author | jie.yuan <jie.yuan@amlogic.com> | 2019-04-02 03:14:17 (GMT) |
---|---|---|
committer | jie yuan <jie.yuan@amlogic.com> | 2019-05-10 01:16:24 (GMT) |
commit | 7f3474215dca36056ba529d449c39f397b010e14 (patch) | |
tree | bf94705819f9ac59682b3f862e864f20cd6061fd | |
parent | 1d3c62cdf9df632e3e761b1ce4933e8e45a44a06 (diff) | |
product:enable PRODUCT_SHIPPING_API_LEVEL := 28 [1/8]
PD#SWPL-227
BUG=129695230
Problem:
The shipping API level is 28, so tighter property access rules are needed
Solution:
add some selinux policies
Verify:
verify it on Atom and Beast
we must use PartnerPrefixes properties:
init.svc.vendor.
ro.vendor.
persist.vendor.
vendor.
init.svc.odm.
ro.odm.
persist.odm.
odm.
ro.boot.
and we don't use hidden apis
Change-Id: Ia71c44af056a2df53535732809af491dfd6a37d1
Signed-off-by: jie.yuan <jie.yuan@amlogic.com>
75 files changed, 596 insertions, 160 deletions
@@ -16,6 +16,8 @@ BUILT_IMAGES += system.img userdata.img ifneq ($(AB_OTA_UPDATER),true) BUILT_IMAGES += cache.img +ifdef BOARD_PREBUILT_DTBOIMAGE +BUILT_IMAGES += dtbo.img endif BUILT_IMAGES += vendor.img @@ -35,6 +37,7 @@ endif ifeq ($(BUILD_WITH_AVB),true) BUILT_IMAGES += vbmeta.img endif +endif ifeq ($(strip $(HAS_BUILD_NUMBER)),false) # BUILD_NUMBER has a timestamp in it, which means that @@ -85,6 +88,9 @@ endif ifdef KERNEL_DEVICETREE DTBTOOL := $(BOARD_AML_VENDOR_PATH)/tools/dtbTool +DTCTOOL := out/host/linux-x86/bin/dtc +DTIMGTOOL := out/host/linux-x86/bin/mkdtimg + ifdef KERNEL_DEVICETREE_CUSTOMER_DIR KERNEL_DEVICETREE_DIR := $(KERNEL_DEVICETREE_CUSTOMER_DIR) else @@ -116,7 +122,7 @@ ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true) INSTALLED_BOARDDTB_TARGET := $(INSTALLED_BOARDDTB_TARGET).encrypt endif# ifeq ($(PRODUCT_BUILD_SECURE_BOOT_IMAGE_DIRECTLY),true) -$(INSTALLED_BOARDDTB_TARGET) : $(KERNEL_DEVICETREE_SRC) $(KERNEL_OUT) $(KERNEL_CONFIG) +$(INSTALLED_BOARDDTB_TARGET) : $(KERNEL_DEVICETREE_SRC) $(DTCTOOL) $(DTIMGTOOL) $(foreach aDts, $(KERNEL_DEVICETREE), \ sed -i 's/^#include \"partition_.*/#include \"$(TARGET_PARTITION_DTSI)\"/' $(KERNEL_ROOTDIR)/$(KERNEL_DEVICETREE_DIR)/$(strip $(aDts)).dts; \ sed -i 's/^#include \"firmware_.*/#include \"$(TARGET_FIRMWARE_DTSI)\"/' $(KERNEL_ROOTDIR)/$(KERNEL_DEVICETREE_DIR)/$(TARGET_PARTITION_DTSI); \ @@ -140,9 +146,16 @@ ifeq ($(BOARD_AVB_ENABLE),true) --partition_name dtb endif +$(BOARD_PREBUILT_DTBOIMAGE): $(INSTALLED_BOARDDTB_TARGET) | $(DTCTOOL) $(DTIMGTOOL) + $(DTCTOOL) -@ -O dtb -o $(PRODUCT_OUT)/$(DTBO_DEVICETREE).dtbo $(KERNEL_ROOTDIR)/$(KERNEL_DEVICETREE_DIR)/$(DTBO_DEVICETREE).dts + $(DTIMGTOOL) create $@ $(PRODUCT_OUT)/$(DTBO_DEVICETREE).dtbo + .PHONY: dtbimage dtbimage: $(INSTALLED_BOARDDTB_TARGET) +.PHONY: dtboimage +dtboimage: $(PRODUCT_OUT)/dtbo.img + endif # ifdef KERNEL_DEVICETREE # Adds to <product name>-img-<build number>.zip so can be flashed. b/110831381 
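Review bot: The `ifdef BOARD_PREBUILT_DTBOIMAGE` added in the first hunk sits inside the still-open `ifneq ($(AB_OTA_UPDATER),true)` and is closed by the pre-existing `endif`, so the `+endif` added after the `BUILD_WITH_AVB` block in the second hunk now closes the A/B conditional instead. As far as the visible lines show, `vendor.img` through `vbmeta.img` would then be added to `BUILT_IMAGES` only on non-A/B builds, and `dtbo.img` never on A/B builds. If that is not intended, put an `endif` directly after `BUILT_IMAGES += cache.img`, follow it with the self-contained `ifdef BOARD_PREBUILT_DTBOIMAGE` / `BUILT_IMAGES += dtbo.img` / `endif`, and drop the later `+endif`. The lines between the two hunks are not shown, so this needs checking against the full file.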
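Review bot: The new phony target in the last hunk is declared as `dtboimage: $(PRODUCT_OUT)/dtbo.img`, but the only rule added builds `$(BOARD_PREBUILT_DTBOIMAGE)`, so unless the board config sets that variable to exactly `$(PRODUCT_OUT)/dtbo.img` make has no rule for the prerequisite; `dtboimage: $(BOARD_PREBUILT_DTBOIMAGE)` avoids the mismatch. The recipe compiles `$(KERNEL_ROOTDIR)/$(KERNEL_DEVICETREE_DIR)/$(DTBO_DEVICETREE).dts` without listing it as a prerequisite, so an edited overlay source does not trigger a rebuild, and `DTCTOOL`/`DTIMGTOOL` are hard-coded to `out/host/linux-x86/bin/` in the earlier hunk rather than derived from the build's host output variable. The dtb image goes through a step with `--partition_name dtb` under `BOARD_AVB_ENABLE` just above this rule, and nothing comparable is visible for dtbo.img, so it is worth confirming that the overlay is covered by verified boot. The rule sits inside the `ifdef KERNEL_DEVICETREE` block, which opens outside this hunk.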
@@ -369,6 +382,10 @@ ifeq ($(BOARD_USES_PRODUCTIMAGE),true) FASTBOOT_IMAGES += product.img endif +ifdef BOARD_PREBUILT_DTBOIMAGE +FASTBOOT_IMAGES += dtbo.img +endif + ifeq ($(BUILD_WITH_AVB),true) FASTBOOT_IMAGES += vbmeta.img endif diff --git a/flash-all-ab.bat b/flash-all-ab.bat index df57ea7..df57ea7 100755..100644 --- a/flash-all-ab.bat +++ b/flash-all-ab.bat diff --git a/flash-all-ab.sh b/flash-all-ab.sh index 60a3bb6..60a3bb6 100755..100644 --- a/flash-all-ab.sh +++ b/flash-all-ab.sh diff --git a/flash-all.bat b/flash-all.bat index dbbeaf5..a52d9d9 100755..100644 --- a/flash-all.bat +++ b/flash-all.bat @@ -26,7 +26,10 @@ ping -n 5 127.0.0.1 >nul fastboot flashing unlock_critical fastboot flashing unlock fastboot flash dts dt.img +fastboot flash dtbo dtbo.img fastboot -w +fastboot erase param +fastboot erase tee fastboot flash vbmeta vbmeta.img fastboot flash odm odm.img fastboot flash logo logo.img diff --git a/flash-all.sh b/flash-all.sh index 96397a9..7ba15f4 100755..100644 --- a/flash-all.sh +++ b/flash-all.sh @@ -61,7 +61,9 @@ sleep 5 fastboot $sern flashing unlock_critical fastboot $sern flashing unlock fastboot $sern flash dts dt.img +fastboot $sern flash dtbo dtbo.img fastboot $sern erase param +fastboot $sern erase tee fastboot $sern -w flash_with_retry vbmeta vbmeta.img diff --git a/init.amlogic.media.rc b/init.amlogic.media.rc index 5ab1885..008fde8 100644 --- a/init.amlogic.media.rc +++ b/init.amlogic.media.rc @@ -14,11 +14,13 @@ on fs insmod /vendor/lib/modules/amvdec_mjpeg.ko insmod /vendor/lib/modules/amvdec_mmjpeg.ko insmod /vendor/lib/modules/amvdec_mpeg12.ko + insmod /vendor/lib/modules/amvdec_mmpeg12.ko insmod /vendor/lib/modules/amvdec_mpeg4.ko insmod /vendor/lib/modules/amvdec_mmpeg4.ko insmod /vendor/lib/modules/amvdec_real.ko insmod /vendor/lib/modules/amvdec_vc1.ko insmod /vendor/lib/modules/amvdec_vp9.ko + insmod /vendor/lib/modules/amvdec_avs2.ko insmod /vendor/lib/modules/encoder.ko insmod /vendor/lib/modules/vpu.ko 
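Review bot: In flash-all.bat, `fastboot flash dtbo dtbo.img` is added unconditionally, while the build adds dtbo.img to `FASTBOOT_IMAGES` only under `ifdef BOARD_PREBUILT_DTBOIMAGE`, so on a board without a prebuilt overlay the script refers to a file that is not in the package. flash-all.sh gets the same line as `fastboot $sern flash dtbo dtbo.img`, outside `flash_with_retry`. The added `fastboot erase tee` (both scripts) wipes the `tee` partition on every run; if that partition holds provisioned keys or secure storage on these devices, a comment stating why it must be erased, or an explicit opt-in, would make the data loss deliberate rather than incidental. The file headers also show a mode change `100755..100644` on all four flash scripts, which drops the executable bit from the `.sh` files.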
diff --git a/optimization/config b/optimization/config
index ec564fc..597a2ec 100755
--- a/optimization/config
+++ b/optimization/config
@@ -1 +1 @@ -NPEF;IjhiQspgjmfEBUB;0tzt0dmbtt0uifsnbm0uifsnbm`{pof10npef;ejtbcmfe0tzt0dmbtt0uifsnbm0uifsnbm`{pof20npef;ejtbcmfe0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0tdbmjoh`nby`gsfr;0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0dqvjogp`nby`gsfr0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0inq`cpptu;20tzt0dmbtt0nqhqv0tdbmf`npef;40tzt0efwjdft0tztufn0dmpdltpvsdf0dmpdltpvsdf10dvssfou`dmpdltpvsdf;Ujnfs.Ltzt/pqujnj{bujpo/vj/ix;usvftzt/ibsexbsf/wtzod;usvfQLH;dpn/bouvuvdpn/sjhiuxbsf/uenn3w21kojgsfftpguxfh/ix/qfsgpsnbodfdpn/hmcfodinbsldb/qsjnbufmbct/hfflcfodi3dpn/fmmjtnbslpw/hqvcfodiqfsgpsnbodf/uftudpn/hsffofdpnqvujoh/mjoqbdldpn/espmf{/ocfoditf/ofobdpn/rvbmdpnn/ry/ofpdpsfdpn/bvspsbtpguxpslt/rvbesboudpn/tnbsucfodi/fmfwfodpn/qbttnbsl/qu`npcjmfdpn/fecvsofuuf/gqt3edpn/Cgjfme/DqvJefoujgjfsfv/dibjogjsf/dgcfodidpn/gvuvsfnbsl/enboespje/bqqmjdbujpodpn/rvjdjod/wfmmbnpdpn/IPUJDF/NpcjmfUftudpn/qduwuw/boespje/uutydpn/ffncd/dpsfnbsldpn/boespje/dn4dpn/qsjnbufmbctdpn/bsn/of21/efnpdpn/boespje/dut/pqfohm0/qsjnjujwf/HMQsjnjujwfBdujwjuzdpn/ubdufm/fmfdupqjbdpn/rrgsjfoetdpn/topxdpme/cfodinbslNPEF;DqvMjnjufsGsfrEBUB;0tzt0dmbtt0uifsnbm0uifsnbm`{pof10npef;ejtbcmfe0tzt0dmbtt0uifsnbm0uifsnbm`{pof20npef;ejtbcmfe0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0tdbmjoh`nby`gsfr;711111QLH;dpn/bouvuv/uftufsNPEF;HqvGpsdfSfoefsEBUB;tzt/pqujnj{bujpo/vj/ix;usvfQLH;dpn/ufodfou/hbnf/sizuinnbtufsNPEF;DUTEBUB;tzt/wtzod/uzqf;ibsexbsftzt/nfejb/pny/ws;usvfQLH;boespje/nfejb/dut0/EfdpefBddvsbdzUftuBdujwjuzboespje/wjfx/dut0/QjyfmDpqzWjefpTpvsdfBdujwjuzboespje/wjfx/dut0/tvsgbdfwbmjebups/DbquvsfeBdujwjuzdpn/hpphmf/boespje/fypqmbzfs/hut0/vujm/IptuBdujwjuzdpn/boespje/dut/wfsjgjfsNPEF;HqvIjhiQspgjmfEBUB;0tzt0dmbtt0nqhqv0tdbmf`npef;4QLH;dpn/esbxfmfnfout/efrqboespje/mfbocbdlkbol/dutboespje/mfbocbdlkbol/bqqdpn/boespje/tfswfs/dut/efwjdf/hsbqijdttubutboespje/wjfx/dut0/EjtqmbzSfgsftiSbufDutBdujwjuzboespje/pqfohmqfsg/dut0/HmQmbofutBdujwjuzdpn/ofugmjy/ojokb0/NbjoBdujwjuzNPEF;FodpefsHutUftuEBUB;ix/fodpefs/cjusbuf/uftu;2nfejb/pny/ejtqmbz`npef;20tzt0npevmf0ej0qbsbnfu
fst0czqbtt`bmm;2QLH;dpn/hpphmf/boespje/nfejb/hut
\ No newline at end of file +NPEF;IjhiQspgjmfEBUB;0tzt0dmbtt0uifsnbm0uifsnbm`{pof10npef;ejtbcmfe0tzt0dmbtt0uifsnbm0uifsnbm`{pof20npef;ejtbcmfe0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0tdbmjoh`nby`gsfr;0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0dqvjogp`nby`gsfr0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0inq`cpptu;20tzt0dmbtt0nqhqv0tdbmf`npef;40tzt0efwjdft0tztufn0dmpdltpvsdf0dmpdltpvsdf10dvssfou`dmpdltpvsdf;Ujnfs.Ltzt/pqujnj{bujpo/vj/ix;usvftzt/ibsexbsf/wtzod;usvfQLH;dpn/bouvuvdpn/sjhiuxbsf/uenn3w21kojgsfftpguxfh/ix/qfsgpsnbodfdpn/hmcfodinbsldb/qsjnbufmbct/hfflcfodi3dpn/fmmjtnbslpw/hqvcfodiqfsgpsnbodf/uftudpn/hsffofdpnqvujoh/mjoqbdldpn/espmf{/ocfoditf/ofobdpn/rvbmdpnn/ry/ofpdpsfdpn/bvspsbtpguxpslt/rvbesboudpn/tnbsucfodi/fmfwfodpn/qbttnbsl/qu`npcjmfdpn/fecvsofuuf/gqt3edpn/Cgjfme/DqvJefoujgjfsfv/dibjogjsf/dgcfodidpn/gvuvsfnbsl/enboespje/bqqmjdbujpodpn/rvjdjod/wfmmbnpdpn/IPUJDF/NpcjmfUftudpn/qduwuw/boespje/uutydpn/ffncd/dpsfnbsldpn/boespje/dn4dpn/qsjnbufmbctdpn/bsn/of21/efnpdpn/boespje/dut/pqfohm0/qsjnjujwf/HMQsjnjujwfBdujwjuzdpn/ubdufm/fmfdupqjbdpn/rrgsjfoetdpn/topxdpme/cfodinbslNPEF;DqvMjnjufsGsfrEBUB;0tzt0dmbtt0uifsnbm0uifsnbm`{pof10npef;ejtbcmfe0tzt0dmbtt0uifsnbm0uifsnbm`{pof20npef;ejtbcmfe0tzt0efwjdft0tztufn0dqv0dqv10dqvgsfr0tdbmjoh`nby`gsfr;711111QLH;dpn/bouvuv/uftufsNPEF;HqvGpsdfSfoefsEBUB;tzt/pqujnj{bujpo/vj/ix;usvfQLH;dpn/ufodfou/hbnf/sizuinnbtufsNPEF;DUTEBUB;tzt/wtzod/uzqf;ibsexbsfnfejb/pny/ws;usvfQLH;boespje/nfejb/dut0/EfdpefBddvsbdzUftuBdujwjuzboespje/wjfx/dut0/QjyfmDpqzWjefpTpvsdfBdujwjuzboespje/wjfx/dut0/tvsgbdfwbmjebups/DbquvsfeBdujwjuzdpn/hpphmf/boespje/fypqmbzfs/hut0/vujm/IptuBdujwjuzdpn/boespje/dut/wfsjgjfsNPEF;HqvIjhiQspgjmfEBUB;0tzt0dmbtt0nqhqv0tdbmf`npef;4QLH;dpn/esbxfmfnfout/efrqboespje/mfbocbdlkbol/dutboespje/mfbocbdlkbol/bqqdpn/boespje/tfswfs/dut/efwjdf/hsbqijdttubutboespje/wjfx/dut0/EjtqmbzSfgsftiSbufDutBdujwjuzboespje/pqfohmqfsg/dut0/HmQmbofutBdujwjuzdpn/ofugmjy/ojokb0/NbjoBdujwjuzNPEF;FodpefsHutUftuEBUB;nfejb/fodpefs/cjusbuf/uftu;2nfejb/pny/ejtqmbz`npef;20tzt0np
evmf0ej0qbsbnfufst0czqbtt`bmm;2QLH;dpn/hpphmf/boespje/nfejb/hut
\ No newline at end of file diff --git a/optimization/liboptimization_32.so b/optimization/liboptimization_32.so index 90bf96a..991f8b8 100755..100644 --- a/optimization/liboptimization_32.so +++ b/optimization/liboptimization_32.so @@ -1,19 +1,19 @@ -ELF - -@ -HAxD -(F!FOrB(F@U-OF +ELF + +HAxD +(F!FOr6(F@-OF -!F, HFpy x/(%1HDhxD - - - +!F, HFpy x/(%1HDhxD + + + +O +PF1F"PF9F"0PF9F" F1F
+ +9 C -$8F - -O -PF1F"PF9F"\PF9F" F1F
- +b$8F +, HF*F p @@ -23,18 +23,19 @@ p hHF1F 1DF - -) -أ0F)F"F -1 ,أ2h(F!F -F + +) -أ0F)F"F +1 ,أ2h(F!F + +F -nFcH -"F - FoBF -KzD +nFcH +"F + FoBF +KzD Fb -8 +8 p@ p@ p@ @@ -44,48 +45,55 @@ Fb p@ hA - + I}D J -KzD - FoG%HxD +KzD + FoG%HxD `J - - - - - - + + + - - - - - - - - - - - + + + + + + + + + + + + + + - + - - - + + + + + A -"&7zXZ - l5^<`.sd<GePPcFT-R? $Xg\L[~I8H -ŷd< - ^wcK뭗AkSO6i0~!3]X-擩mR
}ךd&YP,J|N6ܒ{/BKO$J-v`ʽ$ӻE=ᷕ,SbdN -!%}(-3e2-/i,"ezl-^2**Aaz#\Dh#. -Nc鑵wHi,&(l25U\f֬%
1_gq[Q-3xGoKQ1ֳTfT'_q"c
W%nXokER&xmWcC\źLUmcddͦZr>kVmQMnmm~^X}#g&g1*5Є
vӯ;G0_/3OepMLřWՇu3 -箱 -Zb#3t -\EaJ9fJbeqorzH&ȵZX=35eD;hC_sǂ֎ -=2 -g - - +"&7zXZ +[B⥐jyvƷxV^ SW9 +e.2QϺ2CP9YF'3 +x ̬=H7^T89%\.[Bo'qudJbNJ(PIh&܅٦:(hE=)uW=VSO$6/Ƨgf-VKY +Dۛ<$Uf_'
T$ܐ;5.ΌgΏIs.,21Z^/
~I 3TMG}ZI r|#FUr;Z(Е[>¿iOK2?73k6/
8'2rD0JW+2،##>5ఆ7z0`"__C@8q*eF#*Y[AfhgVk%-yR[kTݜi5P VI!@^X6_
kp_W`EY#v=0ƞe+ܨ'WgK6as_j&A;XcʗQ㶙v~^a!ZV֡wxaM'egVҏAGn;e'?L*p!YcP*xA+$Pџ4zGC>)^?V +$qҦK(Ȟ
b?샑8P}{'g {{6kM9> 2+wՕ.a# +*YTH״ + +REj)GAűy'qGܯ)BA9FE䈆- +Cq:& +\ +BƔgGvݑdaxCo Kx>B
RZ.rapw.b + + + + + + diff --git a/products/mbox/init.amlogic.system.rc b/products/mbox/init.amlogic.system.rc index 10b9ee9..b7a460a 100644 --- a/products/mbox/init.amlogic.system.rc +++ b/products/mbox/init.amlogic.system.rc @@ -239,6 +239,11 @@ on boot chown media system /sys/module/amvdec_h265/parameters/double_write_mode chmod 666 /sys/module/amvdec_h265/parameters/double_write_mode + chown media system /sys/module/amdolby_vision/parameters/dolby_vision_profile + chown media system /sys/module/amdolby_vision/parameters/dolby_vision_level + chmod 666 /sys/module/amdolby_vision/parameters/dolby_vision_profile + chmod 666 /sys/module/amdolby_vision/parameters/dolby_vision_level + chown media system /sys/module/deinterlace/parameters/deinterlace_mode chown media system /sys/class/graphics/fb0/block_mode @@ -269,7 +274,7 @@ on boot chown system system /sys/class/amhdmitx/amhdmitx0/cec_lang_config chown system system /sys/class/amhdmitx/amhdmitx0/config chown system system /sys/class/amhdmitx/amhdmitx0/avmute - chmod 0664 /sys/class/amhdmitx/amhdmitx0/avmute + chmod 0666 /sys/class/amhdmitx/amhdmitx0/avmute chown mediadrm audio /sys/class/amhdmitx/amhdmitx0/aud_output_chs chown media system /sys/class/switch/hdmi/state chmod 0660 /sys/class/switch/hdmi/state diff --git a/products/mbox/upgrade_4.9/aml_upgrade_package.conf b/products/mbox/upgrade_4.9/aml_upgrade_package.conf index 6b1e222..e64aed8 100644 --- a/products/mbox/upgrade_4.9/aml_upgrade_package.conf +++ b/products/mbox/upgrade_4.9/aml_upgrade_package.conf @@ -24,4 +24,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img" main_type="PARTITION" sub_type="recovery" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" 
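Review bot: In products/mbox/init.amlogic.system.rc the added `chmod 666` on `dolby_vision_profile` and `dolby_vision_level`, and the change of `avmute` from `0664` to `0666`, make these sysfs nodes world-writable even though each is `chown`ed to `media system` or `system system` on the lines right above. With mode 666 the DAC layer no longer restricts writers at all and only the SELinux labels stand between an arbitrary process and these kernel parameters, which runs against the commit's stated aim of tighter access. `chmod 0664` keeps owner and group write; if a writer outside those groups is really required, a comment naming it would justify the wider mode. products/tv/init.amlogic.system.rc receives the same lines (there `avmute` goes from `644` to `0666`).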
diff --git a/products/mbox/upgrade_4.9/aml_upgrade_package_AB.conf b/products/mbox/upgrade_4.9/aml_upgrade_package_AB.conf index e78eb2a..ad38dda 100644 --- a/products/mbox/upgrade_4.9/aml_upgrade_package_AB.conf +++ b/products/mbox/upgrade_4.9/aml_upgrade_package_AB.conf @@ -23,4 +23,5 @@ file="odm.img" main_type="PARTITION" sub_type="odm_a" file="odm.img" main_type="PARTITION" sub_type="odm_b" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/mbox/upgrade_4.9/aml_upgrade_package_AB_enc.conf b/products/mbox/upgrade_4.9/aml_upgrade_package_AB_enc.conf index 4d76632..c65dee0 100644 --- a/products/mbox/upgrade_4.9/aml_upgrade_package_AB_enc.conf +++ b/products/mbox/upgrade_4.9/aml_upgrade_package_AB_enc.conf @@ -27,4 +27,5 @@ file="odm.img" main_type="PARTITION" sub_type="odm_a" file="odm.img" main_type="PARTITION" sub_type="odm_b" file="bootloader.img.encrypt" main_type="PARTITION" sub_type="bootloader" file="dt.img.encrypt" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/mbox/upgrade_4.9/aml_upgrade_package_avb.conf b/products/mbox/upgrade_4.9/aml_upgrade_package_avb.conf index 5985f54..c35249c 100644 --- a/products/mbox/upgrade_4.9/aml_upgrade_package_avb.conf +++ b/products/mbox/upgrade_4.9/aml_upgrade_package_avb.conf @@ -25,4 +25,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img" main_type="PARTITION" sub_type="recovery" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/mbox/upgrade_4.9/aml_upgrade_package_enc.conf b/products/mbox/upgrade_4.9/aml_upgrade_package_enc.conf index 1fe859b..714ef45 100644 --- a/products/mbox/upgrade_4.9/aml_upgrade_package_enc.conf 
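Review bot: In aml_upgrade_package_AB_enc.conf the new entry packages plain `dtbo.img`, while the neighbouring boot-chain entries in the same list are the processed variants `bootloader.img.encrypt` and `dt.img.encrypt`. The same plain entry is added to the other `_enc` lists for mbox and tv. If the `_enc` packages are meant for secure-boot devices, the overlay is applied on top of the device tree and should be protected the same way, so please confirm that dtbo.img is verified by another mechanism, or package a processed image here. A short comment next to the entry stating which mechanism covers it would settle the question for later readers.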
+++ b/products/mbox/upgrade_4.9/aml_upgrade_package_enc.conf @@ -28,4 +28,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img.encrypt" main_type="PARTITION" sub_type="recovery" file="bootloader.img.encrypt" main_type="PARTITION" sub_type="bootloader" file="dt.img.encrypt" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/init.amlogic.system.rc b/products/tv/init.amlogic.system.rc index a20c565..5de777d 100755 --- a/products/tv/init.amlogic.system.rc +++ b/products/tv/init.amlogic.system.rc @@ -253,6 +253,11 @@ on boot chown media system /sys/module/amvdec_h265/parameters/double_write_mode chmod 666 /sys/module/amvdec_h265/parameters/double_write_mode + chown media system /sys/module/amdolby_vision/parameters/dolby_vision_profile + chown media system /sys/module/amdolby_vision/parameters/dolby_vision_level + chmod 666 /sys/module/amdolby_vision/parameters/dolby_vision_profile + chmod 666 /sys/module/amdolby_vision/parameters/dolby_vision_level + chown media system /sys/module/deinterlace/parameters/deinterlace_mode chown media system /sys/class/graphics/fb0/block_mode @@ -283,7 +288,7 @@ on boot chown system system /sys/class/amhdmitx/amhdmitx0/cec_lang_config chown system system /sys/class/amhdmitx/amhdmitx0/config chown system system /sys/class/amhdmitx/amhdmitx0/avmute - chmod 644 /sys/class/amhdmitx/amhdmitx0/avmute + chmod 0666 /sys/class/amhdmitx/amhdmitx0/avmute chown system mediadrm /sys/class/amhdmitx/amhdmitx0/aud_output_chs chown media system /sys/class/switch/hdmi/state chmod 0660 /sys/class/switch/hdmi/state diff --git a/products/tv/product_tv.mk b/products/tv/product_tv.mk index 974a778..9bad47f 100644 --- a/products/tv/product_tv.mk +++ b/products/tv/product_tv.mk 
@@ -96,8 +96,13 @@ endif # USB PRODUCT_COPY_FILES += \ - frameworks/native/data/etc/android.hardware.usb.host.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.usb.host.xml \ + frameworks/native/data/etc/android.hardware.usb.host.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.usb.host.xml + +#usb accessory donnot need in atv +ifneq ($(TARGET_BUILD_GOOGLE_ATV), true) +PRODUCT_COPY_FILES += \ frameworks/native/data/etc/android.hardware.usb.accessory.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.usb.accessory.xml +endif custom_keylayouts := $(wildcard device/amlogic/common/keyboards/*.kl) PRODUCT_COPY_FILES += $(foreach file,$(custom_keylayouts),\ @@ -136,3 +141,7 @@ PRODUCT_PROPERTY_OVERRIDES += \ #TV project,set omx to video layer,or PQ hasn't effect PRODUCT_PROPERTY_OVERRIDES += \ media.omx.display_mode=1 + +#TV project, need use 8 ch 32 bit output. +TARGET_WITH_TV_AUDIO_MODE := true + diff --git a/products/tv/ueventd.amlogic.rc b/products/tv/ueventd.amlogic.rc index 8851eb2..38434bb 100644 --- a/products/tv/ueventd.amlogic.rc +++ b/products/tv/ueventd.amlogic.rc @@ -39,7 +39,7 @@ /dev/HevcEnc 0660 mediacodec system /dev/amsubtitle 0660 media system /dev/jpegenc 0660 media system -/dev/display 0660 media graphics +/dev/display 0660 media graphics #audio data /dev/audio_data_debug 0660 mediacodec audio @@ -80,6 +80,7 @@ /sys/devices/bt-dev.*/rfkill/rfkill0 state 0660 bluetooth bluetooth /sys/devices/bt-dev.*/rfkill/rfkill0 type 0660 bluetooth bluetooth /dev/rtk_btusb 0660 bluetooth bluetooth +/dev/rtkbt_dev 0660 bluetooth bluetooth /dev/hidraw* 0660 system audio #hdmi cec /sys/class/amhdmitx/amhdmitx0 phy_addr 0664 system system @@ -92,6 +93,7 @@ # /dev/graphics/* 0660 root graphics +/dev/display 0660 root graphics # For USB Joysticks /dev/input/js* 0664 system system diff --git a/products/tv/upgrade_4.9/aml_upgrade_package.conf b/products/tv/upgrade_4.9/aml_upgrade_package.conf index 6b1e222..e64aed8 100644 
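Review bot: After the products/tv/ueventd.amlogic.rc hunks the file carries two entries for `/dev/display` with different owners: the existing `/dev/display 0660 media graphics` (only re-spaced in the first hunk) and the new `/dev/display 0660 root graphics` added after `/dev/graphics/*`. Which of the two takes effect depends on ueventd's matching order, so the node's real owner cannot be read from the file. Keep a single entry with the intended owner and remove the other one.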
--- a/products/tv/upgrade_4.9/aml_upgrade_package.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package.conf @@ -24,4 +24,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img" main_type="PARTITION" sub_type="recovery" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/upgrade_4.9/aml_upgrade_package_AB.conf b/products/tv/upgrade_4.9/aml_upgrade_package_AB.conf index 96bfb61..2491323 100644 --- a/products/tv/upgrade_4.9/aml_upgrade_package_AB.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package_AB.conf @@ -22,4 +22,5 @@ file="vendor.img" main_type="PARTITION" sub_type="vendor_a" file="odm.img" main_type="PARTITION" sub_type="odm_a" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/upgrade_4.9/aml_upgrade_package_AB_enc.conf b/products/tv/upgrade_4.9/aml_upgrade_package_AB_enc.conf index b2af592..bc0bb43 100644 --- a/products/tv/upgrade_4.9/aml_upgrade_package_AB_enc.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package_AB_enc.conf @@ -27,4 +27,5 @@ file="system.img" main_type="PARTITION" sub_type="system_a" #file="system.img" main_type="PARTITION" sub_type="system_b" file="bootloader.img.encrypt" main_type="PARTITION" sub_type="bootloader" file="dt.img.encrypt" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/upgrade_4.9/aml_upgrade_package_avb.conf b/products/tv/upgrade_4.9/aml_upgrade_package_avb.conf index 1e17a97..ddc66fc 100644 --- a/products/tv/upgrade_4.9/aml_upgrade_package_avb.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package_avb.conf 
@@ -26,4 +26,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img" main_type="PARTITION" sub_type="recovery" file="bootloader.img" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/upgrade_4.9/aml_upgrade_package_avb_enc.conf b/products/tv/upgrade_4.9/aml_upgrade_package_avb_enc.conf index 0c9574c..7fd2f8b 100644 --- a/products/tv/upgrade_4.9/aml_upgrade_package_avb_enc.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package_avb_enc.conf @@ -30,4 +30,4 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img.encrypt" main_type="PARTITION" sub_type="recovery" file="bootloader.img.encrypt" main_type="PARTITION" sub_type="bootloader" file="dt.img" main_type="PARTITION" sub_type="_aml_dtb" - +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/products/tv/upgrade_4.9/aml_upgrade_package_enc.conf b/products/tv/upgrade_4.9/aml_upgrade_package_enc.conf index 0413369..dec7053 100644 --- a/products/tv/upgrade_4.9/aml_upgrade_package_enc.conf +++ b/products/tv/upgrade_4.9/aml_upgrade_package_enc.conf @@ -28,4 +28,5 @@ file="product.img" main_type="PARTITION" sub_type="product" file="recovery.img.encrypt" main_type="PARTITION" sub_type="recovery" file="bootloader.img.encrypt" main_type="PARTITION" sub_type="bootloader" file="dt.img.encrypt" main_type="PARTITION" sub_type="_aml_dtb" +file="dtbo.img" main_type="PARTITION" sub_type="dtbo" diff --git a/recovery/init.rc b/recovery/init.rc index dc28a52..6e564e9 100644 --- a/recovery/init.rc +++ b/recovery/init.rc @@ -29,6 +29,8 @@ on init write /proc/sys/kernel/panic_on_oops 1 write /proc/sys/vm/max_map_count 1000000 + write /proc/sys/vm/watermark_scale_factor 30 + write /proc/sys/vm/min_free_kbytes 12288 # Mount configfs for ffs mount configfs configfs /sys/kernel/config 
diff --git a/recovery/updater-script b/recovery/updater-script index 4bf0ce8..ed9688a 100755..100644 --- a/recovery/updater-script +++ b/recovery/updater-script @@ -1,5 +1,7 @@ ui_print("update logo.img..."); package_extract_file("logo.img", "/dev/block/logo"); +ui_print("update dtbo.img..."); +package_extract_file("dtbo.img", "/dev/block/dtbo"); ui_print("update dtb.img..."); backup_data_cache(dtb, /cache/recovery/); write_dtb_image(package_extract_file("dt.img")); diff --git a/seccomp/mediaextractor.policy b/seccomp/mediaextractor.policy index 0ec4dd8..6ebcd51 100644 --- a/seccomp/mediaextractor.policy +++ b/seccomp/mediaextractor.policy @@ -5,3 +5,4 @@ getuid: 1 newfstatat: 1 getrlimit: 1 sched_setscheduler: 1 +recvfrom: 1 diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te index bb6d881..246a01f 100644 --- a/sepolicy/audioserver.te +++ b/sepolicy/audioserver.te @@ -12,6 +12,11 @@ allow audioserver self:netlink_kobject_uevent_socket create_socket_perms_no_ioct # operation hidraw device allow audioserver hidraw_audio_device:chr_file rw_file_perms; +#bootanim +allow audioserver bootanim:binder call; + #operation property; set_prop(audioserver, audio_prop) + +get_prop(audioserver, vendor_platform_prop) diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te new file mode 100644 index 0000000..eb54089 --- a/dev/null +++ b/sepolicy/bluetooth.te @@ -0,0 +1,3 @@ +type device_stpbt, dev_type,fs_type; +allow bluetooth system_control_service:service_manager find; +allow bluetooth device_stpbt:chr_file { open read write }; diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te index 5d1577a..49a56ef 100644 --- a/sepolicy/bootanim.te +++ b/sepolicy/bootanim.te @@ -1 +1,14 @@ -#allow bootanim vendor_file:file { open read getattr execute };
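Review bot: In seccomp/mediaextractor.policy, `recvfrom: 1` is allowed unconditionally with no comment, and the commit message does not say which code path needs it. This file is the syscall allowlist for the process that parses media content, so every added syscall widens what a compromised extractor can reach. Please add a comment above the line naming the caller, for example `# recvfrom: needed by <component>; observed as a seccomp denial when <scenario>`, so the entry can be removed once that caller goes away.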
+allow bootanim sysfs_video:dir { search }; +allow bootanim sysfs_video:file { open read write getattr }; +allow bootanim input_device:dir {open read write search }; +allow bootanim input_device:chr_file {open read write ioctl }; +allow bootanim sysfs_display:file {open read write ioctl }; +allow bootanim video_device:chr_file {open read write getattr ioctl }; +allow bootanim sysfs_audio:file {open read write getattr }; +allow bootanim system_data_file:file { open read }; +allow bootanim system_data_file:dir { open read }; +allow bootanim mediaserver_service:service_manager { find }; +allow bootanim mediaserver:binder { call transfer }; +set_prop(bootanim, system_prop) +get_prop(bootanim, media_prop) + diff --git a/sepolicy/bootvideo.te b/sepolicy/bootvideo.te index 6f1ca89..356394e 100644 --- a/sepolicy/bootvideo.te +++ b/sepolicy/bootvideo.te @@ -23,4 +23,7 @@ allow bootvideo property_socket:sock_file write; allow bootvideo sysfs_xbmc:file { open read write getattr }; -set_prop(bootvideo, system_prop) +#--------------------------------------------------------------------# +# product_shipping_api_level=28 vendor/system cannot share prop +#--------------------------------------------------------------------# +#set_prop(bootvideo, system_prop) diff --git a/sepolicy/device.te b/sepolicy/device.te index b97236f..f8f8cb8 100644 --- a/sepolicy/device.te +++ b/sepolicy/device.te @@ -4,6 +4,7 @@ type env_device, dev_type; type bootloader_device, dev_type; type defendkey_device, dev_type; type dtb_device, dev_type; +type frontend_device, dev_type; type dvb_device, dev_type, mlstrustedobject; type cec_device, dev_type; @@ -21,6 +22,7 @@ type amvideo_device, dev_type; type codec_device, dev_type; type product_block_device, dev_type; +type dtbo_block_device, dev_type; type param_block_device, dev_type; type cri_block_device, dev_type; 
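Review bot: The new sepolicy/bootanim.te grants the boot-animation domain considerably more than the commented-out line it replaces: `write` on `input_device` directories and character devices, read of generic `system_data_file`, and `set_prop(bootanim, system_prop)`. The same commit comments out `set_prop(bootvideo, system_prop)` in bootvideo.te with the remark that vendor and system cannot share properties at shipping API level 28, so granting the equivalent here from device policy looks inconsistent. Where the domain only needs to read, a narrower rule such as `allow bootanim input_device:chr_file r_file_perms;` would do. A one-line comment per rule naming the denial it resolves would show which of these grants are actually required.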
@@ -30,10 +32,12 @@ type drm_block_device, dev_type; type tee_block_device, dev_type; type odm_block_device, dev_type; type vendor_block_device, dev_type; +type vbmeta_block_device, dev_type; type system_block_fsck_device, dev_type; type subtitle_device, dev_type; type sw_sync_device, dev_type; type ge2d_device, dev_type; +type display_device, dev_type; type amvecm_device, dev_type; type di0_device, dev_type; type hidraw_device, dev_type; diff --git a/sepolicy/drmserver.te b/sepolicy/drmserver.te index 9351c5d..2e64607 100644 --- a/sepolicy/drmserver.te +++ b/sepolicy/drmserver.te @@ -9,3 +9,6 @@ allow drmserver kernel:system module_request; allow drmserver unlabeled:file { read }; +allow drmserver bootanim:fd { use }; +allow drmserver system_data_file:file { read }; + diff --git a/sepolicy/e2fs.te b/sepolicy/e2fs.te index 8ed0e16..a1babaf 100644 --- a/sepolicy/e2fs.te +++ b/sepolicy/e2fs.te @@ -5,6 +5,7 @@ allow e2fs product_block_device:blk_file { read getattr open ioctl write }; allow e2fs devpts:chr_file { read write getattr ioctl }; allow e2fs odm_block_device:blk_file getattr; +allow e2fs dtbo_block_device:blk_file getattr; allow e2fs system_block_fsck_device:blk_file getattr; allow e2fs tee_block_device:blk_file { getattr ioctl open read write }; allow e2fs vendor_block_device:blk_file getattr; diff --git a/sepolicy/file.te b/sepolicy/file.te index 1be0154..96e0bdf 100644 --- a/sepolicy/file.te +++ b/sepolicy/file.te @@ -66,6 +66,9 @@ type sysfs_remote, fs_type, sysfs_type; type sysfs_clock, fs_type, sysfs_type; type sysfs_hdmi, fs_type, sysfs_type; +type sysfs_ir, fs_type, sysfs_type; +type sysfs_pm, fs_type, sysfs_type; + type reco_file, file_type; type sysfs_unifykey, fs_type, sysfs_type; @@ -76,3 +79,6 @@ type hdcp_file, file_type, data_file_type, core_data_file_type; #for app jni lib type app_jni_lib_file, vendor_file_type, file_type; + +# /data/btmic/ +type btmic_data_file, file_type, data_file_type; 
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 0c05a2d..d975235 100644..100755 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -4,6 +4,7 @@ /data/media_rw/sdcard1 u:object_r:media_rw_data_file:s0 /data/tee(/.*)? u:object_r:tee_droid_data_file:s0 /data/droidota(/.*)? u:object_r:update_data_file:s0 +/data/vendor/btmic(/.*)? u:object_r:btmic_data_file:s0 /data/misc/wifi/sockets u:object_r:wifi_socket:s0 /data/misc/hdcp u:object_r:hdcp_file:s0 @@ -29,6 +30,8 @@ /dev/block/data u:object_r:userdata_block_device:s0 /dev/block/cache u:object_r:cache_block_device:s0 /dev/block/metadata u:object_r:metadata_block_device:s0 +/dev/block/metadata_a u:object_r:metadata_block_device:s0 +/dev/block/metadata_b u:object_r:metadata_block_device:s0 /dev/block/zram0 u:object_r:swap_block_device:s0 /dev/block/param u:object_r:param_block_device:s0 /dev/block/cri_data u:object_r:cri_block_device:s0 @@ -46,6 +49,11 @@ /dev/block/vendor_b u:object_r:vendor_block_device:s0 /dev/block/vendor u:object_r:vendor_block_device:s0 /dev/block/product u:object_r:product_block_device:s0 +/dev/block/product_a u:object_r:product_block_device:s0 +/dev/block/product_b u:object_r:product_block_device:s0 +/dev/block/dtbo u:object_r:dtbo_block_device:s0 +/dev/block/dtbo_a u:object_r:dtbo_block_device:s0 +/dev/block/dtbo_b u:object_r:dtbo_block_device:s0 /dev/block/misc u:object_r:misc_block_device:s0 /dev/block/tee u:object_r:tee_block_device:s0 /dev/block/odm u:object_r:odm_block_device:s0 
@@ -56,17 +64,24 @@ /dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0 /sys/block/mmcblk0/queue/read_ahead_kb u:object_r:sysfs_block_ahead:s0 +/dev/block/vbmeta_a u:object_r:vbmeta_block_device:s0 +/dev/block/vbmeta_b u:object_r:vbmeta_block_device:s0 +/dev/block/vbmeta u:object_r:vbmeta_block_device:s0 + /dev/block/mmcblk0boot0 u:object_r:bootloader_device:s0 /dev/block/mmcblk0boot1 u:object_r:bootloader_device:s0 /dev/block/bootloader u:object_r:bootloader_device:s0 /dev/bootloader u:object_r:bootloader_device:s0 /dev/btusb0 u:object_r:hci_attach_dev:s0 +/dev/stpbt u:object_r:device_stpbt:s0 /dev/cec u:object_r:cec_device:s0 /dev/defendkey u:object_r:defendkey_device:s0 +/dev/display u:object_r:display_device:s0 /dev/dtb u:object_r:dtb_device:s0 /dev/dvb0.* u:object_r:dvb_device:s0 /dev/dvb.* u:object_r:video_device:s0 +/dev/v4l2_frontend u:object_r:frontend_device:s0 /dev/esm u:object_r:hdcptx_device:s0 /dev/esm_rx u:object_r:hdcprx_device:s0 /dev/ge2d u:object_r:ge2d_device:s0 @@ -79,6 +94,7 @@ /dev/otz_client u:object_r:tee_device:s0 /dev/picdec u:object_r:picture_device:s0 /dev/rtk_btusb u:object_r:hci_attach_dev:s0 +/dev/rtkbt_dev u:object_r:hci_attach_dev:s0 /dev/socket/dig u:object_r:dig_socket:s0 /dev/socket/pppoe_wrapper u:object_r:pppoe_wrapper_socket:s0 /dev/sw_sync u:object_r:sw_sync_device:s0 @@ -89,8 +105,7 @@ /dev/tvafe0 u:object_r:video_device:s0 /dev/vdin0 u:object_r:video_device:s0 /dev/wifi_power u:object_r:radio_device:s0 -/dev/hidraw[0-3] u:object_r:hidraw_device:s0 -/dev/display u:object_r:graphics_device:s0 +/dev/hidraw[0-3] u:object_r:hidraw_device:s0 ############################# # boot files 
@@ -110,9 +125,11 @@ /sys/class/video/axis u:object_r:sysfs_video:s0 /sys/class/tsync/enable u:object_r:sysfs_video:s0 /sys/class/audiodsp/digital_raw u:object_r:sysfs_audio:s0 +/sys/class/amaudio/debug u:object_r:sysfs_audio:s0 /sys/class/hidraw(/.*)? u:object_r:sysfs_audio:s0 /sys/class/tsync/firstapts u:object_r:sysfs_xbmc:s0 /sys/class/tsync/pts_audio u:object_r:sysfs_xbmc:s0 +/sys/class/tsync/pts_video u:object_r:sysfs_xbmc:s0 /sys/class/tsync/event u:object_r:sysfs_xbmc:s0 /sys/class/tsync/pts_pcrscr u:object_r:sysfs_xbmc:s0 @@ -145,10 +162,13 @@ /sys/devices/platform/meson-fb/graphics/fb[0-3](/.*) u:object_r:sysfs_display:s0 /sys/class/lcd/enable u:object_r:sysfs_lcd:s0 /sys/class/video/video_scaler_path_sel u:object_r:sysfs_video:s0 +/sys/module/amdolby_vision/parameters(/.*)? u:object_r:sysfs_video:s0 /sys/class/unifykeys(/.*)? u:object_r:sysfs_unifykey:s0 /sys/devices/platform/ffd26000.hdmirx/hdmirx/hdmirx0/key u:object_r:sysfs_unifykey:s0 +/sys/devices/virtual/meson-irblaster/irblaster1(/.*)? u:object_r:sysfs_ir:s0 + /sys/class/aml_store/store_device u:object_r:sysfs_store:s0 /sys/class/defendkey/decrypt_dtb u:object_r:sysfs_defendkey:s0 /sys/class/aml_store/bl_off_bytes u:object_r:sysfs_store:s0 @@ -159,7 +179,9 @@ /sys/class/amhdmitx/amhdmitx0/sink_type u:object_r:sysfs_amhdmitx:s0 /sys/class/amhdmitx/amhdmitx0/edid_parsing u:object_r:sysfs_amhdmitx:s0 /sys/class/amhdmitx/amhdmitx0/hdcp_mode u:object_r:sysfs_amhdmitx:s0 +/sys/class/amhdmitx/amhdmitx0/avmute u:object_r:sysfs_amhdmitx:s0 /sys/class/amhdmitx/amhdmitx0/disp_cap u:object_r:sysfs_amhdmitx:s0 +/sys/class/amhdmitx/amhdmitx0/hdr_cap u:object_r:sysfs_amhdmitx:s0 /sys/module/amvdec_h265/parameters/double_write_mode u:object_r:sysfs_amvdec:s0 /sys/devices/virtual/remote/amremote(/.*)? u:object_r:sysfs_remote:s0 
@@ -167,6 +189,7 @@ /sys/devices/virtual/amhdmitx/amhdmitx0/hdmi_audio/state u:object_r:sysfs_hdmi:s0 /sys/devices/virtual/amhdmitx/amhdmitx0/hdmi/state u:object_r:sysfs_hdmi:s0 /sys/devices/virtual/thermal/thermal_zone0/mode u:object_r:sysfs_display:s0 +/sys/devices/platform/aml_pm/suspend_reason u:object_r:sysfs_pm:s0 /acct/uid/cgroup.procs u:object_r:reco_file:s0 /acct/cgroup.procs u:object_r:reco_file:s0 @@ -195,6 +218,7 @@ /sys/class/amvecm(/.*)? u:object_r:sysfs_video:s0 /sys/class/video(/.*)? u:object_r:sysfs_video:s0 +/dev/vbi u:object_r:vbi_device:s0 /dev/vbi[0-3] u:object_r:vbi_device:s0 /sys/class/mpgpu/scale_mode u:object_r:sysfs_mpgpu_scale:s0 @@ -204,6 +228,7 @@ /tee(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/tee(/.*)? u:object_r:tee_data_file:s0 /mnt/vendor/param(/.*)? u:object_r:param_tv_file:s0 +/mnt/vendor u:object_r:param_tv_file:s0 #/vendor/bin/bootplayer u:object_r:bootvideo_exec:s0 #/vendor/bin/dv_config u:object_r:dv_config_exec:s0 @@ -216,11 +241,12 @@ /vendor/bin/hdcp_rx22 u:object_r:hdcp_rx22_exec:s0 /vendor/bin/hdcp_tx22 u:object_r:hdcp_tx22_exec:s0 +/vendor/bin/hdcp_rp22 u:object_r:hdcp_rp22_exec:s0 /vendor/bin/remotecfg u:object_r:remotecfg_exec:s0 /vendor/bin/systemcontrol u:object_r:system_control_exec:s0 /vendor/bin/hdmicecd u:object_r:hdmicecd_exec:s0 /vendor/bin/droidvold u:object_r:droidvold_exec:s0 -/vendor/bin/ntfs-3g u:object_r:ntfs_3g_exec:s0 +/vendor/bin/rc_server u:object_r:rc_server_exec:s0 /vendor/bin/tee-supplicant u:object_r:tee_exec:s0 /vendor/bin/tee_preload_fw u:object_r:firmload_exec:s0 
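Review bot: The added entry `/mnt/vendor u:object_r:param_tv_file:s0` in the `@@ -204,6 +228,7 @@` hunk gives the mount-point directory itself the same type as the parameter data. Every domain that holds `param_tv_file:dir` write/add_name (this commit grants that to priv_app and hdcp_rp22) can then create entries directly under /mnt/vendor, next to `/mnt/vendor/tee`. hdcp_rp22.te in the same commit reaches the directory through `mnt_vendor_file:dir search`, which suggests the platform label is what callers expect. I would drop the new line and keep only `/mnt/vendor/param(/.*)?`; if a denial on the parent directory motivated it, a `search` rule on the parent's existing type is the narrower fix.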
@@ -238,16 +264,23 @@ /data/vendor/mediadrm(/.*)? u:object_r:hal_drm_data:s0 /vendor/lib(64)?/hw/gralloc\.amlogic\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libfbcnf\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/extractors u:object_r:same_process_hal_file:s0 +/vendor/lib(64)? u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/extractors/libamextractor\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libamffmpegadapter\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libamffmpeg\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libjni_remoteime\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/libtunertvinput_jni\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/libjnifont\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/jnidtvepgscanner\.so u:object_r:vendor_app_file:s0 -/vendor/lib(64)?/am_adp\.so u:object_r:vendor_app_file:s0 -/vendor/lib(64)?/am_mw\.so u:object_r:vendor_app_file:s0 -/vendor/lib(64)?/zvbi\.so u:object_r:vendor_app_file:s0 -/vendor/lib(64)?/jnidtvsubtitle\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libam_adp\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libam_mw\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libicuuc_vendor\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libzvbi\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libjnidtvsubtitle\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/libvendorfont\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/libtvbinder\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/libtv_jni\.so u:object_r:vendor_app_file:s0 
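Review bot: The two bare directory entries `/vendor/lib(64)? … same_process_hal_file` and `/vendor/lib(64)?/extractors … same_process_hal_file` relabel the library directories themselves rather than a library. file_contexts patterns are anchored, so they match only the directory inode and change what every domain needs in order to traverse /vendor/lib. same_process_hal_file marks vendor libraries meant to be loaded into processes outside the vendor domains, so the list is best kept to the specific .so files that need it. The ffmpeg and extractor libraries added here become executable by mediaextractor (see mediaextractor.te in this commit), which widens the code running in the media parsing process. Also, the dot in `mapper@2\.0-impl-2.1\.so` is unescaped and matches any character; `impl-2\.1\.so` is the exact form.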
@@ -262,7 +295,16 @@ /vendor/lib(64)?/vendor\.amlogic\.hardware\.remotecontrol@1\.0\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/vendor\.amlogic\.hardware\.hdmicec@1\.0\.so u:object_r:vendor_app_file:s0 /vendor/lib(64)?/vendor\.amlogic\.hardware\.droidvold@1\.0\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libjnidtvepgscanner\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libjniuevent\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libsubjni\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libtvsubtitle_tv\.so u:object_r:vendor_app_file:s0 +/vendor/lib(64)?/libjnifont_tv\.so u:object_r:vendor_app_file:s0 /dev/hidraw[0-9]* u:object_r:hidraw_audio_device:s0 #The final space is necessary. Please don't delete it. +/vendor/lib/vendor\.amlogic\.hardware\.remotecontrol@1\.0\.so u:object_r:vendor_app_file:s0 +/system/bin/ntfs-3g u:object_r:fsck_exec:s0 +/system/bin/fsck.exfat u:object_r:fsck_exec:s0 + diff --git a/sepolicy/fsck.te b/sepolicy/fsck.te index 00e1580..ea2aea6 100644 --- a/sepolicy/fsck.te +++ b/sepolicy/fsck.te @@ -3,7 +3,7 @@ allow fsck tmpfs:blk_file { getattr read write open ioctl }; allow fsck { vold_block_device param_block_device drm_block_device tee_block_device }:blk_file { getattr read write open ioctl }; -allow fsck { vendor_block_device odm_block_device userdata_block_device cache_block_device metadata_block_device product_block_device }:blk_file { getattr read write open ioctl }; +allow fsck { vendor_block_device odm_block_device userdata_block_device cache_block_device metadata_block_device product_block_device dtbo_block_device }:blk_file { getattr read write open ioctl }; allow fsck { system_block_fsck_device }:blk_file { getattr read write open ioctl }; diff --git a/sepolicy/fsck_untrusted.te b/sepolicy/fsck_untrusted.te index 3eda53a..2ee816f 100644 --- a/sepolicy/fsck_untrusted.te +++ b/sepolicy/fsck_untrusted.te 
@@ -1,3 +1,26 @@ allow fsck_untrusted vold_block_device:blk_file { getattr read write open ioctl }; allow fsck_untrusted sda_block_device:blk_file { create getattr read write open ioctl }; allow fsck_untrusted vold:unix_stream_socket { read write }; + +allow fsck_untrusted fsck_exec:file entrypoint; +allow fsck_untrusted block_device:dir getattr; +allow fsck_untrusted vold_block_device:blk_file lock; +allow fsck_untrusted self:capability sys_admin; + +allow fsck_untrusted fuseblk:filesystem { mount unmount }; +allow fsck_untrusted devpts:chr_file rw_file_perms; +allow fsck_untrusted self:capability { setgid setuid sys_admin }; + +allow fsck_untrusted block_device:dir { open read search getattr }; +allow fsck_untrusted sda_block_device:dir search; +allow fsck_untrusted sda_block_device:blk_file rw_file_perms; +allow fsck_untrusted fuse_device:chr_file rw_file_perms; + +allow fsck_untrusted tmpfs:dir {open read search getattr }; +allow fsck_untrusted mnt_media_rw_file:dir { create_dir_perms mounton }; +allow fsck_untrusted mnt_media_rw_file:file create_file_perms; + +allow fsck_untrusted mnt_media_rw_stub_file:dir { getattr mounton }; +allow fsck_untrusted proc:file { getattr }; +allow fsck_untrusted proc_filesystems:file { open read getattr }; + diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te index 30e1d48..4f48e23 100644 --- a/sepolicy/hal_audio_default.te +++ b/sepolicy/hal_audio_default.te 
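Review bot: fsck_untrusted is turned from a checker into a mount helper here: the added rules give it `self:capability { setgid setuid sys_admin }`, `fuseblk:filesystem { mount unmount }`, `fuse_device:chr_file rw_file_perms` and `mounton` on mnt_media_rw_file, and the file_contexts hunk labels `/system/bin/ntfs-3g` as `fsck_exec` so it can run in this domain. The domain's existing rules target vold-managed block devices, so the process holding CAP_SYS_ADMIN would be the one parsing on-disk structures from removable media. A dedicated domain with its own exec type for the NTFS mount helper (placeholder name `<ntfs_mount_domain>`) would carry only the mount-related rules and leave fsck_untrusted with its three pre-existing lines. Independently, `allow fsck_untrusted self:capability sys_admin;` is repeated by the later `{ setgid setuid sys_admin }` line, and `block_device:dir getattr` by `{ open read search getattr }`.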
@@ -6,19 +6,29 @@ allow hal_audio_default sysfs_digital_codec:file { write read open }; allow hal_audio_default sysfs_amhdmitx:dir search; allow hal_audio_default kernel:system { module_request }; allow hal_audio_default media_prop:file { read open getattr }; +allow hal_audio_default media_prop:property_service { set }; allow hal_audio_default shell_data_file:file { read write }; allow hal_audio_default sysfs_xbmc:file { read open write }; allow hal_audio_default hidraw_device:chr_file { create read write open ioctl}; allow hal_audio_default property_socket:sock_file { write }; allow hal_audio_default init:unix_stream_socket { connectto }; -allow hal_audio_default bluetooth_prop:property_service { set }; -allow hal_audio_default bluetooth_prop:file { read getattr open }; + +#--------------------------------------------------------------------# +# product_shipping_api_level=28 +#--------------------------------------------------------------------# +get_prop(hal_audio_default, vendor_platform_prop) + allow hal_audio_default sysfs_aud_output_chs:file { open read write }; allow hal_audio_default sysfs_aud_output_chs:file { read write open }; allow hal_audio_default remotecontrol_hwservice:hwservice_manager find; -allow hal_audio_default sysfs:file open; +allow hal_audio_default sysfs:file { open read write }; allow hal_audio_default device:dir read; +allow hal_audio_default uio_device:chr_file { open read write }; allow hal_audio_default system_app:binder call; +allow hal_audio_default tv_prop:file { read getattr open }; allow hal_audio_default hidraw_audio_device:chr_file { create read write open ioctl}; allow hal_audio_default sysfs_audio:file rw_file_perms; allow hal_audio_default sysfs_audio:dir r_dir_perms; +allow hal_audio_default device:dir {read open}; +allow hal_audio_default btmic_data_file:dir {write read open add_name search}; +allow hal_audio_default btmic_data_file:file {write open create}; 
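Review bot: `allow hal_audio_default sysfs:file { open read write };` widens the old `open`-only rule to read/write on every sysfs node that has no specific label, which is far more than the audio HAL's own controls. The file already has `sysfs_audio:file rw_file_perms`, and this commit's file_contexts labels `/sys/class/amaudio/debug` as sysfs_audio, so the remaining nodes can be labelled the same way and the generic rule returned to its previous form. `allow hal_audio_default device:dir {read open};` also supersedes the existing `device:dir read` line, which can be removed.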
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te new file mode 100644 index 0000000..15f3c0d --- a/dev/null +++ b/sepolicy/hal_bluetooth_default.te @@ -0,0 +1,4 @@ +allow hal_bluetooth_default device_stpbt:chr_file { read open write }; +allow hal_bluetooth_default vendor_platform_prop:property_service { set }; +allow hal_bluetooth_default vendor_platform_prop:file { read open getattr }; +get_prop(hal_bluetooth_default, bluetooth_prop); diff --git a/sepolicy/hal_bootctl_default.te b/sepolicy/hal_bootctl_default.te index ba88f5b..df017f9 100644 --- a/sepolicy/hal_bootctl_default.te +++ b/sepolicy/hal_bootctl_default.te @@ -3,5 +3,10 @@ allow hal_bootctl_default proc:file { open read getattr}; allow hal_bootctl_default block_device:dir search; allow hal_bootctl_default misc_block_device:blk_file {read open write}; +allow hal_bootctl_default sysfs_dt_firmware_android:dir { open read search }; +allow hal_bootctl_default sysfs_dt_firmware_android:file { getattr open read }; + +allow hal_bootctl_default proc_cmdline:file read; + allow hal_bootctl_default sysfs:dir { open read }; #allow hal_bootctl_default sysfs:file { getattr open read }; diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te index dbc938c..4b3d1fd 100644 --- a/sepolicy/hal_graphics_allocator_default.te +++ b/sepolicy/hal_graphics_allocator_default.te @@ -2,4 +2,6 @@ allow hal_graphics_allocator_default graphics_device:dir {search}; allow hal_graphics_allocator_default graphics_device:chr_file {open read write ioctl}; allow hal_graphics_allocator_default sysfs_display:lnk_file { read open write ioctl }; allow hal_graphics_allocator_default sysfs_display:dir search; -allow hal_graphics_allocator_default sysfs_fb0_afbcd:file rw_file_perms;
\ No newline at end of file +allow hal_graphics_allocator_default sysfs_fb0_afbcd:file rw_file_perms; +allow hal_graphics_allocator_default media_prop:file { getattr open read }; +get_prop(hal_graphics_allocator_default, media_prop) diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index 699e79b..05660f8 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te @@ -7,8 +7,6 @@ allow hal_graphics_composer_default vndservicemanager:binder { call transfer }; allow hal_graphics_composer_default systemcontrol_hwservice:hwservice_manager { find }; allow hal_graphics_composer_default system_control:binder { call }; -allow hal_graphics_composer_default tv_prop:file { getattr open read }; - allow hal_graphics_composer_default video_device:chr_file rw_file_perms; allow hal_graphics_composer_default graphics_device:chr_file {open read write ioctl}; allow hal_graphics_composer_default sysfs_video:file rw_file_perms; 
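Review bot: `allow hal_graphics_allocator_default media_prop:file { getattr open read };` duplicates what the `get_prop(hal_graphics_allocator_default, media_prop)` line right after it already grants, so the explicit allow can be dropped. The same pairing appears in hal_graphics_composer_default.te for tv_prop, media_prop and vendor_platform_prop. Keeping only the macro form makes it easier to see which domains read which property types when the policy is audited.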
@@ -18,9 +16,18 @@ allow hal_graphics_composer_default sysfs_display:dir search; allow hal_graphics_composer_default sysfs_display:lnk_file { open read write ioctl }; allow hal_graphics_composer_default sysfs_display:file { read write open getattr }; allow hal_graphics_composer_default sysfs_display:chr_file { ioctl read write open }; +allow hal_graphics_composer_default display_device:chr_file r_file_perms; allow hal_graphics_composer_default sysfs_amhdmitx:file { read write open getattr }; allow hal_graphics_composer_default sysfs_amhdmitx:dir search; +allow hal_graphics_composer_default tv_prop:file { getattr open read }; get_prop(hal_graphics_composer_default, tv_prop) + +allow hal_graphics_composer_default media_prop:file { getattr open read }; +get_prop(hal_graphics_composer_default, media_prop) + allow hal_graphics_composer_default sysfs_video:dir { search }; allow hal_graphics_composer_default sysfs_display:file { read write open getattr }; + +allow hal_graphics_composer_default vendor_platform_prop:file {getattr open read}; +get_prop(hal_graphics_composer_default, vendor_platform_prop) diff --git a/sepolicy/hal_ir_default.te b/sepolicy/hal_ir_default.te new file mode 100644 index 0000000..1c44714 --- a/dev/null +++ b/sepolicy/hal_ir_default.te @@ -0,0 +1,2 @@ +allow hal_ir_default sysfs_ir:dir { search }; +allow hal_ir_default sysfs_ir:file rw_file_perms; diff --git a/sepolicy/hal_memtrack_default.te b/sepolicy/hal_memtrack_default.te index 9940dd7..4b2815e 100644 --- a/sepolicy/hal_memtrack_default.te +++ b/sepolicy/hal_memtrack_default.te 
@@ -24,6 +24,7 @@ allow hal_memtrack_default hal_thermal_default:dir search; allow hal_memtrack_default hal_thermal_default:file { r_file_perms }; allow hal_memtrack_default thermalserviced:dir search; allow hal_memtrack_default thermalserviced:file { r_file_perms }; +allow hal_memtrack_default debugfs:dir { read open }; allow hal_memtrack_default incidentd:dir search; allow hal_memtrack_default incidentd:file { getattr open read }; @@ -37,8 +38,8 @@ allow hal_memtrack_default perfprofd:file { getattr open read }; allow hal_memtrack_default secure_element:dir search; allow hal_memtrack_default secure_element:file { getattr open read }; -allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:dir { search }; -allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver installd keystore mdnsd isolated_app }:file { r_file_perms }; +allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver hal_memtrack_default hal_bluetooth_default bluetooth installd keystore mdnsd isolated_app }:dir { search }; +allow hal_memtrack_default { priv_app platform_app untrusted_app su drmserver hal_bluetooth_default bluetooth installd keystore mdnsd isolated_app }:file { r_file_perms }; allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:dir { search }; allow hal_memtrack_default { gatekeeperd tombstoned webview_zygote zygote netd wificond sdcardd hal_camera_default hal_tv_cec_default }:file { r_file_perms }; @@ -82,3 +83,5 @@ allow hal_memtrack_default tvserver:file r_file_perms; allow hal_memtrack_default hal_drm_clearkey:dir search; allow hal_memtrack_default hdcp_tx22:dir search; +allow hal_memtrack_default hdcp_rx22:dir { search read }; +allow hal_memtrack_default hdcp_rx22:file { read open getattr }; diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te index 57d73c7..b59adcf 100644 
--- a/sepolicy/hal_power_default.te +++ b/sepolicy/hal_power_default.te @@ -1,2 +1,6 @@ allow hal_power_default sysfs_mpgpu_cmd:file { read write open }; allow hal_power_default sysfs_power_trigger:file { read write open }; +allow hal_power_default hdmicecd_hwservice:hwservice_manager { find }; +allow hal_power_default hdmicecd:binder { call transfer }; +allow hal_power_default vendor_platform_prop:file { open read getattr }; +allow hal_power_default vendor_platform_prop:file { open read getattr }; diff --git a/sepolicy/hdcp_rp22.te b/sepolicy/hdcp_rp22.te new file mode 100644 index 0000000..f6b7c26 --- a/dev/null +++ b/sepolicy/hdcp_rp22.te 
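Review bot: `allow hal_power_default vendor_platform_prop:file { open read getattr };` is added twice in a row. If only read access was intended, a single `get_prop(hal_power_default, vendor_platform_prop)` is enough; if the second line was meant to cover a different property type, that rule is currently missing.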
@@ -0,0 +1,45 @@ +type hdcp_rp22, domain; +type hdcp_rp22_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hdcp_rp22) +type hdcprp_device, dev_type; + +allow hdcp_rp22 hdcprp_device:chr_file { open read write getattr ioctl }; + +allow hdcp_rp22 system_file:file execute_no_trans; +allow hdcp_rp22 hdcp_rp22_exec:file {entrypoint read}; + +#allow hdcp_rp22 shell_exec:file rx_file_perms; + +allow hdcp_rp22 sysfs:file rw_file_perms; + +allow hdcp_rp22 param_tv_file:dir { search create read write open add_name remove_name rmdir }; +allow hdcp_rp22 param_tv_file:file { create open read write setattr getattr lock unlink }; +allow hdcp_rp22 kmsg_device:chr_file {write}; +allow hdcp_rp22 device:dir {write}; +allow hdcp_rp22 kmsg_device:chr_file {open}; +allow hdcp_rp22 hdcptx_device:chr_file {open read write ioctl}; + +allow hdcp_rp22 mnt_media_rw_file:file { create read write open }; +allow hdcp_rp22 mnt_media_rw_file:dir { write add_name }; +allow hdcp_rp22 rootfs:lnk_file {getattr}; +allow hdcp_rp22 storage_file:dir {read write search}; +allow hdcp_rp22 storage_file:file {open read write getattr}; +allow hdcp_rp22 storage_file:lnk_file {open read write getattr}; +allow hdcp_rp22 tmpfs:dir {search getattr}; +allow hdcp_rp22 tmpfs:file create_file_perms; +allow hdcp_rp22 mnt_user_file:dir {read write search}; +allow hdcp_rp22 mnt_user_file:file {open read write getattr}; +allow hdcp_rp22 mnt_user_file:lnk_file {open read write getattr}; +allow hdcp_rp22 fuse:dir {create open read write search add_name getattr}; +allow hdcp_rp22 fuse:file {open create read write getattr}; +allow hdcp_rp22 fuse:file rw_file_perms; +#allow hdcp_rp22 app_data_file:file rw_file_perms; +#allow hdcp_rp22 app_data_file:dir search; +allow hdcp_rp22 fuse:lnk_file {open read write getattr}; +allow hdcp_rp22 { mnt_user_file storage_file }:dir { create open read write search add_name getattr }; +allow hdcp_rp22 { mnt_user_file storage_file }:lnk_file { open read write getattr }; +allow 
hdcp_rp22 sysfs_cec:dir { search open }; +allow hdcp_rp22 sysfs_cec:file { read open write getattr }; +allow hdcp_rp22 sysfs_amhdmitx:dir search; +allow hdcp_rp22 sysfs_amhdmitx:file { getattr open read write ioctl }; +allow hdcp_rp22 mnt_vendor_file:dir {search}; diff --git a/sepolicy/hdmicecd.te b/sepolicy/hdmicecd.te index 697cf50..617577a 100644 --- a/sepolicy/hdmicecd.te +++ b/sepolicy/hdmicecd.te @@ -12,7 +12,13 @@ allow hdmicecd { hdmicecd_hwservice hidl_base_hwservice }:hwservice_manager { a allow hdmicecd cec_device:chr_file { open read write ioctl }; allow hdmicecd hwservicemanager_prop:file { open read getattr }; +allow hdmicecd system_control:binder { call transfer }; +allow hdmicecd systemcontrol_hwservice:hwservice_manager { find }; + +allow hdmicecd tvserver_hwservice:hwservice_manager { find }; +allow hdmicecd tvserver:binder { transfer call }; + allow hdmicecd { hal_tv_cec_default system_app }:binder { call transfer }; -allow hdmicecd systemcontrol_hwservice:hwservice_manager find; -allow hdmicecd system_control:binder { call transfer }; +allow hdmicecd vendor_platform_prop:file { open read getattr }; + diff --git a/sepolicy/hwservice.te b/sepolicy/hwservice.te index a37e6fb..27188b0 100644 --- a/sepolicy/hwservice.te +++ b/sepolicy/hwservice.te @@ -3,4 +3,4 @@ type hdmicecd_hwservice, hwservice_manager_type; type droidvold_hwservice, hwservice_manager_type; type tvserver_hwservice, hwservice_manager_type; type remotecontrol_hwservice, hwservice_manager_type; - +type imageserver_hwservice, hwservice_manager_type; diff --git a/sepolicy/hwservice_contexts b/sepolicy/hwservice_contexts index 2f4e22f..9daa08b 100644..100755 --- a/sepolicy/hwservice_contexts +++ b/sepolicy/hwservice_contexts 
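Review bot: The new hdcp_rp22 domain gets `sysfs:file rw_file_perms`, `device:dir {write}` and `system_file:file execute_no_trans`, plus create/write on fuse, storage_file, mnt_user_file and mnt_media_rw_file, which is a wide footprint for a daemon whose device rules concern HDCP (`hdcprp_device`, `hdcptx_device`). The rules appear to be carried over from another domain; I would start from the device, sysfs_cec, sysfs_amhdmitx and param_tv_file rules and add the rest only from observed denials, dropping in particular the generic sysfs write and the external-storage write rules. `type hdcprp_device, dev_type;` is declared here, but none of the file_contexts hunks visible on this page assigns it to a device node, so the first allow rule may not match anything (the file_contexts diff is only partly visible). `allow hdcp_rp22 fuse:file {open create read write getattr};` is followed by `fuse:file rw_file_perms`, and the two kmsg_device rules can be merged into one.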
@@ -3,4 +3,4 @@ vendor.amlogic.hardware.hdmicec::IDroidHdmiCEC u:object_r:hd vendor.amlogic.hardware.droidvold::IDroidVold u:object_r:droidvold_hwservice:s0 vendor.amlogic.hardware.tvserver::ITvServer u:object_r:tvserver_hwservice:s0 vendor.amlogic.hardware.remotecontrol::IRemoteControl u:object_r:remotecontrol_hwservice:s0 - +vendor.amlogic.hardware.imageserver::IImageService u:object_r:imageserver_hwservice:s0 diff --git a/sepolicy/hwservicemanager.te b/sepolicy/hwservicemanager.te index 697b434..65bc9f8 100644 --- a/sepolicy/hwservicemanager.te +++ b/sepolicy/hwservicemanager.te @@ -17,3 +17,8 @@ allow hwservicemanager tvserver:binder { call transfer }; allow hwservicemanager tvserver:dir { search }; allow hwservicemanager tvserver:file { read open }; allow hwservicemanager tvserver:process { getattr }; + +allow hwservicemanager imageserver:binder { call transfer }; +allow hwservicemanager imageserver:dir { search }; +allow hwservicemanager imageserver:file { read open }; +allow hwservicemanager imageserver:process { getattr }; diff --git a/sepolicy/imageserver.te b/sepolicy/imageserver.te index 4f68d0e..924e47f 100644 --- a/sepolicy/imageserver.te +++ b/sepolicy/imageserver.te 
@@ -1,44 +1,31 @@ -type imageserver, domain; -type imageserver_exec, exec_type, vendor_file_type, file_type; +type imageserver, domain, coredomain; +type imageserver_exec, exec_type, file_type; typeattribute imageserver mlstrustedsubject; init_daemon_domain(imageserver) -allow imageserver vendor_file:file { execute }; - -#allow imageserver shell_exec:file rx_file_perms; -#allow imageserver system_file:file execute_no_trans; - -#allow imageserver imageserver_service:service_manager add; - -#allow imageserver imageserver_exec:file { entrypoint read }; - -#allow imageserver self:process execmem; - -#binder_use(imageserver); -#binder_call(imageserver, binderservicedomain) -#binder_call(imageserver, appdomain) -#binder_service(imageserver) - -#allow imageserver self:capability dac_override; -#allow imageserver self:capability dac_read_search; - -#allow imageserver appdomain:file { r_file_perms }; -#allow imageserver fuse:dir r_dir_perms; -#allow imageserver fuse:file r_file_perms; -#allow imageserver app_data_file:file rw_file_perms; -#allow imageserver system_file:file execmod; - -#allow imageserver app_data_file:dir search; - -#allow imageserver system_control_service:service_manager find; - -#allow imageserver { mnt_user_file storage_file }:dir { getattr search }; -#allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read }; -#allow imageserver permission_service:service_manager find; - -#allow imageserver picture_device:chr_file { read write open ioctl }; -#allow imageserver kernel:system module_request; - -#allow imageserver tmpfs:dir { getattr search }; +allow imageserver hwservicemanager:binder { call transfer }; +allow imageserver { imageserver_hwservice hidl_base_hwservice }:hwservice_manager { add }; +r_dir_file(system_control, domain) +r_dir_file(system_control, binderservicedomain) +r_dir_file(system_control, appdomain) +r_dir_file(system_control, platform_app) +allow imageserver sdcardfs:dir {search}; +allow imageserver sdcardfs:file {read 
open getattr}; +allow imageserver media_rw_data_file:file {read open getattr}; +allow imageserver appdomain:file { r_file_perms }; +allow imageserver fuse:dir r_dir_perms; +allow imageserver fuse:file r_file_perms; +allow imageserver vfat:file { read open getattr}; +allow imageserver { mnt_user_file storage_file }:dir { getattr search }; +allow imageserver { mnt_user_file storage_file }:lnk_file { getattr read }; + +allow imageserver picture_device:chr_file { read write open ioctl }; +allow imageserver kernel:system module_request; +allow imageserver tmpfs:dir { getattr search }; +allow imageserver sysfs_video:file rw_file_perms; +allow imageserver { sysfs_video sysfs_cec sysfs_am_vecm }:dir { search }; +allow imageserver fuseblk:file { read open getattr }; +set_prop(imageserver, hwservicemanager_prop) +get_prop(imageserver, hwservicemanager_prop) diff --git a/sepolicy/init.te b/sepolicy/init.te index 6fbc19e..62b360f 100644 --- a/sepolicy/init.te +++ b/sepolicy/init.te @@ -13,8 +13,8 @@ allow init { system_file vendor_file rootfs}:system { module_load }; allow init vendor_file:file { execute }; -allow init { tee_block_device userdata_block_device cache_block_device block_device metadata_block_device }:blk_file { relabelto write read }; -allow init { vendor_block_device system_block_fsck_device odm_block_device param_block_device product_block_device }:blk_file { relabelto write read }; +allow init { tee_block_device userdata_block_device cache_block_device block_device metadata_block_device vbmeta_block_device }:blk_file { relabelto write read }; +allow init { vendor_block_device system_block_fsck_device odm_block_device param_block_device product_block_device dtbo_block_device }:blk_file { relabelto write read }; allow init boot_block_device:blk_file relabelto; diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te index d053773..3fe52ef 100644 --- a/sepolicy/mediacodec.te +++ b/sepolicy/mediacodec.te 
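Review bot: The four `r_dir_file(system_control, …)` lines added to imageserver.te grant rights to system_control, not to imageserver: as written, `r_dir_file(system_control, domain)` lets system_control read directories and files of every type carrying the `domain` attribute. If the intent was the `appdomain:file` access that imageserver gets a few lines later, these macros can be deleted; if imageserver does need them, the first argument should be `imageserver` and the target narrowed to `appdomain`. The type lines also move the daemon into `coredomain` and drop `vendor_file_type` from `imageserver_exec` while it registers a `vendor.amlogic.hardware.imageserver` HAL, so it is worth confirming where the binary lives and that a file_contexts entry for `imageserver_exec` exists (none is visible in this part of the diff). `set_prop(imageserver, hwservicemanager_prop)` lets it write the hwservicemanager property type, whereas rc_server in this commit uses only `get_prop` on it.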
@@ -21,3 +21,6 @@ allow mediacodec sysfs_am_vecm:file { read write open getattr }; allow mediacodec uio_device:chr_file rw_file_perms; allow mediacodec audio_device:chr_file { setattr open read write }; allow mediacodec sysfs_audio:file { open read write }; +allow mediacodec vendor_platform_prop:file { open read getattr }; +allow mediacodec sysfs_amhdmitx:file rw_file_perms; +allow mediacodec sysfs_amhdmitx:dir search; diff --git a/sepolicy/mediaextractor.te b/sepolicy/mediaextractor.te index 76c843f..83fb9b0 100644 --- a/sepolicy/mediaextractor.te +++ b/sepolicy/mediaextractor.te @@ -1,10 +1,21 @@ +allow mediaextractor init:unix_stream_socket { connectto }; get_prop(mediaextractor, media_prop) +get_prop(mediaextractor, vendor_default_prop) +get_prop(mediaextractor, vendor_platform_prop) allow mediaextractor vfat:file { read getattr }; allow mediaextractor fuseblk:file { read getattr }; allow mediaextractor fuse:file { read getattr }; allow mediaextractor sdcardfs:file { read getattr }; allow mediaextractor system_server:fifo_file { write getattr append }; -#allow mediaextractor vendor_file:file { read open getattr execute }; +allow mediaextractor same_process_hal_file:dir { read open }; +allow mediaextractor same_process_hal_file:file { read open getattr execute}; allow platform_app iso9660:dir { search open read getattr }; allow platform_app iso9660:file { open read getattr }; + +allow mediaextractor exfat:file { read getattr }; +allow mediaextractor property_socket:sock_file write; + +allow mediaextractor bootanim:fd { use }; +allow mediaextractor system_data_file:file { read getattr }; + diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te index 85882e5..c6b1a83 100644 --- a/sepolicy/mediaprovider.te +++ b/sepolicy/mediaprovider.te @@ -1 +1,5 @@ allow mediaprovider media_prop:file { getattr open read }; + +allow mediaprovider fuseblk:dir { open read search }; +allow mediaprovider fuseblk:file { getattr open read }; + 
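Review bot: In the mediaextractor.te hunk, `allow mediaextractor init:unix_stream_socket { connectto };` and `allow mediaextractor property_socket:sock_file write;` open the property-service socket to the process that parses media files, yet no `property_service set` rule is added, so the socket access appears to serve no purpose. The same hunk makes `same_process_hal_file` libraries executable in that process and adds `system_data_file:file { read getattr }`. mediaextractor is normally limited to reading from file descriptors handed to it, so I would drop the two socket rules and tie the library-execute and system_data_file rules to the specific denial each one fixes, with a one-line comment above each.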
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te index 0152b22..63b44f2 100644 --- a/sepolicy/mediaserver.te +++ b/sepolicy/mediaserver.te @@ -9,3 +9,9 @@ allow mediaserver sysfs_video:file rw_file_perms; allow mediaserver sysfs_audio:file rw_file_perms; get_prop(mediaserver, media_prop) +get_prop(mediaserver, vendor_platform_prop) + +allow mediaserver bootanim:binder { call transfer }; +allow mediaserver bootanim:fd use; +allow mediaserver system_data_file:file { read getattr }; + diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te index 44c7e5a..7a112d8 100644 --- a/sepolicy/platform_app.te +++ b/sepolicy/platform_app.te @@ -15,3 +15,6 @@ allow platform_app droidvold:binder { call transfer }; allow platform_app tvserver_hwservice:hwservice_manager { find }; allow platform_app tvserver:binder { call transfer }; + +allow platform_app imageserver_hwservice:hwservice_manager { find }; +allow platform_app imageserver:binder { call transfer }; diff --git a/sepolicy/postinstall.te b/sepolicy/postinstall.te new file mode 100644 index 0000000..ae01860 --- a/dev/null +++ b/sepolicy/postinstall.te @@ -0,0 +1,10 @@ +allow postinstall ota_data_file:file { create getattr lock open read setattr unlink write }; +allow postinstall self:capability { chown setgid setuid fowner }; +#allow postinstall vendor_app_file:dir search; +#allow postinstall vendor_app_file:file { getattr open read }; +allow postinstall ota_data_file:dir { add_name getattr read remove_name write create open search }; +allow postinstall postinstall_file:filesystem getattr; +allow postinstall proc_filesystems:file { getattr open read }; +allow postinstall tmpfs:file read; +allow postinstall ota_data_file:lnk_file { create read }; +allow postinstall user_profile_data_file:dir search;
\ No newline at end of file diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te index 5889379..5758d64 100644 --- a/sepolicy/priv_app.te +++ b/sepolicy/priv_app.te @@ -16,4 +16,11 @@ allow priv_app device:dir { read search open }; allow priv_app proc_stat:file { getattr open }; allow priv_app { su_exec bootanim_exec bootstat_exec }:file { getattr }; -allow priv_app proc_uptime:file read;
\ No newline at end of file +allow priv_app proc_uptime:file read; + +allow priv_app tvserver_hwservice:hwservice_manager { find }; +allow priv_app systemcontrol_hwservice:hwservice_manager { find }; +allow priv_app system_control:binder call; +allow priv_app tvserver:binder { call transfer }; +allow priv_app param_tv_file:file { create open read write setattr getattr lock unlink }; +allow priv_app param_tv_file:dir { search read open write add_name remove_name getattr }; diff --git a/sepolicy/property.te b/sepolicy/property.te index a3e38fb..697638b 100644 --- a/sepolicy/property.te +++ b/sepolicy/property.te @@ -6,3 +6,6 @@ type tv_prop, property_type; type bcmdl_prop, property_type; type ctl_dhcp_pan_prop, property_type; type netflix_prop, property_type; +type vendor_platform_prop, property_type; +type vendor_persist_prop, property_type; +type vendor_app_prop, property_type; diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts index 81cf3d1..eba261c 100644..100755 --- a/sepolicy/property_contexts +++ b/sepolicy/property_contexts 
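Review bot: `allow priv_app param_tv_file:file { create open read write setattr getattr lock unlink };` together with the matching `param_tv_file:dir` rule gives every privileged app direct create and delete rights on the vendor parameter files under /mnt/vendor/param. The same hunk already lets priv_app find `tvserver_hwservice` and `systemcontrol_hwservice` and call those services, so the settings could be changed through them and the two file rules dropped. If one specific app really needs file access, a dedicated app domain selected through seapp_contexts confines it better than widening priv_app.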
@@ -1,11 +1,27 @@ media. u:object_r:media_prop:s0 +ro.media. u:object_r:media_prop:s0 +sys.media. u:object_r:media_prop:s0 +sys.subtitle. u:object_r:media_prop:s0 +ro.audio. u:object_r:media_prop:s0 +ro.af. u:object_r:media_prop:s0 +persist.vendor.audio. u:object_r:media_prop:s0 +persist.vendor.media. u:object_r:media_prop:s0 +drm. u:object_r:media_prop:s0 ubootenv. u:object_r:uboot_prop:s0 ro.ubootenv. u:object_r:uboot_prop:s0 const.filesystem. u:object_r:aml_display_prop:s0 snd. u:object_r:tv_config_prop:s0 tv. u:object_r:tv_prop:s0 +persist.tv. u:object_r:tv_prop:s0 bcmdl_status u:object_r:bcmdl_prop:s0 wc_transport u:object_r:bluetooth_prop:s0 rc_hidraw_fd u:object_r:bluetooth_prop:s0 +ro.rfkilldisabled u:object_r:bluetooth_prop:s0 vendor.display-size u:object_r:netflix_prop:s0 +ro.vendor.nrdp.modelgroup u:object_r:netflix_prop:s0 ro.vendor.nrdp. u:object_r:netflix_prop:s0 +ro.vendor.platform u:object_r:vendor_platform_prop:s0 +persist.vendor.sys u:object_r:vendor_persist_prop:s0 +vendor.sys u:object_r:vendor_platform_prop:s0 +ro.vendor.app u:object_r:vendor_app_prop:s0 + diff --git a/sepolicy/rc_server.te b/sepolicy/rc_server.te new file mode 100644 index 0000000..ed0c33c --- a/dev/null +++ b/sepolicy/rc_server.te @@ -0,0 +1,14 @@ +type rc_server, domain; +type rc_server_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(rc_server) + +allow rc_server vndbinder_device:chr_file rw_file_perms; + +vndbinder_use(rc_server); +hwbinder_use(rc_server); + +allow rc_server remotecontrol_hwservice:hwservice_manager add; +allow rc_server hidl_base_hwservice:hwservice_manager add; + +get_prop(rc_server, hwservicemanager_prop); diff --git a/sepolicy/recovery.te b/sepolicy/recovery.te index e2f49eb..4fe6388 100644 --- a/sepolicy/recovery.te +++ b/sepolicy/recovery.te 
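Review bot: The four new vendor entries `ro.vendor.platform`, `persist.vendor.sys`, `vendor.sys` and `ro.vendor.app` have no trailing dot, and property_contexts entries match by prefix, so `vendor.sys` also labels any property whose name merely starts with those characters. Writing them as `ro.vendor.platform.`, `persist.vendor.sys.`, `vendor.sys.` and `ro.vendor.app.` (or as exact names, if a single property is meant) keeps the types from capturing unrelated names. The hunk also assigns `ro.media.`, `sys.media.`, `sys.subtitle.`, `ro.audio.`, `ro.af.`, `drm.`, `persist.tv.` and `ro.rfkilldisabled` to vendor-defined types, although the commit message lists only vendor/odm prefixes and `ro.boot.` as allowed. `ro.vendor.nrdp.modelgroup` is already covered by the existing `ro.vendor.nrdp.` line with the same label.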
@@ -1,4 +1,4 @@ -allow recovery aml_display_prop:property_service set; +#allow recovery aml_display_prop:property_service set; allow recovery input_device:chr_file write; allow recovery kmsg_device:chr_file { write open read }; allow recovery self:netlink_kobject_uevent_socket { create setopt bind read }; @@ -6,7 +6,7 @@ allow recovery sysfs_xbmc:file { read write open }; allow recovery system_prop:property_service set; allow recovery self:capability net_admin; -allow recovery uboot_prop:property_service set; +#allow recovery uboot_prop:property_service set; allow recovery rootfs:dir create_dir_perms; allow recovery sysfs:dir mounton; @@ -20,7 +20,7 @@ allow recovery device:dir rw_dir_perms; allow recovery bootloader_device:chr_file rw_file_perms; allow recovery defendkey_device:chr_file rw_file_perms; allow recovery dtb_device:chr_file { open read write }; -allow recovery aml_display_prop:property_service set; +#allow recovery aml_display_prop:property_service set; allow recovery recovery:capability { net_admin }; allow recovery sysfs_unifykey:dir search; @@ -32,9 +32,13 @@ allow recovery sysfs_am_vecm:file { open read write }; allow recovery sysfs_audio_cap:file r_file_perms; allow recovery sysfs_cec:file rw_file_perms; -set_prop(recovery, aml_display_prop) -set_prop(recovery, uboot_prop) -set_prop(recovery, bluetooth_prop) +#--------------------------------------------------------------------# +# product_shipping_api_level=28 vendor/system cannot share prop +#--------------------------------------------------------------------# +#get_prop(recovery, aml_display_prop) +get_prop(recovery, uboot_prop) +get_prop(recovery, bluetooth_prop) +get_prop(recovery, vendor_platform_prop) set_prop(recovery, boottime_prop) set_prop(recovery, ctl_bootanim_prop) 
@@ -62,7 +66,7 @@ allow recovery cache_file:dir mounton;
 allow recovery tmpfs:blk_file write;
 allow recovery sysfs:dir { open read };
-allow recovery sysfs_display:file read;
+allow recovery sysfs_display:file { open read write };
 allow recovery sysfs_video:dir search;
 allow recovery sysfs_store:file { open read write getattr };
@@ -129,7 +133,11 @@ allow recovery sysfs_display:lnk_file { open read write getattr };
 allow init reco_file:file { open read create write };
-get_prop(recovery, aml_display_prop)
+allow recovery aml_display_prop:file { getattr open read };
+allow recovery bluetooth_a2dp_offload_prop:file { getattr open };
+allow recovery exported_bluetooth_prop:file { getattr open };
+allow recovery exported_overlay_prop:file { getattr open };
+allow recovery exported_wifi_prop:file { getattr open };
 allow shell tmpfs:file {open read getattr};
 allow shell rootfs:file {execute_no_trans};
diff --git a/sepolicy/sdcardd.te b/sepolicy/sdcardd.te
index 88c5b2e..16f72cf 100644
--- a/sepolicy/sdcardd.te
+++ b/sepolicy/sdcardd.te
@@ -6,3 +6,6 @@ allow sdcardd vold:unix_stream_socket { read write };
 # for exfat
 allow sdcardd unlabeled:dir { open read write getattr search };
 allow sdcardd unlabeled:file { open read write getattr };
+
+allow sdcardd storage_file:dir mounton;
+
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 474383d..8f7f98f 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
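Review bot: The last recovery.te hunk replaces `get_prop(recovery, aml_display_prop)` with hand-written `allow … :file` rules, and four of them (`bluetooth_a2dp_offload_prop`, `exported_bluetooth_prop`, `exported_overlay_prop`, `exported_wifi_prop`) grant `{ getattr open }` without `read`. That shape usually comes from copying denials out of a log rather than deciding what recovery needs. If recovery really reads these properties, `get_prop(recovery, exported_wifi_prop)` and its siblings are the maintained form; if it does not, `dontaudit recovery exported_wifi_prop:file { getattr open };` is tighter than granting access. The first hunk on this line also widens `sysfs_display:file` from `read` to `{ open read write }` with no comment on what recovery writes there.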
@@ -1,7 +1,8 @@
 allow system_app sysfs_mpgpu_scale:file { read write open };
 allow system_app cache_recovery_file:dir { search read open write add_name remove_name };
-allow system_app cache_recovery_file:file { create getattr open read write unlink };
-
+allow system_app cache_recovery_file:file { create getattr setattr open read write unlink };
+allow system_app cache_file:dir {search open read write unlink add_name remove_name};
+allow system_app cache_file:file {create getattr write open unlink read};
 allow system_app update_engine:binder {call transfer};
 allow system_app rootfs:dir { getattr };
@@ -42,15 +43,33 @@ allow system_app sysfs_clock:file { getattr open read };
 allow sysfs_display tmpfs:filesystem associate;
 allow system_app sysfs_display:dir search;
+allow system_app sysfs_display:dir search;
 allow system_app sysfs_display:file { read write open getattr };
+#--------------------------------------------------------------------#
+# product_shipping_api_level=28 vendor/system cannot share prop
+#--------------------------------------------------------------------#
 get_prop(system_app, tv_prop)
-set_prop(system_app, media_prop)
-set_prop(system_app, netflix_prop)
+#set_prop(system_app, media_prop)
+get_prop(system_app, media_prop)
+#set_prop(system_app, netflix_prop)
+get_prop(system_app, netflix_prop)
+get_prop(system_app, vendor_platform_prop)
+get_prop(system_app, vendor_app_prop)
+
 allow system_app vbi_device:chr_file { read write open ioctl };
 allow system_app vendor_file:file r_file_perms;
 allow system_app sysfs_video:dir { search };
 allow system_app sysfs_video:file r_file_perms;
 allow system_app sysfs_amhdmitx:dir search;
 allow system_app sysfs_amhdmitx:file { getattr open read };
-allow system_app vendor_app_file:file execute;
+allow system_app sysfs_pm:file r_file_perms;
+allow system_app vendor_app_file:file { read open getattr execute };
+allow system_app dvb_device:chr_file { open read write ioctl };
+allow system_app codec_device:chr_file { open read write ioctl getattr};
+allow system_app param_tv_file:file { create open read write setattr getattr lock unlink };
+allow system_app param_tv_file:dir { search read open write add_name remove_name getattr };
+
+allow system_app sysfs_xbmc:file rw_file_perms;
+
+allow system_app subtitle_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_control.te b/sepolicy/system_control.te
index d7d3df3..6994c01 100644
--- a/sepolicy/system_control.te
+++ b/sepolicy/system_control.te
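Review bot: `allow system_app sysfs_display:dir search;` is added directly below an identical context line, so the new line is a duplicate and can be dropped. The replaced rules are kept as `#set_prop(system_app, media_prop)` and `#set_prop(system_app, netflix_prop)` next to their `get_prop` successors; deleting them reads better, since the history is already in the commit. The same hunk gives system_app direct `chr_file` access to `dvb_device`, `codec_device` and `subtitle_device` and adds `read open getattr` to the existing `execute` on `vendor_app_file`. A one-line comment per rule naming the consumer, for example `# <app name>: channel scan`, would let a later reviewer judge whether each can be narrowed.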
@@ -22,7 +22,7 @@ allow system_control vendor_shell_exec:file execute_no_trans;
 allow system_control vendor_file:file execute_no_trans;
 allow system_control sysfs_display:dir search;
-
+allow system_control sysfs_di:dir search;
 #unix_socket_connect(system_control, vold, vold);
 #unix_socket_connect(system_control, property, init);
@@ -34,38 +34,52 @@ allow system_control mnt_vendor_file:dir { search read open remove_name rmdir };
 allow system_control mnt_vendor_file:file { setattr getattr lock unlink };
 # Property Service write
-set_prop(system_control, system_prop)
-set_prop(system_control, dhcp_prop)
-set_prop(system_control, net_radio_prop)
-set_prop(system_control, system_radio_prop)
-set_prop(system_control, debug_prop)
-set_prop(system_control, powerctl_prop)
-
+#--------------------------------------------------------------------#
+# product_shipping_api_level=28 vendor/system cannot share prop
+#--------------------------------------------------------------------#
 get_prop(system_control, tv_config_prop)
 get_prop(system_control, bcmdl_prop)
 get_prop(system_control, safemode_prop)
 get_prop(system_control, mmc_prop)
 get_prop(system_control, device_logging_prop)
+get_prop(system_control, vendor_platform_prop)
+set_prop(system_control, vendor_platform_prop)
+get_prop(system_control, vendor_default_prop)
 set_prop(system_control, media_prop)
+get_prop(system_control, media_prop)
 get_prop(system_control, aml_display_prop)
 set_prop(system_control, uboot_prop)
+get_prop(system_control, uboot_prop)
 set_prop(system_control, tv_prop)
+get_prop(system_control, tv_prop)
+
+set_prop(system_control, vendor_persist_prop)
+get_prop(system_control, vendor_persist_prop)
+
 set_prop(system_control, netflix_prop)
+get_prop(system_control, netflix_prop)
-get_prop(system_control, wifi_prop)
+#get_prop(system_control, wifi_prop)
 set_prop(system_control, boottime_prop)
+get_prop(system_control, boottime_prop)
 #get_prop(system_control, firstboot_prop)
 #get_prop(system_control, serialno_prop)
 set_prop(system_control, overlay_prop)
+get_prop(system_control, overlay_prop)
 set_prop(system_control, net_dns_prop)
+get_prop(system_control, net_dns_prop)
 set_prop(system_control, logpersistd_logging_prop)
+get_prop(system_control, logpersistd_logging_prop)
 set_prop(system_control, hwservicemanager_prop)
+get_prop(system_control, hwservicemanager_prop)
 set_prop(system_control, dumpstate_options_prop)
-set_prop(system_control, bluetooth_prop)
+#set_prop(system_control, bluetooth_prop)
+#get_prop(system_control, bluetooth_prop)
 set_prop(system_control, persistent_properties_ready_prop)
+get_prop(system_control, persistent_properties_ready_prop)
 get_prop(system_control, system_boot_reason_prop)
@@ -77,6 +91,7 @@ set_prop(system_control, ctl_bugreport_prop)
 allow system_control block_device:dir r_dir_perms;
 allow system_control sysfs_audio_cap:file {open getattr read};
+allow system_control sysfs_audio:file {open getattr read};
 allow system_control sysfs_video:file rw_file_perms;
 allow system_control { sysfs_video sysfs_cec sysfs_am_vecm }:dir { search };
 allow system_control sysfs_cec:file rw_file_perms;
@@ -93,7 +108,7 @@ allow system_control appdomain:dir { getattr search };
 allow system_control appdomain:file { r_file_perms };
 allow system_control platform_app:dir { search };
-allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir };
+allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir create };
 allow system_control param_tv_file:file { create open read write setattr getattr lock unlink };
 #allow system_control shell_exec:file { execute_no_trans execute open read getattr };
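Review bot: The header comment added in the property hunk that ends on this line says vendor and system cannot share properties, yet system_control keeps `set_prop` on `boottime_prop`, `overlay_prop`, `net_dns_prop`, `logpersistd_logging_prop`, `hwservicemanager_prop`, `dumpstate_options_prop` and `persistent_properties_ready_prop`. None of those types are defined in this change and they look like platform property types. If system_control is a vendor domain (its type declaration is not on this page), each should be reduced to a read, e.g. `get_prop(system_control, hwservicemanager_prop)`, or replaced by a vendor-owned property. Separately, every `get_prop(system_control, X)` added right after `set_prop(system_control, X)` is redundant if `set_prop` is the stock macro, which already expands to `get_prop` for the same type. The surviving `# Property Service write` comment now heads a block that is mostly reads.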
@@ -111,9 +126,10 @@ allow system_control droidvold:binder { call };
 allow system_control { video_device amvecm_device }:chr_file { read write open ioctl getattr };
 allow system_control di0_device:chr_file { read write open ioctl };
 allow system_control param_tv_file:dir { write search add_name create };
-allow system_control param_tv_file:file { create read write open getattr };
+allow system_control param_tv_file:file { create read write open getattr ioctl};
 allow system_control sysfs_amhdmitx:dir search;
 allow system_control sysfs_amvdec:file { create open read write getattr};
+allow system_control sysfs_xbmc:file { read open };
 allow system_control vendor_configs_file:file { ioctl lock };
 allow system_control sysfs_display:lnk_file { read write open getattr };
@@ -122,3 +138,11 @@ allow system_control { sysfs_display sysfs_am_vecm sysfs_display sysfs_amhdmitx
 allow system_control sysfs_unifykey:dir { search };
 allow system_control sysfs_unifykey:file { read write open };
 allow system_control unlabeled:dir search;
+allow system_control sysfs_mpgpu_scale:file { read write open } ;
+allow system_control hdmirx0_device:chr_file { read write open ioctl getattr };
+
+allow system_control exported_system_prop:file { read } ;
+get_prop(system_control, exported_system_prop);
+
+allow system_control tvserver:binder { call transfer };
+allow system_control tvserver_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index ef5133b..2396525 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -3,6 +3,7 @@ typeattribute system_server mlstrustedsubject;
 #allow system_server vendor_file:file { getattr read open execute };
 allow system_server vendor_framework_file:dir { search getattr };
 allow system_server vendor_framework_file:file { read getattr open };
+allow system_server bluetooth:file { open read write };
 get_prop(system_server, media_prop)
@@ -29,13 +30,16 @@ allow system_server sysfs:file { getattr };
 allow system_server sysfs:dir r_dir_perms;
 allow system_server sysfs_rtc:file { read write open getattr };
-
 r_dir_file(system_server, sysfs_hdmi)
-allow system_server sysfs_hdmi:file write;
+allow system_server sysfs_hdmi:file { read write open getattr };
 allow system_server sysfs_display:lnk_file { read write open getattr };
 allow system_server sysfs_display:file { read write open getattr };
 allow system_server hal_audio_default:file write;
+allow system_server update_engine:binder call;
+
 allow system_server mediaprovider:file { write open };
+
+allow system_server dvb_device:chr_file rw_file_perms;
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 137d092..1a6775e 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -17,3 +17,4 @@ allow tee unlabeled:file { open read rename write };
 allow tee hidraw_device:chr_file { create read open write ioctl };
 allow tee vendor_file:file { read open getattr execute };
+allow tee param_tv_file:dir { search };
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
index aeae6ba..85f9a26 100644
--- a/sepolicy/toolbox.te
+++ b/sepolicy/toolbox.te
@@ -1 +1,3 @@
 allow toolbox unlabeled:dir getattr;
+allow toolbox vendor_file:system module_load;
+allow toolbox toolbox:capability sys_module;
diff --git a/sepolicy/tvserver.te b/sepolicy/tvserver.te
index c10e154..cfa32f8 100644
--- a/sepolicy/tvserver.te
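Review bot: `allow system_server bluetooth:file { open read write };` in the first system_server.te hunk names `bluetooth` as the target, which in stock platform policy is the Bluetooth app's process domain rather than a file type. As written the rule would give system_server write access to files labelled with that process type (presumably its /proc entries), which is unlikely to be the intent. If a Bluetooth data or sysfs file was meant, the rule should name that file type; if it only silences a logged denial, `dontaudit system_server bluetooth:file write;` avoids granting anything. The neighbouring rule `allow system_server hal_audio_default:file write;` is existing context with the same shape and deserves the same check.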
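Review bot: The toolbox.te hunk gives the generic `toolbox` domain `capability sys_module` together with `vendor_file:system module_load`, so anything that runs in the toolbox domain can load a kernel module from any file carrying the broad `vendor_file` label. Module loading is better confined to one dedicated domain and a dedicated label for the module files, along the lines of `allow <loader_domain> <module_file_type>:system module_load;`, where both names are placeholders for types this policy would have to define. If the modules are inserted from an init script, note that vendor_init.te in this same commit already shows `allow vendor_init self:capability sys_module;` as context, so the toolbox grant may not be needed at all. The second rule is also more conventionally written `allow toolbox self:capability sys_module;`.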
+++ b/sepolicy/tvserver.te
@@ -24,6 +24,7 @@ get_prop(tvserver, media_prop)
 get_prop(tvserver, tv_prop)
 set_prop(tvserver, tv_prop)
 set_prop(tvserver, tv_config_prop)
+get_prop(tvserver, vendor_default_prop)
 allow tvserver tv_prop:file { read open getattr };
 allow tvserver proc:file { read write open ioctl getattr };
@@ -60,5 +61,17 @@ allow tvserver mnt_vendor_file:file { create open write setattr getattr lock rea
 allow tvserver platform_app:binder { call };
 allow tvserver sysfs:file { read write open };
+#add for search channel
+allow tvserver dvb_device:chr_file { open read write ioctl };
+allow tvserver frontend_device:chr_file { open read write ioctl };
+allow tvserver priv_app:binder { call };
+allow tvserver codec_device:chr_file { read write open ioctl };
+
+#add for timeshift
+allow tvserver vendor_data_file:dir { search remove_name write add_name create };
+allow tvserver vendor_data_file:file { unlink write create open read getattr };
+
 allow tvserver sysfs_amhdmitx:dir search;
 allow tvserver sysfs_amhdmitx:file { write open read getattr };
+
+allow tvserver hdmicecd:binder { call transfer };
diff --git a/sepolicy/uncrypt.te b/sepolicy/uncrypt.te
new file mode 100644
index 0000000..69210b6
--- a/dev/null
+++ b/sepolicy/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt cache_file:dir {getattr};
+allow uncrypt cache_file:file {open read getattr};
diff --git a/sepolicy/update_engine.te b/sepolicy/update_engine.te
index f3330aa..ec53610 100644
--- a/sepolicy/update_engine.te
+++ b/sepolicy/update_engine.te
@@ -1,8 +1,22 @@
 # Allow read/write on system and boot partitions.
 allow update_engine misc_block_device:blk_file rw_file_perms;
 allow update_engine vendor_block_device:blk_file rw_file_perms;
+allow update_engine vbmeta_block_device:blk_file rw_file_perms;
 allow update_engine odm_block_device:blk_file rw_file_perms;
+allow update_engine product_block_device:blk_file rw_file_perms;
+allow update_engine dtbo_block_device:blk_file rw_file_perms;
 allow update_engine system_app:binder { call };
+
+allow update_engine system_file:file execute_no_trans;
+allow update_engine labeledfs:filesystem mount;
+allow update_engine otadexopt_service:service_manager find;
+allow update_engine otapreopt_chroot_exec:file { execute execute_no_trans getattr open read };
+allow update_engine postinstall_file:dir mounton;
+allow update_engine self:capability sys_chroot;
+allow update_engine system_server:binder call;
+allow update_engine toolbox_exec:file { execute execute_no_trans getattr open read };
+allow update_engine system_server:binder transfer;
+
 #allow update_engine sysfs:file {read open getattr};
 allow update_engine sysfs:blk_file {read write getattr};
 allow update_engine rootfs:dir {getattr};
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
index 90d4bea..08ca710 100644
--- a/sepolicy/vendor_init.te
+++ b/sepolicy/vendor_init.te
@@ -7,6 +7,7 @@ allow vendor_init rootfs:dir { create_dir_perms relabelfrom };
 allow vendor_init sysfs_devices_system_cpu:file { create };
 allow vendor_init debugfs:dir { mounton };
+allow vendor_init debugfs:file { read write };
 allow vendor_init update_data_file:file { read };
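Review bot: `allow update_engine system_file:file execute_no_trans;` and the `execute_no_trans` grants on `toolbox_exec` and `otapreopt_chroot_exec` let update_engine run those binaries inside its own domain. That domain, in this same hunk, holds `rw_file_perms` on the vendor, vbmeta, odm, product and dtbo block devices plus `sys_chroot`. If these rules exist for the postinstall step, transitioning into a separate domain would keep raw partition access away from whatever gets executed. If they stay, each needs a comment saying what is run, for example `# postinstall: <binary> from the new slot`. The two `system_server:binder` lines can also be merged into `allow update_engine system_server:binder { call transfer };`.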
@@ -19,8 +20,20 @@ allow vendor_init self:capability sys_module;
 allow vendor_init proc:file write;
 allow vendor_init unlabeled:dir search;
+allow vendor_init ffs_prop:property_service set;
 # optee
 allow vendor_init drm_device:chr_file setattr;
 # allow init mount a new filesystem and set its selinux contexts
 allow vendor_init unlabeled:dir { getattr read relabelfrom setattr };
+
+set_prop(vendor_init, vendor_platform_prop)
+set_prop(vendor_init, shell_prop)
+set_prop(vendor_init, vendor_app_prop)
+set_prop(vendor_init, media_prop)
+set_prop(vendor_init, aml_display_prop)
+set_prop(vendor_init, tv_config_prop)
+set_prop(vendor_init, tv_prop)
+set_prop(vendor_init, netflix_prop)
+set_prop(vendor_init, vold_prop)
+set_prop(vendor_init, config_prop)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
index dffc5bf..3a5d396 100644
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@@ -6,3 +6,7 @@ allow vold param_tv_file:dir { ioctl open read };
 #for hw keymaster
 allow vold drm_device:chr_file {open read write ioctl};
+
+allow vold fsck_exec:file {execute read open };
+allow vold kernel:system module_request;
+
diff --git a/sepolicy/webview_zygote.te b/sepolicy/webview_zygote.te
index dacd374..3412078 100644
--- a/sepolicy/webview_zygote.te
+++ b/sepolicy/webview_zygote.te
@@ -1,2 +1,3 @@
 allow webview_zygote mnt_expand_file:dir { getattr };
-allow webview_zygote zygote:unix_dgram_socket write;
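Review bot: The vendor_init.te hunk adds `set_prop` for `shell_prop`, `vold_prop` and `config_prop` plus `allow vendor_init ffs_prop:property_service set;`, none of which are defined in this change and all of which look like platform property types. That works against the commit's own goal of keeping vendor and system properties separate at shipping API level 28, and platform policy may reject such rules with a neverallow at build time (not verifiable from this page). I would keep `set_prop` only for the vendor-owned types in the list (`vendor_platform_prop`, `vendor_app_prop` and the device-specific ones) and move whatever the vendor init scripts set under the other four to a `vendor.`-prefixed property. The `ffs_prop` rule is also the only one written as a raw `allow` instead of `set_prop(vendor_init, ffs_prop)`.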
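Review bot: `allow vold kernel:system module_request;` in the vold.te hunk lets vold trigger kernel module autoloading, and nothing in the hunk says which module or filesystem needs it. If the rule was added only to quiet a logged denial, `dontaudit vold kernel:system module_request;` removes the noise without granting the permission. If a module really is required, a comment naming it (`# <module name>: needed for <filesystem>`) should accompany the rule. `allow vold fsck_exec:file {execute read open };` grants `execute` without a visible transition rule in this hunk, so it is worth confirming that fsck still ends up in its own domain.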
\ No newline at end of file
+allow webview_zygote zygote:unix_dgram_socket write;
+allow webview_zygote vendor_file:file { read }; |