diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 0000000..5232bc3
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+
diff --git a/sepolicy/felix-sepolicy.mk b/sepolicy/felix-sepolicy.mk
new file mode 100644
index 0000000..9e88a7d
--- /dev/null
+++ b/sepolicy/felix-sepolicy.mk
@@ -0,0 +1,6 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/felix-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/felix-sepolicy/tracking_denials
+
+# Fingerprint
+BOARD_SEPOLICY_DIRS += device/google/felix-sepolicy/fingerprint_capacitance
diff --git a/sepolicy/fingerprint_capacitance/file.te b/sepolicy/fingerprint_capacitance/file.te
new file mode 100644
index 0000000..0218b46
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/file.te
@@ -0,0 +1 @@
+type sysfs_fingerprint, sysfs_type, fs_type;
diff --git a/sepolicy/fingerprint_capacitance/file_contexts b/sepolicy/fingerprint_capacitance/file_contexts
new file mode 100644
index 0000000..aa6d801
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0
diff --git a/sepolicy/fingerprint_capacitance/genfs_contexts b/sepolicy/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te b/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..e12e3d9
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te
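Review bot: The header comment `# sepolicy that are shared among devices using whitechapel` in felix-sepolicy.mk does not match what the file lists: all three BOARD_SEPOLICY_DIRS entries are felix directories, and sepolicy/vendor/README.txt in this same change describes that folder as policy held "exclusively for one device". I would replace it with `# Felix device sepolicy (vendor/, tracking_denials/, fingerprint_capacitance/)`, or name the shared whitechapel policy if it is really meant to be listed here. Separately, the entries point at device/google/felix-sepolicy/<dir> while every file in this change is added under sepolicy/<dir>; unless this tree is checked out with the sepolicy/ prefix stripped, those entries will not resolve to the directories being added, so the checkout path is worth confirming before this lands.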
@@ -0,0 +1,35 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+allow hal_fingerprint_capacitance sysfs_leds:dir search;
+allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access input_device
+allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+hwbinder_use(hal_fingerprint_capacitance)
+add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find;
diff --git a/sepolicy/fingerprint_capacitance/hwservice.te b/sepolicy/fingerprint_capacitance/hwservice.te
new file mode 100644
index 0000000..68c51ab
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/hwservice.te
@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
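Review bot: The two rules under `# allow fingerprint to access input_device` grant this domain read/write on every character device carrying the shared input_device label (in AOSP policy that is the /dev/input nodes), not only the node the fingerprint sensor exposes, and the comment does not say which node is opened or why write access is required. That is wider than a sensor daemon needs: a dedicated type assigned in file_contexts would scope the grant to the sensor's own node if its path is stable, and if the write side exists only for a particular ioctl, `r_file_perms` plus that ioctl would be narrower than `rw_file_perms`. At minimum the comment should record the justification, e.g. `# sensor exposes an input event node; write needed for <reason — fill in>` (placeholder). The same question applies to `allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;`, where it is not obvious from this file why a fingerprint HAL writes LED controls.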
diff --git a/sepolicy/fingerprint_capacitance/hwservice_contexts b/sepolicy/fingerprint_capacitance/hwservice_contexts
new file mode 100644
index 0000000..ed09300
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/hwservice_contexts
@@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
diff --git a/sepolicy/fingerprint_capacitance/servicemanager.te b/sepolicy/fingerprint_capacitance/servicemanager.te
new file mode 100644
index 0000000..6e1afe9
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_fingerprint_capacitance)
diff --git a/sepolicy/fingerprint_capacitance/system_app.te b/sepolicy/fingerprint_capacitance/system_app.te
new file mode 100644
index 0000000..f583431
--- /dev/null
+++ b/sepolicy/fingerprint_capacitance/system_app.te
@@ -0,0 +1,3 @@
+# TODO (b/264266705) Remove this and make it specific to the app
+# allow SystemUIGoogle to access fingerprint hal
+hal_client_domain(system_app, hal_fingerprint)
diff --git a/sepolicy/tracking_denials/README.txt b/sepolicy/tracking_denials/README.txt
new file mode 100644
index 0000000..6cfc62d
--- /dev/null
+++ b/sepolicy/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map
new file mode 100644
index 0000000..ff25510
--- /dev/null
+++ b/sepolicy/tracking_denials/bug_map
@@ -0,0 +1,2 @@
+kernel vendor_votable_debugfs dir b/305600372
+system_server sysfs_batteryinfo file b/306344097
diff --git a/sepolicy/vendor/README.txt b/sepolicy/vendor/README.txt
new file mode 100644
index 0000000..67a320f
--- /dev/null
+++ b/sepolicy/vendor/README.txt
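Review bot: Both hwservices labelled in hwservice_contexts, `com.fingerprints42.extension::IFingerprintEngineering` and `::IFingerprintSensorTest`, are by name engineering and test interfaces, and nothing in this change limits their registration to debuggable builds. No client domain in this change is granted `find` on hal_fingerprint_capacitance_ext_hwservice, so they are not reachable yet; but when the first client rule is added it should be wrapped in `userdebug_or_eng(...)` unless these interfaces are needed on user builds, and the `add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)` line in hal_fingerprint_capacitance.te could be wrapped the same way so production policy never exposes them. A one-line comment above the two context entries stating which builds are expected to use them would make that intent explicit.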
@@ -0,0 +1,2 @@
+This folder holds sepolicy exclusively for one device. For example, genfs_contexts
+paths that are affected by device tree.
diff --git a/sepolicy/vendor/cccdk_timesync_app.te b/sepolicy/vendor/cccdk_timesync_app.te
new file mode 100644
index 0000000..1a4264d
--- /dev/null
+++ b/sepolicy/vendor/cccdk_timesync_app.te
@@ -0,0 +1 @@
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..1a969b6
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1 @@
+type vibrator_device, dev_type;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..6e3395b
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,3 @@
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..70a3ff2
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
@@ -0,0 +1,26 @@
+# Devices
+/dev/lwis-act-nessie u:object_r:lwis_device:s0
+/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-medusa u:object_r:lwis_device:s0
+/dev/lwis-ois-nessie u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi-tele u:object_r:lwis_device:s0
+/dev/lwis-sensor-medusa u:object_r:lwis_device:s0
+/dev/lwis-sensor-oksoko u:object_r:lwis_device:s0
+
+# Bluetooth
+/dev/ttySAC18 u:object_r:hci_attach_dev:s0
+/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty18 u:object_r:logbuffer_device:s0
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
+
+# Haptics
+/vendor/bin/hw/android\.hardware\.vibrator-service\.cs40l26-private u:object_r:hal_vibrator_default_exec:s0
+/dev/gpiochip44 u:object_r:vibrator_device:s0
+
+# Logbuffer
+/dev/logbuffer_dual_batt u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_secondary u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_secondary_monitor u:object_r:logbuffer_device:s0
+
+# Touch
+/dev/touch_offload_fts_ext u:object_r:touch_offload_device:s0
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..a3f01c8
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
@@ -0,0 +1,37 @@
+
+# BMS
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+
+genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply u:object_r:sysfs_batteryinfo:s0
+# maxfg_base
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+# maxfg_secondary
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/osc2_clk_khz u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c241000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight/panel1-backlight/als_table u:object_r:sysfs_write_leds:s0
+
+# Haptics
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0042 u:object_r:sysfs_vibrator:s0
+
+# Power System Suspend
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-13/13-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0036/power_supply/maxfg_flip/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0036/power_supply/maxfg_secondary/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-15/15-0061/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dual_batt_gauge/power_supply/dualbatt/wakeup u:object_r:sysfs_wakeup:s0
diff --git a/sepolicy/vendor/grilservice_app.te b/sepolicy/vendor/grilservice_app.te
new file mode 100644
index 0000000..ad0a779
--- /dev/null
+++ b/sepolicy/vendor/grilservice_app.te
@@ -0,0 +1 @@
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
diff --git a/sepolicy/vendor/hal_bluetooth_btlinux.te b/sepolicy/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..851dc89
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1,3 @@
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+
diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..7858155
--- /dev/null
+++ b/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1,3 @@
+# For gpio dev node
+vndbinder_use(hal_vibrator_default);
+allow hal_vibrator_default vibrator_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts
new file mode 100644
index 0000000..3a83109
--- /dev/null
+++ b/sepolicy/vendor/service_contexts
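Review bot: In hal_vibrator_default.te the comment `# For gpio dev node` sits above `vndbinder_use(hal_vibrator_default);`, which has nothing to do with a GPIO node; it describes the `allow hal_vibrator_default vibrator_device:chr_file rw_file_perms;` line beneath it. Move the comment onto the allow rule and give vndbinder_use its own, e.g. `# vndbinder client of <service — fill in>` (placeholder), since this change does not show which vendor service the HAL talks to. The comment on the allow rule should also say that vibrator_device labels /dev/gpiochip44 (vendor/file_contexts in this change), because a gpiochip node exposes every line on that controller rather than only the haptics GPIO, and a reader of the .te file alone cannot see how wide the grant is.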
@@ -0,0 +1 @@
+com.google.hardware.pixel.display.IDisplay/secondary u:object_r:hal_pixel_display_service:s0