# ==============================================
# MTK Policy Rule
# ==============================================
# Do not allow access to the generic sysfs label. This is too broad.
# Instead, if access to part of sysfs is desired, it should have a
# more specific label.
# TODO: Remove hal_usb/mtk_hal_usb and so on once there are no violations.
# allow hal_usb sysfs:file write;
# hal_server_domain(mtk_hal_usb, hal_usb)
#
# r_dir_file(hal_wifi, sysfs_type)
# hal_server_domain(mtk_hal_wifi, hal_wifi)
#
full_treble_only(`
# Generic sysfs:file label. Three assertions, checked at policy build time:
#  1. no allow rule may grant any sysfs:file permission to a domain outside
#     the first list;
#  2. the HAL and service domains in the second list are capped at
#     r_file_perms;
#  3. init, ueventd, vendor_init, vold and the two USB HALs are capped at
#     r_file_perms plus write setattr append relabelfrom relabelto.
# NOTE(review): apexd and mtk_hal_camera are exempted by list 1 but appear in
# neither list 2 nor list 3, so no assertion here bounds their sysfs:file
# access at all. Confirm that is intended rather than a gap behind the TODO.
# NOTE(review): relabelfrom/relabelto on the generic sysfs label is a broad
# grant for a HAL; if hal_usb_default or mtk_hal_usb only need one node,
# giving that node its own label would let them leave list 3.
neverallow ~{
apexd
init
merged_hal_service
mtk_hal_bluetooth
# TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
mtk_hal_camera
mtk_hal_power
mtk_hal_usb
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_usb_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
ueventd
vendor_init
vold
} sysfs:file *;
# List 2: read-only access for the exempted HAL and service domains.
neverallow {
merged_hal_service
mtk_hal_bluetooth
mtk_hal_power
mtk_hal_wifi
hal_bluetooth_btlinux
hal_bluetooth_default
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
hal_fingerprint_default
hal_radio_config_default
hal_radio_default
hal_wifi_default
hal_wifi_supplicant_default
rild
tee
} sysfs:file ~r_file_perms;
# List 3: domains that may additionally write, setattr, append and relabel.
neverallow {
hal_usb_default
init
mtk_hal_usb
ueventd
vendor_init
vold
} sysfs:file ~{ r_file_perms write setattr append relabelfrom relabelto };
')
# Do not allow access to the generic proc label. This is too broad.
# Instead, if access to part of proc is desired, it should have a
# more specific label.
# TODO: Remove mtk_hal_audio/audioserver and so on once there are no violations.
#
# r_dir_file(hal_audio, proc)
# hal_server_domain(mtk_hal_audio, hal_audio)
# hal_client_domain(audioserver, hal_audio)
#
full_treble_only(`
# Generic proc label, files and symlinks. The build rejects any allow rule
# that grants a domain outside the first list any proc:file permission; the
# listed domains are then capped at r_file_perms, except vendor_init, which
# may additionally setattr.
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vendor_init
vold
} proc:file *;
# Same domains minus vendor_init: read-only on generic proc files.
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
hal_graphics_allocator_default
init
merged_hal_service
mtk_hal_audio
rild
system_server
vold
} proc:file ~r_file_perms;
# vendor_init is the only domain these rules let setattr a generic proc file.
neverallow vendor_init proc:file ~{ r_file_perms setattr };
# Symlinks under the generic proc label: domains outside this list get at
# most read and getattr; the listed audio, bluetooth, init, rild and
# system_server domains get at most r_file_perms.
neverallow ~{
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~{ read getattr };
neverallow {
audiocmdservice_atci
audioserver
bluetooth
hal_audio_default
init
mtk_hal_audio
rild
system_server
} proc:lnk_file ~r_file_perms;
')
# Do not allow access to the generic system_data_file label. This is
# too broad.
# Instead, if access to part of system_data_file is desired, it should
# have a more specific label.
# TODO: Remove merged_hal_service and so on once there are no violations.
#
# allow hal_drm system_data_file:file { getattr read };
# hal_server_domain(merged_hal_service, hal_drm)
#
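full_treble_only(`
# Generic system_data_file label. The first assertion rejects any allow rule
# granting the label to a non-core, non-app domain other than the listed
# CAS, DRM, merged HAL and TEE domains; the second caps every domain outside
# the exemption list at r_file_perms; the rules after that narrow each
# exempted domain to the specific permissions it is meant to hold.
neverallow {
domain
-coredomain
-appdomain
-hal_cas_default
-hal_drm_clearkey
-hal_drm_clearkey_aidl
-hal_drm_default
-hal_drm_widevine
-merged_hal_service
-tee
} system_data_file:file *;
neverallow ~{
appdomain
app_zygote
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
init
installd
iorap_prefetcherd
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
system_server
tee
toolbox
vold
vold_prepare_subdirs
with_asan(`asan_extract')
} system_data_file:file ~r_file_perms;
# Apps and the app zygote: getattr, read and map only.
neverallow { appdomain app_zygote } system_data_file:file ~{ getattr read map };
# init: create, read, write, setattr, relabel, unlink and map. The permission
# set previously listed getattr twice; the duplicate is dropped, which does
# not change the set the build accepts.
neverallow init system_data_file:file ~{ create getattr open read write setattr relabelfrom unlink map relabelto };
# installd: stat, relabel and remove only.
neverallow installd system_data_file:file ~{ getattr relabelfrom unlink };
# iorap_prefetcherd: open and read only.
neverallow iorap_prefetcherd system_data_file:file ~{ open read };
# DRM, media and TEE domains: getattr and read only.
neverallow {
hal_drm_clearkey
hal_drm_clearkey_aidl
hal_drm_default
hal_drm_widevine
mediadrmserver
mediaextractor
mediaserver
merged_hal_service
tee
} system_data_file:file ~{ getattr read };
# system_server: create_file_perms plus relabelfrom and link.
neverallow system_server system_data_file:file ~{ create_file_perms relabelfrom link };
# toolbox and vold_prepare_subdirs: stat and remove only.
neverallow { toolbox vold_prepare_subdirs } system_data_file:file ~{ getattr unlink };
# vold: read only, not even getattr.
neverallow vold system_data_file:file ~read;
')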
# Do not allow access to the generic device label. This is too broad.
# Instead, if access to part of device is desired, it should have a
# more specific label.
# TODO: Remove hal_camera and so on once there are no violations.
#
# allow hal_camera device:dir r_dir_perms;
# hal_client_domain(cameraserver, hal_camera)
#
full_treble_only(`
# Generic device:dir label. Domains outside the first list may at most
# search and getattr it; the camera, recovery, shell and system_server
# domains in the second list are capped at r_dir_perms; init, vendor_init,
# vold and ueventd get the narrower per-domain sets below.
# NOTE(review): apexd and otapreopt_chroot are exempted from the first rule
# but appear in no narrower rule, so nothing here bounds their device:dir
# access. Confirm that is intentional.
neverallow ~{
apexd
cameraserver
fastbootd
hal_camera
hal_camera_default
init
mtk_hal_camera
otapreopt_chroot
recovery
shell
slideshow
system_server
vendor_init
vold
ueventd
} device:dir ~{ search getattr };
# Read-only directory access for the camera stack, fastbootd, recovery,
# shell, slideshow and system_server.
neverallow {
cameraserver
fastbootd
hal_camera
hal_camera_default
mtk_hal_camera
system_server
shell
slideshow
recovery
} device:dir ~r_dir_perms;
# init is the only domain these rules allow relabelto under the generic
# device label; vendor_init gets the same set without it.
neverallow init device:dir ~{ create_dir_perms mounton relabelto };
neverallow vendor_init device:dir ~{ create_dir_perms mounton };
# vold: search, getattr and write only.
neverallow vold device:dir ~{ search getattr write };
# ueventd: create_dir_perms only.
neverallow ueventd device:dir ~create_dir_perms;
')