author | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-10 23:02:54 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-10-10 23:02:54 +0000 |
commit | f5b54c9597773c7a6a0f9415ea57e8eeabf2873c (patch) | |
tree | ebcb19a245da1307f6da3a17f5dc919d1d0aa87f | |
parent | 60e5eae0dc61eb1c05f3a7b0e799b1ddc007b281 (diff) | |
parent | 3d809cd26669fc96816b939701a80df53070277e (diff) | |
download | wembley-sepolicy-f5b54c9597773c7a6a0f9415ea57e8eeabf2873c.tar.gz |
Snap for 6897438 from 3d809cd26669fc96816b939701a80df53070277e to sc-release
Change-Id: If44bb088acd0adcfb30bbaa75270c13fa01fe9f8
39 files changed, 372 insertions, 125 deletions
diff --git a/neverallows/non_plat/app_neverallows.te b/neverallows/non_plat/app_neverallows.te index d66bb15..48d161d 100644 --- a/neverallows/non_plat/app_neverallows.te +++ b/neverallows/non_plat/app_neverallows.te @@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{ hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain + mtk_safe_hwservice_manager_type }:hwservice_manager find; # Restrict *Binder access from apps to HAL domains. We can only do this on full @@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{ # restricted. full_treble_only(` neverallow all_untrusted_apps { - hwservice_manager_type + halserverdomain + -coredomain + -hal_cas_server + -hal_codec2_server + -hal_configstore_server + -hal_drm_server + -hal_graphics_allocator_server + -hal_neuralnetworks_server + -hal_omx_server + -mtk_safe_halserverdomain_type }:binder { call transfer }; ') diff --git a/neverallows/plat_private/app_neverallows.te b/neverallows/plat_private/app_neverallows.te index 6992f83..92a48bd 100644 --- a/neverallows/plat_private/app_neverallows.te +++ b/neverallows/plat_private/app_neverallows.te @@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{ hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain + mtk_safe_hwservice_manager_type }:hwservice_manager find; # Restrict *Binder access from apps to HAL domains. We can only do this on full 
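Review bot: The new `mtk_safe_hwservice_manager_type` entry in the `hwservice_manager find` exception list, and `-mtk_safe_halserverdomain_type` in the `binder { call transfer }` neverallow of the next hunk, are open-ended attribute exemptions: any type later tagged with either attribute silently falls outside the untrusted-app neverallow. Unlike the neighbouring entries, neither carries a comment; I would add one such as `# vendor HALs reviewed as safe for untrusted apps; tagging a type exposes it to all_untrusted_apps`. Where the two attributes are declared is not visible in this part of the diff, so the set of tagged types cannot be checked from here. The identical change is repeated in the plat_private and plat_public copies of app_neverallows.te.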
@@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{ # restricted. full_treble_only(` neverallow all_untrusted_apps { - hwservice_manager_type + halserverdomain + -coredomain + -hal_cas_server + -hal_codec2_server + -hal_configstore_server + -hal_drm_server + -hal_graphics_allocator_server + -hal_neuralnetworks_server + -hal_omx_server + -mtk_safe_halserverdomain_type }:binder { call transfer }; ') diff --git a/neverallows/plat_public/app_neverallows.te b/neverallows/plat_public/app_neverallows.te index d66bb15..48d161d 100644 --- a/neverallows/plat_public/app_neverallows.te +++ b/neverallows/plat_public/app_neverallows.te @@ -58,6 +58,7 @@ neverallow all_untrusted_apps ~{ hidl_manager_hwservice # coredomain_hwservice. Designed for use by any domain hidl_memory_hwservice # coredomain_hwservice. Designed for use by any domain hidl_token_hwservice # coredomain_hwservice. Designed for use by any domain + mtk_safe_hwservice_manager_type }:hwservice_manager find; # Restrict *Binder access from apps to HAL domains. We can only do this on full @@ -65,6 +66,15 @@ neverallow all_untrusted_apps ~{ # restricted. full_treble_only(` neverallow all_untrusted_apps { - hwservice_manager_type + halserverdomain + -coredomain + -hal_cas_server + -hal_codec2_server + -hal_configstore_server + -hal_drm_server + -hal_graphics_allocator_server + -hal_neuralnetworks_server + -hal_omx_server + -mtk_safe_halserverdomain_type }:binder { call transfer }; ') diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te index e802754..d8f8037 100644 --- a/non_plat/aee_aedv.te +++ b/non_plat/aee_aedv.te 
@@ -118,27 +118,27 @@ allow aee_aedv crash_dump:file r_file_perms; allow aee_aedv vendor_file:file execute_no_trans; # Purpose: debugfs files -allow aee_aedv debugfs_binder:dir { read open }; -allow aee_aedv debugfs_binder:file { read open }; -allow aee_aedv debugfs_blockio:file { read open }; +allow aee_aedv debugfs_binder:dir r_dir_perms; +allow aee_aedv debugfs_binder:file r_file_perms; +allow aee_aedv debugfs_blockio:file r_file_perms; allow aee_aedv debugfs_fb:dir search; -allow aee_aedv debugfs_fb:file { read open }; +allow aee_aedv debugfs_fb:file r_file_perms; allow aee_aedv debugfs_fuseio:dir search; -allow aee_aedv debugfs_fuseio:file { read open }; +allow aee_aedv debugfs_fuseio:file r_file_perms; allow aee_aedv debugfs_ged:dir search; -allow aee_aedv debugfs_ged:file { read open }; +allow aee_aedv debugfs_ged:file r_file_perms; allow aee_aedv debugfs_rcu:dir search; -allow aee_aedv debugfs_shrinker_debug:file { read open }; -allow aee_aedv debugfs_wakeup_sources:file { read open }; -allow aee_aedv debugfs_dmlog_debug:file { read open }; -allow aee_aedv debugfs_page_owner_slim_debug:file { read open }; +allow aee_aedv debugfs_shrinker_debug:file r_file_perms; +allow aee_aedv debugfs_wakeup_sources:file r_file_perms; +allow aee_aedv debugfs_dmlog_debug:file r_file_perms; +allow aee_aedv debugfs_page_owner_slim_debug:file r_file_perms; allow aee_aedv debugfs_ion_mm_heap:dir search; allow aee_aedv debugfs_ion_mm_heap:file r_file_perms; allow aee_aedv debugfs_ion_mm_heap:lnk_file read; allow aee_aedv debugfs_cpuhvfs:dir search; -allow aee_aedv debugfs_cpuhvfs:file { read open }; -allow aee_aedv debugfs_emi_mbw_buf:file { read open }; -allow aee_aedv debugfs_vpu_device_dbg:file { read open }; +allow aee_aedv debugfs_cpuhvfs:file r_file_perms; +allow aee_aedv debugfs_emi_mbw_buf:file r_file_perms; +allow aee_aedv debugfs_vpu_device_dbg:file r_file_perms; allow aee_aedv debugfs_vpu_memory:file r_file_perms; allow aee_aedv 
debugfs_apusys_midware_register_all:file r_file_perms; allow aee_aedv debugfs_apusys_mdla_memory:file r_file_perms; @@ -465,3 +465,17 @@ allow aee_aedv proc_log_much:file r_file_perms; # Purpose: Allow aee_aedv to read /sys/kernel/tracing/instances/mmstat/trace allow aee_aedv debugfs_tracing_instances:dir r_dir_perms; allow aee_aedv debugfs_tracing_instances:file r_file_perms; + +allow aee_aedv binderfs_logs:dir r_dir_perms; +allow aee_aedv binderfs_logs:file r_file_perms; + +allow aee_aedv proc_ion:dir r_dir_perms; +allow aee_aedv proc_ion:file r_file_perms; +allow aee_aedv proc_m4u_dbg:dir r_dir_perms; +allow aee_aedv proc_m4u_dbg:file r_file_perms; +allow aee_aedv proc_mtkfb:file r_file_perms; + +allow aee_aedv debugfs_cmdq:file r_file_perms; + +allow aee_aedv sysfs_dvfsrc_dbg:dir r_dir_perms; +allow aee_aedv sysfs_dvfsrc_dbg:file r_file_perms; diff --git a/non_plat/aee_hidl.te b/non_plat/aee_hidl.te index d7d97f0..49536fb 100644 --- a/non_plat/aee_hidl.te +++ b/non_plat/aee_hidl.te @@ -5,6 +5,9 @@ type aee_hal,domain; type aee_hal_exec, exec_type, file_type, vendor_file_type; typeattribute aee_hal mlstrustedsubject; # Purpose : for create hidl server +allow aee_hal aee_exp_vendor_file:dir w_dir_perms; +allow aee_hal aee_exp_vendor_file:file create_file_perms; +allow aee_hal aee_exp_data_file:file { read write }; hal_server_domain(aee_hal, mtk_hal_aee) # ============================================== # MTK Policy Rule diff --git a/non_plat/app.te b/non_plat/app.te index 5d1d8ac..776ea4b 100644 --- a/non_plat/app.te +++ b/non_plat/app.te 
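Review bot: Replacing `{ read open }` with `r_file_perms` on the debugfs types in the `@@ -118,27 +118,27 @@` hunk is not a pure cleanup: the macro also grants `getattr`, `ioctl`, `lock` and `map`, so aee_aedv gains permissions on every debugfs node listed. If the goal was only to silence getattr denials, `{ getattr open read }` keeps the grant minimal; otherwise a comment such as `# r_file_perms needed: <reason>` would record why the wider set is wanted. The dumpstate.te hunk at `@@ -14,36 +14,36 @@` makes the same substitution.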
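Review bot: The three new `allow aee_hal …` rules in aee_hidl.te sit between the `# Purpose : for create hidl server` comment and the `hal_server_domain(aee_hal, mtk_hal_aee)` line that comment described, so the comment now appears to justify write access to `aee_exp_vendor_file` and `aee_exp_data_file`. Move them below the macro under their own header, e.g. `# Purpose : aee_hal writes exception dumps under aee_exp_vendor_file`, if that is the reason. `aee_exp_data_file:file { read write }` without `open` suggests the file arrives as a passed descriptor; that is worth stating in the comment, since aee_hal is also `mlstrustedsubject`.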
@@ -7,15 +7,16 @@ allow appdomain proc_ged:file rw_file_perms; allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls }; +# Data : WK16.42 +# Operator: Whitney bring up +# Purpose: call surfaceflinger due to powervr +allow appdomain surfaceflinger:fifo_file rw_file_perms; + # Date : W16.42 # Operation : Integration # Purpose : DRM / DRI GPU driver required allow appdomain gpu_device:dir search; -# Date : W17.30 -# Purpose : Allow MDP user access cmdq driver -allow appdomain mtk_cmdq_device:chr_file {open read ioctl}; - # Date : W17.41 # Operation: SQC # Purpose : Allow HWUI to access perfmgr @@ -28,13 +29,6 @@ allowxperm appdomain proc_perfmgr:file ioctl { PERFMGR_FPSGO_BQID }; -# Date : W19.4 -# Purpose : Allow MDP user access mdp driver -allow appdomain mdp_device:chr_file rw_file_perms; -allow appdomain mtk_mdp_device:chr_file rw_file_perms; -allow appdomain mtk_mdp_sync:chr_file rw_file_perms; -allow appdomain sw_sync_device:chr_file rw_file_perms; - # Date : W19.23 # Operation : Migration # Purpose : For platform app com.android.gallery3d @@ -44,3 +38,13 @@ allow { appdomain -isolated_app } radio_data_file:file rw_file_perms; # Operation : Migration # Purpose : For app com.tencent.qqpimsecure allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START; + +# Date : W20.26 +# Operation : Migration +# Purpose : For apps other than isolated_app call hidl +hwbinder_use({ appdomain -isolated_app }) +get_prop({ appdomain -isolated_app }, hwservicemanager_prop) +allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find; +binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type) +binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app }) +allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find; diff --git a/non_plat/appdomain.te b/non_plat/appdomain.te deleted file mode 100644 index 3311b98..0000000 --- a/non_plat/appdomain.te +++ /dev/null 
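Review bot: The W20.26 block at the end of app.te gives every app domain except isolated_app, untrusted apps included, hwbinder access and `binder_call` to anything in `mtk_safe_halserverdomain_type`, and `binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })` additionally lets those HAL servers initiate calls into every app. The reverse direction is only needed for callbacks; if the HALs behind the attribute do not register app callbacks it should be dropped. The header says only "call hidl"; it should name the HALs it is for, e.g. `# Purpose : apps reach the MMS HAL instead of opening the mdp/cmdq device nodes directly`, if that is the intent behind removing the device rules earlier in this file.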
@@ -1,8 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -# Data : WK16.42 -# Operator: Whitney bring up -# Purpose: call surfaceflinger due to powervr -allow appdomain surfaceflinger:fifo_file rw_file_perms; diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te index 1adf671..3ca0b46 100644 --- a/non_plat/atci_service.te +++ b/non_plat/atci_service.te @@ -109,10 +109,10 @@ allow atci_service fwk_sensor_hwservice:hwservice_manager find; allow atci_service hidl_allocator_hwservice:hwservice_manager find; allow atci_service hidl_memory_hwservice:hwservice_manager find; allow atci_service ion_device:chr_file { read ioctl open }; -allow atci_service mtk_cmdq_device:chr_file { read ioctl open }; -allow atci_service mtk_mdp_device:chr_file rw_file_perms; -allow atci_service mtk_mdp_sync:chr_file rw_file_perms; -allow atci_service sw_sync_device:chr_file rw_file_perms; +allow atci_service mtk_cmdq_device:chr_file r_file_perms; +allow atci_service mtk_mdp_device:chr_file r_file_perms; +allow atci_service mtk_mdp_sync:chr_file r_file_perms; +allow atci_service sw_sync_device:chr_file r_file_perms; hal_client_domain(atci_service, hal_power) allow atci_service sysfs_batteryinfo:dir search; allow atci_service sysfs_batteryinfo:file { read getattr open }; diff --git a/non_plat/bluetooth.te b/non_plat/bluetooth.te index 257f85e..7ef4418 100644 --- a/non_plat/bluetooth.te +++ b/non_plat/bluetooth.te @@ -17,3 +17,11 @@ allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms }; # Date: 2019/09/19 allow bluetooth mtk_hal_bluetooth_audio_hwservice:hwservice_manager find; + +# Date : 2020/06/11 +# Operation : allow bt native process to access driver debug node and set kernel thread priority +# Purpose: allow bt native process to access driver debug node and set kernel thread priority +allow bluetooth proc_btdbg:file rw_file_perms; +allow bluetooth kernel:process setsched; + + 
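Review bot: Dropping `write` on `mtk_mdp_device`, `mtk_mdp_sync` and `sw_sync_device` in atci_service.te is a tightening, but `r_file_perms` still includes `ioctl` and no `allowxperm` for these character devices is visible, so the full ioctl command set of the cmdq/mdp drivers stays reachable from atci_service. Consider pairing each rule with an `allowxperm … ioctl { … }` list built from ioctl_defines, as app.te already does for `proc_ged`. The same pattern recurs in factory.te, mediacodec.te, mediaserver.te and hal_graphics_composer_default.te.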
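Review bot: `allow bluetooth kernel:process setsched;` in bluetooth.te lets the bluetooth domain change the scheduling of any thread labelled `kernel`, not only the BT driver's thread, and `proc_btdbg:file rw_file_perms` opens a driver debug node for writing on every build type. If the debug node is only needed during bring-up, wrap that rule in the `userdebug_or_eng` macro; the setsched grant deserves a comment naming the kernel thread it is meant for. The Operation and Purpose lines are identical text, and the hunk leaves two blank lines at end of file.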
diff --git a/non_plat/ccci_mdinit.te b/non_plat/ccci_mdinit.te index 750b36f..47a4e6d 100644 --- a/non_plat/ccci_mdinit.te +++ b/non_plat/ccci_mdinit.te @@ -101,3 +101,8 @@ allow ccci_mdinit block_device:dir search; allow ccci_mdinit metadata_file:dir search; allow ccci_mdinit proc_cmdline:file r_file_perms; allow ccci_mdinit sysfs_dt_firmware_android:dir search; + +# Date : 2020-07-06 +# Purpose: no trigger avc log when call nvram api +dontaudit ccci_mdinit gsi_metadata_file:dir search; + diff --git a/non_plat/device.te b/non_plat/device.te index 5a64882..bd1896e 100644 --- a/non_plat/device.te +++ b/non_plat/device.te @@ -281,3 +281,8 @@ type m_bio_misc_device, dev_type; # Operation : Migration # Purpose : Add permission for gpu access type dri_device, dev_type, mlstrustedobject; + +# Date : 2020/07/16 +# Operation : R Migration +# Purpose : Add permission for adsp access +type adsp_misc_device, dev_type; diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te index cc3c3ad..22cae01 100644 --- a/non_plat/dumpstate.te +++ b/non_plat/dumpstate.te 
@@ -14,36 +14,36 @@ allow dumpstate aee_exp_data_file:dir { w_dir_perms }; allow dumpstate aee_exp_data_file:file { create_file_perms }; # Purpose: debugfs files -allow dumpstate debugfs_binder:dir { read open }; -allow dumpstate debugfs_binder:file { read open }; -allow dumpstate debugfs_blockio:file { read open }; +allow dumpstate debugfs_binder:dir r_dir_perms; +allow dumpstate debugfs_binder:file r_file_perms; +allow dumpstate debugfs_blockio:file r_file_perms; allow dumpstate debugfs_fb:dir search; -allow dumpstate debugfs_fb:file { read open }; +allow dumpstate debugfs_fb:file r_file_perms; allow dumpstate debugfs_fuseio:dir search; -allow dumpstate debugfs_fuseio:file { read open }; +allow dumpstate debugfs_fuseio:file r_file_perms; allow dumpstate debugfs_ged:dir search; -allow dumpstate debugfs_ged:file { read open }; +allow dumpstate debugfs_ged:file r_file_perms; allow dumpstate debugfs_rcu:dir search; -allow dumpstate debugfs_shrinker_debug:file { read open }; -allow dumpstate debugfs_wakeup_sources:file { read open }; -allow dumpstate debugfs_dmlog_debug:file { read open }; -allow dumpstate debugfs_page_owner_slim_debug:file { read open }; +allow dumpstate debugfs_shrinker_debug:file r_file_perms; +allow dumpstate debugfs_wakeup_sources:file r_file_perms; +allow dumpstate debugfs_dmlog_debug:file r_file_perms; +allow dumpstate debugfs_page_owner_slim_debug:file r_file_perms; allow dumpstate debugfs_ion_mm_heap:dir search; -allow dumpstate debugfs_ion_mm_heap:file { read open }; +allow dumpstate debugfs_ion_mm_heap:file r_file_perms; allow dumpstate debugfs_ion_mm_heap:lnk_file read; allow dumpstate debugfs_cpuhvfs:dir search; -allow dumpstate debugfs_cpuhvfs:file { read open }; -allow dumpstate debugfs_vpu_device_dbg:file { read open }; +allow dumpstate debugfs_cpuhvfs:file r_file_perms; +allow dumpstate debugfs_vpu_device_dbg:file r_file_perms; # Purpose: /sys/kernel/ccci/md_chn allow dumpstate sysfs_ccci:dir search; -allow dumpstate sysfs_ccci:file { 
read open }; +allow dumpstate sysfs_ccci:file r_file_perms; # Purpose: leds status allow dumpstate sysfs_leds:lnk_file read; # Purpose: /sys/module/lowmemorykiller/parameters/adj -allow dumpstate sysfs_lowmemorykiller:file { read open }; +allow dumpstate sysfs_lowmemorykiller:file r_file_perms; allow dumpstate sysfs_lowmemorykiller:dir search; # Purpose: /dev/block/mmcblk0p10 @@ -188,3 +188,11 @@ hal_client_domain(dumpstate, hal_light) #Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace allow dumpstate debugfs_tracing_instances:dir r_dir_perms; allow dumpstate debugfs_tracing_instances:file r_file_perms; + +allow dumpstate proc_ion:dir r_dir_perms; +allow dumpstate proc_ion:file r_file_perms; +allow dumpstate proc_m4u_dbg:dir r_dir_perms; +allow dumpstate proc_m4u_dbg:file r_file_perms; +allow dumpstate proc_mtkfb:file r_file_perms; + +allow dumpstate debugfs_cmdq:file r_file_perms; diff --git a/non_plat/factory.te b/non_plat/factory.te index ddf43c9..4d56052 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te @@ -203,6 +203,13 @@ allow factory camera_owe_device:chr_file rw_file_perms; allow factory camera_mfb_device:chr_file rw_file_perms; hal_client_domain(factory, hal_power) get_prop(factory, vendor_mtk_mediatek_prop) +# Date: 2020/07/20 +# Operation : For M4U security +allow factory proc_m4u:file r_file_perms; +allowxperm factory proc_m4u:file ioctl { + MTK_M4U_T_SEC_INIT + MTK_M4U_T_CONFIG_PORT +}; #Purpose: For FM test and headset test allow factory accdet_device:chr_file r_file_perms; 
@@ -281,10 +288,10 @@ hal_client_domain(factory, hal_nfc); # Date : WK17.32 # Operation : O Migration # Purpose: Allow to access cmdq driver -allow factory mtk_cmdq_device:chr_file { read ioctl open }; -allow factory mtk_mdp_device:chr_file rw_file_perms; -allow factory mtk_mdp_sync:chr_file rw_file_perms; -allow factory sw_sync_device:chr_file rw_file_perms; +allow factory mtk_cmdq_device:chr_file r_file_perms; +allow factory mtk_mdp_device:chr_file r_file_perms; +allow factory mtk_mdp_sync:chr_file r_file_perms; +allow factory sw_sync_device:chr_file r_file_perms; # Date: WK1733 # Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode @@ -428,3 +435,4 @@ allow factory factory_vendor_file:dir { w_dir_perms }; # Purpose : Add permission for health HAL and vbus hal_client_domain(factory, hal_health); allow factory sysfs_vbus:file r_file_perms; +allow factory sysfs_chg2_present:file r_file_perms; diff --git a/non_plat/file.te b/non_plat/file.te index a7f0486..2610fde 100644 --- a/non_plat/file.te +++ b/non_plat/file.te @@ -269,6 +269,9 @@ type debugfs_gpu_mali_utgard, fs_type, debugfs_type; type debugfs_gpu_img, fs_type, debugfs_type; type debugfs_ion, fs_type, debugfs_type; +# memtrack procfs file +type procfs_gpu_img, fs_type, proc_type; + # /sys/kernel/debug/ion/ion_mm_heap type debugfs_ion_mm_heap, fs_type, debugfs_type; @@ -320,6 +323,7 @@ type sysfs_usb_nonplat, fs_type, sysfs_type; # Date : WK1820 # Purpose : for charger to access pump_express type sysfs_pump_express, fs_type, sysfs_type; +type sysfs_chg2_present, fs_type, sysfs_type; # Widevine move data/mediadrm folder from system to vendor type mediadrm_vendor_data_file, file_type, data_file_type; 
@@ -346,10 +350,6 @@ type rilproxy_atci_socket, file_type; type atci_service_socket, file_type; type adb_atci_socket, file_type; -# Date : 2018/11/01 -# Purpose : mtk EM c2k bypass read usb file -type sys_usb_rawbulk, fs_type, sysfs_type; - # Backlight brightness file type sysfs_leds_setting, fs_type, sysfs_type; @@ -492,3 +492,34 @@ type sysfs_cache_status, fs_type, sysfs_type; # Date : 2020/06/12 # Purpose: define sysfs_mali_power_policy fs_type type sysfs_mali_power_policy, fs_type, sysfs_type; + +# Date : 2020/06/12 +# Operation: R migration +# Purpose: Allow powerhal to control displowpower +type proc_displowpower, fs_type, proc_type; + +# Date : 2020/06/29 +# Operation: R migration +# Purpose: Add permission for access /proc/ion/* +type proc_ion, fs_type, proc_type; + +# Date : 2020/07/01 +# Operation: R migration +# Purpose: Add permission for access /proc/m4u_dbg/* +type proc_m4u_dbg, fs_type, proc_type; + +# Date : 20120/07/02 +# Purpose: define sysfs_mtk_nanohub_state fs_type +type sysfs_mtk_nanohub_state, fs_type, sysfs_type; + +type proc_mtkfb, fs_type, proc_type; + +# Date : 2020/07/08 +# Purpose: add permission for /proc/sys/vm/swappiness +type proc_swappiness, fs_type, proc_type; + +type debugfs_cmdq, fs_type, debugfs_type; + +# Date : 20120/07/13 +# Purpose: define sysfs_dvfsrc_dbg fs_type +type sysfs_dvfsrc_dbg, fs_type, sysfs_type; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index fd38259..ce9ad69 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts @@ -550,6 +550,9 @@ # W19.23 Q new feature - Userdata Checkpoint /dev/block/by-name/md_udc u:object_r:metadata_block_device:s0 +# W20.29 R migration - ADSP for tablet +/dev/adsp_misc(/.*)? u:object_r:adsp_misc_device:s0 + ############################# # System files # 
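Review bot: In the `@@ -492,3 +492,34 @@` hunk of file.te, `proc_mtkfb` and `debugfs_cmdq` are declared without the Date/Purpose header that the other new types carry, and two headers give the date as `20120/07/02` and `20120/07/13`, which look like typos for 2020. I would add `# Purpose: label /proc/mtkfb for aee_aedv and dumpstate` and `# Purpose: label debugfs cmdq/cmdq-status and cmdq/cmdq-record` and fix the two dates. `proc_displowpower` and `proc_swappiness` have no allow rule in the part of the diff shown here, so their consumers are presumably in files outside this view.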
@@ -620,7 +623,7 @@ #PQ hal /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0 #MMS hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.4-service u:object_r:mtk_hal_mms_exec:s0 +/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.5-service u:object_r:mtk_hal_mms_exec:s0 # Keymaster Attestation Hal /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0 #ST NFC 1.2 hidl service @@ -670,6 +673,8 @@ /vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgralloc_metadata\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgralloctypes_mtk\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 @@ -680,6 +685,7 @@ /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.mediatek\.hardware\.mms@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 
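Review bot: Labelling `vendor.mediatek.hardware.mms@[0-9].[0-9].so` as `same_process_hal_file` in the `@@ -680,6 +685,7 @@` hunk makes the library loadable inside client processes, which with the app.te changes in this commit presumably means app processes; the entry has no comment saying so. A line such as `# MMS HIDL client library, loaded in-process by apps` above it would make the exposure explicit. The version pattern `@[0-9]\.[0-9]` matches only single-digit versions (as the existing pq entry does), whereas the boot-control entry added later in this file uses `[0-9]+\.[0-9]+`; the latter form avoids a two-digit version silently falling back to the default vendor label.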
@@ -747,3 +753,8 @@ # Operation: R migration # Purpose : Add permission for acess vendor_de. /data/vendor_de/factory(/.*)? u:object_r:factory_vendor_file:s0 + +# Date: 2020/06/16 +# Operation: R migration +# Purpose: Add permission for boot control lazy HAL +/vendor/bin/hw/android\.hardware\.boot@[0-9]+\.[0-9]+-service-lazy u:object_r:hal_bootctl_default_exec:s0 diff --git a/non_plat/genfs_contexts b/non_plat/genfs_contexts index 9b78eef..8eb8e9d 100644 --- a/non_plat/genfs_contexts +++ b/non_plat/genfs_contexts @@ -39,6 +39,7 @@ genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0 genfscon proc /pidmap u:object_r:proc_pidmap:s0 genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0 genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0 +genfscon proc /mtk_cmdq_debug/record u:object_r:proc_cmdq_debug:s0 genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0 # Purpose dump not exit file 
@@ -78,11 +79,14 @@ genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:o genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0 genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0 +genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/present u:object_r:sysfs_chg2_present:s0 genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/soc/11016000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0 
@@ -96,7 +100,8 @@ genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_non genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0 genfscon sysfs /devices/platform/soc/usb0/cmode u:object_r:sysfs_usb_nonplat:s0 genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0 -genfscon sysfs /devices/platform/soc/usb0/xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0 genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0 genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0 
@@ -130,26 +135,31 @@ genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0 genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/soc/soc:regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/soc/soc:pwm_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0 genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/pwmleds/leds u:object_r:sysfs_leds:s0 genfscon sysfs /devices/platform/disp_leds/leds u:object_r:sysfs_leds:s0 -# Date : 2018/11/01 -# Purpose : mtk EM c2k bypass read usb file -genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0 #Date : 2018/11/22 #Purpose: allow mdlogger to read mdinfo file genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0 # Date : 2019/07/03 -# Purpose: SIU update mmcblk access -genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 -genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 -genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 -genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 -genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 -genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +# Purpose: SIU update sysfs_devices_block access for emmc and ufs +genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 
u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0 # Date : 2019/07/12 # Purpose:dumpstate mmcblk1 access 
@@ -294,8 +304,8 @@ genfscon sysfs /firmware/devicetree/base/chosen/atag,chipid u:object_r:sysfs_chi # Date : 2019/10/18 # Purpose : allow system_server to access rt5509 param and calib node -genfscon sysfs /devices/platform/rt5509_param.0 u:object_r:sysfs_rt_param:s0 -genfscon sysfs /devices/virtual/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0 +genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_param.0 u:object_r:sysfs_rt_param:s0 +genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0 # 2019/11/14 # Purpose: Allow powerhal to control MCDI 
@@ -338,3 +348,60 @@ genfscon sysfs /kernel/gbe u:object_r:sysfs_gbe:s0 # Date : 2020/06/12 # Purpose : Allow powerhal to control mali power policy genfscon sysfs /class/misc/mali0/device/power_policy u:object_r:sysfs_mali_power_policy:s0 + +# 2020/06/12 +# Operation: R migration +# Purpose: Allow powerhal to control displowpower +genfscon proc /displowpower u:object_r:proc_displowpower:s0 + +# Date : WK20.25 +# Operation: R migration +# Purpose : for VTS NetdSELinuxTest.CheckProperMTULabels requirement. +genfscon sysfs /devices/platform/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/p2p1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p1/mtu u:object_r:sysfs_net:s0 + +# 2020/06/29 +# Operation: R migration +# Purpose: Add permission for access /proc/ion/* +genfscon proc /ion u:object_r:proc_ion:s0 + +# 2020/07/01 +# Operation: R migration +# Purpose: Add permission for access /proc/m4u_dbg/* +genfscon proc /m4u_dbg u:object_r:proc_m4u_dbg:s0 + +# Date : 2020/07/02 +# Purpose : mtk nanohub sensor state detect +genfscon sysfs /bus/platform/drivers/mtk_nanohub/state 
u:object_r:sysfs_mtk_nanohub_state:s0 + +genfscon proc /mtkfb u:object_r:proc_mtkfb:s0 + +# 2020/07/07 +# Operation: R migration +# Purpose: Add permission for access /proc/pvr/* +genfscon proc /pvr u:object_r:procfs_gpu_img:s0 + +# Date : 2020/07/08 +# Purpose: add permission for /proc/sys/vm/swappiness +genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 + +genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0 +genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0 + +# Date : 2020/07/13 +# Purpose : Add permission for access dvfsrc dbg sysfs +genfscon sysfs /devices/platform/10012000.dvfsrc/helio-dvfsrc u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0 diff --git a/non_plat/hal_graphics_composer_default.te b/non_plat/hal_graphics_composer_default.te index 03bd5c7..58e3210 100644 --- a/non_plat/hal_graphics_composer_default.te +++ b/non_plat/hal_graphics_composer_default.te @@ -25,7 +25,7 @@ allow hal_graphics_composer_default debugfs_tracing:file open; # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver -allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open }; +allow hal_graphics_composer_default mtk_cmdq_device:chr_file r_file_perms; # Date : W17.30 # Add for control PowerHAL 
@@ -41,8 +41,8 @@ set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_validate_separat # Date : WK18.03 # Purpose: Allow to access property dev/mdp_sync -allow hal_graphics_composer_default mtk_mdp_sync:chr_file rw_file_perms; -allow hal_graphics_composer_default mtk_mdp_device:chr_file rw_file_perms; +allow hal_graphics_composer_default mtk_mdp_sync:chr_file r_file_perms; +allow hal_graphics_composer_default mtk_mdp_device:chr_file r_file_perms; allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms; allow hal_graphics_composer_default tee_device:chr_file rw_file_perms; allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls }; diff --git a/non_plat/hal_memtrack_default.te b/non_plat/hal_memtrack_default.te index 8594ac3..5a75130 100644 --- a/non_plat/hal_memtrack_default.te +++ b/non_plat/hal_memtrack_default.te @@ -7,3 +7,11 @@ allow hal_memtrack debugfs_gpu_img:dir search; allow hal_memtrack debugfs_gpu_img:file {open read getattr }; allow hal_memtrack debugfs_ion:dir rw_dir_perms; allow hal_memtrack debugfs_ion:file {open read getattr }; +allow hal_memtrack procfs_gpu_img:dir search; +allow hal_memtrack procfs_gpu_img:file r_file_perms; + +# Date : 2020/06/29 +# Operation: R migration +# Purpose: Add permission for access /proc/ion/* +allow hal_memtrack proc_ion:dir r_dir_perms; +allow hal_memtrack proc_ion:file r_file_perms; diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te index 6d26890..887fc26 100644 --- a/non_plat/hwservice.te +++ b/non_plat/hwservice.te @@ -41,7 +41,7 @@ type mtk_hal_em_hwservice, hwservice_manager_type; # Date: 2018/07/02 # MMS HIDL -type mtk_hal_mms_hwservice, hwservice_manager_type; +type mtk_hal_mms_hwservice, hwservice_manager_type, mtk_safe_hwservice_manager_type; type hal_atci_hwservice, hwservice_manager_type; type mtk_hal_keymanage_hwservice, hwservice_manager_type; diff --git a/non_plat/ioctl_defines b/non_plat/ioctl_defines index 4204989..06bf7b0 100644 
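Review bot: Tagging `mtk_hal_mms_hwservice` with `mtk_safe_hwservice_manager_type` needs a written justification next to the declaration, because the attribute name and the neverallow changes earlier in this commit indicate that it exempts the service from the restriction on what untrusted apps may find. The domain tag `mtk_safe_halserverdomain_type` in mtk_hal_mms.te and the attribute definitions in plat_public/attributes have the same gap: `# All types used for mtk's safe hwservice` does not say what makes a type safe. The mtk_hal_mms domain holds access to graphics, ion, cmdq/mdp and apusys device nodes in this same commit, so anything reachable through it from an app should be reviewed as app-facing attack surface. I would add above the type line something like `# App-reachable: exempt from the untrusted-app hwservice neverallow; <interface review reference>`.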
--- a/non_plat/ioctl_defines +++ b/non_plat/ioctl_defines @@ -71,3 +71,5 @@ define(`MTK_M4U_T_DMA_OP', `0x671d') define(`MTK_M4U_T_SEC_INIT', `0x6732') define(`MTK_M4U_T_CONFIG_PORT_ARRAY', `0x671a') define(`MTK_M4U_T_CACHE_SYNC', `0x670a') +define(`MTK_M4U_GZ_SEC_INIT', `0x673c') + diff --git a/non_plat/mediacodec.te b/non_plat/mediacodec.te index 2be21d7..853da9b 100644 --- a/non_plat/mediacodec.te +++ b/non_plat/mediacodec.te @@ -114,10 +114,10 @@ allow mediacodec debugfs_ion:dir search; # Date : WK17.30 # Operation : O Migration # Purpose: Allow mediacodec to access cmdq driver -allow mediacodec mtk_cmdq_device:chr_file { read ioctl open }; -allow mediacodec mtk_mdp_device:chr_file rw_file_perms; -allow mediacodec mtk_mdp_sync:chr_file rw_file_perms; -allow mediacodec sw_sync_device:chr_file rw_file_perms; +allow mediacodec mtk_cmdq_device:chr_file r_file_perms; +allow mediacodec mtk_mdp_device:chr_file r_file_perms; +allow mediacodec mtk_mdp_sync:chr_file r_file_perms; +allow mediacodec sw_sync_device:chr_file r_file_perms; # Date : WK17.28 # Operation : MT6757 SQC diff --git a/non_plat/mediaserver.te b/non_plat/mediaserver.te index 6f88644..4b8fb26 100644 --- a/non_plat/mediaserver.te +++ b/non_plat/mediaserver.te @@ -292,9 +292,9 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms; # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver -allow mediaserver mtk_cmdq_device:chr_file { read ioctl open }; -allow mediaserver mtk_mdp_device:chr_file rw_file_perms; -allow mediaserver mtk_mdp_sync:chr_file rw_file_perms; +allow mediaserver mtk_cmdq_device:chr_file r_file_perms; +allow mediaserver mtk_mdp_device:chr_file r_file_perms; +allow mediaserver mtk_mdp_sync:chr_file r_file_perms; # Date : WK17.43 # Operation : Migration diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 276ace8..940af74 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te 
@@ -426,3 +426,8 @@ allow meta_tst self:capability2 {block_suspend}; # Date : WK20.14 # Purpose: Allow meta connect GPS MNLD allow meta_tst mnld:unix_stream_socket connectto; + +# Date : WK20.25 +# Operation: Android R migration +# Purpose : for sensor test +allow meta_tst hf_manager_device:chr_file rw_file_perms; diff --git a/non_plat/mtk_agpsd.te b/non_plat/mtk_agpsd.te index c805795..40abed3 100644 --- a/non_plat/mtk_agpsd.te +++ b/non_plat/mtk_agpsd.te @@ -68,3 +68,5 @@ get_prop(mtk_agpsd, vendor_mtk_mnld_prop) # Read the property of ro.vendor.mtk_log_hide_gps get_prop(mtk_agpsd, vendor_mtk_gps_support_prop) + +wakelock_use(mtk_agpsd) diff --git a/non_plat/mtk_hal_audio.te b/non_plat/mtk_hal_audio.te index 24894b7..e09b0ef 100644 --- a/non_plat/mtk_hal_audio.te +++ b/non_plat/mtk_hal_audio.te @@ -240,3 +240,18 @@ allow mtk_hal_audio dri_device:chr_file rw_file_perms; allow mtk_hal_audio gpu_device:dir search; allow mtk_hal_audio mtk_hal_bluetooth_audio_hwservice:hwservice_manager find; + +# Date : WK20.26 +allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms; +allow mtk_hal_audio metadata_file:dir search; +allow mtk_hal_audio nvdata_file:dir create_dir_perms; + +# Date : WK20.29 +# Purpose: no trigger avc log when call nvram api +dontaudit mtk_hal_audio gsi_metadata_file:dir search; + +# Date : WK20.29 +# Operation : Migration +# Purpose : SoundTrigger Hal for tablet +allow mtk_hal_audio adsp_misc_device:chr_file rw_file_perms; +allow mtk_hal_audio self:netlink_kobject_uevent_socket getopt;
\ No newline at end of file diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 2c01db3..131095e 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -265,9 +265,9 @@ allow mtk_hal_camera hal_graphics_composer_default:fd use; # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver -allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open }; -allow mtk_hal_camera mtk_mdp_device:chr_file rw_file_perms; -allow mtk_hal_camera mtk_mdp_sync:chr_file rw_file_perms; +allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms; +allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms; +allow mtk_hal_camera mtk_mdp_sync:chr_file r_file_perms; # Date : WK17.36 # Operation : O Migration diff --git a/non_plat/mtk_hal_mms.te b/non_plat/mtk_hal_mms.te index e2cd478..d5e62b1 100644 --- a/non_plat/mtk_hal_mms.te +++ b/non_plat/mtk_hal_mms.te @@ -5,7 +5,7 @@ # Type Declaration # ============================================== -type mtk_hal_mms, domain; +type mtk_hal_mms, domain, mtk_safe_halserverdomain_type; type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type; # ============================================== @@ -16,7 +16,7 @@ type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(mtk_hal_mms) # Allow to use HWBinder IPC -hwbinder_use(mtk_hal_mms); +hwbinder_use(mtk_hal_mms) # Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder. hal_server_domain(mtk_hal_mms, hal_mms) 
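Review bot: The WK20.26 block adds three rules with no Operation or Purpose line, and one of them, `allow mtk_hal_audio nvdata_file:dir create_dir_perms;`, lets the audio HAL create, rename and remove directories under the nvdata label. If the HAL only needs to add or read files in an existing directory, `rw_dir_perms` (or `r_dir_perms`) would be the narrower grant; this should be checked against the denial that motivated the rule. I would add `# Purpose: <which nvram API path needs directory creation>` above the block. The file now also ends without a trailing newline, which is worth restoring so a later appended rule cannot run into the last line.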
@@ -27,15 +27,15 @@ add_hwservice(hal_mms_server, mtk_hal_mms_hwservice) # Purpose : Allow to use kernel driver allow mtk_hal_mms graphics_device:chr_file { read write open ioctl }; allow mtk_hal_mms ion_device:chr_file { read open ioctl }; -allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl }; -allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms; -allow mtk_hal_mms mtk_mdp_sync:chr_file rw_file_perms; -allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms; -allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find; +allow mtk_hal_mms mtk_cmdq_device:chr_file r_file_perms; +allow mtk_hal_mms mtk_mdp_device:chr_file r_file_perms; +allow mtk_hal_mms mtk_mdp_sync:chr_file r_file_perms; +allow mtk_hal_mms sw_sync_device:chr_file r_file_perms; # Purpose : Allow to use allocator for JPEG hal_client_domain(mtk_hal_mms, hal_allocator) -allow mtk_hal_mms mtk_hal_pq:binder call; +hal_client_domain(mtk_hal_mms, hal_graphics_allocator) +hal_client_domain(mtk_hal_mms, hal_pq) # Purpose : Allow to use graphics allocator fd for gralloc_extra allow mtk_hal_mms hal_graphics_allocator_default:fd use; @@ -52,7 +52,11 @@ allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl { JPG_BRIDGE_ENC_IO_DEINIT JPG_BRIDGE_ENC_IO_START }; -# Allow to use mms by JPEG with handle + +# Purpose : Allow to use mms by JPEG with handle allow mtk_hal_mms platform_app:fd use; # Purpose : Allow Miravision to set Sharpness allow mtk_hal_mms system_app:fd use; + +# Purpose : Allow to set property for AIPQ +allow mtk_hal_mms apusys_device:chr_file rw_file_perms; diff --git a/non_plat/mtk_hal_power.te b/non_plat/mtk_hal_power.te index 9313174..d2d9f86 100644 --- a/non_plat/mtk_hal_power.te +++ b/non_plat/mtk_hal_power.te 
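Review bot: The comment `# Purpose : Allow to set property for AIPQ` does not match the rule under it, which grants `rw_file_perms` on the `apusys_device` character device and no property access at all. I would reword it to `# Purpose : Allow AIPQ to open and use the APU device node` so the grant is findable when the device label is audited. Because this domain is tagged `mtk_safe_halserverdomain_type` in the first hunk of this file, it is also worth confirming whether read-write is required here or whether a read grant plus an ioctl allow-list would be enough.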
@@ -203,3 +203,9 @@ allow mtk_hal_power proc_cpuidle:file rw_file_perms; # Operation: SQC # Purpose : Allow powerhal to control mali power policy allow mtk_hal_power sysfs_mali_power_policy:file rw_file_perms; + +# Date : 2020/06/12 +# Operation: SQC +# Purpose : Allow powerhal to control displowpower +allow mtk_hal_power proc_displowpower:dir r_dir_perms; +allow mtk_hal_power proc_displowpower:file rw_file_perms; diff --git a/non_plat/mtk_hal_sensors.te b/non_plat/mtk_hal_sensors.te index 372130d..fddf5a7 100644 --- a/non_plat/mtk_hal_sensors.te +++ b/non_plat/mtk_hal_sensors.te @@ -71,3 +71,7 @@ allow mtk_hal_sensors mnt_vendor_file:dir search; # Date : WK19.48 # Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail allow mtk_hal_sensors merged_hal_service:fd use; + +# Date : WK20.25 +# Purpose: Allow to read /bus/platform/drivers/mtk_nanohub/state +allow mtk_hal_sensors sysfs_mtk_nanohub_state:file r_file_perms; diff --git a/non_plat/netdiag.te b/non_plat/netdiag.te index 8554d46..0b4e1ee 100644 --- a/non_plat/netdiag.te +++ b/non_plat/netdiag.te @@ -21,3 +21,6 @@ allow netdiag tmpfs:lnk_file read; # purpose: allow netdiag to access storage in new version allow netdiag media_rw_data_file:file { create_file_perms }; allow netdiag media_rw_data_file:dir { create_dir_perms }; + +# purpose: read ip address +allow netdiag self:netlink_route_socket nlmsg_readpriv;
\ No newline at end of file diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te index f191824..182c563 100644 --- a/non_plat/platform_app.te +++ b/non_plat/platform_app.te @@ -90,11 +90,6 @@ hal_client_domain(platform_app, mtk_hal_fm) # Purpose : MTKLogger need connect to log hidl server # Package: com.mediatek.mtklogger hal_client_domain(platform_app, mtk_hal_log) -# Date: 2018/11/08 -# Operation : JPEG -# Purpose : JPEG need to use PQ via MMS HIDL -allow platform_app mtk_hal_mms_hwservice:hwservice_manager find; -allow platform_app mtk_hal_mms:binder call; # Date: 2019/07/04 # Stage: Migration diff --git a/non_plat/property_contexts b/non_plat/property_contexts index fff922c..9ecf97f 100644 --- a/non_plat/property_contexts +++ b/non_plat/property_contexts @@ -325,3 +325,6 @@ vendor.debug.gpud. u:object_r:vendor_mtk_gpu_prop:s0 #============= sensor set initrc property ============== ro.vendor.init.sensor.rc u:object_r:vendor_mtk_sensor_prop:s0 + +#=============add for bluetooth ldac abr==================== +vendor.bluetooth.ldac.abr u:object_r:vendor_mtk_default_prop:s0 diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index 0353697..9df1865 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -5,7 +5,7 @@ # Data : WK14.42 # Operation : Migration # Purpose : Video playback -allow surfaceflinger sw_sync_device:chr_file { rw_file_perms }; +allow surfaceflinger sw_sync_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions 
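Review bot: The comment `# purpose: read ip address` understates what `nlmsg_readpriv` grants: it is the privileged read permission on the route netlink socket, which on Android R is, as far as I know, what gates link-level queries that can expose interface hardware addresses. If netdiag only needs IP addresses, the ordinary `nlmsg_read` permission may already cover it; this should be confirmed against the avc denial behind the rule. At minimum I would reword the comment to `# purpose: netdiag needs privileged route-netlink reads (<message type from the denial>)`. The file also ends without a trailing newline.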
@@ -28,9 +28,10 @@ allow surfaceflinger debugfs_ion:dir search; # Date : WK17.30 # Operation : O Migration # Purpose: Allow to access cmdq driver -allow surfaceflinger mtk_cmdq_device:chr_file { read ioctl open }; +allow surfaceflinger mtk_cmdq_device:chr_file r_file_perms; allow surfaceflinger mtk_mdp_device:chr_file r_file_perms; -allow surfaceflinger mtk_mdp_sync:chr_file rw_file_perms; +allow surfaceflinger mtk_mdp_sync:chr_file r_file_perms; +allow surfaceflinger sysfs_boot_mode:file r_file_perms; # Date : W17.39 # Perform Binder IPC. @@ -64,17 +65,13 @@ get_prop(surfaceflinger, vendor_mtk_graphics_hwc_latch_unsignaled_prop) get_prop(surfaceflinger, vendor_mtk_graphics_hwc_validate_separate_prop) allow surfaceflinger hal_graphics_composer_default:dir search; allow surfaceflinger hal_graphics_composer_default:lnk_file read; +dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms; # Date : WK19.4 # Operation : P Migration # Purpose: Allow to access /dev/mdp_device driver allow surfaceflinger mdp_device:chr_file rw_file_perms; -# Date : WK19.09 -# Purpose: Allow to access property dev/mdp_sync -#============= surfaceflinger ============== -allow surfaceflinger mtk_mdp_device:chr_file rw_file_perms; - # Date : WK18.43 # Operation : HDR # Purpose: Allow to skip aosp hdr solution diff --git a/non_plat/system_app.te b/non_plat/system_app.te index 2bc6de6..a62e4d3 100644 --- a/non_plat/system_app.te +++ b/non_plat/system_app.te @@ -28,12 +28,6 @@ get_prop(system_app, vendor_mtk_thermal_config_prop) allow system_app aee_exp_data_file:file r_file_perms; allow system_app aee_exp_data_file:dir r_dir_perms; -# Date: 2018/11/08 -# Operation : JPEG -# Purpose : JPEG need to use PQ via MMS HIDL -allow system_app mtk_hal_mms_hwservice:hwservice_manager find; -allow system_app mtk_hal_mms:binder call; - # Date: 2019/06/14 # Operation : Migration # Purpose : system_app need vendor_default_prop 
@@ -57,3 +51,8 @@ allowxperm system_app proc_mtk_jpeg:file ioctl { JPG_BRIDGE_DEC_IO_WAIT JPG_BRIDGE_DEC_IO_UNLOCK }; + +# Date: 2020/06/29 +# Purpose: Allow system app to access mtk fpsgo +allow system_app sysfs_fpsgo:dir search; +allow system_app sysfs_fpsgo:file r_file_perms; diff --git a/non_plat/system_server.te b/non_plat/system_server.te index 0a448e9..8e37c12 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te @@ -255,3 +255,11 @@ allowxperm system_server proc_mtk_jpeg:file ioctl { JPG_BRIDGE_DEC_IO_WAIT JPG_BRIDGE_DEC_IO_UNLOCK }; + +#Date : 2020/06/30 +#Operation : R Migration +dontaudit system_server kernel:process sigkill; + +#Date:2020/07/23 +#Operation:R Migration +dontaudit system_server iorapd:process setsched; diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te index 784fb92..ac0b98d 100644 --- a/non_plat/vendor_init.te +++ b/non_plat/vendor_init.te @@ -84,3 +84,7 @@ allow vendor_init debugfs_tracing_debug:file w_file_perms; # Operation: SQC # Purpose : Allow vendor_init to control MCDI allow vendor_init proc_cpuidle:file rw_file_perms; + +# Date : 2020/07/08 +# Purpose: add permission for /proc/sys/vm/swappiness +allow vendor_init proc_swappiness:file w_file_perms; diff --git a/plat_private/file_contexts b/plat_private/file_contexts index defa023..50f8ec3 100644 --- a/plat_private/file_contexts +++ b/plat_private/file_contexts 
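Review bot: Both new `dontaudit` rules in the system_server.te hunk lack a Purpose line, and a dontaudit hides the denial from the audit log rather than resolving the access, so the reason has to be recorded in the policy itself. `dontaudit system_server kernel:process sigkill;` and `dontaudit system_server iorapd:process setsched;` silence system_server attempts to signal the kernel domain and to reschedule iorapd. If these are known harmless denials, say so, e.g. `# Purpose: suppress expected denial, see <bug id>`. Without that, someone triaging avc logs on this device cannot tell whether the absence of these denials is by design.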
@@ -15,17 +15,18 @@ # /system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0 -/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0 -/system/bin/mdlogger u:object_r:mdlogger_exec:s0 -/system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0 +/(system_ext|system/system_ext)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0 +/(system_ext|system/system_ext)/bin/mdlogger u:object_r:mdlogger_exec:s0 +/(system_ext|system/system_ext)/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0 /system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0 /system/bin/netdiag u:object_r:netdiag_exec:s0 /system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0 /system/bin/cmddumper u:object_r:cmddumper_exec:s0 /system/bin/em_svr u:object_r:em_svr_exec:s0 -/system/bin/aee_aed u:object_r:crash_dump_exec:s0 -/system/bin/aee_aed64 u:object_r:crash_dump_exec:s0 -/system/bin/aee_dumpstate u:object_r:dumpstate_exec:s0 +/(system_ext|system/system_ext)/bin/aee u:object_r:crash_dump_exec:s0 +/(system_ext|system/system_ext)/bin/aee_aed u:object_r:crash_dump_exec:s0 +/(system_ext|system/system_ext)/bin/aee_aed64 u:object_r:crash_dump_exec:s0 +/(system_ext|system/system_ext)/bin/aee_dumpstate u:object_r:dumpstate_exec:s0 /system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0 /system/bin/connsyslogger u:object_r:connsyslogger_exec:s0 diff --git a/plat_private/property_contexts b/plat_private/property_contexts index 731038b..fc3324e 100644 --- a/plat_private/property_contexts +++ b/plat_private/property_contexts @@ -17,7 +17,6 @@ persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0 #=============allow vendor-init/system process access ro.telephony property============== ro.telephony.sim.count u:object_r:telephony_config_prop:s0 exact int -ro.telephony.max.active.modems u:object_r:telephony_config_prop:s0 exact int #=============allow netlog============== vendor.mtklog u:object_r:system_mtk_debug_mtklog_prop:s0 
diff --git a/plat_public/attributes b/plat_public/attributes index 478dd6f..c9c3780 100644 --- a/plat_public/attributes +++ b/plat_public/attributes @@ -99,3 +99,9 @@ attribute hal_atci_server; attribute mtk_hal_aee; attribute mtk_hal_aee_client; attribute mtk_hal_aee_server; + +# All types used for mtk's safe hwservice +attribute mtk_safe_hwservice_manager_type; + +# All types used for mtk's safe halserver +attribute mtk_safe_halserverdomain_type; |