From cd903ec19e5c6ddf80790cd4a0461c119fe8d82c Mon Sep 17 00:00:00 2001
From: Anushek Prasal
Date: Sun, 11 Sep 2022 20:20:15 +0530
Subject: [PATCH 01/20] sepolicy: Init Havoc

Signed-off-by: Anushek Prasal
---
 common/private/file_contexts | 2 +-
 common/private/seapp_contexts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/private/file_contexts b/common/private/file_contexts
index a441605..b761186 100644
--- a/common/private/file_contexts
+++ b/common/private/file_contexts
@@ -5,7 +5,7 @@
 /system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
 # OTA packages
-/data/lineageos_updates(/.*)? u:object_r:ota_package_file:s0
+/data/havoc_updates(/.*)? u:object_r:ota_package_file:s0
 # Postinstall
 /system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index a960b57..6e5270d 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts
@@ -1 +1 @@
-user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user

From 9458e6a68a71fbaa812c8f5a1f438efa27409703 Mon Sep 17 00:00:00 2001
From: Anushek Prasal
Date: Sun, 8 Dec 2019 13:32:46 +0530
Subject: [PATCH 02/20] sepolicy: Allow system_server to read and write to sysfs_battery_supply

Signed-off-by: Anushek Prasal
---
 qcom/dynamic/system_server.te | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 qcom/dynamic/system_server.te

diff --git a/qcom/dynamic/system_server.te b/qcom/dynamic/system_server.te
new file mode 100644
index 0000000..924aa54
--- /dev/null
+++ b/qcom/dynamic/system_server.te
@@ -0,0 +1 @@
+allow system_server sysfs_battery_supply:file rw_file_perms;

From 2b2c847dc0a8a1b685ce4e3f8e44f0cf7460bc71 Mon Sep 17 00:00:00 2001
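Review bot: `allow system_server sysfs_battery_supply:file rw_file_perms;` is the entire new qcom/dynamic/system_server.te and carries no comment, so a later reader cannot tell which sysfs node system_server writes or which feature needs it, and rw_file_perms grants every read and write operation on every file carrying that label rather than one attribute write. The commit title says read and write, but the motivating denial is not in the message, so the hunk alone does not show which operations were actually refused. I would put `# <feature> in system_server writes <node> (labelled sysfs_battery_supply); see commit message` above the rule with the real node filled in, and narrow it to r_file_perms if the write turns out to be unnecessary.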
From: Pranav Vashi
Date: Tue, 5 May 2020 09:38:48 +0530
Subject: [PATCH 03/20] sepolicy: Allow key disabler access for platform

Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/platform_app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index 07183e7..dfe41b2 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -9,3 +9,6 @@ hal_client_domain(platform_app, hal_lineage_livedisplay)
 # Allow PowerShare HAL service to be found
 hal_client_domain(platform_app, hal_lineage_powershare)
+
+# Allow Touch HAL service to be found
+hal_client_domain(platform_app, hal_lineage_touch)

From ba7f2bc429ae5c8ed46f21e3269655037af79295 Mon Sep 17 00:00:00 2001
From: Jabiyeff
Date: Fri, 2 Jul 2021 16:09:05 +0400
Subject: [PATCH 04/20] updater_app: Address uncrypt denials

* This will be fix OTA install problem on F2FS format type

Signed-off-by: Jabiyeff
Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/uncrypt.te | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 common/private/uncrypt.te

diff --git a/common/private/uncrypt.te b/common/private/uncrypt.te
new file mode 100644
index 0000000..9638596
--- /dev/null
+++ b/common/private/uncrypt.te
@@ -0,0 +1,2 @@
+allow uncrypt cache_file:dir rw_dir_perms;
+allow uncrypt cache_file:file create_file_perms;

From 70dadbfbeb96713b023f8e576e4d04cfb8b74b33 Mon Sep 17 00:00:00 2001
From: Pranav Vashi
Date: Sat, 11 Apr 2020 16:26:12 +0530
Subject: [PATCH 05/20] Allow platform access for fps info

Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 qcom/vendor/platform_app.te | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 qcom/vendor/platform_app.te

diff --git a/qcom/vendor/platform_app.te b/qcom/vendor/platform_app.te
new file mode 100644
index 0000000..4e59fee
--- /dev/null
+++ b/qcom/vendor/platform_app.te
@@ -0,0 +1,3 @@
+# Allow FPS access to system
+allow platform_app sysfs_graphics:dir search;
+allow platform_app sysfs_graphics:file r_file_perms;

From 151a6fb37470812a8ec6ecb1d800c67008b76017 Mon Sep 17 00:00:00 2001
From: Pranav Vashi
Date: Wed, 19 Jan 2022 02:21:12 +0530
Subject: [PATCH 06/20] Allow updater to read data files

Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/updater_app.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/private/updater_app.te b/common/private/updater_app.te
index 91b63a0..915885f 100644
--- a/common/private/updater_app.te
+++ b/common/private/updater_app.te
@@ -19,6 +19,9 @@ allow updater_app cache_file:dir r_dir_perms;
 allow updater_app cache_recovery_file:dir rw_dir_perms;
 allow updater_app cache_recovery_file:file create_file_perms;
+allow updater_app system_data_file:dir r_dir_perms;
+allow updater_app user_profile_root_file:dir r_dir_perms;
+
 allow updater_app ota_package_file:dir create_dir_perms;
 allow updater_app ota_package_file:file create_file_perms;

From 13024ea6b3582bd06bcd5e35af5a709fe5678e85 Mon Sep 17 00:00:00 2001
From: Nvertigo
Date: Sat, 23 Mar 2019 15:54:21 +0100
Subject: [PATCH 07/20] sepolicy: Fix OTA auto-flashing with encrypted f2fs

If userdata is on f2fs and encrypted (stock config for userdata), /cache/recovery/block.map is not created due to this denial:
05-01 13:43:47.512 6538 6538 W uncrypt : type=1400 audit(0.0:10): avc: denied { sys_admin } for capability=21 scontext=u:r:uncrypt:s0 tcontext=u:r:uncrypt:s0 tclass=capability permissive=0
Without block.map the automatic flashing of the OTA without user interaction fails, and the user needs to manually mount data, and flash the OTA manually.

Change-Id: I6ecb84e8b730d4c641a8bd8769043dfbfb817b83
Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/uncrypt.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/private/uncrypt.te b/common/private/uncrypt.te
index 9638596..d8fd2c7 100644
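Review bot: The comment `# Allow FPS access to system` in qcom/vendor/platform_app.te is ambiguous: in an Android policy file "FPS" reads as fingerprint as readily as frame rate, and only the sysfs_graphics label hints at the latter. I would spell it out and state the real scope, e.g. `# Allow every platform-signed app to read the display frame-rate (FPS) nodes under sysfs_graphics` — presumably frame rate, given the label, but the hunk does not say which node is read.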
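Review bot: `allow updater_app system_data_file:dir r_dir_perms;` lets the updater list every directory labelled system_data_file, which is the bulk of /data, and `allow updater_app user_profile_root_file:dir r_dir_perms;` the profile root, yet neither the hunk nor the commit message says which path the updater walks or quotes the denial, so the grant cannot be checked against its need. A comment naming the path and denial above the two rules would let a reviewer confirm the scope, e.g. `# Updater walks <path> to locate the package (denial: <avc line>)`. If only one directory is needed, a dedicated label for it in file_contexts would be narrower than a read grant on system_data_file:dir.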
--- a/common/private/uncrypt.te
+++ b/common/private/uncrypt.te
@@ -1,2 +1,5 @@
 allow uncrypt cache_file:dir rw_dir_perms;
 allow uncrypt cache_file:file create_file_perms;
+
+# OTA with encrypted f2fs
+allow uncrypt self:capability sys_admin;

From 5876ac162b4af828e0c2dde359194dae554e09b3 Mon Sep 17 00:00:00 2001
From: Pranav Vashi
Date: Fri, 1 Apr 2022 21:17:40 +0530
Subject: [PATCH 08/20] sepolicy: Label skip unconfigure prop

Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/property_contexts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/common/private/property_contexts b/common/private/property_contexts
index af7e1b4..0009a64 100644
--- a/common/private/property_contexts
+++ b/common/private/property_contexts
@@ -1,6 +1,7 @@
 # Aux camera
 vendor.camera.aux.packageexcludelist u:object_r:vendor_persist_camera_prop:s0
 vendor.camera.aux.packagelist u:object_r:vendor_persist_camera_prop:s0
+vendor.camera.skip_unconfigure.packagelist u:object_r:vendor_persist_camera_prop:s0
 # Bluetooth
 bluetooth.hci.disabled_commands u:object_r:bluetooth_config_prop:s0

From 2c09c33e39330688815fe2c5f836b6e7d6c39a23 Mon Sep 17 00:00:00 2001
From: Pranav Vashi
Date: Sat, 16 Apr 2022 01:29:19 +0530
Subject: [PATCH 09/20] Allow apps to access usap pool

Signed-off-by: Pranav Vashi
Signed-off-by: Anushek Prasal
---
 common/private/appdomain.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/common/private/appdomain.te b/common/private/appdomain.te
index 72760a6..a9eda51 100644
--- a/common/private/appdomain.te
+++ b/common/private/appdomain.te
@@ -1 +1,3 @@
 get_prop(appdomain, vendor_persist_camera_prop)
+
+allow appdomain zygote:unix_stream_socket getopt;

From 2bf8aa2ceef4de03fec1086e17eab45706da9d2f Mon Sep 17 00:00:00 2001
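Review bot: `allow uncrypt self:capability sys_admin;` hands uncrypt CAP_SYS_ADMIN, the broadest Linux capability, and the comment `# OTA with encrypted f2fs` does not say which operation needs it, so nobody can later judge whether a narrower grant has become possible. The commit message has the exact denial (`avc: denied { sys_admin } for capability=21 ... scontext=u:r:uncrypt:s0`) and the file being created; I would put both into the comment, e.g. `# Needed to create /cache/recovery/block.map on encrypted f2fs userdata (capability=21 denial, see commit)`. Because the rule lives in common/private it applies to every device built from this tree, not only those with encrypted f2fs; if that is intended the comment should say so.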
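Review bot: `allow appdomain zygote:unix_stream_socket getopt;` is granted to every app domain, untrusted ones included, with no comment, and the denial that motivated it is not recorded in the message, so the rule cannot later be matched to a need. I would add `# USAP pool: apps need getopt on the zygote socket they inherit (denial: <avc line>)` above it. Whether this socket access is covered by a neverallow in the base policy this tree builds against I can't tell from the hunk; worth checking before widening appdomain.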
From: Lucas Dupin
Date: Wed, 11 Aug 2021 19:57:41 -0700
Subject: [PATCH 10/20] sepolicy: Allow boot color propagation

Allows SystemUI to write the boot color sysprop

Test: manual
Bug: 190093578
Change-Id: I844a4dae87fe09a09ff3368c540ffab5f745d455
(cherry picked from commit 8a586e678656b6359220ef208fc237ccf3823e2c)
Signed-off-by: Karan Parashar
Signed-off-by: Anushek Prasal
---
 common/private/platform_app.te | 4 ++++
 common/private/property_contexts | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/common/private/platform_app.te b/common/private/platform_app.te
index dfe41b2..b9e46ba 100644
--- a/common/private/platform_app.te
+++ b/common/private/platform_app.te
@@ -12,3 +12,7 @@ hal_client_domain(platform_app, hal_lineage_powershare)
 # Allow Touch HAL service to be found
 hal_client_domain(platform_app, hal_lineage_touch)
+
+# allow systemui to set boot animation colors
+get_prop(platform_app, bootanim_system_prop)
+set_prop(platform_app, bootanim_system_prop)
diff --git a/common/private/property_contexts b/common/private/property_contexts
index 0009a64..af53600 100644
--- a/common/private/property_contexts
+++ b/common/private/property_contexts
@@ -15,5 +15,11 @@ ro.minui.default_touch_rotation u:object_r:recovery_config_prop:s0
 # Recovery update
 persist.vendor.recovery_update u:object_r:recovery_update_prop:s0
+# Themed Bootanimation dynamic colors
+persist.bootanim.color1 u:object_r:bootanim_system_prop:s0
+persist.bootanim.color2 u:object_r:bootanim_system_prop:s0
+persist.bootanim.color3 u:object_r:bootanim_system_prop:s0
+persist.bootanim.color4 u:object_r:bootanim_system_prop:s0
+
 # xtra-daemon control
 persist.sys.xtra-daemon.enabled u:object_r:xtra_control_prop:s0 exact bool

From d0ba6429229d4bea804916f85680dcc0f1b5f51b Mon Sep 17 00:00:00 2001
From: jhonboy121
Date: Sun, 29 Jan 2023 17:18:38 +0100
Subject: [PATCH 11/20] sepolicy: introduce app lock [2/4]

Signed-off-by: jhonboy121
Signed-off-by: Pranav Vashi
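Review bot: `set_prop(platform_app, bootanim_system_prop)` lets every platform-signed app set the boot-animation colour properties, while the comment `# allow systemui to set boot animation colors` names only SystemUI. The comment should state the scope the rule actually has, e.g. `# allow platform-signed apps (SystemUI sets them) to read and set boot animation colors`; whether this tree has a narrower domain SystemUI could use instead I can't tell from the hunk.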
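Review bot: The four `persist.bootanim.colorN` entries declare no property type, while the neighbouring context line `persist.sys.xtra-daemon.enabled u:object_r:xtra_control_prop:s0 exact bool` does, so property_service will accept any value for the colours. If the values have a fixed format, appending `exact string` (or the matching type) to each of the four lines keeps the file consistent and gets the value checked when it is set.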
Signed-off-by: Anushek Prasal
---
 common/private/service.te | 1 +
 common/private/service_contexts | 1 +
 common/private/system_server.te | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/common/private/service.te b/common/private/service.te
index 86f6e4c..2744b53 100644
--- a/common/private/service.te
+++ b/common/private/service.te
@@ -1,4 +1,5 @@
 type adbroot_service, service_manager_type;
+type app_lock_service, system_api_service, system_server_service, service_manager_type;
 type lineage_hardware_service, system_api_service, system_server_service, service_manager_type;
 type lineage_health_interface_service, system_api_service, system_server_service, service_manager_type;
 type lineage_globalactions_service, system_api_service, system_server_service, service_manager_type;
diff --git a/common/private/service_contexts b/common/private/service_contexts
index cd984cb..2d14d29 100644
--- a/common/private/service_contexts
+++ b/common/private/service_contexts
@@ -6,3 +6,4 @@ lineagetrust u:object_r:lineage_trust_service:s0
 profile u:object_r:lineage_profile_service:s0
 adbroot_service u:object_r:adbroot_service:s0
+app_lock u:object_r:app_lock_service:s0
diff --git a/common/private/system_server.te b/common/private/system_server.te
index e396fa5..7f2bf24 100644
--- a/common/private/system_server.te
+++ b/common/private/system_server.te
@@ -2,6 +2,8 @@ allow system_server storage_stub_file:dir getattr;
 allow system_server adbroot_service:service_manager find;
+add_service(system_server, app_lock_service);
+
 # Use HALs
 hal_client_domain(system_server, hal_lineage_fastcharge)
 hal_client_domain(system_server, hal_lineage_health)

From 3d074c3b574f67ce4b30c8c1b6af92005f5c2e0b Mon Sep 17 00:00:00 2001
From: Dyneteve
Date: Fri, 30 Oct 2020 11:27:36 +0100
Subject: [PATCH 12/20] sepolicy: Add flipendo sepolicy rules

Change-Id: Iba3d327ea3036911a004505bee2e27f8fb854fb1
Signed-off-by: Anushek Prasal
---
 common/private/flipendo.te | 28 ++++++++++++++++++++++++++++
 common/private/seapp_contexts | 1 +
 2 files changed, 29 insertions(+)
 create mode 100644 common/private/flipendo.te

diff --git a/common/private/flipendo.te b/common/private/flipendo.te
new file mode 100644
index 0000000..aaa0822
--- /dev/null
+++ b/common/private/flipendo.te
@@ -0,0 +1,28 @@
+type flipendo, domain, coredomain;
+app_domain(flipendo)
+
+# HwBinder IPC from client to flipendo
+binder_call(hal_power_client, flipendo)
+
+# HwBinder IPC from flipendo to statsd
+binder_call(flipendo, statsd)
+
+# HwBinder IPC from flipendo to gpuservice, and callbacks
+binder_call(gpuservice, flipendo)
+binder_call(flipendo, gpuservice)
+
+# HwBinder IPC from stats_service_server to flipendo, and callbacks
+binder_call(stats_service_server, flipendo)
+binder_call(flipendo, stats_service_server)
+
+# Allow flipendo to find app_api_service
+allow flipendo app_api_service:service_manager find;
+
+# Allow flipendo to find fwk_stats_hwservice
+allow flipendo fwk_stats_hwservice:hwservice_manager find;
+
+# Allow flipendo to find color_display_service
+allow flipendo color_display_service:service_manager find;
+
+# Allow flipendo to find hal_power_service
+allow flipendo hal_power_service:service_manager find;
\ No newline at end of file
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index 6e5270d..12daa20 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts
@@ -1 +1,2 @@
 user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user
+user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all

From 9d50d265d5b1fc87ce290b7c8c3b60ceeee70eac Mon Sep 17 00:00:00 2001
From: jhenrique09
Date: Fri, 20 Nov 2020 17:32:06 -0300
Subject: [PATCH 13/20] sepolicy: Add turbo_adapter rules

Change-Id: I8be569572ba99b8fabac53280f229c67d1cb893b
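Review bot: common/private/flipendo.te is added without a trailing newline (the hunk ends in `\ No newline at end of file`), and common/private/turbo_adapter.te in the next patch has the same defect; terminate each file with a newline after its last `allow ...;` line so later edits to that line diff cleanly. The comments `# HwBinder IPC ...` sit above `binder_call(...)` macros, and the hunk gives no way to confirm that these are HwBinder rather than framework binder calls, so the neutral wording `# Binder IPC from client to flipendo` would be safer.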
Signed-off-by: Anushek Prasal
---
 common/private/seapp_contexts | 1 +
 common/private/turbo_adapter.te | 13 +++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 common/private/turbo_adapter.te

diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index 12daa20..bb7120c 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts
@@ -1,2 +1,3 @@
 user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user
 user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all
diff --git a/common/private/turbo_adapter.te b/common/private/turbo_adapter.te
new file mode 100644
index 0000000..5ad6723
--- /dev/null
+++ b/common/private/turbo_adapter.te
@@ -0,0 +1,13 @@
+# Normal platform_apps cannot access PowerHAL, so we need to define our own domain. Unfortunately
+# this means that TurboAdapter doesn't get the platform_app permissions any more, so we need to
+# list everything that it needs here.
+
+type turbo_adapter, domain, coredomain;
+
+app_domain(turbo_adapter)
+
+# To use ServiceManager
+allow turbo_adapter app_api_service:service_manager find;
+
+# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
+allow turbo_adapter hal_power_service:service_manager find;
\ No newline at end of file

From 5d368cb511d0976ff6fd0681801be546c1b16c1c Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Sun, 25 Apr 2021 03:13:40 -0400
Subject: [PATCH 14/20] sepolicy: move flipendo to dynamic so that it can call power HAL through binder

Signed-off-by: Chenyang Zhong
Change-Id: Ifaf0e22436cccaaa63038fd1e5fcefa77a1d881d
Signed-off-by: Anushek Prasal
---
 common/{private => dynamic}/flipendo.te | 0
 common/dynamic/seapp_contexts | 1 +
 common/private/seapp_contexts | 1 -
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename common/{private => dynamic}/flipendo.te (100%)
 create mode 100644 common/dynamic/seapp_contexts

diff --git a/common/private/flipendo.te b/common/dynamic/flipendo.te
similarity index 100%
rename from common/private/flipendo.te
rename to common/dynamic/flipendo.te
diff --git a/common/dynamic/seapp_contexts b/common/dynamic/seapp_contexts
new file mode 100644
index 0000000..ebf7fe4
--- /dev/null
+++ b/common/dynamic/seapp_contexts
@@ -0,0 +1 @@
+user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index bb7120c..9da6886 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts
@@ -1,3 +1,2 @@
 user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user
-user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all

From 974e1380fc2484587f87944ecb6e6e9cff45e30d Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Sun, 25 Apr 2021 17:23:45 -0400
Subject: [PATCH 15/20] sepolicy: move turbo_adapter to dynamic

Signed-off-by: Chenyang Zhong
Change-Id: I41c4d6c30433f875cd85ed44cf0c5eea32d7647c
Signed-off-by: Anushek Prasal
---
 common/dynamic/seapp_contexts | 1 +
 common/{private => dynamic}/turbo_adapter.te | 0
 common/private/seapp_contexts | 1 -
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename common/{private => dynamic}/turbo_adapter.te (100%)

diff --git a/common/dynamic/seapp_contexts b/common/dynamic/seapp_contexts
index ebf7fe4..f4775d5 100644
--- a/common/dynamic/seapp_contexts
+++ b/common/dynamic/seapp_contexts
@@ -1 +1,2 @@
 user=_app seinfo=platform name=com.google.android.flipendo domain=flipendo type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all
diff --git a/common/private/turbo_adapter.te b/common/dynamic/turbo_adapter.te
similarity index 100%
rename from common/private/turbo_adapter.te
rename to common/dynamic/turbo_adapter.te
diff --git a/common/private/seapp_contexts b/common/private/seapp_contexts
index 9da6886..6e5270d 100644
--- a/common/private/seapp_contexts
+++ b/common/private/seapp_contexts
@@ -1,2 +1 @@
 user=_app isPrivApp=true seinfo=platform name=com.havoc.updater domain=updater_app type=app_data_file levelFrom=user
-user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all

From dc2fb5553fe73eb0c8ccad68b6e731e4a133bb1a Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Sun, 25 Apr 2021 17:24:34 -0400
Subject: [PATCH 16/20] sepolicy: correctly set turbo_adapter as a client of power HAL

ref: hardware/google/pixel-sepolicy/turbo_adapter/turbo_adapter.te

Signed-off-by: Chenyang Zhong
Change-Id: I59a789348b690888273dd765b68b0bb9a9774d4f
Signed-off-by: Anushek Prasal
---
 common/dynamic/turbo_adapter.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/dynamic/turbo_adapter.te b/common/dynamic/turbo_adapter.te
index 5ad6723..b2f0202 100644
--- a/common/dynamic/turbo_adapter.te
+++ b/common/dynamic/turbo_adapter.te
@@ -10,4 +10,4 @@ app_domain(turbo_adapter)
 allow turbo_adapter app_api_service:service_manager find;
 # To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
-allow turbo_adapter hal_power_service:service_manager find;
\ No newline at end of file
+hal_client_domain(turbo_adapter, hal_power)

From 36d5ac6ce0fbbed413c0e6d6d1db898b4cb7a6d4 Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Sun, 25 Apr 2021 18:01:23 -0400
Subject: [PATCH 17/20] sepolicy: correctly set flipendo as a client of power HAL

ref: hardware/google/pixel-sepolicy/flipendo/flipendo.te

Signed-off-by: Chenyang Zhong
Change-Id: I05b37fa3c273e6c105fe413568a07a1bdb235613
Signed-off-by: Anushek Prasal
---
 common/dynamic/flipendo.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/dynamic/flipendo.te b/common/dynamic/flipendo.te
index aaa0822..b3df802 100644
--- a/common/dynamic/flipendo.te
+++ b/common/dynamic/flipendo.te
@@ -25,4 +25,4 @@ allow flipendo fwk_stats_hwservice:hwservice_manager find;
 allow flipendo color_display_service:service_manager find;
 # Allow flipendo to find hal_power_service
-allow flipendo hal_power_service:service_manager find;
\ No newline at end of file
+hal_client_domain(flipendo, hal_power);

From b0d8accf8e4783da99486159c18ad3080355cef1 Mon Sep 17 00:00:00 2001
From: Chenyang Zhong
Date: Wed, 12 May 2021 01:21:04 -0400
Subject: [PATCH 18/20] sepolicy: move and guard access to power HAL

On devices with prebuilt vendor, if the power HAL accesses input device nodes to support DT2W related feature, the resulting sepolicy may trigger following neverallow in system/sepolicy/public/app.te:
neverallow { appdomain -shell # bugreport
} input_device:chr_file ~getattr;
Since the vendor image and the vendor sepolicy are prebuilt, power HAL sepolicy on such devices is often written in the following fashion:
allow hal_power input_device:dir search;
allow hal_power input_device:chr_file rw_file_perms;
This combined with the flipendo/turbo_adapter sepolicy will give the app(s) direct access to input device nodes, thus triggering the neverallow.
Considering that flipendo and turbo_adapter's access to power HAL is not critical, guard the sepolicy to allow opting out.

Signed-off-by: Chenyang Zhong
Change-Id: Iac02247e2b0ac5ba5f3f464bd0b21ef41b99693b
Signed-off-by: Chenyang Zhong
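Review bot: `hal_client_domain(flipendo, hal_power);` ends in a semicolon, while the matching turbo_adapter rule in the previous patch and every other macro call visible in this tree (`app_domain(flipendo)`, `binder_call(...)`, `hal_client_domain(platform_app, ...)`) is written without one. Whether checkpolicy tolerates the stray `;` left behind after the macro expands I can't confirm from here, but the inconsistency is carried into common/dynamic_extra/flipendo.te by the following patch, so it is worth dropping now: `hal_client_domain(flipendo, hal_power)`.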
Signed-off-by: Anushek Prasal
---
 common/dynamic/flipendo.te | 3 ---
 common/dynamic/turbo_adapter.te | 3 ---
 common/dynamic_extra/flipendo.te | 2 ++
 common/dynamic_extra/turbo_adapter.te | 2 ++
 common/sepolicy.mk | 6 ++++++
 5 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 common/dynamic_extra/flipendo.te
 create mode 100644 common/dynamic_extra/turbo_adapter.te

diff --git a/common/dynamic/flipendo.te b/common/dynamic/flipendo.te
index b3df802..b16032d 100644
--- a/common/dynamic/flipendo.te
+++ b/common/dynamic/flipendo.te
@@ -23,6 +23,3 @@ allow flipendo fwk_stats_hwservice:hwservice_manager find;
 # Allow flipendo to find color_display_service
 allow flipendo color_display_service:service_manager find;
-
-# Allow flipendo to find hal_power_service
-hal_client_domain(flipendo, hal_power);
diff --git a/common/dynamic/turbo_adapter.te b/common/dynamic/turbo_adapter.te
index b2f0202..d6128cf 100644
--- a/common/dynamic/turbo_adapter.te
+++ b/common/dynamic/turbo_adapter.te
@@ -8,6 +8,3 @@ app_domain(turbo_adapter)
 # To use ServiceManager
 allow turbo_adapter app_api_service:service_manager find;
-
-# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
-hal_client_domain(turbo_adapter, hal_power)
diff --git a/common/dynamic_extra/flipendo.te b/common/dynamic_extra/flipendo.te
new file mode 100644
index 0000000..b467886
--- /dev/null
+++ b/common/dynamic_extra/flipendo.te
@@ -0,0 +1,2 @@
+# Access to PowerHal service
+hal_client_domain(flipendo, hal_power);
diff --git a/common/dynamic_extra/turbo_adapter.te b/common/dynamic_extra/turbo_adapter.te
new file mode 100644
index 0000000..035aca2
--- /dev/null
+++ b/common/dynamic_extra/turbo_adapter.te
@@ -0,0 +1,2 @@
+# To find and call hal_power_default so turbo can obtain the service extension (IPowerExt)
+hal_client_domain(turbo_adapter, hal_power)
diff --git a/common/sepolicy.mk b/common/sepolicy.mk
index 561d341..a1e6087 100644
--- a/common/sepolicy.mk
+++ b/common/sepolicy.mk
@@ -25,9 +25,15 @@ ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
     device/lineage/sepolicy/common/system
+
+ifneq ($(TARGET_HAL_POWER_RW_INPUT_DEVICE), true)
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/lineage/sepolicy/common/dynamic_extra
+endif
 else
 BOARD_VENDOR_SEPOLICY_DIRS += \
     device/lineage/sepolicy/common/dynamic \
+    device/lineage/sepolicy/common/dynamic_extra \
     device/lineage/sepolicy/common/vendor
 endif

From 9d706391caa816c8e8e6c721dbd4905f2c3bf4c2 Mon Sep 17 00:00:00 2001
From: HDzungx
Date: Fri, 28 Apr 2023 05:02:42 +0700
Subject: [PATCH 19/20] sepolicy: address denials in TurboAdapter

E SELinux : avc: denied { find } for interface=vendor.google.google_battery::IGoogleBattery sid=u:r:platform_app:s0:c512,c768 pid=2679 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:hal_turbo_adapter_hwservice:s0 tclass=hwservice_manager permissive=0

Change-Id: I46b46e5d788152c199887fef859021d3f13bf325
Signed-off-by: Anushek Prasal
---
 common/vendor/hwservice_contexts | 1 +
 common/vendor/platform_app.te | 1 +
 2 files changed, 2 insertions(+)
 create mode 100644 common/vendor/hwservice_contexts
 create mode 100644 common/vendor/platform_app.te

diff --git a/common/vendor/hwservice_contexts b/common/vendor/hwservice_contexts
new file mode 100644
index 0000000..88a5fa2
--- /dev/null
+++ b/common/vendor/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.google_battery::IGoogleBattery u:object_r:hal_turbo_adapter_hwservice:s0
diff --git a/common/vendor/platform_app.te b/common/vendor/platform_app.te
new file mode 100644
index 0000000..8e861e5
--- /dev/null
+++ b/common/vendor/platform_app.te
@@ -0,0 +1 @@
+allow platform_app hal_turbo_adapter_hwservice:hwservice_manager find;

From 7ad502de0aa142b69749195338c836867140e47a Mon Sep 17 00:00:00 2001
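Review bot: `ifneq ($(TARGET_HAL_POWER_RW_INPUT_DEVICE), true)` introduces a new build variable with no comment in common/sepolicy.mk saying what it opts out of, and the opt-out exists only in the prebuilt-vendor branch — the `else` branch adds common/dynamic_extra unconditionally. That matches the reasoning in the commit message, but a reader of the makefile alone cannot see it; I would add above the ifneq: `# Devices whose prebuilt power HAL policy has rw access to input_device set TARGET_HAL_POWER_RW_INPUT_DEVICE := true to drop the flipendo/turbo_adapter hal_power client rules (they would trip the app.te neverallow)`. The enclosing `ifeq` block starts before the hunk.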
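Review bot: `allow platform_app hal_turbo_adapter_hwservice:hwservice_manager find;` grants every platform-signed app the find, although this tree defines a dedicated turbo_adapter domain in common/dynamic for exactly this app. The denial in the commit message shows TurboAdapter running as platform_app (`scontext=u:r:platform_app:s0:c512,c768`), which suggests the common/dynamic/seapp_contexts entry from patch 15 is not taking effect on that device; that is worth confirming before widening platform_app. If the dedicated domain is in use, the rule belongs in common/dynamic/turbo_adapter.te as `allow turbo_adapter hal_turbo_adapter_hwservice:hwservice_manager find;`, and either way a comment naming IGoogleBattery above the rule would record why it exists.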
From: =?UTF-8?q?Andy=20=7C=20=E3=82=A2=E3=83=B3=E3=83=87=E3=82=A3?= <54360298+nullptr03@users.noreply.github.com>
Date: Mon, 28 Aug 2023 10:49:41 +0800
Subject: [PATCH 20/20] sepolicy: Import missing TurboAdapter type

ERROR 'unknown type hal_turbo_adapter_hwservice' at token ';' on line 44258:
#line 1 "device/lineage/sepolicy/common/vendor/platform_app.te"
---
 common/dynamic/hwservice.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/common/dynamic/hwservice.te b/common/dynamic/hwservice.te
index 757af6f..954bee5 100644
--- a/common/dynamic/hwservice.te
+++ b/common/dynamic/hwservice.te
@@ -4,3 +4,6 @@ type hal_lineage_livedisplay_hwservice, hwservice_manager_type;
 type hal_lineage_powershare_hwservice, hwservice_manager_type;
 type hal_lineage_touch_hwservice, hwservice_manager_type;
 type hal_lineage_trust_hwservice, hwservice_manager_type;
+
+# TurboAdapter
+type hal_turbo_adapter_hwservice, hwservice_manager_type;
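Review bot: The `# TurboAdapter` comment above `type hal_turbo_adapter_hwservice, hwservice_manager_type;` does not say which hwservice the type labels or that its only users sit in common/vendor (hwservice_contexts and platform_app.te from the previous patch) while the declaration lands in common/dynamic. A comment such as `# TurboAdapter: labels vendor.google.google_battery::IGoogleBattery (see common/vendor/hwservice_contexts)` would make the cross-directory dependency visible. The sepolicy.mk hunk in patch 18 shows common/dynamic and common/vendor added together in its non-prebuilt branch, so the type resolves there; whether every configuration that includes common/vendor also includes common/dynamic I can't confirm from this hunk.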