From 9b828d96673248befa83f35e393c6819a3c232d3 Mon Sep 17 00:00:00 2001 
From: Dan Cashman Date: Thu, 1 Jun 2017 15:25:22 -0700 Subject: wayne-common: Add BOARD_PLAT_[PUBLIC|PRIVATE]_SEPOLICY_DIR Move vendor policy to vendor and add a place for system extensions. Also add such an extension: a labeling of the qti.ims.ext service. Bug: 38151691 Bug: 62041272 Test: Policy binary identical before and after, except plat_service_contexts has new service added. Change-Id: I1493c4c8876c4446a1de46b39942098bf49c79f8 --- sepolicy/app.te | 6 ---- sepolicy/atfwd.te | 1 - sepolicy/device.te | 2 -- sepolicy/file.te | 8 ----- sepolicy/file_contexts | 45 ------------------------ sepolicy/genfs_contexts | 2 -- sepolicy/hal_audio_default.te | 2 -- sepolicy/hal_camera_default.te | 6 ---- sepolicy/hal_cas_default.te | 1 - sepolicy/hal_fingerprint_wayne.te | 39 -------------------- sepolicy/hal_gnss_qti.te | 1 - sepolicy/hal_graphics_composer_default.te | 2 -- sepolicy/hal_ir_default.te | 1 - sepolicy/hal_light_default.te | 1 - sepolicy/hal_mlipay_default.te | 16 --------- sepolicy/hal_power_default.te | 2 -- sepolicy/hal_sensors_default.te | 1 - sepolicy/hvdcp.te | 1 - sepolicy/hwservice.te | 2 -- sepolicy/hwservice_contexts | 2 -- sepolicy/hwservicemanager.te | 4 --- sepolicy/init.te | 6 ---- sepolicy/init_fingerprint.te | 14 -------- sepolicy/kernel.te | 1 - sepolicy/location.te | 1 - sepolicy/netmgrd.te | 1 - sepolicy/priv_app.te | 1 - sepolicy/property.te | 3 -- sepolicy/property_contexts | 12 ------- sepolicy/qti_init_shell.te | 4 --- sepolicy/rild.te | 1 - sepolicy/system_app.te | 3 -- sepolicy/system_server.te | 4 --- sepolicy/tee.te | 6 ---- sepolicy/thermal-engine.te | 6 ---- sepolicy/vendor/app.te | 6 ++++ sepolicy/vendor/atfwd.te | 1 + sepolicy/vendor/device.te | 2 ++ sepolicy/vendor/file.te | 8 +++++ sepolicy/vendor/file_contexts | 45 ++++++++++++++++++++++++ sepolicy/vendor/genfs_contexts | 2 ++ sepolicy/vendor/hal_audio_default.te | 2 ++ sepolicy/vendor/hal_camera_default.te | 6 ++++ sepolicy/vendor/hal_cas_default.te | 1 + 
sepolicy/vendor/hal_fingerprint_wayne.te | 39 ++++++++++++++++++++ sepolicy/vendor/hal_gnss_qti.te | 1 + sepolicy/vendor/hal_graphics_composer_default.te | 2 ++ sepolicy/vendor/hal_ir_default.te | 1 + sepolicy/vendor/hal_light_default.te | 1 + sepolicy/vendor/hal_mlipay_default.te | 16 +++++++++ sepolicy/vendor/hal_power_default.te | 2 ++ sepolicy/vendor/hal_sensors_default.te | 1 + sepolicy/vendor/hvdcp.te | 1 + sepolicy/vendor/hwservice.te | 2 ++ sepolicy/vendor/hwservice_contexts | 2 ++ sepolicy/vendor/hwservicemanager.te | 4 +++ sepolicy/vendor/init.te | 6 ++++ sepolicy/vendor/init_fingerprint.te | 14 ++++++++ sepolicy/vendor/kernel.te | 1 + sepolicy/vendor/location.te | 1 + sepolicy/vendor/netmgrd.te | 1 + sepolicy/vendor/priv_app.te | 1 + sepolicy/vendor/property.te | 3 ++ sepolicy/vendor/property_contexts | 12 +++++++ sepolicy/vendor/qti_init_shell.te | 4 +++ sepolicy/vendor/rild.te | 1 + sepolicy/vendor/system_app.te | 3 ++ sepolicy/vendor/system_server.te | 4 +++ sepolicy/vendor/tee.te | 6 ++++ sepolicy/vendor/thermal-engine.te | 6 ++++ sepolicy/vendor/vendor_init.te | 13 +++++++ sepolicy/vendor/vndservice.te | 1 + sepolicy/vendor/vndservice_contexts | 1 + sepolicy/vendor/vndservicemanager.te | 3 ++ sepolicy/vendor_init.te | 13 ------- sepolicy/vndservice.te | 1 - sepolicy/vndservice_contexts | 1 - sepolicy/vndservicemanager.te | 3 -- 78 files changed, 226 insertions(+), 226 deletions(-) delete mode 100644 sepolicy/app.te delete mode 100644 sepolicy/atfwd.te delete mode 100644 sepolicy/device.te delete mode 100644 sepolicy/file.te delete mode 100644 sepolicy/file_contexts delete mode 100644 sepolicy/genfs_contexts delete mode 100644 sepolicy/hal_audio_default.te delete mode 100644 sepolicy/hal_camera_default.te delete mode 100644 sepolicy/hal_cas_default.te delete mode 100644 sepolicy/hal_fingerprint_wayne.te delete mode 100644 sepolicy/hal_gnss_qti.te delete mode 100644 sepolicy/hal_graphics_composer_default.te delete mode 100644 
sepolicy/hal_ir_default.te delete mode 100644 sepolicy/hal_light_default.te delete mode 100644 sepolicy/hal_mlipay_default.te delete mode 100644 sepolicy/hal_power_default.te delete mode 100644 sepolicy/hal_sensors_default.te delete mode 100644 sepolicy/hvdcp.te delete mode 100644 sepolicy/hwservice.te delete mode 100644 sepolicy/hwservice_contexts delete mode 100644 sepolicy/hwservicemanager.te delete mode 100644 sepolicy/init.te delete mode 100644 sepolicy/init_fingerprint.te delete mode 100644 sepolicy/kernel.te delete mode 100644 sepolicy/location.te delete mode 100644 sepolicy/netmgrd.te delete mode 100644 sepolicy/priv_app.te delete mode 100644 sepolicy/property.te delete mode 100644 sepolicy/property_contexts delete mode 100644 sepolicy/qti_init_shell.te delete mode 100644 sepolicy/rild.te delete mode 100644 sepolicy/system_app.te delete mode 100644 sepolicy/system_server.te delete mode 100644 sepolicy/tee.te delete mode 100644 sepolicy/thermal-engine.te create mode 100644 sepolicy/vendor/app.te create mode 100644 sepolicy/vendor/atfwd.te create mode 100644 sepolicy/vendor/device.te create mode 100644 sepolicy/vendor/file.te create mode 100644 sepolicy/vendor/file_contexts create mode 100644 sepolicy/vendor/genfs_contexts create mode 100644 sepolicy/vendor/hal_audio_default.te create mode 100644 sepolicy/vendor/hal_camera_default.te create mode 100644 sepolicy/vendor/hal_cas_default.te create mode 100644 sepolicy/vendor/hal_fingerprint_wayne.te create mode 100644 sepolicy/vendor/hal_gnss_qti.te create mode 100644 sepolicy/vendor/hal_graphics_composer_default.te create mode 100644 sepolicy/vendor/hal_ir_default.te create mode 100644 sepolicy/vendor/hal_light_default.te create mode 100644 sepolicy/vendor/hal_mlipay_default.te create mode 100644 sepolicy/vendor/hal_power_default.te create mode 100644 sepolicy/vendor/hal_sensors_default.te create mode 100644 sepolicy/vendor/hvdcp.te create mode 100644 sepolicy/vendor/hwservice.te create mode 100644 
sepolicy/vendor/hwservice_contexts create mode 100644 sepolicy/vendor/hwservicemanager.te create mode 100644 sepolicy/vendor/init.te create mode 100644 sepolicy/vendor/init_fingerprint.te create mode 100644 sepolicy/vendor/kernel.te create mode 100644 sepolicy/vendor/location.te create mode 100644 sepolicy/vendor/netmgrd.te create mode 100644 sepolicy/vendor/priv_app.te create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/property_contexts create mode 100644 sepolicy/vendor/qti_init_shell.te create mode 100644 sepolicy/vendor/rild.te create mode 100644 sepolicy/vendor/system_app.te create mode 100644 sepolicy/vendor/system_server.te create mode 100644 sepolicy/vendor/tee.te create mode 100644 sepolicy/vendor/thermal-engine.te create mode 100644 sepolicy/vendor/vendor_init.te create mode 100644 sepolicy/vendor/vndservice.te create mode 100644 sepolicy/vendor/vndservice_contexts create mode 100644 sepolicy/vendor/vndservicemanager.te delete mode 100644 sepolicy/vendor_init.te delete mode 100644 sepolicy/vndservice.te delete mode 100644 sepolicy/vndservice_contexts delete mode 100644 sepolicy/vndservicemanager.te (limited to 'sepolicy') diff --git a/sepolicy/app.te b/sepolicy/app.te deleted file mode 100644 index c61957b..0000000 --- a/sepolicy/app.te +++ /dev/null @@ -1,6 +0,0 @@ -# Allow appdomain to get vendor_camera_prop -get_prop(appdomain, vendor_camera_prop) -allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find; -binder_call({ appdomain -isolated_app }, hal_mlipay_default) -get_prop({ appdomain -isolated_app }, mlipay_prop) -get_prop({ appdomain -isolated_app }, hal_fingerprint_prop) diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te deleted file mode 100644 index a60277a..0000000 --- a/sepolicy/atfwd.te +++ /dev/null @@ -1 +0,0 @@ -allow atfwd sysfs:file read; diff --git a/sepolicy/device.te b/sepolicy/device.te deleted file mode 100644 index b84e726..0000000 --- a/sepolicy/device.te +++ /dev/null 
@@ -1,2 +0,0 @@ -type fingerprint_device, dev_type; -type spidev_device, dev_type; diff --git a/sepolicy/file.te b/sepolicy/file.te deleted file mode 100644 index 2ca38b9..0000000 --- a/sepolicy/file.te +++ /dev/null @@ -1,8 +0,0 @@ -type debugfs_wlan, debugfs_type, fs_type; -type ir_dev_file, file_type; -type proc_dt2w, fs_type, proc_type; -type fingerprint_data_file, file_type, data_file_type, core_data_file_type; -type fingerprint_sysfs, fs_type, sysfs_type; -type vendor_keylayout_file, file_type, vendor_file_type; -type sysfs_light, fs_type, sysfs_type; -type thermal_data_file, file_type, data_file_type; diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts deleted file mode 100644 index 6939ff5..0000000 --- a/sepolicy/file_contexts +++ /dev/null 
@@ -1,45 +0,0 @@ -# Biometric -/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_wayne u:object_r:hal_fingerprint_wayne_exec:s0 - -# Fpc Fingerprint -/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0 - -# For Goodix fingerprint -/dev/goodix_fp* u:object_r:fingerprint_device:s0 - -# Goodix Fingerprint data -/data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0 -/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0 -/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0 -/persist/data/gf* u:object_r:fingerprint_data_file:s0 - -# Fpc Fingerprint data -/persist/fpc(/.*)? u:object_r:fingerprint_data_file:s0 - -# HVDCP -/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0 - -# IR -/dev/spidev7.1 u:object_r:spidev_device:s0 - -# Keylayout -/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0 -/vendor/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0 - -# Light HAL -/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0 - -# Mlipay -/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0 - -# Persist -/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0 - -# RTC -/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0 - -# Shell Script -/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0 - -# Thermal -/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0 diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts deleted file mode 100644 index 638c917..0000000 --- a/sepolicy/genfs_contexts +++ /dev/null 
@@ -1,2 +0,0 @@ -genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0 -genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0 diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te deleted file mode 100644 index 128920f..0000000 --- a/sepolicy/hal_audio_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_audio_default vendor_data_file:dir { create write add_name }; -allow hal_audio_default vendor_data_file:file { append create getattr open read }; diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te deleted file mode 100644 index 0f40bbd..0000000 --- a/sepolicy/hal_camera_default.te +++ /dev/null @@ -1,6 +0,0 @@ -binder_call(hal_camera_default, hal_configstore_default) -binder_call(hal_camera_default, hal_graphics_allocator_default) - -allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find; -allow hal_camera_default sysfs:file { getattr open read }; -allow hal_camera_default sysfs_kgsl:file { getattr open read }; diff --git a/sepolicy/hal_cas_default.te b/sepolicy/hal_cas_default.te deleted file mode 100644 index 18b00de..0000000 --- a/sepolicy/hal_cas_default.te +++ /dev/null @@ -1 +0,0 @@ -vndbinder_use(hal_cas_default) diff --git a/sepolicy/hal_fingerprint_wayne.te b/sepolicy/hal_fingerprint_wayne.te deleted file mode 100644 index 11a99de..0000000 --- a/sepolicy/hal_fingerprint_wayne.te +++ /dev/null 
@@ -1,39 +0,0 @@ -type hal_fingerprint_wayne, domain, binder_in_vendor_violators; -hal_server_domain(hal_fingerprint_wayne, hal_fingerprint) - -type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type; -typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators; -binder_use(hal_fingerprint_wayne) -init_daemon_domain(hal_fingerprint_wayne) - -allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl }; -allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl }; -allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms; -allow hal_fingerprint_wayne fingerprintd_data_file:dir rw_dir_perms; -allow hal_fingerprint_wayne fingerprintd_data_file:file create_file_perms; -allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search; -allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read; -allow hal_fingerprint_wayne fingerprint_sysfs:dir r_dir_perms; -allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms; - -allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read }; - -binder_call(hal_fingerprint_wayne, vndservicemanager) -binder_call(hal_fingerprint_wayne, hal_perf_default) - -binder_use(hal_fingerprint_wayne) - -r_dir_file(hal_fingerprint_wayne, firmware_file) - -add_service(hal_fingerprint_wayne, goodixvnd_service) -add_hwservice(hal_fingerprint_wayne, goodixhw_service) - -allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl; - -get_prop(hal_fingerprint_wayne, hal_fingerprint_prop) -set_prop(hal_fingerprint_wayne, hal_fingerprint_prop) - -vndbinder_use(hal_fingerprint_wayne) - -dontaudit hal_fingerprint_wayne { media_rw_data_file sdcardfs}:dir search; -dontaudit hal_fingerprint_wayne media_rw_data_file:dir { read open }; diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te deleted file mode 100644 index 711c8bb..0000000 --- a/sepolicy/hal_gnss_qti.te +++ /dev/null 
@@ -1 +0,0 @@ -allow hal_gnss_qti sysfs:file { read open }; diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te deleted file mode 100644 index 39e8fb4..0000000 --- a/sepolicy/hal_graphics_composer_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_graphics_composer_default sysfs_graphics:file r_file_perms; -allow hal_graphics_composer_default sysfs_graphics:lnk_file read; diff --git a/sepolicy/hal_ir_default.te b/sepolicy/hal_ir_default.te deleted file mode 100644 index 2f9f2b6..0000000 --- a/sepolicy/hal_ir_default.te +++ /dev/null @@ -1 +0,0 @@ -allow hal_ir_default spidev_device:chr_file rw_file_perms; diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te deleted file mode 100644 index e0592d7..0000000 --- a/sepolicy/hal_light_default.te +++ /dev/null @@ -1 +0,0 @@ -allow hal_light_default sysfs_light:file rw_file_perms; diff --git a/sepolicy/hal_mlipay_default.te b/sepolicy/hal_mlipay_default.te deleted file mode 100644 index c6f721c..0000000 --- a/sepolicy/hal_mlipay_default.te +++ /dev/null @@ -1,16 +0,0 @@ -type hal_mlipay_default, domain; - -type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_mlipay_default) - -hwbinder_use(hal_mlipay_default) -get_prop(hal_mlipay_default, hwservicemanager_prop) -add_hwservice(hal_mlipay_default, hal_mlipay_hwservice) - -allow hal_mlipay_default tee_device:chr_file rw_file_perms; -allow hal_mlipay_default ion_device:chr_file r_file_perms; - -r_dir_file(hal_mlipay_default, firmware_file) -set_prop(hal_mlipay_default, mlipay_prop); - -get_prop(hal_mlipay_default, hal_fingerprint_prop); diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te deleted file mode 100644 index 2df04b0..0000000 --- a/sepolicy/hal_power_default.te +++ /dev/null @@ -1,2 +0,0 @@ -allow hal_power_default proc_dt2w:file rw_file_perms; -r_dir_file(hal_power_default, debugfs_wlan) 
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te deleted file mode 100644 index 28414f9..0000000 --- a/sepolicy/hal_sensors_default.te +++ /dev/null @@ -1 +0,0 @@ -allow hal_sensors_default sysfs:file { read open }; diff --git a/sepolicy/hvdcp.te b/sepolicy/hvdcp.te deleted file mode 100644 index 49a6b78..0000000 --- a/sepolicy/hvdcp.te +++ /dev/null @@ -1 +0,0 @@ -allow hvdcp sysfs:file { open read }; diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te deleted file mode 100644 index 32adecb..0000000 --- a/sepolicy/hwservice.te +++ /dev/null @@ -1,2 +0,0 @@ -type goodixhw_service, hwservice_manager_type; -type hal_mlipay_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice; diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts deleted file mode 100644 index 8ff7ae7..0000000 --- a/sepolicy/hwservice_contexts +++ /dev/null @@ -1,2 +0,0 @@ -vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:goodixhw_service:s0 -vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0 diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te deleted file mode 100644 index 3262afb..0000000 --- a/sepolicy/hwservicemanager.te +++ /dev/null @@ -1,4 +0,0 @@ -#============= hwservicemanager ============== -allow hwservicemanager init:dir search; -allow hwservicemanager init:file { open read }; -allow hwservicemanager init:process getattr; diff --git a/sepolicy/init.te b/sepolicy/init.te deleted file mode 100644 index 734baea..0000000 --- a/sepolicy/init.te +++ /dev/null @@ -1,6 +0,0 @@ -allow init hwservicemanager:binder { call transfer }; -allow init ipa_dev:chr_file open; -allow init ion_device:chr_file ioctl; -allow init property_socket:sock_file write; -allow init sysfs_dm:file { open write }; -allow init tee_device:chr_file { write ioctl }; 
diff --git a/sepolicy/init_fingerprint.te b/sepolicy/init_fingerprint.te deleted file mode 100644 index b45cdd6..0000000 --- a/sepolicy/init_fingerprint.te +++ /dev/null @@ -1,14 +0,0 @@ -type init_fingerprint, domain; -type init_fingerprint_exec, exec_type, vendor_file_type, file_type; - -# Allow for transition from init domain to init_fingerprint -init_daemon_domain(init_fingerprint) - -# Shell script needs to execute /vendor/bin/sh -allow init_fingerprint vendor_shell_exec:file rx_file_perms; -allow init_fingerprint vendor_toolbox_exec:file rx_file_perms; - -# Allow to delete file -allow init_fingerprint persist_file:dir search; -allow init_fingerprint persist_drm_file:dir { read search open write remove_name }; -allow init_fingerprint persist_drm_file:file { getattr unlink }; \ No newline at end of file diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te deleted file mode 100644 index 9ba3537..0000000 --- a/sepolicy/kernel.te +++ /dev/null @@ -1 +0,0 @@ -allow kernel debugfs_wlan:dir search; diff --git a/sepolicy/location.te b/sepolicy/location.te deleted file mode 100644 index 4333581..0000000 --- a/sepolicy/location.te +++ /dev/null @@ -1 +0,0 @@ -allow location sysfs:file { read open }; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te deleted file mode 100644 index 47ce266..0000000 --- a/sepolicy/netmgrd.te +++ /dev/null @@ -1 +0,0 @@ -allow netmgrd property_socket:sock_file write; diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te deleted file mode 100644 index 7ae851d..0000000 --- a/sepolicy/priv_app.te +++ /dev/null @@ -1 +0,0 @@ -allow priv_app sysfs_graphics:file { getattr open read }; \ No newline at end of file diff --git a/sepolicy/property.te b/sepolicy/property.te deleted file mode 100644 index 313445c..0000000 --- a/sepolicy/property.te +++ /dev/null @@ -1,3 +0,0 @@ -type hal_fingerprint_prop, property_type; -type mlipay_prop, property_type; -type thermal_engine_prop, property_type; 
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts deleted file mode 100644 index 037565e..0000000 --- a/sepolicy/property_contexts +++ /dev/null @@ -1,12 +0,0 @@ -persist.camera. u:object_r:camera_prop:s0 -persist.vendor.camera. u:object_r:camera_prop:s0 -sys.fp.goodix u:object_r:hal_fingerprint_prop:s0 -sys.fp.vendor u:object_r:hal_fingerprint_prop:s0 -persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0 -persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0 -persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0 -persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0 -persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0 -persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0 -persist.sys.thermal. u:object_r:thermal_engine_prop:s0 -sys.thermal. u:object_r:thermal_engine_prop:s0 diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te deleted file mode 100644 index aa81398..0000000 --- a/sepolicy/qti_init_shell.te +++ /dev/null @@ -1,4 +0,0 @@ -allow qti_init_shell sysfs_cpu_boost:file write; -allow qti_init_shell sysfs:file write; -allow qti_init_shell vendor_radio_data_file:dir { getattr read search }; -allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write }; diff --git a/sepolicy/rild.te b/sepolicy/rild.te deleted file mode 100644 index 06625de..0000000 --- a/sepolicy/rild.te +++ /dev/null @@ -1 +0,0 @@ -allow rild vendor_file:file ioctl; diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te deleted file mode 100644 index c7d0026..0000000 --- a/sepolicy/system_app.te +++ /dev/null @@ -1,3 +0,0 @@ -allow system_app vendor_default_prop:file { getattr open read }; -allow system_app wificond:binder call; -add_service(system_app, goodixhw_service) diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te deleted file mode 100644 index c9135cf..0000000 --- a/sepolicy/system_server.te +++ /dev/null 
@@ -1,4 +0,0 @@
-allow system_server vendor_keylayout_file:dir search;
-allow system_server vendor_keylayout_file:file r_file_perms;
-allow system_server sysfs_vibrator:file rw_file_perms;
-allow system_server sysfs_rtc:file r_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
deleted file mode 100644
index 0a124bc..0000000
--- a/sepolicy/tee.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
-# tee no longer directly accesses /data owned by the frameworks.
-typeattribute tee data_between_core_and_vendor_violators;
-allow tee system_data_file:dir r_dir_perms;
-allow tee fingerprintd_data_file:dir rw_dir_perms;
-allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
deleted file mode 100644
index 0e03308..0000000
--- a/sepolicy/thermal-engine.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow thermal-engine thermal_data_file:dir rw_dir_perms;
-allow thermal-engine thermal_data_file:file create_file_perms;
-allow thermal-engine self:capability { chown fowner };
-dontaudit thermal-engine self:capability dac_override;
-
-set_prop(thermal-engine, thermal_engine_prop);
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 0000000..c61957b
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,6 @@
+# Allow appdomain to get vendor_camera_prop
+get_prop(appdomain, vendor_camera_prop)
+allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app }, hal_mlipay_default)
+get_prop({ appdomain -isolated_app }, mlipay_prop)
+get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
diff --git a/sepolicy/vendor/atfwd.te b/sepolicy/vendor/atfwd.te
new file mode 100644
index 0000000..a60277a
--- /dev/null
+++ b/sepolicy/vendor/atfwd.te
@@ -0,0 +1 @@
+allow atfwd sysfs:file read;
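Review bot: `allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;` and `binder_call({ appdomain -isolated_app }, hal_mlipay_default)` in vendor/app.te let every non-isolated app, untrusted_app included, locate and call the payment HAL directly, and vendor/hwservice.te later in this patch marks `hal_mlipay_hwservice` as `untrusted_app_visible_hwservice` to match. That is a deliberate widening of the vendor attack surface, yet neither file records a rationale; the only comment in this hunk describes the unrelated camera property. The same hunk also makes `mlipay_prop` readable by all apps, which per vendor/property_contexts includes `persist.vendor.sys.provision.status`. Suggest a header comment above the three mlipay rules, e.g. `# IMlipayService is reachable from untrusted apps by design; the HAL must validate every caller and input`, plus one line saying why apps need to read the provisioning status.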
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..b84e726
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,2 @@
+type fingerprint_device, dev_type;
+type spidev_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..2ca38b9
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,8 @@
+type debugfs_wlan, debugfs_type, fs_type;
+type ir_dev_file, file_type;
+type proc_dt2w, fs_type, proc_type;
+type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
+type fingerprint_sysfs, fs_type, sysfs_type;
+type vendor_keylayout_file, file_type, vendor_file_type;
+type sysfs_light, fs_type, sysfs_type;
+type thermal_data_file, file_type, data_file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..6939ff5
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,45 @@
+# Biometric
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_wayne u:object_r:hal_fingerprint_wayne_exec:s0
+
+# Fpc Fingerprint
+/sys/devices/soc/soc:fpc1020(/.*)? u:object_r:fingerprint_sysfs:s0
+
+# For Goodix fingerprint
+/dev/goodix_fp* u:object_r:fingerprint_device:s0
+
+# Goodix Fingerprint data
+/data/gf_data/frr_database.db u:object_r:fingerprint_data_file:s0
+/data/misc/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
+/data/misc/goodix(/.*)? u:object_r:fingerprint_data_file:s0
+/persist/data/gf* u:object_r:fingerprint_data_file:s0
+
+# Fpc Fingerprint data
+/persist/fpc(/.*)? u:object_r:fingerprint_data_file:s0
+
+# HVDCP
+/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
+
+# IR
+/dev/spidev7.1 u:object_r:spidev_device:s0
+
+# Keylayout
+/vendor/usr/idc(/.*)? u:object_r:vendor_keylayout_file:s0
+/vendor/usr/keylayout(/.*)? u:object_r:vendor_keylayout_file:s0
+
+# Light HAL
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
+
+# Mlipay
+/(vendor|system/vendor)/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0
+
+# Persist
+/persist/PRSensorData\.txt u:object_r:sensors_persist_file:s0
+
+# RTC
+/sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:qcom,pm660_rtc/rtc/rtc0(/.*)? u:object_r:sysfs_rtc:s0
+
+# Shell Script
+/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
+
+# Thermal
+/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..638c917
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
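Review bot: `/dev/goodix_fp*` and `/persist/data/gf*` in vendor/file_contexts are regular expressions, not shell globs, so the `*` repeats only the preceding character: the first matches `/dev/goodix_f`, `/dev/goodix_fp`, `/dev/goodix_fpp`… but not `/dev/goodix_fp0` or any suffixed node, which would then keep whatever label the generic `/dev` entry in the platform file_contexts assigns and the `fingerprint_device` rules would never apply to it. If suffixed nodes exist the intended entries are `/dev/goodix_fp.* u:object_r:fingerprint_device:s0` and `/persist/data/gf.* u:object_r:fingerprint_data_file:s0`; if the names are exact, drop the `*` so each entry reads as a literal. The unescaped dots in `/dev/spidev7.1` and `/data/gf_data/frr_database.db` are harmless but inconsistent with the `\.` escaping used elsewhere in the same file.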
@@ -0,0 +1,2 @@
+genfscon proc /nvt_wake_gesture u:object_r:proc_dt2w:s0
+genfscon debugfs /wlan0 u:object_r:debugfs_wlan:s0
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..128920f
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -0,0 +1,2 @@
+allow hal_audio_default vendor_data_file:dir { create write add_name };
+allow hal_audio_default vendor_data_file:file { append create getattr open read };
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
new file mode 100644
index 0000000..0f40bbd
--- /dev/null
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -0,0 +1,6 @@
+binder_call(hal_camera_default, hal_configstore_default)
+binder_call(hal_camera_default, hal_graphics_allocator_default)
+
+allow hal_camera_default { hal_configstore_ISurfaceFlingerConfigs hal_graphics_allocator_hwservice }:hwservice_manager find;
+allow hal_camera_default sysfs:file { getattr open read };
+allow hal_camera_default sysfs_kgsl:file { getattr open read };
diff --git a/sepolicy/vendor/hal_cas_default.te b/sepolicy/vendor/hal_cas_default.te
new file mode 100644
index 0000000..18b00de
--- /dev/null
+++ b/sepolicy/vendor/hal_cas_default.te
@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default)
diff --git a/sepolicy/vendor/hal_fingerprint_wayne.te b/sepolicy/vendor/hal_fingerprint_wayne.te
new file mode 100644
index 0000000..11a99de
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_wayne.te
@@ -0,0 +1,39 @@
+type hal_fingerprint_wayne, domain, binder_in_vendor_violators;
+hal_server_domain(hal_fingerprint_wayne, hal_fingerprint)
+
+type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type;
+typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators;
+binder_use(hal_fingerprint_wayne)
+init_daemon_domain(hal_fingerprint_wayne)
+
+allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms;
+allow hal_fingerprint_wayne fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprintd_data_file:file create_file_perms;
+allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search;
+allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read;
+allow hal_fingerprint_wayne fingerprint_sysfs:dir r_dir_perms;
+allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms;
+
+allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read };
+
+binder_call(hal_fingerprint_wayne, vndservicemanager)
+binder_call(hal_fingerprint_wayne, hal_perf_default)
+
+binder_use(hal_fingerprint_wayne)
+
+r_dir_file(hal_fingerprint_wayne, firmware_file)
+
+add_service(hal_fingerprint_wayne, goodixvnd_service)
+add_hwservice(hal_fingerprint_wayne, goodixhw_service)
+
+allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;
+
+get_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+set_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+
+vndbinder_use(hal_fingerprint_wayne)
+
+dontaudit hal_fingerprint_wayne { media_rw_data_file sdcardfs}:dir search;
+dontaudit hal_fingerprint_wayne media_rw_data_file:dir { read open };
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
new file mode 100644
index 0000000..711c8bb
--- /dev/null
+++ b/sepolicy/vendor/hal_gnss_qti.te
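Review bot: hal_fingerprint_wayne takes both Treble exemptions — `binder_in_vendor_violators` on the type line and `typeattribute hal_fingerprint_wayne data_between_core_and_vendor_violators;` — with no explanation, whereas tee.te in the same tree documents its exemption with a `TODO(b/36644492)` comment stating what must change before it can be removed. The framework-binder use presumably stems from `binder_use(hal_fingerprint_wayne)` and the core-data access from the `fingerprintd_data_file` and `{ fuse mnt_user_file storage_file }` rules; a comment of the same shape as tee.te's, naming those rules as the blockers, would let a maintainer tell when the attributes can go. `binder_use(hal_fingerprint_wayne)` is also invoked twice (line 6 and line 24 of the new file); the second is redundant and should be dropped. The `uhid_device` grant and the read access to user storage are unusual for a fingerprint HAL and each deserve a one-line why-comment as well.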
@@ -0,0 +1 @@
+allow hal_gnss_qti sysfs:file { read open };
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
new file mode 100644
index 0000000..39e8fb4
--- /dev/null
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_composer_default sysfs_graphics:file r_file_perms;
+allow hal_graphics_composer_default sysfs_graphics:lnk_file read;
diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te
new file mode 100644
index 0000000..2f9f2b6
--- /dev/null
+++ b/sepolicy/vendor/hal_ir_default.te
@@ -0,0 +1 @@
+allow hal_ir_default spidev_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
new file mode 100644
index 0000000..e0592d7
--- /dev/null
+++ b/sepolicy/vendor/hal_light_default.te
@@ -0,0 +1 @@
+allow hal_light_default sysfs_light:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te
new file mode 100644
index 0000000..c6f721c
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay_default.te
@@ -0,0 +1,16 @@
+type hal_mlipay_default, domain;
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_mlipay_default)
+
+hwbinder_use(hal_mlipay_default)
+get_prop(hal_mlipay_default, hwservicemanager_prop)
+add_hwservice(hal_mlipay_default, hal_mlipay_hwservice)
+
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+set_prop(hal_mlipay_default, mlipay_prop);
+
+get_prop(hal_mlipay_default, hal_fingerprint_prop);
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
new file mode 100644
index 0000000..2df04b0
--- /dev/null
+++ b/sepolicy/vendor/hal_power_default.te
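Review bot: `set_prop(hal_mlipay_default, mlipay_prop);` and `get_prop(hal_mlipay_default, hal_fingerprint_prop);` in vendor/hal_mlipay_default.te end with a semicolon while every other macro call in the file (`init_daemon_domain`, `hwbinder_use`, `add_hwservice`, `r_dir_file`) does not; the commit message says the policy binary is unchanged, so this is a style point, but the mix suggests the two lines were pasted from elsewhere. Drop the trailing `;` on both. The hunk also gives this HAL — which vendor/app.te exposes to untrusted apps — `tee_device:chr_file rw_file_perms` and `ion_device` read access with no comment; a line such as `# mlipay communicates with its trusted application in the TEE` (if that is the reason) would help anyone reviewing later widenings of this domain.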
@@ -0,0 +1,2 @@
+allow hal_power_default proc_dt2w:file rw_file_perms;
+r_dir_file(hal_power_default, debugfs_wlan)
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..28414f9
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -0,0 +1 @@
+allow hal_sensors_default sysfs:file { read open };
diff --git a/sepolicy/vendor/hvdcp.te b/sepolicy/vendor/hvdcp.te
new file mode 100644
index 0000000..49a6b78
--- /dev/null
+++ b/sepolicy/vendor/hvdcp.te
@@ -0,0 +1 @@
+allow hvdcp sysfs:file { open read };
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..32adecb
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,2 @@
+type goodixhw_service, hwservice_manager_type;
+type hal_mlipay_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..8ff7ae7
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:goodixhw_service:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
diff --git a/sepolicy/vendor/hwservicemanager.te b/sepolicy/vendor/hwservicemanager.te
new file mode 100644
index 0000000..3262afb
--- /dev/null
+++ b/sepolicy/vendor/hwservicemanager.te
@@ -0,0 +1,4 @@
+#============= hwservicemanager ==============
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..734baea
--- /dev/null
+++ b/sepolicy/vendor/init.te
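Review bot: the `#============= hwservicemanager ==============` banner in vendor/hwservicemanager.te is the audit2allow output header, and the three rules beneath it (`allow hwservicemanager init:dir search;`, `allow hwservicemanager init:file { open read };`, `allow hwservicemanager init:process getattr;`) read as pasted denials rather than a reasoned grant; nothing records what hwservicemanager needs from init's process entry. This pattern of dir search plus file read plus process getattr on another domain usually corresponds to reading that process's /proc entry, but the trigger is not visible here. Replace the banner with a why-comment such as `# hwservicemanager inspects init's /proc entry when init registers or looks up a service (TODO: confirm the code path)`, or drop the rules if the denial was only observed during bring-up and no longer reproduces.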
@@ -0,0 +1,6 @@
+allow init hwservicemanager:binder { call transfer };
+allow init ipa_dev:chr_file open;
+allow init ion_device:chr_file ioctl;
+allow init property_socket:sock_file write;
+allow init sysfs_dm:file { open write };
+allow init tee_device:chr_file { write ioctl };
diff --git a/sepolicy/vendor/init_fingerprint.te b/sepolicy/vendor/init_fingerprint.te
new file mode 100644
index 0000000..b45cdd6
--- /dev/null
+++ b/sepolicy/vendor/init_fingerprint.te
@@ -0,0 +1,14 @@
+type init_fingerprint, domain;
+type init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+
+# Allow for transition from init domain to init_fingerprint
+init_daemon_domain(init_fingerprint)
+
+# Shell script needs to execute /vendor/bin/sh
+allow init_fingerprint vendor_shell_exec:file rx_file_perms;
+allow init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+
+# Allow to delete file
+allow init_fingerprint persist_file:dir search;
+allow init_fingerprint persist_drm_file:dir { read search open write remove_name };
+allow init_fingerprint persist_drm_file:file { getattr unlink };
\ No newline at end of file
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
new file mode 100644
index 0000000..9ba3537
--- /dev/null
+++ b/sepolicy/vendor/kernel.te
@@ -0,0 +1 @@
+allow kernel debugfs_wlan:dir search;
diff --git a/sepolicy/vendor/location.te b/sepolicy/vendor/location.te
new file mode 100644
index 0000000..4333581
--- /dev/null
+++ b/sepolicy/vendor/location.te
@@ -0,0 +1 @@
+allow location sysfs:file { read open };
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
new file mode 100644
index 0000000..47ce266
--- /dev/null
+++ b/sepolicy/vendor/netmgrd.te
@@ -0,0 +1 @@
+allow netmgrd property_socket:sock_file write;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
new file mode 100644
index 0000000..7ae851d
--- /dev/null
+++ b/sepolicy/vendor/priv_app.te
@@ -0,0 +1 @@
+allow priv_app sysfs_graphics:file { getattr open read };
\ No newline at end of file
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..313445c
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,3 @@
+type hal_fingerprint_prop, property_type;
+type mlipay_prop, property_type;
+type thermal_engine_prop, property_type;
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..037565e
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,12 @@
+persist.camera. u:object_r:camera_prop:s0
+persist.vendor.camera. u:object_r:camera_prop:s0
+sys.fp.goodix u:object_r:hal_fingerprint_prop:s0
+sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0
+persist.vendor.sys.pay.fido u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.ifaa u:object_r:mlipay_prop:s0
+persist.vendor.sys.pay.soter u:object_r:mlipay_prop:s0
+persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
+persist.sys.thermal. u:object_r:thermal_engine_prop:s0
+sys.thermal. u:object_r:thermal_engine_prop:s0
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
new file mode 100644
index 0000000..aa81398
--- /dev/null
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -0,0 +1,4 @@
+allow qti_init_shell sysfs_cpu_boost:file write;
+allow qti_init_shell sysfs:file write;
+allow qti_init_shell vendor_radio_data_file:dir { getattr read search };
+allow qti_init_shell vendor_radio_data_file:file { getattr read setattr write };
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
new file mode 100644
index 0000000..06625de
--- /dev/null
+++ b/sepolicy/vendor/rild.te
@@ -0,0 +1 @@
+allow rild vendor_file:file ioctl;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
new file mode 100644
index 0000000..c7d0026
--- /dev/null
+++ b/sepolicy/vendor/system_app.te
@@ -0,0 +1,3 @@
+allow system_app vendor_default_prop:file { getattr open read };
+allow system_app wificond:binder call;
+add_service(system_app, goodixhw_service)
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..c9135cf
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,4 @@
+allow system_server vendor_keylayout_file:dir search;
+allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server sysfs_vibrator:file rw_file_perms;
+allow system_server sysfs_rtc:file r_file_perms;
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..0a124bc
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,6 @@
+# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
+# tee no longer directly accesses /data owned by the frameworks.
+typeattribute tee data_between_core_and_vendor_violators;
+allow tee system_data_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
new file mode 100644
index 0000000..0e03308
--- /dev/null
+++ b/sepolicy/vendor/thermal-engine.te
@@ -0,0 +1,6 @@
+allow thermal-engine thermal_data_file:dir rw_dir_perms;
+allow thermal-engine thermal_data_file:file create_file_perms;
+allow thermal-engine self:capability { chown fowner };
+dontaudit thermal-engine self:capability dac_override;
+
+set_prop(thermal-engine, thermal_engine_prop);
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..9f602b1
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
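Review bot: `add_service(system_app, goodixhw_service)` in the system_app.te hunk pairs the servicemanager macro with a type that hwservice.te declares as hwservice_manager_type, so the rule it expands to is on the service_manager class, whereas a registration through hwservicemanager is checked against the hwservice_manager class. If system_app really registers the Goodix HIDL interface, the matching form is `add_hwservice(system_app, goodixhw_service)`; if it only looks the interface up, a narrower `allow system_app goodixhw_service:hwservice_manager find;` is the better fit. This rule is carried over unchanged (the commit reports an identical policy binary), so confirm against an actual denial rather than changing it blindly, and add a one-line comment on why a system_app, rather than a vendor HAL domain, is the registrant.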
@@ -0,0 +1,13 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+ system_data_file
+ tombstone_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+set_prop(vendor_init, camera_prop)
+allow vendor_init rootfs:dir { add_name create setattr write };
+allow vendor_init persist_debug_prop:property_service set;
+allow vendor_init persist_dpm_prop:property_service set;
+allow vendor_init qcom_ims_prop:property_service set;
+allow vendor_init rootfs:lnk_file setattr;
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
new file mode 100644
index 0000000..ebc594c
--- /dev/null
+++ b/sepolicy/vendor/vndservice.te
@@ -0,0 +1 @@
+type goodixvnd_service, vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
new file mode 100644
index 0000000..92d3f21
--- /dev/null
+++ b/sepolicy/vendor/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0
diff --git a/sepolicy/vendor/vndservicemanager.te b/sepolicy/vendor/vndservicemanager.te
new file mode 100644
index 0000000..8d04dea
--- /dev/null
+++ b/sepolicy/vendor/vndservicemanager.te
@@ -0,0 +1,3 @@
+allow vndservicemanager hal_fingerprint_default:dir { search read open };
+allow vndservicemanager hal_fingerprint_default:file { read open };
+allow vndservicemanager hal_fingerprint_default:process getattr;
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
deleted file mode 100644
index 9f602b1..0000000
--- a/sepolicy/vendor_init.te
+++ /dev/null
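Review bot: The vendor_init.te hunk adds vendor_init to data_between_core_and_vendor_violators and grants create/write/rmdir/relabelfrom on system_data_file and tombstone_data_file directories without the tracking TODO that tee.te carries for the same attribute. A matching header such as `# TODO(<bug id>): remove data_between_core_and_vendor_violators once vendor_init no longer writes /data paths owned by the frameworks` keeps the exception visible to whoever later tightens the Treble split, and a short note naming which init.rc lines need relabelfrom and rmdir would let that person narrow the permission set with confidence. The rule is moved unchanged, so this is documentation only.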
@@ -1,13 +0,0 @@
-typeattribute vendor_init data_between_core_and_vendor_violators;
-
-allow vendor_init {
- system_data_file
- tombstone_data_file
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-set_prop(vendor_init, camera_prop)
-allow vendor_init rootfs:dir { add_name create setattr write };
-allow vendor_init persist_debug_prop:property_service set;
-allow vendor_init persist_dpm_prop:property_service set;
-allow vendor_init qcom_ims_prop:property_service set;
-allow vendor_init rootfs:lnk_file setattr;
diff --git a/sepolicy/vndservice.te b/sepolicy/vndservice.te
deleted file mode 100644
index ebc594c..0000000
--- a/sepolicy/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type goodixvnd_service, vndservice_manager_type;
diff --git a/sepolicy/vndservice_contexts b/sepolicy/vndservice_contexts
deleted file mode 100644
index 92d3f21..0000000
--- a/sepolicy/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixvnd_service:s0
diff --git a/sepolicy/vndservicemanager.te b/sepolicy/vndservicemanager.te
deleted file mode 100644
index 8d04dea..0000000
--- a/sepolicy/vndservicemanager.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow vndservicemanager hal_fingerprint_default:dir { search read open };
-allow vndservicemanager hal_fingerprint_default:file { read open };
-allow vndservicemanager hal_fingerprint_default:process getattr;
--
cgit v1.2.3