From 08bdf7c020eaa875077546c330e026f2ca271fa9 Mon Sep 17 00:00:00 2001
From: Nehemiah
Date: Mon, 9 Oct 2023 13:46:01 -0400
Subject: [PATCH] Try again
---
 cat/cat_s22.mk | 2 +-
 cat/sepolicy/asus.te | 5 +
 cat/sepolicy/board_properties.te | 4 +
 cat/sepolicy/bootanim.te | 3 +
 cat/sepolicy/file_contexts | 22 +++++
 cat/sepolicy/genfs_contexts | 1 +
 cat/sepolicy/hal.te | 10 ++
 cat/sepolicy/hardware_overlay.te | 1 +
 cat/sepolicy/hostapd.te | 4 +
 cat/sepolicy/huawei.te | 17 ++++
 cat/sepolicy/init.te | 13 +++
 cat/sepolicy/lenovo.te | 4 +
 cat/sepolicy/lmkd.te | 1 +
 cat/sepolicy/mediatek.te | 19 ++++
 cat/sepolicy/oppo.te | 6 ++
 cat/sepolicy/qualcomm.te | 30 ++++++
 cat/sepolicy/samsung.te | 4 +
 cat/sepolicy/service_contexts | 10 ++
 cat/sepolicy/su.te | 151 +++++++++++++++++++++++++++++++
 cat/sepolicy/treble_app.te | 44 +++++++++
 cat/sepolicy/vndk_detect.te | 27 ++++++
 cat/sepolicy/vold.te | 2 +
 22 files changed, 379 insertions(+), 1 deletion(-)
 create mode 100644 cat/sepolicy/asus.te
 create mode 100644 cat/sepolicy/board_properties.te
 create mode 100644 cat/sepolicy/bootanim.te
 create mode 100644 cat/sepolicy/file_contexts
 create mode 100644 cat/sepolicy/genfs_contexts
 create mode 100644 cat/sepolicy/hal.te
 create mode 100644 cat/sepolicy/hardware_overlay.te
 create mode 100644 cat/sepolicy/hostapd.te
 create mode 100644 cat/sepolicy/huawei.te
 create mode 100644 cat/sepolicy/init.te
 create mode 100644 cat/sepolicy/lenovo.te
 create mode 100644 cat/sepolicy/lmkd.te
 create mode 100644 cat/sepolicy/mediatek.te
 create mode 100644 cat/sepolicy/oppo.te
 create mode 100644 cat/sepolicy/qualcomm.te
 create mode 100644 cat/sepolicy/samsung.te
 create mode 100644 cat/sepolicy/service_contexts
 create mode 100644 cat/sepolicy/su.te
 create mode 100644 cat/sepolicy/treble_app.te
 create mode 100644 cat/sepolicy/vndk_detect.te
 create mode 100644 cat/sepolicy/vold.te
diff --git a/cat/cat_s22.mk b/cat/cat_s22.mk
index 37cfb74..65b8f25 100644
--- a/cat/cat_s22.mk
+++ b/cat/cat_s22.mk
@@ -22,7 +22,7 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/aosp_product.mk)
 # $(call inherit-product, $(SRC_TARGET_DIR)/product/gsi_release.mk)
-#BOARD_PLAT_PRIVATE_SEPOLICY_DIR += device/wephone/cat/sepolicy
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += device/wephone/cat/sepolicy
 # Don't build super.img.
 #PRODUCT_BUILD_SUPER_PARTITION := false
diff --git a/cat/sepolicy/asus.te b/cat/sepolicy/asus.te
new file mode 100644
index 0000000..64ff117
--- /dev/null
+++ b/cat/sepolicy/asus.te
@@ -0,0 +1,5 @@
+allow cameraserver phhsu_exec:file rx_file_perms;
+
+type asus_motor_device, file_type;
+allow cameraserver asus_motor_device:chr_file { open read write ioctl };
+allowxperm cameraserver asus_motor_device:chr_file ioctl { 0x4d02 };
diff --git a/cat/sepolicy/board_properties.te b/cat/sepolicy/board_properties.te
new file mode 100644
index 0000000..4ed75dc
--- /dev/null
+++ b/cat/sepolicy/board_properties.te
@@ -0,0 +1,4 @@
+type sysfs_board_properties, fs_type, sysfs_type;
+
+allow system_server sysfs_board_properties:dir search;
+allow system_server sysfs_board_properties:file r_file_perms;
diff --git a/cat/sepolicy/bootanim.te b/cat/sepolicy/bootanim.te
new file mode 100644
index 0000000..bba8c50
--- /dev/null
+++ b/cat/sepolicy/bootanim.te
@@ -0,0 +1,3 @@
+#11-14 21:15:02.748 477 477 I auditd : type=1400 audit(0.0:104): avc: denied { search } for comm="BootAnimation" name="dri" dev="tmpfs" ino=1108 scontext=u:r:bootanim:s0 tcontext=u:object_r:gpu_device:s0 tclass=dir permissive=0
+#Seen on some MTK devices
+allow bootanim gpu_device:dir r_dir_perms;
diff --git a/cat/sepolicy/file_contexts b/cat/sepolicy/file_contexts
new file mode 100644
index 0000000..4ae5095
--- /dev/null
+++ b/cat/sepolicy/file_contexts
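Review bot: Uncommenting `BOARD_PLAT_PRIVATE_SEPOLICY_DIR += device/wephone/cat/sepolicy` compiles everything in that directory into the platform private policy that ships in the system image, and the same patch fills the directory with `permissive phhsu_daemon;`, `permissive ueventd;` and rules that give the `shell` domain write access to `domain` and `rootfs`. Those grants therefore apply to every device built from this product, not just the one being debugged. I'd gate the line on a debuggable build, e.g. `ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))` around it, or add a comment on this line stating that a user build is expected to carry a permissive root daemon so the decision is explicit.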
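Review bot: `allow cameraserver phhsu_exec:file rx_file_perms;` in asus.te grants cameraserver execute rights on every file labeled `phhsu_exec`, which in this patch's file_contexts includes `/system/bin/phh-su`, `rw-system.sh` and the `phh-on-*.sh` scripts, not only `/system/bin/asus-motor`. If only the motor helper is needed, give it its own label with `type asus_motor_exec, exec_type, file_type;` and `/system/bin/asus-motor u:object_r:asus_motor_exec:s0`, and allow that type here instead. The `allowxperm cameraserver asus_motor_device:chr_file ioctl { 0x4d02 };` restriction is the right pattern; a short comment naming what that ioctl does would help the next reader.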
@@ -0,0 +1,22 @@
+/system/bin/phh-su u:object_r:phhsu_exec:s0
+/system/bin/vndk-detect u:object_r:vndk_detect_exec:s0
+/system/etc/usb_audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
+/system/bin/rw-system.sh u:object_r:phhsu_exec:s0
+/system/bin/phh-on-boot.sh u:object_r:phhsu_exec:s0
+/system/bin/phh-on-data.sh u:object_r:phhsu_exec:s0
+/system/bin/asus-motor u:object_r:phhsu_exec:s0
+
+#/system/bin/fsck\.exfat u:object_r:fsck_exec:s0
+/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
+
+/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
+
+/sec_storage(/.*)? u:object_r:teecd_data_file:s0
+/dev/dsm u:object_r:dmd_device:s0
+
+/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oppo.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
+/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oplus.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
+
+/efs u:object_r:efs_file:s0
+
+/dev/smcinvoke u:object_r:smcinvoke_device:s0
diff --git a/cat/sepolicy/genfs_contexts b/cat/sepolicy/genfs_contexts
new file mode 100644
index 0000000..56e8950
--- /dev/null
+++ b/cat/sepolicy/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /board_properties u:object_r:sysfs_board_properties:s0
diff --git a/cat/sepolicy/hal.te b/cat/sepolicy/hal.te
new file mode 100644
index 0000000..cb44422
--- /dev/null
+++ b/cat/sepolicy/hal.te
@@ -0,0 +1,10 @@
+type hal_fingerprint_oppo_compat, domain;
+hal_client_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
+hal_server_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
+
+type hal_fingerprint_oppo_compat_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_oppo_compat)
+
+
+type hal_fingerprint_oppo, domain;
+allow hal_fingerprint_oppo vendor_default_prop:property_service { set };
diff --git a/cat/sepolicy/hardware_overlay.te b/cat/sepolicy/hardware_overlay.te
new file mode 100644
index 0000000..d3bb487
--- /dev/null
+++ b/cat/sepolicy/hardware_overlay.te
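Review bot: `rw-system.sh`, `phh-on-boot.sh`, `phh-on-data.sh` and `asus-motor` all receive the `phhsu_exec` label, the same type as `/system/bin/phh-su`, so every rule written for the su binary elsewhere in this patch (`allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };` and `domain_auto_trans(init, phhsu_exec, phhsu_daemon);`) applies to these scripts too: any app can execute them in its own domain and init will transition them into the permissive root domain. One exec type per purpose keeps those grants narrow and lets each script's rules be reviewed on their own. Separately, the two `/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oppo.compat` entries are regexes in file_contexts, so the unescaped dots match any character; escaping them as the `fsck\.ntfs` entry does avoids accidental matches.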
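Review bot: In hal.te, `hal_fingerprint_oppo_compat_exec` is declared with `vendor_file_type` while file_contexts puts its binaries under `/system/bin/hw/`, so a system-partition file carries a vendor attribute; unless a specific rule depends on that attribute, `type hal_fingerprint_oppo_compat_exec, exec_type, file_type;` matches the other exec types in this patch, and if it is needed a comment should say which rule. The domain is both `hal_client_domain` and `hal_server_domain` for `hal_fingerprint`, which is presumably because the compat shim bridges an OEM HAL to the standard interface; a one-line comment stating that would save the next reader a guess. `type hal_fingerprint_oppo, domain;` declares a domain with no exec type or transition, apparently only so the `vendor_default_prop` rule has a subject, which is also worth a comment.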
@@ -0,0 +1 @@
+allow priv_app overlay_service:service_manager find;
diff --git a/cat/sepolicy/hostapd.te b/cat/sepolicy/hostapd.te
new file mode 100644
index 0000000..fd37b61
--- /dev/null
+++ b/cat/sepolicy/hostapd.te
@@ -0,0 +1,4 @@
+type hostapd, domain;
+
+allow hostapd wifi_data_file:dir create_dir_perms;
+allow hostapd wifi_data_file:file create_file_perms;
diff --git a/cat/sepolicy/huawei.te b/cat/sepolicy/huawei.te
new file mode 100644
index 0000000..e912528
--- /dev/null
+++ b/cat/sepolicy/huawei.te
@@ -0,0 +1,17 @@
+allow ueventd proc:file r_file_perms;
+permissive ueventd;
+
+type teecd_data_file, file_type;
+type dmd_device, file_type;
+allow hal_fingerprint_server dmd_device:chr_file rw_file_perms;
+allow hal_fingerprint_server sysfs:file rw_file_perms;
+allow tee hal_fingerprint_default:process { getattr };
+allow tee teecd_data_file:dir { search read write create getattr add_name open };
+allow tee teecd_data_file:file { read write create getattr open };
+allow tee system_data_file:dir { getattr };
+
+type oeminfo_nvm, domain;
+type oeminfo_nvm_device, file_type;
+allowxperm oeminfo_nvm oeminfo_nvm_device:blk_file ioctl { 0x1260 };
+
+allow charger rootfs:file { ioctl read getattr lock map execute entrypoint open };
diff --git a/cat/sepolicy/init.te b/cat/sepolicy/init.te
new file mode 100644
index 0000000..42f5bf5
--- /dev/null
+++ b/cat/sepolicy/init.te
@@ -0,0 +1,13 @@
+#This is in Android 8.0, but not 8.1
+domain_trans(init, rootfs, adbd)
+
+#This is used on Huawei devices to f2fs data partition
+allow init userdata_block_device:blk_file relabelto;
+allow init userdata_block_device:lnk_file relabelto;
+
+allow vendor_init vendor_init:capability { sys_module };
+
+allow init system_file:lnk_file create_file_perms;
+
+#fix adb in some cases
+allow init adbd_exec:lnk_file read;
diff --git a/cat/sepolicy/lenovo.te b/cat/sepolicy/lenovo.te
new file mode 100644
index 0000000..19e3314
--- /dev/null
+++ b/cat/sepolicy/lenovo.te
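Review bot: `permissive ueventd;` in huawei.te removes SELinux enforcement from a root daemon that creates device nodes, and it sits directly under `allow ueventd proc:file r_file_perms;`, which suggests the concrete denial was already identified; if that one rule covers it, drop the permissive line, otherwise paste the remaining avc denial as a comment (as bootanim.te and su.te do) and add targeted allows for it. `allow hal_fingerprint_server sysfs:file rw_file_perms;` grants write on everything carrying the generic `sysfs` label rather than a dedicated node type; labeling the specific path through genfs_contexts, as this patch does for `sysfs_board_properties`, keeps it scoped. `allow charger rootfs:file { ioctl read getattr lock map execute entrypoint open };` lets charger be entered from any rootfs file, so a comment naming the Huawei binary that needs it would justify the width.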
@@ -0,0 +1,4 @@
+type sysfs_tp, file_type;
+
+#Allow treble_app access to /sys/devices/virtual/touch/tp_dev/gesture_on
+allow system_app sysfs_tp:file rw_file_perms;
diff --git a/cat/sepolicy/lmkd.te b/cat/sepolicy/lmkd.te
new file mode 100644
index 0000000..46e1a61
--- /dev/null
+++ b/cat/sepolicy/lmkd.te
@@ -0,0 +1 @@
+allow lmkd self:capability sys_ptrace;
diff --git a/cat/sepolicy/mediatek.te b/cat/sepolicy/mediatek.te
new file mode 100644
index 0000000..1577411
--- /dev/null
+++ b/cat/sepolicy/mediatek.te
@@ -0,0 +1,19 @@
+type hal_graphics_allocator_default, domain;
+type proc_ged, file_type;
+allowxperm domain proc_ged:file ioctl { 0x6700-0x67ff };
+
+allow init mnt_product_file:dir mounton;
+
+type mtk_hal_audio, domain;
+typeattribute mtk_hal_audio hal_broadcastradio_client;
+
+type mtk_hal_power, domain;
+allow mtk_hal_power system_data_root_file:file create_file_perms;
+allow zygote ashmem_device:chr_file execute;
+
+attribute hal_mms_server;
+binder_call({appdomain -isolated_app}, hal_mms_server)
+binder_call(hal_mms_server, {appdomain -isolated_app})
+
+type mtk_hal_mms_hwservice, hwservice_manager_type;
+allow { appdomain -isolated_app } mtk_hal_mms_hwservice:hwservice_manager find;
diff --git a/cat/sepolicy/oppo.te b/cat/sepolicy/oppo.te
new file mode 100644
index 0000000..216ba3c
--- /dev/null
+++ b/cat/sepolicy/oppo.te
@@ -0,0 +1,6 @@
+type sysfs_usb_supply, file_type;
+
+allow system_app sysfs_usb_supply:file rw_file_perms;
+
+type hal_fingerprint_oplus, domain;
+allow hal_fingerprint_oplus vendor_default_prop:property_service set;
diff --git a/cat/sepolicy/qualcomm.te b/cat/sepolicy/qualcomm.te
new file mode 100644
index 0000000..2669694
--- /dev/null
+++ b/cat/sepolicy/qualcomm.te
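Review bot: `allowxperm domain proc_ged:file ioctl { 0x6700-0x67ff };` in mediatek.te has no matching `allow domain proc_ged:file ioctl` in this hunk, and an allowxperm only narrows an ioctl permission granted elsewhere, so either the rule is inert or, if some other policy grants `ioctl` on `proc_ged` broadly, it opens the whole 0x67xx range to every domain including untrusted apps. I'd name the domains that actually talk to GED and add the base `allow` next to the xperm rule so the pair can be read together. `proc_ged` is declared `file_type` without `proc_type`, which is worth checking against whatever genfs entry labels the node. `allow zygote ashmem_device:chr_file execute;` makes ashmem mappings executable in the process every app forks from, which weakens W^X for all apps; a comment quoting the denial that motivated it, as bootanim.te does, would let a later reader judge whether it is still needed.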
@@ -0,0 +1,30 @@
+type bt_firmware_file, file_type;
+type rild, domain;
+
+#me.phh.treble.qti.audio is system-signed
+allow system_app hal_telephony_hwservice:hwservice_manager { find };
+allow { rild system_app } { rild system_app }:binder { call transfer };
+
+#Pixel 1
+type vnd_qcril_audio_hwservice, hwservice_manager_type;
+allow system_app vnd_qcril_audio_hwservice:hwservice_manager { find };
+
+#Pixel 2
+type vnd_qcrilhook_hwservice, hwservice_manager_type;
+allow system_app vnd_qcrilhook_hwservice:hwservice_manager { find };
+
+#OP6
+allow system_app hal_telephony_hwservice:hwservice_manager { find };
+
+# cf https://github.com/phhusson/treble_experimentations/issues/131
+# SELinux : avc: denied { add } for interface=android.hardware.tetheroffload.control::IOffloadControl pid=15220 scontext=u:r:ipacm:s0 tcontext=u:object_r:hal_tetheroffload_hwservice:s0 tclass=hwservice_manager permissive=0
+type ipacm, hwservice_manager_type;
+allow ipacm hal_tetheroffload_hwservice:hwservice_manager { add };
+
+type rpmb_device, file_type;
+allow tee rpmb_device:blk_file rw_file_perms;
+allowxperm tee rpmb_device:blk_file ioctl { 0xb300-0xbfff };
+
+attribute smcinvoke_device_29_0;
+type smcinvoke_device, dev_type;
+typeattribute smcinvoke_device smcinvoke_device_29_0;
diff --git a/cat/sepolicy/samsung.te b/cat/sepolicy/samsung.te
new file mode 100644
index 0000000..63f4edc
--- /dev/null
+++ b/cat/sepolicy/samsung.te
@@ -0,0 +1,4 @@
+type boot_prop, property_type;
+
+set_prop(system_server, boot_prop);
+
diff --git a/cat/sepolicy/service_contexts b/cat/sepolicy/service_contexts
new file mode 100644
index 0000000..7680633
--- /dev/null
+++ b/cat/sepolicy/service_contexts
@@ -0,0 +1,10 @@
+qti.ims.ext u:object_r:radio_service:s0
+# SPRD IMS
+ims_ex u:object_r:radio_service:s0
+ims_ut_ex u:object_r:radio_service:s0
+ims_doze_manager u:object_r:radio_service:s0
+irit u:object_r:radio_service:s0
+
+# MTK IMS
+mwis u:object_r:radio_service:s0
+mtkIms u:object_r:radio_service:s0
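Review bot: `allow system_app hal_telephony_hwservice:hwservice_manager { find };` appears twice in qualcomm.te, once under the `#me.phh.treble.qti.audio` comment and again under `#OP6`; drop the second copy and merge the two comments so the remaining line documents both devices. `type ipacm, hwservice_manager_type;` declares ipacm as a hwservice label, yet the quoted denial shows it as a process (`scontext=u:r:ipacm:s0`), so the attribute looks wrong even though the following `allow ipacm ... { add }` will compile; `type ipacm, domain;` would match the other vendor daemons declared in this patch (`rild`, `oeminfo_nvm`), assuming the vendor policy does not already define it. `allow { rild system_app } { rild system_app }:binder { call transfer };` also grants rild→rild and system_app→system_app, which is harmless but worth a comment noting it is shorthand for the two cross-domain directions.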
diff --git a/cat/sepolicy/su.te b/cat/sepolicy/su.te
new file mode 100644
index 0000000..f8829cd
--- /dev/null
+++ b/cat/sepolicy/su.te
@@ -0,0 +1,151 @@
+type phhsu_daemon, domain, mlstrustedsubject;
+type phhsu_exec, exec_type, file_type;
+type phhsu_daemon_tmpfs, file_type;
+
+typeattribute phhsu_daemon coredomain;
+permissive phhsu_daemon;
+
+tmpfs_domain(phhsu_daemon);
+domain_auto_trans(init, phhsu_exec, phhsu_daemon);
+file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
+
+allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
+allow { appdomain shell } phhsu_daemon:sock_file { write read };
+allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
+
+create_pty(shell)
+allowxperm shell devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
+allowxperm { phhsu_daemon untrusted_app untrusted_app_27 } untrusted_app_all_devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
+
+allow servicemanager phhsu_daemon:dir { search read };
+allow servicemanager phhsu_daemon:file { open read };
+allow servicemanager phhsu_daemon:process { getattr };
+allow servicemanager phhsu_daemon:binder { call transfer };
+
+typeattribute phhsu_daemon mlstrustedobject;
+typeattribute phhsu_daemon mlstrustedsubject;
+
+allow shell su_exec:file getattr;
+typeattribute su mlstrustedsubject;
+
+allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
+
+allow system_server phhsu_daemon:fifo_file { read write getattr };
+allow system_server phhsu_daemon:fd use;
+allow system_server phhsu_daemon:binder { call transfer };
+allow system_server shell_devpts:chr_file { read write };
+
+# Add su to various domains
+net_domain(phhsu_daemon)
+
+hwbinder_use(phhsu_daemon)
+
+allow domain untrusted_app_all_devpts:chr_file { getattr read write };
+allow phhsu_daemon untrusted_app_all_devpts:chr_file { getattr read write open ioctl };
+allow phhsu_daemon untrusted_app_all:fifo_file { getattr read write open ioctl };
+allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
+
+allow appdomain phhsu_daemon:dir { search };
+
+allow phhsu_daemon self:global_capability_class_set { sys_resource sys_ptrace };
+
+allow phhsu_daemon self:dir rw_dir_perms;
+allow phhsu_daemon self:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon self:lnk_file { r_file_perms execmod };
+
+allow phhsu_daemon adbd_exec:file { getattr read };
+allow phhsu_daemon { rootfs same_process_hal_file system_file tmpfs }:file { mounton getattr };
+allow phhsu_daemon self:capability { sys_admin chown setuid setgid net_raw dac_override dac_read_search kill fowner mknod };
+allow phhsu_daemon self:capability2 { syslog };
+allow phhsu_daemon shell_exec:file rx_file_perms;
+allow phhsu_daemon system_file:file { rx_file_perms entrypoint };
+allow phhsu_daemon kmsg_device:chr_file { ioctl w_file_perms };
+allow phhsu_daemon toolbox_exec:file rx_file_perms;
+allow phhsu_daemon system_block_device:{ lnk_file file } r_file_perms;
+
+allow { phhsu_daemon shell } domain:dir rw_dir_perms;
+allow { phhsu_daemon shell } domain:file rw_file_perms;
+allow { phhsu_daemon shell } domain:lnk_file rw_file_perms;
+allow { phhsu_daemon shell } rootfs:file { rwx_file_perms create rename setattr unlink };
+allow { phhsu_daemon shell } rootfs:dir rw_dir_perms;
+allow phhsu_daemon asec_apk_file:dir rw_dir_perms;
+
+allow phhsu_daemon shell_devpts:chr_file rw_file_perms;
+
+allow phhsu_daemon app_data_file:dir rw_dir_perms;
+allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon dalvikcache_data_file:dir rw_dir_perms;
+allow phhsu_daemon dalvikcache_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon dalvikcache_data_file:lnk_file { r_file_perms execmod };
+allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon system_data_file:dir rw_dir_perms;
+allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon system_file:dir rw_dir_perms;
+allow phhsu_daemon system_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon init:unix_stream_socket { connectto };
+allow phhsu_daemon self:process { ptrace setexec execmem setfscreate };
+allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon app_data_file:dir rw_dir_perms;
+allow phhsu_daemon ashmem_device:chr_file { execute };
+allow phhsu_daemon dex2oat_exec:file rx_file_perms;
+
+
+allow phhsu_daemon phhsu_daemon_tmpfs:file rwx_file_perms;
+
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:file { rwx_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename };
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:lnk_file { rw_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:dir { rw_dir_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:chr_file { rwx_file_perms unlink rename ioctl};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:blk_file { rw_file_perms create unlink rename ioctl};
+
+allow phhsu_daemon device:file rwx_file_perms;
+allow phhsu_daemon device:dir rw_dir_perms;
+
+allow phhsu_daemon domain:process { ptrace signal signull getattr };
+allow phhsu_daemon selinuxfs:file rwx_file_perms;
+allow domain phhsu_daemon:process { sigchld };
+allow phhsu_daemon domain:binder { call transfer };
+allow phhsu_daemon kernel:system { syslog_read syslog_mod };
+allow phhsu_daemon kernel:security { setenforce compute_av };
+allow phhsu_daemon domain:unix_stream_socket { getattr };
+
+allow phhsu_daemon logdr_socket:sock_file write;
+allow phhsu_daemon logd:unix_stream_socket connectto;
+
+allow phhsu_daemon property_type:property_service { set };
+allow phhsu_daemon property_socket:sock_file { write };
+allow phhsu_daemon property_type:file rw_file_perms;
+allow phhsu_daemon { hwservicemanager hwservice_manager_type }:hwservice_manager { list add find };
+allow phhsu_daemon domain:unix_dgram_socket rw_socket_perms;
+
+allow phhsu_daemon tombstoned_intercept_socket:sock_file { write };
+allow phhsu_daemon tombstoned:unix_stream_socket { connectto };
+
+allow phhsu_daemon { property_data_file data_file_type tmpfs }:file create_file_perms;
+allow phhsu_daemon { property_data_file data_file_type tmpfs }:dir create_dir_perms;
+
+allow phhsu_daemon { tmpfs fs_type }:filesystem { mount remount unmount associate };
+
+allow phhsu_daemon phhsu_daemon:file relabelfrom;
+
+allow phhsu_daemon properties_device:dir { map };
+allow phhsu_daemon { tmpfs }:dir { mounton };
+allow phhsu_daemon { file_type shell_data_file system_file}:file { relabelto relabelfrom} ;
+
+allow phhsu_daemon domain:fd { use };
+allow phhsu_daemon domain:unix_stream_socket { connectto ioctl getattr getopt read write shutdown };
+allow phhsu_daemon self:netlink_kobject_uevent_socket create_socket_perms;
+allow phhsu_daemon self:{ netlink_tcpdiag_socket } { create_socket_perms nlmsg_write nlmsg_read };
+allow phhsu_daemon self:{ netlink_selinux_socket } { create_socket_perms };
+
+allow phhsu_daemon file_type:file create_file_perms;
+allow phhsu_daemon file_type:dir create_dir_perms;
+
+allow phhsu_daemon domain:process { transition };
+
+
+# 05-09 00:05:30.149 18450 18450 W lprename: type=1400 audit(0.0:40923): avc: denied { ioctl } for path="/dev/block/sda25" dev="tmpfs" ino=19441 ioctlcmd=0x1278 scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:super_block_device:s0 tclass=blk_file permissive=0
+# 06-06 12:59:53.775 30150 30150 I auditd : type=1400 audit(0.0:35585): avc: denied { ioctl } for comm="blockdev" path="/dev/block/dm-3" dev="tmpfs" ino=12687 ioctlcmd=0x125d scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
+
+allowxperm phhsu_daemon { file_type block_device }:blk_file ioctl { 0-0xffff };
+allowxperm phhsu_daemon { system_block_device super_block_device dm_device }:blk_file ioctl { 0x1278-0x127a 0x125d };
diff --git a/cat/sepolicy/treble_app.te b/cat/sepolicy/treble_app.te
new file mode 100644
index 0000000..6bb46a8
--- /dev/null
+++ b/cat/sepolicy/treble_app.te
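Review bot: The su.te rules whose subject is `shell` or `domain` grant far more than the root daemon needs: `allow { phhsu_daemon shell } domain:file rw_file_perms;` (and the matching `dir`, `lnk_file` and `rootfs` rules) hand an unrooted adb shell write access to every process's /proc entries and to the root filesystem without ever going through su, and `allow domain untrusted_app_all_devpts:chr_file { getattr read write };` lets every domain, including other apps, read and write an app's pty. The dedicated line right below it, `allow phhsu_daemon untrusted_app_all_devpts:chr_file { getattr read write open ioctl };`, already covers the daemon, so the `domain` rule can be deleted, and the `{ phhsu_daemon shell }` sets should shrink to `phhsu_daemon` unless a specific shell denial is pasted as justification the way the two blk_file denials are at the end. Because `permissive phhsu_daemon;` makes every `allow phhsu_daemon ...` line redundant at runtime, the file should say which mechanism is intended to survive; if the allows are the eventual enforcing policy, `allow phhsu_daemon kernel:security { setenforce compute_av };` and `allowxperm phhsu_daemon { file_type block_device }:blk_file ioctl { 0-0xffff };` deserve a comment confirming they are deliberate rather than leftovers from permissive-mode log scraping. Minor: `typeattribute phhsu_daemon mlstrustedsubject;` repeats the attribute already given on the `type phhsu_daemon` line, and the `app_data_file` pair and the `system_data_file:file` rule are each listed twice.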
@@ -0,0 +1,44 @@
+allow system_app hal_wifi_hostapd_hwservice:hwservice_manager { add find };
+allow system_app hidl_base_hwservice:hwservice_manager { add };
+allow system_app wifi_data_file:dir create_dir_perms;
+allow system_app wifi_data_file:file create_file_perms;
+
+allow system_app sysfs_batteryinfo:file rw_file_perms;
+
+type vendor_camera_prop, property_type;
+set_prop(system_app, vendor_camera_prop);
+type camera_prop, property_type;
+set_prop(system_app, camera_prop);
+
+type hal_ext_fingerprint_hwservice, hwservice_manager_type;
+allow system_app hal_ext_fingerprint_hwservice:hwservice_manager { find };
+type hal_fingerprint_default, domain;
+allow system_app hal_fingerprint_default:binder { call };
+allow system_app sysfs_power:dir r_dir_perms;
+allow system_app sysfs_power:file rw_file_perms;
+allow system_app sysfs_power:lnk_file read;
+
+type default_hisi_hwservice, hwservice_manager_type;
+allow system_app default_hisi_hwservice:hwservice_manager { find };
+
+type hal_tp_default, domain;
+allow system_app hal_tp_default:binder { call };
+
+#cam2api
+allow system_app vendor_default_prop:property_service { set };
+
+set_prop(system_app, default_prop);
+set_prop(system_app, exported3_default_prop);
+
+type mtk_hal_rild_hwservice, hwservice_manager_type;
+allow system_app mtk_hal_rild_hwservice:hwservice_manager { find};
+
+type mtk_vilte_support_prop, property_type;
+allow system_app mtk_vilte_support_prop:property_service set;
+
+type hal_gesturewake_hwservice, hwservice_manager_type;
+type hal_gesturewake_default, domain;
+allow system_app hal_gesturewake_hwservice:hwservice_manager { find };
+allow system_app hal_gesturewake_default:binder { call transfer };
+allow hal_gesturewake_default system_app:binder { call transfer };
+
diff --git a/cat/sepolicy/vndk_detect.te b/cat/sepolicy/vndk_detect.te
new file mode 100644
index 0000000..797094a
--- /dev/null
+++ b/cat/sepolicy/vndk_detect.te
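Review bot: Every rule in treble_app.te is written against `system_app`, which is the domain of all system-signed apps, not just the Treble settings app the filename refers to, so `set_prop(system_app, default_prop);`, `set_prop(system_app, exported3_default_prop);` and `allow system_app hidl_base_hwservice:hwservice_manager { add };` let any system app set unlabeled properties and register HIDL services. If that app is the only intended consumer, give it its own domain through a `seapp_contexts` entry keyed on its package name and move these rules there; the `sysfs_power`, `sysfs_batteryinfo` and `wifi_data_file` write grants would then stop reaching unrelated system apps as well. A comment per block naming the feature it serves, as `#cam2api` does, would make later pruning possible.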
@@ -0,0 +1,27 @@
+type vndk_detect, coredomain, domain;
+type vndk_detect_exec, exec_type, file_type;
+
+init_daemon_domain(vndk_detect);
+allow vndk_detect sepolicy_file:file r_file_perms;
+set_prop(vndk_detect,system_prop);
+set_prop(vndk_detect,debug_prop);
+
+allow vndk_detect shell_exec:file rx_file_perms;
+allow vndk_detect toolbox_exec:file rx_file_perms;
+#/system/bin/grep
+allow vndk_detect system_file:file rx_file_perms;
+
+#mount -o bind /system/bin/adbd /sbin/adbd
+allow vndk_detect adbd_exec:file { getattr read };
+allow vndk_detect rootfs:file { mounton getattr };
+allow vndk_detect self:capability { sys_admin };
+
+#mount -o bind /system/etc/usb_audio_policy_configuration.xml /vendor/etc/usb_audio_policy_configuration.xml
+allow init vendor_configs_file:file { getattr mounton };
+
+#/sys/module/five
+allow vndk_detect sysfs:file r_file_perms;
+allow vndk_detect sysfs:dir r_dir_perms;
+
+#/proc/filesystems
+allow vndk_detect proc_filesystems:file r_file_perms;
diff --git a/cat/sepolicy/vold.te b/cat/sepolicy/vold.te
new file mode 100644
index 0000000..7cbd585
--- /dev/null
+++ b/cat/sepolicy/vold.te
@@ -0,0 +1,2 @@
+allow vold system_data_file:lnk_file { unlink };
+allow mediaextractor sdcard_type:file read;
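Review bot: `allow vndk_detect self:capability { sys_admin };` combined with `allow vndk_detect rootfs:file { mounton getattr };` and `allow vndk_detect system_file:file rx_file_perms;` means a daemon that runs shell and toolbox binaries can bind-mount over any file labeled `rootfs`, while the comment says only `/sbin/adbd` is the target; if that path can be given its own label the `mounton` can be restricted to it, and if it cannot a comment should say so. `allow init vendor_configs_file:file { getattr mounton };` is an init rule living in vndk_detect.te; moving it to init.te next to the other init rules keeps each file per-domain. `set_prop(vndk_detect,system_prop);` grants write on the broad `system_prop` label, so naming the property it sets in a comment would help a reviewer confirm the grant is still needed.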