diff --git a/BoardConfig.mk b/BoardConfig.mk
index dcf5061..681637e 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -160,6 +160,10 @@ ENABLE_VENDOR_RIL_SERVICE := true
 
 # Selinux
 include device/mediatek/sepolicy_vndr/SEPolicy.mk
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+
 
 # Vendor Security Patch
 VENDOR_SECURITY_PATCH := 2024-03-05
diff --git a/sepolicy/private/isolated_app.te b/sepolicy/private/isolated_app.te
new file mode 100644
index 0000000..418e79b
--- /dev/null
+++ b/sepolicy/private/isolated_app.te
@@ -0,0 +1 @@
+allow isolated_app app_data_file:file setattr;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..ddf36cc
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,8 @@
+# Fingerprint
+gf.debug. u:object_r:vendor_fingerprint_prop:s0
+
+# Hardware
+ro.hardware.chipname u:object_r:exported_default_prop:s0
+
+# SVN
+ro.product.svn u:object_r:build_prop:s0
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
new file mode 100644
index 0000000..4cf0e57
--- /dev/null
+++ b/sepolicy/private/radio.te
@@ -0,0 +1 @@
+get_prop(radio, system_mtk_vodata_prop)
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..b21b347
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1 @@
+allow system_app proc_pagetypeinfo:file r_file_perms;
diff --git a/sepolicy/private/system_suspend.te b/sepolicy/private/system_suspend.te
new file mode 100644
index 0000000..f4213b0
--- /dev/null
+++ b/sepolicy/private/system_suspend.te
@@ -0,0 +1,3 @@
+allow system_suspend sysfs_wakeup:dir r_dir_perms;
+allow system_suspend sysfs_battery:dir { open read };
+allow system_suspend sysfs_extcon:dir r_dir_perms;
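Review bot: `allow isolated_app app_data_file:file setattr;` in sepolicy/private/isolated_app.te widens the most restricted app sandbox: an isolated process can now change mode, ownership or timestamps on any app-private file it holds a descriptor to, and the hunk records neither the denial nor the component that needs it. isolated_app is confined on purpose so that sandboxed renderers cannot reach app data, so a setattr right there is unusual and may sit close to the platform's neverallow rules for that domain — worth confirming against the compiled policy rather than assuming the build's silence means it is harmless. If the grant is genuinely required, record the reason next to it, e.g. `# <component> sets permissions on files handed over by its host app (denial: <avc line>)`, and consider whether the host app could perform the operation instead.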
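Review bot: `ro.hardware.chipname u:object_r:exported_default_prop:s0` in sepolicy/private/property_contexts reuses the broad legacy catch-all type, so every domain already allowed to read exported_default_prop gains this property too; the same pattern is used in sepolicy/public/property_contexts (`jpeg.exif.icc.profile`, `gce.test`, `vilte.test`, `prepend.test`) and in sepolicy/vendor/property_contexts (`st_repair.debug.`, `RUNTIME_OVERRIDE_OPENCL_MEM_TYPE`, `RUNTIME_OVERRIDE_LOG_LEVEL`, `demo.`). Properties introduced by a device tree should get a type of their own, declared with the appropriate `system_public_prop`/`vendor_*_prop` macro as this change already does for vendor_camera_prop and vendor_fingerprint_prop, so that readers and writers are explicit and reviewable. Each group also deserves a comment naming the consumer, since names like `demo.` and `gce.test` give no hint of what reads them.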
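Review bot: `allow system_app proc_pagetypeinfo:file r_file_perms;` in sepolicy/private/system_app.te exposes the kernel's physical page-allocator layout to every app running in the system_app domain, not just the one that asked for it; that node was split into its own proc_* type precisely so it can be granted narrowly. If one specific system app needs it, give that app its own domain via seapp_contexts and grant the read there, and record the consumer in a comment such as `# read by <app> for <purpose>`.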
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
new file mode 100644
index 0000000..aea4081
--- /dev/null
+++ b/sepolicy/private/vendor_init.te
@@ -0,0 +1 @@
+dontaudit vendor_init system_mtk_fd_prop:property_service set;
diff --git a/sepolicy/private/vold_prepare_subdirs.te b/sepolicy/private/vold_prepare_subdirs.te
new file mode 100644
index 0000000..a4e4cd4
--- /dev/null
+++ b/sepolicy/private/vold_prepare_subdirs.te
@@ -0,0 +1 @@
+allow vold_prepare_subdirs checkin_data_file:dir relabelfrom;
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
new file mode 100644
index 0000000..ce5e375
--- /dev/null
+++ b/sepolicy/public/file.te
@@ -0,0 +1 @@
+type sysfs_battery, sysfs_type, fs_type;
diff --git a/sepolicy/public/property.te b/sepolicy/public/property.te
new file mode 100644
index 0000000..aa38bfe
--- /dev/null
+++ b/sepolicy/public/property.te
@@ -0,0 +1,5 @@
+# Camera
+vendor_public_prop(vendor_camera_prop)
+
+# Fingerprint
+system_public_prop(vendor_fingerprint_prop)
diff --git a/sepolicy/public/property_contexts b/sepolicy/public/property_contexts
new file mode 100644
index 0000000..3d27bee
--- /dev/null
+++ b/sepolicy/public/property_contexts
@@ -0,0 +1,5 @@
+jpeg.exif.icc.profile u:object_r:exported_default_prop:s0
+
+gce.test u:object_r:exported_default_prop:s0
+vilte.test u:object_r:exported_default_prop:s0
+prepend.test u:object_r:exported_default_prop:s0
diff --git a/sepolicy/public/ueventd.te b/sepolicy/public/ueventd.te
new file mode 100644
index 0000000..0ac406a
--- /dev/null
+++ b/sepolicy/public/ueventd.te
@@ -0,0 +1 @@
+allow ueventd tmpfs:blk_file { getattr setattr relabelfrom };
diff --git a/sepolicy/vendor/awinic.te b/sepolicy/vendor/awinic.te
new file mode 100644
index 0000000..d37820f
--- /dev/null
+++ b/sepolicy/vendor/awinic.te
@@ -0,0 +1 @@
+allow mtk_hal_audio aw87xxx_vmax:file { read getattr open };
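Review bot: `system_public_prop(vendor_fingerprint_prop)` in sepolicy/public/property.te declares a system-owned property type, yet the only writer added by this change is the vendor HAL (`set_prop(hal_fingerprint_default, vendor_fingerprint_prop)` in sepolicy/vendor/hal_fingerprint_default.te) and sepolicy/vendor/property_contexts maps `persist.vendor.goodix.*` and `vendor.fp.*` names onto it. A property owned and written on the vendor side belongs in sepolicy/vendor/property.te under a vendor macro, the way `vendor_public_prop(vendor_camera_prop)` is done two lines above; the present split also leaves the non-`vendor.`-prefixed `gf.debug.` name (private property_contexts) in an ownership grey zone that is worth a comment explaining who sets it. If the type must stay system-owned for a system-side reader, say so in a comment next to the declaration.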
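Review bot: `allow ueventd tmpfs:blk_file { getattr setattr relabelfrom };` in sepolicy/public/ueventd.te, together with `allow fsck tmpfs:blk_file { read write ioctl };` in sepolicy/vendor/fsck.te, grants access to block device nodes that still carry the generic tmpfs label, which means a node under /dev is being created without a matching labeling rule. The relabelfrom on ueventd suggests the node is relabeled afterwards (likely the `/dev/block/sdc62` tranfs_block_device entry in file_contexts), but the fsck rule lets fsck read and write any unlabeled block node, not only that one. Label the node at creation (file_contexts or ueventd.rc) so the tranfs_block_device rules apply, and drop the tmpfs:blk_file grants; if a window before relabeling is unavoidable, record it in a comment and keep the fsck rule to what the denial actually shows.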
diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
new file mode 100644
index 0000000..cf538e9
--- /dev/null
+++ b/sepolicy/vendor/cameraserver.te
@@ -0,0 +1 @@
+get_prop(cameraserver, vendor_camera_prop)
diff --git a/sepolicy/vendor/ccci_mdinit.te b/sepolicy/vendor/ccci_mdinit.te
new file mode 100644
index 0000000..3ede448
--- /dev/null
+++ b/sepolicy/vendor/ccci_mdinit.te
@@ -0,0 +1 @@
+get_prop(ccci_mdinit, vendor_mtk_service_nvram_restore_prop)
diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
new file mode 100644
index 0000000..ea7d0cc
--- /dev/null
+++ b/sepolicy/vendor/device.te
@@ -0,0 +1,6 @@
+# Camera
+type cml421_ois_device, dev_type;
+type cwvi5300_device, dev_type;
+
+# Tranfs
+type tranfs_block_device, dev_type;
diff --git a/sepolicy/vendor/dontaudit.te b/sepolicy/vendor/dontaudit.te
new file mode 100644
index 0000000..8c01818
--- /dev/null
+++ b/sepolicy/vendor/dontaudit.te
@@ -0,0 +1,9 @@
+dontaudit {
+ mobicore
+ mtk_hal_camera
+} shell_data_file:dir search;
+
+dontaudit ueventd tranfs_block_device:blk_file rw_file_perms;
+dontaudit audioserver vendor_audio_prop:file read;
+dontaudit stflashtool nfc_prop:file read;
+dontaudit hal_audio_default hal_power_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/em_app.te b/sepolicy/vendor/em_app.te
new file mode 100644
index 0000000..5ccc6ef
--- /dev/null
+++ b/sepolicy/vendor/em_app.te
@@ -0,0 +1 @@
+dontaudit em_app mtk_hal_nvramagent_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
new file mode 100644
index 0000000..7d92183
--- /dev/null
+++ b/sepolicy/vendor/file.te
@@ -0,0 +1,28 @@
+# Camera
+type sysfs_tran_cam_file, fs_type, sysfs_type;
+type transsion_camera_data_file, file_type, data_file_type, mlstrustedobject;
+type vendor_watermark_data_file, file_type, data_file_type, mlstrustedobject;
+
+# Data
+type storage_dbg_data_file, file_type, data_file_type;
+
+# Fingerprint
+type sysfs_fp_name_path, fs_type, sysfs_type;
+type vendor_gf_data_file, file_type, data_file_type;
+
+# NFC
+type nfc_vendor_data_file, file_type, data_file_type;
+
+# Gesture
+type proc_gesture_function, fs_type, proc_type, sysfs_type;
+type proc_main_gesture_function, fs_type, proc_type, sysfs_type;
+
+# OTG
+type sysfs_OTG_STATE_file, fs_type, sysfs_type;
+
+# Torch
+type sysfs_sub_torch_file, fs_type, sysfs_type;
+type sysfs_torch_file, fs_type, sysfs_type;
+
+# VMAX
+type aw87xxx_vmax, fs_type, sysfs_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
new file mode 100644
index 0000000..6428bae
--- /dev/null
+++ b/sepolicy/vendor/file_contexts
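Review bot: `type proc_gesture_function, fs_type, proc_type, sysfs_type;` and the `proc_main_gesture_function` line attach sysfs_type to nodes that genfs_contexts places under procfs, so every rule the policy grants to the `sysfs_type` attribute now also covers these writable proc nodes. A proc node should carry the proc attributes only: `type proc_gesture_function, fs_type, proc_type;` and `type proc_main_gesture_function, fs_type, proc_type;`. Two smaller points in the same hunk: `sysfs_OTG_STATE_file` breaks the lower-case naming every other type here follows (`sysfs_otg_state_file` would match), and `mlstrustedobject` on transsion_camera_data_file and vendor_watermark_data_file exempts those files from MLS category separation between apps, which deserves a comment naming the app-side reader that needs it or should be dropped.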
@@ -0,0 +1,48 @@
+# Camera
+/dev/cml421_ois(/.*)? u:object_r:cml421_ois_device:s0
+/dev/cwvi5300 u:object_r:cwvi5300_device:s0
+/data/vendor/camera_watermark(/.*)? u:object_r:vendor_watermark_data_file:s0
+/data/vendor/multicam(/.*)? u:object_r:transsion_camera_data_file:s0
+
+# Data
+/data/storage_dbg(/.*)? u:object_r:storage_dbg_data_file:s0
+
+# Extcon
+/sys/devices/platform/extcon_usb/extcon/extcon0/cable.1/state u:object_r:sysfs_OTG_STATE_file:s0
+
+# Fingerprint
+/dev/fortsense_fp u:object_r:fingerprint_device:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.fptool\.fingerprint@2\.0-service u:object_r:hal_fingerprint_default_exec:s0
+/sys/kernel/tran_fp(/.*)? u:object_r:sysfs_fp_name_path:s0
+/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_gf_data_file:s0
+
+# Health
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
+
+# NFC
+/dev/pn54x u:object_r:nfc_device:s0
+/dev/pn553 u:object_r:nfc_device:s0
+/dev/nxpnfc u:object_r:nfc_device:s0
+
+# Power
+/sys/devices/platform/soc/11017000.i2c/i2c-5/5-0053/power_supply/charger(/.*)? u:object_r:sysfs_batteryinfo:s0
+
+# Sensor stuff
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
+
+# Trancam
+/(system\/vendor|vendor)/bin/hw/vendor\.transsion\.hardware\.trancam\.trancamserver@1\.0-service u:object_r:trancamserver_exec:s0
+/sys/devices/platform/(odm/odm:tran_battery|tran_battery)/tran_cam u:object_r:sysfs_tran_cam_file:s0
+
+# Tranfs
+/dev/block/sdc62 u:object_r:tranfs_block_device:s0
+
+# Vibrator
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator-service\.example u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator-service\.mediatek u:object_r:hal_vibrator_default_exec:s0
+/sys/devices/platform/soc/1101a000.i2c/i2c-6/6-005a/leds/vibrator_single(/.*)? u:object_r:sysfs_vibrator:s0
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
new file mode 100644
index 0000000..a829975
--- /dev/null
+++ b/sepolicy/vendor/fsck.te
@@ -0,0 +1,2 @@
+allow fsck tmpfs:blk_file { read write ioctl };
+allow fsck tranfs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/fuelgauged_nvram.te b/sepolicy/vendor/fuelgauged_nvram.te
new file mode 100644
index 0000000..281fa9c
--- /dev/null
+++ b/sepolicy/vendor/fuelgauged_nvram.te
@@ -0,0 +1,2 @@
+allow fuelgauged_nvram sysfs_dt_firmware_android:dir search;
+allow fuelgauged_nvram sysfs_dt_firmware_android:file r_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
new file mode 100644
index 0000000..ef0124c
--- /dev/null
+++ b/sepolicy/vendor/genfs_contexts
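Review bot: `/(vendor|system\/vendor)/bin/hw/android\.hardware\.vibrator-service.example u:object_r:hal_vibrator_default_exec:s0` leaves the `.` before `example` unescaped, and the correctly escaped `...vibrator-service\.example` entry is added four lines later, so the first line is both a redundant duplicate and a wildcard that matches more than intended; drop the unescaped line. The fptool fingerprint entry writes its prefix as `/(vendor|system/vendor)/` while every neighbouring entry uses `system\/vendor` — harmless in a regex, but inconsistent. The sensors entry is shown wrapped in this view with `u:object_r:hal_sensors_default_exec:s0` on a separate physical line; a real line break inside a file_contexts entry would not parse, so confirm the committed file keeps that entry on one line.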
@@ -0,0 +1,48 @@
+# Battery
+genfscon sysfs /devices/platform/odm/odm:usb_switch/power_supply/usb_switch u:object_r:sysfs_battery:s0
+
+# Devices
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sdb/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sdc/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sda/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdc/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sda/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdb/queue u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/queue u:object_r:sysfs_devices_block:s0
+
+# Extcon
+genfscon sysfs /devices/platform/extcon_usb u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/extcon_usb1 u:object_r:sysfs_extcon:s0
+
+# Health
+genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-006b/power_supply/charger(/.*)? u:object_r:sysfs_batteryinfo:s0
+
+# Gesture
+genfscon proc /gesture_function u:object_r:proc_gesture_function:s0
+genfscon proc /main_gesture_function u:object_r:proc_main_gesture_function:s0
+
+# Label wakeup nodes
+genfscon sysfs /devices/platform/11cb0000.i2c3/i2c-3/3-0018/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11cb0000.i2c3/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11d03000.i2c7/i2c-7/7-0008/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-004e/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/15020000.imgsys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/15020000.imgsys_config/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19030000.vpu_core0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19031000.vpu_core1/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/1a000000.camsys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/extcon_usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:usb_switch/power_supply/usb_switch/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/pca_dv2_algo/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/usb0/11200000.xhci0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/usb0/wakeup u:object_r:sysfs_wakeup:s0
+
+# Torch
+genfscon sysfs /devices/virtual/sub_torch/sub_torch/sub_torch_level u:object_r:sysfs_sub_torch_file:s0
+genfscon sysfs /devices/virtual/torch/torch/torch_level u:object_r:sysfs_torch_file:s0
+
+# aw87xxx vmax
+genfscon sysfs /devices/platform/1101a000.i2c7/i2c-7/7-0058/vmax u:object_r:aw87xxx_vmax:s0
+
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
new file mode 100644
index 0000000..aecbef2
--- /dev/null
+++ b/sepolicy/vendor/hal_audio_default.te
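Review bot: `genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-006b/power_supply/charger(/.*)? u:object_r:sysfs_batteryinfo:s0` uses regex syntax, but genfscon entries are literal path prefixes resolved by longest match, so the `(/.*)?` is taken as part of the path and the entry never labels anything. The prefix alone already covers the directory and everything below it: `genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-006b/power_supply/charger u:object_r:sysfs_batteryinfo:s0`. The sibling `5-0053` charger path in file_contexts is a valid regex there, but as a sysfs path it only takes effect if something runs restorecon over it; the genfscon form is the reliable one for sysfs, so consider moving it here as well.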
@@ -0,0 +1,11 @@
+allow hal_audio_default ccci_aud_device:chr_file rw_file_perms;
+allow hal_audio_default ebc_device:chr_file rw_file_perms;
+allow hal_audio_default mtk_audiohal_data_file:dir create_dir_perms;
+allow hal_audio_default mtk_audiohal_data_file:file create_file_perms;
+allow hal_audio_default sysfs_boot_info:file r_file_perms;
+allow hal_audio_default vow_device:chr_file rw_file_perms;
+
+dontaudit hal_audio_default hal_power_hwservice:hwservice_manager find;
+
+get_prop(hal_audio_default, vendor_audio_prop)
+set_prop(hal_audio_default, vendor_mtk_audiohal_prop)
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
new file mode 100644
index 0000000..863aee6
--- /dev/null
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -0,0 +1,12 @@
+allow hal_fingerprint_default input_device:chr_file rw_file_perms;
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+allow hal_fingerprint_default mnt_vendor_file:dir search;
+allow hal_fingerprint_default persist_data_file:dir create_dir_perms;
+allow hal_fingerprint_default persist_data_file:file create_file_perms;
+allow hal_fingerprint_default self:netlink_kobject_uevent_socket { read create bind setopt };
+allow hal_fingerprint_default sysfs_fp_name_path:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fp_name_path:file rw_file_perms;
+allow hal_fingerprint_default vendor_gf_data_file:dir create_dir_perms;
+allow hal_fingerprint_default vendor_gf_data_file:file create_file_perms;
+
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
new file mode 100644
index 0000000..68556ff
--- /dev/null
+++ b/sepolicy/vendor/hal_health_default.te
@@ -0,0 +1,3 @@
+allow hal_health_default sysfs:file read;
+allow hal_health_default sysfs_battery:file { getattr open read };
+allow hal_health_default sysfs_battery:dir search;
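Review bot: `dontaudit hal_audio_default hal_power_hwservice:hwservice_manager find;` in sepolicy/vendor/hal_audio_default.te repeats the identical rule already added in sepolicy/vendor/dontaudit.te, so one of the two should go; keeping it in the domain's own file is the more discoverable choice. While here, `allow hal_audio_default sysfs_boot_info:file r_file_perms;` is the one rule in this block with no obvious audio purpose and would benefit from a comment such as `# reads boot mode to pick the audio profile (confirm)`.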
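Review bot: `allow hal_fingerprint_default persist_data_file:dir create_dir_perms;` and the matching `persist_data_file:file create_file_perms` line give the fingerprint HAL create, write and delete rights over the persist partition's root type rather than over its own subdirectory, so it can alter persisted data that belongs to other subsystems (calibration, serial numbers, and the like). Give the HAL's directory a dedicated type carrying the same attributes persist_data_file has in the base policy, add a file_contexts entry for it under /mnt/vendor/persist, and grant the create perms on that type only; the `mnt_vendor_file:dir search` line can stay as is. The `self:netlink_kobject_uevent_socket { read create bind setopt }` rule is reasonable for a sensor that hot-plugs but deserves a one-line comment naming the event it listens for.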
diff --git a/sepolicy/vendor/hal_keymint_default.te b/sepolicy/vendor/hal_keymint_default.te
new file mode 100644
index 0000000..0e69ec2
--- /dev/null
+++ b/sepolicy/vendor/hal_keymint_default.te
@@ -0,0 +1,2 @@
+# Allow Keymint to set MTK TEEI Props
+set_prop(hal_keymint_default, vendor_mtk_soter_teei_prop)
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
new file mode 100644
index 0000000..324566d
--- /dev/null
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -0,0 +1,12 @@
+allow hal_nfc_default nxpnfc_hwservice:hwservice_manager { add find };
+
+set_prop(hal_nfc, vendor_nfc_prop)
+
+allow hal_nfc_default nfc_device:chr_file { read write };
+allow hal_nfc_default nfc_data_file:file getattr;
+
+allow hal_nfc_default vendor_nfc_prop:file { read open map getattr };
+allow hal_nfc_default vendor_nfc_prop:property_service set;
+
+allow hal_nfc_default nfc_vendor_data_file:dir { getattr add_name read write search remove_name };
+allow hal_nfc_default nfc_vendor_data_file:file { getattr open create read write unlink setattr append };
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
new file mode 100644
index 0000000..cf6f5c3
--- /dev/null
+++ b/sepolicy/vendor/hal_sensors_default.te
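Review bot: `allow hal_nfc_default vendor_nfc_prop:file { read open map getattr };` and `allow hal_nfc_default vendor_nfc_prop:property_service set;` duplicate what `set_prop(hal_nfc, vendor_nfc_prop)` two lines above already expands to (hal_nfc_default carries the hal_nfc attribute), and the two nfc_vendor_data_file rules spell out permission sets by hand where `create_dir_perms`/`create_file_perms` are the conventional spelling; the same hand-expansion recurs in sepolicy/vendor/nfc.te (`{ create_dir_perms add_name search read write create remove_name }` — every extra name is already inside create_dir_perms) and sepolicy/vendor/mtk_hal_camera.te (`{read write create open }`). Drop the two raw property rules and use the macros so the grants stay readable and comparable. More importantly, nothing in this change's file_contexts labels any path as `nfc_vendor_data_file`, so unless that label is assigned elsewhere these rules and the nfc.te ones never apply; add the `/data/vendor/<nfc directory>(/.*)?` entry (path to be confirmed) or note in a comment where the label comes from.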
@@ -0,0 +1,35 @@
+# Allow to read sensor devices
+allow hal_sensors_default hal_graphics_allocator_default:fd use;
+allow hal_sensors_default gpu_device:dir create_dir_perms;
+allow hal_sensors_default gpu_device:chr_file rw_file_perms;
+allow hal_sensors_default dri_device:chr_file rw_file_perms;
+allow hal_sensors_default ion_device:dir create_dir_perms;
+allow hal_sensors_default ion_device:chr_file rw_file_perms;
+allow hal_sensors_default system_file:dir r_dir_perms;
+allow hal_sensors_default sysfs_sensor:dir r_dir_perms;
+allow hal_sensors_default sysfs_sensor:file rw_file_perms;
+allow hal_sensors_default hwmsensor_device:chr_file r_file_perms;
+allow hal_sensors_default sensorlist_device:chr_file rw_file_perms;
+allow hal_sensors_default m_acc_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_als_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_ps_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_mag_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_gyro_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_baro_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_hmdy_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_act_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_pedo_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_situ_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_step_c_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_fusion_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default m_bio_misc_device:chr_file rw_file_perms;
+allow hal_sensors_default hf_manager_device:chr_file rw_file_perms;
+allow hal_sensors_default sensor_data_file:file create_file_perms;
+allow hal_sensors_default sensor_data_file:dir create_dir_perms;
+allow hal_sensors_default nvcfg_file:file create_file_perms;
+allow hal_sensors_default nvcfg_file:dir create_dir_perms;
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default merged_hal_service:fd use;
+allow hal_sensors_default sysfs_mtk_nanohub_state:file r_file_perms;
+
+allow hal_sensors_default system_server:binder call;
diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te
new file mode 100644
index 0000000..0c290bf
--- /dev/null
+++ b/sepolicy/vendor/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+allow hal_vibrator_default sysfs_leds:dir search;
+allow hal_vibrator_default sysfs_leds:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
new file mode 100644
index 0000000..543978c
--- /dev/null
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -0,0 +1 @@
+get_prop(hal_wifi_default, persist_vendor_debug_wifi_prop)
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
new file mode 100644
index 0000000..5f294d1
--- /dev/null
+++ b/sepolicy/vendor/hwservice.te
@@ -0,0 +1,5 @@
+# Camera
+type hal_trancamserver_hwservice, hwservice_manager_type;
+
+# NXP NFC
+type nxpnfc_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
new file mode 100644
index 0000000..4079ee3
--- /dev/null
+++ b/sepolicy/vendor/hwservice_contexts
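Review bot: The header `# Allow to read sensor devices` describes only part of the hal_sensors_default block: it also grants `create_dir_perms` on `gpu_device:dir` and `ion_device:dir`, read/write on the gpu, dri and ion char devices, and `allow hal_sensors_default system_server:binder call;` at the end, none of which is explained. A vendor HAL making binder calls into system_server crosses the Treble vendor/core boundary; if the build accepted the rule, the domain is presumably already marked as a violator somewhere, and the service it calls and the denial that motivated it should be recorded beside the rule. `create_dir_perms` on a device directory is almost never what a HAL needs — `r_dir_perms` is the usual grant, with the denial showing the real operation. Split the comment per group, e.g. `# Sensor device nodes`, `# Graphics/ION buffers shared with the sensor HAL (reason?)`, `# Binder call into system_server for <service>`.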
@@ -0,0 +1,17 @@
+# Camera
+vendor.transsion.hardware.trancam.trancamserver::ITrancamserver u:object_r:hal_trancamserver_hwservice:s0
+
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonHbd u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonFido u:object_r:hal_fingerprint_hwservice:s0
+vendor.mediatek.hardware.biometrics.fingerprint::ITranBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+vendor.fptool.fingerprint::IFptoolFingerprint u:object_r:hal_fingerprint_hwservice:s0
+
+# NXP NFC
+vendor.nxp.nxpnfc::INxpNfc u:object_r:nxpnfc_hwservice:s0
+vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:nxpnfc_hwservice:s0
+
+# Wi-Fi
+vendor.transsion.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
new file mode 100644
index 0000000..70e9a5f
--- /dev/null
+++ b/sepolicy/vendor/init.te
@@ -0,0 +1,5 @@
+allow init sysfs_devices_block:file rw_file_perms;
+allow init tranfs_block_device:blk_file { read relabelto };
+
+get_prop(init, vendor_mtk_service_nvram_restore_prop)
+get_prop(init, vts_status_prop)
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
new file mode 100644
index 0000000..28ea638
--- /dev/null
+++ b/sepolicy/vendor/mediacodec.te
@@ -0,0 +1 @@
+get_prop(mediacodec, vendor_mtk_omx_core_prop)
diff --git a/sepolicy/vendor/mtk_hal_camera.te b/sepolicy/vendor/mtk_hal_camera.te
new file mode 100644
index 0000000..374a1f3
--- /dev/null
+++ b/sepolicy/vendor/mtk_hal_camera.te
@@ -0,0 +1,18 @@
+binder_call(mtk_hal_camera, trancamserver)
+
+allow mtk_hal_camera cml421_ois_device:chr_file rw_file_perms;
+allow mtk_hal_camera cwvi5300_device:chr_file rw_file_perms;
+allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
+allow mtk_hal_camera sysfs_dt_firmware_android:file r_file_perms;
+allow mtk_hal_camera sysfs_sub_torch_file:file rw_file_perms;
+allow mtk_hal_camera sysfs_torch_file:file rw_file_perms;
+allow mtk_hal_camera sysfs_tran_cam_file:file rw_file_perms;
+allow mtk_hal_camera transsion_camera_data_file:dir { write search add_name };
+allow mtk_hal_camera transsion_camera_data_file:file {read write create open };
+allow mtk_hal_camera vendor_watermark_data_file:dir { read write open add_name search };
+allow mtk_hal_camera vendor_watermark_data_file:file { read write create getattr open };
+
+allow mtk_hal_camera hal_trancamserver_hwservice:hwservice_manager find;
+
+get_prop(mtk_hal_camera, vendor_camera_prop)
+set_prop(mtk_hal_camera, vendor_mtk_camera_prop)
diff --git a/sepolicy/vendor/mtk_hal_power.te b/sepolicy/vendor/mtk_hal_power.te
new file mode 100644
index 0000000..9bf5eb0
--- /dev/null
+++ b/sepolicy/vendor/mtk_hal_power.te
@@ -0,0 +1,3 @@
+allow mtk_hal_power proc_meminfo:file r_file_perms;
+allow mtk_hal_power proc_gesture_function:file rw_file_perms;
+allow mtk_hal_power proc_main_gesture_function:file rw_file_perms;
diff --git a/sepolicy/vendor/mtk_hal_pq.te b/sepolicy/vendor/mtk_hal_pq.te
new file mode 100644
index 0000000..e5f4402
--- /dev/null
+++ b/sepolicy/vendor/mtk_hal_pq.te
@@ -0,0 +1 @@
+allow mtk_hal_pq ion_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/netdagent.te b/sepolicy/vendor/netdagent.te
new file mode 100644
index 0000000..71fb897
--- /dev/null
+++ b/sepolicy/vendor/netdagent.te
@@ -0,0 +1 @@
+dontaudit netdagent self:udp_socket create_socket_perms;
diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te
new file mode 100644
index 0000000..9861d46
--- /dev/null
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -0,0 +1,4 @@
+allow netutils_wrapper ccci_vts_device:chr_file rw_file_perms;
+allow netutils_wrapper ccci_wifi_proxy_device:chr_file rw_file_perms;
+allow netutils_wrapper rild:file r_file_perms;
+allow netutils_wrapper ccci_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/nfc.te b/sepolicy/vendor/nfc.te
new file mode 100644
index 0000000..fc1e317
--- /dev/null
+++ b/sepolicy/vendor/nfc.te
@@ -0,0 +1,5 @@
+# allow NFC process to call into the NFC HAL
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nxpnfc_hwservice:hwservice_manager find;
+allow nfc nfc_vendor_data_file:dir { create_dir_perms add_name search read write create remove_name };
+allow nfc nfc_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/nvram_daemon.te b/sepolicy/vendor/nvram_daemon.te
new file mode 100644
index 0000000..e32e129
--- /dev/null
+++ b/sepolicy/vendor/nvram_daemon.te
@@ -0,0 +1 @@
+set_prop(nvram_daemon, vendor_mtk_service_nvram_restore_prop)
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
new file mode 100644
index 0000000..01c54c5
--- /dev/null
+++ b/sepolicy/vendor/platform_app.te
@@ -0,0 +1,2 @@
+#============= platform_app ==============
+allow platform_app nfc_service:service_manager find;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
new file mode 100644
index 0000000..b2c9a62
--- /dev/null
+++ b/sepolicy/vendor/priv_app.te
@@ -0,0 +1 @@
+allow priv_app metadata_file:dir { read open getattr };
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
new file mode 100644
index 0000000..df2d351
--- /dev/null
+++ b/sepolicy/vendor/property.te
@@ -0,0 +1,8 @@
+# Audio
+vendor_internal_prop(vendor_audio_prop)
+
+# NVRAM
+vendor_restricted_prop(vendor_mtk_service_nvram_restore_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
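Review bot: `allow netutils_wrapper ccci_device:chr_file rw_file_perms;`, together with the ccci_vts_device, ccci_wifi_proxy_device and `rild:file r_file_perms` lines, gives the iptables wrapper read/write access to modem control devices it has no reason to touch itself; denials of this shape almost always come from descriptors a caller left open across its exec into netutils_wrapper. netutils_wrapper exists as a narrow, audited helper, and every domain allowed to run it now inherits a path to those devices through it. Fix the calling domain (close the descriptors or mark them close-on-exec before the exec) and drop these four rules, or at most turn them into dontaudit; if any rule must stay, record the caller in a comment such as `# fds inherited from <calling domain>; see <avc line>`.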
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
new file mode 100644
index 0000000..69d4376
--- /dev/null
+++ b/sepolicy/vendor/property_contexts
@@ -0,0 +1,35 @@
+# Audio
+ro.vendor.qti.va_aosp.support u:object_r:vendor_audio_prop:s0
+
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+ro.mtk_cam_dualzoom_support u:object_r:vendor_mtk_camera_prop:s0
+ro.mtk_cam_stereo_camera_support u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.seninf.hs_trail u:object_r:vendor_mtk_camera_prop:s0
+
+st_repair.debug. u:object_r:exported_default_prop:s0
+RUNTIME_OVERRIDE_OPENCL_MEM_TYPE u:object_r:exported_default_prop:s0
+RUNTIME_OVERRIDE_LOG_LEVEL u:object_r:exported_default_prop:s0
+demo. u:object_r:exported_default_prop:s0
+
+# Display
+ro.vendor.mtk_hdr_video_support u:object_r:vendor_mtk_default_prop:s0
+
+# Fingerprint
+persist.vendor.goodix.dump_data u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.sys.fp.goodix.spmt.flag u:object_r:vendor_fingerprint_prop:s0
+vendor.fp.goodix.X.offset u:object_r:vendor_fingerprint_prop:s0
+vendor.fp.goodix.Y.offset u:object_r:vendor_fingerprint_prop:s0
+vendor.fp.transsion.lcmname u:object_r:vendor_fingerprint_prop:s0
+
+# Key manager
+ro.mtk_key_manager_support u:object_r:vendor_mtk_default_prop:s0
+
+# NFC properties
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# NVRAM
+vendor.service.nvram_restore u:object_r:vendor_mtk_service_nvram_restore_prop:s0
+
+# VT
+ro.vendor.vt. u:object_r:vendor_mtk_vendor_vt_prop:s0
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
new file mode 100644
index 0000000..590b041
--- /dev/null
+++ b/sepolicy/vendor/system_server.te
@@ -0,0 +1,3 @@
+allow system_server sysfs_OTG_STATE_file:file { read write getattr open };
+
+get_prop(system_server, wifi_hal_prop)
diff --git a/sepolicy/vendor/thermal_core.te b/sepolicy/vendor/thermal_core.te
new file mode 100644
index 0000000..34bbec7
--- /dev/null
+++ b/sepolicy/vendor/thermal_core.te
@@ -0,0 +1 @@
+allow thermal_core sysfs_thermal:dir search;
diff --git a/sepolicy/vendor/trancamserver.te b/sepolicy/vendor/trancamserver.te
new file mode 100644
index 0000000..308ef1d
--- /dev/null
+++ b/sepolicy/vendor/trancamserver.te
@@ -0,0 +1,7 @@
+type trancamserver, domain, halserverdomain;
+type trancamserver_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(trancamserver)
+
+allow trancamserver hal_trancamserver_hwservice:hwservice_manager { find add };
+allow trancamserver hidl_base_hwservice:hwservice_manager add;
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
new file mode 100644
index 0000000..74a4849
--- /dev/null
+++ b/sepolicy/vendor/untrusted_app.te
@@ -0,0 +1,3 @@
+allow untrusted_app unlabeled:filesystem getattr;
+
+get_prop(untrusted_app, vendor_camera_prop)
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
new file mode 100644
index 0000000..c6007de
--- /dev/null
+++ b/sepolicy/vendor/vendor_init.te
@@ -0,0 +1,6 @@
+allow vendor_init cgroup:file rw_file_perms;
+allow vendor_init proc:file write;
+allow vendor_init storage_dbg_data_file:dir create_dir_perms;
+
+set_prop(vendor_init, vendor_mtk_camera_prop)
+get_prop(vendor_init, vts_status_prop)
diff --git a/sepolicy/vendor/vtservice.te b/sepolicy/vendor/vtservice.te
new file mode 100644
index 0000000..0112c00
--- /dev/null
+++ b/sepolicy/vendor/vtservice.te
@@ -0,0 +1 @@
+get_prop(vtservice, vendor_mtk_vendor_vt_prop)
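Review bot: `allow untrusted_app unlabeled:filesystem getattr;` in sepolicy/vendor/untrusted_app.te papers over a filesystem that is mounted without any label: unlabeled objects have no policy of their own, so the durable fix is to give that mount a type (a genfscon or fs_use rule) rather than teaching every third-party app to tolerate it. If the mount genuinely has to stay unlabeled, name it in a comment and prefer `dontaudit untrusted_app unlabeled:filesystem getattr;`, since the getattr brings apps no functional benefit worth granting. `get_prop(untrusted_app, vendor_camera_prop)` also exposes every `persist.vendor.camera.` property to all third-party apps; confirm nothing sensitive (calibration values, debug switches) lives under that prefix before leaving the read open.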
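Review bot: `allow vendor_init proc:file write;` in sepolicy/vendor/vendor_init.te grants writes to any procfs node that still carries the generic `proc` label, which is the catch-all for everything not yet split into a proc_* type, so the rule is far wider than the one knob the .rc file is presumably writing. Find the node from the denial, label it with a genfscon entry and a dedicated type the way this change already does for `/gesture_function`, and grant write on that type alone. `allow vendor_init cgroup:file rw_file_perms;` likewise deserves a comment naming the cgroup setting being tuned.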