diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..791abb4
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,3 @@
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/sepolicy/PREUPLOAD.cfg b/sepolicy/PREUPLOAD.cfg
new file mode 100644
index 0000000..3591c7f
--- /dev/null
+++ b/sepolicy/PREUPLOAD.cfg
@@ -0,0 +1,3 @@
+[Hook Scripts]
+aosp_hook = ${REPO_ROOT}/frameworks/base/tools/aosp/aosp_sha.sh ${PREUPLOAD_COMMIT} "."
+
diff --git a/sepolicy/redfin-sepolicy.mk b/sepolicy/redfin-sepolicy.mk
new file mode 100644
index 0000000..30ba5ce
--- /dev/null
+++ b/sepolicy/redfin-sepolicy.mk
@@ -0,0 +1,3 @@
+# vendors
+BOARD_SEPOLICY_DIRS += device/google/redfin-sepolicy/vendor/google
+BOARD_SEPOLICY_DIRS += device/google/redfin-sepolicy/tracking_denials
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..7537c74
--- /dev/null
+++ b/sepolicy/tracking_denials/bug_map
@@ -0,0 +1,9 @@
+adbd sysfs_msm_subsys dir b/269369858
+derive_sdk system_app dir b/269044764
+dumpstate hal_input_processor_default process b/238263647
+dumpstate incident process b/238263647
+dumpstate system_data_file dir b/264600011
+hal_camera_default graphics_config_prop file b/268147541
+hal_drm_widevine default_prop file b/238263747
+shell build_attestation_prop file b/269370035
+system_server vendor_incremental_module file b/264483807
diff --git a/sepolicy/tracking_denials/dumpstate.te b/sepolicy/tracking_denials/dumpstate.te
new file mode 100644
index 0000000..87e51ff
--- /dev/null
+++ b/sepolicy/tracking_denials/dumpstate.te
@@ -0,0 +1,2 @@
+# b/277155912
+dontaudit dumpstate default_android_service:service_manager { find };
diff --git a/sepolicy/tracking_denials/hal_power_default.te b/sepolicy/tracking_denials/hal_power_default.te
new file mode 100644
index 0000000..37f09d2
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_power_default.te
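Review bot: `redfin-sepolicy.mk` registers only `vendor/google` and `tracking_denials` in `BOARD_SEPOLICY_DIRS`, while this same commit adds a third policy directory, `sepolicy/wireless_charger/`, holding `file_contexts`, `service_contexts` and `hal_wireless_charger.te`. Unless a makefile outside this diff adds it, those rules are never compiled in: the wireless-charger binary would not receive the `hal_wireless_charger_exec` label and init would presumably refuse to start it in its dedicated domain. Either add `BOARD_SEPOLICY_DIRS += device/google/redfin-sepolicy/wireless_charger` here, or leave a comment naming the makefile that owns that directory and the condition under which it is included. The two paths in this hunk also use the `device/google/redfin-sepolicy/...` prefix while the files land under `sepolicy/...`; confirm that prefix resolves in this tree, since a non-existent policy directory is easy to miss at build time.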
@@ -0,0 +1,3 @@
+# b/178988508
+dontaudit hal_power_default hal_power_default:capability dac_override ;
+dontaudit hal_power_default hal_power_default:capability dac_override ;
diff --git a/sepolicy/tracking_denials/shell.te b/sepolicy/tracking_denials/shell.te
new file mode 100644
index 0000000..8bbbda7
--- /dev/null
+++ b/sepolicy/tracking_denials/shell.te
@@ -0,0 +1,10 @@
+# b/269370035
+dontaudit shell incident_service:service_manager { find };
+dontaudit shell installd_service:service_manager { find };
+dontaudit shell mdns_service:service_manager { find };
+dontaudit shell netd_service:service_manager { find };
+dontaudit shell system_suspend_control_service:service_manager { find };
+dontaudit shell system_suspend_control_internal_service:service_manager { find };
+dontaudit shell vold_service:service_manager { find };
+dontaudit shell dnsresolver_service:service_manager { find };
+dontaudit shell gatekeeper_service:service_manager { find };
diff --git a/sepolicy/vendor/google/file_contexts b/sepolicy/vendor/google/file_contexts
new file mode 100644
index 0000000..cd5a515
--- /dev/null
+++ b/sepolicy/vendor/google/file_contexts
@@ -0,0 +1,5 @@
+# vendor binaries
+/vendor/bin/hw/android\.hardware\.usb-service\.redfin u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\.gadget-service\.redfin u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.vibrator-service\.redfin u:object_r:hal_vibrator_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.redfin u:object_r:hal_dumpstate_impl_exec:s0
diff --git a/sepolicy/vendor/google/genfs_contexts b/sepolicy/vendor/google/genfs_contexts
new file mode 100644
index 0000000..9c3ee01
--- /dev/null
+++ b/sepolicy/vendor/google/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/soc/98c000.i2c/i2c-1/1-003b u:object_r:sysfs_wlc:s0
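Review bot: The two `dontaudit hal_power_default hal_power_default:capability dac_override ;` lines in the `hal_power_default.te` hunk are byte-identical; the second is a copy-paste duplicate and should be dropped. The rule also silences a request for CAP_DAC_OVERRIDE, the capability that lets a process ignore file permission bits, so hiding the denial keeps the log quiet while leaving the underlying cause (presumably a sysfs or device node the HAL opens with the wrong owner or mode) unfixed. Add a one-line comment naming the path that triggers it so b/178988508 can be closed by fixing that node's ownership rather than by a permanent dontaudit, e.g. `# Triggered by <node>; fix ownership in init.rc/ueventd.rc and remove.`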
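Review bot: The nine `dontaudit shell ...:service_manager { find };` rules in `tracking_denials/shell.te` hide lookups by the adb shell domain of privileged services — `installd_service`, `vold_service`, `netd_service`, `gatekeeper_service` and `dnsresolver_service` among them. A dontaudit grants nothing, so this is not a privilege change, but it does remove the audit trail for the one domain an attacker with adb access lands in probing exactly the services one would want to see probed. The comment cites only a bug number; record what legitimately triggers these finds (presumably `service list` / `dumpsys` style enumeration — confirm) so a later reviewer can tell whether the rules are still needed, e.g. `# shell enumerates services via 'service list'; the finds stay denied, only the audit is suppressed.`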
diff --git a/sepolicy/vendor/google/hal_dumpstate_impl.te b/sepolicy/vendor/google/hal_dumpstate_impl.te
new file mode 100644
index 0000000..83d1673
--- /dev/null
+++ b/sepolicy/vendor/google/hal_dumpstate_impl.te
@@ -0,0 +1,3 @@
+# Access to WLC firmware info
+allow hal_dumpstate_impl sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_impl sysfs_wlc:file r_file_perms;
diff --git a/sepolicy/vendor/google/hal_health_default.te b/sepolicy/vendor/google/hal_health_default.te
new file mode 100644
index 0000000..1bf05c1
--- /dev/null
+++ b/sepolicy/vendor/google/hal_health_default.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_health_default, sysfs_wlc)
+allow hal_health_default sysfs_wlc:dir r_dir_perms;
diff --git a/sepolicy/vendor/google/hal_usb_gadget_impl.te b/sepolicy/vendor/google/hal_usb_gadget_impl.te
new file mode 100644
index 0000000..ddd90c2
--- /dev/null
+++ b/sepolicy/vendor/google/hal_usb_gadget_impl.te
@@ -0,0 +1,14 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_prop)
+
+allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_gadget_impl sysfs_extcon:dir search;
diff --git a/sepolicy/vendor/google/pixelstats_vendor.te b/sepolicy/vendor/google/pixelstats_vendor.te
new file mode 100644
index 0000000..0b0e6ed
--- /dev/null
+++ b/sepolicy/vendor/google/pixelstats_vendor.te
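Review bot: In `vendor/google/hal_health_default.te`, `allow hal_health_default sysfs_wlc:dir r_dir_perms;` is already granted by the `r_dir_file(hal_health_default, sysfs_wlc)` macro on the line above, which expands to `r_dir_perms` on `dir` plus `r_file_perms` on `file`. The explicit line is harmless — the policy compiler merges duplicate rules — but it reads as if it adds something, so drop it and keep the macro alone. The same pattern recurs in the `wireless_charger/hal_dumpstate_default.te` and `wireless_charger/hal_health_default.te` hunks later in this commit, where a bare `dir search` sits next to, or on top of, an `r_dir_perms` grant.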
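Review bot: `hal_usb_gadget_impl` is declared a server for both `hal_usb` and `hal_usb_gadget` via two `hal_server_domain` lines, yet `file_contexts` in this commit labels a separate `android.hardware.usb-service.redfin` binary as `hal_usb_impl_exec`; if the gadget binary does not itself register the IUsb service, the `hal_usb` server attribute is excess privilege and `hal_server_domain(hal_usb_gadget_impl, hal_usb)` should go. Separately, `allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;` lets the gadget HAL write every node carrying the `sysfs_batteryinfo` label, i.e. all power_supply attributes and not just the USB-related ones. If only a specific attribute is written, give that node its own genfscon label and scope the write to it, and add a comment naming the attribute and why a USB gadget HAL must write it, e.g. `# writes <attribute> to <reason>; reads the rest.`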
@@ -0,0 +1,22 @@
+r_dir_file(pixelstats_vendor, sysfs_pixelstats)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+allow pixelstats_vendor hal_pixelstats_hwservice:hwservice_manager find;
+
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, statsd)
+
+binder_use(pixelstats_vendor)
+allow pixelstats_vendor fwk_stats_service:service_manager find;
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+
+# OrientationCollector
+# HIDL sensorservice
+allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+# AIDL sensorservice
+allow pixelstats_vendor fwk_sensor_service:service_manager find;
+binder_call(pixelstats_vendor, system_server)
diff --git a/sepolicy/vendor/google/shell.te b/sepolicy/vendor/google/shell.te
new file mode 100644
index 0000000..cd4fb18
--- /dev/null
+++ b/sepolicy/vendor/google/shell.te
@@ -0,0 +1,2 @@
+# wlc
+dontaudit shell sysfs_wlc:dir search;
diff --git a/sepolicy/vendor/google/system_server.te b/sepolicy/vendor/google/system_server.te
new file mode 100644
index 0000000..2adcf05
--- /dev/null
+++ b/sepolicy/vendor/google/system_server.te
@@ -0,0 +1,2 @@
+# pixelstats_vendor/OrientationCollector
+binder_call(system_server, pixelstats_vendor)
diff --git a/sepolicy/wireless_charger/file_contexts b/sepolicy/wireless_charger/file_contexts
new file mode 100644
index 0000000..004c7a1
--- /dev/null
+++ b/sepolicy/wireless_charger/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.wireless_charger-default u:object_r:hal_wireless_charger_exec:s0
diff --git a/sepolicy/wireless_charger/hal_dumpstate_default.te b/sepolicy/wireless_charger/hal_dumpstate_default.te
new file mode 100644
index 0000000..748345c
--- /dev/null
+++ b/sepolicy/wireless_charger/hal_dumpstate_default.te
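Review bot: `allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;` grants a statistics collector write access to the SCSI/UFS device sysfs nodes with no comment saying what is written; a collector that only reads counters needs `r_file_perms`. Either narrow it to `allow pixelstats_vendor sysfs_scsi_devices_0000:file r_file_perms;` or add a comment naming the node and the reason for the write (some UFS health attributes need a selector written first, presumably — confirm against the daemon). The hunk also pairs `binder_call(pixelstats_vendor, system_server)` with the reverse rule in `system_server.te`, a direct vendor↔system_server binder path that Treble discourages; the existing `# OrientationCollector` comment should say that this is the sensor-service callback path (`fwk_sensor_service` per the surrounding lines) so the exception is justified on its face.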
@@ -0,0 +1,3 @@
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
diff --git a/sepolicy/wireless_charger/hal_googlebattery.te b/sepolicy/wireless_charger/hal_googlebattery.te
new file mode 100644
index 0000000..6fda60f
--- /dev/null
+++ b/sepolicy/wireless_charger/hal_googlebattery.te
@@ -0,0 +1,2 @@
+r_dir_file(hal_googlebattery, sysfs_wlc)
+allow hal_googlebattery sysfs_wlc:file rw_file_perms;
diff --git a/sepolicy/wireless_charger/hal_health_default.te b/sepolicy/wireless_charger/hal_health_default.te
new file mode 100644
index 0000000..51ef352
--- /dev/null
+++ b/sepolicy/wireless_charger/hal_health_default.te
@@ -0,0 +1 @@
+allow hal_health_default sysfs_wlc:dir search;
diff --git a/sepolicy/wireless_charger/hal_sensors_default.te b/sepolicy/wireless_charger/hal_sensors_default.te
new file mode 100644
index 0000000..ed0efd0
--- /dev/null
+++ b/sepolicy/wireless_charger/hal_sensors_default.te
@@ -0,0 +1 @@
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/sepolicy/wireless_charger/hal_wireless_charger.te b/sepolicy/wireless_charger/hal_wireless_charger.te
new file mode 100644
index 0000000..75021d7
--- /dev/null
+++ b/sepolicy/wireless_charger/hal_wireless_charger.te
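Review bot: In `wireless_charger/hal_dumpstate_default.te`, `allow hal_dumpstate_default sysfs_wlc:dir search;` is a strict subset of the `r_dir_perms` granted on the very next line (`r_dir_perms` includes `search`), so the first line adds nothing and the three lines collapse to the `r_dir_file(hal_dumpstate_default, sysfs_wlc)` macro this commit already uses elsewhere. Note too that `vendor/google/hal_dumpstate_impl.te` grants the same access to a different domain, `hal_dumpstate_impl`, and `file_contexts` labels the device's dumpstate binary `hal_dumpstate_impl_exec`; confirm `hal_dumpstate_default` is still a live domain on this device, otherwise this file is dead policy and should say so or be dropped.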
@@ -0,0 +1,20 @@
+
+init_daemon_domain(hal_wireless_charger)
+
+r_dir_file(hal_wireless_charger, sysfs_batteryinfo)
+r_dir_file(hal_wireless_charger, sysfs_wlc)
+
+allow hal_wireless_charger sysfs_batteryinfo:file rw_file_perms;
+allow hal_wireless_charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_wireless_charger sysfs_wlc:file rw_file_perms;
+
+
+binder_call(hal_wireless_charger, servicemanager)
+add_service(hal_wireless_charger, hal_wireless_charger_service)
+
+userdebug_or_eng(`
+ domain_auto_trans(shell, hal_wireless_charger_exec, hal_wireless_charger)
+')
+
+binder_call(hal_wireless_charger, platform_app)
+binder_call(hal_wireless_charger, system_app)
diff --git a/sepolicy/wireless_charger/pixelstats_vendor.te b/sepolicy/wireless_charger/pixelstats_vendor.te
new file mode 100644
index 0000000..cc2bd92
--- /dev/null
+++ b/sepolicy/wireless_charger/pixelstats_vendor.te
@@ -0,0 +1,3 @@
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
diff --git a/sepolicy/wireless_charger/service_contexts b/sepolicy/wireless_charger/service_contexts
new file mode 100644
index 0000000..5813e35
--- /dev/null
+++ b/sepolicy/wireless_charger/service_contexts
@@ -0,0 +1 @@
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
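Review bot: `hal_wireless_charger.te` adds `binder_call(hal_wireless_charger, platform_app)` and `binder_call(hal_wireless_charger, system_app)` but no rule letting either app domain `find` `hal_wireless_charger_service`, and neither the `hal_wireless_charger` domain nor the `hal_wireless_charger_service` type is declared anywhere in this commit; presumably both live in a shared Pixel policy directory, and a header comment saying so would make the file readable on its own. The `userdebug_or_eng` block that lets `shell` auto-transition into `hal_wireless_charger` is correctly gated, but it is the one rule here that widens what an adb user can do and deserves a comment such as `# Lets engineers launch the HAL from adb shell during bring-up; excluded from user builds.` Finally, `allow hal_wireless_charger sysfs_batteryinfo:file rw_file_perms;` and the matching `sysfs_wlc` line give write access to every node under those labels; if the HAL writes only a few attributes, name them in a comment so the grant can be narrowed to a dedicated label later.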
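Review bot: `allow pixelstats_vendor sysfs_wlc:file rw_file_perms;` in `wireless_charger/pixelstats_vendor.te` gives the statistics daemon write access to the wireless-charger sysfs nodes under a comment that says only `# Wireless charge`; a collector that reads charger state needs `r_file_perms`. Narrow it to `allow pixelstats_vendor sysfs_wlc:file r_file_perms;`, or extend the comment to name the attribute written and why the stats path must write it.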