# ============================================== # MTK Policy Rule # ============ # Date : WK14.32 # Operation : AEE UT # Purpose : for AEE module domain_auto_trans(debuggerd, dmlog_exec, dmlog) allow debuggerd aed_device:chr_file { read write ioctl open }; allow debuggerd expdb_device:chr_file { read write ioctl open }; allow debuggerd expdb_block_device:blk_file { read write ioctl open }; allow debuggerd mmcblk0_block_device:blk_file { read write ioctl open }; allow debuggerd ccci_device:chr_file { read ioctl open }; allow debuggerd etb_device:chr_file { read write ioctl open }; allow debuggerd graphics_device:dir search; allow debuggerd graphics_device:chr_file r_file_perms; allow debuggerd Vcodec_device:chr_file r_file_perms; allow debuggerd camera_isp_device:chr_file r_file_perms; # AED start: /dev/block/expdb allow debuggerd block_device:dir search; # debuggerd open/dev/mtd/mtd12 failed(expdb) allow debuggerd mtd_device:dir create_dir_perms; allow debuggerd mtd_device:chr_file { read write ioctl open }; allow debuggerd userdata_block_device:blk_file create_file_perms; # NE flow: /dev/RT_Monitor allow debuggerd RT_Monitor_device:chr_file { read ioctl open }; # /dev/_GPU_ dev/pvrsrvkm allow debuggerd gpu_device:chr_file rw_file_perms; # /dev/exm0 allow debuggerd exm0_device:chr_file r_file_perms; allow debuggerd shell_exec:file { execute execute_no_trans }; allow debuggerd dex2oat_exec:file { execute execute_no_trans }; # aee db dir and db files allow debuggerd sdcard_internal:dir create_dir_perms; allow debuggerd sdcard_internal:file create_file_perms; #data/anr allow debuggerd anr_data_file:dir create_dir_perms; allow debuggerd anr_data_file:file create_file_perms; #data/aee_exp allow debuggerd aee_exp_data_file:dir { relabelto create_dir_perms }; allow debuggerd aee_exp_data_file:file create_file_perms; #data/dumpsys allow debuggerd aee_dumpsys_data_file:dir { relabelto create_dir_perms }; allow debuggerd aee_dumpsys_data_file:file create_file_perms; #/data/core allow debuggerd aee_core_data_file:dir create_dir_perms; allow debuggerd aee_core_data_file:file create_file_perms; # /data/data_tmpfs_log allow debuggerd data_tmpfs_log_file:dir create_dir_perms; allow debuggerd data_tmpfs_log_file:file create_file_perms; allow debuggerd shell_data_file:dir search; allow debuggerd shell_data_file:file r_file_perms; #/data/anr/SF_RTT allow debuggerd sf_rtt_file:dir search; allow debuggerd sf_rtt_file:file r_file_perms; allow debuggerd sysfs:file write; allow debuggerd proc:file write; allow debuggerd sysfs_lowmemorykiller:file { read open }; allow debuggerd debugfs:file read; #allow debuggerd proc_security:file { write open }; allow debuggerd self:capability { fsetid sys_nice sys_resource net_admin sys_module }; allow debuggerd domain:process { sigkill getattr getsched}; allow debuggerd domain:lnk_file getattr; #core-pattern allow debuggerd usermodehelper:file { read open }; #file_type_auto_trans(debuggerd, system_data_file, debuggerd_data_file); #allow debuggerd debuggerd_data_file:file rw_file_perms; #suid_dumpable allow debuggerd proc_security:file { read open }; #kptr_restrict #allow debuggerd proc_security:file { write open }; #dmesg allow debuggerd kernel:system syslog_read; #property allow debuggerd init:unix_stream_socket connectto; allow debuggerd property_socket:sock_file write; # dumpstate ION_MM_HEAP allow debuggerd debugfs:lnk_file read; #allow debuggerd tmpfs:lnk_file read; # aed set property allow debuggerd persist_mtk_aee_prop:property_service set; allow debuggerd persist_aee_prop:property_service set; allow debuggerd debug_mtk_aee_prop:property_service set; # aee_dumpstate set property allow debuggerd debug_bq_dump_prop:property_service set; #com.android.settings NE allow debuggerd system_app_data_file:dir search; # sogou NE allow debuggerd app_data_file:dir search; # open and read /data/data/com.android.settings/databases/search_index.db-journal allow debuggerd system_app_data_file:file r_file_perms; allow debuggerd app_data_file:file r_file_perms; # /system/bin/am allow debuggerd system_file:file execute_no_trans; allow debuggerd zygote_exec:file { execute execute_no_trans }; #/proc/driver/storage_logger allow debuggerd proc_slogger:file { write read open }; # MOTA upgrade from JB->L: aee_dumpstate(ps top df dmesg) # allow debuggerd unlabeled:lnk_file read; #allow debuggerd dalvikcache_data_file:dir { write add_name remove_name}; #allow debuggerd dalvikcache_data_file:file { write create setattr }; binder_use(debuggerd) allow debuggerd system_server:binder call; allow debuggerd surfaceflinger:binder call; allow debuggerd surfaceflinger:fd use; allow debuggerd platform_app:fd use; allow debuggerd platform_app_tmpfs:file write; # aed and MTKLogger.apk socket connect allow debuggerd platform_app:unix_stream_socket connectto; allow debuggerd self:udp_socket { create ioctl }; allow debuggerd init:process getsched; allow debuggerd kernel:process getsched; # for SF_dump allow debuggerd sf_bqdump_data_file:dir { read write open remove_name search}; allow debuggerd sf_bqdump_data_file:file { read getattr unlink open }; allow debuggerd custom_file:dir search; # avc: denied { read } for pid=4503 comm="screencap" name="secmem0" dev="proc" allow debuggerd proc_secmem:file r_file_perms; #add debuggerd policy allow debuggerd mnt_user_file:dir search; allow debuggerd mnt_user_file:lnk_file read; allow debuggerd procrank_exec:file { execute execute_no_trans }; #allow debuggerd storage_file:dir search; allow debuggerd storage_file:lnk_file read; # Date : WK15.30 # Operation : Migration # Purpose : for device bring up, not to block early migration/sanity allow debuggerd log_device:chr_file read; # Date: W15.34 # Operation: Migration # Purpose: For pagemap & pageflags information in NE DB userdebug_or_eng(`allow debuggerd self:capability sys_admin;') # Date: W15.35 # Operation: Android M Daily Sanity # Purpose: Add rules for Violation allow debuggerd activity_service:service_manager find; allow debuggerd dbinfo_service:service_manager find; allow debuggerd meminfo_service:service_manager find; allow debuggerd self:capability sys_admin; allow debuggerd surfaceflinger_service:service_manager find; allow debuggerd window_service:service_manager find; # Date: W15.37 # Operation: daily build violation on branch trunk-m0.tk # Purpose: Add rules for Violation allow debuggerd proc_lk_env:file { read write ioctl open }; # Date: W15.39 # Operation: daily build violation on branch trunk-m0.tk # Purpose: Allow debuggerd to find gfxinfo_service allow debuggerd gfxinfo_service:service_manager find; # Date : 2015/06/12 # Operation: TEEI integration # Purpose: access for fp device and client device of TEEI allow debuggerd teei_fp_device:chr_file rw_file_perms; allow debuggerd teei_client_device:chr_file rw_file_perms; #scp file dumpstate allow debuggerd sysfs_scp:dir search; allow debuggerd sysfs_scp:file { read open }; #android log much file allow debuggerd logmuch_data_file:dir search; allow debuggerd logmuch_data_file:file { read open }; # Date: W15.53 # Operation: add DUMPSYS_DISPLAY to db # Purpose: Allow debuggerd to find gfxinfo_service allow debuggerd display_service:service_manager find; # Date : WK16.04 # Operation : direct coredump enhancement # Purpose : support abort message dumping userdebug_or_eng(` allow debuggerd aee_interim_data_file:dir { remove_name }; allow debuggerd aee_interim_data_file:file { unlink }; ')