msm8226-common: sepolicy: base bringup to Q

sepolicy/common/audioserver.te

@@ -0,0 +1 @@
+allow audioserver device:chr_file ioctl;

sepolicy/common/crash_dump.te

@@ -0,0 +1 @@
+allow crash_dump init:process ptrace;

sepolicy/common/device.te

@@ -1,2 +1,3 @@
 type bluetooth_device, dev_type;
 type efs_block_device, dev_type;
+type alarm_device, dev_type, mlstrustedobject;

sepolicy/common/domain.te

@@ -0,0 +1 @@
+allow domain alarm_device:chr_file r_file_perms;

sepolicy/common/file.te

@@ -1,7 +1,6 @@
 type proc_bt_sleep, fs_type, proc_type;
-
+# type proc_last_kmsg, fs_type, proc_type;
 type sysfs_camera, fs_type, sysfs_type;
-type sysfs_disk_stat, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;
 type sysfs_iio, fs_type, sysfs_type;
 type sysfs_input, fs_type, sysfs_type;
@@ -18,7 +17,6 @@ type sysfs_sec_touchkey, fs_type, sysfs_type;
 type sysfs_sec_tsp, fs_type, sysfs_type;
 type sysfs_usb_otg, fs_type, sysfs_type;
 type sysfs_wifi_writeable, fs_type, sysfs_type;
-
 type bt_fw_file, file_type;
 type nfc_fw_file, file_type;
 type wifi_efs_file, file_type;

sepolicy/common/firmware_file.te

@@ -0,0 +1 @@
+allow firmware_file labeledfs:filesystem associate;

sepolicy/common/flags_health_check.te

@@ -0,0 +1,115 @@
+allow flags_health_check alarm_boot_prop:file { getattr open };
+allow flags_health_check alarm_handled_prop:file { getattr open };
+allow flags_health_check alarm_instance_prop:file { getattr open };
+allow flags_health_check apexd_prop:file { getattr open };
+allow flags_health_check bg_boot_complete_prop:file { getattr open };
+allow flags_health_check bg_daemon_prop:file { getattr open };
+allow flags_health_check bluetooth_prop:file { getattr open };
+allow flags_health_check boot_animation_prop:file { getattr open };
+allow flags_health_check boot_mode_prop:file { getattr open };
+allow flags_health_check bootloader_boot_reason_prop:file { getattr open };
+allow flags_health_check boottime_prop:file { getattr open };
+allow flags_health_check bpf_progs_loaded_prop:file { getattr open };
+allow flags_health_check bservice_prop:file { getattr open };
+allow flags_health_check camera_prop:file { getattr open };
+allow flags_health_check coresight_prop:file { getattr open };
+allow flags_health_check crash_prop:file { getattr open };
+allow flags_health_check ctl_LKCore_prop:file { getattr open };
+allow flags_health_check ctl_adbd_prop:file { getattr open };
+allow flags_health_check ctl_bootanim_prop:file { getattr open };
+allow flags_health_check ctl_bugreport_prop:file { getattr open };
+allow flags_health_check ctl_console_prop:file { getattr open };
+allow flags_health_check ctl_default_prop:file { getattr open };
+allow flags_health_check ctl_dumpstate_prop:file { getattr open };
+allow flags_health_check ctl_fuse_prop:file { getattr open };
+allow flags_health_check ctl_gsid_prop:file { getattr open };
+allow flags_health_check ctl_hbtp_prop:file { getattr open };
+allow flags_health_check ctl_interface_restart_prop:file { getattr open };
+allow flags_health_check ctl_interface_start_prop:file { getattr open };
+allow flags_health_check ctl_interface_stop_prop:file { getattr open };
+allow flags_health_check ctl_mdnsd_prop:file { getattr open };
+allow flags_health_check ctl_netmgrd_prop:file { getattr open };
+allow flags_health_check ctl_port-bridge_prop:file { getattr open };
+allow flags_health_check ctl_qmuxd_prop:file { getattr open };
+allow flags_health_check ctl_restart_prop:file { getattr open };
+allow flags_health_check ctl_rildaemon_prop:file { getattr open };
+allow flags_health_check ctl_sigstop_prop:file { getattr open };
+allow flags_health_check ctl_start_prop:file { getattr open };
+allow flags_health_check ctl_stop_prop:file { getattr open };
+allow flags_health_check ctl_vendor_imsrcsservice_prop:file { getattr open };
+allow flags_health_check ctl_vendor_wigigsvc_prop:file { getattr open };
+allow flags_health_check device_logging_prop:file { getattr open };
+allow flags_health_check diag_mdlog_prop:file { getattr open };
+allow flags_health_check dolby_prop:file { getattr open };
+allow flags_health_check dumpstate_options_prop:file { getattr open };
+allow flags_health_check dynamic_system_prop:file { getattr open };
+allow flags_health_check firstboot_prop:file { getattr open };
+allow flags_health_check fm_prop:file { getattr open };
+allow flags_health_check freq_prop:file { getattr open };
+allow flags_health_check fst_prop:file { getattr open };
+allow flags_health_check gamed_prop:file { getattr open };
+allow flags_health_check graphics_vulkan_prop:file { getattr open };
+allow flags_health_check gsid_prop:file { getattr open };
+allow flags_health_check heapprofd_enabled_prop:file { getattr open };
+allow flags_health_check hwservicemanager_prop:file { getattr open };
+allow flags_health_check hwui_prop:file { getattr open };
+allow flags_health_check ipacm-diag_prop:file { getattr open };
+allow flags_health_check ipacm_prop:file { getattr open };
+allow flags_health_check last_boot_reason_prop:file { getattr open };
+allow flags_health_check llkd_prop:file { getattr open };
+allow flags_health_check location_prop:file { getattr open };
+allow flags_health_check logpersistd_logging_prop:file { getattr open };
+allow flags_health_check lowpan_prop:file { getattr open };
+allow flags_health_check lpdumpd_prop:file { getattr open };
+allow flags_health_check mdm_helper_prop:file { getattr open };
+allow flags_health_check mmc_prop:file { getattr open };
+allow flags_health_check mmi_prop:file { getattr open };
+allow flags_health_check mpdecision_prop:file { getattr open };
+allow flags_health_check msm_irqbalance_prop:file { getattr open };
+allow flags_health_check msm_irqbl_sdm630_prop:file { getattr open };
+allow flags_health_check net_dns_prop:file { getattr open };
+allow flags_health_check netd_prop:file { getattr open };
+allow flags_health_check netd_stable_secret_prop:file { getattr open };
+allow flags_health_check nfc_nq_prop:file { getattr open };
+allow flags_health_check nnapi_ext_deny_product_prop:file { getattr open };
+allow flags_health_check opengles_prop:file { getattr open };
+allow flags_health_check overlay_prop:file { getattr open };
+allow flags_health_check per_mgr_state_prop:file { getattr open };
+allow flags_health_check perfd_prop:file { getattr open };
+allow flags_health_check persistent_properties_ready_prop:file { getattr open };
+allow flags_health_check postprocessing_prop:file { getattr open };
+allow flags_health_check ppd_prop:file { getattr open };
+allow flags_health_check qcom_ims_prop:file { getattr open };
+allow flags_health_check qdma_prop:file { getattr open };
+allow flags_health_check qemu_gles_prop:file { getattr open };
+allow flags_health_check qti_prop:file { getattr open };
+allow flags_health_check reschedule_service_prop:file { getattr open };
+allow flags_health_check rmnet_mux_prop:file { getattr open };
+allow flags_health_check safemode_prop:file { getattr open };
+allow flags_health_check scr_enabled_prop:file { getattr open };
+allow flags_health_check sdm_idle_time_prop:file { getattr open };
+allow flags_health_check sensors_prop:file { getattr open };
+allow flags_health_check serialno_prop:file { getattr open };
+allow flags_health_check spcomlib_prop:file { getattr open };
+allow flags_health_check sys_usb_configfs_prop:file { getattr open };
+allow flags_health_check sys_usb_controller_prop:file { getattr open };
+allow flags_health_check sys_usb_tethering_prop:file { getattr open };
+allow flags_health_check system_boot_reason_prop:file { getattr open };
+allow flags_health_check system_lmk_prop:file { getattr open };
+allow flags_health_check system_trace_prop:file { getattr open };
+allow flags_health_check test_boot_reason_prop:file { getattr open };
+allow flags_health_check theme_prop:file { getattr open };
+allow flags_health_check time_prop:file { getattr open };
+allow flags_health_check traced_enabled_prop:file { getattr open };
+allow flags_health_check traced_lazy_prop:file { getattr open };
+allow flags_health_check uicc_prop:file { getattr open };
+allow flags_health_check usf_prop:file { getattr open };
+allow flags_health_check vendor_mpctl_prop:file { getattr open };
+allow flags_health_check vendor_rild_libpath_prop:file { getattr open };
+allow flags_health_check vendor_system_prop:file { getattr open };
+allow flags_health_check vendor_wifi_prop:file { getattr open };
+allow flags_health_check vm_bms_prop:file { getattr open };
+allow flags_health_check wifi_prop:file { getattr open };
+allow flags_health_check wififtmd_prop:file { getattr open };
+allow flags_health_check wigig_prop:file { getattr open };
+allow flags_health_check xlat_prop:file { getattr open };

sepolicy/common/hal_graphics_composer_default.te

@@ -0,0 +1 @@
+allow hal_graphics_composer_default default_android_vndservice:service_manager add;

sepolicy/common/hal_lineage_touch_default.te

@@ -1,3 +1,4 @@
+allow hal_lineage_touch_default sysfs_sec_touchkey:dir search;
 allow hal_lineage_touch_default sysfs_sec_tsp:dir search;
 allow hal_lineage_touch_default sysfs_sec_tsp:file rw_file_perms;
 allow hal_lineage_touch_default sysfs_sec_touchkey:dir search;

sepolicy/common/hal_wifi_default.te

@@ -3,3 +3,4 @@ r_dir_file(hal_wifi_default, wifi_efs_file)
 allow hal_wifi_default efs_file:dir search;
 allow hal_wifi_default sysfs_wifi_writeable:file w_file_perms;
 allow hal_wifi_default wifi_data_file:file r_file_perms;
+allow hal_wifi_default default_prop:property_service set;

sepolicy/common/init.te

@@ -11,6 +11,7 @@ allow init {
 }:lnk_file read;
 
 allow init {
+    proc
     sysfs_audio
     sysfs_batteryinfo
     sysfs_bluetooth_writable
@@ -57,3 +58,8 @@ allow init {
 
 allow init sysfs:file setattr;
 allow init sysfs_devfreq:file setattr;
+allow init efs_file:dir mounton;
+allow init init:capability2 block_suspend;
+allow init system_file:file mounton;
+allow init sysfs_leds:lnk_file read;
+

sepolicy/common/installd.te

@@ -0,0 +1,2 @@
+allow installd device:file write;
+allow installd device:file open;

sepolicy/common/mediaserver.te

@@ -1,5 +1,13 @@
+allow mediaserver cameraproxy_service:service_manager find;
+allow mediaserver device:dir read;
+allow mediaserver hal_camera_default:binder { call transfer };
+allow mediaserver hal_camera_hwservice:hwservice_manager find;
+allow mediaserver sensor_privacy_service:service_manager find;
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver vendor_file:file execmod;
 allow mediaserver system_data_file:sock_file write;
 allow mediaserver hal_lineage_camera_motor_hwservice:hwservice_manager find;
+allow mediaserver cameraserver_service:service_manager add;
+allow mediaserver fwk_camera_hwservice:hwservice_manager add;
+allow mediaserver hidl_base_hwservice:hwservice_manager add;

sepolicy/common/mediaswcodec.te

@@ -0,0 +1 @@
+allow mediaswcodec servicemanager:binder call;

sepolicy/common/netd.te

@@ -1 +1,2 @@
 allow system_app netd:binder call; 
+allow netd device:file { open write };

sepolicy/common/qti_init_shell.te

@@ -0,0 +1,9 @@
+allow qti_init_shell bluetooth_loader_exec:file getattr;
+allow qti_init_shell bluetooth_loader_exec:file execute;
+allow qti_init_shell bluetooth_loader_exec:file { open read };
+allow qti_init_shell bluetooth_loader_exec:file execute_no_trans;
+allow qti_init_shell efs_file:dir search;
+allow qti_init_shell bluetooth_efs_file:dir search;
+allow qti_init_shell bluetooth_efs_file:file read;
+allow qti_init_shell bluetooth_efs_file:file open;
+allow qti_init_shell bluetooth_efs_file:file getattr;

sepolicy/common/radio.te

@@ -0,0 +1 @@
+allow radio alarm_device:chr_file rw_file_perms;

sepolicy/common/rild.te

@@ -6,6 +6,10 @@ allow rild radio_data_file:lnk_file read;
 
 allow rild proc_net:file w_file_perms;
 allow rild sysfs_sec_key:file rw_file_perms;
-allow rild unlabeled:dir search;
 
+allow rild unlabeled:dir search;
 allow rild unlabeled:file { getattr open read };
+
+allow rild device:chr_file read;
+allow rild device:chr_file open;
+allow rild device:chr_file ioctl;

sepolicy/common/servicemanager.te

@@ -0,0 +1,4 @@
+allow servicemanager mediaswcodec:dir search;
+allow servicemanager mediaswcodec:file { open read };
+allow servicemanager mediaswcodec:process getattr;
+allow surfaceflinger hal_graphics_allocator_hwservice:hwservice_manager add;

sepolicy/common/snap_app.te

@@ -0,0 +1,2 @@
+get_prop(appdomain, camera_prop)
+binder_call(appdomain, gpuservice)

sepolicy/common/system_app.te

@@ -1,2 +1,8 @@
+allow system_app apex_service:service_manager find;
+allow system_app proc_pagetypeinfo:file { open read };
 allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_mdnie:file rw_file_perms;
+allow system_app system_suspend_control_service:service_manager find;
+allow system_app apk_data_file:dir write;
+allow system_app proc_pagetypeinfo:file getattr;
+allow system_app sysfs_zram:dir search;

sepolicy/common/system_server.te

@@ -5,6 +5,7 @@ allow system_server {
 
 allow system_server {
     efs_file
+    proc_last_kmsg
     qti_debugfs
 }:file r_file_perms;
 
@@ -14,4 +15,7 @@ allow system_server {
     sysfs_sec_touchkey
 }:file w_file_perms;
 
+allow system_server init:binder call;
 allow system_server unlabeled:file unlink;
+allow system_server proc:file { getattr open read };
+allow system_server crash_dump:process getpgid;

sepolicy/common/tee.te

@@ -0,0 +1 @@
+allow tee rpmb_device:blk_file ioctl;

sepolicy/common/thermal-engine.te

@@ -3,3 +3,7 @@ type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-r
 type_transition thermal-engine socket_device:sock_file thermal_socket "thermal-recv-passive-client";
 
 allow thermal-engine self:capability chown;
+
+allow thermal-engine sysfs_batteryinfo:dir search;
+allow thermal-engine sysfs_batteryinfo:file read;
+allow thermal-engine sysfs_batteryinfo:file open;

sepolicy/common/time_daemon.te

@@ -0,0 +1,3 @@
+allow time_daemon device:chr_file { read write };
+allow time_daemon device:chr_file open;
+allow time_daemon device:chr_file ioctl;

sepolicy/common/ueventd.te

@@ -1,2 +1,9 @@
 allow ueventd vfat:dir search;
 allow ueventd vfat:file { getattr open read };
+
+allow ueventd exfat:dir search;
+allow ueventd exfat:file read;
+allow ueventd exfat:file open;
+allow ueventd exfat:file getattr;
+
+allow ueventd proc:file { read };

sepolicy/common/untrusted_app_25.te

@@ -0,0 +1,2 @@
+dontaudit untrusted_app_25 net_dns_prop:file read;
+dontaudit untrusted_app_25 proc:file read;

sepolicy/common/vendor_init.te

@@ -0,0 +1,26 @@
+allow vendor_init firmware_file:lnk_file { read };
+allow vendor_init kernel:security { check_context };
+allow vendor_init packages_list_file:file { getattr open read };
+allow vendor_init radio_data_file:lnk_file { relabelto unlink };
+allow vendor_init seapp_contexts_file:file { getattr open read };
+allow vendor_init selinuxfs:file { write };
+allow vendor_init sysfs:file { relabelfrom };
+allow vendor_init sysfs:dir { relabelfrom };
+allow vendor_init system_data_file:file { setattr write };
+allow vendor_init system_data_file:lnk_file { create getattr relabelfrom };
+allow vendor_init wifi_data_file:file { getattr setattr write };
+
+type_transition vendor_init system_data_file:file wifi_data_file;
+
+allow vendor_init packages_list_file:file r_file_perms;
+allow vendor_init proc_security:file rw_file_perms;
+allow vendor_init radio_data_file:lnk_file create_file_perms;
+allow vendor_init seapp_contexts_file:file r_file_perms;
+allow vendor_init wifi_data_file:dir rw_dir_perms;
+allow vendor_init wifi_data_file:file create_file_perms;
+allow vendor_init system_data_file:lnk_file unlink;
+allow vendor_init wcnss_device:chr_file write;
+allow vendor_init wcnss_device:chr_file open;
+allow vendor_init firmware_file:dir create;
+allow vendor_init firmware_file:dir setattr;
+allow vendor_init bluetooth_data_file:file setattr;

sepolicy/common/vold.te

@@ -2,6 +2,8 @@ allow vold efs_file:dir rw_dir_perms;
 allow vold efs_file:file create;
 allow vold persist_data_file:dir { open read };
 
+allow vold hal_bootctl_hwservice:hwservice_manager find;
+
 allow vold {
     block_device
     cache_block_device

sepolicy/common/webview_zygote.te

@@ -1 +1,3 @@
 allow webview_zygote zygote:unix_dgram_socket write; 
+
+allow webview_zygote app_data_file:dir getattr;

sepolicy/sepolicy.mk

@@ -15,5 +15,6 @@
 #
 
 include device/qcom/sepolicy-legacy/sepolicy.mk
+
 BOARD_SEPOLICY_DIRS += \
     device/samsung/msm8226-common/sepolicy/common