# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
# NOTE(review): the domain_deprecated attribute adds rules defined outside this
# file on top of what is listed below, so this file alone is not the complete
# description of the domain's access -- confirm the attribute is still needed.
type qti_init_shell, domain, domain_deprecated;
# init execs a shell_exec-labelled binary -> the child runs as qti_init_shell.
domain_auto_trans(init, shell_exec, qti_init_shell)
# For executing init shell scripts (init.qcom.early_boot.sh)
allow qti_init_shell rootfs:file entrypoint;
# For getting idle_time value
# this is needed for dynamic_fps and bw_mode_bitmap
allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
# setattr on generic sysfs files (chown/chmod of nodes not given a specific type).
allow qti_init_shell sysfs:file setattr;
# Write access to /persist directories and files.
allow qti_init_shell persist_file:dir w_dir_perms;
allow qti_init_shell persist_file:file create_file_perms;
allow qti_init_shell smd_device:chr_file rw_file_perms;
# Run helpers from / or /system without changing domain.
# Anything executed this way keeps every permission and capability granted in
# this file, so the rule set here should stay as small as the scripts allow.
allow qti_init_shell { system_file rootfs shell_exec }:file execute_no_trans;
# For accessing fmradio device node
allow qti_init_shell fm_radio_device:chr_file r_file_perms;
# Give permission to read/write the fm dir for the calibration file.
allow qti_init_shell fm_data_file: dir rw_dir_perms;
# Allow the shell to access /dev/vm_bms (getattr only).
allow qti_init_shell vm_bms_device:chr_file getattr;
# create/open, read/write permission for fm calibration file.
allow qti_init_shell fm_data_file: file create_file_perms;
allow qti_init_shell gpu_device:chr_file getattr;
# for insmod of iris ko, this is needed.
# dac_read/override is needed for scripts to do chown/mkdir which is
# needed by most of the services
# fowner and fsetid are needed for chmod display nodes.
# NOTE(review): net_admin and sys_admin are not justified by a comment here;
# sys_admin in particular is very broad -- confirm which script needs each one.
allow qti_init_shell self:capability {
sys_module
net_admin
chown
fowner
fsetid
dac_override
dac_read_search
sys_admin
};
# For property starting with hw
# freq_prop - for setting frequency from postboot script
# perfd_prop - for setting ctl.perfd property from postboot script
# mpdecision_prop - for setting ctl.mpdecision property from postboot script
# bluetooth_prop - for setting bt related properties from postboot script
# uicc_prop - for access to UICC property
# ctl_qmuxd_prop/ctl_netmgrd_prop - Needed in order to set properties on qmuxd and netmgrd processes
# rmnet_mux_prop - Needed to set persist.rmnet.mux property
# sys_usb_controller_prop - Needed to set sys.usb.controller property
# sys_usb_configfs_prop - Needed to set sys.usb.configfs property
# Note: the ctl_*_prop entries let these scripts start/stop the named services.
allow qti_init_shell {
system_prop
freq_prop
perfd_prop
gamed_prop
mpdecision_prop
bluetooth_prop
config_prop
sensors_prop
msm_irqbalance_prop
ipacm_prop
ipacm-diag_prop
qti_prop
ctl_rildaemon_prop
uicc_prop
ctl_qmuxd_prop
ctl_netmgrd_prop
ctl_port-bridge_prop
sdm_idle_time_prop
sf_lcd_density_prop
opengles_prop
mdm_helper_prop
fm_prop
usf_prop
qemu_hw_mainkeys_prop
alarm_boot_prop
boot_animation_prop
debug_gralloc_prop
# Needed for starting console in userdebug mode
userdebug_or_eng(`ctl_console_prop coresight_prop')
rmnet_mux_prop
ctl_hbtp_prop
#Needed for starting vm_bms executable post-boot
vm_bms_prop
sys_usb_controller_prop
sys_usb_configfs_prop
#Needed for setting hwui properties in post_boot
hwui_prop
graphics_vulkan_prop
}:property_service set;
# Read access to the EFS boot block device.
allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
# For hci_comm_init (qdss_device only on userdebug/eng builds)
allow qti_init_shell { serial_device userdebug_or_eng(`qdss_device') }:chr_file rw_file_perms;
# Allow property changes
unix_socket_connect(qti_init_shell, property, init)
# Write-only access to these sysfs node types (read is granted separately below
# where needed).
allow qti_init_shell {
sysfs
sysfs_devices_system_cpu
sysfs_thermal
sysfs_lowmemorykiller
}:file w_file_perms;
r_dir_file(qti_init_shell, sysfs_thermal)
allow qti_init_shell sysfs_socinfo:file write;
# Relabel generic sysfs nodes to the sysfs_devices_system_cpu type.
allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
# Check if /dev/sensors or /dev/msm_dsps present
allow qti_init_shell sensors_data_file:dir r_dir_perms;
allow qti_init_shell sensors_device:chr_file r_file_perms;
# To start sensors for DSPS enabled platforms
r_dir_file(qti_init_shell, persist_file)
r_dir_file(qti_init_shell, sensors_persist_file)
r_dir_file(qti_init_shell, persist_bluetooth_file)
allow qti_init_shell sensors_persist_file:file setattr;
# To start selected USF based calculators
r_dir_file(qti_init_shell, usf_data_file)
allow qti_init_shell usf_data_file:file w_file_perms;
r_dir_file(qti_init_shell, persist_usf_file)
allow qti_init_shell persist_usf_file:dir w_dir_perms;
allow qti_init_shell usf_data_file:dir create_dir_perms;
allow qti_init_shell usf_data_file:{ file lnk_file } create_file_perms;
# To check if /system/bin/msm_irqbalance is present on the device
allow qti_init_shell msm_irqbalanced_exec:file getattr;
# To write to /data/system/perfd
allow qti_init_shell mpctl_data_file:dir w_dir_perms;
allow qti_init_shell mpctl_data_file:file { write getattr unlink };
# NOTE(review): no comment says which /proc or /proc/net entries are written
# by the scripts -- confirm and narrow the target type if possible.
allow qti_init_shell { proc proc_net }:file write;
allow qti_init_shell radio_data_file:dir create_dir_perms;
allow qti_init_shell radio_data_file:file create_file_perms;
# Create directories and symlinks under the graphics device directory.
allow qti_init_shell graphics_device:dir create_dir_perms;
allow qti_init_shell graphics_device:lnk_file create_file_perms;
# To create sensor dir inside /data/misc/
allow qti_init_shell system_data_file:dir create_dir_perms;
# insmod of ko from scripts needs kernel key search
allow qti_init_shell kernel:key search;
# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
# To change owner/permissions of secure touch sysfs files
r_dir_file(qti_init_shell, sysfs_securetouch)
# core-ctl
allow qti_init_shell cgroup:dir add_name;
# To allow copy for mbn files
r_dir_file(qti_init_shell, firmware_file)
# /dev/block/zram0
allow qti_init_shell block_device:dir r_dir_perms;
allow qti_init_shell swap_block_device:blk_file rw_file_perms;
# /data/system/swap/swapfile
allow qti_init_shell swap_data_file:dir rw_dir_perms;
allow qti_init_shell swap_data_file:file create_file_perms;
# Execute init scripts via toolbox.
allow qti_init_shell toolbox_exec:file rx_file_perms;
# For configfs permission
allow qti_init_shell configfs:dir r_dir_perms;
# Allow read permission to read adj
allow qti_init_shell sysfs_lowmemorykiller:file read;
# Read-only access to persisted alarm data.
allow qti_init_shell persist_alarm_file:dir r_dir_perms;
allow qti_init_shell persist_alarm_file:file r_file_perms;
# Allow /sys access to write zram disksize
allow qti_init_shell sysfs_zram:dir r_dir_perms;
allow qti_init_shell sysfs_zram:file w_file_perms;
# To get GPU frequencies
allow qti_init_shell sysfs_kgsl:file r_file_perms;