common/init_shell.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194

# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file.  No service should ever run in this domain.
type qti_init_shell, domain, domain_deprecated;
domain_auto_trans(init, shell_exec, qti_init_shell)

# For executing init shell scripts (init.qcom.early_boot.sh)
allow qti_init_shell rootfs:file entrypoint;

# For getting idle_time value
# this is needed for dynamic_fps and bw_mode_bitmap
allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
allow qti_init_shell sysfs:file setattr;

allow qti_init_shell persist_file:dir w_dir_perms;
allow qti_init_shell persist_file:file create_file_perms;
allow qti_init_shell smd_device:chr_file rw_file_perms;

# Run helpers from / or /system without changing domain.
allow qti_init_shell { system_file rootfs shell_exec }:file execute_no_trans;

# For accessing fmradio device node
allow qti_init_shell fm_radio_device:chr_file r_file_perms;

#give permission to read/write fm dir for calibration file
allow qti_init_shell fm_data_file: dir rw_dir_perms;

#allow shell to access /dev/vm_bms
allow qti_init_shell vm_bms_device:chr_file getattr;

# create/open, read/write permission for fm calibration file.
allow qti_init_shell fm_data_file: file create_file_perms;

allow qti_init_shell gpu_device:chr_file getattr;

# for insmod of iris ko, this is needed.
# dac_read/override is needed for scripts to do chown/mkdir which is
# needed by most of the services
# fowner and fsetid are needed for chmod display nodes.
allow qti_init_shell self:capability {
    sys_module
    net_admin
    chown
    fowner
    fsetid
    dac_override
    dac_read_search
    sys_admin
};

# For  property starting with hw
# freq_prop - for setting frequency from postboot script
# perfd_prop - for setting ctl.perfd property from postboot script
# mpdecision_prop - for setting ctl.mpdecision property from postboot script
# bluetooth_prop - for setting bt related properties from postboot script
# uicc_prop - for access to UICC property
# ctl_qmuxd_prop/ctl_netmgrd_prop - Needed in order to set properties on qmuxd and netmgrd processes
# rmnet_mux_prop - Needed to set persist.rmnet.mux property
# sys_usb_controller_prop - Needed to set sys.usb.controller property
# sys_usb_configfs_prop - Needed to set sys.usb.configfs property
allow qti_init_shell {
    system_prop
    freq_prop
    perfd_prop
    gamed_prop
    mpdecision_prop
    bluetooth_prop
    config_prop
    sensors_prop
    msm_irqbalance_prop
    ipacm_prop
    ipacm-diag_prop
    qti_prop
    ctl_rildaemon_prop
    uicc_prop
    ctl_qmuxd_prop
    ctl_netmgrd_prop
    ctl_port-bridge_prop
    sdm_idle_time_prop
    sf_lcd_density_prop
    opengles_prop
    mdm_helper_prop
    fm_prop
    usf_prop
    qemu_hw_mainkeys_prop
    alarm_boot_prop
    boot_animation_prop
    debug_gralloc_prop
    # Needed for starting console in userdebug mode
    userdebug_or_eng(`ctl_console_prop coresight_prop')
    rmnet_mux_prop
    ctl_hbtp_prop
    #Needed for starting vm_bms executable post-boot
    vm_bms_prop
    sys_usb_controller_prop
    sys_usb_configfs_prop
    #Needed for setting hwui properties in post_boot
    hwui_prop
    graphics_vulkan_prop
}:property_service set;

allow qti_init_shell efs_boot_dev:blk_file r_file_perms;

# For hci_comm_init
allow qti_init_shell { serial_device userdebug_or_eng(`qdss_device') }:chr_file rw_file_perms;

# Allow property changes
unix_socket_connect(qti_init_shell, property, init)

allow qti_init_shell {
    sysfs
    sysfs_devices_system_cpu
    sysfs_thermal
    sysfs_lowmemorykiller
}:file w_file_perms;

r_dir_file(qti_init_shell, sysfs_thermal)
allow qti_init_shell sysfs_socinfo:file write;
allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
# Check if /dev/sensors or /dev/msm_dsps present
allow qti_init_shell sensors_data_file:dir r_dir_perms;
allow qti_init_shell sensors_device:chr_file r_file_perms;

# To start sensors for DSPS enabled platforms
r_dir_file(qti_init_shell, persist_file)
r_dir_file(qti_init_shell, sensors_persist_file)
r_dir_file(qti_init_shell, persist_bluetooth_file)
allow qti_init_shell sensors_persist_file:file setattr;

# To start of selected USF based calculators
r_dir_file(qti_init_shell, usf_data_file)
allow qti_init_shell usf_data_file:file w_file_perms;
r_dir_file(qti_init_shell, persist_usf_file)
allow qti_init_shell persist_usf_file:dir w_dir_perms;
allow qti_init_shell usf_data_file:dir create_dir_perms;
allow qti_init_shell usf_data_file:{ file lnk_file } create_file_perms;

# To check if /system/bin/msm_irqbalance is persent in the device
allow qti_init_shell msm_irqbalanced_exec:file getattr;

# To write to /data/system/perfd
allow qti_init_shell mpctl_data_file:dir w_dir_perms;
allow qti_init_shell mpctl_data_file:file { write getattr unlink };

allow qti_init_shell { proc proc_net }:file write;

allow qti_init_shell radio_data_file:dir create_dir_perms;
allow qti_init_shell radio_data_file:file create_file_perms;

allow qti_init_shell graphics_device:dir create_dir_perms;
allow qti_init_shell graphics_device:lnk_file create_file_perms;

# To create sensor dir inside /data/misc/
allow qti_init_shell system_data_file:dir create_dir_perms;

#insmod of ko from scripts need kernel key search
allow qti_init_shell kernel:key search;

# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };

# core-ctl
allow qti_init_shell cgroup:dir add_name;

# To allow copy for mbn files
r_dir_file(qti_init_shell, firmware_file)

# /dev/block/zram0
allow qti_init_shell block_device:dir r_dir_perms;
allow qti_init_shell swap_block_device:blk_file rw_file_perms;

# /data/system/swap/swapfile
allow qti_init_shell swap_data_file:dir rw_dir_perms;
allow qti_init_shell swap_data_file:file create_file_perms;

#execute init scripts
allow qti_init_shell toolbox_exec:file rx_file_perms;

#For configfs permission
allow qti_init_shell configfs:dir r_dir_perms;

#Allow read permissions to read adj
allow qti_init_shell sysfs_lowmemorykiller:file read;

allow qti_init_shell persist_alarm_file:dir r_dir_perms;
allow qti_init_shell persist_alarm_file:file r_file_perms;

#Allow /sys access to write zram disksize
allow qti_init_shell sysfs_zram:dir r_dir_perms;
allow qti_init_shell sysfs_zram:file w_file_perms;

# To get GPU frequencies
allow qti_init_shell sysfs_kgsl:file r_file_perms;