diff --git a/boot-arch/project-celadon/cel_kbl/postinstall.te b/abota/efi/postinstall.te
similarity index 79%
rename from boot-arch/project-celadon/cel_kbl/postinstall.te
rename to abota/efi/postinstall.te
index b450db0e..1c5ee205 100644
--- a/boot-arch/project-celadon/cel_kbl/postinstall.te
+++ b/abota/efi/postinstall.te
@@ -1,6 +1,3 @@
-typeattribute postinstall system_writes_vendor_properties_violators;
-typeattribute postinstall system_executes_vendor_violators;
-
 recovery_only(`
 allow postinstall rootfs:file rx_file_perms;
 ')
diff --git a/abota/fw_update/file_contexts b/abota/fw_update/file_contexts
new file mode 100644
index 00000000..298e2343
--- /dev/null
+++ b/abota/fw_update/file_contexts
@@ -0,0 +1 @@
+(/system)?/vendor/bin/fw_update.sh u:object_r:fw_update_exec:s0
diff --git a/abota/fw_update/fw_update.te b/abota/fw_update/fw_update.te
new file mode 100644
index 00000000..bf78abb2
--- /dev/null
+++ b/abota/fw_update/fw_update.te
@@ -0,0 +1,25 @@
+# seclabel is specified in init.rc
+type fw_update, domain;
+type fw_update_exec, exec_type, file_type, vendor_file_type;
+
+recovery_only(`
+ domain_trans(init, rootfs, fw_update)
+ allow fw_update rootfs:file rx_file_perms;
+')
+
+init_daemon_domain(fw_update)
+
+not_full_treble(`
+ binder_use(fw_update)
+ add_service(fw_update, fw_update_service)
+')
+
+allow fw_update proc:file r_file_perms;
+allow fw_update userdata_block_device:{ lnk_file blk_file } w_file_perms;
+allow fw_update vendor_toolbox_exec:file execute_no_trans;
+allow fw_update vendor_file:file execute_no_trans;
+allow fw_update block_device:dir search;
+allow fw_update boot_block_device:blk_file r_file_perms;
+allow fw_update tmpfs:dir w_dir_perms;
+allow fw_update tmpfs:file w_file_perms;
+allow fw_update proc_cmdline:file r_file_perms;
diff --git a/abota/fw_update/no_vendor_prefix/fw_update.te b/abota/fw_update/no_vendor_prefix/fw_update.te
new file mode 100644
index 00000000..42181cc8
--- /dev/null
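Review bot: `allow fw_update vendor_file:file execute_no_trans;` lets the fw_update domain run any vendor_file-labelled binary without a domain transition, so every program under /vendor inherits this domain's write access to `userdata_block_device` and `tmpfs`; the rule should name the specific executables the script invokes (or give them their own exec type) instead of the whole partition label. The `w_file_perms` grant on `userdata_block_device:{ lnk_file blk_file }` also needs a comment stating why a firmware-update script writes the raw userdata device, e.g. `# fw_update.sh writes <what> through the userdata block device — TODO document`. The header says the seclabel comes from init.rc, yet `init_daemon_domain(fw_update)` also installs a domain_auto_trans from init; whichever mechanism is intended should be stated so the other can be dropped.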
+++ b/abota/fw_update/no_vendor_prefix/fw_update.te
@@ -0,0 +1 @@
+set_prop(fw_update, ota_prop)
diff --git a/abota/fw_update/service.te b/abota/fw_update/service.te
new file mode 100644
index 00000000..81e8fa6b
--- /dev/null
+++ b/abota/fw_update/service.te
@@ -0,0 +1 @@
+type fw_update_service, service_manager_type;
diff --git a/abota/fw_update/service_contexts b/abota/fw_update/service_contexts
new file mode 100644
index 00000000..b1ac0555
--- /dev/null
+++ b/abota/fw_update/service_contexts
@@ -0,0 +1 @@
+fw_update u:object_r:fw_update_service:s0
diff --git a/abota/fw_update/vendor_prefix/fw_update.te b/abota/fw_update/vendor_prefix/fw_update.te
new file mode 100644
index 00000000..0f36ae79
--- /dev/null
+++ b/abota/fw_update/vendor_prefix/fw_update.te
@@ -0,0 +1 @@
+set_prop(fw_update, vendor_ota_prop)
diff --git a/boot-arch/abl/hal_bootctl_default.te b/abota/generic/hal_bootctl_default.te
similarity index 100%
rename from boot-arch/abl/hal_bootctl_default.te
rename to abota/generic/hal_bootctl_default.te
diff --git a/boot-arch/abl/init.te b/abota/generic/init.te
similarity index 51%
rename from boot-arch/abl/init.te
rename to abota/generic/init.te
index b86e5291..98b1cb26 100644
--- a/boot-arch/abl/init.te
+++ b/abota/generic/init.te
@@ -1,3 +1,2 @@
 allow init system_file:system module_load;
 allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;
diff --git a/abota/generic/no_vendor_prefix/postinstall.te b/abota/generic/no_vendor_prefix/postinstall.te
new file mode 100644
index 00000000..2840f551
--- /dev/null
+++ b/abota/generic/no_vendor_prefix/postinstall.te
@@ -0,0 +1,4 @@
+typeattribute postinstall system_writes_vendor_properties_violators;
+typeattribute postinstall system_executes_vendor_violators;
+set_prop(postinstall, ota_prop)
+
diff --git a/abota/generic/no_vendor_prefix/property.te b/abota/generic/no_vendor_prefix/property.te
new file mode 100644
index 00000000..0b672d81
--- /dev/null
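Review bot: `typeattribute postinstall system_writes_vendor_properties_violators;` and `typeattribute postinstall system_executes_vendor_violators;` are Treble exemptions added without any justification, here in abota/generic/no_vendor_prefix/postinstall.te and again in the vendor_prefix variant further down; each file should carry a one-line reason such as `# Treble exemption: postinstall sets ota_prop and executes vendor code — TODO document why`. The no_vendor_prefix file also ends with a trailing blank line that the vendor_prefix variant does not have; keep the two variants byte-for-byte parallel apart from the property name.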
+++ b/abota/generic/no_vendor_prefix/property.te
@@ -0,0 +1 @@
+type ota_prop, property_type;
diff --git a/abota/generic/no_vendor_prefix/property_contexts b/abota/generic/no_vendor_prefix/property_contexts
new file mode 100644
index 00000000..1686e0bb
--- /dev/null
+++ b/abota/generic/no_vendor_prefix/property_contexts
@@ -0,0 +1,2 @@
+ota.update.abl u:object_r:ota_prop:s0
+ota.update.sbl u:object_r:ota_prop:s0
diff --git a/abota/generic/no_vendor_prefix/vendor_init.te b/abota/generic/no_vendor_prefix/vendor_init.te
new file mode 100644
index 00000000..04878d35
--- /dev/null
+++ b/abota/generic/no_vendor_prefix/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, ota_prop)
diff --git a/abota/generic/postinstall.te b/abota/generic/postinstall.te
new file mode 100644
index 00000000..c87048d6
--- /dev/null
+++ b/abota/generic/postinstall.te
@@ -0,0 +1,4 @@
+recovery_only(`
+ allow postinstall rootfs:file rx_file_perms;
+')
+
diff --git a/boot-arch/project-celadon/cel_kbl/update_engine.te b/abota/generic/update_engine.te
similarity index 63%
rename from boot-arch/project-celadon/cel_kbl/update_engine.te
rename to abota/generic/update_engine.te
index 9d845dac..032c352d 100644
--- a/boot-arch/project-celadon/cel_kbl/update_engine.te
+++ b/abota/generic/update_engine.te
@@ -1,15 +1,14 @@ allow update_engine vendor_block_device:blk_file rw_file_perms; +allow update_engine product_block_device:blk_file rw_file_perms; +allow update_engine odm_block_device:blk_file rw_file_perms; +allow update_engine acpi_block_device:blk_file rw_file_perms; +allow update_engine acpio_block_device:blk_file rw_file_perms; allow update_engine tmpfs:dir r_dir_perms; allow update_engine tmpfs:file r_file_perms; allow update_engine tmpfs:lnk_file r_file_perms; -allow update_engine vendor_shell_exec:file rx_file_perms; allow update_engine platform_app:binder call; allow update_engine vfat:dir search; allow update_engine vfat:file r_file_perms; -allow update_engine sdcardfs:dir search; -allow update_engine sdcardfs:file r_file_perms; allow update_engine mnt_media_rw_file:file r_file_perms; allow update_engine mnt_media_rw_file:dir r_dir_perms; -allow update_engine storage_file:file r_file_perms; -allow update_engine storage_file:dir r_dir_perms; diff --git a/boot-arch/abl/update_engine_common.te b/abota/generic/update_engine_common.te similarity index 100% rename from boot-arch/abl/update_engine_common.te rename to abota/generic/update_engine_common.te diff --git a/abota/generic/vendor_prefix/postinstall.te b/abota/generic/vendor_prefix/postinstall.te new file mode 100644 index 00000000..12eb5e8c --- /dev/null +++ b/abota/generic/vendor_prefix/postinstall.te @@ -0,0 +1,3 @@ +typeattribute postinstall system_writes_vendor_properties_violators; +typeattribute postinstall system_executes_vendor_violators; +set_prop(postinstall, vendor_ota_prop) diff --git a/abota/generic/vendor_prefix/property.te b/abota/generic/vendor_prefix/property.te new file mode 100644 index 00000000..fc36b084 --- /dev/null +++ b/abota/generic/vendor_prefix/property.te @@ -0,0 +1 @@ +type vendor_ota_prop, property_type; diff --git a/abota/generic/vendor_prefix/property_contexts b/abota/generic/vendor_prefix/property_contexts new file mode 100644 index 00000000..b94b3f50 --- /dev/null 
+++ b/abota/generic/vendor_prefix/property_contexts
@@ -0,0 +1 @@
+vendor.ota.update.fw u:object_r:vendor_ota_prop:s0
diff --git a/abota/generic/vendor_prefix/vendor_init.te b/abota/generic/vendor_prefix/vendor_init.te
new file mode 100644
index 00000000..ccb38c69
--- /dev/null
+++ b/abota/generic/vendor_prefix/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_ota_prop)
diff --git a/boot-arch/abl/vold.te b/abota/generic/vold.te
similarity index 100%
rename from boot-arch/abl/vold.te
rename to abota/generic/vold.te
diff --git a/abota/xbl/drmrpc.te b/abota/xbl/drmrpc.te
new file mode 100644
index 00000000..4b5aecad
--- /dev/null
+++ b/abota/xbl/drmrpc.te
@@ -0,0 +1,20 @@
+# Abl_user_cmd service, which is set the drmrpc service property,
+# would capsule the target slot info message and write it into
+# /dev/mei interface to notice ABL to update itself.
+#
+# There are two types of abl_user_cmd service, the one is under the
+# vendor partition in normal boot mode, and the another is under the
+# ramdisk in the recovery mode.
+
+type drmrpc, domain;
+
+not_recovery_only(`
+ type drmrpc_exec, exec_type, file_type, vendor_file_type;
+ init_daemon_domain(drmrpc)
+')
+
+recovery_only(`
+ typeattribute drmrpc coredomain;
+ domain_trans(init, rootfs, drmrpc)
+')
+allow drmrpc tee_device:chr_file rw_file_perms;
diff --git a/abota/xbl/file_contexts b/abota/xbl/file_contexts
new file mode 100644
index 00000000..dcf510fd
--- /dev/null
+++ b/abota/xbl/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/abl-user-cmd_vendor u:object_r:drmrpc_exec:s0
+/vendor/bin/sbl-user-cmd_vendor u:object_r:drmrpc_exec:s0
diff --git a/abota/xbl/init.te b/abota/xbl/init.te
new file mode 100644
index 00000000..2faf2768
--- /dev/null
+++ b/abota/xbl/init.te
@@ -0,0 +1 @@
+allow init block_device:lnk_file relabelfrom;
diff --git a/audio/project-celadon/audioserver.te b/audio/project-celadon/audioserver.te
deleted file mode 100644
index 963506a4..00000000
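Review bot: The only access rule in drmrpc.te is `allow drmrpc tee_device:chr_file rw_file_perms;`, while the header comment describes writing to the `/dev/mei` interface; unless `/dev/mei` is labelled `tee_device` elsewhere in this policy the comment and the rule disagree, so the comment should name the label it relies on. The header's first sentence is also hard to parse ("which is set the drmrpc service property", "capsule", "notice ABL"); I'd reword it as `# The abl_user_cmd service (started via the drmrpc service property) packages the target-slot information and writes it to the /dev/mei interface to tell ABL to update itself.` `drmrpc_exec` is declared only inside `not_recovery_only`, yet abota/xbl/file_contexts labels two /vendor/bin paths with it unconditionally; if that file_contexts is compiled into the recovery policy as well, the type is undefined there. In recovery the domain is entered through `domain_trans(init, rootfs, drmrpc)` with no auto-transition, so the recovery init.rc must set its seclabel — worth stating in the file.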
--- a/audio/project-celadon/audioserver.te
+++ /dev/null
@@ -1,26 +0,0 @@
-ignore_adb_debug(audioserver)
-
-set_prop(audioserver, audio_prop)
-
-userdebug_or_eng(`
- # audioserver exposes a remote debugging port
-
- # used for parameter framework (PFW) tuning and debug
- dontaudit audioserver fwmarkd_socket:sock_file write;
- dontaudit audioserver netd:unix_stream_socket connectto;
- dontaudit audioserver node:tcp_socket node_bind;
- dontaudit audioserver port:tcp_socket name_bind;
- dontaudit audioserver self:tcp_socket { accept bind create getopt listen read setopt write };
-')
-
-# audioserver recovery mechanism through uevent
-allow audioserver self:netlink_kobject_uevent_socket { create bind setopt read };
-allowxperm audioserver self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
-
-# Ringbuffer data files & Runtime Communication with SmartXBar data files
-allow audioserver audioserver_data_file:dir rw_dir_perms;
-allow audioserver audioserver_data_file:{ file fifo_file } create_file_perms;
-
-# allow audioserver to set SCHED_FIFO for SmartXBar worker threads
-allow audioserver self:capability sys_nice;
-allow audioserver self:process { setsched };
diff --git a/audio/project-celadon/file_contexts b/audio/project-celadon/file_contexts
deleted file mode 100644
index b197163f..00000000
--- a/audio/project-celadon/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/dev/snd/.* u:object_r:audio_device:s0
diff --git a/audio/project-celadon/hal_audio_default.te b/audio/project-celadon/hal_audio_default.te
deleted file mode 100644
index cac59385..00000000
--- a/audio/project-celadon/hal_audio_default.te
+++ /dev/null
@@ -1,37 +0,0 @@
-#
-# hal_audio_default is provided by the base policy and mixin
-# project-celadon defines the hal services.
-#
-# Audio uses the default implementations as defined in the product.mk:
-# audio/project-celadon/product.mk: android.hardware.audio@2.0-impl \
-# audio/project-celadon/product.mk: android.hardware.audio@2.0-service \
-# audio/project-celadon/product.mk: android.hardware.audio.effect@2.0-impl \
-#
-# Which can be found digging around: hardware/interfaces/audio/2.0
-#
-
-ignore_adb_debug(hal_audio_default)
-
-allow hal_audio_default self:capability sys_nice;
-
-allow hal_audio_default audioserver_data_file:dir create_dir_perms;
-allow hal_audio_default audioserver_data_file:fifo_file create_file_perms;
-allow hal_audio_default audioserver_data_file:file create_file_perms;
-
-allow hal_audio_default dumpstate:fd use;
-allow hal_audio_default dumpstate:fifo_file write;
-
-set_prop(hal_audio_default, audiohal_prop)
-
-allow hal_audio_default self:netlink_kobject_uevent_socket { read bind create setopt };
-
-userdebug_or_eng(`
- # hal_audio_default exposes a remote debugging port
-
- # used for parameter framework (PFW) tuning and debug
- dontaudit hal_audio_default fwmarkd_socket:sock_file write;
- dontaudit hal_audio_default netd:unix_stream_socket connectto;
- dontaudit hal_audio_default node:tcp_socket node_bind;
- dontaudit hal_audio_default port:tcp_socket name_bind;
- dontaudit hal_audio_default self:tcp_socket { accept bind create getopt listen read setopt write };
-')
diff --git a/audio/project-celadon/netd.te b/audio/project-celadon/netd.te
deleted file mode 100644
index 463f31b5..00000000
--- a/audio/project-celadon/netd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-userdebug_or_eng(`
- # used for parameter framework (PFW) tuning and debug
- allow netd hal_audio_default:fd use;
- allow netd hal_audio_default:tcp_socket { getopt read setopt write };
- allow netd audioserver:fd use;
- allow netd audioserver:tcp_socket { getopt read setopt write };
-')
diff --git a/audio/project-celadon/property.te b/audio/project-celadon/property.te
deleted file mode 100644
index 4d79beac..00000000
--- a/audio/project-celadon/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type audiohal_prop, property_type;
diff --git a/audio/project-celadon/property_contexts b/audio/project-celadon/property_contexts
deleted file mode 100644
index 7696111a..00000000
--- a/audio/project-celadon/property_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-audiohal. u:object_r:audiohal_prop:s0
-persist.audiohal. u:object_r:audiohal_prop:s0
diff --git a/audio/project-celadon/system_server.te b/audio/project-celadon/system_server.te
deleted file mode 100644
index 8fcc5306..00000000
--- a/audio/project-celadon/system_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# system_server
-#
-
-allow system_server hal_audio_default:file write;
-allow system_server audioserver:file w_file_perms;
diff --git a/audio/project-celadon/violators_blacklist.te b/audio/project-celadon/violators_blacklist.te
deleted file mode 100644
index f2230498..00000000
--- a/audio/project-celadon/violators_blacklist.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute hal_audio_default data_between_core_and_vendor_violators;
diff --git a/autodetect/false/init.te b/autodetect/false/init.te
new file mode 100644
index 00000000..74b14005
--- /dev/null
+++ b/autodetect/false/init.te
@@ -0,0 +1 @@
+allow init self:capability sys_module;
diff --git a/autodetect/true/adbd.te b/autodetect/true/adbd.te
new file mode 100644
index 00000000..e4d2e657
--- /dev/null
+++ b/autodetect/true/adbd.te
@@ -0,0 +1,2 @@
+allow adbd hal_socket:sock_file write;
+allow adbd hal:unix_stream_socket connectto;
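Review bot: `allow init self:capability sys_module;` in autodetect/false/init.te hands init CAP_SYS_MODULE with no explanation; since this is the variant without the hal autodetect daemon, presumably init loads kernel modules itself here, and the file should say so: `# no hal autodetect daemon: init loads kernel modules itself (needs CAP_SYS_MODULE)`. If the base policy already grants init this capability on the targeted Android release, the rule is redundant and should be dropped instead — I cannot tell from the diff.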
diff --git a/autodetect/true/appdomain.te b/autodetect/true/appdomain.te
new file mode 100644
index 00000000..28839ff2
--- /dev/null
+++ b/autodetect/true/appdomain.te
@@ -0,0 +1 @@
+unix_socket_connect(appdomain, hal, hal)
diff --git a/autodetect/true/bluetooth.te b/autodetect/true/bluetooth.te
new file mode 100644
index 00000000..4bffb211
--- /dev/null
+++ b/autodetect/true/bluetooth.te
@@ -0,0 +1,6 @@
+allow bluetooth hal_socket:sock_file write;
+allow bluetooth hal:fd use;
+allow bluetooth hal:unix_stream_socket { connectto read write };
+allow bluetooth rfkill:fd use;
+allow bluetooth self:netlink_socket create_socket_perms;
+
diff --git a/autodetect/true/bootanim.te b/autodetect/true/bootanim.te
new file mode 100644
index 00000000..5520aaca
--- /dev/null
+++ b/autodetect/true/bootanim.te
@@ -0,0 +1,6 @@
+#
+# bootanim
+#
+
+# hal access
+unix_socket_connect(bootanim, hal, hal)
diff --git a/autodetect/true/cameraserver.te b/autodetect/true/cameraserver.te
new file mode 100644
index 00000000..dd7e8390
--- /dev/null
+++ b/autodetect/true/cameraserver.te
@@ -0,0 +1 @@
+unix_socket_connect(cameraserver, hal, hal)
diff --git a/autodetect/true/device.te b/autodetect/true/device.te
new file mode 100644
index 00000000..04563e03
--- /dev/null
+++ b/autodetect/true/device.te
@@ -0,0 +1 @@
+type hal_device, dev_type;
diff --git a/autodetect/true/drmserver.te b/autodetect/true/drmserver.te
new file mode 100644
index 00000000..006ce212
--- /dev/null
+++ b/autodetect/true/drmserver.te
@@ -0,0 +1 @@
+unix_socket_connect(drmserver, hal, hal)
diff --git a/autodetect/true/file.te b/autodetect/true/file.te
new file mode 100644
index 00000000..3b7e79e9
--- /dev/null
+++ b/autodetect/true/file.te
@@ -0,0 +1,7 @@
+# HAL
+# Now that MLS is enabled on plat_app, we need to make the hal
+# socket an mlstrustedsubject.
+type hal_socket, file_type, mlstrustedobject;
+
+# Hal mounts a lot of filesystems, label the locations specifically
+type hal_mnt_pnt, file_type;
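Review bot: The comment above `type hal_socket, file_type, mlstrustedobject;` says the socket is made an `mlstrustedsubject`, but the attribute actually applied is `mlstrustedobject`; the object attribute is the correct one for a sock_file, so it is the comment that needs fixing: `# socket an mlstrustedobject.` A pointer to the matching `typeattribute hal mlstrustedsubject;` in hal.te would make clear that the subject side is handled there, since the two attributes only work as a pair.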
diff --git a/autodetect/true/file_contexts b/autodetect/true/file_contexts
new file mode 100644
index 00000000..37d32041
--- /dev/null
+++ b/autodetect/true/file_contexts
@@ -0,0 +1,28 @@
+# Bluetooth
+/dev/ttyBT[0-9] u:object_r:hci_attach_dev:s0
+
+#HAL
+/dev/socket/halbindings u:object_r:hal_socket:s0
+
+/dev/hald.ready u:object_r:hal_device:s0
+
+/system/bin/hald u:object_r:hal_exec:s0
+/system/bin/hald_media_hook u:object_r:hal_exec:s0
+/system/bin/halctl u:object_r:hal_exec:s0
+
+/system/rt/hal_mnt_pnt(/.*)? u:object_r:hal_mnt_pnt:s0
+# hal mounts filesystems at:
+# /system/etc/permissions
+# /system/etc/atomisp
+# /system/etc/modprobe.d
+/system/etc/permissions(/.*)? u:object_r:hal_mnt_pnt:s0
+/system/etc/atomisp(/.*)? u:object_r:hal_mnt_pnt:s0
+/system/etc/modprobe.d(/.*)? u:object_r:hal_mnt_pnt:s0
+# dm device mounted here
+/system/rt/gfx u:object_r:hal_mnt_pnt:s0
+/system/rt/hal_fuse u:object_r:hal_mnt_pnt:s0
+/system/rt/media u:object_r:hal_mnt_pnt:s0
+/system/rt/wifi u:object_r:hal_mnt_pnt:s0
+
+#rfkill
+(/system)?/vendor/bin/rfkillp u:object_r:rfkill_exec:s0
diff --git a/autodetect/true/gatekeeperd.te b/autodetect/true/gatekeeperd.te
new file mode 100644
index 00000000..36929297
--- /dev/null
+++ b/autodetect/true/gatekeeperd.te
@@ -0,0 +1 @@
+unix_socket_connect(gatekeeperd, hal, hal)
diff --git a/autodetect/true/hal.te b/autodetect/true/hal.te
new file mode 100644
index 00000000..ab128b50
--- /dev/null
+++ b/autodetect/true/hal.te
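Review bot: `/system/etc/permissions(/.*)? u:object_r:hal_mnt_pnt:s0` relabels the framework permissions directory away from `system_file`, but in this commit only `kernel`, `mediaserver`, `toolbox` and `vold` receive `hal_mnt_pnt` access; every other domain that reads /system/etc/permissions will be denied unless `hal_mnt_pnt` is granted to them elsewhere — please confirm and record where. The same question applies to the `/system/etc/atomisp(/.*)?` and `/system/etc/modprobe.d(/.*)?` entries. A comment such as `# NOTE: these /system/etc paths are read by framework domains; hal_mnt_pnt must stay readable by them` next to the "hal mounts filesystems at" block would keep the next maintainer from tightening it blindly.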
@@ -0,0 +1,127 @@
+# HAL domain
+type hal, domain;
+type hal_exec, exec_type, file_type;
+
+# hal owns the context of its unix socket
+# thus needs to be a trustedsubject for plat and
+# untrusted app access. See the MLS contraints
+# for how its enforced.
+typeattribute hal mlstrustedsubject;
+
+userdebug_or_eng(`
+ # https://jira01.devtools.intel.com/browse/OAM-31273
+ # https://jira01.devtools.intel.com/browse/OAM-31675
+ # https://jira01.devtools.intel.com/browse/OAM-33260
+ permissive hal;
+')
+
+init_daemon_domain(hal);
+
+# execs
+allow hal hal_exec:file rx_file_perms;
+allow hal shell_exec:file rx_file_perms;
+
+allow hal system_file:dir r_dir_perms;
+allow hal system_file:file rx_file_perms;
+
+# Capabilities
+allow hal self:capability { sys_module sys_admin chown fsetid net_admin fowner };
+
+# Device access
+allow hal gps_device:chr_file { getattr setattr };
+allow hal hal_device:file create_file_perms;
+allow hal device:dir create_dir_perms;
+allow hal device:lnk_file create;
+allow hal graphics_device:dir search;
+allow hal graphics_device:chr_file rw_file_perms;
+allow hal gpu_device:chr_file rw_file_perms;
+type_transition hal device:file hal_device;
+
+#sockets
+type_transition hal socket_device:sock_file hal_socket;
+allow hal hal_socket:sock_file create_file_perms;
+allow hal socket_device:dir { write remove_name add_name };
+allow hal self:netlink_kobject_uevent_socket { read bind create setopt };
+allowxperm hal self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+# sysfs
+allow hal sysfs:dir rw_dir_perms;
+allow hal sysfs:file rw_file_perms;
+
+allow hal sysfs_hwrandom:dir r_dir_perms;
+allow hal sysfs_hwrandom:file w_file_perms;
+
+allow hal sysfs_zram:dir r_dir_perms;
+allow hal sysfs_zram_uevent:file w_file_perms;
+
+#special fs
+allow hal proc:file write;
+
+# /proc/cmdline
+allow hal proc:file r_file_perms;
+
+allow hal proc_security:file { getattr open };
+allow hal sysfs_devices_system_cpu:file write;
+allow hal tmpfs:chr_file { open write };
+
+allow hal system_data_file:dir rw_dir_perms;
+allow hal apk_data_file:dir w_dir_perms;
+allow hal apk_data_file:file { unlink open };
+allow hal wpa:dir mounton;
+allow hal system_file:filesystem { relabelto mount unmount };
+
+allow hal kernel:key search;
+allow hal kernel:system module_request;
+
+# Allow calling setfscreatecon
+allow hal self:process setfscreate;
+
+# Set properties
+# hal is weird and needs getattr on the prop socket
+allow hal property_socket:sock_file getattr;
+set_prop(hal, hal_prop)
+set_prop(hal, sensor_prop)
+set_prop(hal, bluetooth_prop)
+set_prop(hal, audio_prop)
+set_prop(hal, lcd_prop)
+
+#Fuse-related
+allow hal hal_mnt_pnt:dir { create_dir_perms mounton };
+
+allow hal hal_mnt_pnt:file create_file_perms;
+
+allow hal labeledfs:filesystem unmount;
+
+allow hal hci_attach_dev:chr_file create_file_perms;
+allow hal hci_attach_exec:file rx_file_perms;
+
+allow hal rfkill_device:chr_file r_file_perms;
+
+allow hal oemfs:file r_file_perms;
+allow hal oemfs:dir r_dir_perms;
+
+allow hal dhcp_data_file:dir r_dir_perms;
+
+# Hal is creating a netlink socket for kernel events
+# allow it to do whatever on that socket
+allow hal self:netlink_route_socket *;
+
+module_only(`thermal', `
+ allow hal sysfs_thermal_management:dir r_dir_perms;
+ allow hal sysfs_thermal_management:file rw_file_perms;
+')
+
+allow hal wifi_data_file:dir rw_dir_perms;
+allow hal wifi_data_file:file create_file_perms;
+
+allow hal dhcp_data_file:dir setattr;
+allow hal efs_file:dir create_dir_perms;
+
+module_only(`efiprop', `
+ # HAL searches and uses possible efivarfs properties.
+ r_dir_file(hal, efivarfs)
+')
+
+# XXX Does hal really need this?
+# https://jira01.devtools.intel.com/browse/OAM-33149
+allow hal rootfs:file r_file_perms;
diff --git a/autodetect/true/init.te b/autodetect/true/init.te
new file mode 100644
index 00000000..92609179
--- /dev/null
+++ b/autodetect/true/init.te
@@ -0,0 +1,5 @@
+#
+# init
+#
+
+allow init hal_device:file getattr;
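Review bot: `allow hal self:netlink_route_socket *;` grants every permission on the class, including `nlmsg_write` and anything added to the class in later releases; spell out the set the daemon actually uses, e.g. `allow hal self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };`, and drop the "do whatever" comment. The same file makes `hal` permissive on userdebug/eng (`permissive hal;` with three tracker links) while also granting `sys_module sys_admin net_admin`, `system_file:filesystem { relabelto mount unmount }`, `apk_data_file:file { unlink open }` and `labeledfs:filesystem unmount`; a domain this broad is exactly the one that should run enforcing on debug builds so missing rules surface as denials, so the permissive block needs at least an expiry condition in its comment. `init_daemon_domain(hal);` carries a trailing `;` unlike every other macro call in the file (`set_prop(...)`, `module_only(...)`); drop it for consistency. The two `proc:file` rules (`write`, then `r_file_perms` under "# /proc/cmdline") would read better merged, and the `# /proc/cmdline` comment is misleading now that `proc_cmdline` is its own type in fw_update.te.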
diff --git a/autodetect/true/kernel.te b/autodetect/true/kernel.te
new file mode 100644
index 00000000..51310ab3
--- /dev/null
+++ b/autodetect/true/kernel.te
@@ -0,0 +1,6 @@
+#
+# kernel
+#
+
+# modprobe usermode helper
+allow kernel hal_mnt_pnt:dir r_dir_perms;
diff --git a/autodetect/true/keystore.te b/autodetect/true/keystore.te
new file mode 100644
index 00000000..ac422761
--- /dev/null
+++ b/autodetect/true/keystore.te
@@ -0,0 +1,2 @@
+allow keystore hal:unix_stream_socket connectto;
+allow keystore hal_socket:sock_file write;
diff --git a/autodetect/true/mediacodec.te b/autodetect/true/mediacodec.te
new file mode 100644
index 00000000..09094bc8
--- /dev/null
+++ b/autodetect/true/mediacodec.te
@@ -0,0 +1 @@
+unix_socket_connect(mediacodec, hal, hal)
diff --git a/autodetect/true/mediaserver.te b/autodetect/true/mediaserver.te
new file mode 100644
index 00000000..983a6fe2
--- /dev/null
+++ b/autodetect/true/mediaserver.te
@@ -0,0 +1,10 @@
+#
+# mediaserver
+#
+
+unix_socket_connect(mediaserver, hal, hal)
+
+# Access various hal supplied configuration files, like:
+# /system/etc/atomisp/00ov8858.slti20mr6.aiqb
+allow mediaserver hal_mnt_pnt:dir r_dir_perms;
+allow mediaserver hal_mnt_pnt:file r_file_perms;
diff --git a/autodetect/true/nfc.te b/autodetect/true/nfc.te
new file mode 100644
index 00000000..7d011505
--- /dev/null
+++ b/autodetect/true/nfc.te
@@ -0,0 +1 @@
+unix_socket_connect(nfc, hal, hal)
diff --git a/autodetect/true/property.te b/autodetect/true/property.te
new file mode 100644
index 00000000..f1e0a611
--- /dev/null
+++ b/autodetect/true/property.te
@@ -0,0 +1,11 @@
+# HAL
+
+type hal_prop, property_type;
+
+# LCD
+type lcd_prop, property_type;
+
+# Sensors
+# XXX Why here? I only see access from hald in sepolicy,
+# but this should be in the proper mixin.
+type sensor_prop, property_type;
diff --git a/autodetect/true/property_contexts b/autodetect/true/property_contexts
new file mode 100644
index 00000000..0b73526b
--- /dev/null
+++ b/autodetect/true/property_contexts
@@ -0,0 +1,9 @@
+# HAL
+
+hal. u:object_r:hal_prop:s0
+
+# LCD
+sf. u:object_r:lcd_prop:s0
+
+# Sensor
+iio. u:object_r:sensor_prop:s0
diff --git a/autodetect/true/radio.te b/autodetect/true/radio.te
new file mode 100644
index 00000000..5ac79016
--- /dev/null
+++ b/autodetect/true/radio.te
@@ -0,0 +1,2 @@
+allow radio hal:unix_stream_socket connectto;
+allow radio hal_socket:sock_file write;
diff --git a/autodetect/true/rfkill.te b/autodetect/true/rfkill.te
new file mode 100644
index 00000000..e17a5651
--- /dev/null
+++ b/autodetect/true/rfkill.te
@@ -0,0 +1,17 @@
+#
+# rfkill fdomain
+#
+# TODO: refactor with other rfkill domain
+
+# execs
+domain_auto_trans(hal, rfkill_exec, rfkill)
+domain_auto_trans(rfkill, hci_attach_exec, bluetooth)
+
+allow rfkill bluetooth:process sigkill;
+
+# devices
+allow rfkill rfkill_device:chr_file { read open };
+
+allow rfkill hal:fd use;
+allow rfkill hal:unix_stream_socket { read write };
+allow rfkill hal:file read;
diff --git a/autodetect/true/rservice.te b/autodetect/true/rservice.te
new file mode 100644
index 00000000..231ee42c
--- /dev/null
+++ b/autodetect/true/rservice.te
@@ -0,0 +1 @@
+# Rules for RService
diff --git a/autodetect/true/shell.te b/autodetect/true/shell.te
new file mode 100644
index 00000000..f32edaac
--- /dev/null
+++ b/autodetect/true/shell.te
@@ -0,0 +1,2 @@
+allow shell hal:unix_stream_socket connectto;
+allow shell hal_socket:sock_file write;
diff --git a/autodetect/true/surfaceflinger.te b/autodetect/true/surfaceflinger.te
new file mode 100644
index 00000000..6e1bc550
--- /dev/null
+++ b/autodetect/true/surfaceflinger.te
@@ -0,0 +1,2 @@
+allow surfaceflinger hal:unix_stream_socket connectto;
+allow surfaceflinger hal_socket:sock_file write;
diff --git a/autodetect/true/system_server.te b/autodetect/true/system_server.te
new file mode 100644
index 00000000..fcf1e220
--- /dev/null
+++ b/autodetect/true/system_server.te
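Review bot: `domain_auto_trans(rfkill, hci_attach_exec, bluetooth)` moves the hciattach helper into the `bluetooth` domain; if that is the AOSP Bluetooth app domain, a root-started native process then runs under an app domain's rules, and the `allow rfkill bluetooth:process sigkill;` two lines below exists only to clean up after that choice — a dedicated hci_attach domain is the usual shape, or at minimum a comment explaining why the app domain was chosen. The file never declares `type rfkill, domain;` or `rfkill_exec`, so it depends on another mixin (the `# TODO: refactor with other rfkill domain` hints at this); name that file in the comment. The header has a typo: `# rfkill fdomain` → `# rfkill domain`.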
@@ -0,0 +1,3 @@
+allow system_server hal_socket:sock_file write;
+allow system_server hal:unix_stream_socket connectto;
+
diff --git a/autodetect/true/toolbox.te b/autodetect/true/toolbox.te
new file mode 100644
index 00000000..c9d7f843
--- /dev/null
+++ b/autodetect/true/toolbox.te
@@ -0,0 +1,5 @@
+#
+# toolbox
+#
+
+allow toolbox hal_mnt_pnt:dir search;
diff --git a/autodetect/true/vold.te b/autodetect/true/vold.te
new file mode 100644
index 00000000..c51a8c70
--- /dev/null
+++ b/autodetect/true/vold.te
@@ -0,0 +1,6 @@
+#
+# hal
+#
+
+unix_socket_connect(vold, hal, hal)
+allow vold hal_mnt_pnt:dir search;
diff --git a/autodetect/true/zygote.te b/autodetect/true/zygote.te
new file mode 100644
index 00000000..42a88955
--- /dev/null
+++ b/autodetect/true/zygote.te
@@ -0,0 +1,2 @@
+allow zygote hal:unix_stream_socket connectto;
+allow zygote hal_socket:sock_file write;
diff --git a/bluetooth/ag620/hal.te b/bluetooth/ag620/hal.te
new file mode 100644
index 00000000..4968cd4f
--- /dev/null
+++ b/bluetooth/ag620/hal.te
@@ -0,0 +1,4 @@
+# hal script for ag620 mkdir's /nvm_fs_partition/bluetooth
+# we don't do automatic so we can sepcify the named hint
+file_type_trans(hal, efs_file, bluetooth_efs_file)
+type_transition hal efs_file:dir bluetooth_efs_file "bluetooth";
diff --git a/bluetooth/ag620/property_contexts b/bluetooth/ag620/property_contexts
new file mode 100644
index 00000000..05b6b10d
--- /dev/null
+++ b/bluetooth/ag620/property_contexts
@@ -0,0 +1 @@
+ctl.init_bt_nvm u:object_r:bluetooth_prop:s0
diff --git a/bluetooth/autodetect/file_contexts b/bluetooth/autodetect/file_contexts
new file mode 100644
index 00000000..77975410
--- /dev/null
+++ b/bluetooth/autodetect/file_contexts
@@ -0,0 +1 @@
+/dev/ttyS1 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/bcm43241/file_contexts b/bluetooth/bcm43241/file_contexts
new file mode 100644
index 00000000..a8cc5ba4
--- /dev/null
+++ b/bluetooth/bcm43241/file_contexts
@@ -0,0 +1,2 @@ +/dev/ttyHSU0 u:object_r:hci_attach_dev:s0 +/system/bin/rfkill_bt.sh u:object_r:rfkill_exec:s0 diff --git a/bluetooth/bcm4356/file_contexts b/bluetooth/bcm4356/file_contexts new file mode 100644 index 00000000..d805b36a --- /dev/null +++ b/bluetooth/bcm4356/file_contexts @@ -0,0 +1,2 @@ +/dev/ttyHSU0 u:object_r:hci_attach_dev:s0 +/system/bin/rfkill_bt.sh u:object_r:rfkill_exec:s0 diff --git a/bluetooth/common/file_contexts b/bluetooth/common/file_contexts index 6e9f2793..4fec0608 100644 --- a/bluetooth/common/file_contexts +++ b/bluetooth/common/file_contexts @@ -1,4 +1,4 @@ -/system/etc/bluetooth(/.*)? u:object_r:bluetooth_config_file:s0 +# /system/etc/bluetooth(/.*)? u:object_r:bluetooth_config_file:s0 (/system)?/vendor/bin/bt_nvm_init.sh u:object_r:init_bt_nvm_exec:s0 /vendor/bin/hciattach u:object_r:hci_attach_exec:s0 /oem_config/bluetooth u:object_r:bluetooth_data_file:s0 diff --git a/bluetooth/common/hal_bluetooth_vbt.te b/bluetooth/common/hal_bluetooth_vbt.te index 1c0e8470..dafb4c18 100644 --- a/bluetooth/common/hal_bluetooth_vbt.te +++ b/bluetooth/common/hal_bluetooth_vbt.te @@ -54,8 +54,8 @@ allowxperm hal_bluetooth_vbt self:socket ioctl { allow hal_bluetooth_vbt self:bluetooth_socket create_socket_perms; allow hal_bluetooth_vbt device:dir read; -allow hal_bluetooth_vbt usb_device:chr_file { ioctl open write }; -allow hal_bluetooth_vbt usb_device:dir { open read search}; +allow hal_bluetooth_vbt usb_device:chr_file rw_file_perms; +allow hal_bluetooth_vbt usb_device:dir r_dir_perms; allow hal_bluetooth_vbt self:netlink_kobject_uevent_socket { create bind setopt read }; allowxperm hal_bluetooth_vbt self:bluetooth_socket ioctl { diff --git a/bluetooth/common/kernel.te b/bluetooth/common/kernel.te new file mode 100644 index 00000000..d53ddfad --- /dev/null +++ b/bluetooth/common/kernel.te @@ -0,0 +1,3 @@ +#allow read permission for Bluetooth firmware file +allow kernel vendor_file:file { open read }; + 
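Review bot: Commenting out `/system/etc/bluetooth(/.*)? u:object_r:bluetooth_config_file:s0` in bluetooth/common/file_contexts instead of deleting it leaves dead text in a contexts file, and after this change no path in that file carries `bluetooth_config_file`, yet the new bluetooth/lightningpeak/bt_first_boot.te further down still grants `r_dir_perms`/`r_file_perms` on that type. If the label is applied from another mixin, say so in a comment in place of the disabled line; otherwise remove the entry and the now-unused bt_first_boot rules together.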
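Review bot: In bluetooth/common/hal_bluetooth_vbt.te the change from `{ ioctl open write }` to `rw_file_perms` on `usb_device:chr_file` adds `read`, `getattr`, `lock`, `append` and `map`, and `usb_device:dir` gains `getattr`, `ioctl` and `lock` through `r_dir_perms` (per the standard macro definitions); the commit does not say which denial motivated the widening. If only `read` was missing, `allow hal_bluetooth_vbt usb_device:chr_file { ioctl open read write };` keeps the grant minimal and the dir rule can stay as it was. The enclosing file continues outside the hunk on both sides.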
diff --git a/bluetooth/intel/file_contexts b/bluetooth/intel/file_contexts
deleted file mode 100644
index 3b02413c..00000000
--- a/bluetooth/intel/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_ia_exec:s0
diff --git a/bluetooth/intel/hal_bluetooth_ia.te b/bluetooth/intel/hal_bluetooth_ia.te
deleted file mode 100644
index 8a30046b..00000000
--- a/bluetooth/intel/hal_bluetooth_ia.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# For treble mode, the HAL is loaded by a excutable hal service, and
-# framework need request the hal service if it want to operate the
-# device by HAL.
-# For bluetooth, the default hal service is created by Google named
-# android.hardware.bluetooth@1.0-service
-# Google also setup sepolicy types and rules for the hal services, and
-# android.hardware.bluetooth@1.0-service is one of hal services.
-# The sepolicy type and rules for the hal services are created by Google
-# and locate at system/sepolicy/vendor/hal_xxx.te
-# For bluetooth it is hal_bluetooth_default.te, and the content of this
-# file is
-#
-#
-# type hal_bluetooth_default, domain;
-# hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-#
-# type hal_bluetooth_default_exec, exec_type, file_type;
-# init_daemon_domain(hal_bluetooth_default)
-#
-# # Logging for backward compatibility
-# allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
-# allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
-#
-# Google allow vendor to write his own hal service, but do not suggest
-# directly modify the default hal service code. Google also give the reference
-# code(device/linaro/hikey/bluetooth) about how to write vendor's own hal
-# service.
-# For gordon peak, bluetooth hal service need to be changed because some
-# message handling difference with Google's default one. Then the bluetooth
-# hal service for gordon peak is created based on default one.
-# The sepolicy types and rules for gordon peak bluetooth service needs to be
-# created too based on the default one.
-# The following setting are copied from hal_bluetooth_default.te except use
-# extension "gordon_peak" to replace "default".
-
-type hal_bluetooth_ia, domain;
-hal_server_domain(hal_bluetooth_ia, hal_bluetooth)
-
-type hal_bluetooth_ia_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(hal_bluetooth_ia)
-
-# Logging for backward compatibility
-allow hal_bluetooth_ia bluetooth_data_file:dir ra_dir_perms;
-allow hal_bluetooth_ia bluetooth_data_file:file create_file_perms;
-
-allow hal_bluetooth_ia self:socket create_socket_perms;
-
-allowxperm hal_bluetooth_ia self:socket ioctl {
- unpriv_sock_ioctls
- HCIDEVDOWN
-};
diff --git a/bluetooth/intel/hal_bluetooth_icl.te b/bluetooth/intel/hal_bluetooth_icl.te
deleted file mode 100644
index 58a22d74..00000000
--- a/bluetooth/intel/hal_bluetooth_icl.te
+++ /dev/null
@@ -1,51 +0,0 @@
-# For treble mode, the HAL is loaded by a excutable hal service, and
-# framework need request the hal service if it want to operate the
-# device by HAL.
-# For bluetooth, the default hal service is created by Google named
-# android.hardware.bluetooth@1.0-service
-# Google also setup sepolicy types and rules for the hal services, and
-# android.hardware.bluetooth@1.0-service is one of hal services.
-# The sepolicy type and rules for the hal services are created by Google
-# and locate at system/sepolicy/vendor/hal_xxx.te
-# For bluetooth it is hal_bluetooth_default.te, and the content of this
-# file is
-#
-#
-# type hal_bluetooth_default, domain;
-# hal_server_domain(hal_bluetooth_default, hal_bluetooth)
-#
-# type hal_bluetooth_default_exec, exec_type, file_type;
-# init_daemon_domain(hal_bluetooth_default)
-#
-# # Logging for backward compatibility
-# allow hal_bluetooth_default bluetooth_data_file:dir ra_dir_perms;
-# allow hal_bluetooth_default bluetooth_data_file:file create_file_perms;
-#
-# Google allow vendor to write his own hal service, but do not suggest
-# directly modify the default hal service code. Google also give the reference
-# code(device/linaro/hikey/bluetooth) about how to write vendor's own hal
-# service.
-# For gordon peak, bluetooth hal service need to be changed because some
-# message handling difference with Google's default one. Then the bluetooth
-# hal service for gordon peak is created based on default one.
-# The sepolicy types and rules for gordon peak bluetooth service needs to be
-# created too based on the default one.
-# The following setting are copied from hal_bluetooth_default.te except use
-# extension "gordon_peak" to replace "default".
-
-type hal_bluetooth_icl, domain;
-hal_server_domain(hal_bluetooth_icl, hal_bluetooth)
-
-type hal_bluetooth_icl_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(hal_bluetooth_icl)
-
-# Logging for backward compatibility
-allow hal_bluetooth_icl bluetooth_data_file:dir ra_dir_perms;
-allow hal_bluetooth_icl bluetooth_data_file:file create_file_perms;
-
-allow hal_bluetooth_icl self:socket create_socket_perms;
-
-allowxperm hal_bluetooth_icl self:socket ioctl {
- unpriv_sock_ioctls
- HCIDEVDOWN
-};
diff --git a/bluetooth/lightningpeak/bt_first_boot.te b/bluetooth/lightningpeak/bt_first_boot.te
new file mode 100644
index 00000000..e6c7476e
--- /dev/null
+++ b/bluetooth/lightningpeak/bt_first_boot.te
@@ -0,0 +1,22 @@
+type bt_first_boot, domain;
+type bt_first_boot_exec, exec_type, file_type;
+
+init_daemon_domain(bt_first_boot)
+
+allow bt_first_boot bluetooth_config_file:dir r_dir_perms;
+allow bt_first_boot bluetooth_config_file:file r_file_perms;
+
+allow bt_first_boot efs_file:dir create_dir_perms;
+allow bt_first_boot efs_file:file create_file_perms;
+
+allow bt_first_boot bluetooth_efs_file:dir w_dir_perms;
+allow bt_first_boot bluetooth_efs_file:file create_file_perms;
+
+allow bt_first_boot bt_first_boot_exec:file {x_file_perms entrypoint};
+
+allow bt_first_boot hci_attach_dev:chr_file rw_file_perms;
+
+allow bt_first_boot bluetooth_config_file:dir r_dir_perms;
+allow bt_first_boot bluetooth_config_file:file r_file_perms;
+
+allow bt_first_boot bt_first_boot:netlink_socket create_socket_perms;
diff --git a/bluetooth/lightningpeak/file_contexts b/bluetooth/lightningpeak/file_contexts
new file mode 100644
index 00000000..91d44c90
--- /dev/null
+++ b/bluetooth/lightningpeak/file_contexts
@@ -0,0 +1,4 @@
+# m4 macro expands to mixin config of configured port
+bt_lightning_peak_port u:object_r:hci_attach_dev:s0
+/system/bin/bt_first_boot u:object_r:bt_first_boot_exec:s0
+
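Review bot: `allow bt_first_boot bluetooth_config_file:dir r_dir_perms;` and the matching `:file r_file_perms;` rule appear twice in bt_first_boot.te (once right after `init_daemon_domain`, again just before the netlink rule); drop the second pair. The bigger concern is `allow bt_first_boot efs_file:dir create_dir_perms;` together with `allow bt_first_boot efs_file:file create_file_perms;`, which lets this first-boot helper create and write arbitrary files anywhere under the `efs_file` label even though the file also grants the narrower `bluetooth_efs_file`; if it only needs to create the bluetooth subtree, `file_type_auto_trans(bt_first_boot, efs_file, bluetooth_efs_file)` would keep it out of other efs data — please confirm which paths it actually touches. `allow bt_first_boot bt_first_boot_exec:file {x_file_perms entrypoint};` largely overlaps what `init_daemon_domain()` already grants through the init transition and can probably go as well.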
diff --git a/bluetooth/lightningpeak/init_bt_nvm.te b/bluetooth/lightningpeak/init_bt_nvm.te
new file mode 100644
index 00000000..e9e2ada4
--- /dev/null
+++ b/bluetooth/lightningpeak/init_bt_nvm.te
@@ -0,0 +1,3 @@
+allow init_bt_nvm hci_attach_dev:chr_file rw_file_perms;
+
+allow init_bt_nvm bt_first_boot_exec:file rx_file_perms;
diff --git a/bluetooth/marvellW8897/file_contexts b/bluetooth/marvellW8897/file_contexts
new file mode 100644
index 00000000..d1cdb215
--- /dev/null
+++ b/bluetooth/marvellW8897/file_contexts
@@ -0,0 +1 @@
+/dev/ttyS0 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/marvellW8897_acrn/file_contexts b/bluetooth/marvellW8897_acrn/file_contexts
new file mode 100644
index 00000000..0986b1ca
--- /dev/null
+++ b/bluetooth/marvellW8897_acrn/file_contexts
@@ -0,0 +1 @@
+/dev/ttyS2 u:object_r:hci_attach_dev:s0
diff --git a/bluetooth/pulsar/bluetooth.te b/bluetooth/pulsar/bluetooth.te
new file mode 100644
index 00000000..df3a890e
--- /dev/null
+++ b/bluetooth/pulsar/bluetooth.te
@@ -0,0 +1,2 @@
+allow bluetooth self:netlink_socket create_socket_perms;
+
diff --git a/bluetooth/pulsar/file_contexts b/bluetooth/pulsar/file_contexts
new file mode 100644
index 00000000..d26132e7
--- /dev/null
+++ b/bluetooth/pulsar/file_contexts
@@ -0,0 +1,4 @@
+# m4 macro expands to mixin config of configured port
+bt_pulsar_port u:object_r:hci_attach_dev:s0
+
+
diff --git a/bluetooth/rtl8723bs/file_contexts b/bluetooth/rtl8723bs/file_contexts
new file mode 100644
index 00000000..d805b36a
--- /dev/null
+++ b/bluetooth/rtl8723bs/file_contexts
@@ -0,0 +1,2 @@
+/dev/ttyHSU0 u:object_r:hci_attach_dev:s0
+/system/bin/rfkill_bt.sh u:object_r:rfkill_exec:s0
diff --git a/bluetooth/sofia_nvm/file_contexts b/bluetooth/sofia_nvm/file_contexts
new file mode 100644
index 00000000..e57dd542
--- /dev/null
+++ b/bluetooth/sofia_nvm/file_contexts
@@ -0,0 +1 @@
+/nvm_fs_partition/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0
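Review bot: `allow init_bt_nvm bt_first_boot_exec:file rx_file_perms;` executes the bt_first_boot binary inside the `init_bt_nvm` domain (`rx_file_perms` carries `execute_no_trans`), so none of the rules written for the `bt_first_boot` domain elsewhere in this change apply on that path and the binary inherits whatever init_bt_nvm can do. If the helper is meant to run confined, replace the line with `domain_auto_trans(init_bt_nvm, bt_first_boot_exec, bt_first_boot)`. If running in-domain is deliberate, say so next to the rule, e.g. `# bt_first_boot is run in this domain on purpose (no transition)`, so a later reader does not "fix" it.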
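Review bot: `allow bluetooth self:netlink_socket create_socket_perms;` in bluetooth/pulsar/bluetooth.te hands the Bluetooth app domain the catch-all `netlink_socket` class with no indication of which netlink family it needs or why the app process rather than the HAL needs it. A comment such as `# pulsar: <family> netlink socket used for <purpose>` would make the grant auditable, and if the family has a dedicated class (for example `netlink_route_socket`) that class should be used instead of the generic one. I cannot tell from this diff which family is involved, so please confirm before it lands.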
diff --git a/boot-arch/abl/device.te b/boot-arch/abl/device.te
deleted file mode 100644
index b31ee195..00000000
--- a/boot-arch/abl/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_block_device, dev_type;
diff --git a/boot-arch/abl/file_contexts b/boot-arch/abl/file_contexts
deleted file mode 100644
index 03f4101f..00000000
--- a/boot-arch/abl/file_contexts
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Block Devices
-#
-/dev/block/(pci|platform)(/.*)?/.*/by-name/boot(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/system(_(a|b))? u:object_r:system_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/vendor(_(a|b))? u:object_r:vendor_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/vbmeta(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/tos(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
diff --git a/boot-arch/abl/update_engine.te b/boot-arch/abl/update_engine.te
deleted file mode 100644
index c65dc121..00000000
--- a/boot-arch/abl/update_engine.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow update_engine vendor_block_device:blk_file rw_file_perms;
-allow update_engine tmpfs:file r_file_perms;
-allow update_engine tmpfs:lnk_file r_file_perms;
diff --git a/boot-arch/efi/file_contexts b/boot-arch/efi/file_contexts
deleted file mode 100644
index c551f431..00000000
--- a/boot-arch/efi/file_contexts
+++ /dev/null
@@ -1,12 +0,0 @@
-#
-# Block Devices
-#
-
-/dev/block/(pci|platform)(/.*)?/.*/by-name/boot u:object_r:boot_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
diff --git a/boot-arch/generic/device.te b/boot-arch/generic/device.te
new file mode 100644
index 00000000..a35611f1
--- /dev/null
+++ b/boot-arch/generic/device.te
@@ -0,0 +1,8 @@
+type acpi_block_device, dev_type;
+type acpio_block_device, dev_type;
+type vendor_block_device, dev_type;
+type product_block_device, dev_type;
+type odm_block_device, dev_type;
+typeattribute system_block_device super_block_device_type;
+typeattribute vendor_block_device super_block_device_type;
+typeattribute product_block_device super_block_device_type;
diff --git a/boot-arch/project-celadon/cel_apl/file_contexts b/boot-arch/generic/file_contexts
similarity index 64%
rename from boot-arch/project-celadon/cel_apl/file_contexts
rename to boot-arch/generic/file_contexts
index b6ad458a..c8fc1f3b 100644
--- a/boot-arch/project-celadon/cel_apl/file_contexts
+++ b/boot-arch/generic/file_contexts
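Review bot: `typeattribute system_block_device super_block_device_type;` and the vendor/product lines after it extend every rule written against `super_block_device_type` to the physical system, vendor and product partitions, while the generic file_contexts in this same change also introduces a dedicated `super` partition labelled `super_block_device`. Unless both layouts really coexist on one board, those three lines should be limited to the retrofit case, or at least carry a comment stating why the legacy partitions must be reachable as super devices, e.g. `# retrofit dynamic partitions: system/vendor/product double as super block devices`. The `acpi_block_device`, `acpio_block_device` and `odm_block_device` types are declared here but no visible domain rule in this change uses them; a one-line comment on which domain is expected to consume each would help the next reader.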
@@ -1,11 +1,13 @@
 #
 # Block Devices
 #
-
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/boot(_(a|b))? u:object_r:boot_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/bootloader(_(a|b))? u:object_r:boot_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/multiboot(_(a|b))? u:object_r:boot_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/system(_(a|b))? u:object_r:system_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vendor(_(a|b))? u:object_r:vendor_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/product(_(a|b))? u:object_r:product_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/odm(_(a|b))? u:object_r:odm_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vbmeta(_(a|b))? u:object_r:boot_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/tos(_(a|b))? u:object_r:boot_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
@@ -13,7 +15,9 @@
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/userdata u:object_r:userdata_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
 /dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
-
-/gpt.cel_apl.ini u:object_r:rootfs:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/acpi(_(a|b))? u:object_r:acpi_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/acpio(_(a|b))? u:object_r:acpio_block_device:s0
+/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/super u:object_r:super_block_device:s0
diff --git a/boot-arch/generic/genfs_contexts b/boot-arch/generic/genfs_contexts
new file mode 100644
index 00000000..591cb972
--- /dev/null
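Review bot: `odm(_(a|b))?` is labelled `odm_block_device` here, but the companion boot-arch/generic/init.te in this change only grants init `lnk_file relabelto` on boot, vendor and product block devices; if the odm by-name symlink is created and relabelled the same way as product's, init will be denied on it. Either add `odm_block_device` to that relabelto list or put a comment next to this line explaining why odm does not need it. The `super` entry is also the only partition here without a `(_(a|b))?` suffix; if that is intentional (super is not slotted) a trailing `# unslotted` would save the next reader from asking.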
+++ b/boot-arch/generic/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/ANDR0001:00/properties/android u:object_r:sysfs_dt_firmware_android:s0
diff --git a/boot-arch/generic/init.te b/boot-arch/generic/init.te
new file mode 100644
index 00000000..5000423e
--- /dev/null
+++ b/boot-arch/generic/init.te
@@ -0,0 +1,7 @@
+allow init {
+ boot_block_device
+ vendor_block_device
+ product_block_device
+}:lnk_file relabelto;
+allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;
+allowxperm init metadata_block_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
diff --git a/boot-arch/generic/ueventd.te b/boot-arch/generic/ueventd.te
new file mode 100644
index 00000000..22b8305a
--- /dev/null
+++ b/boot-arch/generic/ueventd.te
@@ -0,0 +1 @@
+allow ueventd tmpfs:lnk_file read;
diff --git a/boot-arch/project-celadon/cel_apl/device.te b/boot-arch/project-celadon/cel_apl/device.te
deleted file mode 100644
index b31ee195..00000000
--- a/boot-arch/project-celadon/cel_apl/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_block_device, dev_type;
diff --git a/boot-arch/project-celadon/cel_apl/hal_bootctl_default.te b/boot-arch/project-celadon/cel_apl/hal_bootctl_default.te
deleted file mode 100644
index 2f1f82bc..00000000
--- a/boot-arch/project-celadon/cel_apl/hal_bootctl_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_bootctl_default rootfs:file r_file_perms;
-allow hal_bootctl_default proc:file r_file_perms;
-allow hal_bootctl_default block_device:dir r_dir_perms;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default tmpfs:file r_file_perms;
-allow hal_bootctl_default tmpfs:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/cel_apl/init.te b/boot-arch/project-celadon/cel_apl/init.te
deleted file mode 100644
index a2f993a8..00000000
--- a/boot-arch/project-celadon/cel_apl/init.te
+++ /dev/null
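Review bot: `allowxperm init metadata_block_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };` in boot-arch/generic/init.te only filters an ioctl grant; unless a base `allow init metadata_block_device:blk_file ioctl` rule exists somewhere else (none is visible in this change), the extended-permission line has no effect and the discard will still be denied. Please confirm the base rule exists or add `allow init metadata_block_device:blk_file ioctl;` beside it. `allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;` hands init write access to the raw userdata partition; a one-line comment naming the init step that needs it would make the grant reviewable, and if only the symlink needs relabelling the `lnk_file` half can be narrowed to `relabelto` like the devices in the rule above it.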
@@ -1,4 +0,0 @@
-allow init system_file:system module_load;
-allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;
-allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;
diff --git a/boot-arch/project-celadon/cel_apl/postinstall.te b/boot-arch/project-celadon/cel_apl/postinstall.te
deleted file mode 100644
index b450db0e..00000000
--- a/boot-arch/project-celadon/cel_apl/postinstall.te
+++ /dev/null
@@ -1,16 +0,0 @@
-typeattribute postinstall system_writes_vendor_properties_violators;
-typeattribute postinstall system_executes_vendor_violators;
-
-recovery_only(`
- allow postinstall rootfs:file rx_file_perms;
-')
-
-allow postinstall vendor_shell_exec:file rx_file_perms;
-allow postinstall vendor_toolbox_exec:file rx_file_perms;
-allow postinstall rootfs:dir mounton;
-allow postinstall self:capability sys_admin;
-allow postinstall vfat:filesystem { mount unmount };
-allow postinstall vfat:dir create_dir_perms;
-allow postinstall vfat:file create_file_perms;
-allow postinstall block_device:dir search;
-allow postinstall boot_block_device:blk_file r_file_perms;
diff --git a/boot-arch/project-celadon/cel_apl/recovery.te b/boot-arch/project-celadon/cel_apl/recovery.te
deleted file mode 100644
index 15fb9512..00000000
--- a/boot-arch/project-celadon/cel_apl/recovery.te
+++ /dev/null
@@ -1 +0,0 @@
-allow recovery sysfs_thermal_management:dir { search };
diff --git a/boot-arch/project-celadon/cel_apl/update_engine.te b/boot-arch/project-celadon/cel_apl/update_engine.te
deleted file mode 100644
index 9d845dac..00000000
--- a/boot-arch/project-celadon/cel_apl/update_engine.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow update_engine vendor_block_device:blk_file rw_file_perms;
-allow update_engine tmpfs:dir r_dir_perms;
-allow update_engine tmpfs:file r_file_perms;
-allow update_engine tmpfs:lnk_file r_file_perms;
-allow update_engine vendor_shell_exec:file rx_file_perms;
-
-allow update_engine platform_app:binder call;
-allow update_engine vfat:dir search;
-allow update_engine vfat:file r_file_perms;
-allow update_engine sdcardfs:dir search;
-allow update_engine sdcardfs:file r_file_perms;
-allow update_engine mnt_media_rw_file:file r_file_perms;
-allow update_engine mnt_media_rw_file:dir r_dir_perms;
-allow update_engine storage_file:file r_file_perms;
-allow update_engine storage_file:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/cel_apl/update_engine_common.te b/boot-arch/project-celadon/cel_apl/update_engine_common.te
deleted file mode 100644
index eb5f3aab..00000000
--- a/boot-arch/project-celadon/cel_apl/update_engine_common.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow update_engine_common vendor_block_device:blk_file rw_file_perms;
-allow update_engine_common tmpfs:file r_file_perms;
-allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/boot-arch/project-celadon/cel_apl/update_engine_sideload.te b/boot-arch/project-celadon/cel_apl/update_engine_sideload.te
deleted file mode 100644
index 7ef4adf6..00000000
--- a/boot-arch/project-celadon/cel_apl/update_engine_sideload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type update_engine_sideload, domain;
-
-allow update_engine_sideload recovery:capability { sys_rawio };
diff --git a/boot-arch/project-celadon/cel_apl/vold.te b/boot-arch/project-celadon/cel_apl/vold.te
deleted file mode 100644
index a7cd9484..00000000
--- a/boot-arch/project-celadon/cel_apl/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vold tmpfs:file r_file_perms;
diff --git a/boot-arch/project-celadon/cel_kbl/device.te b/boot-arch/project-celadon/cel_kbl/device.te
deleted file mode 100644
index b31ee195..00000000
--- a/boot-arch/project-celadon/cel_kbl/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_block_device, dev_type;
diff --git a/boot-arch/project-celadon/cel_kbl/file_contexts b/boot-arch/project-celadon/cel_kbl/file_contexts
deleted file mode 100644
index 21ba4ead..00000000
--- a/boot-arch/project-celadon/cel_kbl/file_contexts
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Block Devices
-#
-
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/boot(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/bootloader(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/system(_(a|b))? u:object_r:system_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vendor(_(a|b))? u:object_r:vendor_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vbmeta(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/tos(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
-
-/gpt.cel_kbl.ini u:object_r:rootfs:s0
diff --git a/boot-arch/project-celadon/cel_kbl/hal_bootctl_default.te b/boot-arch/project-celadon/cel_kbl/hal_bootctl_default.te
deleted file mode 100644
index 2f1f82bc..00000000
--- a/boot-arch/project-celadon/cel_kbl/hal_bootctl_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_bootctl_default rootfs:file r_file_perms;
-allow hal_bootctl_default proc:file r_file_perms;
-allow hal_bootctl_default block_device:dir r_dir_perms;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default tmpfs:file r_file_perms;
-allow hal_bootctl_default tmpfs:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/cel_kbl/init.te b/boot-arch/project-celadon/cel_kbl/init.te
deleted file mode 100644
index a2f993a8..00000000
--- a/boot-arch/project-celadon/cel_kbl/init.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow init system_file:system module_load;
-allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;
-allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;
diff --git a/boot-arch/project-celadon/cel_kbl/recovery.te b/boot-arch/project-celadon/cel_kbl/recovery.te
deleted file mode 100644
index 15fb9512..00000000
--- a/boot-arch/project-celadon/cel_kbl/recovery.te
+++ /dev/null
@@ -1 +0,0 @@
-allow recovery sysfs_thermal_management:dir { search };
diff --git a/boot-arch/project-celadon/cel_kbl/update_engine_common.te b/boot-arch/project-celadon/cel_kbl/update_engine_common.te
deleted file mode 100644
index eb5f3aab..00000000
--- a/boot-arch/project-celadon/cel_kbl/update_engine_common.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow update_engine_common vendor_block_device:blk_file rw_file_perms;
-allow update_engine_common tmpfs:file r_file_perms;
-allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/boot-arch/project-celadon/cel_kbl/update_engine_sideload.te b/boot-arch/project-celadon/cel_kbl/update_engine_sideload.te
deleted file mode 100644
index 7ef4adf6..00000000
--- a/boot-arch/project-celadon/cel_kbl/update_engine_sideload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type update_engine_sideload, domain;
-
-allow update_engine_sideload recovery:capability { sys_rawio };
diff --git a/boot-arch/project-celadon/cel_kbl/vold.te b/boot-arch/project-celadon/cel_kbl/vold.te
deleted file mode 100644
index a7cd9484..00000000
--- a/boot-arch/project-celadon/cel_kbl/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vold tmpfs:file r_file_perms;
diff --git a/boot-arch/project-celadon/celadon/device.te b/boot-arch/project-celadon/celadon/device.te
deleted file mode 100644
index b31ee195..00000000
--- a/boot-arch/project-celadon/celadon/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_block_device, dev_type;
diff --git a/boot-arch/project-celadon/celadon/file_contexts b/boot-arch/project-celadon/celadon/file_contexts
deleted file mode 100644
index 5b4108a1..00000000
--- a/boot-arch/project-celadon/celadon/file_contexts
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Block Devices
-#
-
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/boot(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/bootloader(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/system(_(a|b))? u:object_r:system_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vendor(_(a|b))? u:object_r:vendor_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vbmeta(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/tos(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
-
-/gpt.celadon.ini u:object_r:rootfs:s0
diff --git a/boot-arch/project-celadon/celadon/hal_bootctl_default.te b/boot-arch/project-celadon/celadon/hal_bootctl_default.te
deleted file mode 100644
index 2f1f82bc..00000000
--- a/boot-arch/project-celadon/celadon/hal_bootctl_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_bootctl_default rootfs:file r_file_perms;
-allow hal_bootctl_default proc:file r_file_perms;
-allow hal_bootctl_default block_device:dir r_dir_perms;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default tmpfs:file r_file_perms;
-allow hal_bootctl_default tmpfs:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/celadon/init.te b/boot-arch/project-celadon/celadon/init.te
deleted file mode 100644
index a2f993a8..00000000
--- a/boot-arch/project-celadon/celadon/init.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow init system_file:system module_load;
-allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;
-allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;
diff --git a/boot-arch/project-celadon/celadon/postinstall.te b/boot-arch/project-celadon/celadon/postinstall.te
deleted file mode 100644
index b450db0e..00000000
--- a/boot-arch/project-celadon/celadon/postinstall.te
+++ /dev/null
@@ -1,16 +0,0 @@
-typeattribute postinstall system_writes_vendor_properties_violators;
-typeattribute postinstall system_executes_vendor_violators;
-
-recovery_only(`
- allow postinstall rootfs:file rx_file_perms;
-')
-
-allow postinstall vendor_shell_exec:file rx_file_perms;
-allow postinstall vendor_toolbox_exec:file rx_file_perms;
-allow postinstall rootfs:dir mounton;
-allow postinstall self:capability sys_admin;
-allow postinstall vfat:filesystem { mount unmount };
-allow postinstall vfat:dir create_dir_perms;
-allow postinstall vfat:file create_file_perms;
-allow postinstall block_device:dir search;
-allow postinstall boot_block_device:blk_file r_file_perms;
diff --git a/boot-arch/project-celadon/celadon/recovery.te b/boot-arch/project-celadon/celadon/recovery.te
deleted file mode 100644
index 15fb9512..00000000
--- a/boot-arch/project-celadon/celadon/recovery.te
+++ /dev/null
@@ -1 +0,0 @@
-allow recovery sysfs_thermal_management:dir { search };
diff --git a/boot-arch/project-celadon/celadon/update_engine.te b/boot-arch/project-celadon/celadon/update_engine.te
deleted file mode 100644
index 9d845dac..00000000
--- a/boot-arch/project-celadon/celadon/update_engine.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow update_engine vendor_block_device:blk_file rw_file_perms;
-allow update_engine tmpfs:dir r_dir_perms;
-allow update_engine tmpfs:file r_file_perms;
-allow update_engine tmpfs:lnk_file r_file_perms;
-allow update_engine vendor_shell_exec:file rx_file_perms;
-
-allow update_engine platform_app:binder call;
-allow update_engine vfat:dir search;
-allow update_engine vfat:file r_file_perms;
-allow update_engine sdcardfs:dir search;
-allow update_engine sdcardfs:file r_file_perms;
-allow update_engine mnt_media_rw_file:file r_file_perms;
-allow update_engine mnt_media_rw_file:dir r_dir_perms;
-allow update_engine storage_file:file r_file_perms;
-allow update_engine storage_file:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/celadon/update_engine_common.te b/boot-arch/project-celadon/celadon/update_engine_common.te
deleted file mode 100644
index eb5f3aab..00000000
--- a/boot-arch/project-celadon/celadon/update_engine_common.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow update_engine_common vendor_block_device:blk_file rw_file_perms;
-allow update_engine_common tmpfs:file r_file_perms;
-allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/boot-arch/project-celadon/celadon/update_engine_sideload.te b/boot-arch/project-celadon/celadon/update_engine_sideload.te
deleted file mode 100644
index 7ef4adf6..00000000
--- a/boot-arch/project-celadon/celadon/update_engine_sideload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type update_engine_sideload, domain;
-
-allow update_engine_sideload recovery:capability { sys_rawio };
diff --git a/boot-arch/project-celadon/celadon/vold.te b/boot-arch/project-celadon/celadon/vold.te
deleted file mode 100644
index a7cd9484..00000000
--- a/boot-arch/project-celadon/celadon/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vold tmpfs:file r_file_perms;
diff --git a/boot-arch/project-celadon/clk/device.te b/boot-arch/project-celadon/clk/device.te
deleted file mode 100644
index b31ee195..00000000
--- a/boot-arch/project-celadon/clk/device.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_block_device, dev_type;
diff --git a/boot-arch/project-celadon/clk/file_contexts b/boot-arch/project-celadon/clk/file_contexts
deleted file mode 100644
index 047bd8fb..00000000
--- a/boot-arch/project-celadon/clk/file_contexts
+++ /dev/null
@@ -1,19 +0,0 @@
-#
-# Block Devices
-#
-
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/boot(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/bootloader(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/system(_(a|b))? u:object_r:system_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vendor(_(a|b))? u:object_r:vendor_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/vbmeta(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/tos(_(a|b))? u:object_r:boot_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/persistent u:object_r:frp_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/recovery u:object_r:recovery_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/data u:object_r:userdata_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/(pci|platform|vbd)(/.*)?/.*/by-name/teedata u:object_r:tee_device:s0
-
-/gpt.clk.ini u:object_r:rootfs:s0
diff --git a/boot-arch/project-celadon/clk/hal_bootctl_default.te b/boot-arch/project-celadon/clk/hal_bootctl_default.te
deleted file mode 100644
index 2f1f82bc..00000000
--- a/boot-arch/project-celadon/clk/hal_bootctl_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_bootctl_default rootfs:file r_file_perms;
-allow hal_bootctl_default proc:file r_file_perms;
-allow hal_bootctl_default block_device:dir r_dir_perms;
-allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
-allow hal_bootctl_default tmpfs:file r_file_perms;
-allow hal_bootctl_default tmpfs:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/clk/init.te b/boot-arch/project-celadon/clk/init.te
deleted file mode 100644
index a2f993a8..00000000
--- a/boot-arch/project-celadon/clk/init.te
+++ /dev/null
@@ -1,4 +0,0 @@
-allow init system_file:system module_load;
-allow init tmpfs:file r_file_perms;
-allow init { boot_block_device vendor_block_device }:lnk_file relabelto;
-allow init userdata_block_device:{ lnk_file blk_file } w_file_perms;
diff --git a/boot-arch/project-celadon/clk/postinstall.te b/boot-arch/project-celadon/clk/postinstall.te
deleted file mode 100644
index b450db0e..00000000
--- a/boot-arch/project-celadon/clk/postinstall.te
+++ /dev/null
@@ -1,16 +0,0 @@
-typeattribute postinstall system_writes_vendor_properties_violators;
-typeattribute postinstall system_executes_vendor_violators;
-
-recovery_only(`
- allow postinstall rootfs:file rx_file_perms;
-')
-
-allow postinstall vendor_shell_exec:file rx_file_perms;
-allow postinstall vendor_toolbox_exec:file rx_file_perms;
-allow postinstall rootfs:dir mounton;
-allow postinstall self:capability sys_admin;
-allow postinstall vfat:filesystem { mount unmount };
-allow postinstall vfat:dir create_dir_perms;
-allow postinstall vfat:file create_file_perms;
-allow postinstall block_device:dir search;
-allow postinstall boot_block_device:blk_file r_file_perms;
diff --git a/boot-arch/project-celadon/clk/recovery.te b/boot-arch/project-celadon/clk/recovery.te
deleted file mode 100644
index 15fb9512..00000000
--- a/boot-arch/project-celadon/clk/recovery.te
+++ /dev/null
@@ -1 +0,0 @@
-allow recovery sysfs_thermal_management:dir { search };
diff --git a/boot-arch/project-celadon/clk/update_engine.te b/boot-arch/project-celadon/clk/update_engine.te
deleted file mode 100644
index 9d845dac..00000000
--- a/boot-arch/project-celadon/clk/update_engine.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow update_engine vendor_block_device:blk_file rw_file_perms;
-allow update_engine tmpfs:dir r_dir_perms;
-allow update_engine tmpfs:file r_file_perms;
-allow update_engine tmpfs:lnk_file r_file_perms;
-allow update_engine vendor_shell_exec:file rx_file_perms;
-
-allow update_engine platform_app:binder call;
-allow update_engine vfat:dir search;
-allow update_engine vfat:file r_file_perms;
-allow update_engine sdcardfs:dir search;
-allow update_engine sdcardfs:file r_file_perms;
-allow update_engine mnt_media_rw_file:file r_file_perms;
-allow update_engine mnt_media_rw_file:dir r_dir_perms;
-allow update_engine storage_file:file r_file_perms;
-allow update_engine storage_file:dir r_dir_perms;
diff --git a/boot-arch/project-celadon/clk/update_engine_common.te b/boot-arch/project-celadon/clk/update_engine_common.te
deleted file mode 100644
index eb5f3aab..00000000
--- a/boot-arch/project-celadon/clk/update_engine_common.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow update_engine_common vendor_block_device:blk_file rw_file_perms;
-allow update_engine_common tmpfs:file r_file_perms;
-allow update_engine_common tmpfs:lnk_file r_file_perms;
diff --git a/boot-arch/project-celadon/clk/update_engine_sideload.te b/boot-arch/project-celadon/clk/update_engine_sideload.te
deleted file mode 100644
index 7ef4adf6..00000000
--- a/boot-arch/project-celadon/clk/update_engine_sideload.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type update_engine_sideload, domain;
-
-allow update_engine_sideload recovery:capability { sys_rawio };
diff --git a/boot-arch/project-celadon/clk/vold.te b/boot-arch/project-celadon/clk/vold.te
deleted file mode 100644
index a7cd9484..00000000
--- a/boot-arch/project-celadon/clk/vold.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vold tmpfs:file r_file_perms;
diff --git a/boot-arch/readme b/boot-arch/readme
new file mode 100644
index 00000000..336886eb
--- /dev/null
+++ b/boot-arch/readme
@@ -0,0 +1,5 @@
+"common" directory is used for Sofia devices.
+"generic" directory is used for all platforms unless Sofia.
+"xbl" directory is used for abl, sbl and vsbl platforms.
+other directories "abl", "sbl", "vsbl" and "efi", if present, are used only for the related platforms.
+"slotab_ota" directory is for platforms using slotab ota (it has generic, xbl and efi subdirectories).
diff --git a/boot-arch/sofia/cg2k.te b/boot-arch/sofia/cg2k.te
new file mode 100644
index 00000000..4c335e1d
--- /dev/null
+++ b/boot-arch/sofia/cg2k.te
@@ -0,0 +1,9 @@
+#telephony specific permissions for cg2k
+define(`cg2k_only', ifelse(sepolicy_module_gps, `cg2k', $1, ))
+
+cg2k_only(`
+ allow cg2k rpc_reg_socket:sock_file write;
+ allow cg2k rpc_recv_socket:sock_file write;
+ allow cg2k rpc_send_socket:sock_file write;
+ allow cg2k rpcdaemon:unix_stream_socket connectto;
+')
diff --git a/boot-arch/sofia/file_contexts b/boot-arch/sofia/file_contexts
new file mode 100644
index 00000000..8f40160a
--- /dev/null
+++ b/boot-arch/sofia/file_contexts
@@ -0,0 +1,15 @@
+#
+# Block Devices
+#
+
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID071 u:object_r:boot_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID126 u:object_r:frp_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID121 u:object_r:recovery_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID068 u:object_r:system_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID070 u:object_r:cache_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID076 u:object_r:nvm_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID069 u:object_r:userdata_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID127 u:object_r:metadata_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID022 u:object_r:rpc_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID023 u:object_r:rpc_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID024 u:object_r:rpc_block_device:s0
diff --git a/boot-arch/sofia/kernel.te b/boot-arch/sofia/kernel.te
new file mode 100644
index 00000000..6fe35b2d
--- /dev/null
+++ b/boot-arch/sofia/kernel.te
@@ -0,0 +1,15 @@
+#
+# Kernel
+#
+
+# OCT Trace kernel thread opens a USB Gadget TTY to send
+# Modem trace information. This trace information is enabled
+# or disabled by the customer and requires a key to interact
+# with.
+# XXX We only allow this on userdebug or eng
+userdebug_or_eng(`
+ allow kernel serial_device:chr_file rw_file_perms;
+')
+# vnvm accesses
+allow kernel rpc_block_device:blk_file rw_file_perms;
+allow kernel rpc_block_device:dir search;
diff --git a/boot-arch/sofia3gr/README b/boot-arch/sofia3gr/README
new file mode 100644
index 00000000..8471c8b5
--- /dev/null
+++ b/boot-arch/sofia3gr/README
@@ -0,0 +1,3 @@
+All of this was commented out since boot-arch cannot be leveraged. Bootarch is in sofia_lte policy
+for now, since that device is stable enough to bring up. Eventually, when sf3gr comes up, sofia LTE
+policy can be pulled back up into bootarch.
diff --git a/boot-arch/sofia3gr/file_contexts b/boot-arch/sofia3gr/file_contexts
new file mode 100644
index 00000000..0338b452
--- /dev/null
+++ b/boot-arch/sofia3gr/file_contexts
@@ -0,0 +1,16 @@
+#
+# Block Devices
+#
+
+# Use by-name when possible
+/dev/block/mmcblk0p9 u:object_r:boot_block_device:s0
+/dev/block/mmcblk0p10 u:object_r:recovery_block_device:s0
+/dev/block/mmcblk0p15 u:object_r:frp_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID068 u:object_r:system_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID070 u:object_r:cache_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID076 u:object_r:nvm_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID069 u:object_r:userdata_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID127 u:object_r:metadata_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID022 u:object_r:rpc_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID023 u:object_r:rpc_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/ImcPartID024 u:object_r:rpc_block_device:s0
diff --git a/boot-arch/sofia3gr/hal.te b/boot-arch/sofia3gr/hal.te
new file mode 100644
index 00000000..a59932d2
--- /dev/null
+++ b/boot-arch/sofia3gr/hal.te
@@ -0,0 +1,12 @@
+#
+# hal
+#
+
+# We only see these requests on sofia3gr, possible refactor out
+allow hal self:capability net_raw;
+allow hal self:udp_socket create_socket_perms;
+
+# e.g. bluetooth, wifi, sensors nvm access for provisionning and ptest mode
+allow hal efs_file:dir create_dir_perms;
+allow hal efs_file:file create_file_perms;
+allow hal efs_file:lnk_file create_file_perms;
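Review bot: `allow hal self:capability net_raw;` in sofia3gr/hal.te grants CAP_NET_RAW to the whole shared `hal` domain, and the comment above it only records that the requests were seen on sofia3gr without naming the HAL that issues them. A comment such as `# net_raw/udp_socket: needed by <HAL name - TODO fill in>, sofia3gr only; move to that HAL's domain when it gets one` would let the rule be narrowed later instead of staying on the catch-all domain. The three `efs_file` rules below it hand out create/unlink on every efs_file object while the comment lists several unrelated consumers (bluetooth, wifi, sensors), so a per-consumer sub-label is worth considering there too.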
diff --git a/boot-arch/sofia3gr/kernel.te b/boot-arch/sofia3gr/kernel.te
new file mode 100644
index 00000000..196af3e1
--- /dev/null
+++ b/boot-arch/sofia3gr/kernel.te
@@ -0,0 +1,20 @@
+#
+# Kernel
+#
+
+# OCT Trace kernel thread opens a USB Gadget TTY to send
+# Modem trace information. This trace information is enabled
+# or disabled by the customer and requires a key to interact
+# with.
+# XXX We only allow this on userdebug or eng
+userdebug_or_eng(`
+ allow kernel serial_device:chr_file rw_file_perms;
+')
+
+# Loading manufactured data (e.g. modprobe iwlwifi with nvmData file)
+allow kernel efs_file:dir search;
+allow kernel efs_file:file { read getattr open };
+allow kernel efs_file:lnk_file { read getattr open };
+
+allow kernel rpc_block_device:blk_file rw_file_perms;
+allow kernel rpc_block_device:dir search;
diff --git a/boot-arch/sofia3gr/oars7/file_contexts b/boot-arch/sofia3gr/oars7/file_contexts
new file mode 100644
index 00000000..47ac6970
--- /dev/null
+++ b/boot-arch/sofia3gr/oars7/file_contexts
@@ -0,0 +1,2 @@
+# UFO
+(/system)?/vendor/gfx/ufo_byt/bin/coreu u:object_r:coreu_exec:s0
diff --git a/boot-arch/sofia3gr/property.te b/boot-arch/sofia3gr/property.te
new file mode 100644
index 00000000..617d6648
--- /dev/null
+++ b/boot-arch/sofia3gr/property.te
@@ -0,0 +1 @@
+type modem_prop, property_type;
diff --git a/boot-arch/sofia3gr/property_contexts b/boot-arch/sofia3gr/property_contexts
new file mode 100644
index 00000000..425251a8
--- /dev/null
+++ b/boot-arch/sofia3gr/property_contexts
@@ -0,0 +1,4 @@
+##camera
+#
+## modem
+modem. u:object_r:modem_prop:s0
diff --git a/boot-arch/sofia3gr/radio.te b/boot-arch/sofia3gr/radio.te
new file mode 100644
index 00000000..082adda7
--- /dev/null
+++ b/boot-arch/sofia3gr/radio.te
@@ -0,0 +1,6 @@
+##
+## radio
+##
+#
+set_prop(radio, modem_prop)
+#
diff --git a/boot-arch/sofia3gr/rpcServer.te b/boot-arch/sofia3gr/rpcServer.te
new file mode 100644
index 00000000..6f31c01b
--- /dev/null
+++ b/boot-arch/sofia3gr/rpcServer.te
@@ -0,0 +1,2 @@
+set_prop(rpcServer, modem_prop)
+allow rpcServer rpc_block_device:blk_file { read open };
diff --git a/bxt_usb/file.te b/bxt_usb/file.te
new file mode 100644
index 00000000..0b783a6a
--- /dev/null
+++ b/bxt_usb/file.te
@@ -0,0 +1 @@
+type sysfs_usb_writable, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/bxt_usb/file_contexts b/bxt_usb/file_contexts
new file mode 100644
index 00000000..5d5943c7
--- /dev/null
+++ b/bxt_usb/file_contexts
@@ -0,0 +1,3 @@
+# reset_usb service WA
+/vendor/bin/reset_usb.sh u:object_r:reset_usb_script_exec:s0
+/sys/devices/pci0000:00/0000:00:15.1/intel-cht-otg.0(/.*) u:object_r:sysfs_usb_writable:s0
diff --git a/bxt_usb/reset_usb.te b/bxt_usb/reset_usb.te
new file mode 100644
index 00000000..efa0bd60
--- /dev/null
+++ b/bxt_usb/reset_usb.te
@@ -0,0 +1,16 @@
+type reset_usb_script, domain;
+type reset_usb_script_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(reset_usb_script)
+
+not_full_treble(`
+ allow reset_usb_script shell_exec:file rx_file_perms;
+ allow reset_usb_script toolbox_exec:file rx_file_perms;
+')
+full_treble_only(`
+ allow reset_usb_script vendor_shell_exec:file rx_file_perms;
+ allow reset_usb_script vendor_toolbox_exec:file rx_file_perms;
+')
+
+allow reset_usb_script sysfs_usb_writable:dir search;
+allow reset_usb_script sysfs_usb_writable:file rw_file_perms;
diff --git a/bxt_usb/uevend.te b/bxt_usb/uevend.te
new file mode 100644
index 00000000..3893c420
--- /dev/null
+++ b/bxt_usb/uevend.te
@@ -0,0 +1,2 @@
+# Load firmware to chip
+allow ueventd sysfs_usb_writable:file w_file_perms;
diff --git a/camera-ext/ext-camera-only/cameraserver.te b/camera-ext/ext-camera-only/cameraserver.te
index b501ee86..a24f9bb6 100644
--- a/camera-ext/ext-camera-only/cameraserver.te
+++ b/camera-ext/ext-camera-only/cameraserver.te
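Review bot: The sysfs entry in bxt_usb/file_contexts ends in `(/.*)` without the trailing `?`, so it matches only paths below intel-cht-otg.0 and never the directory itself; the `sysfs_usb_writable:dir search` granted in reset_usb.te then applies only to subdirectories while the top directory keeps the generic sysfs label. If the directory is meant to be covered, the usual form is `/sys/devices/pci0000:00/0000:00:15.1/intel-cht-otg.0(/.*)? u:object_r:sysfs_usb_writable:s0`. A file_contexts entry under /sys only takes effect once something runs restorecon on that path (sysfs is otherwise labelled through genfs_contexts), so a comment naming the init.rc step that does this would help the next reader confirm the label is applied before reset_usb.sh and ueventd touch it.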
@@ -1,4 +1,4 @@ #============= cameraserver ============== allow cameraserver gpu_device:dir search; -allow cameraserver gpu_device:chr_file { ioctl open read write }; +allow cameraserver gpu_device:chr_file rw_file_perms; allow cameraserver hal_graphics_allocator_default_tmpfs:file { read write map}; diff --git a/camera-ext/ext-camera-only/file_contexts b/camera-ext/ext-camera-only/file_contexts index 1435d5fd..31d7ef48 100644 --- a/camera-ext/ext-camera-only/file_contexts +++ b/camera-ext/ext-camera-only/file_contexts @@ -1,2 +1 @@ -/dev/video* u:object_r:video_device:s0 -/dev/media([0-9])+ u:object_r:video_device:s0 +/dev/media[0-9]+ u:object_r:video_device:s0 diff --git a/camera-ext/ext-camera-only/hal_camera_default.te b/camera-ext/ext-camera-only/hal_camera_default.te index bfb01c8c..a11d945c 100644 --- a/camera-ext/ext-camera-only/hal_camera_default.te +++ b/camera-ext/ext-camera-only/hal_camera_default.te @@ -1,7 +1,7 @@ #============= hal_camera_default ============== vndbinder_use(hal_camera_default); -allow hal_camera_default gpu_device:chr_file { ioctl open read write }; +allow hal_camera_default gpu_device:chr_file rw_file_perms; allow hal_camera_default gpu_device:dir search; allow hal_camera_default hal_graphics_allocator_default_tmpfs:file { map read write }; allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find; diff --git a/camera/hal.te b/camera/hal.te new file mode 100644 index 00000000..d249a271 --- /dev/null +++ b/camera/hal.te @@ -0,0 +1,3 @@ +module_only(`autodetect', + set_prop(hal, vendor_camera_prop) +') diff --git a/camera/hal_camera_default.te b/camera/hal_camera_default.te new file mode 100644 index 00000000..ee250481 --- /dev/null +++ b/camera/hal_camera_default.te 
@@ -0,0 +1,26 @@
+vndbinder_use(hal_camera_default)
+not_full_treble(`
+ binder_call(hal_camera_default, surfaceflinger)
+')
+binder_call(hal_camera_default, hal_graphics_allocator_default)
+binder_call(hal_camera_default, hal_graphics_composer_default)
+
+get_prop(hal_camera_default, vendor_cam_flash_thrtl_prop)
+set_prop(hal_camera_default, vendor_camera_prop)
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default hal_graphics_allocator_default_tmpfs:file { read write map };
+allow hal_camera_default sysfs:dir r_dir_perms;
+allow hal_camera_default sysfs:file r_file_perms;
+allow hal_camera_default hal_graphics_composer_default:fd use;
+allow hal_graphics_composer_default hal_camera_default:fd use;
+allow hal_camera_default hwservicemanager:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir search;
+
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_camera_default, hal_graphics_allocator)
+
+not_full_treble(`
+ allow hal_camera_default surfaceflinger_service:service_manager find;
+')
+allow hal_camera_default self:global_capability_class_set sys_nice;
diff --git a/camera/ipu2/cameraserver.te b/camera/ipu2/cameraserver.te
new file mode 100644
index 00000000..5ad4bbe2
--- /dev/null
+++ b/camera/ipu2/cameraserver.te
@@ -0,0 +1,5 @@
+#
+# cameraserver
+#
+
+get_prop(cameraserver, vendor_cam_flash_thrtl_prop)
diff --git a/camera/usbcamera/init.te b/camera/ipu2/init.te
similarity index 100%
rename from camera/usbcamera/init.te
rename to camera/ipu2/init.te
diff --git a/camera/ipu2/property.te b/camera/ipu2/property.te
new file mode 100644
index 00000000..5ff4657b
--- /dev/null
+++ b/camera/ipu2/property.te
@@ -0,0 +1 @@
+type vendor_cam_flash_thrtl_prop, property_type;
diff --git a/camera/ipu2/property_contexts b/camera/ipu2/property_contexts
new file mode 100644
index 00000000..e8493a73
--- /dev/null
+++ b/camera/ipu2/property_contexts
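Review bot: `allow hal_camera_default hwservicemanager:chr_file rw_file_perms;` in camera/hal_camera_default.te names a process domain as the target of a character-device rule; nothing on this page labels a device node with `hwservicemanager`, so the line reads like a denial transcribed against the wrong type (the hwbinder device node would be the plausible target - please check the original denial before keeping it). The pair `allow hal_camera_default sysfs:dir r_dir_perms;` / `allow hal_camera_default sysfs:file r_file_perms;` also opens all of sysfs for reading, whereas the ipu4 variant in this same commit labels the one node it needs `sysfs_ipu`; following that pattern here would keep the generic HAL away from unrelated sysfs attributes. `allow hal_graphics_composer_default hal_camera_default:fd use;` would conventionally live in the composer's own .te file, though that is only a matter of style.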
@@ -0,0 +1 @@
+vendor.camera.flash.throt_levels u:object_r:vendor_cam_flash_thrtl_prop:s0
diff --git a/camera/ipu2/service_contexts b/camera/ipu2/service_contexts
new file mode 100644
index 00000000..8590d1d3
--- /dev/null
+++ b/camera/ipu2/service_contexts
@@ -0,0 +1 @@
+media.ipu.acc u:object_r:mediaserver_service:s0
diff --git a/camera/ipu4/cameraserver.te b/camera/ipu4/cameraserver.te
new file mode 100644
index 00000000..6c45c300
--- /dev/null
+++ b/camera/ipu4/cameraserver.te
@@ -0,0 +1,13 @@
+#
+# cameraserver
+#
+
+get_prop(cameraserver, vendor_cam_flash_thrtl_prop)
+
+# avc: denied { write } for pid=28601 comm="Binder:28599_2" name="enable_concurrency" dev="sysfs" ino=21158 scontext=u:r:cameraserver:s0 tcontext=u:object0 tclass=file permissive=0
+allow cameraserver system_server:fifo_file write;
+allow cameraserver surfaceflinger:unix_stream_socket { read write };
+allow cameraserver untrusted_app_25:unix_stream_socket { read write };
+
+allow cameraserver sysfs_ipu:dir r_dir_perms;
+allow cameraserver sysfs_ipu:file r_file_perms;
diff --git a/camera/ipu4/file.te b/camera/ipu4/file.te
new file mode 100644
index 00000000..f4b71926
--- /dev/null
+++ b/camera/ipu4/file.te
@@ -0,0 +1,4 @@
+#Leafhill
+
+type sysfs_ipu, fs_type, sysfs_type;
+
diff --git a/camera/ipu4/file_contexts b/camera/ipu4/file_contexts
new file mode 100644
index 00000000..3cf7497f
--- /dev/null
+++ b/camera/ipu4/file_contexts
@@ -0,0 +1,4 @@
+/dev/ipu-psys0 u:object_r:video_device:s0
+
+/dev/intel_pipeline u:object_r:video_device:s0
+/dev/intel_stream[0-9]+ u:object_r:video_device:s0
diff --git a/camera/ipu4/genfs_contexts b/camera/ipu4/genfs_contexts
new file mode 100644
index 00000000..024b7465
--- /dev/null
+++ b/camera/ipu4/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/pci0000:00/0000:00:03.0/intel-ipu4-mmu0/intel-ipu4-isys0/video4linux/video37/name u:object_r:sysfs_ipu:s0
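Review bot: The avc line quoted in camera/ipu4/cameraserver.te reports a denied sysfs file write on `enable_concurrency`, yet none of the three rules placed under it grants a sysfs write, so the comment no longer explains the rules it sits above and should be replaced by one that does (or removed). `allow cameraserver untrusted_app_25:unix_stream_socket { read write };` lets the camera server read and write sockets owned by an untrusted app domain; if this is only the buffer/fd-passing path it deserves a comment saying so, because it widens the surface between cameraserver and arbitrary apps and a reviewer cannot tell from the rule alone. The `system_server:fifo_file write` line would benefit from the same treatment.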
diff --git a/camera/ipu4/hal_camera_default.te b/camera/ipu4/hal_camera_default.te
new file mode 100644
index 00000000..a4ade416
--- /dev/null
+++ b/camera/ipu4/hal_camera_default.te
@@ -0,0 +1,3 @@
+allow hal_camera_default sysfs_ipu:file r_file_perms;
+allow hal_camera_default sysfs_ipu:dir r_dir_perms;
+
diff --git a/camera/ipu4/init.te b/camera/ipu4/init.te
new file mode 100644
index 00000000..51e39119
--- /dev/null
+++ b/camera/ipu4/init.te
@@ -0,0 +1,6 @@
+#
+# init
+#
+
+# insmod i2c:crlmodule
+allow init kernel:system module_request;
diff --git a/camera/ipu4/property.te b/camera/ipu4/property.te
new file mode 100644
index 00000000..5ff4657b
--- /dev/null
+++ b/camera/ipu4/property.te
@@ -0,0 +1 @@
+type vendor_cam_flash_thrtl_prop, property_type;
diff --git a/camera/ipu4/property_contexts b/camera/ipu4/property_contexts
new file mode 100644
index 00000000..e8493a73
--- /dev/null
+++ b/camera/ipu4/property_contexts
@@ -0,0 +1 @@
+vendor.camera.flash.throt_levels u:object_r:vendor_cam_flash_thrtl_prop:s0
diff --git a/camera/ipu_common/cameraserver.te b/camera/ipu_common/cameraserver.te
new file mode 100644
index 00000000..1c61865a
--- /dev/null
+++ b/camera/ipu_common/cameraserver.te
@@ -0,0 +1,41 @@
+#
+# cameraserver
+#
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+
+# Camera HAL uses sensor manager to get acceleration data
+# to determine device orientation
+allow cameraserver sensorservice_service:service_manager find;
+
+# Camera Acceleration Service (AccService) and Face Recognition
+# services are started by camera HAL
+# add_service(cameraserver, mediaserver_service)
+
+# Access to /system/vendor/etc/atomisp
+allow cameraserver system_file:dir r_dir_perms;
+allow cameraserver system_file:file r_file_perms;
+
+# path="socket:[217260]"
+allow cameraserver system_server:unix_stream_socket rw_socket_perms;
+#
+# XXX Narrow sysfs access
+#
+# path="/sys/devices/pci0000:00/0000:00:03.0/video4linux/video0/name"
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+# path="/system/vendor/etc/atomisp"
+allow cameraserver sysfs:dir r_dir_perms;
+#cameraserver: type=1400 audit(0.0:16): avc: denied { read } for name="config" dev="sysfs" ino=21760 scontext=u:r:cameraserver:s0 tcontext=u:object_r:sysfs_app_readable:s0 tclass=file permissive=0
+
+#avc: denied { write } for name="cameraserver" dev="dm-0" ino=507927 scontext=u:r:cameraserver:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
+allow cameraserver system_data_file:dir { write add_name };
+allow cameraserver camera_data_file:file { read write };
+
+allow cameraserver hal_graphics_allocator_default_tmpfs:file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
+
+# Allow cameraserver to use fd from app,gralloc,and ashmem HAL
+allow cameraserver { appdomain -isolated_app }:fd use;
+allow cameraserver surfaceflinger:fd use;
+allow cameraserver hal_allocator_server:fd use;
diff --git a/camera/ipu_common/file_contexts b/camera/ipu_common/file_contexts
new file mode 100644
index 00000000..d4e785e9
--- /dev/null
+++ b/camera/ipu_common/file_contexts
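Review bot: `allow cameraserver camera_data_file:file { read write };` in camera/ipu_common/cameraserver.te lacks `open` and `getattr` and there is no `camera_data_file:dir search`, so cameraserver still cannot open anything under /data/misc/cameraserver even though the directory is given that label in the file_contexts hunk that follows; `allow cameraserver camera_data_file:dir rw_dir_perms;` plus `rw_file_perms` on the file class is the usual shape. Once the directory is created with its label by init from the .rc file, the `allow cameraserver system_data_file:dir { write add_name };` line, which lets cameraserver create entries in every plain system_data_file directory, should no longer be needed - the quoted denial predates the label. `allow cameraserver { appdomain -isolated_app }:fd use;` is broad but matches the fd-passing comment above it.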
@@ -0,0 +1,4 @@
+/dev/v4l-subdev.* u:object_r:video_device:s0
+/dev/media([0-9])+ u:object_r:video_device:s0
+
+/data/misc/cameraserver(/.*)? u:object_r:camera_data_file:s0
diff --git a/camera/ipu_common/service_contexts b/camera/ipu_common/service_contexts
new file mode 100644
index 00000000..6fad7958
--- /dev/null
+++ b/camera/ipu_common/service_contexts
@@ -0,0 +1,17 @@
+#
+# Macros are defined in this file since they cannot be placed into
+# a file with any other name and be picked up by the build.
+#
+
+#####################################
+# fr_enabled(rules)
+# Allow rules only on fr enabled devices
+# controlled via mixins BoardConfig.mk to set
+# this variable.
+define(`fr_enabled', ifelse(camera_ipu2_enable_fr_service, `true', $1, ))
+define(`fr_enabled', ifelse(camera_ipu4_enable_fr_service, `true', $1, ))
+
+fr_enabled(`
+ media.camera.fr u:object_r:mediaserver_service:s0
+')
+
diff --git a/car/system_server.te b/camera/ipu_common/te_macros
similarity index 100%
rename from car/system_server.te
rename to camera/ipu_common/te_macros
diff --git a/camera/usbcamera/file_contexts b/camera/isp/file_contexts
similarity index 66%
rename from camera/usbcamera/file_contexts
rename to camera/isp/file_contexts
index 300cccb5..28665ad1 100644
--- a/camera/usbcamera/file_contexts
+++ b/camera/isp/file_contexts
@@ -1,3 +1,2 @@
-/dev/video* u:object_r:video_device:s0
 /dev/v4l-subdev.* u:object_r:video_device:s0
 /dev/media([0-9])+ u:object_r:video_device:s0
diff --git a/camera/property.te b/camera/property.te
new file mode 100644
index 00000000..028c77c2
--- /dev/null
+++ b/camera/property.te
@@ -0,0 +1 @@
+type vendor_camera_prop, property_type;
diff --git a/camera/property_contexts b/camera/property_contexts
new file mode 100644
index 00000000..c2bf2bc1
--- /dev/null
+++ b/camera/property_contexts
@@ -0,0 +1 @@
+vendor.camera. u:object_r:vendor_camera_prop:s0
diff --git a/camera/service_contexts b/camera/service_contexts
new file mode 100644
index 00000000..a345b2e3
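Review bot: `fr_enabled` is defined twice in camera/ipu_common/service_contexts and m4 keeps only the last definition, so the `camera_ipu2_enable_fr_service` test is dead and ipu2 builds never receive the `media.camera.fr` entry. One multi-branch ifelse covers both variables: `define(`fr_enabled', ifelse(camera_ipu2_enable_fr_service, `true', $1, camera_ipu4_enable_fr_service, `true', $1, ))`. The header comment states that macros must live in this file because no other file name is picked up, yet the same hunk line renames a file to camera/ipu_common/te_macros; if that file is processed by the build, the comment is stale and the define probably belongs there instead.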
--- /dev/null
+++ b/camera/service_contexts
@@ -0,0 +1 @@
+com.intel.camera2.camerahal u:object_r:mediaserver_service:s0
diff --git a/camera/usbcamera/untrusted_app_25.te b/camera/usbcamera/untrusted_app_25.te
deleted file mode 100644
index 25af7b5e..00000000
--- a/camera/usbcamera/untrusted_app_25.te
+++ /dev/null
@@ -1,11 +0,0 @@
-#============= untrusted_app_25 ==============
-
-allow untrusted_app_25 device:dir open;
-allow untrusted_app_25 device:dir read;
-allow untrusted_app_25 video_device:chr_file { ioctl map };
-allow untrusted_app_25 video_device:chr_file open;
-#allow untrusted_app_25 video_device:chr_file read;
-#allow untrusted_app_25 video_device:chr_file write;
-
-#avc: denied { write } for pid=6896 comm="pool-3-thread-1" path=2F64726D206D6D206 dev="tmpfs" ino=56699 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:hal_graphics_allocator_default_tmpfs:s0 tclass=file permissive=0
-allow untrusted_app_25 hal_graphics_allocator_default_tmpfs:file write;
diff --git a/camera/vendor_init.te b/camera/vendor_init.te
new file mode 100644
index 00000000..6d9b469b
--- /dev/null
+++ b/camera/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_camera_prop)
diff --git a/car/carservice_app.te b/car/carservice_app.te
new file mode 100644
index 00000000..9ed49572
--- /dev/null
+++ b/car/carservice_app.te
@@ -0,0 +1,8 @@
+allow carservice_app sysfs:dir r_dir_perms;
+allow carservice_app sysfs_fs_f2fs:dir r_dir_perms;
+allow carservice_app sysfs_fs_ext4_features:dir r_dir_perms;
+
+# To allow carservice app to access sys.usb.cfg
+module_only(`carservice_app', `
+ set_prop(carservice_app, exported_system_radio_prop)
+')
diff --git a/car/file.te b/car/file.te
index 0399da34..58cefc64 100644
--- a/car/file.te
+++ b/car/file.te
@@ -1,6 +1 @@
-#
-# CarService.apk
-# when system is going to suspend, by press ignition button, Carservice needs to write
-# /sys/power/state to put system to suspend
-#
 type sysfs_early_evs, fs_type, sysfs_type;
diff --git a/car/file_contexts b/car/file_contexts index 589ff440..dfbebfae 100644 --- a/car/file_contexts +++ b/car/file_contexts @@ -2,3 +2,4 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle\.intel@2\.1-service u:object_r:hal_vehicle_default_exec:s0 /vendor/bin/hw/android.hardware.broadcastradio@intel-service u:object_r:hal_broadcastradio_default_exec:s0 +/vendor/bin/hw/android.hardware.automotive.audiocontrol@1.0-service.intel u:object_r:hal_audiocontrol_default_exec:s0 diff --git a/car/genfs_contexts b/car/genfs_contexts new file mode 100644 index 00000000..4ef63d49 --- /dev/null +++ b/car/genfs_contexts @@ -0,0 +1,11 @@ +genfscon sysfs /fs/ext4/dm-0/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/dm-1/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop0/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop1/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop2/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop3/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop4/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/loop5/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/sda8/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/sda13/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 +genfscon sysfs /fs/ext4/sda18/lifetime_write_kbytes u:object_r:sysfs_fs_lifetime_write:s0 diff --git a/car/hal_broadcastradio_default.te b/car/hal_broadcastradio_default.te index 6549042b..a414c496 100644 --- a/car/hal_broadcastradio_default.te +++ b/car/hal_broadcastradio_default.te 
@@ -1,8 +1,7 @@ -typeattribute hal_broadcastradio_default binder_in_vendor_violators; -binder_use(hal_broadcastradio_default) -binder_call(hal_broadcastradio_default, system_server) - +allow hal_broadcastradio_default hal_broadcastradio_hwservice:hwservice_manager find; allow hal_broadcastradio_default i2c_device:chr_file rw_file_perms; allow hal_broadcastradio_default rootfs:dir r_dir_perms; allow hal_broadcastradio_default sysfs:dir r_dir_perms; + +binder_call(hal_broadcastradio_default, system_server) diff --git a/car/hal_vehicle_default.te b/car/hal_vehicle_default.te index 5a02c669..7aecf053 100644 --- a/car/hal_vehicle_default.te +++ b/car/hal_vehicle_default.te @@ -2,9 +2,10 @@ # Default hal vehicle service # oao/hardware/interfaces/automotive/vehicle # + binder_call(hal_audio_default, hal_vehicle_default) binder_call(hal_vehicle_default, hal_audio_default) -allow hal_vehicle_default hal_audio_hwservice:hwservice_manager find; +hal_client_domain(hal_vehicle_default, hal_audio) # # Allow hal_vehicle_default to create socket. @@ -19,3 +20,6 @@ allowxperm hal_vehicle_default self:can_socket ioctl { }; ignore_adb_debug(`hal_vehicle_default') + +allow hal_vehicle_default serial_device:chr_file rw_file_perms; +allow hal_vehicle_default sysfs_power:file rw_file_perms; diff --git a/car/kitchensink_app.te b/car/kitchensink_app.te index 343f6fb1..1e2ebc64 100644 --- a/car/kitchensink_app.te +++ b/car/kitchensink_app.te @@ -1,3 +1,8 @@ userdebug_or_eng(` - allow kitchensink_app { textservices_service bluetooth_manager_service }:service_manager find; + allow kitchensink_app { + textservices_service + bluetooth_manager_service + media_session_service + activity_task_service + }:service_manager find; ') diff --git a/car/platform_app.te b/car/platform_app.te index 213b89b4..53db4b58 100644 --- a/car/platform_app.te +++ b/car/platform_app.te 
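Review bot: The car/hal_broadcastradio_default.te hunk drops `typeattribute hal_broadcastradio_default binder_in_vendor_violators;` and `binder_use(hal_broadcastradio_default)` but keeps `binder_call(hal_broadcastradio_default, system_server)` at the bottom, so this vendor HAL still talks to system_server over framework binder without the attribute that exempted it from the vendor/system binder neverallows; unless the policy tree no longer enforces those, this either fails the build or leaves an undocumented Treble violation. If the call is still required, a comment above the line naming the system_server interface it uses - e.g. `# TODO(review): document which system_server interface needs this framework binder call` - would let the next reviewer judge it.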
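Review bot: `allow hal_vehicle_default sysfs_power:file rw_file_perms;` in the second car/hal_vehicle_default.te hunk gives the vehicle HAL write access to every file labelled sysfs_power rather than only the suspend trigger; the comment removed from car/file.te on the previous line referred to writing /sys/power/state, so a dedicated label for that node would keep the other power controls (wakeup, autosleep) out of the HAL's reach. `allow hal_vehicle_default serial_device:chr_file rw_file_perms;` likewise covers all serial ports; a comment naming the port the HAL opens would help narrow it later.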
@@ -1,4 +1,5 @@ allow platform_app broadcastradio_service:service_manager find; +allow platform_app carservice_service:service_manager find; #allow SystemUpdater app to call UpdateEngine allow platform_app update_engine:binder { call transfer }; diff --git a/car/system_app.te b/car/system_app.te new file mode 100644 index 00000000..0b96c2bb --- /dev/null +++ b/car/system_app.te @@ -0,0 +1 @@ +# allow CarService to write /sys/power/state to enter deep sleep. diff --git a/carplay/carplay-ipod-daemon-2.te b/carplay/carplay-ipod-daemon-2.te new file mode 100644 index 00000000..3673efb7 --- /dev/null +++ b/carplay/carplay-ipod-daemon-2.te 
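Review bot: car/system_app.te is added with only the comment `# allow CarService to write /sys/power/state to enter deep sleep.` and no rule, so the file grants nothing; either the `allow` it describes was dropped or the file is a leftover. If the write is intended, the rule together with a dedicated sysfs label for that node is what is missing; if it is not, the file should be removed, because a comment promising a permission that does not exist will mislead the next policy audit.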
@@ -0,0 +1,40 @@
+# carplay-ipod-daemon, Service which provides interface for
+# iPod control/event based on Apple IAP/IAP2.
+type carplay-ipod-daemon-2, domain;
+type carplay-ipod-daemon-2_exec, exec_type, file_type;
+
+init_daemon_domain(carplay-ipod-daemon-2)
+# carplay works via network connection, with using bonjour.
+allow carplay-ipod-daemon-2 self:capability { net_admin net_raw };
+net_domain(carplay-ipod-daemon-2)
+
+allow carplay-ipod-daemon-2 system_data_file:dir r_dir_perms;
+allow carplay-ipod-daemon-2 system_data_file:file r_file_perms;
+
+# grant set propoerty
+set_prop(carplay-ipod-daemon-2, carplay_prop)
+set_prop(carplay-ipod-daemon-2, ctl_mdnsd_prop)
+set_prop(carplay-ipod-daemon-2, system_prop)
+
+allow carplay-ipod-daemon-2 iap2_device:chr_file rw_file_perms;
+allow carplay-ipod-daemon-2 proc_net:file w_file_perms;
+allow carplay-ipod-daemon-2 self:netlink_kobject_uevent_socket create_socket_perms;
+allowxperm carplay-ipod-daemon-2 self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+binder_call(carplay-ipod-daemon-2, cpserver)
+binder_use(carplay-ipod-daemon-2)
+
+allow carplay-ipod-daemon-2 shell_exec:file rx_file_perms;
+
+# sysfs access
+# path="/sys/bus/platform/devices/intel-cht-otg.0/mux_state
+allow carplay-ipod-daemon-2 sysfs:dir r_dir_perms;
+allow carplay-ipod-daemon-2 sysfs:file r_file_perms;
+
+allow carplay-ipod-daemon-2 sysfs_usb_writable:dir r_dir_perms;
+allow carplay-ipod-daemon-2 sysfs_usb_writable:file rw_file_perms;
+allow carplay-ipod-daemon-2 usb_device:chr_file rw_file_perms;
+allow carplay-ipod-daemon-2 usb_device:dir r_dir_perms;
+allow carplay-ipod-daemon-2 usb_role_switch:dir r_dir_perms;
+allow carplay-ipod-daemon-2 usb_role_switch:file rw_file_perms;
+allow carplay-ipod-daemon-2 cp_service:service_manager find;
diff --git a/carplay/carplaycoreserver.te b/carplay/carplaycoreserver.te
new file mode 100644
index 00000000..498ecf87
--- /dev/null
+++ b/carplay/carplaycoreserver.te
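Review bot: `set_prop(carplay-ipod-daemon-2, system_prop)` lets the daemon set every property labelled system_prop, far more than the carplay properties it owns; the carplay-specific ones (`carplay.*`, `persist.sys.carplay`, `persist.sys.iap2`) are already labelled carplay_prop in carplay/property_contexts on this page, so the system_prop grant should be replaced by a rule for the specific property the daemon still needs, with a comment naming it. For a network-facing daemon that also holds `net_admin net_raw`, `allow carplay-ipod-daemon-2 shell_exec:file rx_file_perms;` and `allow carplay-ipod-daemon-2 proc_net:file w_file_perms;` are notable as well; a comment stating what is executed and which /proc/net entry is written would let a reviewer decide whether they can be narrowed. The typo in `# grant set propoerty` is cosmetic.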
@@ -0,0 +1,37 @@
+# Carplay core server, Core service implemented for Apple Carplay
+# functionalities and interacted with carplay-ipod-daemon.
+
+define(`carplay_socket_perms', `{ bind create read setopt }')
+type carplaycoreserver_app_data_file, file_type, data_file_type;
+type carplaycoreserver_app, domain;
+
+app_domain(carplaycoreserver_app)
+net_domain(carplaycoreserver_app)
+binder_service(carplaycoreserver_app)
+
+allow carplaycoreserver_app mdnsd_carplay:unix_stream_socket connectto;
+allow carplaycoreserver_app carplaycoreserver_app_data_file:dir create_dir_perms;
+binder_call(carplaycoreserver_app, cpserver)
+
+set_prop(carplaycoreserver_app, system_prop)
+set_prop(carplaycoreserver_app, carplay_prop)
+
+allow carplaycoreserver_app proc_meminfo:file r_file_perms;
+allow carplaycoreserver_app proc_net:file r_file_perms;
+allow carplaycoreserver_app self:netlink_kobject_uevent_socket carplay_socket_perms;
+allowxperm carplaycoreserver self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+allow carplaycoreserver_app sysfs:dir r_dir_perms;
+allow carplaycoreserver_app sysfs:file r_file_perms;
+allow carplaycoreserver_app activity_service:service_manager find;
+allow carplaycoreserver_app display_service:service_manager find;
+allow carplaycoreserver_app network_management_service:service_manager find;
+allow carplaycoreserver_app connectivity_service:service_manager find;
+allow carplaycoreserver_app batterystats_service:service_manager find;
+allow carplaycoreserver_app mediacodec_service:service_manager find;
+allow carplaycoreserver_app mediaserver_service:service_manager find;
+allow carplaycoreserver_app surfaceflinger_service:service_manager find;
+allow carplaycoreserver_app audioserver_service:service_manager find;
+allow carplaycoreserver_app scheduling_policy_service:service_manager find;
+allow carplaycoreserver_app appops_service:service_manager find;
+allow carplaycoreserver_app cp_service:service_manager find;
+allow carplaycoreserver_app bluetooth_manager_service:service_manager find;
diff --git a/carplay/cpserver.te b/carplay/cpserver.te
new file mode 100644
index 00000000..ae29d1de
--- /dev/null
+++ b/carplay/cpserver.te
@@ -0,0 +1,17 @@
+# Service for Apple CP authenticate.
+type cpserver, domain;
+type cpserver_exec, exec_type, file_type;
+
+init_daemon_domain(cpserver)
+
+binder_use(cpserver)
+binder_service(cpserver)
+binder_call(cpserver, servicemanager)
+
+binder_use(cp_service)
+binder_call(cp_service, servicemanager)
+
+add_service(cpserver, cp_service)
+
+allow cpserver i2c_device:chr_file rw_file_perms;
+allow cp_service i2c_device:chr_file rw_file_perms;
diff --git a/carplay/device.te b/carplay/device.te
new file mode 100644
index 00000000..df69f55a
--- /dev/null
+++ b/carplay/device.te
@@ -0,0 +1 @@
+type iap2_device, dev_type;
diff --git a/carplay/file.te b/carplay/file.te
new file mode 100644
index 00000000..b2d28371
--- /dev/null
+++ b/carplay/file.te
@@ -0,0 +1 @@
+type usb_role_switch, fs_type, debugfs_type;
diff --git a/carplay/file_contexts b/carplay/file_contexts
new file mode 100644
index 00000000..cce931a3
--- /dev/null
+++ b/carplay/file_contexts
@@ -0,0 +1,5 @@
+/dev/ttyIAP20 u:object_r:iap2_device:s0
+/system/bin/carplay-ipod-daemon-2 u:object_r:carplay-ipod-daemon-2_exec:s0
+/system/bin/mdnsd_carplay u:object_r:mdnsd_carplay_exec:s0
+/system/bin/cpserver u:object_r:cpserver_exec:s0
+/sys/bus/platform/devices/intel-cht-otg.0/mux_state u:object_r:usb_role_switch:s0
diff --git a/carplay/init.te b/carplay/init.te
new file mode 100644
index 00000000..f9fdc5b1
--- /dev/null
+++ b/carplay/init.te
@@ -0,0 +1,4 @@
+# sysfs access
+# path="/sys/bus/platform/devices/intel-cht-otg.0/mux_state
+allow init sysfs:dir r_dir_perms;
+allow init sysfs:file r_file_perms;
diff --git a/carplay/installd.te b/carplay/installd.te
new file mode 100644
index 00000000..2861f5c6
--- /dev/null
+++ b/carplay/installd.te
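Review bot: `allowxperm carplaycoreserver self:netlink_kobject_uevent_socket ioctl SIOCETHTO OL;` in carplay/carplaycoreserver.te names `carplaycoreserver`, but the domain declared in this file is `carplaycoreserver_app`; no type of that name is created on this page, so the line will fail the policy build unless it exists elsewhere. Even with the subject corrected, `carplay_socket_perms` is `{ bind create read setopt }` and contains no `ioctl`, so the allowxperm refines a permission that is never granted and is dead; if the ioctl is really needed, `ioctl` has to be added to that define and the subject changed to `carplaycoreserver_app`. SIOCETHTOOL is an ethtool ioctl normally issued on an ordinary network socket, so the socket class may be wrong as well - the same combination appears in carplay-ipod-daemon-2.te above and deserves the same check.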
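Review bot: `binder_use(cp_service)`, `binder_call(cp_service, servicemanager)` and `allow cp_service i2c_device:chr_file rw_file_perms;` in carplay/cpserver.te use `cp_service` as a subject, but carplay/service.te on this page declares it as a `service_manager_type` (a binder service label), not a domain; no process ever runs as cp_service, so these three rules can never apply and only add noise to the policy. The process-side rules for `cpserver` directly above already cover binder use, registration via `add_service(cpserver, cp_service)` and the i2c device, so the three cp_service lines can simply be dropped. A one-line comment saying which i2c device the authentication coprocessor sits on would also help, since `i2c_device` covers every i2c adapter.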
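Review bot: `type usb_role_switch, fs_type, debugfs_type;` in carplay/file.te declares the label as a debugfs type, but carplay/file_contexts applies it to `/sys/bus/platform/devices/intel-cht-otg.0/mux_state`, a sysfs path; it should be `type usb_role_switch, fs_type, sysfs_type;` so that the sysfs-wide rules and neverallows apply as intended. As with the bxt_usb entry earlier on this page, a file_contexts entry under /sys only takes effect after a restorecon of that path, which is worth a comment. Note also that bxt_usb/file_contexts labels the same controller's device tree `sysfs_usb_writable` through its /sys/devices path; if the /sys/bus entry resolves to the same node, whichever restorecon runs last wins and the two labels should be reconciled.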
@@ -0,0 +1,5 @@
+allow installd carplaycoreserver_app_data_file:dir create_dir_perms;
+allow installd carplaycoreserver_app_data_file:lnk_file create_file_perms;
+allow installd carplaycoreserver_app_data_file:dir relabelto;
+allow installd carplaycoreserver_app_data_file:file { create_file_perms relabelto };
+allow installd ipod2service_app_data_file:dir { create_dir_perms relabelto };
diff --git a/carplay/ipod2service.te b/carplay/ipod2service.te
new file mode 100644
index 00000000..b00ccb96
--- /dev/null
+++ b/carplay/ipod2service.te
@@ -0,0 +1,19 @@
+# ipod2-service, Service which provides interface for iPod control/event based on Apple IAP/IAP2.
+type ipod2service_app_data_file, file_type, data_file_type;
+type ipod2service_app, domain;
+app_domain(ipod2service_app)
+net_domain(ipod2service_app)
+binder_service(ipod2service_app)
+
+set_prop(ipod2service_app, carplay_prop)
+
+allow ipod2service_app carplay-ipod-daemon-2:unix_stream_socket connectto;
+
+allow ipod2service_app ipod2service_app_data_file:dir create_file_perms;
+allow ipod2service_app ipod2service_app_data_file:file create_file_perms;
+allow ipod2service_app activity_service:service_manager find;
+allow ipod2service_app display_service:service_manager find;
+allow ipod2service_app network_management_service:service_manager find;
+allow ipod2service_app connectivity_service:service_manager find;
+allow ipod2service_app location_service:service_manager find;
+allow ipod2service_app usb_service:service_manager find;
diff --git a/carplay/mdnsd_carplay.te b/carplay/mdnsd_carplay.te
new file mode 100644
index 00000000..3f22705e
--- /dev/null
+++ b/carplay/mdnsd_carplay.te
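Review bot: `allow ipod2service_app ipod2service_app_data_file:dir create_file_perms;` in carplay/ipod2service.te applies the file permission set to the dir class, which leaves out `add_name`, `remove_name`, `search` and `rmdir`, so the app will not be able to create entries in its own data directory; the sibling carplaycoreserver.te uses `create_dir_perms` for the same purpose and this line should match: `allow ipod2service_app ipod2service_app_data_file:dir create_dir_perms;`. For an `app_domain`, access to the data type assigned in seapp_contexts is normally supplied by the core app rules, so the explicit pair may be redundant anyway - worth checking before keeping it.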
@@ -0,0 +1,11 @@
+# mdnsd service for carplay, carplay uses bonjour protocol.
+type mdnsd_carplay, domain, mlstrustedsubject;
+type mdnsd_carplay_exec, exec_type, file_type;
+
+init_daemon_domain(mdnsd_carplay)
+net_domain(mdnsd_carplay)
+
+binder_call(mdnsd_carplay, carplaycoreserver_app)
+
+allow mdnsd_carplay proc_net:file r_file_perms;
+allow mdnsd_carplay carplaycoreserver_app:unix_stream_socket rw_socket_perms;
diff --git a/carplay/property.te b/carplay/property.te
new file mode 100644
index 00000000..ef66114d
--- /dev/null
+++ b/carplay/property.te
@@ -0,0 +1,3 @@
+type carplay_prop, property_type;
+
+allow system_server carplay_prop:file { getattr open read };
diff --git a/carplay/property_contexts b/carplay/property_contexts
new file mode 100644
index 00000000..9205a873
--- /dev/null
+++ b/carplay/property_contexts
@@ -0,0 +1,5 @@
+carplay.usb.configured u:object_r:carplay_prop:s0
+carplay.usb.mode u:object_r:carplay_prop:s0
+persist.sys.carplay u:object_r:carplay_prop:s0
+persist.sys.iap2 u:object_r:carplay_prop:s0
+ctl.mdnsd_carplay u:object_r:carplay_prop:s0
diff --git a/carplay/seapp_contexts b/carplay/seapp_contexts
new file mode 100644
index 00000000..c2fa169e
--- /dev/null
+++ b/carplay/seapp_contexts
@@ -0,0 +1,3 @@
+user=system seinfo=platform name=com.windriver.carplaycoreserver domain=carplaycoreserver_app type=carplaycoreserver_app_data_file
+user=system seinfo=platform name=com.windriver.ipod.iap2.service domain=ipod2service_app type=ipod2service_app_data_file
+
diff --git a/carplay/service.te b/carplay/service.te
new file mode 100644
index 00000000..1b0dd625
--- /dev/null
+++ b/carplay/service.te
@@ -0,0 +1 @@
+type cp_service, system_api_service, service_manager_type;
diff --git a/carplay/service_contexts b/carplay/service_contexts
new file mode 100644
index 00000000..1987875d
--- /dev/null
+++ b/carplay/service_contexts
@@ -0,0 +1 @@
+com.windriver.cpserver.CPService u:object_r:cp_service:s0
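Review bot: `type mdnsd_carplay, domain, mlstrustedsubject;` gives the mDNS daemon an MLS bypass that none of the rules below it appear to need (a proc_net read, binder to carplaycoreserver_app and one unix socket); unless a specific MLS constraint denial was observed, drop `mlstrustedsubject`, or record the denial it answers in the header, e.g. `# mlstrustedsubject: needed for <denial seen> — see <bug id>`.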
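Review bot: `ctl.mdnsd_carplay u:object_r:carplay_prop:s0` puts a service-control property in the same type as the carplay.usb.* and persist.sys.* settings, and carplay/ipod2service.te above grants `set_prop(ipod2service_app, carplay_prop)`, so the app domain can start and stop mdnsd_carplay through init rather than only write its own settings; give the ctl entry its own property type (a `ctl_mdnsd_carplay_prop`-style name, to be chosen) and grant it only to the domain that must control the service. In carplay/property.te, `allow system_server carplay_prop:file { getattr open read };` is the hand-expanded form of `get_prop(system_server, carplay_prop)`, and the macro is the conventional way to write it.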
diff --git a/config-partition/dumpstate.te b/config-partition/dumpstate.te
index b6f24494..305271d5 100644
--- a/config-partition/dumpstate.te
+++ b/config-partition/dumpstate.te
@@ -1,2 +1,2 @@
 dontaudit dumpstate config_file:dir r_dir_perms;
-dontaudit dumpstate config_file:file r_file_perms;
+dontaudit dumpstate config_file:dir r_file_perms;
diff --git a/config-partition/file_contexts b/config-partition/file_contexts
index bdcd77b5..8f532c79 100644
--- a/config-partition/file_contexts
+++ b/config-partition/file_contexts
@@ -1,4 +1,4 @@
 # Config partition
 /oem_config(/.*)? u:object_r:config_file:s0
-/dev/block/(pci|platform)(/.*)?/.*/by-name/android_config u:object_r:config_block_device:s0
+/dev/block/(pci|platform)(/.*)?/.*/by-name/config u:object_r:config_block_device:s0
diff --git a/config-partition/ueventd.te b/config-partition/ueventd.te
new file mode 100644
index 00000000..5f0f3764
--- /dev/null
+++ b/config-partition/ueventd.te
@@ -0,0 +1,6 @@
+#
+# ueventd
+#
+
+allow ueventd config_file:dir search;
+allow ueventd config_file:file { read getattr open };
diff --git a/config-partition/vendor_init.te b/config-partition/vendor_init.te
new file mode 100644
index 00000000..236c413c
--- /dev/null
+++ b/config-partition/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init unlabeled:dir { setattr getattr relabelfrom };
diff --git a/config-partition/violators_blacklist.te b/config-partition/violators_blacklist.te
new file mode 100644
index 00000000..083b7fb7
--- /dev/null
+++ b/config-partition/violators_blacklist.te
@@ -0,0 +1,3 @@
+typeattribute vold data_between_core_and_vendor_violators;
+typeattribute ueventd data_between_core_and_vendor_violators;
+
diff --git a/factory-partition/vold.te b/config-partition/vold.te
similarity index 50%
rename from factory-partition/vold.te
rename to config-partition/vold.te
index 79814331..78940f28 100644
--- a/factory-partition/vold.te
+++ b/config-partition/vold.te
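Review bot: the replacement line `dontaudit dumpstate config_file:dir r_file_perms;` changes the object class from file to dir while keeping the file permission set, so it largely overlaps the `config_file:dir r_dir_perms` rule on the line above and reads of files under config_file will start being audited again; this looks like an accidental class edit rather than an intended change. If the goal was to stop suppressing file reads, delete the line; otherwise restore `dontaudit dumpstate config_file:file r_file_perms;`.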
@@ -1,7 +1,7 @@
 #
-# Vold
+# vold
 #
-allow vold factory_file:dir r_dir_perms;
+allow vold config_file:dir r_dir_perms;
 # uapi/linux/fs.h:#define FITRIM _IOWR('X', 121, struct fstrim_range) /* Trim */
-#allow vold factory_file:dir 0x5879;
+#allow vold config_file:dir 0x5879;
diff --git a/config_cpuset/config_cpuset.te b/config_cpuset/config_cpuset.te
new file mode 100644
index 00000000..4addf846
--- /dev/null
+++ b/config_cpuset/config_cpuset.te
@@ -0,0 +1,10 @@
+type config_cpuset, domain;
+type config_cpuset_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(config_cpuset)
+
+not_full_treble(`allow config_cpuset shell_exec:file rx_file_perms;')
+not_full_treble(`allow config_cpuset toolbox_exec:file rx_file_perms;')
+allow config_cpuset vendor_shell_exec:file rx_file_perms;
+allow config_cpuset vendor_toolbox_exec:file rx_file_perms;
+allow config_cpuset cgroup:file r_file_perms;
diff --git a/config_cpuset/file_contexts b/config_cpuset/file_contexts
new file mode 100644
index 00000000..98d18523
--- /dev/null
+++ b/config_cpuset/file_contexts
@@ -0,0 +1,2 @@
+# /vendor/bin/config_cpuset.sh
+/vendor/bin/config_cpuset\.sh u:object_r:config_cpuset_exec:s0
diff --git a/coredump/file.te b/coredump/file.te
deleted file mode 100644
index 82355ca6..00000000
--- a/coredump/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type coredump_log_file, mlstrustedobject, file_type, data_file_type, core_data_file_type;
diff --git a/coredump/file_contexts b/coredump/file_contexts
deleted file mode 100644
index 7070f6e2..00000000
--- a/coredump/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Coredump path
-/data/core(/.*)? u:object_r:coredump_log_file:s0
diff --git a/coredump/netd.te b/coredump/netd.te
deleted file mode 100644
index 3840c329..00000000
--- a/coredump/netd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-userdebug_or_eng(`
- allow netd coredump_log_file:dir create_dir_perms;
- allow netd coredump_log_file:file create_file_perms;
-')
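Review bot: `allow config_cpuset cgroup:file r_file_perms;` is the only cgroup access the new config_cpuset domain receives, and the domain name and `/vendor/bin/config_cpuset.sh` suggest the script writes cpuset membership; if it does, those writes will be denied and the rule needs `rw_file_perms` plus `cgroup:dir search` — confirm against the script before landing. A one-line header comment stating what the script configures (the domain file has none) would let the next reader judge that without opening the script.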
diff --git a/crashlogd/crashlogd.te b/crashlogd/crashlogd.te
index 796a0e9e..1c8fc29b 100644
--- a/crashlogd/crashlogd.te
+++ b/crashlogd/crashlogd.te
@@ -33,7 +33,6 @@ userdebug_or_eng(`
 dontaudit crashlogd domain:binder *;
 dontaudit crashlogd property_type:property_service *;
 dontaudit crashlogd property_type:file *;
- # dontaudit crashlogd domain:debuggerd *;
 dontaudit crashlogd service_manager_type:service_manager *;
 dontaudit crashlogd servicemanager: binder *;
 ')
diff --git a/crashlogd/dumpstate.te b/crashlogd/dumpstate.te
index beb7c882..00059b93 100644
--- a/crashlogd/dumpstate.te
+++ b/crashlogd/dumpstate.te
@@ -1,3 +1,13 @@
-allow dumpstate block_device:blk_file getattr;
-allow dumpstate debugfs_graphics_sync:dir r_dir_perms;
-allow dumpstate self:netlink_xfrm_socket create;
+#
+# dumpstate
+#
+dontaudit dumpstate log_file:file r_file_perms;
+
+userdebug_or_eng(`
+ allow dumpstate sysfs_zram:file r_file_perms;
+ allow dumpstate unlabeled:dir getattr;
+ allow dumpstate userdata_block_device:dir getattr;
+ allow dumpstate userdata_block_device:blk_file getattr;
+ allow dumpstate config_block_device:blk_file getattr;
+ binder_call(dumpstate, update_engine);
+')
diff --git a/crashlogd/dumpstate_dropbox.te b/crashlogd/dumpstate_dropbox.te
index d62b2448..b0fdb80e 100644
--- a/crashlogd/dumpstate_dropbox.te
+++ b/crashlogd/dumpstate_dropbox.te
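Review bot: `dontaudit dumpstate log_file:file r_file_perms;` quietly takes the place of the `allow dumpstate log_file:file r_file_perms;` that the deleted debug-logs/dumpstate.te (further down this page) used to provide, so unless another rule grants it, bugreports stop including those logs on every build and the denial is hidden as well. If that is deliberate, say so in the new header, e.g. `# log_file is vendor-owned; dumpstate must not read it across the treble boundary`; if not, it belongs inside the userdebug_or_eng block below as an allow, next to the other debug-only grants.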
@@ -6,22 +6,38 @@ userdebug_or_eng(`
 permissive dumpstate_dropbox;
- dontaudit dumpstate_dropbox self:capability { chown dac_override };
- allow dumpstate_dropbox system_server:binder call;
+ allow dumpstate_dropbox self:capability { chown };
 allow domain dumpstate_dropbox:fd use;
+ # breaks treble, but its a permisisve debug domain so just dontaudit it.
 dontaudit dumpstate_dropbox dropbox_service:service_manager find;
 set_prop(dumpstate_dropbox, ctl_dumpstate_prop)
+ # Breaks treble, just ignore it.
+ dontaudit dumpstate_dropbox dumpstate_socket:sock_file write;
+ dontaudit dumpstate_dropbox dumpstate:unix_stream_socket connectto;
+
+
+ # Breaks treble since its on system partition. Since this is
+ # a permissive domain, just dontaudit it.
 # Execute shell scripts, toolbox and system bin files.
- dontaudit dumpstate_dropbox toolbox_exec:file rx_file_perms;
+ dontaudit dumpstate_dropbox vendor_toolbox_exec:file rx_file_perms;
+
+ # breaks on treble, but since this is a permissive domain,
+ # just dontaudit them rather than allow.
 dontaudit dumpstate_dropbox shell_exec:file rx_file_perms;
 dontaudit dumpstate_dropbox system_file:file rx_file_perms;
- dontaudit dumpstate_dropbox system_data_file:dir { add_name write };
- dontaudit dumpstate_dropbox domain:binder *;
+ dontaudit dumpstate_dropbox system_file:file rx_file_perms;
+ dontaudit dumpstate_dropbox self:capability *;
+ dontaudit dumpstate_dropbox servicemanager:binder *;
 dontaudit dumpstate_dropbox binder_device: chr_file *;
 dontaudit dumpstate_dropbox default_prop:file *;
- dontaudit dumpstate_dropbox binder_device:chr_file *;
+ dontaudit dumpstate_dropbox {fs_type dev_type file_type}:dir_file_class_set *;
+
+ module_only(`debug_crashlogd', `
+ allow dumpstate_dropbox log_file:dir ra_dir_perms;
+ allow dumpstate_dropbox log_file:file create_file_perms;
+ ')
 ')
diff --git a/debug-logs/file.te b/crashlogd/file.te
similarity index 100%
rename from debug-logs/file.te
rename to crashlogd/file.te
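Review bot: `dontaudit dumpstate_dropbox {fs_type dev_type file_type}:dir_file_class_set *;` and `dontaudit dumpstate_dropbox self:capability *;` in a domain that is already `permissive` suppress every file, device and capability denial, so the audit log can never show what the script actually needs and the domain has no path to enforcing; in a permissive debug domain the denials are the data you want, so keep the targeted dontaudits the comments justify and drop the two wildcards. `dontaudit dumpstate_dropbox system_file:file rx_file_perms;` is added although the identical context line sits directly above it, and the new comment misspells "permissive". The enclosing userdebug_or_eng block opens before this hunk.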
diff --git a/crashlogd/file_contexts b/crashlogd/file_contexts
index 41ac72fb..3af78432 100644
--- a/crashlogd/file_contexts
+++ b/crashlogd/file_contexts
@@ -3,3 +3,18 @@
 # Dumpstate dropbox script
 (/system)?/vendor/bin/dumpstate_dropbox.sh u:object_r:dumpstate_dropbox_exec:s0
+
+# earlylogs entry point script
+(/system)?/vendor/bin/elogs.sh u:object_r:logsvc_exec:s0
+
+# earlylogs logs target
+/cache/cache/elogs(/.*)? u:object_r:log_file:s0
+
+# Logs
+/data/logs(/.*)? u:object_r:log_file:s0
+
+# aplog
+/vendor/bin/aplog.sh u:object_r:logsvc_exec:s0
+
+# logfs
+/vendor/bin/logfs.sh u:object_r:logsvc_exec:s0
diff --git a/crashlogd/logsvc.te b/crashlogd/logsvc.te
new file mode 100644
index 00000000..b16e06b1
--- /dev/null
+++ b/crashlogd/logsvc.te
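Review bot: `/cache/cache/elogs(/.*)? u:object_r:log_file:s0` doubles the path component, whereas the entry it supersedes in the deleted debug-logs/file_contexts further down this page was `/cache/elogs(/.*)?`; unless the early-log target really moved under /cache/cache, that directory keeps its cache_file label and the logsvc log_file rules never match it. The `/vendor/bin/aplog.sh` and `/vendor/bin/logfs.sh` entries also lack the `(/system)?` prefix that the neighbouring elogs.sh and dumpstate_dropbox.sh entries carry, so on a non-treble layout they would not match.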
@@ -0,0 +1,47 @@
+# Rules for aplogs specific services
+type logsvc, domain;
+type logsvc_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(logsvc);
+
+userdebug_or_eng(`
+ allow logsvc self:capability { sys_nice };
+ allow logsvc self:capability2 syslog;
+
+ allow logsvc log_file:file create_file_perms;
+ allow logsvc log_file:dir rw_dir_perms;
+
+ allow logsvc logdr_socket:sock_file write;
+ allow logsvc logd:unix_stream_socket connectto;
+
+ allow logsvc kmsg_device:chr_file { open read };
+ allow logsvc kernel:system syslog_read;
+ allow logsvc vendor_toolbox_exec:file entrypoint;
+
+ set_prop(logsvc, ctl_default_prop)
+ set_prop(logsvc, vendor_elogs_prop)
+ set_prop(logsvc, logpersistd_logging_prop)
+
+ allow logsvc cache_file:dir r_dir_perms;
+ allow logsvc cache_file:file r_file_perms;
+ allow logsvc log_file:lnk_file create_file_perms;
+ allow logsvc misc_logd_file:file getattr;
+ permissive logsvc;
+
+ dontaudit logsvc self:capability *;
+ dontaudit logsvc misc_logd_file:dir *;
+ dontaudit logsvc sysfs:file *;
+
+ allow logsvc vendor_toolbox_exec:file execute_no_trans;
+ allow logsvc logd_socket:sock_file write;
+
+ not_full_treble(`
+ # Execute toolbox/toybox commands
+ allow logsvc toolbox_exec:file rx_file_perms;
+ allow logsvc system_file:file x_file_perms;
+ allow logsvc shell_exec:file rx_file_perms;
+ ')
+ full_treble_only(`
+ allow logsvc vendor_toolbox_exec:file rx_file_perms;
+ allow logsvc vendor_shell_exec:file rx_file_perms;
+ ')
+')
diff --git a/crashlogd/property.te b/crashlogd/property.te
index f5e9e60e..bed13ea8 100644
--- a/crashlogd/property.te
+++ b/crashlogd/property.te
@@ -1 +1,5 @@
 type vendor_crashlogd_prop, property_type;
+type vendor_core_prop, property_type;
+type vendor_apklogfs_prop, property_type;
+type vendor_aplogfs_prop, property_type;
+type vendor_elogs_prop, property_type;
diff --git a/crashlogd/property_contexts b/crashlogd/property_contexts
index 37739866..3048dda3 100644
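Review bot: inside the one userdebug_or_eng block, `permissive logsvc;` is combined with `dontaudit logsvc self:capability *;`, `dontaudit logsvc misc_logd_file:dir *;` and `dontaudit logsvc sysfs:file *;`, which hides exactly the denials a permissive domain exists to surface; drop the wildcard dontaudits (or the `permissive` line) so the log shows what the service still needs before it can be enforcing. `allow logsvc vendor_toolbox_exec:file entrypoint;` additionally lets the toybox binary serve as an entry point into the logsvc domain beyond the logsvc_exec entry that init_daemon_domain sets up; if it only exists because scripts are started through `/vendor/bin/sh`, the `execute_no_trans` and `rx_file_perms` lines already cover that and the entrypoint grant should go or be justified in a comment. The `not_full_treble`/`full_treble_only` blocks also repeat the unconditional vendor_toolbox_exec rules above them.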
--- a/crashlogd/property_contexts
+++ b/crashlogd/property_contexts
@@ -1,2 +1,7 @@
 # user changable crashlogd properties
 persist.vendor.crashlogd. u:object_r:vendor_crashlogd_prop:s0
+persist.vendor.core.enabled u:object_r:vendor_core_prop:s0
+# user changable aplog properties
+persist.vendor.service.apklogfs.enable u:object_r:vendor_apklogfs_prop:s0
+persist.vendor.service.aplogfs.enable u:object_r:vendor_aplogfs_prop:s0
+persist.vendor.service.elogs.enable u:object_r:vendor_elogs_prop:s0
diff --git a/crashlogd/servicemanger.te b/crashlogd/servicemanger.te
new file mode 100644
index 00000000..faa0ddb8
--- /dev/null
+++ b/crashlogd/servicemanger.te
@@ -0,0 +1,7 @@
+userdebug_or_eng(`
+ allow servicemanager crashlogd:dir search;
+ allow servicemanager crashlogd:process getattr;
+ allow servicemanager crashlogd:file {open read};
+ allow servicemanager dumpstate_dropbox:dir search;
+ allow servicemanager dumpstate_dropbox:file r_file_perms;
+')
diff --git a/crashlogd/system_app.te b/crashlogd/system_app.te
index c8c9b336..e4b494cf 100644
--- a/crashlogd/system_app.te
+++ b/crashlogd/system_app.te
@@ -4,5 +4,7 @@ get_prop(system_app, vendor_crashlogd_prop)
-allow system_app debugfs:dir r_dir_perms;
-
+# for aplog
+allow system_app log_file:dir create_dir_perms;
+allow system_app log_file:file create_file_perms;
+allow system_app log_file:filesystem getattr;
diff --git a/crashlogd/vendor_init.te b/crashlogd/vendor_init.te
new file mode 100644
index 00000000..59e0a53d
--- /dev/null
+++ b/crashlogd/vendor_init.te
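Review bot: the new file is named crashlogd/servicemanger.te while the domain it holds rules for is servicemanager; the per-domain naming used elsewhere in this commit (crashlogd.te, dumpstate.te, vendor_init.te) would put these lines in servicemanager.te, and the misspelling will keep the file from being found by anyone searching for that domain's rules. The rules themselves are userdebug-only /proc lookups by servicemanager on crashlogd and dumpstate_dropbox and are consistent with the other debug grants on this page.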
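Review bot: `allow system_app log_file:dir create_dir_perms;` and `allow system_app log_file:file create_file_perms;` are unconditional and cover every app running as system_app, while the producer side in crashlogd/logsvc.te is entirely inside userdebug_or_eng; on user builds this leaves a write path into the log tree with no producer, and on every build it is much wider than the single app that `# for aplog` implies. Either wrap the three lines in `userdebug_or_eng(\`…')` to match logsvc, or name the app in the comment and give it its own domain through seapp_contexts so the grant can be scoped to it.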
@@ -0,0 +1,17 @@
+set_prop(vendor_init, vendor_core_prop)
+set_prop(vendor_init, vendor_crashlogd_prop)
+
+allow vendor_init log_file:dir create_dir_perms;
+set_prop(vendor_init, vendor_apklogfs_prop)
+set_prop(vendor_init, vendor_aplogfs_prop)
+set_prop(vendor_init, logpersistd_logging_prop)
+
+userdebug_or_eng(`
+ allow vendor_init cache_file:lnk_file r_file_perms;
+ allow vendor_init cache_file:dir create_dir_perms;
+ allow vendor_init log_file:dir { relabelfrom relabelto };
+ allow vendor_init log_file:lnk_file create_file_perms;
+ allow vendor_init cache_file:dir { relabelfrom relabelto };
+# data_between_core_and_vendor_violators
+ allow vendor_init system_data_file:dir create_dir_perms;
+')
diff --git a/crashlogd/vendor_shell.te b/crashlogd/vendor_shell.te
index 02c567b4..8bab105a 100644
--- a/crashlogd/vendor_shell.te
+++ b/crashlogd/vendor_shell.te
@@ -1,5 +1,3 @@
-# enable the change of crashlog properties
 userdebug_or_eng(`
 set_prop(vendor_shell, vendor_crashlogd_prop)
 ')
-
diff --git a/crashlogd/violators_blacklist.te b/crashlogd/violators_blacklist.te
new file mode 100644
index 00000000..2f56a4a2
--- /dev/null
+++ b/crashlogd/violators_blacklist.te
@@ -0,0 +1,7 @@
+userdebug_or_eng(`
+
+ typeattribute dumpstate_dropbox data_between_core_and_vendor_violators;
+
+')
+
+typeattribute logsvc data_between_core_and_vendor_violators;
diff --git a/usb-gadget/adbd.te b/dbc/adbd.te
similarity index 100%
rename from usb-gadget/adbd.te
rename to dbc/adbd.te
diff --git a/usb-gadget/device.te b/dbc/device.te
similarity index 100%
rename from usb-gadget/device.te
rename to dbc/device.te
diff --git a/dbc/file.te b/dbc/file.te
new file mode 100644
index 00000000..d2e5c11d
--- /dev/null
+++ b/dbc/file.te
@@ -0,0 +1 @@
+type dbc_sysfs, sysfs_type, fs_type;
diff --git a/dbc/file_contexts b/dbc/file_contexts
new file mode 100644
index 00000000..2cf59150
--- /dev/null
+++ b/dbc/file_contexts
@@ -0,0 +1 @@
+/dev/dbc_raw0 u:object_r:dbc_device:s0
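Review bot: the comment `# data_between_core_and_vendor_violators` above `allow vendor_init system_data_file:dir create_dir_perms;` acknowledges that the grant needs vendor_init on that attribute, but crashlogd/violators_blacklist.te in this same commit adds only dumpstate_dropbox and logsvc; unless vendor_init is added to the attribute elsewhere, the core/vendor data neverallow will reject the rule, and if it is added, the comment should say where. `allow vendor_init log_file:dir create_dir_perms;` and the apklogfs/aplogfs/logpersistd_logging_prop set_props are also unconditional while the logsvc policy that consumes them is userdebug-only — confirm user builds need vendor_init to create the log tree, otherwise move those lines into the userdebug_or_eng block.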
diff --git a/dbc/genfs_contexts b/dbc/genfs_contexts
new file mode 100644
index 00000000..78ccce0e
--- /dev/null
+++ b/dbc/genfs_contexts
@@ -0,0 +1,6 @@
+genfscon sysfs /devices/pci0000:00/0000:00:14.0/dbc u:object_r:dbc_sysfs:s0
+genfscon sysfs /bus/pci/devices/0000:00:14.0/dbc u:object_r:dbc_sysfs:s0
+genfscon sysfs /devices/pci0000:00/0000:00:15.0/dbc u:object_r:dbc_sysfs:s0
+genfscon sysfs /bus/pci/devices/0000:00:15.0/dbc u:object_r:dbc_sysfs:s0
+genfscon sysfs /devices/pci0000:00/0000:39:00.0/dbc u:object_r:dbc_sysfs:s0
+genfscon sysfs /bus/pci/devices/0000:39:00.0/dbc u:object_r:dbc_sysfs:s0
diff --git a/usb-gadget/init.te b/dbc/init.te
similarity index 100%
rename from usb-gadget/init.te
rename to dbc/init.te
diff --git a/debug-logs/dumpstate.te b/debug-logs/dumpstate.te
deleted file mode 100644
index 84a6ae54..00000000
--- a/debug-logs/dumpstate.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# dumpstate
-#
-
-allow dumpstate log_file:file r_file_perms;
diff --git a/debug-logs/file_contexts b/debug-logs/file_contexts
deleted file mode 100644
index 3ed4b3c9..00000000
--- a/debug-logs/file_contexts
+++ /dev/null
@@ -1,14 +0,0 @@
-# earlylogs entry point script
-(/system)?/vendor/bin/elogs.sh u:object_r:logsvc_exec:s0
-
-(/system)?/vendor/bin/start_log_srv.sh u:object_r:logsvc_exec:s0
-
-# ap[k]_logfs entry point script
-# this is also used by debug-npk, which is dependent on debug-logs
-(/system)?/vendor/bin/logcat_ep.sh u:object_r:logsvc_exec:s0
-
-# earlylogs logs target
-/cache/elogs(/.*)? u:object_r:log_file:s0
-
-# Logs
-/data/logs(/.*)? u:object_r:log_file:s0
diff --git a/debug-logs/logsvc.te b/debug-logs/logsvc.te
deleted file mode 100644
index 5073a233..00000000
--- a/debug-logs/logsvc.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# Rules for debug-logs specific services
-type logsvc, domain;
-type logsvc_exec, exec_type, file_type, vendor_file_type;
-
-init_daemon_domain(logsvc);
-
-userdebug_or_eng(`
- permissive logsvc;
-')
-
-dontaudit logsvc self:capability { dac_override sys_nice };
-dontaudit logsvc self:capability2 syslog;
-
-dontaudit logsvc log_file:file create_file_perms;
-dontaudit logsvc log_file:dir rw_dir_perms;
-
-dontaudit logsvc logdr_socket:sock_file write;
-dontaudit logsvc logd:unix_stream_socket connectto;
-
-dontaudit logsvc kmsg_device:chr_file { open read };
-dontaudit logsvc kernel:system syslog_read;
-
-set_prop(logsvc, ctl_default_prop)
-
-dontaudit logsvc logsvc_exec:file execute_no_trans;
-
-# Execute toolbox/toybox commands
-
-dontaudit logsvc cache_file:dir r_dir_perms;
-dontaudit logsvc cache_file:file r_file_perms;
-
-not_full_treble(`
- dontaudit logsvc toolbox_exec:file rx_file_perms;
- dontaudit logsvc shell_exec:file rx_file_perms;
-')
-
-full_treble_only(`
- dontaudit logsvc vendor_toolbox_exec:file rx_file_perms;
- dontaudit logsvc vendor_shell_exec:file rx_file_perms;
-')
-
diff --git a/debug-logs/nfc.te b/debug-logs/nfc.te
deleted file mode 100644
index ef12e4a3..00000000
--- a/debug-logs/nfc.te
+++ /dev/null
@@ -1,5 +0,0 @@
-#
-# nfc
-#
-
-allow nfc log_file:file write;
diff --git a/debug-logs/system_app.te b/debug-logs/system_app.te
deleted file mode 100644
index 806ee693..00000000
--- a/debug-logs/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-#
-# system_app
-#
-
-allow system_app log_file:dir create_dir_perms;
-allow system_app log_file:file create_file_perms;
-allow system_app log_file:filesystem getattr;
diff --git a/debug-logs/vdc.te b/debug-logs/vdc.te
deleted file mode 100644
index d0a33993..00000000
--- a/debug-logs/vdc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow vdc log_file:dir r_dir_perms;
-allow vdc log_file:file r_file_perms;
diff --git a/debug-phonedoctor/crashreport_app.te b/debug-phonedoctor/crashreport_app.te
index 2fc8c122..10b951cd 100644
--- a/debug-phonedoctor/crashreport_app.te
+++ b/debug-phonedoctor/crashreport_app.te
@@ -11,10 +11,6 @@ userdebug_or_eng(`
 binder_service(crashreport_app)
 #============= crashreport_app ==============
- module_only(`debug_crashlogd', `
- allow crashreport_app crashlogd_prop:file r_file_perms;
- ')
-
 allow crashreport_app crashreport_app_data_file:dir create_dir_perms;
 allow crashreport_app crashreport_app_data_file:file create_file_perms;
 allow crashreport_app crashreport_app_data_file:file r_file_perms;
@@ -25,6 +21,11 @@ userdebug_or_eng(`
 dontaudit crashreport_app property_socket:sock_file w_file_perms;
 dontaudit crashreport_app system_prop:property_service set;
+ dontaudit crashreport_app vendor_default_prop: property_service set;
+ dontaudit crashreport_app vendor_default_prop:file *;
+ dontaudit crashreport_app vendor_core_prop:file *;
+ dontaudit crashreport_app runtime_event_log_tags_file:file *;
+ dontaudit crashreport_app vendor_crashlogd_prop:file *;
 # any rules that violate neverallows can go here
 dontaudit crashreport_app serialno_prop:file r_file_perms;
diff --git a/debug-phonedoctor/file.te b/debug-phonedoctor/file.te
index cb767ad1..a566f30a 100644
--- a/debug-phonedoctor/file.te
+++ b/debug-phonedoctor/file.te
@@ -1,2 +1,2 @@
 # Always define since seapp contexts does not support m4 macro support.
-type crashreport_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type crashreport_app_data_file, file_type, data_file_type, mlstrustedobject;
diff --git a/debug-phonedoctor/installd.te b/debug-phonedoctor/installd.te
index 06fd78f7..1c32f397 100644
--- a/debug-phonedoctor/installd.te
+++ b/debug-phonedoctor/installd.te
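Review bot: `dontaudit crashreport_app vendor_default_prop: property_service set;` has a stray space after the colon, un like the four lines added with it and the rest of the block; checkpolicy accepts it but it breaks the file's style and defeats a grep for `vendor_default_prop:property_service`, so write it as `dontaudit crashreport_app vendor_default_prop:property_service set;`. The five new dontaudits are also inserted above the `# any rules that violate neverallows can go here` marker without a note of which denial each one silences, which the block otherwise tries to document. Both hunks sit inside a userdebug_or_eng block that opens before this hunk.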
@@ -1,5 +1,5 @@
 userdebug_or_eng(`
 allow installd crashreport_app_data_file:dir create_dir_perms;
 allow installd crashreport_app_data_file:dir relabelto;
- allow installd crashreport_app_data_file:file { relabelto unlink getattr };
+ allow installd crashreport_app_data_file:file { relabelto unlink };
 ')
diff --git a/debug-phonedoctor/property.te b/debug-phonedoctor/property.te
deleted file mode 100644
index 1da0ebad..00000000
--- a/debug-phonedoctor/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type ctl_logconfig_prop, property_type;
diff --git a/debug-phonedoctor/property_contexts b/debug-phonedoctor/property_contexts
deleted file mode 100644
index c8364a51..00000000
--- a/debug-phonedoctor/property_contexts
+++ /dev/null
@@ -1 +0,0 @@
-ctl.logconfig u:object_r:ctl_logconfig_prop:s0
diff --git a/debug-phonedoctor/violators_blacklist.te b/debug-phonedoctor/violators_blacklist.te
new file mode 100644
index 00000000..86e52c15
--- /dev/null
+++ b/debug-phonedoctor/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute installd data_between_core_and_vendor_violators;
+
diff --git a/debugfs/dumpstate.te b/debugfs/dumpstate.te
index 6f50c895..d012fdf5 100644
--- a/debugfs/dumpstate.te
+++ b/debugfs/dumpstate.te
@@ -2,5 +2,4 @@
 # dumpstate
 #
-allow dumpstate debugfs_graphics_sync:file r_file_perms;
 dontaudit dumpstate debugfs_graphics_sync:file r_file_perms;
diff --git a/debugfs/file_contexts b/debugfs/file_contexts
index 971842b2..5ab0695d 100644
--- a/debugfs/file_contexts
+++ b/debugfs/file_contexts
@@ -1 +1 @@
-/sys/kernel/debug/sync(/.*)? u:object_r:debugfs_graphics_sync:s0
+/sys/kernel/debug/sync u:object_r:debugfs_graphics_sync:s0
diff --git a/device.te b/device.te
index e284b159..918c7223 100644
--- a/device.te
+++ b/device.te
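Review bot: narrowing `/sys/kernel/debug/sync(/.*)?` to `/sys/kernel/debug/sync` labels only the directory itself as debugfs_graphics_sync, so the files beneath it fall back to the generic debugfs label and the `dontaudit dumpstate debugfs_graphics_sync:file r_file_perms;` kept in debugfs/dumpstate.te just above no longer matches anything; the `allow dumpstate debugfs_graphics_sync:dir r_dir_perms;` added in graphics/mesa/dumpstate.te further down is the only rule that still fits. If suppressing the file reads is still wanted, keep the `(/.*)?`; if not, drop the dontaudit line too. This assumes the debugfs labels are applied from file_contexts rather than genfs_contexts — confirm.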
@@ -1,6 +1 @@
-type sw_sync_device, dev_type;
-type persist_block_device, dev_type;
-type rpmb_block_device, dev_type;
-type cros_ec_device, dev_type;
-type hidraw_device, dev_type;
-type host1x_device, dev_type, mlstrustedobject;
+type i2c_device, dev_type;
diff --git a/domain.te b/domain.te
deleted file mode 100644
index b2563453..00000000
--- a/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow domain system_file:dir r_dir_perms;
diff --git a/drm-default/file_contexts b/drm-default/file_contexts
deleted file mode 100644
index 54b18232..00000000
--- a/drm-default/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.drm@1\.1-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
diff --git a/drm-default/hal_drm_clearkey.te b/drm-default/hal_drm_clearkey.te
deleted file mode 100644
index 976b9fab..00000000
--- a/drm-default/hal_drm_clearkey.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
-type hal_drm_clearkey, domain;
-type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hal_drm_clearkey)
-
-hal_server_domain(hal_drm_clearkey, hal_drm)
-
-vndbinder_use(hal_drm_clearkey);
-
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/drm-default/hal_drm_default.te b/drm-default/hal_drm_default.te
deleted file mode 100644
index 0acbc0d4..00000000
--- a/drm-default/hal_drm_default.te
+++ /dev/null
@@ -1 +0,0 @@
-vndbinder_use(hal_drm_default)
diff --git a/factory-partition/drmserver.te b/factory-partition/drmserver.te
deleted file mode 100644
index 957dcd31..00000000
--- a/factory-partition/drmserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# drm
-#
-
-allow drmserver factory_file:dir r_dir_perms;
-allow drmserver factory_file:file r_file_perms;
diff --git a/factory-partition/dumpstate.te b/factory-partition/dumpstate.te
deleted file mode 100644
index 075da97c..00000000
--- a/factory-partition/dumpstate.te
+++ /dev/null
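Review bot: the hunk removes six dev_type declarations (sw_sync_device, persist_block_device, rpmb_block_device, cros_ec_device, hidraw_device, host1x_device) and leaves only i2c_device, but any file_contexts entry or rule elsewhere in the tree that still names one of them will fail the policy build, and this commit shows no matching removals apart from /dev/sw_sync being relabeled graphics_device in the goldsand and mali-common file_contexts further down. Confirm the remaining references were dropped in the same change, and consider a short comment in device.te recording that the i2c_device type is consumed by carplay/cpserver.te.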
@@ -1 +0,0 @@
-dontaudit dumpstate factory_file:dir getattr;
diff --git a/factory-partition/file.te b/factory-partition/file.te
deleted file mode 100644
index 890e98c1..00000000
--- a/factory-partition/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type factory_file, file_type;
diff --git a/factory-partition/file_contexts b/factory-partition/file_contexts
deleted file mode 100644
index b7dc84ad..00000000
--- a/factory-partition/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/factory(/.*)? u:object_r:factory_file:s0
diff --git a/factory-partition/init.te b/factory-partition/init.te
deleted file mode 100644
index c7efab0a..00000000
--- a/factory-partition/init.te
+++ /dev/null
@@ -1,6 +0,0 @@
-#
-# init
-#
-
-# mount /factory
-allow init factory_file:dir mounton;
diff --git a/file.te b/file.te
deleted file mode 100644
index e4a68e8d..00000000
--- a/file.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type bluetooth_control, dev_type;
-type sysfs_bluetooth, fs_type, sysfs_type;
-type sysfs_thermal_uevent, fs_type, sysfs_type;
-type sysfs_thermal_writable, fs_type, sysfs_type;
-type atvr_device, dev_type;
-type sysfs_coretemp, fs_type, sysfs_type;
-type gpu_pid_stats_file, fs_type, debugfs_type;
-type dbc_sysfs, sysfs_type, fs_type;
-type debugfs_pstate, fs_type, debugfs_type;
diff --git a/file_contexts b/file_contexts
index b68b9369..9c8bb7ca 100644
--- a/file_contexts
+++ b/file_contexts
@@ -1,25 +1,20 @@
-/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
-/sys/module/thermal(/.*)? u:object_r:sysfs_thermal:s0
-
 # USB Gadget Serial Devices
 /dev/ttyGS[0-9]* u:object_r:serial_device:s0
 # Marvell wifi device socket
 /dev/socket/wpa_mlan[0-9] u:object_r:wpa_socket:s0
+/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
+
 # slot-ab with ext4
 /file_contexts.bin u:object_r:rootfs:s0
 /fstab u:object_r:rootfs:s0
 /hwc.lock u:object_r:rootfs:s0
 /ioc-slcan-reboot-timestamp u:object_r:rootfs:s0
 /ioc-cbc-reboot-timestamp u:object_r:rootfs:s0
-/metadata u:object_r:rootfs:s0
 /oem_config u:object_r:config_file:s0
 /preload_module u:object_r:rootfs:s0
 /splash u:object_r:rootfs:s0
 /misc u:object_r:rootfs:s0
 /splash/splash.png u:object_r:rootfs:s0
 /bootloader u:object_r:rootfs:s0
-/boot u:object_r:rootfs:s0
-/persistent u:object_r:rootfs:s0
-/tos u:object_r:rootfs:s0
diff --git a/fota/platform_app.te b/fota/platform_app.te
new file mode 100644
index 00000000..df151aae
--- /dev/null
+++ b/fota/platform_app.te
@@ -0,0 +1,3 @@
+allow platform_app recovery_service:service_manager find;
+allow platform_app cache_recovery_file:file create_file_perms;
+allow platform_app cache_recovery_file:dir create_dir_perms;
diff --git a/graphics/goldsand/file_contexts b/graphics/goldsand/file_contexts
new file mode 100644
index 00000000..b3e3bf8d
--- /dev/null
+++ b/graphics/goldsand/file_contexts
@@ -0,0 +1,3 @@
+# devices
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/sw_sync u:object_r:graphics_device:s0
diff --git a/graphics/goldsand/surfaceflinger.te b/graphics/goldsand/surfaceflinger.te
new file mode 100644
index 00000000..1d6be4b8
--- /dev/null
+++ b/graphics/goldsand/surfaceflinger.te
@@ -0,0 +1,4 @@
+#
+# surfaceflinger
+#
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
diff --git a/graphics/mali-common/file.te b/graphics/mali-common/file.te
new file mode 100644
index 00000000..dfe66e29
--- /dev/null
+++ b/graphics/mali-common/file.te
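Review bot: `allow platform_app recovery_service:service_manager find;` together with `create_file_perms`/`create_dir_perms` on cache_recovery_file hands every platform-signed app, not just the updater, the ability to stage files where recovery reads its OTA input and to reach the recovery service; a grant of that weight belongs to a dedicated app domain selected through seapp_contexts (as carplay/seapp_contexts on this page does for its apps) rather than to platform_app as a whole. At minimum, a header comment naming the app that needs it would let a later reviewer tighten the scope.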
@@ -0,0 +1 @@
+type sysfs_graphics_writable, fs_type, sysfs_type;
diff --git a/graphics/mali-common/file_contexts b/graphics/mali-common/file_contexts
new file mode 100644
index 00000000..51158573
--- /dev/null
+++ b/graphics/mali-common/file_contexts
@@ -0,0 +1,12 @@
+# mali dev devices are system system 0666 thus we label as gpu device to accessable
+# to appdomain
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+
+# dcc is system system 0660 and as such is not accessable to all and it thus labeled
+# as graphics device
+/dev/dcc u:object_r:graphics_device:s0
+
+# sw_sync is used by HW composer only, label as graphics device
+/dev/sw_sync u:object_r:graphics_device:s0
+
+/sys/devices/virtual/mali/pm/max_freq_level u:object_r:sysfs_graphics_writable:s0
diff --git a/graphics/mali-common/system_app.te b/graphics/mali-common/system_app.te
new file mode 100644
index 00000000..71b55cb2
--- /dev/null
+++ b/graphics/mali-common/system_app.te
@@ -0,0 +1 @@
+allow system_app sysfs_graphics_writable:file rw_file_perms;
diff --git a/graphics/mali-common/system_server.te b/graphics/mali-common/system_server.te
new file mode 100644
index 00000000..ce4aef1c
--- /dev/null
+++ b/graphics/mali-common/system_server.te
@@ -0,0 +1 @@
+allow system_server sysfs_graphics_writable:file rw_file_perms;
diff --git a/graphics/mali-rockchip/file_contexts b/graphics/mali-rockchip/file_contexts
new file mode 100644
index 00000000..c8dae9e5
--- /dev/null
+++ b/graphics/mali-rockchip/file_contexts
@@ -0,0 +1 @@
+/dev/rga u:object_r:gpu_device:s0
diff --git a/graphics/mesa/adbd.te b/graphics/mesa/adbd.te
index e1e7b448..9243dc48 100644
--- a/graphics/mesa/adbd.te
+++ b/graphics/mesa/adbd.te
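Review bot: the rationale comments in graphics/mali-common/file_contexts are hard to parse ("thus we label as gpu device to accessable to appdomain", "is not accessable to all and it thus labeled"), and since they are the only record of why /dev/mali* gets the app-reachable gpu_device label while /dev/dcc does not, they should read cleanly: `# /dev/mali* nodes are system:system 0666, so label them gpu_device to keep them reachable from appdomain` and `# /dev/dcc is system:system 0660 and not app-accessible, so label it graphics_device`. The `/sys/devices/virtual/mali/pm/max_freq_level` entry would also benefit from a one-line note on who writes it, given both system_app and system_server get rw on sysfs_graphics_writable in the hunks below.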
@@ -3,4 +3,4 @@ allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file { read open };
 allow adbd gpu_device:dir search;
 allow adbd gpu_device:chr_file r_file_perms;
-allow adbd hal_graphics_allocator_default_tmpfs:file { read write map };
+allow adbd hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/mesa/appdomain.te b/graphics/mesa/appdomain.te
index 8e085c69..616abc29 100644
--- a/graphics/mesa/appdomain.te
+++ b/graphics/mesa/appdomain.te
@@ -1,7 +1,5 @@
 # graphics buffer passed to applications for screencap and rendering
 #allow appdomain surfaceflinger_tmpfs:file { read write };
 allow appdomain hal_graphics_allocator_default_tmpfs:file { read write map };
-allow appdomain hal_graphics_composer_default_tmpfs:file { read write map };
 allow appdomain gpu_device:dir r_dir_perms;
 allow { appdomain -isolated_app } sysfs_app_readable:file r_file_perms;
-allow appdomain app_fuse_file:file map;
diff --git a/graphics/mesa/bootanim.te b/graphics/mesa/bootanim.te
index 347ccbcd..1d8d864f 100644
--- a/graphics/mesa/bootanim.te
+++ b/graphics/mesa/bootanim.te
@@ -1,3 +1,3 @@
-allow bootanim sysfs_app_readable:file r_file_perms;
 allow bootanim gpu_device:chr_file rw_file_perms;
 allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa/coreu.te b/graphics/mesa/coreu.te
new file mode 100644
index 00000000..aa7f6cab
--- /dev/null
+++ b/graphics/mesa/coreu.te
@@ -0,0 +1,65 @@
+#
+# coreu
+#
+
+# Rules for vendor/intel/ufo
+type coreu, domain;
+type coreu_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(coreu);
+
+allow coreu self:capability { sys_admin sys_nice ipc_lock };
+
+# Need to use vendor binder
+vndbinder_use(coreu)
+not_full_treble(`
+ binder_service(coreu)
+ binder_call(coreu, surfaceflinger)
+')
+binder_call(coreu, msync)
+# Allow coreu to find the msync service
+allow coreu msync_service:service_manager find;
+# Find hwc.info service
+allow coreu hwc_info_service:service_manager find;
+# Register the coreu service with binder
+add_service(coreu, coreu_service)
+
+allow coreu self:netlink_kobject_uevent_socket create_socket_perms;
+allowxperm coreu self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+# character devices
+allow coreu gpu_device:dir r_dir_perms;
+allow coreu gpu_device:chr_file rw_file_perms;
+
+module_only(`debug_mpm', `
+ allow coreu msr_device:chr_file rw_file_perms;
+')
+
+allow coreu sysfs:file write;
+
+# create temp dirs
+allow coreu tmpfs:dir w_dir_perms;
+
+# XXX Narrow sysfs access
+# path="/sys/bus/pci/devices"
+# path="/sys/devices/pci0000:00/0000:00:00.0/config"
+allow coreu sysfs:dir r_dir_perms;
+allow coreu sysfs:file rw_file_perms;
+
+# gfx access
+allow coreu sysfs_gfx:file rw_file_perms;
+
+allow coreu proc_graphics:file r_file_perms;
+
+#debugfs
+allow coreu debugfs_tracing:file rw_file_perms;
+allow coreu debugfs_graphics:file rw_file_perms;
+
+# drm detecting
+allow coreu mediadrmserver:process signull;
+
+#vendor data file
+allow coreu coreu_data_file:dir create_dir_perms;
+allow coreu coreu_data_file:file create_file_perms;
+
+#sysfs
+allow coreu sysfs_app_readable:file { read write };
diff --git a/graphics/mesa/domain.te b/graphics/mesa/domain.te
new file mode 100644
index 00000000..9e726eb7
--- /dev/null
+++ b/graphics/mesa/domain.te
@@ -0,0 +1 @@
+allow domain sysfs_app_readable:dir search;
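Review bot: `allow coreu sysfs:dir r_dir_perms;` and `allow coreu sysfs:file rw_file_perms;` grant read/write on everything carrying the generic `sysfs` label, while the `# XXX Narrow sysfs access` comment directly above them already lists the two paths actually needed; the earlier `allow coreu sysfs:file write;` is then redundant with `rw_file_perms`. The file already introduces dedicated labels (`sysfs_gfx`, `sysfs_app_readable`) for specific nodes, so the same pattern applies here: label the listed paths (via genfscon, since they live in sysfs) and grant on that type, dropping the three broad rules. Combined with `self:capability { sys_admin sys_nice ipc_lock }` and `debugfs_tracing:file rw_file_perms`, this domain is otherwise close to unconfined with respect to sysfs and debugfs, which deserves at least a comment stating why.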
diff --git a/graphics/mesa/dumpstate.te b/graphics/mesa/dumpstate.te
new file mode 100644
index 00000000..ea688fb3
--- /dev/null
+++ b/graphics/mesa/dumpstate.te
@@ -0,0 +1,4 @@
+dontaudit dumpstate graphics_device:dir search;
+allow dumpstate debugfs_graphics_sync:dir r_dir_perms;
+allow dumpstate debugfs_mmc:dir r_dir_perms;
+allow dumpstate sysfs_zram:dir r_dir_perms;
diff --git a/graphics/mesa/file.te b/graphics/mesa/file.te
index 6899feec..e05a3747 100644
--- a/graphics/mesa/file.te
+++ b/graphics/mesa/file.te
@@ -1,2 +1,23 @@
+# GFX
+# XXX Currently this file access was reverted in
+# commit 523d705d8ce68f40a111e851f5d9f65788e1807b
+# under the mixins directory.
+# It was marked as a revert, so we don't ditch
+# the sepolicy at this time.
+# Reviewed-on: https://android.intel.com:443/438133
+type sysfs_gfx, fs_type, sysfs_type;
+
+# i915 videostatus
+type sysfs_videostatus, fs_type, sysfs_type;
+
+# i915 related /proc/driver entry.
+type proc_graphics, fs_type, proc_type;
+
+type debugfs_graphics, fs_type, debugfs_type;
+
 type sysfs_app_readable, fs_type, sysfs_type;
+
 typeattribute hal_graphics_allocator_default_tmpfs mlstrustedobject;
+
+#coreu data/vendor permission
+type coreu_data_file, file_type, data_file_type;
diff --git a/graphics/mesa/file_contexts b/graphics/mesa/file_contexts
index 3c31ee84..de999e09 100644
--- a/graphics/mesa/file_contexts
+++ b/graphics/mesa/file_contexts
@@ -2,20 +2,32 @@
 /dev/dri(/.*)? u:object_r:gpu_device:s0
 /dev/sw_sync u:object_r:graphics_device:s0
-/sys/devices/pci0000\:00/0000\:00\:02.0/config u:object_r:sysfs_app_readable:s0
-/sys/devices/pci0000:00/0000:00:02.0/vendor u:object_r:sysfs_app_readable:s0
-/sys/devices/pci0000:00/0000:00:02.0/device u:object_r:sysfs_app_readable:s0
-/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor u:object_r:sysfs_app_readable:s0
-/sys/devices/pci0000:00/0000:00:02.0/subsystem_device u:object_r:sysfs_app_readable:s0
-/sys/devices/pci0000:00/0000:00:02.0/uevent u:object_r:sysfs_app_readable:s0
-/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/libdrm_pri\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/libdrm_intel_pri\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/hw/gralloc\.project-celadon\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/dri/i965_dri\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/dri/iris_dri\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/dri/gallium_dri\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/hw/vulkan\.project-celadon\.so u:object_r:same_process_hal_file:s0
+# system or vendor binaries
+(/system)?/vendor/bin/coreu u:object_r:coreu_exec:s0
+(/system)?/vendor/bin/gfxd u:object_r:gfxd_exec:s0
+(/system)?/vendor/bin/msync u:object_r:msync_exec:s0
+
+# GFX
+/sys/devices/pci0000\:00/0000\:00\:02.0/resource0 u:object_r:sysfs_gfx:s0
+
+# i915 videostatus
+/sys/devices/pci0000:00/0000:00:02.0/drm/card0/power/i915_videostatus u:object_r:sysfs_videostatus:s0
+
+/sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0
+
 /vendor/bin/hw/android\.hardware\.graphics\.composer\.allocator@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libdrm_intel\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libpciaccess\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libskuwa\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgrallocclient\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/dri/i965_dri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/vulkan\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libmd\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_intel_pri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_pri\.so u:object_r:same_process_hal_file:s0
+
+#coreu /data/vendor permission
+/data/vendor/coreu(/.*)? u:object_r:coreu_data_file:s0
diff --git a/graphics/mesa/genfs_contexts b/graphics/mesa/genfs_contexts
new file mode 100644
index 00000000..34cd8afa
--- /dev/null
+++ b/graphics/mesa/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /driver/i915rpm/i915_rpm_op u:object_r:proc_graphics:s0
+genfscon sysfs /devices/pci0000:00/0000:00:02.0/ u:object_r:sysfs_app_readable:s0
diff --git a/graphics/mesa/gfxd.te b/graphics/mesa/gfxd.te
new file mode 100644
index 00000000..dc27e676
--- /dev/null
+++ b/graphics/mesa/gfxd.te
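Review bot: The `/sys/...` entries added to file_contexts (`resource0` → `sysfs_gfx`, `i915_videostatus` → `sysfs_videostatus`, and the `/sys/kernel/debug/...` → `debugfs_graphics` line) only take effect for paths that init explicitly restorecons, whereas the genfs_contexts hunk in the same change labels the whole `/devices/pci0000:00/0000:00:02.0/` subtree `sysfs_app_readable`. Unless an init.rc restorecon covers these nodes (not visible here), `resource0` and `i915_videostatus` will actually carry `sysfs_app_readable`, and the `sysfs_gfx`/`sysfs_videostatus` rules in coreu.te and surfaceflinger.te never match. Moving those two nodes into genfs_contexts as more specific `genfscon sysfs` entries is the reliable fix; the same layout is repeated in graphics/mesa_acrn/file_contexts and graphics/mesa_acrn/genfs_contexts.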
@@ -0,0 +1,44 @@
+#
+# gfxd
+#
+
+# Rules for vendor/intel/ufo
+type gfxd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type gfxd, domain;
+ init_daemon_domain(gfxd);
+
+ # Vendor apps are permited to use only stable public services.
+ # per domain.te in system/core
+ #binder_service(gfxd)
+ #binder_use(gfxd)
+
+ # Register the gfxd service with binder
+ dontaudit gfxd gfxd_service:service_manager add;
+
+ permissive gfxd;
+ dontaudit gfxd self:capability_class_set *;
+ dontaudit gfxd kernel:security *;
+ dontaudit gfxd kernel:system *;
+ dontaudit gfxd self:memprotect *;
+ dontaudit gfxd domain:process *;
+ dontaudit gfxd domain:fd *;
+ dontaudit gfxd domain:dir r_dir_perms;
+ dontaudit gfxd domain:lnk_file r_file_perms;
+ dontaudit gfxd domain:{ fifo_file file } rw_file_perms;
+ dontaudit gfxd domain:socket_class_set *;
+ dontaudit gfxd domain:ipc_class_set *;
+ dontaudit gfxd domain:key *;
+ dontaudit gfxd fs_type:filesystem *;
+ dontaudit gfxd {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+ dontaudit gfxd {fs_type dev_type file_type }:{ chr_file file } *;
+ dontaudit gfxd node_type:node *;
+ dontaudit gfxd node_type:{ tcp_socket udp_socket } node_bind;
+ dontaudit gfxd netif_type:netif *;
+ dontaudit gfxd port_type:socket_class_set name_bind;
+ dontaudit gfxd port_type:{ tcp_socket dccp_socket } name_connect;
+ dontaudit gfxd domain:peer recv;
+ dontaudit gfxd domain:binder { call transfer };
+ dontaudit gfxd property_type:property_service set;
+')
diff --git a/graphics/mesa/hal_drm_widevine.te b/graphics/mesa/hal_drm_widevine.te
new file mode 100644
index 00000000..7adde648
--- /dev/null
+++ b/graphics/mesa/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+binder_call(hal_drm_default, coreu)
+allow hal_drm_default coreu_service:service_manager find;
diff --git a/graphics/mesa/hal_graphics_allocator_default.te b/graphics/mesa/hal_graphics_allocator_default.te
index 42ef776b..94913db2 100644
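Review bot: Inside `userdebug_or_eng` the domain is declared `permissive gfxd;` and then given blanket `dontaudit gfxd ...:... *` rules across nearly every class, so on debug builds gfxd runs unconfined and none of its denials reach the audit log, leaving no way to derive an enforcing policy from those builds. Keeping `permissive gfxd;` alone, or only the specific `dontaudit` lines known to be noise, would preserve the audit trail; at minimum a comment such as `# gfxd is intentionally unconfined on debug builds because <reason>` should state the intent. `gfxd_service` and its vndservice_contexts entry are declared unconditionally while the domain only exists on userdebug/eng, which is harmless but worth noting in the same comment. The identical file is added as graphics/mesa_acrn/gfxd.te.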
--- a/graphics/mesa/hal_graphics_allocator_default.te
+++ b/graphics/mesa/hal_graphics_allocator_default.te
@@ -1,18 +1,3 @@
 #============= hal_graphics_allocator_default ==============
 allow hal_graphics_allocator_default gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator_default gpu_device:dir r_dir_perms;
-allowxperm hal_graphics_allocator_default gpu_device:chr_file ioctl {
- DRM_IOCTL_RADEON_SURF_FREE
- DRM_IOCTL_I915_GEM_SET_TILING
- DRM_IOCTL_PRIME_HANDLE_TO_FD
- DRM_IOCTL_GEM_CLOSE
- DRM_IOCTL_VERSION
- VIDIOC_INT_RESET
- DRM_IOCTL_GET_CAP
- DRM_IOCTL_SET_CLIENT_CAP
- DRM_IOCTL_RADEON_FULLSCREEN
- DRM_IOCTL_MODE_GETPLANERESOURCES
- DRM_IOCTL_MODE_GETPLANE
- DRM_IOCTL_MODE_OBJ_GETPROPERTIES
- DRM_IOCTL_MODE_GETPROPERTY
-};
diff --git a/graphics/mesa/hal_graphics_composer_default.te b/graphics/mesa/hal_graphics_composer_default.te
index 3a141372..a49c8c3c 100644
--- a/graphics/mesa/hal_graphics_composer_default.te
+++ b/graphics/mesa/hal_graphics_composer_default.te
@@ -1,18 +1,21 @@
-typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
-
 vndbinder_use(hal_graphics_composer_default)
 binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)
 allow hal_graphics_composer_default cache_file:dir create_dir_perms;
 allow hal_graphics_composer_default cache_file:file create_file_perms;
+allow hal_graphics_composer_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default gpu_device:dir r_dir_perms;
+
+allow hal_graphics_composer_default self:capability sys_admin;
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
-allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_graphics_composer_default hal_graphics_allocator_hwservice:hwservice_manager find;
+add_service(hal_graphics_composer_default, hwc_info_service)
-allow hal_graphics_composer_default gpu_device:dir r_dir_perms;
-allow hal_graphics_composer_default gpu_device:chr_file rw_file_perms;
+hal_client_domain(hal_graphics_composer_default, hal_configstore)
+
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
 allow hal_graphics_composer_default sysfs_app_readable:file r_file_perms;
-allow hal_graphics_composer_default hwc_info_service:service_manager add;
+allow hal_graphics_composer_default vendor_file:file r_file_perms;
diff --git a/graphics/mesa/hal_memtrack_default.te b/graphics/mesa/hal_memtrack_default.te
new file mode 100644
index 00000000..ff802b0c
--- /dev/null
+++ b/graphics/mesa/hal_memtrack_default.te
@@ -0,0 +1,2 @@
+# /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gfx_memtrack/3973
+allow hal_memtrack_default sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa/hal_power_service.te b/graphics/mesa/hal_power_service.te
new file mode 100644
index 00000000..e117e0d7
--- /dev/null
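Review bot: `allow hal_graphics_composer_default self:capability sys_admin;` is added without a comment naming the operation that fails without it; CAP_SYS_ADMIN is the broadest capability a domain can hold and any later audit will ask which denial it answers. The mesa_acrn copy of this file (graphics/mesa_acrn/hal_graphics_composer_default.te, added in this same change) manages without it, which suggests the need is worth confirming, and the same question applies to `allow surfaceflinger self:capability sys_admin;` in the surfaceflinger.te hunk below. I'd add `# CAP_SYS_ADMIN needed for <syscall/ioctl>, see <denial>` above each, or drop the rule where the denial cannot be produced.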
+++ b/graphics/mesa/hal_power_service.te
@@ -0,0 +1 @@
+allow hal_power_service sysfs_app_readable:file rw_file_perms;
diff --git a/graphics/mesa/hdcpd.te b/graphics/mesa/hdcpd.te
new file mode 100644
index 00000000..5a2c7399
--- /dev/null
+++ b/graphics/mesa/hdcpd.te
@@ -0,0 +1,3 @@
+allow hdcpd proc_graphics:file r_file_perms;
+binder_call(hdcpd, hal_graphics_composer_default);
+
diff --git a/graphics/mesa/init.te b/graphics/mesa/init.te
new file mode 100644
index 00000000..ff46793b
--- /dev/null
+++ b/graphics/mesa/init.te
@@ -0,0 +1,5 @@
+#
+# init
+#
+
+allow init { coreu_exec msync_exec }:lnk_file read;
diff --git a/graphics/mesa/mediacodec.te b/graphics/mesa/mediacodec.te
index 2451c12a..79b306ce 100644
--- a/graphics/mesa/mediacodec.te
+++ b/graphics/mesa/mediacodec.te
@@ -1,4 +1,15 @@
-allow mediacodec sysfs_app_readable:file r_file_perms;
-allow mediacodec gpu_device:dir r_dir_perms;
+#
+# mediacodec
+#
+# XXX Refactor to mixin
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+
+allow mediacodec sysfs:dir r_dir_perms;
+allow mediacodec sysfs:file r_file_perms;
+allow mediacodec graphics_device:dir search;
 allow mediacodec hal_graphics_allocator_default_tmpfs:file { read write map };
-allow mediacodec hal_graphics_composer_default_tmpfs:file { read write map};
+
+allow mediacodec coreu_service:service_manager find;
+allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa/mediadrmserver.te b/graphics/mesa/mediadrmserver.te
index 0dab914b..951923c5 100644
--- a/graphics/mesa/mediadrmserver.te
+++ b/graphics/mesa/mediadrmserver.te
@@ -1 +1,3 @@
-allow mediadrmserver sysfs_app_readable:file r_file_perms;
+#
+# mediadrmserver
+#
diff --git a/graphics/mesa/mediaextractor.te b/graphics/mesa/mediaextractor.te
index caafd391..8ec8b5c6 100644
--- a/graphics/mesa/mediaextractor.te
+++ b/graphics/mesa/mediaextractor.te
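Review bot: `allow hal_power_service sysfs_app_readable:file rw_file_perms;` writes to a type whose name and genfscon entry describe it as app-readable: the label covers the entire `/devices/pci0000:00/0000:00:02.0/` subtree, so this grants write to every node under it rather than the one the power HAL tunes, and coreu.te grants `{ read write }` on the same type. A dedicated type for the writable node, as this change already does for `sysfs_videostatus`, keeps the app-readable set read-only and makes the write target auditable. The same rule is added in graphics/mesa_acrn/hal_power_service.te.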
@@ -1 +1,2 @@
-allow mediaextractor fuse:file r_file_perms;
+allow mediaextractor vfat:file r_file_perms;
+
diff --git a/graphics/mesa/mediaserver.te b/graphics/mesa/mediaserver.te
index 23c2bdab..42d5cdfa 100644
--- a/graphics/mesa/mediaserver.te
+++ b/graphics/mesa/mediaserver.te
@@ -1,4 +1,15 @@
-allow mediadrmserver sysfs_app_readable:file r_file_perms;
-allow mediadrmserver gpu_device:dir r_dir_perms;
-allow mediaserver hal_graphics_allocator_default_tmpfs:file { read write map };
+#
+# mediaserver
+#
+
+not_full_treble(`
+ binder_call(mediaserver, coreu)
+ allow mediaserver coreu_service:service_manager find;
+')
+
+#allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver proc_graphics:file r_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver gpu_device:dir r_dir_perms;
+
+allow mediaserver hal_graphics_allocator_default_tmpfs:file { read write map };
diff --git a/graphics/mesa/mediaswcodec.te b/graphics/mesa/mediaswcodec.te
new file mode 100644
index 00000000..d44372ac
--- /dev/null
+++ b/graphics/mesa/mediaswcodec.te
@@ -0,0 +1,10 @@
+#
+# mediaswcodec
+#
+# XXX Refactor to mixin
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+
+allow mediaswcodec hal_graphics_allocator_default_tmpfs:file { read write map };
+allow mediaswcodec gpu_device:dir search;
+allow mediaswcodec gpu_device:chr_file { open read write ioctl };
diff --git a/graphics/mesa/msync.te b/graphics/mesa/msync.te
new file mode 100644
index 00000000..6d3a5b59
--- /dev/null
+++ b/graphics/mesa/msync.te
@@ -0,0 +1,13 @@
+# Rules for vendor/intel/ufo
+type msync, domain;
+type msync_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(msync);
+
+# Need to use vendor binder
+vndbinder_use(msync)
+not_full_treble(`
+ binder_service(msync)
+')
+add_service(msync, msync_service)
+binder_call(msync, coreu)
+binder_call(msync, hdcpd)
diff --git a/graphics/mesa/platform_app.te b/graphics/mesa/platform_app.te
deleted file mode 100644
index 98cc9e2f..00000000
--- a/graphics/mesa/platform_app.te
+++ /dev/null
@@ -1,35 +0,0 @@
-allowxperm platform_app gpu_device:chr_file ioctl {
- DRM_IOCTL_RADEON_IRQ_WAIT
- DRM_IOCTL_PRIME_FD_TO_HANDLE
- DRM_IOCTL_I915_GEM_THROTTLE
- DRM_IOCTL_RADEON_SURF_FREE
- DRM_IOCTL_GEM_CLOSE
- DRM_IOCTL_EXYNOS_G2D_EXEC
- DRM_IOCTL_PRIME_FD_TO_HANDLE
- DRM_IOCTL_VERSION
- DRM_IOCTL_I915_GEM_SET_DOMAIN
- DRM_IOCTL_I915_GEM_MMAP
- VIDIOC_INT_RESET
- DRM_IOCTL_I915_GEM_SET_TILING
- DRM_IOCTL_I915_GEM_EXECBUFFER2
- DRM_IOCTL_I915_GEM_WAIT
- DRM_IOCTL_I915_GETPARAM
- DRM_IOCTL_GET_CAP
- DRM_IOCTL_SET_CLIENT_CAP
- DRM_IOCTL_MODE_GETPLANERESOURCES
- DRM_IOCTL_MODE_GETPLANE
- DRM_IOCTL_I915_GEM_PWRITE
- DRM_IOCTL_MODE_GETPROPERTY
- DRM_IOCTL_MODE_OBJ_GETPROPERTIES
- DRM_IOCTL_RADEON_GEM_SET_DOMAIN
- DRM_IOCTL_I915_GEM_CONTEXT_CREATE
- DRM_IOCTL_I915_GEM_CONTEXT_DESTROY
- DRM_IOCTL_I915_GET_RESET_STATS
- DRM_IOCTL_I915_REG_READ
- DRM_IOCTL_I915_GEM_MMAP_GTT
- 0x6475
- 0x6474
- 0x64bf
- 0x64c0
- 0x64c3
-};
diff --git a/graphics/mesa/shell.te b/graphics/mesa/shell.te
new file mode 100644
index 00000000..29fb3733
--- /dev/null
+++ b/graphics/mesa/shell.te
@@ -0,0 +1,2 @@
+# XXX Audit me BEFORE COMMITING
+allow shell graphics_device:dir search;
diff --git a/graphics/mesa/surfaceflinger.te b/graphics/mesa/surfaceflinger.te
index 51274c02..c3276b7d 100644
--- a/graphics/mesa/surfaceflinger.te
+++ b/graphics/mesa/surfaceflinger.te
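Review bot: `# XXX Audit me BEFORE COMMITING` is being committed as-is above `allow shell graphics_device:dir search;`; either the audit happened, in which case the comment should say what shell needs the directory search for, or it has not and the rule should wait for it. The same file is added unchanged as graphics/mesa_acrn/shell.te, so both copies need the same resolution.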
@@ -1,37 +1,25 @@
-allow surfaceflinger sysfs_app_readable:file r_file_perms;
+#
+# surfaceflinger
+#
+allow surfaceflinger device:dir r_dir_perms;
+allow surfaceflinger self:capability sys_admin;
+
+type surfaceflinger_cache_file, data_file_type, file_type;
+
+not_full_treble(`
+ file_type_auto_trans(surfaceflinger, cache_file, surfaceflinger_cache_file);
+')
+
+allow surfaceflinger cache_file:dir create_dir_perms;
+allow surfaceflinger cache_file:file create_file_perms;
+
+not_full_treble(`
+ binder_call(surfaceflinger, coreu)
+ allow surfaceflinger coreu_service:service_manager find;
+')
+
+allow surfaceflinger sysfs_videostatus:file { getattr w_file_perms };
+
+allow surfaceflinger hal_graphics_allocator_default_tmpfs:file { read write map };
 allow surfaceflinger gpu_device:dir r_dir_perms;
-allowxperm surfaceflinger gpu_device:chr_file ioctl {
- DRM_IOCTL_I915_GEM_EXECBUFFER2
- DRM_IOCTL_I915_GEM_ENTERVT
- DRM_IOCTL_RADEON_IRQ_WAIT
- DRM_IOCTL_I915_GEM_THROTTLE
- VIDIOC_INT_RESET
- DRM_IOCTL_RADEON_SURF_FREE
- DRM_IOCTL_RADEON_GEM_PREAD
- DRM_IOCTL_I915_GEM_PWRITE
- DRM_IOCTL_I915_GEM_SET_DOMAIN
- DRM_IOCTL_GEM_CLOSE
- DRM_IOCTL_PRIME_FD_TO_HANDLE
- DRM_IOCTL_I915_GEM_GET_TILING
- DRM_IOCTL_I915_GEM_MMAP
- DRM_IOCTL_VERSION
- DRM_IOCTL_RADEON_FULLSCREEN
- DRM_IOCTL_GET_CAP
- DRM_IOCTL_SET_CLIENT_CAP
- DRM_IOCTL_MODE_GETPLANERESOURCES
- DRM_IOCTL_RADEON_GEM_SET_DOMAIN
- DRM_IOCTL_MODE_GETPLANE
- DRM_IOCTL_MODE_OBJ_GETPROPERTIES
- DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY
- DRM_IOCTL_I915_GET_RESET_STATS
- DRM_IOCTL_I915_GEM_CONTEXT_CREATE
- DRM_IOCTL_I915_GEM_MMAP_GTT
- DRM_IOCTL_MODE_GETPROPERTY
- DRM_IOCTL_I915_GEM_WAIT
- 0x6475
- 0x6474
- 0x64c3
- 0x64c1
- 0x64bf
- 0x64c0
-};
+allow surfaceflinger sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa/system_server.te b/graphics/mesa/system_server.te
index fcc8528a..8510f03b 100644
--- a/graphics/mesa/system_server.te
+++ b/graphics/mesa/system_server.te
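Review bot: Deleting the `allowxperm surfaceflinger gpu_device:chr_file ioctl { ... }` list removes the only ioctl-level restriction on /dev/dri for this domain: once no `allowxperm` rule exists for the class, any ioctl command is permitted wherever the `ioctl` permission is granted (surfaceflinger's `rw_file_perms` on `gpu_device` presumably comes from the platform policy, which is not visible here). The same rollback happens in the hal_graphics_allocator_default.te hunk and with the deletion of platform_app.te. If the lists were stale, a refreshed list, or at least a comment recording why ioctl filtering is being abandoned for the GPU device, would be better than silent removal.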
@@ -1,4 +1,5 @@
 allow system_server hal_graphics_allocator_default_tmpfs:file { read write map };
+allow system_server platform_app:file { read write };
+allow system_server priv_app:file { read write };
 allow system_server gpu_device:dir r_dir_perms;
-allow system_server hal_graphics_composer_default_tmpfs:file { read write map };
 allow system_server sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa/ueventd.te b/graphics/mesa/ueventd.te
deleted file mode 100644
index 36309c59..00000000
--- a/graphics/mesa/ueventd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow ueventd sysfs_app_readable:file rw_file_perms;
diff --git a/graphics/mesa/vendor_init.te b/graphics/mesa/vendor_init.te
new file mode 100644
index 00000000..7565be1e
--- /dev/null
+++ b/graphics/mesa/vendor_init.te
@@ -0,0 +1,7 @@
+allow vendor_init self:capability { sys_module net_raw };
+allow vendor_init vendor_file:system module_load;
+allow vendor_init debugfs_tracing_instances:dir write;
+allow vendor_init mediaserver:process setsched;
+allow vendor_init system_data_file:dir create_dir_perms;
+allow vendor_init self:udp_socket create;
+allow vendor_init coreu_data_file:dir create_dir_perms;
diff --git a/graphics/mesa/violators_blacklist.te b/graphics/mesa/violators_blacklist.te
new file mode 100644
index 00000000..20a504ea
--- /dev/null
+++ b/graphics/mesa/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
+typeattribute vendor_init data_between_core_and_vendor_violators;
diff --git a/graphics/mesa/vndservice.te b/graphics/mesa/vndservice.te
index 8d0d63c3..7f7d0d89 100644
--- a/graphics/mesa/vndservice.te
+++ b/graphics/mesa/vndservice.te
@@ -1 +1,4 @@
-type hwc_info_service, vndservice_manager_type;
+type hwc_info_service, vndservice_manager_type;
+type coreu_service, vndservice_manager_type;
+type msync_service, vndservice_manager_type;
+type gfxd_service, vndservice_manager_type;
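Review bot: `allow vendor_init vendor_file:system module_load;` in the vendor_init.te hunk permits loading kernel modules from anything labelled `vendor_file`, i.e. the bulk of the vendor partition, rather than from the directory that actually holds the modules; paired with `self:capability { sys_module net_raw }` that is a broad grant for a file-labelling mistake to turn into a module-load source. `allow vendor_init system_data_file:dir create_dir_perms;` crosses the core/vendor boundary, which the violators_blacklist.te hunk acknowledges, but a comment naming the directory being created would make the eventual clean-up tractable. I'd introduce a dedicated type for the module directory and narrow the `module_load` rule to it, and add `# creates <directory> under /data for <consumer>` above the `system_data_file` rule.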
diff --git a/graphics/mesa/vndservice_contexts b/graphics/mesa/vndservice_contexts
index 1a3e941e..1e049c83 100644
--- a/graphics/mesa/vndservice_contexts
+++ b/graphics/mesa/vndservice_contexts
@@ -1 +1,4 @@
-hwc.info u:object_r:hwc_info_service:s0
+hwc.info u:object_r:hwc_info_service:s0
+android.hardware.intel.msync u:object_r:msync_service:s0
+android.hardware.intel.coreu u:object_r:coreu_service:s0
+gfxd u:object_r:gfxd_service:s0
diff --git a/graphics/mesa_acrn/adbd.te b/graphics/mesa_acrn/adbd.te
new file mode 100644
index 00000000..9243dc48
--- /dev/null
+++ b/graphics/mesa_acrn/adbd.te
@@ -0,0 +1,6 @@
+# to allow CTS/XTS screen capture through method getScreenshot.
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file { read open };
+allow adbd gpu_device:dir search;
+allow adbd gpu_device:chr_file r_file_perms;
+allow adbd hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/mesa_acrn/appdomain.te b/graphics/mesa_acrn/appdomain.te
new file mode 100644
index 00000000..616abc29
--- /dev/null
+++ b/graphics/mesa_acrn/appdomain.te
@@ -0,0 +1,5 @@
+# graphics buffer passed to applications for screencap and rendering
+#allow appdomain surfaceflinger_tmpfs:file { read write };
+allow appdomain hal_graphics_allocator_default_tmpfs:file { read write map };
+allow appdomain gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_acrn/bootanim.te b/graphics/mesa_acrn/bootanim.te
new file mode 100644
index 00000000..1952d408
--- /dev/null
+++ b/graphics/mesa_acrn/bootanim.te
@@ -0,0 +1,2 @@
+allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_acrn/domain.te b/graphics/mesa_acrn/domain.te
new file mode 100644
index 00000000..9e726eb7
--- /dev/null
+++ b/graphics/mesa_acrn/domain.te
@@ -0,0 +1 @@
+allow domain sysfs_app_readable:dir search;
diff --git a/graphics/mesa_acrn/dumpstate.te b/graphics/mesa_acrn/dumpstate.te
new file mode 100644
index 00000000..ea688fb3
--- /dev/null
+++ b/graphics/mesa_acrn/dumpstate.te
@@ -0,0 +1,4 @@
+dontaudit dumpstate graphics_device:dir search;
+allow dumpstate debugfs_graphics_sync:dir r_dir_perms;
+allow dumpstate debugfs_mmc:dir r_dir_perms;
+allow dumpstate sysfs_zram:dir r_dir_perms;
diff --git a/graphics/mesa_acrn/file.te b/graphics/mesa_acrn/file.te
new file mode 100644
index 00000000..76099255
--- /dev/null
+++ b/graphics/mesa_acrn/file.te
@@ -0,0 +1,22 @@
+# Coreu
+# type coreu_data_file, file_type, data_file_type;
+# GFX
+# XXX Currently this file access was reverted in
+# commit 523d705d8ce68f40a111e851f5d9f65788e1807b
+# under the mixins directory.
+# It was marked as a revert, so we don't ditch
+# the sepolicy at this time.
+# Reviewed-on: https://android.intel.com:443/438133
+type sysfs_gfx, fs_type, sysfs_type;
+
+# i915 videostatus
+type sysfs_videostatus, fs_type, sysfs_type;
+
+# i915 related /proc/driver entry.
+type proc_graphics, fs_type, proc_type;
+
+type debugfs_graphics, fs_type, debugfs_type;
+
+type sysfs_app_readable, fs_type, sysfs_type;
+
+typeattribute hal_graphics_allocator_default_tmpfs mlstrustedobject;
diff --git a/graphics/mesa_acrn/file_contexts b/graphics/mesa_acrn/file_contexts
new file mode 100644
index 00000000..855aeb8b
--- /dev/null
+++ b/graphics/mesa_acrn/file_contexts
@@ -0,0 +1,28 @@
+# devices
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/dev/sw_sync u:object_r:graphics_device:s0
+
+# system or vendor binaries
+(/system)?/vendor/bin/gfxd u:object_r:gfxd_exec:s0
+
+# GFX
+/sys/devices/pci0000\:00/0000\:00\:02.0/resource0 u:object_r:sysfs_gfx:s0
+
+# i915 videostatus
+/sys/devices/pci0000:00/0000:00:02.0/drm/card0/power/i915_videostatus u:object_r:sysfs_videostatus:s0
+
+/sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0
+
+/vendor/bin/hw/android\.hardware\.graphics\.composer\.allocator@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_intel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libpciaccess\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libskuwa\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgrallocclient\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/dri/i965_dri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/vulkan\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libmd\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_intel_pri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_pri\.so u:object_r:same_process_hal_file:s0
diff --git a/graphics/mesa_acrn/genfs_contexts b/graphics/mesa_acrn/genfs_contexts
new file mode 100644
index 00000000..34cd8afa
--- /dev/null
+++ b/graphics/mesa_acrn/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon proc /driver/i915rpm/i915_rpm_op u:object_r:proc_graphics:s0
+genfscon sysfs /devices/pci0000:00/0000:00:02.0/ u:object_r:sysfs_app_readable:s0
diff --git a/graphics/mesa_acrn/gfxd.te b/graphics/mesa_acrn/gfxd.te
new file mode 100644
index 00000000..dc27e676
--- /dev/null
+++ b/graphics/mesa_acrn/gfxd.te
@@ -0,0 +1,44 @@
+#
+# gfxd
+#
+
+# Rules for vendor/intel/ufo
+type gfxd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type gfxd, domain;
+ init_daemon_domain(gfxd);
+
+ # Vendor apps are permited to use only stable public services.
+ # per domain.te in system/core
+ #binder_service(gfxd)
+ #binder_use(gfxd)
+
+ # Register the gfxd service with binder
+ dontaudit gfxd gfxd_service:service_manager add;
+
+ permissive gfxd;
+ dontaudit gfxd self:capability_class_set *;
+ dontaudit gfxd kernel:security *;
+ dontaudit gfxd kernel:system *;
+ dontaudit gfxd self:memprotect *;
+ dontaudit gfxd domain:process *;
+ dontaudit gfxd domain:fd *;
+ dontaudit gfxd domain:dir r_dir_perms;
+ dontaudit gfxd domain:lnk_file r_file_perms;
+ dontaudit gfxd domain:{ fifo_file file } rw_file_perms;
+ dontaudit gfxd domain:socket_class_set *;
+ dontaudit gfxd domain:ipc_class_set *;
+ dontaudit gfxd domain:key *;
+ dontaudit gfxd fs_type:filesystem *;
+ dontaudit gfxd {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+ dontaudit gfxd {fs_type dev_type file_type }:{ chr_file file } *;
+ dontaudit gfxd node_type:node *;
+ dontaudit gfxd node_type:{ tcp_socket udp_socket } node_bind;
+ dontaudit gfxd netif_type:netif *;
+ dontaudit gfxd port_type:socket_class_set name_bind;
+ dontaudit gfxd port_type:{ tcp_socket dccp_socket } name_connect;
+ dontaudit gfxd domain:peer recv;
+ dontaudit gfxd domain:binder { call transfer };
+ dontaudit gfxd property_type:property_service set;
+')
diff --git a/graphics/mesa_acrn/hal_graphics_allocator_default.te b/graphics/mesa_acrn/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..94913db2
--- /dev/null
+++ b/graphics/mesa_acrn/hal_graphics_allocator_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_acrn/hal_graphics_composer_default.te b/graphics/mesa_acrn/hal_graphics_composer_default.te
new file mode 100644
index 00000000..e012f509
--- /dev/null
+++ b/graphics/mesa_acrn/hal_graphics_composer_default.te
@@ -0,0 +1,18 @@
+vndbinder_use(hal_graphics_composer_default)
+
+binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)
+
+allow hal_graphics_composer_default cache_file:dir create_dir_perms;
+allow hal_graphics_composer_default cache_file:file create_file_perms;
+allow hal_graphics_composer_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default gpu_device:dir r_dir_perms;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
+
+add_service(hal_graphics_composer_default, hwc_info_service)
+
+hal_client_domain(hal_graphics_composer_default, hal_configstore)
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+allow hal_graphics_composer_default sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_acrn/hal_memtrack_default.te b/graphics/mesa_acrn/hal_memtrack_default.te
new file mode 100644
index 00000000..ff802b0c
--- /dev/null
+++ b/graphics/mesa_acrn/hal_memtrack_default.te
@@ -0,0 +1,2 @@
+# /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gfx_memtrack/3973
+allow hal_memtrack_default sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_acrn/hal_power_service.te b/graphics/mesa_acrn/hal_power_service.te
new file mode 100644
index 00000000..e117e0d7
--- /dev/null
+++ b/graphics/mesa_acrn/hal_power_service.te
@@ -0,0 +1 @@
+allow hal_power_service sysfs_app_readable:file rw_file_perms;
diff --git a/graphics/mesa_acrn/hdcpd.te b/graphics/mesa_acrn/hdcpd.te
new file mode 100644
index 00000000..ca51530a
--- /dev/null
+++ b/graphics/mesa_acrn/hdcpd.te
@@ -0,0 +1,2 @@
+allow hdcpd proc_graphics:file r_file_perms;
+
diff --git a/graphics/mesa_acrn/mediacodec.te b/graphics/mesa_acrn/mediacodec.te
new file mode 100644
index 00000000..c8bf22ee
--- /dev/null
+++ b/graphics/mesa_acrn/mediacodec.te
@@ -0,0 +1,14 @@
+#
+# mediacodec
+#
+# XXX Refactor to mixin
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+
+allow mediacodec sysfs:dir r_dir_perms;
+allow mediacodec sysfs:file r_file_perms;
+allow mediacodec graphics_device:dir search;
+allow mediacodec hal_graphics_allocator_default_tmpfs:file { read write };
+
+allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_acrn/mediadrmserver.te b/graphics/mesa_acrn/mediadrmserver.te
new file mode 100644
index 00000000..951923c5
--- /dev/null
+++ b/graphics/mesa_acrn/mediadrmserver.te
@@ -0,0 +1,3 @@
+#
+# mediadrmserver
+#
diff --git a/graphics/mesa_acrn/mediaextractor.te b/graphics/mesa_acrn/mediaextractor.te
new file mode 100644
index 00000000..8ec8b5c6
--- /dev/null
+++ b/graphics/mesa_acrn/mediaextractor.te
@@ -0,0 +1,2 @@
+allow mediaextractor vfat:file r_file_perms;
+
diff --git a/graphics/mesa_acrn/mediaserver.te b/graphics/mesa_acrn/mediaserver.te
new file mode 100644
index 00000000..bca3c5fe
--- /dev/null
+++ b/graphics/mesa_acrn/mediaserver.te
@@ -0,0 +1,10 @@
+#
+# mediaserver
+#
+
+#allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver proc_graphics:file r_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
+
+allow mediaserver hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/mesa_acrn/shell.te b/graphics/mesa_acrn/shell.te
new file mode 100644
index 00000000..29fb3733
--- /dev/null
+++ b/graphics/mesa_acrn/shell.te
@@ -0,0 +1,2 @@
+# XXX Audit me BEFORE COMMITING
+allow shell graphics_device:dir search;
diff --git a/graphics/mesa_acrn/surfaceflinger.te b/graphics/mesa_acrn/surfaceflinger.te
new file mode 100644
index 00000000..4bead2dd
--- /dev/null
+++ b/graphics/mesa_acrn/surfaceflinger.te
@@ -0,0 +1,19 @@
+#
+# surfaceflinger
+#
+allow surfaceflinger device:dir r_dir_perms;
+
+type surfaceflinger_cache_file, data_file_type, file_type;
+
+not_full_treble(`
+ file_type_auto_trans(surfaceflinger, cache_file, surfaceflinger_cache_file);
+')
+
+allow surfaceflinger cache_file:dir create_dir_perms;
+allow surfaceflinger cache_file:file create_file_perms;
+
+allow surfaceflinger sysfs_videostatus:file { getattr w_file_perms };
+
+allow surfaceflinger hal_graphics_allocator_default_tmpfs:file { read write };
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_acrn/system_server.te b/graphics/mesa_acrn/system_server.te
new file mode 100644
index 00000000..b90eebd8
--- /dev/null
+++ b/graphics/mesa_acrn/system_server.te
@@ -0,0 +1,5 @@
+allow system_server hal_graphics_allocator_default_tmpfs:file { read write };
+allow system_server platform_app:file { read write };
+allow system_server priv_app:file { read write };
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_app_readable:file r_file_perms;
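Review bot: `# XXX Audit me BEFORE COMMITING` is landing unresolved in mesa_acrn/shell.te, and the identical two-line file is added as mesa_xen/shell.te and ufo_common/shell.te. Either the audit has happened and the comment should say what needs the access (e.g. `# screencap via adb shell needs to traverse /dev/graphics`), or it has not and the rule should stay out until it has. `shell` is the domain every adb session runs in on user builds as well, so anything granted here is reachable from any connected host, which is why the marker deserves resolving rather than carrying forward in three copies.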
diff --git a/graphics/mesa_acrn/violators_blacklist.te b/graphics/mesa_acrn/violators_blacklist.te
new file mode 100644
index 00000000..20a504ea
--- /dev/null
+++ b/graphics/mesa_acrn/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
+typeattribute vendor_init data_between_core_and_vendor_violators;
diff --git a/graphics/mesa_acrn/vndservice.te b/graphics/mesa_acrn/vndservice.te
new file mode 100644
index 00000000..08d68ce3
--- /dev/null
+++ b/graphics/mesa_acrn/vndservice.te
@@ -0,0 +1,2 @@
+type hwc_info_service, vndservice_manager_type;
+type gfxd_service, vndservice_manager_type;
diff --git a/graphics/mesa_acrn/vndservice_contexts b/graphics/mesa_acrn/vndservice_contexts
new file mode 100644
index 00000000..74a05508
--- /dev/null
+++ b/graphics/mesa_acrn/vndservice_contexts
@@ -0,0 +1,2 @@
+hwc.info u:object_r:hwc_info_service:s0
+gfxd u:object_r:gfxd_service:s0
diff --git a/graphics/mesa_xen/adbd.te b/graphics/mesa_xen/adbd.te
new file mode 100644
index 00000000..4d22d74c
--- /dev/null
+++ b/graphics/mesa_xen/adbd.te
@@ -0,0 +1,6 @@
+# to allow CTS/XTS screen capture through method getScreenshot.
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file r_file_perms;
+allow adbd gpu_device:dir search;
+allow adbd gpu_device:chr_file r_file_perms;
+allow adbd hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/mesa_xen/appdomain.te b/graphics/mesa_xen/appdomain.te
new file mode 100644
index 00000000..09ee3538
--- /dev/null
+++ b/graphics/mesa_xen/appdomain.te
@@ -0,0 +1,4 @@
+# graphics buffer passed to applications for screencap and rendering
+allow appdomain hal_graphics_allocator_default_tmpfs:file { read write map };
+allow appdomain sysfs_app_readable:file r_file_perms;
+allow appdomain gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/bootanim.te b/graphics/mesa_xen/bootanim.te
new file mode 100644
index 00000000..347ccbcd
--- /dev/null
+++ b/graphics/mesa_xen/bootanim.te
@@ -0,0 +1,3 @@
+allow bootanim sysfs_app_readable:file r_file_perms;
+allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/dumpstate.te b/graphics/mesa_xen/dumpstate.te
new file mode 100644
index 00000000..ea688fb3
--- /dev/null
+++ b/graphics/mesa_xen/dumpstate.te
@@ -0,0 +1,4 @@
+dontaudit dumpstate graphics_device:dir search;
+allow dumpstate debugfs_graphics_sync:dir r_dir_perms;
+allow dumpstate debugfs_mmc:dir r_dir_perms;
+allow dumpstate sysfs_zram:dir r_dir_perms;
diff --git a/graphics/mesa_xen/file.te b/graphics/mesa_xen/file.te
new file mode 100644
index 00000000..dc8c1887
--- /dev/null
+++ b/graphics/mesa_xen/file.te
@@ -0,0 +1,23 @@
+# Coreu
+# type coreu_data_file, file_type, data_file_type;
+type gfxd_data_file, file_type, data_file_type;
+# GFX
+# XXX Currently this file access was reverted in
+# commit 523d705d8ce68f40a111e851f5d9f65788e1807b
+# under the mixins directory.
+# It was marked as a revert, so we don't ditch
+# the sepolicy at this time.
+# Reviewed-on: https://android.intel.com:443/438133
+type sysfs_gfx, fs_type, sysfs_type;
+
+# i915 videostatus
+type sysfs_videostatus, fs_type, sysfs_type;
+
+# i915 related /proc/driver entry.
+type proc_graphics, fs_type, proc_type;
+
+type debugfs_graphics, fs_type, debugfs_type;
+
+type sysfs_app_readable, fs_type, sysfs_type;
+
+typeattribute hal_graphics_allocator_default_tmpfs mlstrustedobject;
diff --git a/graphics/mesa_xen/file_contexts b/graphics/mesa_xen/file_contexts
new file mode 100644
index 00000000..b38beeaa
--- /dev/null
+++ b/graphics/mesa_xen/file_contexts
@@ -0,0 +1,34 @@
+# data
+/data/logs/gfx u:object_r:gfxd_data_file:s0
+
+# devices
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/dev/sw_sync u:object_r:graphics_device:s0
+
+# system or vendor binaries
+(/system)?/vendor/bin/gfxd u:object_r:gfxd_exec:s0
+
+# GFX
+/sys/devices/pci0000\:00/0000\:00\:02.0/resource0 u:object_r:sysfs_gfx:s0
+/sys/devices/pci0000\:00/0000\:00\:02.0/config u:object_r:sysfs_app_readable:s0
+/sys/devices/pci0000:00/0000:00:02.0/vendor u:object_r:sysfs_app_readable:s0
+/sys/devices/pci0000:00/0000:00:02.0/device u:object_r:sysfs_app_readable:s0
+/sys/devices/pci0000:00/0000:00:02.0/subsystem_vendor u:object_r:sysfs_app_readable:s0
+/sys/devices/pci0000:00/0000:00:02.0/subsystem_device u:object_r:sysfs_app_readable:s0
+/sys/devices/pci0000:00/0000:00:02.0/uevent u:object_r:sysfs_app_readable:s0
+
+# i915 videostatus
+/sys/devices/pci0000:00/0000:00:02.0/drm/card0/power/i915_videostatus u:object_r:sysfs_videostatus:s0
+
+/sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0
+
+/vendor/bin/hw/android\.hardware\.graphics\.composer\.allocator@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_intel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libpciaccess\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libskuwa\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgrallocclient\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libglapi\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/dri/i965_dri\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/vulkan\.broxton\.so u:object_r:same_process_hal_file:s0
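Review bot: the entry `/vendor/bin/hw/android\.hardware\.graphics\.composer\.allocator@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0` looks like two service names fused into one; the upstream binaries are named `android.hardware.graphics.composer@2.1-service` and `android.hardware.graphics.allocator@2.0-service`, so unless the vendor tree really ships a binary with this combined name nothing matches the pattern, the composer starts under the generic vendor executable label with no transition into `hal_graphics_composer_default`, and every rule in hal_graphics_composer_default.te is silently dead. Please confirm the path against the vendor build output (the `typeattribute hal_graphics_composer_default hal_graphics_allocator_server` line in mesa_xen/hal_graphics_composer_default.te suggests a combined process may be intended, in which case a comment here saying so would stop the next reader from "fixing" it). The same entry appears in ufo_common/file_contexts. Separately, `(/system)?/vendor/bin/gfxd` is labelled `gfxd_exec` unconditionally while the `gfxd` domain only exists under userdebug_or_eng, which is fine only as long as nothing starts that binary on user builds.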
diff --git a/graphics/mesa_xen/genfs_contexts b/graphics/mesa_xen/genfs_contexts
new file mode 100644
index 00000000..e5eb946f
--- /dev/null
+++ b/graphics/mesa_xen/genfs_contexts
@@ -0,0 +1 @@
+genfscon proc /driver/i915rpm/i915_rpm_op u:object_r:proc_graphics:s0
diff --git a/graphics/mesa_xen/gfxd.te b/graphics/mesa_xen/gfxd.te
new file mode 100644
index 00000000..7529a7b2
--- /dev/null
+++ b/graphics/mesa_xen/gfxd.te
@@ -0,0 +1,45 @@
+#
+# gfxd
+#
+
+# Rules for vendor/intel/ufo
+type gfxd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type gfxd, domain;
+ init_daemon_domain(gfxd);
+
+ # Vendor apps are permited to use only stable public services.
+ # per domain.te in system/core
+ #binder_service(gfxd)
+ #binder_use(gfxd)
+
+ # Register the gfxd service with binder
+ dontaudit gfxd gfxd_service:service_manager add;
+ allow gfxd sysfs_app_readable:file r_file_perms;
+
+ permissive gfxd;
+ dontaudit gfxd self:capability_class_set *;
+ dontaudit gfxd kernel:security *;
+ dontaudit gfxd kernel:system *;
+ dontaudit gfxd self:memprotect *;
+ dontaudit gfxd domain:process *;
+ dontaudit gfxd domain:fd *;
+ dontaudit gfxd domain:dir r_dir_perms;
+ dontaudit gfxd domain:lnk_file r_file_perms;
+ dontaudit gfxd domain:{ fifo_file file } rw_file_perms;
+ dontaudit gfxd domain:socket_class_set *;
+ dontaudit gfxd domain:ipc_class_set *;
+ dontaudit gfxd domain:key *;
+ dontaudit gfxd fs_type:filesystem *;
+ dontaudit gfxd {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+ dontaudit gfxd {fs_type dev_type file_type }:{ chr_file file } *;
+ dontaudit gfxd node_type:node *;
+ dontaudit gfxd node_type:{ tcp_socket udp_socket } node_bind;
+ dontaudit gfxd netif_type:netif *;
+ dontaudit gfxd port_type:socket_class_set name_bind;
+ dontaudit gfxd port_type:{ tcp_socket dccp_socket } name_connect;
+ dontaudit gfxd domain:peer recv;
+ dontaudit gfxd domain:binder { call transfer };
+ dontaudit gfxd property_type:property_service set;
+')
diff --git a/graphics/mesa_xen/hal_graphics_allocator_default.te b/graphics/mesa_xen/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..94913db2
--- /dev/null
+++ b/graphics/mesa_xen/hal_graphics_allocator_default.te
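Review bot: the block of `dontaudit gfxd ... *` rules directly below `permissive gfxd;` discards exactly the denials that permissive mode exists to collect, so this domain can never be turned into an enforcing policy from logs, and the comment `# Register the gfxd service with binder` sits above a `dontaudit ... add` that silences the registration rather than allowing it. If the intent is a scratch domain on engineering builds, keep `permissive gfxd;` and drop the dontaudit lines (at least the wildcard `*` ones); if the intent is a quiet daemon, make it enforcing with the minimal allow set instead. `# Vendor apps are permited` should read `permitted`. ufo_common/gfxd.te is byte-identical (same blob 7529a7b2) and needs the same change.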
@@ -0,0 +1,3 @@
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/hal_graphics_composer_default.te b/graphics/mesa_xen/hal_graphics_composer_default.te
new file mode 100644
index 00000000..1247d6df
--- /dev/null
+++ b/graphics/mesa_xen/hal_graphics_composer_default.te
@@ -0,0 +1,21 @@
+vndbinder_use(hal_graphics_composer_default)
+
+typeattribute hal_graphics_composer_default hal_graphics_allocator_server;
+
+binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)
+
+allow hal_graphics_composer_default cache_file:dir create_dir_perms;
+allow hal_graphics_composer_default cache_file:file create_file_perms;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
+
+add_service(hal_graphics_composer_default, hwc_info_service)
+
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+allow hal_graphics_composer_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default gpu_device:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_app_readable:file r_file_perms;
+allow hal_graphics_composer_default rootfs:file r_file_perms;
+allow hal_graphics_composer_default vendor_file:file r_file_perms;
diff --git a/graphics/mesa_xen/hal_memtrack_default.te b/graphics/mesa_xen/hal_memtrack_default.te
new file mode 100644
index 00000000..ff802b0c
--- /dev/null
+++ b/graphics/mesa_xen/hal_memtrack_default.te
@@ -0,0 +1,2 @@
+# /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gfx_memtrack/3973
+allow hal_memtrack_default sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_xen/hal_power_service.te b/graphics/mesa_xen/hal_power_service.te
new file mode 100644
index 00000000..e117e0d7
--- /dev/null
+++ b/graphics/mesa_xen/hal_power_service.te
@@ -0,0 +1 @@
+allow hal_power_service sysfs_app_readable:file rw_file_perms;
diff --git a/graphics/mesa_xen/hdcpd.te b/graphics/mesa_xen/hdcpd.te
new file mode 100644
index 00000000..ca51530a
--- /dev/null
+++ b/graphics/mesa_xen/hdcpd.te
@@ -0,0 +1,2 @@
+allow hdcpd proc_graphics:file r_file_perms;
+
diff --git a/graphics/mesa_xen/mediacodec.te b/graphics/mesa_xen/mediacodec.te
new file mode 100644
index 00000000..05d89eb6
--- /dev/null
+++ b/graphics/mesa_xen/mediacodec.te
@@ -0,0 +1,15 @@
+#
+# mediacodec
+#
+# XXX Refactor to mixin
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+
+allow mediacodec sysfs:dir r_dir_perms;
+allow mediacodec sysfs:file r_file_perms;
+allow mediacodec graphics_device:dir search;
+allow mediacodec sysfs_app_readable:file r_file_perms;
+allow mediacodec hal_graphics_allocator_default_tmpfs:file { read write };
+
+allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/mediadrmserver.te b/graphics/mesa_xen/mediadrmserver.te
new file mode 100644
index 00000000..1a15c9be
--- /dev/null
+++ b/graphics/mesa_xen/mediadrmserver.te
@@ -0,0 +1,4 @@
+#
+# mediadrmserver
+#
+allow mediadrmserver sysfs_app_readable:file r_file_perms;
diff --git a/graphics/mesa_xen/mediaextractor.te b/graphics/mesa_xen/mediaextractor.te
new file mode 100644
index 00000000..8ec8b5c6
--- /dev/null
+++ b/graphics/mesa_xen/mediaextractor.te
@@ -0,0 +1,2 @@
+allow mediaextractor vfat:file r_file_perms;
+
diff --git a/graphics/mesa_xen/mediaserver.te b/graphics/mesa_xen/mediaserver.te
new file mode 100644
index 00000000..039b85f1
--- /dev/null
+++ b/graphics/mesa_xen/mediaserver.te
@@ -0,0 +1,11 @@
+#
+# mediaserver
+#
+
+#allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver proc_graphics:file r_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver sysfs_app_readable:file r_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
+
+allow mediaserver hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/mesa_xen/shell.te b/graphics/mesa_xen/shell.te
new file mode 100644
index 00000000..29fb3733
--- /dev/null
+++ b/graphics/mesa_xen/shell.te
@@ -0,0 +1,2 @@
+# XXX Audit me BEFORE COMMITING
+allow shell graphics_device:dir search;
diff --git a/graphics/mesa_xen/surfaceflinger.te b/graphics/mesa_xen/surfaceflinger.te
new file mode 100644
index 00000000..33a4240c
--- /dev/null
+++ b/graphics/mesa_xen/surfaceflinger.te
@@ -0,0 +1,19 @@
+#
+# surfaceflinger
+#
+allow surfaceflinger device:dir r_dir_perms;
+
+type surfaceflinger_cache_file, data_file_type, file_type;
+
+not_full_treble(`
+ file_type_auto_trans(surfaceflinger, cache_file, surfaceflinger_cache_file);
+')
+
+allow surfaceflinger cache_file:dir create_dir_perms;
+allow surfaceflinger cache_file:file create_file_perms;
+
+allow surfaceflinger sysfs_videostatus:file { getattr w_file_perms };
+allow surfaceflinger sysfs_app_readable:file r_file_perms;
+
+allow surfaceflinger hal_graphics_allocator_default_tmpfs:file { read write };
+allow surfaceflinger gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/system_server.te b/graphics/mesa_xen/system_server.te
new file mode 100644
index 00000000..a8e5e334
--- /dev/null
+++ b/graphics/mesa_xen/system_server.te
@@ -0,0 +1,5 @@
+allow system_server sysfs_app_readable:file r_file_perms;
+allow system_server hal_graphics_allocator_default_tmpfs:file { read write };
+allow system_server platform_app:file { read write };
+allow system_server priv_app:file { read write };
+allow system_server gpu_device:dir r_dir_perms;
diff --git a/graphics/mesa_xen/violators_blacklist.te b/graphics/mesa_xen/violators_blacklist.te
new file mode 100644
index 00000000..90df0f21
--- /dev/null
+++ b/graphics/mesa_xen/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
+
diff --git a/graphics/mesa_xen/vndservice.te b/graphics/mesa_xen/vndservice.te
new file mode 100644
index 00000000..08d68ce3
--- /dev/null
+++ b/graphics/mesa_xen/vndservice.te
@@ -0,0 +1,2 @@
+type hwc_info_service, vndservice_manager_type;
+type gfxd_service, vndservice_manager_type;
diff --git a/graphics/mesa_xen/vndservice_contexts b/graphics/mesa_xen/vndservice_contexts
new file mode 100644
index 00000000..74a05508
--- /dev/null
+++ b/graphics/mesa_xen/vndservice_contexts
@@ -0,0 +1,2 @@
+hwc.info u:object_r:hwc_info_service:s0
+gfxd u:object_r:gfxd_service:s0
diff --git a/graphics/software/bootanim.te b/graphics/software/bootanim.te
new file mode 100644
index 00000000..18ea56e2
--- /dev/null
+++ b/graphics/software/bootanim.te
@@ -0,0 +1,2 @@
+set_prop(bootanim, exported_system_prop)
+allow bootanim self:process execmem;
diff --git a/graphics/software/domain.te b/graphics/software/domain.te
new file mode 100644
index 00000000..b609b865
--- /dev/null
+++ b/graphics/software/domain.te
@@ -0,0 +1 @@
+get_prop(domain, exported_system_prop)
diff --git a/graphics/software/hal_graphics_allocator_default.te b/graphics/software/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..e92ec759
--- /dev/null
+++ b/graphics/software/hal_graphics_allocator_default.te
@@ -0,0 +1,2 @@
+allow hal_graphics_allocator_default graphics_device:dir search;
+allow hal_graphics_allocator_default graphics_device:chr_file rw_file_perms;
diff --git a/graphics/software/hal_graphics_composer_default.te b/graphics/software/hal_graphics_composer_default.te
new file mode 100644
index 00000000..7d7d3d55
--- /dev/null
+++ b/graphics/software/hal_graphics_composer_default.te
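Review bot: `set_prop(bootanim, exported_system_prop)` in graphics/software/bootanim.te hands bootanim write access to the whole `exported_system_prop` label, which in the AOSP base policy is a shared label for a number of system properties, so the grant is much wider than the `qemu.`/`ro.kernel.qemu`/`ro.zygote.disable_gl_preload` entries this mixin maps to it in graphics/software/property_contexts. The same widening is repeated for init, surfaceflinger, vendor_init and zygote in the following hunks. A property type declared by this mixin (e.g. `type qemu_prop, property_type;` — name constructed) with the five property_contexts entries pointing at it would keep each `set_prop` scoped to what the software renderer actually needs, and `get_prop(domain, ...)` could target that type as well. Whether the base policy's neverallows accept `set_prop` on `exported_system_prop` from bootanim and surfaceflinger at all is worth checking at build time; `ro.kernel.qemu` is also a read-only property that only init can set from the kernel cmdline, so the set_prop grants buy nothing for it.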
@@ -0,0 +1,18 @@
+vndbinder_use(hal_graphics_composer_default)
+
+binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)
+
+allow hal_graphics_composer_default cache_file:dir create_dir_perms;
+allow hal_graphics_composer_default cache_file:file create_file_perms;
+allow hal_graphics_composer_default gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default gpu_device:dir r_dir_perms;
+
+allow hal_graphics_composer_default self:capability sys_admin;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
+
+hal_client_domain(hal_graphics_composer_default, hal_configstore)
+
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default vendor_file:file r_file_perms;
diff --git a/graphics/software/init.te b/graphics/software/init.te
new file mode 100644
index 00000000..6c558fd1
--- /dev/null
+++ b/graphics/software/init.te
@@ -0,0 +1 @@
+set_prop(init, exported_system_prop)
diff --git a/graphics/software/netd.te b/graphics/software/netd.te
new file mode 100644
index 00000000..b41e8843
--- /dev/null
+++ b/graphics/software/netd.te
@@ -0,0 +1,2 @@
+allow netd kernel:system module_request;
+allow netd self:capability sys_module;
diff --git a/graphics/software/platform_app.te b/graphics/software/platform_app.te
new file mode 100644
index 00000000..4a84726b
--- /dev/null
+++ b/graphics/software/platform_app.te
@@ -0,0 +1 @@
+allow platform_app graphics_device:dir search;
diff --git a/graphics/software/property_contexts b/graphics/software/property_contexts
new file mode 100644
index 00000000..d3bc04bf
--- /dev/null
+++ b/graphics/software/property_contexts
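Review bot: `allow hal_graphics_composer_default self:capability sys_admin;` gives a near-root capability to a HAL that in the three sibling variants of this series (mesa_acrn, mesa_xen, ufo_common) runs with no capability at all, and nothing in the hunk says which operation fails without it. The line needs a comment naming the syscall or ioctl that requires it; if it is a single ioctl on the DRM device, an `allowxperm` on that ioctl combined with the narrowest capability that covers it would be preferable to `sys_admin`. It is also worth checking whether the base policy's neverallows for `hal_graphics_composer_server` already reject this, since the build would then fail on this mixin only.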
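Review bot: `allow netd self:capability sys_module;` together with `allow netd kernel:system module_request;` in graphics/software/netd.te lets netd load kernel modules, which has nothing to do with software graphics and is the kind of grant the base policy normally reserves for init; expect either a neverallow failure at build time or a CTS finding, and if it does build, netd becomes a module-loading path on every software-rendering target. If a module really has to be requested from netd, a comment should name it and the rule belongs in a networking mixin, not under graphics/software/ where nobody will look for it.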
@@ -0,0 +1,6 @@
+qemu. u:object_r:exported_system_prop:s0
+vendor.qemu u:object_r:exported_system_prop:s0
+ro.qemu u:object_r:exported_system_prop:s0
+ro.kernel.qemu u:object_r:exported_system_prop:s0
+ro.zygote.disable_gl_preload u:object_r:exported_system_prop:s0
+
diff --git a/graphics/software/surfaceflinger.te b/graphics/software/surfaceflinger.te
new file mode 100644
index 00000000..5d2966bc
--- /dev/null
+++ b/graphics/software/surfaceflinger.te
@@ -0,0 +1,2 @@
+set_prop(surfaceflinger, exported_system_prop)
+allow surfaceflinger self:process execmem;
diff --git a/graphics/software/system_server.te b/graphics/software/system_server.te
new file mode 100644
index 00000000..455c774b
--- /dev/null
+++ b/graphics/software/system_server.te
@@ -0,0 +1,3 @@
+allow system_server graphics_device:dir search;
+allow system_server graphics_device:chr_file rw_file_perms;
+allow system_server self:process execmem;
diff --git a/graphics/software/vendor_init.te b/graphics/software/vendor_init.te
new file mode 100644
index 00000000..e44bb47a
--- /dev/null
+++ b/graphics/software/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, exported_system_prop)
diff --git a/graphics/software/violators_blacklist.te b/graphics/software/violators_blacklist.te
new file mode 100644
index 00000000..084022ed
--- /dev/null
+++ b/graphics/software/violators_blacklist.te
@@ -0,0 +1 @@
+typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
diff --git a/graphics/software/zygote.te b/graphics/software/zygote.te
new file mode 100644
index 00000000..29c12280
--- /dev/null
+++ b/graphics/software/zygote.te
@@ -0,0 +1 @@
+set_prop(zygote, exported_system_prop)
diff --git a/graphics/ufo_common/adbd.te b/graphics/ufo_common/adbd.te
new file mode 100644
index 00000000..5505101f
--- /dev/null
+++ b/graphics/ufo_common/adbd.te
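Review bot: `allow surfaceflinger self:process execmem;` in graphics/software/surfaceflinger.te, the same line for system_server in graphics/software/system_server.te and for bootanim in graphics/software/bootanim.te, removes the writable-and-executable memory restriction from three core system processes, presumably for a JIT inside the software renderer, and none of the three says so. Each rule should carry a comment naming the library that needs it (`# <renderer lib> JITs shader code — TODO confirm`, name to be filled in) so the rule can be dropped when the renderer changes, and it is worth confirming that the base policy's execmem neverallow accepts these domains, since surfaceflinger and system_server are not normally exempt from it.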
@@ -0,0 +1,3 @@
+# to allow CTS/XTS screen capture through method getScreenshot.
+allow adbd graphics_device:dir search;
+allow adbd graphics_device:chr_file { read open };
diff --git a/graphics/ufo_common/appdomain.te b/graphics/ufo_common/appdomain.te
new file mode 100644
index 00000000..bd679b55
--- /dev/null
+++ b/graphics/ufo_common/appdomain.te
@@ -0,0 +1,8 @@
+#
+# surfaceflinger
+#
+
+# graphics buffer passed to applications for screencap and rendering
+#allow appdomain surfaceflinger_tmpfs:file { read write };
+allow appdomain hal_graphics_allocator_default_tmpfs:file { read write map };
+allow appdomain sysfs_app_readable:file r_file_perms;
diff --git a/graphics/ufo_common/bootanim.te b/graphics/ufo_common/bootanim.te
new file mode 100644
index 00000000..8c4d71ce
--- /dev/null
+++ b/graphics/ufo_common/bootanim.te
@@ -0,0 +1 @@
+allow bootanim sysfs_app_readable:file r_file_perms;
diff --git a/graphics/ufo_common/coreu.te b/graphics/ufo_common/coreu.te
new file mode 100644
index 00000000..f1ab3841
--- /dev/null
+++ b/graphics/ufo_common/coreu.te
@@ -0,0 +1,67 @@
+#
+# coreu
+#
+
+# Rules for vendor/intel/ufo
+type coreu, domain;
+type coreu_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(coreu);
+
+allow coreu self:capability { sys_admin sys_nice ipc_lock };
+
+# Need to use vendor binder
+vndbinder_use(coreu)
+not_full_treble(`
+ binder_service(coreu)
+ binder_call(coreu, surfaceflinger)
+')
+binder_call(coreu, msync)
+# Allow coreu to find the msync service
+allow coreu msync_service:service_manager find;
+# Find hwc.info service
+allow coreu hwc_info_service:service_manager find;
+# Register the coreu service with binder
+add_service(coreu, coreu_service)
+
+# /data/system/coreu data files are created by
+# coreu daemon, thus a dynamic relabel as well
+# as fc entry to catch relabels.
+allow coreu system_data_file:dir ra_dir_perms;
+allow coreu coreu_data_file:dir create_dir_perms;
+allow coreu coreu_data_file:file create_file_perms;
+type_transition coreu system_data_file:{ dir file } coreu_data_file;
+
+allow coreu self:netlink_kobject_uevent_socket create_socket_perms;
+allowxperm coreu self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+# character devices
+allow coreu gpu_device:chr_file rw_file_perms;
+
+module_only(`debug_mpm', `
+ allow coreu msr_device:chr_file rw_file_perms;
+')
+
+allow coreu sysfs:file write;
+
+# create temp dirs
+allow coreu tmpfs:dir w_dir_perms;
+
+# XXX Narrow sysfs access
+# path="/sys/bus/pci/devices"
+# path="/sys/devices/pci0000:00/0000:00:00.0/config"
+allow coreu sysfs:dir r_dir_perms;
+allow coreu sysfs:file rw_file_perms;
+allow coreu sysfs_app_readable:file r_file_perms;
+allow coreu tracing_shell_writable:file rw_file_perms;
+
+# gfx access
+allow coreu sysfs_gfx:file rw_file_perms;
+
+allow coreu proc_graphics:file r_file_perms;
+
+#debugfs
+allow coreu debugfs_tracing:file rw_file_perms;
+allow coreu debugfs_graphics:file rw_file_perms;
+
+# drm detecting
+allow coreu mediadrmserver:process signull;
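Review bot: `allow coreu sysfs:file rw_file_perms;` gives coreu write access to every sysfs node that has no dedicated type, which makes the `sysfs_gfx`, `sysfs_app_readable` and `sysfs_videostatus` types this series introduces meaningless for this domain and leaves the `# XXX Narrow sysfs access` above it as an open item; `allow coreu sysfs:file write;` a few lines earlier is already subsumed by it and can go. Combined with `sys_admin` in the capability set and read-write on `debugfs_tracing`, `debugfs_graphics` and `tracing_shell_writable`, coreu ends up a very privileged vendor daemon, so the two config paths named in the comment should get their own type and the blanket rule should be dropped. The comment on the /data/system/coreu block promises an fc entry, but ufo_common/file_contexts in this series has no /data/system/coreu line, so the directory is only ever labelled through the `type_transition` — please confirm the entry exists elsewhere or add it.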
diff --git a/graphics/ufo_common/dumpstate.te b/graphics/ufo_common/dumpstate.te
new file mode 100644
index 00000000..e83195d7
--- /dev/null
+++ b/graphics/ufo_common/dumpstate.te
@@ -0,0 +1 @@
+dontaudit dumpstate graphics_device:dir search;
diff --git a/graphics/ufo_common/file.te b/graphics/ufo_common/file.te
new file mode 100644
index 00000000..5fed5c56
--- /dev/null
+++ b/graphics/ufo_common/file.te
@@ -0,0 +1,24 @@
+# Coreu
+type coreu_data_file, file_type, data_file_type;
+type gfxd_data_file, file_type, data_file_type, core_data_file_type;
+
+# GFX
+# XXX Currently this file access was reverted in
+# commit 523d705d8ce68f40a111e851f5d9f65788e1807b
+# under the mixins directory.
+# It was marked as a revert, so we don't ditch
+# the sepolicy at this time.
+# Reviewed-on: https://android.intel.com:443/438133
+type sysfs_gfx, fs_type, sysfs_type;
+
+# i915 videostatus
+type sysfs_videostatus, fs_type, sysfs_type;
+
+# i915 related /proc/driver entry.
+type proc_graphics, fs_type, proc_type;
+
+type debugfs_graphics, fs_type, debugfs_type;
+
+type sysfs_app_readable, fs_type, sysfs_type;
+
+typeattribute hal_graphics_allocator_default_tmpfs mlstrustedobject;
diff --git a/graphics/ufo_common/file_contexts b/graphics/ufo_common/file_contexts
new file mode 100644
index 00000000..84e5e858
--- /dev/null
+++ b/graphics/ufo_common/file_contexts
@@ -0,0 +1,29 @@
+# devices
+/dev/dri/card0 u:object_r:gpu_device:s0
+/dev/dri/controlD64 u:object_r:gpu_device:s0
+/dev/sw_sync u:object_r:graphics_device:s0
+
+# system or vendor binaries
+(/system)?/vendor/bin/coreu u:object_r:coreu_exec:s0
+(/system)?/vendor/bin/gfxd u:object_r:gfxd_exec:s0
+(/system)?/vendor/bin/msync u:object_r:msync_exec:s0
+
+# GFX
+/sys/devices/pci0000\:00/0000\:00\:02.0/resource0 u:object_r:sysfs_gfx:s0
+/sys/devices/pci0000\:00/0000\:00\:02.0/config u:object_r:sysfs_app_readable:s0
+
+# i915 videostatus
+/sys/devices/pci0000:00/0000:00:02.0/drm/card0/power/i915_videostatus u:object_r:sysfs_videostatus:s0
+
+/sys/kernel/debug/dri/0/i915_frequency_info u:object_r:debugfs_graphics:s0
+
+/vendor/bin/hw/android\.hardware\.graphics\.composer\.allocator@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdrm_intel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libpciaccess\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libskuwa\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/hw/gralloc\.broxton\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgrallocclient\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libigc\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgrallocgmm\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libplatforminfo\.so u:object_r:same_process_hal_file:s0
diff --git a/graphics/ufo_common/genfs_contexts b/graphics/ufo_common/genfs_contexts
new file mode 100644
index 00000000..e5eb946f
--- /dev/null
+++ b/graphics/ufo_common/genfs_contexts
@@ -0,0 +1 @@
+genfscon proc /driver/i915rpm/i915_rpm_op u:object_r:proc_graphics:s0
diff --git a/graphics/ufo_common/gfxd.te b/graphics/ufo_common/gfxd.te
new file mode 100644
index 00000000..7529a7b2
--- /dev/null
+++ b/graphics/ufo_common/gfxd.te
@@ -0,0 +1,45 @@
+#
+# gfxd
+#
+
+# Rules for vendor/intel/ufo
+type gfxd_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ type gfxd, domain;
+ init_daemon_domain(gfxd);
+
+ # Vendor apps are permited to use only stable public services.
+ # per domain.te in system/core
+ #binder_service(gfxd)
+ #binder_use(gfxd)
+
+ # Register the gfxd service with binder
+ dontaudit gfxd gfxd_service:service_manager add;
+ allow gfxd sysfs_app_readable:file r_file_perms;
+
+ permissive gfxd;
+ dontaudit gfxd self:capability_class_set *;
+ dontaudit gfxd kernel:security *;
+ dontaudit gfxd kernel:system *;
+ dontaudit gfxd self:memprotect *;
+ dontaudit gfxd domain:process *;
+ dontaudit gfxd domain:fd *;
+ dontaudit gfxd domain:dir r_dir_perms;
+ dontaudit gfxd domain:lnk_file r_file_perms;
+ dontaudit gfxd domain:{ fifo_file file } rw_file_perms;
+ dontaudit gfxd domain:socket_class_set *;
+ dontaudit gfxd domain:ipc_class_set *;
+ dontaudit gfxd domain:key *;
+ dontaudit gfxd fs_type:filesystem *;
+ dontaudit gfxd {fs_type dev_type file_type}:{ dir blk_file lnk_file sock_file fifo_file } *;
+ dontaudit gfxd {fs_type dev_type file_type }:{ chr_file file } *;
+ dontaudit gfxd node_type:node *;
+ dontaudit gfxd node_type:{ tcp_socket udp_socket } node_bind;
+ dontaudit gfxd netif_type:netif *;
+ dontaudit gfxd port_type:socket_class_set name_bind;
+ dontaudit gfxd port_type:{ tcp_socket dccp_socket } name_connect;
+ dontaudit gfxd domain:peer recv;
+ dontaudit gfxd domain:binder { call transfer };
+ dontaudit gfxd property_type:property_service set;
+')
diff --git a/graphics/ufo_common/hal_drm_widevine.te b/graphics/ufo_common/hal_drm_widevine.te
new file mode 100644
index 00000000..7adde648
--- /dev/null
+++ b/graphics/ufo_common/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+binder_call(hal_drm_default, coreu)
+allow hal_drm_default coreu_service:service_manager find;
diff --git a/graphics/ufo_common/hal_graphics_composer_default.te b/graphics/ufo_common/hal_graphics_composer_default.te
new file mode 100644
index 00000000..08d345c0
--- /dev/null
+++ b/graphics/ufo_common/hal_graphics_composer_default.te
@@ -0,0 +1,13 @@
+vndbinder_use(hal_graphics_composer_default)
+
+binder_call(hal_graphics_composer_default, hal_graphics_allocator_default)
+
+allow hal_graphics_composer_default cache_file:dir create_dir_perms;
+allow hal_graphics_composer_default cache_file:file create_file_perms;
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
+
+add_service(hal_graphics_composer_default, hwc_info_service)
+
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
diff --git a/graphics/ufo_common/hal_memtrack_default.te b/graphics/ufo_common/hal_memtrack_default.te
new file mode 100644
index 00000000..ff802b0c
--- /dev/null
+++ b/graphics/ufo_common/hal_memtrack_default.te
@@ -0,0 +1,2 @@
+# /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gfx_memtrack/3973
+allow hal_memtrack_default sysfs_app_readable:file r_file_perms;
diff --git a/graphics/ufo_common/hal_power_service.te b/graphics/ufo_common/hal_power_service.te
new file mode 100644
index 00000000..e117e0d7
--- /dev/null
+++ b/graphics/ufo_common/hal_power_service.te
@@ -0,0 +1 @@
+allow hal_power_service sysfs_app_readable:file rw_file_perms;
diff --git a/graphics/ufo_common/hdcpd.te b/graphics/ufo_common/hdcpd.te
new file mode 100644
index 00000000..ca51530a
--- /dev/null
+++ b/graphics/ufo_common/hdcpd.te
@@ -0,0 +1,2 @@
+allow hdcpd proc_graphics:file r_file_perms;
+
diff --git a/graphics/ufo_common/init.te b/graphics/ufo_common/init.te
new file mode 100644
index 00000000..ff46793b
--- /dev/null
+++ b/graphics/ufo_common/init.te
@@ -0,0 +1,5 @@
+#
+# init
+#
+
+allow init { coreu_exec msync_exec }:lnk_file read;
diff --git a/graphics/ufo_common/mediacodec.te b/graphics/ufo_common/mediacodec.te
new file mode 100644
index 00000000..5ccdad0f
--- /dev/null
+++ b/graphics/ufo_common/mediacodec.te
@@ -0,0 +1,15 @@
+#
+# mediacodec
+#
+# XXX Refactor to mixin
+# path="/sys/bus/pci/drivers/i915"
+# path="/sys/devices/pci0000:00/0000:00:02.0/config"
+
+allow mediacodec sysfs:dir r_dir_perms;
+allow mediacodec sysfs:file r_file_perms;
+allow mediacodec graphics_device:dir search;
+allow mediacodec sysfs_app_readable:file r_file_perms;
+allow mediacodec hal_graphics_allocator_default_tmpfs:file { read write };
+
+allow mediacodec coreu_service:service_manager find;
+allow mediacodec system_file:dir r_dir_perms;
diff --git a/graphics/ufo_common/mediadrmserver.te b/graphics/ufo_common/mediadrmserver.te
new file mode 100644
index 00000000..cee77a54
--- /dev/null
+++ b/graphics/ufo_common/mediadrmserver.te
@@ -0,0 +1,7 @@
+#
+# mediadrmserver
+#
+not_full_treble(`
+ allow mediadrmserver coreu_service:service_manager find;
+')
+allow mediadrmserver sysfs_app_readable:file r_file_perms;
diff --git a/graphics/ufo_common/mediaextractor.te b/graphics/ufo_common/mediaextractor.te
new file mode 100644
index 00000000..8ec8b5c6
--- /dev/null
+++ b/graphics/ufo_common/mediaextractor.te
@@ -0,0 +1,2 @@
+allow mediaextractor vfat:file r_file_perms;
+
diff --git a/graphics/ufo_common/mediaserver.te b/graphics/ufo_common/mediaserver.te
new file mode 100644
index 00000000..082eae2c
--- /dev/null
+++ b/graphics/ufo_common/mediaserver.te
@@ -0,0 +1,15 @@
+#
+# mediaserver
+#
+
+not_full_treble(`
+  binder_call(mediaserver, coreu)
+  allow mediaserver coreu_service:service_manager find;
+')
+
+allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver proc_graphics:file r_file_perms;
+allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver sysfs_app_readable:file r_file_perms;
+
+allow mediaserver hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/ufo_common/msync.te b/graphics/ufo_common/msync.te
new file mode 100644
index 00000000..6d3a5b59
--- /dev/null
+++ b/graphics/ufo_common/msync.te
@@ -0,0 +1,13 @@
+# Rules for vendor/intel/ufo
+type msync, domain;
+type msync_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(msync);
+
+# Need to use vendor binder
+vndbinder_use(msync)
+not_full_treble(`
+  binder_service(msync)
+')
+add_service(msync, msync_service)
+binder_call(msync, coreu)
+binder_call(msync, hdcpd)
diff --git a/graphics/ufo_common/nfc.te b/graphics/ufo_common/nfc.te
new file mode 100644
index 00000000..e69de29b
diff --git a/graphics/ufo_common/shell.te b/graphics/ufo_common/shell.te
new file mode 100644
index 00000000..29fb3733
--- /dev/null
+++ b/graphics/ufo_common/shell.te
@@ -0,0 +1,2 @@
+# XXX Audit me BEFORE COMMITING
+allow shell graphics_device:dir search;
diff --git a/graphics/ufo_common/surfaceflinger.te b/graphics/ufo_common/surfaceflinger.te
new file mode 100644
index 00000000..6da6f128
--- /dev/null
+++ b/graphics/ufo_common/surfaceflinger.te
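Review bot: mediaserver.te gives mediaserver `tee_device:chr_file rw_file_perms` and `graphics_device:chr_file rw_file_perms` directly, so a core process that parses untrusted media talks to the TEE and GPU device nodes without going through a vendor HAL. Core policy on recent platform versions restricts tee_device to the tee domain and TEE-backed HALs, so if a neverallow applies this will fail at build time; even where it compiles, the rule should be wrapped in `not_full_treble(` like the coreu rules in the same file, with a comment naming the code path that needs it. Please also confirm whether an `allowxperm` on the device is appropriate instead of unrestricted ioctl.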
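Review bot: shell.te is committed with its own `# XXX Audit me BEFORE COMMITING` marker on `allow shell graphics_device:dir search;`, so the audit the author asked for never happened. A `dir search` on /dev/dri is harmless on its own but is the first step toward opening render nodes from adb shell; either replace the marker with the reason shell needs to traverse graphics_device (e.g. `# shell needs to stat /dev/dri/* for <tool>`) or drop the rule.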
@@ -0,0 +1,23 @@
+#
+# surfaceflinger
+#
+allow surfaceflinger device:dir r_dir_perms;
+
+type surfaceflinger_cache_file, data_file_type, file_type;
+
+not_full_treble(`
+  file_type_auto_trans(surfaceflinger, cache_file, surfaceflinger_cache_file);
+')
+
+allow surfaceflinger cache_file:dir remove_name;
+allow surfaceflinger cache_file:file create_file_perms;
+
+not_full_treble(`
+  binder_call(surfaceflinger, coreu)
+  allow surfaceflinger coreu_service:service_manager find;
+')
+
+allow surfaceflinger sysfs_videostatus:file { getattr w_file_perms };
+allow surfaceflinger sysfs_app_readable:file r_file_perms;
+
+allow surfaceflinger hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/graphics/ufo_common/system_server.te b/graphics/ufo_common/system_server.te
new file mode 100644
index 00000000..b8eff7cf
--- /dev/null
+++ b/graphics/ufo_common/system_server.te
@@ -0,0 +1,3 @@
+allow system_server sysfs_app_readable:file r_file_perms;
+allow system_server hal_graphics_allocator_default_tmpfs:file { read write };
+allow system_server untrusted_app_25:file { read write };
diff --git a/graphics/ufo_common/violators_blacklist.te b/graphics/ufo_common/violators_blacklist.te
new file mode 100644
index 00000000..90df0f21
--- /dev/null
+++ b/graphics/ufo_common/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute hal_graphics_composer_default data_between_core_and_vendor_violators;
+
diff --git a/graphics/ufo_common/vndservice.te b/graphics/ufo_common/vndservice.te
new file mode 100644
index 00000000..7f7d0d89
--- /dev/null
+++ b/graphics/ufo_common/vndservice.te
@@ -0,0 +1,4 @@
+type hwc_info_service, vndservice_manager_type;
+type coreu_service, vndservice_manager_type;
+type msync_service, vndservice_manager_type;
+type gfxd_service, vndservice_manager_type;
diff --git a/graphics/ufo_common/vndservice_contexts b/graphics/ufo_common/vndservice_contexts
new file mode 100644
index 00000000..1e049c83
--- /dev/null
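Review bot: system_server.te grants `allow system_server untrusted_app_25:file { read write };`, which is read/write on file objects carrying an app process label, i.e. /proc/<pid> entries of targetSdk<=25 apps or descriptors they pass in, and only for that one sdk bucket. If the intent is fd passing from apps, write the grant on the `untrusted_app_all` attribute (or `appdomain`) so behaviour does not change when an app retargets, and add a comment naming which file is actually exchanged; if it really is /proc/<pid> access, `write` there is a surprising privilege for system_server and needs justification. As written the rule looks like a single avc denial pasted in without generalising.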
+++ b/graphics/ufo_common/vndservice_contexts
@@ -0,0 +1,4 @@
+hwc.info u:object_r:hwc_info_service:s0
+android.hardware.intel.msync u:object_r:msync_service:s0
+android.hardware.intel.coreu u:object_r:coreu_service:s0
+gfxd u:object_r:gfxd_service:s0
diff --git a/graphics/ufo_gen7/drmserver.te b/graphics/ufo_gen7/drmserver.te
new file mode 100644
index 00000000..0caa3bd0
--- /dev/null
+++ b/graphics/ufo_gen7/drmserver.te
@@ -0,0 +1,2 @@
+# aaccess to /data/IntelCPHS.log
+allow drmserver system_data_file:dir { write add_name };
diff --git a/graphics/ufo_gen7/file_contexts b/graphics/ufo_gen7/file_contexts
new file mode 100644
index 00000000..b43b362c
--- /dev/null
+++ b/graphics/ufo_gen7/file_contexts
@@ -0,0 +1,2 @@
+# DRM
+/data/IntelCPHS.log u:object_r:drm_data_file:s0
diff --git a/graphics/ufo_gen9/borked.te b/graphics/ufo_gen9/borked.te
new file mode 100644
index 00000000..37aafe0c
--- /dev/null
+++ b/graphics/ufo_gen9/borked.te
@@ -0,0 +1,10 @@
+# ufo_gen9 also has a weird design where it setprops its version,
+# causing tons of weird setprops accross the system.
+#
+# https://jira01.devtools.intel.com/browse/OAM-33150
+#
+# When that is fixed, this needs to be corrected to be a get_prop() on a read
+# only property.
+set_prop(bootanim, system_prop)
+set_prop(platform_app, system_prop)
+set_prop(priv_app, system_prop)
diff --git a/hdcpd/file.te b/hdcpd/file.te
new file mode 100644
index 00000000..2cc16800
--- /dev/null
+++ b/hdcpd/file.te
@@ -0,0 +1,2 @@
+ # hdcp
+ type hdcpd_data_file, file_type, data_file_type;
diff --git a/hdcpd/file_contexts b/hdcpd/file_contexts
new file mode 100644
index 00000000..380238a0
--- /dev/null
+++ b/hdcpd/file_contexts
@@ -0,0 +1,6 @@
+# hdcpd
+(/system)?/vendor/bin/hdcpd u:object_r:hdcpd_exec:s0
+
+# Even though hdcpd creates this itself, we keep a fc entry
+# incase we need to relabel existing nodes
+/data/vendor/hdcp(/.*)? u:object_r:hdcpd_data_file:s0
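Review bot: In ufo_gen7/drmserver.te the rule `allow drmserver system_data_file:dir { write add_name };` lets drmserver create entries directly in /data, but nothing in this commit adds a type transition, so a freshly created /data/IntelCPHS.log will be labelled system_data_file rather than the drm_data_file that ufo_gen7/file_contexts declares for it (file_contexts only applies on restorecon). Assuming drmserver already has create rights on drm_data_file from core policy, `file_type_auto_trans(drmserver, system_data_file, drm_data_file)` fixes the label at creation time; better still, move the log under a drm-owned directory and drop the write on the /data root. The comment also has a typo (`aaccess`).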
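Review bot: borked.te hands out `set_prop(bootanim, system_prop)`, `set_prop(platform_app, system_prop)` and `set_prop(priv_app, system_prop)`, which is write access to every property labelled system_prop, not just the UFO version string the comment describes; a compromised priv_app could then set arbitrary sys.* properties. Even as a stopgap the grant should be narrowed to a dedicated type for the one property the driver sets (a `vendor_ufo_prop` mapped in property_contexts), which also makes the `get_prop()` cleanup the comment promises a one-line change. At minimum the tracker link should be paired with a `TODO` naming who removes this and when.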
diff --git a/hdcpd/hal_drm_widevine.te b/hdcpd/hal_drm_widevine.te
new file mode 100644
index 00000000..6e58f453
--- /dev/null
+++ b/hdcpd/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+allow hal_drm_default hdcpd:unix_stream_socket connectto;
+allow hal_drm_default hdcpd_data_file:sock_file write;
diff --git a/hdcpd/hdcpd.te b/hdcpd/hdcpd.te
new file mode 100644
index 00000000..0551481e
--- /dev/null
+++ b/hdcpd/hdcpd.te
@@ -0,0 +1,31 @@
+# Rules for system/bin/dhcpd
+type hdcpd, domain;
+type hdcpd_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(hdcpd);
+
+# need use vendor binder to access msync service
+vndbinder_use(hdcpd)
+not_full_treble(`
+  binder_call(hdcpd, surfaceflinger)
+
+  # Find hwc.info service from surfaceflinger
+  allow hdcpd surfaceflinger_service:service_manager find;
+')
+
+
+allow hdcpd self:netlink_kobject_uevent_socket create_socket_perms;
+allowxperm hdcpd self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL;
+
+# sysfs access
+allow hdcpd sysfs:dir r_dir_perms;
+allow hdcpd sysfs:file r_file_perms;
+
+# gpu_device
+allow hdcpd gpu_device:dir r_dir_perms;
+allow hdcpd gpu_device:chr_file rw_file_perms;
+
+allow hdcpd hdcpd_data_file:dir create_dir_perms;
+allow hdcpd hdcpd_data_file:{ file sock_file } create_file_perms;
+
+# tmpfs
+allow hdcpd tmpfs:dir w_dir_perms;
diff --git a/hdcpd/mediadrmserver.te b/hdcpd/mediadrmserver.te
new file mode 100644
index 00000000..d5f7280d
--- /dev/null
+++ b/hdcpd/mediadrmserver.te
@@ -0,0 +1,11 @@
+#
+# mediadrmserver
+#
+
+# breaks treble as mediadrmserver should be instrumented to a
+# vendor hal interface.
+not_full_treble(`
+  allow mediadrmserver hdcpd:unix_stream_socket connectto;
+  allow mediadrmserver hdcpd_data_file:dir search;
+  allow mediadrmserver hdcpd_data_file:sock_file write;
+')
diff --git a/hdcpd/mediaserver.te b/hdcpd/mediaserver.te
new file mode 100644
index 00000000..39c9be66
--- /dev/null
+++ b/hdcpd/mediaserver.te
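Review bot: hal_drm_widevine.te gives hal_drm_default `hdcpd:unix_stream_socket connectto` and `hdcpd_data_file:sock_file write` but no `hdcpd_data_file:dir search`, whereas the mediadrmserver.te and mediaserver.te hunks in the same commit grant the dir search alongside the same pair. Since file_contexts places the socket under /data/vendor/hdcp, the connect will fail at path lookup unless hal_drm_default already has that search from core policy; add `allow hal_drm_default hdcpd_data_file:dir search;` for consistency. The file name says widevine but the rules target hal_drm_default, so a one-line comment saying the Widevine HAL runs in that domain would help.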
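Review bot: hdcpd.te opens with `# Rules for system/bin/dhcpd`, which is the wrong daemon name (dhcpd vs hdcpd) and the wrong path (file_contexts in this commit labels (/system)?/vendor/bin/hdcpd); it should read `# Rules for /vendor/bin/hdcpd (HDCP daemon)`. The domain also gets `sysfs:dir r_dir_perms` and `sysfs:file r_file_perms` on the generic sysfs label under a bare `# sysfs access` comment; name the nodes it reads (presumably DRM connector attributes) and label them with a genfscon type, as light/genfs_contexts does for the backlight. The `allowxperm ... ioctl SIOCETHTOOL` on a uevent socket matches the dptf rules being deleted in this same commit and looks copied; justify it or drop it.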
@@ -0,0 +1,9 @@
+#
+# mediaserver
+#
+
+not_full_treble(`
+  allow mediaserver hdcpd:unix_stream_socket connectto;
+  allow mediaserver hdcpd_data_file:sock_file write;
+  allow mediaserver hdcpd_data_file:dir { search };
+')
diff --git a/hdcpd/vendor_init.te b/hdcpd/vendor_init.te
new file mode 100644
index 00000000..6577d736
--- /dev/null
+++ b/hdcpd/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init hdcpd_data_file:dir create_dir_perms;
diff --git a/hdcpd/violators_blacklist.te b/hdcpd/violators_blacklist.te
new file mode 100644
index 00000000..877fced7
--- /dev/null
+++ b/hdcpd/violators_blacklist.te
@@ -0,0 +1 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
diff --git a/health_hal/file.te b/health_hal/file.te
index 813d4f18..ba9fb481 100644
--- a/health_hal/file.te
+++ b/health_hal/file.te
@@ -1,3 +1,2 @@
 # health_hal files
 type sysfs_health2_0_management, fs_type, sysfs_type;
-
diff --git a/health_hal/file_contexts b/health_hal/file_contexts
index 988d0de8..bf5eeefd 100644
--- a/health_hal/file_contexts
+++ b/health_hal/file_contexts
@@ -1,2 +1 @@
-/vendor/bin/hw/android\.hardware\.health@2\.0-service\.celadon u:object_r:hal_health_default_exec:s0
-
+/vendor/bin/hw/android\.hardware\.health@2\.0-service\.gordon_peak u:object_r:hal_health_default_exec:s0
diff --git a/health_hal/genfs_contexts b/health_hal/genfs_contexts
index 2ef28178..77172024 100644
--- a/health_hal/genfs_contexts
+++ b/health_hal/genfs_contexts
@@ -1,9 +1 @@
 genfscon sysfs /devices/pci0000:00/0000:00:1c.0/mmc_host/mmc1/mmc1:0001 u:object_r:sysfs_health2_0_management:s0
-
-genfscon sysfs /devices/pci0000:00/0000:00:03.0/virtio0/block/vda u:object_r:sysfs_health2_0_management:s0
-
-genfscon sysfs /devices/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_health2_0_management:s0
-
-genfscon sysfs /devices/pci0000:00/0000:00:17.0/ata3/host2/target2:0:0/2:0:0:0/block/sda u:object_r:sysfs_health2_0_management:s0
-
-genfscon sysfs /devices/pci0000:00/0000:00:1d.0/0000:3c:00.0/nvme/nvme0/nvme0n1 u:object_r:sysfs_health2_0_management:s0
diff --git a/health_hal/hal_health2_0_default.te b/health_hal/hal_health2_0_default.te
index 55b617fa..65500b79 100644
--- a/health_hal/hal_health2_0_default.te
+++ b/health_hal/hal_health2_0_default.te
@@ -3,7 +3,3 @@
 allow hal_health_default sysfs_health2_0_management:dir r_dir_perms;
 allow hal_health_default sysfs_health2_0_management:file rw_file_perms;
 allow hal_health_default sysfs_health2_0_management:lnk_file r_file_perms;
-
-# Health Hal to read /proc/cmdline
-#allow hal_health_default proc_cmdline:file r_file_perms;
-get_prop(hal_health_default, diskbus_prop);
diff --git a/health_hal/vold.te b/health_hal/vold.te
new file mode 100644
index 00000000..8aba70b7
--- /dev/null
+++ b/health_hal/vold.te
@@ -0,0 +1 @@
+allow vold sysfs_health2_0_management:file write;
diff --git a/i915_async/init.te b/i915_async/init.te
new file mode 100644
index 00000000..e01f3556
--- /dev/null
+++ b/i915_async/init.te
@@ -0,0 +1,3 @@
+recovery_only(`
+  allow init graphics_device:chr_file getattr;
+')
diff --git a/init.te b/init.te
deleted file mode 100644
index 79de5aba..00000000
--- a/init.te
+++ /dev/null
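Review bot: health_hal/vold.te grants `allow vold sysfs_health2_0_management:file write;` with bare `write` and no `open`, so vold can only write through a descriptor it already holds or inherits; if vold is expected to open the mmc sysfs node itself the rule is incomplete and should be `w_file_perms`. If the restriction is deliberate (fd handed over by the health HAL), say so in a comment, because the next avc denial for `open` will otherwise be papered over by widening the rule. The file also lacks any note on which sysfs attribute vold writes and why a storage daemon touches the health HAL's label.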
@@ -1,31 +0,0 @@
-allow init kmsg_device:chr_file write;
-allow init tmpfs:file { open };
-allow init tmpfs:lnk_file { create setattr };
-allow init debugfs:dir mounton;
-allow init kernel:system module_request;
-allow init system_file:system module_load;
-allow init gpu_device:file { setattr relabelto };
-allow init tmpfs:file { relabelfrom };
-allow init init:capability sys_module;
-allow init device:chr_file { create unlink };
-allow init proc:dir mounton;
-allow init binfmt_miscfs:file w_file_perms;
-allow init tmpfs:lnk_file create_file_perms;
-# set attributes on /sys/class/gpio sym link
-# chmod 0770 /sys/class/gpio/gpio66
-allow init sysfs:lnk_file setattr;
-# userspace cannot create files in sys. ignore denial
-dontaudit init sysfs_devices_system_cpu:dir write;
-allow init { cache_file storage_file }:dir mounton;
-# /config
-allow init configfs:{ file lnk_file } create_file_perms;
-allow init sw_sync_device:file { relabelto setattr read write open ioctl };
-allow init sysfs:file create;
-allow init devpts:chr_file { ioctl };
-allow init audio_device:chr_file { write ioctl };
-allow init platform_app:unix_stream_socket { read };
-
-allow init debugfs_pstate:file w_file_perms;
-allow init userdata_block_device:blk_file write;
-allow init misc_block_device:blk_file write;
-allow init kernel:key search;
diff --git a/intel_prop/file_contexts b/intel_prop/file_contexts
new file mode 100644
index 00000000..6207ce2e
--- /dev/null
+++ b/intel_prop/file_contexts
@@ -0,0 +1,2 @@
+# intel_prop executable
+(/system)?/vendor/bin/intel_prop u:object_r:intel_prop_exec:s0
diff --git a/intel_prop/intel_prop.te b/intel_prop/intel_prop.te
new file mode 100644
index 00000000..7db8613b
--- /dev/null
+++ b/intel_prop/intel_prop.te
@@ -0,0 +1,10 @@
+# Rules for intel_prop (read Android props from fw)
+# Use ueventd.te as blueprint for this
+
+type intel_prop, domain;
+type intel_prop_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(intel_prop)
+
+# XXX /sys/firmware/dmi/entries/0-0/raw
+allow intel_prop sysfs:file r_file_perms;
+
diff --git a/kernel/appdomain.te b/kernel/appdomain.te
new file mode 100644
index 00000000..9bc6f2a1
--- /dev/null
+++ b/kernel/appdomain.te
@@ -0,0 +1 @@
+allow appdomain app_fuse_file:file map;
diff --git a/kernel/domain.te b/kernel/domain.te
index 92d84902..4d1a52de 100644
--- a/kernel/domain.te
+++ b/kernel/domain.te
@@ -7,7 +7,6 @@ dontaudit { lmkd netd perfprofd -postinstall_dexopt recovery sdcardd tee
diff --git a/kernel/dumpstate.te b/kernel/dumpstate.te
index 551dfabc..e69de29b 100644
--- a/kernel/dumpstate.te
+++ b/kernel/dumpstate.te
@@ -1 +0,0 @@
-dontaudit dumpstate proc_version:file r_file_perms;
diff --git a/kernel/file.te b/kernel/file.te
index e69de29b..55c090e6 100644
--- a/kernel/file.te
+++ b/kernel/file.te
@@ -0,0 +1 @@
+type debugfs_pstate, fs_type, debugfs_type;
diff --git a/kernel/file_contexts b/kernel/file_contexts
new file mode 100644
index 00000000..fb5a1cd1
--- /dev/null
+++ b/kernel/file_contexts
@@ -0,0 +1 @@
+/sys/kernel/debug/pstate_snb/setpoint u:object_r:debugfs_pstate:s0
diff --git a/kernel/genfs_contexts b/kernel/genfs_contexts
index e69de29b..8b137891 100644
--- a/kernel/genfs_contexts
+++ b/kernel/genfs_contexts
@@ -0,0 +1 @@
+
diff --git a/kernel/hal_power_default.te b/kernel/hal_power_default.te
deleted file mode 100644
index 9019aaba..00000000
--- a/kernel/hal_power_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_power_default sysfs:file rw_file_perms;
-allow hal_power_default sysfs:dir r_dir_perms;
diff --git a/kernel/healthd.te b/kernel/healthd.te
deleted file mode 100644
index d4f839d0..00000000
--- a/kernel/healthd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow healthd self:capability2 wake_alarm;
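Review bot: intel_prop.te grants `allow intel_prop sysfs:file r_file_perms;` on the generic sysfs label while its own `# XXX` comment says the only input is /sys/firmware/dmi/entries/0-0/raw. Add `genfscon sysfs /firmware/dmi/entries u:object_r:sysfs_dmi:s0` with a matching type and grant intel_prop only `sysfs_dmi:file r_file_perms` plus dir search, so a daemon that turns firmware data into Android properties cannot read the rest of sysfs. The header says the daemon reads Android props from firmware but no set_prop appears here; if it sets them via another file, reference it.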
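Review bot: kernel/file_contexts labels `/sys/kernel/debug/pstate_snb/setpoint` as debugfs_pstate, but a file_contexts entry on a debugfs path only takes effect when something runs restorecon on it, and the kernel/genfs_contexts in this commit is reduced to a single blank line. Unless the init.rc mentioned in the kernel/init.te hunk restorecons the node before writing, it keeps the generic debugfs label and `allow init debugfs_pstate:file w_file_perms;` is dead. A `genfscon debugfs /pstate_snb/setpoint u:object_r:debugfs_pstate:s0` entry labels it at mount time and removes the ordering dependency.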
diff --git a/kernel/hwservice.te b/kernel/hwservice.te
new file mode 100644
index 00000000..83d2c970
--- /dev/null
+++ b/kernel/hwservice.te
@@ -0,0 +1 @@
+type hal_automotive_evs_hwservice, hwservice_manager_type;
diff --git a/kernel/hwservice_contexts b/kernel/hwservice_contexts
new file mode 100644
index 00000000..e69de29b
diff --git a/kernel/init.te b/kernel/init.te
index 79d5ddb6..47d067e1 100644
--- a/kernel/init.te
+++ b/kernel/init.te
@@ -1,16 +1,22 @@
+#
+# init
+#
+
+# mixin kernel/init.rc write to /sys/kernel/debug/pstate_snb/setpoint
+allow init debugfs_pstate:file w_file_perms;
+
+#avc: denied { write } for pid=1 comm="init" name="psys_force_freq" dev="debugfs" ino=8600 scontext=u:r:init:s0 tcontext=u:object_r:debugfs:s0 tclass=file permissive=0
 allow init debugfs:file write;
+
+# allow init insmod keyword
 allow init kernel:key search;
-allow init kernel:system module_request;
 allow init { rootfs vendor_file }:system module_load;
-allow init sysfs_devices_system_cpu:dir r_dir_perms;
-allow init sysfs_devices_system_cpu:file create_file_perms;
-allow init tmpfs:lnk_file create_file_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-allow init self:capability sys_module;
-allow init self:capability2 block_suspend;
+#avc: denied { dac_read_search } for pid=1 comm="init" capability=2 scontext=u:r:init:s0 tcontext=u:r:init:s0 tclass=capability permissive=0
+#allow init self:capability dac_read_search;
-dontaudit init cgroup:file create_file_perms;
+#allow init sysfs_devices_system_cpu:dir w_dir_perms;
+allow init sysfs_devices_system_cpu:file create;
diff --git a/kernel/installd.te b/kernel/installd.te
new file mode 100644
index 00000000..4a3cc40c
--- /dev/null
+++ b/kernel/installd.te
@@ -0,0 +1,3 @@
+# installd
+# avc: denied { dac_read_search } for pid=2182 comm="installd" capability=2 scontext=u:r:installd:s0 tcontext=u:r:installd:s0 tclass=capability permissive=0
+#allow installd self:capability dac_read_search;
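Review bot: kernel/hwservice.te declares `type hal_automotive_evs_hwservice, hwservice_manager_type;` but the kernel/hwservice_contexts added beside it is empty, so no HIDL interface is ever labelled with the new type and the `find` granted to system_app in kernel/system_app.te cannot match anything. Add the mapping, e.g. `android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_automotive_evs_hwservice:s0`, or if core policy on your platform version already labels that interface (AOSP ships a hal_evs_hwservice type), reuse the core type and drop this declaration. Empty placeholder files such as this one and graphics/ufo_common/nfc.te should not be committed.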
diff --git a/kernel/kernel.te b/kernel/kernel.te
index 6559281d..b7f45dea 100644
--- a/kernel/kernel.te
+++ b/kernel/kernel.te
@@ -12,10 +12,6 @@ allow kernel kernel:capability sys_admin;
 # For loading /lib/modules/inet_diag.ko
 allow kernel rootfs:system module_load;
 allow kernel system_file:system module_load;
-allow kernel self:system module_request;
-# allow write permission for "/data/misc/vold/"
-allow kernel vold_data_file:file write;
-
-# allow read permission for Bluetooth firmware file
-allow kernel vendor_file:file { open read };
+# For adding mmc debugfs directory in the runtime
+allow kernel debugfs_mmc:dir search;
diff --git a/kernel/netd.te b/kernel/netd.te
new file mode 100644
index 00000000..9c22c192
--- /dev/null
+++ b/kernel/netd.te
@@ -0,0 +1 @@
+allow netd untrusted_app:icmp_socket { read write getopt setopt getattr };
diff --git a/kernel/system_app.te b/kernel/system_app.te
new file mode 100644
index 00000000..ff0bbd24
--- /dev/null
+++ b/kernel/system_app.te
@@ -0,0 +1,5 @@
+
+# notify others we are ready through property
+
+# access gpio file to get reversing gear status
+allow system_app hal_automotive_evs_hwservice:hwservice_manager find;
diff --git a/kernel/untrusted_app.te b/kernel/untrusted_app.te
new file mode 100644
index 00000000..888839d4
--- /dev/null
+++ b/kernel/untrusted_app.te
@@ -0,0 +1 @@
+allow untrusted_app self:icmp_socket create_socket_perms_no_ioctl;
diff --git a/kernel/vendor_init.te b/kernel/vendor_init.te
new file mode 100644
index 00000000..f406f4e8
--- /dev/null
+++ b/kernel/vendor_init.te
@@ -0,0 +1,6 @@
+allow vendor_init file_contexts_file:file map;
+allow vendor_init kernel:key search;
+userdebug_or_eng(`
+  allow vendor_init proc:file write;
+  allow vendor_init proc_hung_task:file write;
+')
diff --git a/kernel/vold.te b/kernel/vold.te
new file mode 100644
index 00000000..9c3308fa
--- /dev/null
+++ b/kernel/vold.te
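Review bot: kernel/netd.te and kernel/untrusted_app.te grant ICMP socket rights to `untrusted_app` only, so apps in the untrusted_app_25 / untrusted_app_27 buckets behave differently from current-targetSdk apps and netd's `{ read write getopt setopt getattr }` on sockets from those apps will be denied. If ping-style sockets are meant for all apps, write both rules on the attribute: `allow untrusted_app_all self:icmp_socket create_socket_perms_no_ioctl;` and `allow netd untrusted_app_all:icmp_socket { read write getopt setopt getattr };`. Also check whether core policy's net_domain already provides this on the platform version you target, in which case both files are redundant.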
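Review bot: kernel/system_app.te carries two comments, `# notify others we are ready through property` and `# access gpio file to get reversing gear status`, that describe nothing in the file; its only rule is `allow system_app hal_automotive_evs_hwservice:hwservice_manager find;`. Replace them with a comment that matches the rule, e.g. `# Let the system EVS app locate the automotive EVS HAL`, so the stale property/gpio text does not mislead the next person widening this domain.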
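Review bot: kernel/vendor_init.te adds, under userdebug_or_eng, `allow vendor_init proc:file write;`, which is write access to every procfs file still carrying the generic proc label, not just the hung-task sysctls the sibling `proc_hung_task` rule already covers. Label whatever other /proc node the debug init.rc writes with a genfscon entry and grant that type instead; a blanket proc write from vendor_init, even on debug builds, hides which sysctls the product actually tunes. The unconditional `file_contexts_file:file map` and `kernel:key search` lines would benefit from one-line comments naming the init keywords that need them.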
@@ -0,0 +1,3 @@
+# vold
+# avc: denied { dac_read_search } for pid=2029 comm="vold" capability=2 scontext=u:r:vold:s0 tcontext=u:r:vold:s0 tclass=capability permissive=0
+#allow vold self:capability dac_read_search;
diff --git a/kernel/wificond.te b/kernel/wificond.te
deleted file mode 100644
index 61a4f9cb..00000000
--- a/kernel/wificond.te
+++ /dev/null
@@ -1 +0,0 @@
-allow wificond kernel:system module_request;
diff --git a/kernel/zygote.te b/kernel/zygote.te
new file mode 100644
index 00000000..6bbd735c
--- /dev/null
+++ b/kernel/zygote.te
@@ -0,0 +1,2 @@
+# zygote
+#allow zygote self:capability dac_read_search;
diff --git a/light/file.te b/light/file.te
new file mode 100644
index 00000000..3633b21e
--- /dev/null
+++ b/light/file.te
@@ -0,0 +1 @@
+type sysfs_backlight, fs_type, sysfs_type;
diff --git a/light/genfs_contexts b/light/genfs_contexts
new file mode 100644
index 00000000..189b73bd
--- /dev/null
+++ b/light/genfs_contexts
@@ -0,0 +1,2 @@
+genfscon sysfs /devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1/intel_backlight/brightness u:object_r:sysfs_backlight:s0
+genfscon sysfs /devices/pci0000:00/0000:00:02.0/drm/card0/card0-eDP-1/intel_backlight/max_brightness u:object_r:sysfs_backlight:s0
diff --git a/light/hal_light_default.te b/light/hal_light_default.te
new file mode 100644
index 00000000..7d9833e4
--- /dev/null
+++ b/light/hal_light_default.te
@@ -0,0 +1,2 @@
+# allow hal_light_default set brightness for light module
+allow hal_light_default sysfs_backlight:file rw_file_perms;
diff --git a/load_modules/file_contexts b/load_modules/file_contexts
new file mode 100644
index 00000000..ae66e123
--- /dev/null
+++ b/load_modules/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/load_modules.sh u:object_r:load_modules_exec:s0
+
diff --git a/load_modules/kernel.te b/load_modules/kernel.te
new file mode 100644
index 00000000..cbe8f96a
--- /dev/null
+++ b/load_modules/kernel.te
@@ -0,0 +1 @@
+allow kernel self:system module_request;
diff --git a/load_modules/load_modules.te b/load_modules/load_modules.te
new file mode 100644
index 00000000..762512bb
--- /dev/null
+++ b/load_modules/load_modules.te
@@ -0,0 +1,30 @@
+type load_modules, domain;
+type load_modules_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(load_modules)
+
+set_prop(load_modules, vendor_modules_prop)
+
+allow load_modules sysfs:file write;
+allow load_modules self:capability sys_module;
+allow load_modules {
+  rootfs
+  vendor_file
+}:system module_load;
+allow load_modules kernel:key search;
+allow load_modules kernel:system module_request;
+allow load_modules self:key write;
+allow load_modules rootfs:file r_file_perms;
+allow load_modules system_data_file:dir getattr;
+allow load_modules system_lib_file:file rx_file_perms;
+allow load_modules vendor_file:file rx_file_perms;
+
+not_full_treble(`
+  allow load_modules shell_exec:file rx_file_perms;
+  allow load_modules toolbox_exec:file rx_file_perms;
+')
+
+full_treble_only(`
+  allow load_modules vendor_shell_exec:file rx_file_perms;
+  allow load_modules vendor_toolbox_exec:file rx_file_perms;
+')
diff --git a/load_modules/property.te b/load_modules/property.te
new file mode 100644
index 00000000..36cdab52
--- /dev/null
+++ b/load_modules/property.te
@@ -0,0 +1 @@
+type vendor_modules_prop, property_type;
diff --git a/load_modules/property_contexts b/load_modules/property_contexts
new file mode 100644
index 00000000..bb149a4b
--- /dev/null
+++ b/load_modules/property_contexts
@@ -0,0 +1 @@
+vendor.modules. u:object_r:vendor_modules_prop:s0
diff --git a/low-mem/check_lowmem.te b/low-mem/check_lowmem.te
new file mode 100644
index 00000000..9abc3be8
--- /dev/null
+++ b/low-mem/check_lowmem.te
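Review bot: load_modules.te is a shell-script domain (/vendor/bin/load_modules.sh) that gets `self:capability sys_module` and `{ rootfs vendor_file }:system module_load`, so any file under /vendor carrying the vendor_file label can be loaded into the kernel by whatever that script ends up executing. Label the module directory with its own type (e.g. `/vendor/lib/modules(/.*)? u:object_r:vendor_kernel_modules:s0`) and restrict `module_load` to it, and replace `allow load_modules sysfs:file write;` with the specific sysfs type the script writes. `self:key write` and `system_data_file:dir getattr` are unexplained and read like pasted denials; add a comment for each or remove them.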
@@ -0,0 +1,18 @@
+type check_lowmem, domain;
+type check_lowmem_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(check_lowmem)
+
+allow check_lowmem vendor_file:file rx_file_perms;
+allow check_lowmem proc_meminfo:file r_file_perms;
+# allow the check_lowmem domain to set prop sys.low_ram
+set_prop(check_lowmem, vendor_mem_prop)
+
+not_full_treble(`
+  allow check_lowmem system_file:file rx_file_perms;
+  allow check_lowmem shell_exec:file rx_file_perms;
+')
+full_treble_only(`
+  allow check_lowmem vendor_shell_exec:file rx_file_perms;
+  allow check_lowmem vendor_toolbox_exec:file rx_file_perms;
+')
diff --git a/low-mem/file_contexts b/low-mem/file_contexts
new file mode 100644
index 00000000..02dafea1
--- /dev/null
+++ b/low-mem/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/check_lowmem.sh u:object_r:check_lowmem_exec:s0
diff --git a/low-mem/property.te b/low-mem/property.te
new file mode 100644
index 00000000..949ea950
--- /dev/null
+++ b/low-mem/property.te
@@ -0,0 +1 @@
+type vendor_mem_prop, property_type;
diff --git a/low-mem/property_contexts b/low-mem/property_contexts
new file mode 100644
index 00000000..54d233d6
--- /dev/null
+++ b/low-mem/property_contexts
@@ -0,0 +1 @@
+vendor.low_ram u:object_r:vendor_mem_prop:s0
diff --git a/memtrack/hal_memtrack_default.te b/memtrack/hal_memtrack_default.te
index d5a5929f..1a793390 100644
--- a/memtrack/hal_memtrack_default.te
+++ b/memtrack/hal_memtrack_default.te
@@ -10,9 +10,6 @@ allow hal_memtrack_default domain:file r_file_perms;
 allow hal_memtrack_default proc_meminfo:file r_file_perms;
-# /sys/devices/pci0000:00/0000:00:02.0/drm/card0/gfx_memtrack/3973
-allow hal_memtrack_default sysfs:file r_file_perms;
-
 # /sys/devices/virtual/block/zram0/mem_used_total
 allow hal_memtrack_default sysfs_zram:dir search;
 allow hal_memtrack_default sysfs_zram:file r_file_perms;
diff --git a/neuralnetworks/file_contexts b/neuralnetworks/file_contexts
index e2649d2c..9e40e853 100644
--- a/neuralnetworks/file_contexts
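Review bot: check_lowmem.te says `# allow the check_lowmem domain to set prop sys.low_ram`, but low-mem/property_contexts in this commit maps `vendor.low_ram` to vendor_mem_prop, so the comment names a property this domain cannot set; change it to `# allow check_lowmem to set vendor.low_ram (vendor_mem_prop)`. The `not_full_treble` branch also lets this vendor script execute any `system_file:file`, i.e. every system binary; if it only needs the shell and toolbox, limit that branch to `toolbox_exec` alongside `shell_exec`, mirroring the full_treble branch.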
+++ b/neuralnetworks/file_contexts
@@ -1,2 +1,3 @@
-/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1.0-generic-service u:object_r:hal_neuralnetworks_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.1-generic-service u:object_r:hal_neuralnetworks_default_exec:s0
 /data/vendor/neuralnetworks(/.*)? u:object_r:nn_vendor_data_file:s0
+
diff --git a/neuralnetworks/hal_neuralnetworks.te b/neuralnetworks/hal_neuralnetworks.te
index 6f5ae6d9..aa43b2d0 100644
--- a/neuralnetworks/hal_neuralnetworks.te
+++ b/neuralnetworks/hal_neuralnetworks.te
@@ -9,8 +9,6 @@ allow hal_neuralnetworks_default self:process execmem;
 allow hal_neuralnetworks_default vendor_data_file:file { read write };
-allow shell hal_neuralnetworks_hwservice:hwservice_manager find;
-
 # allow hal_neuralnetworks to access libusb
 allow hal_neuralnetworks_default usb_device:dir r_dir_perms;
 allow hal_neuralnetworks_default usb_device:chr_file rw_file_perms;
@@ -21,4 +19,4 @@ dontaudit hal_neuralnetworks_default self:capability { dac_read_search dac_overr
 allow hal_neuralnetworks_default sysfs:dir r_dir_perms;
 allow hal_neuralnetworks_default sysfs:file rw_file_perms;
 allow hal_neuralnetworks_default nn_vendor_data_file:dir rw_dir_perms;
-allow hal_neuralnetworks_default nn_vendor_data_file:file create_file_perms;
+allow hal_neuralnetworks_default nn_vendor_data_file:file create_file_perms;
diff --git a/power/file_contexts b/power/file_contexts
index 4910ad53..c6cf2234 100644
--- a/power/file_contexts
+++ b/power/file_contexts
@@ -1,3 +1,4 @@
 # Power HAL service
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@[0-9]+.?[0-9]*-service u:object_r:hal_power_service_exec:s0
-
+# Power HAL helper
+(/system)?/vendor/bin/power_hal_helper u:object_r:power_hal_helper_exec:s0
diff --git a/power/hal_power_default.te b/power/hal_power_default.te
new file mode 100644
index 00000000..c1eaa161
--- /dev/null
+++ b/power/hal_power_default.te
@@ -0,0 +1,2 @@
+allow hal_power_default sysfs:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
diff --git a/power/hal_power_service.te b/power/hal_power_service.te
index fd48358b..b2e052bb 100644
--- a/power/hal_power_service.te
+++ b/power/hal_power_service.te
@@ -5,6 +5,4 @@ type hal_power_service_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_power_service)
 allow hal_power_service cgroup:file rw_file_perms;
-allow hal_power_service sysfs_app_readable:file rw_file_perms;
 allow hal_power_service sysfs_devices_system_cpu:file rw_file_perms;
-
diff --git a/power/power_hal_helper.te b/power/power_hal_helper.te
new file mode 100644
index 00000000..5f361172
--- /dev/null
+++ b/power/power_hal_helper.te
@@ -0,0 +1,34 @@
+#
+# power_hal
+#
+
+# Rules for hardware/intel/power/helper
+type power_hal_helper, domain;
+type power_hal_helper_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(power_hal_helper)
+
+# allow to search through /proc/;
+# only allow those that we are interested in;
+allow power_hal_helper mediaserver:dir search;
+allow power_hal_helper mediaserver:file { open read };
+
+# no need to complain about denied access
+# as it will clutter the log when probing
+# all /proc/ where it cannot search/open/read
+dontaudit power_hal_helper domain:dir search;
+
+# allow to set property ctl.power_hal.*
+set_prop(power_hal_helper, vendor_power_hal_prop)
+
+# allow to read and open the command for usermode helper
+# proc PID labels are labeled with context of process
+# we only grant this on native priveleged domains to prevent
+# an injection path to a priveleged process from appdomain.
+allow power_hal_helper { domain -appdomain } :file { read open };
+
+# ??? launch shell scripts as usermodehelpers
+allow power_hal_helper shell:file r_file_perms;
+
+userdebug_or_eng(`
+  allow power_hal_helper su:file r_file_perms;
+')
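Review bot: power/hal_power_default.te reintroduces `allow hal_power_default sysfs:file rw_file_perms;`, the same blanket read/write on every generic-labelled sysfs file that kernel/hal_power_default.te removes in this commit, so the move narrows nothing. The second line already shows the right pattern (`sysfs_devices_system_cpu`); the remaining nodes the power HAL tunes should get genfscon labels and per-type rules. Please also note in a comment whether this file is for a different power HAL binary than power/hal_power_service.te, since both domains now exist side by side with overlapping rules.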
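Review bot: power_hal_helper.te grants `allow power_hal_helper { domain -appdomain } :file { read open };` to read /proc/<pid> files of every non-app domain, yet the only `dir search` it has is on `mediaserver:dir`; the `dontaudit power_hal_helper domain:dir search;` then silently swallows the lookup failure for every other process, so either the broad file grant is dead or the dontaudit is hiding a denial that will later be "fixed" by adding `domain:dir search` without review. Decide which processes the helper must inspect and grant `dir search` plus `file { read open }` on exactly those, dropping the dontaudit. Also, `# allow to set property ctl.power_hal.*` does not match power/property_contexts (`vendor.power_hal.`), and the `# ???` on `allow power_hal_helper shell:file r_file_perms;` should be resolved before this lands.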
diff --git a/power/property.te b/power/property.te
new file mode 100644
index 00000000..631ca3f2
--- /dev/null
+++ b/power/property.te
@@ -0,0 +1 @@
+type vendor_power_hal_prop, property_type;
diff --git a/power/property_contexts b/power/property_contexts
new file mode 100644
index 00000000..1b412d42
--- /dev/null
+++ b/power/property_contexts
@@ -0,0 +1,2 @@
+# property for power HAL
+vendor.power_hal. u:object_r:vendor_power_hal_prop:s0
diff --git a/power/vendor_init.te b/power/vendor_init.te
new file mode 100644
index 00000000..00eea06e
--- /dev/null
+++ b/power/vendor_init.te
@@ -0,0 +1 @@
+get_prop(vendor_init, vendor_power_hal_prop)
diff --git a/psdapp/file_contexts b/psdapp/file_contexts
new file mode 100644
index 00000000..0abc3f4b
--- /dev/null
+++ b/psdapp/file_contexts
@@ -0,0 +1,2 @@
+/vendor/bin/psdapp u:object_r:psdapp_exec:s0
+/vendor/bin/logwrapper u:object_r:logwrapper_exec:s0
diff --git a/psdapp/logwrapper.te b/psdapp/logwrapper.te
new file mode 100644
index 00000000..9c4dd086
--- /dev/null
+++ b/psdapp/logwrapper.te
@@ -0,0 +1,7 @@
+type logwrapper, domain;
+type logwrapper_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(logwrapper)
+
+allow logwrapper devpts:chr_file rw_file_perms;
+domain_auto_trans(logwrapper, psdapp_exec, psdapp)
diff --git a/psdapp/property.te b/psdapp/property.te
new file mode 100644
index 00000000..6bc44b02
--- /dev/null
+++ b/psdapp/property.te
@@ -0,0 +1 @@
+type vendor_psdapp_prop, property_type;
diff --git a/psdapp/property_contexts b/psdapp/property_contexts
new file mode 100644
index 00000000..1a38307e
--- /dev/null
+++ b/psdapp/property_contexts
@@ -0,0 +1 @@
+vendor.module.psdapp. u:object_r:vendor_psdapp_prop:s0
diff --git a/psdapp/psdapp.te b/psdapp/psdapp.te
new file mode 100644
index 00000000..1e9560a0
--- /dev/null
+++ b/psdapp/psdapp.te
@@ -0,0 +1,8 @@
+type psdapp, domain;
+type psdapp_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(psdapp)
+
+allow psdapp sysfs:file r_file_perms;
+allow psdapp logwrapper:fd use;
+allow psdapp devpts:chr_file rw_file_perms;
diff --git a/psdapp/vendor_shell.te b/psdapp/vendor_shell.te
new file mode 100644
index 00000000..a733d7e5
--- /dev/null
+++ b/psdapp/vendor_shell.te
@@ -0,0 +1,2 @@
+set_prop(vendor_shell, vendor_psdapp_prop)
+
diff --git a/pstore/device.te b/pstore/device.te
new file mode 100644
index 00000000..69bd4a9b
--- /dev/null
+++ b/pstore/device.te
@@ -0,0 +1 @@
+type pstore_device, dev_type;
diff --git a/pstore/dumpstate.te b/pstore/dumpstate.te
new file mode 100644
index 00000000..e26095c6
--- /dev/null
+++ b/pstore/dumpstate.te
@@ -0,0 +1,5 @@
+#
+# dumpstate
+#
+
+dontaudit dumpstate pstore-clean_data_file:dir search;
diff --git a/pstore/file.te b/pstore/file.te
new file mode 100644
index 00000000..c3e13677
--- /dev/null
+++ b/pstore/file.te
@@ -0,0 +1 @@
+type pstore-clean_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/pstore/file_contexts b/pstore/file_contexts
new file mode 100644
index 00000000..00ad84ad
--- /dev/null
+++ b/pstore/file_contexts
@@ -0,0 +1,4 @@
+# Persistent Storage
+/dev/pstore u:object_r:pstore_device:s0
+/data/dontpanic(/.*)? u:object_r:pstore-clean_data_file:s0
+(/system)?/vendor/bin/pstore-clean u:object_r:pstore-clean_exec:s0
diff --git a/pstore/init.te b/pstore/init.te
new file mode 100644
index 00000000..2593f84f
--- /dev/null
+++ b/pstore/init.te
@@ -0,0 +1,5 @@
+#
+# init
+#
+
+allow init pstore_device:dir mounton;
diff --git a/pstore/pstore-clean.te b/pstore/pstore-clean.te
new file mode 100644
index 00000000..350ce7ae
--- /dev/null
+++ b/pstore/pstore-clean.te
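Review bot: pstore/file.te declares `type pstore-clean_data_file, file_type, data_file_type, core_data_file_type;` for /data/dontpanic, yet the files there are created by the vendor daemon pstore-clean, which is exactly the core/vendor data crossing that pstore/violators_blacklist.te then has to exempt. Dropping `core_data_file_type` and moving the dumps under `/data/vendor/dontpanic` with a vendor-side type removes the need for the violator entry, and system_server keeps its `r_dir_file` on the new type. The hyphen in the type name is also unusual for a policy identifier and easy to misread next to set negation (`{ domain -pstore-clean }`); an underscore would be safer.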
@@ -0,0 +1,19 @@
+# Rules for vendor/intel/pstore-clean
+type pstore-clean, domain;
+type pstore-clean_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(pstore-clean);
+
+allow pstore-clean pstorefs:dir create_dir_perms;
+allow pstore-clean pstorefs:file create_file_perms;
+
+# Create directories and files for the panic dumps
+allow pstore-clean pstore-clean_data_file:dir create_dir_perms;
+allow pstore-clean pstore-clean_data_file:file create_file_perms;
+
+# Copied from KK
+allow pstore-clean cache_file:dir { add_name search write create };
+allow pstore-clean cache_file:file { create open write };
+
+# Read from pstore (required from kernel 3.18)
+allow pstore-clean self:capability2 syslog;
+allow pstore-clean kernel:system syslog_read;
diff --git a/pstore/system_server.te b/pstore/system_server.te
new file mode 100644
index 00000000..03ca357b
--- /dev/null
+++ b/pstore/system_server.te
@@ -0,0 +1,5 @@
+#
+# system_server
+#
+
+r_dir_file(system_server, pstore-clean_data_file)
diff --git a/pstore/vendor_init.te b/pstore/vendor_init.te
new file mode 100644
index 00000000..0a6bb147
--- /dev/null
+++ b/pstore/vendor_init.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+  allow vendor_init pstore-clean_data_file:dir create_dir_perms;
+')
diff --git a/pstore/violators_blacklist.te b/pstore/violators_blacklist.te
new file mode 100644
index 00000000..e3f40655
--- /dev/null
+++ b/pstore/violators_blacklist.te
@@ -0,0 +1,2 @@
+typeattribute pstore-clean data_between_core_and_vendor_violators;
+
diff --git a/set_storage/file_contexts b/set_storage/file_contexts
index ad32edb1..24f596d5 100644
--- a/set_storage/file_contexts
+++ b/set_storage/file_contexts
@@ -1 +1 @@
-/vendor/bin/set_storage.vendor u:object_r:set_storage_exec:s0
+/vendor/bin/set_storage\.vendor u:object_r:set_storage_exec:s0
diff --git a/shell.te b/shell.te
deleted file mode 100644
index f75a3000..00000000
--- a/shell.te
+++ /dev/null
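Review bot: pstore-clean.te keeps the `# Copied from KK` rules `allow pstore-clean cache_file:dir { add_name search write create };` and `allow pstore-clean cache_file:file { create open write };`, which let a vendor daemon create arbitrary files in core-owned /cache with no type transition, so whatever it writes inherits cache_file and any later reader needs yet another violator rule. Either remove them (the dumps already go to pstore-clean_data_file) or add a `file_type_auto_trans` to a dedicated type and a comment naming the file. `pstorefs:dir create_dir_perms` and `pstorefs:file create_file_perms` are also wider than pstore supports; a daemon that reads and unlinks records needs `r_dir_perms` plus `{ remove_name write }` on the dir and `{ r_file_perms unlink }` on the files.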
@@ -1,9 +0,0 @@ -allow shell efs_file:dir search; -allow shell efs_file:file r_file_perms; -allow shell bluetooth_efs_file:dir search; -allow shell bluetooth_efs_file:file r_file_perms; - -# Allow shell read access to sysfs_thermal -recovery_only(` -r_dir_file(shell, sysfs_thermal); -') diff --git a/swap/file.te b/swap/file.te deleted file mode 100644 index a8378651..00000000 --- a/swap/file.te +++ /dev/null @@ -1 +0,0 @@ -type proc_swappiness, fs_type, proc_type; diff --git a/swap/genfs_contexts b/swap/genfs_contexts deleted file mode 100644 index db74bc96..00000000 --- a/swap/genfs_contexts +++ /dev/null @@ -1 +0,0 @@ -genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 diff --git a/swap/vendor_init.te b/swap/vendor_init.te deleted file mode 100644 index 639a52ea..00000000 --- a/swap/vendor_init.te +++ /dev/null @@ -1 +0,0 @@ -allow vendor_init proc_swappiness:file w_file_perms; diff --git a/te_macros b/te_macros index c2a4fb77..42d1484e 100644 --- a/te_macros +++ b/te_macros @@ -40,4 +40,4 @@ define(`ignore_adb_debug', ` ') ') -define(`user_build_only', ifelse(target_build_variant, `user', $1, )) +define(`not_recovery_only', ifelse(target_recovery, `true', , $1)) diff --git a/thermal/device.te b/thermal/device.te deleted file mode 100644 index d58ba6c5..00000000 --- a/thermal/device.te +++ /dev/null @@ -1 +0,0 @@ -type thermal_device, dev_type; diff --git a/thermal/dptf/dptf.te b/thermal/dptf/dptf.te deleted file mode 100644 index 9e324c10..00000000 --- a/thermal/dptf/dptf.te +++ /dev/null 
@@ -1,54 +0,0 @@ -# Rules for esif_ufd -type dptf, domain; -type dptf_exec, exec_type, file_type, vendor_file_type; -init_daemon_domain(dptf); - -# Need to use vendor binder -vndbinder_use(dptf) -binder_call(dptf, hal_thermal_default) - -# Allow dptf to find the thermal_hal_service service -allow dptf thermal_hal_service:service_manager find; - -# Allow raw socket -# Also requires DAC changes in device/intel/common/filesystem_config/android_filesystem_config.h -allow dptf self:capability { net_raw }; - -# Allow network access for DPTF UI -net_domain(dptf) - -# Allow create and listen to uevent socket -allow dptf self:netlink_kobject_uevent_socket create_socket_perms; -allowxperm dptf self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL; - -# Vendor directory -# /vendor/lib64 -# /vendor/app and /vendor/etc/dptf/dv direcroty -allow dptf vendor_file:dir r_dir_perms; -allow dptf vendor_file:file rx_file_perms; - -# Data directory -allow dptf dptf_data_file:dir create_dir_perms; -allow dptf dptf_data_file:file create_file_perms; - -# -# Sysfs files -# -allow dptf sysfs:dir r_dir_perms; -allow dptf sysfs_devices_system_cpu:file rw_file_perms; -allow dptf sysfs_powercap:{ file lnk_file } rw_file_perms; -allow dptf sysfs_powercap:dir { read open search}; -allow dptf sysfs_powercap:dir r_dir_perms; -allow dptf sysfs_dptf_file:dir r_dir_perms; -allow dptf sysfs_dptf_file:file rw_file_perms; -allow dptf sysfs_thermal_management:dir r_dir_perms; -allow dptf sysfs_thermal_management:file rw_file_perms; -allow dptf sysfs_thermal:file r_file_perms; -allow dptf sysfs_thermal:file w_file_perms; - -# /sys/class/backlight/intel_backlight/brigthness -# /sys/class/power_supply/bq*/max_charge_current -allow dptf sysfs:file rw_file_perms; - -# Set properties -set_prop(dptf, powerctl_prop) diff --git a/thermal/dptf/file.te b/thermal/dptf/file.te deleted file mode 100644 index 08c3e1f0..00000000 --- a/thermal/dptf/file.te +++ /dev/null 
@@ -1,2 +0,0 @@ -type dptf_data_file, file_type, data_file_type; -type sysfs_dptf_file, fs_type, sysfs_type; diff --git a/thermal/dptf/file_contexts b/thermal/dptf/file_contexts deleted file mode 100644 index ec1606f2..00000000 --- a/thermal/dptf/file_contexts +++ /dev/null @@ -1,4 +0,0 @@ -/data/misc/dptf(/.*)? u:object_r:dptf_data_file:s0 -/etc/dptf(/.*)? u:object_r:dptf_data_file:s0 -(/system)?/vendor/bin/esif_ufd u:object_r:dptf_exec:s0 -/vendor/bin/thermal_lite u:object_r:thermal_lite_exec:s0 diff --git a/thermal/dptf/system_server.te b/thermal/dptf/system_server.te deleted file mode 100644 index 6a7492c6..00000000 --- a/thermal/dptf/system_server.te +++ /dev/null @@ -1,4 +0,0 @@ -# permission needed for sensor service to access thermal sensors -allow system_server sysfs_thermal_management:dir rw_dir_perms; -allow system_server sysfs_thermal_management:file rw_file_perms; -#for last_reboot_reason diff --git a/thermal/dptf/thermal_lite.te b/thermal/dptf/thermal_lite.te deleted file mode 100644 index 478dea7b..00000000 --- a/thermal/dptf/thermal_lite.te +++ /dev/null @@ -1,17 +0,0 @@ -# -# thermal_lite -# - -type thermal_lite, domain; -type thermal_lite_exec, exec_type, file_type, vendor_file_type; -init_daemon_domain(thermal_lite) - -allow thermal_lite sysfs:dir r_dir_perms; -allow thermal_lite sysfs_thermal_management:dir r_dir_perms; -allow thermal_lite sysfs_thermal_management:file r_file_perms; -allow thermal_lite sysfs_powercap:file rw_file_perms; -allow thermal_lite sysfs_powercap:dir r_dir_perms; -allow thermal_lite sysfs_thermal:file rw_file_perms; - -# properties -set_prop(thermal_lite, powerctl_prop) diff --git a/thermal/file.te b/thermal/file.te deleted file mode 100644 index 3a8ebd1e..00000000 --- a/thermal/file.te +++ /dev/null @@ -1,2 +0,0 @@ -type sysfs_thermal_management, fs_type, sysfs_type; -type sysfs_powercap, fs_type, sysfs_type; diff --git a/thermal/file_contexts b/thermal/file_contexts deleted file mode 100644 index 02d7664a..00000000 
--- a/thermal/file_contexts +++ /dev/null @@ -1,12 +0,0 @@ -/sys/devices/virtual/thermal/thermal_zone[0-9]/trip_point_[0-9]_temp u:object_r:sysfs_thermal:s0 -/sys/devices/virtual/thermal/cooling_device[0-9]/cur_state u:object_r:sysfs_thermal:s0 -/sys/devices/virtual/thermal/thermal_zone[0-9]/policy u:object_r:sysfs_thermal:s0 -/sys/devices/virtual/thermal/thermal_zone[0-9]/temp u:object_r:sysfs_thermal:s0 -/sys/devices/system/cpu/cpu[0-4]/cpufreq/thermal_scaling_max_freq u:object_r:sysfs_thermal:s0 - -/dev/acpi_thermal_rel u:object_r:thermal_device:s0 - -# thermal management -/sys/devices/platform/coretemp.0(/.*)? u:object_r:sysfs_thermal_management:s0 -/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal_management:s0 -/sys/devices/virtual/powercap(/.*)? u:object_r:sysfs_powercap:s0 diff --git a/thermal/hal_sensors_sefault.te b/thermal/hal_sensors_sefault.te deleted file mode 100644 index 63e24751..00000000 --- a/thermal/hal_sensors_sefault.te +++ /dev/null @@ -1,4 +0,0 @@ -allow hal_sensors_default sysfs_thermal_management:dir r_dir_perms; -allow hal_sensors_default sysfs_thermal_management:file rw_file_perms; - -allow system_server system_app:file w_file_perms; diff --git a/thermal/hal_thermal_default.te b/thermal/hal_thermal_default.te deleted file mode 100644 index 9f65440d..00000000 --- a/thermal/hal_thermal_default.te +++ /dev/null @@ -1,15 +0,0 @@ -#============= hal_thermal_default ============== -vndbinder_use(hal_thermal_default) - -add_service(hal_thermal_default, thermal_hal_service) - -allow hal_thermal_default thermal_hal_service:hwservice_manager find; -allow hal_thermal_default sysfs_thermal_management:dir r_dir_perms; -allow hal_thermal_default sysfs_thermal:file r_file_perms; -allow hal_thermal_default proc_stat:file r_file_perms; -allow hal_thermal_default self:can_socket create_socket_perms; -allowxperm hal_thermal_default self:can_socket ioctl { - SIOCGIFINDEX - SIOCSIFNAME - SIOCSIFFLAGS -}; 
diff --git a/thermal/platform_app.te b/thermal/platform_app.te deleted file mode 100644 index 57625dcd..00000000 --- a/thermal/platform_app.te +++ /dev/null @@ -1,7 +0,0 @@ -# -# platform_app -# - -# XXX Did the thermal apps drop out of the system app domain? -allow platform_app sysfs_powercap:dir search; -allow platform_app sysfs_powercap:file r_file_perms; diff --git a/thermal/system_app.te b/thermal/system_app.te deleted file mode 100644 index 882d0f64..00000000 --- a/thermal/system_app.te +++ /dev/null @@ -1,22 +0,0 @@ -# -# system_app.te -# - -# XXX Not sure which app this is for, so common for now -allow system_app sysfs_thermal:file rw_file_perms; -allow system_app thermal_device:chr_file rw_file_perms; -allow system_app sysfs_thermal_management:{ file lnk_file } rw_file_perms; -allow system_app sysfs_thermal_management:dir {read open search }; -allow system_app sysfs_devices_system_cpu:file rw_file_perms; -allow system_app kernel:capability net_admin; - -allow system_app sysfs_powercap:{ file lnk_file } rw_file_perms; -allow system_app sysfs_powercap:dir r_dir_perms; - -module_only(`camera_ipu2', ` - set_prop(system_app, cam_flash_thrtl_prop) -') - -module_only(`camera_ipu4', ` - set_prop(system_app, cam_flash_thrtl_prop) -') diff --git a/thermal/thermal-daemon/file.te b/thermal/thermal-daemon/file.te deleted file mode 100644 index 3214575c..00000000 --- a/thermal/thermal-daemon/file.te +++ /dev/null @@ -1,4 +0,0 @@ -type thermal-daemon_data_file, vendor_file_type, file_type; -type sysfs_dmi_id, fs_type, sysfs_type; -type sysfs_backlight_thermal, fs_type, sysfs_type; -type thermal-daemon_run_dir, file_type, data_file_type; diff --git a/thermal/thermal-daemon/file_contexts b/thermal/thermal-daemon/file_contexts deleted file mode 100644 index c5ab87f8..00000000 --- a/thermal/thermal-daemon/file_contexts +++ /dev/null 
@@ -1,3 +0,0 @@ -/vendor/bin/thermal-daemon u:object_r:thermal-daemon_exec:s0 -/vendor/etc/thermal-daemon(/.*)? u:object_r:thermal-daemon_data_file:s0 -/data/vendor/thermal-daemon(/.*)? u:object_r:thermal-daemon_run_dir:s0 diff --git a/thermal/thermal-daemon/genfs_contexts b/thermal/thermal-daemon/genfs_contexts deleted file mode 100644 index 2aa5ab5b..00000000 --- a/thermal/thermal-daemon/genfs_contexts +++ /dev/null @@ -1,3 +0,0 @@ -genfscon sysfs /devices/virtual/dmi/id/product_name u:object_r:sysfs_dmi_id:s0 -genfscon sysfs /devices/virtual/dmi/id/product_uuid u:object_r:sysfs_dmi_id:s0 -genfscon sysfs /class/backlight u:object_r:sysfs_backlight_thermal:s0 diff --git a/thermal/thermal-daemon/thermal-daemon.te b/thermal/thermal-daemon/thermal-daemon.te deleted file mode 100644 index 3ca2415b..00000000 --- a/thermal/thermal-daemon/thermal-daemon.te +++ /dev/null 
@@ -1,35 +0,0 @@ -# -# thermal-daemon -# - -type thermal-daemon, domain; -type thermal-daemon_exec, exec_type, file_type, vendor_file_type; -init_daemon_domain(thermal-daemon) - -allow thermal-daemon sysfs:dir r_dir_perms; -allow thermal-daemon sysfs_thermal_management:dir r_dir_perms; -allow thermal-daemon sysfs_thermal_management:{ file lnk_file } rw_file_perms; -allow thermal-daemon sysfs_thermal_management:{ file lnk_file } { getattr setattr }; -allow thermal-daemon sysfs:file { getattr open read }; -allow thermal-daemon sysfs_powercap:{ file lnk_file } rw_file_perms; -allow thermal-daemon sysfs_powercap:dir r_dir_perms; -allow thermal-daemon sysfs_thermal:dir r_dir_perms; -allow thermal-daemon sysfs_thermal:file rw_file_perms; -allow thermal-daemon sysfs_thermal:lnk_file read; -allow thermal-daemon sysfs_leds:dir r_dir_perms; -allow thermal-daemon sysfs_leds:file rw_file_perms; -allow thermal-daemon sysfs_backlight_thermal:dir r_dir_perms; -allow thermal-daemon sysfs_backlight_thermal:file rw_file_perms; -allow thermal-daemon sysfs_dmi_id:{ file lnk_file } rw_file_perms; -allow thermal-daemon vendor_data_file:dir create_dir_perms; -allow thermal-daemon vendor_data_file:dir rw_dir_perms; -allow thermal-daemon thermal-daemon_run_dir:dir create_dir_perms; -allow thermal-daemon thermal-daemon_run_dir:file create_file_perms; -allow thermal-daemon thermal-daemon_data_file:dir r_file_perms; -allow thermal-daemon thermal-daemon_data_file:file r_file_perms; -allow thermal-daemon thermal_device:chr_file rw_file_perms; -allow thermal-daemon self:netlink_kobject_uevent_socket create_socket_perms; -allowxperm thermal-daemon self:netlink_kobject_uevent_socket ioctl SIOCETHTOOL; - -# properties -set_prop(thermal-daemon, powerctl_prop) diff --git a/thermal/thermal-daemon/vendor_init.te b/thermal/thermal-daemon/vendor_init.te deleted file mode 100644 index 784bf54b..00000000 --- a/thermal/thermal-daemon/vendor_init.te +++ /dev/null 
@@ -1,8 +0,0 @@ -allow vendor_init sysfs_powercap:dir r_dir_perms; -allow vendor_init sysfs_powercap:file { read setattr }; -allow vendor_init thermal-daemon_data_file: dir r_dir_perms; -allow vendor_init thermal-daemon_data_file: file { read }; -allow vendor_init thermal-daemon_run_dir: dir create_dir_perms; -allow vendor_init thermal-daemon_run_dir: file { create read write setattr }; -allow vendor_init sysfs_dmi_id: file { read setattr }; -allow vendor_init sysfs_backlight_thermal: file { read write setattr }; diff --git a/thermal/ueventd.te b/thermal/ueventd.te deleted file mode 100644 index 8074fec7..00000000 --- a/thermal/ueventd.te +++ /dev/null @@ -1,6 +0,0 @@ -# -# ueventd -# - -allow ueventd sysfs_thermal_management:file rw_file_perms; -allow ueventd sysfs_powercap:file w_file_perms; diff --git a/thermal/vndservice.te b/thermal/vndservice.te deleted file mode 100644 index 18b2e46b..00000000 --- a/thermal/vndservice.te +++ /dev/null @@ -1 +0,0 @@ -type thermal_hal_service, vndservice_manager_type; diff --git a/thermal/vndservice_contexts b/thermal/vndservice_contexts deleted file mode 100644 index 8ed48541..00000000 --- a/thermal/vndservice_contexts +++ /dev/null @@ -1 +0,0 @@ -thermal.hal.service u:object_r:thermal_hal_service:s0 diff --git a/tools/caps.conf b/tools/caps.conf index 9b5fdecd..9571df51 100644 --- a/tools/caps.conf +++ b/tools/caps.conf 
@@ -3,71 +3,81 @@ caps : setuid setgid dac_override dac_read_search fowner sys_module chown sys_ad
 [AOSP_IGNORED]
 adbd : setuid setgid
+apexd: sys_admin
+app_zygote: setuid setgid
+art_apex_postinstall: sys_admin
+art_apex_preinstall: sys_admin
+bpfloader: sys_admin
 clatd : setuid setgid
 dhcp : setuid setgid
-dnsmasq : setuid setgid dac_override
+dnsmasq : setuid setgid dac_override dac_read_search
 dumpstate : setuid fowner chown setgid dac_override dac_read_search
+gsid: sys_admin
+hal_radio_config_default : setuid setgid
+hal_radio_default : setuid setgid
 hal_wifi_supplicant_default : setuid setgid
+heapprofd: dac_read_search
 init : setuid sys_admin mknod dac_override chown setgid fowner
-install_recovery : dac_override
+install_recovery : dac_override dac_read_search
 installd : setuid sys_admin dac_override chown setgid fowner dac_read_search
-lmkd : dac_override
+llkd: dac_override dac_read_search
+lmkd : dac_override dac_read_search
 logd : setuid setgid
 modprobe : sys_module
-netd : fowner chown dac_override
+netd : fowner chown dac_override dac_read_search
 otapreopt_chroot : sys_admin
 performanced : setuid setgid
-perfprofd : sys_admin dac_override
-postinstall_dexopt : setuid fowner chown setgid dac_override
-postinstall : sys_admin
+perfprofd : sys_admin dac_override dac_read_search
+postinstall_dexopt : setuid fowner chown setgid dac_override dac_read_search
 rild : setuid setgid
+rss_hwm_reset: dac_override
 runas : setuid setgid
-sdcardd : setuid sys_admin setgid dac_override
+sdcardd : setuid sys_admin setgid dac_override dac_read_search
 sgdisk : sys_admin
+simpleperf_app_runner: setuid setgid
 storaged : setuid setgid
 system_server : setuid setgid
 tee : dac_override
-ueventd : fowner chown mknod setgid dac_override sys_module
-uncrypt : dac_override
+traced_probes : dac_read_search
+ueventd : fowner chown mknod setgid dac_override sys_module dac_read_search
+uncrypt : dac_override dac_read_search
 update_engine : fowner sys_admin
 vendor_modprobe : 
sys_module
+vendor_init : fowner chown sys_admin dac_override sys_module dac_read_search
 vold : chown mknod fowner sys_admin dac_override dac_read_search
+vold_prepare_subdirs : fowner chown dac_override dac_read_search
 webview_zygote : setuid setgid
 wificond : setuid chown setgid
 zygote : setuid sys_admin dac_override chown setgid fowner dac_read_search
-hal_radio_config_default : setuid setgid
-vendor_init : fowner chown sys_admin dac_override sys_module
-vold_prepare_subdirs : chown dac_override
-hal_radio_default : setuid setgid
-vold_prepare_subdirs : fowner chown dac_override
-traced_probes : dac_read_search
 [DEVICE_BUG]
+avb_streamhandler_service : dac_override https://jira01.devtools.intel.com/browse/OAM-44226
+dumpstate : sys_admin https://jira01.devtools.intel.com/browse/OAM-44012
+hci_attach : dac_override https://jira01.devtools.intel.com/browse/OAM-44226
 hdcpd : chown sys_admin https://jira01.devtools.intel.com/browse/OAM-44007
 pstore-clean : sys_admin https://jira01.devtools.intel.com/browse/OAM-44010
 rfkill : chown https://jira01.devtools.intel.com/browse/OAM-44009
-dumpstate : sys_admin https://jira01.devtools.intel.com/browse/OAM-44012
-avb_streamhandler_service : dac_override https://jira01.devtools.intel.com/browse/OAM-44226
-hci_attach : dac_override https://jira01.devtools.intel.com/browse/OAM-44226
 set_storage : fowner chown https://jira01.devtools.intel.com/browse/OAM-44332
 [DEVICE_IGNORED]
 coreu : sys_admin
+dirana_config : fowner chown ; Allow the use of chmod for dirana_config
 dumpstate_dropbox : * ; DEBUG WE DON"T CARE
+early_evs: sys_module
+evs_bxt_app: sys_admin dac_override
+hal_graphics_composer_default: sys_admin ; Allow HWC be able to grab the DRM_MASTER role
 init : sys_module dac_read_search ; Allow the use of insmod keyword for init.
-log-watch : * ; DEBUG WE DON"T CARE
-kernel : sys_admin ; watchdog kernel option CONFIG_LOCKUP_DETECTOR
-logsvc : * ; DEBUG WE DON"T CARE
-usermode_helper : sys_module ; usermode helpers need to load modules
-ioc_slcan : sys_module ; boot performance
-ioc_slcan_usermode_helper : sys_module ; boot performance
 ioc_cbc : sys_module ; boot performance
 ioc_cbc_usermode_helper : sys_module ; boot performance
-netd : sys_module ; boot performance
+ioc_slcan : sys_module ; boot performance
+ioc_slcan_usermode_helper : sys_module ; boot performance
 load_iwlwifi_script : sys_module ; Allow the use of insmod keyword for load_iwlwifi_script
-early_evs: sys_module
-evs_bxt_app: sys_admin dac_override
-load_mwifiex : sys_module ; Allow the use of insmod for load_mwifiex script
 load_modules : sys_module ; Allow the use of insmod for load_modules
-dirana_config : fowner chown ; Allow the use of chmod for dirana_config
+load_mwifiex : sys_module ; Allow the use of insmod for load_mwifiex script
+log-watch : * ; DEBUG WE DON"T CARE
+logsvc : * ; DEBUG WE DON"T CARE
+kernel : sys_admin ; watchdog kernel option CONFIG_LOCKUP_DETECTOR
+netd : sys_module ; boot performance
 rngd : sys_admin
+surfaceflinger: sys_admin ; Allow SurfaceFlinger be able to act as DRM render client
+usermode_helper : sys_module ; usermode helpers need to load modules
diff --git a/trusty/file_contexts b/trusty/file_contexts
index 0823d60d..6bfb707f 100644
--- a/trusty/file_contexts
+++ b/trusty/file_contexts
@@ -3,6 +3,6 @@ # Trusty rpmb device /dev/rpmb[01] u:object_r:tee_device:s0 -/vendor/bin/storageproxyd u:object_r:tee_exec:s0 - +(/system)?/vendor/bin/intelstorageproxyd u:object_r:tee_exec:s0 +(/system)?/vendor/bin/cp_ss u:object_r:tee_exec:s0 /data/vendor/securestorage(/.*)? u:object_r:tee_data_file:s0
diff --git a/trusty/property.te b/trusty/property.te
new file mode 100644
index 00000000..d86cd03f
--- /dev/null
+++ b/trusty/property.te
@@ -0,0 +1,3 @@
+type tee_service_prop, property_type;
+
+
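Review bot: `+surfaceflinger: sys_admin ; Allow SurfaceFlinger be able to act as DRM render client` and `+hal_graphics_composer_default: sys_admin ; Allow HWC be able to grab the DRM_MASTER role` are filed under [DEVICE_IGNORED], which silences the capability check for good on two processes that sit directly on app and display input. A DRM render node needs no capability at all and only the SetMaster path requires CAP_SYS_ADMIN, so the surfaceflinger rationale does not match what it waives; re-check which call actually fails, and if a capability really is needed, track it under [DEVICE_BUG] with a ticket like the neighbouring entries instead of ignoring it. `+netd : sys_module ; boot performance` is carried over the same way: CAP_SYS_MODULE lets the network daemon load arbitrary kernel modules, and this change also deletes the `dontaudit netd self:capability sys_module` in vendor/netd.te, so the policy no longer even expects netd to attempt it and the waiver looks stale.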
diff --git a/trusty/property_contexts b/trusty/property_contexts
new file mode 100644
index 00000000..f1fdb5ff
--- /dev/null
+++ b/trusty/property_contexts
@@ -0,0 +1,2 @@
+ro.vendor.copy.ss u:object_r:tee_service_prop:s0
+
diff --git a/trusty/storageproxyd.te b/trusty/storageproxyd.te
deleted file mode 100644
index 98e268b8..00000000
--- a/trusty/storageproxyd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# storageproxyd is a daemon of secure storage to do operations on rpmb,
-# which is a partition of eMMC, and provides encrypted and tamper proof
-# storage to secure apps. storageproxyd service receives cmds from trusty
-# storage app to execute read/write on rpmb and gives responses to trusty.
-
-# storageproxyd requires sys_rawio permission to call ioctl to execute
-# read/write operations on /dev/rpmb*, which is in tee domain.
-
-allow tee self:capability { sys_rawio };
-allow tee block_device:dir search;
-allow tee tee_device:blk_file rw_file_perms;
\ No newline at end of file
diff --git a/trusty/tee.te b/trusty/tee.te
new file mode 100644
index 00000000..882eb731
--- /dev/null
+++ b/trusty/tee.te
@@ -0,0 +1,15 @@
+# intelstorageproxyd is a daemon of secure storage to do operations on rpmb,
+# which is a partition of eMMC, and provides encrypted and tamper proof
+# storage to secure apps. storageproxyd service receives cmds from trusty
+# storage app to execute read/write on rpmb and gives responses to trusty.
+
+# intelstorageproxyd requires sys_rawio permission to call ioctl to execute
+# read/write operations on /dev/rpmb*, which is in tee domain.
+
+allow tee self:capability sys_rawio;
+allow tee block_device:dir search;
+allow tee tee_device:blk_file rw_file_perms;
+allow tee vendor_shell_exec:file execute_no_trans;
+allow tee vendor_toolbox_exec:file execute_no_trans;
+allow tee system_data_file:file read;
+set_prop(tee, tee_service_prop);
diff --git a/trusty/vendor_init.te b/trusty/vendor_init.te
new file mode 100644
index 00000000..08136736
--- /dev/null
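Review bot: `allow tee vendor_shell_exec:file execute_no_trans;` and `allow tee vendor_toolbox_exec:file execute_no_trans;` let a shell and toolbox run inside the tee domain, which in the same file keeps `self:capability sys_rawio` and `tee_device:blk_file rw_file_perms` on the RPMB device; the file_contexts hunk that labels `/vendor/bin/cp_ss` as `tee_exec` suggests cp_ss is that script. A copy helper that only needs `system_data_file:file read` and `tee_service_prop` should not inherit raw I/O on the tamper-evident store the daemon guards, so give it its own domain and its own exec label in file_contexts (`u:object_r:cp_ss_exec:s0`) and keep tee for intelstorageproxyd alone; the domain name below is a suggestion. The header comment was only half renamed: line 3 still says `storageproxyd service receives cmds`, and `which is in tee domain` should say the device is labelled `tee_device`.
```sepolicy
# cp_ss is a shell script; keep it out of the RPMB-holding tee domain
type cp_ss, domain;
type cp_ss_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(cp_ss)
allow cp_ss vendor_shell_exec:file execute_no_trans;
allow cp_ss vendor_toolbox_exec:file execute_no_trans;
allow cp_ss system_data_file:file read;
set_prop(cp_ss, tee_service_prop)
# … unchanged: tee keeps sys_rawio, block_device search and tee_device rw …
```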
+++ b/trusty/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init system_data_file:file r_file_perms;
diff --git a/usb-gadget/configfs/init.te b/usb-gadget/configfs/init.te
new file mode 100644
index 00000000..b35aea3a
--- /dev/null
+++ b/usb-gadget/configfs/init.te
@@ -0,0 +1,8 @@
+# configfs
+allow init configfs:dir create_dir_perms;
+allow init configfs:file create_file_perms;
+allow init configfs:file write;
+allow init configfs:lnk_file { create unlink };
+
+# Allow init to mount on /dev/usb-ffs/adb.
+allow init functionfs:dir mounton;
diff --git a/usb-gadget/configfs/recovery.te b/usb-gadget/configfs/recovery.te
new file mode 100644
index 00000000..847b6df2
--- /dev/null
+++ b/usb-gadget/configfs/recovery.te
@@ -0,0 +1,14 @@
+recovery_only(`
+ # set sys.usb.ffs.ready prop
+ set_prop(recovery, ffs_prop)
+
+ # rules needed to access GPU
+ allow recovery gpu_device:chr_file rw_file_perms;
+
+ # rules for ota update from udisk
+ allow recovery rootfs:dir w_dir_perms;
+ allow recovery block_device:dir w_dir_perms;
+ allow recovery block_device:blk_file { create unlink };
+ allow recovery vfat:dir create_dir_perms;
+ allow recovery vfat:file create_file_perms;
+')
diff --git a/usb-gadget/file_contexts b/usb-gadget/file_contexts
deleted file mode 100644
index b2cffb6d..00000000
--- a/usb-gadget/file_contexts
+++ /dev/null
@@ -1,7 +0,0 @@
-/dev/dbc_raw0 u:object_r:dbc_device:s0
-/sys/devices/pci0000:00/0000:00:14.0/dbc u:object_r:dbc_sysfs:s0
-/sys/bus/pci/devices/0000:00:14.0/dbc u:object_r:dbc_sysfs:s0
-/sys/devices/pci0000:00/0000:00:15.0/dbc u:object_r:dbc_sysfs:s0
-/sys/bus/pci/devices/0000:00:15.0/dbc u:object_r:dbc_sysfs:s0
-/sys/devices/pci0000:00/0000:39:00.0/dbc u:object_r:dbc_sysfs:s0
-/sys/bus/pci/devices/0000:39:00.0/dbc u:object_r:dbc_sysfs:s0
diff --git a/usb-role-switch/file.te b/usb-role-switch/file.te
new file mode 100644
index 00000000..ba6080f6
--- /dev/null
+++ b/usb-role-switch/file.te
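Review bot: `allow vendor_init system_data_file:file r_file_perms;` lets vendor_init read any file carrying the default system-owned /data label, crossing the core/vendor data boundary that the rest of this change has to work around with violator attributes, and the hunk does not say which file it is after. If it is the secure-storage path that cp_ss copies (the matching `allow tee system_data_file:file read` in tee.te suggests so, but that is inferred), label that path with a vendor-owned type in file_contexts and allow that type instead. Failing that, a comment such as `# reads <path> during secure-storage migration — TODO confirm path and relabel` would at least record the intent and keep the rule from being widened later.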
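Review bot: `allow recovery vfat:dir create_dir_perms;` and `allow recovery vfat:file create_file_perms;` under `# rules for ota update from udisk` let recovery create, write and delete on a removable disk, but installing a package from it only needs to read it; narrow to `allow recovery vfat:dir r_dir_perms;` and `allow recovery vfat:file r_file_perms;` unless the updater demonstrably writes back to the stick. `allow recovery block_device:blk_file { create unlink };` and `allow recovery rootfs:dir w_dir_perms;` should say what they create (presumably the node for the USB partition and its mount point) so the next reader does not widen them further. Since the medium is untrusted, the comment should also state that the package is still gated by recovery's signature verification rather than by where it was mounted from — if that is indeed the case for the udisk path, which this hunk cannot show.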
@@ -0,0 +1,2 @@ +type sysfs_usb_mux_writable, fs_type, sysfs_type; +type sysfs_usb_role_writeable, fs_type, sysfs_type; diff --git a/usb-role-switch/file_contexts b/usb-role-switch/file_contexts new file mode 100644 index 00000000..36ae11f8 --- /dev/null +++ b/usb-role-switch/file_contexts @@ -0,0 +1,2 @@ +# usb role switch service +/vendor/bin/usb_otg_switch.sh u:object_r:usb_roleswitch_exec:s0 diff --git a/usb-role-switch/genfs_contexts b/usb-role-switch/genfs_contexts new file mode 100644 index 00000000..183e7f9e --- /dev/null +++ b/usb-role-switch/genfs_contexts @@ -0,0 +1,5 @@ +# usb role switch service +genfscon sysfs /devices/pci0000:00/0000:00:15.1/intel-cht-otg.0/mux_state u:object_r:sysfs_usb_mux_writable:s0 +genfscon sysfs /devices/pci0000:00/0000:00:14.0/intel_xhci_usb_sw/usb_role/intel_xhci_usb_sw-role-switch/role u:object_r:sysfs_usb_role_writeable:s0 +genfscon sysfs /devices/pci0000:00/0000:00:15.0/intel_xhci_usb_sw/usb_role/intel_xhci_usb_sw-role-switch/role u:object_r:sysfs_usb_role_writeable:s0 + diff --git a/usb/init.te b/usb-role-switch/init.te similarity index 50% rename from usb/init.te rename to usb-role-switch/init.te index 39b56af6..6529cdd9 100644 --- a/usb/init.te +++ b/usb-role-switch/init.te @@ -1,2 +1,2 @@ +# Allow init to access USB role mux sysfs allow init sysfs_usb_role_writeable:file rw_file_perms; -allow init sysfs_usb_role_writeable:file { setattr }; diff --git a/usb-role-switch/property.te b/usb-role-switch/property.te new file mode 100644 index 00000000..346f0cf3 --- /dev/null +++ b/usb-role-switch/property.te @@ -0,0 +1 @@ +type vendor_usbrole_prop, property_type; diff --git a/usb-role-switch/property_contexts b/usb-role-switch/property_contexts new file mode 100644 index 00000000..78072978 --- /dev/null +++ b/usb-role-switch/property_contexts @@ -0,0 +1 @@ +persist.sys.usb.role u:object_r:vendor_usbrole_prop:s0 
diff --git a/usb-role-switch/system_app.te b/usb-role-switch/system_app.te
new file mode 100644
index 00000000..b3b5e340
--- /dev/null
+++ b/usb-role-switch/system_app.te
@@ -0,0 +1,3 @@
+typeattribute system_app system_writes_vendor_properties_violators;
+
+set_prop(system_app, vendor_usbrole_prop)
diff --git a/usb-role-switch/ueventd.te b/usb-role-switch/ueventd.te
new file mode 100644
index 00000000..c4bdd3a7
--- /dev/null
+++ b/usb-role-switch/ueventd.te
@@ -0,0 +1 @@
+allow ueventd sysfs_usb_role_writeable:file { setattr };
diff --git a/usb-role-switch/usb_roleswitch.te b/usb-role-switch/usb_roleswitch.te
new file mode 100644
index 00000000..19e190b6
--- /dev/null
+++ b/usb-role-switch/usb_roleswitch.te
@@ -0,0 +1,31 @@
+type usb_roleswitch, domain;
+type usb_roleswitch_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(usb_roleswitch)
+
+allow usb_roleswitch self:capability net_raw;
+
+#allow usb_roleswitch sysfs:dir w_dir_perms;
+allow usb_roleswitch sysfs:file rw_file_perms;
+
+allow usb_roleswitch vendor_file:dir r_dir_perms;
+
+allow usb_roleswitch sysfs_usb_mux_writable:file rw_file_perms;
+allow usb_roleswitch kernel:key search;
+
+allow usb_roleswitch serial_device:chr_file rw_file_perms;
+allow usb_roleswitch sysfs_usb_role_writeable:file rw_file_perms;
+
+# allows needed for cansend utility
+allow usb_roleswitch vendor_toolbox_exec:file rx_file_perms;
+module_only(`ioc_slcan', `
+ allow usb_roleswitch ioc_slcan_exec:file rx_file_perms;
+')
+allow usb_roleswitch self:udp_socket create_socket_perms;
+allow usb_roleswitch self:socket create_socket_perms_no_ioctl;
+allow usb_roleswitch self:can_socket create_socket_perms_no_ioctl;
+
+not_full_treble(`
+ allow usb_roleswitch shell_exec:file rx_file_perms;
+ allow usb_roleswitch toolbox_exec:file rx_file_perms;
+')
diff --git a/usb-role-switch/vendor_init.te b/usb-role-switch/vendor_init.te
new file mode 100644
index 00000000..05d7188d
--- /dev/null
+++ b/usb-role-switch/vendor_init.te
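Review bot: `allow usb_roleswitch sysfs:file rw_file_perms;` gives the usb_otg_switch.sh script write access to every sysfs file that still carries the generic `sysfs` label, which defeats the dedicated `sysfs_usb_mux_writable` and `sysfs_usb_role_writeable` types this same change introduces and then grants a few lines below. Drop the generic rule; if one node is still missing, label it in genfs_contexts next to the mux and role entries. The commented-out `#allow usb_roleswitch sysfs:dir w_dir_perms;` should be deleted rather than left as a hint. `allow usb_roleswitch self:capability net_raw;` and `allow usb_roleswitch serial_device:chr_file rw_file_perms;` carry no explanation — the `# allows needed for cansend utility` note covers the CAN socket rules but not why a role-switch script needs a raw-network capability or a serial port, and each should get a one-line reason or go.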
@@ -0,0 +1 @@ +set_prop(vendor_init, vendor_usbrole_prop) diff --git a/usb/file.te b/usb/file.te deleted file mode 100644 index 45ed06c6..00000000 --- a/usb/file.te +++ /dev/null @@ -1 +0,0 @@ -type sysfs_usb_role_writeable, fs_type, sysfs_type, mlstrustedobject; diff --git a/usb/file_contexts b/usb/file_contexts deleted file mode 100644 index f1d72fd1..00000000 --- a/usb/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/sys/devices/pci0000:00/0000:00:14.0/intel_xhci_usb_sw/usb_role/intel_xhci_usb_sw-role-switch/role u:object_r:sysfs_usb_role_writeable:s0 diff --git a/usb/platform_app.te b/usb/platform_app.te deleted file mode 100644 index bc84251b..00000000 --- a/usb/platform_app.te +++ /dev/null @@ -1 +0,0 @@ -allow platform_app sysfs_usb_role_writeable:file rw_file_perms; diff --git a/vendor/dnsmasq.te b/vendor/dnsmasq.te deleted file mode 100644 index 54772c1d..00000000 --- a/vendor/dnsmasq.te +++ /dev/null @@ -1,2 +0,0 @@ -allow dnsmasq netd:fifo_file getattr; -allow dnsmasq netd:unix_stream_socket getattr; diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts new file mode 100644 index 00000000..53fe0791 --- /dev/null +++ b/vendor/genfs_contexts @@ -0,0 +1,2 @@ +# sysfs +genfscon sysfs /devices/pnp0/00:04/rtc u:object_r:sysfs_rtc:s0 diff --git a/vendor/netd.te b/vendor/netd.te deleted file mode 100644 index 4ef8a614..00000000 --- a/vendor/netd.te +++ /dev/null @@ -1,3 +0,0 @@ -dontaudit netd kernel:system module_request; -dontaudit netd self:capability sys_module; -dontaudit netd system_file:dir write; diff --git a/vendor/system_server.te b/vendor/system_server.te deleted file mode 100644 index b05a6513..00000000 --- a/vendor/system_server.te +++ /dev/null @@ -1,2 +0,0 @@ -dontaudit system_server self:capability sys_module; -dontaudit system_server kernel:system syslog_read; diff --git a/vendor/untrusted_app_all.te b/vendor/untrusted_app_all.te deleted file mode 100644 index 70002b89..00000000 --- a/vendor/untrusted_app_all.te +++ /dev/null 
@@ -1,17 +0,0 @@
-dontaudit untrusted_app_all mnt_vendor_file:dir search;
-dontaudit untrusted_app_all system_data_file:dir setattr;
-dontaudit untrusted_app_all sysfs_zram:dir search;
-dontaudit untrusted_app_all sysfs:dir r_dir_perms;
-dontaudit untrusted_app_all backup_data_file:dir r_dir_perms;
-dontaudit untrusted_app_all anr_data_file:dir r_dir_perms;
-allow untrusted_app_all vendor_file:file r_file_perms;
-allow untrusted_app_all fs_bpf:dir search;
-
-user_build_only(`
- dontaudit untrusted_app_all block_device:dir getattr;
- dontaudit untrusted_app_all configfs:dir search;
- dontaudit untrusted_app_all kernel:dir search;
- dontaudit untrusted_app_all proc_qtaguid_stat:file r_file_perms;
- dontaudit untrusted_app_all qtaguid_proc:file r_file_perms;
- dontaudit untrusted_app_all qtaguid_device:chr_file r_file_perms;
-')
diff --git a/vendor_init.te b/vendor_init.te
deleted file mode 100644
index 8399acfc..00000000
--- a/vendor_init.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow vendor_init self:global_capability_class_set sys_module;
-allow vendor_init vendor_file:system module_load;
-allow vendor_init kernel:key search;
-allow vendor_init file_contexts_file:file map;
-set_prop(vendor_init, shell_prop)
diff --git a/wlan/autodetect-sofia/change_mac_address.te b/wlan/autodetect-sofia/change_mac_address.te
new file mode 100644
index 00000000..02f6ecf5
--- /dev/null
+++ b/wlan/autodetect-sofia/change_mac_address.te
@@ -0,0 +1,7 @@
+#
+# change_mac_address
+#
+type change_mac_address, domain;
+type change_mac_address_exec, file_type, exec_type;
+
+init_daemon_domain(change_mac_address)
diff --git a/wlan/autodetect-sofia/file_contexts b/wlan/autodetect-sofia/file_contexts
new file mode 100644
index 00000000..1ca9130e
--- /dev/null
+++ b/wlan/autodetect-sofia/file_contexts
@@ -0,0 +1,2 @@
+/system/bin/change_mac_address u:object_r:change_mac_address_exec:s0
+
diff --git a/wlan/bcm/file.te b/wlan/bcm/file.te
new file mode 100644
index 00000000..ee98ec52
--- /dev/null
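Review bot: `type change_mac_address_exec, file_type, exec_type;` is paired in file_contexts with `/system/bin/change_mac_address`, yet `type change_mac_address, domain;` omits `coredomain` and the exec type omits `system_file_type`, while the sibling wlan_intel_restore.te in this same change declares `domain, coredomain` and `file_type, exec_type, system_file_type` for its /system binary. On a Treble build the neverallow and checkfc tests are likely to reject a /system entrypoint typed this way (verify against the target's policy version), so align it: `type change_mac_address, domain, coredomain;` and `type change_mac_address_exec, file_type, exec_type, system_file_type;`. The domain also has no rules beyond init_daemon_domain and no description; the `# change_mac_address` banner should say what the binary changes and where it obtains the address, as the name alone is an inference.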
+++ b/wlan/bcm/file.te
@@ -0,0 +1,2 @@
+# Wifi MAC address in /oem_config/wifi/
+type wlan_prov_data_file, file_type, data_file_type;
diff --git a/wlan/bcm/file_contexts b/wlan/bcm/file_contexts
new file mode 100644
index 00000000..9936757b
--- /dev/null
+++ b/wlan/bcm/file_contexts
@@ -0,0 +1,3 @@
+ # wlan provisionning
+ /oem_config/wifi(/.*)? u:object_r:wlan_prov_data_file:s0
+ (/system)?/vendor/bin/wlan_prov u:object_r:wlan_prov_exec:s0
diff --git a/wlan/bcm/wlan_prov.te b/wlan/bcm/wlan_prov.te
new file mode 100644
index 00000000..8c3c94b6
--- /dev/null
+++ b/wlan/bcm/wlan_prov.te
@@ -0,0 +1,18 @@
+#
+# wlan_prov.te
+#
+
+type wlan_prov, domain;
+type wlan_prov_exec, exec_type, file_type;
+init_daemon_domain(wlan_prov)
+
+module_only(`config_partition', `
+ allow wlan_prov config_file:dir search;
+')
+
+allow wlan_prov wlan_prov_data_file:dir create_dir_perms;
+allow wlan_prov wlan_prov_data_file:file create_file_perms;
+
+# rw access (including ioctl) is needed to access the /dev/mei partition where
+# the MAC address is stored.
+allow wlan_prov tee_device:chr_file rw_file_perms;
diff --git a/wlan/bcm/wpa.te b/wlan/bcm/wpa.te
new file mode 100644
index 00000000..468bdc8c
--- /dev/null
+++ b/wlan/bcm/wpa.te
@@ -0,0 +1,6 @@
+#
+# wpa.te
+#
+
+allow wpa wlan_prov_data_file:dir search;
+allow wpa wlan_prov_data_file:file r_file_perms;
diff --git a/wlan/iwlwifi/file_contexts b/wlan/iwlwifi/file_contexts
new file mode 100644
index 00000000..b678c7ca
--- /dev/null
+++ b/wlan/iwlwifi/file_contexts
@@ -0,0 +1 @@
+/system/bin/wlan_intel_restore.sh u:object_r:wlan_intel_restore_exec:s0
diff --git a/wlan/iwlwifi/wlan_intel_restore.te b/wlan/iwlwifi/wlan_intel_restore.te
new file mode 100644
index 00000000..deaa2da0
--- /dev/null
+++ b/wlan/iwlwifi/wlan_intel_restore.te
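Review bot: `type wlan_prov_exec, exec_type, file_type;` lacks `vendor_file_type` although file_contexts labels `(/system)?/vendor/bin/wlan_prov` with it; every other vendor exec type in this change (pstore-clean_exec, usb_roleswitch_exec, load_iwlwifi_script_exec) carries `vendor_file_type`, and the Treble sepolicy tests are expected to flag a /vendor path whose type is not vendor_file_type, so make it `type wlan_prov_exec, exec_type, file_type, vendor_file_type;`. The comment `# rw access (including ioctl) is needed to access the /dev/mei partition` calls a character device a partition and relies on /dev/mei being labelled `tee_device`, which this diff does not show (trusty/file_contexts labels only /dev/rpmb[01]); confirm the label and reword to `# rw (incl. ioctl) on /dev/mei, labelled tee_device, from which the MAC address is read`. In the file_contexts hunk the three entries are indented with a leading space and "provisionning" is misspelled.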
@@ -0,0 +1,16 @@
+#
+# wlan_intel_restore - does what?
+#
+
+type wlan_intel_restore, domain, coredomain;
+type wlan_intel_restore_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(wlan_intel_restore)
+
+# Execute as a script and run toolbox and system commands
+allow wlan_intel_restore shell_exec:file rx_file_perms;
+allow wlan_intel_restore system_file:file rx_file_perms;
+allow wlan_intel_restore toolbox_exec:file rx_file_perms;
+
+allow wlan_intel_restore block_device:dir search;
+
diff --git a/wlan/load_iwlwifi/file_contexts b/wlan/load_iwlwifi/file_contexts
new file mode 100644
index 00000000..641f4ebd
--- /dev/null
+++ b/wlan/load_iwlwifi/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/load_iwlwifi.sh u:object_r:load_iwlwifi_script_exec:s0
diff --git a/wlan/load_iwlwifi/kernel.te b/wlan/load_iwlwifi/kernel.te
new file mode 100644
index 00000000..cbe8f96a
--- /dev/null
+++ b/wlan/load_iwlwifi/kernel.te
@@ -0,0 +1 @@
+allow kernel self:system module_request;
diff --git a/wlan/load_iwlwifi/load_iwlwifi.te b/wlan/load_iwlwifi/load_iwlwifi.te
new file mode 100644
index 00000000..0714102b
--- /dev/null
+++ b/wlan/load_iwlwifi/load_iwlwifi.te
@@ -0,0 +1,15 @@
+type load_iwlwifi_script, domain;
+type load_iwlwifi_script_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(load_iwlwifi_script)
+
+module_only(`thermal', `
+ allow load_iwlwifi_script sysfs_thermal_management:dir r_dir_perms;
+ allow load_iwlwifi_script sysfs_thermal_management:{file lnk_file} r_file_perms;
+')
+
+allow load_iwlwifi_script self:capability sys_module;
+allow load_iwlwifi_script kernel:key search;
+allow load_iwlwifi_script rootfs:file r_file_perms;
+allow load_iwlwifi_script vendor_shell_exec:file rx_file_perms;
+allow load_iwlwifi_script vendor_toolbox_exec:file rx_file_perms;
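Review bot: `allow load_iwlwifi_script self:capability sys_module;` gives a vendor shell script CAP_SYS_MODULE, yet the hunk grants no `system module_load` permission on the module files, whereas the vendor_init.te this change deletes carried `allow vendor_init vendor_file:system module_load;`. On a kernel that enforces the module_load hook the script will be denied at finit_module unless it also gets `allow load_iwlwifi_script vendor_file:system module_load;` (or whatever label the .ko files carry) — verify on the target kernel. The `module_only(`thermal', …)` block references `sysfs_thermal_management`, whose declaration in thermal/file.te this same commit deletes, so those two rules are dead unless a thermal module is reintroduced elsewhere. A comment stating that the script only insmods a fixed set of modules from /vendor, and a reason for `allow load_iwlwifi_script kernel:key search;`, would make the scope of the capability explicit.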