From 3df5cd506cee0f4f91c957b37f58bba72f34fd39 Mon Sep 17 00:00:00 2001 From: basamaryan Date: Sun, 1 Sep 2024 23:43:33 +0200 Subject: [PATCH] sm6150-common: Commonize sepolicy Taken from davinci, courbet, surya, sweet, and sweet2 Change-Id: Ie9bd3354d42a36e88004ee77343e0da5397a0eba --- BoardConfigCommon.mk | 1 + sepolicy/private/property_contexts | 5 +++ sepolicy/public/attributes | 3 ++ sepolicy/vendor/batterysecret.te | 51 ++++++++++++++++++++++ sepolicy/vendor/cameraserver.te | 1 + sepolicy/vendor/file_contexts | 22 ++++++++++ sepolicy/vendor/genfs_contexts | 31 +++++++++++++ sepolicy/vendor/hal_audio_default.te | 2 + sepolicy/vendor/hal_fingerprint_default.te | 1 + sepolicy/vendor/hal_motor_default.te | 26 +++++++++++ sepolicy/vendor/hal_sensors_default.te | 8 ++++ sepolicy/vendor/hwservice_contexts | 1 + sepolicy/vendor/property.te | 2 + sepolicy/vendor/service_contexts | 2 + sepolicy/vendor/system_app.te | 8 ++++ 15 files changed, 164 insertions(+) create mode 100644 sepolicy/public/attributes create mode 100644 sepolicy/vendor/batterysecret.te create mode 100644 sepolicy/vendor/cameraserver.te create mode 100644 sepolicy/vendor/hal_motor_default.te create mode 100644 sepolicy/vendor/property.te create mode 100644 sepolicy/vendor/service_contexts diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk index 600f895..fcee2b3 100644 --- a/BoardConfigCommon.mk +++ b/BoardConfigCommon.mk @@ -150,6 +150,7 @@ include device/lineage/sepolicy/libperfmgr/sepolicy.mk include device/qcom/sepolicy_vndr/SEPolicy.mk SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/private +SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/public BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor # Soong diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts index 3e70a99..5364306 100644 --- a/sepolicy/private/property_contexts +++ b/sepolicy/private/property_contexts @@ -2,6 +2,11 @@ ro.camera.req.fmq.size u:object_r:exported_default_prop:s0 ro.camera.res.fmq.size u:object_r:exported_default_prop:s0 +# Elliptic ultrasound proximity +elliptic.ultrasound.multiple_mics. u:object_r:elliptic_ultrasound_prop:s0 +elliptic.ultrasound. u:object_r:vendor_sensors_prop:s0 +invn.hal u:object_r:vendor_sensors_prop:s0 + # Sensors persist.sensor. u:object_r:persist_sensors_prop:s0 diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes new file mode 100644 index 0000000..8e9bb8a --- /dev/null +++ b/sepolicy/public/attributes @@ -0,0 +1,3 @@ +attribute hal_motor; +attribute hal_motor_client; +attribute hal_motor_server; diff --git a/sepolicy/vendor/batterysecret.te b/sepolicy/vendor/batterysecret.te new file mode 100644 index 0000000..de90b04 --- /dev/null +++ b/sepolicy/vendor/batterysecret.te @@ -0,0 +1,51 @@ +type batterysecret, domain; +type batterysecret_exec, exec_type, vendor_file_type, file_type; +type persist_subsys_file, vendor_persist_type, file_type; + +init_daemon_domain(batterysecret) + +r_dir_file(batterysecret, cgroup) +r_dir_file(batterysecret, mnt_vendor_file) +r_dir_file(batterysecret, vendor_sysfs_battery_supply) +r_dir_file(batterysecret, sysfs_batteryinfo) +r_dir_file(batterysecret, sysfs_type) +r_dir_file(batterysecret, vendor_sysfs_usb_supply) +r_dir_file(batterysecret, vendor_sysfs_usbpd_device) + +allow batterysecret { + mnt_vendor_file + persist_subsys_file + rootfs +}:dir rw_dir_perms; + +allow batterysecret { + persist_subsys_file + sysfs + vendor_sysfs_battery_supply + sysfs_usb + vendor_sysfs_usb_supply + vendor_sysfs_usbpd_device +}:file w_file_perms; + +allow batterysecret kmsg_device:chr_file rw_file_perms; + +allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +allow batterysecret self:global_capability_class_set { + sys_tty_config + sys_boot +}; + +allow batterysecret self:capability { + chown + fsetid +}; + +allow batterysecret { + system_suspend_hwservice + hidl_manager_hwservice +}:hwservice_manager find; + +binder_call(batterysecret, system_suspend_server) + +wakelock_use(batterysecret) diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te new file mode 100644 index 0000000..1f31860 --- /dev/null +++ b/sepolicy/vendor/cameraserver.te @@ -0,0 +1 @@ +hal_client_domain(cameraserver, hal_motor) diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 78704a8..bc1ea23 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -1,6 +1,9 @@ # Audio /dev/socket/audio_hw_socket u:object_r:audio_socket:s0 +# Battery secret +/vendor/bin/batterysecret u:object_r:batterysecret_exec:s0 + # Block devices /dev/block/mmcblk0p1 u:object_r:sdcard_block_device:s0 /dev/block/platform/soc/1d84000\.ufshc/by-name/cust u:object_r:system_block_device:s0 @@ -37,9 +40,28 @@ /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.xiaomi u:object_r:hal_fingerprint_default_exec:s0 /vendor/bin/hw/android\.hardware\.light-service\.xiaomi u:object_r:hal_light_default_exec:s0 /vendor/bin/hw/vendor\.lineage\.livedisplay@2\.1-service\.xiaomi_sm6150 u:object_r:hal_lineage_livedisplay_qti_exec:s0 +/vendor/bin/hw/vendor\.xiaomi\.hardware\.motor@1\.0-service u:object_r:hal_motor_default_exec:s0 # IR +/dev/lirc[0-9]+ u:object_r:lirc_device:s0 /dev/spidev[0-9]\.1 u:object_r:lirc_device:s0 +/vendor/bin/hw/android\.hardware\.ir-service\.xiaomi u:object_r:hal_ir_default_exec:s0 + +# Motor +/dev/akm09970 u:object_r:hall_device:s0 +/dev/drv8846_dev u:object_r:motor_device:s0 + +# NFC +/vendor/bin/hw/android\.hardware\.nfc-service\.nxp u:object_r:hal_nfc_default_exec:s0 + +# Persist subsystem +/mnt/vendor/persist/subsys(/.*)? u:object_r:persist_subsys_file:s0 + +# Proximity +/dev/elliptic0 u:object_r:vendor_elliptic_device:s0 +/sys/bus/iio/devices u:object_r:vendor_sysfs_iio:s0 +/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm6150l@4:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0 +/sys/devices/platform/us_prox.0/iio:device2(/.*)? u:object_r:vendor_sysfs_iio:s0 # Remosaic /vendor/bin/remosaic_daemon u:object_r:remosaic_daemon_exec:s0 diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts index d3f2ca5..9e3e41c 100644 --- a/sepolicy/vendor/genfs_contexts +++ b/sepolicy/vendor/genfs_contexts @@ -1,8 +1,30 @@ +# BMS +genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-0055/power_supply/bms u:object_r:vendor_sysfs_battery_supply:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qpnp,qg/power_supply/qcom-bms u:object_r:vendor_sysfs_battery_supply:s0 + +# bq2597x charge pump +genfscon sysfs /devices/platform/soc/890000.i2c/i2c-4/4-0066/power_supply/bq2597x-slave u:object_r:vendor_sysfs_usb_supply:s0 +genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0051/power_supply/bq2597x-standalone u:object_r:vendor_sysfs_usb_supply:s0 +genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0066/power_supply/bq2597x-master u:object_r:vendor_sysfs_usb_supply:s0 +genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0066/power_supply/bq2597x-standalone u:object_r:vendor_sysfs_usb_supply:s0 + # Display genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_encoder_mask u:object_r:vendor_sysfs_graphics:s0 genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state u:object_r:vendor_sysfs_graphics:s0 genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_timeout_ms u:object_r:vendor_sysfs_graphics:s0 +# ds28e16 battery verify +genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify u:object_r:vendor_sysfs_battery_supply:s0 + +# Fingerprint +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/compatible_all u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/device_prepare u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/fingerdown_wait u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/irq u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/power_cfg u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/request_vreg u:object_r:vendor_sysfs_fingerprint:s0 +genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup_enable u:object_r:vendor_sysfs_fingerprint:s0 + # LED genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d000/leds/left u:object_r:vendor_sysfs_graphics:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d000/leds/right u:object_r:vendor_sysfs_graphics:s0 @@ -14,8 +36,14 @@ genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.q genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,pm6150_rtc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-0055/power_supply/bms/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-0055/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/888000.i2c/i2c-0/0-0028/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/890000.i2c/i2c-4/4-0066/power_supply/bq2597x-slave/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/890000.i2c/i2c-4/4-0066/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qpnp,qg/power_supply/qcom-bms/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm6150@0:qcom,qpnp-smb5/power_supply/main/wakeup u:object_r:sysfs_wakeup:s0 @@ -30,10 +58,13 @@ genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-005a/wakeup genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0010/a8c000.i2c:qcom,smb1390@10:qcom,charge_pump/power_supply/charge_pump_master/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0051/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0051/power_supply/bq2597x-standalone/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0065/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0066/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0066/power_supply/bq2597x-standalone/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-2/2-0066/power_supply/bq2597x-master/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify/wakeup u:object_r:sysfs_wakeup:s0 genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/input/input1/wakeup u:object_r:sysfs_wakeup:s0 # Touchpanel genfscon sysfs /devices/virtual/touch/touch_dev/ u:object_r:sysfs_touchpanel:s0 diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te index c26515e..f54c115 100644 --- a/sepolicy/vendor/hal_audio_default.te +++ b/sepolicy/vendor/hal_audio_default.te @@ -5,6 +5,8 @@ r_dir_file(hal_audio_default, vendor_persist_audio_file) set_prop(hal_audio_default, vendor_audio_prop) +get_prop(hal_audio_default, elliptic_ultrasound_prop) + allow hal_audio_default audio_socket:sock_file rw_file_perms; dontaudit hal_audio_default sysfs:dir read; diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te index f0236c5..2613c57 100644 --- a/sepolicy/vendor/hal_fingerprint_default.te +++ b/sepolicy/vendor/hal_fingerprint_default.te @@ -17,6 +17,7 @@ allow hal_fingerprint_default tee_device:chr_file rw_file_perms; allow hal_fingerprint_default touchfeature_device:chr_file rw_file_perms; allow hal_fingerprint_default uhid_device:chr_file rw_file_perms; allow hal_fingerprint_default vendor_qdsp_device:chr_file r_file_perms; +allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms; allow hal_fingerprint_default vendor_sysfs_fod:file rw_file_perms; allow hal_fingerprint_default vendor_sysfs_graphics:file rw_file_perms; allow hal_fingerprint_default vendor_xdsp_device:chr_file r_file_perms; diff --git a/sepolicy/vendor/hal_motor_default.te b/sepolicy/vendor/hal_motor_default.te new file mode 100644 index 0000000..75df086 --- /dev/null +++ b/sepolicy/vendor/hal_motor_default.te @@ -0,0 +1,26 @@ +type hal_motor_hwservice_xiaomi, hwservice_manager_type; +type hall_device, dev_type; +type motor_device, dev_type; + +type hal_motor_default, domain; +hal_server_domain(hal_motor_default, hal_motor) + +binder_call(hal_motor_client, hal_motor_server) + +binder_call(hal_motor_default, system_app) + +type hal_motor_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_motor_default) + +add_hwservice(hal_motor_server, hal_motor_hwservice_xiaomi) +allow hal_motor_client hal_motor_hwservice_xiaomi:hwservice_manager find; + +allow hal_motor_default hall_device:chr_file rw_file_perms; +allow hal_motor_default motor_device:chr_file rw_file_perms; + +allow hal_motor_default vendor_persist_sensors_file:dir rw_dir_perms; +allow hal_motor_default vendor_persist_sensors_file:file rw_file_perms; + +allow hal_motor_default mnt_vendor_file:dir { search }; + +vndbinder_use(hal_motor_default) diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te index 9dc63f0..58cd930 100644 --- a/sepolicy/vendor/hal_sensors_default.te +++ b/sepolicy/vendor/hal_sensors_default.te @@ -1,7 +1,15 @@ +type vendor_sysfs_iio, fs_type, sysfs_type; +type vendor_elliptic_device, dev_type; + vendor_internal_prop(persist_sensors_prop) allow hal_sensors_default hal_audio_default:unix_stream_socket connectto; allow hal_sensors_default audio_socket:sock_file rw_file_perms; +allow hal_sensors_default iio_device:chr_file rw_file_perms; +allow hal_sensors_default vendor_elliptic_device:chr_file rw_file_perms; +allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms; +allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms; + get_prop(hal_sensors_default, persist_sensors_prop) get_prop(hal_sensors_default, vendor_adsprpc_prop) diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts index 49592df..8ade151 100644 --- a/sepolicy/vendor/hwservice_contexts +++ b/sepolicy/vendor/hwservice_contexts @@ -1,3 +1,4 @@ vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_hwservice_xiaomi:s0 vendor.sw.swfingerprint::ISwfingerprint u:object_r:hal_swfingerprint_hwservice:s0 vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint u:object_r:hal_fingerprint_hwservice_xiaomi:s0 +vendor.xiaomi.hardware.motor::IMotor u:object_r:hal_motor_hwservice_xiaomi:s0 diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te new file mode 100644 index 0000000..5431b52 --- /dev/null +++ b/sepolicy/vendor/property.te @@ -0,0 +1,2 @@ +# Ultrasound +vendor_public_prop(elliptic_ultrasound_prop) diff --git a/sepolicy/vendor/service_contexts b/sepolicy/vendor/service_contexts new file mode 100644 index 0000000..2e7eb73 --- /dev/null +++ b/sepolicy/vendor/service_contexts @@ -0,0 +1,2 @@ +# NFC +vendor.nxp.nxpnfc_aidl.INxpNfc/default u:object_r:hal_nfc_service:s0 diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te index 34ef8e5..909427a 100644 --- a/sepolicy/vendor/system_app.te +++ b/sepolicy/vendor/system_app.te @@ -1,3 +1,11 @@ type sysfs_doze, sysfs_type, fs_type; +allow system_app hal_motor_hwservice_xiaomi:hwservice_manager find; + +binder_call(system_app, hal_motor) + allow system_app sysfs_doze:file rw_file_perms; + +allow system_app { motor_device vendor_sysfs_graphics sysfs_leds }:dir search; +allow system_app { cgroup vendor_sysfs_graphics }:file rw_file_perms; +allow system_app { motor_device vendor_sysfs_graphics hall_device }:chr_file rw_file_perms;