diff --git a/OWNERS b/OWNERS
new file mode 100644
index 00000000..791abb4a
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,3 @@
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/aoc/aocd.te b/aoc/aocd.te
new file mode 100644
index 00000000..69b0af0d
--- /dev/null
+++ b/aoc/aocd.te
@@ -0,0 +1,21 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+r_dir_file(aocd, persist_aoc_file);
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocd, vendor_aoc_prop)
diff --git a/aoc/aocdump.te b/aoc/aocdump.te
new file mode 100644
index 00000000..0801ec0e
--- /dev/null
+++ b/aoc/aocdump.te
@@ -0,0 +1,18 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ allow aocdump wifi_logging_data_file:dir create_dir_perms;
+ allow aocdump wifi_logging_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+ r_dir_file(aocdump, proc_asound)
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/aoc/device.te b/aoc/device.te
new file mode 100644
index 00000000..fbd2b327
--- /dev/null
+++ b/aoc/device.te
@@ -0,0 +1,5 @@
+# AOC device
+type aoc_device, dev_type;
+
+# AMCS device
+type amcs_device, dev_type;
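Review bot: The userdebug_or_eng block in aoc/aocdump.te lets aocdump create files under radio_vendor_data_file and wifi_logging_data_file, directories owned by the modem and Wi-Fi logging stacks, yet the only comment in the block covers the aoc_device rule. A short comment above those four rules naming which collector expects AoC dumps in those locations would let a later reviewer tell a deliberate cross-subsystem grant from a copy-paste. `set_prop(aocdump, vendor_audio_prop);` is likewise an unexplained write grant; `vendor.audiodump.*` is labeled vendor_audio_prop in aoc/property_contexts in this same commit, so if those are the properties it sets, a comment such as `# aocdump toggles the vendor.audiodump.* properties (vendor_audio_prop)` would record it. The debug-only gating is appropriate and should stay.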
diff --git a/aoc/file.te b/aoc/file.te
new file mode 100644
index 00000000..3e0baf8a
--- /dev/null
+++ b/aoc/file.te
@@ -0,0 +1,17 @@
+# sysfs
+type sysfs_aoc_dumpstate, sysfs_type, fs_type;
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+type sysfs_aoc_reset, sysfs_type, fs_type;
+type sysfs_pixelstats, fs_type, sysfs_type;
+
+# persist
+type persist_aoc_file, file_type, vendor_persist_type;
+type persist_audio_file, file_type, vendor_persist_type;
+
+# vendor
+type aoc_audio_file, file_type, vendor_file_type;
+
+# data
+type audio_vendor_data_file, file_type, data_file_type;
diff --git a/aoc/file_contexts b/aoc/file_contexts
new file mode 100644
index 00000000..71fb097b
--- /dev/null
+++ b/aoc/file_contexts
@@ -0,0 +1,34 @@
+# AoC devices
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+/dev/amcs u:object_r:amcs_device:s0
+
+# AoC vendor binaries
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
+/vendor/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
+
+# AoC audio files
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+
+# Aoc persist files
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+
+# Audio data files
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
diff --git a/aoc/genfs_contexts b/aoc/genfs_contexts
new file mode 100644
index 00000000..46773bb0
--- /dev/null
+++ b/aoc/genfs_contexts
@@ -0,0 +1,28 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes u:object_r:sysfs_aoc_dumpstate:s0
+
+# pixelstat_vendor
+genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
+
diff --git a/aoc/hal_audio_default.te b/aoc/hal_audio_default.te
new file mode 100644
index 00000000..0755cba1
--- /dev/null
+++ b/aoc/hal_audio_default.te
@@ -0,0 +1,35 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+allow hal_audio_default amcs_device:file rw_file_perms;
+allow hal_audio_default amcs_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+
+#allow access to DMABUF Heaps for AAudio API
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+hal_client_domain(hal_audio_default, hal_health);
+hal_client_domain(hal_audio_default, hal_thermal);
+allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
+
+wakelock_use(hal_audio_default);
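Review bot: `allow hal_audio_default aoc_device:file rw_file_perms;` and `allow hal_audio_default amcs_device:file rw_file_perms;` look like dead rules: both types are declared as plain dev_type in aoc/device.te and aoc/file_contexts applies them only to /dev character nodes, so no object of class `file` should ever carry those labels. Unless a regular file is labeled aoc_device or amcs_device somewhere outside this commit, drop the two `:file` rules and keep the `:chr_file` ones. Separately, `allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };` spells out by hand what `add_hwservice(hal_audio_default, hal_audio_ext_hwservice)` does; that is the form aoc/hal_audiometricext_default.te in this commit uses, and the macro also carries the neverallow that keeps every other domain from registering the same service.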
diff --git a/aoc/hal_audiometricext_default.te b/aoc/hal_audiometricext_default.te
new file mode 100644
index 00000000..5358eac4
--- /dev/null
+++ b/aoc/hal_audiometricext_default.te
@@ -0,0 +1,12 @@
+type hal_audiometricext_default, domain;
+type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_audiometricext_default)
+
+allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
+allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
+
+get_prop(hal_audiometricext_default, vendor_audio_prop);
+get_prop(hal_audiometricext_default, hwservicemanager_prop);
+
+hwbinder_use(hal_audiometricext_default);
+add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/aoc/hwservice.te b/aoc/hwservice.te
new file mode 100644
index 00000000..b7bf5d92
--- /dev/null
+++ b/aoc/hwservice.te
@@ -0,0 +1,6 @@
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# AudioMetric
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
diff --git a/aoc/hwservice_contexts b/aoc/hwservice_contexts
new file mode 100644
index 00000000..f06c8461
--- /dev/null
+++ b/aoc/hwservice_contexts
@@ -0,0 +1,4 @@
+# Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+
diff --git a/aoc/property.te b/aoc/property.te
new file mode 100644
index 00000000..d38e3ec8
--- /dev/null
+++ b/aoc/property.te
@@ -0,0 +1,4 @@
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
+# Audio
+vendor_internal_prop(vendor_audio_prop)
diff --git a/aoc/property_contexts b/aoc/property_contexts
new file mode 100644
index 00000000..d5028300
--- /dev/null
+++ b/aoc/property_contexts
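Review bot: `get_prop(hal_audiometricext_default, hwservicemanager_prop);` in aoc/hal_audiometricext_default.te is probably redundant: AOSP's base policy grants hwservicemanager_prop reads domain-wide, and none of the other hwbinder users in this commit (aoc/hal_audio_default.te, for one) carry the line. If this platform's base policy differs and the grant is needed, a one-line comment such as `# hwservicemanager_prop is not granted to domain on this platform` would stop the next cleanup from removing it; otherwise drop the line.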
@@ -0,0 +1,11 @@
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
diff --git a/dauntless/citadel_provision.te b/dauntless/citadel_provision.te
new file mode 100644
index 00000000..56050857
--- /dev/null
+++ b/dauntless/citadel_provision.te
@@ -0,0 +1,6 @@
+type citadel_provision, domain;
+type citadel_provision_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(citadel_provision)
+')
diff --git a/dauntless/citadeld.te b/dauntless/citadeld.te
new file mode 100644
index 00000000..86cb61c7
--- /dev/null
+++ b/dauntless/citadeld.te
@@ -0,0 +1,13 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(citadeld)
+
+add_service(citadeld, citadeld_service)
+binder_use(citadeld)
+vndbinder_use(citadeld)
+binder_call(citadeld, system_server)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
diff --git a/dauntless/device.te b/dauntless/device.te
new file mode 100644
index 00000000..f63186f4
--- /dev/null
+++ b/dauntless/device.te
@@ -0,0 +1 @@
+type citadel_device, dev_type;
diff --git a/dauntless/file.te b/dauntless/file.te
new file mode 100644
index 00000000..cfc0dea1
--- /dev/null
+++ b/dauntless/file.te
@@ -0,0 +1 @@
+type citadel_updater, vendor_file_type, file_type;
diff --git a/dauntless/file_contexts b/dauntless/file_contexts
new file mode 100644
index 00000000..76a25023
--- /dev/null
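Review bot: Every entry in aoc/property_contexts except the `persist.vendor.audio.` line reads like the name of a single property, but without `exact` each entry is a prefix match, so `vendor.audiodump.enable` also labels `vendor.audiodump.enable.anything` that a process in the same domain chooses to set. private/property_contexts in this same commit already uses the typed form (`persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int`); applying it here, for example `vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0 exact string` with whatever type each property actually carries, also lets the build type-check setters. If some of these entries are meant as prefixes, a trailing `.` as on the persist line makes that intent explicit.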
+++ b/dauntless/file_contexts
@@ -0,0 +1,9 @@
+/vendor/bin/CitadelProvision u:object_r:citadel_provision_exec:s0
+/vendor/bin/hw/init_citadel u:object_r:init_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.citadel u:object_r:hal_keymint_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel u:object_r:hal_weaver_citadel_exec:s0
+/vendor/bin/hw/android\.hardware\.identity@1\.0-service\.citadel u:object_r:hal_identity_citadel_exec:s0
+/vendor/bin/hw/citadel_updater u:object_r:citadel_updater:s0
+/vendor/bin/hw/citadeld u:object_r:citadeld_exec:s0
+
+/dev/gsc0 u:object_r:citadel_device:s0
diff --git a/dauntless/hal_identity_citadel.te b/dauntless/hal_identity_citadel.te
new file mode 100644
index 00000000..c181e27c
--- /dev/null
+++ b/dauntless/hal_identity_citadel.te
@@ -0,0 +1,11 @@
+type hal_identity_citadel, domain;
+type hal_identity_citadel_exec, exec_type, vendor_file_type, file_type;
+
+vndbinder_use(hal_identity_citadel)
+binder_call(hal_identity_citadel, citadeld)
+allow hal_identity_citadel citadeld_service:service_manager find;
+allow hal_identity_citadel hal_keymint_citadel:binder call;
+
+hal_server_domain(hal_identity_citadel, hal_identity)
+hal_server_domain(hal_identity_citadel, hal_keymint)
+init_daemon_domain(hal_identity_citadel)
diff --git a/dauntless/hal_keymint_citadel.te b/dauntless/hal_keymint_citadel.te
new file mode 100644
index 00000000..e1a6177d
--- /dev/null
+++ b/dauntless/hal_keymint_citadel.te
@@ -0,0 +1,9 @@
+type hal_keymint_citadel, domain;
+type hal_keymint_citadel_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_keymint_citadel, hal_keymint)
+init_daemon_domain(hal_keymint_citadel)
+vndbinder_use(hal_keymint_citadel)
+get_prop(hal_keymint_citadel, vendor_security_patch_level_prop)
+allow hal_keymint_citadel citadeld_service:service_manager find;
+binder_call(hal_keymint_citadel, citadeld)
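Review bot: `allow hal_identity_citadel hal_keymint_citadel:binder call;` in dauntless/hal_identity_citadel.te is a bare binder rule two lines under a `binder_call(hal_identity_citadel, citadeld)` macro call; writing it as `binder_call(hal_identity_citadel, hal_keymint_citadel)` would also grant the `transfer` permission in both directions and the `fd use` that a real binder round-trip needs, and keeps the file consistent with the rest of the dauntless/ policy. Pairing `hal_server_domain(hal_identity_citadel, hal_identity)` with `hal_server_domain(hal_identity_citadel, hal_keymint)` is unusual for an identity-credential HAL, given that hal_keymint_citadel is already the KeyMint server in this commit, so a comment stating which KeyMint-attributed interface this process actually serves (or which neverallow the attribute is needed to satisfy) would help the next reader.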
diff --git a/dauntless/hal_weaver_citadel.te b/dauntless/hal_weaver_citadel.te
new file mode 100644
index 00000000..c47287b9
--- /dev/null
+++ b/dauntless/hal_weaver_citadel.te
@@ -0,0 +1,11 @@
+type hal_weaver_citadel, domain;
+type hal_weaver_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_weaver_citadel)
+hal_server_domain(hal_weaver_citadel, hal_weaver)
+hal_server_domain(hal_weaver_citadel, hal_oemlock)
+hal_server_domain(hal_weaver_citadel, hal_authsecret)
+vndbinder_use(hal_weaver_citadel)
+binder_call(hal_weaver_citadel, citadeld)
+
+allow hal_weaver_citadel citadeld_service:service_manager find;
diff --git a/dauntless/init_citadel.te b/dauntless/init_citadel.te
new file mode 100644
index 00000000..2e986d08
--- /dev/null
+++ b/dauntless/init_citadel.te
@@ -0,0 +1,15 @@
+type init_citadel, domain;
+type init_citadel_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_citadel)
+
+# Citadel communication must be via citadeld
+vndbinder_use(init_citadel)
+binder_call(init_citadel, citadeld)
+allow init_citadel citadeld_service:service_manager find;
+
+# Many standard utils are actually vendor_toolbox (like xxd)
+allow init_citadel vendor_toolbox_exec:file rx_file_perms;
+
+# init_citadel needs to invoke citadel_updater
+allow init_citadel citadel_updater:file rx_file_perms;
diff --git a/dauntless/service_contexts b/dauntless/service_contexts
new file mode 100644
index 00000000..ac6a1867
--- /dev/null
+++ b/dauntless/service_contexts
@@ -0,0 +1,3 @@
+android.hardware.security.keymint.IKeyMintDevice/strongbox u:object_r:hal_keymint_service:s0
+android.hardware.security.sharedsecret.ISharedSecret/strongbox u:object_r:hal_sharedsecret_service:s0
+android.hardware.security.keymint.IRemotelyProvisionedComponent/strongbox u:object_r:hal_remotelyprovisionedcomponent_service:s0
diff --git a/dauntless/vndservice.te b/dauntless/vndservice.te
new file mode 100644
index 00000000..880c09ca
--- /dev/null
+++ b/dauntless/vndservice.te
@@ -0,0 +1 @@
+type citadeld_service, vndservice_manager_type;
diff --git a/dauntless/vndservice_contexts b/dauntless/vndservice_contexts
new file mode 100644
index 00000000..b4df996b
--- /dev/null
+++ b/dauntless/vndservice_contexts
@@ -0,0 +1 @@
+android.hardware.citadel.ICitadeld u:object_r:citadeld_service:s0
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..7b5d25ab
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..78e7e959
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.janeiro u:object_r:sysfs_edgetpu:s0
diff --git a/edgetpu/google_camera_app.te b/edgetpu/google_camera_app.te
new file mode 100644
index 00000000..a0ad7316
--- /dev/null
+++ b/edgetpu/google_camera_app.te
@@ -0,0 +1,3 @@
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/gps/device.te b/gps/device.te
new file mode 100644
index 00000000..15d049fa
--- /dev/null
+++ b/gps/device.te
@@ -0,0 +1 @@
+type vendor_gnss_device, dev_type;
diff --git a/gps/file.te b/gps/file.te
new file mode 100644
index 00000000..4ed25013
--- /dev/null
+++ b/gps/file.te
@@ -0,0 +1,6 @@
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+
+type sysfs_gps, sysfs_type, fs_type;
diff --git a/gps/file_contexts b/gps/file_contexts
new file mode 100644
index 00000000..8ae128e1
--- /dev/null
+++ b/gps/file_contexts
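Review bot: `allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };` in edgetpu/google_camera_app.te hands an app domain an unrestricted `ioctl` on a device node, which is the widest surface the driver exposes and the part most worth fencing for a process that also handles untrusted media. Pair it with an extended-permission filter limited to the commands the app actually issues, `allowxperm google_camera_app edgetpu_device:chr_file ioctl { <EDGETPU_IOCTL_NUMBERS> };` with the placeholder filled from the driver's UAPI header, and extend the existing comment to say why the app talks to /dev/janeiro directly rather than only through edgetpu_app_service, which the first rule already lets it find.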
@@ -0,0 +1,12 @@
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+# devices
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+
+# vendor binaries
+/vendor/bin/hw/scd u:object_r:scd_exec:s0
+/vendor/bin/hw/lhd u:object_r:lhd_exec:s0
+/vendor/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/vendor/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
diff --git a/gps/genfs_contexts b/gps/genfs_contexts
new file mode 100644
index 00000000..1eab75b1
--- /dev/null
+++ b/gps/genfs_contexts
@@ -0,0 +1,3 @@
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+
diff --git a/gps/gpsd.te b/gps/gpsd.te
new file mode 100644
index 00000000..9757395b
--- /dev/null
+++ b/gps/gpsd.te
@@ -0,0 +1,21 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/gps/hal_gnss_default.te b/gps/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
--- /dev/null
+++ b/gps/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/gps/lhd.te b/gps/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/gps/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/gps/scd.te b/gps/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/gps/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/gs201-sepolicy.mk b/gs201-sepolicy.mk
new file mode 100644
index 00000000..664b851f
--- /dev/null
+++ b/gs201-sepolicy.mk
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/whitechapel_pro
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/private
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs201-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+# Dauntless sepolicy (b/199685763)
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/dauntless
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/health
diff --git a/health/file_contexts b/health/file_contexts
new file mode 100644
index 00000000..909de880
--- /dev/null
+++ b/health/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.health-service\.gs201 u:object_r:hal_health_default_exec:s0
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
new file mode 100644
index 00000000..c5feec95
--- /dev/null
+++ b/private/permissioncontroller_app.te
@@ -0,0 +1,2 @@
+allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
+allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 00000000..abcdd419
--- /dev/null
+++ b/private/property_contexts
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
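Review bot: gs201-sepolicy.mk lists whitechapel_pro, tracking_denials, private, system_ext, dauntless, powerstats and health as policy directories but not the aoc/, gps/ or edgetpu/ directories this same commit creates, so as written those domains, device labels and contexts are not compiled into the image unless a device-level makefile outside this change adds them. If that is the intent, a comment such as `# aoc/, gps/ and edgetpu/ are added by the per-device product makefile` next to the Pixel-wide section would make it obvious; otherwise add `BOARD_SEPOLICY_DIRS += device/google/gs201-sepolicy/aoc` and the matching lines for gps and edgetpu. The "(b/199685763)" reference style on the Dauntless line is worth repeating on the health and powerstats entries so each directory has an owner to ask.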
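Review bot: private/permissioncontroller_app.te grants a system app `w_file_perms` on `proc_vendor_sched:file` with no comment, and it is the only rule in this commit that lets an app domain write to a /proc interface. Since permissioncontroller_app is the runtime-permission UI rather than a scheduling component, a one-line comment recording what it writes to the vendor sched node and the bug that introduced the requirement, e.g. `# b/<bug>: permission controller writes <node> under proc_vendor_sched to <purpose>`, would let later reviewers judge the grant; without it the rule reads as a denial that was allowed rather than understood.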
+++ b/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/private/service_contexts b/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/system_ext/private/property_contexts b/system_ext/private/property_contexts
new file mode 100644
index 00000000..9f462bda
--- /dev/null
+++ b/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
diff --git a/system_ext/public/property.te b/system_ext/public/property.te
new file mode 100644
index 00000000..8908e485
--- /dev/null
+++ b/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt
new file mode 100644
index 00000000..6cfc62df
--- /dev/null
+++ b/tracking_denials/README.txt
@@ -0,0 +1,2 @@
+This folder stores known errors detected by PTS. Be sure to remove relevant
+files to reproduce error log on latest ROMs.
diff --git a/tracking_denials/clatd.te b/tracking_denials/clatd.te
new file mode 100644
index 00000000..3c27ad97
--- /dev/null
+++ b/tracking_denials/clatd.te
@@ -0,0 +1,3 @@
+# b/210363983
+#dontaudit clatd netd:rawip_socket { read write };
+#dontaudit clatd netd:rawip_socket { setopt };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..aaff71e5
--- /dev/null
+++ b/tracking_denials/dumpstate.te
@@ -0,0 +1,6 @@
+# b/221384768
+dontaudit dumpstate app_zygote:process { signal };
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
+dontaudit dumpstate sysfs:file { read };
+# b/227694693
+dontaudit dumpstate incident:process { signal };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
new file mode 100644
index 00000000..72796c22
--- /dev/null
+++ b/tracking_denials/google_camera_app.te
@@ -0,0 +1,8 @@
+# b/209889068
+dontaudit google_camera_app edgetpu_app_service:service_manager { find };
+dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
+dontaudit google_camera_app edgetpu_device:chr_file { map };
+dontaudit google_camera_app edgetpu_device:chr_file { read write };
+dontaudit google_camera_app vendor_default_prop:file { getattr };
+dontaudit google_camera_app vendor_default_prop:file { map };
+dontaudit google_camera_app vendor_default_prop:file { open };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..f423e497
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,5 @@
+# b/205780065
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/218585004
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/hal_drm_widevine.te b/tracking_denials/hal_drm_widevine.te
new file mode 100644
index 00000000..cfe7fcf7
--- /dev/null
+++ b/tracking_denials/hal_drm_widevine.te
@@ -0,0 +1,2 @@
+# b/229209076
+dontaudit hal_drm_widevine vndbinder_device:chr_file { read };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..b58f29fe
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
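Review bot: The first four dontaudit rules in tracking_denials/google_camera_app.te suppress `edgetpu_app_service:service_manager find` and `edgetpu_device:chr_file { ioctl map read write }`, but edgetpu/google_camera_app.te in this same commit allows exactly those permissions, so these lines can never fire and only obscure what b/209889068 still tracks. Drop them and leave the entry with the three vendor_default_prop rules that still correspond to a real denial; those three can also be folded into one line, `dontaudit google_camera_app vendor_default_prop:file { getattr map open };`.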
@@ -0,0 +1,8 @@
+# b/205073167
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/205202540
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+# b/205779871
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..731d4baa
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,4 @@
+# b/208909174
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
+# b/221384860
+dontaudit hal_power_default hal_power_default:capability { dac_override };
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
new file mode 100644
index 00000000..74a400df
--- /dev/null
+++ b/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/227122249
+dontaudit hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager { find };
diff --git a/tracking_denials/hal_secure_element_st33spi.te b/tracking_denials/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..da4b099d
--- /dev/null
+++ b/tracking_denials/hal_secure_element_st33spi.te
@@ -0,0 +1,2 @@
+# b/229167195
+dontaudit hal_secure_element_st33spi vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 00000000..fb1bb237
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,2 @@
+# b/227695036
+dontaudit hal_sensors_default sensor_reg_data_file:dir { write };
diff --git a/tracking_denials/hal_thermal_default.te b/tracking_denials/hal_thermal_default.te
new file mode 100644
index 00000000..abbd2f97
--- /dev/null
+++ b/tracking_denials/hal_thermal_default.te
@@ -0,0 +1,7 @@
+# b/205904328
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { bind };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { create };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { getattr };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { read };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { setopt };
+dontaudit hal_thermal_default hal_thermal_default:netlink_generic_socket { write };
diff --git a/tracking_denials/hal_uwb_vendor_default.te b/tracking_denials/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..2e0025fc
--- /dev/null
+++ b/tracking_denials/hal_uwb_vendor_default.te
@@ -0,0 +1,3 @@
+# b/208721505
+dontaudit hal_uwb_vendor_default dumpstate:fd { use };
+dontaudit hal_uwb_vendor_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..2975d243
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,2 @@
+# b/208909060
+dontaudit hardware_info_app vendor_maxfg_debugfs:dir search;
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..90b1025f
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,2 @@
+# b/226850644
+dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
new file mode 100644
index 00000000..d75b1fb1
--- /dev/null
+++ b/tracking_denials/kernel.te
@@ -0,0 +1,11 @@
+# b/213817227
+dontaudit kernel vendor_battery_debugfs:dir { search };
+# b/220801802
+allow kernel same_process_hal_file:file r_file_perms;
+# b/227121550
+dontaudit kernel vendor_usb_debugfs:dir { search };
+dontaudit kernel vendor_votable_debugfs:dir { search };
+# b/227286343
+dontaudit kernel vendor_regmap_debugfs:dir { search };
+# b/228181404
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
\ No newline at end of file
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 00000000..b9b246ce
--- /dev/null
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,2 @@
+# b/214472867
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 00000000..72e6e6e9
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,2 @@
+# b/214122471
+dontaudit servicemanager hal_fingerprint_default:binder { call };
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
new file mode 100644
index 00000000..182b08e1
--- /dev/null
+++ b/tracking_denials/ssr_detector_app.te
@@ -0,0 +1,12 @@
+# b/205202542
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { getattr };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { map };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { open };
+dontaudit ssr_detector_app vendor_persist_sys_default_prop:file { read };
+# b/207571417
+dontaudit ssr_detector_app cgroup:file { open };
+dontaudit ssr_detector_app cgroup:file { write };
+dontaudit ssr_detector_app sysfs:file { getattr };
+dontaudit ssr_detector_app sysfs:file { open };
+dontaudit ssr_detector_app sysfs:file { read };
+dontaudit ssr_detector_app sysfs:file { write };
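Review bot: The `# b/220801802` entry is an `allow`, not a `dontaudit` — `allow kernel same_process_hal_file:file r_file_perms;` grants the kernel domain read access to same-process HAL libraries from inside a directory whose other entries only suppress audit messages, so the grant is easy to overlook in review and will silently disappear if tracking_denials is pruned once its bugs close. If the kernel genuinely needs this read (the bug is not visible here), move the rule to the kernel domain's own policy file with a one-line comment naming the code path that opens the library, and keep tracking_denials to dontaudit rules only. The file also ends without a trailing newline.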
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..cd7b63d9
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
@@ -0,0 +1,4 @@
+# b/215042694
+dontaudit surfaceflinger kernel:process { setsched };
+# b/208721808
+dontaudit surfaceflinger hal_graphics_composer_default:dir { search };
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 00000000..3a56e037
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,5 @@
+# TODO(b/205904330): avoid using setuid, setgid permission
+allow tee tee:capability { setuid setgid };
+# b/215649571
+dontaudit tee gsi_metadata_file:dir { search };
+dontaudit tee metadata_file:dir { search };
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..850099a9
--- /dev/null
+++ b/tracking_denials/vendor_init.te
@@ -0,0 +1,4 @@
+# b/205656950
+dontaudit vendor_init thermal_link_device:file { create };
+# b/226271913
+dontaudit vendor_init vendor_maxfg_debugfs:file setattr;
diff --git a/tracking_denials/vendor_telephony_silentlogging_app.te b/tracking_denials/vendor_telephony_silentlogging_app.te
new file mode 100644
index 00000000..a74e3e3a
--- /dev/null
+++ b/tracking_denials/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,3 @@
+# b/221384996
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { getattr };
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir { search };
diff --git a/whitechapel_pro/attributes b/whitechapel_pro/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/whitechapel_pro/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/whitechapel_pro/audioserver.te b/whitechapel_pro/audioserver.te
new file mode 100644
index 00000000..c7d69097
--- /dev/null
+++ b/whitechapel_pro/audioserver.te
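Review bot: `allow tee tee:capability { setuid setgid };` is a live capability grant parked in tracking_denials under a TODO rather than a dontaudit; CAP_SETUID/CAP_SETGID let the process switch to any uid/gid, so it belongs in the tee domain's own policy file with a comment stating which uid drop storageproxyd performs (file_contexts in this change labels /vendor/bin/storageproxyd as tee_exec), not in a directory whose purpose is suppressing audit noise. For consistency with the rest of the change (cbd.te uses `self:capability`) the rule should also read `allow tee self:capability { setuid setgid };`. The two metadata dontaudits are ordinary denial tracking and look fine.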
@@ -0,0 +1,3 @@
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
+allow audioserver audio_service:service_manager find;
diff --git a/whitechapel_pro/bipchmgr.te b/whitechapel_pro/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/whitechapel_pro/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/whitechapel_pro/bluetooth.te b/whitechapel_pro/bluetooth.te
new file mode 100644
index 00000000..3795e299
--- /dev/null
+++ b/whitechapel_pro/bluetooth.te
@@ -0,0 +1,5 @@
+allow bluetooth proc_vendor_sched:dir r_dir_perms;
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
+allow hal_bluetooth_btlinux aoc_device:chr_file { getattr open read write };
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/bootanim.te b/whitechapel_pro/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/whitechapel_pro/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/whitechapel_pro/bootdevice_sysdev.te b/whitechapel_pro/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/whitechapel_pro/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/whitechapel_pro/cat_engine_service_app.te b/whitechapel_pro/cat_engine_service_app.te
new file mode 100644
index 00000000..eacf9621
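Review bot: `allow bluetooth proc_vendor_sched:file w_file_perms;` gives the Bluetooth app domain write access to a vendor proc interface with no comment saying why it is the one app domain carved back in after domain.te's `{domain -appdomain -rs}` grant excludes apps; a line such as `# Bluetooth app writes vendor sched hints for its own threads (b/NNN)` — with the real reason — would let a later reader judge whether it can be narrowed to a single file or dropped. The file also mixes two subjects, `bluetooth` and `hal_bluetooth_btlinux`, under the name bluetooth.te; the two hal_bluetooth_btlinux rules would be easier to find in a hal_bluetooth_btlinux.te alongside the other per-HAL files in this change. The file ends without a trailing newline.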
--- /dev/null
+++ b/whitechapel_pro/cat_engine_service_app.te
@@ -0,0 +1,8 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cat_engine_service_app)
+ get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app app_api_service:service_manager find;
+ allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')
diff --git a/whitechapel_pro/cbd.te b/whitechapel_pro/cbd.te
new file mode 100644
index 00000000..c4cfe7a6
--- /dev/null
+++ b/whitechapel_pro/cbd.te
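Review bot: `type cat_engine_service_app, domain;` is declared unconditionally while `app_domain(cat_engine_service_app)` and every allow rule sit inside `userdebug_or_eng`, so on user builds the type exists with no rules at all; if seapp_contexts maps the app to this domain on every build (not visible here), the app will presumably be denied everything on user devices, starting with the zygote transition that app_domain normally permits. If that is the intent — a debug-only app that must never run on production — record it with a comment next to the declaration, e.g. `# Debug-only app: the domain is intentionally empty on user builds`; otherwise the seapp_contexts entry needs the same guard. cbrs_setup.te in this change follows the same pattern and the same question applies there.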
@@ -0,0 +1,63 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+# Allow cbd to set gid/uid from too to radio
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/whitechapel_pro/cbrs_setup.te b/whitechapel_pro/cbrs_setup.te
new file mode 100644
index 00000000..1abbcff1
--- /dev/null
+++ b/whitechapel_pro/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/whitechapel_pro/cccdk_timesync_app.te b/whitechapel_pro/cccdk_timesync_app.te
new file mode 100644
index 00000000..f6e514d9
--- /dev/null
+++ b/whitechapel_pro/cccdk_timesync_app.te
@@ -0,0 +1,10 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# allow the HAL to call our registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/whitechapel_pro/certs/EuiccSupportPixel.x509.pem b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 00000000..d11ad3d0
--- /dev/null
+++ b/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
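Review bot: The comment above the capability rule, `# Allow cbd to set gid/uid from too to radio`, has a typo and should read `# Allow cbd to set gid/uid from root to radio` (or name whatever uid cbd actually starts as). The more substantive concern is that cbd combines `self:capability { setgid setuid }` with `execute_no_trans` on vendor_shell_exec and vendor_toolbox_exec, rw on kmsg_device and radio_device, and create on the modem EFS, userdata and persist trees, so any shell or toolbox command it spawns runs with that entire privilege set inside the cbd domain; a comment naming the scripts or commands it runs, and confirming the uid drop happens before they are executed, would make the grant reviewable. If the shell use only serves the debug logging paths, the two `execute_no_trans` rules belong inside the `userdebug_or_eng` block with the rest of them.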
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/certs/app.x509.pem b/whitechapel_pro/certs/app.x509.pem
new file mode 100644
index 00000000..8e3e6273
--- /dev/null
+++ b/whitechapel_pro/certs/app.x509.pem
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/whitechapel_pro/certs/com_google_mds.x509.pem b/whitechapel_pro/certs/com_google_mds.x509.pem new file mode 100644 index 00000000..640c6fb9 --- /dev/null +++ b/whitechapel_pro/certs/com_google_mds.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds +ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG +A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl +IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv +6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh +WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW +LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP +URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6 +TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I +IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5 +GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO +C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q +OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ +KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz +K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT +EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa +DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx +7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57 +vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo +xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH +64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni 
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
new file mode 100644
index 00000000..0e7c9ed5
--- /dev/null
+++ b/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
diff --git a/whitechapel_pro/charger_vendor.te b/whitechapel_pro/charger_vendor.te
new file mode 100644
index 00000000..df59b717
--- /dev/null
+++ b/whitechapel_pro/charger_vendor.te
@@ -0,0 +1,10 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/whitechapel_pro/chre.te b/whitechapel_pro/chre.te
new file mode 100644
index 00000000..319f17dd
--- /dev/null
+++ b/whitechapel_pro/chre.te
@@ -0,0 +1,20 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
+# Allow CHRE to talk to the WiFi HAL
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/whitechapel_pro/con_monitor.te b/whitechapel_pro/con_monitor.te
new file mode 100644
index 00000000..8695ccaa
--- /dev/null
+++ b/whitechapel_pro/con_monitor.te
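Review bot: `allow chre hal_wifi_ext:binder { call transfer };` is a hand-written half of the `binder_call` macro that the rest of this change uses (bipchmgr.te, cccdk_timesync_app.te); as defined in AOSP te_macros, `binder_call(chre, hal_wifi_ext)` also grants `hal_wifi_ext chre:binder transfer` and `chre hal_wifi_ext:fd use`, which the HAL needs in order to hand binder objects or file descriptors back to CHRE, so the raw rule is likely to resurface later as a tracking_denials entry. Suggest replacing the line with `binder_call(chre, hal_wifi_ext)`. The file also ends without a trailing newline.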
@@ -0,0 +1,10 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain, coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
new file mode 100644
index 00000000..6b81f2a1
--- /dev/null
+++ b/whitechapel_pro/device.te
@@ -0,0 +1,28 @@
+type sda_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type modem_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+type sg_device, dev_type;
+type vendor_toe_device, dev_type;
+type lwis_device, dev_type;
+type logbuffer_device, dev_type;
+type rls_device, dev_type;
+type fingerprint_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+type battery_history_device, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
+# Raw HID device
+type hidraw_device, dev_type;
+
diff --git a/whitechapel_pro/dmd.te b/whitechapel_pro/dmd.te
new file mode 100644
index 00000000..76177b50
--- /dev/null
+++ b/whitechapel_pro/dmd.te
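Review bot: con_monitor_app receives `radio_vendor_data_file:dir rw_dir_perms` and `:file create_file_perms` on all builds, but file.te in this change only makes radio_vendor_data_file `mlstrustedobject` inside `userdebug_or_eng`; if the app is assigned per-user MLS categories through its seapp_contexts entry (`levelFrom=`, not visible here), the MLS constraints will block these writes on user builds no matter what the allow rules say. Either the grant is debug-only and should be wrapped in `userdebug_or_eng` like the attribute, or the attribute must be unconditional — a comment on the rule should say which. The domain is also declared `coredomain` in what appears to be vendor policy; confirm this file is compiled into a system_ext/product policy partition, since vendor policy is not expected to declare coredomain types.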
@@ -0,0 +1,32 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_silentlogging_app)
diff --git a/whitechapel_pro/domain.te b/whitechapel_pro/domain.te
new file mode 100644
index 00000000..fd876e09
--- /dev/null
+++ b/whitechapel_pro/domain.te
@@ -0,0 +1,2 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/dumpstate.te b/whitechapel_pro/dumpstate.te
new file mode 100644
index 00000000..8ff47509
--- /dev/null
+++ b/whitechapel_pro/dumpstate.te
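Review bot: dmd may create, bind, listen and accept on TCP sockets (`node_bind` on any node) while also holding rw on serial_device and radio_device and create on vendor_slog_file, yet neither the rules nor the `# Grant to access tcp socket` comment restrict the listener to debug builds or explain its purpose; if the socket serves the external logging tool mentioned above the serial_device rule, the two `tcp_socket` lines should move inside a `userdebug_or_eng` block, otherwise a comment should state why a production modem diagnostics daemon accepts TCP connections. Separately, `allow dmd hidl_base_hwservice:hwservice_manager add;` together with `allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };` is the hand-expanded form of `add_hwservice(dmd, hal_vendor_oem_hwservice)`; the macro would also emit the neverallow that stops any other domain from registering that hwservice, assuming dmd is its only provider.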
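Review bot: `allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;` grants write access to a vendor proc interface to every domain on the device except apps and rs — shell, dumpstate, every HAL and the kernel included — which is far wider than a scheduler-tuning knob normally needs, and the blanket grant makes per-domain carve-outs such as bluetooth.te adding the app back hard to reason about. Prefer enumerating the domains that actually write it, or at minimum excluding the untrusted and debug domains, and add a comment naming the kernel interface and why broad write is required; if only a scheduler daemon and a few HALs are meant to touch it, a neverallow for the rest would document that intent.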
@@ -0,0 +1,17 @@
+dump_hal(hal_health)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_telephony)
+dump_hal(hal_uwb_vendor)
+
+userdebug_or_eng(`
+ allow dumpstate media_rw_data_file:file append;
+')
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+allow dumpstate modem_efs_file:dir r_dir_perms;
+allow dumpstate modem_userdata_file:dir r_dir_perms;
+allow dumpstate modem_img_file:dir r_dir_perms;
+allow dumpstate fuse:dir search;
+
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/whitechapel_pro/e2fs.te b/whitechapel_pro/e2fs.te
new file mode 100644
index 00000000..a6664594
--- /dev/null
+++ b/whitechapel_pro/e2fs.te
@@ -0,0 +1,6 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
diff --git a/whitechapel_pro/euiccpixel_app.te b/whitechapel_pro/euiccpixel_app.te
new file mode 100644
index 00000000..303f8f36
--- /dev/null
+++ b/whitechapel_pro/euiccpixel_app.te
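Review bot: `dump_hal(hal_uwb_vendor)` appears to overlap with the tracking_denials entries for hal_uwb_vendor_default added in this same change (`dontaudit hal_uwb_vendor_default dumpstate:fd { use }` and `dumpstate:fifo_file { write }`); as defined in AOSP te_macros, dump_hal grants exactly those two permissions to the HAL attribute, so if hal_uwb_vendor_default carries the hal_uwb_vendor attribute the two dontaudit lines are now dead and should be removed so tracking_denials reflects real outstanding denials. The userdebug-only `media_rw_data_file:file append` rule would also benefit from a comment naming the bugreport step that appends to media files.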
@@ -0,0 +1,26 @@
+# EuiccSupportPixel app
+
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+allow euiccpixel_app sysfs_st33spi:dir search;
+allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly upgrade firmware on st33spi_device used for engineering devices
+ typeattribute st33spi_device mlstrustedobject;
+ allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
+')
+
diff --git a/whitechapel_pro/fastbootd.te b/whitechapel_pro/fastbootd.te
new file mode 100644
index 00000000..0d215a84
--- /dev/null
+++ b/whitechapel_pro/fastbootd.te
@@ -0,0 +1,7 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+allow fastbootd citadel_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
new file mode 100644
index 00000000..aa4db136
--- /dev/null
+++ b/whitechapel_pro/file.te
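Review bot: On user builds euiccpixel_app, an app domain, gets `sysfs_st33spi:file rw_file_perms` plus `set_prop` on vendor_modem_prop and vendor_secure_element_prop, and vendor_modem_prop is the same property context that cbd and dmd write in this change, so the app can set any modem property those daemons consume; consider a dedicated property context for the app's reset/firmware flags, or at least a comment listing the properties it sets, e.g. `# sets vendor.modem.<x> to request an eSIM reset (b/NNN)`. The `typeattribute st54spi_device mlstrustedobject` and st33spi_device lines are correctly confined to userdebug_or_eng, whereas the unconditional `typeattribute sysfs_st33spi mlstrustedobject` in file.te appears to exist for this app's rw rule; a cross-reference comment on the sysfs rule here would explain the pairing.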
@@ -0,0 +1,114 @@
+# Data
+type rild_vendor_data_file, file_type, data_file_type;
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type modem_stat_data_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
+type radio_vendor_data_file, file_type, data_file_type;
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+type tcpdump_vendor_data_file, file_type, data_file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type sensor_reg_data_file, file_type, data_file_type;
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
+type powerstats_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute tcpdump_vendor_data_file mlstrustedobject;
+ typeattribute vendor_slog_file mlstrustedobject;
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# sysfs
+type sysfs_chosen, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
+type bootdevice_sysdev, dev_type;
+type sysfs_display, sysfs_type, fs_type;
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+type sysfs_bcl, sysfs_type, fs_type;
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_touch, sysfs_type, fs_type;
+type sysfs_bcmdhd, sysfs_type, fs_type;
+type sysfs_wlc, sysfs_type, fs_type;
+type sysfs_chargelevel, sysfs_type, fs_type;
+type sysfs_mfc, sysfs_type, fs_type;
+type sysfs_cpu, sysfs_type, fs_type;
+type sysfs_odpm, sysfs_type, fs_type;
+type sysfs_soc, sysfs_type, fs_type;
+type sysfs_camera, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
+
+# debugfs
+type debugfs_f2fs, debugfs_type, fs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type;
+type vendor_page_pinner_debugfs, fs_type, debugfs_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
+# persist
+type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_modem_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+type persist_display_file, file_type, vendor_persist_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_usf_reg_edit, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Modem
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;
+typeattribute sysfs_st33spi mlstrustedobject;
+
+# GPU
+type sysfs_gpu, sysfs_type, fs_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+# SJTAG
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
+# Touch
+type proc_touch, proc_type, fs_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
new file mode 100644
index 00000000..ae1d4f23
--- /dev/null
+++ b/whitechapel_pro/file_contexts
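Review bot: `type bootdevice_sysdev, dev_type;` sits in the `# sysfs` group with `dev_type` rather than `sysfs_type, fs_type`, while bootdevice_sysdev.te in this change associates it with the sysfs filesystem (`allow bootdevice_sysdev sysfs:filesystem associate;`); a dev_type label on sysfs nodes bypasses the generic sysfs rules and any neverallows keyed on sysfs_type, so either the attribute set or the placement looks wrong — confirm which and record the reason, e.g. `# sysfs node labeled dev_type because <reason>`. Likewise `uwb_vendor_data_file` carries `app_data_file_type`, which as used in system/sepolicy pulls the type into the app-data neverallows; if an app-writable vendor data directory is deliberate, a one-line comment here would save the next reader a trip to the core policy.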
@@ -0,0 +1,225 @@
+# Binaries
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.boot@1\.2-service-gs201 u:object_r:hal_bootctl_default_exec:s0
+/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0
+/vendor/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+
+# Vendor Firmwares
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
+/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
+
+# Vendor libraries
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
+
+# Graphics
+/vendor/lib(64)?/hw/gralloc\.gs201\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+# Vendor kernel modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+# Devices
+/dev/trusty-log0 u:object_r:logbuffer_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/ttySAC0 u:object_r:tty_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/bigocean u:object_r:video_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
+/dev/lwis-act-jotnar u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-ois-jotnar u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor-buraq u:object_r:lwis_device:s0
+/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-sensor-kraken u:object_r:lwis_device:s0
+/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
+/dev/lwis-sensor-nagual u:object_r:lwis_device:s0
+/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/gxp u:object_r:gxp_device:s0
+/dev/dit2 u:object_r:vendor_toe_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/sg1 u:object_r:sg_device:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
+
+# Data
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+/dev/battery_history u:object_r:battery_history_device:s0
+/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+
+# Persist
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
+
+# Extra mount images
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+
+# Raw HID device
+/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/whitechapel_pro/fsck.te b/whitechapel_pro/fsck.te
new file mode 100644
index 00000000..d29555b3
--- /dev/null
+++ b/whitechapel_pro/fsck.te
@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
diff --git a/whitechapel_pro/genfs_contexts b/whitechapel_pro/genfs_contexts
new file mode 100644
index 00000000..33f74779
--- /dev/null
+++ b/whitechapel_pro/genfs_contexts
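Review bot: The `/dev/battery_history u:object_r:battery_history_device:s0` entry sits under the `# Data` header, between the `/data/vendor/uwb(/.*)?` and `/data/vendor/powerstats(/.*)?` lines, while every other device node in this file is grouped under `# Devices`; moving it there keeps the section headers truthful for anyone scanning the file by path prefix. The labelling itself is unaffected either way, since the section comments carry no meaning for the matcher. In the fsck.te hunk on the same line, the three `allow fsck ...:blk_file rw_file_perms;` rules carry no comment saying which mounts need them; a one-line header such as `# vendor partitions fsck checks at boot (persist, efs, modem_userdata)` would record the intent, which I infer from the partition names rather than from anything shown in the hunk.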
@@ -0,0 +1,330 @@
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
+
+# CPU
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/28000000.mali/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/28000000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/sysfs u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+genfscon proc /focaltech_touch u:object_r:proc_touch:s0
+
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+
+# ACPM
+genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# GPU
+genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0
+
+# Fabric
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10db0000.spi/spi_master/spi16/spi16.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
+
+# Power ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-meter/s2mpg12-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/s2mpg13-meter/s2mpg13-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
+# OTA
+genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c240000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c242000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c240000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c241000.drmdecon/dqe1/atc u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0
+
+# mediacodec_samsung
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_mfc:s0
+
+# Storage
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+
+# debugfs
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
+
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c u:object_r:sysfs_batteryinfo:s0
+
+# P22 battery
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# Extcon
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+
+# Haptics
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+
+# system suspend wakeup files
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d10000.spi/spi_master/spi0/spi0.0/synaptics_tcm.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d60000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-3/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10da0000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.4.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb2 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/xhci-hcd-exynos.5.auto/usb3 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-7/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs
/devices/platform/acpm_mfd_bus@18110000/i2c-8/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-power-keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/s2mpg12-rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18100000/i2c-0/i2c-s2mpg12mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@18110000/i2c-1/i2c-s2mpg13mfd/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0 + +#SecureElement +genfscon sysfs /devices/platform/181c0000.spi/spi_master/spi17/spi17.0/st33spi u:object_r:sysfs_st33spi:s0 + +# Thermal +genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.TPU 
u:object_r:sysfs_thermal:s0 +genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0 + +genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0 +genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0 + +genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0 + +# Camera +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0 + +# SJTAG +genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0 +genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0 + +# USB-C throttling stats +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0 + +# Coresight ETM +genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0 +genfscon sysfs /devices/platform/2bc40000.etm 
u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
diff --git a/whitechapel_pro/google_camera_app.te b/whitechapel_pro/google_camera_app.te
new file mode 100644
index 00000000..ad097810
--- /dev/null
+++ b/whitechapel_pro/google_camera_app.te
@@ -0,0 +1,15 @@
+type google_camera_app, domain, coredomain;
+app_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows camera app to access the GXP device.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+
+# Allows camera app to search for GXP firmware file.
+allow google_camera_app vendor_fw_file:dir search;
diff --git a/whitechapel_pro/gpsd.te b/whitechapel_pro/gpsd.te
new file mode 100644
index 00000000..15a8ac36
--- /dev/null
+++ b/whitechapel_pro/gpsd.te
@@ -0,0 +1,3 @@
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/whitechapel_pro/grilservice_app.te b/whitechapel_pro/grilservice_app.te
new file mode 100644
index 00000000..6e0dd667
--- /dev/null
+++ b/whitechapel_pro/grilservice_app.te
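Review bot: `allow google_camera_app gxp_device:chr_file rw_file_perms;` hands an app domain the complete ioctl surface of the GXP driver, because `rw_file_perms` includes `ioctl`, so the driver rather than the policy decides what the app may request. If the app uses a known set of ioctls, an `allowxperm google_camera_app gxp_device:chr_file ioctl { <GXP_IOCTL_ALLOWLIST> };` rule (placeholder for the real command list) bounds that surface, and the comment above the rule should say which operations the app performs. The domain is also declared `coredomain` while opening a vendor device node; a one-line comment stating why that combination is acceptable on this device would save the next reviewer from re-deriving it.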
@@ -0,0 +1,14 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
+binder_call(grilservice_app, rild)
diff --git a/whitechapel_pro/hal_bootctl_default.te b/whitechapel_pro/hal_bootctl_default.te
new file mode 100644
index 00000000..30db79bd
--- /dev/null
+++ b/whitechapel_pro/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
new file mode 100644
index 00000000..92c629ed
--- /dev/null
+++ b/whitechapel_pro/hal_camera_default.te
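Review bot: grilservice_app.te carries no comment saying what grilservice_app is or why an app domain needs `binder_call` into five vendor HALs plus `rild`, so a later reader cannot tell which of these grants are still required. A header such as `# Radio-extension helper app: needs find+call on the listed vendor hwservices for <feature>` (with the real feature named) would make the file self-describing. Because this is an `app_domain`, the package that receives this label is chosen in seapp_contexts outside this hunk; the comment should point at that mapping so the two stay in sync.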
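Review bot: `allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;` grants read/write on whatever carries the sda_block_device label, which by its name looks like the whole disk node rather than one partition; whether that is so depends on file_contexts, which is outside this hunk. If the HAL only needs the slot-metadata partition, a dedicated label for that node keeps a bug in the boot-control HAL from being able to overwrite unrelated partitions. At minimum a comment of the form `# Whole-disk access needed because <reason>` should justify the grant, since none of the three rules in this file is commented.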
@@ -0,0 +1,93 @@
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow the camera hal to access the GXP device.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
diff --git a/whitechapel_pro/hal_contexthub.te b/whitechapel_pro/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/whitechapel_pro/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/whitechapel_pro/hal_dumpstate_default.te b/whitechapel_pro/hal_dumpstate_default.te
new file mode 100644
index 00000000..4f0922fa
--- /dev/null
+++ b/whitechapel_pro/hal_dumpstate_default.te
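Review bot: `allow hal_camera_default kernel:process setsched;` near the top of the hunk lets the camera HAL change the scheduling policy and priority of kernel threads, yet it is the one broad grant in this file with no comment, while the TEE, EdgeTPU and GXP grants all have one; a line such as `# Raises priority of <kernel thread> for the camera pipeline` (with the real thread named) would let a reviewer judge whether it is still needed. `type hal_camera_default_tmpfs, file_type;` on the first line may overlap with what `tmpfs_domain(hal_camera_default);` later in the hunk declares; worth confirming the type is not declared twice. The macro invocations also mix trailing semicolons (`binder_use(hal_camera_default);`) and none (`binder_call(hal_camera_default, edgetpu_vendor_server)`, `hal_client_domain(hal_camera_default, hal_graphics_composer)` directly above a sibling that has one); pick one form for the file.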
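Review bot: hal_contexthub.te ends without a trailing newline (`\ No newline at end of file` after the `chre_socket:sock_file write` rule), unlike the other files in this commit. Add the newline so a later append does not glue onto the last rule and the next diff of this file stays clean.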
@@ -0,0 +1,142 @@
+allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_exynos_bts:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms;
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
+
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+
+allow hal_dumpstate_default citadeld_service:service_manager find;
+allow hal_dumpstate_default citadel_updater:file execute_no_trans;
+binder_call(hal_dumpstate_default, citadeld);
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
+
+allow hal_dumpstate_default proc_touch:dir r_dir_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
+binder_call(hal_dumpstate_default, hal_graphics_composer_default);
+allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_display:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
+allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+
+get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_camera_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+set_prop(hal_dumpstate_default, vendor_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+get_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
+set_prop(hal_dumpstate_default, vendor_logger_prop)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+ allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+ allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
+ allow hal_dumpstate_default debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+ allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+')
+
+dontaudit hal_dumpstate_default mnt_vendor_file:dir search;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+dontaudit hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
new file mode 100644
index 00000000..fa03d984
--- /dev/null
+++ b/whitechapel_pro/hal_fingerprint_default.te
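Review bot: `allow hal_dumpstate_default sysfs_touch:file rw_file_perms;` and `allow hal_dumpstate_default proc_touch:file rw_file_perms;` give a bug-report collector write access to the touch-controller sysfs and proc nodes, while every other sysfs/proc grant in this hunk is read-only and nothing in the file says what is written. If the HAL only writes a dump trigger, the comment should name that node; otherwise `r_file_perms` is the safer default for a domain that exists to read state. The same question applies to `set_prop(hal_dumpstate_default, vendor_modem_prop)` and `set_prop(hal_dumpstate_default, vendor_logger_prop)`, which let dumpstate set rather than read those property groups, and to `vendor_usf_reg_edit:file execute_no_trans`, which runs a register-editing tool inside the dumpstate domain itself instead of through a domain transition. None of the 142 added lines carries a comment, so at least the write and execute grants should say why they are needed.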
@@ -0,0 +1,25 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
diff --git a/whitechapel_pro/hal_graphics_allocator_default.te b/whitechapel_pro/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..9791dae6
--- /dev/null
+++ b/whitechapel_pro/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/hal_graphics_composer_default.te b/whitechapel_pro/hal_graphics_composer_default.te
new file mode 100644
index 00000000..61972c75
--- /dev/null
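Review bot: `allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;` is commented only as access to a calibration block device, and the comment does not say the HAL writes it; if calibration is read-only for the HAL, `r_file_perms` removes the ability of a compromised fingerprint HAL to alter manufacturing data on that partition, and if writes are needed the comment should say when. `allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;` uses the generic netlink class, which covers the families that have no dedicated class; a comment naming the family (and a switch to the family-specific class if one exists) would make the grant reviewable. The first four rules of the file are uncommented while the later ones all are; the same one-line style would help here.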
+++ b/whitechapel_pro/hal_graphics_composer_default.te 
@@ -0,0 +1,54 @@
+# allow HWC to access power hal
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+
+# access sysfs R/W
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+userdebug_or_eng(`
+# allow HWC to access vendor log file
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+ allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
+# For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# boot stauts prop
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
+
+# socket / vnd service
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
diff --git a/whitechapel_pro/hal_health_default.te b/whitechapel_pro/hal_health_default.te
new file mode 100644
index 00000000..e7406a76
--- /dev/null
+++ b/whitechapel_pro/hal_health_default.te
@@ -0,0 +1,14 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file w_file_perms;
+allow hal_health_default sysfs_thermal:dir search;
+allow hal_health_default sysfs_thermal:file w_file_perms;
+allow hal_health_default thermal_link_device:dir search;
diff --git a/whitechapel_pro/hal_health_storage_default.te b/whitechapel_pro/hal_health_storage_default.te
new file mode 100644
index 00000000..2aa0881e
--- /dev/null
+++ b/whitechapel_pro/hal_health_storage_default.te
@@ -0,0 +1,3 @@
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel_pro/hal_nfc_default.te b/whitechapel_pro/hal_nfc_default.te
new file mode 100644
index 00000000..247ca3d7
--- /dev/null
+++ b/whitechapel_pro/hal_nfc_default.te
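Review bot: Inside the `userdebug_or_eng(` block of hal_graphics_composer_default.te the two `#` comments sit at column 0 while the rules they describe are indented, which reads as if the block had already closed; indent them with the rules. `# boot stauts prop` should read `# boot status prop`. `get_prop(hal_graphics_composer_default, boot_status_prop);` carries a trailing semicolon while every other macro invocation in the file does not; drop it for consistency.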
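Review bot: `allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms;` grants write access to every file in the UFS device's sysfs tree (the comment above it names `/sys/devices/platform/14700000.ufs/*`) although the comment only speaks of "access" and a health HAL is normally a reader of that tree; the identical rw grant appears in hal_health_storage_default.te (anchored here) and hal_power_default.te later in this commit. If one node must be written, name it, e.g. `# Writes <node> to <reason>`; otherwise `r_file_perms` matches the stated intent. `sysfs_batteryinfo:file w_file_perms` and `sysfs_thermal:file w_file_perms` in the same file are write-only grants with no comment at all and deserve the same one-line justification.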
@@ -0,0 +1,15 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
+# Access uwb cal for SecureRanging Applet
+allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
+allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
+# allow nfc to read uwb calibration file
+get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/hal_power_default.te b/whitechapel_pro/hal_power_default.te
new file mode 100644
index 00000000..076de46b
--- /dev/null
+++ b/whitechapel_pro/hal_power_default.te
@@ -0,0 +1,9 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default proc_vendor_sched:file r_file_perms;
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
diff --git a/whitechapel_pro/hal_power_stats_default.te b/whitechapel_pro/hal_power_stats_default.te
new file mode 100644
index 00000000..4160fcda
--- /dev/null
+++ b/whitechapel_pro/hal_power_stats_default.te
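Review bot: `set_prop(hal_nfc_default, vendor_modem_prop)` under `# Modem property` lets the NFC HAL set every property in the vendor_modem_prop context, the same context that hal_dumpstate_default.te in this commit also sets; a property context shared by unrelated daemons means a fault in the NFC HAL can change modem behaviour well beyond the keys it needs. If only one or two keys are involved, a dedicated context (e.g. `vendor_nfc_modem_prop`, name constructed) scoped to them is the usual fix. Either way the comment should name the keys being set and why NFC needs them, as the two-word comment does not.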
@@ -0,0 +1,21 @@
+# allowed to access dislay stats sysfs node
+allow hal_power_stats_default sysfs_display:file r_file_perms;
+
+r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
+r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
+r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_edgetpu)
+r_dir_file(hal_power_stats_default, sysfs_iio_devices)
+r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_odpm)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
+r_dir_file(hal_power_stats_default, sysfs_wifi)
+r_dir_file(hal_power_stats_default, powerstats_vendor_data_file)
+
+# Rail selection requires read/write permissions
+allow hal_power_stats_default sysfs_odpm:dir search;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
+
+# getStateResidency AIDL callback for Bluetooth HAL
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
diff --git a/whitechapel_pro/hal_radioext_default.te b/whitechapel_pro/hal_radioext_default.te
new file mode 100644
index 00000000..a5a0f3e8
--- /dev/null
+++ b/whitechapel_pro/hal_radioext_default.te
@@ -0,0 +1,18 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, grilservice_app)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+allow hal_radioext_default sysfs_display:file rw_file_perms;
+
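Review bot: `r_dir_file(hal_power_stats_default, sysfs_odpm)` already grants dir read (which includes search) and file read, so the later `allow hal_power_stats_default sysfs_odpm:dir search;` is redundant and `sysfs_odpm:file rw_file_perms` is a superset of the earlier read. Keeping only the rw rule under `# Rail selection requires read/write permissions` and dropping sysfs_odpm from the r_dir_file list makes it obvious that odpm is the one type written. `# allowed to access dislay stats sysfs node` also has a typo (`display`).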
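Review bot: `allow hal_radioext_default sysfs_display:file rw_file_perms;` is grouped under `# RW MIPI Freq files` together with the radio_vendor_data_file rules, but a display sysfs write is a different resource from the data files and, as written, a reader cannot tell it from a copy-paste leftover. The comment should name the display node written (presumably a MIPI frequency knob, inferred from the heading — confirm), e.g. `# write MIPI frequency node under sysfs_display`. The file also ends with a blank `+` line; most files in this change end at the last rule.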
diff --git a/whitechapel_pro/hal_secure_element_gto.te b/whitechapel_pro/hal_secure_element_gto.te
new file mode 100644
index 00000000..c7724c7c
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto, domain;
+type hal_secure_element_gto_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto)
diff --git a/whitechapel_pro/hal_secure_element_gto_ese2.te b/whitechapel_pro/hal_secure_element_gto_ese2.te
new file mode 100644
index 00000000..678810a4
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto_ese2.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto_ese2, domain;
+type hal_secure_element_gto_ese2_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto_ese2, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto_ese2)
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/whitechapel_pro/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..cecc8fe8
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st33spi.te
@@ -0,0 +1,6 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st33spi)
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/whitechapel_pro/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..a3e74be3
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st54spi.te
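Review bot: hal_secure_element_st33spi.te interleaves declarations and macros (`type ..., domain;` then `hal_server_domain`, then the `_exec` type, then `init_daemon_domain`), whereas the two gto files on this line declare both types first and then apply the macros. Following the gto ordering keeps the secure-element files uniform, and the trailing blank `+` line at the end of the st33spi file can be dropped.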
@@ -0,0 +1,8 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi)
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
new file mode 100644
index 00000000..fe535320
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -0,0 +1,11 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)
+
+# Allow hal_secure_element_uicc to access rild
+binder_call(hal_secure_element_uicc, rild);
+allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
+
+
diff --git a/whitechapel_pro/hal_sensors_default.te b/whitechapel_pro/hal_sensors_default.te
new file mode 100644
index 00000000..b33741e5
--- /dev/null
+++ b/whitechapel_pro/hal_sensors_default.te
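Review bot: `allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;` gives the secure element HAL rw on the NFC controller node with no comment, while the st33spi variant on the previous line only touches its own SPI device. If the ST54 eSE is reached through the NFC controller's device (plausible for a combined NFC/eSE part — confirm), say so: `# ST54 eSE is reached via the NFC controller; nfc_device rw is shared with the NFC HAL`. The trailing blank `+` line at the end of the file is also unneeded.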
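Review bot: `binder_call(hal_secure_element_uicc, rild);` ends a macro invocation with `;`, which the m4 expansion already supplies; the build tolerates the resulting empty statement, but the rest of this change writes macro calls without it. Drop it here and in the same pattern in hal_sensors_default.te, hal_usb_impl.te, hbmsvmanager_app.te, init_radio.te, pixelstats_vendor.te and platform_app.te. The two trailing blank lines at the end of this file can go too.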
@@ -0,0 +1,68 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to CHRE socket to connect to nanoapps.
+allow hal_sensors_default chre:unix_stream_socket connectto;
+allow hal_sensors_default chre_socket:sock_file write;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to raw HID devices for dynamic sensors.
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+
+# Allow SensorSuez to connect AIDL stats.
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow reading of sensor registry persist files and camera persist files.
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default persist_file:file r_file_perms;
+allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms;
+allow hal_sensors_default persist_sensor_reg_file:file r_file_perms;
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir r_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file r_file_perms;
+
+# Allow access to the display info for ALS.
+allow hal_sensors_default sysfs_display:file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;
+
+# Allow access to the files of CDT information.
+allow hal_sensors_default sysfs_chosen:dir search;
+allow hal_sensors_default sysfs_chosen:file r_file_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow sensor HAL to reset AOC.
+allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+
+# Allow sensor HAL to read AoC dumpstate.
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file r_file_perms;
+
+# Allow sensor HAL to access the graphics composer.
+binder_call(hal_sensors_default, hal_graphics_composer_default);
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_write_leds:file rw_file_perms;
diff --git a/whitechapel_pro/hal_thermal_default.te b/whitechapel_pro/hal_thermal_default.te
new file mode 100644
index 00000000..9852a767
--- /dev/null
+++ b/whitechapel_pro/hal_thermal_default.te
@@ -0,0 +1,2 @@
+allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
+allow hal_thermal_default sysfs_odpm:file r_file_perms;
diff --git a/whitechapel_pro/hal_usb_gadget_impl.te b/whitechapel_pro/hal_usb_gadget_impl.te
new file mode 100644
index 00000000..30041467
--- /dev/null
+++ b/whitechapel_pro/hal_usb_gadget_impl.te
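Review bot: The comment `# Allow creation and writing of sensor registry data files.` does not match the two rules under it, which grant only `r_dir_perms`/`r_file_perms` on sensor_reg_data_file; either the comment should read `# Allow reading of sensor registry data files.` or the intended create/write permissions are missing. `# Allow display_info_service access to the backlight driver.` is also used twice, once over the sysfs_leds read rules and again over `sysfs_write_leds:file rw_file_perms`; the second should say it is the write path. Separately, `allow hal_sensors_default persist_file:file r_file_perms;` reads any file still carrying the generic persist_file label, which is broader than the persist_sensor_reg_file/persist_camera_file types the comment names — worth confirming it is really needed. The hunk begins on the previous line.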
@@ -0,0 +1,17 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
+
+# parser the number of dwc3 irq
+allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
+
+# change irq to other cores
+allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
+allow hal_usb_gadget_impl proc_irq:file w_file_perms;
diff --git a/whitechapel_pro/hal_usb_impl.te b/whitechapel_pro/hal_usb_impl.te
new file mode 100644
index 00000000..a5da3ce1
--- /dev/null
+++ b/whitechapel_pro/hal_usb_impl.te
@@ -0,0 +1,26 @@
+type hal_usb_impl, domain;
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+
+# Needed for reporting Usb Overheat suez event through statsd
+allow hal_usb_impl fwk_stats_service:service_manager find;
+binder_call(hal_usb_impl, servicemanager)
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
+
+# For reading the usb-c throttling stats
+allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
diff --git a/whitechapel_pro/hal_uwb_vendor.te b/whitechapel_pro/hal_uwb_vendor.te
new file mode 100644
index 00000000..dc11d6b8
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor.te
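Review bot: `allow hal_usb_gadget_impl proc_irq:file w_file_perms;` under `# change irq to other cores` grants write on every file labelled proc_irq, i.e. the affinity nodes of all IRQs, not only the dwc3 one the previous comment refers to. proc_irq is a single kernel-wide label so there is no narrower type to pick, but the comment should name the exact node written (the dwc3 IRQ's affinity, located via the `proc_interrupts` read above) so the breadth is a documented choice; `w_file_perms` rather than `rw_file_perms` is already the tighter form. `# parser the number of dwc3 irq` also reads as a typo for `# parse the dwc3 irq number`.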
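Review bot: hal_usb_impl is declared `hal_server_domain` for both hal_usb and hal_usb_gadget, exactly as hal_usb_gadget_impl is in the hunk above it, so if both daemons are installed each carries the full permission set of both HAL attributes. If only one of them actually serves the gadget HAL on a given product, the unused `hal_server_domain(..., hal_usb_gadget)` line should be dropped from that file; otherwise a comment stating that the two binaries are alternatives would explain the duplication (inferred from the two files; not visible here).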
@@ -0,0 +1,16 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+# TODO(b/190461440): Find a long term solution for this.
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel_pro/hal_uwb_vendor_default.te b/whitechapel_pro/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..b287433f
--- /dev/null
+++ b/whitechapel_pro/hal_uwb_vendor_default.te
@@ -0,0 +1,14 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/whitechapel_pro/hal_wifi_ext.te b/whitechapel_pro/hal_wifi_ext.te
new file mode 100644
index 00000000..9b52d7aa
--- /dev/null
+++ b/whitechapel_pro/hal_wifi_ext.te
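Review bot: `allow hal_uwb_vendor self:global_capability_class_set { net_admin };` grants CAP_NET_ADMIN to the whole `hal_uwb_vendor` attribute rather than to `hal_uwb_vendor_server`, which the server-side binder rules in this same hunk already use. With the AOSP hal_attribute macros, rules on the bare attribute apply to every domain marked as a server or a client of it, so any future `hal_client_domain(..., hal_uwb_vendor)` would inherit net_admin along with the udp_socket ioctls above it. Since the line is already flagged with TODO(b/190461440), scoping it to the server in the meantime is a cheap narrowing: `allow hal_uwb_vendor_server self:global_capability_class_set { net_admin };`, and the same applies to the udp_socket and netlink_generic_socket rules if only the daemon needs them.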
@@ -0,0 +1,9 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
diff --git a/whitechapel_pro/hal_wlc.te b/whitechapel_pro/hal_wlc.te
new file mode 100644
index 00000000..80eb1674
--- /dev/null
+++ b/whitechapel_pro/hal_wlc.te
@@ -0,0 +1,16 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
+
+allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+binder_call(hal_wlc, platform_app)
+binder_call(hal_wlc, system_app)
diff --git a/whitechapel_pro/hardware_info_app.te b/whitechapel_pro/hardware_info_app.te
new file mode 100644
index 00000000..751bb885
--- /dev/null
+++ b/whitechapel_pro/hardware_info_app.te
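Review bot: `allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;` plus `create_file_perms` on its files lets the HAL place firmware images under /data/vendor/firmware/wifi, and the comment says what is allowed but not which domain consumes those files or how their integrity is checked before the driver loads them. A comment naming the loader and the verification step (if any — not visible here) would document the trust boundary this grant creates. If the HAL only replaces existing files, the dir side could be narrowed below rw_dir_perms, but that depends on the update flow.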
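Review bot: `binder_call(hal_wlc, platform_app)` and `binder_call(hal_wlc, system_app)` are uncommented; platform_app.te in this change carries the reverse `binder_call(platform_app, hal_wlc)`, so a short comment here such as `# callbacks to the wireless-charger UI in platform_app/system_app — TODO confirm` would tie the two sides together and explain why a vendor HAL calls into app domains.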
@@ -0,0 +1,26 @@
+type hardware_info_app, domain;
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
+
+# Audio
+allow hardware_info_app sysfs_pixelstats:file r_file_perms;
+
+# Batteryinfo
+allow hardware_info_app sysfs_batteryinfo:dir search;
+allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
+
+# Display
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file r_file_perms;
+
+# SoC
+allow hardware_info_app sysfs_soc:file r_file_perms;
+allow hardware_info_app sysfs_chip_id:file r_file_perms;
+
+# Batery history
+allow hardware_info_app battery_history_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/hbmsvmanager_app.te b/whitechapel_pro/hbmsvmanager_app.te
new file mode 100644
index 00000000..3ed4f823
--- /dev/null
+++ b/whitechapel_pro/hbmsvmanager_app.te
@@ -0,0 +1,14 @@
+type hbmsvmanager_app, domain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
diff --git a/whitechapel_pro/hwservice.te b/whitechapel_pro/hwservice.te
new file mode 100644
index 00000000..983e5a3f
--- /dev/null
+++ b/whitechapel_pro/hwservice.te
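Review bot: `# Batery history` has a typo (`Battery`); the same comment appears in pixelstats_vendor.te later in this change. Comment-only fix; the read-only grants in this app domain are otherwise clearly grouped.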
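Review bot: `allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;` lets an app domain write every node carrying the proc_vendor_sched label, with no comment saying which scheduler knob it needs; the same uncommented grant appears for platform_app and nfc in this change. A one-line comment naming the node, and why an app rather than a HAL writes it, would make the grant reviewable, e.g. `# hbmsvmanager writes <node> under /proc/vendor_sched — TODO confirm`. The `cameraserver_service` find at the bottom is likewise unexplained.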
@@ -0,0 +1,15 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# WLC
+type hal_wlc_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
+
diff --git a/whitechapel_pro/hwservice_contexts b/whitechapel_pro/hwservice_contexts
new file mode 100644
index 00000000..0035ed49
--- /dev/null
+++ b/whitechapel_pro/hwservice_contexts
@@ -0,0 +1,14 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
+
+# Wireless charger hal
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/whitechapel_pro/hwservicemanager.te b/whitechapel_pro/hwservicemanager.te
new file mode 100644
index 00000000..7b64499b
--- /dev/null
+++ b/whitechapel_pro/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/whitechapel_pro/incident.te b/whitechapel_pro/incident.te
new file mode 100644
index 00000000..672606df
--- /dev/null
+++ b/whitechapel_pro/incident.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow incident logger_app:fd use;
+ allow incident media_rw_data_file:file append;
+')
diff --git a/whitechapel_pro/init-insmod-sh.te b/whitechapel_pro/init-insmod-sh.te
new file mode 100644
index 00000000..ca98618c
--- /dev/null
+++ b/whitechapel_pro/init-insmod-sh.te
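Review bot: `# dmd servcie` has a typo (`service`). The matching entries in hwservice_contexts on this line are labelled `# dmd HAL`, `# rild HAL`, `# GRIL HAL`, so picking one wording for the paired type and context comments would make the two files easier to cross-reference.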
@@ -0,0 +1,17 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+allow init-insmod-sh self:capability sys_nice;
+allow init-insmod-sh kernel:process setsched;
+
+set_prop(init-insmod-sh, vendor_device_prop)
+
+dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
+
+allow init-insmod-sh debugfs_mgm:dir search;
+allow init-insmod-sh vendor_regmap_debugfs:dir search;
diff --git a/whitechapel_pro/init.te b/whitechapel_pro/init.te
new file mode 100644
index 00000000..3175db8c
--- /dev/null
+++ b/whitechapel_pro/init.te
@@ -0,0 +1,21 @@
+allow init modem_img_file:dir mounton;
+allow init mnt_vendor_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+allow init sysfs_scsi_devices_0000:file w_file_perms;
+
+# Workaround for b/193113005 that modem_img unlabeled after disable-verity
+dontaudit init overlayfs_file:file rename;
+dontaudit init overlayfs_file:chr_file unlink;
diff --git a/whitechapel_pro/init_radio.te b/whitechapel_pro/init_radio.te
new file mode 100644
index 00000000..3a29edf3
--- /dev/null
+++ b/whitechapel_pro/init_radio.te
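Review bot: `allow init ram_device:blk_file w_file_perms;` and `allow init sysfs_scsi_devices_0000:file w_file_perms;` have no comment, while the boot_block_device relabel above them carries a full explanation. Writing a raw block device and UFS sysfs nodes from init is worth one line each naming the init.rc action that needs it (zram setup is a plausible reader guess for ram_device — confirm), e.g. `# zram setup from init.rc writes the backing block device — TODO confirm`. The `dontaudit init-insmod-sh proc_cmdline:file r_file_perms;` in the hunk above is also unexplained; a note on which tool triggers the denial would help the next person who sees it in the audit log.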
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel_pro/installd.te b/whitechapel_pro/installd.te
new file mode 100644
index 00000000..44e74c63
--- /dev/null
+++ b/whitechapel_pro/installd.te
@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/whitechapel_pro/kernel.te b/whitechapel_pro/kernel.te
new file mode 100644
index 00000000..c34e7f72
--- /dev/null
+++ b/whitechapel_pro/kernel.te
@@ -0,0 +1,11 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
+
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/whitechapel_pro/keys.conf b/whitechapel_pro/keys.conf
new file mode 100644
index 00000000..80522c4e
--- /dev/null
+++ b/whitechapel_pro/keys.conf
@@ -0,0 +1,11 @@
+[@GOOGLE]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/app.x509.pem
+
+[@MDS]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs201-sepolicy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/whitechapel_pro/logd.te b/whitechapel_pro/logd.te
new file mode 100644
index 00000000..cc55e204
--- /dev/null
+++ b/whitechapel_pro/logd.te
@@ -0,0 +1,2 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
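Review bot: `# memlat needs permision to create/delete perf events when hotplug on/off` in kernel.te has a typo (`permission`). Comment-only fix; the `perfmon` capability and `perf_event cpu` grants beneath it are the narrow form for that purpose.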
diff --git a/whitechapel_pro/logger_app.te b/whitechapel_pro/logger_app.te
new file mode 100644
index 00000000..9809f309
--- /dev/null
+++ b/whitechapel_pro/logger_app.te
@@ -0,0 +1,29 @@
+userdebug_or_eng(`
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+ allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ r_dir_file(logger_app, ramdump_vendor_data_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
+
+ get_prop(logger_app, usb_control_prop)
+ set_prop(logger_app, vendor_logger_prop)
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_gps_prop)
+ set_prop(logger_app, vendor_audio_prop)
+ set_prop(logger_app, vendor_tcpdump_log_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, vendor_ssrdump_prop)
+ set_prop(logger_app, vendor_rild_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
+ set_prop(logger_app, vendor_usb_config_prop)
+ set_prop(logger_app, vendor_wifi_sniffer_prop)
+
+ dontaudit logger_app default_prop:file r_file_perms;
+ dontaudit logger_app proc_vendor_sched:dir search;
+ dontaudit logger_app proc_vendor_sched:file write;
+')
diff --git a/whitechapel_pro/mac_permissions.xml b/whitechapel_pro/mac_permissions.xml
new file mode 100644
index 00000000..821f660c
--- /dev/null
+++ b/whitechapel_pro/mac_permissions.xml
@@ -0,0 +1,36 @@
+ + + + + + + + + + + + + + + + + +
diff --git a/whitechapel_pro/mediacodec_google.te b/whitechapel_pro/mediacodec_google.te
new file mode 100644
index 00000000..21aea333
--- /dev/null
+++ b/whitechapel_pro/mediacodec_google.te
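Review bot: `allow logger_app vendor_slog_file:file {r_file_perms unlink};` writes the permission set without spaces inside the braces, while every other set in this change is written `{ create unlink }` style; suggest `{ r_file_perms unlink }`. Everything here is gated by userdebug_or_eng, so the wide set_prop list (logd_prop, logpersistd_logging_prop, vendor_usb_config_prop) is defensible for a debug tool, but a header comment saying that this is debug-only logging tooling would help a reader who lands on the property list first.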
@@ -0,0 +1,30 @@
+type mediacodec_google, domain;
+type mediacodec_google_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mediacodec_google)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_google)
+
+hal_server_domain(mediacodec_google, hal_codec2)
+
+# mediacodec_google may use an input surface from a different Codec2 service
+hal_client_domain(mediacodec_google, hal_codec2)
+
+hal_client_domain(mediacodec_google, hal_graphics_allocator)
+
+allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediacodec_google video_device:chr_file rw_file_perms;
+
+crash_dump_fallback(mediacodec_google)
+
+# mediacodec_google should never execute any executable without a domain transition
+neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_google domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *;
\ No newline at end of file
diff --git a/whitechapel_pro/mediacodec_samsung.te b/whitechapel_pro/mediacodec_samsung.te
new file mode 100644
index 00000000..2c5d7ede
--- /dev/null
+++ b/whitechapel_pro/mediacodec_samsung.te
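Review bot: The file ends without a trailing newline (`\ No newline at end of file` after the last neverallow), while the sibling mediacodec_samsung.te on the next line ends cleanly; add the newline so the last rule does not churn in every future diff. The neverallow block itself mirrors the samsung variant, which is the right way to keep the two codec domains' isolation guarantees in step.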
@@ -0,0 +1,33 @@
+type mediacodec_samsung, domain;
+type mediacodec_samsung_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(mediacodec_samsung)
+
+hal_server_domain(mediacodec_samsung, h hal_codec2)
+add_service(mediacodec_samsung, eco_service)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec_samsung)
+
+allow mediacodec_samsung video_device:chr_file rw_file_perms;
+allow mediacodec_samsung dmabuf_system_heap_device:chr_file r_file_perms;
+allow mediacodec_samsung gpu_device:chr_file rw_file_perms;
+
+allow mediacodec_samsung sysfs_mfc:file r_file_perms;
+allow mediacodec_samsung sysfs_mfc:dir r_dir_perms;
+
+# can use graphics allocator
+hal_client_domain(mediacodec_samsung, hal_graphics_allocator)
+
+binder_call(mediacodec_samsung, hal_camera_default)
+
+crash_dump_fallback(mediacodec_samsung)
+
+# mediacodec_samsung should never execute any executable without a domain transition
+neverallow mediacodec_samsung { file_type fs_type }:file execute_no_trans;
+
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec_samsung domain:{ udp_socket rawip_socket } *;
+neverallow mediacodec_samsung { domain userdebug_or_eng(`-su') }:tcp_socket *;
diff --git a/whitechapel_pro/modem_diagnostic_app.te b/whitechapel_pro/modem_diagnostic_app.te
new file mode 100644
index 00000000..8c4a0cac
--- /dev/null
+++ b/whitechapel_pro/modem_diagnostic_app.te
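Review bot: `allow mediacodec_samsung gpu_device:chr_file rw_file_perms;`, `add_service(mediacodec_samsung, eco_service)` and `binder_call(mediacodec_samsung, hal_camera_default)` are uncommented, whereas mediacodec_google.te in this change explains each non-obvious grant. Given the hardening comment at the bottom of this very file, a codec process reaching the GPU device and the camera HAL is exactly the surface that deserves a why-comment, e.g. `# GPU access for <use> — TODO confirm` above the gpu_device rule and one line on what eco_service exposes.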
@@ -0,0 +1,37 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+
+ dontaudit modem_diagnostic_app default_prop:file r_file_perms;
+')
diff --git a/whitechapel_pro/modem_logging_control.te b/whitechapel_pro/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
+++ b/whitechapel_pro/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/whitechapel_pro/modem_svc_sit.te b/whitechapel_pro/modem_svc_sit.te
new file mode 100644
index 00000000..d3e79c93
--- /dev/null
+++ b/whitechapel_pro/modem_svc_sit.te
@@ -0,0 +1,26 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
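Review bot: None of the allow rules in modem_logging_control.te are commented, while modem_svc_sit.te on this same line documents each group (`# Grant radio device access`, `# Grant vendor radio and modem file/dir creation permission`). Matching that style — in particular a reason for `allow modem_logging_control vendor_slog_file:dir create_dir_perms;` and for the `hal_vendor_oem_hwservice` find, which together with `binder_call(modem_logging_control, dmd)` suggests it drives dmd's logging (inferred from the names) — would make the daemon's footprint reviewable, and the `radio_device:chr_file rw_file_perms` grant should say which device node it opens, as hal_radioext_default.te does with `# RW /dev/oem_ipc0`.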
diff --git a/whitechapel_pro/nfc.te b/whitechapel_pro/nfc.te
new file mode 100644
index 00000000..80784434
--- /dev/null
+++ b/whitechapel_pro/nfc.te
@@ -0,0 +1,2 @@
+allow nfc proc_vendor_sched:dir r_dir_perms;
+allow nfc proc_vendor_sched:file w_file_perms;
diff --git a/whitechapel_pro/oemrilservice_app.te b/whitechapel_pro/oemrilservice_app.te
new file mode 100644
index 00000000..b055dbea
--- /dev/null
+++ b/whitechapel_pro/oemrilservice_app.te
@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
+set_prop(oemrilservice_app, vendor_rild_prop)
diff --git a/whitechapel_pro/ofl_app.te b/whitechapel_pro/ofl_app.te
new file mode 100644
index 00000000..a9498165
--- /dev/null
+++ b/whitechapel_pro/ofl_app.te
@@ -0,0 +1,20 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/omadm.te b/whitechapel_pro/omadm.te
new file mode 100644
index 00000000..3990dd7b
--- /dev/null
+++ b/whitechapel_pro/omadm.te
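Review bot: `typeattribute st54spi_device mlstrustedobject;` and the matching st33spi line change the MLS attribute of a device type from inside an app's policy file, and that change is global: it relaxes MLS constraints on those device nodes for every domain, not just ofl_app, even though the block is wrapped in userdebug_or_eng. The comment `# Access to directly update firmware on st54spi_device` explains the allow rule but not why the object must be MLS-trusted (presumably because app domains run at per-user MLS levels — confirm). Either state that reason in the comment or move the typeattribute lines next to the type declarations of st54spi_device/st33spi_device so the widened scope is visible where the types are defined.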
@@ -0,0 +1,10 @@
+# OMADM app
+type omadm_app, domain;
+
+app_domain(omadm_app)
+net_domain(omadm_app)
+
+allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
+allow omadm_app radio_vendor_data_file:file create_file_perms;
+allow omadm_app app_api_service:service_manager find;
+allow omadm_app radio_service:service_manager find;
diff --git a/whitechapel_pro/pixelstats_vendor.te b/whitechapel_pro/pixelstats_vendor.te
new file mode 100644
index 00000000..db443835
--- /dev/null
+++ b/whitechapel_pro/pixelstats_vendor.te
@@ -0,0 +1,18 @@
+binder_use(pixelstats_vendor)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+# Wireless charge/OrientationCollector
+get_prop(pixelstats_vendor, hwservicemanager_prop);
+hwbinder_use(pixelstats_vendor);
+allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# storage smart idle maintenance
+get_prop(pixelstats_vendor, smart_idle_maint_enabled_prop);
diff --git a/whitechapel_pro/platform_app.te b/whitechapel_pro/platform_app.te
new file mode 100644
index 00000000..356167ab
--- /dev/null
+++ b/whitechapel_pro/platform_app.te
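Review bot: `allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;` and `sysfs_wlc:file rw_file_perms` give a statistics collector write access to UFS and wireless-charger sysfs nodes, and the scsi line has no comment at all. If the daemon only reads these (likely for most nodes — confirm), `r_file_perms` is the least-privilege form; otherwise name the node it writes in a comment, since hal_health_default.te in this change grants the same rw on that type and a reader cannot tell which daemon owns the write. The `omadm_app` hunk above is similar: an app with net_domain gets `radio_vendor_data_file:dir rw_dir_perms` with no comment on what it stores there.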
@@ -0,0 +1,16 @@
+allow platform_app hal_pixel_display_service:service_manager find;
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+allow platform_app nfc_service:service_manager find;
+allow platform_app proc_vendor_sched:dir r_dir_perms;
+allow platform_app proc_vendor_sched:file w_file_perms;
+
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+get_prop(platform_app, fingerprint_ghbm_prop)
+
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
+
+binder_call(platform_app, hal_wlc)
+
+# allow udfps of systemui access lhbm
+binder_call(platform_app, hal_graphics_composer_default)
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
new file mode 100644
index 00000000..bc898f47
--- /dev/null
+++ b/whitechapel_pro/property.te
@@ -0,0 +1,36 @@
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_cbd_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_carrier_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_battery_profile_prop)
+vendor_internal_prop(vendor_battery_defender_prop)
+vendor_internal_prop(vendor_imssvc_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_ready_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_logger_prop)
+vendor_internal_prop(vendor_display_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
+
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
new file mode 100644
index 00000000..ce737004
--- /dev/null
+++ b/whitechapel_pro/property_contexts
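Review bot: `vendor_internal_prop(vendor_wifi_version)` is the only property type in this file without the `_prop` suffix the other declarations use, which makes it read like a property name rather than a type in the `get_prop(..., vendor_wifi_version)` call sites elsewhere in the change. Since the file is new, renaming now (`vendor_internal_prop(vendor_wifi_version_prop)`, with the two property_contexts lines and the ssr_detector get_prop updated to match) is cheap. The file also ends with a trailing blank line.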
@@ -0,0 +1,105 @@
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+
+# Indicating signal that all modules and devices are ready
+vendor.all.modules.ready u:object_r:vendor_ready_prop:s0
+vendor.all.devices.ready u:object_r:vendor_ready_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
+
+# USB HAL
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for rild
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
+
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# test battery profile
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
+
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# for logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0
+
+# vendor default
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+# for gps
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
+
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+
+#uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+
+# Dynamic sensor
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+
+# for ims service
+persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
diff --git a/whitechapel_pro/radio.te b/whitechapel_pro/radio.te
new file mode 100644
index 00000000..8cb144d9
--- /dev/null
+++ b/whitechapel_pro/radio.te
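Review bot: `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string` combines a trailing-dot prefix with `exact`; with `exact` the entry only matches a property literally named `ro.vendor.uwb.calibration.`, so properties under that prefix presumably do not receive vendor_uwb_calibration_prop and fall through to whatever generic vendor default applies. Either drop `exact string` to keep a prefix match, or list each calibration property by its full name with `exact`. Worth confirming with the property checker output for this build before merging.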
@@ -0,0 +1,2 @@
+allow radio proc_vendor_sched:dir r_dir_perms;
+allow radio proc_vendor_sched:file w_file_perms;
\ No newline at end of file
diff --git a/whitechapel_pro/ramdump_app.te b/whitechapel_pro/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/whitechapel_pro/ramdump_app.te
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
new file mode 100644
index 00000000..bfa3c7dc
--- /dev/null
+++ b/whitechapel_pro/recovery.te
@@ -0,0 +1,4 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery citadel_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel_pro/rfsd.te b/whitechapel_pro/rfsd.te
new file mode 100644
index 00000000..2d1f0928
--- /dev/null
+++ b/whitechapel_pro/rfsd.te
@@ -0,0 +1,39 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio and chown of modem efs files
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
new file mode 100644
index 00000000..d8c8c290
--- /dev/null
+++ b/whitechapel_pro/rild.te
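Review bot: `allow rfsd modem_block_device:blk_file rw_file_perms;` gives the daemon raw write access to the modem partition in addition to the labelled modem_efs_file tree, and the comment above it only restates the permission ("read/write modem block device") without saying why file-level access is not enough. The `chown setuid` capability at the top is explained well; this line deserves the same treatment, e.g. `# raw partition access needed for <operation> that the EFS filesystem does not expose`. If the block device is only ever read, `r_file_perms` narrows it.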
@@ -0,0 +1,37 @@
+set_prop(rild, vendor_rild_prop)
+set_prop(rild, vendor_modem_prop)
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_carrier_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
+binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
diff --git a/whitechapel_pro/rlsservice.te b/whitechapel_pro/rlsservice.te
new file mode 100644
index 00000000..2297900c
--- /dev/null
+++ b/whitechapel_pro/rlsservice.te
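Review bot: The last three `allow rild modem_img_file:...` lines are redundant with `r_dir_file(rild, modem_img_file)` earlier in the file, which already expands to dir r_dir_perms plus file and lnk_file r_file_perms, so they can be removed along with the comment. Separately, `allow rild proc_net:file rw_file_perms;` gives the RIL write access to proc_net with no comment; write access there is normally confined to the platform's network components, so the entry rild writes should be named in a comment or the rule reduced to `r_file_perms` if the write is not needed.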
@@ -0,0 +1,30 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
+add_service(rlsservice, rls_service)
+
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
diff --git a/whitechapel_pro/sced.te b/whitechapel_pro/sced.te
new file mode 100644
index 00000000..2b08973a
--- /dev/null
+++ b/whitechapel_pro/sced.te
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(sced)
+ typeattribute sced vendor_executes_system_violators;
+
+ hwbinder_use(sced)
+ binder_call(sced, dmd)
+ binder_call(sced, vendor_telephony_silentlogging_app)
+
+ get_prop(sced, hwservicemanager_prop)
+ allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+ allow sced self:capability net_raw;
+ allow sced shell_exec:file rx_file_perms;
+ allow sced tcpdump_exec:file rx_file_perms;
+ allow sced vendor_shell_exec:file x_file_perms;
+ allow sced vendor_slog_file:dir create_dir_perms;
+ allow sced vendor_slog_file:file create_file_perms;
+ allow sced hidl_base_hwservice:hwservice_manager add;
+ allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
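Review bot: `allow rlsservice device:dir r_file_perms;` applies the file-class macro to a `dir` object; the directory counterpart is `r_dir_perms`, which also includes `search`, and without it the daemon is presumably relying on base policy to traverse /dev. `allow rlsservice device:dir r_dir_perms;` matches the comment's intent of locating the always-on compute node. The double blank line after `add_service` and the trailing blank line at the end are style nits.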
diff --git a/whitechapel_pro/seapp_contexts b/whitechapel_pro/seapp_contexts
new file mode 100644
index 00000000..f2fd47f9
--- /dev/null
+++ b/whitechapel_pro/seapp_contexts
@@ -0,0 +1,64 @@
+# Samsung S.LSI IMS
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_uartswitch_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_network_test_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# coredump/ramdump
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Domain for omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# Sub System Ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
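Review bot: Several privileged mappings key on package name only: the `com.shannon.*` entries, `com.google.android.grilservice` and `com.google.pixel.digitalkey.timesync` carry `isPrivApp=true` without `seinfo=`, so the domain is assigned to any priv-app with that name rather than to a package signed with a known certificate, whereas the neighbouring `seinfo=mds`, `seinfo=uwb` and `seinfo=EuiccSupportPixel` entries show the intended pattern. If those packages have a dedicated signer in mac_permissions.xml, adding `seinfo=<signer>` ties the domain to it. The `TODO(b/222204912)` on the UWB entry is left unresolved in the new file.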
diff --git a/whitechapel_pro/service.te b/whitechapel_pro/service.te
new file mode 100644
index 00000000..8d5dc1ee
--- /dev/null
+++ b/whitechapel_pro/service.te
@@ -0,0 +1,2 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/whitechapel_pro/service_contexts b/whitechapel_pro/service_contexts
new file mode 100644
index 00000000..5df34411
--- /dev/null
+++ b/whitechapel_pro/service_contexts
@@ -0,0 +1,2 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/whitechapel_pro/shell.te b/whitechapel_pro/shell.te
new file mode 100644
index 00000000..978a5426
--- /dev/null
+++ b/whitechapel_pro/shell.te
@@ -0,0 +1,5 @@
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+ allow shell sysfs_sjtag:dir r_dir_perms;
+ allow shell sysfs_sjtag:file rw_file_perms;
+')
diff --git a/whitechapel_pro/ssr_detector.te b/whitechapel_pro/ssr_detector.te
new file mode 100644
index 00000000..60ec1bb5
--- /dev/null
+++ b/whitechapel_pro/ssr_detector.te
@@ -0,0 +1,23 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+ allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
diff --git a/whitechapel_pro/surfaceflinger.te b/whitechapel_pro/surfaceflinger.te
new file mode 100644
index 00000000..9629299b
--- /dev/null
+++ b/whitechapel_pro/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger vendor_fw_file:dir search;
diff --git a/whitechapel_pro/system_server.te b/whitechapel_pro/system_server.te
new file mode 100644
index 00000000..efc0a103
--- /dev/null
+++ b/whitechapel_pro/system_server.te
@@ -0,0 +1,7 @@
+binder_call(system_server, hal_camera_default);
+
+# Allow system server to send sensor data callbacks to GPS
+binder_call(system_server, gpsd);
+
+# pixelstats_vendor/OrientationCollector
+binder_call(system_server, pixelstats_vendor);
diff --git a/whitechapel_pro/tcpdump_logger.te b/whitechapel_pro/tcpdump_logger.te
new file mode 100644
index 00000000..f017cedf
--- /dev/null
+++ b/whitechapel_pro/tcpdump_logger.te
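Review bot: Inside the `userdebug_or_eng` block, `allow ssr_detector_app cgroup:file write;` and `allow ssr_detector_app proc_vendor_sched:file rw_file_perms;` have no comment explaining what the app writes there, unlike the dump-file rules above them; a system app writing into cgroup and scheduler interfaces deserves a one-line justification, e.g. `# debug only: <feature> pins the collector thread via cgroup/vendor_sched`. Keeping these out of the production build is the right split and should be kept.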
@@ -0,0 +1,20 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
diff --git a/whitechapel_pro/te_macros b/whitechapel_pro/te_macros
new file mode 100644
index 00000000..01ac13c1
--- /dev/null
+++ b/whitechapel_pro/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/whitechapel_pro/tee.te b/whitechapel_pro/tee.te
new file mode 100644
index 00000000..58228b5a
--- /dev/null
+++ b/whitechapel_pro/tee.te
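Review bot: `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` leaves the ioctl number unexplained; 0x8933 is SIOCGIFINDEX, and a comment such as `# SIOCGIFINDEX: map the capture interface name to an index` makes the allowlist reviewable without looking it up. The rest of the domain is already confined to userdebug_or_eng, which is appropriate for a raw packet capture daemon.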
@@ -0,0 +1,17 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };
diff --git a/whitechapel_pro/toolbox.te b/whitechapel_pro/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel_pro/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/whitechapel_pro/trusty_apploader.te b/whitechapel_pro/trusty_apploader.te
new file mode 100644
index 00000000..983e3a03
--- /dev/null
+++ b/whitechapel_pro/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/whitechapel_pro/trusty_metricsd.te b/whitechapel_pro/trusty_metricsd.te
new file mode 100644
index 00000000..63fc85b6
--- /dev/null
+++ b/whitechapel_pro/trusty_metricsd.te
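Review bot: `allow tee sg_device:chr_file rw_file_perms;` grants the TEE proxy read/write on SCSI generic nodes with no comment, although the fstab and unlabeled rules nearby each explain their purpose; SG access reaches the storage device below the filesystem, so a why-comment (e.g. `# storageproxyd: RPMB access via /dev/sg*`, if that is the reason) would document the exposure. The `dontaudit tee unlabeled:dir { search };` comment is a good model for it.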
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/whitechapel_pro/untrusted_app_all.te b/whitechapel_pro/untrusted_app_all.te
new file mode 100644
index 00000000..ec95276c
--- /dev/null
+++ b/whitechapel_pro/untrusted_app_all.te
@@ -0,0 +1 @@
+dontaudit untrusted_app_all proc_vendor_sched:dir search;
diff --git a/whitechapel_pro/update_engine.te b/whitechapel_pro/update_engine.te
new file mode 100644
index 00000000..a403d9e4
--- /dev/null
+++ b/whitechapel_pro/update_engine.te
@@ -0,0 +1,3 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
diff --git a/whitechapel_pro/uwb_vendor_app.te b/whitechapel_pro/uwb_vendor_app.te
new file mode 100644
index 00000000..364bee36
--- /dev/null
+++ b/whitechapel_pro/uwb_vendor_app.te
@@ -0,0 +1,21 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+allow hal_uwb_vendor_default self:global_capability_class_set sys_nice;
+allow hal_uwb_vendor_default kernel:process setsched;
+
+get_prop(uwb_vendor_app, vendor_secure_element_prop)
+binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
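Review bot: The two `allow hal_uwb_vendor_default ...` rules (`self:global_capability_class_set sys_nice` and `kernel:process setsched`) sit inside uwb_vendor_app.te and inside uwb_vendor_app's `not_recovery` block, but they modify a different domain; they belong in the HAL's own .te file with a comment on why the HAL must change the scheduling of kernel threads, since `kernel:process setsched` is unusual for a vendor HAL. The body of the `not_recovery(` block is also unindented, unlike the other macro blocks in this change.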
diff --git a/whitechapel_pro/vcd.te b/whitechapel_pro/vcd.te
new file mode 100644
index 00000000..c5c229ee
--- /dev/null
+++ b/whitechapel_pro/vcd.te
@@ -0,0 +1,13 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+ init_daemon_domain(vcd)
+
+ get_prop(vcd, vendor_rild_prop);
+ get_prop(vcd, vendor_persist_config_default_prop);
+
+ allow vcd serial_device:chr_file rw_file_perms;
+ allow vcd radio_device:chr_file rw_file_perms;
+ allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ allow vcd node:tcp_socket node_bind;
+')
diff --git a/whitechapel_pro/vendor_engineermode_app.te b/whitechapel_pro/vendor_engineermode_app.te
new file mode 100644
index 00000000..d35403a2
--- /dev/null
+++ b/whitechapel_pro/vendor_engineermode_app.te
@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+
diff --git a/whitechapel_pro/vendor_ims_app.te b/whitechapel_pro/vendor_ims_app.te
new file mode 100644
index 00000000..38e63646
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_app.te
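Review bot: `allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };` together with `node:tcp_socket node_bind` opens a listening TCP socket, yet there is no `port:tcp_socket name_bind` rule, so the daemon either binds an ephemeral port or relies on a port type defined elsewhere; a comment stating the address and port vcd listens on would make the exposure explicit. Given the domain also holds rw on serial_device and radio_device, that comment should say whether the listener is loopback-only, even though the block is userdebug-only.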
@@ -0,0 +1,17 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
diff --git a/whitechapel_pro/vendor_ims_remote_app.te b/whitechapel_pro/vendor_ims_remote_app.te
new file mode 100644
index 00000000..f5d3846e
--- /dev/null
+++ b/whitechapel_pro/vendor_ims_remote_app.te
@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
new file mode 100644
index 00000000..2b5e6740
--- /dev/null
+++ b/whitechapel_pro/vendor_init.te
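Review bot: `set_prop(vendor_ims_app, radio_prop)` lets a vendor app domain write properties of the platform-owned `radio_prop` type, while every other set_prop in the file targets a `vendor_*_prop` type; system-side readers treat radio_prop as set by trusted platform components, so the specific property this app needs should be named in a comment, or moved to a vendor property type, and the rule checked against the platform's vendor-property neverallows.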
@@ -0,0 +1,33 @@
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+
+set_prop(vendor_init, vendor_ssrdump_prop)
+set_prop(vendor_init, vendor_carrier_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_ready_prop)
+get_prop(vendor_init, vendor_battery_profile_prop)
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, logpersistd_logging_prop)
+set_prop(vendor_init, vendor_logger_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+allow vendor_init sysfs_st33spi:file w_file_perms;
+
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+
+# Touch
+allow vendor_init proc_touch:file w_file_perms;
+
+allow vendor_init modem_img_file:filesystem { getattr };
+
+# Battery
+set_prop(vendor_init, vendor_battery_defender_prop)
diff --git a/whitechapel_pro/vendor_qualifiednetworks_app.te b/whitechapel_pro/vendor_qualifiednetworks_app.te
new file mode 100644
index 00000000..e48601a8
--- /dev/null
+++ b/whitechapel_pro/vendor_qualifiednetworks_app.te
@@ -0,0 +1,5 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
+allow vendor_qualifiednetworks_app radio_service:service_manager find;
diff --git a/whitechapel_pro/vendor_rcs_app.te b/whitechapel_pro/vendor_rcs_app.te
new file mode 100644
index 00000000..b0a46284
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_app.te
@@ -0,0 +1,8 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)
diff --git a/whitechapel_pro/vendor_rcs_service_app.te b/whitechapel_pro/vendor_rcs_service_app.te
new file mode 100644
index 00000000..a7ae221f
--- /dev/null
+++ b/whitechapel_pro/vendor_rcs_service_app.te
@@ -0,0 +1,5 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
+allow vendor_rcs_service_app radio_service:service_manager find;
diff --git a/whitechapel_pro/vendor_shell.te b/whitechapel_pro/vendor_shell.te
new file mode 100644
index 00000000..ae63f808
--- /dev/null
+++ b/whitechapel_pro/vendor_shell.te
@@ -0,0 +1,3 @@
+userdebug_or_eng(`
+ set_prop(vendor_shell, vendor_battery_profile_prop)
+')
diff --git a/whitechapel_pro/vendor_silentlogging_remote_app.te b/whitechapel_pro/vendor_silentlogging_remote_app.te
new file mode 100644
index 00000000..885fb6a7
--- /dev/null
+++ b/whitechapel_pro/vendor_silentlogging_remote_app.te
@@ -0,0 +1,13 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms;
+allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms;
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
+
+userdebug_or_eng(`
+# Silent Logging Remote
+dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms;
+')
diff --git a/whitechapel_pro/vendor_telephony_debug_app.te b/whitechapel_pro/vendor_telephony_debug_app.te
new file mode 100644
index 00000000..946460cc
--- /dev/null
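Review bot: The two `dontaudit vendor_silentlogging_remote_app system_app_data_file:...` rules in the userdebug block silence denials for an app domain touching system app data, and the only explanation is the label `# Silent Logging Remote`; a suppressed denial never shows up in the audit log, so the comment should state what the app attempts and that the access is deliberately not granted, e.g. `# The app probes system app data dirs it must not get; hide the expected denials on debug builds`. The same uncommented dontaudit pair appears for vendor_telephony_silentlogging_app in the next chunk of this diff, so whichever wording is chosen should be applied to both. The body of this userdebug block is also written at column 0 whereas the vendor_shell hunk just above appears to indent its body; one style should be picked for the new files.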
+++ b/whitechapel_pro/vendor_telephony_debug_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_debug_app, domain;
+app_domain(vendor_telephony_debug_app)
+
+allow vendor_telephony_debug_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_network_test_app.te b/whitechapel_pro/vendor_telephony_network_test_app.te
new file mode 100644
index 00000000..3c34309e
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_network_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_network_test_app, domain;
+app_domain(vendor_telephony_network_test_app)
+
+allow vendor_telephony_network_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_silentlogging_app.te b/whitechapel_pro/vendor_telephony_silentlogging_app.te
new file mode 100644
index 00000000..583f408f
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_silentlogging_app.te
@@ -0,0 +1,21 @@
+type vendor_telephony_silentlogging_app, domain;
+app_domain(vendor_telephony_silentlogging_app)
+
+set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)
+set_prop(vendor_telephony_silentlogging_app, vendor_slog_prop)
+
+allow vendor_telephony_silentlogging_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
+allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_silentlogging_app, dmd)
+binder_call(vendor_telephony_silentlogging_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_silentlogging_app default_prop:file { getattr open read map };
+allow vendor_telephony_silentlogging_app selinuxfs:file { read open };
+')
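Review bot: `set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)` lets an app domain write the same `vendor_modem_prop` context that vendor_init sets earlier in this diff, and nothing says which modem properties the silent-logging app needs to change; if it is only a few, a dedicated context (as the next line already does with `vendor_slog_prop`) would keep modem configuration out of the app's reach. In the userdebug block, `dontaudit ... default_prop:file { getattr open read map }` hides reads of the catch-all property context and `allow vendor_telephony_silentlogging_app selinuxfs:file { read open };` is granted without saying what is read; each deserves a one-line reason, e.g. `# Reads SELinux enforce state for the debug UI` (to be confirmed by the author), so the debug-only exceptions can be audited later.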
diff --git a/whitechapel_pro/vendor_telephony_test_app.te b/whitechapel_pro/vendor_telephony_test_app.te
new file mode 100644
index 00000000..ea182093
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_test_app, domain;
+app_domain(vendor_telephony_test_app)
+
+allow vendor_telephony_test_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_telephony_uartswitch_app.te b/whitechapel_pro/vendor_telephony_uartswitch_app.te
new file mode 100644
index 00000000..c0ad6054
--- /dev/null
+++ b/whitechapel_pro/vendor_telephony_uartswitch_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_uartswitch_app, domain;
+app_domain(vendor_telephony_uartswitch_app)
+
+allow vendor_telephony_uartswitch_app app_api_service:service_manager find;
diff --git a/whitechapel_pro/vendor_uwb_init.te b/whitechapel_pro/vendor_uwb_init.te
new file mode 100644
index 00000000..f317b253
--- /dev/null
+++ b/whitechapel_pro/vendor_uwb_init.te
@@ -0,0 +1,10 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
diff --git a/whitechapel_pro/vndservice.te b/whitechapel_pro/vndservice.te
new file mode 100644
index 00000000..d1483600
--- /dev/null
+++ b/whitechapel_pro/vndservice.te
@@ -0,0 +1,5 @@
+type hal_power_stats_vendor_service, vndservice_manager_type;
+type rls_service, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel_pro/vndservice_contexts b/whitechapel_pro/vndservice_contexts
new file mode 100644
index 00000000..e7fb4338
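Review bot: `allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;` and the matching `vendor_toolbox_exec` rule run the vendor shell and toolbox inside the vendor_uwb_init domain itself — there is no domain transition in the hunk — so whatever script this daemon executes inherits every permission later added to this file; the hunk should name that script, e.g. `# Runs <uwb init script> via vendor sh; no transition, the script runs as vendor_uwb_init`, so future grants to this domain are weighed with that in mind. `uwb_data_vendor` gets `w_dir_perms` and `create_file_perms` but no directory read/listing permission, which may be intended for a write-only setup step or may be an omission; a comment either way would settle it.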
--- /dev/null
+++ b/whitechapel_pro/vndservice_contexts
@@ -0,0 +1,4 @@
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/whitechapel_pro/vold.te b/whitechapel_pro/vold.te
new file mode 100644
index 00000000..1306d7ca
--- /dev/null
+++ b/whitechapel_pro/vold.te
@@ -0,0 +1,7 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd use ;
diff --git a/widevine/file.te b/widevine/file.te
new file mode 100644
index 00000000..a1e4e0ec
--- /dev/null
+++ b/widevine/file.te
@@ -0,0 +1,3 @@
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
diff --git a/widevine/file_contexts b/widevine/file_contexts
new file mode 100644
index 00000000..92aed3c3
--- /dev/null
+++ b/widevine/file_contexts
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
diff --git a/widevine/hal_drm_clearkey.te b/widevine/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/widevine/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/hal_drm_widevine.te b/widevine/hal_drm_widevine.te
new file mode 100644
index 00000000..1ecfa920
--- /dev/null
+++ b/widevine/hal_drm_widevine.te
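Review bot: `hal_power_stats_vendor_service` is declared as a `vndservice_manager_type` in the preceding vndservice.te hunk but has no entry in this vndservice_contexts file, whereas the other four declared types (`rls_service`, `vendor_displaycolor_service`, `vendor_surfaceflinger_vndservice`, `eco_service`) each get a mapping; unless it is labelled in another contexts file outside this diff, the type is unreachable and either an entry or a comment saying where it is used should be added.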
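Review bot: `dontaudit vold dumpstate:fd use ;` has a stray space before the semicolon; write `dontaudit vold dumpstate:fd use;` like the other rules in the file. The `rw_dir_perms` grants on `modem_efs_file` and `modem_userdata_file` and the `rw_file_perms` grant on `sysfs_scsi_devices_0000` are uncommented, and vold writing into modem filesystem directories is unusual enough that a comment naming the operation is warranted, e.g. `# Needed for <operation> on the modem EFS/userdata partitions` with the operation filled in by the author. Note that only `dir` permissions are granted on the two modem types, which is consistent with a mount-style operation rather than file I/O, but that is an inference the comment should confirm.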
@@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/widevine/service_contexts b/widevine/service_contexts
new file mode 100644
index 00000000..6989dde8
--- /dev/null
+++ b/widevine/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
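Review bot: The comments `# L3` and `# L1` name Widevine security levels but not what each rule is for; since the file_contexts hunk earlier in this diff labels `/data/vendor/mediadrm` as `mediadrm_vendor_data_file`, the L3 pair can be documented as `# L3: persistent DRM state under /data/vendor/mediadrm` and the L1 rule as `# L1: read access to the dmabuf system heap device`. `create_file_perms` and `create_dir_perms` are full create/rename/unlink grants, which is reasonable for a data directory the HAL owns, but it is worth a word in the comment so the scope reads as deliberate rather than copied.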