diff options
Diffstat (limited to 'sepolicy/vendor')
32 files changed, 402 insertions, 0 deletions
diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te new file mode 100644 index 0000000..58fe3e7 --- /dev/null +++ b/sepolicy/vendor/adsprpcd.te @@ -0,0 +1 @@ +r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics) diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te new file mode 100644 index 0000000..60325ab --- /dev/null +++ b/sepolicy/vendor/app.te @@ -0,0 +1 @@ +get_prop({ appdomain -isolated_app }, vendor_mlipay_prop) diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te new file mode 100644 index 0000000..b55fc19 --- /dev/null +++ b/sepolicy/vendor/batterysecret.te @@ -0,0 +1,49 @@ +type batterysecret, domain; +type batterysecret_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(batterysecret) + +r_dir_file(batterysecret, cgroup) +r_dir_file(batterysecret, mnt_vendor_file) +r_dir_file(batterysecret, vendor_sysfs_battery_supply) +r_dir_file(batterysecret, sysfs_batteryinfo) +r_dir_file(batterysecret, sysfs_type) +r_dir_file(batterysecret, vendor_sysfs_usb_supply) +r_dir_file(batterysecret, vendor_sysfs_usbpd_device) + +allow batterysecret { + mnt_vendor_file + persist_subsys_file + rootfs +}:dir rw_dir_perms; + +allow batterysecret { + persist_subsys_file + sysfs + vendor_sysfs_battery_supply + sysfs_usb + vendor_sysfs_usb_supply + vendor_sysfs_usbpd_device +}:file w_file_perms; + +allow batterysecret kmsg_device:chr_file rw_file_perms; + +allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +allow batterysecret self:global_capability_class_set { + sys_tty_config + sys_boot +}; + +allow batterysecret self:capability { + chown + fsetid +}; + +allow batterysecret { + system_suspend_hwservice + hidl_manager_hwservice +}:hwservice_manager find; + +binder_call(batterysecret, system_suspend_server) + +wakelock_use(batterysecret)
\ No newline at end of file diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te new file mode 100644 index 0000000..99f0186 --- /dev/null +++ b/sepolicy/vendor/device.te @@ -0,0 +1,8 @@ +# Audio device +type sound_device, dev_type; + +# Fingerprint device +type vendor_fingerprint_device, dev_type; + +# IR device +type ir_spi_device, dev_type; diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te new file mode 100644 index 0000000..8faaa33 --- /dev/null +++ b/sepolicy/vendor/file.te @@ -0,0 +1,17 @@ +# Audio +type audio_socket, file_type; + +# Battery +type persist_subsys_file, vendor_persist_type, file_type; + +# Camera +type camera_persist_file, vendor_persist_type, file_type; + +# Fingerprint +type vendor_fingerprint_data_file, data_file_type, file_type; + +# Thermal +type thermal_data_file, data_file_type, file_type; + +# Touchpanel +type proc_touchpanel, fs_type, proc_type; diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts new file mode 100644 index 0000000..7afaa3a --- /dev/null +++ b/sepolicy/vendor/file_contexts @@ -0,0 +1,56 @@ + # Audio +/dev/socket/audio_hw_socket u:object_r:audio_socket:s0 +/dev/elliptic(.*)? u:object_r:sound_device:s0 +/mnt/vendor/persist/audio/cali_test.bin u:object_r:vendor_persist_audio_file:s0 +/mnt/vendor/persist/audio/fsm_calib.bin u:object_r:vendor_persist_audio_file:s0 +/mnt/vendor/persist/audio/aw_cali.bin u:object_r:vendor_persist_audio_file:s0 + +# Battery +/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0 +/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0 + +# Bluetooth +/vendor/bin/init\.mi\.btmac\.sh u:object_r:vendor_qti_init_shell_exec:s0 + +# Camera +/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0 + +# Fingerprint +/dev/goodix_fp u:object_r:vendor_fingerprint_device:s0 +/dev/silead_fp u:object_r:vendor_fingerprint_device:s0 +/dev/silead_s.* u:object_r:vendor_fingerprint_device:s0 +/dev/silead_stub u:object_r:vendor_fingerprint_device:s0 +/dev/spidev.* u:object_r:vendor_fingerprint_device:s0 +/mnt/vendor/persist/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/mnt/vendor/persist/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/data/vendor/fpc(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/data/vendor/fpdump(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/data/vendor/goodix(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/data/vendor/goodix/gf_data(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/data/vendor/silead(/.*)? u:object_r:vendor_fingerprint_data_file:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.1-service\.xiaomi_holi u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service u:object_r:hal_fingerprint_default_exec:s0 + +# IR +/dev/ir_spi u:object_r:ir_spi_device:s0 + +# Mlipay +/vendor/bin/mlipayd@1.1 u:object_r:hal_mlipay_default_exec:s0 + +# NFC +/dev/pn553 u:object_r:nfc_device:s0 +/dev/pn54x u:object_r:nfc_device:s0 + +# Sensors +/vendor/bin/hw/android\.hardware\.sensors@2.1-service\.xiaomi_holi-multihal u:object_r:hal_sensors_default_exec:s0 + +# Thermal +/data/vendor/thermal(/.*)? u:object_r:thermal_data_file:s0 +/vendor/bin/mi_thermald u:object_r:mi_thermald_exec:s0 + +# Vibrator +/vendor/bin/hw/vendor\.qti\.hardware\.vibrator\.service\.xiaomi_holi u:object_r:hal_vibrator_default_exec:s0 + +# Xiaomi MAC +/data/vendor/mac_addr(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0 +/data/vendor/wlan_logs(/.*)? u:object_r:vendor_wifi_vendor_data_file:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts new file mode 100644 index 0000000..80aa773 --- /dev/null +++ b/sepolicy/vendor/genfs_contexts @@ -0,0 +1,58 @@ +# Battery +genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply u:object_r:vendor_sysfs_battery_supply:s0 +genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/power_supply/battery u:object_r:vendor_sysfs_battery_supply:s0 + +# Fingerprint +genfscon sysfs /devices/platform/soc/soc:fpc1020 u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:goodix_fp u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:silead_fp u:object_r:vendor_sysfs_fingerprint:s0 + +# SSR +genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0 +genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0 +genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0 +genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0 +genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0 +genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0 +genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/name u:object_r:vendor_sysfs_ssr:s0 +genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys[0-9]+/restart_level u:object_r:vendor_sysfs_ssr_toggle:s0 + +# Touchpanel +genfscon proc /tp_gesture u:object_r:proc_touchpanel:s0 + +# Wakeup nodes +genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:silead_fp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-modem/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-0055/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4a80000.i2c/i2c-4/4-005a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0066/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-0028/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-004e/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4c90000.i2c/i2c-3/3-006a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys3/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/va-macro/va_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/6000000.qcom,mss/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/6000000.qcom,mss/subsys2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/b000000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/b000000.qcom,turing/subsys1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4a84000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/a400000.qcom,lpass/subsys0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys4/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom_wt_chg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1628000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/5ab0000.qcom,venus/subsys5/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/5800000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/c800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/4e00000.ssusb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-00/1c40000.qcom,spmi:qcom,pm6125@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1c40000.qcom,spmi/spmi-0/spmi0-06/1c40000.qcom,spmi:qcom,pmk8350@0:rtc@6100/wakeup u:object_r:sysfs_wakeup:s0 diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te new file mode 100644 index 0000000..7e6e5a4 --- /dev/null +++ b/sepolicy/vendor/hal_audio_default.te @@ -0,0 +1,13 @@ +# Allow hal_audio_default to read vendor_persist_audio_file +r_dir_file(hal_audio_default, vendor_persist_audio_file) + +r_dir_file(hal_audio_default, sysfs) + +binder_call(hal_audio_default, system_suspend_server) + +allow hal_audio_default system_suspend_hwservice:hwservice_manager find; + +set_prop(hal_audio_default, vendor_audio_prop) + +allow hal_audio_default audio_socket:sock_file rw_file_perms; +allow hal_audio_default sound_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te new file mode 100644 index 0000000..82c6ef2 --- /dev/null +++ b/sepolicy/vendor/hal_bluetooth_default.te @@ -0,0 +1,6 @@ +# Allow hal_bluetooth_default to read files in vendor_wifi_vendor_data_file +r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file) +allow hal_bluetooth_default vendor_wifi_vendor_data_file:dir rw_dir_perms; +allow hal_bluetooth_default vendor_wifi_vendor_data_file:file create_file_perms; + +get_prop(hal_bluetooth_default, vendor_wifi_prop) diff --git a/sepolicy/vendor/hal_bootctl_default.te b/sepolicy/vendor/hal_bootctl_default.te new file mode 100644 index 0000000..e5c73b6 --- /dev/null +++ b/sepolicy/vendor/hal_bootctl_default.te @@ -0,0 +1 @@ +allow hal_bootctl_default vendor_uefi_block_device:blk_file getattr; diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te new file mode 100644 index 0000000..d97b6ee --- /dev/null +++ b/sepolicy/vendor/hal_camera_default.te @@ -0,0 +1,2 @@ +r_dir_file(hal_camera_default, camera_persist_file) +set_prop(hal_camera_default, vendor_camera_sensor_prop) diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te new file mode 100644 index 0000000..55c920f --- /dev/null +++ b/sepolicy/vendor/hal_fingerprint_default.te @@ -0,0 +1,37 @@ +# Binder +allow hal_fingerprint_default vendor_hal_perf_default:binder call; +allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find; + +# Props +set_prop(hal_fingerprint_default, vendor_fp_prop) +get_prop(system_server, vendor_fp_prop); + +# Sysfs +allow hal_fingerprint_default { + sysfs_rtc + vendor_sysfs_fingerprint + vendor_sysfs_spss +}: file rw_file_perms; + +allow hal_fingerprint_default { + input_device + sysfs_rtc + vendor_sysfs_fingerprint + vendor_sysfs_spss +}: dir r_dir_perms; + +# Dev nodes +allow hal_fingerprint_default { + input_device + tee_device + uhid_device + vendor_fingerprint_device +}: chr_file rw_file_perms; + +# Data +allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms; +allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms; + +allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl; + +r_dir_file(hal_fingerprint_default, firmware_file) diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te new file mode 100644 index 0000000..6cecf70 --- /dev/null +++ b/sepolicy/vendor/hal_health_default.te @@ -0,0 +1,2 @@ +allow hal_health_default sysfs_wakeup:dir r_dir_perms; +allow hal_health_default sysfs_wakeup:file r_file_perms; diff --git a/sepolicy/vendor/hal_ir_default.te b/sepolicy/vendor/hal_ir_default.te new file mode 100644 index 0000000..46663b7 --- /dev/null +++ b/sepolicy/vendor/hal_ir_default.te @@ -0,0 +1 @@ +allow hal_ir_default ir_spi_device:chr_file rw_file_perms; diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te new file mode 100644 index 0000000..5f4787f --- /dev/null +++ b/sepolicy/vendor/hal_mlipay.te @@ -0,0 +1,22 @@ +type hal_mlipay_hwservice, hwservice_manager_type; + +type hal_mlipay_default, domain; +hal_server_domain(hal_mlipay_default, hal_mlipay) + +type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_mlipay_default) + +# Allow hwbinder call from hal client to server +binder_call(hal_mlipay_client, hal_mlipay_server) + +# Add hwservice related rules +add_hwservice(hal_mlipay_server, hal_mlipay_hwservice) +allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find; + +allow hal_mlipay_default tee_device:chr_file rw_file_perms; +allow hal_mlipay_default ion_device:chr_file r_file_perms; + +r_dir_file(hal_mlipay_default, firmware_file) +set_prop(hal_mlipay_default, vendor_mlipay_prop); + +get_prop(hal_mlipay_default, vendor_fp_prop) diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te new file mode 100644 index 0000000..9486137 --- /dev/null +++ b/sepolicy/vendor/hal_nfc_default.te @@ -0,0 +1,2 @@ +allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms; +allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms; diff --git a/sepolicy/vendor/hal_perf_default.te b/sepolicy/vendor/hal_perf_default.te new file mode 100644 index 0000000..5d19e84 --- /dev/null +++ b/sepolicy/vendor/hal_perf_default.te @@ -0,0 +1,5 @@ +allow vendor_hal_perf_default hal_audio_default:dir r_dir_perms; +allow vendor_hal_perf_default hal_audio_default:file r_file_perms; +allow vendor_hal_perf_default hal_fingerprint_default:dir r_dir_perms; +allow vendor_hal_perf_default hal_fingerprint_default:file r_file_perms; +allow vendor_hal_perf_default hal_camera_default:dir r_dir_perms; diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te new file mode 100644 index 0000000..d9ef52d --- /dev/null +++ b/sepolicy/vendor/hal_power_default.te @@ -0,0 +1,3 @@ +# Allow hal_power_default to write to dt2w node +allow hal_power_default proc_touchpanel:dir search; +allow hal_power_default proc_touchpanel:file rw_file_perms; diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te new file mode 100644 index 0000000..1d3339e --- /dev/null +++ b/sepolicy/vendor/hal_sensors_default.te @@ -0,0 +1,10 @@ +binder_call(hal_sensors_default, hal_audio_default) + +hal_client_domain(hal_sensors_default, hal_audio) + +allow hal_sensors_default audio_socket:sock_file rw_file_perms; +allow hal_sensors_default socket_device:sock_file rw_file_perms; +allow hal_sensors_default sound_device:chr_file rw_file_perms; +allow hal_sensors_default iio_device:chr_file rw_file_perms; + +get_prop(hal_sensors_default, vendor_adsprpc_prop) diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te new file mode 100644 index 0000000..c6580df --- /dev/null +++ b/sepolicy/vendor/hal_wifi_default.te @@ -0,0 +1 @@ +allow hal_wifi_default self:capability sys_module; diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts new file mode 100644 index 0000000..7af07e3 --- /dev/null +++ b/sepolicy/vendor/hwservice_contexts @@ -0,0 +1,15 @@ +# Fingerprint +com.fingerprints.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_hwservice:s0 +com.fingerprints.extension::IFingerprintNavigation u:object_r:hal_fingerprint_hwservice:s0 +com.fingerprints.extension::IFingerprintEngineering u:object_r:hal_fingerprint_hwservice:s0 +vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice:s0 +vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonExt u:object_r:hal_fingerprint_hwservice:s0 +vendor.silead.hardware.fingerprintext::ISileadFingerprint u:object_r:hal_fingerprint_hwservice:s0 +vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint u:object_r:hal_fingerprint_hwservice:s0 + +# Mlipay +vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0 + +# NFC +vendor.nxp.nxpnfc::INxpNfc u:object_r:hal_nfc_hwservice:s0 +vendor.nxp.nxpnfclegacy::INxpNfcLegacy u:object_r:hal_nfc_hwservice:s0 diff --git a/sepolicy/vendor/mi_thermald.te b/sepolicy/vendor/mi_thermald.te new file mode 100644 index 0000000..4209b38 --- /dev/null +++ b/sepolicy/vendor/mi_thermald.te @@ -0,0 +1,35 @@ +type mi_thermald, domain; +type mi_thermald_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(mi_thermald) + +set_prop(mi_thermald, vendor_thermal_normal_prop) + +allow mi_thermald thermal_data_file:dir rw_dir_perms; +allow mi_thermald thermal_data_file:file create_file_perms; + +allow mi_thermald self:capability { fsetid sys_boot }; +allow mi_thermald mi_thermald:capability { chown fowner }; +allow mi_thermald mi_thermald:capability2 { wake_alarm block_suspend }; + +allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms; + +r_dir_file(mi_thermald, sysfs_thermal) +allow mi_thermald sysfs_thermal:file w_file_perms; + +r_dir_file(mi_thermald, sysfs) +allow mi_thermald sysfs:file w_file_perms; + +r_dir_file(mi_thermald, sysfs_leds) + +allow mi_thermald vendor_sysfs_kgsl:dir r_dir_perms; +allow mi_thermald vendor_sysfs_kgsl:file rw_file_perms; +allow mi_thermald vendor_sysfs_kgsl:lnk_file r_file_perms; + +allow mi_thermald vendor_sysfs_battery_supply:dir r_dir_perms; +allow mi_thermald vendor_sysfs_battery_supply:file rw_file_perms; +allow mi_thermald vendor_sysfs_battery_supply:lnk_file r_file_perms; + +allow mi_thermald vendor_sysfs_graphics:dir r_dir_perms; +allow mi_thermald vendor_sysfs_graphics:file rw_file_perms; +allow mi_thermald vendor_sysfs_graphics:lnk_file r_file_perms;
\ No newline at end of file diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te new file mode 100644 index 0000000..d647ff7 --- /dev/null +++ b/sepolicy/vendor/property.te @@ -0,0 +1,5 @@ +# Camera +vendor_internal_prop(vendor_camera_sensor_prop); + +# Thermal +vendor_internal_prop(vendor_thermal_normal_prop); diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts new file mode 100644 index 0000000..00a5068 --- /dev/null +++ b/sepolicy/vendor/property_contexts @@ -0,0 +1,26 @@ +# Camera +persist.camera. u:object_r:vendor_camera_prop:s0 +ro.boot.camera.config u:object_r:vendor_camera_sensor_prop:s0 +vendor.camera.config. u:object_r:vendor_camera_sensor_prop:s0 + +# Fingerprint +persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0 +ro.hardware.fp. u:object_r:vendor_fp_prop:s0 +vendor.fps_hal. u:object_r:vendor_fp_prop:s0 +vendor.silead.fp.ext. u:object_r:vendor_fp_prop:s0 + +# Mlipay +persist.vendor.sys.pay. u:object_r:vendor_mlipay_prop:s0 +persist.vendor.sys.provision.status u:object_r:vendor_mlipay_prop:s0 + +# RIL +odm.ril.radio.status. u:object_r:vendor_radio_prop:s0 +odm.ril.radio.status.sim1 u:object_r:vendor_radio_prop:s0 +odm.ril.radio.status.sim2 u:object_r:vendor_radio_prop:s0 + +# Thermal +vendor.sys.thermal. u:object_r:vendor_thermal_normal_prop:s0 + +# Wi-Fi +ro.vendor.ril.oem.btmac u:object_r:vendor_wifi_prop:s0 +ro.vendor.ril.oem.wifimac u:object_r:vendor_wifi_prop:s0 diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te new file mode 100644 index 0000000..0d6641f --- /dev/null +++ b/sepolicy/vendor/qti_init_shell.te @@ -0,0 +1 @@ +allow vendor_qti_init_shell proc_page_cluster:file rw_file_perms; diff --git a/sepolicy/vendor/recovery.te b/sepolicy/vendor/recovery.te new file mode 100644 index 0000000..afc4845 --- /dev/null +++ b/sepolicy/vendor/recovery.te @@ -0,0 +1 @@ +allow recovery pstorefs:dir r_dir_perms; diff --git a/sepolicy/vendor/sensors.te b/sepolicy/vendor/sensors.te new file mode 100644 index 0000000..0b0d84d --- /dev/null +++ b/sepolicy/vendor/sensors.te @@ -0,0 +1 @@ +r_dir_file(vendor_sensors, vendor_sysfs_graphics) diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te new file mode 100644 index 0000000..e33161e --- /dev/null +++ b/sepolicy/vendor/system_app.te @@ -0,0 +1,2 @@ +# Xiaomi Parts +allow system_app sysfs_thermal:file rw_file_perms;
\ No newline at end of file diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te new file mode 100644 index 0000000..d2556fb --- /dev/null +++ b/sepolicy/vendor/tee.te @@ -0,0 +1,2 @@ +allow tee vendor_fingerprint_data_file:dir create_dir_perms; +allow tee vendor_fingerprint_data_file:file create_file_perms; diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te new file mode 100644 index 0000000..6e59f5b --- /dev/null +++ b/sepolicy/vendor/thermal-engine.te @@ -0,0 +1,11 @@ +allow vendor_thermal-engine { + vendor_sysfs_devfreq + thermal_data_file +}:dir r_dir_perms; + +allow vendor_thermal-engine vendor_sysfs_devfreq:file rw_file_perms; + +# Rule for vendor_thermal-engine to access init process +unix_socket_connect(vendor_thermal-engine, property, init); + +set_prop(vendor_thermal-engine, vendor_thermal_normal_prop)
\ No newline at end of file diff --git a/sepolicy/vendor/vendor_modprobe.te b/sepolicy/vendor/vendor_modprobe.te new file mode 100644 index 0000000..4a6f93e --- /dev/null +++ b/sepolicy/vendor/vendor_modprobe.te @@ -0,0 +1,4 @@ +allow vendor_modprobe self:capability sys_module; +allow vendor_modprobe self:cap_userns sys_module; +allow vendor_modprobe vendor_file:system module_load; +r_dir_file(vendor_modprobe, vendor_file) diff --git a/sepolicy/vendor/vendor_qti_init_shell.te b/sepolicy/vendor/vendor_qti_init_shell.te new file mode 100644 index 0000000..1b25678 --- /dev/null +++ b/sepolicy/vendor/vendor_qti_init_shell.te @@ -0,0 +1,4 @@ +# allow init.mi.btmac.sh to read hex-encoded mac address and set it +allow vendor_qti_init_shell vendor_bluetooth_prop:property_service set; +allow vendor_qti_init_shell vendor_wifi_vendor_data_file:dir search; +allow vendor_qti_init_shell vendor_wifi_vendor_data_file:file r_file_perms; |