From 724868de3632437ab2fa50c8d71b69335bff1509 Mon Sep 17 00:00:00 2001
From: Isaac Chen
Date: Mon, 28 May 2018 18:53:26 +0200
Subject: [PATCH] msm8937-common: sepolicy: Organize for treble compatibility

Signed-off-by: Isaac Chen
---
 sepolicy/bluetooth_loader-qcom.te | 26 ++++++++++++++++++++++++++
 sepolicy/file_contexts | 5 ++++-
 sepolicy/gx_fpd.te | 4 ++--
 sepolicy/hal_camera_default.te | 2 +-
 sepolicy/hal_fingerprint_default.te | 21 ---------------------
 sepolicy/hal_fingerprint_msm8937.te | 27 +++++++++++++++++++++++++++
 sepolicy/service.te | 1 +
 sepolicy/service_contexts | 2 +-
 8 files changed, 62 insertions(+), 26 deletions(-)
 create mode 100644 sepolicy/bluetooth_loader-qcom.te
 delete mode 100644 sepolicy/hal_fingerprint_default.te
 create mode 100644 sepolicy/hal_fingerprint_msm8937.te

diff --git a/sepolicy/bluetooth_loader-qcom.te b/sepolicy/bluetooth_loader-qcom.te
new file mode 100644
index 0000000..a7a2c92
--- /dev/null
+++ b/sepolicy/bluetooth_loader-qcom.te
@@ -0,0 +1,26 @@
+type bluetooth_loader, domain;
+type bluetooth_loader_exec, exec_type, vendor_file_type, file_type;
+
+# Started by init
+init_daemon_domain(bluetooth_loader)
+
+# Get persist.service.bdroid.*, bluetooth.* and wcnss property values
+get_prop(bluetooth_loader, bluetooth_prop)
+get_prop(bluetooth_loader, wcnss_prop)
+
+# Access the serial device
+allow bluetooth_loader serial_device:chr_file rw_file_perms;
+
+# And the smd device
+allow bluetooth_loader smd_device:chr_file rw_file_perms;
+
+# And qmuxd
+allow bluetooth_loader qmuxd_socket:dir create_dir_perms;
+allow bluetooth_loader qmuxd_socket:sock_file create_file_perms;
+allow bluetooth_loader qmuxd:unix_stream_socket connectto;
+
+r_dir_file(bluetooth_loader, persist_file)
+
+userdebug_or_eng(`
+ diag_use(bluetooth_loader)
+')
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7934d2d..c1502a3 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
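Review bot: The new bluetooth_loader domain never says which executable runs in it; because the file is named after the loader rather than the binary, a header such as `# Domain for hci_qcomm_init (labeled bluetooth_loader_exec in file_contexts)` would let a reviewer map policy to process without opening a second file. The comment `# Get persist.service.bdroid.*, bluetooth.* and wcnss property values` names three property families but only `bluetooth_prop` and `wcnss_prop` are granted below it; if `persist.service.bdroid.*` is not labeled `bluetooth_prop` in this tree the comment over-promises and the read will be denied at runtime, so either confirm the labeling or trim the comment. Read/write on `serial_device` and `smd_device` is broad for a one-shot loader; if the tree already has a more specific label for the Bluetooth UART node, prefer it. The `diag_use` grant being confined to `userdebug_or_eng` is the right shape.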
@@ -1,5 +1,8 @@
 # Biometric
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_msm8937 u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_msm8937 u:object_r:hal_fingerprint_msm8937_exec:s0
+
+# Bluetooth
+/(vendor|system/vendor)/bin/hci_qcomm_init u:object_r:bluetooth_loader_exec:s0
 
 # Block devices
 /dev/block/bootdevice/by-name/persist u:object_r:persist_block_device:s0
diff --git a/sepolicy/gx_fpd.te b/sepolicy/gx_fpd.te
index fa46d05..69a75e9 100644
--- a/sepolicy/gx_fpd.te
+++ b/sepolicy/gx_fpd.te
@@ -1,5 +1,5 @@
-type gx_fpd, domain;
-type gx_fpd_exec, exec_type, file_type;
+type gx_fpd, domain, binder_in_vendor_violators;
+type gx_fpd_exec, exec_type, vendor_file_type, file_type;
 
 # gx_fpd
 init_daemon_domain(gx_fpd)
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index ba65e48..2c09d0b 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1 +1 @@
-allow hal_camera_default camera_data_file:sock_file rw_file_perms;
+allow hal_camera_default camera_data_file:sock_file read;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
deleted file mode 100644
index 11027fc..0000000
--- a/sepolicy/hal_fingerprint_default.te
+++ /dev/null
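Review bot: `type gx_fpd, domain, binder_in_vendor_violators;` attaches the neverallow carve-out without recording why it is needed; the sibling hal_fingerprint_msm8937.te in this same patch shows the reason (`binder_call(hal_fingerprint_msm8937, gx_fpd)` and `allow gx_fpd hal_fingerprint_msm8937:binder call;`), so the dependency is visible but only to someone who reads both files. A comment above the type line such as `# binder_in_vendor_violators: gx_fpd is reached over /dev/binder from hal_fingerprint_msm8937; drop once that link no longer uses framework binder` would make the exemption reviewable and keep it from being carried forward indefinitely. The remaining rules of gx_fpd.te are outside this hunk.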
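Review bot: `allow hal_camera_default camera_data_file:sock_file read;` is an odd permission for a socket node: connecting to a unix-domain socket is checked as `write` on the sock_file (plus `connectto` on the peer's socket), not `read`, so if the camera HAL actually connects to a socket under camera_data_file this narrowing will show up as a denial, and if it never does, the `read` bit is dead policy. Either remove the rule outright when the HAL has no socket client under that label, or grant exactly `write` with a comment naming the socket and its peer, e.g. `# connect to <socket path — placeholder>: sock_file write is required for connect()`. Confirm against audit logs from a device running this build before merging, since the old `rw_file_perms` would have masked a missing `write`.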
@@ -1,21 +0,0 @@
-binder_use(hal_fingerprint_default)
-add_service(hal_fingerprint_default, hal_fingerprint_service)
-binder_call(hal_fingerprint_default, gx_fpd)
-
-allow hal_fingerprint_default gx_fpd_service:service_manager find;
-
-allow gx_fpd hal_fingerprint_default:binder call;
-
-allow hal_fingerprint_default fingerprint_service:service_manager find;
-allow hal_fingerprint_default keystore_service:service_manager find;
-
-allow hal_fingerprint_default fpc_sysfs:file rw_file_perms;
-allow hal_fingerprint_default fpc_sysfs:dir rw_dir_perms;
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
-allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
-allow hal_fingerprint_default fpc_data_file:sock_file create_file_perms;
-
-r_dir_file(hal_fingerprint_default, firmware_file)
-
-use_keystore(hal_fingerprint_default)
diff --git a/sepolicy/hal_fingerprint_msm8937.te b/sepolicy/hal_fingerprint_msm8937.te
new file mode 100644
index 0000000..82a915b
--- /dev/null
+++ b/sepolicy/hal_fingerprint_msm8937.te
@@ -0,0 +1,27 @@
+type hal_fingerprint_msm8937, domain, binder_in_vendor_violators;
+hal_server_domain(hal_fingerprint_msm8937, hal_fingerprint)
+
+type hal_fingerprint_msm8937_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_msm8937)
+
+binder_use(hal_fingerprint_msm8937)
+add_service(hal_fingerprint_msm8937, hal_fingerprint_msm8937_service)
+binder_call(hal_fingerprint_msm8937, gx_fpd)
+
+allow hal_fingerprint_msm8937 gx_fpd_service:service_manager find;
+
+allow gx_fpd hal_fingerprint_msm8937:binder call;
+
+allow hal_fingerprint_msm8937 fingerprint_service:service_manager find;
+allow hal_fingerprint_msm8937 keystore_service:service_manager find;
+
+allow hal_fingerprint_msm8937 fpc_sysfs:file rw_file_perms;
+allow hal_fingerprint_msm8937 fpc_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_msm8937 tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_msm8937 uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_msm8937 fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_msm8937 fpc_data_file:sock_file create_file_perms;
+
+r_dir_file(hal_fingerprint_msm8937, firmware_file)
+
+use_keystore(hal_fingerprint_msm8937)
diff --git a/sepolicy/service.te b/sepolicy/service.te
index c6ad55b..5f63e4c 100644
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@@ -1 +1,2 @@
 type gx_fpd_service, service_manager_type;
+type hal_fingerprint_msm8937_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
index 4fdf722..a4dfc44 100644
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@@ -1,2 +1,2 @@
 goodix.fp u:object_r:gx_fpd_service:s0
-android.hardware.fingerprint.IFingerprintCustomDaemon u:object_r:hal_fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintCustomDaemon u:object_r:hal_fingerprint_msm8937_service:s0
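Review bot: `allow hal_fingerprint_msm8937 uhid_device:chr_file rw_file_perms;` gives the fingerprint HAL the ability to create and drive a virtual HID input device, which is a significant capability for a biometric daemon and is not explained anywhere in the new file; the rule is carried over from the deleted hal_fingerprint_default.te rather than introduced here, but a freshly created file is the right place to record the purpose, e.g. `# uhid: <purpose — TODO confirm against the HAL source>`. The `fingerprint_service` and `keystore_service` lookups together with `add_service` on the framework servicemanager are what force `binder_in_vendor_violators` on this vendor domain, so a one-line comment above the type declaration stating that dependency would make the carve-out reviewable and removable later. `rw_file_perms` on `fpc_sysfs:file` and `rw_dir_perms` on the directory grant write to every node under that label; if the HAL only writes a few attributes, a narrower label for those nodes would reduce exposure, though whether that is practical cannot be judged from the policy alone.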