├── common
    ├── private
    │   ├── gmscore_app.te
    │   ├── rootfs.te
    │   ├── sdcardfs.te
    │   ├── appdomain.te
    │   ├── cameraserver.te
    │   ├── fsck_untrusted.te
    │   ├── adbd.te
    │   ├── mediaserver.te
    │   ├── seapp_contexts
    │   ├── property.te
    │   ├── file.te
    │   ├── backuptool.te
    │   ├── genfs_contexts
    │   ├── mkfs.te
    │   ├── service_contexts
    │   ├── vold.te
    │   ├── platform_app.te
    │   ├── service.te
    │   ├── adbroot.te
    │   ├── system_app.te
    │   ├── system_server.te
    │   ├── property_contexts
    │   ├── update_engine.te
    │   ├── file_contexts
    │   ├── recovery.te
    │   └── updater_app.te
    ├── vendor
    │   ├── hal_vibrator_default.te
    │   ├── hal_camera_default.te
    │   ├── hal_lineage_touch_default.te
    │   ├── hal_lineage_powershare_default.te
    │   ├── hal_lineage_camera_motor_default.te
    │   └── file_contexts
    ├── public
    │   ├── file.te
    │   ├── shell.te
    │   ├── property.te
    │   ├── attributes
    │   └── te_macros
    ├── dynamic
    │   ├── hwservice.te
    │   ├── hal_lineage_touch.te
    │   ├── hal_lineage_camera_motor.te
    │   ├── hal_lineage_powershare.te
    │   └── hwservice_contexts
    └── sepolicy.mk
└── qcom
    ├── vendor
        ├── fsck.te
        ├── hal_perf_default.te
        └── file_contexts
    ├── dynamic
        └── dontaudit.te
    ├── private
        └── property_contexts
    └── sepolicy.mk

/common/private/gmscore_app.te:
--------------------------------------------------------------------------------
  | # Lets the gmscore_app domain set properties labeled system_prop.
  | # NOTE(review): set_prop is granted per property type, so this covers every
  | # property labeled system_prop rather than one named property. If a single
  | # property is needed, a dedicated property type would narrow the grant -
  | # confirm which property gmscore_app has to write.
1 | set_prop(gmscore_app, system_prop)
2 |
--------------------------------------------------------------------------------
/common/private/rootfs.te:
--------------------------------------------------------------------------------
  | # Lets objects labeled rootfs live on filesystems labeled labeledfs.
1 | allow rootfs labeledfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/common/private/sdcardfs.te:
--------------------------------------------------------------------------------
  | # Lets objects labeled sdcardfs live on filesystems labeled labeledfs.
1 | allow sdcardfs labeledfs:filesystem associate;
2 |
--------------------------------------------------------------------------------
/common/vendor/hal_vibrator_default.te:
--------------------------------------------------------------------------------
1 |
hwbinder_use(hal_vibrator_default)
2 |
--------------------------------------------------------------------------------
/common/private/appdomain.te:
--------------------------------------------------------------------------------
  | # Every domain carrying the appdomain attribute may read properties labeled
  | # vendor_persist_camera_prop (the vendor.camera.aux.* lists in
  | # private/property_contexts).
1 | get_prop(appdomain, vendor_persist_camera_prop)
2 |
--------------------------------------------------------------------------------
/qcom/vendor/fsck.te:
--------------------------------------------------------------------------------
  | # fsck gets read/write access to the block device labeled persist_block_device.
1 | allow fsck persist_block_device:blk_file rw_file_perms;
2 |
--------------------------------------------------------------------------------
/qcom/vendor/hal_perf_default.te:
--------------------------------------------------------------------------------
  | # hal_perf_default may read directories and files labeled hal_power_default.
  | # NOTE(review): hal_power_default is a domain type, so these are presumably
  | # the /proc entries of the power HAL process - confirm.
1 | r_dir_file(hal_perf_default, hal_power_default)
2 |
--------------------------------------------------------------------------------
/common/public/file.te:
--------------------------------------------------------------------------------
1 | # DC Dimming
2 | type vendor_sysfs_dc_dim, fs_type, sysfs_type;
3 |
--------------------------------------------------------------------------------
/common/public/shell.te:
--------------------------------------------------------------------------------
  | # Suppresses audit records for shell ioctl requests in the unpriv_tty_ioctls
  | # set on adbd unix stream sockets. dontauditxperm grants nothing; the
  | # requests stay denied unless another rule allows them.
1 | dontauditxperm shell adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
2 |
--------------------------------------------------------------------------------
/common/vendor/hal_camera_default.te:
--------------------------------------------------------------------------------
  | # The default camera HAL may read properties labeled vendor_persist_camera_prop.
1 | get_prop(hal_camera_default, vendor_persist_camera_prop)
2 |
--------------------------------------------------------------------------------
/common/private/cameraserver.te:
--------------------------------------------------------------------------------
1 | # Use HALs
2 | hal_client_domain(cameraserver, hal_lineage_camera_motor)
3 |
--------------------------------------------------------------------------------
/common/private/fsck_untrusted.te:
--------------------------------------------------------------------------------
  | # NOTE(review): sys_admin is one of the broadest Linux capabilities, and the
  | # domain name says this checker runs on untrusted external media. Worth
  | # confirming which filesystem checker needs it and whether the need can be
  | # met with something narrower.
1 | # External storage
2 | allow fsck_untrusted self:capability sys_admin;
3 |
--------------------------------------------------------------------------------
/common/private/adbd.te:
--------------------------------------------------------------------------------
  | # adbd may look up adbroot_service and make binder calls into the adbroot
  | # domain.
1 | allow adbd adbroot:binder call;
2 | allow adbd adbroot_service:service_manager find;
3 |
--------------------------------------------------------------------------------
/common/private/mediaserver.te:
--------------------------------------------------------------------------------
1 | # Allow mediaserver to get wfd properties
2 | get_prop(mediaserver, media_wfd_prop);
3 |
--------------------------------------------------------------------------------
/common/public/property.te:
--------------------------------------------------------------------------------
1 | # Aux camera allow/excludelist prop
2 | system_vendor_config_prop(vendor_persist_camera_prop)
3 |
--------------------------------------------------------------------------------
/qcom/dynamic/dontaudit.te:
--------------------------------------------------------------------------------
  | # Silences audit records only: getattr on these three filesystem types stays
  | # denied for gmscore_app, the denials are just no longer logged.
1 | dontaudit gmscore_app { adsprpcd_file bt_firmware_file firmware_file }:filesystem getattr;
2 |
--------------------------------------------------------------------------------
/qcom/private/property_contexts:
--------------------------------------------------------------------------------
1 | # FM
2 | hw.fm.
u:object_r:exported3_system_prop:s0
3 |
--------------------------------------------------------------------------------
/common/private/seapp_contexts:
--------------------------------------------------------------------------------
  | # Places the app process named org.lineageos.updater in the updater_app
  | # domain. All selectors on the line must match (isPrivApp=true and
  | # seinfo=platform included), so a package that only reuses the name does
  | # not get this domain.
1 | user=_app isPrivApp=true seinfo=platform name=org.lineageos.updater domain=updater_app type=app_data_file levelFrom=user
2 |
--------------------------------------------------------------------------------
/common/private/property.te:
--------------------------------------------------------------------------------
1 | # Recovery update
2 | system_internal_prop(recovery_update_prop)
3 |
4 | # Wi-Fi Display
5 | system_public_prop(media_wfd_prop);
6 |
--------------------------------------------------------------------------------
/common/public/attributes:
--------------------------------------------------------------------------------
  | # Each call declares hal_<name>, hal_<name>_client and hal_<name>_server
  | # through the hal_attribute_lineage macro in public/te_macros.
1 | # HALs
2 | hal_attribute_lineage(lineage_camera_motor)
3 | hal_attribute_lineage(lineage_touch)
4 | hal_attribute_lineage(lineage_powershare)
5 |
--------------------------------------------------------------------------------
/common/dynamic/hwservice.te:
--------------------------------------------------------------------------------
  | # hwservice_manager object types for the three Lineage HALs; interface names
  | # are bound to them in dynamic/hwservice_contexts.
1 | type hal_lineage_camera_motor_hwservice, hwservice_manager_type;
2 | type hal_lineage_powershare_hwservice, hwservice_manager_type;
3 | type hal_lineage_touch_hwservice, hwservice_manager_type;
4 |
--------------------------------------------------------------------------------
/common/private/file.te:
--------------------------------------------------------------------------------
  | # sdcard_posix: filesystem type that vold may relabel to and from (vold.te).
  | # adbroot_data_file: labels /data/adbroot (private/file_contexts).
  | # sysfs_perdev_minors: labels the mmcblk perdev_minors parameter (genfs_contexts).
1 | type sdcard_posix, sdcard_type, sdcard_posix_contextmount_type, fs_type, mlstrustedobject;
2 | type adbroot_data_file, file_type, data_file_type, core_data_file_type;
3 | type sysfs_perdev_minors, fs_type, sysfs_type;
4 |
--------------------------------------------------------------------------------
/common/private/backuptool.te:
--------------------------------------------------------------------------------
  | # Domain for the backuptool scripts. The neverallow is a compile-time check
  | # that only recovery and update_engine can transition into it.
  | # NOTE(review): the domain is permissive on userdebug and eng builds, so
  | # denials are logged but not enforced there. Missing rules will only show up
  | # as failures on user builds - review the audit log of a userdebug run
  | # before shipping.
1 | type backuptool, domain, coredomain;
2 |
3 | neverallow {
4 |     domain
5 |     -recovery
6 |     -update_engine
7 | } backuptool:process transition;
8 |
9 | userdebug_or_eng(`
10 |     permissive backuptool;
11 | ')
12 |
--------------------------------------------------------------------------------
/common/vendor/hal_lineage_touch_default.te:
--------------------------------------------------------------------------------
  | # Default server domain for the Lineage touch HAL, started by init from a
  | # vendor executable labeled hal_lineage_touch_default_exec.
1 | type hal_lineage_touch_default, domain;
2 | hal_server_domain(hal_lineage_touch_default, hal_lineage_touch)
3 |
4 | type hal_lineage_touch_default_exec, exec_type, vendor_file_type, file_type;
5 | init_daemon_domain(hal_lineage_touch_default)
6 |
--------------------------------------------------------------------------------
/common/dynamic/hal_lineage_touch.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_lineage_touch_client, hal_lineage_touch_server)
3 |
  | # Only the server side registers the hwservice; clients may only look it up.
4 | add_hwservice(hal_lineage_touch_server, hal_lineage_touch_hwservice)
5 | allow hal_lineage_touch_client hal_lineage_touch_hwservice:hwservice_manager find;
6 |
--------------------------------------------------------------------------------
/common/private/genfs_contexts:
--------------------------------------------------------------------------------
  | # The fuseblk entry is emitted unless board_excludes_fuseblk_sepolicy is
  | # defined as true; common/sepolicy.mk sets that define when the prebuilt
  | # vendor policy already carries a fuseblk label.
1 | ifelse(board_excludes_fuseblk_sepolicy, `true', ,
2 | genfscon fuseblk / u:object_r:vfat:s0
3 | )
4 |
5 | genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
6 | genfscon sysfs /module/mmcblk/parameters/perdev_minors u:object_r:sysfs_perdev_minors:s0
7 |
--------------------------------------------------------------------------------
/qcom/vendor/file_contexts:
--------------------------------------------------------------------------------
1 | # CryptfsHW HAL
2 |
/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.cryptfshw@1\.0-service-qti\.qsee u:object_r:hal_keymaster_qti_exec:s0
3 |
4 | # Power
5 | /(vendor|system/vendor)/bin/hw/android\.hardware\.power-service-qti u:object_r:hal_power_default_exec:s0
6 |
--------------------------------------------------------------------------------
/common/vendor/hal_lineage_powershare_default.te:
--------------------------------------------------------------------------------
  | # Default server domain for the Lineage PowerShare HAL, started by init from
  | # a vendor executable labeled hal_lineage_powershare_default_exec.
1 | type hal_lineage_powershare_default, domain;
2 | hal_server_domain(hal_lineage_powershare_default, hal_lineage_powershare)
3 |
4 | type hal_lineage_powershare_default_exec, exec_type, vendor_file_type, file_type;
5 | init_daemon_domain(hal_lineage_powershare_default)
6 |
--------------------------------------------------------------------------------
/common/vendor/hal_lineage_camera_motor_default.te:
--------------------------------------------------------------------------------
  | # Default server domain for the Lineage camera motor HAL, started by init
  | # from a vendor executable labeled hal_lineage_camera_motor_default_exec.
1 | type hal_lineage_camera_motor_default, domain;
2 | hal_server_domain(hal_lineage_camera_motor_default, hal_lineage_camera_motor)
3 |
4 | type hal_lineage_camera_motor_default_exec, exec_type, vendor_file_type, file_type;
5 | init_daemon_domain(hal_lineage_camera_motor_default)
6 |
--------------------------------------------------------------------------------
/common/dynamic/hal_lineage_camera_motor.te:
--------------------------------------------------------------------------------
1 | # HwBinder IPC from client to server
2 | binder_call(hal_lineage_camera_motor_client, hal_lineage_camera_motor_server)
3 |
  | # Only the server side registers the hwservice; clients may only look it up.
4 | add_hwservice(hal_lineage_camera_motor_server, hal_lineage_camera_motor_hwservice)
5 | allow hal_lineage_camera_motor_client hal_lineage_camera_motor_hwservice:hwservice_manager find;
6 |
--------------------------------------------------------------------------------
/common/private/mkfs.te:
--------------------------------------------------------------------------------
  | # mkfs domain and the executable type that private/file_contexts assigns to
  | # the mkfs.exfat, mkfs.f2fs and mkfs.ntfs binaries.
1 | type mkfs, coredomain, domain;
2 | type
mkfs_exec, system_file_type, exec_type, file_type;
3 |
4 | init_daemon_domain(mkfs)
5 |
  | # Write access is limited to the userdata and cache block device types;
  | # block_device itself is only searchable.
6 | # Allow formatting userdata or cache partitions
7 | allow mkfs block_device:dir search;
8 | allow mkfs userdata_block_device:blk_file rw_file_perms;
9 | allow mkfs cache_block_device:blk_file rw_file_perms;
10 |
--------------------------------------------------------------------------------
/common/private/service_contexts:
--------------------------------------------------------------------------------
  | # Binder service names mapped to the service types declared in
  | # private/service.te.
1 | adbroot_service u:object_r:adbroot_service:s0
2 |
3 | # Parallel space
4 | parallel u:object_r:parallel_space_manager_service:s0
5 |
6 | # App Lock
7 | app_lock u:object_r:app_lock_service:s0
8 |
9 | # DC Dimming
10 | dc_dim_service u:object_r:dc_dimming_service:s0
11 |
--------------------------------------------------------------------------------
/common/dynamic/hal_lineage_powershare.te:
--------------------------------------------------------------------------------
1 | # HWBinder IPC from client to server
2 | binder_call(hal_lineage_powershare_client, hal_lineage_powershare_server)
3 |
4 | add_hwservice(hal_lineage_powershare_server, hal_lineage_powershare_hwservice)
5 | allow hal_lineage_powershare_client hal_lineage_powershare_hwservice:hwservice_manager find;
6 |
  | # NOTE(review): this rule uses the base attribute hal_lineage_powershare,
  | # not the _server attribute used above. Which domains carry the base
  | # attribute depends on hal_client_domain and hal_server_domain, which are
  | # not shown on this page - confirm the call into platform_app is only
  | # needed from the server side.
7 | # Allow binder communication with platform_app
8 | binder_call(hal_lineage_powershare, platform_app)
9 |
--------------------------------------------------------------------------------
/common/private/vold.te:
--------------------------------------------------------------------------------
  | # NOTE(review): setgid and setuid are granted to the whole vold domain. The
  | # page shows no separate domain for the NTFS helper, so the capabilities
  | # are presumably available to every process running as vold - confirm.
1 | # NTFS-3g wants to drop permission
2 | allow vold self:capability { setgid setuid };
3 |
4 | # External storage
5 | allow vold mkfs_exec:file rx_file_perms;
6 | allow vold mnt_media_rw_stub_file:dir r_dir_perms;
7 | allow vold storage_stub_file:dir rw_dir_perms;
8 |
9 | # External EXT4/F2FS storage
10 | allow vold sdcard_posix:filesystem { relabelto relabelfrom };
11 | allow vold labeledfs:filesystem
relabelfrom;
12 |
--------------------------------------------------------------------------------
/common/private/platform_app.te:
--------------------------------------------------------------------------------
1 | # Allow NFC service to be found
2 | allow platform_app nfc_service:service_manager find;
3 |
  | # NOTE(review): create_dir_perms plus mounton applies to every process in
  | # the platform_app domain, not to one package. Confirm which platform-signed
  | # app needs to create and mount on mnt_pass_through_file directories.
4 | # Allow externalstorage access
5 | allow platform_app mnt_pass_through_file:dir { create_dir_perms mounton };
6 |
7 | # Allow bypassing the FUSE layer
8 | r_dir_file(platform_app, mnt_pass_through_file)
9 |
10 | # Allow PowerShare HAL service to be found
11 | hal_client_domain(platform_app, hal_lineage_powershare)
12 |
--------------------------------------------------------------------------------
/common/private/service.te:
--------------------------------------------------------------------------------
  | # Service types for the names listed in private/service_contexts.
  | # adbroot_service carries only service_manager_type, so lookups need an
  | # explicit find rule (adbd.te and system_server.te grant one each).
1 | type adbroot_service, service_manager_type;
2 |
3 | # Parallel space
4 | type parallel_space_manager_service, system_api_service, system_server_service, service_manager_type;
5 |
6 | # App Lock
7 | type app_lock_service, system_api_service, system_server_service, service_manager_type;
8 |
9 | # DC Dimming
10 | type dc_dimming_service, system_api_service, system_server_service, service_manager_type;
11 |
--------------------------------------------------------------------------------
/common/private/adbroot.te:
--------------------------------------------------------------------------------
  | # adbroot is an init-started daemon that registers adbroot_service, keeps
  | # its state in files labeled adbroot_data_file and may set properties
  | # labeled shell_prop and ctl_adbd_prop.
  | # NOTE(review): ctl_adbd_prop is presumably the control property type for
  | # adbd, so any caller that reaches adbroot_service can indirectly affect
  | # adbd. On this page find access is granted to adbd and system_server only;
  | # keep that list short and check the caller inside the service.
1 | type adbroot, domain, coredomain;
2 | type adbroot_exec, exec_type, file_type, system_file_type;
3 |
4 | init_daemon_domain(adbroot)
5 |
6 | binder_use(adbroot)
7 | binder_service(adbroot)
8 | add_service(adbroot, adbroot_service)
9 |
10 | allow adbroot adbroot_data_file:dir rw_dir_perms;
11 | allow adbroot adbroot_data_file:file create_file_perms;
12 |
13 | set_prop(adbroot, shell_prop)
14 | set_prop(adbroot, ctl_adbd_prop)
15 |
--------------------------------------------------------------------------------
/common/private/system_app.te:
--------------------------------------------------------------------------------
1 | # Allow Settings to read ro.vendor.build.security_patch
2 | get_prop(system_app, vendor_security_patch_level_prop)
3 |
4 | # Allow access to the HALs
5 | hal_client_domain(system_app, hal_lineage_touch)
6 |
7 | # Allow SetupWizard to set recovery update prop
8 | set_prop(system_app, recovery_update_prop)
9 |
  | # NOTE(review): the two rules below name system_server as the source domain
  | # although they sit in system_app.te. They grant nothing to system_app; they
  | # would be easier to audit in system_server.te next to the App Lock rule.
10 | # DC Dimming
11 | allow system_server vendor_sysfs_dc_dim:file rw_file_perms;
12 | add_service(system_server, dc_dimming_service);
13 |
--------------------------------------------------------------------------------
/common/private/system_server.te:
--------------------------------------------------------------------------------
1 | allow system_server storage_stub_file:dir getattr;
2 |
  | # system_server may look up adbroot_service (type declared in service.te).
3 | allow system_server adbroot_service:service_manager find;
4 |
5 | # Use HALs
6 | hal_client_domain(system_server, hal_lineage_touch)
7 |
8 | # Let system server find auxiliary camera properties
9 | get_prop(system_server, vendor_persist_camera_prop)
10 |
11 | # App Lock
12 | add_service(system_server, app_lock_service);
13 |
14 | # Use HALs
15 | hal_client_domain(system_server, hal_lineage_powershare)
16 |
--------------------------------------------------------------------------------
/common/private/property_contexts:
--------------------------------------------------------------------------------
  | # Property names mapped to the property types declared in public/property.te
  | # and private/property.te.
1 | # Aux camera
2 | vendor.camera.aux.packageexcludelist u:object_r:vendor_persist_camera_prop:s0
3 | vendor.camera.aux.packagelist u:object_r:vendor_persist_camera_prop:s0
4 |
5 | # Radio
6 | ro.telephony.use_old_mnc_mcc_format u:object_r:telephony_config_prop:s0
7 |
  | # Writable by system_app and updater_app (set_prop rules in their .te files).
8 | # Recovery update
9 | persist.vendor.recovery_update u:object_r:recovery_update_prop:s0
10 |
11 | # Wi-Fi Display
12 | media.wfd.
u:object_r:media_wfd_prop:s0
13 |
--------------------------------------------------------------------------------
/common/private/update_engine.te:
--------------------------------------------------------------------------------
1 | # Allow update_engine to call the callback function provided by updater_app
2 | binder_call(update_engine, updater_app)
3 |
  | # NOTE(review): these locations are presumably shared storage that other
  | # apps can write to, so the integrity of an update read from there rests on
  | # payload verification inside update_engine, which this policy does not
  | # show - confirm it is enabled.
4 | # Read updates from storage data
5 | r_dir_file(update_engine, mnt_user_file)
6 | r_dir_file(update_engine, storage_file)
7 |
8 | # Allow mount and unmount of system partition
9 | allow update_engine labeledfs:filesystem { mount unmount };
10 |
  | # The backuptool scripts are labeled otapreopt_chroot_exec in
  | # private/file_contexts, so executing them from update_engine enters the
  | # backuptool domain, which is permissive on userdebug and eng builds
  | # (private/backuptool.te).
11 | # Allow transition to backuptool domain
12 | allow update_engine self:process setexec;
13 | domain_trans(update_engine, otapreopt_chroot_exec, backuptool)
14 |
--------------------------------------------------------------------------------
/common/private/file_contexts:
--------------------------------------------------------------------------------
1 | # Filesystem tools
2 | /system/bin/fsck\.ntfs u:object_r:fsck_exec:s0
3 | /system/bin/mkfs\.exfat u:object_r:mkfs_exec:s0
4 | /system/bin/mkfs\.f2fs u:object_r:mkfs_exec:s0
5 | /system/bin/mkfs\.ntfs u:object_r:mkfs_exec:s0
6 |
  | # updater_app has create access to this type (private/updater_app.te).
7 | # OTA packages
8 | /data/arrowos_updates(/.*)? u:object_r:ota_package_file:s0
9 |
  | # Reuses otapreopt_chroot_exec for the backuptool scripts; see the
  | # domain_trans rule in private/update_engine.te.
10 | # Postinstall
11 | /system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
12 | /system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
13 | /system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
14 |
15 | # ADB Root
16 | /(system_ext|system/system_ext)/bin/adb_root u:object_r:adbroot_exec:s0
17 | /data/adbroot(/.*)?
u:object_r:adbroot_data_file:s0
18 |
  | # NOTE(review): bash gets the same type as the platform shell, so every
  | # domain that is allowed to execute shell_exec can also run bash. No extra
  | # rule is needed for that, and none can restrict bash separately.
19 | # Bash
20 | /(system_ext|system/system_ext)/bin/bash u:object_r:shell_exec:s0
21 |
--------------------------------------------------------------------------------
/common/sepolicy.mk:
--------------------------------------------------------------------------------
1 | #
2 | # This policy configuration will be used by all products that
3 | # inherit from Arrow
4 | #
5 |
  | # Default to prebuilt vendor policy when the vendor output directory is
  | # "vendor" and no vendor image filesystem type is set. ?= keeps a value the
  | # board has already assigned, so a device can opt out.
6 | ifeq ($(TARGET_COPY_OUT_VENDOR), vendor)
7 |   ifeq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),)
8 |     TARGET_USES_PREBUILT_VENDOR_SEPOLICY ?= true
9 |   endif
10 | endif
11 |
  | # When the prebuilt vendor policy already labels fuseblk, define the m4
  | # symbol that makes common/private/genfs_contexts skip its own fuseblk entry.
12 | ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
13 |   ifeq ($(TARGET_HAS_FUSEBLK_SEPOLICY_ON_VENDOR),true)
14 |     BOARD_SEPOLICY_M4DEFS += board_excludes_fuseblk_sepolicy=true
15 |   endif
16 | endif
17 |
  | # public and private policy always go into the system_ext policy.
18 | SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
19 |     device/arrow/sepolicy/common/public
20 |
21 | SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
22 |     device/arrow/sepolicy/common/private
23 |
  | # With prebuilt vendor policy the dynamic rules are added to system_ext
  | # private policy and the vendor directory is left out; otherwise dynamic and
  | # vendor are both built as vendor policy.
  | # NOTE(review): in the prebuilt case common/vendor is not compiled at all,
  | # so the HAL server domains defined there must already exist in the
  | # prebuilt vendor policy - confirm per device.
24 | ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
25 | SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
26 |     device/arrow/sepolicy/common/dynamic
27 | else
28 | BOARD_VENDOR_SEPOLICY_DIRS += \
29 |     device/arrow/sepolicy/common/dynamic \
30 |     device/arrow/sepolicy/common/vendor
31 | endif
32 |
--------------------------------------------------------------------------------
/common/vendor/file_contexts:
--------------------------------------------------------------------------------
  | # Labels vendor HAL service binaries with the matching hal_*_default_exec
  | # type, under either /vendor or /system/vendor.
1 | # Fingerprint HAL
2 | /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.0-service u:object_r:hal_fingerprint_default_exec:s0
3 |
4 | # GNSS HAL
5 | /(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service\.legacy u:object_r:hal_gnss_default_exec:s0
6 |
7 | # Light HAL
8 | /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.aw2013 u:object_r:hal_light_default_exec:s0
9 |
10 | # USB HAL
11 | /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service\.basic
u:object_r:hal_usb_default_exec:s0
12 | /(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.1-service\.typec u:object_r:hal_usb_default_exec:s0
13 |
14 | # Vibrator HAL
15 | /(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service\.lineage u:object_r:hal_vibrator_default_exec:s0
16 |
17 | # Wi-Fi HAL
18 | /(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service\.legacy u:object_r:hal_wifi_default_exec:s0
19 |
--------------------------------------------------------------------------------
/common/public/te_macros:
--------------------------------------------------------------------------------
1 | #####################################
2 | # rw_dir_file(domain, type)
3 | # Allow the specified domain to read directories and read/write files
4 | # and symbolic links of the specified type.
5 | define(`rw_dir_file', `
6 | allow $1 $2:dir r_dir_perms;
7 | allow $1 $2:{ file lnk_file } rw_file_perms;
8 | ')
9 |
10 | #####################################
11 | # create_dir_file(domain, type)
12 | # Allow the specified domain to read directories and create files
13 | # and symbolic links of the specified type.
  | # NOTE(review): the directory rule in this macro is r_dir_perms, which is
  | # read-only. Adding a new entry to a directory needs write access to that
  | # directory, so callers that really create files need a separate dir rule -
  | # confirm this is intended.
14 | define(`create_dir_file', `
15 | allow $1 $2:dir r_dir_perms;
16 | allow $1 $2:{ file lnk_file } create_file_perms;
17 | ')
18 |
19 | #####################################
20 | # hal_attribute_lineage(hal_name)
  | # Declares three attributes for a HAL: hal_NAME, hal_NAME_client and
  | # hal_NAME_server. The base and client attributes are marked for expansion
  | # (expandattribute true); the server attribute is kept (false).
21 | define(`hal_attribute_lineage', `
22 | attribute hal_$1;
23 | expandattribute hal_$1 true;
24 | attribute hal_$1_client;
25 | expandattribute hal_$1_client true;
26 | attribute hal_$1_server;
27 | expandattribute hal_$1_server false;
28 | ')
29 |
--------------------------------------------------------------------------------
/common/private/recovery.te:
--------------------------------------------------------------------------------
  | # Everything in this file is wrapped in recovery_only, so it is compiled
  | # into the recovery policy only.
  | # NOTE(review): recovery is permissive on userdebug and eng builds, so the
  | # allow rules below are only exercised under enforcement on user builds.
  | # The sysfs:file w_file_perms rule covers every file with the generic sysfs
  | # label, not just uevent nodes.
1 | recovery_only(`
2 |   userdebug_or_eng(`
3 |     permissive recovery;
4 |   ')
5 |
6 |   # Volume manager
7 |   r_dir_file(recovery, sdcard_type)
8 |   allow recovery block_device:dir create_dir_perms;
9 |   allow recovery block_device:blk_file { create unlink rw_file_perms };
10 |   allow recovery self:capability { mknod fsetid };
11 |   allow recovery proc_filesystems:file r_file_perms;
12 |   allow recovery self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
13 |   allow recovery sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
14 |   allow recovery tmpfs:file link;
15 |   allow recovery rootfs:dir w_dir_perms;
16 |   allow recovery rootfs:file { create_file_perms link };
17 |   allow recovery media_rw_data_file:dir r_dir_perms;
18 |   allow recovery sysfs_perdev_minors:file r_file_perms;
19 |   allowxperm recovery block_device:blk_file ioctl { HDIO_GETGEO BLKGETSIZE };
20 |
21 |   # Read fbe encryption info
22 |   r_dir_file(recovery, unencrypted_data_file)
23 | ')
24 |
--------------------------------------------------------------------------------
/common/private/updater_app.te:
--------------------------------------------------------------------------------
  | # Domain for the updater app that private/seapp_contexts maps from
  | # org.lineageos.updater. It has network access (net_domain), talks to
  | # update_engine over binder, writes OTA packages (ota_package_file) and
  | # cache_recovery_file, and may set recovery_update_prop.
  | # NOTE(review): this domain both downloads data and hands it to
  | # update_engine, so it is a high-value target. get_prop on default_prop is
  | # presumably a read of every property without a more specific label -
  | # confirm it is still needed.
1 | type updater_app, domain, coredomain;
2 |
3 | app_domain(updater_app)
4 | net_domain(updater_app)
5 |
6 | binder_call(updater_app, gpuservice)
7 | binder_call(updater_app, update_engine)
8 |
9 | allow updater_app app_api_service:service_manager find;
10 | allow updater_app recovery_service:service_manager find;
11 | allow updater_app system_api_service:service_manager find;
12 | allow updater_app update_engine_service:service_manager find;
13 |
14 | allow updater_app app_data_file:dir create_dir_perms;
15 | allow updater_app app_data_file:{ file lnk_file } create_file_perms;
16 |
17 | allow updater_app cache_file:dir r_dir_perms;
18 |
19 | allow updater_app cache_recovery_file:dir rw_dir_perms;
20 | allow updater_app cache_recovery_file:file create_file_perms;
21 |
22 | allow updater_app ota_package_file:dir create_dir_perms;
23 | allow updater_app ota_package_file:file create_file_perms;
24 |
25 | get_prop(updater_app, default_prop)
26 | get_prop(updater_app, build_prop)
27 |
28 | set_prop(updater_app, recovery_update_prop)
29 |
--------------------------------------------------------------------------------
/common/dynamic/hwservice_contexts:
--------------------------------------------------------------------------------
  | # HIDL interface names mapped to hwservice types. The Lineage types are
  | # declared in dynamic/hwservice.te; hal_health_hwservice is not declared on
  | # this page and presumably comes from the platform policy.
1 | motorola.hardware.health::IMotHealth u:object_r:hal_health_hwservice:s0
2 | vendor.lineage.camera.motor::ICameraMotor
u:object_r:hal_lineage_camera_motor_hwservice:s0
3 | vendor.lineage.powershare::IPowerShare u:object_r:hal_lineage_powershare_hwservice:s0
4 | vendor.lineage.touch::IGloveMode u:object_r:hal_lineage_touch_hwservice:s0
5 | vendor.lineage.touch::IHighTouchPollingRate u:object_r:hal_lineage_touch_hwservice:s0
6 | vendor.lineage.touch::IKeyDisabler u:object_r:hal_lineage_touch_hwservice:s0
7 | vendor.lineage.touch::IKeySwapper u:object_r:hal_lineage_touch_hwservice:s0
8 | vendor.lineage.touch::IStylusMode u:object_r:hal_lineage_touch_hwservice:s0
9 | vendor.lineage.touch::ITouchscreenGesture u:object_r:hal_lineage_touch_hwservice:s0
10 |
--------------------------------------------------------------------------------
/qcom/sepolicy.mk:
--------------------------------------------------------------------------------
1 | #
2 | # This policy configuration will be used by all qcom products
3 | # that inherit from Arrow
4 | #
5 |
  | # Same default as common/sepolicy.mk: assume prebuilt vendor policy when the
  | # vendor output directory is "vendor" and no vendor image filesystem type is
  | # set. ?= keeps a value the board has already assigned.
6 | ifeq ($(TARGET_COPY_OUT_VENDOR), vendor)
7 |   ifeq ($(BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE),)
8 |     TARGET_USES_PREBUILT_VENDOR_SEPOLICY ?= true
9 |   endif
10 | endif
11 |
12 | SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
13 |     device/arrow/sepolicy/qcom/private
14 |
  | # With prebuilt vendor policy the qcom dynamic rules go into system_ext
  | # private policy and qcom/vendor is left out; otherwise both are built as
  | # vendor policy.
15 | ifeq ($(TARGET_USES_PREBUILT_VENDOR_SEPOLICY), true)
16 | SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
17 |     device/arrow/sepolicy/qcom/dynamic
18 | else
19 | BOARD_VENDOR_SEPOLICY_DIRS += \
20 |     device/arrow/sepolicy/qcom/dynamic \
21 |     device/arrow/sepolicy/qcom/vendor
22 | endif
23 |
  | # For platforms NOT in the list below, define m4 symbols that rewrite the
  | # unprefixed type names to their vendor_ prefixed equivalents.
  | # NOTE(review): m4 substitution is by token, so each name on the left is
  | # presumably replaced wherever it appears in policy processed with these
  | # defs (for example persist_block_device in qcom/vendor/fsck.te). Confirm
  | # the prefixed types exist in the target vendor policy, otherwise the rules
  | # fail to compile or end up attached to the wrong type.
24 | ifeq (,$(filter msm8960 msm8226 msm8610 msm8974 apq8084 msm8909 msm8916 msm8952 msm8992 msm8994 msm8937 msm8953 msm8996 msm8998 sdm660 sdm710 sdm845, $(TARGET_BOARD_PLATFORM)))
25 | BOARD_SEPOLICY_M4DEFS += \
26 |     display_vendor_data_file=vendor_display_vendor_data_file \
27 |     hal_keymaster_qti_exec=vendor_hal_keymaster_qti_exec \
28 |     hal_perf_default=vendor_hal_perf_default \
29 |     persist_block_device=vendor_persist_block_device \
30 |     qdisplay_service=vendor_qdisplay_service \
31 |     sysfs_battery_supply=vendor_sysfs_battery_supply \
32 |     sysfs_graphics=vendor_sysfs_graphics \
33 |     sysfs_usb_supply=vendor_sysfs_usb_supply
34 | endif
35 |
--------------------------------------------------------------------------------