diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS new file mode 100644 index 0000000..5232bc3 --- /dev/null +++ b/sepolicy/OWNERS @@ -0,0 +1,4 @@ +include device/google/gs-common:/sepolicy/OWNERS + +adamshih@google.com + diff --git a/sepolicy/bluetooth/file_contexts b/sepolicy/bluetooth/file_contexts new file mode 100644 index 0000000..66d690f --- /dev/null +++ b/sepolicy/bluetooth/file_contexts @@ -0,0 +1,4 @@ +# Bluetooth +/vendor/bin/hw/android\.hardware\.bluetooth@1\.1-service\.synabtlinux u:object_r:hal_bluetooth_synabtlinux_exec:s0 + +/dev/ttySAC18 u:object_r:hci_attach_dev:s0 diff --git a/sepolicy/bluetooth/genfs_contexts b/sepolicy/bluetooth/genfs_contexts new file mode 100644 index 0000000..fbad5b3 --- /dev/null +++ b/sepolicy/bluetooth/genfs_contexts @@ -0,0 +1,4 @@ +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 diff --git a/sepolicy/bluetooth/hal_bluetooth_default.te b/sepolicy/bluetooth/hal_bluetooth_default.te new file mode 100644 index 0000000..c764133 --- /dev/null +++ b/sepolicy/bluetooth/hal_bluetooth_default.te @@ -0,0 +1,23 @@ +type hal_bluetooth_synabtlinux, domain; +type hal_bluetooth_synabtlinux_exec, exec_type, file_type, vendor_file_type; + +hal_server_domain(hal_bluetooth_synabtlinux, hal_bluetooth) +init_daemon_domain(hal_bluetooth_synabtlinux) + +allow hal_bluetooth_synabtlinux self:socket { create bind read write }; +allow hal_bluetooth_synabtlinux self:bluetooth_socket { create bind read write }; +allow hal_bluetooth_synabtlinux hci_attach_dev:chr_file rw_file_perms; +allow hal_bluetooth_synabtlinux hal_power_stats_vendor_service:service_manager find; +add_hwservice(hal_bluetooth_synabtlinux, hal_bluetooth_coexistence_hwservice) +vndbinder_use(hal_bluetooth_synabtlinux) +binder_call(hal_bluetooth_synabtlinux, hal_power_stats_default) +get_prop(hal_bluetooth_synabtlinux, boot_status_prop) + +allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms; +allow hal_bluetooth_synabtlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms; + + userdebug_or_eng(` + allow hal_bluetooth_synabtlinux logbuffer_device:chr_file r_file_perms; + allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms; + allow hal_bluetooth_synabtlinux sscoredump_vendor_data_coredump_file:file create_file_perms; + ') diff --git a/sepolicy/bluetooth/hwservice.te b/sepolicy/bluetooth/hwservice.te new file mode 100644 index 0000000..8a5ae49 --- /dev/null +++ b/sepolicy/bluetooth/hwservice.te @@ -0,0 +1,2 @@ +# Bluetooth HAL extension +type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type; diff --git a/sepolicy/bluetooth/hwservice_contexts b/sepolicy/bluetooth/hwservice_contexts new file mode 100644 index 0000000..edd952b --- /dev/null +++ b/sepolicy/bluetooth/hwservice_contexts @@ -0,0 +1,3 @@ +# Bluetooth HAL extension +hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0 +hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0 diff --git a/sepolicy/fingerprint_capacitance/file.te b/sepolicy/fingerprint_capacitance/file.te new file mode 100644 index 0000000..0218b46 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/file.te @@ -0,0 +1 @@ +type sysfs_fingerprint, sysfs_type, fs_type; diff --git a/sepolicy/fingerprint_capacitance/file_contexts b/sepolicy/fingerprint_capacitance/file_contexts new file mode 100644 index 0000000..aa6d801 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/file_contexts @@ -0,0 +1 @@ +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0 diff --git a/sepolicy/fingerprint_capacitance/genfs_contexts b/sepolicy/fingerprint_capacitance/genfs_contexts new file mode 100644 index 0000000..9fe2a86 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/genfs_contexts @@ -0,0 +1 @@ +genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0 diff --git a/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te b/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te new file mode 100644 index 0000000..f35912f --- /dev/null +++ b/sepolicy/fingerprint_capacitance/hal_fingerprint_capacitance.te @@ -0,0 +1,39 @@ +# hal_fingerprint_capacitance definition +type hal_fingerprint_capacitance, domain; +hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint) + +type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_fingerprint_capacitance) + +set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop) + +# allow fingerprint to access file +allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms; +allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms; +allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms; +allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms; + +# allow fingerprint to access power hal +hal_client_domain(hal_fingerprint_capacitance, hal_power); + +# allow fingerprint to find fwk service +allow hal_fingerprint_capacitance fwk_stats_service:service_manager find; + +# allow fingerprint to access sysfs_leds +allow hal_fingerprint_capacitance sysfs_leds:dir search; +allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms; + +# allow fingerprint to access sysfs_batteryinfo +allow hal_fingerprint_capacitance sysfs_batteryinfo:dir search; +allow hal_fingerprint_capacitance sysfs_batteryinfo:file rw_file_perms; + +# allow fingerprint to access input_device +allow hal_fingerprint_capacitance input_device:dir r_dir_perms; +allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms; + +# allow fingerprint to access hwservice +hwbinder_use(hal_fingerprint_capacitance) +add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice) + +# allow fingerprint to access fwk sensor hwservice +allow hal_fingerprint_capacitance fwk_sensor_service:service_manager find; diff --git a/sepolicy/fingerprint_capacitance/hwservice.te b/sepolicy/fingerprint_capacitance/hwservice.te new file mode 100644 index 0000000..68c51ab --- /dev/null +++ b/sepolicy/fingerprint_capacitance/hwservice.te @@ -0,0 +1 @@ +type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type; diff --git a/sepolicy/fingerprint_capacitance/hwservice_contexts b/sepolicy/fingerprint_capacitance/hwservice_contexts new file mode 100644 index 0000000..ed09300 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/hwservice_contexts @@ -0,0 +1,2 @@ +com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 +com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0 diff --git a/sepolicy/fingerprint_capacitance/servicemanager.te b/sepolicy/fingerprint_capacitance/servicemanager.te new file mode 100644 index 0000000..6e1afe9 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/servicemanager.te @@ -0,0 +1 @@ +binder_call(servicemanager, hal_fingerprint_capacitance) diff --git a/sepolicy/fingerprint_capacitance/system_app.te b/sepolicy/fingerprint_capacitance/system_app.te new file mode 100644 index 0000000..f583431 --- /dev/null +++ b/sepolicy/fingerprint_capacitance/system_app.te @@ -0,0 +1,3 @@ +# TODO (b/264266705) Remove this and make it specific to the app +# allow SystemUIGoogle to access fingerprint hal +hal_client_domain(system_app, hal_fingerprint) diff --git a/sepolicy/system_ext/private/platform_app.te b/sepolicy/system_ext/private/platform_app.te new file mode 100644 index 0000000..cd094a3 --- /dev/null +++ b/sepolicy/system_ext/private/platform_app.te @@ -0,0 +1,2 @@ +# Allow platform apps to access system_update_service (e.g. check if update info is available). +allow platform_app system_update_service:service_manager find; \ No newline at end of file diff --git a/sepolicy/system_ext/private/property_contexts b/sepolicy/system_ext/private/property_contexts new file mode 100644 index 0000000..f08d9e4 --- /dev/null +++ b/sepolicy/system_ext/private/property_contexts @@ -0,0 +1,6 @@ +# TODO(b/246793311): Clean up a temporary property once pa/2342172 lands +debug.sf.ignore_hwc_physical_display_orientation u:object_r:surfaceflinger_prop:s0 exact bool + +# Default orienation for boot animation counted from natural orienation of the device +# Id at the end corresponds to the display id on the device. See b/246793311 for context. +ro.bootanim.set_orientation_4619827677550801152 u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_90 ORIENTATION_180 ORIENTATION_270 diff --git a/sepolicy/tangorpro-sepolicy.mk b/sepolicy/tangorpro-sepolicy.mk new file mode 100644 index 0000000..c771713 --- /dev/null +++ b/sepolicy/tangorpro-sepolicy.mk @@ -0,0 +1,13 @@ +# sepolicy that are shared among devices using whitechapel +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/vendor +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/tracking_denials + +# fingerprint +BOARD_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/fingerprint_capacitance + +# for mediashell +PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/public +BOARD_VENDOR_SEPOLICY_DIRS += device/google/atv/audio_proxy/sepolicy/vendor + +# system_ext +SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/tangorpro-sepolicy/system_ext/private diff --git a/sepolicy/tracking_denials/README.txt b/sepolicy/tracking_denials/README.txt new file mode 100644 index 0000000..6cfc62d --- /dev/null +++ b/sepolicy/tracking_denials/README.txt @@ -0,0 +1,2 @@ +This folder stores known errors detected by PTS. Be sure to remove relevant +files to reproduce error log on latest ROMs. diff --git a/sepolicy/tracking_denials/bug_map b/sepolicy/tracking_denials/bug_map new file mode 100644 index 0000000..bae1538 --- /dev/null +++ b/sepolicy/tracking_denials/bug_map @@ -0,0 +1,5 @@ + +audioserver vendor_file file b/312069156 +platform_app system_data_file dir b/289358324 +shell sysfs_touch dir b/264823366 +system_app proc_pagetypeinfo file b/312375728 diff --git a/sepolicy/vendor/README.txt b/sepolicy/vendor/README.txt new file mode 100644 index 0000000..67a320f --- /dev/null +++ b/sepolicy/vendor/README.txt @@ -0,0 +1,2 @@ +This folder holds sepolicy exclusively for one device. For example, genfs_contexts +paths that are affected by device tree. diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te new file mode 100644 index 0000000..3e16875 --- /dev/null +++ b/sepolicy/vendor/device.te @@ -0,0 +1,2 @@ +# Wifi +type vendor_wlan_device, dev_type; \ No newline at end of file diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te new file mode 100644 index 0000000..a863220 --- /dev/null +++ b/sepolicy/vendor/file.te @@ -0,0 +1,8 @@ +#Pogo USB control & status +type sysfs_pogo_usb, sysfs_type, fs_type; + +# Cast device certificate +type device_cert_file, file_type, vendor_persist_type; + +# Avoid GPS se failed +type sysfs_gps, sysfs_type, fs_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts new file mode 100644 index 0000000..792f30a --- /dev/null +++ b/sepolicy/vendor/file_contexts @@ -0,0 +1,15 @@ +# Devices +/dev/lwis-eeprom-smaug-front u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-rear u:object_r:lwis_device:s0 +/dev/lwis-sensor-medusa-front u:object_r:lwis_device:s0 +/dev/lwis-sensor-medusa-rear u:object_r:lwis_device:s0 + +# Wifi +/dev/wlan u:object_r:vendor_wlan_device:s0 + +# Privacy LED +/vendor/bin/hw/android\.hardware\.lights-service\.tangorpro u:object_r:hal_light_default_exec:s0 + +# Cast Factory Credentials +/vendor/bin/hw/android\.hardware\.drm-service\.castkey u:object_r:hal_drm_cast_exec:s0 +/mnt/vendor/persist/nest/cast_auth\.crt u:object_r:device_cert_file:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts new file mode 100644 index 0000000..91f9912 --- /dev/null +++ b/sepolicy/vendor/genfs_contexts @@ -0,0 +1,23 @@ +# Dock +genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0 + +# Touch +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0 u:object_r:sysfs_touch:s0 + +# system suspend wakeup files +genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/nvt-pen-battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/power_supply/USI_Stylus_Battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/input/input2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0 + +# Pogo usb control & status +genfscon sysfs /devices/platform/google,pogo/pogo_usb_active u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/pogo_usb_capable u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/pogo_docked u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/equal_priority u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/move_data_to_usb u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/extcon u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/google,pogo/hall1_s u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/hall1_n u:object_r:sysfs_pogo_usb:s0 +genfscon sysfs /devices/platform/google,pogo/hall2_s u:object_r:sysfs_pogo_usb:s0 diff --git a/sepolicy/vendor/grilservice_app.te b/sepolicy/vendor/grilservice_app.te new file mode 100644 index 0000000..763121c --- /dev/null +++ b/sepolicy/vendor/grilservice_app.te @@ -0,0 +1,2 @@ +# setBluetoothModeBasedTxPowerCap for SAR +binder_call(grilservice_app, hal_bluetooth_synabtlinux) diff --git a/sepolicy/vendor/hal_drm_cast.te b/sepolicy/vendor/hal_drm_cast.te new file mode 100644 index 0000000..800a231 --- /dev/null +++ b/sepolicy/vendor/hal_drm_cast.te @@ -0,0 +1,9 @@ +type hal_drm_cast, domain; +type hal_drm_cast_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_drm_cast) +hal_server_domain(hal_drm_cast, hal_drm) + +allow hal_drm_cast mnt_vendor_file:dir search; +allow hal_drm_cast persist_file:dir search; +allow hal_drm_cast device_cert_file:file r_file_perms; diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te new file mode 100644 index 0000000..f75cab4 --- /dev/null +++ b/sepolicy/vendor/hal_health_default.te @@ -0,0 +1 @@ +dontaudit hal_health_default sysfs_touch:dir *; \ No newline at end of file diff --git a/sepolicy/vendor/hal_lights.te b/sepolicy/vendor/hal_lights.te new file mode 100644 index 0000000..7c43a93 --- /dev/null +++ b/sepolicy/vendor/hal_lights.te @@ -0,0 +1,7 @@ +allow hal_light_default sysfs_leds:dir search; +allow hal_light_default sysfs_leds:file rw_file_perms; +allow hal_light_default mnt_vendor_file:dir search; +allow hal_light_default persist_file:dir search; +allow hal_light_default hal_pixel_display_service:service_manager find; +binder_call(hal_light_default, hal_graphics_composer_default); +r_dir_file(hal_light_default, persist_leds_file); diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..a81c9ba --- /dev/null +++ b/sepolicy/vendor/hal_power_stats_default.te @@ -0,0 +1,2 @@ +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_synabtlinux) diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te new file mode 100644 index 0000000..da6b54e --- /dev/null +++ b/sepolicy/vendor/hal_sensors_default.te @@ -0,0 +1,9 @@ +# +# USF sensor HAL SELinux type enforcements. +# + +# Allow sensor HAL to access pogo driver hall file node. +allow hal_sensors_default sysfs_pogo_usb:file rw_file_perms; + +# Allow access to the uhid devices. +allow hal_sensors_default uhid_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_usb_impl.te b/sepolicy/vendor/hal_usb_impl.te new file mode 100644 index 0000000..4f1bfbc --- /dev/null +++ b/sepolicy/vendor/hal_usb_impl.te @@ -0,0 +1,2 @@ +# For Pogo usb management +allow hal_usb_impl sysfs_pogo_usb:file rw_file_perms; diff --git a/sepolicy/vendor/hal_wifi_ext.te b/sepolicy/vendor/hal_wifi_ext.te new file mode 100644 index 0000000..c5cf260 --- /dev/null +++ b/sepolicy/vendor/hal_wifi_ext.te @@ -0,0 +1 @@ +allow hal_wifi_ext vendor_wlan_device:chr_file w_file_perms; diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts new file mode 100644 index 0000000..f93a0e0 --- /dev/null +++ b/sepolicy/vendor/service_contexts @@ -0,0 +1,2 @@ +# Cast Factory Credentials +android.hardware.drm.IDrmFactory/castkey u:object_r:hal_drm_service:s0 diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te new file mode 100644 index 0000000..ba82449 --- /dev/null +++ b/sepolicy/vendor/system_server.te @@ -0,0 +1 @@ +allow system_server sysfs_touch_gti:file r_file_perms; diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te new file mode 100644 index 0000000..de38b6f --- /dev/null +++ b/sepolicy/vendor/vendor_init.te @@ -0,0 +1 @@ +get_prop(vendor_init, gesture_prop)