[DNM]umi: Initial sepolicy

Signed-off-by: Isaac Chen <[email protected]>
Co-authored-by: Pig <[email protected]>
Co-authored-by: TH779 <[email protected]>
Co-authored-by: Akash <[email protected]>
Signed-off-by: TH779 <[email protected]>

sepolicy/private/dontaudit.te

@@ -0,0 +1,3 @@
+dontaudit fsck self:capability kill;
+dontaudit linkerconfig self:capability kill;
+dontaudit vdc self:capability kill;

sepolicy/private/property_contexts

@@ -0,0 +1,15 @@
+# Global
+ro.boot.hwc             u:object_r:exported_default_prop:s0
+ro.build.flavor         u:object_r:exported_default_prop:s0
+ro.product.mod_device   u:object_r:exported2_default_prop:s0
+
+# IMEI
+persist.radio.imei      u:object_r:deviceid_prop:s0
+persist.radio.meid      u:object_r:deviceid_prop:s0
+ro.ril.miui.imei        u:object_r:deviceid_prop:s0
+ro.ril.oem.imei         u:object_r:deviceid_prop:s0
+ro.ril.oem.meid         u:object_r:deviceid_prop:s0
+
+# MIUI
+ro.cust.test            u:object_r:exported_system_prop:s0
+ro.miui.                u:object_r:exported_system_prop:s0

sepolicy/private/seapp_contexts

@@ -0,0 +1 @@
+user=system seinfo=platform name=org.lineageos.settings domain=xiaomiparts_app type=system_app_data_file

sepolicy/private/system_app.te

@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_mlipay)

sepolicy/private/xiaomiparts_app.te

@@ -0,0 +1,11 @@
+app_domain(xiaomiparts_app)
+
+allow xiaomiparts_app {
+  activity_service
+  mediaextractor_service
+  mediametrics_service
+  mediaserver_service
+  sensorservice_service
+}:service_manager find;
+
+allow xiaomiparts_app system_app_data_file:dir create_dir_perms;

sepolicy/public/attributes

@@ -0,0 +1,3 @@
+hal_attribute_lineage(displayfeature)
+hal_attribute_lineage(mlipay)
+hal_attribute_lineage(touchfeature)

sepolicy/public/property.te

@@ -0,0 +1 @@
+type deviceid_prop, property_type;

sepolicy/public/xiaomiparts_app.te

@@ -0,0 +1 @@
+type xiaomiparts_app, domain;

sepolicy/vendor/app.te

@@ -0,0 +1,5 @@
+get_prop({ appdomain -isolated_app }, vendor_fp_prop)
+get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)
+
+# Allow appdomain to get persist_camera_prop
+get_prop(appdomain, vendor_persist_camera_prop)

sepolicy/vendor/batterysecret.te

@@ -0,0 +1,14 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(batterysecret)
+
+allow batterysecret self:capability2 block_suspend;
+allow batterysecret sysfs:file { read write };
+allow batterysecret sysfs:file { open };
+allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow batterysecret sysfs_usb_supply:dir r_dir_perms;
+allow batterysecret sysfs_usb_supply:file r_file_perms;
+allow batterysecret vendor_sysfs_usb_supply:dir { search };
+allow batterysecret vendor_sysfs_usb_supply:file { read };
+allow batterysecret vendor_sysfs_usb_supply:file { open };

sepolicy/vendor/device.te

@@ -0,0 +1,7 @@
+type efs_block_device, dev_type;
+type fingerprint_device, dev_type;
+type hall_device, dev_type;
+type ir_device, dev_type;
+type migt_device, dev_type;
+type touchfeature_device, dev_type;
+type ultrasound_device, dev_type;

sepolicy/vendor/file.te

@@ -1 +1,8 @@
+type audio_socket, file_type;
+type persist_camera_file, file_type, vendor_persist_type;
+type fingerprint_data_file, data_file_type, file_type;
+type sysfs_usb_supply, sysfs_type, fs_type;
+type sysfs_battery_supply, fs_type, sysfs_type;
+type sysfs_graphics, sysfs_type, fs_type;
+type sysfs_kgsl, sysfs_type, fs_type;
 type persist_file, file_type;

sepolicy/vendor/file_contexts

@@ -1,6 +1,47 @@
+# Audio
+/dev/socket/audio_hw_socket         u:object_r:audio_socket:s0
+
+# Camera
+/mnt/vendor/persist/camera(/.*)?    u:object_r:persist_camera_file:s0
+
+# Charger
+/vendor/bin/batterysecret           u:object_r:batterysecret_exec:s0
+
+# Devices
+/dev/akm09970                       u:object_r:hall_device:s0
+/dev/elliptic(.*)?                  u:object_r:ultrasound_device:s0
+/dev/goodix_fp                      u:object_r:fingerprint_device:s0
+/dev/ir_spi                         u:object_r:ir_device:s0
+/dev/migt                           u:object_r:migt_device:s0
+/dev/xiaomi-touch                   u:object_r:touchfeature_device:s0
+/dev/xlog                           u:object_r:audio_device:s0
+
+# EFS
+/dev/block/sde[0-9]                 u:object_r:efs_block_device:s0
+
 # Files in rootfs
 /persist(/.*)?                                                                                                 u:object_r:persist_file:s0
 
-# Hals
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.biometrics\.fingerprint\.inscreen@1\.0-service\.xiaomi_kona    u:object_r:hal_lineage_fod_default_exec:s0
+# Fingerprint
+/data/vendor/goodix(/.*)?           u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?              u:object_r:fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)?           u:object_r:fingerprint_data_file:s0
+
+# Graphics
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/disp_param    u:object_r:sysfs_graphics:s0
+
+# HALs
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.biometrics\.fingerprint\.inscreen@1\.0-service\.xiaomi_kona    u:object_r:hal_lineage_fod_kona_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.powershare@1\.0-service\.xiaomi_kona                           u:object_r:hal_lineage_powershare_default_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.displayfeature@1\.0-service                                           u:object_r:hal_displayfeature_default_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.wireless@1\.0-service                                                 u:object_r:hal_wireless_default_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.touchfeature@1\.0-service                                             u:object_r:hal_touchfeature_default_exec:s0
+/vendor/bin/displayfeature                                                                                     u:object_r:hal_displayfeature_default_exec:s0
+/vendor/bin/mlipayd@1\.1                                                                                       u:object_r:hal_mlipay_default_exec:s0
+
+# Health
+/sys/devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify(/.*)?          u:object_r:sysfs_battery_supply:s0
+
+# MAC
+/vendor/bin/nv_mac                  u:object_r:vendor_wcnss_service_exec:s0
+/data/vendor/mac_addr(/.*)?         u:object_r:vendor_wifi_vendor_data_file:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,4 @@
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-5/5-0066/power_supply/bq2597x-standalone/type                                       u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /class/power_supply/battery/capacity                                                                                     u:object_r:sysfs_battery_supply:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display-primary                                                                       u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0/hctosys u:object_r:sysfs_wakeup:s0

sepolicy/vendor/hal_audio_default.te

@@ -0,0 +1,4 @@
+allow hal_audio_default audio_device:chr_file rw_file_perms;
+allow hal_audio_default init:unix_stream_socket connectto;
+
+set_prop(hal_audio_default, vendor_audio_prop)

sepolicy/vendor/hal_bluetooth_default.te

@@ -0,0 +1 @@
+r_dir_file(hal_bluetooth_default, vendor_wifi_vendor_data_file)

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,7 @@
+r_dir_file(hal_camera_default, persist_camera_file)
+r_dir_file(hal_camera_default, mnt_vendor_file)
+
+allow hal_camera_default {
+  vendor_sysfs_kgsl
+  proc_stat
+}:file r_file_perms;

sepolicy/vendor/hal_displayfeature_default.te

@@ -0,0 +1,37 @@
+type hal_displayfeature_default, domain;
+hal_server_domain(hal_displayfeature_default, hal_displayfeature)
+
+binder_call(hal_displayfeature_client, hal_displayfeature_server)
+
+add_hwservice(hal_displayfeature_server, hal_displayfeature_hwservice)
+
+type hal_displayfeature_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_displayfeature_default)
+
+binder_call(hal_displayfeature_client, hal_displayfeature_server)
+
+hal_attribute_hwservice(hal_displayfeature, hal_displayfeature_hwservice)
+
+set_prop(hal_displayfeature_default, vendor_displayfeature_prop)
+set_prop(hal_displayfeature_default, hwservicemanager_prop)
+get_prop(hal_displayfeature_default, vendor_mpctl_prop)
+
+vndbinder_use(hal_displayfeature_default)
+
+allow hal_displayfeature_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow hal_displayfeature_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_displayfeature_default vendor_qdisplay_service:service_manager find;
+allow hal_displayfeature_default hwservicemanager:binder { call transfer };
+allow hal_displayfeature_default hal_displayfeature_hwservice:hwservice_manager { add find };
+allow hal_displayfeature_default hal_graphics_composer_default:binder { call transfer };
+allow hal_displayfeature_default hidl_base_hwservice:hwservice_manager add;
+allow hal_displayfeature_default sysfs:file { read };
+allow hal_displayfeature_default sysfs:file { open };
+allow hal_displayfeature_default sysfs:file { getattr };
+allow hal_displayfeature_default vendor_display_vendor_data_file:dir {search write add_name};
+allow hal_displayfeature_default vendor_hal_display_postproc_hwservice:hwservice_manager find;
+allow hal_displayfeature_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_displayfeature_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_displayfeature_default vendor_display_vendor_data_file : file {open getattr read};
+allow hal_displayfeature_default vendor_hal_display_color_default : binder {call};
+allow hal_displayfeature_default system_server : binder { call transfer};

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,20 @@
+hal_client_domain(hal_fingerprint_default, vendor_hal_perf)
+
+binder_call(hal_fingerprint_default, vendor_hal_perf_default)
+
+allow hal_fingerprint_default fingerprint_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+
+allow hal_fingerprint_default input_device:dir r_dir_perms;
+
+allow hal_fingerprint_default {
+  fingerprint_device
+  input_device
+  tee_device
+}:chr_file rw_file_perms;
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+
+get_prop(hal_fingerprint_default, vendor_displayfeature_prop);

sepolicy/vendor/hal_graphics_composer_default.te

@@ -0,0 +1,4 @@
+hal_client_domain(hal_graphics_composer_default, hal_displayfeature)
+binder_call(hal_graphics_composer_default, hal_displayfeature)
+
+set_prop(hal_graphics_composer_default, vendor_displayfeature_prop)

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1,3 @@
+allow hal_health_default sysfs:file { read };
+allow hal_health_default sysfs:file { open };
+allow hal_health_default sysfs:file { getattr };

sepolicy/vendor/hal_ir_default.te

@@ -0,0 +1 @@
+allow hal_ir_default ir_device:chr_file rw_file_perms;

sepolicy/vendor/hal_lineage_fod_kona.te

@@ -0,0 +1,19 @@
+type hal_lineage_fod_kona, domain;
+type hal_lineage_fod_kona_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_lineage_fod_kona, hal_lineage_fod)
+
+init_daemon_domain(hal_lineage_fod_kona)
+
+wakelock_use(hal_lineage_fod_kona)
+
+hal_client_domain(hal_lineage_fod_kona, hal_displayfeature)
+hal_client_domain(hal_lineage_fod_kona, hal_fingerprint)
+hal_client_domain(hal_lineage_fod_kona, hal_touchfeature)
+
+binder_call(hal_lineage_fod_kona, hal_fingerprint_default)
+binder_call(hal_lineage_fod_kona, hal_touchfeature_default)
+binder_call(hal_lineage_fod_kona, hal_displayfeature_default)
+
+allow hal_lineage_fod_kona vendor_sysfs_graphics:dir search;
+allow hal_lineage_fod_kona vendor_sysfs_graphics:file rw_file_perms;

sepolicy/vendor/hal_lineage_powershare_default.te

@@ -0,0 +1,3 @@
+allow hal_lineage_powershare_default sysfs:file { read };
+allow hal_lineage_powershare_default sysfs:file { open };
+allow hal_lineage_powershare_default sysfs:file { getattr };

sepolicy/vendor/hal_mlipay_default.te

@@ -0,0 +1,19 @@
+type hal_mlipay_default, domain;
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+hal_attribute_hwservice(hal_mlipay, hal_mlipay_hwservice)
+
+init_daemon_domain(hal_mlipay_default)
+
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+allow hal_mlipay_default {
+  tee_device
+  ion_device
+}:chr_file rw_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
+set_prop(hal_mlipay_default, vendor_tee_listener_prop)

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,2 @@
+allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,2 @@
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,5 @@
+allow hal_sensors_default ultrasound_device:chr_file { read };
+allow hal_sensors_default audio_socket:sock_file { write };
+allow hal_sensors_default ultrasound_device:chr_file { open };
+allow hal_sensors_default hal_audio_default:unix_stream_socket { connectto };
+allow hal_sensors_default ultrasound_device:chr_file { ioctl };

sepolicy/vendor/hal_touchfeature_default.te

@@ -0,0 +1,13 @@
+type hal_touchfeature_default, domain;
+type hal_touchfeature_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_touchfeature_default, hal_touchfeature)
+hal_attribute_hwservice(hal_touchfeature, hal_touchfeature_hwservice)
+
+init_daemon_domain(hal_touchfeature_default)
+
+binder_call(hal_touchfeature_client, hal_touchfeature_server)
+
+allow hal_touchfeature_default touchfeature_device:chr_file rw_file_perms;
+
+vndbinder_use(hal_touchfeature_default)

sepolicy/vendor/hal_wireless_default.te

@@ -0,0 +1,8 @@
+type hal_wireless_default, domain;
+type hal_wireless_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wireless_default)
+
+get_prop(hal_wireless_default, hwservicemanager_prop)
+
+binder_call(hal_wireless_default, hwservicemanager)

sepolicy/vendor/hwservice.te

@@ -0,0 +1,3 @@
+type hal_displayfeature_hwservice, hwservice_manager_type;
+type hal_mlipay_hwservice, hwservice_manager_type;
+type hal_touchfeature_hwservice, hwservice_manager_type;

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,7 @@
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon         u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.displayfeature::IDisplayFeature                          u:object_r:hal_displayfeature_hwservice:s0
+vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint                 u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService                                   u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.touchfeature::ITouchFeature                              u:object_r:hal_touchfeature_hwservice:s0
+
+vendor.dolby.hardware.dms::IDms u:object_r:hal_dms_hwservice:s0

sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1 @@
+allow hwservicemanager hal_displayfeature_default:binder { call transfer };

sepolicy/vendor/init.te

@@ -0,0 +1,3 @@
+allow init debugfs_tracing_debug:dir mounton;
+allow init hal_displayfeature_default : binder {call};
+allow init hal_touchfeature_default : binder {call};

sepolicy/vendor/platform_app.te

@@ -0,0 +1,2 @@
+allow platform_app hal_power_default:binder { call };
+allow platform_app sysfs_kgsl:lnk_file read;

sepolicy/vendor/property.te

@@ -0,0 +1,6 @@
+# Displayfeature
+type vendor_displayfeature_prop, property_type;
+
+type vendor_fp_prop, property_type;
+
+type vendor_dolby_loglevel_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,40 @@
+# Camera
+camera.                                 u:object_r:vendor_camera_prop:s0
+persist.camera.                         u:object_r:vendor_camera_prop:s0
+vendor.camera.                          u:object_r:vendor_camera_prop:s0
+
+# Display feature
+vendor.panel.color                           u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.vendor                          u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.display                         u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.touch_vendor                    u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.threshold                  u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.level                      u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hist.threshold                     u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.histogram.enable                   u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.whitepoint_calibration_enable      u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.df.effect.conflict                 u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.extcolor.proc              u:object_r:vendor_displayfeature_prop:s0
+vendor.displayfeature.entry.enable           u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.color.temp                 u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bl.notify                          u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.enable           u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.threshold        u:object_r:vendor_displayfeature_prop:s0
+vendor.display.panel.calibration.status      u:object_r:vendor_displayfeature_prop:s0
+vendor.hbm.enable                            u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.max.brightness                u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bl.poll                            u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.default_fps                u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cabc.enable                        u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bcbc.enable                        u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dfps.enable                        u:object_r:vendor_displayfeature_prop:s0
+
+# Fingerprint
+gf.debug.                   u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.      u:object_r:vendor_fp_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay.     u:object_r:vendor_tee_listener_prop:s0
+
+# Dolby
+persist.vendor.dolby.loglevel   u:object_r:vendor_dolby_loglevel_prop:s0

sepolicy/vendor/rild.te

@@ -0,0 +1 @@
+set_prop(rild, deviceid_prop)

sepolicy/vendor/system_server.te

@@ -0,0 +1,4 @@
+# Allow system_server to set persist_camera_prop
+get_prop(system_server, vendor_persist_camera_prop)
+
+allow system_server hal_displayfeature_default : binder {call transfer};

sepolicy/vendor/tee.te

@@ -0,0 +1,2 @@
+allow tee mnt_vendor_file:file create_file_perms;
+allow tee mnt_vendor_file:dir rw_dir_perms;

sepolicy/vendor/vendor_hal_perf_default.te

@@ -0,0 +1,4 @@
+allow vendor_hal_perf_default system_server:dir { search };
+allow vendor_hal_perf_default system_server:file { read };
+allow vendor_hal_perf_default system_server:file { open };
+allow vendor_hal_perf_default system_server:file { getattr };

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,6 @@
+allow vendor_init block_device:lnk_file setattr;
+
+allow vendor_init migt_device:chr_file rw_file_perms;
+
+# Allow vendor_init to set persist_camera_prop
+set_prop(vendor_init, vendor_persist_camera_prop)

sepolicy/vendor/vendor_mdm_helper.te

@@ -0,0 +1,3 @@
+allow vendor_mdm_helper efs_block_device:blk_file r_file_perms;
+
+get_prop(vendor_mdm_helper, vendor_ssr_prop)

sepolicy/vendor/vendor_modprobe.te

@@ -0,0 +1 @@
+allow vendor_modprobe vendor_debugfs_ipc:dir search;