diff options
author | Shanshan Gio <shanshan.guo@mediatek.com> | 2020-04-02 18:47:03 +0800 |
---|---|---|
committer | Shanshan Gio <shanshan.guo@mediatek.com> | 2020-04-08 20:49:25 +0800 |
commit | 941d09bdf1a039159618a297ef48b5a412070fb6 (patch) | |
tree | 879073abb0f60d5e9e153e901bbdc7f8d69934b6 /plat_private | |
parent | 0a4e6642b91c02755e95d6b894a8a54cc44e5253 (diff) | |
download | wembley-sepolicy-941d09bdf1a039159618a297ef48b5a412070fb6.tar.gz |
[ALPS05025406] SEPolicy: Modify prop context with naming conventions
[Detail]
In AOSP/948386 and AOSP/1161048, there are new naming conventions for
property context.
The MTK sepolicies of properties need some modification for them.
[Solution]
1.Modify property context in non_plat/ with new naming conventions.
2.Modify property context end with suffix _prop.
3.Remove unused property sepolicy.
4.Sort context in property.te .
Change-Id: Ic300b217c1457d46fdcdec9034eb9ba8ac602c69
CR-Id: ALPS05025406
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Diffstat (limited to 'plat_private')
-rw-r--r-- | plat_private/boot_logo_updater.te | 5 | ||||
-rw-r--r-- | plat_private/bootanim.te | 4 | ||||
-rw-r--r-- | plat_private/cmddumper.te | 2 | ||||
-rw-r--r-- | plat_private/emdlogger.te | 4 | ||||
-rw-r--r-- | plat_private/lbs_dbg.te | 2 | ||||
-rw-r--r-- | plat_private/mdlogger.te | 2 | ||||
-rw-r--r-- | plat_private/mobile_log_d.te | 8 | ||||
-rw-r--r-- | plat_private/mtkbootanimation.te | 4 | ||||
-rw-r--r-- | plat_private/netdiag.te | 13 | ||||
-rw-r--r-- | plat_private/platform_app.te | 3 | ||||
-rw-r--r-- | plat_private/property_contexts | 6 |
11 files changed, 19 insertions, 34 deletions
diff --git a/plat_private/boot_logo_updater.te b/plat_private/boot_logo_updater.te index 62aa7f3..2370498 100644 --- a/plat_private/boot_logo_updater.te +++ b/plat_private/boot_logo_updater.te @@ -14,13 +14,10 @@ init_daemon_domain(boot_logo_updater) # Date : WK14.32 # Operation : Migration # Puration : set boot reason -allow boot_logo_updater system_prop:property_service set; +set_prop(boot_logo_updater, system_prop) allow boot_logo_updater graphics_device:chr_file rw_file_perms; -# For IPC communication -allow boot_logo_updater init:unix_stream_socket connectto; -allow boot_logo_updater property_socket:sock_file write; # To access directory /dev/block/mmcblk0 or /dev/block/sdc allow boot_logo_updater block_device:dir search; allow boot_logo_updater graphics_device:dir search; diff --git a/plat_private/bootanim.te b/plat_private/bootanim.te index 46fe429..76b93b0 100644 --- a/plat_private/bootanim.te +++ b/plat_private/bootanim.te @@ -15,9 +15,7 @@ allow bootanim audioserver_service:service_manager find; # Date : WK14.37 # Operation : Migration # Purpose : for opetator -allow bootanim property_socket:sock_file write; -allow bootanim init:unix_stream_socket connectto; -allow bootanim debug_prop:property_service set; +set_prop(bootanim, debug_prop) # Date : WK14.46 # Operation : Migration diff --git a/plat_private/cmddumper.te b/plat_private/cmddumper.te index 01b5dc5..2c5b4d2 100644 --- a/plat_private/cmddumper.te +++ b/plat_private/cmddumper.te @@ -14,8 +14,6 @@ allow cmddumper sdcard_type:dir create_dir_perms; allow cmddumper sdcard_type:file create_file_perms; # modem logger socket access -allow cmddumper init:unix_stream_socket connectto; -allow cmddumper property_socket:sock_file { write read }; allow cmddumper platform_app:unix_stream_socket connectto; allow cmddumper shell_exec:file { rx_file_perms }; allow cmddumper system_file:file x_file_perms; diff --git a/plat_private/emdlogger.te b/plat_private/emdlogger.te index 47a3d9c..4ab40f3 100644 --- a/plat_private/emdlogger.te +++ b/plat_private/emdlogger.te @@ -17,8 +17,6 @@ allow emdlogger sdcard_type:file { create_file_perms }; # modem logger socket access -#allow emdlogger property_socket:sock_file write; -#allow emdlogger init:unix_stream_socket connectto; allow emdlogger platform_app:unix_stream_socket connectto; allow emdlogger shell_exec:file { rx_file_perms }; allow emdlogger system_file:file execute_no_trans; @@ -72,7 +70,7 @@ allow emdlogger sysfs_dt_firmware_android:dir { read open search }; allow emdlogger tmpfs:dir write; allow emdlogger sysfs_dt_firmware_android:file { read open getattr }; allow emdlogger system_file:dir open; -allow emdlogger vendor_default_prop:file { read getattr open }; +get_prop(emdlogger, vendor_default_prop) ## Android Q migration ## purpose: read modem db and filter folder and file diff --git a/plat_private/lbs_dbg.te b/plat_private/lbs_dbg.te index ec17037..78a1e19 100644 --- a/plat_private/lbs_dbg.te +++ b/plat_private/lbs_dbg.te @@ -36,7 +36,7 @@ allow lbs_dbg self:netlink_route_socket { bind create getattr write nlmsg_read r allow lbs_dbg self:tcp_socket create_stream_socket_perms; allow lbs_dbg self:udp_socket create_socket_perms; -allow lbs_dbg hwservicemanager_prop:file read; +get_prop(lbs_dbg, hwservicemanager_prop) hal_client_domain(lbs_dbg, mtk_hal_lbs) diff --git a/plat_private/mdlogger.te b/plat_private/mdlogger.te index afa04ea..40d82f8 100644 --- a/plat_private/mdlogger.te +++ b/plat_private/mdlogger.te @@ -13,8 +13,6 @@ binder_use(mdlogger) binder_service(mdlogger) # modem logger socket access -#allow mdlogger init:unix_stream_socket connectto; -#allow mdlogger property_socket:sock_file write; allow mdlogger platform_app:unix_stream_socket connectto; allow mdlogger shell_exec:file { rx_file_perms }; allow mdlogger system_file:file x_file_perms; diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te index 1aaf99b..526bcb5 100644 --- a/plat_private/mobile_log_d.te +++ b/plat_private/mobile_log_d.te @@ -63,9 +63,9 @@ allow mobile_log_d toolbox_exec:file rx_file_perms; allow mobile_log_d rootfs:file r_file_perms; #dev/__properties__ access -allow mobile_log_d device_logging_prop:file { getattr open }; -allow mobile_log_d mmc_prop:file { getattr open }; -allow mobile_log_d safemode_prop:file { getattr open }; +get_prop(mobile_log_d, device_logging_prop) +get_prop(mobile_log_d, mmc_prop) +get_prop(mobile_log_d, safemode_prop) # purpose: allow MobileLog to access storage in N version allow mobile_log_d media_rw_data_file:file create_file_perms; @@ -97,5 +97,5 @@ userdebug_or_eng(` allow mobile_log_d netd:unix_stream_socket connectto; allow mobile_log_d self:tcp_socket getopt; allow mobile_log_d fwmarkd_socket:sock_file write; - set_prop(mobile_log_d, mobile_log_post_prop) + set_prop(mobile_log_d, system_mtk_mobile_log_post_prop) ') diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te index 857b86d..425c166 100644 --- a/plat_private/mtkbootanimation.te +++ b/plat_private/mtkbootanimation.te @@ -59,9 +59,7 @@ allow mtkbootanimation audioserver_service:service_manager find; # Date : WK14.37 # Operation : Migration # Purpose : for opetator -allow mtkbootanimation property_socket:sock_file write; -allow mtkbootanimation init:unix_stream_socket connectto; -allow mtkbootanimation debug_prop:property_service set; +set_prop(mtkbootanimation, debug_prop) # Date : WK14.46 # Operation : Migration diff --git a/plat_private/netdiag.te b/plat_private/netdiag.te index ec128a9..95a79b2 100644 --- a/plat_private/netdiag.te +++ b/plat_private/netdiag.te @@ -58,10 +58,10 @@ allow netdiag network_management_service:service_manager find; allow netdiag settings_service:service_manager find; # Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop -allow netdiag device_logging_prop:file { getattr open }; -allow netdiag mmc_prop:file { getattr open }; +get_prop(netdiag, device_logging_prop) +get_prop(netdiag, mmc_prop) allow netdiag proc_net:dir { read open }; -allow netdiag safemode_prop:file { getattr open }; +get_prop(netdiag, safemode_prop) allow netdiag toolbox_exec:file rx_file_perms; # purpose: allow netdiag to access storage in new version @@ -86,12 +86,11 @@ allow netdiag self:rawip_socket { getopt create }; allow netdiag self:udp_socket { ioctl create }; ## Android P migration -#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0" -#avc: denied { getattr } for path="/dev/__properties__/u:object_r:atm_ipaddr_prop:s0" -#avc: denied { open } for path="/dev/__properties__/u:object_r:atm_mdmode_prop:s0" +#avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_ipaddr_prop:s0" +#avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_ipaddr_prop:s0" +#avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_mtk_atm_mdmode_prop:s0" allow netdiag proc_qtaguid_stat:dir { read open search }; allow netdiag proc_qtaguid_stat:file { read getattr open }; -#allow netdiag vendor_default_prop:file { read getattr open map }; get_prop(netdiag, vendor_default_prop) allow netdiag proc_net_tcp_udp:file getattr; allow netdiag netd:binder call; diff --git a/plat_private/platform_app.te b/plat_private/platform_app.te index fbf84a9..80b9c4b 100644 --- a/plat_private/platform_app.te +++ b/plat_private/platform_app.te @@ -1,11 +1,10 @@ # ============================================== -# MTK Policy Rule +# MTK Policy Rule # ============================================== # SEPolicy Split allow platform_app system_app_service:service_manager find; -allow platform_app init:unix_stream_socket connectto; # Date : WK17.29 # Stage: O Migration, SQC diff --git a/plat_private/property_contexts b/plat_private/property_contexts index c56ca1b..0933495 100644 --- a/plat_private/property_contexts +++ b/plat_private/property_contexts @@ -11,6 +11,6 @@ persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int #============system fingerprint property=========== ro.system.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string -vendor.MB.logpost u:object_r:mobile_log_post_prop:s0 -vendor.MB.logpost. u:object_r:mobile_log_post_prop:s0 -persist.vendor.MB.logpost u:object_r:mobile_log_post_prop:s0 +vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0 +vendor.MB.logpost. u:object_r:system_mtk_mobile_log_post_prop:s0 +persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0 |