From bff99af2da95d93e8182fb54546a3fec956aa5d2 Mon Sep 17 00:00:00 2001 
From: Robin Peng Date: Tue, 28 Mar 2023 10:20:50 +0000 Subject: [PATCH 1/5] init zumapro from zuma sha 43d5907677d0f Bug: 272725898 Change-Id: If35d9efdda9dd3b8d8b24008f0738a0cbbe5bd9b --- OWNERS | 3 + bug_map | 1 + legacy/private/property_contexts | 5 + legacy/system_ext/private/property_contexts | 2 + legacy/system_ext/public/property.te | 2 + legacy/whitechapel_pro/attributes | 1 + .../certs/EuiccSupportPixel.x509.pem | 29 ++ .../certs/com_qorvo_uwb.x509.pem | 29 ++ legacy/whitechapel_pro/device.te | 9 + legacy/whitechapel_pro/file.te | 36 ++ legacy/whitechapel_pro/file_contexts | 56 ++ legacy/whitechapel_pro/genfs_contexts | 78 +++ legacy/whitechapel_pro/keys.conf | 5 + legacy/whitechapel_pro/mac_permissions.xml | 30 ++ legacy/whitechapel_pro/property.te | 17 + legacy/whitechapel_pro/property_contexts | 25 + legacy/whitechapel_pro/service.te | 1 + legacy/whitechapel_pro/service_contexts | 1 + legacy/whitechapel_pro/te_macros | 14 + legacy/whitechapel_pro/vndservice.te | 1 + legacy/whitechapel_pro/vndservice_contexts | 1 + private/odrefresh.te | 4 + radio/bipchmgr.te | 9 + radio/cat_engine_service_app.te | 8 + radio/cbd.te | 60 +++ radio/cbrs_setup.te | 13 + radio/certs/com_google_mds.x509.pem | 29 ++ radio/device.te | 4 + radio/dmd.te | 32 ++ radio/file.te | 40 ++ radio/file_contexts | 41 ++ radio/fsck.te | 4 + radio/genfs_contexts | 11 + radio/gpsd.te | 7 + radio/grilservice_app.te | 15 + radio/hal_radioext_default.te | 21 + radio/hwservice.te | 9 + radio/hwservice_contexts | 8 + radio/hwservicemanager.te | 1 + radio/init.te | 4 + radio/init_radio.te | 8 + radio/keys.conf | 3 + radio/logger_app.te | 27 + radio/mac_permissions.xml | 27 + radio/modem_diagnostic_app.te | 37 ++ radio/modem_logging_control.te | 17 + radio/modem_ml_svc_sit.te | 22 + radio/modem_svc_sit.te | 35 ++ radio/oemrilservice_app.te | 9 + radio/private/radio.te | 1 + radio/private/service_contexts | 2 + radio/property.te | 16 + radio/property_contexts | 59 +++ radio/radio.te | 6 + 
radio/rfsd.te | 36 ++ radio/rild.te | 40 ++ radio/sced.te | 23 + radio/seapp_contexts | 30 ++ radio/ssr_detector.te | 24 + radio/vcd.te | 13 + radio/vendor_engineermode_app.te | 12 + radio/vendor_ims_app.te | 20 + radio/vendor_init.te | 6 + radio/vendor_qualifiednetworks_app.te | 5 + radio/vendor_rcs_app.te | 9 + radio/vendor_silentlogging_remote_app.te | 13 + radio/vendor_telephony_debug_app.te | 20 + radio/vendor_telephony_silentlogging_app.te | 21 + radio/vendor_telephony_test_app.te | 4 + radio/vold.te | 4 + system_ext/private/platform_app.te | 2 + tracking_denials/README.txt | 2 + tracking_denials/bootanim.te | 2 + tracking_denials/bug_map | 56 ++ tracking_denials/chre.te | 4 + tracking_denials/con_monitor_app.te | 36 ++ tracking_denials/fastbootd.te | 4 + tracking_denials/gmscore_app.te | 10 + tracking_denials/google_camera_app.te | 29 ++ tracking_denials/hal_camera_default.te | 4 + tracking_denials/hal_contexthub_default.te | 7 + tracking_denials/hal_neuralnetworks_armnn.te | 16 + tracking_denials/hal_power_default.te | 3 + tracking_denials/hal_sensors_default.te | 3 + tracking_denials/hal_usb_impl.te | 2 + tracking_denials/hwservicemanager.te | 4 + tracking_denials/incidentd.te | 3 + tracking_denials/installd.te | 6 + tracking_denials/kernel.te | 7 + tracking_denials/logd.te | 7 + tracking_denials/priv_app.te | 21 + .../rebalance_interrupts_vendor.te | 6 + tracking_denials/recovery.te | 4 + tracking_denials/servicemanager.te | 6 + tracking_denials/ssr_detector_app.te | 6 + tracking_denials/system_suspend.te | 2 + tracking_denials/systemui.te | 4 + tracking_denials/systemui_app.te | 2 + tracking_denials/tcpdump_logger.te | 4 + tracking_denials/update_engine.te | 2 + tracking_denials/vendor_init.te | 3 + vendor/audioserver.te | 2 + vendor/bootanim.te | 1 + vendor/cccdk_timesync_app.te | 7 + vendor/certs/app.x509.pem | 27 + vendor/certs/camera_eng.x509.pem | 17 + vendor/certs/camera_fishfood.x509.pem | 15 + vendor/chre.te | 16 + vendor/con_monitor_app.te | 3 + 
vendor/debug_camera_app.te | 23 + vendor/device.te | 18 + vendor/domain.te | 5 + vendor/dump_cma.te | 7 + vendor/dump_gsa.te | 6 + vendor/dump_power.te | 34 ++ vendor/dump_wlan.te | 3 + vendor/dumpstate.te | 12 + vendor/e2fs.te | 8 + vendor/euiccpixel_app.te | 21 + vendor/file.te | 48 ++ vendor/file_contexts | 167 ++++++ vendor/fsck.te | 5 + vendor/genfs_contexts | 484 ++++++++++++++++++ vendor/google_camera_app.te | 8 + vendor/gxp_logging.te | 10 + vendor/hal_bluetooth_btlinux.te | 6 + vendor/hal_bootctl_default.te | 3 + vendor/hal_camera_default.te | 90 ++++ vendor/hal_fingerprint_default.te | 39 ++ vendor/hal_graphics_allocator_default.te | 4 + vendor/hal_graphics_composer_default.te | 43 ++ vendor/hal_health_default.te | 16 + vendor/hal_nfc_default.te | 5 + vendor/hal_power_default.te | 7 + vendor/hal_power_stats_default.te | 18 + vendor/hal_radioext_default.te | 1 + vendor/hal_secure_element_st54spi.te | 7 + vendor/hal_secure_element_uicc.te | 12 + vendor/hal_sensors_default.te | 58 +++ vendor/hal_thermal_default.te | 2 + vendor/hal_usb_gadget_impl.te | 20 + vendor/hal_usb_impl.te | 16 + vendor/hal_uwb_vendor_default.te | 5 + vendor/hal_wifi_ext.te | 9 + vendor/hal_wireless_charger.te | 7 + vendor/hwservice.te | 2 + vendor/hwservice_contexts | 2 + vendor/init.te | 13 + vendor/insmod-sh.te | 2 + vendor/kernel.te | 15 + vendor/keys.conf | 8 + vendor/mac_permissions.xml | 33 ++ vendor/mediacodec_google.te | 35 ++ vendor/ofl_app.te | 17 + vendor/pixeldisplayservice_app.te | 14 + vendor/pixelstats_vendor.te | 23 + vendor/platform_app.te | 3 + vendor/property.te | 12 + vendor/property_contexts | 19 + vendor/ramdump_app.te | 24 + vendor/rlsservice.te | 32 ++ vendor/seapp_contexts | 38 ++ vendor/service.te | 6 + vendor/service_contexts | 5 + vendor/shell.te | 2 + vendor/surfaceflinger.te | 1 + vendor/system_app.te | 3 + vendor/system_server.te | 5 + vendor/systemui_app.te | 24 + vendor/tcpdump_logger.te | 5 + vendor/tee.te | 17 + vendor/toolbox.te | 3 + 
vendor/trusty_apploader.te | 7 + vendor/trusty_metricsd.te | 11 + vendor/twoshay.te | 2 + vendor/ufs_firmware_update.te | 12 + vendor/update_engine.te | 2 + vendor/uwb_vendor_app.te | 4 + vendor/vendor_init.te | 31 ++ vendor/vendor_uwb_init.te | 4 + vendor/vndservice.te | 1 + vendor/vndservice_contexts | 1 + vendor/wifi_sniffer.te | 4 + widevine/file.te | 3 + widevine/file_contexts | 5 + widevine/hal_drm_clearkey.te | 5 + widevine/hal_drm_widevine.te | 12 + widevine/service_contexts | 1 + zumapro-sepolicy.mk | 23 + 189 files changed, 3288 insertions(+) create mode 100644 OWNERS create mode 100644 bug_map create mode 100644 legacy/private/property_contexts create mode 100644 legacy/system_ext/private/property_contexts create mode 100644 legacy/system_ext/public/property.te create mode 100644 legacy/whitechapel_pro/attributes create mode 100644 legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem create mode 100644 legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem create mode 100644 legacy/whitechapel_pro/device.te create mode 100644 legacy/whitechapel_pro/file.te create mode 100644 legacy/whitechapel_pro/file_contexts create mode 100644 legacy/whitechapel_pro/genfs_contexts create mode 100644 legacy/whitechapel_pro/keys.conf create mode 100644 legacy/whitechapel_pro/mac_permissions.xml create mode 100644 legacy/whitechapel_pro/property.te create mode 100644 legacy/whitechapel_pro/property_contexts create mode 100644 legacy/whitechapel_pro/service.te create mode 100644 legacy/whitechapel_pro/service_contexts create mode 100644 legacy/whitechapel_pro/te_macros create mode 100644 legacy/whitechapel_pro/vndservice.te create mode 100644 legacy/whitechapel_pro/vndservice_contexts create mode 100644 private/odrefresh.te create mode 100644 radio/bipchmgr.te create mode 100644 radio/cat_engine_service_app.te create mode 100644 radio/cbd.te create mode 100644 radio/cbrs_setup.te create mode 100644 radio/certs/com_google_mds.x509.pem create mode 100644 radio/device.te 
create mode 100644 radio/dmd.te create mode 100644 radio/file.te create mode 100644 radio/file_contexts create mode 100644 radio/fsck.te create mode 100644 radio/genfs_contexts create mode 100644 radio/gpsd.te create mode 100644 radio/grilservice_app.te create mode 100644 radio/hal_radioext_default.te create mode 100644 radio/hwservice.te create mode 100644 radio/hwservice_contexts create mode 100644 radio/hwservicemanager.te create mode 100644 radio/init.te create mode 100644 radio/init_radio.te create mode 100644 radio/keys.conf create mode 100644 radio/logger_app.te create mode 100644 radio/mac_permissions.xml create mode 100644 radio/modem_diagnostic_app.te create mode 100644 radio/modem_logging_control.te create mode 100644 radio/modem_ml_svc_sit.te create mode 100644 radio/modem_svc_sit.te create mode 100644 radio/oemrilservice_app.te create mode 100644 radio/private/radio.te create mode 100644 radio/private/service_contexts create mode 100644 radio/property.te create mode 100644 radio/property_contexts create mode 100644 radio/radio.te create mode 100644 radio/rfsd.te create mode 100644 radio/rild.te create mode 100644 radio/sced.te create mode 100644 radio/seapp_contexts create mode 100644 radio/ssr_detector.te create mode 100644 radio/vcd.te create mode 100644 radio/vendor_engineermode_app.te create mode 100644 radio/vendor_ims_app.te create mode 100644 radio/vendor_init.te create mode 100644 radio/vendor_qualifiednetworks_app.te create mode 100644 radio/vendor_rcs_app.te create mode 100644 radio/vendor_silentlogging_remote_app.te create mode 100644 radio/vendor_telephony_debug_app.te create mode 100644 radio/vendor_telephony_silentlogging_app.te create mode 100644 radio/vendor_telephony_test_app.te create mode 100644 radio/vold.te create mode 100644 system_ext/private/platform_app.te create mode 100644 tracking_denials/README.txt create mode 100644 tracking_denials/bootanim.te create mode 100644 tracking_denials/bug_map create mode 100644 
tracking_denials/chre.te create mode 100644 tracking_denials/con_monitor_app.te create mode 100644 tracking_denials/fastbootd.te create mode 100644 tracking_denials/gmscore_app.te create mode 100644 tracking_denials/google_camera_app.te create mode 100644 tracking_denials/hal_camera_default.te create mode 100644 tracking_denials/hal_contexthub_default.te create mode 100644 tracking_denials/hal_neuralnetworks_armnn.te create mode 100644 tracking_denials/hal_power_default.te create mode 100644 tracking_denials/hal_sensors_default.te create mode 100644 tracking_denials/hal_usb_impl.te create mode 100644 tracking_denials/hwservicemanager.te create mode 100644 tracking_denials/incidentd.te create mode 100644 tracking_denials/installd.te create mode 100644 tracking_denials/kernel.te create mode 100644 tracking_denials/logd.te create mode 100644 tracking_denials/priv_app.te create mode 100644 tracking_denials/rebalance_interrupts_vendor.te create mode 100644 tracking_denials/recovery.te create mode 100644 tracking_denials/servicemanager.te create mode 100644 tracking_denials/ssr_detector_app.te create mode 100644 tracking_denials/system_suspend.te create mode 100644 tracking_denials/systemui.te create mode 100644 tracking_denials/systemui_app.te create mode 100644 tracking_denials/tcpdump_logger.te create mode 100644 tracking_denials/update_engine.te create mode 100644 tracking_denials/vendor_init.te create mode 100644 vendor/audioserver.te create mode 100644 vendor/bootanim.te create mode 100644 vendor/cccdk_timesync_app.te create mode 100644 vendor/certs/app.x509.pem create mode 100644 vendor/certs/camera_eng.x509.pem create mode 100644 vendor/certs/camera_fishfood.x509.pem create mode 100644 vendor/chre.te create mode 100644 vendor/con_monitor_app.te create mode 100644 vendor/debug_camera_app.te create mode 100644 vendor/device.te create mode 100644 vendor/domain.te create mode 100644 vendor/dump_cma.te create mode 100644 vendor/dump_gsa.te create mode 100644 
vendor/dump_power.te create mode 100644 vendor/dump_wlan.te create mode 100644 vendor/dumpstate.te create mode 100644 vendor/e2fs.te create mode 100644 vendor/euiccpixel_app.te create mode 100644 vendor/file.te create mode 100644 vendor/file_contexts create mode 100644 vendor/fsck.te create mode 100644 vendor/genfs_contexts create mode 100644 vendor/google_camera_app.te create mode 100644 vendor/gxp_logging.te create mode 100644 vendor/hal_bluetooth_btlinux.te create mode 100644 vendor/hal_bootctl_default.te create mode 100644 vendor/hal_camera_default.te create mode 100644 vendor/hal_fingerprint_default.te create mode 100644 vendor/hal_graphics_allocator_default.te create mode 100644 vendor/hal_graphics_composer_default.te create mode 100644 vendor/hal_health_default.te create mode 100644 vendor/hal_nfc_default.te create mode 100644 vendor/hal_power_default.te create mode 100644 vendor/hal_power_stats_default.te create mode 100644 vendor/hal_radioext_default.te create mode 100644 vendor/hal_secure_element_st54spi.te create mode 100644 vendor/hal_secure_element_uicc.te create mode 100644 vendor/hal_sensors_default.te create mode 100644 vendor/hal_thermal_default.te create mode 100644 vendor/hal_usb_gadget_impl.te create mode 100644 vendor/hal_usb_impl.te create mode 100644 vendor/hal_uwb_vendor_default.te create mode 100644 vendor/hal_wifi_ext.te create mode 100644 vendor/hal_wireless_charger.te create mode 100644 vendor/hwservice.te create mode 100644 vendor/hwservice_contexts create mode 100644 vendor/init.te create mode 100644 vendor/insmod-sh.te create mode 100644 vendor/kernel.te create mode 100644 vendor/keys.conf create mode 100644 vendor/mac_permissions.xml create mode 100644 vendor/mediacodec_google.te create mode 100644 vendor/ofl_app.te create mode 100644 vendor/pixeldisplayservice_app.te create mode 100644 vendor/pixelstats_vendor.te create mode 100644 vendor/platform_app.te create mode 100644 vendor/property.te create mode 100644 
vendor/property_contexts create mode 100644 vendor/ramdump_app.te create mode 100644 vendor/rlsservice.te create mode 100644 vendor/seapp_contexts create mode 100644 vendor/service.te create mode 100644 vendor/service_contexts create mode 100644 vendor/shell.te create mode 100644 vendor/surfaceflinger.te create mode 100644 vendor/system_app.te create mode 100644 vendor/system_server.te create mode 100644 vendor/systemui_app.te create mode 100644 vendor/tcpdump_logger.te create mode 100644 vendor/tee.te create mode 100644 vendor/toolbox.te create mode 100644 vendor/trusty_apploader.te create mode 100644 vendor/trusty_metricsd.te create mode 100644 vendor/twoshay.te create mode 100644 vendor/ufs_firmware_update.te create mode 100644 vendor/update_engine.te create mode 100644 vendor/uwb_vendor_app.te create mode 100644 vendor/vendor_init.te create mode 100644 vendor/vendor_uwb_init.te create mode 100644 vendor/vndservice.te create mode 100644 vendor/vndservice_contexts create mode 100644 vendor/wifi_sniffer.te create mode 100644 widevine/file.te create mode 100644 widevine/file_contexts create mode 100644 widevine/hal_drm_clearkey.te create mode 100644 widevine/hal_drm_widevine.te create mode 100644 widevine/service_contexts create mode 100644 zumapro-sepolicy.mk diff --git a/OWNERS b/OWNERS new file mode 100644 index 0000000..791abb4 --- /dev/null +++ b/OWNERS @@ -0,0 +1,3 @@ +include platform/system/sepolicy:/OWNERS + +rurumihong@google.com diff --git a/bug_map b/bug_map new file mode 100644 index 0000000..c15cd11 --- /dev/null +++ b/bug_map @@ -0,0 +1 @@ +vendor_init device_config_configuration_prop property_service b/267843409 diff --git a/legacy/private/property_contexts b/legacy/private/property_contexts new file mode 100644 index 0000000..abcdd41 --- /dev/null +++ b/legacy/private/property_contexts 
@@ -0,0 +1,5 @@
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/legacy/system_ext/private/property_contexts b/legacy/system_ext/private/property_contexts
new file mode 100644
index 0000000..9f462bd
--- /dev/null
+++ b/legacy/system_ext/private/property_contexts
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
diff --git a/legacy/system_ext/public/property.te b/legacy/system_ext/public/property.te
new file mode 100644
index 0000000..8908e48
--- /dev/null
+++ b/legacy/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
diff --git a/legacy/whitechapel_pro/attributes b/legacy/whitechapel_pro/attributes
new file mode 100644
index 0000000..7e6def7
--- /dev/null
+++ b/legacy/whitechapel_pro/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem b/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 0000000..d11ad3d
--- /dev/null
+++ b/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw +b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v +Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC +IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb +WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/ +amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK +aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0 +oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho ++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td +5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK +rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki +uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag +ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV +HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5 +FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9 +Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp +ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL +EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB +GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U +XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0 +IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj +pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon 
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU +0JD1T1qdCm3aUSEmFgEA4rOL/0K3 +-----END CERTIFICATE----- diff --git a/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem b/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem new file mode 100644 index 0000000..0e7c9ed --- /dev/null +++ b/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem 
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv +X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds +ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa +IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW +fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ +KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW +BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s +ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X +QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG +gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj +RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn +iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ +KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t +fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z +0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe +cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0 +6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg +NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY +ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp +BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh 
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz +lHV8gmlwBAuAx9ITcTJr +-----END CERTIFICATE-----
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
new file mode 100644
index 0000000..c45efc2
--- /dev/null
+++ b/legacy/whitechapel_pro/device.te
@@ -0,0 +1,9 @@
+type sda_block_device, dev_type;
+type sg_device, dev_type;
+type vendor_toe_device, dev_type;
+type lwis_device, dev_type;
+type rls_device, dev_type;
+
+# Raw HID device
+type hidraw_device, dev_type;
+
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
new file mode 100644
index 0000000..38d3dc8
--- /dev/null
+++ b/legacy/whitechapel_pro/file.te
@@ -0,0 +1,36 @@
+# Data
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+type tcpdump_vendor_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type uwb_data_vendor, file_type, data_file_type;
+type powerstats_vendor_data_file, file_type, data_file_type;
+type sensor_debug_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute tcpdump_vendor_data_file mlstrustedobject;
+')
+
+# sysfs
+type bootdevice_sysdev, dev_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type sysfs_bcmdhd, sysfs_type, fs_type;
+type sysfs_chargelevel, sysfs_type, fs_type;
+type sysfs_camera, sysfs_type, fs_type;
+
+# debugfs
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+
+# persist
+type persist_ss_file, file_type, vendor_persist_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
+# Vendor tools
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
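Review bot: In legacy/whitechapel_pro/file.te the line `typeattribute tcpdump_vendor_data_file mlstrustedobject;` inside `userdebug_or_eng` has no comment naming the domain that needs to reach the capture files across MLS levels. mlstrustedobject exempts the type from the MLS constraints, so on debug builds the packet captures are reachable from any category that the TE rules allow. I would add a comment above it such as `# userdebug/eng only: <consumer domain> reads captures across MLS levels, b/<bug id>` with the real consumer and bug filled in. Separately, `type bootdevice_sysdev, dev_type;` sits under the `# sysfs` heading although it is declared as a dev_type; a one-line comment saying why would save the next reader a lookup.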
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
new file mode 100644
index 0000000..ea564ed
--- /dev/null
+++ b/legacy/whitechapel_pro/file_contexts
@@ -0,0 +1,56 @@
+# Binaries
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
+
+# Vendor libraries
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
+
+# Graphics
+/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+# Devices
+/dev/ttySAC0 u:object_r:tty_device:s0
+/dev/bigwave u:object_r:video_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/dit2 u:object_r:vendor_toe_device:s0
+/dev/sg1 u:object_r:sg_device:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+
+# Data
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+/dev/battery_history u:object_r:battery_history_device:s0
+/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+
+# Persist
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+
+# Raw HID device
+/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
diff --git a/legacy/whitechapel_pro/genfs_contexts b/legacy/whitechapel_pro/genfs_contexts
new file mode 100644
index 0000000..dccae4e
--- /dev/null
+++ b/legacy/whitechapel_pro/genfs_contexts
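Review bot: In legacy/whitechapel_pro/file_contexts the last entry, `/dev/hidraw[0-9]*`, also matches the bare path `/dev/hidraw` because `*` allows zero digits; `/dev/hidraw[0-9]+ u:object_r:hidraw_device:s0` pins the label to numbered nodes only. In the same hunk `/dev/battery_history` is listed under `# Data` between the /data/vendor entries although it is a device node; moving it under `# Devices` keeps the device labels together for anyone auditing which /dev paths this policy touches.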
@@ -0,0 +1,78 @@
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_soc:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_soc:s0
+
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# GPU
+genfscon sysfs /devices/platform/28000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/28000000.mali/power_policy u:object_r:sysfs_gpu:s0
+
+# Fabric
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# Storage
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+
+# debugfs
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+
+# Haptics
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l26a u:object_r:sysfs_vibrator:s0
+
+# Thermal
+genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.ISP u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.AUR u:object_r:sysfs_thermal:s0
+
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+
+genfscon sysfs /thermal_zone14/mode u:object_r:sysfs_thermal:s0
+
+# Camera
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
+
+# USB-C throttling stats
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Coresight ETM
+genfscon sysfs /devices/platform/2b840000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2b940000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2ba40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bb40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bc40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bd40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2be40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/2bf40000.etm u:object_r:sysfs_devices_cs_etm:s0
+
diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
new file mode 100644
index 0000000..76ea843
--- /dev/null
+++ b/legacy/whitechapel_pro/keys.conf
@@ -0,0 +1,5 @@
+[@UWB]
+ALL : device/google/zumapro-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/zumapro-sepolicy/legacy/whitechapel_pro/certs/EuiccSupportPixel.x509.pem
diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
new file mode 100644
index 0000000..956da95
--- /dev/null
+++ b/legacy/whitechapel_pro/mac_permissions.xml
@@ -0,0 +1,30 @@ + + + + + + + + + + + +
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
new file mode 100644
index 0000000..e3a8d4b
--- /dev/null
+++ b/legacy/whitechapel_pro/property.te
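Review bot: In legacy/whitechapel_pro/genfs_contexts, `genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0` reuses a label whose name refers to the vm dirty-page knobs, so any allow rule written against proc_dirty now also covers swappiness. If the sharing is intended, say so above the line, for example `# swappiness shares proc_dirty so <domain> can tune it, b/<bug id>`; otherwise a dedicated type granted only to the one domain that tunes it is the tighter choice. The entry is also filed under `# Storage`, which makes it easy to miss when reviewing memory tunables.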
@@ -0,0 +1,17 @@
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_battery_profile_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_display_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
+
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
+
+# Mali Integration
+vendor_public_prop(vendor_arm_runtime_option_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
new file mode 100644
index 0000000..6faf239
--- /dev/null
+++ b/legacy/whitechapel_pro/property_contexts
@@ -0,0 +1,25 @@
+# test battery profile
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
+
+# vendor default
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+#uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+
+# Mali GPU driver configuration and debug options
+vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
diff --git a/legacy/whitechapel_pro/service.te b/legacy/whitechapel_pro/service.te
new file mode 100644
index 0000000..21f7c51
--- /dev/null
+++ b/legacy/whitechapel_pro/service.te
@@ -0,0 +1 @@
+type hal_uwb_vendor_service, service_manager_type, hal_service_type;
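Review bot: In legacy/whitechapel_pro/property_contexts the entry `ro.vendor.uwb.calibration.` ends in a dot like the prefix entries around it but is tagged `exact string`, so it would label only a property with that literal name and none of the keys underneath it. If the calibration values are meant to be covered as a family, the line should read `ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 prefix string`; otherwise each key should be listed by its full name. Properties that miss this rule presumably pick up a broader vendor label, which changes who may read or set them, so the intended match type is worth confirming against the names the UWB HAL actually uses.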
diff --git a/legacy/whitechapel_pro/service_contexts b/legacy/whitechapel_pro/service_contexts
new file mode 100644
index 0000000..d4777d1
--- /dev/null
+++ b/legacy/whitechapel_pro/service_contexts
@@ -0,0 +1 @@
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
diff --git a/legacy/whitechapel_pro/te_macros b/legacy/whitechapel_pro/te_macros
new file mode 100644
index 0000000..01ac13c
--- /dev/null
+++ b/legacy/whitechapel_pro/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/legacy/whitechapel_pro/vndservice.te b/legacy/whitechapel_pro/vndservice.te
new file mode 100644
index 0000000..4c4dd7a
--- /dev/null
+++ b/legacy/whitechapel_pro/vndservice.te
@@ -0,0 +1 @@
+type rls_service, vndservice_manager_type;
diff --git a/legacy/whitechapel_pro/vndservice_contexts b/legacy/whitechapel_pro/vndservice_contexts
new file mode 100644
index 0000000..66cab48
--- /dev/null
+++ b/legacy/whitechapel_pro/vndservice_contexts
@@ -0,0 +1 @@
+rlsservice u:object_r:rls_service:s0
diff --git a/private/odrefresh.te b/private/odrefresh.te
new file mode 100644
index 0000000..83b1e63
--- /dev/null
+++ b/private/odrefresh.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ permissive odrefresh;
+ dontaudit odrefresh property_type:file *;
+')
diff --git a/radio/bipchmgr.te b/radio/bipchmgr.te
new file mode 100644
index 0000000..9298e32
--- /dev/null
+++ b/radio/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
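Review bot: private/odrefresh.te makes `odrefresh` permissive and adds `dontaudit odrefresh property_type:file *;` with no comment or bug reference, so nothing records why the domain is unconfined or when that is meant to end. Both rules sit inside `userdebug_or_eng`, which keeps them off user builds, but the blanket dontaudit also hides the very property denials needed to write a proper rule later. I would add a comment such as `# TODO(b/<bug-id>): remove permissive and dontaudit once odrefresh property access is sorted out` above the block, and narrow the dontaudit to the property types actually seen in the denials.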
diff --git a/radio/cat_engine_service_app.te b/radio/cat_engine_service_app.te
new file mode 100644
index 0000000..eacf962
--- /dev/null
+++ b/radio/cat_engine_service_app.te
@@ -0,0 +1,8 @@
+type cat_engine_service_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cat_engine_service_app)
+ get_prop(cat_engine_service_app, vendor_rild_prop)
+ allow cat_engine_service_app app_api_service:service_manager find;
+ allow cat_engine_service_app system_app_data_file:dir r_dir_perms;
+')
diff --git a/radio/cbd.te b/radio/cbd.te
new file mode 100644
index 0000000..6827772
--- /dev/null
+++ b/radio/cbd.te
@@ -0,0 +1,60 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
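Review bot: `allow cbd kmsg_device:chr_file rw_file_perms;` in radio/cbd.te grants read as well as write on the kernel log device in every build, while `allow cbd kernel:system syslog_read;` further down is limited to `userdebug_or_eng`. If cbd only writes its own messages to kmsg on user builds, the unconditional rule could be `allow cbd kmsg_device:chr_file w_file_perms;`, with the read half moved into the debug block next to `syslog_read`. The two `execute_no_trans` rules for `vendor_shell_exec` and `vendor_toolbox_exec` also deserve a comment naming what cbd runs, because whatever it executes stays in the cbd domain with its modem block-device, persist and radio-device access.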
diff --git a/radio/cbrs_setup.te b/radio/cbrs_setup.te
new file mode 100644
index 0000000..1abbcff
--- /dev/null
+++ b/radio/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/radio/certs/com_google_mds.x509.pem b/radio/certs/com_google_mds.x509.pem
new file mode 100644
index 0000000..640c6fb
--- /dev/null
+++ b/radio/certs/com_google_mds.x509.pem
@@ -0,0 +1,29 @@ +-----BEGIN CERTIFICATE----- +MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw +EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds +ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG +A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl +IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv +6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh +WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW +LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP +URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6 +TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I +IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5 +GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO +C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q +OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ +KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz +K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT +EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa +DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx +7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57 +vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo +xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH +64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni 
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/radio/device.te b/radio/device.te
new file mode 100644
index 0000000..f3df48a
--- /dev/null
+++ b/radio/device.te
@@ -0,0 +1,4 @@
+type modem_block_device, dev_type;
+type vendor_gnss_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type efs_block_device, dev_type;
diff --git a/radio/dmd.te b/radio/dmd.te
new file mode 100644
index 0000000..76177b5
--- /dev/null
+++ b/radio/dmd.te
@@ -0,0 +1,32 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_silentlogging_app)
diff --git a/radio/file.te b/radio/file.te
new file mode 100644
index 0000000..d8d253a
--- /dev/null
+++ b/radio/file.te
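Review bot: radio/dmd.te grants `allow dmd node:tcp_socket node_bind;` and `allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };` outside any `userdebug_or_eng` block, so the modem diagnostic daemon may open a listening TCP socket on user builds as well, next to `serial_device` access that the comment ties to an external logging tool. Whether dmd is started on user builds is not visible from this hunk, but if the listener exists only for debug tooling, these two rules and the serial rule belong inside `userdebug_or_eng`; if it is needed in production, the comment should name the peer that connects and why. `bind` is already contained in `create_socket_perms_no_ioctl` in the AOSP global macros, so repeating it in the set is redundant.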
@@ -0,0 +1,40 @@
+# Data
+type rild_vendor_data_file, file_type, data_file_type;
+type vendor_gps_file, file_type, data_file_type;
+type modem_stat_data_file, file_type, data_file_type;
+type vendor_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+ typeattribute vendor_slog_file mlstrustedobject;
+')
+
+# persist
+type persist_modem_file, file_type, vendor_persist_type;
+
+# Modem
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# vendor extra images
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+type modem_config_file, file_type, vendor_file_type;
+
+# sysfs
+type sysfs_chosen, sysfs_type, fs_type;
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
diff --git a/radio/file_contexts b/radio/file_contexts
new file mode 100644
index 0000000..82a519b
--- /dev/null
+++ b/radio/file_contexts
@@ -0,0 +1,41 @@
+# Binaries
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/modem_ml_svc_sit u:object_r:modem_ml_svc_sit_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+
+# Config files
+/vendor/etc/modem_ml_models\.conf u:object_r:modem_config_file:s0
+
+# Data
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# vendor extra images
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+
+# Devices
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/oem_test u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
diff --git a/radio/fsck.te b/radio/fsck.te
new file mode 100644
index 0000000..1095107
--- /dev/null
+++ b/radio/fsck.te
@@ -0,0 +1,4 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+
diff --git a/radio/genfs_contexts b/radio/genfs_contexts
new file mode 100644
index 0000000..347e461
--- /dev/null
+++ b/radio/genfs_contexts
@@ -0,0 +1,11 @@
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
+# GPS
+genfscon sysfs /devices/platform/111e0000.spi/spi_master/spi21/spi21.0/nstandby u:object_r:sysfs_gps:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
diff --git a/radio/gpsd.te b/radio/gpsd.te
new file mode 100644
index 0000000..79bf4ca
--- /dev/null
+++ b/radio/gpsd.te
@@ -0,0 +1,7 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te
new file mode 100644
index 0000000..7809537
--- /dev/null
+++ b/radio/grilservice_app.te
@@ -0,0 +1,15 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_service:service_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
+binder_call(grilservice_app, rild)
diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te
new file mode 100644
index 0000000..bbdd2a0
--- /dev/null
+++ b/radio/hal_radioext_default.te
@@ -0,0 +1,21 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, servicemanager)
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
diff --git a/radio/hwservice.te b/radio/hwservice.te
new file mode 100644
index 0000000..19320cb
--- /dev/null
+++ b/radio/hwservice.te
@@ -0,0 +1,9 @@
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
diff --git a/radio/hwservice_contexts b/radio/hwservice_contexts
new file mode 100644
index 0000000..6453a56
--- /dev/null
+++ b/radio/hwservice_contexts
@@ -0,0 +1,8 @@
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
diff --git a/radio/hwservicemanager.te b/radio/hwservicemanager.te
new file mode 100644
index 0000000..7b64499
--- /dev/null
+++ b/radio/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/radio/init.te b/radio/init.te
new file mode 100644
index 0000000..eb9e465
--- /dev/null
+++ b/radio/init.te
@@ -0,0 +1,4 @@
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init modem_img_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
diff --git a/radio/init_radio.te b/radio/init_radio.te
new file mode 100644
index 0000000..3a29edf
--- /dev/null
+++ b/radio/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/radio/keys.conf b/radio/keys.conf
new file mode 100644
index 0000000..4784c60
--- /dev/null
+++ b/radio/keys.conf
@@ -0,0 +1,3 @@
+[@MDS]
+ALL : device/google/zuma-sepolicy/radio/certs/com_google_mds.x509.pem
+
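Review bot: radio/keys.conf points `[@MDS]` at `device/google/zuma-sepolicy/radio/certs/com_google_mds.x509.pem`, while legacy/whitechapel_pro/keys.conf in the same patch uses `device/google/zumapro-sepolicy/...` and this patch adds its own copy of the certificate under radio/certs/. Assuming this tree is checked out at device/google/zumapro-sepolicy, as the legacy entries suggest, the MDS signer mapping is keyed to a file in a different repository: the copy added here goes unused, and the seinfo assignment silently follows whatever certificate the zuma tree carries. Unless that coupling is intended, the line should be `ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem`.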
diff --git a/radio/logger_app.te b/radio/logger_app.te new file mode 100644 index 0000000..098955d --- /dev/null +++ b/radio/logger_app.te @@ -0,0 +1,27 @@ +userdebug_or_eng(` + allow logger_app vendor_gps_file:file create_file_perms; + allow logger_app vendor_gps_file:dir create_dir_perms; + allow logger_app vendor_slog_file:file {r_file_perms unlink}; + allow logger_app radio_vendor_data_file:file create_file_perms; + allow logger_app radio_vendor_data_file:dir create_dir_perms; + allow logger_app sysfs_sscoredump_level:file r_file_perms; + + r_dir_file(logger_app, sscoredump_vendor_data_coredump_file) + r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file) + + set_prop(logger_app, vendor_audio_prop) + set_prop(logger_app, vendor_gps_prop) + set_prop(logger_app, vendor_logger_prop) + set_prop(logger_app, vendor_modem_prop) + set_prop(logger_app, vendor_ramdump_prop) + set_prop(logger_app, vendor_rild_prop) + set_prop(logger_app, vendor_ssrdump_prop) + set_prop(logger_app, vendor_tcpdump_log_prop) + set_prop(logger_app, vendor_usb_config_prop) + set_prop(logger_app, vendor_wifi_sniffer_prop) + set_prop(logger_app, logpersistd_logging_prop) + set_prop(logger_app, logd_prop) + + # b/269383459 framework UI rendering properties + dontaudit logger_app default_prop:file { read }; +') diff --git a/radio/mac_permissions.xml b/radio/mac_permissions.xml new file mode 100644 index 0000000..4b997c2 --- /dev/null +++ b/radio/mac_permissions.xml @@ -0,0 +1,27 @@ + + + + + + + + + diff --git a/radio/modem_diagnostic_app.te b/radio/modem_diagnostic_app.te new file mode 100644 index 0000000..8c4a0ca --- /dev/null +++ b/radio/modem_diagnostic_app.te 
@@ -0,0 +1,37 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+
+ dontaudit modem_diagnostic_app default_prop:file r_file_perms;
+')
diff --git a/radio/modem_logging_control.te b/radio/modem_logging_control.te
new file mode 100644
index 0000000..7392297
--- /dev/null
+++ b/radio/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te
new file mode 100644
index 0000000..e742dbf
--- /dev/null
+++ b/radio/modem_ml_svc_sit.te
@@ -0,0 +1,22 @@
+type modem_ml_svc_sit, domain;
+type modem_ml_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_ml_svc_sit)
+
+binder_use(modem_ml_svc_sit)
+
+# Grant radio device access
+allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+
+# Grant modem ml models config files access
+allow modem_ml_svc_sit modem_config_file:file r_file_perms;
+
+# RIL property
+get_prop(modem_ml_svc_sit, vendor_rild_prop)
+
+# Access to NNAPI service
+hal_client_domain(modem_ml_svc_sit, hal_neuralnetworks)
+allow modem_ml_svc_sit edgetpu_nnapi_service:service_manager find;
diff --git a/radio/modem_svc_sit.te b/radio/modem_svc_sit.te
new file mode 100644
index 0000000..3b8b55e
--- /dev/null
+++ b/radio/modem_svc_sit.te
@@ -0,0 +1,35 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit vendor_fw_file:dir search;
+allow modem_svc_sit vendor_fw_file:file r_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# Modem property
+set_prop(modem_svc_sit, vendor_modem_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
diff --git a/radio/oemrilservice_app.te b/radio/oemrilservice_app.te
new file mode 100644
index 0000000..b055dbe
--- /dev/null
+++ b/radio/oemrilservice_app.te
@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+
+binder_call(oemrilservice_app, rild)
+set_prop(oemrilservice_app, vendor_rild_prop)
diff --git a/radio/private/radio.te b/radio/private/radio.te
new file mode 100644
index 0000000..a569b9c
--- /dev/null
+++ b/radio/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/radio/private/service_contexts b/radio/private/service_contexts
new file mode 100644
index 0000000..84ef341
--- /dev/null
+++ b/radio/private/service_contexts
@@ -0,0 +1,2 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
+
diff --git a/radio/property.te b/radio/property.te
new file mode 100644
index 0000000..b2027e5
--- /dev/null
+++ b/radio/property.te
@@ -0,0 +1,16 @@
+vendor_internal_prop(vendor_carrier_prop)
+vendor_internal_prop(vendor_cbd_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_wifi_version)
+vendor_internal_prop(vendor_imssvc_prop)
+vendor_internal_prop(vendor_gps_prop)
+vendor_internal_prop(vendor_logger_prop)
+vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Telephony debug app
+vendor_internal_prop(vendor_telephony_app_prop)
diff --git a/radio/property_contexts b/radio/property_contexts
new file mode 100644
index 0000000..602b411
--- /dev/null
+++ b/radio/property_contexts
@@ -0,0 +1,59 @@
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for ims service
+persist.vendor.ims. u:object_r:vendor_imssvc_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+
+# for logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0
+
+# Modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem_reset u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
+# for rild
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+ro.vendor.config.build_carrier u:object_r:vendor_carrier_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
+# for vendor telephony debug app
+vendor.config.debug. u:object_r:vendor_telephony_app_prop:s0
+
+# for gps
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0
diff --git a/radio/radio.te b/radio/radio.te
new file mode 100644
index 0000000..5d13273
--- /dev/null
+++ b/radio/radio.te
@@ -0,0 +1,6 @@
+allow radio radio_vendor_data_file:dir rw_dir_perms;
+allow radio radio_vendor_data_file:file create_file_perms;
+allow radio vendor_ims_app:udp_socket { getattr read write setopt shutdown };
+allow radio aoc_device:chr_file rw_file_perms;
+allow radio hal_audio_ext_hwservice:hwservice_manager find;
+binder_call(radio, hal_audio_default)
diff --git a/radio/rfsd.te b/radio/rfsd.te
new file mode 100644
index 0000000..898e7fc
--- /dev/null
+++ b/radio/rfsd.te
@@ -0,0 +1,36 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
diff --git a/radio/rild.te b/radio/rild.te
new file mode 100644
index 0000000..a82e135
--- /dev/null
+++ b/radio/rild.te
@@ -0,0 +1,40 @@
+set_prop(rild, vendor_rild_prop)
+set_prop(rild, vendor_modem_prop)
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_carrier_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
+binder_call(rild, grilservice_app)
+binder_call(rild, vendor_engineermode_app)
+binder_call(rild, vendor_telephony_debug_app)
+binder_call(rild, logger_app)
+
+crash_dump_fallback(rild)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
diff --git a/radio/sced.te b/radio/sced.te
new file mode 100644
index 0000000..2b08973
--- /dev/null
+++ b/radio/sced.te
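Review bot: The closing block of radio/rild.te (`allow rild modem_img_file:dir r_dir_perms;` and the matching `file` and `lnk_file` rules) repeats what `r_dir_file(rild, modem_img_file)` grants earlier in the same file, assuming the stock macro definition. The duplication does not change the compiled policy, but it makes later tightening error-prone, because removing one copy leaves the access in place through the other. I would delete the three trailing `allow` lines and move their comment up, so that `# Allow rild to access files on modem img.` sits directly above the `r_dir_file` call.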
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(sced)
+ typeattribute sced vendor_executes_system_violators;
+
+ hwbinder_use(sced)
+ binder_call(sced, dmd)
+ binder_call(sced, vendor_telephony_silentlogging_app)
+
+ get_prop(sced, hwservicemanager_prop)
+ allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+ allow sced self:capability net_raw;
+ allow sced shell_exec:file rx_file_perms;
+ allow sced tcpdump_exec:file rx_file_perms;
+ allow sced vendor_shell_exec:file x_file_perms;
+ allow sced vendor_slog_file:dir create_dir_perms;
+ allow sced vendor_slog_file:file create_file_perms;
+ allow sced hidl_base_hwservice:hwservice_manager add;
+ allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
diff --git a/radio/seapp_contexts b/radio/seapp_contexts
new file mode 100644
index 0000000..9e74853
--- /dev/null
+++ b/radio/seapp_contexts
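Review bot: radio/sced.te has no comment explaining `typeattribute sced vendor_executes_system_violators;` or the `shell_exec` and `tcpdump_exec` grants, which together let a vendor daemon holding `net_raw` and a packet socket run system binaries. Keeping the whole rule set inside `userdebug_or_eng` is the right scope, but an exemption from a neverallow should be justified where it is taken. A comment above the `typeattribute` line such as `# sced runs the system tcpdump for on-device packet capture; debug builds only` would do, with the wording confirmed by the owner since the hunk does not state the purpose. The two `hwservice_manager` `add` rules could also be written with `add_hwservice(...)`, as rild.te does, if sced is the only intended registrant of `hal_vendor_oem_hwservice`.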
@@ -0,0 +1,30 @@
+# Sub System Ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# exynos apps
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+
+# slsi logging apps
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_silentlogging_remote_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_debug_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_test_app levelFrom=all
+
+# Samsung S.LSI engineer mode
+user=_app seinfo=platform name=com.samsung.slsi.engineermode domain=vendor_engineermode_app levelFrom=all
+
+# Domain for CatEngineService
+user=system seinfo=platform name=com.google.android.CatEngine domain=cat_engine_service_app type=system_app_data_file levelFrom=all
+
diff --git a/radio/ssr_detector.te b/radio/ssr_detector.te
new file mode 100644
index 0000000..2caf6d7
--- /dev/null
+++ b/radio/ssr_detector.te
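Review bot: Five entries in radio/seapp_contexts select their domain on `isPrivApp=true` and the package name alone, with no `seinfo=`: `com.google.android.grilservice`, `com.samsung.slsi.telephony.oemril`, `com.shannon.qualifiednetworksservice`, `com.shannon.rcsservice` and `com.shannon.imsservice`. Every other entry in the file pins a signer (`seinfo=platform` or `seinfo=mds`), and some of these domains receive `binder_call(..., rild)` and `set_prop(..., vendor_rild_prop)` elsewhere in this commit, so the domain assignment deserves the same binding to a signing certificate. If a suitable signer tag exists in mac_permissions.xml (not visible in this hunk), add it, for example `user=_app isPrivApp=true seinfo=<signer-tag> name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all`. Otherwise a comment above the "exynos apps" group should say why the signer is left open.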
@@ -0,0 +1,24 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ get_prop(ssr_detector_app, vendor_aoc_prop)
+ allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+ allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
diff --git a/radio/vcd.te b/radio/vcd.te
new file mode 100644
index 0000000..c5c229e
--- /dev/null
+++ b/radio/vcd.te
@@ -0,0 +1,13 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+userdebug_or_eng(`
+ init_daemon_domain(vcd)
+
+ get_prop(vcd, vendor_rild_prop);
+ get_prop(vcd, vendor_persist_config_default_prop);
+
+ allow vcd serial_device:chr_file rw_file_perms;
+ allow vcd radio_device:chr_file rw_file_perms;
+ allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+ allow vcd node:tcp_socket node_bind;
+')
diff --git a/radio/vendor_engineermode_app.te b/radio/vendor_engineermode_app.te
new file mode 100644
index 0000000..d35403a
--- /dev/null
+++ b/radio/vendor_engineermode_app.te
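Review bot: radio/vcd.te gives the domain a listening TCP socket (`listen accept` plus `node:tcp_socket node_bind`) alongside `rw_file_perms` on `serial_device` and `radio_device`, and the file carries no comment saying what the daemon is or what is expected to connect to it. All rules are inside `userdebug_or_eng`, so user builds are unaffected, but a header comment is needed to review the exposure, for example `# vcd: debug-only bridge between a local TCP port and the modem serial/radio devices` (purpose inferred from the rules, to be confirmed by the owner). As a style point, the two `get_prop(...)` calls end in `;` whereas the macro calls in rfsd.te and rild.te do not; dropping the semicolons keeps the files consistent.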
@@ -0,0 +1,12 @@
+type vendor_engineermode_app, domain;
+app_domain(vendor_engineermode_app)
+
+binder_call(vendor_engineermode_app, rild)
+
+allow vendor_engineermode_app app_api_service:service_manager find;
+allow vendor_engineermode_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ dontaudit vendor_engineermode_app default_prop:file r_file_perms;
+')
+
diff --git a/radio/vendor_ims_app.te b/radio/vendor_ims_app.te
new file mode 100644
index 0000000..ed65eae
--- /dev/null
+++ b/radio/vendor_ims_app.te
@@ -0,0 +1,20 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
+get_prop(vendor_ims_app, vendor_imssvc_prop)
diff --git a/radio/vendor_init.te b/radio/vendor_init.te
new file mode 100644
index 0000000..ed6f530
--- /dev/null
+++ b/radio/vendor_init.te
@@ -0,0 +1,6 @@
+set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_carrier_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_logger_prop)
+set_prop(vendor_init, vendor_slog_prop)
diff --git a/radio/vendor_qualifiednetworks_app.te b/radio/vendor_qualifiednetworks_app.te
new file mode 100644
index 0000000..e48601a
--- /dev/null
+++ b/radio/vendor_qualifiednetworks_app.te
@@ -0,0 +1,5 @@
+type vendor_qualifiednetworks_app, domain;
+app_domain(vendor_qualifiednetworks_app)
+
+allow vendor_qualifiednetworks_app app_api_service:service_manager find;
+allow vendor_qualifiednetworks_app radio_service:service_manager find;
diff --git a/radio/vendor_rcs_app.te b/radio/vendor_rcs_app.te
new file mode 100644
index 0000000..37cadef
--- /dev/null
+++ b/radio/vendor_rcs_app.te
@@ -0,0 +1,9 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+net_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)
diff --git a/radio/vendor_silentlogging_remote_app.te b/radio/vendor_silentlogging_remote_app.te
new file mode 100644
index 0000000..885fb6a
--- /dev/null
+++ b/radio/vendor_silentlogging_remote_app.te
@@ -0,0 +1,13 @@
+type vendor_silentlogging_remote_app, domain;
+app_domain(vendor_silentlogging_remote_app)
+
+allow vendor_silentlogging_remote_app vendor_slog_file:dir create_dir_perms;
+allow vendor_silentlogging_remote_app vendor_slog_file:file create_file_perms;
+
+allow vendor_silentlogging_remote_app app_api_service:service_manager find;
+
+userdebug_or_eng(`
+# Silent Logging Remote
+dontaudit vendor_silentlogging_remote_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_silentlogging_remote_app system_app_data_file:file create_file_perms;
+')
diff --git a/radio/vendor_telephony_debug_app.te b/radio/vendor_telephony_debug_app.te
new file mode 100644
index 0000000..539fffc
--- /dev/null
+++ b/radio/vendor_telephony_debug_app.te
@@ -0,0 +1,20 @@
+type vendor_telephony_debug_app, domain;
+app_domain(vendor_telephony_debug_app)
+
+allow vendor_telephony_debug_app app_api_service:service_manager find;
+allow vendor_telephony_debug_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_telephony_debug_app, rild)
+
+# RIL property
+set_prop(vendor_telephony_debug_app, vendor_rild_prop)
+
+# Debug property
+set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop)
+
+userdebug_or_eng(`
+# System Debug Mode
+dontaudit vendor_telephony_debug_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_debug_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_debug_app default_prop:file r_file_perms;
+')
diff --git a/radio/vendor_telephony_silentlogging_app.te b/radio/vendor_telephony_silentlogging_app.te
new file mode 100644
index 0000000..583f408
--- /dev/null
+++ b/radio/vendor_telephony_silentlogging_app.te
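Review bot: In radio/vendor_telephony_debug_app.te the grants `binder_call(vendor_telephony_debug_app, rild)`, `set_prop(vendor_telephony_debug_app, vendor_rild_prop)` and `set_prop(vendor_telephony_debug_app, vendor_telephony_app_prop)` sit outside `userdebug_or_eng`, so they apply on user builds; only the `dontaudit` lines are build-gated. sced.te and vcd.te in this commit gate their whole rule set, and a domain named as a debug app that can write RIL properties looks like it should follow the same pattern, unless the package is meant to ship on user builds (not determinable from this hunk). If it is debug-only, move the `binder_call`, both `set_prop` lines and the `hal_exynos_rild_hwservice` `find` rule inside the existing `userdebug_or_eng` block. If it does ship, a comment should say so: `# Ships on user builds: needed for <reason>`.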
@@ -0,0 +1,21 @@
+type vendor_telephony_silentlogging_app, domain;
+app_domain(vendor_telephony_silentlogging_app)
+
+set_prop(vendor_telephony_silentlogging_app, vendor_modem_prop)
+set_prop(vendor_telephony_silentlogging_app, vendor_slog_prop)
+
+allow vendor_telephony_silentlogging_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_silentlogging_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_silentlogging_app app_api_service:service_manager find;
+allow vendor_telephony_silentlogging_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_silentlogging_app, dmd)
+binder_call(vendor_telephony_silentlogging_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_silentlogging_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_silentlogging_app default_prop:file { getattr open read map };
+allow vendor_telephony_silentlogging_app selinuxfs:file { read open };
+')
diff --git a/radio/vendor_telephony_test_app.te b/radio/vendor_telephony_test_app.te
new file mode 100644
index 0000000..ea18209
--- /dev/null
+++ b/radio/vendor_telephony_test_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_test_app, domain;
+app_domain(vendor_telephony_test_app)
+
+allow vendor_telephony_test_app app_api_service:service_manager find;
diff --git a/radio/vold.te b/radio/vold.te
new file mode 100644
index 0000000..3923e9c
--- /dev/null
+++ b/radio/vold.te
@@ -0,0 +1,4 @@
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+allow vold efs_block_device:blk_file { getattr };
+allow vold modem_userdata_block_device:blk_file { getattr };
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 0000000..20042f2
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@ +# allow systemui access to fingerprint +hal_client_domain(platform_app, hal_fingerprint) diff --git a/tracking_denials/README.txt b/tracking_denials/README.txt new file mode 100644 index 0000000..6cfc62d --- /dev/null +++ b/tracking_denials/README.txt @@ -0,0 +1,2 @@ +This folder stores known errors detected by PTS. Be sure to remove relevant +files to reproduce error log on latest ROMs. diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te new file mode 100644 index 0000000..e15c110 --- /dev/null +++ b/tracking_denials/bootanim.te @@ -0,0 +1,2 @@ +# b/260522279 +dontaudit bootanim system_data_file:dir { search }; diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map new file mode 100644 index 0000000..8903cdd --- /dev/null +++ b/tracking_denials/bug_map 
@@ -0,0 +1,56 @@ +con_monitor_app app_data_file dir b/264483670 +con_monitor_app app_data_file file b/264483670 +con_monitor_app dalvikcache_data_file dir b/264483670 +con_monitor_app dalvikcache_data_file file b/264483670 +con_monitor_app mnt_expand_file dir b/264483670 +con_monitor_app system_data_file lnk_file b/264483670 +dumpstate app_zygote process b/264483390 +dumpstate sysfs_scsi_devices_0000 file b/272166771 +google_camera_app audio_service service_manager b/264600171 +google_camera_app backup_service service_manager b/264483456 +google_camera_app legacy_permission_service service_manager b/264600171 +google_camera_app permission_checker_service service_manager b/264600171 +hal_audio_default hal_audio_default binder b/274374769 +hal_bootctl_default hal_bootctl_default capability b/274727372 +hal_camera_default edgetpu_app_server binder b/275001641 +hal_camera_default edgetpu_app_service service_manager b/275001641 +hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 +hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 +hal_dumpstate_default vendor_modem_prop property_service b/264482983 +hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 +hal_power_default sysfs file b/273638876 +hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 +hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 +hal_thermal_default sysfs file b/272166722 +hal_thermal_default sysfs file b/272166987 +hal_uwb_default debugfs file b/273639365 +incidentd apex_art_data_file file b/272628762 +incidentd incidentd anon_inode b/274374992 +insmod-sh insmod-sh key b/274374722 +insmod-sh vendor_regmap_debugfs dir b/274727542 +kernel vendor_fw_file dir b/272166737 +kernel vendor_fw_file dir b/272166787 +mtectrl unlabeled dir b/264483752 +platform_app bootanim_system_prop property_service b/264483532 +servicemanager hal_fingerprint_default binder b/264483753 +system_server 
default_android_service service_manager b/264483754 +systemui_app bootanim_system_prop property_service b/269964574 +systemui_app hal_googlebattery binder b/269964574 +systemui_app init unix_stream_socket b/269964574 +systemui_app mediaextractor_service service_manager b/272628174 +systemui_app mediametrics_service service_manager b/272628174 +systemui_app mediaserver_service service_manager b/272628174 +systemui_app property_socket sock_file b/269964574 +systemui_app qemu_hw_prop file b/269964574 +systemui_app twoshay binder b/269964574 +systemui_app vr_manager_service service_manager b/272628174 +twoshay systemui_app binder b/269964558 +untrusted_app default_android_service service_manager b/264599934 +vendor_init device_config_configuration_prop property_service b/267714573 +vendor_init device_config_configuration_prop property_service b/268566481 +vendor_init device_config_configuration_prop property_service b/273143844 +vendor_init tee_data_file lnk_file b/267714573 +vendor_init tee_data_file lnk_file b/272166664 +vendor_init vendor_camera_prop property_service b/267714573 +vendor_init vendor_camera_prop property_service b/268566481 +vendor_init vendor_camera_prop property_service b/273143844 diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te new file mode 100644 index 0000000..beee716 --- /dev/null +++ b/tracking_denials/chre.te @@ -0,0 +1,4 @@ +# b/261105224 +dontaudit chre hal_system_suspend_service:service_manager { find }; +dontaudit chre servicemanager:binder { call }; +dontaudit chre system_suspend_server:binder { call }; diff --git a/tracking_denials/con_monitor_app.te b/tracking_denials/con_monitor_app.te new file mode 100644 index 0000000..3baf986 --- /dev/null +++ b/tracking_denials/con_monitor_app.te 
@@ -0,0 +1,36 @@
+# b/261518779
+dontaudit con_monitor_app activity_service:service_manager { find };
+dontaudit con_monitor_app content_capture_service:service_manager { find };
+dontaudit con_monitor_app game_service:service_manager { find };
+dontaudit con_monitor_app netstats_service:service_manager { find };
+dontaudit con_monitor_app system_server:binder { call };
+dontaudit con_monitor_app system_server:binder { transfer };
+dontaudit con_monitor_app system_server:fd { use };
+# b/261783158
+dontaudit con_monitor_app system_file:file { getattr };
+dontaudit con_monitor_app system_file:file { map };
+dontaudit con_monitor_app system_file:file { open };
+dontaudit con_monitor_app system_file:file { read };
+dontaudit con_monitor_app tmpfs:file { execute };
+dontaudit con_monitor_app tmpfs:file { map };
+dontaudit con_monitor_app tmpfs:file { read };
+dontaudit con_monitor_app tmpfs:file { write };
+# b/261933171
+dontaudit con_monitor_app dumpstate:fd { use };
+dontaudit con_monitor_app dumpstate:fifo_file { append };
+dontaudit con_monitor_app dumpstate:fifo_file { write };
+dontaudit con_monitor_app system_server:fifo_file { write };
+dontaudit con_monitor_app tombstoned:unix_stream_socket { connectto };
+dontaudit con_monitor_app tombstoned_java_trace_socket:sock_file { write };
+# b/262455571
+dontaudit con_monitor_app data_file_type:dir { search };
+dontaudit con_monitor_app servicemanager:binder { call };
+dontaudit con_monitor_app statsd:unix_dgram_socket { sendto };
+dontaudit con_monitor_app statsdw_socket:sock_file { write };
+dontaudit con_monitor_app system_file:file { execute };
+# b/264489520
+userdebug_or_eng(`
+ permissive con_monitor_app;
+')
+# b/267843291
+dontaudit con_monitor_app resourcecache_data_file:file { read };
diff --git a/tracking_denials/fastbootd.te b/tracking_denials/fastbootd.te
new file mode 100644
index 0000000..4428b68
--- /dev/null
+++ b/tracking_denials/fastbootd.te
@@ -0,0 +1,4 @@
+# b/264489957
+userdebug_or_eng(`
+ permissive fastbootd;
+')
\ No newline at end of file
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 0000000..a5a791b
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
@@ -0,0 +1,10 @@
+# b/259302023
+dontaudit gmscore_app property_type:file *;
+# b/260365725
+dontaudit gmscore_app property_type:file *;
+# b/260522434
+dontaudit gmscore_app modem_img_file:filesystem { getattr };
+# b/264489521
+userdebug_or_eng(`
+ permissive gmscore_app;
+')
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
new file mode 100644
index 0000000..84c0aca
--- /dev/null
+++ b/tracking_denials/google_camera_app.te
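Review bot: `dontaudit gmscore_app property_type:file *;` in tracking_denials/gmscore_app.te is written twice (under b/259302023 and b/260365725) and, unlike the `permissive` line, is not inside `userdebug_or_eng`, so it suppresses every property-file denial for gmscore_app on user builds as well. A wildcard over the whole `property_type` attribute hides denials unrelated to the two bugs and removes the audit record a later investigation would depend on. I would keep one copy under a combined comment, `# b/259302023, b/260365725`, and narrow it to the property types and permissions that actually appear in the denial logs. The same rule-repeated-per-bug pattern occurs in hal_neuralnetworks_armnn.te (the four `default_prop:file` rules) and priv_app.te (`default_android_service:service_manager { find }`).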
@@ -0,0 +1,29 @@
+# b/262455755
+dontaudit google_camera_app activity_service:service_manager { find };
+dontaudit google_camera_app cameraserver_service:service_manager { find };
+dontaudit google_camera_app content_capture_service:service_manager { find };
+dontaudit google_camera_app device_state_service:service_manager { find };
+dontaudit google_camera_app edgetpu_app_service:service_manager { find };
+dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
+dontaudit google_camera_app edgetpu_device:chr_file { map };
+dontaudit google_camera_app edgetpu_device:chr_file { read write };
+dontaudit google_camera_app fwk_stats_service:service_manager { find };
+dontaudit google_camera_app game_service:service_manager { find };
+dontaudit google_camera_app mediaserver_service:service_manager { find };
+dontaudit google_camera_app netstats_service:service_manager { find };
+dontaudit google_camera_app sensorservice_service:service_manager { find };
+dontaudit google_camera_app surfaceflinger_service:service_manager { find };
+dontaudit google_camera_app thermal_service:service_manager { find };
+# b/264490031
+userdebug_or_eng(`
+ permissive google_camera_app;
+')# b/264483456
+dontaudit google_camera_app backup_service:service_manager { find };
+# b/264600171
+dontaudit google_camera_app audio_service:service_manager { find };
+dontaudit google_camera_app legacy_permission_service:service_manager { find };
+dontaudit google_camera_app permission_checker_service:service_manager { find };
+# b/265220235
+dontaudit google_camera_app virtual_device_service:service_manager { find };
+# b/267843408
+dontaudit google_camera_app device_policy_service:service_manager { find };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 0000000..abc4811
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,4 @@
+# b/264489778
+userdebug_or_eng(`
+ permissive hal_camera_default;
+')
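Review bot: In tracking_denials/google_camera_app.te the line `')# b/264483456` runs the next bug reference onto the closing quote of the `userdebug_or_eng` block, so a search for lines starting with `# b/` misses that bug and the block boundary is easy to overlook. Put them on separate lines, `')` followed by `# b/264483456`. priv_app.te has the same join at `')# b/268572216`.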
diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te
new file mode 100644
index 0000000..3c9a51f
--- /dev/null
+++ b/tracking_denials/hal_contexthub_default.te
@@ -0,0 +1,7 @@
+# b/261105182
+dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
+dontaudit hal_contexthub_default chre_socket:sock_file { write };
+# b/264489794
+userdebug_or_eng(`
+ permissive hal_contexthub_default;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 0000000..8f3138c
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,16 @@
+# b/260366177
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/260768359
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/260921579
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+# b/264489188
+userdebug_or_eng(`
+ permissive hal_neuralnetworks_armnn;
+')
\ No newline at end of file
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 0000000..5925425
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,3 @@
+# b/267261305
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
new file mode 100644
index 0000000..601c2bb
--- /dev/null
+++ b/tracking_denials/hal_sensors_default.te
@@ -0,0 +1,3 @@
+# b/267260619
+dontaudit hal_sensors_default dumpstate:fd { use };
+dontaudit hal_sensors_default dumpstate:fifo_file { write };
diff --git a/tracking_denials/hal_usb_impl.te b/tracking_denials/hal_usb_impl.te
new file mode 100644
index 0000000..08db477
--- /dev/null
+++ b/tracking_denials/hal_usb_impl.te
@@ -0,0 +1,2 @@
+# b/267261163
+dontaudit hal_usb_impl dumpstate:fd { use };
diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te
new file mode 100644
index 0000000..53222bd
--- /dev/null
+++ b/tracking_denials/hwservicemanager.te
@@ -0,0 +1,4 @@
+# b/264489781
+userdebug_or_eng(`
+ permissive hwservicemanager;
+')
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 0000000..4bd4489
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,3 @@
+# b/261933310
+dontaudit incidentd debugfs_wakeup_sources:file { open };
+dontaudit incidentd debugfs_wakeup_sources:file { read };
diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te
new file mode 100644
index 0000000..95b0a2f
--- /dev/null
+++ b/tracking_denials/installd.te
@@ -0,0 +1,6 @@
+# b/260522202
+dontaudit installd modem_img_file:filesystem { quotaget };
+# b/264490035
+userdebug_or_eng(`
+ permissive installd;
+')
\ No newline at end of file
diff --git a/tracking_denials/kernel.te b/tracking_denials/kernel.te
new file mode 100644
index 0000000..23d091b
--- /dev/null
+++ b/tracking_denials/kernel.te
@@ -0,0 +1,7 @@
+# b/262794429
+dontaudit kernel sepolicy_file:file { getattr };
+dontaudit kernel system_bootstrap_lib_file:dir { getattr };
+dontaudit kernel system_bootstrap_lib_file:file { getattr };
+dontaudit kernel system_dlkm_file:dir { getattr };
+# b/263185161
+dontaudit kernel kernel:capability { net_bind_service };
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
new file mode 100644
index 0000000..ab19623
--- /dev/null
+++ b/tracking_denials/logd.te
@@ -0,0 +1,7 @@
+# b/261105354
+dontaudit logd trusty_log_device:chr_file { open };
+dontaudit logd trusty_log_device:chr_file { read };
+# b/264489639
+userdebug_or_eng(`
+ permissive logd;
+')
\ No newline at end of file
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 0000000..604cf7d
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,21 @@
+# b/260366281
+dontaudit priv_app privapp_data_file:dir { getattr };
+dontaudit priv_app privapp_data_file:dir { search };
+dontaudit priv_app vendor_default_prop:file { getattr };
+dontaudit priv_app vendor_default_prop:file { map };
+dontaudit priv_app vendor_default_prop:file { open };
+# b/260522282
+dontaudit priv_app privapp_data_file:file { open };
+dontaudit priv_app privapp_data_file:file { setattr };
+# b/260768358
+dontaudit priv_app default_android_service:service_manager { find };
+# b/260922442
+dontaudit priv_app default_android_service:service_manager { find };
+# b/263185432
+dontaudit priv_app privapp_data_file:file { unlink };
+# b/264490074
+userdebug_or_eng(`
+ permissive priv_app;
+')# b/268572216
+dontaudit priv_app privapp_data_file:dir { add_name };
+dontaudit priv_app privapp_data_file:dir { remove_name };
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 0000000..26657eb
--- /dev/null
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,6 @@
+# b/260366278
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
+# b/264489565
+userdebug_or_eng(`
+ permissive rebalance_interrupts_vendor;
+')
\ No newline at end of file
diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te
new file mode 100644
index 0000000..bd39922
--- /dev/null
+++ b/tracking_denials/recovery.te
@@ -0,0 +1,4 @@
+# b/264490092
+userdebug_or_eng(`
+ permissive recovery;
+')
\ No newline at end of file
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
new file mode 100644
index 0000000..142b95b
--- /dev/null
+++ b/tracking_denials/servicemanager.te
@@ -0,0 +1,6 @@
+# b/263429985
+dontaudit servicemanager tee:binder { call };
+# b/264489962
+userdebug_or_eng(`
+ permissive servicemanager;
+')
\ No newline at end of file
diff --git a/tracking_denials/ssr_detector_app.te b/tracking_denials/ssr_detector_app.te
new file mode 100644
index 0000000..d1c8b73
--- /dev/null
+++ b/tracking_denials/ssr_detector_app.te
@@ -0,0 +1,6 @@
+# b/261651131
+dontaudit ssr_detector_app system_app_data_file:file { open };
+# b/264489567
+userdebug_or_eng(`
+ permissive ssr_detector_app;
+')
\ No newline at end of file
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
new file mode 100644
index 0000000..b834b57
--- /dev/null
+++ b/tracking_denials/system_suspend.te
@@ -0,0 +1,2 @@
+# b/261105356
+dontaudit system_suspend_server chre:binder { transfer };
diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te
new file mode 100644
index 0000000..3159dd9
--- /dev/null
+++ b/tracking_denials/systemui.te
@@ -0,0 +1,4 @@
+# b/264266705
+userdebug_or_eng(`
+ permissive systemui_app;
+')
diff --git a/tracking_denials/systemui_app.te b/tracking_denials/systemui_app.te
new file mode 100644
index 0000000..35142bb
--- /dev/null
+++ b/tracking_denials/systemui_app.te
@@ -0,0 +1,2 @@
+# b/272628396
+dontaudit systemui_app service_manager_type:service_manager find;
diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te
new file mode 100644
index 0000000..b0a7046
--- /dev/null
+++ b/tracking_denials/tcpdump_logger.te
@@ -0,0 +1,4 @@
+# b/264490014
+userdebug_or_eng(`
+ permissive tcpdump_logger;
+')
\ No newline at end of file
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te new file mode 100644 index 0000000..0de59ee --- /dev/null +++ b/tracking_denials/update_engine.te @@ -0,0 +1,2 @@ +# b/267261048 +dontaudit update_engine dumpstate:fd { use }; diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te new file mode 100644 index 0000000..abfba26 --- /dev/null +++ b/tracking_denials/vendor_init.te @@ -0,0 +1,3 @@ +# b/260366195 +dontaudit vendor_init debugfs_trace_marker:file { getattr }; +dontaudit vendor_init vendor_init:capability2 { block_suspend }; diff --git a/vendor/audioserver.te b/vendor/audioserver.te new file mode 100644 index 0000000..a0466ed --- /dev/null +++ b/vendor/audioserver.te @@ -0,0 +1,2 @@ +#allow access to ALSA MMAP FDs for AAudio API +allow audioserver audio_device:chr_file r_file_perms; diff --git a/vendor/bootanim.te b/vendor/bootanim.te new file mode 100644 index 0000000..cc36346 --- /dev/null +++ b/vendor/bootanim.te @@ -0,0 +1 @@ +allow bootanim arm_mali_platform_service:service_manager find; diff --git a/vendor/cccdk_timesync_app.te b/vendor/cccdk_timesync_app.te new file mode 100644 index 0000000..f34c5f3 --- /dev/null +++ b/vendor/cccdk_timesync_app.te @@ -0,0 +1,7 @@ +type vendor_cccdktimesync_app, domain; +app_domain(vendor_cccdktimesync_app) + +allow vendor_cccdktimesync_app app_api_service:service_manager find; + +binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux) +allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find; diff --git a/vendor/certs/app.x509.pem b/vendor/certs/app.x509.pem new file mode 100644 index 0000000..8e3e627 --- /dev/null +++ b/vendor/certs/app.x509.pem 
@@ -0,0 +1,27 @@ +-----BEGIN CERTIFICATE----- +MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD +VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g +VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE +AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe +Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET +MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G +A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p +ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI +hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR +24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy +xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X +W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC +69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA +cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw +HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c +xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE +CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH +QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG +CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud +EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP +zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla +XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a +IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a +ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW +Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs= +-----END CERTIFICATE----- diff --git a/vendor/certs/camera_eng.x509.pem b/vendor/certs/camera_eng.x509.pem new file mode 100644 index 0000000..011a9ec --- /dev/null +++ b/vendor/certs/camera_eng.x509.pem 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/vendor/certs/camera_fishfood.x509.pem b/vendor/certs/camera_fishfood.x509.pem new file mode 100644 index 0000000..fb11572 --- /dev/null +++ b/vendor/certs/camera_fishfood.x509.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n +bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w +HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL +MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv +b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93 +bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/ +jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B +IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe +tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td +0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg +Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b +aIOMFB0Km9HbEZHLKg33kOoMsS2zpA== +-----END CERTIFICATE----- diff --git a/vendor/chre.te b/vendor/chre.te new file mode 100644 index 0000000..a1d1ca5 --- /dev/null +++ b/vendor/chre.te @@ -0,0 +1,16 @@ +type chre, domain; +type chre_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(chre) + +# Permit communication with AoC +allow chre aoc_device:chr_file rw_file_perms; + +# Allow CHRE to determine AoC's current clock +allow chre sysfs_aoc:dir search; +allow chre sysfs_aoc_boottime:file r_file_perms; + +# Allow CHRE to create thread to watch AOC's device +allow chre device:dir r_dir_perms; + +# Allow CHRE to use WakeLock +wakelock_use(chre) diff --git a/vendor/con_monitor_app.te b/vendor/con_monitor_app.te new file mode 100644 index 0000000..814c5e8 --- /dev/null +++ b/vendor/con_monitor_app.te @@ -0,0 +1,3 @@ +# ConnectivityMonitor app +type con_monitor_app, domain; +app_domain(con_monitor_app); diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te new file mode 100644 index 0000000..4199b07 --- /dev/null +++ b/vendor/debug_camera_app.te 
@@ -0,0 +1,23 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+ app_domain(debug_camera_app)
+ net_domain(debug_camera_app)
+
+ allow debug_camera_app app_api_service:service_manager find;
+ allow debug_camera_app audioserver_service:service_manager find;
+ allow debug_camera_app cameraserver_service:service_manager find;
+ allow debug_camera_app mediaextractor_service:service_manager find;
+ allow debug_camera_app mediametrics_service:service_manager find;
+ allow debug_camera_app mediaserver_service:service_manager find;
+
+ # Allows GCA-Eng & GCA-Next access the GXP device.
+ allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+ # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+ allow debug_camera_app edgetpu_app_service:service_manager find;
+ allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+ # Allows GCA_Eng & GCA-Next to access the PowerHAL.
+ hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/vendor/device.te b/vendor/device.te
new file mode 100644
index 0000000..50510d6
--- /dev/null
+++ b/vendor/device.te
@@ -0,0 +1,18 @@
+type persist_block_device, dev_type;
+type tee_persist_block_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type logbuffer_device, dev_type;
+type gxp_device, dev_type, mlstrustedobject;
+type fingerprint_device, dev_type;
+type uci_device, dev_type;
+
+# Dmabuf heaps
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+type video_secure_heap_device, dmabuf_heap_device_type, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
diff --git a/vendor/domain.te b/vendor/domain.te
new file mode 100644
index 0000000..a8bad53
--- /dev/null
+++ b/vendor/domain.te
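Review bot: In vendor/debug_camera_app.te the rule `allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };`, and `rw_file_perms` on `gxp_device` two rules above it, grant `ioctl` with no `allowxperm` allowlist in the hunk, so every ioctl command those two drivers implement is reachable from this app domain. The `userdebug_or_eng` wrapper keeps the grant off user builds, which bounds the exposure, but the file should say that the unfiltered set is deliberate, for example `# ioctl is not filtered with allowxperm here: userdebug/eng only`. Whether an ioctl allowlist for these device types exists elsewhere in the policy cannot be seen from this hunk.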
@@ -0,0 +1,5 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)
diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te
new file mode 100644
index 0000000..bf5edf2
--- /dev/null
+++ b/vendor/dump_cma.te
@@ -0,0 +1,7 @@
+pixel_bugreport(dump_cma)
+
+userdebug_or_eng(`
+ allow dump_cma vendor_toolbox_exec:file execute_no_trans;
+ allow dump_cma vendor_cma_debugfs:dir r_dir_perms;
+ allow dump_cma vendor_cma_debugfs:file r_file_perms;
+')
diff --git a/vendor/dump_gsa.te b/vendor/dump_gsa.te
new file mode 100644
index 0000000..8cd230b
--- /dev/null
+++ b/vendor/dump_gsa.te
@@ -0,0 +1,6 @@
+pixel_bugreport(dump_gsa)
+
+userdebug_or_eng(`
+ allow dump_gsa vendor_toolbox_exec:file execute_no_trans;
+ allow dump_gsa sysfs_gsa_log:file r_file_perms;
+')
diff --git a/vendor/dump_power.te b/vendor/dump_power.te
new file mode 100644
index 0000000..e425214
--- /dev/null
+++ b/vendor/dump_power.te
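Review bot: In vendor/domain.te, `allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;` gives every non-app domain write access to the vendor scheduler proc files, and the hunk carries no comment saying why the grant has to be domain-wide. A write that wide means any compromised native daemon can change whatever those files control, so it should either be narrowed to the domains that actually write them or be justified in place. At minimum I would add a line such as `# TODO(b/<bug-id>): narrow to the domains that need to write proc_vendor_sched` above the two rules. The `typeattribute proc_vendor_sched mlstrustedobject;` added in vendor/file.te widens the same type further on userdebug/eng builds.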
@@ -0,0 +1,34 @@
+pixel_bugreport(dump_power)
+
+allow dump_power vendor_toolbox_exec:file execute_no_trans;
+allow dump_power sysfs_acpm_stats:dir r_dir_perms;
+allow dump_power sysfs_acpm_stats:file r_file_perms;
+allow dump_power sysfs_cpu:file r_file_perms;
+allow dump_power sysfs_bcl:dir r_dir_perms;
+allow dump_power sysfs_bcl:file r_file_perms;
+allow dump_power sysfs_odpm:dir r_dir_perms;
+allow dump_power sysfs_odpm:file r_file_perms;
+allow dump_power logbuffer_device:chr_file r_file_perms;
+allow dump_power sysfs_batteryinfo:dir r_dir_perms;
+allow dump_power sysfs_batteryinfo:file r_file_perms;
+allow dump_power sysfs_wlc:dir search;
+allow dump_power sysfs_wlc:file r_file_perms;
+allow dump_power sysfs_power_dump:file r_file_perms;
+allow dump_power mitigation_vendor_data_file:dir r_dir_perms;
+allow dump_power mitigation_vendor_data_file:file rw_file_perms;
+
+userdebug_or_eng(`
+ allow dump_power debugfs:dir r_dir_perms;
+ allow dump_power vendor_battery_debugfs:dir r_dir_perms;
+ allow dump_power vendor_battery_debugfs:file r_file_perms;
+ allow dump_power vendor_pm_genpd_debugfs:file r_file_perms;
+ allow dump_power vendor_charger_debugfs:dir r_dir_perms;
+ allow dump_power vendor_charger_debugfs:file r_file_perms;
+ allow dump_power vendor_usb_debugfs:dir r_dir_perms;
+ allow dump_power vendor_votable_debugfs:dir r_dir_perms;
+ allow dump_power vendor_votable_debugfs:file r_file_perms;
+ allow dump_power vendor_maxfg_debugfs:dir r_dir_perms;
+ allow dump_power vendor_maxfg_debugfs:file r_file_perms;
+ allow dump_power self:lockdown integrity;
+')
+
diff --git a/vendor/dump_wlan.te b/vendor/dump_wlan.te
new file mode 100644
index 0000000..f743da0
--- /dev/null
+++ b/vendor/dump_wlan.te
@@ -0,0 +1,3 @@
+pixel_bugreport(dump_wlan)
+
+allow dump_wlan vendor_toolbox_exec:file execute_no_trans;
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
new file mode 100644
index 0000000..03d0b40
--- /dev/null
+++ b/vendor/dumpstate.te
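Review bot: In vendor/dump_power.te, `allow dump_power mitigation_vendor_data_file:file rw_file_perms;` is the only write grant in this bugreport helper, while every other file rule in the hunk is `r_file_perms`, and it applies on user builds too. If the dump script only reads the mitigation data, the rule should be `allow dump_power mitigation_vendor_data_file:file r_file_perms;`; if it really writes there, a comment naming what it writes would make the exception reviewable. The `allow dump_power self:lockdown integrity;` rule inside `userdebug_or_eng` is also uncommented; presumably it is needed for the debugfs reads, and a one-line comment saying so would help.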
@@ -0,0 +1,12 @@
+# allow HWC to output to dumpstate via pipe fd
+dump_hal(hal_graphics_composer)
+
+dump_hal(hal_health)
+
+dump_hal(hal_confirmationui)
+
+binder_call(dumpstate, hal_wireless_charger)
+
+dump_hal(hal_uwb)
+
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
diff --git a/vendor/e2fs.te b/vendor/e2fs.te
new file mode 100644
index 0000000..3e72adf
--- /dev/null
+++ b/vendor/e2fs.te
@@ -0,0 +1,8 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/euiccpixel_app.te b/vendor/euiccpixel_app.te
new file mode 100644
index 0000000..0e4d65b
--- /dev/null
+++ b/vendor/euiccpixel_app.te
@@ -0,0 +1,21 @@
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+')
+
+# b/265286368 framework UI rendering properties
+dontaudit euiccpixel_app default_prop:file { read };
\ No newline at end of file
diff --git a/vendor/file.te b/vendor/file.te
new file mode 100644
index 0000000..cf4ad9f
--- /dev/null
+++ b/vendor/file.te
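Review bot: In vendor/euiccpixel_app.te, `typeattribute st54spi_device mlstrustedobject;` inside the `userdebug_or_eng` block changes the device type itself, so on engineering builds the MLS exemption holds for every domain that is allowed to touch the SecureElement SPI node, not only for euiccpixel_app. The existing comment describes only the app's firmware-upgrade access and does not mention that side effect. I would add `# mlstrustedobject applies to st54spi_device for all domains on userdebug/eng, not just euiccpixel_app` above that line, or move the typeattribute next to the `type st54spi_device, dev_type;` declaration in vendor/device.te so the type's attributes are in one place. The file also ends without a trailing newline.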
@@ -0,0 +1,48 @@
+# persist
+type persist_display_file, file_type, vendor_persist_type;
+type persist_battery_file, file_type, vendor_persist_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+#sysfs
+type sysfs_power_dump, sysfs_type, fs_type;
+type sysfs_acpm_stats, sysfs_type, fs_type;
+type sysfs_write_leds, sysfs_type, fs_type;
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
+
+# mount FS
+allow proc_vendor_sched proc:filesystem associate;
+allow bootdevice_sysdev sysfs:filesystem associate;
+
+# debugfs
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_cma_debugfs, fs_type, debugfs_type;
+
+# WLC
+type sysfs_wlc, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# Data
+type sensor_reg_data_file, file_type, data_file_type;
+
+# Vendor sched files
+userdebug_or_eng(`
+ typeattribute proc_vendor_sched mlstrustedobject;
+')
+
+# sysfs
+type sysfs_fabric, sysfs_type, fs_type;
+type sysfs_em_profile, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
+
+# GSA
+type sysfs_gsa_log, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..f08be98
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,167 @@ +# Binaries +/vendor/bin/hw/android\.hardware\.health-service\.zumapro u:object_r:hal_health_default_exec:s0 +/vendor/bin/hw/android\.hardware\.boot@1\.2-service-zumapro u:object_r:hal_bootctl_default_exec:s0 +/vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 +/vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 +/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 +/vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 +/vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 +/vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 +/vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 +/vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 +/vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 +/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0 +/vendor/bin/storageproxyd u:object_r:tee_exec:s0 +/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/trusty_metricsd 
u:object_r:trusty_metricsd_exec:s0 +/vendor/bin/chre u:object_r:chre_exec:s0 +/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 +/vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 + +# Vendor Firmwares +/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 +/vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0 + +# Vendor libraries +/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 + + +# persist +/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 +/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0 +/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 +/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0 + +# Devices +/dev/bbd_pwrstat u:object_r:power_stats_device:s0 +/dev/edgetpu-soc u:object_r:edgetpu_device:s0 +/dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 
+/dev/block/platform/13200000\.ufs/by-name/init_boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/gsa_bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/gcf_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/trusty_persist u:object_r:tee_persist_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0 
+/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/13200000\.ufs/by-name/ufs_internal u:object_r:ufs_internal_block_device:s0 +/dev/gxp u:object_r:gxp_device:s0 +/dev/mali0 u:object_r:gpu_device:s0 +/dev/goodix_fp u:object_r:fingerprint_device:s0 +/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 +/dev/logbuffer_wireless u:object_r:logbuffer_device:s0 +/dev/logbuffer_ttf u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 +/dev/logbuffer_rtx u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0 +/dev/logbuffer_cpm u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 +/dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 +/dev/logbuffer_bd u:object_r:logbuffer_device:s0 +/dev/lwis-act-jotnar u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 +/dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0 +/dev/lwis-be-core u:object_r:lwis_device:s0 +/dev/lwis-csi u:object_r:lwis_device:s0 +/dev/lwis-dpm u:object_r:lwis_device:s0 +/dev/lwis-eeprom-djinn u:object_r:lwis_device:s0 
+/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 +/dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0 +/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 +/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 +/dev/lwis-g3aa u:object_r:lwis_device:s0 +/dev/lwis-gdc0 u:object_r:lwis_device:s0 +/dev/lwis-gdc1 u:object_r:lwis_device:s0 +/dev/lwis-gse u:object_r:lwis_device:s0 +/dev/lwis-gtnr-align u:object_r:lwis_device:s0 +/dev/lwis-gtnr-merge u:object_r:lwis_device:s0 +/dev/lwis-ipp u:object_r:lwis_device:s0 +/dev/lwis-itp u:object_r:lwis_device:s0 +/dev/lwis-isp-fe u:object_r:lwis_device:s0 +/dev/lwis-lme u:object_r:lwis_device:s0 +/dev/lwis-mcsc u:object_r:lwis_device:s0 +/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 +/dev/lwis-ois-humbaba u:object_r:lwis_device:s0 +/dev/lwis-ois-jotnar u:object_r:lwis_device:s0 +/dev/lwis-ois-djinn u:object_r:lwis_device:s0 +/dev/lwis-pdp u:object_r:lwis_device:s0 +/dev/lwis-scsc u:object_r:lwis_device:s0 +/dev/lwis-sensor-boitata u:object_r:lwis_device:s0 +/dev/lwis-sensor-buraq u:object_r:lwis_device:s0 +/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-sensor-kraken u:object_r:lwis_device:s0 +/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 +/dev/lwis-sensor-nagual u:object_r:lwis_device:s0 +/dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 +/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 +/dev/lwis-slc u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 +/dev/lwis-top u:object_r:lwis_device:s0 +/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0 +# Although stmvl53l1_ranging is not a real lwis_device but we treat it as an abstract lwis_device. +# Binding it here with lwis-tof-vl53l8 for a better maintenance instead of creating another device type. 
+/dev/stmvl53l1_ranging u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+/dev/dma_heap/faceauth_dsp-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0
+/dev/uci u:object_r:uci_device:s0
diff --git a/vendor/fsck.te b/vendor/fsck.te
new file mode 100644
index 0000000..cb9470d
--- /dev/null
+++ b/vendor/fsck.te
@@ -0,0 +1,5 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
new file mode 100644
index 0000000..5acd7ba
--- /dev/null
+++ b/vendor/genfs_contexts
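Review bot: In vendor/file_contexts the entry `/vendor/bin/hw/android\.hardware\.secure_element-service.uicc` leaves its last dot unescaped, so the pattern matches any character in that position, while the neighbouring entries escape every literal dot. The line should read `/vendor/bin/hw/android\.hardware\.secure_element-service\.uicc u:object_r:hal_secure_element_uicc_exec:s0`. The practical effect is small, but this label selects an `_exec` type that drives a domain transition for the secure element HAL, so the pattern should match exactly one path.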
@@ -0,0 +1,484 @@ +# Devfreq current frequency +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0 + +# Fabric +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0 + +# EdgeTPU +genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 + +# debugfs +genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0 +genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0 +genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0 +genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 +genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 +genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon debugfs /cma 
u:object_r:vendor_cma_debugfs:s0 + +# Extcon +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 +genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 + +# Storage +genfscon sysfs /devices/platform/13200000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs 
/devices/platform/13200000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/vendor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/model u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/13200000.ufs/rev u:object_r:sysfs_scsi_devices_0000:s0 + +# Display +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/op_hz u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/hs_clock u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19471000.drmdecon/early_wakeup u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19471000.drmdecon/counters u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19472000.drmdecon/counters 
u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_name u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/serial_number u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/refresh_rate u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/panel_model u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19470000.drmdecon/hibernation u:object_r:sysfs_display:s0 +genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/19440000.drmdsim/19440000.drmdsim.0/backlight/panel0-backlight/als_table u:object_r:sysfs_write_leds:s0 + +# ACPM +genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0 + +# Power ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0 
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_power u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/iio:device0/lpf_current u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/iio:device1/lpf_current u:object_r:sysfs_odpm:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/12100000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/13120000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+
+# PCIe link stats
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/12100000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/complete_timeout_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_down_irqs u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_recovery_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_average u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/link_up_failures u:object_r:sysfs_pcie:s0
+genfscon sysfs /devices/platform/13120000.pcie/link_stats/pll_lock_average u:object_r:sysfs_pcie:s0
+
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003c/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-003b/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/0-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/1-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-9/9-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0069/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/registers_dump u:object_r:sysfs_power_dump:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0065/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0025/typec u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+
+# wake up nodes
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-0/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-0/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-1/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-1/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-2/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-2/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-3/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-3/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-4/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-4/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-5/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-5/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-6/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-6/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-7/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-7/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c80000.hsi2c/i2c-8/6-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10c90000.hsi2c/i2c-8/7-003b/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/tcpm-source-psy-8-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/pca94xx-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-1/1-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-2/2-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-3/3-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-4/4-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-5/5-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-6/6-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-7/7-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-8/8-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-9/9-0057/power_supply/dc-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11210000.usb/11210000.dwc3/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/13120000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/com.google.usf.non_wake_up/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/com.google.usf/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/17000000.aoc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-meter/s2mpg14-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/s2mpg14-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/1-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/s2mpg15-meter/s2mpg15-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/0-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-0/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-0/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-1/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-1/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-2/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-2/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-3/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-3/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-4/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-4/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-5/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-5/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-6/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-6/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-7/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-7/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-meter/s2mpg14-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/s2mpg14-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@15500000/i2c-8/0-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs
/devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/s2mpg15-meter/s2mpg15-odpm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@15510000/i2c-8/1-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 + +# Trusty +genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 +genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0 + +# EM Profile +genfscon sysfs /kernel/pixel_em/active_profile u:object_r:sysfs_em_profile:s0 + +# GPU +genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 + +# GSA logs +genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0 +genfscon sysfs /devices/platform/16490000.gsa-ns/log_intermediate u:object_r:sysfs_gsa_log:s0 + +# AOC +genfscon sysfs /devices/platform/17000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 +genfscon sysfs /devices/platform/17000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 +genfscon sysfs /devices/platform/17000000.aoc u:object_r:sysfs_aoc:s0 +genfscon sysfs /devices/platform/17000000.aoc/reset u:object_r:sysfs_aoc_reset:s0 +genfscon sysfs /devices/platform/17000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0 +genfscon 
sysfs /devices/platform/17000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0 +genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0 + +# OTA +genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0 diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te new file mode 100644 index 0000000..b4ba6c1 --- /dev/null +++ b/vendor/google_camera_app.te @@ -0,0 +1,8 @@ +type google_camera_app, domain, coredomain; +app_domain(google_camera_app) + +# Allows camera app to access the GXP device. +allow google_camera_app gxp_device:chr_file rw_file_perms; + +# Allows camera app to access the PowerHAL. +hal_client_domain(google_camera_app, hal_power) diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te new file mode 100644 index 0000000..000138a --- /dev/null +++ b/vendor/gxp_logging.te 
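Review bot: In vendor/google_camera_app.te, `allow google_camera_app gxp_device:chr_file rw_file_perms;` gives an app domain declared `coredomain` direct open/read/write/ioctl on the GXP device node with no ioctl allowlist, so every command the driver implements is reachable from the app process. The same unrestricted grant is repeated for gxp_logging and hal_camera_default later in this patch. If the app only needs a known set of commands, pair the rule with an `allowxperm google_camera_app gxp_device:chr_file ioctl { <commands the app issues> };` line. The comment should also say why the app opens the device itself rather than going through the camera HAL.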
@@ -0,0 +1,10 @@
+type gxp_logging, domain;
+type gxp_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(gxp_logging)
+
+# The logging service accesses /dev/gxp
+allow gxp_logging gxp_device:chr_file rw_file_perms;
+
+# Allow gxp tracing service to send packets to Perfetto
+userdebug_or_eng(`perfetto_producer(gxp_logging)')
+
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
new file mode 100644
index 0000000..2167b3c
--- /dev/null
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -0,0 +1,6 @@
+# Allow access to always-on compute device node
+allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux device:dir r_dir_perms;
+
+# allow the HAL to call cccdktimesync registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..fe017f9
--- /dev/null
+++ b/vendor/hal_bootctl_default.te
@@ -0,0 +1,3 @@
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
new file mode 100644
index 0000000..7acd698
--- /dev/null
+++ b/vendor/hal_camera_default.te
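Review bot: The three rules in vendor/hal_bootctl_default.te have no comment, and two of them grant write to raw block devices (`devinfo_block_device`, `sda_block_device`). Judging by the label name, `sda_block_device` may cover a whole disk rather than one partition; if so, a narrower label for the region the boot control HAL writes would limit what a compromised HAL can overwrite. At minimum add a comment per rule, e.g. `# boot_lun_enabled (sysfs_ota) selects the active boot LUN` above the sysfs_ota rule, and one stating what is written on sda and devinfo.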
@@ -0,0 +1,90 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow the camera hal to access the GXP device.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..6aa57dd
--- /dev/null
+++ b/vendor/hal_fingerprint_default.te
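Review bot: The block `# For camera hal to talk with rlsservice` / `allow hal_camera_default rls_service:service_manager find;` / `binder_call(hal_camera_default, rlsservice)` appears twice in vendor/hal_camera_default.te; the second copy, after the hal_radioext rules, can be dropped. The comment about face authentication needing dma_bufs and the Trusted Execution Environment device node is followed by no rule, so either the rules were lost when this file was forked or the comment is stale and should go. The two `dontaudit` rules on `traced` hide those denials permanently; a bug reference next to them would help whoever later debugs tracing from this domain.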
@@ -0,0 +1,39 @@ +allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms; +allow hal_fingerprint_default tee_device:chr_file rw_file_perms; +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; +allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms; + +allow hal_fingerprint_default fwk_stats_service:service_manager find; +get_prop(hal_fingerprint_default, fingerprint_ghbm_prop) +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) +add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice) + +# allow fingerprint to access power hal +hal_client_domain(hal_fingerprint_default, hal_power); + +# Allow access to the files of CDT information. +r_dir_file(hal_fingerprint_default, sysfs_chosen) + +# Allow fingerprint to access calibration blk device. +allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms; +allow hal_fingerprint_default block_device:dir search; + +# Allow fingerprint to access fwk_sensor_hwservice +allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find; + +# Allow fingerprint to access sysfs_display +allow hal_fingerprint_default sysfs_display:file rw_file_perms; + +# Allow fingerprint to access trusty sysfs +allow hal_fingerprint_default sysfs_trusty:file rw_file_perms; + +# Allow fingerprint to access display hal +allow hal_fingerprint_default hal_pixel_display_service:service_manager find; +binder_call(hal_fingerprint_default, hal_graphics_composer_default) + +# allow fingerprint to access thermal hal +hal_client_domain(hal_fingerprint_default, hal_thermal); + +# allow fingerprint to read sysfs_leds +allow hal_fingerprint_default sysfs_leds:file r_file_perms; +allow hal_fingerprint_default sysfs_leds:dir r_dir_perms; diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te new file mode 100644 index 0000000..e322c3a --- /dev/null +++ b/vendor/hal_graphics_allocator_default.te 
@@ -0,0 +1,4 @@ +allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms; diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te new file mode 100644 index 0000000..5c4aef4 --- /dev/null +++ b/vendor/hal_graphics_composer_default.te 
@@ -0,0 +1,43 @@ +# allow HWC to access power hal +hal_client_domain(hal_graphics_composer_default, hal_power) + +hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator) + +# access sysfs R/W +allow hal_graphics_composer_default sysfs_display:dir search; +allow hal_graphics_composer_default sysfs_display:file rw_file_perms; + +# allow HWC to r/w backlight +allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms; +allow hal_graphics_composer_default sysfs_leds:file rw_file_perms; + +# socket / vnd service +allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +vndbinder_use(hal_graphics_composer_default) + +# boot stauts prop +get_prop(hal_graphics_composer_default, boot_status_prop); + +# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags +get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop) + +add_service(hal_graphics_composer_default, hal_pixel_display_service) + +# allow HWC/libdisplaycolor to read calibration data +allow hal_graphics_composer_default mnt_vendor_file:dir search; +allow hal_graphics_composer_default persist_file:dir search; +allow hal_graphics_composer_default persist_display_file:file r_file_perms; +allow hal_graphics_composer_default persist_display_file:dir search; + +# allow HWC to get/set vendor_display_prop +set_prop(hal_graphics_composer_default, vendor_display_prop) + +# allow HWC to access vendor_displaycolor_service +add_service(hal_graphics_composer_default, vendor_displaycolor_service) + +add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice) + +# allow HWC to read/write/search hwc_log_file +allow hal_graphics_composer_default vendor_hwc_log_file:dir rw_dir_perms; +allow hal_graphics_composer_default vendor_hwc_log_file:file create_file_perms; +allow hal_graphics_composer_default vendor_log_file:dir search; 
diff --git a/vendor/hal_health_default.te b/vendor/hal_health_default.te new file mode 100644 index 0000000..36e6cb1 --- /dev/null +++ b/vendor/hal_health_default.te @@ -0,0 +1,16 @@ +allow hal_health_default mnt_vendor_file:dir search; +allow hal_health_default persist_file:dir search; +allow hal_health_default persist_battery_file:file create_file_perms; +allow hal_health_default persist_battery_file:dir rw_dir_perms; + +set_prop(hal_health_default, vendor_battery_defender_prop) +set_prop(hal_health_default, vendor_shutdown_prop) + +allow hal_health_default fwk_stats_service:service_manager find; + +# Access to /sys/devices/platform/13200000.ufs/* +allow hal_health_default sysfs_scsi_devices_0000:dir r_dir_perms; +allow hal_health_default sysfs_scsi_devices_0000:file rw_file_perms; + +allow hal_health_default sysfs_wlc:dir search; +allow hal_health_default sysfs_batteryinfo:file w_file_perms; diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te new file mode 100644 index 0000000..d71d9e2 --- /dev/null +++ b/vendor/hal_nfc_default.te @@ -0,0 +1,5 @@ +# HAL NFC property +get_prop(hal_nfc_default, vendor_nfc_prop) + +# SecureElement property +set_prop(hal_nfc_default, vendor_secure_element_prop) diff --git a/vendor/hal_power_default.te b/vendor/hal_power_default.te new file mode 100644 index 0000000..bb86aad --- /dev/null +++ b/vendor/hal_power_default.te @@ -0,0 +1,7 @@ +allow hal_power_default sysfs_gpu:file rw_file_perms; +allow hal_power_default sysfs_fabric:file rw_file_perms; +allow hal_power_default sysfs_camera:file rw_file_perms; +allow hal_power_default sysfs_em_profile:file rw_file_perms; +allow hal_power_default sysfs_display:file rw_file_perms; +allow hal_power_default sysfs_trusty:file rw_file_perms; +set_prop(hal_power_default, vendor_camera_prop); \ No newline at end of file diff --git a/vendor/hal_power_stats_default.te b/vendor/hal_power_stats_default.te new file mode 100644 index 0000000..2845a0a --- /dev/null 
+++ b/vendor/hal_power_stats_default.te @@ -0,0 +1,18 @@ +# Allowed to access required sysfs nodes +r_dir_file(hal_power_stats_default, sysfs_aoc) +r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate) +r_dir_file(hal_power_stats_default, sysfs_acpm_stats) +r_dir_file(hal_power_stats_default, sysfs_cpu) +r_dir_file(hal_power_stats_default, sysfs_iio_devices) +r_dir_file(hal_power_stats_default, sysfs_leds) +r_dir_file(hal_power_stats_default, sysfs_odpm) +r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000) +r_dir_file(hal_power_stats_default, sysfs_wifi) +r_dir_file(hal_power_stats_default, powerstats_vendor_data_file) + +# Rail selection requires read/write permissions +allow hal_power_stats_default sysfs_odpm:dir search; +allow hal_power_stats_default sysfs_odpm:file rw_file_perms; + +# getStateResidency AIDL callback for Bluetooth HAL +binder_call(hal_power_stats_default, hal_bluetooth_btlinux) diff --git a/vendor/hal_radioext_default.te b/vendor/hal_radioext_default.te new file mode 100644 index 0000000..d67f9e8 --- /dev/null +++ b/vendor/hal_radioext_default.te @@ -0,0 +1 @@ +allow hal_radioext_default sysfs_display:file rw_file_perms; diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te new file mode 100644 index 0000000..3cc726d --- /dev/null +++ b/vendor/hal_secure_element_st54spi.te @@ -0,0 +1,7 @@ +type hal_secure_element_st54spi, domain; +type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi) +hal_server_domain(hal_secure_element_st54spi, hal_secure_element) +allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) diff --git a/vendor/hal_secure_element_uicc.te b/vendor/hal_secure_element_uicc.te new file mode 100644 index 0000000..8cd1cb3 --- /dev/null 
+++ b/vendor/hal_secure_element_uicc.te @@ -0,0 +1,12 @@ +type hal_secure_element_uicc, domain; +type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type; + +hal_server_domain(hal_secure_element_uicc, hal_secure_element) +init_daemon_domain(hal_secure_element_uicc) + +# Allow writing to system_server pipes during crash dump +crash_dump_fallback(hal_secure_element_uicc) + +# Allow hal_secure_element_uicc to access rild +binder_call(hal_secure_element_uicc, rild); +allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find; diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te new file mode 100644 index 0000000..b9f6a72 --- /dev/null +++ b/vendor/hal_sensors_default.te 
@@ -0,0 +1,58 @@ +# Allow access to the AoC communication driver. +allow hal_sensors_default aoc_device:chr_file rw_file_perms; + +# Allow create thread to watch AOC's device. +allow hal_sensors_default device:dir r_dir_perms; + +# Allow access to CHRE socket to connect to nanoapps. +allow hal_sensors_default chre:unix_stream_socket connectto; +allow hal_sensors_default chre_socket:sock_file write; + +# Allow SensorSuez to connect AIDL stats. +allow hal_sensors_default fwk_stats_service:service_manager find; + +# Allow sensor HAL to access the graphics composer. +binder_call(hal_sensors_default, hal_graphics_composer_default); + +# Allow sensor HAL to access the display service HAL +allow hal_sensors_default hal_pixel_display_service:service_manager find; + +# Allow reading of sensor registry persist files and camera persist files. +allow hal_sensors_default mnt_vendor_file:dir search; +allow hal_sensors_default persist_file:dir search; +allow hal_sensors_default persist_file:file r_file_perms; +allow hal_sensors_default persist_sensor_reg_file:dir r_dir_perms; +allow hal_sensors_default persist_sensor_reg_file:file r_file_perms; +r_dir_file(hal_sensors_default, persist_camera_file) + +# Allow creation and writing of sensor registry data files. +allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms; +allow hal_sensors_default sensor_reg_data_file:file create_file_perms; + +# Allow access to the sysfs_aoc. +allow hal_sensors_default sysfs_aoc:dir search; +allow hal_sensors_default sysfs_aoc:file r_file_perms; + +# Allow access to the AoC clock and kernel boot time sys FS node. This is needed +# to synchronize the AP and AoC clock timestamps. +allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms; + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_write_leds:file rw_file_perms; + +# Allow access to sensor service for sensor_listener. 
+binder_call(hal_sensors_default, system_server); + +# Allow access for dynamic sensor properties. +get_prop(hal_sensors_default, vendor_dynamic_sensor_prop) + +# Allow access to the display info for ALS. +allow hal_sensors_default sysfs_display:file rw_file_perms; + +# Allow access to the files of CDT information. +allow hal_sensors_default sysfs_chosen:dir search; +allow hal_sensors_default sysfs_chosen:file r_file_perms; + +# Allow display_info_service access to the backlight driver. +allow hal_sensors_default sysfs_leds:dir search; +allow hal_sensors_default sysfs_leds:file r_file_perms; diff --git a/vendor/hal_thermal_default.te b/vendor/hal_thermal_default.te new file mode 100644 index 0000000..a573a2a --- /dev/null +++ b/vendor/hal_thermal_default.te @@ -0,0 +1,2 @@ +r_dir_file(hal_thermal_default, sysfs_iio_devices) +r_dir_file(hal_thermal_default, sysfs_odpm) diff --git a/vendor/hal_usb_gadget_impl.te b/vendor/hal_usb_gadget_impl.te new file mode 100644 index 0000000..2b1494f --- /dev/null +++ b/vendor/hal_usb_gadget_impl.te @@ -0,0 +1,20 @@ +type hal_usb_gadget_impl, domain; +hal_server_domain(hal_usb_gadget_impl, hal_usb) +hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget) + +type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type; +init_daemon_domain(hal_usb_gadget_impl) + +allow hal_usb_gadget_impl configfs:dir { create rmdir }; +allow hal_usb_gadget_impl functionfs:dir { watch watch_reads }; +set_prop(hal_usb_gadget_impl, vendor_usb_config_prop) + +# parser the number of dwc3 irq +allow hal_usb_gadget_impl proc_interrupts:file r_file_perms; + +# change irq to other cores +allow hal_usb_gadget_impl proc_irq:dir r_dir_perms; +allow hal_usb_gadget_impl proc_irq:file w_file_perms; + +allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms; +allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms; diff --git a/vendor/hal_usb_impl.te b/vendor/hal_usb_impl.te new file mode 100644 index 0000000..15d74c5 --- /dev/null 
+++ b/vendor/hal_usb_impl.te
@@ -0,0 +1,16 @@
+type hal_usb_impl, domain;
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
diff --git a/vendor/hal_uwb_vendor_default.te b/vendor/hal_uwb_vendor_default.te
new file mode 100644
index 0000000..06a67d0
--- /dev/null
+++ b/vendor/hal_uwb_vendor_default.te
@@ -0,0 +1,5 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+allow hal_uwb_default uci_device:chr_file rw_file_perms;
+init_daemon_domain(hal_uwb_vendor_default)
+
diff --git a/vendor/hal_wifi_ext.te b/vendor/hal_wifi_ext.te
new file mode 100644
index 0000000..9b52d7a
--- /dev/null
+++ b/vendor/hal_wifi_ext.te
@@ -0,0 +1,9 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
diff --git a/vendor/hal_wireless_charger.te b/vendor/hal_wireless_charger.te
new file mode 100644
index 0000000..17d704d
--- /dev/null
+++ b/vendor/hal_wireless_charger.te
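Review bot: In vendor/hal_uwb_vendor_default.te the only allow rule names `hal_uwb_default` as its source, while the file declares and daemonizes `hal_uwb_vendor_default`. As written the new domain gets no access to `uci_device`, and a domain that is not declared in this hunk does. If this is a typo, the rule should read `allow hal_uwb_vendor_default uci_device:chr_file rw_file_perms;`; if `hal_uwb_default` is a separate domain defined elsewhere, the rule belongs in that domain's file.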
@@ -0,0 +1,7 @@ +type hal_wireless_charger, domain; +type hal_wireless_charger_exec, exec_type, vendor_file_type, file_type; + +allow hal_wireless_charger dumpstate:fd use; +allow hal_wireless_charger dumpstate:fifo_file rw_file_perms; + +binder_call(hal_wireless_charger, systemui_app) \ No newline at end of file diff --git a/vendor/hwservice.te b/vendor/hwservice.te new file mode 100644 index 0000000..68b8dd7 --- /dev/null +++ b/vendor/hwservice.te @@ -0,0 +1,2 @@ +# Fingerprint +type hal_fingerprint_ext_hwservice, hwservice_manager_type; diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts new file mode 100644 index 0000000..9f86e04 --- /dev/null +++ b/vendor/hwservice_contexts @@ -0,0 +1,2 @@ +# Fingerprint +vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 diff --git a/vendor/init.te b/vendor/init.te new file mode 100644 index 0000000..3d0a8f9 --- /dev/null +++ b/vendor/init.te @@ -0,0 +1,13 @@ +allow init mnt_vendor_file:dir mounton; +allow init custom_ab_block_device:lnk_file relabelto; + +# This is needed for chaining a boot partition vbmeta +# descriptor, where init will probe the boot partition +# to read the chained vbmeta in the first-stage, then +# relabel /dev/block/by-name/boot_[a|b] to block_device +# after loading sepolicy in the second stage. +allow init boot_block_device:lnk_file relabelto; + +allow init persist_file:dir mounton; +allow init ram_device:blk_file w_file_perms; + diff --git a/vendor/insmod-sh.te b/vendor/insmod-sh.te new file mode 100644 index 0000000..e09c248 --- /dev/null +++ b/vendor/insmod-sh.te @@ -0,0 +1,2 @@ +allow insmod-sh self:capability sys_nice; +allow insmod-sh kernel:process setsched; diff --git a/vendor/kernel.te b/vendor/kernel.te new file mode 100644 index 0000000..0f2e18e --- /dev/null +++ b/vendor/kernel.te 
@@ -0,0 +1,15 @@ +allow kernel vendor_fw_file:dir search; +allow kernel vendor_fw_file:file r_file_perms; + +# ZRam +allow kernel per_boot_file:file r_file_perms; + +# memlat needs permision to create/delete perf events when hotplug on/off +allow kernel self:capability2 perfmon; +allow kernel self:perf_event cpu; + +no_debugfs_restriction(` + allow kernel vendor_battery_debugfs:dir search; +') + +allow kernel vendor_regmap_debugfs:dir search; diff --git a/vendor/keys.conf b/vendor/keys.conf new file mode 100644 index 0000000..503d1f0 --- /dev/null +++ b/vendor/keys.conf @@ -0,0 +1,8 @@ +[@GOOGLE] +ALL : device/google/zumapro-sepolicy/vendor/certs/app.x509.pem + +[@CAMERAENG] +ALL : device/google/zumapro-sepolicy/vendor/certs/camera_eng.x509.pem + +[@CAMERAFISHFOOD] +ALL : device/google/zumapro-sepolicy/vendor/certs/camera_fishfood.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml new file mode 100644 index 0000000..8e8c3c2 --- /dev/null +++ b/vendor/mac_permissions.xml @@ -0,0 +1,33 @@ + + + + + + + + + + + + + + + diff --git a/vendor/mediacodec_google.te b/vendor/mediacodec_google.te new file mode 100644 index 0000000..1c6413a --- /dev/null +++ b/vendor/mediacodec_google.te 
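Review bot: In vendor/kernel.te, `allow kernel vendor_regmap_debugfs:dir search;` sits outside the `no_debugfs_restriction(...)` wrapper that guards the battery debugfs rule directly above it, so it is compiled into builds where debugfs access is meant to be restricted. Unless that is deliberate, move it inside the wrapper next to `allow kernel vendor_battery_debugfs:dir search;`. If it is deliberate, a comment naming the kernel path that needs regmap debugfs on restricted builds would keep the rule from being moved later by mistake.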
@@ -0,0 +1,35 @@ +type mediacodec_google, domain; +type mediacodec_google_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(mediacodec_google) + +vndbinder_use(mediacodec_google) + +hal_server_domain(mediacodec_google, hal_codec2) + +# mediacodec_google may use an input surface from a different Codec2 service +hal_client_domain(mediacodec_google, hal_codec2) + +hal_client_domain(mediacodec_google, hal_graphics_allocator) + +allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms; +allow mediacodec_google dmabuf_system_secure_heap_device:chr_file r_file_perms; +allow mediacodec_google video_device:chr_file rw_file_perms; +allow mediacodec_google gpu_device:chr_file rw_file_perms; + +crash_dump_fallback(mediacodec_google) + +# mediacodec_google should never execute any executable without a domain transition +neverallow mediacodec_google { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. +# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mediacodec_google domain:{ udp_socket rawip_socket } *; +neverallow mediacodec_google { domain userdebug_or_eng(`-su') }:tcp_socket *; + +userdebug_or_eng(` + allow mediacodec_google vendor_media_data_file:dir rw_dir_perms; + allow mediacodec_google vendor_media_data_file:file create_file_perms; +') diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te new file mode 100644 index 0000000..69e166a --- /dev/null +++ b/vendor/ofl_app.te 
@@ -0,0 +1,17 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+')
\ No newline at end of file
diff --git a/vendor/pixeldisplayservice_app.te b/vendor/pixeldisplayservice_app.te
new file mode 100644
index 0000000..7320d00
--- /dev/null
+++ b/vendor/pixeldisplayservice_app.te
@@ -0,0 +1,14 @@
+type pixeldisplayservice_app, domain, coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
+binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te
new file mode 100644
index 0000000..18a1472
--- /dev/null
+++ b/vendor/pixelstats_vendor.te
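Review bot: `typeattribute st54spi_device mlstrustedobject;` in ofl_app.te changes the device type itself, not only this domain's access to it: on userdebug and eng builds every domain that already has a TE rule for `st54spi_device` is no longer subject to the MLS check on that node. The comment only says the app updates firmware on the device, so the reason for exempting the node from MLS should be stated next to the rule. The seapp_contexts entry for this package uses `levelFrom=user`, which may be what triggers the MLS denial (an inference, the denial is not shown), and is worth revisiting instead. The file also ends without a trailing newline.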
@@ -0,0 +1,23 @@
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;
+allow pixelstats_vendor mitigation_vendor_data_file:dir search;
+allow pixelstats_vendor mitigation_vendor_data_file:file rw_file_perms;
+get_prop(pixelstats_vendor, vendor_brownout_reason_prop);
+
+#vendor-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+allow pixelstats_vendor sysfs_vendor_metrics:lnk_file r_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+
+# PCIe Link Statistics
+allow pixelstats_vendor sysfs_pcie:dir search;
+allow pixelstats_vendor sysfs_pcie:file rw_file_perms;
+
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
diff --git a/vendor/platform_app.te b/vendor/platform_app.te
new file mode 100644
index 0000000..f0586f3
--- /dev/null
+++ b/vendor/platform_app.te
@@ -0,0 +1,3 @@
+# WLC
+allow platform_app hal_wireless_charger_service:service_manager find;
+binder_call(platform_app, hal_wireless_charger)
diff --git a/vendor/property.te b/vendor/property.te
new file mode 100644
index 0000000..ed6caac
--- /dev/null
+++ b/vendor/property.te
@@ -0,0 +1,12 @@
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
+
+# Battery
+vendor_internal_prop(vendor_battery_defender_prop)
+vendor_internal_prop(vendor_shutdown_prop)
+
+# USB
+vendor_internal_prop(vendor_usb_config_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
new file mode 100644
index 0000000..2d469d5
--- /dev/null
+++ b/vendor/property_contexts
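Review bot: In pixelstats_vendor.te, `sysfs_wlc:file` and `sysfs_pcie:file` get `rw_file_perms` under headings that describe statistics collection, and `mitigation_vendor_data_file:file` likewise gets write access. If the daemon only reads these nodes, `r_file_perms` is enough, e.g. `allow pixelstats_vendor sysfs_pcie:file r_file_perms;`. If a write is needed (resetting a counter, say), a comment naming the node that is written would justify the wider set. The first comment in the file reads `Batery history`.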
@@ -0,0 +1,19 @@
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
+
+# USB
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# Dynamic sensor
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
diff --git a/vendor/ramdump_app.te b/vendor/ramdump_app.te
new file mode 100644
index 0000000..308e9fb
--- /dev/null
+++ b/vendor/ramdump_app.te
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/vendor/rlsservice.te b/vendor/rlsservice.te
new file mode 100644
index 0000000..186471a
--- /dev/null
+++ b/vendor/rlsservice.te
@@ -0,0 +1,32 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+vndbinder_use(rlsservice)
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir r_file_perms;
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
+
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
new file mode 100644
index 0000000..8f5eea1
--- /dev/null
+++ b/vendor/seapp_contexts
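Review bot: `allow rlsservice device:dir r_file_perms;` applies a file permission set to the `dir` class on the generic `device` type. `r_file_perms` has no `search`, so the rule does not grant traversal, and it carries `map`, which is not a directory operation. Under the always-on compute comment the rule should read `allow rlsservice device:dir r_dir_perms;`, or just `search` if the service only needs to reach the `aoc_device` node. The closing `get_prop(rlsservice, vendor_camera_prop);` also has a stray `;` that the file's other macro calls do not.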
@@ -0,0 +1,38 @@
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# coredump/ramdump
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
+
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
+
+# SystemUI
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+
diff --git a/vendor/service.te b/vendor/service.te
new file mode 100644
index 0000000..85b1745
--- /dev/null
+++ b/vendor/service.te
@@ -0,0 +1,6 @@
+type hal_pixel_display_service, service_manager_type, hal_service_type;
+
+# WLC
+type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type;
+
+type arm_mali_platform_service, app_api_service, service_manager_type;
diff --git a/vendor/service_contexts b/vendor/service_contexts
new file mode 100644
index 0000000..ffa2639
--- /dev/null
+++ b/vendor/service_contexts
@@ -0,0 +1,5 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+
+vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0
+
+arm.mali.platform.ICompression/default u:object_r:arm_mali_platform_service:s0
diff --git a/vendor/shell.te b/vendor/shell.te
new file mode 100644
index 0000000..adc4eb6
--- /dev/null
+++ b/vendor/shell.te
@@ -0,0 +1,2 @@
+# wlc
+dontaudit shell sysfs_wlc:dir search;
\ No newline at end of file
diff --git a/vendor/surfaceflinger.te b/vendor/surfaceflinger.te
new file mode 100644
index 0000000..403734e
--- /dev/null
+++ b/vendor/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger arm_mali_platform_service:service_manager find;
diff --git a/vendor/system_app.te b/vendor/system_app.te
new file mode 100644
index 0000000..4677e98
--- /dev/null
+++ b/vendor/system_app.te
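Review bot: The CccDkTimeSyncService entry in seapp_contexts is the only one in the file without a `seinfo=` selector, so `com.google.pixel.digitalkey.timesync` is placed in `vendor_cccdktimesync_app` on package name and priv-app status alone. Every other entry also pins the signing identity, and this one should do the same by adding `seinfo=<tag for this app's certificate>` after `isPrivApp=true`. Which tag applies is not visible here, since the mac_permissions.xml content on this page is stripped.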
@@ -0,0 +1,3 @@
+# WLC
+allow system_app hal_wireless_charger_service:service_manager find;
+binder_call(system_app, hal_wireless_charger)
diff --git a/vendor/system_server.te b/vendor/system_server.te
new file mode 100644
index 0000000..853e3cf
--- /dev/null
+++ b/vendor/system_server.te
@@ -0,0 +1,5 @@
+# Allow system server to send sensor data callbacks to GPS
+binder_call(system_server, gpsd);
+binder_call(system_server, hal_camera_default);
+
+allow system_server arm_mali_platform_service:service_manager find;
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te
new file mode 100644
index 0000000..312d8c8
--- /dev/null
+++ b/vendor/systemui_app.te
@@ -0,0 +1,24 @@
+type systemui_app, domain, coredomain;
+app_domain(systemui_app)
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+
+get_prop(systemui_app, keyguard_config_prop)
+set_prop(systemui_app, bootanim_system_prop)
+
+allow systemui_app pixel_battery_service_type:service_manager find;
+binder_call(systemui_app, pixel_battery_domain)
+
+allow systemui_app screen_protector_detector_service:service_manager find;
+allow systemui_app touch_context_service:service_manager find;
+binder_call(systemui_app, twoshay)
+
+# WLC
+allow systemui_app hal_wireless_charger_service:service_manager find;
+binder_call(systemui_app, hal_wireless_charger)
diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te
new file mode 100644
index 0000000..1018104
--- /dev/null
+++ b/vendor/tcpdump_logger.te
@@ -0,0 +1,5 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(tcpdump_logger)
+
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 0000000..67509b8
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,17 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+allow tee tee_persist_block_device:blk_file rw_file_perms;
+allow tee block_device:dir search;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)
diff --git a/vendor/toolbox.te b/vendor/toolbox.te
new file mode 100644
index 0000000..9fbbb7a
--- /dev/null
+++ b/vendor/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/vendor/trusty_apploader.te b/vendor/trusty_apploader.te
new file mode 100644
index 0000000..983e3a0
--- /dev/null
+++ b/vendor/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/vendor/trusty_metricsd.te b/vendor/trusty_metricsd.te
new file mode 100644
index 0000000..63fc85b
--- /dev/null
+++ b/vendor/trusty_metricsd.te
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/vendor/twoshay.te b/vendor/twoshay.te
new file mode 100644
index 0000000..09cc98e
--- /dev/null
+++ b/vendor/twoshay.te
@@ -0,0 +1,2 @@
+# Allow ITouchContextService callback
+binder_call(twoshay, systemui_app)
diff --git a/vendor/ufs_firmware_update.te b/vendor/ufs_firmware_update.te
new file mode 100644
index 0000000..04e532e
--- /dev/null
+++ b/vendor/ufs_firmware_update.te
@@ -0,0 +1,12 @@
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+ init_daemon_domain(ufs_firmware_update)
+
+ allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+ allow ufs_firmware_update block_device:dir r_dir_perms;
+ allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+ allow ufs_firmware_update sysfs:dir r_dir_perms;
+ allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+')
diff --git a/vendor/update_engine.te b/vendor/update_engine.te
new file mode 100644
index 0000000..b4f3cf8
--- /dev/null
+++ b/vendor/update_engine.te
@@ -0,0 +1,2 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
diff --git a/vendor/uwb_vendor_app.te b/vendor/uwb_vendor_app.te
new file mode 100644
index 0000000..d249d36
--- /dev/null
+++ b/vendor/uwb_vendor_app.te
@@ -0,0 +1,4 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..646aa0f
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1,31 @@
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+# Battery harness mode property
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+set_prop(vendor_init, logpersistd_logging_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file w_file_perms;
+allow vendor_init sg_device:chr_file r_file_perms;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+allow vendor_init modem_img_file:filesystem { getattr };
+
+userdebug_or_eng(`
+allow vendor_init vendor_init:lockdown { integrity };
+')
+
+# Camera vendor property
+set_prop(vendor_init, vendor_camera_prop)
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+
+# USB property
+set_prop(vendor_init, vendor_usb_config_prop)
+
+# Mali
+set_prop(vendor_init, vendor_arm_runtime_option_prop)
+set_prop(vendor_init, vendor_ssrdump_prop)
diff --git a/vendor/vendor_uwb_init.te b/vendor/vendor_uwb_init.te
new file mode 100644
index 0000000..5216019
--- /dev/null
+++ b/vendor/vendor_uwb_init.te
@@ -0,0 +1,4 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
diff --git a/vendor/vndservice.te b/vendor/vndservice.te
new file mode 100644
index 0000000..12a4819
--- /dev/null
+++ b/vendor/vndservice.te
@@ -0,0 +1 @@
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
diff --git a/vendor/vndservice_contexts b/vendor/vndservice_contexts
new file mode 100644
index 0000000..4f9f5a7
--- /dev/null
+++ b/vendor/vndservice_contexts
@@ -0,0 +1 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
diff --git a/vendor/wifi_sniffer.te b/vendor/wifi_sniffer.te
new file mode 100644
index 0000000..1faffce
--- /dev/null
+++ b/vendor/wifi_sniffer.te
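Review bot: `allow vendor_init bootdevice_sysdev:file create_file_perms;` grants create, rename and unlink on what the type name suggests is a sysfs node, where user space cannot create files. `w_file_perms` (or `rw_file_perms`) would cover a write from an init script. The debug-only `allow vendor_init vendor_init:lockdown { integrity };` has no comment saying what needs it and would read better as `allow vendor_init self:lockdown integrity;`. `vendor_ssrdump_prop` is also listed under the `# Mali` heading, although the radio/property.te hunk later on this page shows it declared among the radio properties.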
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+allow wifi_sniffer sysfs_wifi:dir search;
+allow wifi_sniffer sysfs_wifi:file rw_file_perms;
+')
diff --git a/widevine/file.te b/widevine/file.te
new file mode 100644
index 0000000..a1e4e0e
--- /dev/null
+++ b/widevine/file.te
@@ -0,0 +1,3 @@
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
diff --git a/widevine/file_contexts b/widevine/file_contexts
new file mode 100644
index 0000000..92aed3c
--- /dev/null
+++ b/widevine/file_contexts
@@ -0,0 +1,5 @@
+/vendor/bin/hw/android\.hardware\.drm-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Data
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
diff --git a/widevine/hal_drm_clearkey.te b/widevine/hal_drm_clearkey.te
new file mode 100644
index 0000000..0e0a5c2
--- /dev/null
+++ b/widevine/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/widevine/hal_drm_widevine.te b/widevine/hal_drm_widevine.te
new file mode 100644
index 0000000..1ecfa92
--- /dev/null
+++ b/widevine/hal_drm_widevine.te
@@ -0,0 +1,12 @@
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+# L3
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_widevine dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/widevine/service_contexts b/widevine/service_contexts
new file mode 100644
index 0000000..6989dde
--- /dev/null
+++ b/widevine/service_contexts
@@ -0,0 +1 @@
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
diff --git a/zumapro-sepolicy.mk b/zumapro-sepolicy.mk
new file mode 100644
index 0000000..a5757bf
--- /dev/null
+++ b/zumapro-sepolicy.mk
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using zumapro
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/vendor
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/radio/private
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/private
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/system_ext/private
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# To be reviewed and removed.
+BOARD_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/whitechapel_pro
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/zumapro-sepolicy/legacy/system_ext/private
+
From d9e2e6aae986fd7ae293365058066e40aba00a1b Mon Sep 17 00:00:00 2001
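Review bot: The `# To be reviewed and removed.` block in zumapro-sepolicy.mk pulls four legacy policy directories, including `legacy/whitechapel_pro`, into the build with no owner or tracking reference. A bug id in the comment, e.g. `# TODO(b/<bug-id>): review and remove the legacy whitechapel_pro policy`, would stop the inherited allow rules from becoming permanent by default.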
From: Robin Peng Date: Tue, 11 Apr 2023 10:25:55 +0000 Subject: [PATCH 2/5] Sync with device/google/zuma-sepolicy cfa00dfc881e3 Bug: 272725898 Change-Id: I9125ed760c0b4c688cf37720f5d4a744f2484be7 --- private/vendor_init.te | 2 ++ radio/hal_radioext_default.te | 6 +++++ radio/keys.conf | 2 +- radio/property.te | 3 ++- radio/property_contexts | 2 +- tracking_denials/bug_map | 4 ++-- tracking_denials/dumpstate.te | 2 ++ tracking_denials/gmscore_app.te | 10 -------- tracking_denials/google_camera_app.te | 30 ++++-------------------- tracking_denials/hal_radioext_default.te | 2 ++ tracking_denials/logd.te | 7 ------ tracking_denials/systemui.te | 4 ---- vendor/file_contexts | 2 +- vendor/google_camera_app.te | 7 ++++++ vendor/hal_bootctl_default.te | 1 + vendor/hal_camera_default.te | 4 ++++ vendor/logd.te | 4 ++++ vendor/property.te | 1 + vendor/property_contexts | 1 + vendor/twoshay.te | 2 ++ 20 files changed, 43 insertions(+), 53 deletions(-) create mode 100644 private/vendor_init.te create mode 100644 tracking_denials/dumpstate.te delete mode 100644 tracking_denials/gmscore_app.te create mode 100644 tracking_denials/hal_radioext_default.te delete mode 100644 tracking_denials/logd.te delete mode 100644 tracking_denials/systemui.te create mode 100644 vendor/logd.te
diff --git a/private/vendor_init.te b/private/vendor_init.te
new file mode 100644
index 0000000..812f9e1
--- /dev/null
+++ b/private/vendor_init.te
@@ -0,0 +1,2 @@
+# b/277300125
+dontaudit vendor_init device_config_configuration_prop:property_service { set };
diff --git a/radio/hal_radioext_default.te b/radio/hal_radioext_default.te
index bbdd2a0..6e17e19 100644
--- a/radio/hal_radioext_default.te
+++ b/radio/hal_radioext_default.te
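Review bot: The `dontaudit` for `vendor_init` setting `device_config_configuration_prop` is added under `private/` rather than `tracking_denials/`, while this commit's bug_map hunk still records the same denial under b/275645636 and b/275646003. A dontaudit removes the denial from the audit log, so those tracked bugs stop reproducing in logs while the set attempt itself keeps failing. If suppression is the intended final state, the comment should say so, e.g. `# vendor_init is not expected to set this property; suppress the log (b/277300125)`. Otherwise the rule belongs with the other tracked denials.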
@@ -19,3 +19,9 @@ allow hal_radioext_default radio_vendor_data_file:file create_file_perms; # Bluetooth allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find; + +# Twoshay +binder_use(hal_radioext_default) +allow hal_radioext_default gril_antenna_tuning_service:service_manager find; +binder_call(hal_radioext_default, gril_antenna_tuning_service) +binder_call(hal_radioext_default, twoshay) diff --git a/radio/keys.conf b/radio/keys.conf index 4784c60..45db97d 100644 --- a/radio/keys.conf +++ b/radio/keys.conf @@ -1,3 +1,3 @@ [@MDS] -ALL : device/google/zuma-sepolicy/radio/certs/com_google_mds.x509.pem +ALL : device/google/zumapro-sepolicy/radio/certs/com_google_mds.x509.pem diff --git a/radio/property.te b/radio/property.te index b2027e5..25d9454 100644 --- a/radio/property.te +++ b/radio/property.te @@ -1,3 +1,4 @@ +# P24 vendor properties vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_slog_prop) @@ -9,8 +10,8 @@ vendor_internal_prop(vendor_ssrdump_prop) vendor_internal_prop(vendor_wifi_version) vendor_internal_prop(vendor_imssvc_prop) vendor_internal_prop(vendor_gps_prop) -vendor_internal_prop(vendor_logger_prop) vendor_internal_prop(vendor_tcpdump_log_prop) # Telephony debug app vendor_internal_prop(vendor_telephony_app_prop) + diff --git a/radio/property_contexts b/radio/property_contexts index 602b411..0cad5bc 100644 --- a/radio/property_contexts +++ b/radio/property_contexts @@ -20,7 +20,6 @@ persist.vendor.config. u:object_r:vendor_persist_config_defa # for logger app vendor.pixellogger. u:object_r:vendor_logger_prop:s0 persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0 -persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0 # Modem persist.vendor.modem. u:object_r:vendor_modem_prop:s0 
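Review bot: `binder_call(hal_radioext_default, gril_antenna_tuning_service)` passes a service_manager object type as the server argument; the line above it uses the same name as the target of `service_manager find`. `binder_call` takes the server's process domain, as the next line does with `twoshay` and as the hal_camera_default hunk does with `edgetpu_app_server` next to `edgetpu_app_service`. The rule should name the domain that hosts the antenna-tuning service, which is not visible here, or be dropped. The `# Twoshay` heading also covers the gril lines, which obscures the intent; the file's earlier rules lie outside the hunk.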
@@ -57,3 +56,4 @@ persist.vendor.gps. u:object_r:vendor_gps_prop:s0 # Tcpdump_logger persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0 vendor.tcpdump. u:object_r:vendor_tcpdump_log_prop:s0 + diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8903cdd..8af6ec0 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -21,8 +21,6 @@ hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 hal_power_default sysfs file b/273638876 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 -hal_thermal_default sysfs file b/272166722 -hal_thermal_default sysfs file b/272166987 hal_uwb_default debugfs file b/273639365 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 @@ -49,6 +47,8 @@ untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 vendor_init device_config_configuration_prop property_service b/268566481 vendor_init device_config_configuration_prop property_service b/273143844 +vendor_init device_config_configuration_prop property_service b/275645636 +vendor_init device_config_configuration_prop property_service b/275646003 vendor_init tee_data_file lnk_file b/267714573 vendor_init tee_data_file lnk_file b/272166664 vendor_init vendor_camera_prop property_service b/267714573 diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te new file mode 100644 index 0000000..3313642 --- /dev/null +++ b/tracking_denials/dumpstate.te @@ -0,0 +1,2 @@ +# b/277155496 +dontaudit dumpstate default_android_service:service_manager { find }; diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te deleted file mode 100644 index a5a791b..0000000 --- a/tracking_denials/gmscore_app.te +++ /dev/null 
@@ -1,10 +0,0 @@
-# b/259302023
-dontaudit gmscore_app property_type:file *;
-# b/260365725
-dontaudit gmscore_app property_type:file *;
-# b/260522434
-dontaudit gmscore_app modem_img_file:filesystem { getattr };
-# b/264489521
-userdebug_or_eng(`
- permissive gmscore_app;
-')
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
index 84c0aca..b6994f9 100644
--- a/tracking_denials/google_camera_app.te
+++ b/tracking_denials/google_camera_app.te
@@ -1,29 +1,7 @@
-# b/262455755
-dontaudit google_camera_app activity_service:service_manager { find };
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app content_capture_service:service_manager { find };
-dontaudit google_camera_app device_state_service:service_manager { find };
-dontaudit google_camera_app edgetpu_app_service:service_manager { find };
-dontaudit google_camera_app edgetpu_device:chr_file { ioctl };
-dontaudit google_camera_app edgetpu_device:chr_file { map };
-dontaudit google_camera_app edgetpu_device:chr_file { read write };
-dontaudit google_camera_app fwk_stats_service:service_manager { find };
-dontaudit google_camera_app game_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
-dontaudit google_camera_app netstats_service:service_manager { find };
-dontaudit google_camera_app sensorservice_service:service_manager { find };
-dontaudit google_camera_app surfaceflinger_service:service_manager { find };
-dontaudit google_camera_app thermal_service:service_manager { find };
 # b/264490031
 userdebug_or_eng(`
 permissive google_camera_app;
-')# b/264483456
-dontaudit google_camera_app backup_service:service_manager { find };
-# b/264600171
-dontaudit google_camera_app audio_service:service_manager { find };
-dontaudit google_camera_app legacy_permission_service:service_manager { find };
-dontaudit google_camera_app permission_checker_service:service_manager { find };
-# b/265220235
-dontaudit google_camera_app virtual_device_service:service_manager { find };
-# b/267843408
-dontaudit google_camera_app device_policy_service:service_manager { find };
+')
+# b/277300017
+dontaudit google_camera_app cameraserver_service:service_manager { find };
+dontaudit google_camera_app mediaserver_service:service_manager { find };
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
new file mode 100644
index 0000000..d37fc60
--- /dev/null
+++ b/tracking_denials/hal_radioext_default.te
@@ -0,0 +1,2 @@
+# b/275646098
+dontaudit hal_radioext_default service_manager_type:service_manager find;
diff --git a/tracking_denials/logd.te b/tracking_denials/logd.te
deleted file mode 100644
index ab19623..0000000
--- a/tracking_denials/logd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/261105354
-dontaudit logd trusty_log_device:chr_file { open };
-dontaudit logd trusty_log_device:chr_file { read };
-# b/264489639
-userdebug_or_eng(`
- permissive logd;
-')
\ No newline at end of file
diff --git a/tracking_denials/systemui.te b/tracking_denials/systemui.te
deleted file mode 100644
index 3159dd9..0000000
--- a/tracking_denials/systemui.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264266705
-userdebug_or_eng(`
- permissive systemui_app;
-')
diff --git a/vendor/file_contexts b/vendor/file_contexts
index f08be98..0a24947 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -163,5 +163,5 @@
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0
-/dev/dma_heap/vstream-secure u:object_r:video_secure_heap_device:s0
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci u:object_r:uci_device:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index b4ba6c1..9c233fe 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
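Review bot: `dontaudit hal_radioext_default service_manager_type:service_manager find;` silences find denials for every service type, not only the one behind b/275646098. That hides any later lookup this HAL should not be making. The rule should name the specific type from the logged denial instead, e.g. `dontaudit hal_radioext_default <denied_service_type>:service_manager find;` (a placeholder, since the denial is not shown on the page).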
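Review bot: `/dev/dma_heap/vstream-secure` moves from `video_secure_heap_device` to `dmabuf_system_secure_heap_device` with no comment, while `vframe-secure` and `vscaler-secure` stay on the video type. The relabel hands the node to every domain already allowed on the system secure heap type (patch 1 grants `mediacodec_google` read access to it, for instance) and takes it away from domains allowed only on the video type. A comment above the line naming the consumer and the reason this heap differs from its two siblings would let a reader confirm the wider audience is intended. The surrounding entries of vendor/file_contexts lie outside the hunk.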
@@ -6,3 +6,10 @@ allow google_camera_app gxp_device:chr_file rw_file_perms; # Allows camera app to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) + +# Allow camera app to access the a subset of app services. +allow google_camera_app app_api_service:service_manager find; + +# Allows GCA to access the EdgeTPU device. +allow google_camera_app edgetpu_app_service:service_manager find; +allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te index fe017f9..2db4651 100644 --- a/vendor/hal_bootctl_default.te +++ b/vendor/hal_bootctl_default.te @@ -1,3 +1,4 @@ allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms; allow hal_bootctl_default sda_block_device:blk_file rw_file_perms; allow hal_bootctl_default sysfs_ota:file rw_file_perms; +allow hal_bootctl_default tee_device:chr_file rw_file_perms; diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 7acd698..666ad73 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -14,6 +14,10 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms; allow hal_camera_default edgetpu_device:chr_file rw_file_perms; allow hal_camera_default edgetpu_vendor_service:service_manager find; binder_call(hal_camera_default, edgetpu_vendor_server) +# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging +# library has a dependency on edgetpu_app_service, see b/275016466. +allow hal_camera_default edgetpu_app_service:service_manager find; +binder_call(hal_camera_default, edgetpu_app_server) # Allow access to data files used by the camera HAL allow hal_camera_default mnt_vendor_file:dir search; diff --git a/vendor/logd.te b/vendor/logd.te new file mode 100644 index 0000000..ca969d8 --- /dev/null +++ b/vendor/logd.te 
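Review bot: `allow hal_bootctl_default tee_device:chr_file rw_file_perms;` gives the boot-control HAL read-write access to the TEE device node without a comment or bug reference. The other three rules in the file concern block devices and an OTA sysfs node, so this one stands out. A line above it such as `# <why boot control talks to the TEE>, b/<bug-id>` would record the reason and make the grant auditable later.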
@@ -0,0 +1,4 @@ +r_dir_file(logd, logbuffer_device) +allow logd logbuffer_device:chr_file r_file_perms; +allow logd trusty_log_device:chr_file r_file_perms; + diff --git a/vendor/property.te b/vendor/property.te index ed6caac..a7450c3 100644 --- a/vendor/property.te +++ b/vendor/property.te @@ -10,3 +10,4 @@ vendor_internal_prop(vendor_usb_config_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) + diff --git a/vendor/property_contexts b/vendor/property_contexts index 2d469d5..b020540 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -17,3 +17,4 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 + diff --git a/vendor/twoshay.te b/vendor/twoshay.te index 09cc98e..219619a 100644 --- a/vendor/twoshay.te +++ b/vendor/twoshay.te @@ -1,2 +1,4 @@ # Allow ITouchContextService callback binder_call(twoshay, systemui_app) + +binder_call(twoshay, hal_radioext_default) From bc5690cd84248009bd6b46ea541296eabb434c1f Mon Sep 17 00:00:00 2001 From: Minchan Kim Date: Tue, 11 Apr 2023 21:56:34 +0000 Subject: [PATCH 3/5] remove dump_cma.sh We will introduce it into gs-common Bug: 276901078 Change-Id: I395e3ca45a3ad4aa346e56fd8746ffc70ae94107 Signed-off-by: Minchan Kim --- vendor/dump_cma.te | 7 ------- vendor/file.te | 1 - vendor/file_contexts | 1 - vendor/genfs_contexts | 1 - 4 files changed, 10 deletions(-) diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te index bf5edf2..e69de29 100644 --- a/vendor/dump_cma.te +++ b/vendor/dump_cma.te @@ -1,7 +0,0 @@ -pixel_bugreport(dump_cma) - -userdebug_or_eng(` - allow dump_cma vendor_toolbox_exec:file execute_no_trans; - allow dump_cma vendor_cma_debugfs:dir r_dir_perms; - allow dump_cma vendor_cma_debugfs:file r_file_perms; -') diff --git a/vendor/file.te b/vendor/file.te index cf4ad9f..6560298 100644 --- a/vendor/file.te +++ b/vendor/file.te 
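Review bot: `r_dir_file(logd, logbuffer_device)` in the new vendor/logd.te looks broader than needed: the macro grants read on `dir`, `file` and `lnk_file` objects of the type, while the `logbuffer_device` entries visible in this series are `/dev/logbuffer_*` nodes and the next line already grants `chr_file r_file_perms`. If no directory or regular file carries that label, drop the macro line and keep the two `chr_file` rules. The file also has no comments; the removed tracking_denials/logd.te tied the trusty_log_device access to b/261105354, which is worth carrying over as `# b/261105354`.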
@@ -23,7 +23,6 @@ type vendor_battery_debugfs, fs_type, debugfs_type; type vendor_pm_genpd_debugfs, fs_type, debugfs_type; type vendor_usb_debugfs, fs_type, debugfs_type; type vendor_maxfg_debugfs, fs_type, debugfs_type; -type vendor_cma_debugfs, fs_type, debugfs_type; # WLC type sysfs_wlc, sysfs_type, fs_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index f08be98..c81c043 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -14,7 +14,6 @@ /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 -/vendor/bin/dump/dump_cma\.sh u:object_r:dump_cma_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 /vendor/bin/dump/dump_power\.sh u:object_r:dump_power_exec:s0 /vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 5acd7ba..6c42219 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -24,7 +24,6 @@ genfscon debugfs /google_battery u:object genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0 genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0 genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 -genfscon debugfs /cma u:object_r:vendor_cma_debugfs:s0 # Extcon genfscon sysfs /devices/platform/10cb0000.hsi2c/i2c-0/0-0025/extcon/extcon0 u:object_r:sysfs_extcon:s0 From 129741a26906259128da1f223da611a994a6f8d1 Mon Sep 17 00:00:00 2001 
From: Ankit Goyal Date: Wed, 19 Apr 2023 11:50:47 -0700 Subject: [PATCH 4/5] Mark video secure devices as default dmabuf heaps Mali driver (and codec HAL as well) require direct access to video secure dmabuf devices. Mali driver being an SP-HAL cannot explicitly write blanket rules for all the scontext. So, we piggyback on dmabuf_system_secure_heap_device to allow all scontext to be able to use these device nodes. This is just as secure as dmabuf_system_secure_heap_device in that case. There is no additional security impact. An app can still use gralloc to allocate buffers from these heaps and disallowing access to these heaps to the intended users. Bug: 278513588 Test: Trusting result of ag/22743596 (no zumapro device yet) Change-Id: I2fd77e6694cdd4d1e51c9f01f4ae2b9f9670cea0 --- vendor/device.te | 2 +- vendor/file_contexts | 4 ++-- vendor/hal_graphics_allocator_default.te | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/vendor/device.te b/vendor/device.te index 50510d6..17a162c 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -12,7 +12,7 @@ type uci_device, dev_type; # Dmabuf heaps type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; -type video_secure_heap_device, dmabuf_heap_device_type, dev_type; +type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index ae84231..5de8b1e 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -160,7 +160,7 @@ /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 -/dev/dma_heap/vframe-secure u:object_r:video_secure_heap_device:s0 -/dev/dma_heap/vscaler-secure u:object_r:video_secure_heap_device:s0 +/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 +/dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/uci u:object_r:uci_device:s0 diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te index e322c3a..f77d094 100644 --- a/vendor/hal_graphics_allocator_default.te +++ b/vendor/hal_graphics_allocator_default.te @@ -1,4 +1,4 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; -allow hal_graphics_allocator_default video_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms; From 30ab75917728763191a461247baaf9f7c2386e32 Mon Sep 17 00:00:00 2001 
From: Robin Peng Date: Sun, 30 Apr 2023 00:59:33 +0000 Subject: [PATCH 5/5] Sync with device/google/zuma-sepolicy a89fbcc4aa1ae fix build breakage: device/google/zumapro-sepolicy/legacy/whitechapel_pro/file.te:4:ERROR 'Duplicate declaration of type' at token ';' on line 104436: type tcpdump_vendor_data_file, file_type, data_file_type; type updated_wifi_firmware_data_file, file_type, data_file_type; Bug: 272725898 Change-Id: Ic17d18409c28760d172a4ee7a5beb6c90016a381 --- legacy/whitechapel_pro/device.te | 2 -- legacy/whitechapel_pro/file.te | 4 --- legacy/whitechapel_pro/file_contexts | 3 -- .../hal_input_processor_default.te | 2 ++ legacy/whitechapel_pro/property.te | 3 -- legacy/whitechapel_pro/property_contexts | 3 -- private/odrefresh.te | 4 --- radio/file.te | 1 + radio/file_contexts | 1 + radio/grilservice_app.te | 2 ++ radio/modem_ml_svc_sit.te | 4 +++ radio/property.te | 2 +- radio/seapp_contexts | 4 +++ radio/vendor_ims_remote_app.te | 4 +++ radio/vendor_rcs_service_app.te | 5 +++ tracking_denials/bootanim.te | 2 -- tracking_denials/bug_map | 19 ++--------- tracking_denials/chre.te | 4 --- tracking_denials/google_camera_app.te | 7 ---- tracking_denials/hal_camera_default.te | 4 --- tracking_denials/hal_contexthub_default.te | 7 ---- tracking_denials/hal_neuralnetworks_armnn.te | 16 --------- tracking_denials/hal_power_default.te | 3 -- tracking_denials/hal_radioext_default.te | 2 -- tracking_denials/hwservicemanager.te | 4 --- tracking_denials/installd.te | 6 ---- tracking_denials/priv_app.te | 21 ------------ .../rebalance_interrupts_vendor.te | 4 --- tracking_denials/recovery.te | 4 --- tracking_denials/servicemanager.te | 6 ---- tracking_denials/system_suspend.te | 2 -- tracking_denials/tcpdump_logger.te | 4 --- vendor/bootanim.te | 1 + vendor/charger_vendor.te | 7 ++++ vendor/device.te | 4 +++ vendor/dump_cma.te | 0 vendor/dumpstate.te | 2 ++ vendor/file.te | 3 ++ vendor/file_contexts | 34 ++++++++++++++----- vendor/genfs_contexts | 6 ++++ 
vendor/google_camera_app.te | 21 ++++++++---- vendor/hal_bluetooth_btlinux.te | 3 ++ vendor/hal_camera_default.te | 5 +++ vendor/hal_contexthub_default.te | 2 ++ vendor/hal_graphics_allocator_default.te | 1 + vendor/hal_memtrack_default.te | 1 + vendor/hal_secure_element_st54spi.te | 7 ---- vendor/hal_secure_element_st54spi_aidl.te | 7 ++++ vendor/installd.te | 1 + vendor/ofl_app.te | 17 ---------- vendor/pixelstats_vendor.te | 4 +++ vendor/property.te | 5 +++ vendor/property_contexts | 5 +++ vendor/recovery.te | 8 +++++ vendor/seapp_contexts | 3 -- vendor/systemui_app.te | 4 +++ vendor/tcpdump_logger.te | 18 +++++++++- vendor/update_engine.te | 1 + vendor/vendor_init.te | 6 ++++ 59 files changed, 160 insertions(+), 175 deletions(-) create mode 100644 legacy/whitechapel_pro/hal_input_processor_default.te delete mode 100644 private/odrefresh.te create mode 100644 radio/vendor_ims_remote_app.te create mode 100644 radio/vendor_rcs_service_app.te delete mode 100644 tracking_denials/bootanim.te delete mode 100644 tracking_denials/chre.te delete mode 100644 tracking_denials/google_camera_app.te delete mode 100644 tracking_denials/hal_camera_default.te delete mode 100644 tracking_denials/hal_contexthub_default.te delete mode 100644 tracking_denials/hal_neuralnetworks_armnn.te delete mode 100644 tracking_denials/hal_power_default.te delete mode 100644 tracking_denials/hal_radioext_default.te delete mode 100644 tracking_denials/hwservicemanager.te delete mode 100644 tracking_denials/installd.te delete mode 100644 tracking_denials/priv_app.te delete mode 100644 tracking_denials/recovery.te delete mode 100644 tracking_denials/servicemanager.te delete mode 100644 tracking_denials/system_suspend.te delete mode 100644 tracking_denials/tcpdump_logger.te create mode 100644 vendor/charger_vendor.te delete mode 100644 vendor/dump_cma.te create mode 100644 vendor/hal_contexthub_default.te create mode 100644 vendor/hal_memtrack_default.te delete mode 100644 
vendor/hal_secure_element_st54spi.te create mode 100644 vendor/hal_secure_element_st54spi_aidl.te create mode 100644 vendor/installd.te delete mode 100644 vendor/ofl_app.te create mode 100644 vendor/recovery.te diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te index c45efc2..bf6f21c 100644 --- a/legacy/whitechapel_pro/device.te +++ b/legacy/whitechapel_pro/device.te @@ -1,4 +1,3 @@ -type sda_block_device, dev_type; type sg_device, dev_type; type vendor_toe_device, dev_type; type lwis_device, dev_type; @@ -6,4 +5,3 @@ type rls_device, dev_type; # Raw HID device type hidraw_device, dev_type; - diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te index 38d3dc8..23d748b 100644 --- a/legacy/whitechapel_pro/file.te +++ b/legacy/whitechapel_pro/file.te @@ -1,15 +1,11 @@ # Data type updated_wifi_firmware_data_file, file_type, data_file_type; -type tcpdump_vendor_data_file, file_type, data_file_type; type vendor_misc_data_file, file_type, data_file_type; type per_boot_file, file_type, data_file_type, core_data_file_type; type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type; type uwb_data_vendor, file_type, data_file_type; type powerstats_vendor_data_file, file_type, data_file_type; type sensor_debug_data_file, file_type, data_file_type; -userdebug_or_eng(` - typeattribute tcpdump_vendor_data_file mlstrustedobject; -') # sysfs type bootdevice_sysdev, dev_type; diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts index ea564ed..a9901c0 100644 --- a/legacy/whitechapel_pro/file_contexts +++ b/legacy/whitechapel_pro/file_contexts 
@@ -2,7 +2,6 @@ /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 -/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0 # Vendor libraries @@ -34,13 +33,11 @@ /dev/st21nfc u:object_r:nfc_device:s0 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0 /dev/socket/chre u:object_r:chre_socket:s0 -/dev/block/sda u:object_r:sda_block_device:s0 # Data /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 /data/nfc(/.*)? u:object_r:nfc_data_file:s0 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0 -/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 /data/per_boot(/.*)? u:object_r:per_boot_file:s0 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0 diff --git a/legacy/whitechapel_pro/hal_input_processor_default.te b/legacy/whitechapel_pro/hal_input_processor_default.te new file mode 100644 index 0000000..00d4c69 --- /dev/null +++ b/legacy/whitechapel_pro/hal_input_processor_default.te @@ -0,0 +1,2 @@ +# allow InputProcessor HAL to read the display resolution system property +get_prop(hal_input_processor_default, vendor_display_prop) diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te index e3a8d4b..a62eef6 100644 --- a/legacy/whitechapel_pro/property.te +++ b/legacy/whitechapel_pro/property.te @@ -12,6 +12,3 @@ system_vendor_config_prop(vendor_uwb_calibration_prop) # Trusty storage FS ready vendor_internal_prop(vendor_trusty_storage_prop) - -# Mali Integration -vendor_public_prop(vendor_arm_runtime_option_prop) 
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts index 6faf239..fa5c917 100644 --- a/legacy/whitechapel_pro/property_contexts +++ b/legacy/whitechapel_pro/property_contexts @@ -20,6 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro # Trusty ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0 - -# Mali GPU driver configuration and debug options -vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix diff --git a/private/odrefresh.te b/private/odrefresh.te deleted file mode 100644 index 83b1e63..0000000 --- a/private/odrefresh.te +++ /dev/null @@ -1,4 +0,0 @@ -userdebug_or_eng(` - permissive odrefresh; - dontaudit odrefresh property_type:file *; -') diff --git a/radio/file.te b/radio/file.te index d8d253a..daceb56 100644 --- a/radio/file.te +++ b/radio/file.te @@ -1,6 +1,7 @@ # Data type rild_vendor_data_file, file_type, data_file_type; type vendor_gps_file, file_type, data_file_type; +type modem_ml_data_file, file_type, data_file_type; type modem_stat_data_file, file_type, data_file_type; type vendor_log_file, file_type, data_file_type; type vendor_rfsd_log_file, file_type, data_file_type; diff --git a/radio/file_contexts b/radio/file_contexts index 82a519b..8d74be8 100644 --- a/radio/file_contexts +++ b/radio/file_contexts @@ -19,6 +19,7 @@ /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te index 7809537..2525bab 100644 --- a/radio/grilservice_app.te +++ b/radio/grilservice_app.te 
@@ -8,6 +8,8 @@ allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find; allow grilservice_app hal_wifi_ext_service:service_manager find; allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find; allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find; +allow grilservice_app radio_vendor_data_file:dir create_dir_perms; +allow grilservice_app radio_vendor_data_file:file create_file_perms; binder_call(grilservice_app, hal_bluetooth_btlinux) binder_call(grilservice_app, hal_radioext_default) binder_call(grilservice_app, hal_wifi_ext) diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te index e742dbf..d094fb6 100644 --- a/radio/modem_ml_svc_sit.te +++ b/radio/modem_ml_svc_sit.te @@ -11,6 +11,10 @@ allow modem_ml_svc_sit radio_device:chr_file rw_file_perms; allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms; allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms; +# Grant modem ml data file/dir creation permission +allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms; +allow modem_ml_svc_sit modem_ml_data_file:file create_file_perms; + # Grant modem ml models config files access allow modem_ml_svc_sit modem_config_file:file r_file_perms; diff --git a/radio/property.te b/radio/property.te index 25d9454..16ccefc 100644 --- a/radio/property.te +++ b/radio/property.te @@ -1,4 +1,4 @@ -# P24 vendor properties +# P23 vendor properties vendor_internal_prop(vendor_carrier_prop) vendor_internal_prop(vendor_cbd_prop) vendor_internal_prop(vendor_slog_prop) diff --git a/radio/seapp_contexts b/radio/seapp_contexts index 9e74853..6d0de36 100644 --- a/radio/seapp_contexts +++ b/radio/seapp_contexts 
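Review bot: The two added rules give `grilservice_app` `create_dir_perms` and `create_file_perms` on `radio_vendor_data_file` with no comment on what the app stores there. The modem_ml_svc_sit hunk in this same patch introduces a dedicated `modem_ml_data_file` type for that service's files; if grilservice only needs its own subdirectory, a dedicated type would keep a privileged app from creating or modifying other radio data. At minimum add a comment such as `# <what grilservice writes under the radio vendor data dir> (b/<BUG_ID>)`.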
@@ -14,7 +14,11 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_ user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all +user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all + # slsi logging apps user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all diff --git a/radio/vendor_ims_remote_app.te b/radio/vendor_ims_remote_app.te new file mode 100644 index 0000000..f5d3846 --- /dev/null +++ b/radio/vendor_ims_remote_app.te @@ -0,0 +1,4 @@ +type vendor_ims_remote_app, domain; +app_domain(vendor_ims_remote_app) + +allow vendor_ims_remote_app app_api_service:service_manager find; diff --git a/radio/vendor_rcs_service_app.te b/radio/vendor_rcs_service_app.te new file mode 100644 index 0000000..a7ae221 --- /dev/null +++ b/radio/vendor_rcs_service_app.te @@ -0,0 +1,5 @@ +type vendor_rcs_service_app, domain; +app_domain(vendor_rcs_service_app) + +allow vendor_rcs_service_app app_api_service:service_manager find; +allow vendor_rcs_service_app radio_service:service_manager find; diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te deleted file mode 100644 index e15c110..0000000 --- a/tracking_denials/bootanim.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/260522279 -dontaudit bootanim system_data_file:dir { search }; 
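Review bot: The three added seapp_contexts lines select on `isPrivApp=true` and `name=` only, with no `seinfo=`, so the domain is chosen by process name rather than by signing certificate; `name=.ShannonImsService` in particular is not a package-qualified name. The slsi logging entry just below uses `seinfo=platform`, which is the pattern to follow. If radio/mac_permissions.xml defines a signer tag for these packages, add it, e.g. `user=_app isPrivApp=true seinfo=<SEINFO_TAG> name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all`. The existing entries above have the same shape, so this may be better handled as a cleanup across the file.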
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map index 8af6ec0..821f41d 100644 --- a/tracking_denials/bug_map +++ b/tracking_denials/bug_map @@ -4,8 +4,7 @@ con_monitor_app dalvikcache_data_file dir b/264483670 con_monitor_app dalvikcache_data_file file b/264483670 con_monitor_app mnt_expand_file dir b/264483670 con_monitor_app system_data_file lnk_file b/264483670 -dumpstate app_zygote process b/264483390 -dumpstate sysfs_scsi_devices_0000 file b/272166771 +dumpstate app_zygote process b/279680264 google_camera_app audio_service service_manager b/264600171 google_camera_app backup_service service_manager b/264483456 google_camera_app legacy_permission_service service_manager b/264600171 @@ -14,14 +13,10 @@ hal_audio_default hal_audio_default binder b/274374769 hal_bootctl_default hal_bootctl_default capability b/274727372 hal_camera_default edgetpu_app_server binder b/275001641 hal_camera_default edgetpu_app_service service_manager b/275001641 -hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983 -hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086 -hal_dumpstate_default vendor_modem_prop property_service b/264482983 -hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940 -hal_power_default sysfs file b/273638876 +hal_input_processor_default vendor_display_prop file b/279680070 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151 -hal_uwb_default debugfs file b/273639365 +hal_uwb_default debugfs file b/279680213 incidentd apex_art_data_file file b/272628762 incidentd incidentd anon_inode b/274374992 insmod-sh insmod-sh key b/274374722 
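Review bot: The added `hal_input_processor_default vendor_display_prop file b/279680070` entry tracks a denial that this same patch resolves with `get_prop(hal_input_processor_default, vendor_display_prop)` in legacy/whitechapel_pro/hal_input_processor_default.te, assuming both directories are built into the same policy. The unchanged `hal_camera_default edgetpu_app_server binder` and `edgetpu_app_service service_manager` lines look stale for the same reason, since an earlier patch in this series adds the matching `allow` and `binder_call`. An entry left behind ties a bug id to a denial that should no longer occur and blurs the signal if the rule is later dropped; remove each entry in the change that adds its rule.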
@@ -32,16 +27,8 @@ mtectrl unlabeled dir b/264483752 platform_app bootanim_system_prop property_service b/264483532 servicemanager hal_fingerprint_default binder b/264483753 system_server default_android_service service_manager b/264483754 -systemui_app bootanim_system_prop property_service b/269964574 -systemui_app hal_googlebattery binder b/269964574 systemui_app init unix_stream_socket b/269964574 -systemui_app mediaextractor_service service_manager b/272628174 -systemui_app mediametrics_service service_manager b/272628174 -systemui_app mediaserver_service service_manager b/272628174 systemui_app property_socket sock_file b/269964574 -systemui_app qemu_hw_prop file b/269964574 -systemui_app twoshay binder b/269964574 -systemui_app vr_manager_service service_manager b/272628174 twoshay systemui_app binder b/269964558 untrusted_app default_android_service service_manager b/264599934 vendor_init device_config_configuration_prop property_service b/267714573 diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te deleted file mode 100644 index beee716..0000000 --- a/tracking_denials/chre.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/261105224 -dontaudit chre hal_system_suspend_service:service_manager { find }; -dontaudit chre servicemanager:binder { call }; -dontaudit chre system_suspend_server:binder { call }; diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te deleted file mode 100644 index b6994f9..0000000 --- a/tracking_denials/google_camera_app.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/264490031 -userdebug_or_eng(` - permissive google_camera_app; -') -# b/277300017 -dontaudit google_camera_app cameraserver_service:service_manager { find }; -dontaudit google_camera_app mediaserver_service:service_manager { find }; diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te deleted file mode 100644 index abc4811..0000000 --- a/tracking_denials/hal_camera_default.te +++ /dev/null 
@@ -1,4 +0,0 @@ -# b/264489778 -userdebug_or_eng(` - permissive hal_camera_default; -') diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te deleted file mode 100644 index 3c9a51f..0000000 --- a/tracking_denials/hal_contexthub_default.te +++ /dev/null @@ -1,7 +0,0 @@ -# b/261105182 -dontaudit hal_contexthub_default chre:unix_stream_socket { connectto }; -dontaudit hal_contexthub_default chre_socket:sock_file { write }; -# b/264489794 -userdebug_or_eng(` - permissive hal_contexthub_default; -') \ No newline at end of file diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te deleted file mode 100644 index 8f3138c..0000000 --- a/tracking_denials/hal_neuralnetworks_armnn.te +++ /dev/null @@ -1,16 +0,0 @@ -# b/260366177 -dontaudit hal_neuralnetworks_armnn system_data_file:dir { search }; -# b/260768359 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/260921579 -dontaudit hal_neuralnetworks_armnn default_prop:file { getattr }; -dontaudit hal_neuralnetworks_armnn default_prop:file { map }; -dontaudit hal_neuralnetworks_armnn default_prop:file { open }; -dontaudit hal_neuralnetworks_armnn default_prop:file { read }; -# b/264489188 -userdebug_or_eng(` - permissive hal_neuralnetworks_armnn; -') \ No newline at end of file diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te deleted file mode 100644 index 5925425..0000000 --- a/tracking_denials/hal_power_default.te +++ /dev/null @@ -1,3 +0,0 @@ -# b/267261305 -dontaudit hal_power_default hal_power_default:capability { dac_override }; -dontaudit hal_power_default hal_power_default:capability { dac_read_search }; 
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te deleted file mode 100644 index d37fc60..0000000 --- a/tracking_denials/hal_radioext_default.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/275646098 -dontaudit hal_radioext_default service_manager_type:service_manager find; diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te deleted file mode 100644 index 53222bd..0000000 --- a/tracking_denials/hwservicemanager.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264489781 -userdebug_or_eng(` - permissive hwservicemanager; -') diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te deleted file mode 100644 index 95b0a2f..0000000 --- a/tracking_denials/installd.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/260522202 -dontaudit installd modem_img_file:filesystem { quotaget }; -# b/264490035 -userdebug_or_eng(` - permissive installd; -') \ No newline at end of file diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te deleted file mode 100644 index 604cf7d..0000000 --- a/tracking_denials/priv_app.te +++ /dev/null @@ -1,21 +0,0 @@ -# b/260366281 -dontaudit priv_app privapp_data_file:dir { getattr }; -dontaudit priv_app privapp_data_file:dir { search }; -dontaudit priv_app vendor_default_prop:file { getattr }; -dontaudit priv_app vendor_default_prop:file { map }; -dontaudit priv_app vendor_default_prop:file { open }; -# b/260522282 -dontaudit priv_app privapp_data_file:file { open }; -dontaudit priv_app privapp_data_file:file { setattr }; -# b/260768358 -dontaudit priv_app default_android_service:service_manager { find }; -# b/260922442 -dontaudit priv_app default_android_service:service_manager { find }; -# b/263185432 -dontaudit priv_app privapp_data_file:file { unlink }; -# b/264490074 -userdebug_or_eng(` - permissive priv_app; -')# b/268572216 -dontaudit priv_app privapp_data_file:dir { add_name }; -dontaudit priv_app privapp_data_file:dir { remove_name }; 
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te index 26657eb..f38b36f 100644 --- a/tracking_denials/rebalance_interrupts_vendor.te +++ b/tracking_denials/rebalance_interrupts_vendor.te @@ -1,6 +1,2 @@ # b/260366278 dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override }; -# b/264489565 -userdebug_or_eng(` - permissive rebalance_interrupts_vendor; -') \ No newline at end of file diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te deleted file mode 100644 index bd39922..0000000 --- a/tracking_denials/recovery.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490092 -userdebug_or_eng(` - permissive recovery; -') \ No newline at end of file diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te deleted file mode 100644 index 142b95b..0000000 --- a/tracking_denials/servicemanager.te +++ /dev/null @@ -1,6 +0,0 @@ -# b/263429985 -dontaudit servicemanager tee:binder { call }; -# b/264489962 -userdebug_or_eng(` - permissive servicemanager; -') \ No newline at end of file diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te deleted file mode 100644 index b834b57..0000000 --- a/tracking_denials/system_suspend.te +++ /dev/null @@ -1,2 +0,0 @@ -# b/261105356 -dontaudit system_suspend_server chre:binder { transfer }; diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te deleted file mode 100644 index b0a7046..0000000 --- a/tracking_denials/tcpdump_logger.te +++ /dev/null @@ -1,4 +0,0 @@ -# b/264490014 -userdebug_or_eng(` - permissive tcpdump_logger; -') \ No newline at end of file diff --git a/vendor/bootanim.te b/vendor/bootanim.te index cc36346..0289a4d 100644 --- a/vendor/bootanim.te +++ b/vendor/bootanim.te @@ -1 +1,2 @@ allow bootanim arm_mali_platform_service:service_manager find; +dontaudit bootanim system_data_file:dir { search }; 
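Review bot: `dontaudit bootanim system_data_file:dir { search };` moves from tracking_denials/bootanim.te into vendor/bootanim.te without the `# b/260522279` line the deleted file carried. Once the rule sits in the permanent policy, the suppression has no visible owner or reason. Keep the reference and say why the denial is benign, e.g. `# b/260522279: <why bootanim's search of system_data_file is harmless>`.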
diff --git a/vendor/charger_vendor.te b/vendor/charger_vendor.te new file mode 100644 index 0000000..d992247 --- /dev/null +++ b/vendor/charger_vendor.te @@ -0,0 +1,7 @@ +# charger_vendor for battery in off-mode charging +allow charger_vendor mnt_vendor_file:dir search; +allow charger_vendor persist_file:dir search; +allow charger_vendor sysfs_batteryinfo:file w_file_perms; +allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms; +dontaudit charger_vendor default_prop:file r_file_perms; +set_prop(charger_vendor, vendor_battery_defender_prop) diff --git a/vendor/device.te b/vendor/device.te index 17a162c..695c54f 100644 --- a/vendor/device.te +++ b/vendor/device.te @@ -13,6 +13,10 @@ type uci_device, dev_type; type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type; type faceauth_heap_device, dmabuf_heap_device_type, dev_type; type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type; +type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type; # SecureElement SPI device type st54spi_device, dev_type; + +# OTA +type sda_block_device, dev_type; diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te deleted file mode 100644 index e69de29..0000000 diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te index 03d0b40..dc0f6c9 100644 --- a/vendor/dumpstate.te +++ b/vendor/dumpstate.te @@ -3,6 +3,8 @@ dump_hal(hal_graphics_composer) dump_hal(hal_health) +dump_hal(hal_telephony) + dump_hal(hal_confirmationui) binder_call(dumpstate, hal_wireless_charger) diff --git a/vendor/file.te b/vendor/file.te index 6560298..cc0f2b9 100644 --- a/vendor/file.te +++ b/vendor/file.te @@ -30,6 +30,9 @@ type sysfs_wlc, sysfs_type, fs_type; # CHRE type chre_socket, file_type; +# BT +type vendor_bt_data_file, file_type, data_file_type; + # Data type sensor_reg_data_file, file_type, data_file_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index 5de8b1e..547067b 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts 
@@ -3,7 +3,7 @@ /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zumapro u:object_r:hal_bootctl_default_exec:s0 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0 -/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0 +/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0 @@ -12,6 +12,7 @@ /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0 +/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0 @@ -26,6 +27,7 @@ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0 +/vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0 # Vendor Firmwares /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0 
@@ -34,6 +36,8 @@ # Vendor libraries /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 +# Vendor +/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 # persist /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 @@ -44,6 +48,7 @@ # Devices /dev/bbd_pwrstat u:object_r:power_stats_device:s0 /dev/edgetpu-soc u:object_r:edgetpu_device:s0 +/dev/block/sda u:object_r:sda_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0 /dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 
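Review bot: In vendor/file_contexts, `/dev/block/sda u:object_r:sda_block_device:s0` labels the whole-disk node, and neither this hunk nor the bare `# OTA` comment on the type in vendor/device.te says which domain is meant to open it. Raw access to a whole-disk node is not limited by the per-partition labels (`persist_block_device`, `efs_block_device`, ...). Any later `allow ... sda_block_device:blk_file` rule would therefore also reach those partitions, assuming they sit on the same LUN. I would record the intended consumer next to the entry, e.g. `# Whole-disk node for OTA; only <domain> may open it, see <bug id>`, and consider a `neverallow` for all other domains where the type is declared.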
@@ -99,23 +104,29 @@ /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0 +/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0 /dev/logbuffer_bd u:object_r:logbuffer_device:s0 -/dev/lwis-act-jotnar u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman u:object_r:lwis_device:s0 -/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0 /dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0 +/dev/lwis-act-jotnar u:object_r:lwis_device:s0 +/dev/lwis-act-nessie u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman u:object_r:lwis_device:s0 +/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0 /dev/lwis-be-core u:object_r:lwis_device:s0 /dev/lwis-csi u:object_r:lwis_device:s0 /dev/lwis-dpm u:object_r:lwis_device:s0 /dev/lwis-eeprom-djinn u:object_r:lwis_device:s0 /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0 +/dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0 +/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0 +/dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 /dev/lwis-g3aa u:object_r:lwis_device:s0 
@@ -129,27 +140,31 @@ /dev/lwis-isp-fe u:object_r:lwis_device:s0 /dev/lwis-lme u:object_r:lwis_device:s0 /dev/lwis-mcsc u:object_r:lwis_device:s0 +/dev/lwis-ois-djinn u:object_r:lwis_device:s0 /dev/lwis-ois-gargoyle u:object_r:lwis_device:s0 /dev/lwis-ois-humbaba u:object_r:lwis_device:s0 /dev/lwis-ois-jotnar u:object_r:lwis_device:s0 -/dev/lwis-ois-djinn u:object_r:lwis_device:s0 +/dev/lwis-ois-nessie u:object_r:lwis_device:s0 /dev/lwis-pdp u:object_r:lwis_device:s0 /dev/lwis-scsc u:object_r:lwis_device:s0 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0 +/dev/lwis-sensor-imentet u:object_r:lwis_device:s0 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0 /dev/lwis-sensor-lamassu u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen u:object_r:lwis_device:s0 +/dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0 /dev/lwis-sensor-nagual u:object_r:lwis_device:s0 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0 /dev/lwis-slc u:object_r:lwis_device:s0 /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0 /dev/lwis-top u:object_r:lwis_device:s0 -/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0 -# Although stmvl53l1_ranging is not a real lwis_device but we treat it as an abstract lwis_device. -# Binding it here with lwis-tof-vl53l8 for a better maintenance instead of creating another device type. -/dev/stmvl53l1_ranging u:object_r:lwis_device:s0 +/dev/lwis-tof-tarasque u:object_r:lwis_device:s0 +# Although ispolin_ranging is not a real lwis_device but we treat it as an abstract lwis_device. +# Binding it here with lwis-tof-tarasque for a better maintenance instead of creating another device type. +/dev/ispolin_ranging u:object_r:lwis_device:s0 /dev/lwis-votf u:object_r:lwis_device:s0 /dev/st54spi u:object_r:st54spi_device:s0 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0 
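Review bot: In vendor/file_contexts, labelling `/dev/ispolin_ranging` as `lwis_device` means every domain holding `lwis_device:chr_file` access also gets the ranging node, which the comment itself says is not a real LWIS device. vendor/hal_camera_default.te grants `rw_file_perms` on that type, so the sharing is not read-only. If the label is kept for maintenance reasons, the comment should name the one client expected to open the node, e.g. `# ispolin_ranging: opened only by <domain>; shares lwis_device to avoid a new type`. If other domains later gain `lwis_device` access, a dedicated type would keep the ranging driver's ioctl surface out of their reach.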
@@ -160,6 +175,7 @@ /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0 +/dev/dma_heap/framebuffer-secure u:object_r:framebuffer_secure_heap_device:s0 /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts index 6c42219..28ac6d2 100644 --- a/vendor/genfs_contexts +++ b/vendor/genfs_contexts @@ -11,6 +11,8 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo # Fabric genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0 +genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0 # EdgeTPU genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0 @@ -446,6 +448,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0 # Trusty genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0 
@@ -456,6 +459,9 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje # GPU genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0 # GSA logs genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0 diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te index 9c233fe..8c030f4 100644 --- a/vendor/google_camera_app.te +++ b/vendor/google_camera_app.te 
@@ -1,15 +1,24 @@ type google_camera_app, domain, coredomain; app_domain(google_camera_app) +net_domain(google_camera_app) -# Allows camera app to access the GXP device. +allow google_camera_app app_api_service:service_manager find; +allow google_camera_app audioserver_service:service_manager find; +allow google_camera_app cameraserver_service:service_manager find; +allow google_camera_app mediaextractor_service:service_manager find; +allow google_camera_app mediametrics_service:service_manager find; +allow google_camera_app mediaserver_service:service_manager find; + +# Allows GCA to acccess the GXP device and search for the firmware file. allow google_camera_app gxp_device:chr_file rw_file_perms; +allow google_camera_app vendor_fw_file:dir search; -# Allows camera app to access the PowerHAL. +# Allows GCA to access the PowerHAL. hal_client_domain(google_camera_app, hal_power) -# Allow camera app to access the a subset of app services. -allow google_camera_app app_api_service:service_manager find; - -# Allows GCA to access the EdgeTPU device. +# Allows GCA to find and access the EdgeTPU. allow google_camera_app edgetpu_app_service:service_manager find; allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }; + +# Library code may try to access vendor properties, but should be denied +dontaudit google_camera_app vendor_default_prop:file { getattr map open }; diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te index 2167b3c..c496ea0 100644 --- a/vendor/hal_bluetooth_btlinux.te +++ b/vendor/hal_bluetooth_btlinux.te @@ -2,5 +2,8 @@ allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms; allow hal_bluetooth_btlinux device:dir r_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms; +allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms; + # allow the HAL to call cccdktimesync registered callbacks binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app) 
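Review bot: In vendor/google_camera_app.te, `net_domain(google_camera_app)` is added with no comment, and the block of `service_manager find` rules loses the comment it had before the rewrite. The same domain holds `rw_file_perms` on `gxp_device` and `{ getattr read write ioctl map }` on `edgetpu_device`, so a network-facing app process now sits directly next to two accelerator device nodes. The reason for network access should be recorded, e.g. `# Allows GCA to use the network for <feature>, see <bug id>`. The new GXP comment also has a typo, `acccess`.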
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 666ad73..a7d9db9 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -7,6 +7,8 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms; # Face authentication code that is part of the camera HAL needs to allocate # dma_bufs and access the Trusted Execution Environment device node +allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms; +allow hal_camera_default tee_device:chr_file rw_file_perms; # Allow the camera hal to access the EdgeTPU service and the # Android shared memory allocated by the EdgeTPU service for @@ -82,6 +84,9 @@ binder_call(hal_camera_default, hal_radioext_default); allow hal_camera_default rls_service:service_manager find; binder_call(hal_camera_default, rlsservice) +# Allow access to always-on compute device node +allow hal_camera_default aoc_device:chr_file rw_file_perms; + # Allow camera HAL to send trace packets to Perfetto userdebug_or_eng(`perfetto_producer(hal_camera_default)') diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te new file mode 100644 index 0000000..7e0eef2 --- /dev/null +++ b/vendor/hal_contexthub_default.te @@ -0,0 +1,2 @@ +# Allow context hub HAL to communicate with daemon via socket +unix_socket_connect(hal_contexthub_default, chre, chre) diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te index f77d094..628329b 100644 --- a/vendor/hal_graphics_allocator_default.te +++ b/vendor/hal_graphics_allocator_default.te 
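Review bot: In the first hunk of vendor/hal_camera_default.te, `allow hal_camera_default tee_device:chr_file rw_file_perms;` opens the generic Trusty IPC node to the camera HAL (`/dev/trusty-ipc-dev0` carries the `tee_device` label in vendor/file_contexts). This rule cannot say which trusted application the HAL may connect to, so any restriction has to be enforced on the TEE side. The existing comment gives face authentication as the reason; I would extend it to name the expected Trusty service and state that assumption, e.g. `# tee_device is not scoped per service: the faceauth TA must authenticate its client`. In the second hunk, the `aoc_device` grant is also `rw_file_perms`, and its comment should say which always-on compute feature needs write access.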
@@ -2,3 +2,4 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_p allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms; diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te new file mode 100644 index 0000000..7554c6f --- /dev/null +++ b/vendor/hal_memtrack_default.te @@ -0,0 +1 @@ +r_dir_file(hal_memtrack_default, sysfs_gpu) diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te deleted file mode 100644 index 3cc726d..0000000 --- a/vendor/hal_secure_element_st54spi.te +++ /dev/null @@ -1,7 +0,0 @@ -type hal_secure_element_st54spi, domain; -type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_secure_element_st54spi) -hal_server_domain(hal_secure_element_st54spi, hal_secure_element) -allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; -allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) diff --git a/vendor/hal_secure_element_st54spi_aidl.te b/vendor/hal_secure_element_st54spi_aidl.te new file mode 100644 index 0000000..5110b96 --- /dev/null +++ b/vendor/hal_secure_element_st54spi_aidl.te 
@@ -0,0 +1,7 @@ +type hal_secure_element_st54spi_aidl, domain; +type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi_aidl) +hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element) +allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop) diff --git a/vendor/installd.te b/vendor/installd.te new file mode 100644 index 0000000..44e74c6 --- /dev/null +++ b/vendor/installd.te @@ -0,0 +1 @@ +dontaudit installd modem_img_file:filesystem quotaget; diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te deleted file mode 100644 index 69e166a..0000000 --- a/vendor/ofl_app.te +++ /dev/null @@ -1,17 +0,0 @@ -# OFLBasicAgent app - -type ofl_app, domain; - -userdebug_or_eng(` - app_domain(ofl_app) - net_domain(ofl_app) - - allow ofl_app app_api_service:service_manager find; - allow ofl_app nfc_service:service_manager find; - allow ofl_app radio_service:service_manager find; - allow ofl_app surfaceflinger_service:service_manager find; - - # Access to directly update firmware on st54spi_device - typeattribute st54spi_device mlstrustedobject; - allow ofl_app st54spi_device:chr_file rw_file_perms; -') \ No newline at end of file diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 18a1472..2d0fb38 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -21,3 +21,7 @@ allow pixelstats_vendor sysfs_pcie:dir search; allow pixelstats_vendor sysfs_pcie:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; + +#Thermal +r_dir_file(pixelstats_vendor, sysfs_thermal) +allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; diff --git a/vendor/property.te b/vendor/property.te index a7450c3..105574b 100644 --- a/vendor/property.te +++ b/vendor/property.te 
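Review bot: The new vendor/hal_secure_element_st54spi_aidl.te has no comments, and two of its rules need one: `allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;` (a secure-element HAL writing to the NFC device node) and `set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)`. The exec type is attached in vendor/file_contexts to `android.hardware.secure_element-service.thales`, so the domain name and the binary name no longer match. A header comment would make the mapping explicit, e.g. `# AIDL secure element HAL (secure_element-service.thales) for the st54spi device`. The rules look copied unchanged from the deleted HIDL file, so this is a documentation point rather than a new grant.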
@@ -11,3 +11,8 @@ vendor_internal_prop(vendor_usb_config_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# Mali Integration +vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index b020540..e837a5c 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -18,3 +18,8 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/vendor/recovery.te b/vendor/recovery.te new file mode 100644 index 0000000..efbea53 --- /dev/null +++ b/vendor/recovery.te @@ -0,0 +1,8 @@ +recovery_only(` + allow recovery sysfs_ota:file rw_file_perms; + allow recovery st54spi_device:chr_file rw_file_perms; + allow recovery tee_device:chr_file rw_file_perms; + allow recovery sysfs_scsi_devices_0000:file r_file_perms; + allow recovery sysfs_scsi_devices_0000:dir r_dir_perms; + set_prop(recovery, boottime_prop) +') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 8f5eea1..9c10fdd 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -4,9 +4,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all 
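Review bot: The new vendor/recovery.te gives recovery `rw_file_perms` on both `st54spi_device` and `tee_device` with no comment on why recovery talks to the secure element or the TEE. These are the most sensitive nodes the block touches, so each rule should carry its purpose, e.g. `# <operation> during factory reset / OTA needs the secure element, see <bug id>` above the `st54spi_device` line and an equivalent line for `tee_device`. I can't tell from the hunk whether both are used on every recovery path; if one is only there to silence a denial, it should be dropped or turned into `dontaudit`.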
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 312d8c8..b462eb3 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -7,10 +7,14 @@ allow systemui_app color_display_service:service_manager find; allow systemui_app audioserver_service:service_manager find; allow systemui_app cameraserver_service:service_manager find; allow systemui_app mediaserver_service:service_manager find; +allow systemui_app mediaextractor_service:service_manager find; +allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) +get_prop(systemui_app, qemu_hw_prop) allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te index 1018104..7cf0245 100644 --- a/vendor/tcpdump_logger.te +++ b/vendor/tcpdump_logger.te 
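Review bot: In vendor/systemui_app.te, `get_prop(systemui_app, qemu_hw_prop)` and `allow systemui_app vr_manager_service:service_manager find;` are added with no rationale. The first stands out on a hardware target, where a read of an emulator property often comes from shared library code probing its environment (an inference; the hunk does not show the caller). If SystemUI does not need the value, `dontaudit systemui_app qemu_hw_prop:file { getattr map open };` would be the narrower choice. If the grant stays, a comment such as `# <component> reads qemu.hw.* at startup, see <bug id>` should say why.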
@@ -1,5 +1,21 @@ type tcpdump_logger, domain; type tcpdump_logger_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(tcpdump_logger) +userdebug_or_eng(` + # make transition from init to its domain + init_daemon_domain(tcpdump_logger) + allow tcpdump_logger self:capability net_raw; + allow tcpdump_logger self:packet_socket create_socket_perms; + allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; + allow tcpdump_logger tcpdump_exec:file rx_file_perms; + allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; + allow tcpdump_logger tcpdump_vendor_data_file:dir search; + allow tcpdump_logger radio_vendor_data_file:file create_file_perms; + allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger wifi_logging_data_file:file create_file_perms; + allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms; + + set_prop(tcpdump_logger, vendor_tcpdump_log_prop) +') \ No newline at end of file diff --git a/vendor/update_engine.te b/vendor/update_engine.te index b4f3cf8..a403d9e 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te @@ -1,2 +1,3 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; +allow update_engine proc_bootconfig:file r_file_perms; diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 646aa0f..373eeaf 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -29,3 +29,9 @@ set_prop(vendor_init, vendor_usb_config_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) set_prop(vendor_init, vendor_ssrdump_prop) + +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) + +# MM +allow vendor_init proc_watermark_scale_factor:file w_file_perms;
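Review bot: In the new `userdebug_or_eng` block of vendor/tcpdump_logger.te, `allow tcpdump_logger tcpdump_vendor_data_file:dir search;` is redundant and can be dropped, because `create_dir_perms` on the same type two lines earlier already includes `search`. The `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` line should name the request in a comment, e.g. `# SIOCGIFINDEX`, so the ioctl allow-list stays reviewable. The domain also gets `create_file_perms` and `create_dir_perms` on `radio_vendor_data_file` and `wifi_logging_data_file`, outside its own data type, and a one-line comment on why captures are written there would help. The file still ends without a trailing newline.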