diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index 27d186b..0fbf455 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -101,7 +101,7 @@ TARGET_USES_MKE2FS := true # Sepolicy TARGET_USES_PREBUILT_VENDOR_SEPOLICY := true TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR := true -BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(DEVICE_PATH)/sepolicy/private +BOARD_PLAT_PRIVATE_SEPOLICY_DIR := $(COMMON_DEVICE_PATH)/sepolicy/private BOARD_PLAT_PUBLIC_SEPOLICY_DIR := $(COMMON_DEVICE_PATH)/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_DEVICE_PATH)/sepolicy/vendor diff --git a/deviceCommon.mk b/deviceCommon.mk index 97097e3..21d3af6 100644 --- a/deviceCommon.mk +++ b/deviceCommon.mk @@ -123,6 +123,10 @@ PRODUCT_PACKAGES += \ android.hardware.radio@1.4 \ android.hardware.vibrator@1.0 \ android.hardware.vibrator@1.3 + +# Additional tools +PRODUCT_PACKAGES += \ + unpack_bootimg # Keylayouts PRODUCT_COPY_FILES += \ diff --git a/sepolicy/private/GoogleOtaBinder.te b/sepolicy/private/GoogleOtaBinder.te new file mode 100644 index 0000000..cfeeb0c --- /dev/null +++ b/sepolicy/private/GoogleOtaBinder.te @@ -0,0 +1,9 @@ +type GoogleOtaBinder_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(GoogleOtaBinder); +binder_use(GoogleOtaBinder); + +allow GoogleOtaBinder mota_proc_file:file {read}; +allow GoogleOtaBinder ota_package_file:dir {search}; +allow GoogleOtaBinder ota_package_file:file {read write getattr open}; +allow GoogleOtaBinder sysfs_dt_firmware_android:file {read}; diff --git a/sepolicy/private/aal.te b/sepolicy/private/aal.te new file mode 100644 index 0000000..aac570f --- /dev/null +++ b/sepolicy/private/aal.te 
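Review bot: `allow GoogleOtaBinder ota_package_file:file {read write getattr open};` gives this daemon write access to staged OTA packages, which a binder status service would not normally need; unless it is the component that actually stages the package, the rule should be `allow GoogleOtaBinder ota_package_file:file {read getattr open};`. Note also that only `GoogleOtaBinder_exec` is declared in this file, while `aal.te` in the same series declares its domain type next to the exec type; if the `GoogleOtaBinder` domain is not declared in the public policy, `init_daemon_domain(GoogleOtaBinder)` will not compile. A one-line header comment naming the binary and what it serves would help, since the file gives no indication of which process this is.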
@@ -0,0 +1,19 @@ +type aal, domain, binderservicedomain, coredomain; +type aal_exec, file_type, exec_type, system_file_type; +type mtk_aal_prop, property_type, extended_core_property_type; +type aal_service, service_manager_type; + +init_daemon_domain(aal); +binder_use(aal); +binder_call(aal,binderservicedomain); + +allow aal graphics_device:chr_file {ioctl read open}; +allow aal graphics_device:dir {search}; +allow aal aal_service:service_manager {add}; +allow aal permission_service:service_manager {find}; +allow aal sensorservice_service:service_manager {find}; +allow aal system_server:unix_stream_socket {read write}; +allow aal property_socket:sock_file {write}; +allow aal init:unix_stream_socket {connectto}; +allow aal mtk_aal_prop:property_service {set}; +allow aal mtk_aal_prop:file {read getattr map open}; diff --git a/sepolicy/private/access_sys_file.te b/sepolicy/private/access_sys_file.te new file mode 100644 index 0000000..e49064b --- /dev/null +++ b/sepolicy/private/access_sys_file.te @@ -0,0 +1 @@ +type access_sys_file, fs_type, sysfs_type; diff --git a/sepolicy/private/adbd.te b/sepolicy/private/adbd.te new file mode 100644 index 0000000..8ee6e7f --- /dev/null +++ b/sepolicy/private/adbd.te @@ -0,0 +1,2 @@ +allow adbd debuglog_data_file:dir {ioctl read getattr lock search open}; +allow adbd debuglog_data_file:file {ioctl read getattr lock map open}; diff --git a/sepolicy/private/aee_aed.te b/sepolicy/private/aee_aed.te new file mode 100644 index 0000000..1cac35f --- /dev/null +++ b/sepolicy/private/aee_aed.te 
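Review bot: The three hand-written lines `allow aal property_socket:sock_file {write};`, `allow aal init:unix_stream_socket {connectto};` and `allow aal mtk_aal_prop:property_service {set};` are what the platform macro `set_prop(aal, mtk_aal_prop)` expands to; the macro form keeps the property path consistent with the rest of the platform policy and will not drift if the property-service plumbing changes. `allow aal system_server:unix_stream_socket {read write};` is unusual for a display-tuning daemon and deserves a comment saying which socket is meant.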
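Review bot: The two `adbd debuglog_data_file` rules expose `/data/ramdump` and `/data/debuglogger` (labelled `debuglog_data_file` in this same change) to any host with adb access on every build variant; ramdumps can contain kernel and process memory, which a user build should not let an adb host pull. Wrap the two rules in `userdebug_or_eng(` ... `)` so only debug builds grant it, and add a comment stating what is stored under those paths.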
@@ -0,0 +1,53 @@ +type aee_aed_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(aee_aed); + +type_transition aee_aed dumpstate_exec:process dumpstate; + +allow aee_aed block_device:dir {search}; +allow aee_aed sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow aee_aed sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow aee_aed anr_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow aee_aed anr_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow aee_aed domain:process {sigkill signal getsched getattr}; +allow aee_aed domain:lnk_file {getattr}; +allow aee_aed usermodehelper:file {ioctl read getattr lock map open}; +allow aee_aed system_file:file {execute_no_trans}; +allow aee_aed init:process {getsched}; +allow aee_aed kernel:process {getsched}; +allow aee_aed system_data_file:dir {write create add_name}; +allow aee_aed system_data_file:file {ioctl read getattr lock map open}; +allow aee_aed toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow aee_aed mnt_user_file:dir {search}; +allow aee_aed mnt_user_file:lnk_file {read}; +allow aee_aed storage_file:dir {search}; +allow aee_aed storage_file:lnk_file {read}; +allow aee_aed dumpstate_exec:file {read getattr map execute open}; +allow aee_aed dumpstate:process {transition}; +dontaudit aee_aed dumpstate:process {noatsecure}; +allow aee_aed dumpstate:process {siginh rlimitinh}; +allow aee_aed tombstone_data_file:dir {write lock add_name remove_name search open}; +allow aee_aed tombstone_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow aee_aed self:capability {chown fowner fsetid kill setgid setuid net_admin sys_module sys_nice sys_resource}; +allow aee_aed shell_exec:file {ioctl 
read getattr lock map execute execute_no_trans open}; +allow aee_aed dumpstate:unix_stream_socket {ioctl read write}; +allow aee_aed dumpstate:dir {search}; +allow aee_aed dumpstate:file {ioctl read getattr lock map open}; +allow aee_aed logdr_socket:sock_file {write}; +allow aee_aed logd:unix_stream_socket {connectto}; +allow aee_aed sysfs_vibrator:file {write lock append map open}; +allow aee_aed domain:dir {ioctl read getattr lock search open}; +allow aee_aed domain:file {ioctl read getattr lock map open}; +allow aee_aed domain:lnk_file {ioctl read getattr lock map open}; +allow aee_aed dalvikcache_data_file:dir {ioctl read getattr lock search open}; +allow aee_aed crash_dump:dir {search}; +allow aee_aed crash_dump:file {ioctl read getattr lock map open}; +allow aee_aed proc_version:file {read open}; +allow aee_aed self:capability {chown fowner kill sys_nice}; +allow aee_aed dropbox_data_file:file {read getattr}; +allow aee_aed dropbox_service:service_manager {find}; +allow aee_aed servicemanager:binder {call}; +allow aee_aed system_server:binder {call}; +allow aee_aed packages_list_file:file {ioctl read getattr lock map open}; +allow aee_aed system_file_type:file {ioctl read getattr lock map open}; +allow aee_aed self:process {ptrace}; diff --git a/sepolicy/private/aee_core.te b/sepolicy/private/aee_core.te new file mode 100644 index 0000000..111d402 --- /dev/null +++ b/sepolicy/private/aee_core.te 
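Review bot: `allow aee_aed self:capability {... sys_module ...}` grants a crash-reporting daemon the ability to load kernel modules, which nothing else in this file uses and which the platform's neverallow rules are likely to reject for a non-init domain; drop `sys_module`, and `net_admin` as well unless its use can be documented. The file also declares `self:capability` twice (`{chown fowner fsetid kill setgid setuid ...}` and later `{chown fowner kill sys_nice}`); merge them into one rule. The hand-written `type_transition aee_aed dumpstate_exec:process dumpstate;` together with the `dumpstate_exec:file` execute, `dumpstate:process {transition}` and `{siginh rlimitinh}` lines is the expansion of `domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)`, which is clearer and harder to get wrong. With `domain:process {sigkill signal getsched getattr}`, `domain:file` read and `self:process {ptrace}` this domain can inspect and kill any process on the device, so a header comment explaining why each class of access is needed would be appropriate.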
@@ -0,0 +1,28 @@ +type aee_core_forwarder_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(aee_core_forwarder); +domain_auto_trans(kernel,aee_core_forwarder_exec,aee_core_forwarder); + +allow aee_core_forwarder sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow aee_core_forwarder sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow aee_core_forwarder self:capability {fsetid setgid}; +allow aee_core_forwarder kernel:fifo_file {read}; +allow aee_core_forwarder domain:dir {ioctl read getattr lock search open}; +allow aee_core_forwarder domain:file {ioctl read getattr lock map open}; +allow aee_core_forwarder sysfs_wake_lock:file {ioctl read write getattr lock append map open}; +allow aee_core_forwarder self:capability2 {block_suspend}; +allow aee_core_forwarder mnt_user_file:dir {search}; +allow aee_core_forwarder mnt_user_file:lnk_file {read}; +allow aee_core_forwarder storage_file:dir {search}; +allow aee_core_forwarder storage_file:lnk_file {read}; +dontaudit aee_core_forwarder untrusted_app:dir {search}; +allow aee_core_forwarder kernel:fd {use}; +allow aee_core_forwarder tmpfs:dir {search}; +allow aee_core_forwarder rootfs:file {ioctl read getattr lock map open}; +dontaudit aee_core_forwarder self:capability {sys_ptrace}; +allow aee_core_forwarder media_rw_data_file:dir {write lock add_name remove_name search open}; +allow aee_core_forwarder media_rw_data_file:file {write create open}; +allow aee_core_forwarder self:capability {sys_nice}; +allow aee_core_forwarder hwservicemanager_prop:file {read getattr map open}; +allow aee_core_forwarder aee_aed:unix_stream_socket {connectto}; +allow aee_core_forwarder kernel:process {sigchld}; diff --git a/sepolicy/private/agui_network_manager.te b/sepolicy/private/agui_network_manager.te new file mode 100644 index 0000000..9e3397d --- /dev/null 
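Review bot: `domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)` combined with the `sdcard_type` and `media_rw_data_file` create/write rules means a kernel-spawned core-dump handler can write core files of arbitrary processes onto shared external storage, where any app holding storage permission can read them; such dumps carry process memory, so this should be gated with `userdebug_or_eng(` ... `)` or write to a dedicated type that apps cannot read. The `domain:dir` and `domain:file` read rules reach into every process's `/proc` entries and should carry a comment saying what the forwarder reads there. `dontaudit aee_core_forwarder self:capability {sys_ptrace};` suggests the binary attempts ptrace; a comment noting that this denial is intentional would prevent a later "fix" that grants it.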
+++ b/sepolicy/private/agui_network_manager.te
@@ -0,0 +1 @@
+type agui_network_manager_prop, property_type, extended_core_property_type;
diff --git a/sepolicy/private/atci.te b/sepolicy/private/atci.te
new file mode 100644
index 0000000..1297e6a
--- /dev/null
+++ b/sepolicy/private/atci.te
@@ -0,0 +1,6 @@
+type atci_service_sys_exec, file_type, exec_type, system_file_type;
+type atci_data_file, file_type, data_file_type, core_data_file_type;
+type ctl_atci_service_prop, property_type, extended_core_property_type;
+type mtk_atci_sys_prop, property_type, extended_core_property_type;
+
+init_daemon_domain(atci_service_sys);
diff --git a/sepolicy/private/atcid.te b/sepolicy/private/atcid.te
new file mode 100644
index 0000000..bcac1a1
--- /dev/null
+++ b/sepolicy/private/atcid.te
@@ -0,0 +1 @@
+type ctl_atcid-daemon-u_prop, property_type, extended_core_property_type;
diff --git a/sepolicy/private/audioserver.te b/sepolicy/private/audioserver.te
new file mode 100644
index 0000000..5b0bc3b
--- /dev/null
+++ b/sepolicy/private/audioserver.te
@@ -0,0 +1,22 @@ +allow audioserver radio:dir {read search}; +allow audioserver radio:file {ioctl read getattr lock map open}; +allow audioserver radio_data_file:dir {search}; +allow audioserver radio_data_file:file {open}; +allow audioserver kmsg_device:chr_file {write open}; +allow audioserver bootanim:binder {call transfer}; +allow audioserver media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow audioserver media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow audioserver mnt_user_file:dir {read write search}; +allow audioserver mnt_user_file:lnk_file {read write}; +allow audioserver mtkbootanimation:binder {call transfer}; +allow audioserver sdcard_type:dir {remove_name}; +allow audioserver sdcard_type:dir {write create lock add_name remove_name search open}; +allow audioserver sdcard_type:file {append}; +allow audioserver sdcard_type:file {create}; +allow audioserver sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow audioserver sdcard_type:file {unlink}; +allow audioserver self:netlink_kobject_uevent_socket {read create}; +allow audioserver storage_file:dir {ioctl read getattr lock search open}; +allow audioserver storage_file:lnk_file {read write}; +allow audioserver system_data_file:file {open}; +allow audioserver untrusted_app:dir {search}; diff --git a/sepolicy/private/batterywarning.te b/sepolicy/private/batterywarning.te new file mode 100644 index 0000000..e0714d9 --- /dev/null +++ b/sepolicy/private/batterywarning.te 
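Review bot: Several rules in this hunk are subsumed by others and should be collapsed: `sdcard_type:dir {remove_name}` is contained in the following `sdcard_type:dir {write create lock add_name remove_name search open}`, and the three `sdcard_type:file {append}`, `{create}` and `{unlink}` lines are all inside `sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}`. Beyond tidiness, giving audioserver full read/write/unlink over all of `sdcard_type` and `media_rw_data_file` is far broader than an audio service needs; scoping it to a dedicated type for whatever it actually writes would limit the damage if audioserver is compromised through a malformed media stream. `allow audioserver mnt_user_file:lnk_file {read write};` and `allow audioserver untrusted_app:dir {search};` also look accidental and need a comment or removal.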
@@ -0,0 +1,10 @@
+type batterywarning, domain, coredomain;
+type batterywarning_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(batterywarning);
+binder_use(batterywarning);
+
+allow batterywarning system_server:binder {call};
+allow batterywarning activity_service:service_manager {find};
+allow batterywarning sysfs_battery_warning:file {read getattr open};
+allow batterywarning self:netlink_kobject_uevent_socket {read write create getattr setattr lock append map bind connect getopt setopt shutdown};
diff --git a/sepolicy/private/bluetooth.te b/sepolicy/private/bluetooth.te
new file mode 100644
index 0000000..4e4356f
--- /dev/null
+++ b/sepolicy/private/bluetooth.te
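Review bot: `allow batterywarning self:netlink_kobject_uevent_socket {read write create getattr setattr lock append map bind connect getopt setopt shutdown};` grants far more than a uevent listener needs; `kpoc_charger.te` in this same series gets by with `{read create bind setopt}`, and the same set should be used here for consistency. A short comment saying the daemon watches `sysfs_battery_warning` for battery notifications and forwards them over binder would make the file self-explanatory.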
@@ -0,0 +1,21 @@ +allow bluetooth debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow bluetooth debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth fuse:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow bluetooth fuse:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow bluetooth media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth mnt_media_rw_file:dir {search}; +allow bluetooth mnt_user_file:dir {search}; +allow bluetooth mnt_user_file:lnk_file {read}; +allow bluetooth rootfs:lnk_file {getattr}; +allow bluetooth sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow bluetooth sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth sdcardfs:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow bluetooth sdcardfs:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow bluetooth storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow bluetooth storage_file:lnk_file {read}; +allow bluetooth sysfs_wake_lock:file {ioctl read write getattr lock append map open}; +allow bluetooth tmpfs:lnk_file {read}; +allow bluetooth vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent 
search rmdir open}; +allow bluetooth vfat:file {ioctl read write create getattr setattr lock append map unlink rename open}; diff --git a/sepolicy/private/boot_logo_updater.te b/sepolicy/private/boot_logo_updater.te new file mode 100644 index 0000000..308c5bc --- /dev/null +++ b/sepolicy/private/boot_logo_updater.te @@ -0,0 +1,20 @@ +type boot_logo_updater_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(boot_logo_updater); + +allow boot_logo_updater system_prop:property_service {set}; +allow boot_logo_updater graphics_device:chr_file {ioctl read write getattr lock append map open}; +allow boot_logo_updater init:unix_stream_socket {connectto}; +allow boot_logo_updater property_socket:sock_file {write}; +allow boot_logo_updater block_device:dir {search}; +allow boot_logo_updater graphics_device:dir {search}; +allow boot_logo_updater mtd_device:chr_file {ioctl read getattr lock map open}; +allow boot_logo_updater mtd_device:dir {search}; +allow boot_logo_updater device:dir {write}; +allow boot_logo_updater kmsg_device:chr_file {write lock append map open}; +allow boot_logo_updater rootfs:file {ioctl read getattr lock map open}; +allow boot_logo_updater sysfs:dir {read}; +allow boot_logo_updater mtd_device:blk_file {read}; +allow boot_logo_updater sysfs:dir {open}; +allow boot_logo_updater system_data_file:dir {write}; +allow boot_logo_updater mtd_device:blk_file {open}; diff --git a/sepolicy/private/bootanim.te b/sepolicy/private/bootanim.te new file mode 100644 index 0000000..9447427 --- /dev/null +++ b/sepolicy/private/bootanim.te 
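Review bot: The bluetooth domain is given full create/write/unlink/rename access to every external-storage label (`sdcard_type`, `sdcardfs`, `fuse`, `vfat`, `storage_file`, `media_rw_data_file`), which bypasses the per-app storage isolation the platform otherwise applies to the bluetooth app; if this is for transfer or log output it should be scoped to the specific path it writes. `relabelto` in `allow bluetooth debuglog_data_file:dir {...}` additionally lets the app label directories as `debuglog_data_file`, which `adbd` is granted read on elsewhere in this change. Gating the debuglog rules with `userdebug_or_eng(` ... `)` and dropping `relabelto` would keep the production surface small.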
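Review bot: `allow boot_logo_updater system_prop:property_service {set};` lets this daemon set any property under the broad `system_prop` label, not just the one it presumably flips after updating the logo; define a dedicated property type and use `set_prop(boot_logo_updater, <that_type>)`, which also replaces the hand-written `init:unix_stream_socket` and `property_socket` lines. `allow boot_logo_updater device:dir {write};` and `system_data_file:dir {write};` grant write without `add_name` or `create`, so they are either incomplete or unnecessary and should be explained or dropped. The pairs `sysfs:dir {read}` / `sysfs:dir {open}` and `mtd_device:blk_file {read}` / `{open}` should be merged into single rules.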
@@ -0,0 +1,12 @@
+typeattribute bootanim hal_gpu_client;
+
+allow bootanim debug_prop:property_service {set};
+allow bootanim gpu_device:dir {search};
+allow bootanim init:unix_stream_socket {connectto};
+allow bootanim mediaserver:binder {call transfer};
+allow bootanim mediaserver_service:service_manager {find};
+allow bootanim property_socket:sock_file {write};
+allow bootanim resourcecache_data_file:dir {search};
+allow bootanim resourcecache_data_file:file {read getattr open};
+allow bootanim resourcecache_data_file:file {read};
+allow bootanim surfaceflinger:fifo_file {ioctl read write getattr lock append map open};
diff --git a/sepolicy/private/camerapostalgo.te b/sepolicy/private/camerapostalgo.te
new file mode 100644
index 0000000..5a51648
--- /dev/null
+++ b/sepolicy/private/camerapostalgo.te
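Review bot: `allow bootanim debug_prop:property_service {set};` plus the `init:unix_stream_socket` and `property_socket` lines are the expansion of `set_prop(bootanim, debug_prop)`, and the macro form should be used. `allow bootanim resourcecache_data_file:file {read};` is redundant with the preceding `{read getattr open}` rule and can be removed. A comment explaining which debug property the boot animation sets would help a reviewer judge whether the rule belongs in user builds.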
@@ -0,0 +1,22 @@ +type camerapostalgo_exec, file_type, exec_type, system_file_type; +type camerapostalgo_service, service_manager_type; +type ctl_campostalgo_prop, property_type, extended_core_property_type; + +init_daemon_domain(camerapostalgo); +binder_use(camerapostalgo); +hwbinder_use(camerapostalgo); +binder_call(camerapostalgo,platform_app); +binder_call(camerapostalgo,surfaceflinger); + +allow camerapostalgo hwservicemanager_prop:file {read getattr map open}; +allow camerapostalgo camerapostalgo_service:service_manager {add find}; +allow camerapostalgo gpu_device:dir {search}; +allow camerapostalgo gpu_device:chr_file {ioctl read write getattr lock append map open}; +allow camerapostalgo ion_device:chr_file {ioctl read getattr lock map open}; +allow camerapostalgo sdcardfs:dir {search}; +allow camerapostalgo mnt_user_file:dir {search}; +allow camerapostalgo storage_file:lnk_file {ioctl read getattr lock map open}; +allow camerapostalgo mnt_user_file:lnk_file {ioctl read getattr lock map open}; +allow camerapostalgo sdcardfs:file {ioctl read getattr lock map open}; +allow camerapostalgo media_rw_data_file:dir {ioctl read write getattr lock add_name remove_name search open}; +allow camerapostalgo media_rw_data_file:file {ioctl read write getattr lock append map open}; diff --git a/sepolicy/private/cmddumper.te b/sepolicy/private/cmddumper.te new file mode 100644 index 0000000..f5433d8 --- /dev/null +++ b/sepolicy/private/cmddumper.te 
@@ -0,0 +1,19 @@ +type cmddumper_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(cmddumper); + +allow cmddumper system_data_file:dir {ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open}; +allow cmddumper system_data_file:fifo_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow cmddumper sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow cmddumper sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow cmddumper init:unix_stream_socket {connectto}; +allow cmddumper property_socket:sock_file {read write}; +allow cmddumper platform_app:unix_stream_socket {connectto}; +allow cmddumper shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow cmddumper system_file:file {getattr map execute execute_no_trans}; +allow cmddumper media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow cmddumper media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow cmddumper file_contexts_file:file {read getattr open}; +allow cmddumper debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow cmddumper debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow cmddumper system_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; diff --git a/sepolicy/private/connsyslogger.te b/sepolicy/private/connsyslogger.te new file mode 100644 index 0000000..0e73746 --- /dev/null +++ b/sepolicy/private/connsyslogger.te 
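Review bot: `allow cmddumper system_data_file:dir {... relabelfrom relabelto ...}` lets this daemon change the SELinux label of arbitrary directories under `/data` away from and back to `system_data_file`, which can move data between protection domains; together with `relabelto` on `debuglog_data_file` and `execute_no_trans` on `shell_exec`, this is far more than a log-collection helper should need. Restrict it to `relabelto` on its own output type only, or better, have init create the output directory with the right label via `file_contexts` and a `mkdir` in the rc file. The last line `allow cmddumper system_data_file:dir {ioctl read write create ... rmdir open};` repeats the first rule minus the relabel permissions and should be deleted.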
@@ -0,0 +1,6 @@
+type connsyslogger_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(connsyslogger);
+
+allow connsyslogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open};
+allow connsyslogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open};
diff --git a/sepolicy/private/crash_dump.te b/sepolicy/private/crash_dump.te
new file mode 100644
index 0000000..500c9a9
--- /dev/null
+++ b/sepolicy/private/crash_dump.te
@@ -0,0 +1 @@
+allow crash_dump aee_aed:unix_stream_socket {connectto};
diff --git a/sepolicy/private/debuglog.te b/sepolicy/private/debuglog.te
new file mode 100644
index 0000000..2c6b192
--- /dev/null
+++ b/sepolicy/private/debuglog.te
@@ -0,0 +1 @@
+type debuglog_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/sepolicy/private/dnsmasq.te b/sepolicy/private/dnsmasq.te
new file mode 100644
index 0000000..78b5c39
--- /dev/null
+++ b/sepolicy/private/dnsmasq.te
@@ -0,0 +1,2 @@
+allow dnsmasq netd:process {sigchld};
+allow dnsmasq netd:file {read};
diff --git a/sepolicy/private/domain.te b/sepolicy/private/domain.te
new file mode 100644
index 0000000..79bbc1b
--- /dev/null
+++ b/sepolicy/private/domain.te
@@ -0,0 +1 @@
+allow domain aee_aed:process {sigchld};
diff --git a/sepolicy/private/drmserver.te b/sepolicy/private/drmserver.te
new file mode 100644
index 0000000..b5fa1bc
--- /dev/null
+++ b/sepolicy/private/drmserver.te
@@ -0,0 +1,2 @@
+allow drmserver mtk_cta_set_prop:file {read getattr map open};
+allow drmserver access_sys_file:file {read open};
diff --git a/sepolicy/private/dumpstate.te b/sepolicy/private/dumpstate.te
new file mode 100644
index 0000000..acb71ba
--- /dev/null
+++ b/sepolicy/private/dumpstate.te
@@ -0,0 +1,20 @@
+typeattribute dumpstate hal_camera_client;
+
+allow dumpstate aee_aed:process {sigchld};
+allow dumpstate mobile_log_d:fd {use};
+allow dumpstate mobile_log_d:fifo_file {write};
+allow dumpstate mobile_log_d:process {sigchld};
+allow dumpstate mobile_log_d:unix_stream_socket {read write};
+allow dumpstate kmsg_device:chr_file {ioctl read getattr lock map open};
+allow dumpstate sysfs_vibrator:file {write};
+allow dumpstate fuse:dir {write lock add_name remove_name search open};
+allow dumpstate fuse:file {ioctl};
+allow dumpstate fuse:file {write create setattr append open};
+allow dumpstate debugfs_tracing:file {read write open};
+allow dumpstate gpu_device:dir {search};
+allow dumpstate hal_camera_hwservice:hwservice_manager {find};
+allow dumpstate logcat_exec:file {read getattr map execute entrypoint open};
+allow dumpstate mnt_user_file:dir {search};
+allow dumpstate mnt_user_file:lnk_file {read};
+allow dumpstate self:capability {sys_nice};
+allow dumpstate storage_file:lnk_file {read};
diff --git a/sepolicy/private/em_svr.te b/sepolicy/private/em_svr.te
new file mode 100644
index 0000000..ebb05cb
--- /dev/null
+++ b/sepolicy/private/em_svr.te
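Review bot: `allow dumpstate logcat_exec:file {read getattr map execute entrypoint open};` includes `entrypoint`, which declares that the dumpstate domain may be entered by executing the logcat binary; only `dumpstate_exec` should carry that permission, and running logcat from within dumpstate needs `execute_no_trans` instead, i.e. `allow dumpstate logcat_exec:file {read getattr map execute execute_no_trans open};`. `allow dumpstate fuse:file {ioctl};` can be folded into the following `fuse:file` rule. `typeattribute dumpstate hal_camera_client;` and `hal_camera_hwservice:hwservice_manager {find}` hand bugreport generation a live camera HAL client handle and deserve a comment stating what is dumped through it.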
@@ -0,0 +1,22 @@ +type em_svr_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(em_svr); +binder_use(em_svr); +binder_call(em_svr,surfaceflinger); + +allow em_svr block_device:dir {search}; +allow em_svr sdcardfs:dir {write add_name search}; +allow em_svr sdcardfs:file {write create open}; +allow em_svr media_rw_data_file:dir {read write add_name search open}; +allow em_svr media_rw_data_file:file {write create open}; +allow em_svr graphics_device:dir {search}; +allow em_svr graphics_device:chr_file {ioctl read write open}; +allow em_svr surfaceflinger_service:service_manager {find}; +allow em_svr sysfs_leds:dir {search}; +allow em_svr self:capability {chown fsetid}; +allow em_svr shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow em_svr toolbox_exec:file {read getattr execute execute_no_trans open}; +allow em_svr sysfs:dir {read open}; +allow em_svr sysfs_batteryinfo:dir {search}; +allow em_svr sysfs_dt_firmware_android:dir {read search open}; +allow em_svr sysfs_dt_firmware_android:file {read getattr open}; diff --git a/sepolicy/private/emdlogger.te b/sepolicy/private/emdlogger.te new file mode 100644 index 0000000..75c756e --- /dev/null +++ b/sepolicy/private/emdlogger.te 
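Review bot: `allow em_svr shell_exec:file {... execute execute_no_trans ...}` and the `toolbox_exec` rule mean the engineering-mode server runs shell commands in its own domain, and `self:capability {chown fsetid}` lets it change ownership of what it writes; each of these needs a comment naming the command or file involved. Engineering-mode services are usually not wanted on production builds, so consider wrapping at least the execution and `chown` rules in `userdebug_or_eng(` ... `)`. The domain type for `em_svr` is not declared in this file, so a comment pointing to where it is declared would help.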
@@ -0,0 +1,36 @@ +type emdlogger_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(emdlogger); +binder_use(emdlogger); + +allow emdlogger sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow emdlogger sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow emdlogger platform_app:unix_stream_socket {connectto}; +allow emdlogger shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow emdlogger system_file:file {execute_no_trans}; +allow emdlogger zygote_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow emdlogger vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow emdlogger vfat:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow emdlogger mnt_user_file:dir {search}; +allow emdlogger mnt_user_file:lnk_file {read}; +allow emdlogger storage_file:lnk_file {read}; +allow emdlogger mnt_media_rw_file:dir {search}; +allow emdlogger rootfs:file {ioctl read getattr lock map open}; +allow emdlogger storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow emdlogger tmpfs:lnk_file {read}; +allow emdlogger storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow emdlogger system_file:dir {read}; +allow emdlogger toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow emdlogger media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow emdlogger media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow emdlogger proc_cmdline:file {read getattr open}; +allow emdlogger sysfs_dt_firmware_android:dir {read search open}; +allow 
emdlogger tmpfs:dir {write}; +allow emdlogger sysfs_dt_firmware_android:file {read getattr open}; +allow emdlogger system_file:dir {open}; +allow emdlogger vendor_default_prop:file {read getattr open}; +allow emdlogger mddb_filter_data_file:dir {ioctl read getattr lock search open}; +allow emdlogger mddb_filter_data_file:file {ioctl read getattr lock map open}; +allow emdlogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow emdlogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow emdlogger system_prop:file {read getattr map open}; diff --git a/sepolicy/private/fastbootd.te b/sepolicy/private/fastbootd.te new file mode 100644 index 0000000..3468309 --- /dev/null +++ b/sepolicy/private/fastbootd.te @@ -0,0 +1,5 @@ +recovery_only(` + userdebug_or_eng(` + permissive fastbootd; + ') +') diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts new file mode 100644 index 0000000..39d9d40 --- /dev/null +++ b/sepolicy/private/file_contexts 
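Review bot: `allow emdlogger zygote_exec:file {ioctl read getattr lock map execute execute_no_trans open};` lets the modem logger run the zygote binary (`app_process`) inside its own domain with no transition, so any Java code launched that way inherits emdlogger's wide storage and socket access; if this is for invoking a helper such as `am`, it should go through a proper domain transition or be removed. Execution of `shell_exec` and `toolbox_exec` with `execute_no_trans` shows the daemon shells out, and each such rule should carry a comment naming the command. `system_file:dir {read}` and `system_file:dir {open}` are emitted as separate lines and should be merged.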
@@ -0,0 +1,43 @@ +/system/bin/aee_aed u:object_r:aee_aed_exec:s0 +/system/bin/aee_aed64 u:object_r:aee_aed_exec:s0 +/system/bin/atci_service_sys u:object_r:atci_service_sys_exec:s0 +/data/ramdump(/.*)? u:object_r:debuglog_data_file:s0 +/data/debuglogger(/.*)? u:object_r:debuglog_data_file:s0 +/system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0 +/data/system_de/mdfilter(/.*)? u:object_r:mddb_filter_data_file:s0 +/system/bin/mdlogger u:object_r:mdlogger_exec:s0 +/dev/ubi[_0-9]* u:object_r:mtd_device:s0 +/dev/block/mtd(.*)? u:object_r:mtd_device:s0 +/dev/block/mntlblk(.*)? u:object_r:mtd_device:s0 +/dev/ubi_ctrl u:object_r:mtd_device:s0 +/system/bin/mtk_advcamserver u:object_r:mtk_advcamserver_exec:s0 +/system/bin/storagemanagerd u:object_r:vold_exec:s0 +/system/bin/mdi_redirector u:object_r:mdi_redirector_exec:s0 +/system/bin/mdmi_redirector u:object_r:mdmi_redirector_exec:s0 +/system/bin/aal u:object_r:aal_exec:s0 +/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0 +/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0 +/system/bin/cmddumper u:object_r:cmddumper_exec:s0 +/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0 +/system/bin/em_svr u:object_r:em_svr_exec:s0 +/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0 +/system/bin/batterywarning u:object_r:batterywarning_exec:s0 +/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0 +/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0 +/dev/mcupm(/.*)? 
u:object_r:mcupm_device:s0 +/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0 +/system/bin/netdiag u:object_r:netdiag_exec:s0 +/system/bin/sn u:object_r:sn_exec:s0 +/system/bin/usp_service u:object_r:usp_service_exec:s0 +/system/bin/camerapostalgo u:object_r:camerapostalgo_exec:s0 +/system/bin/terservice u:object_r:terservice_exec:s0 +/system/bin/thermald u:object_r:thermald_exec:s0 +/system/bin/GoogleOtaBinder u:object_r:GoogleOtaBinder_exec:s0 +/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0 +/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0 +/system/bin/mtkbootanimation u:object_r:mtkbootanimation_exec:s0 +/system/bin/met_log_d u:object_r:met_log_d_exec:s0 +/system/bin/resize.f2fs u:object_r:fsck_exec:s0 +/system/bin/resize2fs u:object_r:fsck_exec:s0 +/eng u:object_r:rootfs:s0 +/system/bin/mmp u:object_r:mmp_exec:s0 diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts new file mode 100644 index 0000000..157b856 --- /dev/null +++ b/sepolicy/private/genfs_contexts 
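Review bot: `/system/bin/storagemanagerd u:object_r:vold_exec:s0` runs a vendor daemon in the `vold` domain, inheriting its block-device and mount privileges, and `/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0` likewise places a vendor binary in `dumpstate`; both deserve their own domain, or at least a comment justifying the reuse. `/dev/block/mtd(.*)?` and `/dev/block/mntlblk(.*)?` are labelled `mtd_device` rather than a block-device type, which is what lets `boot_logo_updater` and `kpoc_charger` open them through their `mtd_device:blk_file` / `chr_file` rules; a comment stating that this is deliberate would help. `/eng u:object_r:rootfs:s0` also has no explanation of what lives there.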
@@ -0,0 +1,18 @@
+genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/musb-mtu3d/musb-hdrc/portmode u:object_r:sysfs_portmode:s0
+genfscon sysfs /devices/platform/11201000.mtu3_0/portmode u:object_r:sysfs_portmode:s0
+genfscon sysfs /bus/platform/devices/musb-hdrc/portmode u:object_r:sysfs_portmode:s0
+genfscon sysfs /class/udc/musb-hdrc/device/portmode u:object_r:sysfs_portmode:s0
+genfscon sysfs /devices/platform/mt_usb/portmode u:object_r:sysfs_portmode:s0
+genfscon sysfs /class/android_usb/android0 u:object_r:sysfs_android0_usb:s0
+genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
+genfscon sysfs /devices/platform/11201000.mtu3_0/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
+genfscon sysfs /devices/platform/11201000.usb3/udc/musb-hdrc u:object_r:sysfs_musb_hdrc:s0
+genfscon sysfs /class/udc/musb-hdrc/device/comde u:object_r:sysfs_musb_hdrc:s0
+genfscon sysfs /devices/platform/mt-battery/BatteryNotify u:object_r:sysfs_battery_warning:s0
+genfscon sysfs /devices/platform/charger/BatteryNotify u:object_r:sysfs_battery_warning:s0
+genfscon sysfs /devices/virtual/misc/mcupm u:object_r:sysfs_mcupm:s0
+genfscon sysfs /devices/platform/mt_usb/cmode u:object_r:sysfs_mt_usb:s0
+genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+genfscon proc /driver/cl_cam_status u:object_r:proc_cl_cam_status:s0
diff --git a/sepolicy/private/hal_graphics_allocator.te b/sepolicy/private/hal_graphics_allocator.te
new file mode 100644
index 0000000..41ec278
--- /dev/null
+++ b/sepolicy/private/hal_graphics_allocator.te
@@ -0,0 +1 @@
+allow hal_graphics_allocator proc:file {ioctl read getattr open};
diff --git a/sepolicy/private/init.te b/sepolicy/private/init.te
new file mode 100644
index 0000000..1775588
--- /dev/null
+++ b/sepolicy/private/init.te
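Review bot: `allow hal_graphics_allocator proc:file {ioctl read getattr open};` grants read on the generic `proc` label rather than one specific `/proc` entry; the convention is to add a `genfscon proc <path>` line giving that file its own type, exactly as this change does for `/driver/cl_cam_status`, and allow only that type. Without a comment it is impossible to tell which `/proc` file the allocator reads, so the rule cannot be reviewed for necessity.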
@@ -0,0 +1,11 @@
+allow init vendor_configs_file:{ dir file } mounton;
+allow init vendor_overlay_file:{ dir file } mounton;
+allow init mtk_cta_set_prop:property_service {set};
+allow init mtk_cta_set_prop:file {read getattr map open};
+allow init mtk_rsc_sys_prop:property_service {set};
+allow init mtk_rsc_sys_prop:file {read getattr map open};
+allow init sysfs_devices_system_cpu:file {relabelfrom};
+allow init debugfs_tracing:dir {write};
+allow init debugfs_tracing:file {write};
+allow init self:capability {sys_module};
+allow init system_file:system {module_load};
diff --git a/sepolicy/private/kpoc_charger.te b/sepolicy/private/kpoc_charger.te
new file mode 100644
index 0000000..e4b5029
--- /dev/null
+++ b/sepolicy/private/kpoc_charger.te
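Review bot: `allow init self:capability {sys_module};` and `allow init system_file:system {module_load};` let init load kernel modules out of anything carrying the generic `system_file` label; the usual practice is to keep modules in their own directory with a dedicated type so `module_load` is limited to that set, and a comment should name the modules and the rc lines that load them. `allow init mtk_cta_set_prop:property_service {set};` with its matching `:file` read is the expansion of `set_prop(init, mtk_cta_set_prop)`, and the same holds for `mtk_rsc_sys_prop`; use the macros. `sysfs_devices_system_cpu:file {relabelfrom}` and the `debugfs_tracing` writes should also say which rc action needs them.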
@@ -0,0 +1,31 @@ +type kpoc_charger_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(kpoc_charger); + +allow kpoc_charger block_device:dir {search}; +allow kpoc_charger graphics_device:dir {search}; +allow kpoc_charger graphics_device:chr_file {ioctl read write getattr lock append map open}; +allow kpoc_charger input_device:dir {read search open}; +allow kpoc_charger input_device:chr_file {ioctl read write open}; +allow kpoc_charger property_socket:sock_file {write}; +allow kpoc_charger self:capability {sys_nice}; +allow kpoc_charger self:capability {net_admin}; +allow kpoc_charger self:netlink_kobject_uevent_socket {read create bind setopt}; +allow kpoc_charger sysfs:dir {ioctl read getattr lock search open}; +allow kpoc_charger kmsg_device:chr_file {write open}; +allow kpoc_charger rtc_device:chr_file {read write open}; +allow kpoc_charger init:unix_stream_socket {connectto}; +allow kpoc_charger self:capability {sys_boot}; +allow kpoc_charger mtd_device:dir {search}; +allow kpoc_charger mtd_device:chr_file {read}; +allow kpoc_charger mtd_device:chr_file {read open}; +allow kpoc_charger rootfs:file {ioctl read getattr lock map open}; +allow kpoc_charger sysfs_leds:dir {ioctl read getattr lock search open}; +allow kpoc_charger sysfs_batteryinfo:dir {ioctl read getattr lock search open}; +allow kpoc_charger sysfs_power:file {read write getattr open}; +allow kpoc_charger sysfs_dt_firmware_android:dir {ioctl read getattr lock search open}; +allow kpoc_charger sysfs_dt_firmware_android:file {ioctl read getattr lock map open}; +allow kpoc_charger sysfs_dt_firmware_android:lnk_file {ioctl read getattr lock map open}; +allow kpoc_charger sysfs_dt_firmware_android:dir {read search open}; +allow kpoc_charger proc_cmdline:file {ioctl read getattr lock map open}; +allow kpoc_charger sysfs_battery_warning:file {ioctl read getattr lock map open}; diff --git a/sepolicy/private/lmkd.te b/sepolicy/private/lmkd.te new file mode 100644 index 0000000..d8751a5 
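Review bot: `allow kpoc_charger self:capability {net_admin}` sits next to a `netlink_kobject_uevent_socket` rule, but as far as I know receiving uevents does not require CAP_NET_ADMIN, so for a charging-mode daemon this looks like an over-grant that should be removed unless a denial proves otherwise. The capability grants are also scattered across three lines (`{sys_nice}`, `{net_admin}`, `{sys_boot}`) and the two `mtd_device:chr_file` rules (`{read}` and `{read open}`) overlap; folding each into one rule makes the privilege set readable at a glance. `sys_boot` is plausible for a charger that reboots into normal mode, and a comment saying exactly that (`# reboot out of KPOC when the power key is held`, or whatever the real trigger is) would stop a future reviewer from questioning it.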
--- /dev/null
+++ b/sepolicy/private/lmkd.te
@@ -0,0 +1 @@
+allow lmkd proc_vmstat:file {ioctl read getattr lock map open};
diff --git a/sepolicy/private/loghidlsysservice.te b/sepolicy/private/loghidlsysservice.te
new file mode 100644
index 0000000..735df82
--- /dev/null
+++ b/sepolicy/private/loghidlsysservice.te
@@ -0,0 +1,6 @@
+type loghidlsysservice_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(loghidlsysservice);
+
+allow loghidlsysservice emdlogger:unix_stream_socket {connectto};
+allow loghidlsysservice mobile_log_d:unix_stream_socket {connectto};
diff --git a/sepolicy/private/ls_dbg.te b/sepolicy/private/ls_dbg.te
new file mode 100644
index 0000000..e809486
--- /dev/null
+++ b/sepolicy/private/ls_dbg.te
@@ -0,0 +1,44 @@ +type lbs_dbg, domain, coredomain, halclientdomain, mtk_hal_lbs_client; +type lbs_dbg_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(lbs_dbg); + +type_transition lbs_dbg system_data_file:dir lbs_dbg_data_file; +type_transition lbs_dbg system_data_file:fifo_file lbs_dbg_data_file; +type_transition lbs_dbg system_data_file:sock_file lbs_dbg_data_file; +type_transition lbs_dbg system_data_file:lnk_file lbs_dbg_data_file; +type_transition lbs_dbg system_data_file:file lbs_dbg_data_file; + +allow lbs_dbg hwservicemanager_prop:file {read}; +allow lbs_dbg lbs_dbg_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow lbs_dbg lbs_dbg_data_file:fifo_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow lbs_dbg lbs_dbg_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow lbs_dbg lbs_dbg_data_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow lbs_dbg lbs_dbg_data_file:sock_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow lbs_dbg media_rw_data_file:dir {create add_name}; +allow lbs_dbg media_rw_data_file:dir {read open}; +allow lbs_dbg media_rw_data_file:dir {search}; +allow lbs_dbg media_rw_data_file:dir {write remove_name}; +allow lbs_dbg media_rw_data_file:file {getattr}; +allow lbs_dbg media_rw_data_file:file {unlink}; +allow lbs_dbg media_rw_data_file:file {write create rename open}; +allow lbs_dbg sdcard_type:dir {ioctl read getattr lock search open}; +allow lbs_dbg sdcard_type:filesystem {unmount}; +allow lbs_dbg sdcardfs:dir {write create add_name remove_name}; +allow lbs_dbg sdcardfs:file {getattr rename}; +allow lbs_dbg sdcardfs:file {unlink}; +allow lbs_dbg sdcardfs:file {write create open}; +allow lbs_dbg self:netlink_route_socket {read write create getattr bind nlmsg_read nlmsg_write}; 
+allow lbs_dbg self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown}; +allow lbs_dbg self:udp_socket {ioctl read write create getattr setattr lock append map bind connect getopt setopt shutdown}; +allow lbs_dbg storage_file:dir {write create mounton add_name search}; +allow lbs_dbg storage_file:lnk_file {read}; +allow lbs_dbg sysfs:dir {read open}; +allow lbs_dbg sysfs_leds:dir {search}; +allow lbs_dbg sysfs_leds:lnk_file {read}; +allow lbs_dbg sysfs_vibrator:file {read write open}; +allow lbs_dbg system_data_file:dir {ioctl read write getattr lock add_name search open}; +allow lbs_dbg system_data_file:lnk_file {read}; +allow lbs_dbg tmpfs:filesystem {unmount}; +allow lbs_dbg vfat:dir {write create add_name remove_name}; +allow lbs_dbg vfat:file {write create getattr unlink rename open}; diff --git a/sepolicy/private/mddb.te b/sepolicy/private/mddb.te new file mode 100644 index 0000000..c43e01c --- /dev/null +++ b/sepolicy/private/mddb.te @@ -0,0 +1 @@ +type mddb_filter_data_file, file_type, data_file_type, core_data_file_type; diff --git a/sepolicy/private/mdi_redirector.te b/sepolicy/private/mdi_redirector.te new file mode 100644 index 0000000..dd638c4 --- /dev/null +++ b/sepolicy/private/mdi_redirector.te 
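Review bot: `allow lbs_dbg sdcard_type:filesystem {unmount}`, `allow lbs_dbg tmpfs:filesystem {unmount}` and the `mounton` in `allow lbs_dbg storage_file:dir {write create mounton add_name search}` let a GNSS debugging daemon unmount user storage and tmpfs mounts and mount over /storage, far beyond what writing a debug log needs, so a compromise of this coredomain process could disrupt or replace the storage view seen by every app. I would drop those three rules and confine the daemon to `lbs_dbg_data_file` (the `type_transition` lines already set that up) plus the `media_rw_data_file` writes if logging to external storage is required. The domain also gets `self:tcp_socket {... listen accept ...}`; since SELinux cannot restrict the bind address, a comment stating the port and whether it is loopback-only belongs next to that line. Minor: the file is named ls_dbg.te but declares `lbs_dbg`.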
@@ -0,0 +1,12 @@
+type mdi_redirector, domain, netdomain, coredomain, halclientdomain, mtk_hal_dmc_client;
+type mdi_redirector_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(mdi_redirector);
+
+allow mdi_redirector fwmarkd_socket:sock_file {write};
+allow mdi_redirector self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
+allow mdi_redirector self:udp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown};
+allow mdi_redirector node:tcp_socket {node_bind};
+allow mdi_redirector port:tcp_socket {name_bind};
+allow mdi_redirector netd:unix_stream_socket {connectto};
+allow mdi_redirector mtk_dmc_prop:file {read getattr map open};
diff --git a/sepolicy/private/mdlogger.te b/sepolicy/private/mdlogger.te
new file mode 100644
index 0000000..381ccd7
--- /dev/null
+++ b/sepolicy/private/mdlogger.te
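Review bot: `mdi_redirector` binds and listens with the generic `port` type (`allow mdi_redirector port:tcp_socket {name_bind}` plus `listen accept` on `self:tcp_socket`) while talking to `netd` and `fwmarkd`, so it is a network-facing daemon whose exposed port cannot be determined from policy. A dedicated port type (`type mdi_redirector_port, port_type;` with a `portcon` entry) and `allow mdi_redirector mdi_redirector_port:tcp_socket name_bind;` would both document and constrain it. The `netdomain.te` hunk in this same change grants `port_type:tcp_socket name_bind` and full `self:tcp_socket`/`self:udp_socket` sets to every netdomain, which makes the explicit `self:*_socket`, `node:tcp_socket` and `port:tcp_socket` lines here redundant once that lands; pick one place for the rule. `mdmi_redirector.te` is, apart from the name, the same policy, so a shared attribute would keep the two from drifting.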
@@ -0,0 +1,31 @@ +type mdlogger_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(mdlogger); +binder_use(mdlogger); + +allow mdlogger platform_app:unix_stream_socket {connectto}; +allow mdlogger shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow mdlogger system_file:file {getattr map execute execute_no_trans}; +allow mdlogger zygote_exec:file {ioctl read getattr lock map open}; +allow mdlogger node:tcp_socket {node_bind}; +allow mdlogger port:tcp_socket {name_bind}; +allow mdlogger self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown}; +allow mdlogger vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mdlogger vfat:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mdlogger tmpfs:lnk_file {read}; +allow mdlogger storage_file:lnk_file {ioctl read write getattr lock append map open}; +allow mdlogger mnt_user_file:dir {search}; +allow mdlogger mnt_user_file:lnk_file {ioctl read write getattr lock append map open}; +allow mdlogger sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mdlogger sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mdlogger media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mdlogger media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mdlogger storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mdlogger storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mdlogger file_contexts_file:file {read getattr open}; +allow mdlogger system_file:dir 
{read}; +allow mdlogger mddb_filter_data_file:dir {ioctl read getattr lock search open}; +allow mdlogger mddb_filter_data_file:file {ioctl read getattr lock map open}; +allow mdlogger debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow mdlogger debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mdlogger system_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; diff --git a/sepolicy/private/mdmi_redirector.te b/sepolicy/private/mdmi_redirector.te new file mode 100644 index 0000000..295975d --- /dev/null +++ b/sepolicy/private/mdmi_redirector.te @@ -0,0 +1,12 @@ +type mdmi_redirector, domain, netdomain, coredomain, halclientdomain, mtk_hal_dmc_client; +type mdmi_redirector_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(mdmi_redirector); + +allow mdmi_redirector fwmarkd_socket:sock_file {write}; +allow mdmi_redirector self:tcp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown}; +allow mdmi_redirector self:udp_socket {ioctl read write create getattr setattr lock append map bind connect listen accept getopt setopt shutdown}; +allow mdmi_redirector node:tcp_socket {node_bind}; +allow mdmi_redirector port:tcp_socket {name_bind}; +allow mdmi_redirector netd:unix_stream_socket {connectto}; +allow mdmi_redirector mtk_dmc_prop:file {read getattr map open}; diff --git a/sepolicy/private/met_log_d.te b/sepolicy/private/met_log_d.te new file mode 100644 index 0000000..1daa8e5 --- /dev/null +++ b/sepolicy/private/met_log_d.te 
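Review bot: `mdlogger` combines a TCP listener (`port:tcp_socket {name_bind}` and `self:tcp_socket {... listen accept ...}`) with the ability to run the shell and any system binary in its own domain (`shell_exec:file {... execute execute_no_trans ...}`, `system_file:file {getattr map execute execute_no_trans}`), so whatever protocol it parses on that socket is one bug away from command execution with mdlogger's write access to sdcard, storage and `system_data_file`. If the shell use is a fixed set of helper commands, restrict `execute_no_trans` to those binaries' own types and add a comment naming the listener's port and intended peer (host-side log tool, presumably). `allow mdlogger platform_app:unix_stream_socket {connectto}` is also unusual for a daemon and deserves a comment naming the app that owns the socket. `zygote_exec:file` read by a modem logger looks like a denial that was allowed rather than investigated; the enclosing hunk starts on the previous line.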
@@ -0,0 +1,9 @@
+type met_log_d_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(met_log_d);
+
+allow met_log_d debug_prop:file {read getattr map open};
+allow met_log_d debug_prop:property_service {set};
+allow met_log_d init:unix_stream_socket {connectto};
+allow met_log_d property_socket:sock_file {write};
+allow met_log_d system_file:file {ioctl read getattr lock map execute execute_no_trans open};
diff --git a/sepolicy/private/mmp.te b/sepolicy/private/mmp.te
new file mode 100644
index 0000000..6e8e8f4
--- /dev/null
+++ b/sepolicy/private/mmp.te
@@ -0,0 +1,4 @@
+type mmp, domain, coredomain;
+type mmp_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(mmp);
diff --git a/sepolicy/private/mobile_log_d.te b/sepolicy/private/mobile_log_d.te
new file mode 100644
index 0000000..3b4d8cd
--- /dev/null
+++ b/sepolicy/private/mobile_log_d.te
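Review bot: `allow met_log_d system_file:file {ioctl read getattr lock map execute execute_no_trans open}` lets this logging daemon execute any binary on the system partition inside its own domain, which is much wider than a daemon whose other rules only set `debug_prop` should need; name the helper it invokes and grant `execute_no_trans` on that binary's type, or give the helper its own domain with a transition. `allow met_log_d debug_prop:property_service {set}` similarly covers every `debug.*` property; if only MET-specific ones are written, a dedicated `mtk_met_prop` type keeps unrelated debug switches out of reach.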
@@ -0,0 +1,51 @@ +type mobile_log_d_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(mobile_log_d); + +type_transition mobile_log_d logcat_exec:process dumpstate; + +allow mobile_log_d kernel:system {syslog_mod}; +dontaudit mobile_log_d untrusted_app:fd {use}; +dontaudit mobile_log_d isolated_app:fd {use}; +allow mobile_log_d property_socket:sock_file {write}; +allow mobile_log_d init:unix_stream_socket {connectto}; +allow mobile_log_d debug_prop:property_service {set}; +allow mobile_log_d debug_prop:file {read getattr map open}; +allow mobile_log_d logdr_socket:sock_file {write}; +allow mobile_log_d logd:unix_stream_socket {connectto}; +allow mobile_log_d self:capability {chown fowner fsetid setgid setuid}; +allow mobile_log_d self:capability {chown setgid setuid}; +allow mobile_log_d self:capability2 {syslog}; +allow mobile_log_d system_file:file {execute_no_trans}; +allow mobile_log_d shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow mobile_log_d logcat_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow mobile_log_d logcat_exec:file {read getattr map execute open}; +allow mobile_log_d dumpstate:process {transition}; +dontaudit mobile_log_d dumpstate:process {noatsecure}; +allow mobile_log_d dumpstate:process {siginh rlimitinh}; +allow mobile_log_d storage_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d storage_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d storage_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d mnt_user_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d mnt_user_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d 
sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d vfat:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d mnt_media_rw_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d mnt_media_rw_file:lnk_file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow mobile_log_d rootfs:file {ioctl read getattr lock map open}; +allow mobile_log_d device_logging_prop:file {getattr open}; +allow mobile_log_d mmc_prop:file {getattr open}; +allow mobile_log_d safemode_prop:file {getattr open}; +allow mobile_log_d media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d debugfs_tracing:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d debugfs_tracing_instances:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d debugfs_tracing_instances:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow mobile_log_d debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow mobile_log_d debuglog_data_file:file {ioctl read write create 
getattr setattr lock append map unlink rename open}; +allow mobile_log_d mcupm_device:chr_file {ioctl read getattr lock map open}; +allow mobile_log_d sysfs_mcupm:file {write lock append map open}; +allow mobile_log_d sysfs_mcupm:dir {search}; diff --git a/sepolicy/private/modemdbfilter.te b/sepolicy/private/modemdbfilter.te new file mode 100644 index 0000000..a3bb719 --- /dev/null +++ b/sepolicy/private/modemdbfilter.te @@ -0,0 +1,6 @@ +type modemdbfilter_client_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(modemdbfilter_client); + +allow modemdbfilter_client mddb_filter_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow modemdbfilter_client mddb_filter_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; diff --git a/sepolicy/private/mota_proc.te b/sepolicy/private/mota_proc.te new file mode 100644 index 0000000..72c2293 --- /dev/null +++ b/sepolicy/private/mota_proc.te @@ -0,0 +1 @@ +type mota_proc_file, fs_type, proc_type; diff --git a/sepolicy/private/mtk_advcamserver.te b/sepolicy/private/mtk_advcamserver.te new file mode 100644 index 0000000..e33e95c --- /dev/null +++ b/sepolicy/private/mtk_advcamserver.te @@ -0,0 +1,11 @@ +type mtk_advcamserver_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(mtk_advcamserver); +binder_use(mtk_advcamserver); +hwbinder_use(mtk_advcamserver); +binder_call(mtk_advcamserver,mtk_advcamserver); +binder_call(mtk_advcamserver,binderservicedomain); +binder_call(mtk_advcamserver,appdomain); + +allow mtk_advcamserver mtk_advcamserver_service:service_manager {add find}; +allow mtk_advcamserver hwservicemanager_prop:file {read getattr map open}; diff --git a/sepolicy/private/mtk_bootanimation.te b/sepolicy/private/mtk_bootanimation.te new file mode 100644 index 0000000..abd459d --- /dev/null +++ b/sepolicy/private/mtk_bootanimation.te 
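Review bot: `type_transition mobile_log_d logcat_exec:process dumpstate;` with `allow mobile_log_d dumpstate:process {transition}` runs logcat, when spawned by this log daemon, as `dumpstate` — the bugreport domain that can read nearly every process and file — even though the same hunk already allows `logcat_exec:file {... execute_no_trans ...}`, i.e. running logcat inside mobile_log_d itself. Unless logcat genuinely needs dumpstate's privileges here, I would drop the `type_transition`, the two `dumpstate:process` rules and the `dontaudit ... noatsecure`, and keep `execute_no_trans`; if more than log-reader access is required, a dedicated `mobile_log_d_logcat` domain is safer than borrowing dumpstate. The two `self:capability` lines (`{chown fowner fsetid setgid setuid}` and `{chown setgid setuid}`) overlap and should be one rule. `dontaudit mobile_log_d untrusted_app:fd {use}` and the `isolated_app` twin silence denials that would reveal this daemon receiving descriptors from untrusted apps; if that is a real path it should be an explicit, commented allow, otherwise remove the dontaudit so the noise stays visible. This hunk begins two lines up.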
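Review bot: `binder_call(mtk_advcamserver,appdomain)` lets this camera service call into every app domain, `isolated_app` included, and the macro also grants those apps `transfer` back to the server; if the callbacks are only for apps that can actually bind the service, `binder_call(mtk_advcamserver, { appdomain -isolated_app })` matches the usual platform shape without the sandboxed-process exception. `allow mtk_advcamserver mtk_advcamserver_service:service_manager {add find}` grants `find` on the service's own name, which is only needed if the daemon looks itself up; `add` alone is typical. A header comment stating what the service does and which app types are expected clients would make the `appdomain` grant reviewable.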
@@ -0,0 +1,32 @@ +type mtkbootanimation_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(mtkbootanimation); +binder_use(mtkbootanimation); +binder_call(mtkbootanimation,audioserver) +binder_call(mtkbootanimation,surfaceflinger) +hwbinder_use(mtkbootanimation); + +allow mtkbootanimation audio_device:chr_file {ioctl read write getattr lock append map open}; +allow mtkbootanimation audio_device:dir {ioctl read getattr lock search open}; +allow mtkbootanimation audioserver_service:service_manager {find}; +allow mtkbootanimation cgroup:dir {ioctl read getattr lock search open}; +allow mtkbootanimation cgroup:file {ioctl read getattr lock map open}; +allow mtkbootanimation cgroup:lnk_file {ioctl read getattr lock map open}; +allow mtkbootanimation debug_prop:property_service {set}; +allow mtkbootanimation gpu_device:chr_file {ioctl read write getattr lock append map open}; +allow mtkbootanimation gpu_device:dir {search}; +allow mtkbootanimation hal_graphics_allocator:fd {use}; +allow mtkbootanimation hal_graphics_composer:fd {use}; +allow mtkbootanimation init:unix_stream_socket {connectto}; +allow mtkbootanimation ion_device:chr_file {ioctl read write getattr lock append map open}; +allow mtkbootanimation mediaserver:binder {call transfer}; +allow mtkbootanimation mediaserver_service:service_manager {find}; +allow mtkbootanimation oemfs:dir {search}; +allow mtkbootanimation oemfs:file {ioctl read getattr lock map open}; +allow mtkbootanimation proc_meminfo:file {ioctl read getattr lock map open}; +allow mtkbootanimation property_socket:sock_file {write}; +allow mtkbootanimation resourcecache_data_file:dir {search}; +allow mtkbootanimation resourcecache_data_file:file {read getattr open}; +allow mtkbootanimation surfaceflinger:fifo_file {ioctl read write getattr lock append map open}; +allow mtkbootanimation surfaceflinger_service:service_manager {find}; +allow mtkbootanimation system_file:dir {ioctl read getattr lock search open}; 
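Review bot: `allow mtkbootanimation debug_prop:property_service {set}` lets the boot animation process rewrite any `debug.*` property, a wide surface for something that only needs to signal its own state; a dedicated type (`type mtk_bootanim_prop, property_type;` with a property_contexts entry for the one property it sets) is the pattern the platform's own bootanim uses. The `binder_call(mtkbootanimation,audioserver)` and `binder_call(mtkbootanimation,surfaceflinger)` lines lack the trailing `;` that every other macro invocation in this hunk carries; whichever form the build accepts, one style per file is easier to grep. A comment explaining why the animation needs raw `audio_device` and `oemfs` access (custom boot sound and assets, presumably) would save the next reader from guessing.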
diff --git a/sepolicy/private/mtk_prop.te b/sepolicy/private/mtk_prop.te
new file mode 100644
index 0000000..ac894f3
--- /dev/null
+++ b/sepolicy/private/mtk_prop.te
@@ -0,0 +1,3 @@
+type mtk_cta_set_prop, property_type, extended_core_property_type;
+type mtk_rsc_sys_prop, property_type, extended_core_property_type;
+type mtk_permission_control_prop, property_type, extended_core_property_type;
diff --git a/sepolicy/private/mtk_service.te b/sepolicy/private/mtk_service.te
new file mode 100644
index 0000000..ed122c7
--- /dev/null
+++ b/sepolicy/private/mtk_service.te
@@ -0,0 +1 @@
+type mtk_connmetrics_service, service_manager_type;
diff --git a/sepolicy/private/netd.te b/sepolicy/private/netd.te
new file mode 100644
index 0000000..893c99c
--- /dev/null
+++ b/sepolicy/private/netd.te
@@ -0,0 +1,10 @@
+allow netd dhcp_data_file:dir {read write add_name remove_name search};
+allow netd dhcp_data_file:file {read write create getattr unlink open};
+allow netd self:capability {setgid setuid net_bind_service};
+allow netd servicemanager:binder {call};
+allow netd system_prop:property_service {set};
+allowxperm netd self:unix_stream_socket ioctl {0x8941 0x89a0 0x89a2 0x89f0};
+allow netd mdi_redirector:fd {use};
+allow netd mdi_redirector:tcp_socket {read write getattr setattr lock append map bind connect getopt setopt shutdown};
+allow netd mdmi_redirector:fd {use};
+allow netd mdmi_redirector:tcp_socket {read write getattr setattr lock append map bind connect getopt setopt shutdown};
diff --git a/sepolicy/private/netdiag.te b/sepolicy/private/netdiag.te
new file mode 100644
index 0000000..ef30f67
--- /dev/null
+++ b/sepolicy/private/netdiag.te
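Review bot: `allowxperm netd self:unix_stream_socket ioctl {0x8941 0x89a0 0x89a2 0x89f0}` includes 0x89f0, the start of the SIOCDEVPRIVATE driver-private range, whose meaning depends on the interface it is issued against and which is exactly the class of request ioctl allowlisting exists to keep out of system daemons; the other three look like bridge-management requests (SIOCSIFBR/SIOCBRADDBR/SIOCBRADDIF, if I read the constants right). I would replace the raw numbers with the named defines from `ioctl_defines` and drop 0x89f0 unless the specific driver ioctl is identified and commented. `allow netd system_prop:property_service {set}` is wider than it looks because `system_prop` covers a large set of `sys.*` properties; a dedicated type for whichever property netd sets keeps the write scope explicit. `self:capability {net_bind_service}` likewise wants a comment naming the privileged port being bound.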
@@ -0,0 +1,60 @@ +type netdiag_exec, file_type, exec_type, system_file_type; + +init_daemon_domain(netdiag); +binder_use(netdiag); + +allow netdiag sdcard_type:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow netdiag sdcard_type:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow netdiag domain:dir {search}; +allow netdiag domain:file {read open}; +allow netdiag net_data_file:file {ioctl read getattr lock map open}; +allow netdiag net_data_file:dir {search}; +allow netdiag storage_file:dir {search}; +allow netdiag storage_file:lnk_file {read}; +allow netdiag mnt_user_file:dir {search}; +allow netdiag mnt_user_file:lnk_file {read}; +allow netdiag platform_app:dir {search}; +allow netdiag untrusted_app:dir {search}; +allow netdiag mnt_media_rw_file:dir {search}; +allow netdiag vfat:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow netdiag vfat:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow netdiag tmpfs:lnk_file {read}; +allow netdiag system_file:file {ioctl read getattr lock map execute execute_no_trans open}; +allow netdiag self:capability {setgid setuid net_admin net_raw}; +allow netdiag shell_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow netdiag proc_net:file {ioctl read getattr lock map open}; +allow netdiag dnsproxyd_socket:sock_file {write}; +allow netdiag fwmarkd_socket:sock_file {write}; +allow netdiag netd:unix_stream_socket {connectto}; +allow netdiag self:udp_socket {connect}; +allow netdiag connectivity_service:service_manager {find}; +allow netdiag netstats_service:service_manager {find}; +allow netdiag system_server:binder {call}; +allow netdiag connmetrics_service:service_manager {find}; +allow netdiag netpolicy_service:service_manager {find}; +allow netdiag network_management_service:service_manager {find}; 
+allow netdiag settings_service:service_manager {find}; +allow netdiag device_logging_prop:file {getattr open}; +allow netdiag mmc_prop:file {getattr open}; +allow netdiag proc_net:dir {read open}; +allow netdiag safemode_prop:file {getattr open}; +allow netdiag toolbox_exec:file {ioctl read getattr lock map execute execute_no_trans open}; +allow netdiag media_rw_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow netdiag media_rw_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow netdiag self:netlink_xfrm_socket {read write create getattr bind setopt nlmsg_read}; +allow netdiag self:packet_socket {read create getopt setopt}; +allowxperm netdiag self:packet_socket ioctl {0x8906 0x8933}; +allow netdiag self:packet_socket {ioctl write map}; +allow netdiag self:netlink_route_socket {read write create getattr bind setopt nlmsg_read}; +allow netdiag kernel:system {module_request}; +allow netdiag self:rawip_socket {create getopt}; +allow netdiag self:udp_socket {ioctl create}; +allow netdiag proc_qtaguid_stat:dir {read search open}; +allow netdiag proc_qtaguid_stat:file {read getattr open}; +allow netdiag vendor_default_prop:file {read getattr map open}; +allow netdiag proc_net_tcp_udp:file {getattr}; +allow netdiag netd:binder {call}; +allow netdiag apexd_prop:file {read getattr map open}; +allow netdiag debuglog_data_file:dir {ioctl read write create getattr setattr lock relabelto rename add_name remove_name reparent search rmdir open}; +allow netdiag debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow netdiag servicemanager:binder {call}; diff --git a/sepolicy/private/netdomain.te b/sepolicy/private/netdomain.te new file mode 100644 index 0000000..7eb38a5 --- /dev/null +++ b/sepolicy/private/netdomain.te 
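Review bot: `allow netdiag domain:dir {search}` and `allow netdiag domain:file {read open}` grant read access to the /proc/<pid> entries of every process on the device (those nodes carry the process's domain label), exposing `cmdline`, `environ`, `maps` and similar for system_server, keystore and every app to a diagnostics daemon that also holds `net_admin net_raw`, a packet socket and full write access to shared storage. If netdiag only needs its own or a few peers' entries, name those domains; if it enumerates processes for a network diagnostic, `r_dir_perms` on `domain:dir` plus read on the specific `proc_*` types it parses is the usual compromise. `allow netdiag system_file:file {... execute execute_no_trans ...}` and the matching `shell_exec` rule additionally let it run any system binary in its own privileged context, so restrict that to the helpers it actually calls. Minor: the `self:udp_socket {connect}` / `{ioctl create}` split and the three `packet_socket` rules can each be merged. This hunk begins on the previous line.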
@@ -0,0 +1,7 @@
+allow netdomain node_type:tcp_socket {node_bind};
+allow netdomain node_type:udp_socket {node_bind};
+allow netdomain port_type:tcp_socket {name_bind};
+allow netdomain port_type:udp_socket {name_bind};
+allow netdomain self:netlink_route_socket {read create bind nlmsg_read};
+allow netdomain self:tcp_socket {ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect};
+allow netdomain self:udp_socket {ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind};
diff --git a/sepolicy/private/netflix_bsp_rev.te b/sepolicy/private/netflix_bsp_rev.te
new file mode 100644
index 0000000..b65ca27
--- /dev/null
+++ b/sepolicy/private/netflix_bsp_rev.te
@@ -0,0 +1 @@
+type netflix_bsp_rev_prop, property_type;
diff --git a/sepolicy/private/netutils.te b/sepolicy/private/netutils.te
new file mode 100644
index 0000000..20ee026
--- /dev/null
+++ b/sepolicy/private/netutils.te
@@ -0,0 +1 @@
+allow netutils_wrapper netd:binder {call transfer};
diff --git a/sepolicy/private/platform_app.te b/sepolicy/private/platform_app.te
new file mode 100644
index 0000000..cedf8c9
--- /dev/null
+++ b/sepolicy/private/platform_app.te
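Review bot: `allow netdomain port_type:tcp_socket {name_bind}` and its udp twin let every network-capable domain — which includes every app holding INTERNET — bind to any port type defined in policy, not just the generic `port`; the platform's base net.te deliberately grants only `port:{tcp_socket udp_socket} name_bind` so that dedicated port types (such as the ones the redirectors in this change ought to get) stay reserved to their owners, and the same argument applies to `node_type` versus `node`. The `self:tcp_socket`/`self:udp_socket` lines also add `relabelfrom relabelto`, `listen accept` on UDP and `name_bind node_bind name_connect`, permissions that are checked against port/node types rather than `self` and so do nothing here. I would cut these back to what the base policy already grants and add only the specific permission that was actually denied, with the denial quoted in a comment, e.g. `allow netdomain self:tcp_socket { listen accept };` if that is the gap.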
@@ -0,0 +1,17 @@ +typeattribute platform_app hal_power_client; +typeattribute platform_app hal_gpu_client; + +allow platform_app aal_service:service_manager {find}; +allow platform_app debuglog_data_file:dir {ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open}; +allow platform_app debuglog_data_file:file {ioctl read write create getattr setattr lock append map unlink rename open}; +allow platform_app mtk_cta_set_prop:file {read getattr map open}; +allow platform_app mtk_rsc_sys_prop:file {read getattr map open}; +allow platform_app camerapostalgo_service:service_manager {find}; +allow platform_app system_app_data_file:file {read write}; +allow platform_app system_app_service:service_manager {find}; +allow platform_app ctl_campostalgo_prop:file {read getattr map open}; +allow platform_app ctl_campostalgo_prop:property_service {set}; +allow platform_app mtk_connmetrics_service:service_manager {find}; +allow platform_app proc_cl_cam_status:file {ioctl read getattr lock map open}; +allow platform_app system_app_data_file:file {read write}; +allow platform_app system_app_service:service_manager {find}; diff --git a/sepolicy/private/ppp.te b/sepolicy/private/ppp.te new file mode 100644 index 0000000..3a22c59 --- /dev/null +++ b/sepolicy/private/ppp.te @@ -0,0 +1 @@ +allow ppp mtp:file {read}; diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te new file mode 100644 index 0000000..fb11ed4 --- /dev/null +++ b/sepolicy/private/priv_app.te @@ -0,0 +1,5 @@ +typeattribute priv_app halclientdomain; +typeattribute priv_app hal_gpu_client; + +allow priv_app mtk_cta_set_prop:file {read getattr map open}; +dontaudit priv_app system_data_file:dir {write}; diff --git a/sepolicy/private/proc_cl_cam.te b/sepolicy/private/proc_cl_cam.te new file mode 100644 index 0000000..1f037e6 --- /dev/null +++ b/sepolicy/private/proc_cl_cam.te @@ -0,0 +1 @@ +type proc_cl_cam_status, fs_type, proc_type; 
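Review bot: `allow platform_app system_app_data_file:file {read write}` lets every platform-signed app read and modify the private data of system apps, and `allow platform_app ctl_campostalgo_prop:property_service {set}` (with `ctl.start$camerapostalgo`/`ctl.stop$camerapostalgo`/`ctl.restart$camerapostalgo` mapped to that type in property_contexts) lets any such app start, stop or restart the camerapostalgo service; both are capabilities of one specific app, not of the whole `platform_app` class. The cleaner route is a seapp_contexts entry giving that package its own domain and moving these rules there. The `system_app_data_file:file {read write}` and `system_app_service:service_manager {find}` lines each appear twice in this hunk; drop the duplicates. `debuglog_data_file:dir` with `rmdir rename reparent` for all platform apps is also broad for the log directory that `mdlogger`, `netdiag` and `mobile_log_d` write into.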
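Review bot: `dontaudit priv_app system_data_file:dir {write}` hides a denial that means some privileged app is trying to create entries directly under /data, which is a bug in that app rather than noise; the denial should be left visible (or the app fixed) instead of suppressed. `typeattribute priv_app halclientdomain` together with `hal_gpu_client` makes every privileged app a generic HAL client, which widens hwbinder reachability for the whole class; if a single app needs a HAL, a dedicated seapp_contexts domain for it is the narrower fix. A comment naming the app and HAL that motivated these two lines would make the grant reviewable later.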
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
new file mode 100644
index 0000000..65a8a89
--- /dev/null
+++ b/sepolicy/private/property_contexts
@@ -0,0 +1,42 @@ +ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0 +init.svc.aee_aedv u:object_r:init_svc_aee_aedv_prop:s0 +ctl.atci_service u:object_r:ctl_atci_service_prop:s0 +persist.vendor.radio.port_index u:object_r:mtk_atci_sys_prop:s0 +vendor.ril.atci.flightmode u:object_r:mtk_atci_sys_prop:s0 +persist.vendor.service.atci.autostart u:object_r:mtk_atci_sys_prop:s0 +persist.vendor.service.atci.usermode u:object_r:mtk_atci_sys_prop:s0 +ctl.atcid-daemon-u u:object_r:ctl_atcid-daemon-u_prop:s0 +ctl.emdlogger1 u:object_r:ctl_emdlogger1_prop:s0 +init.svc.emdlogger1 u:object_r:init_svc_emdlogger1_prop:s0 +ctl.emdlogger2 u:object_r:ctl_emdlogger2_prop:s0 +ctl.emdlogger3 u:object_r:ctl_emdlogger3_prop:s0 +ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int +ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int +ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int +ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int +ro.lmk.thrashing_min_score_adj u:object_r:exported3_default_prop:s0 exact int +ro.lmk.use_new_strategy u:object_r:exported3_default_prop:s0 exact bool +ro.lmk.log_stats u:object_r:exported3_default_prop:s0 exact bool +ro.lmk.use_psi u:object_r:exported3_default_prop:s0 exact bool +ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string +ctl.mdlogger u:object_r:ctl_mdlogger_prop:s0 +ro.vendor.mtk_cta_set u:object_r:mtk_cta_set_prop:s0 +ro.vendor.mtk_dmc_support u:object_r:mtk_dmc_prop:s0 +ro.vendor.mtk_mapi_support u:object_r:mtk_dmc_prop:s0 +vendor.dmc.apm.active u:object_r:mtk_dmc_prop:s0 +persist.vendor.sys.aal. 
u:object_r:mtk_aal_prop:s0 +ro.sys.current_rsc_path u:object_r:mtk_rsc_sys_prop:s0 +ro.product.current_rsc_path u:object_r:mtk_rsc_sys_prop:s0 +init.svc.md_monitor u:object_r:init_svc_md_monitor_prop:s0 +persist.vendor.ter u:object_r:terservice_prop:s0 +vendor.ter.service u:object_r:terservice_prop:s0 +ctl.restart$camerapostalgo u:object_r:ctl_campostalgo_prop:s0 +ctl.start$camerapostalgo u:object_r:ctl_campostalgo_prop:s0 +ctl.stop$camerapostalgo u:object_r:ctl_campostalgo_prop:s0 +vendor.com.agui.networkmanager.policy.set u:object_r:agui_network_manager_prop:s0 +vendor.moms.permission.control.policy.set u:object_r:mtk_permission_control_prop:s0 +ro.netflix.bsp_rev u:object_r:netflix_bsp_rev_prop:s0 +persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int +init.svc.pkm_service u:object_r:mtk_pkm_init_prop:s0 +ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int +persist.sys.sw.dbg.en u:object_r:ctl_default_prop:s0 diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te new file mode 100644 index 0000000..8e504d7 --- /dev/null +++ b/sepolicy/private/radio.te 
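Review bot: `persist.sys.sw.dbg.en u:object_r:ctl_default_prop:s0` gives a persistent debug switch the label reserved for `ctl.*` service-control properties, so any domain allowed to set `ctl_default_prop` can flip this flag and anything meant to flip the flag gains generic service start/stop control; it should get its own type, e.g. `type mtk_sw_dbg_prop, property_type;` and `persist.sys.sw.dbg.en u:object_r:mtk_sw_dbg_prop:s0`. Several other entries reuse broad platform types — `persist.adb.nonblocking_ffs` and `ro.audio.usb.period_us` as `exported_default_prop`, the `ro.lmk.*` tunables as `exported3_default_prop` — where device-specific types would keep the set of readers and writers explicit. The prefix entry `persist.vendor.sys.aal.` (no `exact`) covers every property under it, and `radio.te` in this change grants `set` on that type alongside the `aal` daemon; a comment stating which names live under the prefix and who is meant to write them would help. This hunk begins on the previous line.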
@@ -0,0 +1,21 @@
+allow radio ppl_agent_service:service_manager {find};
+allow radio ctl_atcid-daemon-u_prop:property_service {set};
+allow radio ctl_atcid-daemon-u_prop:file {read getattr map open};
+allow radio ctl_atci_service_prop:property_service {set};
+allow radio ctl_atci_service_prop:file {read getattr map open};
+allow radio mtk_atci_sys_prop:property_service {set};
+allow radio mtk_atci_sys_prop:file {read getattr map open};
+allow radio sysfs_portmode:file {ioctl read getattr lock map open};
+allow radio sysfs_android0_usb:dir {search};
+allow radio sysfs_android0_usb:file {ioctl read getattr lock map open};
+allow radio sysfs_android_usb:dir {search};
+allow radio sysfs_android_usb:file {ioctl read getattr lock map open};
+allow radio mtk_aal_prop:property_service {set};
+allow radio mtk_aal_prop:file {read getattr map open};
+allow radio aal_service:service_manager {find};
+allow radio mtk_cta_set_prop:file {read getattr map open};
+allow radio mtk_rsc_sys_prop:file {read getattr map open};
+allow radio init_svc_md_monitor_prop:file {read getattr map open};
+allow radio sysfs_musb_hdrc:dir {search};
+allow radio sysfs_musb_hdrc:file {ioctl read getattr lock map open};
+allow radio mtk_dmc_prop:file {read getattr map open};
diff --git a/sepolicy/private/recovery.te b/sepolicy/private/recovery.te
new file mode 100644
index 0000000..d47e237
--- /dev/null
+++ b/sepolicy/private/recovery.te
@@ -0,0 +1,3 @@
+allow recovery mtd_device:dir {search};
+allow recovery mtd_device:chr_file {ioctl read write getattr open};
+allow recovery self:capability {sys_resource};
diff --git a/sepolicy/private/sdcardd.te b/sepolicy/private/sdcardd.te
new file mode 100644
index 0000000..627ce2f
--- /dev/null
+++ b/sepolicy/private/sdcardd.te
@@ -0,0 +1,5 @@
+typeattribute sdcardd mlstrustedsubject;
+
+allow sdcardd untrusted_app:fd {use};
+allow sdcardd platform_app:fd {use};
+allow sdcardd sdcardfs:dir {mounton};
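Review bot: `allow radio ctl_atci_service_prop:property_service {set};`, the matching `ctl_atcid-daemon-u_prop` rule and `allow radio mtk_atci_sys_prop:property_service {set};` together let anything running in the radio domain start and stop the ATCI daemon and, through the `persist.vendor.service.atci.*` entries in the property_contexts hunk, apparently change its persistent autostart/usermode settings; the system_app.te hunk later in this diff grants the same `mtk_atci_sys_prop` set. If a single telephony component needs this, a dedicated domain or at least a comment naming the caller would make the widened control surface deliberate rather than the result of denial chasing. Every `file {read getattr map open}` plus `property_service {set}` pair here is the expansion of the platform macros, so `set_prop(radio, mtk_atci_sys_prop)` and `get_prop(radio, mtk_cta_set_prop)` would be the shorter, idiomatic form and would make the property rules easier to audit.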
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 0000000..a385afb
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1,54 @@
+fm_radio_service u:object_r:mtk_fm_radio_service:s0
+media.mmsdk u:object_r:mtk_advcamserver_service:s0
+media.advcam u:object_r:mtk_advcamserver_service:s0
+imsa u:object_r:radio_service:s0
+mtkIms u:object_r:radio_service:s0
+GbaService u:object_r:radio_service:s0
+phoneEx u:object_r:mtk_radio_service:s0
+capctrl u:object_r:mtk_radio_service:s0
+isubstub u:object_r:radio_service:s0
+wfo u:object_r:radio_service:s0
+imtksms u:object_r:radio_service:s0
+mwis u:object_r:radio_service:s0
+PPLAgent u:object_r:ppl_agent_service:s0
+AAL u:object_r:aal_service:s0
+media.VTS u:object_r:vtservice_service:s0
+media.VTS.HiDL u:object_r:vtservice_hidl_service:s0
+NvRAMAgent u:object_r:nvram_agent_service:s0
+mediatek.campostalgo u:object_r:camerapostalgo_service:s0
+terservice u:object_r:terservice_service:s0
+mtkconnmetrics u:object_r:mtk_connmetrics_service:s0
+autoboot u:object_r:mtk_autoboot_service:s0
+permrecords u:object_r:mtk_permrecords_service:s0
+felica u:object_r:nfc_service:s0
+nfc.st_ext u:object_r:nfc_service:s0
+nfc_settings u:object_r:nfc_service:s0
+memory_dumper u:object_r:mediaserver_service:s0
+anrmanager u:object_r:mtk_anrmanager_service:s0
+mobile u:object_r:mtk_mobile_service:s0
+msgmonitorservice u:object_r:mtk_msg_monitor_service:s0
+mtk-perfservice u:object_r:mtk_perf_service:s0
+power_hal_mgr_service u:object_r:mtk_power_hal_mgr_service:s0
+epdg_service u:object_r:mtk_epdg_service:s0
+rns u:object_r:mtk_rns_service:s0
+telephony.mtkregistry u:object_r:mtk_registry_service:s0
+iphonesubinfoEx u:object_r:mtk_phonesubinfo_service:s0
+mtk_telecom u:object_r:mtk_telecom_service:s0
+mtksimphonebook u:object_r:mtk_simphonebook_service:s0
+data_shaping u:object_r:mtk_data_shaping_service:s0
+search_engine_service u:object_r:mtk_search_engine_service:s0
+omadm_service u:object_r:mtk_omadm_service:s0
+duraspeed u:object_r:mtk_duraspeed_service:s0
+FullscreenSwitchService u:object_r:mtk_fullscreen_switch_service:s0
+vow_bridge u:object_r:mtk_vowbridge_service:s0
+GoogleOtaBinder u:object_r:ota_agent_service:s0
+GpuAppSpectatorService u:object_r:gas_srv_service:s0
+FpsPolicyService u:object_r:fpspolicy-server_service:s0
+appdetection u:object_r:mtk_appdetection_service:s0
+carrierexpress u:object_r:mtk_carrierexpress_service:s0
+gwsd u:object_r:mtk_gwsd_service:s0
+uce u:object_r:mtk_presence_service:s0
+vendor.trustonic.teeservice.ITeeService u:object_r:tee_service:s0
+vendor.trustonic.teeregistryservice.ITeeRegistryService u:object_r:teeregistry_service:s0
+AService u:object_r:agold_service:s0
+LeptonCameraService u:object_r:lepton_service:s0
diff --git a/sepolicy/private/shell.te b/sepolicy/private/shell.te
new file mode 100644
index 0000000..31ea5a7
--- /dev/null
+++ b/sepolicy/private/shell.te
@@ -0,0 +1,2 @@
+allow shell debuglog_data_file:dir {ioctl read getattr lock search open};
+allow shell debuglog_data_file:file {ioctl read getattr lock map open};
diff --git a/sepolicy/private/sn.te b/sepolicy/private/sn.te
new file mode 100644
index 0000000..95c7472
--- /dev/null
+++ b/sepolicy/private/sn.te
@@ -0,0 +1,16 @@
+type sn, domain, coredomain;
+type sn_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(sn);
+
+allow sn sdcard_type:dir {search};
+allow sn sdcard_type:file {read getattr open};
+allow sn sysfs_android0_usb:file {ioctl read write getattr lock append map open};
+allow sn sysfs_mt_usb:file {ioctl read write getattr lock append map open};
+allow sn sysfs_musb_hdrc:file {ioctl read write getattr lock append map open};
+allow sn mnt_user_file:dir {search};
+allow sn mnt_user_file:lnk_file {read};
+allow sn storage_file:lnk_file {read};
+allow sn media_rw_data_file:dir {search};
+allow sn media_rw_data_file:file {read open};
+allow sn media_rw_data_file:dir {read open};
diff --git a/sepolicy/private/surfaceflinger.te b/sepolicy/private/surfaceflinger.te
new file mode 100644
index 0000000..70d28dc
--- /dev/null
+++ b/sepolicy/private/surfaceflinger.te
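Review bot: `memory_dumper u:object_r:mediaserver_service:s0` places a vendor service under a platform service type, so every domain the platform policy already allows to `find mediaserver_service` (which typically includes app domains) can look this service up too; the same pattern reuses `radio_service` for imsa, mtkIms, GbaService, isubstub, wfo, imtksms and mwis and `nfc_service` for felica, nfc.st_ext and nfc_settings. Reusing a platform type inherits that type's reach instead of expressing what the vendor service actually needs, and the name memory_dumper suggests a diagnostic interface that should not be broadly discoverable. A per-service type (e.g. `mtk_memory_dumper_service`, name illustrative) with explicit find rules, or a comment per group stating why the platform type's audience is acceptable, would make the exposure deliberate and auditable.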
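Review bot: The new `sn` domain is granted `write append` on `sysfs_android0_usb`, `sysfs_mt_usb` and `sysfs_musb_hdrc` files while also reading user storage (`sdcard_type`, `media_rw_data_file`), and nothing in the hunk says what the daemon is or why one process needs both USB-controller control and access to shared storage. A header comment above `type sn, domain, coredomain;` naming the binary and its purpose would let a reviewer judge whether this combination is intended, and would also record which file_contexts entry is expected to label the sysfs nodes. The two `media_rw_data_file:dir` rules can be merged into `allow sn media_rw_data_file:dir {read search open};`.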
@@ -0,0 +1 @@
+allow surfaceflinger file_contexts_file:file {ioctl read getattr lock map open};
diff --git a/sepolicy/private/sysfs.te b/sepolicy/private/sysfs.te
new file mode 100644
index 0000000..c6cd98d
--- /dev/null
+++ b/sepolicy/private/sysfs.te
@@ -0,0 +1,6 @@
+type sysfs_portmode, fs_type, sysfs_type;
+type sysfs_android0_usb, fs_type, sysfs_type;
+type sysfs_musb_hdrc, fs_type, sysfs_type;
+type sysfs_battery_warning, fs_type, sysfs_type;
+type sysfs_mt_usb, fs_type, sysfs_type;
+type sysfs_mcupm, fs_type, sysfs_type;
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..4f25892
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1,19 @@
+allow system_app mtk_aal_prop:file {read getattr map open};
+allow system_app aee_aed:unix_stream_socket {connectto};
+allow system_app mtk_atci_sys_prop:property_service {set};
+allow system_app mtk_atci_sys_prop:file {read getattr map open};
+allow system_app init_svc_md_monitor_prop:file {read getattr map open};
+allow system_app mtk_cta_set_prop:file {read getattr map open};
+allow system_app mtk_rsc_sys_prop:file {read getattr map open};
+allow system_app agui_network_manager_prop:file {read getattr map open};
+allow system_app agui_network_manager_prop:property_service {set};
+allow system_app config_prop:file {read getattr map open};
+allow system_app config_prop:property_service {set};
+allow system_app media_rw_data_file:dir {ioctl read write getattr lock add_name remove_name search open};
+allow system_app media_rw_data_file:file {ioctl read write getattr lock append map open};
+allow system_app mtk_permission_control_prop:file {read getattr map open};
+allow system_app mtk_permission_control_prop:property_service {set};
+allow system_app net_dns_prop:file {read getattr map open};
+allow system_app net_dns_prop:property_service {set};
+allow system_app system_data_file:dir {read open};
+allow system_app vfat:dir {create};
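Review bot: `allow system_app net_dns_prop:property_service {set};` and `allow system_app config_prop:property_service {set};` hand every app running as the system UID the ability to rewrite DNS and config properties that the platform normally reserves for core system components; if the platform policy carries a neverallow on `net_dns_prop` set this will fail at policy compile time, and if it does not, the grant should be confined to a dedicated domain for the one app that actually sets them. The `mtk_atci_sys_prop` set rule repeats the concern raised on the radio.te hunk: system apps can change the ATCI properties as well. Each `file {read getattr map open}` / `property_service {set}` pair is exactly the platform macro expansion, so `set_prop(system_app, agui_network_manager_prop)` and `get_prop(system_app, mtk_cta_set_prop)` would be shorter and idiomatic.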
diff --git a/sepolicy/private/system_server.te b/sepolicy/private/system_server.te
new file mode 100644
index 0000000..b8cf2be
--- /dev/null
+++ b/sepolicy/private/system_server.te
@@ -0,0 +1,13 @@
+allow system_server aal_service:service_manager {find};
+allow system_server aee_aed:fifo_file {write lock append map open};
+allow system_server aee_aed:fd {use};
+allow system_server aee_aed:unix_stream_socket {connectto};
+allow system_server mddb_filter_data_file:dir {getattr};
+allow system_server mtk_rsc_sys_prop:file {read getattr map open};
+allow system_server netdiag:fd {use};
+allow system_server mtk_autoboot_service:service_manager {add};
+allow system_server mtk_connmetrics_service:service_manager {add};
+allow system_server mtk_permrecords_service:service_manager {add};
+allow system_server ota_package_file:dir {getattr};
+allow system_server proc_loadavg:file {ioctl read getattr lock map open};
+dontaudit system_server appdomain:file {write lock append map open};
diff --git a/sepolicy/private/te_macros b/sepolicy/private/te_macros
new file mode 100644
index 0000000..be0d92f
--- /dev/null
+++ b/sepolicy/private/te_macros
@@ -0,0 +1,2 @@
+# Adapted from the "recovery_only" macro
+define(`system_only', ifelse(target_recovery, `true', , $1))
diff --git a/sepolicy/private/terservice.te b/sepolicy/private/terservice.te
new file mode 100644
index 0000000..1e36618
--- /dev/null
+++ b/sepolicy/private/terservice.te
@@ -0,0 +1,12 @@
+type terservice_exec, file_type, exec_type, system_file_type;
+type terservice_prop, property_type, extended_core_property_type;
+type terservice_service, service_manager_type;
+
+init_daemon_domain(terservice);
+binder_use(terservice);
+
+allow terservice terservice_service:service_manager {add};
+allow terservice property_socket:sock_file {write};
+allow terservice init:unix_stream_socket {connectto};
+allow terservice terservice_prop:property_service {set};
+allow terservice terservice_prop:file {read getattr map open};
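Review bot: `dontaudit system_server appdomain:file {write lock append map open};` silences denials for system_server writing to files owned by any app domain; those denials are precisely the signal that a privileged process has been handed an app-controlled file it should not touch, so suppressing them across all of `appdomain` hides future regressions of that kind. If a known benign path triggers the noise, narrow the rule to the specific file type and operations involved and add a comment quoting the denial, e.g. `# dontaudit: <avc denial text here> (placeholder)` above the rule. The terservice.te hunk on this line declares `terservice_exec`, `terservice_prop` and `terservice_service` but not `type terservice, domain`; if the domain is declared in the public policy directory that should be stated in a comment, otherwise the `init_daemon_domain(terservice)` line will fail to resolve.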
diff --git a/sepolicy/private/thermald.te b/sepolicy/private/thermald.te
new file mode 100644
index 0000000..21330e3
--- /dev/null
+++ b/sepolicy/private/thermald.te
@@ -0,0 +1,7 @@
+type thermald_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(thermald);
+binder_use(thermald);
+
+allow thermald system_server:binder {call};
+allow thermald activity_service:service_manager {find};
diff --git a/sepolicy/private/toolbox.te b/sepolicy/private/toolbox.te
new file mode 100644
index 0000000..9ed88b5
--- /dev/null
+++ b/sepolicy/private/toolbox.te
@@ -0,0 +1 @@
+allow toolbox system_data_file:file {getattr unlink};
diff --git a/sepolicy/private/uncrypt.te b/sepolicy/private/uncrypt.te
new file mode 100644
index 0000000..1f202fc
--- /dev/null
+++ b/sepolicy/private/uncrypt.te
@@ -0,0 +1 @@
+allow uncrypt uncrypt:capability {fowner};
diff --git a/sepolicy/private/untrusted_app.te b/sepolicy/private/untrusted_app.te
new file mode 100644
index 0000000..d9026f0
--- /dev/null
+++ b/sepolicy/private/untrusted_app.te
@@ -0,0 +1,6 @@
+allow untrusted_app mtk_connmetrics_service:service_manager {find};
+
+allow untrusted_app_all netflix_bsp_rev_prop:file {read getattr map open};
+allow untrusted_app_all mtk_radio_service:service_manager {find};
+allow untrusted_app mtk_connmetrics_service:service_manager {find};
+dontaudit untrusted_app_all system_data_file:dir {write};
diff --git a/sepolicy/private/usp_service.te b/sepolicy/private/usp_service.te
new file mode 100644
index 0000000..97c881b
--- /dev/null
+++ b/sepolicy/private/usp_service.te
@@ -0,0 +1,9 @@
+type usp_service_exec, file_type, exec_type, system_file_type;
+
+init_daemon_domain(usp_service);
+
+allow usp_service block_device:dir {search};
+allow usp_service property_socket:sock_file {write};
+allow usp_service init:unix_stream_socket {connectto};
+allow usp_service radio_prop:property_service {set};
+allow usp_service radio_prop:file {read getattr map open};
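Review bot: `allow untrusted_app_all mtk_radio_service:service_manager {find};` lets every third-party app look up the services labelled `mtk_radio_service` in the service_contexts hunk (phoneEx, capctrl), which moves all access control for those telephony interfaces into the services' own caller checks; if only a specific app needs them, prefer a narrower domain, and otherwise add a comment recording that those services enforce permissions on the caller. `allow untrusted_app mtk_connmetrics_service:service_manager {find};` appears twice in this hunk (first and fifth added lines), so one copy should be dropped. The uncrypt.te hunk on this line writes `allow uncrypt uncrypt:capability {fowner};`, which is conventionally spelled `allow uncrypt self:capability {fowner};`, matching the `self:capability` form used in the recovery.te hunk.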
diff --git a/sepolicy/private/vendor_init.te b/sepolicy/private/vendor_init.te
new file mode 100644
index 0000000..59ab9fe
--- /dev/null
+++ b/sepolicy/private/vendor_init.te
@@ -0,0 +1,4 @@
+allow vendor_init terservice_prop:file {read getattr map open};
+allow vendor_init terservice_prop:property_service {set};
+allow vendor_init netflix_bsp_rev_prop:file {read getattr map open};
+allow vendor_init netflix_bsp_rev_prop:property_service {set};
diff --git a/sepolicy/private/vendor_shell.te b/sepolicy/private/vendor_shell.te
new file mode 100644
index 0000000..5d049f6
--- /dev/null
+++ b/sepolicy/private/vendor_shell.te
@@ -0,0 +1,4 @@
+allow vendor_shell init:unix_stream_socket {connectto};
+allow vendor_shell netflix_bsp_rev_prop:file {read getattr map open};
+allow vendor_shell netflix_bsp_rev_prop:property_service {set};
+allow vendor_shell property_socket:sock_file {write};
diff --git a/sepolicy/private/vold.te b/sepolicy/private/vold.te
new file mode 100644
index 0000000..4b6a796
--- /dev/null
+++ b/sepolicy/private/vold.te
@@ -0,0 +1,5 @@
+allow vold platform_app:fd {use};
+allow vold block_device:file {create};
+allow vold mtd_device:dir {search};
+allow vold mtd_device:chr_file {read write open};
+allow vold kernel:system {module_request};
diff --git a/sepolicy/private/zygote.te b/sepolicy/private/zygote.te
new file mode 100644
index 0000000..01ba9b3
--- /dev/null
+++ b/sepolicy/private/zygote.te
@@ -0,0 +1 @@
+allow zygote mtk_rsc_sys_prop:file {read getattr map open};
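Review bot: `allow vold block_device:file {create};` grants creation of regular files inside a `block_device`-labelled directory, which usually means a path is missing a file_contexts entry rather than that vold genuinely needs this permission; locating the triggering denial and labelling that path is the safer fix. `allow vold kernel:system {module_request};` lets vold trigger kernel module autoloading, and a comment naming the filesystem or module that requires it would document the intent. In the vendor_shell.te hunk on this line, `allow vendor_shell netflix_bsp_rev_prop:property_service {set};` gives an interactive shell domain set on a property that the property_contexts hunk maps from `ro.netflix.bsp_rev`; since `ro.` properties are write-once at boot and vendor_init already receives the same set rule in the vendor_init.te hunk, the shell grant looks like denial chasing and deserves a comment or removal.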