Sync Marlin AOSP sepolicy

Test: Build and boot aosp_sailfish. Run through some basic tests
verifying no new denials.

Change-Id: Iaeb1c383c6652ecbd07d6f9db5e00acf2b8e4873
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index 96201f4..938c9be 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -27,6 +27,7 @@
 set_prop(camera, camera_prop)
 
 allow camera surfaceflinger:fd use;
+allow camera hal_graphics_allocator:fd use;
 allow camera cameraserver:fd use;
 
 allow camera camera_data_file:dir rw_dir_perms;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 63a47c6..5a66085 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -26,3 +26,18 @@
 allow cameraserver system_server:unix_stream_socket { read write };
 
 allow cameraserver sensorservice_service:service_manager find;
+
+allow cameraserver self:socket { create ioctl read write };
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets
+qmux_socket(cameraserver)
+
+# allow cameraserver to call some socket ioctls
+allowxperm cameraserver self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER IPC_ROUTER_IOCTL_BIND_CONTROL_PORT };
+
+# ignore spurious denial
+dontaudit cameraserver graphics_device:dir search;
+
+userdebug_or_eng(`
+  allow cameraserver diag_device:chr_file rw_file_perms;
+')
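Review bot: `allow cameraserver self:socket { create ioctl read write };` opens the generic `socket` class, which covers every address family that has no dedicated SELinux class, so the allowxperm line below it narrows only the ioctl side, not which kinds of sockets cameraserver may create. The same four rules (generic socket, qmux_socket, the two IPC_ROUTER ioctls) are added verbatim to hal_camera elsewhere in this change, which suggests they live here only while the camera HAL still runs in passthrough mode; mark them so they are actually removed later, e.g. `# TODO: drop once the camera HAL is binderized; duplicated in hal_camera.te`. The `# ignore spurious denial` above the dontaudit should also name the bug or the access path that triggers it, since "spurious" cannot be re-verified by the next person trimming this file.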
diff --git a/sepolicy/cnss-daemon.te b/sepolicy/cnss-daemon.te
index d4c16e3..adb20aa 100644
--- a/sepolicy/cnss-daemon.te
+++ b/sepolicy/cnss-daemon.te
@@ -20,10 +20,14 @@
 allowxperm cnss-daemon self:socket ioctl msm_sock_ipc_ioctls;
 
 allow cnss-daemon proc_net:file rw_file_perms;
-allow cnss-daemon sysfs_wifi:file write;
-allow cnss-daemon sysfs_pcie:file write;
-allow cnss-daemon sysfs_msm_core:file write;
-r_dir_file(cnss-daemon, sysfs_type)
+allow cnss-daemon sysfs:dir r_dir_perms;
+allow cnss-daemon sysfs_wifi:dir search;
+allow cnss-daemon sysfs_wifi:file rw_file_perms;
+allow cnss-daemon sysfs_pcie:dir search;
+allow cnss-daemon sysfs_pcie:file w_file_perms;
+allow cnss-daemon sysfs_soc:dir search;
+allow cnss-daemon sysfs_soc:file r_file_perms;
+r_dir_file(cnss-daemon, sysfs_msm_subsys)
 
 # access to /dev/diag on debug builds
 userdebug_or_eng(`
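Review bot: The hunk removes `allow cnss-daemon sysfs_msm_core:file write;` from this file, yet the same change re-adds that exact rule inside cnss_diag.te, so the daemon keeps the write through a file that belongs to a different domain. If cnss-daemon still writes msm_core nodes, keep the rule here beside the other sysfs writes with a comment naming the node, `allow cnss-daemon sysfs_msm_core:file write;`, and drop the copy in cnss_diag.te; if it no longer does, delete it in both places. The new `sysfs_pcie:file w_file_perms` and `sysfs_wifi:file rw_file_perms` lines would also benefit from a one-line comment saying which nodes are written, because the old blanket r_dir_file grant is gone and nothing records what is load-bearing. The userdebug_or_eng block at the end continues past this hunk.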
diff --git a/sepolicy/cnss_diag.te b/sepolicy/cnss_diag.te
index 349ad6f..e45a4dd 100644
--- a/sepolicy/cnss_diag.te
+++ b/sepolicy/cnss_diag.te
@@ -5,16 +5,19 @@
 # STOPSHIP b/28340421
 # Temporarily grant this permission and log its use.
 allow cnss_diag self:capability net_admin;
+auditallow cnss_diag self:capability net_admin;
+
+init_daemon_domain(cnss_diag)
+
 allow cnss_diag self:capability { setgid setuid };
 
 allow cnss_diag self:netlink_socket create_socket_perms_no_ioctl;
 
-auditallow cnss_diag self:capability net_admin;
-
-init_daemon_domain(cnss_diag)
-r_dir_file(cnss_diag, sysfs_type)
-
+r_dir_file(cnss-daemon, sysfs_type)
+allow cnss-daemon sysfs_msm_core:file write;
 
 userdebug_or_eng(`
   allow cnss_diag diag_device:chr_file rw_file_perms;
+  allow cnss_diag cnss_diag_data_file:dir create_dir_perms;
+  allow cnss_diag cnss_diag_data_file:file create_file_perms;
 ')
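Review bot: The two rules that replace `r_dir_file(cnss_diag, sysfs_type)` name the domain `cnss-daemon`, not `cnss_diag`, which looks like a typo: as written cnss_diag loses all of its sysfs read access, while cnss-daemon silently regains the broad `sysfs_type` read that cnss-daemon.te in this same change deliberately narrows to specific types. Restore `r_dir_file(cnss_diag, sysfs_type)` here and move `allow cnss-daemon sysfs_msm_core:file write;` into cnss-daemon.te, or drop it if the daemon no longer needs it. Nothing at build time will catch this, since both domains exist and the rules are syntactically valid; only a boot test that exercises cnss_diag's sysfs reads would.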
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
index 935f0ea..6652378 100644
--- a/sepolicy/domain.te
+++ b/sepolicy/domain.te
@@ -2,12 +2,38 @@
 
 dontaudit domain self:capability sys_module;
 
-# Do not allow access to the serial number of the camera's sensor except for a
-# few whitelisted domains.
-neverallow {
-  domain
-  -dumpstate
-  -cameraserver
-  -init
-  -shell
-} camera_serialno_prop:file r_file_perms;
+# b/29072816
+# Triggered by kernel code which calls request_firmware(), which
+# eventually calls filp_open(), which attempts to look in /firmware
+# for the firmware file itself using the context of the calling
+# domain.
+# This does not occur on other Android builds because the marlin
+# kernel has various references to /firmware paths in the following
+# code:
+#
+# /* direct firmware loading support */
+# static char fw_path_para[256];
+# static const char * const fw_path[] = {
+#         fw_path_para,
+#         "/lib/firmware/updates/" UTS_RELEASE,
+#         "/lib/firmware/updates",
+#         "/lib/firmware/" UTS_RELEASE,
+#         "/lib/firmware",
+#         "/firmware/image",
+#         "/firmware/radio",
+#         "/firmware/adsp"        //HTC_AUD
+# };
+#
+# As described at http://www.makelinux.net/ldd3/chp-14-sect-8 ,
+# the userspace helper (in our case, ueventd) should always be loading
+# these files, not the requesting process itself. It is only due to a
+# hack added by Linus Torvalds that the kernel even attempt to load
+# firmware files directly from the filesystem
+# (https://github.com/torvalds/linux/commit/abb139e75c2cdbb955e840d6331cb5863e409d0e).
+#
+# Suppress these denials for most domains, since ueventd should be doing the
+# opening of the firmware.
+dontaudit domain firmware_file:dir search;
+
+allow domain debugfs_ion:dir search;
+allow domain debugfs_kgsl:dir search;
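Review bot: The neverallow guarding `camera_serialno_prop` is deleted with no replacement and no mention in the commit message; unless the property type itself was removed elsewhere in this sync (not visible here), the compile-time guarantee that only dumpstate, cameraserver, init and shell can read the camera sensor serial number is gone and any domain that later picks up an allow rule will pass. If the type still exists, keep the neverallow (it fits directly under the firmware comment); if it was removed, say so in the description so the removal is auditable. Separately, `allow domain debugfs_ion:dir search;` and `allow domain debugfs_kgsl:dir search;` apply to every domain including app domains; a comment naming which processes actually traverse those debugfs directories, or a narrower attribute, would be preferable to a domain-wide grant.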
diff --git a/sepolicy/dumpstate.te b/sepolicy/dumpstate.te
index 2301e0b..72935eb 100644
--- a/sepolicy/dumpstate.te
+++ b/sepolicy/dumpstate.te
@@ -1,2 +1,4 @@
-# supress audit messages for attempting access to /firmware
-dontaudit dumpstate firmware_file:dir search;
+userdebug_or_eng(`
+allow dumpstate smlog_dump_file:dir create_dir_perms;
+allow dumpstate smlog_dump_file:file create_file_perms;
+')
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6b261ef..da19a99 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -5,11 +5,17 @@
 
 # /data
 type diag_logs, file_type, data_file_type, mlstrustedobject;
+type cnss_diag_data_file, file_type, data_file_type, mlstrustedobject;
+type smlog_dump_file, file_type, data_file_type;
 type location_data_file, file_type, data_file_type;
 type perfd_data_file, file_type, data_file_type;
-type ramdump_data_file, file_type, data_file_type;
+type ramdump_data_file, file_type, data_file_type, mlstrustedobject;
 type time_data_file, file_type, data_file_type;
 type display_data_file, file_type, data_file_type;
+type netmgr_data_file, file_type, data_file_type;
+type nanohub_lock_file, file_type, data_file_type;
+type sensors_cal_file, file_type;
+type sensors_saved_settings_file, file_type, data_file_type;
 
 # /sys
 type sysfs_camera, sysfs_type, fs_type;
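Review bot: `mlstrustedobject` is added to `ramdump_data_file` and set on the new `cnss_diag_data_file` without a comment; that attribute exempts the object from MLS level checks, so the rule should say which per-user domain needs the exemption (presumably the platform_app rules in this change that delete ramdumps and create cnss_diag files — worth confirming). A one-liner on each, such as `# mlstrustedobject: reached by platform_app, which runs at a per-user MLS level`, lets the next reader tell a deliberate exemption from a copy-paste. `sensors_cal_file` being a bare `file_type` is consistent with its /persist location in file_contexts, so that one reads fine.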
@@ -33,6 +39,11 @@
 type debugfs_sps, debugfs_type, fs_type;
 type debugfs_rpm, debugfs_type, fs_type;
 type debugfs_kgsl, debugfs_type, fs_type;
+type debugfs_ipc, debugfs_type, fs_type;
+type debugfs_bufinfo, debugfs_type, fs_type;
+type debugfs_mdp, debugfs_type, fs_type;
+type debugfs_ion, debugfs_type, fs_type;
+type debugfs_qsee_log, debugfs_type, fs_type;
 
 # /proc
 type proc_kernel_sched, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 622ff2a..7d66a29 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -78,6 +78,10 @@
 /firmware(/.*)?         u:object_r:firmware_file:s0
 
 # files in /system
+/system/bin/init\.mid\.sh          u:object_r:init_mid_exec:s0
+/system/bin/init\.power\.sh        u:object_r:init_power_exec:s0
+/system/bin/init\.radio\.sh        u:object_r:init_radio_exec:s0
+/system/bin/init\.foreground\.sh   u:object_r:init_foreground_exec:s0
 /system/bin/irsc_util              u:object_r:irsc_util_exec:s0
 /system/bin/mm-pp-dpps             u:object_r:mm-pp-daemon_exec:s0
 /system/bin/pm-service             u:object_r:per_mgr_exec:s0
@@ -94,7 +98,6 @@
 /system/bin/loc_launcher           u:object_r:location_exec:s0
 /system/bin/location-mq            u:object_r:location_exec:s0
 /system/bin/lowi-server            u:object_r:location_exec:s0
-/vendor/bin/qseecomd               u:object_r:tee_exec:s0
 /system/bin/cnd                    u:object_r:cnd_exec:s0
 /system/bin/imsdatadaemon          u:object_r:ims_exec:s0
 /system/bin/imsqmidaemon           u:object_r:ims_exec:s0
@@ -107,28 +110,38 @@
 /system/bin/subsystem_ramdump      u:object_r:subsystem_ramdump_exec:s0
 /system/bin/ssr_setup              u:object_r:ssr_setup_exec:s0
 /system/bin/ramdump                u:object_r:htc_ramdump_exec:s0
-
-/system/bin/init\.mid\.sh          u:object_r:init_mid_exec:s0
-/system/bin/init\.power\.sh        u:object_r:init_power_exec:s0
-/system/bin/init\.radio\.sh        u:object_r:init_radio_exec:s0
-/system/bin/init\.foreground\.sh   u:object_r:init_foreground_exec:s0
+/system/bin/smlog_dump             u:object_r:smlog_dump_exec:s0
+/system/bin/qsee_logger            u:object_r:qsee_logger_exec:s0
 
 /system/bin/preloads_copy\.sh     u:object_r:preloads_copy_exec:s0
 
 # files in /vendor
-/vendor/bin/thermal-engine  u:object_r:thermal-engine_exec:s0
-/vendor/bin/perfd           u:object_r:perfd_exec:s0
-/vendor/bin/nanohub_slpi    u:object_r:nanohub_slpi_exec:s0
+/vendor/bin/hw/android\.hardware\.dumpstate@1\.0-service.marlin      u:object_r:hal_dumpstate_impl_exec:s0
+/vendor/bin/hw/android\.hardware\.usb@1\.0-service.marlin            u:object_r:hal_usb_default_exec:s0
 /vendor/bin/msm_irqbalance  u:object_r:irqbalance_exec:s0
+/vendor/bin/nanohub_slpi    u:object_r:nanohub_slpi_exec:s0
+/vendor/bin/perfd           u:object_r:perfd_exec:s0
+/vendor/bin/thermal-engine  u:object_r:thermal-engine_exec:s0
+/vendor/bin/qseecomd        u:object_r:tee_exec:s0
+/vendor/bin/wcnss_filter    u:object_r:wcnss_filter_exec:s0
+
+/vendor/bin/init\.qcom\.devstart\.sh u:object_r:init-qcom-devstart-sh_exec:s0
+/vendor/bin/init\.mid\.sh          u:object_r:init_mid_exec:s0
+/vendor/bin/init\.power\.sh        u:object_r:init_power_exec:s0
+/vendor/bin/init\.radio\.sh        u:object_r:init_radio_exec:s0
+/vendor/bin/init\.foreground\.sh   u:object_r:init_foreground_exec:s0
 
 # /sys
 /sys/devices/virtual/nanohub/nanohub(/.*)?       u:object_r:sysfs_nanoapp_cmd:s0
 /sys/devices/virtual/thermal(/.*)?               u:object_r:sysfs_thermal:s0
 /sys/devices/bt_qca[0-9]+/extldo                 u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/bt_qca[0-9]+/rfkill/rfkill0/state   u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/soc/leds-qpnp-ffffffc0f92b4400/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/900000\.qcom,mdss_mdp/900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/module/msm_core(/.*)?                       u:object_r:sysfs_msm_core:s0
 /sys/devices/soc/70000\.qcom,msm-core(/.*)?      u:object_r:sysfs_msm_core:s0
 /sys/module/msm_thermal(/.*)?                    u:object_r:sysfs_thermal:s0
+/sys/class/thermal(/.*)?                         u:object_r:sysfs_thermal:s0
 /sys/module/msm_performance(/.*)?                u:object_r:sysfs_perf:s0
 /sys/devices/virtual/net(/.*)?                   u:object_r:sysfs_net:s0
 /sys/module/subsystem_restart(/.*)?              u:object_r:sysfs_msm_subsys_restart:s0
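Review bot: `/sys/devices/soc/leds-qpnp-ffffffc0f92b4400/leds(/.*)?` embeds what looks like a kernel virtual address in the device name; if that value is not stable across kernel builds, the rule quietly stops matching and the leds nodes fall back to the default sysfs label, with no denial pointing at the cause. Unless the name is known to be fixed, match it with a pattern as the bt_qca lines above already do, `/sys/devices/soc/leds-qpnp-[0-9a-f]+/leds(/.*)? u:object_r:sysfs_leds:s0`. Labels for sysfs paths only take effect where something restorecons the path at boot, so a comment naming where that happens would help anyone debugging a missing label.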
@@ -141,6 +154,8 @@
 /sys/devices/soc/9300000\.qcom,lpass(/.*)?       u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/1c00000\.qcom,ssc(/.*)?         u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/2080000\.qcom,mss(/.*)?         u:object_r:sysfs_msm_subsys:s0
+/sys/kernel/boot_adsp/boot                       u:object_r:sysfs_msm_subsys:s0
+/sys/kernel/boot_slpi/boot                       u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/600000\.qcom,pcie(/.*)?         u:object_r:sysfs_pcie:s0
 /sys/devices/soc/8c0000\.qcom,msm-cam(/.*)?      u:object_r:sysfs_camera:s0
 /sys/devices/soc/aa4000\.qcom,fd(/.*)?           u:object_r:sysfs_video:s0
@@ -161,9 +176,16 @@
 /sys/kernel/debug/sps(/.*)?                      u:object_r:debugfs_sps:s0
 /sys/kernel/debug/rpm_stats                      u:object_r:debugfs_rpm:s0
 /sys/kernel/debug/rpm_master_stats               u:object_r:debugfs_rpm:s0
+/sys/kernel/debug/ipc_logging(/.*)?              u:object_r:debugfs_ipc:s0
+/sys/kernel/debug/dma_buf/bufinfo                u:object_r:debugfs_bufinfo:s0
+/sys/kernel/debug/mdp/xlog/dump                  u:object_r:debugfs_mdp:s0
+/sys/kernel/debug/tzdbg/qsee_log                 u:object_r:debugfs_qsee_log:s0
+/sys/kernel/debug/ion(/.*)?                      u:object_r:debugfs_ion:s0
 
 # /data
 /data/diag_logs(/.*)?            u:object_r:diag_logs:s0
+/data/cnss_diag(/.*)?            u:object_r:cnss_diag_data_file:s0
+/data/smlog_dump(/.*)?           u:object_r:smlog_dump_file:s0
 /data/nfc(/.*)?                  u:object_r:nfc_data_file:s0
 /data/time(/.*)?                 u:object_r:time_data_file:s0
 /data/ramdump(/.*)?              u:object_r:ramdump_data_file:s0
@@ -173,6 +195,10 @@
 /data/misc/perfd(/.*)?           u:object_r:perfd_data_file:s0
 /data/system/perfd(/.*)?         u:object_r:perfd_data_file:s0
 /data/misc/radio(/.*)?           u:object_r:radio_data_file:s0
+/data/misc/netmgr(/.*)?          u:object_r:netmgr_data_file:s0
+/data/system/nanohub_lock(/.*)?  u:object_r:nanohub_lock_file:s0
+/data/misc/sensorcal_saved\.json  u:object_r:sensors_saved_settings_file:s0
+
 
 # /
 
@@ -180,12 +206,8 @@
 /tombstones             u:object_r:rootfs:s0
 /dsp                    u:object_r:rootfs:s0
 
-# make /dev/snd/seq and /dev/snd/timer inaccessible by labeling with
-# default "device" label
-/dev/snd/seq            u:object_r:device:s0
-/dev/snd/timer          u:object_r:device:s0
-
 # /persist
 /persist(/.*)?          u:object_r:persist_file:s0
 /persist/data(/.*)?     u:object_r:persist_data_file:s0
 /persist/display(/.*)?  u:object_r:persist_display_file:s0
+/persist/sensorcal\.json  u:object_r:sensors_cal_file:s0
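Review bot: Removing the explicit `device` labels for `/dev/snd/seq` and `/dev/snd/timer` undoes a deliberate hardening that the deleted comment spelled out; those nodes now take whatever the generic `/dev/snd(/.*)?` rule in core policy assigns (presumably audio_device, not visible here) and become reachable by every domain with audio_device access. The commit message gives no reason for the change, so if the nodes are now absent or hidden another way, say so in the description; otherwise keep the two lines and their comment.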
diff --git a/sepolicy/google_camera_app.te b/sepolicy/google_camera_app.te
index 66364a0..8ea0372 100644
--- a/sepolicy/google_camera_app.te
+++ b/sepolicy/google_camera_app.te
@@ -10,6 +10,7 @@
 allow google_camera_app mediacodec_service:service_manager find;
 allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app nfc_service:service_manager find;
 allow google_camera_app surfaceflinger_service:service_manager find;
 
diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
new file mode 100644
index 0000000..3d45f7a
--- /dev/null
+++ b/sepolicy/hal_camera.te
@@ -0,0 +1,45 @@
+# communicate with perfd
+allow hal_camera perfd_data_file:dir search;
+allow hal_camera perfd:unix_stream_socket connectto;
+allow hal_camera perfd_data_file:sock_file write;
+
+allow hal_camera self:capability sys_nice;
+
+# communicate with camera
+allow hal_camera camera:unix_dgram_socket sendto;
+allow hal_camera camera_data_file:sock_file write;
+allow hal_camera camera_device:chr_file rw_file_perms;
+
+allow hal_camera gpu_device:chr_file rw_file_perms;
+
+# access to /dev/input/event{5,10}
+allow hal_camera input_device:dir r_dir_perms;
+allow hal_camera input_device:chr_file r_file_perms;
+
+set_prop(hal_camera, camera_prop)
+
+allow hal_camera sysfs_enable_ps_sensor:file w_file_perms;
+r_dir_file(hal_camera, sysfs_type)
+# find libraries
+allow hal_camera system_file:dir r_dir_perms;
+
+# talk over binder to some binder services
+# TODO: Must be moved to HIDL
+binder_use(hal_camera)
+binder_call(hal_camera, binderservicedomain)
+
+allow hal_camera surfaceflinger_service:service_manager find;
+allow hal_camera sensorservice_service:service_manager find;
+allow hal_camera scheduling_policy_service:service_manager find;
+
+# talk to system_server
+
+allow hal_camera system_server:unix_stream_socket { read write };
+
+allow hal_camera self:socket { create ioctl read write };
+
+# Grant access to Qualcomm MSM Interface (QMI) radio sockets
+qmux_socket(hal_camera)
+
+# allow hal_camera to call some socket ioctls
+allowxperm hal_camera self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER IPC_ROUTER_IOCTL_BIND_CONTROL_PORT };
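Review bot: `allow hal_camera input_device:chr_file r_file_perms;` grants read on every /dev/input node although the comment says only event5 and event10 are needed, so a compromised camera HAL could read touch and key events from all input devices. Give those two nodes their own label in file_contexts and allow only that type, or at minimum document why a per-node label is not possible. Likewise `allow hal_camera gpu_device:chr_file rw_file_perms;` carries no allowxperm, while mediacodec.te in the same change keeps its gpu ioctls limited to a demonstrated set; the same restriction is due here. `allow hal_camera self:capability sys_nice;` and `binder_call(hal_camera, binderservicedomain)` also deserve one-line why-comments, since the TODO covers only the binder part.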
diff --git a/sepolicy/hal_contexthub.te b/sepolicy/hal_contexthub.te
new file mode 100644
index 0000000..c832311
--- /dev/null
+++ b/sepolicy/hal_contexthub.te
@@ -0,0 +1,7 @@
+allow hal_contexthub sensors_device:chr_file rw_file_perms;
+
+# files in /data/system/
+# TODO: b/34980308 : Do not use the data partition.
+allow hal_contexthub nanohub_lock_file:dir create_dir_perms;
+allow hal_contexthub nanohub_lock_file:file create_file_perms;
+allow hal_contexthub nanohub_lock_file:file rw_file_perms;
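Review bot: `allow hal_contexthub nanohub_lock_file:file rw_file_perms;` on the last line is redundant: `rw_file_perms` is a subset of the `create_file_perms` granted on the line above, so the rule adds nothing and can be deleted. A short comment on what the lock file arbitrates would also help, since hal_sensors.te and system_server.te in this change grant the same file and a reader has to reconstruct the protocol from three files.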
diff --git a/sepolicy/hal_dumpstate_impl.te b/sepolicy/hal_dumpstate_impl.te
new file mode 100644
index 0000000..cf0bbcb
--- /dev/null
+++ b/sepolicy/hal_dumpstate_impl.te
@@ -0,0 +1,46 @@
+type hal_dumpstate_impl, domain;
+hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
+
+type hal_dumpstate_impl_exec, exec_type, file_type;
+init_daemon_domain(hal_dumpstate_impl)
+
+# Execute dump scripts
+allow hal_dumpstate_impl shell_exec:file rx_file_perms;
+allow hal_dumpstate_impl toolbox_exec:file rx_file_perms;
+# system file execution
+#allow hal_dumpstate_impl system_data_file:dir r_dir_perms;
+
+# smlog_dump
+allow hal_dumpstate_impl smlog_dump_exec:file rx_file_perms;
+userdebug_or_eng(`
+allow hal_dumpstate_impl smlog_dump_file:dir create_dir_perms;
+allow hal_dumpstate_impl smlog_dump_file:file create_file_perms;
+allow hal_dumpstate_impl radio_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl netmgr_data_file:dir r_dir_perms;
+allow hal_dumpstate_impl radio_data_file:file r_file_perms;
+allow hal_dumpstate_impl netmgr_data_file:file r_file_perms;
+')
+
+allow hal_dumpstate_impl uio_device:chr_file rw_file_perms;
+r_dir_file(hal_dumpstate_impl, sysfs_uio)
+r_dir_file(hal_dumpstate_impl, sysfs_rmtfs)
+r_dir_file(hal_dumpstate_impl, sysfs_msm_subsys)
+
+# Access to files for dumping
+allow hal_dumpstate_impl  sysfs:dir r_dir_perms;
+# rpm stat
+allow hal_dumpstate_impl debugfs_rpm:file r_file_perms;
+allow hal_dumpstate_impl debugfs_bufinfo:file r_file_perms;
+# qsee_logger
+allow hal_dumpstate_impl qsee_logger_exec:file rx_file_perms;
+allow hal_dumpstate_impl debugfs_qsee_log:file r_file_perms;
+# MDP logs
+allow hal_dumpstate_impl debugfs_mdp:file r_file_perms;
+# ION HEAPS
+r_dir_file(hal_dumpstate_impl, debugfs_ion)
+# ipc
+r_dir_file(hal_dumpstate_impl, debugfs_ipc)
+# Temperatures
+r_dir_file(hal_dumpstate_impl, sysfs_thermal)
+# CPU stat
+r_dir_file(hal_dumpstate_impl, sysfs_devices_system_cpu)
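Review bot: `#allow hal_dumpstate_impl system_data_file:dir r_dir_perms;` is a commented-out rule; either it is needed and should be enabled with a reason, or it should be removed, as dead rules in policy tend to get uncommented later without review. The `rx_file_perms` grants on `smlog_dump_exec` and `qsee_logger_exec` run those helpers inside the hal_dumpstate_impl domain rather than transitioning to a dedicated one, which is why this domain has to carry their sysfs_uio/sysfs_rmtfs/debugfs rules itself; if that is intentional, the `# smlog_dump` and `# qsee_logger` comments should say so. The userdebug_or_eng block gives the HAL read on radio_data_file and netmgr_data_file; naming which files the dump scripts read would keep that to the minimum.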
diff --git a/sepolicy/hal_fingerprint.te b/sepolicy/hal_fingerprint.te
new file mode 100644
index 0000000..6994917
--- /dev/null
+++ b/sepolicy/hal_fingerprint.te
@@ -0,0 +1,7 @@
+allow hal_fingerprint sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint sysfs_fingerprint:file rw_file_perms;
+allow hal_fingerprint tee_device:chr_file rw_file_perms;
+allow hal_fingerprint uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint sysfs:dir { open read };
+
+
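Review bot: `allow hal_fingerprint uhid_device:chr_file rw_file_perms;` lets the fingerprint HAL create virtual HID devices and inject arbitrary input events, and nothing says why; this is the grant most worth questioning in a later audit, so it needs a comment such as `# uhid: inject key events for fingerprint navigation gestures — confirm` stating the actual use. The `tee_device` rw line is expected for a TEE-backed HAL but also deserves a one-liner. The two trailing blank lines at the end of the new file should be dropped.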
diff --git a/sepolicy/hal_graphics_allocator.te b/sepolicy/hal_graphics_allocator.te
new file mode 100644
index 0000000..fa7fce3
--- /dev/null
+++ b/sepolicy/hal_graphics_allocator.te
@@ -0,0 +1 @@
+r_dir_file(hal_graphics_allocator, sysfs_type)
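Review bot: `r_dir_file(hal_graphics_allocator, sysfs_type)` grants read over every sysfs label on the device in a single uncommented line, whereas the sibling hal_graphics_composer_default.te at least names the node it reads. Add a comment naming the path, and if it is one node or subtree, prefer a dedicated type over the whole sysfs_type attribute.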
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..36abbf5
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,26 @@
+userdebug_or_eng(`
+  allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
+')
+
+# misc
+allow hal_graphics_composer_default display_data_file:dir create_dir_perms;
+allow hal_graphics_composer_default display_data_file:file create_file_perms;
+
+# persist
+allow hal_graphics_composer_default persist_file:dir search;
+
+# persist/display
+allow hal_graphics_composer_default persist_display_file:dir r_dir_perms;
+allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+
+# Binder access (for display.qservice)
+# TODO remove after the HAL is fixed
+binder_service(hal_graphics_composer_default)
+binder_use(hal_graphics_composer_default)
+allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };
+
+# HWC_UeventThread
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access /sys/devices/virtual/graphics/fb0/mdp/caps and maybe others
+r_dir_file(hal_graphics_composer_default, sysfs_type)
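Review bot: `allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };` lets the composer HAL register a service under the surfaceflinger_service label, so a compromised HAL could register a binder object that clients looking up that label would accept as surfaceflinger. The TODO says this is temporary for display.qservice; until the HAL is fixed, give display.qservice its own service type in service_contexts and grant `add` on that type only, keeping `find` on surfaceflinger_service if it is still needed. `r_dir_file(hal_graphics_composer_default, sysfs_type)` at the end reads all of sysfs for what the comment describes as one fb0/mdp path; a dedicated label would be narrower.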
diff --git a/sepolicy/hal_sensors.te b/sepolicy/hal_sensors.te
new file mode 100644
index 0000000..5f02d06
--- /dev/null
+++ b/sepolicy/hal_sensors.te
@@ -0,0 +1,24 @@
+# TODO: b/34980308 : Do not use the data or persist partition.
+
+#Allow access to nanohub device
+allow hal_sensors sensors_device:chr_file rw_file_perms;
+
+# Allow access to the nanohub_lock_file to allow the contexthub and
+# the sensor hal to synchronize access
+allow hal_sensors nanohub_lock_file:dir create_dir_perms;
+allow hal_sensors nanohub_lock_file:file create_file_perms;
+
+# Allow acess to uinput for lidstate determination
+allow hal_sensors uhid_device:chr_file rw_file_perms;
+
+# Allow access to persistent partition for calibration data
+allow hal_sensors persist_file:dir search;
+allow hal_sensors sensors_cal_file:dir create_dir_perms;
+allow hal_sensors sensors_cal_file:file create_file_perms;
+
+# Allow access to saved settings file
+allow hal_sensors sensors_saved_settings_file:dir create_dir_perms;
+allow hal_sensors sensors_saved_settings_file:file create_file_perms;
+
+# Allow access to sensor properties
+set_prop(hal_sensors, sensors_prop)
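Review bot: `allow hal_sensors sensors_cal_file:dir create_dir_perms;` has nothing to apply to, because file_contexts in this change labels only the single file `/persist/sensorcal\.json` as sensors_cal_file, and the `create` inside `sensors_cal_file:file create_file_perms` cannot take effect either, since creating a new file under /persist needs write/add_name on the persist_file parent plus a type_transition, neither of which is granted here (unless provided elsewhere). If the file is provisioned at the factory, trim this to `allow hal_sensors sensors_cal_file:file rw_file_perms;` and say so; if the HAL must create it on first boot, the parent-directory rule and the transition need adding. The same pair of rules is duplicated for system_server in this change for passthrough mode, so whichever form is chosen should be applied in both places.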
diff --git a/sepolicy/hal_thermal.te b/sepolicy/hal_thermal.te
new file mode 100644
index 0000000..025806a
--- /dev/null
+++ b/sepolicy/hal_thermal.te
@@ -0,0 +1,4 @@
+allow hal_thermal sysfs_thermal:dir search;
+allow hal_thermal sysfs_thermal:file { getattr open read };
+allow hal_thermal sysfs_thermal:lnk_file read;
+allow hal_thermal proc_stat:file { getattr open read };
diff --git a/sepolicy/hal_vr.te b/sepolicy/hal_vr.te
index af826af..f3f0546 100644
--- a/sepolicy/hal_vr.te
+++ b/sepolicy/hal_vr.te
@@ -1,3 +1,2 @@
-# connect to the thermal engine
-allow hal_vr thermal_socket:sock_file write;
-allow hal_vr thermal-engine:unix_stream_socket connectto;
+# interact with thermal_config
+set_prop(hal_vr, thermal_prop)
diff --git a/sepolicy/init-devstart-sh.te b/sepolicy/init-devstart-sh.te
new file mode 100644
index 0000000..24004d2
--- /dev/null
+++ b/sepolicy/init-devstart-sh.te
@@ -0,0 +1,15 @@
+type init-qcom-devstart-sh, domain;
+type init-qcom-devstart-sh_exec, exec_type, file_type;
+
+init_daemon_domain(init-qcom-devstart-sh)
+
+allow init-qcom-devstart-sh shell_exec:file rx_file_perms;
+
+# execute toybox/toolbox
+allow init-qcom-devstart-sh toolbox_exec:file rx_file_perms;
+
+# Set the sys.qcom.devup property
+set_prop(init-qcom-devstart-sh, system_prop)
+
+# Set boot_adsp and boot_slpi to 1
+allow init-qcom-devstart-sh sysfs_msm_subsys:file w_file_perms;
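Review bot: `set_prop(init-qcom-devstart-sh, system_prop)` gives a shell-script domain write access to the entire system_prop type, far more than the `sys.qcom.devup` the comment names. Add a dedicated property type for it (a `type` in property.te and a `sys.qcom.devup` line in property_contexts) and set_prop on that instead, as this change already does for `persist.sys.cnss.` and the thermal properties. The `sysfs_msm_subsys:file w_file_perms` line is fine given its comment, though it could mention the /sys/kernel/boot_adsp and boot_slpi nodes that file_contexts labels with that type in this change.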
diff --git a/sepolicy/init_foreground.te b/sepolicy/init_foreground.te
index 0842d2e..0215580 100644
--- a/sepolicy/init_foreground.te
+++ b/sepolicy/init_foreground.te
@@ -7,6 +7,11 @@
 allow init_foreground proc_iomem:file getattr;
 allow init_foreground proc_meminfo:file getattr;
 allow init_foreground proc_sysrq:file getattr;
+dontaudit init_foreground proc_interrupts:file getattr;
+dontaudit init_foreground proc_stat:file getattr;
+dontaudit init_foreground proc_timer:file getattr;
+dontaudit init_foreground proc_zoneinfo:file getattr;
+
 allow init_foreground shell_exec:file { getattr read };
 allow init_foreground toolbox_exec:file rx_file_perms;
 
diff --git a/sepolicy/irqbalance.te b/sepolicy/irqbalance.te
index 33a47a2..f4f560a 100644
--- a/sepolicy/irqbalance.te
+++ b/sepolicy/irqbalance.te
@@ -9,4 +9,7 @@
 allow irqbalance proc_irq:dir r_dir_perms;
 allow irqbalance proc_irq:file rw_file_perms;
 
-r_dir_file(irqbalance, proc)
\ No newline at end of file
+allow irqbalance proc_stat:file r_file_perms;
+allow irqbalance proc_interrupts:file r_file_perms;
+
+r_dir_file(irqbalance, proc)
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 7ae9b8c..4359e26 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -1,4 +1,7 @@
+
 r_dir_file(kernel, firmware_file)
+# ipc
+allow kernel debugfs_ipc:dir search;
 
 # for diag over socket
 userdebug_or_eng(`
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 805baa0..1c7e243 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -1,6 +1,9 @@
 allow mediacodec perfd:unix_stream_socket connectto;
 allow mediacodec perfd_data_file:dir search;
 allow mediacodec perfd_data_file:sock_file write;
+
+allow mediacodec system_file:dir r_dir_perms;
+
 allow mediacodec sysfs_soc:dir search;
 allow mediacodec sysfs_soc:file r_file_perms;
 # Only allow gpu ioctl commands that have been demonstrated to be necessary.
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index 3730aad..353a4bd 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -25,6 +25,12 @@
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd net_data_file:file r_file_perms;
 
+# read and write /data/misc/netmgr
+userdebug_or_eng(`
+  allow netmgrd netmgr_data_file:dir rw_dir_perms;
+  allow netmgrd netmgr_data_file:file create_file_perms;
+')
+
 # execute shell, ip, and toolbox
 allow netmgrd shell_exec:file rx_file_perms;
 allow netmgrd system_file:file rx_file_perms;
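Review bot: The comment `# read and write /data/misc/netmgr` above the new block is misleading on user builds, where the rules inside userdebug_or_eng do not exist and any write by netmgrd to that directory will be denied. Either state the intent, `# debug builds only: netmgrd writes logs under /data/misc/netmgr`, or, if the daemon writes there unconditionally, move the rules out of the debug guard. The rest of the file continues past this hunk.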
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 16f2126..72448c4 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -3,4 +3,11 @@
    allow platform_app diag_logs:dir rw_dir_perms;
    allow platform_app diag_logs:file create_file_perms;
    allow platform_app diag_device:chr_file rw_file_perms;
+   allow platform_app cnss_diag_data_file:dir create_dir_perms;
+   allow platform_app cnss_diag_data_file:file create_file_perms;
+   allow platform_app ramdump_data_file:dir { getattr open read remove_name rmdir search write };
+   allow platform_app ramdump_data_file:file { getattr open read unlink write };
+   dontaudit platform_app proc_sysrq:file getattr;
+   dontaudit platform_app proc_iomem:file getattr;
+   set_prop(platform_app, cnss_diag_prop);
 ')
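Review bot: The two ramdump_data_file rules use hand-written permission sets, `{ getattr open read remove_name rmdir search write }` and `{ getattr open read unlink write }`, and nothing says the omission of add_name/create is deliberate. A comment such as `# read and delete existing ramdumps only; no creation` would stop a later cleanup from "normalizing" them to rw_dir_perms/create_file_perms, which would let a debug platform app write arbitrary content into the ramdump directory. The enclosing userdebug_or_eng block opens before this hunk.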
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index a5951f1..04a1594 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,6 +1,3 @@
 allowxperm priv_app self:udp_socket ioctl { SIOCGIWESSID };
 
-# supress audit messages for attempting access to /firmware
-dontaudit priv_app firmware_file:dir search;
-
 r_dir_file(priv_app, sysfs_type)
diff --git a/sepolicy/property.te b/sepolicy/property.te
index 11f27ae..b4a1de8 100644
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@@ -5,3 +5,5 @@
 type hw_sku_prop, property_type;
 type mid_prop, property_type;
 type ssr_prop, property_type;
+type cnss_diag_prop, property_type;
+type thermal_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
index 0d741af..5424306 100644
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@@ -9,3 +9,6 @@
 ro.boot.hardware.sku       u:object_r:hw_sku_prop:s0
 ro.boot.mid                u:object_r:mid_prop:s0
 debug.ssrdump              u:object_r:ssr_prop:s0
+persist.sys.cnss.          u:object_r:cnss_diag_prop:s0
+sys.qcom.thermalcfg        u:object_r:thermal_prop:s0
+ctl.thermal-engine         u:object_r:thermal_prop:s0
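Review bot: `sys.qcom.thermalcfg` and `ctl.thermal-engine` share the single type thermal_prop, so every domain given `set_prop(..., thermal_prop)` in this change (system_server, hal_vr) can also start and stop the thermal-engine service through init's ctl.* handling, not merely change its configuration. Split them, e.g. `ctl.thermal-engine u:object_r:thermal_ctl_prop:s0` with a matching type in property.te, and grant the ctl type only to whichever domain genuinely restarts the daemon. `persist.sys.cnss.` as a prefix is fine provided nothing else under that prefix needs a different owner.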
diff --git a/sepolicy/qsee_logger.te b/sepolicy/qsee_logger.te
new file mode 100644
index 0000000..50f9eba
--- /dev/null
+++ b/sepolicy/qsee_logger.te
@@ -0,0 +1 @@
+type qsee_logger_exec, exec_type, file_type;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index a7ce841..827586a 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -14,6 +14,8 @@
 r_dir_file(rild, sysfs_type)
 
 allow rild time:unix_stream_socket connectto;
+# smlog_dump
+allow rild smlog_dump_exec:file rx_file_perms;
 
 allowxperm rild self:udp_socket ioctl priv_sock_ioctls;
 allow rild self:socket ioctl;
diff --git a/sepolicy/smlog_dump.te b/sepolicy/smlog_dump.te
new file mode 100644
index 0000000..d6be165
--- /dev/null
+++ b/sepolicy/smlog_dump.te
@@ -0,0 +1,7 @@
+type smlog_dump_exec, exec_type, file_type;
+
+type smlog_dump, domain;
+allow smlog_dump smlog_dump_file:dir r_dir_perms;
+allow smlog_dump smlog_dump_file:file create_file_perms;
+r_dir_file(smlog_dump, sysfs_uio)
+r_dir_file(smlog_dump, sysfs_rmtfs)
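Review bot: The new `smlog_dump` domain has no way to be entered: there is no init_daemon_domain or domain_auto_trans for smlog_dump_exec, and both executors in this change (hal_dumpstate_impl and rild) take `smlog_dump_exec:file rx_file_perms`, which runs the binary in the caller's own domain. The four allow rules here are therefore dead, and the callers end up carrying the sysfs_uio/sysfs_rmtfs access instead. Either add `domain_auto_trans(hal_dumpstate_impl, smlog_dump_exec, smlog_dump)` (and the same for rild) and drop the direct rx grants, or remove the domain and keep only the exec type with a comment that the tool runs in its caller's context.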
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 4b032f6..7f0558d 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -3,6 +3,8 @@
 allow system_app cne_service:service_manager add;
 allow system_app time:unix_stream_socket connectto;
 get_prop(system_app, hw_sku_prop);
+set_prop(system_app, radio_prop)
+r_dir_file(system_app, sysfs_msm_subsys)
 userdebug_or_eng(`
   allow system_app ramdump_data_file:dir r_dir_perms;
   allow system_app ramdump_data_file:file r_file_perms;
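Review bot: `set_prop(system_app, radio_prop)` grants system apps write access to the whole radio property type with no comment on which property is set or by which app; radio_prop is normally written by the radio stack, so this widens what a system-UID app can influence. Add a comment naming the property and the app, and if it is a single key consider a dedicated type, as this change does for `persist.sys.cnss.`. `r_dir_file(system_app, sysfs_msm_subsys)` on the next line would similarly benefit from naming the node that is read.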
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 198ef61..505e64d 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -33,14 +33,32 @@
 allow system_server location_data_file:dir create_dir_perms;
 allow system_server location_data_file:{ file fifo_file } create_file_perms;
 
-# read sensor calibration data
+## Rules needed for sensors HAL when it is running in passthrough mode.
+
+# Access to the nanohub device
+allow system_server sensors_device:chr_file rw_file_perms;
+# Access to the lock file to arbitrate access
+allow system_server nanohub_lock_file:dir create_dir_perms;
+allow system_server nanohub_lock_file:file create_file_perms;
+# Access to uinput for lidstate determination
+allow system_server uhid_device:chr_file rw_file_perms;
+# Allow access to persistent partition for calibration data
 allow system_server persist_file:dir search;
-allow system_server persist_file:file r_file_perms;
+allow system_server sensors_cal_file:dir create_dir_perms;
+allow system_server sensors_cal_file:file create_file_perms;
+# Allow access to saved settings file
+allow system_server sensors_saved_settings_file:dir create_dir_perms;
+allow system_server sensors_saved_settings_file:file create_file_perms;
+# Allow access to sensor properties
 set_prop(system_server, sensors_prop)
 
+## End sensor HAL section
+
 # interact with thermal_config
-allow system_server thermal-engine:unix_stream_socket connectto;
-allow system_server thermal_socket:sock_file write;
+set_prop(system_server, thermal_prop)
+
+# rpm
+r_dir_file(system_server, debugfs_rpm)
 
 # kgsl
 allow system_server debugfs_kgsl:file { open read getattr };
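Review bot: The block between `## Rules needed for sensors HAL when it is running in passthrough mode.` and `## End sensor HAL section` duplicates hal_sensors.te and gives system_server direct rw on sensors_device and uhid_device (virtual HID creation and input injection) plus create rights on the calibration files, a sizeable widening of system_server's surface that only makes sense while the HAL is passthrough. Tie it to its removal condition, `# TODO: remove once the sensors HAL is binderized (no longer passthrough)`, so it is not carried forever. `allow system_server sensors_cal_file:dir create_dir_perms;` has the same problem as in hal_sensors.te: file_contexts labels only a single file with that type, so the dir rule is a no-op. The remainder of the file continues past this hunk.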
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 6315b5b..c1adac1 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -25,3 +25,12 @@
   allow thermal-engine diag_device:chr_file rw_file_perms;
 ')
 
+# write proc/sysrq-trigger for remount r/o during reboot
+allow thermal-engine proc_sysrq:file w_file_perms;
+# reboot warnings and errors to kernel via klog
+allow thermal-engine kmsg_device:chr_file w_file_perms;
+# write file last_reboot_reason to inform of previous thermal shutdown
+allow thermal-engine reboot_data_file:dir ra_dir_perms;
+allow thermal-engine reboot_data_file:file create_file_perms;
+# reboot/shutdown for thermal limits exceeded
+allow thermal-engine self:capability sys_boot;
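Review bot: `allow thermal-engine proc_sysrq:file w_file_perms;` gives the daemon far more than the remount-read-only the comment describes — /proc/sysrq-trigger also accepts crash, kill-all and memory-dump commands — and together with `self:capability sys_boot` it lets a compromised thermal-engine take the device down arbitrarily. The usual Android route for a daemon-initiated shutdown is to set `sys.powerctl` and let init perform the reboot, which would need only `set_prop(thermal-engine, powerctl_prop)` (assuming the core powerctl_prop type is reachable from this policy) and none of the sysrq or sys_boot rules. If the direct path must stay, the sysrq comment should state that the grant is write-anything rather than remount-only, and record why a powerctl property was not used. This hunk ends at the end of the file.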