From 49214eec4831b92fe9bf16e260dd76bc363ff017 Mon Sep 17 00:00:00 2001 From: TheMalachite Date: Sun, 14 Aug 2022 15:08:06 +0200 Subject: [PATCH] mtk-sepolicy: Import zirconia modem sepolicy rules --- BoardSEPolicyConfig.mk | 3 +- modem/bip.te | 47 +++++++++++++++++++ modem/epdg_wod.te | 94 ++++++++++++++++++++++++++++++++++++++ modem/file.te | 8 ++++ modem/file_contexts | 31 +++++++++++++ modem/ipsec.te | 88 +++++++++++++++++++++++++++++++++++ modem/mtk_ims_ap_domain.te | 10 ++++ modem/property.te | 17 +++++++ modem/property_contexts | 16 +++++++ modem/volte_imcb.te | 61 +++++++++++++++++++++++++ modem/volte_imsm_93.te | 37 +++++++++++++++ modem/volte_md_status.te | 22 +++++++++ modem/volte_stack.te | 56 +++++++++++++++++++++++ modem/volte_ua.te | 51 +++++++++++++++++++++ modem/wfca.te | 50 ++++++++++++++++++++ 15 files changed, 590 insertions(+), 1 deletion(-) create mode 100644 modem/bip.te create mode 100644 modem/epdg_wod.te create mode 100644 modem/file.te create mode 100644 modem/file_contexts create mode 100644 modem/ipsec.te create mode 100644 modem/mtk_ims_ap_domain.te create mode 100644 modem/property.te create mode 100644 modem/property_contexts create mode 100644 modem/volte_imcb.te create mode 100644 modem/volte_imsm_93.te create mode 100644 modem/volte_md_status.te create mode 100644 modem/volte_stack.te create mode 100644 modem/volte_ua.te create mode 100644 modem/wfca.te diff --git a/BoardSEPolicyConfig.mk b/BoardSEPolicyConfig.mk index efd69a4..934e17b 100644 --- a/BoardSEPolicyConfig.mk +++ b/BoardSEPolicyConfig.mk @@ -2,7 +2,8 @@ # SELinux Policy File Configuration BOARD_SEPOLICY_DIRS += \ device/mediatek/sepolicy/basic/non_plat \ - device/mediatek/sepolicy/bsp/non_plat + device/mediatek/sepolicy/bsp/non_plat \ + device/mediatek/sepolicy/modem ifneq ($(call math_lt,$(PRODUCT_SHIPPING_API_LEVEL),28),) BOARD_SEPOLICY_DIRS += $(wildcard device/mediatek/sepolicy/bsp/ota_upgrade) 
diff --git a/modem/bip.te b/modem/bip.te
new file mode 100644
index 0000000..02d99ad
--- /dev/null
+++ b/modem/bip.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /system/bin/bip Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type bip, domain, mtkimsmddomain, netdomain;
+type bip_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive bip;
+init_daemon_domain(bip)
+net_domain(bip)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for bip send RTP/RTCP
+allow bip self:capability { net_raw setuid setgid net_admin};
+allow bip self:udp_socket { create write bind read setopt ioctl getattr shutdown connect };
+allow bip node:udp_socket node_bind;
+allow bip port:udp_socket name_bind;
+allow bip fwmarkd_socket:sock_file write;
+allow bip self:tcp_socket { create setopt ioctl bind listen accept read write connect };
+allow bip port:tcp_socket name_connect;
+allow bip self:netlink_route_socket read;
+allow bip bip_socket:sock_file write;
+allow bip vendor_bip_socket:sock_file write;
+
+#get_prop(bip, net_radio_prop)
+set_prop(bip, vendor_mtk_ril_mux_report_case_prop)
+set_prop(bip, vendor_mtk_ctl_muxreport-daemon_prop)
+
+# Purpose : for access ccci device
+allow bip ccci_device:chr_file { read write open ioctl };
+
+# Purpose : for raw socket
+allow bip self:rawip_socket { create write bind setopt read getattr};
+allow bip node:rawip_socket {node_bind};
+
+allow bip netd:unix_stream_socket connectto;
+allow bip netd_socket:sock_file write;
+
+allow netd bip:fd use;
+allow netd bip:tcp_socket { read write setopt getopt };
+allow netd bip:udp_socket {read write setopt getopt};
diff --git a/modem/epdg_wod.te b/modem/epdg_wod.te
new file mode 100644
index 0000000..aa18c0b
--- /dev/null
+++ b/modem/epdg_wod.te
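Review bot: `type bip, domain, mtkimsmddomain, netdomain;` declares the netdomain attribute directly and `net_domain(bip)` a few lines below adds it again, so one of the two is redundant; dropping `netdomain` from the type line and letting the macro do it matches the other domains in this patch. The header comment names `/system/bin/bip` while file_contexts labels `/(system\/vendor|vendor)/bin/bip`, so the path in the comment is stale. The capability line `{ net_raw setuid setgid net_admin}` together with `self:rawip_socket` is the widest network grant in the patch and carries only the generic "send RTP/RTCP" purpose; a per-capability comment saying which operation needs `net_admin` and which needs `net_raw` would let a later reviewer prune it.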
@@ -0,0 +1,94 @@
+# ==============================================
+# Policy File of /system/bin/epdg_wod Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type epdg_wod_exec, exec_type, file_type, vendor_file_type;
+type epdg_wod, domain, mtkimsmddomain;
+
+
+#20141222 Add EPDG socket usage
+type wod_ipsec_conf_file, file_type, data_file_type;
+type wod_apn_conf_file, file_type, data_file_type;
+type wod_action_socket, file_type;
+type wod_sim_socket, file_type;
+type wod_ipsec_socket, file_type;
+type wod_dns_socket, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(epdg_wod)
+net_domain(epdg_wod)
+
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, charon_exec, ipsec)
+domain_auto_trans(epdg_wod, starter_exec, ipsec)
+domain_auto_trans(epdg_wod, stroke_exec, ipsec)
+
+# Date: WK14.52
+# Operation : Feature for ePDG
+# Purpose : handle tunnel interface
+allow epdg_wod self:tun_socket { relabelfrom relabelto create };
+allow epdg_wod tun_device:chr_file { read write ioctl open getattr };
+allow epdg_wod self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr };
+allow epdg_wod self:capability { net_admin kill };
+
+
+# Purpose : update ipsec deamon
+allow epdg_wod ipsec_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose : send signal to process (ipsec/charon)
+allow epdg_wod ipsec:process { signal sigkill signull };
+
+# Purpose : set property for debug messages
+set_prop(epdg_wod, vendor_mtk_wod_prop)
+set_prop(epdg_wod, vendor_mtk_persist_wod_prop)
+
+# Purpose : create strongswan config file for IKEv2 Tunnel
+allow epdg_wod wod_apn_conf_file:dir { write read open add_name remove_name search };
+allow epdg_wod wod_apn_conf_file:file { write read create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:file { write read create unlink open getattr };
+allow epdg_wod wod_ipsec_conf_file:dir { write read open add_name remove_name search };
+
+# tear_xfrm_policy
+allow epdg_wod self:netlink_xfrm_socket { write getattr setopt nlmsg_write read bind create };
+
+# Purpose : check tun device is ready
+allow epdg_wod self:udp_socket { create ioctl };
+allow epdg_wod self:capability sys_module;
+
+
+# Purpose: Kill Process, removed these permissions as security concerns
+#allow epdg_wod system_server:process { signal signull };
+#allow epdg_wod kernel:process signal;
+
+# Purpose: access iptables for mss
+allow epdg_wod self:capability net_raw;
+allow epdg_wod self:rawip_socket { getopt create setopt };
+
+# Purpose: communicate with NETD
+unix_socket_connect(epdg_wod,netd,netd);
+allow netd epdg_wod:fd use;
+allow netd epdg_wod:tcp_socket { read write setopt getopt };
+allow netd epdg_wod:udp_socket {read write setopt getopt};
+
+# Purpose: use netutils-wrapper
+domain_auto_trans(epdg_wod, netutils_wrapper_exec, netutils_wrapper)
+allow netutils_wrapper epdg_wod:fd use;
+allow netutils_wrapper epdg_wod:unix_stream_socket { read write };
+
+#Purpose: use ccci device
+allow epdg_wod ccci_device:chr_file {open read write ioctl};
+
+# Purpose : starter daemon charon
+allow epdg_wod starter_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose : stroke daemon charon
+allow epdg_wod stroke_exec:file { read getattr open execute execute_no_trans lock};
+
+# Purpose : starter invoke charon
+allow epdg_wod charon_exec:file { read getattr open execute execute_no_trans lock};
+
+
diff --git a/modem/file.te b/modem/file.te
new file mode 100644
index 0000000..1c00ab5
--- /dev/null
+++ b/modem/file.te
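Review bot: `domain_auto_trans(epdg_wod, starter_exec, ipsec)` appears twice in the transition block, so one copy should be dropped. The same executables also get `execute_no_trans` in the per-binary `allow epdg_wod *_exec:file { ... }` lines near the end of the file; with the auto-transition in place that permission is only exercised when the daemon runs the binary without transitioning, i.e. it lets strongSwan run inside the epdg_wod domain rather than ipsec, which presumably is not intended — removing `execute_no_trans` from those four lines keeps the separation the transitions establish. `allow epdg_wod self:capability sys_module;` under "check tun device is ready" is an unusually strong capability for a userspace daemon; if it is only there so that opening the tun device auto-loads a module, confirm whether tun is built into the target kernel, in which case the grant can go.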
@@ -0,0 +1,8 @@
+type volte_imcb_socket, file_type;
+type volte_ut_socket, file_type;
+type volte_ua_socket, file_type;
+type volte_stack_socket, file_type;
+type wfca_socket, file_type;
+type bip_socket, file_type;
+type vendor_bip_socket, file_type;
+
diff --git a/modem/file_contexts b/modem/file_contexts
new file mode 100644
index 0000000..45a97c8
--- /dev/null
+++ b/modem/file_contexts
@@ -0,0 +1,31 @@
+/(system\/vendor|vendor)/bin/epdg_wod u:object_r:epdg_wod_exec:s0
+/(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
+/(system\/vendor|vendor)/bin/ipsec u:object_r:ipsec_exec:s0
+/(system\/vendor|vendor)/bin/charon u:object_r:charon_exec:s0
+/(system\/vendor|vendor)/bin/starter u:object_r:starter_exec:s0
+/(system\/vendor|vendor)/bin/stroke u:object_r:stroke_exec:s0
+/(system\/vendor|vendor)/bin/bip u:object_r:bip_exec:s0
+/data/vendor/ipsec(/.*)? u:object_r:wod_ipsec_conf_file:s0
+/data/vendor/ipsec/wo(/.*)? u:object_r:wod_apn_conf_file:s0
+/dev/socket/wod_action(/.*)? u:object_r:wod_action_socket:s0
+/dev/socket/wod_sim(/.*)? u:object_r:wod_sim_socket:s0
+/dev/socket/wod_ipsec(/.*)? u:object_r:wod_ipsec_socket:s0
+/dev/socket/wod_dns(/.*)? u:object_r:wod_dns_socket:s0
+
+/dev/socket/volte_imsm(/.*)? u:object_r:rild_imsm_socket:s0
+/dev/socket/volte_imsa[0-9](/.*)? u:object_r:volte_imsa_socket:s0
+/dev/socket/volte_imsvt[0-9](/.*)? u:object_r:volte_imsvt_socket:s0
+/dev/socket/volte_imcb(/.*)? u:object_r:volte_imcb_socket:s0
+/dev/socket/volte_ut(/.*)? u:object_r:volte_ut_socket:s0
+/dev/socket/volte_ua(/.*)? u:object_r:volte_ua_socket:s0
+/dev/socket/volte_stack(/.*)? u:object_r:volte_stack_socket:s0
+/dev/socket/wfca(/.*)? u:object_r:wfca_socket:s0
+/dev/socket/bip(/.*)? u:object_r:bip_socket:s0
+/dev/socket/vendor\.bip(/.*)? u:object_r:vendor_bip_socket:s0
+
+/(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
+/(system\/vendor|vendor)/bin/volte_stack u:object_r:volte_stack_exec:s0
+/(system\/vendor|vendor)/bin/volte_ua u:object_r:volte_ua_exec:s0
+/(system\/vendor|vendor)/bin/volte_imsm_93 u:object_r:volte_imsm_93_exec:s0
+
+/(system\/vendor|vendor)/bin/volte_md_status u:object_r:volte_md_status_exec:s0
diff --git a/modem/ipsec.te b/modem/ipsec.te
new file mode 100644
index 0000000..a74569b
--- /dev/null
+++ b/modem/ipsec.te
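Review bot: `/dev/socket/volte_imsm(/.*)? u:object_r:rild_imsm_socket:s0` labels with a type this patch does not declare, and the same is true of `volte_vt_socket` in mtk_ims_ap_domain.te and `custom_file` in ipsec.te; presumably they come from the existing basic/bsp policy directories, but since an undeclared type fails the policy build, a one-line comment naming where each is declared would save the next reader a search. `/data/vendor/ipsec(/.*)?` and `/data/vendor/ipsec/wo(/.*)?` overlap; longest-match resolves it in favour of `wod_apn_conf_file` for the subdirectory, and a comment saying that split is deliberate would make the intent clear.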
@@ -0,0 +1,88 @@
+# ==============================================
+# Policy File of /system/bin/ipsec Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type starter_exec , exec_type, file_type, vendor_file_type;
+type charon_exec , exec_type, file_type, vendor_file_type;
+type ipsec_exec , exec_type, file_type, vendor_file_type;
+type stroke_exec , exec_type, file_type, vendor_file_type;
+type ipsec, domain;
+
+net_domain(ipsec)
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.52
+# Operation : Feature developing for ePDG
+
+# Purpose : access xfrm
+allow ipsec proc_net:file write;
+
+# Purpose : set property for ip address with epdg_wod
+set_prop(ipsec, vendor_mtk_wod_prop)
+
+# Purpose : create socket for IKEv2 protocol
+allow ipsec node:udp_socket node_bind;
+allow ipsec port:tcp_socket name_connect;
+allow ipsec port:udp_socket name_bind;
+
+# Purpose : Query DNS address
+allow ipsec netd:unix_stream_socket connectto;
+allow ipsec dnsproxyd_socket:sock_file write;
+
+
+# Purpose : access socket of wod and property
+allow ipsec epdg_wod:unix_stream_socket { read write connectto };
+
+# Purpose : output to /dev/null
+allow ipsec epdg_wod:fd use;
+
+# Purpose : starter invoke charon
+allow ipsec charon_exec:file execute_no_trans;
+
+# Purpose : charon set fwmark
+allow ipsec fwmarkd_socket:sock_file write;
+
+# Purpose : kernel ip/route operations
+allow ipsec self:capability { net_admin net_bind_service kill };
+
+# Purpose : send/receive packet to/from peer
+allow ipsec self:tcp_socket { write getattr connect read getopt create };
+allow ipsec self:udp_socket { write bind create read setopt };
+
+# Purpose : kernel ip/route operations
+allow ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read };
+allow ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Purpose : charon read certs
+allow ipsec custom_file:dir { read open search };
+allow ipsec custom_file:file { read getattr open };
+
+# Purpose : read strongswan config file for IKEv2 Tunnel
+allow ipsec wod_apn_conf_file:dir { write read open search remove_name add_name create};
+allow ipsec wod_apn_conf_file:file { write read ioctl open getattr };
+allow ipsec wod_ipsec_conf_file:file { write read ioctl open getattr create append unlink };
+allow ipsec wod_ipsec_conf_file:dir { write read open search remove_name add_name };
+
+# Purpose : set alarm for DPD
+allow ipsec self:capability2 wake_alarm;
+
+allow ipsec devpts:chr_file { open read write };
+
+# to NETD
+unix_socket_connect(ipsec,netd,netd);
+allow netd ipsec:fd use;
+allow netd ipsec:tcp_socket { read write setopt getopt };
+allow netd ipsec:udp_socket {read write setopt getopt};
+
+# Propose: access configuration files
+allow ipsec wod_ipsec_conf_file:sock_file { write create unlink setattr };
+allow ipsec proc_modules:file getattr;
+allow ipsec proc_net:file getattr;
+allow ipsec vendor_configs_file:file ioctl;
+
+
diff --git a/modem/mtk_ims_ap_domain.te b/modem/mtk_ims_ap_domain.te
new file mode 100644
index 0000000..28be99a
--- /dev/null
+++ b/modem/mtk_ims_ap_domain.te
@@ -0,0 +1,10 @@
+unix_socket_connect(mtkimsapdomain, volte_imsvt, volte_imcb)
+allow mtkimsapdomain volte_vt_socket:dir { read write ioctl open remove_name add_name };
+allow mtkimsapdomain volte_vt_socket:dir write;
+allow mtkimsapdomain volte_vt_socket:sock_file { create unlink read write };
+allow mtkimsapdomain volte_ua:fd use;
+#allow mtkimsapdomain volte_ua:udp_socket {connect read write setopt getattr getopt shutdown};
+allow mtkimsapdomain volte_stack:unix_stream_socket connectto;
+
+unix_socket_connect(mtkimsapdomain, volte_stack, volte_stack)
+unix_socket_connect(mtkimsapdomain, volte_imsa, volte_imcb)
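Review bot: The comment `# Purpose : read strongswan config file for IKEv2 Tunnel` is contradicted by the rules under it, which grant `write`, `create`, `append`, `unlink`, `remove_name` and `add_name` on `wod_ipsec_conf_file` and `wod_apn_conf_file`; either the comment should say that the IPsec daemon also rewrites these files, or the write-class permissions should be trimmed to what charon actually needs, given that epdg_wod already owns creating them. `allow ipsec proc_net:file write;` under "access xfrm" is wider than its stated purpose — `proc_net` covers all of /proc/net and writing there is a sysctl-class operation — so the comment should name the node being written, and the rule is worth checking against the platform neverallow set for the target API level. `# Propose: access configuration files` should read `# Purpose:`.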
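Review bot: `allow mtkimsapdomain volte_vt_socket:dir write;` is already covered by the `{ read write ioctl open remove_name add_name }` set on the line above it and can be deleted. This file has no header or purpose comments, unlike every other .te file in the patch; at minimum it should say what the `mtkimsapdomain` attribute is (it is not declared here) and why an AP-side domain needs `create unlink` on the vt socket directory rather than only connecting to the socket. The commented-out `volte_ua:udp_socket` rule should either be removed or carry a note explaining why it was dropped, as epdg_wod.te does for its removed signal permissions.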
diff --git a/modem/property.te b/modem/property.te
new file mode 100644
index 0000000..4c9cab9
--- /dev/null
+++ b/modem/property.te
@@ -0,0 +1,17 @@
+#=============allow mtkmal to start volte==============
+
+vendor_internal_prop(vendor_mtk_ctl_volte_imcb_prop)
+vendor_internal_prop(vendor_mtk_ctl_volte_stack_prop)
+vendor_internal_prop(vendor_mtk_ctl_volte_ua_prop)
+vendor_restricted_prop(vendor_mtk_md_volte_prop)
+typeattribute vendor_mtk_md_volte_prop mtk_core_property_type;
+
+#=============allow wifi offload deamon ==============
+vendor_restricted_prop(vendor_mtk_wod_prop)
+vendor_restricted_prop(vendor_mtk_persist_wod_prop)
+
+typeattribute vendor_mtk_wod_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_wod_prop mtk_core_property_type;
+
+#=============allow volte md status deamon ==============
+vendor_internal_prop(vendor_mtk_md_status_prop)
diff --git a/modem/property_contexts b/modem/property_contexts
new file mode 100644
index 0000000..433d4bf
--- /dev/null
+++ b/modem/property_contexts
@@ -0,0 +1,16 @@
+#=============allow wifi offload deamon ==============
+vendor.wo. u:object_r:vendor_mtk_wod_prop:s0
+persist.vendor.wo. u:object_r:vendor_mtk_persist_wod_prop:s0
+
+#=============allow volte deamon ==============
+ctl.vendor.volte_imcb u:object_r:vendor_mtk_ctl_volte_imcb_prop:s0
+ctl.vendor.volte_stack u:object_r:vendor_mtk_ctl_volte_stack_prop:s0
+ctl.vendor.volte_ua u:object_r:vendor_mtk_ctl_volte_ua_prop:s0
+vendor.ril.volte. u:object_r:vendor_mtk_md_volte_prop:s0
+
+#=============allow MD APP==============
+ro.vendor.md_apps. u:object_r:vendor_mtk_default_prop:s0
+vendor.md_apps. u:object_r:vendor_mtk_default_prop:s0
+
+#=============allow MD status==============
+vendor.volte_md_status u:object_r:vendor_mtk_md_status_prop:s0
diff --git a/modem/volte_imcb.te b/modem/volte_imcb.te
new file mode 100644
index 0000000..893b962
--- /dev/null
+++ b/modem/volte_imcb.te
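Review bot: `vendor.volte_md_status u:object_r:vendor_mtk_md_status_prop:s0` has no trailing dot and no `exact` qualifier, so it is a prefix entry and will also label any future property whose name starts with `vendor.volte_md_status`; if a single property is meant, mark it `exact` with its type the way the platform property_contexts does, assuming the build for this target accepts that form. `vendor_mtk_default_prop` used by the two `md_apps` entries is not declared in this patch, so it presumably already exists in the bsp policy — worth a comment. The `ctl.vendor.volte_*` properties give whichever domain receives `set_prop` on them the power to start and stop those services; the header says "allow mtkmal to start volte" but no grant appears in this patch, so the comment should point at where the grant lives.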
@@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /system/bin/volte_imcb Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_imcb, domain, mtkimsmddomain;
+type volte_imcb_exec, exec_type, file_type, vendor_file_type;
+type volte_imsa_socket, file_type;
+type volte_imsvt_socket, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_imcb;
+init_daemon_domain(volte_imcb)
+net_domain(volte_imcb)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_imcb node:tcp_socket node_bind;
+allow volte_imcb port:tcp_socket name_bind;
+allow volte_imcb self:tcp_socket { bind create setopt accept listen };
+allow volte_imcb self:tcp_socket { read getattr };
+allow volte_imcb self:tcp_socket write;
+allow volte_imcb self:capability { setuid setgid };
+
+# Date : 2015/8/5
+# Operation : M Migration
+# Purpose : For imcb connect to ua by local socket
+unix_socket_connect(volte_imcb, volte_ua, volte_ua)
+
+allow volte_imcb volte_imcb_socket:sock_file write;
+allow volte_imcb volte_ut_socket:sock_file write;
+
+# Dtae : WK15.42
+# Operation : ViLTE Migration
+# Purpose : For open socket device to vtservice connect
+
+# Date : 2016/12/14
+# Purpose : TRM
+set_prop(volte_imcb, vendor_mtk_md_volte_prop)
+
+# to NETD
+allow volte_imcb netd:unix_stream_socket connectto;
+allow volte_imcb netd_socket:sock_file write;
+allow netd volte_imcb:fd use;
+allow netd volte_imcb:tcp_socket { read write setopt getopt };
+allow netd volte_imcb:udp_socket {read write setopt getopt};
+
+# Date : 2020/02/24
+# Purpose : pttyims
+allow volte_imcb mtk_radio_device:dir w_dir_perms;
+allow volte_imcb mtk_radio_device:lnk_file create_file_perms;
+allow volte_imcb devpts:chr_file setattr;
+allow volte_imcb self:capability2 wake_alarm;
+allow volte_imcb sysfs_ccci:dir search;
+allow volte_imcb sysfs_ccci:file r_file_perms;
+allow volte_imcb ccci_device:chr_file rw_file_perms;
+
diff --git a/modem/volte_imsm_93.te b/modem/volte_imsm_93.te
new file mode 100644
index 0000000..0fe8196
--- /dev/null
+++ b/modem/volte_imsm_93.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of volte_imsm_93 Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_imsm_93, domain, mtkimsmddomain;
+type volte_imsm_93_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive volte_imsm_93;
+init_daemon_domain(volte_imsm_93)
+net_domain(volte_imsm_93)
+
+allow volte_imsm_93 self:capability { setuid setgid net_admin chown};
+
+allow volte_imsm_93 self:udp_socket { create write bind read setopt ioctl getattr shutdown };
+
+# Prupose: IMCB connection
+allow volte_imsm_93 volte_imcb:unix_stream_socket connectto;
+allow volte_imsm_93 volte_imsa_socket:sock_file write;
+
+# Purpose: CCCI device
+allow volte_imsm_93 ccci_device:chr_file rw_file_perms;
+
+# Purpose: Routing
+allow volte_imsm_93 self:netlink_route_socket { connect write getattr setopt read bind create nlmsg_read nlmsg_write };
+
+# Purpose: Property
+set_prop(volte_imsm_93, vendor_mtk_md_volte_prop)
+set_prop(volte_imsm_93, vendor_mtk_ril_mux_report_case_prop)
+allow volte_imsm_93 mtk_radio_device:dir w_dir_perms;
+allow volte_imsm_93 mtk_radio_device:lnk_file create_file_perms;
+allow volte_imsm_93 devpts:chr_file { rw_file_perms setattr };
+allow volte_imsm_93 self:netlink_generic_socket { connect write getattr setopt read bind create };
diff --git a/modem/volte_md_status.te b/modem/volte_md_status.te
new file mode 100644
index 0000000..b88265c
--- /dev/null
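Review bot: The block `# Dtae : WK15.42` / `# Operation : ViLTE Migration` / `# Purpose : For open socket device to vtservice connect` is followed by no rule, so it documents nothing; either restore the rule it belonged to or delete the three lines (and fix "Dtae" to "Date" if kept). The three `self:tcp_socket` lines can be merged into one `allow volte_imcb self:tcp_socket { bind create setopt accept listen read getattr write };` — identical permissions, and the effective set is visible at a glance. `allow volte_imcb mtk_radio_device:lnk_file create_file_perms;` under "pttyims" lets the daemon create symlinks inside a device directory; a comment naming the link that is created and which domain follows it would pre-empt the question a later reviewer will ask about symlinks in a shared directory.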
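Review bot: `allow volte_imsm_93 self:capability { setuid setgid net_admin chown};` has no purpose comment although every other rule group in this file carries one; `chown` in particular is not explained by anything else in the file (the `devpts:chr_file setattr` rule is the only ownership-related one), and `net_admin` should say which route or generic-netlink operation needs it so the grant can be narrowed later. `# Prupose: IMCB connection` should read `# Purpose: IMCB connection`.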
+++ b/modem/volte_md_status.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of volte_md_status Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_md_status, domain, mtkimsmddomain;
+type volte_md_status_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive volte_md_status;
+init_daemon_domain(volte_md_status)
+
+# Purpose: CCCI device
+allow volte_md_status ccci_device:chr_file rw_file_perms;
+
+# Purpose: get set property
+allow volte_md_status property_socket:sock_file write;
+set_prop(volte_md_status, vendor_mtk_md_status_prop)
+
diff --git a/modem/volte_stack.te b/modem/volte_stack.te
new file mode 100644
index 0000000..eb154e5
--- /dev/null
+++ b/modem/volte_stack.te
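Review bot: `allow volte_md_status property_socket:sock_file write;` is redundant: the `set_prop()` macro on the next line already expands to `unix_socket_send(volte_md_status, property, init)`, which grants exactly that permission, so the explicit rule can be dropped. The daemon gets `rw_file_perms` on `ccci_device` although its name suggests it only reports modem status; if it only reads, `r_file_perms` plus whatever ioctl it needs would be tighter, but that depends on the binary and is a question for the author rather than a defect I can confirm from the policy alone.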
@@ -0,0 +1,56 @@
+# ==============================================
+# Policy File of /system/bin/volte_stack Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_stack, domain, mtkimsmddomain;
+type volte_stack_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_stack;
+init_daemon_domain(volte_stack)
+net_domain(volte_stack)
+
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_stack self:key_socket { write read create setopt };
+allow volte_stack self:capability net_admin;
+allow volte_stack self:capability { setuid setgid };
+allow volte_stack self:tcp_socket { bind create setopt listen };
+allow volte_stack self:udp_socket { write bind read setopt };
+allow volte_stack self:udp_socket create;
+allow volte_stack self:tcp_socket shutdown;
+allow volte_stack self:udp_socket shutdown;
+allow volte_stack node:tcp_socket node_bind;
+allow volte_stack node:udp_socket node_bind;
+allow volte_stack port:tcp_socket name_bind;
+allow volte_stack port:udp_socket name_bind;
+
+# Date : 2015/01/07
+# Operation : Migration
+# Purpose : for VoLTE L Pre-FT test, Pre-FT error show we need add tcp rule
+allow volte_stack self:tcp_socket accept;
+allow volte_stack self:tcp_socket read;
+allow volte_stack self:tcp_socket write;
+allow volte_stack self:tcp_socket getattr;
+allow volte_stack self:tcp_socket connect;
+allow volte_stack port:tcp_socket name_connect;
+
+allow volte_stack volte_stack_socket:sock_file write;
+
+# Date : 2016/06/21
+# Operation : ims_ipsec_lib performance
+# Purpose : use netlink
+allow volte_stack self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read};
+
+# to NETD
+allow volte_stack netd:unix_stream_socket connectto;
+allow volte_stack netd_socket:sock_file write;
+allow netd volte_stack:fd use;
+allow netd volte_stack:tcp_socket { read write setopt getopt };
+allow netd volte_stack:udp_socket {read write setopt getopt};
diff --git a/modem/volte_ua.te b/modem/volte_ua.te
new file mode 100644
index 0000000..88e98c6
--- /dev/null
+++ b/modem/volte_ua.te
@@ -0,0 +1,51 @@
+# ==============================================
+# Policy File of /system/bin/volte_ua Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type volte_ua, domain, mtkimsmddomain;
+type volte_ua_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+#permissive volte_ua;
+init_daemon_domain(volte_ua)
+net_domain(volte_ua)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow volte_ua node:udp_socket node_bind;
+allow volte_ua self:udp_socket { bind create };
+allow volte_ua self:udp_socket read;
+allow volte_ua self:capability { setuid setgid };
+
+# Date : 2015/8/5
+# Operation : M Migration
+# Purpose : For ua connect to stack by local socke
+unix_socket_connect(volte_ua, volte_stack, volte_stack)
+
+allow volte_ua volte_ua_socket:sock_file write;
+
+# Date : 2015/09/30
+# Operation: Permission to use unix domain soccket
+# Purpose: change socket between vtservice and volte_ua
+allow volte_ua self:udp_socket setopt;
+
+#for timer
+allow volte_ua self:capability2 wake_alarm;
+
+# Date: 2016/12/02
+# purpose: allow volte to access aee socket
+
+# to NETD
+allow volte_ua netd:unix_stream_socket connectto;
+allow volte_ua netd_socket:sock_file write;
+allow netd volte_ua:fd use;
+allow netd volte_ua:tcp_socket { read write setopt getopt };
+allow netd volte_ua:udp_socket {read write setopt getopt};
+
+#for wfca socket
+unix_socket_connect(volte_ua, wfca, wfca)
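Review bot: The `self:tcp_socket` permissions are spread over seven `allow` lines across two dated blocks (`{ bind create setopt listen }`, `shutdown`, then `accept`, `read`, `write`, `getattr`, `connect` one per line) and `self:udp_socket` over three; merging each into a single rule, e.g. `allow volte_stack self:tcp_socket { bind create setopt listen shutdown accept read write getattr connect };`, keeps the history in the comments while making the effective permission set auditable at a glance. `allow volte_stack self:key_socket { write read create setopt };` together with `netlink_xfrm_socket` means this domain can install IPsec SAs and policies itself; that is presumably what ims_ipsec_lib is for, but the comment `# Purpose : use netlink` should say so, since a PF_KEY grant is a notable capability for a SIP stack.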
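Review bot: `# Date: 2016/12/02` / `# purpose: allow volte to access aee socket` has no rule under it, so it is a dangling comment — delete it or restore what it described. The udp_socket permissions are split over three lines (`{ bind create }`, `read`, `setopt`) with `setopt` sitting under an unrelated "unix domain socket" comment; merging them under the first block would be clearer. Typos in the comments: "socke" → "socket", "soccket" → "socket".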
diff --git a/modem/wfca.te b/modem/wfca.te
new file mode 100644
index 0000000..f574976
--- /dev/null
+++ b/modem/wfca.te
@@ -0,0 +1,50 @@
+# ==============================================
+# Policy File of /system/bin/wfca Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wfca, domain, mtkimsmddomain;
+type wfca_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive wfca;
+init_daemon_domain(wfca)
+net_domain(wfca)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for WFCA send RTP/RTCP
+allow wfca self:capability { net_raw setuid setgid net_admin};
+allow wfca self:udp_socket { create write bind read setopt ioctl getattr shutdown };
+allow wfca node:udp_socket node_bind;
+allow wfca port:udp_socket name_bind;
+allow wfca fwmarkd_socket:sock_file write;
+
+# Date : 2015/03/27
+# Operation : Migration
+# Purpose : for access ccci device
+allow wfca ccci_device:chr_file { read write open ioctl };
+
+# Purpose : for WakeUpLock
+allow wfca sysfs_wake_lock:file { read write open };
+
+# Purpose : for raw socket
+allow wfca self:rawip_socket { create write bind setopt read getattr};
+allow wfca node:rawip_socket {node_bind};
+
+# Date : 2015/06/25
+# Purpose : for UA socket pass
+allow wfca volte_ua:fd use;
+allow wfca volte_ua:udp_socket {read write setopt getattr getopt shutdown};
+
+# Purpose : For Ping ICMP feature
+allow wfca self:packet_socket { read create setopt };
+
+# Purpose : add Vinson permission
+dontaudit wfca self:capability dac_override;
+allow wfca self:capability2 block_suspend;
+
+allow wfca wfca_socket:sock_file write;
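Review bot: `dontaudit wfca self:capability dac_override;` under `# Purpose : add Vinson permission` silences DAC-bypass attempts while the comment names a person rather than a reason; a dontaudit on dac_override is normally a sign that some file or socket the daemon opens has the wrong owner or mode, which is better fixed in the init/ueventd configuration than masked, and if it really is benign the comment should say which operation trips it, e.g. `# Purpose : suppress dac_override audit from <operation> (benign, see <tracking reference>)`. `allow wfca self:packet_socket { read create setopt };` for "Ping ICMP" is broader than an ICMP socket needs — a packet socket sees all link-layer traffic — so confirm the binary cannot use an `icmp_socket` or the existing `rawip_socket` instead. The header again says `/system/bin/wfca` while file_contexts labels the vendor path.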