diff --git a/P404Sepolicy.mk b/P404Sepolicy.mk
new file mode 100644
index 0000000..157c279
--- /dev/null
+++ b/P404Sepolicy.mk
@@ -0,0 +1,13 @@
+#
+# This policy configuration will be used by all qcom products
+# that inherit from 404
+#
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+ device/404/sepolicy/private
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
+ device/404/sepolicy/public
+
+BOARD_VENDOR_SEPOLICY_DIRS += \
+ device/404/sepolicy/vendor
diff --git a/common/dynamic/file.te b/common/dynamic/file.te
deleted file mode 100644
index e69de29..0000000
diff --git a/common/dynamic/genfs_contexts b/common/dynamic/genfs_contexts
deleted file mode 100644
index e69de29..0000000
diff --git a/common/dynamic/hal_lineage_camera_motor.te b/common/dynamic/hal_lineage_camera_motor.te
deleted file mode 100644
index f398cc2..0000000
--- a/common/dynamic/hal_lineage_camera_motor.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_lineage_camera_motor_client, hal_lineage_camera_motor_server)
-
-add_hwservice(hal_lineage_camera_motor_server, hal_lineage_camera_motor_hwservice)
-allow hal_lineage_camera_motor_client hal_lineage_camera_motor_hwservice:hwservice_manager find;
diff --git a/common/dynamic/hal_lineage_powershare.te b/common/dynamic/hal_lineage_powershare.te
deleted file mode 100644
index 86e8aa3..0000000
--- a/common/dynamic/hal_lineage_powershare.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HWBinder IPC from client to server
-binder_call(hal_lineage_powershare_client, hal_lineage_powershare_server)
-
-add_hwservice(hal_lineage_powershare_server, hal_lineage_powershare_hwservice)
-allow hal_lineage_powershare_client hal_lineage_powershare_hwservice:hwservice_manager find;
-
-# Allow binder communication with platform_app
-binder_call(hal_lineage_powershare, platform_app)
diff --git a/common/dynamic/hwservice.te b/common/dynamic/hwservice.te
deleted file mode 100644
index ffcc1fd..0000000
--- a/common/dynamic/hwservice.te
+++ /dev/null
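Review bot: The header comment in the new P404Sepolicy.mk says the configuration is for "all qcom products", but the three directories it adds (`private`, `public`, `vendor`) are not qcom-specific, and this commit deletes common/sepolicy.mk, whose comment covered all products. I would reword it to `# This policy configuration will be used by all products that inherit from 404`. Separately, both deleted makefiles routed the vendor-side directories through `TARGET_USES_PREBUILT_VENDOR_SEPOLICY`, while the new file always appends `device/404/sepolicy/vendor` to `BOARD_VENDOR_SEPOLICY_DIRS`. If targets with a prebuilt vendor image are still supported, a comment should say how the rules in `vendor/` reach them, or the guard should be kept.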
@@ -1,2 +0,0 @@
-type hal_lineage_camera_motor_hwservice, hwservice_manager_type;
-type hal_lineage_powershare_hwservice, hwservice_manager_type;
diff --git a/common/dynamic/hwservice_contexts b/common/dynamic/hwservice_contexts
deleted file mode 100644
index 3cd403e..0000000
--- a/common/dynamic/hwservice_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-vendor.lineage.camera.motor::ICameraMotor u:object_r:hal_lineage_camera_motor_hwservice:s0
-vendor.lineage.powershare::IPowerShare u:object_r:hal_lineage_powershare_hwservice:s0
diff --git a/common/private/backuptool.te b/common/private/backuptool.te
deleted file mode 100644
index b948b61..0000000
--- a/common/private/backuptool.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type backuptool, domain, coredomain;
-
-neverallow {
- domain
- -recovery
- -update_engine
-} backuptool:process transition;
-
-userdebug_or_eng(`
- permissive backuptool;
-')
diff --git a/common/private/cameraserver.te b/common/private/cameraserver.te
deleted file mode 100644
index d91c174..0000000
--- a/common/private/cameraserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Use HALs
-hal_client_domain(cameraserver, hal_lineage_camera_motor)
diff --git a/common/private/file.te b/common/private/file.te
deleted file mode 100644
index 6e488a7..0000000
--- a/common/private/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# DC Dimming
-type sysfs_dc_dim, fs_type, sysfs_type;
\ No newline at end of file
diff --git a/common/private/file_contexts b/common/private/file_contexts
deleted file mode 100644
index f858e82..0000000
--- a/common/private/file_contexts
+++ /dev/null
@@ -1,13 +0,0 @@
-# Postinstall
-/system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
-/system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
-/system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
-
-# Bash
-/system/xbin/bash u:object_r:shell_exec:s0
-
-# OTA
-/data/p404_updates(/.*)? u:object_r:ota_package_file:s0
-
-# restricted-networking-mode
-/dev/socket/netdl u:object_r:fwmarkd_socket:s0
diff --git a/common/private/gallery_app.te b/common/private/gallery_app.te
deleted file mode 100644
index e3453bf..0000000
--- a/common/private/gallery_app.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type gallery_app, domain, coredomain;
-
-app_domain(gallery_app)
-net_domain(gallery_app)
-
-# Access standard system services
-allow gallery_app app_api_service:service_manager find;
-allow gallery_app audioserver_service:service_manager find;
-allow gallery_app cameraserver_service:service_manager find;
-allow gallery_app drmserver_service:service_manager find;
-allow gallery_app mediaextractor_service:service_manager find;
-allow gallery_app mediaserver_service:service_manager find;
-allow gallery_app mediametrics_service:service_manager find;
-allow gallery_app nfc_service:service_manager find;
-allow gallery_app surfaceflinger_service:service_manager find;
-
-allow gallery_app hidl_token_hwservice:hwservice_manager find;
-
-# Allow to read and execute camera app modules
-typeattribute gallery_app system_executes_vendor_violators;
-allow gallery_app vendor_file:file { rx_file_perms };
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow gallery_app system_app_data_file:file { read write getattr };
-
-# Binder call with gpuservice
-binder_call(gallery_app, gpuservice)
diff --git a/common/private/genfs_contexts b/common/private/genfs_contexts
deleted file mode 100644
index 87013ad..0000000
--- a/common/private/genfs_contexts
+++ /dev/null
@@ -1 +0,0 @@
-genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
diff --git a/common/private/platform_app.te b/common/private/platform_app.te
deleted file mode 100644
index 57550d2..0000000
--- a/common/private/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Allow NFC service to be found
-allow platform_app nfc_service:service_manager find;
-
-# Allow PowerShare HAL service to be found
-hal_client_domain(platform_app, hal_lineage_powershare)
diff --git a/common/private/priv_app.te b/common/private/priv_app.te
deleted file mode 100644
index 2b15701..0000000
--- a/common/private/priv_app.te
+++ /dev/null
@@ -1 +0,0 @@
-allow priv_app sysfs_dc_dim:file rw_file_perms;
\ No newline at end of file
diff --git a/common/private/recovery.te b/common/private/recovery.te
deleted file mode 100644
index 2b6f7fa..0000000
--- a/common/private/recovery.te
+++ /dev/null
@@ -1,20 +0,0 @@
-recovery_only(`
-userdebug_or_eng(`
-permissive recovery;
-')
-
-# Volume manager
-allow recovery block_device:dir create_dir_perms;
-allow recovery block_device:blk_file { create unlink rw_file_perms };
-allow recovery self:capability { mknod fsetid };
-allow recovery proc_filesystems:file r_file_perms;
-allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
-allow recovery tmpfs:file link;
-allow recovery rootfs:dir w_dir_perms;
-allow recovery rootfs:file { create_file_perms link };
-allow recovery media_rw_data_file:dir r_dir_perms;
-
-# Read fbe encryption info
-r_dir_file(recovery, unencrypted_data_file)
-')
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
deleted file mode 100644
index 3df2a9c..0000000
--- a/common/private/seapp_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-#user=_app isPrivApp=true seinfo=platform name=com.android.gallery3d domain=gallery_app type=app_data_file levelFrom=user
-#user=_app isPrivApp=true seinfo=platform name=org.lineageos.snap domain=snap_app type=app_data_file levelFrom=user
-#user=_app isPrivApp=true seinfo=platform name=com.android.updater domain=updater_app type=app_data_file levelFrom=user
diff --git a/common/private/service.te b/common/private/service.te
deleted file mode 100644
index b531b54..0000000
--- a/common/private/service.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type lineage_hardware_service, system_api_service, system_server_service, service_manager_type;
-
-type dc_dimming_service, system_api_service, system_server_service, service_manager_type;
-type applock_service, system_api_service, system_server_service, service_manager_type;
diff --git a/common/private/service_contexts b/common/private/service_contexts
deleted file mode 100644
index f1e4895..0000000
--- a/common/private/service_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-dc_dim_service u:object_r:dc_dimming_service:s0
-applock u:object_r:applock_service:s0
diff --git a/common/private/snap_app.te b/common/private/snap_app.te
deleted file mode 100644
index 178aafa..0000000
--- a/common/private/snap_app.te
+++ /dev/null
@@ -1,39 +0,0 @@
-type snap_app, domain, coredomain;
-
-app_domain(snap_app)
-net_domain(snap_app)
-
-# Access standard system services
-allow snap_app app_api_service:service_manager find;
-allow snap_app audioserver_service:service_manager find;
-allow snap_app cameraserver_service:service_manager find;
-allow snap_app drmserver_service:service_manager find;
-allow snap_app mediaextractor_service:service_manager find;
-allow snap_app mediaserver_service:service_manager find;
-allow snap_app mediametrics_service:service_manager find;
-allow snap_app nfc_service:service_manager find;
-allow snap_app surfaceflinger_service:service_manager find;
-
-allow snap_app hidl_token_hwservice:hwservice_manager find;
-
-# Allow to read and execute camera app modules
-typeattribute snap_app system_executes_vendor_violators;
-allow snap_app vendor_file:file { rx_file_perms };
-
-# Execute libraries from RenderScript cache
-allow snap_app app_data_file:file { rx_file_perms };
-
-# Execute /system/bin/bcc
-allow snap_app rs_exec:file rx_file_perms;
-
-# Read memory info
-allow snap_app proc_meminfo:file r_file_perms;
-
-# gdbserver / stack traces
-allow snap_app self:process ptrace;
-
-# Read and write system app data files passed over Binder.
-allow snap_app system_app_data_file:file { read write getattr };
-
-# Binder call with gpuservice
-binder_call(snap_app, gpuservice)
diff --git a/common/private/system_server.te b/common/private/system_server.te
deleted file mode 100644
index b719708..0000000
--- a/common/private/system_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow system_server sysfs_dc_dim:file rw_file_perms;
-add_service(system_server, dc_dimming_service);
-add_service(system_server, applock_service);
-
-# Use HALs
-hal_client_domain(system_server, hal_lineage_powershare)
diff --git a/common/private/updater_app.te b/common/private/updater_app.te
deleted file mode 100644
index 8589183..0000000
--- a/common/private/updater_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type updater_app, domain, coredomain;
-
-app_domain(updater_app)
-net_domain(updater_app)
-
-binder_call(updater_app, gpuservice)
-binder_call(updater_app, update_engine)
-
-allow updater_app app_api_service:service_manager find;
-allow updater_app recovery_service:service_manager find;
-allow updater_app system_api_service:service_manager find;
-allow updater_app update_engine_service:service_manager find;
-
-allow updater_app app_data_file:dir create_dir_perms;
-allow updater_app app_data_file:{ file lnk_file } create_file_perms;
-
-allow updater_app cache_file:dir r_dir_perms;
-
-allow updater_app cache_recovery_file:dir rw_dir_perms;
-allow updater_app cache_recovery_file:file create_file_perms;
-
-allow updater_app ota_package_file:dir create_dir_perms;
-allow updater_app ota_package_file:file create_file_perms;
-
-get_prop(updater_app, default_prop)
-get_prop(updater_app, build_prop)
diff --git a/common/public/attributes b/common/public/attributes
deleted file mode 100644
index bd2b06e..0000000
--- a/common/public/attributes
+++ /dev/null
@@ -1,3 +0,0 @@
-# HALs
-hal_attribute_lineage(lineage_camera_motor)
-hal_attribute_lineage(lineage_powershare)
diff --git a/common/public/file.te b/common/public/file.te
deleted file mode 100644
index 871b09e..0000000
--- a/common/public/file.te
+++ /dev/null
@@ -1 +0,0 @@
-type dummy_type_meant_to_prevent_selinux_compilation_from_failing_when_system_ext_public_dir_has_nothing_but_attributes;
diff --git a/common/public/shell.te b/common/public/shell.te
deleted file mode 100644
index 051365d..0000000
--- a/common/public/shell.te
+++ /dev/null
@@ -1 +0,0 @@
-dontauditxperm shell adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
diff --git a/common/public/te_macros b/common/public/te_macros
deleted file mode 100644
index 2af4893..0000000
--- a/common/public/te_macros
+++ /dev/null
@@ -1,10 +0,0 @@
-#####################################
-# hal_attribute_lineage(hal_name)
-define(`hal_attribute_lineage', `
-attribute hal_$1;
-expandattribute hal_$1 true;
-attribute hal_$1_client;
-expandattribute hal_$1_client true;
-attribute hal_$1_server;
-expandattribute hal_$1_server false;
-')
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
deleted file mode 100644
index e39b059..0000000
--- a/common/sepolicy.mk
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# This policy configuration will be used by all products that
-# inherit from 404
-#
-
-ifeq ($(TARGET_COPY_OUT_VENDOR), vendor)
-ifeq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),)
-TARGET_USES_PREBUILT_VENDOR_SEPOLICY ?= true
-endif
-endif
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
- device/404/sepolicy/common/public
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
- device/404/sepolicy/common/private
-
-ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
- device/404/sepolicy/common/dynamic \
- device/404/sepolicy/common/system-only
-else
-BOARD_VENDOR_SEPOLICY_DIRS += \
- device/404/sepolicy/common/dynamic \
- device/404/sepolicy/common/vendor
-endif
-
-# Selectively include legacy rules defined by the products
--include device/404/sepolicy/legacy-common/sepolicy.mk
diff --git a/common/system-only/file_contexts b/common/system-only/file_contexts
deleted file mode 100644
index 61ffc0b..0000000
--- a/common/system-only/file_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# Vendor Overlay
-/(product|system/product)/vendor_overlay/[0-9]+/etc(/.*)? u:object_r:vendor_configs_file:s0
-/(product|system/product)/vendor_overlay/[0-9]+/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(product|system/product)/vendor_overlay/[0-9]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
diff --git a/common/vendor/file_contexts b/common/vendor/file_contexts
deleted file mode 100644
index 22b4ef4..0000000
--- a/common/vendor/file_contexts
+++ /dev/null
@@ -1,14 +0,0 @@
-# Fingerprint HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.0-service u:object_r:hal_fingerprint_default_exec:s0
-
-# GNSS HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service\.legacy u:object_r:hal_gnss_default_exec:s0
-
-# Light HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.aw2013 u:object_r:hal_light_default_exec:s0
-
-# USB HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.basic u:object_r:hal_usb_default_exec:s0
-
-# Wi-Fi HAL
-/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service\.legacy u:object_r:hal_wifi_default_exec:s0
diff --git a/common/vendor/hal_lineage_camera_motor_default.te b/common/vendor/hal_lineage_camera_motor_default.te
deleted file mode 100644
index e742834..0000000
--- a/common/vendor/hal_lineage_camera_motor_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_lineage_camera_motor_default, domain;
-hal_server_domain(hal_lineage_camera_motor_default, hal_lineage_camera_motor)
-
-type hal_lineage_camera_motor_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_lineage_camera_motor_default)
diff --git a/common/vendor/hal_lineage_powershare_default.te b/common/vendor/hal_lineage_powershare_default.te
deleted file mode 100644
index 23192c8..0000000
--- a/common/vendor/hal_lineage_powershare_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_lineage_powershare_default, domain;
-hal_server_domain(hal_lineage_powershare_default, hal_lineage_powershare)
-
-type hal_lineage_powershare_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_lineage_powershare_default)
diff --git a/legacy-common/public/legacy-camera-hal1/mediaserver.te b/legacy-common/public/legacy-camera-hal1/mediaserver.te
deleted file mode 100644
index ffd5c57..0000000
--- a/legacy-common/public/legacy-camera-hal1/mediaserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# Legacy camera HAL1
-add_service(mediaserver, cameraserver_service)
-add_hwservice(mediaserver, fwk_camera_hwservice)
-
-allow mediaserver { cameraproxy_service sensor_privacy_service }:service_manager find;
-allow mediaserver hal_camera_hwservice:hwservice_manager find;
-
-hal_client_domain(mediaserver, hal_lineage_camera_motor)
diff --git a/legacy-common/sepolicy.mk b/legacy-common/sepolicy.mk
deleted file mode 100644
index 740ee00..0000000
--- a/legacy-common/sepolicy.mk
+++ /dev/null
@@ -1,9 +0,0 @@
-#
-# This policy configuration will be used by select legacy products that
-# inherit from 404
-#
-
-ifeq ($(TARGET_HAS_LEGACY_CAMERA_HAL1), true)
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
- device/404/sepolicy/legacy-common/public/legacy-camera-hal1
-endif
diff --git a/private/appdomain.te b/private/appdomain.te
new file mode 100644
index 0000000..8a6b929
--- /dev/null
+++ b/private/appdomain.te
@@ -0,0 +1 @@
+get_prop(appdomain, pih_disable_prop)
diff --git a/private/bootanim.te b/private/bootanim.te
new file mode 100644
index 0000000..ceea6fc
--- /dev/null
+++ b/private/bootanim.te
@@ -0,0 +1,3 @@
+# Allow bootanimation to call mediametrics.
+allow bootanim mediametrics_service:service_manager find;
+binder_call(bootanim, mediametrics)
diff --git a/private/genfs_contexts b/private/genfs_contexts
new file mode 100644
index 0000000..63003d0
--- /dev/null
+++ b/private/genfs_contexts
@@ -0,0 +1,8 @@
+# Dirty writeback tunables
+genfscon proc /sys/vm/dirty_background_bytes u:object_r:proc_dirty:s0
+#genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_bytes u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_ratio u:object_r:proc_dirty:s0
+#genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_writeback_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirtytime_expire_seconds u:object_r:proc_dirty:s0
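Review bot: Two of the entries in the new private/genfs_contexts, `dirty_background_ratio` and `dirty_expire_centisecs`, are added already commented out, and nothing says why. If they are disabled because another policy layer already labels those two paths (presumably the reason, not visible in this diff), replace them with one explanatory line such as `# dirty_background_ratio and dirty_expire_centisecs are labelled by the platform policy`, or drop them. The header comment should also name the domain expected to write these tunables, because every existing rule on `proc_dirty` now covers five additional files under /proc/sys/vm.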
diff --git a/private/platform_app.te b/private/platform_app.te
new file mode 100644
index 0000000..b7d7ec4
--- /dev/null
+++ b/private/platform_app.te
@@ -0,0 +1 @@
+binder_use(platform_app)
diff --git a/private/property.te b/private/property.te
new file mode 100644
index 0000000..6ac8d27
--- /dev/null
+++ b/private/property.te
@@ -0,0 +1,5 @@
+# PIHooks
+system_public_prop(pih_disable_prop)
+
+# Tethering
+system_internal_prop(device_config_tethering_prop)
diff --git a/private/property_contexts b/private/property_contexts
new file mode 100644
index 0000000..a44ba2a
--- /dev/null
+++ b/private/property_contexts
@@ -0,0 +1,5 @@
+# PIHooks
+persist.sys.pihooks.disable. u:object_r:pih_disable_prop:s0
+
+# Tethering
+persist.device_config.tethering. u:object_r:device_config_tethering_prop:s0
diff --git a/common/private/rootfs.te b/private/rootfs.te
similarity index 100%
rename from common/private/rootfs.te
rename to private/rootfs.te
diff --git a/common/private/sdcardfs.te b/private/sdcardfs.te
similarity index 100%
rename from common/private/sdcardfs.te
rename to private/sdcardfs.te
diff --git a/private/shell.te b/private/shell.te
new file mode 100644
index 0000000..f08d073
--- /dev/null
+++ b/private/shell.te
@@ -0,0 +1,5 @@
+# Allow shell to get LMKD's stats
+get_prop(shell, system_lmk_prop)
+
+# Allow shell to disable PIHooks
+set_prop(shell, pih_disable_prop)
diff --git a/private/system_server.te b/private/system_server.te
new file mode 100644
index 0000000..dc4623b
--- /dev/null
+++ b/private/system_server.te
@@ -0,0 +1,5 @@
+# Set tethering properties
+set_prop(system_server, device_config_tethering_prop)
+
+# CachedAppOptimizer
+allow system_server zygote_tmpfs:file rw_file_perms;
diff --git a/common/private/update_engine.te b/private/update_engine.te
similarity index 61%
rename from common/private/update_engine.te
rename to private/update_engine.te
index 7718ff9..115ad73 100644
--- a/common/private/update_engine.te
+++ b/private/update_engine.te
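Review bot: `binder_use(platform_app)` is the only line of the new private/platform_app.te and carries no comment, so a reader cannot tell which denial it addresses. Add a one-line rationale above it naming the service or denial that required it. If platform_app already receives this access through the attributes it belongs to (likely, but not visible in this diff), the rule is redundant and can be dropped.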
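Review bot: `set_prop(shell, pih_disable_prop)` in private/shell.te is unconditional, so on user builds any adb shell session can write the `persist.sys.pihooks.disable.` properties, and the `persist.` prefix means the value survives a reboot. If the switch is a debugging aid, wrap the rule in `userdebug_or_eng(...)`; if it is meant to be available in production, the comment should say so and why. The same type is declared with `system_public_prop` in private/property.te and made readable by every app through `get_prop(appdomain, pih_disable_prop)` in private/appdomain.te, which has no comment at all; a one-line rationale there would make the intended exposure explicit.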
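Review bot: `allow system_server zygote_tmpfs:file rw_file_perms;` in private/system_server.te grants system_server write and append on zygote's tmpfs files, and the only justification given is the label "CachedAppOptimizer". Record the denial that motivated the rule in the comment and narrow the grant to the permissions that denial lists. If only read or map access was denied (to be confirmed against the log), `allow system_server zygote_tmpfs:file r_file_perms;` is the narrower form.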
@@ -1,5 +1,5 @@ # Allow update_engine to call the callback function provided by updater_app -binder_call(update_engine, updater_app) +binder_call(update_engine, hub_app) # Read updates from storage data r_dir_file(update_engine, mnt_user_file) @@ -7,7 +7,3 @@ r_dir_file(update_engine, storage_file) # Allow mount and unmount of system partition allow update_engine labeledfs:filesystem { mount unmount }; - -# Allow transition to backuptool domain -allow update_engine self:process setexec; -domain_trans(update_engine, otapreopt_chroot_exec, backuptool) diff --git a/public/file.te b/public/file.te new file mode 100644 index 0000000..f41542a --- /dev/null +++ b/public/file.te @@ -0,0 +1,2 @@ +# Fastcharge +type sysfs_fastcharge, sysfs_type, fs_type; \ No newline at end of file diff --git a/public/te_macros b/public/te_macros new file mode 100644 index 0000000..048c312 --- /dev/null +++ b/public/te_macros @@ -0,0 +1,17 @@ +##################################### +# rw_dir_file(domain, type) +# Allow the specified domain to read directories and read/write files +# and symbolic links of the specified type. +define(`rw_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:{ file lnk_file } rw_file_perms; +') + +##################################### +# create_dir_file(domain, type) +# Allow the specified domain to read directories and create files +# and symbolic links of the specified type. +define(`create_dir_file', ` +allow $1 $2:dir r_dir_perms; +allow $1 $2:{ file lnk_file } create_file_perms; +') diff --git a/qcom/dynamic/dontaudit.te b/qcom/dynamic/dontaudit.te deleted file mode 100644 index 313ca25..0000000 --- a/qcom/dynamic/dontaudit.te +++ /dev/null @@ -1 +0,0 @@ -dontaudit gmscore_app { adsprpcd_file bt_firmware_file firmware_file }:filesystem getattr; diff --git a/qcom/private/property_contexts b/qcom/private/property_contexts deleted file mode 100644 index 021afb9..0000000 --- a/qcom/private/property_contexts +++ /dev/null 
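Review bot: In private/update_engine.te the rule now reads `binder_call(update_engine, hub_app)`, but the comment directly above it still says the callback is "provided by updater_app". Update it to `# Allow update_engine to call the callback function provided by hub_app`. This commit also deletes common/private/updater_app.te without adding any declaration of `hub_app`, so unless that type is defined in another policy directory the reference will not resolve when the policy is compiled; worth confirming before merge.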
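Review bot: `create_dir_file` in the new public/te_macros grants `create_file_perms` on files and symlinks but only `r_dir_perms` on the directory, so a domain that uses the macro alone still cannot create or remove entries, which need write and add_name/remove_name on the directory. Either change the directory rule to `allow $1 $2:dir rw_dir_perms;` or reword the doc comment to state that directory write access must be granted separately. The comment on `rw_dir_file` is accurate about the directory staying read-only, but it is worth repeating there that this is deliberate, since callers tend to reach for these macros by name.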
@@ -1,2 +0,0 @@
-# FM
-hw.fm. u:object_r:exported3_system_prop:s0
diff --git a/qcom/sepolicy.mk b/qcom/sepolicy.mk
deleted file mode 100644
index d0bf081..0000000
--- a/qcom/sepolicy.mk
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-# This policy configuration will be used by all qcom products
-# that inherit from 404
-#
-
-ifeq ($(TARGET_COPY_OUT_VENDOR), vendor)
-ifeq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),)
-TARGET_USES_PREBUILT_VENDOR_SEPOLICY ?= true
-endif
-endif
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
- device/404/sepolicy/qcom/private
-
-ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
- device/404/sepolicy/qcom/dynamic \
- device/404/sepolicy/qcom/system \
- device/404/sepolicy/qcom/system-only
-else
-BOARD_VENDOR_SEPOLICY_DIRS += \
- device/404/sepolicy/qcom/dynamic \
- device/404/sepolicy/qcom/vendor
-endif
-
-ifneq ($(filter msm8960 msm8226 msm8610 msm8974 apq8084 msm8909 msm8916 msm8952 msm8992 msm8994,$(TARGET_BOARD_PLATFORM)),)
-BOARD_VENDOR_SEPOLICY_DIRS += \
- device/404/sepolicy/qcom/legacy-vendor
-endif
-
-ifeq (,$(filter msm8960 msm8226 msm8610 msm8974 apq8084 msm8909 msm8916 msm8952 msm8992 msm8994 msm8937 msm8953 msm8996 msm8998 sdm660 sdm710 sdm845, $(TARGET_BOARD_PLATFORM)))
-BOARD_SEPOLICY_M4DEFS += \
- qdisplay_service=vendor_qdisplay_service \
- sysfs_graphics=vendor_sysfs_graphics \
- hal_keymaster_qti_exec=vendor_hal_keymaster_qti_exec \
- persist_block_device=vendor_persist_block_device \
- display_vendor_data_file=vendor_display_vendor_data_file \
- hal_perf_default=vendor_hal_perf_default \
- sysfs_battery_supply=vendor_sysfs_battery_supply \
- sysfs_usb_supply=vendor_sysfs_usb_supply
-endif
diff --git a/qcom/system-only/file_contexts b/qcom/system-only/file_contexts
deleted file mode 100644
index e696685..0000000
--- a/qcom/system-only/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# Vendor Overlay
-/(product|system/product)/vendor_overlay/[0-9]+/bin/init\.qcom\.post_boot\.sh u:object_r:qti_init_shell_exec:s0
diff --git a/qcom/vendor/file_contexts b/qcom/vendor/file_contexts
deleted file mode 100644
index cc6ebd0..0000000
--- a/qcom/vendor/file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# CryptfsHW HAL
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.cryptfshw@1\.0-service-qti\.qsee u:object_r:hal_keymaster_qti_exec:s0
diff --git a/qcom/vendor/fsck.te b/qcom/vendor/fsck.te
deleted file mode 100644
index 1500b5f..0000000
--- a/qcom/vendor/fsck.te
+++ /dev/null
@@ -1 +0,0 @@
-allow fsck persist_block_device:blk_file rw_file_perms;
diff --git a/qcom/vendor/hal_perf_default.te b/qcom/vendor/hal_perf_default.te
deleted file mode 100644
index b517884..0000000
--- a/qcom/vendor/hal_perf_default.te
+++ /dev/null
@@ -1 +0,0 @@
-r_dir_file(hal_perf_default, hal_power_default)
diff --git a/qcom/vendor/untrusted_app_all.te b/qcom/vendor/untrusted_app_all.te
deleted file mode 100644
index b7e6532..0000000
--- a/qcom/vendor/untrusted_app_all.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# allow apps to read battery status
-r_dir_file(untrusted_app_all, sysfs_battery_supply)
-r_dir_file(untrusted_app_all, sysfs_usb_supply)
diff --git a/vendor/file_contexts b/vendor/file_contexts
new file mode 100644
index 0000000..61d98cd
--- /dev/null
+++ b/vendor/file_contexts
@@ -0,0 +1,2 @@
+# Usb
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.basic u:object_r:hal_usb_default_exec:s0
diff --git a/vendor/lmkd.te b/vendor/lmkd.te
new file mode 100644
index 0000000..14ee799
--- /dev/null
+++ b/vendor/lmkd.te
@@ -0,0 +1 @@
+get_prop(lmkd, vendor_lmkd_prop)
diff --git a/vendor/property.te b/vendor/property.te
new file mode 100644
index 0000000..cd48ecc
--- /dev/null
+++ b/vendor/property.te
@@ -0,0 +1,2 @@
+# lmkd properties
+vendor_restricted_prop(vendor_lmkd_prop);
diff --git a/vendor/property_contexts b/vendor/property_contexts
new file mode 100644
index 0000000..ceca12f
--- /dev/null
+++ b/vendor/property_contexts
@@ -0,0 +1,2 @@
+# lmkd properties
+ro.vendor.lmk. u:object_r:vendor_lmkd_prop:s0
diff --git a/vendor/system_server.te b/vendor/system_server.te
new file mode 100644
index 0000000..5211570
--- /dev/null
+++ b/vendor/system_server.te
@@ -0,0 +1 @@
+allow system_server sysfs_fastcharge:file r_file_perms;
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 0000000..eee611e
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_lmkd_prop)