Try again

This commit is contained in:
Nehemiah of Zebulun 2023-10-09 14:14:16 -04:00
parent 161868053f
commit 88c03f6bcd
22 changed files with 1 additions and 381 deletions


@ -13,8 +13,7 @@ TARGET_CPU_ABI2 := armeabi
# TODO(b/36764215): remove this setting when the generic system image
# no longer has QCOM-specific directories under /.
#BOARD_SEPOLICY_DIRS += build/make/target/board/generic_arm64/sepolicy
BOARD_SEPOLICY_DIRS += device/wephone/cat/sepolicy
BOARD_SEPOLICY_DIRS += build/make/target/board/generic_arm64/sepolicy
TARGET_ENABLE_MEDIADRM_64 :=
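Review bot: Dropping `device/wephone/cat/sepolicy` from BOARD_SEPOLICY_DIRS also drops the deleted file_contexts labels (`/system/bin/phh-su`, `/system/bin/vndk-detect`, `/system/bin/asus-motor`, `/efs`, `/dev/smcinvoke`, …) and the `init_daemon_domain`/`domain_auto_trans` rules for those binaries, so anything from that set still shipped in the image will fall back to the default label and, with enforcing policy, be denied at boot rather than keep working — the matching init .rc services and binaries should be removed in the same change, or a boot log should be checked for `avc: denied` on those paths. Retiring `permissive phhsu_daemon`, `permissive ueventd` and the blanket `allow phhsu_daemon { ... file_type ... }` rules is the right direction, but only if nothing else in this build still relies on phh-su. The `TODO(b/36764215)` comment immediately above was written about the generic_arm64 line that this hunk re-enables; if that include is meant to stay, the note should be reworded or removed so it is not read as a pending deletion. The hunk header reports 8 old / 7 new lines but only six are visible here, so part of this section is not shown.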


@ -1,5 +0,0 @@
allow cameraserver phhsu_exec:file rx_file_perms;
type asus_motor_device, file_type;
allow cameraserver asus_motor_device:chr_file { open read write ioctl };
allowxperm cameraserver asus_motor_device:chr_file ioctl { 0x4d02 };


@ -1,4 +0,0 @@
type sysfs_board_properties, fs_type, sysfs_type;
allow system_server sysfs_board_properties:dir search;
allow system_server sysfs_board_properties:file r_file_perms;


@ -1,3 +0,0 @@
#11-14 21:15:02.748 477 477 I auditd : type=1400 audit(0.0:104): avc: denied { search } for comm="BootAnimation" name="dri" dev="tmpfs" ino=1108 scontext=u:r:bootanim:s0 tcontext=u:object_r:gpu_device:s0 tclass=dir permissive=0
#Seen on some MTK devices
allow bootanim gpu_device:dir r_dir_perms;


@ -1,22 +0,0 @@
/system/bin/phh-su u:object_r:phhsu_exec:s0
/system/bin/vndk-detect u:object_r:vndk_detect_exec:s0
/system/etc/usb_audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
/system/bin/rw-system.sh u:object_r:phhsu_exec:s0
/system/bin/phh-on-boot.sh u:object_r:phhsu_exec:s0
/system/bin/phh-on-data.sh u:object_r:phhsu_exec:s0
/system/bin/asus-motor u:object_r:phhsu_exec:s0
#/system/bin/fsck\.exfat u:object_r:fsck_exec:s0
/system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
/bt_firmware(/.*)? u:object_r:bt_firmware_file:s0
/sec_storage(/.*)? u:object_r:teecd_data_file:s0
/dev/dsm u:object_r:dmd_device:s0
/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oppo.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
/system/bin/hw/android.hardware.biometrics.fingerprint@2.1-service.oplus.compat u:object_r:hal_fingerprint_oppo_compat_exec:s0
/efs u:object_r:efs_file:s0
/dev/smcinvoke u:object_r:smcinvoke_device:s0


@ -1 +0,0 @@
genfscon sysfs /board_properties u:object_r:sysfs_board_properties:s0


@ -1,10 +0,0 @@
type hal_fingerprint_oppo_compat, domain;
hal_client_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
hal_server_domain(hal_fingerprint_oppo_compat, hal_fingerprint)
type hal_fingerprint_oppo_compat_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_fingerprint_oppo_compat)
type hal_fingerprint_oppo, domain;
allow hal_fingerprint_oppo vendor_default_prop:property_service { set };


@ -1 +0,0 @@
allow priv_app overlay_service:service_manager find;


@ -1,4 +0,0 @@
type hostapd, domain;
allow hostapd wifi_data_file:dir create_dir_perms;
allow hostapd wifi_data_file:file create_file_perms;


@ -1,17 +0,0 @@
allow ueventd proc:file r_file_perms;
permissive ueventd;
type teecd_data_file, file_type;
type dmd_device, file_type;
allow hal_fingerprint_server dmd_device:chr_file rw_file_perms;
allow hal_fingerprint_server sysfs:file rw_file_perms;
allow tee hal_fingerprint_default:process { getattr };
allow tee teecd_data_file:dir { search read write create getattr add_name open };
allow tee teecd_data_file:file { read write create getattr open };
allow tee system_data_file:dir { getattr };
type oeminfo_nvm, domain;
type oeminfo_nvm_device, file_type;
allowxperm oeminfo_nvm oeminfo_nvm_device:blk_file ioctl { 0x1260 };
allow charger rootfs:file { ioctl read getattr lock map execute entrypoint open };


@ -1,13 +0,0 @@
#This is in Android 8.0, but not 8.1
domain_trans(init, rootfs, adbd)
#This is used on Huawei devices to f2fs data partition
allow init userdata_block_device:blk_file relabelto;
allow init userdata_block_device:lnk_file relabelto;
allow vendor_init vendor_init:capability { sys_module };
allow init system_file:lnk_file create_file_perms;
#fix adb in some cases
allow init adbd_exec:lnk_file read;


@ -1,4 +0,0 @@
type sysfs_tp, file_type;
#Allow treble_app access to /sys/devices/virtual/touch/tp_dev/gesture_on
allow system_app sysfs_tp:file rw_file_perms;


@ -1 +0,0 @@
allow lmkd self:capability sys_ptrace;


@ -1,20 +0,0 @@
type hal_graphics_allocator_default, domain;
type proc_ged, file_type;
allowxperm domain proc_ged:file ioctl { 0x6700-0x67ff };
allow init mnt_product_file:dir mounton;
type mtk_hal_audio, domain;
typeattribute mtk_hal_audio hal_broadcastradio_client;
type mtk_hal_power, domain;
allow mtk_hal_power system_data_root_file:file create_file_perms;
allow zygote ashmem_device:chr_file execute;
attribute hal_mms_server;
binder_call({appdomain -isolated_app}, hal_mms_server)
binder_call(hal_mms_server, {appdomain -isolated_app})
type mtk_hal_mms_hwservice, hwservice_manager_type;
allow { appdomain -isolated_app } mtk_hal_mms_hwservice:hwservice_manager find;


@ -1,6 +0,0 @@
type sysfs_usb_supply, file_type;
allow system_app sysfs_usb_supply:file rw_file_perms;
type hal_fingerprint_oplus, domain;
allow hal_fingerprint_oplus vendor_default_prop:property_service set;


@ -1,30 +0,0 @@
type bt_firmware_file, file_type;
type rild, domain;
#me.phh.treble.qti.audio is system-signed
allow system_app hal_telephony_hwservice:hwservice_manager { find };
allow { rild system_app } { rild system_app }:binder { call transfer };
#Pixel 1
type vnd_qcril_audio_hwservice, hwservice_manager_type;
allow system_app vnd_qcril_audio_hwservice:hwservice_manager { find };
#Pixel 2
type vnd_qcrilhook_hwservice, hwservice_manager_type;
allow system_app vnd_qcrilhook_hwservice:hwservice_manager { find };
#OP6
allow system_app hal_telephony_hwservice:hwservice_manager { find };
# cf https://github.com/phhusson/treble_experimentations/issues/131
# SELinux : avc: denied { add } for interface=android.hardware.tetheroffload.control::IOffloadControl pid=15220 scontext=u:r:ipacm:s0 tcontext=u:object_r:hal_tetheroffload_hwservice:s0 tclass=hwservice_manager permissive=0
type ipacm, hwservice_manager_type;
allow ipacm hal_tetheroffload_hwservice:hwservice_manager { add };
type rpmb_device, file_type;
allow tee rpmb_device:blk_file rw_file_perms;
allowxperm tee rpmb_device:blk_file ioctl { 0xb300-0xbfff };
attribute smcinvoke_device_29_0;
type smcinvoke_device, dev_type;
typeattribute smcinvoke_device smcinvoke_device_29_0;


@ -1,4 +0,0 @@
type boot_prop, property_type;
set_prop(system_server, boot_prop);


@ -1,10 +0,0 @@
qti.ims.ext u:object_r:radio_service:s0
# SPRD IMS
ims_ex u:object_r:radio_service:s0
ims_ut_ex u:object_r:radio_service:s0
ims_doze_manager u:object_r:radio_service:s0
irit u:object_r:radio_service:s0
# MTK IMS
mwis u:object_r:radio_service:s0
mtkIms u:object_r:radio_service:s0


@ -1,151 +0,0 @@
type phhsu_daemon, domain, mlstrustedsubject;
type phhsu_exec, exec_type, file_type;
type phhsu_daemon_tmpfs, file_type;
typeattribute phhsu_daemon coredomain;
permissive phhsu_daemon;
tmpfs_domain(phhsu_daemon);
domain_auto_trans(init, phhsu_exec, phhsu_daemon);
file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
allow { appdomain shell } phhsu_daemon:sock_file { write read };
allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
create_pty(shell)
allowxperm shell devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
allowxperm { phhsu_daemon untrusted_app untrusted_app_27 } untrusted_app_all_devpts:chr_file ioctl { TCSETSF TCGETS unpriv_tty_ioctls };
allow servicemanager phhsu_daemon:dir { search read };
allow servicemanager phhsu_daemon:file { open read };
allow servicemanager phhsu_daemon:process { getattr };
allow servicemanager phhsu_daemon:binder { call transfer };
typeattribute phhsu_daemon mlstrustedobject;
typeattribute phhsu_daemon mlstrustedsubject;
allow shell su_exec:file getattr;
typeattribute su mlstrustedsubject;
allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
allow system_server phhsu_daemon:fifo_file { read write getattr };
allow system_server phhsu_daemon:fd use;
allow system_server phhsu_daemon:binder { call transfer };
allow system_server shell_devpts:chr_file { read write };
# Add su to various domains
net_domain(phhsu_daemon)
hwbinder_use(phhsu_daemon)
allow domain untrusted_app_all_devpts:chr_file { getattr read write };
allow phhsu_daemon untrusted_app_all_devpts:chr_file { getattr read write open ioctl };
allow phhsu_daemon untrusted_app_all:fifo_file { getattr read write open ioctl };
allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
allow appdomain phhsu_daemon:dir { search };
allow phhsu_daemon self:global_capability_class_set { sys_resource sys_ptrace };
allow phhsu_daemon self:dir rw_dir_perms;
allow phhsu_daemon self:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon self:lnk_file { r_file_perms execmod };
allow phhsu_daemon adbd_exec:file { getattr read };
allow phhsu_daemon { rootfs same_process_hal_file system_file tmpfs }:file { mounton getattr };
allow phhsu_daemon self:capability { sys_admin chown setuid setgid net_raw dac_override dac_read_search kill fowner mknod };
allow phhsu_daemon self:capability2 { syslog };
allow phhsu_daemon shell_exec:file rx_file_perms;
allow phhsu_daemon system_file:file { rx_file_perms entrypoint };
allow phhsu_daemon kmsg_device:chr_file { ioctl w_file_perms };
allow phhsu_daemon toolbox_exec:file rx_file_perms;
allow phhsu_daemon system_block_device:{ lnk_file file } r_file_perms;
allow { phhsu_daemon shell } domain:dir rw_dir_perms;
allow { phhsu_daemon shell } domain:file rw_file_perms;
allow { phhsu_daemon shell } domain:lnk_file rw_file_perms;
allow { phhsu_daemon shell } rootfs:file { rwx_file_perms create rename setattr unlink };
allow { phhsu_daemon shell } rootfs:dir rw_dir_perms;
allow phhsu_daemon asec_apk_file:dir rw_dir_perms;
allow phhsu_daemon shell_devpts:chr_file rw_file_perms;
allow phhsu_daemon app_data_file:dir rw_dir_perms;
allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon dalvikcache_data_file:dir rw_dir_perms;
allow phhsu_daemon dalvikcache_data_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon dalvikcache_data_file:lnk_file { r_file_perms execmod };
allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon system_data_file:dir rw_dir_perms;
allow phhsu_daemon system_data_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon system_file:dir rw_dir_perms;
allow phhsu_daemon system_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon init:unix_stream_socket { connectto };
allow phhsu_daemon self:process { ptrace setexec execmem setfscreate };
allow phhsu_daemon app_data_file:file { rwx_file_perms create rename setattr unlink };
allow phhsu_daemon app_data_file:dir rw_dir_perms;
allow phhsu_daemon ashmem_device:chr_file { execute };
allow phhsu_daemon dex2oat_exec:file rx_file_perms;
allow phhsu_daemon phhsu_daemon_tmpfs:file rwx_file_perms;
allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:file { rwx_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename };
allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:lnk_file { rw_file_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:dir { rw_dir_perms create mounton setattr getattr relabelto relabelfrom unlink rename};
allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:chr_file { rwx_file_perms unlink rename ioctl};
allow phhsu_daemon { proc_type dev_type exec_type file_type sysfs_type fs_type phhsu_daemon }:blk_file { rw_file_perms create unlink rename ioctl};
allow phhsu_daemon device:file rwx_file_perms;
allow phhsu_daemon device:dir rw_dir_perms;
allow phhsu_daemon domain:process { ptrace signal signull getattr };
allow phhsu_daemon selinuxfs:file rwx_file_perms;
allow domain phhsu_daemon:process { sigchld };
allow phhsu_daemon domain:binder { call transfer };
allow phhsu_daemon kernel:system { syslog_read syslog_mod };
allow phhsu_daemon kernel:security { setenforce compute_av };
allow phhsu_daemon domain:unix_stream_socket { getattr };
allow phhsu_daemon logdr_socket:sock_file write;
allow phhsu_daemon logd:unix_stream_socket connectto;
allow phhsu_daemon property_type:property_service { set };
allow phhsu_daemon property_socket:sock_file { write };
allow phhsu_daemon property_type:file rw_file_perms;
allow phhsu_daemon { hwservicemanager hwservice_manager_type }:hwservice_manager { list add find };
allow phhsu_daemon domain:unix_dgram_socket rw_socket_perms;
allow phhsu_daemon tombstoned_intercept_socket:sock_file { write };
allow phhsu_daemon tombstoned:unix_stream_socket { connectto };
allow phhsu_daemon { property_data_file data_file_type tmpfs }:file create_file_perms;
allow phhsu_daemon { property_data_file data_file_type tmpfs }:dir create_dir_perms;
allow phhsu_daemon { tmpfs fs_type }:filesystem { mount remount unmount associate };
allow phhsu_daemon phhsu_daemon:file relabelfrom;
allow phhsu_daemon properties_device:dir { map };
allow phhsu_daemon { tmpfs }:dir { mounton };
allow phhsu_daemon { file_type shell_data_file system_file}:file { relabelto relabelfrom} ;
allow phhsu_daemon domain:fd { use };
allow phhsu_daemon domain:unix_stream_socket { connectto ioctl getattr getopt read write shutdown };
allow phhsu_daemon self:netlink_kobject_uevent_socket create_socket_perms;
allow phhsu_daemon self:{ netlink_tcpdiag_socket } { create_socket_perms nlmsg_write nlmsg_read };
allow phhsu_daemon self:{ netlink_selinux_socket } { create_socket_perms };
allow phhsu_daemon file_type:file create_file_perms;
allow phhsu_daemon file_type:dir create_dir_perms;
allow phhsu_daemon domain:process { transition };
# 05-09 00:05:30.149 18450 18450 W lprename: type=1400 audit(0.0:40923): avc: denied { ioctl } for path="/dev/block/sda25" dev="tmpfs" ino=19441 ioctlcmd=0x1278 scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:super_block_device:s0 tclass=blk_file permissive=0
# 06-06 12:59:53.775 30150 30150 I auditd : type=1400 audit(0.0:35585): avc: denied { ioctl } for comm="blockdev" path="/dev/block/dm-3" dev="tmpfs" ino=12687 ioctlcmd=0x125d scontext=u:r:phhsu_daemon:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
allowxperm phhsu_daemon { file_type block_device }:blk_file ioctl { 0-0xffff };
allowxperm phhsu_daemon { system_block_device super_block_device dm_device }:blk_file ioctl { 0x1278-0x127a 0x125d };


@ -1,44 +0,0 @@
allow system_app hal_wifi_hostapd_hwservice:hwservice_manager { add find };
allow system_app hidl_base_hwservice:hwservice_manager { add };
allow system_app wifi_data_file:dir create_dir_perms;
allow system_app wifi_data_file:file create_file_perms;
allow system_app sysfs_batteryinfo:file rw_file_perms;
type vendor_camera_prop, property_type;
set_prop(system_app, vendor_camera_prop);
type camera_prop, property_type;
set_prop(system_app, camera_prop);
type hal_ext_fingerprint_hwservice, hwservice_manager_type;
allow system_app hal_ext_fingerprint_hwservice:hwservice_manager { find };
type hal_fingerprint_default, domain;
allow system_app hal_fingerprint_default:binder { call };
allow system_app sysfs_power:dir r_dir_perms;
allow system_app sysfs_power:file rw_file_perms;
allow system_app sysfs_power:lnk_file read;
type default_hisi_hwservice, hwservice_manager_type;
allow system_app default_hisi_hwservice:hwservice_manager { find };
type hal_tp_default, domain;
allow system_app hal_tp_default:binder { call };
#cam2api
allow system_app vendor_default_prop:property_service { set };
set_prop(system_app, default_prop);
set_prop(system_app, exported3_default_prop);
type mtk_hal_rild_hwservice, hwservice_manager_type;
allow system_app mtk_hal_rild_hwservice:hwservice_manager { find};
type mtk_vilte_support_prop, property_type;
allow system_app mtk_vilte_support_prop:property_service set;
type hal_gesturewake_hwservice, hwservice_manager_type;
type hal_gesturewake_default, domain;
allow system_app hal_gesturewake_hwservice:hwservice_manager { find };
allow system_app hal_gesturewake_default:binder { call transfer };
allow hal_gesturewake_default system_app:binder { call transfer };


@ -1,27 +0,0 @@
type vndk_detect, coredomain, domain;
type vndk_detect_exec, exec_type, file_type;
init_daemon_domain(vndk_detect);
allow vndk_detect sepolicy_file:file r_file_perms;
set_prop(vndk_detect,system_prop);
set_prop(vndk_detect,debug_prop);
allow vndk_detect shell_exec:file rx_file_perms;
allow vndk_detect toolbox_exec:file rx_file_perms;
#/system/bin/grep
allow vndk_detect system_file:file rx_file_perms;
#mount -o bind /system/bin/adbd /sbin/adbd
allow vndk_detect adbd_exec:file { getattr read };
allow vndk_detect rootfs:file { mounton getattr };
allow vndk_detect self:capability { sys_admin };
#mount -o bind /system/etc/usb_audio_policy_configuration.xml /vendor/etc/usb_audio_policy_configuration.xml
allow init vendor_configs_file:file { getattr mounton };
#/sys/module/five
allow vndk_detect sysfs:file r_file_perms;
allow vndk_detect sysfs:dir r_dir_perms;
#/proc/filesystems
allow vndk_detect proc_filesystems:file r_file_perms;


@ -1,2 +0,0 @@
allow vold system_data_file:lnk_file { unlink };
allow mediaextractor sdcard_type:file read;