-rw-r--r--sepolicy/OWNERS3
-rw-r--r--sepolicy/ambient/exo_app.te21
-rw-r--r--sepolicy/ambient/seapp_contexts2
-rw-r--r--sepolicy/bluetooth/device.te3
-rw-r--r--sepolicy/bluetooth/file_contexts6
-rw-r--r--sepolicy/bluetooth/genfs_contexts7
-rw-r--r--sepolicy/bluetooth/hal_bluetooth_btlinux.te22
-rw-r--r--sepolicy/bluetooth/hwservice.te3
-rw-r--r--sepolicy/bluetooth/hwservice_contexts6
-rw-r--r--sepolicy/confirmationui/device.te1
-rw-r--r--sepolicy/confirmationui/file_contexts4
-rw-r--r--sepolicy/confirmationui/hal_confirmationui.te13
-rw-r--r--sepolicy/confirmationui/securedpud.slider.te9
-rw-r--r--sepolicy/display/common/file.te1
-rw-r--r--sepolicy/display/common/file_contexts1
-rw-r--r--sepolicy/display/gs101/genfs_contexts16
-rw-r--r--sepolicy/display/gs101/hal_graphics_composer_default.te46
-rw-r--r--sepolicy/edgetpu/device.te2
-rw-r--r--sepolicy/edgetpu/edgetpu_app_service.te38
-rw-r--r--sepolicy/edgetpu/edgetpu_logging.te15
-rw-r--r--sepolicy/edgetpu/edgetpu_vendor_service.te31
-rw-r--r--sepolicy/edgetpu/file.te9
-rw-r--r--sepolicy/edgetpu/file_contexts27
-rw-r--r--sepolicy/edgetpu/genfs_contexts4
-rw-r--r--sepolicy/edgetpu/hal_neuralnetworks_darwinn.te53
-rw-r--r--sepolicy/edgetpu/priv_app.te12
-rw-r--r--sepolicy/edgetpu/property.te4
-rw-r--r--sepolicy/edgetpu/property_contexts3
-rw-r--r--sepolicy/edgetpu/service.te5
-rw-r--r--sepolicy/edgetpu/service_contexts7
-rw-r--r--sepolicy/edgetpu/untrusted_app_all.te7
-rw-r--r--sepolicy/edgetpu/vendor_init.te1
-rw-r--r--sepolicy/gs101-sepolicy.mk41
-rw-r--r--sepolicy/health/file_contexts1
-rw-r--r--sepolicy/modem/user/dmd.te29
-rw-r--r--sepolicy/modem/user/file.te1
-rw-r--r--sepolicy/modem/user/file_contexts2
-rw-r--r--sepolicy/modem/user/property.te3
-rw-r--r--sepolicy/modem/user/property_contexts14
-rw-r--r--sepolicy/modem/userdebug/file_contexts1
-rw-r--r--sepolicy/modem/userdebug/vcd.te11
-rw-r--r--sepolicy/neuralnetworks/file_contexts1
-rw-r--r--sepolicy/neuralnetworks/hal_neuralnetworks_armnn.te9
-rw-r--r--sepolicy/pkvm/file_contexts1
-rw-r--r--sepolicy/pkvm/vendor_misc_writer.te2
-rw-r--r--sepolicy/private/dex2oat.te59
-rw-r--r--sepolicy/private/fsverity_init.te2
-rw-r--r--sepolicy/private/gmscore_app.te3
-rw-r--r--sepolicy/private/hal_dumpstate_default.te2
-rw-r--r--sepolicy/private/incidentd.te14
-rw-r--r--sepolicy/private/lpdumpd.te7
-rw-r--r--sepolicy/private/permissioncontroller_app.te3
-rw-r--r--sepolicy/private/postinstall_dexopt.te2
-rw-r--r--sepolicy/private/priv_app.te20
-rw-r--r--sepolicy/private/radio.te1
-rw-r--r--sepolicy/private/service_contexts1
-rw-r--r--sepolicy/private/untrusted_app_25.te2
-rw-r--r--sepolicy/private/wait_for_keymaster.te2
-rw-r--r--sepolicy/system_ext/private/platform_app.te5
-rw-r--r--sepolicy/system_ext/private/property_contexts8
-rw-r--r--sepolicy/system_ext/public/property.te2
-rw-r--r--sepolicy/telephony/pktrouter/device.te1
-rw-r--r--sepolicy/telephony/pktrouter/file_contexts4
-rw-r--r--sepolicy/telephony/pktrouter/netutils_wrapper.te7
-rw-r--r--sepolicy/telephony/pktrouter/pktrouter.te13
-rw-r--r--sepolicy/telephony/pktrouter/property.te1
-rw-r--r--sepolicy/telephony/pktrouter/property_contexts3
-rw-r--r--sepolicy/telephony/pktrouter/vendor_init.te1
-rw-r--r--sepolicy/telephony/user/file_contexts3
-rw-r--r--sepolicy/telephony/user/init_radio.te8
-rw-r--r--sepolicy/tracking_denials/dumpstate.te6
-rw-r--r--sepolicy/tracking_denials/hal_drm_default.te2
-rw-r--r--sepolicy/tracking_denials/hal_fingerprint_default.te9
-rw-r--r--sepolicy/tracking_denials/hal_neuralnetworks_armnn.te5
-rw-r--r--sepolicy/tracking_denials/hal_power_default.te3
-rw-r--r--sepolicy/tracking_denials/incidentd.te4
-rw-r--r--sepolicy/tracking_denials/init-insmod-sh.te4
-rw-r--r--sepolicy/tracking_denials/kernel.te4
-rw-r--r--sepolicy/tracking_denials/rebalance_interrupts_vendor.te2
-rw-r--r--sepolicy/tracking_denials/surfaceflinger.te2
-rw-r--r--sepolicy/tracking_denials/untrusted_app.te4
-rw-r--r--sepolicy/tracking_denials/update_engine.te2
-rw-r--r--sepolicy/tracking_denials/uwb_vendor_app.te2
-rw-r--r--sepolicy/tracking_denials/vendor_init.te2
-rw-r--r--sepolicy/trusty_metricsd/file_contexts1
-rw-r--r--sepolicy/trusty_metricsd/trusty_metricsd.te11
-rw-r--r--sepolicy/usf/file.te16
-rw-r--r--sepolicy/usf/file_contexts12
-rw-r--r--sepolicy/usf/sensor_hal.te80
-rw-r--r--sepolicy/usf/te_macros14
-rw-r--r--sepolicy/whitechapel/vendor/google/aocd.te21
-rw-r--r--sepolicy/whitechapel/vendor/google/aocdump.te19
-rw-r--r--sepolicy/whitechapel/vendor/google/attributes1
-rw-r--r--sepolicy/whitechapel/vendor/google/audioserver.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/bipchmgr.te9
-rw-r--r--sepolicy/whitechapel/vendor/google/bluetooth.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/bootanim.te5
-rw-r--r--sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/bug_map3
-rw-r--r--sepolicy/whitechapel/vendor/google/cbd.te64
-rw-r--r--sepolicy/whitechapel/vendor/google/cbrs_setup.te13
-rw-r--r--sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem29
-rw-r--r--sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem29
-rw-r--r--sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem29
-rw-r--r--sepolicy/whitechapel/vendor/google/charger_vendor.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/chre.te27
-rw-r--r--sepolicy/whitechapel/vendor/google/con_monitor.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/device.te54
-rw-r--r--sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te7
-rw-r--r--sepolicy/whitechapel/vendor/google/dmd.te5
-rw-r--r--sepolicy/whitechapel/vendor/google/domain.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/dumpstate.te17
-rw-r--r--sepolicy/whitechapel/vendor/google/e2fs.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/euiccpixel_app.te29
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts1
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts1
-rw-r--r--sepolicy/whitechapel/vendor/google/fastbootd.te9
-rw-r--r--sepolicy/whitechapel/vendor/google/file.te223
-rw-r--r--sepolicy/whitechapel/vendor/google/file_contexts441
-rw-r--r--sepolicy/whitechapel/vendor/google/fsck.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/genfs_contexts577
-rw-r--r--sepolicy/whitechapel/vendor/google/gpsd.te28
-rw-r--r--sepolicy/whitechapel/vendor/google/grilservice_app.te12
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_audio_default.te35
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_audiometricext_default.te12
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_bootctl_default.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_camera_default.te106
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_contexthub.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te5
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_drm_default.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_dumpstate_default.te219
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te35
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_gnss_default.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_health_default.te18
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_health_storage_default.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_input_processor_default.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_memtrack_default.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_nfc_default.te15
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_power_default.te16
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_power_stats_default.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_radioext_default.te21
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_secure_element_default.te8
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te8
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te9
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te17
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_thermal_default.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_usb_impl.te28
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te15
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te14
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_wifi.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_wifi_ext.te13
-rw-r--r--sepolicy/whitechapel/vendor/google/hal_wlc.te16
-rw-r--r--sepolicy/whitechapel/vendor/google/hardware_info_app.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te14
-rw-r--r--sepolicy/whitechapel/vendor/google/hwservice.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/hwservice_contexts31
-rw-r--r--sepolicy/whitechapel/vendor/google/hwservicemanager.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/incident.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/init-insmod-sh.te19
-rw-r--r--sepolicy/whitechapel/vendor/google/init.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/installd.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/kernel.te11
-rw-r--r--sepolicy/whitechapel/vendor/google/keys.conf8
-rw-r--r--sepolicy/whitechapel/vendor/google/lhd.te23
-rw-r--r--sepolicy/whitechapel/vendor/google/logd.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/logger_app.te33
-rw-r--r--sepolicy/whitechapel/vendor/google/mac_permissions.xml33
-rw-r--r--sepolicy/whitechapel/vendor/google/mediacodec.te11
-rw-r--r--sepolicy/whitechapel/vendor/google/mediaprovider.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/modem_diagnostics.te35
-rw-r--r--sepolicy/whitechapel/vendor/google/modem_logging_control.te17
-rw-r--r--sepolicy/whitechapel/vendor/google/modem_svc_sit.te35
-rw-r--r--sepolicy/whitechapel/vendor/google/nfc.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/oemrilservice_app.te9
-rw-r--r--sepolicy/whitechapel/vendor/google/ofl_app.te20
-rw-r--r--sepolicy/whitechapel/vendor/google/omadm.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/pixelstats_vendor.te31
-rw-r--r--sepolicy/whitechapel/vendor/google/platform_app.te20
-rw-r--r--sepolicy/whitechapel/vendor/google/property.te63
-rw-r--r--sepolicy/whitechapel/vendor/google/property_contexts123
-rw-r--r--sepolicy/whitechapel/vendor/google/radio.te7
-rw-r--r--sepolicy/whitechapel/vendor/google/ramdump_app.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/recovery.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/rfsd.te39
-rw-r--r--sepolicy/whitechapel/vendor/google/ril_config_service.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/rild.te38
-rw-r--r--sepolicy/whitechapel/vendor/google/rlsservice.te37
-rw-r--r--sepolicy/whitechapel/vendor/google/scd.te17
-rw-r--r--sepolicy/whitechapel/vendor/google/sced.te23
-rw-r--r--sepolicy/whitechapel/vendor/google/seapp_contexts58
-rw-r--r--sepolicy/whitechapel/vendor/google/secure_element.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/service.te2
-rw-r--r--sepolicy/whitechapel/vendor/google/service_contexts3
-rw-r--r--sepolicy/whitechapel/vendor/google/servicemanager.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/shell.te11
-rw-r--r--sepolicy/whitechapel/vendor/google/ssr_detector.te24
-rw-r--r--sepolicy/whitechapel/vendor/google/storageproxyd.te23
-rw-r--r--sepolicy/whitechapel/vendor/google/system_app.te8
-rw-r--r--sepolicy/whitechapel/vendor/google/system_server.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/tcpdump_logger.te20
-rw-r--r--sepolicy/whitechapel/vendor/google/toolbox.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/trusty_apploader.te7
-rw-r--r--sepolicy/whitechapel/vendor/google/untrusted_app_all.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/update_engine.te3
-rw-r--r--sepolicy/whitechapel/vendor/google/uwb_vendor_app.te21
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_ims_app.te19
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_init.te43
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_rcs_app.te15
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_shell.te1
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_telephony_app.te23
-rw-r--r--sepolicy/whitechapel/vendor/google/vendor_uwb_init.te10
-rw-r--r--sepolicy/whitechapel/vendor/google/vndservice.te4
-rw-r--r--sepolicy/whitechapel/vendor/google/vndservice_contexts4
-rw-r--r--sepolicy/whitechapel/vendor/google/vold.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/wifi_sniffer.te6
-rw-r--r--sepolicy/whitechapel/vendor/google/wlcfwupdate.te12
225 files changed, 4444 insertions, 0 deletions
diff --git a/sepolicy/OWNERS b/sepolicy/OWNERS
new file mode 100644
index 00000000..791abb4a
--- /dev/null
+++ b/sepolicy/OWNERS
@@ -0,0 +1,3 @@
+include platform/system/sepolicy:/OWNERS
+
+rurumihong@google.com
diff --git a/sepolicy/ambient/exo_app.te b/sepolicy/ambient/exo_app.te
new file mode 100644
index 00000000..3a88eebb
--- /dev/null
+++ b/sepolicy/ambient/exo_app.te
@@ -0,0 +1,21 @@
+type exo_app, coredomain, domain;
+
+app_domain(exo_app)
+net_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_service:service_manager find;
+allow exo_app mediametrics_service:service_manager find;
+allow exo_app virtual_device_service:service_manager find;
+allow exo_app gpu_device:dir search;
+
+allow exo_app uhid_device:chr_file rw_file_perms;
+
+binder_call(exo_app, statsd)
+binder_use(exo_app)
+
+get_prop(exo_app, device_config_runtime_native_boot_prop)
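Review bot: `allow exo_app uhid_device:chr_file rw_file_perms;` has no comment, and it is the most sensitive grant in this file. Read/write on the uhid node lets the domain register virtual HID devices whose events the system treats as user input, and `net_domain(exo_app)` gives the same domain network access. Add a why-comment above the rule, for example `# Exo exposes a virtual HID device for <feature>; tracked in b/<bug-id>`, so a later audit can tell whether the access is still required. The `service_manager find` rules would also benefit from a one-line header saying what the app does with audio, camera and radio services.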
diff --git a/sepolicy/ambient/seapp_contexts b/sepolicy/ambient/seapp_contexts
new file mode 100644
index 00000000..8024688c
--- /dev/null
+++ b/sepolicy/ambient/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
diff --git a/sepolicy/bluetooth/device.te b/sepolicy/bluetooth/device.te
new file mode 100644
index 00000000..a2563322
--- /dev/null
+++ b/sepolicy/bluetooth/device.te
@@ -0,0 +1,3 @@
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
diff --git a/sepolicy/bluetooth/file_contexts b/sepolicy/bluetooth/file_contexts
new file mode 100644
index 00000000..d4681dbd
--- /dev/null
+++ b/sepolicy/bluetooth/file_contexts
@@ -0,0 +1,6 @@
+# Bluetooth
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
+
+/dev/wbrc u:object_r:wb_coexistence_dev:s0
+/dev/ttySAC16 u:object_r:hci_attach_dev:s0
+
diff --git a/sepolicy/bluetooth/genfs_contexts b/sepolicy/bluetooth/genfs_contexts
new file mode 100644
index 00000000..607e1462
--- /dev/null
+++ b/sepolicy/bluetooth/genfs_contexts
@@ -0,0 +1,7 @@
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/timesync u:object_r:proc_bluetooth_writable:s0
+
diff --git a/sepolicy/bluetooth/hal_bluetooth_btlinux.te b/sepolicy/bluetooth/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..f348099e
--- /dev/null
+++ b/sepolicy/bluetooth/hal_bluetooth_btlinux.te
@@ -0,0 +1,22 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
+get_prop(hal_bluetooth_btlinux, boot_status_prop)
+
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+binder_call(hal_bluetooth_btlinux, servicemanager)
+
+# power stats
+vndbinder_use(hal_bluetooth_btlinux)
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+ allow hal_bluetooth_btlinux logbuffer_device:chr_file r_file_perms;
+')
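Review bot: The `sscoredump_vendor_data_crashinfo_file` rules are granted on every build, while the `sscoredump_vendor_data_coredump_file` rules sit inside `userdebug_or_eng`, and nothing in the file explains the split. A comment above each group would make the intent auditable, for example `# crash info records are written on all builds` and `# full coredumps and logbuffer access are debug-only`. The first line, `add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);`, also ends in a semicolon that the other macro calls in this file do not use.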
diff --git a/sepolicy/bluetooth/hwservice.te b/sepolicy/bluetooth/hwservice.te
new file mode 100644
index 00000000..5e36cd0c
--- /dev/null
+++ b/sepolicy/bluetooth/hwservice.te
@@ -0,0 +1,3 @@
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
+
diff --git a/sepolicy/bluetooth/hwservice_contexts b/sepolicy/bluetooth/hwservice_contexts
new file mode 100644
index 00000000..8480b4e1
--- /dev/null
+++ b/sepolicy/bluetooth/hwservice_contexts
@@ -0,0 +1,6 @@
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ccc::IBluetoothCcc u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ewp::IBluetoothEwp u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.ext::IBluetoothExt u:object_r:hal_bluetooth_coexistence_hwservice:s0
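Review bot: All five interfaces here (channel avoidance, SAR, CCC, EWP, Ext) share the single label `hal_bluetooth_coexistence_hwservice`, so any domain later granted `find` on that type can reach every one of them. If the clients of these interfaces differ (not visible in this hunk), giving each interface its own hwservice type keeps grants least-privilege. If one label is deliberate, widen the comment to say so, since "Bluetooth HAL extension" and the type name suggest only coexistence.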
diff --git a/sepolicy/confirmationui/device.te b/sepolicy/confirmationui/device.te
new file mode 100644
index 00000000..54fe349f
--- /dev/null
+++ b/sepolicy/confirmationui/device.te
@@ -0,0 +1 @@
+type tui_device, dev_type;
diff --git a/sepolicy/confirmationui/file_contexts b/sepolicy/confirmationui/file_contexts
new file mode 100644
index 00000000..49db4171
--- /dev/null
+++ b/sepolicy/confirmationui/file_contexts
@@ -0,0 +1,4 @@
+/vendor/bin/securedpud\.slider u:object_r:securedpud_slider_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
+
+/dev/tui-driver u:object_r:tui_device:s0
diff --git a/sepolicy/confirmationui/hal_confirmationui.te b/sepolicy/confirmationui/hal_confirmationui.te
new file mode 100644
index 00000000..a8f4ae8c
--- /dev/null
+++ b/sepolicy/confirmationui/hal_confirmationui.te
@@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;
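Review bot: `allow hal_confirmationui_default input_device:chr_file rw_file_perms;` grants write as well as read on the input device nodes, and the file does not say why the confirmation UI HAL would write to them. If the HAL only consumes key events, narrow the rule to `r_file_perms`. If write is required, add a comment stating what is written. The file has no comments at all, so a short header naming the TEE, citadeld and keystore dependencies would help the next reviewer.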
diff --git a/sepolicy/confirmationui/securedpud.slider.te b/sepolicy/confirmationui/securedpud.slider.te
new file mode 100644
index 00000000..fd553a30
--- /dev/null
+++ b/sepolicy/confirmationui/securedpud.slider.te
@@ -0,0 +1,9 @@
+type securedpud_slider, domain;
+type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(securedpud_slider)
+
+allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
+allow securedpud_slider ion_device:chr_file r_file_perms;
+allow securedpud_slider tee_device:chr_file rw_file_perms;
+allow securedpud_slider tui_device:chr_file rw_file_perms;
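Review bot: This new domain gets read/write on both `tee_device` and `tui_device` without a single comment explaining what the daemon is or why it needs them. Add a header line such as `# securedpud: <purpose, to be filled in by the author>` and a why-comment on the `tee_device` and `tui_device` rules. Both `dmabuf_heap_device` and `ion_device` are allowed; if only one allocator is used on this platform, the other rule can be dropped.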
diff --git a/sepolicy/display/common/file.te b/sepolicy/display/common/file.te
new file mode 100644
index 00000000..3734e33c
--- /dev/null
+++ b/sepolicy/display/common/file.te
@@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;
diff --git a/sepolicy/display/common/file_contexts b/sepolicy/display/common/file_contexts
new file mode 100644
index 00000000..bca77466
--- /dev/null
+++ b/sepolicy/display/common/file_contexts
@@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/sepolicy/display/gs101/genfs_contexts b/sepolicy/display/gs101/genfs_contexts
new file mode 100644
index 00000000..8ea3b669
--- /dev/null
+++ b/sepolicy/display/gs101/genfs_contexts
@@ -0,0 +1,16 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/exynos-drm/tui_status u:object_r:sysfs_display:s0
diff --git a/sepolicy/display/gs101/hal_graphics_composer_default.te b/sepolicy/display/gs101/hal_graphics_composer_default.te
new file mode 100644
index 00000000..dccddf0e
--- /dev/null
+++ b/sepolicy/display/gs101/hal_graphics_composer_default.te
@@ -0,0 +1,46 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+ # For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to access vendor log file
+allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
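Review bot: `allow hal_graphics_composer_default vendor_log_file:file create_file_perms;` near the end applies to all builds, while the matching `vendor_log_file:dir create_dir_perms` rule is inside `userdebug_or_eng`. Unless another policy file grants directory access, on user builds the file rule is either ineffective or broader than the debug-only logging it appears to serve. Move it into the `userdebug_or_eng` block beside the dir rule, or add a comment naming the user-build path that needs it. `get_prop(hal_graphics_composer_default, boot_status_prop);` also has a trailing semicolon that the other macro calls in this file omit.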
diff --git a/sepolicy/edgetpu/device.te b/sepolicy/edgetpu/device.te
new file mode 100644
index 00000000..9296ba50
--- /dev/null
+++ b/sepolicy/edgetpu/device.te
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
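Review bot: `mlstrustedobject` exempts `edgetpu_device` from MLS level checks, but the only comment describes what the device is, not why the exemption is needed. State the reason next to the attribute, for example `# mlstrustedobject: device fds are handed to processes running at per-app MLS levels` if that is the case (inferred, please confirm). Without it the attribute tends to get copied to other device types by habit.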
diff --git a/sepolicy/edgetpu/edgetpu_app_service.te b/sepolicy/edgetpu/edgetpu_app_service.te
new file mode 100644
index 00000000..58ce2464
--- /dev/null
+++ b/sepolicy/edgetpu/edgetpu_app_service.te
@@ -0,0 +1,38 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;
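Review bot: `allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;` sits under a comment that mentions only /dev/abrolhos, so the write access to the EdgeTPU sysfs tree is undocumented. If the service only reads status attributes, `r_file_perms` is sufficient; otherwise name the attribute it writes in a comment. The `neverallow appdomain edgetpu_device:chr_file { open };` guard would be easier to find and keep if it lived beside the `edgetpu_device` type declaration rather than in one server's policy file.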
diff --git a/sepolicy/edgetpu/edgetpu_logging.te b/sepolicy/edgetpu/edgetpu_logging.te
new file mode 100644
index 00000000..8c2f0dc7
--- /dev/null
+++ b/sepolicy/edgetpu/edgetpu_logging.te
@@ -0,0 +1,15 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/abrolhos
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow edgetpu_logging sysfs_edgetpu:dir search;
+allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
+
+# Allow TPU logging service to log to stats service. (metrics)
+allow edgetpu_logging fwk_stats_service:service_manager find;
+binder_call(edgetpu_logging, system_server);
+binder_use(edgetpu_logging)
diff --git a/sepolicy/edgetpu/edgetpu_vendor_service.te b/sepolicy/edgetpu/edgetpu_vendor_service.te
new file mode 100644
index 00000000..10605107
--- /dev/null
+++ b/sepolicy/edgetpu/edgetpu_vendor_service.te
@@ -0,0 +1,31 @@
+# EdgeTPU vendor service.
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_vendor_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_vendor_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_vendor_server);
+
+# EdgeTPU vendor service to register the service to service_manager.
+add_service(edgetpu_vendor_server, edgetpu_vendor_service);
+
+# Allow communications between other vendor services.
+allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
+
+# Allow EdgeTPU vendor service to access its data files.
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+
+# Allow EdgeTPU vendor service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_vendor_server hal_camera_default:fd use;
+
+# Allow EdgeTPU vendor service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_vendor_server proc_version:file r_file_perms;
+
+# Allow EdgeTPU vendor service to read the overcommit_memory info.
+allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms;
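Review bot: `allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };` hand-writes a permission set, whereas other files in this commit (hal_bluetooth_btlinux.te, hal_confirmationui.te) use `vndbinder_use(...)`. Prefer `vndbinder_use(edgetpu_vendor_server)` for consistency, or, if the narrower hand-written set is deliberate, add a comment saying so. The domain also calls `binder_use` and `binder_service` on the framework binder; a one-line comment on why a vendor daemon needs both binder contexts would help reviewers.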
diff --git a/sepolicy/edgetpu/file.te b/sepolicy/edgetpu/file.te
new file mode 100644
index 00000000..2482dbf3
--- /dev/null
+++ b/sepolicy/edgetpu/file.te
@@ -0,0 +1,9 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+
diff --git a/sepolicy/edgetpu/file_contexts b/sepolicy/edgetpu/file_contexts
new file mode 100644
index 00000000..04f8491f
--- /dev/null
+++ b/sepolicy/edgetpu/file_contexts
@@ -0,0 +1,27 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU runtime libraries
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# EdgeTPU metrics logging service.
+/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
diff --git a/sepolicy/edgetpu/genfs_contexts b/sepolicy/edgetpu/genfs_contexts
new file mode 100644
index 00000000..345d2990
--- /dev/null
+++ b/sepolicy/edgetpu/genfs_contexts
@@ -0,0 +1,4 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
+
diff --git a/sepolicy/edgetpu/hal_neuralnetworks_darwinn.te b/sepolicy/edgetpu/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..f301a729
--- /dev/null
+++ b/sepolicy/edgetpu/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,53 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Allow DarwiNN service to access unix sockets for IPC.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
+
+# Register to hwbinder service.
+# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
+
+# Allow TPU HAL to read the kernel version.
+# This is done inside the InitGoogle.
+allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
+
+# Allow TPU NNAPI HAL to log to stats service. (metrics)
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, system_server);
+binder_use(hal_neuralnetworks_darwinn)
+
+# Allow TPU NNAPI HAL to request power hints from the Power Service
+hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
+
+# TPU NNAPI to register the service to service_manager.
+add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
+
+# Allow TPU NNAPI HAL to read the overcommit_memory info.
+allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+
+# Allows the NNAPI HAL to access the edgetpu_app_service
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
+
+# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled
+# under userdebug builds.
+userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)')
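Review bot: The comment above the two `sysfs_edgetpu` rules names the logging service, but both rules grant access to `hal_neuralnetworks_darwinn`. It looks copied from another policy file and should read something like `# Allow the NNAPI HAL to read EdgeTPU sysfs nodes`. The comment on the `vendor_configs_file` rule also misspells the service as "DawriNN". Separately, `hwbinder_use` and the `hwservicemanager_prop` read are documented as hwbinder registration, while this file registers through `add_service` and the labelled binary is the `-aidl` service. If no HIDL path remains, those two lines can be dropped rather than kept as unused grants.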
diff --git a/sepolicy/edgetpu/priv_app.te b/sepolicy/edgetpu/priv_app.te
new file mode 100644
index 00000000..db6e0a27
--- /dev/null
+++ b/sepolicy/edgetpu/priv_app.te
@@ -0,0 +1,12 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_app_service:service_manager find;
+
+# Allows privileged applications to discover the NNAPI TPU service.
+allow priv_app edgetpu_nnapi_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows privileged applications to access the PowerHAL.
+hal_client_domain(priv_app, hal_power)
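Review bot: The `edgetpu_device:chr_file` rule grants `ioctl` with no command filter, so every ioctl the driver implements is reachable from an app that holds a descriptor, and withholding `open` does not narrow that. The same rule appears for `untrusted_app_all` in sepolicy/edgetpu/untrusted_app_all.te, where the exposure matters more. I would pair each grant with an extended-permission allowlist, e.g. `allowxperm priv_app edgetpu_device:chr_file ioctl { <EDGETPU_APP_IOCTL_CMDS> };`. The command list is a placeholder here and has to come from the driver header.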
diff --git a/sepolicy/edgetpu/property.te b/sepolicy/edgetpu/property.te
new file mode 100644
index 00000000..ed93d448
--- /dev/null
+++ b/sepolicy/edgetpu/property.te
@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+
diff --git a/sepolicy/edgetpu/property_contexts b/sepolicy/edgetpu/property_contexts
new file mode 100644
index 00000000..130cfefe
--- /dev/null
+++ b/sepolicy/edgetpu/property_contexts
@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+
diff --git a/sepolicy/edgetpu/service.te b/sepolicy/edgetpu/service.te
new file mode 100644
index 00000000..46bee033
--- /dev/null
+++ b/sepolicy/edgetpu/service.te
@@ -0,0 +1,5 @@
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+type edgetpu_vendor_service, service_manager_type, vendor_service;
+type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/sepolicy/edgetpu/service_contexts b/sepolicy/edgetpu/service_contexts
new file mode 100644
index 00000000..76fe43da
--- /dev/null
+++ b/sepolicy/edgetpu/service_contexts
@@ -0,0 +1,7 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+
diff --git a/sepolicy/edgetpu/untrusted_app_all.te b/sepolicy/edgetpu/untrusted_app_all.te
new file mode 100644
index 00000000..9abec616
--- /dev/null
+++ b/sepolicy/edgetpu/untrusted_app_all.te
@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
diff --git a/sepolicy/edgetpu/vendor_init.te b/sepolicy/edgetpu/vendor_init.te
new file mode 100644
index 00000000..aec79583
--- /dev/null
+++ b/sepolicy/edgetpu/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_edgetpu_service_prop)
diff --git a/sepolicy/gs101-sepolicy.mk b/sepolicy/gs101-sepolicy.mk
new file mode 100644
index 00000000..d33fcd4e
--- /dev/null
+++ b/sepolicy/gs101-sepolicy.mk
@@ -0,0 +1,41 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101
+
+# Micro sensor framework (usf)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/usf
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+# Dauntless (uses Citadel policy currently)
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# sscoredump
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/sscoredump
+
+# Public
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/health
diff --git a/sepolicy/health/file_contexts b/sepolicy/health/file_contexts
new file mode 100644
index 00000000..55321741
--- /dev/null
+++ b/sepolicy/health/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0
diff --git a/sepolicy/modem/user/dmd.te b/sepolicy/modem/user/dmd.te
new file mode 100644
index 00000000..eabf8930
--- /dev/null
+++ b/sepolicy/modem/user/dmd.te
@@ -0,0 +1,29 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+
+binder_call(dmd, hwservicemanager)
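Review bot: The `tcp_socket` rules let dmd bind, listen and accept on any local address, and the comment `# Grant to access tcp socket` does not say who connects or why. The file sits under modem/user, so this listener presumably ships in user builds. If it only serves the external logging tool, the two rules belong inside `userdebug_or_eng(...)`. Otherwise the comment should name the expected peer and interface. `bind` is already part of `create_socket_perms_no_ioctl`, so the rule can read `allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept };`, as vcd.te in this commit does.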
diff --git a/sepolicy/modem/user/file.te b/sepolicy/modem/user/file.te
new file mode 100644
index 00000000..e2beb8bc
--- /dev/null
+++ b/sepolicy/modem/user/file.te
@@ -0,0 +1 @@
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
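Review bot: `mlstrustedobject` exempts `vendor_slog_file` from the MLS constraints, and nothing in the hunk says which domain at a different level needs that. The only accessor visible in this part of the commit is dmd. If no app-level domain touches /data/vendor/slog, the declaration can be `type vendor_slog_file, file_type, data_file_type;`. Otherwise add a comment naming the consumer that requires the exemption.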
diff --git a/sepolicy/modem/user/file_contexts b/sepolicy/modem/user/file_contexts
new file mode 100644
index 00000000..ff1482bc
--- /dev/null
+++ b/sepolicy/modem/user/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/vendor/bin/dmd u:object_r:dmd_exec:s0
diff --git a/sepolicy/modem/user/property.te b/sepolicy/modem/user/property.te
new file mode 100644
index 00000000..353b1c8a
--- /dev/null
+++ b/sepolicy/modem/user/property.te
@@ -0,0 +1,3 @@
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_modem_prop)
diff --git a/sepolicy/modem/user/property_contexts b/sepolicy/modem/user/property_contexts
new file mode 100644
index 00000000..0be942b8
--- /dev/null
+++ b/sepolicy/modem/user/property_contexts
@@ -0,0 +1,14 @@
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+
diff --git a/sepolicy/modem/userdebug/file_contexts b/sepolicy/modem/userdebug/file_contexts
new file mode 100644
index 00000000..20b74c64
--- /dev/null
+++ b/sepolicy/modem/userdebug/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/vcd u:object_r:vcd_exec:s0
diff --git a/sepolicy/modem/userdebug/vcd.te b/sepolicy/modem/userdebug/vcd.te
new file mode 100644
index 00000000..c4af485f
--- /dev/null
+++ b/sepolicy/modem/userdebug/vcd.te
@@ -0,0 +1,11 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(vcd)
+
+get_prop(vcd, vendor_rild_prop);
+get_prop(vcd, vendor_persist_config_default_prop);
+
+allow vcd serial_device:chr_file rw_file_perms;
+allow vcd radio_device:chr_file rw_file_perms;
+allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+allow vcd node:tcp_socket node_bind;
diff --git a/sepolicy/neuralnetworks/file_contexts b/sepolicy/neuralnetworks/file_contexts
new file mode 100644
index 00000000..fc151ab9
--- /dev/null
+++ b/sepolicy/neuralnetworks/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/sepolicy/neuralnetworks/hal_neuralnetworks_armnn.te b/sepolicy/neuralnetworks/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..c9872853
--- /dev/null
+++ b/sepolicy/neuralnetworks/hal_neuralnetworks_armnn.te
@@ -0,0 +1,9 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type;
+
+allow hal_neuralnetworks_armnn gpu_device:chr_file rw_file_perms;
+
+init_daemon_domain(hal_neuralnetworks_armnn)
+
diff --git a/sepolicy/pkvm/file_contexts b/sepolicy/pkvm/file_contexts
new file mode 100644
index 00000000..310aad4d
--- /dev/null
+++ b/sepolicy/pkvm/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0
diff --git a/sepolicy/pkvm/vendor_misc_writer.te b/sepolicy/pkvm/vendor_misc_writer.te
new file mode 100644
index 00000000..b9b4ceb1
--- /dev/null
+++ b/sepolicy/pkvm/vendor_misc_writer.te
@@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
diff --git a/sepolicy/private/dex2oat.te b/sepolicy/private/dex2oat.te
new file mode 100644
index 00000000..50d7852c
--- /dev/null
+++ b/sepolicy/private/dex2oat.te
@@ -0,0 +1,59 @@
+# b/187016929
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat proc_filesystems:file read ;
+dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat proc_filesystems:file read ;
+dontaudit dex2oat postinstall_apex_mnt_dir:file getattr ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
+dontaudit dex2oat vendor_overlay_file:file read ;
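Review bot: The 58 `dontaudit` lines in this file are three distinct rules repeated, which looks like raw denial-tool output pasted without deduplication. The file reduces to `dontaudit dex2oat vendor_overlay_file:file read;`, `dontaudit dex2oat proc_filesystems:file read;` and `dontaudit dex2oat postinstall_apex_mnt_dir:file getattr;` under the same bug comment. The same repetition is in sepolicy/private/incidentd.te, lpdumpd.te and priv_app.te, and in tracking_denials/untrusted_app.te and hal_neuralnetworks_armnn.te. Collapsing them makes it much easier to see what is actually being silenced when the tracking bugs are resolved.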
diff --git a/sepolicy/private/fsverity_init.te b/sepolicy/private/fsverity_init.te
new file mode 100644
index 00000000..ed3728d6
--- /dev/null
+++ b/sepolicy/private/fsverity_init.te
@@ -0,0 +1,2 @@
+# b/193474772
+dontaudit fsverity_init domain:key view;
diff --git a/sepolicy/private/gmscore_app.te b/sepolicy/private/gmscore_app.te
new file mode 100644
index 00000000..e52eb551
--- /dev/null
+++ b/sepolicy/private/gmscore_app.te
@@ -0,0 +1,3 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;
+dontaudit gmscore_app proc_vendor_sched:file write;
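Review bot: `dontaudit gmscore_app adbd_prop:file *;` silences every permission on that type, so a later unexpected access would leave no audit record either. The priv_app and incidentd hunks in this commit list only open, getattr and map for the same type. If those are the observed denials here too, `dontaudit gmscore_app adbd_prop:file { open getattr map };` keeps the log quiet without hiding anything else. The same wildcard is used in sepolicy/private/hal_dumpstate_default.te and untrusted_app_25.te.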
diff --git a/sepolicy/private/hal_dumpstate_default.te b/sepolicy/private/hal_dumpstate_default.te
new file mode 100644
index 00000000..83c75689
--- /dev/null
+++ b/sepolicy/private/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/sepolicy/private/incidentd.te b/sepolicy/private/incidentd.te
new file mode 100644
index 00000000..1557f065
--- /dev/null
+++ b/sepolicy/private/incidentd.te
@@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;
diff --git a/sepolicy/private/lpdumpd.te b/sepolicy/private/lpdumpd.te
new file mode 100644
index 00000000..86a101c5
--- /dev/null
+++ b/sepolicy/private/lpdumpd.te
@@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;
diff --git a/sepolicy/private/permissioncontroller_app.te b/sepolicy/private/permissioncontroller_app.te
new file mode 100644
index 00000000..4619571c
--- /dev/null
+++ b/sepolicy/private/permissioncontroller_app.te
@@ -0,0 +1,3 @@
+allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
+allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
+
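Review bot: The two `allow` rules carry no comment or bug reference, unlike the neighbouring files. They give permissioncontroller_app write access to `proc_vendor_sched` files, the same access that priv_app.te and gmscore_app.te in this commit only `dontaudit`. A header such as `# b/<bug-id>: permissioncontroller_app writes proc_vendor_sched for <reason>` would record why this one domain gets the grant. Both fields are placeholders to be filled in by the author.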
diff --git a/sepolicy/private/postinstall_dexopt.te b/sepolicy/private/postinstall_dexopt.te
new file mode 100644
index 00000000..2b51e8b7
--- /dev/null
+++ b/sepolicy/private/postinstall_dexopt.te
@@ -0,0 +1,2 @@
+# b/194142604
+dontaudit postinstall_dexopt odsign_prop:file read;
diff --git a/sepolicy/private/priv_app.te b/sepolicy/private/priv_app.te
new file mode 100644
index 00000000..c77a18da
--- /dev/null
+++ b/sepolicy/private/priv_app.te
@@ -0,0 +1,20 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app proc_vendor_sched:file write;
diff --git a/sepolicy/private/radio.te b/sepolicy/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
+++ b/sepolicy/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/sepolicy/private/service_contexts b/sepolicy/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/sepolicy/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/sepolicy/private/untrusted_app_25.te b/sepolicy/private/untrusted_app_25.te
new file mode 100644
index 00000000..f26e0815
--- /dev/null
+++ b/sepolicy/private/untrusted_app_25.te
@@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/sepolicy/private/wait_for_keymaster.te b/sepolicy/private/wait_for_keymaster.te
new file mode 100644
index 00000000..0e29999c
--- /dev/null
+++ b/sepolicy/private/wait_for_keymaster.te
@@ -0,0 +1,2 @@
+# b/188114822
+dontaudit wait_for_keymaster servicemanager:binder transfer;
diff --git a/sepolicy/system_ext/private/platform_app.te b/sepolicy/system_ext/private/platform_app.te
new file mode 100644
index 00000000..e9dcc76b
--- /dev/null
+++ b/sepolicy/system_ext/private/platform_app.te
@@ -0,0 +1,5 @@
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
+
+# allow systemui to access fingerprint
+hal_client_domain(platform_app, hal_fingerprint)
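Review bot: Both rules are granted to the whole `platform_app` domain, while the comments say they are for systemui. Every app running in that domain can therefore set `bootanim_system_prop` and act as a fingerprint HAL client. The comments should state the real scope, e.g. `# platform_app (includes SystemUI): allow setting boot animation colors`. If only SystemUI needs the fingerprint HAL, a dedicated domain assigned through seapp_contexts would keep the grant narrow, which would be a change outside this hunk.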
diff --git a/sepolicy/system_ext/private/property_contexts b/sepolicy/system_ext/private/property_contexts
new file mode 100644
index 00000000..9cf97280
--- /dev/null
+++ b/sepolicy/system_ext/private/property_contexts
@@ -0,0 +1,8 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+
+# Boot animation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0 exact int
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0 exact int
diff --git a/sepolicy/system_ext/public/property.te b/sepolicy/system_ext/public/property.te
new file mode 100644
index 00000000..8908e485
--- /dev/null
+++ b/sepolicy/system_ext/public/property.te
@@ -0,0 +1,2 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
diff --git a/sepolicy/telephony/pktrouter/device.te b/sepolicy/telephony/pktrouter/device.te
new file mode 100644
index 00000000..3225bac6
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/device.te
@@ -0,0 +1 @@
+type pktrouter_device, dev_type;
diff --git a/sepolicy/telephony/pktrouter/file_contexts b/sepolicy/telephony/pktrouter/file_contexts
new file mode 100644
index 00000000..f6e73dbf
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/file_contexts
@@ -0,0 +1,4 @@
+# WFC
+/vendor/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0
+
+/dev/umts_wfc[01] u:object_r:pktrouter_device:s0
diff --git a/sepolicy/telephony/pktrouter/netutils_wrapper.te b/sepolicy/telephony/pktrouter/netutils_wrapper.te
new file mode 100644
index 00000000..ff1be58e
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/netutils_wrapper.te
@@ -0,0 +1,7 @@
+allow netutils_wrapper pktrouter:fd use;
+allow netutils_wrapper pktrouter:fifo_file write;
+allow netutils_wrapper pktrouter:netlink_route_socket { read write };
+allow netutils_wrapper pktrouter:packet_socket { read write };
+allow netutils_wrapper pktrouter:rawip_socket { read write };
+allow netutils_wrapper pktrouter:udp_socket { read write };
+allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
diff --git a/sepolicy/telephony/pktrouter/pktrouter.te b/sepolicy/telephony/pktrouter/pktrouter.te
new file mode 100644
index 00000000..e06c8db6
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/pktrouter.te
@@ -0,0 +1,13 @@
+type pktrouter, domain;
+type pktrouter_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(pktrouter)
+net_domain(pktrouter)
+
+domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);
+
+allow pktrouter pktrouter_device:chr_file rw_file_perms;
+allow pktrouter self:netlink_route_socket nlmsg_write;
+allow pktrouter self:packet_socket { bind create read write getattr shutdown};
+allow pktrouter self:capability net_raw;
+
+get_prop(pktrouter, vendor_ims_prop);
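Review bot: `net_raw`, the `packet_socket` permissions and `nlmsg_write` on the route socket are granted with no comment, so a reader cannot tell which of them the WFC packet router needs and which could be removed later. A short comment per group would do, e.g. `# Raw packet I/O on the WFC interfaces` and `# Route changes are made through netutils_wrapper, see domain_auto_trans above`. That wording is inferred from the file names and needs confirming. The permission set is also missing a space before the closing brace: `{ bind create read write getattr shutdown };`.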
diff --git a/sepolicy/telephony/pktrouter/property.te b/sepolicy/telephony/pktrouter/property.te
new file mode 100644
index 00000000..a3d6a392
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_ims_prop)
diff --git a/sepolicy/telephony/pktrouter/property_contexts b/sepolicy/telephony/pktrouter/property_contexts
new file mode 100644
index 00000000..4165d92c
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/property_contexts
@@ -0,0 +1,3 @@
+# for ims service
+vendor.pktrouter u:object_r:vendor_ims_prop:s0
+
diff --git a/sepolicy/telephony/pktrouter/vendor_init.te b/sepolicy/telephony/pktrouter/vendor_init.te
new file mode 100644
index 00000000..3a867815
--- /dev/null
+++ b/sepolicy/telephony/pktrouter/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_ims_prop)
diff --git a/sepolicy/telephony/user/file_contexts b/sepolicy/telephony/user/file_contexts
new file mode 100644
index 00000000..1aafb7e3
--- /dev/null
+++ b/sepolicy/telephony/user/file_contexts
@@ -0,0 +1,3 @@
+# ECC List
+/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0
+
diff --git a/sepolicy/telephony/user/init_radio.te b/sepolicy/telephony/user/init_radio.te
new file mode 100644
index 00000000..3a29edf3
--- /dev/null
+++ b/sepolicy/telephony/user/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/sepolicy/tracking_denials/dumpstate.te b/sepolicy/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..fc4afa4d
--- /dev/null
+++ b/sepolicy/tracking_denials/dumpstate.te
@@ -0,0 +1,6 @@
+# b/185723618
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
+# b/190337283
+dontaudit dumpstate debugfs_wakeup_sources:file read;
+# b/226717475
+dontaudit dumpstate app_zygote:process { signal };
diff --git a/sepolicy/tracking_denials/hal_drm_default.te b/sepolicy/tracking_denials/hal_drm_default.te
new file mode 100644
index 00000000..ee4ed089
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_drm_default.te
@@ -0,0 +1,2 @@
+# b/223502652
+dontaudit hal_drm_default vndbinder_device:chr_file { read };
diff --git a/sepolicy/tracking_denials/hal_fingerprint_default.te b/sepolicy/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..9a2d37e5
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,9 @@
+# b/183338543
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+# b/187015705
+dontaudit hal_fingerprint_default property_socket:sock_file write;
diff --git a/sepolicy/tracking_denials/hal_neuralnetworks_armnn.te b/sepolicy/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..120510fd
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_neuralnetworks_armnn.te
@@ -0,0 +1,5 @@
+# b/180550063
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/190563897
+dontaudit hal_neuralnetworks_armnn default_prop:file read;
diff --git a/sepolicy/tracking_denials/hal_power_default.te b/sepolicy/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..47f5162e
--- /dev/null
+++ b/sepolicy/tracking_denials/hal_power_default.te
@@ -0,0 +1,3 @@
+# b/192617242
+dontaudit hal_power_default hal_power_default:capability dac_read_search;
+dontaudit hal_power_default hal_power_default:capability dac_override;
diff --git a/sepolicy/tracking_denials/incidentd.te b/sepolicy/tracking_denials/incidentd.te
new file mode 100644
index 00000000..2187eab4
--- /dev/null
+++ b/sepolicy/tracking_denials/incidentd.te
@@ -0,0 +1,4 @@
+# b/187015816
+dontaudit incidentd apex_info_file:file getattr;
+# b/190337296
+dontaudit incidentd debugfs_wakeup_sources:file read;
diff --git a/sepolicy/tracking_denials/init-insmod-sh.te b/sepolicy/tracking_denials/init-insmod-sh.te
new file mode 100644
index 00000000..8b2358b2
--- /dev/null
+++ b/sepolicy/tracking_denials/init-insmod-sh.te
@@ -0,0 +1,4 @@
+# b/193474772
+dontaudit init-insmod-sh self:key write;
+# b/193726003
+dontaudit init-insmod-sh debugfs_bootreceiver_tracing:dir search;
diff --git a/sepolicy/tracking_denials/kernel.te b/sepolicy/tracking_denials/kernel.te
new file mode 100644
index 00000000..7901bdcf
--- /dev/null
+++ b/sepolicy/tracking_denials/kernel.te
@@ -0,0 +1,4 @@
+#b/228181404
+dontaudit kernel vendor_maxfg_debugfs:dir { search };
+#b/247905787
+dontaudit kernel vendor_votable_debugfs:dir { search };
diff --git a/sepolicy/tracking_denials/rebalance_interrupts_vendor.te b/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
new file mode 100644
index 00000000..f6cec9e1
--- /dev/null
+++ b/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
@@ -0,0 +1,2 @@
+# b/189275648
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability dac_override;
diff --git a/sepolicy/tracking_denials/surfaceflinger.te b/sepolicy/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..2db24d73
--- /dev/null
+++ b/sepolicy/tracking_denials/surfaceflinger.te
@@ -0,0 +1,2 @@
+# b/176868297
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
diff --git a/sepolicy/tracking_denials/untrusted_app.te b/sepolicy/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..9b098f88
--- /dev/null
+++ b/sepolicy/tracking_denials/untrusted_app.te
@@ -0,0 +1,4 @@
+# b/184593993
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
diff --git a/sepolicy/tracking_denials/update_engine.te b/sepolicy/tracking_denials/update_engine.te
new file mode 100644
index 00000000..98e7b851
--- /dev/null
+++ b/sepolicy/tracking_denials/update_engine.te
@@ -0,0 +1,2 @@
+# b/187016910
+dontaudit update_engine mnt_vendor_file:dir search ;
diff --git a/sepolicy/tracking_denials/uwb_vendor_app.te b/sepolicy/tracking_denials/uwb_vendor_app.te
new file mode 100644
index 00000000..91933c0d
--- /dev/null
+++ b/sepolicy/tracking_denials/uwb_vendor_app.te
@@ -0,0 +1,2 @@
+# b/193009345
+dontaudit uwb_vendor_app radio_service:service_manager find;
diff --git a/sepolicy/tracking_denials/vendor_init.te b/sepolicy/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..d27b8e95
--- /dev/null
+++ b/sepolicy/tracking_denials/vendor_init.te
@@ -0,0 +1,2 @@
+# b/190337297
+dontaudit vendor_init vendor_page_pinner_debugfs:file setattr;
diff --git a/sepolicy/trusty_metricsd/file_contexts b/sepolicy/trusty_metricsd/file_contexts
new file mode 100644
index 00000000..bedf7437
--- /dev/null
+++ b/sepolicy/trusty_metricsd/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0
diff --git a/sepolicy/trusty_metricsd/trusty_metricsd.te b/sepolicy/trusty_metricsd/trusty_metricsd.te
new file mode 100644
index 00000000..63fc85b6
--- /dev/null
+++ b/sepolicy/trusty_metricsd/trusty_metricsd.te
@@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
diff --git a/sepolicy/usf/file.te b/sepolicy/usf/file.te
new file mode 100644
index 00000000..8f49e32b
--- /dev/null
+++ b/sepolicy/usf/file.te
@@ -0,0 +1,16 @@
+#
+# USF file SELinux type enforcements.
+#
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+
+# Declare the sensor debug data file type. By convention, data file types
+# end with "data_file".
+type sensor_debug_data_file, file_type, data_file_type;
+
diff --git a/sepolicy/usf/file_contexts b/sepolicy/usf/file_contexts
new file mode 100644
index 00000000..3c7833b1
--- /dev/null
+++ b/sepolicy/usf/file_contexts
@@ -0,0 +1,12 @@
+#
+# USF SELinux file security contexts.
+#
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+
+# Sensor debug data files.
+/data/vendor/sensors/debug(/.*)? u:object_r:sensor_debug_data_file:s0
diff --git a/sepolicy/usf/sensor_hal.te b/sepolicy/usf/sensor_hal.te
new file mode 100644
index 00000000..491d6403
--- /dev/null
+++ b/sepolicy/usf/sensor_hal.te
@@ -0,0 +1,80 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files and camera persist files.
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+r_dir_file(hal_sensors_default, persist_camera_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+userdebug_or_eng(`
+ # Allow creation and writing of sensor debug data files.
+ allow hal_sensors_default sensor_debug_data_file:dir rw_dir_perms;
+ allow hal_sensors_default sensor_debug_data_file:file create_file_perms;
+')
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+allow hal_sensors_default sysfs_aoc:file r_file_perms;
+
+# Allow use of the USF low latency transport.
+usf_low_latency_transport(hal_sensors_default)
+
+# Allow sensor HAL to reset AOC.
+allow hal_sensors_default sysfs_aoc_reset:file rw_file_perms;
+
+# Allow sensor HAL to read AoC dumpstate.
+allow hal_sensors_default sysfs_aoc_dumpstate:file r_file_perms;
+
+# Allow access for dynamic sensor properties.
+get_prop(hal_sensors_default, vendor_dynamic_sensor_prop)
+
+# Allow access to raw HID devices for dynamic sensors.
+allow hal_sensors_default hidraw_device:chr_file rw_file_perms;
+
+# Allow sensor HAL to access the display service HAL
+allow hal_sensors_default hal_pixel_display_service:service_manager find;
+binder_call(hal_sensors_default, hal_graphics_composer_default)
+
+# Allow sensor HAL to access to display sysfs.
+allow hal_sensors_default sysfs_display:file r_file_perms;
+
+#
+# Suez type enforcements.
+#
+
+# Allow SensorSuez to connect AIDL stats.
+binder_use(hal_sensors_default);
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow access to CHRE socket to connect to nanoapps.
+unix_socket_connect(hal_sensors_default, chre, chre)
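Review bot: Two sysfs rules grant write where the comment only describes read-style use: `sysfs_aoc_boottime:file rw_file_perms` (chre.te in this commit gets `r_file_perms` on the same type) and `sysfs_leds:file rw_file_perms` for display info. If the HAL only reads these nodes, `allow hal_sensors_default sysfs_aoc_boottime:file r_file_perms;` and `allow hal_sensors_default sysfs_leds:file r_file_perms;` would be enough; if it does write, the comment should say what is written. The `hidraw_device:chr_file rw_file_perms` rule covers every node carrying that label, so its comment should name which devices file_contexts maps to `hidraw_device` (not visible in this hunk). Minor: `binder_call(hal_sensors_default, system_server);` and `binder_use(hal_sensors_default);` carry a trailing semicolon that the other macro calls in the file do not.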
diff --git a/sepolicy/usf/te_macros b/sepolicy/usf/te_macros
new file mode 100644
index 00000000..01ac13c1
--- /dev/null
+++ b/sepolicy/usf/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/sepolicy/whitechapel/vendor/google/aocd.te b/sepolicy/whitechapel/vendor/google/aocd.te
new file mode 100644
index 00000000..69b0af0d
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/aocd.te
@@ -0,0 +1,21 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+r_dir_file(aocd, persist_aoc_file);
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file rw_file_perms;
+
+# allow inotify to watch for additions/removals from /dev
+allow aocd device:dir r_dir_perms;
+
+# set properties
+set_prop(aocd, vendor_aoc_prop)
diff --git a/sepolicy/whitechapel/vendor/google/aocdump.te b/sepolicy/whitechapel/vendor/google/aocdump.te
new file mode 100644
index 00000000..ca468a35
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/aocdump.te
@@ -0,0 +1,19 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ allow aocdump wifi_logging_data_file:dir create_dir_perms;
+ allow aocdump wifi_logging_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+ r_dir_file(aocdump, proc_asound)
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump property_socket:sock_file { write };
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
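Review bot: `allow aocdump property_socket:sock_file { write };` looks redundant, because `set_prop(aocdump, vendor_audio_prop)` a few lines above it already expands to the property-socket connect rules; dropping the explicit line keeps the macro as the single source. Only the first rule in the `userdebug_or_eng` block is commented. The writes into `radio_vendor_data_file` and `wifi_logging_data_file` (the latter with `create_dir_perms`) and the `audio_vendor_data_file:sock_file { create unlink }` rule give no reason, so a one-line comment per group saying what aocdump stores there would let a reviewer judge whether the scope is right.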
diff --git a/sepolicy/whitechapel/vendor/google/attributes b/sepolicy/whitechapel/vendor/google/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/sepolicy/whitechapel/vendor/google/audioserver.te b/sepolicy/whitechapel/vendor/google/audioserver.te
new file mode 100644
index 00000000..c7d69097
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/audioserver.te
@@ -0,0 +1,3 @@
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
+allow audioserver audio_service:service_manager find;
diff --git a/sepolicy/whitechapel/vendor/google/bipchmgr.te b/sepolicy/whitechapel/vendor/google/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
diff --git a/sepolicy/whitechapel/vendor/google/bluetooth.te b/sepolicy/whitechapel/vendor/google/bluetooth.te
new file mode 100644
index 00000000..92737abe
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/bluetooth.te
@@ -0,0 +1,3 @@
+allow bluetooth proc_vendor_sched:dir search;
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
diff --git a/sepolicy/whitechapel/vendor/google/bootanim.te b/sepolicy/whitechapel/vendor/google/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te b/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/sepolicy/whitechapel/vendor/google/bug_map b/sepolicy/whitechapel/vendor/google/bug_map
new file mode 100644
index 00000000..b7c26b57
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/bug_map
@@ -0,0 +1,3 @@
+permissioncontroller_app proc_vendor_sched file b/190671898
+vendor_ims_app default_prop file b/194281028
+hal_fingerprint_default default_prop property_service b/215640468
diff --git a/sepolicy/whitechapel/vendor/google/cbd.te b/sepolicy/whitechapel/vendor/google/cbd.te
new file mode 100644
index 00000000..cbd222ff
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/cbd.te
@@ -0,0 +1,64 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+# Allow cbd to setuid from root to radio
+# TODO: confirming with vendor via b/182334947
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ r_dir_file(cbd, vendor_slog_file)
+
+ allow cbd kernel:system syslog_read;
+
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
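Review bot: `allow cbd vendor_shell_exec:file execute_no_trans;` and the matching `vendor_toolbox_exec` rule have no comment, and they carry more weight than most lines in this file. A shell started with `execute_no_trans` stays in the `cbd` domain, so whatever it runs has everything else granted here, including `setuid`/`setgid`, `kmsg_device` write and create access to the modem EFS and userdata files. Please add a comment naming what cbd executes, e.g. `# cbd runs <command list, to be filled in> via the vendor shell`, or give those helpers a domain of their own if the set is fixed. The `setgid setuid` TODO cites b/182334947 but leaves the capability granted on all build types; a note on whether it can be dropped once confirmed would help.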
diff --git a/sepolicy/whitechapel/vendor/google/cbrs_setup.te b/sepolicy/whitechapel/vendor/google/cbrs_setup.te
new file mode 100644
index 00000000..1abbcff1
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/cbrs_setup.te
@@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+ app_domain(cbrs_setup_app)
+ net_domain(cbrs_setup_app)
+
+ allow cbrs_setup_app app_api_service:service_manager find;
+ allow cbrs_setup_app cameraserver_service:service_manager find;
+ allow cbrs_setup_app radio_service:service_manager find;
+ set_prop(cbrs_setup_app, radio_prop)
+ set_prop(cbrs_setup_app, vendor_rild_prop)
+')
diff --git a/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te b/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te
new file mode 100644
index 00000000..f6e514d9
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te
@@ -0,0 +1,10 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# allow the HAL to call our registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
diff --git a/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem b/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
new file mode 100644
index 00000000..d11ad3d0
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw
+b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v
+Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb
+WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/
+amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK
+aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0
+oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho
++9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td
+5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK
+rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki
+uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag
+ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
+HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5
+FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9
+Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp
+ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL
+EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB
+GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U
+XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0
+IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj
+pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
diff --git a/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem b/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
new file mode 100644
index 00000000..640c6fb9
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
diff --git a/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem b/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
new file mode 100644
index 00000000..0e7c9ed5
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv
+X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds
+ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa
+IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW
+fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ
+KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW
+BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s
+ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X
+QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG
+gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj
+RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn
+iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ
+KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t
+fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z
+0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe
+cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0
+6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg
+NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY
+ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp
+BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
diff --git a/sepolicy/whitechapel/vendor/google/charger_vendor.te b/sepolicy/whitechapel/vendor/google/charger_vendor.te
new file mode 100644
index 00000000..df59b717
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/charger_vendor.te
@@ -0,0 +1,10 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
diff --git a/sepolicy/whitechapel/vendor/google/chre.te b/sepolicy/whitechapel/vendor/google/chre.te
new file mode 100644
index 00000000..26c1675f
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/chre.te
@@ -0,0 +1,27 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
+# Allow CHRE to talk to the WiFi HAL
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+
+# Allow CHRE host to talk to stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
diff --git a/sepolicy/whitechapel/vendor/google/con_monitor.te b/sepolicy/whitechapel/vendor/google/con_monitor.te
new file mode 100644
index 00000000..8695ccaa
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/con_monitor.te
@@ -0,0 +1,10 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain, coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
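Review bot: `type con_monitor_app, domain, coredomain;` tags the app as a core (system-side) domain, yet the file sits in the vendor policy tree and its last two rules give the app write access to `radio_vendor_data_file`. That is a system/vendor data crossing, and nothing in the file says why it is needed or which partition the app ships on. A comment above the type line recording that intent would help, for example `# System-partition app; writes connectivity logs under the radio vendor data dir` (wording to be confirmed by the owner). If the app is actually vendor-installed, `coredomain` should probably be dropped.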
diff --git a/sepolicy/whitechapel/vendor/google/device.te b/sepolicy/whitechapel/vendor/google/device.te
new file mode 100644
index 00000000..94ec0bb4
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/device.te
@@ -0,0 +1,54 @@
+# Block Devices
+type efs_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type sda_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+
+# Exynos devices
+type vendor_gnss_device, dev_type;
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# RLS device
+type rls_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# AOC device
+type aoc_device, dev_type;
+
+# Fingerprint device
+type fingerprint_device, dev_type;
+
+# AMCS device
+type amcs_device, dev_type;
+
+# Battery history
+type battery_history_device, dev_type;
+
+# Raw HID device
+type hidraw_device, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
diff --git a/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te b/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te
new file mode 100644
index 00000000..95845a18
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te
@@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/dmd.te b/sepolicy/whitechapel/vendor/google/dmd.te
new file mode 100644
index 00000000..b51c34d6
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/dmd.te
@@ -0,0 +1,5 @@
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_app)
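Review bot: The two `hwservice_manager` rules spell out by hand what `add_hwservice(dmd, hal_vendor_oem_hwservice)` provides, and they omit the macro's `neverallow` that stops any other domain from registering the same service. hal_exo_camera_injection.te in this commit already uses `add_hwservice(...)`; using it here would replace both `allow` lines with one and keep registration exclusive to dmd. The three `binder_call` targets are app domains and carry no comment, so a line saying whether these are callback recipients or services dmd consumes would make the direction clear.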
diff --git a/sepolicy/whitechapel/vendor/google/domain.te b/sepolicy/whitechapel/vendor/google/domain.te
new file mode 100644
index 00000000..fd876e09
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/domain.te
@@ -0,0 +1,2 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
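Review bot: These two rules give every domain except apps and `rs` write access to `proc_vendor_sched` files, with no comment explaining why a policy-wide grant is needed. That is a much wider surface than the per-domain rule bluetooth.te adds in this commit. If only a known set of processes adjusts these values, listing them (or an attribute for them) in place of `domain` would be tighter. At minimum add a comment stating the reason, e.g. `# Each process writes its own vendor scheduler settings` if that is in fact the case.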
diff --git a/sepolicy/whitechapel/vendor/google/dumpstate.te b/sepolicy/whitechapel/vendor/google/dumpstate.te
new file mode 100644
index 00000000..cdf6e8ef
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/dumpstate.te
@@ -0,0 +1,17 @@
+dump_hal(hal_telephony)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_uwb_vendor)
+
+userdebug_or_eng(`
+ allow dumpstate media_rw_data_file:file append;
+')
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+
+allow dumpstate modem_efs_file:dir getattr;
+allow dumpstate modem_img_file:dir getattr;
+allow dumpstate modem_userdata_file:dir getattr;
+allow dumpstate fuse:dir search;
+
+dontaudit dumpstate vendor_dmabuf_debugfs:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/e2fs.te b/sepolicy/whitechapel/vendor/google/e2fs.te
new file mode 100644
index 00000000..a6664594
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/e2fs.te
@@ -0,0 +1,6 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
diff --git a/sepolicy/whitechapel/vendor/google/euiccpixel_app.te b/sepolicy/whitechapel/vendor/google/euiccpixel_app.te
new file mode 100644
index 00000000..8763117f
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/euiccpixel_app.te
@@ -0,0 +1,29 @@
+# EuiccSupportPixel app
+
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+allow euiccpixel_app surfaceflinger_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+ net_domain(euiccpixel_app)
+
+ # Access to directly upgrade firmware on st54spi_device used for engineering devices
+ typeattribute st54spi_device mlstrustedobject;
+ allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly upgrade firmware on st33spi_device used for engineering devices
+ typeattribute st33spi_device mlstrustedobject;
+ allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
+
+ allow euiccpixel_app sysfs_st33spi:dir search;
+ allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
+ allow euiccpixel_app sysfs_touch:dir search;
+')
+
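Review bot: `typeattribute st54spi_device mlstrustedobject;` and the same line for `st33spi_device` change the device types themselves, not just this app's access. On userdebug/eng builds the MLS constraint no longer applies to those nodes for any domain that holds an allow rule on them. Declaring that inside an app's .te file is easy to miss: either say so in the comment, e.g. `# NOTE: mlstrustedobject is type-wide, not limited to euiccpixel_app`, or put the attribute next to the type declarations in device.te under the same `userdebug_or_eng` guard. `allow euiccpixel_app sysfs_touch:dir search;` at the end of the block has no stated reason.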
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
new file mode 100644
index 00000000..1a5b393d
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te
new file mode 100644
index 00000000..a90de48e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te
@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(exo_app, hal_exo_camera_injection)
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts b/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts
new file mode 100644
index 00000000..98627c63
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service u:object_r:hal_exo_camera_injection_exec:s0
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
new file mode 100644
index 00000000..138d1b1d
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te
new file mode 100644
index 00000000..cea97689
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te
@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
diff --git a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
new file mode 100644
index 00000000..59ccfe67
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0
diff --git a/sepolicy/whitechapel/vendor/google/fastbootd.te b/sepolicy/whitechapel/vendor/google/fastbootd.te
new file mode 100644
index 00000000..e350e0f3
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/fastbootd.te
@@ -0,0 +1,9 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd st54spi_device:chr_file rw_file_perms;
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
+allow fastbootd citadel_device:chr_file rw_file_perms;
+')
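Review bot: The single comment ties all six rules to the bootcontrol HAL's `set_active`, but it does not explain why that needs read/write on `st54spi_device` (declared as a SecureElement SPI device in device.te) and on `citadel_device`. A short comment per group would make the scope reviewable: one above the `devinfo_block_device`, `sda_block_device`, `custom_ab_block_device` and `sysfs_ota` lines, and a separate one giving the reason for the two chip-facing device nodes (reasons to be supplied by the author). The rules inside `recovery_only(` are also not indented, unlike the `userdebug_or_eng` blocks elsewhere in this commit.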
diff --git a/sepolicy/whitechapel/vendor/google/file.te b/sepolicy/whitechapel/vendor/google/file.te
new file mode 100644
index 00000000..48cb759d
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/file.te
@@ -0,0 +1,223 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_telephony_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_ion_debugfs, fs_type, debugfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type;
+type vendor_page_pinner_debugfs, fs_type, debugfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+
+# Exynos sysfs
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+type sysfs_ota, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_usf_reg_edit, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# Fingerprint
+type sysfs_fingerprint, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# All files under /data/vendor/firmware/wifi
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type debugfs_f2fs, debugfs_type, fs_type;
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# Touch
+type proc_touch, proc_type, fs_type, mlstrustedobject;
+type sysfs_touch, sysfs_type, fs_type;
+
+# AOC
+type sysfs_aoc_dumpstate, sysfs_type, fs_type;
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+type sysfs_aoc_reset, sysfs_type, fs_type;
+
+# Audio
+type persist_audio_file, file_type, vendor_persist_type;
+type persist_aoc_file, file_type, vendor_persist_type;
+type audio_vendor_data_file, file_type, data_file_type;
+type aoc_audio_file, file_type, vendor_file_type;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+type persist_modem_file, file_type, vendor_persist_type;
+
+
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
+# TCP logging
+type tcpdump_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# Wireless
+type sysfs_wlc, sysfs_type, fs_type;
+
+# Pca
+type sysfs_pca, sysfs_type, fs_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+type sysfs_camera, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+type sysfs_gps, sysfs_type, fs_type;
+type sysfs_gps_assert, sysfs_type, fs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type powerstats_vendor_data_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# bcl
+type sysfs_bcl, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_spi, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# CPU
+type sysfs_cpu, sysfs_type, fs_type;
+
+# Fabric
+type sysfs_fabric, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;
+
+# Video
+type sysfs_video, sysfs_type, fs_type;
+
+# UWB vendor
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+type uwb_data_vendor, file_type, data_file_type;
+
+# PixelStats_vendor
+type sysfs_pixelstats, fs_type, sysfs_type;
+
+# WLC FW
+type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
+
+#USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
+# SJTAG
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;
+userdebug_or_eng(`
+ typeattribute sysfs_st33spi mlstrustedobject;
+')
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
+
+# BootControl
+type sysfs_bootctl, sysfs_type, fs_type;
+
+#vendor-metrics
+type sysfs_vendor_metrics, fs_type, sysfs_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute radio_vendor_data_file mlstrustedobject;
+')
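Review bot: `sensor_vendor_data_file`, `proc_touch` and `tcpdump_vendor_data_file` receive `mlstrustedobject` in every build variant. By contrast `vendor_gps_file`, `sysfs_sjtag`, `sysfs_st33spi` and `radio_vendor_data_file` get it only inside `userdebug_or_eng`. The attribute exempts the object from MLS checks, so only the type-enforcement rules separate it from domains running with app categories. For packet-capture output that deserves an explicit justification. If the tcpdump logger is a debug-only feature (not visible in this hunk), drop the attribute from the `type` line and add `typeattribute tcpdump_vendor_data_file mlstrustedobject;` inside a `userdebug_or_eng` block like the others. Otherwise add a comment on each of the three lines naming the domain that needs the MLS exemption.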
diff --git a/sepolicy/whitechapel/vendor/google/file_contexts b/sepolicy/whitechapel/vendor/google/file_contexts
new file mode 100644
index 00000000..a75eff9e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/file_contexts
@@ -0,0 +1,441 @@
+#
+# Exynos HAL
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101 u:object_r:hal_usb_impl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101 u:object_r:hal_usb_gadget_impl_exec:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0
+
+/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0
+/vendor/bin/usf_reg_edit u:object_r:vendor_usf_reg_edit:s0
+/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0
+
+#
+# HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101 u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
+# Wireless charger HAL
+/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
+
+# Vendor Firmwares
+/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0
+
+#
+# Exynos Block Devices
+#
+/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+
+#
+# Exynos Devices
+#
+/dev/gnss_ipc u:object_r:vendor_gnss_device:s0
+/dev/bbd_control u:object_r:vendor_gnss_device:s0
+/dev/bbd_pwrstat u:object_r:power_stats_device:s0
+/dev/ttyBCM u:object_r:vendor_gnss_device:s0
+/dev/radio0 u:object_r:radio_device:s0
+/dev/dri/card0 u:object_r:graphics_device:s0
+/dev/fimg2d u:object_r:graphics_device:s0
+/dev/g2d u:object_r:graphics_device:s0
+/dev/tsmux u:object_r:video_device:s0
+/dev/repeater u:object_r:video_device:s0
+/dev/scsc_h4_0 u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
+/dev/logbuffer_pogo_transport u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468 u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd u:object_r:logbuffer_device:s0
+
+/dev/logbuffer_maxfg_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
+
+# DM tools device
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+
+# OEM IPC device
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+
+# SIPC RIL device
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/watchdog0 u:object_r:watchdog_device:s0
+
+# GPU device
+/dev/mali0 u:object_r:gpu_device:s0
+
+#
+# Exynos Daemon Exec
+#
+/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0
+/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0
+/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/hw/lhd u:object_r:lhd_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0
+/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0
+/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+
+#
+# Exynos Data Files
+#
+# gnss/gps data/log files
+/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0
+
+#
+# Exynos Log Files
+#
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0
+/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0
+/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0
+/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0
+
+/persist/sensorcal\.json u:object_r:sensors_cal_file:s0
+
+# data files
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+
+# Camera
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0
+/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
+/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so u:object_r:same_process_hal_file:s0
+
+/dev/stmvl53l1_ranging u:object_r:rls_device:s0
+
+/dev/lwis-act0 u:object_r:lwis_device:s0
+/dev/lwis-act1 u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377 u:object_r:lwis_device:s0
+/dev/lwis-act-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-csi u:object_r:lwis_device:s0
+/dev/lwis-dpm u:object_r:lwis_device:s0
+/dev/lwis-eeprom0 u:object_r:lwis_device:s0
+/dev/lwis-eeprom1 u:object_r:lwis_device:s0
+/dev/lwis-eeprom2 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-inner u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-rear u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-front u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-flash0 u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
+/dev/lwis-g3aa u:object_r:lwis_device:s0
+/dev/lwis-gdc0 u:object_r:lwis_device:s0
+/dev/lwis-gdc1 u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
+/dev/lwis-ipp u:object_r:lwis_device:s0
+/dev/lwis-itp u:object_r:lwis_device:s0
+/dev/lwis-mcsc u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129 u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0
+/dev/lwis-pdp u:object_r:lwis_device:s0
+/dev/lwis-scsc u:object_r:lwis_device:s0
+/dev/lwis-sensor0 u:object_r:lwis_device:s0
+/dev/lwis-sensor1 u:object_r:lwis_device:s0
+/dev/lwis-sensor2 u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-inner u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-outer u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-rear u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-front u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx363 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0
+/dev/lwis-slc u:object_r:lwis_device:s0
+/dev/lwis-top u:object_r:lwis_device:s0
+/dev/lwis-votf u:object_r:lwis_device:s0
+
+# VIDEO
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0
+/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0
+
+# thermal sysfs files
+/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+
+
+# IMS VoWiFi
+/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0
+/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0
+
+# Sensors
+/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0
+/dev/acd-com.google.usf u:object_r:aoc_device:s0
+/dev/acd-com.google.usf.non_wake_up u:object_r:aoc_device:s0
+/dev/acd-logging u:object_r:aoc_device:s0
+/dev/aoc u:object_r:aoc_device:s0
+
+# Contexthub
+/vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+
+# Modem logging
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+
+# TCP logging
+/vendor/bin/tcpdump_logger u:object_r:tcpdump_logger_exec:s0
+/data/vendor/tcpdump_logger(/.*)? u:object_r:tcpdump_vendor_data_file:s0
+
+# Audio logging
+/vendor/bin/aocdump u:object_r:aocdump_exec:s0
+
+# modem_svc_sit files
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/data/vendor/modem_stat(/.*)? u:object_r:modem_stat_data_file:s0
+
+# modem mnt files
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+
+# Kernel modules related
+/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0
+
+# USB
+/vendor/bin/hw/disable_contaminant_detection\.sh u:object_r:disable-contaminant-detection-sh_exec:s0
+
+# NFC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
+/dev/st21nfc u:object_r:nfc_device:s0
+/data/nfc(/.*)? u:object_r:nfc_data_file:s0
+
+# SecureElement
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
+
+# Bluetooth
+/dev/logbuffer_btlpm u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty16 u:object_r:logbuffer_device:s0
+
+# Audio
+/mnt/vendor/persist/aoc(/.*)? u:object_r:persist_aoc_file:s0
+/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0
+/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0
+/vendor/etc/aoc(/.*)? u:object_r:aoc_audio_file:s0
+/dev/acd-audio_output_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0
+/dev/acd-sound_trigger u:object_r:aoc_device:s0
+/dev/acd-hotword_notification u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm u:object_r:aoc_device:s0
+/dev/acd-model_data u:object_r:aoc_device:s0
+/dev/acd-debug u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0
+/dev/acd-audio_dcdoff_ref u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_rx u:object_r:aoc_device:s0
+/dev/acd-audio_ap_offload_tx u:object_r:aoc_device:s0
+/dev/amcs u:object_r:amcs_device:s0
+
+# AudioMetric
+/(vendor|system/vendor)/bin/hw/vendor\.google\.audiometricext@1\.0-service-vendor u:object_r:hal_audiometricext_default_exec:s0
+
+
+# Trusty
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0
+/dev/sg1 u:object_r:sg_device:s0
+/dev/trusty-log0 u:object_r:logbuffer_device:s0
+
+# Battery
+/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0
+
+# AoC file contexts.
+/vendor/bin/aocd u:object_r:aocd_exec:s0
+
+# GRIL
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
+
+# Uwb
+# R4
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/init\.uwb\.calib\.sh u:object_r:vendor_uwb_init_exec:s0
+/mnt/vendor/persist/uwb(/.*)? u:object_r:persist_uwb_file:s0
+/data/vendor/uwb(/.*)? u:object_r:uwb_data_vendor:s0
+
+# RILD files
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+
+# Citadel StrongBox
+/dev/gsc0 u:object_r:citadel_device:s0
+
+# Tetheroffload Service
+/dev/dit2 u:object_r:vendor_toe_device:s0
+/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service u:object_r:hal_tetheroffload_default_exec:s0
+
+# battery history
+/dev/battery_history u:object_r:battery_history_device:s0
+
+# Vendor_kernel_modules
+/vendor_dlkm/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0
+
+# Display
+/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so u:object_r:same_process_hal_file:s0
+
+# Fingerprint
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc u:object_r:hal_fingerprint_default_exec:s0
+
+# Zram
+/data/per_boot(/.*)? u:object_r:per_boot_file:s0
+
+# cpuctl
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+
+# ODPM
+/data/vendor/powerstats(/.*)? u:object_r:powerstats_vendor_data_file:s0
+
+# sensor direct DMA-BUF heap
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+
+# Console
+/dev/ttySAC0 u:object_r:tty_device:s0
+
+# faceauth DMA-BUF heaps
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+
+# vframe-secure DMA-BUF heap
+/dev/dma_heap/vframe-secure u:object_r:dmabuf_system_secure_heap_device:s0
+
+# vscaler-secure DMA-BUF heap
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
+
+# vstream-secure DMA-BUF heap
+/dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
+
+# BigOcean
+/dev/bigocean u:object_r:video_device:s0
+
+# Fingerprint
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+# Wifi Firmware config update
+/data/vendor/firmware/wifi(/.*)? u:object_r:updated_wifi_firmware_data_file:s0
+
+# WLC FW update
+/vendor/bin/wlc_upt/p9412_mtp u:object_r:vendor_wlc_fwupdata_file:s0
+/vendor/bin/wlc_upt/wlc_fw_update\.sh u:object_r:wlcfwupdate_exec:s0
+
+# Statsd service to support EdgeTPU metrics logging service.
+/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libprotobuf-cpp-lite-3\.9\.1\.so u:object_r:same_process_hal_file:s0
+
+# Raw HID device
+/dev/hidraw[0-9]* u:object_r:hidraw_device:s0
+
+# Radio files.
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
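Review bot: The two USF device entries under `# Sensors` leave their dots unescaped (`/dev/acd-com.google.usf` and `/dev/acd-com.google.usf.non_wake_up`), so each `.` matches any character, whereas most other entries in this file write `\.`. A node whose name differs only at those positions would also be labelled `aoc_device`. Write them as `/dev/acd-com\.google\.usf` and `/dev/acd-com\.google\.usf\.non_wake_up`. Separately, the `gnss@1\.1` and `gnss@2\.0` entries are already covered by the `gnss@[0-9]\.[0-9]-service-brcm` pattern that follows them and map to the same label, so they can be dropped.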
diff --git a/sepolicy/whitechapel/vendor/google/fsck.te b/sepolicy/whitechapel/vendor/google/fsck.te
new file mode 100644
index 00000000..d29555b3
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/fsck.te
@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
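Review bot: These three rules give fsck read/write on the persist, efs and modem_userdata block devices with no comment explaining why. A header such as `# fsck checks the persist, efs and modem_userdata filesystems before they are mounted` (to be confirmed against the device fstab, which is not part of this hunk) would let a later reader tell whether a grant is still needed when the partition layout changes.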
diff --git a/sepolicy/whitechapel/vendor/google/genfs_contexts b/sepolicy/whitechapel/vendor/google/genfs_contexts
new file mode 100644
index 00000000..bd291349
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/genfs_contexts
@@ -0,0 +1,577 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0
+genfscon sysfs /devices/platform/19000000.aoc/reset u:object_r:sysfs_aoc_reset:s0
+
+genfscon sysfs /devices/platform/19000000.aoc/services u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/restart_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/coredump_count u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/ring_buffer_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/host_ipc_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/usf_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/audio_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/logging_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/hotword_wakeup u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
+genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
+
+# WiFi
+genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm/ u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,charger u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock u:object_r:sysfs_batteryinfo:s0
+
+genfscon sysfs /devices/platform/10d50000.hsi2c u:object_r:sysfs_batteryinfo:s0
+# Slider
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+
+
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-2/2-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-3/3-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0061/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412 u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/eeprom u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/uwb/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/chg_stats u:object_r:sysfs_pca:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/chg_stats u:object_r:sysfs_pca:s0
+
+# Storage
+genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0
+genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/attributes/wb_avail_buf u:object_r:sysfs_scsi_devices_0000:s0
+
+# Networking / Tethering
+genfscon sysfs /devices/platform/10d30000.spi/spi_master/spi10/spi10.0/ieee802154/phy0/net u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/gadget/net u:object_r:sysfs_net:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043 u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-005a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a-dual u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a u:object_r:sysfs_vibrator:s0
+
+# Fingerprint
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
+
+# System_suspend
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0043/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-cs40l25a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/i2c-p9412/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/2-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/3-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/4-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/7-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0036/power_supply/maxfg_base/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/tcpm-source-psy-i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.4.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb2/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/11110000.dwc3/xhci-hcd-exynos.5.auto/usb3/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/com.google.usf.non_wake_up/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/0-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/s2mpg10-rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/0-001f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,dock/power_supply/dock/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/sound-aoc/wakeup u:object_r:sysfs_wakeup:s0
+
+# Touch
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0 u:object_r:sysfs_touch:s0
+genfscon proc /fts/driver_test u:object_r:proc_touch:s0
+genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
+genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/input2 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/input3 u:object_r:sysfs_touch:s0
+genfscon sysfs /devices/virtual/input/nvt_touch u:object_r:sysfs_touch:s0
+genfscon proc /nvt_baseline u:object_r:proc_touch:s0
+genfscon proc /nvt_cc_uniformity u:object_r:proc_touch:s0
+genfscon proc /nvt_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_fw_version u:object_r:proc_touch:s0
+genfscon proc /nvt_heatmap u:object_r:proc_touch:s0
+genfscon proc /nvt_pen_diff u:object_r:proc_touch:s0
+genfscon proc /nvt_raw u:object_r:proc_touch:s0
+genfscon proc /nvt_selftest u:object_r:proc_touch:s0
+
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0
+genfscon sysfs /devices/virtual/pps/pps0/assert_elapsed u:object_r:sysfs_gps_assert:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/min_vrefresh u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/idle_delay_ms u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_extinfo u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_idle u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_need_handle_idle_exit u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/hs_clock u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c300000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c301000.drmdecon/counters u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c302000.drmdecon/counters u:object_r:sysfs_display:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0
+
+# Bluetooth
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+
+# ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/0-001f/s2mpg10-meter/s2mpg10-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/name u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/energy_value u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/sampling_rate u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/1-002f/s2mpg11-meter/s2mpg11-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-0/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-1/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-2/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-3/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-4/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-5/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-8/i2c-s2mpg10mfd/s2mpg10-meter/s2mpg10-odpm/wakeup u:object_r:sysfs_wakeup:s0
+
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-0/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-1/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-2/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-3/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-4/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-5/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-6/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/i2c-s2mpg11mfd/s2mpg11-meter/s2mpg11-odpm/wakeup u:object_r:sysfs_wakeup:s0
+
+# bcl sysfs files
+genfscon sysfs /devices/virtual/pmic/mitigation u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_heavy_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/cpu2_light_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/tpu_light_clk_ratio u:object_r:sysfs_bcl:s0
+genfscon sysfs /devices/virtual/pmic/mitigation/clock_ratio/gpu_light_clk_ratio u:object_r:sysfs_bcl:s0
+
+# Chosen
+genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0
+
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0
+
+# OTA
+genfscon sysfs /devices/platform/14700000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
+
+# ACPM
+genfscon sysfs /devices/platform/acpm_stats u:object_r:sysfs_acpm_stats:s0
+
+genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0
+
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0
+
+# CPU
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/uid_time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0
+
+# Devfreq directory
+genfscon sysfs /class/devfreq u:object_r:sysfs_devfreq_dir:s0
+
+# Devfreq current frequency
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
+
+# Fabric
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/interactive/target_load u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/min_freq u:object_r:sysfs_fabric:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/min_freq u:object_r:sysfs_fabric:s0
+
+# GPU
+genfscon sysfs /devices/platform/1c500000.mali/hint_min_freq u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/kprcs u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/power_policy u:object_r:sysfs_gpu:s0
+
+# nvmem (Non Volatile Memory layer)
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-0050/5-00500/nvmem u:object_r:sysfs_memory:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-6/6-0050/6-00500/nvmem u:object_r:sysfs_memory:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-7/7-0050/7-00500/nvmem u:object_r:sysfs_memory:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-8/8-0050/8-00500/nvmem u:object_r:sysfs_memory:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0
+
+# Power Stats
+genfscon sysfs /devices/platform/cpif/modem/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-4/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-5/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-6/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-7/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-8/i2c-st21nfc/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/11920000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+genfscon sysfs /devices/platform/14520000.pcie/power_stats u:object_r:sysfs_power_stats:s0
+
+# debugfs
+
+genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_base u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /maxfg_flip u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0
+genfscon debugfs /page_pinner u:object_r:vendor_page_pinner_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77759_chg u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
+
+# tracefs
+genfscon tracefs /events/dmabuf_heap/dma_heap_stat u:object_r:debugfs_tracing:s0
+
+# sscoredump (per device)
+genfscon sysfs /devices/platform/abrolhos/sscoredump/sscd_abrolhos/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/aoc/sscoredump/sscd_aoc/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/bigocean/sscoredump/sscd_bigocean/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/debugcore/sscoredump/sscd_debugcore/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/mfc-core/sscoredump/sscd_mfc-core/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+genfscon sysfs /devices/platform/wlan/sscoredump/sscd_wlan/report_count u:object_r:sysfs_sscoredump_subsystem_report_count:s0
+
+# mediacodec
+genfscon sysfs /devices/platform/mfc/video4linux/video u:object_r:sysfs_video:s0
+
+# pixelstat_vendor
+genfscon sysfs /devices/platform/audiometrics/codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hs_codec_state u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_impedance u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_excursion u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_heartbeat u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/speaker_temp u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/mic_broken_degrade u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/codec_crashed_counter u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/hwinfo_part_number u:object_r:sysfs_pixelstats:s0
+genfscon sysfs /devices/platform/audiometrics/ams_rate_read_once u:object_r:sysfs_pixelstats:s0
+
+# SJTAG
+genfscon sysfs /devices/platform/sjtag_ap/interface u:object_r:sysfs_sjtag:s0
+genfscon sysfs /devices/platform/sjtag_gsa/interface u:object_r:sysfs_sjtag:s0
+
+# Camera
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/min_freq u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/min_freq u:object_r:sysfs_camera:s0
+
+# thermal sysfs files
+genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_state u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_reg_dump_current_temp u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_top_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_rise_thres u:object_r:sysfs_thermal:s0
+genfscon sysfs /module/gs101_thermal/parameters/tmu_sub_reg_dump_fall_thres u:object_r:sysfs_thermal:s0
+
+# USB-C throttling stats
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/cleared_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/hysteresis_time u:object_r:sysfs_usbc_throttling_stats:s0
+genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time u:object_r:sysfs_usbc_throttling_stats:s0
+
+# Extcon
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-2/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-3/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-4/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-7/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/i2c-max77759tcpc/extcon u:object_r:sysfs_extcon:s0
+
+# SecureElement
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi u:object_r:sysfs_st33spi:s0
+genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi u:object_r:sysfs_st33spi:s0
+
+# Thermal
+genfscon sysfs /devices/platform/100a0000.LITTLE u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.MID u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100a0000.BIG u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.G3D u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.ISP u:object_r:sysfs_thermal:s0
+genfscon sysfs /devices/platform/100b0000.TPU u:object_r:sysfs_thermal:s0
+
+#vendor-metrics
+genfscon sysfs /kernel/metrics/temp_residency/temp_residency_all/stats u:object_r:sysfs_vendor_metrics:s0
+genfscon sysfs /kernel/metrics/resume_latency/resume_latency_metrics u:object_r:sysfs_vendor_metrics:s0
+genfscon sysfs /kernel/metrics/irq/long_irq_metrics u:object_r:sysfs_vendor_metrics:s0
+
+# Trusty
+genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+
+# Coresight ETM
+genfscon sysfs /devices/platform/25840000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25940000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25a40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25b40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25c40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25d40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25e40000.etm u:object_r:sysfs_devices_cs_etm:s0
+genfscon sysfs /devices/platform/25f40000.etm u:object_r:sysfs_devices_cs_etm:s0
+
+# BootControl
+genfscon sysfs /kernel/boot_control/blow_ar u:object_r:sysfs_bootctl:s0
diff --git a/sepolicy/whitechapel/vendor/google/gpsd.te b/sepolicy/whitechapel/vendor/google/gpsd.te
new file mode 100644
index 00000000..791a02e4
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/gpsd.te
@@ -0,0 +1,28 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow gpsd to access pps gpio
+allow gpsd sysfs_gps_assert:file r_file_perms;
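Review bot: `typeattribute gpsd mlstrustedsubject;` in the `userdebug_or_eng` block exempts gpsd from MLS constraints on every object it touches, not only the PixelLogger socket named in the comment. The block keeps this out of user builds, but it also means the debug and release policies differ by more than the single `connectto` rule, so an MLS denial that hits gpsd on a user build may not reproduce on userdebug. I would record that in the comment, e.g. `# mlstrustedsubject lifts MLS checks for all gpsd accesses on debug builds; needed to reach the logger_app socket`. The reason the attribute is needed is presumably logger_app's categories, which is not visible in this hunk and should be confirmed.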
diff --git a/sepolicy/whitechapel/vendor/google/grilservice_app.te b/sepolicy/whitechapel/vendor/google/grilservice_app.te
new file mode 100644
index 00000000..50ff22a5
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/grilservice_app.te
@@ -0,0 +1,12 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app app_api_service:service_manager find;
+allow grilservice_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app hal_audiometricext_hwservice:hwservice_manager find;
+binder_call(grilservice_app, hal_bluetooth_btlinux)
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
+binder_call(grilservice_app, hal_audiometricext_default)
diff --git a/sepolicy/whitechapel/vendor/google/hal_audio_default.te b/sepolicy/whitechapel/vendor/google/hal_audio_default.te
new file mode 100644
index 00000000..0755cba1
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_audio_default.te
@@ -0,0 +1,35 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+allow hal_audio_default amcs_device:file rw_file_perms;
+allow hal_audio_default amcs_device:chr_file rw_file_perms;
+allow hal_audio_default sysfs_pixelstats:file rw_file_perms;
+
+#allow access to DMABUF Heaps for AAudio API
+allow hal_audio_default dmabuf_heap_device:chr_file r_file_perms;
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+hal_client_domain(hal_audio_default, hal_health);
+hal_client_domain(hal_audio_default, hal_thermal);
+allow hal_audio_default fwk_sensor_hwservice:hwservice_manager find;
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
+
+wakelock_use(hal_audio_default);
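Review bot: `allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };` registers the service with a bare allow rule, so nothing in this file prevents a later change from granting `add` on the same hwservice type to another domain. hal_audiometricext_default.te in this same commit uses `add_hwservice(...)`, which additionally emits a neverallow for every other domain; the equivalent here is `add_hwservice(hal_audio_default, hal_audio_ext_hwservice)`. Separately, the `aoc_device:file` and `amcs_device:file` rules sit beside `chr_file` rules for the same types. If those types only label character device nodes (their file_contexts entries are outside this hunk), the `file` rules grant nothing and can be dropped.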
diff --git a/sepolicy/whitechapel/vendor/google/hal_audiometricext_default.te b/sepolicy/whitechapel/vendor/google/hal_audiometricext_default.te
new file mode 100644
index 00000000..5358eac4
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_audiometricext_default.te
@@ -0,0 +1,12 @@
+type hal_audiometricext_default, domain;
+type hal_audiometricext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_audiometricext_default)
+
+allow hal_audiometricext_default amcs_device:chr_file rw_file_perms;
+allow hal_audiometricext_default sysfs_pixelstats:file rw_file_perms;
+
+get_prop(hal_audiometricext_default, vendor_audio_prop);
+get_prop(hal_audiometricext_default, hwservicemanager_prop);
+
+hwbinder_use(hal_audiometricext_default);
+add_hwservice(hal_audiometricext_default, hal_audiometricext_hwservice);
diff --git a/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te b/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te
new file mode 100644
index 00000000..a9f9cdea
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_bootctl_default.te
@@ -0,0 +1,4 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default devinfo_block_device:blk_file rw_file_perms;
+allow hal_bootctl_default sysfs_ota:file rw_file_perms;
+allow hal_bootctl_default sysfs_bootctl:file rw_file_perms;
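Review bot: All four rules grant write access and none carries a comment. That matters here because `sda_block_device:blk_file rw_file_perms` is raw block-device write, and `sysfs_bootctl` is the label this commit's genfs_contexts puts on `/kernel/boot_control/blow_ar`. I would add one comment per rule saying what the HAL does with it, e.g. `# boot LUN selection via /sys/devices/platform/14700000.ufs/pixel/boot_lun_enabled` above the `sysfs_ota` rule. Which nodes `sda_block_device` covers is defined outside this hunk. If it labels the whole disk rather than the partitions bootctl rewrites, a dedicated type for those partitions would keep the write scope to what slot switching needs.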
diff --git a/sepolicy/whitechapel/vendor/google/hal_camera_default.te b/sepolicy/whitechapel/vendor/google/hal_camera_default.te
new file mode 100644
index 00000000..2e36e4a8
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_camera_default.te
@@ -0,0 +1,106 @@
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Tuscany (face auth) code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to query interrupts and set interrupt affinity
+allow hal_camera_default proc_irq:dir r_dir_perms;
+allow hal_camera_default proc_irq:file rw_file_perms;
+allow hal_camera_default proc_interrupts:dir r_dir_perms;
+allow hal_camera_default proc_interrupts:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
\ No newline at end of file
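Review bot: In the first `userdebug_or_eng` block, `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` repeats the unconditional rule a few lines above it, so the only permission the debug block actually adds is `create_dir_perms` on the directory. That leaves the comment "Allow creating dump files for debugging in non-release builds" at odds with the policy, since release builds can already create files of that type. Either drop the duplicate line from the debug block or, if file creation was meant to be debug-only, narrow the unconditional rule (for example to `r_file_perms`) and keep the debug one.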
diff --git a/sepolicy/whitechapel/vendor/google/hal_contexthub.te b/sepolicy/whitechapel/vendor/google/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
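Review bot: The two allow rules are what the `unix_socket_connect` macro expands to, so they can be written as `unix_socket_connect(hal_contexthub_default, chre, chre)`. The macro keeps the `sock_file write` and `connectto` permissions paired, which matches how the rest of the policy grants socket access and makes it harder for a later edit to leave one half behind. The existing comment can stay as it is.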
diff --git a/sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te b/sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/sepolicy/whitechapel/vendor/google/hal_drm_default.te b/sepolicy/whitechapel/vendor/google/hal_drm_default.te
new file mode 100644
index 00000000..30e443a8
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_drm_default.te
@@ -0,0 +1,6 @@
+# L3
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;
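Review bot: The two section comments, `# L3` and `# L1`, do not say what they refer to or why each level needs the rule below it. Presumably these are DRM security levels, but that is not stated anywhere in the file. A fuller comment would let a reviewer judge whether `create_file_perms` and `create_dir_perms` on `mediadrm_vendor_data_file` are the minimum needed, for example `# L3 path: DRM HAL creates and manages its own files under mediadrm_vendor_data_file`.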
diff --git a/sepolicy/whitechapel/vendor/google/hal_dumpstate_default.te b/sepolicy/whitechapel/vendor/google/hal_dumpstate_default.te
new file mode 100644
index 00000000..314546f2
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -0,0 +1,219 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir search;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_bcmdhd:dir search;
+allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_memory:file r_file_perms;
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+# camera debugging dump file access
+allow hal_dumpstate_default vendor_camera_data_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_camera_data_file:file r_file_perms;
+
+# camera prop access
+get_prop(hal_dumpstate_default, vendor_camera_debug_prop);
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+allow hal_dumpstate_default vendor_usf_reg_edit:file execute_no_trans;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+userdebug_or_eng(`
+ allow hal_dumpstate_default sensor_debug_data_file:dir r_dir_perms;
+ allow hal_dumpstate_default sensor_debug_data_file:file r_file_perms;
+')
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_aoc:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_aoc_dumpstate:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_spi:dir search;
+allow hal_dumpstate_default sysfs_spi:file rw_file_perms;
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir search;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+# Touch sysfs interface
+allow hal_dumpstate_default sysfs_touch:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_touch:file rw_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+allow hal_dumpstate_default sysfs_thermal:lnk_file read;
+
+# Modem logs
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:dir r_dir_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+allow hal_dumpstate_default vendor_slog_file:file r_file_perms;
+
+allow hal_dumpstate_default block_device:dir r_dir_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir search;
+allow hal_dumpstate_default sysfs_batteryinfo:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+allow hal_dumpstate_default citadeld_service:service_manager find;
+allow hal_dumpstate_default citadel_updater_exec:file execute_no_trans;
+binder_call(hal_dumpstate_default, citadeld);
+
+allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;
+binder_call(hal_dumpstate_default, hal_graphics_composer_default);
+allow hal_dumpstate_default sysfs_display:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_display:file r_file_perms;
+
+allow hal_dumpstate_default proc_vendor_sched:file read;
+allow hal_dumpstate_default proc_vendor_sched:dir r_dir_perms;
+allow hal_dumpstate_default proc_vendor_sched:file r_file_perms;
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+set_prop(hal_dumpstate_default, vendor_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+set_prop(hal_dumpstate_default, vendor_logger_prop)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+ allow hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms;
+ allow hal_dumpstate_default sysfs_pixel_stat:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+ allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default sysfs_vendor_metrics:dir search;
+ allow hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+ allow hal_dumpstate_default sysfs_bcl:file r_file_perms;
+ allow hal_dumpstate_default sysfs_bcl:lnk_file read;
+ allow hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
+ allow hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
+ allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+ allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+
+ set_prop(hal_dumpstate_default, vendor_tcpdump_log_prop)
+')
+
+dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_page_pinner_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default sysfs_pixel_stat:dir r_dir_perms;
+dontaudit hal_dumpstate_default sysfs_pixel_stat:file r_file_perms;
+
+dontaudit hal_dumpstate_default sysfs_vendor_metrics:dir search;
+dontaudit hal_dumpstate_default sysfs_vendor_metrics:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default mnt_vendor_file:dir r_dir_perms;
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+dontaudit hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+
+dontaudit hal_dumpstate_default sysfs_bcl:dir r_dir_perms;
+dontaudit hal_dumpstate_default sysfs_bcl:file r_file_perms;
+
+dontaudit hal_dumpstate_default rootfs:dir r_dir_perms;
+
+dontaudit hal_dumpstate_default tcpdump_vendor_data_file:dir create_dir_perms;
+dontaudit hal_dumpstate_default tcpdump_vendor_data_file:file create_file_perms;
+dontaudit hal_dumpstate_default vendor_tcpdump_log_prop:file r_file_perms;
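Review bot: Several rules outside the `userdebug_or_eng` blocks give this dump collector write access that nothing in the file explains. They are `rw_file_perms` on `sysfs_spi:file`, `sysfs_touch:file`, `proc_touch:file` and `aoc_device:chr_file`, plus `set_prop` on `vendor_modem_prop` and `vendor_logger_prop`. If a write is only needed to trigger or select a dump, say so in a comment above each rule; otherwise narrow the file rules to `r_file_perms`. The rule `allow hal_dumpstate_default proc_touch:file rw_file_perms;` also appears twice, once under "Touch sysfs interface" and again after the `proc_f2fs` rules. `sysfs_batteryinfo:dir search` and `proc_vendor_sched:file read` are each subsumed by the broader rule on the same type that follows, so the narrower line of each pair can be dropped.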
diff --git a/sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te b/sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te
new file mode 100644
index 00000000..aee24633
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -0,0 +1,35 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:dir search;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms };
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
+
+# Allow fingerprint to access trusty sysfs
+allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
+
+# Allow fingerprint to access display hal
+allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
+binder_call(hal_fingerprint_default, hal_graphics_composer_default)
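Review bot: `allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms };` gives the fingerprint HAL raw write access to a block device, while the comment above it only says it needs to "access calibration blk device". If the HAL only reads calibration data, `r_file_perms` is sufficient. If it does write, the comment should say so, e.g. `# Calibration data is read from and written back to the mfg_data block device`. The rule `allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;` near the top has no comment either, and should name the kernel interface it talks to.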
diff --git a/sepolicy/whitechapel/vendor/google/hal_gnss_default.te b/sepolicy/whitechapel/vendor/google/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te b/sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..9791dae6
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te b/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te
new file mode 100644
index 00000000..0562aa0e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -0,0 +1,6 @@
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to access power hal
+binder_call(hal_graphics_composer_default, hal_power_default);
+hal_client_domain(hal_graphics_composer_default, hal_power);
diff --git a/sepolicy/whitechapel/vendor/google/hal_health_default.te b/sepolicy/whitechapel/vendor/google/hal_health_default.te
new file mode 100644
index 00000000..65a5d483
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_health_default.te
@@ -0,0 +1,18 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+set_prop(hal_health_default, vendor_shutdown_prop)
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
+
+allow hal_health_default fwk_stats_service:service_manager find;
+binder_use(hal_health_default)
+
+allow hal_health_default sysfs_wlc:dir search;
+allow hal_health_default sysfs_batteryinfo:file w_file_perms;
+allow hal_health_default sysfs_thermal:dir search;
+allow hal_health_default sysfs_thermal:file w_file_perms;
+allow hal_health_default sysfs_thermal:lnk_file read;
+allow hal_health_default thermal_link_device:dir search;
diff --git a/sepolicy/whitechapel/vendor/google/hal_health_storage_default.te b/sepolicy/whitechapel/vendor/google/hal_health_storage_default.te
new file mode 100644
index 00000000..2aa0881e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_health_storage_default.te
@@ -0,0 +1,3 @@
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te b/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te
new file mode 100644
index 00000000..00d4c695
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_input_processor_default.te
@@ -0,0 +1,2 @@
+# allow InputProcessor HAL to read the display resolution system property
+get_prop(hal_input_processor_default, vendor_display_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_memtrack_default.te b/sepolicy/whitechapel/vendor/google/hal_memtrack_default.te
new file mode 100644
index 00000000..7554c6ff
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_memtrack_default.te
@@ -0,0 +1 @@
+r_dir_file(hal_memtrack_default, sysfs_gpu)
diff --git a/sepolicy/whitechapel/vendor/google/hal_nfc_default.te b/sepolicy/whitechapel/vendor/google/hal_nfc_default.te
new file mode 100644
index 00000000..247ca3d7
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_nfc_default.te
@@ -0,0 +1,15 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
+# Access uwb cal for SecureRanging Applet
+allow hal_nfc_default uwb_data_vendor:dir r_dir_perms;
+allow hal_nfc_default uwb_data_vendor:file r_file_perms;
+
+# allow nfc to read uwb calibration file
+get_prop(hal_nfc_default, vendor_uwb_calibration_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_power_default.te b/sepolicy/whitechapel/vendor/google/hal_power_default.te
new file mode 100644
index 00000000..122661ae
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_power_default.te
@@ -0,0 +1,16 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default proc_vendor_sched:file rw_file_perms;
+allow hal_power_default cpuctl_device:file rw_file_perms;
+allow hal_power_default sysfs_gpu:file rw_file_perms;
+allow hal_power_default sysfs_devfreq_dir:dir r_dir_perms;
+allow hal_power_default sysfs_fabric:file rw_file_perms;
+allow hal_power_default sysfs_camera:file rw_file_perms;
+allow hal_power_default sysfs_display:file rw_file_perms;
+allow hal_power_default sysfs_bcl:dir r_dir_perms;
+allow hal_power_default sysfs_bcl:file rw_file_perms;
+allow hal_power_default sysfs_trusty:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
+set_prop(hal_power_default, vendor_camera_debug_prop)
+set_prop(hal_power_default, vendor_camera_fatp_prop)
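Review bot: The three `set_prop` lines at the end let the power HAL write `vendor_camera_prop`, `vendor_camera_debug_prop` and `vendor_camera_fatp_prop` on every build type, and the file has no comment explaining why a power HAL sets camera properties. If the debug and FATP properties are only needed on test builds, move those two lines into a `userdebug_or_eng` block, as hal_dumpstate_default.te does for its debug-only rules. Otherwise add a comment such as `# Power HAL publishes camera power hints through these properties`, worded to match the real reason.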
diff --git a/sepolicy/whitechapel/vendor/google/hal_power_stats_default.te b/sepolicy/whitechapel/vendor/google/hal_power_stats_default.te
new file mode 100644
index 00000000..13a0487f
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_power_stats_default.te
@@ -0,0 +1,24 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
+
+# getStats AIDL callback to each power entry
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+r_dir_file(hal_power_stats_default, sysfs_iio_devices)
+allow hal_power_stats_default powerstats_vendor_data_file:dir search;
+allow hal_power_stats_default powerstats_vendor_data_file:file r_file_perms;
+allow hal_power_stats_default sysfs_odpm:dir search;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
+
+allow hal_power_stats_default sysfs_edgetpu:dir search;
+allow hal_power_stats_default sysfs_edgetpu:file r_file_perms;
+
+binder_call(hal_power_stats_default, citadeld)
+r_dir_file(hal_power_stats_default, sysfs_aoc)
+r_dir_file(hal_power_stats_default, sysfs_aoc_dumpstate)
+r_dir_file(hal_power_stats_default, sysfs_cpu)
+r_dir_file(hal_power_stats_default, sysfs_leds)
+r_dir_file(hal_power_stats_default, sysfs_acpm_stats)
+r_dir_file(hal_power_stats_default, sysfs_wifi)
+r_dir_file(hal_power_stats_default, sysfs_backlight)
+r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)
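Review bot: The first two rules, `allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;` and the matching `:file r_file_perms;` line, are repeated by `r_dir_file(hal_power_stats_default, sysfs_scsi_devices_0000)` on the last line, which grants the same directory and file read access. Keep only the macro form so the file reads consistently with the other `r_dir_file` lines. `allow hal_power_stats_default sysfs_odpm:file rw_file_perms;` is the only write grant in the file and carries no comment; a one-line comment saying what the HAL writes to the ODPM nodes would make it reviewable.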
diff --git a/sepolicy/whitechapel/vendor/google/hal_radioext_default.te b/sepolicy/whitechapel/vendor/google/hal_radioext_default.te
new file mode 100644
index 00000000..eef71cf6
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_radioext_default.te
@@ -0,0 +1,21 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, grilservice_app)
+binder_call(hal_radioext_default, hal_bluetooth_btlinux)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
+
+# RW MIPI Freq files
+allow hal_radioext_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_radioext_default radio_vendor_data_file:file create_file_perms;
+allow hal_radioext_default sysfs_display:file rw_file_perms;
+
+# Bluetooth
+allow hal_radioext_default hal_bluetooth_coexistence_hwservice:hwservice_manager find;
diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_default.te b/sepolicy/whitechapel/vendor/google/hal_secure_element_default.te
new file mode 100644
index 00000000..17a679d2
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_secure_element_default.te
@@ -0,0 +1,8 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+set_prop(hal_secure_element_default, vendor_modem_prop)
+
+# Allow hal_secure_element_default to access rild
+binder_call(hal_secure_element_default, rild);
+allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
+
diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te b/sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..a5978f20
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_secure_element_st33spi.te
@@ -0,0 +1,8 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st33spi, vendor_secure_element_prop)
+
+init_daemon_domain(hal_secure_element_st33spi)
diff --git a/sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te b/sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..7f6ea41b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_secure_element_st54spi.te
@@ -0,0 +1,9 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+set_prop(hal_secure_element_st54spi, vendor_nfc_prop)
+set_prop(hal_secure_element_st54spi, vendor_modem_prop)
+init_daemon_domain(hal_secure_element_st54spi)
diff --git a/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te b/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te
new file mode 100644
index 00000000..00ae3214
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_tetheroffload_default.te
@@ -0,0 +1,17 @@
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Allow operations with TOE device
+allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
+
+# Allow NETLINK and socket
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+ unix_dgram_socket
+} create_socket_perms_no_ioctl;
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+hwbinder_use(hal_tetheroffload_default)
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_thermal_default.te b/sepolicy/whitechapel/vendor/google/hal_thermal_default.te
new file mode 100644
index 00000000..9852a767
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_thermal_default.te
@@ -0,0 +1,2 @@
+allow hal_thermal_default sysfs_iio_devices:dir r_dir_perms;
+allow hal_thermal_default sysfs_odpm:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te b/sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te
new file mode 100644
index 00000000..31216c98
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_usb_gadget_impl.te
@@ -0,0 +1,24 @@
+type hal_usb_gadget_impl, domain;
+hal_server_domain(hal_usb_gadget_impl, hal_usb)
+hal_server_domain(hal_usb_gadget_impl, hal_usb_gadget)
+
+type hal_usb_gadget_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_gadget_impl)
+
+allow hal_usb_gadget_impl configfs:dir { create rmdir };
+allow hal_usb_gadget_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_gadget_impl, vendor_usb_config_prop)
+
+allow hal_usb_gadget_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_gadget_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_gadget_impl sysfs_extcon:dir search;
+
+# parser the number of dwc3 irq
+allow hal_usb_gadget_impl proc_interrupts:file r_file_perms;
+
+# change irq to other cores
+allow hal_usb_gadget_impl proc_irq:dir r_dir_perms;
+allow hal_usb_gadget_impl proc_irq:file w_file_perms;
+
+# allow gadget hal to access extcon node
+allow hal_usb_gadget_impl sysfs_extcon:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_usb_impl.te b/sepolicy/whitechapel/vendor/google/hal_usb_impl.te
new file mode 100644
index 00000000..97ec1c7c
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_usb_impl.te
@@ -0,0 +1,28 @@
+type hal_usb_impl, domain;
+hal_server_domain(hal_usb_impl, hal_usb)
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+
+allow hal_usb_impl configfs:dir rw_dir_perms;
+allow hal_usb_impl configfs:file create_file_perms;
+allow hal_usb_impl sysfs_batteryinfo:dir r_dir_perms;
+allow hal_usb_impl sysfs_batteryinfo:file rw_file_perms;
+allow hal_usb_impl sysfs_extcon:dir search;
+
+# Needed for reporting Usb Overheat suez event through statsd
+allow hal_usb_impl fwk_stats_service:service_manager find;
+binder_call(hal_usb_impl, servicemanager)
+
+# Needed for monitoring usb port temperature
+allow hal_usb_impl self:capability2 wake_alarm;
+wakelock_use(hal_usb_impl);
+
+# For interfacing with ThermalHAL
+hal_client_domain(hal_usb_impl, hal_thermal);
+
+# For reading the usb-c throttling stats
+allow hal_usb_impl sysfs_usbc_throttling_stats:file r_file_perms;
+
+# For checking contaminant detection status
+get_prop(hal_usb_impl, vendor_usb_config_prop);
diff --git a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te
new file mode 100644
index 00000000..ccfc1705
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_uwb_vendor_client, hal_uwb_vendor_server)
+binder_call(hal_uwb_vendor_server, hal_uwb_vendor_client)
+
+hal_attribute_service(hal_uwb_vendor, hal_uwb_vendor_service)
+
+binder_call(hal_uwb_vendor_server, servicemanager)
+
+# allow hal_uwb_vendor to set wpan interfaces up and down
+allow hal_uwb_vendor self:udp_socket create_socket_perms;
+allowxperm hal_uwb_vendor self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
+allow hal_uwb_vendor self:global_capability_class_set { net_admin };
+
+# allow hal_uwb_vendor to speak to nl802154 in the kernel
+allow hal_uwb_vendor self:netlink_generic_socket create_socket_perms_no_ioctl;
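Review bot: `allow hal_uwb_vendor self:global_capability_class_set { net_admin };` and the socket rules around it are written against the `hal_uwb_vendor` attribute rather than `hal_uwb_vendor_server`, so every domain that is a member of the attribute receives `net_admin`. If client domains can end up in that attribute in any build configuration, they would inherit it too. Writing these rules against `hal_uwb_vendor_server` makes the intent explicit. The comment also mentions only bringing wpan interfaces up and down, which matches `SIOCSIFFLAGS`; the `allowxperm` line additionally permits `SIOCSIFHWADDR` and `SIOCETHTOOL`. Those two should be named in the comment with their purpose or dropped from the list.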
diff --git a/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te
new file mode 100644
index 00000000..b287433f
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_uwb_vendor_default.te
@@ -0,0 +1,14 @@
+type hal_uwb_vendor_default, domain;
+type hal_uwb_vendor_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_uwb_vendor_default)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb)
+add_service(hal_uwb_vendor_default, hal_uwb_vendor_service)
+
+hal_server_domain(hal_uwb_vendor_default, hal_uwb_vendor)
+binder_call(hal_uwb_vendor_default, uwb_vendor_app)
+
+allow hal_uwb_vendor_default uwb_data_vendor:dir create_dir_perms;
+allow hal_uwb_vendor_default uwb_data_vendor:file create_file_perms;
+
+get_prop(hal_uwb_vendor_default, vendor_uwb_calibration_prop)
diff --git a/sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
new file mode 100644
index 00000000..0cd13b33
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
@@ -0,0 +1,4 @@
+type hal_vendor_hwcservice_default, domain;
+type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_vendor_hwcservice_default)
+
diff --git a/sepolicy/whitechapel/vendor/google/hal_wifi.te b/sepolicy/whitechapel/vendor/google/hal_wifi.te
new file mode 100644
index 00000000..e7f657ec
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_wifi.te
@@ -0,0 +1,3 @@
+# files in /data/vendor/firmware/wifi
+allow hal_wifi updated_wifi_firmware_data_file:dir r_dir_perms;
+allow hal_wifi updated_wifi_firmware_data_file:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te b/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te
new file mode 100644
index 00000000..959f71b6
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_wifi_ext.te
@@ -0,0 +1,13 @@
+# Allow wifi_ext to report callbacks to gril-service app
+binder_call(hal_wifi_ext, grilservice_app)
+
+# Write wlan driver/fw version into property
+set_prop(hal_wifi_ext, vendor_wifi_version)
+
+# Allow wifi_ext to read and write /data/vendor/firmware/wifi
+allow hal_wifi_ext updated_wifi_firmware_data_file:dir rw_dir_perms;
+allow hal_wifi_ext updated_wifi_firmware_data_file:file create_file_perms;
+
+# Allow wifi_ext to read the updated firmware files from app
+allow hal_wifi_ext priv_app:fd use;
+allow hal_wifi_ext privapp_data_file:file { read map };
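Review bot: The last two rules let this vendor HAL read files owned by any `priv_app` domain through a passed file descriptor, and the comment does not record the constraint that makes this acceptable. `privapp_data_file:file { read map }` leaves out `open`, so the HAL can only reach files an app explicitly hands over; say that this is deliberate so nobody later widens it to `r_file_perms`. The HAL also holds `create_file_perms` on `updated_wifi_firmware_data_file`, so the image is app-supplied input to a privileged component. Policy cannot check that, so the comment should point to where the image is validated, e.g. `# fd-only access (no open); firmware image is verified before it is stored`.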
diff --git a/sepolicy/whitechapel/vendor/google/hal_wlc.te b/sepolicy/whitechapel/vendor/google/hal_wlc.te
new file mode 100644
index 00000000..891853c9
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hal_wlc.te
@@ -0,0 +1,16 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
+
+allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+binder_call(hal_wlc, platform_app)
+binder_call(hal_wlc, system_app) \ No newline at end of file
diff --git a/sepolicy/whitechapel/vendor/google/hardware_info_app.te b/sepolicy/whitechapel/vendor/google/hardware_info_app.te
new file mode 100644
index 00000000..80b53377
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hardware_info_app.te
@@ -0,0 +1,24 @@
+type hardware_info_app, domain;
+
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
+
+# Display
+allow hardware_info_app sysfs_display:dir search;
+allow hardware_info_app sysfs_display:file r_file_perms;
+
+# Audio
+allow hardware_info_app sysfs_pixelstats:dir search;
+allow hardware_info_app sysfs_pixelstats:file r_file_perms;
+
+# Storage
+allow hardware_info_app sysfs_scsi_devices_0000:dir search;
+allow hardware_info_app sysfs_scsi_devices_0000:file r_file_perms;
+
+# Battery
+allow hardware_info_app sysfs_batteryinfo:file r_file_perms;
+allow hardware_info_app sysfs_batteryinfo:dir search;
+
+# SoC
+allow hardware_info_app sysfs:file r_file_perms;
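Review bot: `allow hardware_info_app sysfs:file r_file_perms;` under "# SoC" gives an app domain read access to every file that carries the generic `sysfs` label, which is far wider than the other sections of this file, each of which uses a dedicated type. Labelling the SoC node with its own type would keep this rule as narrow as the rest. This commit already references `sysfs_chip_id` in hal_dumpstate_default.te, so if that is the node meant here, the rule could be `allow hardware_info_app sysfs_chip_id:file r_file_perms;`. At minimum the comment should name the sysfs path being read.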
diff --git a/sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te b/sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te
new file mode 100644
index 00000000..b7058090
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -0,0 +1,14 @@
+type hbmsvmanager_app, domain, coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
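Review bot: `allow hbmsvmanager_app cameraserver_service:service_manager find;` is the one grant here with no visible link to the display-related rules above it, and it has no comment. A line such as `# <why the HBM service looks up cameraserver>` should record the reason, or the rule should be dropped if nothing depends on it. Separately, `app_domain(hbmsvmanager_app);` has a trailing semicolon that `app_domain(hardware_info_app)` in the previous file does not. The same stray semicolon appears in `set_prop(oemrilservice_app, vendor_rild_prop);` and `binder_use(pixelstats_vendor);` later in this commit.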
diff --git a/sepolicy/whitechapel/vendor/google/hwservice.te b/sepolicy/whitechapel/vendor/google/hwservice.te
new file mode 100644
index 00000000..a3a3ead1
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hwservice.te
@@ -0,0 +1,24 @@
+type hal_vendor_telephony_hwservice, hwservice_manager_type;
+type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
+
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# WLC
+type hal_wlc_hwservice, hwservice_manager_type;
+
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
+
+# AudioMetric
+type hal_audiometricext_hwservice, hwservice_manager_type;
+
diff --git a/sepolicy/whitechapel/vendor/google/hwservice_contexts b/sepolicy/whitechapel/vendor/google/hwservice_contexts
new file mode 100644
index 00000000..30207772
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hwservice_contexts
@@ -0,0 +1,31 @@
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# VIDEO
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+
+#Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+
+# Wireless charger hal
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
+
+#Audio
+vendor.google.audiometricext::IAudioMetricExt u:object_r:hal_audiometricext_hwservice:s0
+
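Review bot: The first entry labels `vendor.samsung_slsi.hardware.radio::IOemSamsungslsi` as `hal_telephony_hwservice`, while `hwservice.te` in this same commit declares `hal_vendor_telephony_hwservice` and nothing in this file maps to it. If the vendor type was intended, the entry should end `u:object_r:hal_vendor_telephony_hwservice:s0`. As written, the OEM interface shares a label, and so the `find`/`add` rules, with whatever else carries `hal_telephony_hwservice`, which appears to be a type defined outside this tree. If the reuse is deliberate, a comment should say so and the unused type can be removed.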
diff --git a/sepolicy/whitechapel/vendor/google/hwservicemanager.te b/sepolicy/whitechapel/vendor/google/hwservicemanager.te
new file mode 100644
index 00000000..7b64499b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/sepolicy/whitechapel/vendor/google/incident.te b/sepolicy/whitechapel/vendor/google/incident.te
new file mode 100644
index 00000000..672606df
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/incident.te
@@ -0,0 +1,4 @@
+userdebug_or_eng(`
+ allow incident logger_app:fd use;
+ allow incident media_rw_data_file:file append;
+')
diff --git a/sepolicy/whitechapel/vendor/google/init-insmod-sh.te b/sepolicy/whitechapel/vendor/google/init-insmod-sh.te
new file mode 100644
index 00000000..0e60196e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/init-insmod-sh.te
@@ -0,0 +1,19 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh sysfs_leds:dir r_dir_perms;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+allow init-insmod-sh self:capability sys_nice;
+allow init-insmod-sh kernel:process setsched;
+
+set_prop(init-insmod-sh, vendor_device_prop)
+
+userdebug_or_eng(`
+ allow init-insmod-sh vendor_regmap_debugfs:dir search;
+')
+
+dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
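Review bot: `allow init-insmod-sh self:capability sys_nice;` and `allow init-insmod-sh kernel:process setsched;` are granted without a comment, and they are the least expected permissions for a module-loading script. `setsched` on the `kernel` domain lets this domain change the scheduling of kernel threads, so the reason belongs next to the rule, e.g. `# <what the script re-prioritises after loading modules>` (to be filled in by the author). The closing `dontaudit ... proc_cmdline:file r_file_perms;` would likewise benefit from a note on what reads `/proc/cmdline`, since a dontaudit hides the denial from later debugging.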
diff --git a/sepolicy/whitechapel/vendor/google/init.te b/sepolicy/whitechapel/vendor/google/init.te
new file mode 100644
index 00000000..11726894
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/init.te
@@ -0,0 +1,24 @@
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init modem_img_file:dir mounton;
+allow init mnt_vendor_file:dir mounton;
+allow init modem_img_file:filesystem { getattr mount relabelfrom };
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+allow init per_boot_file:file ioctl;
+allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
+allow init sysfs_scsi_devices_0000:file w_file_perms;
+
+# Workaround for b/193113005 that modem_img unlabeled after disable-verity
+dontaudit init overlayfs_file:file { rename };
+dontaudit init overlayfs_file:chr_file { unlink };
diff --git a/sepolicy/whitechapel/vendor/google/installd.te b/sepolicy/whitechapel/vendor/google/installd.te
new file mode 100644
index 00000000..44e74c63
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/installd.te
@@ -0,0 +1 @@
+dontaudit installd modem_img_file:filesystem quotaget;
diff --git a/sepolicy/whitechapel/vendor/google/kernel.te b/sepolicy/whitechapel/vendor/google/kernel.te
new file mode 100644
index 00000000..c34e7f72
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/kernel.te
@@ -0,0 +1,11 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
+
+# memlat needs permision to create/delete perf events when hotplug on/off
+allow kernel self:capability2 perfmon;
+allow kernel self:perf_event cpu;
+
+dontaudit kernel vendor_battery_debugfs:dir search;
diff --git a/sepolicy/whitechapel/vendor/google/keys.conf b/sepolicy/whitechapel/vendor/google/keys.conf
new file mode 100644
index 00000000..fb6e52b6
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/keys.conf
@@ -0,0 +1,8 @@
+[@MDS]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs101-sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
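Review bot: All three `ALL :` entries point at `device/google/gs101-sepolicy/whitechapel/vendor/google/certs/...`, but this commit adds the file under `sepolicy/whitechapel/vendor/google/`. If the policy tree is being moved out of `device/google/gs101-sepolicy`, these paths go stale. The `@MDS`, `@UWB` and `@EUICCSUPPORTPIXEL` signer tags in `mac_permissions.xml` would then be resolved against certificates in the old location, or fail to resolve once it is removed. The paths should name the directory this file now lives in. The certificates themselves are not visible in this part of the diff, so confirm they are added alongside.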
diff --git a/sepolicy/whitechapel/vendor/google/lhd.te b/sepolicy/whitechapel/vendor/google/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/logd.te b/sepolicy/whitechapel/vendor/google/logd.te
new file mode 100644
index 00000000..cc55e204
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/logd.te
@@ -0,0 +1,2 @@
+r_dir_file(logd, logbuffer_device)
+allow logd logbuffer_device:chr_file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/logger_app.te b/sepolicy/whitechapel/vendor/google/logger_app.te
new file mode 100644
index 00000000..14196600
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/logger_app.te
@@ -0,0 +1,33 @@
+userdebug_or_eng(`
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+ allow logger_app sysfs_sscoredump_level:file r_file_perms;
+ allow logger_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+ binder_call(logger_app, rild)
+
+ r_dir_file(logger_app, ramdump_vendor_data_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_coredump_file)
+ r_dir_file(logger_app, sscoredump_vendor_data_crashinfo_file)
+
+ get_prop(logger_app, usb_control_prop)
+ set_prop(logger_app, vendor_logger_prop)
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_gps_prop)
+ set_prop(logger_app, vendor_audio_prop)
+ set_prop(logger_app, vendor_tcpdump_log_prop)
+ set_prop(logger_app, vendor_ramdump_prop)
+ set_prop(logger_app, vendor_ssrdump_prop)
+ set_prop(logger_app, vendor_rild_prop)
+ set_prop(logger_app, logpersistd_logging_prop)
+ set_prop(logger_app, logd_prop)
+ set_prop(logger_app, vendor_usb_config_prop)
+ set_prop(logger_app, vendor_wifi_sniffer_prop)
+
+ dontaudit logger_app default_prop:file { read };
+ dontaudit logger_app proc_vendor_sched:dir search;
+ dontaudit logger_app proc_vendor_sched:file write;
+')
diff --git a/sepolicy/whitechapel/vendor/google/mac_permissions.xml b/sepolicy/whitechapel/vendor/google/mac_permissions.xml
new file mode 100644
index 00000000..6cb7113c
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/mac_permissions.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag.
+ * A signer tag may contain a seinfo tag and multiple package stanzas.
+ * A default tag is allowed that can contain policy for all apps not signed with a
+ previously listed cert. It may not contain any inner package stanzas.
+ * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process.
+ * When a package is installed the following logic is used to determine what seinfo
+ value, if any, is assigned.
+ - All signatures used to sign the app are checked first.
+ - If a signer stanza has inner package stanzas, those stanza will be checked
+ to try and match the package name of the app. If the package name matches
+ then that seinfo tag is used. If no inner package matches then the outer
+ seinfo tag is assigned.
+ - The default tag is consulted last if needed.
+-->
+ <!-- google apps key -->
+ <signer signature="@MDS" >
+ <seinfo value="mds" />
+ </signer>
+ <signer signature="@UWB" >
+ <seinfo value="uwb" />
+ </signer>
+ <signer signature="@EUICCSUPPORTPIXEL" >
+ <seinfo value="EuiccSupportPixel" />
+ </signer>
+</policy>
diff --git a/sepolicy/whitechapel/vendor/google/mediacodec.te b/sepolicy/whitechapel/vendor/google/mediacodec.te
new file mode 100644
index 00000000..0c22d5bf
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/mediacodec.te
@@ -0,0 +1,11 @@
+userdebug_or_eng(`
+ set_prop(mediacodec, vendor_codec2_debug_prop)
+ allow mediacodec vendor_media_data_file:dir rw_dir_perms;
+ allow mediacodec vendor_media_data_file:file create_file_perms;
+')
+
+add_service(mediacodec, eco_service)
+allow mediacodec hal_camera_default:binder call;
+allow mediacodec sysfs_video:file r_file_perms;
+allow mediacodec sysfs_video:dir r_dir_perms;
+allow mediacodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/mediaprovider.te b/sepolicy/whitechapel/vendor/google/mediaprovider.te
new file mode 100644
index 00000000..dc3e1c01
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/mediaprovider.te
@@ -0,0 +1,2 @@
+dontaudit mediaprovider proc_vendor_sched:dir search;
+dontaudit mediaprovider proc_vendor_sched:file write;
diff --git a/sepolicy/whitechapel/vendor/google/modem_diagnostics.te b/sepolicy/whitechapel/vendor/google/modem_diagnostics.te
new file mode 100644
index 00000000..9fa772b4
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/modem_diagnostics.te
@@ -0,0 +1,35 @@
+type modem_diagnostic_app, domain;
+
+app_domain(modem_diagnostic_app)
+net_domain(modem_diagnostic_app)
+
+allow modem_diagnostic_app app_api_service:service_manager find;
+allow modem_diagnostic_app radio_service:service_manager find;
+
+userdebug_or_eng(`
+ binder_call(modem_diagnostic_app, dmd)
+
+ set_prop(modem_diagnostic_app, vendor_cbd_prop)
+ set_prop(modem_diagnostic_app, vendor_rild_prop)
+ set_prop(modem_diagnostic_app, vendor_modem_prop)
+
+ allow modem_diagnostic_app sysfs_chosen:dir r_dir_perms;
+ allow modem_diagnostic_app sysfs_chosen:file r_file_perms;
+
+ allow modem_diagnostic_app vendor_fw_file:file r_file_perms;
+
+ allow modem_diagnostic_app radio_vendor_data_file:dir create_dir_perms;
+ allow modem_diagnostic_app radio_vendor_data_file:file create_file_perms;
+
+ allow modem_diagnostic_app mnt_vendor_file:dir r_dir_perms;
+ allow modem_diagnostic_app mnt_vendor_file:file r_file_perms;
+
+ allow modem_diagnostic_app modem_img_file:dir r_dir_perms;
+ allow modem_diagnostic_app modem_img_file:file r_file_perms;
+ allow modem_diagnostic_app modem_img_file:lnk_file r_file_perms;
+
+ allow modem_diagnostic_app hal_vendor_oem_hwservice:hwservice_manager find;
+
+ allow modem_diagnostic_app sysfs_batteryinfo:file r_file_perms;
+ allow modem_diagnostic_app sysfs_batteryinfo:dir search;
+')
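Review bot: `app_domain(modem_diagnostic_app)`, `net_domain(modem_diagnostic_app)` and the two `service_manager find` rules sit outside the `userdebug_or_eng` block, so on user builds the type is still a network-capable app domain with `radio_service` access. `ofl_app.te` and `ramdump_app.te` in this commit keep `app_domain` inside the block and leave only the `type` declaration outside. If the diagnostics app is not meant to run on user builds, moving those four lines inside the block makes that explicit. If it is meant to, a comment above `app_domain` should say so.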
diff --git a/sepolicy/whitechapel/vendor/google/modem_logging_control.te b/sepolicy/whitechapel/vendor/google/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/modem_logging_control.te
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/sepolicy/whitechapel/vendor/google/modem_svc_sit.te b/sepolicy/whitechapel/vendor/google/modem_svc_sit.te
new file mode 100644
index 00000000..63dec363
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/modem_svc_sit.te
@@ -0,0 +1,35 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:dir create_dir_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+allow modem_svc_sit mnt_vendor_file:dir search;
+allow modem_svc_sit modem_userdata_file:dir create_dir_perms;
+allow modem_svc_sit modem_userdata_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
+
+# logging property
+get_prop(modem_svc_sit, vendor_logger_prop)
+
+# Modem property
+set_prop(modem_svc_sit, vendor_modem_prop)
diff --git a/sepolicy/whitechapel/vendor/google/nfc.te b/sepolicy/whitechapel/vendor/google/nfc.te
new file mode 100644
index 00000000..80784434
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/nfc.te
@@ -0,0 +1,2 @@
+allow nfc proc_vendor_sched:dir r_dir_perms;
+allow nfc proc_vendor_sched:file w_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/oemrilservice_app.te b/sepolicy/whitechapel/vendor/google/oemrilservice_app.te
new file mode 100644
index 00000000..ca8257a1
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/oemrilservice_app.te
@@ -0,0 +1,9 @@
+type oemrilservice_app, domain;
+app_domain(oemrilservice_app)
+
+set_prop(oemrilservice_app, vendor_rild_prop);
+
+allow oemrilservice_app app_api_service:service_manager find;
+allow oemrilservice_app radio_service:service_manager find;
+allow oemrilservice_app hal_exynos_rild_hwservice:hwservice_manager find;
+binder_call(oemrilservice_app, rild)
diff --git a/sepolicy/whitechapel/vendor/google/ofl_app.te b/sepolicy/whitechapel/vendor/google/ofl_app.te
new file mode 100644
index 00000000..a9498165
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/ofl_app.te
@@ -0,0 +1,20 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
+')
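Review bot: `typeattribute st54spi_device mlstrustedobject;` and `typeattribute st33spi_device mlstrustedobject;` change the device types themselves, not just `ofl_app`'s access to them. On userdebug and eng builds the MLS constraints stop applying to both types for every domain that holds a type-enforcement rule on them. The comments describe these as the nodes used to update firmware directly, so that widening should be documented where the device types are declared rather than inside an app's file. A comment such as `# mlstrustedobject on debug builds only, needed by ofl_app firmware update` would do. It is also worth confirming that no narrower way of satisfying MLS for this one app is available.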
diff --git a/sepolicy/whitechapel/vendor/google/omadm.te b/sepolicy/whitechapel/vendor/google/omadm.te
new file mode 100644
index 00000000..3990dd7b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/omadm.te
@@ -0,0 +1,10 @@
+# OMADM app
+type omadm_app, domain;
+
+app_domain(omadm_app)
+net_domain(omadm_app)
+
+allow omadm_app radio_vendor_data_file:dir rw_dir_perms;
+allow omadm_app radio_vendor_data_file:file create_file_perms;
+allow omadm_app app_api_service:service_manager find;
+allow omadm_app radio_service:service_manager find;
diff --git a/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te b/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te
new file mode 100644
index 00000000..eb255475
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/pixelstats_vendor.te
@@ -0,0 +1,31 @@
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+
+binder_call(pixelstats_vendor, stats_service_server)
+binder_use(pixelstats_vendor);
+allow pixelstats_vendor fwk_stats_service:service_manager find;
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
+allow pixelstats_vendor sysfs_pixelstats:file r_file_perms;
+
+# Wireless charge
+allow pixelstats_vendor sysfs_wlc:dir search;
+allow pixelstats_vendor sysfs_wlc:file rw_file_perms;
+
+# Pca charge
+allow pixelstats_vendor sysfs_pca:file rw_file_perms;
+
+# OrientationCollector
+allow pixelstats_vendor fwk_sensor_hwservice:hwservice_manager find;
+
+# Batery history
+allow pixelstats_vendor battery_history_device:chr_file r_file_perms;
+
+#vendor-metrics
+r_dir_file(pixelstats_vendor, sysfs_vendor_metrics)
+
+# BCL
+allow pixelstats_vendor sysfs_bcl:dir search;
+allow pixelstats_vendor sysfs_bcl:file r_file_perms;
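Review bot: `pixelstats_vendor` is given `rw_file_perms` on `sysfs_scsi_devices_0000`, `sysfs_wlc` and `sysfs_pca`, while the other sources in this hunk (`sysfs_pixelstats`, `sysfs_bcl`, `battery_history_device`) are read-only. Nothing in the hunk says why a statistics collector writes to storage or charger sysfs nodes. If it only reads them, the rules should use `r_file_perms`. Otherwise each needs a comment naming what is written, e.g. `# <node> is cleared after the counters are uploaded` (to be confirmed).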
diff --git a/sepolicy/whitechapel/vendor/google/platform_app.te b/sepolicy/whitechapel/vendor/google/platform_app.te
new file mode 100644
index 00000000..49fb531b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/platform_app.te
@@ -0,0 +1,20 @@
+binder_call(platform_app, rild)
+allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_wlc)
+
+allow platform_app proc_vendor_sched:dir r_dir_perms;
+allow platform_app proc_vendor_sched:file w_file_perms;
+
+allow platform_app nfc_service:service_manager find;
+allow platform_app uwb_service:service_manager find;
+
+allow platform_app fwk_stats_service:service_manager find;
+binder_use(platform_app)
+
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+get_prop(platform_app, fingerprint_ghbm_prop)
+
+allow platform_app hal_pixel_display_service:service_manager find;
+binder_call(platform_app, hal_graphics_composer_default)
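Review bot: Every rule in this file is attached to `platform_app`, the domain shared by all platform-signed apps. `binder_call(platform_app, rild)` and the `find` grants on `hal_exynos_rild_hwservice` and `hal_wlc_hwservice` therefore apply to all of those apps, not only to the one that needs them. Only the fingerprint `get_prop` has a comment. Either note next to each grant which app depends on it, or give that app its own domain, as this commit does for `oemrilservice_app`.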
diff --git a/sepolicy/whitechapel/vendor/google/property.te b/sepolicy/whitechapel/vendor/google/property.te
new file mode 100644
index 00000000..f1430adf
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/property.te
@@ -0,0 +1,63 @@
+# For Exynos Properties
+vendor_internal_prop(vendor_prop)
+vendor_internal_prop(vendor_rcs_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_cbd_prop)
+# vendor defaults
+vendor_internal_prop(vendor_config_default_prop)
+vendor_internal_prop(vendor_ro_config_default_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_sys_default_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_audio_prop)
+vendor_internal_prop(vendor_codec2_debug_prop)
+vendor_internal_prop(vendor_display_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_gps_prop)
+
+# Battery defender
+vendor_internal_prop(vendor_battery_defender_prop)
+
+# Battery profile for harness mode
+vendor_internal_prop(vendor_battery_profile_prop)
+
+# hal_health
+vendor_internal_prop(vendor_shutdown_prop)
+
+# AoC
+vendor_internal_prop(vendor_aoc_prop)
+
+# Logger
+vendor_internal_prop(vendor_logger_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
+
+# WiFi
+vendor_internal_prop(vendor_wifi_version)
+
+# Touchpanel
+vendor_internal_prop(vendor_touchpanel_prop)
+
+# TCP logging
+vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
+
+# Dynamic sensor
+vendor_internal_prop(vendor_dynamic_sensor_prop)
+
+# UWB calibration
+system_vendor_config_prop(vendor_uwb_calibration_prop)
+
+# Trusty storage FS ready
+vendor_internal_prop(vendor_trusty_storage_prop)
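Review bot: `vendor_internal_prop(sensors_prop)` declares a vendor property type without the `vendor_` prefix that every other type in this file carries. An unprefixed name in vendor policy can collide with a type that platform policy introduces later, and a duplicate declaration breaks the policy build. `vendor_internal_prop(vendor_sensors_prop)`, with the matching `property_contexts` entries renamed, avoids that. Separately, `property_contexts` in this commit uses `vendor_ramdump_prop` and `vendor_slog_prop`, which are not declared here. They presumably come from another file, but that is worth confirming.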
diff --git a/sepolicy/whitechapel/vendor/google/property_contexts b/sepolicy/whitechapel/vendor/google/property_contexts
new file mode 100644
index 00000000..c9e16156
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/property_contexts
@@ -0,0 +1,123 @@
+# for rild
+persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.radio.ril. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+vendor.radio. u:object_r:vendor_rild_prop:s0
+ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
+
+# Ramdump
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
+
+# for codec2
+vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0
+
+# USB HAL
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# for logger app
+vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
+persist.vendor.verbose_logging_enabled u:object_r:vendor_logger_prop:s0
+
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+persist.vendor.sys.silentlog u:object_r:vendor_slog_prop:s0
+
+# vendor default
+vendor.config. u:object_r:vendor_config_default_prop:s0
+ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+vendor.sys. u:object_r:vendor_sys_default_prop:s0
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+persist.vendor.audio. u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.ondemand u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.config u:object_r:vendor_audio_prop:s0
+vendor.audiodump.output.dir u:object_r:vendor_audio_prop:s0
+vendor.audiodump.encode.disable u:object_r:vendor_audio_prop:s0
+vendor.audiodump.log.cca.updated u:object_r:vendor_audio_prop:s0
+vendor.audiodump.cca.config u:object_r:vendor_audio_prop:s0
+
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+persist.vendor.display. u:object_r:vendor_display_prop:s0
+
+# for camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# for gps
+vendor.gps. u:object_r:vendor_gps_prop:s0
+persist.vendor.gps. u:object_r:vendor_gps_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
+persist.vendor.shutdown. u:object_r:vendor_shutdown_prop:s0
+
+# test battery profile
+persist.vendor.testing_battery_profile u:object_r:vendor_battery_profile_prop:s0
+
+# AoC
+vendor.aoc.firmware.version u:object_r:vendor_aoc_prop:s0
+
+# WiFi
+vendor.wlan.driver.version u:object_r:vendor_wifi_version:s0
+vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
+
+# Touchpanel
+vendor.mfgapi.touchpanel.permission u:object_r:vendor_touchpanel_prop:s0
+
+# Tcpdump_logger
+persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
+vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
+
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
+persist.vendor.udfps. u:object_r:vendor_fingerprint_prop:s0
+
+# Dynamic sensor
+vendor.dynamic_sensor. u:object_r:vendor_dynamic_sensor_prop:s0
+
+# uwb
+ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
+
+# Trusty
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
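Review bot: The `ro.vendor.uwb.calibration.` entry ends in a dot like the prefix entries above it but is marked `exact string`, so it matches only a property with that literal name, trailing dot included. If the intent is to label the calibration properties under that prefix, the line should end `prefix string`. It is also the only entry in this file that states a match kind and value type. Fully spelled-out names such as `ro.vendor.trusty.storage.fs_ready` and `vendor.sys.rild_reset` could be marked `exact` as well, so they do not also label longer names that start with the same string.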
diff --git a/sepolicy/whitechapel/vendor/google/radio.te b/sepolicy/whitechapel/vendor/google/radio.te
new file mode 100644
index 00000000..baa356bd
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/radio.te
@@ -0,0 +1,7 @@
+allow radio hal_exynos_rild_hwservice:hwservice_manager find;
+allow radio proc_vendor_sched:dir r_dir_perms;
+allow radio proc_vendor_sched:file w_file_perms;
+
+# Allow telephony to access file descriptor of the QOS socket
+# so it can make sure the QOS is meant for the intended addresses
+allow radio priv_app:tcp_socket { read write };
diff --git a/sepolicy/whitechapel/vendor/google/ramdump_app.te b/sepolicy/whitechapel/vendor/google/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/ramdump_app.te
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/sepolicy/whitechapel/vendor/google/recovery.te b/sepolicy/whitechapel/vendor/google/recovery.te
new file mode 100644
index 00000000..1974ebb1
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/recovery.te
@@ -0,0 +1,4 @@
+recovery_only(`
+ allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery st54spi_device:chr_file rw_file_perms;
+')
diff --git a/sepolicy/whitechapel/vendor/google/rfsd.te b/sepolicy/whitechapel/vendor/google/rfsd.te
new file mode 100644
index 00000000..2f7102fc
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/rfsd.te
@@ -0,0 +1,39 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+r_dir_file(rfsd, vendor_fw_file)
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
+
+# Allow rfsd to access modem image file/dir
+allow rfsd modem_img_file:dir r_dir_perms;
+allow rfsd modem_img_file:file r_file_perms;
+allow rfsd modem_img_file:lnk_file r_file_perms;
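Review bot: The comment `# Allow to setuid from root to radio` explains `setuid` but not the `chown` capability granted on the same line, and no `setgid` is granted with it. If rfsd really starts as root and switches user itself, it keeps its starting group unless the init service definition sets one, which is not visible here. The comment should record both points, e.g. `# starts as root, chowns <path>, then setuid()s to radio; group comes from the init service`. This matters because the same domain also has `rw_file_perms` on `modem_block_device`.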
diff --git a/sepolicy/whitechapel/vendor/google/ril_config_service.te b/sepolicy/whitechapel/vendor/google/ril_config_service.te
new file mode 100644
index 00000000..0ac43317
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/ril_config_service.te
@@ -0,0 +1,10 @@
+type ril_config_service_app, domain;
+app_domain(ril_config_service_app)
+
+set_prop(ril_config_service_app, vendor_rild_prop)
+allow ril_config_service_app app_api_service:service_manager find;
+allow ril_config_service_app radio_service:service_manager find;
+allow ril_config_service_app radio_vendor_data_file:dir rw_dir_perms;
+allow ril_config_service_app radio_vendor_data_file:file create_file_perms;
+dontaudit ril_config_service_app system_data_file:dir search;
+dontaudit ril_config_service_app user_profile_root_file:dir search;
diff --git a/sepolicy/whitechapel/vendor/google/rild.te b/sepolicy/whitechapel/vendor/google/rild.te
new file mode 100644
index 00000000..78b14e51
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/rild.te
@@ -0,0 +1,38 @@
+set_prop(rild, vendor_rild_prop)
+
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_ro_config_default_prop)
+set_prop(rild, vendor_sys_default_prop)
+
+get_prop(rild, sota_prop)
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, hal_secure_element_default)
+binder_call(rild, platform_app)
+binder_call(rild, modem_svc_sit)
+binder_call(rild, vendor_ims_app)
+binder_call(rild, vendor_rcs_app)
+binder_call(rild, oemrilservice_app)
+binder_call(rild, logger_app)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
+
+# Allow rild to access files on modem img.
+allow rild modem_img_file:dir r_dir_perms;
+allow rild modem_img_file:file r_file_perms;
+allow rild modem_img_file:lnk_file r_file_perms;
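Review bot: The last three `allow rild modem_img_file:...` rules repeat what `r_dir_file(rild, modem_img_file)` already grants earlier in this hunk, because that macro expands to the same dir, file and lnk_file read permissions. Dropping the explicit rules (or the macro call) leaves one place to edit if the access is ever narrowed. The `binder_call` list also has no comment, and `binder_call(rild, platform_app)` covers every platform-signed app rather than one named domain. A one-line comment such as `# callbacks to <APP_PLACEHOLDER> running as platform_app` would record why that breadth is needed.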
diff --git a/sepolicy/whitechapel/vendor/google/rlsservice.te b/sepolicy/whitechapel/vendor/google/rlsservice.te
new file mode 100644
index 00000000..3086bcad
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/rlsservice.te
@@ -0,0 +1,37 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+
+vndbinder_use(rlsservice)
+
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+# access device files
+allow rlsservice rls_device:chr_file rw_file_perms;
+
+binder_call(rlsservice, hal_sensors_default)
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir { read watch };
+allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# Allow access to display backlight information
+allow rlsservice sysfs_leds:dir search;
+allow rlsservice sysfs_leds:file r_file_perms;
+
+# Allow use of the USF low latency transport
+usf_low_latency_transport(rlsservice)
+
+# For observing apex file changes
+allow rlsservice apex_info_file:file r_file_perms;
+
+# Allow read camera property
+get_prop(rlsservice, vendor_camera_prop);
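Review bot: `allow rlsservice device:dir { read watch };` targets the generic `device` label, so it lets rlsservice list and watch the top-level /dev directory, while the comment above it speaks only of the always-on compute node. If the intent is to wait for the AoC node to appear, say so in the comment, e.g. `# Watch /dev for the AoC node to (re)appear; access to the node itself is via aoc_device`. That shows a reader the directory access is deliberate rather than a leftover from audit2allow. The trailing `;` after `get_prop(rlsservice, vendor_camera_prop)` is also inconsistent with the other macro calls in the file.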
diff --git a/sepolicy/whitechapel/vendor/google/scd.te b/sepolicy/whitechapel/vendor/google/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
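Review bot: `typeattribute scd mlstrustedsubject;` exempts scd from MLS constraints for every target, which is wider than the single `logger_app:unix_stream_socket connectto` rule the comment describes. It is limited to userdebug/eng builds, but the comment should state that the attribute exists only because logger_app runs at an app level, e.g. `# mlstrustedsubject: logger_app socket carries an app MLS level; debug builds only`. The `net_domain(scd);` call also carries a stray `;` that the other macro invocations in this file do not have.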
diff --git a/sepolicy/whitechapel/vendor/google/sced.te b/sepolicy/whitechapel/vendor/google/sced.te
new file mode 100644
index 00000000..43292621
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/sced.te
@@ -0,0 +1,23 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(sced)
+
+userdebug_or_eng(`
+typeattribute sced vendor_executes_system_violators;
+
+hwbinder_use(sced)
+binder_call(sced, dmd)
+binder_call(sced, vendor_telephony_app)
+
+get_prop(sced, hwservicemanager_prop)
+allow sced self:packet_socket create_socket_perms_no_ioctl;
+
+allow sced self:capability net_raw;
+allow sced shell_exec:file rx_file_perms;
+allow sced tcpdump_exec:file rx_file_perms;
+allow sced vendor_shell_exec:file x_file_perms;
+allow sced vendor_slog_file:dir create_dir_perms;
+allow sced vendor_slog_file:file create_file_perms;
+allow sced hidl_base_hwservice:hwservice_manager add;
+allow sced hal_vendor_oem_hwservice:hwservice_manager { add find };
+')
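Review bot: The `userdebug_or_eng` block carries no comment, although it marks sced as `vendor_executes_system_violators` and lets it execute `shell_exec` and `tcpdump_exec` with `net_raw` and a packet socket. I would open the block with a short explanation such as `# Debug builds only: sced runs tcpdump via the system shell to capture packets into vendor_slog_file`, adjusted to what the daemon really does. The rules inside the block are also not indented, unlike the `userdebug_or_eng` blocks in scd.te and tcpdump_logger.te in the same commit.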
diff --git a/sepolicy/whitechapel/vendor/google/seapp_contexts b/sepolicy/whitechapel/vendor/google/seapp_contexts
new file mode 100644
index 00000000..f866e37a
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/seapp_contexts
@@ -0,0 +1,58 @@
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app levelFrom=all
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app levelFrom=all
+
+# oemrilservice
+user=_app isPrivApp=true name=com.samsung.slsi.telephony.oemril domain=oemrilservice_app levelFrom=all
+
+# Samsung S.LSI IMS
+user=_app isPrivApp=true name=com.shannon.imsservice domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.imsservice:remote domain=vendor_ims_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.rcsservice:shannonrcsservice domain=vendor_rcs_app levelFrom=all
+user=_app isPrivApp=true name=com.shannon.qualifiednetworksservice domain=vendor_ims_app levelFrom=all
+
+# coredump/ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# Domain for omadm
+user=_app isPrivApp=true seinfo=platform name=com.android.omadm.service domain=omadm_app type=app_data_file levelFrom=all
+
+# Modem Diagnostic System
+user=_app isPrivApp=true seinfo=mds name=com.google.mds domain=modem_diagnostic_app type=app_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# RIL Config Service
+user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
+
+# CBRS setup app
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
+
+# Qorvo UWB system app
+# TODO(b/222204912): Should this run under uwb user?
+user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all
+
+# Domain for EuiccSupportPixel
+user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+
+# CccDkTimeSyncService
+user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
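Review bot: Several entries select a privileged domain by `isPrivApp=true` and package name alone, with no `seinfo=`: com.samsung.slsi.telephony.oemril, the com.shannon.* IMS/RCS entries, com.google.android.grilservice, com.google.android.hardwareinfo and com.google.pixel.digitalkey.timesync. For those, domain assignment is not tied to a signing certificate. Where a matching mac_permissions entry exists, adding `seinfo=<SEINFO_PLACEHOLDER>` would bind each domain to the expected signer, as the omadm, mds and uwb lines in this file already do. The com.google.RilConfigService line is also the only one without `levelFrom`; if that is intentional for a `user=radio` app, a comment saying so would help.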
diff --git a/sepolicy/whitechapel/vendor/google/secure_element.te b/sepolicy/whitechapel/vendor/google/secure_element.te
new file mode 100644
index 00000000..cb6c1396
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/secure_element.te
@@ -0,0 +1,2 @@
+allow secure_element proc_vendor_sched:dir r_dir_perms;
+allow secure_element proc_vendor_sched:file w_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/service.te b/sepolicy/whitechapel/vendor/google/service.te
new file mode 100644
index 00000000..8d5dc1ee
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/service.te
@@ -0,0 +1,2 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
+type hal_uwb_vendor_service, service_manager_type, vendor_service;
diff --git a/sepolicy/whitechapel/vendor/google/service_contexts b/sepolicy/whitechapel/vendor/google/service_contexts
new file mode 100644
index 00000000..25108867
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/service_contexts
@@ -0,0 +1,3 @@
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
+hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
+android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
diff --git a/sepolicy/whitechapel/vendor/google/servicemanager.te b/sepolicy/whitechapel/vendor/google/servicemanager.te
new file mode 100644
index 00000000..efddd92c
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/servicemanager.te
@@ -0,0 +1 @@
+binder_call(servicemanager, hal_fingerprint_default)
diff --git a/sepolicy/whitechapel/vendor/google/shell.te b/sepolicy/whitechapel/vendor/google/shell.te
new file mode 100644
index 00000000..e13e744e
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/shell.te
@@ -0,0 +1,11 @@
+allow shell eco_service:service_manager find;
+
+# Allow access to the SJTAG kernel interface from the shell
+userdebug_or_eng(`
+ allow shell sysfs_sjtag:dir r_dir_perms;
+ allow shell sysfs_sjtag:file rw_file_perms;
+')
+
+dontaudit shell proc_vendor_sched:dir search;
+dontaudit shell proc_vendor_sched:file write;
+dontaudit shell sysfs_wlc:dir search;
diff --git a/sepolicy/whitechapel/vendor/google/ssr_detector.te b/sepolicy/whitechapel/vendor/google/ssr_detector.te
new file mode 100644
index 00000000..f27fcc5b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/ssr_detector.te
@@ -0,0 +1,24 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir create_dir_perms;
+allow ssr_detector_app system_app_data_file:file create_file_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+ allow ssr_detector_app sysfs_sjtag:dir r_dir_perms;
+ allow ssr_detector_app sysfs_sjtag:file rw_file_perms;
+ allow ssr_detector_app proc_vendor_sched:dir search;
+ allow ssr_detector_app proc_vendor_sched:file rw_file_perms;
+ allow ssr_detector_app cgroup:file write;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
+get_prop(ssr_detector_app, vendor_wifi_version)
+get_prop(ssr_detector_app, vendor_aoc_prop)
diff --git a/sepolicy/whitechapel/vendor/google/storageproxyd.te b/sepolicy/whitechapel/vendor/google/storageproxyd.te
new file mode 100644
index 00000000..bf29cbf2
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/storageproxyd.te
@@ -0,0 +1,23 @@
+type sg_device, dev_type;
+type persist_ss_file, file_type, vendor_persist_type;
+
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+allow tee self:capability { setgid setuid };
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };
+
+set_prop(tee, vendor_trusty_storage_prop)
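Review bot: Every rule in storageproxyd.te is attached to the `tee` domain, so the grants apply to whatever runs as `tee`, not only to storageproxyd; a header comment such as `# storageproxyd runs in the tee domain` would make that explicit. `allow tee self:capability { setgid setuid };` also has no comment, unlike the wakelock, fstab and dontaudit rules around it. Something like `# setuid/setgid: drop from root to <USER_PLACEHOLDER> after opening the device` would record why the capabilities are needed.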
diff --git a/sepolicy/whitechapel/vendor/google/system_app.te b/sepolicy/whitechapel/vendor/google/system_app.te
new file mode 100644
index 00000000..8c9d5345
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/system_app.te
@@ -0,0 +1,8 @@
+allow system_app proc_vendor_sched:dir r_dir_perms;
+allow system_app proc_vendor_sched:file w_file_perms;
+
+allow system_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(system_app, hal_wlc)
+
+allow system_app fwk_stats_hwservice:hwservice_manager find;
+allow system_app hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/sepolicy/whitechapel/vendor/google/system_server.te b/sepolicy/whitechapel/vendor/google/system_server.te
new file mode 100644
index 00000000..d064cb73
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/system_server.te
@@ -0,0 +1,6 @@
+# Allow system server to send sensor data callbacks to GPS and camera HALs
+binder_call(system_server, gpsd);
+binder_call(system_server, hal_camera_default);
+
+# pixelstats_vendor/OrientationCollector
+binder_call(system_server, pixelstats_vendor)
diff --git a/sepolicy/whitechapel/vendor/google/tcpdump_logger.te b/sepolicy/whitechapel/vendor/google/tcpdump_logger.te
new file mode 100644
index 00000000..f017cedf
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/tcpdump_logger.te
@@ -0,0 +1,20 @@
+type tcpdump_logger, domain;
+type tcpdump_logger_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+ # make transition from init to its domain
+ init_daemon_domain(tcpdump_logger)
+
+ allow tcpdump_logger self:capability net_raw;
+ allow tcpdump_logger self:packet_socket create_socket_perms;
+ allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;
+ allow tcpdump_logger tcpdump_exec:file rx_file_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger tcpdump_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:file create_file_perms;
+ allow tcpdump_logger radio_vendor_data_file:dir create_dir_perms;
+ allow tcpdump_logger wifi_logging_data_file:file create_file_perms;
+ allow tcpdump_logger wifi_logging_data_file:dir create_dir_perms;
+
+ set_prop(tcpdump_logger, vendor_tcpdump_log_prop)
+')
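Review bot: `allowxperm tcpdump_logger self:packet_socket ioctl 0x8933;` uses a raw number where the policy's ioctl defines provide a name. Writing it as `allowxperm tcpdump_logger self:packet_socket ioctl SIOCGIFINDEX;` shows the reader which single ioctl the preceding `create_socket_perms` grant is narrowed to. The block also gives the logger `create_file_perms` and `create_dir_perms` on `radio_vendor_data_file` and `wifi_logging_data_file` with no comment. One line stating why capture output lands in those directories would help a later audit.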
diff --git a/sepolicy/whitechapel/vendor/google/toolbox.te b/sepolicy/whitechapel/vendor/google/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/trusty_apploader.te b/sepolicy/whitechapel/vendor/google/trusty_apploader.te
new file mode 100644
index 00000000..983e3a03
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/trusty_apploader.te
@@ -0,0 +1,7 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
+allow trusty_apploader dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/untrusted_app_all.te b/sepolicy/whitechapel/vendor/google/untrusted_app_all.te
new file mode 100644
index 00000000..642ee175
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/untrusted_app_all.te
@@ -0,0 +1,6 @@
+# Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
+# for secure video playback
+allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
+
+dontaudit untrusted_app_all proc_vendor_sched:dir search;
+dontaudit untrusted_app_all proc_vendor_sched:file write;
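Review bot: `allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;` opens the secure heap node to every third-party app, and `r_file_perms` includes `ioctl` with no `allowxperm` rule limiting which requests are accepted. The comment explains the use case (secure video playback) but not the expected ioctl set. I would extend it, e.g. `# Only the DMA-BUF heap allocation ioctl is expected here`, and consider an `allowxperm` rule if the driver exposes more than that. The two `dontaudit` rules on `proc_vendor_sched` also deserve a short comment on what triggers the denials they hide.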
diff --git a/sepolicy/whitechapel/vendor/google/update_engine.te b/sepolicy/whitechapel/vendor/google/update_engine.te
new file mode 100644
index 00000000..a403d9e4
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/update_engine.te
@@ -0,0 +1,3 @@
+allow update_engine custom_ab_block_device:blk_file rw_file_perms;
+allow update_engine modem_block_device:blk_file rw_file_perms;
+allow update_engine proc_bootconfig:file r_file_perms;
diff --git a/sepolicy/whitechapel/vendor/google/uwb_vendor_app.te b/sepolicy/whitechapel/vendor/google/uwb_vendor_app.te
new file mode 100644
index 00000000..68edcb1b
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/uwb_vendor_app.te
@@ -0,0 +1,21 @@
+type uwb_vendor_app, domain;
+
+app_domain(uwb_vendor_app)
+
+not_recovery(`
+hal_client_domain(uwb_vendor_app, hal_uwb_vendor)
+
+allow uwb_vendor_app app_api_service:service_manager find;
+allow uwb_vendor_app hal_uwb_vendor_service:service_manager find;
+allow uwb_vendor_app nfc_service:service_manager find;
+allow uwb_vendor_app radio_service:service_manager find;
+
+allow uwb_vendor_app uwb_vendor_data_file:file create_file_perms;
+allow uwb_vendor_app uwb_vendor_data_file:dir create_dir_perms;
+
+allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };
+allow hal_uwb_vendor_default kernel:process { setsched };
+get_prop(uwb_vendor_app, vendor_secure_element_prop)
+
+binder_call(uwb_vendor_app, hal_uwb_vendor_default)
+')
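Review bot: Two rules in this file grant permissions to a different domain: `allow hal_uwb_vendor_default self:global_capability_class_set { sys_nice };` and `allow hal_uwb_vendor_default kernel:process { setsched };`. They belong in the policy file that defines `hal_uwb_vendor_default`, where someone auditing that HAL will look for them. Here they are also silently dropped in recovery because they sit inside `not_recovery`. `kernel:process setsched` lets the HAL change scheduling parameters of kernel threads, so it should carry a comment naming the thread it needs to adjust, e.g. `# raise priority of the <KTHREAD_PLACEHOLDER> kernel thread`.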
diff --git a/sepolicy/whitechapel/vendor/google/vendor_ims_app.te b/sepolicy/whitechapel/vendor/google/vendor_ims_app.te
new file mode 100644
index 00000000..140d9c25
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_ims_app.te
@@ -0,0 +1,19 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
+net_domain(vendor_ims_app)
+
+allow vendor_ims_app app_api_service:service_manager find;
+allow vendor_ims_app audioserver_service:service_manager find;
+
+allow vendor_ims_app hal_exynos_rild_hwservice:hwservice_manager find;
+allow vendor_ims_app radio_service:service_manager find;
+
+allow vendor_ims_app mediaserver_service:service_manager find;
+allow vendor_ims_app cameraserver_service:service_manager find;
+allow vendor_ims_app mediametrics_service:service_manager find;
+
+allow vendor_ims_app self:udp_socket { create_socket_perms_no_ioctl };
+
+binder_call(vendor_ims_app, rild)
+set_prop(vendor_ims_app, vendor_rild_prop)
+set_prop(vendor_ims_app, radio_prop)
diff --git a/sepolicy/whitechapel/vendor/google/vendor_init.te b/sepolicy/whitechapel/vendor/google/vendor_init.te
new file mode 100644
index 00000000..8ebe5e52
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_init.te
@@ -0,0 +1,43 @@
+get_prop(vendor_init, gesture_prop)
+set_prop(vendor_init, vendor_camera_prop)
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+set_prop(vendor_init, vendor_rild_prop)
+set_prop(vendor_init, vendor_usb_config_prop)
+set_prop(vendor_init, vendor_slog_prop)
+set_prop(vendor_init, vendor_sys_default_prop)
+set_prop(vendor_init, vendor_rcs_prop)
+set_prop(vendor_init, vendor_ssrdump_prop)
+set_prop(vendor_init, vendor_ro_config_default_prop)
+get_prop(vendor_init, vendor_touchpanel_prop)
+set_prop(vendor_init, vendor_tcpdump_log_prop)
+set_prop(vendor_init, vendor_logger_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file write;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+allow vendor_init block_device:lnk_file setattr;
+allow vendor_init sysfs_st33spi:file w_file_perms;
+
+userdebug_or_eng(`
+ set_prop(vendor_init, logpersistd_logging_prop)
+')
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
+# Battery defender/harness/profile
+get_prop(vendor_init, test_harness_prop)
+get_prop(vendor_init, vendor_battery_profile_prop)
+set_prop(vendor_init, vendor_battery_defender_prop)
+
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
+
+# Display
+set_prop(vendor_init, vendor_display_prop)
+
+# Trusty storage FS ready
+get_prop(vendor_init, vendor_trusty_storage_prop)
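Review bot: The five `allow vendor_init ...` rules in the middle of the hunk have no comments, unlike the property rules further down. `allow vendor_init bootdevice_sysdev:file create_file_perms;` looks wider than needed if the target is a sysfs attribute, since such files cannot be created or unlinked. `allow vendor_init bootdevice_sysdev:file w_file_perms;` would match the neighbouring `proc_dirty` and `sysfs_st33spi` rules, assuming only writes from init scripts are required. `allow vendor_init block_device:lnk_file setattr;` would also benefit from a note naming the symlink whose attributes are changed.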
diff --git a/sepolicy/whitechapel/vendor/google/vendor_rcs_app.te b/sepolicy/whitechapel/vendor/google/vendor_rcs_app.te
new file mode 100644
index 00000000..e67727cc
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_rcs_app.te
@@ -0,0 +1,15 @@
+type vendor_rcs_app, domain;
+app_domain(vendor_rcs_app)
+net_domain(vendor_rcs_app)
+
+allow vendor_rcs_app app_api_service:service_manager find;
+allow vendor_rcs_app audioserver_service:service_manager find;
+allow vendor_rcs_app radio_service:service_manager find;
+allow vendor_rcs_app mediaserver_service:service_manager find;
+allow vendor_rcs_app cameraserver_service:service_manager find;
+
+allow vendor_rcs_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+binder_call(vendor_rcs_app, rild)
+set_prop(vendor_rcs_app, vendor_rild_prop)
+set_prop(vendor_rcs_app, radio_prop)
diff --git a/sepolicy/whitechapel/vendor/google/vendor_shell.te b/sepolicy/whitechapel/vendor/google/vendor_shell.te
new file mode 100644
index 00000000..2ace587a
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_shell.te
@@ -0,0 +1 @@
+set_prop(vendor_shell, vendor_battery_profile_prop)
diff --git a/sepolicy/whitechapel/vendor/google/vendor_telephony_app.te b/sepolicy/whitechapel/vendor/google/vendor_telephony_app.te
new file mode 100644
index 00000000..499764b2
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_telephony_app.te
@@ -0,0 +1,23 @@
+type vendor_telephony_app, domain;
+app_domain(vendor_telephony_app)
+
+get_prop(vendor_telephony_app, vendor_rild_prop)
+set_prop(vendor_telephony_app, vendor_persist_sys_default_prop)
+set_prop(vendor_telephony_app, vendor_modem_prop)
+set_prop(vendor_telephony_app, vendor_slog_prop)
+
+allow vendor_telephony_app vendor_slog_file:dir create_dir_perms;
+allow vendor_telephony_app vendor_slog_file:file create_file_perms;
+
+allow vendor_telephony_app app_api_service:service_manager find;
+allow vendor_telephony_app hal_vendor_oem_hwservice:hwservice_manager find;
+binder_call(vendor_telephony_app, dmd)
+binder_call(vendor_telephony_app, sced)
+
+userdebug_or_eng(`
+# Silent Logging
+dontaudit vendor_telephony_app system_app_data_file:dir create_dir_perms;
+dontaudit vendor_telephony_app system_app_data_file:file create_file_perms;
+dontaudit vendor_telephony_app default_prop:file { getattr open read map };
+allow vendor_telephony_app selinuxfs:file { read open };
+')
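Review bot: The three `dontaudit` rules sit inside `userdebug_or_eng`, so these denials are hidden only on debug builds and are still logged on user builds. That is the reverse of the usual reason for `dontaudit`; if the aim is to silence known-harmless noise, they should be outside the block. If the aim is to ignore access that silent logging attempts on debug builds only, the `# Silent Logging` comment should say so. `allow vendor_telephony_app selinuxfs:file { read open };` also needs a note on which selinuxfs node the app reads and why.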
diff --git a/sepolicy/whitechapel/vendor/google/vendor_uwb_init.te b/sepolicy/whitechapel/vendor/google/vendor_uwb_init.te
new file mode 100644
index 00000000..716af19c
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vendor_uwb_init.te
@@ -0,0 +1,10 @@
+type vendor_uwb_init, domain;
+type vendor_uwb_init_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vendor_uwb_init)
+
+allow vendor_uwb_init vendor_shell_exec:file rx_file_perms;
+allow vendor_uwb_init vendor_toolbox_exec:file rx_file_perms;
+
+allow vendor_uwb_init uwb_data_vendor:file create_file_perms;
+allow vendor_uwb_init uwb_data_vendor:dir w_dir_perms;
diff --git a/sepolicy/whitechapel/vendor/google/vndservice.te b/sepolicy/whitechapel/vendor/google/vndservice.te
new file mode 100644
index 00000000..f70a26fe
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vndservice.te
@@ -0,0 +1,4 @@
+type rls_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/sepolicy/whitechapel/vendor/google/vndservice_contexts b/sepolicy/whitechapel/vendor/google/vndservice_contexts
new file mode 100644
index 00000000..d44e1cb8
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vndservice_contexts
@@ -0,0 +1,4 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/sepolicy/whitechapel/vendor/google/vold.te b/sepolicy/whitechapel/vendor/google/vold.te
new file mode 100644
index 00000000..ecea1946
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/vold.te
@@ -0,0 +1,6 @@
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd { use };
diff --git a/sepolicy/whitechapel/vendor/google/wifi_sniffer.te b/sepolicy/whitechapel/vendor/google/wifi_sniffer.te
new file mode 100644
index 00000000..491162a0
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/wifi_sniffer.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ allow wifi_sniffer sysfs_wifi:dir search;
+ allow wifi_sniffer sysfs_wifi:file w_file_perms;
+ allow wifi_sniffer self:capability sys_module;
+ dontaudit wifi_sniffer sysfs_wifi:file getattr;
+')
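Review bot: `allow wifi_sniffer self:capability sys_module;` grants the capability that governs kernel module loading, and the hunk gives no reason for it. It is limited to userdebug/eng builds, but a comment is still warranted, e.g. `# sys_module: writing the sniffer mode node makes the driver request <MODULE_PLACEHOLDER>`, adjusted to the real trigger. The `dontaudit ... sysfs_wifi:file getattr` rule beside it likewise has no explanation of which access it is hiding.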
diff --git a/sepolicy/whitechapel/vendor/google/wlcfwupdate.te b/sepolicy/whitechapel/vendor/google/wlcfwupdate.te
new file mode 100644
index 00000000..37c29484
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/wlcfwupdate.te
@@ -0,0 +1,12 @@
+# wlcfwupdate service
+type wlcfwupdate, domain;
+type wlcfwupdate_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(wlcfwupdate)
+
+allow wlcfwupdate sysfs_batteryinfo:dir search;
+allow wlcfwupdate sysfs_batteryinfo:file r_file_perms;
+allow wlcfwupdate sysfs_wlc:dir search;
+allow wlcfwupdate sysfs_wlc:file rw_file_perms;
+allow wlcfwupdate vendor_toolbox_exec:file execute_no_trans;
+allow wlcfwupdate vendor_wlc_fwupdata_file:file execute_no_trans;
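Review bot: Both exec rules grant `execute_no_trans` alone, which does not include `execute`, `read`, `open` or `getattr`. Unless those are granted to this domain elsewhere, the exec will be denied. vendor_uwb_init.te in the same commit uses `rx_file_perms` for `vendor_toolbox_exec`, and `allow wlcfwupdate vendor_toolbox_exec:file rx_file_perms;` would be consistent with it. `vendor_wlc_fwupdata_file` is named like a data type but is executed inside the wlcfwupdate domain, so a comment stating what that file is would make the grant reviewable, e.g. `# firmware update helper script shipped under <PATH_PLACEHOLDER>`.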