diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index c45efc2..bf6f21c 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -1,4 +1,3 @@
-type sda_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
@@ -6,4 +5,3 @@ type rls_device, dev_type;
 # Raw HID device
 type hidraw_device, dev_type;
-
diff --git a/legacy/whitechapel_pro/file.te b/legacy/whitechapel_pro/file.te
index 38d3dc8..23d748b 100644
--- a/legacy/whitechapel_pro/file.te
+++ b/legacy/whitechapel_pro/file.te
@@ -1,15 +1,11 @@
 # Data
 type updated_wifi_firmware_data_file, file_type, data_file_type;
-type tcpdump_vendor_data_file, file_type, data_file_type;
 type vendor_misc_data_file, file_type, data_file_type;
 type per_boot_file, file_type, data_file_type, core_data_file_type;
 type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
 type uwb_data_vendor, file_type, data_file_type;
 type powerstats_vendor_data_file, file_type, data_file_type;
 type sensor_debug_data_file, file_type, data_file_type;
-userdebug_or_eng(`
- typeattribute tcpdump_vendor_data_file mlstrustedobject;
-')
 # sysfs
 type bootdevice_sysdev, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index ea564ed..a9901c0 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -2,7 +2,6 @@
 /vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
-/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 # Vendor libraries
@@ -34,13 +33,11 @@
 /dev/st21nfc u:object_r:nfc_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
 /dev/socket/chre u:object_r:chre_socket:s0
-/dev/block/sda u:object_r:sda_block_device:s0
 # Data
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
 /data/nfc(/.*)? u:object_r:nfc_data_file:s0
 /data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
-/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
 /data/per_boot(/.*)? u:object_r:per_boot_file:s0
 /data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
diff --git a/legacy/whitechapel_pro/hal_input_processor_default.te b/legacy/whitechapel_pro/hal_input_processor_default.te
new file mode 100644
index 0000000..00d4c69
--- /dev/null
+++ b/legacy/whitechapel_pro/hal_input_processor_default.te
@@ -0,0 +1,2 @@
+# allow InputProcessor HAL to read the display resolution system property
+get_prop(hal_input_processor_default, vendor_display_prop)
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index e3a8d4b..a62eef6 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -12,6 +12,3 @@ system_vendor_config_prop(vendor_uwb_calibration_prop)
 # Trusty storage FS ready
 vendor_internal_prop(vendor_trusty_storage_prop)
-
-# Mali Integration
-vendor_public_prop(vendor_arm_runtime_option_prop)
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 6faf239..fa5c917 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -20,6 +20,3 @@ ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_pro
 # Trusty
 ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
-
-# Mali GPU driver configuration and debug options
-vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix
diff --git a/private/odrefresh.te b/private/odrefresh.te
deleted file mode 100644
index 83b1e63..0000000
--- a/private/odrefresh.te
+++ /dev/null
@@ -1,4 +0,0 @@
-userdebug_or_eng(`
- permissive odrefresh;
- dontaudit odrefresh property_type:file *;
-')
diff --git a/radio/file.te b/radio/file.te
index d8d253a..daceb56 100644
--- a/radio/file.te
+++ b/radio/file.te
@@ -1,6 +1,7 @@
 # Data
 type rild_vendor_data_file, file_type, data_file_type;
 type vendor_gps_file, file_type, data_file_type;
+type modem_ml_data_file, file_type, data_file_type;
 type modem_stat_data_file, file_type, data_file_type;
 type vendor_log_file, file_type, data_file_type;
 type vendor_rfsd_log_file, file_type, data_file_type;
diff --git a/radio/file_contexts b/radio/file_contexts
index 82a519b..8d74be8 100644
--- a/radio/file_contexts
+++ b/radio/file_contexts
@@ -19,6 +19,7 @@
 /data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
 /data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/modem_ml(/.*)? u:object_r:modem_ml_data_file:s0
 /data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
 /data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
diff --git a/radio/grilservice_app.te b/radio/grilservice_app.te
index 7809537..2525bab 100644
--- a/radio/grilservice_app.te
+++ b/radio/grilservice_app.te
@@ -8,6 +8,8 @@ allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
 allow grilservice_app hal_wifi_ext_service:service_manager find;
 allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
 allow grilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow grilservice_app radio_vendor_data_file:dir create_dir_perms;
+allow grilservice_app radio_vendor_data_file:file create_file_perms;
 binder_call(grilservice_app, hal_bluetooth_btlinux)
 binder_call(grilservice_app, hal_radioext_default)
 binder_call(grilservice_app, hal_wifi_ext)
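Review bot: The two `radio_vendor_data_file` rules added in radio/grilservice_app.te give an app domain full create, write and unlink rights on a label that at least one daemon also writes (radio/modem_ml_svc_sit.te holds the same grants), and nothing in the hunk says which files the app needs. A bug or compromise in grilservice_app could then alter files other radio components read back, so the grant is worth narrowing: if the app only reads, `allow grilservice_app radio_vendor_data_file:file r_file_perms;` with `:dir r_dir_perms;` would do, otherwise a dedicated type for its own subdirectory, as this commit does with `modem_ml_data_file`. At minimum, add a comment above the rules naming the path and the reason. The policy file continues outside the hunk, so an existing comment may already cover this.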
diff --git a/radio/modem_ml_svc_sit.te b/radio/modem_ml_svc_sit.te
index e742dbf..d094fb6 100644
--- a/radio/modem_ml_svc_sit.te
+++ b/radio/modem_ml_svc_sit.te
@@ -11,6 +11,10 @@ allow modem_ml_svc_sit radio_device:chr_file rw_file_perms;
 allow modem_ml_svc_sit radio_vendor_data_file:dir create_dir_perms;
 allow modem_ml_svc_sit radio_vendor_data_file:file create_file_perms;
+# Grant modem ml data file/dir creation permission
+allow modem_ml_svc_sit modem_ml_data_file:dir create_dir_perms;
+allow modem_ml_svc_sit modem_ml_data_file:file create_file_perms;
+
 # Grant modem ml models config files access
 allow modem_ml_svc_sit modem_config_file:file r_file_perms;
diff --git a/radio/property.te b/radio/property.te
index 25d9454..16ccefc 100644
--- a/radio/property.te
+++ b/radio/property.te
@@ -1,4 +1,4 @@
-# P24 vendor properties
+# P23 vendor properties
 vendor_internal_prop(vendor_carrier_prop)
 vendor_internal_prop(vendor_cbd_prop)
 vendor_internal_prop(vendor_slog_prop)
diff --git a/radio/seapp_contexts b/radio/seapp_contexts
index 9e74853..6d0de36 100644
--- a/radio/seapp_contexts
+++ b/radio/seapp_contexts
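Review bot: The context lines just above the addition in radio/modem_ml_svc_sit.te still grant `create_dir_perms` and `create_file_perms` on `radio_vendor_data_file`, so introducing `modem_ml_data_file` adds access instead of moving it. If the service's data now lives under /data/vendor/modem_ml (the path labelled in radio/file_contexts), the older rules can presumably be dropped or reduced to `r_file_perms`. If both labels are still needed, a comment such as `# still writes <path> under the shared radio label` above the old rules would tell the next reviewer why.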
@@ -14,7 +14,11 @@ user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_
 user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_qualifiednetworks_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_service_app levelFrom=all
 user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=.ShannonImsService domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_remote_app levelFrom=all
+
 # slsi logging apps
 user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_silentlogging_app levelFrom=all
diff --git a/radio/vendor_ims_remote_app.te b/radio/vendor_ims_remote_app.te
new file mode 100644
index 0000000..f5d3846
--- /dev/null
+++ b/radio/vendor_ims_remote_app.te
@@ -0,0 +1,4 @@
+type vendor_ims_remote_app, domain;
+app_domain(vendor_ims_remote_app)
+
+allow vendor_ims_remote_app app_api_service:service_manager find;
diff --git a/radio/vendor_rcs_service_app.te b/radio/vendor_rcs_service_app.te
new file mode 100644
index 0000000..a7ae221
--- /dev/null
+++ b/radio/vendor_rcs_service_app.te
@@ -0,0 +1,5 @@
+type vendor_rcs_service_app, domain;
+app_domain(vendor_rcs_service_app)
+
+allow vendor_rcs_service_app app_api_service:service_manager find;
+allow vendor_rcs_service_app radio_service:service_manager find;
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
deleted file mode 100644
index e15c110..0000000
--- a/tracking_denials/bootanim.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/260522279
-dontaudit bootanim system_data_file:dir { search };
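Review bot: The added `name=.ShannonImsService` entry in radio/seapp_contexts is not package-qualified, unlike the `com.shannon.imsservice` entries beside it, and like them it has no `seinfo=` selector, so the domain assignment rests on `isPrivApp=true` plus a process name alone. Any privileged app whose process carries that name would be placed in vendor_ims_app; presumably only the IMS package declares it, but the rule does not enforce that. Consider binding the three new lines to the signer with a `seinfo=` value defined in mac_permissions.xml (the silentlogging entry below already uses `seinfo=platform`), and add a comment saying why the bare process name is needed.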
diff --git a/tracking_denials/bug_map b/tracking_denials/bug_map
index 8af6ec0..821f41d 100644
--- a/tracking_denials/bug_map
+++ b/tracking_denials/bug_map
@@ -4,8 +4,7 @@ con_monitor_app dalvikcache_data_file dir b/264483670
 con_monitor_app dalvikcache_data_file file b/264483670
 con_monitor_app mnt_expand_file dir b/264483670
 con_monitor_app system_data_file lnk_file b/264483670
-dumpstate app_zygote process b/264483390
-dumpstate sysfs_scsi_devices_0000 file b/272166771
+dumpstate app_zygote process b/279680264
 google_camera_app audio_service service_manager b/264600171
 google_camera_app backup_service service_manager b/264483456
 google_camera_app legacy_permission_service service_manager b/264600171
@@ -14,14 +13,10 @@ hal_audio_default hal_audio_default binder b/274374769
 hal_bootctl_default hal_bootctl_default capability b/274727372
 hal_camera_default edgetpu_app_server binder b/275001641
 hal_camera_default edgetpu_app_service service_manager b/275001641
-hal_dumpstate_default vendor_displaycolor_service service_manager b/264482983
-hal_dumpstate_default vendor_displaycolor_service service_manager b/264600086
-hal_dumpstate_default vendor_modem_prop property_service b/264482983
-hal_dumpstate_default vendor_tcpdump_log_prop file b/273638940
-hal_power_default sysfs file b/273638876
+hal_input_processor_default vendor_display_prop file b/279680070
 hal_secure_element_uicc hal_secure_element_hwservice hwservice_manager b/264483151
 hal_secure_element_uicc hidl_base_hwservice hwservice_manager b/264483151
-hal_uwb_default debugfs file b/273639365
+hal_uwb_default debugfs file b/279680213
 incidentd apex_art_data_file file b/272628762
 incidentd incidentd anon_inode b/274374992
 insmod-sh insmod-sh key b/274374722
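Review bot: The new `hal_input_processor_default vendor_display_prop file` entry tracks a denial that the same commit allows with `get_prop(hal_input_processor_default, vendor_display_prop)` in legacy/whitechapel_pro/hal_input_processor_default.te. One of the two looks redundant: if the legacy directory is part of this device's policy, the denial should no longer occur and the bug_map line can go; if it is not, the `get_prop` rule probably belongs under vendor/ instead. Worth confirming which policy directories the build includes, since a stale bug_map entry attaches a bug number to denials nobody is meant to see any more.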
@@ -32,16 +27,8 @@ mtectrl unlabeled dir b/264483752
 platform_app bootanim_system_prop property_service b/264483532
 servicemanager hal_fingerprint_default binder b/264483753
 system_server default_android_service service_manager b/264483754
-systemui_app bootanim_system_prop property_service b/269964574
-systemui_app hal_googlebattery binder b/269964574
 systemui_app init unix_stream_socket b/269964574
-systemui_app mediaextractor_service service_manager b/272628174
-systemui_app mediametrics_service service_manager b/272628174
-systemui_app mediaserver_service service_manager b/272628174
 systemui_app property_socket sock_file b/269964574
-systemui_app qemu_hw_prop file b/269964574
-systemui_app twoshay binder b/269964574
-systemui_app vr_manager_service service_manager b/272628174
 twoshay systemui_app binder b/269964558
 untrusted_app default_android_service service_manager b/264599934
 vendor_init device_config_configuration_prop property_service b/267714573
diff --git a/tracking_denials/chre.te b/tracking_denials/chre.te
deleted file mode 100644
index beee716..0000000
--- a/tracking_denials/chre.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/261105224
-dontaudit chre hal_system_suspend_service:service_manager { find };
-dontaudit chre servicemanager:binder { call };
-dontaudit chre system_suspend_server:binder { call };
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
deleted file mode 100644
index b6994f9..0000000
--- a/tracking_denials/google_camera_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/264490031
-userdebug_or_eng(`
- permissive google_camera_app;
-')
-# b/277300017
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
deleted file mode 100644
index abc4811..0000000
--- a/tracking_denials/hal_camera_default.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489778
-userdebug_or_eng(`
- permissive hal_camera_default;
-')
diff --git a/tracking_denials/hal_contexthub_default.te b/tracking_denials/hal_contexthub_default.te
deleted file mode 100644
index 3c9a51f..0000000
--- a/tracking_denials/hal_contexthub_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/261105182
-dontaudit hal_contexthub_default chre:unix_stream_socket { connectto };
-dontaudit hal_contexthub_default chre_socket:sock_file { write };
-# b/264489794
-userdebug_or_eng(`
- permissive hal_contexthub_default;
-')
\ No newline at end of file
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
deleted file mode 100644
index 8f3138c..0000000
--- a/tracking_denials/hal_neuralnetworks_armnn.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# b/260366177
-dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
-# b/260768359
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-# b/260921579
-dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
-dontaudit hal_neuralnetworks_armnn default_prop:file { map };
-dontaudit hal_neuralnetworks_armnn default_prop:file { open };
-dontaudit hal_neuralnetworks_armnn default_prop:file { read };
-# b/264489188
-userdebug_or_eng(`
- permissive hal_neuralnetworks_armnn;
-')
\ No newline at end of file
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
deleted file mode 100644
index 5925425..0000000
--- a/tracking_denials/hal_power_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/267261305
-dontaudit hal_power_default hal_power_default:capability { dac_override };
-dontaudit hal_power_default hal_power_default:capability { dac_read_search };
diff --git a/tracking_denials/hal_radioext_default.te b/tracking_denials/hal_radioext_default.te
deleted file mode 100644
index d37fc60..0000000
--- a/tracking_denials/hal_radioext_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/275646098
-dontaudit hal_radioext_default service_manager_type:service_manager find;
diff --git a/tracking_denials/hwservicemanager.te b/tracking_denials/hwservicemanager.te
deleted file mode 100644
index 53222bd..0000000
--- a/tracking_denials/hwservicemanager.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264489781
-userdebug_or_eng(`
- permissive hwservicemanager;
-')
diff --git a/tracking_denials/installd.te b/tracking_denials/installd.te
deleted file mode 100644
index 95b0a2f..0000000
--- a/tracking_denials/installd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/260522202
-dontaudit installd modem_img_file:filesystem { quotaget };
-# b/264490035
-userdebug_or_eng(`
- permissive installd;
-')
\ No newline at end of file
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
deleted file mode 100644
index 604cf7d..0000000
--- a/tracking_denials/priv_app.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# b/260366281
-dontaudit priv_app privapp_data_file:dir { getattr };
-dontaudit priv_app privapp_data_file:dir { search };
-dontaudit priv_app vendor_default_prop:file { getattr };
-dontaudit priv_app vendor_default_prop:file { map };
-dontaudit priv_app vendor_default_prop:file { open };
-# b/260522282
-dontaudit priv_app privapp_data_file:file { open };
-dontaudit priv_app privapp_data_file:file { setattr };
-# b/260768358
-dontaudit priv_app default_android_service:service_manager { find };
-# b/260922442
-dontaudit priv_app default_android_service:service_manager { find };
-# b/263185432
-dontaudit priv_app privapp_data_file:file { unlink };
-# b/264490074
-userdebug_or_eng(`
- permissive priv_app;
-')# b/268572216
-dontaudit priv_app privapp_data_file:dir { add_name };
-dontaudit priv_app privapp_data_file:dir { remove_name };
diff --git a/tracking_denials/rebalance_interrupts_vendor.te b/tracking_denials/rebalance_interrupts_vendor.te
index 26657eb..f38b36f 100644
--- a/tracking_denials/rebalance_interrupts_vendor.te
+++ b/tracking_denials/rebalance_interrupts_vendor.te
@@ -1,6 +1,2 @@
 # b/260366278
 dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability { dac_override };
-# b/264489565
-userdebug_or_eng(`
- permissive rebalance_interrupts_vendor;
-')
\ No newline at end of file
diff --git a/tracking_denials/recovery.te b/tracking_denials/recovery.te
deleted file mode 100644
index bd39922..0000000
--- a/tracking_denials/recovery.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490092
-userdebug_or_eng(`
- permissive recovery;
-')
\ No newline at end of file
diff --git a/tracking_denials/servicemanager.te b/tracking_denials/servicemanager.te
deleted file mode 100644
index 142b95b..0000000
--- a/tracking_denials/servicemanager.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# b/263429985
-dontaudit servicemanager tee:binder { call };
-# b/264489962
-userdebug_or_eng(`
- permissive servicemanager;
-')
\ No newline at end of file
diff --git a/tracking_denials/system_suspend.te b/tracking_denials/system_suspend.te
deleted file mode 100644
index b834b57..0000000
--- a/tracking_denials/system_suspend.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# b/261105356
-dontaudit system_suspend_server chre:binder { transfer };
diff --git a/tracking_denials/tcpdump_logger.te b/tracking_denials/tcpdump_logger.te
deleted file mode 100644
index b0a7046..0000000
--- a/tracking_denials/tcpdump_logger.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# b/264490014
-userdebug_or_eng(`
- permissive tcpdump_logger;
-')
\ No newline at end of file
diff --git a/vendor/bootanim.te b/vendor/bootanim.te
index cc36346..0289a4d 100644
--- a/vendor/bootanim.te
+++ b/vendor/bootanim.te
@@ -1 +1,2 @@
 allow bootanim arm_mali_platform_service:service_manager find;
+dontaudit bootanim system_data_file:dir { search };
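Review bot: The `dontaudit bootanim system_data_file:dir { search };` line added to vendor/bootanim.te is moved out of tracking_denials/ without its `# b/260522279` reference, so a permanent audit suppression now carries no stated reason. The same applies to `dontaudit installd modem_img_file:filesystem quotaget;` in the new vendor/installd.te (previously under `# b/260522202`), and the `dontaudit charger_vendor default_prop:file r_file_perms;` in vendor/charger_vendor.te is also uncommented. Because dontaudit hides the denial from anyone investigating the domain later, each rule should keep a one-line comment above it, for example `# Suppressed, not granted: see b/260522279`.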
diff --git a/vendor/charger_vendor.te b/vendor/charger_vendor.te
new file mode 100644
index 0000000..d992247
--- /dev/null
+++ b/vendor/charger_vendor.te
@@ -0,0 +1,7 @@
+# charger_vendor for battery in off-mode charging
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+dontaudit charger_vendor default_prop:file r_file_perms;
+set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/vendor/device.te b/vendor/device.te
index 17a162c..695c54f 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -13,6 +13,10 @@ type uci_device, dev_type;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_secure_heap_device, dmabuf_heap_device_type, dev_type;
+type framebuffer_secure_heap_device, dmabuf_heap_device_type, dev_type;
 # SecureElement SPI device
 type st54spi_device, dev_type;
+
+# OTA
+type sda_block_device, dev_type;
diff --git a/vendor/dump_cma.te b/vendor/dump_cma.te
deleted file mode 100644
index e69de29..0000000
diff --git a/vendor/dumpstate.te b/vendor/dumpstate.te
index 03d0b40..dc0f6c9 100644
--- a/vendor/dumpstate.te
+++ b/vendor/dumpstate.te
@@ -3,6 +3,8 @@ dump_hal(hal_graphics_composer)
 dump_hal(hal_health)
+dump_hal(hal_telephony)
+
 dump_hal(hal_confirmationui)
 binder_call(dumpstate, hal_wireless_charger)
diff --git a/vendor/file.te b/vendor/file.te
index 6560298..cc0f2b9 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -30,6 +30,9 @@ type sysfs_wlc, sysfs_type, fs_type;
 # CHRE
 type chre_socket, file_type;
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
 # Data
 type sensor_reg_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5de8b1e..547067b 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -3,7 +3,7 @@
 /vendor/bin/hw/android\.hardware\.boot@1\.2-service-zumapro u:object_r:hal_bootctl_default_exec:s0
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
@@ -12,6 +12,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element-service.uicc u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
 /vendor/bin/hw/android\.hardware\.composer\.hwc3-service\.pixel u:object_r:hal_graphics_composer_default_exec:s0
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@2\.0-service u:object_r:mediacodec_google_exec:s0
 /vendor/bin/dump/dump_wlan\.sh u:object_r:dump_wlan_exec:s0
 /vendor/bin/dump/dump_gsa\.sh u:object_r:dump_gsa_exec:s0
@@ -26,6 +27,7 @@
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.rust\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/ufs_firmware_update\.sh u:object_r:ufs_firmware_update_exec:s0
+/vendor/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
 # Vendor Firmwares
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
@@ -34,6 +36,8 @@
 # Vendor libraries
 /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
+# Vendor
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
 # persist
 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
@@ -44,6 +48,7 @@
 # Devices
 /dev/bbd_pwrstat u:object_r:power_stats_device:s0
 /dev/edgetpu-soc u:object_r:edgetpu_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/persist u:object_r:persist_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs u:object_r:efs_block_device:s0
 /dev/block/platform/13200000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
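Review bot: The added `/dev/block/sda` entry in vendor/file_contexts labels a whole block device, while the context lines right below it give individual by-name partitions (`persist`, `efs`, `efs_backup`) their own types. If those partitions sit on the same device, any domain later given write access to `sda_block_device` could reach them through the raw node and bypass the per-partition labels; the rules that use the type are not part of this diff, so this is a caution, not a finding. The `# OTA` comment in vendor/device.te would be more useful if it named the consuming domain and the access it needs, and a `neverallow` restricting write access on `sda_block_device:blk_file` to that domain would keep the label from spreading.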
@@ -99,23 +104,29 @@
 /dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
 /dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
+/dev/logbuffer_ln8411 u:object_r:logbuffer_device:s0
 /dev/logbuffer_bd u:object_r:logbuffer_device:s0
-/dev/lwis-act-jotnar u:object_r:lwis_device:s0
-/dev/lwis-act-slenderman u:object_r:lwis_device:s0
-/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
 /dev/lwis-act-cornerfolk u:object_r:lwis_device:s0
 /dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0
 /dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0
 /dev/lwis-act-cornerfolk-sandworm u:object_r:lwis_device:s0
+/dev/lwis-act-jotnar u:object_r:lwis_device:s0
+/dev/lwis-act-nessie u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman u:object_r:lwis_device:s0
+/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
 /dev/lwis-be-core u:object_r:lwis_device:s0
 /dev/lwis-csi u:object_r:lwis_device:s0
 /dev/lwis-dpm u:object_r:lwis_device:s0
 /dev/lwis-eeprom-djinn u:object_r:lwis_device:s0
 /dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
+/dev/lwis-eeprom-gt24p64e-imentet u:object_r:lwis_device:s0
 /dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0
 /dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
+/dev/lwis-eeprom-nessie u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-leshen u:object_r:lwis_device:s0
+/dev/lwis-eeprom-smaug-leshen-uw u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
 /dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
 /dev/lwis-g3aa u:object_r:lwis_device:s0
@@ -129,27 +140,31 @@
 /dev/lwis-isp-fe u:object_r:lwis_device:s0
 /dev/lwis-lme u:object_r:lwis_device:s0
 /dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-djinn u:object_r:lwis_device:s0
 /dev/lwis-ois-gargoyle u:object_r:lwis_device:s0
 /dev/lwis-ois-humbaba u:object_r:lwis_device:s0
 /dev/lwis-ois-jotnar u:object_r:lwis_device:s0
-/dev/lwis-ois-djinn u:object_r:lwis_device:s0
+/dev/lwis-ois-nessie u:object_r:lwis_device:s0
 /dev/lwis-pdp u:object_r:lwis_device:s0
 /dev/lwis-scsc u:object_r:lwis_device:s0
 /dev/lwis-sensor-boitata u:object_r:lwis_device:s0
 /dev/lwis-sensor-buraq u:object_r:lwis_device:s0
 /dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
+/dev/lwis-sensor-imentet u:object_r:lwis_device:s0
 /dev/lwis-sensor-kraken u:object_r:lwis_device:s0
 /dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
+/dev/lwis-sensor-leshen u:object_r:lwis_device:s0
+/dev/lwis-sensor-leshen-uw u:object_r:lwis_device:s0
 /dev/lwis-sensor-nagual u:object_r:lwis_device:s0
 /dev/lwis-sensor-oksoko u:object_r:lwis_device:s0
 /dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
 /dev/lwis-slc u:object_r:lwis_device:s0
 /dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0
 /dev/lwis-top u:object_r:lwis_device:s0
-/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0
-# Although stmvl53l1_ranging is not a real lwis_device but we treat it as an abstract lwis_device.
-# Binding it here with lwis-tof-vl53l8 for a better maintenance instead of creating another device type.
-/dev/stmvl53l1_ranging u:object_r:lwis_device:s0
+/dev/lwis-tof-tarasque u:object_r:lwis_device:s0
+# Although ispolin_ranging is not a real lwis_device but we treat it as an abstract lwis_device.
+# Binding it here with lwis-tof-tarasque for a better maintenance instead of creating another device type.
+/dev/ispolin_ranging u:object_r:lwis_device:s0
 /dev/lwis-votf u:object_r:lwis_device:s0
 /dev/st54spi u:object_r:st54spi_device:s0
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
@@ -160,6 +175,7 @@
 /dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
 /dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/framebuffer-secure u:object_r:framebuffer_secure_heap_device:s0
 /dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 6c42219..28ac6d2 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -11,6 +11,8 @@ genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo
 # Fabric
 genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/min_freq u:object_r:sysfs_fabric:s0
 genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000090.devfreq_dsu/devfreq/17000090.devfreq_dsu/max_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/170000a0.devfreq_bci/devfreq/170000a0.devfreq_bci/max_freq u:object_r:sysfs_fabric:s0
 # EdgeTPU
 genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0
@@ -446,6 +448,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup/wakeup
 genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
 # Trusty
 genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
@@ -456,6 +459,9 @@ genfscon sysfs /kernel/pixel_em/active_profile u:obje
 # GPU
 genfscon sysfs /devices/platform/1f000000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1f000000.mali/kprcs u:object_r:sysfs_gpu:s0
 # GSA logs
 genfscon sysfs /devices/platform/16490000.gsa-ns/log_main u:object_r:sysfs_gsa_log:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 9c233fe..8c030f4 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,15 +1,24 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
+net_domain(google_camera_app)
-# Allows camera app to access the GXP device.
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to acccess the GXP device and search for the firmware file.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app vendor_fw_file:dir search;
-# Allows camera app to access the PowerHAL.
+# Allows GCA to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
-# Allow camera app to access the a subset of app services.
-allow google_camera_app app_api_service:service_manager find;
-
-# Allows GCA to access the EdgeTPU device.
+# Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/vendor/hal_bluetooth_btlinux.te b/vendor/hal_bluetooth_btlinux.te
index 2167b3c..c496ea0 100644
--- a/vendor/hal_bluetooth_btlinux.te
+++ b/vendor/hal_bluetooth_btlinux.te
@@ -2,5 +2,8 @@
 allow hal_bluetooth_btlinux aoc_device:chr_file rw_file_perms;
 allow hal_bluetooth_btlinux device:dir r_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:dir rw_dir_perms;
+allow hal_bluetooth_btlinux vendor_bt_data_file:file create_file_perms;
+
 # allow the HAL to call cccdktimesync registered callbacks
 binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
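Review bot: `net_domain(google_camera_app)` and the six `service_manager find` rules at the top of the vendor/google_camera_app.te hunk are added without a comment, while the other grants in the hunk each have one, and the rewritten GXP comment has a typo (`acccess`). This commit also deletes the userdebug `permissive google_camera_app;` from tracking_denials/, so these rules are what the app will be enforced against; a short comment per group, for example `# Network access for <feature>` above `net_domain`, makes later least-privilege review possible. The new `vendor_fw_file:dir search` lets a coredomain app traverse the vendor firmware directory, so it is worth one more sentence naming the firmware file GXP needs.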
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 666ad73..a7d9db9 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -7,6 +7,8 @@ allow hal_camera_default lwis_device:chr_file rw_file_perms;
 # Face authentication code that is part of the camera HAL needs to allocate
 # dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
 # Allow the camera hal to access the EdgeTPU service and the
 # Android shared memory allocated by the EdgeTPU service for
@@ -82,6 +84,9 @@ binder_call(hal_camera_default, hal_radioext_default);
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
+
 # Allow camera HAL to send trace packets to Perfetto
 userdebug_or_eng(`perfetto_producer(hal_camera_default)')
diff --git a/vendor/hal_contexthub_default.te b/vendor/hal_contexthub_default.te
new file mode 100644
index 0000000..7e0eef2
--- /dev/null
+++ b/vendor/hal_contexthub_default.te
@@ -0,0 +1,2 @@
+# Allow context hub HAL to communicate with daemon via socket
+unix_socket_connect(hal_contexthub_default, chre, chre)
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index f77d094..628329b 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
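Review bot: The added `allow hal_camera_default tee_device:chr_file rw_file_perms;` in the first vendor/hal_camera_default.te hunk applies to the whole camera HAL domain, not only to the face-authentication code named in the comment above it. vendor/file_contexts labels /dev/trusty-ipc-dev0 as `tee_device`, so every code path in the HAL, including those handling sensor and client data, can open the Trusty IPC node; which trusted applications it can then reach is presumably decided on the Trusty side. The comment would be stronger if it named the trusted application the HAL talks to, so a reviewer can check that side's access control. The `aoc_device` grant in the second hunk has a comment but likewise does not say what the HAL uses the always-on compute node for.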
@@ -2,3 +2,4 @@ allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_p allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms; allow hal_graphics_allocator_default vscaler_secure_heap_device:chr_file r_file_perms; +allow hal_graphics_allocator_default framebuffer_secure_heap_device:chr_file r_file_perms; diff --git a/vendor/hal_memtrack_default.te b/vendor/hal_memtrack_default.te new file mode 100644 index 0000000..7554c6f --- /dev/null +++ b/vendor/hal_memtrack_default.te @@ -0,0 +1 @@ +r_dir_file(hal_memtrack_default, sysfs_gpu) diff --git a/vendor/hal_secure_element_st54spi.te b/vendor/hal_secure_element_st54spi.te deleted file mode 100644 index 3cc726d..0000000 --- a/vendor/hal_secure_element_st54spi.te +++ /dev/null @@ -1,7 +0,0 @@ -type hal_secure_element_st54spi, domain; -type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(hal_secure_element_st54spi) -hal_server_domain(hal_secure_element_st54spi, hal_secure_element) -allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms; -allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms; -set_prop(hal_secure_element_st54spi, vendor_secure_element_prop) diff --git a/vendor/hal_secure_element_st54spi_aidl.te b/vendor/hal_secure_element_st54spi_aidl.te new file mode 100644 index 0000000..5110b96 --- /dev/null +++ b/vendor/hal_secure_element_st54spi_aidl.te 
@@ -0,0 +1,7 @@ +type hal_secure_element_st54spi_aidl, domain; +type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_secure_element_st54spi_aidl) +hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element) +allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms; +allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms; +set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop) diff --git a/vendor/installd.te b/vendor/installd.te new file mode 100644 index 0000000..44e74c6 --- /dev/null +++ b/vendor/installd.te @@ -0,0 +1 @@ +dontaudit installd modem_img_file:filesystem quotaget; diff --git a/vendor/ofl_app.te b/vendor/ofl_app.te deleted file mode 100644 index 69e166a..0000000 --- a/vendor/ofl_app.te +++ /dev/null @@ -1,17 +0,0 @@ -# OFLBasicAgent app - -type ofl_app, domain; - -userdebug_or_eng(` - app_domain(ofl_app) - net_domain(ofl_app) - - allow ofl_app app_api_service:service_manager find; - allow ofl_app nfc_service:service_manager find; - allow ofl_app radio_service:service_manager find; - allow ofl_app surfaceflinger_service:service_manager find; - - # Access to directly update firmware on st54spi_device - typeattribute st54spi_device mlstrustedobject; - allow ofl_app st54spi_device:chr_file rw_file_perms; -') \ No newline at end of file diff --git a/vendor/pixelstats_vendor.te b/vendor/pixelstats_vendor.te index 18a1472..2d0fb38 100644 --- a/vendor/pixelstats_vendor.te +++ b/vendor/pixelstats_vendor.te @@ -21,3 +21,7 @@ allow pixelstats_vendor sysfs_pcie:dir search; allow pixelstats_vendor sysfs_pcie:file rw_file_perms; allow pixelstats_vendor sysfs_pixelstats:file r_file_perms; + +#Thermal +r_dir_file(pixelstats_vendor, sysfs_thermal) +allow pixelstats_vendor sysfs_thermal:lnk_file r_file_perms; diff --git a/vendor/property.te b/vendor/property.te index a7450c3..105574b 100644 --- a/vendor/property.te +++ b/vendor/property.te 
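Review bot: The new `vendor/installd.te` is a bare `dontaudit installd modem_img_file:filesystem quotaget;` with no comment. A dontaudit removes the denial from the audit log, so a later reader cannot tell expected noise from a masked failure. By contrast, the `dontaudit` added for `google_camera_app` in this same commit says why the access should stay denied. I would add one line above the rule stating the cause, for example `# modem image is read-only and has no quota; the quotaget denial is expected`, reworded to match the real reason, which is not visible here.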
@@ -11,3 +11,8 @@ vendor_internal_prop(vendor_usb_config_prop) # Dynamic sensor vendor_internal_prop(vendor_dynamic_sensor_prop) +# Mali Integration +vendor_restricted_prop(vendor_arm_runtime_option_prop) + +# ArmNN +vendor_internal_prop(vendor_armnn_config_prop) diff --git a/vendor/property_contexts b/vendor/property_contexts index b020540..e837a5c 100644 --- a/vendor/property_contexts +++ b/vendor/property_contexts @@ -18,3 +18,8 @@ vendor.usb. u:object_r:vendor_usb_config_prop:s0 # Dynamic sensor vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0 +# Mali GPU driver configuration and debug options +vendor.mali. u:object_r:vendor_arm_runtime_option_prop:s0 prefix + +# ArmNN configuration +ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix diff --git a/vendor/recovery.te b/vendor/recovery.te new file mode 100644 index 0000000..efbea53 --- /dev/null +++ b/vendor/recovery.te @@ -0,0 +1,8 @@ +recovery_only(` + allow recovery sysfs_ota:file rw_file_perms; + allow recovery st54spi_device:chr_file rw_file_perms; + allow recovery tee_device:chr_file rw_file_perms; + allow recovery sysfs_scsi_devices_0000:file r_file_perms; + allow recovery sysfs_scsi_devices_0000:dir r_dir_perms; + set_prop(recovery, boottime_prop) +') diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 8f5eea1..9c10fdd 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts @@ -4,9 +4,6 @@ user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel dom # coredump/ramdump user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all -# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade -user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.omapi_agent domain=ofl_app type=app_data_file levelFrom=user - # Domain for connectivity monitor user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all 
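Review bot: The new `vendor/recovery.te` gives recovery read/write on `st54spi_device` and `tee_device` without a comment saying which recovery operation needs the secure element or the TEE node. The `recovery_only` wrapper keeps the rules out of the normal-boot policy, but these are the most sensitive nodes in the block and the justification should be on record next to them. I would add one comment per group, for example `# <operation> needs the secure element and Trusty` above those two rules and `# OTA status reporting` above the `sysfs_ota` rule, filled in with the actual reasons.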
diff --git a/vendor/systemui_app.te b/vendor/systemui_app.te index 312d8c8..b462eb3 100644 --- a/vendor/systemui_app.te +++ b/vendor/systemui_app.te @@ -7,10 +7,14 @@ allow systemui_app color_display_service:service_manager find; allow systemui_app audioserver_service:service_manager find; allow systemui_app cameraserver_service:service_manager find; allow systemui_app mediaserver_service:service_manager find; +allow systemui_app mediaextractor_service:service_manager find; +allow systemui_app mediametrics_service:service_manager find; allow systemui_app radio_service:service_manager find; +allow systemui_app vr_manager_service:service_manager find; get_prop(systemui_app, keyguard_config_prop) set_prop(systemui_app, bootanim_system_prop) +get_prop(systemui_app, qemu_hw_prop) allow systemui_app pixel_battery_service_type:service_manager find; binder_call(systemui_app, pixel_battery_domain) diff --git a/vendor/tcpdump_logger.te b/vendor/tcpdump_logger.te index 1018104..7cf0245 100644 --- a/vendor/tcpdump_logger.te +++ b/vendor/tcpdump_logger.te 
@@ -1,5 +1,21 @@ type tcpdump_logger, domain; type tcpdump_logger_exec, exec_type, vendor_file_type, file_type; -init_daemon_domain(tcpdump_logger) +userdebug_or_eng(` + # make transition from init to its domain + init_daemon_domain(tcpdump_logger) + allow tcpdump_logger self:capability net_raw; + allow tcpdump_logger self:packet_socket create_socket_perms; + allowxperm tcpdump_logger self:packet_socket ioctl 0x8933; + allow tcpdump_logger tcpdump_exec:file rx_file_perms; + allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms; + allow tcpdump_logger tcpdump_vendor_data_file:dir search; + allow tcpdump_logger radio_vendor_data_file:file create_file_perms; + allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms; + allow tcpdump_logger wifi_logging_data_file:file create_file_perms; + allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms; + + set_prop(tcpdump_logger, vendor_tcpdump_log_prop) +') \ No newline at end of file diff --git a/vendor/update_engine.te b/vendor/update_engine.te index b4f3cf8..a403d9e 100644 --- a/vendor/update_engine.te +++ b/vendor/update_engine.te @@ -1,2 +1,3 @@ allow update_engine custom_ab_block_device:blk_file rw_file_perms; allow update_engine modem_block_device:blk_file rw_file_perms; +allow update_engine proc_bootconfig:file r_file_perms; diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te index 646aa0f..373eeaf 100644 --- a/vendor/vendor_init.te +++ b/vendor/vendor_init.te @@ -29,3 +29,9 @@ set_prop(vendor_init, vendor_usb_config_prop) # Mali set_prop(vendor_init, vendor_arm_runtime_option_prop) set_prop(vendor_init, vendor_ssrdump_prop) + +# ArmNN +set_prop(vendor_init, vendor_armnn_config_prop) + +# MM +allow vendor_init proc_watermark_scale_factor:file w_file_perms;
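Review bot: In `vendor/tcpdump_logger.te`, `allow tcpdump_logger tcpdump_vendor_data_file:dir search;` is redundant, because the `create_dir_perms` rule two lines above it already includes `search`; the line can be dropped. The extended permission `0x8933` would be easier to audit with its name on the line above, `# SIOCGIFINDEX`. The two `type` declarations remain outside `userdebug_or_eng`, so the labels still exist on user builds with no rules attached; that looks intentional, but the init service definition (not visible here) should be debug-only as well. The file still ends without a trailing newline.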