs)
-rw_dir_file(uim, brcm_ldisc_sysfs)
-rw_dir_file(uim, bluetooth_data_file)
-rw_dir_file(uim, sysfs_bluetooth_writable)
-allow uim brcm_uim_exec:file { entrypoint getattr read execute };
-allow uim self:capability { net_admin dac_override };
-allow uim rootfs:lnk_file getattr;
-allow uim ta_data_file:dir search;
-allow uim bluetooth_prop:sock_file write;
-allow uim ta_data_file:file r_file_perms;
-allow uim hci_attach_dev:chr_file ioctl;
-
-# Access to qseecomd
-allow uim tee_device:chr_file rw_file_perms;
-
-# Access to serial port
-allow uim hci_attach_dev:chr_file rw_file_perms;
-allowxperm uim hci_attach_dev:chr_file ioctl uim_sock_ipc_ioctls;
-
-get_prop(uim, bluetooth_prop)
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ae03077
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init tad_block_device:blk_file setattr;
+allow vendor_init {
+ credmgrd_data_file
+ scd_data_file
+}:dir create_dir_perms; |