diff --git a/BoardConfig-common.mk b/BoardConfig-common.mk index 52f51b52..ab067c12 100644 --- a/BoardConfig-common.mk +++ b/BoardConfig-common.mk @@ -208,7 +208,26 @@ $(error vendor_dlkm.modules.load not found or empty) endif BOARD_VENDOR_KERNEL_MODULES += $(KERNEL_MODULES) -include device/google/gs101/sepolicy/gs101-sepolicy.mk +# SEPolicy +BOARD_VENDOR_SEPOLICY_DIRS += \ + hardware/google/pixel-sepolicy/googlebattery \ + hardware/google/pixel-sepolicy/input \ + hardware/google/pixel-sepolicy/powerstats \ + device/google/gs101/sepolicy/certificates \ + device/google/gs101/sepolicy/recovery \ + device/google/gs101/sepolicy/vendor + +PRODUCT_PRIVATE_SEPOLICY_DIRS += \ + device/google/gs101/sepolicy/product/private + +PRODUCT_PUBLIC_SEPOLICY_DIRS += \ + device/google/gs101/sepolicy/product/public + +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \ + device/google/gs101/sepolicy/system_ext/private + +SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \ + device/google/gs101/sepolicy/system_ext/public # Battery options BOARD_KERNEL_CMDLINE += at24.write_timeout=100 diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS deleted file mode 100644 index 5232bc31..00000000 --- a/sepolicy/OWNERS +++ /dev/null @@ -1,4 +0,0 @@ -include device/google/gs-common:/sepolicy/OWNERS - -adamshih@google.com - diff --git a/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem b/sepolicy/certificates/certs/EuiccSupportPixel.x509.pem similarity index 100% rename from sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem rename to sepolicy/certificates/certs/EuiccSupportPixel.x509.pem diff --git a/sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem b/sepolicy/certificates/certs/com_google_android_apps_camera_services.x509.pem similarity index 100% rename from sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem rename to sepolicy/certificates/certs/com_google_android_apps_camera_services.x509.pem 
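Review bot: The new directory list in BoardConfig-common.mk names no `device/google/gs-common/*/sepolicy` directory and no `tracking_denials`, `health`, `modem/user`, `telephony/user` or `trusty_metricsd` directory, all of which the deleted gs101-sepolicy.mk added. Part of that policy is visibly re-homed by this commit (gs_watchdogd, the camera service apps), but whether every domain's rules landed under `sepolicy/vendor` cannot be checked from the hunks shown here, and a missing rule would surface only as runtime denials. A comment above the list such as `# gs-common and pixel-sepolicy rules are carried in-tree under sepolicy/{vendor,product,system_ext}` would record the intent, and a denial sweep on a userdebug build would confirm that nothing was dropped.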
diff --git a/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem b/sepolicy/certificates/certs/com_google_mds.x509.pem similarity index 100% rename from sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem rename to sepolicy/certificates/certs/com_google_mds.x509.pem diff --git a/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem b/sepolicy/certificates/certs/com_qorvo_uwb.x509.pem similarity index 100% rename from sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem rename to sepolicy/certificates/certs/com_qorvo_uwb.x509.pem diff --git a/sepolicy/certificates/keys.conf b/sepolicy/certificates/keys.conf new file mode 100644 index 00000000..24510901 --- /dev/null +++ b/sepolicy/certificates/keys.conf @@ -0,0 +1,11 @@ +[@CAMERASERVICES] +ALL : device/google/gs101/sepolicy/certificates/certs/com_google_android_apps_camera_services.x509.pem + +[@MDS] +ALL : device/google/gs101/sepolicy/certificates/certs/com_google_mds.x509.pem + +[@UWB] +ALL : device/google/gs101/sepolicy/certificates/certs/com_qorvo_uwb.x509.pem + +[@EUICCSUPPORTPIXEL] +ALL : device/google/gs101/sepolicy/certificates/certs/EuiccSupportPixel.x509.pem diff --git a/sepolicy/whitechapel/vendor/google/mac_permissions.xml b/sepolicy/certificates/mac_permissions.xml similarity index 97% rename from sepolicy/whitechapel/vendor/google/mac_permissions.xml rename to sepolicy/certificates/mac_permissions.xml index b51e565e..1ab84939 100644 --- a/sepolicy/whitechapel/vendor/google/mac_permissions.xml +++ b/sepolicy/certificates/mac_permissions.xml @@ -1,8 +1,6 @@ - + + + @@ -30,7 +31,4 @@ - - - diff --git a/sepolicy/confirmationui/device.te b/sepolicy/confirmationui/device.te deleted file mode 100644 index 54fe349f..00000000 --- a/sepolicy/confirmationui/device.te +++ /dev/null @@ -1 +0,0 @@ -type tui_device, dev_type; diff --git a/sepolicy/confirmationui/file_contexts b/sepolicy/confirmationui/file_contexts deleted file mode 100644 index 377857d0..00000000 
--- a/sepolicy/confirmationui/file_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-/vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0
-/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
-
-/dev/tui-driver u:object_r:tui_device:s0
diff --git a/sepolicy/confirmationui/hal_confirmationui.te b/sepolicy/confirmationui/hal_confirmationui.te
deleted file mode 100644
index a8f4ae8c..00000000
--- a/sepolicy/confirmationui/hal_confirmationui.te
+++ /dev/null
@@ -1,13 +0,0 @@
-allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
-
-binder_call(hal_confirmationui_default, keystore)
-
-vndbinder_use(hal_confirmationui_default)
-binder_call(hal_confirmationui_default, citadeld)
-allow hal_confirmationui_default citadeld_service:service_manager find;
-
-allow hal_confirmationui_default input_device:chr_file rw_file_perms;
-allow hal_confirmationui_default input_device:dir r_dir_perms;
-
-allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_confirmationui_default ion_device:chr_file r_file_perms;
diff --git a/sepolicy/confirmationui/securedpud.slider.te b/sepolicy/confirmationui/securedpud.slider.te
deleted file mode 100644
index e0d272f1..00000000
--- a/sepolicy/confirmationui/securedpud.slider.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type securedpud_slider, domain;
-type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(securedpud_slider)
-
-wakelock_use(securedpud_slider)
-
-allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
-allow securedpud_slider ion_device:chr_file r_file_perms;
-allow securedpud_slider tee_device:chr_file rw_file_perms;
-allow securedpud_slider tui_device:chr_file rw_file_perms;
diff --git a/sepolicy/display/common/file.te b/sepolicy/display/common/file.te
deleted file mode 100644
index 3734e33c..00000000
--- a/sepolicy/display/common/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type persist_display_file, file_type, vendor_persist_type;
diff --git a/sepolicy/display/common/file_contexts b/sepolicy/display/common/file_contexts
deleted file mode 100644
index bca77466..00000000
--- a/sepolicy/display/common/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/sepolicy/display/gs101/genfs_contexts b/sepolicy/display/gs101/genfs_contexts
deleted file mode 100644
index 6144af66..00000000
--- a/sepolicy/display/gs101/genfs_contexts
+++ /dev/null
@@ -1,20 +0,0 @@
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state u:object_r:sysfs_display:s0
-genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_state u:object_r:sysfs_display:s0
-genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0
-
-genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
diff --git a/sepolicy/gs101-sepolicy.mk b/sepolicy/gs101-sepolicy.mk
deleted file mode 100644
index a56e010a..00000000
--- a/sepolicy/gs101-sepolicy.mk
+++ /dev/null
@@ -1,94 +0,0 @@ -# ConnectivityThermalPowerManager -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/connectivity_thermal_power_manager - -# twoshay -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/input - -# google_battery service -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/googlebattery - -# sepolicy that are shared among devices using whitechapel -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/whitechapel/vendor/google - -# unresolved SELinux error log with bug tracking -BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/tracking_denials - -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101/sepolicy/private - -# Display -BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/display/common -BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/display/gs101 - -# system_ext -SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101/sepolicy/system_ext/public -SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101/sepolicy/system_ext/private - -# -# Pixel-wide -# -# PowerStats HAL -BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats - -# Public -PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101/sepolicy/public - -# Health HAL -BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/health - -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/modem/user -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/telephony/user/ -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/trusty_metricsd - -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hidl -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/vendor -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/dump/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bootctrl/sepolicy/aidl -BOARD_VENDOR_SEPOLICY_DIRS += 
device/google/gs-common/camera/sepolicy/vendor -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/dauntless/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/display/sepolicy/exynos -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/edgetpu/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/fingerprint/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gear/dumpstate/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/brcm/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/dump/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/misc_writer -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/dump_modemlog/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/experiments/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_metrics/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_ril/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/radio/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/sensors/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/soc/sepolicy/freq -BOARD_VENDOR_SEPOLICY_DIRS += 
device/google/gs-common/soc/sepolicy/soc -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy/tracking_denials -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/telephony/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/dump -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/thermal_hal -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy -BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/trusty/sepolicy - -PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private - -PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public -PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private - -SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/private -SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/public - -SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gs_watchdogd/sepolicy - -SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext \ No newline at end of file diff --git a/sepolicy/health/file_contexts b/sepolicy/health/file_contexts deleted file mode 100644 index 55321741..00000000 --- a/sepolicy/health/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0 diff --git a/sepolicy/modem/user/file.te b/sepolicy/modem/user/file.te deleted file mode 100644 index e2beb8bc..00000000 --- a/sepolicy/modem/user/file.te +++ /dev/null @@ -1 +0,0 @@ -type vendor_slog_file, file_type, data_file_type, mlstrustedobject; 
diff --git a/sepolicy/modem/user/file_contexts b/sepolicy/modem/user/file_contexts
deleted file mode 100644
index ff1482bc..00000000
--- a/sepolicy/modem/user/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/vendor/bin/dmd u:object_r:dmd_exec:s0
diff --git a/sepolicy/modem/user/property.te b/sepolicy/modem/user/property.te
deleted file mode 100644
index 353b1c8a..00000000
--- a/sepolicy/modem/user/property.te
+++ /dev/null
@@ -1,3 +0,0 @@
-vendor_internal_prop(vendor_diag_prop)
-vendor_internal_prop(vendor_slog_prop)
-vendor_internal_prop(vendor_modem_prop)
diff --git a/sepolicy/modem/user/property_contexts b/sepolicy/modem/user/property_contexts
deleted file mode 100644
index 0be942b8..00000000
--- a/sepolicy/modem/user/property_contexts
+++ /dev/null
@@ -1,14 +0,0 @@
-# for dmd
-persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
-persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
-vendor.sys.diag. u:object_r:vendor_diag_prop:s0
-
-# for modem
-persist.vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
-persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
-
diff --git a/sepolicy/modem/userdebug/file_contexts b/sepolicy/modem/userdebug/file_contexts
deleted file mode 100644
index 20b74c64..00000000
--- a/sepolicy/modem/userdebug/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/vcd u:object_r:vcd_exec:s0
diff --git a/sepolicy/modem/userdebug/vcd.te b/sepolicy/modem/userdebug/vcd.te
deleted file mode 100644
index c4af485f..00000000
--- a/sepolicy/modem/userdebug/vcd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type vcd, domain;
-type vcd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(vcd)
-
-get_prop(vcd, vendor_rild_prop);
-get_prop(vcd, vendor_persist_config_default_prop);
-
-allow vcd serial_device:chr_file rw_file_perms;
-allow vcd radio_device:chr_file rw_file_perms;
-allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-allow vcd node:tcp_socket node_bind;
diff --git a/sepolicy/private/gmscore_app.te b/sepolicy/private/gmscore_app.te
deleted file mode 100644
index e52eb551..00000000
--- a/sepolicy/private/gmscore_app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/177389198
-dontaudit gmscore_app adbd_prop:file *;
-dontaudit gmscore_app proc_vendor_sched:file write;
diff --git a/sepolicy/private/hal_dumpstate_default.te b/sepolicy/private/hal_dumpstate_default.te
deleted file mode 100644
index 83c75689..00000000
--- a/sepolicy/private/hal_dumpstate_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/176868217
-dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/sepolicy/private/incidentd.te b/sepolicy/private/incidentd.te
deleted file mode 100644
index 1557f065..00000000
--- a/sepolicy/private/incidentd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# b/174961589
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file map ;
-dontaudit incidentd apexd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file map ;
diff --git a/sepolicy/private/lpdumpd.te b/sepolicy/private/lpdumpd.te
deleted file mode 100644
index 86a101c5..00000000
--- a/sepolicy/private/lpdumpd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/177176997
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file read ;
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
deleted file mode 100644
index c77a18da..00000000
--- a/sepolicy/private/priv_app.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# b/178433525
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app proc_vendor_sched:file write;
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
deleted file mode 100644
index 8877518a..00000000
--- a/sepolicy/private/service_contexts
+++ /dev/null
@@ -1 +0,0 @@
-telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/sepolicy/private/untrusted_app_25.te b/sepolicy/private/untrusted_app_25.te
deleted file mode 100644
index f26e0815..00000000
--- a/sepolicy/private/untrusted_app_25.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/177389321
-dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/sepolicy/private/wait_for_keymaster.te b/sepolicy/private/wait_for_keymaster.te
deleted file mode 100644
index 0e29999c..00000000
--- a/sepolicy/private/wait_for_keymaster.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/188114822
-dontaudit wait_for_keymaster servicemanager:binder transfer;
diff --git a/sepolicy/product/private/pbcs_app.te b/sepolicy/product/private/pbcs_app.te
new file mode 100644
index 00000000..89e99aa7
--- /dev/null
+++ b/sepolicy/product/private/pbcs_app.te
@@ -0,0 +1,12 @@
+typeattribute vendor_pbcs_app coredomain;
+
+add_service(vendor_pbcs_app, camera_binder_service)
+add_service(vendor_pbcs_app, camera_cameraidremapper_service)
+add_service(vendor_pbcs_app, camera_lyricconfigprovider_service)
+
+app_domain(vendor_pbcs_app)
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+allow vendor_pbcs_app cameraserver_service:service_manager find;
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
diff --git a/sepolicy/product/private/pcs_app.te b/sepolicy/product/private/pcs_app.te
new file mode 100644
index 00000000..2a064ba7
--- /dev/null
+++ b/sepolicy/product/private/pcs_app.te
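Review bot: The last rule of the new pbcs_app.te, `dontaudit vendor_pbcs_app system_app_data_file:dir *;`, silences every permission of the `dir` class on that type, so a later denial that matters would leave no audit record. Listing only the permissions seen in the logged denials, for example `dontaudit vendor_pbcs_app system_app_data_file:dir { getattr search };` (that set is an assumption; take it from the actual log), keeps the suppression narrow. A comment with the tracking bug above the rule, in the style of the `# b/...` lines in the deleted `private/*.te` files, would let the suppression be revisited.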
@@ -0,0 +1,31 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app)
+
+bluetooth_domain(vendor_pcs_app)
+
+net_domain(vendor_pcs_app)
+
+r_dir_file(vendor_pcs_app, preloads_data_file)
+r_dir_file(vendor_pcs_app, preloads_media_file)
+
+allow vendor_pcs_app app_api_service:service_manager find;
+allow vendor_pcs_app audioserver_service:service_manager find;
+allow vendor_pcs_app cache_file:dir create_dir_perms;
+allow vendor_pcs_app cache_file:file create_file_perms;
+allow vendor_pcs_app cache_file:lnk_file r_file_perms;
+allow vendor_pcs_app cache_recovery_file:dir create_dir_perms;
+allow vendor_pcs_app cache_recovery_file:file create_file_perms;
+allow vendor_pcs_app camera_cameraidremapper_service:service_manager find;
+allow vendor_pcs_app camera_lyricconfigprovider_service:service_manager find;
+allow vendor_pcs_app cameraserver_service:service_manager find;
+allow vendor_pcs_app drmserver_service:service_manager find;
+allow vendor_pcs_app media_rw_data_file:dir create_dir_perms;
+allow vendor_pcs_app media_rw_data_file:file create_file_perms;
+allow vendor_pcs_app mediametrics_service:service_manager find;
+allow vendor_pcs_app mediaserver_service:service_manager find;
+allow vendor_pcs_app nfc_service:service_manager find;
+allow vendor_pcs_app radio_service:service_manager find;
+
+dontaudit vendor_pcs_app device:dir read;
+dontaudit vendor_pcs_app usb_device:dir { open read search };
diff --git a/sepolicy/private/permissioncontroller_app.te b/sepolicy/product/private/permissioncontroller_app.te
similarity index 99%
rename from sepolicy/private/permissioncontroller_app.te
rename to sepolicy/product/private/permissioncontroller_app.te
index 4619571c..c5feec95 100644
--- a/sepolicy/private/permissioncontroller_app.te
+++ b/sepolicy/product/private/permissioncontroller_app.te
@@ -1,3 +1,2 @@
 allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
 allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
-
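Review bot: pcs_app.te gives `vendor_pcs_app` `create_dir_perms` and `create_file_perms` on `cache_recovery_file` with no comment on why a camera services app needs them; in AOSP that type labels recovery's working directory under /cache, and the same domain is also granted `net_domain`. If the app never stages anything for recovery, the two `cache_recovery_file` rules (and possibly the three `cache_file` ones) can go; otherwise a line such as `# <reason>, see <bug>` above them would document the grant. The two `dontaudit` rules at the end of the file likewise carry no bug reference.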
diff --git a/sepolicy/private/radio.te b/sepolicy/product/private/radio.te
similarity index 100%
rename from sepolicy/private/radio.te
rename to sepolicy/product/private/radio.te
diff --git a/sepolicy/product/private/seapp_contexts b/sepolicy/product/private/seapp_contexts
new file mode 100644
index 00000000..7a392cdf
--- /dev/null
+++ b/sepolicy/product/private/seapp_contexts
@@ -0,0 +1,4 @@
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services:* domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services domain=vendor_pbcs_app type=system_app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services:* domain=vendor_pbcs_app type=system_app_data_file levelFrom=all
diff --git a/sepolicy/product/private/service_contexts b/sepolicy/product/private/service_contexts
new file mode 100644
index 00000000..8cc27845
--- /dev/null
+++ b/sepolicy/product/private/service_contexts
@@ -0,0 +1,4 @@
+com.google.pixel.camera.services.binder.IServiceBinder/default u:object_r:camera_binder_service:s0
+com.google.pixel.camera.services.cameraidremapper.ICameraIdRemapper/default u:object_r:camera_cameraidremapper_service:s0
+com.google.pixel.camera.services.lyricconfigprovider.ILyricConfigProvider/default u:object_r:camera_lyricconfigprovider_service:s0
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/sepolicy/product/public/pbcs_app.te b/sepolicy/product/public/pbcs_app.te
new file mode 100644
index 00000000..71807192
--- /dev/null
+++ b/sepolicy/product/public/pbcs_app.te
@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;
diff --git a/sepolicy/product/public/pcs_app.te b/sepolicy/product/public/pcs_app.te
new file mode 100644
index 00000000..fb8b0a10
--- /dev/null
+++ b/sepolicy/product/public/pcs_app.te
@@ -0,0 +1 @@
+type vendor_pcs_app, domain;
diff --git a/sepolicy/product/public/service.te b/sepolicy/product/public/service.te
new file mode 100644
index 00000000..e5836b9c
--- /dev/null
+++ b/sepolicy/product/public/service.te
@@ -0,0 +1,3 @@
+type camera_binder_service, hal_service_type, protected_service, service_manager_type;
+type camera_cameraidremapper_service, hal_service_type, protected_service, service_manager_type;
+type camera_lyricconfigprovider_service, hal_service_type, protected_service, service_manager_type;
diff --git a/sepolicy/recovery/fastbootd.te b/sepolicy/recovery/fastbootd.te
new file mode 100644
index 00000000..490e2af0
--- /dev/null
+++ b/sepolicy/recovery/fastbootd.te
@@ -0,0 +1,8 @@
+recovery_only(`
+ allow fastbootd citadel_device:chr_file rw_file_perms;
+ allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
+ allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+ allow fastbootd sda_block_device:blk_file rw_file_perms;
+ allow fastbootd st54spi_device:chr_file rw_file_perms;
+ allow fastbootd sysfs_ota:file rw_file_perms;
+')
diff --git a/sepolicy/recovery/hal_bootctl_default.te b/sepolicy/recovery/hal_bootctl_default.te
new file mode 100644
index 00000000..cc85ae1b
--- /dev/null
+++ b/sepolicy/recovery/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+recovery_only(`
+ allow hal_bootctl_default rootfs:dir r_dir_perms;
+')
diff --git a/sepolicy/recovery/recovery.te b/sepolicy/recovery/recovery.te
new file mode 100644
index 00000000..7e1f4abe
--- /dev/null
+++ b/sepolicy/recovery/recovery.te
@@ -0,0 +1,7 @@
+recovery_only(`
+ allow recovery citadel_device:chr_file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+ allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+')
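Review bot: The new fastbootd.te grants `fastbootd` read-write access to `citadel_device`, `st54spi_device` and `sda_block_device` without a comment on why each is needed. The `recovery_only` wrapper confines the rules to the recovery image, but `sda_block_device` reads like a whole-disk node rather than a single partition (inferred from the name; its file_contexts entry is not on this page), so it is worth confirming that the narrower `custom_ab_block_device` and `devinfo_block_device` labels do not already cover what fastbootd writes. One comment per rule, in the form `# <what fastbootd does with this device>, <bug>`, would make the grants auditable; recovery.te in the same directory has the same gap for its `citadel_device` and `st54spi_device` rules.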
diff --git a/sepolicy/system_ext/private/bluetooth_gci.te b/sepolicy/system_ext/private/bluetooth_gci.te new file mode 100644 index 00000000..e0c6abf4 --- /dev/null +++ b/sepolicy/system_ext/private/bluetooth_gci.te @@ -0,0 +1,9 @@ +init_daemon_domain(bluetooth_gci) + +allow bluetooth_gci bluetooth_data_file:dir ra_dir_perms; +allow bluetooth_gci bluetooth_data_file:file create_file_perms; +allow bluetooth_gci fuse:dir r_dir_perms; +allow bluetooth_gci fuse:file r_file_perms; +allow bluetooth_gci media_rw_data_file:dir ra_dir_perms; +allow bluetooth_gci media_rw_data_file:file r_file_perms; +allow bluetooth_gci mnt_user_file:dir search; diff --git a/sepolicy/system_ext/private/con_monitor.te b/sepolicy/system_ext/private/con_monitor_app.te similarity index 99% rename from sepolicy/system_ext/private/con_monitor.te rename to sepolicy/system_ext/private/con_monitor_app.te index c68ec1f8..d0667d29 100644 --- a/sepolicy/system_ext/private/con_monitor.te +++ b/sepolicy/system_ext/private/con_monitor_app.te @@ -3,5 +3,6 @@ typeattribute con_monitor_app coredomain; app_domain(con_monitor_app) set_prop(con_monitor_app, radio_prop) + allow con_monitor_app app_api_service:service_manager find; allow con_monitor_app radio_service:service_manager find; diff --git a/sepolicy/system_ext/private/connectivity_thermal_power_manager.te b/sepolicy/system_ext/private/connectivity_thermal_power_manager.te new file mode 100644 index 00000000..be59c65c --- /dev/null +++ b/sepolicy/system_ext/private/connectivity_thermal_power_manager.te 
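Review bot: The new bluetooth_gci.te calls `init_daemon_domain(bluetooth_gci)` but the file, shown here in full, declares neither `bluetooth_gci` nor `bluetooth_gci_exec`, whereas gs_watchdogd.te in the same directory declares both of its types in place. If the declarations live in a file outside this page, a comment naming it would help; if they do not, add `type bluetooth_gci, coredomain, domain;` and `type bluetooth_gci_exec, exec_type, file_type, system_file_type;` at the top, mirroring gs_watchdogd.te. The daemon is also allowed to read `media_rw_data_file` and `fuse` content, which in AOSP is shared user storage, so a comment saying what it reads there is warranted.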
@@ -0,0 +1,9 @@
+type connectivity_thermal_power_manager, coredomain, domain, system_suspend_internal_server;
+
+app_domain(connectivity_thermal_power_manager)
+
+hal_client_domain(connectivity_thermal_power_manager, hal_power_stats)
+
+allow connectivity_thermal_power_manager app_api_service:service_manager find;
+allow connectivity_thermal_power_manager radio_service:service_manager find;
+allow connectivity_thermal_power_manager system_api_service:service_manager find;
diff --git a/sepolicy/system_ext/private/dcservice_app.te b/sepolicy/system_ext/private/dcservice_app.te
new file mode 100644
index 00000000..e0a9b974
--- /dev/null
+++ b/sepolicy/system_ext/private/dcservice_app.te
@@ -0,0 +1,16 @@
+typeattribute dcservice_app coredomain;
+
+app_domain(dcservice_app)
+
+get_prop(dcservice_app, bluetooth_lea_prop)
+
+net_domain(dcservice_app)
+
+set_prop(dcservice_app, ctl_start_prop)
+
+allow dcservice_app app_api_service:service_manager find;
+allow dcservice_app audioserver_service:service_manager find;
+allow dcservice_app nfc_service:service_manager find;
+allow dcservice_app privapp_data_file:file execute;
+allow dcservice_app privapp_data_file:lnk_file r_file_perms;
+allow dcservice_app radio_service:service_manager find;
diff --git a/sepolicy/system_ext/private/euicc_app.te b/sepolicy/system_ext/private/euicc_app.te
index 842f1ec7..87740951 100644
--- a/sepolicy/system_ext/private/euicc_app.te
+++ b/sepolicy/system_ext/private/euicc_app.te
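Review bot: Two grants in the new dcservice_app.te are much broader than the rest of the file and neither is explained: `allow dcservice_app privapp_data_file:file execute;` lets the domain run code from writable app data, and `set_prop(dcservice_app, ctl_start_prop)` lets it ask init to start any service whose control property has no more specific label. The domain also has `net_domain`, which raises the cost of both. If only one service has to be started, give that service's control property its own type and grant `set_prop` on that type instead; if `execute` exists for a bundled native library, say so with a comment like `# loads native code from app data, see <bug>` so the write-xor-execute exception is visible to the next reviewer.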
@@ -1,13 +1,16 @@ -type euicc_app, domain, coredomain; +type euicc_app, coredomain, domain; + app_domain(euicc_app) -net_domain(euicc_app) + bluetooth_domain(euicc_app) -allow euicc_app app_api_service:service_manager find; -allow euicc_app radio_service:service_manager find; -allow euicc_app cameraserver_service:service_manager find; - -get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, bootloader_prop) -get_prop(euicc_app, exported_default_prop) +get_prop(euicc_app, camera_config_prop) get_prop(euicc_app, esim_modem_prop) +get_prop(euicc_app, exported_default_prop) + +net_domain(euicc_app) + +allow euicc_app app_api_service:service_manager find; +allow euicc_app cameraserver_service:service_manager find; +allow euicc_app radio_service:service_manager find; diff --git a/sepolicy/system_ext/private/file.te b/sepolicy/system_ext/private/file.te new file mode 100644 index 00000000..1e338a24 --- /dev/null +++ b/sepolicy/system_ext/private/file.te @@ -0,0 +1 @@ +type repair_mode_metadata_config_file, file_type, mlstrustedobject; diff --git a/sepolicy/system_ext/private/file_contexts b/sepolicy/system_ext/private/file_contexts new file mode 100644 index 00000000..9b304684 --- /dev/null +++ b/sepolicy/system_ext/private/file_contexts @@ -0,0 +1,4 @@ +/dev/watchdog[0-9] u:object_r:watchdog_device:s0 +/metadata/repair-mode/config(/.*)? u:object_r:repair_mode_metadata_config_file:s0 +/system_ext/bin/bluetooth_gci u:object_r:bluetooth_gci_exec:s0 +/system_ext/bin/gs_watchdogd u:object_r:gs_watchdogd_exec:s0 diff --git a/sepolicy/system_ext/private/gs_watchdogd.te b/sepolicy/system_ext/private/gs_watchdogd.te new file mode 100644 index 00000000..d1ba1482 --- /dev/null +++ b/sepolicy/system_ext/private/gs_watchdogd.te 
@@ -0,0 +1,8 @@ +type gs_watchdogd, coredomain, domain; +type gs_watchdogd_exec, exec_type, file_type, system_file_type; + +init_daemon_domain(gs_watchdogd) + +allow gs_watchdogd kmsg_device:chr_file rw_file_perms; +allow gs_watchdogd sysfs:dir r_dir_perms; +allow gs_watchdogd watchdog_device:chr_file rw_file_perms; diff --git a/sepolicy/system_ext/private/hbmsvmanager_app.te b/sepolicy/system_ext/private/hbmsvmanager_app.te index 6f5ff7ac..4ec8a88f 100644 --- a/sepolicy/system_ext/private/hbmsvmanager_app.te +++ b/sepolicy/system_ext/private/hbmsvmanager_app.te @@ -1,11 +1,8 @@ typeattribute hbmsvmanager_app coredomain; -app_domain(hbmsvmanager_app); +app_domain(hbmsvmanager_app) +allow hbmsvmanager_app app_api_service:service_manager find; +allow hbmsvmanager_app cameraserver_service:service_manager find; allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms; allow hbmsvmanager_app proc_vendor_sched:file w_file_perms; - -# Standard system services -allow hbmsvmanager_app app_api_service:service_manager find; - -allow hbmsvmanager_app cameraserver_service:service_manager find; diff --git a/sepolicy/system_ext/private/pixelntnservice_app.te b/sepolicy/system_ext/private/pixelntnservice_app.te index 8bf71cc9..7c98c24e 100644 --- a/sepolicy/system_ext/private/pixelntnservice_app.te +++ b/sepolicy/system_ext/private/pixelntnservice_app.te @@ -1,5 +1,7 @@ typeattribute pixelntnservice_app coredomain; -app_domain(pixelntnservice_app); -allow pixelntnservice_app app_api_service:service_manager find; +app_domain(pixelntnservice_app) + set_prop(pixelntnservice_app, telephony_modem_prop) + +allow pixelntnservice_app app_api_service:service_manager find; diff --git a/sepolicy/system_ext/private/platform_app.te b/sepolicy/system_ext/private/platform_app.te index e9dcc76b..a80d567d 100644 --- a/sepolicy/system_ext/private/platform_app.te +++ b/sepolicy/system_ext/private/platform_app.te 
@@ -1,5 +1,5 @@ -# allow systemui to set boot animation colors -set_prop(platform_app, bootanim_system_prop); +get_prop(platform_app, bluetooth_lea_prop) -# allow systemui to access fingerprint hal_client_domain(platform_app, hal_fingerprint) + +set_prop(platform_app, bootanim_system_prop) diff --git a/sepolicy/system_ext/private/property.te b/sepolicy/system_ext/private/property.te index 714108b1..d60bf105 100644 --- a/sepolicy/system_ext/private/property.te +++ b/sepolicy/system_ext/private/property.te @@ -1,5 +1 @@ -neverallow { - domain - -init - -vendor_init -} esim_modem_prop:property_service set; +system_internal_prop(repair_mode_init_prop) diff --git a/sepolicy/system_ext/private/property_contexts b/sepolicy/system_ext/private/property_contexts index 1bc593cc..86eee7db 100644 --- a/sepolicy/system_ext/private/property_contexts +++ b/sepolicy/system_ext/private/property_contexts @@ -1,9 +1,5 @@ -# Fingerprint (UDFPS) GHBM/LHBM toggle -persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool - -# Properties for euicc -persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string - -# Telephony -telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn -telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool +persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool +persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string +repair_mode.init_completed. u:object_r:repair_mode_init_prop:s0 prefix bool +telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn +telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool diff --git a/sepolicy/system_ext/private/repair_mode_app.te b/sepolicy/system_ext/private/repair_mode_app.te new file mode 100644 index 00000000..cf7a9e29 --- /dev/null +++ b/sepolicy/system_ext/private/repair_mode_app.te 
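Review bot: The explicit `neverallow { domain -init -vendor_init } esim_modem_prop:property_service set;` is dropped from sepolicy/system_ext/private/property.te and no visible hunk adds it back. `esim_modem_prop` is still declared with `system_vendor_config_prop()` in system_ext/public/property.te, and as far as I know that macro expands to the same neverallow, but only while the Treble sysprop neverallows are enabled for the build. If they are ever disabled, the restriction on who may set the eSIM property goes away without any build error. Either keep the explicit rule or add `# set limited to init/vendor_init by system_vendor_config_prop()` next to the declaration so the dependency is visible.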
@@ -0,0 +1,14 @@
+type repair_mode_app, coredomain, domain;
+
+app_domain(repair_mode_app)
+
+get_prop(repair_mode_app, gsid_prop)
+
+set_prop(repair_mode_app, repair_mode_init_prop)
+
+allow repair_mode_app app_api_service:service_manager find;
+allow repair_mode_app metadata_file:dir search;
+allow repair_mode_app repair_mode_metadata_config_file:dir rw_dir_perms;
+allow repair_mode_app repair_mode_metadata_config_file:file create_file_perms;
+allow repair_mode_app repair_mode_metadata_file:dir search;
+allow repair_mode_app system_api_service:service_manager find;
diff --git a/sepolicy/system_ext/private/seapp_contexts b/sepolicy/system_ext/private/seapp_contexts
index 2f3c6785..380d8fac 100644
--- a/sepolicy/system_ext/private/seapp_contexts
+++ b/sepolicy/system_ext/private/seapp_contexts
@@ -1,11 +1,8 @@ -# Domain for EuiccGoogle -user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user - -# Domain for connectivity monitor +user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice domain=dcservice_app type=privapp_data_file levelFrom=user +user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice.ui domain=dcservice_app type=privapp_data_file levelFrom=user +user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all - -# HbmSVManager user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all - -# PixelNtnService +user=_app seinfo=platform name=com.google.android.connectivitythermalpowermanager domain=connectivity_thermal_power_manager type=app_data_file levelFrom=all +user=system seinfo=platform name=com.google.android.repairmode domain=repair_mode_app type=app_data_file levelFrom=user user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all diff --git a/sepolicy/system_ext/public/bluetooth_gci.te b/sepolicy/system_ext/public/bluetooth_gci.te new file mode 100644 index 00000000..823a51af --- /dev/null +++ b/sepolicy/system_ext/public/bluetooth_gci.te @@ -0,0 +1,2 @@ +type bluetooth_gci, coredomain, domain; +type bluetooth_gci_exec, exec_type, file_type, system_file_type; diff --git a/sepolicy/system_ext/public/con_monitor.te b/sepolicy/system_ext/public/con_monitor_app.te similarity index 53% rename from sepolicy/system_ext/public/con_monitor.te rename to sepolicy/system_ext/public/con_monitor_app.te index 6a4d1dac..db7009b3 100644 --- a/sepolicy/system_ext/public/con_monitor.te +++ b/sepolicy/system_ext/public/con_monitor_app.te 
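Review bot: The two new `dcservice_app` entries in seapp_contexts select the domain on `isPrivApp=true` and `name=` alone, with no `seinfo=`, so the label is not tied to a signing certificate the way the `seinfo=platform` entries next to them are. The same commit maintains signer-to-seinfo mappings in sepolicy/certificates/keys.conf and mac_permissions.xml; if the dcservice packages have their own key, a signer entry plus `seinfo=<tag>` on these two lines would pin the domain to it. That matters here because sepolicy/vendor/dcservice_app.te lets `dcservice_app` make binder calls to `aocxd` and `twoshay`. The per-entry comments removed by the hunk (`# Domain for EuiccGoogle`, `# HbmSVManager`, and so on) are cheap to keep for the next reader.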
@@ -1,2 +1 @@ -# ConnectivityMonitor app type con_monitor_app, domain; diff --git a/sepolicy/system_ext/public/dcservice_app.te b/sepolicy/system_ext/public/dcservice_app.te new file mode 100644 index 00000000..924f29cb --- /dev/null +++ b/sepolicy/system_ext/public/dcservice_app.te @@ -0,0 +1 @@ +type dcservice_app, domain; diff --git a/sepolicy/system_ext/public/property.te b/sepolicy/system_ext/public/property.te index bf64eaad..c7257aa0 100644 --- a/sepolicy/system_ext/public/property.te +++ b/sepolicy/system_ext/public/property.te @@ -1,13 +1,6 @@ -# Fingerprint (UDFPS) GHBM/LHBM toggle -system_vendor_config_prop(fingerprint_ghbm_prop) - -# eSIM properties -system_vendor_config_prop(esim_modem_prop) - -# Telephony system_public_prop(telephony_ril_prop) + system_restricted_prop(telephony_modem_prop) -userdebug_or_eng(` - set_prop(shell, telephony_ril_prop) -') +system_vendor_config_prop(esim_modem_prop) +system_vendor_config_prop(fingerprint_ghbm_prop) diff --git a/sepolicy/telephony/user/file_contexts b/sepolicy/telephony/user/file_contexts deleted file mode 100644 index 1aafb7e3..00000000 --- a/sepolicy/telephony/user/file_contexts +++ /dev/null @@ -1,3 +0,0 @@ -# ECC List -/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 - diff --git a/sepolicy/tracking_denials/bluetooth.te b/sepolicy/tracking_denials/bluetooth.te deleted file mode 100644 index fa48fcb3..00000000 --- a/sepolicy/tracking_denials/bluetooth.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/382362462 -dontaudit bluetooth default_android_service:service_manager { find }; diff --git a/sepolicy/tracking_denials/dmd.te b/sepolicy/tracking_denials/dmd.te deleted file mode 100644 index 68719b9b..00000000 --- a/sepolicy/tracking_denials/dmd.te +++ /dev/null @@ -1,2 +0,0 @@ -#b/303391666 -dontaudit dmd servicemanager:binder { call }; diff --git a/sepolicy/tracking_denials/dumpstate.te b/sepolicy/tracking_denials/dumpstate.te deleted file mode 100644 index 9d082cb8..00000000 
--- a/sepolicy/tracking_denials/dumpstate.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/277155042
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
diff --git a/sepolicy/trusty_metricsd/file_contexts b/sepolicy/trusty_metricsd/file_contexts
deleted file mode 100644
index bedf7437..00000000
--- a/sepolicy/trusty_metricsd/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
diff --git a/sepolicy/vendor/aocd.te b/sepolicy/vendor/aocd.te
new file mode 100644
index 00000000..321e5b4f
--- /dev/null
+++ b/sepolicy/vendor/aocd.te
@@ -0,0 +1,19 @@
+type aocd, domain;
+type aocd_exec, exec_type, file_type, vendor_file_type;
+
+get_prop(aocd, vendor_volte_mif_off)
+
+init_daemon_domain(aocd)
+
+r_dir_file(aocd, persist_aoc_file)
+
+set_prop(aocd, vendor_aoc_prop)
+set_prop(aocd, vendor_timeout_aoc_prop)
+
+allow aocd aoc_device:chr_file rw_file_perms;
+allow aocd device:dir r_dir_perms;
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+allow aocd sysfs_aoc_notifytimeout:file r_file_perms;
diff --git a/sepolicy/vendor/aocdump.te b/sepolicy/vendor/aocdump.te
new file mode 100644
index 00000000..08751180
--- /dev/null
+++ b/sepolicy/vendor/aocdump.te
@@ -0,0 +1,4 @@
+type aocdump, domain;
+type aocdump_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(aocdump)
diff --git a/sepolicy/vendor/aocx.te b/sepolicy/vendor/aocx.te
new file mode 100644
index 00000000..502b28d6
--- /dev/null
+++ b/sepolicy/vendor/aocx.te
@@ -0,0 +1 @@
+type aocx, service_manager_type;
diff --git a/sepolicy/vendor/aocxd.te b/sepolicy/vendor/aocxd.te
new file mode 100644
index 00000000..3b7795d8
--- /dev/null
+++ b/sepolicy/vendor/aocxd.te
@@ -0,0 +1,21 @@
+type aocxd, domain;
+type aocxd_exec, exec_type, file_type, vendor_file_type;
+
+add_service(aocxd, aocx)
+
+binder_call(aocxd, dcservice_app)
+
+init_daemon_domain(aocxd)
+
+set_prop(aocxd, vendor_aoc_prop)
+
+vndbinder_use(aocxd)
+
+wakelock_use(aocxd)
+
+allow aocxd aoc_device:chr_file rw_file_perms;
+allow aocxd device:dir r_dir_perms;
+allow aocxd dumpstate:fd use;
+allow aocxd dumpstate:fifo_file write;
+allow aocxd self:global_capability_class_set sys_nice;
+allow aocxd sysfs_aoc:dir search;
diff --git a/sepolicy/vendor/appdomain.te b/sepolicy/vendor/appdomain.te
new file mode 100644
index 00000000..7912252b
--- /dev/null
+++ b/sepolicy/vendor/appdomain.te
@@ -0,0 +1,5 @@
+get_prop(appdomain, vendor_edgetpu_runtime_prop)
+get_prop(appdomain, vendor_hetero_runtime_prop)
+get_prop(appdomain, vendor_tflite_delegate_prop)
+
+neverallow appdomain edgetpu_device:chr_file open;
diff --git a/sepolicy/vendor/attributes b/sepolicy/vendor/attributes
new file mode 100644
index 00000000..136a8dc9
--- /dev/null
+++ b/sepolicy/vendor/attributes
@@ -0,0 +1,3 @@
+hal_attribute(shared_modem_platform)
+
+attribute vendor_persist_type;
diff --git a/sepolicy/vendor/audio_prop_restricted.te b/sepolicy/vendor/audio_prop_restricted.te
new file mode 100644
index 00000000..a1430324
--- /dev/null
+++ b/sepolicy/vendor/audio_prop_restricted.te
@@ -0,0 +1 @@
+vendor_restricted_prop(vendor_audio_prop_restricted)
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
new file mode 100644
index 00000000..9802cb2c
--- /dev/null
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1 @@
+allow audioserver audio_device:chr_file r_file_perms;
diff --git a/sepolicy/vendor/battery_mitigation.te b/sepolicy/vendor/battery_mitigation.te
new file mode 100644
index 00000000..420f659a
--- /dev/null
+++ b/sepolicy/vendor/battery_mitigation.te
@@ -0,0 +1,39 @@
+type battery_mitigation, domain;
+type battery_mitigation_exec, exec_type, file_type, vendor_file_type;
+
+add_service(battery_mitigation, hal_battery_mitigation_service)
+
+binder_call(battery_mitigation, hal_audio_default)
+binder_call(battery_mitigation, servicemanager)
+
+get_prop(battery_mitigation, boot_status_prop)
+get_prop(battery_mitigation, system_boot_reason_prop)
+get_prop(battery_mitigation, vendor_brownout_reason_prop)
+
+hal_client_domain(battery_mitigation, hal_health)
+hal_client_domain(battery_mitigation, hal_thermal)
+
+init_daemon_domain(battery_mitigation)
+
+r_dir_file(battery_mitigation, sysfs_acpm_stats)
+r_dir_file(battery_mitigation, sysfs_batteryinfo)
+r_dir_file(battery_mitigation, sysfs_gpu)
+r_dir_file(battery_mitigation, sysfs_iio_devices)
+r_dir_file(battery_mitigation, sysfs_odpm)
+r_dir_file(battery_mitigation, sysfs_power_stats)
+r_dir_file(battery_mitigation, sysfs_thermal)
+r_dir_file(battery_mitigation, thermal_link_device)
+
+set_prop(battery_mitigation, vendor_brownout_br_feasible_prop)
+set_prop(battery_mitigation, vendor_mitigation_ready_prop)
+
+wakelock_use(battery_mitigation)
+
+allow battery_mitigation dumpstate:fd use;
+allow battery_mitigation dumpstate:fifo_file rw_file_perms;
+allow battery_mitigation fwk_stats_service:service_manager find;
+allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
+allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
+allow battery_mitigation sysfs_bcl:dir r_dir_perms;
+allow battery_mitigation sysfs_bcl:file rw_file_perms;
+allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/bipchmgr.te b/sepolicy/vendor/bipchmgr.te
similarity index 61%
rename from sepolicy/whitechapel/vendor/google/bipchmgr.te
rename to sepolicy/vendor/bipchmgr.te
index 9298e322..0bb2da05 100644
--- a/sepolicy/whitechapel/vendor/google/bipchmgr.te
+++ b/sepolicy/vendor/bipchmgr.te
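Review bot: `allow battery_mitigation dumpstate:fifo_file rw_file_perms;` in the new battery_mitigation.te gives read as well as write on dumpstate's pipe, which is wider than the matching rules elsewhere in this commit: aocxd.te grants `dumpstate:fifo_file write` and dump_gsc.te grants `{ getattr write }`. If battery_mitigation only emits its section of the bug report into the pipe, `allow battery_mitigation dumpstate:fifo_file { getattr write };` would be enough; whether it reads from the pipe is not visible here. The same question applies to `sysfs_bcl:file rw_file_perms`, which deserves a comment naming what is written.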
@@ -1,9 +1,12 @@ type bipchmgr, domain; -type bipchmgr_exec, vendor_file_type, exec_type, file_type; +type bipchmgr_exec, exec_type, file_type, vendor_file_type; + +binder_call(bipchmgr, rild) + +get_prop(bipchmgr, hwservicemanager_prop) + +hwbinder_use(bipchmgr) + init_daemon_domain(bipchmgr) -get_prop(bipchmgr, hwservicemanager_prop); - allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find; -hwbinder_use(bipchmgr) -binder_call(bipchmgr, rild) diff --git a/sepolicy/whitechapel/vendor/google/bluetooth.te b/sepolicy/vendor/bluetooth.te similarity index 60% rename from sepolicy/whitechapel/vendor/google/bluetooth.te rename to sepolicy/vendor/bluetooth.te index 92737abe..cd4e500b 100644 --- a/sepolicy/whitechapel/vendor/google/bluetooth.te +++ b/sepolicy/vendor/bluetooth.te @@ -1,3 +1,4 @@ allow bluetooth proc_vendor_sched:dir search; allow bluetooth proc_vendor_sched:file w_file_perms; +dontaudit bluetooth default_android_service:service_manager find; diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te new file mode 100644 index 00000000..9f20466a --- /dev/null +++ b/sepolicy/vendor/bootanim.te @@ -0,0 +1 @@ +dontaudit bootanim system_data_file:dir r_dir_perms; diff --git a/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te b/sepolicy/vendor/bootdevice_sysdev.te similarity index 59% rename from sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te rename to sepolicy/vendor/bootdevice_sysdev.te index 2ff0acb9..543b11f4 100644 --- a/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te +++ b/sepolicy/vendor/bootdevice_sysdev.te @@ -1 +1,3 @@ +type bootdevice_sysdev, dev_type; + allow bootdevice_sysdev sysfs:filesystem associate; diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/vendor/bug_map similarity index 74% rename from sepolicy/tracking_denials/bug_map rename to sepolicy/vendor/bug_map index e45a3138..35c63f74 100644 --- a/sepolicy/tracking_denials/bug_map +++ b/sepolicy/vendor/bug_map 
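Review bot: The `dontaudit bluetooth default_android_service:service_manager find;` added to sepolicy/vendor/bluetooth.te was moved from sepolicy/tracking_denials/bluetooth.te, where it carried `# b/382362462`, and the reference is lost in the move. A dontaudit rule removes the denial from the audit log, so without the bug id nobody can tell later whether the suppression is still needed or what it was hiding. The same applies to `dontaudit dmd servicemanager:binder call;` in sepolicy/vendor/dmd.te (previously `#b/303391666`), and the new `dontaudit bootanim system_data_file:dir r_dir_perms;` in sepolicy/vendor/bootanim.te has no reference at all. I would keep a comment line such as `# b/382362462` directly above each of these rules.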
@@ -1,36 +1,40 @@ - battery_mitigation sysfs file b/364446534 dump_display sysfs file b/340722772 dump_modem sscoredump_vendor_data_coredump_file dir b/366115873 dump_modem sscoredump_vendor_data_logcat_file dir b/366115873 -fsck modem_block_device blk_file b/397548310 hal_camera_default aconfig_storage_metadata_file dir b/383013727 hal_contexthub_default hal_bluetooth_service service_manager b/396573314 -hal_drm_widevine system_userdir_file dir b/401397837 +hal_fingerprint_default default_prop property_service b/215640468 hal_power_default hal_power_default capability b/240632824 hal_sensors_default sysfs file b/340723303 incidentd debugfs_wakeup_sources file b/282626428 incidentd incidentd anon_inode b/282626428 init init capability b/379591559 +insmod-sh kmsg_debug_device chr_file b/410739268 kernel dm_device blk_file b/315907959 kernel kernel capability b/340722537 kernel kernel capability b/340723030 kernel tmpfs chr_file b/315907959 modem_svc_sit hal_radioext_default process b/372348067 +permissioncontroller_app proc_vendor_sched file b/190671898 pixelstats_vendor block_device dir b/369537606 -pixelstats_vendor block_device dir b/369735407 -platform_app bluetooth_lea_mode_prop file b/402594680 +pixelstats_vendor sysfs_pixel_stat dir b/422900204 +pixelstats_vendor sysfs_pixel_stat file b/422900204 platform_app vendor_fw_file dir b/372122654 platform_app vendor_rild_prop file b/372122654 priv_app audio_config_prop file b/379226710 priv_app audio_config_prop file b/379246066 radio audio_config_prop file b/379227275 +ramdump proc_bootconfig file b/181615626 +ramdump public_vendor_default_prop file b/161103878 ramdump ramdump capability b/369538457 -ramdump_app default_prop file b/386149238 +ramdump vendor_hw_plat_prop file b/161103878 +ramdump_app default_prop file b/386149375 rfsd vendor_cbd_prop file b/317734418 -shell sysfs_net file b/329380904 -ssr_detector_app default_prop file b/350831964 +shell vendor_intelligence_prop file b/378120929 surfaceflinger 
selinuxfs file b/313804340 +system_server build_bootimage_prop file b/413561454 +system_server system_userdir_file file b/410508703 system_server vendor_default_prop file b/366115457 system_server vendor_default_prop file b/366116435 system_server vendor_default_prop file b/366116587 @@ -41,14 +45,10 @@ untrusted_app shell_test_data_file dir b/305600845 untrusted_app system_data_root_file dir b/305600845 untrusted_app userdebug_or_eng_prop file b/305600845 untrusted_app_29 audio_config_prop file b/379246143 +vendor_ims_app default_prop file b/194281028 vendor_init debugfs_trace_marker file b/340723222 vendor_init default_prop file b/315104713 vendor_init default_prop file b/316817111 -vendor_init default_prop property_service b/315104713 -vendor_init default_prop property_service b/366115458 -vendor_init default_prop property_service b/366116214 -vendor_init default_prop property_service b/369735133 -vendor_init default_prop property_service b/369735170 zygote aconfig_storage_metadata_file dir b/383949055 zygote media_config_prop file b/394433509 zygote zygote capability b/379591519 diff --git a/sepolicy/whitechapel/vendor/google/cbd.te b/sepolicy/vendor/cbd.te similarity index 61% rename from sepolicy/whitechapel/vendor/google/cbd.te rename to sepolicy/vendor/cbd.te index 6b41f57e..a7520796 100644 --- a/sepolicy/whitechapel/vendor/google/cbd.te +++ b/sepolicy/vendor/cbd.te 
@@ -1,65 +1,35 @@ type cbd, domain; -type cbd_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(cbd) +type cbd_exec, exec_type, file_type, vendor_file_type; -set_prop(cbd, vendor_modem_prop) -set_prop(cbd, vendor_cbd_prop) -set_prop(cbd, vendor_rild_prop) get_prop(cbd, telephony_modem_prop) -# Allow cbd to setuid from root to radio -# TODO: confirming with vendor via b/182334947 -allow cbd self:capability { setgid setuid }; +init_daemon_domain(cbd) -allow cbd mnt_vendor_file:dir r_dir_perms; +r_dir_file(cbd, modem_img_file) -allow cbd kmsg_device:chr_file rw_file_perms; +set_prop(cbd, vendor_cbd_prop) +set_prop(cbd, vendor_modem_prop) +set_prop(cbd, vendor_rild_prop) -allow cbd vendor_shell_exec:file execute_no_trans; -allow cbd vendor_toolbox_exec:file execute_no_trans; - -# Allow cbd to access modem block device allow cbd block_device:dir search; +allow cbd kmsg_device:chr_file rw_file_perms; +allow cbd mnt_vendor_file:dir r_dir_perms; allow cbd modem_block_device:blk_file r_file_perms; - -# Allow cbd to access sysfs chosen files -allow cbd sysfs_chosen:file r_file_perms; -allow cbd sysfs_chosen:dir r_dir_perms; - -allow cbd radio_device:chr_file rw_file_perms; - -allow cbd proc_cmdline:file r_file_perms; - -allow cbd persist_modem_file:dir create_dir_perms; -allow cbd persist_modem_file:file create_file_perms; -allow cbd persist_file:dir search; - -allow cbd radio_vendor_data_file:dir create_dir_perms; -allow cbd radio_vendor_data_file:file create_file_perms; - -# Allow cbd to operate with modem EFS file/dir allow cbd modem_efs_file:dir create_dir_perms; allow cbd modem_efs_file:file create_file_perms; - -# Allow cbd to operate with modem userdata file/dir allow cbd modem_userdata_file:dir create_dir_perms; allow cbd modem_userdata_file:file create_file_perms; - -# Allow cbd to access modem image file/dir -allow cbd modem_img_file:dir r_dir_perms; -allow cbd modem_img_file:file r_file_perms; -allow cbd modem_img_file:lnk_file r_file_perms; - -# 
Allow cbd to collect crash info +allow cbd persist_file:dir search; +allow cbd persist_modem_file:dir create_dir_perms; +allow cbd persist_modem_file:file create_file_perms; +allow cbd proc_cmdline:file r_file_perms; +allow cbd radio_device:chr_file rw_file_perms; +allow cbd radio_vendor_data_file:dir create_dir_perms; +allow cbd radio_vendor_data_file:file create_file_perms; +allow cbd self:capability { setgid setuid }; allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms; - -userdebug_or_eng(` - r_dir_file(cbd, vendor_slog_file) - - allow cbd kernel:system syslog_read; - - allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms; - allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms; -') - +allow cbd sysfs_chosen:dir r_dir_perms; +allow cbd sysfs_chosen:file r_file_perms; +allow cbd vendor_shell_exec:file execute_no_trans; +allow cbd vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/vendor/cbrs_setup_app.te b/sepolicy/vendor/cbrs_setup_app.te new file mode 100644 index 00000000..1babb590 --- /dev/null +++ b/sepolicy/vendor/cbrs_setup_app.te @@ -0,0 +1 @@ +type cbrs_setup_app, domain; diff --git a/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te b/sepolicy/vendor/cccdktimesync_app.te similarity index 73% rename from sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te rename to sepolicy/vendor/cccdktimesync_app.te index f6e514d9..48c856a6 100644 --- a/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te +++ b/sepolicy/vendor/cccdktimesync_app.te 
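Review bot: `allow cbd self:capability { setgid setuid };` stays in sepolicy/vendor/cbd.te, but the two lines that justified it, `# Allow cbd to setuid from root to radio` and `# TODO: confirming with vendor via b/182334947`, are removed. Capability grants are the first thing an auditor looks at in a domain, and the TODO recorded that the need was still unconfirmed. Keep one comment above the rule, for example `# cbd drops from root to radio; need under review in b/182334947`. The `vendor_shell_exec` and `vendor_toolbox_exec` `execute_no_trans` rules have no recorded reason either, and a line each would help.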
@@ -1,10 +1,8 @@ type vendor_cccdktimesync_app, domain; + app_domain(vendor_cccdktimesync_app) -allow vendor_cccdktimesync_app app_api_service:service_manager find; - binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) -allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; -# allow the HAL to call our registered callbacks -binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) +allow vendor_cccdktimesync_app app_api_service:service_manager find; +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; diff --git a/sepolicy/whitechapel/vendor/google/charger_vendor.te b/sepolicy/vendor/charger_vendor.te similarity index 99% rename from sepolicy/whitechapel/vendor/google/charger_vendor.te rename to sepolicy/vendor/charger_vendor.te index df59b717..79c7d069 100644 --- a/sepolicy/whitechapel/vendor/google/charger_vendor.te +++ b/sepolicy/vendor/charger_vendor.te @@ -1,10 +1,11 @@ +set_prop(charger_vendor, vendor_battery_defender_prop) + allow charger_vendor mnt_vendor_file:dir search; -allow charger_vendor sysfs_batteryinfo:file w_file_perms; -allow charger_vendor persist_file:dir search; allow charger_vendor persist_battery_file:dir search; allow charger_vendor persist_battery_file:file rw_file_perms; +allow charger_vendor persist_file:dir search; +allow charger_vendor sysfs_batteryinfo:file w_file_perms; allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms; allow charger_vendor sysfs_thermal:file w_file_perms; allow charger_vendor sysfs_thermal:lnk_file read; allow charger_vendor thermal_link_device:dir search; -set_prop(charger_vendor, vendor_battery_defender_prop) diff --git a/sepolicy/vendor/chre.te b/sepolicy/vendor/chre.te new file mode 100644 index 00000000..64966bf2 --- /dev/null +++ b/sepolicy/vendor/chre.te 
@@ -0,0 +1,20 @@
+type chre, domain;
+type chre_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(chre, stats_service_server)
+
+hal_client_domain(chre, hal_graphics_allocator)
+
+init_daemon_domain(chre)
+
+wakelock_use(chre)
+
+allow chre aoc_device:chr_file rw_file_perms;
+allow chre device:dir r_dir_perms;
+allow chre fwk_stats_service:service_manager find;
+allow chre hal_graphics_mapper_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
diff --git a/sepolicy/vendor/citadeld.te b/sepolicy/vendor/citadeld.te
new file mode 100644
index 00000000..cd80a4e4
--- /dev/null
+++ b/sepolicy/vendor/citadeld.te
@@ -0,0 +1,20 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, file_type, vendor_file_type;
+type citadeld_service, vndservice_manager_type;
+
+add_service(citadeld, citadeld_service)
+
+binder_call(citadeld, system_server)
+
+binder_use(citadeld)
+
+init_daemon_domain(citadeld)
+
+set_prop(citadeld, vendor_nos_citadel_version)
+
+vndbinder_use(citadeld)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
+allow citadeld hal_weaver_citadel:binder call;
diff --git a/sepolicy/whitechapel/vendor/google/con_monitor.te b/sepolicy/vendor/con_monitor_app.te
similarity index 100%
rename from sepolicy/whitechapel/vendor/google/con_monitor.te
rename to sepolicy/vendor/con_monitor_app.te
diff --git a/sepolicy/vendor/dcservice_app.te b/sepolicy/vendor/dcservice_app.te
new file mode 100644
index 00000000..9446fa6f
--- /dev/null
+++ b/sepolicy/vendor/dcservice_app.te
@@ -0,0 +1,5 @@
+binder_call(dcservice_app, aocxd)
+binder_call(dcservice_app, twoshay)
+
+allow dcservice_app aocx:service_manager find;
+allow dcservice_app touch_context_service:service_manager find;
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 00000000..3c895824
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,33 @@
+type amcs_device, dev_type;
+type aoc_device, dev_type;
+type citadel_device, dev_type;
+type cpuctl_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type edgetpu_device, dev_type, isolated_compute_allowed_device, mlstrustedobject;
+type efs_block_device, dev_type;
+type faceauth_heap_device, dev_type, dmabuf_heap_device_type;
+type fingerprint_device, dev_type;
+type logbuffer_device, dev_type;
+type lwis_device, dev_type;
+type mfg_data_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type pktrouter_device, dev_type;
+type rls_device, dev_type;
+type sda_block_device, dev_type;
+type sensor_direct_heap_device, dev_type, dmabuf_heap_device_type;
+type sg_device, dev_type;
+type sscoredump_device, dev_type;
+type st33spi_device, dev_type;
+type st54spi_device, dev_type;
+type thermal_link_device, dev_type;
+type touch_offload_device, dev_type;
+type trusty_log_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type userdata_exp_block_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_toe_device, dev_type;
+type vscaler_heap_device, dev_type, dmabuf_heap_device_type;
+type wb_coexistence_dev, dev_type;
diff --git a/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te b/sepolicy/vendor/disable-contaminant-detection-sh.te similarity index 79% rename from sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te rename to sepolicy/vendor/disable-contaminant-detection-sh.te index 95845a18..21f60653 100644 --- a/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te +++ b/sepolicy/vendor/disable-contaminant-detection-sh.te @@ -1,7 +1,8 @@ type disable-contaminant-detection-sh, domain; -type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type; +type disable-contaminant-detection-sh_exec, exec_type, file_type, vendor_file_type; + init_daemon_domain(disable-contaminant-detection-sh) -allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans; allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms; allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms; +allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/modem/user/dmd.te b/sepolicy/vendor/dmd.te similarity index 54% rename from sepolicy/modem/user/dmd.te rename to sepolicy/vendor/dmd.te index eabf8930..200a9e60 100644 --- a/sepolicy/modem/user/dmd.te +++ b/sepolicy/vendor/dmd.te 
@@ -1,29 +1,27 @@ type dmd, domain; -type dmd_exec, vendor_file_type, exec_type, file_type; +type dmd_exec, exec_type, file_type, vendor_file_type; + +binder_call(dmd, hwservicemanager) +binder_call(dmd, modem_diagnostic_app) +binder_call(dmd, modem_logging_control) +binder_call(dmd, vendor_telephony_app) + +get_prop(dmd, hwservicemanager_prop) +get_prop(dmd, vendor_persist_config_default_prop) + init_daemon_domain(dmd) -# Grant to access serial device for external logging tool -allow dmd serial_device:chr_file rw_file_perms; +set_prop(dmd, vendor_diag_prop) +set_prop(dmd, vendor_modem_prop) +set_prop(dmd, vendor_slog_prop) -# Grant to access radio device +allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find }; +allow dmd hidl_base_hwservice:hwservice_manager add; +allow dmd node:tcp_socket node_bind; allow dmd radio_device:chr_file rw_file_perms; - -# Grant to access slog dir/file +allow dmd self:tcp_socket { accept create_socket_perms_no_ioctl listen }; +allow dmd serial_device:chr_file rw_file_perms; allow dmd vendor_slog_file:dir create_dir_perms; allow dmd vendor_slog_file:file create_file_perms; -# Grant to access tcp socket -allow dmd node:tcp_socket node_bind; -allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind }; - -# Grant to access log related properties -set_prop(dmd, vendor_diag_prop) -set_prop(dmd, vendor_slog_prop) -set_prop(dmd, vendor_modem_prop) - -get_prop(dmd, vendor_persist_config_default_prop) - -# Grant to access hwservice manager -get_prop(dmd, hwservicemanager_prop) - -binder_call(dmd, hwservicemanager) +dontaudit dmd servicemanager:binder call; diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te new file mode 100644 index 00000000..8cc047bb --- /dev/null +++ b/sepolicy/vendor/domain.te @@ -0,0 +1 @@ +get_prop(domain, vendor_arm_runtime_option_prop) diff --git a/sepolicy/vendor/dump_aoc.te b/sepolicy/vendor/dump_aoc.te new file mode 100644 index 00000000..1783ba4a --- /dev/null 
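Review bot: `allow dmd node:tcp_socket node_bind;` together with `allow dmd self:tcp_socket { accept create_socket_perms_no_ioctl listen };` lets this diagnostic daemon accept TCP connections, and the hunk removes the only comment that pointed it out (`# Grant to access tcp socket`). The file moves from sepolicy/modem/user/ into sepolicy/vendor/, which BoardConfig-common.mk adds to `BOARD_VENDOR_SEPOLICY_DIRS` unconditionally, so the listener is permitted on every build type. Type enforcement on the generic `node` label cannot restrict which local address is bound, so the policy should at least say what is intended: a comment above the two rules naming the client that connects and the address dmd is expected to bind. The new `hal_vendor_oem_hwservice` `{ add find }` rule and the three added `binder_call` peers would benefit from a one-line reason each as well.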
+++ b/sepolicy/vendor/dump_aoc.te
@@ -0,0 +1,8 @@
+pixel_bugreport(dump_aoc)
+
+allow dump_aoc aoc_device:chr_file rw_file_perms;
+allow dump_aoc sysfs:dir r_dir_perms;
+allow dump_aoc sysfs_aoc:dir search;
+allow dump_aoc sysfs_aoc_dumpstate:file r_file_perms;
+allow dump_aoc vendor_shell_exec:file execute_no_trans;
+allow dump_aoc vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vendor/dump_bcmbt.te b/sepolicy/vendor/dump_bcmbt.te
new file mode 100644
index 00000000..8f6891f5
--- /dev/null
+++ b/sepolicy/vendor/dump_bcmbt.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_bcmbt)
diff --git a/sepolicy/vendor/dump_camera.te b/sepolicy/vendor/dump_camera.te
new file mode 100644
index 00000000..8dfb03d7
--- /dev/null
+++ b/sepolicy/vendor/dump_camera.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_camera)
diff --git a/sepolicy/vendor/dump_devfreq.te b/sepolicy/vendor/dump_devfreq.te
new file mode 100644
index 00000000..5e8ee573
--- /dev/null
+++ b/sepolicy/vendor/dump_devfreq.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_devfreq)
+
+allow dump_devfreq sysfs_cpu:file r_file_perms;
+allow dump_devfreq sysfs_exynos_bts:dir r_dir_perms;
+allow dump_devfreq sysfs_exynos_bts_stats:file r_file_perms;
diff --git a/sepolicy/vendor/dump_exynos_display.te b/sepolicy/vendor/dump_exynos_display.te
new file mode 100644
index 00000000..b6240010
--- /dev/null
+++ b/sepolicy/vendor/dump_exynos_display.te
@@ -0,0 +1,12 @@
+binder_call(dump_exynos_display, hal_graphics_composer_default)
+
+pixel_bugreport(dump_exynos_display)
+
+vndbinder_use(dump_exynos_display)
+
+allow dump_exynos_display sysfs_display:file r_file_perms;
+allow dump_exynos_display vendor_displaycolor_service:service_manager find;
+allow dump_exynos_display vendor_dumpsys:file execute_no_trans;
+allow dump_exynos_display vendor_shell_exec:file execute_no_trans;
+
+dontaudit dump_exynos_display sysfs:file read;
diff --git a/sepolicy/vendor/dump_exynos_display_userdebug.te b/sepolicy/vendor/dump_exynos_display_userdebug.te
new file mode 100644
index 00000000..796ef753
--- /dev/null
+++ b/sepolicy/vendor/dump_exynos_display_userdebug.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_exynos_display_userdebug)
diff --git a/sepolicy/vendor/dump_fingerprint.te b/sepolicy/vendor/dump_fingerprint.te
new file mode 100644
index 00000000..0589adb5
--- /dev/null
+++ b/sepolicy/vendor/dump_fingerprint.te
@@ -0,0 +1,4 @@
+pixel_bugreport(dump_fingerprint)
+
+allow dump_fingerprint fingerprint_vendor_data_file:dir r_dir_perms;
+allow dump_fingerprint fingerprint_vendor_data_file:file r_file_perms;
diff --git a/sepolicy/vendor/dump_gps.te b/sepolicy/vendor/dump_gps.te
new file mode 100644
index 00000000..6d07d988
--- /dev/null
+++ b/sepolicy/vendor/dump_gps.te
@@ -0,0 +1 @@
+pixel_bugreport(dump_gps)
diff --git a/sepolicy/whitechapel/vendor/google/dump_gs101.te b/sepolicy/vendor/dump_gs101.te
similarity index 54%
rename from sepolicy/whitechapel/vendor/google/dump_gs101.te
rename to sepolicy/vendor/dump_gs101.te
index d1eb528c..4352f19b 100644
--- a/sepolicy/whitechapel/vendor/google/dump_gs101.te
+++ b/sepolicy/vendor/dump_gs101.te
@@ -1,32 +1,18 @@ pixel_bugreport(dump_gs101) -allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms; -allow dump_gs101 sysfs_pixel_stat:file r_file_perms; -allow dump_gs101 vendor_toolbox_exec:file execute_no_trans; -allow dump_gs101 vendor_camera_data_file:dir r_dir_perms; -allow dump_gs101 vendor_camera_data_file:file r_file_perms; + +allow dump_gs101 logbuffer_device:chr_file r_file_perms; +allow dump_gs101 sysfs:dir r_dir_perms; allow dump_gs101 sysfs_acpm_stats:dir r_dir_perms; allow dump_gs101 sysfs_acpm_stats:file r_file_perms; allow dump_gs101 sysfs_batteryinfo:dir r_dir_perms; +allow dump_gs101 sysfs_batteryinfo:file r_file_perms; allow dump_gs101 sysfs_bcl:dir r_dir_perms; allow dump_gs101 sysfs_bcl:file r_file_perms; allow dump_gs101 sysfs_cpu:file r_file_perms; -allow dump_gs101 logbuffer_device:chr_file r_file_perms; -allow dump_gs101 sysfs_batteryinfo:file r_file_perms; -allow dump_gs101 sysfs:dir r_dir_perms; +allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms; +allow dump_gs101 sysfs_pixel_stat:file r_file_perms; allow dump_gs101 sysfs_wlc:dir r_dir_perms; allow dump_gs101 sysfs_wlc:file r_file_perms; -userdebug_or_eng(` - allow dump_gs101 vendor_battery_debugfs:dir r_dir_perms; - allow dump_gs101 vendor_battery_debugfs:file r_file_perms; - allow dump_gs101 vendor_charger_debugfs:dir r_dir_perms; - allow dump_gs101 vendor_charger_debugfs:file r_file_perms; - allow dump_gs101 vendor_pm_genpd_debugfs:file r_file_perms; - allow dump_gs101 vendor_usb_debugfs:dir r_dir_perms; - allow dump_gs101 vendor_usb_debugfs:file r_file_perms; - allow dump_gs101 debugfs:dir r_dir_perms; - allow dump_gs101 vendor_maxfg_debugfs:dir r_dir_perms; - allow dump_gs101 vendor_maxfg_debugfs:file r_file_perms; - allow dump_gs101 vendor_votable_debugfs:dir r_dir_perms; - allow dump_gs101 vendor_votable_debugfs:file r_file_perms; -') - +allow dump_gs101 vendor_camera_data_file:dir r_dir_perms; +allow dump_gs101 vendor_camera_data_file:file r_file_perms; +allow dump_gs101 
vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/vendor/dump_gsc.te b/sepolicy/vendor/dump_gsc.te new file mode 100644 index 00000000..cfacacc1 --- /dev/null +++ b/sepolicy/vendor/dump_gsc.te @@ -0,0 +1,14 @@ +type dump_gsc, domain; +type dump_gsc_exec, exec_type, file_type, vendor_file_type; + +binder_call(dump_gsc, citadeld) + +hal_client_domain(dump_gsc, hal_dumpstate) + +vndbinder_use(dump_gsc) + +allow dump_gsc citadel_updater:file execute_no_trans; +allow dump_gsc citadeld_service:service_manager find; +allow dump_gsc dumpstate:fd use; +allow dump_gsc dumpstate:fifo_file { getattr write }; +allow dump_gsc shell_data_file:file { getattr write }; diff --git a/sepolicy/vendor/dump_memory.te b/sepolicy/vendor/dump_memory.te new file mode 100644 index 00000000..7a22b19c --- /dev/null +++ b/sepolicy/vendor/dump_memory.te @@ -0,0 +1,3 @@ +pixel_bugreport(dump_memory) + +allow dump_memory vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/vendor/dump_modem.te b/sepolicy/vendor/dump_modem.te new file mode 100644 index 00000000..b558ff78 --- /dev/null +++ b/sepolicy/vendor/dump_modem.te @@ -0,0 +1,14 @@ +pixel_bugreport(dump_modem) + +allow dump_modem logbuffer_device:chr_file r_file_perms; +allow dump_modem modem_stat_data_file:dir search; +allow dump_modem modem_stat_data_file:file r_file_perms; +allow dump_modem radio_vendor_data_file:dir search; +allow dump_modem radio_vendor_data_file:file r_file_perms; +allow dump_modem sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; +allow dump_modem sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow dump_modem sysfs_dump_modem:file r_file_perms; +allow dump_modem vendor_log_file:dir search; +allow dump_modem vendor_rfsd_log_file:dir r_dir_perms; +allow dump_modem vendor_rfsd_log_file:file r_file_perms; +allow dump_modem vendor_toolbox_exec:file execute_no_trans; 
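Review bot: dump_gsc.te declares its domain by hand instead of using `pixel_bugreport` like the other dump_* files and has no comments, so the reasons for its extra grants are not recorded. Two of them deserve a line each: `allow dump_gsc citadel_updater:file execute_no_trans;` runs the updater binary inside this domain with its binder access to `citadeld`, and `allow dump_gsc shell_data_file:file { getattr write };` lets it write to shell-owned files (without `open`, so presumably through a descriptor handed over by dumpstate). Suggested comments, each to be confirmed by the owner: `# citadel_updater is run for status queries only` and `# bugreport output fd passed in by dumpstate`.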
diff --git a/sepolicy/vendor/dump_modemlog.te b/sepolicy/vendor/dump_modemlog.te
new file mode 100644
index 00000000..c339cd73
--- /dev/null
+++ b/sepolicy/vendor/dump_modemlog.te
@@ -0,0 +1,11 @@
+pixel_bugreport(dump_modemlog)
+
+set_prop(dump_modemlog, vendor_modem_prop)
+
+allow dump_modemlog mnt_vendor_file:dir search;
+allow dump_modemlog modem_efs_file:dir search;
+allow dump_modemlog modem_efs_file:file r_file_perms;
+allow dump_modemlog radio_vendor_data_file:dir create_dir_perms;
+allow dump_modemlog radio_vendor_data_file:file create_file_perms;
+allow dump_modemlog vendor_slog_file:dir r_dir_perms;
+allow dump_modemlog vendor_slog_file:file r_file_perms;
diff --git a/sepolicy/vendor/dump_perf.te b/sepolicy/vendor/dump_perf.te
new file mode 100644
index 00000000..15c4f6e5
--- /dev/null
+++ b/sepolicy/vendor/dump_perf.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_perf)
+
+allow dump_perf proc_vendor_sched:file r_file_perms;
diff --git a/sepolicy/vendor/dump_pixel_metrics.te b/sepolicy/vendor/dump_pixel_metrics.te
new file mode 100644
index 00000000..dd4dbe9a
--- /dev/null
+++ b/sepolicy/vendor/dump_pixel_metrics.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_pixel_metrics)
+
+r_dir_file(dump_pixel_metrics, sysfs_vendor_metrics)
+
+allow dump_pixel_metrics vendor_dumpsys:file execute_no_trans;
diff --git a/sepolicy/whitechapel/vendor/google/dump_power.te b/sepolicy/vendor/dump_power.te
similarity index 61%
rename from sepolicy/whitechapel/vendor/google/dump_power.te
rename to sepolicy/vendor/dump_power.te
index cf7c14ed..0a53ab1e 100644
--- a/sepolicy/whitechapel/vendor/google/dump_power.te
+++ b/sepolicy/vendor/dump_power.te
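Review bot: dump_modemlog is a bugreport helper, yet it gets `set_prop(dump_modemlog, vendor_modem_prop)` plus `create_dir_perms` and `create_file_perms` on `radio_vendor_data_file`, which is write access to modem properties and to the radio data directory on all builds. The same property type is also writable by `euiccpixel_app` in this commit, so the label appears to be shared by unrelated writers. If the helper only sets a trigger property to start log collection, a dedicated property type for that trigger would keep the rest of `vendor_modem_prop` out of its reach. Otherwise add a comment stating which property it sets and which files it creates.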
@@ -1,24 +1,14 @@ -# Allow dumpstate to execute dump_power -pixel_bugreport(dump_power); +pixel_bugreport(dump_power) -allow dump_power sysfs_acpm_stats:dir r_dir_perms; -allow dump_power sysfs_acpm_stats:file r_file_perms; -allow dump_power sysfs_cpu:file r_file_perms; -allow dump_power sysfs_wlc:file r_file_perms; -allow dump_power sysfs_wlc:dir search; -allow dump_power sysfs_batteryinfo:dir r_dir_perms; -allow dump_power sysfs_batteryinfo:file r_file_perms; allow dump_power logbuffer_device:chr_file r_file_perms; allow dump_power mitigation_vendor_data_file:dir r_dir_perms; allow dump_power mitigation_vendor_data_file:file r_file_perms; +allow dump_power sysfs_acpm_stats:dir r_dir_perms; +allow dump_power sysfs_acpm_stats:file r_file_perms; +allow dump_power sysfs_batteryinfo:dir r_dir_perms; +allow dump_power sysfs_batteryinfo:file r_file_perms; allow dump_power sysfs_bcl:dir r_dir_perms; allow dump_power sysfs_bcl:file r_file_perms; - -userdebug_or_eng(` - r_dir_file(dump_power, vendor_battery_debugfs) - r_dir_file(dump_power, vendor_maxfg_debugfs) - r_dir_file(dump_power, vendor_charger_debugfs) - r_dir_file(dump_power, vendor_votable_debugfs) - allow dump_power debugfs:dir r_dir_perms; - allow dump_power vendor_usb_debugfs:dir { search }; -') +allow dump_power sysfs_cpu:file r_file_perms; +allow dump_power sysfs_wlc:dir search; +allow dump_power sysfs_wlc:file r_file_perms; diff --git a/sepolicy/vendor/dump_radio.te b/sepolicy/vendor/dump_radio.te new file mode 100644 index 00000000..42a6ec49 --- /dev/null +++ b/sepolicy/vendor/dump_radio.te @@ -0,0 +1 @@ +pixel_bugreport(dump_radio) diff --git a/sepolicy/vendor/dump_ramdump.te b/sepolicy/vendor/dump_ramdump.te new file mode 100644 index 00000000..9c615bb1 --- /dev/null +++ b/sepolicy/vendor/dump_ramdump.te @@ -0,0 +1 @@ +pixel_bugreport(dump_ramdump) diff --git a/sepolicy/vendor/dump_sensors.te b/sepolicy/vendor/dump_sensors.te new file mode 100644 index 00000000..767a6c84 --- /dev/null 
+++ b/sepolicy/vendor/dump_sensors.te
@@ -0,0 +1,6 @@
+pixel_bugreport(dump_sensors)
+
+allow dump_sensors aoc_device:chr_file rw_file_perms;
+allow dump_sensors device:dir r_dir_perms;
+allow dump_sensors vendor_shell_exec:file execute_no_trans;
+allow dump_sensors vendor_usf_stats:file execute_no_trans;
diff --git a/sepolicy/vendor/dump_soc.te b/sepolicy/vendor/dump_soc.te
new file mode 100644
index 00000000..a69b189e
--- /dev/null
+++ b/sepolicy/vendor/dump_soc.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_soc)
+
+allow dump_soc sysfs_chip_id:file r_file_perms;
diff --git a/sepolicy/vendor/dump_storage.te b/sepolicy/vendor/dump_storage.te
new file mode 100644
index 00000000..40338892
--- /dev/null
+++ b/sepolicy/vendor/dump_storage.te
@@ -0,0 +1,12 @@
+get_prop(dump_storage, boottime_public_prop)
+
+pixel_bugreport(dump_storage)
+
+allow dump_storage proc_f2fs:dir r_dir_perms;
+allow dump_storage proc_f2fs:file r_file_perms;
+allow dump_storage sysfs:file r_file_perms;
+allow dump_storage sysfs_scsi_devices_0000:dir r_dir_perms;
+allow dump_storage sysfs_scsi_devices_0000:file r_file_perms;
+
+dontaudit dump_storage debugfs_f2fs:dir r_dir_perms;
+dontaudit dump_storage debugfs_f2fs:file r_file_perms;
diff --git a/sepolicy/vendor/dump_thermal.te b/sepolicy/vendor/dump_thermal.te
new file mode 100644
index 00000000..c9719680
--- /dev/null
+++ b/sepolicy/vendor/dump_thermal.te
@@ -0,0 +1,5 @@
+pixel_bugreport(dump_thermal)
+
+r_dir_file(dump_thermal, sysfs_thermal)
+
+allow dump_thermal vendor_toolbox_exec:file execute_no_trans;
diff --git a/sepolicy/vendor/dump_trusty.te b/sepolicy/vendor/dump_trusty.te
new file mode 100644
index 00000000..d4e0d6ef
--- /dev/null
+++ b/sepolicy/vendor/dump_trusty.te
@@ -0,0 +1,4 @@
+pixel_bugreport(dump_trusty)
+
+allow dump_trusty trusty_log_device:chr_file r_file_perms;
+allow dump_trusty vendor_toolbox_exec:file execute_no_trans;
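Review bot: `allow dump_storage sysfs:file r_file_perms;` in dump_storage.te grants read on every sysfs file that has no specific label, which is much wider than the storage nodes the helper is named for. The file already uses the dedicated `sysfs_scsi_devices_0000` type for the SCSI device nodes; labelling the remaining paths it reads and granting that type would let this rule go. If the broad grant has to stay for now, mark it, e.g. `# TODO: label the remaining storage sysfs nodes and drop this rule`.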
diff --git a/sepolicy/vendor/dumpstate.te b/sepolicy/vendor/dumpstate.te
new file mode 100644
index 00000000..9e351176
--- /dev/null
+++ b/sepolicy/vendor/dumpstate.te
@@ -0,0 +1,21 @@
+binder_call(dumpstate, aocxd)
+binder_call(dumpstate, battery_mitigation)
+binder_call(dumpstate, flood_control)
+binder_call(dumpstate, twoshay)
+
+allow dumpstate fuse:dir search;
+allow dumpstate hal_battery_mitigation_service:service_manager find;
+allow dumpstate modem_efs_file:dir getattr;
+allow dumpstate modem_img_file:dir getattr;
+allow dumpstate modem_userdata_file:dir getattr;
+allow dumpstate persist_file:dir getattr;
+allow dumpstate persist_file:dir r_dir_perms;
+allow dumpstate rlsservice:binder call;
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate touch_context_service:service_manager find;
+allow dumpstate twoshay_file_dump_service:service_manager find;
+allow dumpstate vold:binder call;
+
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager find;
+dontaudit dumpstate intelligence_data_file:dir getattr;
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/sepolicy/vendor/e2fs.te b/sepolicy/vendor/e2fs.te
new file mode 100644
index 00000000..b35811aa
--- /dev/null
+++ b/sepolicy/vendor/e2fs.te
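Review bot: `allow dumpstate persist_file:dir getattr;` is made redundant by the next line, `allow dumpstate persist_file:dir r_dir_perms;`, because `r_dir_perms` already contains `getattr`. Keeping both makes it unclear whether only `getattr` was intended, as in the three `modem_*` directory rules just above it. Drop the first line if directory listing is really needed, or drop the second if `getattr` was the intent.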
@@ -0,0 +1,11 @@
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allow e2fs persist_block_device:blk_file { ioctl open read write };
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
+allow e2fs userdata_exp_block_device:blk_file rw_file_perms;
+
+allowxperm e2fs efs_block_device:blk_file ioctl { BLKDISCARD BLKDISCARDZEROES BLKPBSZGET BLKROGET BLKSECDISCARD };
+allowxperm e2fs modem_userdata_block_device:blk_file ioctl { BLKDISCARD BLKDISCARDZEROES BLKPBSZGET BLKROGET BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKDISCARD BLKDISCARDZEROES BLKPBSZGET BLKROGET BLKSECDISCARD };
diff --git a/sepolicy/vendor/edgetpu_app.te b/sepolicy/vendor/edgetpu_app.te
new file mode 100644
index 00000000..170f08a6
--- /dev/null
+++ b/sepolicy/vendor/edgetpu_app.te
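Review bot: `userdata_exp_block_device` gets `rw_file_perms` (which includes `ioctl`) but, unlike the other three block devices, no `allowxperm` line, so unless another policy file adds one the ioctl commands e2fs may issue on that device are not limited to the allowlist used for the others. Adding `allowxperm e2fs userdata_exp_block_device:blk_file ioctl { BLKDISCARD BLKDISCARDZEROES BLKPBSZGET BLKROGET BLKSECDISCARD };` would make the four devices consistent. Separately, `allow e2fs persist_block_device:blk_file { ioctl open read write };` is a subset of the `rw_file_perms` rule on the next line and can be removed.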
@@ -0,0 +1,29 @@
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, file_type, system_file_type;
+type edgetpu_app_service, app_api_service, isolated_compute_allowed_service, service_manager_type;
+
+add_service(edgetpu_app_server, edgetpu_app_service)
+
+binder_call(edgetpu_app_server, edgetpu_vendor_server)
+binder_call(edgetpu_app_server, system_server)
+
+binder_service(edgetpu_app_server)
+
+binder_use(edgetpu_app_server)
+
+get_prop(edgetpu_app_server, device_config_edgetpu_native_prop)
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop)
+
+init_daemon_domain(edgetpu_app_server)
+
+perfetto_producer(edgetpu_app_server)
+
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+allow edgetpu_app_server fwk_stats_service:service_manager find;
+allow edgetpu_app_server package_native_service:service_manager find;
+allow edgetpu_app_server privapp_data_file:file { map read };
+allow edgetpu_app_server self:capability ipc_lock;
+allow edgetpu_app_server shell_data_file:file { map read };
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
diff --git a/sepolicy/vendor/edgetpu_dba.te b/sepolicy/vendor/edgetpu_dba.te
new file mode 100644
index 00000000..80112b1f
--- /dev/null
+++ b/sepolicy/vendor/edgetpu_dba.te
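Review bot: `allow edgetpu_app_server shell_data_file:file { map read };` is granted on every build type, so a service that holds `rw_file_perms` on `edgetpu_device` will accept shell-owned files on production builds too. If this exists so that test inputs can be supplied from adb, it belongs under `userdebug_or_eng`; if production needs it, a comment should say why. The rule grants `map read` without `open`, so the files presumably arrive as already-open descriptors, which is worth stating in a comment next to both this rule and the `privapp_data_file` one.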
@@ -0,0 +1,32 @@
+type edgetpu_dba_server, domain;
+type edgetpu_dba_server_exec, exec_type, file_type, vendor_file_type;
+type edgetpu_dba_service, app_api_service, isolated_compute_allowed_service, service_manager_type;
+
+add_service(edgetpu_dba_server, edgetpu_dba_service)
+
+binder_call(edgetpu_dba_server, edgetpu_app_server)
+
+binder_service(edgetpu_dba_server)
+
+binder_use(edgetpu_dba_server)
+
+get_prop(edgetpu_dba_server, vendor_edgetpu_cpu_scheduler_prop)
+get_prop(edgetpu_dba_server, vendor_edgetpu_runtime_prop)
+get_prop(edgetpu_dba_server, vendor_hetero_runtime_prop)
+get_prop(edgetpu_dba_server, vendor_tflite_delegate_prop)
+
+hal_client_domain(edgetpu_dba_server, hal_power)
+
+init_daemon_domain(edgetpu_dba_server)
+
+allow edgetpu_dba_server dmabuf_system_heap_device:chr_file r_file_perms;
+allow edgetpu_dba_server edgetpu_app_service:service_manager find;
+allow edgetpu_dba_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_dba_server gpu_device:chr_file rw_file_perms;
+allow edgetpu_dba_server gpu_device:dir r_dir_perms;
+allow edgetpu_dba_server hal_allocator:fd use;
+allow edgetpu_dba_server hal_graphics_allocator:fd use;
+allow edgetpu_dba_server hal_graphics_mapper_hwservice:hwservice_manager find;
+allow edgetpu_dba_server ion_device:chr_file r_file_perms;
+allow edgetpu_dba_server proc_overcommit_memory:file r_file_perms;
+allow edgetpu_dba_server proc_version:file r_file_perms;
diff --git a/sepolicy/vendor/edgetpu_logging.te b/sepolicy/vendor/edgetpu_logging.te
new file mode 100644
index 00000000..34b705dd
--- /dev/null
+++ b/sepolicy/vendor/edgetpu_logging.te
@@ -0,0 +1,13 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(edgetpu_logging, system_server)
+
+binder_use(edgetpu_logging)
+
+init_daemon_domain(edgetpu_logging)
+
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_logging fwk_stats_service:service_manager find;
+allow edgetpu_logging sysfs_edgetpu:dir search;
+allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
diff --git a/sepolicy/vendor/edgetpu_tachyon.te b/sepolicy/vendor/edgetpu_tachyon.te
new file mode 100644
index 00000000..90280531
--- /dev/null
+++ b/sepolicy/vendor/edgetpu_tachyon.te
@@ -0,0 +1,39 @@
+type edgetpu_tachyon_server, domain;
+type edgetpu_tachyon_server_exec, exec_type, file_type, vendor_file_type;
+type edgetpu_tachyon_service, app_api_service, isolated_compute_allowed_service, service_manager_type;
+
+add_service(edgetpu_tachyon_server, edgetpu_tachyon_service)
+
+binder_call(edgetpu_tachyon_server, edgetpu_app_server)
+binder_call(edgetpu_tachyon_server, hal_camera_default)
+binder_call(edgetpu_tachyon_server, platform_app)
+binder_call(edgetpu_tachyon_server, priv_app)
+binder_call(edgetpu_tachyon_server, shell)
+binder_call(edgetpu_tachyon_server, untrusted_app_all)
+
+binder_service(edgetpu_tachyon_server)
+
+binder_use(edgetpu_tachyon_server)
+
+get_prop(edgetpu_tachyon_server, vendor_edgetpu_cpu_scheduler_prop)
+get_prop(edgetpu_tachyon_server, vendor_edgetpu_runtime_prop)
+get_prop(edgetpu_tachyon_server, vendor_hetero_runtime_prop)
+get_prop(edgetpu_tachyon_server, vendor_tflite_delegate_prop)
+
+init_daemon_domain(edgetpu_tachyon_server)
+
+perfetto_producer(edgetpu_tachyon_server)
+
+allow edgetpu_tachyon_server dmabuf_system_heap_device:chr_file r_file_perms;
+allow edgetpu_tachyon_server edgetpu_app_service:service_manager find;
+allow edgetpu_tachyon_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_tachyon_server gpu_device:chr_file rw_file_perms;
+allow edgetpu_tachyon_server gpu_device:dir r_dir_perms;
+allow edgetpu_tachyon_server hal_allocator:fd use;
+allow edgetpu_tachyon_server hal_graphics_allocator:fd use;
+allow edgetpu_tachyon_server hal_graphics_mapper_hwservice:hwservice_manager find;
+allow edgetpu_tachyon_server ion_device:chr_file r_file_perms;
+allow edgetpu_tachyon_server privapp_data_file:file { map read };
+allow edgetpu_tachyon_server proc_overcommit_memory:file r_file_perms;
+allow edgetpu_tachyon_server proc_version:file r_file_perms;
+allow edgetpu_tachyon_server self:capability ipc_lock;
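Review bot: `binder_call(edgetpu_tachyon_server, shell)` is unconditional, so a daemon holding `rw_file_perms` on `edgetpu_device` and `gpu_device` is set up to talk to the adb shell domain on user builds as well as debug ones. If shell is only a test client, wrap that one line in `userdebug_or_eng`. The service type is an `app_api_service` and the file also lists `untrusted_app_all`, so the daemon's binder interface appears to be exposed to untrusted apps. A short header comment saying so would tell future editors to weigh every new grant in this file against that exposure.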
diff --git a/sepolicy/vendor/edgetpu_vendor.te b/sepolicy/vendor/edgetpu_vendor.te
new file mode 100644
index 00000000..7e35b610
--- /dev/null
+++ b/sepolicy/vendor/edgetpu_vendor.te
@@ -0,0 +1,20 @@
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, file_type, vendor_file_type;
+type edgetpu_vendor_service, hal_service_type, service_manager_type;
+
+add_service(edgetpu_vendor_server, edgetpu_vendor_service)
+
+binder_service(edgetpu_vendor_server)
+
+binder_use(edgetpu_vendor_server)
+
+get_prop(edgetpu_vendor_server, vendor_hetero_runtime_prop)
+
+init_daemon_domain(edgetpu_vendor_server)
+
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server hal_camera_default:fd use;
+allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms;
+allow edgetpu_vendor_server proc_version:file r_file_perms;
+allow edgetpu_vendor_server vndbinder_device:chr_file { ioctl map open read write };
diff --git a/sepolicy/vendor/euiccpixel_app.te b/sepolicy/vendor/euiccpixel_app.te
new file mode 100644
index 00000000..1cd663a0
--- /dev/null
+++ b/sepolicy/vendor/euiccpixel_app.te
@@ -0,0 +1,13 @@
+type euiccpixel_app, domain;
+
+app_domain(euiccpixel_app)
+
+get_prop(euiccpixel_app, dck_prop)
+
+set_prop(euiccpixel_app, vendor_modem_prop)
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app surfaceflinger_service:service_manager find;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 00000000..f3b0ac69
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,125 @@ +type aoc_audio_file, file_type, vendor_file_type; +type audio_vendor_data_file, data_file_type, file_type; +type chre_data_file, data_file_type, file_type; +type chre_socket, file_type; +type citadel_provision_exec, exec_type, file_type, vendor_file_type; +type citadel_updater, file_type, vendor_file_type; +type debugfs_f2fs, debugfs_type, fs_type; +type debugfs_thermal, debugfs_type, fs_type; +type dump_storage_data_file, data_file_type, file_type; +type edgetpu_vendor_service_data_file, data_file_type, file_type; +type hal_camera_default_tmpfs, file_type; +type hal_neuralnetworks_darwinn_data_file, data_file_type, file_type; +type intelligence_data_file, data_file_type, file_type; +type mediadrm_vendor_data_file, data_file_type, file_type; +type mitigation_vendor_data_file, data_file_type, file_type; +type modem_efs_file, file_type; +type modem_stat_data_file, data_file_type, file_type; +type modem_userdata_file, file_type; +type per_boot_file, core_data_file_type, data_file_type, file_type; +type persist_aoc_file, file_type, vendor_persist_type; +type persist_audio_file, file_type, vendor_persist_type; +type persist_battery_file, file_type, vendor_persist_type; +type persist_camera_file, file_type; +type persist_display_file, file_type, vendor_persist_type; +type persist_modem_file, file_type, vendor_persist_type; +type persist_sensor_reg_file, file_type, vendor_persist_type; +type persist_ss_file, file_type, vendor_persist_type; +type persist_uwb_file, file_type, vendor_persist_type; +type powerstats_vendor_data_file, data_file_type, file_type; +type proc_compaction_proactiveness, fs_type, proc_type; +type proc_f2fs, fs_type, proc_type; +type proc_vendor_mm, fs_type, proc_type; +type radio_vendor_data_file, data_file_type, file_type; +type ramdump_vendor_data_file, data_file_type, file_type, mlstrustedobject; +type ramdump_vendor_mnt_file, data_file_type, file_type, mlstrustedobject; +type rild_vendor_data_file, data_file_type, file_type; 
+type sensor_debug_data_file, data_file_type, file_type; +type sensor_reg_data_file, data_file_type, file_type; +type sensor_vendor_data_file, data_file_type, file_type, mlstrustedobject; +type sensors_cal_file, file_type; +type sg_util_exec, exec_type, file_type, vendor_file_type; +type sscoredump_vendor_data_coredump_file, data_file_type, file_type, mlstrustedobject; +type sscoredump_vendor_data_crashinfo_file, data_file_type, file_type, mlstrustedobject; +type sscoredump_vendor_data_logcat_file, data_file_type, file_type, mlstrustedobject; +type sysfs_acpm_stats, fs_type, sysfs_type; +type sysfs_aoc, fs_type, sysfs_type; +type sysfs_aoc_boottime, fs_type, sysfs_type; +type sysfs_aoc_dumpstate, fs_type, sysfs_type; +type sysfs_aoc_firmware, fs_type, sysfs_type; +type sysfs_aoc_notifytimeout, fs_type, sysfs_type; +type sysfs_aoc_reset, fs_type, sysfs_type; +type sysfs_backlight, fs_type, sysfs_type; +type sysfs_bcl, fs_type, sysfs_type; +type sysfs_bcmdhd, fs_type, sysfs_type; +type sysfs_bootctl, fs_type, sysfs_type; +type sysfs_camera, fs_type, sysfs_type; +type sysfs_chargelevel, fs_type, sysfs_type; +type sysfs_chosen, fs_type, sysfs_type; +type sysfs_cpu, fs_type, sysfs_type; +type sysfs_dump_modem, fs_type, sysfs_type; +type sysfs_edgetpu, fs_type, sysfs_type; +type sysfs_exynos_bts, fs_type, sysfs_type; +type sysfs_exynos_bts_stats, fs_type, sysfs_type; +type sysfs_fabric, fs_type, sysfs_type; +type sysfs_fingerprint, fs_type, sysfs_type; +type sysfs_force_empty, fs_type, sysfs_type; +type sysfs_gps, fs_type, sysfs_type; +type sysfs_gps_assert, fs_type, sysfs_type; +type sysfs_memory, fs_type, sysfs_type; +type sysfs_mfc, fs_type, sysfs_type; +type sysfs_modem, fs_type, sysfs_type; +type sysfs_modem_state, fs_type, sysfs_type; +type sysfs_odpm, fs_type, sysfs_type; +type sysfs_ota, fs_type, sysfs_type; +type sysfs_pakills, fs_type, sysfs_type; +type sysfs_pca, fs_type, sysfs_type; +type sysfs_sjtag, fs_type, sysfs_type; +type sysfs_sscoredump_level, 
fs_type, sysfs_type; +type sysfs_sscoredump_subsystem_report_count, fs_type, sysfs_type; +type sysfs_st33spi, fs_type, sysfs_type; +type sysfs_touch, fs_type, sysfs_type; +type sysfs_trusty, fs_type, sysfs_type; +type sysfs_usbc_throttling_stats, fs_type, sysfs_type; +type sysfs_vendor_metrics, fs_type, sysfs_type; +type sysfs_wifi, fs_type, sysfs_type; +type sysfs_wlc, fs_type, sysfs_type; +type tcpdump_logger_exec, exec_type, file_type, vendor_file_type; +type tcpdump_vendor_data_file, data_file_type, file_type; +type updated_wifi_firmware_data_file, data_file_type, file_type; +type uwb_data_vendor, data_file_type, file_type; +type uwb_vendor_data_file, app_data_file_type, data_file_type, file_type; +type vendor_battery_debugfs, debugfs_type, fs_type; +type vendor_bt_data_file, data_file_type, file_type; +type vendor_bts_debugfs, debugfs_type, fs_type; +type vendor_camera_data_file, data_file_type, file_type; +type vendor_camera_tuning_file, file_type, vendor_file_type; +type vendor_cbd_log_file, data_file_type, file_type; +type vendor_charger_debugfs, debugfs_type, fs_type; +type vendor_cma_debugfs, debugfs_type, fs_type; +type vendor_dmabuf_debugfs, debugfs_type, fs_type; +type vendor_dmd_log_file, data_file_type, file_type; +type vendor_dri_debugfs, debugfs_type, fs_type; +type vendor_dump_log_file, data_file_type, file_type; +type vendor_dumpsys, file_type, vendor_file_type; +type vendor_fw_file, file_type, vendor_file_type; +type vendor_gps_file, data_file_type, file_type; +type vendor_hwc_log_file, data_file_type, file_type; +type vendor_ims_data_file, data_file_type, file_type; +type vendor_ion_debugfs, debugfs_type, fs_type; +type vendor_log_file, data_file_type, file_type; +type vendor_maxfg_debugfs, debugfs_type, fs_type; +type vendor_media_data_file, data_file_type, file_type; +type vendor_misc_data_file, data_file_type, file_type; +type vendor_nfc_vendor_data_file, data_file_type, file_type; +type vendor_page_pinner_debugfs, debugfs_type, fs_type; 
+type vendor_pm_genpd_debugfs, debugfs_type, fs_type; +type vendor_regmap_debugfs, debugfs_type, fs_type; +type vendor_rfsd_log_file, data_file_type, file_type; +type vendor_rild_log_file, data_file_type, file_type; +type vendor_slog_file, data_file_type, file_type, mlstrustedobject; +type vendor_usb_debugfs, debugfs_type, fs_type; +type vendor_usf_reg_edit, file_type, vendor_file_type; +type vendor_usf_stats, file_type, vendor_file_type; +type vendor_votable_debugfs, debugfs_type, fs_type; +type vendor_wlc_fwupdata_file, file_type, vendor_file_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts new file mode 100644 index 00000000..b832d55e --- /dev/null +++ b/sepolicy/vendor/file_contexts 
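Review bot: `type persist_camera_file, file_type;` is the only `persist_*` type in this list declared without `vendor_persist_type`, so any rule written against that attribute will not cover it. If that is not deliberate, the line should read `type persist_camera_file, file_type, vendor_persist_type;`. The list also declares both `uwb_data_vendor` and `uwb_vendor_data_file`; a comment saying which paths each one labels would prevent them being mixed up. The types that carry `mlstrustedobject` would likewise benefit from a note on which domains need to reach them across MLS levels.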
@@ -0,0 +1,418 @@ +/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 +/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 +/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0 +/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0 
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 +/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 +/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0 +/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 +/data/nfc(/.*)? u:object_r:nfc_data_file:s0 +/data/per_boot(/.*)? u:object_r:per_boot_file:s0 +/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0 +/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 +/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0 +/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0 +/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0 +/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 +/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 +/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 +/data/vendor/intelligence(/.*)? u:object_r:intelligence_data_file:s0 +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 +/data/vendor/log/dmd(/.*)? 
u:object_r:vendor_dmd_log_file:s0 +/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 +/data/vendor/log/hwc(/.*)? u:object_r:vendor_hwc_log_file:s0 +/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 +/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 +/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 +/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 +/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 +/data/vendor/mitigation(/.*)? u:object_r:mitigation_vendor_data_file:s0 +/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 +/data/vendor/nfc(/.*)? u:object_r:vendor_nfc_vendor_data_file:s0 +/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0 +/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0 +/data/vendor/ramdump(/.*)? u:object_r:ramdump_vendor_data_file:s0 +/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 +/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 +/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0 +/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 +/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 +/data/vendor/ssrdump(/.*)? u:object_r:sscoredump_vendor_data_crashinfo_file:s0 +/data/vendor/ssrdump/coredump(/.*)? u:object_r:sscoredump_vendor_data_coredump_file:s0 +/data/vendor/ssrdump/logcat(/.*)? u:object_r:sscoredump_vendor_data_logcat_file:s0 +/data/vendor/storage(/.*)? u:object_r:dump_storage_data_file:s0 +/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 +/data/vendor/tombstones/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0 +/data/vendor/uwb(/.*)? 
u:object_r:uwb_data_vendor:s0 +/dev/abrolhos u:object_r:edgetpu_device:s0 +/dev/acd-ambient_pcm u:object_r:aoc_device:s0 +/dev/acd-aocx_control u:object_r:aoc_device:s0 +/dev/acd-aocx_inject[0-9]* u:object_r:aoc_device:s0 +/dev/acd-aocx_tapout[0-9]* u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0 +/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0 +/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0 +/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0 +/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0 +/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0 +/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0 +/dev/acd-audio_input_tuning u:object_r:aoc_device:s0 +/dev/acd-audio_output_tuning u:object_r:aoc_device:s0 +/dev/acd-audio_rtp_rx u:object_r:aoc_device:s0 +/dev/acd-audio_rtp_tx u:object_r:aoc_device:s0 +/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 +/dev/acd-chre_bt_offload_ctl u:object_r:aoc_device:s0 +/dev/acd-chre_bt_offload_data_rx u:object_r:aoc_device:s0 +/dev/acd-chre_bt_offload_data_tx u:object_r:aoc_device:s0 +/dev/acd-chre_ctl u:object_r:aoc_device:s0 +/dev/acd-chre_data_rx u:object_r:aoc_device:s0 +/dev/acd-chre_data_tx u:object_r:aoc_device:s0 +/dev/acd-com.google.bt u:object_r:aoc_device:s0 +/dev/acd-com.google.bt.non_wake_up u:object_r:aoc_device:s0 +/dev/acd-com.google.chre u:object_r:aoc_device:s0 +/dev/acd-com.google.chre.non_wake_up u:object_r:aoc_device:s0 +/dev/acd-com.google.umfw_stat u:object_r:aoc_device:s0 +/dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0 +/dev/acd-debug u:object_r:aoc_device:s0 +/dev/acd-hotword_notification u:object_r:aoc_device:s0 +/dev/acd-hotword_pcm u:object_r:aoc_device:s0 +/dev/acd-logging u:object_r:aoc_device:s0 +/dev/acd-mc_headpos u:object_r:aoc_device:s0 +/dev/acd-mel_processor u:object_r:aoc_device:s0 +/dev/acd-model_data u:object_r:aoc_device:s0 +/dev/acd-sound_trigger u:object_r:aoc_device:s0 +/dev/amcs 
u:object_r:amcs_device:s0 +/dev/aoc u:object_r:aoc_device:s0 +/dev/battery_history u:object_r:battery_history_device:s0 +/dev/bbd_control u:object_r:vendor_gnss_device:s0 +/dev/bbd_pwrstat u:object_r:power_stats_device:s0 +/dev/bigocean u:object_r:video_device:s0 +/dev/block/by-name/userdata_exp.* u:object_r:userdata_exp_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] 
u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/sda u:object_r:sda_block_device:s0 +/dev/cpuctl(/.*)? 
u:object_r:cpuctl_device:s0 +/dev/dit2 u:object_r:vendor_toe_device:s0 +/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0 +/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 +/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0 +/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/fimg2d u:object_r:graphics_device:s0 +/dev/fth_fd u:object_r:fingerprint_device:s0 +/dev/g2d u:object_r:graphics_device:s0 +/dev/gnss_ipc u:object_r:vendor_gnss_device:s0 +/dev/goodix_fp u:object_r:fingerprint_device:s0 +/dev/gsc0 u:object_r:citadel_device:s0 +/dev/ispolin_ranging u:object_r:rls_device:s0 +/dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpif u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0 +/dev/logbuffer_rtx u:object_r:logbuffer_device:s0 +/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 +/dev/logbuffer_tcpm 
u:object_r:logbuffer_device:s0 +/dev/logbuffer_ttf u:object_r:logbuffer_device:s0 +/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0 +/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_wireless u:object_r:logbuffer_device:s0 +/dev/lwis-act-ak7377 u:object_r:lwis_device:s0 +/dev/lwis-act-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-act0 u:object_r:lwis_device:s0 +/dev/lwis-act1 u:object_r:lwis_device:s0 +/dev/lwis-csi u:object_r:lwis_device:s0 +/dev/lwis-dpm u:object_r:lwis_device:s0 +/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-eeprom0 u:object_r:lwis_device:s0 +/dev/lwis-eeprom1 u:object_r:lwis_device:s0 +/dev/lwis-eeprom2 u:object_r:lwis_device:s0 +/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 +/dev/lwis-flash0 u:object_r:lwis_device:s0 +/dev/lwis-g3aa u:object_r:lwis_device:s0 +/dev/lwis-gdc0 u:object_r:lwis_device:s0 +/dev/lwis-gdc1 u:object_r:lwis_device:s0 +/dev/lwis-gtnr-align u:object_r:lwis_device:s0 +/dev/lwis-gtnr-merge u:object_r:lwis_device:s0 +/dev/lwis-ipp u:object_r:lwis_device:s0 +/dev/lwis-itp u:object_r:lwis_device:s0 +/dev/lwis-mcsc u:object_r:lwis_device:s0 +/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0 +/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-pdp u:object_r:lwis_device:s0 +/dev/lwis-scsc u:object_r:lwis_device:s0 
+/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx471 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 +/dev/lwis-sensor0 u:object_r:lwis_device:s0 +/dev/lwis-sensor1 u:object_r:lwis_device:s0 +/dev/lwis-sensor2 u:object_r:lwis_device:s0 +/dev/lwis-slc u:object_r:lwis_device:s0 +/dev/lwis-top u:object_r:lwis_device:s0 +/dev/lwis-votf u:object_r:lwis_device:s0 +/dev/mali0 u:object_r:gpu_device:s0 +/dev/oem_ipc[0-7] u:object_r:radio_device:s0 +/dev/radio0 u:object_r:radio_device:s0 +/dev/repeater u:object_r:video_device:s0 +/dev/scsc_h4_0 u:object_r:radio_device:s0 +/dev/sg[0-9] u:object_r:sg_device:s0 +/dev/socket/chre u:object_r:chre_socket:s0 +/dev/sscd_.* u:object_r:sscoredump_device:s0 +/dev/st21nfc u:object_r:nfc_device:s0 +/dev/st33spi u:object_r:st33spi_device:s0 +/dev/st54spi u:object_r:st54spi_device:s0 +/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 +/dev/thermal(/.*)? 
u:object_r:thermal_link_device:s0 +/dev/touch_offload u:object_r:touch_offload_device:s0 +/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 +/dev/trusty-log0 u:object_r:trusty_log_device:s0 +/dev/tsmux u:object_r:video_device:s0 +/dev/ttyBCM u:object_r:vendor_gnss_device:s0 +/dev/ttyGS[0-3] u:object_r:serial_device:s0 +/dev/ttySAC0 u:object_r:tty_device:s0 +/dev/ttySAC16 u:object_r:hci_attach_dev:s0 +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/umts_dm0 u:object_r:radio_device:s0 +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ipc1 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 +/dev/umts_router u:object_r:radio_device:s0 +/dev/umts_wfc[01] u:object_r:pktrouter_device:s0 +/dev/watchdog0 u:object_r:watchdog_device:s0 +/dev/wbrc u:object_r:wb_coexistence_dev:s0 +/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 +/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0 +/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 +/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 +/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 +/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 +/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0 +/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 +/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0 +/mnt/vendor/ramdump(/.*)? 
u:object_r:ramdump_vendor_mnt_file:s0 +/persist/sensorcal\.json u:object_r:sensors_cal_file:s0 +/sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging u:object_r:sysfs_scsi_devices_0000:s0 +/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0 +/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0 +/vendor/bin/aocd u:object_r:aocd_exec:s0 +/vendor/bin/aocdump u:object_r:aocdump_exec:s0 +/vendor/bin/aocxd u:object_r:aocxd_exec:s0 +/vendor/bin/dmd u:object_r:dmd_exec:s0 +/vendor/bin/dump/dump_aoc u:object_r:dump_aoc_exec:s0 +/vendor/bin/dump/dump_bcmbt u:object_r:dump_bcmbt_exec:s0 +/vendor/bin/dump/dump_camera u:object_r:dump_camera_exec:s0 +/vendor/bin/dump/dump_devfreq u:object_r:dump_devfreq_exec:s0 +/vendor/bin/dump/dump_display_userdebug\.sh u:object_r:dump_exynos_display_userdebug_exec:s0 +/vendor/bin/dump/dump_exynos_display u:object_r:dump_exynos_display_exec:s0 +/vendor/bin/dump/dump_fingerprint u:object_r:dump_fingerprint_exec:s0 +/vendor/bin/dump/dump_gps u:object_r:dump_gps_exec:s0 +/vendor/bin/dump/dump_gsc\.sh u:object_r:dump_gsc_exec:s0 +/vendor/bin/dump/dump_memory u:object_r:dump_memory_exec:s0 +/vendor/bin/dump/dump_modem u:object_r:dump_modem_exec:s0 +/vendor/bin/dump/dump_modemlog u:object_r:dump_modemlog_exec:s0 +/vendor/bin/dump/dump_perf u:object_r:dump_perf_exec:s0 +/vendor/bin/dump/dump_pixel_metrics u:object_r:dump_pixel_metrics_exec:s0 +/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0 +/vendor/bin/dump/dump_radio u:object_r:dump_radio_exec:s0 +/vendor/bin/dump/dump_ramdump u:object_r:dump_ramdump_exec:s0 +/vendor/bin/dump/dump_sensors u:object_r:dump_sensors_exec:s0 +/vendor/bin/dump/dump_soc u:object_r:dump_soc_exec:s0 +/vendor/bin/dump/dump_storage u:object_r:dump_storage_exec:s0 +/vendor/bin/dump/dump_thermal\.sh u:object_r:dump_thermal_exec:s0 +/vendor/bin/dump/dump_trusty\.sh u:object_r:dump_trusty_exec:s0 +/vendor/bin/dumpsys 
u:object_r:vendor_dumpsys:s0 +/vendor/bin/flood\.control\.hal u:object_r:flood_control_exec:s0 +/vendor/bin/gpu_probe u:object_r:gpu_probe_exec:s0 +/vendor/bin/hw/android\.hardware\.authsecret-service\.citadel u:object_r:hal_authsecret_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.boot-service\.default-pixel u:object_r:hal_bootctl_default_exec:s0 +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 +/vendor/bin/hw/android\.hardware\.dumpstate-service u:object_r:hal_dumpstate_default_exec:s0 +/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 +/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0 +/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0 
+/vendor/bin/hw/android\.hardware\.oemlock-service\.citadel u:object_r:hal_oemlock_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.thermal-service\.pixel u:object_r:hal_thermal_default_exec:s0 +/vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.pixel u:object_r:hal_thermal_default_exec:s0 +/vendor/bin/hw/android\.hardware\.weaver-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 +/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0 +/vendor/bin/hw/battery_mitigation u:object_r:battery_mitigation_exec:s0 +/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0 +/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0 +/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0 +/vendor/bin/hw/com\.google\.edgetpu.tachyon-service u:object_r:edgetpu_tachyon_server_exec:s0 +/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0 +/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 +/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0 +/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0 +/vendor/bin/hw/lhd u:object_r:lhd_exec:s0 +/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.2-service u:object_r:mediacodec_samsung_exec:s0 +/vendor/bin/hw/scd u:object_r:scd_exec:s0 +/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0 +/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0 
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 +/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0 +/vendor/bin/init\.camera\.set-interrupts-ownership u:object_r:init-camera-set-interrupts-ownership_exec:s0 +/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0 +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 +/vendor/bin/insmod\.sh u:object_r:insmod-sh_exec:s0 +/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 +/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 +/vendor/bin/ramdump u:object_r:ramdump_exec:s0 +/vendor/bin/ramdump32 u:object_r:ramdump_exec:s0 +/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/sg_read_buffer u:object_r:sg_util_exec:s0 +/vendor/bin/shared_modem_platform u:object_r:modem_svc_sit_exec:s0 +/vendor/bin/sscoredump u:object_r:sscoredump_exec:s0 +/vendor/bin/storage_init\.sh u:object_r:storage_init_exec:s0 +/vendor/bin/storage_intelligence\.sh u:object_r:storage_intelligence_exec:s0 +/vendor/bin/storageproxyd u:object_r:tee_exec:s0 +/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/vendor/bin/thermal_controld u:object_r:pixel-thermal-control-sh_exec:s0 +/vendor/bin/thermal_logd u:object_r:init-thermal-logging-sh_exec:s0 +/vendor/bin/thermal_symlinks u:object_r:init-thermal-symlinks-sh_exec:s0 +/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0 +/vendor/bin/twoshay u:object_r:twoshay_exec:s0 +/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 +/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0 +/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 +/vendor/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0 +/vendor/bin/wlc_upt/p9412_mtp 
u:object_r:vendor_wlc_fwupdata_file:s0 +/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0 +/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 +/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 +/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 +/vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_tachyon\.google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libfmq\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0 +/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0 +/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0 +/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 
diff --git a/sepolicy/vendor/flood_control.te b/sepolicy/vendor/flood_control.te
new file mode 100644
index 00000000..a255f0bd
--- /dev/null
+++ b/sepolicy/vendor/flood_control.te
@@ -0,0 +1,22 @@
+type flood_control, domain;
+type flood_control_exec, exec_type, file_type, vendor_file_type;
+type flood_control_service, app_api_service, hal_service_type, service_manager_type;
+
+add_service(flood_control, flood_control_service)
+
+binder_use(flood_control)
+
+domain_auto_trans(flood_control, vendor_misc_writer_exec, vendor_misc_writer)
+
+get_prop(flood_control, system_boot_reason_prop)
+
+init_daemon_domain(flood_control)
+
+set_prop(flood_control, vendor_flood_prop)
+
+allow flood_control dumpstate:fd use;
+allow flood_control dumpstate:fifo_file w_file_perms;
+allow flood_control pstorefs:dir r_dir_perms;
+allow flood_control pstorefs:file r_file_perms;
+allow flood_control ramdump_vendor_data_file:dir r_dir_perms;
+allow flood_control ramdump_vendor_data_file:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/fsck.te b/sepolicy/vendor/fsck.te
similarity index 70%
rename from sepolicy/whitechapel/vendor/google/fsck.te
rename to sepolicy/vendor/fsck.te
index cb9470d0..ccdca42a 100644
--- a/sepolicy/whitechapel/vendor/google/fsck.te
+++ b/sepolicy/vendor/fsck.te
@@ -1,5 +1,7 @@
-allow fsck persist_block_device:blk_file rw_file_perms;
 allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_block_device:blk_file rw_file_perms;
 allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck persist_block_device:blk_file rw_file_perms;
 allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
 allow fsck sysfs_scsi_devices_0000:file r_file_perms;
+allow fsck userdata_exp_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 00000000..4f600001
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
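Review bot: In the new flood_control.te, `flood_control_service` carries `app_api_service`, the AOSP attribute that lets app domains find a service. The same domain reads `pstorefs` and `ramdump_vendor_data_file`, writes to the dumpstate fifo and can transition into `vendor_misc_writer`. Nothing in this hunk shows an app client, so if the callers are only system or vendor components the declaration would be tighter as `type flood_control_service, hal_service_type, service_manager_type;`, with `find` granted to the specific client domain. If an app really does need the service, a comment above the type line naming that client and the reason would make the exposure reviewable.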
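Review bot: In fsck.te, the added `allow fsck modem_block_device:blk_file rw_file_perms;` gives fsck write access to every partition with that label, which per the file_contexts in this commit is `modem` and both `modem_[ab]` slots. The hunk gives no reason for the grant, and the same goes for the new `userdata_exp_block_device` rule. A comment above each rule naming the mount that runs fsck on the partition would record why it exists, for example `# fsck is run on <mount point> before mount (see fstab)`. If the modem image is only ever mounted read-only, which this hunk does not show, it is worth checking whether `r_file_perms` would be enough.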
@@ -0,0 +1,382 @@ +genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 +genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0 +genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 +genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /gs101-thermal u:object_r:debugfs_thermal:s0 +genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0 +genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0 +genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 +genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 +genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 +genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 +genfscon debugfs /bts u:object_r:vendor_bts_debugfs:s0 +genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 +genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 +genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0 +genfscon proc /sys/vm/compaction_proactiveness u:object_r:proc_compaction_proactiveness:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 +genfscon proc /vendor_mm u:object_r:proc_vendor_mm:s0 +genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power0_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-12-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 +genfscon 
sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bw/devfreq/17000080.devfreq_bw/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bw/devfreq/17000080.devfreq_bw/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs 
/devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/trans_stat u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/udc/11110000.dwc3/state u:object_r:sysfs_udc:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_pwr_vreg u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs 
/devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_state u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_mode u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_mode 
u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 +genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/audiometrics/adapted_info_active_duration u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/chg_stats u:object_r:sysfs_pca:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/audiometrics/adapted_info_active_count u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0 
+genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/audiometrics/offload_effects_duration u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery 
u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 +genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/audiometrics/cca_count_read_once u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1f000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0 
+genfscon sysfs /devices/platform/audiometrics/cca_rate_read_once u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/offload_effects_id u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /kernel/metrics/thermal/tr_by_group/spmic/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_version u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/1f000000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/cpif/modem/pcie_event_stats 
u:object_r:sysfs_dump_modem:s0 +genfscon sysfs /kernel/metrics/thermal/tr_by_group/tmu/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0042 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c301000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c302000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 +genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /class/power_supply/wireless/device/version 
u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/pcm_latency u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /devices/platform/audiometrics/call_count u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /kernel/vendor_mm/cma/vframe/force_empty u:object_r:sysfs_force_empty:s0 +genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0 +genfscon sysfs /devices/platform/audiometrics/pdm_state u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/audiometrics/pcm_count u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/1c500000.mali/cur_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 +genfscon sysfs /devices/platform/mfc/video4linux/video 
u:object_r:sysfs_mfc:s0 +genfscon sysfs /devices/platform/audiometrics/bt_usage u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 +genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /kernel/metrics/irq/storm_irq_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 +genfscon sysfs /devices/system/chip-id/dvfs_version u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/pkg_revision u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/platform/cpif/wakeup_events u:object_r:sysfs_dump_modem:s0 +genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /kernel/metrics/runnable/stats_reset u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/bbd_pps/pps_assert u:object_r:sysfs_gps_assert:s0 +genfscon sysfs /devices/platform/audiometrics/waves u:object_r:sysfs_pixelstats:s0 +genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 +genfscon sysfs 
/devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/platform/cpif/modem_state u:object_r:sysfs_modem_state:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0 +genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 +genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 +genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 +genfscon sysfs /kernel/metrics/irq/stats_reset u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /kernel/metrics/runnable/stats u:object_r:sysfs_vendor_metrics:s0 +genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 +genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 
+genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25a40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25b40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /module/gs_thermal/parameters u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 +genfscon sysfs /module/drm/parameters/debug u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 +genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0 +genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0 +genfscon sysfs /kernel/vendor_mm/pa_kill u:object_r:sysfs_pakills:s0 +genfscon sysfs /devices/virtual/powercap u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0 +genfscon sysfs /class/sscoredump/level u:object_r:sysfs_sscoredump_level:s0 +genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 +genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 +genfscon sysfs /kernel/pixel_stat u:object_r:sysfs_pixel_stat:s0 +genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 +genfscon sysfs /kernel/vendor_mm u:object_r:sysfs_vendor_mm:s0 +genfscon sysfs /class/powercap u:object_r:sysfs_thermal:s0 +genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 +genfscon sysfs /class/thermal u:object_r:sysfs_thermal:s0 +genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
diff --git a/sepolicy/vendor/gpsd.te b/sepolicy/vendor/gpsd.te
new file mode 100644
index 00000000..c1991a49
--- /dev/null
+++ b/sepolicy/vendor/gpsd.te
@@ -0,0 +1,16 @@
+type gpsd, domain;
+type gpsd_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(gpsd, rild)
+binder_call(gpsd, system_server)
+
+init_daemon_domain(gpsd)
+
+wakelock_use(gpsd)
+
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
+allow gpsd fwk_sensor_service:service_manager find;
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+allow gpsd sysfs_gps_assert:file r_file_perms;
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:{ fifo_file file } create_file_perms;
diff --git a/sepolicy/vendor/gpu_probe.te b/sepolicy/vendor/gpu_probe.te
new file mode 100644
index 00000000..6389c640
--- /dev/null
+++ b/sepolicy/vendor/gpu_probe.te
@@ -0,0 +1,8 @@
+type gpu_probe, domain;
+type gpu_probe_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(gpu_probe)
+
+perfetto_producer(gpu_probe)
+
+allow gpu_probe gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/grilservice_app.te b/sepolicy/vendor/grilservice_app.te
similarity index 90%
rename from sepolicy/whitechapel/vendor/google/grilservice_app.te
rename to sepolicy/vendor/grilservice_app.te
index d22bc010..582626e2 100644
--- a/sepolicy/whitechapel/vendor/google/grilservice_app.te
+++ b/sepolicy/vendor/grilservice_app.te
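Review bot: sepolicy/vendor/gpu_probe.te carries no comment saying what gpu_probe is or when init starts it, yet the new domain receives `rw_file_perms` on `gpu_device:chr_file`. Since the only other rule is `perfetto_producer(gpu_probe)`, it looks like a tracing helper; if that is right and it is not needed on user builds, the `allow` could sit inside `userdebug_or_eng(...)`. Either way, a header such as `# gpu_probe: <purpose>; needs the GPU device node for <reason>` would let an auditor judge the grant without reading the binary.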
@@ -1,14 +1,18 @@ type grilservice_app, domain; + app_domain(grilservice_app) -allow grilservice_app app_api_service:service_manager find; -allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; -allow grilservice_app hal_radioext_hwservice:hwservice_manager find; -allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; -allow grilservice_app hal_wifi_ext_service:service_manager find; -allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; +binder_call(grilservice_app, hal_audiometricext_default) binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) -binder_call(grilservice_app, hal_audiometricext_default) + hal_client_domain(grilservice_app, hal_power_stats) + +allow grilservice_app app_api_service:service_manager find; +allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; +allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow grilservice_app hal_bluetooth_coexistence_service:service_manager find; +allow grilservice_app hal_radioext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; +allow grilservice_app hal_wifi_ext_service:service_manager find; diff --git a/sepolicy/vendor/hal_audio.te b/sepolicy/vendor/hal_audio.te new file mode 100644 index 00000000..a24e66c3 --- /dev/null +++ b/sepolicy/vendor/hal_audio.te 
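Review bot: The added `allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;` is the only new permission in sepolicy/vendor/grilservice_app.te, and it is easy to miss among lines that are merely re-sorted during the rename. I would put a short comment above it, for example `# AIDL coexistence service; the hwservice rule stays for HIDL` once that reason is confirmed, and mention the grant in the commit description. That way it is reviewed as a policy change and not as part of the file move.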
@@ -0,0 +1,49 @@
+add_hwservice(hal_audio_default, hal_audio_ext_hwservice)
+
+binder_call(hal_audio_default, aocxd)
+binder_call(hal_audio_default, edgetpu_app_server)
+binder_call(hal_audio_default, edgetpu_vendor_server)
+
+get_prop(hal_audio_default, vendor_edgetpu_runtime_prop)
+get_prop(hal_audio_default, vendor_hetero_runtime_prop)
+get_prop(hal_audio_default, vendor_tflite_delegate_prop)
+
+hal_client_domain(hal_audio_default, hal_graphics_allocator)
+hal_client_domain(hal_audio_default, hal_health)
+hal_client_domain(hal_audio_default, hal_thermal)
+
+perfetto_producer(hal_audio_default)
+
+r_dir_file(hal_audio_default, aoc_audio_file)
+r_dir_file(hal_audio_default, mnt_vendor_file)
+r_dir_file(hal_audio_default, persist_audio_file)
+
+set_prop(hal_audio_default, vendor_audio_prop)
+set_prop(hal_audio_default, vendor_audio_prop_restricted)
+
+unix_socket_connect(hal_audio_default, property, traced)
+unix_socket_connect(hal_audio_default, traced_producer, init)
+
+vndbinder_use(hal_audio_default)
+
+wakelock_use(hal_audio_default)
+
+allow hal_audio_default amcs_device:{ chr_file file } rw_file_perms;
+allow hal_audio_default aoc_device:{ chr_file file } rw_file_perms;
+allow hal_audio_default aocx:service_manager find;
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+allow hal_audio_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_audio_default edgetpu_app_service:service_manager find;
+allow hal_audio_default edgetpu_device:chr_file rw_file_perms;
+allow hal_audio_default edgetpu_vendor_service:service_manager find;
+allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_audio_default fwk_stats_service:service_manager find;
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default sysfs_aoc:dir search;
+allow hal_audio_default sysfs_aoc_boottime:file r_file_perms;
+allow hal_audio_default sysfs_extcon:dir search;
+allow hal_audio_default sysfs_extcon:file r_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+allow hal_audio_default vendor_usb_debugfs:dir search;
diff --git a/sepolicy/vendor/hal_audiometricext.te b/sepolicy/vendor/hal_audiometricext.te
new file mode 100644
index 00000000..61102d85
--- /dev/null
+++ b/sepolicy/vendor/hal_audiometricext.te
@@ -0,0 +1,15 @@
+type hal_audiometricext_default, domain;
+type hal_audiometricext_default_exec, exec_type, file_type, vendor_file_type;
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
+add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice)
+
+get_prop(hal_audiometricext_default, hwservicemanager_prop)
+get_prop(hal_audiometricext_default, vendor_audio_prop)
+
+hwbinder_use(hal_audiometricext_default)
+
+init_daemon_domain(hal_audiometricext_default)
+
+allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
+allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_authsecret_citadel.te b/sepolicy/vendor/hal_authsecret_citadel.te
new file mode 100644
index 00000000..b048f972
--- /dev/null
+++ b/sepolicy/vendor/hal_authsecret_citadel.te
@@ -0,0 +1,12 @@
+type hal_authsecret_citadel, domain;
+type hal_authsecret_citadel_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(hal_authsecret_citadel, citadeld)
+
+hal_server_domain(hal_authsecret_citadel, hal_authsecret)
+
+init_daemon_domain(hal_authsecret_citadel)
+
+vndbinder_use(hal_authsecret_citadel)
+
+allow hal_authsecret_citadel citadeld_service:service_manager find;
diff --git a/sepolicy/vendor/hal_bluetooth_btlinux.te b/sepolicy/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..bbf2fa28
--- /dev/null
+++ b/sepolicy/vendor/hal_bluetooth_btlinux.te
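Review bot: The two `unix_socket_connect` lines in hal_audio.te pair socket and peer the wrong way round: `unix_socket_connect(hal_audio_default, property, traced)` and `unix_socket_connect(hal_audio_default, traced_producer, init)`. Taken together they amount to the property-socket/init and traced_producer-socket/traced permissions, which the `set_prop(...)` and `perfetto_producer(hal_audio_default)` lines in the same file should already grant, so they read as both redundant and misleading to the next reviewer. I would drop both, or if they must stay write them as `unix_socket_connect(hal_audio_default, property, init)` and `unix_socket_connect(hal_audio_default, traced_producer, traced)`. Separately, `allow hal_audio_default vendor_usb_debugfs:dir search;` is unconditional; if that type labels a debugfs path it probably belongs inside `userdebug_or_eng(...)`.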
@@ -0,0 +1,21 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice)
+
+add_service(hal_bluetooth_btlinux, hal_bluetooth_coexistence_service)
+
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+binder_call(hal_bluetooth_btlinux, servicemanager)
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
+
+get_prop(hal_bluetooth_btlinux, boot_status_prop)
+
+vndbinder_use(hal_bluetooth_btlinux)
+
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_bootctl.te b/sepolicy/vendor/hal_bootctl.te
new file mode 100644
index 00000000..21867f4d
--- /dev/null
+++ b/sepolicy/vendor/hal_bootctl.te
@@ -0,0 +1,5 @@
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default tee_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_camera.te b/sepolicy/vendor/hal_camera.te
new file mode 100644
index 00000000..55c0789e
--- /dev/null
+++ b/sepolicy/vendor/hal_camera.te
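Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` in hal_bootctl.te grants the boot-control HAL read/write on a block-device type whose name suggests a whole disk rather than one partition, and the new file has no comment explaining the need. If the HAL only rewrites specific partitions, a narrower label would bound what a compromised HAL process can overwrite; the type's definition is not visible in this hunk, so this needs the owner's confirmation. At minimum I would add a rationale line above it, for example `# TODO(owner): document which on-disk structures bootctl updates through sda_block_device`, and do the same for the `devinfo_block_device` and `tee_device` rules.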
@@ -0,0 +1,72 @@
+add_service(hal_camera_default, vendor_image_processing_hal_service)
+
+binder_call(hal_camera_default, edgetpu_app_server)
+binder_call(hal_camera_default, edgetpu_tachyon_server)
+binder_call(hal_camera_default, edgetpu_vendor_server)
+binder_call(hal_camera_default, hal_radioext_default)
+binder_call(hal_camera_default, mediacodec_samsung)
+binder_call(hal_camera_default, rlsservice)
+binder_call(hal_camera_default, system_server)
+binder_call(hal_camera_default, vendor_pbcs_app)
+binder_call(hal_camera_default, vendor_pcs_app)
+
+get_prop(hal_camera_default, vendor_camera_debug_prop)
+get_prop(hal_camera_default, vendor_edgetpu_runtime_prop)
+get_prop(hal_camera_default, vendor_hetero_runtime_prop)
+get_prop(hal_camera_default, vendor_tflite_delegate_prop)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator)
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power)
+hal_client_domain(hal_camera_default, hal_thermal)
+
+set_prop(hal_camera_default, log_tag_prop)
+set_prop(hal_camera_default, vendor_camera_prop)
+
+tmpfs_domain(hal_camera_default)
+
+vndbinder_use(hal_camera_default)
+
+wakelock_use(hal_camera_default)
+
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
+allow hal_camera_default apex_info_file:file r_file_perms;
+allow hal_camera_default camera_binder_service:service_manager find;
+allow hal_camera_default camera_lyricconfigprovider_service:service_manager find;
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default eco_service:service_manager find;
+allow hal_camera_default edgetpu_app_service:service_manager find;
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_tachyon_service:service_manager find;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+allow hal_camera_default fwk_stats_service:service_manager find;
+allow hal_camera_default hal_pixel_remote_camera_service:service_manager find;
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+allow hal_camera_default kernel:process setsched;
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default proc_interrupts:dir r_dir_perms;
+allow hal_camera_default proc_interrupts:file r_file_perms;
+allow hal_camera_default proc_irq:dir r_dir_perms;
+allow hal_camera_default proc_irq:file rw_file_perms;
+allow hal_camera_default rls_service:service_manager find;
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+allow hal_camera_default sysfs_display:file r_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+
+dontaudit hal_camera_default system_data_file:dir search;
+dontaudit hal_camera_default traced:unix_stream_socket connectto;
+dontaudit hal_camera_default traced_producer_socket:sock_file write;
diff --git a/sepolicy/vendor/hal_contexthub.te b/sepolicy/vendor/hal_contexthub.te
new file mode 100644
index 00000000..f84a56d4
--- /dev/null
+++ b/sepolicy/vendor/hal_contexthub.te
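Review bot: The three `dontaudit` rules that close hal_camera.te silence denials without saying why they are expected, so a later real regression on `system_data_file:dir search` or the `traced` socket would leave no audit trail. Each should carry a short rationale and tracking reference, for example `# TODO(b/<bug-id>): expected denial, see bug` above the rule it covers. The same file grants `kernel:process setsched`, `self:global_capability_class_set sys_nice` and `proc_irq:file rw_file_perms` with no comment; these are scheduling and IRQ-affinity privileges that a reviewer cannot justify from the rule list alone, so a one-line comment per group would help.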
@@ -0,0 +1,20 @@
+binder_call(hal_contexthub_default, hal_sensors_default)
+binder_call(hal_contexthub_default, hal_wifi_ext)
+
+get_prop(hal_contexthub_default, vendor_aoc_prop)
+
+hal_client_domain(hal_contexthub_default, hal_graphics_allocator)
+
+unix_socket_connect(hal_contexthub_default, chre, chre)
+
+wakelock_use(hal_contexthub_default)
+
+allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
+allow hal_contexthub_default aoc_device:dir r_dir_perms;
+allow hal_contexthub_default chre_data_file:dir create_dir_perms;
+allow hal_contexthub_default chre_data_file:file create_file_perms;
+allow hal_contexthub_default device:dir r_dir_perms;
+allow hal_contexthub_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_contexthub_default hal_wifi_ext_service:service_manager find;
+allow hal_contexthub_default sysfs_aoc:dir search;
+allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_drm_default.te b/sepolicy/vendor/hal_drm.te
similarity index 95%
rename from sepolicy/whitechapel/vendor/google/hal_drm_default.te
rename to sepolicy/vendor/hal_drm.te
index 30e443a8..6310cded 100644
--- a/sepolicy/whitechapel/vendor/google/hal_drm_default.te
+++ b/sepolicy/vendor/hal_drm.te
@@ -1,6 +1,3 @@
-# L3
-allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
-allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
-
-# L1
 allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te b/sepolicy/vendor/hal_drm_clearkey.te
similarity index 64%
rename from sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te
rename to sepolicy/vendor/hal_drm_clearkey.te
index 0e0a5c24..0d37cf2f 100644
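Review bot: The reordered hal_drm.te loses the `# L3` and `# L1` markers that told a reader which rule serves which DRM path, and the alphabetised list no longer says why `dmabuf_system_heap_device` is needed. The same thing happens in the hal_drm_widevine.te, hal_fingerprint.te, hal_graphics_composer.te, hal_nfc.te and hal_health_storage.te hunks of this commit, where every rationale comment is deleted along with the sort. Sorting is fine, but the justification should survive it, for instance as trailing comments: `allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms; # L1` and `# L3` on the two `mediadrm_vendor_data_file` rules. Without them a later audit cannot tell a required permission from a leftover one.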
--- a/sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te +++ b/sepolicy/vendor/hal_drm_clearkey.te @@ -1,5 +1,6 @@ type hal_drm_clearkey, domain; -type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_drm_clearkey) +type hal_drm_clearkey_exec, exec_type, file_type, vendor_file_type; hal_server_domain(hal_drm_clearkey, hal_drm) + +init_daemon_domain(hal_drm_clearkey) diff --git a/sepolicy/whitechapel/vendor/google/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te similarity index 80% rename from sepolicy/whitechapel/vendor/google/hal_drm_widevine.te rename to sepolicy/vendor/hal_drm_widevine.te index 753f5e66..2b51c9a6 100644 --- a/sepolicy/whitechapel/vendor/google/hal_drm_widevine.te +++ b/sepolicy/vendor/hal_drm_widevine.te @@ -1,12 +1,10 @@ type hal_drm_widevine, domain; -type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_drm_widevine) +type hal_drm_widevine_exec, exec_type, file_type, vendor_file_type; hal_server_domain(hal_drm_widevine, hal_drm) -# L3 -allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; -allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms; +init_daemon_domain(hal_drm_widevine) -# L1 -allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms; \ No newline at end of file +allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms; +allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms; diff --git a/sepolicy/vendor/hal_dumpstate.te b/sepolicy/vendor/hal_dumpstate.te new file mode 100644 index 00000000..0c0fa82f --- /dev/null +++ b/sepolicy/vendor/hal_dumpstate.te 
@@ -0,0 +1,13 @@
+binder_call(hal_dumpstate_default, twoshay)
+
+domain_auto_trans(hal_dumpstate_default, dump_gsc_exec, dump_gsc)
+
+set_prop(hal_dumpstate_default, vendor_logger_prop)
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+allow hal_dumpstate_default shell_data_file:file getattr;
+allow hal_dumpstate_default touch_context_service:service_manager find;
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+
+neverallow hal_dumpstate_default { vendor_file_type -vendor_toolbox_exec }:file execute_no_trans;
diff --git a/sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint.te
similarity index 73%
rename from sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te
rename to sepolicy/vendor/hal_fingerprint.te
index 69549701..ebe83ca3 100644
--- a/sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint.te
@@ -1,39 +1,30 @@ -allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; -allow hal_fingerprint_default tee_device:chr_file rw_file_perms; -allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; -allow hal_fingerprint_default sysfs_batteryinfo:dir search; -allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; -allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; -allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; -allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; -allow hal_fingerprint_default fwk_stats_service:service_manager find; -get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) -set_prop(hal_fingerprint_default, vendor_fingerprint_prop) add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) -# allow fingerprint to access power hal -hal_client_domain(hal_fingerprint_default, hal_power); - -# Allow access to the files of CDT information. -r_dir_file(hal_fingerprint_default, sysfs_chosen) - -# Allow fingerprint to access calibration blk device. 
-allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms }; -allow hal_fingerprint_default block_device:dir search; - -# Allow fingerprint to access fwk_sensor_hwservice -allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; - -# Allow fingerprint to read sysfs_display -allow hal_fingerprint_default sysfs_display:file r_file_perms; - -# Allow fingerprint to access trusty sysfs -allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; - -# Allow fingerprint to access display hal -allow hal_fingerprint_default hal_pixel_display_service:service_manager find; binder_call(hal_fingerprint_default, hal_graphics_composer_default) -# allow fingerprint to read sysfs_leds -allow hal_fingerprint_default sysfs_leds:file r_file_perms; +get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) + +hal_client_domain(hal_fingerprint_default, hal_power) + +r_dir_file(hal_fingerprint_default, sysfs_chosen) + +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) + +allow hal_fingerprint trusty_log_device:chr_file r_file_perms; +allow hal_fingerprint_default block_device:dir search; +allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; +allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; +allow hal_fingerprint_default fwk_stats_service:service_manager find; +allow hal_fingerprint_default hal_pixel_display_service:service_manager find; +allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms; +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +allow hal_fingerprint_default sysfs_batteryinfo:dir search; +allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms; +allow hal_fingerprint_default sysfs_display:file r_file_perms; +allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms; +allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms; 
allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_gnss.te b/sepolicy/vendor/hal_gnss.te new file mode 100644 index 00000000..2b9502fd --- /dev/null +++ b/sepolicy/vendor/hal_gnss.te @@ -0,0 +1,2 @@ +allow hal_gnss_default vendor_gps_file:dir create_dir_perms; +allow hal_gnss_default vendor_gps_file:{ fifo_file file } create_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te b/sepolicy/vendor/hal_graphics_allocator.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te rename to sepolicy/vendor/hal_graphics_allocator.te index 9791dae6..17a8139b 100644 --- a/sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te +++ b/sepolicy/vendor/hal_graphics_allocator.te @@ -1,4 +1,4 @@ -allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms; diff --git a/sepolicy/display/gs101/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer.te similarity index 64% rename from sepolicy/display/gs101/hal_graphics_composer_default.te rename to sepolicy/vendor/hal_graphics_composer.te index dccddf0e..d3111325 100644 --- a/sepolicy/display/gs101/hal_graphics_composer_default.te +++ b/sepolicy/vendor/hal_graphics_composer.te 
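Review bot: The new rule `allow hal_fingerprint trusty_log_device:chr_file r_file_perms;` is written against `hal_fingerprint`, while every other rule in hal_fingerprint.te names the `hal_fingerprint_default` type. `hal_fingerprint` is normally the HAL attribute, so the rule would apply to every domain carrying that attribute rather than to this one service; whether that is intended cannot be seen from the hunk. If it is a slip, the line should read `allow hal_fingerprint_default trusty_log_device:chr_file r_file_perms;`. The hunk also drops the comment that explained the `mfg_data_block_device:blk_file rw_file_perms` grant (calibration access), which is worth keeping next to a read/write block-device rule.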
@@ -1,46 +1,36 @@ -allow hal_graphics_composer_default video_device:chr_file rw_file_perms; +add_service(hal_graphics_composer_default, hal_pixel_display_service) +add_service(hal_graphics_composer_default, vendor_displaycolor_service) add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) -hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) -allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; -vndbinder_use(hal_graphics_composer_default) -userdebug_or_eng(` - allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms; +binder_call(hal_graphics_composer_default, hal_power_default) - # For HWC/libdisplaycolor to generate calibration file. - allow hal_graphics_composer_default persist_display_file:file create_file_perms; - allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms; -') +binder_use(hal_graphics_composer_default) -# allow HWC/libdisplaycolor to read calibration data -allow hal_graphics_composer_default mnt_vendor_file:dir search; -allow hal_graphics_composer_default persist_file:dir search; -allow hal_graphics_composer_default persist_display_file:file r_file_perms; -allow hal_graphics_composer_default persist_display_file:dir search; - -# allow HWC to r/w backlight -allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; -allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; - -# allow HWC to get vendor_persist_sys_default_prop +get_prop(hal_graphics_composer_default, boot_status_prop) +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop) -# allow HWC to get/set vendor_display_prop +hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) +hal_client_domain(hal_graphics_composer_default, hal_power) + set_prop(hal_graphics_composer_default, vendor_display_prop) -# allow HWC to get 
device_config_surface_flinger_native_boot_prop for adpf flags -get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) +vndbinder_use(hal_graphics_composer_default) -# allow HWC to access vendor_displaycolor_service -add_service(hal_graphics_composer_default, vendor_displaycolor_service) - -add_service(hal_graphics_composer_default, hal_pixel_display_service) -binder_use(hal_graphics_composer_default) -get_prop(hal_graphics_composer_default, boot_status_prop); - -# allow HWC to access vendor log file -allow hal_graphics_composer_default vendor_log_file:file create_file_perms; - -# allow HWC to output to dumpstate via pipe fd -allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; +allow hal_graphics_composer_default dump_exynos_display:fd use; +allow hal_graphics_composer_default dump_exynos_display:fifo_file { append write }; allow hal_graphics_composer_default hal_dumpstate_default:fd use; +allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write }; +allow hal_graphics_composer_default mnt_vendor_file:dir search; +allow hal_graphics_composer_default persist_display_file:dir search; +allow hal_graphics_composer_default persist_display_file:file r_file_perms; +allow hal_graphics_composer_default persist_file:dir search; +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow hal_graphics_composer_default sysfs_display:dir search; +allow hal_graphics_composer_default sysfs_display:file rw_file_perms; +allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; +allow hal_graphics_composer_default vendor_log_file:file create_file_perms; +allow hal_graphics_composer_default video_device:chr_file 
rw_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hal_health_default.te b/sepolicy/vendor/hal_health.te similarity index 99% rename from sepolicy/whitechapel/vendor/google/hal_health_default.te rename to sepolicy/vendor/hal_health.te index 9954bee0..677a24b7 100644 --- a/sepolicy/whitechapel/vendor/google/hal_health_default.te +++ b/sepolicy/vendor/hal_health.te @@ -1,19 +1,18 @@ -allow hal_health_default mnt_vendor_file:dir search; -allow hal_health_default persist_file:dir search; -allow hal_health_default persist_battery_file:file create_file_perms; -allow hal_health_default persist_battery_file:dir rw_dir_perms; +binder_use(hal_health_default) + +r_dir_file(hal_health_default, sysfs_scsi_devices_0000) set_prop(hal_health_default, vendor_battery_defender_prop) set_prop(hal_health_default, vendor_shutdown_prop) -r_dir_file(hal_health_default, sysfs_scsi_devices_0000) allow hal_health_default fwk_stats_service:service_manager find; -binder_use(hal_health_default) - +allow hal_health_default mnt_vendor_file:dir search; +allow hal_health_default persist_battery_file:dir rw_dir_perms; +allow hal_health_default persist_battery_file:file create_file_perms; +allow hal_health_default persist_file:dir search; allow hal_health_default sysfs_batteryinfo:file w_file_perms; allow hal_health_default sysfs_thermal:dir search; allow hal_health_default sysfs_thermal:file w_file_perms; allow hal_health_default sysfs_thermal:lnk_file read; -allow hal_health_default thermal_link_device:dir search; - allow hal_health_default sysfs_wlc:dir search; +allow hal_health_default thermal_link_device:dir search; diff --git a/sepolicy/whitechapel/vendor/google/hal_health_storage_default.te b/sepolicy/vendor/hal_health_storage.te similarity index 75% rename from sepolicy/whitechapel/vendor/google/hal_health_storage_default.te rename to sepolicy/vendor/hal_health_storage.te index 2aa0881e..f25299f6 100644 --- a/sepolicy/whitechapel/vendor/google/hal_health_storage_default.te 
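Review bot: The new `vendor_hwc_log_file:dir rw_dir_perms` and `vendor_hwc_log_file:file create_file_perms` rules in hal_graphics_composer.te are unconditional, whereas the removed side kept log-directory creation and calibration-file writes inside `userdebug_or_eng(...)`. If HWC log files are a debugging aid, the two `vendor_hwc_log_file` rules should sit in a `userdebug_or_eng` block so user builds do not gain a writable log location; if they are needed on user builds, a comment saying so would settle the question. The hunk also adds `sysfs_display:file rw_file_perms` without a rationale, and the old per-rule comments (backlight, calibration data, dumpstate pipe) are gone.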
+++ b/sepolicy/vendor/hal_health_storage.te
@@ -1,3 +1,2 @@
-# Access to /sys/devices/platform/14700000.ufs/*
 allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
 allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_identity_citadel.te b/sepolicy/vendor/hal_identity_citadel.te
new file mode 100644
index 00000000..e913ee33
--- /dev/null
+++ b/sepolicy/vendor/hal_identity_citadel.te
@@ -0,0 +1,14 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(hal_identity_citadel, citadeld)
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+hal_server_domain(hal_identity_citadel, hal_keymint)
+
+init_daemon_domain(hal_identity_citadel)
+
+vndbinder_use(hal_identity_citadel)
+
+allow hal_identity_citadel citadeld_service:service_manager find;
+allow hal_identity_citadel hal_keymint_citadel:binder call;
diff --git a/sepolicy/vendor/hal_input_processor.te b/sepolicy/vendor/hal_input_processor.te
new file mode 100644
index 00000000..df054b47
--- /dev/null
+++ b/sepolicy/vendor/hal_input_processor.te
@@ -0,0 +1 @@
+get_prop(hal_input_processor_default, vendor_display_prop)
diff --git a/sepolicy/vendor/hal_keymint_citadel.te b/sepolicy/vendor/hal_keymint_citadel.te
new file mode 100644
index 00000000..d707ea72
--- /dev/null
+++ b/sepolicy/vendor/hal_keymint_citadel.te
@@ -0,0 +1,14 @@
+type hal_keymint_citadel, domain;
+type hal_keymint_citadel_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(hal_keymint_citadel, citadeld)
+
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+
+init_daemon_domain(hal_keymint_citadel)
+
+vndbinder_use(hal_keymint_citadel)
+
+allow hal_keymint_citadel citadeld_service:service_manager find;
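Review bot: `hal_server_domain(hal_identity_citadel, hal_keymint)` in hal_identity_citadel.te makes the identity HAL domain a KeyMint server as well, which widens who may talk to it, and the file gives no reason. If the intent is only that the identity HAL calls into KeyMint, the following `allow hal_identity_citadel hal_keymint_citadel:binder call;` already covers the call direction and the server attribute may be unnecessary; this needs confirmation from the owner. That last rule is also the only raw binder rule among the `binder_call(...)` macros used elsewhere in the file; `binder_call(hal_identity_citadel, hal_keymint_citadel)` would be consistent, noting that the macro grants slightly more than a bare `call`. A one-line comment above the `hal_keymint` server line would record the design decision either way.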
diff --git a/sepolicy/whitechapel/vendor/google/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack.te
similarity index 100%
rename from sepolicy/whitechapel/vendor/google/hal_memtrack_default.te
rename to sepolicy/vendor/hal_memtrack.te
diff --git a/sepolicy/vendor/hal_neuralnetworks_darwinn.te b/sepolicy/vendor/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..7434cdbd
--- /dev/null
+++ b/sepolicy/vendor/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,37 @@
+type hal_neuralnetworks_darwinn, domain;
+type hal_neuralnetworks_darwinn_exec, exec_type, file_type, vendor_file_type;
+
+add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service)
+
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server)
+binder_call(hal_neuralnetworks_darwinn, system_server)
+
+binder_use(hal_neuralnetworks_darwinn)
+
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
+get_prop(hal_neuralnetworks_darwinn, vendor_edgetpu_runtime_prop)
+get_prop(hal_neuralnetworks_darwinn, vendor_hetero_runtime_prop)
+get_prop(hal_neuralnetworks_darwinn, vendor_tflite_delegate_prop)
+
+hal_client_domain(hal_neuralnetworks_darwinn, hal_graphics_allocator)
+hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
+
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+hwbinder_use(hal_neuralnetworks_darwinn)
+
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+allow hal_neuralnetworks_darwinn dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+allow hal_neuralnetworks_darwinn hal_graphics_allocator_service:service_manager find;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create rw_file_perms unlink };
+allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
+allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_nfc_default.te b/sepolicy/vendor/hal_nfc.te similarity index 72% rename from sepolicy/whitechapel/vendor/google/hal_nfc_default.te rename to sepolicy/vendor/hal_nfc.te index 56b6e2e2..3f803711 100644 --- a/sepolicy/whitechapel/vendor/google/hal_nfc_default.te +++ b/sepolicy/vendor/hal_nfc.te @@ -1,16 +1,11 @@ -# NFC property -set_prop(hal_nfc_default, vendor_nfc_prop) +get_prop(hal_nfc_default, vendor_uwb_calibration_country_code) +get_prop(hal_nfc_default, vendor_uwb_calibration_prop) -# SecureElement property +set_prop(hal_nfc_default, vendor_modem_prop) +set_prop(hal_nfc_default, vendor_nfc_prop) set_prop(hal_nfc_default, vendor_secure_element_prop) -# Modem property -set_prop(hal_nfc_default, vendor_modem_prop) - -# Access uwb cal for SecureRanging Applet allow hal_nfc_default uwb_data_vendor:dir r_dir_perms; allow hal_nfc_default uwb_data_vendor:file r_file_perms; - -# allow nfc to read uwb calibration file -get_prop(hal_nfc_default, vendor_uwb_calibration_prop) -get_prop(hal_nfc_default, vendor_uwb_calibration_country_code) +allow hal_nfc_default vendor_nfc_vendor_data_file:dir rw_dir_perms; +allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms; diff --git a/sepolicy/vendor/hal_oemlock_citadel.te b/sepolicy/vendor/hal_oemlock_citadel.te new file mode 100644 index 00000000..379e1e71 --- /dev/null +++ b/sepolicy/vendor/hal_oemlock_citadel.te @@ -0,0 +1,12 @@ +type hal_oemlock_citadel, domain; +type hal_oemlock_citadel_exec, exec_type, file_type, vendor_file_type; + +binder_call(hal_oemlock_citadel, citadeld) + +hal_server_domain(hal_oemlock_citadel, hal_oemlock) + +init_daemon_domain(hal_oemlock_citadel) + +vndbinder_use(hal_oemlock_citadel) + +allow hal_oemlock_citadel citadeld_service:service_manager find; 
diff --git a/sepolicy/whitechapel/vendor/google/hal_power_default.te b/sepolicy/vendor/hal_power.te similarity index 69% rename from sepolicy/whitechapel/vendor/google/hal_power_default.te rename to sepolicy/vendor/hal_power.te index 122661ae..a92ba641 100644 --- a/sepolicy/whitechapel/vendor/google/hal_power_default.te +++ b/sepolicy/vendor/hal_power.te 
@@ -1,16 +1,26 @@
-allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
-allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
-allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
-allow hal_power_default proc_vendor_sched:file rw_file_perms;
-allow hal_power_default cpuctl_device:file rw_file_perms;
-allow hal_power_default sysfs_gpu:file rw_file_perms;
-allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms;
-allow hal_power_default sysfs_fabric:file rw_file_perms;
-allow hal_power_default sysfs_camera:file rw_file_perms;
-allow hal_power_default sysfs_display:file rw_file_perms;
-allow hal_power_default sysfs_bcl:dir r_dir_perms;
-allow hal_power_default sysfs_bcl:file rw_file_perms;
-allow hal_power_default sysfs_trusty:file rw_file_perms;
-set_prop(hal_power_default, vendor_camera_prop)
+hal_client_domain(hal_power_default, hal_thermal)
+
+r_dir_file(hal_power_default, sysfs_vendor_mm)
+
 set_prop(hal_power_default, vendor_camera_debug_prop)
 set_prop(hal_power_default, vendor_camera_fatp_prop)
+set_prop(hal_power_default, vendor_camera_prop)
+
+allow hal_power_default cpuctl_device:file rw_file_perms;
+allow hal_power_default hal_thermal_service:service_manager find;
+allow hal_power_default proc_vendor_sched:file rw_file_perms;
+allow hal_power_default sysfs_bcl:dir r_dir_perms;
+allow hal_power_default sysfs_bcl:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:dir search;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_pakills:dir r_dir_perms;
+allow hal_power_default sysfs_pakills:file rw_file_perms;
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_trusty:file rw_file_perms;
+allow hal_power_default sysfs_vendor_mm:file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats.te
similarity index 84%
rename from sepolicy/whitechapel/vendor/google/hal_power_stats_default.te
rename to sepolicy/vendor/hal_power_stats.te
index 90a78492..687be44a 100644
--- a/sepolicy/whitechapel/vendor/google/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats.te
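Review bot: The added `allow hal_power_default sysfs_fs_f2fs:dir search;` in hal_power.te is redundant, because the `sysfs_fs_f2fs:dir r_dir_perms` rule directly before it already includes `search`; the line can be dropped. `r_dir_file(hal_power_default, sysfs_vendor_mm)` and the final `allow hal_power_default sysfs_vendor_mm:file rw_file_perms;` also overlap on the file class, so the macro could shrink to `allow hal_power_default sysfs_vendor_mm:dir r_dir_perms;` if symlink reads are not needed. The explicit `hal_thermal_service:service_manager find` may likewise be implied by `hal_client_domain(hal_power_default, hal_thermal)`, depending on how the platform policy declares that HAL, which is not visible here. Duplicated grants make it harder to see what is really being widened in a file that gives write access to many sysfs nodes.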
@@ -1,25 +1,20 @@ -allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms; -allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms; - -# getStats AIDL callback to each power entry +binder_call(hal_power_stats_default, citadeld) binder_call(hal_power_stats_default, hal_bluetooth_btlinux) -r_dir_file(hal_power_stats_default, sysfs_iio_devices) -allow hal_power_stats_default powerstats_vendor_data_file:dir search; -allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; -allow hal_power_stats_default sysfs_odpm:dir search; -allow hal_power_stats_default sysfs_odpm:file rw_file_perms; - -allow hal_power_stats_default sysfs_edgetpu:dir search; -allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; - -binder_call(hal_power_stats_default, citadeld) +r_dir_file(hal_power_stats_default, sysfs_acpm_stats) r_dir_file(hal_power_stats_default, sysfs_aoc) r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) +r_dir_file(hal_power_stats_default, sysfs_backlight) r_dir_file(hal_power_stats_default, sysfs_cpu) r_dir_file(hal_power_stats_default, sysfs_display) +r_dir_file(hal_power_stats_default, sysfs_iio_devices) r_dir_file(hal_power_stats_default, sysfs_leds) -r_dir_file(hal_power_stats_default, sysfs_acpm_stats) -r_dir_file(hal_power_stats_default, sysfs_wifi) -r_dir_file(hal_power_stats_default, sysfs_backlight) r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) +r_dir_file(hal_power_stats_default, sysfs_wifi) + +allow hal_power_stats_default powerstats_vendor_data_file:dir search; +allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms; +allow hal_power_stats_default sysfs_edgetpu:dir search; +allow hal_power_stats_default sysfs_edgetpu:file r_file_perms; +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; 
diff --git a/sepolicy/whitechapel/vendor/google/hal_radioext_default.te b/sepolicy/vendor/hal_radioext.te similarity index 86% rename from sepolicy/whitechapel/vendor/google/hal_radioext_default.te rename to sepolicy/vendor/hal_radioext.te index 0f561ac0..0fdeaa90 100644 --- a/sepolicy/whitechapel/vendor/google/hal_radioext_default.te +++ b/sepolicy/vendor/hal_radioext.te @@ -1,22 +1,22 @@ type hal_radioext_default, domain; -type hal_radioext_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_radioext_default) +type hal_radioext_default_exec, exec_type, file_type, vendor_file_type; +type hal_radioext_hwservice, hwservice_manager_type; -hwbinder_use(hal_radioext_default) -get_prop(hal_radioext_default, hwservicemanager_prop) -set_prop(hal_radioext_default, vendor_gril_prop) add_hwservice(hal_radioext_default, hal_radioext_hwservice) binder_call(hal_radioext_default, grilservice_app) binder_call(hal_radioext_default, hal_bluetooth_btlinux) -# RW /dev/oem_ipc0 -allow hal_radioext_default radio_device:chr_file rw_file_perms; +get_prop(hal_radioext_default, hwservicemanager_prop) -# RW MIPI Freq files +hwbinder_use(hal_radioext_default) + +init_daemon_domain(hal_radioext_default) + +set_prop(hal_radioext_default, vendor_gril_prop) + +allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; +allow hal_radioext_default radio_device:chr_file rw_file_perms; allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms; allow hal_radioext_default radio_vendor_data_file:file create_file_perms; allow hal_radioext_default sysfs_display:file rw_file_perms; - -# Bluetooth -allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; 
diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_default.te b/sepolicy/vendor/hal_secure_element.te similarity index 53% rename from sepolicy/whitechapel/vendor/google/hal_secure_element_default.te rename to sepolicy/vendor/hal_secure_element.te index 17a679d2..3bd8cc1a 100644 --- a/sepolicy/whitechapel/vendor/google/hal_secure_element_default.te +++ b/sepolicy/vendor/hal_secure_element.te @@ -1,8 +1,6 @@ -allow hal_secure_element_default secure_element_device:chr_file rw_file_perms; -set_prop(hal_secure_element_default, vendor_secure_element_prop) +binder_call(hal_secure_element_default, rild) + set_prop(hal_secure_element_default, vendor_modem_prop) +set_prop(hal_secure_element_default, vendor_secure_element_prop) -# Allow hal_secure_element_default to access rild -binder_call(hal_secure_element_default, rild); allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find; - diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te b/sepolicy/vendor/hal_secure_element_st33spi.te similarity index 78% rename from sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te rename to sepolicy/vendor/hal_secure_element_st33spi.te index a5978f20..35df83f0 100644 --- a/sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te +++ b/sepolicy/vendor/hal_secure_element_st33spi.te 
@@ -1,8 +1,10 @@ type hal_secure_element_st33spi, domain; -hal_server_domain(hal_secure_element_st33spi, hal_secure_element) -type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type; +type hal_secure_element_st33spi_exec, exec_type, file_type, vendor_file_type; -allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st33spi, vendor_secure_element_prop) +hal_server_domain(hal_secure_element_st33spi, hal_secure_element) init_daemon_domain(hal_secure_element_st33spi) + +set_prop(hal_secure_element_st33spi, vendor_secure_element_prop) + +allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te b/sepolicy/vendor/hal_secure_element_st54spi.te similarity index 85% rename from sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te rename to sepolicy/vendor/hal_secure_element_st54spi.te index 7f6ea41b..0b2011d6 100644 --- a/sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te +++ b/sepolicy/vendor/hal_secure_element_st54spi.te 
@@ -1,9 +1,13 @@ type hal_secure_element_st54spi, domain; +type hal_secure_element_st54spi_exec, exec_type, file_type, vendor_file_type; + hal_server_domain(hal_secure_element_st54spi, hal_secure_element) -type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; -allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; -allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) -set_prop(hal_secure_element_st54spi, vendor_nfc_prop) -set_prop(hal_secure_element_st54spi, vendor_modem_prop) + init_daemon_domain(hal_secure_element_st54spi) + +set_prop(hal_secure_element_st54spi, vendor_modem_prop) +set_prop(hal_secure_element_st54spi, vendor_nfc_prop) +set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) + +allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_sensors.te b/sepolicy/vendor/hal_sensors.te new file mode 100644 index 00000000..8127ffa4 --- /dev/null +++ b/sepolicy/vendor/hal_sensors.te 
@@ -0,0 +1,39 @@
+binder_call(hal_sensors_default, hal_contexthub_default)
+binder_call(hal_sensors_default, hal_graphics_composer_default)
+binder_call(hal_sensors_default, system_server)
+
+get_prop(hal_sensors_default, vendor_aoc_prop)
+get_prop(hal_sensors_default, vendor_chre_hal_prop)
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+hal_client_domain(hal_sensors_default, hal_graphics_allocator)
+
+r_dir_file(hal_sensors_default, persist_camera_file)
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+unix_socket_connect(hal_sensors_default, chre, chre)
+unix_socket_connect(hal_sensors_default, chre, hal_contexthub_default)
+
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+allow hal_sensors_default device:dir r_dir_perms;
+allow hal_sensors_default fwk_stats_service:service_manager find;
+allow hal_sensors_default hal_contexthub_service:service_manager find;
+allow hal_sensors_default hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+allow hal_sensors_default sysfs_display:file r_file_perms;
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_shared_modem_platform.te b/sepolicy/vendor/hal_shared_modem_platform.te
new file mode 100644
index 00000000..40715e4d
--- /dev/null
+++ b/sepolicy/vendor/hal_shared_modem_platform.te
@@ -0,0 +1,8 @@
+type hal_shared_modem_platform_service, hal_service_type, protected_service, service_manager_type;
+
+binder_call(hal_shared_modem_platform_client, hal_shared_modem_platform_server)
+binder_call(hal_shared_modem_platform_server, hal_shared_modem_platform_client)
+
+binder_use(hal_shared_modem_platform_server)
+
+hal_attribute_service(hal_shared_modem_platform, hal_shared_modem_platform_service)
diff --git a/sepolicy/vendor/hal_telephony.te b/sepolicy/vendor/hal_telephony.te
new file mode 100644
index 00000000..880edae3
--- /dev/null
+++ b/sepolicy/vendor/hal_telephony.te
@@ -0,0 +1 @@
+dump_hal(hal_telephony)
diff --git a/sepolicy/vendor/hal_tetheroffload.te b/sepolicy/vendor/hal_tetheroffload.te
new file mode 100644
index 00000000..93144cd7
--- /dev/null
+++ b/sepolicy/vendor/hal_tetheroffload.te
@@ -0,0 +1,10 @@
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
+
+hwbinder_use(hal_tetheroffload_default)
+
+net_domain(hal_tetheroffload_default)
+
+allow hal_tetheroffload_default self:{ netlink_generic_socket netlink_socket unix_dgram_socket } create_socket_perms_no_ioctl;
+allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hal_thermal.te b/sepolicy/vendor/hal_thermal.te
new file mode 100644
index 00000000..e4803414
--- /dev/null
+++ b/sepolicy/vendor/hal_thermal.te
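Review bot: `allow hal_sensors_default device:dir r_dir_perms;` in the new hal_sensors.te lets the sensors HAL list the generically labelled `device` directory, and together with `hidraw_device:chr_file rw_file_perms` it is the widest grant in the file, yet neither rule carries a comment. If the HAL does not need to enumerate nodes, the directory rule can be dropped or narrowed. If it does, presumably for dynamic sensors given the `vendor_dynamic_sensor_prop` read, say so with a comment such as `# enumerate hidraw nodes for dynamic sensors` above both lines. Read/write access to raw HID devices from a HAL that also talks to `system_server` should be recorded in the policy itself as an explicit, justified decision.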
@@ -0,0 +1,16 @@
+binder_call(hal_thermal_default, servicemanager)
+
+get_prop(hal_thermal_default, vendor_thermal_prop)
+
+hal_client_domain(hal_thermal_default, hal_power)
+
+allow hal_thermal_default fwk_stats_service:service_manager find;
+allow hal_thermal_default proc_stat:file r_file_perms;
+allow hal_thermal_default self:{ netlink_generic_socket netlink_kobject_uevent_socket } create_socket_perms_no_ioctl;
+allow hal_thermal_default sysfs_gpu:file r_file_perms;
+allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
+allow hal_thermal_default sysfs_odpm:file r_file_perms;
+allow hal_thermal_default sysfs_thermal:dir r_dir_perms;
+allow hal_thermal_default sysfs_thermal:file rw_file_perms;
+allow hal_thermal_default sysfs_thermal:lnk_file r_file_perms;
+allow hal_thermal_default thermal_link_device:dir r_dir_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te b/sepolicy/vendor/hal_usb_gadget_impl.te
similarity index 84%
rename from sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te
rename to sepolicy/vendor/hal_usb_gadget_impl.te
index 7eb0f632..c39f963f 100644
--- a/sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te
+++ b/sepolicy/vendor/hal_usb_gadget_impl.te
@@ -1,21 +1,18 @@ type hal_usb_gadget_impl, domain; +type hal_usb_gadget_impl_exec, exec_type, file_type, vendor_file_type; + hal_server_domain(hal_usb_gadget_impl, hal_usb) hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) -type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_gadget_impl) +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + allow hal_usb_gadget_impl configfs:dir { create rmdir }; allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; -set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) - +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_gadget_impl sysfs_extcon:dir search; - -# parser the number of dwc3 irq -allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; - -# change irq to other cores -allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; -allow hal_usb_gadget_impl proc_irq:file w_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hal_usb_impl.te b/sepolicy/vendor/hal_usb_impl.te similarity index 61% rename from sepolicy/whitechapel/vendor/google/hal_usb_impl.te rename to sepolicy/vendor/hal_usb_impl.te index f72412e6..291bbcd3 100644 --- a/sepolicy/whitechapel/vendor/google/hal_usb_impl.te +++ b/sepolicy/vendor/hal_usb_impl.te 
@@ -1,33 +1,26 @@ type hal_usb_impl, domain; +type hal_usb_impl_exec, exec_type, file_type, vendor_file_type; + +binder_call(hal_usb_impl, servicemanager) + +get_prop(hal_usb_impl, vendor_usb_config_prop) + +hal_client_domain(hal_usb_impl, hal_thermal) + hal_server_domain(hal_usb_impl, hal_usb) -type hal_usb_impl_exec, vendor_file_type, exec_type, file_type; init_daemon_domain(hal_usb_impl) +wakelock_use(hal_usb_impl) + allow hal_usb_impl configfs:dir rw_dir_perms; allow hal_usb_impl configfs:file create_file_perms; +allow hal_usb_impl fwk_stats_service:service_manager find; +allow hal_usb_impl self:capability2 wake_alarm; allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms; allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms; allow hal_usb_impl sysfs_extcon:dir search; - -# Needed for reporting Usb Overheat suez event through statsd -allow hal_usb_impl fwk_stats_service:service_manager find; -binder_call(hal_usb_impl, servicemanager) - -# Needed for monitoring usb port temperature -allow hal_usb_impl self:capability2 wake_alarm; -wakelock_use(hal_usb_impl); - -# For interfacing with ThermalHAL -hal_client_domain(hal_usb_impl, hal_thermal); - -# For reading the usb-c throttling stats +allow hal_usb_impl sysfs_udc:file r_file_perms; allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms; - -# For checking contaminant detection status -get_prop(hal_usb_impl, vendor_usb_config_prop); - -# For monitoring usb sysfs attributes allow hal_usb_impl sysfs_wakeup:dir search; allow hal_usb_impl sysfs_wakeup:file r_file_perms; -allow hal_usb_impl sysfs_udc:file r_file_perms; diff --git a/sepolicy/vendor/hal_uwb_vendor.te b/sepolicy/vendor/hal_uwb_vendor.te new file mode 100644 index 00000000..723b899a --- /dev/null +++ b/sepolicy/vendor/hal_uwb_vendor.te 
@@ -0,0 +1,31 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, exec_type, file_type, vendor_file_type;
+type hal_uwb_vendor_service, hal_service_type, service_manager_type;
+
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+dump_hal(hal_uwb_vendor)
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+
+init_daemon_domain(hal_uwb_vendor_default)
+
+allow hal_uwb_vendor self:global_capability_class_set net_admin;
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allow hal_uwb_vendor_default kernel:process setsched;
+allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCETHTOOL SIOCSIFFLAGS SIOCSIFHWADDR };
diff --git a/sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/sepolicy/vendor/hal_vendor_hwcservice.te
similarity index 53%
rename from sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
rename to sepolicy/vendor/hal_vendor_hwcservice.te
index 0cd13b33..53799a30 100644
--- a/sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
+++ b/sepolicy/vendor/hal_vendor_hwcservice.te
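Review bot: In the new hal_uwb_vendor.te the `net_admin` capability, the netlink and UDP socket rules and the `allowxperm` ioctl list are attached to the attribute `hal_uwb_vendor`, while the other allow rules name the concrete domain `hal_uwb_vendor_default`. Any other domain that later acquires the attribute would inherit `net_admin` and the interface-configuration ioctls. Unless that is intended, scope them to the server domain, e.g. `allow hal_uwb_vendor_default self:global_capability_class_set net_admin;`, and likewise for the socket and `allowxperm` lines. `allow hal_uwb_vendor_default kernel:process setsched;` also needs a one-line comment stating why the HAL changes scheduling of a process in the `kernel` domain.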
@@ -1,4 +1,4 @@ type hal_vendor_hwcservice_default, domain; -type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(hal_vendor_hwcservice_default) +type hal_vendor_hwcservice_default_exec, exec_type, file_type, vendor_file_type; +init_daemon_domain(hal_vendor_hwcservice_default) diff --git a/sepolicy/vendor/hal_weaver_citadel.te b/sepolicy/vendor/hal_weaver_citadel.te new file mode 100644 index 00000000..661d7ec9 --- /dev/null +++ b/sepolicy/vendor/hal_weaver_citadel.te @@ -0,0 +1,14 @@ +type hal_weaver_citadel, domain; +type hal_weaver_citadel_exec, exec_type, file_type, vendor_file_type; + +binder_call(hal_weaver_citadel, citadeld) + +hal_server_domain(hal_weaver_citadel, hal_authsecret) +hal_server_domain(hal_weaver_citadel, hal_oemlock) +hal_server_domain(hal_weaver_citadel, hal_weaver) + +init_daemon_domain(hal_weaver_citadel) + +vndbinder_use(hal_weaver_citadel) + +allow hal_weaver_citadel citadeld_service:service_manager find; diff --git a/sepolicy/whitechapel/vendor/google/hal_wifi.te b/sepolicy/vendor/hal_wifi.te similarity index 77% rename from sepolicy/whitechapel/vendor/google/hal_wifi.te rename to sepolicy/vendor/hal_wifi.te index e7f657ec..913a6ba1 100644 --- a/sepolicy/whitechapel/vendor/google/hal_wifi.te +++ b/sepolicy/vendor/hal_wifi.te @@ -1,3 +1,2 @@ -# files in /data/vendor/firmware/wifi allow hal_wifi updated_wifi_firmware_data_file:dir r_dir_perms; allow hal_wifi updated_wifi_firmware_data_file:file r_file_perms; diff --git a/sepolicy/vendor/hal_wifi_ext.te b/sepolicy/vendor/hal_wifi_ext.te new file mode 100644 index 00000000..01765942 --- /dev/null +++ b/sepolicy/vendor/hal_wifi_ext.te 
@@ -0,0 +1,8 @@ +binder_call(hal_wifi_ext, grilservice_app) + +set_prop(hal_wifi_ext, vendor_wifi_version) + +allow hal_wifi_ext priv_app:fd use; +allow hal_wifi_ext privapp_data_file:file { map read }; +allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms; +allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hal_wireless_charger.te b/sepolicy/vendor/hal_wireless_charger.te similarity index 66% rename from sepolicy/whitechapel/vendor/google/hal_wireless_charger.te rename to sepolicy/vendor/hal_wireless_charger.te index 8d6c0118..9166ad0b 100644 --- a/sepolicy/whitechapel/vendor/google/hal_wireless_charger.te +++ b/sepolicy/vendor/hal_wireless_charger.te @@ -1,5 +1,5 @@ type hal_wireless_charger, domain; -type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; +type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; r_dir_file(hal_wireless_charger, sysfs_wlc) diff --git a/sepolicy/whitechapel/vendor/google/hal_wlc.te b/sepolicy/vendor/hal_wlc.te similarity index 73% rename from sepolicy/whitechapel/vendor/google/hal_wlc.te rename to sepolicy/vendor/hal_wlc.te index 891853c9..c40545ba 100644 --- a/sepolicy/whitechapel/vendor/google/hal_wlc.te +++ b/sepolicy/vendor/hal_wlc.te 
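Review bot: `allow hal_wifi_ext priv_app:fd use;` together with `allow hal_wifi_ext privapp_data_file:file { map read };` in the new hal_wifi_ext.te lets a vendor HAL read any file a privileged app passes it by descriptor, and the file gives no reason for it. Limiting the grant to `map read` without `open` is the right shape, but a comment naming the caller and the payload is needed, for example `# read-only payload passed by fd from <priv-app>; confirm purpose` (the wording is a placeholder for the owner to fill in). Because the same domain gets `create_file_perms` on `updated_wifi_firmware_data_file`, it is worth stating in the comment whether app-supplied content can end up there and where it is verified.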
@@ -1,16 +1,20 @@ type hal_wlc, domain; -type hal_wlc_exec, exec_type, vendor_file_type, file_type; +type hal_wlc_exec, exec_type, file_type, vendor_file_type; +type hal_wlc_hwservice, hwservice_manager_type; -init_daemon_domain(hal_wlc) -hwbinder_use(hal_wlc) add_hwservice(hal_wlc, hal_wlc_hwservice) -get_prop(hal_wlc, hwservicemanager_prop) - -r_dir_file(hal_wlc, sysfs_batteryinfo) -allow hal_wlc sysfs_wlc:dir r_dir_perms; -allow hal_wlc sysfs_wlc:file rw_file_perms; - -allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; binder_call(hal_wlc, platform_app) -binder_call(hal_wlc, system_app) \ No newline at end of file +binder_call(hal_wlc, system_app) + +get_prop(hal_wlc, hwservicemanager_prop) + +hwbinder_use(hal_wlc) + +init_daemon_domain(hal_wlc) + +r_dir_file(hal_wlc, sysfs_batteryinfo) + +allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow hal_wlc sysfs_wlc:dir r_dir_perms; +allow hal_wlc sysfs_wlc:file rw_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te b/sepolicy/vendor/hbmsvmanager_app.te similarity index 99% rename from sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te rename to sepolicy/vendor/hbmsvmanager_app.te index bbedea8c..da9ea389 100644 --- a/sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te +++ b/sepolicy/vendor/hbmsvmanager_app.te @@ -1,2 +1,3 @@ -allow hbmsvmanager_app hal_pixel_display_service:service_manager find; binder_call(hbmsvmanager_app, hal_graphics_composer_default) + +allow hbmsvmanager_app hal_pixel_display_service:service_manager find; diff --git a/sepolicy/whitechapel/vendor/google/hwservice.te b/sepolicy/vendor/hwservice.te similarity index 50% rename from sepolicy/whitechapel/vendor/google/hwservice.te rename to sepolicy/vendor/hwservice.te index 8afa89a5..99328630 100644 --- a/sepolicy/whitechapel/vendor/google/hwservice.te +++ b/sepolicy/vendor/hwservice.te 
@@ -1,18 +1,6 @@ -type hal_vendor_telephony_hwservice, hwservice_manager_type; -type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type; - -# dmd servcie -type hal_vendor_oem_hwservice, hwservice_manager_type; - -# rild service +type hal_audio_ext_hwservice, hwservice_manager_type; +type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; type hal_exynos_rild_hwservice, hwservice_manager_type; - -# GRIL service -type hal_radioext_hwservice, hwservice_manager_type; - -# WLC -type hal_wlc_hwservice, hwservice_manager_type; - -# Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; - +type hal_vendor_oem_hwservice, hwservice_manager_type; +type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts new file mode 100644 index 00000000..4f119961 --- /dev/null +++ b/sepolicy/vendor/hwservice_contexts 
@@ -0,0 +1,18 @@
+android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
diff --git a/sepolicy/whitechapel/vendor/google/hwservicemanager.te b/sepolicy/vendor/hwservicemanager.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/hwservicemanager.te rename to sepolicy/vendor/hwservicemanager.te diff --git a/sepolicy/whitechapel/vendor/google/vendor_ims_app.te b/sepolicy/vendor/ims_app.te similarity index 90% rename from sepolicy/whitechapel/vendor/google/vendor_ims_app.te rename to sepolicy/vendor/ims_app.te index 140d9c25..98fb8a36 100644 --- a/sepolicy/whitechapel/vendor/google/vendor_ims_app.te +++ b/sepolicy/vendor/ims_app.te @@ -1,19 +1,19 @@ type vendor_ims_app, domain; + app_domain(vendor_ims_app) + +binder_call(vendor_ims_app, rild) + net_domain(vendor_ims_app) +set_prop(vendor_ims_app, radio_prop) +set_prop(vendor_ims_app, vendor_rild_prop) + allow vendor_ims_app app_api_service:service_manager find; allow vendor_ims_app audioserver_service:service_manager find; - -allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; -allow vendor_ims_app radio_service:service_manager find; - -allow vendor_ims_app mediaserver_service:service_manager find; allow vendor_ims_app cameraserver_service:service_manager find; +allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find; allow vendor_ims_app mediametrics_service:service_manager find; - -allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl }; - -binder_call(vendor_ims_app, rild) -set_prop(vendor_ims_app, vendor_rild_prop) -set_prop(vendor_ims_app, radio_prop) +allow vendor_ims_app mediaserver_service:service_manager find; +allow vendor_ims_app radio_service:service_manager find; +allow vendor_ims_app self:udp_socket create_socket_perms_no_ioctl; diff --git a/sepolicy/vendor/init-camera-set-interrupts-ownership.te b/sepolicy/vendor/init-camera-set-interrupts-ownership.te new file mode 100644 index 00000000..06b42a46 --- /dev/null +++ b/sepolicy/vendor/init-camera-set-interrupts-ownership.te 
@@ -0,0 +1,10 @@ +type init-camera-set-interrupts-ownership, domain; +type init-camera-set-interrupts-ownership_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(init-camera-set-interrupts-ownership) + +allow init-camera-set-interrupts-ownership proc_interrupts:file r_file_perms; +allow init-camera-set-interrupts-ownership proc_irq:dir r_dir_perms; +allow init-camera-set-interrupts-ownership proc_irq:file { r_file_perms setattr }; +allow init-camera-set-interrupts-ownership self:capability { chown setgid setuid }; +allow init-camera-set-interrupts-ownership vendor_toolbox_exec:file rx_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/init-display-sh.te b/sepolicy/vendor/init-display-sh.te similarity index 79% rename from sepolicy/whitechapel/vendor/google/init-display-sh.te rename to sepolicy/vendor/init-display-sh.te index 7f64b782..d462cb1b 100644 --- a/sepolicy/whitechapel/vendor/google/init-display-sh.te +++ b/sepolicy/vendor/init-display-sh.te @@ -1,12 +1,11 @@ type init-display-sh, domain; -type init-display-sh_exec, vendor_file_type, exec_type, file_type; +type init-display-sh_exec, exec_type, file_type, vendor_file_type; + init_daemon_domain(init-display-sh) +allow init-display-sh kmsg_device:chr_file w_file_perms; allow init-display-sh self:capability sys_module; allow init-display-sh vendor_kernel_modules:system module_load; allow init-display-sh vendor_toolbox_exec:file execute_no_trans; dontaudit init-display-sh proc_cmdline:file r_file_perms; - -# Allow modprobe to log to kmsg. -allow init-display-sh kmsg_device:chr_file w_file_perms; diff --git a/sepolicy/vendor/init-thermal-logging-sh.te b/sepolicy/vendor/init-thermal-logging-sh.te new file mode 100644 index 00000000..d6f5572a --- /dev/null +++ b/sepolicy/vendor/init-thermal-logging-sh.te @@ -0,0 +1,4 @@ +type init-thermal-logging-sh, domain; +type init-thermal-logging-sh_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(init-thermal-logging-sh) 
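Review bot: `allow init-camera-set-interrupts-ownership self:capability { chown setgid setuid };` grants more than the rest of the new file appears to use. The only write-type permission on an object is `setattr` on `proc_irq` files, for which `chown` is the relevant capability. Unless the script switches identity, reduce the rule to `allow init-camera-set-interrupts-ownership self:capability chown;` and add a comment saying which IRQ entries change owner and to whom. The script itself is not part of this diff, so this should be confirmed against it.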
diff --git a/sepolicy/vendor/init-thermal-symlinks-sh.te b/sepolicy/vendor/init-thermal-symlinks-sh.te
new file mode 100644
index 00000000..495c1934
--- /dev/null
+++ b/sepolicy/vendor/init-thermal-symlinks-sh.te
@@ -0,0 +1,12 @@
+type init-thermal-symlinks-sh, domain;
+type init-thermal-symlinks-sh_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(init-thermal-symlinks-sh)
+
+r_dir_file(init-thermal-symlinks-sh, sysfs_thermal)
+
+set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)
+
+allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
+allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
+allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 00000000..6942c3ea
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,66 @@ +get_prop(vendor_init, gesture_prop) +get_prop(vendor_init, system_boot_reason_prop) +get_prop(vendor_init, telephony_modem_prop) +get_prop(vendor_init, vendor_battery_profile_prop) +get_prop(vendor_init, vendor_brownout_br_feasible_prop) +get_prop(vendor_init, vendor_touchpanel_prop) +get_prop(vendor_init, vendor_trusty_storage_prop) + +set_prop(vendor_init, vendor_arm_runtime_option_prop) +set_prop(vendor_init, vendor_audio_prop) +set_prop(vendor_init, vendor_audio_prop_restricted) +set_prop(vendor_init, vendor_battery_defender_prop) +set_prop(vendor_init, vendor_brownout_reason_prop) +set_prop(vendor_init, vendor_camera_prop) +set_prop(vendor_init, vendor_cbd_prop) +set_prop(vendor_init, vendor_chre_hal_prop) +set_prop(vendor_init, vendor_device_prop) +set_prop(vendor_init, vendor_display_prop) +set_prop(vendor_init, vendor_fingerprint_prop) +set_prop(vendor_init, vendor_ims_prop) +set_prop(vendor_init, vendor_intelligence_prop) +set_prop(vendor_init, vendor_logger_prop) +set_prop(vendor_init, vendor_modem_prop) +set_prop(vendor_init, vendor_nfc_prop) +set_prop(vendor_init, vendor_rcs_prop) +set_prop(vendor_init, vendor_rild_prop) +set_prop(vendor_init, vendor_ro_config_default_prop) +set_prop(vendor_init, vendor_secure_element_prop) +set_prop(vendor_init, vendor_slog_prop) +set_prop(vendor_init, vendor_ssrdump_prop) +set_prop(vendor_init, vendor_sys_default_prop) +set_prop(vendor_init, vendor_tcpdump_log_prop) +set_prop(vendor_init, vendor_thermal_prop) +set_prop(vendor_init, vendor_usb_config_prop) + +allow init boot_block_device:lnk_file relabelto; +allow init custom_ab_block_device:lnk_file relabelto; +allow init intelligence_data_file:dir mounton; +allow init mnt_vendor_file:dir mounton; +allow init modem_efs_file:dir mounton; +allow init modem_img_file:dir mounton; +allow init modem_img_file:filesystem { getattr mount relabelfrom }; +allow init modem_userdata_file:dir mounton; +allow init per_boot_file:file ioctl; +allow init 
persist_file:dir mounton; +allow init ram_device:blk_file w_file_perms; +allow init sysfs_scsi_devices_0000:file w_file_perms; +allow init userdata_exp_block_device:blk_file write; +allow vendor_init block_device:lnk_file setattr; +allow vendor_init bootdevice_sysdev:file create_file_perms; +allow vendor_init proc_compaction_proactiveness:file w_file_perms; +allow vendor_init proc_dirty:file w_file_perms; +allow vendor_init proc_percpu_pagelist_high_fraction:file w_file_perms; +allow vendor_init proc_sched:file write; +allow vendor_init sg_device:chr_file r_file_perms; +allow vendor_init sysfs_st33spi:file w_file_perms; +allow vendor_init tee_data_file:lnk_file read; +allow vendor_init thermal_link_device:dir r_dir_perms; +allow vendor_init thermal_link_device:lnk_file r_file_perms; + +allowxperm init per_boot_file:file ioctl F2FS_IOC_SET_PIN_FILE; + +dontaudit init overlayfs_file:chr_file unlink; +dontaudit init overlayfs_file:file rename; +dontaudit vendor_init default_prop:file read; +dontaudit vendor_init default_prop:property_service set; diff --git a/sepolicy/vendor/init_citadel.te b/sepolicy/vendor/init_citadel.te new file mode 100644 index 00000000..7f5f2541 --- /dev/null +++ b/sepolicy/vendor/init_citadel.te @@ -0,0 +1,12 @@ +type init_citadel, domain; +type init_citadel_exec, exec_type, file_type, vendor_file_type; + +binder_call(init_citadel, citadeld) + +init_daemon_domain(init_citadel) + +vndbinder_use(init_citadel) + +allow init_citadel citadel_updater:file rx_file_perms; +allow init_citadel citadeld_service:service_manager find; +allow init_citadel vendor_toolbox_exec:file rx_file_perms; diff --git a/sepolicy/telephony/user/init_radio.te b/sepolicy/vendor/init_radio.te similarity index 69% rename from sepolicy/telephony/user/init_radio.te rename to sepolicy/vendor/init_radio.te index 3a29edf3..dcda9e9b 100644 --- a/sepolicy/telephony/user/init_radio.te +++ b/sepolicy/vendor/init_radio.te 
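Review bot: `dontaudit vendor_init default_prop:property_service set;` and the `default_prop:file read` line before it, at the end of init.te, silence the denial that normally shows a vendor property has no entry in property_contexts. With the audit record suppressed, a mislabeled property fails to set without a log trace, and nothing prompts anyone to give it a proper type. Prefer labeling the properties that trigger the denial and dropping both `dontaudit` lines, or at least add a comment naming the property that motivated them.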
@@ -1,8 +1,8 @@ type init_radio, domain; -type init_radio_exec, exec_type, vendor_file_type, file_type; +type init_radio_exec, exec_type, file_type, vendor_file_type; -init_daemon_domain(init_radio); +init_daemon_domain(init_radio) -allow init_radio vendor_toolbox_exec:file execute_no_trans; allow init_radio radio_vendor_data_file:dir create_dir_perms; allow init_radio radio_vendor_data_file:file create_file_perms; +allow init_radio vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/vendor/insmod-sh.te b/sepolicy/vendor/insmod-sh.te new file mode 100644 index 00000000..99c6a151 --- /dev/null +++ b/sepolicy/vendor/insmod-sh.te @@ -0,0 +1,20 @@ +type insmod-sh, domain; +type insmod-sh_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(insmod-sh) + +set_prop(insmod-sh, vendor_device_prop) + +allow insmod-sh kernel:process setsched; +allow insmod-sh kmsg_debug_device:chr_file rw_file_perms; +allow insmod-sh self:capability sys_module; +allow insmod-sh self:capability sys_nice; +allow insmod-sh sysfs_leds:dir r_dir_perms; +allow insmod-sh system_dlkm_file:dir r_dir_perms; +allow insmod-sh system_dlkm_file:file r_file_perms; +allow insmod-sh system_dlkm_file:system module_load; +allow insmod-sh vendor_kernel_modules:system module_load; +allow insmod-sh vendor_toolbox_exec:file execute_no_trans; + +dontaudit insmod-sh proc_cmdline:file r_file_perms; +dontaudit insmod-sh self:key write; diff --git a/sepolicy/whitechapel/vendor/google/installd.te b/sepolicy/vendor/installd.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/installd.te rename to sepolicy/vendor/installd.te diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te new file mode 100644 index 00000000..c3745e75 --- /dev/null +++ b/sepolicy/vendor/kernel.te 
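Review bot: `allow insmod-sh kmsg_debug_device:chr_file rw_file_perms;` grants read as well as write on the debug kernel-log node, while init-display-sh.te in this same commit gets only `w_file_perms` on `kmsg_device` for what looks like the same logging purpose. If insmod-sh only writes log lines, use `allow insmod-sh kmsg_debug_device:chr_file w_file_perms;`. As a style point, the two `self:capability` lines could be one rule, `allow insmod-sh self:capability { sys_module sys_nice };`, which keeps the domain's capabilities in one place.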
@@ -0,0 +1,10 @@ +allow kernel per_boot_file:file r_file_perms; +allow kernel self:capability2 perfmon; +allow kernel self:perf_event cpu; +allow kernel userdata_exp_block_device:blk_file { read write }; +allow kernel vendor_fw_file:dir search; +allow kernel vendor_fw_file:file r_file_perms; + +dontaudit kernel sepolicy_file:file getattr; +dontaudit kernel system_bootstrap_lib_file:{ dir file } getattr; +dontaudit kernel system_dlkm_file:dir getattr; diff --git a/sepolicy/vendor/lhd.te b/sepolicy/vendor/lhd.te new file mode 100644 index 00000000..a77a2638 --- /dev/null +++ b/sepolicy/vendor/lhd.te @@ -0,0 +1,11 @@ +type lhd, domain; +type lhd_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(lhd) + +wakelock_use(lhd) + +allow lhd sysfs_gps:file rw_file_perms; +allow lhd vendor_gnss_device:chr_file rw_file_perms; +allow lhd vendor_gps_file:dir create_dir_perms; +allow lhd vendor_gps_file:{ fifo_file file } create_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/logd.te b/sepolicy/vendor/logd.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/logd.te rename to sepolicy/vendor/logd.te index ca969d80..0e67ccd5 100644 --- a/sepolicy/whitechapel/vendor/google/logd.te +++ b/sepolicy/vendor/logd.te @@ -1,4 +1,4 @@ r_dir_file(logd, logbuffer_device) + allow logd logbuffer_device:chr_file r_file_perms; allow logd trusty_log_device:chr_file r_file_perms; - diff --git a/sepolicy/whitechapel/vendor/google/mediacodec.te b/sepolicy/vendor/mediacodec.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/mediacodec.te rename to sepolicy/vendor/mediacodec.te diff --git a/sepolicy/vendor/mediacodec_samsung.te b/sepolicy/vendor/mediacodec_samsung.te new file mode 100644 index 00000000..82de3950 --- /dev/null +++ b/sepolicy/vendor/mediacodec_samsung.te 
@@ -0,0 +1,30 @@ +type mediacodec_samsung, domain; +type mediacodec_samsung_exec, exec_type, file_type, vendor_file_type; + +add_service(mediacodec_samsung, eco_service) + +binder_call(mediacodec_samsung, hal_camera_default) + +binder_use(mediacodec_samsung) + +crash_dump_fallback(mediacodec_samsung) + +hal_client_domain(mediacodec_samsung, hal_graphics_allocator) + +hal_server_domain(mediacodec_samsung, hal_codec2) + +init_daemon_domain(mediacodec_samsung) + +vndbinder_use(mediacodec_samsung) + +allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_samsung gpu_device:chr_file rw_file_perms; +allow mediacodec_samsung sysfs_force_empty:dir { getattr ioctl lock map open read watch watch_reads }; +allow mediacodec_samsung sysfs_force_empty:file rw_file_perms; +allow mediacodec_samsung sysfs_mfc:dir r_dir_perms; +allow mediacodec_samsung sysfs_mfc:file r_file_perms; +allow mediacodec_samsung video_device:chr_file rw_file_perms; + +neverallow mediacodec_samsung domain:{ rawip_socket tcp_socket udp_socket } *; +neverallow mediacodec_samsung file_type:file execute_no_trans; +neverallow mediacodec_samsung fs_type:file execute_no_trans; diff --git a/sepolicy/whitechapel/vendor/google/mediaprovider.te b/sepolicy/vendor/mediaprovider.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/mediaprovider.te rename to sepolicy/vendor/mediaprovider.te diff --git a/sepolicy/vendor/misc_writer.te b/sepolicy/vendor/misc_writer.te new file mode 100644 index 00000000..8c75a172 --- /dev/null +++ b/sepolicy/vendor/misc_writer.te @@ -0,0 +1,4 @@ +get_prop(vendor_misc_writer, sota_prop) + +allow vendor_misc_writer flood_control:fd use; +allow vendor_misc_writer flood_control:fifo_file { getattr write }; diff --git a/sepolicy/vendor/modem_diagnostic_app.te b/sepolicy/vendor/modem_diagnostic_app.te new file mode 100644 index 00000000..ec8df100 --- /dev/null +++ b/sepolicy/vendor/modem_diagnostic_app.te 
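Review bot: The `sysfs_force_empty:dir { getattr ioctl lock map open read watch watch_reads }` rule in mediacodec_samsung.te lists the file read set rather than the directory one: it includes `map` and leaves out `search`. Without `search` on the directory, the `sysfs_force_empty:file rw_file_perms` rule on the next line cannot be reached through a path lookup unless some other rule grants it. This looks like `r_file_perms` expanded onto the `dir` class. `allow mediacodec_samsung sysfs_force_empty:dir r_dir_perms;` would match the `sysfs_mfc` pair below it.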
@@ -0,0 +1,8 @@ +type modem_diagnostic_app, domain; + +app_domain(modem_diagnostic_app) + +net_domain(modem_diagnostic_app) + +allow modem_diagnostic_app app_api_service:service_manager find; +allow modem_diagnostic_app radio_service:service_manager find; diff --git a/sepolicy/vendor/modem_img_file.te b/sepolicy/vendor/modem_img_file.te new file mode 100644 index 00000000..e9560f50 --- /dev/null +++ b/sepolicy/vendor/modem_img_file.te @@ -0,0 +1,3 @@ +type modem_img_file, contextmount_type, file_type, vendor_file_type; + +allow modem_img_file self:filesystem associate; diff --git a/sepolicy/whitechapel/vendor/google/modem_logging_control.te b/sepolicy/vendor/modem_logging_control.te similarity index 91% rename from sepolicy/whitechapel/vendor/google/modem_logging_control.te rename to sepolicy/vendor/modem_logging_control.te index 7392297f..a0dc02f3 100644 --- a/sepolicy/whitechapel/vendor/google/modem_logging_control.te +++ b/sepolicy/vendor/modem_logging_control.te 
@@ -1,17 +1,19 @@ type modem_logging_control, domain; -type modem_logging_control_exec, vendor_file_type, exec_type, file_type; +type modem_logging_control_exec, exec_type, file_type, vendor_file_type; + +binder_call(modem_logging_control, dmd) + +get_prop(modem_logging_control, hwservicemanager_prop) + +hwbinder_use(modem_logging_control) init_daemon_domain(modem_logging_control) -hwbinder_use(modem_logging_control) -binder_call(modem_logging_control, dmd) +set_prop(modem_logging_control, vendor_modem_prop) -allow modem_logging_control radio_device:chr_file rw_file_perms; allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find; +allow modem_logging_control radio_device:chr_file rw_file_perms; allow modem_logging_control radio_vendor_data_file:dir create_dir_perms; allow modem_logging_control radio_vendor_data_file:file create_file_perms; allow modem_logging_control vendor_slog_file:dir create_dir_perms; allow modem_logging_control vendor_slog_file:file create_file_perms; - -set_prop(modem_logging_control, vendor_modem_prop) -get_prop(modem_logging_control, hwservicemanager_prop) diff --git a/sepolicy/whitechapel/vendor/google/modem_svc_sit.te b/sepolicy/vendor/modem_svc_sit.te similarity index 58% rename from sepolicy/whitechapel/vendor/google/modem_svc_sit.te rename to sepolicy/vendor/modem_svc_sit.te index 8f6c240f..cafe99d2 100644 --- a/sepolicy/whitechapel/vendor/google/modem_svc_sit.te +++ b/sepolicy/vendor/modem_svc_sit.te 
@@ -1,49 +1,35 @@ -# Selinux rule for modem_svc_sit daemon type modem_svc_sit, domain; -type modem_svc_sit_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(modem_svc_sit) +type modem_svc_sit_exec, exec_type, file_type, vendor_file_type; -hwbinder_use(modem_svc_sit) binder_call(modem_svc_sit, rild) -# Grant sysfs_modem access -allow modem_svc_sit sysfs_modem:file rw_file_perms; - -# Grant radio device access -allow modem_svc_sit radio_device:chr_file rw_file_perms; - -# Grant vendor radio and modem file/dir creation permission -allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms; -allow modem_svc_sit radio_vendor_data_file:file create_file_perms; -allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; -allow modem_svc_sit modem_stat_data_file:file create_file_perms; - -allow modem_svc_sit mnt_vendor_file:dir r_dir_perms; -allow modem_svc_sit modem_userdata_file:dir create_dir_perms; -allow modem_svc_sit modem_userdata_file:file create_file_perms; - -# RIL property +get_prop(modem_svc_sit, hwservicemanager_prop) +get_prop(modem_svc_sit, vendor_logger_prop) get_prop(modem_svc_sit, vendor_rild_prop) -# hwservice permission -allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; -get_prop(modem_svc_sit, hwservicemanager_prop) +hal_server_domain(modem_svc_sit, hal_shared_modem_platform) -# logging property -get_prop(modem_svc_sit, vendor_logger_prop) +hwbinder_use(modem_svc_sit) -# Modem property -set_prop(modem_svc_sit, vendor_modem_prop) +init_daemon_domain(modem_svc_sit) -# Write trace data to the Perfetto traced daemon. This requires connecting to -# its producer socket and obtaining a (per-process) tmpfs fd. 
perfetto_producer(modem_svc_sit) -# Allow modem_svc_sit to access modem image file/dir -allow modem_svc_sit modem_img_file:dir r_dir_perms; -allow modem_svc_sit modem_img_file:file r_file_perms; -allow modem_svc_sit modem_img_file:lnk_file r_file_perms; +r_dir_file(modem_svc_sit, modem_img_file) -# Allow modem_svc_sit to access socket for UMI -allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write}; +set_prop(modem_svc_sit, vendor_modem_prop) +unix_socket_connect(modem_svc_sit, property, traced) +unix_socket_connect(modem_svc_sit, traced_producer, init) + +allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find; +allow modem_svc_sit mnt_vendor_file:dir r_dir_perms; +allow modem_svc_sit modem_stat_data_file:dir create_dir_perms; +allow modem_svc_sit modem_stat_data_file:file create_file_perms; +allow modem_svc_sit modem_userdata_file:dir create_dir_perms; +allow modem_svc_sit modem_userdata_file:file create_file_perms; +allow modem_svc_sit radio_device:chr_file rw_file_perms; +allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms; +allow modem_svc_sit radio_vendor_data_file:file create_file_perms; +allow modem_svc_sit radio_vendor_data_file:sock_file { create unlink write }; +allow modem_svc_sit sysfs_modem:file rw_file_perms; diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te new file mode 100644 index 00000000..948fa898 --- /dev/null +++ b/sepolicy/vendor/netd.te @@ -0,0 +1,2 @@ +allow netd vendor_pcs_app:fd use; +allow netd vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl; diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te new file mode 100644 index 00000000..7de26b2f --- /dev/null +++ b/sepolicy/vendor/netutils_wrapper.te 
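Review bot: The two added `unix_socket_connect` lines in modem_svc_sit.te pair each socket with the other one's server: `property` with `traced` and `traced_producer` with `init`. Assuming the standard macro definitions, `set_prop(modem_svc_sit, vendor_modem_prop)` already covers the property socket to init and `perfetto_producer(modem_svc_sit)` already covers the producer socket to traced. The two lines therefore add no permission and misstate which daemon listens on which socket, so drop both. The hunk also removes the comment explaining the Perfetto producer grant, which is worth keeping next to `perfetto_producer(modem_svc_sit)`.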
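Review bot: `allow netd vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl;` in netd.te lets netd create, bind and connect sockets carrying the app's label, which is more than operating on a descriptor the app passes over fwmarkd should need. pcs_app.te in this commit hand-writes `unix_socket_connect(vendor_pcs_app, fwmarkd, netd)` and the `node_bind`/`name_bind`/`name_connect` rules rather than calling `net_domain(vendor_pcs_app)`, as modem_diagnostic_app.te and omadm_app.te do for their domains. If the macro can be applied to this type, the platform's netd rules for the `netdomain` attribute should make this file unnecessary. Otherwise narrow the netd rule to `{ read write getattr setattr getopt setopt }`.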
@@ -0,0 +1,4 @@ +allow netutils_wrapper pktrouter:fd use; +allow netutils_wrapper pktrouter:fifo_file write; +allow netutils_wrapper pktrouter:{ netlink_route_socket packet_socket rawip_socket udp_socket } { read write }; +allow netutils_wrapper pktrouter_device:chr_file rw_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/nfc.te b/sepolicy/vendor/nfc.te similarity index 64% rename from sepolicy/whitechapel/vendor/google/nfc.te rename to sepolicy/vendor/nfc.te index 80784434..a3a4f669 100644 --- a/sepolicy/whitechapel/vendor/google/nfc.te +++ b/sepolicy/vendor/nfc.te @@ -1,2 +1,3 @@ allow nfc proc_vendor_sched:dir r_dir_perms; allow nfc proc_vendor_sched:file w_file_perms; +allow nfc vendor_nfc_vendor_data_file:dir search; diff --git a/sepolicy/vendor/nos_citadel_version.te b/sepolicy/vendor/nos_citadel_version.te new file mode 100644 index 00000000..2e1c4eca --- /dev/null +++ b/sepolicy/vendor/nos_citadel_version.te @@ -0,0 +1 @@ +vendor_internal_prop(vendor_nos_citadel_version) diff --git a/sepolicy/whitechapel/vendor/google/oemrilservice_app.te b/sepolicy/vendor/oemrilservice_app.te similarity index 86% rename from sepolicy/whitechapel/vendor/google/oemrilservice_app.te rename to sepolicy/vendor/oemrilservice_app.te index ca8257a1..916b7d67 100644 --- a/sepolicy/whitechapel/vendor/google/oemrilservice_app.te +++ b/sepolicy/vendor/oemrilservice_app.te @@ -1,9 +1,11 @@ type oemrilservice_app, domain; + app_domain(oemrilservice_app) -set_prop(oemrilservice_app, vendor_rild_prop); +binder_call(oemrilservice_app, rild) + +set_prop(oemrilservice_app, vendor_rild_prop) allow oemrilservice_app app_api_service:service_manager find; -allow oemrilservice_app radio_service:service_manager find; allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find; -binder_call(oemrilservice_app, rild) +allow oemrilservice_app radio_service:service_manager find; 
diff --git a/sepolicy/vendor/ofl_app.te b/sepolicy/vendor/ofl_app.te new file mode 100644 index 00000000..bd592c55 --- /dev/null +++ b/sepolicy/vendor/ofl_app.te @@ -0,0 +1 @@ +type ofl_app, domain; diff --git a/sepolicy/whitechapel/vendor/google/omadm.te b/sepolicy/vendor/omadm_app.te similarity index 96% rename from sepolicy/whitechapel/vendor/google/omadm.te rename to sepolicy/vendor/omadm_app.te index 3990dd7b..5537f99b 100644 --- a/sepolicy/whitechapel/vendor/google/omadm.te +++ b/sepolicy/vendor/omadm_app.te @@ -1,10 +1,10 @@ -# OMADM app type omadm_app, domain; app_domain(omadm_app) + net_domain(omadm_app) -allow omadm_app radio_vendor_data_file:dir rw_dir_perms; -allow omadm_app radio_vendor_data_file:file create_file_perms; allow omadm_app app_api_service:service_manager find; allow omadm_app radio_service:service_manager find; +allow omadm_app radio_vendor_data_file:dir rw_dir_perms; +allow omadm_app radio_vendor_data_file:file create_file_perms; diff --git a/sepolicy/vendor/pbcs_app.te b/sepolicy/vendor/pbcs_app.te new file mode 100644 index 00000000..761e8ef2 --- /dev/null +++ b/sepolicy/vendor/pbcs_app.te @@ -0,0 +1,7 @@ +add_service(vendor_pbcs_app, camera_binder_service) +add_service(vendor_pbcs_app, camera_cameraidremapper_service) +add_service(vendor_pbcs_app, camera_lyricconfigprovider_service) + +binder_call(vendor_pbcs_app, hal_camera_default) + +get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop) diff --git a/sepolicy/vendor/pcs_app.te b/sepolicy/vendor/pcs_app.te new file mode 100644 index 00000000..234bcc87 --- /dev/null +++ b/sepolicy/vendor/pcs_app.te 
@@ -0,0 +1,13 @@ +binder_call(vendor_pcs_app, hal_camera_default) + +unix_socket_connect(vendor_pcs_app, fwmarkd, netd) + +allow vendor_pcs_app camera_cameraidremapper_service:service_manager find; +allow vendor_pcs_app camera_lyricconfigprovider_service:service_manager find; +allow vendor_pcs_app edgetpu_app_service:service_manager find; +allow vendor_pcs_app edgetpu_device:chr_file { getattr ioctl map read write }; +allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add; +allow vendor_pcs_app node:udp_socket node_bind; +allow vendor_pcs_app port:tcp_socket name_connect; +allow vendor_pcs_app port:udp_socket name_bind; +allow vendor_pcs_app vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl; diff --git a/sepolicy/vendor/pixel-thermal-control-sh.te b/sepolicy/vendor/pixel-thermal-control-sh.te new file mode 100644 index 00000000..4912b41b --- /dev/null +++ b/sepolicy/vendor/pixel-thermal-control-sh.te @@ -0,0 +1,4 @@ +type pixel-thermal-control-sh, domain; +type pixel-thermal-control-sh_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(pixel-thermal-control-sh) diff --git a/sepolicy/vendor/pixelstats_vendor.te b/sepolicy/vendor/pixelstats_vendor.te new file mode 100644 index 00000000..2d6a6066 --- /dev/null +++ b/sepolicy/vendor/pixelstats_vendor.te 
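Review bot: `allow vendor_pcs_app edgetpu_device:chr_file { getattr ioctl map read write };` in pcs_app.te leaves out `open`, so the app can only use a descriptor handed to it, and it grants `ioctl` with no `allowxperm` list to bound the commands. The same rule is repeated for `platform_app` and `priv_app` later in this commit. If omitting `open` is deliberate, record it with a comment such as `# open is intentionally not granted; the fd is passed in`, so a later cleanup does not widen it to `rw_file_perms`. Restricting the ioctl set with `allowxperm` is worth considering for domains as broad as `platform_app` and `priv_app`.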
@@ -0,0 +1,59 @@ +binder_call(pixelstats_vendor, stats_service_server) + +binder_use(pixelstats_vendor) + +get_prop(pixelstats_vendor, boottime_public_prop) +get_prop(pixelstats_vendor, hwservicemanager_prop) +get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop) + +hwbinder_use(pixelstats_vendor) + +init_daemon_domain(pixelstats_vendor) + +r_dir_file(pixelstats_vendor, proc_vendor_mm) +r_dir_file(pixelstats_vendor, sysfs_batteryinfo) +r_dir_file(pixelstats_vendor, sysfs_vendor_metrics) +r_dir_file(pixelstats_vendor, sysfs_vendor_mm) + +unix_socket_connect(pixelstats_vendor, chre, chre) +unix_socket_connect(pixelstats_vendor, chre, hal_contexthub_default) + +allow pixelstats_vendor battery_history_device:chr_file r_file_perms; +allow pixelstats_vendor block_device:dir search; +allow pixelstats_vendor dm_device:blk_file getattr; +allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find; +allow pixelstats_vendor fwk_sensor_service:service_manager find; +allow pixelstats_vendor fwk_stats_service:service_manager find; +allow pixelstats_vendor kernel:dir search; +allow pixelstats_vendor kernel:file r_file_perms; +allow pixelstats_vendor logbuffer_device:chr_file r_file_perms; +allow pixelstats_vendor mnt_vendor_file:dir search; +allow pixelstats_vendor proc_meminfo:file r_file_perms; +allow pixelstats_vendor proc_pressure_cpu:file r_file_perms; +allow pixelstats_vendor proc_pressure_io:file r_file_perms; +allow pixelstats_vendor proc_pressure_mem:file r_file_perms; +allow pixelstats_vendor proc_stat:file r_file_perms; +allow pixelstats_vendor proc_vmstat:file r_file_perms; +allow pixelstats_vendor self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow pixelstats_vendor sysfs_batteryinfo:file w_file_perms; +allow pixelstats_vendor sysfs_bcl:dir search; +allow pixelstats_vendor sysfs_bcl:file r_file_perms; +allow pixelstats_vendor sysfs_dm:dir search; +allow pixelstats_vendor sysfs_dm:file { getattr open read }; +allow pixelstats_vendor 
sysfs_dma_heap:dir search; +allow pixelstats_vendor sysfs_dma_heap:file r_file_perms; +allow pixelstats_vendor sysfs_fs_f2fs:dir search; +allow pixelstats_vendor sysfs_fs_f2fs:file rw_file_perms; +allow pixelstats_vendor sysfs_ion:dir search; +allow pixelstats_vendor sysfs_ion:file r_file_perms; +allow pixelstats_vendor sysfs_pca:file rw_file_perms; +allow pixelstats_vendor sysfs_pixel_stat:dir search; +allow pixelstats_vendor sysfs_pixel_stat:file getattr; +allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; +allow pixelstats_vendor sysfs_scsi_devices_0000:dir search; +allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms; +allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms; +allow pixelstats_vendor sysfs_wlc:dir search; +allow pixelstats_vendor sysfs_wlc:file rw_file_perms; +allow pixelstats_vendor sysfs_zram:dir search; +allow pixelstats_vendor sysfs_zram:file r_file_perms; diff --git a/sepolicy/vendor/pktrouter.te b/sepolicy/vendor/pktrouter.te new file mode 100644 index 00000000..4824d901 --- /dev/null +++ b/sepolicy/vendor/pktrouter.te @@ -0,0 +1,16 @@ +type pktrouter, domain; +type pktrouter_exec, exec_type, file_type, vendor_file_type; + +domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper) + +get_prop(pktrouter, vendor_ims_prop) + +init_daemon_domain(pktrouter) + +net_domain(pktrouter) + +allow pktrouter pktrouter_device:chr_file rw_file_perms; +allow pktrouter radio_device:chr_file r_file_perms; +allow pktrouter self:capability net_raw; +allow pktrouter self:netlink_route_socket nlmsg_write; +allow pktrouter self:packet_socket { bind create getattr read shutdown write }; diff --git a/sepolicy/whitechapel/vendor/google/platform_app.te b/sepolicy/vendor/platform_app.te similarity index 64% rename from sepolicy/whitechapel/vendor/google/platform_app.te rename to sepolicy/vendor/platform_app.te index 4f0f89a2..856eb939 100644 --- a/sepolicy/whitechapel/vendor/google/platform_app.te 
+++ b/sepolicy/vendor/platform_app.te @@ -1,20 +1,22 @@ +binder_call(platform_app, hal_graphics_composer_default) +binder_call(platform_app, hal_wireless_charger) binder_call(platform_app, rild) -allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; +binder_call(platform_app, twoshay) -allow platform_app proc_vendor_sched:dir r_dir_perms; -allow platform_app proc_vendor_sched:file w_file_perms; - -allow platform_app nfc_service:service_manager find; -allow platform_app uwb_service:service_manager find; - -allow platform_app fwk_stats_service:service_manager find; binder_use(platform_app) -# Fingerprint (UDFPS) GHBM/LHBM toggle get_prop(platform_app, fingerprint_ghbm_prop) +allow platform_app edgetpu_device:chr_file { getattr ioctl map read write }; +allow platform_app fwk_stats_service:service_manager find; +allow platform_app gril_antenna_tuning_service:service_manager find; +allow platform_app hal_exynos_rild_hwservice:hwservice_manager find; allow platform_app hal_pixel_display_service:service_manager find; -binder_call(platform_app, hal_graphics_composer_default) - allow platform_app hal_wireless_charger_service:service_manager find; -binder_call(platform_app, hal_wireless_charger) +allow platform_app nfc_service:service_manager find; +allow platform_app proc_vendor_sched:dir r_dir_perms; +allow platform_app proc_vendor_sched:file w_file_perms; +allow platform_app screen_protector_detector_service:service_manager find; +allow platform_app touch_context_service:service_manager find; +allow platform_app twoshay_notification_service:service_manager find; +allow platform_app uwb_service:service_manager find; diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te new file mode 100644 index 00000000..45bc8d3b --- /dev/null +++ b/sepolicy/vendor/priv_app.te 
@@ -0,0 +1,5 @@ +hal_client_domain(priv_app, hal_power) + +allow priv_app edgetpu_app_service:service_manager find; +allow priv_app edgetpu_device:chr_file { getattr ioctl map read write }; +allow priv_app edgetpu_nnapi_service:service_manager find; diff --git a/sepolicy/vendor/proc_vendor_sched.te b/sepolicy/vendor/proc_vendor_sched.te new file mode 100644 index 00000000..af038620 --- /dev/null +++ b/sepolicy/vendor/proc_vendor_sched.te @@ -0,0 +1,3 @@ +allow proc_vendor_sched proc:filesystem associate; +allow { domain -appdomain -rs } proc_vendor_sched:dir r_dir_perms; +allow { domain -appdomain -rs } proc_vendor_sched:file w_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/property.te b/sepolicy/vendor/property.te similarity index 54% rename from sepolicy/whitechapel/vendor/google/property.te rename to sepolicy/vendor/property.te index bbdce973..4d95458c 100644 --- a/sepolicy/whitechapel/vendor/google/property.te +++ b/sepolicy/vendor/property.te 
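Review bot: `allow { domain -appdomain -rs } proc_vendor_sched:file w_file_perms;` in proc_vendor_sched.te gives every non-app domain on the device write access to the vendor scheduler tunables, not only the services that adjust them. nfc.te and platform_app.te in this commit then add the same two rules back for individual app domains, so the exclusion set is already being worked around. Consider an attribute for the domains that actually write these files and grant to that, or add a comment stating why a domain-wide grant is required.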
@@ -1,59 +1,60 @@ -# For Exynos Properties +system_internal_prop(vendor_pss_systemphenotype_prop) + +system_public_prop(vendor_edgetpu_service_prop) +system_public_prop(vendor_intelligence_prop) + +system_vendor_config_prop(vendor_camera_pbcs_debug_prop) +system_vendor_config_prop(vendor_edgetpu_cpu_scheduler_prop) +system_vendor_config_prop(vendor_edgetpu_runtime_prop) +system_vendor_config_prop(vendor_hetero_runtime_prop) +system_vendor_config_prop(vendor_tflite_delegate_prop) +system_vendor_config_prop(vendor_uwb_calibration_prop) + +vendor_internal_prop(sensors_prop) +vendor_internal_prop(vendor_aoc_prop) +vendor_internal_prop(vendor_audio_prop) +vendor_internal_prop(vendor_battery_defender_prop) +vendor_internal_prop(vendor_battery_profile_prop) +vendor_internal_prop(vendor_brownout_br_feasible_prop) +vendor_internal_prop(vendor_camera_debug_prop) +vendor_internal_prop(vendor_camera_fatp_prop) +vendor_internal_prop(vendor_camera_prop) +vendor_internal_prop(vendor_cbd_prop) +vendor_internal_prop(vendor_chre_hal_prop) +vendor_internal_prop(vendor_config_default_prop) +vendor_internal_prop(vendor_device_prop) +vendor_internal_prop(vendor_diag_prop) +vendor_internal_prop(vendor_display_prop) +vendor_internal_prop(vendor_dynamic_sensor_prop) +vendor_internal_prop(vendor_flood_prop) +vendor_internal_prop(vendor_gps_prop) +vendor_internal_prop(vendor_gril_prop) +vendor_internal_prop(vendor_ims_prop) +vendor_internal_prop(vendor_logger_prop) +vendor_internal_prop(vendor_mitigation_ready_prop) +vendor_internal_prop(vendor_modem_prop) +vendor_internal_prop(vendor_nfc_prop) +vendor_internal_prop(vendor_persist_config_default_prop) +vendor_internal_prop(vendor_persist_sys_default_prop) vendor_internal_prop(vendor_prop) +vendor_internal_prop(vendor_ramdump_prop) vendor_internal_prop(vendor_rcs_prop) vendor_internal_prop(vendor_rild_prop) -vendor_internal_prop(vendor_gril_prop) -vendor_internal_prop(sensors_prop) -vendor_internal_prop(vendor_ssrdump_prop) 
-vendor_internal_prop(vendor_usb_config_prop) -vendor_internal_prop(vendor_secure_element_prop) -vendor_internal_prop(vendor_cbd_prop) -# vendor defaults -vendor_internal_prop(vendor_config_default_prop) vendor_internal_prop(vendor_ro_config_default_prop) -vendor_internal_prop(vendor_persist_config_default_prop) -vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_ro_sys_default_prop) -vendor_internal_prop(vendor_persist_sys_default_prop) -vendor_internal_prop(vendor_display_prop) -vendor_internal_prop(vendor_camera_prop) -vendor_internal_prop(vendor_camera_fatp_prop) -vendor_internal_prop(vendor_gps_prop) - -# Battery defender -vendor_internal_prop(vendor_battery_defender_prop) - -# Battery profile for harness mode -vendor_internal_prop(vendor_battery_profile_prop) - -# hal_health +vendor_internal_prop(vendor_secure_element_prop) vendor_internal_prop(vendor_shutdown_prop) - -# NFC -vendor_internal_prop(vendor_nfc_prop) - -# WiFi -vendor_internal_prop(vendor_wifi_version) - -# Touchpanel -vendor_internal_prop(vendor_touchpanel_prop) - -# TCP logging +vendor_internal_prop(vendor_slog_prop) +vendor_internal_prop(vendor_ssrdump_prop) +vendor_internal_prop(vendor_sys_default_prop) vendor_internal_prop(vendor_tcpdump_log_prop) - -# Fingerprint -vendor_restricted_prop(vendor_fingerprint_prop) - -# Dynamic sensor -vendor_internal_prop(vendor_dynamic_sensor_prop) - -# UWB calibration -system_vendor_config_prop(vendor_uwb_calibration_prop) -# Country code must be vendor_public to be written by UwbVendorService and read by NFC HAL -vendor_internal_prop(vendor_uwb_calibration_country_code) - -# Trusty storage FS ready +vendor_internal_prop(vendor_thermal_prop) +vendor_internal_prop(vendor_timeout_aoc_prop) +vendor_internal_prop(vendor_touchpanel_prop) vendor_internal_prop(vendor_trusty_storage_prop) +vendor_internal_prop(vendor_usb_config_prop) + +vendor_public_prop(vendor_brownout_reason_prop) -# Mali Integration 
vendor_restricted_prop(vendor_arm_runtime_option_prop) +vendor_restricted_prop(vendor_fingerprint_prop) diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts new file mode 100644 index 00000000..c73d613a --- /dev/null +++ b/sepolicy/vendor/property_contexts 
@@ -0,0 +1,104 @@
+persist.vendor.aoc.status_request_timed_out u:object_r:vendor_timeout_aoc_prop:s0
+persist.vendor.app.audio. u:object_r:vendor_audio_prop_restricted:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+persist.vendor.camera.pbcs.debug. u:object_r:vendor_camera_pbcs_debug_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.intelligence u:object_r:vendor_intelligence_prop:s0
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+persist.vendor.radio.volte_mif_off u:object_r:vendor_volte_mif_off:s0
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0
+ro.boot.ramdump u:object_r:vendor_ramdump_prop:s0
+ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
+ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
+ro.vendor.flood. u:object_r:vendor_flood_prop:s0
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+vendor.audio_hal.aidl.enable u:object_r:vendor_audio_prop:s0
+vendor.audio_hal.device.serialno u:object_r:vendor_audio_prop:s0
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+vendor.brownout.br.feasible u:object_r:vendor_brownout_br_feasible_prop:s0
+vendor.brownout.mitigation.ready u:object_r:vendor_mitigation_ready_prop:s0
+vendor.brownout_reason u:object_r:vendor_brownout_reason_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+vendor.camera.pbcs.debug. u:object_r:vendor_camera_pbcs_debug_prop:s0
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+vendor.chre.multiclient_hal u:object_r:vendor_chre_hal_prop:s0
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.config. u:object_r:vendor_config_default_prop:s0
+vendor.debug.ramdump. u:object_r:vendor_ramdump_prop:s0
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+vendor.edgetpu.cpu_scheduler. u:object_r:vendor_edgetpu_cpu_scheduler_prop:s0
+vendor.edgetpu.runtime. u:object_r:vendor_edgetpu_runtime_prop:s0
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+vendor.edgetpu.tflite_delegate. u:object_r:vendor_tflite_delegate_prop:s0
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+vendor.google.silicon. u:object_r:vendor_hetero_runtime_prop:s0
+vendor.gps. u:object_r:vendor_gps_prop:s0
+vendor.gril. u:object_r:vendor_gril_prop:s0
+vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
+vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.nos.citadel.version u:object_r:vendor_nos_citadel_version:s0
+vendor.pixel.system.phenotype. u:object_r:vendor_pss_systemphenotype_prop:s0
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+vendor.pktrouter u:object_r:vendor_ims_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.radio.ril. u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.sys. u:object_r:vendor_sys_default_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
+vendor.thermal. u:object_r:vendor_thermal_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibration_country_code:s0 exact string
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
diff --git a/sepolicy/whitechapel/vendor/google/radio.te b/sepolicy/vendor/radio.te similarity index 53% rename from sepolicy/whitechapel/vendor/google/radio.te rename to sepolicy/vendor/radio.te index a604c720..a5790d38 100644 --- a/sepolicy/whitechapel/vendor/google/radio.te +++ b/sepolicy/vendor/radio.te @@ -1,9 +1,11 @@ +binder_call(radio, hal_audio_default) + set_prop(radio, telephony_ril_prop) +allow radio hal_audio_ext_hwservice:hwservice_manager find; allow radio hal_exynos_rild_hwservice:hwservice_manager find; +allow radio priv_app:tcp_socket { read write }; allow radio proc_vendor_sched:dir r_dir_perms; allow radio proc_vendor_sched:file w_file_perms; - -# Allow telephony to access file descriptor of the QOS socket -# so it can make sure the QOS is meant for the intended addresses -allow radio priv_app:tcp_socket { read write }; +allow radio radio_vendor_data_file:dir rw_dir_perms; +allow radio radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/ramdump.te b/sepolicy/vendor/ramdump.te
new file mode 100644
index 00000000..c6de8729
--- /dev/null
+++ b/sepolicy/vendor/ramdump.te
@@ -0,0 +1,2 @@
+type ramdump, domain;
+type ramdump_exec, exec_type, file_type, vendor_file_type;
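Review bot: In sepolicy/vendor/property_contexts the entry `ro.vendor.uwb.calibration.` ends in a dot like the prefix entries around it but is marked `exact string`. As I read the property_contexts matching rules, an `exact` entry labels only a property with that literal name, so calibration properties below that prefix would not receive `vendor_uwb_calibration_prop` and would fall back to a broader `ro.vendor.` label, if one exists. If prefix matching is intended, the line should read `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 prefix string`; if a single property is intended, spell out its full name. Only three of the 104 entries state a match kind at all, so stating `prefix` or `exact` on every line would make this kind of mismatch easier to spot in review.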
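Review bot: In sepolicy/vendor/radio.te the rule `allow radio priv_app:tcp_socket { read write };` survives the re-sort, but the two-line comment that justified this cross-domain socket access (checking the QOS socket file descriptor) is deleted. The new `binder_call(radio, hal_audio_default)` and `radio_vendor_data_file` rules also arrive without any rationale. I would keep a one-line comment above the socket rule, for example `# QOS socket fd from priv_app: telephony verifies the QOS is meant for the intended addresses`. The rfsd.te hunk (`self:capability { chown setuid }`, `modem_block_device:blk_file rw_file_perms`) and the rlsservice.te hunk lose their per-rule comments in the same way, which makes later least-privilege audits of these domains harder.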
diff --git a/sepolicy/vendor/ramdump_app.te b/sepolicy/vendor/ramdump_app.te new file mode 100644 index 00000000..d918f91f --- /dev/null +++ b/sepolicy/vendor/ramdump_app.te @@ -0,0 +1 @@ +type ramdump_app, domain; diff --git a/sepolicy/whitechapel/vendor/google/vendor_rcs_app.te b/sepolicy/vendor/rcs_app.te similarity index 99% rename from sepolicy/whitechapel/vendor/google/vendor_rcs_app.te rename to sepolicy/vendor/rcs_app.te index e67727cc..74c2a055 100644 --- a/sepolicy/whitechapel/vendor/google/vendor_rcs_app.te +++ b/sepolicy/vendor/rcs_app.te @@ -1,15 +1,17 @@ type vendor_rcs_app, domain; + app_domain(vendor_rcs_app) + +binder_call(vendor_rcs_app, rild) + net_domain(vendor_rcs_app) +set_prop(vendor_rcs_app, radio_prop) +set_prop(vendor_rcs_app, vendor_rild_prop) + allow vendor_rcs_app app_api_service:service_manager find; allow vendor_rcs_app audioserver_service:service_manager find; -allow vendor_rcs_app radio_service:service_manager find; -allow vendor_rcs_app mediaserver_service:service_manager find; allow vendor_rcs_app cameraserver_service:service_manager find; - allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find; - -binder_call(vendor_rcs_app, rild) -set_prop(vendor_rcs_app, vendor_rild_prop) -set_prop(vendor_rcs_app, radio_prop) +allow vendor_rcs_app mediaserver_service:service_manager find; +allow vendor_rcs_app radio_service:service_manager find; diff --git a/sepolicy/tracking_denials/rebalance_interrupts_vendor.te b/sepolicy/vendor/rebalance_interrupts_vendor.te similarity index 86% rename from sepolicy/tracking_denials/rebalance_interrupts_vendor.te rename to sepolicy/vendor/rebalance_interrupts_vendor.te index f6cec9e1..71286ceb 100644 --- a/sepolicy/tracking_denials/rebalance_interrupts_vendor.te +++ b/sepolicy/vendor/rebalance_interrupts_vendor.te @@ -1,2 +1 @@ -# b/189275648 dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability dac_override; 
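Review bot: The rule `dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability dac_override;` moves out of tracking_denials/ into sepolicy/vendor/ and its `# b/189275648` line is deleted. That turns a tracked, temporary suppression into permanent policy with no reference, and a dontaudit also keeps the denial out of the audit log. I would keep the reference or state the reason, e.g. `# b/189275648: <why this dac_override denial is expected>`. The servicemanager.te hunk does the same with `# b/305600595`, and the new `dontaudit tee unlabeled:dir search;` in tee.te carries no rationale either.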
diff --git a/sepolicy/whitechapel/vendor/google/rfsd.te b/sepolicy/vendor/rfsd.te similarity index 55% rename from sepolicy/whitechapel/vendor/google/rfsd.te rename to sepolicy/vendor/rfsd.te index f51ba865..bc1b4efc 100644 --- a/sepolicy/whitechapel/vendor/google/rfsd.te +++ b/sepolicy/vendor/rfsd.te 
@@ -1,40 +1,23 @@ type rfsd, domain; -type rfsd_exec, vendor_file_type, exec_type, file_type; +type rfsd_exec, exec_type, file_type, vendor_file_type; + init_daemon_domain(rfsd) -# Allow to setuid from root to radio -allow rfsd self:capability { chown setuid }; - -# Allow to search block device and mnt dir for modem EFS partitions -allow rfsd mnt_vendor_file:dir search; -allow rfsd block_device:dir search; - -# Allow to operate with modem EFS file/dir -allow rfsd modem_efs_file:dir create_dir_perms; -allow rfsd modem_efs_file:file create_file_perms; - -allow rfsd radio_vendor_data_file:dir r_dir_perms; -allow rfsd radio_vendor_data_file:file r_file_perms; - +r_dir_file(rfsd, modem_img_file) r_dir_file(rfsd, vendor_fw_file) -# Allow to access rfsd log file/dir +set_prop(rfsd, vendor_modem_prop) +set_prop(rfsd, vendor_rild_prop) + +allow rfsd block_device:dir search; +allow rfsd mnt_vendor_file:dir search; +allow rfsd modem_block_device:blk_file rw_file_perms; +allow rfsd modem_efs_file:dir create_dir_perms; +allow rfsd modem_efs_file:file create_file_perms; +allow rfsd radio_device:chr_file rw_file_perms; +allow rfsd radio_vendor_data_file:dir r_dir_perms; +allow rfsd radio_vendor_data_file:file r_file_perms; +allow rfsd self:capability { chown setuid }; allow rfsd vendor_log_file:dir search; allow rfsd vendor_rfsd_log_file:dir create_dir_perms; allow rfsd vendor_rfsd_log_file:file create_file_perms; - -# Allow to read/write modem block device -allow rfsd modem_block_device:blk_file rw_file_perms; - -# Allow to operate with radio device -allow rfsd radio_device:chr_file rw_file_perms; - -# Allow to set rild and modem property -set_prop(rfsd, vendor_modem_prop) -set_prop(rfsd, vendor_rild_prop) -set_prop(cbd, vendor_cbd_prop) - -# Allow rfsd to access modem image file/dir -allow rfsd modem_img_file:dir r_dir_perms; -allow rfsd modem_img_file:file r_file_perms; -allow rfsd modem_img_file:lnk_file r_file_perms; 
diff --git a/sepolicy/whitechapel/vendor/google/rild.te b/sepolicy/vendor/rild.te similarity index 75% rename from sepolicy/whitechapel/vendor/google/rild.te rename to sepolicy/vendor/rild.te index e578ec4c..0cbf2c94 100644 --- a/sepolicy/whitechapel/vendor/google/rild.te +++ b/sepolicy/vendor/rild.te 
@@ -1,44 +1,32 @@ -set_prop(rild, vendor_rild_prop) +add_hwservice(rild, hal_exynos_rild_hwservice) -get_prop(rild, vendor_persist_config_default_prop) -get_prop(rild, vendor_ro_config_default_prop) -set_prop(rild, vendor_sys_default_prop) +binder_call(rild, bipchmgr) +binder_call(rild, gpsd) +binder_call(rild, hal_audio_default) +binder_call(rild, hal_secure_element_default) +binder_call(rild, modem_svc_sit) +binder_call(rild, oemrilservice_app) +binder_call(rild, platform_app) +binder_call(rild, vendor_ims_app) +binder_call(rild, vendor_rcs_app) get_prop(rild, sota_prop) get_prop(rild, system_boot_reason_prop) +get_prop(rild, vendor_audio_prop) +get_prop(rild, vendor_persist_config_default_prop) +get_prop(rild, vendor_ro_config_default_prop) + +r_dir_file(rild, modem_img_file) set_prop(rild, telephony_ril_prop) +set_prop(rild, vendor_rild_prop) +set_prop(rild, vendor_sys_default_prop) +allow rild hal_audio_ext_hwservice:hwservice_manager find; +allow rild mnt_vendor_file:dir r_dir_perms; allow rild proc_net:file rw_file_perms; allow rild radio_vendor_data_file:dir create_dir_perms; allow rild radio_vendor_data_file:file create_file_perms; allow rild rild_vendor_data_file:dir create_dir_perms; allow rild rild_vendor_data_file:file create_file_perms; allow rild vendor_fw_file:file r_file_perms; -allow rild mnt_vendor_file:dir r_dir_perms; - -r_dir_file(rild, modem_img_file) - -binder_call(rild, bipchmgr) -binder_call(rild, gpsd) -binder_call(rild, hal_audio_default) -binder_call(rild, hal_secure_element_default) -binder_call(rild, platform_app) -binder_call(rild, modem_svc_sit) -binder_call(rild, vendor_ims_app) -binder_call(rild, vendor_rcs_app) -binder_call(rild, oemrilservice_app) -binder_call(rild, logger_app) - -# for hal service -add_hwservice(rild, hal_exynos_rild_hwservice) - -# Allow rild to access files on modem img. 
-allow rild modem_img_file:dir r_dir_perms; -allow rild modem_img_file:file r_file_perms; -allow rild modem_img_file:lnk_file r_file_perms; - -# Allow rild to ptrace for memory leak detection -userdebug_or_eng(` -allow rild self:process ptrace; -') diff --git a/sepolicy/whitechapel/vendor/google/rlsservice.te b/sepolicy/vendor/rlsservice.te similarity index 60% rename from sepolicy/whitechapel/vendor/google/rlsservice.te rename to sepolicy/vendor/rlsservice.te index 0705e5db..dcb46030 100644 --- a/sepolicy/whitechapel/vendor/google/rlsservice.te +++ b/sepolicy/vendor/rlsservice.te 
@@ -1,42 +1,30 @@ type rlsservice, domain; -type rlsservice_exec, exec_type, vendor_file_type, file_type; - -init_daemon_domain(rlsservice) - -vndbinder_use(rlsservice) +type rlsservice_exec, exec_type, file_type, vendor_file_type; add_service(rlsservice, rls_service) -# access rainbow sensor calibration files -allow rlsservice persist_file:dir search; -allow rlsservice persist_camera_file:dir search; -allow rlsservice persist_camera_file:file r_file_perms; -allow rlsservice mnt_vendor_file:dir search; - -# access device files -allow rlsservice rls_device:chr_file rw_file_perms; - binder_call(rlsservice, hal_camera_default) binder_call(rlsservice, hal_sensors_default) binder_call(rlsservice, servicemanager) -# Allow access to always-on compute device node -allow rlsservice device:dir { read watch }; -allow rlsservice aoc_device:chr_file rw_file_perms; +get_prop(rlsservice, vendor_camera_prop) -# Allow access to display backlight information +hal_client_domain(rlsservice, hal_graphics_allocator) + +init_daemon_domain(rlsservice) + +vndbinder_use(rlsservice) + +allow rlsservice aoc_device:chr_file rw_file_perms; +allow rlsservice apex_info_file:file r_file_perms; +allow rlsservice device:dir { read watch }; +allow rlsservice dumpstate:fd use; +allow rlsservice dumpstate:fifo_file write; +allow rlsservice hal_graphics_mapper_hwservice:hwservice_manager find; +allow rlsservice mnt_vendor_file:dir search; +allow rlsservice persist_camera_file:dir search; +allow rlsservice persist_camera_file:file r_file_perms; +allow rlsservice persist_file:dir search; +allow rlsservice rls_device:chr_file rw_file_perms; allow rlsservice sysfs_leds:dir search; allow rlsservice sysfs_leds:file r_file_perms; - -# Allow use of the USF low latency transport -usf_low_latency_transport(rlsservice) - -# For observing apex file changes -allow rlsservice apex_info_file:file r_file_perms; - -# Allow read camera property -get_prop(rlsservice, vendor_camera_prop); - -# Allow rlsservice bugreport 
generation -allow rlsservice dumpstate:fd use; -allow rlsservice dumpstate:fifo_file write; \ No newline at end of file diff --git a/sepolicy/vendor/scd.te b/sepolicy/vendor/scd.te new file mode 100644 index 00000000..8a36c9dc --- /dev/null +++ b/sepolicy/vendor/scd.te @@ -0,0 +1,9 @@ +type scd, domain; +type scd_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(scd) + +net_domain(scd) + +allow scd vendor_gps_file:dir create_dir_perms; +allow scd vendor_gps_file:{ fifo_file file } create_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/seapp_contexts b/sepolicy/vendor/seapp_contexts similarity index 78% rename from sepolicy/whitechapel/vendor/google/seapp_contexts rename to sepolicy/vendor/seapp_contexts index 804c36ce..0ecb84bb 100644 --- a/sepolicy/whitechapel/vendor/google/seapp_contexts +++ b/sepolicy/vendor/seapp_contexts 
@@ -1,47 +1,24 @@ -# Samsung S.LSI telephony +user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all +user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all +user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all +user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all +user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user +user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all +user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all +user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user +user=system seinfo=platform name=com.google.SSRestartDetector 
domain=ssr_detector_app type=system_app_data_file levelFrom=user +user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all +user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all -user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all -user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all - -# oemrilservice -user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all - -# Samsung S.LSI IMS -user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all -user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all - -# grilservice -user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all - -# Domain for omadm -user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all - -# Modem Diagnostic System -user=_app 
isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user -user=_app isPrivApp=true seinfo=platform name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user - -# RIL Config Service -user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file - -# CBRS setup app -user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user - -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user - -# Qorvo UWB system app -# TODO(b/222204912): Should this run under uwb user? -user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all - -# Domain for EuiccSupportPixel -user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all - -# CccDkTimeSyncService -user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all diff --git a/sepolicy/whitechapel/vendor/google/secure_element.te b/sepolicy/vendor/secure_element.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/secure_element.te rename to sepolicy/vendor/secure_element.te diff --git a/sepolicy/vendor/service.te b/sepolicy/vendor/service.te new file mode 100644 index 00000000..2f2b2d65 --- /dev/null +++ b/sepolicy/vendor/service.te 
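Review bot: Several entries on the new side of seapp_contexts (`.ShannonImsService`, `com.shannon.imsservice`, `com.shannon.rcsservice`, `com.google.android.grilservice`, `com.samsung.slsi.telephony.oemril`, `com.google.pixel.digitalkey.timesync`) select a vendor domain from `isPrivApp=true` and the package name alone, with no `seinfo=` selector. The domain assignment for them therefore does not depend on the signing certificate. These lines predate the commit and are only re-sorted here, but keys.conf in the same change already defines signer tags for other apps, so it is worth confirming whether these packages can be bound to one as well. The re-sort also drops `# TODO(b/222204912): Should this run under uwb user?` from the `com.qorvo.uwb.vendorservice` entry; I would keep that comment so the open question stays visible.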
@@ -0,0 +1,14 @@
+type eco_service, service_manager_type;
+type edgetpu_nnapi_service, app_api_service, isolated_compute_allowed_service, service_manager_type;
+type gril_antenna_tuning_service, hal_service_type, service_manager_type;
+type hal_battery_mitigation_service, hal_service_type, service_manager_type;
+type hal_bluetooth_coexistence_service, hal_service_type, pixel_bluetooth_service_type, service_manager_type;
+type hal_pixel_display_service, hal_service_type, service_manager_type;
+type hal_pixel_remote_camera_service, hal_service_type, protected_service, service_manager_type;
+type rls_service, service_manager_type;
+type screen_protector_detector_service, hal_service_type, service_manager_type;
+type touch_context_service, hal_service_type, service_manager_type;
+type twoshay_file_dump_service, hal_service_type, service_manager_type;
+type twoshay_notification_service, hal_service_type, service_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type vendor_image_processing_hal_service, hal_service_type, protected_service, service_manager_type;
diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts
new file mode 100644
index 00000000..63c43748
--- /dev/null
+++ b/sepolicy/vendor/service_contexts
@@ -0,0 +1,36 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
+aocx.IAocx/default u:object_r:aocx:s0
+com.google.android.imageprocessing.hal.IImageProcessingHal/default u:object_r:vendor_image_processing_hal_service:s0
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0
+com.google.edgetpu.tachyon.IComputeService/default u:object_r:edgetpu_tachyon_service:s0
+com.google.flood.IFloodService/default u:object_r:flood_control_service:s0
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
+com.google.input.ITwoshayFileDumpService/touchflow_default u:object_r:twoshay_file_dump_service:s0
+com.google.input.ITwoshayFileDumpService/touchflow_outer u:object_r:twoshay_file_dump_service:s0
+com.google.input.ITwoshayFileDumpService/twoshay u:object_r:twoshay_file_dump_service:s0
+com.google.input.ITwoshayNotificationService/default u:object_r:twoshay_notification_service:s0
+com.google.input.algos.gril.IGrilAntennaTuningService/default u:object_r:gril_antenna_tuning_service:s0
+com.google.input.algos.spd.IScreenProtectorDetectorService/default u:object_r:screen_protector_detector_service:s0
+com.google.pixel.camera.connectivity.hal.provider.ICameraProvider/default u:object_r:hal_pixel_remote_camera_service:s0
+com.google.pixel.shared_modem_platform.ISharedModemPlatform/default u:object_r:hal_shared_modem_platform_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
+mapper/pixel u:object_r:hal_graphics_mapper_service:s0
+media.ecoservice u:object_r:eco_service:s0
+rlsservice u:object_r:rls_service:s0
+vendor.goodix.hardware.biometrics.fingerprint.IGoodixFingerprintDaemon/default u:object_r:hal_fingerprint_service:s0
+vendor.google.battery_mitigation.IBatteryMitigation/default u:object_r:hal_battery_mitigation_service:s0
+vendor.google.bluetooth_ext.IBTChannelAvoidance/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothCcc/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothCco/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothEwp/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothExt/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothFinder/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.bluetooth_ext.IBluetoothSar/default u:object_r:hal_bluetooth_coexistence_service:s0
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
diff --git a/sepolicy/tracking_denials/servicemanager.te b/sepolicy/vendor/servicemanager.te similarity index 51% rename from sepolicy/tracking_denials/servicemanager.te rename to sepolicy/vendor/servicemanager.te index a6b549ff..4388b744 100644 --- a/sepolicy/tracking_denials/servicemanager.te +++ b/sepolicy/vendor/servicemanager.te @@ -1,2 +1,3 @@ -# b/305600595 +binder_call(servicemanager, hal_fingerprint_default) + dontaudit servicemanager hal_thermal_default:binder call;
diff --git a/sepolicy/whitechapel/vendor/google/shell.te b/sepolicy/vendor/shell.te similarity index 51% rename from sepolicy/whitechapel/vendor/google/shell.te rename to sepolicy/vendor/shell.te index e13e744e..9a62bf52 100644 --- a/sepolicy/whitechapel/vendor/google/shell.te +++ b/sepolicy/vendor/shell.te @@ -1,10 +1,6 @@ -allow shell eco_service:service_manager find; +set_prop(vendor_shell, vendor_battery_profile_prop) -# Allow access to the SJTAG kernel interface from the shell -userdebug_or_eng(` - allow shell sysfs_sjtag:dir r_dir_perms; - allow shell sysfs_sjtag:file rw_file_perms; -') +allow shell eco_service:service_manager find; dontaudit shell proc_vendor_sched:dir search; dontaudit shell proc_vendor_sched:file write; diff --git a/sepolicy/vendor/sscoredump.te b/sepolicy/vendor/sscoredump.te new file mode 100644 index 00000000..15cb58d1 --- /dev/null +++ b/sepolicy/vendor/sscoredump.te @@ -0,0 +1,12 @@ +type sscoredump, domain; +type sscoredump_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(sscoredump) + +set_prop(sscoredump, vendor_ssrdump_prop) + +allow sscoredump device:dir r_dir_perms; +allow sscoredump sscoredump_device:chr_file rw_file_perms; +allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; +allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms; +allow sscoredump sysfs_sscoredump_subsystem_report_count:file r_file_perms; diff --git a/sepolicy/vendor/ssr_detector_app.te b/sepolicy/vendor/ssr_detector_app.te new file mode 100644 index 00000000..84ab3117 --- /dev/null +++ b/sepolicy/vendor/ssr_detector_app.te 
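Review bot: In sepolicy/vendor/shell.te, `set_prop(vendor_shell, vendor_battery_profile_prop)` is added with no build-variant guard. This commit's property_contexts maps `persist.vendor.testing_battery_profile` to that type, and the comment removed from property.te describes it as the battery profile for harness mode. If this is a test-only knob, it should sit inside a `userdebug_or_eng(...)` block, the guard this file used for the SJTAG rules that the hunk removes. If the rule was instead moved here unchanged from another file, a one-line comment such as `# vendor_shell sets the harness-mode battery profile` would make that clear. The rule also grants to `vendor_shell` in a file otherwise about `shell`, which is easy to miss when auditing either domain.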
@@ -0,0 +1,13 @@ +type ssr_detector_app, domain; + +app_domain(ssr_detector_app) + +get_prop(ssr_detector_app, vendor_ssrdump_prop) +get_prop(ssr_detector_app, vendor_wifi_version) + +allow ssr_detector_app app_api_service:service_manager find; +allow ssr_detector_app radio_service:service_manager find; +allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms; +allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms; +allow ssr_detector_app system_app_data_file:dir create_dir_perms; +allow ssr_detector_app system_app_data_file:file create_file_perms; diff --git a/sepolicy/vendor/storage_init.te b/sepolicy/vendor/storage_init.te new file mode 100644 index 00000000..f7059908 --- /dev/null +++ b/sepolicy/vendor/storage_init.te @@ -0,0 +1,10 @@ +type storage_init, domain; +type storage_init_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(storage_init) + +allow storage_init proc_f2fs:dir search; +allow storage_init proc_f2fs:file { getattr open read }; +allow storage_init sysfs_fs_f2fs:dir search; +allow storage_init sysfs_fs_f2fs:file { getattr open read write }; +allow storage_init vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/vendor/storage_intelligence.te b/sepolicy/vendor/storage_intelligence.te new file mode 100644 index 00000000..190ae470 --- /dev/null +++ b/sepolicy/vendor/storage_intelligence.te @@ -0,0 +1,10 @@ +type storage_intelligence, domain; +type storage_intelligence_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(storage_intelligence) + +set_prop(storage_intelligence, vendor_intelligence_prop) + +allow storage_intelligence block_device:dir search; +allow storage_intelligence userdata_exp_block_device:blk_file rw_file_perms; +allow storage_intelligence vendor_toolbox_exec:file execute_no_trans; 
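Review bot: The last two rules of the new ssr_detector_app.te, `allow ssr_detector_app system_app_data_file:dir create_dir_perms;` and the matching `:file create_file_perms;`, give this vendor app domain create and write access to a label shared by the data directories of system apps. The domain otherwise only reads crash info (`sscoredump_vendor_data_crashinfo_file` with `r_dir_perms`/`r_file_perms`), so this is the widest grant in the file and it has no stated reason. If the app only writes to its own private directory, say so in a comment, e.g. `# app runs with the system UID; its own data dir is labelled system_app_data_file` (confirm against seapp_contexts, which is not in this hunk). If a dedicated data type is feasible, it would keep a bug in this app from touching other system apps' files.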
diff --git a/sepolicy/whitechapel/vendor/google/vndservice.te b/sepolicy/vendor/surfaceflinger_vndservice.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/vndservice.te rename to sepolicy/vendor/surfaceflinger_vndservice.te diff --git a/sepolicy/vendor/system.te b/sepolicy/vendor/system.te new file mode 100644 index 00000000..5405c1d8 --- /dev/null +++ b/sepolicy/vendor/system.te @@ -0,0 +1,3 @@ +binder_call(system_server, gpsd) +binder_call(system_server, hal_camera_default) +binder_call(system_server, pixelstats_vendor) diff --git a/sepolicy/whitechapel/vendor/google/system_app.te b/sepolicy/vendor/system_app.te similarity index 99% rename from sepolicy/whitechapel/vendor/google/system_app.te rename to sepolicy/vendor/system_app.te index 735d1c67..31c77125 100644 --- a/sepolicy/whitechapel/vendor/google/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -1,8 +1,7 @@ -allow system_app proc_vendor_sched:dir r_dir_perms; -allow system_app proc_vendor_sched:file w_file_perms; +binder_call(system_app, hal_wireless_charger) allow system_app fwk_stats_hwservice:hwservice_manager find; allow system_app hal_exynos_rild_hwservice:hwservice_manager find; - allow system_app hal_wireless_charger_service:service_manager find; -binder_call(system_app, hal_wireless_charger) +allow system_app proc_vendor_sched:dir r_dir_perms; +allow system_app proc_vendor_sched:file w_file_perms; diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te new file mode 100644 index 00000000..8652eea5 --- /dev/null +++ b/sepolicy/vendor/tee.te @@ -0,0 +1,14 @@ +read_fstab(tee) + +set_prop(tee, vendor_trusty_storage_prop) + +wakelock_use(tee) + +allow tee mnt_vendor_file:dir r_dir_perms; +allow tee persist_file:dir r_dir_perms; +allow tee persist_ss_file:dir create_dir_perms; +allow tee persist_ss_file:file create_file_perms; +allow tee sg_device:chr_file rw_file_perms; +allow tee tee_data_file:lnk_file r_file_perms; + +dontaudit tee unlabeled:dir search; 
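Review bot: The final rule of the new tee.te, `dontaudit tee unlabeled:dir search;`, suppresses a denial that usually indicates a labelling gap (a path missing from file_contexts or a filesystem that was never relabelled) rather than an access the domain simply does not need. Hiding it means a later regression in the labelling of the persist or secure-storage paths this domain uses (`persist_ss_file`, `tee_data_file`) would produce no audit trail. I would at least record the cause next to the rule, e.g. `# b/<bug-id>: tee probes <path> before it is labelled; harmless`, with the real bug and path filled in. It is also worth checking whether a file_contexts entry would remove the need for the dontaudit.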
diff --git a/sepolicy/whitechapel/vendor/google/vendor_telephony_app.te b/sepolicy/vendor/telephony_app.te similarity index 65% rename from sepolicy/whitechapel/vendor/google/vendor_telephony_app.te rename to sepolicy/vendor/telephony_app.te index b046e60b..857b290a 100644 --- a/sepolicy/whitechapel/vendor/google/vendor_telephony_app.te +++ b/sepolicy/vendor/telephony_app.te @@ -1,22 +1,16 @@ type vendor_telephony_app, domain; + app_domain(vendor_telephony_app) -get_prop(vendor_telephony_app, vendor_rild_prop) -set_prop(vendor_telephony_app, vendor_persist_sys_default_prop) -set_prop(vendor_telephony_app, vendor_modem_prop) -set_prop(vendor_telephony_app, vendor_slog_prop) +binder_call(vendor_telephony_app, dmd) -allow vendor_telephony_app vendor_slog_file:dir create_dir_perms; -allow vendor_telephony_app vendor_slog_file:file create_file_perms; +get_prop(vendor_telephony_app, vendor_rild_prop) + +set_prop(vendor_telephony_app, vendor_modem_prop) +set_prop(vendor_telephony_app, vendor_persist_sys_default_prop) +set_prop(vendor_telephony_app, vendor_slog_prop) allow vendor_telephony_app app_api_service:service_manager find; allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find; -binder_call(vendor_telephony_app, dmd) - -userdebug_or_eng(` -# Silent Logging -dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms; -dontaudit vendor_telephony_app system_app_data_file:file create_file_perms; -dontaudit vendor_telephony_app default_prop:file { getattr open read map }; -allow vendor_telephony_app selinuxfs:file { read open }; -') +allow vendor_telephony_app vendor_slog_file:dir create_dir_perms; +allow vendor_telephony_app vendor_slog_file:file create_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/toolbox.te b/sepolicy/vendor/toolbox.te similarity index 100% rename from sepolicy/whitechapel/vendor/google/toolbox.te rename to sepolicy/vendor/toolbox.te index 9fbbb7ab..452408de 100644 
--- a/sepolicy/whitechapel/vendor/google/toolbox.te +++ b/sepolicy/vendor/toolbox.te @@ -1,3 +1,3 @@ -allow toolbox ram_device:blk_file rw_file_perms; allow toolbox per_boot_file:dir create_dir_perms; allow toolbox per_boot_file:file create_file_perms; +allow toolbox ram_device:blk_file rw_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/trusty_apploader.te b/sepolicy/vendor/trusty_apploader.te similarity index 80% rename from sepolicy/whitechapel/vendor/google/trusty_apploader.te rename to sepolicy/vendor/trusty_apploader.te index 983e3a03..962e14ff 100644 --- a/sepolicy/whitechapel/vendor/google/trusty_apploader.te +++ b/sepolicy/vendor/trusty_apploader.te @@ -1,7 +1,8 @@ type trusty_apploader, domain; -type trusty_apploader_exec, exec_type, vendor_file_type, file_type; +type trusty_apploader_exec, exec_type, file_type, vendor_file_type; + init_daemon_domain(trusty_apploader) +allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms; allow trusty_apploader ion_device:chr_file r_file_perms; allow trusty_apploader tee_device:chr_file rw_file_perms; -allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms; diff --git a/sepolicy/trusty_metricsd/trusty_metricsd.te b/sepolicy/vendor/trusty_metricsd.te similarity index 73% rename from sepolicy/trusty_metricsd/trusty_metricsd.te rename to sepolicy/vendor/trusty_metricsd.te index 63fc85b6..71858d6c 100644 --- a/sepolicy/trusty_metricsd/trusty_metricsd.te +++ b/sepolicy/vendor/trusty_metricsd.te 
@@ -1,11 +1,11 @@ type trusty_metricsd, domain; -type trusty_metricsd_exec, exec_type, vendor_file_type, file_type; +type trusty_metricsd_exec, exec_type, file_type, vendor_file_type; + +binder_call(trusty_metricsd, system_server) + +binder_use(trusty_metricsd) init_daemon_domain(trusty_metricsd) -allow trusty_metricsd tee_device:chr_file rw_file_perms; - -# For Suez metrics collection -binder_use(trusty_metricsd) -binder_call(trusty_metricsd, system_server) allow trusty_metricsd fwk_stats_service:service_manager find; +allow trusty_metricsd tee_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/twoshay.te b/sepolicy/vendor/twoshay.te new file mode 100644 index 00000000..8bb2e063 --- /dev/null +++ b/sepolicy/vendor/twoshay.te @@ -0,0 +1,24 @@ +type twoshay, domain; +type twoshay_exec, exec_type, file_type, vendor_file_type; + +add_service(twoshay, gril_antenna_tuning_service) +add_service(twoshay, screen_protector_detector_service) +add_service(twoshay, touch_context_service) +add_service(twoshay, twoshay_file_dump_service) +add_service(twoshay, twoshay_notification_service) + +binder_call(twoshay, platform_app) +binder_call(twoshay, stats_service_server) + +binder_use(twoshay) + +init_daemon_domain(twoshay) + +allow twoshay dumpstate:fd use; +allow twoshay dumpstate:fifo_file write; +allow twoshay fwk_stats_service:service_manager find; +allow twoshay touch_offload_device:chr_file rw_file_perms; +allow twoshay twoshay:capability sys_nice; + +dontaudit twoshay boot_status_prop:file read; +dontaudit twoshay twoshay:capability dac_override; diff --git a/sepolicy/vendor/ufs_firmware_update.te b/sepolicy/vendor/ufs_firmware_update.te new file mode 100644 index 00000000..e08d5ac8 --- /dev/null +++ b/sepolicy/vendor/ufs_firmware_update.te 
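Review bot: In the new twoshay.te, the capability rules name the domain as its own target (`allow twoshay twoshay:capability sys_nice;`, `dontaudit twoshay twoshay:capability dac_override;`) instead of using the conventional `self`, which makes them easy to miss when searching policy for self-granted capabilities. I would write `allow twoshay self:capability sys_nice;` and `dontaudit twoshay self:capability dac_override;`. The `dac_override` dontaudit also deserves a comment: that denial typically means the daemon is opening a file whose owner or mode does not match its UID/GID, and fixing the ownership is preferable to silencing the check. A short note on why `binder_call(twoshay, platform_app)` is needed would help too, since it lets a vendor daemon call into every platform-signed app.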
@@ -0,0 +1,9 @@ +type ufs_firmware_update, domain; +type ufs_firmware_update_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(ufs_firmware_update) + +allow ufs_firmware_update block_device:dir search; +allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms; +allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms; +allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans; diff --git a/sepolicy/whitechapel/vendor/google/untrusted_app_all.te b/sepolicy/vendor/untrusted_app_all.te similarity index 57% rename from sepolicy/whitechapel/vendor/google/untrusted_app_all.te rename to sepolicy/vendor/untrusted_app_all.te index 642ee175..d6e0c743 100644 --- a/sepolicy/whitechapel/vendor/google/untrusted_app_all.te +++ b/sepolicy/vendor/untrusted_app_all.te @@ -1,6 +1,6 @@ -# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap -# for secure video playback allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow untrusted_app_all edgetpu_app_service:service_manager find; +allow untrusted_app_all edgetpu_device:chr_file { getattr ioctl map read write }; dontaudit untrusted_app_all proc_vendor_sched:dir search; dontaudit untrusted_app_all proc_vendor_sched:file write; diff --git a/sepolicy/whitechapel/vendor/google/update_engine.te b/sepolicy/vendor/update_engine.te similarity index 56% rename from sepolicy/whitechapel/vendor/google/update_engine.te rename to sepolicy/vendor/update_engine.te index 8342f126..c4fbbfbb 100644 --- a/sepolicy/whitechapel/vendor/google/update_engine.te +++ b/sepolicy/vendor/update_engine.te @@ -1,6 +1,4 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; -allow update_engine proc_bootconfig:file r_file_perms; -# update_engine probe mnt_vendor_file during OTA, which is a permission not required dontaudit update_engine mnt_vendor_file:dir search; 
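Review bot: The untrusted_app_all.te hunk adds `allow untrusted_app_all edgetpu_device:chr_file { getattr ioctl map read write };` with no accompanying `allowxperm`, so as far as this hunk shows every third-party app can issue any ioctl command to the EdgeTPU driver node. That makes the whole ioctl surface of a vendor kernel driver reachable from the least-trusted domain on the device. I would restrict it to the commands the userspace library actually uses, e.g. `allowxperm untrusted_app_all edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_ALLOWLIST> };` (placeholder; take the list from the driver's UAPI header), or state in a comment where that filtering is done if it lives in another policy directory. The hunk also deletes the comment explaining why untrusted apps may open `dmabuf_system_secure_heap_device` (secure video playback); please keep it, since grants to `untrusted_app_all` get looked at first in any policy audit.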
diff --git a/sepolicy/vendor/uwb_calibration_country_code.te b/sepolicy/vendor/uwb_calibration_country_code.te new file mode 100644 index 00000000..a1205857 --- /dev/null +++ b/sepolicy/vendor/uwb_calibration_country_code.te @@ -0,0 +1 @@ +vendor_internal_prop(vendor_uwb_calibration_country_code) diff --git a/sepolicy/whitechapel/vendor/google/vendor_uwb_init.te b/sepolicy/vendor/uwb_init.te similarity index 65% rename from sepolicy/whitechapel/vendor/google/vendor_uwb_init.te rename to sepolicy/vendor/uwb_init.te index 716af19c..9fd87a6d 100644 --- a/sepolicy/whitechapel/vendor/google/vendor_uwb_init.te +++ b/sepolicy/vendor/uwb_init.te @@ -1,10 +1,9 @@ type vendor_uwb_init, domain; -type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type; +type vendor_uwb_init_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(vendor_uwb_init) -allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; -allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; - -allow vendor_uwb_init uwb_data_vendor:file create_file_perms; allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms; +allow vendor_uwb_init uwb_data_vendor:file create_file_perms; +allow vendor_uwb_init vendor_shell_exec:file rx_file_perms; +allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/uwb_vendor_app.te b/sepolicy/vendor/uwb_vendor_app.te similarity index 68% rename from sepolicy/whitechapel/vendor/google/uwb_vendor_app.te rename to sepolicy/vendor/uwb_vendor_app.te index 9db45475..1e9e3544 100644 --- a/sepolicy/whitechapel/vendor/google/uwb_vendor_app.te +++ b/sepolicy/vendor/uwb_vendor_app.te 
@@ -2,23 +2,17 @@ type uwb_vendor_app, domain; app_domain(uwb_vendor_app) -not_recovery(` +binder_call(uwb_vendor_app, hal_uwb_vendor_default) + +get_prop(uwb_vendor_app, vendor_secure_element_prop) + hal_client_domain(uwb_vendor_app, hal_uwb_vendor) +set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code) + allow uwb_vendor_app app_api_service:service_manager find; allow uwb_vendor_app hal_uwb_vendor_service:service_manager find; allow uwb_vendor_app nfc_service:service_manager find; allow uwb_vendor_app radio_service:service_manager find; - -allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms; - -allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice }; -allow hal_uwb_vendor_default kernel:process { setsched }; -# UwbVendorService must be able to read USRA version from vendor_secure_element_prop -get_prop(uwb_vendor_app, vendor_secure_element_prop) -# UwbVendorService must be able to write country code prop -set_prop(uwb_vendor_app, vendor_uwb_calibration_country_code) - -binder_call(uwb_vendor_app, hal_uwb_vendor_default) -') +allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms; diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts new file mode 100644 index 00000000..e9879645 --- /dev/null +++ b/sepolicy/vendor/vndservice_contexts @@ -0,0 +1,3 @@ +Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0 +android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0 +displaycolor u:object_r:vendor_displaycolor_service:s0 diff --git a/sepolicy/vendor/vndservicemanager.te b/sepolicy/vendor/vndservicemanager.te new file mode 100644 index 00000000..335cd2bc --- /dev/null +++ b/sepolicy/vendor/vndservicemanager.te @@ -0,0 +1 @@ +binder_call(vndservicemanager, hal_keymint_citadel) diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te new file mode 100644 index 00000000..98cf1bef --- /dev/null 
+++ b/sepolicy/vendor/vold.te @@ -0,0 +1,13 @@ +allow vold efs_block_device:blk_file getattr; +allow vold modem_efs_file:dir { ioctl open read }; +allow vold modem_efs_file:dir rw_dir_perms; +allow vold modem_userdata_block_device:blk_file getattr; +allow vold modem_userdata_file:dir { ioctl open read }; +allow vold modem_userdata_file:dir rw_dir_perms; +allow vold sysfs_scsi_devices_0000:file rw_file_perms; +allow vold userdata_exp_block_device:blk_file rw_file_perms; + +allowxperm vold userdata_exp_block_device:blk_file ioctl BLKSECDISCARD; + +dontaudit vold dumpstate:fd use; +dontaudit vold dumpstate:fifo_file rw_file_perms; diff --git a/sepolicy/vendor/volte_mif_off.te b/sepolicy/vendor/volte_mif_off.te new file mode 100644 index 00000000..fa94bd7d --- /dev/null +++ b/sepolicy/vendor/volte_mif_off.te @@ -0,0 +1 @@ +vendor_internal_prop(vendor_volte_mif_off) diff --git a/sepolicy/vendor/wifi_version.te b/sepolicy/vendor/wifi_version.te new file mode 100644 index 00000000..433a4ab5 --- /dev/null +++ b/sepolicy/vendor/wifi_version.te @@ -0,0 +1 @@ +vendor_internal_prop(vendor_wifi_version) diff --git a/sepolicy/whitechapel/vendor/google/wlcfwupdate.te b/sepolicy/vendor/wlcfwupdate.te similarity index 81% rename from sepolicy/whitechapel/vendor/google/wlcfwupdate.te rename to sepolicy/vendor/wlcfwupdate.te index 37c29484..618d9f60 100644 --- a/sepolicy/whitechapel/vendor/google/wlcfwupdate.te +++ b/sepolicy/vendor/wlcfwupdate.te @@ -1,6 +1,5 @@ -# wlcfwupdate service type wlcfwupdate, domain; -type wlcfwupdate_exec, vendor_file_type, exec_type, file_type; +type wlcfwupdate_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(wlcfwupdate) diff --git a/sepolicy/whitechapel/vendor/google/attributes b/sepolicy/whitechapel/vendor/google/attributes deleted file mode 100644 index 7e6def72..00000000 --- a/sepolicy/whitechapel/vendor/google/attributes +++ /dev/null @@ -1 +0,0 @@ -attribute vendor_persist_type; 
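Review bot: The new vold.te grants each modem directory twice: `allow vold modem_efs_file:dir { ioctl open read };` is immediately followed by `allow vold modem_efs_file:dir rw_dir_perms;`, and the same pair repeats for `modem_userdata_file`. `rw_dir_perms` already contains `ioctl`, `open` and `read`, so the narrower lines have no effect and hide the fact that vold really has write/add_name/remove_name on these directories. If vold only needs to traverse and list them, keep the narrow rule and drop the `rw_dir_perms` line. If the write access is required, delete the two `{ ioctl open read }` lines and add a comment saying which operation needs it. The two trailing `dontaudit vold dumpstate:...` rules would also benefit from a one-line reason.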
diff --git a/sepolicy/whitechapel/vendor/google/audioserver.te b/sepolicy/whitechapel/vendor/google/audioserver.te deleted file mode 100644 index c7d69097..00000000 --- a/sepolicy/whitechapel/vendor/google/audioserver.te +++ /dev/null @@ -1,3 +0,0 @@ -# allow access to ALSA MMAP FDs for AAudio API -allow audioserver audio_device:chr_file r_file_perms; -allow audioserver audio_service:service_manager find; diff --git a/sepolicy/whitechapel/vendor/google/bootanim.te b/sepolicy/whitechapel/vendor/google/bootanim.te deleted file mode 100644 index 7b3019df..00000000 --- a/sepolicy/whitechapel/vendor/google/bootanim.te +++ /dev/null @@ -1,5 +0,0 @@ -# TODO(b/62954877). On Android Wear, bootanim reads the time -# during boot to display. It currently gets that time from a file -# in /data/system. This should be moved. In the meantime, suppress -# this denial on phones since this functionality is not used. -dontaudit bootanim system_data_file:dir r_dir_perms; diff --git a/sepolicy/whitechapel/vendor/google/bug_map b/sepolicy/whitechapel/vendor/google/bug_map deleted file mode 100644 index b7c26b57..00000000 --- a/sepolicy/whitechapel/vendor/google/bug_map +++ /dev/null @@ -1,3 +0,0 @@ -permissioncontroller_app proc_vendor_sched file b/190671898 -vendor_ims_app default_prop file b/194281028 -hal_fingerprint_default default_prop property_service b/215640468 diff --git a/sepolicy/whitechapel/vendor/google/cbrs_setup.te b/sepolicy/whitechapel/vendor/google/cbrs_setup.te deleted file mode 100644 index 1abbcff1..00000000 --- a/sepolicy/whitechapel/vendor/google/cbrs_setup.te +++ /dev/null 
@@ -1,13 +0,0 @@ -# GoogleCBRS app -type cbrs_setup_app, domain; - -userdebug_or_eng(` - app_domain(cbrs_setup_app) - net_domain(cbrs_setup_app) - - allow cbrs_setup_app app_api_service:service_manager find; - allow cbrs_setup_app cameraserver_service:service_manager find; - allow cbrs_setup_app radio_service:service_manager find; - set_prop(cbrs_setup_app, radio_prop) - set_prop(cbrs_setup_app, vendor_rild_prop) -') diff --git a/sepolicy/whitechapel/vendor/google/chre.te b/sepolicy/whitechapel/vendor/google/chre.te deleted file mode 100644 index 2531af89..00000000 --- a/sepolicy/whitechapel/vendor/google/chre.te +++ /dev/null @@ -1,31 +0,0 @@ -type chre, domain; -type chre_exec, vendor_file_type, exec_type, file_type; -init_daemon_domain(chre) - -# Permit communication with AoC -allow chre aoc_device:chr_file rw_file_perms; - -# Allow CHRE to determine AoC's current clock -allow chre sysfs_aoc:dir search; -allow chre sysfs_aoc_boottime:file r_file_perms; - -# Allow CHRE to create thread to watch AOC's device -allow chre device:dir r_dir_perms; - -# Allow CHRE to use the USF low latency transport -usf_low_latency_transport(chre) - -# Allow CHRE to talk to the WiFi HAL -allow chre hal_wifi_ext:binder { call transfer }; -allow chre hal_wifi_ext_hwservice:hwservice_manager find; -allow chre hal_wifi_ext_service:service_manager find; - -# Allow CHRE host to talk to stats service -allow chre fwk_stats_service:service_manager find; -binder_call(chre, stats_service_server) - -# Allow CHRE to use WakeLock -wakelock_use(chre) - -# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP. -allow chre self:global_capability2_class_set block_suspend; diff --git a/sepolicy/whitechapel/vendor/google/device.te b/sepolicy/whitechapel/vendor/google/device.te deleted file mode 100644 index 1e1f25db..00000000 --- a/sepolicy/whitechapel/vendor/google/device.te +++ /dev/null 
@@ -1,39 +0,0 @@ -# Block Devices -type modem_block_device, dev_type; -type mfg_data_block_device, dev_type; - -# Exynos devices -type vendor_toe_device, dev_type; -type custom_ab_block_device, dev_type; - -# usbpd -type logbuffer_device, dev_type; - -#cpuctl -type cpuctl_device, dev_type; - -# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL -type lwis_device, dev_type; - -# RLS device -type rls_device, dev_type; - -# sensor direct DMA-BUF heap -type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; - -#faceauth DMA-BUF heaps -type faceauth_heap_device, dmabuf_heap_device_type, dev_type; - -#vscaler-secure DMA-BUF heap -type vscaler_heap_device, dmabuf_heap_device_type, dev_type; - -# Fingerprint device -type fingerprint_device, dev_type; - -# SecureElement SPI device -type st54spi_device, dev_type; -type st33spi_device, dev_type; - -# GPS -type vendor_gnss_device, dev_type; - diff --git a/sepolicy/whitechapel/vendor/google/dmd.te b/sepolicy/whitechapel/vendor/google/dmd.te deleted file mode 100644 index b51c34d6..00000000 --- a/sepolicy/whitechapel/vendor/google/dmd.te +++ /dev/null @@ -1,5 +0,0 @@ -allow dmd hidl_base_hwservice:hwservice_manager add; -allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find }; -binder_call(dmd, modem_diagnostic_app) -binder_call(dmd, modem_logging_control) -binder_call(dmd, vendor_telephony_app) diff --git a/sepolicy/whitechapel/vendor/google/domain.te b/sepolicy/whitechapel/vendor/google/domain.te deleted file mode 100644 index ad32036f..00000000 --- a/sepolicy/whitechapel/vendor/google/domain.te +++ /dev/null @@ -1,6 +0,0 @@ -allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms; -allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms; - -# Mali -get_prop(domain, vendor_arm_runtime_option_prop) - diff --git a/sepolicy/whitechapel/vendor/google/dumpstate.te b/sepolicy/whitechapel/vendor/google/dumpstate.te deleted file mode 100644 index f5be2a83..00000000 
--- a/sepolicy/whitechapel/vendor/google/dumpstate.te +++ /dev/null @@ -1,16 +0,0 @@ -dump_hal(hal_telephony) -dump_hal(hal_graphics_composer) -dump_hal(hal_uwb_vendor) - -userdebug_or_eng(` - allow dumpstate media_rw_data_file:file append; -') - -allow dumpstate sysfs_scsi_devices_0000:file r_file_perms; -allow dumpstate persist_file:dir r_dir_perms; - -allow dumpstate modem_efs_file:dir getattr; -allow dumpstate modem_img_file:dir getattr; -allow dumpstate modem_userdata_file:dir getattr; -allow dumpstate fuse:dir search; -allow dumpstate rlsservice:binder call; \ No newline at end of file diff --git a/sepolicy/whitechapel/vendor/google/e2fs.te b/sepolicy/whitechapel/vendor/google/e2fs.te deleted file mode 100644 index 3e72adfb..00000000 --- a/sepolicy/whitechapel/vendor/google/e2fs.te +++ /dev/null @@ -1,8 +0,0 @@ -allow e2fs persist_block_device:blk_file rw_file_perms; -allow e2fs efs_block_device:blk_file rw_file_perms; -allow e2fs modem_userdata_block_device:blk_file rw_file_perms; -allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl { - BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET -}; -allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms; -allow e2fs sysfs_scsi_devices_0000:file r_file_perms; diff --git a/sepolicy/whitechapel/vendor/google/euiccpixel_app.te b/sepolicy/whitechapel/vendor/google/euiccpixel_app.te deleted file mode 100644 index c276cb9b..00000000 --- a/sepolicy/whitechapel/vendor/google/euiccpixel_app.te +++ /dev/null 
@@ -1,28 +0,0 @@ -# EuiccSupportPixel app - -type euiccpixel_app, domain; -app_domain(euiccpixel_app) - -allow euiccpixel_app app_api_service:service_manager find; -allow euiccpixel_app radio_service:service_manager find; -allow euiccpixel_app nfc_service:service_manager find; -allow euiccpixel_app surfaceflinger_service:service_manager find; - -set_prop(euiccpixel_app, vendor_secure_element_prop) -set_prop(euiccpixel_app, vendor_modem_prop) -get_prop(euiccpixel_app, dck_prop) - -userdebug_or_eng(` - net_domain(euiccpixel_app) - - # Access to directly upgrade firmware on st54spi_device used for engineering devices - typeattribute st54spi_device mlstrustedobject; - allow euiccpixel_app st54spi_device:chr_file rw_file_perms; - # Access to directly upgrade firmware on st33spi_device used for engineering devices - typeattribute st33spi_device mlstrustedobject; - allow euiccpixel_app st33spi_device:chr_file rw_file_perms; - - allow euiccpixel_app sysfs_st33spi:dir search; - allow euiccpixel_app sysfs_st33spi:file rw_file_perms; -') - diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te deleted file mode 100644 index 1a5b393d..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te +++ /dev/null @@ -1,2 +0,0 @@ -# For collecting bugreports. -dump_hal(hal_camera) diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te deleted file mode 100644 index a90de48e..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te +++ /dev/null @@ -1,3 +0,0 @@ -# Allow exo app to find and bind exo camera injection hal. -allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find; -binder_call(exo_app, hal_exo_camera_injection) 
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts b/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts deleted file mode 100644 index 98627c63..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts +++ /dev/null @@ -1 +0,0 @@ -/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service u:object_r:hal_exo_camera_injection_exec:s0 diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te deleted file mode 100644 index 138d1b1d..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te +++ /dev/null @@ -1,10 +0,0 @@ -# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches. -type hal_exo_camera_injection, domain; -hal_server_domain(hal_exo_camera_injection, hal_camera) - -type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_exo_camera_injection) - -hwbinder_use(hal_exo_camera_injection) -add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice) -allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find; diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te deleted file mode 100644 index cea97689..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te +++ /dev/null @@ -1 +0,0 @@ -type hal_exo_camera_injection_hwservice, hwservice_manager_type; diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts deleted file mode 100644 index 59ccfe67..00000000 --- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts +++ /dev/null 
@@ -1 +0,0 @@ -vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0 diff --git a/sepolicy/whitechapel/vendor/google/fastbootd.te b/sepolicy/whitechapel/vendor/google/fastbootd.te deleted file mode 100644 index d6cf7315..00000000 --- a/sepolicy/whitechapel/vendor/google/fastbootd.te +++ /dev/null @@ -1,8 +0,0 @@ -# Required by the bootcontrol HAL for the 'set_active' command. -recovery_only(` -allow fastbootd st54spi_device:chr_file rw_file_perms; -allow fastbootd devinfo_block_device:blk_file rw_file_perms; -allow fastbootd sda_block_device:blk_file rw_file_perms; -allow fastbootd sysfs_ota:file rw_file_perms; -allow fastbootd custom_ab_block_device:blk_file rw_file_perms; -') diff --git a/sepolicy/whitechapel/vendor/google/file.te b/sepolicy/whitechapel/vendor/google/file.te deleted file mode 100644 index 616aad27..00000000 --- a/sepolicy/whitechapel/vendor/google/file.te +++ /dev/null 
@@ -1,163 +0,0 @@ -# Exynos Data Files -#type vendor_data_file, file_type, data_file_type; -type vendor_cbd_boot_file, file_type, data_file_type; - -# Exynos Log Files -type vendor_log_file, file_type, data_file_type; -type vendor_cbd_log_file, file_type, data_file_type; -type vendor_dmd_log_file, file_type, data_file_type; -type vendor_rfsd_log_file, file_type, data_file_type; -type vendor_dump_log_file, file_type, data_file_type; -type vendor_rild_log_file, file_type, data_file_type; -type vendor_telephony_log_file, file_type, data_file_type; - -# app data files -type vendor_test_data_file, file_type, data_file_type; -type vendor_telephony_data_file, file_type, data_file_type; -type vendor_ims_data_file, file_type, data_file_type; -type vendor_misc_data_file, file_type, data_file_type; -type vendor_rpmbmock_data_file, file_type, data_file_type; - -# Exynos debugfs -type vendor_ion_debugfs, fs_type, debugfs_type; -type vendor_mali_debugfs, fs_type, debugfs_type; -type vendor_pm_genpd_debugfs, fs_type, debugfs_type; -type vendor_regmap_debugfs, fs_type, debugfs_type; -type vendor_usb_debugfs, fs_type, debugfs_type; -type vendor_maxfg_debugfs, fs_type, debugfs_type; -type vendor_charger_debugfs, fs_type, debugfs_type; -type vendor_votable_debugfs, fs_type, debugfs_type; -type vendor_battery_debugfs, fs_type, debugfs_type; - -# Exynos Firmware -type vendor_fw_file, vendor_file_type, file_type; - -# ACPM -type sysfs_acpm_stats, sysfs_type, fs_type; - -# Vendor tools -type vendor_dumpsys, vendor_file_type, file_type; - -# Sensors -type nanohub_lock_file, file_type, data_file_type; -type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject; -type sensors_cal_file, file_type; -type sysfs_nanoapp_cmd, sysfs_type, fs_type; - -# Fingerprint -type sysfs_fingerprint, sysfs_type, fs_type; - -# CHRE -type chre_data_file, file_type, data_file_type; -type chre_socket, file_type; - -# BT -type vendor_bt_data_file, file_type, data_file_type; - -# IOMMU -type 
sysfs_iommu, sysfs_type, fs_type; - -type sysfs_devicetree, sysfs_type, fs_type; -type sysfs_mem, sysfs_type, fs_type; - -# WiFi -type sysfs_wifi, sysfs_type, fs_type; - -# All files under /data/vendor/firmware/wifi -type updated_wifi_firmware_data_file, file_type, data_file_type; - -# Widevine DRM -type mediadrm_vendor_data_file, file_type, data_file_type; - -# Storage Health HAL -type proc_f2fs, proc_type, fs_type; - -type bootdevice_sysdev, dev_type; - -# ZRam -type per_boot_file, file_type, data_file_type, core_data_file_type; - -# RILD -type rild_vendor_data_file, file_type, data_file_type; - -# Modem -type modem_stat_data_file, file_type, data_file_type; -type modem_efs_file, file_type; -type modem_userdata_file, file_type; -type sysfs_modem, sysfs_type, fs_type; -type persist_modem_file, file_type, vendor_persist_type; - - -type modem_img_file, contextmount_type, file_type, vendor_file_type; -allow modem_img_file self:filesystem associate; - -# Pca -type sysfs_pca, sysfs_type, fs_type; - -# Camera -type persist_camera_file, file_type; -type vendor_camera_tuning_file, vendor_file_type, file_type; -type sysfs_camera, sysfs_type, fs_type; - -# GPS -type vendor_gps_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute vendor_gps_file mlstrustedobject; -') - -# Backlight -type sysfs_backlight, sysfs_type, fs_type; - -# Charger -type sysfs_chargelevel, sysfs_type, fs_type; - -# ODPM -type powerstats_vendor_data_file, file_type, data_file_type; - -# Chosen -type sysfs_chosen, sysfs_type, fs_type; - -# Battery -type persist_battery_file, file_type, vendor_persist_type; - -# Fabric -type sysfs_fabric, sysfs_type, fs_type; - -# Memory -type sysfs_memory, sysfs_type, fs_type; - -# bcmdhd (Broadcom FullMAC wireless cards support) -type sysfs_bcmdhd, sysfs_type, fs_type; - -# UWB vendor -type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; -type persist_uwb_file, file_type, vendor_persist_type; -type uwb_data_vendor, file_type, 
data_file_type; - -# WLC FW -type vendor_wlc_fwupdata_file, vendor_file_type, file_type; - -#USB-C throttling stats -type sysfs_usbc_throttling_stats, sysfs_type, fs_type; - -# SJTAG -type sysfs_sjtag, fs_type, sysfs_type; -userdebug_or_eng(` - typeattribute sysfs_sjtag mlstrustedobject; -') - -# SecureElement -type sysfs_st33spi, sysfs_type, fs_type; -userdebug_or_eng(` - typeattribute sysfs_st33spi mlstrustedobject; -') - -# Trusty -type sysfs_trusty, sysfs_type, fs_type; - -# BootControl -type sysfs_bootctl, sysfs_type, fs_type; - -# WLC -type sysfs_wlc, sysfs_type, fs_type; - diff --git a/sepolicy/whitechapel/vendor/google/file_contexts b/sepolicy/whitechapel/vendor/google/file_contexts deleted file mode 100644 index b24e6cca..00000000 --- a/sepolicy/whitechapel/vendor/google/file_contexts +++ /dev/null 
@@ -1,376 +0,0 @@
-#
-# Exynos HAL
-#
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_widevine_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0
-/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0
-
-/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
-/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
-
-/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
-/vendor/bin/dump/dump_power u:object_r:dump_power_exec:s0
-#
-# HALs
-#
-/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
-
-# Wireless charger HAL
-/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
-
-# Vendor Firmwares
-/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0
-
-# Gralloc
-/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so u:object_r:same_process_hal_file:s0
-
-#
-# Exynos Block Devices
-#
-/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
-/dev/block/sda u:object_r:sda_block_device:s0
-/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
-
-#
-# Exynos Devices
-#
-/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
-/dev/bbd_pwrstat u:object_r:power_stats_device:s0
-/dev/radio0 u:object_r:radio_device:s0
-/dev/dri/card0 u:object_r:graphics_device:s0
-/dev/fimg2d u:object_r:graphics_device:s0
-/dev/g2d u:object_r:graphics_device:s0
-/dev/tsmux u:object_r:video_device:s0
-/dev/repeater u:object_r:video_device:s0
-/dev/scsc_h4_0 u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
-/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
-/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0
-/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
-/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
-/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
-/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
-/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
-/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
-/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
-/dev/logbuffer_bd u:object_r:logbuffer_device:s0
-/dev/logbuffer_cpif u:object_r:logbuffer_device:s0
-
-/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
-/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
-
-# DM tools device
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
-
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# OEM IPC device
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
-
-# SIPC RIL device
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
-/dev/watchdog0 u:object_r:watchdog_device:s0
-
-# GPU device
-/dev/mali0 u:object_r:gpu_device:s0
-
-#
-# Exynos Daemon Exec
-#
-/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
-/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
-/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
-
-#
-# Exynos Log Files
-#
-/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
-/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
-/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
-/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
-/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
-/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
-
-/persist/sensorcal\.json u:object_r:sensors_cal_file:s0
-
-# data files
-/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
-/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
-
-# Camera
-/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
-/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0
-/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0
-/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0
-/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
-/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
-/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
-
-/dev/ispolin_ranging u:object_r:rls_device:s0
-
-/dev/lwis-act0 u:object_r:lwis_device:s0
-/dev/lwis-act1 u:object_r:lwis_device:s0
-/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
-/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-csi u:object_r:lwis_device:s0
-/dev/lwis-dpm u:object_r:lwis_device:s0
-/dev/lwis-eeprom0 u:object_r:lwis_device:s0
-/dev/lwis-eeprom1 u:object_r:lwis_device:s0
-/dev/lwis-eeprom2 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
-/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-flash0 u:object_r:lwis_device:s0
-/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
-/dev/lwis-g3aa u:object_r:lwis_device:s0
-/dev/lwis-gdc0 u:object_r:lwis_device:s0
-/dev/lwis-gdc1 u:object_r:lwis_device:s0
-/dev/lwis-gtnr-align u:object_r:lwis_device:s0
-/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
-/dev/lwis-ipp u:object_r:lwis_device:s0
-/dev/lwis-itp u:object_r:lwis_device:s0
-/dev/lwis-mcsc u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
-/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
-/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
-/dev/lwis-pdp u:object_r:lwis_device:s0
-/dev/lwis-scsc u:object_r:lwis_device:s0
-/dev/lwis-sensor0 u:object_r:lwis_device:s0
-/dev/lwis-sensor1 u:object_r:lwis_device:s0
-/dev/lwis-sensor2 u:object_r:lwis_device:s0
-/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx471 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
-/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
-/dev/lwis-slc u:object_r:lwis_device:s0
-/dev/lwis-top u:object_r:lwis_device:s0
-/dev/lwis-votf u:object_r:lwis_device:s0
-
-# VIDEO
-/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
-/vendor/bin/hw/vendor\.dolby\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
-
-# IMS VoWiFi
-/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
-/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0
-
-# Sensors
-/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
-
-# Contexthub
-/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
-/dev/socket/chre u:object_r:chre_socket:s0
-/data/vendor/chre(/.*)? u:object_r:chre_data_file:s0
-
-# Modem logging
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-
-# TCP logging
-/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
-
-# shared_modem_platform files
-/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
-
-# modem mnt files
-/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
-/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
-/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
-
-# Kernel modules related
-/vendor/bin/init\.display\.sh u:object_r:init-display-sh_exec:s0
-
-# USB
-/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
-
-# NFC
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
-/dev/st21nfc u:object_r:nfc_device:s0
-/data/nfc(/.*)? u:object_r:nfc_data_file:s0
-
-# SecureElement
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
-/dev/st54spi u:object_r:st54spi_device:s0
-/dev/st33spi u:object_r:st33spi_device:s0
-
-# Bluetooth
-/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
-/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
-
-# Trusty
-/vendor/bin/storageproxyd u:object_r:tee_exec:s0
-/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
-/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty u:object_r:hal_secretkeeper_default_exec:s0
-/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
-/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
-/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
-
-# Battery
-/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
-
-# GRIL
-/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
-
-# Uwb
-# R4
-/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
-/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
-/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
-/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
-
-# RILD files
-/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
-
-# Tetheroffload Service
-/dev/dit2 u:object_r:vendor_toe_device:s0
-/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0
-
-# battery history
-/dev/battery_history u:object_r:battery_history_device:s0
-
-# Display
-/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
-
-# Fingerprint
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
-
-# Zram
-/data/per_boot(/.*)? u:object_r:per_boot_file:s0
-
-# cpuctl
-/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
-
-# ODPM
-/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
-
-# sensor direct DMA-BUF heap
-/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
-
-# Console
-/dev/ttySAC0 u:object_r:tty_device:s0
-
-# faceauth DMA-BUF heaps
-/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
-/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
-
-# vframe-secure DMA-BUF heap
-/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
-
-# vscaler-secure DMA-BUF heap
-/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
-
-# vstream-secure DMA-BUF heap
-/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
-
-# BigOcean
-/dev/bigocean u:object_r:video_device:s0
-
-# Fingerprint
-/dev/fth_fd u:object_r:fingerprint_device:s0
-/dev/goodix_fp u:object_r:fingerprint_device:s0
-/data/vendor/fingerprint(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-
-# Wifi Firmware config update
-/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
-
-# WLC FW update
-/vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0
-/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0
-
-# Statsd service to support EdgeTPU metrics logging service.
-/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/android\.frameworks\.stats-V2-ndk\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/whitechapel/vendor/google/genfs_contexts b/sepolicy/whitechapel/vendor/google/genfs_contexts
deleted file mode 100644
index 2cdc2ace..00000000
--- a/sepolicy/whitechapel/vendor/google/genfs_contexts
+++ /dev/null
@@ -1,357 +0,0 @@
-# AOC
-genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
-genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
-genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
-genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
-
-genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
-genfscon sysfs /devices/platform/19000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
-
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
-# WiFi
-genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
-# Battery
-genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0
-
-genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0
-
-genfscon sysfs /class/power_supply/wireless/device/version u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /class/power_supply/wireless/device/status u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /class/power_supply/wireless/device/fw_rev u:object_r:sysfs_batteryinfo:s0
-
-# Slider
-genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0
-
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c u:object_r:sysfs_wlc:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
-
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0036/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/chg_stats u:object_r:sysfs_pca:s0
-
-genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
-
-# Storage
-genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
-genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
-genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
-genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
-
-# Networking / Tethering
-genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0
-
-# Vibrator
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0042 u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0
-
-# Fingerprint
-genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
-
-# System_suspend
-genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-003c/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0069/wakeup/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-12-0025/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.0.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/power/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/odm/odm:fps_touch_handler/wakeup u:object_r:sysfs_wakeup:s0
-
-# Input
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/2-1 u:object_r:sysfs_uhid:s0
-genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/2-1 u:object_r:sysfs_uhid:s0
-
-# GPS
-genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
-
-# Display
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/available_disp_stats u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/time_in_state u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_mode u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_mode u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c301000.drmdecon/counters u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c302000.drmdecon/counters u:object_r:sysfs_display:s0
-
-# Modem
-genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
-
-# Bluetooth
-genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-
-# ODPM
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
-
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power0_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power1_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power2_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power3_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power4_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power5_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power6_scale u:object_r:sysfs_odpm:s0
-genfscon sysfs
/devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_power7_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power0_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power1_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power2_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power3_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power4_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power5_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power6_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_power7_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current0_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current1_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current2_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current3_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current4_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current5_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current6_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-20/20-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/in_current7_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current0_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current1_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current2_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current3_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current4_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current5_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current6_scale u:object_r:sysfs_odpm:s0 -genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-21/21-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/in_current7_scale u:object_r:sysfs_odpm:s0 - -# Chosen -genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 - -# OTA -genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled 
u:object_r:sysfs_ota:s0 - -# ACPM -genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 - -# CPU -genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0 - -genfscon sysfs /devices/system/chip-id/unique_id u:object_r:sysfs_soc:s0 -genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0 -genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0 - -# Devfreq directory -genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0 - -# Devfreq current frequency -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 -genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 - -# Fabric -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0 -genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0 -genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq 
u:object_r:sysfs_fabric:s0 - -# GPU -genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/1c500000.mali/cur_freq u:object_r:sysfs_gpu:s0 - -# nvmem (Non Volatile Memory layer) -genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0 - -# Broadcom -genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 - -# Power Stats -genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/7-0008/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0 -genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0 - -# debugfs - -genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0 -genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 -genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0 -genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 -genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 -genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 -genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 -genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 -genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 - -# tracefs -genfscon tracefs 
/events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0 - -# sscoredump (per device) -genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 -genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0 - -# SJTAG -genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 -genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 - -# Camera -genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 -genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 - -# USB-C throttling stats -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 -genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 - -# Extcon -genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-12/12-0025/extcon u:object_r:sysfs_extcon:s0 - -# SecureElement -genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0 -genfscon sysfs 
/devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0 - -# Thermal -genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0 -genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0 -genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0 -genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 -genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0 -genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0 - -# Trusty -genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 -genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 - -# Coresight ETM -genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25a40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25b40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0 -genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0 - -# BootControl -genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0 - -# USB -genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/udc/11110000.dwc3/state u:object_r:sysfs_udc:s0 diff --git a/sepolicy/whitechapel/vendor/google/gpsd.te b/sepolicy/whitechapel/vendor/google/gpsd.te deleted file mode 100644 index 79055ecc..00000000 --- a/sepolicy/whitechapel/vendor/google/gpsd.te +++ /dev/null 
@@ -1,9 +0,0 @@
-type gpsd, domain;
-type gpsd_exec, vendor_file_type, exec_type, file_type;
-# Allow gpsd access PixelLogger unix socket in debug build only
-userdebug_or_eng(`
- typeattribute gpsd mlstrustedsubject;
- allow gpsd logger_app:unix_stream_socket connectto;
-')
-
-
diff --git a/sepolicy/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/sepolicy/whitechapel/vendor/google/hal_bluetooth_btlinux.te
deleted file mode 100644
index 851dc894..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_bluetooth_btlinux.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
-allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
-
diff --git a/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te b/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te
deleted file mode 100644
index fe4ba2e0..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_camera_default.te b/sepolicy/whitechapel/vendor/google/hal_camera_default.te
deleted file mode 100644
index 5697afef..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_camera_default.te
+++ /dev/null
@@ -1,117 +0,0 @@
-type hal_camera_default_tmpfs, file_type;
-
-allow hal_camera_default self:global_capability_class_set sys_nice;
-allow hal_camera_default kernel:process setsched;
-
-binder_use(hal_camera_default);
-vndbinder_use(hal_camera_default);
-
-allow hal_camera_default lwis_device:chr_file rw_file_perms;
-allow hal_camera_default gpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_chip_id:file r_file_perms;
-
-# Tuscany (face auth) code that is part of the camera HAL needs to allocate
-# dma_bufs and access the Trusted Execution Environment device node
-allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_camera_default tee_device:chr_file rw_file_perms;
-
-# Allow the camera hal to access the EdgeTPU service and the
-# Android shared memory allocated by the EdgeTPU service for
-# on-device compilation.
-allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
-allow hal_camera_default sysfs_edgetpu:file r_file_perms;
-allow hal_camera_default edgetpu_vendor_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_vendor_server)
-# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
-# library has a dependency on edgetpu_app_service, see b/275016466.
-allow hal_camera_default edgetpu_app_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_app_server)
-
-# Allow access to data files used by the camera HAL
-allow hal_camera_default mnt_vendor_file:dir search;
-allow hal_camera_default persist_file:dir search;
-allow hal_camera_default persist_camera_file:dir rw_dir_perms;
-allow hal_camera_default persist_camera_file:file create_file_perms;
-allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
-allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
-allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
-
-# Allow creating dump files for debugging in non-release builds
-userdebug_or_eng(`
- allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
- allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-')
-
-# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
-# compiled into the shared libraries with cc_embed_data rules
-tmpfs_domain(hal_camera_default);
-
-# Allow access to camera-related system properties
-set_prop(hal_camera_default, vendor_camera_prop);
-set_prop(hal_camera_default, log_tag_prop);
-get_prop(hal_camera_default, vendor_camera_debug_prop);
-userdebug_or_eng(`
- set_prop(hal_camera_default, vendor_camera_fatp_prop);
- set_prop(hal_camera_default, vendor_camera_debug_prop);
-')
-
-
-# For camera hal to talk with rlsservice
-allow hal_camera_default rls_service:service_manager find;
-binder_call(hal_camera_default, rlsservice)
-
-hal_client_domain(hal_camera_default, hal_graphics_allocator);
-hal_client_domain(hal_camera_default, hal_graphics_composer)
-hal_client_domain(hal_camera_default, hal_power);
-hal_client_domain(hal_camera_default, hal_thermal);
-
-# Allow access to sensor service for sensor_listener
-binder_call(hal_camera_default, system_server);
-
-# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
-allow hal_camera_default eco_service:service_manager find;
-binder_call(hal_camera_default, mediacodec_samsung);
-
-# Allow camera HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
-binder_call(hal_camera_default, hal_radioext_default);
-
-# Allow camera HAL to connect to the stats service.
-allow hal_camera_default fwk_stats_service:service_manager find;
-
-# For observing apex file changes
-allow hal_camera_default apex_info_file:file r_file_perms;
-
-# Allow camera HAL to query current device clock frequencies.
-allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
-
-# Allow camera HAL to read backlight of display
-allow hal_camera_default sysfs_leds:dir r_dir_perms;
-allow hal_camera_default sysfs_leds:file r_file_perms;
-allow hal_camera_default sysfs_display:file r_file_perms;
-
-# Allow camera HAL to query interrupts and set interrupt affinity
-allow hal_camera_default proc_irq:dir r_dir_perms;
-allow hal_camera_default proc_irq:file rw_file_perms;
-allow hal_camera_default proc_interrupts:dir r_dir_perms;
-allow hal_camera_default proc_interrupts:file r_file_perms;
-
-# Allow camera HAL to send trace packets to Perfetto
-userdebug_or_eng(`perfetto_producer(hal_camera_default)')
-
-# Some file searches attempt to access system data and are denied.
-# This is benign and can be ignored.
-dontaudit hal_camera_default system_data_file:dir { search };
-
-# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
-
-# Allow access to always-on compute device node
-allow hal_camera_default aoc_device:chr_file rw_file_perms;
-
-# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
-wakelock_use(hal_camera_default)
diff --git a/sepolicy/whitechapel/vendor/google/hal_contexthub.te b/sepolicy/whitechapel/vendor/google/hal_contexthub.te
deleted file mode 100644
index 4175b444..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_contexthub.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# Allow context hub HAL to communicate with daemon via socket
-allow hal_contexthub_default chre:unix_stream_socket connectto;
-allow hal_contexthub_default chre_socket:sock_file write;
-
-# Permit communication with AoC
-allow hal_contexthub_default aoc_device:chr_file rw_file_perms;
-
-# Allow CHRE to determine AoC's current clock
-allow hal_contexthub_default sysfs_aoc:dir search;
-allow hal_contexthub_default sysfs_aoc_boottime:file r_file_perms;
-
-# Allow CHRE to create thread to watch AOC's device
-allow hal_contexthub_default aoc_device:dir r_dir_perms;
-
-# Allow CHRE to use the USF low latency transport
-usf_low_latency_transport(hal_contexthub_default)
-
-# Allow CHRE to talk to the WiFi HAL
-allow hal_contexthub_default hal_wifi_ext:binder { call transfer };
-allow hal_contexthub_default hal_wifi_ext_service:service_manager find;
-
-# Allow CHRE host to talk to stats service
-allow hal_contexthub_default fwk_stats_service:service_manager find;
-binder_call(hal_contexthub_default, stats_service_server)
-
-# Allow CHRE to use WakeLock
-wakelock_use(hal_contexthub_default)
-
-# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP
-allow hal_contexthub_default self:global_capability2_class_set block_suspend;
diff --git a/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te b/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te
deleted file mode 100644
index 2cf6140d..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow hal_graphics_composer_default sysfs_display:dir search;
-allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
-
-# allow HWC to access power hal
-binder_call(hal_graphics_composer_default, hal_power_default);
-hal_client_domain(hal_graphics_composer_default, hal_power);
-
-# allow HWC to write log file
-allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms;
-allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te b/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te
deleted file mode 100644
index 00d4c695..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# allow InputProcessor HAL to read the display resolution system property
-get_prop(hal_input_processor_default, vendor_display_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_sensors_default.te b/sepolicy/whitechapel/vendor/google/hal_sensors_default.te
deleted file mode 100644
index 57763d14..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_sensors_default.te
+++ /dev/null
@@ -1,24 +0,0 @@
-#
-# USF sensor HAL SELinux type enforcements.
-#
-
-# Allow reading of camera persist files.
-r_dir_file(hal_sensors_default, persist_camera_file)
-
-# Allow access to the files of CDT information.
-r_dir_file(hal_sensors_default, sysfs_chosen)
-
-# Allow access for dynamic sensor properties.
-get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
-
-# Allow access to raw HID devices for dynamic sensors.
-allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
-
-# Allow sensor HAL to access the display service HAL
-allow hal_sensors_default hal_pixel_display_service:service_manager find;
-
-# Allow sensor HAL to access the graphics composer.
-binder_call(hal_sensors_default, hal_graphics_composer_default)
-
-# Allow access to the power supply files for MagCC.
-allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te b/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te
deleted file mode 100644
index 00ae3214..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# associate netdomain to use for accessing internet sockets
-net_domain(hal_tetheroffload_default)
-
-# Allow operations with TOE device
-allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
-
-# Allow NETLINK and socket
-allow hal_tetheroffload_default self:{
- netlink_socket
- netlink_generic_socket
- unix_dgram_socket
-} create_socket_perms_no_ioctl;
-
-# Register to hwbinder service
-add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
-hwbinder_use(hal_tetheroffload_default)
-get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_thermal_default.te b/sepolicy/whitechapel/vendor/google/hal_thermal_default.te
deleted file mode 100644
index 9852a767..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_thermal_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
-allow hal_thermal_default sysfs_odpm:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te
deleted file mode 100644
index ccfc1705..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
-binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
-
-hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
-
-binder_call(hal_uwb_vendor_server, servicemanager)
-
-# allow hal_uwb_vendor to set wpan interfaces up and down
-allow hal_uwb_vendor self:udp_socket create_socket_perms;
-allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-allow hal_uwb_vendor self:global_capability_class_set { net_admin };
-
-# allow hal_uwb_vendor to speak to nl802154 in the kernel
-allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te
deleted file mode 100644
index b287433f..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type hal_uwb_vendor_default, domain;
-type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(hal_uwb_vendor_default)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb)
-add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
-
-hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
-binder_call(hal_uwb_vendor_default, uwb_vendor_app)
-
-allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
-allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
-
-get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te b/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te
deleted file mode 100644
index 959f71b6..00000000
--- a/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# Allow wifi_ext to report callbacks to gril-service app
-binder_call(hal_wifi_ext, grilservice_app)
-
-# Write wlan driver/fw version into property
-set_prop(hal_wifi_ext, vendor_wifi_version)
-
-# Allow wifi_ext to read and write /data/vendor/firmware/wifi
-allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
-allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
-
-# Allow wifi_ext to read the updated firmware files from app
-allow hal_wifi_ext priv_app:fd use;
-allow hal_wifi_ext privapp_data_file:file { read map };
diff --git a/sepolicy/whitechapel/vendor/google/hwservice_contexts b/sepolicy/whitechapel/vendor/google/hwservice_contexts
deleted file mode 100644
index 577a678f..00000000
--- a/sepolicy/whitechapel/vendor/google/hwservice_contexts
+++ /dev/null
@@ -1,24 +0,0 @@
-vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
-vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
-vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-
-# dmd HAL
-vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
-
-# rild HAL
-vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
-android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
-vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
-
-# VIDEO
-android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
-
-# GRIL HAL
-vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
-
-# Wireless charger hal
-vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
-
-# Fingerprint
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
-
diff --git a/sepolicy/whitechapel/vendor/google/incident.te b/sepolicy/whitechapel/vendor/google/incident.te
deleted file mode 100644
index 672606df..00000000
--- a/sepolicy/whitechapel/vendor/google/incident.te
+++ /dev/null
@@ -1,4 +0,0 @@
-userdebug_or_eng(`
- allow incident logger_app:fd use;
- allow incident media_rw_data_file:file append;
-')
diff --git a/sepolicy/whitechapel/vendor/google/init.te b/sepolicy/whitechapel/vendor/google/init.te
deleted file mode 100644
index 11726894..00000000
--- a/sepolicy/whitechapel/vendor/google/init.te
+++ /dev/null
@@ -1,24 +0,0 @@
-allow init custom_ab_block_device:lnk_file relabelto;
-
-# This is needed for chaining a boot partition vbmeta
-# descriptor, where init will probe the boot partition
-# to read the chained vbmeta in the first-stage, then
-# relabel /dev/block/by-name/boot_[a|b] to block_device
-# after loading sepolicy in the second stage.
-allow init boot_block_device:lnk_file relabelto;
-
-allow init modem_img_file:dir mounton;
-allow init mnt_vendor_file:dir mounton;
-allow init modem_img_file:filesystem { getattr mount relabelfrom };
-
-allow init persist_file:dir mounton;
-allow init modem_efs_file:dir mounton;
-allow init modem_userdata_file:dir mounton;
-allow init ram_device:blk_file w_file_perms;
-allow init per_boot_file:file ioctl;
-allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
-allow init sysfs_scsi_devices_0000:file w_file_perms;
-
-# Workaround for b/193113005 that modem_img unlabeled after disable-verity
-dontaudit init overlayfs_file:file { rename };
-dontaudit init overlayfs_file:chr_file { unlink };
diff --git a/sepolicy/whitechapel/vendor/google/insmod-sh.te b/sepolicy/whitechapel/vendor/google/insmod-sh.te
deleted file mode 100644
index 3c430ffb..00000000
--- a/sepolicy/whitechapel/vendor/google/insmod-sh.te
+++ /dev/null
@@ -1,11 +0,0 @@
-allow insmod-sh sysfs_leds:dir r_dir_perms;
-
-allow insmod-sh self:capability sys_nice;
-allow insmod-sh kernel:process setsched;
-
-userdebug_or_eng(`
- allow insmod-sh vendor_regmap_debugfs:dir search;
-')
-
-dontaudit insmod-sh proc_cmdline:file r_file_perms;
-dontaudit insmod-sh self:key write;
diff --git a/sepolicy/whitechapel/vendor/google/kernel.te b/sepolicy/whitechapel/vendor/google/kernel.te
deleted file mode 100644
index d44eed68..00000000
--- a/sepolicy/whitechapel/vendor/google/kernel.te
+++ /dev/null
@@ -1,18 +0,0 @@
-allow kernel vendor_fw_file:dir search;
-allow kernel vendor_fw_file:file r_file_perms;
-
-# ZRam
-allow kernel per_boot_file:file r_file_perms;
-
-# memlat needs permision to create/delete perf events when hotplug on/off
-allow kernel self:capability2 perfmon;
-allow kernel self:perf_event cpu;
-
-userdebug_or_eng(`
- allow kernel vendor_battery_debugfs:dir search;
- allow kernel vendor_regmap_debugfs:dir search;
- allow kernel vendor_usb_debugfs:dir search;
- allow kernel vendor_votable_debugfs:dir search;
- allow kernel vendor_charger_debugfs:dir search;
- allow kernel vendor_maxfg_debugfs:dir search;
-')
diff --git a/sepolicy/whitechapel/vendor/google/keys.conf b/sepolicy/whitechapel/vendor/google/keys.conf
deleted file mode 100644
index 17f47e4d..00000000
--- a/sepolicy/whitechapel/vendor/google/keys.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-[@MDS]
-ALL : device/google/gs101/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
-
-[@UWB]
-ALL : device/google/gs101/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
-
-[@EUICCSUPPORTPIXEL]
-ALL : device/google/gs101/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
-
-[@CAMERASERVICES]
-ALL : device/google/gs101/sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
diff --git a/sepolicy/whitechapel/vendor/google/logger_app.te b/sepolicy/whitechapel/vendor/google/logger_app.te
deleted file mode 100644
index 14196600..00000000
--- a/sepolicy/whitechapel/vendor/google/logger_app.te
+++ /dev/null
@@ -1,33 +0,0 @@
-userdebug_or_eng(`
- allow logger_app radio_vendor_data_file:file create_file_perms;
- allow logger_app radio_vendor_data_file:dir create_dir_perms;
- allow logger_app vendor_slog_file:file {r_file_perms unlink};
- allow logger_app vendor_gps_file:file create_file_perms;
- allow logger_app vendor_gps_file:dir create_dir_perms;
- allow logger_app sysfs_sscoredump_level:file r_file_perms;
- allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;
-
- binder_call(logger_app, rild)
-
- r_dir_file(logger_app, ramdump_vendor_data_file)
- r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
- r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
-
- get_prop(logger_app, usb_control_prop)
- set_prop(logger_app, vendor_logger_prop)
- set_prop(logger_app, vendor_modem_prop)
- set_prop(logger_app, vendor_gps_prop)
- set_prop(logger_app, vendor_audio_prop)
- set_prop(logger_app, vendor_tcpdump_log_prop)
- set_prop(logger_app, vendor_ramdump_prop)
- set_prop(logger_app, vendor_ssrdump_prop)
- set_prop(logger_app, vendor_rild_prop)
- set_prop(logger_app, logpersistd_logging_prop)
- set_prop(logger_app, logd_prop)
- set_prop(logger_app, vendor_usb_config_prop)
- set_prop(logger_app, vendor_wifi_sniffer_prop)
-
- dontaudit logger_app default_prop:file { read };
- dontaudit logger_app proc_vendor_sched:dir search;
- dontaudit logger_app proc_vendor_sched:file write;
-')
diff --git a/sepolicy/whitechapel/vendor/google/modem_diagnostics.te b/sepolicy/whitechapel/vendor/google/modem_diagnostics.te
deleted file mode 100644
index 9fa772b4..00000000
--- a/sepolicy/whitechapel/vendor/google/modem_diagnostics.te
+++ /dev/null
@@ -1,35 +0,0 @@
-type modem_diagnostic_app, domain;
-
-app_domain(modem_diagnostic_app)
-net_domain(modem_diagnostic_app)
-
-allow modem_diagnostic_app app_api_service:service_manager find;
-allow modem_diagnostic_app radio_service:service_manager find;
-
-userdebug_or_eng(`
- binder_call(modem_diagnostic_app, dmd)
-
- set_prop(modem_diagnostic_app, vendor_cbd_prop)
- set_prop(modem_diagnostic_app, vendor_rild_prop)
- set_prop(modem_diagnostic_app, vendor_modem_prop)
-
- allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
- allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
-
- allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
-
- allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
- allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
-
- allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
- allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
-
- allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
- allow modem_diagnostic_app modem_img_file:file r_file_perms;
- allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
-
- allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
-
- allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
- allow modem_diagnostic_app sysfs_batteryinfo:dir search;
-')
diff --git a/sepolicy/whitechapel/vendor/google/ofl_app.te b/sepolicy/whitechapel/vendor/google/ofl_app.te
deleted file mode 100644
index a9498165..00000000
--- a/sepolicy/whitechapel/vendor/google/ofl_app.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# OFLBasicAgent app
-
-type ofl_app, domain;
-
-userdebug_or_eng(`
- app_domain(ofl_app)
- net_domain(ofl_app)
-
- allow ofl_app app_api_service:service_manager find;
- allow ofl_app nfc_service:service_manager find;
- allow ofl_app radio_service:service_manager find;
- allow ofl_app surfaceflinger_service:service_manager find;
-
- # Access to directly update firmware on st54spi_device
- typeattribute st54spi_device mlstrustedobject;
- allow ofl_app st54spi_device:chr_file rw_file_perms;
- # Access to directly update firmware on st33spi_device
- typeattribute st33spi_device mlstrustedobject;
- allow ofl_app st33spi_device:chr_file rw_file_perms;
-')
diff --git a/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te b/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te
deleted file mode 100644
index 33e9511c..00000000
--- a/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te
+++ /dev/null
@@ -1,37 +0,0 @@
-unix_socket_connect(pixelstats_vendor, chre, chre)
-
-get_prop(pixelstats_vendor, hwservicemanager_prop)
-hwbinder_use(pixelstats_vendor)
-
-binder_call(pixelstats_vendor, stats_service_server)
-binder_use(pixelstats_vendor);
-allow pixelstats_vendor fwk_stats_service:service_manager find;
-
-allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
-allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
-
-# Wireless charge
-allow pixelstats_vendor sysfs_wlc:dir search;
-allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
-
-# Pca charge
-allow pixelstats_vendor sysfs_pca:file rw_file_perms;
-
-# OrientationCollector
-# HIDL sensorservice
-allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
-# AIDL sensorservice
-allow pixelstats_vendor fwk_sensor_service:service_manager find;
-
-# Batery history
-allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
-allow pixelstats_vendor logbuffer_device:chr_file r_file_perms;
-
-#vendor-metrics
-r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
-allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
-allow pixelstats_vendor sysfs_vendor_metrics:file w_file_perms;
-
-# BCL
-allow pixelstats_vendor sysfs_bcl:dir search;
-allow pixelstats_vendor sysfs_bcl:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/priv_app.te b/sepolicy/whitechapel/vendor/google/priv_app.te
deleted file mode 100644
index a6e6bb68..00000000
--- a/sepolicy/whitechapel/vendor/google/priv_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allows privileged applications to access the PowerHAL.
-hal_client_domain(priv_app, hal_power)
diff --git a/sepolicy/whitechapel/vendor/google/property_contexts b/sepolicy/whitechapel/vendor/google/property_contexts
deleted file mode 100644
index ba41d6a9..00000000
--- a/sepolicy/whitechapel/vendor/google/property_contexts
+++ /dev/null
@@ -1,101 +0,0 @@
-# for rild
-persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
-persist.vendor.ril. u:object_r:vendor_rild_prop:s0
-persist.vendor.radio. u:object_r:vendor_rild_prop:s0
-vendor.radio.ril. u:object_r:vendor_rild_prop:s0
-vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
-vendor.ril. u:object_r:vendor_rild_prop:s0
-vendor.radio. u:object_r:vendor_rild_prop:s0
-ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
-
-# for GRIL
-vendor.gril. u:object_r:vendor_gril_prop:s0
-
-# Ramdump
-persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
-
-# SSR Detector
-vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
-persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
-
-# USB HAL
-persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
-vendor.usb. u:object_r:vendor_usb_config_prop:s0
-
-# for logger app
-vendor.pixellogger. u:object_r:vendor_logger_prop:s0
-persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
-
-# for cbd
-vendor.cbd. u:object_r:vendor_cbd_prop:s0
-persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
-
-# for slog
-vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
-vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
-persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
-
-# vendor default
-vendor.config. u:object_r:vendor_config_default_prop:s0
-ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
-persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
-vendor.sys. u:object_r:vendor_sys_default_prop:s0
-ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
-persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
-
-# for display
-ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
-persist.vendor.display. u:object_r:vendor_display_prop:s0
-
-# for camera
-persist.vendor.camera. u:object_r:vendor_camera_prop:s0
-vendor.camera. u:object_r:vendor_camera_prop:s0
-vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
-
-# for gps
-vendor.gps. u:object_r:vendor_gps_prop:s0
-persist.vendor.gps. u:object_r:vendor_gps_prop:s0
-
-# SecureElement
-persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
-
-# NFC
-persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
-
-# Battery
-vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
-persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
-
-# test battery profile
-persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
-
-# WiFi
-vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
-vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
-
-# Touchpanel
-vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
-
-# Tcpdump_logger
-persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
-vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
-
-# Fingerprint
-vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
-vendor.gf. u:object_r:vendor_fingerprint_prop:s0
-persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0
-
-# Dynamic sensor
-vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
-
-# uwb
-ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
-vendor.uwb.calibration.country_code u:object_r:vendor_uwb_calibration_country_code:s0 exact string
-
-# Trusty
-ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
-
-# Mali GPU driver configuration and debug options
-vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
diff --git a/sepolicy/whitechapel/vendor/google/recovery.te b/sepolicy/whitechapel/vendor/google/recovery.te
deleted file mode 100644
index 1974ebb1..00000000
--- a/sepolicy/whitechapel/vendor/google/recovery.te
+++ /dev/null
@@ -1,4 +0,0 @@
-recovery_only(`
- allow recovery sysfs_ota:file rw_file_perms;
- allow recovery st54spi_device:chr_file rw_file_perms;
-')
diff --git a/sepolicy/whitechapel/vendor/google/ril_config_service.te b/sepolicy/whitechapel/vendor/google/ril_config_service.te
deleted file mode 100644
index 0ac43317..00000000
--- a/sepolicy/whitechapel/vendor/google/ril_config_service.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type ril_config_service_app, domain;
-app_domain(ril_config_service_app)
-
-set_prop(ril_config_service_app, vendor_rild_prop)
-allow ril_config_service_app app_api_service:service_manager find;
-allow ril_config_service_app radio_service:service_manager find;
-allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms;
-allow ril_config_service_app radio_vendor_data_file:file create_file_perms;
-dontaudit ril_config_service_app system_data_file:dir search;
-dontaudit ril_config_service_app user_profile_root_file:dir search;
diff --git a/sepolicy/whitechapel/vendor/google/service.te b/sepolicy/whitechapel/vendor/google/service.te
deleted file mode 100644
index 7218e40c..00000000
--- a/sepolicy/whitechapel/vendor/google/service.te
+++ /dev/null
@@ -1,6 +0,0 @@
-type hal_pixel_display_service, service_manager_type, hal_service_type;
-type hal_uwb_vendor_service, service_manager_type, hal_service_type;
-# WLC
-type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
-
-type rls_service, service_manager_type;
diff --git a/sepolicy/whitechapel/vendor/google/service_contexts b/sepolicy/whitechapel/vendor/google/service_contexts
deleted file mode 100644
index d35c0e40..00000000
--- a/sepolicy/whitechapel/vendor/google/service_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
-hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
-android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
-rlsservice u:object_r:rls_service:s0
diff --git a/sepolicy/whitechapel/vendor/google/servicemanager.te b/sepolicy/whitechapel/vendor/google/servicemanager.te
deleted file mode 100644
index efddd92c..00000000
--- a/sepolicy/whitechapel/vendor/google/servicemanager.te
+++ /dev/null
@@ -1 +0,0 @@
-binder_call(servicemanager, hal_fingerprint_default)
diff --git a/sepolicy/whitechapel/vendor/google/storageproxyd.te b/sepolicy/whitechapel/vendor/google/storageproxyd.te
deleted file mode 100644
index 453caad1..00000000
--- a/sepolicy/whitechapel/vendor/google/storageproxyd.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type persist_ss_file, file_type, vendor_persist_type;
-
-# Handle wake locks
-wakelock_use(tee)
-
-allow tee persist_ss_file:file create_file_perms;
-allow tee persist_ss_file:dir create_dir_perms;
-allow tee persist_file:dir r_dir_perms;
-allow tee mnt_vendor_file:dir r_dir_perms;
-allow tee tee_data_file:dir create_dir_perms;
-allow tee tee_data_file:lnk_file r_file_perms;
-
-# Allow storageproxyd access to gsi_public_metadata_file
-read_fstab(tee)
-
-# storageproxyd starts before /data is mounted. It handles /data not being there
-# gracefully. However, attempts to access /data trigger a denial.
-dontaudit tee unlabeled:dir { search };
-
-set_prop(tee, vendor_trusty_storage_prop)
diff --git a/sepolicy/whitechapel/vendor/google/system_server.te b/sepolicy/whitechapel/vendor/google/system_server.te
deleted file mode 100644
index d064cb73..00000000
--- a/sepolicy/whitechapel/vendor/google/system_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Allow system server to send sensor data callbacks to GPS and camera HALs
-binder_call(system_server, gpsd);
-binder_call(system_server, hal_camera_default);
-
-# pixelstats_vendor/OrientationCollector
-binder_call(system_server, pixelstats_vendor)
diff --git a/sepolicy/whitechapel/vendor/google/tcpdump_logger.te b/sepolicy/whitechapel/vendor/google/tcpdump_logger.te
deleted file mode 100644
index f017cedf..00000000
--- a/sepolicy/whitechapel/vendor/google/tcpdump_logger.te
+++ /dev/null
@@ -1,20 +0,0 @@
-type tcpdump_logger, domain;
-type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
-
-userdebug_or_eng(`
- # make transition from init to its domain
- init_daemon_domain(tcpdump_logger)
-
- allow tcpdump_logger self:capability net_raw;
- allow tcpdump_logger self:packet_socket create_socket_perms;
- allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
- allow tcpdump_logger tcpdump_exec:file rx_file_perms;
- allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
- allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
- allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
- allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
- allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
- allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
-
- set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
-')
diff --git a/sepolicy/whitechapel/vendor/google/vendor_init.te b/sepolicy/whitechapel/vendor/google/vendor_init.te
deleted file mode 100644
index 3771394b..00000000
--- a/sepolicy/whitechapel/vendor/google/vendor_init.te
+++ /dev/null
@@ -1,50 +0,0 @@
-get_prop(vendor_init, gesture_prop)
-set_prop(vendor_init, vendor_camera_prop)
-set_prop(vendor_init, vendor_device_prop)
-set_prop(vendor_init, vendor_modem_prop)
-set_prop(vendor_init, vendor_cbd_prop)
-set_prop(vendor_init, vendor_rild_prop)
-set_prop(vendor_init, vendor_usb_config_prop)
-set_prop(vendor_init, vendor_slog_prop)
-set_prop(vendor_init, vendor_sys_default_prop)
-set_prop(vendor_init, vendor_rcs_prop)
-set_prop(vendor_init, vendor_ssrdump_prop)
-set_prop(vendor_init, vendor_ro_config_default_prop)
-get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_tcpdump_log_prop)
-set_prop(vendor_init, vendor_logger_prop)
-set_prop(vendor_init, esim_modem_prop)
-get_prop(vendor_init, telephony_modem_prop)
-
-
-allow vendor_init proc_dirty:file w_file_perms;
-allow vendor_init proc_sched:file write;
-allow vendor_init bootdevice_sysdev:file create_file_perms;
-allow vendor_init block_device:lnk_file setattr;
-allow vendor_init sysfs_st33spi:file w_file_perms;
-
-userdebug_or_eng(`
- set_prop(vendor_init, logpersistd_logging_prop)
-')
-
-# NFC vendor property
-set_prop(vendor_init, vendor_nfc_prop)
-# SecureElement vendor property
-set_prop(vendor_init, vendor_secure_element_prop)
-# Battery defender/harness/profile
-get_prop(vendor_init, test_harness_prop)
-get_prop(vendor_init, vendor_battery_profile_prop)
-set_prop(vendor_init, vendor_battery_defender_prop)
-
-# Fingerprint property
-set_prop(vendor_init, vendor_fingerprint_prop)
-
-# Display
-set_prop(vendor_init, vendor_display_prop)
-
-# Trusty storage FS ready
-get_prop(vendor_init, vendor_trusty_storage_prop)
-allow vendor_init tee_data_file:lnk_file read;
-
-# Mali
-set_prop(vendor_init, vendor_arm_runtime_option_prop)
diff --git a/sepolicy/whitechapel/vendor/google/vendor_shell.te b/sepolicy/whitechapel/vendor/google/vendor_shell.te
deleted file mode 100644
index 2ace587a..00000000
--- a/sepolicy/whitechapel/vendor/google/vendor_shell.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(vendor_shell, vendor_battery_profile_prop)
diff --git a/sepolicy/whitechapel/vendor/google/vndservice_contexts b/sepolicy/whitechapel/vendor/google/vndservice_contexts
deleted file mode 100644
index 4f9f5a70..00000000
--- a/sepolicy/whitechapel/vendor/google/vndservice_contexts
+++ /dev/null
@@ -1 +0,0 @@
-Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
diff --git a/sepolicy/whitechapel/vendor/google/vold.te b/sepolicy/whitechapel/vendor/google/vold.te
deleted file mode 100644
index ecea1946..00000000
--- a/sepolicy/whitechapel/vendor/google/vold.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow vold sysfs_scsi_devices_0000:file rw_file_perms;
-allow vold modem_efs_file:dir rw_dir_perms;
-allow vold modem_userdata_file:dir rw_dir_perms;
-
-dontaudit vold dumpstate:fifo_file rw_file_perms;
-dontaudit vold dumpstate:fd { use };
diff --git a/sepolicy/whitechapel/vendor/google/wifi_sniffer.te b/sepolicy/whitechapel/vendor/google/wifi_sniffer.te
deleted file mode 100644
index 491162a0..00000000
--- a/sepolicy/whitechapel/vendor/google/wifi_sniffer.te
+++ /dev/null
@@ -1,6 +0,0 @@
-userdebug_or_eng(`
- allow wifi_sniffer sysfs_wifi:dir search;
- allow wifi_sniffer sysfs_wifi:file w_file_perms;
- allow wifi_sniffer self:capability sys_module;
- dontaudit wifi_sniffer sysfs_wifi:file getattr;
-')