diff --git a/sepolicy/attributes b/sepolicy/attributes
new file mode 100644
index 0000000..b7cc346
--- /dev/null
+++ b/sepolicy/attributes
@@ -0,0 +1 @@
+attribute mtk_property_type;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
new file mode 100644
index 0000000..2dd472f
--- /dev/null
+++ b/sepolicy/audioserver.te
@@ -0,0 +1,15 @@
+# nvram
+allow audioserver nvdata_file:dir rw_dir_perms;
+allow audioserver nvdata_file:file create_file_perms;
+allow audioserver nvdata_file:lnk_file r_file_perms;
+allow audioserver ccci_device:chr_file rw_file_perms;
+
+# fm radio
+allow audioserver fm_device:chr_file rw_file_perms;
+
+# Audio
+allow audioserver sysfs:file { open read write };
+allow audioserver sysfs_devinfo:file { open read write };
+allow audioserver sysfs_ccci:file r_file_perms;
+allow audioserver sysfs_ccci:dir search;
+allow audioserver audiohal_prop:property_service set;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
new file mode 100644
index 0000000..9671019
--- /dev/null
+++ b/sepolicy/bluetooth.te
@@ -0,0 +1,9 @@
+# Allow access to the hardware node
+allow bluetooth stpbt_device:chr_file rw_file_perms;
+
+# Allow nvram access
+allow bluetooth nvdata_file:dir search;
+allow bluetooth nvdata_file:file rw_file_perms;
+allow bluetooth nvdata_file:lnk_file r_file_perms;
+
+allow bluetooth block_device:dir search;
diff --git a/sepolicy/ccci_fsd.te b/sepolicy/ccci_fsd.te
new file mode 100644
index 0000000..1f77080
--- /dev/null
+++ b/sepolicy/ccci_fsd.te
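Review bot: `allow audioserver sysfs:file { open read write };` grants write to every sysfs node that still carries the generic `sysfs` label, not only the audio node this rule is chasing. The same hunk already shows the right pattern with `sysfs_devinfo` and `sysfs_ccci`: label the node the audio HAL actually writes (the denial will name it) in file_contexts and grant `rw_file_perms` on that type alone. `sysfs_devinfo` is also opened for write here while mediaserver in this same change only gets `r_file_perms` on it; unless the HAL really writes dev_info, drop `write` there as well.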
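Review bot: `allow bluetooth nvdata_file:file rw_file_perms;` lets the Bluetooth app domain rewrite every file under /nvdata and /data/nvram, which in this change is a single label shared by modem, Wi-Fi, GPS and sensor calibration data. Carve the BT subtree into its own type, e.g. `type nvdata_bt_file, file_type, data_file_type;` with a matching file_contexts entry, and grant `rw_file_perms` only on it. `bluetooth` is an app domain, so keeping it out of the modem and Wi-Fi calibration files matters more than for the vendor daemons defined later in this change.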
@@ -0,0 +1,18 @@
+type ccci_fsd_exec, exec_type, file_type;
+type ccci_fsd, domain, domain_deprecated;
+
+init_daemon_domain(ccci_fsd)
+
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvdata_file:lnk_file r_file_perms;
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+allow ccci_fsd sysfs_ccci:file rw_file_perms;
+allow ccci_fsd sysfs_ccci:dir search;
+allow ccci_fsd sysfs_wake_lock:file rw_file_perms;
diff --git a/sepolicy/ccci_mdinit.te b/sepolicy/ccci_mdinit.te
new file mode 100644
index 0000000..69679ba
--- /dev/null
+++ b/sepolicy/ccci_mdinit.te
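Review bot: `type ccci_fsd, domain, domain_deprecated;` attaches `domain_deprecated` to a brand-new domain, pulling in the legacy catch-all rules that attribute exists only to phase out for pre-existing domains. Every domain introduced in this change takes it; for a new daemon the rules it really needs should be enumerated from the denials and the attribute dropped, i.e. `type ccci_fsd, domain;`. Also note that `protect_f_data_file`/`protect_s_data_file` get `create_dir_perms`/`create_file_perms` here, making ccci_fsd the sole writer of the protect partitions in this change — a one-line comment stating that ownership would help keep it that way.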
@@ -0,0 +1,29 @@
+type ccci_mdinit_exec, exec_type, file_type;
+type ccci_mdinit, domain, domain_deprecated;
+
+init_daemon_domain(ccci_mdinit)
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+allow ccci_mdinit nvdata_file:dir rw_dir_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvdata_file:lnk_file r_file_perms;
+allow ccci_mdinit sysfs_ccci:dir search;
+allow ccci_mdinit sysfs_ccci:file rw_file_perms;
+allow ccci_mdinit sysfs_wake_lock:file rw_file_perms;
+allow ccci_mdinit sysfs_devinfo:file r_file_perms;
+
+allow ccci_mdinit nvram_device:blk_file rw_file_perms;
+allow ccci_mdinit mtk_md_prop:property_service set;
+
+allow ccci_mdinit ctl_ccci_fsd_prop:property_service set;
+allow ccci_mdinit ctl_gsm0710muxd_prop:property_service set;
+allow ccci_mdinit ctl_rildaemon_prop:property_service set;
+allow ccci_mdinit radio_prop:property_service set;
+allow ccci_mdinit ril_mux_report_case_prop:property_service set;
+
+allow ccci_mdinit mdlog_data_file:file r_file_perms;
+allow ccci_mdinit mdlog_data_file:dir r_dir_perms;
+
+unix_socket_connect(ccci_mdinit, property, init)
diff --git a/sepolicy/conn_launcher.te b/sepolicy/conn_launcher.te
new file mode 100644
index 0000000..d75e9e5
--- /dev/null
+++ b/sepolicy/conn_launcher.te
@@ -0,0 +1,9 @@
+type conn_launcher_exec, exec_type, file_type;
+type conn_launcher, domain, domain_deprecated;
+
+init_daemon_domain(conn_launcher)
+
+allow conn_launcher stpwmt_device:chr_file rw_file_perms;
+allow conn_launcher wmt_prop:property_service set;
+
+unix_socket_connect(conn_launcher, property, init)
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..3ecb5cf
--- /dev/null
+++ b/sepolicy/device.te
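Review bot: `allow ccci_mdinit nvram_device:blk_file rw_file_perms;` gives the modem init daemon raw write access to the nvram partition, bypassing the filesystem and `nvram_daemon`, which this change otherwise sets up as that partition's owner. If mdinit only needs to read modem calibration, `r_file_perms` (or going through `nvdata_file`) is enough; a second raw writer makes the partition's integrity depend on two binaries. The `ctl_rildaemon_prop`/`ctl_gsm0710muxd_prop`/`ctl_ccci_fsd_prop` `set` rules also let this domain start and stop the whole RIL stack through `ctl.*`, which is plausible for a modem supervisor but deserves a comment saying so.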
@@ -0,0 +1,49 @@
+# Radio devices
+type ccci_device, dev_type;
+type stpbt_device, dev_type;
+type stpgps_device, dev_type;
+type stpwmt_device, dev_type;
+type hwmsensor_device, dev_type;
+type wmtWifi_device, dev_type;
+type wmtdetect_device, dev_type;
+type gsm0710muxd_device, dev_type;
+type mdlog_device, dev_type;
+type pmic_adc_device, dev_type;
+
+# Sensors
+type als_ps_device, dev_type;
+type mtk-adc-cali_device, dev_type;
+type gsensor_device, dev_type;
+type msensor_device, dev_type;
+type gyroscope_device, dev_type;
+
+# Media
+type accdet_device, dev_type;
+type devmap_device, dev_type;
+type fm_device, dev_type;
+type Vcodec_device, dev_type;
+type M4U_device_device, dev_type;
+type mtk_smi_device, dev_type;
+
+# SPM
+type spm_device, dev_type;
+
+# NFC
+type mt6605_device, dev_type;
+
+# Fingerprint
+type esfp0_device, dev_type;
+type madev0_device, dev_type;
+
+# IR
+type irtx_device, dev_type;
+
+# Block devices
+type proinfo_device, dev_type;
+type nvram_device, dev_type;
+type nvdata_device, dev_type;
+type protect1_device, dev_type;
+type protect2_device, dev_type;
+type logo_block_device, dev_type;
+type para_block_device, dev_type;
+type mmc_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
new file mode 100644
index 0000000..faaf49e
--- /dev/null
+++ b/sepolicy/domain.te
@@ -0,0 +1 @@
+get_prop(domain, mtk_property_type)
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
new file mode 100644
index 0000000..9d4ccab
--- /dev/null
+++ b/sepolicy/drmserver.te
@@ -0,0 +1 @@
+allow drmserver sysfs_devinfo:file { open read write };
\ No newline at end of file
diff --git a/sepolicy/em_svr.te b/sepolicy/em_svr.te
new file mode 100644
index 0000000..5844b50
--- /dev/null
+++ b/sepolicy/em_svr.te
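Review bot: The new type names in this hunk mix conventions: `Vcodec_device` and `M4U_device_device` carry upper-case letters and a doubled suffix, `mtk-adc-cali_device` uses hyphens, and the partition types alternate between `nvram_device`/`proinfo_device` and `logo_block_device`/`para_block_device`. Core policy uses lower-case snake_case with `_block_device` for partitions, so `vcodec_device`, `m4u_device`, `mtk_adc_cali_device` and `nvram_block_device` would read consistently and make the `blk_file` rules elsewhere in this change easier to audit. This is naming only; the file_contexts entries and `.te` references would change with it.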
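Review bot: `allow drmserver sysfs_devinfo:file { open read write };` grants write on the dev_info sysfs node, while mediaserver in this same change gets only `r_file_perms` on it; a DRM server has no evident reason to modify device-info attributes. Change it to `allow drmserver sysfs_devinfo:file r_file_perms;` unless a denial shows an actual write. The file also lacks a trailing newline.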
@@ -0,0 +1,9 @@
+type em_svr_exec, exec_type, file_type;
+type em_svr, domain, domain_deprecated;
+
+init_daemon_domain(em_svr)
+
+allow em_svr gsensor_device:chr_file { read ioctl open };
+allow em_svr gyroscope_device:chr_file { read ioctl open };
+allow em_svr nvdata_file:dir { write read open add_name search };
+allow em_svr nvdata_file:file { write getattr setattr read create open };
\ No newline at end of file
diff --git a/sepolicy/etsd.te b/sepolicy/etsd.te
new file mode 100644
index 0000000..f97f143
--- /dev/null
+++ b/sepolicy/etsd.te
@@ -0,0 +1,14 @@
+type etsd_exec, exec_type, file_type;
+type etsd, domain, domain_deprecated;
+
+init_daemon_domain(etsd)
+binder_use(etsd)
+
+allow etsd etsd_service:service_manager { add find };
+
+allow etsd esfp0_device:chr_file rw_file_perms;
+
+use_keystore(etsd)
+allow etsd keystore:keystore_key { add_auth };
+
+allow etsd self:capability { dac_override dac_read_search };
\ No newline at end of file
diff --git a/sepolicy/factory.te b/sepolicy/factory.te
new file mode 100644
index 0000000..d9bf10d
--- /dev/null
+++ b/sepolicy/factory.te
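Review bot: The permission sets here are hand-expanded (`{ write read open add_name search }`, `{ write getattr setattr read create open }`) while the rest of this change uses the `rw_dir_perms`/`create_file_perms` macros; prefer the macros for consistency unless the narrower set is deliberate, in which case a comment should say so. `setattr` on `nvdata_file` lets em_svr change mode and ownership of calibration files, which none of the other nvdata writers in this change are given. The file lacks a trailing newline.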
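Review bot: `allow etsd self:capability { dac_override dac_read_search };` gives the fingerprint daemon a blanket DAC bypass; since etsd is also the domain granted `keystore:keystore_key { add_auth }`, i.e. the path by which fingerprint auth tokens reach keystore, it is a high-value target and should run with minimal capabilities. Fix the ownership or mode of whatever it cannot open (the denial will name it — likely `/dev/esfp0` or its data directory) in ueventd.rc or init.rc and drop both capabilities. The file also lacks a trailing newline.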
@@ -0,0 +1,67 @@
+type factory_exec, exec_type, file_type;
+type factory, domain, domain_deprecated;
+
+init_daemon_domain(factory)
+net_domain(factory)
+
+allow factory serial_device:chr_file rw_file_perms;
+
+# Hardware nodes
+allow factory accdet_device:chr_file r_file_perms;
+allow factory ashmem_device:chr_file execute;
+allow factory audio_device:dir r_dir_perms;
+allow factory audio_device:chr_file rw_file_perms;
+allow factory camera_device:chr_file rw_file_perms;
+allow factory ccci_device:chr_file rw_file_perms;
+allow factory devmap_device:chr_file r_file_perms;
+allow factory fm_device:chr_file rwx_file_perms;
+allow factory gsm0710muxd_device:chr_file rw_file_perms;
+allow factory graphics_device:dir search;
+allow factory graphics_device:chr_file rw_file_perms;
+allow factory input_device:dir r_dir_perms;
+allow factory input_device:chr_file r_file_perms;
+allow factory pmic_adc_device:chr_file rw_file_perms;
+allow factory rtc_device:chr_file rw_file_perms;
+allow factory stpbt_device:chr_file rw_file_perms;
+allow factory wmtWifi_device:chr_file rw_file_perms;
+
+# NVRAM
+allow factory nvdata_file:dir create_dir_perms;
+allow factory nvdata_file:file create_file_perms;
+allow factory nvdata_device:blk_file rw_file_perms;
+allow factory nvram_device:blk_file rw_file_perms;
+allow factory proinfo_device:blk_file rw_file_perms;
+
+# Storage
+allow factory mnt_user_file:dir search;
+allow factory mmc_device:blk_file rw_file_perms;
+allow factory storage_file:dir r_dir_perms;
+allow factory storage_file:lnk_file r_file_perms;
+allow factory storage_file:file r_file_perms;
+
+# Configuration
+allow factory sysfs:file write;
+allow factory sysfs_gps_file:dir r_dir_perms;
+allow factory sysfs_gps_file:file rw_file_perms;
+
+# Sensors
+allow factory als_ps_device:chr_file r_file_perms;
+allow factory gsensor_device:chr_file rw_file_perms;
+allow factory msensor_device:chr_file rw_file_perms;
+
+# GPS
+allow factory agpsd_data_file:dir r_dir_perms;
+allow factory agpsd_data_file:sock_file write;
+allow factory stpgps_device:chr_file rw_file_perms;
+allow factory gps_device:chr_file rw_file_perms;
+allow factory mnld_data_file:dir rw_dir_perms;
+allow factory mnld_data_file:file rw_file_perms;
+allow factory mnld_exec:file rx_file_perms;
+allow factory mnld_prop:property_service set;
+
+# Other capabilities
+allow factory self:capability { dac_override net_admin net_raw sys_nice sys_time };
+allow factory self:process execmem;
+allow factory audiohal_prop:property_service set;
+
+unix_socket_connect(factory, property, init);
diff --git a/sepolicy/file.te b/sepolicy/file.te
new file mode 100644
index 0000000..b38bcd8
--- /dev/null
+++ b/sepolicy/file.te
@@ -0,0 +1,38 @@
+type protect_s_data_file, file_type, data_file_type;
+type protect_f_data_file, file_type, data_file_type;
+
+type nvdata_file, file_type, data_file_type;
+
+type agpsd_data_file, file_type, data_file_type;
+type mnld_data_file, file_type, data_file_type;
+type ccci_cfg_file, file_type, data_file_type;
+type logmisc_data_file, file_type, data_file_type;
+type mdlog_data_file, file_type, data_file_type;
+type thermal_manager_data_file, file_type, data_file_type;
+
+type sysfs_gps_file, fs_type, sysfs_type;
+type sysfs_ccci, fs_type, sysfs_type;
+type sysfs_devinfo, fs_type, sysfs_type;
+type sysfs_membw, fs_type, sysfs_type;
+type sysfs_boot_mode, fs_type, sysfs_type;
+type sysfs_ddr_type, fs_type, sysfs_type;
+
+type msensord_daemon_sysfs, fs_type, sysfs_type;
+
+type display_color_sysfs, fs_type, sysfs_type;
+type gyro_orientation_sysfs, fs_type, sysfs_type;
+type fast_charge_sysfs, fs_type, sysfs_type;
+type smartwake_sysfs, fs_type, sysfs_type;
+type perf_control_sysfs, fs_type, sysfs_type;
+
+type proc_mtkcooler, fs_type;
+type proc_mtktz, fs_type;
+type proc_thermal, fs_type;
+type proc_wmt, fs_type;
+
+type agpsd_socket, file_type;
+type mnld_socket, file_type;
+type mal_mfi_socket, file_type;
+
+type nfc_socket, file_type;
+
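Review bot: `allow factory fm_device:chr_file rwx_file_perms;` and `allow factory ashmem_device:chr_file execute;` grant `execute` on character devices, which no binary needs and which looks like denial-chasing of mmap(PROT_EXEC) activity; both should be `rw_file_perms`, and `allow factory self:process execmem;` deserves a comment naming the JIT or native loader that requires it. `allow factory mnld_exec:file rx_file_perms;` runs the GPS daemon inside the factory domain — which holds `dac_override net_admin net_raw` and raw writes to `nvram_device`, `proinfo_device` and `mmc_device` — rather than transitioning into the `mnld` domain this change defines; `domain_auto_trans(factory, mnld_exec, mnld)` keeps it under its own policy. The trailing `;` on `unix_socket_connect(factory, property, init);` is redundant, since the macro already expands to complete statements.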
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..34cb641
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1,160 @@
+# Services
+/(system|system\/vendor|vendor)/bin/6620_launcher u:object_r:conn_launcher_exec:s0
+/(system|system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
+/(system|system\/vendor|vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
+/(system|system\/vendor|vendor)/bin/md_ctrl u:object_r:md_ctrl_exec:s0
+/(system|system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
+/(system|system\/vendor|vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
+/(system|system\/vendor|vendor)/xbin/mnld u:object_r:mnld_exec:s0
+/(system|system\/vendor|vendor)/bin/mnld u:object_r:mnld_exec:s0
+/(system|system\/vendor|vendor)/bin/muxreport u:object_r:muxreport_exec:s0
+/(system|system\/vendor|vendor)/bin/msensord u:object_r:msensord_exec:s0
+/(system|system\/vendor|vendor)/bin/qmc6983d u:object_r:qmc6983d_exec:s0
+/(system|system\/vendor|vendor)/bin/mxg2320d u:object_r:mxg2320d_exec:s0
+/(system|system\/vendor|vendor)/bin/memsicd3416x u:object_r:memsicd3416x_exec:s0
+/(system|system\/vendor|vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
+/(system|system\/vendor|vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
+/(system|system\/vendor|vendor)/bin/pq u:object_r:pq_exec:s0
+/(system|system\/vendor|vendor)/bin/terservice u:object_r:terservice_exec:s0
+/(system|system\/vendor|vendor)/bin/thermal u:object_r:thermal_exec:s0
+/(system|system\/vendor|vendor)/bin/thermald u:object_r:thermald_exec:s0
+/(system|system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
+/(system|system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgo_exec:s0
+/(system|system\/vendor|vendor)/bin/mtkrild u:object_r:ril-daemon-mtk_exec:s0
+/(system|system\/vendor|vendor)/bin/mtkmal u:object_r:mtkmal_exec:s0
+/(system|system\/vendor|vendor)/bin/wifi2agps u:object_r:wifi2agps_exec:s0
+/(system|system\/vendor|vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0
+/(system|system\/vendor|vendor)/bin/wmt_launcher u:object_r:conn_launcher_exec:s0
+/(system|system\/vendor|vendor)/bin/em_svr u:object_r:em_svr_exec:s0
+/(system|system\/vendor|vendor)/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
+/(system|system\/vendor|vendor)/bin/etsd u:object_r:etsd_exec:s0
+/(system|system\/vendor|vendor)/bin/ged_srv u:object_r:ged_srv_exec:s0
+/(system|system\/vendor|vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0
+
+
+# Meta mode
+/(system|system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
+/(system|system\/vendor|vendor)/bin/factory u:object_r:factory_exec:s0
+
+# Files from firmware/nv partitions
+/protect_f(/.*)? u:object_r:protect_f_data_file:s0
+/protect_s(/.*)? u:object_r:protect_s_data_file:s0
+/nvdata(/.*)? u:object_r:nvdata_file:s0
+/data/nvram(/.*)? u:object_r:nvdata_file:s0
+
+# Hardware nodes
+/dev/accdet u:object_r:accdet_device:s0
+/dev/devmap u:object_r:devmap_device:s0
+/dev/ttyC2 u:object_r:gps_device:s0
+/dev/ttyGS0 u:object_r:serial_device:s0
+/dev/gps(/.*)? u:object_r:gps_device:s0
+/dev/mali[0-9]* u:object_r:gpu_device:s0
+/dev/mali.* u:object_r:gpu_device:s0
+/dev/mtk_disp.* u:object_r:graphics_device:s0
+/dev/sw_sync u:object_r:graphics_device:s0
+/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
+/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
+/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
+/dev/camera-isp u:object_r:camera_device:s0
+/dev/camera-fdvt u:object_r:camera_device:s0
+/dev/kd_camera_hw u:object_r:camera_device:s0
+/dev/kd_camera_flashlight u:object_r:camera_device:s0
+/dev/MAINAF u:object_r:camera_device:s0
+/dev/mtk_jpeg(/.*) u:object_r:camera_device:s0
+/dev/DW9714AF(/.*)? u:object_r:camera_device:s0
+/dev/FM50AF(/.*)? u:object_r:camera_device:s0
+/dev/CAM_CAL_DRV(/.*)? u:object_r:camera_device:s0
+/dev/MTK_SMI u:object_r:mtk_smi_device:s0
+/dev/MT_pmic_adc_cali u:object_r:pmic_adc_device:s0
+/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
+/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
+/dev/ccci.* u:object_r:ccci_device:s0
+/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
+/dev/msensor(/.*)? u:object_r:msensor_device:s0
+/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
+/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
+/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
+/dev/wmtdetect u:object_r:wmtdetect_device:s0
+/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyC1 u:object_r:mdlog_device:s0
+/dev/radio(/.*)? u:object_r:radio_device:s0
+/dev/fm u:object_r:fm_device:s0
+/dev/Vcodec u:object_r:Vcodec_device:s0
+/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
+/dev/spm u:object_r:spm_device:s0
+/dev/mt6605 u:object_r:mt6605_device:s0
+/dev/esfp0 u:object_r:esfp0_device:s0
+/dev/madev0 u:object_r:madev0_device:s0
+/dev/irtx u:object_r:irtx_device:s0
+
+# Sockets
+/dev/socket/rild[2-4] u:object_r:rild_socket:s0
+/dev/socket/rild-atci u:object_r:rild_socket:s0
+/dev/socket/rild-ims u:object_r:rild_socket:s0
+/dev/socket/rild-mtk-modem u:object_r:rild_socket:s0
+/dev/socket/rild-mtk-ut u:object_r:rild_socket:s0
+/dev/socket/rild-mtk-ut-2 u:object_r:rild_socket:s0
+/dev/socket/rild-oem u:object_r:rild_socket:s0
+/dev/socket/mal-mfi u:object_r:mal_mfi_socket:s0
+/dev/socket/agpsd u:object_r:agpsd_socket:s0
+/dev/socket/agpsd[2-3] u:object_r:agpsd_socket:s0
+/dev/socket/mnld u:object_r:mnld_socket:s0
+
+# Block devices
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/proinfo u:object_r:proinfo_device:s0
+/dev/block/platform/mtk-msdc\.0/by-name/proinfo u:object_r:proinfo_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/mtk-msdc\.0/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/mtk-msdc\.0/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/protect1 u:object_r:protect1_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/protect2 u:object_r:protect2_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/mtk-msdc\.0/[0-9]+\.(msdc|MSDC)0/by-name/para u:object_r:para_block_device:s0
+/dev/block/mmcblk1 u:object_r:mmc_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
+
+# Sysfs nodes
+/sys/devices/virtual/gpsdrv(/.*)? u:object_r:sysfs_gps_file:s0
+/sys/kernel/ccci(/.*)? u:object_r:sysfs_ccci:s0
+/sys/bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
+/sys/bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_membw:s0
+/sys/bus/platform/drivers/ddr_type/ddr_type u:object_r:sysfs_ddr_type:s0
+/sys/devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
+/sys/devices/platform/mtk_disp_mgr.0/rgb u:object_r:livedisplay_sysfs:s0
+/sys/bus/platform/drivers/msensor/daemon u:object_r:msensord_daemon_sysfs:s0
+/sys/bus/platform/drivers/gyroscope/gyro_orientation u:object_r:gyro_orientation_sysfs:s0
+/sys/kernel/charge_levels/quick_charge_enable u:object_r:fast_charge_sysfs:s0
+/sys/kernel/charge_levels/charge_level_ac u:object_r:fast_charge_sysfs:s0
+/sys/kernel/charge_levels/charge_level_usb u:object_r:fast_charge_sysfs:s0
+/sys/devices/system/cpu/cpu0/cpufreq/scaling_min_freq u:object_r:perf_control_sysfs:s0
+/sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq u:object_r:perf_control_sysfs:s0
+/sys/devices/system/cpu/cpu0/cpufreq/scaling_governor u:object_r:perf_control_sysfs:s0
+/sys/block/mmcblk0/queue/scheduler u:object_r:perf_control_sysfs:s0
+/sys/devices/.*/queue/scheduler u:object_r:perf_control_sysfs:s0
+
+# Config/Runtime files
+/data/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
+/data/app/cache.dat u:object_r:mnld_data_file:s0
+/data/gps_mnl(/.*)? u:object_r:mnld_data_file:s0
+/data/misc/gps(/.*)? u:object_r:mnld_data_file:s0
+/data/misc/GPS_CHIP.cfg u:object_r:mnld_data_file:s0
+/data/misc/gps.conf u:object_r:mnld_data_file:s0
+/data/misc/mnl_nlp.dat u:object_r:mnld_data_file:s0
+/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
+/data/log_temp(/.*)? u:object_r:logmisc_data_file:s0
+/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
+/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0
+
+# Sysfs nodes
+/sys/devices/soc/soc:touch@/smartwake_active u:object_r:smartwake_sysfs:s0
+/sys/devices/soc/soc:touch@/wakeup_gesture u:object_r:smartwake_sysfs:s0
\ No newline at end of file
diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te
new file mode 100644
index 0000000..58a6021
--- /dev/null
+++ b/sepolicy/fsck.te
@@ -0,0 +1,3 @@
+allow fsck protect1_device:blk_file rw_file_perms;
+allow fsck protect2_device:blk_file rw_file_perms;
+allow fsck nvdata_device:blk_file rw_file_perms;
diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te
new file mode 100644
index 0000000..4bb5047
--- /dev/null
+++ b/sepolicy/fsck_untrusted.te
@@ -0,0 +1,2 @@
+# External storage
+allow fsck_untrusted self:capability sys_admin;
\ No newline at end of file
diff --git a/sepolicy/fuelgauged.te b/sepolicy/fuelgauged.te
new file mode 100644
index 0000000..cf9912c
--- /dev/null
+++ b/sepolicy/fuelgauged.te
@@ -0,0 +1,7 @@
+type fuelgauged_exec, exec_type, file_type;
+type fuelgauged, domain, domain_deprecated;
+
+init_daemon_domain(fuelgauged)
+
+allow fuelgauged self:netlink_socket create_socket_perms;
+allow fuelgauged kmsg_device:chr_file w_file_perms;
diff --git a/sepolicy/ged_srv.te b/sepolicy/ged_srv.te
new file mode 100644
index 0000000..06a2263
--- /dev/null
+++ b/sepolicy/ged_srv.te
@@ -0,0 +1,14 @@
+type ged_srv, domain, domain_deprecated;
+type ged_srv_exec, exec_type, file_type;
+
+init_daemon_domain(ged_srv)
+
+binder_use(ged_srv)
+binder_service(ged_srv)
+binder_call(ged_srv, system_server)
+
+allow ged_srv servicemanager:binder call;
+allow ged_srv surfaceflinger:binder call;
+allow ged_srv surfaceflinger_service:service_manager find;
+allow ged_srv self:netlink_kobject_uevent_socket { bind create setopt read};
+allow ged_srv sysfs_boot_mode:file r_file_perms;
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
new file mode 100644
index 0000000..80ac449
--- /dev/null
+++ b/sepolicy/genfs_contexts
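Review bot: `/dev/mtk_jpeg(/.*) u:object_r:camera_device:s0` is missing the `?` every sibling entry has, so the regex only matches paths below /dev/mtk_jpeg and the node itself falls through to the generic `device` label; it should read `/dev/mtk_jpeg(/.*)? u:object_r:camera_device:s0`. `/data/app/cache.dat u:object_r:mnld_data_file:s0` places a GPS cache inside the APK install directory, which is why mnld.te in this change needs an `apk_data_file` type transition; relocating the cache under /data/gps_mnl (already `mnld_data_file`) removes both. `# Sysfs nodes` appears twice, and the file has no trailing newline.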
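Review bot: `allow fsck_untrusted self:capability sys_admin;` hands CAP_SYS_ADMIN to the one domain that is deliberately sandboxed because it parses attacker-supplied filesystems from removable media; a filesystem-parsing bug in fsck would then yield a near-root process. Remove the rule and address the specific denial behind it (which ioctl or mount-related call needs it is not visible here) with a narrower rule, or move that operation back into vold. The file also lacks a trailing newline.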
@@ -0,0 +1,4 @@
+genfscon proc /driver/thermal u:object_r:proc_thermal:s0
+genfscon proc /driver/wmt u:object_r:proc_wmt:s0
+genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
+genfscon proc /mtktz u:object_r:proc_mtktz:s0
diff --git a/sepolicy/gsm0710muxd.te b/sepolicy/gsm0710muxd.te
new file mode 100644
index 0000000..3c0a149
--- /dev/null
+++ b/sepolicy/gsm0710muxd.te
@@ -0,0 +1,18 @@
+type gsm0710muxd_exec, exec_type, file_type;
+type gsm0710muxd, domain, domain_deprecated;
+
+init_daemon_domain(gsm0710muxd)
+
+allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
+allow gsm0710muxd radio_device:dir w_dir_perms;
+allow gsm0710muxd radio_device:lnk_file create_file_perms;
+allow gsm0710muxd devpts:chr_file setattr;
+allow gsm0710muxd self:capability { setuid fowner chown };
+allow gsm0710muxd sysfs_ccci:dir search;
+allow gsm0710muxd sysfs_ccci:file r_file_perms;
+
+allow gsm0710muxd ctl_rildaemon_prop:property_service set;
+allow gsm0710muxd radio_prop:property_service set;
+allow gsm0710muxd ril_mux_report_case_prop:property_service set;
+
+unix_socket_connect(gsm0710muxd, property, init)
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
new file mode 100644
index 0000000..a7ec774
--- /dev/null
+++ b/sepolicy/healthd.te
@@ -0,0 +1 @@
+allow healthd device:dir r_dir_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
new file mode 100644
index 0000000..cb35bcd
--- /dev/null
+++ b/sepolicy/init.te
@@ -0,0 +1,9 @@
+allow init ccci_device:chr_file { write ioctl };
+allow init devpts:chr_file ioctl;
+
+# Allow init to format formattable partitions…partitions
+allow init nvdata_device:blk_file write;
+allow init protect1_device:blk_file write;
+allow init protect2_device:blk_file write;
+
+allow init socket_device:sock_file { create setattr unlink };
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
new file mode 100644
index 0000000..d87c6e7
--- /dev/null
+++ b/sepolicy/kernel.te
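Review bot: `allow init ccci_device:chr_file { write ioctl };` means modem-control ioctls are issued from init itself rather than from the `ccci_mdinit`/`ccci_fsd` domains this change defines; if they come from `write /dev/ccci...` or `chmod`/`chown` lines in an .rc file, move them into the daemon or ueventd.rc so init needs no modem-device rule. The comment `# Allow init to format formattable partitions…partitions` has a garbled ellipsis and a repeated word; `# Allow init to format nvdata/protect1/protect2 (fstab "formattable" partitions)` states what the three `blk_file write` rules are for — confirm the fstab flag is what triggers the format.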
@@ -0,0 +1,6 @@
+allow kernel nvdata_file:dir search;
+allow kernel nvdata_file:file r_file_perms;
+allow kernel self:capability dac_override;
+allow kernel wifi_data_file:dir search;
+allow kernel wifi_data_file:file r_file_perms;
+
diff --git a/sepolicy/kpoc_charger.te b/sepolicy/kpoc_charger.te
new file mode 100644
index 0000000..1b0b533
--- /dev/null
+++ b/sepolicy/kpoc_charger.te
@@ -0,0 +1,25 @@
+type kpoc_charger, domain, domain_deprecated;
+type kpoc_charger_exec, exec_type, file_type;
+
+init_daemon_domain(kpoc_charger)
+
+allow kpoc_charger block_device:dir search;
+allow kpoc_charger graphics_device:dir search;
+allow kpoc_charger input_device:dir { open read search };
+allow kpoc_charger input_device:chr_file { open read write ioctl };
+allow kpoc_charger property_socket:sock_file write;
+allow kpoc_charger self:capability sys_nice;
+allow kpoc_charger self:capability net_admin;
+allow kpoc_charger self:capability dac_override;
+allow kpoc_charger self:netlink_kobject_uevent_socket { create bind read setopt };
+allow kpoc_charger sysfs:file write;
+allow kpoc_charger graphics_device:chr_file { read write ioctl open };
+allow kpoc_charger kmsg_device:chr_file { write open };
+allow kpoc_charger logo_block_device:blk_file { read open };
+allow kpoc_charger rtc_device:chr_file { open read write };
+allow kpoc_charger init:unix_stream_socket connectto;
+allow healthd self:capability dac_override;
+allow healthd app_data_file:file write;
+allow healthd device:dir {open read write};
+allow kpoc_charger self:capability sys_boot;
+allow kpoc_charger alarm_device:chr_file write;
\ No newline at end of file
diff --git a/sepolicy/md_ctrl.te b/sepolicy/md_ctrl.te
new file mode 100644
index 0000000..ee57225
--- /dev/null
+++ b/sepolicy/md_ctrl.te
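Review bot: `allow kernel self:capability dac_override;` together with the `nvdata_file`/`wifi_data_file` read rules means kernel-side code (presumably the Wi-Fi firmware/NVRAM loader — confirm) reads blobs out of /data while ignoring their DAC bits. In this same change `nvdata_file` is writable by `bluetooth`, `audioserver`, `mediaserver` and `mnld`, so anything the kernel trusts from that label is only as trustworthy as those domains; if the loader must read from /data, keep its inputs under a label only `nvram_daemon` can write, and otherwise serve them from /vendor/firmware. Drop `dac_override` once the files are owned correctly, and add a comment recording which kernel consumer needs each rule.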
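Review bot: `allow healthd app_data_file:file write;` lets healthd, a root daemon, write into app-private data files; that is never a legitimate healthd need and looks like a denial from an fd it inherited, so it should be removed rather than allowed, together with `allow healthd self:capability dac_override;`. The three `healthd` rules also live in kpoc_charger.te while this change creates a healthd.te — move whichever survive there so the domain's policy is in one place (`allow healthd device:dir {open read write}` would then supersede the `r_dir_perms` rule already in healthd.te). For kpoc_charger itself, `sys_boot` and `net_admin` each deserve a one-line comment saying what the off-mode charger does with them. The file lacks a trailing newline.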
@@ -0,0 +1,11 @@
+type md_ctrl_exec, exec_type, file_type;
+type md_ctrl, domain, domain_deprecated;
+
+init_daemon_domain(md_ctrl)
+
+allow md_ctrl ccci_device:chr_file rw_file_perms;
+allow md_ctrl devpts:chr_file rw_file_perms;
+allow md_ctrl muxreport_exec:file rx_file_perms;
+allow md_ctrl self:capability dac_override;
+
+set_prop(md_ctrl,vold_encryption_type_prop);
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..ada062a
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,9 @@
+# nvram
+allow mediaserver nvdata_file:dir rw_dir_perms;
+allow mediaserver nvdata_file:file create_file_perms;
+allow mediaserver ccci_device:chr_file rw_file_perms;
+
+# PQ
+allow mediaserver pq_service:service_manager find;
+
+allow mediaserver sysfs_devinfo:file r_file_perms;
diff --git a/sepolicy/memsicd3416x.te b/sepolicy/memsicd3416x.te
new file mode 100644
index 0000000..7d5cc9a
--- /dev/null
+++ b/sepolicy/memsicd3416x.te
@@ -0,0 +1,7 @@
+type memsicd3416x_exec, exec_type, file_type;
+type memsicd3416x, domain, domain_deprecated;
+
+init_daemon_domain(memsicd3416x)
+
+allow memsicd3416x msensor_device:chr_file rw_file_perms;
+allow memsicd3416x gsensor_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/meta_tst.te b/sepolicy/meta_tst.te
new file mode 100644
index 0000000..6536d06
--- /dev/null
+++ b/sepolicy/meta_tst.te
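Review bot: `set_prop(md_ctrl,vold_encryption_type_prop);` lets the modem-control daemon set a property type owned by vold's encryption state machine; unless md_ctrl genuinely takes part in encryption setup this is the wrong property (the denial likely came from a script that also touched it) and should point at an MTK property type instead. `allow md_ctrl muxreport_exec:file rx_file_perms;` runs muxreport inside `md_ctrl` (which holds `dac_override`) even though this change defines a `muxreport` domain; use `domain_auto_trans(md_ctrl, muxreport_exec, muxreport)`. The trailing `;` after the `set_prop` macro is redundant.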
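Review bot: `allow mediaserver ccci_device:chr_file rw_file_perms;` and the `nvdata_file` create rules give a process that decodes untrusted media direct write access to the modem control node and to the NVRAM-backed calibration files. audioserver.te in this same change already carries identical rules, so if the audio HAL no longer lives in mediaserver on this release these are stale and should simply go; if mediaserver still needs a modem channel, label the specific ccci minor it opens separately (`/dev/ccci.*` is currently one type covering every modem channel) and limit the nvdata writes to the audio calibration subtree. A comment naming the component responsible would keep the rule reviewable later.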
@@ -0,0 +1,47 @@
+type meta_tst_exec, exec_type, file_type;
+type meta_tst, domain, domain_deprecated;
+
+init_daemon_domain(meta_tst)
+
+allow meta_tst ccci_device:chr_file rw_file_perms;
+allow meta_tst serial_device:chr_file rw_file_perms;
+allow meta_tst mdlog_device:chr_file rw_file_perms;
+
+allow meta_tst nvdata_file:dir create_dir_perms;
+allow meta_tst nvdata_file:file create_file_perms;
+
+allow meta_tst nvdata_device:blk_file rw_file_perms;
+allow meta_tst nvram_device:blk_file rw_file_perms;
+allow meta_tst proinfo_device:blk_file rw_file_perms;
+
+allow meta_tst fm_device:chr_file { read write open ioctl };
+
+allow meta_tst sysfs_gps_file:dir search;
+allow meta_tst sysfs_gps_file:file rw_file_perms;
+
+allow meta_tst gps_device:chr_file { read write open };
+allow meta_tst agpsd_data_file:dir search;
+allow meta_tst agpsd_data_file:sock_file write;
+allow meta_tst gps_data_file:file create_file_perms;
+allow meta_tst gps_data_file:dir rw_dir_perms;
+
+allow meta_tst mnld_exec:file { execute read open };
+allow meta_tst mnld_exec:file execute_no_trans;
+allow meta_tst stpgps_device:chr_file { open read write ioctl };
+allow meta_tst mnld_prop:property_service set;
+allow meta_tst mnld_data_file:file create_file_perms;
+allow meta_tst mnld_data_file:dir rw_dir_perms;
+
+# For GPS
+allow meta_tst port:tcp_socket { name_connect name_bind };
+allow meta_tst self:tcp_socket { create connect setopt bind };
+allow meta_tst self:tcp_socket { bind setopt listen accept read write };
+allow meta_tst node:tcp_socket node_bind;
+
+
+allow meta_tst sysfs:file write;
+
+allow meta_tst powerctl_prop:property_service set;
+unix_socket_connect(meta_tst, property, init)
+
+allow meta_tst self:capability { net_raw chown fsetid sys_nice net_admin fowner dac_override sys_admin };
diff --git a/sepolicy/mkfs.te b/sepolicy/mkfs.te
new file mode 100644
index 0000000..a1fc0ff
--- /dev/null
+++ b/sepolicy/mkfs.te
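Review bot: `allow meta_tst port:tcp_socket { name_connect name_bind };` together with the `listen accept` rules lets this domain serve TCP on any port while holding `sys_admin dac_override net_admin net_raw`, `powerctl_prop` set, `sysfs:file write` and raw `nvram_device`/`proinfo_device` writes — effectively a network-reachable root agent. Even if it only runs in META/factory boot, bind it to a dedicated port type (`type meta_port, port_type;` plus a `portcon`) rather than `port`, and record the start condition in a comment, since nothing in the policy enforces it. `allow meta_tst mnld_exec:file execute_no_trans;` runs the GPS daemon in this domain; prefer `domain_auto_trans(meta_tst, mnld_exec, mnld)`.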
@@ -0,0 +1,4 @@
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/mnld.te b/sepolicy/mnld.te
new file mode 100644
index 0000000..8e86efc
--- /dev/null
+++ b/sepolicy/mnld.te
@@ -0,0 +1,46 @@
+type mnld_exec, exec_type, file_type;
+type mnld, domain, domain_deprecated;
+
+init_daemon_domain(mnld)
+net_domain(mnld)
+
+allow mnld gps_device:chr_file rw_file_perms;
+allow mnld stpgps_device:chr_file rw_file_perms;
+
+allow mnld gps_data_file:dir create_dir_perms;
+allow mnld gps_data_file:file create_file_perms;
+
+allow mnld agpsd_data_file:dir create_dir_perms;
+allow mnld agpsd_data_file:sock_file create_file_perms;
+allow mnld mtk_agpsd:unix_dgram_socket sendto;
+
+allow mnld mnld_data_file:dir rw_dir_perms;
+allow mnld mnld_data_file:sock_file create_file_perms;
+allow mnld mnld_data_file:file create_file_perms;
+
+allow mnld nvdata_file:dir rw_dir_perms;
+allow mnld nvdata_file:file create_file_perms;
+allow mnld nvdata_file:lnk_file r_file_perms;
+allow mnld nvram_device:blk_file rw_file_perms;
+
+allow mnld sysfs_gps_file:dir search;
+allow mnld sysfs_gps_file:file rw_file_perms;
+
+allow mnld mnld_prop:property_service set;
+allow mnld property_socket:sock_file write;
+
+allow mnld init:unix_stream_socket connectto;
+allow mnld system_server:unix_dgram_socket { sendto write };
+
+allow mnld fuse:dir create_dir_perms;
+allow mnld fuse:file create_file_perms;
+
+allow mnld storage_file:dir search;
+allow mnld storage_file:lnk_file read;
+
+allow mnld mdlog_device:chr_file { read write };
+
+allow mnld block_device:dir search;
+
+file_type_auto_trans(mnld,system_data_file,mnld_data_file);
+file_type_auto_trans(mnld,apk_data_file,mnld_data_file);
diff --git a/sepolicy/msensord.te b/sepolicy/msensord.te
new file mode 100644
index 0000000..14f5e70
--- /dev/null
+++ b/sepolicy/msensord.te
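Review bot: `file_type_auto_trans(mnld,apk_data_file,mnld_data_file);` lets the GPS daemon create files in /data/app, the APK install tree, to match the `/data/app/cache.dat` entry in file_contexts; a daemon writing into the package directory is an odd trust boundary, and moving the cache to /data/gps_mnl (already `mnld_data_file` in this change) removes the transition, and the `system_data_file` one too if no other path needs it. `allow mnld fuse:dir create_dir_perms;`/`fuse:file create_file_perms` give it unrestricted write to external storage and `nvram_device:blk_file rw_file_perms` a raw partition write; each deserves a comment naming the feature behind it or removal. The `init:unix_stream_socket connectto` and `property_socket:sock_file write` lines are simply `unix_socket_connect(mnld, property, init)`.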
@@ -0,0 +1,12 @@
+type msensord_exec, exec_type, file_type;
+type msensord, domain, domain_deprecated;
+
+init_daemon_domain(msensord)
+
+allow msensord msensord_daemon_sysfs:file r_file_perms;
+
+allow msensord ctl_qmc6983d_prop:property_service set;
+allow msensord ctl_mxg2320d_prop:property_service set;
+allow msensord ctl_memsicd3416x_prop:property_service set;
+
+unix_socket_connect(msensord, property, init)
diff --git a/sepolicy/mtk_agpsd.te b/sepolicy/mtk_agpsd.te
new file mode 100644
index 0000000..fb9bc93
--- /dev/null
+++ b/sepolicy/mtk_agpsd.te
@@ -0,0 +1,21 @@
+type mtk_agpsd_exec, exec_type, file_type;
+type mtk_agpsd, domain, domain_deprecated;
+
+init_daemon_domain(mtk_agpsd)
+net_domain(mtk_agpsd)
+
+allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
+allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
+allow mtk_agpsd gps_device:chr_file rw_file_perms;
+allow mtk_agpsd self:udp_socket create;
+
+allow mtk_agpsd storage_file:dir search;
+allow mtk_agpsd storage_file:lnk_file read;
+
+allow mtk_agpsd mnt_user_file:dir create_dir_perms;
+allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
+
+allow mtk_agpsd fuse:dir create_dir_perms;
+allow mtk_agpsd fuse:file create_file_perms;
+
+unix_socket_send(mtk_agpsd, mnld, mnld);
diff --git a/sepolicy/mtkmal.te b/sepolicy/mtkmal.te
new file mode 100644
index 0000000..15fd834
--- /dev/null
+++ b/sepolicy/mtkmal.te
@@ -0,0 +1,10 @@
+type mtkmal_exec, exec_type, file_type;
+type mtkmal, domain, domain_deprecated;
+
+init_daemon_domain(mtkmal)
+
+allow mtkmal init:unix_stream_socket connectto;
+allow mtkmal property_socket:sock_file write;
+allow mtkmal mal_mfi_socket:sock_file write;
+
+allow mtkmal self:capability { setuid setgid };
diff --git a/sepolicy/muxreport.te b/sepolicy/muxreport.te
new file mode 100644
index 0000000..e17a075
--- /dev/null
+++ b/sepolicy/muxreport.te
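Review bot: `allow mtk_agpsd mnt_user_file:dir create_dir_perms;` and `mnt_user_file:lnk_file create_file_perms` let the AGPS daemon create directories and symlinks under /mnt/user, the per-user storage view that vold maintains; a daemon adding entries there can change what apps see as their storage, so this reads as denial-chasing for SD-card logging rather than an intended capability. Confine it to the fuse path it actually writes (the `fuse:dir`/`fuse:file` rules below already cover that) and reduce `mnt_user_file` to `search` at most. The trailing `;` on `unix_socket_send(mtk_agpsd, mnld, mnld);` is redundant.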
@@ -0,0 +1,13 @@
+type muxreport_exec, exec_type, file_type;
+type muxreport, domain, domain_deprecated;
+
+init_daemon_domain(muxreport)
+
+allow muxreport ccci_device:chr_file { read write ioctl open };
+allow muxreport ril_mux_report_case_prop:property_service set;
+allow muxreport init:unix_stream_socket connectto;
+allow muxreport property_socket:sock_file write;
+allow muxreport devpts:chr_file { read write getattr ioctl };
+allow muxreport self:capability dac_override;
+allow muxreport sysfs_ccci:dir search;
+allow muxreport sysfs_ccci:file r_file_perms;
\ No newline at end of file
diff --git a/sepolicy/mxg2320d.te b/sepolicy/mxg2320d.te
new file mode 100644
index 0000000..878ca31
--- /dev/null
+++ b/sepolicy/mxg2320d.te
@@ -0,0 +1,7 @@
+type mxg2320d_exec, exec_type, file_type;
+type mxg2320d, domain, domain_deprecated;
+
+init_daemon_domain(mxg2320d)
+
+allow mxg2320d msensor_device:chr_file rw_file_perms;
+allow mxg2320d gsensor_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
new file mode 100644
index 0000000..e70363e
--- /dev/null
+++ b/sepolicy/netd.te
@@ -0,0 +1,4 @@
+# Wifi
+allow netd wmtWifi_device:chr_file w_file_perms;
+
+allow netd self:capability sys_module;
diff --git a/sepolicy/nvram_daemon.te b/sepolicy/nvram_daemon.te
new file mode 100644
index 0000000..18af42f
--- /dev/null
+++ b/sepolicy/nvram_daemon.te
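Review bot: `allow muxreport self:capability dac_override;` lets the daemon bypass mode bits on any file its other rules already reach (ccci_device, devpts, sysfs_ccci); dac_override is usually a symptom of a device node or file being owned by the wrong user, which is better fixed in the ueventd/init configuration than by granting the capability, and at minimum deserves a comment naming the file that needs it. Separately, `allow muxreport devpts:chr_file { read write getattr ioctl };` has no `open`, so it only works if the pty descriptor is inherited; if muxreport opens the pty itself, add `open` as the ccci_device rule above does. The muxreport hunk starts on the previous physical line.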
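Review bot: `allow netd self:capability sys_module;` lets netd load and unload kernel modules, which is far broader than the Wi-Fi device write the `# Wifi` comment describes, and platform policy restricts sys_module with neverallow rules in newer releases, so confirm the build passes against the base policy in use. Loading the Wi-Fi driver from init (an insmod in the rc file) keeps module loading out of a network-facing daemon; if netd must do it, a comment naming the module and why init cannot load it should accompany the rule.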
@@ -0,0 +1,26 @@
+type nvram_daemon_exec, exec_type, file_type;
+type nvram_daemon, domain, domain_deprecated;
+
+init_daemon_domain(nvram_daemon)
+
+allow nvram_daemon self:capability { fowner dac_override dac_read_search chown fsetid };
+allow nvram_daemon nvram_device:blk_file rw_file_perms;
+allow nvram_daemon nvdata_device:blk_file rw_file_perms;
+allow nvram_daemon nvdata_file:dir create_dir_perms;
+allow nvram_daemon nvdata_file:file create_file_perms;
+allow nvram_daemon nvdata_file:lnk_file r_file_perms;
+allow nvram_daemon shell_exec:file { read execute open execute_no_trans getattr };
+allow nvram_daemon als_ps_device:chr_file r_file_perms;
+allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
+allow nvram_daemon gsensor_device:chr_file r_file_perms;
+allow nvram_daemon msensor_device:chr_file r_file_perms;
+allow nvram_daemon gyroscope_device:chr_file r_file_perms;
+allow nvram_daemon toolbox_exec:file rx_file_perms;
+
+allow nvram_daemon proinfo_device:blk_file rw_file_perms;
+allow nvram_daemon nvram_prop:property_service set;
+allow nvram_daemon wmt_prop:property_service set;
+
+allow nvram_daemon block_device:dir search;
+
+unix_socket_connect(nvram_daemon, property, init)
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
new file mode 100644
index 0000000..84a30ea
--- /dev/null
+++ b/sepolicy/platform_app.te
@@ -0,0 +1,11 @@
+# Fingerprint
+allow platform_app esfp0_device:chr_file rw_file_perms;
+allow platform_app esfp0_device:chr_file rw_file_perms;
+allow platform_app etsd_service:service_manager find;
+allow platform_app etsd:binder { call transfer };
+
+# Guiext
+allow platform_app guiext-server_service:service_manager find;
+
+# PQ
+allow platform_app pq_service:service_manager find;
diff --git a/sepolicy/pq.te b/sepolicy/pq.te
new file mode 100644
index 0000000..85ada8f
--- /dev/null
+++ b/sepolicy/pq.te
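Review bot: `allow nvram_daemon shell_exec:file { read execute open execute_no_trans getattr };` together with `toolbox_exec:file rx_file_perms` runs the shell and toolbox inside the nvram_daemon domain, so any script the daemon invokes inherits its raw block-device write access (nvram_device, nvdata_device, proinfo_device) and its capability set (fowner, dac_override, dac_read_search, chown, fsetid). Prefer replacing the shell invocation with direct file operations, or giving the script its own domain via `domain_auto_trans`, so those privileges do not extend to shell code. The explicit permission set is exactly `rx_file_perms` and could be written that way for consistency with the toolbox_exec line. `dac_override` in the capability set deserves a comment naming the file that needs it, since the nvdata_file rules already grant label-based create access.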
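Review bot: `allow platform_app esfp0_device:chr_file rw_file_perms;` appears twice in a row in the `# Fingerprint` block; delete the duplicate. `allow platform_app etsd:binder { call transfer };` references an `etsd` domain that is not declared in this change; if etsd is registered with `binder_service()` elsewhere, the call is already covered by the platform's app-to-binderservicedomain rules and this line is redundant — confirm before keeping it.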
@@ -0,0 +1,15 @@
+type pq_exec, exec_type, file_type;
+type pq, domain, domain_deprecated;
+
+init_daemon_domain(pq)
+
+binder_use(pq)
+binder_call(pq, binderservicedomain)
+binder_service(pq)
+
+allow pq pq_service:service_manager add;
+unix_socket_connect(pq, property, init)
+
+allow pq pq_conf_prop:property_service set;
+
+allow pq graphics_device:chr_file { open read ioctl };
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
new file mode 100644
index 0000000..7874778
--- /dev/null
+++ b/sepolicy/priv_app.te
@@ -0,0 +1,5 @@
+# Guiext
+allow priv_app guiext-server_service:service_manager find;
+
+# PQ
+allow priv_app pq_service:service_manager find;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..2b8d6b8
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,18 @@
+type wmt_prop, property_type, mtk_property_type;
+type mtk_md_prop, property_type, mtk_property_type;
+type mnld_prop, property_type, mtk_property_type;
+type ctl_qmc6983d_prop, property_type;
+type ctl_mxg2320d_prop, property_type;
+type ctl_memsicd3416x_prop, property_type;
+type ctl_ccci_fsd_prop, property_type;
+type ctl_gsm0710muxd_prop, property_type;
+type ctl_gsm0710muxdmd2_prop, property_type;
+type ctl_muxreport-daemon_prop, property_type;
+type nvram_prop, property_type, mtk_property_type;
+type pq_conf_prop, property_type, mtk_property_type;
+type audiohal_prop, property_type, mtk_property_type;
+type ril_mux_report_case_prop, property_type, mtk_property_type;
+type ril_msim_power_prop, property_type, mtk_property_type;
+type ril_sim_inserted_status, property_type, mtk_property_type;
+type serial_number_prop, property_type, mtk_property_type;
+type vold_encryption_type_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..aff6dc0
--- /dev/null
+++ b/sepolicy/property_contexts
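Review bot: `type ril_sim_inserted_status, property_type, mtk_property_type;` is the one property type in this file without the `_prop` suffix; renaming it `ril_sim_inserted_status_prop` keeps the file's convention and must be mirrored in property_contexts and ril-daemon-mtk.te, where the type is referenced. `ctl_muxreport-daemon_prop` carries a hyphen inside a type name, which compiles but reads as a typo next to the other ctl_*_prop types; `ctl_muxreport_daemon_prop` would be consistent (again updating property_contexts and ril-daemon-mtk.te).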
@@ -0,0 +1,26 @@
+service.wcn u:object_r:wmt_prop:s0
+persist.mtk.wcn u:object_r:wmt_prop:s0
+wlan.mtk.wifi.5g u:object_r:wmt_prop:s0
+mtk.md u:object_r:mtk_md_prop:s0
+gps.clock.type u:object_r:mnld_prop:s0
+gps.gps.version u:object_r:mnld_prop:s0
+ctl.qmc6983d u:object_r:ctl_qmc6983d_prop:s0
+ctl.mxg2320d u:object_r:ctl_mxg2320d_prop:s0
+ctl.memsicd3416x u:object_r:ctl_memsicd3416x_prop:s0
+ctl.ccci_fsd u:object_r:ctl_ccci_fsd_prop:s0
+ctl.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0
+ctl.gsm0710muxd-s u:object_r:ctl_gsm0710muxd_prop:s0
+ctl.gsm0710muxd-d u:object_r:ctl_gsm0710muxd_prop:s0
+ctl.gsm0710muxdmd2 u:object_r:ctl_gsm0710muxdmd2_prop:s0
+ctl.muxreport-daemon u:object_r:ctl_muxreport-daemon_prop:s0
+service.nvram_init u:object_r:nvram_prop:s0
+persist.sys.pq u:object_r:pq_conf_prop:s0
+af. u:object_r:audiohal_prop:s0
+persist.af. u:object_r:audiohal_prop:s0
+ril.mux.report.case u:object_r:ril_mux_report_case_prop:s0
+sys.msim.power.slot0 u:object_r:ril_msim_power_prop:s0
+sys.msim.power.slot1 u:object_r:ril_msim_power_prop:s0
+sys.sim_inserted_status_0 u:object_r:ril_sim_inserted_status:s0
+sys.sim_inserted_status_1 u:object_r:ril_sim_inserted_status:s0
+ro.serialno u:object_r:serial_number_prop:s0
+vold.encryption.type u:object_r:vold_encryption_type_prop:s0
diff --git a/sepolicy/qmc6983d.te b/sepolicy/qmc6983d.te
new file mode 100644
index 0000000..57b11e0
--- /dev/null
+++ b/sepolicy/qmc6983d.te
@@ -0,0 +1,7 @@
+type qmc6983d_exec, exec_type, file_type;
+type qmc6983d, domain, domain_deprecated;
+
+init_daemon_domain(qmc6983d)
+
+allow qmc6983d msensor_device:chr_file rw_file_perms;
+allow qmc6983d gsensor_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/sepolicy/radio.te b/sepolicy/radio.te
new file mode 100644
index 0000000..5f2f249
--- /dev/null
+++ b/sepolicy/radio.te
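Review bot: `ro.serialno u:object_r:serial_number_prop:s0` adds a second label for a key that AOSP's own property_contexts already maps to `serialno_prop`; a duplicated key is at best confusing and may leave the `serial_number_prop` set rule in ril-daemon-mtk.te ineffective, so confirm which entry the build keeps or reuse the platform type. `vold.encryption.type u:object_r:vold_encryption_type_prop:s0` labels a property that no domain in this change is allowed to set; if vold is the writer, the `set` rule is missing unless it lives outside this diff. `af. u:object_r:audiohal_prop:s0` is a prefix entry, so every property under `af.` becomes settable by the domains holding audiohal_prop; that looks intended but is worth a comment.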
@@ -0,0 +1,4 @@
+unix_socket_connect(radio, rild, ril-daemon-mtk)
+
+allow radio ril_mux_report_case_prop:property_service set;
+allow radio ril_msim_power_prop:property_service set;
diff --git a/sepolicy/ril-daemon-mtk.te b/sepolicy/ril-daemon-mtk.te
new file mode 100644
index 0000000..c1b5c86
--- /dev/null
+++ b/sepolicy/ril-daemon-mtk.te
@@ -0,0 +1,33 @@
+type ril-daemon-mtk_exec, exec_type, file_type;
+type ril-daemon-mtk, domain, domain_deprecated;
+
+init_daemon_domain(ril-daemon-mtk)
+net_domain(ril-daemon-mtk)
+
+allow ril-daemon-mtk ccci_device:chr_file rw_file_perms;
+allow ril-daemon-mtk devpts:chr_file rw_file_perms;
+allow ril-daemon-mtk self:capability setuid;
+allow ril-daemon-mtk sysfs_wake_lock:file rw_file_perms;
+allow ril-daemon-mtk sysfs_ccci:dir search;
+allow ril-daemon-mtk sysfs_ccci:file r_file_perms;
+allow ril-daemon-mtk block_device:dir search;
+allow ril-daemon-mtk para_block_device:blk_file rw_file_perms;
+
+allow ril-daemon-mtk self:udp_socket create_socket_perms;
+allow ril-daemon-mtk self:capability { setuid net_admin net_raw };
+
+allow ril-daemon-mtk mal_mfi_socket:sock_file { w_file_perms };
+allow ril-daemon-mtk mtkmal:unix_stream_socket connectto;
+
+allow ril-daemon-mtk radio_device:dir search;
+allow ril-daemon-mtk radio_prop:property_service set;
+
+allow ril-daemon-mtk ctl_muxreport-daemon_prop:property_service set;
+allow ril-daemon-mtk ril_mux_report_case_prop:property_service set;
+allow ril-daemon-mtk ril_sim_inserted_status:property_service set;
+allow ril-daemon-mtk serial_number_prop:property_service set;
+
+unix_socket_connect(ril-daemon-mtk, property, init)
+
+# Access to wake locks
+wakelock_use(ril-daemon-mtk)
diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 0000000..70d33cb
--- /dev/null
+++ b/sepolicy/service.te
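Review bot: `allow ril-daemon-mtk self:capability setuid;` is repeated below inside `allow ril-daemon-mtk self:capability { setuid net_admin net_raw };`; keep only the merged rule. `allow ril-daemon-mtk sysfs_wake_lock:file rw_file_perms;` duplicates what `wakelock_use(ril-daemon-mtk)` at the end of the file grants, and the braces in `mal_mfi_socket:sock_file { w_file_perms }` are unnecessary around a macro. `allow ril-daemon-mtk para_block_device:blk_file rw_file_perms;` is a raw partition write from a network-facing daemon; a comment stating what is stored there and why file-level access is not enough would make the grant reviewable.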
@@ -0,0 +1,5 @@
+type pq_service, service_manager_type;
+type guiext-server_service, service_manager_type;
+type nvram_agent_service, service_manager_type;
+type etsd_service, service_manager_type;
+#type edge_gesture_service, system_api_service, system_server_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 0000000..d84c17d
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1,5 @@
+PQ u:object_r:pq_service:s0
+GuiExtService u:object_r:guiext-server_service:s0
+NvRAMAgent u:object_r:nvram_agent_service:s0
+egistec.ets.service.daemon u:object_r:etsd_service:s0
+
diff --git a/sepolicy/spm_loader.te b/sepolicy/spm_loader.te
new file mode 100644
index 0000000..fd08ce5
--- /dev/null
+++ b/sepolicy/spm_loader.te
@@ -0,0 +1,6 @@
+type spm_loader_exec, exec_type, file_type;
+type spm_loader, domain, domain_deprecated;
+
+init_daemon_domain(spm_loader)
+
+allow spm_loader spm_device:chr_file r_file_perms;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..cc6f0db
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,9 @@
+allow surfaceflinger pq_service:service_manager find;
+
+allow surfaceflinger guiext-server_service:service_manager { find add };
+
+allow surfaceflinger debug_prop:property_service set;
+
+allow surfaceflinger mtk_smi_device:chr_file { read write open ioctl };
+
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..95fdd9e
--- /dev/null
+++ b/sepolicy/system_app.te
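Review bot: `#type edge_gesture_service, system_api_service, system_server_service, service_manager_type;` is commented-out policy; delete it, or replace it with a one-line comment saying why the service is not declared here, so the file does not carry a dead declaration.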
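Review bot: `allow surfaceflinger debug_prop:property_service set;` lets surfaceflinger write every property carrying the platform's debug_prop label (the `debug.` prefix), not just the one it needs; if a single key is involved, a dedicated property type for that key keeps the grant narrow. A comment naming the property being set would help either way.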
@@ -0,0 +1,8 @@
+allow system_app fm_device:chr_file rw_file_perms;
+
+allow system_app gyro_orientation_sysfs:file rw_file_perms;
+allow system_app fast_charge_sysfs:file rw_file_perms;
+allow system_app smartwake_sysfs:file rw_file_perms;
+allow system_app perf_control_sysfs:file rw_file_perms;
+
+allow system_app em_svr:unix_stream_socket connectto;
\ No newline at end of file
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..a99f314
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,32 @@
+# GPS
+allow system_server mnld:unix_dgram_socket sendto;
+allow system_server mnld_data_file:dir w_dir_perms;
+allow system_server mnld_data_file:sock_file create_file_perms;
+allow system_server mnld_data_file:file create_file_perms;
+
+# Persist
+allow system_server protect_s_data_file:dir r_dir_perms;
+
+# Sensors
+allow system_server hwmsensor_device:chr_file r_file_perms;
+
+# Wifi
+allow system_server wmtWifi_device:chr_file w_file_perms;
+
+# RGB Display Color
+allow system_server display_color_sysfs:file rw_file_perms;
+
+# Fast Charge
+allow system_server fast_charge_sysfs:file rw_file_perms;
+
+# Smart Wake
+allow system_server smartwake_sysfs:file rw_file_perms;
+
+# IR
+allow system_server irtx_device:chr_file rw_file_perms;
+
+# External storage
+allow system_server storage_stub_file:dir { getattr };
+
+# Guiext
+allow system_server guiext-server_service:service_manager find;
diff --git a/sepolicy/terservice.te b/sepolicy/terservice.te
new file mode 100644
index 0000000..466a013
--- /dev/null
+++ b/sepolicy/terservice.te
@@ -0,0 +1,4 @@
+type terservice_exec, exec_type, file_type;
+type terservice, domain, domain_deprecated;
+
+init_daemon_domain(terservice)
diff --git a/sepolicy/thermal.te b/sepolicy/thermal.te
new file mode 100644
index 0000000..3a53730
--- /dev/null
+++ b/sepolicy/thermal.te
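Review bot: `allow system_app em_svr:unix_stream_socket connectto;` is only half of what connecting to a filesystem-bound socket needs — the client also needs `write` on the socket's `sock_file` label — and neither that rule nor a declaration of the `em_svr` domain appears in this change; if the socket is abstract, connectto alone suffices, otherwise confirm the rules exist elsewhere or the connection will be denied. The four `*_sysfs:file rw_file_perms` rules let any system app write tuning knobs that system_server is also given write access to in the same change (fast_charge_sysfs, smartwake_sysfs); a comment naming the app that owns each knob documents why both domains need write rather than read access.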
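Review bot: the `terservice` domain is declared with no allow rules at all, so whatever the daemon does at runtime it does through the legacy permissions of `domain_deprecated` or not at all; either list the accesses it needs explicitly, or add a comment such as `# terservice needs nothing beyond the base domain rules` so the empty policy is visibly intentional.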
@@ -0,0 +1,10 @@
+type thermal_exec, exec_type, file_type;
+type thermal, domain, domain_deprecated;
+
+init_daemon_domain(thermal)
+
+allow thermal proc_thermal:dir search;
+allow thermal proc_thermal:file rw_file_perms;
+allow thermal rild_socket:sock_file w_file_perms;
+
+allow thermal ril-daemon-mtk:unix_stream_socket connectto;
diff --git a/sepolicy/thermal_manager.te b/sepolicy/thermal_manager.te
new file mode 100644
index 0000000..c79ce8e
--- /dev/null
+++ b/sepolicy/thermal_manager.te
@@ -0,0 +1,14 @@
+type thermal_manager_exec, exec_type, file_type;
+type thermal_manager, domain, domain_deprecated;
+
+init_daemon_domain(thermal_manager)
+
+allow thermal_manager self:capability { fowner fsetid chown fsetid dac_override };
+allow thermal_manager proc_thermal:dir search;
+allow thermal_manager proc_thermal:file rw_file_perms;
+allow thermal_manager proc_mtkcooler:dir search;
+allow thermal_manager proc_mtkcooler:file rw_file_perms;
+allow thermal_manager proc_mtktz:dir search;
+allow thermal_manager proc_mtktz:file rw_file_perms;
+allow thermal_manager thermal_manager_data_file:dir rw_dir_perms;
+allow thermal_manager thermal_manager_data_file:file create_file_perms;
diff --git a/sepolicy/thermald.te b/sepolicy/thermald.te
new file mode 100644
index 0000000..a4b53b1
--- /dev/null
+++ b/sepolicy/thermald.te
@@ -0,0 +1,7 @@
+type thermald_exec, exec_type, file_type;
+type thermald, domain, domain_deprecated;
+
+init_daemon_domain(thermald)
+
+allow thermald proc_thermal:dir search;
+allow thermald proc_thermal:file rw_file_perms;
diff --git a/sepolicy/thermalloadalgo.te b/sepolicy/thermalloadalgo.te
new file mode 100644
index 0000000..27a3dbd
--- /dev/null
+++ b/sepolicy/thermalloadalgo.te
@@ -0,0 +1,6 @@
+type thermalloadalgo_exec, exec_type, file_type;
+type thermalloadalgo, domain, domain_deprecated;
+
+init_daemon_domain(thermalloadalgo)
+
+allow thermalloadalgo thermalloadalgo:netlink_socket { create bind write read };
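Review bot: `allow thermal_manager self:capability { fowner fsetid chown fsetid dac_override };` lists `fsetid` twice; write `allow thermal_manager self:capability { fowner fsetid chown dac_override };`. As with the other daemons in this change, `dac_override` and the ownership capabilities deserve a comment naming the file that needs them, since the thermal_manager_data_file rules already provide label-based access.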
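Review bot: `allow thermalloadalgo thermalloadalgo:netlink_socket { create bind write read };` names the domain as its own target; the idiomatic form every other self-rule in this change uses is `allow thermalloadalgo self:netlink_socket { create bind read write };`. If the netlink family is known, a comment naming it documents why the generic `netlink_socket` class is used rather than a family-specific one.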
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
new file mode 100644
index 0000000..7bacf63
--- /dev/null
+++ b/sepolicy/ueventd.te
@@ -0,0 +1 @@
+allow ueventd sysfs_gps_file:file w_file_perms;
diff --git a/sepolicy/untrusted_app.te b/sepolicy/untrusted_app.te
new file mode 100644
index 0000000..3eccfac
--- /dev/null
+++ b/sepolicy/untrusted_app.te
@@ -0,0 +1,2 @@
+# PQ
+allow untrusted_app pq_service:service_manager find;
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..5fc9d70
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,22 @@
+allow vold nvdata_device:blk_file rw_file_perms;
+allow vold cache_block_device:blk_file rw_file_perms;
+allow vold protect1_device:blk_file rw_file_perms;
+allow vold protect2_device:blk_file rw_file_perms;
+
+allow vold nvdata_file:dir create_dir_perms;
+allow vold nvdata_file:file create_file_perms;
+allow vold protect_f_data_file:dir create_dir_perms;
+allow vold protect_f_data_file:file create_file_perms;
+allow vold protect_s_data_file:dir create_dir_perms;
+allow vold protect_s_data_file:file create_file_perms;
+
+allow vold proc_mtkcooler:dir r_dir_perms;
+allow vold proc_mtktz:dir r_dir_perms;
+
+# Allow vold to access fuse for fuse-based fs
+allow vold fuse:chr_file rw_file_perms;
+
+# External storage
+allow vold storage_stub_file:dir { rw_file_perms search add_name };
+allow vold mnt_media_rw_stub_file:dir r_dir_perms;
+allow vold mkfs_exec:file { execute read open getattr execute_no_trans };
\ No newline at end of file
diff --git a/sepolicy/wifi2agps.te b/sepolicy/wifi2agps.te
new file mode 100644
index 0000000..f0c4068
--- /dev/null
+++ b/sepolicy/wifi2agps.te
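Review bot: `allow untrusted_app pq_service:service_manager find;` exposes the pq binder service — whose daemon drives `graphics_device` through ioctl (pq.te in this change) and runs with `domain_deprecated` — to every third-party app, since apps that can find a service can call it through the platform's app-to-binder-service rules. If only the platform UI needs PQ, the platform_app, priv_app and system_app grants elsewhere in this change are enough and this rule should go; if third-party access is a product requirement, the service's input validation becomes the security boundary and that should be recorded in a comment here.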
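Review bot: `allow vold storage_stub_file:dir { rw_file_perms search add_name };` applies a file permission macro to a `dir` object; `rw_dir_perms` is the intended macro and already includes `search` and `add_name`, so the line reduces to `allow vold storage_stub_file:dir rw_dir_perms;`. `allow vold mkfs_exec:file { execute read open getattr execute_no_trans };` runs mkfs inside the vold domain, which sidesteps the separate `mkfs` domain that the first hunk of this chunk gives block-device access to; if the transition is meant to apply, replace the execute_no_trans rule with `domain_auto_trans(vold, mkfs_exec, mkfs)`, and if vold is meant to run mkfs in-domain, the mkfs domain rules are dead policy. Either way, a comment on the mkfs line stating which it is would settle the question.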
@@ -0,0 +1,9 @@
+type wifi2agps_exec, exec_type, file_type;
+type wifi2agps, domain, domain_deprecated;
+
+init_daemon_domain(wifi2agps)
+
+allow wifi2agps agpsd_data_file:sock_file write;
+allow wifi2agps agpsd_data_file:dir search;
+allow wifi2agps mtk_agpsd:unix_dgram_socket sendto;
+allow wifi2agps self:netlink_socket create_socket_perms;
diff --git a/sepolicy/wmt_loader.te b/sepolicy/wmt_loader.te
new file mode 100644
index 0000000..33da926
--- /dev/null
+++ b/sepolicy/wmt_loader.te
@@ -0,0 +1,11 @@
+type wmt_loader_exec, exec_type, file_type;
+type wmt_loader, domain, domain_deprecated;
+
+init_daemon_domain(wmt_loader)
+
+allow wmt_loader wmtdetect_device:chr_file create_file_perms;
+allow wmt_loader self:capability { chown dac_override };
+allow wmt_loader proc_wmt:file setattr;
+allow wmt_loader wmt_prop:property_service set;
+
+unix_socket_connect(wmt_loader, property, init)
diff --git a/sepolicy/zygote.te b/sepolicy/zygote.te
new file mode 100644
index 0000000..aa101ce
--- /dev/null
+++ b/sepolicy/zygote.te
@@ -0,0 +1 @@
+allow zygote sysfs_devinfo:file r_file_perms;
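Review bot: `allow wmt_loader wmtdetect_device:chr_file create_file_perms;` grants create, unlink, rename and setattr on a device node, which a loader that merely opens the node does not need; `rw_file_perms` matches the other *_device rules in this change unless the loader creates the node itself, in which case a comment should say so. `allow wmt_loader self:capability { chown dac_override };` together with `proc_wmt:file setattr` suggests the loader fixes ownership of proc entries after the driver comes up; recording that intent in a comment keeps the capability grant reviewable, and dac_override in particular should be tied to a named file.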