authorTellen Yu <tellen.yu@amlogic.com>2017-09-13 01:38:59 (GMT)
committer jie.yuan <jie.yuan@amlogic.com>2017-10-31 13:06:20 (GMT)
commit77d95ce6ccb6046f9a55187c7d1fb873493f0673 (patch)
treeedca470f5335539a95f5f0896b623f9163e3d14d
parent71058a6c61eaedf427fc9ca26a72cd88498b927d (diff)
treble: enable full treble mode [3/9]
PD# 151674 remove all policies that can not fit full treble, hdmicec daemon use hwbinder instead of binder Change-Id: Ia016d8704167a8782cb4681a3a7327901531365b
Diffstat
-rw-r--r--common/bluetooth.mk3
-rw-r--r--common/core_amlogic.mk70
-rw-r--r--common/products/mbox/init.amlogic.ab.rc59
-rw-r--r--common/products/mbox/init.amlogic.rc78
-rw-r--r--common/products/mbox/product_mbox.mk7
-rw-r--r--common/products/tablet/init.amlogic.rc6
-rw-r--r--common/products/tv/init.amlogic.rc57
-rw-r--r--common/products/tv/product_tv.mk11
-rw-r--r--common/sepolicy/adbd.te1
-rw-r--r--common/sepolicy/app.te149
-rw-r--r--common/sepolicy/audioserver.te7
-rw-r--r--common/sepolicy/bluetooth.te1
-rw-r--r--common/sepolicy/bootanim.te3
-rw-r--r--common/sepolicy/bootvideo.te8
-rw-r--r--common/sepolicy/cameraserver.te1
-rw-r--r--common/sepolicy/device.te1
-rw-r--r--common/sepolicy/dex2oat.te1
-rw-r--r--common/sepolicy/drm_device.te2
-rw-r--r--common/sepolicy/drmserver.te8
-rw-r--r--common/sepolicy/droidvold.te38
-rw-r--r--common/sepolicy/dv_config.te4
-rw-r--r--common/sepolicy/file.te4
-rw-r--r--common/sepolicy/file_contexts222
-rw-r--r--common/sepolicy/firmload.te10
-rw-r--r--common/sepolicy/fsck.te15
-rwxr-xr-x[-rw-r--r--]common/sepolicy/genfs_contexts18
-rw-r--r--common/sepolicy/hal_camera_default.te5
-rw-r--r--common/sepolicy/hal_drm_default.te2
-rw-r--r--common/sepolicy/hal_dumpstate_impl.te9
-rw-r--r--common/sepolicy/hal_memtrack_default.te35
-rw-r--r--common/sepolicy/hal_tv_cec_default.te2
-rw-r--r--common/sepolicy/hal_wifi_default.te8
-rw-r--r--common/sepolicy/hdcp_rx22.te17
-rw-r--r--common/sepolicy/hdcp_tx22.te3
-rw-r--r--common/sepolicy/hdmi_cec.te14
-rw-r--r--common/sepolicy/hdmicecd.te15
-rw-r--r--common/sepolicy/hwservice.te3
-rw-r--r--common/sepolicy/hwservice_contexts1
-rw-r--r--common/sepolicy/hwservicemanager.te7
-rw-r--r--common/sepolicy/imageserver.te48
-rw-r--r--common/sepolicy/init.te158
-rw-r--r--common/sepolicy/installd.te8
-rw-r--r--common/sepolicy/kernel.te2
-rw-r--r--common/sepolicy/keystore.te3
-rw-r--r--common/sepolicy/lmkd.te2
-rw-r--r--common/sepolicy/logcat.te12
-rw-r--r--common/sepolicy/make_ext4fs.te19
-rw-r--r--common/sepolicy/mediacodec.te10
-rw-r--r--common/sepolicy/mediaserver.te48
-rw-r--r--common/sepolicy/netd.te5
-rw-r--r--common/sepolicy/platform_app.te48
-rw-r--r--common/sepolicy/ppp.te13
-rw-r--r--common/sepolicy/pppd.te42
-rw-r--r--common/sepolicy/pppoe_wrapper.te53
-rw-r--r--common/sepolicy/priv_app.te15
-rw-r--r--common/sepolicy/recovery.te34
-rw-r--r--common/sepolicy/remotecfg.te2
-rw-r--r--common/sepolicy/seapp_contexts38
-rw-r--r--common/sepolicy/servicemanager.te6
-rw-r--r--common/sepolicy/shell.te6
-rw-r--r--common/sepolicy/surfaceflinger.te6
-rw-r--r--common/sepolicy/system_app.te120
-rw-r--r--common/sepolicy/system_control.te25
-rw-r--r--common/sepolicy/system_server.te66
-rw-r--r--common/sepolicy/tee.te2
-rw-r--r--common/sepolicy/tvserver.te63
-rw-r--r--common/sepolicy/ueventd.te1
-rw-r--r--common/sepolicy/update_engine.te2
-rw-r--r--common/sepolicy/update_verifier.te4
-rw-r--r--common/sepolicy/usbpm.te9
-rw-r--r--common/sepolicy/vndservicemanager.te3
-rw-r--r--common/sepolicy/vold.te58
-rw-r--r--common/sepolicy/vold_ext.te27
-rw-r--r--common/sepolicy/webview_zygote.te2
-rw-r--r--common/sepolicy/wlan_fwloader.te10
-rw-r--r--common/sepolicy/zygote.te3
-rw-r--r--common/software.mk3
-rw-r--r--common/vndk/Android.mk57
-rw-r--r--p212/BoardConfig.mk6
-rw-r--r--p212/device.mk2
-rw-r--r--p212/fstab.amlogic5
-rw-r--r--p212/init.amlogic.board.rc16
-rw-r--r--p212/manifest.xml63
-rw-r--r--p212/system.prop81
-rw-r--r--p230/BoardConfig.mk5
-rw-r--r--p230/device.mk2
-rw-r--r--p230/fstab.AB.amlogic3
-rw-r--r--p230/fstab.AB.verity.amlogic3
-rw-r--r--p230/fstab.amlogic3
-rw-r--r--p230/fstab.amlogic.bak19
-rw-r--r--p230/fstab.verity.amlogic3
-rw-r--r--p230/init.amlogic.board.rc16
-rw-r--r--p230/manifest.xml63
-rw-r--r--p230/system.prop81
94 files changed, 987 insertions, 1322 deletions
diff --git a/common/bluetooth.mk b/common/bluetooth.mk
index 0c63970..3b83ebe 100644
--- a/common/bluetooth.mk
+++ b/common/bluetooth.mk
@@ -48,8 +48,9 @@ PRODUCT_PACKAGES += Bluetooth \
audio.a2dp.default \
libbt-client-api \
com.broadcom.bt \
+ com.broadcom.bt.xml \
android.hardware.bluetooth@1.0-impl \
- com.broadcom.bt.xml
+ android.hardware.bluetooth@1.0-service
PRODUCT_COPY_FILES += \
hardware/amlogic/libbt/data/auto_pairing.conf:$(TARGET_COPY_OUT_VENDOR)/etc/bluetooth/auto_pairing.conf \
diff --git a/common/core_amlogic.mk b/common/core_amlogic.mk
index b7ec4b3..5858b2f 100644
--- a/common/core_amlogic.mk
+++ b/common/core_amlogic.mk
@@ -170,7 +170,7 @@ PRODUCT_PACKAGES += \
systemcontrol \
systemcontrol_static \
libsystemcontrolservice \
- vendor.amlogic.hardware.systemcontrol@1.0
+ vendor.amlogic.hardware.systemcontrol@1.0_vendor
PRODUCT_PACKAGES += \
OTAUpgrade \
@@ -201,6 +201,7 @@ PRODUCT_PACKAGES += \
ntfs-3g \
ntfsfix \
mkntfs \
+ libxml2 \
gralloc.amlogic \
power.amlogic \
hwcomposer.amlogic \
@@ -335,20 +336,14 @@ PRODUCT_PROPERTY_OVERRIDES += \
#
#########################################################################
PRODUCT_PACKAGES += \
- android.hardware.light@2.0-impl \
- android.hardware.drm@1.0-impl \
android.hardware.soundtrigger@2.0-impl \
- android.hardware.thermal@1.0-impl \
android.hardware.wifi@1.0-service \
- android.hardware.usb@1.0-service \
- android.hardware.tv.cec@1.0-impl \
- android.hardware.health@1.0-impl
-
-#android.hardware.biometrics.fingerprint@2.1-service
-#android.hardware.bluetooth@1.0-impl \
+ android.hardware.usb@1.0-service
+#workround because android.hardware.wifi@1.0-service has not permission to insmod ko
PRODUCT_COPY_FILES += \
hardware/amlogic/wifi/multi_wifi/android.hardware.wifi@1.0-service.rc:$(TARGET_COPY_OUT_VENDOR)/etc/init/android.hardware.wifi@1.0-service.rc
+
#Audio HAL
PRODUCT_PACKAGES += \
android.hardware.audio@2.0-impl \
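Review bot: The comment added above the `PRODUCT_COPY_FILES` entry says only that the stock wifi service lacks permission to insmod, not what the replacement `android.hardware.wifi@1.0-service.rc` changes to grant it. That file is not part of this hunk, so a reader cannot tell which user, groups or capabilities the HAL ends up running with. I would spell it out and fix the typo, for example `# Workaround: ship our own wifi HAL .rc (hardware/amlogic/wifi/multi_wifi) so the service may load the wifi driver module; lists the extra privileges it grants`. The copy also appears to target the path the `android.hardware.wifi@1.0-service` package installs its own .rc to, so it is worth confirming the build picks this copy deterministically.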
@@ -403,6 +398,31 @@ PRODUCT_PACKAGES += \
android.hardware.drm@1.0-impl \
android.hardware.drm@1.0-service
+# HDMITX CEC HAL
+PRODUCT_PACKAGES += \
+ android.hardware.tv.cec@1.0-impl \
+ android.hardware.tv.cec@1.0-service \
+ hdmicecd \
+ libhdmicec \
+ libhdmicec_jni \
+ vendor.amlogic.hardware.hdmicec@1.0_vendor \
+ hdmi_cec.amlogic
+
+#light hal
+PRODUCT_PACKAGES += \
+ android.hardware.light@2.0-impl \
+ android.hardware.light@2.0-service
+
+#thermal hal
+PRODUCT_PACKAGES += \
+ android.hardware.thermal@1.0-impl \
+ android.hardware.thermal@1.0-service
+
+#health hal
+PRODUCT_PACKAGES += \
+ android.hardware.health@1.0-impl \
+ android.hardware.health@1.0-service
+
ifeq ($(TARGET_BUILD_GOOGLE_ATV), true)
PRODUCT_IS_ATV := true
endif
@@ -416,10 +436,36 @@ PRODUCT_PROPERTY_OVERRIDES += \
# VNDK version is specified
PRODUCT_PROPERTY_OVERRIDES += \
- ro.vendor.vndk.version=26
+ ro.vendor.vndk.version=26.1.0
PRODUCT_PROPERTY_OVERRIDES += \
ro.treble.enabled=true
PRODUCT_PACKAGES += \
- libxml2
+ android.hardware.graphics.allocator@2.0.vndk-sp\
+ android.hardware.graphics.mapper@2.0.vndk-sp\
+ android.hardware.graphics.common@1.0.vndk-sp\
+ android.hardware.renderscript@1.0.vndk-sp\
+ android.hidl.base@1.0.vndk-sp\
+ android.hidl.memory@1.0.vndk-sp \
+ libRSCpuRef.vndk-sp\
+ libRSDriver.vndk-sp\
+ libRS_internal.vndk-sp\
+ libbacktrace.vndk-sp\
+ libbase.vndk-sp\
+ libbcinfo.vndk-sp\
+ libblas.vndk-sp\
+ libc++.vndk-sp\
+ libcompiler_rt.vndk-sp\
+ libcutils.vndk-sp\
+ libft2.vndk-sp\
+ libhardware.vndk-sp\
+ libhidlbase.vndk-sp\
+ libhidlmemory.vndk-sp \
+ libhidltransport.vndk-sp\
+ libhwbinder.vndk-sp\
+ libion.vndk-sp\
+ liblzma.vndk-sp\
+ libpng.vndk-sp\
+ libunwind.vndk-sp\
+ libutils.vndk-sp
diff --git a/common/products/mbox/init.amlogic.ab.rc b/common/products/mbox/init.amlogic.ab.rc
index 0b946c6..0a6532e 100644
--- a/common/products/mbox/init.amlogic.ab.rc
+++ b/common/products/mbox/init.amlogic.ab.rc
@@ -46,14 +46,9 @@ on fs
setprop ro.crypto.fuse_sdcard true
swapon_all /fstab.amlogic
-on post-fs
- restorecon_recursive /tee
- start tee_supplicant
-
on post-fs-data
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
- mkdir /data/misc/dhcp 0770 system dhcp
mkdir /data/misc/etc 0777 system pppoe
mkdir /data/misc/etc/ppp 0777 system pppoe
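Review bot: The `on post-fs-data` block kept by this hunk still creates `/data/misc/etc` and `/data/misc/etc/ppp` with mode 0777, so DAC places no limit on who may create or replace files in what look like the PPP configuration directories, and only SELinux stands in the way. The directories are already owned by `system:pppoe`, so `mkdir /data/misc/etc 0770 system pppoe` and `mkdir /data/misc/etc/ppp 0770 system pppoe` look sufficient, assuming no other uid has to write there. The same two lines remain in the matching hunks of common/products/mbox/init.amlogic.rc and common/products/tv/init.amlogic.rc. The block continues outside the hunk.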
@@ -319,14 +314,6 @@ on boot
chmod 664 /sys/devices/system/cpu/cpu1/online
chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource
- # usbpm
- chown system system /sys/devices/dwc2_a/peri_power
- chown system system /sys/devices/dwc2_a/peri_sleepm
- chown system system /sys/devices/dwc2_a/peri_otg_disable
- chown system system /sys/devices/dwc2_b/peri_sleepm
- chown system system /sys/devices/dwc2_b/peri_otg_disable
- chown system system /sys/class/aml_mod/mod_off
- chown system system /sys/class/aml_mod/mod_on
# hdcp2
write /sys/class/unifykeys/attach 1
@@ -404,37 +391,6 @@ service watchdogd /sbin/watchdogd 10 20
seclabel u:r:watchdogd:s0
-
-service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL
- class main
- disabled
- oneshot
-
-service dhcpcd_p2p /system/bin/dhcpcd -aABKL
- class main
- disabled
- oneshot
-
-service iprenew_wlan0 /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
-service iprenew_p2p /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
# on userdebug and eng builds, enable kgdb on the serial console
on property:ro.debuggable=1
write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2
@@ -451,13 +407,6 @@ service pppoe_wrapper /vendor/bin/pppoe_wrapper
oneshot
seclabel u:r:pppoe_wrapper:s0
-service usbpm /vendor/bin/usbtestpm
- class main
- user system
- group system
- seclabel u:r:usbpm:s0
- disabled
-
service imageserver /vendor/bin/imageserver
class main
user root
@@ -471,14 +420,8 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo
disabled
oneshot
-on property:dev.bootcomplete=1
- start usbpm
-
-on property:vold.post_fs_data_done=1
- start tee_supplicant
-
service hdcp_tx22 /vendor/bin/hdcp_tx22 \
- -f /system/etc/firmware/firmware.le
+ -f /vendor/etc/firmware/firmware.le
class main
disabled
oneshot
diff --git a/common/products/mbox/init.amlogic.rc b/common/products/mbox/init.amlogic.rc
index 31012dd..84e920e 100644
--- a/common/products/mbox/init.amlogic.rc
+++ b/common/products/mbox/init.amlogic.rc
@@ -46,14 +46,9 @@ on fs
setprop ro.crypto.fuse_sdcard true
swapon_all /fstab.amlogic
-on post-fs
- restorecon_recursive /tee
- start tee_supplicant
-
on post-fs-data
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
- mkdir /data/misc/dhcp 0770 system dhcp
mkdir /data/misc/etc 0777 system pppoe
mkdir /data/misc/etc/ppp 0777 system pppoe
@@ -319,14 +314,6 @@ on boot
chmod 664 /sys/devices/system/cpu/cpu1/online
chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource
- # usbpm
- chown system system /sys/devices/dwc2_a/peri_power
- chown system system /sys/devices/dwc2_a/peri_sleepm
- chown system system /sys/devices/dwc2_a/peri_otg_disable
- chown system system /sys/devices/dwc2_b/peri_sleepm
- chown system system /sys/devices/dwc2_b/peri_otg_disable
- chown system system /sys/class/aml_mod/mod_off
- chown system system /sys/class/aml_mod/mod_on
# hdcp2
write /sys/class/unifykeys/attach 1
@@ -358,8 +345,6 @@ on boot
chown root system /sys/module/di/parameters/det3d_en
chown root system /sys/module/di/parameters/prog_proc_config
-# start sdcard
-
write /sys/class/vfm/map "rm default"
write /sys/class/vfm/map "add default decoder ppmgr deinterlace amvideo"
@@ -370,11 +355,6 @@ on aml-firstboot-init
wait /dev/block/cache 20
confirm_formated ext4 /dev/block/cache /cache
-service hdmi_cec /vendor/bin/hdmi_cec
- class core
- user root
- group system
-
# virtual sdcard daemon running as media_rw (1023)
#service sdcard /system/bin/sdcard -u 1023 -g 1023 /data/media /mnt/shell/emulated
# class late_start
@@ -406,37 +386,6 @@ service watchdogd /sbin/watchdogd 10 20
seclabel u:r:watchdogd:s0
-
-service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL
- class main
- disabled
- oneshot
-
-service dhcpcd_p2p /system/bin/dhcpcd -aABKL
- class main
- disabled
- oneshot
-
-service iprenew_wlan0 /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
-service iprenew_p2p /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
# on userdebug and eng builds, enable kgdb on the serial console
on property:ro.debuggable=1
write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2
@@ -447,25 +396,6 @@ service remotecfg /vendor/bin/remotecfg /vendor/etc/remote.conf
oneshot
seclabel u:r:remotecfg:s0
-service pppoe_wrapper /vendor/bin/pppoe_wrapper
- class main
- group system inet
- oneshot
- seclabel u:r:pppoe_wrapper:s0
-
-service usbpm /vendor/bin/usbtestpm
- class main
- user system
- group system
- seclabel u:r:usbpm:s0
- disabled
-
-service imageserver /vendor/bin/imageserver
- class main
- user root
- group system
- seclabel u:r:imageserver:s0
-
service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo
class main
user root
@@ -473,14 +403,8 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo
disabled
oneshot
-on property:dev.bootcomplete=1
- start usbpm
-
-on property:vold.post_fs_data_done=1
- start tee_supplicant
-
service hdcp_tx22 /vendor/bin/hdcp_tx22 \
- -f /system/etc/firmware/firmware.le
+ -f /vendor/etc/firmware/firmware.le
class main
disabled
oneshot
diff --git a/common/products/mbox/product_mbox.mk b/common/products/mbox/product_mbox.mk
index 0b2614e..c43a59d 100644
--- a/common/products/mbox/product_mbox.mk
+++ b/common/products/mbox/product_mbox.mk
@@ -35,13 +35,6 @@ PRODUCT_PACKAGES += \
PRODUCT_PACKAGES += \
camera.amlogic
-# HDMITX CEC HAL
-PRODUCT_PACKAGES += \
- hdmi_cec \
- libhdmicec \
- libhdmicec_jni \
- hdmi_cec.amlogic
-
PRODUCT_PROPERTY_OVERRIDES += ro.hdmi.device_type=4
#Tvsettings
diff --git a/common/products/tablet/init.amlogic.rc b/common/products/tablet/init.amlogic.rc
index 48224e4..5220adb 100644
--- a/common/products/tablet/init.amlogic.rc
+++ b/common/products/tablet/init.amlogic.rc
@@ -263,12 +263,6 @@ on aml-firstboot-init
confirm_formated ext4 /dev/block/data /data
confirm_formated ext4 /dev/block/cache /cache
-service system_control /vendor/bin/systemcontrol
- class main
- user root
- group system
- seclabel u:r:system_control:s0
-
service usbpm /vendor/bin/usbtestpm
class main
user system
diff --git a/common/products/tv/init.amlogic.rc b/common/products/tv/init.amlogic.rc
index f8c68e6..9ce53ff 100644
--- a/common/products/tv/init.amlogic.rc
+++ b/common/products/tv/init.amlogic.rc
@@ -50,13 +50,10 @@ on init
on post-fs
restorecon_recursive /param
- restorecon_recursive /tee
- start tee_supplicant
on post-fs-data
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
- mkdir /data/misc/dhcp 0770 system dhcp
mkdir /data/misc/etc 0777 system pppoe
mkdir /data/misc/etc/ppp 0777 system pppoe
@@ -333,14 +330,6 @@ on boot
chmod 664 /sys/devices/system/cpu/cpu1/online
chown system system /sys/devices/system/clocksource/clocksource0/current_clocksource
- # usbpm
- chown system system /sys/devices/dwc2_a/peri_power
- chown system system /sys/devices/dwc2_a/peri_sleepm
- chown system system /sys/devices/dwc2_a/peri_otg_disable
- chown system system /sys/devices/dwc2_b/peri_sleepm
- chown system system /sys/devices/dwc2_b/peri_otg_disable
- chown system system /sys/class/aml_mod/mod_off
- chown system system /sys/class/aml_mod/mod_on
# hdcp2
write /sys/class/unifykeys/attach 1
@@ -397,12 +386,6 @@ service tvd /vendor/bin/tvserver
group system
seclabel u:r:tvserver:s0
-service hdmi_cec /vendor/bin/hdmi_cec
- class core
- user root
- group system
- seclabel u:r:hdmi_cec:s0
-
# virtual sdcard daemon running as media_rw (1023)
#service sdcard /system/bin/sdcard -u 1023 -g 1023 /data/media /mnt/shell/emulated
# class late_start
@@ -433,38 +416,6 @@ service watchdogd /sbin/watchdogd 10 20
disabled
seclabel u:r:watchdogd:s0
-
-
-service dhcpcd_eth0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_usbnet0 /system/bin/dhcpcd -ABKLG
- class main
- disabled
- oneshot
-
-service dhcpcd_wlan0 /system/bin/dhcpcd -ABKL
- class main
- disabled
- oneshot
-
-service dhcpcd_p2p /system/bin/dhcpcd -aABKL
- class main
- disabled
- oneshot
-
-service iprenew_wlan0 /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
-service iprenew_p2p /system/bin/dhcpcd -n
- class main
- disabled
- oneshot
-
# on userdebug and eng builds, enable kgdb on the serial console
on property:ro.debuggable=1
write /sys/module/kgdboc/parameters/kgdboc ttyFIQ2
@@ -494,18 +445,14 @@ service bootvideo /vendor/bin/bootplayer /vendor/etc/bootvideo
disabled
oneshot
-on property:dev.bootcomplete=1
-on property:vold.post_fs_data_done=1
- start tee_supplicant
-
service hdcp_tx22 /vendor/bin/hdcp_tx22 \
- -f /system/etc/firmware/firmware.le
+ -f /vendor/etc/firmware/firmware.le
class main
disabled
oneshot
service hdcp_rx22 /vendor/bin/hdcp_rx22 \
- -f /system/etc/firmware/firmware.le
+ -f /vendor/etc/firmware/firmware.le
class main
disabled
oneshot
diff --git a/common/products/tv/product_tv.mk b/common/products/tv/product_tv.mk
index fa63ecb..090434b 100644
--- a/common/products/tv/product_tv.mk
+++ b/common/products/tv/product_tv.mk
@@ -43,10 +43,6 @@ PRODUCT_PACKAGES += \
PRODUCT_PACKAGES += \
remotecfg
-# HDMITX CEC HAL
-PRODUCT_PACKAGES += \
- hdmi_cec.amlogic
-
USE_CUSTOM_AUDIO_POLICY := 1
ifneq ($(TARGET_BUILD_GOOGLE_ATV), true)
@@ -67,13 +63,6 @@ PRODUCT_PACKAGES += \
PRODUCT_PACKAGES += \
camera.amlogic
-# HDMITX CEC HAL
-PRODUCT_PACKAGES += \
- hdmi_cec \
- libhdmicec \
- libhdmicec_jni \
- hdmi_cec.amlogic
-
PRODUCT_PROPERTY_OVERRIDES += ro.hdmi.device_type=0
#Tvsettings
diff --git a/common/sepolicy/adbd.te b/common/sepolicy/adbd.te
deleted file mode 100644
index 20b99e9..0000000
--- a/common/sepolicy/adbd.te
+++ b/dev/null
@@ -1 +0,0 @@
-set_prop(adbd, ctl_mdnsd_prop) \ No newline at end of file
diff --git a/common/sepolicy/app.te b/common/sepolicy/app.te
index eb9f839..6f6cbad 100644
--- a/common/sepolicy/app.te
+++ b/common/sepolicy/app.te
@@ -1,75 +1,80 @@
# Write to various pseudo file systems.
-allow untrusted_app block_device:dir { search getattr };
+#allow untrusted_app block_device:dir { search getattr };
+#
+#allow untrusted_app imageserver_service:service_manager find;
+#
+#allow untrusted_app system_control_service:service_manager find;
+#
+#allow untrusted_app unlabeled:dir { search read write getattr };
+#allow untrusted_app unlabeled:file { lock open read write getattr };
+#
+## Read and write /data/data subdirectory.
+#allow untrusted_app { system_app_data_file app_data_file }:dir { getattr read search };
+#
+#allow untrusted_app { system_app_data_file app_data_file }:file { getattr read write };
+#
+#allow untrusted_app subtitle_service:service_manager { find };
+#allow untrusted_app unlabeled:filesystem getattr;
+#allow untrusted_app proc_sysrq:file { read getattr };
+#allow untrusted_app kernel:file { open read getattr };
+#allow untrusted_app kernel:dir { search getattr };
+#allow untrusted_app pppoe_wrapper:file { open read getattr };
+#allow untrusted_app pppoe_wrapper:dir { search getattr };
+#allow untrusted_app zygote:file { open read getattr };
+#allow untrusted_app zygote:dir { search getattr };
+#allow untrusted_app gatekeeperd:file { open read getattr };
+#allow untrusted_app gatekeeperd:dir { search getattr };
+#allow untrusted_app imageserver:file { open read getattr };
+#allow untrusted_app imageserver:dir { search getattr };
+#allow untrusted_app system_control:file { open read getattr };
+#allow untrusted_app system_control:dir { search getattr };
+#allow untrusted_app keystore:file { open read getattr };
+#allow untrusted_app keystore:dir { search getattr };
+#allow untrusted_app installd:file { open read getattr };
+#allow untrusted_app installd:dir { search getattr };
+#allow untrusted_app mediaserver:file { open read getattr };
+#allow untrusted_app mediaserver:dir { search getattr };
+#allow untrusted_app drmserver:file { open read getattr };
+#allow untrusted_app drmserver:dir { search getattr };
+#allow untrusted_app netd:file { open read getattr };
+#allow untrusted_app netd:dir { search getattr };
+#allow untrusted_app surfaceflinger:file { open read getattr };
+#allow untrusted_app surfaceflinger:dir { search getattr };
+#allow untrusted_app servicemanager:file { open read getattr };
+#allow untrusted_app servicemanager:dir { search getattr };
+#allow untrusted_app lmkd:file { open read getattr };
+#allow untrusted_app lmkd:dir { search getattr };
+#allow untrusted_app shell:file { open read getattr };
+#allow untrusted_app shell:dir { search getattr };
+#allow untrusted_app healthd:file { open read getattr };
+#allow untrusted_app healthd:dir { search getattr };
+#allow untrusted_app vold:file { open read getattr };
+#allow untrusted_app vold:dir { search getattr };
+#allow untrusted_app logd:file { open read getattr };
+#allow untrusted_app logd:dir { search getattr };
+#allow untrusted_app ueventd:file { open read getattr };
+#allow untrusted_app ueventd:dir { search getattr };
+#allow untrusted_app init:file { open read getattr };
+#allow untrusted_app init:dir { search getattr };
+#allow untrusted_app system_server:file { open read getattr };
+#allow untrusted_app system_server:dir { search getattr };
+#allow untrusted_app dhcp:file { open read getattr };
+#allow untrusted_app dhcp:dir { search getattr };
+#allow untrusted_app sdcardd:file { open read getattr };
+#allow untrusted_app sdcardd:dir { search getattr };
+#allow untrusted_app platform_app:file { open read getattr };
+#allow untrusted_app platform_app:dir { search getattr };
+#allow untrusted_app system_app:file { open read getattr };
+#allow untrusted_app system_app:dir { search getattr };
+#allow untrusted_app usbpm:file { open read getattr };
+#allow untrusted_app usbpm:dir { search getattr };
+#
+#allow untrusted_app fuseblk:dir { search };
+#allow untrusted_app fuseblk:file { read open };
+#allow untrusted_app dex2oat:dir { getattr };
+#allow untrusted_app storage_stub_file:dir { getattr };
-allow untrusted_app imageserver_service:service_manager find;
-allow untrusted_app system_control_service:service_manager find;
-
-allow untrusted_app unlabeled:dir { search read write getattr };
-allow untrusted_app unlabeled:file { lock open read write getattr };
-
-# Read and write /data/data subdirectory.
-allow untrusted_app { system_app_data_file app_data_file }:dir { getattr read search };
-
-allow untrusted_app { system_app_data_file app_data_file }:file { getattr read write };
-
-allow untrusted_app subtitle_service:service_manager { find };
-allow untrusted_app unlabeled:filesystem getattr;
-allow untrusted_app proc_sysrq:file { read getattr };
-allow untrusted_app kernel:file { open read getattr };
-allow untrusted_app kernel:dir { search getattr };
-allow untrusted_app pppoe_wrapper:file { open read getattr };
-allow untrusted_app pppoe_wrapper:dir { search getattr };
-allow untrusted_app zygote:file { open read getattr };
-allow untrusted_app zygote:dir { search getattr };
-allow untrusted_app gatekeeperd:file { open read getattr };
-allow untrusted_app gatekeeperd:dir { search getattr };
-allow untrusted_app imageserver:file { open read getattr };
-allow untrusted_app imageserver:dir { search getattr };
-allow untrusted_app system_control:file { open read getattr };
-allow untrusted_app system_control:dir { search getattr };
-allow untrusted_app keystore:file { open read getattr };
-allow untrusted_app keystore:dir { search getattr };
-allow untrusted_app installd:file { open read getattr };
-allow untrusted_app installd:dir { search getattr };
-allow untrusted_app mediaserver:file { open read getattr };
-allow untrusted_app mediaserver:dir { search getattr };
-allow untrusted_app drmserver:file { open read getattr };
-allow untrusted_app drmserver:dir { search getattr };
-allow untrusted_app netd:file { open read getattr };
-allow untrusted_app netd:dir { search getattr };
-allow untrusted_app surfaceflinger:file { open read getattr };
-allow untrusted_app surfaceflinger:dir { search getattr };
-allow untrusted_app servicemanager:file { open read getattr };
-allow untrusted_app servicemanager:dir { search getattr };
-allow untrusted_app lmkd:file { open read getattr };
-allow untrusted_app lmkd:dir { search getattr };
-allow untrusted_app shell:file { open read getattr };
-allow untrusted_app shell:dir { search getattr };
-allow untrusted_app healthd:file { open read getattr };
-allow untrusted_app healthd:dir { search getattr };
-allow untrusted_app vold:file { open read getattr };
-allow untrusted_app vold:dir { search getattr };
-allow untrusted_app logd:file { open read getattr };
-allow untrusted_app logd:dir { search getattr };
-allow untrusted_app ueventd:file { open read getattr };
-allow untrusted_app ueventd:dir { search getattr };
-allow untrusted_app init:file { open read getattr };
-allow untrusted_app init:dir { search getattr };
-allow untrusted_app system_server:file { open read getattr };
-allow untrusted_app system_server:dir { search getattr };
-allow untrusted_app dhcp:file { open read getattr };
-allow untrusted_app dhcp:dir { search getattr };
-allow untrusted_app sdcardd:file { open read getattr };
-allow untrusted_app sdcardd:dir { search getattr };
-allow untrusted_app platform_app:file { open read getattr };
-allow untrusted_app platform_app:dir { search getattr };
-allow untrusted_app system_app:file { open read getattr };
-allow untrusted_app system_app:dir { search getattr };
-allow untrusted_app usbpm:file { open read getattr };
-allow untrusted_app usbpm:dir { search getattr };
-
-allow untrusted_app fuseblk:dir { search };
-allow untrusted_app fuseblk:file { read open };
-allow untrusted_app dex2oat:dir { getattr };
-allow untrusted_app storage_stub_file:dir { getattr };
+allow untrusted_app vendor_file:file { getattr read open execute };
+allow untrusted_app sysfs_zram:file { read open getattr };
+allow untrusted_app sysfs_zram:dir { search };
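Review bot: The new rule `allow untrusted_app vendor_file:file { getattr read open execute };` at the end of this hunk lets every third-party app read and execute any file carrying the generic `vendor_file` label, which is broader than a full-Treble split normally wants. If apps only need particular vendor libraries loaded in-process, labelling those files `same_process_hal_file` and dropping this grant keeps the rest of /vendor out of reach. The same `vendor_file` execute grant is added for audioserver in audioserver.te and for bootanim in bootanim.te, and deserves the same justification there. Separately, the old rules are left commented out rather than deleted, which leaves roughly seventy lines of dead policy in the file; version control already preserves them.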
diff --git a/common/sepolicy/audioserver.te b/common/sepolicy/audioserver.te
index ea026c1..e1993ec 100644
--- a/common/sepolicy/audioserver.te
+++ b/common/sepolicy/audioserver.te
@@ -1,7 +1,6 @@
-allow audioserver sysfs_digital_codec:file { open read write getattr };
-allow audioserver sysfs_audio_samesource:file { open read write getattr };
-allow audioserver sysfs_audio_cap:file { open read write getattr };
-allow audioserver sysfs_xbmc:file { open read write getattr };
+allow audioserver { sysfs_xbmc sysfs_digital_codec sysfs_audio_samesource sysfs_audio_cap }:file { open read write getattr };
+
+allow audioserver vendor_file:file { read open getattr execute };
allow audioserver kernel:system module_request;
diff --git a/common/sepolicy/bluetooth.te b/common/sepolicy/bluetooth.te
deleted file mode 100644
index eddaea3..0000000
--- a/common/sepolicy/bluetooth.te
+++ b/dev/null
@@ -1 +0,0 @@
-allow bluetooth system_control_service:service_manager find;
diff --git a/common/sepolicy/bootanim.te b/common/sepolicy/bootanim.te
index faefeb2..8468e7c 100644
--- a/common/sepolicy/bootanim.te
+++ b/common/sepolicy/bootanim.te
@@ -1,2 +1 @@
-#Bootanim start bootvideo
-allow bootanim system_control:binder call; \ No newline at end of file
+allow bootanim vendor_file:file { open read getattr execute }; \ No newline at end of file
diff --git a/common/sepolicy/bootvideo.te b/common/sepolicy/bootvideo.te
index 5237fc3..49a341e 100644
--- a/common/sepolicy/bootvideo.te
+++ b/common/sepolicy/bootvideo.te
@@ -1,7 +1,7 @@
type bootvideo, domain;
-type bootvideo_exec, exec_type, file_type;
-init_daemon_domain(bootvideo)
-binder_use(bootvideo);
+type bootvideo_exec, exec_type, vendor_file_type, file_type;
+#init_daemon_domain(bootvideo)
+#binder_use(bootvideo);
#unix_socket_connect(bootvideo, property, init);
#Bootvideo
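Review bot: Commenting out `init_daemon_domain(bootvideo)` and `binder_use(bootvideo)` leaves the `bootvideo` type and its remaining allow rules in place with no visible transition into the domain. The `service bootvideo` stanza is only partly visible in this commit's init.rc hunks, so unless it carries a `seclabel` the rules kept in this file may be unreachable. I would either delete the two macros with a one-line reason, such as `# bootvideo is started via seclabel and no longer uses binder under full treble`, or restore the transition. The second hunk in this file comments out the `system_control_service` find rule in the same way; the file continues outside both hunks.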
@@ -31,6 +31,6 @@ allow bootvideo property_socket:sock_file write;
allow bootvideo system_data_file:file open;
allow bootvideo sysfs_xbmc:file { open read write getattr };
-allow bootvideo system_control_service:service_manager find;
+#allow bootvideo system_control_service:service_manager find;
set_prop(bootvideo, system_prop)
diff --git a/common/sepolicy/cameraserver.te b/common/sepolicy/cameraserver.te
deleted file mode 100644
index e507c6e..0000000
--- a/common/sepolicy/cameraserver.te
+++ b/dev/null
@@ -1 +0,0 @@
-allow cameraserver kernel:system module_request; \ No newline at end of file
diff --git a/common/sepolicy/device.te b/common/sepolicy/device.te
index 160cbcf..77b2fa0 100644
--- a/common/sepolicy/device.te
+++ b/common/sepolicy/device.te
@@ -23,6 +23,7 @@ type drm_block_device, dev_type;
type tee_block_device, dev_type;
type odm_block_device, dev_type;
type vendor_block_device, dev_type;
+type system_block_fsck_device, dev_type;
type dvb_video_device, dev_type;
type subtitle_device, dev_type;
type sw_sync_device, dev_type;
diff --git a/common/sepolicy/dex2oat.te b/common/sepolicy/dex2oat.te
deleted file mode 100644
index c6e8e73..0000000
--- a/common/sepolicy/dex2oat.te
+++ b/dev/null
@@ -1 +0,0 @@
-allow dex2oat kernel:system module_request;
diff --git a/common/sepolicy/drm_device.te b/common/sepolicy/drm_device.te
deleted file mode 100644
index fbd7be1..0000000
--- a/common/sepolicy/drm_device.te
+++ b/dev/null
@@ -1,2 +0,0 @@
-allow drm_device tmpfs:filesystem associate;
-allow drm_device tmpfs:chr_file { read write open};
diff --git a/common/sepolicy/drmserver.te b/common/sepolicy/drmserver.te
index 2f82742..22a676a 100644
--- a/common/sepolicy/drmserver.te
+++ b/common/sepolicy/drmserver.te
@@ -1,10 +1,14 @@
allow drmserver sysfs_xbmc:file rw_file_perms;
allow drmserver sysfs:file rw_file_perms;
allow drmserver drm_data_file:lnk_file {create open read write};
-allow drmserver system_control_service:service_manager find;
-allow drmserver system_control:binder call;
+#allow drmserver system_control_service:service_manager find;
+#allow drmserver system_control:binder call;
allow drmserver mediaserver:dir {getattr};
allow drmserver kernel:system module_request;
+
allow drmserver exfat:file { read };
allow drmserver ntfs:file { read };
+
+allow drmserver unlabeled:file { read };
+
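Review bot: The added `allow drmserver unlabeled:file { read };` grants read on files that carry no valid SELinux label, which usually papers over a missing file_contexts or genfs_contexts entry instead of fixing it. Any file that loses or never receives a label becomes readable by drmserver, so policy no longer bounds the scope of the rule. I would find the path behind the denial, give it a proper type and allow that type instead, or at least record it next to the rule, e.g. `# TODO: label <path> and drop unlabeled access`.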
diff --git a/common/sepolicy/droidvold.te b/common/sepolicy/droidvold.te
new file mode 100644
index 0000000..cb8ae6b
--- a/dev/null
+++ b/common/sepolicy/droidvold.te
@@ -0,0 +1,38 @@
+type droidvold, domain;
+type droidvold_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(droidvold)
+
+allow droidvold self:capability { setgid setuid };
+
+allow droidvold cpuctl_device:dir search;
+
+allow droidvold device:dir { open read };
+allow droidvold usb_device:dir { open read search };
+allow droidvold system_data_file:fifo_file { open read write };
+
+allow droidvold block_device:dir { create read write search add_name };
+
+allow droidvold fuseblk:filesystem mount;
+
+#allow droidvold self:capability { dac_override sys_admin };
+
+allow droidvold tmpfs:dir create_dir_perms;
+allow droidvold tmpfs:dir mounton;
+
+allow droidvold kernel:system module_request;
+allow droidvold mnt_media_rw_file:dir { r_dir_perms };
+allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
+
+allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };
+allow droidvold self:capability { net_admin };
+
+allow droidvold rootfs:dir mounton;
+allow droidvold rootfs:file { read open getattr };
+
+allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:dir { open read search };
+allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };
+
+allow droidvold file_contexts_file:file r_file_perms;
+
+allow proc_net proc:filesystem { associate };
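Review bot: The rules on `{ sysfs sysfs_zram sysfs_zram_uevent }:file { write open read }` give droidvold write access to every node left on the generic `sysfs` type, which is far wider than the zram nodes the type set suggests. Restricting the write to the dedicated types, `allow droidvold { sysfs_zram sysfs_zram_uevent }:file { write open read };`, and labelling any further node it needs keeps the grant auditable. Two smaller points: `allow droidvold droidvold:netlink_kobject_uevent_socket ...` reads more conventionally with `self` as the target, and `allow proc_net proc:filesystem { associate };` does not concern droidvold and would be easier to find next to the type declarations in file.te.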
diff --git a/common/sepolicy/dv_config.te b/common/sepolicy/dv_config.te
deleted file mode 100644
index 31136fd..0000000
--- a/common/sepolicy/dv_config.te
+++ b/dev/null
@@ -1,4 +0,0 @@
-type dv_config, domain;
-type dv_config_exec, exec_type, file_type;
-
-init_daemon_domain(dv_config) \ No newline at end of file
diff --git a/common/sepolicy/file.te b/common/sepolicy/file.te
index ecfb2a4..1cfbd12 100644
--- a/common/sepolicy/file.te
+++ b/common/sepolicy/file.te
@@ -31,5 +31,9 @@ type sysfs_audio_cap, fs_type, sysfs_type;
type ppp_system_file, exec_type, file_type;
type ppp_data_file, file_type;
type log_file, file_type, data_file_type;
+
type ntfs, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
+
+type optee_file, file_type, data_file_type;
+
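Review bot: `optee_file` is declared with the `data_file_type` attribute, but the only path this commit labels with it is `/boot/optee.ko` in file_contexts, which is a kernel module rather than a file under /data. Every rule written against `data_file_type` would then also cover that module. If the type is meant only for that path, `type optee_file, file_type;` or the `vendor_file_type` attribute used elsewhere in this commit looks closer to the intent. A one-line comment above the declaration, such as `# label for /boot/optee.ko`, would record what the type is for.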
diff --git a/common/sepolicy/file_contexts b/common/sepolicy/file_contexts
index 7e06f56..4a5806b 100644
--- a/common/sepolicy/file_contexts
+++ b/common/sepolicy/file_contexts
@@ -1,142 +1,136 @@
+/boot/optee.ko u:object_r:optee_file:s0
+
/data/log(/.*)? u:object_r:log_file:s0
/data/media_rw/sdcard1 u:object_r:media_rw_data_file:s0
/data/tee(/.*)? u:object_r:tee_data_file:s0
-/data/droidota(/.*)? u:object_r:update_data_file:s0
+/data/droidota(/.*)? u:object_r:update_data_file:s0
-/dev/amaudio_.* u:object_r:audio_device:s0
+/dev/amaudio_.* u:object_r:audio_device:s0
/dev/amaudio2_out u:object_r:audio_device:s0
-/dev/amremote u:object_r:input_device:s0
-/dev/am_adc_kpd u:object_r:input_device:s0
-/dev/amv.* u:object_r:video_device:s0
+/dev/amremote u:object_r:input_device:s0
+/dev/am_adc_kpd u:object_r:input_device:s0
+/dev/amv.* u:object_r:video_device:s0
/dev/amvecm u:object_r:amvecm_device:s0
-/dev/amvideo u:object_r:dvb_video_device:s0
-/dev/amvideo_poll u:object_r:amvideo_device:s0
+/dev/amvideo u:object_r:dvb_video_device:s0
+/dev/amvideo_poll u:object_r:amvideo_device:s0
/dev/ionvideo u:object_r:dvb_video_device:s0
-/dev/amstream_.* u:object_r:video_device:s0
-/dev/amstream_sub u:object_r:subtitle_device:s0
+/dev/amstream_.* u:object_r:video_device:s0
+/dev/amstream_sub u:object_r:subtitle_device:s0
/dev/amstream_sub_read u:object_r:subtitle_device:s0
-/dev/amstream_mpts u:object_r:dvb_video_device:s0
+/dev/amstream_mpts u:object_r:dvb_video_device:s0
/dev/amstream_userdata u:object_r:dvb_video_device:s0
-/dev/avin_detect u:object_r:avin_device:s0
-
-/dev/block/env u:object_r:env_device:s0
-/dev/block/data u:object_r:userdata_block_device:s0
-/dev/block/cache u:object_r:cache_block_device:s0
-/dev/block/zram0 u:object_r:swap_block_device:s0
-/dev/block/param u:object_r:param_block_device:s0
-/dev/block/cri_data u:object_r:cri_block_device:s0
-/dev/block/sd[a-z] u:object_r:sda_block_device:s0
+/dev/avin_detect u:object_r:avin_device:s0
+
+/dev/block/env u:object_r:env_device:s0
+/dev/block/data u:object_r:userdata_block_device:s0
+/dev/block/cache u:object_r:cache_block_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/param u:object_r:param_block_device:s0
+/dev/block/cri_data u:object_r:cri_block_device:s0
+/dev/block/sd[a-z] u:object_r:sda_block_device:s0
/dev/block/sd[a-z](.*) u:object_r:sda_block_device:s0
/dev/block/vold(/.*)? u:object_r:vold_block_device:s0
-/dev/block/drm u:object_r:drm_block_device:s0
-/dev/block/boot_a u:object_r:boot_block_device:s0
-/dev/block/boot_b u:object_r:boot_block_device:s0
-/dev/block/boot u:object_r:boot_block_device:s0
-/dev/block/system_a u:object_r:system_block_device:s0
-/dev/block/system_b u:object_r:system_block_device:s0
+/dev/block/drm u:object_r:drm_block_device:s0
+/dev/block/boot_a u:object_r:boot_block_device:s0
+/dev/block/boot_b u:object_r:boot_block_device:s0
+/dev/block/boot u:object_r:boot_block_device:s0
+/dev/block/system_a u:object_r:system_block_fsck_device:s0
+/dev/block/system_b u:object_r:system_block_fsck_device:s0
+/dev/block/system u:object_r:system_block_fsck_device:s0
/dev/block/vendor_a u:object_r:vendor_block_device:s0
/dev/block/vendor_b u:object_r:vendor_block_device:s0
/dev/block/vendor u:object_r:vendor_block_device:s0
-/dev/block/misc u:object_r:misc_block_device:s0
+/dev/block/misc u:object_r:misc_block_device:s0
/dev/block/tee u:object_r:tee_block_device:s0
/dev/block/odm u:object_r:odm_block_device:s0
-/dev/block/odm_a u:object_r:odm_block_device:s0
-/dev/block/odm_b u:object_r:odm_block_device:s0
+/dev/block/odm_a u:object_r:odm_block_device:s0
+/dev/block/odm_b u:object_r:odm_block_device:s0
/dev/block/mmcblk[0-9] u:object_r:sda_block_device:s0
-/dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
-/dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
-/dev/block/droidvold/.+ u:object_r:vold_device:s0
-
-/dev/bootloader u:object_r:bootloader_device:s0
-/dev/btusb0 u:object_r:hci_attach_dev:s0
-/dev/cec u:object_r:cec_device:s0
-/dev/defendkey u:object_r:defendkey_device:s0
-/dev/dtb u:object_r:dtb_device:s0
-/dev/dvb0.* u:object_r:dvb_device:s0
-/dev/dvb.* u:object_r:video_device:s0
-/dev/esm u:object_r:hdcptx_device:s0
-/dev/esm_rx u:object_r:hdcprx_device:s0
-/dev/ge2d u:object_r:ge2d_device:s0
-/dev/hdmirx0 u:object_r:hdmirx0_device:s0
-/dev/irblaster1 u:object_r:ir_device:s0
-/dev/mali u:object_r:gpu_device:s0
-/dev/mali0 u:object_r:gpu_device:s0
-/dev/nand_env u:object_r:env_device:s0
+/dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
+/dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
+
+/dev/bootloader u:object_r:bootloader_device:s0
+/dev/btusb0 u:object_r:hci_attach_dev:s0
+/dev/cec u:object_r:cec_device:s0
+/dev/defendkey u:object_r:defendkey_device:s0
+/dev/dtb u:object_r:dtb_device:s0
+/dev/dvb0.* u:object_r:dvb_device:s0
+/dev/dvb.* u:object_r:video_device:s0
+/dev/esm u:object_r:hdcptx_device:s0
+/dev/esm_rx u:object_r:hdcprx_device:s0
+/dev/ge2d u:object_r:ge2d_device:s0
+/dev/hdmirx0 u:object_r:hdmirx0_device:s0
+/dev/irblaster1 u:object_r:ir_device:s0
+/dev/mali u:object_r:gpu_device:s0
+/dev/mali0 u:object_r:gpu_device:s0
+/dev/nand_env u:object_r:env_device:s0
/dev/opteearmtz00 u:object_r:drm_device:s0
-/dev/otz_client u:object_r:tee_device:s0
-/dev/picdec u:object_r:picture_device:s0
-/dev/rtk_btusb u:object_r:hci_attach_dev:s0
+/dev/otz_client u:object_r:tee_device:s0
+/dev/picdec u:object_r:picture_device:s0
+/dev/rtk_btusb u:object_r:hci_attach_dev:s0
/dev/socket/dig u:object_r:dig_socket:s0
/dev/socket/pppoe_wrapper u:object_r:pppoe_wrapper_socket:s0
/dev/sw_sync u:object_r:sw_sync_device:s0
/dev/tee0 u:object_r:drm_device:s0
/dev/teepriv0 u:object_r:drm_device:s0
-/dev/ttyS[1-2] u:object_r:hci_attach_dev:s0
-/dev/ttyUSB.* u:object_r:radio_device:s0
+/dev/ttyS[1-2] u:object_r:hci_attach_dev:s0
+/dev/ttyUSB.* u:object_r:radio_device:s0
/dev/tvafe0 u:object_r:video_device:s0
/dev/vdin0 u:object_r:video_device:s0
-/dev/wifi_power u:object_r:radio_device:s0
-
-
-/sys/devices/platform/bt-dev/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/platform/bt-dev/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt-dev.*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt-dev.*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/virtual/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
-/sys/devices/d0074000.emmc/mmc_host/emmc/emmc:0001/cid u:object_r:sysfs_xbmc:s0
-
-/sys/class/audiodsp/digital_raw u:object_r:sysfs_xbmc:s0
-/sys/class/video/disable_video u:object_r:sysfs_xbmc:s0
-/sys/class/video/axis u:object_r:sysfs_xbmc:s0
-/sys/class/video/screen_mode u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/enable u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/event u:object_r:sysfs_xbmc:s0
-/sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0
-/sys/class/amhdmitx/amhdmitx0/aud_output_chs u:object_r:sysfs_xbmc:s0
-/sys/class/audiodsp/digital_codec u:object_r:sysfs_digital_codec:s0
-/sys/class/audiodsp/audio_samesource u:object_r:sysfs_audio_samesource:s0
-/sys/class/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
-
-/sys/class/mpgpu/mpgpucmd u:object_r:sysfs_mpgpu_cmd:s0
-/sys/power/early_suspend_trigger u:object_r:sysfs_power_trigger:s0
-
-/sys/class/vfm/map u:object_r:sysfs_xbmc:s0
-
-/param(/.*)? u:object_r:param_tv_file:s0
-/tee(/.*)? u:object_r:tee_data_file:s0
-
-#for daemon seclabel
-/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
-/vendor/bin/dv_config u:object_r:dv_config_exec:s0
-/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
-/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
-/vendor/bin/hdmi_cec u:object_r:hdmi_cec_exec:s0
-/vendor/bin/imageserver u:object_r:imageserver_exec:s0
-/system/bin/make_ext4fs u:object_r:make_ext4fs_exec:s0
-/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
-/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
-/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
-/system/bin/tee-supplicant u:object_r:tee_exec:s0
-/vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0
-/vendor/bin/tvserver u:object_r:tvserver_exec:s0
-/vendor/bin/usbtestpm u:object_r:usbpm_exec:s0
-/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
-/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
-/vendor/bin/droidvold u:object_r:vold_exec:s0
+/dev/wifi_power u:object_r:radio_device:s0
+
+
+/sys/devices/platform/bt-dev/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bt-dev/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt-dev.*/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bt-dev.*/rfkill/rfkill0/type u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/virtual/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
+/sys/devices/d0074000.emmc/mmc_host/emmc/emmc:0001/cid u:object_r:sysfs_xbmc:s0
+
+/sys/class/audiodsp/digital_raw u:object_r:sysfs_xbmc:s0
+/sys/class/video/disable_video u:object_r:sysfs_xbmc:s0
+/sys/class/video/axis u:object_r:sysfs_xbmc:s0
+/sys/class/video/screen_mode u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/enable u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/event u:object_r:sysfs_xbmc:s0
+/sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0
+/sys/class/amhdmitx/amhdmitx0/aud_output_chs u:object_r:sysfs_xbmc:s0
+/sys/class/audiodsp/digital_codec u:object_r:sysfs_digital_codec:s0
+/sys/class/audiodsp/audio_samesource u:object_r:sysfs_audio_samesource:s0
+/sys/class/amhdmitx/amhdmitx0/aud_cap u:object_r:sysfs_audio_cap:s0
+
+/sys/class/mpgpu/mpgpucmd u:object_r:sysfs_mpgpu_cmd:s0
+/sys/power/early_suspend_trigger u:object_r:sysfs_power_trigger:s0
+
+/sys/class/vfm/map u:object_r:sysfs_xbmc:s0
+
+/param(/.*)? u:object_r:param_tv_file:s0
+/tee(/.*)? u:object_r:tee_data_file:s0
+
+#/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
+#/vendor/bin/dv_config u:object_r:dv_config_exec:s0
+
+
+#/vendor/bin/imageserver u:object_r:imageserver_exec:s0
+#/system/bin/make_ext4fs u:object_r:make_ext4fs_exec:s0
+#/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
+
+/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
+/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
+/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
+/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
+/vendor/bin/hdmicecd u:object_r:hdmicecd_exec:s0
+/vendor/bin/droidvold u:object_r:droidvold_exec:s0
+/vendor/bin/tee-supplicant u:object_r:tee_exec:s0
+/vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0
+
+#/vendor/bin/tvserver u:object_r:tvserver_exec:s0
+#/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
+#/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service.droidlogic u:object_r:hal_dumpstate_default_exec:s0
-/system/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0
-/system/vendor/bin/dv_config u:object_r:dv_config_exec:s0
-/system/vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0
-/system/vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0
-/system/vendor/bin/hdmi_cec u:object_r:hdmi_cec_exec:s0
-/system/vendor/bin/imageserver u:object_r:imageserver_exec:s0
-/system/vendor/bin/pppoe_wrapper u:object_r:pppoe_wrapper_exec:s0
-/system/vendor/bin/remotecfg u:object_r:remotecfg_exec:s0
-/system/vendor/bin/systemcontrol u:object_r:system_control_exec:s0
-/system/vendor/bin/tvserver u:object_r:tvserver_exec:s0
-/system/vendor/bin/usbtestpm u:object_r:usbpm_exec:s0
-/system/vendor/bin/wlan_fwloader u:object_r:wlan_fwloader_exec:s0
-/system/vendor/xbin/bcmdl u:object_r:bcmdl_exec:s0
+/vendor/lib(64)?/hw/gralloc\.amlogic\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libfbcnf\.so u:object_r:same_process_hal_file:s0
+
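Review bot: The `/dev/block/system`, `system_a` and `system_b` entries move from `system_block_device` to the new `system_block_fsck_device`, so rules or neverallows written against `system_block_device` no longer cover these nodes, and fsck.te in this commit grants `write` on the new type. If the aim is only to let fsck check the partition, keeping the platform label and granting fsck read access would preserve that protection; otherwise a comment above the three entries should say why a writable label is needed. The hunk also drops the `/dev/block/droidvold/.+` entry while droidvold.te allows creating entries under `block_device:dir`, so nodes created there presumably fall back to a generic label, which is worth confirming. Entries that are no longer wanted (`#/vendor/bin/bootplayer` and the other commented lines) are better deleted than left commented out.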
diff --git a/common/sepolicy/firmload.te b/common/sepolicy/firmload.te
index 6ea347d..e394ffb 100644
--- a/common/sepolicy/firmload.te
+++ b/common/sepolicy/firmload.te
@@ -1,10 +1,10 @@
type firmload, domain;
-type firmload_exec, exec_type, file_type;
+type firmload_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(firmload)
-allow firmload drm_device:chr_file {open read write ioctl};
+allow firmload drm_device:chr_file { open read write ioctl };
allow firmload rootfs:lnk_file getattr;
-allow firmload system_data_file:dir { write};
-allow firmload system_data_file:file { read open getattr};
+allow firmload system_data_file:dir { write add_name };
+allow firmload system_data_file:file { read open getattr };
allow firmload sysfs:file { read open getattr };
-allow firmload proc:file { read open getattr }; \ No newline at end of file
+allow firmload proc:file { read open getattr };
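Review bot: `allow firmload system_data_file:dir { write add_name };` lets this vendor daemon add entries in any directory carrying the generic `system_data_file` label. No `create` permission on a file class is granted in this file, so the rule may be both too broad and incomplete. A dedicated type for the one directory firmload writes to, with a matching file_contexts entry, would confine it; the path is not visible in this hunk, so the author would need to supply it. A comment above the rule naming the file being written would make the intent reviewable.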
diff --git a/common/sepolicy/fsck.te b/common/sepolicy/fsck.te
index 5b6d99b..cfc5eaa 100644
--- a/common/sepolicy/fsck.te
+++ b/common/sepolicy/fsck.te
@@ -1,9 +1,10 @@
-allow fsck param_block_device:blk_file { getattr read write open ioctl };
-allow fsck block_device:blk_file { getattr };
-allow fsck drm_block_device:blk_file { getattr read write };
-allow fsck userdata_block_device:blk_file { getattr read write };
-allow fsck tee_block_device:blk_file rw_file_perms;
-allow fsck odm_block_device:blk_file rw_file_perms;
-allow fsck vold_block_device:blk_file { getattr read write open ioctl };
+#allow fsck block_device:blk_file { getattr read write };
+allow fsck tmpfs:blk_file { getattr read write open ioctl };
+
+allow fsck { vold_block_device param_block_device drm_block_device tee_block_device }:blk_file { getattr read write open ioctl };
+
+allow fsck { vendor_block_device odm_block_device userdata_block_device }:blk_file { getattr read write open ioctl };
+
+allow fsck { system_block_fsck_device }:blk_file { getattr read write open ioctl };
allow fsck rootfs:lnk_file { getattr }; \ No newline at end of file
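Review bot: `allow fsck tmpfs:blk_file { getattr read write open ioctl };` grants read and write on any block node that still carries the generic `tmpfs` label, which suggests the nodes fsck opens are not labelled before it runs. Labelling those nodes and keeping the rules on the specific `*_block_device` types would avoid the catch-all. The combined rules also add `write` on `vendor_block_device` and `system_block_fsck_device`, which the old file did not grant; a comment saying why fsck needs write access to those partitions would help. The file still ends without a trailing newline.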
diff --git a/common/sepolicy/genfs_contexts b/common/sepolicy/genfs_contexts
index 2732a03..21d754e 100644..100755
--- a/common/sepolicy/genfs_contexts
+++ b/common/sepolicy/genfs_contexts
@@ -1,9 +1,9 @@
-genfscon fuseblk / u:object_r:fuseblk:s0
-genfscon hfsplus / u:object_r:hfsplus:s0
-genfscon iso9660 / u:object_r:iso9660:s0
-genfscon udf / u:object_r:udf:s0
-genfscon proc /mounts u:object_r:proc_mounts:s0
-genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
-genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
-genfscon ntfs / u:object_r:ntfs:s0
-genfscon exfat / u:object_r:exfat:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+genfscon hfsplus / u:object_r:hfsplus:s0
+genfscon iso9660 / u:object_r:iso9660:s0
+genfscon udf / u:object_r:udf:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0
+genfscon ntfs / u:object_r:ntfs:s0
+genfscon exfat / u:object_r:exfat:s0
diff --git a/common/sepolicy/hal_camera_default.te b/common/sepolicy/hal_camera_default.te
index a60e4c4..3752db0 100644
--- a/common/sepolicy/hal_camera_default.te
+++ b/common/sepolicy/hal_camera_default.te
@@ -1,2 +1,3 @@
-allow hal_camera_default vndbinder_device:dir {search};
-allow hal_camera_default vndbinder_device:chr_file {open read write ioctl};
+allow hal_camera_default hal_camera_default:netlink_kobject_uevent_socket { create setopt bind read shutdown };
+
+allow hal_camera_default vndbinder_device:chr_file { read write open ioctl }; \ No newline at end of file
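Review bot: The new uevent-socket rule names the domain as its own target instead of using `self`, and spells the permission list out by hand. hal_wifi_default.te in this tree already writes the same kind of rule as `self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;`, so `allow hal_camera_default self:netlink_kobject_uevent_socket { create setopt bind read shutdown };` would at least keep the policy consistent. droidvold.te, added in this commit, uses the same `droidvold droidvold:` form. The file still ends without a trailing newline.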
diff --git a/common/sepolicy/hal_drm_default.te b/common/sepolicy/hal_drm_default.te
index 77021b5..4f2d0be 100644
--- a/common/sepolicy/hal_drm_default.te
+++ b/common/sepolicy/hal_drm_default.te
@@ -1,2 +1,4 @@
allow hal_drm_default vndbinder_device:chr_file { read write open ioctl };
allow hal_drm_default drm_device:chr_file { read open write ioctl };
+
+get_prop(hal_drm_default, media_prop)
diff --git a/common/sepolicy/hal_dumpstate_impl.te b/common/sepolicy/hal_dumpstate_impl.te
index 14b262d..f0d0e6a 100644
--- a/common/sepolicy/hal_dumpstate_impl.te
+++ b/common/sepolicy/hal_dumpstate_impl.te
@@ -1,10 +1,9 @@
type hal_dumpstate_impl, domain;
-hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
+#hal_server_domain(hal_dumpstate_impl, hal_dumpstate)
-type hal_dumpstate_impl_exec, exec_type, file_type;
-init_daemon_domain(hal_dumpstate_impl)
+#type hal_dumpstate_impl_exec, exec_type, file_type;
+#init_daemon_domain(hal_dumpstate_impl)
# Access to files for dumping
-allow hal_dumpstate_impl proc_interrupts:file { open read };
+#allow hal_dumpstate_impl proc_interrupts:file { open read };
allow hal_dumpstate_impl pstorefs:dir search;
-allow hal_dumpstate_impl sysfs:file { open read };
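Review bot: The hunk disables rules by commenting them out rather than deleting them, leaving `type hal_dumpstate_impl, domain;` and one `pstorefs` rule for a domain that no longer has an exec type or an init transition. If the domain is retired, removing the whole file is clearer; if it is kept, a comment such as `# domain kept for <reason>` should say why. The same pattern of commented-out rules appears in hal_wifi_default.te, hdcp_rx22.te, imageserver.te and file_contexts in this commit.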
diff --git a/common/sepolicy/hal_memtrack_default.te b/common/sepolicy/hal_memtrack_default.te
index 6db0312..6cde1cc 100644
--- a/common/sepolicy/hal_memtrack_default.te
+++ b/common/sepolicy/hal_memtrack_default.te
@@ -1,3 +1,5 @@
+typeattribute hal_memtrack_default mlstrustedsubject;
+
allow hal_memtrack_default proc:file { open read getattr };
allow hal_memtrack_default system_app:file { open read getattr };
allow hal_memtrack_default system_app:dir { search };
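Review bot: `typeattribute hal_memtrack_default mlstrustedsubject;` exempts the HAL from MLS checks for every rule in this file, including the reads of other domains' `dir` and `file` objects (presumably their /proc/<pid> entries) that the next hunk widens. The attribute should carry a comment saying which reads need it, for example `# needed to read per-process entries of app domains that run with MLS categories`. If only a few files are involved, a narrower grant would be preferable to a domain-wide MLS exemption.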
@@ -11,18 +13,27 @@ allow hal_memtrack_default hal_dumpstate_default:file { open read getattr };
allow hal_memtrack_default hal_dumpstate_default:dir { search };
allow hal_memtrack_default hal_configstore_default:file { open read getattr };
allow hal_memtrack_default hal_configstore_default:dir { search };
-allow hal_memtrack_default hal_usb_default:file { open read getattr };
-allow hal_memtrack_default hal_usb_default:dir { search };
-allow hal_memtrack_default hal_power_default:dir { search };
-allow hal_memtrack_default hal_power_default:file { read };
-allow hal_memtrack_default { priv_app platform_app untrusted_app }:dir { search };
-allow hal_memtrack_default { priv_app platform_app untrusted_app }:file { read };
+allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:dir { search };
+allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:file { read open getattr };
+
+allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:dir { search };
+allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_audio_default hal_usb_default hal_power_default hal_wifi_default hal_drm_default }:dir { search };
+allow hal_memtrack_default { hal_audio_default hal_usb_default hal_power_default hal_wifi_default hal_drm_default }:file { read open getattr };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:dir { search };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:dir { search };
+allow hal_memtrack_default { hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }:file { read open getattr };
+
+allow hal_memtrack_default { hal_keymaster_default droidvold adbd tee hdmicecd bluetooth untrusted_app_25 }:dir { search };
+allow hal_memtrack_default { hal_keymaster_default droidvold adbd tee hdmicecd bluetooth untrusted_app_25 }:file { read open getattr };
+
+allow hal_memtrack_default { mediadrmserver mediaextractor mediametrics mediacodec audioserver cameraserver mediaserver }:dir { search };
+allow hal_memtrack_default { mediadrmserver mediaextractor mediametrics mediacodec audioserver cameraserver mediaserver }:file { read open getattr };
-allow hal_memtrack_default { logd ueventd vold system_server init }:dir { search };
-allow hal_memtrack_default { logd ueventd vold system_server init }:file { read open getattr };
+allow hal_memtrack_default { logd ueventd vold system_server init shell surfaceflinger lmkd healthd system_control }:dir { search };
+allow hal_memtrack_default { logd ueventd vold system_server init shell surfaceflinger lmkd healthd system_control }:file { read open getattr };
-allow hal_memtrack_default untrusted_app:dir { search };
-allow hal_memtrack_default untrusted_app:file { read open };
-allow hal_memtrack_default platform_app:dir { search };
-allow hal_memtrack_default untrusted_app:file { read open getattr}; \ No newline at end of file
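Review bot: The pair of rules for `{ hal_graphics_composer_default hal_graphics_allocator_default hal_gatekeeper_default }` is added twice, once directly after the `hal_audio_default` group and again after a blank line; the second pair can be dropped. The hand-enumerated source lists now include `keystore`, `gatekeeperd`, `su` and `isolated_app`, each with `read open getattr` on all `file` objects of that domain. A comment naming the per-process file the HAL actually reads would let a reviewer judge whether that breadth is needed, and would explain why the list must be extended for every new domain.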
diff --git a/common/sepolicy/hal_tv_cec_default.te b/common/sepolicy/hal_tv_cec_default.te
new file mode 100644
index 0000000..32d5870
--- a/dev/null
+++ b/common/sepolicy/hal_tv_cec_default.te
@@ -0,0 +1,2 @@
+allow hal_tv_cec_default hdmicecd_hwservice:hwservice_manager { find };
+allow hal_tv_cec_default hdmicecd:binder { call transfer };
diff --git a/common/sepolicy/hal_wifi_default.te b/common/sepolicy/hal_wifi_default.te
index 0fbfee7..163f403 100644
--- a/common/sepolicy/hal_wifi_default.te
+++ b/common/sepolicy/hal_wifi_default.te
@@ -10,5 +10,9 @@ allow hal_wifi_default ctl_default_prop:property_service set;
allow hal_wifi_default wifi_data_file:file { open setattr create read write};
allow hal_wifi_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow hal_wifi_default { system_file vendor_file }:system module_load;
-allow hal_wifi_default hal_wifi_default:capability chown;
-allow hal_wifi_default kernel:system module_request;
+
+#allow hal_wifi_default hal_wifi_default:capability chown;
+#allow hal_wifi_default kernel:system module_request;
+
+allow hal_wifi_default wifi_data_file:dir { search };
+
diff --git a/common/sepolicy/hdcp_rx22.te b/common/sepolicy/hdcp_rx22.te
index 2ff4f35..af1b729 100644
--- a/common/sepolicy/hdcp_rx22.te
+++ b/common/sepolicy/hdcp_rx22.te
@@ -1,13 +1,14 @@
type hdcp_rx22, domain;
-type hdcp_rx22_exec, exec_type, file_type;
+type hdcp_rx22_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hdcp_rx22)
-allow hdcp_rx22 system_file:file execute_no_trans;
+#allow hdcp_rx22 system_file:file execute_no_trans;
-allow hdcp_rx22 sysfs:file rw_file_perms;
+#allow hdcp_rx22 sysfs:file rw_file_perms;
+
+#allow hdcp_rx22 param_tv_file:dir { search read write open add_name remove_name rmdir };
+#allow hdcp_rx22 param_tv_file:file { create open read write setattr getattr lock unlink };
+
+#allow hdcp_rx22 device:dir {write};
+#allow hdcp_rx22 kmsg_device:chr_file { open write };
-allow hdcp_rx22 param_tv_file:dir { search read write open add_name remove_name rmdir };
-allow hdcp_rx22 param_tv_file:file { create open read write setattr getattr lock unlink };
-allow hdcp_rx22 kmsg_device:chr_file {write};
-allow hdcp_rx22 device:dir {write};
-allow hdcp_rx22 kmsg_device:chr_file {open}; \ No newline at end of file
diff --git a/common/sepolicy/hdcp_tx22.te b/common/sepolicy/hdcp_tx22.te
index 2c8feaa..7ac7f26 100644
--- a/common/sepolicy/hdcp_tx22.te
+++ b/common/sepolicy/hdcp_tx22.te
@@ -1,8 +1,9 @@
type hdcp_tx22, domain;
-type hdcp_tx22_exec, exec_type, file_type;
+type hdcp_tx22_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hdcp_tx22)
allow hdcp_tx22 hdcptx_device:chr_file { open read write getattr ioctl };
allow hdcp_tx22 system_file:file execute_no_trans;
allow hdcp_tx22 sysfs:file rw_file_perms;
+
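Review bot: `hdcp_tx22_exec` becomes a `vendor_file_type`, but the unchanged rule `allow hdcp_tx22 system_file:file execute_no_trans;` still lets this vendor daemon execute files from the system partition, the kind of cross-partition dependency this commit removes elsewhere. hdcp_rx22.te in this commit comments out the identical rule. For consistency this file would use `allow hdcp_tx22 vendor_file:file execute_no_trans;` if a helper binary is really executed, or drop the rule. `allow hdcp_tx22 sysfs:file rw_file_perms;` likewise remains on the generic `sysfs` label.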
diff --git a/common/sepolicy/hdmi_cec.te b/common/sepolicy/hdmi_cec.te
deleted file mode 100644
index 4bdefb9..0000000
--- a/common/sepolicy/hdmi_cec.te
+++ b/dev/null
@@ -1,14 +0,0 @@
-type hdmi_cec, domain;
-type hdmi_cec_exec, exec_type, file_type;
-
-init_daemon_domain(hdmi_cec)
-
-binder_use(hdmi_cec);
-binder_call(hdmi_cec, binderservicedomain)
-binder_call(hdmi_cec, appdomain)
-binder_service(hdmi_cec)
-
-allow hdmi_cec system_file:file execute_no_trans;
-allow hdmi_cec hdmi_cec_exec:file { entrypoint read };
-allow hdmi_cec hdmi_cec_service:service_manager add;
-allow hdmi_cec cec_device:chr_file { open read write ioctl };
diff --git a/common/sepolicy/hdmicecd.te b/common/sepolicy/hdmicecd.te
new file mode 100644
index 0000000..96ddcac
--- a/dev/null
+++ b/common/sepolicy/hdmicecd.te
@@ -0,0 +1,15 @@
+type hdmicecd, domain;
+type hdmicecd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hdmicecd)
+
+allow hdmicecd vndbinder_device:chr_file { read write open ioctl };
+allow hdmicecd vndservicemanager:binder { call transfer };
+
+allow hdmicecd hwservicemanager:binder { call transfer };
+allow hdmicecd { hdmicecd_hwservice hidl_base_hwservice }:hwservice_manager { add };
+
+allow hdmicecd cec_device:chr_file { open read write ioctl };
+allow hdmicecd hwservicemanager_prop:file { open read getattr };
+
+allow hdmicecd hal_tv_cec_default:binder { call transfer };
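Review bot: The hwbinder rules are written out by hand here and in hwservicemanager.te and hal_tv_cec_default.te, where the platform macros would do the same work and add a guard. `hwbinder_use(hdmicecd)` and `add_hwservice(hdmicecd, hdmicecd_hwservice)` would replace the `hwservicemanager:binder` rule, the `hwservice_manager { add }` rule and the four `hwservicemanager hdmicecd:` rules; as far as I recall `add_hwservice` also emits a neverallow so that no other domain can register `hdmicecd_hwservice`. `binder_call(hal_tv_cec_default, hdmicecd)` and its reverse cover the two peer rules, including `fd use`. The `vndbinder_device` and `vndservicemanager` rules look left over, given that the commit message says the daemon moved to hwbinder; worth confirming.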
diff --git a/common/sepolicy/hwservice.te b/common/sepolicy/hwservice.te
index cdf8581..9668e00 100644
--- a/common/sepolicy/hwservice.te
+++ b/common/sepolicy/hwservice.te
@@ -1 +1,2 @@
-type systemcontrol_hwservice, hwservice_manager_type; \ No newline at end of file
+type systemcontrol_hwservice, hwservice_manager_type;
+type hdmicecd_hwservice, hwservice_manager_type;
diff --git a/common/sepolicy/hwservice_contexts b/common/sepolicy/hwservice_contexts
index 48a2be0..e6787ae 100644
--- a/common/sepolicy/hwservice_contexts
+++ b/common/sepolicy/hwservice_contexts
@@ -1 +1,2 @@
vendor.amlogic.hardware.systemcontrol::ISystemControl u:object_r:systemcontrol_hwservice:s0
+vendor.amlogic.hardware.hdmicec::IDroidHdmiCEC u:object_r:hdmicecd_hwservice:s0
diff --git a/common/sepolicy/hwservicemanager.te b/common/sepolicy/hwservicemanager.te
index 0395fac..b74d62b 100644
--- a/common/sepolicy/hwservicemanager.te
+++ b/common/sepolicy/hwservicemanager.te
@@ -1,4 +1,9 @@
allow hwservicemanager system_control:binder { call transfer };
allow hwservicemanager system_control:dir { search };
allow hwservicemanager system_control:file { read open };
-allow hwservicemanager system_control:process { getattr }; \ No newline at end of file
+allow hwservicemanager system_control:process { getattr };
+
+allow hwservicemanager hdmicecd:binder { call transfer };
+allow hwservicemanager hdmicecd:dir { search };
+allow hwservicemanager hdmicecd:file { read open };
+allow hwservicemanager hdmicecd:process { getattr }; \ No newline at end of file
diff --git a/common/sepolicy/imageserver.te b/common/sepolicy/imageserver.te
index 2807189..4f68d0e 100644
--- a/common/sepolicy/imageserver.te
+++ b/common/sepolicy/imageserver.te
@@ -1,42 +1,44 @@
type imageserver, domain;
-type imageserver_exec, exec_type, file_type;
+type imageserver_exec, exec_type, vendor_file_type, file_type;
typeattribute imageserver mlstrustedsubject;
init_daemon_domain(imageserver)
-allow imageserver shell_exec:file rx_file_perms;
-allow imageserver system_file:file execute_no_trans;
+allow imageserver vendor_file:file { execute };
-allow imageserver imageserver_service:service_manager add;
+#allow imageserver shell_exec:file rx_file_perms;
+#allow imageserver system_file:file execute_no_trans;
-allow imageserver imageserver_exec:file { entrypoint read };
+#allow imageserver imageserver_service:service_manager add;
-allow imageserver self:process execmem;
+#allow imageserver imageserver_exec:file { entrypoint read };
-binder_use(imageserver);
-binder_call(imageserver, binderservicedomain)
-binder_call(imageserver, appdomain)
-binder_service(imageserver)
+#allow imageserver self:process execmem;
-allow imageserver self:capability dac_override;
-allow imageserver self:capability dac_read_search;
+#binder_use(imageserver);
+#binder_call(imageserver, binderservicedomain)
+#binder_call(imageserver, appdomain)
+#binder_service(imageserver)
+
+#allow imageserver self:capability dac_override;
+#allow imageserver self:capability dac_read_search;
#allow imageserver appdomain:file { r_file_perms };
-allow imageserver fuse:dir r_dir_perms;
-allow imageserver fuse:file r_file_perms;
-allow imageserver app_data_file:file rw_file_perms;
+#allow imageserver fuse:dir r_dir_perms;
+#allow imageserver fuse:file r_file_perms;
+#allow imageserver app_data_file:file rw_file_perms;
#allow imageserver system_file:file execmod;
-allow imageserver app_data_file:dir search;
+#allow imageserver app_data_file:dir search;
-allow imageserver system_control_service:service_manager find;
+#allow imageserver system_control_service:service_manager find;
-allow imageserver { mnt_user_file storage_file }:dir { getattr search };
-allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
-allow imageserver permission_service:service_manager find;
+#allow imageserver { mnt_user_file storage_file }:dir { getattr search };
+#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read };
+#allow imageserver permission_service:service_manager find;
-allow imageserver picture_device:chr_file { read write open ioctl };
-allow imageserver kernel:system module_request;
+#allow imageserver picture_device:chr_file { read write open ioctl };
+#allow imageserver kernel:system module_request;
-allow imageserver tmpfs:dir { getattr search };
+#allow imageserver tmpfs:dir { getattr search };
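Review bot: With every rule except `allow imageserver vendor_file:file { execute };` commented out, the file still declares the domain, keeps `typeattribute imageserver mlstrustedsubject;` and calls `init_daemon_domain(imageserver)`, while file_contexts in this commit comments out the `/vendor/bin/imageserver` label. Unless the binary is labelled elsewhere, `imageserver_exec` is applied to nothing and the transition never fires, so the daemon would not run in this domain. Either delete the file along with the service, or restore the label and keep only the rules it needs. The `mlstrustedsubject` attribute in particular should go if nothing justifies it.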
diff --git a/common/sepolicy/init.te b/common/sepolicy/init.te
index 275b00c..dfb48d9 100644
--- a/common/sepolicy/init.te
+++ b/common/sepolicy/init.te
@@ -1,76 +1,110 @@
allow init self:capability { sys_module };
-# add system_control service
-domain_trans(init, system_control_exec, system_control)
-domain_auto_trans(init, system_control_exec, system_control)
+allow init tmpfs:lnk_file { create_file_perms };
+allow init tmpfs:blk_file { getattr read write open };
-#allow init imageserver_service:service_manager add;
-domain_trans(init, imageserver_exec, imageserver)
-
-domain_trans(init, shell_exec, logcat)
-
-domain_trans(init, tee_exec, tee)
-allow init fuse:file { open read write };
-allow init fuse:dir search;
+allow init sysfs:dir { add_name };
+allow init sysfs:file { create };
-#allow tvserver service
-domain_trans(init, tvserver_exec, tvserver)
-domain_auto_trans(init, tvserver_exec, tvserver)
+allow init kernel:system module_request;
+allow init configfs:file { create getattr open unlink write };
-#allow hdmi_cec service
-domain_trans(init, hdmi_cec_exec, hdmi_cec)
-domain_auto_trans(init, hdmi_cec_exec, hdmi_cec)
+allow init cgroup:file create_file_perms;
+allow init { system_file vendor_file rootfs}:system { module_load };
-#allow dv_config service
-domain_trans(init, dv_config_exec, dv_config)
-domain_auto_trans(init, dv_config_exec, dv_config)
+allow init vendor_file:file { execute };
-domain_trans(init, make_ext4fs_exec, make_ext4fs)
+allow init { tee_block_device userdata_block_device cache_block_device block_device }:blk_file { relabelto write read };
+allow init { vendor_block_device system_block_fsck_device odm_block_device }:blk_file { relabelto write read };
-domain_trans(init, hdcp_tx22_exec, hdcp_tx22)
+allow init configfs:file { create getattr open unlink write };
+allow init configfs:lnk_file { create unlink };
-domain_trans(init, bcmdl_exec, bcmdl);
-#allow usbpm service
-domain_trans(init, usbpm_exec, usbpm)
-domain_auto_trans(init, usbpm_exec, usbpm)
+allow init sysfs_devices_system_cpu:file { create };
+allow init sysfs_devices_system_cpu:dir { write add_name };
+allow init functionfs:dir mounton;
allow init property_socket:sock_file write;
-allow param_tv_file rootfs:filesystem { associate };
+allow init proc:dir { write add_name };
+allow init proc:file { create };
-allow init vfat:dir rw_dir_perms;
-allow init vfat:file create_file_perms;
+allow init socket_device:sock_file { create setattr unlink };
-allow init init:tcp_socket create_stream_socket_perms;
-allow init port:tcp_socket name_bind;
-allow init node:tcp_socket node_bind;
-allow init tmpfs:lnk_file {create_file_perms};
-allow init socket_device:sock_file create_file_perms;
-allow init functionfs:file mounton;
-allow init functionfs:dir mounton;
-allow init system_data_file:file {link};
-allow init debugfs:dir mounton;
-allow init debugfs:file w_file_perms;
-allow init userdata_block_device:blk_file rw_file_perms;
-allow init cache_block_device:blk_file rw_file_perms;
-allow init drm_device:chr_file {setattr read write open ioctl};
-allow init tee_block_device:blk_file rw_file_perms;
-allow init odm_block_device:blk_file rw_file_perms;
-allow shell drm_device:chr_file rw_file_perms;
+allow init drm_device:chr_file { setattr read write open ioctl };
allow init firmload_exec:file {getattr};
-recovery_only(`
- domain_trans(init, rootfs, shell)
- domain_trans(init, rootfs, adbd)
-')
-
-allow init property_socket:sock_file write;
-allow init configfs:file { create getattr open unlink write };
-allow init configfs:lnk_file { create };
-allow init sysfs_devices_system_cpu:dir { add_name write };
-allow init sysfs_devices_system_cpu:file { create };
-
-allow init sysfs:dir { add_name };
-allow init sysfs:file { create };
-allow init cgroup:file create_file_perms;
-allow init kernel:system module_request;
-
-allow init { system_file vendor_file rootfs}:system { module_load };
+#
+#
+## add system_control service
+##domain_trans(init, system_control_exec, system_control)
+#domain_auto_trans(init, system_control_exec, system_control)
+#
+##allow init imageserver_service:service_manager add;
+#domain_trans(init, imageserver_exec, imageserver)
+#
+#domain_trans(init, shell_exec, logcat)
+#
+#domain_trans(init, tee_exec, tee)
+#allow init fuse:file { open read write };
+#allow init fuse:dir search;
+#
+##allow tvserver service
+#domain_trans(init, tvserver_exec, tvserver)
+#domain_auto_trans(init, tvserver_exec, tvserver)
+#
+##allow hdmi_cec service
+#domain_trans(init, hdmi_cec_exec, hdmi_cec)
+#domain_auto_trans(init, hdmi_cec_exec, hdmi_cec)
+#
+##allow dv_config service
+#domain_trans(init, dv_config_exec, dv_config)
+#domain_auto_trans(init, dv_config_exec, dv_config)
+#
+#domain_trans(init, make_ext4fs_exec, make_ext4fs)
+#
+#domain_trans(init, hdcp_tx22_exec, hdcp_tx22)
+#
+#domain_trans(init, bcmdl_exec, bcmdl);
+##allow usbpm service
+#domain_trans(init, usbpm_exec, usbpm)
+#domain_auto_trans(init, usbpm_exec, usbpm)
+#
+#allow init property_socket:sock_file write;
+#allow param_tv_file rootfs:filesystem { associate };
+#
+#allow init vfat:dir rw_dir_perms;
+#allow init vfat:file create_file_perms;
+#
+#allow init init:tcp_socket create_stream_socket_perms;
+#allow init port:tcp_socket name_bind;
+#allow init node:tcp_socket node_bind;
+#allow init tmpfs:lnk_file {create_file_perms};
+#allow init socket_device:sock_file create_file_perms;
+#allow init functionfs:file mounton;
+#allow init functionfs:dir mounton;
+#allow init system_data_file:file {link};
+#allow init debugfs:dir mounton;
+#allow init debugfs:file w_file_perms;
+#allow init userdata_block_device:blk_file rw_file_perms;
+#allow init cache_block_device:blk_file rw_file_perms;
+
+#allow init tee_block_device:blk_file rw_file_perms;
+#allow init odm_block_device:blk_file rw_file_perms;
+
+#
+#recovery_only(`
+# domain_trans(init, rootfs, shell)
+# domain_trans(init, rootfs, adbd)
+#')
+#
+#allow init property_socket:sock_file write;
+#allow init configfs:file { create getattr open unlink write };
+#allow init configfs:lnk_file { create };
+#allow init sysfs_devices_system_cpu:dir { add_name write };
+#allow init sysfs_devices_system_cpu:file { create };
+#
+#allow init sysfs:dir { add_name };
+#allow init sysfs:file { create };
+#allow init cgroup:file create_file_perms;
+#allow init kernel:system module_request;
+#
+#allow init { system_file vendor_file rootfs}:system { module_load };
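Review bot: The new `blk_file` rule lists the generic `block_device` type, so init gains `relabelto write read` on every block node that has no specific label, which is wider than the per-partition `rw_file_perms` rules it replaces. I would drop that type and label whichever partition needed it in file_contexts, leaving `allow init { tee_block_device userdata_block_device cache_block_device }:blk_file { relabelto write read };`. The `create` and `add_name` grants on `sysfs`, `proc` and `sysfs_devices_system_cpu` look like denials from init.rc `write` lines that target nodes which do not exist (inferred, the .rc files are not in this hunk); correcting those paths is safer than allowing the create, and the same applies to the `proc_net` rules added in netd.te. `allow init configfs:file { create getattr open unlink write };` now appears twice in the live policy. The old rules are kept as roughly seventy commented-out lines here, and likewise in mediaserver.te, platform_app.te, pppoe_wrapper.te and system_app.te; git history already preserves them, so deleting them keeps the effective policy easy to audit.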
diff --git a/common/sepolicy/installd.te b/common/sepolicy/installd.te
deleted file mode 100644
index a751249..0000000
--- a/common/sepolicy/installd.te
+++ b/dev/null
@@ -1,8 +0,0 @@
-# Types extracted from seapp_contexts type= fields.
-allow installd { media_data_file }:dir { create_dir_perms relabelfrom relabelto };
-allow installd { media_data_file }:lnk_file { create setattr getattr unlink rename relabelfrom relabelto };
-allow installd { media_data_file }:{ file sock_file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };
-
-allow installd media_data_file:dir { getattr read write open search setattr rmdir add_name relabelfrom relabelto};
-
-allow installd self:capability sys_nice; \ No newline at end of file
diff --git a/common/sepolicy/kernel.te b/common/sepolicy/kernel.te
index 0856d03..a51302f 100644
--- a/common/sepolicy/kernel.te
+++ b/common/sepolicy/kernel.te
@@ -2,3 +2,5 @@ allow kernel self:capability mknod;
allow kernel device:blk_file { ioctl read write create getattr setattr unlink };
allow kernel device:dir {rw_file_perms rw_dir_perms write create};
allow kernel device:chr_file { getattr setattr create };
+
+allow kernel vendor_file:file { getattr read open execute };
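Review bot: `execute` on the generic `vendor_file` type is granted to the kernel domain here, and the same `{ getattr read open execute }` set is added for platform_app, priv_app, surfaceflinger and system_app in later hunks of this commit. `vendor_file` is the default label for files on the vendor partition, so each of these domains may map any vendor file without a more specific label as executable. If the kernel only has to read firmware or modules from /vendor (an assumption, the denial is not shown), `allow kernel vendor_file:file { getattr read open };` is enough. For the app domains, giving the libraries they load a dedicated file type and granting `execute` on that type alone keeps the grant narrow and reviewable.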
diff --git a/common/sepolicy/keystore.te b/common/sepolicy/keystore.te
deleted file mode 100644
index 0a0edb3..0000000
--- a/common/sepolicy/keystore.te
+++ b/dev/null
@@ -1,3 +0,0 @@
-allow keystore app_data_file:file rw_file_perms;
-allow keystore tmpfs:filesystem associate;
-allow keystore drm_device:chr_file { read open write ioctl };
diff --git a/common/sepolicy/lmkd.te b/common/sepolicy/lmkd.te
deleted file mode 100644
index d6c7a6e..0000000
--- a/common/sepolicy/lmkd.te
+++ b/dev/null
@@ -1,2 +0,0 @@
-allow lmkd mediaserver:dir {open read search };
-allow lmkd mediaserver:file { open read write}; \ No newline at end of file
diff --git a/common/sepolicy/logcat.te b/common/sepolicy/logcat.te
deleted file mode 100644
index da7b7fd..0000000
--- a/common/sepolicy/logcat.te
+++ b/dev/null
@@ -1,12 +0,0 @@
-type logcat, domain;
-
-allow logcat logcat_exec:file { entrypoint read execute getattr };
-
-allow logcat log_file:dir { read open write add_name create setattr search remove_name rename };
-allow logcat log_file:file { create write open getattr read append rename unlink setattr };
-allow logcat logdr_socket:sock_file write;
-allow logcat logd:unix_stream_socket connectto;
-
-
-allow logcat shell_exec:file rx_file_perms;
-allow logcat shell_exec:file { execute_no_trans execute read open }; \ No newline at end of file
diff --git a/common/sepolicy/make_ext4fs.te b/common/sepolicy/make_ext4fs.te
deleted file mode 100644
index 2f73a93..0000000
--- a/common/sepolicy/make_ext4fs.te
+++ b/dev/null
@@ -1,19 +0,0 @@
-type make_ext4fs, domain;
-type make_ext4fs_exec, exec_type, file_type;
-init_daemon_domain(make_ext4fs)
-
-allow make_ext4fs devpts:dir { search };
-allow make_ext4fs devpts:chr_file { read write getattr ioctl };
-
-allow make_ext4fs block_device:dir { search getattr };
-
-# Allow stdin/out back to vold
-allow make_ext4fs vold:fd use;
-allow make_ext4fs vold:fifo_file { read write getattr };
-
-allow make_ext4fs dm_device:blk_file { ioctl open read write create getattr };
-
-allow make_ext4fs rootfs:lnk_file {getattr};
-allow make_ext4fs rootfs:file {getattr read open};
-
-allow make_ext4fs file_contexts_file:file {getattr read open};
diff --git a/common/sepolicy/mediacodec.te b/common/sepolicy/mediacodec.te
index e82a2fd..ebd66e9 100644
--- a/common/sepolicy/mediacodec.te
+++ b/common/sepolicy/mediacodec.te
@@ -1,11 +1,13 @@
-allow mediacodec system_control_service:service_manager find;
-allow mediacodec drm_device:chr_file {setattr read write open ioctl};
-allow mediacodec sysfs:file { open read write};
+#allow mediacodec system_control_service:service_manager find;
+allow mediacodec drm_device:chr_file { setattr read write open ioctl };
+allow mediacodec sysfs:file { open read write };
allow mediacodec sysfs_xbmc:file { open read write};
-allow mediacodec audioserver_service:service_manager find;
+#allow mediacodec audioserver_service:service_manager find;
get_prop(mediacodec, media_prop)
allow mediacodec kernel:system module_request;
allow mediacodec mediaserver:dir { search };
allow mediacodec mediaserver:file { read open };
allow mediacodec dvb_video_device:chr_file rw_file_perms;
+
+allow mediacodec system_file:dir { read open };
diff --git a/common/sepolicy/mediaserver.te b/common/sepolicy/mediaserver.te
index 2461546..749c070 100644
--- a/common/sepolicy/mediaserver.te
+++ b/common/sepolicy/mediaserver.te
@@ -1,27 +1,27 @@
-allow mediaserver system_server:unix_stream_socket { read write setopt };
-# media.* props
-allow mediaserver media_prop:property_service set;
-allow mediaserver system_server:dir search;
-# /dev/uio0 for amadec
-#allow mediaserver uio_device:chr_file rw_file_perms;
-#allow mediaserver dvb_video_device:chr_file rw_file_perms;
-# read app /proc/pid/
-allow mediaserver appdomain:dir { getattr search };
-allow mediaserver appdomain:file { r_file_perms };
-
-allow mediaserver graphics_device:dir r_dir_perms;
-allow mediaserver system_data_file:dir {write add_name};
-allow mediaserver sysfs:file { open read write};
-allow mediaserver sysfs_xbmc:file {open read write};
-allow mediaserver screenmediasource_service:service_manager add;
-allow mediaserver system_control_service:service_manager find;
-allow mediaserver media_data_file:lnk_file {create open read write};
-allow mediaserver tvserver:fd use;
-allow mediaserver storage_file:dir search;
-
-allow mediaserver audio_device:dir r_dir_perms;
-allow mediaserver sysfs_audio_cap:file {open read write};
-allow mediaserver kernel:system module_request;
+#allow mediaserver system_server:unix_stream_socket { read write setopt };
+## media.* props
+#allow mediaserver media_prop:property_service set;
+#allow mediaserver system_server:dir search;
+## /dev/uio0 for amadec
+##allow mediaserver uio_device:chr_file rw_file_perms;
+##allow mediaserver dvb_video_device:chr_file rw_file_perms;
+## read app /proc/pid/
+#allow mediaserver appdomain:dir { getattr search };
+#allow mediaserver appdomain:file { r_file_perms };
+#
+#allow mediaserver graphics_device:dir r_dir_perms;
+#allow mediaserver system_data_file:dir {write add_name};
+#allow mediaserver sysfs:file { open read write};
+#allow mediaserver sysfs_xbmc:file {open read write};
+#allow mediaserver screenmediasource_service:service_manager add;
+#allow mediaserver system_control_service:service_manager find;
+#allow mediaserver media_data_file:lnk_file {create open read write};
+#allow mediaserver tvserver:fd use;
+#allow mediaserver storage_file:dir search;
+#
+#allow mediaserver audio_device:dir r_dir_perms;
+#allow mediaserver sysfs_audio_cap:file {open read write};
+#allow mediaserver kernel:system module_request;
allow mediaserver exfat:file { getattr read };
allow mediaserver ntfs:file { getattr read };
diff --git a/common/sepolicy/netd.te b/common/sepolicy/netd.te
index 0cf070b..9361eaf 100644
--- a/common/sepolicy/netd.te
+++ b/common/sepolicy/netd.te
@@ -3,5 +3,8 @@ allow netd self:capability sys_module;
allow netd servicemanager:binder call;
+allow netd proc_net:dir { write add_name };
+allow netd proc_net:file { create };
+
allow netd rootfs:lnk_file { getattr };
-allow netd self:capability sys_nice; \ No newline at end of file
+allow netd self:capability sys_nice;
diff --git a/common/sepolicy/platform_app.te b/common/sepolicy/platform_app.te
index 9447a97..37d09a7 100644
--- a/common/sepolicy/platform_app.te
+++ b/common/sepolicy/platform_app.te
@@ -1,23 +1,32 @@
-allow platform_app sysfs_xbmc:file {rw_file_perms};
-allow platform_app usb_device:dir {open read};
-allow platform_app system_control_service:service_manager find;
-allow platform_app subtitle_service:service_manager find;
-allow platform_app system_control_service:dir { read open search };
-allow platform_app imageserver_service:service_manager find;
+#allow platform_app sysfs_xbmc:file {rw_file_perms};
+#allow platform_app usb_device:dir {open read};
+#allow platform_app system_control_service:service_manager find;
+#allow platform_app subtitle_service:service_manager find;
+#allow platform_app system_control_service:dir { read open search };
+#allow platform_app imageserver_service:service_manager find;
+#
+#allow platform_app mediadrmserver_service:service_manager find;
+#allow platform_app loop_device:dir { open read };
+#
+#allow platform_app iso9660:dir { search open read getattr };
+#allow platform_app iso9660:file { open read getattr };
+#
+#allow platform_app udf:dir { search open read getattr };
+#allow platform_app udf:file { open read getattr };
+#
+#allow platform_app fuseblk:dir create_dir_perms;
+#allow platform_app fuseblk:file create_file_perms;
+#
+#allow platform_app tvserver_service:service_manager find;
+#allow system_app unlabeled:dir { search read write getattr };
+#allow system_app unlabeled:file { lock open read write getattr };
+#allow priv_app media_prop:file { read };
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app loop_device:dir { open read };
-
-allow platform_app iso9660:dir { search open read getattr };
-allow platform_app iso9660:file { open read getattr };
-
-allow platform_app udf:dir { search open read getattr };
-allow platform_app udf:file { open read getattr };
+get_prop(platform_app, media_prop)
+get_prop(system_app, media_prop)
-allow platform_app fuseblk:dir create_dir_perms;
-allow platform_app fuseblk:file create_file_perms;
+allow platform_app vendor_file:file { getattr read open execute };
-allow platform_app tvserver_service:service_manager find;
allow platform_app exfat:dir create_dir_perms;
allow platform_app exfat:file create_file_perms;
@@ -25,8 +34,3 @@ allow platform_app exfat:file create_file_perms;
allow platform_app ntfs:dir create_dir_perms;
allow platform_app ntfs:file create_file_perms;
-allow platform_app storage_stub_file:dir { read open getattr search };
-
-allow priv_app media_prop:file { read };
-get_prop(platform_app, media_prop)
-get_prop(system_app, media_prop)
diff --git a/common/sepolicy/ppp.te b/common/sepolicy/ppp.te
deleted file mode 100644
index 4d4d25f..0000000
--- a/common/sepolicy/ppp.te
+++ b/dev/null
@@ -1,13 +0,0 @@
-# Point to Point Protocol daemon
-allow ppp mtp:socket rw_socket_perms;
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-#allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
-allow ppp system_file:file rx_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
-allow ppp dhcp_prop:property_service set;
-allow ppp ppp_data_file:dir { write search setattr create add_name mounton create_dir_perms };
-allow ppp ppp_system_file:dir { search };
-allow ppp ppp_system_file:file { getattr execute read open execute_no_trans };
diff --git a/common/sepolicy/pppd.te b/common/sepolicy/pppd.te
deleted file mode 100644
index 66a4408..0000000
--- a/common/sepolicy/pppd.te
+++ b/dev/null
@@ -1,42 +0,0 @@
-# Point to Point Protocol daemon
-type sh, domain;
-type sh_device, dev_type;
-type sh_exec, exec_type, file_type;
-
-domain_auto_trans(ppp, sh_exec, sh)
-
-init_daemon_domain(ppp)
-net_domain(ppp)
-
-allow ppp mtp:socket rw_socket_perms;
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:file { rw_file_perms x_file_perms };
-allow ppp ppp_device:dir { rw_file_perms search };
-allow ppp self:capability { dac_override net_admin net_raw setgid setuid };
-allow ppp system_file:file rx_file_perms;
-allow ppp system_file:dir r_file_perms;
-allow ppp system_data_file:dir rw_file_perms;
-allow ppp system_data_file:fifo_file rw_file_perms;
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
-
-allow ppp shell_exec:file rx_file_perms;
-allow ppp property_socket:sock_file write;
-allow ppp radio_prop:property_service set;
-allow ppp system_prop:property_service set;
-allow ppp net_radio_prop:property_service set;
-allow ppp init:unix_stream_socket connectto;
-
-allow ppp radio_device:chr_file rw_file_perms;
-allow ppp radio_data_file:file rw_file_perms;
-allow ppp unlabeled:filesystem { associate };
-allow ppp ppp_exec:file rx_file_perms;
-allow ppp device:file create_file_perms;
-allow ppp device:lnk_file create_file_perms;
-allow ppp device:dir { create_file_perms add_name };
-
-allow sh shell_exec:file rx_file_perms;
-allow sh system_file:file rx_file_perms;
-allow sh ppp_exec:file rx_file_perms;
-allow sh radio_device:file { rw_file_perms link unlink };
diff --git a/common/sepolicy/pppoe_wrapper.te b/common/sepolicy/pppoe_wrapper.te
index 892d556..f8f55d4 100644
--- a/common/sepolicy/pppoe_wrapper.te
+++ b/common/sepolicy/pppoe_wrapper.te
@@ -1,28 +1,31 @@
type pppoe_wrapper, domain;
-type pppoe_wrapper_exec, exec_type, file_type;
-
+type pppoe_wrapper_exec, exec_type, vendor_file_type, file_type;
+#
init_daemon_domain(pppoe_wrapper)
-allow pppoe_wrapper ppp_exec:file { execute_no_trans execute getattr read open };
-allow pppoe_wrapper pppoe_wrapper_exec:file { entrypoint read execute };
-allow pppoe_wrapper system_file:file execute_no_trans;
-allow pppoe_wrapper pppoe_wrapper:process setfscreate;
-allow pppoe_wrapper pppoe_wrapper:capability { net_raw dac_override net_admin setgid setuid kill };
-allow pppoe_wrapper pppoe_wrapper:netlink_route_socket { bind create read write };
-allow pppoe_wrapper property_socket:sock_file write;
-allow pppoe_wrapper system_app:unix_dgram_socket sendto;
-allow pppoe_wrapper ppp_data_file:sock_file { create write setattr unlink };
-allow pppoe_wrapper ppp_data_file:dir { write search setattr create add_name mounton remove_name };
-allow pppoe_wrapper ppp_data_file:file { create write open lock getattr read unlink };
-allow pppoe_wrapper ppp_system_file:dir search;
-allow pppoe_wrapper socket_device:dir { add_name write };
-allow pppoe_wrapper socket_device:sock_file { create setattr };
-allow pppoe_wrapper pppoe_wrapper_socket:sock_file { create setattr write };
-allow pppoe_wrapper shell_exec:file { execute_no_trans execute read open };
-allow pppoe_wrapper net_radio_prop:property_service set;
-allow pppoe_wrapper dhcp_prop:property_service set;
-allow pppoe_wrapper init:unix_stream_socket connectto;
-allow pppoe_wrapper socket_device:sock_file { setattr write };
-allow pppoe_wrapper rootfs:file { read open getattr };
-allow pppoe_wrapper shell_exec:file getattr;
-allow pppoe_wrapper proc_net:file { read open getattr }; \ No newline at end of file
+allow pppoe_wrapper vendor_file:file { execute };
+
+#
+#allow pppoe_wrapper ppp_exec:file { execute_no_trans execute getattr read open };
+#allow pppoe_wrapper pppoe_wrapper_exec:file { entrypoint read execute };
+#allow pppoe_wrapper system_file:file execute_no_trans;
+#allow pppoe_wrapper pppoe_wrapper:process setfscreate;
+#allow pppoe_wrapper pppoe_wrapper:capability { net_raw dac_override net_admin setgid setuid kill };
+#allow pppoe_wrapper pppoe_wrapper:netlink_route_socket { bind create read write };
+#allow pppoe_wrapper property_socket:sock_file write;
+#allow pppoe_wrapper system_app:unix_dgram_socket sendto;
+#allow pppoe_wrapper ppp_data_file:sock_file { create write setattr unlink };
+#allow pppoe_wrapper ppp_data_file:dir { write search setattr create add_name mounton remove_name };
+#allow pppoe_wrapper ppp_data_file:file { create write open lock getattr read unlink };
+#allow pppoe_wrapper ppp_system_file:dir search;
+#allow pppoe_wrapper socket_device:dir { add_name write };
+#allow pppoe_wrapper socket_device:sock_file { create setattr };
+#allow pppoe_wrapper pppoe_wrapper_socket:sock_file { create setattr write };
+#allow pppoe_wrapper shell_exec:file { execute_no_trans execute read open };
+#allow pppoe_wrapper net_radio_prop:property_service set;
+#allow pppoe_wrapper dhcp_prop:property_service set;
+#allow pppoe_wrapper init:unix_stream_socket connectto;
+#allow pppoe_wrapper socket_device:sock_file { setattr write };
+#allow pppoe_wrapper rootfs:file { read open getattr };
+#allow pppoe_wrapper shell_exec:file getattr;
+#allow pppoe_wrapper proc_net:file { read open getattr };
diff --git a/common/sepolicy/priv_app.te b/common/sepolicy/priv_app.te
index efb5f52..2b02883 100644
--- a/common/sepolicy/priv_app.te
+++ b/common/sepolicy/priv_app.te
@@ -1,5 +1,16 @@
allow priv_app fuseblk:dir { search };
allow priv_app fuseblk:file { read open getattr };
-allow priv_app proc_modules:file {getattr};
-allow priv_app media_prop:file {read};
+allow priv_app proc_modules:file { getattr read open };
+allow priv_app proc_interrupts:file { getattr read open };
+
+allow priv_app media_prop:file { read };
allow priv_app dvb_device:chr_file rw_file_perms;
+#allow priv_app property_socket:sock_file { write };
+
+allow priv_app vendor_file:file { open read getattr execute };
+
+allow priv_app zygote:dir { search read };
+allow priv_app zygote:file { open read };
+allow priv_app device:dir { read search open };
+
+allow priv_app { su_exec bootanim_exec bootstat_exec }:file { getattr };
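Review bot: The added `zygote:dir`, `zygote:file`, `device:dir` and `{ su_exec bootanim_exec bootstat_exec }:file getattr` rules read like audit2allow output from an app that scans /proc, /dev and the system binaries rather than access a privileged app needs to function (inferred, no denial log or caller is shown). Allowing them lets every priv_app read the zygote's /proc entries and enumerate /dev. If the purpose is only to quiet the log, use `dontaudit priv_app zygote:dir { search read };` and the matching `dontaudit` lines for the other three rules. If one app does need the access, a comment naming it and the reason belongs above each rule, since nothing in the file documents them.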
diff --git a/common/sepolicy/recovery.te b/common/sepolicy/recovery.te
deleted file mode 100644
index e559270..0000000
--- a/common/sepolicy/recovery.te
+++ b/dev/null
@@ -1,34 +0,0 @@
-recovery_only(`
-
- allow recovery uboot_prop:property_service set;
- allow recovery rootfs:dir create_dir_perms;
- allow recovery sysfs:dir mounton;
- #allow recovery debugfs:file r_file_perms;
-
- allow recovery vfat:dir create_dir_perms;
- allow recovery vfat:file create_file_perms;
-
- #allow recovery ppp_system_file:file {create_file_perms relabelfrom relabelto};
- #allow recovery ppp_system_file:dir {create_dir_perms relabelfrom relabelto};
-
-# allow recovery env_device:chr_file rw_file_perms;
-# allow recovery input_device:chr_file write;
- allow recovery property_data_file:dir { search };
- allow recovery device:dir rw_dir_perms;
-# allow recovery bootloader_device:chr_file rw_file_perms;
-# allow recovery defendkey_device:chr_file rw_file_perms;
- allow recovery dtb_device:chr_file { open read write };
- allow recovery aml_display_prop:property_service set;
-# allow recovery kmsg_device:chr_file rw_file_perms;
- allow recovery recovery:capability { net_admin };
-# allow recovery recovery:netlink_kobject_uevent_socket { create bind setopt read };
- allow recovery aml_display_prop:file {open read getattr};
- allow recovery uboot_prop:file {open read getattr};
- allow recovery sysfs_xbmc:file {open read write};
- allow recovery update_data_file:file rw_file_perms;
- allow recovery update_data_file:dir { search read write open };
-
- allow shell tmpfs:file {open read getattr};
- allow shell sysfs:file {read};
- allow shell rootfs:file {execute_no_trans};
-')
diff --git a/common/sepolicy/remotecfg.te b/common/sepolicy/remotecfg.te
index 72e0334..32116ad 100644
--- a/common/sepolicy/remotecfg.te
+++ b/common/sepolicy/remotecfg.te
@@ -1,6 +1,6 @@
# remotecfg seclabel is specified in init.amlogic.rc
type remotecfg, domain;
-type remotecfg_exec, exec_type, file_type;
+type remotecfg_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(remotecfg)
diff --git a/common/sepolicy/seapp_contexts b/common/sepolicy/seapp_contexts
deleted file mode 100644
index e3aab7e..0000000
--- a/common/sepolicy/seapp_contexts
+++ b/dev/null
@@ -1,38 +0,0 @@
-# Input selectors:
-# isSystemServer (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# sebool (string)
-# isSystemServer=true can only be used once.
-# An unspecified isSystemServer defaults to false.
-# An unspecified string selector will match any value.
-# A user string selector that ends in * will perform a prefix match.
-# user=_app will match any regular app UID.
-# user=_isolated will match any isolated service UID.
-# All specified input selectors in an entry must match (i.e. logical AND).
-# Matching is case-insensitive.
-#
-# Precedence rules:
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified user= string before unspecified user= string.
-# (3) Fixed user= string before user= prefix (i.e. ending in *).
-# (4) Longer user= prefix before shorter user= prefix.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string.
-# (7) Specified path= string before unspecified path= string.
-# (8) Specified sebool= string before unspecified sebool= string.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-# Only entries that specify domain= will be used for app process labeling.
-# Only entries that specify type= will be used for app directory labeling.
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-#user=media domain=mediaserver type=media_data_file
diff --git a/common/sepolicy/servicemanager.te b/common/sepolicy/servicemanager.te
deleted file mode 100644
index f698d9d..0000000
--- a/common/sepolicy/servicemanager.te
+++ b/dev/null
@@ -1,6 +0,0 @@
-allow servicemanager init:dir search;
-allow servicemanager init:file { read open };
-allow servicemanager init:process getattr;
-
-allow servicemanager system_control:dir r_dir_perms;
-allow servicemanager system_control:file r_file_perms; \ No newline at end of file
diff --git a/common/sepolicy/shell.te b/common/sepolicy/shell.te
new file mode 100644
index 0000000..5c3da9a
--- a/dev/null
+++ b/common/sepolicy/shell.te
@@ -0,0 +1,6 @@
+allow shell rootfs:file { entrypoint };
+allow shell sysfs:file { read open getattr };
+
+
+allow shell hdcptx_device:chr_file { open read write getattr ioctl };
+
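Review bot: These three rules apply to the `shell` domain on every build type, so an adb shell on a production image gets `read write ioctl` on `hdcptx_device` and may use any `rootfs` file as an entrypoint. The init.te lines removed in this commit granted the rootfs-to-shell transition only inside `recovery_only(...)`, and that guard is lost here. I would move the `rootfs:file entrypoint` rule back under `recovery_only` and place the `hdcptx_device` rule inside a `userdebug_or_eng` block, assuming it exists for bring-up and debugging. A one-line comment above the `sysfs:file` rule should say which node the shell has to read, because the generic `sysfs` type covers every sysfs file that has no specific label.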
diff --git a/common/sepolicy/surfaceflinger.te b/common/sepolicy/surfaceflinger.te
index 4348c9b..b94ba82 100644
--- a/common/sepolicy/surfaceflinger.te
+++ b/common/sepolicy/surfaceflinger.te
@@ -1,7 +1,5 @@
-allow surfaceflinger sysfs:file write;
-allow surfaceflinger sysfs_xbmc:file {open read write};
+allow surfaceflinger vendor_file:file { open read getattr execute };
allow surfaceflinger system_control_service:service_manager find;
get_prop(surfaceflinger, tv_prop)
-set_prop(surfaceflinger, ctl_default_prop)
-allow surfaceflinger dvb_video_device:chr_file rw_file_perms; \ No newline at end of file
+set_prop(surfaceflinger, ctl_default_prop) \ No newline at end of file
diff --git a/common/sepolicy/system_app.te b/common/sepolicy/system_app.te
index c24b45c..f9dd27b 100644
--- a/common/sepolicy/system_app.te
+++ b/common/sepolicy/system_app.te
@@ -1,56 +1,67 @@
-allow system_app sysfs_lowmemorykiller:file { getattr w_file_perms };
-allow system_app subtitle_service:service_manager add;
-
-#added for atv remote
-allow system_app uhid_device:dir r_dir_perms;
-
-allow system_app dhcp_data_file:file { r_file_perms };
-allow system_app ppp_data_file:dir { create_dir_perms };
-allow system_app ppp_data_file:file { create_file_perms };
-allow system_app ppp_data_file:sock_file { create_file_perms };
-allow system_app pppoe_wrapper_socket:sock_file { write setattr };
-allow system_app pppoe_wrapper_socket:file { getattr write open };
-allow system_app pppoe_wrapper:unix_dgram_socket sendto;
-allow system_app dhcp_data_file:dir { r_dir_perms };
-allow system_app dhcp_data_file:fifo_file { r_file_perms };
-
-allow system_app vold:unix_stream_socket connectto;
-allow system_app pppoe_service:service_manager add;
-allow system_app dig_socket:sock_file write;
-
-allow system_app iso9660:dir { search read open };
-allow system_app unlabeled:dir { open search read write getattr };
-allow system_app unlabeled:file { lock open read write getattr };
-
-# /cache_file for dvb app creat update.zip file at /cache dir
-allow system_app cache_file:dir {create_dir_perms create_file_perms rw_file_perms};
-allow system_app cache_file:file {create_file_perms rw_file_perms getattr};
-
-allow system_app log_file:dir { search read open getattr };
-allow system_app log_file:file { read open getattr };
-allow system_app tombstone_data_file:dir r_dir_perms;
-allow system_app tombstone_data_file:file r_file_perms;
-
-allow system_app shell_data_file:dir search;
-allow system_app graphics_device:dir search;
-allow system_app sysfs_xbmc:file {open read write};
-allow system_app media_prop:property_service set;
-allow system_app system_app:process setfscreate;
-allow system_app socket_device:sock_file setattr;
-allow system_app pppoe_wrapper_socket:sock_file create;
-allow system_app pppoe_wrapper_socket:sock_file unlink;
-allow system_app pppoe_wrapper_socket:file create;
-allow system_app cache_recovery_file:dir { search read open write add_name remove_name};
-allow system_app cache_recovery_file:file { create rw_file_perms unlink};
-allow system_app update_data_file:dir {getattr search read write open add_name remove_name};
-allow system_app update_data_file:file {getattr write read create open unlink};
-allow system_app update_engine:binder {call transfer};
-
-allow system_app tv_prop:file {open read getattr};
-allow system_app tv_prop:property_service {set};
-
-allow system_app proc_stat:file { read open getattr };
-allow system_app proc_interrupts:file { read open getattr };
+#allow system_app sysfs_lowmemorykiller:file { getattr w_file_perms };
+#allow system_app subtitle_service:service_manager add;
+#
+##added for atv remote
+#allow system_app uhid_device:dir r_dir_perms;
+#
+#allow system_app dhcp_data_file:file { r_file_perms };
+#allow system_app ppp_data_file:dir { create_dir_perms };
+#allow system_app ppp_data_file:file { create_file_perms };
+#allow system_app ppp_data_file:sock_file { create_file_perms };
+#allow system_app pppoe_wrapper_socket:sock_file { write setattr };
+#allow system_app pppoe_wrapper_socket:file { getattr write open };
+#allow system_app pppoe_wrapper:unix_dgram_socket sendto;
+#allow system_app dhcp_data_file:dir { r_dir_perms };
+#allow system_app dhcp_data_file:fifo_file { r_file_perms };
+#
+#allow system_app vold:unix_stream_socket connectto;
+#allow system_app pppoe_service:service_manager add;
+#allow system_app dig_socket:sock_file write;
+#
+#allow system_app iso9660:dir { search read open };
+#allow system_app unlabeled:dir { search read write getattr };
+#allow system_app unlabeled:file { lock open read write getattr };
+#
+## /cache_file for dvb app creat update.zip file at /cache dir
+#allow system_app cache_file:dir {create_dir_perms create_file_perms rw_file_perms};
+#allow system_app cache_file:file {create_file_perms rw_file_perms};
+#
+#allow system_app log_file:dir { search read open getattr };
+#allow system_app log_file:file { read open getattr };
+#allow system_app tombstone_data_file:dir r_dir_perms;
+#allow system_app tombstone_data_file:file r_file_perms;
+#
+#allow system_app shell_data_file:dir search;
+#allow system_app graphics_device:dir search;
+#allow system_app sysfs_xbmc:file {open read write};
+#allow system_app media_prop:property_service set;
+#allow system_app system_app:process setfscreate;
+#allow system_app socket_device:sock_file setattr;
+#allow system_app pppoe_wrapper_socket:sock_file create;
+#allow system_app pppoe_wrapper_socket:sock_file unlink;
+#allow system_app pppoe_wrapper_socket:file create;
+#allow system_app cache_recovery_file:dir { search read open write add_name remove_name};
+#allow system_app cache_recovery_file:file { create rw_file_perms unlink};
+
+#allow system_app update_engine:binder {call transfer};
+#
+#allow system_app tv_prop:file {open read getattr};
+#allow system_app tv_prop:property_service {set};
+
+allow system_app rootfs:dir { getattr };
+
+allow system_app vendor_file:file { read open getattr execute };
+
+allow system_app system_app:netlink_kobject_uevent_socket { create };
+
+allow system_app update_data_file:dir { getattr search read write open add_name remove_name };
+allow system_app update_data_file:file { getattr write read create open unlink };
+
+allow system_app { pppoe_service subtitle_service }:service_manager { add };
+
+allow system_app system_app:netlink_kobject_uevent_socket { create setopt bind read getopt };
+
+#allow system_app socket_device:sock_file { write };
allow system_app exfat:dir create_dir_perms;
allow system_app exfat:file create_file_perms;
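Review bot: `allow system_app system_app:netlink_kobject_uevent_socket { create };` is fully covered by the wider rule added a few lines below it, so one of the two should go. The remaining rule reads more clearly with `self`: `allow system_app self:netlink_kobject_uevent_socket { create setopt bind read getopt };`. A comment naming the system app that listens for uevents would help, since the rule opens the kernel uevent stream to every app running in this domain. The hunk also retains about fifty commented-out rules that could simply be deleted.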
@@ -59,3 +70,6 @@ allow system_app ntfs:dir create_dir_perms;
allow system_app ntfs:file create_file_perms;
allow system_app mnt_media_rw_file:dir r_dir_perms;
+allow system_app { systemcontrol_hwservice hdmicecd_hwservice }:hwservice_manager { find };
+
+allow system_app { system_control hdmicecd }:binder { call transfer };
diff --git a/common/sepolicy/system_control.te b/common/sepolicy/system_control.te
index 8038edb..828b97b 100644
--- a/common/sepolicy/system_control.te
+++ b/common/sepolicy/system_control.te
@@ -1,12 +1,7 @@
type system_control, domain;
-type system_control_exec, exec_type, file_type;
+type system_control_exec, exec_type, vendor_file_type, file_type;
-allow system_control system_control_exec:file { entrypoint read };
-
-binder_use(system_control);
-binder_call(system_control, binderservicedomain)
-binder_call(system_control, system_server)
-binder_service(system_control)
+init_daemon_domain(system_control)
allow system_control vndbinder_device:chr_file { read write open ioctl };
allow system_control vndservicemanager:binder { call transfer };
@@ -24,7 +19,7 @@ allow system_control system_control:netlink_kobject_uevent_socket { create setop
allow system_control self:capability { net_admin };
-unix_socket_connect(system_control, vold, vold);
+#unix_socket_connect(system_control, vold, vold);
#unix_socket_connect(system_control, property, init);
# Property Service write
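Review bot: `#unix_socket_connect(system_control, vold, vold);` is disabled with a leading `#` rather than deleted, and the same pattern recurs in the later hunks of this file (the `service_manager`, `shell_exec` and `system_file` rules) and in system_server.te, update_verifier.te and vold.te. Commented-out rules make it harder to audit what the policy grants. They also invite being switched back on in bulk later, including entries such as `#allow system_server self:capability sys_module;`. Delete the lines and rely on the history to keep them. Where the reason matters, one short comment is enough, for example `# vold socket access removed for full Treble`.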
@@ -82,9 +77,9 @@ allow system_control graphics_device:dir r_dir_perms;
allow system_control sysfs_audio_cap:file {open getattr read};
allow system_control sysfs_xbmc:file rw_file_perms;
allow system_control app_data_file:file rw_file_perms;
-allow system_control system_control_service:service_manager add;
-allow system_control permission_service:service_manager find;
-allow system_control surfaceflinger_service:service_manager find;
+#allow system_control system_control_service:service_manager add;
+#allow system_control permission_service:service_manager find;
+#allow system_control surfaceflinger_service:service_manager find;
# Allow system_control to read /proc/pid for all processes
r_dir_file(system_control, domain)
r_dir_file(system_control, binderservicedomain)
@@ -99,9 +94,11 @@ allow system_control platform_app:dir { search };
allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir };
allow system_control param_tv_file:file { create open read write setattr getattr lock unlink };
-allow system_control shell_exec:file { execute_no_trans execute open read getattr };
+#allow system_control shell_exec:file { execute_no_trans execute open read getattr };
allow system_control sysfs_digital_codec:file { read write };
-allow system_control system_file:file execute_no_trans;
+#allow system_control system_file:file execute_no_trans;
allow system_control env_device:blk_file { getattr read open write };
-allow system_control self:capability sys_nice; \ No newline at end of file
+allow system_control self:capability sys_nice;
+
+allow system_control system_app:binder { call };
diff --git a/common/sepolicy/system_server.te b/common/sepolicy/system_server.te
index 2baf4bc..94eb4fd 100644
--- a/common/sepolicy/system_server.te
+++ b/common/sepolicy/system_server.te
@@ -1,32 +1,46 @@
-allow system_server fuse:dir search;
+#allow system_server fuse:dir search;
+#
+#allow system_server mediaserver:process {signal sigkill};
+#allow system_server { system_app_data_file media_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+#
+#allow system_server self:capability sys_module;
+#
+#allow system_server { system_control_service tvserver_service hdmi_cec_service }:service_manager find;
+#
+#allow system_server storage_stub_file:dir { getattr read open };
+#
+#allow system_server debugfs:dir { getattr read open };
+#allow system_server debugfs:file r_file_perms;
+#
+#allow system_server system_app:fifo_file { read write getattr };
+#
+#allow system_server param_tv_file:dir { search };
+#
+#set_prop(system_server, uboot_prop)
+#get_prop(system_server, uboot_prop)
+#
+#allow system_server { system_app platform_app untrusted_app priv_app }:file { write };
+#allow system_server uhid_device:chr_file {write open ioctl};
+#allow system_server dvb_device:chr_file rw_file_perms;
+#
+
+typeattribute system_server mlstrustedsubject;
+
+allow system_server vendor_file:file { getattr read open execute };
+allow system_server vendor_framework_file:dir { search getattr };
+allow system_server vendor_framework_file:file { read getattr open };
-allow system_server mediaserver:process {signal sigkill};
-allow system_server { system_app_data_file media_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
-
-allow system_server self:capability sys_module;
-
-allow system_server { system_control_service tvserver_service hdmi_cec_service }:service_manager find;
-
-allow system_server storage_stub_file:dir { getattr read open };
-
-set_prop(system_control, bcmdl_prop)
-set_prop(system_control, media_prop)
get_prop(system_server, media_prop)
-allow system_server debugfs:dir { getattr read open };
-allow system_server debugfs:file r_file_perms;
+# For writing to /proc/<tid>/timerslack_ns (XXX - this is probably wrong)
+allow system_server priv_app:file write;
+allow system_server untrusted_app:file write;
+allow system_server untrusted_app_25:file write;
+allow system_server platform_app:file write;
+allow system_server system_app:file write;
+allow system_server isolated_app:file write;
+allow system_server bluetooth:file write;
-allow system_server system_app:fifo_file { read write getattr };
+allow system_server socket_device:sock_file { write };
-allow system_server param_tv_file:dir { search };
-
-set_prop(system_server, uboot_prop)
-get_prop(system_server, uboot_prop)
-
-allow system_server { system_app platform_app untrusted_app priv_app }:file { write };
-allow system_server uhid_device:chr_file {write open ioctl};
-allow system_server dvb_device:chr_file rw_file_perms;
allow system_server uhid_device:chr_file { write open ioctl };
-
-allow system_server socket_device:sock_file { read write open };
-
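Review bot: `allow system_server vendor_file:file { getattr read open execute };` lets a platform domain map and run anything labelled as generic vendor files, which is the system/vendor coupling full Treble is meant to remove. The same grant is added for zygote in zygote.te and for system_app earlier in system_app.te. If only specific vendor libraries are needed, give them a dedicated type in file_contexts and grant `execute` on that type, or keep just `{ getattr read open }` if nothing is mapped executable. Separately, the block under `# For writing to /proc/<tid>/timerslack_ns (XXX - this is probably wrong)` widens the removed four-domain rule to `untrusted_app_25`, `isolated_app` and `bluetooth` while admitting doubt, so resolve the XXX or narrow the list to the domains that produced denials. `typeattribute system_server mlstrustedsubject;` probably duplicates the platform policy and is worth confirming.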
diff --git a/common/sepolicy/tee.te b/common/sepolicy/tee.te
index 1690548..0b9d645 100644
--- a/common/sepolicy/tee.te
+++ b/common/sepolicy/tee.te
@@ -7,3 +7,5 @@ allow tee tee_data_file:dir { add_name write create ioctl remove_name open read
allow tee tee_data_file:file { write create open unlink link read };
allow tee system_data_file:dir { write search add_name create };
allow tee system_data_file:file read;
+
+allow tee vendor_file:file { read open getattr execute };
diff --git a/common/sepolicy/tvserver.te b/common/sepolicy/tvserver.te
deleted file mode 100644
index e5bdbde..0000000
--- a/common/sepolicy/tvserver.te
+++ b/dev/null
@@ -1,63 +0,0 @@
-type tvserver, domain;
-type tvserver_exec, exec_type, file_type;
-
-init_daemon_domain(tvserver)
-
-allow tvserver shell_exec:file rx_file_perms;
-allow tvserver system_file:file execute_no_trans;
-allow tvserver tvserver_service:service_manager add;
-allow tvserver tvserver_exec:file { entrypoint read };
-allow tvserver audio_device:dir { search };
-allow tvserver block_device:dir search;
-allow tvserver input_device:dir search;
-allow tvserver sysfs:file { read write open getattr };
-allow tvserver sysfs_xbmc:file { open read write getattr };
-allow tvserver property_socket:sock_file write;
-allow tvserver init:unix_stream_socket connectto;
-allow tvserver mediaserver:fd { use };
-allow tvserver { mediaserver system_app system_control }:binder { call transfer };
-allow mediaserver tvserver:binder { call transfer };
-allow system_app tvserver:binder { call transfer };
-allow system_control tvserver:binder { call transfer };
-allow system_server tvserver:binder { call transfer };
-allow tvserver platform_app:binder { call transfer };
-allow platform_app tvserver:binder { call transfer };
-allow tvserver { ctl_default_prop ctl_bootanim_prop media_prop system_prop uboot_prop powerctl_prop }:property_service set;
-
-allow tvserver self:process execmem;
-allow tvserver self:capability dac_override;
-
-get_prop(tvserver, media_prop)
-allow tvserver media_prop:property_service set;
-allow tvserver system_control_service:service_manager find;
-allow tvserver mediaserver_service:service_manager find;
-allow tvserver audioserver_service:service_manager find;
-allow tvserver mediacodec_service:service_manager find;
-binder_use(tvserver);
-binder_call(tvserver, system_server)
-binder_call(tvserver, binderservicedomain)
-binder_service(tvserver)
-
-allow tvserver param_tv_file:dir { search read write open add_name remove_name rmdir };
-allow tvserver param_tv_file:file { create open read write setattr getattr lock unlink };
-allow param_tv_file labeledfs:filesystem { associate };
-
-allow tvserver tv_config_prop:property_service set;
-
-allow tvserver sysfs:dir { write };
-allow tvserver self:capability sys_nice;
-
-allow tvserver { fuse storage_file }:dir { read search };
-allow tvserver { fuse storage_file }:file { open read getattr };
-
-allow tvserver unlabeled:dir { setattr search write };
-allow tvserver unlabeled:file { getattr open write read lock };
-
-allow tvserver self:capability kill;
-allow tvserver appdomain:process { sigkill signal };
-
-allow tvserver proc:file { read write open getattr };
-
-get_prop(tvserver, tv_prop)
-allow tvserver tv_prop:property_service set;
-allow tvserver tv_prop:file { read open getattr};
diff --git a/common/sepolicy/ueventd.te b/common/sepolicy/ueventd.te
index 8fe630c..ff0d91b 100644
--- a/common/sepolicy/ueventd.te
+++ b/common/sepolicy/ueventd.te
@@ -1 +1,2 @@
allow ueventd drm_device:chr_file { create getattr setattr relabelfrom relabelto } ;
+allow { ueventd drm_device } tmpfs:filesystem { associate } ;
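Review bot: In `allow { ueventd drm_device } tmpfs:filesystem { associate } ;` the `ueventd` entry looks unintended. `associate` is checked with the label of the object being placed on the filesystem as the source, and `ueventd` is a process domain rather than a file or device label. Unless a denial really showed `ueventd` as the source context, write `allow drm_device tmpfs:filesystem associate;` and leave the domain out. If `drm_device` carries the `dev_type` attribute, the platform policy may already cover this and the rule could be dropped; drm_device.te is changed elsewhere in this commit, so check it there.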
diff --git a/common/sepolicy/update_engine.te b/common/sepolicy/update_engine.te
index 75af4e9..b59ec26 100644
--- a/common/sepolicy/update_engine.te
+++ b/common/sepolicy/update_engine.te
@@ -2,4 +2,4 @@
allow update_engine misc_block_device:blk_file rw_file_perms;
allow update_engine vendor_block_device:blk_file rw_file_perms;
allow update_engine odm_block_device:blk_file rw_file_perms;
-allow update_engine system_app:binder {call};
+allow update_engine system_app:binder { call };
diff --git a/common/sepolicy/update_verifier.te b/common/sepolicy/update_verifier.te
index 2b3ddec..1235cd2 100644
--- a/common/sepolicy/update_verifier.te
+++ b/common/sepolicy/update_verifier.te
@@ -1,5 +1,5 @@
# TODO: Add rules to allow update_verifier to read system_block_device.
allow update_verifier system_block_device:blk_file r_file_perms;
-allow update_verifier rootfs:file {getattr read open};
+allow update_verifier rootfs:file { getattr read open };
allow update_verifier proc:file { read open getattr };
-allow update_verifier misc_block_device:blk_file rw_file_perms; \ No newline at end of file
+#allow update_verifier misc_block_device:blk_file rw_file_perms;
diff --git a/common/sepolicy/usbpm.te b/common/sepolicy/usbpm.te
deleted file mode 100644
index 044ec5e..0000000
--- a/common/sepolicy/usbpm.te
+++ b/dev/null
@@ -1,9 +0,0 @@
-type usbpm, domain;
-type usbpm_exec, exec_type, file_type;
-
-init_daemon_domain(usbpm)
-
-allow usbpm usbpm_exec:file { entrypoint read };
-allow usbpm sysfs:file { open read write getattr };
-allow usbpm sysfs:dir { read };
-allow usbpm rootfs:lnk_file { getattr }; \ No newline at end of file
diff --git a/common/sepolicy/vndservicemanager.te b/common/sepolicy/vndservicemanager.te
deleted file mode 100644
index e42e765..0000000
--- a/common/sepolicy/vndservicemanager.te
+++ b/dev/null
@@ -1,3 +0,0 @@
-allow vndservicemanager system_control:dir { search };
-allow vndservicemanager system_control:file { open read getattr };
-allow vndservicemanager system_control:process { getattr };
diff --git a/common/sepolicy/vold.te b/common/sepolicy/vold.te
index 9418698..cccd57c 100644
--- a/common/sepolicy/vold.te
+++ b/common/sepolicy/vold.te
@@ -1,39 +1,35 @@
# NTFS
-userdebug_or_eng(`
- allow vold self:capability { sys_rawio };
-')
-allow vold self:capability { setgid setuid };
-
-allow vold cpuctl_device:dir search;
-
-allow vold device:dir { open read };
-allow vold usb_device:dir { open read search };
-allow vold system_data_file:fifo_file { open read write };
-allow vold kernel:system { module_request };
-
-domain_auto_trans(vold, vold_ext_exec, vold_ext)
-allow vold vold_ext_exec:file { execute read open execute_no_trans };
-allow vold kernel:system module_request;
-allow vold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
-allow vold sda_block_device:blk_file rw_file_perms;
-
-#for dig
-allow vold cache_file:file create_file_perms;
-allow vold cache_file:dir { create_file_perms add_name remove_name };
-
-allow vold vold_block_device:blk_file { create getattr read open unlink ioctl lock write };
-allow vold param_tv_file:dir { read open };
-
-allow vold storage_stub_file:dir { getattr read open search write add_name };
+#userdebug_or_eng(`
+# allow vold self:capability { sys_rawio };
+#')
+#allow vold self:capability { setgid setuid };
+#
+#allow vold cpuctl_device:dir search;
+#
+#allow vold device:dir { open read };
+#allow vold usb_device:dir { open read search };
+#allow vold system_data_file:fifo_file { open read write };
+#allow vold kernel:system { module_request };
+#
+#domain_auto_trans(vold, vold_ext_exec, vold_ext)
+#allow vold vold_ext_exec:file { execute read open execute_no_trans };
+#allow vold kernel:system module_request;
+#allow vold mnt_media_rw_stub_file:dir { r_dir_perms mounton };
+#
+##for dig
+#allow vold cache_file:file create_file_perms;
+#allow vold cache_file:dir { create_file_perms add_name remove_name };
+#
+#allow vold param_tv_file:dir { read open };
+#
+#allow vold storage_stub_file:dir { getattr read open search write add_name };
# for make ext4fs
-domain_auto_trans(vold, make_ext4fs_exec, make_ext4fs);
-
-allow vold tee_data_file:dir { open read };
+#domain_auto_trans(vold, make_ext4fs_exec, make_ext4fs);
-allow vold vold_block_device:blk_file { create read open ioctl unlink };
+allow vold tee_data_file:dir { open read ioctl };
-allow vold apk_data_file:dir { getattr open read };
+#allow vold vold_block_device:blk_file { create read open ioctl unlink };
#for hw keymaster
allow vold drm_device:chr_file {open read write ioctl};
diff --git a/common/sepolicy/vold_ext.te b/common/sepolicy/vold_ext.te
deleted file mode 100644
index 4133855..0000000
--- a/common/sepolicy/vold_ext.te
+++ b/dev/null
@@ -1,27 +0,0 @@
-type vold_ext, domain;
-type vold_ext_exec, exec_type, file_type;
-
-init_daemon_domain(vold_ext)
-
-allow vold_ext self:capability { setgid setuid };
-
-allow vold_ext cpuctl_device:dir search;
-
-allow vold_ext device:dir { open read };
-allow vold_ext usb_device:dir { open read search };
-allow vold_ext system_data_file:fifo_file { open read write };
-
-allow vold_ext block_device:dir rw_dir_perms;
-allow vold_ext fuseblk:filesystem mount;
-allow vold_ext rootfs:dir mounton;
-allow vold_ext self:capability { dac_override sys_admin };
-allow vold_ext vold:fd use;
-allow vold_ext vold:fifo_file { read write };
-allow vold_ext vold:unix_stream_socket { read write };
-
-allow vold_ext tmpfs:dir create_dir_perms;
-allow vold_ext tmpfs:dir mounton;
-
-allow vold_ext kernel:system module_request;
-allow vold_ext mnt_media_rw_file:dir { r_dir_perms };
-allow vold_ext mnt_media_rw_stub_file:dir { r_dir_perms mounton }; \ No newline at end of file
diff --git a/common/sepolicy/webview_zygote.te b/common/sepolicy/webview_zygote.te
index d06664c..fe347f6 100644
--- a/common/sepolicy/webview_zygote.te
+++ b/common/sepolicy/webview_zygote.te
@@ -1 +1 @@
-allow webview_zygote kernel:system module_request;
+allow webview_zygote mnt_expand_file:dir { getattr };
diff --git a/common/sepolicy/wlan_fwloader.te b/common/sepolicy/wlan_fwloader.te
deleted file mode 100644
index cd1bb6d..0000000
--- a/common/sepolicy/wlan_fwloader.te
+++ b/dev/null
@@ -1,10 +0,0 @@
-type wlan_fwloader, domain;
-type wlan_fwloader_exec, exec_type, file_type;
-
-init_daemon_domain(wlan_fwloader)
-
-allow wlan_fwloader init:unix_stream_socket connectto;
-allow wlan_fwloader kernel:system module_request;
-allow wlan_fwloader property_socket:sock_file write;
-allow wlan_fwloader self:capability { net_admin net_raw sys_module };
-allow wlan_fwloader system_prop:property_service set; \ No newline at end of file
diff --git a/common/sepolicy/zygote.te b/common/sepolicy/zygote.te
index 1899a7a..683ea47 100644
--- a/common/sepolicy/zygote.te
+++ b/common/sepolicy/zygote.te
@@ -10,5 +10,4 @@ get_prop(zygote, media_prop)
allow zygote kernel:system module_request;
-#allow zygote zygote_socket:sock_file { write };
-allow zygote adbd:unix_stream_socket { connectto read write };
+allow zygote vendor_file:file { read open getattr execute };
diff --git a/common/software.mk b/common/software.mk
index 0c3fe67..7f647fa 100644
--- a/common/software.mk
+++ b/common/software.mk
@@ -1,5 +1,6 @@
PRODUCT_PROPERTY_OVERRIDES += \
- ro.adb.secure=1
+ ro.adb.secure=1 \
+ sys.open.deepcolor=true
ifeq ($(TARGET_BUILD_CTS), true)
diff --git a/common/vndk/Android.mk b/common/vndk/Android.mk
new file mode 100644
index 0000000..f4bdb14
--- a/dev/null
+++ b/common/vndk/Android.mk
@@ -0,0 +1,57 @@
+LOCAL_PATH := $(call my-dir)
+
+VNDK_SP_LIBRARIES := \
+ android.hardware.graphics.allocator@2.0 \
+ android.hardware.graphics.mapper@2.0 \
+ android.hardware.graphics.common@1.0 \
+ android.hardware.renderscript@1.0 \
+ android.hidl.base@1.0 \
+ android.hidl.memory@1.0 \
+ libRSCpuRef \
+ libRSDriver \
+ libRS_internal \
+ libbacktrace \
+ libbase \
+ libbcinfo \
+ libblas \
+ libc++ \
+ libcompiler_rt \
+ libcutils \
+ libft2 \
+ libhardware \
+ libhidlbase \
+ libhidlmemory \
+ libhidltransport \
+ libhwbinder \
+ libion \
+ liblzma \
+ libpng \
+ libunwind \
+ libutils \
+
+define add-vndk-sp-lib
+include $$(CLEAR_VARS)
+LOCAL_MODULE := $1.vndk-sp
+LOCAL_MODULE_CLASS := SHARED_LIBRARIES
+LOCAL_PREBUILT_MODULE_FILE := $$(TARGET_OUT)/lib/$1.so
+LOCAL_MULTILIB := 32
+LOCAL_MODULE_TAGS := optional
+LOCAL_INSTALLED_MODULE_STEM := $1.so
+LOCAL_MODULE_SUFFIX := .so
+LOCAL_MODULE_RELATIVE_PATH := vndk-sp
+include $$(BUILD_PREBUILT)
+
+include $$(CLEAR_VARS)
+LOCAL_MODULE := $1.vndk-sp
+LOCAL_MODULE_CLASS := SHARED_LIBRARIES
+LOCAL_PREBUILT_MODULE_FILE := $$(TARGET_OUT)/lib64/$1.so
+LOCAL_MULTILIB := 64
+LOCAL_MODULE_TAGS := optional
+LOCAL_INSTALLED_MODULE_STEM := $1.so
+LOCAL_MODULE_SUFFIX := .so
+LOCAL_MODULE_RELATIVE_PATH := vndk-sp
+include $$(BUILD_PREBUILT)
+endef
+
+$(foreach lib,$(VNDK_SP_LIBRARIES),\
+ $(eval $(call add-vndk-sp-lib,$(lib))))
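Review bot: `add-vndk-sp-lib` has no comment, and the template hides two things a maintainer needs to know. It defines the module `$1.vndk-sp` twice, once per `LOCAL_MULTILIB`, and `LOCAL_PREBUILT_MODULE_FILE` points into the installed image at `$$(TARGET_OUT)/lib/$1.so` and `lib64/$1.so`. Add a header above the `define`, such as `# Install a copy of system library $1 (no .so suffix) under lib/vndk-sp and lib64/vndk-sp`, and a line above `VNDK_SP_LIBRARIES` saying where the list comes from, since it is hand-written and presumably determines which platform libraries vendor code loads. Taking the prebuilt from the install directory presumably depends on the original library being installed first, so confirm the build orders that or source the file from the intermediates directory.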
diff --git a/p212/BoardConfig.mk b/p212/BoardConfig.mk
index d517c1f..51c128a 100644
--- a/p212/BoardConfig.mk
+++ b/p212/BoardConfig.mk
@@ -108,4 +108,8 @@ include device/amlogic/common/gpu/mali450-user-$(TARGET_ARCH).mk
#MALLOC_IMPL := dlmalloc
WITH_DEXPREOPT := true
-TARGET_USES_HWC2ON1ADAPTER := true
+PRODUCT_FULL_TREBLE_OVERRIDE := true
+BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
+
+DEVICE_MANIFEST_FILE := device/amlogic/p212/manifest.xml
+#DEVICE_MATRIX_FILE := device/amlogic/common/compatibility_matrix.xml
diff --git a/p212/device.mk b/p212/device.mk
index 7122a92..ffdd33a 100644
--- a/p212/device.mk
+++ b/p212/device.mk
@@ -44,7 +44,7 @@ PRODUCT_COPY_FILES += \
device/amlogic/p212/files/audio_policy.conf:$(TARGET_COPY_OUT_VENDOR)/etc/audio_policy.conf \
device/amlogic/p212/files/media_codecs.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs.xml \
device/amlogic/p212/files/media_codecs_performance.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_performance.xml \
- device/amlogic/p212/files/mixer_paths.xml:system/etc/mixer_paths.xml \
+ device/amlogic/p212/files/mixer_paths.xml:$(TARGET_COPY_OUT_VENDOR)/etc/mixer_paths.xml \
device/amlogic/p212/files/mesondisplay.cfg:$(TARGET_COPY_OUT_VENDOR)/etc/mesondisplay.cfg \
device/amlogic/p212/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml
diff --git a/p212/fstab.amlogic b/p212/fstab.amlogic
index d444f85..adaa6b1 100644
--- a/p212/fstab.amlogic
+++ b/p212/fstab.amlogic
@@ -4,9 +4,6 @@
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait
-/dev/block/vendor /vendor ext4 ro wait
-/dev/block/odm /odm ext4 ro wait
/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota
/dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
@@ -16,4 +13,4 @@
/dev/block/loop auto loop defaults voldmanaged=loop:auto
# Add for zram. zramsize can be in numeric (byte) , in percent
/dev/block/zram0 /swap_zram0 swap defaults wait,zramsize=524288000
-/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
+/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check \ No newline at end of file
diff --git a/p212/init.amlogic.board.rc b/p212/init.amlogic.board.rc
index 0517829..c6e6623 100644
--- a/p212/init.amlogic.board.rc
+++ b/p212/init.amlogic.board.rc
@@ -6,9 +6,6 @@ on early-init
mount configfs configfs /sys/kernel/config
#mount usbfs none /proc/bus/usb
- insmod /boot/optee.ko
- insmod /boot/optee_armtz.ko
-
on init
on post-fs-data
@@ -26,21 +23,8 @@ on boot
chmod 666 /sys/class/sii9233a/enable
chmod 666 /sys/module/tvin_vdin/parameters/max_buf_num
- #chmod 0666 /dev/amstream_sub_read
-
-# insmod /vendor/lib/audio_data.ko
-
# chmod 0666 /dev/ge2d
chmod 666 /dev/cec
chmod 0666 /dev/opteearmtz00
chmod 0666 /dev/tee0
-on fs
-on post-fs-data
- mkdir /data/tee
-
-service tee_supplicant /system/bin/tee-supplicant
- class main
- oneshot
- seclabel u:r:tee:s0
-
diff --git a/p212/manifest.xml b/p212/manifest.xml
index 10fdb8c..153af53 100644
--- a/p212/manifest.xml
+++ b/p212/manifest.xml
@@ -9,6 +9,15 @@
</interface>
</hal>
<hal format="hidl">
+ <name>android.hardware.bluetooth</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IBluetoothHci</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
<name>android.hardware.usb</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -27,6 +36,15 @@
</interface>
</hal>
<hal format="hidl">
+ <name>android.hardware.wifi.supplicant</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>ISupplicant</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
<name>android.hardware.power</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -134,6 +152,15 @@
</interface>
</hal>
<hal>
+ <name>android.hardware.tv.cec</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IHdmiCec</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
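Review bot: The `android.hardware.tv.cec` entry added here sits in a bare `<hal>` element, and the `vendor.amlogic.hardware.hdmicec` entry in the next hunk does the same. The other entries this commit adds to the file use `<hal format="hidl">`. The format presumably defaults to HIDL, so this is a consistency point rather than a functional one. Writing `<hal format="hidl">` on every entry keeps the manifest uniform and makes the transport type explicit to anyone auditing which interfaces the vendor image exposes.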
+ <hal>
<name>vendor.amlogic.hardware.systemcontrol</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -142,6 +169,42 @@
<instance>default</instance>
</interface>
</hal>
+ <hal>
+ <name>vendor.amlogic.hardware.hdmicec</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IDroidHdmiCEC</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
+ <name>android.hardware.thermal</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IThermal</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
+ <name>android.hardware.light</name>
+ <transport>hwbinder</transport>
+ <version>2.0</version>
+ <interface>
+ <name>ILight</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
+ <name>android.hardware.health</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IHealth</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
<sepolicy>
<version>26.0</version>
</sepolicy>
diff --git a/p212/system.prop b/p212/system.prop
index 36d7460..048b952 100644
--- a/p212/system.prop
+++ b/p212/system.prop
@@ -91,84 +91,3 @@ mbx.hdmiin.videolayer=false
#adb
service.adb.tcp.port=5555
-
-#netflix
-ro.nrdp.modelgroup=S905
-
-sys.open.deepcolor=true
-######## UBOOTENV VARIBLES - r/w as system properties ##########
-#
-# Now we can load ubootenv varibles to system properties.
-# We use a special prefix ("ubootenv.var" as default) to indicate that the 'property'
-# actually is an ubootenv varible.
-#
-# A ubootenv 'property' will be initialized during system booting. And when user set
-# a different value, it will be written back to ubootenv device immediately.
-#
-
-## prefix of ubootenv varibles - should less than 16 chars.
-#UBOOTENV MTD NAME
-#ubootenv.var.bootcmd=
-#ubootenv.var.cpuclock=
-#ubootenv.var.gpuclock=
-#ubootenv.var.memsize=
-#ubootenv.var.ethaddr=
-#ubootenv.var.ipaddr=
-#ubootenv.var.gatewayip=
-ubootenv.var.outputmode=
-#ubootenv.var.screenratio=
-#ubootenv.var.oobeflag=
-ubootenv.var.480p_x=
-ubootenv.var.480p_y=
-ubootenv.var.480p_w=
-ubootenv.var.480p_h=
-ubootenv.var.480i_x=
-ubootenv.var.480i_y=
-ubootenv.var.480i_w=
-ubootenv.var.480i_h=
-ubootenv.var.576p_x=
-ubootenv.var.576p_y=
-ubootenv.var.576p_w=
-ubootenv.var.576p_h=
-ubootenv.var.576i_x=
-ubootenv.var.576i_y=
-ubootenv.var.576i_w=
-ubootenv.var.576i_h=
-ubootenv.var.720p_x=
-ubootenv.var.720p_y=
-ubootenv.var.720p_w=
-ubootenv.var.720p_h=
-ubootenv.var.1080p_x=
-ubootenv.var.1080p_y=
-ubootenv.var.1080p_w=
-ubootenv.var.1080p_h=
-ubootenv.var.1080i_x=
-ubootenv.var.1080i_y=
-ubootenv.var.1080i_w=
-ubootenv.var.1080i_h=
-ubootenv.var.4k2k24hz_x=
-ubootenv.var.4k2k24hz_y=
-ubootenv.var.4k2k24hz_w=
-ubootenv.var.4k2k24hz_h=
-ubootenv.var.4k2k25hz_x=
-ubootenv.var.4k2k25hz_y=
-ubootenv.var.4k2k25hz_w=
-ubootenv.var.4k2k25hz_h=
-ubootenv.var.4k2k30hz_x=
-ubootenv.var.4k2k30hz_y=
-ubootenv.var.4k2k30hz_w=
-ubootenv.var.4k2k30hz_h=
-ubootenv.var.4k2ksmpte_x=
-ubootenv.var.4k2ksmpte_y=
-ubootenv.var.4k2ksmpte_w=
-ubootenv.var.4k2ksmpte_h=
-ubootenv.var.digitaudiooutput=
-ubootenv.var.defaulttvfrequency=
-ubootenv.var.has.accelerometer=
-ubootenv.var.cecconfig=
-ubootenv.var.cvbsmode=
-ubootenv.var.hdmimode=
-ubootenv.var.is.bestmode=
-ubootenv.var.disp.fromleft=
-ubootenv.var.edid.crcvalue=
-ubootenv.var.colorattribute=
diff --git a/p230/BoardConfig.mk b/p230/BoardConfig.mk
index 9ccbd10..277af49 100644
--- a/p230/BoardConfig.mk
+++ b/p230/BoardConfig.mk
@@ -109,3 +109,8 @@ include device/amlogic/common/gpu/mali450-user-$(TARGET_ARCH).mk
#MALLOC_IMPL := dlmalloc
WITH_DEXPREOPT := true
+PRODUCT_FULL_TREBLE_OVERRIDE := true
+BOARD_PROPERTY_OVERRIDES_SPLIT_ENABLED := true
+
+DEVICE_MANIFEST_FILE := device/amlogic/p230/manifest.xml
+#DEVICE_MATRIX_FILE := device/amlogic/common/compatibility_matrix.xml
diff --git a/p230/device.mk b/p230/device.mk
index ff82ee2..b14b8f6 100644
--- a/p230/device.mk
+++ b/p230/device.mk
@@ -31,7 +31,7 @@ PRODUCT_COPY_FILES += \
device/amlogic/p230/files/audio_policy.conf:$(TARGET_COPY_OUT_VENDOR)/etc/audio_policy.conf \
device/amlogic/p230/files/media_codecs.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs.xml \
device/amlogic/p230/files/media_codecs_performance.xml:$(TARGET_COPY_OUT_VENDOR)/etc/media_codecs_performance.xml \
- device/amlogic/p230/files/mixer_paths.xml:system/etc/mixer_paths.xml \
+ device/amlogic/p230/files/mixer_paths.xml:$(TARGET_COPY_OUT_VENDOR)/etc/mixer_paths.xml \
device/amlogic/p230/files/mesondisplay.cfg:$(TARGET_COPY_OUT_VENDOR)/etc/mesondisplay.cfg \
frameworks/native/data/etc/android.hardware.hdmi.cec.xml:system/etc/permissions/android.hardware.hdmi.cec.xml \
device/amlogic/p230/manifest.xml:$(TARGET_COPY_OUT_VENDOR)/manifest.xml
diff --git a/p230/fstab.AB.amlogic b/p230/fstab.AB.amlogic
index 3376911..a7b1b72 100644
--- a/p230/fstab.AB.amlogic
+++ b/p230/fstab.AB.amlogic
@@ -4,9 +4,6 @@
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/d0074000.emmc/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait,slotselect
-/dev/block/vendor /vendor ext4 ro wait,slotselect
-/dev/block/odm /odm ext4 ro wait,slotselect
/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota
/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto
diff --git a/p230/fstab.AB.verity.amlogic b/p230/fstab.AB.verity.amlogic
index 4c3d152..a7b1b72 100644
--- a/p230/fstab.AB.verity.amlogic
+++ b/p230/fstab.AB.verity.amlogic
@@ -4,9 +4,6 @@
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/platform/d0074000.emmc/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait,slotselect,verify
-/dev/block/vendor /vendor ext4 ro wait,slotselect,verify
-/dev/block/odm /odm ext4 ro wait,slotselect
/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota
/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto
diff --git a/p230/fstab.amlogic b/p230/fstab.amlogic
index d444f85..2e4888b 100644
--- a/p230/fstab.amlogic
+++ b/p230/fstab.amlogic
@@ -4,9 +4,6 @@
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait
-/dev/block/vendor /vendor ext4 ro wait
-/dev/block/odm /odm ext4 ro wait
/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota
/dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
diff --git a/p230/fstab.amlogic.bak b/p230/fstab.amlogic.bak
deleted file mode 100644
index bc3c5f3..0000000
--- a/p230/fstab.amlogic.bak
+++ b/dev/null
@@ -1,19 +0,0 @@
-# Android fstab file.
-#<src> <mnt_point> <type> <mnt_flags and options> <fs_mgr_flags>
-# The filesystem that contains the filesystem checker binary (typically /system) cannot
-# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
-
-/dev/block/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait
-/dev/block/vendor /vendor ext4 ro wait
-/dev/block/odm /odm ext4 ro wait
-/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer
-/dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
-/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk0:auto
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sd* auto vfat defaults voldmanaged=udisk1:auto
-/devices/*dwc3/xhci-hcd.0.auto/usb?/*/host*/target*/block/sr* auto vfat defaults voldmanaged=sr0:auto
-/dev/block/loop auto loop defaults voldmanaged=loop:auto
-# Add for zram. zramsize can be in numeric (byte) , in percent
-/dev/block/zram0 /swap_zram0 swap defaults wait,zramsize=524288000
-#/dev/block/tee /tee ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
diff --git a/p230/fstab.verity.amlogic b/p230/fstab.verity.amlogic
index ef2ff90..2e4888b 100644
--- a/p230/fstab.verity.amlogic
+++ b/p230/fstab.verity.amlogic
@@ -4,9 +4,6 @@
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK
/dev/block/misc /misc emmc defaults defaults
-/dev/block/system /system ext4 ro wait,verify
-/dev/block/vendor /vendor ext4 ro wait,verify
-/dev/block/odm /odm ext4 ro wait
/dev/block/data /data ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check,encryptable=footer,quota
/dev/block/cache /cache ext4 noatime,nosuid,nodev,nodelalloc,nomblk_io_submit,errors=panic wait,check
/devices/*.sd/mmc_host/sd* auto vfat defaults voldmanaged=sdcard1:auto,noemulatedsd
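Review bot: After this hunk no entry visible in `fstab.verity.amlogic` carries the `verify` fs_mgr flag, because the `/system` and `/vendor` lines with `wait,verify` are removed and nothing replaces them in this file. Under full Treble these partitions are normally early-mounted from the device-tree fstab, so dm-verity is presumably meant to be enabled there. That is not visible here and should be confirmed on a built image; otherwise integrity checking of system and vendor is dropped silently. A header comment would record the dependency, for example `# /system and /vendor are early-mounted from the dtb fstab; their verify flags live there`.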
diff --git a/p230/init.amlogic.board.rc b/p230/init.amlogic.board.rc
index 81ab73e..18068b3 100644
--- a/p230/init.amlogic.board.rc
+++ b/p230/init.amlogic.board.rc
@@ -6,9 +6,6 @@ on early-init
mount configfs configfs /sys/kernel/config
#mount usbfs none /proc/bus/usb
- insmod /boot/optee.ko
- insmod /boot/optee_armtz.ko
-
on init
on post-fs-data
@@ -27,21 +24,8 @@ on boot
chmod 666 /sys/class/sii9233a/enable
chmod 666 /sys/module/tvin_vdin/parameters/max_buf_num
- #chmod 0666 /dev/amstream_sub_read
-
-# insmod /vendor/lib/audio_data.ko
-
# chmod 0666 /dev/ge2d
chmod 666 /dev/cec
chmod 0666 /dev/opteearmtz00
chmod 0666 /dev/tee0
-on fs
-on post-fs-data
- mkdir /data/tee
-
-service tee_supplicant /system/bin/tee-supplicant
- class main
- oneshot
- seclabel u:r:tee:s0
-
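Review bot: The context lines `chmod 0666 /dev/opteearmtz00` and `chmod 0666 /dev/tee0` stay on the new side, although this hunk removes the `tee_supplicant` service and the earlier hunk removes the optee `insmod` lines. World read/write on the TEE device nodes leaves SELinux as the only access control for them. If the TEE client is now started from another rc file (not visible here), the nodes should be narrowed to that daemon, for example `chmod 0660 /dev/tee0` plus a `chown` to its user and group. If nothing on this board opens them any more, the two lines should be deleted. The same applies to `chmod 666 /dev/cec` now that the description says the hdmicec daemon is reached over hwbinder; the `on boot` block starts outside the hunk.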
diff --git a/p230/manifest.xml b/p230/manifest.xml
index 88567d2..1bf74e9 100644
--- a/p230/manifest.xml
+++ b/p230/manifest.xml
@@ -9,6 +9,15 @@
</interface>
</hal>
<hal format="hidl">
+ <name>android.hardware.bluetooth</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IBluetoothHci</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
<name>android.hardware.usb</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -27,6 +36,15 @@
</interface>
</hal>
<hal format="hidl">
+ <name>android.hardware.wifi.supplicant</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>ISupplicant</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
<name>android.hardware.power</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -134,6 +152,15 @@
</interface>
</hal>
<hal>
+ <name>android.hardware.tv.cec</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IHdmiCec</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal>
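Review bot: The `android.hardware.tv.cec` entry added here sits in a bare `<hal>` element, and `vendor.amlogic.hardware.hdmicec` in the next hunk is added the same way, while the bluetooth, wifi.supplicant, thermal, light and health entries added by this commit use `<hal format="hidl">`. The attribute defaults to hidl as far as I know, so this is a consistency point rather than a functional one, but writing `<hal format="hidl">` on both keeps the manifest uniform. Each newly declared instance also needs a registered service and a matching `hwservice_contexts` label, which cannot be checked from this hunk.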
<name>vendor.amlogic.hardware.systemcontrol</name>
<transport>hwbinder</transport>
<version>1.0</version>
@@ -142,6 +169,15 @@
<instance>default</instance>
</interface>
</hal>
+ <hal>
+ <name>vendor.amlogic.hardware.hdmicec</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IDroidHdmiCEC</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
<hal format="hidl">
<name>android.hardware.boot</name>
<transport>hwbinder</transport>
@@ -151,6 +187,33 @@
<instance>default</instance>
</interface>
</hal>
+ <hal format="hidl">
+ <name>android.hardware.thermal</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IThermal</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
+ <name>android.hardware.light</name>
+ <transport>hwbinder</transport>
+ <version>2.0</version>
+ <interface>
+ <name>ILight</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+ <hal format="hidl">
+ <name>android.hardware.health</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IHealth</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
<sepolicy>
<version>26.0</version>
</sepolicy>
diff --git a/p230/system.prop b/p230/system.prop
index 36d7460..048b952 100644
--- a/p230/system.prop
+++ b/p230/system.prop
@@ -91,84 +91,3 @@ mbx.hdmiin.videolayer=false
#adb
service.adb.tcp.port=5555
-
-#netflix
-ro.nrdp.modelgroup=S905
-
-sys.open.deepcolor=true
-######## UBOOTENV VARIBLES - r/w as system properties ##########
-#
-# Now we can load ubootenv varibles to system properties.
-# We use a special prefix ("ubootenv.var" as default) to indicate that the 'property'
-# actually is an ubootenv varible.
-#
-# A ubootenv 'property' will be initialized during system booting. And when user set
-# a different value, it will be written back to ubootenv device immediately.
-#
-
-## prefix of ubootenv varibles - should less than 16 chars.
-#UBOOTENV MTD NAME
-#ubootenv.var.bootcmd=
-#ubootenv.var.cpuclock=
-#ubootenv.var.gpuclock=
-#ubootenv.var.memsize=
-#ubootenv.var.ethaddr=
-#ubootenv.var.ipaddr=
-#ubootenv.var.gatewayip=
-ubootenv.var.outputmode=
-#ubootenv.var.screenratio=
-#ubootenv.var.oobeflag=
-ubootenv.var.480p_x=
-ubootenv.var.480p_y=
-ubootenv.var.480p_w=
-ubootenv.var.480p_h=
-ubootenv.var.480i_x=
-ubootenv.var.480i_y=
-ubootenv.var.480i_w=
-ubootenv.var.480i_h=
-ubootenv.var.576p_x=
-ubootenv.var.576p_y=
-ubootenv.var.576p_w=
-ubootenv.var.576p_h=
-ubootenv.var.576i_x=
-ubootenv.var.576i_y=
-ubootenv.var.576i_w=
-ubootenv.var.576i_h=
-ubootenv.var.720p_x=
-ubootenv.var.720p_y=
-ubootenv.var.720p_w=
-ubootenv.var.720p_h=
-ubootenv.var.1080p_x=
-ubootenv.var.1080p_y=
-ubootenv.var.1080p_w=
-ubootenv.var.1080p_h=
-ubootenv.var.1080i_x=
-ubootenv.var.1080i_y=
-ubootenv.var.1080i_w=
-ubootenv.var.1080i_h=
-ubootenv.var.4k2k24hz_x=
-ubootenv.var.4k2k24hz_y=
-ubootenv.var.4k2k24hz_w=
-ubootenv.var.4k2k24hz_h=
-ubootenv.var.4k2k25hz_x=
-ubootenv.var.4k2k25hz_y=
-ubootenv.var.4k2k25hz_w=
-ubootenv.var.4k2k25hz_h=
-ubootenv.var.4k2k30hz_x=
-ubootenv.var.4k2k30hz_y=
-ubootenv.var.4k2k30hz_w=
-ubootenv.var.4k2k30hz_h=
-ubootenv.var.4k2ksmpte_x=
-ubootenv.var.4k2ksmpte_y=
-ubootenv.var.4k2ksmpte_w=
-ubootenv.var.4k2ksmpte_h=
-ubootenv.var.digitaudiooutput=
-ubootenv.var.defaulttvfrequency=
-ubootenv.var.has.accelerometer=
-ubootenv.var.cecconfig=
-ubootenv.var.cvbsmode=
-ubootenv.var.hdmimode=
-ubootenv.var.is.bestmode=
-ubootenv.var.disp.fromleft=
-ubootenv.var.edid.crcvalue=
-ubootenv.var.colorattribute=
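Review bot: `service.adb.tcp.port=5555` is left as the last property in `system.prop` after this cleanup, so adbd listens on TCP by default on every build that picks up this file. On a network-attached box that exposes the debug interface to the LAN, with adb authentication as the only barrier if it is enabled at all. I would move the property into a userdebug/eng-only fragment, or drop it and enable TCP adb on demand. The removed `ubootenv.var.*` declarations are presumably relocated elsewhere in the commit, which is not visible in this hunk.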