Try again

cat/cat_s22.mk

@@ -22,6 +22,8 @@ $(call inherit-product, $(SRC_TARGET_DIR)/product/aosp_product.mk)
 #
 $(call inherit-product, $(SRC_TARGET_DIR)/product/gsi_release.mk)
 
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += device/wephone/cat/sepolicy
+
 # Don't build super.img.
 #PRODUCT_BUILD_SUPER_PARTITION := false
 

cat/sepolicy/asus.te

@@ -0,0 +1,5 @@
+allow cameraserver phhsu_exec:file rx_file_perms;
+
+type asus_motor_device, file_type;
+allow cameraserver asus_motor_device:chr_file { open read write ioctl };
+allowxperm cameraserver asus_motor_device:chr_file ioctl { 0x4d02 };

cat/sepolicy/board_properties.te

@@ -0,0 +1,4 @@
+type sysfs_board_properties, fs_type, sysfs_type;
+
+allow system_server sysfs_board_properties:dir search;
+allow system_server sysfs_board_properties:file r_file_perms;

cat/sepolicy/bootanim.te

@@ -0,0 +1,3 @@
+#11-14 21:15:02.748   477   477 I auditd  : type=1400 audit(0.0:104): avc: denied { search } for comm="BootAnimation" name="dri" dev="tmpfs" ino=1108 scontext=u:r:bootanim:s0 tcontext=u:object_r:gpu_device:s0 tclass=dir permissive=0
+#Seen on some MTK devices
+allow bootanim gpu_device:dir r_dir_perms;

cat/sepolicy/file_contexts

@@ -0,0 +1,22 @@
+/system/bin/phh-su                   u:object_r:phhsu_exec:s0
+/system/bin/vndk-detect			u:object_r:vndk_detect_exec:s0
+/system/etc/usb_audio_policy_configuration.xml	u:object_r:vendor_configs_file:s0
+/system/bin/rw-system.sh u:object_r:phhsu_exec:s0
+/system/bin/phh-on-boot.sh u:object_r:phhsu_exec:s0
+/system/bin/phh-on-data.sh u:object_r:phhsu_exec:s0
+/system/bin/asus-motor u:object_r:phhsu_exec:s0
+
+#/system/bin/fsck\.exfat                 u:object_r:fsck_exec:s0
+/system/bin/fsck\.ntfs                  u:object_r:fsck_exec:s0
+
+/bt_firmware(/.*)?      u:object_r:bt_firmware_file:s0
+
+/sec_storage(/.*)?      u:object_r:teecd_data_file:s0
+/dev/dsm                u:object_r:dmd_device:s0
+
+/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oppo.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
+/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oplus.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
+
+/efs u:object_r:efs_file:s0
+
+/dev/smcinvoke u:object_r:smcinvoke_device:s0

cat/sepolicy/genfs_contexts

@@ -0,0 +1 @@
+genfscon sysfs /board_properties u:object_r:sysfs_board_properties:s0

cat/sepolicy/hal.te

@@ -0,0 +1,10 @@
+type hal_fingerprint_oppo_compat, domain;
+hal_client_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
+hal_server_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
+
+type hal_fingerprint_oppo_compat_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_oppo_compat)
+
+
+type hal_fingerprint_oppo, domain;
+allow hal_fingerprint_oppo vendor_default_prop:property_service { set };

cat/sepolicy/hardware_overlay.te

@@ -0,0 +1 @@
+allow priv_app overlay_service:service_manager find;

cat/sepolicy/hostapd.te

@@ -0,0 +1,4 @@
+type hostapd, domain;
+
+allow hostapd wifi_data_file:dir create_dir_perms;
+allow hostapd wifi_data_file:file create_file_perms;

cat/sepolicy/huawei.te

@@ -0,0 +1,17 @@
+allow ueventd proc:file r_file_perms;
+permissive ueventd;
+
+type teecd_data_file, file_type;
+type dmd_device, file_type;
+allow hal_fingerprint_server dmd_device:chr_file rw_file_perms;
+allow hal_fingerprint_server sysfs:file rw_file_perms;
+allow tee hal_fingerprint_default:process { getattr };
+allow tee teecd_data_file:dir { search read write create getattr add_name open };
+allow tee teecd_data_file:file { read write create getattr open };
+allow tee system_data_file:dir { getattr };
+
+type oeminfo_nvm, domain;
+type oeminfo_nvm_device, file_type;
+allowxperm oeminfo_nvm oeminfo_nvm_device:blk_file ioctl { 0x1260 };
+
+allow charger rootfs:file { ioctl read getattr lock map execute entrypoint open };

cat/sepolicy/init.te

@@ -0,0 +1,13 @@
+#This is in Android 8.0, but not 8.1
+domain_trans(init, rootfs, adbd)
+
+#This is used on Huawei devices to f2fs data partition
+allow init userdata_block_device:blk_file relabelto;
+allow init userdata_block_device:lnk_file relabelto;
+
+allow vendor_init vendor_init:capability { sys_module };
+
+allow init system_file:lnk_file create_file_perms;
+
+#fix adb in some cases
+allow init adbd_exec:lnk_file read;

cat/sepolicy/lenovo.te

@@ -0,0 +1,4 @@
+type sysfs_tp, file_type;
+
+#Allow treble_app access to /sys/devices/virtual/touch/tp_dev/gesture_on
+allow system_app sysfs_tp:file rw_file_perms;

cat/sepolicy/lmkd.te

@@ -0,0 +1 @@
+allow lmkd self:capability sys_ptrace;

cat/sepolicy/mediatek.te

@@ -0,0 +1,19 @@
+type hal_graphics_allocator_default, domain; 
+type proc_ged, file_type; 
+allowxperm domain proc_ged:file ioctl { 0x6700-0x67ff };
+
+allow init mnt_product_file:dir mounton;
+
+type mtk_hal_audio, domain;
+typeattribute mtk_hal_audio hal_broadcastradio_client;
+
+type mtk_hal_power, domain;
+allow mtk_hal_power system_data_root_file:file create_file_perms;
+allow zygote ashmem_device:chr_file execute;
+
+attribute hal_mms_server;
+binder_call({appdomain -isolated_app}, hal_mms_server)
+binder_call(hal_mms_server, {appdomain -isolated_app})
+
+type mtk_hal_mms_hwservice, hwservice_manager_type;
+allow { appdomain -isolated_app }  mtk_hal_mms_hwservice:hwservice_manager find;

cat/sepolicy/oppo.te

@@ -0,0 +1,6 @@
+type sysfs_usb_supply, file_type;
+
+allow system_app sysfs_usb_supply:file rw_file_perms;
+
+type hal_fingerprint_oplus, domain;
+allow hal_fingerprint_oplus vendor_default_prop:property_service set;

cat/sepolicy/qualcomm.te

@@ -0,0 +1,30 @@
+type bt_firmware_file, file_type;
+type rild, domain;
+
+#me.phh.treble.qti.audio is system-signed
+allow system_app hal_telephony_hwservice:hwservice_manager { find };
+allow { rild system_app } { rild system_app }:binder { call transfer };
+
+#Pixel 1
+type vnd_qcril_audio_hwservice, hwservice_manager_type;
+allow system_app vnd_qcril_audio_hwservice:hwservice_manager { find };
+
+#Pixel 2
+type vnd_qcrilhook_hwservice, hwservice_manager_type;
+allow system_app vnd_qcrilhook_hwservice:hwservice_manager { find };
+
+#OP6
+allow system_app hal_telephony_hwservice:hwservice_manager { find };
+
+# cf https://github.com/phhusson/treble_experimentations/issues/131
+# SELinux : avc:  denied  { add } for interface=android.hardware.tetheroffload.control::IOffloadControl pid=15220 scontext=u:r:ipacm:s0 tcontext=u:object_r:hal_tetheroffload_hwservice:s0 tclass=hwservice_manager permissive=0
+type ipacm, hwservice_manager_type;
+allow ipacm hal_tetheroffload_hwservice:hwservice_manager { add };
+
+type rpmb_device, file_type;
+allow tee rpmb_device:blk_file rw_file_perms;
+allowxperm tee rpmb_device:blk_file ioctl { 0xb300-0xbfff };
+
+attribute smcinvoke_device_29_0;
+type smcinvoke_device, dev_type;
+typeattribute smcinvoke_device smcinvoke_device_29_0;

cat/sepolicy/samsung.te

@@ -0,0 +1,4 @@
+type boot_prop, property_type;
+
+set_prop(system_server, boot_prop);
+

cat/sepolicy/service_contexts

@@ -0,0 +1,10 @@
+qti.ims.ext                                          u:object_r:radio_service:s0
+# SPRD IMS
+ims_ex                                               u:object_r:radio_service:s0
+ims_ut_ex                                            u:object_r:radio_service:s0
+ims_doze_manager                                     u:object_r:radio_service:s0
+irit                                                 u:object_r:radio_service:s0
+
+# MTK IMS
+mwis                                    u:object_r:radio_service:s0
+mtkIms                                    u:object_r:radio_service:s0

cat/sepolicy/su.te

@@ -0,0 +1,151 @@
+type phhsu_daemon, domain, mlstrustedsubject;
+type phhsu_exec, exec_type, file_type;
+type phhsu_daemon_tmpfs, file_type;
+
+typeattribute phhsu_daemon coredomain;
+permissive phhsu_daemon;
+
+tmpfs_domain(phhsu_daemon);
+domain_auto_trans(init, phhsu_exec, phhsu_daemon);
+file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
+
+allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
+allow { appdomain shell } phhsu_daemon:sock_file { write read };
+allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
+
+create_pty(shell)
+allowxperm shell devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
+allowxperm { phhsu_daemon untrusted_app untrusted_app_27 } untrusted_app_all_devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
+
+allow servicemanager phhsu_daemon:dir { search read };
+allow servicemanager phhsu_daemon:file { open read };
+allow servicemanager phhsu_daemon:process { getattr };
+allow servicemanager phhsu_daemon:binder { call transfer };
+
+typeattribute phhsu_daemon mlstrustedobject;
+typeattribute phhsu_daemon mlstrustedsubject;
+
+allow shell su_exec:file getattr;
+typeattribute su mlstrustedsubject;
+
+allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
+
+allow system_server phhsu_daemon:fifo_file { read write getattr };
+allow system_server phhsu_daemon:fd use;
+allow system_server phhsu_daemon:binder { call transfer };
+allow system_server shell_devpts:chr_file { read write };
+
+# Add su to various domains
+net_domain(phhsu_daemon)
+
+hwbinder_use(phhsu_daemon)
+
+allow domain untrusted_app_all_devpts:chr_file { getattr read write };
+allow phhsu_daemon untrusted_app_all_devpts:chr_file { getattr read write open ioctl };
+allow phhsu_daemon untrusted_app_all:fifo_file { getattr read write open ioctl };
+allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
+
+allow appdomain phhsu_daemon:dir { search };
+
+allow phhsu_daemon self:global_capability_class_set { sys_resource sys_ptrace };
+
+allow phhsu_daemon self:dir rw_dir_perms;
+allow phhsu_daemon self:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon self:lnk_file { r_file_perms execmod };
+
+allow phhsu_daemon adbd_exec:file { getattr read };
+allow phhsu_daemon { rootfs same_process_hal_file system_file tmpfs }:file { mounton getattr };
+allow phhsu_daemon self:capability { sys_admin chown setuid setgid net_raw dac_override dac_read_search kill fowner mknod };
+allow phhsu_daemon self:capability2 { syslog };
+allow phhsu_daemon shell_exec:file rx_file_perms;
+allow phhsu_daemon system_file:file { rx_file_perms entrypoint };
+allow phhsu_daemon kmsg_device:chr_file { ioctl w_file_perms };
+allow phhsu_daemon toolbox_exec:file rx_file_perms;
+allow phhsu_daemon system_block_device:{ lnk_file file } r_file_perms;
+
+allow { phhsu_daemon shell } domain:dir rw_dir_perms;
+allow { phhsu_daemon shell } domain:file rw_file_perms;
+allow { phhsu_daemon shell } domain:lnk_file rw_file_perms;
+allow { phhsu_daemon shell } rootfs:file { rwx_file_perms create rename setattr unlink };
+allow { phhsu_daemon shell } rootfs:dir rw_dir_perms;
+allow phhsu_daemon asec_apk_file:dir rw_dir_perms;
+
+allow phhsu_daemon shell_devpts:chr_file rw_file_perms;
+
+allow phhsu_daemon app_data_file:dir rw_dir_perms;
+allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon dalvikcache_data_file:dir rw_dir_perms;
+allow phhsu_daemon dalvikcache_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon dalvikcache_data_file:lnk_file { r_file_perms execmod };
+allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon system_data_file:dir rw_dir_perms;
+allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon system_file:dir rw_dir_perms;
+allow phhsu_daemon system_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon init:unix_stream_socket { connectto };
+allow phhsu_daemon self:process { ptrace setexec execmem setfscreate };
+allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
+allow phhsu_daemon app_data_file:dir rw_dir_perms;
+allow phhsu_daemon ashmem_device:chr_file { execute };
+allow phhsu_daemon dex2oat_exec:file rx_file_perms;
+
+
+allow phhsu_daemon phhsu_daemon_tmpfs:file rwx_file_perms;
+
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:file { rwx_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename };
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:lnk_file { rw_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:dir { rw_dir_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:chr_file { rwx_file_perms unlink rename ioctl};
+allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:blk_file { rw_file_perms create unlink rename ioctl};
+
+allow phhsu_daemon device:file rwx_file_perms;
+allow phhsu_daemon device:dir rw_dir_perms;
+
+allow phhsu_daemon domain:process { ptrace signal signull getattr };
+allow phhsu_daemon selinuxfs:file rwx_file_perms;
+allow domain phhsu_daemon:process { sigchld };
+allow phhsu_daemon domain:binder { call transfer };
+allow phhsu_daemon kernel:system { syslog_read syslog_mod };
+allow phhsu_daemon kernel:security { setenforce compute_av };
+allow phhsu_daemon domain:unix_stream_socket { getattr };
+
+allow phhsu_daemon logdr_socket:sock_file write;
+allow phhsu_daemon logd:unix_stream_socket connectto;
+
+allow phhsu_daemon property_type:property_service { set };
+allow phhsu_daemon property_socket:sock_file { write };
+allow phhsu_daemon property_type:file rw_file_perms;
+allow phhsu_daemon { hwservicemanager hwservice_manager_type }:hwservice_manager { list add find };
+allow phhsu_daemon domain:unix_dgram_socket rw_socket_perms;
+
+allow phhsu_daemon tombstoned_intercept_socket:sock_file { write };
+allow phhsu_daemon tombstoned:unix_stream_socket { connectto };
+
+allow phhsu_daemon { property_data_file data_file_type tmpfs }:file create_file_perms;
+allow phhsu_daemon { property_data_file data_file_type tmpfs }:dir create_dir_perms;
+
+allow phhsu_daemon { tmpfs fs_type }:filesystem { mount remount unmount associate };
+
+allow phhsu_daemon phhsu_daemon:file relabelfrom;
+
+allow phhsu_daemon properties_device:dir { map };
+allow phhsu_daemon { tmpfs }:dir { mounton };
+allow phhsu_daemon { file_type shell_data_file system_file}:file { relabelto relabelfrom} ;
+
+allow phhsu_daemon domain:fd { use };
+allow phhsu_daemon domain:unix_stream_socket { connectto ioctl getattr getopt read write shutdown };
+allow phhsu_daemon self:netlink_kobject_uevent_socket create_socket_perms;
+allow phhsu_daemon self:{ netlink_tcpdiag_socket } { create_socket_perms nlmsg_write nlmsg_read };
+allow phhsu_daemon self:{ netlink_selinux_socket } { create_socket_perms };
+
+allow phhsu_daemon file_type:file create_file_perms;
+allow phhsu_daemon file_type:dir create_dir_perms;
+
+allow phhsu_daemon domain:process { transition };
+
+
+# 05-09 00:05:30.149 18450 18450 W lprename: type=1400 audit(0.0:40923): avc: denied { ioctl } for path="/dev/block/sda25" dev="tmpfs" ino=19441 ioctlcmd=0x1278 scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:super_block_device:s0 tclass=blk_file permissive=0
+# 06-06 12:59:53.775 30150 30150 I auditd  : type=1400 audit(0.0:35585): avc: denied { ioctl } for comm="blockdev" path="/dev/block/dm-3" dev="tmpfs" ino=12687 ioctlcmd=0x125d scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
+
+allowxperm phhsu_daemon { file_type block_device }:blk_file ioctl { 0-0xffff };
+allowxperm phhsu_daemon { system_block_device super_block_device dm_device }:blk_file ioctl { 0x1278-0x127a 0x125d };

cat/sepolicy/treble_app.te

@@ -0,0 +1,44 @@
+allow system_app hal_wifi_hostapd_hwservice:hwservice_manager { add find };
+allow system_app hidl_base_hwservice:hwservice_manager { add };
+allow system_app wifi_data_file:dir create_dir_perms;
+allow system_app wifi_data_file:file create_file_perms;
+
+allow system_app sysfs_batteryinfo:file rw_file_perms;
+
+type vendor_camera_prop, property_type;
+set_prop(system_app, vendor_camera_prop);
+type camera_prop, property_type;
+set_prop(system_app, camera_prop);
+
+type hal_ext_fingerprint_hwservice, hwservice_manager_type;
+allow system_app hal_ext_fingerprint_hwservice:hwservice_manager { find };
+type hal_fingerprint_default, domain;
+allow system_app hal_fingerprint_default:binder { call };
+allow system_app sysfs_power:dir r_dir_perms;
+allow system_app sysfs_power:file rw_file_perms;
+allow system_app sysfs_power:lnk_file read;
+
+type default_hisi_hwservice, hwservice_manager_type;
+allow system_app default_hisi_hwservice:hwservice_manager { find };
+
+type hal_tp_default, domain;
+allow system_app hal_tp_default:binder { call };
+
+#cam2api
+allow system_app vendor_default_prop:property_service { set };
+
+set_prop(system_app, default_prop);
+set_prop(system_app, exported3_default_prop);
+
+type mtk_hal_rild_hwservice, hwservice_manager_type;
+allow system_app mtk_hal_rild_hwservice:hwservice_manager { find};
+
+type mtk_vilte_support_prop, property_type;
+allow system_app mtk_vilte_support_prop:property_service set;
+
+type hal_gesturewake_hwservice, hwservice_manager_type;
+type hal_gesturewake_default, domain;
+allow system_app hal_gesturewake_hwservice:hwservice_manager { find };
+allow system_app hal_gesturewake_default:binder { call transfer };
+allow hal_gesturewake_default system_app:binder { call transfer };
+

cat/sepolicy/vndk_detect.te

@@ -0,0 +1,27 @@
+type vndk_detect, coredomain, domain;
+type vndk_detect_exec, exec_type, file_type;
+
+init_daemon_domain(vndk_detect);
+allow vndk_detect sepolicy_file:file r_file_perms;
+set_prop(vndk_detect,system_prop);
+set_prop(vndk_detect,debug_prop);
+
+allow vndk_detect shell_exec:file rx_file_perms;
+allow vndk_detect toolbox_exec:file rx_file_perms;
+#/system/bin/grep
+allow vndk_detect system_file:file rx_file_perms;
+
+#mount -o bind /system/bin/adbd /sbin/adbd
+allow vndk_detect adbd_exec:file { getattr read };
+allow vndk_detect rootfs:file { mounton getattr };
+allow vndk_detect self:capability { sys_admin };
+
+#mount -o bind /system/etc/usb_audio_policy_configuration.xml /vendor/etc/usb_audio_policy_configuration.xml
+allow init vendor_configs_file:file { getattr mounton };
+
+#/sys/module/five
+allow vndk_detect sysfs:file r_file_perms;
+allow vndk_detect sysfs:dir r_dir_perms;
+
+#/proc/filesystems
+allow vndk_detect proc_filesystems:file r_file_perms;

cat/sepolicy/vold.te

@@ -0,0 +1,2 @@
+allow vold system_data_file:lnk_file { unlink };
+allow mediaextractor sdcard_type:file read;