blob: 35004556efdada690164f6233080b96433ec4d5d
| 1 | type system_control, domain; |
| 2 | type system_control_exec, exec_type, vendor_file_type, file_type; |
| 3 | |
| 4 | init_daemon_domain(system_control) |
| 5 | |
| 6 | allow system_control vndbinder_device:chr_file { read write open ioctl }; |
| 7 | allow system_control vndservicemanager:binder { call transfer }; |
| 8 | #allow system_control default_android_vndservice:service_manager { add }; |
| 9 | |
| 10 | allow system_control hwservicemanager:binder { call transfer }; |
| 11 | allow system_control { systemcontrol_hwservice hidl_base_hwservice }:hwservice_manager { add }; |
| 12 | |
| 13 | allow system_control sysfs:file rw_file_perms; |
| 14 | allow system_control sysfs_devices_system_cpu:file rw_file_perms; |
| 15 | |
| 16 | allow system_control system_control:netlink_kobject_uevent_socket { create setopt bind read shutdown }; |
| 17 | allow system_control self:capability { net_admin }; |
| 18 | |
| 19 | allow system_control unify_device:chr_file { ioctl open read write }; |
| 20 | |
| 21 | allow system_control vendor_shell_exec:file execute_no_trans; |
| 22 | allow system_control vendor_file:file execute_no_trans; |
| 23 | |
| 24 | allow system_control sysfs_display:dir search; |
| 25 | allow system_control sysfs_di:dir search; |
| 26 | #unix_socket_connect(system_control, vold, vold); |
| 27 | #unix_socket_connect(system_control, property, init); |
| 28 | |
| 29 | allow system_control mnt_vendor_file:dir { add_name write }; |
| 30 | allow system_control mnt_vendor_file:file { create open read write }; |
| 31 | allow system_control sysfs_amvdec:file { open read write }; |
| 32 | |
| 33 | allow system_control mnt_vendor_file:dir { search read open remove_name rmdir }; |
| 34 | allow system_control mnt_vendor_file:file { setattr getattr lock unlink }; |
| 35 | |
| 36 | # Property Service write |
| 37 | #--------------------------------------------------------------------# |
| 38 | # product_shipping_api_level=28 vendor/system cannot share prop |
| 39 | #--------------------------------------------------------------------# |
| 40 | get_prop(system_control, tv_config_prop) |
| 41 | get_prop(system_control, bcmdl_prop) |
| 42 | get_prop(system_control, safemode_prop) |
| 43 | get_prop(system_control, mmc_prop) |
| 44 | get_prop(system_control, device_logging_prop) |
| 45 | get_prop(system_control, vendor_platform_prop) |
| 46 | set_prop(system_control, vendor_platform_prop) |
| 47 | get_prop(system_control, vendor_default_prop) |
| 48 | |
| 49 | set_prop(system_control, media_prop) |
| 50 | get_prop(system_control, media_prop) |
| 51 | get_prop(system_control, aml_display_prop) |
| 52 | set_prop(system_control, uboot_prop) |
| 53 | get_prop(system_control, uboot_prop) |
| 54 | set_prop(system_control, tv_prop) |
| 55 | get_prop(system_control, tv_prop) |
| 56 | |
| 57 | set_prop(system_control, vendor_persist_prop) |
| 58 | get_prop(system_control, vendor_persist_prop) |
| 59 | |
| 60 | set_prop(system_control, netflix_prop) |
| 61 | get_prop(system_control, netflix_prop) |
| 62 | |
| 63 | #get_prop(system_control, wifi_prop) |
| 64 | set_prop(system_control, boottime_prop) |
| 65 | get_prop(system_control, boottime_prop) |
| 66 | |
| 67 | set_prop(system_control, overlay_prop) |
| 68 | get_prop(system_control, overlay_prop) |
| 69 | set_prop(system_control, net_dns_prop) |
| 70 | get_prop(system_control, net_dns_prop) |
| 71 | set_prop(system_control, logpersistd_logging_prop) |
| 72 | get_prop(system_control, logpersistd_logging_prop) |
| 73 | set_prop(system_control, hwservicemanager_prop) |
| 74 | get_prop(system_control, hwservicemanager_prop) |
| 75 | set_prop(system_control, dumpstate_options_prop) |
| 76 | #set_prop(system_control, bluetooth_prop) |
| 77 | #get_prop(system_control, bluetooth_prop) |
| 78 | |
| 79 | set_prop(system_control, persistent_properties_ready_prop) |
| 80 | get_prop(system_control, persistent_properties_ready_prop) |
| 81 | |
| 82 | get_prop(system_control, system_boot_reason_prop) |
| 83 | # ctl interface |
| 84 | set_prop(system_control, ctl_default_prop) |
| 85 | set_prop(system_control, ctl_dhcp_pan_prop) |
| 86 | set_prop(system_control, ctl_bugreport_prop) |
| 87 | |
| 88 | allow system_control block_device:dir r_dir_perms; |
| 89 | |
| 90 | allow system_control sysfs_audio_cap:file {open getattr read}; |
| 91 | allow system_control sysfs_audio:file {open getattr read}; |
| 92 | allow system_control sysfs_video:file rw_file_perms; |
| 93 | allow system_control { sysfs_video sysfs_cec sysfs_am_vecm }:dir { search }; |
| 94 | allow system_control sysfs_cec:file rw_file_perms; |
| 95 | |
| 96 | #allow system_control app_data_file:file rw_file_perms; |
| 97 | |
| 98 | r_dir_file(system_control, domain) |
| 99 | r_dir_file(system_control, binderservicedomain) |
| 100 | r_dir_file(system_control, appdomain) |
| 101 | r_dir_file(system_control, platform_app) |
| 102 | |
| 103 | |
| 104 | allow system_control appdomain:dir { getattr search }; |
| 105 | allow system_control appdomain:file { r_file_perms }; |
| 106 | allow system_control platform_app:dir { search }; |
| 107 | |
| 108 | allow system_control param_tv_file:dir { search read write open add_name remove_name rmdir create }; |
| 109 | allow system_control param_tv_file:file { create open read write setattr getattr lock unlink }; |
| 110 | |
| 111 | #allow system_control shell_exec:file { execute_no_trans execute open read getattr }; |
| 112 | allow system_control sysfs_digital_codec:file { read write }; |
| 113 | #allow system_control system_file:file execute_no_trans; |
| 114 | |
| 115 | allow system_control { env_device cri_block_device }:blk_file { getattr read open write }; |
| 116 | allow system_control self:capability sys_nice; |
| 117 | |
| 118 | allow system_control system_app:binder { call }; |
| 119 | allow system_control droidvold_hwservice:hwservice_manager { find }; |
| 120 | allow system_control droidvold:binder { call }; |
| 121 | |
| 122 | |
| 123 | allow system_control { video_device amvecm_device }:chr_file { read write open ioctl getattr }; |
| 124 | allow system_control di0_device:chr_file { read write open ioctl }; |
| 125 | allow system_control param_tv_file:dir { write search add_name create }; |
| 126 | allow system_control param_tv_file:file { create read write open getattr ioctl}; |
| 127 | allow system_control sysfs_amhdmitx:dir search; |
| 128 | allow system_control sysfs_amvdec:file { create open read write getattr}; |
| 129 | allow system_control sysfs_xbmc:file { read open }; |
| 130 | |
| 131 | allow system_control vendor_configs_file:file { ioctl lock }; |
| 132 | allow system_control sysfs_display:lnk_file { read write open getattr }; |
| 133 | allow system_control { sysfs_display sysfs_am_vecm sysfs_display sysfs_amhdmitx }:file { read write open getattr }; |
| 134 | |
| 135 | allow system_control sysfs_unifykey:dir { search }; |
| 136 | allow system_control sysfs_unifykey:file { read write open }; |
| 137 | allow system_control unlabeled:dir search; |
| 138 | allow system_control sysfs_mpgpu:file rw_file_perms ; |
| 139 | allow system_control hdmirx0_device:chr_file { read write open ioctl getattr }; |
| 140 | |
| 141 | allow system_control exported_system_prop:file { read } ; |
| 142 | get_prop(system_control, exported_system_prop); |
| 143 | |
| 144 | allow system_control tvserver:binder { call transfer }; |
| 145 | allow system_control tvserver_hwservice:hwservice_manager find; |
| 146 | allow system_control sysfs_leds:dir search; |
| 147 | |
| 148 | allow system_control hal_keymaster_hwservice:hwservice_manager { find }; |
| 149 | allow system_control hal_keymaster_default:binder { call }; |
| 150 | allow system_control priv_app:binder { call }; |
| 151 | allow system_control hdmicecd:binder { call transfer }; |
| 152 | allow system_control aml_core_app:binder { call transfer }; |
| 153 | allow system_control hal_graphics_composer_default:binder { call transfer }; |
| 154 | allow system_control platform_app:binder { call transfer }; |
| 155 | allow system_control untrusted_app:binder { call transfer }; |