path: root/plat_private/mobile_log_d.te
blob: 1aaf99bf51a1e69c8f3faff7ed400fb1b829d553 (plain)
# ==============================================
# MTK Policy Rule
# ==============================================
# Platform-private policy for the mobile_log_d domain. The mobile_log_d type
# itself is not declared in this file; only its attributes and rules are.

# Label for the daemon's executable, added when the binary moved to /system.
type mobile_log_d_exec, system_file_type, exec_type, file_type;
# coredomain marks the domain as part of the core platform policy.
typeattribute mobile_log_d coredomain;
# mlstrustedsubject exempts the domain from MLS constraints, i.e. from the
# category-based separation Android applies to per-app and per-user data.
# NOTE(review): this is a wide exemption for a daemon that also gets storage
# write access and file-ownership capabilities further down; confirm it is
# still required.
typeattribute mobile_log_d mlstrustedsubject;

# init-started service: executing mobile_log_d_exec from init transitions
# into the mobile_log_d domain.
init_daemon_domain(mobile_log_d)

# syslog module: syslog_mod is the state-changing half of the kernel log
# permissions (as opposed to syslog_read), so this is more than read access.
allow mobile_log_d kernel:system syslog_mod;

# GMO project
# dontaudit does not grant anything: use of file descriptors created by
# untrusted_app / isolated_app stays denied, but the denial is no longer
# written to the audit log. NOTE(review): these denials will therefore not
# show up when triaging AVC logs.
dontaudit mobile_log_d untrusted_app:fd use;
dontaudit mobile_log_d isolated_app:fd use;

# debug property set: allows setting properties labelled debug_prop.
set_prop(mobile_log_d, debug_prop)

# socket connect and write: connect to logd through its logdr socket
# (the macro expands the second argument to logdr_socket).
unix_socket_connect(mobile_log_d, logdr, logd);

# capability
# setuid/setgid let the daemon change its own identity; chown, fowner and
# fsetid let it bypass file-ownership checks.
# NOTE(review): the second rule is a strict subset of the first and adds
# nothing; it can be dropped. Confirm fowner/fsetid are still needed.
allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
allow mobile_log_d self:capability { setuid chown setgid };
# CAP_SYSLOG: privileged access to the kernel log.
allow mobile_log_d self:capability2 syslog;

# aee mode switch
# execute_no_trans: files labelled system_file run inside the mobile_log_d
# domain, keeping all of its permissions. The rule is not limited to one
# binary; it applies to every file carrying the generic system_file label.
allow mobile_log_d system_file:file execute_no_trans;

# shell command: read and execute the shell binary.
# NOTE(review): no domain transition is defined here, so shell commands would
# run with this domain's capabilities; verify in the daemon source that command
# strings are never built from externally supplied data.
allow mobile_log_d shell_exec:file rx_file_perms;

# execute logcat command
allow mobile_log_d logcat_exec:file rx_file_perms;

# execute 'logcat -L' via dumpstate
# The automatic transition is keyed on the logcat_exec label, not on the
# command-line arguments, so it is not specific to 'logcat -L'.
# NOTE(review): dumpstate's own permissions are defined elsewhere; confirm
# that entering that domain from mobile_log_d is intended and is limited to
# what 'logcat -L' needs.
domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)

# general storage access
# create_dir_perms / create_file_perms are the full create/read/write/remove
# permission sets, so the daemon can create and delete content on these
# storage types, including symbolic links where lnk_file is listed.
# NOTE(review): these locations are shared with other writers. A daemon that
# also holds chown/fowner (see the capability rules in this file) should not
# follow symlinks it did not create there, and log files placed on shared
# storage are readable by whoever else has access to that storage.
allow mobile_log_d storage_file:dir create_dir_perms;
allow mobile_log_d storage_file:file create_file_perms;
allow mobile_log_d storage_file:lnk_file create_file_perms;
allow mobile_log_d mnt_user_file:dir create_dir_perms;
allow mobile_log_d mnt_user_file:lnk_file create_file_perms;
allow mobile_log_d sdcard_type:dir create_dir_perms;
allow mobile_log_d sdcard_type:file create_file_perms;

# factory mode vfat access
# The rules are unconditional: they apply in every boot mode, not only in
# factory mode.
allow mobile_log_d vfat:dir create_dir_perms;
allow mobile_log_d vfat:file create_file_perms;

# chiptest mode storage access (also unconditional)
allow mobile_log_d mnt_media_rw_file:dir create_dir_perms;
allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms;

# system/bin/toybox for using the 'sh' command: read and execute toolbox_exec.
allow mobile_log_d toolbox_exec:file rx_file_perms;

# selinux_version access
# The rule covers every file labelled rootfs, not only selinux_version.
allow mobile_log_d rootfs:file r_file_perms;

# dev/__properties__ access
# Only getattr and open are granted on these property files; read is not part
# of these rules.
allow mobile_log_d device_logging_prop:file { getattr open };
allow mobile_log_d mmc_prop:file { getattr open };
allow mobile_log_d safemode_prop:file { getattr open };

# purpose: allow MobileLog to access storage in N version
# Full create/read/write/remove access to files and directories labelled
# media_rw_data_file.
# NOTE(review): combined with the mlstrustedsubject attribute on this domain,
# MLS categories do not restrict which of these files the daemon can reach.
allow mobile_log_d media_rw_data_file:file  create_file_perms;
allow mobile_log_d media_rw_data_file:dir create_dir_perms;

# access debugfs/tracing/instances/
# Directory create/remove rights on the tracing tree and its instances, plus
# full file access inside instances. File access on debugfs_tracing itself is
# intentionally left disabled (commented-out rule below).
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
#allow mobile_log_d debugfs_tracing:file create_file_perms;
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;

# data/debuglog
# relabelto lets the daemon relabel a directory to debuglog_data_file.
# NOTE(review): no matching relabelfrom rule is visible in this file; confirm
# where the source label is granted.
allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms};
allow mobile_log_d debuglog_data_file:file create_file_perms;

# mcupm: read the mcupm character device, write its sysfs files.
allow mobile_log_d mcupm_device:chr_file r_file_perms;
allow mobile_log_d sysfs_mcupm:file w_file_perms;
allow mobile_log_d sysfs_mcupm:dir search;

# Read-only access to sysfs files labelled sysfs_boot_info.
allow mobile_log_d sysfs_boot_info:file r_file_perms;

# for logpost feature
# Everything inside userdebug_or_eng() is compiled in only for userdebug and
# eng builds; user builds do not get these rules.
# The first two rules give read access to directories, files and symlinks
# labelled with ANY process domain (in practice the /proc/<pid> entries of
# every process). The socket rules reach netd and its dnsproxyd and fwmarkd
# sockets.
# NOTE(review): reading every process's /proc entries together with network
# access is a broad combination; it should remain confined to debug builds.
userdebug_or_eng(`
  allow mobile_log_d domain:dir r_dir_perms;
  allow mobile_log_d domain:{file lnk_file} r_file_perms;
  allow mobile_log_d dnsproxyd_socket:sock_file write;
  allow mobile_log_d self:udp_socket create;
  allow mobile_log_d netd:unix_stream_socket connectto;
  allow mobile_log_d self:tcp_socket getopt;
  allow mobile_log_d fwmarkd_socket:sock_file write;
  set_prop(mobile_log_d, mobile_log_post_prop)
')