From f12ef27cb9fc9f9cda9078230c5ab5b4ce0d4d93 Mon Sep 17 00:00:00 2001 
From: Arian Date: Fri, 11 Dec 2020 00:07:18 +0100 Subject: shinano-common: Cleanup sepolicy Change-Id: If615758376413b16fcc80addd03a9ba5cd388e8a --- rootdir/Android.mk | 8 ------ rootdir/bin/init.qcom-sensor.sh | 23 ----------------- rootdir/etc/init.camera.rc | 31 ++++++++++++++--------- rootdir/etc/init.qcom.rc | 29 +-------------------- sepolicy/adsprpcd.te | 7 ------ sepolicy/audioserver.te | 3 --- sepolicy/bluetooth.te | 3 --- sepolicy/brcm_uim.te | 10 ++++++++ sepolicy/credmgrd.te | 21 ++++++++++++++++ sepolicy/dontaudit.te | 1 + sepolicy/file.te | 29 +++++++++++++++++++-- sepolicy/file_contexts | 47 ++++++++++++++++++++++++----------- sepolicy/hal_bluetooth_default.te | 1 + sepolicy/hal_lineage_touch_default.te | 4 +-- sepolicy/hal_nfc_defaul.te | 2 -- sepolicy/hal_nfc_default.te | 2 ++ sepolicy/hal_wifi_default.te | 3 +-- sepolicy/hci_attach.te | 12 --------- sepolicy/init.te | 13 ---------- sepolicy/ioctl_defines | 22 ---------------- sepolicy/ioctl_macros | 25 ------------------- sepolicy/keystore.te | 5 ---- sepolicy/mediaserver.te | 11 ++++++++ sepolicy/mlog_qmi.te | 13 ---------- sepolicy/property.te | 5 ++++ sepolicy/property_contexts | 11 ++++++++ sepolicy/qseecomd.te | 23 ----------------- sepolicy/rild.te | 2 -- sepolicy/scd.te | 8 ++++++ sepolicy/sct.te | 3 +++ sepolicy/sensors.te | 4 +++ sepolicy/service_contexts | 5 ---- sepolicy/tad.te | 14 +++++++++++ sepolicy/tfa_amp.te | 10 -------- sepolicy/uim.te | 22 ---------------- sepolicy/vendor_init.te | 5 ++++ shinano.mk | 3 +-- system_prop.mk | 2 +- 38 files changed, 181 insertions(+), 261 deletions(-) delete mode 100644 rootdir/bin/init.qcom-sensor.sh delete mode 100644 sepolicy/adsprpcd.te delete mode 100644 sepolicy/audioserver.te delete mode 100644 sepolicy/bluetooth.te create mode 100644 sepolicy/brcm_uim.te create mode 100644 sepolicy/credmgrd.te create mode 100644 sepolicy/dontaudit.te create mode 100644 sepolicy/hal_bluetooth_default.te delete mode 100644 sepolicy/hal_nfc_defaul.te create 
mode 100644 sepolicy/hal_nfc_default.te
delete mode 100644 sepolicy/hci_attach.te
delete mode 100644 sepolicy/init.te
delete mode 100644 sepolicy/ioctl_defines
delete mode 100644 sepolicy/ioctl_macros
delete mode 100644 sepolicy/keystore.te
create mode 100644 sepolicy/mediaserver.te
create mode 100644 sepolicy/property.te
create mode 100644 sepolicy/property_contexts
delete mode 100644 sepolicy/qseecomd.te
delete mode 100644 sepolicy/rild.te
create mode 100644 sepolicy/scd.te
create mode 100644 sepolicy/sct.te
create mode 100644 sepolicy/sensors.te
delete mode 100644 sepolicy/service_contexts
create mode 100644 sepolicy/tad.te
delete mode 100644 sepolicy/tfa_amp.te
delete mode 100644 sepolicy/uim.te
create mode 100644 sepolicy/vendor_init.te
diff --git a/rootdir/Android.mk b/rootdir/Android.mk
index b3314c4..d0d7d00 100644
--- a/rootdir/Android.mk
+++ b/rootdir/Android.mk
@@ -65,14 +65,6 @@ LOCAL_SRC_FILES := bin/credmgrfirstboot.sh
 LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_EXECUTABLES)
 include $(BUILD_PREBUILT)
 
-include $(CLEAR_VARS)
-LOCAL_MODULE := init.qcom-sensor.sh
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_CLASS := EXECUTABLES
-LOCAL_SRC_FILES := bin/init.qcom-sensor.sh
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR_EXECUTABLES)
-include $(BUILD_PREBUILT)
-
 include $(CLEAR_VARS)
 LOCAL_MODULE := tad_static
 LOCAL_MODULE_TAGS := optional
diff --git a/rootdir/bin/init.qcom-sensor.sh b/rootdir/bin/init.qcom-sensor.sh
deleted file mode 100644
index 21d24c7..0000000
--- a/rootdir/bin/init.qcom-sensor.sh
+++ /dev/null
@@ -1,23 +0,0 @@ -#!/system/bin/sh -# Copyright (C) 2013 Sony Mobile Communications AB. - -# -# Function to start sensors for DSPS enabled platforms -# -start_sensors() -{ - if [ -c /dev/msm_dsps -o -c /dev/sensors ]; then - chmod -h 775 /persist/sensors - chmod -h 664 /persist/sensors/sensors_settings - chown -h system.root /persist/sensors/sensors_settings - - mkdir -p /data/misc/sensors - chmod -h 775 /data/misc/sensors - - echo 1 > /persist/sensors/settings - start sensors - fi -} - -start_sensors - diff --git a/rootdir/etc/init.camera.rc b/rootdir/etc/init.camera.rc index 7a6d857..ce77064 100644 --- a/rootdir/etc/init.camera.rc +++ b/rootdir/etc/init.camera.rc @@ -14,10 +14,6 @@ # limitations under the License. # -on early-fs - wait /dev/block/mmcblk0p1 - class_start trimarea - on early-boot #SONY early boot start ta_qmi_service @@ -48,10 +44,15 @@ on post-fs-data mkdir /dev/socket/scd 0755 system system mkdir /data/scd 0755 system system + # Change to socket location on libkeyctrl/suntory for /data encryption + # Create suntory data directory + mkdir /dev/socket/suntory 0755 system system + mkdir /data/suntory 0755 system system + on post-fs-data # SONY: Start early TA-users mkdir /data/etc 0755 root shell - exec -- /vendor/bin/taimport + start taimport # SONY: Create dir for Widevine keybox mkdir /data/persist/wv 0700 system system 
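Review bot: Replacing `exec -- /vendor/bin/taimport` with `start taimport` turns a synchronous step into an asynchronous one: `exec` holds init until the command exits, while `start` returns as soon as the service is launched, so the `mkdir /data/persist/wv` that follows here — and, in the next hunk of this file, `setprop init.taimport.ready true` right after `start property_taimport` — can now run before the import has finished. The comment in that hunk says the property is the trigger for multi-cdf-symlinker, so a consumer can observe "ready" while MiscTA properties are still being written. Init's `exec_start <service>` keeps the new `disabled` service definitions and their non-root user/group while preserving the old ordering, i.e. `exec_start taimport` here and `exec_start property_taimport` before the setprop. If the ordering is intentionally relaxed, a comment stating that the readiness property is now best-effort would stop the next reader from relying on it.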
@@ -65,21 +66,27 @@ on post-fs-data chmod 0660 /sys/devices/sony_camera_1/info # SONY: Import MiscTA to System properties - exec -- /vendor/bin/taimport property + start property_taimport setprop init.taimport.ready true # taimport ready, use this as trigger for multi-cdf-symlinker service taimport /vendor/bin/taimport - class late_start - user root + user system group system oneshot + disabled + +service property_taimport /vendor/bin/taimport property + user system + group system + oneshot + disabled # This script init /cache/CredentialManagerData if /data/credmgr doesn't meet our requirements service initcredmgr /vendor/bin/credmgrfirstboot.sh class late_start - user root - group root + user system + group system oneshot # When credmgrfirstboot is ready it set sys.credmgrdready=true. @@ -102,7 +109,7 @@ service sct_service /vendor/bin/sct_service # Trim Area QMI service service ta_qmi_service /vendor/bin/ta_qmi_service user system - group system root net_raw wakelock + group system net_raw wakelock disabled service scd /vendor/bin/scd @@ -126,7 +133,7 @@ on property:init.svc.servicemanager=restarting service tad_static /vendor/bin/tad_static /dev/block/bootdevice/by-name/TA 0,16 class core user system - group system root camera media + group system camera media socket tad stream 0770 system system service updatemiscta /vendor/bin/updatemiscta diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc index 6fb9141..a815a3b 100644 --- a/rootdir/etc/init.qcom.rc +++ b/rootdir/etc/init.qcom.rc @@ -46,9 +46,6 @@ on init write /sys/module/qpnp_rtc/parameters/poweron_alarm 1 - # Enable panic on out of memory - write /proc/sys/vm/panic_on_oom 2 - # Setup zram options write /sys/block/zram0/comp_algorithm lz4 @@ -83,9 +80,6 @@ on early-boot write /sys/kernel/boot_adsp/boot 1 - # Run pre_hw_config.sh before entering charge only mode. - exec /system/bin/sh /system/etc/pre_hw_config.sh - on boot write /sys/module/qpnp_power_on/parameters/forcecrash_on 1 
@@ -223,10 +217,6 @@ on boot # an ack packet comes out of order write /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal 1 - # Set the console loglevel to < KERN_INFO - # Set the default message loglevel to KERN_INFO - write /proc/sys/kernel/printk "6 6 1 7" - chown system /sys/devices/virtual/timed_output/vibrator/vtg_level # charger @@ -250,11 +240,6 @@ on boot chown system system /sys/devices/virtual/input/max1187x/wakeup_gesture on post-fs - # Change to socket location on libkeyctrl/suntory for /data encryption - # Create suntory data directory - mkdir /dev/socket/suntory 0755 system system - mkdir /data/suntory 0755 system system - # led RGB chown system system /sys/class/leds/rgb/sync_state chown system system /sys/class/leds/rgb/start_blink @@ -360,10 +345,6 @@ on post-fs-data # SONY: Create dir for marlin sdata mkdir /data/persist/marlin 0700 system system - # SONY: Create a dir for pin-cache components - mkdir /data/pc 0600 radio radio - mkdir /cache/pc 0770 radio system - on property:bluetooth.isEnabled=true # start btwlancoex write /sys/class/bluetooth/hci0/idle_timeout 7000 @@ -380,8 +361,7 @@ service qmuxd /vendor/bin/qmuxd service netmgrd /vendor/bin/netmgrd class late_start user root - group root wifi wakelock radio inet system - seclabel u:r:netmgrd:s0 + group root wifi wakelock radio inet oem_2950 on property:ro.radio.noril=true stop ril-daemon @@ -447,17 +427,11 @@ service sensors /vendor/bin/sensors.qcom user root group root wakelock -service qcom-sensor-sh /vendor/bin/init.qcom-sensor.sh - class main - user root - oneshot - # HexagonDSP FastRPC daemon service adsprpcd /vendor/bin/adsprpcd class main user media group media - seclabel u:r:adsprpcd:s0 service charger /system/bin/charger class charger @@ -503,7 +477,6 @@ service uim /vendor/bin/brcm-uim-sysfs class late_start user root group bluetooth net_bt - seclabel u:r:uim:s0 # Quick Charge service hvdcp /vendor/bin/hvdcp 
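Review bot: The `seclabel u:r:adsprpcd:s0` line is removed from the adsprpcd service (and `seclabel u:r:netmgrd:s0` from netmgrd two hunks earlier) while the same commit deletes sepolicy/adsprpcd.te and the rewritten file_contexts labels neither /vendor/bin/adsprpcd nor /vendor/bin/netmgrd. Without a seclabel, init only starts a service whose executable label carries a domain transition, so the adsprpcd and netmgrd domains, their init_daemon_domain rules and the exec labels must now come from a policy outside this tree — worth confirming, since a missing domain makes init refuse to start the service. For uim the replacement is visible in this commit (brcm_uim.te adds `init_daemon_domain(brcm_uim)` and file_contexts labels brcm-uim-sysfs as brcm_uim_exec), so only the other two are in question. A comment above the adsprpcd service such as `# domain and exec label come from the common qcom sepolicy — confirm` would record the dependency.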
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
deleted file mode 100644
index 8dcef13..0000000
--- a/sepolicy/adsprpcd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# access to qseecom qdsp_device
-allow adsprpcd tee_device:chr_file rw_file_perms;
-allowxperm adsprpcd tee_device:chr_file ioctl qseecom_sock_ipc_ioctls;
-
-# access to qseecom qdsp_device
-allow adsprpcd qdsp_device:chr_file rw_file_perms;
-allowxperm adsprpcd qdsp_device:chr_file ioctl adsprpcd_ioctls;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
deleted file mode 100644
index 67f2692..0000000
--- a/sepolicy/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow audioserver tad_socket:sock_file write;
-allow audioserver tad:unix_stream_socket connectto;
-
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 1ae7ff4..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow bluetooth hci_attach_dev:chr_file { open read write };
-allow bluetooth ta_data_file:file { open read };
-allow bluetooth ta_data_file:dir { search };
diff --git a/sepolicy/brcm_uim.te b/sepolicy/brcm_uim.te
new file mode 100644
index 0000000..dbb84c4
--- /dev/null
+++ b/sepolicy/brcm_uim.te
@@ -0,0 +1,10 @@
+init_daemon_domain(brcm_uim)
+
+allow brcm_uim bluetooth_data_file:dir search;
+allow brcm_uim bluetooth_data_file:file r_file_perms;
+allow brcm_uim sysfs_bluetooth_writable:dir search;
+allow brcm_uim sysfs_bluetooth_writable:file rw_file_perms;
+allow brcm_uim serial_device:chr_file rw_file_perms;
+allow brcm_uim self:capability net_admin;
+
+get_prop(brcm_uim, bluetooth_prop)
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..5d185e2
--- /dev/null
+++ b/sepolicy/credmgrd.te
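Review bot: `allow brcm_uim serial_device:chr_file rw_file_perms;` gives the UIM daemon read/write — and, because rw_file_perms includes ioctl, unrestricted ioctls — on every node labeled serial_device, whereas the deleted uim.te confined it to the dedicated hci_attach_dev type and narrowed ioctls with `allowxperm uim hci_attach_dev:chr_file ioctl uim_sock_ipc_ioctls` (TCGETS, TCSETS, TCFLSH, TIOCSETD plus one unidentified value). The widening is forced by the file_contexts hunk relabeling `/dev/brcm_bt_drv` to serial_device, so the tighter fix is to keep a device-specific type for that node and grant brcm_uim only that; if the shared type is kept, the ioctl surface can still be restricted with `allowxperm brcm_uim serial_device:chr_file ioctl { TCGETS TCSETS TCFLSH TIOCSETD };`, provided those names are available from the global ioctl_defines now that the local copy is deleted. Either way a comment naming the node, e.g. `# /dev/brcm_bt_drv`, would explain why a Bluetooth daemon needs a serial device at all.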
@@ -0,0 +1,21 @@
+init_daemon_domain(credmgrd)
+
+allow credmgrd credmgrd_socket:dir rw_dir_perms;
+allow credmgrd credmgrd_socket:sock_file create_file_perms;
+allow credmgrd firmware_file:dir search;
+allow credmgrd firmware_file:file r_file_perms;
+allow credmgrd ion_device:chr_file rw_file_perms;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file rw_file_perms;
+allow credmgrd tee_device:chr_file rw_file_perms;
+allow credmgrd vendor_toolbox_exec:file rx_file_perms;
+
+allow credmgrd cache_file:dir create_dir_perms;
+allow credmgrd cache_file:file create_file_perms;
+
+# Needed to create /data/credmgr
+allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };
+allow credmgrd credmgrd_data_file:dir { create_dir_perms relabelto };
+allow credmgrd credmgrd_data_file:file create_file_perms;
+
+set_prop(credmgrd, credmgrd_prop)
diff --git a/sepolicy/dontaudit.te b/sepolicy/dontaudit.te
new file mode 100644
index 0000000..2ddef4b
--- /dev/null
+++ b/sepolicy/dontaudit.te
@@ -0,0 +1 @@
+dontaudit domain credmgrd_exec:file *;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 89b414c..e119d27 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
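Review bot: `allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };` lets the daemon create, remove and relabel directories anywhere under /data that still carries the default system_data_file label, far more than the `/data/credmgr` the comment names. This commit already takes the narrower route for the sibling directory: init.camera.rc does `mkdir /data/suntory 0755 system system`, file_contexts labels `/data/suntory(/.*)?` as credmgrd_data_file and vendor_init.te grants vendor_init `credmgrd_data_file:dir create_dir_perms`; an equivalent `mkdir /data/credmgr` in the rc would let the system_data_file rule and the relabelfrom/relabelto pair go, leaving `allow credmgrd credmgrd_data_file:dir create_dir_perms;`. Whether credmgrfirstboot.sh depends on creating the directory itself is not visible here, so confirm before dropping; if the relabel must stay, the comment should name the path that is relabeled and why.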
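Review bot: `dontaudit domain credmgrd_exec:file *;` suppresses the audit record for every permission from every domain on the credmgrd binaries, so a genuine denial — another domain attempting to execute or write credmgrfirstboot.sh, for instance — would leave no trace in the log. dontaudit rules are normally scoped to the single domain and permission that produce the known harmless noise; if that is, say, getattr from one domain, `dontaudit <noisy_domain> credmgrd_exec:file getattr;` with a comment quoting the denial it silences keeps everything else visible. Combining `domain` with `*` is the widest form a dontaudit can take and hides exactly the events a policy review depends on.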
@@ -1,4 +1,29 @@
-# BRCM BT FM
-type brcm_ldisc_sysfs, sysfs_type, fs_type;
+# Bluetooth
+type brcm_uim, domain;
 type brcm_uim_exec, exec_type, file_type;
 
+# Credential manager
+type credmgrd, domain;
+type credmgrd_exec, exec_type, file_type;
+type credmgrd_data_file, file_type, data_file_type, core_data_file_type;
+type credmgrd_socket, file_type;
+type credmgrd_firmware, file_type;
+
+# Modem
+type mlog_qmi, domain;
+type mlog_qmi_exec, exec_type, file_type;
+
+# SCD
+type scd, domain;
+type scd_exec, exec_type, file_type;
+type scd_data_file, file_type, data_file_type, core_data_file_type;
+
+# SCT
+type sct, domain;
+type sct_exec, exec_type, file_type;
+
+# Trim Area
+type tad, domain;
+type tad_socket, file_type;
+type ta_data_file, file_type;
+type tad_exec, exec_type, file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a055d4e..d95a492 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
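Review bot: `type ta_data_file, file_type;` and `type credmgrd_firmware, file_type;` are declared but, as far as this patch shows, never used: the bluetooth.te and uim.te rules that referenced ta_data_file are deleted in this same commit, no .te file here names credmgrd_firmware (credmgrd reads firmware as firmware_file), and the rewritten file_contexts assigns neither label to any path. Conversely `tad_block_device`, which tad.te and vendor_init.te rely on, is declared neither in this file (the hunk covers all 29 lines of it) nor labeled in this file_contexts, so it presumably comes from a policy outside this tree. Unused types do not break the build, but they suggest a label is applied somewhere when it is not; drop them or annotate each with its consumer, e.g. `# tad_block_device is declared in <external policy — confirm>` next to the Trim Area group.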
@@ -1,28 +1,47 @@ # Audio -/dev/tfa98xx u:object_r:audio_device:s0 -/system/vendor/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0 +/dev/tfa98xx u:object_r:audio_device:s0 # Bluetooth -/system/vendor/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0 - -# HCI -/dev/ttyHS0 u:object_r:hci_attach_dev:s0 -/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0 +/dev/brcm_bt_drv u:object_r:serial_device:s0 +/sys/devices/bcm4339\.82/rfkill/rfkill0(/.*)? u:object_r:sysfs_bluetooth_writable:s0 +/sys/devices/platform/bcm_ldisc(/.*)? u:object_r:sysfs_bluetooth_writable:s0 +/(vendor|system/vendor)/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0 + +# Camera flash +/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0 + +# Credential Manager +/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0 +/data/suntory(/.*)? u:object_r:credmgrd_data_file:s0 +/dev/socket/credmgr u:object_r:credmgrd_socket:s0 +/dev/socket/suntory(/.*)? u:object_r:credmgrd_socket:s0 +/(vendor|system/vendor)/bin/credmgrd u:object_r:credmgrd_exec:s0 +/(vendor|system/vendor)/bin/credmgrfirstboot\.sh u:object_r:credmgrd_exec:s0 +/(vendor|system/vendor)/bin/suntrold u:object_r:credmgrd_exec:s0 # Lineage hardware -/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0 # Modem -/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0 +/(vendor|system/vendor)/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0 # NFC -/dev/pn547 u:object_r:nfc_device:s0 +/dev/pn547 u:object_r:nfc_device:s0 + +# SCD +/data/scd(/.*)? u:object_r:scd_data_file:s0 +/dev/socket/scd(/.*)? 
u:object_r:camera_socket:s0 +/(vendor|system/vendor)/bin/scd u:object_r:scd_exec:s0 -# Quick Charge -/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0 +# SCT +/(vendor|system/vendor)/bin/sct_service u:object_r:sct_exec:s0 # Trim Area daemon -/system/vendor/bin/tad_static u:object_r:tad_exec:s0 +/dev/socket/tad u:object_r:tad_socket:s0 +/(vendor|system/vendor)/bin/tad_static u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/ta_qmi_service u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/taimport u:object_r:tad_exec:s0 +/(vendor|system/vendor)/bin/updatemiscta u:object_r:tad_exec:s0 # WIFI -/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0 +/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0 diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te new file mode 100644 index 0000000..8c2646b --- /dev/null +++ b/sepolicy/hal_bluetooth_default.te @@ -0,0 +1 @@ +r_dir_file(hal_bluetooth_default, firmware_file) diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te index d76d54b..a3a2185 100644 --- a/sepolicy/hal_lineage_touch_default.te +++ b/sepolicy/hal_lineage_touch_default.te @@ -1,2 +1,2 @@ -allow hal_lineage_touch_default sysfs_touch:dir search; -allow hal_lineage_touch_default sysfs_touch:file rw_file_perms; +allow hal_lineage_touch_default sysfs_securetouch:dir search; +allow hal_lineage_touch_default sysfs_securetouch:file rw_file_perms; diff --git a/sepolicy/hal_nfc_defaul.te b/sepolicy/hal_nfc_defaul.te deleted file mode 100644 index da1a6c7..0000000 --- a/sepolicy/hal_nfc_defaul.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_nfc_default nfc_data_file:dir rw_dir_perms; -allow hal_nfc_default nfc_data_file:file create_file_perms; diff --git a/sepolicy/hal_nfc_default.te b/sepolicy/hal_nfc_default.te new file mode 100644 index 0000000..de6dea4 --- /dev/null +++ b/sepolicy/hal_nfc_default.te 
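Review bot: `/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0` reuses a broad core label for the camera flash nodes, and the new mediaserver.te then grants `sysfs_graphics:{ file lnk_file } rw_file_perms`, so mediaserver gains write access to every sysfs node carrying that label rather than just the flash controls. A device-specific type for this path (e.g. `type sysfs_camera_flash, sysfs_type, fs_type;` in file.te — name constructed), with mediaserver granted rw on that type only, keeps the grant to the nodes it actually needs. Separately, the `/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0` entry is removed while init.qcom.rc still defines `service hvdcp /vendor/bin/hvdcp` (visible as context in that file's last hunk); unless another file_contexts labels the binary, init will refuse to start the service for lack of a domain.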
@@ -0,0 +1,2 @@
+allow hal_nfc_default nfc_data_file:dir search;
+allow hal_nfc_default nfc_data_file:file create_file_perms;
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
index 83649e5..d0e52d6 100644
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@@ -1,2 +1 @@
-allow hal_wifi_default firmware_file:dir r_dir_perms;
-allow hal_wifi_default firmware_file:file r_file_perms;
+r_dir_file(hal_wifi_default, firmware_file)
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
deleted file mode 100644
index 02ce60c..0000000
--- a/sepolicy/hci_attach.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type hci_attach, domain;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-set_prop(hci_attach, wifi_prop)
-
-allow hci_attach bluetooth_data_file:dir search;
-allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach hci_attach_exec:file execute_no_trans;
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index bda5e8b..0000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# FM BCM
-allow init hci_attach_dev:chr_file rw_file_perms;
-allow init brcm_uim_exec:file { execute getattr read open };
-allow init brcm_ldisc_sysfs:lnk_file { read };
-allow init uim:process { siginh noatsecure transition rlimitinh };
-allow init tmpfs:lnk_file { relabelfrom };
-
-# adsprpcd access to qseecom and qdsp_device
-allow init tee_device:chr_file rw_file_perms;
-allow init qdsp_device:chr_file rw_file_perms;
-
-# Touch
-allow init sysfs_touch:file setattr;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
deleted file mode 100644
index 58c1243..0000000
--- a/sepolicy/ioctl_defines
+++ /dev/null
@@ -1,22 +0,0 @@
-# socket ioctls defined in the kernel in ? --> BT
-define(`TCGETS', `0x00005401')
-define(`TCSETS', `0x00005402')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCSETD', `0x00005423')
-define(`IOCTLUNKNOWN', `0x000055c8')
-
-# ioctls for audio dsp defined in kernel in include/linux/msm_adsp.h
-define(`ADSP_IOCTL_ENABLE', `0x00005201')
-define(`ADSP_IOCTL_DISABLE', `0x00005202')
-define(`ADSP_IOCTL_DISABLE_ACK', `0x00005203')
-define(`ADSP_IOCTL_WRITE_COMMAND', `0x00005204')
-define(`ADSP_IOCTL_GET_EVENT', `0x00005205')
-define(`ADSP_IOCTL_SET_CLKRATE', `0x00005206')
-define(`ADSP_IOCTL_DISABLE_EVENT_RSP', `0x0000520a')
-define(`ADSP_IOCTL_REGISTER_PMEM', `0x0000520d')
-define(`ADSP_IOCTL_UNREGISTER_PMEM', `0x0000520e')
-define(`ADSP_IOCTL_ABORT_EVENT_READ', `0x0000520f')
-define(`ADSP_IOCTL_LINK_TASK', `0x00005210')
-
-# ioctls for mlog_qmi; extracted from the log
-define(`MLOG_QMI_UNKNOWN', `0x0000c304')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
deleted file mode 100644
index 6756faf..0000000
--- a/sepolicy/ioctl_macros
+++ /dev/null
@@ -1,25 +0,0 @@
-define(`uim_sock_ipc_ioctls', `{
-TCGETS
-TCSETS
-TCFLSH
-TIOCSETD
-IOCTLUNKNOWN
-}')
-
-define(`adsprpcd_ioctls', `{
-ADSP_IOCTL_ENABLE
-ADSP_IOCTL_DISABLE
-ADSP_IOCTL_DISABLE_ACK
-ADSP_IOCTL_WRITE_COMMAND
-ADSP_IOCTL_GET_EVENT
-ADSP_IOCTL_SET_CLKRATE
-ADSP_IOCTL_DISABLE_EVENT_RSP
-ADSP_IOCTL_REGISTER_PMEM
-ADSP_IOCTL_UNREGISTER_PMEM
-ADSP_IOCTL_ABORT_EVENT_READ
-ADSP_IOCTL_LINK_TASK
-}')
-
-define(`mlog_qmi_ioctls', `{
-MLOG_QMI_UNKNOWN
-}')
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
deleted file mode 100644
index 8c2f6d1..0000000
--- a/sepolicy/keystore.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore firmware_file:file r_file_perms;
-allow keystore tee_prop:file { getattr open read };
-
-allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te new file mode 100644 index 0000000..a722e75 --- /dev/null +++ b/sepolicy/mediaserver.te @@ -0,0 +1,11 @@ +allow mediaserver credmgrd_socket:sock_file rw_file_perms; +allow mediaserver credmgrd:unix_stream_socket connectto; +allow mediaserver mm-qcamerad:unix_stream_socket connectto; +allow mediaserver sensorservice_service:service_manager find; +allow mediaserver sysfs_battery_supply:dir search; +allow mediaserver sysfs_battery_supply:file r_file_perms; +allow mediaserver sysfs_graphics:dir search; +allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms; +allow mediaserver system_server:unix_stream_socket rw_socket_perms; + +hal_client_domain(mediaserver, hal_configstore) diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te index ed983fb..0b25daa 100644 --- a/sepolicy/mlog_qmi.te +++ b/sepolicy/mlog_qmi.te @@ -1,16 +1,3 @@ -type mlog_qmi, domain; -type mlog_qmi_exec, exec_type, file_type; - -# Started by init init_daemon_domain(mlog_qmi) -allow mlog_qmi self:capability { net_raw net_bind_service }; allow mlog_qmi self:socket create_socket_perms; -# NOTE: using self:socket for the ioctl results in a denial -allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls; - -# Access to /dev/smem_log -allow mlog_qmi smem_log_device:chr_file rw_file_perms; - -# qseecom -allow mlog_qmi tee_device:chr_file rw_file_perms; diff --git a/sepolicy/property.te b/sepolicy/property.te new file mode 100644 index 0000000..bb7e318 --- /dev/null +++ b/sepolicy/property.te @@ -0,0 +1,5 @@ +# Credential Manager +type credmgrd_prop, property_type; + +# Trim Area +type ta_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts new file mode 100644 index 0000000..413ed3c --- /dev/null +++ b/sepolicy/property_contexts 
@@ -0,0 +1,11 @@
+# Camera
+hw.camera.0.status. u:object_r:camera_prop:s0
+hw.camera.1.status. u:object_r:camera_prop:s0
+
+# Credential Manager
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+
+# Trim Area
+persist.tareset. u:object_r:ta_prop:s0
+ro.semc.version. u:object_r:ta_prop:s0
+ro.sony. u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
deleted file mode 100644
index e3375cf..0000000
--- a/sepolicy/qseecomd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
- setuid
- setgid
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-binder_use(tee)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-
-set_prop(tee, tee_prop)
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
deleted file mode 100644
index 5178ce8..0000000
--- a/sepolicy/rild.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow rild read to ro.semc
-allow rild ta_prop:file { read open getattr };
diff --git a/sepolicy/scd.te b/sepolicy/scd.te
new file mode 100644
index 0000000..6207541
--- /dev/null
+++ b/sepolicy/scd.te
@@ -0,0 +1,8 @@
+init_daemon_domain(scd)
+
+allow scd scd_data_file:dir create_dir_perms;
+allow scd scd_data_file:file create_file_perms;
+allow scd sysfs_rtc:dir search;
+allow scd sysfs_rtc:file r_file_perms;
+allow scd camera_socket:dir rw_dir_perms;
+allow scd camera_socket:sock_file create_file_perms;
diff --git a/sepolicy/sct.te b/sepolicy/sct.te
new file mode 100644
index 0000000..93d1ea4
--- /dev/null
+++ b/sepolicy/sct.te
@@ -0,0 +1,3 @@
+init_daemon_domain(sct)
+
+allow sct self:socket create_socket_perms;
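Review bot: `allow scd camera_socket:dir rw_dir_perms;` and `allow scd camera_socket:sock_file create_file_perms;` pair with the file_contexts entry labeling `/dev/socket/scd(/.*)?` as camera_socket, a type that is not specific to scd; every domain already allowed on camera_socket can therefore reach scd's socket, and scd can create or unlink any socket under that label. Since file.te in this commit already introduces scd, scd_exec and scd_data_file, a dedicated `scd_socket` type (name constructed) for `/dev/socket/scd` with these two rules pointed at it would keep the two daemons' sockets apart. The `sysfs_rtc` read rules here, like the `proc_stat` and `sysfs_wake_lock` rules in tad.te, also lack any comment on what the daemon reads them for; a one-line why-comment per group, in the style of the deleted tfa_amp.te, would help the next maintainer judge whether they are still needed.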
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..06defff
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,4 @@
+allow sensors tad:unix_stream_socket connectto;
+allow sensors tad_socket:sock_file rw_file_perms;
+
+get_prop(sensors, ta_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
deleted file mode 100644
index e3d7dcf..0000000
--- a/sepolicy/service_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
-media.cameraextension u:object_r:mediaserver_service:s0
-
-#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
-media.cacao u:object_r:mediaserver_service:s0
diff --git a/sepolicy/tad.te b/sepolicy/tad.te
new file mode 100644
index 0000000..496dc9f
--- /dev/null
+++ b/sepolicy/tad.te
@@ -0,0 +1,14 @@
+init_daemon_domain(tad)
+
+allow tad block_device:dir search;
+allow tad proc_stat:file r_file_perms;
+allow tad self:capability setgid;
+allow tad self:socket create_socket_perms;
+allow tad self:unix_stream_socket create_socket_perms;
+allow tad tad_block_device:blk_file rw_file_perms;
+allow tad tad_socket:sock_file rw_file_perms;
+allow tad sysfs_wake_lock:file rw_file_perms;
+
+allowxperm tad tad_block_device:blk_file ioctl BLKGETSIZE;
+
+set_prop(tad, ta_prop)
diff --git a/sepolicy/tfa_amp.te b/sepolicy/tfa_amp.te
deleted file mode 100644
index ca64588..0000000
--- a/sepolicy/tfa_amp.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type tfa_amp, domain;
-type tfa_amp_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(tfa_amp)
-
-allow tfa_amp self:capability dac_override;
-
-# Access to /dev/tfa98xx
-allow tfa_amp audio_device:chr_file rw_file_perms;
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
deleted file mode 100644
index 6f8b30e..0000000
--- a/sepolicy/uim.te
+++ /dev/null
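Review bot: `allow tad self:capability setgid;` has no comment explaining what still needs it: init.camera.rc runs tad_static as `user system` with its groups fixed by the rc `group system camera media` line (this commit drops `root` from that list), so a daemon that never starts as root has no obvious reason to change its group ids at runtime. If the capability is only a leftover from the root-era policy, dropping it and re-checking the audit log is the cleanest outcome; if tad really does call setgid, a why-comment such as `# setgid: <reason — TODO confirm against tad source>` should sit next to the rule. The `allowxperm tad tad_block_device:blk_file ioctl BLKGETSIZE;` line is a good example of the narrowing the rest of the file could follow, and deserves a matching comment stating that the TA partition size query is the only ioctl tad issues.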
@@ -1,22 +0,0 @@
-type uim, domain;
-
-rw_dir_file(uim, sysfs)
-rw_dir_file(uim, brcm_ldisc_sysfs)
-rw_dir_file(uim, bluetooth_data_file)
-rw_dir_file(uim, sysfs_bluetooth_writable)
-allow uim brcm_uim_exec:file { entrypoint getattr read execute };
-allow uim self:capability { net_admin dac_override };
-allow uim rootfs:lnk_file getattr;
-allow uim ta_data_file:dir search;
-allow uim bluetooth_prop:sock_file write;
-allow uim ta_data_file:file r_file_perms;
-allow uim hci_attach_dev:chr_file ioctl;
-
-# Access to qseecomd
-allow uim tee_device:chr_file rw_file_perms;
-
-# Access to serial port
-allow uim hci_attach_dev:chr_file rw_file_perms;
-allowxperm uim hci_attach_dev:chr_file ioctl uim_sock_ipc_ioctls;
-
-get_prop(uim, bluetooth_prop)
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ae03077
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init tad_block_device:blk_file setattr;
+allow vendor_init {
+ credmgrd_data_file
+ scd_data_file
+}:dir create_dir_perms;
diff --git a/shinano.mk b/shinano.mk
index d54cde9..ab26b87 100644
--- a/shinano.mk
+++ b/shinano.mk
@@ -141,8 +141,7 @@ PRODUCT_PACKAGES += \
 ueventd.qcom.rc
 
 PRODUCT_PACKAGES += \
- credmgrfirstboot.sh \
- init.qcom-sensor.sh
+ credmgrfirstboot.sh
 
 # Include BCM Wifi
 $(call inherit-product-if-exists, hardware/broadcom/wlan/bcmdhd/config/config-bcm.mk)
diff --git a/system_prop.mk b/system_prop.mk
index 386b800..cca1a3b 100644
--- a/system_prop.mk
+++ b/system_prop.mk
@@ -50,7 +50,7 @@ PRODUCT_PROPERTY_OVERRIDES += \
 PRODUCT_PROPERTY_OVERRIDES += \
 bluetooth.a2dp.sink.enabled=false \
 ro.bluetooth.hfp.ver=1.6 \
- ro.bt.bdaddr_path="/data/etc/bluetooth_bdaddr" \
+ ro.bt.bdaddr_path="/data/vendor/bluetooth/bluetooth_bdaddr" \
 ro.rfkilldisabled=1
 
 # macaddrsetup
-- cgit v1.2.3