113 Commits

Author SHA1 Message Date
SamarV-121
22b3052286
sepolicy: Allow init to create wfca_rds sockets
I auditd  : type=1400 audit(0.0:196): avc: denied { create } for comm="init" name="wfca_rds" scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0

Change-Id: I6205d0ac2e30e0558f1a1ba3b57283c433c8ac0b
2023-04-27 14:43:49 +05:30
LinkBoi00
5800f20308
Revert "sepolicy: basic: non_plat: Allow mediacodec to read vendor_mtk_hdr_video_prop"
We did not have necessary rules for vendor_init to set this
but apparently this rule is completely unnecessary anyway.
Labelling this under the vendor_default_prop domain is enough.

This reverts commit 6f21f83c672af237827e0335cd566c1ce4810735.

Change-Id: Ic053bfed210562c173d14f2399c155cba0e9a4f2
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
2023-03-19 22:50:35 +02:00
LinkBoi00
062b82634e sepolicy: basic: non_plat: Allow audio HAL to read and write vendor_mtk_audio_prop
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: I309a6f8e7609b07f1b089ef1bac9b469a3d9e6d4
2023-03-08 12:56:22 +01:00
LinkBoi00
40db888e15 sepolicy: basic: non_plat: Label a few more audio properties
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: I1f9d4c11e84054d34ef83784ffa243acb67c26cf
2023-03-08 12:56:09 +01:00
LinkBoi00
80ca7b0e68 sepolicy: basic: non_plat: Allow rild to access NVRAM HAL
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: Ifdd22bc48d86270a30b9fbbc1b64e654fd4713fa
2023-03-08 12:56:09 +01:00
LinkBoi00
4683bfcc08 sepolicy: basic: non_plat: Label microtrust SE service
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: Id31ce8ccb57c128ba4637e70d4abd466aeedb20f
2023-03-08 12:56:09 +01:00
LinkBoi00
dc84220dbd sepolicy: bsp: plat_private: Fixup musb-hdrc cmode device typo
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: I972c7af0d7ec2f0f85f317d4e0135045c82917a9
2023-02-11 13:15:56 +01:00
LinkBoi00
d62a4a891d
sepolicy: basic: non_plat: Label all versioned secure_element services
Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: I6d314bbc779f9e20157f1886a016758d00fb5e44
2023-02-05 17:37:10 +02:00
LinkBoi00
6b4f51c3b5
sepolicy: basic: non_plat: Label proper location for libaiselector.so
Some devices may move this library from the default location.

Signed-off-by: LinkBoi00 <linkdevel@protonmail.com>
Change-Id: I508cb911fa0264339ed4a29d514bf14966c9528c
2023-02-05 17:36:26 +02:00
Zinadin Zidan
3c90852f99 sepolicy: basic: non_plat: Allow mtk fm app to access /dev/fm
Signed-off-by: Zinadin Zidan <zidan44@pixelexperience.org>
Change-Id: Ie9f4593ae6d122505b39ba212cce939375c7f447
2023-01-02 23:50:36 +01:00
Matsvei Niaverau
3de9a934ad sepolicy: basic: non_plat: Label all versions of MMS service
Change-Id: Ibd41320e5152f7a96143e7967eac9d74e69f3564
2023-01-02 23:50:27 +01:00
SamarV-121
a5ba3aa187 sepolicy: basic: non_plat: Allow mediacodec to read sysfs_boot_mode
W omx@1.0-service: type=1400 audit(0.0:3382): avc: denied { read } for name="boot_mode" dev="sysfs" ino=7123 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_boot_mode:s0 tclass=file permissive=0
E PQ      : [PQ][PQConfig] fail to open: /sys/class/BOOT/BOOT/boot/boot_mode

Change-Id: I1246c6e3290e39968f6fd309c37fcb639178fa14
2023-01-02 23:50:20 +01:00
SamarV-121
b924fa4058 sepolicy: basic: non_plat: Add selinux rules for mtkcodecservice HAL
Change-Id: Ia024bc02b07c45c17475005b4216baa50cee9c13
2023-01-02 23:50:10 +01:00
SamarV-121
ca74f59339 sepolicy: basic: non_plat: Address vpud_native denials
Change-Id: I4be2decf9e054e5313b7fcc7098f26248e708bbb
2023-01-02 23:50:00 +01:00
SamarV-121
440f5f9ee7 sepolicy: basic: non_plat: Address mediaswcodec denials
W oid.avc.decoder: type=1400 audit(0.0:642): avc: denied { connectto } for path="/dev/socket/logdr" scontext=u:r:mediaswcodec:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket permissive=0
I auditd  : type=1400 audit(0.0:1352): avc: denied { write } for comm="oid.avc.decoder" name="logdr" dev="tmpfs" ino=9467 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file permissive=0
crash log: https://pastebin.com/raw/Lhwhhbr0

Change-Id: Ia53ee584c82875e8bce032e0869ae58f60c52217
2023-01-02 23:49:54 +01:00
SamarV-121
173aae2fb1 sepolicy: bsp: non_plat: Grant all network permissions to ipsec_mon
Change-Id: I01ffcf9cc31332f45f9a1d3120c6d2946d3dc650
2023-01-02 23:49:48 +01:00
SamarV-121
6f21f83c67 sepolicy: basic: non_plat: Allow mediacodec to read vendor_mtk_hdr_video_prop
Change-Id: I2d2f602a298f2967b798ac00ce73dac1ec84bb18
2023-01-02 23:49:38 +01:00
SamarV-121
8a583e3348 sepolicy: basic: non_plat: Allow mediacodec to read some props
W omx@1.0-service: type=1400 audit(0.0:117): avc: denied { open } for path="/dev/__properties__/u:object_r:default_prop:s0" dev="tmpfs" ino=12368 scontext=u:r:mediacodec:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
W libc    : Access denied finding property "ro.mtk_deinterlace_support"
W libc    : Access denied finding property "ro.mtk_crossmount_support"
W libc    : Access denied finding property "mtk.vendor.omx.core.log"

Change-Id: I14cbe8a4e6a7892b0b34d05c86b68281291d6579
2023-01-02 23:49:27 +01:00
SamarV-121
224041dad4 sepolicy: basic: plat_private: Remove mapping files
Change-Id: I4d89bae940f6a367e3cf47fa52283bda689150d6
2023-01-02 23:49:22 +01:00
Matsvei Niaverau
f40f049d12 fixup! sepolicy: basic: non_plat: Add rules for MediaTek GPU HAL
* Dropped in S sepolicy but we need it since we have blobs from R.
Change-Id: I6a232495fcf9087cfbc8212806bb805d50cad091
2023-01-02 23:49:16 +01:00
bengris32
812fea90fa sepolicy: basic: non_plat: Allow all untrusted apps to read thermal info
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I84215736966a2e6637483f74b307442436b17c30
2023-01-02 23:49:01 +01:00
bengris32
952e2e6368 sepolicy: basic: non_plat: Drop proc_cpu_alignment type
* Moved into AOSP sepolicy.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I531fed8839ed7c667e21fc4d370427f1094cd50e
2023-01-02 23:48:55 +01:00
TheMalachite
e24c0688e9 sepolicy: bsp: Fix Netflix widevine L1 denials
Change-Id: I9553462fea01deb7d953d0c885218d3490dcfee7
Reviewed-on: https://review.statixos.com/c/android_device_mediatek_sepolicy_vndr/+/7763
Reviewed-by: Vaisakh Murali <mvaisakh@statixos.com>
Tested-by: Vaisakh Murali <mvaisakh@statixos.com>
2023-01-02 23:48:50 +01:00
bengris32
695d5c0359 sepolicy: basic: non_plat: Address Audio HAL tcp_socket neverallow
* Due to system SEPolicy/audioserver changes in Android 13,
  mtk_hal_audio needs to be allowed to create and use TCP sockets.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I8d1d0034dfeb64ede815f7c7c7249ee034dd9528
2023-01-02 23:48:40 +01:00
bengris32
0f2e6efe70 sepolicy: basic: non_plat: Drop proc_watermark_boost_factor type
* Already defined in AOSP sepolicy.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I816928df2d63b0076170478660c5892b6aa391d7
2023-01-02 23:48:33 +01:00
bengris32
b2fd09835a sepolicy: basic: non_plat: Drop proc_watermark_scale_factor type
* Defined in AOSP T sepolicy.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I0de4eef26238c2414adcdfe658173a0cac2dfc82
2023-01-02 23:48:24 +01:00
bengris32
a17351d505 sepolicy: basic: non_plat: Rename sysfs_gpu to sysfs_gpu_mtk
* A duplicate type is already defined in AOSP sepolicy.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I8721e4556aaabd1202a5b3c6b8bd44b6ce95ca43
2023-01-02 23:48:15 +01:00
bengris32
13193b0c71 sepolicy: basic: non_plat: Drop sysfs_block type
* The sysfs_block type was removed in the T sepolicy.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ib301a4b49d1a74013923fc6c56ade1a2a3c5c13d
2023-01-02 23:48:05 +01:00
bengris32
3538c267c2 sepolicy: basic: non_plat: Add rules for MediaTek GPU HAL
* Dropped in S sepolicy but we need it since we have
  blobs from R.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ifb8fa7d8e28b1d74c1bf3ea6b817afd3c84a90c6
2023-01-02 23:47:59 +01:00
bengris32
9235669c21 sepolicy: bsp: non_plat: Label camera debuglog props
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I5c3c83f5d655426b1fce1fa43b3bcb7f009ee624
2023-01-02 23:47:52 +01:00
Vaisakh Murali
aea3299924 sepolicy: Build with broken namespaces
The userspace blobs that we have are proprietary. Rather than hex
editing each one of those blobs to match the allowed namespaces, it
is better to avoid the restriction as a whole.
This is needed until we have newer userspace blobs with proper
property namespaces allowed by the VTS.

Signed-off-by: Vaisakh Murali <mvaisakh@statixos.com>
Change-Id: I2abc9821f28885a89cf8905a58475a68766d38d2
Reviewed-on: https://review.statixos.com/c/android_device_mediatek_sepolicy_vndr/+/6330
Reviewed-by: Vaisakh Murali <vaisakhmurali@gmail.com>
Tested-by: Vaisakh Murali <vaisakhmurali@gmail.com>
2023-01-02 23:47:43 +01:00
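Added example, not code from this repository: a small audit2allow-style helper that turns the `avc: denied` lines quoted in the mediaswcodec and mediacodec commits above into candidate allow rules, flags the ones where an allow rule is usually the wrong fix (a catch-all target such as default_prop, or a process domain as target), and checks the property names from the `Access denied finding property` lines against vendor namespace prefixes, the check the "Build with broken namespaces" commit above works around. The sample log is constructed from the lines quoted in those commits plus one made-up compliant property; the prefix list and the catch-all type set are simplifying assumptions of this example, not rules taken from the repo.

```python
"""audit2allow-style triage for the avc denials quoted in this commit log."""
import re
from collections import defaultdict

# Constructed sample input: the denial lines from the mediaswcodec and
# mediacodec commits above, the two libc lines from the same commit, and one
# made-up compliant property line to show the namespace check passing.
SAMPLE_LOG = """\
W oid.avc.decoder: type=1400 audit(0.0:642): avc: denied { connectto } for path="/dev/socket/logdr" scontext=u:r:mediaswcodec:s0 tcontext=u:r:logd:s0 tclass=unix_stream_socket permissive=0
I auditd  : type=1400 audit(0.0:1352): avc: denied { write } for comm="oid.avc.decoder" name="logdr" dev="tmpfs" ino=9467 scontext=u:r:mediaswcodec:s0 tcontext=u:object_r:logdr_socket:s0 tclass=sock_file permissive=0
W omx@1.0-service: type=1400 audit(0.0:117): avc: denied { open } for path="/dev/__properties__/u:object_r:default_prop:s0" dev="tmpfs" ino=12368 scontext=u:r:mediacodec:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
W omx@1.0-service: type=1400 audit(0.0:3382): avc: denied { read } for name="boot_mode" dev="sysfs" ino=7123 scontext=u:r:mediacodec:s0 tcontext=u:object_r:sysfs_boot_mode:s0 tclass=file permissive=0
W libc    : Access denied finding property "ro.mtk_deinterlace_support"
W libc    : Access denied finding property "mtk.vendor.omx.core.log"
W libc    : Access denied finding property "persist.vendor.example.flag"
"""

DENIAL_RE = re.compile(
    r"avc: denied \{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)
PROP_RE = re.compile(r'Access denied finding property "(?P<name>[^"]+)"')

# Assumption of this example: a simplified set of prefixes a vendor-owned
# property may use. The authoritative check is the VTS property-namespace
# test that the "Build with broken namespaces" commit works around.
VENDOR_PROP_PREFIXES = ("vendor.", "ro.vendor.", "persist.vendor.")

# Assumption: catch-all target types. A denial against one of these usually
# means the object is unlabelled; the fix is a label, not an allow rule.
RELABEL_TARGETS = {"default_prop", "unlabeled"}


def parse_denials(log_text):
    """Return one dict per `avc: denied` line; other lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = set(d["perms"].split())
        d["source"] = d["scontext"].split(":")[2]  # u:r:mediacodec:s0 -> mediacodec
        d["target"] = d["tcontext"].split(":")[2]
        d["target_is_domain"] = d["tcontext"].split(":")[1] == "r"
        d["enforced"] = d["permissive"] != "1"  # permissive=1 means it was only logged
        denials.append(d)
    return denials


def rule_text(source, target, tclass, perms):
    return f"allow {source} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def to_allow_rules(denials):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return [rule_text(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


def triage(denials):
    """Map candidate rules to a note when an allow rule is probably the wrong fix."""
    notes = {}
    for d in denials:
        rule = rule_text(d["source"], d["target"], d["tclass"], d["perms"])
        if d["target"] in RELABEL_TARGETS:
            notes[rule] = f"{d['target']} is a catch-all type: label the object instead"
        elif d["target_is_domain"]:
            notes[rule] = "target is a process domain: check neverallows before granting IPC"
    return notes


def non_namespaced_props(log_text):
    """Property names from libc 'Access denied' lines outside the vendor namespaces."""
    return [m.group("name") for m in PROP_RE.finditer(log_text)
            if not m.group("name").startswith(VENDOR_PROP_PREFIXES)]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    notes = triage(found)
    for rule in to_allow_rules(found):
        print(rule, "#", notes.get(rule, "ok"))
    for name in non_namespaced_props(SAMPLE_LOG):
        print("property outside vendor namespace:", name)
```

Run it on a `logcat` or `dmesg` capture instead of `SAMPLE_LOG` to get the same output for a real device. The two flagged rules correspond to the fixes the log above actually took: the default_prop denial was resolved by labelling the properties, and a rule that lets a domain connect to logd's socket is worth checking against the neverallows in the system policy before it is added.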
bengris32
6f37ffbe81 sepolicy: bsp: non_plat: Label ril.cdma.inecmmode property
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I9dbbc28d5c3b047c1fce6e759e88c432f254242f
2023-01-02 23:47:36 +01:00
bengris32
7dde2a48b4 sepolicy: basic: non_plat: Label MediaTek latch_unsignaled property
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ie217b7a61701452a4b49a74af8720d286e8b8266
2023-01-02 23:47:27 +01:00
Vaisakh Murali
efb8514231 sepolicy: basic/non_plat: Allow nvram_daemon to search gsi_metadata
Change-Id: Iec92c6e142e7c080876aa33ea90a20c76a49180e
2023-01-02 23:47:19 +01:00
Zinadin Zidan
8b8dc4fb5f sepolicy: basic: non_plat: Allow nvram_daemon to search metadata files
Signed-off-by: Zinadin Zidan <zidan44@pixelexperience.org>
Change-Id: Ib74216772112fb8613d4de3178a2777dc5dc7d7e
2023-01-02 23:47:15 +01:00
bengris32
3afd698bbd sepolicy: basic: non_plat: Address nvram_daemon denials
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I86df292fa27eb3756deaf537085607c20c7f6a99
2023-01-02 23:47:00 +01:00
bengris32
f5923e2c19 sepolicy: basic: non_plat: Label some misc MDP properties
* Also define a new type for these miscellaneous properties.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ifa3dde2836771ca6c0de2fa9a4357f3787e2e61f
2023-01-02 23:46:56 +01:00
bengris32
ee38ef4445 sepolicy: basic: non_plat: Label some dp logging properties
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I05d4cf0e33ff3b6f4b5a04552c6549ee90c60e4d
2023-01-02 23:46:41 +01:00
bengris32
d79c75256b sepolicy: basic: non_plat: Label ro.vendor.globalpq.support property
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Id8bf17af4ec6848555bd964a17b128473ca5c3fc
2023-01-02 23:46:36 +01:00
bengris32
02da8c9f4c sepolicy: basic: non_plat: Label another PQ prop prefix
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I4a6fef51827ead08284a3d29c4d5b49d2f1675f2
2023-01-02 23:46:28 +01:00
bengris32
4444a0ec73 sepolicy: basic: non_plat: Label all versions of Bluetooth service
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I1665247d7b297f431bc31d6077e6cc75d060c253
2023-01-02 23:46:15 +01:00
bengris32
367ef77f0d sepolicy: bsp: non_plat: Label ccci_fsd executable
* This label was dropped in S sepolicy but the rules
  for it are still here.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I7e0aab508243629faa846249516c46c95fd246bf
2023-01-02 23:46:05 +01:00
bengris32
ed9ea3b405 sepolicy: bsp: non_plat: Label MTK keyinstall interface
* This was dropped in the S sepolicy, but we still need
  it since we're on R blobs.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ie0c2ea88b1a8aed96183cce856bbdb0b73c50f65
2023-01-02 23:45:59 +01:00
bengris32
2e9c05d5e0 sepolicy: basic: non_plat: Separate Core NFC data from vendor
* Required to pass new SEPolicy tests.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I9d137c9e156692b798161afae7e61b604d839cda
2023-01-02 23:45:51 +01:00
bengris32
05133df612 sepolicy: basic: non_plat: Label libpq_cust.so
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I6b200cfff7ceeb4922338fb75b4be663773941ee
2023-01-02 23:45:38 +01:00
bengris32
2cdb5b6db5 sepolicy: basic: non_plat: Allow NFC HAL to create files
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I533fe5352a98e469d0baa063cb676191e674eb98
2023-01-02 23:45:31 +01:00
bengris32
5aa558a7d6 sepolicy: basic: non_plat: Allow rild to set vendor_mtk_md_prop
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I0736d58a7cd93f09880507d0fecfb341cb8f9781
2023-01-02 23:45:26 +01:00
bengris32
88370c7038 sepolicy: basic: non_plat: Label NFC data files
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ib73bd3960721a087f7d2626291d43c7c65aa2220
2023-01-02 23:45:17 +01:00
bengris32
747c0bcfa5 sepolicy: basic: non_plat: Add SEPolicy rules for NFC HAL
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: I9f10189eaedf02eb4ed8c0eaf354a65857de9bc8
2023-01-02 23:45:04 +01:00
bengris32
023535373b sepolicy: basic: non_plat: Allow CameraHAL to set vendor_mtk_emcamera_prop
Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ie11e1ebd3cead23d9e2a769d64f514f9c302b63b
2023-01-02 23:44:56 +01:00