mirror/android_device_Unihertz_Jelly2
1
0
Fork 0
mirror of https://github.com/Meetoul/android_device_Unihertz_Jelly2.git synced 2025-12-23 15:18:06 -05:00
Code Issues Packages Projects Releases Wiki Activity

Also move private sepolicy to common

Browse Source
This commit is contained in:
Matthias Leitl
2021-03-26 16:47:17 +01:00
parent 406555db94
commit 1e83892eba
80 changed files with 1013 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
BoardConfigCommon.mk
View File

@@ -101,7 +101,7 @@ TARGET_USES_MKE2FS := true
# Sepolicy
TARGET_USES_PREBUILT_VENDOR_SEPOLICY := true
TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR := true
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(DEVICE_PATH)/sepolicy/private
BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(COMMON_DEVICE_PATH)/sepolicy/private
BOARD_PLAT_PUBLIC_SEPOLICY_DIR := $(COMMON_DEVICE_PATH)/sepolicy/public
BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_DEVICE_PATH)/sepolicy/vendor

4
deviceCommon.mk
View File

@@ -123,6 +123,10 @@ PRODUCT_PACKAGES += \
android.hardware.radio@1.4 \
android.hardware.vibrator@1.0 \
android.hardware.vibrator@1.3
# Additional tools
PRODUCT_PACKAGES += \
unpack_bootimg
# Keylayouts
PRODUCT_COPY_FILES += \

9
sepolicy/private/GoogleOtaBinder.te Normal file
View File

@@ -0,0 +1,9 @@
type GoogleOtaBinder_exec, file_type, exec_type, system_file_type;
init_daemon_domain(GoogleOtaBinder);
binder_use(GoogleOtaBinder);
allow GoogleOtaBinder mota_proc_file:file {read};
allow GoogleOtaBinder ota_package_file:dir {search};
allow GoogleOtaBinder ota_package_file:file {read write getattr open};
allow GoogleOtaBinder sysfs_dt_firmware_android:file {read};

19
sepolicy/private/aal.te Normal file
View File

@@ -0,0 +1,19 @@
type aal, domain, binderservicedomain, coredomain;
type aal_exec, file_type, exec_type, system_file_type;
type mtk_aal_prop, property_type, extended_core_property_type;
type aal_service, service_manager_type;
init_daemon_domain(aal);
binder_use(aal);
binder_call(aal,binderservicedomain);
allow aal graphics_device:chr_file {ioctl read open};
allow aal graphics_device:dir {search};
allow aal aal_service:service_manager {add};
allow aal permission_service:service_manager {find};
allow aal sensorservice_service:service_manager {find};
allow aal system_server:unix_stream_socket {read write};
allow aal property_socket:sock_file {write};
allow aal init:unix_stream_socket {connectto};
allow aal mtk_aal_prop:property_service {set};
allow aal mtk_aal_prop:file {read getattr map open};

1
sepolicy/private/access_sys_file.te Normal file
View File

@@ -0,0 +1 @@
type access_sys_file, fs_type, sysfs_type;

2
sepolicy/private/adbd.te Normal file
View File

@@ -0,0 +1,2 @@
allow adbd debuglog_data_file:dir {ioctl read getattr lock search open};
allow adbd debuglog_data_file:file {ioctl read getattr lock map open};

53
sepolicy/private/aee_aed.te Normal file
View File

@@ -0,0 +1,53 @@
type aee_aed_exec, file_type, exec_type, system_file_type;
init_daemon_domain(aee_aed);
type_transition aee_aed dumpstate_exec:process dumpstate;
allow aee_aed block_device:dir {search};
allow aee_aed sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow aee_aed sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow aee_aed anr_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow aee_aed anr_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow aee_aed domain:process {sigkill signal getsched getattr};
allow aee_aed domain:lnk_file {getattr};
allow aee_aed usermodehelper:file {ioctl read getattr lock map open};
allow aee_aed system_file:file {execute_no_trans};
allow aee_aed init:process {getsched};
allow aee_aed kernel:process {getsched};
allow aee_aed system_data_file:dir {write create add_name};
allow aee_aed system_data_file:file {ioctl read getattr lock map open};
allow aee_aed toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow aee_aed mnt_user_file:dir {search};
allow aee_aed mnt_user_file:lnk_file {read};
allow aee_aed storage_file:dir {search};
allow aee_aed storage_file:lnk_file {read};
allow aee_aed dumpstate_exec:file {read getattr map execute open};
allow aee_aed dumpstate:process {transition};
dontaudit aee_aed dumpstate:process {noatsecure};
allow aee_aed dumpstate:process {siginh rlimitinh};
allow aee_aed tombstone_data_file:dir {write lock add_name remove_name search open};
allow aee_aed tombstone_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow aee_aed self:capability {chown fowner fsetid kill setgid setuid net_admin sys_module sys_nice sys_resource};
allow aee_aed shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow aee_aed dumpstate:unix_stream_socket {ioctl read write};
allow aee_aed dumpstate:dir {search};
allow aee_aed dumpstate:file {ioctl read getattr lock map open};
allow aee_aed logdr_socket:sock_file {write};
allow aee_aed logd:unix_stream_socket {connectto};
allow aee_aed sysfs_vibrator:file {write lock append map open};
allow aee_aed domain:dir {ioctl read getattr lock search open};
allow aee_aed domain:file {ioctl read getattr lock map open};
allow aee_aed domain:lnk_file {ioctl read getattr lock map open};
allow aee_aed dalvikcache_data_file:dir {ioctl read getattr lock search open};
allow aee_aed crash_dump:dir {search};
allow aee_aed crash_dump:file {ioctl read getattr lock map open};
allow aee_aed proc_version:file {read open};
allow aee_aed self:capability {chown fowner kill sys_nice};
allow aee_aed dropbox_data_file:file {read getattr};
allow aee_aed dropbox_service:service_manager {find};
allow aee_aed servicemanager:binder {call};
allow aee_aed system_server:binder {call};
allow aee_aed packages_list_file:file {ioctl read getattr lock map open};
allow aee_aed system_file_type:file {ioctl read getattr lock map open};
allow aee_aed self:process {ptrace};

28
sepolicy/private/aee_core.te Normal file
View File

@@ -0,0 +1,28 @@
type aee_core_forwarder_exec, file_type, exec_type, system_file_type;
init_daemon_domain(aee_core_forwarder);
domain_auto_trans(kernel,aee_core_forwarder_exec,aee_core_forwarder);
allow aee_core_forwarder sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow aee_core_forwarder sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow aee_core_forwarder self:capability {fsetid setgid};
allow aee_core_forwarder kernel:fifo_file {read};
allow aee_core_forwarder domain:dir {ioctl read getattr lock search open};
allow aee_core_forwarder domain:file {ioctl read getattr lock map open};
allow aee_core_forwarder sysfs_wake_lock:file {ioctl read write getattr lock append map open};
allow aee_core_forwarder self:capability2 {block_suspend};
allow aee_core_forwarder mnt_user_file:dir {search};
allow aee_core_forwarder mnt_user_file:lnk_file {read};
allow aee_core_forwarder storage_file:dir {search};
allow aee_core_forwarder storage_file:lnk_file {read};
dontaudit aee_core_forwarder untrusted_app:dir {search};
allow aee_core_forwarder kernel:fd {use};
allow aee_core_forwarder tmpfs:dir {search};
allow aee_core_forwarder rootfs:file {ioctl read getattr lock map open};
dontaudit aee_core_forwarder self:capability {sys_ptrace};
allow aee_core_forwarder media_rw_data_file:dir {write lock add_name remove_name search open};
allow aee_core_forwarder media_rw_data_file:file {write create open};
allow aee_core_forwarder self:capability {sys_nice};
allow aee_core_forwarder hwservicemanager_prop:file {read getattr map open};
allow aee_core_forwarder aee_aed:unix_stream_socket {connectto};
allow aee_core_forwarder kernel:process {sigchld};

1
sepolicy/private/agui_network_manager.te Normal file
View File

@@ -0,0 +1 @@
type agui_network_manager_prop, property_type, extended_core_property_type;

6
sepolicy/private/atci.te Normal file
View File

@@ -0,0 +1,6 @@
type atci_service_sys_exec, file_type, exec_type, system_file_type;
type atci_data_file, file_type, data_file_type, core_data_file_type;
type ctl_atci_service_prop, property_type, extended_core_property_type;
type mtk_atci_sys_prop, property_type, extended_core_property_type;
init_daemon_domain(atci_service_sys);

1
sepolicy/private/atcid.te Normal file
View File

@@ -0,0 +1 @@
type ctl_atcid-daemon-u_prop, property_type, extended_core_property_type;

22
sepolicy/private/audioserver.te Normal file
View File

@@ -0,0 +1,22 @@
allow audioserver radio:dir {read search};
allow audioserver radio:file {ioctl read getattr lock map open};
allow audioserver radio_data_file:dir {search};
allow audioserver radio_data_file:file {open};
allow audioserver kmsg_device:chr_file {write open};
allow audioserver bootanim:binder {call transfer};
allow audioserver media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow audioserver media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow audioserver mnt_user_file:dir {read write search};
allow audioserver mnt_user_file:lnk_file {read write};
allow audioserver mtkbootanimation:binder {call transfer};
allow audioserver sdcard_type:dir {remove_name};
allow audioserver sdcard_type:dir {write create lock add_name remove_name search open};
allow audioserver sdcard_type:file {append};
allow audioserver sdcard_type:file {create};
allow audioserver sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow audioserver sdcard_type:file {unlink};
allow audioserver self:netlink_kobject_uevent_socket {read create};
allow audioserver storage_file:dir {ioctl read getattr lock search open};
allow audioserver storage_file:lnk_file {read write};
allow audioserver system_data_file:file {open};
allow audioserver untrusted_app:dir {search};

10
sepolicy/private/batterywarning.te Normal file
View File

@@ -0,0 +1,10 @@
type batterywarning, domain, coredomain;
type batterywarning_exec, file_type, exec_type, system_file_type;
init_daemon_domain(batterywarning);
binder_use(batterywarning);
allow batterywarning system_server:binder {call};
allow batterywarning activity_service:service_manager {find};
allow batterywarning sysfs_battery_warning:file {read getattr open};
allow batterywarning self:netlink_kobject_uevent_socket {read write create getattr setattr lock append map bind connect getopt setopt shutdown};

21
sepolicy/private/bluetooth.te Normal file
View File

@@ -0,0 +1,21 @@
allow bluetooth debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow bluetooth debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth fuse:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth fuse:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth mnt_media_rw_file:dir {search};
allow bluetooth mnt_user_file:dir {search};
allow bluetooth mnt_user_file:lnk_file {read};
allow bluetooth rootfs:lnk_file {getattr};
allow bluetooth sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth sdcardfs:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth sdcardfs:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow bluetooth storage_file:lnk_file {read};
allow bluetooth sysfs_wake_lock:file {ioctl read write getattr lock append map open};
allow bluetooth tmpfs:lnk_file {read};
allow bluetooth vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow bluetooth vfat:file {ioctl read write create getattr setattr lock append map unlink rename open};

20
sepolicy/private/boot_logo_updater.te Normal file
View File

@@ -0,0 +1,20 @@
type boot_logo_updater_exec, file_type, exec_type, system_file_type;
init_daemon_domain(boot_logo_updater);
allow boot_logo_updater system_prop:property_service {set};
allow boot_logo_updater graphics_device:chr_file {ioctl read write getattr lock append map open};
allow boot_logo_updater init:unix_stream_socket {connectto};
allow boot_logo_updater property_socket:sock_file {write};
allow boot_logo_updater block_device:dir {search};
allow boot_logo_updater graphics_device:dir {search};
allow boot_logo_updater mtd_device:chr_file {ioctl read getattr lock map open};
allow boot_logo_updater mtd_device:dir {search};
allow boot_logo_updater device:dir {write};
allow boot_logo_updater kmsg_device:chr_file {write lock append map open};
allow boot_logo_updater rootfs:file {ioctl read getattr lock map open};
allow boot_logo_updater sysfs:dir {read};
allow boot_logo_updater mtd_device:blk_file {read};
allow boot_logo_updater sysfs:dir {open};
allow boot_logo_updater system_data_file:dir {write};
allow boot_logo_updater mtd_device:blk_file {open};

12
sepolicy/private/bootanim.te Normal file
View File

@@ -0,0 +1,12 @@
typeattribute bootanim hal_gpu_client;
allow bootanim debug_prop:property_service {set};
allow bootanim gpu_device:dir {search};
allow bootanim init:unix_stream_socket {connectto};
allow bootanim mediaserver:binder {call transfer};
allow bootanim mediaserver_service:service_manager {find};
allow bootanim property_socket:sock_file {write};
allow bootanim resourcecache_data_file:dir {search};
allow bootanim resourcecache_data_file:file {read getattr open};
allow bootanim resourcecache_data_file:file {read};
allow bootanim surfaceflinger:fifo_file {ioctl read write getattr lock append map open};

22
sepolicy/private/camerapostalgo.te Normal file
View File

@@ -0,0 +1,22 @@
type camerapostalgo_exec, file_type, exec_type, system_file_type;
type camerapostalgo_service, service_manager_type;
type ctl_campostalgo_prop, property_type, extended_core_property_type;
init_daemon_domain(camerapostalgo);
binder_use(camerapostalgo);
hwbinder_use(camerapostalgo);
binder_call(camerapostalgo,platform_app);
binder_call(camerapostalgo,surfaceflinger);
allow camerapostalgo hwservicemanager_prop:file {read getattr map open};
allow camerapostalgo camerapostalgo_service:service_manager {add find};
allow camerapostalgo gpu_device:dir {search};
allow camerapostalgo gpu_device:chr_file {ioctl read write getattr lock append map open};
allow camerapostalgo ion_device:chr_file {ioctl read getattr lock map open};
allow camerapostalgo sdcardfs:dir {search};
allow camerapostalgo mnt_user_file:dir {search};
allow camerapostalgo storage_file:lnk_file {ioctl read getattr lock map open};
allow camerapostalgo mnt_user_file:lnk_file {ioctl read getattr lock map open};
allow camerapostalgo sdcardfs:file {ioctl read getattr lock map open};
allow camerapostalgo media_rw_data_file:dir {ioctl read write getattr lock add_name remove_name search open};
allow camerapostalgo media_rw_data_file:file {ioctl read write getattr lock append map open};

19
sepolicy/private/cmddumper.te Normal file
View File

@@ -0,0 +1,19 @@
type cmddumper_exec, file_type, exec_type, system_file_type;
init_daemon_domain(cmddumper);
allow cmddumper system_data_file:dir {ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open};
allow cmddumper system_data_file:fifo_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow cmddumper sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow cmddumper sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow cmddumper init:unix_stream_socket {connectto};
allow cmddumper property_socket:sock_file {read write};
allow cmddumper platform_app:unix_stream_socket {connectto};
allow cmddumper shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow cmddumper system_file:file {getattr map execute execute_no_trans};
allow cmddumper media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow cmddumper media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow cmddumper file_contexts_file:file {read getattr open};
allow cmddumper debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow cmddumper debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow cmddumper system_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};

6
sepolicy/private/connsyslogger.te Normal file
View File

@@ -0,0 +1,6 @@
type connsyslogger_exec, file_type, exec_type, system_file_type;
init_daemon_domain(connsyslogger);
allow connsyslogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow connsyslogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};

1
sepolicy/private/crash_dump.te Normal file
View File

@@ -0,0 +1 @@
allow crash_dump aee_aed:unix_stream_socket {connectto};

1
sepolicy/private/debuglog.te Normal file
View File

@@ -0,0 +1 @@
type debuglog_data_file, file_type, data_file_type, core_data_file_type;

2
sepolicy/private/dnsmasq.te Normal file
View File

@@ -0,0 +1,2 @@
allow dnsmasq netd:process {sigchld};
allow dnsmasq netd:file {read};

1
sepolicy/private/domain.te Normal file
View File

@@ -0,0 +1 @@
allow domain aee_aed:process {sigchld};

2
sepolicy/private/drmserver.te Normal file
View File

@@ -0,0 +1,2 @@
allow drmserver mtk_cta_set_prop:file {read getattr map open};
allow drmserver access_sys_file:file {read open};

20
sepolicy/private/dumpstate.te Normal file
View File

@@ -0,0 +1,20 @@
typeattribute dumpstate hal_camera_client;
allow dumpstate aee_aed:process {sigchld};
allow dumpstate mobile_log_d:fd {use};
allow dumpstate mobile_log_d:fifo_file {write};
allow dumpstate mobile_log_d:process {sigchld};
allow dumpstate mobile_log_d:unix_stream_socket {read write};
allow dumpstate kmsg_device:chr_file {ioctl read getattr lock map open};
allow dumpstate sysfs_vibrator:file {write};
allow dumpstate fuse:dir {write lock add_name remove_name search open};
allow dumpstate fuse:file {ioctl};
allow dumpstate fuse:file {write create setattr append open};
allow dumpstate debugfs_tracing:file {read write open};
allow dumpstate gpu_device:dir {search};
allow dumpstate hal_camera_hwservice:hwservice_manager {find};
allow dumpstate logcat_exec:file {read getattr map execute entrypoint open};
allow dumpstate mnt_user_file:dir {search};
allow dumpstate mnt_user_file:lnk_file {read};
allow dumpstate self:capability {sys_nice};
allow dumpstate storage_file:lnk_file {read};

22
sepolicy/private/em_svr.te Normal file
View File

@@ -0,0 +1,22 @@
type em_svr_exec, file_type, exec_type, system_file_type;
init_daemon_domain(em_svr);
binder_use(em_svr);
binder_call(em_svr,surfaceflinger);
allow em_svr block_device:dir {search};
allow em_svr sdcardfs:dir {write add_name search};
allow em_svr sdcardfs:file {write create open};
allow em_svr media_rw_data_file:dir {read write add_name search open};
allow em_svr media_rw_data_file:file {write create open};
allow em_svr graphics_device:dir {search};
allow em_svr graphics_device:chr_file {ioctl read write open};
allow em_svr surfaceflinger_service:service_manager {find};
allow em_svr sysfs_leds:dir {search};
allow em_svr self:capability {chown fsetid};
allow em_svr shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow em_svr toolbox_exec:file {read getattr execute execute_no_trans open};
allow em_svr sysfs:dir {read open};
allow em_svr sysfs_batteryinfo:dir {search};
allow em_svr sysfs_dt_firmware_android:dir {read search open};
allow em_svr sysfs_dt_firmware_android:file {read getattr open};

36
sepolicy/private/emdlogger.te Normal file
View File

@@ -0,0 +1,36 @@
type emdlogger_exec, file_type, exec_type, system_file_type;
init_daemon_domain(emdlogger);
binder_use(emdlogger);
allow emdlogger sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow emdlogger sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow emdlogger platform_app:unix_stream_socket {connectto};
allow emdlogger shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow emdlogger system_file:file {execute_no_trans};
allow emdlogger zygote_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow emdlogger vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow emdlogger vfat:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow emdlogger mnt_user_file:dir {search};
allow emdlogger mnt_user_file:lnk_file {read};
allow emdlogger storage_file:lnk_file {read};
allow emdlogger mnt_media_rw_file:dir {search};
allow emdlogger rootfs:file {ioctl read getattr lock map open};
allow emdlogger storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow emdlogger tmpfs:lnk_file {read};
allow emdlogger storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow emdlogger system_file:dir {read};
allow emdlogger toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow emdlogger media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow emdlogger media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow emdlogger proc_cmdline:file {read getattr open};
allow emdlogger sysfs_dt_firmware_android:dir {read search open};
allow emdlogger tmpfs:dir {write};
allow emdlogger sysfs_dt_firmware_android:file {read getattr open};
allow emdlogger system_file:dir {open};
allow emdlogger vendor_default_prop:file {read getattr open};
allow emdlogger mddb_filter_data_file:dir {ioctl read getattr lock search open};
allow emdlogger mddb_filter_data_file:file {ioctl read getattr lock map open};
allow emdlogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow emdlogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow emdlogger system_prop:file {read getattr map open};

5
sepolicy/private/fastbootd.te Normal file
View File

@@ -0,0 +1,5 @@
recovery_only(`
userdebug_or_eng(`
permissive fastbootd;
')
')

43
sepolicy/private/file_contexts Normal file
View File

@@ -0,0 +1,43 @@
/system/bin/aee_aed u:object_r:aee_aed_exec:s0
/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0
/system/bin/atci_service_sys u:object_r:atci_service_sys_exec:s0
/data/ramdump(/.*)? u:object_r:debuglog_data_file:s0
/data/debuglogger(/.*)? u:object_r:debuglog_data_file:s0
/system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
/data/system_de/mdfilter(/.*)? u:object_r:mddb_filter_data_file:s0
/system/bin/mdlogger u:object_r:mdlogger_exec:s0
/dev/ubi[_0-9]* u:object_r:mtd_device:s0
/dev/block/mtd(.*)? u:object_r:mtd_device:s0
/dev/block/mntlblk(.*)? u:object_r:mtd_device:s0
/dev/ubi_ctrl u:object_r:mtd_device:s0
/system/bin/mtk_advcamserver u:object_r:mtk_advcamserver_exec:s0
/system/bin/storagemanagerd u:object_r:vold_exec:s0
/system/bin/mdi_redirector u:object_r:mdi_redirector_exec:s0
/system/bin/mdmi_redirector u:object_r:mdmi_redirector_exec:s0
/system/bin/aal u:object_r:aal_exec:s0
/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
/system/bin/cmddumper u:object_r:cmddumper_exec:s0
/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
/system/bin/em_svr u:object_r:em_svr_exec:s0
/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
/system/bin/batterywarning u:object_r:batterywarning_exec:s0
/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0
/dev/mcupm(/.*)? u:object_r:mcupm_device:s0
/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0
/system/bin/netdiag u:object_r:netdiag_exec:s0
/system/bin/sn u:object_r:sn_exec:s0
/system/bin/usp_service u:object_r:usp_service_exec:s0
/system/bin/camerapostalgo u:object_r:camerapostalgo_exec:s0
/system/bin/terservice u:object_r:terservice_exec:s0
/system/bin/thermald u:object_r:thermald_exec:s0
/system/bin/GoogleOtaBinder u:object_r:GoogleOtaBinder_exec:s0
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
/system/bin/mtkbootanimation u:object_r:mtkbootanimation_exec:s0
/system/bin/met_log_d u:object_r:met_log_d_exec:s0
/system/bin/resize.f2fs u:object_r:fsck_exec:s0
/system/bin/resize2fs u:object_r:fsck_exec:s0
/eng u:object_r:rootfs:s0
/system/bin/mmp u:object_r:mmp_exec:s0

18
sepolicy/private/genfs_contexts Normal file
View File

@@ -0,0 +1,18 @@
genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/musb-mtu3d/musb-hdrc/portmode u:object_r:sysfs_portmode:s0
genfscon sysfs /devices/platform/11201000.mtu3_0/portmode u:object_r:sysfs_portmode:s0
genfscon sysfs /bus/platform/devices/musb-hdrc/portmode u:object_r:sysfs_portmode:s0
genfscon sysfs /class/udc/musb-hdrc/device/portmode u:object_r:sysfs_portmode:s0
genfscon sysfs /devices/platform/mt_usb/portmode u:object_r:sysfs_portmode:s0
genfscon sysfs /class/android_usb/android0 u:object_r:sysfs_android0_usb:s0
genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
genfscon sysfs /devices/platform/mt_usb/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
genfscon sysfs /devices/platform/11201000.mtu3_0/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
genfscon sysfs /devices/platform/11201000.usb3/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
genfscon sysfs /class/udc/musb-hdrc/device/comde u:object_r:sysfs_musb_hdrc:s0
genfscon sysfs /devices/platform/mt-battery/BatteryNotify u:object_r:sysfs_battery_warning:s0
genfscon sysfs /devices/platform/charger/BatteryNotify u:object_r:sysfs_battery_warning:s0
genfscon sysfs /devices/virtual/misc/mcupm u:object_r:sysfs_mcupm:s0
genfscon sysfs /devices/platform/mt_usb/cmode u:object_r:sysfs_mt_usb:s0
genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
genfscon proc /driver/cl_cam_status u:object_r:proc_cl_cam_status:s0

1
sepolicy/private/hal_graphics_allocator.te Normal file
View File

@@ -0,0 +1 @@
allow hal_graphics_allocator proc:file {ioctl read getattr open};

11
sepolicy/private/init.te Normal file
View File

@@ -0,0 +1,11 @@
allow init vendor_configs_file:{ dir file } mounton;
allow init vendor_overlay_file:{ dir file } mounton;
allow init mtk_cta_set_prop:property_service {set};
allow init mtk_cta_set_prop:file {read getattr map open};
allow init mtk_rsc_sys_prop:property_service {set};
allow init mtk_rsc_sys_prop:file {read getattr map open};
allow init sysfs_devices_system_cpu:file {relabelfrom};
allow init debugfs_tracing:dir {write};
allow init debugfs_tracing:file {write};
allow init self:capability {sys_module};
allow init system_file:system {module_load};

31
sepolicy/private/kpoc_charger.te Normal file
View File

@@ -0,0 +1,31 @@
type kpoc_charger_exec, file_type, exec_type, system_file_type;
init_daemon_domain(kpoc_charger);
allow kpoc_charger block_device:dir {search};
allow kpoc_charger graphics_device:dir {search};
allow kpoc_charger graphics_device:chr_file {ioctl read write getattr lock append map open};
allow kpoc_charger input_device:dir {read search open};
allow kpoc_charger input_device:chr_file {ioctl read write open};
allow kpoc_charger property_socket:sock_file {write};
allow kpoc_charger self:capability {sys_nice};
allow kpoc_charger self:capability {net_admin};
allow kpoc_charger self:netlink_kobject_uevent_socket {read create bind setopt};
allow kpoc_charger sysfs:dir {ioctl read getattr lock search open};
allow kpoc_charger kmsg_device:chr_file {write open};
allow kpoc_charger rtc_device:chr_file {read write open};
allow kpoc_charger init:unix_stream_socket {connectto};
allow kpoc_charger self:capability {sys_boot};
allow kpoc_charger mtd_device:dir {search};
allow kpoc_charger mtd_device:chr_file {read};
allow kpoc_charger mtd_device:chr_file {read open};
allow kpoc_charger rootfs:file {ioctl read getattr lock map open};
allow kpoc_charger sysfs_leds:dir {ioctl read getattr lock search open};
allow kpoc_charger sysfs_batteryinfo:dir {ioctl read getattr lock search open};
allow kpoc_charger sysfs_power:file {read write getattr open};
allow kpoc_charger sysfs_dt_firmware_android:dir {ioctl read getattr lock search open};
allow kpoc_charger sysfs_dt_firmware_android:file {ioctl read getattr lock map open};
allow kpoc_charger sysfs_dt_firmware_android:lnk_file {ioctl read getattr lock map open};
allow kpoc_charger sysfs_dt_firmware_android:dir {read search open};
allow kpoc_charger proc_cmdline:file {ioctl read getattr lock map open};
allow kpoc_charger sysfs_battery_warning:file {ioctl read getattr lock map open};

1
sepolicy/private/lmkd.te Normal file
View File

@@ -0,0 +1 @@
allow lmkd proc_vmstat:file {ioctl read getattr lock map open};

6
sepolicy/private/loghidlsysservice.te Normal file
View File

@@ -0,0 +1,6 @@
type loghidlsysservice_exec, file_type, exec_type, system_file_type;
init_daemon_domain(loghidlsysservice);
allow loghidlsysservice emdlogger:unix_stream_socket {connectto};
allow loghidlsysservice mobile_log_d:unix_stream_socket {connectto};

44
sepolicy/private/ls_dbg.te Normal file
View File

@@ -0,0 +1,44 @@
type lbs_dbg, domain, coredomain, halclientdomain, mtk_hal_lbs_client;
type lbs_dbg_exec, file_type, exec_type, system_file_type;
init_daemon_domain(lbs_dbg);
type_transition lbs_dbg system_data_file:dir lbs_dbg_data_file;
type_transition lbs_dbg system_data_file:fifo_file lbs_dbg_data_file;
type_transition lbs_dbg system_data_file:sock_file lbs_dbg_data_file;
type_transition lbs_dbg system_data_file:lnk_file lbs_dbg_data_file;
type_transition lbs_dbg system_data_file:file lbs_dbg_data_file;
allow lbs_dbg hwservicemanager_prop:file {read};
allow lbs_dbg lbs_dbg_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow lbs_dbg lbs_dbg_data_file:fifo_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow lbs_dbg lbs_dbg_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow lbs_dbg lbs_dbg_data_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow lbs_dbg lbs_dbg_data_file:sock_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow lbs_dbg media_rw_data_file:dir {create add_name};
allow lbs_dbg media_rw_data_file:dir {read open};
allow lbs_dbg media_rw_data_file:dir {search};
allow lbs_dbg media_rw_data_file:dir {write remove_name};
allow lbs_dbg media_rw_data_file:file {getattr};
allow lbs_dbg media_rw_data_file:file {unlink};
allow lbs_dbg media_rw_data_file:file {write create rename open};
allow lbs_dbg sdcard_type:dir {ioctl read getattr lock search open};
allow lbs_dbg sdcard_type:filesystem {unmount};
allow lbs_dbg sdcardfs:dir {write create add_name remove_name};
allow lbs_dbg sdcardfs:file {getattr rename};
allow lbs_dbg sdcardfs:file {unlink};
allow lbs_dbg sdcardfs:file {write create open};
allow lbs_dbg self:netlink_route_socket {read write create getattr bind nlmsg_read nlmsg_write};
allow lbs_dbg self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow lbs_dbg self:udp_socket {ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown};
allow lbs_dbg storage_file:dir {write create mounton add_name search};
allow lbs_dbg storage_file:lnk_file {read};
allow lbs_dbg sysfs:dir {read open};
allow lbs_dbg sysfs_leds:dir {search};
allow lbs_dbg sysfs_leds:lnk_file {read};
allow lbs_dbg sysfs_vibrator:file {read write open};
allow lbs_dbg system_data_file:dir {ioctl read write getattr lock add_name search open};
allow lbs_dbg system_data_file:lnk_file {read};
allow lbs_dbg tmpfs:filesystem {unmount};
allow lbs_dbg vfat:dir {write create add_name remove_name};
allow lbs_dbg vfat:file {write create getattr unlink rename open};

1
sepolicy/private/mddb.te Normal file
View File

@@ -0,0 +1 @@
type mddb_filter_data_file, file_type, data_file_type, core_data_file_type;

12
sepolicy/private/mdi_redirector.te Normal file
View File

@@ -0,0 +1,12 @@
type mdi_redirector, domain, netdomain, coredomain, halclientdomain, mtk_hal_dmc_client;
type mdi_redirector_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mdi_redirector);
allow mdi_redirector fwmarkd_socket:sock_file {write};
allow mdi_redirector self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow mdi_redirector self:udp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow mdi_redirector node:tcp_socket {node_bind};
allow mdi_redirector port:tcp_socket {name_bind};
allow mdi_redirector netd:unix_stream_socket {connectto};
allow mdi_redirector mtk_dmc_prop:file {read getattr map open};

31
sepolicy/private/mdlogger.te Normal file
View File

@@ -0,0 +1,31 @@
type mdlogger_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mdlogger);
binder_use(mdlogger);
allow mdlogger platform_app:unix_stream_socket {connectto};
allow mdlogger shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow mdlogger system_file:file {getattr map execute execute_no_trans};
allow mdlogger zygote_exec:file {ioctl read getattr lock map open};
allow mdlogger node:tcp_socket {node_bind};
allow mdlogger port:tcp_socket {name_bind};
allow mdlogger self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow mdlogger vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mdlogger vfat:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mdlogger tmpfs:lnk_file {read};
allow mdlogger storage_file:lnk_file {ioctl read write getattr lock append map open};
allow mdlogger mnt_user_file:dir {search};
allow mdlogger mnt_user_file:lnk_file {ioctl read write getattr lock append map open};
allow mdlogger sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mdlogger sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mdlogger media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mdlogger media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mdlogger storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mdlogger storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mdlogger file_contexts_file:file {read getattr open};
allow mdlogger system_file:dir {read};
allow mdlogger mddb_filter_data_file:dir {ioctl read getattr lock search open};
allow mdlogger mddb_filter_data_file:file {ioctl read getattr lock map open};
allow mdlogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow mdlogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mdlogger system_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};

12
sepolicy/private/mdmi_redirector.te Normal file
View File

@@ -0,0 +1,12 @@
type mdmi_redirector, domain, netdomain, coredomain, halclientdomain, mtk_hal_dmc_client;
type mdmi_redirector_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mdmi_redirector);
allow mdmi_redirector fwmarkd_socket:sock_file {write};
allow mdmi_redirector self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow mdmi_redirector self:udp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
allow mdmi_redirector node:tcp_socket {node_bind};
allow mdmi_redirector port:tcp_socket {name_bind};
allow mdmi_redirector netd:unix_stream_socket {connectto};
allow mdmi_redirector mtk_dmc_prop:file {read getattr map open};

9
sepolicy/private/met_log_d.te Normal file
View File

@@ -0,0 +1,9 @@
type met_log_d_exec, file_type, exec_type, system_file_type;
init_daemon_domain(met_log_d);
allow met_log_d debug_prop:file {read getattr map open};
allow met_log_d debug_prop:property_service {set};
allow met_log_d init:unix_stream_socket {connectto};
allow met_log_d property_socket:sock_file {write};
allow met_log_d system_file:file {ioctl read getattr lock map execute execute_no_trans open};

4
sepolicy/private/mmp.te Normal file
View File

@@ -0,0 +1,4 @@
type mmp, domain, coredomain;
type mmp_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mmp);

51
sepolicy/private/mobile_log_d.te Normal file
View File

@@ -0,0 +1,51 @@
type mobile_log_d_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mobile_log_d);
type_transition mobile_log_d logcat_exec:process dumpstate;
allow mobile_log_d kernel:system {syslog_mod};
dontaudit mobile_log_d untrusted_app:fd {use};
dontaudit mobile_log_d isolated_app:fd {use};
allow mobile_log_d property_socket:sock_file {write};
allow mobile_log_d init:unix_stream_socket {connectto};
allow mobile_log_d debug_prop:property_service {set};
allow mobile_log_d debug_prop:file {read getattr map open};
allow mobile_log_d logdr_socket:sock_file {write};
allow mobile_log_d logd:unix_stream_socket {connectto};
allow mobile_log_d self:capability {chown fowner fsetid setgid setuid};
allow mobile_log_d self:capability {chown setgid setuid};
allow mobile_log_d self:capability2 {syslog};
allow mobile_log_d system_file:file {execute_no_trans};
allow mobile_log_d shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow mobile_log_d logcat_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow mobile_log_d logcat_exec:file {read getattr map execute open};
allow mobile_log_d dumpstate:process {transition};
dontaudit mobile_log_d dumpstate:process {noatsecure};
allow mobile_log_d dumpstate:process {siginh rlimitinh};
allow mobile_log_d storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d storage_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d mnt_user_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d mnt_user_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d vfat:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d mnt_media_rw_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d mnt_media_rw_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow mobile_log_d rootfs:file {ioctl read getattr lock map open};
allow mobile_log_d device_logging_prop:file {getattr open};
allow mobile_log_d mmc_prop:file {getattr open};
allow mobile_log_d safemode_prop:file {getattr open};
allow mobile_log_d media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d debugfs_tracing:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d debugfs_tracing_instances:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow mobile_log_d debugfs_tracing_instances:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow mobile_log_d debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow mobile_log_d mcupm_device:chr_file {ioctl read getattr lock map open};
allow mobile_log_d sysfs_mcupm:file {write lock append map open};
allow mobile_log_d sysfs_mcupm:dir {search};

6
sepolicy/private/modemdbfilter.te Normal file
View File

@@ -0,0 +1,6 @@
type modemdbfilter_client_exec, file_type, exec_type, system_file_type;
init_daemon_domain(modemdbfilter_client);
allow modemdbfilter_client mddb_filter_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow modemdbfilter_client mddb_filter_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};

1
sepolicy/private/mota_proc.te Normal file
View File

@@ -0,0 +1 @@
type mota_proc_file, fs_type, proc_type;

11
sepolicy/private/mtk_advcamserver.te Normal file
View File

@@ -0,0 +1,11 @@
type mtk_advcamserver_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mtk_advcamserver);
binder_use(mtk_advcamserver);
hwbinder_use(mtk_advcamserver);
binder_call(mtk_advcamserver,mtk_advcamserver);
binder_call(mtk_advcamserver,binderservicedomain);
binder_call(mtk_advcamserver,appdomain);
allow mtk_advcamserver mtk_advcamserver_service:service_manager {add find};
allow mtk_advcamserver hwservicemanager_prop:file {read getattr map open};

32
sepolicy/private/mtk_bootanimation.te Normal file
View File

@@ -0,0 +1,32 @@
type mtkbootanimation_exec, file_type, exec_type, system_file_type;
init_daemon_domain(mtkbootanimation);
binder_use(mtkbootanimation);
binder_call(mtkbootanimation,audioserver)
binder_call(mtkbootanimation,surfaceflinger)
hwbinder_use(mtkbootanimation);
allow mtkbootanimation audio_device:chr_file {ioctl read write getattr lock append map open};
allow mtkbootanimation audio_device:dir {ioctl read getattr lock search open};
allow mtkbootanimation audioserver_service:service_manager {find};
allow mtkbootanimation cgroup:dir {ioctl read getattr lock search open};
allow mtkbootanimation cgroup:file {ioctl read getattr lock map open};
allow mtkbootanimation cgroup:lnk_file {ioctl read getattr lock map open};
allow mtkbootanimation debug_prop:property_service {set};
allow mtkbootanimation gpu_device:chr_file {ioctl read write getattr lock append map open};
allow mtkbootanimation gpu_device:dir {search};
allow mtkbootanimation hal_graphics_allocator:fd {use};
allow mtkbootanimation hal_graphics_composer:fd {use};
allow mtkbootanimation init:unix_stream_socket {connectto};
allow mtkbootanimation ion_device:chr_file {ioctl read write getattr lock append map open};
allow mtkbootanimation mediaserver:binder {call transfer};
allow mtkbootanimation mediaserver_service:service_manager {find};
allow mtkbootanimation oemfs:dir {search};
allow mtkbootanimation oemfs:file {ioctl read getattr lock map open};
allow mtkbootanimation proc_meminfo:file {ioctl read getattr lock map open};
allow mtkbootanimation property_socket:sock_file {write};
allow mtkbootanimation resourcecache_data_file:dir {search};
allow mtkbootanimation resourcecache_data_file:file {read getattr open};
allow mtkbootanimation surfaceflinger:fifo_file {ioctl read write getattr lock append map open};
allow mtkbootanimation surfaceflinger_service:service_manager {find};
allow mtkbootanimation system_file:dir {ioctl read getattr lock search open};

3
sepolicy/private/mtk_prop.te Normal file
View File

@@ -0,0 +1,3 @@
type mtk_cta_set_prop, property_type, extended_core_property_type;
type mtk_rsc_sys_prop, property_type, extended_core_property_type;
type mtk_permission_control_prop, property_type, extended_core_property_type;

1
sepolicy/private/mtk_service.te Normal file
View File

@@ -0,0 +1 @@
type mtk_connmetrics_service, service_manager_type;

10
sepolicy/private/netd.te Normal file
View File

@@ -0,0 +1,10 @@
allow netd dhcp_data_file:dir {read write add_name remove_name search};
allow netd dhcp_data_file:file {read write create getattr unlink open};
allow netd self:capability {setgid setuid net_bind_service};
allow netd servicemanager:binder {call};
allow netd system_prop:property_service {set};
allowxperm netd self:unix_stream_socket ioctl {0x8941 0x89a0 0x89a2 0x89f0};
allow netd mdi_redirector:fd {use};
allow netd mdi_redirector:tcp_socket {read write getattr setattr lock append map bind connect getopt setopt shutdown};
allow netd mdmi_redirector:fd {use};
allow netd mdmi_redirector:tcp_socket {read write getattr setattr lock append map bind connect getopt setopt shutdown};

60
sepolicy/private/netdiag.te Normal file
View File

@@ -0,0 +1,60 @@
type netdiag_exec, file_type, exec_type, system_file_type;
init_daemon_domain(netdiag);
binder_use(netdiag);
allow netdiag sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow netdiag sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow netdiag domain:dir {search};
allow netdiag domain:file {read open};
allow netdiag net_data_file:file {ioctl read getattr lock map open};
allow netdiag net_data_file:dir {search};
allow netdiag storage_file:dir {search};
allow netdiag storage_file:lnk_file {read};
allow netdiag mnt_user_file:dir {search};
allow netdiag mnt_user_file:lnk_file {read};
allow netdiag platform_app:dir {search};
allow netdiag untrusted_app:dir {search};
allow netdiag mnt_media_rw_file:dir {search};
allow netdiag vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow netdiag vfat:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow netdiag tmpfs:lnk_file {read};
allow netdiag system_file:file {ioctl read getattr lock map execute execute_no_trans open};
allow netdiag self:capability {setgid setuid net_admin net_raw};
allow netdiag shell_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow netdiag proc_net:file {ioctl read getattr lock map open};
allow netdiag dnsproxyd_socket:sock_file {write};
allow netdiag fwmarkd_socket:sock_file {write};
allow netdiag netd:unix_stream_socket {connectto};
allow netdiag self:udp_socket {connect};
allow netdiag connectivity_service:service_manager {find};
allow netdiag netstats_service:service_manager {find};
allow netdiag system_server:binder {call};
allow netdiag connmetrics_service:service_manager {find};
allow netdiag netpolicy_service:service_manager {find};
allow netdiag network_management_service:service_manager {find};
allow netdiag settings_service:service_manager {find};
allow netdiag device_logging_prop:file {getattr open};
allow netdiag mmc_prop:file {getattr open};
allow netdiag proc_net:dir {read open};
allow netdiag safemode_prop:file {getattr open};
allow netdiag toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open};
allow netdiag media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow netdiag media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow netdiag self:netlink_xfrm_socket {read write create getattr bind setopt nlmsg_read};
allow netdiag self:packet_socket {read create getopt setopt};
allowxperm netdiag self:packet_socket ioctl {0x8906 0x8933};
allow netdiag self:packet_socket {ioctl write map};
allow netdiag self:netlink_route_socket {read write create getattr bind setopt nlmsg_read};
allow netdiag kernel:system {module_request};
allow netdiag self:rawip_socket {create getopt};
allow netdiag self:udp_socket {ioctl create};
allow netdiag proc_qtaguid_stat:dir {read search open};
allow netdiag proc_qtaguid_stat:file {read getattr open};
allow netdiag vendor_default_prop:file {read getattr map open};
allow netdiag proc_net_tcp_udp:file {getattr};
allow netdiag netd:binder {call};
allow netdiag apexd_prop:file {read getattr map open};
allow netdiag debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
allow netdiag debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow netdiag servicemanager:binder {call};

7
sepolicy/private/netdomain.te Normal file
View File

@@ -0,0 +1,7 @@
allow netdomain node_type:tcp_socket {node_bind};
allow netdomain node_type:udp_socket {node_bind};
allow netdomain port_type:tcp_socket {name_bind};
allow netdomain port_type:udp_socket {name_bind};
allow netdomain self:netlink_route_socket {read create bind nlmsg_read};
allow netdomain self:tcp_socket {ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect};
allow netdomain self:udp_socket {ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind};

1
sepolicy/private/netflix_bsp_rev.te Normal file
View File

@@ -0,0 +1 @@
type netflix_bsp_rev_prop, property_type;

1
sepolicy/private/netutils.te Normal file
View File

@@ -0,0 +1 @@
allow netutils_wrapper netd:binder {call transfer};

17
sepolicy/private/platform_app.te Normal file
View File

@@ -0,0 +1,17 @@
typeattribute platform_app hal_power_client;
typeattribute platform_app hal_gpu_client;
allow platform_app aal_service:service_manager {find};
allow platform_app debuglog_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open};
allow platform_app debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
allow platform_app mtk_cta_set_prop:file {read getattr map open};
allow platform_app mtk_rsc_sys_prop:file {read getattr map open};
allow platform_app camerapostalgo_service:service_manager {find};
allow platform_app system_app_data_file:file {read write};
allow platform_app system_app_service:service_manager {find};
allow platform_app ctl_campostalgo_prop:file {read getattr map open};
allow platform_app ctl_campostalgo_prop:property_service {set};
allow platform_app mtk_connmetrics_service:service_manager {find};
allow platform_app proc_cl_cam_status:file {ioctl read getattr lock map open};
allow platform_app system_app_data_file:file {read write};
allow platform_app system_app_service:service_manager {find};

1
sepolicy/private/ppp.te Normal file
View File

@@ -0,0 +1 @@
allow ppp mtp:file {read};

5
sepolicy/private/priv_app.te Normal file
View File

@@ -0,0 +1,5 @@
typeattribute priv_app halclientdomain;
typeattribute priv_app hal_gpu_client;
allow priv_app mtk_cta_set_prop:file {read getattr map open};
dontaudit priv_app system_data_file:dir {write};

1
sepolicy/private/proc_cl_cam.te Normal file
View File

@@ -0,0 +1 @@
type proc_cl_cam_status, fs_type, proc_type;

42
sepolicy/private/property_contexts Normal file
View File

@@ -0,0 +1,42 @@
ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0
ctl.atci_service u:object_r:ctl_atci_service_prop:s0
persist.vendor.radio.port_index u:object_r:mtk_atci_sys_prop:s0
vendor.ril.atci.flightmode u:object_r:mtk_atci_sys_prop:s0
persist.vendor.service.atci.autostart u:object_r:mtk_atci_sys_prop:s0
persist.vendor.service.atci.usermode u:object_r:mtk_atci_sys_prop:s0
ctl.atcid-daemon-u u:object_r:ctl_atcid-daemon-u_prop:s0
ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0
init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0
ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0
ctl.emdlogger3 u:object_r:ctl_emdlogger3_prop:s0
ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
ro.lmk.thrashing_min_score_adj u:object_r:exported3_default_prop:s0 exact int
ro.lmk.use_new_strategy u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.log_stats u:object_r:exported3_default_prop:s0 exact bool
ro.lmk.use_psi u:object_r:exported3_default_prop:s0 exact bool
ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0
ro.vendor.mtk_cta_set u:object_r:mtk_cta_set_prop:s0
ro.vendor.mtk_dmc_support u:object_r:mtk_dmc_prop:s0
ro.vendor.mtk_mapi_support u:object_r:mtk_dmc_prop:s0
vendor.dmc.apm.active u:object_r:mtk_dmc_prop:s0
persist.vendor.sys.aal. u:object_r:mtk_aal_prop:s0
ro.sys.current_rsc_path u:object_r:mtk_rsc_sys_prop:s0
ro.product.current_rsc_path u:object_r:mtk_rsc_sys_prop:s0
init.svc.md_monitor u:object_r:init_svc_md_monitor_prop:s0
persist.vendor.ter u:object_r:terservice_prop:s0
vendor.ter.service u:object_r:terservice_prop:s0
ctl.restart$camerapostalgo u:object_r:ctl_campostalgo_prop:s0
ctl.start$camerapostalgo u:object_r:ctl_campostalgo_prop:s0
ctl.stop$camerapostalgo u:object_r:ctl_campostalgo_prop:s0
vendor.com.agui.networkmanager.policy.set u:object_r:agui_network_manager_prop:s0
vendor.moms.permission.control.policy.set u:object_r:mtk_permission_control_prop:s0
ro.netflix.bsp_rev u:object_r:netflix_bsp_rev_prop:s0
persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
init.svc.pkm_service u:object_r:mtk_pkm_init_prop:s0
ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
persist.sys.sw.dbg.en u:object_r:ctl_default_prop:s0

21
sepolicy/private/radio.te Normal file
View File

@@ -0,0 +1,21 @@
allow radio ppl_agent_service:service_manager {find};
allow radio ctl_atcid-daemon-u_prop:property_service {set};
allow radio ctl_atcid-daemon-u_prop:file {read getattr map open};
allow radio ctl_atci_service_prop:property_service {set};
allow radio ctl_atci_service_prop:file {read getattr map open};
allow radio mtk_atci_sys_prop:property_service {set};
allow radio mtk_atci_sys_prop:file {read getattr map open};
allow radio sysfs_portmode:file {ioctl read getattr lock map open};
allow radio sysfs_android0_usb:dir {search};
allow radio sysfs_android0_usb:file {ioctl read getattr lock map open};
allow radio sysfs_android_usb:dir {search};
allow radio sysfs_android_usb:file {ioctl read getattr lock map open};
allow radio mtk_aal_prop:property_service {set};
allow radio mtk_aal_prop:file {read getattr map open};
allow radio aal_service:service_manager {find};
allow radio mtk_cta_set_prop:file {read getattr map open};
allow radio mtk_rsc_sys_prop:file {read getattr map open};
allow radio init_svc_md_monitor_prop:file {read getattr map open};
allow radio sysfs_musb_hdrc:dir {search};
allow radio sysfs_musb_hdrc:file {ioctl read getattr lock map open};
allow radio mtk_dmc_prop:file {read getattr map open};

3
sepolicy/private/recovery.te Normal file
View File

@@ -0,0 +1,3 @@
allow recovery mtd_device:dir {search};
allow recovery mtd_device:chr_file {ioctl read write getattr open};
allow recovery self:capability {sys_resource};

5
sepolicy/private/sdcardd.te Normal file
View File

@@ -0,0 +1,5 @@
typeattribute sdcardd mlstrustedsubject;
allow sdcardd untrusted_app:fd {use};
allow sdcardd platform_app:fd {use};
allow sdcardd sdcardfs:dir {mounton};

54
sepolicy/private/service_contexts Normal file
View File

@@ -0,0 +1,54 @@
fm_radio_service u:object_r:mtk_fm_radio_service:s0
media.mmsdk u:object_r:mtk_advcamserver_service:s0
media.advcam u:object_r:mtk_advcamserver_service:s0
imsa u:object_r:radio_service:s0
mtkIms u:object_r:radio_service:s0
GbaService u:object_r:radio_service:s0
phoneEx u:object_r:mtk_radio_service:s0
capctrl u:object_r:mtk_radio_service:s0
isubstub u:object_r:radio_service:s0
wfo u:object_r:radio_service:s0
imtksms u:object_r:radio_service:s0
mwis u:object_r:radio_service:s0
PPLAgent u:object_r:ppl_agent_service:s0
AAL u:object_r:aal_service:s0
media.VTS u:object_r:vtservice_service:s0
media.VTS.HiDL u:object_r:vtservice_hidl_service:s0
NvRAMAgent u:object_r:nvram_agent_service:s0
mediatek.campostalgo u:object_r:camerapostalgo_service:s0
terservice u:object_r:terservice_service:s0
mtkconnmetrics u:object_r:mtk_connmetrics_service:s0
autoboot u:object_r:mtk_autoboot_service:s0
permrecords u:object_r:mtk_permrecords_service:s0
felica u:object_r:nfc_service:s0
nfc.st_ext u:object_r:nfc_service:s0
nfc_settings u:object_r:nfc_service:s0
memory_dumper u:object_r:mediaserver_service:s0
anrmanager u:object_r:mtk_anrmanager_service:s0
mobile u:object_r:mtk_mobile_service:s0
msgmonitorservice u:object_r:mtk_msg_monitor_service:s0
mtk-perfservice u:object_r:mtk_perf_service:s0
power_hal_mgr_service u:object_r:mtk_power_hal_mgr_service:s0
epdg_service u:object_r:mtk_epdg_service:s0
rns u:object_r:mtk_rns_service:s0
telephony.mtkregistry u:object_r:mtk_registry_service:s0
iphonesubinfoEx u:object_r:mtk_phonesubinfo_service:s0
mtk_telecom u:object_r:mtk_telecom_service:s0
mtksimphonebook u:object_r:mtk_simphonebook_service:s0
data_shaping u:object_r:mtk_data_shaping_service:s0
search_engine_service u:object_r:mtk_search_engine_service:s0
omadm_service u:object_r:mtk_omadm_service:s0
duraspeed u:object_r:mtk_duraspeed_service:s0
FullscreenSwitchService u:object_r:mtk_fullscreen_switch_service:s0
vow_bridge u:object_r:mtk_vowbridge_service:s0
GoogleOtaBinder u:object_r:ota_agent_service:s0
GpuAppSpectatorService u:object_r:gas_srv_service:s0
FpsPolicyService u:object_r:fpspolicy-server_service:s0
appdetection u:object_r:mtk_appdetection_service:s0
carrierexpress u:object_r:mtk_carrierexpress_service:s0
gwsd u:object_r:mtk_gwsd_service:s0
uce u:object_r:mtk_presence_service:s0
vendor.trustonic.teeservice.ITeeService u:object_r:tee_service:s0
vendor.trustonic.teeregistryservice.ITeeRegistryService u:object_r:teeregistry_service:s0
AService u:object_r:agold_service:s0
LeptonCameraService u:object_r:lepton_service:s0

2
sepolicy/private/shell.te Normal file
View File

@@ -0,0 +1,2 @@
allow shell debuglog_data_file:dir {ioctl read getattr lock search open};
allow shell debuglog_data_file:file {ioctl read getattr lock map open};

16
sepolicy/private/sn.te Normal file
View File

@@ -0,0 +1,16 @@
type sn, domain, coredomain;
type sn_exec, file_type, exec_type, system_file_type;
init_daemon_domain(sn);
allow sn sdcard_type:dir {search};
allow sn sdcard_type:file {read getattr open};
allow sn sysfs_android0_usb:file {ioctl read write getattr lock append map open};
allow sn sysfs_mt_usb:file {ioctl read write getattr lock append map open};
allow sn sysfs_musb_hdrc:file {ioctl read write getattr lock append map open};
allow sn mnt_user_file:dir {search};
allow sn mnt_user_file:lnk_file {read};
allow sn storage_file:lnk_file {read};
allow sn media_rw_data_file:dir {search};
allow sn media_rw_data_file:file {read open};
allow sn media_rw_data_file:dir {read open};

1
sepolicy/private/surfaceflinger.te Normal file
View File

@@ -0,0 +1 @@
allow surfaceflinger file_contexts_file:file {ioctl read getattr lock map open};

6
sepolicy/private/sysfs.te Normal file
View File

@@ -0,0 +1,6 @@
type sysfs_portmode, fs_type, sysfs_type;
type sysfs_android0_usb, fs_type, sysfs_type;
type sysfs_musb_hdrc, fs_type, sysfs_type;
type sysfs_battery_warning, fs_type, sysfs_type;
type sysfs_mt_usb, fs_type, sysfs_type;
type sysfs_mcupm, fs_type, sysfs_type;

19
sepolicy/private/system_app.te Normal file
View File

@@ -0,0 +1,19 @@
allow system_app mtk_aal_prop:file {read getattr map open};
allow system_app aee_aed:unix_stream_socket {connectto};
allow system_app mtk_atci_sys_prop:property_service {set};
allow system_app mtk_atci_sys_prop:file {read getattr map open};
allow system_app init_svc_md_monitor_prop:file {read getattr map open};
allow system_app mtk_cta_set_prop:file {read getattr map open};
allow system_app mtk_rsc_sys_prop:file {read getattr map open};
allow system_app agui_network_manager_prop:file {read getattr map open};
allow system_app agui_network_manager_prop:property_service {set};
allow system_app config_prop:file {read getattr map open};
allow system_app config_prop:property_service {set};
allow system_app media_rw_data_file:dir {ioctl read write getattr lock add_name remove_name search open};
allow system_app media_rw_data_file:file {ioctl read write getattr lock append map open};
allow system_app mtk_permission_control_prop:file {read getattr map open};
allow system_app mtk_permission_control_prop:property_service {set};
allow system_app net_dns_prop:file {read getattr map open};
allow system_app net_dns_prop:property_service {set};
allow system_app system_data_file:dir {read open};
allow system_app vfat:dir {create};

13
sepolicy/private/system_server.te Normal file
View File

@@ -0,0 +1,13 @@
allow system_server aal_service:service_manager {find};
allow system_server aee_aed:fifo_file {write lock append map open};
allow system_server aee_aed:fd {use};
allow system_server aee_aed:unix_stream_socket {connectto};
allow system_server mddb_filter_data_file:dir {getattr};
allow system_server mtk_rsc_sys_prop:file {read getattr map open};
allow system_server netdiag:fd {use};
allow system_server mtk_autoboot_service:service_manager {add};
allow system_server mtk_connmetrics_service:service_manager {add};
allow system_server mtk_permrecords_service:service_manager {add};
allow system_server ota_package_file:dir {getattr};
allow system_server proc_loadavg:file {ioctl read getattr lock map open};
dontaudit system_server appdomain:file {write lock append map open};

2
sepolicy/private/te_macros Normal file
View File

@@ -0,0 +1,2 @@
# Adapted from the "recovery_only" macro
define(`system_only', ifelse(target_recovery, `true', , $1))

12
sepolicy/private/terservice.te Normal file
View File

@@ -0,0 +1,12 @@
type terservice_exec, file_type, exec_type, system_file_type;
type terservice_prop, property_type, extended_core_property_type;
type terservice_service, service_manager_type;
init_daemon_domain(terservice);
binder_use(terservice);
allow terservice terservice_service:service_manager {add};
allow terservice property_socket:sock_file {write};
allow terservice init:unix_stream_socket {connectto};
allow terservice terservice_prop:property_service {set};
allow terservice terservice_prop:file {read getattr map open};

7
sepolicy/private/thermald.te Normal file
View File

@@ -0,0 +1,7 @@
type thermald_exec, file_type, exec_type, system_file_type;
init_daemon_domain(thermald);
binder_use(thermald);
allow thermald system_server:binder {call};
allow thermald activity_service:service_manager {find};

1
sepolicy/private/toolbox.te Normal file
View File

@@ -0,0 +1 @@
allow toolbox system_data_file:file {getattr unlink};

1
sepolicy/private/uncrypt.te Normal file
View File

@@ -0,0 +1 @@
allow uncrypt uncrypt:capability {fowner};

6
sepolicy/private/untrusted_app.te Normal file
View File

@@ -0,0 +1,6 @@
allow untrusted_app mtk_connmetrics_service:service_manager {find};
allow untrusted_app_all netflix_bsp_rev_prop:file {read getattr map open};
allow untrusted_app_all mtk_radio_service:service_manager {find};
allow untrusted_app mtk_connmetrics_service:service_manager {find};
dontaudit untrusted_app_all system_data_file:dir {write};

9
sepolicy/private/usp_service.te Normal file
View File

@@ -0,0 +1,9 @@
type usp_service_exec, file_type, exec_type, system_file_type;
init_daemon_domain(usp_service);
allow usp_service block_device:dir {search};
allow usp_service property_socket:sock_file {write};
allow usp_service init:unix_stream_socket {connectto};
allow usp_service radio_prop:property_service {set};
allow usp_service radio_prop:file {read getattr map open};

4
sepolicy/private/vendor_init.te Normal file
View File

@@ -0,0 +1,4 @@
allow vendor_init terservice_prop:file {read getattr map open};
allow vendor_init terservice_prop:property_service {set};
allow vendor_init netflix_bsp_rev_prop:file {read getattr map open};
allow vendor_init netflix_bsp_rev_prop:property_service {set};

4
sepolicy/private/vendor_shell.te Normal file
View File

@@ -0,0 +1,4 @@
allow vendor_shell init:unix_stream_socket {connectto};
allow vendor_shell netflix_bsp_rev_prop:file {read getattr map open};
allow vendor_shell netflix_bsp_rev_prop:property_service {set};
allow vendor_shell property_socket:sock_file {write};

5
sepolicy/private/vold.te Normal file
View File

@@ -0,0 +1,5 @@
allow vold platform_app:fd {use};
allow vold block_device:file {create};
allow vold mtd_device:dir {search};
allow vold mtd_device:chr_file {read write open};
allow vold kernel:system {module_request};

1
sepolicy/private/zygote.te Normal file
View File

@@ -0,0 +1 @@
allow zygote mtk_rsc_sys_prop:file {read getattr map open};