diff --git a/BoardConfig.mk b/BoardConfig.mk index 329b5fd..83a5f30 100644 --- a/BoardConfig.mk +++ b/BoardConfig.mk @@ -1,3 +1,19 @@ +# Copyright (C) 2015 Matthew D. Mower +# Copyright (C) 2015 The CyanogenMod Project +# Copyright (C) 2013 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + USE_CAMERA_STUB := true # inherit from the proprietary version @@ -18,6 +34,7 @@ TARGET_CPU_ABI := armeabi-v7a TARGET_CPU_ABI2 := armeabi TARGET_CPU_SMP := true TARGET_CPU_VARIANT := krait +TARGET_USE_QCOM_BIONIC_OPTIMIZATION := true # Kernel BOARD_KERNEL_BASE := 0x80600000 @@ -29,14 +46,10 @@ TARGET_KERNEL_SOURCE := kernel/htc/msm8960 # QCOM hardware BOARD_USES_QCOM_HARDWARE := true -TARGET_ENABLE_QC_AV_ENHANCEMENTS := true -TARGET_QCOM_AUDIO_VARIANT := caf -TARGET_QCOM_DISPLAY_VARIANT := caf -TARGET_QCOM_MEDIA_VARIANT := caf -TARGET_USES_QCOM_BSP := true # Flags COMMON_GLOBAL_CFLAGS += -DHTCLOG +COMMON_GLOBAL_CFLAGS += -DNO_SECURE_DISCARD # Graphics USE_OPENGL_RENDERER := true @@ -44,9 +57,10 @@ TARGET_DISPLAY_USE_RETIRE_FENCE := true TARGET_USES_C2D_COMPOSITION := true TARGET_USES_ION := true BOARD_EGL_CFG := device/htc/m7/configs/egl.cfg +NUM_FRAMEBUFFER_SURFACE_BUFFERS := 3 # Power -TARGET_POWERHAL_VARIANT := cm +TARGET_POWERHAL_VARIANT := qcom # Filesystem TARGET_USERIMAGES_USE_EXT4 := true 
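Review bot: `COMMON_GLOBAL_CFLAGS += -DNO_SECURE_DISCARD` under `# Flags` arrives here from device.mk without a comment saying why secure discard is turned off. As far as I know this define makes the ext4 wipe code skip the secure-discard ioctl and fall back to an ordinary discard, so a data wipe on this board presumably no longer asks the eMMC to sanitize the freed blocks. I would put a line above it such as `# <hardware reason>: wipes fall back to plain discard, which is not a secure erase`, with the reason filled in by someone who knows the part.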
@@ -56,56 +70,35 @@ BOARD_SYSTEMIMAGE_PARTITION_SIZE := 1946156032 BOARD_USERDATAIMAGE_PARTITION_SIZE := 27917287424 BOARD_FLASH_BLOCK_SIZE := 131072 -# Use power button as select in recovery +# Recovery BOARD_HAS_NO_SELECT_BUTTON := true # Vold -BOARD_VOLD_MAX_PARTITIONS := 37 -TARGET_USE_CUSTOM_LUN_FILE_PATH := /sys/devices/platform/msm_hsusb/gadget/lun%d/file +BOARD_VOLD_MAX_PARTITIONS := 38 # Charge mode BOARD_CHARGING_MODE_BOOTING_LPM := /sys/htc_lpm/lpm_mode # SELinux +-include device/qcom/sepolicy/sepolicy.mk + BOARD_SEPOLICY_DIRS += device/htc/m7/sepolicy BOARD_SEPOLICY_UNION += \ - app.te \ - bluetooth.te \ - device.te \ - domain.te \ - drmserver.te \ - file_contexts \ - file.te \ - hci_init.te \ - healthd.te \ - init_shell.te \ - init.te \ - keystore.te \ - kickstart.te \ - mediaserver.te \ - rild.te \ - surfaceflinger.te \ - system.te \ - ueventd.te \ - wpa_socket.te \ - wpa.te + akmd.te \ + cir_fw_update.te # TWRP DEVICE_RESOLUTION := 1080x1920 TARGET_RECOVERY_PIXEL_FORMAT := "RGBX_8888" -BOARD_USE_CUSTOM_RECOVERY_FONT := \"roboto_23x41.h\" RECOVERY_GRAPHICS_USE_LINELENGTH := true TW_BRIGHTNESS_PATH := "/sys/class/leds/lcd-backlight/brightness" -TW_FLASH_FROM_STORAGE := true -TW_INTERNAL_STORAGE_PATH := "/data/media" -TW_INTERNAL_STORAGE_MOUNT_POINT := "data" -TW_EXTERNAL_STORAGE_PATH := "/usb-otg" -TW_EXTERNAL_STORAGE_MOUNT_POINT := "usb-otg" -RECOVERY_SDCARD_ON_DATA := true -BOARD_HAS_NO_REAL_SDCARD := true -TW_INCLUDE_JB_CRYPTO := true -TW_NO_USB_STORAGE := true +TW_INCLUDE_CRYPTO := true BOARD_RECOVERY_BLDRMSG_OFFSET := 2048 RECOVERY_VARIANT := twrp TARGET_RECOVERY_DEVICE_MODULES := chargeled +RECOVERY_SDCARD_ON_DATA := true +BOARD_HAS_NO_REAL_SDCARD := true +TW_NO_USB_STORAGE := true +TW_EXTERNAL_STORAGE_PATH := "/usb-otg" +TW_EXTERNAL_STORAGE_MOUNT_POINT := "usb-otg" diff --git a/configs/egl.cfg b/configs/egl.cfg index 303d812..2a11ba2 100644 --- a/configs/egl.cfg +++ b/configs/egl.cfg @@ -1,2 +1,2 @@ 0 0 android -0 1 adreno200 +0 1 adreno 
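Review bot: `-include device/qcom/sepolicy/sepolicy.mk` in the `# SELinux` block silently ignores a missing file, and the same hunk cuts `BOARD_SEPOLICY_UNION` down to `akmd.te` and `cir_fw_update.te`. The other policy files this commit adds or keeps under `device/htc/m7/sepolicy` (`file_contexts`, `healthd.te`, `mdm_helper.te` and so on) are then presumably picked up only through the list the qcom makefile defines, which is not visible here. If that repository is absent, the build may either break on undefined types or go ahead with most of the device policy dropped. I would write `include device/qcom/sepolicy/sepolicy.mk` so the dependency fails loudly.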
diff --git a/device.mk b/device.mk index 07ac440..770b7d3 100644 --- a/device.mk +++ b/device.mk @@ -14,8 +14,6 @@ else LOCAL_KERNEL := $(TARGET_PREBUILT_KERNEL) endif -COMMON_GLOBAL_CFLAGS += -DNO_SECURE_DISCARD - $(call inherit-product, build/target/product/full.mk) PRODUCT_BUILD_PROP_OVERRIDES += BUILD_UTC_DATE=0 diff --git a/recovery/root/fstab.qcom b/recovery/root/fstab.qcom index 9a001b3..2e5c8ad 100644 --- a/recovery/root/fstab.qcom +++ b/recovery/root/fstab.qcom @@ -1,5 +1,4 @@ # /dev/block/platform/msm_sdcc.1/by-name/cache /cache ext4 nosuid,nodev,noatime,barrier=1 wait,check /dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 noatime,nosuid,nodev,noauto_da_alloc,barrier=1 wait,check,encryptable=/dev/block/platform/msm_sdcc.1/by-name/extra -/dev/block/platform/msm_sdcc.1/by-name/devlog /devlog ext4 noatime,nosuid,nodev,barrier=1 wait /dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,noatime,barrier=1 wait diff --git a/recovery/root/init.recovery.qcom.rc b/recovery/root/init.recovery.qcom.rc index 8f1fb55..26ccd3a 100644 --- a/recovery/root/init.recovery.qcom.rc +++ b/recovery/root/init.recovery.qcom.rc @@ -1,7 +1,4 @@ on boot - setprop usb.vendor 0bb4 - setprop usb.product.adb 0c02 - setprop usb.product.mtpadb 0f87 write /sys/module/rpm_resources/enable_low_power/L2_cache 1 write /sys/module/rpm_resources/enable_low_power/pxo 1 write /sys/module/rpm_resources/enable_low_power/vdd_dig 1 
@@ -15,10 +12,20 @@ on boot write /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq 384000 write /sys/devices/system/cpu/cpu2/cpufreq/scaling_min_freq 384000 write /sys/devices/system/cpu/cpu3/cpufreq/scaling_min_freq 384000 + write /sys/class/android_usb/android0/enable 0 + write /sys/class/android_usb/android0/idVendor 0bb4 + write /sys/class/android_usb/android0/idProduct 0c02 + setprop usb.vendor 0bb4 + setprop usb.product.adb 0c02 + setprop usb.product.mtpadb 0f87 setprop recovery.perf.mode 0 - start choice_fn start chargeled +on charger + start choice_fn + start detect_key + start offmode_charging + on property:recovery.perf.mode=0 write /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor "ondemand" write /sys/devices/system/cpu/cpu1/cpufreq/scaling_governor "ondemand" @@ -37,17 +44,25 @@ on property:recovery.perf.mode=1 write /sys/devices/system/cpu/cpu2/cpufreq/scaling_governor "performance" write /sys/devices/system/cpu/cpu3/cpufreq/scaling_governor "performance" -service choice_fn /sbin/choice_fn +service chargeled /sbin/chargeled disabled + seclabel u:r:healthd:s0 -service power_test /sbin/power_test +service choice_fn /sbin/choice_fn disabled + oneshot + seclabel u:r:recovery:s0 -service offmode_charging /sbin/offmode_charging +service detect_key /sbin/detect_key disabled + oneshot + seclabel u:r:healthd:s0 -service detect_key /sbin/detect_key +service offmode_charging /sbin/offmode_charging disabled + seclabel u:r:healthd:s0 -service chargeled /sbin/chargeled +service power_test /sbin/power_test disabled + oneshot + seclabel u:r:recovery:s0 diff --git a/recovery/root/lpm.rc b/recovery/root/lpm.rc deleted file mode 100644 index e09e5f8..0000000 --- a/recovery/root/lpm.rc +++ /dev/null 
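Review bot: The service definitions at the end of init.recovery.qcom.rc run prebuilt `/sbin` binaries in shared domains: `chargeled`, `detect_key` and `offmode_charging` get `seclabel u:r:healthd:s0`, while `choice_fn` and `power_test` get `seclabel u:r:recovery:s0`. sepolicy/healthd.te in this commit adds `misc_partition` write and `powerctl_prop` set to healthd under the comment "For detect_key", so in recovery builds those grants also reach the other two healthd-labelled binaries. A dedicated domain per helper would keep each blob to what it needs; failing that, a comment above each `seclabel` line should say why that domain was chosen. `power_test` is defined but none of the visible triggers starts it, so it may be removable.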
@@ -1,71 +0,0 @@
-on early-init
- start ueventd
-
-on init
- export PATH /sbin
- export ANDROID_ROOT /system
- export ANDROID_DATA /data
- export EXTERNAL_STORAGE /sdcard
-
- symlink /system/etc /etc
-
- mkdir /boot
- mkdir /recovery
- mkdir /sdcard
- mkdir /internal_sd
- mkdir /external_sd
- mkdir /sd-ext
- mkdir /datadata
- mkdir /emmc
- mkdir /system
- mkdir /data
- mkdir /cache
- mount /tmp /tmp tmpfs
-
- chown root shell /tmp
- chmod 0775 /tmp
-
- write /sys/class/android_usb/android0/enable 0
- write /sys/class/android_usb/android0/idVendor 18D1
- write /sys/class/android_usb/android0/idProduct D001
- write /sys/class/android_usb/android0/functions adb
- write /sys/class/android_usb/android0/iManufacturer ${ro.product.manufacturer}
- write /sys/class/android_usb/android0/iProduct ${ro.product.model}
- write /sys/class/android_usb/android0/iSerial ${ro.serialno}
-
-on boot
- # disable 3 CPUs to prevent heat for M7
- write /sys/devices/system/cpu/cpu1/online 0
- write /sys/devices/system/cpu/cpu2/online 0
- write /sys/devices/system/cpu/cpu3/online 0
- chmod 444 /sys/devices/system/cpu/cpu1/online
- chmod 444 /sys/devices/system/cpu/cpu2/online
- chmod 444 /sys/devices/system/cpu/cpu3/online
-
- start choice_fn
-
-service choice_fn /sbin/choice_fn
- disabled
-
-service detect_key /sbin/detect_key
- disabled
-
-service offmode_charging /sbin/offmode_charging
- disabled
-
-service power_test /sbin/power_test
- disabled
-
-service ueventd /sbin/ueventd
- critical
-
-service adbd /sbin/adbd recovery
- disabled
-
-# Recovery will start adb once it has checked the keys
-
-# Restart adbd so it can run as root
-on property:service.adb.root=1
- write /sys/class/android_usb/android0/enable 0
- restart adbd
- write /sys/class/android_usb/android0/enable 1
diff --git a/recovery/root/res/offmode_charging_warn_images/batt_incompatible_charger.png b/recovery/root/res/offmode_charging_warn_images/batt_incompatible_charger.png
deleted file mode 100644
index c19f9a8..0000000
Binary files a/recovery/root/res/offmode_charging_warn_images/batt_incompatible_charger.png and /dev/null differ
diff --git a/recovery/root/res/offmode_charging_warn_images/batt_low_current_charger.png b/recovery/root/res/offmode_charging_warn_images/batt_low_current_charger.png
deleted file mode 100644
index bfc0d57..0000000
Binary files a/recovery/root/res/offmode_charging_warn_images/batt_low_current_charger.png and /dev/null differ
diff --git a/recovery/root/sbin/choice_fn b/recovery/root/sbin/choice_fn
index 4159979..5ad7a2f 100755
Binary files a/recovery/root/sbin/choice_fn and b/recovery/root/sbin/choice_fn differ
diff --git a/recovery/root/sbin/detect_key b/recovery/root/sbin/detect_key
index 381bc64..1d4c9f6 100755
Binary files a/recovery/root/sbin/detect_key and b/recovery/root/sbin/detect_key differ
diff --git a/recovery/root/sbin/offmode_charging b/recovery/root/sbin/offmode_charging
index c850274..1a6eb63 100755
Binary files a/recovery/root/sbin/offmode_charging and b/recovery/root/sbin/offmode_charging differ
diff --git a/recovery/root/sbin/power_test b/recovery/root/sbin/power_test
index e73f843..cf42254 100755
Binary files a/recovery/root/sbin/power_test and b/recovery/root/sbin/power_test differ
diff --git a/sepolicy/akmd.te b/sepolicy/akmd.te
new file mode 100644
index 0000000..48c6742
--- /dev/null
+++ b/sepolicy/akmd.te
@@ -0,0 +1,8 @@
+type akmd, domain;
+type akmd_exec, exec_type, file_type;
+init_daemon_domain(akmd)
+
+allow akmd sensors_data_file:file { getattr setattr open read write create };
+allow akmd sensors_device:chr_file { open read write ioctl };
+allow akmd system_data_file:dir { add_name write };
+type_transition akmd system_data_file:file sensors_data_file;
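Review bot: `type_transition akmd system_data_file:file sensors_data_file;` in akmd.te has no name argument, so every file akmd creates in a `system_data_file` directory gets the sensors label, and `allow akmd system_data_file:dir { add_name write };` lets it create entries in any such directory. file_contexts in this commit names a single file, `/data/misc/akmd_set.txt`, so a named transition, as mm-qcamerad.te uses, would state the intent: `type_transition akmd system_data_file:file sensors_data_file "akmd_set.txt";`. A one-line comment above the rule saying which file it is for would also help the next reader.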
diff --git a/sepolicy/app.te b/sepolicy/app.te
deleted file mode 100644
index eb71391..0000000
--- a/sepolicy/app.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow appdomain gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index 523b252..239264c 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -1 +1 @@
-allow bluetooth smd_device:chr_file rw_file_perms;
+allow bluetooth bluetooth_device:chr_file { write open };
diff --git a/sepolicy/cir_fw_update.te b/sepolicy/cir_fw_update.te
new file mode 100644
index 0000000..66caa31
--- /dev/null
+++ b/sepolicy/cir_fw_update.te
@@ -0,0 +1,6 @@
+type cir_fw_update, domain;
+type cir_fw_update_exec, exec_type, file_type;
+init_daemon_domain(cir_fw_update)
+
+allow cir_fw_update cir_device:chr_file { getattr open read write ioctl };
+allow cir_fw_update self:capability dac_override;
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 5ea01a3..20c82b0 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,19 +1,3 @@
-# GPU (used by most UI apps)
-type gpu_device, dev_type;
-
-# BT lock device for BCM4335
-type btlock_device, dev_type;
-
-# Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-type qseecom_device, dev_type;
-
-type diag_device, dev_type;
-
-# Qualcomm MSM Audio ACDB device
-type msm_acdb_device, dev_type;
-
-# Kickstart device used by QC qcks
-type kickstart_device, dev_type;
-
-# SMD device, used by hci_qcomm_init
-type smd_device, dev_type;
+type bluetooth_device, dev_type;
+type cir_device, dev_type;
+type timerirq_device, dev_type;
diff --git a/sepolicy/domain.te b/sepolicy/domain.te
deleted file mode 100644
index 45925a7..0000000
--- a/sepolicy/domain.te
+++ /dev/null
@@ -1 +0,0 @@
-allow domain init_tmpfs:file read;
diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te
deleted file mode 100644
index 0c8b461..0000000
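Review bot: `allow cir_fw_update self:capability dac_override;` in cir_fw_update.te lets the updater bypass file permission checks on anything its SELinux rules allow it to touch, and nothing in the file says which access needed it. If the denial came from opening `/dev/ttyHSL2` (labelled `cir_device` in file_contexts), setting the node's owner and mode in the device's ueventd rc, or running the service under a suitable user and group, would presumably remove the need for the capability. At minimum add a comment above the rule recording what it answers, e.g. `# cir_fw_update runs as <user>; /dev/ttyHSL2 is <owner:mode>`.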
--- a/sepolicy/drmserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Grant DRM Service access to Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-allow drmserver qseecom_device:chr_file rw_file_perms;
-allow drmserver sdcard_external:file open;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 6517a48..f8eae16 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,9 +1,2 @@
-# Qualcomm MSM Interface (QMI) socket types
-type qmux_audio_socket, file_type;
-type qmux_bluetooth_socket, file_type;
-type qmux_gps_socket, file_type;
-type qmux_radio_socket, file_type;
-
-allow efs_file rootfs:filesystem associate;
-allow cache_file rootfs:filesystem associate;
-allow asec_apk_file rootfs:filesystem associate;
+type camera_sysfs, fs_type, sysfs_type;
+type vibeamp_sysfs, fs_type, sysfs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a720690..5d47719 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,38 +1,45 @@ -# GPU device -/dev/kgsl-3d0 u:object_r:gpu_device:s0 -/dev/msm_rotator u:object_r:gpu_device:s0 - -# Qualcomm Secure Execution Environment Communicator (QSEECOM) device -/dev/qseecom u:object_r:qseecom_device:s0 - -# Qualcomm MSM Interface (QMI) devices -/dev/socket/qmux_audio/* u:object_r:qmux_audio_socket:s0 -/dev/socket/qmux_bluetooth/* u:object_r:qmux_bluetooth_socket:s0 -/dev/socket/qmux_gps/* u:object_r:qmux_gps_socket:s0 -/dev/socket/qmux_radio/* u:object_r:qmux_radio_socket:s0 - -/dev/akm8963* u:object_r:akm_device:s0 -/dev/akm8975* u:object_r:akm_device:s0 -/dev/btlock u:object_r:btlock_device:s0 -/dev/diag u:object_r:diag_device:s0 -/dev/mdm u:object_r:radio_device:s0 -/dev/media([0-9])+ u:object_r:camera_device:s0 -/dev/rawchip([0-9])+ u:object_r:camera_device:s0 -/dev/smd([0-9])+ u:object_r:smd_device:s0 -/dev/tfa9887* u:object_r:audio_device:s0 -/dev/rt5501 u:object_r:audio_device:s0 - -# Qualcomm MSM Audio ACDB device -/dev/msm_acdb u:object_r:msm_acdb_device:s0 - -/dev/ks_hsic_bridge u:object_r:kickstart_device:s0 -/dev/efs_hsic_bridge u:object_r:kickstart_device:s0 - -/system/bin/qcks u:object_r:kickstart_exec:s0 -/system/bin/efsks u:object_r:kickstart_exec:s0 -/system/bin/ks u:object_r:kickstart_exec:s0 - -/data/nfc(/.*)? 
u:object_r:nfc_data_file:s0 - -/system/bin/hci_qcomm_init u:object_r:hci_exec:s0 -/system/bin/bdAddrLoader u:object_r:hci_exec:s0 + +# Audio +/dev/htc-acoustic u:object_r:audio_device:s0 +/dev/rt5501 u:object_r:audio_device:s0 +/dev/tfa9887 u:object_r:audio_device:s0 +/dev/tfa9887l u:object_r:audio_device:s0 + +# Bluetooth +/dev/btlock u:object_r:bluetooth_device:s0 +/dev/rfkill u:object_r:bluetooth_device:s0 + +# Camera +/data/cam_socket.* u:object_r:camera_socket:s0 +/dev/gemini.* u:object_r:camera_device:s0 +/dev/rawchip.* u:object_r:camera_device:s0 +/sys/camera_htccallback/htccallback u:object_r:camera_sysfs:s0 + +# CIR +/dev/ttyHSL2 u:object_r:cir_device:s0 +/system/bin/cir_fw_update u:object_r:cir_fw_update_exec:s0 + +# CMHW +/sys/devices/virtual/timed_output/vibrator/voltage_level u:object_r:vibeamp_sysfs:s0 + +# Modem +/dev/block/mmcblk0p17 u:object_r:modem_efs_partition_device:s0 +/dev/block/mmcblk0p20 u:object_r:modem_efs_partition_device:s0 +/dev/block/mmcblk0p21 u:object_r:modem_efs_partition_device:s0 +/dev/block/mmcblk0p28 u:object_r:modem_efs_partition_device:s0 +/dev/ttyUSB0 u:object_r:radio_device:s0 + +# Mpdecision +/data/system/default_values u:object_r:mpctl_data_file:s0 +/dev/socket/mpctl u:object_r:mpctl_socket:s0 + +# Sensors +/data/misc/akmd_set.txt u:object_r:sensors_data_file:s0 +/dev/akm8963 u:object_r:sensors_device:s0 +/dev/akm8963_dev u:object_r:sensors_device:s0 +/dev/cm3602 u:object_r:sensors_device:s0 +/dev/lightsensor u:object_r:sensors_device:s0 +/system/bin/akmd u:object_r:akmd_exec:s0 + +# Timer +/dev/timerirq u:object_r:timerirq_device:s0 diff --git a/sepolicy/hci_init.te b/sepolicy/hci_init.te deleted file mode 100644 index 85f5d32..0000000 --- a/sepolicy/hci_init.te +++ /dev/null @@ -1,6 +0,0 @@ -type hci_init, domain; -permissive hci_init; -type hci_exec, file_type, exec_type; -type hci_data_file, file_type; -domain_auto_trans(shell, hci_exec, hci_init) -unconfined_domain(hci_init) 
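Review bot: The `# Modem` entries in file_contexts label `/dev/block/mmcblk0p17`, `p20`, `p21` and `p28` as `modem_efs_partition_device` by raw partition number with no comment naming the partitions, and mdm_helper.te in this commit grants read and write on that type. A wrong index, or a variant with a different partition table, would hand mdm_helper write access to an unrelated partition, so I would add a comment per line giving the by-name partition each number corresponds to. Separately, `/dev/rawchip.*`, `/dev/gemini.*` and `/data/cam_socket.*` are wider than the removed `/dev/rawchip([0-9])+` form; a `[0-9]+` suffix would keep the labels to the nodes actually intended.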
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
index a9a1502..5baabe3 100644
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
@@ -1 +1,7 @@
-allow healthd rootfs:file entrypoint;
+# For detect_key
+recovery_only(`
+ allow healthd input_device:chr_file write;
+ allow healthd misc_partition:blk_file { read write open };
+ allow healthd block_device:dir search;
+ allow healthd powerctl_prop:property_service set;
+')
diff --git a/sepolicy/hostapd.te b/sepolicy/hostapd.te
new file mode 100644
index 0000000..f9388f6
--- /dev/null
+++ b/sepolicy/hostapd.te
@@ -0,0 +1 @@
+allow hostapd bluetooth_device:chr_file { open read };
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index 3f11893..0000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow init wpa_socket:unix_dgram_socket { bind create };
diff --git a/sepolicy/init_shell.te b/sepolicy/init_shell.te
deleted file mode 100644
index 204392f..0000000
--- a/sepolicy/init_shell.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow init_shell diag_device:chr_file { read write };
-allow init_shell hci_exec:file rx_file_perms;
-allow init_shell bluetooth_prop:property_service set;
-allow init_shell smd_device:chr_file rw_file_perms;
-allow init_shell unlabeled:file r_file_perms;
-allow init_shell init:fifo_file r_file_perms;
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
deleted file mode 100644
index 2583cac..0000000
--- a/sepolicy/keystore.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Grant keystore daemon access to Qualcomm Secure Execution Environment Communicator (QSEECOM) device
-allow keystore qseecom_device:chr_file rw_file_perms;
-
diff --git a/sepolicy/kickstart.te b/sepolicy/kickstart.te
deleted file mode 100644
index f4a4a26..0000000
--- a/sepolicy/kickstart.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type kickstart, domain;
-permissive kickstart;
-type kickstart_exec, file_type, exec_type;
-domain_auto_trans(init, kickstart_exec, kickstart)
-unconfined_domain(kickstart)
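Review bot: `allow hostapd bluetooth_device:chr_file { open read };` in hostapd.te (and the matching rule in wpa.te) gives the Wi-Fi daemons a type named for Bluetooth, apparently because file_contexts in this commit puts both `/dev/btlock` and `/dev/rfkill` under `bluetooth_device`. If rfkill is what they need, a separate type for `/dev/rfkill` would keep hostapd and wpa away from `/dev/btlock`, and would keep the bluetooth domain's write access off rfkill unless that is wanted. If the shared label stays, put `# /dev/rfkill is labelled bluetooth_device` above the rule so the grant does not look like a mistake.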
diff --git a/sepolicy/mdm_helper.te b/sepolicy/mdm_helper.te
new file mode 100644
index 0000000..690e7e3
--- /dev/null
+++ b/sepolicy/mdm_helper.te
@@ -0,0 +1,12 @@
+allow mdm_helper cgroup:dir { create add_name };
+allow mdm_helper default_prop:property_service set;
+allow mdm_helper efs_data_file:lnk_file read;
+allow mdm_helper firmware_file:file read;
+allow mdm_helper init:unix_stream_socket { connectto read write };
+allow mdm_helper mdm_helper_tmpfs:file { getattr setattr open read write create unlink };
+allow mdm_helper modem_efs_partition_device:blk_file { getattr open read write };
+allow mdm_helper property_socket:sock_file write;
+allow mdm_helper radio_device:chr_file { getattr open read write ioctl };
+allow mdm_helper shell_exec:file { execute entrypoint };
+allow mdm_helper sysfs_wake_lock:file { read write };
+allow mdm_helper tmpfs:dir { write add_name remove_name };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index dacaacf..33c5d53 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
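Review bot: `allow mdm_helper default_prop:property_service set;` in mdm_helper.te lets the helper set any property that has no more specific label, which is much more than a modem helper should need. This commit already adds sepolicy/property_contexts, so the property or prefix mdm_helper sets could be given its own type there and the rule narrowed to it. `allow mdm_helper shell_exec:file { execute entrypoint };` also deserves a comment, since it allows the domain to be entered through the shell binary. The file has no comments at all to say which denials its twelve rules came from.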
@@ -1,13 +1,10 @@ -# Grant access to Qualcomm MSM Audio ACDB device to mediaserver -allow mediaserver msm_acdb_device:chr_file rw_file_perms; +allow mediaserver camera_prop:property_service set; -# Grant access to Qualcomm MSM Interface (QMI) audio sockets to mediaserver -allow mediaserver qmux_audio_socket:sock_file create_file_perms; -allow mediaserver qmux_audio_socket:dir rw_dir_perms; +# Unsure what mediaserver is reaching out to here +allow mediaserver self:netlink_kobject_uevent_socket create_socket_perms; -# Permit mediaserver to create sockets -allow mediaserver self:socket create; - -# Grant access to audio firmware files to mediaserver -allow mediaserver audio_firmware_file:dir ra_dir_perms; -allow mediaserver audio_firmware_file:file create_file_perms; +# Unsure what mediaserver is reaching out to here +allow mediaserver system_server:binder { call transfer }; +allow mediaserver system_server:unix_stream_socket { read write }; +allow system_server mediaserver:binder { call transfer }; +binder_use(mediaserver); diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te new file mode 100644 index 0000000..6450364 --- /dev/null +++ b/sepolicy/mm-qcamerad.te @@ -0,0 +1,5 @@ +allow mm-qcamerad camera_socket:sock_file setattr; +allow mm-qcamerad camera_sysfs:file { write open getattr }; +allow mm-qcamerad graphics_device:chr_file { open ioctl read write }; +allow mm-qcamerad graphics_device:dir search; +type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket0"; diff --git a/sepolicy/mpdecision.te b/sepolicy/mpdecision.te new file mode 100644 index 0000000..d517136 --- /dev/null +++ b/sepolicy/mpdecision.te @@ -0,0 +1,2 @@ +type_transition mpdecision socket_device:sock_file mpctl_socket; +type_transition mpdecision system_data_file:file mpctl_data_file; diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te new file mode 100644 index 0000000..641f50f --- /dev/null +++ b/sepolicy/netmgrd.te 
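Review bot: Two rule groups in mediaserver.te are introduced with `# Unsure what mediaserver is reaching out to here`, which means they were granted without knowing what they authorize. `allow mediaserver self:netlink_kobject_uevent_socket create_socket_perms;` lets mediaserver open a kernel uevent socket, and the binder and `unix_stream_socket` rules open a two-way channel with system_server, including an `allow system_server mediaserver:binder` rule that sits in the wrong domain's file. I would replace each comment with the avc denial that prompted the rule (process name, target path or socket) so it can be re-tested and dropped later.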
@@ -0,0 +1 @@
+allow netmgrd self:packet_socket { create bind read write };
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..2026491
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1 @@
+type camera_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..2bf2366
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+oc.cpu_ctrl u:object_r:powerctl_prop:s0
+persist.camera. u:object_r:camera_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..c4bb836
--- /dev/null
+++ b/sepolicy/qseecomd.te
@@ -0,0 +1 @@
+allow tee self:process execmem;
diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te
new file mode 100644
index 0000000..b792068
--- /dev/null
+++ b/sepolicy/recovery.te
@@ -0,0 +1,2 @@
+allow recovery input_device:chr_file write;
+allow recovery self:capability sys_boot;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
deleted file mode 100644
index 419c583..0000000
--- a/sepolicy/rild.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow rild diag_device:chr_file rw_file_perms;
-
-# Grant access to Qualcomm MSM Interface (QMI) radio sockets to RILD
-allow rild qmux_radio_socket:sock_file create_file_perms;
-allow rild qmux_radio_socket:dir rw_dir_perms;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
deleted file mode 100644
index 787432d..0000000
--- a/sepolicy/surfaceflinger.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# Grant GPU access to SurfaceFlinger
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-allow surfaceflinger sysfs:file rw_file_perms;
-
-# Read from /data/local/tmp
-allow surfaceflinger shell_data_file:dir search;
-allow surfaceflinger shell_data_file:file { open getattr read };
-allow surfaceflinger shell_data_file:lnk_file read;
diff --git a/sepolicy/system.te b/sepolicy/system.te
deleted file mode 100644
index 1a5f4c5..0000000
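Review bot: `oc.cpu_ctrl u:object_r:powerctl_prop:s0` in property_contexts reuses the type that, as far as I know, core policy assigns to `sys.powerctl`, the property init acts on to reboot or shut down. healthd.te in this commit then grants `allow healthd powerctl_prop:property_service set;` in recovery builds, so a rule that may have been meant for `oc.cpu_ctrl` also covers reboot requests, and any domain allowed to set `sys.powerctl` can set `oc.cpu_ctrl`. A dedicated type declared in property.te next to `camera_prop`, for example `type cpu_ctrl_prop, property_type;`, would separate the two.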
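Review bot: `allow tee self:process execmem;` in qseecomd.te allows the `tee` domain to create anonymous executable memory, which gives up W^X for a daemon that talks to the secure world, and the file has no comment explaining the need. The file is named qseecomd.te while the rule is written against `tee`; a header line such as `# qseecomd runs in the tee domain` would stop readers looking for a qseecomd type. If the denial came from the prebuilt binary itself, noting that above the rule makes it possible to drop the permission when the blob is updated.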
--- a/sepolicy/system.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# Grant GPU access to system apps (e.g., PowerManagerService)
-allow system gpu_device:chr_file rw_file_perms;
-allow system diag_device:chr_file rw_file_perms;
-
-# Grant access to Qualcomm MSM Interface (QMI) radio sockets to system apps
-# (e.g., LocationManager)
-allow system qmux_radio_socket:sock_file create_file_perms;
-allow system qmux_radio_socket:dir rw_dir_perms;
-
-allow system wpa_socket:unix_dgram_socket sendto;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
new file mode 100644
index 0000000..98071e4
--- /dev/null
+++ b/sepolicy/system_app.te
@@ -0,0 +1,2 @@
+allow system_app vibeamp_sysfs:file { getattr open read write };
+allow system_app vibeamp_sysfs:dir search;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..b1e6454
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1 @@
+allow system_server cir_device:chr_file { open read write ioctl };
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
new file mode 100644
index 0000000..ff8a5ae
--- /dev/null
+++ b/sepolicy/thermal-engine.te
@@ -0,0 +1,12 @@
+allow thermal-engine self:capability { chown net_admin };
+allow thermal-engine self:netlink_kobject_uevent_socket { create setopt bind read };
+allow thermal-engine sysfs_devices_system_cpu:file { read write };
+
+# Some files in /sys/devices/system/cpu may pop in and out of existance,
+# defeating our attempt to label them. As a result, they could have the
+# sysfs label, not the sysfs_devices_system_cpu label.
+# Allow write access for now until we figure out a better solution.
+# For example, the following files pop in and out of existance:
+# /sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_min_freq
+# /sys/devices/system/cpu/cpu1/cpufreq/scaling_min_freq
+allow thermal-engine sysfs:file write;
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index 9f734f4..e69de29 100644
--- a/sepolicy/ueventd.te
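Review bot: `allow thermal-engine sysfs:file write;` at the end of thermal-engine.te covers every node that still carries the generic `sysfs` label, not only the cpufreq files the comment lists, and the "for now" in that comment has no marker to find it again. I would tag the comment with `TODO` and pair the rule with `auditallow thermal-engine sysfs:file write;` during bring-up so the log shows which paths are actually written, then label those paths in file_contexts. `allow thermal-engine self:capability { chown net_admin };` on the first line has no comment saying what needs `chown`.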
+++ b/sepolicy/ueventd.te
@@ -1,4 +0,0 @@
-allow ueventd sdcard_external:dir search;
-allow ueventd sdcard_external:file r_file_perms;
-allow ueventd wifi_data_file:dir search;
-allow ueventd wifi_data_file:file r_file_perms;
diff --git a/sepolicy/wpa.te b/sepolicy/wpa.te
index 5f8988f..c864f90 100644
--- a/sepolicy/wpa.te
+++ b/sepolicy/wpa.te
@@ -1,2 +1 @@
-allow wpa devpts:chr_file rw_file_perms;
-allow wpa wpa_socket:unix_dgram_socket { read write };
+allow wpa bluetooth_device:chr_file { open read };
diff --git a/sepolicy/wpa_socket.te b/sepolicy/wpa_socket.te
deleted file mode 100644
index 7cf3600..0000000
--- a/sepolicy/wpa_socket.te
+++ /dev/null
@@ -1 +0,0 @@
-allow wpa_socket system:unix_dgram_socket sendto;