parent
4ff7f2bc80
commit
49c927e6d4
@ -0,0 +1,8 @@ |
||||
# Tag for read only filesystem type |
||||
attribute r_fs_type; |
||||
|
||||
# Tag for read/write filesystem type |
||||
attribute rw_fs_type; |
||||
|
||||
# Tag for read/execute filesystem type |
||||
attribute rx_fs_type; |
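Review bot: `rx_fs_type` on the last line is declared but no type in this change carries it and no rule references it, so it attaches nothing today; either drop it or add a comment above it saying it is reserved for a later change. The other two tags are carried by the new sysfs types but no allow or neverallow in this change keys on them, so a one-line header such as `# Tags only document intent until a neverallow references them` would stop readers assuming the tags enforce anything.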
@ -1,2 +1,12 @@ |
||||
# /dev/goodix_fp |
||||
type fingerprint_device, dev_type; |
||||
# device.te |
||||
type efs_block_device, dev_type; |
||||
type dtbo_block_device, dev_type; |
||||
type modem_block_device, dev_type; |
||||
type omr_block_device, dev_type; |
||||
type firmware_block_device, dev_type; |
||||
type dsp_block_device, dev_type; |
||||
type sec_efs_block_device, dev_type; |
||||
|
||||
type drb_device, dev_type; |
||||
type fp_sensor_device, dev_type; |
||||
type radio_qos_device, dev_type; |
||||
|
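Review bot: `type modem_block_device, dev_type;` is declared here, but the file_contexts in this change labels the modem partition `vendor_modem_block_device`, so the new type labels nothing; either relabel the partition with it or drop the declaration. Both `fingerprint_device` and `fp_sensor_device` appear in this section while file_contexts uses only `fp_sensor_device` for `/dev/goodix_fp`; the rendered page does not mark which of the two lines is the removed one, so confirm only one survives and that `# /dev/goodix_fp` sits next to the surviving declaration.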
@ -1,6 +1,44 @@ |
||||
type sysfs_sec_switch, fs_type, sysfs_type; |
||||
# SYSFS |
||||
type sysfs_battery, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_camera, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_fingerprint, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_iio, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_input, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_mdnie_writable, fs_type, sysfs_type; |
||||
type sysfs_lcd_writable, fs_type, sysfs_type; |
||||
type sysfs_npu, fs_type, sysfs_type; |
||||
type sysfs_sec_key, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_sec_switch, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_sec_touchscreen, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_sensors, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_wifi, sysfs_type, r_fs_type, fs_type; |
||||
|
||||
type sysfs_backlight_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_camera_writable, sysfs_type, r_fs_type, fs_type; |
||||
type sysfs_battery_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_lcd_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_power_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_sensors_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_sec_switch_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_touchscreen_writable, sysfs_type, rw_fs_type, fs_type; |
||||
type sysfs_wifi_writable, sysfs_type, rw_fs_type, fs_type; |
||||
|
||||
### DATA |
||||
type biometrics_vendor_data_file, file_type, data_file_type; |
||||
type conn_vendor_data_file, file_type, data_file_type; |
||||
type radio_vendor_data_file, file_type, data_file_type; |
||||
type gatekeeper_vendor_data_file, file_type, data_file_type; |
||||
|
||||
# EFS types |
||||
type app_efs_file, file_type; |
||||
type audio_efs_file, file_type; |
||||
type battery_efs_file, file_type; |
||||
type biometrics_efs_file, file_type; |
||||
type cpk_efs_file, file_type; |
||||
type imei_efs_file, file_type; |
||||
type nfc_efs_file, file_type; |
||||
type pfw_efs_file, file_type; |
||||
type prov_efs_file, file_type; |
||||
type wifi_efs_file, file_type; |
||||
|
||||
# PROC |
||||
type proc_last_kmsg, fs_type, proc_type; |
||||
|
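Review bot: `type sysfs_camera_writable, sysfs_type, r_fs_type, fs_type;` tags a `_writable` type read-only while every other `_writable` sysfs type here carries `rw_fs_type`, and hal_camera_default is granted write on it elsewhere in this change; change the line to `type sysfs_camera_writable, sysfs_type, rw_fs_type, fs_type;` so the tag matches the grant. `sysfs_mdnie_writable` and `sysfs_npu` carry neither tag, and `sysfs_sec_switch` and `sysfs_lcd_writable` each appear twice with different attribute lists; the page does not mark which copy is the removed side, so confirm only one declaration of each survives, since I would expect checkpolicy to reject a redeclared type.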
@ -1,21 +1,66 @@ |
||||
# sysfs |
||||
/sys/devices/virtual/sec/switch(/.*)? u:object_r:sysfs_sec_switch:s0 |
||||
/sys/class/lcd(/.*)? -- u:object_r:sysfs_lcd_writable:s0 |
||||
/sys/devices/virtual/lcd/panel(/.*)? u:object_r:sysfs_lcd_writable:s0 |
||||
/sys/devices/virtual/mdnie(/.*)? -- u:object_r:sysfs_mdnie_writable:s0 |
||||
|
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.widevine u:object_r:vendor_hal_drm_widevine_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.1-service.samsung-multihal u:object_r:hal_sensors_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/factory\.ssc u:object_r:factory_ssc_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/macloader u:object_r:macloader_exec:s0 |
||||
/(vendor|system/vendor)/bin/secril_config_svc u:object_r:vendor_secril_config_svc_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android.hardware.keymaster@4.0-service.samsung u:object_r:hal_keymaster_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor.samsung.hardware.camera.provider@4.0-service u:object_r:hal_camera_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.fastcharge@1\.0-service\.samsung u:object_r:hal_lineage_fastcharge_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung u:object_r:hal_lineage_touch_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service.samsung-qcom\.sm7125 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor.samsung.hardware.biometrics.fingerprint@3.0-service.sm7125 u:object_r:hal_fingerprint_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android.hardware.vibrator-service.sm7125 u:object_r:hal_vibrator_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.samsung u:object_r:hal_nfc_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.samsung-libperfmgr u:object_r:hal_power_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service-samsung u:object_r:hal_health_default_exec:s0 |
||||
# DATA |
||||
/data/vendor/biometrics(/.*)? u:object_r:biometrics_vendor_data_file:s0 |
||||
/data/vendor/conn(/.*)? u:object_r:conn_vendor_data_file:s0 |
||||
/data/vendor/secradio(/.*)? u:object_r:radio_vendor_data_file:s0 |
||||
/data/nfc_log(/.*)? u:object_r:nfc_data_file:s0 |
||||
/data/vendor/gatekeeper(/.*)? u:object_r:gatekeeper_vendor_data_file:s0 |
||||
|
||||
# DEV |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/dsp u:object_r:dsp_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/dtbo u:object_r:dtbo_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/efs u:object_r:efs_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/firmware u:object_r:firmware_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/modem u:object_r:vendor_modem_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/omr u:object_r:omr_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/persistent u:object_r:frp_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/sec_efs u:object_r:sec_efs_block_device:s0 |
||||
/dev/block/platform/soc/1d84000.ufshc/by-name/bluetooth u:object_r:vendor_modem_block_device:s0 |
||||
|
||||
/dev/ttyGS[0-9]* u:object_r:serial_device:s0 |
||||
|
||||
# Fingerprint |
||||
/dev/esfp[0-9] u:object_r:fp_sensor_device:s0 |
||||
/dev/goodix_fp u:object_r:fp_sensor_device:s0 |
||||
|
||||
# NFC |
||||
/dev/sec-nfc u:object_r:nfc_device:s0 |
||||
|
||||
# qos |
||||
/dev/network_throughput u:object_r:radio_qos_device:s0 |
||||
|
||||
# radio |
||||
/dev/drb u:object_r:drb_device:s0 |
||||
|
||||
# EFS |
||||
/efs/Battery(/.*)? u:object_r:battery_efs_file:s0 |
||||
/efs/biometrics(/.*)? u:object_r:biometrics_efs_file:s0 |
||||
/efs/FactoryApp(/.*)? u:object_r:app_efs_file:s0 |
||||
/efs/cpk(/.*)? u:object_r:cpk_efs_file:s0 |
||||
/efs/imei(/.*)? u:object_r:imei_efs_file:s0 |
||||
/efs/nfc(/.*)? u:object_r:nfc_efs_file:s0 |
||||
/efs/pfw_data(/.*)? u:object_r:pfw_efs_file:s0 |
||||
/efs/tas25xx(/.*)? u:object_r:audio_efs_file:s0 |
||||
|
||||
/mnt/vendor/efs(/.*)? u:object_r:efs_file:s0 |
||||
/mnt/vendor/efs/bluetooth(/.*)? u:object_r:bluetooth_efs_file:s0 |
||||
/mnt/vendor/efs/DAK(/.*)? u:object_r:prov_efs_file:s0 |
||||
/mnt/vendor/efs/prov(/.*)? u:object_r:prov_efs_file:s0 |
||||
/mnt/vendor/efs/prov_data(/.*)? u:object_r:prov_efs_file:s0 |
||||
/mnt/vendor/efs/wifi(/.*)? u:object_r:wifi_efs_file:s0 |
||||
|
||||
# VENDOR |
||||
/(vendor|system/vendor)/bin/factory\.ssc u:object_r:factory_ssc_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/macloader u:object_r:macloader_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor.samsung.hardware.camera.provider@4.0-service u:object_r:hal_camera_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@[0-9]\.[0-9]-service\.samsung u:object_r:hal_keymaster_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.power(@[0-9]\.[0-9])?-service\.samsung-libperfmgr u:object_r:hal_power_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@[0-9]\.[0-9]-service\.samsung u:object_r:hal_nfc_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.fastcharge@[0-9]\.[0-9]-service\.samsung u:object_r:hal_lineage_fastcharge_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch\@[0-9]\.[0-9]-service.samsung u:object_r:hal_lineage_touch_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/secril_config_svc u:object_r:secril_config_svc_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service.samsung-qcom\.sm7125 u:object_r:hal_lineage_livedisplay_sysfs_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/vendor.samsung.hardware.biometrics.fingerprint@3.0-service.sm7125 u:object_r:hal_fingerprint_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android.hardware.sensors@[0-9].[0-9]-service.samsung-multihal u:object_r:hal_sensors_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android.hardware.vibrator-service.sm7125 u:object_r:hal_vibrator_default_exec:s0 |
||||
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service-samsung u:object_r:hal_health_default_exec:s0 |
||||
|
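Review bot: The `by-name/bluetooth` entry labels the Bluetooth partition `vendor_modem_block_device`, the same type as the `by-name/modem` entry, so any domain granted raw access to the modem partition can also read or write the Bluetooth partition; give it its own type (e.g. a `bluetooth_block_device` declared in device.te) instead of sharing the modem label. The `modem_block_device` type declared in device.te in this change is not used by any entry here, so one of the two should go. Several exec entries leave `.` unescaped (`android.hardware.sensors@[0-9].[0-9]-service.samsung-multihal`, `vendor.samsung.hardware.camera.provider@4.0-service`, `android.hardware.vibrator-service.sm7125`) and therefore match more filenames than intended; escape them as the neighbouring entries do. The exec block appears twice (near the top and under `# VENDOR`) without a mark for which copy is removed; confirm the surviving copy is the one using `[0-9]\.[0-9]` version patterns.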
@ -0,0 +1,4 @@ |
||||
allow fsck self:capability kill; |
||||
|
||||
# EFS |
||||
allow fsck { efs_block_device sec_efs_block_device }:blk_file rw_file_perms; |
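Review bot: `allow fsck self:capability kill;` grants CAP_KILL to the whole fsck domain with no comment on which denial prompted it; fsck of the EFS partitions should not need to signal processes it does not own, so either drop it or document the trigger above the line, e.g. `# e2fsck on efs: <denial text here> — TODO confirm`. The blk_file rule on the two EFS block devices is the expected shape for fsck of a vendor partition.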
@ -0,0 +1,3 @@ |
||||
# /sys/devices/platform/soc/8804000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/ |
||||
allow fsck_untrusted vendor_sysfs_mmc_host:file { read open getattr }; |
||||
allow fsck_untrusted vendor_sysfs_mmc_host:dir search; |
@ -0,0 +1,47 @@ |
||||
# proc |
||||
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0 |
||||
|
||||
# sysfs |
||||
genfscon sysfs /bus/iio/devices u:object_r:sysfs_iio:s0 |
||||
|
||||
genfscon sysfs /class/input u:object_r:sysfs_input:s0 |
||||
genfscon sysfs /class/sec/tsp u:object_r:sysfs_sec_touchscreen:s0 |
||||
genfscon sysfs /class/sensor_event u:object_r:sysfs_sensors:s0 |
||||
genfscon sysfs /class/fingerprint/fingerprint u:object_r:sysfs_fingerprint:s0 |
||||
genfscon sysfs /kernel/boot_wlan/ u:object_r:sysfs_wifi_writable:s0 |
||||
|
||||
genfscon sysfs /devices/virtual/mdnie u:object_r:sysfs_mdnie_writable:s0 |
||||
genfscon sysfs /devices/virtual/input/ u:object_r:sysfs_input:s0 |
||||
genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-23/23-0049/input/ u:object_r:sysfs_power_writable:s0 |
||||
genfscon sysfs /module/qpnp_power_on/parameters/ u:object_r:sysfs_power_writable:s0 |
||||
genfscon sysfs /module/lpm_levels/parameters/ u:object_r:sysfs_power_writable:s0 |
||||
genfscon sysfs /devices/platform/soc/8804000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/ u:object_r:vendor_sysfs_mmc_host:s0 |
||||
genfscon sysfs /devices/virtual/lcd/panel/ u:object_r:sysfs_lcd_writable:s0 |
||||
genfscon sysfs /devices/platform/soc/9800000.qcom,npu/subsys6/ u:object_r:sysfs_npu:s0 |
||||
genfscon sysfs /devices/platform/soc/soc:battery/power_supply/ u:object_r:sysfs_battery:s0 |
||||
genfscon sysfs /devices/platform/soc/soc:battery/power_supply/battery/lcd u:object_r:sysfs_battery_writable:s0 |
||||
genfscon sysfs /devices/platform/soc/soc:sec-direct-charger/power_supply/ u:object_r:sysfs_battery:s0 |
||||
genfscon sysfs /devices/platform/soc/890000.i2c/i2c-22/22-0049/ u:object_r:sysfs_battery:s0 |
||||
genfscon sysfs /devices/platform/soc/890000.i2c/i2c-22/22-0057/ u:object_r:sysfs_battery:s0 |
||||
genfscon sysfs /devices/platform/soc/88c000.qcom,qup_uart/wakeup/ u:object_r:sysfs_wakeup:s0 |
||||
genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup28 u:object_r:sysfs_wakeup:s0 |
||||
genfscon sysfs /devices/virtual/sensors/ u:object_r:sysfs_sensors:s0 |
||||
genfscon sysfs /devices/virtual/fingerprint/fingerprint u:object_r:sysfs_fingerprint:s0 |
||||
genfscon sysfs /devices/virtual/sec/hall_ic/ u:object_r:sysfs_sensors:s0 |
||||
genfscon sysfs /devices/virtual/sec/sec_key u:object_r:sysfs_sec_key:s0 |
||||
genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_sec_touchscreen:s0 |
||||
genfscon sysfs /devices/virtual/sec/tsp/cmd u:object_r:sysfs_touchscreen_writable:s0 |
||||
genfscon sysfs /devices/virtual/sec/tsp/prox_power_off u:object_r:sysfs_touchscreen_writable:s0 |
||||
genfscon sysfs /devices/virtual/sec/tsp/input/enabled u:object_r:sysfs_touchscreen_writable:s0 |
||||
genfscon sysfs /devices/virtual/sec/switch u:object_r:sysfs_sec_switch:s0 |
||||
genfscon sysfs /devices/virtual/sec/switch/afc_disable u:object_r:sysfs_sec_switch_writable:s0 |
||||
genfscon sysfs /devices/virtual/camera/ u:object_r:sysfs_camera:s0 |
||||
genfscon sysfs /devices/virtual/camera/rear/ssrm_camera_info u:object_r:sysfs_camera_writable:s0 |
||||
genfscon sysfs /devices/virtual/camera/flash/rear_flash u:object_r:sysfs_camera_writable:s0 |
||||
genfscon sysfs /kernel/mm/vmscan/mem_boost_mode u:object_r:sysfs_camera_writable:s0 |
||||
|
||||
genfscon sysfs /power/ u:object_r:sysfs_power_writable:s0 |
||||
|
||||
genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 |
||||
genfscon sysfs /wifi/mac_addr u:object_r:sysfs_wifi_writable:s0 |
||||
genfscon sysfs /wifi/memdump u:object_r:sysfs_wifi_writable:s0 |
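Review bot: `genfscon sysfs /kernel/mm/vmscan/mem_boost_mode u:object_r:sysfs_camera_writable:s0` puts a global memory-reclaim knob under the camera HAL's write label, and hal_camera_default gets `{ read write open getattr }` on that type elsewhere in this change; give the node its own type so the write grant can be reviewed on its own, e.g. `genfscon sysfs /kernel/mm/vmscan/mem_boost_mode u:object_r:sysfs_mem_boost_writable:s0` with a matching declaration in file.te. `genfscon sysfs /power/ u:object_r:sysfs_power_writable:s0` labels the entire /sys/power tree writable, which is much wider than the `sysfs_power` read label the power HAL also uses; narrow it to the nodes the HAL actually writes. genfscon entries are prefix matches, so trailing-slash entries such as `/kernel/boot_wlan/` and `/devices/virtual/camera/` cover every node beneath them, which is worth stating in the `# sysfs` header.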
@ -0,0 +1,7 @@ |
||||
allow hal_audio_default audio_efs_file:file { read open }; |
||||
allow hal_audio_default audio_efs_file:dir search; |
||||
|
||||
allow hal_audio_default imei_efs_file:dir search; |
||||
allow hal_audio_default imei_efs_file:file { read open getattr }; |
||||
|
||||
allow hal_audio_default efs_file:dir search; |
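Review bot: `allow hal_audio_default imei_efs_file:file { read open getattr };` gives the audio HAL read access to every file under `/efs/imei`, a device-identifier directory that rild also reads in this change; if the audio HAL needs one file there, label that file separately rather than opening the whole type, and put the triggering denial in the comment. `audio_efs_file:file { read open }` lacks `getattr`, which most readers call before `open`; `r_file_perms` is the conventional grant.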
@ -0,0 +1,37 @@ |
||||
# /mnt/vendor/efs/bluetooth/ |
||||
allow hal_bluetooth_default bluetooth_efs_file:file { read open getattr }; |
||||
allow hal_bluetooth_default efs_file:dir search; |
||||
|
||||
set_prop(hal_bluetooth_default, vendor_bluetooth_prop) |
||||
get_prop(hal_bluetooth_default, vendor_bluetooth_prop) |
||||
get_prop(hal_bluetooth_default, exported_bluetooth_prop) |
||||
|
||||
allow hal_bluetooth_default self:file { read getattr map open }; |
||||
|
||||
allow hal_bluetooth_default hci_attach_dev:chr_file { ioctl read write getattr lock append map open watch watch_reads }; |
||||
allow hal_bluetooth_default serial_device:chr_file { ioctl read write getattr lock append map open watch watch_reads }; |
||||
allow hal_bluetooth_default tun_device:chr_file { ioctl read write getattr lock append map open watch watch_reads }; |
||||
|
||||
allow hal_bluetooth_default app_efs_file:dir { ioctl read getattr lock open watch watch_reads search }; |
||||
allow hal_bluetooth_default app_efs_file:file { ioctl read getattr lock map open watch watch_reads }; |
||||
|
||||
allow hal_bluetooth_default conn_vendor_data_file:dir { ioctl read getattr lock open watch watch_reads search }; |
||||
allow hal_bluetooth_default conn_vendor_data_file:file { ioctl read write getattr lock append map open watch watch_reads }; |
||||
|
||||
allow hal_bluetooth_default self:process ptrace; |
||||
allow hal_bluetooth_default sysfs_wake_lock:file { ioctl read write getattr lock append map open watch watch_reads }; |
||||
allow hal_bluetooth_default system_app_data_file:file { read getattr }; |
||||
|
||||
allow hal_bluetooth_default mediaextractor_service:service_manager find; |
||||
allow hal_bluetooth_default hal_bluetooth_a2dp_hwservice:hwservice_manager find; |
||||
|
||||
allow hal_bluetooth_default kmsg_device:chr_file { ioctl read getattr lock map open watch watch_reads }; |
||||
|
||||
allow hal_bluetooth_default property_socket:sock_file write; |
||||
|
||||
allow hal_bluetooth_default init:unix_stream_socket connectto; |
||||
|
||||
allow hal_bluetooth_default hwservicemanager_prop:file { read getattr map open }; |
||||
|
||||
binder_call(hal_bluetooth_default, gpuservice) |
||||
allow hal_bluetooth_default gpuservice:fd use; |
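Review bot: `allow hal_bluetooth_default system_app_data_file:file { read getattr };` lets a vendor HAL read private data of system apps, `kmsg_device:chr_file { ... read ... }` exposes the kernel log to it, and `self:process ptrace` is unusual for a HAL; none carries a comment, so each should name the denial it answers or be dropped. The long permission sets (`{ ioctl read write getattr lock append map open watch watch_reads }`) read as pasted audit2allow output; `rw_file_perms`, `r_file_perms` and `r_dir_perms` express the same intent and make over-grants visible. `property_socket:sock_file write`, `init:unix_stream_socket connectto` and `hwservicemanager_prop:file { read getattr map open }` are what `unix_socket_connect(hal_bluetooth_default, property, init)` and `get_prop(hal_bluetooth_default, hwservicemanager_prop)` expand to, and `gpuservice:fd use` is already granted by the `binder_call` on the line above it; use the macros as the other domains in this change do.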
@ -0,0 +1,14 @@ |
||||
# /efs/FactoryApp/ |
||||
allow hal_camera_default app_efs_file:file { read open getattr }; |
||||
allow hal_camera_default app_efs_file:dir search; |
||||
|
||||
# /sys/devices/virtual/camera/ |
||||
allow hal_camera_default sysfs_camera:file { read open getattr }; |
||||
allow hal_camera_default sysfs_camera:dir search; |
||||
allow hal_camera_default sysfs_camera_writable:file { read write open getattr }; |
||||
|
||||
binder_call(hal_camera_default, system_server) |
||||
get_prop(hal_camera_default, vendor_mpctl_prop) |
||||
|
||||
# EFS |
||||
allow hal_camera_default efs_file:dir search; |
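Review bot: `binder_call(hal_camera_default, system_server)` lets a vendor HAL make binder calls into system_server, which crosses the Treble vendor/system boundary; I would expect the core neverallows on vendor-to-coredomain binder to reject it, so confirm the build, and if it is genuinely needed, comment which service is called. `sysfs_camera_writable:file { read write open getattr }` also reaches `/sys/kernel/mm/vmscan/mem_boost_mode` through this change's genfs_contexts, so the camera HAL can alter global reclaim behaviour; that node should not share the camera write label. Prefer `rw_file_perms` for the write grant, matching the health and sensors domains in this change.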
@ -0,0 +1,16 @@ |
||||
type hal_drm_widevine, domain; |
||||
hal_server_domain(hal_drm_widevine, hal_drm); |
||||
|
||||
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type; |
||||
init_daemon_domain(hal_drm_widevine); |
||||
|
||||
allow hal_drm_widevine vendor_mediadrm_vendor_data_file:dir { read write add_name create getattr search }; |
||||
allow hal_drm_widevine vendor_mediadrm_vendor_data_file:file { read write open create getattr }; |
||||
|
||||
allow hal_drm_widevine vendor_qce_device:chr_file { read write ioctl open }; |
||||
|
||||
allow hal_drm_widevine vendor_hal_display_config_hwservice:hwservice_manager find; |
||||
binder_call(hal_drm_widevine, hal_graphics_composer_default) |
||||
allow hal_drm_widevine hal_graphics_composer_default:binder transfer; |
||||
|
||||
allow hal_drm_widevine mediacodec:fd use; |
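Review bot: `allow hal_drm_widevine hal_graphics_composer_default:binder transfer;` is redundant — `binder_call(hal_drm_widevine, hal_graphics_composer_default)` on the line above already expands to `{ call transfer }` — so drop it. `vendor_mediadrm_vendor_data_file:dir { read write add_name create getattr search }` and `:file { read write open create getattr }` omit `remove_name`/`unlink`, so the HAL can create but never delete its own files; `rw_dir_perms` and `create_file_perms` are the conventional grants if deletion is expected. `hal_server_domain(hal_drm_widevine, hal_drm);` carries a trailing `;` that the other macro calls in this change omit; keep one style. This change's file_contexts has both `vendor_hal_drm_widevine_exec` and `hal_drm_widevine_exec` for the same binary and only the latter is declared here, so confirm the former is the removed entry.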
@ -0,0 +1 @@ |
||||
allow hal_gatekeeper_default gatekeeper_vendor_data_file:dir { read open }; |
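Review bot: `allow hal_gatekeeper_default gatekeeper_vendor_data_file:dir { read open };` grants directory listing but not `search`, so path lookups through `/data/vendor/gatekeeper` still fail, and no file permissions are granted at all; if the HAL keeps state there, `r_dir_perms` (or `rw_dir_perms` plus `create_file_perms`) is the usual shape. Confirm against the full set of denials rather than adding permissions one at a time.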
@ -0,0 +1 @@ |
||||
get_prop(hal_graphics_composer_default, vendor_mpctl_prop) |
@ -0,0 +1,13 @@ |
||||
# /sys/devices/platform/soc/soc:battery/power_supply/* |
||||
allow hal_health_default sysfs_battery:file r_file_perms; |
||||
allow hal_health_default sysfs_battery:dir search; |
||||
|
||||
# /efs/Battery |
||||
allow hal_health_default battery_efs_file:dir r_dir_perms; |
||||
allow hal_health_default battery_efs_file:file { rw_file_perms setattr }; |
||||
|
||||
# /efs/FactoryApp |
||||
allow hal_health_default app_efs_file:dir { read write add_name search }; |
||||
allow hal_health_default app_efs_file:file { read write open create getattr setattr }; |
||||
|
||||
allow hal_health_default efs_file:dir search; |
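Review bot: `app_efs_file` is a single coarse type for all of `/efs/FactoryApp`, and the `{ read write add_name search }` / `{ read write open create getattr setattr }` rules here make hal_health_default a writer of it alongside hal_sensors_default and rild in this change, while the kernel, camera and bluetooth HALs read it; any writer can therefore feed data to every reader. Split the directory by owner (a per-consumer type for the files each HAL writes), or at least document which files the health HAL writes, e.g. `# /efs/FactoryApp/<file> — written by health, read by <consumer> — TODO confirm`. The dir rule also lacks `remove_name`, so created files can never be removed; if that is intended, say so.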
@ -0,0 +1,11 @@ |
||||
# hal_keymaster_default |
||||
|
||||
# /mnt/vendor |
||||
allow hal_keymaster_default mnt_vendor_file:dir search; |
||||
|
||||
# /mnt/vendor/efs |
||||
allow hal_keymaster_default efs_file:dir search; |
||||
|
||||
# /mnt/vendor/efs/DAK/ |
||||
allow hal_keymaster_default prov_efs_file:dir search; |
||||
allow hal_keymaster_default prov_efs_file:file { read open getattr }; |
@ -0,0 +1,6 @@ |
||||
# hal_lineage_fastcharge_default |
||||
|
||||
set_prop(hal_lineage_fastcharge, vendor_fastcharge_prop) |
||||
|
||||
allow hal_lineage_fastcharge_default sysfs_sec_switch:dir search; |
||||
allow hal_lineage_fastcharge_default sysfs_sec_switch_writable:file rw_file_perms; |
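Review bot: `set_prop(hal_lineage_fastcharge, vendor_fastcharge_prop)` targets the `hal_lineage_fastcharge` attribute rather than the `hal_lineage_fastcharge_default` domain used on the two lines below; if that attribute is the HAL attribute shared by server and client domains, every client of the HAL may set the property. Change it to `set_prop(hal_lineage_fastcharge_default, vendor_fastcharge_prop)` unless the broader grant is deliberate, in which case comment why. The `sysfs_sec_switch_writable:file rw_file_perms` line is acceptable given the genfs entry in this change limits that label to `afc_disable`.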
@ -0,0 +1,10 @@ |
||||
# /sys/devices/virtual/lcd/panel |
||||
allow hal_lineage_livedisplay_sysfs sysfs_lcd_writable:file { read write open }; |
||||
|
||||
# /sys/devices/virtual/mdnie/mdnie/ |
||||
allow hal_lineage_livedisplay_sysfs sysfs_mdnie_writable:dir search; |
||||
allow hal_lineage_livedisplay_sysfs sysfs_mdnie_writable:file { read write open getattr }; |
||||
allow hal_lineage_livedisplay_sysfs vendor_sysfs_graphics:file write; |
||||
|
||||
allow hal_lineage_livedisplay_sysfs vendor_display_vendor_data_file:dir { write add_name search }; |
||||
allow hal_lineage_livedisplay_sysfs vendor_display_vendor_data_file:file { write open create getattr }; |
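Review bot: `allow hal_lineage_livedisplay_sysfs vendor_sysfs_graphics:file write;` grants `write` without `open`, so it only works on an already-open descriptor; if the HAL opens the node itself the denial will return as `open`, and `{ write open }` or `rw_file_perms` is what the neighbouring rules use. The `vendor_display_vendor_data_file` rules allow create but no `read`/`getattr` on the directory and no `unlink`; confirm them against the full set of denials rather than the first one, and name the file being written in the comment.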
@ -0,0 +1,5 @@ |
||||
# hal_lineage_touch_default.te |
||||
|
||||
allow hal_lineage_touch_default sysfs_sec_touchscreen:dir search; |
||||
allow hal_lineage_touch_default sysfs_sec_touchscreen:file r_file_perms; |
||||
allow hal_lineage_touch_default sysfs_touchscreen_writable:file rw_file_perms; |
@ -0,0 +1,2 @@ |
||||
# /dev/sec-nfc |
||||
allow hal_nfc_default nfc_device:chr_file { read write open ioctl }; |
@ -0,0 +1,40 @@ |
||||
# hal_power_default.te |
||||
|
||||
# /dev/cpu_dma_latency |
||||
allow hal_power_default vendor_latency_device:chr_file rw_file_perms; |
||||
|
||||
# /dev/stune/top-app/schedtune.boost |
||||
allow hal_power_default cgroup:file rw_file_perms; |
||||
|
||||
# /sys/class/input/ |
||||
allow hal_power_default sysfs_input:dir r_dir_perms; |
||||
|
||||
# /sys/class/power/ |
||||
allow hal_power_default sysfs_power:dir r_dir_perms; |
||||
allow hal_power_default sysfs_power:file r_file_perms; |
||||
allow hal_power_default sysfs_power_writable:file rw_file_perms; |
||||
|
||||
# /sys/class/sec/tsp/input/ |
||||
allow hal_power_default sysfs_sec_touchscreen:dir r_dir_perms; |
||||
allow hal_power_default sysfs_sec_touchscreen:lnk_file r_file_perms; |
||||
|
||||
# /sys/class/sec/tsp/input/{cmd,enabled} |
||||
allow hal_power_default sysfs_touchscreen_writable:file rw_file_perms; |
||||
|
||||
# /sys/devices/system/cpu/cpu[0-9]/cpufreq/scaling_max_freq |
||||
allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms; |
||||
|
||||
# /sys/devices/platform/soc/5000000.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_pwrlevel |
||||
allow hal_power_default vendor_sysfs_kgsl:file { write open }; |
||||
|
||||
# /sys/devices/platform/soc/a84000.i2c/i2c-23/23-0049/input/ |
||||
allow hal_power_default sysfs_power_writable:file { write open }; |
||||
allow hal_power_default sysfs_power_writable:dir search; |
||||
|
||||
# /sys/devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw/devfreq/soc:qcom,cpu-cpu-llcc-bw/bw_hwmon/hyst_trigger_count |
||||
allow hal_power_default vendor_sysfs_devfreq:dir search; |
||||
allow hal_power_default vendor_sysfs_devfreq:file { write open }; |
||||
|
||||
allow hal_power_default property_socket:sock_file write; |
||||
unix_socket_connect(hal_power_default, property, init) |
||||
set_prop(hal_power_default, vendor_power_prop) |
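Review bot: `allow hal_power_default property_socket:sock_file write;` is already granted by `unix_socket_connect(hal_power_default, property, init)` two lines below, so the explicit line is redundant; the same pair appears in hal_sensors_default.te in this change. `sysfs_power_writable:file rw_file_perms` under `# /sys/class/power/` is a superset of the later `sysfs_power_writable:file { write open }`, and through this change's genfs entry for `/power/` that label covers the whole /sys/power tree, so the power HAL can write nodes such as `/sys/power/state`, not just the ones listed in the comments; narrow the genfs label or document why whole-tree write is required. `cgroup:file rw_file_perms` is likewise wider than the single `schedtune.boost` node named in its comment; the comment should say the type spans every cgroup file.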
@ -0,0 +1,43 @@ |
||||
# hal_sensors_default.te |
||||
|
||||
# /dev/iio:device1 |
||||
allow hal_sensors_default iio_device:chr_file r_file_perms; |
||||
|
||||
# /efs |
||||
allow hal_sensors_default efs_file:dir r_dir_perms; |
||||
|
||||
# /efs/FactoryApp/ |
||||
allow hal_sensors_default app_efs_file:dir rw_dir_perms; |
||||
allow hal_sensors_default app_efs_file:file { setattr rw_file_perms }; |
||||
|
||||
# /sys/bus/iio/devices |
||||
allow hal_sensors_default sysfs_iio:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_iio:file r_file_perms; |
||||
|
||||
# /sys/devices/virtual/sensors/ |
||||
allow hal_sensors_default sysfs_sensors:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_sensors:file rw_file_perms; |
||||
|
||||
# /sys/devices/virtual/lcd/panel/window_type |
||||
allow hal_sensors_default sysfs_lcd_writable:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_lcd_writable:file r_file_perms; |
||||
|
||||
# /sys/class/input |
||||
allow hal_sensors_default sysfs_input:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_input:file { read write open }; |
||||
|
||||
# /sys/devices/virtual/sec/sec_key/ |
||||
allow hal_sensors_default sysfs_sec_key:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_sec_key:file r_file_perms; |
||||
|
||||
# /sys/class/sec/tsp/ |
||||
allow hal_sensors_default sysfs_sec_touchscreen:dir r_dir_perms; |
||||
allow hal_sensors_default sysfs_sec_touchscreen:file r_file_perms; |
||||
allow hal_sensors_default sysfs_sec_touchscreen:lnk_file r_file_perms; |
||||
|
||||
# /sys/class/sec/tsp/cmd |
||||
allow hal_sensors_default sysfs_touchscreen_writable:file rw_file_perms; |
||||
|
||||
# props |
||||
allow hal_sensors_default property_socket:sock_file write; |
||||
unix_socket_connect(hal_sensors_default, property, init) |
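Review bot: `allow hal_sensors_default sysfs_input:file { read write open };` and `sysfs_sensors:file rw_file_perms` grant write on types that file.te in this change tags `r_fs_type`, so the read-only tag is contradicted by its first consumer; move the written nodes to a `_writable` type (as was done for touchscreen and camera) or change the tag. `property_socket:sock_file write` is redundant with `unix_socket_connect(hal_sensors_default, property, init)` on the next line. `app_efs_file:dir rw_dir_perms` plus `{ setattr rw_file_perms }` makes the sensor HAL a writer of the shared `/efs/FactoryApp` type that the kernel, camera, bluetooth and health domains also use in this change; name the files it writes in the comment.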
@ -0,0 +1,6 @@ |
||||
# hal_wifi_default.te |
||||
|
||||
# Needed for wifi hotspot to read sap interface |
||||
get_prop(hal_wifi_default, vendor_wifi_prop) |
||||
|
||||
allow hal_wifi_default self:capability sys_module; |
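Review bot: `allow hal_wifi_default self:capability sys_module;` grants CAP_SYS_MODULE but no `system:module_load` rule on any file type accompanies it, so either the grant is incomplete (loading a module will still be denied on the module file) or the capability is being requested for something other than module loading; comment the denial, and if a module really is loaded, add the `module_load` rule on that module's specific type rather than widening later. macloader receives the same capability in this change with the same open question.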
@ -0,0 +1,4 @@ |
||||
# hal_wifi_hostapd_default.te |
||||
|
||||
# /data/vendor/wifi/hostapd/hostapd_wlan0.conf |
||||
r_dir_file(hal_wifi_hostapd_default, vendor_wifi_vendor_data_file) |
@ -0,0 +1,5 @@ |
||||
# hal_wifi_supplicant_default.te |
||||
|
||||
# /data/vendor/wifi |
||||
allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:dir rw_dir_perms; |
||||
allow hal_wifi_supplicant_default vendor_wifi_vendor_data_file:file rw_file_perms; |
@ -0,0 +1 @@ |
||||
type hal_bluetooth_a2dp_hwservice, hwservice_manager_type; |
@ -1,10 +1,22 @@ |
||||
# Bluetooth |
||||
vendor.samsung.hardware.bluetooth::ISehBluetooth u:object_r:hal_bluetooth_hwservice:s0 |
||||
vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload u:object_r:hal_bluetooth_a2dp_hwservice:s0 |
||||
vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory u:object_r:hal_bluetooth_a2dp_hwservice:s0 |
||||
vendor.samsung.hardware.bluetooth.audio::ISehBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0 |
||||
|
||||
# Camera |
||||
vendor.samsung.hardware.camera.provider::ISehCameraProvider u:object_r:hal_camera_hwservice:s0 |
||||
vendor.samsung.hardware.camera.provider::ISehCameraProvider u:object_r:hal_camera_hwservice:s0 |
||||
|
||||
# Fingerprint |
||||
vendor.samsung.hardware.biometrics.fingerprint::ISehBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 |
||||
vendor.samsung.hardware.biometrics.fingerprint::ISehBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 |
||||
|
||||
# GNSS |
||||
vendor.samsung.hardware.gnss::ISehGnss u:object_r:hal_gnss_hwservice:s0 |
||||
|
||||
# Health |
||||
vendor.samsung.hardware.health::ISehHealth u:object_r:hal_health_hwservice:s0 |
||||
|
||||
# RIL |
||||
vendor.samsung.hardware.radio.bridge::ISehBridge u:object_r:hal_telephony_hwservice:s0 |
||||
vendor.samsung.hardware.radio::ISehRadio u:object_r:hal_telephony_hwservice:s0 |
||||
vendor.samsung.hardware.radio.channel::ISehChannel u:object_r:hal_telephony_hwservice:s0 |
||||
vendor.samsung.hardware.radio.bridge::ISehBridge u:object_r:hal_telephony_hwservice:s0 |
||||
vendor.samsung.hardware.radio::ISehRadio u:object_r:hal_telephony_hwservice:s0 |
||||
vendor.samsung.hardware.radio.channel::ISehChannel u:object_r:hal_telephony_hwservice:s0 |
||||
|
@ -0,0 +1,9 @@ |
||||
# init.te |
||||
|
||||
allow init proc_last_kmsg:file setattr; |
||||
|
||||
# /sys/kernel/tracing |
||||
allow init debugfs_tracing_debug:dir mounton; |
||||
|
||||
# /mnt/vendor/efs |
||||
allow init efs_file:dir mounton; |
@ -0,0 +1,21 @@ |
||||
# kernel.te |
||||
|
||||
# /vendor/firmware/ |
||||
allow kernel vendor_firmware_file:dir r_dir_perms; |
||||
allow kernel vendor_firmware_file:file r_file_perms; |
||||
|
||||
allow kernel block_device:blk_file { read write open }; |
||||
allow kernel block_device:dir search; |
||||
|
||||
# /sys/devices/virtual/sec/hall_ic/hall_detect |
||||
allow kernel sysfs_sensors:file { read open }; |
||||
|
||||
allow kernel { |
||||
sysfs_sensors |
||||
vendor_sysfs_sensors |
||||
}:dir search; |
||||
|
||||
# /efs/FactoryApp/ |
||||
allow kernel efs_file:dir search; |
||||
allow kernel app_efs_file:dir search; |
||||
allow kernel app_efs_file:file { read open getattr }; |
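Review bot: `allow kernel block_device:blk_file { read write open };` gives the kernel domain read/write on the generic `block_device` type — every partition node without a specific label — with no comment on which partition is written; if this is for one device, grant on that partition's own type (this change already declares several) and record the trigger, e.g. `# <partition> opened by kernel at boot — TODO confirm`. `app_efs_file:file { read open getattr }` also makes the kernel a reader of the shared `/efs/FactoryApp` type that several HALs and rild write to in this change.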
@ -1,4 +1,42 @@ |
||||
# macloader.te |
||||
|
||||
type macloader, domain; |
||||
type macloader_exec, exec_type, file_type, vendor_file_type; |
||||
type macloader_exec, exec_type, vendor_file_type, file_type; |
||||
|
||||
# macloader is started by init, type transit from init domain to macloader domain |
||||
init_daemon_domain(macloader) |
||||
|
||||
set_prop(macloader, vendor_wifi_prop); |
||||
|
||||
allow macloader self:capability { net_admin sys_module }; |
||||
|
||||
allow macloader self:udp_socket create_socket_perms; |
||||
allowxperm macloader self:udp_socket ioctl { 0x8913 0x8914 }; |
||||
|
||||
# /data/vendor/conn |
||||
allow macloader conn_vendor_data_file:dir rw_dir_perms; |
||||
allow macloader conn_vendor_data_file:file create_file_perms; |
||||
|
||||
# /mnt/vendor |
||||
allow macloader mnt_vendor_file:dir search; |
||||
|
||||
# /mnt/vendor/efs |
||||
allow macloader efs_file:dir rw_dir_perms; |
||||
|
||||
# /mnt/vendor/efs/wifi |
||||
allow macloader wifi_efs_file:dir rw_dir_perms; |
||||
allow macloader wifi_efs_file:file rw_file_perms; |
||||
|
||||
# /sys/class/net |
||||
allow macloader sysfs_net:dir r_dir_perms; |
||||
allow macloader sysfs_net:file r_file_perms; |
||||
|
||||
allow macloader sysfs_wifi_writable:dir r_dir_perms; |
||||
allow macloader sysfs_wifi_writable:file rw_file_perms; |
||||
|
||||
# /sys/wifi |
||||
allow macloader sysfs_wifi:dir r_dir_perms; |
||||
allow macloader sysfs_wifi:file r_file_perms; |
||||
|
||||
# /sys/kernel/boot_wlan |
||||
allow macloader sysfs_wifi_writable:file { write open }; |
||||
|
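Review bot: `allowxperm macloader self:udp_socket ioctl { 0x8913 0x8914 };` hard-codes ioctl numbers that look like SIOCGIFFLAGS/SIOCSIFFLAGS; use the named defines from core ioctl_defines if available, or at least comment them (`# SIOCGIFFLAGS / SIOCSIFFLAGS`), and the same applies to the `0x54ca 0x54cb` pair in rild.te. `allow macloader efs_file:dir rw_dir_perms;` grants write on the root of `/mnt/vendor/efs` although the comments say the daemon works in `/mnt/vendor/efs/wifi`, which has its own `wifi_efs_file` rules; `search` on `efs_file` should suffice. `self:capability { net_admin sys_module }` has no `module_load` rule and no comment; record the denial. `set_prop(macloader, vendor_wifi_prop);` carries a trailing `;` the other macro calls omit, and `macloader_exec` appears twice with reordered attributes without a mark for which line is removed, so confirm only one survives.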
@ -0,0 +1,3 @@ |
||||
binder_call(mediacodec, vendor_hal_perf_default) |
||||
get_prop(mediacodec, vendor_mpctl_prop) |
||||
allow mediacodec vendor_hal_perf_hwservice:hwservice_manager find; |
@ -0,0 +1 @@ |
||||
allow mediaserver package_native_service:service_manager find; |
@ -0,0 +1,16 @@ |
||||
allow netutils_wrapper rild:fd use; |
||||
allow netutils_wrapper rild:fifo_file { write read }; |
||||
allow netutils_wrapper rild:file read; |
||||
allow netutils_wrapper rild:unix_stream_socket { read write }; |
||||
allow netutils_wrapper tun_device:chr_file { read write }; |
||||
allow netutils_wrapper rild:netlink_route_socket { read write }; |
||||
allow netutils_wrapper rild:udp_socket { read write }; |
||||
|
||||
# /dev/drb |
||||
allow netutils_wrapper drb_device:chr_file { read write }; |
||||
|
||||
# /proc/sys/net/ipv*/ |
||||
allow netutils_wrapper proc_net:file write; |
||||
|
||||
# /mnt/vendor/efs/mps_code.dat |
||||
allow netutils_wrapper efs_file:file { read write }; |
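Review bot: `allow netutils_wrapper efs_file:file { read write };` grants write on every file labeled `efs_file` directly under `/mnt/vendor/efs` for the sake of the one file named in the comment (`mps_code.dat`); give that file its own type in file_contexts and grant on it, so the EFS root stays read-only for a core helper domain. `write` without `open` here and on `proc_net:file write` implies the descriptors are inherited from rild (consistent with the `rild:fd use` line); if that is the mechanism, say so in the comments so the missing `open` is not "fixed" later.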
@ -0,0 +1,8 @@ |
||||
# Fastcharge |
||||
vendor_internal_prop(vendor_fastcharge_prop) |
||||
|
||||
# power |
||||
vendor_internal_prop(vendor_power_prop) |
||||
|
||||
# qseecom |
||||
vendor_internal_prop(vendor_qseecomd_prop) |
@ -1,6 +1,32 @@ |
||||
# audio |
||||
vendor.audio_hal. u:object_r:vendor_audio_prop:s0 |
||||
|
||||
# Bluetooth |
||||
vendor.bluetooth_fw_ver u:object_r:vendor_bluetooth_prop:s0 |
||||
persist.vendor.bt. u:object_r:vendor_bluetooth_prop:s0 |
||||
|
||||
# fastcharge |
||||
persist.vendor.sec.fastchg_enabled u:object_r:vendor_fastcharge_prop:s0 |
||||
|
||||
# Perf |
||||
ro.vendor.extension_library u:object_r:vendor_mpctl_prop:s0 |
||||
|
||||
# Power |
||||
vendor.powerhal. u:object_r:vendor_power_prop:s0 |
||||
|
||||
# RIL |
||||
ro.vendor.multisim. u:object_r:vendor_radio_prop:s0 |
||||
ro.vendor.radio. u:object_r:vendor_radio_prop:s0 |
||||
vendor.sec.rild. u:object_r:vendor_radio_prop:s0 |
||||
ro.vendor.sec.radio. u:object_r:vendor_radio_prop:s0 |
||||
ro.vendor.use_data_netmgrd u:object_r:vendor_radio_prop:s0 |
||||
ro.vendor.epdg.support u:object_r:vendor_radio_prop:s0 |
||||
|
||||
# Sensors |
||||
vendor.sensor.file.permission u:object_r:vendor_sensors_prop:s0 |
||||
|
||||
# RIL |
||||
ro.vendor.multisim. u:object_r:vendor_radio_prop:s0 |
||||
ro.vendor.radio. u:object_r:vendor_radio_prop:s0 |
||||
# Tee |
||||
vendor.sys.qseecomd.enable u:object_r:vendor_qseecomd_prop:s0 |
||||
|
||||
# wifi |
||||
vendor.wifi. u:object_r:vendor_wifi_prop:s0 |
||||
|
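--- /dev/null
+++ b/UNKNOWN_PATH/rild.te
@@ -0,0 +1,43 @@
+# rild.te
+
+get_prop(rild, vendor_radio_prop)
+get_prop(rild, radio_prop)
+
+allow rild block_device:dir search;
+allow rild mnt_vendor_file:dir { getattr search };
+
+# audio hal
+allow rild hal_audio_default:dir search;
+allow rild hal_audio_default:file r_file_perms;
+
+# /data
+allow rild system_data_file:dir getattr;
+
+# /dev/drb
+allow rild drb_device:chr_file rw_file_perms;
+
+# /data/vendor/secradio
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+
+# /efs/FactoryApp/
+allow rild app_efs_file:dir r_dir_perms;
+allow rild app_efs_file:file { rw_file_perms setattr };
+
+# /efs/imei
+allow rild imei_efs_file:dir r_dir_perms;
+allow rild imei_efs_file:file r_file_perms;
+
+# /mnt/vendor/efs/
+allow rild prov_efs_file:dir r_dir_perms;
+allow rild prov_efs_file:file r_file_perms;
+
+# /proc/net/xt_qtaguid/iface_stat_fmt
+allow rild proc_qtaguid_stat:file r_file_perms;
+
+# /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
+allow rild proc_net:file rw_file_perms;
+
+allow rild tun_device:chr_file rw_file_perms;
+allowxperm rild tun_device:chr_file ioctl { 0x54ca 0x54cb };
+allow rild self:tun_socket create;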
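Review bot: `allow rild proc_net:file rw_file_perms;` grants write to every file carrying the proc_net label, not only the accept_ra_defrtr node the comment names; on AOSP-derived policies that label covers the whole /proc/sys/net tree, so this lets the RIL change unrelated network sysctls. If only that one node must be writable, a dedicated type assigned to its path via genfscon keeps the write grant narrow; if the wide grant is intentional, the comment should say so rather than naming a single file. The `allowxperm` line also lists raw ioctl numbers; where the platform's ioctl_defines is in scope, `allowxperm rild tun_device:chr_file ioctl { TUNSETIFF TUNSETPERSIST };` names the same 0x54ca/0x54cb values and documents the intent. Finally, `{ rw_file_perms setattr }` on app_efs_file deserves a one-line comment on which file's mode or owner rild needs to change, since setattr on EFS data is unusual for a RIL.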
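--- /dev/null
+++ b/UNKNOWN_PATH/secril_config_svc.te
@@ -0,0 +1,26 @@
+# secril_config_svc.te
+
+type secril_config_svc, domain, halserverdomain, hal_telephony, hal_telephony_server;
+type secril_config_svc_exec, exec_type, vendor_file_type, file_type;
+
+# secril_config_svc is started by init, type transit from init domain to secril_config_svc domain
+init_daemon_domain(secril_config_svc)
+
+unix_socket_connect(secril_config_svc, property, init)
+
+# /mnt/vendor/
+allow secril_config_svc mnt_vendor_file:dir search;
+
+# /mnt/vendor/efs/factory.prop
+# /mnt/vendor/efs/telephony.prop
+allow secril_config_svc efs_file:dir search;
+allow secril_config_svc efs_file:file r_file_perms;
+
+# ro.multisim.
+# ro.vendor.multisim.
+# ro.vendor.radio.default_network
+get_prop(secril_config_svc, exported_system_prop)
+set_prop(secril_config_svc, radio_prop)
+set_prop(secril_config_svc, vendor_radio_prop)
+
+get_prop(secril_config_svc, vendor_radio_prop)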
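Review bot: The standalone `unix_socket_connect(secril_config_svc, property, init)` is redundant with the two `set_prop` lines below it, because AOSP's `set_prop` macro already expands to that same property-socket connect plus the `property_service set` rule; dropping the explicit line avoids a second place that has to be kept in step. On recent AOSP branches `set_prop` also expands `get_prop` for the same type, so the trailing `get_prop(secril_config_svc, vendor_radio_prop)` is presumably redundant as well — worth confirming against the te_macros in use. The type line gives this daemon `halserverdomain`, `hal_telephony` and `hal_telephony_server`, which carry the hwservice-manager and telephony HAL grants; if the service only rewrites radio properties from EFS files, a plain `domain` type (as the deleted `vendor_secril_config_svc` had) is the smaller surface, so a comment stating which HAL interface it actually serves would justify the attributes. The comment above `init_daemon_domain` would read more clearly as `# started by init; domain transition from init to secril_config_svc`.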
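--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,8 @@
+allow system_app proc_pagetypeinfo:file { read open getattr };
+
+# ZRAM
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file { read open getattr };
+
+binder_call(system_app, hal_power_default)
+binder_call(system_app, hal_vibrator_default)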
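Review bot: `binder_call(system_app, hal_power_default)` and `binder_call(system_app, hal_vibrator_default)` let a system app exchange binder transactions with vendor HAL processes directly instead of through the framework services that normally mediate power and vibrator requests. On Treble-era policy those HALs are reached via hwservice_manager lookups that the platform neverallow rules fence off from app domains, so this grant is presumably either insufficient on its own or is bypassing that fence — a comment naming the app and the HAL method it needs would let a reviewer check which. The two `{ read open getattr }` sets could be written as `r_file_perms` to match rild.te and system_server.te in this same commit, with the caveat that the macro is slightly wider (it adds ioctl and, on newer policies, map).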
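--- /dev/null
+++ b/UNKNOWN_PATH/system_server.te
@@ -0,0 +1,3 @@
+# system_server.te
+
+allow system_server proc_last_kmsg:file r_file_perms;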
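--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,9 @@
+# Tee
+set_prop(tee, vendor_qseecomd_prop)
+
+allow tee gatekeeper_vendor_data_file:dir { write add_name read open search };
+allow tee gatekeeper_vendor_data_file:file { create write open read getattr };
+
+# This is for randomly generated TEE directories in /efs
+allow tee efs_file:dir { search read write open add_name };
+allow tee efs_file:file { read write open getattr create };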
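Review bot: The last two rules give `tee` create and write access to everything labelled `efs_file`, which elsewhere in this same commit is the label under which secril_config_svc reads factory.prop and telephony.prop and netutils_wrapper reads mps_code.dat, so the TEE daemon can now modify those files rather than only its own directories. Since the comment says the directories are TEE-specific, a dedicated type for them in the style of the `app_efs_file`/`imei_efs_file`/`prov_efs_file` types rild.te uses, assigned in file_contexts, would confine the write grant. If the directory names really are random and cannot be matched statically, the comment should say that and why the partition-wide grant is accepted, e.g. `# TEE directory names are randomized, so the whole efs_file label must be writable`.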
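--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vdc self:capability kill;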
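Review bot: `allow vdc self:capability kill;` grants CAP_KILL, which permits signalling processes of any UID, whereas sending a signal to a process of vdc's own UID needs no capability at all. If the denial that motivated this came from vdc signalling a same-UID child, the rule can be dropped; if the target is owned by another UID, a comment naming it, e.g. `# CAP_KILL: vdc signals <target process placeholder>`, would let the grant be revisited later.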
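--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,2 @@
+allow vendor_hal_gnss_qti sysfs_npu:file { read open };
+allow vendor_hal_gnss_qti sysfs_battery:dir search;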
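--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,4 @@
+allow vendor_hal_usb_qti sysfs_battery:dir search;
+allow vendor_hal_usb_qti sysfs_iio:dir search;
+
+dontaudit vendor_hal_usb_qti self:capability dac_override;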
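Review bot: `dontaudit vendor_hal_usb_qti self:capability dac_override;` silences the denial without recording why it occurs; dac_override requests usually come from opening a file whose owner or mode does not match the daemon's UID, which is a file-ownership problem rather than a policy one. Suppressing it is reasonable when the access is not actually needed, but a comment naming the path that trips it, e.g. `# dac_override attempts come from <path placeholder>; access not required, suppressed`, lets a later reader confirm the suppression is still justified.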
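--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,10 @@
+# EFS
+allow vendor_init tmpfs:dir rw_dir_perms;
+
+allow vendor_init cgroup:file getattr;
+
+allow vendor_init system_file:file { read getattr open };
+
+allow vendor_init block_device:lnk_file setattr;
+
+set_prop(vendor_init, vendor_power_prop)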
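Review bot: The `# EFS` heading sits above `allow vendor_init tmpfs:dir rw_dir_perms;`, but that rule is about the generic tmpfs type, not the EFS partition, so the comment does not describe the grant under it; if the rule exists because init prepares a tmpfs directory before the EFS mount, say so, e.g. `# tmpfs directory prepared before /mnt/vendor/efs is mounted`. rw_dir_perms on the bare tmpfs label also covers every tmpfs-labelled directory rather than one mount point, so naming the path would help justify the width. `allow vendor_init block_device:lnk_file setattr;` likewise deserves a line stating which /dev/block symlink has its mode or owner changed and why a symlink rather than the node itself is the target.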
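--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vendor_per_mgr sysfs_npu:file { read open };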
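--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vendor_per_proxy sysfs_npu:file { read open };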
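--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vendor_qti_init_shell sysfs_power_writable:file { write setattr };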
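Review bot: `allow vendor_qti_init_shell sysfs_power_writable:file { write setattr };` omits `open`, so a shell redirect into one of these nodes will still be denied at the open; only writes through an already-open descriptor and attribute changes (chmod/chown) are covered. If the init script writes the nodes, `open` needs to be added; if it only changes their mode or owner, `write` is unused and should be dropped so the rule reflects what the script does.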
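--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vendor_rmt_storage sysfs_npu:file { read open };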
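--- a/UNKNOWN_PATH
+++ /dev/null
@@ -1,4 +0,0 @@
-type vendor_secril_config_svc, domain;
-type vendor_secril_config_svc_exec, exec_type, file_type, vendor_file_type;
-
-init_daemon_domain(vendor_secril_config_svc)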
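--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,9 @@
+allow vendor_sensors {
+vendor_sysfs_sensors
+sysfs_sensors
+}:dir search;
+
+allow vendor_sensors {
+vendor_sysfs_sensors
+sysfs_sensors
+}:file { read open getattr };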
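--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,3 @@
+allow vendor_thermal-engine sysfs_battery:dir search;
+
+get_prop(vendor_thermal-engine, vendor_mpctl_prop)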
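--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,8 @@
+allow vendor_time_daemon rild:dir search;
+allow vendor_time_daemon rild:file { read open };
+
+allow vendor_time_daemon vendor_timeservice_app:dir search;
+allow vendor_time_daemon vendor_timeservice_app:file { read open };
+
+allow vendor_time_daemon tee:dir search;
+allow vendor_time_daemon tee:file { read open };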
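Review bot: `allow vendor_time_daemon rild:dir search;` with `rild:file { read open }`, and the matching pairs for vendor_timeservice_app and tee, grant reads of those domains' /proc/<pid> entries, since a process domain used as a dir or file target denotes that process's /proc directory. Readable /proc/<pid> files include the memory map and status of another process, so a comment naming which entry is actually read would document why a cross-domain read is needed, e.g. `# reads /proc/<pid>/cmdline of rild/tee/timeservice to locate their pids — confirm`. If only pid discovery is needed, a narrower mechanism such as a property or socket handshake avoids exposing the rest of /proc/<pid>.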
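--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1,5 @@
+allow vendor_wcnss_service sysfs_npu:file { read open };
+
+get_prop(vendor_wcnss_service, vendor_mpctl_prop)
+
+allow vendor_wcnss_service conn_vendor_data_file:dir search;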
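--- /dev/null
+++ b/UNKNOWN_PATH
@@ -0,0 +1 @@
+allow vold efs_file:dir { read open ioctl };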