authorGreg Kaiser <gkaiser@google.com>2020-02-27 12:38:39 -0800
committerGreg Kaiser <gkaiser@google.com>2020-02-27 13:45:56 -0800
commit9f0dee706bef6e4f0e8580f39ad8590187bc2797 (patch)
treeb35f55cd6ce105361508fb814cff4af5ed05bf20
parent66cf15c4515882e764928c4241203b49bbe8e00b (diff)
parent9370538053f4730c38568e8dae86e3fa9ac776eb (diff)
Automated merge of MTK Keystone code for various_libs
Bug: 147140436 Test: Section 6 in vendor/mediatek/build/wembley_tools/merge_process.txt * commit '9370538053f4730c38568e8dae86e3fa9ac776eb': (806 commits) Update drm service executables file_contexts [ALPS04971420] SELIUX: remove system_data_file rule [ALPS04971420] SELIUX: remove netd sys_module rule [ALPS04968107] Error handling for RILD auto-restart [ALPS04979747] SEPolicy: Fix mistake for BASIC project [ALPS04978995] SEPolicy: Add neverallow rule for vendor_data_file [ALPS04974468] SEPolicy: Add neverallow rule for system_data_file [ALPS04970566] SEPolicy: Add neverallow rule for debugfs [ALPS04961200] recovery: replace sysfs_mmcblk selinux label with sysfs_mmcblk_block [ALPS04967689] SEPolicy: Add neverallow rule for proc [ALPS04968083] SEPolicy: Modify sepolicy files mode and type [ALPS04967419] SEPolicy: Add neverallow rule for sysfs [ALPS04962211] [EM] remove unused selinux prop [ALPS04248635] Vibrator: add the new path for driver [ALPS04961644] SEPolicy: Fix build error for Android R [ALPS04940525] Add SELINUX rules [ALPS04925594] EMI: add permission to concurrency_scenario node [ALPS04915107] HWC: Enable write permission for ged_debug [ALPS04882955] Error handling for RILD auto-restart [ALPS04859387] gz: add nebula-ipc-dev0 sepolicy ... Change-Id: I3f697ba364098f642e241ba7b14d23e4187780b2
-rw-r--r--non_plat/aee_aed.te2
-rw-r--r--non_plat/aee_aedv.te59
-rw-r--r--non_plat/aee_core_forwarder.te4
-rw-r--r--non_plat/atci_service.te13
-rw-r--r--non_plat/atcid.te18
-rw-r--r--non_plat/attributes8
-rw-r--r--non_plat/biosensord_nvram.te1
-rw-r--r--non_plat/bootanim.te5
-rw-r--r--non_plat/cameraserver.te34
-rw-r--r--non_plat/ccci_fsd.te12
-rw-r--r--non_plat/ccci_mdinit.te13
-rw-r--r--[-rwxr-xr-x]non_plat/connsyslogger.te5
-rw-r--r--non_plat/domain.te200
-rw-r--r--non_plat/dumpstate.te15
-rw-r--r--non_plat/e2fs.te15
-rw-r--r--non_plat/em_hidl.te12
-rw-r--r--non_plat/emdlogger.te11
-rw-r--r--non_plat/factory.te25
-rw-r--r--non_plat/fastbootd.te28
-rw-r--r--non_plat/file.te74
-rw-r--r--non_plat/file_contexts40
-rw-r--r--non_plat/fuelgauged_nvram.te5
-rw-r--r--non_plat/genfs_contexts87
-rw-r--r--non_plat/gsm0710muxd.te3
-rw-r--r--non_plat/hal_bootctl_default.te3
-rw-r--r--non_plat/hal_graphics_allocator_default.te1
-rw-r--r--non_plat/hal_graphics_composer_default.te5
-rw-r--r--[-rwxr-xr-x]non_plat/hal_mms.te0
-rw-r--r--[-rwxr-xr-x]non_plat/hal_nvramagent.te0
-rw-r--r--[-rwxr-xr-x]non_plat/hal_thermal_default.te0
-rw-r--r--non_plat/hal_vibrator.te2
-rw-r--r--non_plat/hwservice.te4
-rw-r--r--non_plat/hwservice_contexts12
-rw-r--r--non_plat/init.te11
-rw-r--r--[-rwxr-xr-x]non_plat/ioctl_defines7
-rw-r--r--non_plat/ioctl_macros1
-rw-r--r--non_plat/kernel.te5
-rw-r--r--non_plat/loghidlvendorservice.te1
-rw-r--r--non_plat/mdlogger.te6
-rw-r--r--non_plat/mediacodec.te12
-rw-r--r--non_plat/mediaserver.te6
-rw-r--r--[-rwxr-xr-x]non_plat/mediaswcodec.te0
-rw-r--r--non_plat/merged_hal_service.te30
-rw-r--r--non_plat/meta_tst.te6
-rw-r--r--non_plat/mnld.te4
-rw-r--r--[-rwxr-xr-x]non_plat/modemdbfilter_service.te0
-rw-r--r--non_plat/mtk_hal_audio.te10
-rw-r--r--non_plat/mtk_hal_bgs.te6
-rw-r--r--non_plat/mtk_hal_bluetooth.te5
-rw-r--r--non_plat/mtk_hal_camera.te26
-rw-r--r--non_plat/mtk_hal_gpu.te5
-rw-r--r--non_plat/mtk_hal_light.te1
-rw-r--r--[-rwxr-xr-x]non_plat/mtk_hal_md_dbfilter.te0
-rw-r--r--[-rwxr-xr-x]non_plat/mtk_hal_mms.te4
-rw-r--r--non_plat/mtk_hal_power.te45
-rw-r--r--non_plat/mtk_hal_sensors.te3
-rw-r--r--[-rwxr-xr-x]non_plat/mtk_hal_wifi.te0
-rw-r--r--non_plat/mtkrild.te21
-rw-r--r--non_plat/netd.te16
-rw-r--r--non_plat/nvram_agent_binder.te11
-rw-r--r--non_plat/nvram_daemon.te15
-rw-r--r--non_plat/platform_app.te4
-rw-r--r--non_plat/property.te9
-rw-r--r--non_plat/property_contexts19
-rw-r--r--non_plat/radio.te4
-rw-r--r--non_plat/recovery.te6
-rw-r--r--non_plat/rild.te24
-rw-r--r--non_plat/rilproxy.te8
-rw-r--r--non_plat/stp_dump3.te2
-rw-r--r--non_plat/system_server.te73
-rw-r--r--non_plat/thermal_manager.te23
-rw-r--r--non_plat/thermalloadalgod.te34
-rw-r--r--non_plat/uncrypt.te13
-rwxr-xr-xnon_plat/uncrypte.te1
-rw-r--r--non_plat/vendor_init.te16
-rw-r--r--non_plat/vendor_shell.te (renamed from plat_private/vendor_shell.te)0
-rw-r--r--[-rwxr-xr-x]non_plat/vold_prepare_subdirs.te0
-rw-r--r--non_plat/wlan_assistant.te5
-rw-r--r--non_plat/wmt_loader.te2
-rw-r--r--plat_private/aee_aed.te14
-rw-r--r--plat_private/aee_aedv.te9
-rw-r--r--plat_private/audioserver.te8
-rw-r--r--plat_private/boot_logo_updater.te3
-rw-r--r--plat_private/cmddumper.te7
-rw-r--r--plat_private/domain.te117
-rw-r--r--[-rwxr-xr-x]plat_private/emdlogger.te9
-rw-r--r--[-rwxr-xr-x]plat_private/file.te0
-rw-r--r--plat_private/file_contexts7
-rw-r--r--plat_private/genfs_contexts1
-rw-r--r--[-rwxr-xr-x]plat_private/lbs_dbg.te3
-rw-r--r--[-rwxr-xr-x]plat_private/loghidlsysservice.te0
-rw-r--r--plat_private/mdlogger.te5
-rw-r--r--plat_private/mobile_log_d.te2
-rw-r--r--[-rwxr-xr-x]plat_private/modemdbfilter_client.te3
-rw-r--r--plat_private/mtkbootanimation.te1
-rw-r--r--[-rwxr-xr-x]plat_private/netdiag.te2
-rw-r--r--plat_private/ppp.te32
-rw-r--r--plat_private/property_contexts4
-rw-r--r--plat_private/service_contexts3
-rw-r--r--plat_private/system_app.te4
-rw-r--r--plat_private/system_server.te4
-rw-r--r--plat_public/aee_aedv.te4
-rw-r--r--plat_public/domain.te361
-rw-r--r--[-rwxr-xr-x]plat_public/emdlogger.te0
-rw-r--r--plat_public/file.te2
-rw-r--r--[-rwxr-xr-x]plat_public/mdlogger.te0
-rw-r--r--[-rwxr-xr-x]plat_public/modemdbfilter_client.te0
-rw-r--r--[-rwxr-xr-x]plat_public/netdiag.te0
-rwxr-xr-xprebuilts/api/26.0/plat_private/aee_aedv.te9
-rw-r--r--r_non_plat/MtkCodecService.te9
-rw-r--r--r_non_plat/adbd.te13
-rw-r--r--r_non_plat/aee_aed.te69
-rw-r--r--r_non_plat/aee_aedv.te431
-rw-r--r--r_non_plat/aee_core_forwarder.te18
-rw-r--r--r_non_plat/aee_hidl.te17
-rw-r--r--r_non_plat/app.te50
-rw-r--r--r_non_plat/appdomain.te8
-rw-r--r--r_non_plat/atci_service.te137
-rw-r--r--r_non_plat/atcid.te74
-rw-r--r--r_non_plat/attributes90
-rw-r--r--r_non_plat/audiocmdservice_atci.te34
-rw-r--r--r_non_plat/audioserver.te57
-rw-r--r--r_non_plat/biosensord_nvram.te32
-rw-r--r--r_non_plat/bluetooth.te25
-rw-r--r--r_non_plat/boot_logo_updater.te22
-rw-r--r--r_non_plat/bootanim.te34
-rw-r--r--r_non_plat/cameraserver.te322
-rw-r--r--r_non_plat/ccci_fsd.te67
-rw-r--r--r_non_plat/ccci_mdinit.te107
-rw-r--r--r_non_plat/cmddumper.te31
-rw-r--r--r_non_plat/connsyslogger.te82
-rw-r--r--r_non_plat/device.te274
-rw-r--r--r_non_plat/domain.te30
-rw-r--r--r_non_plat/drmserver.te7
-rw-r--r--r_non_plat/dumpstate.te181
-rw-r--r--r_non_plat/e2fs.te34
-rw-r--r--r_non_plat/em_hidl.te130
-rw-r--r--r_non_plat/em_svr.te77
-rw-r--r--r_non_plat/emdlogger.te124
-rw-r--r--r_non_plat/factory.te389
-rw-r--r--r_non_plat/fastbootd.te25
-rw-r--r--r_non_plat/file.te416
-rw-r--r--r_non_plat/file_contexts686
-rw-r--r--r_non_plat/fm_hidl_service.te19
-rw-r--r--r_non_plat/fsck.te18
-rw-r--r--r_non_plat/fuelgauged.te71
-rw-r--r--r_non_plat/fuelgauged_nvram.te66
-rw-r--r--r_non_plat/genfs_contexts254
-rw-r--r--r_non_plat/gpuservice.te8
-rw-r--r--r_non_plat/gsm0710muxd.te41
-rw-r--r--r_non_plat/hal_audio.te10
-rw-r--r--r_non_plat/hal_bootctl_default.te14
-rw-r--r--r_non_plat/hal_cas_default.te5
-rw-r--r--r_non_plat/hal_drm_clearkey.te12
-rw-r--r--r_non_plat/hal_drm_default.te6
-rw-r--r--r_non_plat/hal_drm_widevine.te16
-rw-r--r--r_non_plat/hal_gnss.te2
-rw-r--r--r_non_plat/hal_gnss_default.te7
-rw-r--r--r_non_plat/hal_gpu.te6
-rw-r--r--r_non_plat/hal_graphics_allocator.te5
-rw-r--r--r_non_plat/hal_graphics_allocator_default.te24
-rw-r--r--r_non_plat/hal_graphics_composer_default.te53
-rw-r--r--r_non_plat/hal_hdmi.te6
-rw-r--r--r_non_plat/hal_imsa.te6
-rw-r--r--r_non_plat/hal_ir.te4
-rw-r--r--r_non_plat/hal_keymaster_attestation.te17
-rw-r--r--r_non_plat/hal_memtrack_default.te9
-rw-r--r--r_non_plat/hal_mms.te6
-rw-r--r--[-rwxr-xr-x]r_non_plat/hal_nfc.te (renamed from prebuilts/api/26.0/plat_public/aee_aedv.te)5
-rw-r--r--r_non_plat/hal_nvramagent.te6
-rw-r--r--r_non_plat/hal_pq.te6
-rw-r--r--r_non_plat/hal_thermal_default.te8
-rw-r--r--r_non_plat/hal_usb.te11
-rw-r--r--r_non_plat/hal_vibrator.te5
-rw-r--r--r_non_plat/hal_wifi.te8
-rw-r--r--r_non_plat/hwservice.te63
-rw-r--r--r_non_plat/hwservice_contexts69
-rw-r--r--r_non_plat/init.te142
-rw-r--r--r_non_plat/installd.te7
-rw-r--r--r_non_plat/ioctl_defines64
-rw-r--r--r_non_plat/ioctl_macros25
-rw-r--r--r_non_plat/kernel.te84
-rw-r--r--r_non_plat/keystore.te13
-rw-r--r--r_non_plat/kisd.te32
-rw-r--r--r_non_plat/lbs_hidl_service.te11
-rw-r--r--r_non_plat/lmkd.te23
-rw-r--r--r_non_plat/loghidlsysservice.te6
-rw-r--r--r_non_plat/loghidlvendorservice.te14
-rw-r--r--r_non_plat/mdlogger.te62
-rw-r--r--r_non_plat/mediacodec.te153
-rw-r--r--r_non_plat/mediadrmserver.te9
-rw-r--r--r_non_plat/mediaextractor.te15
-rw-r--r--r_non_plat/mediaserver.te329
-rw-r--r--r_non_plat/mediaswcodec.te11
-rw-r--r--r_non_plat/merged_hal_service.te90
-rw-r--r--r_non_plat/meta_tst.te419
-rw-r--r--r_non_plat/mmc_ffu.te21
-rw-r--r--r_non_plat/mnld.te102
-rw-r--r--r_non_plat/mobile_log_d.te64
-rw-r--r--r_non_plat/modemdbfilter_service.te18
-rw-r--r--r_non_plat/mtk_agpsd.te70
-rw-r--r--r_non_plat/mtk_hal_audio.te233
-rw-r--r--r_non_plat/mtk_hal_bgs.te6
-rw-r--r--r_non_plat/mtk_hal_bluetooth.te49
-rw-r--r--r_non_plat/mtk_hal_camera.te341
-rw-r--r--r_non_plat/mtk_hal_em.te6
-rw-r--r--r_non_plat/mtk_hal_fm.te8
-rw-r--r--r_non_plat/mtk_hal_gnss.te19
-rw-r--r--r_non_plat/mtk_hal_gpu.te47
-rw-r--r--r_non_plat/mtk_hal_hdmi.te48
-rw-r--r--r_non_plat/mtk_hal_imsa.te35
-rw-r--r--r_non_plat/mtk_hal_keyattestation.te7
-rw-r--r--r_non_plat/mtk_hal_keymanage.te27
-rw-r--r--r_non_plat/mtk_hal_lbs.te8
-rw-r--r--r_non_plat/mtk_hal_light.te23
-rw-r--r--r_non_plat/mtk_hal_log.te6
-rw-r--r--r_non_plat/mtk_hal_md_dbfilter.te6
-rw-r--r--r_non_plat/mtk_hal_mms.te55
-rw-r--r--r_non_plat/mtk_hal_power.te161
-rw-r--r--r_non_plat/mtk_hal_pq.te41
-rw-r--r--r_non_plat/mtk_hal_secure_element.te18
-rw-r--r--r_non_plat/mtk_hal_sensors.te72
-rw-r--r--r_non_plat/mtk_hal_wifi.te5
-rw-r--r--r_non_plat/mtk_wmt_launcher.te26
-rw-r--r--r_non_plat/mtkbootanimation.te50
-rw-r--r--r_non_plat/mtkrild.te125
-rw-r--r--r_non_plat/muxreport.te36
-rw-r--r--r_non_plat/netd.te65
-rw-r--r--r_non_plat/netdiag.te28
-rw-r--r--r_non_plat/nvram_agent_binder.te66
-rw-r--r--r_non_plat/nvram_daemon.te90
-rw-r--r--r_non_plat/permissive.te5
-rw-r--r--r_non_plat/platform_app.te127
-rw-r--r--r_non_plat/property.te320
-rw-r--r--r_non_plat/property_contexts351
-rw-r--r--r_non_plat/radio.te236
-rw-r--r--r_non_plat/recovery.te57
-rw-r--r--r_non_plat/resize.te38
-rw-r--r--r_non_plat/rild.te159
-rw-r--r--r_non_plat/rilproxy.te78
-rw-r--r--r_non_plat/shared_relro.te7
-rw-r--r--r_non_plat/shell.te25
-rw-r--r--r_non_plat/slpd.te18
-rw-r--r--r_non_plat/spm_loader.te19
-rw-r--r--r_non_plat/st54spi_hal_secure_element.te9
-rw-r--r--r_non_plat/stp_dump3.te43
-rw-r--r--r_non_plat/surfaceflinger.te84
-rw-r--r--r_non_plat/system_app.te50
-rw-r--r--r_non_plat/system_server.te211
-rw-r--r--r_non_plat/thermal_manager.te53
-rw-r--r--r_non_plat/thermalloadalgod.te45
-rw-r--r--r_non_plat/ueventd.te14
-rw-r--r--r_non_plat/uncrypte.te3
-rw-r--r--r_non_plat/untrusted_app.te12
-rw-r--r--r_non_plat/untrusted_app_25.te19
-rw-r--r--r_non_plat/update_engine.te29
-rw-r--r--r_non_plat/vendor_init.te71
-rw-r--r--r_non_plat/vendor_shell.te5
-rw-r--r--r_non_plat/vold.te46
-rw-r--r--r_non_plat/vold_prepare_subdirs.te10
-rw-r--r--r_non_plat/wlan_assistant.te43
-rw-r--r--r_non_plat/wmt_loader.te30
-rw-r--r--r_non_plat/zygote.te15
263 files changed, 12035 insertions, 486 deletions
diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te
index 4e0a8a2..fb69ca2 100644
--- a/non_plat/aee_aed.te
+++ b/non_plat/aee_aed.te
@@ -11,7 +11,6 @@
allow aee_aed aed_device:chr_file rw_file_perms;
allow aee_aed expdb_device:chr_file rw_file_perms;
allow aee_aed expdb_block_device:blk_file rw_file_perms;
-allow aee_aed bootdevice_block_device:blk_file rw_file_perms;
allow aee_aed etb_device:chr_file rw_file_perms;
# open/dev/mtd/mtd12 failed(expdb)
@@ -67,5 +66,4 @@ hal_client_domain(aee_aed, mtk_hal_log)
# Purpose: create /data/aee_exp at runtime
allow aee_aed file_contexts_file:file r_file_perms;
-allow aee_aed system_data_file:dir { relabelfrom setattr };
allow aee_aed aee_exp_data_file:dir relabelto;
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index 59af2f1..1231a55 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -5,6 +5,13 @@
# MTK Policy Rule
# ==============================================
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
# Date : WK14.32
# Operation : AEE UT
@@ -18,17 +25,9 @@ allow aee_aedv etb_device:chr_file rw_file_perms;
# AED start: /dev/block/expdb
allow aee_aedv block_device:dir search;
-# open/dev/mtd/mtd12 failed(expdb)
-allow aee_aedv mtd_device:dir create_dir_perms;
-allow aee_aedv mtd_device:chr_file rw_file_perms;
-
# NE flow: /dev/RT_Monitor
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
-# aee db dir and db files
-allow aee_aedv sdcard_type:dir create_dir_perms;
-allow aee_aedv sdcard_type:file create_file_perms;
-
#data/aee_exp
allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
allow aee_aedv aee_exp_vendor_file:file create_file_perms;
@@ -51,13 +50,6 @@ allow aee_aedv domain:lnk_file getattr;
#core-pattern
allow aee_aedv usermodehelper:file r_file_perms;
-#property
-allow aee_aedv init:unix_stream_socket connectto;
-allow aee_aedv property_socket:sock_file write;
-
-allow aee_aedv init:process getsched;
-allow aee_aedv kernel:process getsched;
-
# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
@@ -88,7 +80,6 @@ allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
allow aee_aedv dumpstate:dir search;
allow aee_aedv dumpstate:file r_file_perms;
-allow aee_aedv proc:file rw_file_perms;
allow aee_aedv logdr_socket:sock_file write;
allow aee_aedv logd:unix_stream_socket connectto;
@@ -127,7 +118,6 @@ allow aee_aedv crash_dump:file r_file_perms;
allow aee_aedv vendor_file:file execute_no_trans;
# Purpose: debugfs files
-# allow aee_aedv debugfs:lnk_file read;
allow aee_aedv debugfs_binder:dir { read open };
allow aee_aedv debugfs_binder:file { read open };
allow aee_aedv debugfs_blockio:file { read open };
@@ -143,7 +133,7 @@ allow aee_aedv debugfs_wakeup_sources:file { read open };
allow aee_aedv debugfs_dmlog_debug:file { read open };
allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
-allow aee_aedv debugfs_ion_mm_heap:file { read open };
+allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
@@ -283,7 +273,7 @@ allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-allow aee_aedv sysfs:file { r_file_perms write };
+allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;
# Purpose: Allow aee_aedv to use HwBinder IPC.
hwbinder_use(aee_aedv)
@@ -313,8 +303,14 @@ allow aee_aedv metadata_file:dir search;
allow aee_aedv self:capability linux_immutable;
allow aee_aedv userdata_block_device:blk_file { read write open };
allow aee_aedv para_block_device:blk_file rw_file_perms;
-allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl FS_IOC_FIEMAP;
allow aee_aedv mrdump_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ FS_IOC_FIEMAP
+};
# Purpose: allow vendor aee read lowmemorykiller logs
# file path: /sys/module/lowmemorykiller/parameters/
@@ -405,9 +401,6 @@ allow aee_aedv proc_slabtrace:file r_file_perms;
#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
allow aee_aedv proc_cmdq_debug:file r_file_perms;
-#Purpose: Allow aee_aedv to read /sys/kernel/debug/cmdq/
-allow aee_aedv debugfs_cmdq:file r_file_perms;
-
# temp solution
get_prop(aee_aedv, vendor_default_prop)
@@ -422,3 +415,23 @@ allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
allow aee_aedv vendor_file_type:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
+allow aee_aedv debugfs_smi_mon:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
+allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory
+allow aee_aedv debugfs_vpu_memory:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
+allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;
+
+allow aee_aedv proc_aed_reboot_reason:file r_file_perms;
+
+# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
+allow aee_aedv proc_drop_caches:file rw_file_perms;
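Review bot: The final added rule grants `rw_file_perms` on proc_drop_caches while the comment directly above it states the intent is only to write /proc/sys/vm/drop_caches; `allow aee_aedv proc_drop_caches:file w_file_perms;` matches the stated purpose and keeps the crash-dump daemon's access to that kernel tunable at the minimum. In the hunk at `@@ -283,7 +273,7 @@` the quoted denial log (a read of sysfs "atag,devinfo") no longer describes the rule beneath it, which now grants `w_file_perms` on sysfs_mrdump_lbaooo, so that comment should be replaced by the purpose of the write rule or removed. The widened ioctl set on aee_dumpsys_vendor_file (FS_IOC_SETFLAGS, F2FS_IOC_SET_PIN_FILE) combined with the existing `self:capability linux_immutable` lets this domain pin and flag-lock its own dump files; a one-line `# Purpose :` comment in the file's usual form would record why the set-side ioctls are needed.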
diff --git a/non_plat/aee_core_forwarder.te b/non_plat/aee_core_forwarder.te
index 2a6d951..43e97fe 100644
--- a/non_plat/aee_core_forwarder.te
+++ b/non_plat/aee_core_forwarder.te
@@ -7,12 +7,12 @@
allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
-allow aee_core_forwarder hwservicemanager_prop:file { read open getattr };
+get_prop(aee_core_forwarder, hwservicemanager_prop)
# Date: 2019/06/14
# Operation : Migration
# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
wakelock_use(aee_core_forwarder)
allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
-allow aee_core_forwarder aee_core_data_file:dir read;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
hwbinder_use(aee_core_forwarder)
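Review bot: The change from `dir read` to `r_dir_perms` on aee_core_data_file widens the grant to AOSP's full read-directory set (including search and ioctl) but carries no Date/Purpose comment, unlike the wakelock_use block directly above it; a line such as `# Purpose : list and look up entries in aee_core_data_file` would keep the file's convention. If only directory listing was denied, `{ read open }` is the narrower fix. The `get_prop(aee_core_forwarder, hwservicemanager_prop)` replacement for the raw file-permission rule is the right form.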
diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index f3f8f21..af1e683 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -13,9 +13,6 @@ init_daemon_domain(atci_service)
allow atci_service block_device:dir search;
allow atci_service misc2_block_device:blk_file { open read write };
allow atci_service misc2_device:chr_file { open read write };
-allow atci_service bootdevice_block_device:blk_file { open read write };
-
-allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
allow atci_service camera_isp_device:chr_file { read write ioctl open };
allow atci_service graphics_device:chr_file { read write ioctl open };
allow atci_service graphics_device:dir search;
@@ -34,15 +31,11 @@ allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open
allow atci_service ccu_device:chr_file { read write ioctl open };
allow atci_service vpu_device:chr_file { read write ioctl open };
allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
-#allow atci_service system_server:binder call;
-#allow atci_service system_data_file:dir { write remove_name add_name };
allow atci_service DW9714AF_device:chr_file { read write ioctl open };
allow atci_service devmap_device:chr_file { open read write ioctl };
allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr };
allow atci_service sdcard_type:file { setattr read create write getattr unlink open append };
allow atci_service mediaserver:binder call;
-#allow atci_service sysfs:file write;
-#allow atci_service system_server:unix_stream_socket { read write };
allow atci_service self:capability sys_boot;
# Date : 2015/09/17
@@ -71,11 +64,9 @@ allow atci_service storage_file:lnk_file read;
#allow atci_service media_rw_data_file:file { read write create open };
#============= atci_service ==============
-allow atci_service property_socket:sock_file write;
allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
-allow atci_service init:unix_stream_socket connectto;
-allow atci_service mtk_em_prop:property_service set;
+set_prop(atci_service, mtk_em_prop)
# Date : 2016/03/02
# Operation : M-Migration
@@ -121,7 +112,6 @@ allow atci_service mtk_hal_power:binder call;
allow atci_service mtk_hal_power_hwservice:hwservice_manager find;
allow atci_service sysfs_batteryinfo:dir search;
allow atci_service sysfs_batteryinfo:file { read getattr open };
-#allow atci_service system_data_file:lnk_file read;
allow atci_service system_file:dir { read open };
allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
#allow atci_service media_rw_data_file:dir { read getattr open };
@@ -133,7 +123,6 @@ allow atci_service debugfs_ion:dir search;
allow atci_service sysfs_tpd_setting:file { read write open getattr };
allow atci_service sysfs_vibrator_setting:file { read write open getattr };
allow atci_service sysfs_leds_setting:file { read write open getattr };
-allow atci_service proc:file getattr;
allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans };
# Date : WK18.21
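Review bot: The cleanup of commented-out rules is partial: the hunks remove `#allow atci_service system_server:binder call;` and similar dead lines, but `#allow atci_service media_rw_data_file:file { read write create open };` and `#allow atci_service media_rw_data_file:dir { read getattr open };` remain as context in the same hunks. Dead rules in a policy file read as an intent to re-enable them later; either delete them in this change as well or keep them with a comment stating why they are retained.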
diff --git a/non_plat/atcid.te b/non_plat/atcid.te
index 1b1eddd..9503a4f 100644
--- a/non_plat/atcid.te
+++ b/non_plat/atcid.te
@@ -9,10 +9,9 @@ type atcid, domain;
type atcid_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(atcid)
-allow atcid init:unix_stream_socket connectto;
-allow atcid property_socket:sock_file write;
+set_prop(atcid,persist_service_atci_prop)
allow atcid block_device:dir search;
-allow atcid socket_device:sock_file write;
+allow atcid gsmrild_socket:sock_file write;
# Date : WK17.21
# Purpose: Allow to use HIDL
@@ -20,11 +19,8 @@ hwbinder_use(atcid)
hal_client_domain(atcid, hal_telephony)
allow atcid ttyGS_device:chr_file { read write ioctl open };
-allow atcid persist_service_atci_prop:property_service set;
-allow atcid misc2_device:chr_file { read write open };
allow atcid wmtWifi_device:chr_file { write open };
allow atcid misc2_block_device:blk_file { read write open };
-allow atcid bootdevice_block_device:blk_file { open read write };
allow atci_service gpu_device:chr_file { read write open ioctl getattr };
allow atcid self:capability sys_time;
@@ -67,11 +63,17 @@ allow atcid nvdata_file:file { open read write create getattr setattr };
allow atcid nvram_device:blk_file { open read write };
allow atcid proc_meminfo:file { open read };
allow atcid sysfs_batteryinfo:dir search;
-allow atcid sysfs_mmcblk:dir search;
-allow atcid sysfs_mmcblk:file { read open };
+allow atcid sysfs_devices_block:dir search;
+allow atcid sysfs_devices_block:file { read open };
# Date : WK18.35
# Purpose: Add socket for TelephonyWare ATCI
unix_socket_connect(atcid, rild_atci, rild);
unix_socket_connect(atcid, rilproxy_atci, rild);
unix_socket_connect(atcid, atci_service, atci_service);
+
+# Date : WK19.42
+# Purpose: Add policy to access ATCI sockets
+unix_socket_connect(atcid, atci-audio, audiocmdservice_atci);
+unix_socket_connect(atcid, meta_atci, meta_tst);
+allow atcid adb_atci_socket:sock_file write;
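Review bot: The last added line grants only `sock_file write` on adb_atci_socket, whereas the neighbouring ATCI rules use `unix_socket_connect(atcid, <name>, <server>)`, which also grants `unix_stream_socket connectto` on the listening domain; without that half the connect is still denied unless it is granted in the platform part of the policy (plausible if the listener is adbd), so either use the macro or add a comment naming where the connectto rule lives. `set_prop(atcid,persist_service_atci_prop)` lacks the space after the comma used by every other macro call in this file. The replacement of `socket_device:sock_file write` by `gsmrild_socket:sock_file write` is a welcome narrowing.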
diff --git a/non_plat/attributes b/non_plat/attributes
index 344d60d..e00aa73 100644
--- a/non_plat/attributes
+++ b/non_plat/attributes
@@ -80,3 +80,11 @@ attribute mtk_hal_md_dbfilter_server;
attribute hal_hdmi;
attribute hal_hdmi_client;
attribute hal_hdmi_server;
+
+# Date: 2019/09/06
+# BGService HIDL
+attribute mtk_hal_bgs;
+attribute mtk_hal_bgs_client;
+attribute mtk_hal_bgs_server;
+
+
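Review bot: The hunk ends with two added blank lines after `attribute mtk_hal_bgs_server;`, leaving trailing whitespace at the end of the attributes file; one blank line at most is the convention elsewhere in this file. The dated `# BGService HIDL` header above the three new attributes is otherwise consistent with the existing hal_hdmi block.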
diff --git a/non_plat/biosensord_nvram.te b/non_plat/biosensord_nvram.te
index dc1b19f..5fe181c 100644
--- a/non_plat/biosensord_nvram.te
+++ b/non_plat/biosensord_nvram.te
@@ -30,4 +30,3 @@ allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
allow biosensord_nvram self:capability { chown fsetid };
-allow biosensord_nvram system_data_file:lnk_file read;
diff --git a/non_plat/bootanim.te b/non_plat/bootanim.te
index 4f0bc35..3e9cd40 100644
--- a/non_plat/bootanim.te
+++ b/non_plat/bootanim.te
@@ -32,3 +32,8 @@ allowxperm bootanim proc_perfmgr:file ioctl {
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_BQID
};
+
+# Date : WK19.48
+# Operation : Migration
+# Purpose : Allow to access gpu device search
+allow bootanim gpu_device:dir search;
diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te
index e2e04d6..318cf2e 100644
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@@ -43,7 +43,6 @@ allow cameraserver mtkcam_prop:file { open read getattr };
# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
# allow cameraserver lens_device:chr_file rw_file_perms;
# allow cameraserver nvdata_file:lnk_file read;
-# allow cameraserver proc_meminfo:file { read getattr open };
# Date : WK14.34
# Operation : Migration
@@ -58,13 +57,6 @@ allow cameraserver mtkcam_prop:file { open read getattr };
# Purpose : VP/VR
# allow cameraserver devmap_device:chr_file { ioctl };
-# Date : WK14.34
-# Operation : Migration
-# Purpose : Smartcard Service
-### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
-# #allow cameraserver self:netlink_kobject_uevent_socket read;
-# allow cameraserver system_data_file:file open;
-
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
@@ -201,13 +193,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms;
# Purpose : for low SD card latency issue
# allow cameraserver sysfs_lowmemorykiller:file { read open };
-# Data: WK14.45
-# Operation : Migration
-# Purpose : for change thermal policy when needed
-# allow cameraserver proc_mtkcooler:dir search;
-# allow cameraserver proc_mtktz:dir search;
-# allow cameraserver proc_thermal:dir search;
-
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
@@ -244,14 +229,6 @@ allow cameraserver graphics_device:chr_file rw_file_perms;
# Purpose : 3A algorithm need to access sensor service
# allow cameraserver sensorservice_service:service_manager find;
-# Date : WK15.34
-# Operation : Migration
-# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-# allow cameraserver system_data_file:dir write;
-# allow cameraserver storage_file:lnk_file {read write};
-# allow cameraserver mnt_user_file:dir {write read search};
-# allow cameraserver mnt_user_file:lnk_file {read write};
-
# Date : WK15.35
# Operation : Migration
# Purpose: Allow cameraserver to read binder from surfaceflinger
@@ -279,14 +256,6 @@ allow cameraserver system_file:dir { read open };
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir search;
-# Date : WK16.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-# allow cameraserver property_socket:sock_file write;
-# allow cameraserver proc:file getattr;
-# allow cameraserver shell_exec:file { execute read getattr open};
-# allow cameraserver init:unix_stream_socket connectto;
-
# Date : WK16.32
# Operation : Migration
# Purpose : RSC Driver
@@ -324,9 +293,6 @@ allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls };
# allow cameraserver aee_aed:unix_stream_socket connectto;
# ')
-# Purpose: Allow to access debugfs_ion dir.
-allow cameraserver system_data_file:lnk_file read;
-
# Date : WK17.19
# Operation : Migration
# Purpose : OWE Driver
diff --git a/non_plat/ccci_fsd.te b/non_plat/ccci_fsd.te
index 370fb23..889d1e8 100644
--- a/non_plat/ccci_fsd.te
+++ b/non_plat/ccci_fsd.te
@@ -22,7 +22,6 @@ allow ccci_fsd nvdata_file:lnk_file read;
allow ccci_fsd nvdata_file:dir create_dir_perms;
allow ccci_fsd nvdata_file:file create_file_perms;
allow ccci_fsd nvram_device:chr_file rw_file_perms;
-allow ccci_fsd system_data_file:lnk_file read;
allow ccci_fsd vendor_configs_file:file r_file_perms;
allow ccci_fsd vendor_configs_file:dir r_dir_perms;
@@ -41,12 +40,11 @@ allow ccci_fsd c2k_file:dir create_dir_perms;
allow ccci_fsd c2k_file:file create_file_perms;
allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
allow ccci_fsd otp_device:chr_file rw_file_perms;
-allow ccci_fsd sysfs:file r_file_perms;
allow ccci_fsd sysfs_boot_type:file { read open };
#============= ccci_fsd MD block data==============
+##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram
allow ccci_fsd block_device:dir search;
allow ccci_fsd nvram_device:blk_file rw_file_perms;
-allow ccci_fsd bootdevice_block_device:blk_file rw_file_perms;
allow ccci_fsd nvdata_device:blk_file rw_file_perms;
#============= ccci_fsd cryption related ==============
allow ccci_fsd rawfs:dir create_dir_perms;
@@ -63,7 +61,7 @@ allow ccci_fsd kmsg_device:chr_file w_file_perms;
allow ccci_fsd proc_lk_env:file rw_file_perms;
#============= ccci_fsd MD Low Power Monitor Related ==============
-allow ccci_fsd vendor_data_file:dir create_dir_perms;
-allow ccci_fsd vendor_data_file:file create_file_perms;
-allow ccci_fsd sysfs_mmcblk:dir search;
-allow ccci_fsd sysfs_mmcblk:file { read getattr open };
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
+allow ccci_fsd sysfs_devices_block:dir search;
+allow ccci_fsd sysfs_devices_block:file { read getattr open };
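Review bot: The comment added as `##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram` sits above `block_device:dir search` and `nvram_device:blk_file rw_file_perms`, yet the same hunk removes the bootdevice_block_device rule that the path in the comment suggests; presumably the by-name symlink resolves to a node labelled nvram_device, which the retained rule covers, but the comment should say so in the file's `# Purpose :` form rather than the bare `##...>...>` shorthand. The rename from vendor_data_file to ccci_data_md1_file in the last hunk is a good narrowing; a `# Purpose` line there recording which directory carries that label (presumably via the file_contexts change in this commit) would help the next reader.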
diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te
index 11d33c7..6fbe3ba 100644
--- a/non_plat/ccci_mdinit.te
+++ b/non_plat/ccci_mdinit.te
@@ -27,7 +27,7 @@ set_prop(ccci_mdinit, ctl_dualmdlogger_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-s_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-d_prop)
-set_prop(ccci_mdinit, ctl_rildaemon_prop)
+#set_prop(ccci_mdinit, ctl_rildaemon_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-mtk_prop)
set_prop(ccci_mdinit, ctl_fusion_ril_mtk_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-s_prop)
@@ -61,7 +61,6 @@ allow ccci_mdinit nvdata_file:lnk_file read;
allow ccci_mdinit nvdata_file:dir rw_dir_perms;
allow ccci_mdinit nvdata_file:file create_file_perms;
allow ccci_mdinit nvram_device:chr_file rw_file_perms;
-allow ccci_mdinit system_data_file:lnk_file read;
#=============allow ccci_mdinit to access ccci config==============
allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
@@ -71,15 +70,11 @@ allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
allow ccci_mdinit protect_s_data_file:file create_file_perms;
allow ccci_mdinit nvram_device:blk_file rw_file_perms;
allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
-allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms;
set_prop(ccci_mdinit, ril_mux_report_case_prop)
allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
allow ccci_mdinit ccci_cfg_file:file create_file_perms;
-allow ccci_mdinit block_device:dir search;
-allow ccci_mdinit preloader_block_device:blk_file r_file_perms;
-allow ccci_mdinit secro_block_device:blk_file r_file_perms;
#===============security relate ==========================
allow ccci_mdinit preloader_device:chr_file rw_file_perms;
allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
@@ -100,7 +95,6 @@ allow ccci_mdinit sysfs_ccci:dir search;
allow ccci_mdinit sysfs_ccci:file rw_file_perms;
allow ccci_mdinit sysfs_ssw:dir search;
allow ccci_mdinit sysfs_ssw:file r_file_perms;
-allow ccci_mdinit sysfs:file r_file_perms;
allow ccci_mdinit sysfs_boot_mode:file { read open };
# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
@@ -111,3 +105,8 @@ allow ccci_mdinit proc_bootprof:file rw_file_perms;
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow ccci_mdinit mnt_vendor_file:dir search;
+# Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
+allow ccci_mdinit block_device:dir search;
+allow ccci_mdinit metadata_file:dir search;
+allow ccci_mdinit proc_cmdline:file r_file_perms;
+allow ccci_mdinit sysfs_dt_firmware_android:dir search;
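Review bot: The purpose line says these rules are for sysenv_get and sysenv_set, but every rule added is a `search` or read grant; nothing here lets ccci_mdinit write the environment store, so either the write side is granted elsewhere (the hunk above drops the bootdevice/preloader/secro block-device rules, which may have been that path) or sysenv_set will be denied at runtime. Worth confirming against the sysenv implementation and naming the store in the comment, e.g. `# Purpose : sysenv_get reads /proc/cmdline and the devicetree; sysenv_set writes <node> (granted in <file>)`. Note also that `block_device:dir search` is removed earlier in this file and re-added here, so the net change is a move rather than a revocation, which the two hunks read separately do not convey.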
diff --git a/non_plat/connsyslogger.te b/non_plat/connsyslogger.te
index 36b700d..25cd310 100755..100644
--- a/non_plat/connsyslogger.te
+++ b/non_plat/connsyslogger.te
@@ -18,11 +18,10 @@ allow connsyslogger fuse:file { create_file_perms };
allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
allow connsyslogger consyslog_data_file:fifo_file { create_file_perms };
allow connsyslogger consyslog_data_file:file { create_file_perms };
-allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom};
#consys logger socket access
-allow connsyslogger property_socket:sock_file write;
-allow connsyslogger init:unix_stream_socket connectto;
+#allow connsyslogger property_socket:sock_file write;
+#allow connsyslogger init:unix_stream_socket connectto;
allow connsyslogger tmpfs:lnk_file { create_file_perms };
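Review bot: The two property rules are commented out rather than deleted, which leaves dead policy text that a later merge can resurrect without review, while the `system_data_file:dir` rule in the same hunk was removed outright; the file is now inconsistent about how revoked access is recorded. If connsyslogger still needs to set a property, the supported form is `set_prop(connsyslogger, <specific_prop_type>)` on a dedicated type, which carries the `property_socket` write and `init:unix_stream_socket connectto` grants with it; raw grants of those two are exactly what the macro exists to avoid. Either drop the two commented lines or replace them with the macro plus a one-line comment naming the property.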
diff --git a/non_plat/domain.te b/non_plat/domain.te
index f1877f7..f9401fc 100644
--- a/non_plat/domain.te
+++ b/non_plat/domain.te
@@ -27,4 +27,204 @@ allow {
# -untrusted_app_all
#} aee_aed:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;
+
+# Do not allow access to the generic sysfs label. This is too broad.
+# Instead, if access to part of sysfs is desired, it should have a
+# more specific label.
+# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
+# allow hal_usb sysfs:file write;
+# hal_server_domain(mtk_hal_usb, hal_usb)
+#
+# r_dir_file(hal_wifi, sysfs_type)
+# hal_server_domain(mtk_hal_wifi, hal_wifi)
+#
+full_treble_only(`
+ neverallow ~{
+ init
+ merged_hal_service
+ mtk_hal_bluetooth
+ mtk_hal_power
+ mtk_hal_usb
+ mtk_hal_wifi
+ hal_bluetooth_btlinux
+ hal_bluetooth_default
+ hal_drm_clearkey
+ hal_drm_default
+ hal_drm_widevine
+ hal_fingerprint_default
+ hal_radio_config_default
+ hal_radio_default
+ hal_usb_default
+ hal_wifi_default
+ hal_wifi_supplicant_default
+ rild
+ tee
+ ueventd
+ vendor_init
+ vold
+ } sysfs:file *;
+
+ neverallow {
+ merged_hal_service
+ mtk_hal_bluetooth
+ mtk_hal_power
+ mtk_hal_wifi
+ hal_bluetooth_btlinux
+ hal_bluetooth_default
+ hal_drm_clearkey
+ hal_drm_default
+ hal_drm_widevine
+ hal_fingerprint_default
+ hal_radio_config_default
+ hal_radio_default
+ hal_wifi_default
+ hal_wifi_supplicant_default
+ rild
+ tee
+ } sysfs:file ~r_file_perms;
+
+ neverallow {
+ hal_usb_default
+ init
+ mtk_hal_usb
+ ueventd
+ vendor_init
+ vold
+ } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
+')
+
+# Do not allow access to the generic proc label. This is too broad.
+# Instead, if access to part of proc is desired, it should have a
+# more specific label.
+# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
+#
+# r_dir_file(hal_audio, proc)
+# hal_server_domain(mtk_hal_audio, hal_audio)
+# hal_client_domain(audioserver, hal_audio)
+#
+full_treble_only(`
+ neverallow ~{
+ audiocmdservice_atci
+ audioserver
+ bluetooth
+ hal_audio_default
+ hal_graphics_allocator_default
+ init
+ merged_hal_service
+ mtk_hal_audio
+ rild
+ system_server
+ vendor_init
+ vold
+ } proc:file *;
+
+ neverallow {
+ audiocmdservice_atci
+ audioserver
+ bluetooth
+ hal_audio_default
+ hal_graphics_allocator_default
+ init
+ merged_hal_service
+ mtk_hal_audio
+ rild
+ system_server
+ vold
+ } proc:file ~r_file_perms;
+
+ neverallow vendor_init proc:file ~{ r_file_perms setattr };
+
+ neverallow ~{
+ audiocmdservice_atci
+ audioserver
+ bluetooth
+ hal_audio_default
+ init
+ mtk_hal_audio
+ rild
+ system_server
+ } proc:lnk_file ~{ read getattr };
+
+ neverallow {
+ audiocmdservice_atci
+ audioserver
+ bluetooth
+ hal_audio_default
+ init
+ mtk_hal_audio
+ rild
+ system_server
+ } proc:lnk_file ~r_file_perms;
+')
+
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+# TODO: Remove merged_hal_service and so on once there are no violations.
+#
+# allow hal_drm system_data_file:file { getattr read };
+# hal_server_domain(merged_hal_service, hal_drm)
+#
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_cas_default
+ -hal_drm_clearkey
+ -hal_drm_default
+ -hal_drm_widevine
+ -merged_hal_service
+ -tee
+ } system_data_file:file *;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ hal_drm_clearkey
+ hal_drm_default
+ hal_drm_widevine
+ init
+ installd
+ iorap_prefetcherd
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ merged_hal_service
+ system_server
+ tee
+ toolbox
+ vold
+ vold_prepare_subdirs
+ } system_data_file:file ~r_file_perms;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+
+ neverallow {
+ hal_drm_clearkey
+ hal_drm_default
+ hal_drm_widevine
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ merged_hal_service
+ tee
+ } system_data_file:file ~{ getattr read };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+')
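Review bot: The `aee_exp_vendor_file:file w_file_perms` grant on the second added line hands every non-core vendor domain the right to `open` and write any file carrying that label, not just the report aee_aedv is collecting; the `aee_aedv:fd use` rule right below it suggests the fd is handed over by aee_aedv, in which case the domains need only `{ write append getattr }` and `open` can be dropped, which keeps the crash-report directory from becoming a writable scratch area for arbitrary vendor processes — confirm against how aee_aedv passes the file. Separately, the init neverallow (`neverallow init system_data_file:file ~{ create getattr ... map getattr relabelto }`) lists `getattr` twice; harmless to checkpolicy but worth deduplicating. The neverallow blocks are a good move toward specific labels; only the sysfs block carries a TODO, so a matching note on the proc and system_data_file exception lists saying which entries are tracked for removal would help the next reviewer.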
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index a12ab4f..01343a5 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -17,7 +17,6 @@ allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };
# Purpose: debugfs files
-allow dumpstate debugfs:lnk_file read;
allow dumpstate debugfs_binder:dir { read open };
allow dumpstate debugfs_binder:file { read open };
allow dumpstate debugfs_blockio:file { read open };
@@ -155,7 +154,6 @@ allow dumpstate proc_isp_p2:file r_file_perms;
# Date : W19.26
# Operation : Migration
# Purpose : fix google dumpstate avc error in xTS
-allow dumpstate debugfs:dir r_dir_perms;
allow dumpstate debugfs_mmc:dir search;
allow dumpstate mnt_media_rw_file:dir getattr;
@@ -171,6 +169,13 @@ allow dumpstate debugfs_kmemleak:file r_file_perms;
#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
allow dumpstate sysfs_adsp:file r_file_perms;
-# Date: 19/08/07
-#Purpose: Allow dumpstate to read /sys/kernel/debug/cmdq
-allow dumpstate debugfs_cmdq:file r_file_perms;
+#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
+allow dumpstate debugfs_smi_mon:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir search;
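Review bot: `allow dumpstate mtee_trusty_file:file rw_file_perms;` gives the bug-report collector write access to a node that this change declares elsewhere as a sysfs type tied to the TEE, while every other sysfs/debugfs rule in this hunk (adsp, smi_mon) is read-only; a dump should only need `r_file_perms` unless the driver requires a trigger write to produce its log. Suggest `allow dumpstate mtee_trusty_file:file r_file_perms;` and, if a write really is required, a comment naming the node and the value written, in the same style as the adsp_last_log comment above it. The audit-line comment at the bottom could also say what path under /mnt/expand dumpstate searches, since the denial only gives the label.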
diff --git a/non_plat/e2fs.te b/non_plat/e2fs.te
index 4b9931e..f927a21 100644
--- a/non_plat/e2fs.te
+++ b/non_plat/e2fs.te
@@ -19,13 +19,16 @@ allow e2fs devpts:chr_file {read write};
allow e2fs cache_block_device:blk_file rw_file_perms;
allow e2fs userdata_block_device:blk_file rw_file_perms;
-# Date : WK19.11
-# Operation: Q migration
-# Purpose : Allow mke2fs to use ioctl/ioctlcmd
-allowxperm e2fs protect1_block_device:blk_file ioctl BLKPBSZGET;
-allowxperm e2fs protect2_block_device:blk_file ioctl BLKPBSZGET;
-
# Date : WK19.23
# Operation: Q migration
# Purpose : Allow format /metadata for UDC
allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.34
+# Operation: Q migration
+# Purpose : Allow mke2fs to use ioctl/ioctlcmd
+allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
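Review bot: The five new allowxperm lines carry an identical ioctl set; one rule over a type set, `allowxperm e2fs { protect1_block_device protect2_block_device nvdata_device nvcfg_block_device persist_block_device }:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };`, keeps the list in one place so the next ioctl is not added to four of the five. An allowxperm only takes effect when the base `allow e2fs <type>:blk_file` rule includes `ioctl`; the hunk shows such base rules only for cache, userdata and metadata, so the grants for the other five types should be confirmed to exist earlier in the file (outside this hunk). The comment says "mke2fs", but BLKDISCARD/BLKSECDISCARD are destructive, so naming which operation issues them (mke2fs discard pass or a wipe path) would help a reviewer judge the grant.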
diff --git a/non_plat/em_hidl.te b/non_plat/em_hidl.te
index 34b31fa..eb64f6b 100644
--- a/non_plat/em_hidl.te
+++ b/non_plat/em_hidl.te
@@ -99,8 +99,8 @@ set_prop(em_hidl, vendor_usb_otg_switch)
# Data : 2018/07/06
# Purpose : EM MCF read nvdata dir and file
-allow em_hidl nvdata_file:dir { read open add_name search getattr};
-allow em_hidl nvdata_file:file { getattr read open };
+allow em_hidl nvcfg_file:dir ra_dir_perms;
+allow em_hidl nvcfg_file:file r_file_perms;
# Data : 2018/07/06
# Purpose : EM MCF search vendor dir
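Review bot: The comment "EM MCF read nvdata dir and file" now sits above two rules that grant access to `nvcfg_file`, and a narrower `nvdata_file` grant is re-added further down the file under a USB-related comment; a reader will take the stale comment as describing nvdata. Change it to `# Purpose : EM MCF read nvcfg dir and file` here and give the re-added nvdata rules their own purpose line. Note that `ra_dir_perms` on `nvcfg_file:dir` includes add_name and write, which only make sense if em_hidl creates entries there; if it only reads, `r_dir_perms` is the tighter choice and matches the `r_file_perms` on the file class.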
@@ -114,6 +114,8 @@ allow em_hidl sysfs_boot_mode:file { read open };
allow em_hidl ttyGS_device:chr_file { read write ioctl open };
allow em_hidl vendor_usb_prop:file { read getattr open };
set_prop(em_hidl, vendor_usb_prop)
+allow em_hidl nvdata_file:file r_file_perms;
+allow em_hidl nvdata_file:dir search;
# Date : 2018/08/28
# Operation : EM DEBUG
@@ -123,4 +125,8 @@ set_prop(em_hidl, mtk_em_hidl_prop)
# Date : 2019/08/22
# Operation : EM AAL
# Purpose: for em set aal property
-set_prop(em_hidl, mtk_pq_prop) \ No newline at end of file
+set_prop(em_hidl, mtk_pq_prop)
+# Date : 2019/09/10
+# Operation : EM wcn coredump
+# Purpose: for em set wcn coredump property
+set_prop(em_hidl, coredump_prop)
diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te
index 6b1dbaf..a026832 100644
--- a/non_plat/emdlogger.te
+++ b/non_plat/emdlogger.te
@@ -1,7 +1,7 @@
#allow emdlogger to set property
-allow emdlogger debug_prop:property_service set;
-allow emdlogger persist_mtklog_prop:property_service set;
-allow emdlogger system_radio_prop:property_service set;
+#allow emdlogger debug_prop:property_service set;
+#allow emdlogger persist_mtklog_prop:property_service set;
+#allow emdlogger system_radio_prop:property_service set;
# ccci device for internal modem
allow emdlogger ccci_device:chr_file { rw_file_perms };
@@ -26,7 +26,6 @@ allow emdlogger sdcard_type:file { create_file_perms };
allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
allow emdlogger mdlog_data_file:file { create_file_perms };
-allow emdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow emdlogger mdlog_device:chr_file { rw_file_perms};
@@ -87,7 +86,7 @@ allow emdlogger para_block_device:blk_file { read open write };
allow emdlogger proc_lk_env:file { read write ioctl open };
## purpose: avc: denied { read } for name="plat_file_contexts"
-allow emdlogger file_contexts_file:file { read getattr open map};
+#allow emdlogger file_contexts_file:file { read getattr open map};
allow emdlogger block_device:dir search;
allow emdlogger md_block_device:blk_file { read open };
@@ -112,6 +111,8 @@ get_prop(emdlogger, vendor_usb_prop)
set_prop(emdlogger, persist_mdlog_prop)
set_prop(emdlogger, vendor_mdl_pulllog_prop)
set_prop(emdlogger, exported_system_radio_prop)
+set_prop(emdlogger, debug_prop)
+set_prop(emdlogger, system_radio_prop)
allow emdlogger vendor_configs_file:file map;
allow emdlogger vendor_default_prop:file map;
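Review bot: `set_prop(emdlogger, debug_prop)` and `set_prop(emdlogger, system_radio_prop)` re-grant, via the macro, the same platform property types whose raw `property_service set` rules are commented out at the top of this file, so the earlier hunk reads as a revocation that did not happen; delete the commented lines if the macro form is the intended replacement. Both are platform (core) property types; on a build where emdlogger is a vendor domain and the platform's property-compatibility neverallows are active, setting them from a non-core domain is rejected at policy compile time, which is presumably why `exported_system_radio_prop` is already granted two lines above. Confirm the two new set_prop lines survive the platform neverallows, and prefer the exported_/vendor_ property type for anything emdlogger actually needs to set.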
diff --git a/non_plat/factory.te b/non_plat/factory.te
index b1593fb..6ec8325 100644
--- a/non_plat/factory.te
+++ b/non_plat/factory.te
@@ -8,7 +8,6 @@
# ==============================================
# MTK Policy Rule
# ==============================================
-#file_type_auto_trans(factory, system_data_file, factory_data_file)
type factory, domain;
type factory_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(factory)
@@ -199,7 +198,6 @@ allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
@@ -338,7 +336,6 @@ allow factory proc_asound:file { read open getattr write };
allow factory audiohal_prop:property_service set;
# For Accdet data permission
-allow factory sysfs:file { read open };
allow factory sysfs_headset:file { read open };
# For touch auto test
@@ -362,17 +359,11 @@ allow factory factory:capability { sys_module net_admin net_raw };
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
-allow factory sysfs_mmcblk:dir { search };
-allow factory sysfs_mmcblk:file { read getattr open };
+allow factory sysfs_devices_block:dir { search };
+allow factory sysfs_devices_block:file { read getattr open };
# Date : WK18.37
# Operation: P migration
@@ -396,3 +387,15 @@ allow factory vendor_nfc_socket:sock_file { create write unlink setattr };
# Allow to get AOSP property persist.radio.multisim.config
get_prop(factory, exported3_radio_prop)
+# Date : WK19.38
+# Operation : Q Migration
+# Purpose: Allow clear eMMC
+set_prop(factory, ctl_mdlogger_prop);
+
+# Date : WK19.41
+# Operation : Q Migration
+# Purpose: allow system_server to access rt5509 param and calib node
+allow factory sysfs_rt_param:file rw_file_perms;
+allow factory sysfs_rt_calib:file rw_file_perms;
+allow factory sysfs_rt_param:dir r_dir_perms;
+allow factory sysfs_rt_calib:dir r_dir_perms;
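Review bot: The purpose line above the four rt5509 rules says "allow system_server to access rt5509 param and calib node", but the rules are for `factory`; the comment looks copied from another domain's policy and should read `# Purpose: allow factory to read/write the rt5509 param and calib sysfs nodes`. The block above it pairs `ctl_mdlogger_prop` with "Allow clear eMMC", which does not describe what a ctl.mdlogger property does, so that line deserves the same correction. The trailing `;` after `set_prop(...)` is also inconsistent with the other macro calls in this file (the exported3_radio_prop line has none), and such stray semicolons are easy to copy forward.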
diff --git a/non_plat/fastbootd.te b/non_plat/fastbootd.te
new file mode 100644
index 0000000..0a48fbd
--- /dev/null
+++ b/non_plat/fastbootd.te
@@ -0,0 +1,28 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+
+allow fastbootd {
+ bootdevice_block_device
+# cache_block_device
+# logo_block_device
+ para_block_device
+ }:blk_file { rw_file_perms };
+
+allow fastbootd {
+ sysfs_boot_type
+}:file { rw_file_perms };
+
+allow fastbootd self:process setfscreate;
+allow fastbootd self:capability sys_rawio;
+
+allowxperm fastbootd {
+ bootdevice_block_device
+# cache_block_device
+# logo_block_device
+# para_block_device
+ }:blk_file ioctl {
+ BLKSECDISCARD
+ BLKDISCARD
+ MMC_IOCTLCMD
+ };
+
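Review bot: `sysfs_boot_type:file rw_file_perms` gives fastbootd write access to the boot-type sysfs node, but nothing in the file says what it writes there; if fastbootd only reads it to pick a partition layout, `r_file_perms` is enough. `MMC_IOCTLCMD` on `bootdevice_block_device` together with `self:capability sys_rawio` lets fastbootd issue raw MMC commands to the boot device, which as far as I know is the same interface used for RPMB and vendor commands, so a comment naming the fastboot command that needs it would let a reviewer judge the grant, e.g. `# MMC_IOCTLCMD + sys_rawio: raw MMC commands for fastboot erase on eMMC`. The header says the domain is used from recovery init.rc, so wrapping the rules in `recovery_only(...)` would keep them out of the normal-boot policy if this tree also builds it; the commented-out cache/logo/para entries should either be deleted or explained, since they read as grants someone intends to switch on.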
diff --git a/non_plat/file.te b/non_plat/file.te
index cb41cae..5c12bb3 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -13,6 +13,7 @@ type wpa_supplicant_data_file, file_type, data_file_type;
type radvd_data_file, file_type, data_file_type;
type volte_vt_socket, file_type;
type dfo_socket, file_type;
+type gsmrild_socket, file_type;
type rild2_socket, file_type;
type rild3_socket, file_type;
type rild4_socket, file_type;
@@ -50,6 +51,7 @@ type bt_data_file, file_type, data_file_type;
type proc_thermal, fs_type, proc_type;
type proc_mtkcooler, fs_type, proc_type;
type proc_mtktz, fs_type, proc_type;
+type proc_mtd, fs_type, proc_type;
type proc_slogger, fs_type, proc_type;
type proc_lk_env, fs_type, proc_type;
type proc_ged, fs_type, proc_type;
@@ -69,6 +71,7 @@ type proc_pl_lk, fs_type, proc_type;
type proc_msdc_debug, fs_type, proc_type;
type proc_ufs_debug, fs_type, proc_type;
type proc_pidmap, fs_type, proc_type;
+#type proc_kpageflags, fs_type, proc_type;
type proc_slabtrace, fs_type, proc_type;
type proc_cmdq_debug, fs_type, proc_type;
type proc_isp_p2, fs_type, proc_type;
@@ -87,6 +90,8 @@ type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
type sysfs_md32, fs_type, sysfs_type;
type sysfs_scp, fs_type, sysfs_type;
type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_rt_param, fs_type, sysfs_type;
+type sysfs_rt_calib, fs_type, sysfs_type;
type sysfs_sspm, fs_type, sysfs_type;
type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dcm, fs_type, sysfs_type;
@@ -135,6 +140,7 @@ type sf_rtt_file, file_type, data_file_type, core_data_file_type;
type rild-dongle_socket, file_type;
type ccci_cfg_file, file_type, data_file_type;
+type ccci_data_md1_file, file_type, data_file_type;
type c2k_file, file_type, data_file_type;
#For sensor
type sensor_data_file, file_type, data_file_type;
@@ -250,9 +256,6 @@ type debugfs_vpu_device_dbg, fs_type, debugfs_type;
# /sys/kernel/debug/kmemleak
type debugfs_kmemleak, fs_type, debugfs_type;
-# /sys/kernel/debug/cmdq
-type debugfs_cmdq, fs_type, debugfs_type;
-
######################################
# core domain file data
@@ -331,6 +334,9 @@ type sysfs_headset, fs_type, sysfs_type;
# socket between atci_service and audio-daemon
type atci-audio_socket, file_type;
+# socket between atcid and meta_tst
+type meta_atci_socket, file_type;
+
# ATCI socket types
type rild_atci_socket, file_type;
type rilproxy_atci_socket, file_type;
@@ -345,10 +351,10 @@ type debugfs_regmap, fs_type, debugfs_type;
type sys_usb_rawbulk, fs_type, sysfs_type;
# Backlight brightness file
-type sysfs_vibrator_setting, fs_type, sysfs_type;
+type sysfs_leds_setting, fs_type, sysfs_type;
# Vibrator vibrate file
-type sysfs_leds_setting, fs_type, sysfs_type;
+type sysfs_vibrator_setting, fs_type, sysfs_type;
# Date : 2019/04/09
# Purpose: mtk EM battery settings
@@ -376,5 +382,63 @@ type netd_socket, file_type, coredomain_socket;
# Purpose: Android Migration for SVP
type proc_m4u, fs_type, proc_type;
+# Date : 2019/08/15
+type debugfs_smi_mon, fs_type, debugfs_type;
+
+# Date : WK19.34
+# Purpose: Android Migration for video codec driver
+type vcodec_file, file_type, data_file_type;
+
# Date : 2019/08/24
type sysfs_sensor, fs_type, sysfs_type;
+
+#MTEE trusty
+type mtee_trusty_file, fs_type, sysfs_type;
+
+# Date : 2019/08/29
+# Purpose: Allow rild access proc/aed/reboot-reason
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_fliperfs, fs_type, proc_type;
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
+
+# Date : 2019/09/17
+# Purpose: Allow powerhal to control cache audit
+type sysfs_ca_drv, fs_type, sysfs_type;
+type sysfs_pftch_qos, fs_type, sysfs_type;
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+type sysfs_device_tree_model, fs_type, sysfs_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /proc/wlan/status for Q Migration
+type proc_wlan_status, fs_type, proc_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx
+type sysfs_pages_shared, fs_type, sysfs_type;
+type sysfs_pages_sharing, fs_type, sysfs_type;
+type sysfs_pages_unshared, fs_type, sysfs_type;
+type sysfs_pages_volatile, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump_lbaooo, fs_type, sysfs_type;
+
+# Date : 2019/10/25
+# Purpose : To avoid using the SELabel of u:object_r:proc:s0 or u:object_r:sysfs:s0
+# to access /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid
+type sysfs_chipid, fs_type, sysfs_type;
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+type sysfs_concurrency_scenario, fs_type, sysfs_type;
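Review bot: `type mtee_trusty_file, fs_type, sysfs_type;` is named like a data-file type but is declared as a sysfs type, and no genfs_contexts hunk visible in this change labels a sysfs path with it; until a genfscon entry exists the type labels nothing and the dumpstate `rw_file_perms` grant on it elsewhere in this change is inert. Suggest renaming to `sysfs_mtee_trusty` to match the neighbouring sysfs_* declarations and putting the node path in the comment, e.g. `# MTEE Trusty log node: /sys/<path>`. The sysfs_chipid comment also has a typo: `/sysfs/firmware/devicetree/...` should be `/sys/firmware/devicetree/...`, and the commented-out proc_kpageflags declaration earlier in the file should be removed or explained rather than left as dead text.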
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 5d091d1..c17da3a 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -28,6 +28,7 @@
/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
/data/core(/.*)? u:object_r:aee_core_data_file:s0
/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
@@ -66,6 +67,7 @@
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
+/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0
# Misc data
#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
@@ -252,6 +254,7 @@
/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0
+/dev/socket/meta-atci(/.*)? u:object_r:meta_atci_socket:s0
/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
@@ -261,6 +264,22 @@
/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
+/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
+/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
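Review bot: Sixteen functionally different sockets (mrild*, rild-atci, rild-mbim, and the msap/sap UIM and c2k sockets) are all given the single type `gsmrild_socket`, so any domain granted that type reaches every one of them; the rest of this file keeps one type per socket family (`rild_ims_socket`, `rild_vsim_socket`, `rild_oem_socket`), and the AT-command socket `rild-atci` in particular is a control path that should not share a label with the SIM-access sockets. If `rild-atci` was previously labeled with the `rild_atci_socket` type that file.te still declares, this relabel widens who can reach it; suggest `/dev/socket/rild-atci u:object_r:rild_atci_socket:s0` and a distinct type for the msap/sap sockets, keeping gsmrild_socket for the mrild* endpoints. The `rild-atci` entry also lacks the `(/.*)?` suffix used by its neighbours — harmless for a socket node but inconsistent.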
@@ -272,6 +291,8 @@
/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
@@ -288,6 +309,8 @@
/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
/dev/socket/rild-via u:object_r:rild_via_socket:s0
+/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
+/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/rpc u:object_r:rpc_socket:s0
@@ -351,6 +374,7 @@
/dev/ttyACM0 u:object_r:ttyACM_device:s0
/dev/hrm u:object_r:hrm_device:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/nebula-ipc-dev0 u:object_r:tee_device:s0
/dev/mbim u:object_r:mbim_device:s0
/dev/alarm(/.*)? u:object_r:alarm_device:s0
##########################
@@ -485,10 +509,8 @@
/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
# Key manager
-/dev/block/platform/bootdevice/by-name/kb u:object_r:kb_block_device:s0
-/dev/block/platform/bootdevice/by-name/dkb u:object_r:dkb_block_device:s0
-/dev/kb u:object_r:kb_block_device:s0
-/dev/dkb u:object_r:dkb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0
# W19.23 Q new feature - Userdata Checkpoint
/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
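Review bot: The key-manager partitions are now matched only under `/dev/block/platform/soc/[0-9]+\.mmc/by-name/`, and the `bootdevice/by-name` and `/dev/kb`/`/dev/dkb` entries are gone; the vbmeta entry right above still uses the `bootdevice` path, and this same change labels UFS nodes (sda/sdb/sdc) under bootdevice in genfs_contexts, so on a UFS target, or any board where the eMMC does not sit under soc/NNN.mmc, the kb/dkb nodes would fall back to whatever the generic /dev/block entry gives them (block_device in AOSP's file_contexts) and lose their dedicated protection. Unless every supported board is eMMC under that path, keep the old lines alongside the new ones: `/dev/block/platform/bootdevice/by-name/kb u:object_r:kb_block_device:s0` and the matching dkb line. A comment naming the SoC family the soc/NNN.mmc pattern applies to would also help the next maintainer.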
@@ -598,10 +620,12 @@
/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_ulit\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
@@ -634,6 +658,7 @@
# Purpose: Neuron runtime API and the dependencies
/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0
# Date: 2019/01/21
@@ -654,3 +679,10 @@
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+# Date : 2019/10/28
+# Purpose : move these contexts from plat_private/file_contexts
+/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
+/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
+/vendor/bin/aeev u:object_r:aee_aedv_exec:s0
+
diff --git a/non_plat/fuelgauged_nvram.te b/non_plat/fuelgauged_nvram.te
index 1bf2585..96862d9 100644
--- a/non_plat/fuelgauged_nvram.te
+++ b/non_plat/fuelgauged_nvram.te
@@ -1,5 +1,5 @@
# ==============================================
-# Policy File of /system/bin/fuelgauged_nvram Executable File
+# Policy File of /system/bin/fuelgauged_nvram Executable File
# ==============================================
# Type Declaration
@@ -48,8 +48,7 @@ allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: W18.03
# Operation : change fuelgagued_nvram access from cache to nvcfg
# Purpose : add fuelgauged to nvcfg read write permit
-# need add label
-allow fuelgauged_nvram sysfs:file { read open };
+# need add label
allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr};
allow fuelgauged_nvram nvcfg_file:file { read write getattr open create };
diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts
index 6ad0a59..86453af 100644
--- a/non_plat/genfs_contexts
+++ b/non_plat/genfs_contexts
@@ -19,6 +19,7 @@ genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
genfscon proc /driver/icusb u:object_r:proc_icusb:s0
genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
+genfscon proc /mtd u:object_r:proc_mtd:s0
genfscon proc /ged u:object_r:proc_ged:s0
genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0
genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
@@ -27,8 +28,7 @@ genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
genfscon proc /gpulog u:object_r:proc_gpulog:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /sched_debug u:object_r:proc_sched_debug:s0
-genfscon proc /chip/hw_ver u:object_r:proc_chip:s0
-genfscon proc /chip/info u:object_r:proc_chip:s0
+genfscon proc /chip u:object_r:proc_chip:s0
genfscon proc /atf_log u:object_r:proc_atf_log:s0
genfscon proc /gz_log u:object_r:proc_gz_log:s0
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
@@ -37,6 +37,7 @@ genfscon proc /pl_lk u:object_r:proc_pl_lk:s0
genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0
genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
genfscon proc /pidmap u:object_r:proc_pidmap:s0
+#genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
@@ -88,6 +89,8 @@ genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_expr
genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
@@ -106,7 +109,10 @@ genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0
genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0
genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0
+# Date : 2019/09/12
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
+genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
+
genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
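Review bot: `genfscon sysfs /devices/class/thermal` looks like a mistyped path: as far as I can tell the kernel exposes thermal zones under `/sys/class/thermal` (which would be `genfscon sysfs /class/thermal`) and under `/sys/devices/virtual/thermal`, which the line above already covers, and there is no `/sys/devices/class/...` tree, so the new entry most likely labels nothing. If the intent was the class directory, note that its entries are symlinks into devices/virtual/thermal, so the existing line is usually sufficient and the new one can be dropped or corrected to `/class/thermal`. The dated comment above the pair would be more useful if it said which process hit the denial that motivated the addition.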
@@ -124,6 +130,7 @@ genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
#Purpose : MTK Vibrator
genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/soc/soc:regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
# Date : 2018/08/109
# Purpose : mtk EM Power debug_log setting
@@ -148,17 +155,21 @@ genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:
# Date : 2019/07/03
# Purpose: SIU update mmcblk access
-genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_mmcblk:s0
+genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0
# Date : 2019/07/12
# Purpose:dumpstate mmcblk1 access
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
+# Date : 2019/10/22
+# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
+genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
#############################
# debugfs files
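Review bot: Relabelling the six bootdevice/msdc block nodes from `sysfs_mmcblk` to `sysfs_devices_block` folds the boot-storage sysfs tree into the same type as the external `mmc0`/`mmc1` nodes added for dumpstate, so every domain granted `sysfs_devices_block` for the SD card — this commit gives `mtk_hal_power` `rw_file_perms` on it in `mtk_hal_power.te` — gets identical access to the eMMC/UFS boot device nodes. If the relabel only exists to satisfy a neverallow on the old type, a dedicated type for the boot device (the commit message describes a `sysfs_mmcblk_block` label for recovery) keeps the two trees separately auditable. If `sysfs_mmcblk` remains declared with no genfscon left, any `allow` rules still naming it are dead and should be removed in the same change.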
@@ -205,16 +216,66 @@ genfscon debugfs /eara_thermal/enable u:object_r:debugfs_eara_thermal:s0
# mtk EM power PMU register
genfscon debugfs /rt-regmap u:object_r:debugfs_regmap:s0
+# 2019/08/15
+genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
genfscon iso9660 / u:object_r:iso9660:s0
genfscon rawfs / u:object_r:rawfs:s0
genfscon fuseblk / u:object_r:fuseblk:s0
-# Date: 2019/08/07
-# Purpose:dumpstate debugfs cmdq access
-genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0
-genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0
-
# 2019/08/24
genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
+
+# MTEE trusty
+genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
+
+# Date : 2019/08/29
+# Purpose: allow rild to access /proc/aed/reboot-reason
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon proc /ppm u:object_r:proc_ppm:s0
+genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
+genfscon proc /hps u:object_r:proc_hps:s0
+genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
+genfscon proc /fliperfs u:object_r:proc_fliperfs:s0
+genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
+genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
+genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
+
+# 2019/09/05
+# Purpose: Allow powerhal to control cache audit
+genfscon sysfs /module/ca_drv u:object_r:sysfs_ca_drv:s0
+genfscon sysfs /module/pftch_qos u:object_r:sysfs_pftch_qos:s0
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /proc/wlan/status for Q Migration
+genfscon proc /wlan/status u:object_r:proc_wlan_status:s0
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx
+genfscon sysfs /kernel/mm/ksm/pages_shared u:object_r:sysfs_pages_shared:s0
+genfscon sysfs /kernel/mm/ksm/pages_sharing u:object_r:sysfs_pages_sharing:s0
+genfscon sysfs /kernel/mm/ksm/pages_unshared u:object_r:sysfs_pages_unshared:s0
+genfscon sysfs /kernel/mm/ksm/pages_volatile u:object_r:sysfs_pages_volatile:s0
+
+# Date : 2019/10/25
+# Purpose : To avoid using the SELabel of u:object_r:proc:s0 or u:object_r:sysfs:s0
+# to access /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid
+genfscon sysfs /firmware/devicetree/base/chosen/atag,chipid u:object_r:sysfs_chipid:s0
+
+# Date : 2019/10/18
+# Purpose : allow system_server to access rt5509 param and calib node
+genfscon sysfs /devices/platform/rt5509_param.0 u:object_r:sysfs_rt_param:s0
+genfscon sysfs /devices/virtual/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0
+genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_usb_cmode:s0
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
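Review bot: The `musb-hdrc/cmode` entry sits under the `# Date : 2019/10/18` / rt5509 header although it labels a USB controller mode node with its own type `sysfs_usb_cmode`; give it its own dated `# Purpose :` block naming the consumer so the rationale is not attributed to the audio amplifier. The `2019/10/25` comment refers to `/sysfs/firmware/devicetree/...`; sysfs is mounted at `/sys`, so `/sys/firmware/devicetree/base/chosen/atag,chipid` is the path a reader will grep for. `genfscon sysfs /module/ged` labels the whole module directory, including its `parameters` subtree, as `sysfs_ged`; if powerhal needs only specific parameters, listing those paths limits what `rw_file_perms` on `sysfs_ged` reaches.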
diff --git a/non_plat/gsm0710muxd.te b/non_plat/gsm0710muxd.te
index 5afcd84..2596e18 100644
--- a/non_plat/gsm0710muxd.te
+++ b/non_plat/gsm0710muxd.te
@@ -17,7 +17,7 @@ allow gsm0710muxd self:capability { chown fowner setuid };
# Property service
# Set ctl.ril-daemon property
-set_prop(gsm0710muxd, ctl_rildaemon_prop)
+#set_prop(gsm0710muxd, ctl_rildaemon_prop)
set_prop(gsm0710muxd, ctl_ril-daemon-mtk_prop)
set_prop(gsm0710muxd, ctl_fusion_ril_mtk_prop)
set_prop(gsm0710muxd, gsm0710muxd_prop)
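Review bot: Commenting out `set_prop(gsm0710muxd, ctl_rildaemon_prop)` leaves a dead rule in the policy; if `ctl.ril-daemon` control is no longer needed (the `ctl_ril-daemon-mtk_prop` line that follows appears to replace it), delete the line, and if it is disabled as a workaround, say why in a `# Purpose :` comment so the next merge does not re-enable it. Dropping `allow gsm0710muxd sysfs:file r_file_perms;` in the next hunk is the right direction; confirm every sysfs node the daemon still reads is covered by `sysfs_ccci`, otherwise a new specific type is the fix rather than reinstating the generic one.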
@@ -31,7 +31,6 @@ allow gsm0710muxd device:dir rw_dir_perms;
allow gsm0710muxd device:lnk_file { create unlink };
allow gsm0710muxd devpts:chr_file setattr;
allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
-allow gsm0710muxd sysfs:file r_file_perms;
# Allow read to sys/kernel/ccci/* files
allow gsm0710muxd sysfs_ccci:dir search;
diff --git a/non_plat/hal_bootctl_default.te b/non_plat/hal_bootctl_default.te
index 5c2afda..757c0fe 100644
--- a/non_plat/hal_bootctl_default.te
+++ b/non_plat/hal_bootctl_default.te
@@ -11,4 +11,5 @@ allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl MMC_IOCTLC
allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl UFS_IOCTLCMD;
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
-allow hal_bootctl_default self:capability sys_rawio;
\ No newline at end of file
+allow hal_bootctl_default self:capability sys_rawio;
+allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;
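Review bot: `allow hal_bootctl_default misc_block_device:blk_file rw_file_perms;` is added without the `# Date :` / `# Purpose :` comment this policy uses elsewhere, and it grants read/write to the whole misc partition device node. Updating slot metadata there is the usual job of a boot control HAL, but the partition is also used for other boot-time messaging, so record the intent, e.g. `# Purpose : boot control HAL updates A/B slot metadata stored in the misc partition`, so a later reviewer can tell this from an accidental grant. The hunk also fixes the missing trailing newline on the `sys_rawio` line; that capability remains broad, so confirm it is still required alongside the MMC/UFS ioctl rules above.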
diff --git a/non_plat/hal_graphics_allocator_default.te b/non_plat/hal_graphics_allocator_default.te
index 4814d6c..6265330 100644
--- a/non_plat/hal_graphics_allocator_default.te
+++ b/non_plat/hal_graphics_allocator_default.te
@@ -20,4 +20,3 @@ allow hal_graphics_allocator_default debugfs_tracing:file open;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default proc_ged:file r_file_perms;
allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
-
diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te
index 242c062..a3c4243 100644
--- a/non_plat/hal_graphics_composer_default.te
+++ b/non_plat/hal_graphics_composer_default.te
@@ -6,7 +6,6 @@ allow hal_graphics_composer_default debugfs_ged:dir search;
# Operation : Add sepolicy
# Purpose : Add polivy for hwc HIDL
-allow hal_graphics_composer_default proc:file { read getattr open ioctl };
allow hal_graphics_composer_default proc_ged:file r_file_perms;
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
@@ -52,3 +51,7 @@ allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls }
# Operation : JPEG
# Purpose : JPEG need to use PQ via MMS HIDL
allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;
+
+# Date : WK19.46
+# Purpose: Allow to access ged debug node
+allow hal_graphics_composer_default debugfs_ged:file { w_file_perms };
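Review bot: `allow hal_graphics_composer_default debugfs_ged:file { w_file_perms };` gives a production HAL write access to a debugfs node that its own comment calls a "ged debug node"; if it is only exercised on debug builds, wrap the rule in `userdebug_or_eng(...)` so user builds, where debugfs should not be relied on, do not carry it. The braces around a single macro are redundant — the file's other rules write `r_file_perms` bare. Removing `allow hal_graphics_composer_default proc:file ...` in the earlier hunk is the right direction.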
diff --git a/non_plat/hal_mms.te b/non_plat/hal_mms.te
index 766ccac..766ccac 100755..100644
--- a/non_plat/hal_mms.te
+++ b/non_plat/hal_mms.te
diff --git a/non_plat/hal_nvramagent.te b/non_plat/hal_nvramagent.te
index 680a031..680a031 100755..100644
--- a/non_plat/hal_nvramagent.te
+++ b/non_plat/hal_nvramagent.te
diff --git a/non_plat/hal_thermal_default.te b/non_plat/hal_thermal_default.te
index 2a648fb..2a648fb 100755..100644
--- a/non_plat/hal_thermal_default.te
+++ b/non_plat/hal_thermal_default.te
diff --git a/non_plat/hal_vibrator.te b/non_plat/hal_vibrator.te
index 7f13029..11742f8 100644
--- a/non_plat/hal_vibrator.te
+++ b/non_plat/hal_vibrator.te
@@ -3,4 +3,4 @@ allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
allow hal_vibrator sysfs_leds:file rw_file_perms;
allow hal_vibrator sysfs_leds:dir r_dir_perms;
allow hal_vibrator sysfs_leds:lnk_file read;
-allow hal_vibrator_default sysfs:file { open write read };
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te
index 298fa79..6a7304a 100644
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@@ -57,3 +57,7 @@ type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type;
# Date: 2019/07/16
# HDMI HIDL
type mtk_hal_hdmi_hwservice, hwservice_manager_type;
+
+# Date: 2019/09/06
+# BGService HIDL
+type mtk_hal_bgs_hwservice, hwservice_manager_type;
diff --git a/non_plat/hwservice_contexts b/non_plat/hwservice_contexts
index 361d19b..614e502 100644
--- a/non_plat/hwservice_contexts
+++ b/non_plat/hwservice_contexts
@@ -1,4 +1,4 @@
-vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
+vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
# Date: 2017/05/9
vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
@@ -62,8 +62,16 @@ vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfi
# Date: 2019/07/04
vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
-vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:hal_camera_hwservice:s0
+vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0
+vendor.mediatek.hardware.camera.isphal::IISPModule u:object_r:mtk_hal_bgs_hwservice:s0
+
+# Date : 2019/07/31
+vendor.mediatek.hardware.camera.postproc::IPostDevice u:object_r:mtk_hal_bgs_hwservice:s0
# Date : 2019/07/16
# HDMI HIDL
vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0
+
+#Date: 2019/09/02
+# ATMs hidl
+vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0
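Review bot: `vendor.mediatek.hardware.camera.atms::IATMs` is labelled `hal_camera_hwservice`, the type of the standard camera provider; any client allowed to find the camera HAL can therefore also find and bind this vendor interface, which is exactly the coupling this hunk removes for `IBGService` by moving it to `mtk_hal_bgs_hwservice`. Give ATMs its own `*_hwservice` type with an explicit `hwservice_manager find` rule for the intended client, as was done for bgs. `IISPModule` and `IPostDevice` now share `mtk_hal_bgs_hwservice`; that is fine only if every `mtk_hal_bgs_client` is meant to reach all three, since `find` cannot distinguish interfaces once they share a label.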
diff --git a/non_plat/init.te b/non_plat/init.te
index 283796a..6ccdd74 100644
--- a/non_plat/init.te
+++ b/non_plat/init.te
@@ -41,9 +41,9 @@ allow init para_block_device:blk_file w_file_perms;
# Date : WK15.32
# Operation : Migration
# Purpose : disable AT_SECURE for LD_PRELOAD
-# userdebug_or_eng(`
-# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
-# ')
+#userdebug_or_eng(`
+# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
+#')
# Date : WK16.26
# Operation : Access dynamic_debug control file
@@ -66,10 +66,6 @@ allow init tmpfs:lnk_file create;
# Purpose : bt hal interface permission
allow init mtk_hal_bluetooth_exec:file getattr;
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow init debugfs:file w_file_perms;
-
# Date : WK17.02
# Purpose: Fix audio hal service fail
allow init mtk_hal_audio_exec:file getattr;
@@ -88,7 +84,6 @@ allow init debugfs_tracing_instances:file relabelfrom;
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
-allow init debugfs:file write;
allow init kernel:system module_request;
allow init nvdata_file:dir mounton;
allow init oemfs:dir mounton;
diff --git a/non_plat/ioctl_defines b/non_plat/ioctl_defines
index d7ec7ee..0bdfe2f 100755..100644
--- a/non_plat/ioctl_defines
+++ b/non_plat/ioctl_defines
@@ -15,6 +15,7 @@ define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
+define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
define(`GED_BRIDGE_IO_GE_GET', `0x6765')
@@ -60,4 +61,10 @@ define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e')
define(`JPG_BRIDGE_ENC_IO_START', `0x780f')
#####################################
# m4u_priv.h
+define(`MTK_M4U_T_ALLOC_MVA', `0x6704')
+define(`MTK_M4U_T_DEALLOC_MVA', `0x6705')
+define(`MTK_M4U_T_CONFIG_PORT', `0x670b')
+define(`MTK_M4U_T_DMA_OP', `0x671d')
define(`MTK_M4U_T_SEC_INIT', `0x6732')
+define(`MTK_M4U_T_CONFIG_PORT_ARRAY', `0x671a')
+define(`MTK_M4U_T_CACHE_SYNC', `0x670a')
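Review bot: The new `MTK_M4U_T_*` defines are not in numeric order (`0x671a` and `0x670a` follow `0x6732`), unlike the `GED_BRIDGE_IO_*` block above, which is sorted; sorting makes a missing or duplicated command visible at a glance. The values share low bits with GED commands (`0x670a`, `0x670b`) but target a different node (`proc_m4u` rather than `proc_ged`), and `allowxperm` filters are scoped per source/target type, so the overlap is harmless — a one-line comment such as `# cmd numbers overlap GED_BRIDGE_IO_*; distinguished by target type` would save the next reader the check.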
diff --git a/non_plat/ioctl_macros b/non_plat/ioctl_macros
index 61b70c1..bf86503 100644
--- a/non_plat/ioctl_macros
+++ b/non_plat/ioctl_macros
@@ -14,6 +14,7 @@ define(`proc_ged_ioctls', `{
GED_BRIDGE_IO_QUERY_TARGET_FPS
GED_BRIDGE_IO_VSYNC_WAIT
GED_BRIDGE_IO_GPU_HINT_TO_CPU
+ GED_BRIDGE_IO_HINT_FORCE_MDP
GED_BRIDGE_IO_GE_ALLOC
GED_BRIDGE_IO_GE_GET
GED_BRIDGE_IO_GE_SET
diff --git a/non_plat/kernel.te b/non_plat/kernel.te
index 0b33f40..15b2430 100644
--- a/non_plat/kernel.te
+++ b/non_plat/kernel.te
@@ -13,11 +13,6 @@ allow kernel block_device:blk_file rw_file_perms;
allow kernel loop_device:blk_file r_file_perms;
allow kernel vold_device:blk_file rw_file_perms;
-# Date : WK14.43
-# Operation : Migration
-# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
-allow kernel system_data_file:lnk_file r_file_perms;
-
# Date : WK15.35
# Operation : Migration
# Purpose : grant fon_image_data_file read permission for loop device
diff --git a/non_plat/loghidlvendorservice.te b/non_plat/loghidlvendorservice.te
index 9b97bed..6cc47b6 100644
--- a/non_plat/loghidlvendorservice.te
+++ b/non_plat/loghidlvendorservice.te
@@ -12,3 +12,4 @@ typeattribute loghidlvendorservice mlstrustedsubject;
hal_server_domain(loghidlvendorservice, mtk_hal_log)
init_daemon_domain(loghidlvendorservice)
# allow loghidlvendorservice self:capability dac_override;
+allow loghidlvendorservice system_app:binder call;
\ No newline at end of file
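Review bot: `allow loghidlvendorservice system_app:binder call;` grants a vendor HAL server domain a direct binder call into a system app domain, with no `# Purpose :` comment and no trailing newline. If this is the callback path of the `hal_server_domain` declared two lines up, the file's idiom is the macro, `binder_call(loghidlvendorservice, system_app)`, which also covers the `transfer` and fd permissions the raw rule omits; if the app is the caller, the rule belongs in the app's direction instead. Vendor-to-system binder traffic is what the Treble neverallows police, so record the denial that motivated it.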
diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te
index cfda1d6..4d3cf3e 100644
--- a/non_plat/mdlogger.te
+++ b/non_plat/mdlogger.te
@@ -1,7 +1,6 @@
#allow mdlogger to set property
-allow mdlogger debug_mdlogger_prop:property_service set;
-allow mdlogger debug_prop:property_service set;
-
+set_prop(mdlogger, debug_mdlogger_prop)
+set_prop(mdlogger, debug_prop)
# ccci device for internal modem
allow mdlogger ccci_device:chr_file { rw_file_perms };
@@ -12,7 +11,6 @@ allow mdlogger ttyGS_device:chr_file { rw_file_perms};
allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
allow mdlogger mdlog_data_file:file { create_file_perms };
-allow mdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow mdlogger mdlog_device:chr_file { rw_file_perms};
diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te
index 76e8384..67b4c0d 100644
--- a/non_plat/mediacodec.te
+++ b/non_plat/mediacodec.te
@@ -16,8 +16,6 @@ allow mediacodec Vcodec_device:chr_file rw_file_perms;
# Operation : Migration
# Purpose : VP & VR dump and debug
allow mediacodec M4U_device_device:chr_file rw_file_perms;
-allow mediacodec proc:file r_file_perms;
-allow mediacodec sysfs:file {read write open};
allow mediacodec debugfs_binder:dir search;
allow mediacodec MTK_SMI_device:chr_file { ioctl read open };
allow mediacodec storage_file:lnk_file {read write open};
@@ -148,3 +146,13 @@ allow mediacodec graphics_device:dir search;
allow mediacodec proc_m4u:file r_file_perms;
allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+# Date : WK19.40
+# Purpose: Android Migration for Hybrid Encoder
+allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_CONFIG_PORT;
+allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_CACHE_SYNC;
+allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_CONFIG_PORT_ARRAY;
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
+allow mediacodec sysfs_concurrency_scenario:dir search;
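Review bot: `allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;` lets the codec process write a memory-bandwidth control node, while the matching `genfs_contexts` comment only says media sources need to "access" it; if the codec only reads the scenario, `r_file_perms` is sufficient — confirm from the denial before granting write. The m4u ioctl additions are grouped under a dated `# Purpose :` header, which is the file's convention; the corresponding values added in `ioctl_defines` should carry the same header.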
diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te
index 56af7ad..ff75df1 100644
--- a/non_plat/mediaserver.te
+++ b/non_plat/mediaserver.te
@@ -38,11 +38,6 @@ allow mediaserver self:capability { net_admin };
# Purpose : VP/VR
allow mediaserver devmap_device:chr_file { ioctl };
-# Date : WK14.34
-# Operation : Migration
-# Purpose : Smartcard Service
-allow mediaserver system_data_file:file open;
-
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
@@ -234,7 +229,6 @@ allow mediaserver sensorservice_service:service_manager find;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-allow mediaserver system_data_file:dir write;
allow mediaserver storage_file:lnk_file {read write};
allow mediaserver mnt_user_file:dir {write read search};
allow mediaserver mnt_user_file:lnk_file {read write};
diff --git a/non_plat/mediaswcodec.te b/non_plat/mediaswcodec.te
index ca64913..ca64913 100755..100644
--- a/non_plat/mediaswcodec.te
+++ b/non_plat/mediaswcodec.te
diff --git a/non_plat/merged_hal_service.te b/non_plat/merged_hal_service.te
index df44f98..c2d8db4 100644
--- a/non_plat/merged_hal_service.te
+++ b/non_plat/merged_hal_service.te
@@ -14,9 +14,6 @@ hal_server_domain(merged_hal_service, hal_power)
hal_server_domain(merged_hal_service, hal_thermal)
hal_server_domain(merged_hal_service, hal_memtrack)
-#adjust light brightness
-allow merged_hal_service sysfs:file write;
-
#mtk libs_hidl_service permissions
hal_server_domain(merged_hal_service, mtk_hal_lbs)
vndbinder_use(merged_hal_service)
@@ -52,33 +49,6 @@ allow merged_hal_service mediacodec:fd use;
allow merged_hal_service { appdomain -isolated_app }:fd use;
allow merged_hal_service debugfs_tracing:file write;
-#power permissions
-allow merged_hal_service proc:dir {search getattr};
-allow merged_hal_service proc:file rw_file_perms;
-allow merged_hal_service debugfs_ged:dir search;
-allow merged_hal_service debugfs_ged:file { getattr open read write };
-allow merged_hal_service proc_thermal:file { write open };
-allow merged_hal_service proc_thermal:dir search;
-allow merged_hal_service sysfs:file {open write read};
-allow merged_hal_service proc_perfmgr:dir search;
-allow merged_hal_service proc_perfmgr:file rw_file_perms;
-allow merged_hal_service sdcard_type:dir create_dir_perms;
-allow merged_hal_service sdcard_type:file create_file_perms;
-allow merged_hal_service eemcs_device:chr_file rw_file_perms;
-allow merged_hal_service mnt_user_file:dir create_dir_perms;
-allow merged_hal_service debugfs_fb:dir search;
-allow merged_hal_service debugfs_fb:file { getattr open read write };
-allow merged_hal_service debugfs_fpsgo:dir search;
-allow merged_hal_service debugfs_fpsgo:file { getattr open read write };
-allow merged_hal_service mtk_hal_camera:dir search;
-allow merged_hal_service mtk_hal_camera:file { open read };
-allow merged_hal_service sysfs_devices_system_cpu:file write;
-
-allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
-allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
-allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
-
-
# Date : WK18.23
# Operation : P Migration
# Purpose : add grant permission for Thermal HAL mtktz and proc
diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te
index 3e1858c..ead7145 100644
--- a/non_plat/meta_tst.te
+++ b/non_plat/meta_tst.te
@@ -281,7 +281,6 @@ binder_call(meta_tst, mtk_hal_audio)
allow meta_tst mtk_hal_audio:binder call;
#allow meta_tst hal_audio_hwservice:hwservice_manager find;
allow meta_tst mtk_audiohal_data_file:dir {read search open};
-allow meta_tst proc:file {read open};
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir w_dir_perms;
allow meta_tst audiohal_prop:property_service set;
@@ -361,7 +360,6 @@ allow meta_tst proc_asound:dir { read search open };
allow meta_tst proc_asound:file { read open getattr write };
allow meta_tst mtk_audiohal_data_file:dir { read search open };
allow meta_tst audiohal_prop:property_service set;
-allow meta_tst sysfs:file { read open };
allow meta_tst sysfs_headset:file { read open };
# Date: W18.05
@@ -370,7 +368,7 @@ allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt
# Date : WK18.28
# Operation: P migration
-# Purpose :
+# Purpose :
set_prop(meta_tst, vendor_usb_prop);
# Date: W18.29
@@ -381,7 +379,7 @@ allow meta_tst loghidlvendorservice:unix_stream_socket connectto;
# Date: W18.32
# Operation: Android P migration
# Purpose : Allow meta_tst to set powerctl property
-# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
+# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0
set_prop(meta_tst, powerctl_prop);
diff --git a/non_plat/mnld.te b/non_plat/mnld.te
index 5d113dd..11fe7a4 100644
--- a/non_plat/mnld.te
+++ b/non_plat/mnld.te
@@ -19,7 +19,6 @@ net_domain(mnld)
allow mnld agpsd_data_file:dir create_dir_perms;
allow mnld agpsd_data_file:sock_file create_file_perms;
allow mnld mtk_agpsd:unix_dgram_socket sendto;
-allow mnld sysfs:file rw_file_perms;
allow mnld sysfs_wake_lock:file rw_file_perms;
# Purpose : For access NVRAM data
allow mnld nvram_data_file:dir create_dir_perms;
@@ -88,7 +87,8 @@ allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
hwbinder_use(mnld);
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
-allow mnld hwservicemanager_prop:file { read open getattr };
+#allow mnld hwservicemanager_prop:file { read open getattr };
+get_prop(mnld, hwservicemanager_prop);
allow mnld debugfs_tracing:file { open write };
allow mnld mnt_vendor_file:dir search;
diff --git a/non_plat/modemdbfilter_service.te b/non_plat/modemdbfilter_service.te
index e1c1090..e1c1090 100755..100644
--- a/non_plat/modemdbfilter_service.te
+++ b/non_plat/modemdbfilter_service.te
diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te
index 5627c80..48ef236 100644
--- a/non_plat/mtk_hal_audio.te
+++ b/non_plat/mtk_hal_audio.te
@@ -99,6 +99,10 @@ allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
# Operation : Migration
# Purpose : Smartpa
allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_calib:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:dir r_dir_perms;
+allow mtk_hal_audio sysfs_rt_calib:dir r_dir_perms;
# Date : WK14.41
# Operation : Migration
@@ -158,17 +162,13 @@ allow mtk_hal_audio mnt_user_file:lnk_file {read write};
# Operation : Migration
# Purpose: read/open sysfs node
allow mtk_hal_audio sysfs_ccci:file r_file_perms;
+allow mtk_hal_audio sysfs_ccci:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow mtk_hal_audio tmpfs:dir search;
-# Date : WK16.18
-# Operation : Migration
-# Purpose: access sysfs node
-allow mtk_hal_audio sysfs:file { open read write };
-allow mtk_hal_audio sysfs_ccci:dir search;
# Purpose: Dump debug info
allow mtk_hal_audio debugfs_binder:dir search;
allow mtk_hal_audio kmsg_device:chr_file { open write };
diff --git a/non_plat/mtk_hal_bgs.te b/non_plat/mtk_hal_bgs.te
new file mode 100644
index 0000000..c93342f
--- /dev/null
+++ b/non_plat/mtk_hal_bgs.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_bgs_client, mtk_hal_bgs_server)
+binder_call(mtk_hal_bgs_server, mtk_hal_bgs_client)
+
+add_hwservice(mtk_hal_bgs_server, mtk_hal_bgs_hwservice)
+allow mtk_hal_bgs_client mtk_hal_bgs_hwservice:hwservice_manager find;
\ No newline at end of file
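Review bot: The new file writes rules over `mtk_hal_bgs_client` and `mtk_hal_bgs_server` but declares neither attribute; presumably a `hal_attribute`-style declaration lives in an attributes file outside this hunk — if not, the build fails on undefined attributes. The file also ends without a trailing newline. Since `mtk_hal_camera.te` adds `hal_server_domain(mtk_hal_camera, mtk_hal_bgs)` and `hwservice_contexts` moves three interfaces under `mtk_hal_bgs_hwservice`, a one-line header such as `# BGService HIDL: served by mtk_hal_camera; clients opt in via hal_client_domain` would tie the pieces together for a reader of this file alone.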
diff --git a/non_plat/mtk_hal_bluetooth.te b/non_plat/mtk_hal_bluetooth.te
index 46b9d03..d51b29b 100644
--- a/non_plat/mtk_hal_bluetooth.te
+++ b/non_plat/mtk_hal_bluetooth.te
@@ -15,7 +15,6 @@ r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
# sysfs access.
-r_dir_file(mtk_hal_bluetooth, sysfs_type)
allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow mtk_hal_bluetooth self:capability2 wake_alarm;
@@ -44,5 +43,7 @@ get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
#add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
-allow mtk_hal_bluetooth system_data_file:lnk_file read;
hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);
+
+# Purpose: Allow BT Driver to insmod
+allow mtk_hal_bluetooth wmt_prop:property_service set;
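Review bot: `allow mtk_hal_bluetooth wmt_prop:property_service set;` is a raw rule where this file otherwise uses the property macros (`get_prop` in the hunk header); `set_prop(mtk_hal_bluetooth, wmt_prop)` is the idiom and also grants the `property_socket` write and init `connectto` a set needs, unless those are already present elsewhere in the file. Setting a property to trigger module insertion gives a vendor HAL an indirect path into an init-driven `insmod`, so the `# Purpose :` comment should name the property and the init trigger it fires so the coupling is reviewable.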
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te
index d424a15..489540a 100644
--- a/non_plat/mtk_hal_camera.te
+++ b/non_plat/mtk_hal_camera.te
@@ -23,6 +23,8 @@ init_daemon_domain(mtk_hal_camera)
# HAL implementation of the specified type over HwBinder.
hal_server_domain(mtk_hal_camera, hal_camera)
+hal_server_domain(mtk_hal_camera, mtk_hal_bgs)
+
# Allow camerahalserver to use HwBinder and vendor binder IPC.
hwbinder_use(mtk_hal_camera)
vndbinder_use(mtk_hal_camera)
@@ -62,7 +64,6 @@ hal_client_domain(mtk_hal_camera, hal_graphics_allocator)
# -----------------------------------
# Purpose: Camera-related devices (driver)
# -----------------------------------
-allow mtk_hal_camera proc:file rw_file_perms;
allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
JPG_BRIDGE_ENC_IO_INIT
@@ -71,7 +72,6 @@ allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
JPG_BRIDGE_ENC_IO_DEINIT
JPG_BRIDGE_ENC_IO_START
};
-allow mtk_hal_camera sysfs:file { read write open getattr };
allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
@@ -252,12 +252,6 @@ allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
allow mtk_hal_camera proc_ged:file rw_file_perms;
allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
-################################################################################
-# Date : WK17
-# Operation : O Migration
-## Purpose: Allow to call hal_graphics_allocator binder.
-allow mtk_hal_camera system_data_file:lnk_file read;
-
allow mtk_hal_camera debugfs_tracing:file { write open };
## Purpose : camera3 IT/CTS
@@ -332,9 +326,6 @@ allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };
allow mtk_hal_camera proc_isp_p2:dir search;
allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
-# Purpose : AINR/Thermal Boost
-allow mtk_hal_camera system_data_file:dir { getattr };
-
# Date: 2019/06/14
# Operation : Migration
allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
@@ -342,4 +333,15 @@ allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
# Date: 2019/07/09
# Operation : For M4U security
allow mtk_hal_camera proc_m4u:file r_file_perms;
-allowxperm mtk_hal_camera proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+allowxperm mtk_hal_camera proc_m4u:file ioctl{
+MTK_M4U_T_ALLOC_MVA
+MTK_M4U_T_DEALLOC_MVA
+MTK_M4U_T_CONFIG_PORT
+MTK_M4U_T_DMA_OP
+MTK_M4U_T_SEC_INIT
+};
+
+# Date: 2019/08/27
+# Operation : For android Q allowing ioctl
+allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
+allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
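Review bot: `allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;` names an ISDN network-interface ioctl for a unix stream socket, which reads like a command-number collision rather than the ioctl the HAL actually issues; identify the command from the avc denial and give it a name matching its header, otherwise the intent is lost. `mtk_hal_camera mtk_hal_camera:` is written `self:` elsewhere in this policy, and `ioctl{` is missing the space the block above (`ioctl {`) has. Widening the `proc_m4u` set from `MTK_M4U_T_SEC_INIT` to five commands including `MTK_M4U_T_ALLOC_MVA` and `MTK_M4U_T_DMA_OP` enlarges the IOMMU control surface reachable from the camera HAL; a `# Purpose :` line for that group would make the need auditable.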
diff --git a/non_plat/mtk_hal_gpu.te b/non_plat/mtk_hal_gpu.te
index 939351d..ab08bdd 100644
--- a/non_plat/mtk_hal_gpu.te
+++ b/non_plat/mtk_hal_gpu.te
@@ -31,11 +31,6 @@ hal_client_domain(mtk_hal_gpu, hal_allocator)
# Purpose : Allow to use kernel driver
allow mtk_hal_gpu graphics_device:chr_file rw_file_perms;
-# Purpose : Allow property set
-allow mtk_hal_gpu init:unix_stream_socket connectto;
-allow mtk_hal_gpu property_socket:sock_file write;
-
-
# Purpose : Allow permission to set pq property
#set_prop(mtk_hal_gpu, mtk_gpu_prop)
diff --git a/non_plat/mtk_hal_light.te b/non_plat/mtk_hal_light.te
index 7a69812..de88326 100644
--- a/non_plat/mtk_hal_light.te
+++ b/non_plat/mtk_hal_light.te
@@ -14,7 +14,6 @@ binder_call(mtk_hal_light, system_server)
# system file
allow mtk_hal_light system_file:dir read;
allow mtk_hal_light system_file:dir open;
-allow mtk_hal_light sysfs:file rw_file_perms;
allow mtk_hal_light sysfs_leds:lnk_file read;
allow mtk_hal_light sysfs_leds:file rw_file_perms;
diff --git a/non_plat/mtk_hal_md_dbfilter.te b/non_plat/mtk_hal_md_dbfilter.te
index 2b8a4e6..2b8a4e6 100755..100644
--- a/non_plat/mtk_hal_md_dbfilter.te
+++ b/non_plat/mtk_hal_md_dbfilter.te
diff --git a/non_plat/mtk_hal_mms.te b/non_plat/mtk_hal_mms.te
index 8ebbcaf..a78247c 100755..100644
--- a/non_plat/mtk_hal_mms.te
+++ b/non_plat/mtk_hal_mms.te
@@ -31,7 +31,6 @@ allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl };
allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms;
allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms;
allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find;
-allow mtk_hal_mms proc:file r_file_perms;
# Purpose : Allow to use allocator for JPEG
hal_client_domain(mtk_hal_mms, hal_allocator)
@@ -40,6 +39,7 @@ allow mtk_hal_mms mtk_hal_pq:binder call;
# Purpose : Allow to use graphics allocator fd for gralloc_extra
allow mtk_hal_mms hal_graphics_allocator_default:fd use;
allow mtk_hal_mms debugfs_ion:dir search;
+allow mtk_hal_mms merged_hal_service:fd use;
# Purpose : VDEC/VENC device node
allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;
@@ -53,3 +53,5 @@ allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
};
# Allow to use mms by JPEG with handle
allow mtk_hal_mms platform_app:fd use;
+# Purpose : Allow Miravision to set Sharpness
+allow mtk_hal_mms system_app:fd use;
diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te
index f548586..d6de04d 100644
--- a/non_plat/mtk_hal_power.te
+++ b/non_plat/mtk_hal_power.te
@@ -18,10 +18,6 @@ allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
hal_server_domain(mtk_hal_power, hal_power);
hal_server_domain(mtk_hal_power, hal_wifi);
-# proc fs
-allow mtk_hal_power proc:dir r_dir_perms;
-allow mtk_hal_power proc:file rw_file_perms;
-
# sysfs
allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
@@ -62,7 +58,6 @@ allow mtk_hal_power mtk_hal_camera:file r_file_perms;
# Operation: SQC
# Purpose : Allow powerHAL to access thermal
allow mtk_hal_power proc_thermal:dir r_dir_perms;
-allow mtk_hal_power sysfs:file rw_file_perms;
allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms;
allow mtk_hal_power debugfs_fpsgo:file rw_file_perms;
@@ -90,6 +85,9 @@ allow mtk_hal_power debugfs_fb:file rw_file_perms;
allow mtk_hal_power proc_thermal:file r_file_perms;
allow mtk_hal_power thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_power thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+
allow mtk_hal_power thermalloadalgod:unix_stream_socket connectto;
allow mtk_hal_power proc_mtkcooler:dir r_dir_perms;
@@ -120,8 +118,8 @@ allow mtk_hal_power rild:unix_stream_socket connectto;
# Purpose : Allow powerHAL to access block read ahead
allow mtk_hal_power sysfs_dm:dir r_dir_perms;
allow mtk_hal_power sysfs_dm:file rw_file_perms;
-allow mtk_hal_power sysfs_mmcblk:dir r_dir_perms;
-allow mtk_hal_power sysfs_mmcblk:file rw_file_perms;
+allow mtk_hal_power sysfs_devices_block:dir r_dir_perms;
+allow mtk_hal_power sysfs_devices_block:file rw_file_perms;
allow mtk_hal_power debugfs_eara_thermal:dir search;
allow mtk_hal_power debugfs_eara_thermal:file { getattr open write read };
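Review bot: The swap from `sysfs_mmcblk` to `sysfs_devices_block` keeps `rw_file_perms`, and the same swap is made in recovery.te further down; confirm that `sysfs_devices_block` is declared and has a genfs_contexts entry before the old type is dropped, otherwise these rules match no node at all. If the new type labels every block device's sysfs tree rather than only the mmcblk nodes, the write grant becomes broader than the one it replaces, while the Purpose line above only speaks of block read-ahead access. A comment naming the sysfs path that is actually written would make the scope reviewable.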
@@ -144,3 +142,36 @@ allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
# Purpose : MTK power hal interface permission
set_prop(mtk_hal_power, mtk_powerhal_prop)
+# Date : 2019/09/05
+# Operation: SQC
+# Purpose : Add procfs, sysfs policy
+allow mtk_hal_power proc_ppm:dir r_dir_perms;
+allow mtk_hal_power proc_ppm:file rw_file_perms;
+allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
+allow mtk_hal_power proc_cpufreq:file rw_file_perms;
+allow mtk_hal_power proc_hps:dir r_dir_perms;
+allow mtk_hal_power proc_hps:file rw_file_perms;
+allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
+allow mtk_hal_power proc_fliperfs:dir r_dir_perms;
+allow mtk_hal_power proc_fliperfs:file rw_file_perms;
+allow mtk_hal_power sysfs_ged:dir r_dir_perms;
+allow mtk_hal_power sysfs_ged:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;
+
+# Date : 2019/09/17
+# Operation: SQC
+# Purpose : Add cache audit
+allow mtk_hal_power sysfs_ca_drv:dir r_dir_perms;
+allow mtk_hal_power sysfs_ca_drv:file rw_file_perms;
+allow mtk_hal_power sysfs_pftch_qos:dir r_dir_perms;
+allow mtk_hal_power sysfs_pftch_qos:file rw_file_perms;
+
+# Date : 2019/09/18
+# Operation: SQC
+# Purpose : Add f2fs permission
+allow mtk_hal_power sysfs_fs_f2fs:dir r_dir_perms;
+allow mtk_hal_power sysfs_fs_f2fs:file rw_file_perms;
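Review bot: Every one of the eleven new proc_*/sysfs_* types in this hunk receives `rw_file_perms`, while the Purpose lines only say "Add procfs, sysfs policy", "Add cache audit" and "Add f2fs permission"; nodes that the power HAL only reads should get `r_file_perms`, and each group should state which nodes are written and why. Each type (`proc_ppm`, `proc_cpufreq`, `proc_hps`, `proc_cm_mgr`, `proc_fliperfs`, `sysfs_ged`, `sysfs_fbt_cpu`, `sysfs_fbt_fteh`, `sysfs_ca_drv`, `sysfs_pftch_qos`, `sysfs_fs_f2fs`) also needs a `type` declaration and a genfs_contexts entry that are not part of this chunk; without the first the policy fails to build, without the second the node keeps the generic label and the rule silently never applies. Note that the generic `proc:file rw_file_perms` removed in the first hunk of this file is what these rules are meant to replace, so any node not covered here will surface as a new denial.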
diff --git a/non_plat/mtk_hal_sensors.te b/non_plat/mtk_hal_sensors.te
index 51662d9..6ecacea 100644
--- a/non_plat/mtk_hal_sensors.te
+++ b/non_plat/mtk_hal_sensors.te
@@ -67,3 +67,6 @@ allow mtk_hal_sensors nvcfg_file:dir create_dir_perms;
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow mtk_hal_sensors mnt_vendor_file:dir search;
+# Date : WK19.48
+# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail
+allow mtk_hal_sensors merged_hal_service:fd use;
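Review bot: The Purpose line records the failing test (`fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail`) rather than what the rule is for, so a later reader cannot tell whether `fd use` from `merged_hal_service` is still needed. Since `fd use` means the sensors HAL may operate on file descriptors created by `merged_hal_service`, the comment should name that exchange, e.g. `# Purpose: sensors HAL uses fds passed from merged_hal_service (exercised by VtsHalSensorsV2_0Target)`. The identical rule is added for mtk_hal_mms earlier in this diff with no comment at all.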
diff --git a/non_plat/mtk_hal_wifi.te b/non_plat/mtk_hal_wifi.te
index 4740f38..4740f38 100755..100644
--- a/non_plat/mtk_hal_wifi.te
+++ b/non_plat/mtk_hal_wifi.te
diff --git a/non_plat/mtkrild.te b/non_plat/mtkrild.te
index 8c30d35..3e7ec04 100644
--- a/non_plat/mtkrild.te
+++ b/non_plat/mtkrild.te
@@ -54,7 +54,6 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms;
allow mtkrild sdcardfs:dir r_dir_perms;
# Violate Android P rule
#allow mtkrild system_file:file x_file_perms;
-allow mtkrild proc:file rw_file_perms;
allow mtkrild proc_net:file w_file_perms;
# Set and get routes directly via netlink.
@@ -68,14 +67,13 @@ allow mtkrild mtd_device:dir search;
allow mtkrild tty_device:chr_file rw_file_perms;
allow mtkrild eemcs_device:chr_file { rw_file_perms };
-allow mtkrild Vcodec_device:chr_file { rw_file_perms };
+#allow mtkrild Vcodec_device:chr_file { rw_file_perms };
allow mtkrild devmap_device:chr_file { r_file_perms };
allow mtkrild devpts:chr_file { rw_file_perms };
allow mtkrild ccci_device:chr_file { rw_file_perms };
allow mtkrild misc_device:chr_file { rw_file_perms };
allow mtkrild proc_lk_env:file rw_file_perms;
-allow mtkrild sysfs_vcorefs_pwrctrl:file { w_file_perms };
-allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
+#allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
allow mtkrild para_block_device:blk_file { rw_file_perms };
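Review bot: The hunk disables `allow mtkrild Vcodec_device:chr_file { rw_file_perms };` and `allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };` by commenting them out, while the neighbouring `sysfs_vcorefs_pwrctrl` rule in the same hunk is deleted outright. Commented-out allow rules accumulate as dead policy and invite being re-enabled without review; delete them, or if they are kept on purpose add a one-line reason (`# disabled: <reason> — re-enable only with review`). The same pattern appears in rild.te (`#allow rild Vcodec_device ...`, `#allow rild bootdevice_block_device ...`) and in vendor_init.te (`#allow vendor_init exported3_system_prop ...`, `#allow vendor_init dalvik_prop ...`, `#allow vendor_init ffs_prop ...`, `#allow vendor_init vold_prop ...`).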
# Allow dir search, fd uses
@@ -83,10 +81,6 @@ allow mtkrild block_device:dir search;
allow mtkrild platform_app:fd use;
allow mtkrild radio:fd use;
-# For emulator
-allow mtkrild qemu_pipe_device:chr_file rw_file_perms;
-allow mtkrild socket_device:sock_file { w_file_perms };
-
# For MAL MFI
allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
@@ -94,8 +88,6 @@ allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
allow mtkrild sysfs_ccci:dir search;
allow mtkrild sysfs_ccci:file r_file_perms;
-allow init socket_device:sock_file { create unlink setattr };
-
#For Kryptowire mtklog issue
allow mtkrild aee_aedv:unix_stream_socket connectto;
# Allow ioctl in order to control network interface
@@ -107,10 +99,6 @@ vndbinder_use(mtkrild)
# Allow to trigger IPv6 RS
allow mtkrild node:rawip_socket node_bind;
-# Allow to use sysenv
-allow mtkrild sysfs:file open;
-allow mtkrild sysfs:file read;
-
#Date : W18.15
#Purpose: allow rild access to vendor.ril.ipo system property
set_prop(mtkrild, vendor_ril_ipo_prop)
@@ -137,3 +125,8 @@ allow mtkrild nvdata_file:file create_file_perms;
# Operation: P migration
# Purpose: Allow supplementary service HIDL to set vendor property
set_prop(mtkrild, mtk_ss_vendor_prop)
+
+# Date : WK19.43
+# Purpose: Allow wfc module from rild read system property from wfc module
+get_prop(mtkrild, mtk_wfc_serv_prop)
+
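Review bot: The Purpose comment `Allow wfc module from rild read system property from wfc module` does not say which properties are meant, and the file now ends with an empty `+` line. The property_contexts hunk in this diff maps `persist.vendor.wfc.` to `mtk_wfc_serv_prop`, so the comment could read `# Purpose: Allow the WFC module in rild to read persist.vendor.wfc.* (mtk_wfc_serv_prop)`. rild.te further down adds the same rule with the same comment; the rewording applies there too.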
diff --git a/non_plat/netd.te b/non_plat/netd.te
index aa21a5d..f13fc65 100644
--- a/non_plat/netd.te
+++ b/non_plat/netd.te
@@ -5,32 +5,32 @@
# Date : WK14.34
# Operation : Migration
-# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
-# Owner£º TingTing Lei
+# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
+# Owner: TingTing Lei
allow netd wmtWifi_device:chr_file { write open };
# Date : WK14.34
# Operation : Migration
-# Purpose : NA
-# Owner£º Changqing Sun
+# Purpose : NA
+# Owner: Changqing Sun
allow netd self:capability fsetid;
# Date : WK14.34
# Operation : Migration
-# Purpose : APP
+# Purpose: APP
allow netd platform_app:fd use;
# Date : WK14.37
# Operation : Migration
-# Purpose : PPPOE Test
+# Purpose : PPPOE Test
# Owner : lina wang
allow netd ppp:process sigkill;
# Date : WK14.39
# Operation : Migration
# Purpose : MDLogger USB logging
-# Owner : Bo shang
+# Owner : Bo shang
allow netd mdlogger:fd use;
allow netd mdlogger:tcp_socket { read write };
allow netd mdlogger:tcp_socket { getopt setopt };
@@ -38,7 +38,7 @@ allow netd mdlogger:tcp_socket { getopt setopt };
# Date : WK14.41
# Operation : Migration
# Purpose : network logging
-# Owner : Bo shang
+# Owner : Bo shang
allow netd netdiag:fd use;
allow netd netdiag:udp_socket { read write getopt setopt};
diff --git a/non_plat/nvram_agent_binder.te b/non_plat/nvram_agent_binder.te
index e8e454e..6655e6e 100644
--- a/non_plat/nvram_agent_binder.te
+++ b/non_plat/nvram_agent_binder.te
@@ -15,14 +15,12 @@ init_daemon_domain(nvram_agent_binder)
# Date : WK14.35
# Operation : access nvram by binder
# Purpose : ensure nvram user can access nvram file normally.
-# TODO(b/140176632): Uncomment this line below
-# allow nvram_agent_binder nvram_agent_service:service_manager add;
+#allow nvram_agent_binder nvram_agent_service:service_manager add;
# Date : WK14.43
# Operation : 2rd Selinux Migration
# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
allow nvram_agent_binder nvram_device:blk_file rw_file_perms;
-allow nvram_agent_binder bootdevice_block_device:blk_file rw_file_perms;
allow nvram_agent_binder nvdata_device:blk_file rw_file_perms;
allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
allow nvram_agent_binder nvram_data_file:file create_file_perms;
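Review bot: Replacing `# TODO(b/140176632): Uncomment this line below` with a bare `#allow nvram_agent_binder nvram_agent_service:service_manager add;` drops the only pointer to why the service registration rule is disabled, while leaving it disabled. Either keep the tracking reference (`# TODO(b/140176632): re-enable nvram_agent_service registration once resolved`) or delete the dead rule if the bug is closed. The hunk's other change, dropping `bootdevice_block_device:blk_file rw_file_perms`, is a straightforward tightening.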
@@ -35,9 +33,6 @@ allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
-allow nvram_agent_binder init:unix_stream_socket connectto;
-allow nvram_agent_binder property_socket:sock_file write;
-allow nvram_agent_binder sysfs:file write;
allow nvram_agent_binder self:capability { fowner chown fsetid };
# Purpose: for backup
@@ -45,7 +40,6 @@ allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
allow nvram_agent_binder pro_info_device:chr_file rw_file_perms;
allow nvram_agent_binder block_device:dir search;
-allow nvram_agent_binder app_data_file:file write;
# for MLC device
allow nvram_agent_binder mtd_device:dir search;
allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
@@ -53,9 +47,6 @@ allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
#for nvram agent hidl
get_prop(nvram_agent_binder, hwservicemanager_prop)
-#for nvram hidl client support
-allow nvram_agent_binder sysfs:file { read open };
-
# Allow to use HWBinder IPC
hwbinder_use(nvram_agent_binder);
diff --git a/non_plat/nvram_daemon.te b/non_plat/nvram_daemon.te
index 731d6ce..71db04c 100644
--- a/non_plat/nvram_daemon.te
+++ b/non_plat/nvram_daemon.te
@@ -1,5 +1,5 @@
# ==============================================
-# Policy File of /vendor/binnvram_daemon Executable File
+# Policy File of /vendor/binnvram_daemon Executable File
# ==============================================
@@ -18,15 +18,14 @@ init_daemon_domain(nvram_daemon)
# Date : WK14.31
-# Operation : Migration
-# Purpose : the device is used to store Nvram backup data that can not be lost.
+# Operation : Migration
+# Purpose : the device is used to store Nvram backup data that can not be lost.
allow nvram_daemon nvram_device:blk_file rw_file_perms;
-allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms;
allow nvram_daemon nvdata_device:blk_file rw_file_perms;
# Date : WK14.35
-# Operation : chown folder and file permission
-# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
+# Operation : chown folder and file permission
+# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
allow nvram_daemon nvram_data_file:dir create_dir_perms;
allow nvram_daemon nvram_data_file:file create_file_perms;
allow nvram_daemon nvram_data_file:lnk_file read;
@@ -41,7 +40,6 @@ allow nvram_daemon gyroscope_device:chr_file r_file_perms;
allow nvram_daemon init:unix_stream_socket connectto;
# Purpose: for property set
-allow nvram_daemon sysfs:file w_file_perms;
allow nvram_daemon self:capability { fowner chown fsetid };
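Review bot: After deleting `allow nvram_daemon sysfs:file w_file_perms;` the comment `# Purpose: for property set` now sits directly above `allow nvram_daemon self:capability { fowner chown fsetid };`, which has nothing to do with setting properties. Either remove the comment together with the rule, or move it up to the `init:unix_stream_socket connectto` line it presumably describes, and give the capability rule its own reason, e.g. `# Purpose: chown/chmod of nvram data files — TODO confirm`.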
# Purpose: for backup
@@ -73,10 +71,9 @@ allow nvram_daemon nvram_data_file:lnk_file unlink;
# denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
set_prop(nvram_daemon, service_nvram_init_prop)
set_prop(nvram_daemon, wifi_5g_prop)
-
+
#WK17.26 camera 8163
allow nvram_daemon sysfs:dir read;
-allow nvram_daemon sysfs:file read;
# Date : WK18.16
# Operation: P migration
diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te
index 1fe51aa..33178e0 100644
--- a/non_plat/platform_app.te
+++ b/non_plat/platform_app.te
@@ -119,5 +119,9 @@ allow platform_app sw_sync_device:chr_file rw_file_perms;
# Date: 2019/07/04
# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+hal_client_domain(platform_app, mtk_hal_bgs)
+allow platform_app mtk_hal_bgs_hwservice:hwservice_manager find;
+binder_call(platform_app, mtk_hal_bgs)
+binder_call(mtk_hal_bgs, platform_app)
binder_call(platform_app, mtk_hal_camera)
binder_call(mtk_hal_camera, platform_app)
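Review bot: `hal_client_domain(platform_app, mtk_hal_bgs)` is followed by an explicit hwservice `find` and both-direction `binder_call` rules for the same pair; in the AOSP macro set `hal_client_domain` attaches the caller to the HAL's `_client` attribute, whose `hal_attribute` definition already carries the hwservice find and the client/server binder calls. If `mtk_hal_bgs` is defined as a HAL attribute, the four added lines reduce to the first one; if it is a plain domain type, `hal_client_domain` expands to a `typeattribute platform_app mtk_hal_bgs_client` that must exist somewhere. Please confirm which case applies and keep only the rules the macro expansion does not already provide.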
diff --git a/non_plat/property.te b/non_plat/property.te
index 3ac67c0..3abf8df 100644
--- a/non_plat/property.te
+++ b/non_plat/property.te
@@ -224,11 +224,6 @@ type vendor_radio_prop, property_type, mtk_core_property_type;
#=============allow bluetooth==============
type vendor_bluetooth_prop, property_type, extended_core_property_type;
-
-
-#=============em camera property==============
-type vendor_debug_prop, property_type, mtk_core_property_type;
-
#=============allow ct volte==============
type mtk_ct_volte_prop, property_type, mtk_core_property_type;
@@ -323,3 +318,7 @@ type mtk_hdmi_prop, property_type, mtk_core_property_type;
#=============mtk nn option property=============
type mtk_nn_option_prop, property_type;
+
+#============system wfc service property===========
+type mtk_wfc_serv_prop, property_type;
+
diff --git a/non_plat/property_contexts b/non_plat/property_contexts
index 609ded7..aec00cb 100644
--- a/non_plat/property_contexts
+++ b/non_plat/property_contexts
@@ -200,6 +200,18 @@ persist.vendor.meta.connecttype u:object_r:meta_connecttype_prop:s0
vendor.ril.iccid.sim u:object_r:mtk_telephony_sensitive_prop:s0
vendor.ril.uim.subscriberid u:object_r:mtk_telephony_sensitive_prop:s0
persist.vendor.radio.last_iccid_sim u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.ia.iccid u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.radio.ia u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim1 u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim2 u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim3 u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.c2kirat.ia.sim4 u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.1 u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.2 u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.ia.3 u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.data.iccid u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.mobile.data u:object_r:mtk_telephony_sensitive_prop:s0
#=============allow sim config property==============
vendor.gsm.sim.operator.default-name u:object_r:vendor_sim_system_prop:s0
@@ -232,9 +244,6 @@ persist.vendor.radio. u:object_r:vendor_radio_prop:s0
#=============allow bluetooth==============
vendor.bthcisnoop u:object_r:vendor_bluetooth_prop:s0
-#=============em camera property==============
-vendor.debug. u:object_r:vendor_debug_prop:s0
-
#=============allow ct volte==============
persist.vendor.mtk_ct_volte_support u:object_r:mtk_ct_volte_prop:s0
@@ -351,3 +360,7 @@ persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0
#=============mtk nn option==============#
ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0
+
+#============system wfc service property===========
+persist.vendor.wfc. u:object_r:mtk_wfc_serv_prop:s0
+
diff --git a/non_plat/radio.te b/non_plat/radio.te
index 5d3db51..9f6077e 100644
--- a/non_plat/radio.te
+++ b/non_plat/radio.te
@@ -204,7 +204,7 @@ allow radio mtk_hal_lbs_hwservice:hwservice_manager find;
# Purpose : Allow EM to set poweroffmd property
set_prop(radio, mtk_power_off_md_type)
-get_prop(radio, persist_mtk_aeev_prop);
+get_prop(radio, persist_mtk_aee_prop);
# Date : 2018/08/31
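Review bot: The rename from `persist_mtk_aeev_prop` to `persist_mtk_aee_prop` should be checked against the vendor_init.te hunk near the end of this diff, which adds `set_prop(vendor_init, persist_aeev_prop)`; three spellings of the AEE property type now appear in one merge. Unless both `persist_mtk_aee_prop` and `persist_aeev_prop` are declared in property.te, one of the two rules will not compile, and if both exist one of them is probably the wrong type. A short comment on this `get_prop` naming the property prefix it covers would make the intent verifiable.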
@@ -233,4 +233,4 @@ allow radio debugfs_regmap:dir { search };
# Date : 2018/09/29
# Purpose : Allow get USB Current Speed in Engineer Mode
-get_prop(radio, vendor_usb_prop); \ No newline at end of file
+get_prop(radio, vendor_usb_prop);
diff --git a/non_plat/recovery.te b/non_plat/recovery.te
index a130f89..4d807ec 100644
--- a/non_plat/recovery.te
+++ b/non_plat/recovery.te
@@ -16,9 +16,9 @@ allow recovery self:capability sys_resource;
allow recovery misc_sd_device:chr_file rw_file_perms;
allow recovery vfat:dir r_dir_perms;
allow recovery vfat:file r_file_perms;
-allow recovery sysfs_mmcblk:dir r_dir_perms;
-allow recovery sysfs_mmcblk:file rw_file_perms;
-allow recovery sysfs_mmcblk:lnk_file r_file_perms;
+allow recovery sysfs_devices_block:dir r_dir_perms;
+allow recovery sysfs_devices_block:file rw_file_perms;
+allow recovery sysfs_devices_block:lnk_file r_file_perms;
# Date : WK18.25
# Operation : UT
diff --git a/non_plat/rild.te b/non_plat/rild.te
index 1247403..29c1c9b 100644
--- a/non_plat/rild.te
+++ b/non_plat/rild.te
@@ -43,7 +43,6 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
# Violate Android P rule
allow rild sdcardfs:dir r_dir_perms;
#allow rild system_file:file x_file_perms;
-allow rild proc:file rw_file_perms;
allow rild proc_net:file w_file_perms;
# Allow rild to create and use netlink sockets.
@@ -58,14 +57,14 @@ allow rild mtd_device:dir search;
allow rild tty_device:chr_file rw_file_perms;
allow rild eemcs_device:chr_file { rw_file_perms };
-allow rild Vcodec_device:chr_file { rw_file_perms };
+#allow rild Vcodec_device:chr_file { rw_file_perms };
allow rild devmap_device:chr_file { r_file_perms };
allow rild devpts:chr_file { rw_file_perms };
allow rild ccci_device:chr_file { rw_file_perms };
allow rild misc_device:chr_file { rw_file_perms };
allow rild proc_lk_env:file rw_file_perms;
allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
-allow rild bootdevice_block_device:blk_file { rw_file_perms };
+#allow rild bootdevice_block_device:blk_file { rw_file_perms };
allow rild para_block_device:blk_file { rw_file_perms };
# Allow dir search, fd uses
@@ -101,12 +100,6 @@ allow rild mtk_agpsd:unix_stream_socket connectto;
#allow rild toolbox_exec:file getattr;
allow rild mtk_net_ipv6_prop:property_service set;
-#Dat: 2017/10/17
-# Allow to use sysenv & persist.radio.multisim.config
-# for dynamic feature switch between ss & dsds
-allow rild sysfs:file open;
-allow rild sysfs:file read;
-
#Date: 2017/12/6
#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
allow rild vendor_shell_exec:file {execute_no_trans};
@@ -155,3 +148,16 @@ allow rild proc_cmdline:file r_file_perms;
# Operation: AP wifi path
# Purpose: Allow packet can be filtered by RILD process
allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl };
+
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;
+
+# Date : WK19.43
+# Purpose: Allow wfc module from rild read system property from wfc module
+get_prop(rild, mtk_wfc_serv_prop)
+
+# Date: 2019/11/15
+# Operation: RILD init flow
+# Purpose: To handle illegal rild started
+set_prop(rild, gsm0710muxd_prop)
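Review bot: `allow rild proc_aed_reboot_reason:file rw_file_perms;` grants write access although the Purpose line only says "access proc/aed/reboot-reason"; if rild only reads the last reboot reason, `r_file_perms` is enough and keeps the radio daemon from being able to overwrite the crash-reason record. Likewise `set_prop(rild, gsm0710muxd_prop)` is justified only by "To handle illegal rild started", which names neither the property written nor the condition; the comment should say which property rild sets and when. The `get_prop(rild, mtk_wfc_serv_prop)` group repeats the unclear wording already raised on mtkrild.te.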
diff --git a/non_plat/rilproxy.te b/non_plat/rilproxy.te
index 7b8c5d4..bf1d79e 100644
--- a/non_plat/rilproxy.te
+++ b/non_plat/rilproxy.te
@@ -18,14 +18,12 @@ allow rild init:unix_stream_socket connectto;
allow rild mtkrild:unix_stream_socket connectto;
allow rild property_socket:sock_file write;
allow rild self:capability setuid;
-allow rild socket_device:sock_file write;
allow rild radio_prop:property_service set;
allow rild ril_mux_report_case_prop:property_service set;
allow rild mtk_agpsd:unix_stream_socket connectto;
allow servicemanager rild:dir search;
allow servicemanager rild:file { read open };
allow servicemanager rild:process getattr;
-allow rild proc:file read;
# Allow the socket read/write of netd for rild
allow rild netd_socket:sock_file write;
@@ -72,3 +70,9 @@ set_prop(mtkrild, mtk_ss_vendor_prop)
# Purpose: Allow rild access to send SUPL INIT to mnld
allow rild mnld:unix_dgram_socket sendto;
allow mtkrild mnld:unix_dgram_socket sendto;
+
+# Date : W19.35
+# Operation: Q migration
+# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
+allow rild gsmrild_socket:sock_file write;
+
diff --git a/non_plat/stp_dump3.te b/non_plat/stp_dump3.te
index 34e7510..d7e7675 100644
--- a/non_plat/stp_dump3.te
+++ b/non_plat/stp_dump3.te
@@ -20,7 +20,6 @@ type stp_dump3, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
allow stp_dump3 self:capability { net_admin fowner chown fsetid };
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
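Review bot: Removing `file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)` here, together with `allow stp_dump3 vendor_data_file:dir create_dir_perms;` in the next hunk, means stp_dump3 can no longer create its dump directory under the generic vendor_data_file label nor have new entries there relabelled to `stp_dump_data_file`. That tightens access to the generic label, but it only works if the directory is created by init with the `stp_dump_data_file` label (an init.rc mkdir plus a file_contexts entry), which this diff does not show; please confirm, otherwise the daemon's remaining `create_dir_perms` on `stp_dump_data_file` never applies and the first write fails.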
@@ -40,6 +39,5 @@ allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
allow stp_dump3 stp_dump_data_file:file create_file_perms;
allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
-allow stp_dump3 vendor_data_file:dir create_dir_perms;
get_prop(stp_dump3, coredump_prop)
init_daemon_domain(stp_dump3)
diff --git a/non_plat/system_server.te b/non_plat/system_server.te
index bba72c3..beeb30a 100644
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@@ -15,9 +15,6 @@ allow system_server proc_bootprof:file rw_file_perms;
# /data/core access.
allow system_server aee_core_data_file:dir r_dir_perms;
-# /sys/kernel/debug/ion/clients access
-allow system_server debugfs:dir r_dir_perms;
-
# Perform Binder IPC.
allow system_server zygote:binder impersonate;
@@ -207,3 +204,73 @@ allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
# Date: 2019/06/14
# Operation : Migration
get_prop(system_server, vendor_default_prop)
+
+# Date: 2019/06/14
+# Operation : when WFD turnning on, turn off hdmi
+allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
+allow system_server mtk_hal_hdmi:binder call;
+
+#Date:2019/10/08
+#Operation:Q Migration
+allow system_server proc_battery_cmd:dir search;
+
+#Date:2019/10/09
+#Operation:Q Migration
+get_prop(system_server, debug_mtk_aee_prop)
+
+#Date:2019/10/09
+#Operation:Q Migration
+get_prop(system_server, debug_bq_dump_prop)
+get_prop(system_server, mtk_telecom_vibrate)
+allow system_server proc_cmdq_debug:file getattr;
+allow system_server proc_freqhop:file getattr;
+allow system_server proc_last_kmsg:file r_file_perms;
+allow system_server proc_cm_mgr:dir search;
+allow system_server proc_isp_p2:dir search;
+allow system_server proc_thermal:dir search;
+allow system_server proc_atf_log:dir search;
+allow system_server proc_cpufreq:dir search;
+allow system_server proc_mtkcooler:dir search;
+allow system_server proc_ppm:dir search;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server proc_wlan_status:file getattr;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server sysfs_pages_shared:file r_file_perms;
+allow system_server sysfs_pages_sharing:file r_file_perms;
+allow system_server sysfs_pages_unshared:file r_file_perms;
+allow system_server sysfs_pages_volatile:file r_file_perms;
+
+# Date:2019/10/14
+# Operation: Q Migration
+# Purpose : power_hal_mgr_service may use libmtkperf_client
+allow system_server sysfs_boot_mode:file r_file_perms;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+allow system_server self:capability sys_module;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+dontaudit system_server sdcardfs:file r_file_perms;
+
+# Date : 2019/10/26
+# Operation : Q Migration
+allow system_server mtk_hal_camera:process sigkill;
+allow system_server kernel:system syslog_read;
+
+# Date : 2019/10/30
+# Operation : Q Migration
+allow system_server proc_chip:dir search;
+allow system_server zygote:process setsched;
+
+# Date : 2019/11/21
+# Operation : Q Migration
+allow system_server sf_rtt_file:dir rmdir;
+
+# Date : 2019/11/29
+# Operation : Q Migration
+allow system_server storage_stub_file:dir getattr;
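Review bot: `allow system_server self:capability sys_module;` in the 2019/10/22 group lets system_server load and unload kernel modules, and the comment "Q Migration" does not say which module operation needs it; AOSP platform policy confines sys_module to a small set of init/module-loading domains and, depending on the policy version, a neverallow may reject this rule outright. Please name the operation and move it to the domain that actually loads the module, or drop the rule. Two further grants in the same hunk expose kernel logs, `proc_last_kmsg:file r_file_perms` and `kernel:system syslog_read`, and also deserve a Purpose line beyond "Q Migration".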
diff --git a/non_plat/thermal_manager.te b/non_plat/thermal_manager.te
index 2ad3f91..3bdf75c 100644
--- a/non_plat/thermal_manager.te
+++ b/non_plat/thermal_manager.te
@@ -19,36 +19,31 @@ allow thermal_manager proc_mtkcooler:file rw_file_perms;
allow thermal_manager proc_mtktz:file rw_file_perms;
allow thermal_manager proc_thermal:file rw_file_perms;
-
-# Date : WK15.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-
allow thermal_manager thermal_manager_data_file:file create_file_perms;
allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
-
allow thermal_manager mediaserver:fd use;
allow thermal_manager mediaserver:fifo_file { read write };
allow thermal_manager mediaserver:tcp_socket { read write };
# Date : WK16.30
# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
+# Purpose :
allow thermal_manager camera_isp_device:chr_file { read write };
allow thermal_manager cameraserver:fd use;
allow thermal_manager kd_camera_hw_device:chr_file { read write };
allow thermal_manager MTK_SMI_device:chr_file read;
-allow thermal_manager property_socket:sock_file write;
allow thermal_manager surfaceflinger:fd use;
-allow thermal_manager init:unix_stream_socket connectto;
-allow thermal_manager sysfs:file write;
+set_prop(thermal_manager ,mtk_thermal_config_prop)
-# Date : WK17.12
+# Date : 2019/09/12
# Operation : Migration
-# Purpose : Allow thermal_manager to notify SPA.
-allow thermal_manager mtk_thermal_config_prop:file { getattr open read };
-allow thermal_manager mtk_thermal_config_prop:property_service set;
+# Purpose : add sysfs permission
+# path = " sys/devices/virtual/thermal/"
+# path = " sys/class/thermal/"
+allow thermal_manager sysfs_therm:file w_file_perms;
+
+
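Review bot: The Purpose line for the camera/cameraserver rules was blanked to `# Purpose :` instead of being rewritten, so the WK16.30 group now has a header that says nothing; write the actual reason (e.g. `# Purpose : thermal_manager reads camera ISP/SMI device nodes for thermal control — TODO confirm`) or drop the three header lines. The new `set_prop(thermal_manager ,mtk_thermal_config_prop)` has a stray space before the comma (`set_prop(thermal_manager, mtk_thermal_config_prop)`), and the 2019/09/12 group ends with two empty `+` lines. The `sysfs_therm:file w_file_perms` grant is documented with the sysfs paths it writes, which is the pattern the rest of the hunk should follow.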
# Date : WK18.18
# Operation : P Migration
diff --git a/non_plat/thermalloadalgod.te b/non_plat/thermalloadalgod.te
index 646f48c..e699912 100644
--- a/non_plat/thermalloadalgod.te
+++ b/non_plat/thermalloadalgod.te
@@ -12,9 +12,6 @@ type thermalloadalgod_exec , exec_type, file_type, vendor_file_type;
# ==============================================
init_daemon_domain(thermalloadalgod)
-
-
-
# Data : WK14.43
# Operation : Migration
# Purpose : thermal algorithm daemon for access driver node
@@ -31,19 +28,18 @@ allow thermalloadalgod kmsg_device:chr_file write;
# Operation : SPA porting
# Purpose : thermal algorithm daemon for SPA
# For /proc/[pid]/cgroup accessing
-typeattribute thermalloadalgod mlstrustedsubject;
-allow thermalloadalgod proc:dir {search getattr};
-allow thermalloadalgod proc:file {getattr open read write ioctl};
-allow thermalloadalgod shell:dir search;
-allow thermalloadalgod platform_app:dir search;
-allow thermalloadalgod platform_app:file {open read getattr};
-allow thermalloadalgod priv_app:dir search;
-allow thermalloadalgod priv_app:file {open read getattr};
-allow thermalloadalgod system_app:dir search;
-allow thermalloadalgod system_app:file {open read getattr};
-allow thermalloadalgod untrusted_app:dir search;
-allow thermalloadalgod untrusted_app:file {open read getattr};
-allow thermalloadalgod mediaserver:dir search;
-allow thermalloadalgod mediaserver:file {open read getattr};
-allow thermalloadalgod proc_thermal:dir search;
-allow thermalloadalgod proc_thermal:file { open read write getattr };
+typeattribute thermalloadalgod mlstrustedsubject;
+allow thermalloadalgod proc:dir { search getattr };
+allow thermalloadalgod shell:dir search;
+allow thermalloadalgod platform_app:dir search;
+allow thermalloadalgod platform_app:file { open read getattr };
+allow thermalloadalgod priv_app:dir search;
+allow thermalloadalgod priv_app:file { open read getattr };
+allow thermalloadalgod system_app:dir search;
+allow thermalloadalgod system_app:file { open read getattr };
+allow thermalloadalgod untrusted_app:dir search;
+allow thermalloadalgod untrusted_app:file { open read getattr };
+allow thermalloadalgod mediaserver:dir search;
+allow thermalloadalgod mediaserver:file {open read getattr};
+allow thermalloadalgod proc_thermal:dir search;
+allow thermalloadalgod proc_thermal:file { open read write getattr };
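Review bot: The hunk rewrites the whole block to normalise brace spacing to `{ open read getattr }` but leaves `allow thermalloadalgod mediaserver:file {open read getattr};` in the old form, so the reformat is incomplete. The only functional change, dropping `allow thermalloadalgod proc:file {getattr open read write ioctl};`, is buried inside the whitespace rewrite; keeping it as a single-line deletion would have made the access change visible at a glance.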
diff --git a/non_plat/uncrypt.te b/non_plat/uncrypt.te
new file mode 100644
index 0000000..c9b3acb
--- /dev/null
+++ b/non_plat/uncrypt.te
@@ -0,0 +1,13 @@
+#====================== uncrypt.te ======================
+# uncrypt for mtd
+allow uncrypt mtd_device:chr_file { read write open ioctl };
+allow uncrypt mtd_device:dir search;
+
+allow uncrypt misc_device:chr_file ~rename;
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+allow uncrypt para_block_device:blk_file { write open };
+allow uncrypt system_app_data_file:dir { getattr search };
+allow uncrypt system_app_data_file:file { read getattr };
+allow uncrypt media_rw_data_file:dir { getattr search };
+allow uncrypt media_rw_data_file:file { read getattr open };
+allow uncrypt ota_package_file:file w_file_perms;
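Review bot: `allow uncrypt misc_device:chr_file ~rename;` grants every chr_file permission except rename, including setattr, unlink, relabelfrom/relabelto, mounton and execute, which is far more than a read/write path to the device needs and inconsistent with the explicit sets on every other line of this new file. List the permissions actually exercised, e.g. `allow uncrypt misc_device:chr_file { read write open getattr };`. This file also duplicates uncrypte.te (same `uncrypt.te` banner, `ota_package_file:file w_file_perms` in both, and `para_block_device` with `w_file_perms` there but `{ write open }` here); now that the correctly named file exists, the misspelled one should be deleted rather than padded with an empty line.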
diff --git a/non_plat/uncrypte.te b/non_plat/uncrypte.te
index 22efa73..80b0635 100755
--- a/non_plat/uncrypte.te
+++ b/non_plat/uncrypte.te
@@ -1,3 +1,4 @@
#====================== uncrypt.te ======================
allow uncrypt para_block_device:blk_file w_file_perms;
allow uncrypt ota_package_file:file w_file_perms;
+
diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te
index 5df8e27..d0bc030 100644
--- a/non_plat/vendor_init.te
+++ b/non_plat/vendor_init.te
@@ -1,7 +1,7 @@
-allow vendor_init exported3_system_prop:property_service set;
-allow vendor_init dalvik_prop:property_service set;
+#allow vendor_init exported3_system_prop:property_service set;
+#allow vendor_init dalvik_prop:property_service set;
-allow vendor_init ffs_prop:property_service set;
+#allow vendor_init ffs_prop:property_service set;
allow vendor_init mediatek_prop:property_service set;
allow vendor_init mtk_md_version_prop:property_service set;
allow vendor_init mtk_volte_prop:property_service set;
@@ -10,9 +10,9 @@ allow vendor_init mtk_ril_mode_prop:property_service set;
allow vendor_init wmt_prop:property_service set;
allow vendor_init coredump_prop:property_service set;
allow vendor_init proc_wmtdbg:file w_file_perms;
-allow vendor_init vold_prop:property_service set;
+#allow vendor_init vold_prop:property_service set;
-allow vendor_init proc:file write;
+allow vendor_init proc_cpufreq:file w_file_perms;
allow vendor_init proc_bootprof:file write;
allow vendor_init rootfs:dir { write add_name setattr };
allow vendor_init self:capability sys_module;
@@ -69,4 +69,8 @@ allow vendor_init kernel:key search;
# Purpose: /dev/block/mmcblk0p10
allow vendor_init expdb_block_device:blk_file rw_file_perms;
-set_prop(vendor_init, mtk_wifi_hotspot_prop) \ No newline at end of file
+set_prop(vendor_init, mtk_wifi_hotspot_prop)
+
+set_prop(vendor_init, persist_aeev_prop)
+
+set_prop(vendor_init, mtk_powerhal_prop)
diff --git a/plat_private/vendor_shell.te b/non_plat/vendor_shell.te
index 46903b0..46903b0 100644
--- a/plat_private/vendor_shell.te
+++ b/non_plat/vendor_shell.te
diff --git a/non_plat/vold_prepare_subdirs.te b/non_plat/vold_prepare_subdirs.te
index 3c531e2..3c531e2 100755..100644
--- a/non_plat/vold_prepare_subdirs.te
+++ b/non_plat/vold_prepare_subdirs.te
diff --git a/non_plat/wlan_assistant.te b/non_plat/wlan_assistant.te
index f5aa5c2..830da67 100644
--- a/non_plat/wlan_assistant.te
+++ b/non_plat/wlan_assistant.te
@@ -34,13 +34,8 @@ allow wlan_assistant self:udp_socket { create ioctl };
# allow wlan_assistant wifi_data_file:dir { read search getattr open };
allow wlan_assistant nvdata_file:dir { search read getattr open };
allow wlan_assistant nvdata_file:file { read getattr open };
-allow wlan_assistant sysfs:file { open read };
allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
allow wlan_assistant mnt_vendor_file :dir search;
allow wlan_assistant init:unix_stream_socket connectto;
allow wlan_assistant property_socket:sock_file write;
diff --git a/non_plat/wmt_loader.te b/non_plat/wmt_loader.te
index de04ce6..25c9bde 100644
--- a/non_plat/wmt_loader.te
+++ b/non_plat/wmt_loader.te
@@ -25,8 +25,6 @@ allow wmt_loader wmtdetect_device:chr_file rw_file_perms;
allow wmt_loader stpwmt_device:chr_file rw_file_perms;
allow wmt_loader devpts:chr_file rwx_file_perms;
-allow wmt_loader proc:file setattr;
-
# Date: 2019/06/14
# Operation : Migration
allow wmt_loader proc_wmtdbg:file setattr;
diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te
index fe92aa0..bc3c436 100644
--- a/plat_private/aee_aed.te
+++ b/plat_private/aee_aed.te
@@ -34,10 +34,6 @@ allow aee_aed usermodehelper:file r_file_perms;
#suid_dumpable. this is neverallow
#allow aee_aed proc_security:file r_file_perms;
-#property
-allow aee_aed init:unix_stream_socket connectto;
-allow aee_aed property_socket:sock_file write;
-
#allow aee_aed call binaries labeled "system_file" under /system/bin/
allow aee_aed system_file:file execute_no_trans;
@@ -49,19 +45,9 @@ allow aee_aed kernel:process getsched;
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aed self:capability sys_admin;')
-# Date: W16.17
-# Operation: N0 Migeration
-# Purpose: creat dir "aee_exp" under /data
-allow aee_aed system_data_file:dir { write create add_name };
-allow aee_aed system_data_file:file r_file_perms;
-
# Purpose: allow aee_aed to access toolbox
allow aee_aed toolbox_exec:file rx_file_perms;
-# purpose: allow aee_aed to access storage on N version
-allow aee_aed media_rw_data_file:file { create_file_perms };
-allow aee_aed media_rw_data_file:dir { create_dir_perms };
-
# Purpose: mnt/user/*
allow aee_aed mnt_user_file:dir search;
allow aee_aed mnt_user_file:lnk_file read;
diff --git a/plat_private/aee_aedv.te b/plat_private/aee_aedv.te
deleted file mode 100644
index c5f82da..0000000
--- a/plat_private/aee_aedv.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# =============================================+
-# Type Declaration
-# ==============================================
-
-type aee_aedv_exec, exec_type, file_type, vendor_file_type;
-typeattribute aee_aedv mlstrustedsubject;
-
-init_daemon_domain(aee_aedv)
-
diff --git a/plat_private/audioserver.te b/plat_private/audioserver.te
index a167d6d..3109661 100644
--- a/plat_private/audioserver.te
+++ b/plat_private/audioserver.te
@@ -10,11 +10,6 @@ allow audioserver sdcard_type:file create;
allow audioserver sdcard_type:dir remove_name;
allow audioserver sdcard_type:file unlink;
-# Date : WK14.34
-# Operation : Migration
-# Purpose : Smartcard Service
-allow audioserver system_data_file:file open;
-
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
@@ -47,16 +42,13 @@ allow audioserver untrusted_app:dir search;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-allow audioserver system_data_file:dir write;
allow audioserver storage_file:lnk_file {read write};
allow audioserver mnt_user_file:dir {write read search};
allow audioserver mnt_user_file:lnk_file {read write};
# Purpose: Dump debug info
allow audioserver kmsg_device:chr_file { open write };
-allow audioserver property_socket:sock_file write;
allow audioserver media_rw_data_file:dir { create_dir_perms };
-allow audioserver init:unix_stream_socket connectto;
# Date : WK16.27
# Operation : Migration
diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te
index 069a9f0..7b537bb 100644
--- a/plat_private/boot_logo_updater.te
+++ b/plat_private/boot_logo_updater.te
@@ -38,7 +38,4 @@ allow boot_logo_updater sysfs:dir read;
# for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14"
allow boot_logo_updater mtd_device:blk_file read;
allow boot_logo_updater sysfs:dir open;
-allow boot_logo_updater system_data_file:dir write;
allow boot_logo_updater mtd_device:blk_file open;
-
-
diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te
index 3dc20b8..01b5dc5 100644
--- a/plat_private/cmddumper.te
+++ b/plat_private/cmddumper.te
@@ -8,12 +8,6 @@ typeattribute cmddumper coredomain;
init_daemon_domain(cmddumper)
-# cmddumper access on /data/mdlog
-allow cmddumper system_data_file:dir { create_dir_perms relabelfrom relabelto};
-
-# "mdl_serv_fifo" scontext=u:r:cmddumper:s0 tcontext=u:object_r:system_data_file
-allow cmddumper system_data_file:fifo_file create_file_perms;
-
# for modem logging sdcard access
allow cmddumper sdcard_type:dir create_dir_perms;
@@ -36,4 +30,3 @@ allow cmddumper file_contexts_file:file { read getattr open };
## Save C2K modem log into data
allow cmddumper debuglog_data_file:dir {relabelto create_dir_perms};
allow cmddumper debuglog_data_file:file create_file_perms;
-allow cmddumper system_data_file:dir create_dir_perms;
diff --git a/plat_private/domain.te b/plat_private/domain.te
new file mode 100644
index 0000000..7f95649
--- /dev/null
+++ b/plat_private/domain.te
@@ -0,0 +1,117 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Rules for all domains.
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+# TODO: Remove merged_hal_service and so on once there are no violations.
+#
+# allow hal_drm system_data_file:file { getattr read };
+# hal_server_domain(merged_hal_service, hal_drm)
+#
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -app_zygote
+ -dumpstate
+ -init
+ -installd
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -logd
+ -mediadrmserver
+ -mediaextractor
+ -mediaserver
+ -runas
+ -sdcardd
+ -simpleperf_app_runner
+ -storaged
+ -system_server
+ -toolbox
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+ } system_data_file:file *;
+
+ neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+
+ neverallow {
+ dumpstate
+ logd
+ runas
+ sdcardd
+ simpleperf_app_runner
+ storaged
+ zygote
+ } system_data_file:file ~r_file_perms;
+
+ neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+
+ neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+
+ neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+ neverallow iorap_inode2filename system_data_file:file ~{ open read getattr };
+
+ neverallow {
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ } system_data_file:file ~{ read getattr };
+
+ neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+
+ neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+
+ neverallow vold system_data_file:file ~read;
+
+ neverallow ~{
+ appdomain
+ app_zygote
+ dexoptanalyzer
+ init
+ installd
+ iorap_inode2filename
+ iorap_prefetcherd
+ logd
+ rs
+ runas
+ simpleperf_app_runner
+ system_server
+ tee
+ vold
+ webview_zygote
+ zygote
+ } system_data_file:lnk_file *;
+
+ neverallow {
+ appdomain
+ app_zygote
+ logd
+ webview_zygote
+ } system_data_file:lnk_file ~r_file_perms;
+
+ neverallow { dexoptanalyzer vold } system_data_file:lnk_file ~getattr;
+
+ neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+
+ neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+
+ neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+
+ neverallow iorap_inode2filename system_data_file:lnk_file ~{ read open getattr };
+
+ neverallow rs system_data_file:lnk_file ~{ read };
+
+ neverallow {
+ runas
+ simpleperf_app_runner
+ tee
+ } system_data_file:lnk_file ~{ read getattr };
+
+ neverallow system_server system_data_file:lnk_file ~create_file_perms;
+')
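Review bot: The init rule near the end of the file-class block lists `getattr` twice: `neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };` — checkpolicy accepts it, but it reads like a merge slip, so drop the second `getattr` (the same duplicate is carried in the commented-out copy in plat_public/domain.te). This file only constrains `system_data_file:file` and `:lnk_file`; the `:dir` restrictions exist solely as commented-out text in plat_public/domain.te, so the many `system_data_file:dir` allow removals elsewhere in this commit are not backed by any neverallow and can silently reappear in later merges. If leaving the dir class unconstrained is deliberate for now, a one-line comment such as `# NOTE: dir-class neverallows are still disabled in plat_public/domain.te pending violation cleanup` would save the next reader a search.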
diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te
index cd91357..47a3d9c 100755..100644
--- a/plat_private/emdlogger.te
+++ b/plat_private/emdlogger.te
@@ -17,8 +17,8 @@ allow emdlogger sdcard_type:file { create_file_perms };
# modem logger socket access
-allow emdlogger property_socket:sock_file write;
-allow emdlogger init:unix_stream_socket connectto;
+#allow emdlogger property_socket:sock_file write;
+#allow emdlogger init:unix_stream_socket connectto;
allow emdlogger platform_app:unix_stream_socket connectto;
allow emdlogger shell_exec:file { rx_file_perms };
allow emdlogger system_file:file execute_no_trans;
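Review bot: The socket rules at the top of this hunk are replaced with commented-out copies (`#allow emdlogger property_socket:sock_file write;` and `#allow emdlogger init:unix_stream_socket connectto;`) rather than removed; the same pattern recurs in the next hunk of this file (`#allow emdlogger file_contexts_file:file { read getattr open };`) and in the mdlogger.te hunk further down. Dead `allow` lines in a policy file tend to get uncommented later without review, and the `get_prop` macro added at the end of this file suggests property access is now handled through the macros anyway, so deleting these lines outright — as the rest of this commit does for comparable rules — would be cleaner. The enclosing rule block starts before this hunk.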
@@ -58,7 +58,7 @@ allow emdlogger media_rw_data_file:file { create_file_perms };
allow emdlogger media_rw_data_file:dir { create_dir_perms };
## purpose: avc: denied { read } for name="plat_file_contexts"
-allow emdlogger file_contexts_file:file { read getattr open };
+#allow emdlogger file_contexts_file:file { read getattr open };
## Android P migration
## purpose: denied { read } for name="cmdline" dev="proc"
@@ -82,4 +82,5 @@ allow emdlogger mddb_filter_data_file:file { r_file_perms };
# save log into /data/debuglogger
allow emdlogger debuglog_data_file:dir {relabelto create_dir_perms};
allow emdlogger debuglog_data_file:file create_file_perms;
-allow emdlogger system_data_file:dir create_dir_perms;
+# get persist.sys. proeprty
+get_prop(emdlogger, system_prop)
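Review bot: The new comment `# get persist.sys. proeprty` misspells "property" and does not say which persist.sys key emdlogger actually reads, while `get_prop(emdlogger, system_prop)` grants read on every property carrying the `system_prop` label, which is much broader than one key. If the key is known, the comment should name it, e.g. `# read persist.sys.<key> (labelled system_prop)`, and it is worth checking whether a narrower property type already covers it. The removed `system_data_file:dir create_dir_perms` line is consistent with the new `debuglog_data_file` rules above it; no concern there.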
diff --git a/plat_private/file.te b/plat_private/file.te
index 268f03b..268f03b 100755..100644
--- a/plat_private/file.te
+++ b/plat_private/file.te
diff --git a/plat_private/file_contexts b/plat_private/file_contexts
index fdcd059..053ebe4 100644
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@@ -4,6 +4,8 @@
/data/system_de/mdfilter(/.*)? u:object_r:mddb_filter_data_file:s0
/data/debuglogger(/.*)? u:object_r:debuglog_data_file:s0
+/data/ramdump(/.*)? u:object_r:debuglog_data_file:s0
+
#############################
# debugfs files
#
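Review bot: `/data/ramdump(/.*)?` is given the existing `debuglog_data_file` label rather than a dedicated type, so every domain that this commit already lets create or relabel `debuglog_data_file` (cmddumper, emdlogger, mdlogger, netdiag and mobile_log_d in the hunks on this page) gains the same access to RAM dumps. A memory dump is a different sensitivity class from a modem or network log; if the set of domains that should read ramdumps is smaller, a separate type (e.g. `ramdump_data_file`, declared in file.te) keeps the two apart. If sharing the label is deliberate, a comment on the new line saying so, such as `# ramdumps intentionally share the debuglogger label`, would document the decision.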
@@ -27,11 +29,6 @@
/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
-# google suggest that move aee_aedv_exec to platform @google_issue_id:64130120
-/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
-/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
-/vendor/bin/aeev u:object_r:aee_aedv_exec:s0
-
# storagemanager daemon
# it is used to mount all storages in meta/factory mode
/system/bin/storagemanagerd u:object_r:vold_exec:s0
diff --git a/plat_private/genfs_contexts b/plat_private/genfs_contexts
index fdf8565..7cfb555 100644
--- a/plat_private/genfs_contexts
+++ b/plat_private/genfs_contexts
@@ -3,3 +3,4 @@ genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibra
genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
genfscon sysfs /devices/virtual/misc/mcupm u:object_r:sysfs_mcupm:s0
+genfscon sysfs /firmware/devicetree/base/chosen/atag,boot u:object_r:sysfs_boot_info:s0
diff --git a/plat_private/lbs_dbg.te b/plat_private/lbs_dbg.te
index db46413..01bcdc8 100755..100644
--- a/plat_private/lbs_dbg.te
+++ b/plat_private/lbs_dbg.te
@@ -8,7 +8,6 @@ type lbs_dbg, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
-file_type_auto_trans(lbs_dbg, system_data_file, lbs_dbg_data_file);
type lbs_dbg_exec, system_file_type, exec_type, file_type;
typeattribute lbs_dbg coredomain;
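Review bot: Removing `file_type_auto_trans(lbs_dbg, system_data_file, lbs_dbg_data_file);` drops the type transition that labelled files lbs_dbg created inside a `system_data_file` directory as `lbs_dbg_data_file`. The surviving `allow lbs_dbg lbs_dbg_data_file:file create_file_perms;` in the next hunk only works if the parent directory already carries that label (a file_contexts entry plus whoever creates the directory at boot), which this diff does not show; if lbs_dbg still creates its own directory, its writes will now be denied. A short comment naming the labelling source, e.g. `# /data/<lbs_dbg path> is labelled lbs_dbg_data_file in file_contexts and created by init`, would make the dependency explicit. The enclosing rule block continues beyond this hunk.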
@@ -19,8 +18,6 @@ allow lbs_dbg storage_file:dir { write create add_name search mounton };
allow lbs_dbg storage_file:lnk_file read;
allow lbs_dbg lbs_dbg_data_file:file create_file_perms;
-allow lbs_dbg system_data_file:lnk_file read;
-
#allow lbs_dbg mnld_device:chr_file rw_file_perms;
allow lbs_dbg media_rw_data_file:dir search;
diff --git a/plat_private/loghidlsysservice.te b/plat_private/loghidlsysservice.te
index 4edbfba..4edbfba 100755..100644
--- a/plat_private/loghidlsysservice.te
+++ b/plat_private/loghidlsysservice.te
diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te
index ad6990a..afa04ea 100644
--- a/plat_private/mdlogger.te
+++ b/plat_private/mdlogger.te
@@ -13,8 +13,8 @@ binder_use(mdlogger)
binder_service(mdlogger)
# modem logger socket access
-allow mdlogger init:unix_stream_socket connectto;
-allow mdlogger property_socket:sock_file write;
+#allow mdlogger init:unix_stream_socket connectto;
+#allow mdlogger property_socket:sock_file write;
allow mdlogger platform_app:unix_stream_socket connectto;
allow mdlogger shell_exec:file { rx_file_perms };
allow mdlogger system_file:file x_file_perms;
@@ -54,4 +54,3 @@ allow mdlogger mddb_filter_data_file:file { r_file_perms };
## Save modem log into data
allow mdlogger debuglog_data_file:dir {relabelto create_dir_perms};
allow mdlogger debuglog_data_file:file create_file_perms;
-allow mdlogger system_data_file:dir create_dir_perms;
diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te
index 09c7b05..d6c9468 100644
--- a/plat_private/mobile_log_d.te
+++ b/plat_private/mobile_log_d.te
@@ -84,3 +84,5 @@ allow mobile_log_d debuglog_data_file:file create_file_perms;
allow mobile_log_d mcupm_device:chr_file r_file_perms;
allow mobile_log_d sysfs_mcupm:file w_file_perms;
allow mobile_log_d sysfs_mcupm:dir search;
+
+allow mobile_log_d sysfs_boot_info:file r_file_perms;
diff --git a/plat_private/modemdbfilter_client.te b/plat_private/modemdbfilter_client.te
index c63b2b8..4c123a8 100755..100644
--- a/plat_private/modemdbfilter_client.te
+++ b/plat_private/modemdbfilter_client.te
@@ -17,6 +17,3 @@ hal_client_domain(modemdbfilter_client, mtk_hal_md_dbfilter)
# ==============================================
allow modemdbfilter_client mddb_filter_data_file:dir { create_dir_perms relabelto };
allow modemdbfilter_client mddb_filter_data_file:file { create_file_perms };
-allow modemdbfilter_client system_data_file:dir { create_dir_perms relabelfrom };
-allow modemdbfilter_client file_contexts_file:file { r_file_perms };
-
diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te
index bcb7456..857b86d 100644
--- a/plat_private/mtkbootanimation.te
+++ b/plat_private/mtkbootanimation.te
@@ -41,7 +41,6 @@ allow mtkbootanimation hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
#r_dir_file(mtkbootanimation, proc)
allow mtkbootanimation proc_meminfo:file r_file_perms;
-#r_dir_file(mtkbootanimation, sysfs)
r_dir_file(mtkbootanimation, cgroup)
# System file accesses.
diff --git a/plat_private/netdiag.te b/plat_private/netdiag.te
index 834dcf8..c2499bb 100755..100644
--- a/plat_private/netdiag.te
+++ b/plat_private/netdiag.te
@@ -99,5 +99,3 @@ get_prop(netdiag, apexd_prop)
# Q save log into /data/debuglogger
allow netdiag debuglog_data_file:dir {relabelto create_dir_perms};
allow netdiag debuglog_data_file:file create_file_perms;
-allow netdiag system_data_file:dir { create_dir_perms relabelfrom };
-allow netdiag file_contexts_file:file { r_file_perms };
diff --git a/plat_private/ppp.te b/plat_private/ppp.te
index 1e7a34b..b91cd4a 100644
--- a/plat_private/ppp.te
+++ b/plat_private/ppp.te
@@ -2,38 +2,6 @@
# MTK Policy Rule
# ==============================================
-
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose: for VPN
-
-allow ppp init:unix_stream_socket connectto;
-allow ppp property_socket:sock_file write;
-
-# Date : WK14.37
-# Operation : Migration
-# Purpose: for PPPOE Test
-
-allow ppp devpts:chr_file { read write ioctl open setattr };
-allow ppp self:capability { setuid net_raw setgid };
-allow ppp shell_exec:file { read execute open execute_no_trans };
-
-
-# Date : WK14.37
-# Operation : Migration
-# Purpose: for PPPOE Test: Property permission
-
-allow ppp net_radio_prop:property_service set;
-allow ppp system_prop:property_service set;
-
-
-# Date : WK14.38
-# Operation : Migration
-# Purpose: for PPPOE Test
-
-allow ppp ppp_exec:file execute_no_trans;
-
# Date : WK14.53
# Operation : check in
# Purpose: for warning kernel API
diff --git a/plat_private/property_contexts b/plat_private/property_contexts
index 66792db..b85131f 100644
--- a/plat_private/property_contexts
+++ b/plat_private/property_contexts
@@ -12,3 +12,7 @@ ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
#allow adb daemon to read "persist.adb.nonblocking_ffs"
persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
+
+#============system fingerprint property===========#
+ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
+
diff --git a/plat_private/service_contexts b/plat_private/service_contexts
index 814ca69..03dbfe3 100644
--- a/plat_private/service_contexts
+++ b/plat_private/service_contexts
@@ -9,4 +9,5 @@ NvRAMAgent u:object_r:nvram_agent_service:s0
memory_dumper u:object_r:mediaserver_service:s0
imsa u:object_r:radio_service:s0
mtkIms u:object_r:radio_service:s0
-GbaService u:object_r:radio_service:s0 \ No newline at end of file
+GbaService u:object_r:radio_service:s0
+
diff --git a/plat_private/system_app.te b/plat_private/system_app.te
index 0dd6fc5..6d45fbe 100644
--- a/plat_private/system_app.te
+++ b/plat_private/system_app.te
@@ -12,9 +12,5 @@ allow system_app vfat:dir create;
allow system_app media_rw_data_file:dir {r_dir_perms w_dir_perms};
allow system_app media_rw_data_file:file {r_file_perms w_file_perms};
-#Dat: 2017/07/13
-#Purpose: allow system app to read/open system data file
-allow system_app system_data_file:dir { read open };
-
# Purpose: receive dropbox message
allow system_app aee_aed:unix_stream_socket connectto;
diff --git a/plat_private/system_server.te b/plat_private/system_server.te
index 72201ee..c606c5c 100644
--- a/plat_private/system_server.te
+++ b/plat_private/system_server.te
@@ -7,3 +7,7 @@ allow uncrypt uncrypt:capability fowner;
# Purpose: receive dropbox message
allow system_server aee_aed:fifo_file w_file_perms;
allow system_server aee_aed:fd use;
+
+#Date:2019/10/10
+#Operation:Q Migration
+allow system_server mddb_filter_data_file:dir getattr;
diff --git a/plat_public/aee_aedv.te b/plat_public/aee_aedv.te
deleted file mode 100644
index fe413f8..0000000
--- a/plat_public/aee_aedv.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# ==============================================
-# Type Declaration
-# ==============================================
-type aee_aedv, domain;
diff --git a/plat_public/domain.te b/plat_public/domain.te
new file mode 100644
index 0000000..1478421
--- /dev/null
+++ b/plat_public/domain.te
@@ -0,0 +1,361 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Rules for all domains.
+
+# Do not allow access to the generic sysfs label. This is too broad.
+# Instead, if access to part of sysfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * sysfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file *;
+
+ neverallow {
+ init
+ ueventd
+ vold
+ } sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ } sysfs:lnk_file ~r_file_perms;
+
+ neverallow {
+ init
+ ueventd
+ } sysfs:lnk_file ~{ r_file_perms setattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~r_dir_perms;
+
+ neverallow {
+ init
+ ueventd
+ vendor_init
+ } sysfs:dir ~{ r_dir_perms relabelfrom relabelto mounton setattr };
+')
+
+
+# Do not allow access to the generic proc label. This is too broad.
+# Instead, if access to part of proc is desired, it should have a
+# more specific label.
+# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
+#
+# r_dir_file(hal_audio, proc)
+# hal_server_domain(mtk_hal_audio, hal_audio)
+# hal_client_domain(audioserver, hal_audio)
+#
+full_treble_only(`
+ neverallow * proc:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ -vold
+ } proc:file *;
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ vold
+ } proc:file ~r_file_perms;
+
+ neverallow vendor_init proc:file ~{ read setattr map open };
+
+ neverallow {
+ coredomain
+ -audioserver
+ -bluetooth
+ -init
+ -system_server
+ } proc:lnk_file ~{ read getattr };
+
+ neverallow {
+ audioserver
+ bluetooth
+ init
+ system_server
+ } proc:lnk_file ~r_file_perms;
+
+ neverallow ~{
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search };
+
+ neverallow {
+ init
+ vendor_init
+ } proc:dir ~{ r_file_perms search setattr };
+')
+
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+full_treble_only(`
+ neverallow * debugfs:{ chr_file blk_file sock_file fifo_file } *;
+
+ neverallow ~{
+ dumpstate
+ init
+ vendor_init
+ } debugfs:file *;
+
+ neverallow dumpstate debugfs:file ~r_file_perms;
+
+ neverallow init debugfs:file ~{ getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:file ~{ read setattr open map };
+
+ neverallow ~init debugfs:lnk_file *;
+
+ neverallow init debugfs:lnk_file ~{ getattr relabelfrom relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ } debugfs:dir ~{ search getattr };
+
+ neverallow init debugfs:dir ~{ search getattr relabelfrom open read setattr relabelto };
+
+ neverallow vendor_init debugfs:dir ~{ search getattr read setattr open };
+')
+
+
+# Do not allow access to the generic system_data_file label. This is
+# too broad.
+# Instead, if access to part of system_data_file is desired, it should
+# have a more specific label.
+# TODO: Remove merged_hal_service and so on once there are no violations.
+#
+# allow hal_drm system_data_file:file { getattr read };
+# hal_server_domain(merged_hal_service, hal_drm)
+#
+# full_treble_only(`
+# neverallow ~{
+# init
+# installd
+# system_server
+# } system_data_file:{ chr_file blk_file sock_file fifo_file } *;
+#
+# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;
+#
+# neverallow init system_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+#
+# neverallow installd system_data_file:{ chr_file blk_file } *;
+#
+# neverallow installd system_data_file:{ sock_file fifo_file } ~{ getattr relabelfrom unlink };
+#
+# neverallow system_server system_data_file:{ lnk_file sock_file fifo_file } ~create_file_perms;
+#
+# neverallow {
+# coredomain
+# -appdomain
+# -app_zygote
+# -init
+# -installd
+# -iorap_prefetcherd
+# -system_server
+# -toolbox
+# -vold
+# -vold_prepare_subdirs
+# } system_data_file:file ~r_file_perms;
+#
+# neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
+#
+# neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map getattr relabelto };
+#
+# neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
+#
+# neverallow iorap_prefetcherd system_data_file:file ~{ open read };
+#
+# neverallow {
+# mediadrmserver
+# mediaextractor
+# mediaserver
+# } system_data_file:file ~{ read getattr };
+#
+# neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
+#
+# neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
+#
+# neverallow vold system_data_file:file ~read;
+#
+# neverallow ~{
+# appdomain
+# app_zygote
+# init
+# installd
+# iorap_prefetcherd
+# logd
+# rs
+# runas
+# simpleperf_app_runner
+# system_server
+# tee
+# vold
+# webview_zygote
+# zygote
+# } system_data_file:lnk_file ~getattr;
+#
+# neverallow {
+# appdomain
+# app_zygote
+# logd
+# webview_zygote
+# } system_data_file:lnk_file ~r_file_perms;
+#
+# neverallow init system_data_file:lnk_file ~{ r_file_perms create setattr relabelfrom relabelto unlink };
+#
+# neverallow installd system_data_file:lnk_file ~{ create getattr read setattr unlink relabelfrom };
+#
+# neverallow iorap_prefetcherd system_data_file:lnk_file ~{ read open };
+#
+# neverallow rs system_data_file:lnk_file ~{ read };
+#
+# neverallow {
+# runas
+# simpleperf_app_runner
+# tee
+# } system_data_file:lnk_file ~{ read getattr };
+#
+# neverallow system_server system_data_file:lnk_file ~create_file_perms;
+#
+# neverallow ~{
+# init
+# installd
+# iorap_prefetcherd
+# system_server
+# toolbox
+# traced_probes
+# vold
+# vold_prepare_subdirs
+# zygote
+# } system_data_file:dir ~{ search getattr };
+#
+# neverallow init system_data_file:dir ~{
+# create search getattr open read setattr ioctl
+# mounton
+# relabelto
+# write add_name remove_name rmdir relabelfrom
+# };
+#
+# neverallow installd system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow {
+# iorap_prefetcherd
+# traced_probes
+# } system_data_file:dir ~{ open read search getattr };
+#
+# neverallow system_server system_data_file:dir ~{ relabelfrom create_dir_perms };
+#
+# neverallow toolbox system_data_file:dir ~{ rmdir rw_dir_perms };
+#
+# neverallow vold system_data_file:dir ~{ create rw_dir_perms mounton setattr rmdir };
+#
+# neverallow vold_prepare_subdirs system_data_file:dir ~{ open read write add_name remove_name rmdir relabelfrom search getattr };
+#
+# neverallow zygote system_data_file:dir ~{ r_dir_perms mounton relabelto };
+# ')
+
+
+# Do not allow access to the generic vendor_data_file label. This is
+# too broad.
+# Instead, if access to part of vendor_data_file is desired, it should
+# have a more specific label.
+full_treble_only(`
+ neverallow ~{
+ init
+ vendor_init
+ } vendor_data_file:file_class_set *;
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ chr_file blk_file } ~{ relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:{ sock_file fifo_file } ~{ create getattr open read setattr relabelfrom unlink relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:lnk_file ~{ create getattr setattr relabelfrom unlink relabelto };
+
+ neverallow ~{
+ init
+ vendor_init
+ vold
+ vold_prepare_subdirs
+ } vendor_data_file:dir ~{ getattr search };
+
+ neverallow {
+ init
+ vendor_init
+ } vendor_data_file:dir ~{ create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom relabelto };
+
+ neverallow vold vendor_data_file:dir ~create_dir_perms;
+
+ neverallow vold_prepare_subdirs vendor_data_file:dir ~{ getattr search open read write add_name remove_name rmdir relabelfrom };
+')
+
+# Do not allow access to the generic app_data_file label. This is too broad.
+# Instead, if access to part of app_data_file is desired, it should have a
+# more specific label.
+#neverallow * app_data_file:dir_file_class_set *;
+
+# Do not allow access to the generic default_prop label. This is too broad.
+# Instead, if access to part of default_prop is desired, it should have a
+# more specific label.
+#neverallow * default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic vendor_default_prop label. This is
+# too broad.
+# Instead, if access to part of vendor_default_prop is desired, it should
+# have a more specific label.
+#neverallow * vendor_default_prop:dir_file_class_set *;
+
+# Do not allow access to the generic device label. This is too broad.
+# Instead, if access to part of device is desired, it should have a
+# more specific label.
+#neverallow * device:dir_file_class_set *;
+
+# Do not allow access to the generic socket_device label. This is too broad.
+# Instead, if access to part of socket_device is desired, it should have a
+# more specific label.
+#neverallow * socket_device:dir_file_class_set *;
+
+# Do not allow access to the generic block_device label. This is too broad.
+# Instead, if access to part of block_device is desired, it should have a
+# more specific label.
+#neverallow * block_device:dir_file_class_set *;
+
+# Do not allow access to the generic bootdevice_block_device label. This is
+# too broad.
+# Instead, if access to part of bootdevice_block_device is desired, it should
+# have a more specific label.
+#neverallow * bootdevice_block_device:dir_file_class_set *;
+
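Review bot: The whole `system_data_file` section (between the commented `full_treble_only` opener and its closing `# ')`) is disabled, so none of its dir-class restrictions are enforced; only the file/lnk_file subset is live, in plat_private/domain.te. Before the section is ever re-enabled, two latent slips should be fixed: the double terminator in `# neverallow init system_data_file:{ chr_file blk_file } ~{ relabelto };;` and the repeated `getattr` in the `neverallow init system_data_file:file ~{ ... map getattr relabelto }` line. In the proc block, `neverallow ~{ init vendor_init } proc:dir ~{ r_file_perms search };` applies the file permission set to a dir class; `~{ r_dir_perms }` is presumably what was meant and is stricter (it does not admit `map`), so the change should be confirmed against a full build. The trailing disabled rules (`#neverallow * app_data_file:dir_file_class_set *;` and the ones after it) would read better with one line stating why they are off, e.g. `# disabled until vendor violations are cleaned up`.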
diff --git a/plat_public/emdlogger.te b/plat_public/emdlogger.te
index f116ac0..f116ac0 100755..100644
--- a/plat_public/emdlogger.te
+++ b/plat_public/emdlogger.te
diff --git a/plat_public/file.te b/plat_public/file.te
index 0e572de..fcf55c9 100644
--- a/plat_public/file.te
+++ b/plat_public/file.te
@@ -4,3 +4,5 @@
# lbs debug file
type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type;
+
+type sysfs_boot_info, fs_type, sysfs_type;
diff --git a/plat_public/mdlogger.te b/plat_public/mdlogger.te
index e4ca402..e4ca402 100755..100644
--- a/plat_public/mdlogger.te
+++ b/plat_public/mdlogger.te
diff --git a/plat_public/modemdbfilter_client.te b/plat_public/modemdbfilter_client.te
index 840b786..840b786 100755..100644
--- a/plat_public/modemdbfilter_client.te
+++ b/plat_public/modemdbfilter_client.te
diff --git a/plat_public/netdiag.te b/plat_public/netdiag.te
index 19a04b5..19a04b5 100755..100644
--- a/plat_public/netdiag.te
+++ b/plat_public/netdiag.te
diff --git a/prebuilts/api/26.0/plat_private/aee_aedv.te b/prebuilts/api/26.0/plat_private/aee_aedv.te
deleted file mode 100755
index c5f82da..0000000
--- a/prebuilts/api/26.0/plat_private/aee_aedv.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# =============================================+
-# Type Declaration
-# ==============================================
-
-type aee_aedv_exec, exec_type, file_type, vendor_file_type;
-typeattribute aee_aedv mlstrustedsubject;
-
-init_daemon_domain(aee_aedv)
-
diff --git a/r_non_plat/MtkCodecService.te b/r_non_plat/MtkCodecService.te
new file mode 100644
index 0000000..f9229a7
--- /dev/null
+++ b/r_non_plat/MtkCodecService.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /vendor/bin/MtkCodecService Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type MtkCodecService_exec , exec_type, file_type, vendor_file_type;
+type MtkCodecService ,domain;
+
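Review bot: The file declares `type MtkCodecService ,domain;` and its exec type but no `init_daemon_domain(MtkCodecService)` and no allow rules, so nothing in this diff transitions into the domain; presumably those rules live in a file not shown here, and a comment pointing to it would help the next reader. The spacing in `type MtkCodecService_exec , exec_type, file_type, vendor_file_type;` (a space before the first comma, none after the one on the next line) and the CamelCase domain name both depart from the `snake_case` style used by every other domain in this commit; `type mtk_codec_service, domain;` would match, though the corresponding file_contexts entry would need the same rename.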
diff --git a/r_non_plat/adbd.te b/r_non_plat/adbd.te
new file mode 100644
index 0000000..b431979
--- /dev/null
+++ b/r_non_plat/adbd.te
@@ -0,0 +1,13 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+#permissive adbd;
+
+# Data : WK17.46
+# Operator: Migration
+# Purpose: Allow adbd to read KE DB
+allow adbd aee_dumpsys_data_file:file r_file_perms;
+allow adbd aee_exp_data_file:dir r_dir_perms;
+allow adbd aee_exp_data_file:file r_file_perms;
+allow adbd gpu_device:dir search;
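Review bot: The new rules let adbd read the crash and exception data written by aee_aed (`aee_dumpsys_data_file`, `aee_exp_data_file`; see the aee_aed.te hunk below) on every build type; if this is only needed for debug builds, the grants belong inside a `userdebug_or_eng` wrapper, as this repository already does for `sys_admin` in aee_aed.te. The leftover `#permissive adbd;` line should be deleted rather than kept as a commented toggle. The header rule `# ============` is truncated relative to the other files, and `# Operator: Migration` is presumably `# Operation: Migration`, the wording the rest of the commit uses.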
diff --git a/r_non_plat/aee_aed.te b/r_non_plat/aee_aed.te
new file mode 100644
index 0000000..fb69ca2
--- /dev/null
+++ b/r_non_plat/aee_aed.te
@@ -0,0 +1,69 @@
+# ==============================================
+# Policy File of /system/bin/aee_aed Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow aee_aed aed_device:chr_file rw_file_perms;
+allow aee_aed expdb_device:chr_file rw_file_perms;
+allow aee_aed expdb_block_device:blk_file rw_file_perms;
+allow aee_aed etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow aee_aed mtd_device:dir create_dir_perms;
+allow aee_aed mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow aee_aed RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow aee_aed aee_exp_data_file:dir create_dir_perms;
+allow aee_aed aee_exp_data_file:file create_file_perms;
+
+#data/dumpsys
+allow aee_aed aee_dumpsys_data_file:dir create_dir_perms;
+allow aee_aed aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow aee_aed aee_core_data_file:dir create_dir_perms;
+allow aee_aed aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow aee_aed data_tmpfs_log_file:dir create_dir_perms;
+allow aee_aed data_tmpfs_log_file:file create_file_perms;
+
+# Purpose: aee_aed set property
+set_prop(aee_aed, persist_mtk_aee_prop);
+set_prop(aee_aed, persist_aee_prop);
+set_prop(aee_aed, debug_mtk_aee_prop);
+
+# /proc/lk_env
+allow aee_aed proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow aee_aed to read /proc/pid/exe
+#allow aee_aed exec_type:file r_file_perms;
+
+# Purpose: Allow aee_aed to read /proc/cpu/alignment
+allow aee_aed proc_cpu_alignment:file { write open };
+
+# Purpose: Allow aee_aed to access /sys/devices/virtual/timed_output/vibrator/enable
+allow aee_aed sysfs_vibrator_setting:dir search;
+allow aee_aed sysfs_vibrator_setting:file w_file_perms;
+allow aee_aed sysfs_vibrator:dir search;
+allow aee_aed sysfs_leds:dir search;
+
+# Purpose: Allow aee_aed to read /proc/kpageflags
+allow aee_aed proc_kpageflags:file r_file_perms;
+
+# temp solution
+get_prop(aee_aed, vendor_default_prop)
+
+hal_client_domain(aee_aed, mtk_hal_log)
+
+# Purpose: create /data/aee_exp at runtime
+allow aee_aed file_contexts_file:file r_file_perms;
+allow aee_aed aee_exp_data_file:dir relabelto;
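Review bot: The comment `# Purpose: Allow aee_aed to read /proc/cpu/alignment` does not match the rule under it, `allow aee_aed proc_cpu_alignment:file { write open };`, which grants write but not read; either the comment should say "write" — and explain why, since writing that node changes the kernel's alignment-trap handling for every process — or the permission set should be `r_file_perms`. At the bottom, `allow aee_aed aee_exp_data_file:dir relabelto;` under `# Purpose: create /data/aee_exp at runtime` presupposes `relabelfrom` on whatever label the directory has when created; the `system_data_file` creation rules for aee_aed are removed earlier in this commit, so if aee_aed still creates the directory under /data itself the relabel will be denied — worth confirming against how /data/aee_exp is created now. Minor: `#data/aee_exp` and `#data/dumpsys` omit the leading slash while `#/data/core` has it; consistent paths make grepping easier.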
diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te
new file mode 100644
index 0000000..7a13c5a
--- /dev/null
+++ b/r_non_plat/aee_aedv.te
@@ -0,0 +1,431 @@
+# ==============================================
+# Policy File of /vendor/bin/aee_aedv Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow aee_aedv aed_device:chr_file rw_file_perms;
+allow aee_aedv expdb_device:chr_file rw_file_perms;
+allow aee_aedv expdb_block_device:blk_file rw_file_perms;
+allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
+allow aee_aedv etb_device:chr_file rw_file_perms;
+
+# AED start: /dev/block/expdb
+allow aee_aedv block_device:dir search;
+
+# NE flow: /dev/RT_Monitor
+allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_exp_vendor_file:file create_file_perms;
+
+#data/dumpsys
+allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
+
+#/data/core
+allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_core_vendor_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
+allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
+
+allow aee_aedv domain:process { sigkill getattr getsched};
+allow aee_aedv domain:lnk_file getattr;
+
+#core-pattern
+allow aee_aedv usermodehelper:file r_file_perms;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')
+
+# Purpose: aee_aedv set property
+set_prop(aee_aedv, persist_mtk_aeev_prop);
+set_prop(aee_aedv, persist_aeev_prop);
+set_prop(aee_aedv, debug_mtk_aeev_prop);
+
+# Purpose: mnt/user/*
+allow aee_aedv mnt_user_file:dir search;
+allow aee_aedv mnt_user_file:lnk_file read;
+
+allow aee_aedv storage_file:dir search;
+allow aee_aedv storage_file:lnk_file read;
+
+userdebug_or_eng(`
+ allow aee_aedv su:dir {search read open };
+ allow aee_aedv su:file { read getattr open };
+')
+
+# /proc/pid/
+allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
+
+# PROCESS_FILE_STATE
+allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
+allow aee_aedv dumpstate:dir search;
+allow aee_aedv dumpstate:file r_file_perms;
+
+allow aee_aedv logdr_socket:sock_file write;
+allow aee_aedv logd:unix_stream_socket connectto;
+
+# vibrator
+allow aee_aedv sysfs_vibrator:file w_file_perms;
+
+# /proc/lk_env
+allow aee_aedv proc_lk_env:file rw_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make aee_aedv can get specific process NE info
+allow aee_aedv domain:dir r_dir_perms;
+allow aee_aedv domain:{ file lnk_file } r_file_perms;
+#allow aee_aedv {
+# domain
+# -logd
+# -keystore
+# -init
+#}:process ptrace;
+#allow aee_aedv zygote_exec:file r_file_perms;
+#allow aee_aedv init_exec:file r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify aee_aedv
+# Purpose : make aee_aedv can get notify from crash_dump
+allow aee_aedv crash_dump:dir search;
+allow aee_aedv crash_dump:file r_file_perms;
+
+# Date : 20170512
+# Operation : fix aee_archive can't execute issue
+# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
+# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
+# tclass=file permissive=0
+allow aee_aedv vendor_file:file execute_no_trans;
+
+# Purpose: debugfs files
+allow aee_aedv debugfs_binder:dir { read open };
+allow aee_aedv debugfs_binder:file { read open };
+allow aee_aedv debugfs_blockio:file { read open };
+allow aee_aedv debugfs_fb:dir search;
+allow aee_aedv debugfs_fb:file { read open };
+allow aee_aedv debugfs_fuseio:dir search;
+allow aee_aedv debugfs_fuseio:file { read open };
+allow aee_aedv debugfs_ged:dir search;
+allow aee_aedv debugfs_ged:file { read open };
+allow aee_aedv debugfs_rcu:dir search;
+allow aee_aedv debugfs_shrinker_debug:file { read open };
+allow aee_aedv debugfs_wakeup_sources:file { read open };
+allow aee_aedv debugfs_dmlog_debug:file { read open };
+allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
+allow aee_aedv debugfs_ion_mm_heap:dir search;
+allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
+allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
+allow aee_aedv debugfs_cpuhvfs:dir search;
+allow aee_aedv debugfs_cpuhvfs:file { read open };
+allow aee_aedv debugfs_emi_mbw_buf:file { read open };
+allow aee_aedv debugfs_vpu_device_dbg:file { read open };
+
+# Purpose:
+# 01-01 00:02:46.390 3315 3315 W aee_dumpstatev: type=1400 audit(0.0:4728):
+# avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext=
+# u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
+allow aee_aedv proc_interrupts:file read;
+
+# Purpose:
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow aee_aedv debugfs_tracing:file rw_file_perms;
+
+# Purpose:
+# 01-01 00:05:16.730 3566 3566 W dmesg : type=1400 audit(0.0:5173): avc:
+# denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv:
+# s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
+allow aee_aedv kmsg_device:chr_file read;
+
+# Purpose:
+# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
+# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv platform_app:dir r_dir_perms;
+allow aee_aedv platform_app:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
+# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app_25:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
+# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
+# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv priv_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
+# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
+# permissive=0
+allow aee_aedv proc_interrupts:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:16.620 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5171):
+# avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
+allow aee_aedv proc_net:file read;
+
+# Purpose:
+# 01-01 00:05:16.610 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5168):
+# avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext=
+# u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
+allow aee_aedv proc_zoneinfo:file read;
+
+# Purpose:
+# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
+# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
+allow aee_aedv sysfs_leds:dir search;
+allow aee_aedv sysfs_leds:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
+# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# sysfs_ccci:s0 tclass=dir permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
+# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
+# tclass=file permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
+# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:sysfs_ccci:s0 tclass=file permissive=1
+allow aee_aedv sysfs_ccci:dir search;
+allow aee_aedv sysfs_ccci:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
+# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
+allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
+
+# Purpose:
+# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
+# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
+# s0 tclass=chr_file permissive=0
+# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
+# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
+allow aee_aedv kmsg_device:chr_file r_file_perms;
+allow aee_aedv kernel:system syslog_read;
+
+# Purpose:
+# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
+# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:proc_meminfo:s0 tclass=file permissive=0
+allow aee_aedv proc_meminfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
+# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
+allow aee_aedv proc_net:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
+# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
+# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
+allow aee_aedv proc_zoneinfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
+# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# rootfs:s0 tclass=file permissive=0
+allow aee_aedv rootfs:file r_file_perms;
+
+# Purpose:
+# 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
+# for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# debugfs_dynamic_debug:s0 tclass=dir permissive=0
+allow aee_aedv debugfs_dynamic_debug:dir search;
+allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
+
+# Purpose:
+# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
+# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;
+
+# Purpose: Allow aee_aedv to use HwBinder IPC.
+hwbinder_use(aee_aedv)
+get_prop(aee_aedv, hwservicemanager_prop)
+
+# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
+# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
+hal_client_domain(aee_aedv, hal_camera)
+allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
+binder_call(aee_aedv, mtk_hal_camera)
+
+# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
+allow aee_aedv selinuxfs:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pid/exe
+#allow aee_aedv exec_type:file r_file_perms;
+
+# Purpose: mrdump db flow and pre-allocation
+# mrdump db flow
+allow aee_aedv sysfs_dt_firmware_android:dir search;
+allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
+allow aee_aedv kernel:system module_request;
+allow aee_aedv metadata_file:dir search;
+# pre-allocation
+allow aee_aedv self:capability linux_immutable;
+allow aee_aedv userdata_block_device:blk_file { read write open };
+allow aee_aedv para_block_device:blk_file rw_file_perms;
+allow aee_aedv mrdump_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ FS_IOC_FIEMAP
+};
+
+# Purpose: allow vendor aee read lowmemorykiller logs
+# file path: /sys/module/lowmemorykiller/parameters/
+allow aee_aedv sysfs_lowmemorykiller:dir search;
+allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
+allow aee_aedv sysfs_scp:dir r_dir_perms;
+allow aee_aedv sysfs_scp:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
+allow aee_aedv sysfs_adsp:dir r_dir_perms;
+allow aee_aedv sysfs_adsp:file r_file_perms;
+
+# Purpose: allow aee_aedv self to fsetid/sys_nice/chown/fowner/kill
+allow aee_aedv self:capability { fsetid sys_nice chown fowner kill };
+
+# Purpose: allow aee_aedv to read /proc/buddyinfo
+allow aee_aedv proc_buddyinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/cmdline
+allow aee_aedv proc_cmdline:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/slabinfo
+allow aee_aedv proc_slabinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/stat
+allow aee_aedv proc_stat:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/version
+allow aee_aedv proc_version:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmallocinfo
+allow aee_aedv proc_vmallocinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmstat
+allow aee_aedv proc_vmstat:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpu/alignment
+allow aee_aedv proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/gpulog
+allow aee_aedv proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
+allow aee_aedv proc_chip:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/sched_debug
+allow aee_aedv proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/atf_log
+allow aee_aedv proc_atf_log:dir search;
+
+# Purpose: Allow aee_aedv to read /proc/last_kmsg
+allow aee_aedv proc_last_kmsg:file r_file_perms;
+
+# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
+allow aee_aedv sysfs_vibrator_setting:dir search;
+allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
+allow aee_aedv sysfs_vibrator:dir search;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
+allow aee_aedv debugfs_rcu:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/ufs_debug
+allow aee_aedv proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/msdc_debug
+allow aee_aedv proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pidmap
+allow aee_aedv proc_pidmap:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
+allow aee_aedv sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow aee_aedv sysfs_boot_mode:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`
+allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
+')
+
+#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
+allow aee_aedv proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
+allow aee_aedv proc_cmdq_debug:file r_file_perms;
+
+# temp solution
+get_prop(aee_aedv, vendor_default_prop)
+
+#data/dipdebug
+allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
+allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
+allow aee_aedv proc_isp_p2:dir r_dir_perms;
+allow aee_aedv proc_isp_p2:file r_file_perms;
+
+allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
+allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
+allow aee_aedv vendor_file_type:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
+allow aee_aedv debugfs_smi_mon:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
+allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory
+allow aee_aedv debugfs_vpu_memory:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
+allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;
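Review bot: `allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};` grants the vendor crash daemon CAP_SYS_MODULE and CAP_NET_ADMIN unconditionally under a comment that only says `# /proc/pid/`, and `allow aee_aedv kernel:system module_request;` further down already covers kernel module autoloading, so the need for sys_module is not apparent. The later `allow aee_aedv self:capability { fsetid sys_nice chown fowner kill };` re-grants four of the same bits; the two lines should be merged into one that lists only what the daemon needs, with sys_module/net_admin dropped or gated under `userdebug_or_eng` the way the sys_admin grant at the top of the file already is. Two comment/rule mismatches are worth fixing in the same pass: the `# Purpose: Allow aee_aedv to read /proc/cpu/alignment` rule actually grants `w_file_perms`, and the `atag,devinfo` sysfs read denial quoted in the comment is answered by `allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;`, a write on a different type. `allow aee_aedv domain:{ file lnk_file } r_file_perms;` also lets this daemon read every process's /proc entries, which is wider than the "specific process NE info" purpose stated above it and deserves either a narrower target or a comment explaining why a blanket grant is required. proc_interrupts, proc_net, proc_zoneinfo and kmsg_device each get two overlapping rules; keeping only the `r_file_perms` form of each would make the policy easier to audit.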
diff --git a/r_non_plat/aee_core_forwarder.te b/r_non_plat/aee_core_forwarder.te
new file mode 100644
index 0000000..43e97fe
--- /dev/null
+++ b/r_non_plat/aee_core_forwarder.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
+allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
+get_prop(aee_core_forwarder, hwservicemanager_prop)
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+wakelock_use(aee_core_forwarder)
+allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
+hwbinder_use(aee_core_forwarder)
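Review bot: The `aee_core_forwarder` domain is used throughout this file but never declared here (no `type`/`init_daemon_domain` line, unlike the sibling aee_aedv file), so it presumably comes from platform policy; a one-line comment such as `# aee_core_forwarder domain/exec type are declared in plat policy` next to the header would save the next reader from searching for the declaration. The header also says `/system/bin/aee_core_forwarder` while the file lives under r_non_plat, which is worth confirming.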
diff --git a/r_non_plat/aee_hidl.te b/r_non_plat/aee_hidl.te
new file mode 100644
index 0000000..347cbdc
--- /dev/null
+++ b/r_non_plat/aee_hidl.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_hal,domain;
+type aee_hal_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_hal mlstrustedsubject;
+# Purpose : for create hidl server
+hal_server_domain(aee_hal, mtk_hal_log)
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(aee_hal)
+
+set_prop(aee_hal, persist_mtk_aeev_prop);
+set_prop(aee_hal, persist_aeev_prop);
+set_prop(aee_hal, debug_mtk_aeev_prop);
+
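Review bot: `type aee_hal,domain;` is written without the space used by every other declaration in this merge (`type aee_aedv, domain;`), and the file is named aee_hidl.te while the domain it declares is `aee_hal`; both are style points but they make grepping for the domain harder. The header block also omits the executable path the other policy files put on their first comment line, and the file ends with a stray blank `+` line.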
diff --git a/r_non_plat/app.te b/r_non_plat/app.te
new file mode 100644
index 0000000..455cafb
--- /dev/null
+++ b/r_non_plat/app.te
@@ -0,0 +1,50 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow appdomain proc_ged:file rw_file_perms;
+allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow appdomain gpu_device:dir search;
+
+# Date : W17.30
+# Purpose : Allow MDP user access cmdq driver
+allow appdomain mtk_cmdq_device:chr_file {open read ioctl};
+
+# Date : W17.41
+# Operation: SQC
+# Purpose : Allow HWUI to access perfmgr
+allow appdomain proc_perfmgr:dir search;
+allow appdomain proc_perfmgr:file { getattr open read ioctl};
+allowxperm appdomain proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : W19.4
+# Purpose : Allow MDP user access mdp driver
+allow appdomain mdp_device:chr_file rw_file_perms;
+allow appdomain mtk_mdp_device:chr_file rw_file_perms;
+allow appdomain sw_sync_device:chr_file rw_file_perms;
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For platform app com.android.gallery3d
+allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For app com.tencent.qqpimsecure
+allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose : appdomain need get mtk_amslog_prop
+get_prop(appdomain, mtk_amslog_prop)
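Review bot: `allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;` is documented as being for the platform app com.android.gallery3d but grants read/write on radio data files to every app domain including untrusted_app; if the consumer really is a platform app, the rule should be scoped to it, e.g. `allow platform_app radio_data_file:file rw_file_perms;`. The unconditional `allow appdomain mdp_device:chr_file rw_file_perms;` / `mtk_mdp_device` / `sw_sync_device` grants likewise hand every installed app direct ioctl-capable access to kernel driver nodes, which widens the kernel attack surface well beyond the MDP users named in the comment; consider an attribute for the actual client domains, or at least an `allowxperm` ioctl whitelist as the proc_ged and proc_perfmgr rules already have.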
diff --git a/r_non_plat/appdomain.te b/r_non_plat/appdomain.te
new file mode 100644
index 0000000..3311b98
--- /dev/null
+++ b/r_non_plat/appdomain.te
@@ -0,0 +1,8 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow appdomain surfaceflinger:fifo_file rw_file_perms;
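Review bot: This file carries a single `appdomain` rule that belongs with the other appdomain rules in r_non_plat/app.te added by the same commit; keeping two files for one domain invites drift, so the rule should be moved there. The header also reads `# Data : WK16.42` and `# Operator:` where the other files use `Date` and `Operation`.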
diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te
new file mode 100644
index 0000000..a10bc1d
--- /dev/null
+++ b/r_non_plat/atci_service.te
@@ -0,0 +1,137 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file { open read write };
+allow atci_service misc2_device:chr_file { open read write };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
+allow atci_service self:capability { sys_nice ipc_lock };
+allow atci_service nvram_device:chr_file { read write open ioctl };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service camera_sysram_device:chr_file { read ioctl open };
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow atci_service ccu_device:chr_file { read write ioctl open };
+allow atci_service vpu_device:chr_file { read write ioctl open };
+allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
+allow atci_service DW9714AF_device:chr_file { read write ioctl open };
+allow atci_service devmap_device:chr_file { open read write ioctl };
+allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr };
+allow atci_service sdcard_type:file { setattr read create write getattr unlink open append };
+allow atci_service mediaserver:binder call;
+#allow atci_service system_server:unix_stream_socket { read write };
+allow atci_service self:capability sys_boot;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file { open read write };
+allow atci_service input_device:dir { open read search };
+allow atci_service input_device:file { open read write ioctl };
+allow atci_service input_device:chr_file { open read write ioctl };
+allow atci_service MAINAF_device:chr_file { open read write ioctl };
+allow atci_service MAIN2AF_device:chr_file { open read write ioctl };
+allow atci_service SUBAF_device:chr_file { open read write ioctl };
+allow atci_service tmpfs:lnk_file read;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+#allow atci_service mediaserver_service:service_manager find;
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file read;
+#allow atci_service mtk_perf_service:service_manager find;
+#allow atci_service sensorservice_service:service_manager find;
+allow atci_service storage_file:lnk_file read;
+#allow atci_service media_rw_data_file:dir { write search create add_name };
+#allow atci_service media_rw_data_file:file { read write create open };
+
+#============= atci_service ==============
+allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
+
+set_prop(atci_service, mtk_em_prop)
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file { read execute open execute_no_trans };
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file { read write ioctl open };
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service hidl_allocator_hwservice:hwservice_manager find;
+allow atci_service hidl_memory_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file { read ioctl open };
+allow atci_service mtk_cmdq_device:chr_file { read ioctl open };
+allow atci_service mtk_mdp_device:chr_file rw_file_perms;
+allow atci_service sw_sync_device:chr_file rw_file_perms;
+allow atci_service mtk_hal_power:binder call;
+allow atci_service mtk_hal_power_hwservice:hwservice_manager find;
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file { read getattr open };
+allow atci_service system_file:dir { read open };
+allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
+allow atci_service mtkcam_prop:file { read getattr open };
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file { read write open getattr };
+allow atci_service sysfs_vibrator_setting:file { read write open getattr };
+allow atci_service sysfs_leds_setting:file { read write open getattr };
+allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans };
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atci_service)
+hal_client_domain(atci_service, hal_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator);
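Review bot: `allow atci_service self:capability sys_boot;` lets the AT-command service reboot the device, with no comment stating which command needs it; given that this daemon services commands arriving from outside the device, a one-line justification (or a `userdebug_or_eng` gate if it is a test-only command) should accompany the grant. The same applies to `allow atci_service sdcard_type:dir { ... remove_name create ... }` and the `unlink` on sdcard_type files, which allow deleting arbitrary user data from shared storage. Two rules are exact duplicates and can be dropped: `allow atci_service camera_isp_device:chr_file { read write ioctl open };` appears twice near the top, and `allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};` is subsumed by the later `rw_file_perms` grant on the same type. `allow atci_service system_file:dir { read open };` and `allow atci_service mediaserver:binder call;` from a vendor domain look like Treble boundary crossings that may trip platform neverallows; worth confirming against the build.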
diff --git a/r_non_plat/atcid.te b/r_non_plat/atcid.te
new file mode 100644
index 0000000..9ce98d2
--- /dev/null
+++ b/r_non_plat/atcid.te
@@ -0,0 +1,74 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+set_prop(atcid,persist_service_atci_prop)
+allow atcid block_device:dir search;
+allow atcid socket_device:sock_file write;
+allow atcid gsmrild_socket:sock_file write;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid)
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file { read write ioctl open };
+allow atcid wmtWifi_device:chr_file { write open };
+allow atcid misc2_block_device:blk_file { read write open };
+allow atci_service gpu_device:chr_file { read write open ioctl getattr };
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file rw_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file { read open };
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get tel_switch_prop
+get_prop(atcid, tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid);
+vndbinder_use(atcid);
+hal_server_domain(atcid, hal_atci)
+add_hwservice(hal_atci_server,hal_atci_hwservice)
+
+# Date : WK18.21
+# Purpose: For special command for customer
+set_prop(atcid, mtk_atci_prop);
+set_prop(atcid, powerctl_prop);
+allow atcid mnt_vendor_file:dir search;
+allow atcid nvdata_file:dir { open read write search add_name };
+allow atcid nvdata_file:file { open read write create getattr setattr };
+allow atcid nvram_device:blk_file { open read write };
+allow atcid proc_meminfo:file { open read };
+allow atcid sysfs_batteryinfo:dir search;
+allow atcid sysfs_mmcblk:dir search;
+allow atcid sysfs_mmcblk:file { read open };
+
+# Date : WK18.35
+# Purpose: Add socket for TelephonyWare ATCI
+unix_socket_connect(atcid, rild_atci, rild);
+unix_socket_connect(atcid, rilproxy_atci, rild);
+unix_socket_connect(atcid, atci_service, atci_service);
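Review bot: `allow atci_service gpu_device:chr_file { read write open ioctl getattr };` names atci_service as the source domain inside atcid.te, so it is either a copy/paste error that should read `allow atcid gpu_device:chr_file { read write open ioctl getattr };` or a rule that belongs in atci_service.te; as written it silently widens a different domain from an unrelated file. `hwbinder_use(atcid);` under the WK18.21 block repeats the `hwbinder_use(atcid)` already issued under WK17.21 and can be removed. `set_prop(atcid, powerctl_prop);` together with `self:capability sys_time` gives an externally driven AT-command daemon the ability to trigger power-state changes and set the clock; a comment naming the commands that require these, or a `userdebug_or_eng` gate, would make the grant reviewable.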
diff --git a/r_non_plat/attributes b/r_non_plat/attributes
new file mode 100644
index 0000000..e00aa73
--- /dev/null
+++ b/r_non_plat/attributes
@@ -0,0 +1,90 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
+attribute mtk_core_property_type;
+
+# Date: 2017/06/12
+# LBS HIDL
+#attribute mtk_hal_lbs;
+#attribute mtk_hal_lbs_client;
+#attribute mtk_hal_lbs_server;
+
+# Date: 2017/06/27
+# IMSA HIDL
+attribute hal_imsa;
+attribute hal_imsa_client;
+attribute hal_imsa_server;
+
+# attribute that represents all MTK IMS types. It should be used by AP side module only.
+attribute mtkimsapdomain;
+#
+# # attribute that represents all MTK IMS types. It should be used by MD side module only.
+attribute mtkimsmddomain;
+
+# Date: 2017/07/19
+# PQ HIDL
+attribute hal_pq;
+attribute hal_pq_client;
+attribute hal_pq_server;
+
+# Date: 2017/07/28
+# KEY ATTESTATION HIDL
+attribute mtk_hal_keyattestation;
+attribute mtk_hal_keyattestation_client;
+attribute mtk_hal_keyattestation_server;
+# Date: 2017/07/13
+# NVRAM AGENT HIDL
+attribute hal_nvramagent;
+attribute hal_nvramagent_client;
+attribute hal_nvramagent_server;
+
+# Date: 2018/05/25
+# FM HIDL
+attribute mtk_hal_fm;
+attribute mtk_hal_fm_client;
+attribute mtk_hal_fm_server;
+
+# Date: 2018/03/23
+# log hidl
+attribute mtk_hal_log;
+attribute mtk_hal_log_client;
+attribute mtk_hal_log_server;
+
+# Date: 2018/06/26
+# em hidl
+attribute mtk_hal_em;
+attribute mtk_hal_em_client;
+attribute mtk_hal_em_server;
+
+# Date: 2018/07/02
+# MDP HIDL
+attribute hal_mms;
+attribute hal_mms_client;
+attribute hal_mms_server;
+
+attribute hal_mtkcodecservice_server;
+attribute hal_mtkcodecservice;
+
+attribute hal_atci;
+attribute hal_atci_client;
+attribute hal_atci_server;
+
+# Date: 2019/06/12
+# modem db filter hidl
+attribute mtk_hal_md_dbfilter_server;
+
+# Date: 2019/07/16
+# HDMI HIDL
+attribute hal_hdmi;
+attribute hal_hdmi_client;
+attribute hal_hdmi_server;
+
+# Date: 2019/09/06
+# BGService HIDL
+attribute mtk_hal_bgs;
+attribute mtk_hal_bgs_client;
+attribute mtk_hal_bgs_server;
+
+
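Review bot: `attribute hal_mtkcodecservice_server;` / `attribute hal_mtkcodecservice;` and `attribute mtk_hal_md_dbfilter_server;` break the `<name>`, `<name>_client`, `<name>_server` triple that every other HAL block in this file declares, and they carry no date/purpose header. If the missing members are intentional, a one-line comment such as `# no _client attribute: only the server side is constrained` would stop the next reader from assuming a declaration was dropped. The commented-out `mtk_hal_lbs*` block could likewise state whether it is retired or pending.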
diff --git a/r_non_plat/audiocmdservice_atci.te b/r_non_plat/audiocmdservice_atci.te
new file mode 100644
index 0000000..7be9753
--- /dev/null
+++ b/r_non_plat/audiocmdservice_atci.te
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /system/bin/audiocmdservice_atci Executable File
+type audiocmdservice_atci ,domain;
+type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(audiocmdservice_atci)
+
+unix_socket_connect(atcid, atci-audio, audiocmdservice_atci);
+allow audiocmdservice_atci self:unix_stream_socket { create_socket_perms read write };
+
+# Access to storages for audio tuning tool to read/write tuning result
+allow audiocmdservice_atci { block_device device }:dir { write search };
+allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
+allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
+allow audiocmdservice_atci bootdevice_block_device:blk_file { read write };
+
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(audiocmdservice_atci)
+binder_call(audiocmdservice_atci,mtk_hal_audio);
+
+#Android O porting
+hwbinder_use(audiocmdservice_atci)
+get_prop(audiocmdservice_atci, hwservicemanager_prop);
+#allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
+
+hal_client_domain(audiocmdservice_atci, hal_audio)
+
+#To access the file at /dev/kmsg
+allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
+
+userdebug_or_eng(`
+ allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin};
+')
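Review bot: `allow audiocmdservice_atci bootdevice_block_device:blk_file { read write };` gives an audio tuning daemon raw read/write on the whole boot device, which bypasses every file-level label on the partitions it contains, while the comment above only speaks of storing tuning results. If a raw partition is really required, the pattern used elsewhere in this commit — a dedicated partition type such as `nvram_device` or `para_block_device` — confines the grant to one partition. The `userdebug_or_eng` block correctly keeps the capability set out of user builds, but `net_admin` and `setuid` for an audio tuning service deserve a comment naming the operation that needs them. The header says `/system/bin/audiocmdservice_atci` while the exec type carries `vendor_file_type`; one of the two looks stale.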
diff --git a/r_non_plat/audioserver.te b/r_non_plat/audioserver.te
new file mode 100644
index 0000000..e4451c8
--- /dev/null
+++ b/r_non_plat/audioserver.te
@@ -0,0 +1,57 @@
+# ==============================================
+# MTK Policy Rule for vendor
+# ==============================================
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow audioserver rpc_socket:sock_file write;
+allow audioserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow audioserver sysfs_lowmemorykiller:file { read open };
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow audioserver proc_mtkcooler:dir search;
+allow audioserver proc_mtktz:dir search;
+allow audioserver proc_thermal:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow audioserver sysfs_ccci:file r_file_perms;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow audioserver tmpfs:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: access sysfs node
+allow audioserver sysfs_ccci:dir search;
+
+# Purpose: Dump debug info
+allow audioserver debugfs_binder:dir search;
+allow audioserver fuse:file write;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow audioserver proc_ged:file rw_file_perms;
+
+# Date : WK16.48
+# Purpose: Allow to trigger AEE dump
+allow audioserver aee_aed:unix_stream_socket connectto;
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(audioserver, vendor_default_prop)
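Review bot: The `# Purpose: Dump debug info` rules `allow audioserver debugfs_binder:dir search;` and `allow audioserver fuse:file write;` are unconditional, so debug-only access also ships in user builds; `audiocmdservice_atci.te` in this same commit wraps its debug grants in `userdebug_or_eng(`...')`, and the same wrapping would fit here unless the dump path is needed in production. `fuse:file write` without `open` presumably relies on an fd handed over by another process; a comment saying so would make the narrow grant understandable. Minor: several headers read `# Data:` where the rest of the file uses `# Date:`.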
diff --git a/r_non_plat/biosensord_nvram.te b/r_non_plat/biosensord_nvram.te
new file mode 100644
index 0000000..5fe181c
--- /dev/null
+++ b/r_non_plat/biosensord_nvram.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Policy File of /system/bin/biosensord_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type biosensord_nvram ,domain;
+type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
+type biosensord_nvram_file, file_type, data_file_type;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(biosensord_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For biosensor daemon can do nvram r/w to save calibration data
+allow biosensord_nvram nvdata_file:dir rw_dir_perms;
+allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
+allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
+allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
+allow biosensord_nvram self:capability { chown fsetid };
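Review bot: `type biosensord_nvram_file, file_type, data_file_type;` is declared, but no rule in this file grants `biosensord_nvram` any access to it — the calibration data is written under `nvdata_file` — so the type is either used from another file (worth a comment) or dead. `allow biosensord_nvram self:capability { chown fsetid };` is the only rule in the block without a `Purpose` line; if the chown is limited to files the daemon itself creates under nvdata, say so, e.g. `# chown/fsetid: fix ownership of calibration files created under nvdata_file`. The empty `# Android Policy Rule` and `# NSA Policy Rule` sections could be dropped rather than left as placeholders.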
diff --git a/r_non_plat/bluetooth.te b/r_non_plat/bluetooth.te
new file mode 100644
index 0000000..ec4d725
--- /dev/null
+++ b/r_non_plat/bluetooth.te
@@ -0,0 +1,25 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date:W17.07
+# Operation : bt hal developing
+# Purpose : bt hal interface permission
+binder_call(bluetooth, mtk_hal_bluetooth)
+
+allow bluetooth storage_stub_file:dir getattr;
+
+# Date: 2018/01/17
+#allow bluetooth to set property
+set_prop(bluetooth, vendor_bluetooth_prop)
+set_prop(bluetooth, debug_prop)
+
+# Date: 2018/02/02
+# Major permission allow are in /system/sepoplicy/private/bluetooth.te
+# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
+allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
+allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms };
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(bluetooth, mtk_amslog_prop)
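Review bot: `set_prop(bluetooth, debug_prop)` lets the Bluetooth domain set the whole `debug.*` property namespace in user builds, and the `# Date: 2018/01/17` comment only says "allow bluetooth to set property" without naming which key or why. If this exists for logging toggles, wrapping it in `userdebug_or_eng(`...')` or moving the key under `vendor_bluetooth_prop` (granted on the line above) would be tighter. `relabelto` in `bluetooth_logs_data_file:dir { create_dir_perms relabelto }` is a deliberate grant that the comment above (which only mentions creating directories) does not explain; one line stating what is relabelled from which type would justify it.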
diff --git a/r_non_plat/boot_logo_updater.te b/r_non_plat/boot_logo_updater.te
new file mode 100644
index 0000000..bebd392
--- /dev/null
+++ b/r_non_plat/boot_logo_updater.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/binboot_logo_updater Executable File
+# ==============================================
+# Type Declaration
+# ==============================================
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : To access file directories and files like logo.bin
+allow boot_logo_updater logo_block_device:blk_file r_file_perms;
+# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
+allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
+
+#To access file at /dev/logo
+allow boot_logo_updater logo_device:chr_file r_file_perms;
+# To access file at /proc/lk_env
+allow boot_logo_updater proc_lk_env:file rw_file_perms;
+
+# Date : WK16.25
+# Operation : Global_Device/Uniservice Feature
+# Purpose : for it to read-write SysEnv data
+allow boot_logo_updater para_block_device:blk_file rw_file_perms;
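Review bot: The `# Type Declaration` header at the top of the file is followed by no `type` statements, so a reader looking for `boot_logo_updater` / `boot_logo_updater_exec` here will not find them; either drop the header or add `# domain and exec type are declared in <file>` with the real location. The first line's `/system/binboot_logo_updater` is missing a slash. `allow boot_logo_updater proc_lk_env:file rw_file_perms;` grants write to the bootloader environment node while its comment only says "To access file"; a `Purpose` line stating what is written, as the `para_block_device` rule has, would justify the write half.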
diff --git a/r_non_plat/bootanim.te b/r_non_plat/bootanim.te
new file mode 100644
index 0000000..4f0bc35
--- /dev/null
+++ b/r_non_plat/bootanim.te
@@ -0,0 +1,34 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+allow bootanim bootani_prop:property_service set;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow bootanim qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow bootanim proc_ged:file rw_file_perms;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : For MTK perfmgr
+allow bootanim proc_perfmgr:dir r_dir_perms;
+allow bootanim proc_perfmgr:file r_file_perms;
+
+# Date : WK19.11
+# Operation : Migration
+# Purpose : Allow to access ged for ioctl related functions
+allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
+allowxperm bootanim proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
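Review bot: `allow bootanim bootani_prop:property_service set;` is a hand-written property rule where the rest of this commit uses the `set_prop(domain, prop)` macro (e.g. `set_prop(bluetooth, vendor_bluetooth_prop)` in bluetooth.te); the macro also carries the property-socket permissions a set needs, so unless bootanim already gets those from platform policy the write may be denied at runtime. Suggest `set_prop(bootanim, bootani_prop)`. The `# ============` header line is truncated relative to the other files; cosmetic.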
diff --git a/r_non_plat/cameraserver.te b/r_non_plat/cameraserver.te
new file mode 100644
index 0000000..727eef6
--- /dev/null
+++ b/r_non_plat/cameraserver.te
@@ -0,0 +1,322 @@
+# ==============================================================================
+# Policy File of /system/bin/cameraserver Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# -----------------------------------
+# Android O
+# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
+# -----------------------------------
+
+# call camerahalserver
+binder_call(cameraserver, mtk_hal_camera)
+
+# call the graphics allocator hal
+binder_call(cameraserver, hal_graphics_allocator)
+
+# -----------------------------------
+# Android O
+# Purpose: Debugging
+# -----------------------------------
+# Purpose: adb shell dumpsys media.camera --unreachable
+allow cameraserver self:process { ptrace };
+
+# -----------------------------------
+# Purpose: property access
+# -----------------------------------
+allow cameraserver mtkcam_prop:file { open read getattr };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+# allow cameraserver nvram_device:chr_file rw_file_perms;
+### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
+# #allow cameraserver self:netlink_kobject_uevent_socket { create setopt bind };
+# allow cameraserver self:capability { net_admin };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : VP/VR
+# allow cameraserver devmap_device:chr_file { ioctl };
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+# allow cameraserver bluetooth:unix_dgram_socket sendto;
+# allow cameraserver bt_a2dp_stream_socket:sock_file write;
+# allow cameraserver bt_int_adp_socket:sock_file write;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : camera ioctl
+# allow cameraserver camera_sysram_device:chr_file r_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : VDEC/VENC device node
+# allow cameraserver Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+# allow cameraserver MtkCodecService:binder call;
+# allow cameraserver ccci_device:chr_file rw_file_perms;
+# allow cameraserver eemcs_device:chr_file rw_file_perms;
+# allow cameraserver devmap_device:chr_file r_file_perms;
+# allow cameraserver ebc_device:chr_file rw_file_perms;
+# allow cameraserver nvram_device:blk_file rw_file_perms;
+# allow cameraserver bootdevice_block_device:blk_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for SW codec VP/VR
+# allow cameraserver mtk_sched_device:chr_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : NVRam access
+# allow cameraserver block_device:dir { write search };
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+# allow cameraserver fm_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for VP/VR
+# allow cameraserver block_device:dir search;
+# allow cameraserver FM50AF_device:chr_file rw_file_perms;
+# allow cameraserver AD5820AF_device:chr_file rw_file_perms;
+# allow cameraserver DW9714AF_device:chr_file rw_file_perms;
+# allow cameraserver DW9814AF_device:chr_file rw_file_perms;
+# allow cameraserver AK7345AF_device:chr_file rw_file_perms;
+# allow cameraserver DW9714A_device:chr_file rw_file_perms;
+# allow cameraserver LC898122AF_device:chr_file rw_file_perms;
+# allow cameraserver LC898212AF_device:chr_file rw_file_perms;
+# allow cameraserver BU6429AF_device:chr_file rw_file_perms;
+# allow cameraserver DW9718AF_device:chr_file rw_file_perms;
+# allow cameraserver BU64745GWZAF_device:chr_file rw_file_perms;
+# allow cameraserver MAINAF_device:chr_file rw_file_perms;
+# allow cameraserver MAIN2AF_device:chr_file rw_file_perms;
+# allow cameraserver SUBAF_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for boot animation.
+# allow cameraserver bootanim:binder { transfer call };
+
+# allow cameraserver mtkbootanimation:binder { transfer call };
+# Data : WK14.38
+# Operation : Migration
+# Purpose : dump for debug
+# allow cameraserver sdcard_type:file append;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : FDVT Driver
+# allow cameraserver camera_fdvt_device:chr_file rw_file_perms;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : APE PLAYBACK
+# binder_call(cameraserver, MtkCodecService)
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : HW encrypt SW codec
+# allow cameraserver sec_device:chr_file r_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow cameraserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+# allow cameraserver smartpa_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : mtk_jpeg
+# allow cameraserver mtk_jpeg_device:chr_file r_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+# allow cameraserver uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : Camera EEPROM Calibration
+# allow cameraserver CAM_CAL_DRV_device:chr_file rw_file_perms;
+# allow cameraserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
+# allow cameraserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+# allow cameraserver vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+# allow cameraserver rpc_socket:sock_file write;
+# allow cameraserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : VP
+# allow cameraserver surfaceflinger:file getattr;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+# allow cameraserver sysfs_lowmemorykiller:file { read open };
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+# allow cameraserver qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for camera init
+# allow cameraserver system_server:unix_stream_socket { read write };
+
+# Data : WK14.46
+# Operation : Migration
+# Purpose : for SMS app
+# allow cameraserver radio_data_file:dir search;
+# allow cameraserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : Launch camcorder from MMS
+# Purpose : Camcorder
+# allow cameraserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+# allow cameraserver untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+# allow cameraserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.32
+# Operation : Pre-sanity
+# Purpose : 3A algorithm need to access sensor service
+# allow cameraserver sensorservice_service:service_manager find;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+# allow cameraserver storage_file:lnk_file {read write};
+# allow cameraserver mnt_user_file:dir {write read search};
+# allow cameraserver mnt_user_file:lnk_file {read write};
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose: Allow cameraserver to read binder from surfaceflinger
+# allow cameraserver surfaceflinger:fifo_file {read write};
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : DPE Driver
+# allow cameraserver camera_dpe_device:chr_file rw_file_perms;
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : TSF Driver
+# allow cameraserver camera_tsf_device:chr_file rw_file_perms;
+
+# Date : WK16.20
+# Operation : Migration
+# Purpose: research root dir "/"
+allow cameraserver tmpfs:dir search;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : EGL file access
+allow cameraserver system_file:dir { read open };
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir search;
+
+# Date : WK16.32
+# Operation : Migration
+# Purpose : RSC Driver
+# allow cameraserver camera_rsc_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow cameraserver proc_ged:file rw_file_perms;
+allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : WK16.33
+# Operation : Migration
+# Purpose : GEPF Driver
+# allow cameraserver camera_gepf_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+# allow cameraserver flashlight_device:chr_file rw_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+# allow cameraserver surfaceflinger:fifo_file rw_file_perms;
+
+# Date : WK16.43
+# Operation : Migration
+# Purpose : WPE Driver
+# allow cameraserver camera_wpe_device:chr_file rw_file_perms;
+
+# Date : WK16.49
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+# userdebug_or_eng(`
+# allow cameraserver aee_aed:unix_stream_socket connectto;
+# ')
+
+# Date : WK17.19
+# Operation : Migration
+# Purpose : OWE Driver
+# allow cameraserver camera_owe_device:chr_file rw_file_perms;
+
+# Date : WK17.25
+# Operation : Migration
+allow cameraserver debugfs_ion:dir search;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+# allow cameraserver mtk_cmdq_device:chr_file { read ioctl open };
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : DIP Driver
+# allow cameraserver camera_dip_device:chr_file rw_file_perms;
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : MFB Driver
+# allow cameraserver camera_mfb_device:chr_file rw_file_perms;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose: Allow permgr access
+allow cameraserver proc_perfmgr:dir {read search};
+allow cameraserver proc_perfmgr:file r_file_perms;
+allowxperm cameraserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
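Review bot: `allow cameraserver self:process { ptrace };` is justified only as `adb shell dumpsys media.camera --unreachable`, a debugging aid, yet it is unconditional; wrapping it in `userdebug_or_eng(`...')` as the (commented-out) `aee_aed` block below does would keep production cameraserver free of it, unless that dumpsys path is required on user builds. Roughly two thirds of this new file is commented-out `allow` rules that appear to be carried over from an older migration (the `*AF_device` list, `sec_device`, `vow_device`, …); since `r_non_plat/` is a fresh directory, dropping them or stating in the header that they are kept as a migration checklist would make the live policy auditable. `allow cameraserver mtkcam_prop:file { open read getattr };` reads a property type as a plain file; `get_prop(cameraserver, mtkcam_prop)`, used elsewhere in this commit, expresses the same intent and also covers the `map` permission property reads may need on newer releases.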
diff --git a/r_non_plat/ccci_fsd.te b/r_non_plat/ccci_fsd.te
new file mode 100644
index 0000000..1b7dd94
--- /dev/null
+++ b/r_non_plat/ccci_fsd.te
@@ -0,0 +1,67 @@
+# ==============================================
+# Policy File of /system/bin/ccci_fsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
+type ccci_fsd, domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(ccci_fsd)
+
+wakelock_use(ccci_fsd)
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_fsd nvram_data_file:dir create_dir_perms;
+allow ccci_fsd nvram_data_file:file create_file_perms;
+allow ccci_fsd nvram_data_file:lnk_file read;
+allow ccci_fsd nvdata_file:lnk_file read;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvram_device:chr_file rw_file_perms;
+allow ccci_fsd vendor_configs_file:file r_file_perms;
+allow ccci_fsd vendor_configs_file:dir r_dir_perms;
+
+#============= ccci_fsd device/path/data access==============
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+#============= ccci_fsd MD Data==============
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+#============= ccci_fsd MD3 related==============
+allow ccci_fsd c2k_file:dir create_dir_perms;
+allow ccci_fsd c2k_file:file create_file_perms;
+allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
+allow ccci_fsd otp_device:chr_file rw_file_perms;
+allow ccci_fsd sysfs_boot_type:file { read open };
+#============= ccci_fsd MD block data==============
+##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram
+allow ccci_fsd block_device:dir search;
+allow ccci_fsd nvram_device:blk_file rw_file_perms;
+allow ccci_fsd nvdata_device:blk_file rw_file_perms;
+#============= ccci_fsd cryption related ==============
+allow ccci_fsd rawfs:dir create_dir_perms;
+allow ccci_fsd rawfs:file create_file_perms;
+#============= ccci_fsd sysfs related ==============
+allow ccci_fsd sysfs_ccci:dir search;
+allow ccci_fsd sysfs_ccci:file r_file_perms;
+
+#============= ccci_fsd ==============
+allow ccci_fsd mnt_vendor_file:dir search;
+
+# Purpose: for fstab parser
+allow ccci_fsd kmsg_device:chr_file w_file_perms;
+allow ccci_fsd proc_lk_env:file rw_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
+allow ccci_fsd sysfs_mmcblk:dir search;
+allow ccci_fsd sysfs_mmcblk:file { read getattr open };
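Review bot: `allow ccci_fsd proc_lk_env:file rw_file_perms;` is commented `# Purpose: for fstab parser`, but parsing fstab only needs to read the bootloader environment; unless the daemon also updates `/proc/lk_env`, `allow ccci_fsd proc_lk_env:file r_file_perms;` is the matching grant. The file also gives raw `blk_file rw_file_perms` on `nvram_device`, `nvdata_device` and `otp_part_block_device`, and `create_file_perms` on `rawfs`, each under a bare section banner; a `Purpose` line per block, as `ccci_mdinit.te` in this commit has for its nand and lk_env rules, would let a reviewer check whether each write is still needed. Note that `nvram_device` is granted both as `chr_file` and `blk_file`; if these are two different nodes a comment naming both paths would avoid the apparent duplication.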
diff --git a/r_non_plat/ccci_mdinit.te b/r_non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..0c81c3a
--- /dev/null
+++ b/r_non_plat/ccci_mdinit.te
@@ -0,0 +1,107 @@
+# ==============================================
+# Policy File of /system/bin/ccci_mdinit Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
+type ccci_mdinit ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(ccci_mdinit)
+wakelock_use(ccci_mdinit)
+#=============allow ccci_mdinit to start gsm0710muxd==============
+set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
+#=============allow ccci_mdinit to start emcsmdlogger==============
+set_prop(ccci_mdinit, ctl_mdlogger_prop)
+#=============allow ccci_mdinit to start c2krild==============
+set_prop(ccci_mdinit, ctl_viarild_prop)
+#=============allow ccci_mdinit to start/stop rild, mdlogger==============
+set_prop(ccci_mdinit, ctl_mdlogger_prop)
+set_prop(ccci_mdinit, ctl_emdlogger1_prop)
+set_prop(ccci_mdinit, ctl_emdlogger2_prop)
+set_prop(ccci_mdinit, ctl_emdlogger3_prop)
+set_prop(ccci_mdinit, ctl_dualmdlogger_prop)
+set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
+set_prop(ccci_mdinit, ctl_gsm0710muxd-s_prop)
+set_prop(ccci_mdinit, ctl_gsm0710muxd-d_prop)
+set_prop(ccci_mdinit, ctl_rildaemon_prop)
+set_prop(ccci_mdinit, ctl_ril-daemon-mtk_prop)
+set_prop(ccci_mdinit, ctl_fusion_ril_mtk_prop)
+set_prop(ccci_mdinit, ctl_ril-daemon-s_prop)
+set_prop(ccci_mdinit, ctl_ril-daemon-d_prop)
+set_prop(ccci_mdinit, ctl_ril-proxy_prop)
+set_prop(ccci_mdinit, ril_active_md_prop)
+set_prop(ccci_mdinit, mtk_md_prop)
+#set_prop(ccci_mdinit, radio_prop)
+set_prop(ccci_mdinit, net_cdma_mdmstat)
+set_prop(ccci_mdinit, ctl_start_prop)
+#=============allow ccci_mdinit to get tel_switch_prop==============
+get_prop(ccci_mdinit, tel_switch_prop)
+
+#=============allow ccci_mdinit to start/stop fsd==============
+set_prop(ccci_mdinit, ctl_ccci_fsd_prop)
+set_prop(ccci_mdinit, ctl_ccci2_fsd_prop)
+set_prop(ccci_mdinit, ctl_ccci3_fsd_prop)
+
+get_prop(ccci_mdinit, vendor_default_prop)
+get_prop(ccci_mdinit, init_svc_emdlogger1_prop)
+get_prop(ccci_mdinit, init_svc_aee_aedv_prop)
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
+
+#=============allow ccci_mdinit to access MD NVRAM==============
+allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
+allow ccci_mdinit nvram_data_file:file create_file_perms;
+allow ccci_mdinit nvram_data_file:lnk_file read;
+allow ccci_mdinit nvdata_file:lnk_file read;
+allow ccci_mdinit nvdata_file:dir rw_dir_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvram_device:chr_file rw_file_perms;
+
+#=============allow ccci_mdinit to access ccci config==============
+allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
+allow ccci_mdinit protect_f_data_file:file create_file_perms;
+#=============allow ccci_mdinit to property==============
+allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
+allow ccci_mdinit protect_s_data_file:file create_file_perms;
+allow ccci_mdinit nvram_device:blk_file rw_file_perms;
+allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
+
+set_prop(ccci_mdinit, ril_mux_report_case_prop)
+
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+#===============security relate ==========================
+allow ccci_mdinit preloader_device:chr_file rw_file_perms;
+allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
+allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
+
+allow ccci_mdinit custom_file:dir r_dir_perms;
+allow ccci_mdinit custom_file:file r_file_perms;
+
+# Purpose : for nand partition access
+allow ccci_mdinit mtd_device:dir search;
+allow ccci_mdinit mtd_device:chr_file rw_file_perms;
+allow ccci_mdinit devmap_device:chr_file r_file_perms;
+# Purpose : for device bring up, not to block early migration/sanity
+allow ccci_mdinit proc_lk_env:file rw_file_perms;
+allow ccci_mdinit para_block_device:blk_file rw_file_perms;
+#============= ccci_mdinit sysfs related ==============
+allow ccci_mdinit sysfs_ccci:dir search;
+allow ccci_mdinit sysfs_ccci:file rw_file_perms;
+allow ccci_mdinit sysfs_ssw:dir search;
+allow ccci_mdinit sysfs_ssw:file r_file_perms;
+allow ccci_mdinit sysfs_boot_mode:file { read open };
+
+# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
+allow ccci_mdinit proc_bootprof:file rw_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow ccci_mdinit mnt_vendor_file:dir search;
+
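Review bot: `set_prop(ccci_mdinit, ctl_start_prop)` grants the generic `ctl.start` control property, which lets the domain start any init service; that makes the per-service `ctl_*_prop` grants above it (rild, mdlogger, fsd variants) redundant and widens what a compromised modem-init daemon can launch well beyond the modem services — if one service is missing from the list, add its own `ctl_<svc>_prop` instead. `set_prop(ccci_mdinit, ctl_mdlogger_prop)` appears under both the `emcsmdlogger` and `start/stop rild, mdlogger` banners and `set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)` twice as well; the duplicates compile fine but hide which block owns the rule. The banner `#=============allow ccci_mdinit to property==============` sits above the `protect_s_data_file` rules and looks like a copy-paste leftover.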
diff --git a/r_non_plat/cmddumper.te b/r_non_plat/cmddumper.te
new file mode 100644
index 0000000..d1ee1f6
--- /dev/null
+++ b/r_non_plat/cmddumper.te
@@ -0,0 +1,31 @@
+#cmddumper access external modem ttySDIO2
+allow cmddumper ttySDIO_device:chr_file { read write ioctl open };
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# cmddumper access on /data/mdlog
+allow cmddumper mdlog_data_file:fifo_file create_file_perms;
+allow cmddumper mdlog_data_file:file create_file_perms;
+allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
+
+#allow emdlogger to set property
+allow cmddumper debug_mdlogger_prop:property_service set;
+allow cmddumper debug_prop:property_service set;
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file { create_file_perms };
+allow cmddumper media_rw_data_file:dir { create_dir_perms };
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file { read getattr open };
+
+# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow cmddumper sysfs_boot_mode:file { read open };
+
+# Android P migration
+set_prop(cmddumper, persist_mtklog_prop)
+set_prop(cmddumper, vendor_mdl_prop)
+allow cmddumper tmpfs:lnk_file read;
+allow cmddumper vmodem_device:chr_file { read write ioctl open }; \ No newline at end of file
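Review bot: `allow cmddumper debug_mdlogger_prop:property_service set;` and `allow cmddumper debug_prop:property_service set;` are raw property rules while the `# Android P migration` block below uses `set_prop(cmddumper, ...)`; the macro form also supplies the property-socket permissions and is what the rest of this commit uses, so `set_prop(cmddumper, debug_mdlogger_prop)` / `set_prop(cmddumper, debug_prop)` would be consistent. `debug_prop` covers the entire `debug.*` namespace; if the logger only needs its own keys, `debug_mdlogger_prop` alone may suffice. The file ends without a trailing newline (`\ No newline at end of file`), unlike the other new files in this commit.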
diff --git a/r_non_plat/connsyslogger.te b/r_non_plat/connsyslogger.te
new file mode 100644
index 0000000..59f8f07
--- /dev/null
+++ b/r_non_plat/connsyslogger.te
@@ -0,0 +1,82 @@
+
+# Policy File of /system/bin/connsyslogger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+# Purpose : for create hidl server
+#hal_server_domain(connsyslogger, mtk_hal_log)
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#for logging sdcard access
+allow connsyslogger fuse:dir { create_dir_perms };
+allow connsyslogger fuse:file { create_file_perms };
+
+#consys logger access on /data/consyslog
+allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
+allow connsyslogger consyslog_data_file:fifo_file { create_file_perms };
+allow connsyslogger consyslog_data_file:file { create_file_perms };
+
+#consys logger socket access
+allow connsyslogger property_socket:sock_file write;
+allow connsyslogger init:unix_stream_socket connectto;
+
+allow connsyslogger tmpfs:lnk_file { create_file_perms };
+
+# purpose: avc: denied { read } for name="plat_file_contexts"
+allow connsyslogger file_contexts_file:file { read getattr open map};
+
+#logger SD logging in factory mode
+allow connsyslogger vfat:dir create_dir_perms;
+allow connsyslogger vfat:file create_file_perms;
+
+#logger permission in storage in android M version
+allow connsyslogger mnt_user_file:dir search;
+allow connsyslogger mnt_user_file:lnk_file read;
+allow connsyslogger storage_file:lnk_file read;
+
+#permission for use SELinux API
+allow connsyslogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow connsyslogger storage_file:dir { create_dir_perms };
+allow connsyslogger storage_file:file { create_file_perms };
+
+#permission for read boot mode
+allow connsyslogger sysfs_boot_mode:file { read open };
+
+allow connsyslogger fw_log_wifi_device:chr_file {read write open ioctl};
+allow connsyslogger fw_log_bt_device:chr_file {read write open ioctl};
+allow connsyslogger fw_log_gps_device:chr_file {read write open ioctl};
+allow connsyslogger fw_log_wmt_device:chr_file {read write open ioctl};
+
+allow connsyslogger sdcardfs:dir { create_dir_perms };
+allow connsyslogger sdcardfs:file { create_file_perms };
+allow connsyslogger rootfs:lnk_file getattr;
+
+allow connsyslogger media_rw_data_file:file { create_file_perms };
+allow connsyslogger media_rw_data_file:dir { create_dir_perms };
+
+set_prop(connsyslogger, vendor_connsysfw_prop)
+
+allow connsyslogger vendor_configs_file:file map;
+#permission to get driver ready status
+get_prop(connsyslogger, wmt_prop)
+
+#Date:2019/03/25
+# purpose: allow connsyslogger to access persist.meta.connecttype
+get_prop(connsyslogger, meta_connecttype_prop);
+
+#Date:2019/03/25
+# purpose: allow emdlogger to create socket
+allow connsyslogger port:tcp_socket { name_connect name_bind };
+allow connsyslogger connsyslogger:tcp_socket { create_stream_socket_perms };
+allow connsyslogger node:tcp_socket node_bind;
+
+#Date:2019/03/25
+# usb device ttyGSx for modem logger usb logging
+allow connsyslogger ttyGS_device:chr_file { rw_file_perms};
+
+
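Review bot: `allow connsyslogger connsyslogger:tcp_socket { create_stream_socket_perms };` names the domain as its own target; the conventional form, and the one the other files in this commit use (e.g. `allow atcid self:capability sys_time;`), is `allow connsyslogger self:tcp_socket create_stream_socket_perms;`. More significantly, `allow connsyslogger port:tcp_socket { name_connect name_bind };` lets a log-collecting daemon bind and connect on every labelled port type; a dedicated port type for its listener, or at least a comment stating which ports and why, would narrow it — the `# purpose: allow emdlogger to create socket` text above it appears copied from another domain. The pair `property_socket:sock_file write` / `init:unix_stream_socket connectto` is exactly what `set_prop` expands to, so with `set_prop(connsyslogger, vendor_connsysfw_prop)` present the hand-written pair is redundant. `get_prop(connsyslogger, meta_connecttype_prop);` carries a stray trailing semicolon that the other macro calls in the file omit.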
diff --git a/r_non_plat/device.te b/r_non_plat/device.te
new file mode 100644
index 0000000..702a58d
--- /dev/null
+++ b/r_non_plat/device.te
@@ -0,0 +1,274 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type devmap_device, dev_type;
+type ttyMT_device, dev_type;
+type ttyS_device, dev_type;
+type ttySDIO_device, dev_type;
+type vmodem_device, dev_type;
+type stpwmt_device, dev_type;
+type wmtdetect_device, dev_type;
+type wmtWifi_device, dev_type;
+type stpbt_device, dev_type;
+type fw_log_bt_device, dev_type;
+type stpant_device, dev_type;
+type fm_device, dev_type;
+type stpgps_device, dev_type;
+type gpsdl_device, dev_type;
+type fw_log_gps_device, dev_type;
+type fw_log_wmt_device, dev_type;
+type fw_log_wifi_device, dev_type;
+type pmem_multimedia_device, dev_type;
+type mt6516_isp_device, dev_type;
+type mt6516_IDP_device, dev_type;
+type mt9p012_device, dev_type;
+type mt6516_jpeg_device, dev_type;
+type FM50AF_device, dev_type;
+type DW9714AF_device, dev_type;
+type DW9814AF_device, dev_type;
+type AK7345AF_device, dev_type;
+type DW9714A_device, dev_type;
+type LC898122AF_device, dev_type;
+type LC898212AF_device, dev_type;
+type BU6429AF_device, dev_type;
+type AD5820AF_device, dev_type;
+type DW9718AF_device, dev_type;
+type BU64745GWZAF_device, dev_type;
+type MAINAF_device, dev_type;
+type MAIN2AF_device, dev_type;
+type SUBAF_device, dev_type;
+type M4U_device_device, dev_type;
+type Vcodec_device, dev_type;
+type MJC_device, dev_type;
+type smartpa_device, dev_type;
+type smartpa1_device, dev_type;
+type uio0_device, dev_type;
+type xt_qtaguid_device, dev_type;
+type rfkill_device, dev_type;
+type sw_sync_device, dev_type, mlstrustedobject;
+type sec_device, dev_type;
+type hid_keyboard_device, dev_type;
+type btn_device, dev_type;
+type uinput_device, dev_type;
+type TV_out_device, dev_type;
+type gz_device, dev_type;
+type camera_sysram_device, dev_type;
+type camera_isp_device, dev_type;
+type camera_dip_device, dev_type;
+type camera_dpe_device, dev_type;
+type camera_tsf_device, dev_type;
+type camera_fdvt_device, dev_type;
+type camera_rsc_device, dev_type;
+type camera_gepf_device, dev_type;
+type camera_wpe_device, dev_type;
+type camera_owe_device, dev_type;
+type camera_mfb_device, dev_type;
+type camera_pipemgr_device, dev_type;
+type ccu_device, dev_type;
+type vpu_device, dev_type, mlstrustedobject;
+type mdla_device, dev_type, mlstrustedobject;
+type mtk_jpeg_device, dev_type;
+type kd_camera_hw_device, dev_type;
+type seninf_device, dev_type;
+type kd_camera_flashlight_device, dev_type;
+type flashlight_device, dev_type;
+type kd_camera_hw_bus2_device, dev_type;
+type MATV_device, dev_type;
+type mt_otg_test_device, dev_type;
+type mt_mdp_device, dev_type;
+type mtkg2d_device, dev_type;
+type misc_sd_device, dev_type;
+type mtk_sched_device, dev_type;
+type ampc0_device, dev_type;
+type mmp_device, dev_type;
+type ttyGS_device, dev_type;
+type CAM_CAL_DRV_device, dev_type;
+type CAM_CAL_DRV1_device, dev_type;
+type CAM_CAL_DRV2_device, dev_type;
+type MTK_SMI_device, dev_type;
+type mtk_cmdq_device, dev_type;
+type mtk_mdp_device, dev_type;
+type mtk_rrc_device, dev_type;
+type ebc_device, dev_type;
+type vow_device, dev_type;
+type MT6516_H264_DEC_device, dev_type;
+type MT6516_Int_SRAM_device, dev_type;
+type MT6516_MM_QUEUE_device, dev_type;
+type MT6516_MP4_DEC_device, dev_type;
+type MT6516_MP4_ENC_device, dev_type;
+type sensor_device, dev_type;
+type aed_device, dev_type;
+type ccci_device, dev_type;
+type ccci_monitor_device, dev_type;
+type gsm0710muxd_device, dev_type;
+type eemcs_device, dev_type;
+type emd_device, dev_type;
+type mt6605_device, dev_type;
+type st21nfc_device, dev_type;
+type st54spi_device, dev_type;
+type exm0_device, dev_type;
+type mmcblk_device, dev_type;
+type BOOT_device, dev_type;
+type MT_pmic_device, dev_type;
+type aal_als_device, dev_type;
+type accdet_device, dev_type;
+type android_device, dev_type;
+type bmtpool_device, dev_type;
+type bootimg_device, dev_type;
+type btif_device, dev_type;
+type cache_device, dev_type;
+type cpu_dma_latency_device, dev_type;
+type dummy_cam_cal_device, dev_type;
+type ebr_device, dev_type;
+type expdb_device, dev_type;
+type fat_device, dev_type;
+type logo_device, dev_type;
+type loop-control_device, dev_type;
+type mbr_device, dev_type;
+type met_device, dev_type;
+type misc_device, dev_type;
+type misc2_device, dev_type;
+type mtfreqhopping_device, dev_type;
+type mtgpio_device, dev_type;
+type mtk_kpd_device, dev_type;
+type network_device, dev_type;
+type nvram_device, dev_type;
+type pmt_device, dev_type;
+type preloader_device, dev_type;
+type pro_info_device, dev_type;
+type protect_f_device, dev_type;
+type protect_s_device, dev_type;
+type psaux_device, dev_type;
+type ptyp_device, dev_type;
+type recovery_device, dev_type;
+type sec_ro_device, dev_type;
+type seccfg_device, dev_type;
+type tee_part_device, dev_type;
+type snapshot_device, dev_type;
+type tgt_device, dev_type;
+type touch_device, dev_type;
+type tpd_em_log_device, dev_type;
+type ttyp_device, dev_type;
+type uboot_device, dev_type;
+type uibc_device, dev_type;
+type usrdata_device, dev_type;
+type zram0_device, dev_type;
+type hwzram0_device, dev_type;
+type RT_Monitor_device, dev_type;
+type kick_powerkey_device, dev_type;
+type agps_device, dev_type;
+type mnld_device, dev_type;
+type geo_device, dev_type;
+type mdlog_device, dev_type;
+type md32_device, dev_type;
+type scp_device, dev_type;
+type adsp_device, dev_type;
+type audio_scp_device, dev_type;
+type sspm_device, dev_type;
+type etb_device, dev_type;
+type MT_pmic_adc_cali_device, dev_type;
+type mtk-adc-cali_device, dev_type;
+type MT_pmic_cali_device,dev_type;
+type otp_device, dev_type;
+type otp_part_block_device, dev_type;
+type qemu_pipe_device, dev_type;
+type icusb_device, dev_type;
+type nlop_device, dev_type;
+type irtx_device, dev_type;
+type pmic_ftm_device, dev_type;
+type charger_ftm_device, dev_type;
+type shf_device, dev_type;
+type keyblock_device, dev_type;
+type offloadservice_device, dev_type;
+type ttyACM_device, dev_type;
+type hrm_device, dev_type;
+type lens_device, dev_type;
+type nvdata_device, dev_type;
+type nvcfg_device, dev_type;
+type expdb_block_device, dev_type;
+type misc2_block_device, dev_type;
+type logo_block_device, dev_type;
+type para_block_device, dev_type;
+type tee_block_device, dev_type;
+type seccfg_block_device, dev_type;
+type secro_block_device, dev_type;
+type preloader_block_device, dev_type;
+type lk_block_device, dev_type;
+type protect1_block_device, dev_type;
+type protect2_block_device, dev_type;
+type keystore_block_device, dev_type;
+type oemkeystore_block_device, dev_type;
+type sec1_block_device, dev_type;
+type md1img_block_device, dev_type;
+type md1dsp_block_device, dev_type;
+type md1arm7_block_device, dev_type;
+type md3img_block_device, dev_type;
+type mmcblk1_block_device, dev_type;
+type mmcblk1p1_block_device, dev_type;
+type bootdevice_block_device, dev_type;
+type odm_block_device, dev_type;
+type oem_block_device, dev_type;
+type vendor_block_device, dev_type;
+type dtbo_block_device, dev_type;
+type loader_ext_block_device, dev_type;
+type spm_device, dev_type;
+type persist_block_device, dev_type;
+type md_block_device, dev_type;
+type spmfw_block_device, dev_type;
+type mcupmfw_block_device, dev_type;
+type scp_block_device, dev_type;
+type sspm_block_device, dev_type;
+type dsp_block_device, dev_type;
+type ppl_block_device, dev_type;
+type nvcfg_block_device, dev_type;
+type ancservice_device, dev_type;
+type mbim_device, dev_type;
+type audio_ipi_device, dev_type;
+type cam_vpu_block_device,dev_type;
+type boot_para_block_device,dev_type;
+type mtk_dfrc_device, dev_type;
+type vbmeta_block_device, dev_type;
+type alarm_device, dev_type;
+type mdp_device, dev_type;
+type mrdump_device, dev_type;
+type kb_block_device,dev_type;
+type dkb_block_device,dev_type;
+
+##########################
+# Sensor common Devices Start
+#
+type hwmsensor_device, dev_type;
+type msensor_device, dev_type;
+type gsensor_device, dev_type;
+type als_ps_device, dev_type;
+type gyroscope_device, dev_type;
+type barometer_device,dev_type;
+type humidity_device,dev_type;
+type biometric_device,dev_type;
+type sensorlist_device,dev_type;
+##########################
+# Sensor Devices Start
+#
+type m_batch_misc_device, dev_type;
+##########################
+# Sensor bio Devices Start
+#
+type m_als_misc_device, dev_type;
+type m_ps_misc_device, dev_type;
+type m_baro_misc_device, dev_type;
+type m_hmdy_misc_device, dev_type;
+type m_acc_misc_device, dev_type;
+type m_mag_misc_device, dev_type;
+type m_gyro_misc_device, dev_type;
+type m_act_misc_device, dev_type;
+type m_pedo_misc_device, dev_type;
+type m_situ_misc_device, dev_type;
+type m_step_c_misc_device, dev_type;
+type m_fusion_misc_device, dev_type;
+type m_bio_misc_device, dev_type;
+
+# Date : 2016/07/11
+# Operation : Migration
+# Purpose : Add permission for gpu access
+type dri_device, dev_type, mlstrustedobject;
diff --git a/r_non_plat/domain.te b/r_non_plat/domain.te
new file mode 100644
index 0000000..f1877f7
--- /dev/null
+++ b/r_non_plat/domain.te
@@ -0,0 +1,30 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Grant read access to mtk core property type which represents all
+# mtk properties except those with ctl_xxx prefix.
+# Align Google change: f01453ad453b29dd723838984ea03978167491e5
+get_prop(domain, mtk_core_property_type)
+
+# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
+# labeled with specific debugfs label and many violations to dir search debugfs_binder
+# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
+# is also allowed to domain as well in Google default domain.te
+allow domain debugfs_binder:dir search;
+
+# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
+# as it is a public interface for all processes to read some OTP data.
+allow {
+ domain
+ -isolated_app
+} sysfs_devinfo:file r_file_perms;
+
+# Date:20170630
+# Purpose: allow trusted process to connect aee daemon
+#allow {
+# coredomain
+# -untrusted_app_all
+#} aee_aed:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
+
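Review bot: The `connectto` grant in the last rule is far wider than its comment: it opens the aee_aedv socket to every non-core domain except hal_configstore_server and vendor_init, which presumably covers every vendor HAL and daemon rather than only "trusted" processes. If the set of clients is known, prefer an attribute or explicit list, e.g. `allow aee_aedv_client aee_aedv:unix_stream_socket connectto;` with the intended domains given that attribute; otherwise the comment should state why an all-vendor grant is acceptable. The sysfs_devinfo rule above it likewise exposes the OTP node to every app domain except isolated_app; the comment calls it a public interface, but it is worth confirming that nothing device-identifying is readable there, since untrusted_app falls inside `domain`.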
diff --git a/r_non_plat/drmserver.te b/r_non_plat/drmserver.te
new file mode 100644
index 0000000..6086c27
--- /dev/null
+++ b/r_non_plat/drmserver.te
@@ -0,0 +1,7 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow drmserver proc_ged:file rw_file_perms;
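Review bot: The comment on the only rule does not explain the write half of `rw_file_perms` on proc_ged; "access ged for gralloc_extra functions" reads as a query, and drmserver is a core domain touching a vendor-labelled proc node. If writes are genuinely required, say what is written, e.g. `# drmserver writes <what> to /proc/ged for gralloc_extra`; otherwise narrow the rule to `allow drmserver proc_ged:file r_file_perms;`.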
diff --git a/r_non_plat/dumpstate.te b/r_non_plat/dumpstate.te
new file mode 100644
index 0000000..01343a5
--- /dev/null
+++ b/r_non_plat/dumpstate.te
@@ -0,0 +1,181 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Purpose: aee_dumpstate set surfaceflinger property
+set_prop(dumpstate, debug_bq_dump_prop);
+
+# Purpose: access dev/aed0
+allow dumpstate aed_device:chr_file { read getattr };
+
+# Purpose: data/dumpsys/*
+allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
+allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
+
+# Purpose: data/aee_exp/*
+allow dumpstate aee_exp_data_file:dir { w_dir_perms };
+allow dumpstate aee_exp_data_file:file { create_file_perms };
+
+# Purpose: debugfs files
+allow dumpstate debugfs_binder:dir { read open };
+allow dumpstate debugfs_binder:file { read open };
+allow dumpstate debugfs_blockio:file { read open };
+allow dumpstate debugfs_fb:dir search;
+allow dumpstate debugfs_fb:file { read open };
+allow dumpstate debugfs_fuseio:dir search;
+allow dumpstate debugfs_fuseio:file { read open };
+allow dumpstate debugfs_ged:dir search;
+allow dumpstate debugfs_ged:file { read open };
+allow dumpstate debugfs_rcu:dir search;
+allow dumpstate debugfs_shrinker_debug:file { read open };
+allow dumpstate debugfs_wakeup_sources:file { read open };
+allow dumpstate debugfs_dmlog_debug:file { read open };
+allow dumpstate debugfs_page_owner_slim_debug:file { read open };
+allow dumpstate debugfs_ion_mm_heap:dir search;
+allow dumpstate debugfs_ion_mm_heap:file { read open };
+allow dumpstate debugfs_ion_mm_heap:lnk_file read;
+allow dumpstate debugfs_cpuhvfs:dir search;
+allow dumpstate debugfs_cpuhvfs:file { read open };
+allow dumpstate debugfs_vpu_device_dbg:file { read open };
+
+# Purpose: /sys/kernel/ccci/md_chn
+allow dumpstate sysfs_ccci:dir search;
+allow dumpstate sysfs_ccci:file { read open };
+
+# Purpose: leds status
+allow dumpstate sysfs_leds:lnk_file read;
+
+# Purpose: /sys/module/lowmemorykiller/parameters/adj
+allow dumpstate sysfs_lowmemorykiller:file { read open };
+allow dumpstate sysfs_lowmemorykiller:dir search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow dumpstate expdb_block_device:blk_file { read write ioctl open };
+
+#/data/anr/SF_RTT
+allow dumpstate sf_rtt_file:dir { search getattr };
+
+# Data : 2017/03/22
+# Operation : add fd use selinux rule
+# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
+# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
+# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
+allow dumpstate aee_aed:fd use;
+allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
+
+# private define
+# allow dumpstate config_gz:file read;
+
+allow dumpstate sysfs_leds:dir r_dir_perms;
+
+# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
+# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# sf_bqdump_data_file:s0 tclass=dir permissive=0
+allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
+allow dumpstate sf_bqdump_data_file:file r_file_perms;
+
+# Purpose:
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow dumpstate mtk_hal_camera:binder { call };
+
+# Purpose: Allow aee_dumpstate to read /proc/slabinfo
+allow dumpstate proc_slabinfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/zraminfo
+allow dumpstate proc_zraminfo:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/gpulog
+allow dumpstate proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/sched_debug
+allow dumpstate proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
+allow dumpstate proc_chip:file r_file_perms;
+
+# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
+allow dumpstate sysfs_vibrator_setting:file write;
+
+# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
+allow dumpstate debugfs_rcu:file r_file_perms;
+
+# Purpose: Allow dumpstate to read /proc/ufs_debug
+allow dumpstate proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /proc/msdc_debug
+allow dumpstate proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to r/w /proc/pidmap
+allow dumpstate proc_pidmap:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
+allow dumpstate sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
+allow dumpstate sf_rtt_file:file r_file_perms;
+
+#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
+allow dumpstate proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
+allow dumpstate proc_cmdq_debug:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
+allow dumpstate proc_dbg_repo:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
+allow dumpstate proc_isp_p2_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
+allow dumpstate proc_isp_p2_kedump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mali/memory_usage
+allow dumpstate proc_memory_usage:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
+allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
+allow dumpstate sysfs_execstate:file r_file_perms;
+
+allow dumpstate proc_isp_p2:dir r_dir_perms;
+allow dumpstate proc_isp_p2:file r_file_perms;
+
+# Date : W19.26
+# Operation : Migration
+# Purpose : fix google dumpstate avc error in xTS
+allow dumpstate debugfs_mmc:dir search;
+allow dumpstate mnt_media_rw_file:dir getattr;
+
+# Date: 19/07/15
+# Purpose: fix google dumpstate avc error in xTs
+allow dumpstate sysfs_devices_block:file r_file_perms;
+allow dumpstate proc_last_kmsg:file r_file_perms;
+
+# Date: 19/07/15
+# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
+allow dumpstate debugfs_kmemleak:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
+allow dumpstate sysfs_adsp:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
+allow dumpstate debugfs_smi_mon:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir search;
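Review bot: `allow dumpstate expdb_block_device:blk_file { read write ioctl open };` gives the bugreport daemon write access to a raw partition, with a comment that names only the device node and gives no reason for write. dumpstate is reachable from the UI and adb, so a write primitive on a block device deserves a stated justification in the comment or a reduction to `{ read ioctl open }` if expdb is only dumped. Several later comments also disagree with the permissions they introduce: "/proc/ufs_debug" and "/proc/pidmap" are described as read but get `rw_file_perms`, and the quoted denial for tracing_on has tcontext tracing_shell_writable while the rule grants `debugfs_tracing:file rw_file_perms`, so that rule may both miss the denial and over-grant. Aligning each permission set with its stated purpose would make later audits of this file much easier.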
diff --git a/r_non_plat/e2fs.te b/r_non_plat/e2fs.te
new file mode 100644
index 0000000..f927a21
--- /dev/null
+++ b/r_non_plat/e2fs.te
@@ -0,0 +1,34 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
+allow e2fs protect1_block_device:blk_file rw_file_perms;
+allow e2fs protect2_block_device:blk_file rw_file_perms;
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs nvdata_device:blk_file rw_file_perms;
+allow e2fs nvcfg_block_device:blk_file rw_file_perms;
+
+allow e2fs devpts:chr_file {read write};
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow mke2fs to format userdata and cache partition
+allow e2fs cache_block_device:blk_file rw_file_perms;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.23
+# Operation: Q migration
+# Purpose : Allow format /metadata for UDC
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.34
+# Operation: Q migration
+# Purpose : Allow mke2fs to use ioctl/ioctlcmd
+allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
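Review bot: `allow e2fs devpts:chr_file {read write};` carries no comment and is the only rule here not tied to a block device; mke2fs/e2fsck should not need a pty, and this pattern usually originates from running the tool by hand from an adb shell. If that is the origin, it belongs inside a userdebug_or_eng() wrapper with a comment saying so, or should be dropped. The allowxperm list at the end also omits the cache/userdata/metadata devices granted above; if the core policy's e2fs rules already cover those ioctls that is fine, but a one-line comment noting it would stop someone from "fixing" the asymmetry later.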
diff --git a/r_non_plat/em_hidl.te b/r_non_plat/em_hidl.te
new file mode 100644
index 0000000..fcf6abf
--- /dev/null
+++ b/r_non_plat/em_hidl.te
@@ -0,0 +1,130 @@
+# ==============================================
+# Policy File of /vendor/bin/em_hidi Executable File
+# ==============================================
+type em_hidl, domain;
+type em_hidl_exec, exec_type, file_type, vendor_file_type;
+
+# Date : 2018/06/28
+init_daemon_domain(em_hidl)
+
+# Date : 2018/06/28
+# Purpose: EM_HILD
+hal_server_domain(em_hidl, mtk_hal_em)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set ims operator
+set_prop(em_hidl, mtk_operator_id_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_simswitch_emmode_prop
+set_prop(em_hidl, mtk_simswitch_emmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_dsbp_support_prop
+set_prop(em_hidl, mtk_dsbp_support_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_imstestmode_prop
+set_prop(em_hidl, mtk_imstestmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_smsformat_prop
+set_prop(em_hidl, mtk_smsformat_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_gprs_prefer_prop
+set_prop(em_hidl, mtk_gprs_prefer_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_testsim_cardtype_prop
+set_prop(em_hidl, mtk_testsim_cardtype_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should set mtk_ct_ir_engmode_prop
+set_prop(em_hidl, mtk_ct_ir_engmode_prop)
+
+# Date : 2018/06/28
+# Operation : EM DEBUG
+# Purpose: EM should mtk_disable_c2k_cap_prop
+set_prop(em_hidl, mtk_disable_c2k_cap_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should mtk_debug_md_reset_prop
+set_prop(em_hidl, mtk_debug_md_reset_prop)
+
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log mtk_omx_log_prop
+set_prop(em_hidl, mtk_omx_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log mtk_vdec_log_prop
+set_prop(em_hidl, mtk_vdec_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log mtk_vdectlc_log_prop
+set_prop(em_hidl, mtk_vdectlc_log_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log mtk_venc_h264_showlog_prop
+set_prop(em_hidl, mtk_venc_h264_showlog_prop)
+
+# Date : 2018/06/29
+# Operation : EM DEBUG
+# Purpose: EM should video log mtk_modem_warning_prop
+set_prop(em_hidl, mtk_modem_warning_prop)
+
+# Date : 2018/07/06
+# Operation : EM DEBUG
+# Purpose: EM allow usb vendor_em_usb_prop
+set_prop(em_hidl, vendor_em_usb_prop)
+
+# Date : 2018/07/06
+# Operation : EM DEBUG
+# Purpose: for setting usb otg enable property
+set_prop(em_hidl, vendor_usb_otg_switch)
+
+# Data : 2018/07/06
+# Purpose : EM MCF read nvdata dir and file
+allow em_hidl nvdata_file:dir { read open add_name search getattr};
+allow em_hidl nvdata_file:file { getattr read open };
+
+# Data : 2018/07/06
+# Purpose : EM MCF search vendor dir
+allow em_hidl mnt_vendor_file:dir search;
+allow em_hidl vendor_default_prop:file read;
+
+# Data : 2018/08/10
+# Purpose : EM BT usage
+allow em_hidl stpbt_device:chr_file { read write open };
+allow em_hidl sysfs_boot_mode:file { read open };
+allow em_hidl ttyGS_device:chr_file { read write ioctl open };
+allow em_hidl vendor_usb_prop:file { read getattr open };
+set_prop(em_hidl, vendor_usb_prop)
+
+# Date : 2018/08/28
+# Operation : EM DEBUG
+# Purpose: for em set hidl configure
+set_prop(em_hidl, mtk_em_hidl_prop)
+
+# Date : 2019/08/22
+# Operation : EM AAL
+# Purpose: for em set aal property
+set_prop(em_hidl, mtk_pq_prop)
+# Date : 2019/09/10
+# Operation : EM wcn coredump
+# Purpose: for em set wcn coredump property
+set_prop(em_hidl, coredump_prop)
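Review bot: `allow em_hidl nvdata_file:dir { read open add_name search getattr};` grants `add_name`, a directory-write permission, under a comment that says "read nvdata dir and file"; on its own (without `write` on the dir and `create` on the file) it cannot create entries, so it is either dead or the first half of a write path the comment hides. Drop it to match the stated purpose: `allow em_hidl nvdata_file:dir r_dir_perms;`. More broadly, nearly every rule here is labelled "EM DEBUG" (modem reset, IMS test mode, coredump control, ttyGS access) with no userdebug_or_eng gating; if em_hidl is also started on user builds these knobs are reachable there, so either the daemon's init trigger or these grants should document how they are restricted in production.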
diff --git a/r_non_plat/em_svr.te b/r_non_plat/em_svr.te
new file mode 100644
index 0000000..5c00360
--- /dev/null
+++ b/r_non_plat/em_svr.te
@@ -0,0 +1,77 @@
+# Date: WK1812
+# Purpose: add for sensor calibration
+allow em_svr als_ps_device:chr_file { read open ioctl };
+allow em_svr gsensor_device:chr_file { read open ioctl };
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr md_block_device:blk_file { read open };
+
+# Date: WK1812
+# Purpose: add for SIB capture
+allow em_svr para_block_device:blk_file { read open write};
+allow em_svr proc_lk_env:file { read write ioctl open };
+
+# Date: WK1812
+# Purpose: add for MSDC get/set
+allow em_svr misc_sd_device:chr_file { read open ioctl };
+
+# Date: WK1812
+# Purpose: add for battery log
+allow em_svr proc_battery_cmd:dir { search };
+allow em_svr proc_battery_cmd:file { create write open };
+
+# Date: WK1812
+# Purpose: add for light/proximity sensor
+allow em_svr nvram_device:blk_file { open read write };
+
+# Date: WK1812
+# Purpose: add for Gyroscope sensor
+allow em_svr gyroscope_device:chr_file { read ioctl open };
+
+# Date : 2018/06/15
+# Purpose : Allow EM access touchscreen settings
+allow em_svr sysfs_tpd_debug:dir { search };
+allow em_svr sysfs_tpd_setting:dir { search };
+allow em_svr sysfs_tpd_debug:file { rw_file_perms };
+allow em_svr sysfs_tpd_setting:file { rw_file_perms };
+
+# Date : 2018/06/15
+# Purpose : EM FreqHopping setting
+allow em_svr proc_freqhop:file { open read write };
+
+# Date : 2018/06/15
+# Purpose : EM flash reading
+allow em_svr proc_flash:file { open read };
+allow em_svr proc_partition:file { open read };
+
+# Date : 2018/06/15
+# Purpose : EM Power PMU reading/setting
+allow em_svr sysfs_pmu:dir { search };
+allow em_svr sysfs_pmu:file { rw_file_perms };
+allow em_svr sysfs_pmu:lnk_file { read };
+
+# Date : 2018/06/15
+# Purpose : EM Power debug_log setting
+allow em_svr sysfs_spm:dir { search };
+allow em_svr sysfs_spm:file { open read write };
+
+# Date: 2019/04/09
+# Purpose: battery temprature setting
+allow em_svr sysfs_battery_temp:file w_file_perms;
+allow em_svr sysfs_battery_consumption:file r_file_perms;
+allow em_svr sysfs_power_on_vol:file r_file_perms;
+allow em_svr sysfs_power_off_vol:file r_file_perms;
+allow em_svr sysfs_fg_disable:file w_file_perms;
+allow em_svr sysfs_dis_nafg:file w_file_perms;
+
+
+
+# Date : 2018/10/12
+# Purpose : EM Power PMU register reading/setting
+allow em_svr debugfs_regmap:dir { search };
+allow em_svr debugfs_regmap:file { rw_file_perms };
+
+# Date:2019/04/15
+# Purpose: EM Power
+allow em_svr toolbox_exec:file { map };
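Review bot: `allow em_svr debugfs_regmap:file { rw_file_perms };` lets the engineering-mode server write PMU registers through debugfs, and the nearby `para_block_device` and `nvram_device` blk_file write rules hand it raw partition writes as well; none of these is wrapped in userdebug_or_eng. Writing regmap nodes or the para partition from a daemon present on user builds turns any bug in em_svr into a bricking or persistence primitive, so these should be gated, e.g. wrap the regmap rule as `userdebug_or_eng(` + `allow em_svr debugfs_regmap:file rw_file_perms;` + `)`, or the comments should explain why production builds need them. The em_svr domain itself is declared outside this hunk, so how it is launched cannot be checked from here.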
diff --git a/r_non_plat/emdlogger.te b/r_non_plat/emdlogger.te
new file mode 100644
index 0000000..28525e9
--- /dev/null
+++ b/r_non_plat/emdlogger.te
@@ -0,0 +1,124 @@
+#allow emdlogger to set property
+allow emdlogger debug_prop:property_service set;
+allow emdlogger persist_mtklog_prop:property_service set;
+allow emdlogger system_radio_prop:property_service set;
+
+# ccci device for internal modem
+allow emdlogger ccci_device:chr_file { rw_file_perms };
+
+# eemcs device for external modem
+allow emdlogger eemcs_device:chr_file { rw_file_perms };
+
+# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
+allow emdlogger ttySDIO_device:chr_file { rw_file_perms };
+
+# C2K project modem device for external modem vmodem start/stop/ioctl modem
+allow emdlogger vmodem_device:chr_file { rw_file_perms };
+
+# usb device ttyGSx for modem logger usb logging
+allow emdlogger ttyGS_device:chr_file { rw_file_perms};
+
+# for modem logging sdcard access
+allow emdlogger sdcard_type:dir { create_dir_perms };
+allow emdlogger sdcard_type:file { create_file_perms };
+
+# modem logger access on /data/mdlog
+allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
+allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
+allow emdlogger mdlog_data_file:file { create_file_perms };
+
+# modem logger control port access /dev/ttyC1
+allow emdlogger mdlog_device:chr_file { rw_file_perms};
+
+#modem logger SD logging in factory mode
+allow emdlogger vfat:dir create_dir_perms;
+allow emdlogger vfat:file create_file_perms;
+
+#modem logger permission in storage in android M version
+allow emdlogger mnt_user_file:dir search;
+allow emdlogger mnt_user_file:lnk_file read;
+allow emdlogger storage_file:lnk_file read;
+
+#permission for storage link access in vzw Project
+allow emdlogger mnt_media_rw_file:dir search;
+
+
+#permission for use SELinux API
+#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
+allow emdlogger rootfs:file r_file_perms;
+
+#permission for storage access storage
+allow emdlogger storage_file:dir { create_dir_perms };
+allow emdlogger tmpfs:lnk_file read;
+allow emdlogger storage_file:file { create_file_perms };
+
+#permission for read boot mode
+#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow emdlogger sysfs_boot_mode:file { read open };
+
+# Allow read to sys/kernel/ccci/* files
+allow emdlogger sysfs_ccci:dir search;
+allow emdlogger sysfs_ccci:file r_file_perms;
+
+allow emdlogger sysfs_mdinfo:file r_file_perms;
+allow emdlogger sysfs_mdinfo:dir search;
+
+# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
+# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow emdlogger system_file:dir read;
+
+
+# purpose: allow emdlogger to access storage in N version
+allow emdlogger media_rw_data_file:file { create_file_perms };
+allow emdlogger media_rw_data_file:dir { create_dir_perms };
+
+#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
+#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+#security issue control
+allow emdlogger aee_aed:unix_stream_socket connectto;
+
+# For dynamic CCB buffer feature
+#avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
+#scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
+#avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
+# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow emdlogger para_block_device:blk_file { read open write };
+allow emdlogger proc_lk_env:file { read write ioctl open };
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow emdlogger file_contexts_file:file { read getattr open map};
+
+allow emdlogger block_device:dir search;
+allow emdlogger md_block_device:blk_file { read open };
+allow emdlogger self:capability { chown };
+
+
+# purpose: allow emdlogger to access persist.meta.connecttype
+get_prop(emdlogger, meta_connecttype_prop);
+
+# purpose: allow emdlogger to create socket
+allow emdlogger port:tcp_socket { name_connect name_bind };
+allow emdlogger emdlogger:tcp_socket { create connect setopt bind };
+allow emdlogger emdlogger:tcp_socket { bind setopt listen accept read write };
+allow emdlogger node:tcp_socket node_bind;
+
+# Android P migration
+set_prop(emdlogger, persist_mtklog_prop)
+set_prop(emdlogger, vendor_mdl_prop)
+set_prop(emdlogger, vendor_mdl_start_prop)
+set_prop(emdlogger, debug_mdlogger_prop)
+get_prop(emdlogger, vendor_usb_prop)
+set_prop(emdlogger, persist_mdlog_prop)
+set_prop(emdlogger, vendor_mdl_pulllog_prop)
+set_prop(emdlogger, exported_system_radio_prop)
+
+allow emdlogger vendor_configs_file:file map;
+allow emdlogger vendor_default_prop:file map;
+
+# Date : WK19.12
+# Operation: add permission to catch logs
+# Purpose : get kernel and radio logs when modem exception
+allow emdlogger kernel:system syslog_read;
+allow emdlogger logcat_exec:file {rx_file_perms};
+allow emdlogger logdr_socket:sock_file write;
+
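Review bot: The TCP rules near the end (`allow emdlogger port:tcp_socket { name_connect name_bind };` together with `listen accept` on its own tcp_socket) let the modem logger bind any port labelled `port` and accept connections, and the only rationale given is "allow emdlogger to create socket". If the listener exists for a host tool over USB/adb forwarding, the port should get a dedicated port type with the bind limited to it, and the comment should say which interface it listens on; a vendor daemon with `chown` capability and raw access to the modem, para and md block devices that might also be reachable over the network is a lot of surface. Separately, the raw `allow emdlogger persist_mtklog_prop:property_service set;` at the top duplicates the later `set_prop(emdlogger, persist_mtklog_prop)`, and the direct `system_radio_prop`/`debug_prop` `property_service set` rules bypass the set_prop macro; using the macro consistently simplifies the property audit and may surface a core-property neverallow for vendor domains, which is worth confirming.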
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te
new file mode 100644
index 0000000..5695bf1
--- /dev/null
+++ b/r_non_plat/factory.te
@@ -0,0 +1,389 @@
+# ==============================================
+# Policy File of /system/bin/factory Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type factory, domain;
+type factory_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(factory)
+
+#============= factory ==============
+allow factory MTK_SMI_device:chr_file r_file_perms;
+allow factory ashmem_device:chr_file execute;
+allow factory ebc_device:chr_file rw_file_perms;
+allow factory stpbt_device:chr_file rw_file_perms;
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : CCCI
+allow factory eemcs_device:chr_file rw_file_perms;
+allow factory ccci_device:chr_file rw_file_perms;
+allow factory gsm0710muxd_device:chr_file rw_file_perms;
+
+#Purpose: file system requirement
+allow factory debugfs_usb:file rw_file_perms;
+allow factory debugfs_usb:dir search;
+allow factory devpts:chr_file rw_file_perms;
+allow factory vfat:dir w_dir_perms;
+allow factory labeledfs:filesystem unmount;
+allow factory rootfs:dir mounton;
+allow factory vfat:dir { read open search mounton };
+allow factory vfat:filesystem { mount unmount };
+
+# Purpose : SDIO
+allow factory ttySDIO_device:chr_file rw_file_perms;
+
+#Purpose: USB
+allow factory ttyMT_device:chr_file rw_file_perms;
+allow factory ttyS_device:chr_file rw_file_perms;
+allow factory ttyGS_device:chr_file rw_file_perms;
+
+# Purpose: OTG
+allow factory usb_device:chr_file rw_file_perms;
+allow factory usb_device:dir r_dir_perms;
+
+# Date: WK15.01
+# Purpose : OTG Mount
+allow factory sdcard_type:dir mounton;
+# Date: WK15.07
+# Purpose : use c2k flight mode;
+allow factory vmodem_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow factory mtd_device:dir search;
+allow factory mtd_device:chr_file rw_file_perms;
+allow factory self:capability sys_resource;
+allow factory pro_info_device:chr_file rw_file_perms;
+
+# Data: WK15.28
+# Purpose: for mt-ramdump reset
+allow factory proc_mrdump_rst:file w_file_perms;
+
+#Date: WK15.31
+#Purpose: define factory_data_file instead of system_data_file
+# because system_data_file is sensitive partition from M
+wakelock_use(factory);
+allow factory storage_file:dir { write create add_name search mounton };
+
+# Date: WK15.44
+# Purpose: factory idle current status
+allow factory vendor_factory_idle_state_prop:property_service set;
+
+# Date: WK15.46
+# Purpose: gps factory mode
+allow factory agpsd_data_file:dir search;
+allow factory gps_data_file:dir { write add_name search remove_name unlink};
+allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
+allow factory gps_data_file:lnk_file read;
+allow factory storage_file:lnk_file r_file_perms;
+
+#Date: WK15.48
+#Purpose: capture for factory mode
+allow factory devmap_device:chr_file r_file_perms;
+allow factory sdcard_type:dir create_dir_perms;
+allow factory sdcard_type:file create_file_perms;
+allow factory mnt_user_file:dir search;
+allow factory mnt_user_file:lnk_file read;
+allow factory storage_file:lnk_file read;
+
+#Date: WK16.05
+#Purpose: For access NVRAM
+allow factory factory:capability chown;
+allow factory nvram_data_file:dir create_dir_perms;
+allow factory nvram_data_file:file create_file_perms;
+allow factory nvram_data_file:lnk_file r_file_perms;
+allow factory nvdata_file:lnk_file r_file_perms;
+allow factory nvram_device:chr_file rw_file_perms;
+allow factory nvram_device:blk_file rw_file_perms;
+allow factory nvdata_device:blk_file rw_file_perms;
+
+#Date: WK16.12
+#Purpose: For sensor test
+allow factory als_ps_device:chr_file r_file_perms;
+allow factory barometer_device:chr_file r_file_perms;
+allow factory gsensor_device:chr_file r_file_perms;
+allow factory gyroscope_device:chr_file r_file_perms;
+allow factory msensor_device:chr_file r_file_perms;
+allow factory biometric_device:chr_file r_file_perms;
+
+#Purpose: For camera Test
+allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
+allow factory kd_camera_hw_device:chr_file rw_file_perms;
+allow factory seninf_device:chr_file rw_file_perms;
+allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
+
+#Purpose: For reboot the target
+allow factory powerctl_prop:property_service set;
+
+#Purpose: For memory card test
+allow factory misc_sd_device:chr_file r_file_perms;
+allow factory mmcblk1_block_device:blk_file rw_file_perms;
+allow factory bootdevice_block_device:blk_file rw_file_perms;
+allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
+allow factory block_device:dir w_dir_perms;
+allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
+allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
+
+#Purpose: For EMMC test
+allow factory nvdata_file:dir create_dir_perms;
+allow factory nvdata_file:file create_file_perms;
+
+#Purpose: For HRM test
+allow factory hrm_device:chr_file r_file_perms;
+
+#Purpose: For IrTx LED test
+allow factory irtx_device:chr_file rw_file_perms;
+
+#Purpose: For battery test, ext_buck test and ext_vbat_boost test
+allow factory pmic_ftm_device:chr_file rw_file_perms;
+allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
+allow factory MT_pmic_cali_device:chr_file r_file_perms;
+allow factory charger_ftm_device:chr_file r_file_perms;
+
+#Purpose: For HDMI test
+allow factory graphics_device:dir w_dir_perms;
+allow factory graphics_device:chr_file rw_file_perms;
+
+#Purpose: For WIFI test
+allow factory wmtWifi_device:chr_file rw_file_perms;
+
+#Purpose: For rtc test
+allow factory rtc_device:chr_file rw_file_perms;
+
+#Purpose: For nfc test
+allow factory mt6605_device:chr_file rwx_file_perms;
+
+#Purpose: For gps test
+allow factory mnld_device:chr_file rw_file_perms;
+allow factory mnld_exec:file rx_file_perms;
+
+#Purpose: For keypad test
+allow factory mtk_kpd_device:chr_file r_file_perms;
+
+#Purpose: For Humidity test
+allow factory humidity_device:chr_file r_file_perms;
+
+#Purpose: For camera test
+allow factory camera_isp_device:chr_file rw_file_perms;
+allow factory camera_dip_device:chr_file rw_file_perms;
+allow factory camera_pipemgr_device:chr_file r_file_perms;
+allow factory camera_sysram_device:chr_file r_file_perms;
+allow factory ccu_device:chr_file rw_file_perms;
+allow factory vpu_device:chr_file rw_file_perms;
+allow factory MAINAF_device:chr_file rw_file_perms;
+allow factory MAIN2AF_device:chr_file rw_file_perms;
+allow factory SUBAF_device:chr_file rw_file_perms;
+allow factory FM50AF_device:chr_file rw_file_perms;
+allow factory AD5820AF_device:chr_file rw_file_perms;
+allow factory DW9714AF_device:chr_file rw_file_perms;
+allow factory DW9714A_device:chr_file rw_file_perms;
+allow factory LC898122AF_device:chr_file rw_file_perms;
+allow factory LC898212AF_device:chr_file rw_file_perms;
+allow factory BU6429AF_device:chr_file rw_file_perms;
+allow factory DW9718AF_device:chr_file rw_file_perms;
+allow factory BU64745GWZAF_device:chr_file rw_file_perms;
+allow factory cct_data_file:dir create_dir_perms;
+allow factory cct_data_file:file create_file_perms;
+allow factory camera_tsf_device:chr_file rw_file_perms;
+allow factory camera_rsc_device:chr_file rw_file_perms;
+allow factory camera_gepf_device:chr_file rw_file_perms;
+allow factory camera_fdvt_device:chr_file rw_file_perms;
+allow factory camera_wpe_device:chr_file rw_file_perms;
+allow factory camera_owe_device:chr_file rw_file_perms;
+allow factory camera_mfb_device:chr_file rw_file_perms;
+allow factory mtk_hal_power_hwservice:hwservice_manager find;
+allow factory mtk_hal_power:binder call;
+get_prop(factory,mediatek_prop);
+#Purpose: For FM test and headset test
+allow factory accdet_device:chr_file r_file_perms;
+allow factory fm_device:chr_file rw_file_perms;
+
+#Purpose: For audio test
+allow factory audio_device:chr_file rw_file_perms;
+allow factory audio_device:dir w_dir_perms;
+allow factory audiohal_prop:property_service set;
+allow factory audio_ipi_device:chr_file { read write ioctl open };
+allow factory audio_scp_device:chr_file r_file_perms;
+
+#Purpose: For key and touch event
+allow factory input_device:chr_file r_file_perms;
+allow factory input_device:dir rw_dir_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+# Allow read to sys/kernel/ccci/* files
+allow factory sysfs_ccci:dir search;
+allow factory sysfs_ccci:file r_file_perms;
+
+# Date: WK16.18
+# Purpose: N Migration For boot_mode
+# Allow to read boot mode
+# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
+# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
+# tclass=file permissive=0
+allow factory sysfs_boot_mode:file { read open };
+allow factory sysfs_boot_type:file { read open };
+
+#TODO:: MTK need to remove later
+not_full_treble(`
+ allow factory mnld:unix_dgram_socket sendto;
+')
+
+# Date: WK16.31
+#Purpose: For gps test
+allow factory mnld_prop:property_service set;
+
+# Date: WK16.33
+#Purpose: for unmount sdcardfs and stop services which are using data partition
+allow factory sdcard_type:filesystem unmount;
+allow factory ctl_default_prop:property_service set;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow factory flashlight_device:chr_file rw_file_perms;
+
+
+# Date: WK15.25
+#Purpose: for unmount sdcardfs and stop services which are using data partition
+allow factory ctl_emdlogger1_prop:property_service set;
+# Date: WK17.07
+# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
+allow factory tmpfs:filesystem unmount;
+allow factory sysfs:dir { read open };
+allow factory sysfs_leds:dir search;
+allow factory sysfs_leds:lnk_file read;
+allow factory sysfs_leds:file rw_file_perms;
+allow factory sysfs_leds:dir r_dir_perms;
+allow factory sysfs_power:file rw_file_perms;
+allow factory sysfs_power:dir r_dir_perms;
+allow factory self:capability2 {block_suspend};
+allow factory sysfs_vibrator:file {open read write};
+allow factory ion_device:chr_file { read open ioctl };
+allow factory debugfs_ion:dir search;
+# Date: WK17.27
+# Purpose: STMicro NFC solution integration
+allow factory st21nfc_device:chr_file { open read getattr write ioctl };
+set_prop(factory,hwservicemanager_prop);
+hwbinder_use(factory);
+hal_client_domain(factory, hal_nfc);
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow factory mtk_cmdq_device:chr_file { read ioctl open };
+allow factory mtk_mdp_device:chr_file rw_file_perms;
+allow factory sw_sync_device:chr_file rw_file_perms;
+
+# Date: WK1733
+# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
+set_prop(factory,ctl_ccci_fsd_prop);
+
+# Date : WK17.38
+# Operation : O Migration
+# Purpose: Allow to access sysfs
+allow factory sysfs_therm:dir search;
+allow factory sysfs_therm:file {open read write};
+
+#Date: W18.22
+# Purpose: P Migration for factory get com port type and uart port info
+# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
+#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
+#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow factory sysfs_comport_type:file rw_file_perms;
+allow factory sysfs_uart_info:file rw_file_perms;
+
+
+# from private
+allow factory property_socket:sock_file write;
+allow factory init:unix_stream_socket connectto;
+allow factory kernel:system module_request;
+allow factory node:tcp_socket node_bind;
+allow factory userdata_block_device:blk_file rw_file_perms;
+allow factory port:tcp_socket { name_bind name_connect };
+allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
+allow factory sdcard_type:dir r_dir_perms;
+allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
+allow factory proc_net:file { read getattr open };
+allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
+allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
+
+allow factory self:process execmem;
+allow factory self:tcp_socket create_stream_socket_perms;
+allow factory self:udp_socket create_socket_perms;
+
+allow factory sysfs_wake_lock:file rw_file_perms;
+#allow factory system_file:file x_file_perms;
+
+# For Light HIDL permission
+hal_client_domain(factory, hal_light);
+allow factory hal_light_hwservice:hwservice_manager find;
+allow factory mtk_hal_light:binder call;
+allow factory merged_hal_service:binder call;
+# For vibrator test permission
+allow factory sysfs_vibrator:file rw_file_perms;
+allow factory sysfs_vibrator:dir search;
+
+# For Audio device permission
+allow factory proc_asound:dir { read search open };
+allow factory proc_asound:file { read open getattr write };
+allow factory audiohal_prop:property_service set;
+
+# For Accdet data permission
+allow factory sysfs_headset:file { read open };
+
+# For touch auto test
+allow factory sysfs_tpd_setting:dir search;
+allow factory sysfs_tpd_setting:file { read getattr open };
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow factory to unmount partition, stop service, and then erase partition
+allow factory vendor_shell_exec:file { read execute open execute_no_trans };
+allow factory vendor_toolbox_exec:file { execute_no_trans };
+allow factory labeledfs:filesystem { unmount };
+allow factory proc_cmdline:file { read open getattr };
+allow factory factory:capability { sys_boot sys_admin};
+allow factory sysfs_dt_firmware_android:file { read open getattr };
+allow factory sysfs_dt_firmware_android:dir { read open search };
+# Purpose : Allow factory to communicate with driver thru socket
+allow factory factory:capability { sys_module net_admin net_raw };
+
+# For power_supply and switch permission
+r_dir_file(factory, sysfs_batteryinfo)
+r_dir_file(factory, sysfs_switch)
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose : Refine policy
+allow factory sysfs_mmcblk:dir { search };
+allow factory sysfs_mmcblk:file { read getattr open };
+
+# Date : WK18.37
+# Operation: P migration
+# Purpose : ADSP SmartPA calibration
+allow factory vendor_file:file execute_no_trans;
+allow factory mtk_audiohal_data_file:dir create_dir_perms;
+allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms };
+
+#Date : WK18.37
+# Operation: P migration
+# Purpose : Allow factory to open /proc/version
+allow factory proc_version:file {read open getattr};
+
+# Purpose : adsp
+allow factory adsp_device:chr_file rw_file_perms;
+
+# Purpose : NFC
+allow factory vendor_nfc_socket:dir { write add_name remove_name search };
+allow factory vendor_nfc_socket:sock_file { create write unlink setattr };
+
+# Allow to get AOSP property persist.radio.multisim.config
+get_prop(factory, exported3_radio_prop)
+
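Review bot: The capability grants are spread over three rules that all target the same type — `allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };`, `allow factory factory:capability { sys_boot sys_admin};` and `allow factory factory:capability { sys_module net_admin net_raw };` (`self` resolves to `factory`, so the last two are subsets of the first) — and none of them records which test needs `sys_admin` or `sys_module`. Combined with `self:process execmem`, `execute_no_trans` on `vendor_shell_exec` and `vendor_file`, and `rw_file_perms` on `userdata_block_device` and `bootdevice_block_device`, the domain is close to unconfined, so a per-capability justification is what a later tightening pass will need. I'd collapse the three into one rule under a `# Purpose :` header that names the owning test for each capability, and drop the duplicates; the repeated `labeledfs:filesystem unmount`, `audiohal_prop:property_service set` and `sysfs_vibrator:file` rules are harmless but show the file has not been checked for overlap. `mt6605_device:chr_file rwx_file_perms` grants execute on a character device, which is unusual for an NFC node; if only read/write is used, narrow it to `rw_file_perms`.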
diff --git a/r_non_plat/fastbootd.te b/r_non_plat/fastbootd.te
new file mode 100644
index 0000000..cb6708d
--- /dev/null
+++ b/r_non_plat/fastbootd.te
@@ -0,0 +1,25 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+
+allow fastbootd {
+ bootdevice_block_device
+ cache_block_device
+ logo_block_device
+ para_block_device
+ }:blk_file { rw_file_perms };
+
+allow fastbootd {
+ sysfs_boot_type
+}:file { rw_file_perms };
+
+allowxperm fastbootd {
+ bootdevice_block_device
+ cache_block_device
+ logo_block_device
+ para_block_device
+ }:blk_file ioctl {
+ BLKSECDISCARD
+ BLKDISCARD
+ MMC_IOCTLCMD
+ };
+
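Review bot: `sysfs_boot_type` is granted `rw_file_perms` in the second rule, whereas factory.te in the same commit only needs `{ read open }` on that node; if fastbootd merely reads the boot device type to choose a flashing path, `allow fastbootd sysfs_boot_type:file r_file_perms;` removes a write path into sysfs. The ioctl allow-list on the four block devices includes `MMC_IOCTLCMD` next to the two discard ioctls, and since that one passes MMC commands straight through to the device the file should record which fastbootd operation depends on it, e.g. `# MMC_IOCTLCMD: required by <flashing step — TODO name it>` above the `allowxperm`. The header names the binary but not the intent; a line such as `# Purpose: raw partition flash/erase from userspace fastboot in recovery` would orient the reader.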
diff --git a/r_non_plat/file.te b/r_non_plat/file.te
new file mode 100644
index 0000000..d43727c
--- /dev/null
+++ b/r_non_plat/file.te
@@ -0,0 +1,416 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+type custom_file, file_type, data_file_type;
+type lost_found_data_file, file_type, data_file_type;
+type dontpanic_data_file, file_type, data_file_type;
+type resource_cache_data_file, file_type, data_file_type;
+type http_proxy_cfg_data_file, file_type, data_file_type;
+type acdapi_data_file, file_type, data_file_type;
+type ppp_data_file, file_type, data_file_type;
+type wpa_supplicant_data_file, file_type, data_file_type;
+type radvd_data_file, file_type, data_file_type;
+type volte_vt_socket, file_type;
+type dfo_socket, file_type;
+type gsmrild_socket, file_type;
+type rild2_socket, file_type;
+type rild3_socket, file_type;
+type rild4_socket, file_type;
+type rild_mal_socket, file_type;
+type rild_mal_at_socket, file_type;
+type rild_mal_md2_socket, file_type;
+type rild_mal_at_md2_socket, file_type;
+type rild_ims_socket, file_type;
+type rild_imsm_socket, file_type;
+type rild_oem_socket, file_type;
+type rild_mtk_ut_socket, file_type;
+type rild_mtk_ut_2_socket, file_type;
+type rild_mtk_modem_socket, file_type;
+type rild_md2_socket, file_type;
+type rild2_md2_socket, file_type;
+type rild_debug_md2_socket, file_type;
+type rild_oem_md2_socket, file_type;
+type rild_mtk_ut_md2_socket, file_type;
+type rild_mtk_ut_2_md2_socket, file_type;
+type rild_mtk_modem_md2_socket, file_type;
+type rild_vsim_socket, file_type;
+type rild_vsim_md2_socket, file_type;
+type mal_mfi_socket, file_type;
+type mal_data_file, file_type, data_file_type;
+type netdiag_socket, file_type;
+type wpa_wlan0_socket, file_type;
+type soc_vt_imcb_socket, file_type;
+type soc_vt_tcv_socket, file_type;
+type soc_vt_stk_socket, file_type;
+type soc_vt_svc_socket, file_type;
+type dbus_bluetooth_socket, file_type;
+type bt_int_adp_socket, file_type;
+type bt_a2dp_stream_socket, file_type;
+type bt_data_file, file_type, data_file_type;
+type proc_thermal, fs_type, proc_type;
+type proc_mtkcooler, fs_type, proc_type;
+type proc_mtktz, fs_type, proc_type;
+type proc_mtd, fs_type, proc_type;
+type proc_slogger, fs_type, proc_type;
+type proc_lk_env, fs_type, proc_type;
+type proc_ged, fs_type, proc_type;
+type proc_mtk_jpeg, fs_type, proc_type;
+type proc_perfmgr, fs_type, proc_type;
+type proc_wmtdbg, fs_type, proc_type;
+type proc_zraminfo, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
+type proc_gpulog, fs_type, proc_type;
+type proc_sched_debug, fs_type, proc_type;
+type proc_chip, fs_type, proc_type;
+type proc_atf_log, fs_type, proc_type;
+type proc_gz_log, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
+type proc_bootprof, fs_type, proc_type;
+type proc_pl_lk, fs_type, proc_type;
+type proc_msdc_debug, fs_type, proc_type;
+type proc_ufs_debug, fs_type, proc_type;
+type proc_pidmap, fs_type, proc_type;
+type proc_slabtrace, fs_type, proc_type;
+type proc_cmdq_debug, fs_type, proc_type;
+type proc_isp_p2, fs_type, proc_type;
+type proc_dbg_repo, fs_type, proc_type;
+type proc_isp_p2_dump, fs_type, proc_type;
+type proc_isp_p2_kedump, fs_type, proc_type;
+type proc_memory_usage, fs_type, proc_type;
+type proc_mtk_es_reg_dump, fs_type, proc_type;
+type sysfs_execstate, fs_type, sysfs_type;
+type sysfs_therm, fs_type, sysfs_type;
+type sysfs_fps, fs_type, sysfs_type;
+type sysfs_ccci, fs_type, sysfs_type;
+type sysfs_mdinfo, fs_type,sysfs_type;
+type sysfs_ssw, fs_type,sysfs_type;
+type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
+type sysfs_md32, fs_type, sysfs_type;
+type sysfs_scp, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_sspm, fs_type, sysfs_type;
+type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dcm, fs_type, sysfs_type;
+type sysfs_dcs, fs_type, sysfs_type;
+type sysfs_vcore_debug, fs_type, sysfs_type;
+type agpsd_socket, file_type;
+type agpsd_data_file, file_type, data_file_type;
+type mnld_socket, file_type;
+type mnld_data_file, file_type, data_file_type;
+type gps_data_file, file_type, data_file_type;
+type MPED_socket, file_type;
+type MPED_data_file, file_type, data_file_type;
+type sysctl_socket, file_type;
+type backuprestore_socket, file_type;
+type protect_f_data_file, file_type, data_file_type;
+type protect_s_data_file, file_type, data_file_type;
+type persist_data_file, file_type, data_file_type;
+type nvram_data_file, file_type, data_file_type;
+type nvdata_file, file_type, data_file_type;
+type nvcfg_file, file_type, data_file_type;
+type cct_data_file, file_type, data_file_type;
+type mediaserver_data_file, file_type, data_file_type;
+type mediacodec_data_file, file_type, data_file_type;
+type connsyslog_data_vendor_file, file_type, data_file_type;
+
+#mobilelog data/misc/mblog
+type logmisc_data_file, file_type, data_file_type, core_data_file_type;
+
+#mobilelog data/log_temp
+type logtemp_data_file, file_type, data_file_type, core_data_file_type;
+
+# NE core_forwarder
+type aee_core_data_file, file_type, data_file_type, core_data_file_type;
+type aee_core_vendor_file, file_type, data_file_type;
+
+# AEE exp
+type aee_exp_data_file, file_type, data_file_type, core_data_file_type;
+type aee_exp_vendor_file, file_type, data_file_type;
+type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
+type aee_dumpsys_vendor_file, file_type, data_file_type;
+
+# SF rtt dump
+type sf_rtt_file, file_type, data_file_type, core_data_file_type;
+
+#for 3Gdongle
+type rild-dongle_socket, file_type;
+
+type ccci_cfg_file, file_type, data_file_type;
+type ccci_data_md1_file, file_type, data_file_type;
+type c2k_file, file_type, data_file_type;
+#For sensor
+type sensor_data_file, file_type, data_file_type;
+type stp_dump_data_file, file_type, data_file_type;
+type sysfs_keypad_file, fs_type, sysfs_type;
+type rild_via_socket, file_type;
+type rpc_socket, file_type;
+type rild_ctclient_socket, file_type;
+#For icusb
+type proc_icusb, fs_type, proc_type;
+
+# for labeling /mnt/cd-rom as iso9660
+type iso9660, fs_type;
+
+# data_tmpfs_log
+type data_tmpfs_log_file, file_type, data_file_type, core_data_file_type;
+type vendor_tmpfs_log_file, file_type, data_file_type;
+
+# rawfs for /protect_f on NAND projects
+type rawfs, fs_type, mlstrustedobject;
+
+# fat on nand fat.img
+type fon_image_data_file, file_type, data_file_type;
+
+# ims ipsec config file
+type ims_ipsec_data_file, file_type, data_file_type;
+
+# thermal manager config file
+type thermal_manager_data_file, file_type, data_file_type;
+
+# adbd config file
+type adbd_data_file, file_type, data_file_type, core_data_file_type;
+
+#autokd data file
+type autokd_data_file, file_type, data_file_type;
+
+#fuse
+type fuseblk,sdcard_type,fs_type,mlstrustedobject;
+
+# for mt-ramdump reset
+type proc_mrdump_rst, fs_type, proc_type;
+
+# battery_cmd file
+type proc_battery_cmd, fs_type, proc_type;
+
+# binder debugfs file
+type debugfs_binder, fs_type, debugfs_type;
+
+# blockio debugfs file
+type debugfs_blockio, fs_type, debugfs_type;
+
+# fuseio debugfs file
+type debugfs_fuseio, fs_type, debugfs_type;
+
+# usb debugfs file
+type debugfs_usb, fs_type, debugfs_type;
+
+# display debugfs file
+type debugfs_fb, fs_type, debugfs_type;
+
+# cpuhvfs debugfs file
+type debugfs_cpuhvfs, fs_type, debugfs_type;
+
+#for engineermode Usb PHY Tuning
+type debugfs_usb20_phy, fs_type, debugfs_type;
+
+# dynamic_debug debugfs file
+type debugfs_dynamic_debug, fs_type, debugfs_type;
+
+# shrinker debugfs file
+type debugfs_shrinker_debug, fs_type, debugfs_type;
+
+# dmlog debugfs file
+type debugfs_dmlog_debug, fs_type, debugfs_type;
+
+# page_owner_slim debugfs file
+type debugfs_page_owner_slim_debug, fs_type, debugfs_type;
+
+# rcu debugfs file
+type debugfs_rcu, fs_type, debugfs_type;
+
+# gpu debugfs file
+type debugfs_ged, fs_type, debugfs_type;
+
+# fpsgo debugfs file
+type debugfs_fpsgo, fs_type, debugfs_type;
+
+# eara_thermal debugfs file
+type debugfs_eara_thermal, fs_type, debugfs_type;
+
+# vpu debugfs file
+type debugfs_vpu_power, fs_type, debugfs_type;
+type debugfs_vpu_memory, fs_type, debugfs_type;
+
+# mdla debugfs file
+type debugfs_mdla_power, fs_type, debugfs_type;
+
+# memtrack debugfs file
+type debugfs_gpu_mali_midgard, fs_type, debugfs_type;
+type debugfs_gpu_mali_utgard, fs_type, debugfs_type;
+type debugfs_gpu_img, fs_type, debugfs_type;
+type debugfs_ion, fs_type, debugfs_type;
+
+# /sys/kernel/debug/ion/ion_mm_heap
+type debugfs_ion_mm_heap, fs_type, debugfs_type;
+
+# /sys/kernel/debug/emi_mbw/dump_buf
+type debugfs_emi_mbw_buf, fs_type, debugfs_type;
+
+# /sys/kernel/debug/vpu/device_dbg
+type debugfs_vpu_device_dbg, fs_type, debugfs_type;
+
+# /sys/kernel/debug/kmemleak
+type debugfs_kmemleak, fs_type, debugfs_type;
+
+######################################
+# core domain file data
+
+# SF bqdump
+type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_socket, file_type, data_file_type, core_data_file_type;
+type vendor_nfc_socket, file_type, data_file_type;
+# factory data file
+type factory_data_file, file_type, data_file_type, core_data_file_type;
+# Modem Log folder
+type mdlog_data_file, file_type, data_file_type, core_data_file_type;
+
+# MTK audio HAL folder
+type mtk_audiohal_data_file, file_type, data_file_type;
+
+# MTK Power HAL folder
+type mtk_powerhal_data_file, file_type, data_file_type;
+
+# Date : WK1743
+# Purpose : for meta_tst copy MD DB from MD image
+type mddb_data_file, file_type, data_file_type;
+
+# Date : WK1814
+# Purpose : for factory to get boot mode and type
+type sysfs_boot_mode, fs_type, sysfs_type;
+type sysfs_boot_type, fs_type, sysfs_type;
+
+# consys Log folder
+type consyslog_data_file, file_type, data_file_type, core_data_file_type;
+
+# Date : WK1817
+# Purpose : for meta to get com port type and uart port info
+type sysfs_comport_type, fs_type, sysfs_type;
+type sysfs_uart_info, fs_type, sysfs_type;
+type sysfs_usb_cmode, fs_type, sysfs_type;
+
+# Date : WK1820
+# Purpose : for charger to access vbus info and pump_express
+type sysfs_vbus, fs_type, sysfs_type;
+type sysfs_pump_express, fs_type, sysfs_type;
+
+# Widevine move data/mediadrm folder from system to vendor
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# mtk usb hal
+type sysfs_dual_role_usb20, fs_type, sysfs_type;
+
+# lbs debug file
+#type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type;
+
+# Touch parameters file
+type sysfs_tpd_setting, fs_type, sysfs_type;
+type sysfs_tpd_debug, fs_type, sysfs_type;
+
+# Date : 2018/06/11
+# Purpose : mtk EM FreqHopping setting
+type proc_freqhop, fs_type, proc_type;
+
+# Date : 2018/06/11
+# Purpose : mtk EM flash reading
+type proc_flash, fs_type, proc_type;
+type proc_partition, fs_type, proc_type;
+
+# Date : 2018/06/11
+# Purpose : mtk EM PMU reading/setting
+type sysfs_pmu, fs_type, sysfs_type;
+
+# Date : 2018/06/11
+# Purpose : mtk EM Power debug_log setting
+type sysfs_spm, fs_type, sysfs_type;
+
+# Date : 2018/06/11
+# Purpose : mtk EM Audio headset detect
+type sysfs_headset, fs_type, sysfs_type;
+
+# socket between atci_service and audio-daemon
+type atci-audio_socket, file_type;
+
+# ATCI socket types
+type rild_atci_socket, file_type;
+type rilproxy_atci_socket, file_type;
+type atci_service_socket, file_type;
+type adb_atci_socket, file_type;
+
+# EM Power PMU register reading/setting
+type debugfs_regmap, fs_type, debugfs_type;
+
+# Date : 2018/11/01
+# Purpose : mtk EM c2k bypass read usb file
+type sys_usb_rawbulk, fs_type, sysfs_type;
+
+# Backlight brightness file
+type sysfs_leds_setting, fs_type, sysfs_type;
+
+# Vibrator vibrate file
+type sysfs_vibrator_setting, fs_type, sysfs_type;
+
+# Date : 2019/04/09
+# Purpose: mtk EM battery settings
+type sysfs_battery_temp, fs_type, sysfs_type;
+type sysfs_battery_consumption, fs_type, sysfs_type;
+type sysfs_power_on_vol, fs_type, sysfs_type;
+type sysfs_power_off_vol, fs_type, sysfs_type;
+type sysfs_fg_disable, fs_type, sysfs_type;
+type sysfs_dis_nafg, fs_type, sysfs_type;
+
+# drm key manager
+type provision_file, file_type, data_file_type;
+type key_install_data_file, file_type, data_file_type;
+
+# Date : WK18.16
+# Purpose: Android Migration
+type sysfs_mmcblk, fs_type, sysfs_type;
+type sysfs_mmcblk1, fs_type, sysfs_type;
+
+type aee_dipdebug_vendor_file, file_type, data_file_type;
+
+type netd_socket, file_type, coredomain_socket;
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+type proc_m4u, fs_type, proc_type;
+
+# Date : 2019/08/15
+type debugfs_smi_mon, fs_type, debugfs_type;
+
+# Date : WK19.34
+# Purpose: Android Migration for video codec driver
+type vcodec_file, file_type, data_file_type;
+
+# Date : 2019/08/24
+type sysfs_sensor, fs_type, sysfs_type;
+
+#MTEE trusty
+type mtee_trusty_file, fs_type, sysfs_type;
+
+# Date : 2019/08/29
+# Purpose: Allow rild access proc/aed/reboot-reason
+type proc_aed_reboot_reason, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_ca_drv, fs_type, proc_type;
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+type sysfs_device_tree_model, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump_lbaooo, fs_type, sysfs_type;
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+type sysfs_concurrency_scenario, fs_type, sysfs_type;
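Review bot: `sysfs_devinfo`, `rawfs` and `fuseblk` carry `mlstrustedobject`, which exempts the object from the MLS level constraints, but none of the three declarations says which cross-level access requires it — `rawfs` only explains its mount point and `fuseblk` just says `#fuse`. Each should get a one-line reason, e.g. `# mlstrustedobject: accessed by processes at different MLS levels — TODO name the caller`, so the exemption can be revisited instead of inherited. `netd_socket` is declared here with `coredomain_socket`; if the platform policy this directory is built against already declares that type, the duplicate declaration will fail the build, so that is worth confirming before the `/dev/socket/netd` label in file_contexts relies on it. Minor: the commented-out `lbs_dbg_data_file` declaration is dead and can be dropped.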
diff --git a/r_non_plat/file_contexts b/r_non_plat/file_contexts
new file mode 100644
index 0000000..5b8bf0c
--- /dev/null
+++ b/r_non_plat/file_contexts
@@ -0,0 +1,686 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+############################
+# A/B system
+/enableswap.sh u:object_r:rootfs:s0
+/factory_init\..* u:object_r:rootfs:s0
+/meta_init\..* u:object_r:rootfs:s0
+/multi_init\..* u:object_r:rootfs:s0
+
+#############################
+# Custom files
+(/vendor)?/custom(/.*)? u:object_r:custom_file:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+
+
+#############################
+# Data files
+#
+/data/vendor/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
+/data/vendor_de/meta(/.*)? u:object_r:mddb_data_file:s0
+/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
+/data/vendor/aee_exp(/.*)? u:object_r:aee_exp_vendor_file:s0
+/data/vendor/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
+#/data/mnl_flp(/.*)? u:object_r:mnld_data_file:s0
+#/data/mnl_gfc(/.*)? u:object_r:mnld_data_file:s0
+/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
+/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
+/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
+/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
+/data/core(/.*)? u:object_r:aee_core_data_file:s0
+/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
+#/data/dontpanic(/.*)? u:object_r:dontpanic_data_file:s0
+/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
+/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_vendor_file:s0
+/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0
+#/data/http-proxy-cfg(/.*)? u:object_r:http_proxy_cfg_data_file:s0
+/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0
+#/data/lost\+found(/.*)? u:object_r:lost_found_data_file:s0
+/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0
+#/data/mediaserver(/.*)? u:object_r:mediaserver_data_file:s0
+#/data/mediacodec(/.*)? u:object_r:mediacodec_data_file:s0
+#/data/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
+/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0
+/data/vendor/nfc_socket(/.*)? u:object_r:vendor_nfc_socket:s0
+#/data/nvram(/.*)? u:object_r:nvram_data_file:s0
+#/data/cct(/.*)? u:object_r:cct_data_file:s0
+/data/vendor/md3(/.*)? u:object_r:c2k_file:s0
+#/data/mal(/.*)? u:object_r:mal_data_file:s0
+/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0
+/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
+/data/vendor/data_tmpfs_log(/.*)? u:object_r:vendor_tmpfs_log_file:s0
+#/data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
+#/data/tmp_mnt/vendor/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
+#/data/setkey.conf u:object_r:ims_ipsec_data_file:s0
+#/data/setkey_bak.conf u:object_r:ims_ipsec_data_file:s0
+#/data/setkey_latest.conf u:object_r:ims_ipsec_data_file:s0
+/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0
+/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0
+#/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0
+/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0
+/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
+/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
+/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0
+
+# Misc data
+#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
+/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
+#/data/misc/ppp(/.*)? u:object_r:ppp_data_file:s0
+#/data/misc/radvd(/.*)? u:object_r:radvd_data_file:s0
+/data/vendor/sensor(/.*)? u:object_r:sensor_data_file:s0
+#/data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0
+
+# Wallpaper file for smartbook
+/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
+
+/data/vendor/connsyslog(/.*)? u:object_r:connsyslog_data_vendor_file:s0
+
+# nvdata
+/mnt/vendor/nvdata(/.*)? u:object_r:nvdata_file:s0
+/mnt/vendor/nvcfg(/.*)? u:object_r:nvcfg_file:s0
+
+# protected data file
+/mnt/vendor/protect_f(/.*)? u:object_r:protect_f_data_file:s0
+/mnt/vendor/protect_s(/.*)? u:object_r:protect_s_data_file:s0
+/mnt/vendor/persist(/.*)? u:object_r:persist_data_file:s0
+
+#fat on nand image
+/fat(/.*)? u:object_r:fon_image_data_file:s0
+
+##########################
+# Devices
+#
+/dev/aal_als(/.*)? u:object_r:aal_als_device:s0
+/dev/accdet(/.*)? u:object_r:accdet_device:s0
+/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0
+/dev/aed[0-9]+ u:object_r:aed_device:s0
+/dev/ampc0(/.*)? u:object_r:ampc0_device:s0
+/dev/android(/.*)? u:object_r:android_device:s0
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/platform/bootdevice/by-name/otp u:object_r:otp_part_block_device:s0
+/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0
+/dev/bootimg(/.*)? u:object_r:bootimg_device:s0
+/dev/BOOT(/.*)? u:object_r:BOOT_device:s0
+/dev/btif(/.*)? u:object_r:btif_device:s0
+/dev/btn(/.*)? u:object_r:btn_device:s0
+/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0
+/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0
+/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0
+/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0
+/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0
+/dev/cache(/.*)? u:object_r:cache_device:s0
+/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0
+/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0
+/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0
+/dev/gz_kree(/.*)? u:object_r:gz_device:s0
+/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0
+/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0
+/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0
+/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0
+/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0
+/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0
+/dev/camera-gepf(/.*)? u:object_r:camera_gepf_device:s0
+/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0
+/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0
+/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0
+/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0
+/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0
+/dev/ccu(/.*)? u:object_r:ccu_device:s0
+/dev/vpu(/.*)? u:object_r:vpu_device:s0
+/dev/mdlactl(/.*)? u:object_r:mdla_device:s0
+/dev/ccci_monitor u:object_r:ccci_monitor_device:s0
+/dev/ccci.* u:object_r:ccci_device:s0
+/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0
+/dev/devmap(/.*)? u:object_r:devmap_device:s0
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0
+/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0
+/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0
+/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0
+/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0
+/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0
+/dev/WV511AAF(/.*)? u:object_r:lens_device:s0
+/dev/ebc(/.*)? u:object_r:ebc_device:s0
+/dev/usip(/.*)? u:object_r:ebc_device:s0
+/dev/ebr[0-9]+ u:object_r:ebr_device:s0
+/dev/eemcs.* u:object_r:eemcs_device:s0
+/dev/emd.* u:object_r:emd_device:s0
+/dev/etb u:object_r:etb_device:s0
+/dev/exm0(/.*)? u:object_r:exm0_device:s0
+/dev/expdb(/.*)? u:object_r:expdb_device:s0
+/dev/fat(/.*)? u:object_r:fat_device:s0
+/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0
+/dev/fm(/.*)? u:object_r:fm_device:s0
+/dev/fw_log_wmt u:object_r:fw_log_wmt_device:s0
+/dev/fw_log_wifi u:object_r:fw_log_wifi_device:s0
+#/dev/gps(/.*)? u:object_r:gps_device:s0
+/dev/geofence(/.*)? u:object_r:geo_device:s0
+/dev/fw_log_gps u:object_r:fw_log_gps_device:s0
+#/dev/mt3337_gpsonly u:object_r:gps_device:s0
+/dev/hdmitx(/.*)? u:object_r:graphics_device:s0
+/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0
+/dev/ion(/.*)? u:object_r:ion_device:s0
+/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0
+/dev/flashlight(/.*)? u:object_r:flashlight_device:s0
+/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0
+/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0
+/dev/seninf(/.*)? u:object_r:seninf_device:s0
+/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0
+/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0
+/dev/logo(/.*)? u:object_r:logo_device:s0
+/dev/loop-control(/.*)? u:object_r:loop-control_device:s0
+/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
+/dev/mali.* u:object_r:gpu_device:s0
+/dev/MATV(/.*)? u:object_r:MATV_device:s0
+/dev/mbr(/.*)? u:object_r:mbr_device:s0
+/dev/md32(/.*)? u:object_r:md32_device:s0
+/dev/scp(/.*)? u:object_r:scp_device:s0
+/dev/scp_B(/.*)? u:object_r:scp_device:s0
+/dev/sspm(/.*)? u:object_r:sspm_device:s0
+/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0
+/dev/misc(/.*)? u:object_r:misc_device:s0
+/dev/misc2(/.*)? u:object_r:misc2_device:s0
+/dev/MJC(/.*)? u:object_r:MJC_device:s0
+/dev/mmp(/.*)? u:object_r:mmp_device:s0
+/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0
+/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0
+/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0
+/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0
+/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0
+/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0
+/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0
+/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0
+/dev/mt6605 u:object_r:mt6605_device:s0
+/dev/st21nfc u:object_r:st21nfc_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0
+/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0
+/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0
+/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
+/dev/mtk_disp.* u:object_r:graphics_device:s0
+/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0
+/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0
+/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0
+/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0
+/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0
+/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0
+/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0
+/dev/mdp_device(/.*)? u:object_r:mdp_device:s0
+/dev/mdp_sync(/.*)? u:object_r:mtk_mdp_device:s0
+/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0
+/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0
+/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0
+/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0
+/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0
+/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0
+/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0
+/dev/network.* u:object_r:network_device:s0
+/dev/nvram(/.*)? u:object_r:nvram_device:s0
+/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0
+/dev/otp u:object_r:otp_device:s0
+/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0
+/dev/pmt(/.*)? u:object_r:pmt_device:s0
+/dev/preloader(/.*)? u:object_r:preloader_device:s0
+/dev/pro_info(/.*)? u:object_r:pro_info_device:s0
+/dev/protect_f(/.*)? u:object_r:protect_f_device:s0
+/dev/protect_s(/.*)? u:object_r:protect_s_device:s0
+/dev/psaux(/.*)? u:object_r:psaux_device:s0
+/dev/ptmx(/.*)? u:object_r:ptmx_device:s0
+/dev/ptyp.* u:object_r:ptyp_device:s0
+/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0
+/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0
+/dev/recovery(/.*)? u:object_r:recovery_device:s0
+/dev/rfkill(/.*)? u:object_r:rfkill_device:s0
+/dev/rtc[0-9]+ u:object_r:rtc_device:s0
+/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0
+/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0
+/dev/seccfg(/.*)? u:object_r:seccfg_device:s0
+/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0
+/dev/sec(/.*)? u:object_r:sec_device:s0
+/dev/tee1 u:object_r:tee_part_device:s0
+/dev/tee2 u:object_r:tee_part_device:s0
+/dev/sensor(/.*)? u:object_r:sensor_device:s0
+/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0
+/dev/snapshot(/.*)? u:object_r:snapshot_device:s0
+/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0
+/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0
+/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
+/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
+/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0
+/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0
+/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0
+/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
+/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
+/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
+/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
+/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
+/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
+/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
+/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0
+/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0
+/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0
+/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0
+/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0
+/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
+/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
+/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
+/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
+/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
+/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0
+/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0
+/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0
+/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0
+/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0
+/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0
+/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0
+/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0
+/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0
+/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0
+/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
+/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
+/dev/socket/rild-via u:object_r:rild_via_socket:s0
+/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
+/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
+/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/rpc u:object_r:rpc_socket:s0
+/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0
+/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
+/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
+/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
+/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
+/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
+/dev/stpant(/.*)? u:object_r:stpant_device:s0
+/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
+/dev/fw_log_bt u:object_r:fw_log_bt_device:s0
+/dev/stpgps u:object_r:mnld_device:s0
+/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
+/dev/gpsdl0 u:object_r:mnld_device:s0
+/dev/gpsdl0(/.*)? u:object_r:gpsdl_device:s0
+/dev/gpsdl1 u:object_r:mnld_device:s0
+/dev/gpsdl1(/.*)? u:object_r:gpsdl_device:s0
+/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
+/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0
+/dev/tgt(/.*)? u:object_r:tgt_device:s0
+/dev/touch(/.*)? u:object_r:touch_device:s0
+/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0
+/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyC1 u:object_r:mdlog_device:s0
+/dev/ttyC2 u:object_r:agps_device:s0
+/dev/ttyC3 u:object_r:icusb_device:s0
+/dev/ttyC6 u:object_r:nlop_device:s0
+/dev/ttyGS.* u:object_r:ttyGS_device:s0
+/dev/ttyMT.* u:object_r:ttyMT_device:s0
+/dev/ttyS.* u:object_r:ttyS_device:s0
+/dev/ttyp.* u:object_r:ttyp_device:s0
+/dev/ttySDIO.* u:object_r:ttySDIO_device:s0
+/dev/ttyUSB0 u:object_r:tty_device:s0
+/dev/ttyUSB1 u:object_r:tty_device:s0
+/dev/ttyUSB2 u:object_r:tty_device:s0
+/dev/ttyUSB3 u:object_r:tty_device:s0
+/dev/ttyUSB4 u:object_r:tty_device:s0
+/dev/TV-out(/.*)? u:object_r:TV_out_device:s0
+/dev/uboot(/.*)? u:object_r:uboot_device:s0
+/dev/uibc(/.*)? u:object_r:uibc_device:s0
+/dev/uinput(/.*)? u:object_r:uinput_device:s0
+/dev/uio0(/.*)? u:object_r:uio0_device:s0
+/dev/usrdata(/.*)? u:object_r:usrdata_device:s0
+/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0
+/dev/vmodem u:object_r:vmodem_device:s0
+/dev/vow(/.*)? u:object_r:vow_device:s0
+/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0
+/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
+/dev/ancservice(/.*)? u:object_r:ancservice_device:s0
+/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0
+/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0
+/dev/adsp(/.*)? u:object_r:adsp_device:s0
+/dev/audio_scp(/.*)? u:object_r:audio_scp_device:s0
+/dev/irtx u:object_r:irtx_device:s0
+/dev/spm(/.*)? u:object_r:spm_device:s0
+/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0
+/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0
+/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0
+/dev/shf u:object_r:shf_device:s0
+/dev/ttyACM0 u:object_r:ttyACM_device:s0
+/dev/hrm u:object_r:hrm_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/nebula-ipc-dev0 u:object_r:tee_device:s0
+/dev/mbim u:object_r:mbim_device:s0
+/dev/alarm(/.*)? u:object_r:alarm_device:s0
+##########################
+# Sensor common Devices Start
+#
+/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
+/dev/barometer(/.*)? u:object_r:barometer_device:s0
+/dev/humidity(/.*)? u:object_r:humidity_device:s0
+/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
+/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
+/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
+/dev/msensor(/.*)? u:object_r:msensor_device:s0
+/dev/biometric(/.*)? u:object_r:biometric_device:s0
+/dev/sensorlist(/.*)? u:object_r:sensorlist_device:s0
+##########################
+# Sensor Devices Start
+#
+/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0
+##########################
+# Sensor bio Devices Start
+#
+/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0
+/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0
+/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0
+/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0
+/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0
+/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0
+/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0
+/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0
+/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0
+/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0
+/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0
+/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0
+/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0
+
+# block partition definitions
+/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0
+/dev/block/sda u:object_r:preloader_block_device:s0
+/dev/block/sdb u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0
+/dev/block/sdc u:object_r:bootdevice_block_device:s0
+/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
+/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para u:object_r:boot_para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
+
+/dev/block/platform/bootdevice/by-name/proinfo u:object_r:nvram_device:s0
+/dev/block/platform/bootdevice/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/bootdevice/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/platform/bootdevice/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/bootdevice/by-name/expdb u:object_r:expdb_block_device:s0
+/dev/block/platform/bootdevice/by-name/misc2 u:object_r:misc2_block_device:s0
+/dev/block/platform/bootdevice/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/bootdevice/by-name/para u:object_r:para_block_device:s0
+/dev/block/platform/bootdevice/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/bootdevice/by-name/seccfg u:object_r:seccfg_block_device:s0
+/dev/block/platform/bootdevice/by-name/secro u:object_r:secro_block_device:s0
+/dev/block/platform/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/bootdevice/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/bootdevice/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/bootdevice/by-name/protect1 u:object_r:protect1_block_device:s0
+/dev/block/platform/bootdevice/by-name/protect2 u:object_r:protect2_block_device:s0
+/dev/block/platform/bootdevice/by-name/keystore u:object_r:keystore_block_device:s0
+/dev/block/platform/bootdevice/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/bootdevice/by-name/nvcfg u:object_r:nvcfg_block_device:s0
+/dev/block/platform/bootdevice/by-name/sec1 u:object_r:sec1_block_device:s0
+/dev/block/platform/bootdevice/by-name/boot_para u:object_r:boot_para_block_device:s0
+/dev/block/platform/bootdevice/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/bootdevice/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0
+/dev/block/platform/bootdevice/by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/platform/bootdevice/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/platform/bootdevice/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
+/dev/block/platform/bootdevice/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/platform/bootdevice/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+/dev/block/platform/bootdevice/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
+/dev/block/platform/bootdevice/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/bootdevice/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/bootdevice/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
+/dev/block/platform/bootdevice/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/bootdevice/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
+/dev/block/platform/bootdevice/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/bootdevice/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/bootdevice/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
+/dev/block/platform/bootdevice/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
+/dev/block/platform/bootdevice/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
+/dev/block/platform/bootdevice/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0
+/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
+/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
+
+# Key manager
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0
+/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0
+
+# W19.23 Q new feature - Userdata Checkpoint
+/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
+
+#############################
+# System files
+#
+/(system\/vendor|vendor)/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
+/(system\/vendor|vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0
+/(system\/vendor|vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0
+/(system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
+/(system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
+/(system\/vendor|vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0
+/(system\/vendor|vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
+/(system\/vendor|vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0
+/(system\/vendor|vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
+/(system\/vendor|vendor)/bin/MtkCodecService u:object_r:MtkCodecService_exec:s0
+/(system\/vendor|vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0
+/(system\/vendor|vendor)/bin/muxreport u:object_r:muxreport_exec:s0
+/(system\/vendor|vendor)/bin/nvram_agent_binder u:object_r:nvram_agent_binder_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service u:object_r:nvram_agent_binder_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service-lazy u:object_r:nvram_agent_binder_exec:s0
+/(system\/vendor|vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
+/(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0
+/(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
+/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
+/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
+/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
+/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
+
+/(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0
+/(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0
+/(system\/vendor|vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0
+/(system\/vendor|vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0
+/(system\/vendor|vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
+/(system\/vendor|vendor)/bin/factory u:object_r:factory_exec:s0
+
+/(system\/vendor|vendor)/bin/mnld u:object_r:mnld_exec:s0
+#/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
+
+/(system\/vendor|vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-mediatek u:object_r:mtk_hal_gnss_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.audio@5\.0-service-mediatek u:object_r:mtk_hal_audio_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
+/(system\/vendor|vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0
+/(system\/vendor|vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek-lazy u:object_r:mtk_hal_light_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0
+/(system\/vendor|vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
+
+# Google Trusty system files
+/(vendor|system\/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
+
+#PQ hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
+#MMS hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service u:object_r:mtk_hal_mms_exec:s0
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service-lazy u:object_r:mtk_hal_mms_exec:s0
+# Keymaster Attestation Hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
+#ST NFC 1.2 hidl service
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0
+# MTK Wifi Hal
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-mediatek u:object_r:mtk_hal_wifi_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy-mediatek u:object_r:mtk_hal_wifi_exec:s0
+# MTK USB hal
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.usb@1\.1-service-mediatek u:object_r:mtk_hal_usb_exec:s0
+# MTK OMAPI for UICC
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0
+
+#gpu hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.gpu@1\.0-service u:object_r:mtk_hal_gpu_exec:s0
+
+#############################
+# System/bin files
+
+#hidl process merging
+/(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0
+
+
+###############################################
+# same-process HAL files and their dependencies
+#
+/vendor/lib(64)?/hw/gralloc\.mt[0-9]+[a-z]*\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libIMGegl\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libglslcompiler\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libsrv_um\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libmpvr\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libusc\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libtqvalidate\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVROCL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libufwriter\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libPVRTrace\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libGLES_mali\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_ulit\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libpq_prot\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhdrvideo\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libscltm\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libladder\.so u:object_r:same_process_hal_file:s0
+
+/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0
+
+/vendor/bin/hw/vendor\.mediatek\.hardware\.log@1\.0-service u:object_r:aee_hal_exec:s0
+
+/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
+
+/vendor/bin/em_hidl u:object_r:em_hidl_exec:s0
+
+/vendor/bin/hw/modemdbfilter_service u:object_r:modemdbfilter_service_exec:s0
+
+# Date: 2018/07/06
+# Purpose for same-process HAL files and their dependencies: libGLES_mali.so need libm4u.so on mali GPU.
+/vendor/lib(64)?/libm4u\.so u:object_r:same_process_hal_file:s0
+
+# Date: 2018/12/04
+# Purpose: Neuron runtime API and the dependencies
+/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0
+
+# Date: 2019/01/21
+# Purpose: OpenCL feature requirments
+/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
+
+#MRDUMP
+/dev/block/platform/bootdevice/by-name/mrdump(/.*)? u:object_r:mrdump_device:s0
+
+# Date: 2019/07/16
+# hdmi hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.hdmi@1\.0-service u:object_r:mtk_hal_hdmi_exec:s0
+
+#Widevine drm hal(include lazy hal)
+/vendor/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine u:object_r:hal_drm_widevine_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
+#Cleaarkey hal(include lazy hal)
+/vendor/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+/vendor/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0
+
+
+# Date : 2019/10/28
+# Purpose : move these contexts from plat_private/file_contexts
+/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
+/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
+/vendor/bin/aeev u:object_r:aee_aedv_exec:s0
diff --git a/r_non_plat/fm_hidl_service.te b/r_non_plat/fm_hidl_service.te
new file mode 100644
index 0000000..30509ca
--- /dev/null
+++ b/r_non_plat/fm_hidl_service.te
@@ -0,0 +1,19 @@
+# Set a new domain
+type fm_hidl_service, domain;
+
+# Set domain as server domain of mtk_hal_fm
+hal_server_domain(fm_hidl_service, mtk_hal_fm)
+
+# Set exec file type
+type fm_hidl_service_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(fm_hidl_service)
+
+#add_hwservice(hal_fm_server, mtk_hal_fm_service)
+
+vndbinder_use(fm_hidl_service)
+
+#r_dir_file(fm_hidl_service, system_file)
+
+allow fm_hidl_service fm_device:chr_file { rw_file_perms }; \ No newline at end of file
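Review bot: The last rule wraps a single macro in braces, `allow fm_hidl_service fm_device:chr_file { rw_file_perms };`, and the file ends without a newline; `allow fm_hidl_service fm_device:chr_file rw_file_perms;` followed by a newline matches the other .te files in this merge. The two commented-out rules (`#add_hwservice(...)` and `#r_dir_file(fm_hidl_service, system_file)`) are dead policy with no note on why they are kept; either drop them or add a one-line reason such as `# kept for reference: hwservice is registered via hal_server_domain above`, so a later reader does not re-enable system_file access by accident.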
diff --git a/r_non_plat/fsck.te b/r_non_plat/fsck.te
new file mode 100644
index 0000000..635d3c7
--- /dev/null
+++ b/r_non_plat/fsck.te
@@ -0,0 +1,18 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK15.29
+# Operation : Migration
+# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices.
+allow fsck protect1_block_device:blk_file rw_file_perms;
+allow fsck protect2_block_device:blk_file rw_file_perms;
+allow fsck nvdata_device:blk_file rw_file_perms;
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck nvcfg_block_device:blk_file rw_file_perms;
+allow fsck odm_block_device:blk_file rw_file_perms;
+allow fsck oem_block_device:blk_file rw_file_perms;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow fsck system_block_device:blk_file getattr;
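Review bot: The `odm_block_device` and `oem_block_device` rw grants at the end of the first group are not covered by the Purpose comment, which lists only protect1/protect2/nvdata/persist/nvcfg, and if odm/oem are dm-verity protected like system an fsck repair write would corrupt the hash tree — presumably the reason system_block_device is limited to `getattr` on the last line. If those partitions are mounted read-only under verity, narrow them to `allow fsck { odm_block_device oem_block_device }:blk_file getattr;`; if they are genuinely writable, extend the comment to say so. The WK17.12 block's "Fix bootup fail" also does not say why fsck needs to stat the system device; naming the fstab entry or mount step that triggers the denial would make the grant reviewable.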
diff --git a/r_non_plat/fuelgauged.te b/r_non_plat/fuelgauged.te
new file mode 100644
index 0000000..332043a
--- /dev/null
+++ b/r_non_plat/fuelgauged.te
@@ -0,0 +1,71 @@
+# ==============================================
+# Policy File of /system/bin/fuelgauged Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged ,domain;
+type fuelgauged_exec , exec_type, file_type, vendor_file_type;
+type fuelgauged_file, file_type, data_file_type;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : Fuel Gauge daemon for access driver node
+allow fuelgauged input_device:dir rw_dir_perms;
+allow fuelgauged input_device:file r_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For meta tool calibration
+allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg.log can be printed with kernel log
+allow fuelgauged kmsg_device:chr_file w_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg daemon can comminucate with kernel
+allow fuelgauged self:netlink_socket create;
+allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
+allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
+
+# Data : WK16.39
+allow fuelgauged self:capability { chown fsetid };
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow fuelgauged kernel:system module_request;
+
+# Date: W18.03
+# Operation : change fuelgagued access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+allow fuelgauged nvcfg_file:dir { search write open read add_name create getattr};
+allow fuelgauged nvcfg_file:file { read write getattr open create };
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged, sysfs_batteryinfo);
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged mnt_vendor_file:dir search;
+
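Review bot: `allow fuelgauged input_device:dir rw_dir_perms;` in the WK14.43 block gives the fuel-gauge daemon add_name/remove_name on /dev/input, which is more than a reader of event nodes needs, and the companion `input_device:file r_file_perms` targets the `file` class although nodes under /dev/input are character devices, so that line likely grants nothing the daemon uses. If it only reads an input node, `allow fuelgauged input_device:dir r_dir_perms;` plus `allow fuelgauged input_device:chr_file r_file_perms;` should be what the denials actually show — worth checking against the audit log. Separately, `allow fuelgauged kernel:system module_request;` lets the daemon trigger kernel auto-loading of modules by name, and "Add for A/B system" does not say which module; a comment naming it would let a reviewer judge the grant (module_request is the kind of rule platform neverallows target, so confirm it still builds against the R policy).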
diff --git a/r_non_plat/fuelgauged_nvram.te b/r_non_plat/fuelgauged_nvram.te
new file mode 100644
index 0000000..96862d9
--- /dev/null
+++ b/r_non_plat/fuelgauged_nvram.te
@@ -0,0 +1,66 @@
+# ==============================================
+# Policy File of /system/bin/fuelgauged_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged_nvram ,domain;
+type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type;
+type fuelgauged_nvram_file, file_type, data_file_type;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For fg daemon can do nvram r/w to save car_tune_value
+allow fuelgauged_nvram nvdata_file:dir rw_dir_perms;
+allow fuelgauged_nvram nvdata_file:file {rw_file_perms create_file_perms};
+allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;
+allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;
+
+allow fuelgauged_nvram fuelgauged_file:dir rw_dir_perms;
+allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms};
+
+# Data : W16.43
+# Operation : New Feature
+# Purpose : Change from /data to /cache
+allow fuelgauged_nvram self:capability { chown };
+allow fuelgauged_nvram kmsg_device:chr_file { write open };
+allow fuelgauged_nvram self:capability fsetid;
+
+# Data : W17.34
+# Operation : New Feature
+# Purpose : fgauge_nvram could use IOCTL
+allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: W18.03
+# Operation : change fuelgagued_nvram access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+# need add label
+allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr};
+allow fuelgauged_nvram nvcfg_file:file { read write getattr open create };
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged_nvram, sysfs_batteryinfo)
+
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged_nvram mnt_vendor_file:dir search;
+
+allow fuelgauged_nvram sysfs_boot_mode:file { open read };
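Review bot: `allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;` and the following nvdata_file lnk_file line grant write/open on symlinks, which is not normally checked for symlink operations — `read` is what is consulted when the link is followed — so `allow fuelgauged_nvram { nvram_data_file nvdata_file }:lnk_file read;` is the tight form unless the daemon creates the links itself. In the same group `{rw_file_perms create_file_perms}` is redundant because create_file_perms already includes rw_file_perms. The W16.43 block titled "Change from /data to /cache" now sits above a W18.03 block stating access moved from cache to nvcfg, so the justification for `chown` and `fsetid` is stale; say what the capabilities are still needed for (presumably chowning files under nvcfg — verify) and merge the two lines into `allow fuelgauged_nvram self:capability { chown fsetid };`.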
diff --git a/r_non_plat/genfs_contexts b/r_non_plat/genfs_contexts
new file mode 100644
index 0000000..003aa24
--- /dev/null
+++ b/r_non_plat/genfs_contexts
@@ -0,0 +1,254 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+#############################
+# proc files
+#
+genfscon proc /driver/thermal u:object_r:proc_thermal:s0
+genfscon proc /thermlmt u:object_r:proc_thermal:s0
+genfscon proc /fps_tm u:object_r:proc_thermal:s0
+genfscon proc /wmt_tm u:object_r:proc_thermal:s0
+genfscon proc /mobile_tm u:object_r:proc_thermal:s0
+genfscon proc /bcctlmt u:object_r:proc_thermal:s0
+genfscon proc /battery_status u:object_r:proc_thermal:s0
+genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
+genfscon proc /mtktz u:object_r:proc_mtktz:s0
+genfscon proc /lk_env u:object_r:proc_lk_env:s0
+genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
+genfscon proc /driver/icusb u:object_r:proc_icusb:s0
+genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
+genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
+genfscon proc /mtd u:object_r:proc_mtd:s0
+genfscon proc /ged u:object_r:proc_ged:s0
+genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0
+genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
+genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0
+genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
+genfscon proc /gpulog u:object_r:proc_gpulog:s0
+genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /sched_debug u:object_r:proc_sched_debug:s0
+genfscon proc /chip/hw_ver u:object_r:proc_chip:s0
+genfscon proc /chip/info u:object_r:proc_chip:s0
+genfscon proc /atf_log u:object_r:proc_atf_log:s0
+genfscon proc /gz_log u:object_r:proc_gz_log:s0
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
+genfscon proc /bootprof u:object_r:proc_bootprof:s0
+genfscon proc /pl_lk u:object_r:proc_pl_lk:s0
+genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0
+genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
+genfscon proc /pidmap u:object_r:proc_pidmap:s0
+genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
+genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
+genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
+
+# mtk EM FreqHopping setting
+genfscon proc /freqhopping/freqhopping_debug u:object_r:proc_freqhop:s0
+genfscon proc /freqhopping/status u:object_r:proc_freqhop:s0
+genfscon proc /freqhopping/dumpregs u:object_r:proc_freqhop:s0
+
+# mtk EM flash reading
+genfscon proc /partitions u:object_r:proc_partition:s0
+
+# Purpose dump not exit file
+genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0
+genfscon proc /isp_p2/isp_p2_kedump u:object_r:proc_isp_p2_kedump:s0
+genfscon proc /mali/memory_usage u:object_r:proc_memory_usage:s0
+genfscon proc /mtk_es_reg_dump u:object_r:proc_mtk_es_reg_dump:s0
+
+# Date : 2018/11/01
+# Purpose : mtk EM c2k bypass read usb file
+genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+genfscon proc /m4u u:object_r:proc_m4u:s0
+
+
+#############################
+# sysfs files
+#
+genfscon sysfs /bus/platform/drivers/mtk-kpd u:object_r:sysfs_keypad_file:s0
+genfscon sysfs /power/vcorefs/pwr_ctrl u:object_r:sysfs_vcorefs_pwrctrl:s0
+genfscon sysfs /power/dcm_state u:object_r:sysfs_dcm:s0
+genfscon sysfs /power/mtkdcs/mode u:object_r:sysfs_dcs:s0
+genfscon sysfs /power/mtkpasr/execstate u:object_r:sysfs_execstate:s0
+genfscon sysfs /mtk_ssw u:object_r:sysfs_ssw:s0
+
+# Date : 2018/06/15
+# Purpose : mtk EM Audio headset detect
+genfscon sysfs /bus/platform/drivers/Accdet_Driver/state u:object_r:sysfs_headset:s0
+genfscon sysfs /bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
+genfscon sysfs /bus/platform/drivers/meta_com_type_info/meta_com_type_info u:object_r:sysfs_comport_type:s0
+genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:object_r:sysfs_uart_info:s0
+
+genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/charger/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
+genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
+genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/mt6333-user u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/mt6311-user u:object_r:sysfs_pmu:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/dual_role_usb u:object_r:sysfs_dual_role_usb20:s0
+genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_cmode:s0
+
+genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
+genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0
+
+genfscon sysfs /devices/virtual/misc/md32 u:object_r:sysfs_md32:s0
+genfscon sysfs /devices/virtual/misc/scp u:object_r:sysfs_scp:s0
+genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0
+genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0
+genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0
+
+# Date : 2019/09/12
+genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
+genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
+
+genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
+
+genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
+
+genfscon sysfs /kernel/ccci u:object_r:sysfs_ccci:s0
+
+# Date : 2018/06/15
+# Purpose : mtk EM touchscreen settings
+genfscon sysfs /module/tpd_debug u:object_r:sysfs_tpd_debug:s0
+genfscon sysfs /module/tpd_setting u:object_r:sysfs_tpd_setting:s0
+genfscon sysfs /power/vcorefs/vcore_debug u:object_r:sysfs_vcore_debug:s0
+genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
+
+# Date: 2018/08/09
+#Purpose : MTK Vibrator
+genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
+# Date : 2018/08/109
+# Purpose : mtk EM Power debug_log setting
+genfscon sysfs /devices/platform/spm u:object_r:sysfs_spm:s0
+
+# Date : 2018/11/01
+# Purpose : mtk EM c2k bypass read usb file
+genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0
+
+#Date : 2018/11/22
+#Purpose: allow mdlogger to read mdinfo file
+genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0
+
+# Date : 2019/04/09
+# Purpose: mtk EM battery temprature settings
+genfscon sysfs /devices/platform/battery/Battery_Temperature u:object_r:sysfs_battery_temp:s0
+genfscon sysfs /devices/platform/battery/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
+genfscon sysfs /devices/platform/battery/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
+genfscon sysfs /devices/platform/battery/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
+genfscon sysfs /devices/platform/battery/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
+genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:s0
+
+# Date : 2019/07/03
+# Purpose: SIU update mmcblk access
+genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
+genfscon sysfs /devices/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
+#genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_mmcblk:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_mmcblk:s0
+genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_mmcblk:s0
+
+# Date : 2019/07/12
+# Purpose:dumpstate mmcblk1 access
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
+
+# Date : 2019/10/22
+# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
+genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
+
+#############################
+# debugfs files
+#
+genfscon debugfs /binder u:object_r:debugfs_binder:s0
+genfscon debugfs /blockio u:object_r:debugfs_blockio:s0
+genfscon debugfs /cpuhvfs u:object_r:debugfs_cpuhvfs:s0
+genfscon debugfs /displowpower u:object_r:debugfs_fb:s0
+genfscon debugfs /disp u:object_r:debugfs_fb:s0
+genfscon debugfs /dispsys u:object_r:debugfs_fb:s0
+genfscon debugfs /dmlog u:object_r:debugfs_dmlog_debug:s0
+genfscon debugfs /dynamic_debug u:object_r:debugfs_dynamic_debug:s0
+genfscon debugfs /emi_mbw/dump_buf u:object_r:debugfs_emi_mbw_buf:s0
+genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0
+genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0
+genfscon debugfs /fuseio u:object_r:debugfs_fuseio:s0
+genfscon debugfs /ged u:object_r:debugfs_ged:s0
+genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0
+genfscon debugfs /ion/heaps u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /ion/ion_mm_heap u:object_r:debugfs_ion_mm_heap:s0
+genfscon debugfs /kmemleak u:object_r:debugfs_kmemleak:s0
+genfscon debugfs /mali0/gpu_memory u:object_r:debugfs_gpu_mali_midgard:s0
+genfscon debugfs /mali/gpu_memory u:object_r:debugfs_gpu_mali_utgard:s0
+genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0
+genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0
+genfscon debugfs /musb-hdrc u:object_r:debugfs_usb:s0
+genfscon debugfs /page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0
+genfscon debugfs /pvr u:object_r:debugfs_gpu_img:s0
+genfscon debugfs /rcu u:object_r:debugfs_rcu:s0
+genfscon debugfs /shrinker u:object_r:debugfs_shrinker_debug:s0
+genfscon debugfs /usb20_phy u:object_r:debugfs_usb20_phy:s0
+genfscon debugfs /usb_c u:object_r:debugfs_usb:s0
+genfscon debugfs /vpu/device_dbg u:object_r:debugfs_vpu_device_dbg:s0
+
+# mtk VPU/MDLA power reading
+genfscon debugfs /vpu/power u:object_r:debugfs_vpu_power:s0
+genfscon debugfs /mdla/power u:object_r:debugfs_mdla_power:s0
+genfscon debugfs /vpu/vpu_memory u:object_r:debugfs_vpu_memory:s0
+
+# mtk eara thermal reading
+genfscon debugfs /eara_thermal/enable u:object_r:debugfs_eara_thermal:s0
+
+# mtk EM power PMU register
+genfscon debugfs /rt-regmap u:object_r:debugfs_regmap:s0
+
+# 2019/08/15
+genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
+
+genfscon iso9660 / u:object_r:iso9660:s0
+genfscon rawfs / u:object_r:rawfs:s0
+genfscon fuseblk / u:object_r:fuseblk:s0
+
+# 2019/08/24
+genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
+genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
+
+# MTEE trusty
+genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
+
+# Date : 2019/08/29
+# Purpose: allow rild to access /proc/aed/reboot-reason
+genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
+
+
+# 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+genfscon proc /ppm u:object_r:proc_ppm:s0
+genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
+genfscon proc /hps u:object_r:proc_hps:s0
+genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
+genfscon proc /ca_drv u:object_r:proc_ca_drv:s0
+genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
+genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
+genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
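Review bot: `genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0` in the 2019/09/12 pair looks like a mistyped path — sysfs exposes class links under /sys/class rather than /sys/devices/class — so it is probably a dead entry while the preceding /devices/virtual/thermal line covers the real nodes; confirm with `ls -Z /sys/class/thermal` on a device before keeping it. Because genfscon labels apply by longest path prefix, a comment at the top of the sysfs section such as `# genfscon is a longest-prefix match: a directory's label covers everything beneath it unless a more specific entry exists` would explain why /devices/platform/battery and its Battery_Temperature child legitimately carry different types, and why short prefixes like `proc /ged` or `debugfs /disp` also catch any sibling names that start the same way. Minor: the date on the spm entry reads 2018/08/109.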
diff --git a/r_non_plat/gpuservice.te b/r_non_plat/gpuservice.te
new file mode 100644
index 0000000..0fa7d06
--- /dev/null
+++ b/r_non_plat/gpuservice.te
@@ -0,0 +1,8 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK19.31
+# Operation : Migration
+# Purpose : [ALPS04685294] com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements-fail
+allow gpuservice gpu_device:dir search;
diff --git a/r_non_plat/gsm0710muxd.te b/r_non_plat/gsm0710muxd.te
new file mode 100644
index 0000000..2596e18
--- /dev/null
+++ b/r_non_plat/gsm0710muxd.te
@@ -0,0 +1,41 @@
+# ==============================================
+# Policy File of /system/bin/gsm0710muxd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type gsm0710muxd, domain;
+type gsm0710muxd_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(gsm0710muxd)
+
+# Capabilities assigned for gsm0710muxd
+allow gsm0710muxd self:capability { chown fowner setuid };
+
+# Property service
+# Set ctl.ril-daemon property
+#set_prop(gsm0710muxd, ctl_rildaemon_prop)
+set_prop(gsm0710muxd, ctl_ril-daemon-mtk_prop)
+set_prop(gsm0710muxd, ctl_fusion_ril_mtk_prop)
+set_prop(gsm0710muxd, gsm0710muxd_prop)
+set_prop(gsm0710muxd, vendor_radio_prop)
+# allow set muxreport control properties
+set_prop(gsm0710muxd, ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
+allow gsm0710muxd device:dir rw_dir_perms;
+allow gsm0710muxd device:lnk_file { create unlink };
+allow gsm0710muxd devpts:chr_file setattr;
+allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow gsm0710muxd sysfs_ccci:dir search;
+allow gsm0710muxd sysfs_ccci:file r_file_perms;
+
+#Date: W1818
+#Purpose: allow rild access property of vendor_radio_prop
+set_prop(rild, vendor_radio_prop)
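Review bot: `allow gsm0710muxd device:dir rw_dir_perms;` together with `allow gsm0710muxd device:lnk_file { create unlink };` lets the mux daemon create and remove arbitrary symlinks directly under /dev, and a new link inherits the generic `device` type, so any other domain that follows links in /dev could be redirected to a node of the daemon's choosing. If it only manages its own pts/tty links, give those a dedicated type via a `type_transition` (or have init create them) and drop the generic grant. The `setuid` capability in the first capability line also deserves a comment on which uid it switches to, since `{ chown fowner setuid }` is a broad set for a daemon that also gets `devpts:chr_file setattr`. Separately, the final `set_prop(rild, vendor_radio_prop)` applies to the rild domain, not gsm0710muxd, and belongs in rild.te so each .te file stays the single place to audit one domain's grants.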
diff --git a/r_non_plat/hal_audio.te b/r_non_plat/hal_audio.te
new file mode 100644
index 0000000..9245891
--- /dev/null
+++ b/r_non_plat/hal_audio.te
@@ -0,0 +1,10 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
diff --git a/r_non_plat/hal_bootctl_default.te b/r_non_plat/hal_bootctl_default.te
new file mode 100644
index 0000000..5c2afda
--- /dev/null
+++ b/r_non_plat/hal_bootctl_default.te
@@ -0,0 +1,14 @@
+# Add for bootctl
+#============= hal_bootctl_default ==============
+allow hal_bootctl_default para_block_device:blk_file { read open write};
+allow hal_bootctl_default rootfs:file { read getattr open };
+allow hal_bootctl_default sysfs:dir { read open };
+allow hal_bootctl_default sysfs_boot_type:file { read open };
+allow hal_bootctl_default block_device:dir search;
+allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
+allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;
+allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl MMC_IOCTLCMD;
+allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl UFS_IOCTLCMD;
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
+allow hal_bootctl_default self:capability sys_rawio; \ No newline at end of file
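Review bot: `allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;` gives the boot-control HAL unrestricted read/write on the whole raw boot device (every partition, bootloader images included), and the two `allowxperm` lines only filter ioctl numbers, not plain write(). If slot switching goes through the para partition granted above plus the MMC/UFS ioctls, this line can likely be reduced to `allow hal_bootctl_default bootdevice_block_device:blk_file { open read ioctl };` — confirm from the HAL source which device it actually writes. The `sys_rawio` capability on the last line should carry a comment naming the operation that needs it (presumably the MMC command ioctl, which the kernel gates on CAP_SYS_RAWIO — verify). Minor: `sysfs_boot_type:file { read open }` and the later `r_file_perms` on the same type are redundant, and the file has no trailing newline.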
diff --git a/r_non_plat/hal_cas_default.te b/r_non_plat/hal_cas_default.te
new file mode 100644
index 0000000..4e23d6b
--- /dev/null
+++ b/r_non_plat/hal_cas_default.te
@@ -0,0 +1,5 @@
+# Date : 2017/08/14
+# Operation : O1 Migration
+# Purpose : hal_cas_default needs to use vendor binder to communicate
+vndbinder_use(hal_cas_default);
+
diff --git a/r_non_plat/hal_drm_clearkey.te b/r_non_plat/hal_drm_clearkey.te
new file mode 100644
index 0000000..2445adb
--- /dev/null
+++ b/r_non_plat/hal_drm_clearkey.te
@@ -0,0 +1,12 @@
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey);
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
+allow hal_drm_clearkey hal_allocator_server:fd use;
diff --git a/r_non_plat/hal_drm_default.te b/r_non_plat/hal_drm_default.te
new file mode 100644
index 0000000..465ec55
--- /dev/null
+++ b/r_non_plat/hal_drm_default.te
@@ -0,0 +1,6 @@
+vndbinder_use(hal_drm_default);
+
+#============= hal_drm_default ==============
+allow hal_drm_default debugfs_tracing:file write;
+allow hal_drm_default debugfs_ion:dir search;
+
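Review bot: `allow hal_drm_default debugfs_tracing:file write;` grants ftrace writes unconditionally, and the same unguarded debugfs_tracing grants appear in the hal_graphics_allocator_default, hal_graphics_composer_default and keystore.te (hal_keymaster_default) hunks of this commit. If these exist only for tracing on engineering loads, wrapping each in a userdebug_or_eng() block keeps them off user builds, which matters because the merged change list itself adds a debugfs neverallow; if they must remain on user builds, a one-line comment saying so would stop the next reviewer from removing them. Whether the platform's debugfs neverallow exempts these domains cannot be determined from this hunk.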
diff --git a/r_non_plat/hal_drm_widevine.te b/r_non_plat/hal_drm_widevine.te
new file mode 100644
index 0000000..c3705ba
--- /dev/null
+++ b/r_non_plat/hal_drm_widevine.te
@@ -0,0 +1,16 @@
+# define SELinux domain
+type hal_drm_widevine, domain;
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_drm_widevine)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine);
+hal_client_domain(hal_drm_widevine, hal_graphics_composer);
+allow hal_drm_widevine hal_allocator_server:fd use;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+
diff --git a/r_non_plat/hal_gnss.te b/r_non_plat/hal_gnss.te
new file mode 100644
index 0000000..eee7a92
--- /dev/null
+++ b/r_non_plat/hal_gnss.te
@@ -0,0 +1,2 @@
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(hal_gnss)
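Review bot: `vndbinder_use(hal_gnss)` is applied to the hal_gnss attribute rather than to the server domain, and under the AOSP HAL attribute scheme that attribute is also carried by client domains (to support passthrough mode), so every hal_gnss client would inherit vendor-binder access as well; if a coredomain such as system_server is a hal_gnss client this is likely to collide with the platform's coredomain/vndbinder neverallows at build or CTS time. The TODO already admits this is a workaround, so it should at least say what fails without it and, if only the MTK server needs vendor binder, target that domain instead, e.g. `vndbinder_use(hal_gnss_default)`. Which domains are hal_gnss clients is not visible from this hunk.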
diff --git a/r_non_plat/hal_gnss_default.te b/r_non_plat/hal_gnss_default.te
new file mode 100644
index 0000000..884aacf
--- /dev/null
+++ b/r_non_plat/hal_gnss_default.te
@@ -0,0 +1,7 @@
+# Communicate over a socket created by mnld process.
+allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
+allow hal_gnss_default mnld_data_file:sock_file rw_file_perms;
+allow hal_gnss_default mnld_data_file:dir create_file_perms;
+allow hal_gnss_default mnld_data_file:dir rw_dir_perms;
+
+allow hal_gnss_default mnld:unix_dgram_socket sendto;
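Review bot: `allow hal_gnss_default mnld_data_file:dir create_file_perms;` applies a file permission set to the dir class, and the `rw_dir_perms` line beneath it then overlaps it; the idiomatic form is the single line `allow hal_gnss_default mnld_data_file:dir create_dir_perms;`. In the same way `sock_file create_file_perms` already contains `rw_file_perms`, so the second sock_file line is redundant. Collapsing the four lines to two makes the actual grant (create and use sockets under mnld_data_file) readable at a glance.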
diff --git a/r_non_plat/hal_gpu.te b/r_non_plat/hal_gpu.te
new file mode 100644
index 0000000..6020588
--- /dev/null
+++ b/r_non_plat/hal_gpu.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_gpu_client, hal_gpu_server)
+binder_call(hal_gpu_server, hal_gpu_client)
+
+# give permission for hal client
+allow hal_gpu_client mtk_hal_gpu_hwservice :hwservice_manager find;
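Review bot: `allow hal_gpu_client mtk_hal_gpu_hwservice :hwservice_manager find;` (note the stray space before the colon) hand-writes one half of what `hal_attribute_hwservice(hal_gpu, mtk_hal_gpu_hwservice)` provides, the form the hal_audio.te hunk earlier in this commit already uses and which also grants the server side `add_hwservice`. The same hand-written pattern appears in the hal_hdmi, hal_imsa, hal_mms and hal_pq hunks, and the hal_nvramagent hunk spells out both halves by hand; replacing each with the one-line macro keeps client find and server add in step. If the servers' `add_hwservice` lines live in files outside this chunk, the macro would make those lines redundant rather than conflicting.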
diff --git a/r_non_plat/hal_graphics_allocator.te b/r_non_plat/hal_graphics_allocator.te
new file mode 100644
index 0000000..6da702d
--- /dev/null
+++ b/r_non_plat/hal_graphics_allocator.te
@@ -0,0 +1,5 @@
+# Date : WK17.13
+# Operation : Add sepolicy
+# Purpose : Add policy for gralloc HIDL
+
+allow hal_graphics_allocator proc_ged:file r_file_perms;
diff --git a/r_non_plat/hal_graphics_allocator_default.te b/r_non_plat/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..a968437
--- /dev/null
+++ b/r_non_plat/hal_graphics_allocator_default.te
@@ -0,0 +1,24 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default gpu_device:dir search;
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default sw_sync_device:chr_file { open read write getattr ioctl };
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default debugfs_ion:dir search;
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default debugfs_tracing:file write;
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default debugfs_tracing:file open;
+
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default proc_ged:file r_file_perms;
+allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
+
+#============= hal_graphics_allocator_default ==============
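Review bot: The file reads as an audit2allow paste: the `#============= hal_graphics_allocator_default ==============` banner is repeated before every rule and once more at the end with nothing under it, and `sw_sync_device:chr_file { open read write getattr ioctl }` is roughly `rw_file_perms` minus `lock`, `map` and `append`. Keep one banner, group the rules, and write the sw_sync line as `allow hal_graphics_allocator_default sw_sync_device:chr_file rw_file_perms;` if the extra bits are acceptable, or leave it explicit with a comment saying why `map` is deliberately withheld. The two debugfs_tracing lines can also be merged into `allow hal_graphics_allocator_default debugfs_tracing:file { open write };`.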
diff --git a/r_non_plat/hal_graphics_composer_default.te b/r_non_plat/hal_graphics_composer_default.te
new file mode 100644
index 0000000..6f54e9f
--- /dev/null
+++ b/r_non_plat/hal_graphics_composer_default.te
@@ -0,0 +1,53 @@
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default debugfs_ged:dir search;
+
+# Date : WK17.09
+# Operation : Add sepolicy
+# Purpose : Add polivy for hwc HIDL
+
+allow hal_graphics_composer_default proc_ged:file r_file_perms;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
+
+# Date : WK17.21
+# Purpose: GPU driver required
+allow hal_graphics_composer_default sw_sync_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# Date : W17.24
+# Purpose: GPU driver required
+allow hal_graphics_composer_default gpu_device:dir search;
+
+allow hal_graphics_composer_default debugfs_ion:dir search;
+allow hal_graphics_composer_default debugfs_tracing:file write;
+allow hal_graphics_composer_default debugfs_tracing:file open;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };
+
+# Date : W17.30
+# Add for control PowerHAL
+allow hal_graphics_composer_default mtk_hal_power_hwservice:hwservice_manager find;
+binder_call(hal_graphics_composer_default, mtk_hal_power)
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access property
+set_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
+get_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
+set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop)
+set_prop(hal_graphics_composer_default, graphics_hwc_hdr_prop)
+
+# Date : WK18.03
+# Purpose: Allow to access property dev/mdp_sync
+allow hal_graphics_composer_default mtk_mdp_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
+allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2018/11/08
+# Operation : JPEG
+# Purpose : JPEG need to use PQ via MMS HIDL
+allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;
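Review bot: `allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;` sits under the `# Purpose: Allow to access property dev/mdp_sync` header, which describes the two mdp device lines above it rather than a TEE client path, and nothing records why the composer needs the trusted-execution-environment device or which ioctls it issues; a dedicated header such as `# Purpose: HWC uses TEE for <feature>; TODO restrict ioctl via allowxperm` would make the grant reviewable. The final block has the same drift: the header says `JPEG need to use PQ via MMS HIDL` but the rule is `sysfs_boot_mode:file r_file_perms`. `polivy` in the WK17.09 header is a typo for `policy`.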
diff --git a/r_non_plat/hal_hdmi.te b/r_non_plat/hal_hdmi.te
new file mode 100644
index 0000000..ea8e0c5
--- /dev/null
+++ b/r_non_plat/hal_hdmi.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_hdmi_client, hal_hdmi_server)
+binder_call(hal_hdmi_server, hal_hdmi_client)
+
+# give permission for hal client
+allow hal_hdmi_client mtk_hal_hdmi_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_imsa.te b/r_non_plat/hal_imsa.te
new file mode 100644
index 0000000..d517344
--- /dev/null
+++ b/r_non_plat/hal_imsa.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_imsa_client, hal_imsa_server)
+binder_call(hal_imsa_server, hal_imsa_client)
+
+# give permission for hal client
+allow hal_imsa_client mtk_hal_imsa_hwservice :hwservice_manager find; \ No newline at end of file
diff --git a/r_non_plat/hal_ir.te b/r_non_plat/hal_ir.te
new file mode 100644
index 0000000..2a01403
--- /dev/null
+++ b/r_non_plat/hal_ir.te
@@ -0,0 +1,4 @@
+#============= hal_ir_default ==============
+allow hal_ir_default irtx_device:chr_file rw_file_perms;
+allow hal_ir_default irtx_device:chr_file { ioctl open };
+allow hal_ir_default irtx_device:chr_file { read write }; \ No newline at end of file
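Review bot: The three rules collapse to one: `rw_file_perms` already contains `ioctl`, `open`, `read` and `write`, so the second and third lines add nothing and `allow hal_ir_default irtx_device:chr_file rw_file_perms;` on its own is the whole policy. Since the device is driven through ioctl, an `allowxperm hal_ir_default irtx_device:chr_file ioctl { <irtx_ioctls> };` line, with the set defined in ioctl_defines the way proc_ged is handled elsewhere in this commit, would limit the grant to the IR TX commands actually used. The file also lacks a trailing newline.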
diff --git a/r_non_plat/hal_keymaster_attestation.te b/r_non_plat/hal_keymaster_attestation.te
new file mode 100644
index 0000000..35b9b71
--- /dev/null
+++ b/r_non_plat/hal_keymaster_attestation.te
@@ -0,0 +1,17 @@
+type hal_keymaster_attestation, domain;
+hal_server_domain(hal_keymaster_attestation, mtk_hal_keyattestation)
+
+type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_keymaster_attestation)
+
+hwbinder_use(hal_keymaster_attestation);
+
+#============= hal_keymaster_attestation ==============
+allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
+
+# Date : WK17.42 2017/10/19
+# Operation: Keymaster 3.0
+# Purpose: Access attestation key in persist partition
+allow hal_keymaster_attestation mnt_vendor_file:dir search;
+allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
+allow hal_keymaster_attestation persist_data_file:file { write create open getattr };
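Review bot: The `persist_data_file` grants are write-only (`{ write search add_name }` on the dir, `{ write create open getattr }` on the file) while the header says the purpose is to access the attestation key; if the service only provisions the key, say so (`# Purpose: write provisioned attestation key blob into persist; never read back here`), and if it must also read it, `read` is missing and the failure will surface only as an avc denial at runtime. Separately, `tee_device:chr_file { read write open ioctl }` has no allowxperm filter even though this commit restricts ioctls on other devices; a note on whether the TEE driver's ioctl space was reviewed would help. The `mtk_hal_keyattestation` attribute used by `hal_server_domain` is declared outside this hunk.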
diff --git a/r_non_plat/hal_memtrack_default.te b/r_non_plat/hal_memtrack_default.te
new file mode 100644
index 0000000..8594ac3
--- /dev/null
+++ b/r_non_plat/hal_memtrack_default.te
@@ -0,0 +1,9 @@
+# Date : WK16.52
+# Operation : HIDL Migration
+# Purpose : For memtrack related service access
+allow hal_memtrack debugfs_gpu_mali_midgard:file {open read getattr };
+allow hal_memtrack debugfs_gpu_mali_utgard:file {open read getattr };
+allow hal_memtrack debugfs_gpu_img:dir search;
+allow hal_memtrack debugfs_gpu_img:file {open read getattr };
+allow hal_memtrack debugfs_ion:dir rw_dir_perms;
+allow hal_memtrack debugfs_ion:file {open read getattr };
diff --git a/r_non_plat/hal_mms.te b/r_non_plat/hal_mms.te
new file mode 100644
index 0000000..766ccac
--- /dev/null
+++ b/r_non_plat/hal_mms.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_mms_client, hal_mms_server)
+binder_call(hal_mms_server, hal_mms_client)
+
+# give permission for hal client
+allow hal_mms_client mtk_hal_mms_hwservice :hwservice_manager find;
diff --git a/prebuilts/api/26.0/plat_public/aee_aedv.te b/r_non_plat/hal_nfc.te
index fe413f8..e9683be 100755..100644
--- a/prebuilts/api/26.0/plat_public/aee_aedv.te
+++ b/r_non_plat/hal_nfc.te
@@ -1,4 +1,5 @@
# ==============================================
-# Type Declaration
+# ST NFC HAL rule
# ==============================================
-type aee_aedv, domain;
+
+allow hal_nfc st21nfc_device:chr_file { read write getattr open ioctl };
diff --git a/r_non_plat/hal_nvramagent.te b/r_non_plat/hal_nvramagent.te
new file mode 100644
index 0000000..680a031
--- /dev/null
+++ b/r_non_plat/hal_nvramagent.te
@@ -0,0 +1,6 @@
+#for nvram hidl client support
+binder_call(hal_nvramagent_client, hal_nvramagent_server)
+allow hal_nvramagent_client nvram_agent_binder_hwservice:hwservice_manager find;
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_nvramagent_server, nvram_agent_binder_hwservice)
diff --git a/r_non_plat/hal_pq.te b/r_non_plat/hal_pq.te
new file mode 100644
index 0000000..30eaf0e
--- /dev/null
+++ b/r_non_plat/hal_pq.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_pq_client, hal_pq_server)
+binder_call(hal_pq_server, hal_pq_client)
+
+# give permission for hal client
+allow hal_pq_client mtk_hal_pq_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_thermal_default.te b/r_non_plat/hal_thermal_default.te
new file mode 100644
index 0000000..2a648fb
--- /dev/null
+++ b/r_non_plat/hal_thermal_default.te
@@ -0,0 +1,8 @@
+
+# Date : WK18.23
+# Operation : P Migration
+# Purpose : add grant permission for Thermal HAL mtktz and proc
+
+allow hal_thermal_default proc_mtktz:dir search;
+allow hal_thermal_default proc_mtktz:file {open read getattr};
+allow hal_thermal_default proc_stat:file {open read getattr };
diff --git a/r_non_plat/hal_usb.te b/r_non_plat/hal_usb.te
new file mode 100644
index 0000000..b1f7134
--- /dev/null
+++ b/r_non_plat/hal_usb.te
@@ -0,0 +1,11 @@
+type mtk_hal_usb, domain;
+hal_server_domain(mtk_hal_usb, hal_usb)
+
+type mtk_hal_usb_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(mtk_hal_usb)
+
+allow hal_usb_default sysfs_dual_role_usb20:dir {search read};
+allow hal_usb_default sysfs_dual_role_usb20:file {open read getattr};
+
+allow mtk_hal_usb sysfs_dual_role_usb20:dir {search read open};
+allow mtk_hal_usb sysfs_dual_role_usb20:file {open read getattr};
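Review bot: The hunk declares a vendor USB HAL server (`mtk_hal_usb`) and at the same time grants sysfs_dual_role_usb20 access to `hal_usb_default`; if mtk_hal_usb replaces the default service the two hal_usb_default lines are dead policy, and if both ship then two domains serve hal_usb, which should be stated in a comment. The two dir grants also differ for no visible reason, `{search read}` for hal_usb_default versus `{search read open}` for mtk_hal_usb, and a dir `read` without `open` cannot satisfy opendir(), so the first will still be denied at runtime. Using `r_dir_perms` in both places removes the discrepancy.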
diff --git a/r_non_plat/hal_vibrator.te b/r_non_plat/hal_vibrator.te
new file mode 100644
index 0000000..c88619d
--- /dev/null
+++ b/r_non_plat/hal_vibrator.te
@@ -0,0 +1,5 @@
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
+allow hal_vibrator sysfs_leds:file rw_file_perms;
+allow hal_vibrator sysfs_leds:dir r_dir_perms;
+allow hal_vibrator sysfs_leds:lnk_file read;
diff --git a/r_non_plat/hal_wifi.te b/r_non_plat/hal_wifi.te
new file mode 100644
index 0000000..4a2d8f5
--- /dev/null
+++ b/r_non_plat/hal_wifi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Allow hal wifi service to open/read/setattr wifi device.
+# wmtWifi is wifi char device file to control wifi driver.
+allow hal_wifi wmtWifi_device:chr_file w_file_perms;
+
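Review bot: The comment says the HAL needs to `open/read/setattr` the wmtWifi device, but the rule grants `w_file_perms`, which covers open/write/append and not read or setattr, so one of the two is wrong. If the driver node is only ever written to, change the comment to `# Allow hal wifi service to open/write the wmtWifi control node.`; if reads are needed, the rule should be `rw_file_perms` and the denial will otherwise appear at runtime. Either way the pair should agree so the grant can be audited without a device.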
diff --git a/r_non_plat/hwservice.te b/r_non_plat/hwservice.te
new file mode 100644
index 0000000..6a7304a
--- /dev/null
+++ b/r_non_plat/hwservice.te
@@ -0,0 +1,63 @@
+type mtk_hal_bluetooth_hwservice, hwservice_manager_type;
+
+# Date: 2017/05/9
+type mtk_hal_rild_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/07
+# power hidl
+type mtk_hal_power_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/12
+# LBS HIDL
+type mtk_hal_lbs_hwservice, hwservice_manager_type;
+
+# Date: 2017/06/27
+# IMSA HIDL
+type mtk_hal_imsa_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/12
+# NVRAM HIDL
+type nvram_agent_binder_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/19
+# PQ HIDL
+type mtk_hal_pq_hwservice, hwservice_manager_type;
+
+# Date: 2017/07/20
+# keymaster attestation hidl
+type mtk_hal_keyattestation_hwservice, hwservice_manager_type;
+
+# Date: 2018/05/25
+# FM HIDL
+type mtk_hal_fm_hwservice, hwservice_manager_type;
+
+# Date: 2018/03/23
+# log hidl
+type mtk_hal_log_hwservice, hwservice_manager_type;
+
+# Date: 2018/06/26
+# em hidl
+type mtk_hal_em_hwservice, hwservice_manager_type;
+
+# Date: 2018/07/02
+# MMS HIDL
+type mtk_hal_mms_hwservice, hwservice_manager_type;
+
+type hal_atci_hwservice, hwservice_manager_type;
+type mtk_hal_keymanage_hwservice, hwservice_manager_type;
+
+# Date: 2019/04/26
+# GPU HIDL
+type mtk_hal_gpu_hwservice, hwservice_manager_type;
+
+# Date: 2019/06/12
+# modem db filter hidl
+type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type;
+
+# Date: 2019/07/16
+# HDMI HIDL
+type mtk_hal_hdmi_hwservice, hwservice_manager_type;
+
+# Date: 2019/09/06
+# BGService HIDL
+type mtk_hal_bgs_hwservice, hwservice_manager_type;
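Review bot: `type hal_atci_hwservice, hwservice_manager_type;` and `type mtk_hal_keymanage_hwservice, hwservice_manager_type;` are the only declarations in the file without the dated `# Date` / purpose header every other entry carries, and the hwservice_contexts hunk that follows contains no interface label for either, so a reader cannot tell what they expose. ATCI appears to be an AT-command interface (atcid.te is also touched by this merge), so a comment stating which build variants register that hwservice is worth having. If their context entries live in a file outside this chunk, a one-line pointer (`# contexts: see <file>`) is enough.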
diff --git a/r_non_plat/hwservice_contexts b/r_non_plat/hwservice_contexts
new file mode 100644
index 0000000..e3e2b34
--- /dev/null
+++ b/r_non_plat/hwservice_contexts
@@ -0,0 +1,69 @@
+vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
+
+# Date: 2017/05/9
+vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
+vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
+
+# Date: 2017/06/07
+# power hidl
+vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:mtk_hal_power_hwservice:s0
+vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:mtk_hal_power_hwservice:s0
+vendor.mediatek.hardware.power::IPerf u:object_r:mtk_hal_power_hwservice:s0
+vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0
+
+
+
+# Date: 2017/06/12
+# LBS HIDL
+vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0
+
+# Date : 2017/06/27
+# IMSA HIDL
+vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0
+
+# Date : 2017/07/12
+#nvram hidl
+vendor.mediatek.hardware.nvram::INvram u:object_r:nvram_agent_binder_hwservice:s0
+
+# Date : 2017/07/19
+# PQ HIDL
+vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0
+
+# Date: 2017/07/20
+# keymaster attestation hidl
+vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0
+
+# Date: 2018/05/25
+# FM HIDL
+vendor.mediatek.hardware.fm::IFmRadio u:object_r:mtk_hal_fm_hwservice:s0
+
+# Date: 2018/03/23
+# log hidl
+vendor.mediatek.hardware.log::ILog u:object_r:mtk_hal_log_hwservice:s0
+
+# Date: 2018/06/26
+# em hidl
+vendor.mediatek.hardware.engineermode::IEmd u:object_r:mtk_hal_em_hwservice:s0
+
+# Date : 2018/07/02
+# MMS HIDL
+vendor.mediatek.hardware.mms::IMms u:object_r:mtk_hal_mms_hwservice:s0
+
+# Date : 2019/04/19
+# GPU HIDL
+vendor.mediatek.hardware.gpu::IGraphicExt u:object_r:mtk_hal_gpu_hwservice:s0
+
+# Date: 2019/06/12
+# modem db filter hidl
+vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfilter_hwservice:s0
+
+# Date: 2019/07/04
+vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
+vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
+vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0
+
+# Date : 2019/07/16
+# HDMI HIDL
+vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0
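Review bot: The 2019/07/04 block labels two vendor-specific camera interfaces (ILomoEffect, ICCAPControl) with the platform's `hal_camera_hwservice` type while the third gets its own `mtk_hal_bgs_hwservice`; reusing the platform label means every hal_camera client can find the vendor extensions, whereas a dedicated type (constructed name: `mtk_hal_camera_ext_hwservice`) declared in hwservice.te would keep their reachability explicit. If that breadth is intended, a comment on the entry saying so is sufficient. The `Date :` / `Date:` spacing and the three consecutive blank lines after the power block are cosmetic inconsistencies.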
diff --git a/r_non_plat/init.te b/r_non_plat/init.te
new file mode 100644
index 0000000..6ccdd74
--- /dev/null
+++ b/r_non_plat/init.te
@@ -0,0 +1,142 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for L early bring up: add for nvram command in init rc files
+allow init nvram_data_file:dir create_dir_perms;
+allow init nvram_data_file:lnk_file r_file_perms;
+allow init nvdata_file:lnk_file r_file_perms;
+allow init nvdata_file:dir create_file_perms;
+
+#============= init ==============
+# Date : W14.42
+# Operation : Migration
+# Purpose : for L : add for partition (chown/chmod)
+allow init block_device:blk_file setattr;
+allow init system_block_device:blk_file setattr;
+allow init nvram_device:blk_file setattr;
+allow init seccfg_block_device:blk_file setattr;
+allow init secro_block_device:blk_file setattr;
+allow init frp_block_device:blk_file setattr;
+allow init logo_block_device:blk_file setattr;
+allow init para_block_device:blk_file setattr;
+allow init recovery_block_device:blk_file setattr;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
+allow init protect1_block_device:blk_file rw_file_perms;
+allow init protect2_block_device:blk_file rw_file_perms;
+allow init userdata_block_device:blk_file rw_file_perms;
+allow init cache_block_device:blk_file rw_file_perms;
+allow init nvdata_device:blk_file w_file_perms;
+allow init persist_block_device:blk_file rw_file_perms;
+allow init nvcfg_block_device:blk_file rw_file_perms;
+allow init odm_block_device:blk_file rw_file_perms;
+allow init oem_block_device:blk_file rw_file_perms;
+allow init para_block_device:blk_file w_file_perms;
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : disable AT_SECURE for LD_PRELOAD
+#userdebug_or_eng(`
+# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
+#')
+
+# Date : WK16.26
+# Operation : Access dynamic_debug control file
+# Purpose : For MobileLog on/off pr_debug on user/userdebug load
+allow init debugfs_dynamic_debug:file write;
+
+# Date : W16.28
+# Operation : Migration
+# Purpose : enable modules capability
+allow init self:capability sys_module;
+allow init kernel:system module_request;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : create symbolic link from /mnt/sdcard to /sdcard
+allow init tmpfs:lnk_file create;
+
+# Date:W17.07
+# Operation : bt hal
+# Purpose : bt hal interface permission
+allow init mtk_hal_bluetooth_exec:file getattr;
+
+# Date : WK17.02
+# Purpose: Fix audio hal service fail
+allow init mtk_hal_audio_exec:file getattr;
+
+# Date : W17.20
+# Purpose: Enable PRODUCT_FULL_TREBLE
+allow init vendor_block_device:lnk_file relabelto;
+
+# Date : WK17.21
+# Purpose: Fix gnss hal service fail
+allow init mtk_hal_gnss_exec:file getattr;
+
+# Fix boot up violation
+allow init debugfs_tracing_instances:file relabelfrom;
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow init kernel:system module_request;
+allow init nvdata_file:dir mounton;
+allow init oemfs:dir mounton;
+allow init protect_f_data_file:dir mounton;
+allow init protect_s_data_file:dir mounton;
+allow init nvcfg_file:dir mounton;
+allow init persist_data_file:dir mounton;
+allow init tmpfs:lnk_file create;
+
+# boot process denial clean up
+allow init debugfs_ged:file w_file_perms;
+
+
+
+# Date : WK17.39
+# Operation : able to relabel mntl block device link
+# Purpose : Correct permission for mntl
+allow init block_device:lnk_file relabelfrom;
+allow init expdb_block_device:lnk_file relabelto;
+allow init mcupmfw_block_device:lnk_file relabelto;
+allow init tee_block_device:lnk_file relabelto;
+
+# Date : WK17.43
+# Operation : able to insert fpsgo kernel module
+# Purpose : Correct permission for fpsgo
+allow init rootfs:system module_load;
+
+# Date: W17.43
+# Operation : module load
+# Purpose : insmod LKM under /vendor (connsys module KO)
+allow init vendor_file:system module_load;
+
+# Date : WK17.46
+# Operation : feature porting
+# Purpose : kernel module verification
+allow init kernel:key search;
+
+# Date : WK17.50
+# Operation : boost cpu while booting
+# Purpose : enhance boottime
+allow init proc_perfmgr:file write;
+allow init proc_wmtdbg:file w_file_perms;
+
+# Date : W18.20
+# Operation : mount soc vendor's partition when booting
+allow init mnt_vendor_file:dir mounton;
+
+# Date : W19.28
+# Purpose: Allow to setattr /proc/last_kmsg
+allow init proc_last_kmsg:file setattr;
+# Purpose: Allow to write /proc/cpu/alignment
+allow init proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow to relabelto for selinux_android_restorecon
+allow init boot_block_device:lnk_file relabelto;
+allow init vbmeta_block_device:lnk_file relabelto;
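Review bot: `allow init kernel:system module_request;` (W16.28 block) and `allow init tmpfs:lnk_file create;` (WK16.35 block) are each repeated verbatim in the W17.22 A/B block, and `para_block_device:blk_file` is granted `setattr` in one block and `w_file_perms` in another; de-duplicating makes the A/B block list only what A/B actually added. The commented-out `noatsecure` block is dead policy and should either go or be replaced by one line saying why it was dropped (`# noatsecure for LD_PRELOAD removed: see <bug id>`). Since the WK17.43/W17.43 blocks let init load modules from both rootfs and vendor_file, the WK17.46 module-verification comment should say whether unsigned modules are rejected, as that is what bounds the load grants.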
diff --git a/r_non_plat/installd.te b/r_non_plat/installd.te
new file mode 100644
index 0000000..88c6b54
--- /dev/null
+++ b/r_non_plat/installd.te
@@ -0,0 +1,7 @@
+# ==================================
+# MTK Policy Rule
+# ==================================
+
+# Kernel-4.14 migration, fix boot fail.
+allow installd vendor_configs_file:file map;
+
diff --git a/r_non_plat/ioctl_defines b/r_non_plat/ioctl_defines
new file mode 100644
index 0000000..d227aab
--- /dev/null
+++ b/r_non_plat/ioctl_defines
@@ -0,0 +1,64 @@
+#####################################
+# ged_bridge_id.h
+#
+define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700')
+define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701')
+define(`GED_BRIDGE_IO_LOG_BUF_RESET', `0x6702')
+define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703')
+define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704')
+define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705')
+define(`GED_BRIDGE_IO_NOTIFY_VSYNC', `0x6706')
+define(`GED_BRIDGE_IO_DVFS_PROBE', `0x6707')
+define(`GED_BRIDGE_IO_DVFS_UM_RETURN', `0x6708')
+define(`GED_BRIDGE_IO_EVENT_NOTIFY', `0x6709')
+define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
+define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
+define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
+define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
+define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
+
+define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
+define(`GED_BRIDGE_IO_GE_GET', `0x6765')
+define(`GED_BRIDGE_IO_GE_SET', `0x6766')
+define(`GED_BRIDGE_IO_GPU_TIMESTAMP', `0x6767')
+define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768')
+define(`GED_BRIDGE_IO_GE_INFO', `0x6769')
+define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a')
+
+#####################################
+# perf_ioctl.h : FPSGO
+#
+define(`PERFMGR_FPSGO_QUEUE', `0x6701')
+define(`PERFMGR_FPSGO_DEQUEUE', `0x6703')
+define(`PERFMGR_FPSGO_VSYNC', `0x6705')
+define(`PERFMGR_FPSGO_TOUCH', `0x670a')
+define(`PERFMGR_FPSGO_QUEUE_CONNECT', `0x670f')
+define(`PERFMGR_FPSGO_BQID', `0x6710')
+
+# perf_ioctl.h : EARA
+define(`PERFMGR_EARA_NN_BEGIN', `0x6701')
+define(`PERFMGR_EARA_NN_END', `0x6702')
+define(`PERFMGR_EARA_GETUSAGE', `0x6703')
+
+# perf_ioctl.h : others
+define(`PERFMGR_CPU_PREFER', `0x6701')
+
+#####################################
+#
+#
+define(`MMC_IOCTLCMD', `0xb300')
+define(`MMC_IOC_MULTI_CMD', `0xb301')
+define(`UFS_IOCTLCMD', `0x5388')
+define(`UFS_IOCTL_RPMB', `0x5391')
+
+#####################################
+#
+#
+define(`JPG_BRIDGE_ENC_IO_INIT', `0x780b')
+define(`JPG_BRIDGE_ENC_IO_CONFIG', `0x780c')
+define(`JPG_BRIDGE_ENC_IO_WAIT', `0x780d')
+define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e')
+define(`JPG_BRIDGE_ENC_IO_START', `0x780f')
+#####################################
+# m4u_priv.h
+define(`MTK_M4U_T_SEC_INIT', `0x6732')
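Review bot: Several distinct names share the same 16-bit value (`GED_BRIDGE_IO_LOG_BUF_WRITE`, `PERFMGR_FPSGO_QUEUE`, `PERFMGR_EARA_NN_BEGIN` and `PERFMGR_CPU_PREFER` are all `0x6701`), which is harmless only as long as each set is used in an allowxperm against its own target type, and nothing says so; a header such as `# NOTE: values are the low 16 bits of the ioctl request (type<<8|nr); names collide across drivers, so only combine macros that target the same device type` would prevent an accidental over-grant. The MMC/UFS and JPG sections have empty `#####` banners where the other sections name their source header; filling in the header name (placeholder: `# <driver>_ioctl.h`) keeps the values auditable against kernel source. The FPSGO/EARA overlaps (`0x6703`, `0x6705`) most deserve a comment since both sets are attributed to the same perf_ioctl.h.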
diff --git a/r_non_plat/ioctl_macros b/r_non_plat/ioctl_macros
new file mode 100644
index 0000000..bf86503
--- /dev/null
+++ b/r_non_plat/ioctl_macros
@@ -0,0 +1,25 @@
+# proc_ged ioctls
+define(`proc_ged_ioctls', `{
+ GED_BRIDGE_IO_LOG_BUF_GET
+ GED_BRIDGE_IO_LOG_BUF_WRITE
+ GED_BRIDGE_IO_LOG_BUF_RESET
+ GED_BRIDGE_IO_BOOST_GPU_FREQ
+ GED_BRIDGE_IO_MONITOR_3D_FENCE
+ GED_BRIDGE_IO_QUERY_INFO
+ GED_BRIDGE_IO_NOTIFY_VSYNC
+ GED_BRIDGE_IO_DVFS_PROBE
+ GED_BRIDGE_IO_DVFS_UM_RETURN
+ GED_BRIDGE_IO_EVENT_NOTIFY
+ GED_BRIDGE_IO_WAIT_HW_VSYNC
+ GED_BRIDGE_IO_QUERY_TARGET_FPS
+ GED_BRIDGE_IO_VSYNC_WAIT
+ GED_BRIDGE_IO_GPU_HINT_TO_CPU
+ GED_BRIDGE_IO_HINT_FORCE_MDP
+ GED_BRIDGE_IO_GE_ALLOC
+ GED_BRIDGE_IO_GE_GET
+ GED_BRIDGE_IO_GE_SET
+ GED_BRIDGE_IO_GPU_TIMESTAMP
+ GED_BRIDGE_IO_TARGET_FPS
+ GED_BRIDGE_IO_GE_INFO
+ GED_BRIDGE_IO_GPU_TUNER_STATUS
+}')
diff --git a/r_non_plat/kernel.te b/r_non_plat/kernel.te
new file mode 100644
index 0000000..15b2430
--- /dev/null
+++ b/r_non_plat/kernel.te
@@ -0,0 +1,84 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+# Date : WK14.38
+# Operation : Migration
+# Purpose : run guitar_update for touch F/W upgrade.
+allow kernel sdcard_type:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : ums driver can access blk_file
+allow kernel block_device:blk_file rw_file_perms;
+allow kernel loop_device:blk_file r_file_perms;
+allow kernel vold_device:blk_file rw_file_perms;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose : grant fon_image_data_file read permission for loop device
+allow kernel fon_image_data_file:file read;
+
+# Date : WK15.38
+# Operation : Migration
+# Purpose : grant proc_thermal for dir search
+allow kernel proc_thermal:dir search;
+
+# Date : WK16.11
+# Operation : Migration
+# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
+# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there.
+allow kernel mnt_user_file:dir search;
+allow kernel mnt_user_file:lnk_file read;
+allow kernel wifi_data_file:file r_file_perms;
+allow kernel wifi_data_file:dir search;
+allow kernel storage_file:lnk_file read;
+allow kernel sdcard_type:file open;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel block_device:dir search;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel misc2_block_device:blk_file rw_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel { fuseblk }:dir create_dir_perms;
+allow kernel { fuseblk }:file create_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
+allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
+allow kernel kernel:key { write search setattr };
+
+# Date : WK16.42
+# Operation: SQC
+# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
+allow kernel platform_app:process setsched;
+
+# Date : WK17.01
+# Operation: SQC
+# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
+allow kernel audioserver:fd use;
+
+# Date : WK18.02
+# Operation: SQC
+# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
+allow kernel mtk_hal_audio:fd use;
+allow kernel factory:fd use;
+
+# Date : WK18.29
+# Operation: SQC
+# Purpose: Allow kernel read firmware binary on vendor partition
+allow kernel vendor_file:file r_file_perms;
+
+# Date : WK18.35
+# Operation: SQC
+# Purpose: Allow VOW kthread to write debug PCM dump
+allow kernel mtk_audiohal_data_file:file write;
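Review bot: `allow kernel block_device:blk_file rw_file_perms;` (WK14.39) gives kernel threads read/write on every block node that still carries the generic `block_device` label, not only the UMS-exported partitions the comment describes; naming the specific partition types, as the misc2_block_device line below and the hal_bootctl hunk do, would bound the grant. The two `# Data : WK16.16` blocks have identical headers for two different rules and should be merged, `Data` is a typo for `Date` (also in the lmkd.te hunk), and `configuations` at WK16.11 is a typo for `configurations`. The `{ fuseblk }` and `{vfat mnt_media_rw_file}` create_*_perms grants under the two identical WK16.30 headers can likewise be one block.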
diff --git a/r_non_plat/keystore.te b/r_non_plat/keystore.te
new file mode 100644
index 0000000..174c8f5
--- /dev/null
+++ b/r_non_plat/keystore.te
@@ -0,0 +1,13 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.40 2014/12/26
+# Operation : CTS 5.0_r1
+# Purpose : allow access to /data/data for full CTS
+allow keystore app_data_file:file write;
+
+# Date : WK17.30 2017/07/25
+# Operation : keystore
+# Purpose : Fix keystore boot selinux violation
+allow hal_keymaster_default debugfs_tracing:file write;
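Review bot: `allow keystore app_data_file:file write;` dates from CTS 5.0 (2014) and lets the platform keystore daemon write into any app's private data files, far wider than anything keystore needs today; if the rule is still required the comment should name the currently failing test, otherwise it should go, since vendor policy adding grants to a coredomain like keystore is what the Treble split tries to avoid. The second rule, `hal_keymaster_default debugfs_tracing:file write`, concerns the vendor keymaster service and belongs in hal_keymaster_default.te, not keystore.te. Whether platform app_data_file neverallows already reject the first rule cannot be told from this hunk.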
diff --git a/r_non_plat/kisd.te b/r_non_plat/kisd.te
new file mode 100644
index 0000000..b0ed180
--- /dev/null
+++ b/r_non_plat/kisd.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Policy File of /vendor/bin/kisd Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type kisd ,domain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(kisd)
+
+allow kisd tee_device:chr_file {read write open ioctl};
+allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
+allow kisd provision_file:file {create read write open getattr unlink};
+allow kisd block_device:dir {read write open ioctl search};
+allow kisd kb_block_device:blk_file {read write open ioctl getattr};
+allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
+allow kisd key_install_data_file:dir {write remove_name add_name};
+allow kisd key_install_data_file:file {write getattr read create unlink open};
+allow kisd key_install_data_file:dir search;
+allow kisd mtd_device:chr_file { open read write };
+allow kisd mtd_device:blk_file { open read write ioctl getattr};
+allow kisd mtd_device:dir { search };
+allow kisd kb_block_device:chr_file {read write open ioctl getattr};
+allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
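Review bot: `typeattribute kisd mlstrustedsubject;` exempts this key-install daemon from MLS constraints with no comment saying which MLS-separated object it needs to reach; that is the most consequential line in the file and deserves a `# Purpose:` header or removal. `kb_block_device` and `dkb_block_device` are each granted both `blk_file` and `chr_file` permission sets, so one of each pair is dead depending on the node's real class, and unlike the hal_bootctl hunk the block/mtd `ioctl` grants carry no allowxperm filter. The `key_install_data_file:dir` grant is split across `{write remove_name add_name}` and a separate `search` line and can be one `rw_dir_perms` line; `type kisd ,domain;` has the comma misplaced.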
diff --git a/r_non_plat/lbs_hidl_service.te b/r_non_plat/lbs_hidl_service.te
new file mode 100644
index 0000000..36ccad0
--- /dev/null
+++ b/r_non_plat/lbs_hidl_service.te
@@ -0,0 +1,11 @@
+type lbs_hidl_service, domain;
+hal_server_domain(lbs_hidl_service, mtk_hal_lbs)
+
+type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(lbs_hidl_service)
+vndbinder_use(lbs_hidl_service)
+
+#r_dir_file(lbs_hidl_service, system_file)
+unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd);
+allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
+allow lbs_hidl_service mnld:unix_dgram_socket sendto;
diff --git a/r_non_plat/lmkd.te b/r_non_plat/lmkd.te
new file mode 100644
index 0000000..3ba12e2
--- /dev/null
+++ b/r_non_plat/lmkd.te
@@ -0,0 +1,23 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+
+# Data : 2015/01/14
+# Operation : MT6735 SQC bug fix
+# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
+# for pid=194 comm="lmkd" name="23573" dev="proc"
+# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
+dontaudit lmkd zygote:dir rw_dir_perms;
+
+# Data : 2015/04/17
+# Operation : tb8163p1 low memory selinux warning
+# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
+# for pid=170 comm="lmkd"
+# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
+# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
+dontaudit lmkd platform_app:fd use;
+
+# Data : 2018/05/25
+# Operation : Add for duraSpeed socket
+allow lmkd system_server:unix_stream_socket connectto;
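Review bot: `dontaudit lmkd zygote:dir rw_dir_perms;` suppresses far more than the recorded denial, which the comment above it shows as `{ search }` only; rw_dir_perms also hides any future write/add_name attempts against zygote-labelled directories, so the rule no longer matches its own justification. Suggest `dontaudit lmkd zygote:dir search;` unless other denials were observed. The comment headers here say `Data :` where the sibling files use `Date :`.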
diff --git a/r_non_plat/loghidlsysservice.te b/r_non_plat/loghidlsysservice.te
new file mode 100644
index 0000000..5af0e39
--- /dev/null
+++ b/r_non_plat/loghidlsysservice.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# Purpose : for create hidl server
+hal_client_domain(loghidlsysservice, mtk_hal_log)
+allow loghidlsysservice connsyslogger:unix_stream_socket connectto; \ No newline at end of file
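Review bot: This file applies `hal_client_domain(loghidlsysservice, mtk_hal_log)` and a `connectto` rule without declaring the `loghidlsysservice` type, so it only compiles if the domain is declared in another policy file; add a comment such as `# loghidlsysservice is declared in <FILE_PLACEHOLDER>` so the dependency is visible. The header names `/system/bin/loghidlsysservice` while the file lives under r_non_plat, which presumably is the vendor side of the policy; if the binary really is a system process, the reason its rules live here should be stated. The file also lacks a trailing newline.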
diff --git a/r_non_plat/loghidlvendorservice.te b/r_non_plat/loghidlvendorservice.te
new file mode 100644
index 0000000..9b97bed
--- /dev/null
+++ b/r_non_plat/loghidlvendorservice.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Policy File of /system/bin/loghidlvendorservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type loghidlvendorservice ,domain;
+type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
+typeattribute loghidlvendorservice mlstrustedsubject;
+
+hal_server_domain(loghidlvendorservice, mtk_hal_log)
+init_daemon_domain(loghidlvendorservice)
+# allow loghidlvendorservice self:capability dac_override;
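Review bot: `typeattribute loghidlvendorservice mlstrustedsubject;` exempts the log service from MLS constraints, and nothing in the file says what cross-level access it needs; this should carry a justification comment or be removed if the service only talks to its own files and hwbinder. The commented-out `# allow loghidlvendorservice self:capability dac_override;` should be deleted rather than left as a hint, since dac_override is the kind of grant that tends to get re-enabled without review. The header says `/system/bin/loghidlvendorservice` while the exec type is `vendor_file_type`, which suggests the binary actually lives under /vendor/bin.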
diff --git a/r_non_plat/mdlogger.te b/r_non_plat/mdlogger.te
new file mode 100644
index 0000000..5c34491
--- /dev/null
+++ b/r_non_plat/mdlogger.te
@@ -0,0 +1,62 @@
+#allow mdlogger to set property
+allow mdlogger debug_mdlogger_prop:property_service set;
+allow mdlogger debug_prop:property_service set;
+
+# ccci device for internal modem
+allow mdlogger ccci_device:chr_file { rw_file_perms };
+
+# usb device ttyGSx for modem logger usb logging
+allow mdlogger ttyGS_device:chr_file { rw_file_perms};
+
+# modem logger access on /data/mdlog
+allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
+allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
+allow mdlogger mdlog_data_file:file { create_file_perms };
+
+# modem logger control port access /dev/ttyC1
+allow mdlogger mdlog_device:chr_file { rw_file_perms};
+
+
+#modem logger SD logging in factory mode
+allow mdlogger vfat:dir create_dir_perms;
+allow mdlogger vfat:file create_file_perms;
+
+#mdlogger for read /sdcard
+allow mdlogger tmpfs:lnk_file read;
+allow mdlogger storage_file:lnk_file rw_file_perms;
+allow mdlogger mnt_user_file:dir search;
+allow mdlogger mnt_user_file:lnk_file rw_file_perms;
+allow mdlogger sdcard_type:file create_file_perms;
+allow mdlogger sdcard_type:dir { create_dir_perms };
+allow mdlogger storage_file:dir { create_dir_perms };
+allow mdlogger storage_file:file { create_file_perms };
+
+
+# Allow read to sys/kernel/ccci/* files
+allow mdlogger sysfs_ccci:dir search;
+allow mdlogger sysfs_ccci:file r_file_perms;
+
+# purpose: allow mdlogger to access storage in new version
+allow mdlogger media_rw_data_file:file { create_file_perms };
+allow mdlogger media_rw_data_file:dir { create_dir_perms };
+
+#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
+#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
+#security issue control
+allow mdlogger aee_aed:unix_stream_socket connectto;
+
+## purpose: avc: denied { read } for name="plat_file_contexts"
+allow emdlogger file_contexts_file:file { read getattr open};
+
+#permission for read boot mode
+#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
+allow mdlogger sysfs_boot_mode:file { read open };
+
+# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow mdlogger system_file:dir { read open };
+
+# Android P migration
+set_prop(mdlogger, vendor_mdl_prop)
+set_prop(mdlogger, debug_mdlogger_prop)
+set_prop(mdlogger, persist_mdlog_prop)
+set_prop(mdlogger, persist_mtklog_prop)
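Review bot: `allow emdlogger file_contexts_file:file { read getattr open};` names `emdlogger` as the subject in a file where every other rule is for `mdlogger`; unless emdlogger is a separately declared domain this is a stale name and the rule grants nothing to mdlogger (the denial comment at `# avc: denied { open } for path="system/etc/mddb"` also cites scontext emdlogger, so the domain may have been renamed without updating the rules). The storage grants are wide for a modem logger: create_dir_perms/create_file_perms on vfat, sdcard_type, storage_file and media_rw_data_file let a compromised logger write anywhere on shared storage, so if only a log directory is needed a dedicated type like mdlog_data_file would be tighter. The `#security issue control` comment above the aee_aed connectto does not say what was decided; state whether the rule is intentional.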
diff --git a/r_non_plat/mediacodec.te b/r_non_plat/mediacodec.te
new file mode 100644
index 0000000..48c14d7
--- /dev/null
+++ b/r_non_plat/mediacodec.te
@@ -0,0 +1,153 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : VP/VR
+allow mediacodec devmap_device:chr_file { ioctl };
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : VDEC/VENC device node
+allow mediacodec Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : VP & VR dump and debug
+allow mediacodec M4U_device_device:chr_file rw_file_perms;
+allow mediacodec debugfs_binder:dir search;
+allow mediacodec MTK_SMI_device:chr_file { ioctl read open };
+allow mediacodec storage_file:lnk_file {read write open};
+allow mediacodec tmpfs:dir search;
+allow mediacodec mnt_user_file:dir {write read search};
+allow mediacodec mnt_user_file:lnk_file {read write};
+allow mediacodec sdcard_type:dir {write read search add_name remove_name};
+allow mediacodec sdcard_type:file {getattr write read create open append unlink};
+allow mediacodec nvram_data_file:dir w_dir_perms;
+allow mediacodec nvram_data_file:file create_file_perms;
+allow mediacodec nvram_data_file:lnk_file read;
+allow mediacodec nvdata_file:lnk_file read;
+allow mediacodec nvdata_file:dir w_dir_perms;
+allow mediacodec nvdata_file:file create_file_perms;
+allow mediacodec devmap_device:chr_file r_file_perms;
+allow mediacodec proc_meminfo:file {read getattr open};
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for SW codec VP/VR
+allow mediacodec mtk_sched_device:chr_file { read write ioctl open };
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : HW encrypt SW codec
+allow mediacodec mediacodec_data_file:file create_file_perms;
+allow mediacodec mediacodec_data_file:dir create_dir_perms;
+allow mediacodec sec_device:chr_file r_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : VP
+allow mediacodec surfaceflinger:file getattr;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mediacodec sysfs_lowmemorykiller:file { read open };
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mediacodec proc_mtkcooler:dir search;
+allow mediacodec proc_mtktz:dir search;
+allow mediacodec proc_thermal:dir search;
+allow mediacodec proc_mtkcooler:file { read write open };
+allow mediacodec proc_mtktz:file { read write open getattr };
+allow mediacodec proc_thermal:file { read write open getattr};
+allow mediacodec thermal_manager_data_file:file create_file_perms;
+allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
+allow mediacodec thermal_manager_data_file:dir search;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mediacodec untrusted_app:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MJC Driver
+allow mediacodec MJC_device:chr_file { read write ioctl open };
+
+# Date : WK16.27
+# Operation : APE SQC
+# Purpose : for APE file playback
+allow mediacodec MtkCodecService:binder call;
+allow mediacodec MtkCodecService:binder transfer;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediacodec proc_ged:file rw_file_perms;
+allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls };
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow mediacodec surfaceflinger:fifo_file rw_file_perms;
+
+# Date: WK16.43
+# Operator: Whitney SQC
+# Purpose: mediacodec use gpu
+allow mediacodec gpu_device:dir search;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow mediacodec vndbinder_device:chr_file rw_file_perms;
+
+vndbinder_use(mediacodec)
+
+# Date : WK1721
+# Purpose: For FULL TREBLE
+allow mediacodec system_file:dir r_dir_perms;
+allow mediacodec debugfs_ion:dir search;
+
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow mediacodec to access cmdq driver
+allow mediacodec mtk_cmdq_device:chr_file { read ioctl open };
+allow mediacodec mtk_mdp_device:chr_file rw_file_perms;
+allow mediacodec sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK17.28
+# Operation : MT6757 SQC
+# Purpose : Change thermal config
+
+
+# Date : WK17.30
+# Purpose : For Power Hal
+allow mediacodec mtk_hal_power_hwservice:hwservice_manager find;
+allow mediacodec mtk_hal_power:binder call;
+allow mediacodec mtk_hal_power:unix_stream_socket connectto;
+
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+set_prop(mediacodec, mtk_thermal_config_prop)
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : DISP access
+allow mediacodec graphics_device:chr_file { ioctl open read };
+allow mediacodec graphics_device:dir search;
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+allow mediacodec proc_m4u:file r_file_perms;
+allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
+allow mediacodec sysfs_concurrency_scenario:dir search;
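Review bot: mediacodec decodes attacker-supplied media, and this file grants it `nvram_data_file:file create_file_perms`, `nvdata_file:file create_file_perms`, write access to proc_mtkcooler/proc_mtktz/proc_thermal and create_file_perms on thermal_manager_data_file; a codec bug then becomes a path to NVRAM and thermal-policy tampering instead of being contained. Each of those grants should cite the denial or feature that needs it, or be dropped. The `# Date : WK17.28 ... Change thermal config` header has no rule under it, and `allow mediacodec vndbinder_device:chr_file rw_file_perms;` presumably duplicates what `vndbinder_use(mediacodec)` already expands to.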
diff --git a/r_non_plat/mediadrmserver.te b/r_non_plat/mediadrmserver.te
new file mode 100644
index 0000000..70f5178
--- /dev/null
+++ b/r_non_plat/mediadrmserver.te
@@ -0,0 +1,9 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediadrmserver proc_ged:file rw_file_perms;
+
+
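Review bot: `allow mediadrmserver proc_ged:file rw_file_perms;` includes the ioctl permission but, unlike mediacodec, mediaserver and merged_hal_service in this commit, no allowxperm rule follows; with no allowxperm for the pair the ioctl grant is unrestricted, so mediadrmserver may issue any ioctl on proc_ged. Add `allowxperm mediadrmserver proc_ged:file ioctl { proc_ged_ioctls };`. The same gap exists in mediaextractor.te. The two trailing blank lines at the end of the file can go.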
diff --git a/r_non_plat/mediaextractor.te b/r_non_plat/mediaextractor.te
new file mode 100644
index 0000000..1ce425f
--- /dev/null
+++ b/r_non_plat/mediaextractor.te
@@ -0,0 +1,15 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaextractor proc_ged:file rw_file_perms;
+
+#============= mediaextractor ==============
+allow mediaextractor vfat:file r_file_perms;
+
+allow mediaextractor mediaserver_service:service_manager find;
+
+allow mediaextractor platform_app:dir search;
+allow mediaextractor platform_app:file r_file_perms;
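Review bot: `allow mediaextractor platform_app:dir search;` and `allow mediaextractor platform_app:file r_file_perms;` let the container parser read platform_app process entries under /proc, and `allow mediaextractor vfat:file r_file_perms;` opens removable storage to it; mediaextractor is deliberately one of the most restricted domains because it parses untrusted files, and these rules carry no denial or purpose comment. Each should cite the denial it resolves or be removed. The `#============= mediaextractor ==============` banner reads like audit2allow output pasted verbatim.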
diff --git a/r_non_plat/mediaserver.te b/r_non_plat/mediaserver.te
new file mode 100644
index 0000000..ff75df1
--- /dev/null
+++ b/r_non_plat/mediaserver.te
@@ -0,0 +1,329 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : camera devices access.
+allow mediaserver camera_isp_device:chr_file rw_file_perms;
+allow mediaserver ccu_device:chr_file rw_file_perms;
+allow mediaserver vpu_device:chr_file rw_file_perms;
+allow mediaserver kd_camera_hw_device:chr_file rw_file_perms;
+allow mediaserver seninf_device:chr_file rw_file_perms;
+allow mediaserver self:capability { setuid ipc_lock sys_nice };
+allow mediaserver sysfs_wake_lock:file rw_file_perms;
+allow mediaserver MTK_SMI_device:chr_file r_file_perms;
+allow mediaserver camera_pipemgr_device:chr_file r_file_perms;
+allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms;
+allow mediaserver lens_device:chr_file rw_file_perms;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
+allow mediaserver sdcard_type:dir { w_dir_perms create };
+allow mediaserver sdcard_type:file create;
+allow mediaserver nvram_data_file:lnk_file read;
+allow mediaserver nvdata_file:lnk_file read;
+allow mediaserver sdcard_type:dir remove_name;
+allow mediaserver sdcard_type:file unlink;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+allow mediaserver nvram_device:chr_file rw_file_perms;
+allow mediaserver self:capability { net_admin };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : VP/VR
+allow mediaserver devmap_device:chr_file { ioctl };
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+allow mediaserver bluetooth:unix_dgram_socket sendto;
+allow mediaserver bt_a2dp_stream_socket:sock_file write;
+allow mediaserver bt_int_adp_socket:sock_file write;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : camera ioctl
+allow mediaserver camera_sysram_device:chr_file r_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : VDEC/VENC device node
+allow mediaserver Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+allow mediaserver MtkCodecService:binder call;
+allow mediaserver ccci_device:chr_file rw_file_perms;
+allow mediaserver eemcs_device:chr_file rw_file_perms;
+allow mediaserver devmap_device:chr_file r_file_perms;
+allow mediaserver ebc_device:chr_file rw_file_perms;
+allow mediaserver nvram_device:blk_file rw_file_perms;
+allow mediaserver bootdevice_block_device:blk_file rw_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for SW codec VP/VR
+allow mediaserver mtk_sched_device:chr_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : NVRam access
+allow mediaserver block_device:dir { write search };
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+allow mediaserver fm_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for VP/VR
+allow mediaserver block_device:dir search;
+allow mediaserver FM50AF_device:chr_file rw_file_perms;
+allow mediaserver AD5820AF_device:chr_file rw_file_perms;
+allow mediaserver DW9714AF_device:chr_file rw_file_perms;
+allow mediaserver DW9814AF_device:chr_file rw_file_perms;
+allow mediaserver AK7345AF_device:chr_file rw_file_perms;
+allow mediaserver DW9714A_device:chr_file rw_file_perms;
+allow mediaserver LC898122AF_device:chr_file rw_file_perms;
+allow mediaserver LC898212AF_device:chr_file rw_file_perms;
+allow mediaserver BU6429AF_device:chr_file rw_file_perms;
+allow mediaserver DW9718AF_device:chr_file rw_file_perms;
+allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms;
+allow mediaserver MAINAF_device:chr_file rw_file_perms;
+allow mediaserver MAIN2AF_device:chr_file rw_file_perms;
+allow mediaserver SUBAF_device:chr_file rw_file_perms;
+
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for boot animation.
+allow mediaserver bootanim:binder { transfer call };
+
+allow mediaserver mtkbootanimation:binder { transfer call };
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : dump for debug
+allow mediaserver sdcard_type:file append;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : FDVT Driver
+allow mediaserver camera_fdvt_device:chr_file rw_file_perms;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : APE PLAYBACK
+binder_call(mediaserver,MtkCodecService)
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow mediaserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+allow mediaserver smartpa_device:chr_file rw_file_perms;
+
+# Data : WK14.40
+# Operation : Migration
+# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci
+allow mediaserver audiocmdservice_atci:binder call;
+binder_call(mediaserver,audiocmdservice_atci)
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : mtk_jpeg
+allow mediaserver mtk_jpeg_device:chr_file r_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+allow mediaserver uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : Camera EEPROM Calibration
+allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+allow mediaserver vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow mediaserver rpc_socket:sock_file write;
+allow mediaserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : VP
+allow mediaserver surfaceflinger:file getattr;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mediaserver sysfs_lowmemorykiller:file { read open };
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mediaserver proc_mtkcooler:dir search;
+allow mediaserver proc_mtktz:dir search;
+allow mediaserver proc_thermal:dir search;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for MTK Emulator HW GPU
+allow mediaserver qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : for camera init
+allow mediaserver system_server:unix_stream_socket { read write };
+
+# Data : WK14.46
+# Operation : Migration
+# Purpose : for SMS app
+allow mediaserver radio_data_file:dir search;
+allow mediaserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow mediaserver radio:dir { search read };
+allow mediaserver radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : Launch camcorder from MMS
+# Purpose : Camcorder
+allow mediaserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mediaserver untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mediaserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.32
+# Operation : Pre-sanity
+# Purpose : 3A algorithm need to access sensor service
+allow mediaserver sensorservice_service:service_manager find;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mediaserver storage_file:lnk_file {read write};
+allow mediaserver mnt_user_file:dir {write read search};
+allow mediaserver mnt_user_file:lnk_file {read write};
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose: Allow mediaserver to read binder from surfaceflinger
+allow mediaserver surfaceflinger:fifo_file {read write};
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : DPE Driver
+allow mediaserver camera_dpe_device:chr_file rw_file_perms;
+
+# Date : WK15.46
+# Operation : Migration
+# Purpose : TSF Driver
+allow mediaserver camera_tsf_device:chr_file rw_file_perms;
+
+# Date : WK16.32
+# Operation : N Migration
+# Purpose : RSC Driver
+allow mediaserver camera_rsc_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaserver proc_ged:file rw_file_perms;
+allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : WK16.33
+# Operation : N Migration
+# Purpose : GEPF Driver
+allow mediaserver camera_gepf_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow mediaserver flashlight_device:chr_file rw_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow dumpstate surfaceflinger:fifo_file rw_file_perms;
+
+# Date : WK16.43
+# Operation : N Migration
+# Purpose : WPE Driver
+allow mediaserver camera_wpe_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir search;
+allow mediaserver sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK17.19
+# Operation : N Migration
+# Purpose : OWE Driver
+allow mediaserver camera_owe_device:chr_file rw_file_perms;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow mediaserver mtk_cmdq_device:chr_file { read ioctl open };
+allow mediaserver mtk_mdp_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : DISP access
+allow mediaserver graphics_device:chr_file { ioctl open read };
+allow mediaserver graphics_device:dir search;
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : DIP Driver
+allow mediaserver camera_dip_device:chr_file rw_file_perms;
+
+# Date : WK17.44
+# Operation : Migration
+# Purpose : MFB Driver
+allow mediaserver camera_mfb_device:chr_file rw_file_perms;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose : Allow permgr access
+allow mediaserver proc_perfmgr:dir {read search};
+allow mediaserver proc_perfmgr:file r_file_perms;
+allowxperm mediaserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK18.18
+# Operation : Migration
+# Purpose : wifidisplay hdcp
+# DRM Key Manage HIDL
+allow mediaserver mtk_hal_keymanage:binder call;
+# Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mediaserver , hal_keymaster)
+allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;
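Review bot: `allow mediaserver bootdevice_block_device:blk_file rw_file_perms;` gives mediaserver raw write access to the boot device, which is far beyond the "nvram, otp, ccci" purpose stated above it and lets a media-parsing bug reach partitions; the same block also grants `nvram_device:blk_file rw_file_perms` and `self:capability { net_admin }`, none of which cite a denial. `allow dumpstate surfaceflinger:fifo_file rw_file_perms;` belongs in dumpstate.te, not in this file. The final block's comment speaks of keymanage and mediadrmserver while the macro is `hal_client_domain(mediaserver , hal_keymaster)`; confirm which HAL is meant. `allow mediaserver radio_data_file:file open;` appears twice.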
diff --git a/r_non_plat/mediaswcodec.te b/r_non_plat/mediaswcodec.te
new file mode 100644
index 0000000..ca64913
--- /dev/null
+++ b/r_non_plat/mediaswcodec.te
@@ -0,0 +1,11 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK19.25
+# Operation : Migration
+# Purpose : [ALPS04669482] DRTS failed due to avc denied
+allow mediaswcodec debugfs_ion:dir rw_dir_perms;
+allow mediaswcodec gpu_device:dir rw_dir_perms;
+allow mediaswcodec dri_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
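Review bot: mediaswcodec exists so that software decoding runs in a process with no hardware device access, yet these rules grant it `dri_device:chr_file rw_file_perms`, `gpu_device:chr_file rw_file_perms` and rw_dir_perms on debugfs_ion and gpu_device, which undoes that isolation; the ALPS04669482 comment says a test failed but not which of the four rules the denial actually needed. rw_dir_perms on a directory is also broader than the `search` an open of a device node needs. Suggest keeping only the rule(s) the denial shows and quoting the denial line next to them.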
diff --git a/r_non_plat/merged_hal_service.te b/r_non_plat/merged_hal_service.te
new file mode 100644
index 0000000..fea6d78
--- /dev/null
+++ b/r_non_plat/merged_hal_service.te
@@ -0,0 +1,90 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type merged_hal_service, domain;
+#type merged_hal_service, domain;
+type merged_hal_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(merged_hal_service)
+
+hwbinder_use(merged_hal_service)
+hal_server_domain(merged_hal_service, hal_vibrator)
+hal_server_domain(merged_hal_service, hal_light)
+hal_server_domain(merged_hal_service, hal_power)
+hal_server_domain(merged_hal_service, hal_thermal)
+hal_server_domain(merged_hal_service, hal_memtrack)
+
+#mtk libs_hidl_service permissions
+hal_server_domain(merged_hal_service, mtk_hal_lbs)
+vndbinder_use(merged_hal_service)
+#r_dir_file(merged_hal_service, system_file)
+unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd);
+allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
+
+#mtk_gnss permissions
+hal_server_domain(merged_hal_service, hal_gnss);
+allow merged_hal_service mnld_data_file:sock_file create_file_perms;
+allow merged_hal_service mnld_data_file:sock_file rw_file_perms;
+allow merged_hal_service mnld_data_file:dir create_file_perms;
+allow merged_hal_service mnld_data_file:dir rw_dir_perms;
+allow merged_hal_service mnld:unix_dgram_socket sendto;
+
+#graphics allocator permissions
+hal_server_domain(merged_hal_service, hal_graphics_allocator)
+allow merged_hal_service gpu_device:dir search;
+allow merged_hal_service sw_sync_device:chr_file rw_file_perms;
+allow merged_hal_service debugfs_ion:dir search;
+allow merged_hal_service debugfs_tracing:file write;
+allow merged_hal_service debugfs_tracing:file open;
+
+#for ape hidl permissions
+hal_server_domain(merged_hal_service,hal_mtkcodecservice)
+allow merged_hal_service hidl_allocator_hwservice:hwservice_manager find;
+allow merged_hal_service hidl_memory_hwservice:hwservice_manager find;
+hal_client_domain(merged_hal_service, hal_allocator)
+
+#for default drm permissions
+hal_server_domain(merged_hal_service, hal_drm)
+allow merged_hal_service mediacodec:fd use;
+allow merged_hal_service { appdomain -isolated_app }:fd use;
+allow merged_hal_service debugfs_tracing:file write;
+
+#power permissions
+allow merged_hal_service proc:dir {search getattr};
+allow merged_hal_service debugfs_ged:dir search;
+allow merged_hal_service debugfs_ged:file { getattr open read write };
+allow merged_hal_service proc_thermal:file { write open };
+allow merged_hal_service proc_thermal:dir search;
+allow merged_hal_service proc_perfmgr:dir search;
+allow merged_hal_service proc_perfmgr:file rw_file_perms;
+allow merged_hal_service sdcard_type:dir create_dir_perms;
+allow merged_hal_service sdcard_type:file create_file_perms;
+allow merged_hal_service eemcs_device:chr_file rw_file_perms;
+allow merged_hal_service mnt_user_file:dir create_dir_perms;
+allow merged_hal_service debugfs_fb:dir search;
+allow merged_hal_service debugfs_fb:file { getattr open read write };
+allow merged_hal_service debugfs_fpsgo:dir search;
+allow merged_hal_service debugfs_fpsgo:file { getattr open read write };
+allow merged_hal_service mtk_hal_camera:dir search;
+allow merged_hal_service mtk_hal_camera:file { open read };
+allow merged_hal_service sysfs_devices_system_cpu:file write;
+
+allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
+allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
+allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
+
+
+# Date : WK18.23
+# Operation : P Migration
+# Purpose : add grant permission for Thermal HAL mtktz and proc
+allow merged_hal_service proc_mtktz:dir search;
+allow merged_hal_service proc_mtktz:file {open read getattr};
+allow merged_hal_service proc_stat:file {open read getattr };
+
+# Date : WK19.11
+# Operation : Q Migration
+allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find;
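Review bot: One domain serves the vibrator, light, power, thermal, memtrack, lbs, gnss, graphics allocator, codec and drm HALs, so every grant in this file is shared by all of them: the hal_drm server inherits sdcard_type create_dir_perms, proc_perfmgr rw_file_perms and sysfs_devices_system_cpu write, and a bug in any one HAL exposes the union. That is a design choice the file should state in a header comment so later reviewers know it is intentional. `allow merged_hal_service debugfs_tracing:file write;` is listed twice, the commented-out duplicate `#type merged_hal_service, domain;` should go, and `allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };` has no matching `allow merged_hal_service proc_ged:file` rule here, so it only takes effect if an attribute grants the ioctl permission elsewhere.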
diff --git a/r_non_plat/meta_tst.te b/r_non_plat/meta_tst.te
new file mode 100644
index 0000000..ead7145
--- /dev/null
+++ b/r_non_plat/meta_tst.te
@@ -0,0 +1,419 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type meta_tst, domain;
+type meta_tst_exec , exec_type, file_type, vendor_file_type;
+init_daemon_domain(meta_tst)
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node USB
+allow meta_tst ttyGS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyMT_device:chr_file rw_file_perms;
+
+# Date: WK17.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node CCCI
+allow meta_tst ccci_device:chr_file rw_file_perms;
+allow meta_tst eemcs_device:chr_file rw_file_perms;
+allow meta_tst emd_device:chr_file rw_file_perms;
+allow meta_tst ttyACM_device:chr_file rw_file_perms;
+allow meta_tst mdlog_device:chr_file rw_file_perms;
+
+# Data: WK15.07
+# Purpose : SDIO
+allow meta_tst ttySDIO_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode file system
+allow meta_tst bootdevice_block_device:blk_file rw_file_perms;
+allow meta_tst mmcblk1_block_device:blk_file rw_file_perms;
+allow meta_tst userdata_block_device:blk_file rw_file_perms;
+allow meta_tst cache_block_device:blk_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode nvram
+allow meta_tst nvram_data_file:dir create_dir_perms;
+allow meta_tst nvram_data_file:file create_file_perms;
+allow meta_tst nvram_data_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:dir create_dir_perms;
+allow meta_tst nvdata_file:file create_file_perms;
+allow meta_tst nvram_device:chr_file rw_file_perms;
+allow meta_tst nvram_device:blk_file rw_file_perms;
+allow meta_tst nvdata_device:blk_file rw_file_perms;
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : for meta mode audio
+allow meta_tst audio_device:chr_file rw_file_perms;
+allow meta_tst audio_device:dir r_dir_perms;
+allow meta_tst audio_ipi_device:chr_file rw_file_perms;
+set_prop(meta_tst, audiohal_prop);
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode RTC and PMIC
+allow meta_tst rtc_device:chr_file r_file_perms;
+allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: WK14.45
+# Operation : Migration
+# Purpose : HDCP
+allow meta_tst persist_data_file:dir create_dir_perms;
+allow meta_tst persist_data_file:file create_file_perms;
+
+
+# Date: WK14.46
+# Operation : Migration
+# Purpose : Camera
+allow meta_tst devmap_device:chr_file rw_file_perms;
+allow meta_tst camera_pipemgr_device:chr_file rw_file_perms;
+allow meta_tst MTK_SMI_device:chr_file rw_file_perms;
+allow meta_tst camera_isp_device:chr_file rw_file_perms;
+allow meta_tst camera_sysram_device:chr_file r_file_perms;
+allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms;
+allow meta_tst kd_camera_hw_device:chr_file rw_file_perms;
+allow meta_tst AD5820AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714A_device:chr_file rw_file_perms;
+allow meta_tst LC898122AF_device:chr_file rw_file_perms;
+allow meta_tst LC898212AF_device:chr_file rw_file_perms;
+allow meta_tst BU6429AF_device:chr_file rw_file_perms;
+allow meta_tst DW9718AF_device:chr_file rw_file_perms;
+allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms;
+allow meta_tst MAINAF_device:chr_file rw_file_perms;
+allow meta_tst MAIN2AF_device:chr_file rw_file_perms;
+allow meta_tst SUBAF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode LCM
+allow meta_tst graphics_device:chr_file rw_file_perms;
+allow meta_tst graphics_device:dir search;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode sensor
+allow meta_tst als_ps_device:chr_file r_file_perms;
+allow meta_tst gsensor_device:chr_file r_file_perms;
+allow meta_tst msensor_device:chr_file r_file_perms;
+allow meta_tst gyroscope_device:chr_file r_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode FM
+allow meta_tst fm_device:chr_file rw_file_perms;
+allow meta_tst FM50AF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode wifi
+allow meta_tst wmtWifi_device:chr_file w_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode BT
+allow meta_tst stpbt_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode GPS
+allow meta_tst gps_data_file:dir { write add_name search remove_name unlink};
+allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock};
+allow meta_tst gps_data_file:lnk_file read;
+allow meta_tst tmpfs:lnk_file read;
+allow meta_tst agpsd_data_file:dir search;
+allow meta_tst agpsd_data_file:sock_file write;
+allow meta_tst mnld_device:chr_file rw_file_perms;
+allow meta_tst mnld_exec:file rx_file_perms;
+set_prop(meta_tst, mnld_prop);
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode NFC
+allow meta_tst mt6605_device:chr_file rw_file_perms;
+
+#Date WK14.49
+#Operation : Migration
+#Purpose : DRM key installation
+allow meta_tst key_install_data_file:dir w_dir_perms;
+allow meta_tst key_install_data_file:file create_file_perms;
+
+# Date: WK14.51
+# Purpose : set/get cryptfs cfg in sys env
+allow meta_tst misc_device:chr_file rw_file_perms;
+allow meta_tst proc_lk_env:file rw_file_perms;
+
+# Purpose : FT_EMMC_OP_FORMAT_TCARD
+allow meta_tst block_device:blk_file getattr;
+allow meta_tst system_block_device:blk_file getattr;
+
+# Date: WK15.52
+# Purpose : NVRAM related LID
+allow meta_tst pro_info_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow meta_tst mtd_device:dir search;
+allow meta_tst mtd_device:chr_file rw_file_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+allow meta_tst sysfs_ccci:dir search;
+allow meta_tst sysfs_ccci:file r_file_perms;
+
+#Date: W18.22
+# Purpose: P Migration meta_tst get com port type/uart port info/boot mode/usb state/usb close
+allow meta_tst sysfs_comport_type:file rw_file_perms;
+allow meta_tst sysfs_uart_info:file rw_file_perms;
+allow meta_tst sysfs_boot_mode:file rw_file_perms;
+allow meta_tst sysfs_boot_type:file r_file_perms;
+allow meta_tst sysfs_android_usb:file rw_file_perms;
+allow meta_tst sysfs_android_usb:dir search;
+allow meta_tst sysfs_usb_cmode:file rw_file_perms;
+allow meta_tst sysfs_usb_cmode:dir search;
+allow meta_tst sysfs_batteryinfo:file rw_file_perms;
+allow meta_tst sysfs_batteryinfo:dir search;
+
+#Date: W16.17
+# Purpose: N Migration For meta_tst load MD NVRAM database
+# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type=
+#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm=
+#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst:
+#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow meta_tst system_file:dir r_dir_perms;
+
+# Date: WK16.18
+# Purpose: for CCCI reboot modem
+allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Purpose : Update camera flashlight driver device file
+allow meta_tst flashlight_device:chr_file rw_file_perms;
+
+#Date: W16.36
+# Purpose: meta_tst use libmeta_rat to write libsysenv
+# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7):
+#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs"
+#ino=4561 scontext=u:r:meta_tst:s0 tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow meta_tst para_block_device:blk_file { read write open };
+
+#Date: W16.44
+allow meta_tst nvcfg_file:dir { search read open };
+
+#Date: W16.45
+# Purpose : Allow unmount sdcardfs mounted on /data/media
+allow meta_tst sdcard_type:filesystem unmount;
+allow meta_tst storage_stub_file:dir search;
+
+# Date : WK16.19
+# Operation: meta_tst set persist.meta.connecttype property
+# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb".
+set_prop(meta_tst, meta_connecttype_prop);
+
+# Date : WK16.23
+# Purpose: support meta_tst check key event
+allow meta_tst input_device:dir r_dir_perms;
+allow meta_tst input_device:chr_file r_file_perms;
+
+# Date : WK16.29
+# Purpose: support meta mode show string on screen
+allow meta_tst ashmem_device:chr_file execute;
+
+#Date: W16.50
+# Purpose : Allow meta_tst stop service which occupy data partition.
+allow meta_tst ctl_default_prop:property_service set;
+
+#Date: W17.25
+# Purpose : Allow meta_tst stop service which occupy data partition.
+allow meta_tst ctl_emdlogger1_prop:property_service set;
+
+#Date: W17.27
+# Purpose: STMicro NFC solution integration
+allow meta_tst st21nfc_device:chr_file { open read write ioctl };
+allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
+set_prop(meta_tst,hwservicemanager_prop);
+hwbinder_use(meta_tst);
+hal_client_domain(meta_tst, hal_nfc);
+allow meta_tst debugfs_tracing:file { open write };
+
+# Date: W17.29
+# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
+hal_client_domain(meta_tst, mtk_hal_keyattestation)
+
+# Date : WK17.30
+# Operation : Android O migration
+# Purpose : add sepolicy for accessing sysfs_leds
+allow meta_tst sysfs_leds:lnk_file read;
+allow meta_tst sysfs_leds:file rw_file_perms;
+allow meta_tst sysfs_leds:dir r_dir_perms;
+
+# Date: WK17.43
+# Purpose: add permission for meta_tst access md image
+allow meta_tst md_block_device:blk_file { read open };
+allow meta_tst mddb_data_file:file { create open write read getattr};
+allow meta_tst mddb_data_file:dir { search write add_name create getattr read open };
+
+# Date: W17.43
+# Purpose : Allow meta_tst to call Audio HAL service
+binder_call(meta_tst, mtk_hal_audio)
+allow meta_tst mtk_hal_audio:binder call;
+#allow meta_tst hal_audio_hwservice:hwservice_manager find;
+allow meta_tst mtk_audiohal_data_file:dir {read search open};
+allow meta_tst audio_device:chr_file rw_file_perms;
+allow meta_tst audio_device:dir w_dir_perms;
+allow meta_tst audiohal_prop:property_service set;
+
+#Data:W1745
+# Purpose : Allow meta_tst to open and read proc/bootprof
+allow meta_tst proc_bootprof:file {write open read};
+
+# Date:W17.51
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(meta_tst, mtk_hal_lbs)
+
+# Data:W1750
+# Purpose : Allow meta_tst to access mtd device
+allow meta_tst mtd_device:blk_file rw_file_perms;
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM.
+set_prop(meta_tst, atm_mdmode_prop);
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM.
+set_prop(meta_tst, atm_ipaddr_prop);
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow meta_tst to get tel_switch_prop
+get_prop(meta_tst, tel_switch_prop);
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to call nvram hal
+allow meta_tst nvram_agent_binder_hwservice:hwservice_manager find;
+allow meta_tst nvram_agent_binder:binder call;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to write misc partition
+allow meta_tst block_device:dir search;
+
+# Date : W18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to access tpd sysfs nodes for CTP test
+allow meta_tst sysfs_tpd_setting:dir search;
+allow meta_tst sysfs_tpd_setting:file { read getattr open };
+
+# Date : WK18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to unmount partition, stop service, and then erase partition
+allow meta_tst vendor_shell_exec:file { read execute open execute_no_trans };
+allow meta_tst vendor_toolbox_exec:file { execute_no_trans };
+allow meta_tst labeledfs:filesystem { unmount };
+allow meta_tst proc_cmdline:file { read open getattr };
+allow meta_tst meta_tst:capability { sys_admin };
+allow meta_tst sysfs_dt_firmware_android:file { read open getattr };
+allow meta_tst sysfs_dt_firmware_android:dir { read open search };
+# Purpose : Allow meta_tst to communicate with driver thru socket
+allow meta_tst meta_tst:capability { sys_module net_admin net_raw };
+allow meta_tst self:udp_socket { create ioctl };
+allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose : GPS test, Allow meta_tst to write/connect tcp socket
+allow meta_tst node:tcp_socket node_bind;
+allow meta_tst port:tcp_socket { name_bind name_connect };
+allow meta_tst self:capability net_raw;
+allow meta_tst self:tcp_socket { setopt bind create listen accept connect };
+allow meta_tst self:tcp_socket { read write };
+allow meta_tst self:udp_socket { write connect };
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose : AUDIO test, Allow meta_tst to write/read asound
+allow meta_tst proc_asound:dir { read search open };
+allow meta_tst proc_asound:file { read open getattr write };
+allow meta_tst mtk_audiohal_data_file:dir { read search open };
+allow meta_tst audiohal_prop:property_service set;
+allow meta_tst sysfs_headset:file { read open };
+
+# Date: W18.05
+# Purpose : Allow meta_tst to use socket for listening uevent
+allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt };
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose :
+set_prop(meta_tst, vendor_usb_prop);
+
+# Date: W18.29
+# Operation: Catch log
+# Purpose : meta connect with loghidlserver by socket.
+allow meta_tst loghidlvendorservice:unix_stream_socket connectto;
+
+# Date: W18.32
+# Operation: Android P migration
+# Purpose : Allow meta_tst to set powerctl property
+# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
+# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0
+set_prop(meta_tst, powerctl_prop);
+
+# Date: W18.33
+# Operation: Android P migration
+# Purpose : Allow meta_tst to set system clock
+# avc: denied { sys_time } for capability=25 scontext=u:r:meta_tst:s0 tcontext=u:r:meta_tst:s0 tclass=capability permissive=0
+allow meta_tst self:capability sys_time;
+
+# Data: W18.35
+# Operation: Android P migration
+# Purpose : check usb online status
+# avc: denied { search } for name="power_supply" dev="sysfs" ino=8712 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
+# avc: denied { read } for name="online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0
+# avc: denied { open } for path="/sys/devices/platform/mt_charger/power_supply/usb/online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0
+allow meta_tst sysfs_batteryinfo:dir search;
+allow meta_tst sysfs_batteryinfo:file {read open};
+
+# Data: W18.42
+# Operation: Android P migration
+# Purpose : add socket permission for meta
+allow meta_tst fwmarkd_socket:sock_file write;
+
+#Date: W18.42
+# Operation: Android P migration
+# Purpose : Add ATM meta mvram sepolicy
+allow meta_tst mnt_vendor_file:dir search;
+
+# Date : WK18.44
+# Operation: P migration
+# Purpose : adsp
+allow meta_tst adsp_device:chr_file rw_file_perms;
+
+# Date : WK19.08
+# Operation: P migration
+# Purpose : audio scp recovery
+allow meta_tst audio_scp_device:chr_file r_file_perms;
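Review bot: The rules `allow meta_tst bootdevice_block_device:blk_file rw_file_perms;` (with userdata_block_device and cache_block_device alongside) give this domain raw write to the boot device, and later in the same file it also receives `sys_admin`, `sys_module`, `labeledfs:filesystem { unmount }`, execute_no_trans on all of vendor_file and a listening TCP socket on any port (`port:tcp_socket { name_bind name_connect }` plus `listen accept`), yet nothing here records how the daemon is kept out of a normal boot. `sys_module` in `allow meta_tst meta_tst:capability { sys_module net_admin net_raw };` lets the domain load kernel modules; as far as I recall AOSP platform policy neverallows that outside init/vendor_init, and this very merge removes netd's sys_module rule, so this grant likely needs the same treatment or an explicit justification. I would put a two-line note at the top of the file: `# meta_tst is the factory/META-mode test daemon: it holds raw rw on the boot/userdata/cache block devices, sys_admin and a TCP listener.` / `# It must only be started by the META boot-mode trigger in its init .rc, never in a normal boot -- verify there.`. Style: `allow meta_tst self:capability net_raw;` duplicates the net_raw already granted, `audiohal_prop` is granted set three times, `audio_device:chr_file rw_file_perms` and the `sysfs_batteryinfo`/`mtk_audiohal_data_file` rules are repeated, and the file alternates between `meta_tst meta_tst:capability` and `self:capability` for the same thing — consolidate to `self`.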
diff --git a/r_non_plat/mmc_ffu.te b/r_non_plat/mmc_ffu.te
new file mode 100644
index 0000000..1206991
--- /dev/null
+++ b/r_non_plat/mmc_ffu.te
@@ -0,0 +1,21 @@
+# ==============================================
+# Policy File of /system/bin/mmc_ffu Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mmc_ffu, domain;
+type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(mmc_ffu)
+# Purpose: For seek file size
+allow mmc_ffu block_device:dir r_dir_perms;
+
+# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
+allow mmc_ffu misc_sd_device:chr_file r_file_perms;
+
+#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
+allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;
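Review bot: The header `# Policy File of /system/bin/mmc_ffu Executable File` disagrees with `type mmc_ffu_exec, exec_type, file_type, vendor_file_type;` — a vendor_file_type executable lives under /vendor, so the path is presumably `/vendor/bin/mmc_ffu`; fix whichever side is wrong so file_contexts and this file agree. `rw_file_perms` on bootdevice_block_device:blk_file and `r_file_perms` on misc_sd_device:chr_file both include `ioctl`, so the domain may issue any ioctl (raw MMC command passthrough included) to the boot device; since the comment says the daemon only needs specific ioctls on /dev/misc-sd, pin them with `allowxperm mmc_ffu misc_sd_device:chr_file ioctl { <ffu ioctls> };` and do the same for the block device once the needed commands are known. A firmware-update daemon that writes the boot device should also state what confines it to the update flow (its init trigger); I cannot tell that from this file.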
diff --git a/r_non_plat/mnld.te b/r_non_plat/mnld.te
new file mode 100644
index 0000000..11fe7a4
--- /dev/null
+++ b/r_non_plat/mnld.te
@@ -0,0 +1,102 @@
+# ==============================================
+# Policy File of /vendor/bin/mnld Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mnld, domain;
+type mnld_exec, exec_type, file_type, vendor_file_type;
+typeattribute mnld mlstrustedsubject;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# STOPSHIP: Permissive is not allowed. CTS violation!
+init_daemon_domain(mnld)
+
+net_domain(mnld)
+# Purpose : For communicate with AGPSD by socket
+allow mnld agpsd_data_file:dir create_dir_perms;
+allow mnld agpsd_data_file:sock_file create_file_perms;
+allow mnld mtk_agpsd:unix_dgram_socket sendto;
+allow mnld sysfs_wake_lock:file rw_file_perms;
+# Purpose : For access NVRAM data
+allow mnld nvram_data_file:dir create_dir_perms;
+allow mnld nvram_data_file:file create_file_perms;
+allow mnld nvram_data_file:lnk_file read;
+allow mnld nvdata_file:lnk_file read;
+allow mnld nvram_device:blk_file rw_file_perms;
+allow mnld nvram_device:chr_file rw_file_perms;
+allow mnld nvdata_file:dir create_dir_perms;
+allow mnld nvdata_file:file create_file_perms;
+# Purpose : For access kernel device
+allow mnld mnld_data_file:dir rw_dir_perms;
+allow mnld mnld_data_file:sock_file create_file_perms;
+allow mnld mnld_device:chr_file rw_file_perms;
+allow mnld mnld_data_file:file rw_file_perms;
+allow mnld mnld_data_file:file create_file_perms;
+allow mnld mnld_data_file:fifo_file create_file_perms;
+# Purpose : For init process
+allow mnld init:unix_stream_socket connectto;
+allow mnld init:udp_socket { read write };
+
+# Send the message to the LBS HIDL Service to forward to applications
+allow mnld lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to applications
+allow mnld merged_hal_service:unix_dgram_socket sendto;
+
+# Purpose : For access system data
+allow mnld bootdevice_block_device:blk_file rw_file_perms;
+allow mnld block_device:dir search;
+allow mnld mnld_prop:property_service set;
+allow mnld property_socket:sock_file write;
+allow mnld mdlog_device:chr_file { read write };
+allow mnld self:capability { fsetid };
+allow mnld stpbt_device:chr_file { read write };
+allow mnld gpsdl_device:chr_file { read write };
+allow mnld ttyGS_device:chr_file { read write };
+# Purpose : For file system operations
+allow mnld sdcard_type:dir search;
+allow mnld sdcard_type:dir write;
+allow mnld sdcard_type:dir add_name;
+allow mnld sdcard_type:file create;
+allow mnld sdcard_type:file rw_file_perms;
+allow mnld sdcard_type:file create_file_perms;
+allow mnld sdcard_type:dir { read remove_name create open };
+allow mnld tmpfs:lnk_file { read create open };
+allow mnld mtd_device:dir search;
+allow mnld mnt_user_file:lnk_file read;
+allow mnld mnt_user_file:dir search;
+allow mnld gps_data_file:dir { write add_name search remove_name unlink};
+allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
+allow mnld gps_data_file:lnk_file read;
+
+allow mnld storage_file:lnk_file read;
+allow mnld nvcfg_file:dir search;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow mnld proc_lk_env:file rw_file_perms;
+
+# For HIDL, communicate mtk_hal_gnss instead of system_server
+allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
+
+# Purpose : MPE sensor HIDL policy
+hwbinder_use(mnld);
+binder_call(mnld, system_server)
+allow mnld fwk_sensor_hwservice:hwservice_manager find;
+#allow mnld hwservicemanager_prop:file { read open getattr };
+get_prop(mnld, hwservicemanager_prop);
+allow mnld debugfs_tracing:file { open write };
+
+allow mnld mnt_vendor_file:dir search;
+
+# Date : WK18.26
+# Purpose : for atci gps test
+allow mnld atci_service:unix_dgram_socket sendto;
+
+allow mnld sysfs_boot_mode:file { read open };
+
+set_prop(mnld, vendor_radio_prop);
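Review bot: The comment `# STOPSHIP: Permissive is not allowed. CTS violation!` has no matching `permissive mnld;` line in this file, so it is stale and should be removed — or, if a permissive declaration for mnld exists elsewhere, that is what must go before ship. The same domain gets `allow mnld bootdevice_block_device:blk_file rw_file_perms;` under the vague heading "For access system data" and is made `mlstrustedsubject`; raw write to the boot block device from a GNSS daemon is hard to justify, so either narrow it to the partition type it actually reads (nvram_device is already granted) or replace the heading with a concrete note such as `# raw rw on the boot device: needed for <reason>; TODO narrow to read-only / specific partition`. `allow mnld init:udp_socket { read write };` is also unusual — the property-set path only needs the unix_stream connectto — and deserves a comment or removal.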
diff --git a/r_non_plat/mobile_log_d.te b/r_non_plat/mobile_log_d.te
new file mode 100644
index 0000000..0caa870
--- /dev/null
+++ b/r_non_plat/mobile_log_d.te
@@ -0,0 +1,64 @@
+# boot_mdoe file access
+allow mobile_log_d sysfs_boot_mode:file { open read };
+
+#proc/ access
+allow mobile_log_d proc_kmsg:file r_file_perms;
+allow mobile_log_d proc_cmdline:file r_file_perms;
+allow mobile_log_d proc_atf_log:dir search;
+allow mobile_log_d proc_atf_log:file r_file_perms;
+allow mobile_log_d proc_gz_log:file r_file_perms;
+allow mobile_log_d proc_last_kmsg:file r_file_perms;
+allow mobile_log_d proc_bootprof:file r_file_perms;
+allow mobile_log_d proc_pl_lk:file r_file_perms;
+
+#scp
+allow mobile_log_d sysfs_scp:file { open write };
+allow mobile_log_d sysfs_scp:dir search;
+allow mobile_log_d scp_device:chr_file { read open };
+
+#adsp
+allow mobile_log_d sysfs_adsp:file { open write };
+allow mobile_log_d sysfs_adsp:dir search;
+allow mobile_log_d adsp_device:chr_file r_file_perms;
+
+#sspm
+allow mobile_log_d sysfs_sspm:file { open write };
+allow mobile_log_d sysfs_sspm:dir search;
+allow mobile_log_d sspm_device:chr_file { read open };
+
+#data/misc/mblog
+allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logmisc_data_file:file create_file_perms;
+
+#data/log_temp
+allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
+allow mobile_log_d logtemp_data_file:file create_file_perms;
+
+#data/data_tmpfs_log
+allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
+allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
+
+#mobile itself property
+set_prop(mobile_log_d, mobile_log_prop)
+
+# Date: 2016/11/11
+# purpose: allow MobileLog to access aee socket
+allow mobile_log_d aee_aed:unix_stream_socket connectto;
+
+# purpose: send log to com port
+allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
+
+# purpose: allow mobile_log_d to access persist.meta.connecttype
+get_prop(mobile_log_d, meta_connecttype_prop);
+
+# purpose: allow mobile_log_d to create socket
+allow mobile_log_d port:tcp_socket { name_connect name_bind };
+allow mobile_log_d mobile_log_d:tcp_socket { create connect setopt bind };
+allow mobile_log_d mobile_log_d:tcp_socket { bind setopt listen accept read write };
+allow mobile_log_d node:tcp_socket node_bind;
+
+# purpose: allow mobile_log_d to read system property init.svc.vendor.
+get_prop(mobile_log_d, vendor_default_prop)
+
+# purpose: allow mobile_log_d to read persist.vendor.mtk.aee
+get_prop(mobile_log_d, persist_mtk_aee_prop)
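Review bot: `allow mobile_log_d port:tcp_socket { name_connect name_bind };` together with `listen accept` and `node:tcp_socket node_bind` lets the log daemon bind and accept on any TCP port on any interface, and the only explanation is "allow mobile_log_d to create socket". A daemon that also reads proc_kmsg, proc_atf_log and proc_gz_log is a useful target, so the listener should be documented (what it serves, whether it is loopback-only, whether it is META/debug-only) and, if the build supports a `portcon` for it, bound to a dedicated port type rather than the generic `port`. Style: the comment `# boot_mdoe file access` should read `boot_mode`, and the two `mobile_log_d:tcp_socket` rules overlap (`bind setopt` appear in both) and can be merged into one. The type declaration for mobile_log_d is outside this file, so I cannot see whether it is a net_domain.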
diff --git a/r_non_plat/modemdbfilter_service.te b/r_non_plat/modemdbfilter_service.te
new file mode 100644
index 0000000..e1c1090
--- /dev/null
+++ b/r_non_plat/modemdbfilter_service.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_service ,domain;
+type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type;
+typeattribute modemdbfilter_service mlstrustedsubject;
+
+#Purpose : for create hidl server
+hal_server_domain(modemdbfilter_service, mtk_hal_md_dbfilter)
+init_daemon_domain(modemdbfilter_service)
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
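Review bot: `typeattribute modemdbfilter_service mlstrustedsubject;` is not justified by anything in this file — beyond hal_server_domain and init_daemon_domain the domain has no file or IPC rules, so there is no cross-category object it needs to bypass MLS for. Drop the line, or add a comment naming the object type and per-user category access that requires it, e.g. `# mlstrustedsubject: needed to read <type> across user categories (TODO confirm)`. The spacing in `type modemdbfilter_service ,domain;` should be `type modemdbfilter_service, domain;` to match the other files.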
diff --git a/r_non_plat/mtk_agpsd.te b/r_non_plat/mtk_agpsd.te
new file mode 100644
index 0000000..5c71128
--- /dev/null
+++ b/r_non_plat/mtk_agpsd.te
@@ -0,0 +1,70 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_agpsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
+type mtk_agpsd, domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(mtk_agpsd)
+
+net_domain(mtk_agpsd)
+
+# Access channels to modem for E-CID, RRLP, and LPP
+allow mtk_agpsd agps_device:chr_file rw_file_perms;
+allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
+allow mtk_agpsd ccci_device:chr_file { create setattr unlink rw_file_perms };
+
+# Access folders, files, and sockets in /data/agps_supl
+allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
+allow mtk_agpsd agpsd_data_file:file create_file_perms;
+allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
+
+# Access file system partitions like /system, /data and SD Card
+allow mtk_agpsd sdcard_type:dir create_dir_perms;
+allow mtk_agpsd sdcard_type:file create_file_perms;
+allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
+allow mtk_agpsd mnt_user_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:file create_file_perms;
+allow mtk_agpsd gps_data_file:dir create_dir_perms;
+allow mtk_agpsd gps_data_file:file create_file_perms;
+
+# Access symbolic link files like /etc and /sdcard
+allow mtk_agpsd tmpfs:lnk_file create_file_perms;
+allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
+allow mtk_agpsd storage_file:dir create_dir_perms;
+allow mtk_agpsd storage_file:file create_file_perms;
+
+# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
+allow mtk_agpsd slpd:unix_dgram_socket sendto;
+
+# Operators will send agps settings via OMADM.
+# Operators ask UE to save these settings into NVRAM.
+allow mtk_agpsd nvcfg_file:dir create_dir_perms;
+allow mtk_agpsd nvcfg_file:file create_file_perms;
+
+# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
+allow mtk_agpsd mnld:unix_dgram_socket sendto;
+
+# Send the message to the LBS HIDL Service to forward to system partitions
+allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to system partitions
+allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
+
+# Allow send socket to fusion rild
+allow mtk_agpsd rild:unix_dgram_socket sendto;
+
+# Allow libapmonitor to read the property of hwservicemanager.ready
+get_prop(mtk_agpsd,hwservicemanager_prop)
+
+# Read the property of vendor.debug.gps.mnld.ne
+get_prop(mtk_agpsd,mnld_prop)
+
+# Read the property of ro.vendor.mtk_log_hide_gps
+get_prop(mtk_agpsd,mtk_gps_support_prop)
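Review bot: `allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };` and the matching ccci_device rule grant create/setattr/unlink on device nodes to a net_domain daemon; a userspace client normally only opens these nodes (creating one would additionally need the mknod capability, which is not granted here), so unless mtk_agpsd really manages those nodes the two rules should be reduced to `rw_file_perms`. The same domain receives create_dir_perms/create_file_perms on sdcard_type, storage_file, mnt_user_file and mnt_vendor_file — since it parses network input (SUPL/OMA-DM), each of those broad write grants should carry a comment naming the path written or be narrowed to a dedicated data type like the agpsd_data_file it already has. The comment on the nvcfg_file rules says operator settings are saved to NVRAM; I cannot see from this file whether anything else restricts who may write nvcfg_file, so that is worth confirming.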
diff --git a/r_non_plat/mtk_hal_audio.te b/r_non_plat/mtk_hal_audio.te
new file mode 100644
index 0000000..ffd5c7c
--- /dev/null
+++ b/r_non_plat/mtk_hal_audio.te
@@ -0,0 +1,233 @@
+type mtk_hal_audio, domain;
+hal_server_domain(mtk_hal_audio, hal_audio)
+
+type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_audio)
+
+hal_client_domain(mtk_hal_audio, hal_allocator)
+
+hwbinder_use(mtk_hal_audio)
+wakelock_use(mtk_hal_audio);
+
+allow mtk_hal_audio ion_device:chr_file r_file_perms;
+
+allow mtk_hal_audio system_file:dir { open read };
+
+r_dir_file(mtk_hal_audio, proc)
+allow mtk_hal_audio audio_device:dir r_dir_perms;
+allow mtk_hal_audio audio_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# mtk_hal_audio should never execute any executable without
+# a domain transition
+neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
+
+# mtk_hal_audio should never need network access.
+# Disallow network sockets.
+neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
+allow mtk_hal_audio sdcard_type:dir { w_dir_perms create };
+allow mtk_hal_audio sdcard_type:file create;
+allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
+allow mtk_hal_audio nvram_data_file:file create_file_perms;
+allow mtk_hal_audio nvram_data_file:lnk_file read;
+allow mtk_hal_audio nvdata_file:lnk_file read;
+allow mtk_hal_audio nvdata_file:dir w_dir_perms;
+allow mtk_hal_audio nvdata_file:file create_file_perms;
+allow mtk_hal_audio sdcard_type:dir remove_name;
+allow mtk_hal_audio sdcard_type:file unlink;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
+allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Smartcard Service
+allow mtk_hal_audio self:netlink_kobject_uevent_socket read;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write;
+allow mtk_hal_audio bt_int_adp_socket:sock_file write;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+allow mtk_hal_audio MtkCodecService:binder call;
+allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
+allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
+allow mtk_hal_audio devmap_device:chr_file r_file_perms;
+allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
+allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : NVRam access
+allow mtk_hal_audio block_device:dir { write search };
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+allow mtk_hal_audio fm_device:chr_file rw_file_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : dump for debug
+allow mtk_hal_audio sdcard_type:file append;
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : dump for debug
+allow mtk_hal_audio audiohal_prop:property_service set;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+allow mtk_hal_audio vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow mtk_hal_audio rpc_socket:sock_file write;
+allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mtk_hal_audio sysfs_lowmemorykiller:file { read open };
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mtk_hal_audio proc_mtkcooler:dir search;
+allow mtk_hal_audio proc_mtktz:dir search;
+allow mtk_hal_audio proc_thermal:dir search;
+allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow mtk_hal_audio radio:dir { search read };
+allow mtk_hal_audio radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mtk_hal_audio untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mtk_hal_audio storage_file:dir search;
+allow mtk_hal_audio storage_file:lnk_file {read write};
+allow mtk_hal_audio mnt_user_file:dir {write read search};
+allow mtk_hal_audio mnt_user_file:lnk_file {read write};
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow mtk_hal_audio sysfs_ccci:file r_file_perms;
+allow mtk_hal_audio sysfs_ccci:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow mtk_hal_audio tmpfs:dir search;
+
+# Purpose: Dump debug info
+allow mtk_hal_audio debugfs_binder:dir search;
+allow mtk_hal_audio kmsg_device:chr_file { open write };
+allow mtk_hal_audio property_socket:sock_file write;
+allow mtk_hal_audio fuse:file rw_file_perms;
+allow mtk_hal_audio init:unix_stream_socket connectto;
+
+# Date : WK16.27
+# Operation : Migration
+# Purpose: tunning tool update parameters
+binder_call(mtk_hal_audio,radio)
+allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
+allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
+
+# Date : WK16.28
+# Operation : Migration
+# Purpose: Write audio dump files to external SDCard.
+allow mtk_hal_audio sdcard_type:file { create_file_perms };
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtk_hal_audio proc_ged:file rw_file_perms;
+
+set_prop(mtk_hal_audio,hwservicemanager_prop);
+allow mtk_hal_audio storage_file:dir search;
+
+# Fix bootup violation
+allow mtk_hal_audio fuse:dir read;
+
+# for usb phone call, allow sys_nice
+allow mtk_hal_audio self:capability sys_nice;
+
+# Date : W17.29
+# Boot for opening trace file: Permission denied (13)
+allow mtk_hal_audio debugfs_tracing:file { write open };
+
+# for usb phone call, allow sys_nice
+allow mtk_hal_audio self:capability sys_nice;
+
+# Audio Tuning Tool Android O porting
+binder_call(mtk_hal_audio,audiocmdservice_atci);
+
+
+# Add for control PowerHAL
+allow mtk_hal_audio mtk_hal_power_hwservice:hwservice_manager find;
+binder_call(mtk_hal_audio, mtk_hal_power)
+binder_call(mtk_hal_audio, merged_hal_service)
+# cm4 smartpa
+allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open };
+allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow mtk_hal_audio mnt_vendor_file:dir search;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_audio audioserver:fifo_file w_file_perms;
+allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
+allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
+
+# Date : WK18.44
+# Operation: adsp
+allow mtk_hal_audio adsp_device:file rw_file_perms;
+allow mtk_hal_audio adsp_device:chr_file rw_file_perms;
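Review bot: `set_prop(mtk_hal_audio,hwservicemanager_prop);` grants write access to hwservicemanager.ready, a property owned by hwservicemanager; the sibling domains in this merge only read it (`get_prop(mnld, hwservicemanager_prop)`, `get_prop(mtk_agpsd,hwservicemanager_prop)`) and an audio HAL has no reason to set it, so this should become `get_prop(mtk_hal_audio, hwservicemanager_prop)` — as far as I recall platform policy also neverallows other domains from setting it, so verify the build. The file grants `allow mtk_hal_audio self:capability sys_nice;` twice with the same comment, and `allow mtk_hal_audio adsp_device:file rw_file_perms;` directly above the chr_file rule for the same type looks like a wrong object class (device nodes are chr_file); drop the duplicate and confirm which class adsp_device objects actually carry. `allow mtk_hal_audio untrusted_app:dir search;` with the comment "cts search strange app" grants search into untrusted apps' /proc/<pid> directories and needs a real explanation or removal.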
diff --git a/r_non_plat/mtk_hal_bgs.te b/r_non_plat/mtk_hal_bgs.te
new file mode 100644
index 0000000..c93342f
--- /dev/null
+++ b/r_non_plat/mtk_hal_bgs.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_bgs_client, mtk_hal_bgs_server)
+binder_call(mtk_hal_bgs_server, mtk_hal_bgs_client)
+
+add_hwservice(mtk_hal_bgs_server, mtk_hal_bgs_hwservice)
+allow mtk_hal_bgs_client mtk_hal_bgs_hwservice:hwservice_manager find; \ No newline at end of file
diff --git a/r_non_plat/mtk_hal_bluetooth.te b/r_non_plat/mtk_hal_bluetooth.te
new file mode 100644
index 0000000..d51b29b
--- /dev/null
+++ b/r_non_plat/mtk_hal_bluetooth.te
@@ -0,0 +1,49 @@
+type mtk_hal_bluetooth, domain;
+type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_bluetooth)
+
+#r_dir_file(mtk_hal_bluetooth, system_file)
+# call into the Bluetooth process (callbacks)
+binder_call(mtk_hal_bluetooth, bluetooth)
+hwbinder_use(mtk_hal_bluetooth);
+
+wakelock_use(mtk_hal_bluetooth);
+
+# bluetooth factory file accesses.
+r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
+
+allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow mtk_hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(mtk_hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow mtk_hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# VTS tests need to be able to toggle rfkill
+allow mtk_hal_bluetooth self:capability net_admin;
+
+# Purpose : Set to access stpbt driver & NVRAM
+allow mtk_hal_bluetooth stpbt_device:chr_file rw_file_perms;
+
+allow mtk_hal_bluetooth nvdata_file:dir search;
+allow mtk_hal_bluetooth nvdata_file:file rw_file_perms;
+allow mtk_hal_bluetooth nvram_data_file:lnk_file read;
+allow mtk_hal_bluetooth nvdata_file:lnk_file read;
+
+# Purpose: Allow to search /mnt/vendor/* for fstab when using NVM_Init()
+allow mtk_hal_bluetooth mnt_vendor_file:dir search;
+
+get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
+
+#add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
+allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
+
+hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);
+
+# Purpose: Allow BT Driver to insmod
+allow mtk_hal_bluetooth wmt_prop:property_service set;
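Review bot: `allow mtk_hal_bluetooth self:capability net_admin;` is justified only by the comment `# VTS tests need to be able to toggle rfkill`, yet the rule is unconditional, so the HAL holds CAP_NET_ADMIN on production builds as well; if rfkill toggling is also part of normal operation the comment should say so, otherwise the rule should be dropped or the test requirement handled differently. `#add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)` is commented out while `allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;` remains, so unless registration is granted in another file no domain can add that hwservice; a one-line comment naming where it is registered would remove the doubt. `hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);` also carries a trailing `;` that the other macro calls in this file omit.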
diff --git a/r_non_plat/mtk_hal_camera.te b/r_non_plat/mtk_hal_camera.te
new file mode 100644
index 0000000..f428efb
--- /dev/null
+++ b/r_non_plat/mtk_hal_camera.te
@@ -0,0 +1,341 @@
+# ==============================================================================
+# Policy File of /vendor/bin/camerahalserver Executable File
+
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+
+type mtk_hal_camera, domain;
+type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================================================
+# MTK Policy Rule
+# ==============================================================================
+
+# -----------------------------------
+# Purpose: Binderized HAL Server
+# -----------------------------------
+
+# Set up a transition from init to the camerahalserver upon executing its binary.
+init_daemon_domain(mtk_hal_camera)
+
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+hal_server_domain(mtk_hal_camera, hal_camera)
+
+hal_server_domain(mtk_hal_camera, mtk_hal_bgs)
+
+# Allow camerahalserver to use HwBinder and vendor binder IPC.
+hwbinder_use(mtk_hal_camera)
+vndbinder_use(mtk_hal_camera)
+
+allow mtk_hal_camera hwservicemanager_prop:file { open read getattr };
+
+# -----------------------------------
+# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
+# -----------------------------------
+
+# callback to cameraserver
+binder_call(mtk_hal_camera, cameraserver)
+
+# callback to shell for debugging
+binder_call(mtk_hal_camera, shell)
+
+# callback to /vendor/bin/aee_aedv for aee debugging
+binder_call(mtk_hal_camera, aee_aedv)
+
+# call the graphics allocator hal
+binder_call(mtk_hal_camera, hal_graphics_allocator)
+
+# call PowerHal
+binder_call(mtk_hal_camera, mtk_hal_power)
+
+# -----------------------------------
+# Purpose: Allow camerahalserver to find a service from hwservice_manager
+# -----------------------------------
+allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
+#allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
+allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
+allow mtk_hal_camera mtk_hal_power_hwservice:hwservice_manager find;
+allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
+allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
+hal_client_domain(mtk_hal_camera, hal_graphics_allocator)
+
+# -----------------------------------
+# Purpose: Camera-related devices (driver)
+# -----------------------------------
+allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
+allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_ENC_IO_INIT
+ JPG_BRIDGE_ENC_IO_CONFIG
+ JPG_BRIDGE_ENC_IO_WAIT
+ JPG_BRIDGE_ENC_IO_DEINIT
+ JPG_BRIDGE_ENC_IO_START
+ };
+
+allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
+allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
+allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
+allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
+allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
+allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
+allow mtk_hal_camera flashlight_device:chr_file rw_file_perms;
+allow mtk_hal_camera lens_device:chr_file rw_file_perms;
+
+# FDVT Driver
+allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
+
+# DPE Driver
+allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
+
+# MFB Driver
+allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
+
+# WPE Driver
+allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
+
+# mtk_jpeg
+allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
+
+allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
+allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
+
+# Purpose: RSC driver
+allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
+
+# Purpose: OWE driver
+allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
+
+# Purpose: AF related
+allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
+allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
+allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
+allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
+allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
+
+# Purpose: Camera EEPROM Calibration
+allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
+
+# -----------------------------------
+# Purpose: Other device drivers used by camera
+# -----------------------------------
+allow mtk_hal_camera ion_device:chr_file rw_file_perms;
+allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms;
+allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
+
+# -----------------------------------
+# Purpose: Filesystem in Userspace (FUSE)
+# - sdcard access (buffer dump for EM mode)
+# -----------------------------------
+allow mtk_hal_camera fuse:dir { search read write };
+allow mtk_hal_camera fuse:file rw_file_perms;
+
+# -----------------------------------
+# Purpose: Storage access
+# -----------------------------------
+## Date : WK14.XX-15.XX
+## nvram access
+allow mtk_hal_camera block_device:dir { write search };
+allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
+allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
+## nvram access (dumchar case for nand and legacy chip)
+allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
+allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
+
+## Date : WK14.XX-15.XX
+## sdcard access - dump for debug
+allow mtk_hal_camera sdcard_type:dir { write add_name create };
+allow mtk_hal_camera sdcard_type:file { append create getattr };
+
+# -----------------------------------
+# Purpose: property access
+# -----------------------------------
+allow mtk_hal_camera mtkcam_prop:file { open read getattr };
+
+# -----------------------------------
+# Android O
+# Purpose: Shell Debugging
+# -----------------------------------
+# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+# (used in user build)
+allow mtk_hal_camera shell:unix_stream_socket { read write };
+allow mtk_hal_camera shell:fifo_file write;
+
+# -----------------------------------
+# Android O
+# Purpose: AEE Debugging
+# -----------------------------------
+# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
+allow mtk_hal_camera dumpstate:binder { call };
+allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
+allow mtk_hal_camera dumpstate:fd { use };
+allow mtk_hal_camera dumpstate:fifo_file write;
+
+# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
+# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
+# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
+# tclass=file permissive=0
+allow mtk_hal_camera aee_exp_vendor_file:dir { w_dir_perms };
+allow mtk_hal_camera aee_exp_vendor_file:file { create_file_perms };
+
+# -----------------------------------
+# Android O
+# Purpose: Debugging
+# -----------------------------------
+# Purpose: libmemunreachable.so/GetUnreachableMemory()
+allow mtk_hal_camera self:process { ptrace };
+
+################################################################################
+# Date : WK14.XX-15.XX
+# Operation : Copy from Media server
+allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
+allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
+allow mtk_hal_camera nvdata_file:dir { write search add_name };
+allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
+allow mtk_hal_camera proc_meminfo:file { read getattr open };
+
+## Purpose : for low SD card latency issue
+allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
+
+## Purpose : for change thermal policy when needed
+allow mtk_hal_camera proc_mtkcooler:dir search;
+allow mtk_hal_camera proc_mtktz:dir search;
+allow mtk_hal_camera proc_thermal:dir search;
+allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+## Purpose : cts search strange app
+allow mtk_hal_camera untrusted_app:dir search;
+
+## Purpose : offloadservice
+allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
+
+## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mtk_hal_camera storage_file:lnk_file {read write};
+allow mtk_hal_camera mnt_user_file:dir {write read search};
+allow mtk_hal_camera mnt_user_file:lnk_file {read write};
+
+## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
+allow mtk_hal_camera surfaceflinger:fifo_file {read write};
+
+## Purpose : camera read/write /nvcfg/camera data
+allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:file create_file_perms;
+
+# Purpose : for camera init
+allow mtk_hal_camera system_server:unix_stream_socket { read write };
+
+################################################################################
+# Date : WK16
+# Operation : N Migration
+## Purpose: research root dir "/"
+allow mtk_hal_camera tmpfs:dir search;
+
+## Purpose : EGL file access
+allow mtk_hal_camera system_file:dir { read open };
+allow mtk_hal_camera gpu_device:dir search;
+allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
+
+## Purpose: Allow to access ged for gralloc_extra functions
+allow mtk_hal_camera proc_ged:file rw_file_perms;
+allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
+
+allow mtk_hal_camera debugfs_tracing:file { write open };
+
+## Purpose : camera3 IT/CTS
+allow mtk_hal_camera debugfs_ion:dir search;
+allow mtk_hal_camera hal_graphics_composer_default:fd use;
+allow mtk_hal_camera property_socket:sock_file write;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open };
+allow mtk_hal_camera mtk_mdp_device:chr_file rw_file_perms;
+
+# Date : WK17.36
+# Operation : O Migration
+# Purpose: Allow to access battery status
+allow mtk_hal_camera sysfs_batteryinfo:dir search;
+allow mtk_hal_camera sysfs_batteryinfo:file { getattr open read };
+
+# Date : WK17.39
+# Operation : O Migration
+# Purpose: Change thermal config
+allow mtk_hal_camera mtk_thermal_config_prop:property_service set;
+
+# Date : WK18.31
+# Stage: P Migration
+# Purpose: CCT
+allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
+allow mtk_hal_camera graphics_device:dir search;
+allow mtk_hal_camera cct_data_file:dir create_dir_perms;
+allow mtk_hal_camera cct_data_file:file create_file_perms;
+allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
+allow mtk_hal_camera sysfs_boot_mode:file { read open };
+allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
+allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;
+
+# Date : WK18.01
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+userdebug_or_eng(`
+allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
+')
+
+# Date : WK18.02
+# Stage: O Migration
+# Purpose: ISP tuning remapping
+allow mtk_hal_camera mediatek_prop:property_service set;
+
+# Date : WK18.22
+# Stage: p Migration
+# Purpose: NVRAM
+allow mtk_hal_camera nvram_data_file:dir search;
+allow mtk_hal_camera nvram_data_file:file rw_file_perms;
+allow mtk_hal_camera nvram_data_file:lnk_file read;
+allow mtk_hal_camera nvdata_file:lnk_file read;
+allow mtk_hal_camera nvdata_file:dir create_dir_perms;
+allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
+allow mtk_hal_camera nvcfg_file:lnk_file read;
+allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:file { read write getattr setattr open create };
+allow mtk_hal_camera mnt_vendor_file:dir search;
+allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
+
+# Date : WK18.35
+# Purpose: allow mtk_hal_camera to access gz_device node
+allow mtk_hal_camera gz_device:chr_file rw_file_perms;
+
+#data/dipdebug
+allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms;
+allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };
+
+allow mtk_hal_camera proc_isp_p2:dir search;
+allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
+
+# Date: 2019/07/09
+# Operation : For M4U security
+allow mtk_hal_camera proc_m4u:file r_file_perms;
+allowxperm mtk_hal_camera proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+
+# Date: 2019/08/27
+# Operation : For android Q allowing ioctl
+allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
+allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
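Review bot: `allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };` under `# Operation : Copy from Media server` grants CAP_SETUID to the camera HAL with no stated use beyond having been copied from mediaserver; a HAL that can change its uid weakens the least-privilege boundary of its domain, so the rule should be narrowed to the capabilities the server actually exercises or carry a comment naming the code path that needs setuid. In the same block `allow mtk_hal_camera block_device:dir { write search };` lets the HAL create entries in the directory labelled block_device, which a camera server has no evident reason to do. Several grants are stated twice with overlapping permission sets — `nvram_data_file:lnk_file` under "find a service from hwservice_manager" and again under "Purpose: NVRAM", `nvdata_file:dir` and `nvcfg_file:dir` under "Copy from Media server"/"camera read/write /nvcfg/camera data" and again under "Purpose: NVRAM" — and the two `lnk_file` rules list `read` twice; merging them would make the effective grant reviewable at a glance. `allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };` is conventionally written with `self` as the target, as the capability rules in this file already do.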
diff --git a/r_non_plat/mtk_hal_em.te b/r_non_plat/mtk_hal_em.te
new file mode 100644
index 0000000..6d3b6a8
--- /dev/null
+++ b/r_non_plat/mtk_hal_em.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_em_client, mtk_hal_em_server)
+binder_call(mtk_hal_em_server, mtk_hal_em_client)
+
+add_hwservice(mtk_hal_em_server, mtk_hal_em_hwservice)
+allow mtk_hal_em_client mtk_hal_em_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_fm.te b/r_non_plat/mtk_hal_fm.te
new file mode 100644
index 0000000..ccd0894
--- /dev/null
+++ b/r_non_plat/mtk_hal_fm.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_fm_client, mtk_hal_fm_server)
+binder_call(mtk_hal_fm_server, mtk_hal_fm_client)
+
+add_hwservice(mtk_hal_fm_server, mtk_hal_fm_hwservice)
+allow mtk_hal_fm_client mtk_hal_fm_hwservice:hwservice_manager find;
+
+vndbinder_use(mtk_hal_fm) \ No newline at end of file
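Review bot: `vndbinder_use(mtk_hal_fm)` names a domain `mtk_hal_fm` that is not declared in this file, while every other rule here uses the `mtk_hal_fm_client`/`mtk_hal_fm_server` attributes; if `mtk_hal_fm` is declared elsewhere in the policy a comment saying so would help, otherwise the macro should take the server attribute (`vndbinder_use(mtk_hal_fm_server)`) or the domain needs its own `type` line. The file also ends without a trailing newline. Both points apply equally to mtk_hal_lbs.te in this commit.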
diff --git a/r_non_plat/mtk_hal_gnss.te b/r_non_plat/mtk_hal_gnss.te
new file mode 100644
index 0000000..175ff10
--- /dev/null
+++ b/r_non_plat/mtk_hal_gnss.te
@@ -0,0 +1,19 @@
+type mtk_hal_gnss, domain;
+hal_server_domain(mtk_hal_gnss, hal_gnss);
+
+type mtk_hal_gnss_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_gnss)
+
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(mtk_hal_gnss)
+
+#r_dir_file(mtk_hal_gnss, system_file)
+
+# Communicate over a socket created by mnld process.
+allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
+allow mtk_hal_gnss mnld_data_file:sock_file rw_file_perms;
+allow mtk_hal_gnss mnld_data_file:dir create_file_perms;
+allow mtk_hal_gnss mnld_data_file:dir rw_dir_perms;
+
+allow mtk_hal_gnss mnld:unix_dgram_socket sendto;
+
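Review bot: `allow mtk_hal_gnss mnld_data_file:dir create_file_perms;` applies the file-permission macro to a `dir` object; the directory counterpart is `create_dir_perms`, and since `rw_dir_perms` on the next line already covers add_name/remove_name, it is unclear whether rmdir/reparent are meant to be granted, so the intended set should be stated with the matching macro. `vndbinder_use(mtk_hal_gnss)` is marked `#TODO:: work around solution, wait for correct solution from google`; the comment should say what the workaround avoids so the TODO can actually be revisited. `hal_server_domain(mtk_hal_gnss, hal_gnss);` carries a trailing `;` unlike `init_daemon_domain(mtk_hal_gnss)` a few lines below.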
diff --git a/r_non_plat/mtk_hal_gpu.te b/r_non_plat/mtk_hal_gpu.te
new file mode 100644
index 0000000..ab08bdd
--- /dev/null
+++ b/r_non_plat/mtk_hal_gpu.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.gpu@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_gpu, domain;
+type mtk_hal_gpu_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_gpu)
+
+# Allow to use HWBinder IPC
+hwbinder_use(mtk_hal_gpu);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_gpu, hal_gpu)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_gpu, mtk_hal_gpu_hwservice)
+allow hal_gpu_client mtk_hal_gpu_hwservice:hwservice_manager find;
+
+# Allow to allocate hidl memory
+hal_client_domain(mtk_hal_gpu, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_gpu graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to set pq property
+#set_prop(mtk_hal_gpu, mtk_gpu_prop)
+
+allow mtk_hal_gpu debugfs_ged:dir rw_dir_perms;
+allow mtk_hal_gpu debugfs_ged:file rw_file_perms;
+allow mtk_hal_gpu proc_ged:file rw_file_perms;
+allowxperm mtk_hal_gpu proc_ged:file ioctl { proc_ged_ioctls };
+
+allow mtk_hal_gpu hal_graphics_allocator_default:fd use;
+allow mtk_hal_gpu ion_device:chr_file r_file_perms;
+allow mtk_hal_gpu debugfs_ion:dir search;
+
+allow mtk_hal_gpu merged_hal_service:fd use;
+
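Review bot: `add_hwservice(hal_gpu, mtk_hal_gpu_hwservice)` uses the umbrella `hal_gpu` attribute rather than `hal_gpu_server`; with the AOSP `hal_client_domain`/`hal_server_domain` macros both client and server domains carry `hal_gpu`, so as written every hal_gpu client domain would also be allowed to register the hwservice. mtk_hal_hdmi.te in this commit uses `add_hwservice(hal_hdmi_server, mtk_hal_hdmi_hwservice)`; the same form here would be `add_hwservice(hal_gpu_server, mtk_hal_gpu_hwservice)`. The `debugfs_ged` dir/file `rw_*_perms` rules are unconditional; if they only serve debugging, wrapping them in `userdebug_or_eng(...)` as mtk_hal_camera.te does for its aee socket rule would keep debugfs writes out of user builds.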
diff --git a/r_non_plat/mtk_hal_hdmi.te b/r_non_plat/mtk_hal_hdmi.te
new file mode 100644
index 0000000..a1995ca
--- /dev/null
+++ b/r_non_plat/mtk_hal_hdmi.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.hdmi@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_hdmi, domain;
+type mtk_hal_hdmi_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_hdmi)
+
+# Allow to use HWBinder IPC
+hwbinder_use(mtk_hal_hdmi);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_hdmi, hal_hdmi)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_hdmi_server, mtk_hal_hdmi_hwservice)
+
+# Allow to allocate hidl memory
+#hal_client_domain(mtk_hal_hdmi, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_hdmi graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_hdmi fwk_sensor_hwservice:hwservice_manager find;
+
+#for hdmi uevent
+allow mtk_hal_hdmi self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#============= Key Manager HIDL Service ==============
+allow mtk_hal_hdmi mtk_hal_keymanage:binder call;
+
+# Purpose : Allow hdmi to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mtk_hal_hdmi, hal_keymaster)
+
+allow mtk_hal_hdmi mtk_hal_keymanage_hwservice:hwservice_manager find;
+
+# Purpose : Allow permission to set hdmi property
+set_prop(mtk_hal_hdmi, mtk_hdmi_prop);
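Review bot: `allow mtk_hal_hdmi mtk_hal_keymanage:binder call;` and `allow mtk_hal_hdmi mtk_hal_keymanage_hwservice:hwservice_manager find;` appear to duplicate what `hal_client_domain(mtk_hal_hdmi, hal_keymaster)` already grants, since mtk_hal_keymanage.te in this commit makes `mtk_hal_keymanage` a `hal_keymaster` server and gives `hal_keymaster_client` find on that hwservice; if the explicit rules are kept deliberately, a comment should say why. `add_hwservice(hal_hdmi_server, mtk_hal_hdmi_hwservice)` is not paired with a `find` rule for `hal_hdmi_client` here, unlike the gpu and power files; worth confirming the find is granted elsewhere. `hwbinder_use(mtk_hal_hdmi);` and `set_prop(mtk_hal_hdmi, mtk_hdmi_prop);` carry trailing `;` that the other macro calls in this file omit.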
diff --git a/r_non_plat/mtk_hal_imsa.te b/r_non_plat/mtk_hal_imsa.te
new file mode 100644
index 0000000..bb04277
--- /dev/null
+++ b/r_non_plat/mtk_hal_imsa.te
@@ -0,0 +1,35 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_imsa, domain, mtkimsapdomain;
+type mtk_hal_imsa_exec, exec_type, vendor_file_type, file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_imsa)
+
+# hwbinder access
+hwbinder_use(mtk_hal_imsa)
+hal_server_domain(mtk_hal_imsa, hal_imsa)
+add_hwservice(hal_imsa_server, mtk_hal_imsa_hwservice)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_imsa, system_server)
+
+# Date : 2017/05/18
+# Operation : VoLTE sanity
+# Purpose : Add permission for IMSA connect to IMSM
+allow mtk_hal_imsa rild_imsm_socket:sock_file write;
+
+# Date : 2017/06/08
+# Operation : IMSA sanity
+# Purpose : Add permission for IMSA connect to hwservicemanager
+allow mtk_hal_imsa hwservicemanager_prop:file { read open };
+allow mtk_hal_imsa hwservicemanager_prop:file getattr;
+
+# Date : 2017/06/13
+# Operation : IMSA sanity
+# Purpose : Add permission for IMSA to access radio
+allow mtk_hal_imsa radio:binder call;
+allow mtk_hal_imsa debugfs_tracing:file { write open }; \ No newline at end of file
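Review bot: The two `hwservicemanager_prop:file` rules under the 2017/06/08 comment split `{ read open }` and `getattr` across lines; the rest of this commit expresses the same grant as `get_prop(mtk_hal_imsa, hwservicemanager_prop)`, which is one line and tracks any future change to the macro. `allow mtk_hal_imsa radio:binder call;` grants only `call`, whereas the `binder_call(mtk_hal_imsa, system_server)` form used above presumably also covers the `transfer` and `fd use` permissions needed once binder objects or fds are passed to radio; if only `call` is intended a comment should say so. The file ends without a trailing newline.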
diff --git a/r_non_plat/mtk_hal_keyattestation.te b/r_non_plat/mtk_hal_keyattestation.te
new file mode 100644
index 0000000..901f837
--- /dev/null
+++ b/r_non_plat/mtk_hal_keyattestation.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server
+binder_call(mtk_hal_keyattestation_client, mtk_hal_keyattestation_server);
+
+add_hwservice(mtk_hal_keyattestation_server, mtk_hal_keyattestation_hwservice)
+allow mtk_hal_keyattestation_client mtk_hal_keyattestation_hwservice:hwservice_manager find;
+
+# allow hal_keymaster tee_device:chr_file rw_file_perms;
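Review bot: `# allow hal_keymaster tee_device:chr_file rw_file_perms;` is a commented-out rule for an unrelated domain; dead rules in policy files tend to be un-commented later without review, so it is better deleted or replaced by a comment stating why TEE access is not granted here. `binder_call(mtk_hal_keyattestation_client, mtk_hal_keyattestation_server);` carries a trailing `;` that the sibling `mtk_hal_*` client/server files in this commit omit.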
diff --git a/r_non_plat/mtk_hal_keymanage.te b/r_non_plat/mtk_hal_keymanage.te
new file mode 100644
index 0000000..d3efa88
--- /dev/null
+++ b/r_non_plat/mtk_hal_keymanage.te
@@ -0,0 +1,27 @@
+# Set a new domain
+type mtk_hal_keymanage, domain;
+
+# Set mtk_hal_keymanage as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keymanage, hal_keymaster)
+
+# Set exec file type
+type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keymanage)
+
+# Associate mtk_hal_keymanage_hwservice with all server domain
+add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)
+
+# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager
+allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;
+
+# Give permission for hal_key_manage to access kisd service
+
+allow mtk_hal_keymanage kisd:unix_stream_socket connectto;
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keymanage key_install_data_file:dir { write add_name remove_name search };
+allow mtk_hal_keymanage key_install_data_file:file { write create setattr read getattr unlink open append };
+
+allow mtk_hal_keymanage debugfs_tracing:file { write };
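Review bot: The comment `# Allow mtk_hal_keyinstall to access /data/key_provisioning` names a domain other than the `mtk_hal_keymanage` in the two rules it introduces; it should read `# Allow mtk_hal_keymanage to access /data/key_provisioning`. `allow mtk_hal_keymanage debugfs_tracing:file { write };` omits `open`, whereas every other file in this commit grants `{ write open }`; if the HAL opens the trace marker itself this will be denied, so either add `open` or comment that the descriptor is inherited. The `# Give permission for hal_key_manage to access kisd service` comment is separated from its rule by a blank line and uses a third spelling of the domain name.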
diff --git a/r_non_plat/mtk_hal_lbs.te b/r_non_plat/mtk_hal_lbs.te
new file mode 100644
index 0000000..55a9cc7
--- /dev/null
+++ b/r_non_plat/mtk_hal_lbs.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_lbs_client, mtk_hal_lbs_server)
+binder_call(mtk_hal_lbs_server, mtk_hal_lbs_client)
+
+add_hwservice(mtk_hal_lbs_server, mtk_hal_lbs_hwservice)
+allow mtk_hal_lbs_client mtk_hal_lbs_hwservice:hwservice_manager find;
+
+vndbinder_use(mtk_hal_lbs) \ No newline at end of file
diff --git a/r_non_plat/mtk_hal_light.te b/r_non_plat/mtk_hal_light.te
new file mode 100644
index 0000000..de88326
--- /dev/null
+++ b/r_non_plat/mtk_hal_light.te
@@ -0,0 +1,23 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_light, domain;
+type mtk_hal_light_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_light)
+hwbinder_use(mtk_hal_light)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_light, system_server)
+
+# system file
+allow mtk_hal_light system_file:dir read;
+allow mtk_hal_light system_file:dir open;
+
+allow mtk_hal_light sysfs_leds:lnk_file read;
+allow mtk_hal_light sysfs_leds:file rw_file_perms;
+allow mtk_hal_light sysfs_leds:dir r_dir_perms;
+
+get_prop(mtk_hal_light, hwservicemanager_prop)
+hal_server_domain(mtk_hal_light,hal_light);
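Review bot: `allow mtk_hal_light system_file:dir read;` and `allow mtk_hal_light system_file:dir open;` split one grant over two rules; `allow mtk_hal_light system_file:dir { read open };` (or `r_dir_perms`, which the `sysfs_leds:dir` rule below already uses) is the conventional form. `hal_server_domain(mtk_hal_light,hal_light);` is the only macro call here with a trailing `;` and no space after the comma; placing it next to `init_daemon_domain(mtk_hal_light)` would also keep the domain setup together, as mtk_hal_gpu.te and mtk_hal_hdmi.te in this commit do.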
diff --git a/r_non_plat/mtk_hal_log.te b/r_non_plat/mtk_hal_log.te
new file mode 100644
index 0000000..6db3cd0
--- /dev/null
+++ b/r_non_plat/mtk_hal_log.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_log_client, mtk_hal_log_server)
+binder_call(mtk_hal_log_server, mtk_hal_log_client)
+
+add_hwservice(mtk_hal_log_server, mtk_hal_log_hwservice)
+allow mtk_hal_log_client mtk_hal_log_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_md_dbfilter.te b/r_non_plat/mtk_hal_md_dbfilter.te
new file mode 100644
index 0000000..2b8a4e6
--- /dev/null
+++ b/r_non_plat/mtk_hal_md_dbfilter.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_md_dbfilter_client, mtk_hal_md_dbfilter_server)
+binder_call(mtk_hal_md_dbfilter_server, mtk_hal_md_dbfilter_client)
+
+add_hwservice(mtk_hal_md_dbfilter_server, mtk_hal_md_dbfilter_hwservice)
+allow mtk_hal_md_dbfilter_client mtk_hal_md_dbfilter_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_mms.te b/r_non_plat/mtk_hal_mms.te
new file mode 100644
index 0000000..5609e97
--- /dev/null
+++ b/r_non_plat/mtk_hal_mms.te
@@ -0,0 +1,55 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mms@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_mms, domain;
+type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_mms)
+
+# Allow to use HWBinder IPC
+hwbinder_use(mtk_hal_mms);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_mms, hal_mms)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_mms_server, mtk_hal_mms_hwservice)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_mms graphics_device:chr_file { read write open ioctl };
+allow mtk_hal_mms ion_device:chr_file { read open ioctl };
+allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl };
+allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms;
+allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms;
+allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find;
+
+# Purpose : Allow to use allocator for JPEG
+hal_client_domain(mtk_hal_mms, hal_allocator)
+allow mtk_hal_mms mtk_hal_pq:binder call;
+
+# Purpose : Allow to use graphics allocator fd for gralloc_extra
+allow mtk_hal_mms hal_graphics_allocator_default:fd use;
+allow mtk_hal_mms debugfs_ion:dir search;
+allow mtk_hal_mms merged_hal_service:fd use;
+
+# Purpose : VDEC/VENC device node
+allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;
+allow mtk_hal_mms proc_mtk_jpeg:file r_file_perms;
+allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_ENC_IO_INIT
+ JPG_BRIDGE_ENC_IO_CONFIG
+ JPG_BRIDGE_ENC_IO_WAIT
+ JPG_BRIDGE_ENC_IO_DEINIT
+ JPG_BRIDGE_ENC_IO_START
+ };
+# Allow to use mms by JPEG with handle
+allow mtk_hal_mms platform_app:fd use;
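Review bot: The `allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_* }` list repeats the same five ioctls given in mtk_hal_camera.te in this commit; defining the set once (as this commit already does with `proc_ged_ioctls`) and referencing it from both files keeps the two allowlists from drifting. `allow mtk_hal_mms mtk_hal_pq:binder call;` grants only `call`; if binder objects or fds are passed to the PQ HAL, `binder_call(mtk_hal_mms, mtk_hal_pq)` is the form used elsewhere in this commit, and if not, a comment should say the narrower grant is deliberate.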
diff --git a/r_non_plat/mtk_hal_power.te b/r_non_plat/mtk_hal_power.te
new file mode 100644
index 0000000..fa52542
--- /dev/null
+++ b/r_non_plat/mtk_hal_power.te
@@ -0,0 +1,161 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_power, domain;
+type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_power)
+hwbinder_use(mtk_hal_power);
+
+get_prop(mtk_hal_power, hwservicemanager_prop)
+allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
+allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;
+
+add_hwservice(mtk_hal_power, mtk_hal_power_hwservice)
+allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
+
+hal_server_domain(mtk_hal_power, hal_power);
+hal_server_domain(mtk_hal_power, hal_wifi);
+
+# sysfs
+allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
+
+# debugfs
+allow mtk_hal_power debugfs_ged:dir r_dir_perms;
+allow mtk_hal_power debugfs_ged:file rw_file_perms;
+
+# proc_thermal
+allow mtk_hal_power proc_thermal:file w_file_perms;
+
+# proc info
+allow mtk_hal_power mtk_hal_audio:dir r_dir_perms;
+
+# Date : 2017/10/02
+# Operation: SQC
+# Purpose : Allow powerHAL to access perfmgr
+allow mtk_hal_power proc_perfmgr:dir r_dir_perms;
+allow mtk_hal_power proc_perfmgr:file rw_file_perms;
+allowxperm mtk_hal_power proc_perfmgr:file ioctl PERFMGR_FPSGO_TOUCH;
+
+# Date : 2017/10/11
+# Operation: SQC
+# Purpose : Allow powerHAL to access powerhal folder
+allow mtk_hal_power sdcard_type:dir create_dir_perms;
+allow mtk_hal_power sdcard_type:file create_file_perms;
+allow mtk_hal_power eemcs_device:chr_file rw_file_perms;
+allow mtk_hal_power mnt_user_file:dir create_dir_perms;
+
+allow mtk_hal_power mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
+allow mtk_hal_power mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
+allow mtk_hal_power mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
+
+#camera contorl cpu
+allow mtk_hal_power mtk_hal_camera:dir r_dir_perms;
+allow mtk_hal_power mtk_hal_camera:file r_file_perms;
+
+# Date : 2017/10/24
+# Operation: SQC
+# Purpose : Allow powerHAL to access thermal
+allow mtk_hal_power proc_thermal:dir r_dir_perms;
+allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms;
+allow mtk_hal_power debugfs_fpsgo:file rw_file_perms;
+
+# Date : 2017/12/19
+# Operation: SQC
+# Purpose : Allow powerHAL to access wlan
+allow mtk_hal_power proc_net:file w_file_perms;
+
+# Date : 2017/12/21
+# Operation: SQC
+# Purpose : Allow powerHAL to access mediacodec
+allow mtk_hal_power mediacodec:dir r_dir_perms;
+allow mtk_hal_power mediacodec:file r_file_perms;
+
+set_prop(mtk_hal_power, mtk_thermal_config_prop)
+
+# Date : 2018/03/16
+# Operation: SQC
+# Purpose : Allow powerHAL to access /d/mtkfb
+allow mtk_hal_power debugfs_fb:dir r_dir_perms;
+allow mtk_hal_power debugfs_fb:file rw_file_perms;
+
+# Date : 2018/06/26
+# Operation: Thermal change policy in perfservice
+
+allow mtk_hal_power proc_thermal:file r_file_perms;
+allow mtk_hal_power thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_power thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+
+allow mtk_hal_power thermalloadalgod:unix_stream_socket connectto;
+
+allow mtk_hal_power proc_mtkcooler:dir r_dir_perms;
+allow mtk_hal_power proc_mtkcooler:file rw_file_perms;
+allow mtk_hal_power proc_mtktz:dir r_dir_perms;
+allow mtk_hal_power proc_mtktz:file rw_file_perms;
+
+# Date : 2019/05/08
+# Operation: SQC
+# Purpose : Allow powerHAL to access /proc/[pid]
+allow mtk_hal_power system_server:dir r_dir_perms;
+allow mtk_hal_power system_server:file r_file_perms;
+
+# Date : 2019/07/11
+# Operation: mt6779 SQC
+# Purpose : Allow powerHAL to VPU, RILD
+allow mtk_hal_power debugfs_vpu_power:dir r_dir_perms;
+allow mtk_hal_power debugfs_vpu_power:file rw_file_perms;
+
+allow mtk_hal_power debugfs_mdla_power:dir r_dir_perms;
+allow mtk_hal_power debugfs_mdla_power:file rw_file_perms;
+
+allow mtk_hal_power rild_oem_socket:sock_file write;
+allow mtk_hal_power rild:unix_stream_socket connectto;
+
+# Date : 2019/05/22
+# Operation: SQC
+# Purpose : Allow powerHAL to access block read ahead
+allow mtk_hal_power sysfs_dm:dir r_dir_perms;
+allow mtk_hal_power sysfs_dm:file rw_file_perms;
+allow mtk_hal_power sysfs_mmcblk:dir r_dir_perms;
+allow mtk_hal_power sysfs_mmcblk:file rw_file_perms;
+
+allow mtk_hal_power debugfs_eara_thermal:dir search;
+allow mtk_hal_power debugfs_eara_thermal:file { getattr open write read };
+
+# Date : 2019/05/22
+# Operation: SQC
+# Purpose : Allow powerHAL to access prop
+set_prop(mtk_hal_power, mtk_powerhal_prop)
+
+# Date : 2019/05/29
+# Operation: SQC
+# Purpose : Allow powerHAL to access wifi driver
+allow mtk_hal_power self:udp_socket create;
+allow mtk_hal_power kernel:system module_request;
+allow mtk_hal_power self:capability sys_module;
+allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
+
+# Date : W19.20
+# Operation : MTK power hal migration
+# Purpose : MTK power hal interface permission
+set_prop(mtk_hal_power, mtk_powerhal_prop)
+
+# Date : 2019/09/05
+# Operation: SQC
+# Purpose : Add procfs, sysfs policy
+allow mtk_hal_power proc_ppm:dir r_dir_perms;
+allow mtk_hal_power proc_ppm:file rw_file_perms;
+allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
+allow mtk_hal_power proc_cpufreq:file rw_file_perms;
+allow mtk_hal_power proc_hps:dir r_dir_perms;
+allow mtk_hal_power proc_hps:file rw_file_perms;
+allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
+allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
+allow mtk_hal_power sysfs_ged:dir r_dir_perms;
+allow mtk_hal_power sysfs_ged:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
+allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
+allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;
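Review bot: `hal_server_domain(mtk_hal_power, hal_wifi);` gives the power HAL the entire hal_wifi server attribute even though this same commit adds a dedicated `mtk_hal_wifi` domain that carries it, and the "access wifi driver" block then stacks `allow mtk_hal_power self:capability sys_module;` and `allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;` on top. Module loading plus privileged socket ioctls is a large grant for a power-management daemon; if the intent is only to let the kernel auto-load a driver, `allow mtk_hal_power kernel:system module_request;` is the narrow rule and the `sys_module` capability line can be dropped, with wifi control left to mtk_hal_wifi. `set_prop(mtk_hal_power, mtk_powerhal_prop)` is declared twice (under the 2019/05/22 block and again under the W19.20 block); one copy is enough. The `sdcard_type` / `mnt_user_file` create rules under "Allow powerHAL to access powerhal folder" would also benefit from a comment naming which path under user storage the HAL actually writes.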
diff --git a/r_non_plat/mtk_hal_pq.te b/r_non_plat/mtk_hal_pq.te
new file mode 100644
index 0000000..87b6c59
--- /dev/null
+++ b/r_non_plat/mtk_hal_pq.te
@@ -0,0 +1,41 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_pq, domain;
+type mtk_hal_pq_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_pq)
+
+# Allow to use HWBinder IPC
+hwbinder_use(mtk_hal_pq);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_pq, hal_pq)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_pq_server, mtk_hal_pq_hwservice)
+
+# Allow to allocate hidl memory
+hal_client_domain(mtk_hal_pq, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_pq graphics_device:chr_file { read write open ioctl };
+
+# Purpose : Allow property set
+allow mtk_hal_pq init:unix_stream_socket connectto;
+allow mtk_hal_pq property_socket:sock_file write;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;
+
+# Purpose : Allow permission to set pq property
+set_prop(mtk_hal_pq, mtk_pq_prop)
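Review bot: The two raw rules under `# Purpose : Allow property set`, `allow mtk_hal_pq init:unix_stream_socket connectto;` and `allow mtk_hal_pq property_socket:sock_file write;`, should already be covered by what `set_prop(mtk_hal_pq, mtk_pq_prop)` at the end of the file expands to, and as standalone rules they open the property socket to the domain independently of which property types it may set. Keeping only the `set_prop` macro ties the socket access to `mtk_pq_prop` and removes two lines that would silently diverge if the macro's expansion changes.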
diff --git a/r_non_plat/mtk_hal_secure_element.te b/r_non_plat/mtk_hal_secure_element.te
new file mode 100644
index 0000000..bb51108
--- /dev/null
+++ b/r_non_plat/mtk_hal_secure_element.te
@@ -0,0 +1,18 @@
+type mtk_hal_secure_element, domain;
+hal_server_domain(mtk_hal_secure_element, hal_secure_element)
+type mtk_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+allow mtk_hal_secure_element secure_element_device:chr_file rw_file_perms;
+
+init_daemon_domain(mtk_hal_secure_element)
+
+# Allow to get vendor.mediatek.hardware.radio HIDL interface
+allow mtk_hal_secure_element mtk_hal_rild_hwservice:hwservice_manager find;
+binder_call(mtk_hal_secure_element, rild)
+
+# Allow to get android.hardware.radio HIDL interface
+hal_client_domain(mtk_hal_secure_element, hal_telephony)
+allow mtk_hal_secure_element hal_telephony_hwservice:hwservice_manager find;
+
+# Allow to use persist.radio.multisim.config
+get_prop(mtk_hal_secure_element, exported3_radio_prop)
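Review bot: `allow mtk_hal_secure_element hal_telephony_hwservice:hwservice_manager find;` is normally already granted through `hal_client_domain(mtk_hal_secure_element, hal_telephony)` on the line above it, since the client attribute carries the find rule in core policy, so the explicit line is likely redundant and can be dropped once confirmed against the platform macros. A point of style: `type mtk_hal_secure_element_exec, exec_type, vendor_file_type, file_type;` sits between `hal_server_domain(...)` and the first allow rule; moving both `type` lines to the top as the neighbouring HAL files do makes the declaration block easy to find.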
diff --git a/r_non_plat/mtk_hal_sensors.te b/r_non_plat/mtk_hal_sensors.te
new file mode 100644
index 0000000..6ecacea
--- /dev/null
+++ b/r_non_plat/mtk_hal_sensors.te
@@ -0,0 +1,72 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_sensors, domain;
+type mtk_hal_sensors_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_sensors)
+hwbinder_use(mtk_hal_sensors)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_sensors, system_server)
+
+# graphics allocator
+allow mtk_hal_sensors hal_graphics_allocator_default:fd use;
+
+# gpu device
+allow mtk_hal_sensors gpu_device:dir create_dir_perms;
+allow mtk_hal_sensors gpu_device:chr_file rw_file_perms;
+allow mtk_hal_sensors dri_device:chr_file rw_file_perms;
+
+# ion device
+allow mtk_hal_sensors ion_device:dir create_dir_perms;
+allow mtk_hal_sensors ion_device:chr_file rw_file_perms;
+# system file
+allow mtk_hal_sensors system_file:dir read;
+allow mtk_hal_sensors system_file:dir open;
+
+# sensors input rw access
+allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms;
+allow mtk_hal_sensors sysfs_sensor:file rw_file_perms;
+
+# hal sensor for chr_file
+allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;
+get_prop(mtk_hal_sensors, hwservicemanager_prop)
+
+#hwservicemanager
+hal_server_domain(mtk_hal_sensors, hal_sensors);
+
+# Access sensor bio devices
+allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_als_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_ps_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_mag_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_gyro_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_baro_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_hmdy_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_act_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_pedo_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_situ_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_step_c_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_fusion_misc_device:chr_file rw_file_perms;
+allow mtk_hal_sensors m_bio_misc_device:chr_file rw_file_perms;
+
+# Access mtk sensor setting and calibration node.
+# for data
+allow mtk_hal_sensors sensor_data_file:file create_file_perms;
+allow mtk_hal_sensors sensor_data_file:dir create_dir_perms;
+# for nvcfg
+allow mtk_hal_sensors nvcfg_file:file create_file_perms;
+allow mtk_hal_sensors nvcfg_file:dir create_dir_perms;
+
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow mtk_hal_sensors mnt_vendor_file:dir search;
+
+# Date : WK19.48
+# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail
+allow mtk_hal_sensors merged_hal_service:fd use;
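Review bot: `allow mtk_hal_sensors gpu_device:dir create_dir_perms;` and `allow mtk_hal_sensors ion_device:dir create_dir_perms;` let a sensors HAL create, rename and remove directory entries under device nodes, which is far more than opening a device requires; unless the HAL really makes directories there, `search` (or `r_dir_perms`) on the dir class is the expected companion to the `chr_file rw_file_perms` lines. The `# gpu device` and `# graphics allocator` headings do not say why a sensor service needs the GPU, DRI and ion devices at all, and a one-line purpose comment there would help the next reviewer judge the grant. The two `system_file:dir` lines can be merged as `allow mtk_hal_sensors system_file:dir { read open };`, and since core policy typically already gives every domain read access to system_file directories the pair may be droppable altogether.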
diff --git a/r_non_plat/mtk_hal_wifi.te b/r_non_plat/mtk_hal_wifi.te
new file mode 100644
index 0000000..4740f38
--- /dev/null
+++ b/r_non_plat/mtk_hal_wifi.te
@@ -0,0 +1,5 @@
+type mtk_hal_wifi, domain;
+hal_server_domain(mtk_hal_wifi, hal_wifi)
+
+type mtk_hal_wifi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_wifi)
diff --git a/r_non_plat/mtk_wmt_launcher.te b/r_non_plat/mtk_wmt_launcher.te
new file mode 100644
index 0000000..f0bc360
--- /dev/null
+++ b/r_non_plat/mtk_wmt_launcher.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/mtk_wmt_launcher Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_wmt_launcher ,domain;
+type mtk_wmt_launcher_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(mtk_wmt_launcher)
+
+# set the property
+set_prop(mtk_wmt_launcher, wmt_prop)
+
+# add ioctl/open/read/write permission for mtk_wmt_launcher with /dev/stpwmt
+allow mtk_wmt_launcher stpwmt_device:chr_file rw_file_perms;
+allow mtk_wmt_launcher devpts:chr_file rw_file_perms;
+allow mtk_wmt_launcher system_file:dir { read open };
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow mtk_wmt_launcher vendor_file:dir { read open }; \ No newline at end of file
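Review bot: The header says `# Policy File of /system/bin/mtk_wmt_launcher Executable File`, but `mtk_wmt_launcher_exec` is declared with `vendor_file_type`, which places the binary under /vendor; one of the two is stale and the comment should name the path that file_contexts actually labels. The file also ends without a trailing newline (`\ No newline at end of file`), which produces noisy diffs on the next edit. `allow mtk_wmt_launcher system_file:dir { read open };` is read access that core policy generally already grants every domain, so it may be redundant here as well; the stray spaces in `type mtk_wmt_launcher ,domain;` are a small style nit in the same file.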
diff --git a/r_non_plat/mtkbootanimation.te b/r_non_plat/mtkbootanimation.te
new file mode 100644
index 0000000..4c56c81
--- /dev/null
+++ b/r_non_plat/mtkbootanimation.te
@@ -0,0 +1,50 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+allow mtkbootanimation bootani_prop:property_service set;
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtkbootanimation proc_ged:file rw_file_perms;
+
+# ==============================================
+# Type Declaration for secmem
+# ==============================================
+type proc_secmem, fs_type, proc_type;
+# genfscon proc /secmem0 u:object_r:proc_secmem:s0;
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : access to sec mem proc interface.
+allow mtkbootanimation proc_secmem:file { read open};
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : for ui
+# allow mtkbootanimation guiext-server:binder call;
+# allow mtkbootanimation guiext-server:binder transfer;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : for gpu access
+allow mtkbootanimation dri_device:chr_file { read write open ioctl };
+
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for device bring up
+# allow mtkbootanimation guiext-server_service:service_manager find;
+
+# Date : WK17.48
+# Operation : Migration
+# Purpose : FPSGO integration
+allow mtkbootanimation proc_perfmgr:dir {search read};
+allow mtkbootanimation proc_perfmgr:file {open read ioctl};
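Review bot: `type proc_secmem, fs_type, proc_type;` is declared inside a domain policy file while the matching `# genfscon proc /secmem0 u:object_r:proc_secmem:s0;` directly below it is commented out, so nothing is ever labelled `proc_secmem` and `allow mtkbootanimation proc_secmem:file { read open};` grants access to a label no object carries. Either restore the genfscon entry in genfs_contexts and move the type declaration to file.te beside the other proc types, or remove both the type and the allow rule as dead policy. The second header line `# ============` is also truncated relative to the rest of the block.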
diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te
new file mode 100644
index 0000000..b064169
--- /dev/null
+++ b/r_non_plat/mtkrild.te
@@ -0,0 +1,125 @@
+# ==============================================
+# Policy File of /system/bin/mtkrild Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtkrild_exec , exec_type, file_type, vendor_file_type;
+type mtkrild ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(mtkrild)
+net_domain(mtkrild)
+
+# Trigger module auto-load.
+allow mtkrild kernel:system module_request;
+
+# Capabilities assigned for mtkrild
+allow mtkrild self:capability { setuid net_admin net_raw };
+
+# Control cgroups
+allow mtkrild cgroup:dir create_dir_perms;
+
+# Property service
+# allow set RIL related properties (radio./net./system./etc)
+#set_prop(mtkrild, radio_prop)
+#set_prop(mtkrild, net_radio_prop)
+#set_prop(mtkrild, system_radio_prop)
+auditallow mtkrild net_radio_prop:property_service set;
+auditallow mtkrild system_radio_prop:property_service set;
+set_prop(mtkrild, ril_active_md_prop)
+# allow set muxreport control properties
+set_prop(mtkrild, ril_cdma_report_prop)
+set_prop(mtkrild, ril_mux_report_case_prop)
+set_prop(mtkrild, ctl_muxreport-daemon_prop)
+
+#Dat: 2017/02/14
+#Purpose: allow set telephony Sensitive property
+set_prop(mtkrild, mtk_telephony_sensitive_prop)
+
+# Access to wake locks
+wakelock_use(mtkrild)
+
+# Allow access permission to efs files
+allow mtkrild efs_file:dir create_dir_perms;
+allow mtkrild efs_file:file create_file_perms;
+allow mtkrild bluetooth_efs_file:file r_file_perms;
+allow mtkrild bluetooth_efs_file:dir r_dir_perms;
+
+# Allow access permission to dir/files
+# (radio data/system data/proc/etc)
+# Violate Android P rule
+allow mtkrild sdcardfs:dir r_dir_perms;
+allow mtkrild proc_net:file w_file_perms;
+
+# Set and get routes directly via netlink.
+allow mtkrild self:netlink_route_socket nlmsg_write;
+
+# Allow read/write to devices/files
+allow mtkrild radio_device:chr_file rw_file_perms;
+allow mtkrild radio_device:blk_file r_file_perms;
+allow mtkrild mtd_device:dir search;
+# Allow read/write to tty devices
+allow mtkrild tty_device:chr_file rw_file_perms;
+allow mtkrild eemcs_device:chr_file { rw_file_perms };
+
+#allow mtkrild Vcodec_device:chr_file { rw_file_perms };
+allow mtkrild devmap_device:chr_file { r_file_perms };
+allow mtkrild devpts:chr_file { rw_file_perms };
+allow mtkrild ccci_device:chr_file { rw_file_perms };
+allow mtkrild misc_device:chr_file { rw_file_perms };
+allow mtkrild proc_lk_env:file rw_file_perms;
+#allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
+allow mtkrild para_block_device:blk_file { rw_file_perms };
+
+# Allow dir search, fd uses
+allow mtkrild block_device:dir search;
+allow mtkrild platform_app:fd use;
+allow mtkrild radio:fd use;
+
+# For MAL MFI
+allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
+
+# For ccci sysfs node
+allow mtkrild sysfs_ccci:dir search;
+allow mtkrild sysfs_ccci:file r_file_perms;
+
+#For Kryptowire mtklog issue
+allow mtkrild aee_aedv:unix_stream_socket connectto;
+# Allow ioctl in order to control network interface
+allowxperm mtkrild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
+
+# Allow to use vendor binder
+vndbinder_use(mtkrild)
+
+# Allow to trigger IPv6 RS
+allow mtkrild node:rawip_socket node_bind;
+
+#Date : W18.15
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(mtkrild, vendor_ril_ipo_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow mtkrild to get tel_switch_prop
+get_prop(mtkrild, tel_switch_prop)
+
+#Date: W1817
+#Purpose: allow rild access property of vendor_radio_prop
+set_prop(mtkrild, vendor_radio_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(mtkrild, mtk_cxp_vendor_prop)
+allow mtkrild mnt_vendor_file:dir search;
+allow mtkrild mnt_vendor_file:file create_file_perms;
+allow mtkrild nvdata_file:dir create_dir_perms;
+allow mtkrild nvdata_file:file create_file_perms;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(mtkrild, mtk_ss_vendor_prop)
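Review bot: `auditallow mtkrild net_radio_prop:property_service set;` and `auditallow mtkrild system_radio_prop:property_service set;` have no effect, because `auditallow` only logs accesses that some `allow` rule grants and the corresponding `set_prop` calls directly above them are commented out; either drop the two lines or, if the point is to learn whether rild still sets those properties, pair them with the allow in a userdebug-only block. `allow mtkrild sdcardfs:dir r_dir_perms;` is annotated `# Violate Android P rule` by its own author, which is a flag rather than a justification; the comment should say which rule, why the vendor RIL still needs to list user storage, and when the exception is expected to go away.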
diff --git a/r_non_plat/muxreport.te b/r_non_plat/muxreport.te
new file mode 100644
index 0000000..1b7243b
--- /dev/null
+++ b/r_non_plat/muxreport.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /system/bin/muxreport Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type muxreport_exec , exec_type, file_type, vendor_file_type;
+type muxreport ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(muxreport)
+
+# Property service
+# allow set muxreport control properties
+set_prop(muxreport, ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow muxreport ccci_device:chr_file { rw_file_perms };
+allow muxreport devpts:chr_file { rw_file_perms };
+allow muxreport eemcs_device:chr_file { rw_file_perms };
+allow muxreport emd_device:chr_file { rw_file_perms };
+# Allow read to sys/kernel/ccci/* files
+allow muxreport sysfs_ccci:dir search;
+allow muxreport sysfs_ccci:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow muxreport to get tel_switch_prop
+get_prop(muxreport, tel_switch_prop)
+
+#Date: W1824
+#Purpose: allow muxreport access property of vendor_radio_prop
+set_prop(muxreport, vendor_radio_prop)
+
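Review bot: The braces around single macro names in `allow muxreport ccci_device:chr_file { rw_file_perms };` and the three device lines after it are unnecessary; `allow muxreport ccci_device:chr_file rw_file_perms;` matches the form used later in the same file (`sysfs_ccci:file r_file_perms;`) and in the other new files. The file also ends with an extra blank line.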
diff --git a/r_non_plat/netd.te b/r_non_plat/netd.te
new file mode 100644
index 0000000..2783d06
--- /dev/null
+++ b/r_non_plat/netd.te
@@ -0,0 +1,65 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
+# Owner: TingTing Lei
+allow netd wmtWifi_device:chr_file { write open };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : NA
+# Owner: Changqing Sun
+# allow netd kernel:system module_request;
+# allow netd self:capability sys_module;
+allow netd self:capability fsetid;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose: APP
+allow netd platform_app:fd use;
+
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : PPPOE Test
+# Owner : lina wang
+allow netd ppp:process sigkill;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MDLogger USB logging
+# Owner : Bo shang
+allow netd mdlogger:fd use;
+allow netd mdlogger:tcp_socket { read write };
+allow netd mdlogger:tcp_socket { getopt setopt };
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : network logging
+# Owner : Bo shang
+allow netd netdiag:fd use;
+allow netd netdiag:udp_socket { read write getopt setopt};
+
+# Date : WK14.44
+# Operation : Migration
+# Purpose : ALPS01789552
+#============= netd ==============
+allow netd self:capability { setuid setgid };
+
+
+#============= netd ==============
+allow netd untrusted_app:fd use;
+
+
+# Date : W15.02
+# Operation : SQC
+# Purpose : CTS for wifi
+allow netd untrusted_app:unix_stream_socket { read write getopt setopt};
+allow netd isolated_app:fd use;
+
+# MTK support antutu feature
+get_prop(netd, mtk_antutu_prop);
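Review bot: `allow netd untrusted_app:fd use;`, `allow netd untrusted_app:unix_stream_socket { read write getopt setopt};` and `allow netd isolated_app:fd use;` let the privileged network daemon operate on descriptors handed to it by the least-trusted app sandboxes, and the only stated reason is a 2015 CTS run for wifi; that justification should be re-verified on this release and written into the comment, since isolated_app is the most restricted domain in the policy. `allow netd self:capability { setuid setgid };` likewise cites only a bug number (`ALPS01789552`), so a comment naming the operation that needs the capability would let a later reviewer decide whether it is still required. Both are vendor additions to a core domain, which Treble policy discourages, so if they are kept the reason belongs next to the rule.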
diff --git a/r_non_plat/netdiag.te b/r_non_plat/netdiag.te
new file mode 100644
index 0000000..cb19c48
--- /dev/null
+++ b/r_non_plat/netdiag.te
@@ -0,0 +1,28 @@
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file read;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file read;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file read;
+
+#Purpose : for network log property
+set_prop(netdiag, debug_netlog_prop)
+set_prop(netdiag, persist_mtklog_prop)
+set_prop(netdiag, debug_mtklog_prop)
+
+# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
+allow netdiag device_logging_prop:file { getattr open };
+allow netdiag mmc_prop:file { getattr open };
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file { create_file_perms };
+allow netdiag media_rw_data_file:dir { create_dir_perms };
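Review bot: The comment `# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop` does not match the two rules under it, which cover only `device_logging_prop` and `mmc_prop`; either the toybox, proc_net and safemode_prop rules were dropped and the comment is stale, or they are missing. Those two rules also grant only `{ getattr open }` on the property files with no `read`, which is unlikely to be enough to actually read a property; the usual form is `get_prop(netdiag, device_logging_prop)` and `get_prop(netdiag, mmc_prop)`. The typo `acess` can be fixed in the same pass.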
diff --git a/r_non_plat/nvram_agent_binder.te b/r_non_plat/nvram_agent_binder.te
new file mode 100644
index 0000000..6655e6e
--- /dev/null
+++ b/r_non_plat/nvram_agent_binder.te
@@ -0,0 +1,66 @@
+# ==============================================
+# Policy File of /vendor/bin/nvram_agent_binder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type nvram_agent_binder_exec , exec_type, file_type, vendor_file_type;
+type nvram_agent_binder ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(nvram_agent_binder)
+
+# Date : WK14.35
+# Operation : access nvram by binder
+# Purpose : ensure nvram user can access nvram file normally.
+#allow nvram_agent_binder nvram_agent_service:service_manager add;
+
+# Date : WK14.43
+# Operation : 2rd Selinux Migration
+# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
+allow nvram_agent_binder nvram_device:blk_file rw_file_perms;
+allow nvram_agent_binder nvdata_device:blk_file rw_file_perms;
+allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
+allow nvram_agent_binder nvram_data_file:file create_file_perms;
+allow nvram_agent_binder nvram_data_file:lnk_file read;
+allow nvram_agent_binder nvdata_file:lnk_file read;
+allow nvram_agent_binder nvdata_file:dir create_dir_perms;
+allow nvram_agent_binder nvdata_file:file create_file_perms;
+
+allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
+allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
+allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
+allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
+allow nvram_agent_binder self:capability { fowner chown fsetid };
+
+# Purpose: for backup
+allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
+allow nvram_agent_binder pro_info_device:chr_file rw_file_perms;
+allow nvram_agent_binder block_device:dir search;
+
+# for MLC device
+allow nvram_agent_binder mtd_device:dir search;
+allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
+
+#for nvram agent hidl
+get_prop(nvram_agent_binder, hwservicemanager_prop)
+
+# Allow to use HWBinder IPC
+hwbinder_use(nvram_agent_binder);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(nvram_agent_binder, hal_nvramagent)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow nvram_daemon to get tel_switch_prop
+get_prop(nvram_daemon, tel_switch_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata when using nvram function
+allow nvram_agent_binder mnt_vendor_file:dir search;
+
+allow nvram_agent_binder sysfs_boot_mode:file r_file_perms;
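Review bot: `get_prop(nvram_daemon, tel_switch_prop)` under the WK18.16 comment names `nvram_daemon` as the subject, but this file is nvram_agent_binder.te and the identical rule already appears in nvram_daemon.te, so the line here is either a copy-paste leftover or a mistyped grant for this domain. If nvram_agent_binder needs the property, it should read `get_prop(nvram_agent_binder, tel_switch_prop)` with the comment updated to match; otherwise drop the three lines. The declarations `type nvram_agent_binder_exec , exec_type, ...` and `type nvram_agent_binder ,domain;` also carry stray spaces around the commas.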
diff --git a/r_non_plat/nvram_daemon.te b/r_non_plat/nvram_daemon.te
new file mode 100644
index 0000000..71db04c
--- /dev/null
+++ b/r_non_plat/nvram_daemon.te
@@ -0,0 +1,90 @@
+# ==============================================
+# Policy File of /vendor/binnvram_daemon Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type nvram_daemon_exec , exec_type, file_type, vendor_file_type;
+type nvram_daemon ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+init_daemon_domain(nvram_daemon)
+
+
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : the device is used to store Nvram backup data that can not be lost.
+allow nvram_daemon nvram_device:blk_file rw_file_perms;
+allow nvram_daemon nvdata_device:blk_file rw_file_perms;
+
+# Date : WK14.35
+# Operation : chown folder and file permission
+# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
+allow nvram_daemon nvram_data_file:dir create_dir_perms;
+allow nvram_daemon nvram_data_file:file create_file_perms;
+allow nvram_daemon nvram_data_file:lnk_file read;
+allow nvram_daemon nvdata_file:lnk_file read;
+allow nvram_daemon nvdata_file:dir create_dir_perms;
+allow nvram_daemon nvdata_file:file create_file_perms;
+
+allow nvram_daemon als_ps_device:chr_file r_file_perms;
+allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
+allow nvram_daemon gsensor_device:chr_file r_file_perms;
+allow nvram_daemon gyroscope_device:chr_file r_file_perms;
+allow nvram_daemon init:unix_stream_socket connectto;
+
+# Purpose: for property set
+allow nvram_daemon self:capability { fowner chown fsetid };
+
+# Purpose: for backup
+allow nvram_daemon nvram_device:chr_file rw_file_perms;
+allow nvram_daemon pro_info_device:chr_file rw_file_perms;
+
+allow nvram_daemon block_device:dir search;
+
+# Purpose: for nand project
+allow nvram_daemon mtd_device:dir search;
+allow nvram_daemon mtd_device:chr_file rw_file_perms;
+
+# Purpose: for fstab parser
+allow nvram_daemon kmsg_device:chr_file w_file_perms;
+allow nvram_daemon proc_lk_env:file rw_file_perms;
+
+# Purpose: property set
+allow nvram_daemon service_nvram_init_prop:property_service set;
+
+# Purpose: copy /fstab*
+allow nvram_daemon rootfs:dir { read open };
+allow nvram_daemon rootfs:file r_file_perms;
+
+# Purpose: remove /data/nvram link
+allow nvram_daemon nvram_data_file:lnk_file unlink;
+
+# Purpose: for setting property
+# ro.wlan.mtk.wifi.5g relabel to wifi_5g_prop
+# denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
+set_prop(nvram_daemon, service_nvram_init_prop)
+set_prop(nvram_daemon, wifi_5g_prop)
+
+#WK17.26 camera 8163
+allow nvram_daemon sysfs:dir read;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow nvram_daemon to get tel_switch_prop
+get_prop(nvram_daemon, tel_switch_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow nvram_daemon to search /mnt/vendor/nvdata for fstab
+allow nvram_daemon mnt_vendor_file:dir search;
+allow nvram_daemon self:capability { fowner chown fsetid };
+
+allow nvram_daemon sysfs_boot_mode:file r_file_perms;
+
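Review bot: `allow nvram_daemon self:capability { fowner chown fsetid };` appears twice (under `# Purpose: for property set` and again after the WK18.21 block), and `allow nvram_daemon service_nvram_init_prop:property_service set;` together with `allow nvram_daemon init:unix_stream_socket connectto;` are subsumed by `set_prop(nvram_daemon, service_nvram_init_prop)` further down; one copy of the capability rule is enough and the raw property rules can be dropped in favour of the macro. The header path `/vendor/binnvram_daemon` is missing a slash (`/vendor/bin/nvram_daemon`). The raw denial line pasted under `# Purpose: for setting property` is useful history but would read better condensed to the property name and the label it was moved to.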
diff --git a/r_non_plat/permissive.te b/r_non_plat/permissive.te
new file mode 100644
index 0000000..cd38fd1
--- /dev/null
+++ b/r_non_plat/permissive.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+
+
+')
+
diff --git a/r_non_plat/platform_app.te b/r_non_plat/platform_app.te
new file mode 100644
index 0000000..33178e0
--- /dev/null
+++ b/r_non_plat/platform_app.te
@@ -0,0 +1,127 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+typeattribute platform_app mlstrustedsubject;
+
+# Date : 2017/07/03
+# Operation : Migration
+# Purpose : get/set agps configuration via mtk_hal_lbs
+hal_client_domain(platform_app, mtk_hal_lbs)
+
+
+# Date : 2014/08/21
+# Operation : Migration
+# Purpose : FMRadio enable driver access permission for fmradio hardware device
+# Package: com.mediatek.fmradio
+allow platform_app fm_device:chr_file rw_file_perms;
+
+# Date : 2014/09/11
+# Operation : Migration
+# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd,
+# netdialog,mdlogger,emdlogger,cmddumper
+# Package: com.mediatek.mtklogger
+allow platform_app mobile_log_d:unix_stream_socket connectto;
+allow platform_app mdlogger:unix_stream_socket connectto;
+allow platform_app emdlogger:unix_stream_socket connectto;
+allow platform_app cmddumper:unix_stream_socket connectto;
+allow platform_app connsyslogger:unix_stream_socket connectto;
+unix_socket_connect(platform_app, netdiag, netdiag)
+# Date: 2018/11/17
+# purpose: allow MTKLogger to control Bluetooth HCI log via socket
+allow platform_app bluetooth:unix_stream_socket connectto;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
+# Package: com.mediatek.mtklogger
+allow platform_app ttySDIO_device:chr_file rw_file_perms;
+
+# Date : 2014/10/17
+# Operation : Migration
+# Purpose :Make MTKLogger or VIASaber apk can Access storage
+# Package: com.mediatek.mtklogger
+allow platform_app sdcard_type:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+
+# Date : 2014/11/12
+# Operation : Migration
+# Purpose : MTKLogger need copy exception db from data folder
+# Package: com.mediatek.mtklogger
+allow platform_app aee_exp_data_file:file r_file_perms;
+allow platform_app aee_exp_data_file:dir r_dir_perms;
+
+# Date : 2014/11/14
+# Operation : Migration
+# Purpose : MTKLogger need update md config file in data for mode changed
+# Package: com.mediatek.mtklogger
+allow platform_app mdlog_data_file:file rw_file_perms;
+allow platform_app mdlog_data_file:dir rw_dir_perms;
+
+# Date : 2015/01/13
+# Operation : New feature for GPS Log
+# Purpose : MTKLogger need setup local socket with mnld
+# Package: com.mediatek.mtklogger
+# TODO:: MTK need to remove later
+not_full_treble(`
+ allow platform_app mnld:unix_stream_socket connectto;
+')
+
+# Date : WK17.46
+# Operation : Migration
+# Purpose : allow MTKLogger to read KE DB
+allow platform_app aee_dumpsys_data_file:file r_file_perms;
+
+# Date : WK18.17
+# Operation : P Migration
+# Purpose: allow platform_app to read /data/vendor/mtklog/aee_exp
+allow platform_app aee_exp_vendor_file:dir search;
+allow platform_app aee_exp_vendor_file:dir { read getattr open };
+allow platform_app aee_exp_vendor_file:file { read getattr open };
+
+# Date : WK18.21
+# Operation : Migration
+# Purpose : Do FM operation via mtk_hal_fm
+hal_client_domain(platform_app, mtk_hal_fm)
+
+# Date: 2018/03/23
+# Operation : Migration
+# Purpose : MTKLogger need connect to log hidl server
+# Package: com.mediatek.mtklogger
+hal_client_domain(platform_app, mtk_hal_log)
+
+# Date: 2018/06/08
+# Operation : Migration
+# Purpose : MTKLogger need get netlog/mdlog/mobilelog property for property change
+# Package: com.mediatek.mtklogger
+# allow platform_app debug_mdlogger_prop:file r_file_perms;
+# allow platform_app debug_mtklog_prop:file r_file_perms;
+get_prop(platform_app, debug_mdlogger_prop)
+get_prop(platform_app, debug_mtklog_prop)
+get_prop(platform_app, vendor_bluetooth_prop)
+get_prop(platform_app, mobile_log_prop)
+
+get_prop(platform_app, vendor_connsysfw_prop)
+
+# Date: 2018/11/08
+# Operation : JPEG
+# Purpose : JPEG need to use PQ via MMS HIDL
+allow platform_app mtk_hal_mms_hwservice:hwservice_manager find;
+allow platform_app mtk_hal_mms:binder call;
+
+# Date: 2019/07/04
+# Stage: Migration
+# Purpose: Allow to use lomo effect
+# Package: com.mediatek.camera
+#allow platform_app hal_camera_hwservice:hwservice_manager find;
+allow platform_app mtk_hal_camera:binder call;
+allow platform_app sw_sync_device:chr_file rw_file_perms;
+
+# Date: 2019/07/04
+# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+hal_client_domain(platform_app, mtk_hal_bgs)
+allow platform_app mtk_hal_bgs_hwservice:hwservice_manager find;
+binder_call(platform_app, mtk_hal_bgs)
+binder_call(mtk_hal_bgs, platform_app)
+binder_call(platform_app, mtk_hal_camera)
+binder_call(mtk_hal_camera, platform_app)
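Review bot: `allow platform_app mtk_hal_camera:binder call;` in the lomo-effect block is made redundant by `binder_call(platform_app, mtk_hal_camera)` a few lines below, which grants the same permission plus transfer; keep only the macro form and drop the bare allow. In the same block `hal_client_domain(platform_app, mtk_hal_camera)` is left commented out with no explanation — either delete it or say why that form was rejected, since it is the Treble-conformant way to express the client relationship and would presumably also cover the reverse `binder_call(mtk_hal_camera, platform_app)` the way `hal_client_domain(platform_app, mtk_hal_bgs)` already does for the bgs pair. The `not_full_treble` block carrying `# TODO:: MTK need to remove later` is dated 2015 and still names no owner or removal condition; a comment stating what must happen before it can go would stop it being carried through another migration. The `aee_exp_vendor_file:dir search` and `{ read getattr open }` pair could also be a single `r_dir_perms`, matching the `aee_exp_data_file` rules above it.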
diff --git a/r_non_plat/property.te b/r_non_plat/property.te
new file mode 100644
index 0000000..fe5f367
--- /dev/null
+++ b/r_non_plat/property.te
@@ -0,0 +1,320 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# MTK properties, allow all system/vendor processes to read.
+type mtk_default_prop, property_type, mtk_core_property_type;
+
+# Date: W14.32
+# Operation: Migration
+# Purpose: don't allow to use default_prop
+### TBD
+#neverallow { domain -init } default_prop:property_service set;
+#neverallow { domain -init -system_server -recovery -system_app} ctl_default_prop:property_service set;
+
+#=============allow ccci_mdinit to start gsm0710muxd==============
+type ctl_gsm0710muxd_prop, property_type;
+type ctl_gsm0710muxd-s_prop, property_type;
+type ctl_gsm0710muxd-d_prop, property_type;
+
+#=============allow viarild to start property==============
+type ctl_viarild_prop, property_type;
+#=============allow mtkrild to set persist.ril property==============
+type vendor_ril_ipo_prop, property_type, mtk_core_property_type;
+
+#=============allow gsm0710muxd to set mux property==============
+type gsm0710muxd_prop, property_type, mtk_core_property_type;
+
+#=============allow netlog running==============
+type debug_mtklog_prop, property_type, extended_core_property_type;
+type persist_mtklog_prop, property_type, extended_core_property_type;
+type debug_netlog_prop, property_type, extended_core_property_type;
+
+#=============allow netd to set mtk_wifi.*=========================
+type mtk_wifi_prop, property_type, mtk_core_property_type;
+
+#=============allow mdlogger==============
+type debug_mdlogger_prop, property_type, extended_core_property_type;
+type vendor_mdl_prop, property_type, extended_core_property_type;
+type vendor_mdl_start_prop, property_type, extended_core_property_type;
+type vendor_usb_prop, property_type;
+type persist_mdlog_prop, property_type, extended_core_property_type;
+type vendor_mdl_pulllog_prop, property_type, extended_core_property_type;
+
+#=============allow AEE==============
+type persist_mtk_aee_prop, property_type, extended_core_property_type;
+type persist_aee_prop, property_type, extended_core_property_type;
+type debug_mtk_aee_prop, property_type, extended_core_property_type;
+
+type persist_mtk_aeev_prop, property_type, mtk_core_property_type;
+type persist_aeev_prop, property_type, mtk_core_property_type;
+type debug_mtk_aeev_prop, property_type, mtk_core_property_type;
+type ro_mtk_aee_prop, property_type, mtk_core_property_type;
+
+#=============allow aee_dumpstate==============
+type debug_bq_dump_prop, property_type, extended_core_property_type;
+
+#=============allow ccci_mdinit to stop rild==============
+type ctl_ril-daemon-mtk_prop, property_type;
+type ctl_fusion_ril_mtk_prop, property_type;
+type ctl_ril-daemon-s_prop, property_type;
+type ctl_ril-daemon-d_prop, property_type;
+type ctl_ril-proxy_prop, property_type;
+
+#=============allow ccci_mdinit to start ccci_fsd==============
+type ctl_ccci_fsd_prop, property_type;
+type ctl_ccci2_fsd_prop, property_type;
+type ctl_ccci3_fsd_prop, property_type;
+
+#=============allow ccci_mdinit to set ril_active_md_prop==============
+type ril_active_md_prop, property_type, mtk_core_property_type;
+
+#=============allow ccci_mdinit to stop rild==============
+type ril_mux_report_case_prop, property_type, mtk_core_property_type;
+type ril_cdma_report_prop, property_type, mtk_core_property_type;
+
+#=============allow ccci_mdinit to mtk_md_prop==============
+type mtk_md_prop, property_type, mtk_core_property_type;
+
+#=============allow mtkrild to start muxreport==============
+type ctl_muxreport-daemon_prop, property_type;
+
+#=============allow telephony modules to set tel_switch_prop==============
+type tel_switch_prop, property_type, mtk_core_property_type;
+
+#=============allow bootanim==============
+type bootani_prop, property_type, extended_core_property_type;
+
+#=============allow mnld_prop==============
+type mnld_prop, property_type, mtk_core_property_type;
+
+#=============allow audiohal==============
+type audiohal_prop, property_type, mtk_core_property_type;
+
+#=============allow wmt==============
+type wmt_prop, property_type, mtk_core_property_type;
+type coredump_prop, property_type, mtk_core_property_type;
+
+#=============allow sensor==============
+type ctl_emcsmdlogger_prop, property_type;
+type ctl_eemcs_fsd_prop, property_type;
+
+#=============allow statusd==============
+type net_cdma_mdmstat, property_type, mtk_core_property_type;
+
+#=============allow bt==============
+type persist_bt_prop, property_type, mtk_core_property_type;
+
+#============= allow factory idle current prop ==============
+type vendor_factory_idle_state_prop, property_type, mtk_core_property_type;
+
+#============= allow mobile log property ===============
+type mobile_log_prop, property_type, extended_core_property_type;
+
+#============= allow service.nvram_init property ===============
+type service_nvram_init_prop, property_type, mtk_core_property_type;
+
+#============= allow ro.wlan.mtk.wifi.5g property ===============
+type wifi_5g_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set client.appmode ==============
+type mtk_em_prop, property_type, mtk_core_property_type;
+
+#=============allow mediatek_prop ==============
+type mediatek_prop, property_type, mtk_core_property_type;
+
+#=============Property set by EM, for test/debug purpose=========
+type mtk_em_sys_prop, property_type, extended_core_property_type;
+type mtk_em_hidl_prop, property_type, mtk_core_property_type;
+
+#============= allow em set protocol ===============
+type mtk_em_net_auto_tethering_prop, property_type, extended_core_property_type;
+
+#=============allow em set property=============
+type mtk_operator_id_prop, property_type, mtk_core_property_type;
+
+#=============allow em set testsim.cardtype property===========
+type mtk_simswitch_emmode_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_dsbp_support_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_imstestmode_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_smsformat_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_gprs_prefer_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_testsim_cardtype_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_ct_ir_engmode_prop, property_type, mtk_core_property_type;
+
+#=============allow em set property=============
+type mtk_disable_c2k_cap_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set modem reset delay property================
+type mtk_debug_md_reset_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set video log omx.* property================
+type mtk_omx_log_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set vdec log property================
+type mtk_vdec_log_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set vdectlc log property================
+type mtk_vdectlc_log_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set venc h264 showlog property================
+type mtk_venc_h264_showlog_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set modem warning_prop property================
+type mtk_modem_warning_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set bgdata disabled property================
+type mtk_bgdata_disabled, property_type, extended_core_property_type;
+
+#=============allow em to set telecom vibrate property================
+type mtk_telecom_vibrate, property_type, extended_core_property_type;
+
+#=============allow em to set gprs attach type property================
+type mtk_gprs_attach_type, property_type, extended_core_property_type;
+
+#=============allow em to set poweroffmd property================
+type mtk_power_off_md_type, property_type, extended_core_property_type;
+
+#=============allow meta_tst to stop specific service ===============
+type ctl_mobile_log_d_prop, property_type;
+type ctl_mnld_prop, property_type;
+type ctl_mobicore_prop, property_type;
+
+#=============allow system server to set meta_connecttype property ==============
+type meta_connecttype_prop, property_type;
+
+#=============Telephony Sensitive property==============
+type mtk_telephony_sensitive_prop, property_type;
+
+#=============allow processes to change thermal config================
+type mtk_thermal_config_prop, property_type;
+
+#=============allow composer set property ============================
+type graphics_hwc_pid_prop, property_type;
+type graphics_hwc_latch_unsignaled_prop, property_type;
+type graphics_hwc_hdr_prop, property_type;
+
+#============= mtkcam property ============================
+type mtkcam_prop, property_type;
+
+#============= atm modem mode property ==============
+type atm_mdmode_prop, property_type;
+
+#============= atm ip address property ==============
+type atm_ipaddr_prop, property_type;
+
+#=============allow consyslogger==============
+type vendor_connsysfw_prop, property_type, extended_core_property_type;
+
+#=============radio group property=============
+type vendor_radio_prop, property_type, mtk_core_property_type;
+
+#=============allow bluetooth==============
+type vendor_bluetooth_prop, property_type, extended_core_property_type;
+
+#=============allow ct volte==============
+type mtk_ct_volte_prop, property_type, mtk_core_property_type;
+
+#=============mtk ril mode property=============
+type mtk_ril_mode_prop, property_type, mtk_core_property_type;
+type mtk_ss_vendor_prop, property_type, mtk_core_property_type;
+
+#=============GPS support properties==============
+type mtk_gps_support_prop, property_type, mtk_core_property_type;
+
+#=============mtk rat config property=============
+type mtk_rat_config_prop, property_type, mtk_core_property_type;
+
+#=============mtk aal property=============
+type mtk_aal_ro_prop, property_type, mtk_core_property_type;
+
+#=============mtk pq property=============
+type mtk_pq_ro_prop, property_type, mtk_core_property_type;
+type mtk_pq_prop, property_type, mtk_core_property_type;
+
+#=============mtk emmc property=============
+type mtk_emmc_support_prop, property_type, mtk_core_property_type;
+
+#=============sim system property=============
+type vendor_sim_system_prop, property_type, extended_core_property_type;
+
+#=============em usb property==============
+type vendor_em_usb_prop, property_type, mtk_core_property_type;
+
+#=============allow em to set usb otg enable property ==============
+type vendor_usb_otg_switch, property_type, mtk_core_property_type;
+
+#=============mtk anr property=============
+type mtk_anr_support_prop, property_type, mtk_core_property_type;
+
+#=============mtk app resolution tuner property=============
+type mtk_appresolutiontuner_prop, property_type, mtk_core_property_type;
+
+#=============mtk fullscreen switch=============
+type mtk_fullscreenswitch_prop, property_type, mtk_core_property_type;
+
+# MTK Antutu feature
+type mtk_antutu_prop, property_type, mtk_core_property_type;
+
+#=============mtk malloc debug switch unwind backtrace property=============
+type mtk_malloc_debug_backtrace_prop, property_type, mtk_core_property_type;
+
+#=============MTK Voice Recognize property===========
+type mtk_voicerecgnize_prop, property_type, mtk_core_property_type;
+
+#=============allow radio to set/get xcap rawurl config================
+type persist_xcap_rawurl_prop, property_type, extended_core_property_type;
+
+#=============allow atcid==============
+type persist_service_atci_prop, property_type, mtk_core_property_type;
+type mtk_atci_prop, property_type, mtk_core_property_type;
+
+#=============allow Netd property==============
+type mtk_net_ipv6_prop, property_type, mtk_core_property_type;
+
+#============= allow carrier express (cxp) ==============
+type usp_prop, property_type, mtk_core_property_type;
+type usp_srv_prop, property_type, extended_core_property_type;
+type mtk_cxp_vendor_prop, property_type, mtk_core_property_type;
+
+#=============allow MD to set mtk_md_version_prop==============
+type mtk_md_version_prop, property_type, mtk_core_property_type;
+
+#=============allow radio to set mtk_volte_enable property==============
+type mtk_volte_prop, property_type, mtk_core_property_type;
+
+#=============allow AMS dynamic enable log property===========
+type mtk_amslog_prop, property_type, extended_core_property_type;
+
+#=============allow android log much property==============
+type logmuch_prop, property_type, extended_core_property_type;
+
+#=============mtk bt enable SAP profile property=============
+type mtk_bt_sap_enable_prop, property_type, mtk_core_property_type;
+
+#=============MTK powerhal property================
+type mtk_powerhal_prop, property_type;
+
+#=============MTK Wifi wlan_assistant property=============
+type mtk_nvram_ready_prop, property_type, mtk_core_property_type;
+
+#=============allow wifi hotspot to read property===========
+type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type;
+
+#=============mtk hdmi property=============
+type mtk_hdmi_prop, property_type, mtk_core_property_type;
+
+#=============mtk nn option property=============
+type mtk_nn_option_prop, property_type;
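Review bot: The neverallow rules against `default_prop` and `ctl_default_prop` near the top are landed commented out under `### TBD`, so nothing in this file prevents a vendor domain from setting unlabeled properties; either enable them or replace the `TBD` with a comment stating what blocks them, e.g. `# neverallow disabled: <offending domains> still set unlabeled props, tracked in <bug id>`. Several section headers no longer describe the types beneath them: the second `allow ccci_mdinit to stop rild` header sits above `ril_mux_report_case_prop`/`ril_cdma_report_prop`, and `allow sensor` sits above `ctl_emcsmdlogger_prop`/`ctl_eemcs_fsd_prop`, which reads as copy-paste residue. Naming is also inconsistent: `net_cdma_mdmstat`, `mtk_bgdata_disabled`, `mtk_telecom_vibrate`, `mtk_gprs_attach_type`, `mtk_power_off_md_type` and `vendor_usb_otg_switch` lack the `_prop` suffix every other property type in the file carries, which makes the `type` declarations harder to audit against property_contexts.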
diff --git a/r_non_plat/property_contexts b/r_non_plat/property_contexts
new file mode 100644
index 0000000..a62a6f0
--- /dev/null
+++ b/r_non_plat/property_contexts
@@ -0,0 +1,351 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+#=============allow ccci_mdinit to start gsm0710muxd==============
+ctl.vendor.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0
+
+
+#=============allow mtkrild to set persist.ril property==============
+vendor.ril.ipo u:object_r:vendor_ril_ipo_prop:s0
+
+#=============allow netlog==============
+vendor.mtklog u:object_r:debug_mtklog_prop:s0
+persist.vendor.mtklog u:object_r:persist_mtklog_prop:s0
+vendor.netlog u:object_r:debug_netlog_prop:s0
+
+#=============allow mdlogger==============
+vendor.mdlogger u:object_r:debug_mdlogger_prop:s0
+vendor.mdl u:object_r:vendor_mdl_prop:s0
+vendor.starting.mode u:object_r:vendor_mdl_start_prop:s0
+vendor.usb. u:object_r:vendor_usb_prop:s0
+persist.vendor.usb. u:object_r:vendor_usb_prop:s0
+persist.vendor.mdl u:object_r:persist_mdlog_prop:s0
+vendor.pullmdlog u:object_r:vendor_mdl_pulllog_prop:s0
+
+
+#=============allow AEE==============
+# persist.vendor.mtk.aee.mode && persist.vendor.mtk.aee.dal
+persist.vendor.mtk.aee. u:object_r:persist_mtk_aee_prop:s0
+persist.vendor.mtk.aeev. u:object_r:persist_mtk_aeev_prop:s0
+
+# persist.vendor.aee.core.dump && persist.vendor.aee.core.direct
+persist.vendor.aee. u:object_r:persist_aee_prop:s0
+persist.vendor.aeev. u:object_r:persist_aeev_prop:s0
+
+# vendor.debug.mtk.aee.db
+vendor.debug.mtk.aee. u:object_r:debug_mtk_aee_prop:s0
+vendor.debug.mtk.aeev u:object_r:debug_mtk_aeev_prop:s0
+
+ro.vendor.aee.build.info u:object_r:ro_mtk_aee_prop:s0
+ro.vendor.aee.enforcing u:object_r:ro_mtk_aee_prop:s0
+ro.vendor.have_aee_feature u:object_r:ro_mtk_aee_prop:s0
+
+#=============allow AEE_Dumpstate==============
+vendor.debug.bq.dump u:object_r:debug_bq_dump_prop:s0
+
+#=============allow mux==============
+vendor.ril.mux. u:object_r:gsm0710muxd_prop:s0
+
+#=============allow mdinit==============
+ctl.vendor.ril-daemon-mtk u:object_r:ctl_ril-daemon-mtk_prop:s0
+ctl.vendor.fusion_ril_mtk u:object_r:ctl_fusion_ril_mtk_prop:s0
+ctl.vendor.ril-proxy u:object_r:ctl_ril-proxy_prop:s0
+ctl.vendor.viarild u:object_r:ctl_viarild_prop:s0
+
+ctl.vendor.muxreport-daemon u:object_r:ctl_muxreport-daemon_prop:s0
+ctl.vendor.ccci_fsd u:object_r:ctl_ccci_fsd_prop:s0
+ctl.vendor.ccci2_fsd u:object_r:ctl_ccci2_fsd_prop:s0
+ctl.vendor.ccci3_fsd u:object_r:ctl_ccci3_fsd_prop:s0
+
+vendor.ril.active.md u:object_r:ril_active_md_prop:s0
+vendor.ril.mux.report.case u:object_r:ril_mux_report_case_prop:s0
+vendor.ril.cdma.report u:object_r:ril_cdma_report_prop:s0
+
+#=============allow dynamic telephony switch==============
+ro.boot.opt_c2k_lte_mode u:object_r:tel_switch_prop:s0
+ro.boot.opt_c2k_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_eccci_c2k u:object_r:tel_switch_prop:s0
+ro.boot.opt_lte_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_md1_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_md2_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_md3_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_md5_support u:object_r:tel_switch_prop:s0
+ro.boot.opt_ps1_rat u:object_r:tel_switch_prop:s0
+ro.boot.opt_sim_count u:object_r:tel_switch_prop:s0
+ro.boot.opt_using_default u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_c2k_lte_mode u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_c2k_support u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_eccci_c2k u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_lte_support u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_md1_support u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_md3_support u:object_r:tel_switch_prop:s0
+ro.vendor.mtk_ps1_rat u:object_r:tel_switch_prop:s0
+
+#=============allow bootanim==============
+persist.vendor.bootanim. u:object_r:bootani_prop:s0
+
+#=============allow mnld_prop ==============
+vendor.gps.clock.type u:object_r:mnld_prop:s0
+vendor.gps.gps.version u:object_r:mnld_prop:s0
+vendor.gpsdbglog.enable u:object_r:mnld_prop:s0
+vendor.gpsdbglog. u:object_r:mnld_prop:s0
+vendor.debug.gps. u:object_r:mnld_prop:s0
+
+#=============allow audiohal==============
+vendor.streamout. u:object_r:audiohal_prop:s0
+vendor.streamin. u:object_r:audiohal_prop:s0
+vendor.a2dp. u:object_r:audiohal_prop:s0
+vendor.audiohal. u:object_r:audiohal_prop:s0
+persist.vendor.audiohal. u:object_r:audiohal_prop:s0
+persist.vendor.vow. u:object_r:audiohal_prop:s0
+
+#=============allow wmt ==============
+persist.vendor.connsys.coredump.mode u:object_r:coredump_prop:s0
+persist.vendor.connsys. u:object_r:wmt_prop:s0
+vendor.connsys. u:object_r:wmt_prop:s0
+
+
+#=============allow c2k_prop ==============
+vendor.net.cdma.mdmstat u:object_r:net_cdma_mdmstat:s0
+
+
+#=============allow ccci_mdinit md status ==============
+vendor.mtk.md u:object_r:mtk_md_prop:s0
+#============= allow factory idle current prop ==============
+vendor.debug.factory.idle_state u:object_r:vendor_factory_idle_state_prop:s0
+
+#=============allow mobile log property================
+vendor.MB. u:object_r:mobile_log_prop:s0
+
+#=============allow service.nvram_init property================
+vendor.service.nvram_init u:object_r:service_nvram_init_prop:s0
+
+
+#=============Allow EM To Set Camera APP Mode ==============
+vendor.client. u:object_r:mtk_em_prop:s0
+
+#=============allow mediatek_prop ==============
+vendor.debug.camera.p2plug.log u:object_r:mediatek_prop:s0
+vendor.client.em.appmode u:object_r:mediatek_prop:s0
+#=============Property set by EM, for test/debug purpose=========
+persist.vendor.em. u:object_r:mtk_em_sys_prop:s0
+persist.vendor.em.hidl. u:object_r:mtk_em_hidl_prop:s0
+
+#=============allow em set tethering protocol================
+persist.vendor.net.auto.tethering u:object_r:mtk_em_net_auto_tethering_prop:s0
+
+#=============allow em set ims operator property===========
+vendor.ril.volte.mal.pctid u:object_r:mtk_operator_id_prop:s0
+
+#=============allow em set simswitch property===========
+persist.vendor.radio.simswitch.emmode u:object_r:mtk_simswitch_emmode_prop:s0
+
+#=============allow em set mtk_dsbp_support property===========
+persist.vendor.radio.mtk_dsbp_support u:object_r:mtk_dsbp_support_prop:s0
+
+#=============allow em set imstestmode property===========
+persist.vendor.radio.imstestmode u:object_r:mtk_imstestmode_prop:s0
+
+#=============allow em set smsformat property===========
+persist.vendor.radio.smsformat u:object_r:mtk_smsformat_prop:s0
+
+#=============allow em set gprs.prefer property===========
+persist.vendor.radio.gprs.prefer u:object_r:mtk_gprs_prefer_prop:s0
+
+#=============allow em set testsim.cardtype property===========
+persist.vendor.radio.testsim.cardtype u:object_r:mtk_testsim_cardtype_prop:s0
+
+#=============allow em set ct.ir.engmode property===========
+persist.vendor.radio.ct.ir.engmode u:object_r:mtk_ct_ir_engmode_prop:s0
+
+#=============allow em set disable_c2k_cap property===========
+persist.vendor.radio.disable_c2k_cap u:object_r:mtk_disable_c2k_cap_prop:s0
+
+#=============allow em to set modem reset delay property================
+vendor.mediatek.debug.md.reset.wait u:object_r:mtk_debug_md_reset_prop:s0
+
+#=============allow em to set video log omx.* property================
+vendor.mtk.omx. u:object_r:mtk_omx_log_prop:s0
+
+#=============allow em to set vdec log property================
+vendor.mtk.vdec.log u:object_r:mtk_vdec_log_prop:s0
+
+#=============allow em to set vdectlc logproperty================
+vendor.mtk.vdectlc.log u:object_r:mtk_vdectlc_log_prop:s0
+
+#=============allow em to set venc h264 showlog property================
+vendor.mtk.venc.h264.showlog u:object_r:mtk_venc_h264_showlog_prop:s0
+
+#=============allow em to set modem warning property================
+persist.vendor.radio.modem.warning u:object_r:mtk_modem_warning_prop:s0
+
+#=============allow em to set bgdata disabled property================
+persist.vendor.radio.bgdata.disabled u:object_r:mtk_bgdata_disabled:s0
+
+#=============allow em to set telecom vibrate property================
+persist.vendor.radio.telecom.vibrate u:object_r:mtk_telecom_vibrate:s0
+
+#=============allow em to set gprs attach type property================
+persist.vendor.radio.gprs.attach.type u:object_r:mtk_gprs_attach_type:s0
+
+#=============allow em to set poweroffmd property================
+vendor.ril.test.poweroffmd u:object_r:mtk_power_off_md_type:s0
+vendor.ril.testmode u:object_r:mtk_power_off_md_type:s0
+
+
+#=============allow system server to set meta_connecttype property ==============
+persist.vendor.meta.connecttype u:object_r:meta_connecttype_prop:s0
+
+#=============Telephony Sensitive property==============
+vendor.ril.iccid.sim u:object_r:mtk_telephony_sensitive_prop:s0
+vendor.ril.uim.subscriberid u:object_r:mtk_telephony_sensitive_prop:s0
+persist.vendor.radio.last_iccid_sim u:object_r:mtk_telephony_sensitive_prop:s0
+
+#=============allow sim config property==============
+vendor.gsm.sim.operator.default-name u:object_r:vendor_sim_system_prop:s0
+
+#=============allow processes to change thermal config================
+vendor.thermal.manager.data u:object_r:mtk_thermal_config_prop:s0
+#=============allow composer set property ============================
+vendor.debug.sf.hwc_pid u:object_r:graphics_hwc_pid_prop:s0
+vendor.debug.sf.latch_unsignaled u:object_r:graphics_hwc_latch_unsignaled_prop:s0
+vendor.debug.sf.hdr_enable u:object_r:graphics_hwc_hdr_prop:s0
+
+#============= atm modem mode property(ATM) ==============
+persist.vendor.atm.mdmode u:object_r:atm_mdmode_prop:s0
+
+#============= atm ip address property(ATM) ==============
+persist.vendor.atm.ipaddress u:object_r:atm_ipaddr_prop:s0
+
+#============= atm boot property(ATM) ==============
+ro.boot.atm u:object_r:mtk_default_prop:s0
+
+#=============allow consyslogger==============
+vendor.connsysfw u:object_r:vendor_connsysfw_prop:s0
+
+#============Label telephony property=======#
+vendor.ril. u:object_r:vendor_radio_prop:s0
+ro.vendor.ril. u:object_r:vendor_radio_prop:s0
+vendor.gsm. u:object_r:vendor_radio_prop:s0
+persist.vendor.radio. u:object_r:vendor_radio_prop:s0
+
+#=============allow bluetooth==============
+vendor.bthcisnoop u:object_r:vendor_bluetooth_prop:s0
+
+#=============allow ct volte==============
+persist.vendor.mtk_ct_volte_support u:object_r:mtk_ct_volte_prop:s0
+
+#============Label mtk ril mode=======#
+ro.vendor.mtk_ril_mode u:object_r:mtk_ril_mode_prop:s0
+
+#=============GPS support properties==============
+ro.vendor.mtk_gps_support u:object_r:mtk_gps_support_prop:s0
+ro.vendor.mtk_agps_app u:object_r:mtk_gps_support_prop:s0
+ro.vendor.mtk_log_hide_gps u:object_r:mtk_gps_support_prop:s0
+ro.vendor.mtk_hidl_consolidation u:object_r:mtk_gps_support_prop:s0
+
+#============allow rat config=======#
+ro.vendor.mtk_protocol1_rat_config u:object_r:mtk_rat_config_prop:s0
+
+#=============allow mtk aal==============#
+ro.vendor.mtk_aal_support u:object_r:mtk_aal_ro_prop:s0
+ro.vendor.mtk_ultra_dimming_support u:object_r:mtk_aal_ro_prop:s0
+ro.vendor.mtk_dre30_support u:object_r:mtk_aal_ro_prop:s0
+
+#=============allow mtk pq==============#
+persist.vendor.sys.pq. u:object_r:mtk_pq_prop:s0
+vendor.debug.pq. u:object_r:mtk_pq_prop:s0
+persist.vendor.sys.isp. u:object_r:mtk_pq_prop:s0
+persist.vendor.sys.mtkaal. u:object_r:mtk_pq_prop:s0
+ro.vendor.mtk_pq_color_mode u:object_r:mtk_pq_ro_prop:s0
+ro.vendor.mtk_blulight_def_support u:object_r:mtk_pq_ro_prop:s0
+ro.vendor.mtk_chameleon_support u:object_r:mtk_pq_ro_prop:s0
+ro.vendor.mtk_pq_support u:object_r:mtk_pq_ro_prop:s0
+
+# Mtk properties that allow all system/vendor processes to read.
+# Usually they are config properties (but not limited to)
+ro.vendor.mtk_tdd_data_only_support u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_audio_alac_support u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_support_mp2_playback u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_audio_ape_support u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_flv_playback_support u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_mtkps_playback_support u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_wearable_platform u:object_r:mtk_default_prop:s0
+ro.vendor.mediatek.platform u:object_r:mtk_default_prop:s0
+ro.vendor.mediatek.version.branch u:object_r:mtk_default_prop:s0
+ro.vendor.mediatek.version.release u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_exchange_support u:object_r:mtk_default_prop:s0
+vendor.met.running u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_disable_cap_switch u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_sim_card_onoff u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_perf_plus u:object_r:mtk_default_prop:s0
+
+#============mtk emmc=======#
+ro.vendor.mtk_emmc_support u:object_r:mtk_emmc_support_prop:s0
+
+# MTK connsys log feature
+ro.vendor.connsys.dedicated.log u:object_r:mtk_default_prop:s0
+
+#=============em usb property==============
+vendor.usb.port.mode u:object_r:vendor_em_usb_prop:s0
+vendor.em.usb. u:object_r:vendor_em_usb_prop:s0
+
+#=============allow em to set usb otg switch property ==============
+persist.vendor.usb.otg.switch u:object_r:vendor_usb_otg_switch:s0
+
+#============mtk rsc========#
+ro.boot.rsc u:object_r:mtk_default_prop:s0
+
+#=============mtk anr property=============
+persist.vendor.dbg.anrflow u:object_r:mtk_anr_support_prop:s0
+persist.vendor.anr. u:object_r:mtk_anr_support_prop:s0
+vendor.anr.autotest u:object_r:mtk_anr_support_prop:s0
+
+#=============mtk app resolution tuner=============
+ro.vendor.app_resolution_tuner u:object_r:mtk_appresolutiontuner_prop:s0
+persist.vendor.dbg.disable.art u:object_r:mtk_appresolutiontuner_prop:s0
+
+#=============mtk fullscreen switch=============
+ro.vendor.fullscreen_switch u:object_r:mtk_fullscreenswitch_prop:s0
+
+#============= allow em set ims xcap property ===============
+persist.vendor.ss. u:object_r:mtk_ss_vendor_prop:s0
+
+# MTK Antutu feature
+ro.vendor.net.upload.benchmark.default u:object_r:mtk_antutu_prop:s0
+
+#=============malloc debug unwind backtrace switch property==============#
+vendor.debug.malloc.bt.switch u:object_r:mtk_malloc_debug_backtrace_prop:s0
+
+#=============allow gmo====================#
+ro.vendor.gmo.ram_optimize u:object_r:mtk_default_prop:s0
+ro.vendor.gmo.rom_optimize u:object_r:mtk_default_prop:s0
+ro.vendor.mtk_config_max_dram_size u:object_r:mtk_default_prop:s0
+
+#=============MTK Voice Recognize property===========#
+vendor.voicerecognize.raw u:object_r:mtk_voicerecgnize_prop:s0
+vendor.voicerecognize_data.raw u:object_r:mtk_voicerecgnize_prop:s0
+vendor.voicerecognize.noDL u:object_r:mtk_voicerecgnize_prop:s0
+
+#=============allow radio to set/get xcap rawurl config================
+persist.vendor.mtk.xcap.rawurl u:object_r:persist_xcap_rawurl_prop:s0
+
+#=============mtk bt enable SAP profile property=============#
+ro.vendor.mtk.bt_sap_enable u:object_r:mtk_bt_sap_enable_prop:s0
+
+#=============allow processes to change powerhal config================
+persist.vendor.powerhal. u:object_r:mtk_powerhal_prop:s0
+vendor.powerhal. u:object_r:mtk_powerhal_prop:s0
+
+#=============MTK Wifi wlan_assistant property=============
+vendor.mtk.nvram.ready u:object_r:mtk_nvram_ready_prop:s0
+
+#=============Wi-Fi Hotspot==============
+ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0
+
+#=============allow mtk hdmi==============#
+persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0
+
+#=============mtk nn option==============#
+ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0
+
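Review bot: The `vendor.ril.iccid.sim`, `vendor.ril.uim.subscriberid` and `persist.vendor.radio.last_iccid_sim` entries in the Telephony Sensitive block appear to get `mtk_telephony_sensitive_prop` only because they are more specific than the `vendor.ril.` and `persist.vendor.radio.` prefix entries under `Label telephony property`, and that ordering dependency is not written down anywhere. A comment on the sensitive block such as `# exact keys below must stay more specific than the vendor.ril. / persist.vendor.radio. prefixes, or they fall back to vendor_radio_prop` would protect it from a later edit that widens or reorders the prefixes. The same silent dependency exists for `vendor.client.em.appmode` (mediatek_prop) against `vendor.client.` (mtk_em_prop), and for `vendor.usb.port.mode` / `persist.vendor.usb.otg.switch` against the `vendor.usb.` / `persist.vendor.usb.` prefixes labelled `vendor_usb_prop`. The header `allow em to set vdectlc logproperty` is missing a space.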
diff --git a/r_non_plat/radio.te b/r_non_plat/radio.te
new file mode 100644
index 0000000..5d3db51
--- /dev/null
+++ b/r_non_plat/radio.te
@@ -0,0 +1,236 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Purpose : allow to access kpd driver file
+allow radio sysfs_keypad_file:dir { r_dir_perms };
+allow radio sysfs_keypad_file:file { w_file_perms };
+
+# Date : WK15.34 2015/08/21
+# Operation : IT
+# Purpose : for engineermode WFD IOT property
+allow radio surfaceflinger:fifo_file { rw_file_perms };
+
+# Date : 2016/06/11
+# Operation : IT
+# Purpose : for engineermode Usb PHY Tuning
+allow radio debugfs_usb20_phy:file { read open getattr };
+allow radio debugfs_usb20_phy:dir search;
+
+# Date : WK14.38 2016/06/28
+# Operation : Migration
+# Purpose : for engineermode
+allow radio mt_otg_test_device:chr_file { read write ioctl open };
+allow radio mtgpio_device:chr_file { read ioctl open };
+allow radio stpbt_device:chr_file { read write open };
+allow radio stpant_device:chr_file { read write open };
+allow radio bt_int_adp_socket:sock_file write;
+allow radio mt6605_device:chr_file { read write ioctl open getattr };
+allow radio nfc_socket:dir { write add_name remove_name search };
+allow radio system_prop:property_service set;
+
+# Date : WK14.38 2016/06/28
+# Operation : Migration
+# Purpose : for engineermode
+allow radio em_svr:unix_stream_socket connectto;
+
+# Date : WK15.25 2016/06/28
+# Operation :N Migration
+# Purpose : for engineermode WiFi test mode
+# todo: in the feature Google maybe forbid this option,we should use other way
+allowxperm radio self:udp_socket ioctl { SIOCIWFIRSTPRIV-SIOCIWFIRSTPRIV_09 SIOCIWFIRSTPRIV_0B SIOCSIWESSID SIOCSIWMODE };
+
+# Date : 2014/12/13
+# Operation : IT
+# Purpose : for bluetooth relayer mode
+allow radio block_device:dir search;
+allow radio ttyGS_device:chr_file { open read write ioctl };
+
+# Date : 2016/07/05
+# Purpose :
+# Write IMEI - presanity item write imei should read the file on storage
+# Swift APK integration - access TTL scripts and logs on external storage
+# eng mode camera - save iamges files and log files on external storage
+# eng mode ygps - save location information on external storage
+allow radio media_rw_data_file:dir { create_dir_perms };
+allow radio media_rw_data_file:file { create_file_perms };
+
+# Date : 2016/08/02
+# Purpose :
+# Swift APK integration - access ccci dir/file
+allow radio ccci_fsd:dir { r_dir_perms };
+
+# Date : 2016/07/25
+# Operation : Bluetooth access NVRAM fail in Engineer Mode
+# Purpose : for Bluetooth read NVRAM data
+allow radio nvdata_file:dir search;
+allow radio nvdata_file:file rw_file_perms;
+
+#Date : 2016/11/08
+#Operation: IT
+#Purpose: for EM set persist.net.auto.tethering
+set_prop(radio, mtk_em_net_auto_tethering_prop)
+
+# Date : WK17.03
+# Operation : O Migration
+# Purpose : HIDL for rilproxy
+binder_call(radio, hal_telephony)
+
+# Date : WK17.15
+# Operation : O Migration
+# Purpose : for YGPS execution
+allow radio hal_graphics_composer_default:fd use;
+
+#Dat: 2017/02/14
+#Purpose: allow get telephony Sensitive property
+get_prop(radio, mtk_telephony_sensitive_prop)
+
+# Date : WK17.26
+# Operation : O Migration
+# Purpose : HIDL for imsa
+binder_call(radio, mtk_hal_imsa)
+
+# Date : WK1727 2017/07/04
+# Operation : IT
+# Purpose : Allow to use HAL imsa
+hal_client_domain(radio, hal_imsa)
+
+#Dat: 2017/06/29
+#Purpose: For audio parameter tuning
+#allow radio hal_audio_hwservice:hwservice_manager find;
+binder_call(radio,mtk_hal_audio)
+
+# TODO : Will move to plat_private when SEPolicy split done
+# Date : WK1727 2017/07/19
+# Operation : Migration
+# Purpose : Allow EM set usb property
+set_prop(radio, system_radio_prop)
+
+#Dat: 2017/07/20
+#Purpose: NFC EM
+allow radio hal_nfc_hwservice:hwservice_manager find;
+binder_call(radio, hal_nfc)
+binder_call(hal_nfc, radio)
+hwbinder_use(radio);
+#hal_client_domain(radio, hal_nfc)
+typeattribute radio halclientdomain;
+typeattribute radio hal_nfc_client;
+allow radio nfc_socket:sock_file { create write unlink setattr };
+set_prop(radio, system_prop)
+
+# Date : WK1734 2017/08/23
+# Purpose : Allow EM use power HAL
+allow radio mtk_hal_power_hwservice:hwservice_manager find;
+binder_call(radio, mtk_hal_power)
+
+# Date : 2017/10/31
+# Purpose: Policy for EM to set wcn coredump property
+get_prop(radio, wmt_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow radio to get tel_switch_prop
+get_prop(radio, tel_switch_prop)
+
+# Date : 2018/05/03
+# Operation: P migration
+# Purpose: allow EM to set modem reset delay property
+get_prop(radio, mtk_debug_md_reset_prop)
+
+# Date : 2018/06/01
+# Operation : P migration
+# Purpose : For EM access battery info
+allow radio sysfs_batteryinfo:dir search;
+#allow radio sysfs_batteryinfo:file { read write getattr open create};
+allow radio sysfs_vbus:file { read getattr open };
+allow radio sysfs_battery_consumption:file r_file_perms;
+allow radio sysfs_power_on_vol:file r_file_perms;
+allow radio sysfs_power_off_vol:file r_file_perms;
+allow radio sysfs_fg_disable:file w_file_perms;
+allow radio sysfs_dis_nafg:file w_file_perms;
+
+# Date : 2018/06/15
+# Purpose : Allow EM access touchscreen settings
+allow radio sysfs_tpd_debug:dir { search read open };
+allow radio sysfs_tpd_setting:dir { search read open };
+
+# Date : 2018/06/15
+# Purpose : mtk EM PMU reading/setting
+allow radio sysfs_pmu:dir { search };
+allow radio sysfs_pmu:file { read };
+allow radio sysfs_pmu:lnk_file { read };
+
+# Date : 2018/06/15
+# Purpose : mtk EM Power debug_log setting
+allow radio sysfs_spm:dir { search };
+
+# Date : 2018/06/15
+# Purpose: Allow EM detect Audio headset status
+allow radio sysfs_headset:file { read open };
+
+# Date : 2018/06/26
+# Operation : IT
+# Purpose : Allow to use HAL em
+hal_client_domain(radio, mtk_hal_em)
+
+# Date : 2018/07/03
+# Purpose : Allow sim system to set prop
+set_prop(radio, vendor_sim_system_prop)
+
+# Date : 2018/07/03
+# Purpose : Allow Mwi to get vendor default properties (ro.vendor.*)
+get_prop(radio, vendor_default_prop)
+
+# Operation : DEBUG
+# Purpose : Allow to use mtk_bgdata_disabled
+set_prop(radio, mtk_bgdata_disabled)
+
+# Date : 2018/07/03
+# Operation : DEBUG
+# Purpose : Allow to use mtk_telecom_vibrate
+set_prop(radio, mtk_telecom_vibrate)
+
+# Date : 2018/07/03
+# Operation : DEBUG
+# Purpose : Allow to use mtk_gprs_attach_type
+set_prop(radio, mtk_gprs_attach_type)
+
+# Date : 2018/07/12
+# Purpose : Allow EM to use Lbs Hidl
+binder_call(radio, lbs_hidl_service)
+allow radio mtk_hal_lbs_hwservice:hwservice_manager find;
+
+# Date : 2018/08/12
+# Purpose : Allow EM to set poweroffmd property
+set_prop(radio, mtk_power_off_md_type)
+
+get_prop(radio, persist_mtk_aeev_prop);
+
+
+# Date : 2018/08/31
+# Purpose : Allow EM to set sys property
+set_prop(radio, mtk_em_sys_prop)
+
+# Date : 2018/11/01
+# Purpose : mtk EM c2k bypass read usb file
+allow radio sys_usb_rawbulk:file { r_file_perms };
+allow radio sys_usb_rawbulk:dir { r_dir_perms };
+
+#Date : 2018/11/02
+# Operation : Allow radio persist_xcap_rawurl_prop:property_service set;
+# Purpose : for set telephony xcap use raw url property in IMS SS
+set_prop(radio, persist_xcap_rawurl_prop)
+
+# Date : 2019/05/08
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+allow radio aee_aed:unix_stream_socket connectto;
+
+# Date : 2019/05/23
+# Operation : Get subpimc reigster status
+# Purpose : Engineering mode need get subpimic register status
+allow radio debugfs_regmap:dir { search };
+
+# Date : 2018/09/29
+# Purpose : Allow get USB Current Speed in Engineer Mode
+get_prop(radio, vendor_usb_prop); \ No newline at end of file
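Review bot: `radio` is granted blanket `set` on `system_prop` twice in this hunk, once as a raw rule in the "for engineermode" block (`allow radio system_prop:property_service set;`) and again as `set_prop(radio, system_prop)` in the NFC EM block; that type covers the whole `sys.` namespace, far wider than the engineer-mode use the comments describe, and the file already shows the narrower pattern further down with `set_prop(radio, mtk_em_sys_prop)`. I would drop both grants and move whatever EM still needs into `mtk_em_sys_prop` (or another dedicated type) in property_contexts. The wireless-extension ioctl grant (`allowxperm radio self:udp_socket ioctl { SIOCIWFIRSTPRIV-SIOCIWFIRSTPRIV_09 ... }`) carries its own "Google maybe forbid this" comment; if it must stay it should be wrapped in `userdebug_or_eng()` so user builds do not ship it. The same applies to `allow radio nvdata_file:file rw_file_perms;`, which lets the phone process rewrite NVRAM data although the purpose line says "for Bluetooth read NVRAM data" — either reduce it to `r_file_perms` or correct the comment to say what is written.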
diff --git a/r_non_plat/recovery.te b/r_non_plat/recovery.te
new file mode 100644
index 0000000..a130f89
--- /dev/null
+++ b/r_non_plat/recovery.te
@@ -0,0 +1,57 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Date : WK15.13
+# Operation : UT
+# Purpose : Nand device policy
+allow recovery mtd_device:dir search;
+allow recovery mtd_device:chr_file rw_file_perms;
+allow recovery self:capability sys_resource;
+
+# Date : WK18.16
+# Operation : UT
+# Purpose : Refine policy
+allow recovery misc_sd_device:chr_file rw_file_perms;
+allow recovery vfat:dir r_dir_perms;
+allow recovery vfat:file r_file_perms;
+allow recovery sysfs_mmcblk:dir r_dir_perms;
+allow recovery sysfs_mmcblk:file rw_file_perms;
+allow recovery sysfs_mmcblk:lnk_file r_file_perms;
+
+# Date : WK18.25
+# Operation : UT
+# Purpose : Add policy for therm, gpu, battery, and boot_type
+allow recovery sysfs:dir r_dir_perms;
+allow recovery sysfs_batteryinfo:dir r_dir_perms;
+allow recovery sysfs_boot_type:file r_file_perms;
+allow recovery sysfs_therm:dir r_dir_perms;
+allow recovery sysfs_therm:file r_file_perms;
+allow recovery gpu_device:dir r_dir_perms;
+
+# Date : WK18.09
+# Operation : UT
+# Purpose : Allow recovery can update boot partition
+allow recovery tmpfs:lnk_file r_file_perms;
+
+# Date : WK19.03
+# Operation : UT
+# Purpose : Android Migration
+allow recovery bootdevice_block_device:blk_file rw_file_perms;
+allow recovery self:capability { sys_rawio fsetid };
+allowxperm recovery bootdevice_block_device:blk_file ioctl {
+ MMC_IOCTLCMD
+ UFS_IOCTLCMD
+};
+allow recovery block_device:blk_file ioctl;
+allowxperm recovery block_device:blk_file ioctl {
+ BLKIOMIN
+ BLKALIGNOFF
+};
+allow recovery sysfs_dm:dir search;
+allow recovery sysfs_dm:file r_file_perms;
+allowxperm recovery tmpfs:file ioctl FS_IOC_FIEMAP;
+allowxperm recovery cache_block_device:blk_file ioctl BLKPBSZGET;
+allowxperm recovery nvdata_device:blk_file ioctl BLKPBSZGET;
+allow recovery proc_filesystems:file r_file_perms;
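Review bot: `allow recovery sysfs_mmcblk:file rw_file_perms;` under the "Refine policy" block is the only write grant on a sysfs type in this file (every other sysfs rule here is read-only) and neither the purpose line nor the rule says which attribute recovery writes. Please name it in the comment, e.g. `# Purpose : recovery writes <attribute> under /sys/block/mmcblk* for <reason>`, or give the written node its own label so the remaining mmcblk attributes stay read-only. The `sys_rawio` capability in the "Android Migration" block likewise deserves a one-line note tying it to the `MMC_IOCTLCMD`/`UFS_IOCTLCMD` xperms it is presumably needed for, so a later reader does not have to rediscover the dependency.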
diff --git a/r_non_plat/resize.te b/r_non_plat/resize.te
new file mode 100644
index 0000000..b2e8c7c
--- /dev/null
+++ b/r_non_plat/resize.te
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /vendor/bin/resize_xxx Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type resize, domain;
+type resize_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : resize fs(ext4) partition, only run once.
+init_daemon_domain(resize)
+
+allow resize resize_exec:file execute_no_trans;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow resize devpts:chr_file { read write open getattr ioctl };
+
+allow resize kmsg_device:chr_file { write open };
+
+allow resize userdata_block_device:blk_file rw_file_perms;
+
+allow resize block_device:dir search;
+
+allow resize resize:capability sys_admin;
+
+allow resize labeledfs:filesystem unmount;
+
+allow resize property_socket:sock_file write;
+
+allow resize init:unix_stream_socket connectto;
+
+#allow resize system_file:file execute_no_trans;
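Review bot: The last two rules (`allow resize property_socket:sock_file write;` and `allow resize init:unix_stream_socket connectto;`) open the property-service transport, but no `property_service set` rule or `set_prop(resize, ...)` accompanies them; either resize cannot actually set anything and the rules are dead, or the `set` grant lives elsewhere and should be expressed here as `set_prop(resize, <prop_type>)`, which expands to both transport rules and documents which property a one-shot partition resizer is allowed to change. `allow resize resize:capability sys_admin;` should be written `allow resize self:capability sys_admin;` to match the rest of the tree, with a note that it is required for the `labeledfs:filesystem unmount` grant below. "only run once" in the purpose comment is a property of init.rc, not something this policy enforces; if that assumption matters for the `rw_file_perms` on `userdata_block_device`, say so explicitly.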
diff --git a/r_non_plat/rild.te b/r_non_plat/rild.te
new file mode 100644
index 0000000..0d7ae35
--- /dev/null
+++ b/r_non_plat/rild.te
@@ -0,0 +1,159 @@
+# ==============================================
+# Policy File of /vendor/bin/rild Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Access to wake locks
+wakelock_use(rild)
+# Trigger module auto-load.
+allow rild kernel:system module_request;
+
+# Capabilities assigned for rild
+allow rild self:capability { setuid net_admin net_raw };
+
+# Control cgroups
+allow rild cgroup:dir create_dir_perms;
+
+# Property service
+# allow set RIL related properties (radio./net./system./etc)
+auditallow rild net_radio_prop:property_service set;
+auditallow rild system_radio_prop:property_service set;
+set_prop(rild, ril_active_md_prop)
+# allow set muxreport control properties
+set_prop(rild, ril_cdma_report_prop)
+set_prop(rild, ril_mux_report_case_prop)
+set_prop(rild, ctl_muxreport-daemon_prop)
+
+# Access to wake locks
+wakelock_use(rild)
+
+# Allow access permission to efs files
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild bluetooth_efs_file:file r_file_perms;
+allow rild bluetooth_efs_file:dir r_dir_perms;
+
+# Allow access permission to dir/files
+# (radio data/system data/proc/etc)
+# Violate Android P rule
+allow rild sdcardfs:dir r_dir_perms;
+#allow rild system_file:file x_file_perms;
+allow rild proc_net:file w_file_perms;
+
+# Allow rild to create and use netlink sockets.
+# Set and get routes directly via netlink.
+allow rild self:netlink_route_socket nlmsg_write;
+
+# Allow read/write to devices/files
+allow rild radio_device:chr_file rw_file_perms;
+allow rild radio_device:blk_file r_file_perms;
+allow rild mtd_device:dir search;
+# Allow read/write to tty devices
+allow rild tty_device:chr_file rw_file_perms;
+allow rild eemcs_device:chr_file { rw_file_perms };
+
+#allow rild Vcodec_device:chr_file { rw_file_perms };
+allow rild devmap_device:chr_file { r_file_perms };
+allow rild devpts:chr_file { rw_file_perms };
+allow rild ccci_device:chr_file { rw_file_perms };
+allow rild misc_device:chr_file { rw_file_perms };
+allow rild proc_lk_env:file rw_file_perms;
+allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
+#allow rild bootdevice_block_device:blk_file { rw_file_perms };
+allow rild para_block_device:blk_file { rw_file_perms };
+
+# Allow dir search, fd uses
+allow rild block_device:dir search;
+allow rild platform_app:fd use;
+allow rild radio:fd use;
+
+# For MAL MFI
+allow rild mal_mfi_socket:sock_file { w_file_perms };
+
+# For ccci sysfs node
+allow rild sysfs_ccci:dir search;
+allow rild sysfs_ccci:file r_file_perms;
+
+#Date : W17.18
+#Purpose: Treble SEpolicy denied clean up
+add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
+allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
+
+#Date : W17.21
+#Purpose: Grant permission to access binder dev node
+vndbinder_use(rild)
+
+#Dat: 2017/03/27
+#Purpose: allow set telephony Sensitive property
+set_prop(rild, mtk_telephony_sensitive_prop)
+
+# For AGPSD
+allow rild mtk_agpsd:unix_stream_socket connectto;
+
+#Date 2017/10/12
+#Purpose: allow set MTU size
+#allow rild toolbox_exec:file getattr;
+allow rild mtk_net_ipv6_prop:property_service set;
+
+#Date: 2017/12/6
+#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
+allow rild vendor_shell_exec:file {execute_no_trans};
+allow rild vendor_toolbox_exec:file {execute_no_trans};
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow rild to get tel_switch_prop
+get_prop(rild, tel_switch_prop)
+
+#Date: W1817
+#Purpose: allow rild access property of vendor_radio_prop
+set_prop(rild, vendor_radio_prop)
+
+#Date : W18.21
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(rild, vendor_ril_ipo_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(rild, mtk_cxp_vendor_prop)
+allow rild mnt_vendor_file:dir search;
+allow rild mnt_vendor_file:file create_file_perms;
+allow rild nvdata_file:dir create_dir_perms;
+allow rild nvdata_file:file create_file_perms;
+
+#Date : W18.29
+#Purpose: allow rild access binder to mtk_hal_secure_element
+allow rild mtk_hal_secure_element:binder call;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(rild, mtk_ss_vendor_prop)
+
+# Date : 2018/2/27
+# Purpose : for NVRAM recovery mechanism
+set_prop(rild,powerctl_prop);
+
+# Date: 2019/06/14
+# Operation : Migration
+allow rild proc_cmdline:file r_file_perms;
+
+# Date: 2019/07/18
+# Operation: AP wifi path
+# Purpose: Allow packet can be filtered by RILD process
+allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl };
+
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;
+
+# Date: 2019/11/15
+# Operation: RILD init flow
+# Purpose: To handle illegal rild started
+set_prop(rild, gsm0710muxd_prop)
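Review bot: `allow rild proc_net:file w_file_perms;` grants write to every node labeled `proc_net`, while the stated need (the 2017/12/6 block: `/proc/sys/net/ipv6/conf/ccmniX/router_solicitations`) is a handful of files; and the two `execute_no_trans` rules on `vendor_shell_exec`/`vendor_toolbox_exec` mean rild reaches those nodes by spawning a shell, which turns any flaw in how the command string is built into an in-domain shell. I would label the ccmni conf nodes with a dedicated type in genfs_contexts, write them directly from rild, and drop the shell/toolbox execution. `set_prop(rild,powerctl_prop)` ("for NVRAM recovery mechanism") lets a daemon that talks directly to the modem over `ccci_device` trigger reboot/shutdown through `sys.powerctl`; if that cannot be moved to a privileged helper it at least needs a comment stating the trigger condition. Minor: `wakelock_use(rild)` appears twice, and `allow rild mtk_hal_secure_element:binder call;` should be `binder_call(rild, mtk_hal_secure_element)` like the other binder grants in this file.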
diff --git a/r_non_plat/rilproxy.te b/r_non_plat/rilproxy.te
new file mode 100644
index 0000000..bf1d79e
--- /dev/null
+++ b/r_non_plat/rilproxy.te
@@ -0,0 +1,78 @@
+# ==============================================
+# Policy File of /vendor/bin/rilproxy Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Access to wake locks
+wakelock_use(rild)
+
+# rild Bringup Policy
+allow rild init:unix_stream_socket connectto;
+allow rild mtkrild:unix_stream_socket connectto;
+allow rild property_socket:sock_file write;
+allow rild self:capability setuid;
+allow rild radio_prop:property_service set;
+allow rild ril_mux_report_case_prop:property_service set;
+allow rild mtk_agpsd:unix_stream_socket connectto;
+allow servicemanager rild:dir search;
+allow servicemanager rild:file { read open };
+allow servicemanager rild:process getattr;
+
+# Allow the socket read/write of netd for rild
+allow rild netd_socket:sock_file write;
+allow rild netd_socket:sock_file read;
+
+#Date : W17.13
+#Purpose: Treble SEpolicy denied clean up
+get_prop(rild, hwservicemanager_prop)
+
+#Date : W17.18
+#Purpose: Treble SEpolicy denied clean up
+add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
+allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
+
+#Date : W17.21
+#Purpose: Grant permission to access binder dev node
+vndbinder_use(rild)
+
+#Date : W17.20
+#Purpose: allow access to audio hal
+binder_call(rild, mtk_hal_audio)
+hal_client_domain(rild, hal_audio)
+
+#Date : W18.15
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(mtkrild, vendor_ril_ipo_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(mtkrild, mtk_cxp_vendor_prop)
+allow mtkrild mnt_vendor_file:dir search;
+allow mtkrild mnt_vendor_file:file create_file_perms;
+allow mtkrild nvdata_file:dir create_dir_perms;
+allow mtkrild nvdata_file:file create_file_perms;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(mtkrild, mtk_ss_vendor_prop)
+
+# Date : W19.16
+# Operation: Q migration
+# Purpose: Allow rild access to send SUPL INIT to mnld
+allow rild mnld:unix_dgram_socket sendto;
+allow mtkrild mnld:unix_dgram_socket sendto;
+
+# Date : W19.35
+# Operation: Q migration
+# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
+allow rild gsmrild_socket:sock_file write;
+
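Review bot: Despite the header "Policy File of /vendor/bin/rilproxy", no `rilproxy` domain or exec type is declared here and every rule targets `rild` or `mtkrild`, so the file only widens those domains; several of its rules restate rild.te from the same commit (`wakelock_use(rild)`, `vndbinder_use(rild)`, the `mtk_agpsd` connectto, and the `add_hwservice`/`hwservice_manager find` pair). Duplicate allow rules merge at compile time, but they make the effective rild policy hard to audit; keep one copy, or declare the rilproxy domain this file claims to describe. `allow rild radio_prop:property_service set;` is a raw grant on a platform-owned property type and should go through `set_prop(rild, radio_prop)` or a vendor-owned type so the transport rules and ownership are explicit. `allow rild netd_socket:sock_file read;` is unusual, since connecting to a socket file needs only `write`; drop `read` unless a denial shows it is needed.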
diff --git a/r_non_plat/shared_relro.te b/r_non_plat/shared_relro.te
new file mode 100644
index 0000000..88430ee
--- /dev/null
+++ b/r_non_plat/shared_relro.te
@@ -0,0 +1,7 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(shared_relro, mtk_amslog_prop)
diff --git a/r_non_plat/shell.te b/r_non_plat/shell.te
new file mode 100644
index 0000000..b292564
--- /dev/null
+++ b/r_non_plat/shell.te
@@ -0,0 +1,25 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Date : WK16.46
+# Purpose : allow shell to switch aee mode
+allow shell aee_aed:unix_stream_socket connectto;
+
+# Date : WK17.35
+# Purpose : allow shell to dump the debugging information of camera hal.
+#allow shell hal_camera_hwservice:hwservice_manager { find };
+binder_call(shell, mtk_hal_camera)
+
+# Date : WK17.36
+# Purpose : allow shell to dump the debugging information of power hal.
+hal_client_domain(shell, hal_power)
+allow shell aee_exp_vendor_file:dir r_dir_perms;
+allow shell aee_exp_vendor_file:file r_file_perms;
+allow shell aee_exp_data_file:dir r_dir_perms;
+allow shell aee_exp_data_file:file r_file_perms;
+
+get_prop(shell, mobile_log_prop)
+get_prop(shell, persist_mtk_aee_prop);
+get_prop(shell, persist_aee_prop);
+get_prop(shell, debug_mtk_aee_prop);
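Review bot: Every grant here is described as debugging (switching aee mode, dumping camera and power HAL state, reading aee exception files) but none is gated, so on user builds the unprivileged adb shell gets `connectto` on the `aee_aed` socket, `binder_call` into `mtk_hal_camera`, and a full `hal_client_domain(shell, hal_power)`. Wrap these rules in the `userdebug_or_eng()` macro so the access exists only on builds where debugging is intended. The `aee_exp_vendor_file`/`aee_exp_data_file` read grants are the most sensitive of the set, since exception dumps can contain process memory and stack contents; if a production use case exists it should be named in the comment above them.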
diff --git a/r_non_plat/slpd.te b/r_non_plat/slpd.te
new file mode 100644
index 0000000..cfce93b
--- /dev/null
+++ b/r_non_plat/slpd.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /vendor/bin/slpd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type slpd_exec, exec_type, file_type, vendor_file_type;
+type slpd, domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(slpd)
+
+net_domain(slpd)
+
+# mtk_agpsd will send the current SUPL profile to SLPD
+allow slpd mtk_agpsd:unix_dgram_socket sendto;
diff --git a/r_non_plat/spm_loader.te b/r_non_plat/spm_loader.te
new file mode 100644
index 0000000..d0f5984
--- /dev/null
+++ b/r_non_plat/spm_loader.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/spm_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type spm_loader_exec , exec_type, file_type, vendor_file_type;
+type spm_loader ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# date: 2015/6/18 wk1525
+# purpose: load spm firmware
+# ==============================================
+init_daemon_domain(spm_loader)
+
+# Read to /dev/spm
+allow spm_loader spm_device:chr_file r_file_perms;
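Review bot: The header says "Policy File of /system/bin/spm_loader" but `spm_loader_exec` is declared with `vendor_file_type`, which only fits a binary under /vendor; one of the two is wrong, and the comment should give the real path (presumably `/vendor/bin/spm_loader`, matching the other daemons in this change) so the file_contexts entry and the type attribute can be checked against each other. A short note on why read-only `r_file_perms` on `spm_device` is enough to "load spm firmware" (it suggests the daemon only reads the node and the kernel does the loading — worth confirming) would complete the header.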
diff --git a/r_non_plat/st54spi_hal_secure_element.te b/r_non_plat/st54spi_hal_secure_element.te
new file mode 100644
index 0000000..f949e19
--- /dev/null
+++ b/r_non_plat/st54spi_hal_secure_element.te
@@ -0,0 +1,9 @@
+type st54spi_hal_secure_element, domain;
+hal_server_domain(st54spi_hal_secure_element, hal_secure_element)
+type st54spi_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+allow st54spi_hal_secure_element st54spi_device:chr_file rw_file_perms;
+
+init_daemon_domain(st54spi_hal_secure_element)
+
+
diff --git a/r_non_plat/stp_dump3.te b/r_non_plat/stp_dump3.te
new file mode 100644
index 0000000..d7e7675
--- /dev/null
+++ b/r_non_plat/stp_dump3.te
@@ -0,0 +1,43 @@
+# ==============================================
+# Policy File of /system/binstp_dump3 Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type stp_dump3_exec, vendor_file_type, exec_type, file_type;
+type stp_dump3, domain;
+
+# ==============================================
+# Android Policy Rule
+# ==============================================
+
+# ==============================================
+# NSA Policy Rule
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+allow stp_dump3 self:capability { net_admin fowner chown fsetid };
+allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
+allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
+allow stp_dump3 wmtdetect_device:chr_file { read write ioctl open };
+allow stp_dump3 stpwmt_device:chr_file rw_file_perms;
+allow stp_dump3 tmpfs:lnk_file r_file_perms;
+allow stp_dump3 tmpfs:lnk_file read;
+allow stp_dump3 mnt_user_file:dir search;
+allow stp_dump3 mnt_user_file:lnk_file read;
+allow stp_dump3 storage_file:lnk_file read;
+allow stp_dump3 storage_file:dir search;
+allow stp_dump3 sdcard_type:dir search;
+allow stp_dump3 sdcard_type:dir {open read write create setattr getattr add_name remove_name search};
+allow stp_dump3 sdcard_type:file { open read write create setattr getattr append unlink rename};
+allow stp_dump3 sdcard_type:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
+allow stp_dump3 stp_dump_data_file:file create_file_perms;
+allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
+allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
+get_prop(stp_dump3, coredump_prop)
+init_daemon_domain(stp_dump3)
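Review bot: The `sdcard_type` rules are both redundant and broader than a dump daemon needs: the explicit `{open read write create ...}` sets on `sdcard_type:dir`/`:file` are subsumed by the `create_file_perms` and `search` lines next to them, and together they let a vendor daemon create arbitrary files anywhere on shared storage, where any app holding storage permission can read the connectivity firmware dumps. Since the file already has `stp_dump_data_file` and `connsyslog_data_vendor_file` with `create_*_perms`, I would drop the four `sdcard_type` lines (or keep them only under `userdebug_or_eng()`) and let dumps stay in the labeled vendor directories. The duplicated `tmpfs:lnk_file` rules collapse to one, and the header path `/system/binstp_dump3` is missing a slash and should agree with the `vendor_file_type` on the exec type, e.g. `# Policy File of /vendor/bin/stp_dump3 Executable File`.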
diff --git a/r_non_plat/surfaceflinger.te b/r_non_plat/surfaceflinger.te
new file mode 100644
index 0000000..795076e
--- /dev/null
+++ b/r_non_plat/surfaceflinger.te
@@ -0,0 +1,84 @@
+# ==============================================
+# MTK Policy Rule
+# ============
+
+# Data : WK14.42
+# Operation : Migration
+# Purpose : Video playback
+allow surfaceflinger sw_sync_device:chr_file { rw_file_perms };
+allow surfaceflinger debug_prop:property_service set;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow surfaceflinger proc_ged:file rw_file_perms;
+allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+
+allow surfaceflinger gpu_device:dir search;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow surfaceflinger proc_bootprof:file r_file_perms;
+
+#============= surfaceflinger ==============
+allow surfaceflinger debugfs_ion:dir search;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow surfaceflinger mtk_cmdq_device:chr_file { read ioctl open };
+
+# Date : W17.39
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, mtkbootanimation)
+binder_service(surfaceflinger)
+
+allow surfaceflinger mtkbootanimation:dir search;
+allow surfaceflinger mtkbootanimation:file { read getattr open };
+
+# Date : W17.43
+# Operation : Migration
+# Purpose: Allow to access perfmgr
+allow surfaceflinger proc_perfmgr:dir {read search};
+allow surfaceflinger proc_perfmgr:file {open read ioctl};
+allowxperm surfaceflinger proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_VSYNC
+};
+
+# Date : WK17.43
+# Operation : Debug
+# Purpose: Allow to dump HWC backtrace
+get_prop(surfaceflinger, graphics_hwc_pid_prop)
+get_prop(surfaceflinger, graphics_hwc_latch_unsignaled_prop)
+allow surfaceflinger hal_graphics_composer_default:dir search;
+allow surfaceflinger hal_graphics_composer_default:lnk_file read;
+
+# Date : WK18.36
+# Operation : Debug
+# Purpose: Allow to dump buffer queue
+get_prop(surfaceflinger, debug_bq_dump_prop)
+
+# Date : WK19.4
+# Operation : P Migration
+# Purpose: Allow to access /dev/mdp_device driver
+allow surfaceflinger mdp_device:chr_file rw_file_perms;
+
+# Date : WK19.09
+# Purpose: Allow to access property dev/mdp_sync
+#============= surfaceflinger ==============
+allow surfaceflinger mtk_mdp_device:chr_file rw_file_perms;
+
+# Date : WK18.43
+# Operation : HDR
+# Purpose: Allow to skip aosp hdr solution
+get_prop(surfaceflinger, graphics_hwc_hdr_prop)
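Review bot: `allow surfaceflinger debug_prop:property_service set;` sits under a "Video playback" purpose line that does not explain why the compositor needs write access to the whole `debug.` namespace; either name the property and give it a dedicated type, or gate the rule with `userdebug_or_eng()`, which is also where the `graphics_hwc_pid_prop`/`debug_bq_dump_prop` "Debug" grants belong. The `binder_use`/`binder_call(surfaceflinger, binderservicedomain)`/`binder_call(surfaceflinger, appdomain)`/`binder_service` lines under "W17.39" look like a restatement of what platform policy already gives surfaceflinger (verify against the plat policy in this tree); if so they add nothing here except one more place to audit and should be removed.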
diff --git a/r_non_plat/system_app.te b/r_non_plat/system_app.te
new file mode 100644
index 0000000..4e18c90
--- /dev/null
+++ b/r_non_plat/system_app.te
@@ -0,0 +1,50 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+typeattribute system_app mlstrustedsubject;
+
+# Date : 2017/07/21
+# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
+# Package Name: com.mediatek.connectivity
+hal_client_domain(system_app, hal_nvramagent);
+
+hal_client_domain(system_app, mtk_hal_lbs)
+
+#Dat: 2017/02/14
+#Purpose: allow set telephony Sensitive property
+get_prop(system_app, mtk_telephony_sensitive_prop)
+
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+allow system_app mtk_thermal_config_prop:file { getattr open read };
+
+
+# Date : 2017/11/07
+# Operation : Migration
+# Purpose : CAT need copy exception db file from data folder
+# Package: CAT tool
+allow system_app aee_exp_data_file:file r_file_perms;
+allow system_app aee_exp_data_file:dir r_dir_perms;
+
+# Date: 2018/11/08
+# Operation : JPEG
+# Purpose : JPEG need to use PQ via MMS HIDL
+allow system_app mtk_hal_mms_hwservice:hwservice_manager find;
+allow system_app mtk_hal_mms:binder call;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : system_app need vendor_default_prop
+get_prop(system_app, vendor_default_prop)
+
+# Date: 2019/07/16
+# Operation : Migration
+# Purpose : system_app need use hdmi service and create socktet
+allow system_app mtk_hal_hdmi_hwservice:hwservice_manager find;
+allow system_app mtk_hal_hdmi:binder call;
+allow system_app self:netlink_kobject_uevent_socket {read bind create setopt };
+# system_app need to read from sysfs /sys/class/switch/hdmi/state
+r_dir_file(system_app, sysfs_switch);
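Review bot: `typeattribute system_app mlstrustedsubject;` exempts every system app from MLS category checks, which Android uses to keep per-user data separated, and it is the one line in this file with no date, purpose or package name. If a specific MediaTek system app needs to reach another user's files, say which one and why in a comment directly above the line, or scope the need to a dedicated app domain via seapp_contexts instead of lifting the restriction for all of `system_app`. Also, `allow system_app mtk_thermal_config_prop:file { getattr open read };` is a hand-written property read and should be `get_prop(system_app, mtk_thermal_config_prop)` like the other property grants in this file.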
diff --git a/r_non_plat/system_server.te b/r_non_plat/system_server.te
new file mode 100644
index 0000000..d79c56f
--- /dev/null
+++ b/r_non_plat/system_server.te
@@ -0,0 +1,211 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Access devices.
+allow system_server touch_device:chr_file rw_file_perms;
+allow system_server stpant_device:chr_file rw_file_perms;
+allow system_server devmap_device:chr_file r_file_perms;
+allow system_server irtx_device:chr_file rw_file_perms;
+allow system_server qemu_pipe_device:chr_file rw_file_perms;
+allow system_server wmtWifi_device:chr_file w_file_perms;
+
+# Add for bootprof
+allow system_server proc_bootprof:file rw_file_perms;
+
+# /data/core access.
+allow system_server aee_core_data_file:dir r_dir_perms;
+
+# Perform Binder IPC.
+allow system_server zygote:binder impersonate;
+
+# Property service.
+allow system_server ctl_bootanim_prop:property_service set;
+
+# For dumpsys.
+allow system_server aee_dumpsys_data_file:file w_file_perms;
+allow system_server aee_exp_data_file:file w_file_perms;
+
+# Dump native process backtrace.
+#allow system_server exec_type:file r_file_perms;
+
+# Querying zygote socket.
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# Communicate over a socket created by mnld process.
+
+# Allow system_server to read /sys/kernel/debug/wakeup_sources
+allow system_server debugfs_wakeup_sources:file r_file_perms;
+
+# Allow system_server to read/write /sys/power/dcm_state
+allow system_server sysfs_dcm:file rw_file_perms;
+
+# Date : WK16.36
+# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
+allow system_server log_tag_prop:property_service set;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow system_server surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server gpu_device:dir search;
+allow system_server debugfs_gpu_img:dir search;
+
+# Date : W16.43
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server sw_sync_device:chr_file { read write getattr open ioctl };
+
+# Date : WK16.44
+# Purpose: Allow to access UART1 ttyMT1
+allow system_server ttyMT_device:chr_file rw_file_perms;
+
+# Date : WK17.52
+# Purpose: Allow to access UART1 ttyS
+allow system_server ttyS_device:chr_file rw_file_perms;
+
+# Date:W16.46
+# Operation : thermal hal Feature developing
+# Purpose : thermal hal interface permission
+allow system_server proc_mtktz:dir search;
+allow system_server proc_mtktz:file r_file_perms;
+
+# Date:W17.02
+# Operation : audio hal developing
+# Purpose : audio hal interface permission
+allow system_server mtk_hal_audio:process { getsched setsched };
+
+# Date:W17.07
+# Operation : bt hal
+# Purpose : bt hal interface permission
+binder_call(system_server, mtk_hal_bluetooth)
+
+# Date:W17.08
+# Operation : sensors hal developing
+# Purpose : sensors hal interface permission
+binder_call(system_server, mtk_hal_sensors)
+
+# Operation : light hal developing
+# Purpose : light hal interface permission
+binder_call(system_server, mtk_hal_light)
+
+# Date:W17.21
+# Operation : gnss hal
+# Purpose : gnss hal interface permission
+hal_client_domain(system_server, hal_gnss)
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow system_server vendor_framework_file:dir r_file_perms;
+
+# Fix bootup violation
+allow system_server vendor_framework_file:file getattr;
+allow system_server wifi_prop:file { read getattr open };
+
+# Date:W17.22
+# Operation : add aee_aed socket rule
+# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
+# for comm=4572726F722064756D703A20737973
+# path=00636F6D2E6D746B2E6165652E6165645F3634
+# scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
+# tclass=unix_stream_socket permissive=0
+allow system_server aee_aed:unix_stream_socket connectto;
+
+#Dat: 2017/02/14
+#Purpose: allow get telephony Sensitive property
+get_prop(system_server, mtk_telephony_sensitive_prop)
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow system_server debugfs_wakeup_sources:file { read getattr open };
+
+# Date:W17.26
+# Operation : imsa hal
+# Purpose : imsa hal interface permission
+binder_call(system_server, mtk_hal_imsa)
+
+# Date:W17.28
+# Operation : camera hal developing
+# Purpose : camera hal binder_call permission
+binder_call(system_server, mtk_hal_camera)
+
+# Date:W17.31
+# Operation : mpe sensor hidl developing
+# Purpose : mpe sensor hidl permission
+binder_call(system_server, mnld)
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for network log dumpsys setting/netd information
+# audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
+# dev="pipefs" ino=46088 scontext=u:r:system_server:s0
+# tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
+allow system_server netdiag:fifo_file write;
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for DHCP Client ip recover functionality
+allow system_server dhcp_data_file:dir search;
+allow system_server dhcp_data_file:dir rw_dir_perms;
+allow system_server dhcp_data_file:file create_file_perms;
+
+# Date:W17.35
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(system_server, mtk_hal_lbs)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+allow system_server mtk_thermal_config_prop:file { getattr open read };
+
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : perfmgr permission
+allow system_server mtk_hal_power_hwservice:hwservice_manager find;
+allow system_server proc_perfmgr:dir {read search};
+allow system_server proc_perfmgr:file {open read ioctl};
+allowxperm system_server proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : W18.22
+# Operation : MTK wifi hal migration
+# Purpose : MTK wifi hal interface permission
+binder_call(system_server, mtk_hal_wifi)
+
+# Date : WK18.33
+# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
+# for comm=4572726F722064756D703A20646174 name=
+# "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs"
+# ino=10312 scontext=u:r:system_server:s0 tcontext=
+# u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0
+get_prop(system_server, persist_mtk_aee_prop);
+
+# Date : W19.15
+# Operation : alarm device permission
+# Purpose : support power-off alarm
+allow system_server alarm_device:chr_file rw_file_perms;
+
+# Date : WK19.7
+# Operation: Q migration
+# Purpose : Allow system_server to use ioctl/ioctlcmd
+allow system_server proc_ged:file rw_file_perms;
+allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(system_server, vendor_default_prop)
+
+# Date: 2019/06/14
+# Operation : when WFD turnning on, turn off hdmi
+allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
+allow system_server mtk_hal_hdmi:binder call;
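Review bot: L14824 applies the file-class macro to a directory, `allow system_server vendor_framework_file:dir r_file_perms;`; r_file_perms does not carry `search`, which is what a dir lookup needs, so the rule should read `allow system_server vendor_framework_file:dir r_dir_perms;`. Several rules are redundant and make the grant set harder to audit: L14846 is a subset of L14759 (debugfs_wakeup_sources), L14874 is subsumed by the rw_dir_perms on L14875, and L14886 reads a property file raw where `get_prop(system_server, mtk_thermal_config_prop)` matches the style of L14841 and L14928. The wifi_prop read at L14828 has the same raw-file shape and would also be clearer as a get_prop.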
diff --git a/r_non_plat/thermal_manager.te b/r_non_plat/thermal_manager.te
new file mode 100644
index 0000000..3bdf75c
--- /dev/null
+++ b/r_non_plat/thermal_manager.te
@@ -0,0 +1,53 @@
+# ==============================================
+# Policy File of /system/bin/thermal_manager Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermal_manager_exec , exec_type, file_type, vendor_file_type;
+type thermal_manager ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(thermal_manager)
+
+allow thermal_manager proc_mtkcooler:dir search;
+allow thermal_manager proc_mtktz:dir search;
+allow thermal_manager proc_thermal:dir search;
+allow thermal_manager proc_mtkcooler:file rw_file_perms;
+allow thermal_manager proc_mtktz:file rw_file_perms;
+allow thermal_manager proc_thermal:file rw_file_perms;
+
+allow thermal_manager thermal_manager_data_file:file create_file_perms;
+allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+allow thermal_manager mediaserver:fd use;
+allow thermal_manager mediaserver:fifo_file { read write };
+allow thermal_manager mediaserver:tcp_socket { read write };
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose :
+allow thermal_manager camera_isp_device:chr_file { read write };
+allow thermal_manager cameraserver:fd use;
+allow thermal_manager kd_camera_hw_device:chr_file { read write };
+allow thermal_manager MTK_SMI_device:chr_file read;
+allow thermal_manager surfaceflinger:fd use;
+set_prop(thermal_manager ,mtk_thermal_config_prop)
+
+# Date : 2019/09/12
+# Operation : Migration
+# Purpose : add sysfs permission
+# path = " sys/devices/virtual/thermal/"
+# path = " sys/class/thermal/"
+allow thermal_manager sysfs_therm:file w_file_perms;
+
+
+
+# Date : WK18.18
+# Operation : P Migration
+# Purpose : Allow thermal_manager to access vendor data file.
+
+allow thermal_manager self:capability { fowner chown };
+
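Review bot: The comment block at L14987-L14990 says "Allow thermal_manager to access vendor data file" but the rule it introduces (L14991) grants the capabilities `fowner` and `chown`, which are not scoped to any file type; the comment should name the files whose ownership is changed so the capability grant can be checked against the thermal_manager_data_file rules at L14961-L14962, and `# Purpose :` at L14970 is left empty. The banner at L14941 describes /system/bin/thermal_manager, yet the exec type at L14946 carries vendor_file_type, so the binary presumably lives under /vendor/bin; the same mismatch appears at L15000 (thermalloadalgod) and L15363 (wmt_loader). Type declarations such as `type thermal_manager_exec , exec_type, ...` put a space before the comma, unlike the rest of the file.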
diff --git a/r_non_plat/thermalloadalgod.te b/r_non_plat/thermalloadalgod.te
new file mode 100644
index 0000000..a0091b4
--- /dev/null
+++ b/r_non_plat/thermalloadalgod.te
@@ -0,0 +1,45 @@
+# ==============================================
+# Policy File of /system/bin/thermalloadalgod_exec Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermalloadalgod ,domain;
+type thermalloadalgod_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(thermalloadalgod)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : thermal algorithm daemon for access driver node
+allow thermalloadalgod input_device:dir { r_dir_perms write };
+allow thermalloadalgod input_device:file r_file_perms;
+
+allow thermalloadalgod thermalloadalgod:netlink_socket { create bind write read};
+
+allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms;
+allow thermalloadalgod thermal_manager_data_file:file create_file_perms;
+allow thermalloadalgod kmsg_device:chr_file write;
+
+# Data : WK16.49
+# Operation : SPA porting
+# Purpose : thermal algorithm daemon for SPA
+# For /proc/[pid]/cgroup accessing
+typeattribute thermalloadalgod mlstrustedsubject;
+allow thermalloadalgod proc:dir { search getattr };
+allow thermalloadalgod shell:dir search;
+allow thermalloadalgod platform_app:dir search;
+allow thermalloadalgod platform_app:file { open read getattr };
+allow thermalloadalgod priv_app:dir search;
+allow thermalloadalgod priv_app:file { open read getattr };
+allow thermalloadalgod system_app:dir search;
+allow thermalloadalgod system_app:file { open read getattr };
+allow thermalloadalgod untrusted_app:dir search;
+allow thermalloadalgod untrusted_app:file { open read getattr };
+allow thermalloadalgod mediaserver:dir search;
+allow thermalloadalgod mediaserver:file { open read getattr };
+allow thermalloadalgod proc_thermal:dir search;
+allow thermalloadalgod proc_thermal:file { open read write getattr };
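Review bot: The comment at L15028 scopes the block to /proc/[pid]/cgroup, but the rules at L15033-L15041 grant `open read getattr` on every `file` object labelled with the app and mediaserver domains; since per-process procfs entries are labelled with the process's domain, that presumably covers all of /proc/[pid]/* for untrusted_app and friends, which is wider than the stated purpose and worth saying in the comment. L15019 spells the subject out as `thermalloadalgod thermalloadalgod:netlink_socket`; the conventional form is `allow thermalloadalgod self:netlink_socket { create bind write read };`, as the other self rules in this series use. The `write` on the input_device dir at L15016 has no explanation next to it and deserves a why-comment.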
diff --git a/r_non_plat/ueventd.te b/r_non_plat/ueventd.te
new file mode 100644
index 0000000..a98faaa
--- /dev/null
+++ b/r_non_plat/ueventd.te
@@ -0,0 +1,14 @@
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow ueventd proc_net:file r_file_perms;
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow ueventd device:chr_file { relabelfrom relabelto };
+allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto };
+allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow ueventd tmpfs:lnk_file r_file_perms;
diff --git a/r_non_plat/uncrypte.te b/r_non_plat/uncrypte.te
new file mode 100644
index 0000000..22efa73
--- /dev/null
+++ b/r_non_plat/uncrypte.te
@@ -0,0 +1,3 @@
+#====================== uncrypt.te ======================
+allow uncrypt para_block_device:blk_file w_file_perms;
+allow uncrypt ota_package_file:file w_file_perms;
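Review bot: The new file is named `r_non_plat/uncrypte.te` while its banner (L15070) and the domain it governs are both `uncrypt`; the trailing "e" looks like a typo and the file should be renamed `uncrypt.te` so it is found alongside the domain it extends. The banner style also differs from every other file in this series, which use the three-line "MTK Policy Rule" header.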
diff --git a/r_non_plat/untrusted_app.te b/r_non_plat/untrusted_app.te
new file mode 100644
index 0000000..040d47f
--- /dev/null
+++ b/r_non_plat/untrusted_app.te
@@ -0,0 +1,12 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# TODO:: Security Issue.
+
+# Date: 2016/02/26
+# Operation: Migration
+# Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures
+# from MTK kernel modules for thermal tests at OEM/ODM.
+allow untrusted_app proc_mtktz:dir search;
+allow untrusted_app proc_mtktz:file r_file_perms;
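Review bot: The file ships `# TODO:: Security Issue.` (L15083) unresolved while the rules at L15089-L15090 grant every untrusted app read access to the MTK thermal-zone procfs nodes. The purpose comment says the access exists for thermal tests at OEM/ODM, so the rules could be limited to debug builds by wrapping them as `userdebug_or_eng(\`` ... `')`, keeping user builds at the AOSP baseline; the same applies to the untrusted_app_25 rules at L15105-L15115. Whichever way it goes, the TODO should be replaced by a comment stating the decision.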
diff --git a/r_non_plat/untrusted_app_25.te b/r_non_plat/untrusted_app_25.te
new file mode 100644
index 0000000..76310d7
--- /dev/null
+++ b/r_non_plat/untrusted_app_25.te
@@ -0,0 +1,19 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : 2017/08/01
+# Operation: SQC
+# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information
+# properly for thermal tests at OEM/ODM.
+allow untrusted_app_25 proc_mtktz:dir search;
+allow untrusted_app_25 proc_mtktz:file r_file_perms;
+allow untrusted_app_25 proc_thermal:dir search;
+allow untrusted_app_25 proc_thermal:file r_file_perms;
+
+allow untrusted_app_25 sysfs_fps:dir search;
+allow untrusted_app_25 sysfs_fps:file r_file_perms;
+allow untrusted_app_25 sysfs_batteryinfo:dir search;
+#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
+allow untrusted_app_25 sysfs_therm:dir r_dir_perms;
+allow untrusted_app_25 sysfs_therm:file r_file_perms;
diff --git a/r_non_plat/update_engine.te b/r_non_plat/update_engine.te
new file mode 100644
index 0000000..e3013f9
--- /dev/null
+++ b/r_non_plat/update_engine.te
@@ -0,0 +1,29 @@
+# MTK Add policy for update_engine
+# Add for update_engine update block device
+allow update_engine preloader_block_device:blk_file rw_file_perms;
+allow update_engine lk_block_device:blk_file rw_file_perms;
+allow update_engine dtbo_block_device:blk_file rw_file_perms;
+allow update_engine tee_block_device:blk_file rw_file_perms;
+allow update_engine vendor_block_device:blk_file rw_file_perms;
+allow update_engine odm_block_device:blk_file rw_file_perms;
+allow update_engine oem_block_device:blk_file rw_file_perms;
+allow update_engine md_block_device:blk_file rw_file_perms;
+allow update_engine dsp_block_device:blk_file rw_file_perms;
+allow update_engine scp_block_device:blk_file rw_file_perms;
+allow update_engine sspm_block_device:blk_file rw_file_perms;
+allow update_engine spmfw_block_device:blk_file rw_file_perms;
+allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
+allow update_engine loader_ext_block_device:blk_file rw_file_perms;
+allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
+allow update_engine para_block_device:blk_file rw_file_perms;
+allow update_engine vbmeta_block_device:blk_file rw_file_perms;
+allow update_engine proc_filesystems:file r_file_perms;
+
+# Add for update_engine call by system_app
+allow update_engine system_app:binder { call transfer };
+
+# Add for update_engine with postinstall
+allow update_engine postinstall_mnt_dir:dir { search getattr open read write search unlink};
+
+# Add for AVB20
+allow update_engine tmpfs:lnk_file read;
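Review bot: L15147 lists `search` twice in `{ search getattr open read write search unlink}` and applies `unlink` to the `dir` class; if the intent is deleting entries under postinstall_mnt_dir, that is `remove_name` on the directory plus `unlink` on the file type, so the rule likely wants `allow update_engine postinstall_mnt_dir:dir { search getattr open read write remove_name };` together with a matching file rule. The block-device list at L15124-L15140 would benefit from a one-line comment per non-obvious partition (e.g. para, cam_vpu) stating why an OTA needs raw read/write to it.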
diff --git a/r_non_plat/vendor_init.te b/r_non_plat/vendor_init.te
new file mode 100644
index 0000000..eef9af4
--- /dev/null
+++ b/r_non_plat/vendor_init.te
@@ -0,0 +1,71 @@
+#allow vendor_init exported3_system_prop:property_service set;
+#allow vendor_init dalvik_prop:property_service set;
+
+#allow vendor_init ffs_prop:property_service set;
+allow vendor_init mediatek_prop:property_service set;
+allow vendor_init mtk_md_version_prop:property_service set;
+allow vendor_init mtk_volte_prop:property_service set;
+allow vendor_init vendor_radio_prop:property_service set;
+allow vendor_init mtk_ril_mode_prop:property_service set;
+allow vendor_init wmt_prop:property_service set;
+allow vendor_init coredump_prop:property_service set;
+allow vendor_init proc_wmtdbg:file w_file_perms;
+#allow vendor_init vold_prop:property_service set;
+
+allow vendor_init proc_bootprof:file write;
+allow vendor_init rootfs:dir { write add_name setattr };
+allow vendor_init self:capability sys_module;
+
+allow vendor_init tmpfs:dir { write create add_name };
+allow vendor_init unlabeled:dir { relabelfrom getattr setattr search };
+allow vendor_init vendor_file:system module_load;
+
+allow vendor_init kmsg_device:chr_file unlink;
+set_prop(vendor_init, persist_mtk_aee_prop)
+set_prop(vendor_init, ro_mtk_aee_prop)
+set_prop(vendor_init, vendor_usb_prop)
+set_prop(vendor_init, mtk_ct_volte_prop)
+set_prop(vendor_init, mtk_gps_support_prop)
+set_prop(vendor_init, mtk_rat_config_prop)
+set_prop(vendor_init, tel_switch_prop)
+set_prop(vendor_init, mtk_aal_ro_prop)
+set_prop(vendor_init, mtk_pq_ro_prop)
+set_prop(vendor_init, mtk_default_prop)
+set_prop(vendor_init, mtk_nn_option_prop)
+
+set_prop(vendor_init, mtk_emmc_support_prop)
+set_prop(vendor_init, mtk_anr_support_prop)
+set_prop(vendor_init, mtk_antutu_prop)
+set_prop(vendor_init, mtk_bt_sap_enable_prop)
+set_prop(vendor_init, coredump_prop)
+
+# allow create symbolic link, /mnt/sdcard, for meta/factory mode
+allow vendor_init tmpfs:lnk_file create;
+
+set_prop(vendor_init, mtk_cxp_vendor_prop)
+
+# Run "ifup lo" to bring up the localhost interface
+allow vendor_init proc_hostname:file w_file_perms;
+allow vendor_init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm vendor_init self:udp_socket ioctl { SIOCSIFFLAGS };
+allow vendor_init self:global_capability_class_set net_raw;
+
+# enhance boot time
+allow vendor_init proc_perfmgr:file write;
+
+# allow create symbolic link, /mnt/sdcard, for meta/factory mode
+allow vendor_init tmpfs:lnk_file create;
+
+set_prop(vendor_init, mtk_appresolutiontuner_prop)
+
+# fullscreen switch
+set_prop(vendor_init, mtk_fullscreenswitch_prop)
+
+# for kernel module verification support, allow vendor domain to search kernel keyring
+allow vendor_init kernel:key search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow vendor_init expdb_block_device:blk_file rw_file_perms;
+
+set_prop(vendor_init, mtk_wifi_hotspot_prop)
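Review bot: L15213-L15214 repeat L15198-L15199 verbatim (comment and rule), and L15167 grants raw `coredump_prop:property_service set` that the `set_prop(vendor_init, coredump_prop)` at L15196 already covers; one copy of each should go. The commented-out rules at L15157-L15160 and L15169 carry no note on why they are kept, so they should either be deleted or annotated. The `sys_module` capability (L15173) and `vendor_file:system module_load` (L15177) grants are strong ones and have no why-comment, unlike the kernel keyring rule at L15221; a comment such as `# vendor_init loads vendor kernel modules from /vendor (.ko files labelled vendor_file)` would let a reviewer check the pair.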
diff --git a/r_non_plat/vendor_shell.te b/r_non_plat/vendor_shell.te
new file mode 100644
index 0000000..46903b0
--- /dev/null
+++ b/r_non_plat/vendor_shell.te
@@ -0,0 +1,5 @@
+# ==============================================
+# MTK Policy Rule
+# =============================================
+# Purpose : allow vendor_shell to run aeev
+allow vendor_shell aee_aedv_exec:file execute_no_trans;
diff --git a/r_non_plat/vold.te b/r_non_plat/vold.te
new file mode 100644
index 0000000..8679bc7
--- /dev/null
+++ b/r_non_plat/vold.te
@@ -0,0 +1,46 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# volume manager
+
+# Date : WK16.19
+# Operation : Migration
+# Purpose : unmount /mnt/cd-rom. It causes by unmountAll() when VolumeManager starts
+allow vold iso9660:filesystem unmount;
+
+# Date : WK16.19
+# Operation : Migration
+# Purpose : vold will traverse /proc when remountUid().
+# It will trigger violation if mtk customize some label in /proc.
+# However, we should ignore the violation if the processes never access the storage.
+dontaudit vold proc_battery_cmd:dir { read open };
+dontaudit vold proc_mtkcooler:dir { read open };
+dontaudit vold proc_mtktz:dir { read open };
+dontaudit vold proc_thermal:dir { read open };
+
+# Date : WK18.30
+# Operation : Migration
+# Purpose : vold create mdlog folder in data for meta mode.
+allow vold mdlog_data_file:dir { create_dir_perms };
+
+allow vold mtd_device:blk_file rw_file_perms;
+
+# dontaudit for fstrim on 'vendor' folder
+dontaudit vold nvdata_file:dir r_dir_perms;
+dontaudit vold nvcfg_file:dir r_dir_perms;
+dontaudit vold protect_f_data_file:dir r_dir_perms;
+dontaudit vold protect_s_data_file:dir r_dir_perms;
+
+# execute mke2fs when format as internal
+allow vold cache_block_device:blk_file getattr;
+allowxperm vold dm_device:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow vold nvcfg_block_device:blk_file getattr;
+allow vold nvdata_device:blk_file getattr;
+allow vold proc_swaps:file r_file_perms;
+allow vold protect1_block_device:blk_file getattr;
+allow vold protect2_block_device:blk_file getattr;
+allow vold proc_swaps:file getattr;
+allow vold swap_block_device:blk_file getattr;
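Review bot: L15289 `allow vold proc_swaps:file getattr;` is redundant with L15286, since r_file_perms already includes getattr, and should be removed. L15269 wraps a macro in braces, `{ create_dir_perms }`, which is harmless but differs from every other macro use in the series; `allow vold mdlog_data_file:dir create_dir_perms;` is the usual form.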
diff --git a/r_non_plat/vold_prepare_subdirs.te b/r_non_plat/vold_prepare_subdirs.te
new file mode 100644
index 0000000..3c531e2
--- /dev/null
+++ b/r_non_plat/vold_prepare_subdirs.te
@@ -0,0 +1,10 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# volume manager
+
+# Date : WK18.42
+# Operation : Migration
+# Purpose : kernel-4.14 migration
+allow vold_prepare_subdirs vendor_configs_file:file map;
diff --git a/r_non_plat/wlan_assistant.te b/r_non_plat/wlan_assistant.te
new file mode 100644
index 0000000..830da67
--- /dev/null
+++ b/r_non_plat/wlan_assistant.te
@@ -0,0 +1,43 @@
+# ==============================================
+# Policy File of /vendor/bin/wlan_assistant Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wlan_assistant_exec , exec_type, file_type, vendor_file_type;
+type wlan_assistant ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(wlan_assistant)
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : for mtk debug mechanism. agpsd_data_file, mtk_agpsd are used
+# to share wifi scan results with AGPS module. netlink_socket is used to
+# listen events of wlan driver. udp_socket is used to do ioctl with wlan driver
+# kernel-3.18 uses netlink_socket, but kernel-4.4 uses generic netlink_socket
+allow wlan_assistant agpsd_data_file:sock_file write;
+allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto;
+allow wlan_assistant agpsd_data_file:dir search;
+allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow wlan_assistant self:udp_socket { create ioctl };
+
+# Date : WK18.17
+# Operation : Migration
+# Purpose : To allow wlan_assistant monitor /vendor/nvdata/APCFG/APRDEB,
+# /storage/sdcard0, /vendor/firmware. Which can help to check if nvram,
+# driver config or firmware config file are changed, if yes, will write it
+# to wlan driver in time.
+# allow wlan_assistant wifi_data_file:file { read getattr open };
+# allow wlan_assistant wifi_data_file:dir { read search getattr open };
+allow wlan_assistant nvdata_file:dir { search read getattr open };
+allow wlan_assistant nvdata_file:file { read getattr open };
+allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
+
+allow wlan_assistant mnt_vendor_file :dir search;
+allow wlan_assistant init:unix_stream_socket connectto;
+allow wlan_assistant property_socket:sock_file write;
+
+set_prop(wlan_assistant, mtk_nvram_ready_prop)
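Review bot: L15352-L15353 (`init:unix_stream_socket connectto` and `property_socket:sock_file write`) are the rules that the `set_prop` macro at L15355 expands to, so they can be dropped in favour of the macro. L15351 has a stray space in `mnt_vendor_file :dir search;`. The commented-out wifi_data_file rules at L15345-L15346 should either be removed or carry a note on why they are retained.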
diff --git a/r_non_plat/wmt_loader.te b/r_non_plat/wmt_loader.te
new file mode 100644
index 0000000..25c9bde
--- /dev/null
+++ b/r_non_plat/wmt_loader.te
@@ -0,0 +1,30 @@
+# ==============================================
+# Policy File of /system/bin/wmt_loader Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wmt_loader ,domain;
+type wmt_loader_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+init_daemon_domain(wmt_loader)
+
+allow wmt_loader self:capability chown;
+
+# Set the property
+set_prop(wmt_loader, wmt_prop)
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/wmtdetect
+allow wmt_loader wmtdetect_device:chr_file rw_file_perms;
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/stpwm
+allow wmt_loader stpwmt_device:chr_file rw_file_perms;
+allow wmt_loader devpts:chr_file rwx_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow wmt_loader proc_wmtdbg:file setattr;
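Review bot: L15387 grants `rwx_file_perms` on the devpts character device, which adds execute permissions a terminal device does not need; `allow wmt_loader devpts:chr_file rw_file_perms;` keeps the grant to what a pty is used for. The `chown` capability at L15377 has no comment saying which nodes wmt_loader changes ownership of, unlike the two device rules below it.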
diff --git a/r_non_plat/zygote.te b/r_non_plat/zygote.te
new file mode 100644
index 0000000..82dedf9
--- /dev/null
+++ b/r_non_plat/zygote.te
@@ -0,0 +1,15 @@
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow zygote proc_ged:file rw_file_perms;
+
+# Date : WK17.02
+# Purpose: Allow to access gpu for memtrack functions
+allow zygote gpu_device:dir search;
+allow zygote gpu_device:chr_file { open read write ioctl getattr};
+
+allow zygote proc_bootprof:file rw_file_perms;
+allow zygote proc_uptime:file rw_file_perms;
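Review bot: L15412 grants `rw_file_perms` on proc_uptime, but /proc/uptime is exposed read-only by the kernel, so the write half of the grant can never be used and only widens the policy; `allow zygote proc_uptime:file r_file_perms;` is sufficient. L15411-L15412 also lack the Date/Purpose comment the rest of the file uses, so it is unclear what in zygote reads bootprof and uptime.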