authorIsaac Chen <isaacchen@isaacchen.cn>2018-07-27 14:27:16 +0200
committerIsaac Chen <isaacchen@isaacchen.cn>2018-07-27 00:00:11 +0000
commita59e765afb37bea328408bc6ceb9787afbfd3ecf (patch)
tree0ddb1a34c8f9cf98a12ed2148261f45bb439c9c5 /sepolicy
parent39445a3026aa961bdd372607c2e35168a643b990 (diff)
wayne: sepolicy: Initial denials
Signed-off-by: Isaac Chen <isaacchen@isaacchen.cn>
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/bt_firmware_file.te2
-rw-r--r--sepolicy/device.te1
-rw-r--r--sepolicy/dpmd.te2
-rw-r--r--sepolicy/file.te2
-rw-r--r--sepolicy/file_contexts18
-rw-r--r--sepolicy/firmware_file.te2
-rw-r--r--sepolicy/hal_camera_default.te1
-rw-r--r--sepolicy/hal_cas_default.te2
-rw-r--r--sepolicy/hal_fingerprint_wayne.te36
-rw-r--r--sepolicy/hal_graphics_composer_default.te2
-rw-r--r--sepolicy/hal_power_default.te1
-rw-r--r--sepolicy/hvdcp.te2
-rw-r--r--sepolicy/hwservice.te2
-rw-r--r--sepolicy/hwservice_contexts1
-rw-r--r--sepolicy/hwservicemanager.te5
-rw-r--r--sepolicy/init.te2
-rw-r--r--sepolicy/per_mgr.te2
-rw-r--r--sepolicy/property.te1
-rw-r--r--sepolicy/property_contexts4
-rw-r--r--sepolicy/qti_init_shell.te3
-rw-r--r--sepolicy/radio.te2
-rw-r--r--sepolicy/rild.te2
-rw-r--r--sepolicy/system_server.te2
-rw-r--r--sepolicy/tee.te6
-rw-r--r--sepolicy/vndservice.te1
-rw-r--r--sepolicy/vndservice_contexts1
-rw-r--r--sepolicy/vndservicemanager.te3
27 files changed, 108 insertions, 0 deletions
diff --git a/sepolicy/bt_firmware_file.te b/sepolicy/bt_firmware_file.te
new file mode 100644
index 0000000..a6a13a1
--- /dev/null
+++ b/sepolicy/bt_firmware_file.te
@@ -0,0 +1,2 @@
+#============= bt_firmware_file ==============
+allow bt_firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..8ec31c9
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1 @@
+type fingerprint_device, dev_type;
diff --git a/sepolicy/dpmd.te b/sepolicy/dpmd.te
new file mode 100644
index 0000000..e73c6fe
--- /dev/null
+++ b/sepolicy/dpmd.te
@@ -0,0 +1,2 @@
+#============= dpmd ==============
+allow dpmd vendor_file:file { execute getattr open read };
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..7aed2d6
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,2 @@
+type fingerprint_data_file, file_type, data_file_type;
+type fingerprint_sysfs, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..a35066a
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,18 @@
+# Biometric
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_wayne u:object_r:hal_fingerprint_wayne_exec:s0
+
+# Fpc Fingerprint
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
+
+# For Goodix fingerprint
+/dev/goodix_fp* u:object_r:fingerprint_device:s0
+
+# Goodix Fingerprint data
+/data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0
+/persist/data/gf* u:object_r:fingerprint_data_file:s0
+
+# HVDCP
+/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
+
+# Light HAL
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
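Review bot: `/data/gf_data/frr_database.db` labels a single file, so the `/data/gf_data` directory itself keeps `system_data_file` on restorecon, while tee.te's `type_transition` in this same commit creates it as `fingerprint_data_file` at runtime; the two labelings diverge after any relabel. A prefix pattern such as `/data/gf_data(/.*)? u:object_r:fingerprint_data_file:s0` keeps file_contexts and the runtime transition consistent, in the same shape as the `/persist/data/gf*` entry below it. The tee.te comment refers to `/data/goodix` rather than `/data/gf_data`, so confirm which directory the HAL actually uses before widening the pattern.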
diff --git a/sepolicy/firmware_file.te b/sepolicy/firmware_file.te
new file mode 100644
index 0000000..57f6c2d
--- /dev/null
+++ b/sepolicy/firmware_file.te
@@ -0,0 +1,2 @@
+#============= firmware_file ==============
+allow firmware_file rootfs:filesystem associate;
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
new file mode 100644
index 0000000..6a3d424
--- /dev/null
+++ b/sepolicy/hal_camera_default.te
@@ -0,0 +1 @@
+allow hal_camera_default sysfs_kgsl:file r_file_perms;
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te
new file mode 100644
index 0000000..fec0fc4
--- /dev/null
+++ b/sepolicy/hal_cas_default.te
@@ -0,0 +1,2 @@
+#============= hal_cas_default ==============
+allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };
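Review bot: The raw `vndbinder_device:chr_file { ioctl open read write }` rule gives hal_cas_default the device node but not the `vndservicemanager:binder { call transfer }` access a vndbinder client also needs, so a follow-up denial is likely. The conventional form is the single macro `vndbinder_use(hal_cas_default)`, which grants the device access together with the servicemanager calls and the getpidcon lookups vndservicemanager performs on the client. That also makes the intent (a vendor binder client) visible without the audit2allow header comment.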
diff --git a/sepolicy/hal_fingerprint_wayne.te b/sepolicy/hal_fingerprint_wayne.te
new file mode 100644
index 0000000..470c6d8
--- /dev/null
+++ b/sepolicy/hal_fingerprint_wayne.te
@@ -0,0 +1,36 @@
+type hal_fingerprint_wayne, domain, binder_in_vendor_violators;
+hal_server_domain(hal_fingerprint_wayne, hal_fingerprint)
+
+type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type;
+binder_use(hal_fingerprint_wayne)
+init_daemon_domain(hal_fingerprint_wayne)
+
+allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms;
+allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search;
+allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read;
+allow hal_fingerprint_wayne fingerprint_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms;
+
+allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read };
+
+binder_call(hal_fingerprint_wayne, vndservicemanager)
+binder_call(hal_fingerprint_wayne, hal_perf_default)
+
+binder_use(hal_fingerprint_wayne)
+
+r_dir_file(hal_fingerprint_wayne, firmware_file)
+
+add_service(hal_fingerprint_wayne, goodixvnd_service)
+add_hwservice(hal_fingerprint_wayne, goodixhw_service)
+
+allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;
+
+get_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+set_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+
+vndbinder_use(hal_fingerprint_wayne)
+
+dontaudit hal_fingerprint_wayne { media_rw_data_file sdcardfs}:dir search;
+dontaudit hal_fingerprint_wayne media_rw_data_file:dir { read open };
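Review bot: `binder_use(hal_fingerprint_wayne)` appears twice (near the top of the file and again after the `binder_call` lines), and `allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;` is already covered by `vndbinder_use(hal_fingerprint_wayne)` further down, which grants `rw_file_perms` on that node. `binder_use` is also what gives this vendor HAL access to /dev/binder and is presumably the reason the domain carries the `binder_in_vendor_violators` attribute; if the service only talks over hwbinder and vndbinder, both calls and the attribute could be dropped — confirm against the denial log. The `{ fuse mnt_user_file storage_file }:dir search` and `lnk_file read` rules together with the `dontaudit` on `media_rw_data_file`/`sdcardfs` suggest the HAL walks user storage, and a one-line comment stating why (e.g. `# HAL resolves a path under user storage; search only, no file access`) would stop a later reviewer from widening them. The `{ tee_device uhid_device }:chr_file` rule likewise deserves a comment naming what the uhid node is used for, since creating virtual HID devices is a broader capability than reading the sensor.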
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..c8c0e02
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default sysfs:file { getattr open read };
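Review bot: `allow hal_graphics_composer_default sysfs:file { getattr open read };` grants access to the generic `sysfs` type, i.e. every sysfs node without a specific label, rather than the one node that was denied; the same pattern appears in hvdcp.te (`sysfs:file { open read }`) and, with `rw_file_perms` on the generic `proc` type, in hal_power_default.te, where it becomes write access to every unlabeled procfs entry. The usual fix is to take the path from the denial's `path=` field, give it a dedicated type via `genfscon` (or reuse an existing `sysfs_*`/`proc_*` type if one matches) and allow only that type. The hal_power_default rule is the one to prioritise, since write on `proc` covers kernel tunables far beyond what a power HAL needs.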
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
new file mode 100644
index 0000000..7e0a992
--- /dev/null
+++ b/sepolicy/hal_power_default.te
@@ -0,0 +1 @@
+allow hal_power_default proc:file rw_file_perms;
diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te
new file mode 100644
index 0000000..894bb5f
--- /dev/null
+++ b/sepolicy/hvdcp.te
@@ -0,0 +1,2 @@
+#============= hvdcp ==============
+allow hvdcp sysfs:file { open read };
diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te
new file mode 100644
index 0000000..8f19cf3
--- /dev/null
+++ b/sepolicy/hwservice.te
@@ -0,0 +1,2 @@
+
+type goodixhw_service, hwservice_manager_type;
diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts
new file mode 100644
index 0000000..6fdbcd8
--- /dev/null
+++ b/sepolicy/hwservice_contexts
@@ -0,0 +1 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:goodixhw_service:s0
diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te
new file mode 100644
index 0000000..cc438b8
--- /dev/null
+++ b/sepolicy/hwservicemanager.te
@@ -0,0 +1,5 @@
+#============= hwservicemanager ==============
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
+
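Review bot: The `hwservicemanager init:{dir,file,process}` rules are the getpidcon lookup hwservicemanager performs on a binder client, and together with init.te's `allow init hwservicemanager:binder { call transfer };` they mean something running in the `init` domain is registering with or querying hwservicemanager. init itself does not normally use binder, so the client is most likely a vendor executable started from an init script without a domain transition; the better fix is to label that binary and give it its own domain via `init_daemon_domain`, which makes both this hunk and the init.te rule unnecessary. Granting this to `init` widens the most privileged domain on the system for what is probably one misconfigured service — confirm against the denial's `comm=`/`exe=` fields, and if init genuinely must be the client, the single macro `hwbinder_use(init)` is the conventional form for both hunks.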
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..a54a2f6
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,2 @@
+#============= init ==============
+allow init hwservicemanager:binder { call transfer };
diff --git a/sepolicy/per_mgr.te b/sepolicy/per_mgr.te
new file mode 100644
index 0000000..1882a34
--- /dev/null
+++ b/sepolicy/per_mgr.te
@@ -0,0 +1,2 @@
+#============= per_mgr ==============
+allow per_mgr self:capability { dac_override net_raw };
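Review bot: `dac_override` in `allow per_mgr self:capability { dac_override net_raw };` lets the daemon bypass file ownership and mode bits entirely, so it is usually a symptom of a file, socket or directory owned by the wrong user rather than a permission the daemon needs. Identify the resource behind the denial and fix its owner/group in the relevant init.rc or ueventd.rc entry, then keep only `net_raw`. If the capability really is required, a comment naming the resource it is needed for should accompany the rule.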
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..0d82962
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type hal_fingerprint_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..6ac6236
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,4 @@
+sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
+sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
new file mode 100644
index 0000000..6967fc4
--- /dev/null
+++ b/sepolicy/qti_init_shell.te
@@ -0,0 +1,3 @@
+#============= qti_init_shell ==============
+allow qti_init_shell sysfs_cpu_boost:file write;
+allow qti_init_shell sysfs_lowmemorykiller:dir write;
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..4d6fc0f
--- /dev/null
+++ b/sepolicy/radio.te
@@ -0,0 +1,2 @@
+#============= radio ==============
+allow radio vendor_file:file { execute getattr open read };
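Review bot: `allow radio vendor_file:file { execute getattr open read };` (and the identical rule for system_server in system_server.te) lets a core system domain map and execute code labeled `vendor_file`, which is precisely the system/vendor boundary Treble policy exists to keep closed; depending on the build's Treble setting this may already collide with the coredomain-executes-vendor `neverallow` in AOSP domain.te, and even where it builds it should not be carried forward. The permission set matches a vendor shared library being loaded from the system side; the intended fix is to find that library from the denial's `path=` and label it `same_process_hal_file` (or `vndk_sp_file` if it is a VNDK-SP library) in file_contexts instead of opening all of `vendor_file` to these domains. If the rule must stay temporarily, a comment naming the library would help.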
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
new file mode 100644
index 0000000..d66bc7c
--- /dev/null
+++ b/sepolicy/rild.te
@@ -0,0 +1,2 @@
+#============= rild ==============
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..c658e69
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+#============= system_server ==============
+allow system_server vendor_file:file { execute getattr open read };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..85c98a8
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,6 @@
+# /data/goodix labeling
+type_transition tee system_data_file:{ dir file } fingerprint_data_file;
+
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee fingerprint_data_file:file create_file_perms;
+allow tee system_data_file:dir create_dir_perms;
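Review bot: The unnamed `type_transition tee system_data_file:{ dir file } fingerprint_data_file;` relabels everything tee creates directly under a `system_data_file` directory, not only the Goodix data, and `allow tee system_data_file:dir create_dir_perms;` beneath it lets tee create and remove entries anywhere in generic /data. A named transition limits the relabeling to the directory the HAL actually uses, `type_transition tee system_data_file:dir fingerprint_data_file "gf_data";`, after which files created inside that directory inherit `fingerprint_data_file` without a file-class transition and the generic `system_data_file:dir` rule can be narrowed to what creating that one directory needs. The comment says `/data/goodix` while file_contexts lists `/data/gf_data`, so confirm the directory name first.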
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
new file mode 100644
index 0000000..ebc594c
--- /dev/null
+++ b/sepolicy/vndservice.te
@@ -0,0 +1 @@
+type goodixvnd_service, vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
new file mode 100644
index 0000000..92d3f21
--- /dev/null
+++ b/sepolicy/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0
diff --git a/sepolicy/vndservicemanager.te b/sepolicy/vndservicemanager.te
new file mode 100644
index 0000000..8d04dea
--- /dev/null
+++ b/sepolicy/vndservicemanager.te
@@ -0,0 +1,3 @@
+allow vndservicemanager hal_fingerprint_default:dir { search read open };
+allow vndservicemanager hal_fingerprint_default:file { read open };
+allow vndservicemanager hal_fingerprint_default:process getattr;
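Review bot: The three rules target `hal_fingerprint_default`, but the fingerprint service this commit installs runs as `hal_fingerprint_wayne` (file_contexts labels its binary `hal_fingerprint_wayne_exec`), and for that domain `vndbinder_use(hal_fingerprint_wayne)` in hal_fingerprint_wayne.te already grants vndservicemanager exactly this `dir search` / `file { read open }` / `process getattr` set. As written the hunk is either a leftover from when the service still ran in `hal_fingerprint_default` or names the wrong domain; if nothing else on the device runs as hal_fingerprint_default, drop the file rather than keep vndbinder client access for a domain that should not be reaching vndservicemanager.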