From 961041ba3e23f8930ca7735c75f77091e965be1d Mon Sep 17 00:00:00 2001 
From: TheMalachite Date: Sun, 14 Aug 2022 15:07:12 +0200 Subject: [PATCH] mtk-sepolicy: Initial SEPolicy rules --- BoardSEPolicyConfig.mk | 32 + basic/debug/non_plat/aee_aedv.te | 500 +++++++++ basic/debug/non_plat/aee_core_forwarder.te | 19 + basic/debug/non_plat/aee_hal.te | 25 + basic/debug/non_plat/atcid.te | 10 + basic/debug/non_plat/audioserver.te | 3 + basic/debug/non_plat/ccci_mdinit.te | 1 + basic/debug/non_plat/connsyslogger.te | 75 ++ basic/debug/non_plat/crash_dump.te | 27 + basic/debug/non_plat/device.te | 6 + basic/debug/non_plat/domain.te | 5 + basic/debug/non_plat/dumpstate.te | 126 +++ basic/debug/non_plat/emdlogger.te | 124 +++ basic/debug/non_plat/file.te | 86 ++ basic/debug/non_plat/file_contexts | 37 + basic/debug/non_plat/genfs_contexts | 72 ++ basic/debug/non_plat/hal_mtk_aee.te | 10 + basic/debug/non_plat/hal_mtk_log.te | 8 + basic/debug/non_plat/hwservice.te | 1 + basic/debug/non_plat/hwservice_contexts | 1 + basic/debug/non_plat/loghidlsysservice.te | 10 + basic/debug/non_plat/loghidlvendorservice.te | 30 + basic/debug/non_plat/mdlogger.te | 58 ++ basic/debug/non_plat/meta_tst.te | 7 + basic/debug/non_plat/mobile_log_d.te | 73 ++ basic/debug/non_plat/modemdbfilter_service.te | 19 + basic/debug/non_plat/mtk_hal_camera.te | 26 + basic/debug/non_plat/mtkrild.te | 2 + basic/debug/non_plat/netd.te | 22 + basic/debug/non_plat/netdiag.te | 26 + basic/debug/non_plat/platform_app.te | 100 ++ basic/debug/non_plat/property.te | 11 + basic/debug/non_plat/property_contexts | 9 + basic/debug/non_plat/rild.te | 3 + basic/debug/non_plat/shell.te | 3 + basic/debug/non_plat/system_app.te | 6 + basic/debug/non_plat/system_server.te | 12 + basic/debug/non_plat/vendor_init.te | 5 + basic/debug/non_plat/vendor_shell.te | 5 + .../debug/plat_private/aee_core_forwarder.te | 91 ++ basic/debug/plat_private/connsyslogger.te | 15 + basic/debug/plat_private/crash_dump.te | 29 + basic/debug/plat_private/dumpstate.te | 18 + basic/debug/plat_private/emdlogger.te | 87 ++ 
basic/debug/plat_private/file_contexts | 29 + basic/debug/plat_private/init.te | 1 + basic/debug/plat_private/kernel.te | 6 + basic/debug/plat_private/loghidlsysservice.te | 16 + basic/debug/plat_private/mdlogger.te | 65 ++ basic/debug/plat_private/mobile_log_d.te | 105 ++ .../plat_private/modemdbfilter_client.te | 20 + basic/debug/plat_private/netdiag.te | 102 ++ basic/debug/plat_private/network_stack.te | 3 + basic/debug/plat_private/platform_app.te | 37 + basic/debug/plat_private/property.te | 8 + basic/debug/plat_private/property_contexts | 5 + basic/debug/plat_private/radio.te | 5 + basic/debug/plat_private/shell.te | 3 + basic/debug/plat_private/system_server.te | 9 + basic/debug/plat_public/aee_core_forwarder.te | 7 + basic/debug/plat_public/attributes | 13 + basic/debug/plat_public/connsyslogger.te | 7 + basic/debug/plat_public/emdlogger.te | 7 + basic/debug/plat_public/loghidlsysservice.te | 7 + basic/debug/plat_public/mdlogger.te | 7 + basic/debug/plat_public/mobile_log_d.te | 7 + .../debug/plat_public/modemdbfilter_client.te | 7 + basic/debug/plat_public/property.te | 2 + basic/non_plat/DcxoSetCap.te | 26 + basic/non_plat/adbd.te | 9 + basic/non_plat/app.te | 56 + basic/non_plat/atci_service.te | 130 +++ basic/non_plat/atcid.te | 92 ++ basic/non_plat/audiocmdservice_atci.te | 33 + basic/non_plat/audioserver.te | 48 + basic/non_plat/biosensord_nvram.te | 22 + basic/non_plat/bip_ap.te | 34 + basic/non_plat/bluetooth.te | 32 + basic/non_plat/boot_logo_updater.te | 27 + basic/non_plat/bootanim.te | 40 + basic/non_plat/bp_kmsetkey_ca.te | 1 + basic/non_plat/bt_dump.te | 28 + basic/non_plat/cameraserver.te | 63 ++ basic/non_plat/ccci_fsd.te | 77 ++ basic/non_plat/ccci_mdinit.te | 168 +++ basic/non_plat/ccci_rpcd.te | 1 + basic/non_plat/chipinfo.te | 11 + basic/non_plat/cmddumper.te | 29 + basic/non_plat/conninfra_loader.te | 20 + basic/non_plat/crash_dump.te | 58 ++ basic/non_plat/dconfig.te | 1 + basic/non_plat/device.te | 380 +++++++ 
basic/non_plat/dmc_core.te | 1 + basic/non_plat/domain.te | 23 + basic/non_plat/drmserver.te | 10 + basic/non_plat/dumpstate.te | 122 +++ basic/non_plat/e2fs.te | 34 + basic/non_plat/eara_io.te | 31 + basic/non_plat/em_hidl.te | 138 +++ basic/non_plat/em_svr.te | 12 + basic/non_plat/emcamera_app.te | 1 + basic/non_plat/ephemeral_app.te | 12 + basic/non_plat/factory.te | 521 ++++++++++ basic/non_plat/fastbootd.te | 20 + basic/non_plat/file.te | 660 ++++++++++++ basic/non_plat/file_contexts | 971 ++++++++++++++++++ basic/non_plat/flashlessd.te | 1 + basic/non_plat/fm_hidl_service.te | 16 + basic/non_plat/fpsgo_native.te | 52 + basic/non_plat/fsck.te | 18 + basic/non_plat/fuelgauged.te | 61 ++ basic/non_plat/fuelgauged_nvram.te | 56 + basic/non_plat/gbe_native.te | 23 + basic/non_plat/genfs_contexts | 674 ++++++++++++ basic/non_plat/getgameserver.te | 1 + basic/non_plat/gpuservice.te | 8 + basic/non_plat/gsm0710muxd.te | 40 + basic/non_plat/hal_audio.te | 11 + basic/non_plat/hal_bluetooth.te | 5 + basic/non_plat/hal_bootctl_default.te | 16 + basic/non_plat/hal_camera.te | 14 + basic/non_plat/hal_cas_default.te | 9 + basic/non_plat/hal_drm_clearkey.te | 17 + basic/non_plat/hal_drm_default.te | 8 + basic/non_plat/hal_drm_widevine.te | 22 + basic/non_plat/hal_gnss.te | 6 + basic/non_plat/hal_gnss_default.te | 8 + basic/non_plat/hal_graphics_allocator.te | 8 + .../hal_graphics_allocator_default.te | 12 + basic/non_plat/hal_graphics_composer.te | 2 + .../non_plat/hal_graphics_composer_default.te | 79 ++ basic/non_plat/hal_ir_default.te | 5 + basic/non_plat/hal_keymaster.te | 9 + basic/non_plat/hal_keymaster_attestation.te | 19 + basic/non_plat/hal_keymaster_default.te | 8 + basic/non_plat/hal_keymint_default.te | 16 + basic/non_plat/hal_memtrack.te | 25 + basic/non_plat/hal_mtk_atci.te | 8 + basic/non_plat/hal_mtk_bgs.te | 8 + basic/non_plat/hal_mtk_em.te | 8 + basic/non_plat/hal_mtk_fm.te | 10 + basic/non_plat/hal_mtk_hdmi.te | 8 + basic/non_plat/hal_mtk_imsa.te | 8 + 
basic/non_plat/hal_mtk_keyattestation.te | 8 + basic/non_plat/hal_mtk_lbs.te | 10 + basic/non_plat/hal_mtk_md_dbfilter.te | 8 + basic/non_plat/hal_mtk_mmagent.te | 6 + basic/non_plat/hal_mtk_mms.te | 13 + basic/non_plat/hal_mtk_nvramagent.te | 9 + basic/non_plat/hal_mtk_pq.te | 8 + basic/non_plat/hal_nfc.te | 5 + basic/non_plat/hal_tee_default.te | 1 + basic/non_plat/hal_teeregistry_default.te | 1 + basic/non_plat/hal_telephony.te | 8 + basic/non_plat/hal_thermal_default.te | 18 + basic/non_plat/hal_vibrator.te | 10 + basic/non_plat/hal_vibrator_default.te | 6 + basic/non_plat/hal_wifi.te | 8 + basic/non_plat/hal_wifi_default.te | 18 + basic/non_plat/hwservice.te | 76 ++ basic/non_plat/hwservice_contexts | 89 ++ basic/non_plat/init.te | 148 +++ basic/non_plat/init_insmod_sh.te | 17 + basic/non_plat/init_thh_service.te | 1 + basic/non_plat/ioctl_defines | 120 +++ basic/non_plat/ioctl_macros | 33 + basic/non_plat/ipsec_mon.te | 1 + basic/non_plat/kernel.te | 87 ++ basic/non_plat/keystore.te | 8 + basic/non_plat/kisd.te | 31 + basic/non_plat/lbs_hidl_service.te | 14 + basic/non_plat/lmkd.te | 26 + basic/non_plat/md_monitor.te | 1 + basic/non_plat/mediacodec.te | 147 +++ basic/non_plat/mediadrmserver.te | 9 + basic/non_plat/mediaextractor.te | 17 + basic/non_plat/mediahelper.te | 7 + basic/non_plat/mediaserver.te | 309 ++++++ basic/non_plat/mediaswcodec.te | 16 + basic/non_plat/merged_hal_service.te | 68 ++ basic/non_plat/meta_tst.te | 414 ++++++++ basic/non_plat/mmc_ffu.te | 19 + basic/non_plat/mnld.te | 121 +++ basic/non_plat/mobicore.te | 1 + basic/non_plat/mobicore_app.te | 1 + basic/non_plat/mtk_agpsd.te | 68 ++ basic/non_plat/mtk_hal_audio.te | 239 +++++ basic/non_plat/mtk_hal_bluetooth.te | 61 ++ basic/non_plat/mtk_hal_c2.te | 64 ++ basic/non_plat/mtk_hal_camera.te | 380 +++++++ .../non_plat/mtk_hal_codecservice_default.te | 1 + basic/non_plat/mtk_hal_dfps.te | 1 + basic/non_plat/mtk_hal_dplanner.te | 1 + basic/non_plat/mtk_hal_gnss.te | 22 + 
basic/non_plat/mtk_hal_hdmi.te | 34 + basic/non_plat/mtk_hal_imsa.te | 28 + basic/non_plat/mtk_hal_keyinstall.te | 3 + basic/non_plat/mtk_hal_keymanage.te | 24 + basic/non_plat/mtk_hal_light.te | 14 + basic/non_plat/mtk_hal_memtrack.te | 19 + basic/non_plat/mtk_hal_mmagent.te | 28 + basic/non_plat/mtk_hal_mms.te | 60 ++ basic/non_plat/mtk_hal_neuralnetworks.te | 5 + basic/non_plat/mtk_hal_nvramagent.te | 52 + basic/non_plat/mtk_hal_nwk_opt.te | 1 + basic/non_plat/mtk_hal_omadm.te | 1 + basic/non_plat/mtk_hal_power.te | 317 ++++++ basic/non_plat/mtk_hal_pq.te | 48 + basic/non_plat/mtk_hal_secure_element.te | 18 + basic/non_plat/mtk_hal_sensors.te | 78 ++ basic/non_plat/mtk_hal_thp.te | 1 + basic/non_plat/mtk_hal_touchll.te | 1 + basic/non_plat/mtk_hal_usb.te | 16 + basic/non_plat/mtk_hal_wfo.te | 1 + basic/non_plat/mtk_hal_wifi.te | 13 + basic/non_plat/mtk_pkm_service.te | 1 + .../non_plat/mtk_safe_halserverdomain_type.te | 8 + basic/non_plat/mtk_wmt_launcher.te | 25 + basic/non_plat/mtkbootanimation.te | 28 + basic/non_plat/mtkrild.te | 143 +++ basic/non_plat/muxreport.te | 36 + basic/non_plat/netd.te | 42 + basic/non_plat/netdagent.te | 1 + basic/non_plat/nfcstackp_vendor.te | 1 + basic/non_plat/nvram_daemon.te | 79 ++ basic/non_plat/platform_app.te | 40 + basic/non_plat/postinstall.te | 7 + basic/non_plat/ppl_agent.te | 1 + basic/non_plat/priv_app.te | 12 + basic/non_plat/property.te | 201 ++++ basic/non_plat/property_contexts | 382 +++++++ basic/non_plat/radio.te | 55 + basic/non_plat/rcs_volte_stack.te | 1 + basic/non_plat/recovery.te | 54 + basic/non_plat/remosaic_daemon.te | 1 + basic/non_plat/rild.te | 185 ++++ basic/non_plat/sensorhub_app.te | 1 + basic/non_plat/servicemanager.te | 11 + basic/non_plat/shell.te | 17 + basic/non_plat/slpd.te | 18 + basic/non_plat/smartcharging.te | 40 + basic/non_plat/spm_loader.te | 19 + basic/non_plat/st54spi_hal_secure_element.te | 10 + basic/non_plat/statusd.te | 1 + basic/non_plat/stflashtool.te | 1 + 
basic/non_plat/stp_dump3.te | 31 + basic/non_plat/surfaceflinger.te | 100 ++ basic/non_plat/system_app.te | 44 + basic/non_plat/system_server.te | 278 +++++ basic/non_plat/teei_hal_capi.te | 3 + basic/non_plat/teei_hal_ifaa.te | 1 + basic/non_plat/teei_hal_thh.te | 3 + basic/non_plat/teei_hal_tui.te | 3 + basic/non_plat/teei_hal_wechat.te | 1 + basic/non_plat/tesiai_hal_hdcp.te | 1 + basic/non_plat/thermal.te | 1 + basic/non_plat/thermal_core.te | 85 ++ basic/non_plat/thermal_manager.te | 47 + basic/non_plat/thermalloadalgod.te | 45 + basic/non_plat/ueventd.te | 17 + basic/non_plat/uncrypt.te | 17 + basic/non_plat/untrusted_app.te | 10 + basic/non_plat/untrusted_app_25.te | 18 + basic/non_plat/untrusted_app_all.te | 12 + basic/non_plat/update_engine.te | 63 ++ basic/non_plat/vendor_init.te | 163 +++ basic/non_plat/viarild.te | 1 + basic/non_plat/vold.te | 47 + basic/non_plat/volte_clientapi_ua.te | 1 + basic/non_plat/volte_rcs_ua.te | 1 + basic/non_plat/vpud_native.te | 49 + basic/non_plat/vtservice_hidl.te | 2 + basic/non_plat/wifi_dump.te | 27 + basic/non_plat/wlan_assistant.te | 39 + basic/non_plat/wmt_loader.te | 33 + basic/non_plat/wo_epdg_client.te | 1 + basic/non_plat/wo_ipsec.te | 1 + basic/non_plat/xgff_test_native.te | 24 + basic/non_plat/zygote.te | 31 + basic/plat_private/aal.te | 1 + basic/plat_private/adbd.te | 6 + basic/plat_private/app.te | 8 + basic/plat_private/audioserver.te | 62 ++ basic/plat_private/batterywarning.te | 1 + basic/plat_private/bluetooth.te | 48 + basic/plat_private/boot_logo_updater.te | 39 + basic/plat_private/bootanim.te | 39 + basic/plat_private/cmddumper.te | 36 + basic/plat_private/compat/30.0/30.0.cil | 162 +++ .../plat_private/compat/30.0/31.0.compat.cil | 1 + .../plat_private/compat/30.0/31.0.ignore.cil | 8 + basic/plat_private/coredomain.te | 7 + basic/plat_private/crash_dump.te | 97 ++ basic/plat_private/device.te | 6 + basic/plat_private/domain.te | 3 + basic/plat_private/drmserver.te | 5 + 
basic/plat_private/dumpstate.te | 36 + basic/plat_private/em_svr.te | 48 + basic/plat_private/file.te | 37 + basic/plat_private/file_contexts | 55 + basic/plat_private/genfs_contexts | 33 + basic/plat_private/init.te | 17 + basic/plat_private/lbs_dbg.te | 48 + basic/plat_private/mediahelper.te | 9 + basic/plat_private/mediaserver.te | 8 + basic/plat_private/mediatranscoding.te | 8 + basic/plat_private/met_log_d.te | 1 + basic/plat_private/mmp.te | 1 + basic/plat_private/mtk_plpath_utils.te | 4 + basic/plat_private/mtkbootanimation.te | 77 ++ basic/plat_private/platform_app.te | 9 + basic/plat_private/ppp.te | 8 + basic/plat_private/property.te | 65 ++ basic/plat_private/property_contexts | 80 ++ basic/plat_private/radio.te | 38 + basic/plat_private/recovery.te | 9 + basic/plat_private/resize.te | 1 + basic/plat_private/service_contexts | 9 + basic/plat_private/shared_relro.te | 7 + basic/plat_private/shell.te | 9 + basic/plat_private/surfaceflinger.te | 18 + basic/plat_private/system_app.te | 24 + basic/plat_private/system_server.te | 53 + basic/plat_private/teed_app.te | 1 + basic/plat_private/tombstoned.te | 9 + basic/plat_private/uncrypt.te | 5 + basic/plat_private/vendor_init.te | 3 + basic/plat_public/GoogleOtaBinder.te | 8 + basic/plat_public/apmsrv_app.te | 9 + basic/plat_public/atci_service_sys.te | 9 + basic/plat_public/attributes | 113 ++ basic/plat_public/boot_logo_updater.te | 7 + basic/plat_public/camerapostalgo.te | 8 + basic/plat_public/capability_app.te | 8 + basic/plat_public/cmddumper.te | 7 + basic/plat_public/device.te | 5 + basic/plat_public/em_app.te | 8 + basic/plat_public/em_svr.te | 7 + basic/plat_public/file.te | 17 + basic/plat_public/global_macros | 12 + basic/plat_public/kpoc_charger.te | 7 + basic/plat_public/mdi_redirector.te | 5 + basic/plat_public/mdmi_redirector.te | 5 + basic/plat_public/mediahelper.te | 6 + basic/plat_public/mtk_advcamserver.te | 8 + basic/plat_public/mtkbootanimation.te | 8 + basic/plat_public/netd.te | 6 + 
basic/plat_public/netdiag.te | 7 + basic/plat_public/osi.te | 5 + basic/plat_public/property.te | 18 + basic/plat_public/rsu_app.te | 4 + basic/plat_public/teeregistryd_app.te | 5 + basic/plat_public/terservice.te | 8 + basic/plat_public/thermald.te | 7 + basic/plat_public/usp_service.te | 7 + basic/plat_public/vtservice.te | 9 + bsp/debug/non_plat/aee_aedv.te | 11 + bsp/debug/non_plat/domain.te | 4 + bsp/debug/non_plat/file.te | 9 + bsp/debug/non_plat/logd.te | 2 + bsp/debug/non_plat/platform_app.te | 6 + bsp/debug/non_plat/rild.te | 4 + bsp/debug/non_plat/shell.te | 4 + bsp/debug/non_plat/surfaceflinger.te | 1 + bsp/debug/non_plat/system_app.te | 8 + bsp/debug/non_plat/system_server.te | 9 + bsp/debug/non_plat/untrusted_app.te | 9 + bsp/debug/non_plat/viarild.te | 2 + bsp/debug/plat_private/domain.te | 4 + bsp/debug/plat_private/em_app.te | 2 + bsp/debug/plat_private/emdlogger.te | 7 + bsp/debug/plat_private/mobile_log_d.te | 9 + bsp/debug/plat_private/platform_app.te | 5 + bsp/debug/plat_private/system_server.te | 7 + bsp/non_plat/GoogleOtaBinder.te | 10 + bsp/non_plat/apmsrv_app.te | 11 + bsp/non_plat/app.te | 14 + bsp/non_plat/atci_service_sys.te | 22 + bsp/non_plat/audioserver.te | 23 + bsp/non_plat/bluetooth.te | 22 + bsp/non_plat/boot_logo_updater.te | 5 + bsp/non_plat/bootanim.te | 15 + bsp/non_plat/bp_kmsetkey_ca.te | 14 + bsp/non_plat/camerapostalgo.te | 26 + bsp/non_plat/cameraserver.te | 32 + bsp/non_plat/capability_app.te | 9 + bsp/non_plat/ccci_mdinit.te | 8 + bsp/non_plat/ccci_rpcd.te | 22 + bsp/non_plat/dconfig.te | 18 + bsp/non_plat/dmc_core.te | 39 + bsp/non_plat/domain.te | 23 + bsp/non_plat/drmserver.te | 143 +++ bsp/non_plat/dumpstate.te | 11 + bsp/non_plat/e2fs.te | 9 + bsp/non_plat/em_app.te | 120 +++ bsp/non_plat/em_hidl.te | 57 + bsp/non_plat/em_svr.te | 14 + bsp/non_plat/emcamera_app.te | 29 + bsp/non_plat/factory.te | 47 + bsp/non_plat/file.te | 123 +++ bsp/non_plat/file_contexts | 276 +++++ bsp/non_plat/flashlessd.te | 19 + 
bsp/non_plat/fsck.te | 8 + bsp/non_plat/gatekeeperd.te | 28 + bsp/non_plat/genfs_contexts | 55 + bsp/non_plat/getgameserver.te | 22 + bsp/non_plat/hal_clientapi.te | 12 + bsp/non_plat/hal_dfps.te | 6 + bsp/non_plat/hal_drm_widevine.te | 35 + bsp/non_plat/hal_fingerprint_default.te | 21 + .../hal_graphics_allocator_default.te | 3 + bsp/non_plat/hal_graphics_composer_default.te | 39 + bsp/non_plat/hal_keymaster_attestation.te | 17 + bsp/non_plat/hal_keymaster_default.te | 33 + bsp/non_plat/hal_keymint_default.te | 4 + bsp/non_plat/hal_mtk_apm.te | 8 + bsp/non_plat/hal_mtk_dmc.te | 8 + bsp/non_plat/hal_mtk_omadm.te | 8 + bsp/non_plat/hal_mtk_thp.te | 9 + bsp/non_plat/hal_mtk_touchll.te | 8 + bsp/non_plat/hal_mtk_wfo.te | 8 + bsp/non_plat/hal_presence.te | 6 + bsp/non_plat/hal_rcs.te | 13 + bsp/non_plat/hal_tee.te | 9 + bsp/non_plat/hal_tee_default.te | 20 + bsp/non_plat/hal_teei_capi.te | 8 + bsp/non_plat/hal_teei_ifaa.te | 8 + bsp/non_plat/hal_teei_thh.te | 8 + bsp/non_plat/hal_teei_tui.te | 8 + bsp/non_plat/hal_teei_wechat.te | 8 + bsp/non_plat/hal_teeregistry.te | 9 + bsp/non_plat/hal_teeregistry_default.te | 21 + bsp/non_plat/hal_tesiai_hdcp.te | 6 + bsp/non_plat/hal_tetheroffload_default.te | 37 + bsp/non_plat/hal_wifi_supplicant_default.te | 6 + bsp/non_plat/healthd.te | 5 + bsp/non_plat/hwservice.te | 55 + bsp/non_plat/hwservice_contexts | 119 +++ bsp/non_plat/init.te | 39 + bsp/non_plat/init_thh_service.te | 22 + bsp/non_plat/installd.te | 36 + bsp/non_plat/ipsec_mon.te | 29 + bsp/non_plat/kernel.te | 11 + bsp/non_plat/kpoc_charger.te | 39 + bsp/non_plat/logd.te | 7 + bsp/non_plat/logo_updater.te | 7 + bsp/non_plat/md_monitor.te | 57 + bsp/non_plat/md_monitor_hal.te | 5 + bsp/non_plat/mdi_redirector.te | 6 + bsp/non_plat/mdmi_redirector.te | 6 + bsp/non_plat/mediacodec.te | 79 ++ bsp/non_plat/mediaserver.te | 106 ++ bsp/non_plat/mediaswcodec.te | 7 + bsp/non_plat/merged_hal_service.te | 5 + bsp/non_plat/meta_tst.te | 89 ++ bsp/non_plat/mobicore.te | 33 + 
bsp/non_plat/mobicore_app.te | 16 + bsp/non_plat/mtk_advcamserver.te | 14 + bsp/non_plat/mtk_agpsd.te | 13 + bsp/non_plat/mtk_hal_audio.te | 2 + bsp/non_plat/mtk_hal_c2.te | 12 + bsp/non_plat/mtk_hal_camera.te | 105 ++ bsp/non_plat/mtk_hal_codecservice_default.te | 10 + bsp/non_plat/mtk_hal_dfps.te | 23 + bsp/non_plat/mtk_hal_dplanner.te | 30 + bsp/non_plat/mtk_hal_keyinstall.te | 24 + bsp/non_plat/mtk_hal_netdagent.te | 6 + bsp/non_plat/mtk_hal_neuralnetworks.te | 88 ++ bsp/non_plat/mtk_hal_nwk_opt.te | 20 + bsp/non_plat/mtk_hal_omadm.te | 26 + bsp/non_plat/mtk_hal_power.te | 37 + bsp/non_plat/mtk_hal_pplagent.te | 9 + bsp/non_plat/mtk_hal_pq.te | 22 + bsp/non_plat/mtk_hal_thp.te | 22 + bsp/non_plat/mtk_hal_touchll.te | 8 + bsp/non_plat/mtk_hal_wfo.te | 15 + bsp/non_plat/mtk_pkm_service.te | 44 + bsp/non_plat/mtkfusionrild.te | 88 ++ bsp/non_plat/mtkimsmddomain.te | 76 ++ bsp/non_plat/mtkrild.te | 22 + bsp/non_plat/netd.te | 17 + bsp/non_plat/netdagent.te | 23 + bsp/non_plat/netutils_wrapper.te | 18 + bsp/non_plat/nfc.te | 70 ++ bsp/non_plat/nfcstackp_vendor.te | 20 + bsp/non_plat/osi.te | 7 + bsp/non_plat/platform_app.te | 121 +++ bsp/non_plat/ppl_agent.te | 64 ++ bsp/non_plat/priv_app.te | 8 + bsp/non_plat/property.te | 216 ++++ bsp/non_plat/property_contexts | 348 +++++++ bsp/non_plat/radio.te | 103 ++ bsp/non_plat/rcs_volte_stack.te | 31 + bsp/non_plat/remosaic_daemon.te | 12 + bsp/non_plat/rild.te | 60 ++ bsp/non_plat/rsu_app.te | 3 + bsp/non_plat/seapp_contexts | 13 + bsp/non_plat/sensorhub_app.te | 25 + bsp/non_plat/service_contexts | 8 + bsp/non_plat/shell.te | 24 + bsp/non_plat/statusd.te | 59 ++ bsp/non_plat/stflashtool.te | 15 + bsp/non_plat/surfaceflinger.te | 96 ++ bsp/non_plat/system_app.te | 165 +++ bsp/non_plat/system_server.te | 148 +++ bsp/non_plat/tee.te | 83 ++ bsp/non_plat/teei_hal_capi.te | 21 + bsp/non_plat/teei_hal_ifaa.te | 12 + bsp/non_plat/teei_hal_thh.te | 20 + bsp/non_plat/teei_hal_tui.te | 17 + bsp/non_plat/teei_hal_wechat.te | 12 + 
bsp/non_plat/terservice.te | 11 + bsp/non_plat/tesiai_hal_hdcp.te | 31 + bsp/non_plat/thermal.te | 37 + bsp/non_plat/thermal_manager.te | 5 + bsp/non_plat/thermald.te | 12 + bsp/non_plat/ueventd.te | 15 + bsp/non_plat/untrusted_app.te | 36 + bsp/non_plat/untrusted_app_25.te | 19 + bsp/non_plat/untrusted_app_27.te | 14 + bsp/non_plat/untrusted_app_29.te | 8 + bsp/non_plat/untrusted_app_all.te | 14 + bsp/non_plat/usp_service.te | 8 + bsp/non_plat/ut_ta_manager_service.te | 7 + bsp/non_plat/vendor_init.te | 76 ++ bsp/non_plat/vendor_shell.te | 8 + bsp/non_plat/viarild.te | 81 ++ bsp/non_plat/vndservice.te | 5 + bsp/non_plat/vndservice_contexts | 6 + bsp/non_plat/vold.te | 13 + bsp/non_plat/volte_clientapi_ua.te | 22 + bsp/non_plat/volte_rcs_ua.te | 38 + bsp/non_plat/vpud_native.te | 11 + bsp/non_plat/vtservice.te | 181 ++++ bsp/non_plat/vtservice_hidl.te | 46 + bsp/non_plat/wo_epdg_client.te | 58 ++ bsp/non_plat/wo_ipsec.te | 64 ++ bsp/non_plat/wpa.te | 9 + bsp/non_plat/zygote.te | 33 + bsp/ota_upgrade/file_contexts | 10 + bsp/ota_upgrade/move-widevine-data-sh.te | 23 + bsp/plat_private/GoogleOtaBinder.te | 25 + bsp/plat_private/aal.te | 46 + bsp/plat_private/apmsrv_app.te | 22 + bsp/plat_private/atci_service_sys.te | 12 + bsp/plat_private/audioserver.te | 11 + bsp/plat_private/batterywarning.te | 36 + bsp/plat_private/bluetooth.te | 8 + bsp/plat_private/bootanim.te | 6 + bsp/plat_private/camerapostalgo.te | 35 + bsp/plat_private/cameraserver.te | 18 + bsp/plat_private/capability_app.te | 20 + bsp/plat_private/dnsmasq.te | 5 + bsp/plat_private/domain.te | 15 + bsp/plat_private/drmserver.te | 15 + bsp/plat_private/em_app.te | 264 +++++ bsp/plat_private/em_svr.te | 61 ++ bsp/plat_private/file.te | 82 ++ bsp/plat_private/file_contexts | 62 ++ bsp/plat_private/genfs_contexts | 174 ++++ bsp/plat_private/init.te | 10 + bsp/plat_private/kpoc_charger.te | 74 ++ bsp/plat_private/logd.te | 10 + bsp/plat_private/mdi_redirector.te | 25 + bsp/plat_private/mdmi_redirector.te | 25 + 
bsp/plat_private/mediaserver.te | 27 + bsp/plat_private/met_log_d.te | 13 + bsp/plat_private/mmp.te | 12 + bsp/plat_private/mtk_advcamserver.te | 23 + bsp/plat_private/netd.te | 57 + bsp/plat_private/nfc.te | 8 + bsp/plat_private/osi.te | 31 + bsp/plat_private/platform_app.te | 147 +++ bsp/plat_private/priv_app.te | 37 + bsp/plat_private/property.te | 126 +++ bsp/plat_private/property_contexts | 173 ++++ bsp/plat_private/radio.te | 183 ++++ bsp/plat_private/resize.te | 26 + bsp/plat_private/rsu_app.te | 18 + bsp/plat_private/sdcardd.te | 18 + bsp/plat_private/seapp_contexts | 17 + bsp/plat_private/service.te | 44 + bsp/plat_private/service_contexts | 56 + bsp/plat_private/shell.te | 36 + bsp/plat_private/surfaceflinger.te | 41 + bsp/plat_private/system_app.te | 118 +++ bsp/plat_private/system_server.te | 172 ++++ bsp/plat_private/teed_app.te | 35 + bsp/plat_private/teeregistryd_app.te | 29 + bsp/plat_private/terservice.te | 25 + bsp/plat_private/thermald.te | 28 + bsp/plat_private/untrusted_app.te | 14 + bsp/plat_private/untrusted_app_25.te | 8 + bsp/plat_private/untrusted_app_27.te | 8 + bsp/plat_private/untrusted_app_all.te | 13 + bsp/plat_private/usp_service.te | 13 + bsp/plat_private/vendor_init.te | 9 + bsp/plat_private/vendor_shell.te | 6 + bsp/plat_private/vold.te | 19 + bsp/plat_private/vtservice.te | 24 + bsp/plat_private/zygote.te | 9 + bsp/plat_public/attributes | 117 +++ bsp/plat_public/file.te | 13 + bsp/plat_public/property.te | 18 + 604 files changed, 24113 insertions(+) create mode 100644 BoardSEPolicyConfig.mk create mode 100644 basic/debug/non_plat/aee_aedv.te create mode 100644 basic/debug/non_plat/aee_core_forwarder.te create mode 100644 basic/debug/non_plat/aee_hal.te create mode 100755 basic/debug/non_plat/atcid.te create mode 100644 basic/debug/non_plat/audioserver.te create mode 100644 basic/debug/non_plat/ccci_mdinit.te create mode 100644 basic/debug/non_plat/connsyslogger.te create mode 100644 basic/debug/non_plat/crash_dump.te create mode 
100644 basic/debug/non_plat/device.te create mode 100644 basic/debug/non_plat/domain.te create mode 100644 basic/debug/non_plat/dumpstate.te create mode 100644 basic/debug/non_plat/emdlogger.te create mode 100644 basic/debug/non_plat/file.te create mode 100644 basic/debug/non_plat/file_contexts create mode 100644 basic/debug/non_plat/genfs_contexts create mode 100644 basic/debug/non_plat/hal_mtk_aee.te create mode 100644 basic/debug/non_plat/hal_mtk_log.te create mode 100644 basic/debug/non_plat/hwservice.te create mode 100644 basic/debug/non_plat/hwservice_contexts create mode 100644 basic/debug/non_plat/loghidlsysservice.te create mode 100644 basic/debug/non_plat/loghidlvendorservice.te create mode 100644 basic/debug/non_plat/mdlogger.te create mode 100644 basic/debug/non_plat/meta_tst.te create mode 100644 basic/debug/non_plat/mobile_log_d.te create mode 100644 basic/debug/non_plat/modemdbfilter_service.te create mode 100644 basic/debug/non_plat/mtk_hal_camera.te create mode 100644 basic/debug/non_plat/mtkrild.te create mode 100644 basic/debug/non_plat/netd.te create mode 100644 basic/debug/non_plat/netdiag.te create mode 100644 basic/debug/non_plat/platform_app.te create mode 100644 basic/debug/non_plat/property.te create mode 100644 basic/debug/non_plat/property_contexts create mode 100644 basic/debug/non_plat/rild.te create mode 100644 basic/debug/non_plat/shell.te create mode 100644 basic/debug/non_plat/system_app.te create mode 100644 basic/debug/non_plat/system_server.te create mode 100644 basic/debug/non_plat/vendor_init.te create mode 100644 basic/debug/non_plat/vendor_shell.te create mode 100644 basic/debug/plat_private/aee_core_forwarder.te create mode 100644 basic/debug/plat_private/connsyslogger.te create mode 100644 basic/debug/plat_private/crash_dump.te create mode 100644 basic/debug/plat_private/dumpstate.te create mode 100644 basic/debug/plat_private/emdlogger.te create mode 100644 basic/debug/plat_private/file_contexts create mode 100644 
basic/debug/plat_private/init.te create mode 100644 basic/debug/plat_private/kernel.te create mode 100644 basic/debug/plat_private/loghidlsysservice.te create mode 100644 basic/debug/plat_private/mdlogger.te create mode 100644 basic/debug/plat_private/mobile_log_d.te create mode 100644 basic/debug/plat_private/modemdbfilter_client.te create mode 100644 basic/debug/plat_private/netdiag.te create mode 100644 basic/debug/plat_private/network_stack.te create mode 100644 basic/debug/plat_private/platform_app.te create mode 100644 basic/debug/plat_private/property.te create mode 100644 basic/debug/plat_private/property_contexts create mode 100644 basic/debug/plat_private/radio.te create mode 100644 basic/debug/plat_private/shell.te create mode 100644 basic/debug/plat_private/system_server.te create mode 100644 basic/debug/plat_public/aee_core_forwarder.te create mode 100644 basic/debug/plat_public/attributes create mode 100644 basic/debug/plat_public/connsyslogger.te create mode 100644 basic/debug/plat_public/emdlogger.te create mode 100644 basic/debug/plat_public/loghidlsysservice.te create mode 100644 basic/debug/plat_public/mdlogger.te create mode 100644 basic/debug/plat_public/mobile_log_d.te create mode 100644 basic/debug/plat_public/modemdbfilter_client.te create mode 100644 basic/debug/plat_public/property.te create mode 100644 basic/non_plat/DcxoSetCap.te create mode 100644 basic/non_plat/adbd.te create mode 100644 basic/non_plat/app.te create mode 100644 basic/non_plat/atci_service.te create mode 100644 basic/non_plat/atcid.te create mode 100644 basic/non_plat/audiocmdservice_atci.te create mode 100644 basic/non_plat/audioserver.te create mode 100644 basic/non_plat/biosensord_nvram.te create mode 100644 basic/non_plat/bip_ap.te create mode 100644 basic/non_plat/bluetooth.te create mode 100644 basic/non_plat/boot_logo_updater.te create mode 100644 basic/non_plat/bootanim.te create mode 100644 basic/non_plat/bp_kmsetkey_ca.te create mode 100644 
basic/non_plat/bt_dump.te create mode 100644 basic/non_plat/cameraserver.te create mode 100644 basic/non_plat/ccci_fsd.te create mode 100644 basic/non_plat/ccci_mdinit.te create mode 100644 basic/non_plat/ccci_rpcd.te create mode 100644 basic/non_plat/chipinfo.te create mode 100644 basic/non_plat/cmddumper.te create mode 100644 basic/non_plat/conninfra_loader.te create mode 100644 basic/non_plat/crash_dump.te create mode 100644 basic/non_plat/dconfig.te create mode 100644 basic/non_plat/device.te create mode 100644 basic/non_plat/dmc_core.te create mode 100644 basic/non_plat/domain.te create mode 100644 basic/non_plat/drmserver.te create mode 100644 basic/non_plat/dumpstate.te create mode 100644 basic/non_plat/e2fs.te create mode 100644 basic/non_plat/eara_io.te create mode 100644 basic/non_plat/em_hidl.te create mode 100644 basic/non_plat/em_svr.te create mode 100644 basic/non_plat/emcamera_app.te create mode 100644 basic/non_plat/ephemeral_app.te create mode 100644 basic/non_plat/factory.te create mode 100644 basic/non_plat/fastbootd.te create mode 100644 basic/non_plat/file.te create mode 100644 basic/non_plat/file_contexts create mode 100644 basic/non_plat/flashlessd.te create mode 100644 basic/non_plat/fm_hidl_service.te create mode 100644 basic/non_plat/fpsgo_native.te create mode 100644 basic/non_plat/fsck.te create mode 100644 basic/non_plat/fuelgauged.te create mode 100644 basic/non_plat/fuelgauged_nvram.te create mode 100644 basic/non_plat/gbe_native.te create mode 100644 basic/non_plat/genfs_contexts create mode 100644 basic/non_plat/getgameserver.te create mode 100644 basic/non_plat/gpuservice.te create mode 100644 basic/non_plat/gsm0710muxd.te create mode 100644 basic/non_plat/hal_audio.te create mode 100644 basic/non_plat/hal_bluetooth.te create mode 100644 basic/non_plat/hal_bootctl_default.te create mode 100644 basic/non_plat/hal_camera.te create mode 100644 basic/non_plat/hal_cas_default.te create mode 100644 basic/non_plat/hal_drm_clearkey.te 
create mode 100644 basic/non_plat/hal_drm_default.te create mode 100644 basic/non_plat/hal_drm_widevine.te create mode 100644 basic/non_plat/hal_gnss.te create mode 100644 basic/non_plat/hal_gnss_default.te create mode 100644 basic/non_plat/hal_graphics_allocator.te create mode 100644 basic/non_plat/hal_graphics_allocator_default.te create mode 100644 basic/non_plat/hal_graphics_composer.te create mode 100644 basic/non_plat/hal_graphics_composer_default.te create mode 100644 basic/non_plat/hal_ir_default.te create mode 100644 basic/non_plat/hal_keymaster.te create mode 100644 basic/non_plat/hal_keymaster_attestation.te create mode 100644 basic/non_plat/hal_keymaster_default.te create mode 100644 basic/non_plat/hal_keymint_default.te create mode 100644 basic/non_plat/hal_memtrack.te create mode 100644 basic/non_plat/hal_mtk_atci.te create mode 100644 basic/non_plat/hal_mtk_bgs.te create mode 100644 basic/non_plat/hal_mtk_em.te create mode 100644 basic/non_plat/hal_mtk_fm.te create mode 100644 basic/non_plat/hal_mtk_hdmi.te create mode 100644 basic/non_plat/hal_mtk_imsa.te create mode 100644 basic/non_plat/hal_mtk_keyattestation.te create mode 100644 basic/non_plat/hal_mtk_lbs.te create mode 100644 basic/non_plat/hal_mtk_md_dbfilter.te create mode 100644 basic/non_plat/hal_mtk_mmagent.te create mode 100644 basic/non_plat/hal_mtk_mms.te create mode 100644 basic/non_plat/hal_mtk_nvramagent.te create mode 100644 basic/non_plat/hal_mtk_pq.te create mode 100644 basic/non_plat/hal_nfc.te create mode 100644 basic/non_plat/hal_tee_default.te create mode 100644 basic/non_plat/hal_teeregistry_default.te create mode 100644 basic/non_plat/hal_telephony.te create mode 100644 basic/non_plat/hal_thermal_default.te create mode 100644 basic/non_plat/hal_vibrator.te create mode 100644 basic/non_plat/hal_vibrator_default.te create mode 100644 basic/non_plat/hal_wifi.te create mode 100644 basic/non_plat/hal_wifi_default.te create mode 100644 basic/non_plat/hwservice.te create mode 
100644 basic/non_plat/hwservice_contexts create mode 100644 basic/non_plat/init.te create mode 100644 basic/non_plat/init_insmod_sh.te create mode 100644 basic/non_plat/init_thh_service.te create mode 100644 basic/non_plat/ioctl_defines create mode 100644 basic/non_plat/ioctl_macros create mode 100644 basic/non_plat/ipsec_mon.te create mode 100644 basic/non_plat/kernel.te create mode 100644 basic/non_plat/keystore.te create mode 100644 basic/non_plat/kisd.te create mode 100644 basic/non_plat/lbs_hidl_service.te create mode 100644 basic/non_plat/lmkd.te create mode 100644 basic/non_plat/md_monitor.te create mode 100644 basic/non_plat/mediacodec.te create mode 100644 basic/non_plat/mediadrmserver.te create mode 100644 basic/non_plat/mediaextractor.te create mode 100755 basic/non_plat/mediahelper.te create mode 100644 basic/non_plat/mediaserver.te create mode 100644 basic/non_plat/mediaswcodec.te create mode 100644 basic/non_plat/merged_hal_service.te create mode 100644 basic/non_plat/meta_tst.te create mode 100644 basic/non_plat/mmc_ffu.te create mode 100644 basic/non_plat/mnld.te create mode 100644 basic/non_plat/mobicore.te create mode 100644 basic/non_plat/mobicore_app.te create mode 100644 basic/non_plat/mtk_agpsd.te create mode 100644 basic/non_plat/mtk_hal_audio.te create mode 100644 basic/non_plat/mtk_hal_bluetooth.te create mode 100644 basic/non_plat/mtk_hal_c2.te create mode 100644 basic/non_plat/mtk_hal_camera.te create mode 100644 basic/non_plat/mtk_hal_codecservice_default.te create mode 100644 basic/non_plat/mtk_hal_dfps.te create mode 100644 basic/non_plat/mtk_hal_dplanner.te create mode 100644 basic/non_plat/mtk_hal_gnss.te create mode 100644 basic/non_plat/mtk_hal_hdmi.te create mode 100644 basic/non_plat/mtk_hal_imsa.te create mode 100644 basic/non_plat/mtk_hal_keyinstall.te create mode 100644 basic/non_plat/mtk_hal_keymanage.te create mode 100644 basic/non_plat/mtk_hal_light.te create mode 100644 basic/non_plat/mtk_hal_memtrack.te create mode 100644 
basic/non_plat/mtk_hal_mmagent.te create mode 100644 basic/non_plat/mtk_hal_mms.te create mode 100644 basic/non_plat/mtk_hal_neuralnetworks.te create mode 100644 basic/non_plat/mtk_hal_nvramagent.te create mode 100644 basic/non_plat/mtk_hal_nwk_opt.te create mode 100644 basic/non_plat/mtk_hal_omadm.te create mode 100644 basic/non_plat/mtk_hal_power.te create mode 100644 basic/non_plat/mtk_hal_pq.te create mode 100644 basic/non_plat/mtk_hal_secure_element.te create mode 100644 basic/non_plat/mtk_hal_sensors.te create mode 100644 basic/non_plat/mtk_hal_thp.te create mode 100644 basic/non_plat/mtk_hal_touchll.te create mode 100644 basic/non_plat/mtk_hal_usb.te create mode 100644 basic/non_plat/mtk_hal_wfo.te create mode 100644 basic/non_plat/mtk_hal_wifi.te create mode 100644 basic/non_plat/mtk_pkm_service.te create mode 100644 basic/non_plat/mtk_safe_halserverdomain_type.te create mode 100644 basic/non_plat/mtk_wmt_launcher.te create mode 100644 basic/non_plat/mtkbootanimation.te create mode 100644 basic/non_plat/mtkrild.te create mode 100644 basic/non_plat/muxreport.te create mode 100644 basic/non_plat/netd.te create mode 100644 basic/non_plat/netdagent.te create mode 100644 basic/non_plat/nfcstackp_vendor.te create mode 100644 basic/non_plat/nvram_daemon.te create mode 100644 basic/non_plat/platform_app.te create mode 100644 basic/non_plat/postinstall.te create mode 100644 basic/non_plat/ppl_agent.te create mode 100644 basic/non_plat/priv_app.te create mode 100644 basic/non_plat/property.te create mode 100644 basic/non_plat/property_contexts create mode 100644 basic/non_plat/radio.te create mode 100644 basic/non_plat/rcs_volte_stack.te create mode 100644 basic/non_plat/recovery.te create mode 100644 basic/non_plat/remosaic_daemon.te create mode 100644 basic/non_plat/rild.te create mode 100644 basic/non_plat/sensorhub_app.te create mode 100644 basic/non_plat/servicemanager.te create mode 100644 basic/non_plat/shell.te create mode 100644 basic/non_plat/slpd.te create 
mode 100644 basic/non_plat/smartcharging.te create mode 100644 basic/non_plat/spm_loader.te create mode 100644 basic/non_plat/st54spi_hal_secure_element.te create mode 100644 basic/non_plat/statusd.te create mode 100644 basic/non_plat/stflashtool.te create mode 100644 basic/non_plat/stp_dump3.te create mode 100644 basic/non_plat/surfaceflinger.te create mode 100644 basic/non_plat/system_app.te create mode 100644 basic/non_plat/system_server.te create mode 100644 basic/non_plat/teei_hal_capi.te create mode 100644 basic/non_plat/teei_hal_ifaa.te create mode 100644 basic/non_plat/teei_hal_thh.te create mode 100644 basic/non_plat/teei_hal_tui.te create mode 100644 basic/non_plat/teei_hal_wechat.te create mode 100644 basic/non_plat/tesiai_hal_hdcp.te create mode 100644 basic/non_plat/thermal.te create mode 100644 basic/non_plat/thermal_core.te create mode 100644 basic/non_plat/thermal_manager.te create mode 100644 basic/non_plat/thermalloadalgod.te create mode 100644 basic/non_plat/ueventd.te create mode 100644 basic/non_plat/uncrypt.te create mode 100644 basic/non_plat/untrusted_app.te create mode 100644 basic/non_plat/untrusted_app_25.te create mode 100644 basic/non_plat/untrusted_app_all.te create mode 100644 basic/non_plat/update_engine.te create mode 100644 basic/non_plat/vendor_init.te create mode 100644 basic/non_plat/viarild.te create mode 100644 basic/non_plat/vold.te create mode 100644 basic/non_plat/volte_clientapi_ua.te create mode 100644 basic/non_plat/volte_rcs_ua.te create mode 100644 basic/non_plat/vpud_native.te create mode 100644 basic/non_plat/vtservice_hidl.te create mode 100644 basic/non_plat/wifi_dump.te create mode 100644 basic/non_plat/wlan_assistant.te create mode 100644 basic/non_plat/wmt_loader.te create mode 100644 basic/non_plat/wo_epdg_client.te create mode 100644 basic/non_plat/wo_ipsec.te create mode 100644 basic/non_plat/xgff_test_native.te create mode 100644 basic/non_plat/zygote.te create mode 100644 basic/plat_private/aal.te create 
mode 100644 basic/plat_private/adbd.te create mode 100644 basic/plat_private/app.te create mode 100644 basic/plat_private/audioserver.te create mode 100644 basic/plat_private/batterywarning.te create mode 100644 basic/plat_private/bluetooth.te create mode 100644 basic/plat_private/boot_logo_updater.te create mode 100644 basic/plat_private/bootanim.te create mode 100644 basic/plat_private/cmddumper.te create mode 100644 basic/plat_private/compat/30.0/30.0.cil create mode 100644 basic/plat_private/compat/30.0/31.0.compat.cil create mode 100644 basic/plat_private/compat/30.0/31.0.ignore.cil create mode 100644 basic/plat_private/coredomain.te create mode 100644 basic/plat_private/crash_dump.te create mode 100644 basic/plat_private/device.te create mode 100644 basic/plat_private/domain.te create mode 100644 basic/plat_private/drmserver.te create mode 100644 basic/plat_private/dumpstate.te create mode 100644 basic/plat_private/em_svr.te create mode 100644 basic/plat_private/file.te create mode 100644 basic/plat_private/file_contexts create mode 100644 basic/plat_private/genfs_contexts create mode 100644 basic/plat_private/init.te create mode 100644 basic/plat_private/lbs_dbg.te create mode 100755 basic/plat_private/mediahelper.te create mode 100755 basic/plat_private/mediaserver.te create mode 100644 basic/plat_private/mediatranscoding.te create mode 100644 basic/plat_private/met_log_d.te create mode 100644 basic/plat_private/mmp.te create mode 100644 basic/plat_private/mtk_plpath_utils.te create mode 100644 basic/plat_private/mtkbootanimation.te create mode 100644 basic/plat_private/platform_app.te create mode 100644 basic/plat_private/ppp.te create mode 100644 basic/plat_private/property.te create mode 100644 basic/plat_private/property_contexts create mode 100644 basic/plat_private/radio.te create mode 100644 basic/plat_private/recovery.te create mode 100644 basic/plat_private/resize.te create mode 100644 basic/plat_private/service_contexts create mode 100644 
basic/plat_private/shared_relro.te create mode 100644 basic/plat_private/shell.te create mode 100644 basic/plat_private/surfaceflinger.te create mode 100644 basic/plat_private/system_app.te create mode 100644 basic/plat_private/system_server.te create mode 100644 basic/plat_private/teed_app.te create mode 100644 basic/plat_private/tombstoned.te create mode 100644 basic/plat_private/uncrypt.te create mode 100644 basic/plat_private/vendor_init.te create mode 100644 basic/plat_public/GoogleOtaBinder.te create mode 100644 basic/plat_public/apmsrv_app.te create mode 100644 basic/plat_public/atci_service_sys.te create mode 100644 basic/plat_public/attributes create mode 100644 basic/plat_public/boot_logo_updater.te create mode 100644 basic/plat_public/camerapostalgo.te create mode 100644 basic/plat_public/capability_app.te create mode 100644 basic/plat_public/cmddumper.te create mode 100644 basic/plat_public/device.te create mode 100644 basic/plat_public/em_app.te create mode 100644 basic/plat_public/em_svr.te create mode 100644 basic/plat_public/file.te create mode 100644 basic/plat_public/global_macros create mode 100644 basic/plat_public/kpoc_charger.te create mode 100644 basic/plat_public/mdi_redirector.te create mode 100644 basic/plat_public/mdmi_redirector.te create mode 100755 basic/plat_public/mediahelper.te create mode 100644 basic/plat_public/mtk_advcamserver.te create mode 100644 basic/plat_public/mtkbootanimation.te create mode 100644 basic/plat_public/netd.te create mode 100644 basic/plat_public/netdiag.te create mode 100644 basic/plat_public/osi.te create mode 100644 basic/plat_public/property.te create mode 100644 basic/plat_public/rsu_app.te create mode 100644 basic/plat_public/teeregistryd_app.te create mode 100644 basic/plat_public/terservice.te create mode 100644 basic/plat_public/thermald.te create mode 100644 basic/plat_public/usp_service.te create mode 100644 basic/plat_public/vtservice.te create mode 100644 bsp/debug/non_plat/aee_aedv.te create 
mode 100644 bsp/debug/non_plat/domain.te create mode 100644 bsp/debug/non_plat/file.te create mode 100644 bsp/debug/non_plat/logd.te create mode 100644 bsp/debug/non_plat/platform_app.te create mode 100644 bsp/debug/non_plat/rild.te create mode 100644 bsp/debug/non_plat/shell.te create mode 100644 bsp/debug/non_plat/surfaceflinger.te create mode 100644 bsp/debug/non_plat/system_app.te create mode 100644 bsp/debug/non_plat/system_server.te create mode 100644 bsp/debug/non_plat/untrusted_app.te create mode 100644 bsp/debug/non_plat/viarild.te create mode 100644 bsp/debug/plat_private/domain.te create mode 100644 bsp/debug/plat_private/em_app.te create mode 100644 bsp/debug/plat_private/emdlogger.te create mode 100644 bsp/debug/plat_private/mobile_log_d.te create mode 100644 bsp/debug/plat_private/platform_app.te create mode 100644 bsp/debug/plat_private/system_server.te create mode 100644 bsp/non_plat/GoogleOtaBinder.te create mode 100644 bsp/non_plat/apmsrv_app.te create mode 100644 bsp/non_plat/app.te create mode 100644 bsp/non_plat/atci_service_sys.te create mode 100644 bsp/non_plat/audioserver.te create mode 100644 bsp/non_plat/bluetooth.te create mode 100644 bsp/non_plat/boot_logo_updater.te create mode 100644 bsp/non_plat/bootanim.te create mode 100644 bsp/non_plat/bp_kmsetkey_ca.te create mode 100644 bsp/non_plat/camerapostalgo.te create mode 100644 bsp/non_plat/cameraserver.te create mode 100644 bsp/non_plat/capability_app.te create mode 100644 bsp/non_plat/ccci_mdinit.te create mode 100644 bsp/non_plat/ccci_rpcd.te create mode 100644 bsp/non_plat/dconfig.te create mode 100644 bsp/non_plat/dmc_core.te create mode 100644 bsp/non_plat/domain.te create mode 100644 bsp/non_plat/drmserver.te create mode 100644 bsp/non_plat/dumpstate.te create mode 100644 bsp/non_plat/e2fs.te create mode 100644 bsp/non_plat/em_app.te create mode 100644 bsp/non_plat/em_hidl.te create mode 100644 bsp/non_plat/em_svr.te create mode 100644 bsp/non_plat/emcamera_app.te create mode 
100644 bsp/non_plat/factory.te create mode 100644 bsp/non_plat/file.te create mode 100644 bsp/non_plat/file_contexts create mode 100644 bsp/non_plat/flashlessd.te create mode 100644 bsp/non_plat/fsck.te create mode 100644 bsp/non_plat/gatekeeperd.te create mode 100644 bsp/non_plat/genfs_contexts create mode 100644 bsp/non_plat/getgameserver.te create mode 100644 bsp/non_plat/hal_clientapi.te create mode 100644 bsp/non_plat/hal_dfps.te create mode 100644 bsp/non_plat/hal_drm_widevine.te create mode 100644 bsp/non_plat/hal_fingerprint_default.te create mode 100644 bsp/non_plat/hal_graphics_allocator_default.te create mode 100644 bsp/non_plat/hal_graphics_composer_default.te create mode 100644 bsp/non_plat/hal_keymaster_attestation.te create mode 100644 bsp/non_plat/hal_keymaster_default.te create mode 100644 bsp/non_plat/hal_keymint_default.te create mode 100644 bsp/non_plat/hal_mtk_apm.te create mode 100644 bsp/non_plat/hal_mtk_dmc.te create mode 100644 bsp/non_plat/hal_mtk_omadm.te create mode 100644 bsp/non_plat/hal_mtk_thp.te create mode 100644 bsp/non_plat/hal_mtk_touchll.te create mode 100644 bsp/non_plat/hal_mtk_wfo.te create mode 100644 bsp/non_plat/hal_presence.te create mode 100644 bsp/non_plat/hal_rcs.te create mode 100644 bsp/non_plat/hal_tee.te create mode 100644 bsp/non_plat/hal_tee_default.te create mode 100644 bsp/non_plat/hal_teei_capi.te create mode 100644 bsp/non_plat/hal_teei_ifaa.te create mode 100644 bsp/non_plat/hal_teei_thh.te create mode 100644 bsp/non_plat/hal_teei_tui.te create mode 100644 bsp/non_plat/hal_teei_wechat.te create mode 100644 bsp/non_plat/hal_teeregistry.te create mode 100644 bsp/non_plat/hal_teeregistry_default.te create mode 100644 bsp/non_plat/hal_tesiai_hdcp.te create mode 100644 bsp/non_plat/hal_tetheroffload_default.te create mode 100644 bsp/non_plat/hal_wifi_supplicant_default.te create mode 100644 bsp/non_plat/healthd.te create mode 100644 bsp/non_plat/hwservice.te create mode 100644 bsp/non_plat/hwservice_contexts 
create mode 100644 bsp/non_plat/init.te create mode 100644 bsp/non_plat/init_thh_service.te create mode 100644 bsp/non_plat/installd.te create mode 100644 bsp/non_plat/ipsec_mon.te create mode 100644 bsp/non_plat/kernel.te create mode 100644 bsp/non_plat/kpoc_charger.te create mode 100644 bsp/non_plat/logd.te create mode 100644 bsp/non_plat/logo_updater.te create mode 100644 bsp/non_plat/md_monitor.te create mode 100644 bsp/non_plat/md_monitor_hal.te create mode 100644 bsp/non_plat/mdi_redirector.te create mode 100644 bsp/non_plat/mdmi_redirector.te create mode 100644 bsp/non_plat/mediacodec.te create mode 100644 bsp/non_plat/mediaserver.te create mode 100644 bsp/non_plat/mediaswcodec.te create mode 100644 bsp/non_plat/merged_hal_service.te create mode 100644 bsp/non_plat/meta_tst.te create mode 100644 bsp/non_plat/mobicore.te create mode 100644 bsp/non_plat/mobicore_app.te create mode 100644 bsp/non_plat/mtk_advcamserver.te create mode 100644 bsp/non_plat/mtk_agpsd.te create mode 100644 bsp/non_plat/mtk_hal_audio.te create mode 100644 bsp/non_plat/mtk_hal_c2.te create mode 100644 bsp/non_plat/mtk_hal_camera.te create mode 100644 bsp/non_plat/mtk_hal_codecservice_default.te create mode 100644 bsp/non_plat/mtk_hal_dfps.te create mode 100644 bsp/non_plat/mtk_hal_dplanner.te create mode 100644 bsp/non_plat/mtk_hal_keyinstall.te create mode 100644 bsp/non_plat/mtk_hal_netdagent.te create mode 100644 bsp/non_plat/mtk_hal_neuralnetworks.te create mode 100644 bsp/non_plat/mtk_hal_nwk_opt.te create mode 100644 bsp/non_plat/mtk_hal_omadm.te create mode 100644 bsp/non_plat/mtk_hal_power.te create mode 100644 bsp/non_plat/mtk_hal_pplagent.te create mode 100644 bsp/non_plat/mtk_hal_pq.te create mode 100644 bsp/non_plat/mtk_hal_thp.te create mode 100644 bsp/non_plat/mtk_hal_touchll.te create mode 100644 bsp/non_plat/mtk_hal_wfo.te create mode 100644 bsp/non_plat/mtk_pkm_service.te create mode 100644 bsp/non_plat/mtkfusionrild.te create mode 100644 bsp/non_plat/mtkimsmddomain.te 
create mode 100644 bsp/non_plat/mtkrild.te create mode 100644 bsp/non_plat/netd.te create mode 100644 bsp/non_plat/netdagent.te create mode 100644 bsp/non_plat/netutils_wrapper.te create mode 100644 bsp/non_plat/nfc.te create mode 100644 bsp/non_plat/nfcstackp_vendor.te create mode 100644 bsp/non_plat/osi.te create mode 100644 bsp/non_plat/platform_app.te create mode 100644 bsp/non_plat/ppl_agent.te create mode 100644 bsp/non_plat/priv_app.te create mode 100644 bsp/non_plat/property.te create mode 100644 bsp/non_plat/property_contexts create mode 100644 bsp/non_plat/radio.te create mode 100644 bsp/non_plat/rcs_volte_stack.te create mode 100644 bsp/non_plat/remosaic_daemon.te create mode 100644 bsp/non_plat/rild.te create mode 100644 bsp/non_plat/rsu_app.te create mode 100644 bsp/non_plat/seapp_contexts create mode 100644 bsp/non_plat/sensorhub_app.te create mode 100644 bsp/non_plat/service_contexts create mode 100644 bsp/non_plat/shell.te create mode 100644 bsp/non_plat/statusd.te create mode 100644 bsp/non_plat/stflashtool.te create mode 100644 bsp/non_plat/surfaceflinger.te create mode 100644 bsp/non_plat/system_app.te create mode 100644 bsp/non_plat/system_server.te create mode 100644 bsp/non_plat/tee.te create mode 100644 bsp/non_plat/teei_hal_capi.te create mode 100644 bsp/non_plat/teei_hal_ifaa.te create mode 100644 bsp/non_plat/teei_hal_thh.te create mode 100644 bsp/non_plat/teei_hal_tui.te create mode 100644 bsp/non_plat/teei_hal_wechat.te create mode 100644 bsp/non_plat/terservice.te create mode 100644 bsp/non_plat/tesiai_hal_hdcp.te create mode 100644 bsp/non_plat/thermal.te create mode 100644 bsp/non_plat/thermal_manager.te create mode 100644 bsp/non_plat/thermald.te create mode 100644 bsp/non_plat/ueventd.te create mode 100644 bsp/non_plat/untrusted_app.te create mode 100644 bsp/non_plat/untrusted_app_25.te create mode 100644 bsp/non_plat/untrusted_app_27.te create mode 100644 bsp/non_plat/untrusted_app_29.te create mode 100644 
bsp/non_plat/untrusted_app_all.te create mode 100644 bsp/non_plat/usp_service.te create mode 100644 bsp/non_plat/ut_ta_manager_service.te create mode 100644 bsp/non_plat/vendor_init.te create mode 100644 bsp/non_plat/vendor_shell.te create mode 100644 bsp/non_plat/viarild.te create mode 100644 bsp/non_plat/vndservice.te create mode 100644 bsp/non_plat/vndservice_contexts create mode 100644 bsp/non_plat/vold.te create mode 100644 bsp/non_plat/volte_clientapi_ua.te create mode 100644 bsp/non_plat/volte_rcs_ua.te create mode 100644 bsp/non_plat/vpud_native.te create mode 100644 bsp/non_plat/vtservice.te create mode 100644 bsp/non_plat/vtservice_hidl.te create mode 100644 bsp/non_plat/wo_epdg_client.te create mode 100644 bsp/non_plat/wo_ipsec.te create mode 100644 bsp/non_plat/wpa.te create mode 100644 bsp/non_plat/zygote.te create mode 100644 bsp/ota_upgrade/file_contexts create mode 100644 bsp/ota_upgrade/move-widevine-data-sh.te create mode 100644 bsp/plat_private/GoogleOtaBinder.te create mode 100644 bsp/plat_private/aal.te create mode 100644 bsp/plat_private/apmsrv_app.te create mode 100644 bsp/plat_private/atci_service_sys.te create mode 100644 bsp/plat_private/audioserver.te create mode 100644 bsp/plat_private/batterywarning.te create mode 100644 bsp/plat_private/bluetooth.te create mode 100644 bsp/plat_private/bootanim.te create mode 100644 bsp/plat_private/camerapostalgo.te create mode 100644 bsp/plat_private/cameraserver.te create mode 100644 bsp/plat_private/capability_app.te create mode 100644 bsp/plat_private/dnsmasq.te create mode 100644 bsp/plat_private/domain.te create mode 100644 bsp/plat_private/drmserver.te create mode 100644 bsp/plat_private/em_app.te create mode 100644 bsp/plat_private/em_svr.te create mode 100644 bsp/plat_private/file.te create mode 100644 bsp/plat_private/file_contexts create mode 100644 bsp/plat_private/genfs_contexts create mode 100644 bsp/plat_private/init.te create mode 100644 bsp/plat_private/kpoc_charger.te create mode 
100644 bsp/plat_private/logd.te create mode 100644 bsp/plat_private/mdi_redirector.te create mode 100644 bsp/plat_private/mdmi_redirector.te create mode 100644 bsp/plat_private/mediaserver.te create mode 100644 bsp/plat_private/met_log_d.te create mode 100644 bsp/plat_private/mmp.te create mode 100644 bsp/plat_private/mtk_advcamserver.te create mode 100644 bsp/plat_private/netd.te create mode 100644 bsp/plat_private/nfc.te create mode 100644 bsp/plat_private/osi.te create mode 100644 bsp/plat_private/platform_app.te create mode 100644 bsp/plat_private/priv_app.te create mode 100644 bsp/plat_private/property.te create mode 100644 bsp/plat_private/property_contexts create mode 100644 bsp/plat_private/radio.te create mode 100644 bsp/plat_private/resize.te create mode 100644 bsp/plat_private/rsu_app.te create mode 100644 bsp/plat_private/sdcardd.te create mode 100644 bsp/plat_private/seapp_contexts create mode 100644 bsp/plat_private/service.te create mode 100644 bsp/plat_private/service_contexts create mode 100644 bsp/plat_private/shell.te create mode 100644 bsp/plat_private/surfaceflinger.te create mode 100644 bsp/plat_private/system_app.te create mode 100644 bsp/plat_private/system_server.te create mode 100644 bsp/plat_private/teed_app.te create mode 100644 bsp/plat_private/teeregistryd_app.te create mode 100644 bsp/plat_private/terservice.te create mode 100644 bsp/plat_private/thermald.te create mode 100644 bsp/plat_private/untrusted_app.te create mode 100644 bsp/plat_private/untrusted_app_25.te create mode 100644 bsp/plat_private/untrusted_app_27.te create mode 100644 bsp/plat_private/untrusted_app_all.te create mode 100644 bsp/plat_private/usp_service.te create mode 100644 bsp/plat_private/vendor_init.te create mode 100644 bsp/plat_private/vendor_shell.te create mode 100644 bsp/plat_private/vold.te create mode 100644 bsp/plat_private/vtservice.te create mode 100644 bsp/plat_private/zygote.te create mode 100644 bsp/plat_public/attributes create mode 100644 
bsp/plat_public/file.te create mode 100644 bsp/plat_public/property.te
diff --git a/BoardSEPolicyConfig.mk b/BoardSEPolicyConfig.mk
new file mode 100644
index 0000000..efd69a4
--- /dev/null
+++ b/BoardSEPolicyConfig.mk
@@ -0,0 +1,32 @@
+
+# SELinux Policy File Configuration
+BOARD_SEPOLICY_DIRS += \
+ device/mediatek/sepolicy/basic/non_plat \
+ device/mediatek/sepolicy/bsp/non_plat
+
+ifneq ($(call math_lt,$(PRODUCT_SHIPPING_API_LEVEL),28),)
+BOARD_SEPOLICY_DIRS += $(wildcard device/mediatek/sepolicy/bsp/ota_upgrade)
+endif
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/plat_private \
+ device/mediatek/sepolicy/bsp/plat_private
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/plat_public \
+ device/mediatek/sepolicy/bsp/plat_public
+
+# MTK Debug Rules Configuration
+ifeq ($(strip $(HAVE_MTK_DEBUG_SEPOLICY)), yes)
+BOARD_SEPOLICY_DIRS += \
+ device/mediatek/sepolicy/basic/debug/non_plat \
+ device/mediatek/sepolicy/bsp/debug/non_plat
+
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/debug/plat_public \
+ device/mediatek/sepolicy/bsp/debug/plat_public
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
+ device/mediatek/sepolicy/basic/debug/plat_private \
+ device/mediatek/sepolicy/bsp/debug/plat_private
+endif
diff --git a/basic/debug/non_plat/aee_aedv.te b/basic/debug/non_plat/aee_aedv.te
new file mode 100644
index 0000000..1d5e873
--- /dev/null
+++ b/basic/debug/non_plat/aee_aedv.te
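Review bot: The debug block at the end of BoardSEPolicyConfig.mk is gated only on `HAVE_MTK_DEBUG_SEPOLICY`, so nothing in this file keeps the `debug/` policy directories out of a user build. The first file they pull in, basic/debug/non_plat/aee_aedv.te, marks aee_aedv as `mlstrustedsubject` and grants it `sys_admin` and `sys_module`, which is a wide grant to ship on the strength of one board flag. Where that flag is set is not visible here; if the debug policy is meant for userdebug/eng only, nest the block in `ifneq ($(TARGET_BUILD_VARIANT),user)` … `endif`. If it is meant to ship everywhere, a comment above the `ifeq` should say so, for example `# Debug/AEE policy: also built for user variants when HAVE_MTK_DEBUG_SEPOLICY=yes`.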
@@ -0,0 +1,500 @@
+# ==============================================
+# Policy File of /vendor/bin/aee_aedv Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type aee_aedv, domain;
+
+type aee_aedv_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_aedv mlstrustedsubject;
+
+init_daemon_domain(aee_aedv)
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow aee_aedv aed_device:chr_file rw_file_perms;
+allow aee_aedv expdb_device:chr_file rw_file_perms;
+allow aee_aedv expdb_block_device:blk_file rw_file_perms;
+allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
+allow aee_aedv etb_device:chr_file rw_file_perms;
+
+# AED start: /dev/block/expdb
+allow aee_aedv block_device:dir search;
+
+# NE flow: /dev/RT_Monitor
+allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
+
+#data/aee_exp
+allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_exp_vendor_file:file create_file_perms;
+
+#data/dumpsys
+allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
+
+#/data/core
+allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
+allow aee_aedv aee_core_vendor_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
+allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
+
+allow aee_aedv domain:process { sigkill getattr getsched};
+
+#core-pattern
+allow aee_aedv usermodehelper:file r_file_perms;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+# /proc/pid/
+# pre-allocation
+allow aee_aedv self:capability {
+ chown
+ fowner
+ fsetid
+ kill
+ linux_immutable
+ net_admin
+ sys_admin
+ sys_nice
+ sys_resource
+ sys_module
+};
+
+# Purpose: aee_aedv set property
+set_prop(aee_aedv, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_persist_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_debug_mtk_aeev_prop)
+set_prop(aee_aedv, vendor_mtk_aeev_dynamic_switch_prop)
+
+# Purpose: mnt/user/*
+allow aee_aedv mnt_user_file:dir search;
+allow aee_aedv mnt_user_file:lnk_file r_file_perms;
+
+allow aee_aedv storage_file:dir search;
+allow aee_aedv storage_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ allow aee_aedv su:dir r_dir_perms;
+ allow aee_aedv su:file r_file_perms;
+')
+
+# PROCESS_FILE_STATE
+allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
+allow aee_aedv dumpstate:dir search;
+allow aee_aedv dumpstate:file r_file_perms;
+
+allow aee_aedv logdr_socket:sock_file write;
+allow aee_aedv logd:unix_stream_socket connectto;
+
+# vibrator
+allow aee_aedv sysfs_vibrator:file w_file_perms;
+
+# /proc/lk_env
+allow aee_aedv proc_lk_env:file rw_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make aee_aedv can get specific process NE info
+allow aee_aedv domain:dir r_dir_perms;
+allow aee_aedv domain:{ file lnk_file } r_file_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify aee_aedv
+# Purpose : make aee_aedv can get notify from crash_dump
+allow aee_aedv crash_dump:dir search;
+allow aee_aedv crash_dump:file r_file_perms;
+
+# Date : 20170512
+# Operation : fix aee_archive can't execute issue
+# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
+# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
+# tclass=file permissive=0
+allow aee_aedv vendor_file:file x_file_perms;
+
+# Purpose: debugfs files
+allow aee_aedv procfs_blockio:file r_file_perms;
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow aee_aedv debugfs_cam_dbg:file r_file_perms;
+ allow aee_aedv debugfs_cam_exception:file r_file_perms;
+ ')
+')
+
+# Purpose:
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow aee_aedv debugfs_tracing:file rw_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
+# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv platform_app:dir r_dir_perms;
+allow aee_aedv platform_app:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
+# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app_25:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
+# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv untrusted_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
+# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
+# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
+allow aee_aedv priv_app:dir getattr;
+
+# Purpose:
+# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
+# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
+# permissive=0
+allow aee_aedv proc_interrupts:file r_file_perms;
+
+# Purpose:
+# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
+# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
+allow aee_aedv sysfs_leds:dir search;
+allow aee_aedv sysfs_leds:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
+# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# sysfs_ccci:s0 tclass=dir permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
+# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
+# tclass=file permissive=1
+# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
+# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:sysfs_ccci:s0 tclass=file permissive=1
+allow aee_aedv sysfs_ccci:dir search;
+allow aee_aedv sysfs_ccci:file r_file_perms;
+
+# Purpose:
+# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
+# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
+# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
+allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
+
+# Purpose:
+# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
+# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
+# s0 tclass=chr_file permissive=0
+# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
+# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
+allow aee_aedv kmsg_device:chr_file r_file_perms;
+allow aee_aedv kernel:system syslog_read;
+
+# Purpose:
+# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
+# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
+# object_r:proc_meminfo:s0 tclass=file permissive=0
+allow aee_aedv proc_meminfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
+# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
+allow aee_aedv proc_net:file r_file_perms;
+
+# Purpose:
+# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
+# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
+# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
+allow aee_aedv proc_zoneinfo:file r_file_perms;
+
+# Purpose:
+# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
+# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
+# rootfs:s0 tclass=file permissive=0
+allow aee_aedv rootfs:file r_file_perms;
+
+# Purpose:
+# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
+# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
+# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow aee_aedv sysfs_mrdump:file rw_file_perms;
+allow aee_aedv sysfs_memory:file r_file_perms;
+
+# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
+# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
+# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
+hal_client_domain(aee_aedv, hal_camera)
+allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
+binder_call(aee_aedv, mtk_hal_camera)
+
+# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
+allow aee_aedv selinuxfs:file r_file_perms;
+
+# Purpose: mrdump db flow and pre-allocation
+# mrdump db flow
+allow aee_aedv sysfs_dt_firmware_android:dir search;
+allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
+allow aee_aedv kernel:system module_request;
+allow aee_aedv metadata_file:dir search;
+
+allow aee_aedv userdata_block_device:blk_file rw_file_perms;
+allow aee_aedv para_block_device:blk_file rw_file_perms;
+allow aee_aedv mrdump_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+ F2FS_IOC_GET_PIN_FILE
+ F2FS_IOC_SET_PIN_FILE
+ FS_IOC_FIEMAP
+};
+
+# Purpose: allow vendor aee read lowmemorykiller logs
+# file path: /sys/module/lowmemorykiller/parameters/
+allow aee_aedv sysfs_lowmemorykiller:dir search;
+allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
+allow aee_aedv sysfs_scp:dir r_dir_perms;
+allow aee_aedv sysfs_scp:file r_file_perms;
+
+# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
+allow aee_aedv sysfs_adsp:dir r_dir_perms;
+allow aee_aedv sysfs_adsp:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/buddyinfo
+allow aee_aedv proc_buddyinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/cmdline
+allow aee_aedv proc_cmdline:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/bootconfig
+allow aee_aedv proc_bootconfig:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/slabinfo
+allow aee_aedv proc_slabinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/stat
+allow aee_aedv proc_stat:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/version
+allow aee_aedv proc_version:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmallocinfo
+allow aee_aedv proc_vmallocinfo:file r_file_perms;
+
+# Purpose: allow aee_aedv to read /proc/vmstat
+allow aee_aedv proc_vmstat:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpu/alignment
+allow aee_aedv proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/gpulog
+allow aee_aedv proc_gpulog:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
+allow aee_aedv proc_chip:file r_file_perms;
+allow aee_aedv proc_chip:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read /proc/sched_debug
+allow aee_aedv proc_sched_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/atf_log
+allow aee_aedv proc_atf_log:dir r_dir_perms;
+allow aee_aedv proc_atf_log:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/last_kmsg
+allow aee_aedv proc_last_kmsg:file r_file_perms;
+
+# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
+allow aee_aedv sysfs_vibrator_setting:dir search;
+allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
+allow aee_aedv sysfs_vibrator:dir search;
+
+# Purpose: Allow aee_aedv to read /proc/ufs_debug
+allow aee_aedv proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/msdc_debug
+allow aee_aedv proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pidmap
+allow aee_aedv proc_pidmap:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
+allow aee_aedv sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow aee_aedv sysfs_boot_mode:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`
+allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
+')
+
+#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
+allow aee_aedv proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
+allow aee_aedv proc_cmdq_debug:file r_file_perms;
+
+#data/dipdebug
+allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
+allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
+allow aee_aedv proc_isp_p2:dir r_dir_perms;
+allow aee_aedv proc_isp_p2:file r_file_perms;
+
+allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
+allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
+
+# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
+allow aee_aedv vendor_file_type:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
+allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
+allow aee_aedv proc_dbg_repo:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /proc/pl_lk
+allow aee_aedv proc_pl_lk:file r_file_perms;
+
+allow aee_aedv proc_aed_reboot_reason:file r_file_perms;
+
+# Purpose: Allow aee_aedv to write /proc/sys/vm/drop_caches
+allow aee_aedv proc_drop_caches:file rw_file_perms;
+
+allow aee_aedv proc_wmt_aee:file r_file_perms;
+
+allow aee_aedv proc_aed:file rw_file_perms;
+allow aee_aedv proc_aed:dir r_dir_perms;
+allow aee_aedv proc_ppm:dir r_dir_perms;
+
+allow aee_aedv dpm_block_device:blk_file r_file_perms;
+allow aee_aedv sspm_block_device:blk_file r_file_perms;
+allow aee_aedv boot_para_block_device:blk_file rw_file_perms;
+
+allow aee_aedv proc_modules:file r_file_perms;
+
+set_prop(aee_aedv, powerctl_prop)
+
+
+allow aee_aedv proc_ccci_dump:file r_file_perms;
+allow aee_aedv proc_log_much:file r_file_perms;
+
+# Purpose: Allow aee_aedv to read /sys/kernel/tracing/instances/mmstat/trace
+allow aee_aedv debugfs_tracing_instances:dir r_dir_perms;
+allow aee_aedv debugfs_tracing_instances:file r_file_perms;
+
+allow aee_aedv binderfs_logs:dir r_dir_perms;
+allow aee_aedv binderfs_logs:file r_file_perms;
+
+allow aee_aedv proc_ion:dir r_dir_perms;
+allow aee_aedv proc_ion:file r_file_perms;
+allow aee_aedv proc_m4u_dbg:dir r_dir_perms;
+allow aee_aedv proc_m4u_dbg:file r_file_perms;
+allow aee_aedv proc_mtkfb:file r_file_perms;
+
+allow aee_aedv proc_dmaheap:dir r_dir_perms;
+allow aee_aedv 
proc_dmaheap:file r_file_perms; + +allow aee_aedv proc_iommu_debug:dir r_dir_perms; +allow aee_aedv proc_iommu_debug:file r_file_perms; + +allow aee_aedv sysfs_dvfsrc_dbg:dir r_dir_perms; +allow aee_aedv sysfs_dvfsrc_dbg:file r_file_perms; + +allow aee_aedv sysfs_systracker:dir r_dir_perms; +allow aee_aedv sysfs_systracker:file r_file_perms; + +allow aee_aedv sysfs_aee_enable:file r_file_perms; + +#Purpose: Allow aee_aedv to read /data/vendor/gpu_dump +allow aee_aedv gpu_dump_vendor_file:dir r_dir_perms; +allow aee_aedv gpu_dump_vendor_file:file r_file_perms; + +# Date : 2020/12/14 +# Purpose: allow aee_aedv to read /sys/kernel/mm/mlog/dump +allow aee_aedv sysfs_mm:file r_file_perms; + +#Purpose: Allow aee_aedv to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80 +allow aee_aedv sysfs_vpd:dir r_dir_perms; +allow aee_aedv sysfs_vpd:file r_file_perms; + +# Date: 2021/05/21 +# Purpose: allow aee_aedv to read /sys/kernel/notes +allow aee_aedv sysfs_kernel_notes:file r_file_perms; + +# Date: 2021/08/09 +# Purpose: Add apusys debug info into db +allow aee_aedv proc_apusys_rv_coredump_debug:file r_file_perms; +allow aee_aedv proc_apusys_rv_xfile_debug:file r_file_perms; +allow aee_aedv proc_apusys_rv_regdump_debug:file r_file_perms; +allow aee_aedv proc_apusys_logger_seq_log_debug:file r_file_perms; + +# Date: 2021/08/10 +# Purpose: Add apusys mdw debug info into db +allow aee_aedv proc_aputag_mdw_debug:file r_file_perms; + +no_debugfs_restriction(` + userdebug_or_eng(` + allow aee_aedv debugfs_blockio:file r_file_perms; + allow aee_aedv debugfs_fb:dir search; + allow aee_aedv debugfs_fb:file r_file_perms; + allow aee_aedv debugfs_fuseio:dir search; + allow aee_aedv debugfs_fuseio:file r_file_perms; + allow aee_aedv debugfs_rcu:dir search; + allow aee_aedv debugfs_shrinker_debug:file r_file_perms; + allow aee_aedv debugfs_dmlog_debug:file r_file_perms; + allow aee_aedv debugfs_page_owner_slim_debug:file r_file_perms; + allow aee_aedv debugfs_ion_mm_heap:dir search; + allow 
aee_aedv debugfs_ion_mm_heap:file r_file_perms; + allow aee_aedv debugfs_ion_mm_heap:lnk_file r_file_perms; + allow aee_aedv debugfs_cpuhvfs:dir search; + allow aee_aedv debugfs_cpuhvfs:file r_file_perms; + allow aee_aedv debugfs_emi_mbw_buf:file r_file_perms; + + # Purpose: + # 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search } + # for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r: + # debugfs_dynamic_debug:s0 tclass=dir permissive=0 + allow aee_aedv debugfs_dynamic_debug:dir search; + allow aee_aedv debugfs_dynamic_debug:file r_file_perms; + + # Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log + allow aee_aedv debugfs_rcu:file r_file_perms; + + # Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon + allow aee_aedv debugfs_smi_mon:file r_file_perms; + + allow aee_aedv debugfs_cmdq:file r_file_perms; + allow aee_aedv debugfs_mml:file r_file_perms; + allow aee_aedv debugfs_wakeup_sources:file r_file_perms; + ') +') + +allow aee_aedv sysfs_cache_status:file r_file_perms; + +allow aee_aedv sysfs_emiisu:file r_file_perms; + +allow aee_aedv mnt_vendor_file:dir search; +allow aee_aedv nvdata_file:dir r_dir_perms; +allow aee_aedv nvdata_file:file r_file_perms; +allow aee_aedv protect_f_data_file:dir r_dir_perms; +allow aee_aedv protect_f_data_file:file r_file_perms; +allow aee_aedv protect_s_data_file:dir r_dir_perms; +allow aee_aedv protect_s_data_file:file r_file_perms; +allow aee_aedv proc_vpu_memory:file r_file_perms; + +allow aee_aedv proc_lockdep:file r_file_perms; diff --git a/basic/debug/non_plat/aee_core_forwarder.te b/basic/debug/non_plat/aee_core_forwarder.te new file mode 100644 index 0000000..03123c2 --- /dev/null +++ b/basic/debug/non_plat/aee_core_forwarder.te 
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow aee_core_forwarder aee_exp_data_file:dir rw_dir_perms;
+allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+wakelock_use(aee_core_forwarder)
+allow aee_core_forwarder crash_dump:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
+allow aee_core_forwarder crash_dump:lnk_file r_file_perms;
+allow aee_core_forwarder crash_dump:process {getattr};
+allow aee_core_forwarder sysfs_aee_enable:file r_file_perms;
diff --git a/basic/debug/non_plat/aee_hal.te b/basic/debug/non_plat/aee_hal.te
new file mode 100644
index 0000000..9a722b9
--- /dev/null
+++ b/basic/debug/non_plat/aee_hal.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type aee_hal,domain;
+type aee_hal_exec, exec_type, file_type, vendor_file_type;
+typeattribute aee_hal mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(aee_hal)
+
+hal_server_domain(aee_hal, hal_mtk_aee)
+
+allow aee_hal aee_exp_vendor_file:dir w_dir_perms;
+allow aee_hal aee_exp_vendor_file:file create_file_perms;
+allow aee_hal aee_exp_data_file:file { read write };
+
+set_prop(aee_hal, vendor_mtk_persist_mtk_aeev_prop)
+set_prop(aee_hal, vendor_mtk_persist_aeev_prop)
+set_prop(aee_hal, vendor_mtk_debug_mtk_aeev_prop)
+
+binder_call(aee_hal, system_app);
diff --git a/basic/debug/non_plat/atcid.te b/basic/debug/non_plat/atcid.te
new file mode 100755
index 0000000..c5dc484
--- /dev/null
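Review bot: The rules that follow `wakelock_use(aee_core_forwarder)` have no purpose comment: the dated block above it only describes the ISystemSuspend interface, yet the next lines also grant `crash_dump:unix_stream_socket connectto`, read on `crash_dump:lnk_file` and `crash_dump:process {getattr}`. Each of these lets the forwarder reach into the crash_dump domain, so the triggering avc denial or a line such as `# Purpose: <why the forwarder talks to crash_dump — to be filled in by the author>` should sit above them so a later reviewer can judge whether the access is still needed. The file header names `/system/bin/aee_core_forwarder` while the file lives under non_plat; the type declaration is not in this hunk, so where the domain is defined should be confirmed.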
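Review bot: `typeattribute aee_hal mlstrustedsubject;` exempts the HAL from MLS constraints and carries no comment saying why that is required. The reason should be recorded next to the line, for example `# mlstrustedsubject: <reason, e.g. handles fds from domains running with categories — confirm>`, because the same domain also holds `create_file_perms` on `aee_exp_vendor_file`. The `{ read write }` grant on `aee_exp_data_file:file` omits `open`, which looks like deliberate fd passing; a one-line comment saying so would stop someone from widening it later. `binder_call(aee_hal, system_app);` is the only macro call in the file written with a trailing semicolon.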
+++ b/basic/debug/non_plat/atcid.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.33
+# Purpose: Add policy to support get modem status
+
+allow atcid ccci_device:chr_file rw_file_perms_no_map;
+allow atcid self:unix_stream_socket ioctl;
+allowxperm atcid self:unix_stream_socket ioctl unpriv_tty_ioctls;
\ No newline at end of file
diff --git a/basic/debug/non_plat/audioserver.te b/basic/debug/non_plat/audioserver.te
new file mode 100644
index 0000000..a31e4c2
--- /dev/null
+++ b/basic/debug/non_plat/audioserver.te
@@ -0,0 +1,3 @@
+# Date : WK16.48
+# Purpose: Allow to trigger AEE dump
+allow audioserver crash_dump:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/ccci_mdinit.te b/basic/debug/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..4c800a8
--- /dev/null
+++ b/basic/debug/non_plat/ccci_mdinit.te
@@ -0,0 +1 @@
+get_prop(ccci_mdinit, system_mtk_init_svc_aee_aedv_prop)
diff --git a/basic/debug/non_plat/connsyslogger.te b/basic/debug/non_plat/connsyslogger.te
new file mode 100644
index 0000000..293834f
--- /dev/null
+++ b/basic/debug/non_plat/connsyslogger.te
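Review bot: In atcid.te, `allowxperm atcid self:unix_stream_socket ioctl unpriv_tty_ioctls;` whitelists terminal ioctls on a Unix stream socket, and the "get modem status" purpose comment does not explain why a socket needs tty commands. If the daemon only issues ordinary socket ioctls, `unpriv_unix_sock_ioctls` is the set normally used for this class; if a tty ioctl really is issued on the socket, the comment should name it or quote the denial. The same comment should also say whether write access to `ccci_device` is needed for a status query, since `rw_file_perms_no_map` grants it. The file is added with mode 100755 and no trailing newline, both of which look accidental for a policy source.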
@@ -0,0 +1,75 @@ +# ============================================== +# Policy File of /system/bin/connsyslogger Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +#for logging sdcard access +allow connsyslogger fuse:dir create_dir_perms; +allow connsyslogger fuse:file create_file_perms; + +#consys logger access on /data/consyslog +allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto }; +allow connsyslogger consyslog_data_file:fifo_file create_file_perms; +allow connsyslogger consyslog_data_file:file create_file_perms; + +allow connsyslogger tmpfs:lnk_file create_file_perms; + +# purpose: avc: denied { read } for name="plat_file_contexts" +allow connsyslogger file_contexts_file:file r_file_perms; + +#logger SD logging in factory mode +allow connsyslogger vfat:dir create_dir_perms; +allow connsyslogger vfat:file create_file_perms; + +#logger permission in storage in android M version +allow connsyslogger mnt_user_file:dir search; +allow connsyslogger mnt_user_file:lnk_file r_file_perms; +allow connsyslogger storage_file:lnk_file r_file_perms; + +#permission for use SELinux API +allow connsyslogger rootfs:file r_file_perms; + +#permission for storage access storage +allow connsyslogger storage_file:dir create_dir_perms; +allow connsyslogger storage_file:file create_file_perms; + +#permission for read boot mode +allow connsyslogger sysfs_boot_mode:file r_file_perms; + +allow connsyslogger fw_log_wifi_device:chr_file rw_file_perms; +allow connsyslogger fw_log_bt_device:chr_file rw_file_perms; +allow connsyslogger fw_log_gps_device:chr_file rw_file_perms; +allow connsyslogger fw_log_wmt_device:chr_file rw_file_perms; +allow connsyslogger fw_log_ics_device:chr_file rw_file_perms; +allow connsyslogger fw_log_wifimcu_device:chr_file rw_file_perms_no_map; +allow connsyslogger fw_log_btmcu_device:chr_file rw_file_perms_no_map; + +allow connsyslogger sdcardfs:dir 
create_dir_perms; +allow connsyslogger sdcardfs:file create_file_perms; +allow connsyslogger rootfs:lnk_file getattr; + +allow connsyslogger media_rw_data_file:file create_file_perms; +allow connsyslogger media_rw_data_file:dir create_dir_perms; + +#permission to get driver ready status +get_prop(connsyslogger, vendor_mtk_wmt_prop) + +#Date:2019/03/25 +# purpose: allow connsyslogger to access persist.meta.connecttype +get_prop(connsyslogger, vendor_mtk_meta_connecttype_prop) + + +#Date:2019/03/25 +# purpose: allow emdlogger to create socket +allow connsyslogger port:tcp_socket { name_connect name_bind }; +allow connsyslogger connsyslogger:tcp_socket create_stream_socket_perms; +allow connsyslogger node:tcp_socket node_bind; + +#Date:2019/03/25 +# usb device ttyGSx for modem logger usb logging +allow connsyslogger ttyGS_device:chr_file rw_file_perms; + +# Add permission to access new bootmode file +allow connsyslogger sysfs_boot_info:file r_file_perms; diff --git a/basic/debug/non_plat/crash_dump.te b/basic/debug/non_plat/crash_dump.te new file mode 100644 index 0000000..572b2b4 --- /dev/null +++ b/basic/debug/non_plat/crash_dump.te 
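Review bot: The three `tcp_socket` rules near the end of connsyslogger.te (`port:tcp_socket { name_connect name_bind }`, `connsyslogger:tcp_socket create_stream_socket_perms`, `node:tcp_socket node_bind`) sit under a comment reading `allow emdlogger to create socket`, so the stated purpose belongs to a different domain. `port` and `node` are the generic labels, so on every build variant the logger may bind and connect on any port that has no more specific type. If the socket is only a debugging transport, the three lines should be wrapped in a `userdebug_or_eng` block as this patch already does for the debugfs rules, and the comment should name connsyslogger and the peer it talks to. The same three rules appear in emdlogger.te and deserve the same treatment.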
@@ -0,0 +1,27 @@
+#data/aee_exp
+allow crash_dump aee_exp_data_file:dir { create_dir_perms relabelto };
+allow crash_dump aee_exp_data_file:file create_file_perms;
+
+hal_client_domain(crash_dump, hal_mtk_aee)
+
+allow crash_dump aed_device:chr_file rw_file_perms;
+
+# Date : 2020/12/14
+# Purpose: allow aee_aed to read /sys/kernel/mm/mlog/dump
+allow crash_dump sysfs_mm:file r_file_perms;
+
+# Purpose: Allow crash_dump to write /proc/aed/generate-kernel-notify
+allow crash_dump proc_aed:dir r_dir_perms;
+allow crash_dump proc_aed:file rw_file_perms;
+
+no_debugfs_restriction(`
+ userdebug_or_eng(`
+ allow crash_dump debugfs_blockio:file r_file_perms;
+ allow crash_dump debugfs_ion_mm_heap:dir search;
+ allow crash_dump debugfs_ion_mm_heap:file r_file_perms;
+ allow crash_dump debugfs_ion_mm_heap:lnk_file r_file_perms;
+ allow crash_dump debugfs_dmlog_debug:file r_file_perms;
+ ')
+')
+
+allow crash_dump sysfs_aee_enable:file r_file_perms;
diff --git a/basic/debug/non_plat/device.te b/basic/debug/non_plat/device.te
new file mode 100644
index 0000000..69aea3a
--- /dev/null
+++ b/basic/debug/non_plat/device.te
@@ -0,0 +1,6 @@
+type aed_device, dev_type;
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+type ccci_mdl_device, dev_type;
+
diff --git a/basic/debug/non_plat/domain.te b/basic/debug/non_plat/domain.te
new file mode 100644
index 0000000..4bc29e6
--- /dev/null
+++ b/basic/debug/non_plat/domain.te
@@ -0,0 +1,5 @@
+# Date:20170630
+# Purpose: allow trusted process to connect aee daemon
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file w_file_perms;
+allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:fd use;
diff --git a/basic/debug/non_plat/dumpstate.te b/basic/debug/non_plat/dumpstate.te
new file mode 100644
index 0000000..d784dbc
--- /dev/null
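Review bot: In domain.te the comment says "allow trusted process to connect aee daemon", but the source set `{ domain -coredomain -hal_configstore_server -vendor_init }` is every non-core domain rather than a trusted subset. The second rule therefore hands all of those domains `w_file_perms` on `aee_exp_vendor_file:file`, which includes `open`, so nothing in this hunk limits them to descriptors they were given. If clients only write through fds passed by aee_aedv, as the `aee_aedv:fd use` rule suggests, `allow { domain -coredomain -hal_configstore_server -vendor_init } aee_exp_vendor_file:file { write append };` would be enough; otherwise an attribute listing the real clients is the narrower form. The comment should be corrected to describe the actual scope either way.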
+++ b/basic/debug/non_plat/dumpstate.te 
@@ -0,0 +1,126 @@ +# Purpose: data/aee_exp/* +allow dumpstate aee_exp_data_file:dir rw_dir_perms; +allow dumpstate aee_exp_data_file:file create_file_perms; + +# Data : 2017/03/22 +# Operation : add fd use selinux rule +# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker" +# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0 +# tcontext=u:r:crash_dump:s0 tclass=fd permissive=0 +allow dumpstate crash_dump:fd use; +allow dumpstate crash_dump:unix_stream_socket { rw_socket_perms connectto }; + +# Purpose: access dev/aed0 +allow dumpstate aed_device:chr_file r_file_perms; +allow dumpstate vcp_device:chr_file r_file_perms_no_map; + +# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied +# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r: +# sf_bqdump_data_file:s0 tclass=dir permissive=0 +allow dumpstate sf_bqdump_data_file:dir r_dir_perms; +allow dumpstate sf_bqdump_data_file:file r_file_perms; + +# Purpose: +# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497): +# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev= +# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r: +# tracing_shell_writable:s0 tclass=file permissive=1 +allow dumpstate debugfs_tracing:file rw_file_perms; + +# Purpose: Allow aee_dumpstate to invoke "lshal debug ", where is "ICameraProvider". 
+allow dumpstate mtk_hal_camera:binder call; + +# Purpose: Allow aee_dumpstate to read /proc/slabinfo +allow dumpstate proc_slabinfo:file r_file_perms; + +# Purpose: Allow aee_dumpstate to read /proc/zraminfo +allow dumpstate proc_zraminfo:file r_file_perms; + +# Purpose: Allow aee_dumpstate to read /proc/gpulog +allow dumpstate proc_gpulog:file r_file_perms; + +# Purpose: Allow aee_dumpstate to read /proc/sched_debug +allow dumpstate proc_sched_debug:file r_file_perms; + +# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver +allow dumpstate proc_chip:file r_file_perms; +allow dumpstate proc_chip:dir r_dir_perms; + +# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable +allow dumpstate sysfs_vibrator_setting:file w_file_perms; + +# Date : 2020/12/14 +# Purpose: allow aee_dumpstate to read /sys/kernel/mm/mlog/dump +allow dumpstate sysfs_mm:file r_file_perms; + +#Purpose: Allow dumpstate to read /sys/bus/scsi/devices/0:0:0:0/vpd_pg80 +allow dumpstate sysfs_vpd:dir r_dir_perms; +allow dumpstate sysfs_vpd:file r_file_perms; + +#Purpose: Alloc dumpstate to read /proc/dma_heap/ +allow dumpstate proc_dmaheap:dir r_dir_perms; +allow dumpstate proc_dmaheap:file r_file_perms; + +#Purpose: Allow dumpstate to read /proc/iommu_debug/ +allow dumpstate proc_iommu_debug:dir r_dir_perms; +allow dumpstate proc_iommu_debug:file r_file_perms; + +#Date: 2020/07/23 +#Purpose: Allow dumpstate to read /sys/kernel/notes +allow dumpstate sysfs_kernel_notes:file r_file_perms; + +no_debugfs_restriction(` + userdebug_or_eng(` + allow dumpstate debugfs_blockio:file r_file_perms; + allow dumpstate debugfs_fb:dir search; + allow dumpstate debugfs_fb:file r_file_perms; + allow dumpstate debugfs_fuseio:dir search; + allow dumpstate debugfs_fuseio:file r_file_perms; + allow dumpstate debugfs_rcu:dir search; + allow dumpstate debugfs_shrinker_debug:file r_file_perms; + allow dumpstate debugfs_dmlog_debug:file r_file_perms; + allow dumpstate 
debugfs_page_owner_slim_debug:file r_file_perms; + allow dumpstate debugfs_ion_mm_heap:dir search; + allow dumpstate debugfs_ion_mm_heap:file r_file_perms; + allow dumpstate debugfs_ion_mm_heap:lnk_file r_file_perms; + allow dumpstate debugfs_cpuhvfs:dir search; + allow dumpstate debugfs_cpuhvfs:file r_file_perms; + + # Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log + allow dumpstate debugfs_rcu:file r_file_perms; + + # Date: 19/07/15 + # Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak + allow dumpstate debugfs_kmemleak:file r_file_perms; + + #Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon + allow dumpstate debugfs_smi_mon:file r_file_perms; + + allow dumpstate debugfs_cmdq:file r_file_perms; + allow dumpstate debugfs_mml:file r_file_perms; + allow dumpstate debugfs_wakeup_sources:file r_file_perms; + ') +') + +#Date: 2021/08/24 +#Purpose: debugfs files +no_debugfs_restriction(` + userdebug_or_eng(` + allow dumpstate debugfs_cam_dbg:file r_file_perms; + allow dumpstate debugfs_cam_exception:file r_file_perms; + ') +') + +allow dumpstate sysfs_dvfsrc_dbg:dir r_dir_perms; +allow dumpstate sysfs_dvfsrc_dbg:file r_file_perms; +#Purpose: Allow dumpstate to read /proc/apusys_rv/apusys_rv_xfile and /proc/apusys_logger/seq_log +allow dumpstate proc_apusys_rv_xfile_debug:file r_file_perms; +allow dumpstate proc_apusys_logger_seq_log_debug:file r_file_perms; +allow dumpstate sysfs_emiisu:file r_file_perms; + +#Purpose: Allow dumpstate to read /proc/vpu/vpu_memory +allow dumpstate proc_vpu_memory:file r_file_perms; + +#Purpose: Allow dumpstate to read /proc/mtk_mali/gpu_memory +allow dumpstate proc_gpu_memory:file r_file_perms; + diff --git a/basic/debug/non_plat/emdlogger.te b/basic/debug/non_plat/emdlogger.te new file mode 100644 index 0000000..e466fee --- /dev/null +++ b/basic/debug/non_plat/emdlogger.te 
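Review bot: In dumpstate.te, `allow dumpstate debugfs_tracing:file rw_file_perms;` does not match the denial quoted above it: the audit line is an `open` on `tracing_on` with `tcontext=...tracing_shell_writable` and `permissive=1`, while the rule grants read and write on the whole `debugfs_tracing` type on every build variant. Either the comment or the rule is stale; if dumpstate only toggles `tracing_on`, the rule should name the label that file actually carries, and if it only reads trace output `r_file_perms` is sufficient. The other debugfs rules in this file are wrapped in `no_debugfs_restriction` and `userdebug_or_eng`, so leaving this one outside looks unintended. The `# Data : 2017/03/22` header near the top is presumably meant to read `Date`.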
@@ -0,0 +1,124 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# ccci device for internal modem +allow emdlogger ccci_mdl_device:chr_file rw_file_perms; +allow emdlogger ccci_ccb_device:chr_file rw_file_perms; +#add for read /dev/ccci_md1_sta +allow emdlogger ccci_device:chr_file rw_file_perms; + +# eemcs device for external modem +allow emdlogger eemcs_device:chr_file rw_file_perms; + +# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port +allow emdlogger ttySDIO_device:chr_file rw_file_perms; + +# C2K project modem device for external modem vmodem start/stop/ioctl modem +allow emdlogger vmodem_device:chr_file rw_file_perms; + +# usb device ttyGSx for modem logger usb logging +allow emdlogger ttyGS_device:chr_file rw_file_perms; + +# for modem logging sdcard access +allow emdlogger sdcard_type:dir create_dir_perms; +allow emdlogger sdcard_type:file create_file_perms; + +# modem logger access on /data/mdlog +allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto }; +allow emdlogger mdlog_data_file:fifo_file create_file_perms; +allow emdlogger mdlog_data_file:file create_file_perms; + +# modem logger control port access /dev/ttyC1 +allow emdlogger mdlog_device:chr_file rw_file_perms; + +# modem logger SD logging in factory mode +allow emdlogger vfat:dir create_dir_perms; +allow emdlogger vfat:file create_file_perms; + +# modem logger permission in storage in android M version +allow emdlogger mnt_user_file:dir search; +allow emdlogger mnt_user_file:lnk_file r_file_perms; +allow emdlogger storage_file:lnk_file r_file_perms; + +# permission for storage link access in vzw Project +allow emdlogger mnt_media_rw_file:dir search; + +# permission for use SELinux API +# avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs" +allow emdlogger rootfs:file r_file_perms; + +# permission for storage access storage +allow 
emdlogger storage_file:dir create_dir_perms; +allow emdlogger tmpfs:lnk_file r_file_perms; +allow emdlogger storage_file:file create_file_perms; + +# permission for read boot mode +# avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" +allow emdlogger sysfs_boot_mode:file r_file_perms; + +# Allow read to sys/kernel/ccci/* files +allow emdlogger sysfs_ccci:dir search; +allow emdlogger sysfs_ccci:file r_file_perms; + +allow emdlogger sysfs_mdinfo:file r_file_perms; +allow emdlogger sysfs_mdinfo:dir search; + +# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 +# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 +allow emdlogger system_file:dir r_dir_perms; + +# purpose: allow emdlogger to access storage in N version +allow emdlogger media_rw_data_file:file create_file_perms; +allow emdlogger media_rw_data_file:dir create_dir_perms; + +# For dynamic CCB buffer feature +# avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192 +# scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0 +# avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0 +# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0 +allow emdlogger para_block_device:blk_file rw_file_perms; +allow emdlogger proc_lk_env:file rw_file_perms; + +allow emdlogger block_device:dir search; +allow emdlogger md_block_device:blk_file r_file_perms; +allow emdlogger self:capability chown; + +# purpose: allow emdlogger to access persist.meta.connecttype +get_prop(emdlogger, vendor_mtk_meta_connecttype_prop) + +# purpose: allow emdlogger to create socket +allow emdlogger port:tcp_socket { name_connect name_bind }; +allow emdlogger emdlogger:tcp_socket {create_stream_socket_perms}; +allow emdlogger node:tcp_socket node_bind; +allow emdlogger fwmarkd_socket:sock_file {write}; +allow emdlogger netd:unix_stream_socket {connectto}; +allow 
emdlogger self:tcp_socket {ioctl}; + + +# Android P migration +get_prop(emdlogger, vendor_mtk_usb_prop) + +# Date : WK19.12 +# Operation: add permission to catch logs +# Purpose : get kernel and radio logs when modem exception +allow emdlogger kernel:system syslog_read; +allow emdlogger logcat_exec:file rx_file_perms; +allow emdlogger logdr_socket:sock_file w_file_perms; + +# Add permission to access new bootmode file +allow emdlogger sysfs_boot_info:file r_file_perms; + +# avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0 +# tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0 +# security issue control +allow emdlogger crash_dump:unix_stream_socket connectto; +# Allow ReadDefaultFstab(). +read_fstab(emdlogger) + +# Date : 2021/07/06 +# Purpose: add permission to access devie tree to get ccb gear info +allow emdlogger sysfs_soc_ccb_gear:file r_file_perms; +allow emdlogger sysfs_ccb_gear:file r_file_perms; + +get_prop(emdlogger, vendor_mtk_atm_ipaddr_prop) \ No newline at end of file diff --git a/basic/debug/non_plat/file.te b/basic/debug/non_plat/file.te new file mode 100644 index 0000000..f746ee6 --- /dev/null +++ b/basic/debug/non_plat/file.te 
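Review bot: `allow emdlogger self:capability chown;` sits at the end of the "dynamic CCB buffer feature" block in emdlogger.te, but neither denial quoted there mentions a capability, so nothing records why a logger needs to change file ownership. The avc line or a purpose comment such as `# Purpose: chown <path> to <owner> — to be filled in by the author` should be added, or the rule dropped if it is a leftover. Further down, the comment `# security issue control` above `allow emdlogger crash_dump:unix_stream_socket connectto;` does not say what is being controlled, and the denial it quotes has `tcontext=...aee_aed_socket` rather than the `crash_dump` domain the rule names. `kernel:system syslog_read` and execute access to `logcat_exec` are granted on all build variants; if log capture on modem exception is a debug feature, those belong in a `userdebug_or_eng` block.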
@@ -0,0 +1,86 @@ +# AEE exp +type aee_exp_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject; +type aee_exp_vendor_file, file_type, data_file_type; + +# Date : 2019/08/29 +# Purpose: Allow rild access proc/aed/reboot-reason +type proc_aed_reboot_reason, fs_type, proc_type; + +# Date : 2021/06/24 +# Operation: S development +# Purpose: Add permission for access /proc/iommu_debug +type proc_iommu_debug, fs_type, proc_type; + +type proc_aed, fs_type, proc_type; + +type sysfs_soc_ccb_gear, sysfs_type, fs_type; +type sysfs_ccb_gear, sysfs_type, fs_type; + +# Date : 2021/08/09 +# Purpose: Add apusys debug info into db +type proc_apusys_rv_coredump_debug, fs_type, proc_type; +type proc_apusys_rv_xfile_debug, fs_type, proc_type; +type proc_apusys_rv_regdump_debug, fs_type, proc_type; +type proc_apusys_logger_seq_log_debug, fs_type, proc_type; + +# Date : 2021/08/10 +# Purpose: Add apusys MDW debug info into db +type proc_aputag_mdw_debug, fs_type, proc_type; + +# Date : 2021/10/13 +type proc_mtmon, fs_type, proc_type; + +# Date : 2022/01/19 +# Purpose: Add lockdep debug info into db +type proc_lockdep, fs_type, proc_type; + +# blockio procfs file +type debugfs_blockio, fs_type, debugfs_type; + +# fuseio debugfs file +type debugfs_fuseio, fs_type, debugfs_type; + +# cpuhvfs debugfs file +type debugfs_cpuhvfs, fs_type, debugfs_type; + +# dynamic_debug debugfs file +type debugfs_dynamic_debug, fs_type, debugfs_type; + +# shrinker debugfs file +type debugfs_shrinker_debug, fs_type, debugfs_type; + +# dmlog debugfs file +type debugfs_dmlog_debug, fs_type, debugfs_type; + +# page_owner_slim debugfs file +type debugfs_page_owner_slim_debug, fs_type, debugfs_type; + +# rcu debugfs file +type debugfs_rcu, fs_type, debugfs_type; + +# /sys/kernel/debug/ion/ion_mm_heap +type debugfs_ion_mm_heap, fs_type, debugfs_type; + +# /sys/kernel/debug/emi_mbw/dump_buf +type debugfs_emi_mbw_buf, fs_type, debugfs_type; + +# /sys/devices/platform/emiisu/emi_isu_buf +type 
sysfs_emiisu, sysfs_type, fs_type; + +# /sys/kernel/debug/kmemleak +type debugfs_kmemleak, fs_type, debugfs_type; + +# Date : 2019/08/15 +type debugfs_smi_mon, fs_type, debugfs_type; + +type debugfs_cmdq, fs_type, debugfs_type; +type debugfs_mml, fs_type, debugfs_type; + +# Date : 2021/08/24 +# camsys debugfs file +type debugfs_cam_dbg, fs_type, debugfs_type; +type debugfs_cam_exception, fs_type, debugfs_type; + +#vpu proc file +type proc_vpu_memory, fs_type, proc_type; + diff --git a/basic/debug/non_plat/file_contexts b/basic/debug/non_plat/file_contexts new file mode 100644 index 0000000..ecdd3da --- /dev/null +++ b/basic/debug/non_plat/file_contexts 
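Review bot: In file.te, `aee_exp_data_file` is declared with `mlstrustedobject` (alongside `core_data_file_type`) and no comment, which removes MLS separation for everything carrying that label. Crash dumps commonly hold process memory and logs, so the reason the label must be reachable across levels and categories should be written next to the declaration, for example `# mlstrustedobject: <reason, e.g. written via fds passed from app domains — confirm>`. Two smaller comment issues in the same hunk: `# blockio procfs file` sits above a `debugfs_type` declaration, and `proc_mtmon` has a date line but no purpose.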
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0
+##########################
+# Devices
+#
+/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
+##########################
+# Vendor files
+#
+/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
+
+/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
+/data/vendor/aee_exp(/.*)? u:object_r:aee_exp_vendor_file:s0
+
+/(vendor|system/vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
+/(vendor|system/vendor)/bin/aee_aedv64_v2 u:object_r:aee_aedv_exec:s0
+
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.0-service u:object_r:aee_hal_exec:s0
+/vendor/bin/hw/vendor\.mediatek\.hardware\.aee@1\.1-service u:object_r:aee_hal_exec:s0
+
+/dev/aed[0-9]+ u:object_r:aed_device:s0
+
+# Date:2021/07/27
+# Purpose: permission for emdlogger
+/dev/ccci_md_log_ctrl u:object_r:ccci_mdl_device:s0
+/dev/ccci_ccb_dhl u:object_r:ccci_mdl_device:s0
+/dev/ccci_raw_dhl u:object_r:ccci_mdl_device:s0
+# Purpose: permission for mdlogger
+/dev/ccci_md_log_tx u:object_r:ccci_mdl_device:s0
+/dev/ccci_md_log_rx u:object_r:ccci_mdl_device:s0
diff --git a/basic/debug/non_plat/genfs_contexts b/basic/debug/non_plat/genfs_contexts
new file mode 100644
index 0000000..c824343
--- /dev/null
+++ b/basic/debug/non_plat/genfs_contexts
@@ -0,0 +1,72 @@ +genfscon proc /aed u:object_r:proc_aed:s0 +# Date : 2019/08/29 +# Purpose: allow rild to access /proc/aed/reboot-reason +genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0 + +# 2021/06/24 +# Purpose: add iommu debug info into db +genfscon proc /iommu_debug u:object_r:proc_iommu_debug:s0 + +# Date : 2021/07/06 +# Purpose: allow emdlogger to access /proc/device-tree/soc/mddriver +genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_gear_list u:object_r:sysfs_soc_ccb_gear:s0 +genfscon sysfs /firmware/devicetree/base/soc/mddriver/md1_ccb_cap_gear u:object_r:sysfs_soc_ccb_gear:s0 + +# Date : 2021/07/06 +# Purpose: allow emdlogger to access /proc/device-tree/mddriver +genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_cap_gear u:object_r:sysfs_ccb_gear:s0 +genfscon sysfs /firmware/devicetree/base/mddriver/md1_ccb_gear_list u:object_r:sysfs_ccb_gear:s0 + +# Date : 2021/08/09 +# Purpose: add apusys debug info into db +genfscon proc /apusys_rv/apusys_rv_coredump u:object_r:proc_apusys_rv_coredump_debug:s0 +genfscon proc /apusys_rv/apusys_rv_xfile u:object_r:proc_apusys_rv_xfile_debug:s0 +genfscon proc /apusys_rv/apusys_regdump u:object_r:proc_apusys_rv_regdump_debug:s0 +genfscon proc /apusys_logger/seq_log u:object_r:proc_apusys_logger_seq_log_debug:s0 + +# Date : 2021/08/10 +# Purpose: add apusys MDW debug info into db +genfscon proc /aputag/mdw u:object_r:proc_aputag_mdw_debug:s0 + +# Date : 2021/10/13 +# Purpose: allow vendor_init to access /proc/mtmon +genfscon proc /mtmon u:object_r:proc_mtmon:s0 + +# Date : 2022/01/19 +# Purpose: add lockdep debug info into db +genfscon proc /lockdep u:object_r:proc_lockdep:s0 +genfscon proc /lockdep_chains u:object_r:proc_lockdep:s0 +genfscon proc /lockdep_stats u:object_r:proc_lockdep:s0 + +genfscon debugfs /blockio u:object_r:debugfs_blockio:s0 +genfscon debugfs /cpuhvfs u:object_r:debugfs_cpuhvfs:s0 +genfscon debugfs /dmlog u:object_r:debugfs_dmlog_debug:s0 +genfscon debugfs 
/dynamic_debug u:object_r:debugfs_dynamic_debug:s0 +genfscon debugfs /emi_mbw/dump_buf u:object_r:debugfs_emi_mbw_buf:s0 +genfscon debugfs /fuseio u:object_r:debugfs_fuseio:s0 +genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0 +genfscon debugfs /ion/heaps u:object_r:debugfs_ion_mm_heap:s0 +genfscon debugfs /ion/ion_mm_heap u:object_r:debugfs_ion_mm_heap:s0 +genfscon debugfs /kmemleak u:object_r:debugfs_kmemleak:s0 +genfscon debugfs /page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0 +genfscon debugfs /rcu u:object_r:debugfs_rcu:s0 +genfscon debugfs /shrinker u:object_r:debugfs_shrinker_debug:s0 +# 2019/08/15 +genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0 + +genfscon debugfs /cmdq/cmdq-status u:object_r:debugfs_cmdq:s0 +genfscon debugfs /cmdq/cmdq-record u:object_r:debugfs_cmdq:s0 + +genfscon debugfs /mml/mml-record u:object_r:debugfs_mml:s0 +genfscon debugfs /mml/mml-frame-dump-in u:object_r:debugfs_mml:s0 + +# Date: 2021/08/24 +# allow aee to get camsys dump +genfscon debugfs /mtk_cam_dbg_dump u:object_r:debugfs_cam_dbg:s0 +genfscon debugfs /mtk_cam_exp_dump u:object_r:debugfs_cam_exception:s0 + +genfscon sysfs /devices/platform/emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0 +genfscon sysfs /devices/platform/soc/soc:emiisu/emi_isu_buf u:object_r:sysfs_emiisu:s0 + +genfscon proc /vpu/vpu_memory u:object_r:proc_vpu_memory:s0 + diff --git a/basic/debug/non_plat/hal_mtk_aee.te b/basic/debug/non_plat/hal_mtk_aee.te new file mode 100644 index 0000000..d930915 --- /dev/null +++ b/basic/debug/non_plat/hal_mtk_aee.te 
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_aee, mtk_hal_aee_hwservice)
+
+binder_call(hal_mtk_aee_client, hal_mtk_aee_server)
+binder_call(hal_mtk_aee_server, hal_mtk_aee_client)
+allow hal_mtk_aee_server aee_exp_vendor_file:dir {r_dir_perms rmdir};
+allow hal_mtk_aee_server aee_exp_vendor_file:file r_file_perms;
diff --git a/basic/debug/non_plat/hal_mtk_log.te b/basic/debug/non_plat/hal_mtk_log.te
new file mode 100644
index 0000000..0a6205e
--- /dev/null
+++ b/basic/debug/non_plat/hal_mtk_log.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_log, mtk_hal_log_hwservice)
+
+binder_call(hal_mtk_log_client, hal_mtk_log_server)
+binder_call(hal_mtk_log_server, hal_mtk_log_client)
diff --git a/basic/debug/non_plat/hwservice.te b/basic/debug/non_plat/hwservice.te
new file mode 100644
index 0000000..aafc6b8
--- /dev/null
+++ b/basic/debug/non_plat/hwservice.te
@@ -0,0 +1 @@
+type mtk_hal_aee_hwservice, hwservice_manager_type;
diff --git a/basic/debug/non_plat/hwservice_contexts b/basic/debug/non_plat/hwservice_contexts
new file mode 100644
index 0000000..1d8e9c2
--- /dev/null
+++ b/basic/debug/non_plat/hwservice_contexts
@@ -0,0 +1 @@
+vendor.mediatek.hardware.aee::IAee u:object_r:mtk_hal_aee_hwservice:s0
diff --git a/basic/debug/non_plat/loghidlsysservice.te b/basic/debug/non_plat/loghidlsysservice.te
new file mode 100644
index 0000000..e191118
--- /dev/null
+++ b/basic/debug/non_plat/loghidlsysservice.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for create hidl server
+hal_client_domain(loghidlsysservice, hal_mtk_log)
+allow loghidlsysservice connsyslogger:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/loghidlvendorservice.te b/basic/debug/non_plat/loghidlvendorservice.te
new file mode 100644
index 0000000..859e410
--- /dev/null
+++ b/basic/debug/non_plat/loghidlvendorservice.te
@@ -0,0 +1,30 @@
+# ==============================================
+# Policy File of /vendor/bin/loghidlvendorservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type loghidlvendorservice, domain;
+type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
+typeattribute loghidlvendorservice mlstrustedsubject;
+
+init_daemon_domain(loghidlvendorservice)
+
+hal_server_domain(loghidlvendorservice, hal_mtk_log)
+allow loghidlvendorservice system_app:binder call;
+
+#============= r/w video log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_c2_log_prop)
+
+#============= r/w gpud properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_gpu_prop)
+
+# allow loghidlvendorservice can access video node
+allow loghidlvendorservice video_device:chr_file rw_file_perms_no_map;
+
+#============= r/w display debug log properties ==============
+set_prop(loghidlvendorservice, vendor_mtk_hwc_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_mdp_debug_log_prop)
+set_prop(loghidlvendorservice, vendor_mtk_em_dy_debug_ctrl_prop)
+set_prop(loghidlvendorservice, vendor_debug_logger_prop)
diff --git a/basic/debug/non_plat/mdlogger.te b/basic/debug/non_plat/mdlogger.te
new file mode 100644
index 0000000..b307bb5
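Review bot: `typeattribute loghidlvendorservice mlstrustedsubject;` in loghidlvendorservice.te exempts the daemon from MLS constraints, and nothing in the file says which cross-level access requires it. This domain also accepts socket connections from meta_tst (meta_tst.te in this patch), calls into system_app over binder and may set five debug property types, so the exemption is worth justifying. Please add a comment such as `# mlstrustedsubject: needed for <access>, see denial <quoted avc>` or drop the attribute if no denial supports it. The same undocumented attribute appears in modemdbfilter_service.te, connsyslogger.te and emdlogger.te.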
--- /dev/null
+++ b/basic/debug/non_plat/mdlogger.te
@@ -0,0 +1,58 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# ccci device for internal modem +allow mdlogger ccci_device:chr_file rw_file_perms; +allow mdlogger ccci_mdl_device:chr_file rw_file_perms; + +# usb device ttyGSx for modem logger usb logging +allow mdlogger ttyGS_device:chr_file rw_file_perms; + +# modem logger access on /data/mdlog +allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto}; +allow mdlogger mdlog_data_file:fifo_file create_file_perms; +allow mdlogger mdlog_data_file:file create_file_perms; + +# modem logger control port access /dev/ttyC1 +allow mdlogger mdlog_device:chr_file rw_file_perms; + +#modem logger SD logging in factory mode +allow mdlogger vfat:dir create_dir_perms; +allow mdlogger vfat:file create_file_perms; + +#mdlogger for read /sdcard +allow mdlogger tmpfs:lnk_file r_file_perms; +allow mdlogger storage_file:lnk_file rw_file_perms; +allow mdlogger storage_file:dir create_dir_perms; +allow mdlogger storage_file:file create_file_perms; +allow mdlogger mnt_user_file:dir search; +allow mdlogger mnt_user_file:lnk_file rw_file_perms; +allow mdlogger sdcard_type:file create_file_perms; +allow mdlogger sdcard_type:dir create_dir_perms; + +# Allow read to sys/kernel/ccci/* files +allow mdlogger sysfs_ccci:dir search; +allow mdlogger sysfs_ccci:file r_file_perms; + +# purpose: allow mdlogger to access storage in new version +allow mdlogger media_rw_data_file:file create_file_perms; +allow mdlogger media_rw_data_file:dir create_dir_perms; + +## purpose: avc: denied { read } for name="plat_file_contexts" +allow emdlogger file_contexts_file:file r_file_perms; + +#permission for read boot mode +#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs" +allow mdlogger sysfs_boot_mode:file r_file_perms; + +# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 +allow mdlogger system_file:dir r_dir_perms; + +# Add permission to access new bootmode file +allow mdlogger sysfs_boot_info:file r_file_perms; + +#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0 +#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0 +#security issue control +allow mdlogger crash_dump:unix_stream_socket connectto; diff --git a/basic/debug/non_plat/meta_tst.te b/basic/debug/non_plat/meta_tst.te new file mode 100644 index 0000000..45a8bbb --- /dev/null +++ b/basic/debug/non_plat/meta_tst.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /vendor/bin/meta_tst Executable File + +# Date: W18.29 +# Operation: Catch log +# Purpose : meta connect with loghidlserver by socket. +allow meta_tst loghidlvendorservice:unix_stream_socket connectto; diff --git a/basic/debug/non_plat/mobile_log_d.te b/basic/debug/non_plat/mobile_log_d.te new file mode 100644 index 0000000..7c596f9 --- /dev/null +++ b/basic/debug/non_plat/mobile_log_d.te 
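Review bot: The rule `allow emdlogger file_contexts_file:file r_file_perms;` in mdlogger.te names emdlogger as the source domain, while every other rule in this hunk is for mdlogger; it reads like a copy-paste slip. If mdlogger is the domain that hit the `plat_file_contexts` read denial, the line should be `allow mdlogger file_contexts_file:file r_file_perms;`, and an emdlogger grant, if one is needed, belongs in emdlogger.te with its own denial quoted. As written, emdlogger gains read access that its own policy file does not account for. Two quoted denials further down also disagree with the rules beneath them (`scontext=u:r:emdlogger:s0` above an mdlogger rule, `tcontext=u:object_r:aee_aed_socket:s0` above a rule targeting `crash_dump`), so those comments should be corrected as well.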
@@ -0,0 +1,73 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# boot_mdoe file access +allow mobile_log_d sysfs_boot_mode:file r_file_perms; + +#proc/ access +allow mobile_log_d proc_kmsg:file r_file_perms; +allow mobile_log_d proc_cmdline:file r_file_perms; +allow mobile_log_d proc_atf_log:dir search; +allow mobile_log_d proc_atf_log:file r_file_perms; +allow mobile_log_d proc_gz_log:file r_file_perms; +allow mobile_log_d proc_last_kmsg:file r_file_perms; +allow mobile_log_d proc_bootprof:file r_file_perms; +allow mobile_log_d proc_pl_lk:file r_file_perms; + +#apusys +allow mobile_log_d proc_apusys_up_seq_logl:file r_file_perms; + +#scp +allow mobile_log_d sysfs_scp:file w_file_perms; +allow mobile_log_d sysfs_scp:dir search; +allow mobile_log_d scp_device:chr_file r_file_perms; + +#vcp +allow mobile_log_d sysfs_vcp:file w_file_perms; +allow mobile_log_d sysfs_vcp:dir search; +allow mobile_log_d vcp_device:chr_file r_file_perms_no_map; + +#adsp +allow mobile_log_d sysfs_adsp:file w_file_perms; +allow mobile_log_d sysfs_adsp:dir search; +allow mobile_log_d adsp_device:chr_file r_file_perms; + +#sspm +allow mobile_log_d sysfs_sspm:file w_file_perms; +allow mobile_log_d sysfs_sspm:dir search; +allow mobile_log_d sspm_device:chr_file r_file_perms; + +#data/misc/mblog +allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms }; +allow mobile_log_d logmisc_data_file:file create_file_perms; + +#data/log_temp +allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms }; +allow mobile_log_d logtemp_data_file:file create_file_perms; + +#data/data_tmpfs_log +allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms; +allow mobile_log_d data_tmpfs_log_file:file create_file_perms; + +# purpose: send log to com port +allow mobile_log_d ttyGS_device:chr_file rw_file_perms; + +# purpose: allow mobile_log_d to access persist.meta.connecttype +get_prop(mobile_log_d, 
vendor_mtk_meta_connecttype_prop) + +# purpose: allow mobile_log_d to create socket +allow mobile_log_d port:tcp_socket { name_connect name_bind }; +allow mobile_log_d mobile_log_d:tcp_socket create_stream_socket_perms; +allow mobile_log_d node:tcp_socket node_bind; + +# purpose: allow mobile_log_d to write dev/wmtWifi. +allow mobile_log_d wmtWifi_device:chr_file rw_file_perms; + +# Date: 2016/11/11 +# purpose: allow MobileLog to access aee socket +allow mobile_log_d crash_dump:unix_stream_socket connectto; + +# Date : WK21.31 +# Purpose: Add permission to access new bootmode file +allow mobile_log_d sysfs_boot_info:file r_file_perms; diff --git a/basic/debug/non_plat/modemdbfilter_service.te b/basic/debug/non_plat/modemdbfilter_service.te new file mode 100644 index 0000000..faa5ceb --- /dev/null +++ b/basic/debug/non_plat/modemdbfilter_service.te @@ -0,0 +1,19 @@ +# ============================================== +# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File + +# ============================================== +# Type Declaration +# ============================================== + +type modemdbfilter_service, domain; +type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type; +typeattribute modemdbfilter_service mlstrustedsubject; + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +init_daemon_domain(modemdbfilter_service) + +#Purpose : for create hidl server +hal_server_domain(modemdbfilter_service, hal_mtk_md_dbfilter) diff --git a/basic/debug/non_plat/mtk_hal_camera.te b/basic/debug/non_plat/mtk_hal_camera.te new file mode 100644 index 0000000..75663ff --- /dev/null +++ b/basic/debug/non_plat/mtk_hal_camera.te 
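Review bot: `allow mobile_log_d port:tcp_socket { name_connect name_bind };` together with `allow mobile_log_d node:tcp_socket node_bind;` lets the log daemon bind and connect on any port carrying the generic `port` label, on every build type. netd.te in this same patch wraps its matching `mobile_log_d:tcp_socket` rules in `userdebug_or_eng(...)`, so the two files disagree about whether network logging exists on user builds. I would put the three tcp_socket rules in mobile_log_d.te inside `userdebug_or_eng(...)` as well, or add a comment stating why a production build needs them. The comment `# boot_mdoe file access` at the top of the hunk should read `boot_mode`.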
@@ -0,0 +1,26 @@
+# callback to /vendor/bin/aee_aedv for aee debugging
+binder_call(mtk_hal_camera, aee_aedv)
+
+# -----------------------------------
+# Android O
+# Purpose: AEE Debugging
+# -----------------------------------
+# Purpose: Allow aee_dumpstate to invoke "lshal debug ", where is "ICameraProvider".
+allow mtk_hal_camera dumpstate:binder { call };
+allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
+allow mtk_hal_camera dumpstate:fd { use };
+allow mtk_hal_camera dumpstate:fifo_file w_file_perms;
+
+# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
+# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
+# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
+# tclass=file permissive=0
+allow mtk_hal_camera aee_exp_vendor_file:dir w_dir_perms;
+allow mtk_hal_camera aee_exp_vendor_file:file create_file_perms;
+
+# Date : WK18.01
+# Operation : label aee_aed sockets
+# Purpose : Engineering mode need access for aee commmand
+userdebug_or_eng(`
+allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
+')
diff --git a/basic/debug/non_plat/mtkrild.te b/basic/debug/non_plat/mtkrild.te
new file mode 100644
index 0000000..d84cb54
--- /dev/null
+++ b/basic/debug/non_plat/mtkrild.te
@@ -0,0 +1,2 @@
+#For Kryptowire mtklog issue
+allow mtkrild aee_aedv:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/netd.te b/basic/debug/non_plat/netd.te
new file mode 100644
index 0000000..0c5c6d6
--- /dev/null
+++ b/basic/debug/non_plat/netd.te
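Review bot: `allow mtkrild aee_aedv:unix_stream_socket connectto;` in mtkrild.te is granted on all builds, while mtk_hal_camera.te in this patch gives the same permission only inside `userdebug_or_eng(...)`. The comment `#For Kryptowire mtklog issue` does not say what mtkrild sends to aee_aedv or why a user build needs the connection. Either guard the rule the same way as the camera HAL rule, or replace the comment with the denial and the purpose, for example `# Purpose: <what mtkrild reports to aee_aedv>; needed on user builds because <reason>`.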
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : MDLogger USB logging
+# Owner : Bo shang
+allow netd mdlogger:fd use;
+allow netd mdlogger:tcp_socket rw_socket_perms_no_ioctl;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : network logging
+# Owner : Bo shang
+allow netd netdiag:fd use;
+allow netd netdiag:udp_socket rw_socket_perms_no_ioctl;
+
+userdebug_or_eng(`
+ allow netd mobile_log_d:fd use;
+ allow netd mobile_log_d:tcp_socket rw_socket_perms_no_ioctl;
+')
diff --git a/basic/debug/non_plat/netdiag.te b/basic/debug/non_plat/netdiag.te
new file mode 100644
index 0000000..a264e9c
--- /dev/null
+++ b/basic/debug/non_plat/netdiag.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : for access storage file
+allow netdiag sdcard_type:dir create_dir_perms;
+allow netdiag sdcard_type:file create_file_perms;
+allow netdiag net_data_file:file r_file_perms;
+allow netdiag net_data_file:dir search;
+allow netdiag storage_file:dir search;
+allow netdiag storage_file:lnk_file r_file_perms;
+allow netdiag mnt_user_file:dir search;
+allow netdiag mnt_user_file:lnk_file r_file_perms;
+allow netdiag platform_app:dir search;
+allow netdiag untrusted_app:dir search;
+allow netdiag mnt_media_rw_file:dir search;
+allow netdiag vfat:dir create_dir_perms;
+allow netdiag vfat:file create_file_perms;
+allow netdiag tmpfs:lnk_file r_file_perms;
+
+# purpose: allow netdiag to access storage in new version
+allow netdiag media_rw_data_file:file create_file_perms;
+allow netdiag media_rw_data_file:dir create_dir_perms;
+
+# purpose: read ip address
+allow netdiag self:netlink_route_socket nlmsg_readpriv;
\ No newline at end of file
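Review bot: In netdiag.te, `allow netdiag platform_app:dir search;` and `allow netdiag untrusted_app:dir search;` sit under `# Purpose : for access storage file`, but a `dir` object labelled with an app domain is that app's /proc entry rather than storage. If the two rules were added only to quiet denials seen while netdiag walks /proc, `dontaudit netdiag untrusted_app:dir search;` (the form aee_core_forwarder.te uses in this patch) silences the log without granting the access. If netdiag really needs per-process information, the rules deserve their own comment naming what it reads. The file also ends without a trailing newline.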
diff --git a/basic/debug/non_plat/platform_app.te b/basic/debug/non_plat/platform_app.te
new file mode 100644
index 0000000..7830d69
--- /dev/null
+++ b/basic/debug/non_plat/platform_app.te
@@ -0,0 +1,100 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2017/07/03 +# Operation : Migration +# Purpose : get/set agps configuration via hal_mtk_lbs +hal_client_domain(platform_app, hal_mtk_lbs) + +# Date : 2014/08/21 +# Operation : Migration +# Purpose : FMRadio enable driver access permission for fmradio hardware device +# Package: com.mediatek.fmradio +allow platform_app fm_device:chr_file rw_file_perms; + +# Date : 2014/09/11 +# Operation : Migration +# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd, +# netdialog,mdlogger,emdlogger,cmddumper +# Package: com.mediatek.mtklogger +allow platform_app mobile_log_d:unix_stream_socket connectto; +allow platform_app mdlogger:unix_stream_socket connectto; +allow platform_app emdlogger:unix_stream_socket connectto; +allow platform_app cmddumper:unix_stream_socket connectto; +allow platform_app connsyslogger:unix_stream_socket connectto; +unix_socket_connect(platform_app, netdiag, netdiag) + +# Date: 2018/11/17 +# purpose: allow MTKLogger to control Bluetooth HCI log via socket +allow platform_app bluetooth:unix_stream_socket connectto; + +# Date : 2014/10/17 +# Operation : Migration +# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device +# Package: com.mediatek.mtklogger +allow platform_app ttySDIO_device:chr_file rw_file_perms; + +# Date : 2014/10/17 +# Operation : Migration +# Purpose :Make MTKLogger or VIASaber apk can Access storage +# Package: com.mediatek.mtklogger +allow platform_app sdcard_type:file create_file_perms; +allow platform_app sdcard_type:dir create_dir_perms; + +# Date : 2014/11/12 +# Operation : Migration +# Purpose : MTKLogger need copy exception db from data folder +# Package: com.mediatek.mtklogger +allow platform_app aee_exp_data_file:file r_file_perms; +allow platform_app aee_exp_data_file:dir r_dir_perms; + +# Date : 2014/11/14 +# Operation : Migration +# 
Purpose : MTKLogger need update md config file in data for mode changed +# Package: com.mediatek.mtklogger +allow platform_app mdlog_data_file:file rw_file_perms; +allow platform_app mdlog_data_file:dir rw_dir_perms; + +# Date : WK17.46 +# Operation : Migration +# Purpose : allow MTKLogger to read KE DB +allow platform_app aee_dumpsys_data_file:file r_file_perms; + +# Date: 2018/03/23 +# Operation : Migration +# Purpose : MTKLogger need connect to log hidl server +# Package: com.mediatek.mtklogger +hal_client_domain(platform_app, hal_mtk_log) + +# Date : 2020/09/15 +# Operation : Migration +# Purpose : DebugLoggerUI need copy proc/ccci_sib to storage +# Package: com.debug.loggerui +allow platform_app proc_ccci_sib:file r_file_perms; + +# Date : 2021/03/05 +# Operation : Migration +# Purpose : DebugLoggerUI need call wifi JNI set wifi level +# Package: com.debug.loggerui +allow platform_app self:udp_socket { create ioctl }; +allowxperm platform_app self:udp_socket ioctl { + SIOCIWFIRSTPRIV_0B + SIOCIWFIRSTPRIV_0F + SIOCSIWMODE SIOCIWFIRSTPRIV_01 + SIOCIWFIRSTPRIV_09 + SIOCDEVPRIVATE_2 +}; + +# Date : WK18.17 +# Operation : P Migration +# Purpose: allow platform_app to read /data/vendor/mtklog/aee_exp +allow platform_app aee_exp_vendor_file:dir r_dir_perms; +allow platform_app aee_exp_vendor_file:file r_file_perms; + +# Date : 2021/06/01 +# Operation : Migration +# Purpose : DebugLoggerUI need copy & delete /data/vendor/vcodec/ folder +# Package: com.debug.loggerui +allow platform_app vcodec_file:dir {rw_dir_perms rmdir}; +allow platform_app vcodec_file:file rw_file_perms; diff --git a/basic/debug/non_plat/property.te b/basic/debug/non_plat/property.te new file mode 100644 index 0000000..1d0fe4f --- /dev/null +++ b/basic/debug/non_plat/property.te 
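Review bot: Every rule in the platform_app.te hunk is justified by a single package (`com.mediatek.mtklogger`, `com.mediatek.fmradio`, `com.debug.loggerui`), but the source type is `platform_app`, so any platform-signed app receives the same access. That covers the logger-daemon `connectto` rules, `bluetooth:unix_stream_socket connectto`, read/write on `ttySDIO_device`, write access to `mdlog_data_file` and the private `udp_socket` ioctls. Consider moving the debug-tool grants to a dedicated domain assigned to those packages through seapp_contexts, or wrapping them in `userdebug_or_eng(...)` if the tools do not ship on user builds. The `Package:` comments would then describe what the policy actually enforces.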
@@ -0,0 +1,11 @@
+vendor_restricted_prop(vendor_mtk_debug_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_aeev_prop)
+vendor_restricted_prop(vendor_mtk_persist_mtk_aeev_prop)
+vendor_restricted_prop(vendor_mtk_ro_aee_prop)
+vendor_restricted_prop(vendor_mtk_aeev_dynamic_switch_prop)
+
+typeattribute vendor_mtk_debug_mtk_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_mtk_aeev_prop mtk_core_property_type;
+typeattribute vendor_mtk_ro_aee_prop mtk_core_property_type;
+typeattribute vendor_mtk_aeev_dynamic_switch_prop mtk_core_property_type;
diff --git a/basic/debug/non_plat/property_contexts b/basic/debug/non_plat/property_contexts
new file mode 100644
index 0000000..1d14cb1
--- /dev/null
+++ b/basic/debug/non_plat/property_contexts
@@ -0,0 +1,9 @@
+persist.vendor.mtk.aeev. u:object_r:vendor_mtk_persist_mtk_aeev_prop:s0
+persist.vendor.aeev. u:object_r:vendor_mtk_persist_aeev_prop:s0
+vendor.debug.mtk.aeev u:object_r:vendor_mtk_debug_mtk_aeev_prop:s0
+
+ro.vendor.aee.build.info u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aee.enforcing u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.have_aee_feature u:object_r:vendor_mtk_ro_aee_prop:s0
+ro.vendor.aeev.dynamic.switch u:object_r:vendor_mtk_aeev_dynamic_switch_prop:s0
+ro.vendor.aee.convert64 u:object_r:vendor_mtk_ro_aee_prop:s0
diff --git a/basic/debug/non_plat/rild.te b/basic/debug/non_plat/rild.te
new file mode 100644
index 0000000..a36b4b9
--- /dev/null
+++ b/basic/debug/non_plat/rild.te
@@ -0,0 +1,3 @@
+# Date : 2019/08/29
+# Purpose: Allow rild to access proc/aed/reboot-reason
+allow rild proc_aed_reboot_reason:file rw_file_perms;
diff --git a/basic/debug/non_plat/shell.te b/basic/debug/non_plat/shell.te
new file mode 100644
index 0000000..7b9fc75
--- /dev/null
+++ b/basic/debug/non_plat/shell.te
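Review bot: `allow rild proc_aed_reboot_reason:file rw_file_perms;` in rild.te grants write as well as read, while the comment only says "access". If rild only reads the reboot reason, `r_file_perms` is sufficient; if it writes the file, the comment should say so, e.g. `# Purpose: allow rild to read and write /proc/aed/reboot-reason`. Whether rild writes the file is not visible from this patch.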
@@ -0,0 +1,3 @@
+# Date : WK16.46
+# Purpose : allow shell to switch aee mode
+allow shell crash_dump:unix_stream_socket connectto;
diff --git a/basic/debug/non_plat/system_app.te b/basic/debug/non_plat/system_app.te
new file mode 100644
index 0000000..ed7f920
--- /dev/null
+++ b/basic/debug/non_plat/system_app.te
@@ -0,0 +1,6 @@
+# Date : 2017/11/07
+# Operation : Migration
+# Purpose : CAT need copy exception db file from data folder
+# Package: CAT tool
+allow system_app aee_exp_data_file:file r_file_perms;
+allow system_app aee_exp_data_file:dir r_dir_perms;
diff --git a/basic/debug/non_plat/system_server.te b/basic/debug/non_plat/system_server.te
new file mode 100644
index 0000000..694bb79
--- /dev/null
+++ b/basic/debug/non_plat/system_server.te
@@ -0,0 +1,12 @@
+allow system_server aee_exp_data_file:file w_file_perms;
+# Date:W17.22
+# Operation : add aee_aed socket rule
+# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
+# for comm=4572726F722064756D703A20737973
+# path=00636F6D2E6D746B2E6165652E6165645F3634
+# scontext=u:r:system_server:s0 tcontext=u:r:crash_dump:s0
+# tclass=unix_stream_socket permissive=0
+allow system_server crash_dump:unix_stream_socket connectto;
+
+# Search /proc/proc_mtmon
+allow system_server proc_mtmon:dir search;
diff --git a/basic/debug/non_plat/vendor_init.te b/basic/debug/non_plat/vendor_init.te
new file mode 100644
index 0000000..fe541d1
--- /dev/null
+++ b/basic/debug/non_plat/vendor_init.te
@@ -0,0 +1,5 @@
+set_prop(vendor_init, system_mtk_persist_mtk_aee_prop)
+set_prop(vendor_init, vendor_mtk_ro_aee_prop)
+set_prop(vendor_init, vendor_mtk_persist_aeev_prop)
+
+allow vendor_init proc_mtmon:file w_file_perms;
diff --git a/basic/debug/non_plat/vendor_shell.te b/basic/debug/non_plat/vendor_shell.te
new file mode 100644
index 0000000..c9a8ce7
--- /dev/null
+++ b/basic/debug/non_plat/vendor_shell.te
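Review bot: `allow shell crash_dump:unix_stream_socket connectto;` in shell.te is unconditional, so an adb shell on a user build can reach the crash_dump socket, although the stated purpose (switching aee mode) is a debugging action. I would place the rule inside `userdebug_or_eng(...)` unless user builds are known to need it, and say so in the comment if they do. In system_server.te, `allow system_server aee_exp_data_file:file w_file_perms;` carries no comment at all. Its `# Search /proc/proc_mtmon` comment should name `/proc/mtmon`, the path the genfs_contexts entry in this patch labels.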
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+# Purpose : allow vendor_shell to run aeev
+allow vendor_shell aee_aedv_exec:file x_file_perms;
diff --git a/basic/debug/plat_private/aee_core_forwarder.te b/basic/debug/plat_private/aee_core_forwarder.te
new file mode 100644
index 0000000..4674252
--- /dev/null
+++ b/basic/debug/plat_private/aee_core_forwarder.te
@@ -0,0 +1,91 @@ +# ============================================== +# Policy File of /system/bin/aee_core_forwarder Executable File + +# ============================================== +# Type Declaration +# ============================================== +type aee_core_forwarder_exec, system_file_type, exec_type, file_type; +typeattribute aee_core_forwarder coredomain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(aee_core_forwarder) + +#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip +allow aee_core_forwarder sdcard_type:dir create_dir_perms; +allow aee_core_forwarder sdcard_type:file create_file_perms; +allow aee_core_forwarder self:capability { fsetid setgid sys_nice sys_admin }; + +#read STDIN_FILENO +allow aee_core_forwarder kernel:fifo_file r_file_perms; + +#read /proc//cmdline +allow aee_core_forwarder domain:dir r_dir_perms; +allow aee_core_forwarder domain:file r_file_perms; + +#get wake_lock to avoid system suspend when coredump is generating +allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms; + +# Date : 2015/07/11 +# Operation : Migration +# Purpose : for mtk debug mechanism +allow aee_core_forwarder self:capability2 block_suspend; + +# Date : 2015/07/21 +# Operation : Migration +# Purpose : for generating core dump on sdcard +allow aee_core_forwarder mnt_user_file:dir search; +allow aee_core_forwarder mnt_user_file:lnk_file r_file_perms; +allow aee_core_forwarder storage_file:dir search; +allow aee_core_forwarder storage_file:lnk_file r_file_perms; + +# Date : 2016/03/05 +# Operation : selinux waring fix +# Purpose : avc: denied { search } for pid=15909 comm="aee_core_forwar" +# name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0 +# tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0 +dontaudit aee_core_forwarder untrusted_app:dir search; + +# Date : 2016/04/18 +# Operation : N0 Migration 
+# Purpose : access for pipefs +allow aee_core_forwarder kernel:fd use; + +# Purpose: search root dir "/" +allow aee_core_forwarder tmpfs:dir search; + +# Purpose : read /selinux_version +allow aee_core_forwarder rootfs:file r_file_perms; + +# Data : 2016/06/13 +# Operation : fix sys_ptrace selinux warning +# Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136 +# comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0 +# tcontext=u:r:aee_core_forwarder:s0 tclass=capability permissive=0 +dontaudit aee_core_forwarder self:capability sys_ptrace; + +# Data : 2016/06/24 +# Operation : fix media_rw_data_file access selinux warning +# Purpose : +# type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF" +# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0 +# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 +# type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF" +# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0 +# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1 +# type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg" +# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0 +# tclass=dir permissive=1 +# type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg" +# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0 +# tclass=file permissive=1 +# type=1400 audit(0.0:6515): avc: denied { write open } for +# path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0" +# ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0 +# tclass=file permissive=1 +allow aee_core_forwarder media_rw_data_file:dir w_dir_perms; +allow aee_core_forwarder media_rw_data_file:file create_file_perms; + +# Purpose : allow aee_core_forwarder to connect aee_aed socket +allow aee_core_forwarder crash_dump:unix_stream_socket connectto; 
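Review bot: `allow aee_core_forwarder self:capability { fsetid setgid sys_nice sys_admin };` sits under the comment about creating /sdcard/mtklog/aee_exp, which explains none of the four capabilities, and `sys_admin` is the broadest of them. Please add the denial or the operation that needs each capability, and drop `sys_admin` if it cannot be tied to a specific call. The same applies to `allow aee_core_forwarder domain:file r_file_perms;`: the comment names only the cmdline file, but the rule lets the daemon read every /proc file labelled with a process domain. The hunk uses `typeattribute aee_core_forwarder coredomain;` without declaring the type, so the declaration is presumably in another policy file not shown here.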
diff --git a/basic/debug/plat_private/connsyslogger.te b/basic/debug/plat_private/connsyslogger.te
new file mode 100644
index 0000000..8070561
--- /dev/null
+++ b/basic/debug/plat_private/connsyslogger.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute connsyslogger coredomain;
+typeattribute connsyslogger mlstrustedsubject;
+type connsyslogger_exec, system_file_type, exec_type, file_type;
+init_daemon_domain(connsyslogger)
+
+set_prop(connsyslogger, system_mtk_connsysfw_prop)
+
+#Date:2019/06/27
+#access data/debuglog
+allow connsyslogger debuglog_data_file:dir {relabelto create_dir_perms};
+allow connsyslogger debuglog_data_file:file create_file_perms;
diff --git a/basic/debug/plat_private/crash_dump.te b/basic/debug/plat_private/crash_dump.te
new file mode 100644
index 0000000..24f57bb
--- /dev/null
+++ b/basic/debug/plat_private/crash_dump.te
@@ -0,0 +1,29 @@
+# Purpose: crash_dump set property
+set_prop(crash_dump, system_mtk_persist_mtk_aee_prop)
+set_prop(crash_dump, system_mtk_persist_aee_prop)
+set_prop(crash_dump, system_mtk_debug_mtk_aee_prop)
+get_prop(crash_dump, system_mtk_aee_basic_prop)
+
+# Date : WK17.09
+# Operation : AEE UT for Android O
+# Purpose : for AEE module to dump files
+domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)
+
+# aee db dir and db files
+allow crash_dump sdcard_type:dir create_dir_perms;
+allow crash_dump sdcard_type:file create_file_perms;
+
+# system(cmd) aee_dumpstate aee_archive
+allow crash_dump shell_exec:file rx_file_perms;
+
+# Purpose: dump bugreport into NE DB
+allow crash_dump dumpstate_socket:sock_file w_file_perms;
+allow crash_dump dumpstate:unix_stream_socket connectto;
+set_prop(crash_dump, ctl_start_prop)
+
+# Purpose: Allow crash_dump to get mobile log prop
+get_prop(crash_dump, system_mtk_mobile_log_prop)
+
+# Purpose: Allow crash_dump to write /data/debuglogger/mobilelog
+allow crash_dump debuglog_data_file:dir create_dir_perms;
+allow crash_dump debuglog_data_file:file create_file_perms;
diff --git a/basic/debug/plat_private/dumpstate.te b/basic/debug/plat_private/dumpstate.te
new file mode 100644
index 0000000..236691c
--- /dev/null
+++ b/basic/debug/plat_private/dumpstate.te
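Review bot: `set_prop(crash_dump, ctl_start_prop)` lets crash_dump start any init service whose control property falls under the generic `ctl_start_prop` label, while the comment above it only mentions dumping a bugreport. Other files in this patch let shell, system_server, mdlogger and mobile_log_d connect to the crash_dump socket, so this domain is reachable from several callers. If only dumpstate has to be started, a service-specific control property type (AOSP defines `ctl_dumpstate_prop`) would limit the grant to that one service; please confirm which service is actually started. `allow crash_dump shell_exec:file rx_file_perms;` for `system(cmd)` deserves the same scrutiny, since it runs a shell inside the crash_dump domain.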
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
+# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
+# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
+# tracing_shell_writable:s0 tclass=file permissive=1
+allow dumpstate debugfs_tracing:file rw_file_perms;
+
+# Purpose: aee_dumpstate set surfaceflinger property
+set_prop(dumpstate, system_mtk_debug_bq_dump_prop)
+
+# Date: W1826
+# Purpose : mobile_log_d exec 'logcat -L' via dumpstate
+allow dumpstate mobile_log_d:fd use;
+allow dumpstate mobile_log_d:fifo_file w_file_perms;
+allow dumpstate mobile_log_d:unix_stream_socket rw_socket_perms_no_ioctl;
diff --git a/basic/debug/plat_private/emdlogger.te b/basic/debug/plat_private/emdlogger.te
new file mode 100644
index 0000000..73203f8
--- /dev/null
+++ b/basic/debug/plat_private/emdlogger.te
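Review bot: The denial quoted above `allow dumpstate debugfs_tracing:file rw_file_perms;` does not match the rule it is meant to justify. The logged target type is `tracing_shell_writable`, the rule targets `debugfs_tracing`, and the only denied permission shown is `{ open }` while the rule grants read and write. Either the comment is stale or the rule is wider than the evidence supports. The comment should quote a denial against `debugfs_tracing` and say whether dumpstate really writes tracing control files; if it only reads them, `r_file_perms` would do.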
@@ -0,0 +1,87 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type emdlogger_exec, system_file_type, exec_type, file_type; +typeattribute emdlogger coredomain; +typeattribute emdlogger mlstrustedsubject; + +init_daemon_domain(emdlogger) +binder_use(emdlogger) +binder_service(emdlogger) + +# for modem logging sdcard access +allow emdlogger sdcard_type:dir create_dir_perms; +allow emdlogger sdcard_type:file create_file_perms; + +# modem logger socket access +allow emdlogger platform_app:unix_stream_socket connectto; +allow emdlogger shell_exec:file rx_file_perms; +allow emdlogger system_file:file x_file_perms; +allow emdlogger zygote_exec:file rx_file_perms; + +#modem logger SD logging in factory mode +allow emdlogger vfat:dir create_dir_perms; +allow emdlogger vfat:file create_file_perms; + +#modem logger permission in storage in android M version +allow emdlogger mnt_user_file:dir search; +allow emdlogger mnt_user_file:lnk_file r_file_perms; +allow emdlogger storage_file:lnk_file r_file_perms; + +#permission for storage link access in vzw Project +allow emdlogger mnt_media_rw_file:dir search; + + +#permission for use SELinux API +#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs" +allow emdlogger rootfs:file r_file_perms; + +#permission for storage access storage +allow emdlogger storage_file:dir create_dir_perms; +allow emdlogger tmpfs:lnk_file r_file_perms; +allow emdlogger storage_file:file create_file_perms; + +# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 +# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 +allow emdlogger system_file:dir r_dir_perms; + +# permission for android N policy +allow emdlogger toolbox_exec:file rx_file_perms; + +# purpose: allow emdlogger to access storage in N version +allow emdlogger media_rw_data_file:file create_file_perms; +allow emdlogger 
media_rw_data_file:dir create_dir_perms; + +## Android P migration +## purpose: denied { read } for name="cmdline" dev="proc" +#denied { search } for name="android" dev="sysfs" +#for name="compatible" dev="sysfs" ino=2985 scontext=u +#:r:emdlogger:s0 tcontext=u:object_r:sysfs_dt_firmware_android:s0 +#avc: denied { open } for path="/system/etc/mddb" +#avc: denied { read } for name="u:object_r:vendor_default_prop:s0" +allow emdlogger proc_cmdline:file r_file_perms; +allow emdlogger sysfs_dt_firmware_android:dir r_dir_perms; +allow emdlogger tmpfs:dir w_dir_perms; +allow emdlogger sysfs_dt_firmware_android:file r_file_perms; +set_prop(emdlogger, system_mtk_persist_mtklog_prop) +set_prop(emdlogger, system_mtk_mdl_prop) +set_prop(emdlogger, system_mtk_mdl_start_prop) +set_prop(emdlogger, system_mtk_debug_mdlogger_prop) +set_prop(emdlogger, system_mtk_persist_mdlog_prop) +set_prop(emdlogger, system_mtk_mdl_pulllog_prop) +set_prop(emdlogger, usb_prop) +set_prop(emdlogger, debug_prop) +set_prop(emdlogger, usb_control_prop) + +## Android Q migration +## purpose: read modem db and filter folder and file +allow emdlogger mddb_filter_data_file:dir r_dir_perms; +allow emdlogger mddb_filter_data_file:file r_file_perms; + +# save log into /data/debuglogger +allow emdlogger debuglog_data_file:dir {relabelto create_dir_perms}; +allow emdlogger debuglog_data_file:file create_file_perms; + +# get persist.sys. proeprty +get_prop(emdlogger, system_prop) diff --git a/basic/debug/plat_private/file_contexts b/basic/debug/plat_private/file_contexts new file mode 100644 index 0000000..28466fc --- /dev/null +++ b/basic/debug/plat_private/file_contexts 
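Review bot: `set_prop(emdlogger, usb_prop)`, `set_prop(emdlogger, debug_prop)` and `set_prop(emdlogger, usb_control_prop)` let the modem logger write USB and generic debug properties, but the "Android P migration" comment above them quotes only read denials. A comment should state which property emdlogger sets and why, or the three lines should be dropped until a denial shows they are needed. Separately, `allow emdlogger zygote_exec:file rx_file_perms;` grants execute, whereas mdlogger.te in this patch gives the same type only `r_file_perms`; unless emdlogger really executes that binary, it should match mdlogger with `allow emdlogger zygote_exec:file r_file_perms;`.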
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+/system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0
+/system/bin/modemdbfilter_client u:object_r:modemdbfilter_client_exec:s0
+/system/bin/netdiag u:object_r:netdiag_exec:s0
+/system/bin/loghidlsysservice u:object_r:loghidlsysservice_exec:s0
+/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
+
+##########################
+# SystemExt files
+#
+/(system_ext|system/system_ext)/bin/mdlogger u:object_r:mdlogger_exec:s0
+/(system_ext|system/system_ext)/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
+
+/(system_ext|system/system_ext)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate u:object_r:dumpstate_exec:s0
+/(system_ext|system/system_ext)/bin/aee_aed64_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_core_forwarder_v2 u:object_r:aee_core_forwarder_exec:s0
+/(system_ext|system/system_ext)/bin/aee_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aeedb_v2 u:object_r:crash_dump_exec:s0
+/(system_ext|system/system_ext)/bin/aee_dumpstate_v2 u:object_r:dumpstate_exec:s0
diff --git a/basic/debug/plat_private/init.te b/basic/debug/plat_private/init.te
new file mode 100644
index 0000000..20fe316
--- /dev/null
+++ b/basic/debug/plat_private/init.te
@@ -0,0 +1 @@
+domain_trans(init, crash_dump_exec, shell)
diff --git a/basic/debug/plat_private/kernel.te b/basic/debug/plat_private/kernel.te
new file mode 100644
index 0000000..cbe42f6
--- /dev/null
+++ b/basic/debug/plat_private/kernel.te
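Review bot: In init.te, `domain_trans(init, crash_dump_exec, shell)` is the only line in the file and has no comment, yet it allows init to put any binary labelled `crash_dump_exec` into the `shell` domain. The file_contexts hunk in this same patch gives that label to six AEE binaries (aeedb, aee_aed, aee_aed64 and the _v2 variants), so they all become eligible to run as `shell` when init starts them with that context. The line needs a rationale naming the init service that depends on it, e.g. `# <service name>: started by init with seclabel u:r:shell:s0 because <reason>`. If the intent is for these binaries to run as crash_dump, this transition looks unnecessary.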
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
+
diff --git a/basic/debug/plat_private/loghidlsysservice.te b/basic/debug/plat_private/loghidlsysservice.te
new file mode 100644
index 0000000..84ee073
--- /dev/null
+++ b/basic/debug/plat_private/loghidlsysservice.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Policy File of /system/bin/loghidlsysservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type loghidlsysservice_exec, system_file_type, exec_type, file_type;
+typeattribute loghidlsysservice coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(loghidlsysservice)
+
+allow loghidlsysservice emdlogger:unix_stream_socket connectto;
+allow loghidlsysservice mobile_log_d:unix_stream_socket connectto;
diff --git a/basic/debug/plat_private/mdlogger.te b/basic/debug/plat_private/mdlogger.te
new file mode 100644
index 0000000..699cc7e
--- /dev/null
+++ b/basic/debug/plat_private/mdlogger.te
@@ -0,0 +1,65 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type mdlogger_exec , system_file_type, exec_type, file_type; +typeattribute mdlogger coredomain; +typeattribute mdlogger mlstrustedsubject; + +init_daemon_domain(mdlogger) + +binder_use(mdlogger) + +binder_service(mdlogger) + +# modem logger socket access +allow mdlogger platform_app:unix_stream_socket connectto; +allow mdlogger shell_exec:file rx_file_perms; +allow mdlogger system_file:file x_file_perms; +allow mdlogger zygote_exec:file r_file_perms; +allow mdlogger node:tcp_socket node_bind; +allow mdlogger port:tcp_socket name_bind; +allow mdlogger self:tcp_socket create_stream_socket_perms; + +#modem logger SD logging in factory mode +allow mdlogger vfat:dir create_dir_perms; +allow mdlogger vfat:file create_file_perms; + +allow mdlogger tmpfs:lnk_file r_file_perms; +allow mdlogger storage_file:lnk_file rw_file_perms; +allow mdlogger mnt_user_file:dir search; +allow mdlogger mnt_user_file:lnk_file rw_file_perms; +allow mdlogger sdcard_type:file create_file_perms; +allow mdlogger sdcard_type:dir create_dir_perms; + +# purpose: allow mdlogger to access storage in new version +allow mdlogger media_rw_data_file:file create_file_perms; +allow mdlogger media_rw_data_file:dir create_dir_perms; + +allow mdlogger storage_file:dir create_dir_perms; +allow mdlogger storage_file:file create_file_perms; + +## purpose: avc: denied { read } for name="plat_file_contexts" +allow mdlogger file_contexts_file:file r_file_perms; + +# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 +# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 +allow mdlogger system_file:dir r_dir_perms; + +# Android P migration +set_prop(mdlogger, system_mtk_mdl_prop) +set_prop(mdlogger, system_mtk_persist_mdlog_prop) +set_prop(mdlogger, system_mtk_persist_mtklog_prop) + +## Android Q migration +## purpose: 
read modem db and filter folder and file +allow mdlogger mddb_filter_data_file:dir r_dir_perms; +allow mdlogger mddb_filter_data_file:file r_file_perms; + +## Save modem log into data +allow mdlogger debuglog_data_file:dir {relabelto create_dir_perms}; +allow mdlogger debuglog_data_file:file create_file_perms; + +#allow mdlogger to set property +set_prop(mdlogger, system_mtk_debug_mdlogger_prop) +set_prop(mdlogger, debug_prop) diff --git a/basic/debug/plat_private/mobile_log_d.te b/basic/debug/plat_private/mobile_log_d.te new file mode 100644 index 0000000..e8d4697 --- /dev/null +++ b/basic/debug/plat_private/mobile_log_d.te 
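Review bot: `allow mdlogger node:tcp_socket node_bind;`, `allow mdlogger port:tcp_socket name_bind;` and `allow mdlogger self:tcp_socket create_stream_socket_perms;` together let the modem logger open a listening TCP socket on any generically labelled port, but they sit under the comment "modem logger socket access", which describes the unix-socket rule above them. Type enforcement cannot restrict the bind to loopback, so the daemon's own configuration is the only thing keeping modem log data off external interfaces. A comment should say what listens, on which port, and that it binds to localhost, e.g. `# TCP listener for <tool>, bound to 127.0.0.1:<port> by mdlogger`. If the listener is a factory or engineering feature, the three rules belong inside a `userdebug_or_eng` block.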
@@ -0,0 +1,105 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type mobile_log_d_exec, system_file_type, exec_type, file_type; +typeattribute mobile_log_d coredomain; +typeattribute mobile_log_d mlstrustedsubject; + +init_daemon_domain(mobile_log_d) + +#syslog module +allow mobile_log_d kernel:system syslog_mod; + +#GMO project +dontaudit mobile_log_d untrusted_app:fd use; +dontaudit mobile_log_d isolated_app:fd use; + +#debug property set +set_prop(mobile_log_d, debug_prop) + +#socket connect and write +unix_socket_connect(mobile_log_d, logdr, logd); + +#capability +allow mobile_log_d self:capability { setuid setgid chown fowner fsetid }; +allow mobile_log_d self:capability2 syslog; + +#aee mode switch +allow mobile_log_d system_file:file x_file_perms; + +#shell command +allow mobile_log_d shell_exec:file rx_file_perms; + +# execute logcat command +allow mobile_log_d logcat_exec:file rx_file_perms; + +# execute 'logcat -L' via dumpstate +domain_auto_trans(mobile_log_d, logcat_exec, dumpstate) + +#general storage access +allow mobile_log_d storage_file:dir create_dir_perms; +allow mobile_log_d storage_file:file create_file_perms; +allow mobile_log_d storage_file:lnk_file create_file_perms; +allow mobile_log_d mnt_user_file:dir create_dir_perms; +allow mobile_log_d mnt_user_file:lnk_file create_file_perms; +allow mobile_log_d sdcard_type:dir create_dir_perms; +allow mobile_log_d sdcard_type:file create_file_perms; + +#factory mode vfat access +allow mobile_log_d vfat:dir create_dir_perms; +allow mobile_log_d vfat:file create_file_perms; + +#chiptest mode storage access +allow mobile_log_d mnt_media_rw_file:dir create_dir_perms; +allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms; + +#system/bin/toybox for using 'sh' command +allow mobile_log_d toolbox_exec:file rx_file_perms; + +#selinux_version access +allow mobile_log_d rootfs:file r_file_perms; + +#dev/__properties__ 
access +get_prop(mobile_log_d, device_logging_prop) +get_prop(mobile_log_d, mmc_prop) +get_prop(mobile_log_d, safemode_prop) + +# purpose: allow MobileLog to access storage in N version +allow mobile_log_d media_rw_data_file:file create_file_perms; +allow mobile_log_d media_rw_data_file:dir create_dir_perms; + +# access debugfs/tracing/instances/ +allow mobile_log_d debugfs_tracing:dir create_dir_perms; +allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; +allow mobile_log_d debugfs_tracing_instances:file create_file_perms; + +#data/debuglog +allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms}; +allow mobile_log_d debuglog_data_file:file create_file_perms; + +#mcupm +allow mobile_log_d mcupm_device:chr_file r_file_perms; +allow mobile_log_d sysfs_mcupm:file w_file_perms; +allow mobile_log_d sysfs_mcupm:dir search; + +#for logpost feature +userdebug_or_eng(` + allow mobile_log_d domain:dir r_dir_perms; + allow mobile_log_d domain:{file lnk_file} r_file_perms; + allow mobile_log_d dnsproxyd_socket:sock_file w_file_perms; + allow mobile_log_d self:udp_socket create_socket_perms_no_ioctl; + allow mobile_log_d netd:unix_stream_socket connectto; + allow mobile_log_d self:tcp_socket getopt; + allow mobile_log_d fwmarkd_socket:sock_file w_file_perms; + set_prop(mobile_log_d, system_mtk_mobile_log_post_prop) +') + +#mobile itself property +set_prop(mobile_log_d, system_mtk_mobile_log_prop) + +#wifi driver log property +get_prop(mobile_log_d, system_mtk_wifisa_log_prop) + +# purpose: allow mobile_log_d to read persist.vendor.mtk.aee +get_prop(mobile_log_d, system_mtk_persist_mtk_aee_prop) diff --git a/basic/debug/plat_private/modemdbfilter_client.te b/basic/debug/plat_private/modemdbfilter_client.te new file mode 100644 index 0000000..64b9e16 --- /dev/null +++ b/basic/debug/plat_private/modemdbfilter_client.te 
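Review bot: `domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)` makes every logcat execution by mobile_log_d run in the `dumpstate` domain, so the child gets dumpstate's full permission set rather than the logger's. The rule just above it, `allow mobile_log_d logcat_exec:file rx_file_perms;`, carries the comment "execute logcat command", which reads as if logcat ran in the caller's domain, so the two lines describe different intents. If only `logcat -L` needs extra access, a dedicated small domain for that invocation would be narrower than borrowing dumpstate. At minimum the comment should say which permission of dumpstate the transition is there to obtain.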
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/bin/modemdbfilter_client Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type modemdbfilter_client_exec, exec_type, system_file_type, file_type;
+typeattribute modemdbfilter_client coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(modemdbfilter_client)
+
+# Purpose : for create hidl client
+hal_client_domain(modemdbfilter_client, hal_mtk_md_dbfilter)
+allow modemdbfilter_client mddb_filter_data_file:dir { create_dir_perms relabelto };
+allow modemdbfilter_client mddb_filter_data_file:file create_file_perms;
diff --git a/basic/debug/plat_private/netdiag.te b/basic/debug/plat_private/netdiag.te
new file mode 100644
index 0000000..9d54ea5
--- /dev/null
+++ b/basic/debug/plat_private/netdiag.te
@@ -0,0 +1,102 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type netdiag_exec, system_file_type, exec_type, file_type; +typeattribute netdiag coredomain; +typeattribute netdiag mlstrustedsubject; + +init_daemon_domain(netdiag) + +# Purpose : for access storage file +allow netdiag sdcard_type:dir create_dir_perms; +allow netdiag sdcard_type:file create_file_perms; +allow netdiag domain:dir search; +allow netdiag domain:file r_file_perms; +allow netdiag net_data_file:file r_file_perms; +allow netdiag net_data_file:dir search; +allow netdiag storage_file:dir search; +allow netdiag storage_file:lnk_file r_file_perms; +allow netdiag mnt_user_file:dir search; +allow netdiag mnt_user_file:lnk_file r_file_perms; +allow netdiag platform_app:dir search; +allow netdiag untrusted_app:dir search; +allow netdiag mnt_media_rw_file:dir search; +allow netdiag vfat:dir create_dir_perms; +allow netdiag vfat:file create_file_perms; +allow netdiag tmpfs:lnk_file r_file_perms; +allow netdiag system_file:file rx_file_perms; + +# Purpose : for shell, set uid and gid +allow netdiag self:capability { net_admin setuid net_raw setgid}; +allow netdiag shell_exec:file rx_file_perms; + +#access /proc/318/net/psched +allow netdiag proc_net:file r_file_perms; + +# Purpose : for ping +allow netdiag dnsproxyd_socket:sock_file w_file_perms; +allow netdiag fwmarkd_socket:sock_file w_file_perms; +allow netdiag netd:unix_stream_socket connectto; +allow netdiag self:udp_socket create_socket_perms; + +# Purpose : for service permission +allow netdiag connectivity_service:service_manager find; +allow netdiag netstats_service:service_manager find; +allow netdiag system_server:binder call; +allow netdiag servicemanager:binder call; +binder_use(netdiag) + +# Purpose : for dumpsys permission +allow netdiag connmetrics_service:service_manager find; +allow netdiag netpolicy_service:service_manager find; +allow netdiag 
network_management_service:service_manager find; +allow netdiag settings_service:service_manager find; + +# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop +get_prop(netdiag, device_logging_prop) +get_prop(netdiag, mmc_prop) +allow netdiag proc_net:dir r_dir_perms; +get_prop(netdiag, safemode_prop) +allow netdiag toolbox_exec:file rx_file_perms; + +# purpose: allow netdiag to access storage in new version +allow netdiag media_rw_data_file:file create_file_perms; +allow netdiag media_rw_data_file:dir create_dir_perms; + +# Purpose : for ip spec output +allow netdiag self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read }; + +# Purpose: for socket error of tcpdump +allow netdiag self:packet_socket create_socket_perms; +allowxperm netdiag self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP}; +allow netdiag proc_net_tcp_udp:file r_file_perms; + +# Purpose: for ip +allow netdiag self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read }; + +# Purpose: for iptables +allow netdiag kernel:system module_request; +allow netdiag self:rawip_socket create_socket_perms_no_ioctl; + +#Purpose : for network log property +set_prop(netdiag, system_mtk_debug_netlog_prop) +set_prop(netdiag, system_mtk_persist_mtklog_prop) +set_prop(netdiag, system_mtk_debug_mtklog_prop) + +## Android P migration +allow netdiag proc_qtaguid_stat:dir r_dir_perms; +allow netdiag proc_qtaguid_stat:file r_file_perms; +allow netdiag netd:binder call; +get_prop(netdiag, apexd_prop) + +# Q save log into /data/debuglogger +allow netdiag debuglog_data_file:dir {relabelto create_dir_perms}; +allow netdiag debuglog_data_file:file create_file_perms; + +# add for dump network_stack +allow netdiag network_stack:binder call; +allow netdiag network_stack_service:service_manager find; + +# add for unlink file_tree.txt +allow netdiag debuglog_data_file:lnk_file { getattr unlink }; 
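Review bot: `allow netdiag domain:dir search;` and `allow netdiag domain:file r_file_perms;` are unconditional, so on user builds netdiag can read the /proc entries of every process, yet they are filed under "for access storage file". mobile_log_d.te in this patch grants the equivalent `domain:dir` / `domain:{file lnk_file}` access only inside `userdebug_or_eng`, and netdiag additionally holds `net_admin`, `net_raw` and a packet socket for tcpdump. The two `domain` rules should be wrapped in the same `userdebug_or_eng` guard, or narrowed to the specific domains whose /proc data netdiag reads. The `platform_app:dir search` and `untrusted_app:dir search` lines below them are already implied by the `domain` rule and could then be kept as the explicit, narrower grant.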
diff --git a/basic/debug/plat_private/network_stack.te b/basic/debug/plat_private/network_stack.te
new file mode 100644
index 0000000..2c7822c
--- /dev/null
+++ b/basic/debug/plat_private/network_stack.te
@@ -0,0 +1,3 @@
+# add for netdiag dump network_stack
+allow network_stack netdiag:fd use;
+allow network_stack netdiag:fifo_file w_file_perms;
\ No newline at end of file
diff --git a/basic/debug/plat_private/platform_app.te b/basic/debug/plat_private/platform_app.te
new file mode 100644
index 0000000..9214d75
--- /dev/null
+++ b/basic/debug/plat_private/platform_app.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow platform_app system_app_service:service_manager find;
+
+# Date : WK17.29
+# Stage: O Migration, SQC
+# Purpose: Allow to use selinux for hal_power
+hal_client_domain(platform_app, hal_power)
+
+# Date: 2018/06/08
+# Operation : Migration
+# Purpose : MTKLogger need get netlog/mdlog/mobilelog property for property change
+# Package: com.mediatek.mtklogger
+get_prop(platform_app, system_mtk_debug_mdlogger_prop)
+get_prop(platform_app, system_mtk_debug_mtklog_prop)
+get_prop(platform_app, system_mtk_vendor_bluetooth_prop)
+get_prop(platform_app, system_mtk_mobile_log_prop)
+
+get_prop(platform_app, system_mtk_connsysfw_prop)
+
+# Date: 2019/07/18
+# Operation : Migration
+# Purpose : DebugLoggerUI access data/debuglogger/ folder
+# Package: com.debug.loggerui
+allow platform_app debuglog_data_file:dir create_dir_perms;
+allow platform_app debuglog_data_file:file create_file_perms;
+
+#For tel log settings
+set_prop(platform_app, log_tag_prop)
+
+#For audio log settings
+set_prop(platform_app, system_mtk_audio_prop)
+
+#For display debug log settings
+set_prop(platform_app, system_mtk_sf_debug_prop)
diff --git a/basic/debug/plat_private/property.te b/basic/debug/plat_private/property.te
new file mode 100644
index 0000000..ba0c12a
--- /dev/null
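Review bot: In platform_app.te the comments justify each grant by a single package (`com.mediatek.mtklogger`, `com.debug.loggerui`), but the rules are written against the whole `platform_app` domain. That means every platform-signed app gets create/write on `debuglog_data_file` and may set `log_tag_prop`, `system_mtk_audio_prop` and `system_mtk_sf_debug_prop`. The debug-log directory collects modem, network and crash logs from the other daemons in this patch, so write access for all platform apps is wider than the stated purpose. Giving the logger UI its own domain via seapp_contexts and moving these rules there would match the comments; failing that, the comments should say the access is intentionally domain-wide.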
+++ b/basic/debug/plat_private/property.te
@@ -0,0 +1,8 @@
+system_internal_prop(system_mtk_debug_mtk_aee_prop)
+system_internal_prop(system_mtk_persist_aee_prop)
+system_internal_prop(system_mtk_aee_basic_prop)
+
+typeattribute system_mtk_debug_mtk_aee_prop extended_core_property_type;
+typeattribute system_mtk_persist_aee_prop extended_core_property_type;
+typeattribute system_mtk_aee_basic_prop extended_core_property_type;
+typeattribute system_mtk_persist_mtk_aee_prop extended_core_property_type;
diff --git a/basic/debug/plat_private/property_contexts b/basic/debug/plat_private/property_contexts
new file mode 100644
index 0000000..464db08
--- /dev/null
+++ b/basic/debug/plat_private/property_contexts
@@ -0,0 +1,5 @@
+persist.vendor.mtk.aee. u:object_r:system_mtk_persist_mtk_aee_prop:s0
+persist.vendor.aee. u:object_r:system_mtk_persist_aee_prop:s0
+vendor.debug.mtk.aee. u:object_r:system_mtk_debug_mtk_aee_prop:s0
+ro.vendor.aee.basic u:object_r:system_mtk_aee_basic_prop:s0
+init.svc.aee_aedv u:object_r:system_mtk_init_svc_aee_aedv_prop:s0
\ No newline at end of file
diff --git a/basic/debug/plat_private/radio.te b/basic/debug/plat_private/radio.te
new file mode 100644
index 0000000..47e2a6b
--- /dev/null
+++ b/basic/debug/plat_private/radio.te
@@ -0,0 +1,5 @@
+#Date : 2021/08/01
+# Operation : Allow radio read write data/debuglogger folder
+# Purpose : Add for ATG app
+allow radio debuglog_data_file:dir create_dir_perms;
+allow radio debuglog_data_file:file create_file_perms;
\ No newline at end of file
diff --git a/basic/debug/plat_private/shell.te b/basic/debug/plat_private/shell.te
new file mode 100644
index 0000000..5ad5b4d
--- /dev/null
+++ b/basic/debug/plat_private/shell.te
@@ -0,0 +1,3 @@
+get_prop(shell, system_mtk_persist_mtk_aee_prop)
+get_prop(shell, system_mtk_persist_aee_prop)
+get_prop(shell, system_mtk_debug_mtk_aee_prop)
diff --git a/basic/debug/plat_private/system_server.te b/basic/debug/plat_private/system_server.te new file mode 100644 index 0000000..a554fe7 --- /dev/null +++ b/basic/debug/plat_private/system_server.te @@ -0,0 +1,9 @@ +# Date : WK18.33 +# Purpose : type=1400 audit(0.0:1592): avc: denied { read } +# for comm=4572726F722064756D703A20646174 name= +# "u:object_r:system_mtk_persist_mtk_aee_prop:s0" dev="tmpfs" +# ino=10312 scontext=u:r:system_server:s0 tcontext= +# u:object_r:system_mtk_persist_mtk_aee_prop:s0 tclass=file permissive=0 +get_prop(system_server, system_mtk_persist_mtk_aee_prop) + +get_prop(system_server, system_mtk_debug_mtk_aee_prop) diff --git a/basic/debug/plat_public/aee_core_forwarder.te b/basic/debug/plat_public/aee_core_forwarder.te new file mode 100644 index 0000000..b8c237e --- /dev/null +++ b/basic/debug/plat_public/aee_core_forwarder.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/aee_core_forwarder Executable File + +# ============================================== +# Type Declaration +# ============================================== +type aee_core_forwarder, domain; diff --git a/basic/debug/plat_public/attributes b/basic/debug/plat_public/attributes new file mode 100644 index 0000000..9abd6f6 --- /dev/null +++ b/basic/debug/plat_public/attributes @@ -0,0 +1,13 @@ +# ============================================== +# MTK Attribute declarations +# ============================================== + +# Date: 2018/03/23 +# log hidl +attribute hal_mtk_log; +attribute hal_mtk_log_client; +attribute hal_mtk_log_server; + +attribute hal_mtk_aee; +attribute hal_mtk_aee_client; +attribute hal_mtk_aee_server; diff --git a/basic/debug/plat_public/connsyslogger.te b/basic/debug/plat_public/connsyslogger.te new file mode 100644 index 0000000..f3062c8 --- /dev/null +++ b/basic/debug/plat_public/connsyslogger.te 
@@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/connsyslogger Executable File + +# ============================================== +# Type Declaration +# ============================================== +type connsyslogger, domain; diff --git a/basic/debug/plat_public/emdlogger.te b/basic/debug/plat_public/emdlogger.te new file mode 100644 index 0000000..f116ac0 --- /dev/null +++ b/basic/debug/plat_public/emdlogger.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/emdlogger[x] Executable File + +# ============================================== +# Type Declaration +# ============================================== +type emdlogger, domain; diff --git a/basic/debug/plat_public/loghidlsysservice.te b/basic/debug/plat_public/loghidlsysservice.te new file mode 100644 index 0000000..9f3b33d --- /dev/null +++ b/basic/debug/plat_public/loghidlsysservice.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/loghidlsysservice Executable File + +# ============================================== +# Type Declaration +# ============================================== +type loghidlsysservice, domain; diff --git a/basic/debug/plat_public/mdlogger.te b/basic/debug/plat_public/mdlogger.te new file mode 100644 index 0000000..4febc5e --- /dev/null +++ b/basic/debug/plat_public/mdlogger.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/mdlogger Executable File + +# ============================================== +# Type Declaration +# ============================================== +type mdlogger, domain; diff --git a/basic/debug/plat_public/mobile_log_d.te b/basic/debug/plat_public/mobile_log_d.te new file mode 100644 index 0000000..8ad1e2a --- /dev/null +++ b/basic/debug/plat_public/mobile_log_d.te 
@@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/mobile_log_d Executable File + +# ============================================== +# Type Declaration +# ============================================== +type mobile_log_d, domain; diff --git a/basic/debug/plat_public/modemdbfilter_client.te b/basic/debug/plat_public/modemdbfilter_client.te new file mode 100644 index 0000000..ec9df6e --- /dev/null +++ b/basic/debug/plat_public/modemdbfilter_client.te @@ -0,0 +1,7 @@ +# ============================================== +# Policy File of /system/bin/modemdbfilter_client Executable File + +# ============================================== +# Type Declaration +# ============================================== +type modemdbfilter_client, domain; diff --git a/basic/debug/plat_public/property.te b/basic/debug/plat_public/property.te new file mode 100644 index 0000000..b89898c --- /dev/null +++ b/basic/debug/plat_public/property.te @@ -0,0 +1,2 @@ +system_public_prop(system_mtk_init_svc_aee_aedv_prop) +system_public_prop(system_mtk_persist_mtk_aee_prop) diff --git a/basic/non_plat/DcxoSetCap.te b/basic/non_plat/DcxoSetCap.te new file mode 100644 index 0000000..b5b5fe4 --- /dev/null +++ b/basic/non_plat/DcxoSetCap.te 
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /vendor/bin/DcxoSetCap Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type DcxoSetCap, domain;
+type DcxoSetCap_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(DcxoSetCap)
+
+#============= DcxoSetCap ==============
+allow DcxoSetCap nvdata_file:dir rw_dir_perms;
+allow DcxoSetCap nvdata_file:file rw_file_perms;
+allow DcxoSetCap proc_cmdline:file r_file_perms;
+allow DcxoSetCap sysfs_dcxo:file rw_file_perms;
+allow DcxoSetCap sysfs_boot_mode:file r_file_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:dir r_dir_perms;
+allow DcxoSetCap sysfs_dt_firmware_android:file r_file_perms;
+
+allow DcxoSetCap metadata_file:dir search;
+allow DcxoSetCap gsi_metadata_file:dir search;
+allow DcxoSetCap mnt_vendor_file:dir search;
\ No newline at end of file
diff --git a/basic/non_plat/adbd.te b/basic/non_plat/adbd.te
new file mode 100644
index 0000000..b7c2287
--- /dev/null
+++ b/basic/non_plat/adbd.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK17.46
+# Operator: Migration
+# Purpose: Allow adbd to read KE DB
+allow adbd aee_dumpsys_data_file:file r_file_perms;
+allow adbd gpu_device:dir search;
diff --git a/basic/non_plat/app.te b/basic/non_plat/app.te
new file mode 100644
index 0000000..9e9a6e1
--- /dev/null
+++ b/basic/non_plat/app.te
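Review bot: In adbd.te, `allow adbd aee_dumpsys_data_file:file r_file_perms;` is not build-type gated, so on user builds any authorised adb session can read the AEE exception databases. The comment calls them "KE DB"; if those hold kernel or process crash dumps, that is a sizeable amount of memory content to expose outside engineering builds. Unless field retrieval on user builds is a requirement, the rule should go inside `userdebug_or_eng`. The second rule, `allow adbd gpu_device:dir search;`, is unrelated to the stated purpose and needs a comment of its own.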
@@ -0,0 +1,56 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow appdomain proc_ged:file rw_file_perms;
+allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow appdomain surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow appdomain gpu_device:dir search;
+
+# Date : W17.41
+# Operation: SQC
+# Purpose : Allow HWUI to access perfmgr
+allow appdomain proc_perfmgr:dir search;
+allow appdomain proc_perfmgr:file r_file_perms;
+allowxperm appdomain proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_SWAP_BUFFER
+ PERFMGR_FPSGO_SBE_RESCUE
+};
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For platform app com.android.gallery3d
+allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
+
+# Date : W19.23
+# Operation : Migration
+# Purpose : For app com.tencent.qqpimsecure
+allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+hwbinder_use({ appdomain -isolated_app })
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
+allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
+binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
+allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+get_prop(appdomain, vendor_mtk_input_report_rate_prop)
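Review bot: `allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;` is justified by the comment as being for one platform app (`com.android.gallery3d`), but the source set is every app domain except isolated_app, which includes untrusted third-party apps. With this rule, type enforcement no longer stops an ordinary app from reading or writing a telephony data file it has been handed or can reach; only DAC permissions and directory search remain. Scoping the rule to the domain named in the comment, `allow platform_app radio_data_file:file rw_file_perms;`, keeps the stated use case working. The hwbinder grants lower in the hunk use the same wide source set and deserve the same check against `mtk_safe_halserverdomain_type` membership.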
diff --git a/basic/non_plat/atci_service.te b/basic/non_plat/atci_service.te
new file mode 100644
index 0000000..7a6bbdf
--- /dev/null
+++ b/basic/non_plat/atci_service.te
@@ -0,0 +1,130 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file rw_file_perms;
+allow atci_service misc2_device:chr_file rw_file_perms;
+allow atci_service camera_isp_device:chr_file rw_file_perms;
+allow atci_service graphics_device:chr_file rw_file_perms;
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file rw_file_perms;
+allow atci_service self:capability { sys_nice ipc_lock sys_boot };
+allow atci_service nvram_device:chr_file rw_file_perms;
+allow atci_service camera_sysram_device:chr_file r_file_perms;
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service camera_pda_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file rw_file_perms;
+allow atci_service ccu_device:chr_file rw_file_perms;
+allow atci_service vpu_device:chr_file rw_file_perms;
+allow atci_service MTK_SMI_device:chr_file rw_file_perms;
+allow atci_service DW9714AF_device:chr_file rw_file_perms;
+allow atci_service devmap_device:chr_file rw_file_perms;
+allow atci_service sdcard_type:dir create_dir_perms;
+allow atci_service sdcard_type:file create_file_perms;
+allow atci_service mediaserver:binder call;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file rw_file_perms;
+allow atci_service input_device:dir r_dir_perms;
+allow atci_service input_device:file rw_file_perms;
+allow atci_service input_device:chr_file rw_file_perms;
+allow atci_service MAINAF_device:chr_file rw_file_perms;
+allow atci_service MAIN2AF_device:chr_file rw_file_perms;
+allow atci_service MAIN3AF_device:chr_file rw_file_perms;
+allow atci_service MAIN4AF_device:chr_file rw_file_perms;
+allow atci_service SUBAF_device:chr_file rw_file_perms;
+allow atci_service SUB2AF_device:chr_file rw_file_perms;
+allow atci_service tmpfs:lnk_file r_file_perms;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file r_file_perms;
+allow atci_service storage_file:lnk_file r_file_perms;
+
+set_prop(atci_service, vendor_mtk_em_prop)
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file rx_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file rw_file_perms;
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file rw_file_perms;
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_mtk_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service camera_eeprom_device:chr_file rw_file_perms;
+allow atci_service seninf_n3d_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file r_file_perms;
+allow atci_service mtk_cmdq_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_device:chr_file r_file_perms;
+allow atci_service mtk_mdp_sync_device:chr_file r_file_perms;
+allow atci_service sw_sync_device:chr_file r_file_perms;
+hal_client_domain(atci_service, hal_power)
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file r_file_perms;
+allow atci_service system_file:dir r_dir_perms;
+allow atci_service camera_pipemgr_device:chr_file r_file_perms;
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file rw_file_perms;
+allow atci_service sysfs_vibrator_setting:file rw_file_perms;
+allow atci_service sysfs_leds_setting:file rw_file_perms;
+allow atci_service vendor_toolbox_exec:file rx_file_perms;
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atci_service, hal_mtk_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator)
+
+allow atci_service gpu_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/atcid.te b/basic/non_plat/atcid.te
new file mode 100644
index 0000000..2cc2bf0
--- /dev/null
+++ b/basic/non_plat/atcid.te
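Review bot: In atci_service.te, `allow atci_service vendor_shell_exec:file rx_file_perms;` and `allow atci_service vendor_toolbox_exec:file rx_file_perms;` let the AT-command service run shell commands inside its own domain, which also holds `sys_boot`, raw `nvram_device:blk_file` writes and most camera device nodes, and none of it is limited to engineering builds. If the CCT and touch tools are factory or tuning features (the comments suggest so, but the policy does not say), placing those rules inside a `userdebug_or_eng` block, as audiocmdservice_atci.te does for its capabilities, would remove them from user builds. At minimum the two exec rules deserve a comment naming the commands that are run.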
@@ -0,0 +1,92 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+set_prop(atcid, vendor_mtk_persist_service_atci_prop)
+allow atcid block_device:dir search;
+allow atcid gsmrild_socket:sock_file w_file_perms;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file rw_file_perms;
+allow atcid wmtWifi_device:chr_file w_file_perms;
+allow atcid misc2_block_device:blk_file rw_file_perms;
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file rw_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_mtk_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get vendor_mtk_tel_switch_prop
+get_prop(atcid, vendor_mtk_tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+vndbinder_use(atcid)
+hal_server_domain(atcid, hal_mtk_atci)
+
+# Date : WK18.21
+# Purpose: For special command for customer
+set_prop(atcid, vendor_mtk_atci_prop)
+set_prop(atcid, powerctl_prop)
+allow atcid mnt_vendor_file:dir search;
+allow atcid nvdata_file:dir rw_dir_perms;
+allow atcid nvdata_file:file create_file_perms;
+allow atcid nvram_device:blk_file rw_file_perms;
+allow atcid proc_meminfo:file r_file_perms;
+allow atcid sysfs_batteryinfo:dir search;
+allow atcid sysfs_devices_block:dir search;
+allow atcid sysfs_devices_block:file r_file_perms;
+
+# Date : WK18.35
+# Purpose: Add socket for TelephonyWare ATCI
+unix_socket_connect(atcid, rild_atci, rild)
+unix_socket_connect(atcid, rilproxy_atci, rild)
+unix_socket_connect(atcid, atci_service, atci_service)
+
+# Date : WK19.42
+# Purpose: Add policy to access ATCI sockets
+unix_socket_connect(atcid, atci-audio, audiocmdservice_atci)
+unix_socket_connect(atcid, meta_atci, meta_tst)
+allow atcid adb_atci_socket:sock_file w_file_perms;
+
+# Date : WK21.13
+# Purpose: Add policy to access CCCI
+allow atcid sysfs_ccci:dir search;
+allow atcid sysfs_ccci:file r_file_perms;
+allow atcid gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK21.22
+unix_socket_connect(atcid, factory_atci, factory);
+set_prop(atcid, vendor_mtk_factory_start_prop)
+
+# Date : WK21.31
+# Purpose: Add policy to support uart
+allow atcid sysfs_boot_info:file r_file_perms;
+allow atcid sysfs_meta_info:file r_file_perms;
+allow atcid ttyS_device:chr_file rw_file_perms;
+
diff --git a/basic/non_plat/audiocmdservice_atci.te b/basic/non_plat/audiocmdservice_atci.te
new file mode 100644
index 0000000..ed9f24c
--- /dev/null
+++ b/basic/non_plat/audiocmdservice_atci.te
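Review bot: In atcid.te, `set_prop(atcid, powerctl_prop)` lets the daemon request a reboot or shutdown, and together with `allow atcid nvram_device:blk_file rw_file_perms;` it is granted on every build type to a process that is also given read/write on `ttyGS_device` and `ttyS_device`. The comment only says "For special command for customer"; it should state which commands need power control and NVRAM writes, and if they are factory-only the rules belong inside a `userdebug_or_eng` block or a separate factory-mode domain. Separately, `unix_socket_connect(atcid, factory_atci, factory);` carries a trailing semicolon that no other macro call in the file has, and its WK21.22 block lacks a Purpose line; `unix_socket_connect(atcid, factory_atci, factory)` would match the rest.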
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /vendor/bin/audiocmdservice_atci Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type audiocmdservice_atci, domain;
+type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(audiocmdservice_atci)
+
+allow audiocmdservice_atci self:unix_stream_socket create_socket_perms;
+
+# Access to storages for audio tuning tool to read/write tuning result
+allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
+allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
+allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(audiocmdservice_atci)
+binder_call(audiocmdservice_atci, mtk_hal_audio)
+
+hal_client_domain(audiocmdservice_atci, hal_audio)
+
+#To access the file at /dev/kmsg
+allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
+
+userdebug_or_eng(`
+ allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin };
+')
diff --git a/basic/non_plat/audioserver.te b/basic/non_plat/audioserver.te
new file mode 100644
index 0000000..8ec55b5
--- /dev/null
+++ b/basic/non_plat/audioserver.te
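Review bot: In audiocmdservice_atci.te, `allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;` gives raw read/write on the boot storage block device, which is far more than the comment above it ("read/write tuning result") describes, and it sits outside the `userdebug_or_eng` block that guards the capabilities. If tuning results are stored as ordinary files, the `mnt_user_file` / `storage_file` rules should be enough and this rule can go; if a partition really is written, a dedicated partition type would be safer than the boot-device type. The `lnk_file rw_file_perms` on `{ mnt_user_file storage_file }` also looks wider than needed, since following a symlink only needs `r_file_perms`.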
@@ -0,0 +1,48 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow audioserver rpc_socket:sock_file write;
+allow audioserver ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow audioserver sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow audioserver proc_mtkcooler:dir search;
+allow audioserver proc_mtktz:dir search;
+allow audioserver proc_thermal:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow audioserver sysfs_ccci:file r_file_perms;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow audioserver tmpfs:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: access sysfs node
+allow audioserver sysfs_ccci:dir search;
+
+# Purpose: Dump debug info
+allow audioserver fuse:file w_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow audioserver proc_ged:file rw_file_perms;
diff --git a/basic/non_plat/biosensord_nvram.te b/basic/non_plat/biosensord_nvram.te
new file mode 100644
index 0000000..2fe6860
--- /dev/null
+++ b/basic/non_plat/biosensord_nvram.te
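Review bot: In audioserver.te, `allow audioserver fuse:file w_file_perms;` is described only as "Dump debug info", carries no date, and is active on user builds, so the production audioserver domain keeps write access to FUSE-backed files purely for debugging. Placing that one rule inside a `userdebug_or_eng` block would keep debug dumps out of production policy. The `sysfs_ccci` file and dir rules are also split across two comment blocks with near-identical purposes (WK16.17 and the second WK16.18) and could be merged under one.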
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/biosensord_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type biosensord_nvram, domain;
+type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(biosensord_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For biosensor daemon can do nvram r/w to save calibration data
+allow biosensord_nvram nvdata_file:dir rw_dir_perms;
+allow biosensord_nvram nvdata_file:file create_file_perms;
+allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
+allow biosensord_nvram biometric_device:chr_file rw_file_perms;
+allow biosensord_nvram self:capability { chown fsetid };
diff --git a/basic/non_plat/bip_ap.te b/basic/non_plat/bip_ap.te
new file mode 100644
index 0000000..00e0331
--- /dev/null
+++ b/basic/non_plat/bip_ap.te
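Review bot: In biosensord_nvram.te, `allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;` grants write on the symlink itself, whereas ccci_fsd.te and ccci_mdinit.te in this same patch only read that link (`read` / `r_file_perms`). Unless the daemon replaces the link, `allow biosensord_nvram nvram_data_file:lnk_file r_file_perms;` is enough. The `chown fsetid` capabilities also have no comment saying which files are re-owned, which makes them hard to audit later.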
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /vendor/bin/bip_ap Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type bip_ap, domain, mtkimsmddomain;
+type bip_ap_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(bip_ap)
+net_domain(bip_ap)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for bip_ap send RTP/RTCP
+allow bip_ap self:udp_socket create_socket_perms;
+allow bip_ap node:udp_socket node_bind;
+allow bip_ap port:udp_socket name_bind;
+allow bip_ap fwmarkd_socket:sock_file write;
+allow bip_ap self:tcp_socket create_stream_socket_perms;
+allow bip_ap port:tcp_socket name_connect;
+allow bip_ap self:netlink_route_socket read;
+
+# Purpose : for raw socket
+allow bip_ap self:rawip_socket { create write bind setopt read getattr};
+allow bip_ap node:rawip_socket node_bind;
+
+allow bip_ap netd:unix_stream_socket connectto;
+allow bip_ap netd_socket:sock_file write;
+
diff --git a/basic/non_plat/bluetooth.te b/basic/non_plat/bluetooth.te
new file mode 100644
index 0000000..4734932
--- /dev/null
+++ b/basic/non_plat/bluetooth.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date:W17.07
+# Operation : bt hal developing
+# Purpose : bt hal interface permission
+binder_call(bluetooth, mtk_hal_bluetooth)
+
+allow bluetooth storage_stub_file:dir getattr;
+
+# Date: 2018/02/02
+# Major permission allow are in /system/sepoplicy/private/bluetooth.te
+# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
+allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
+allow bluetooth bluetooth_logs_data_file:fifo_file create_file_perms;
+
+# Date: 2019/09/19
+allow bluetooth mtk_hal_bluetooth_audio_hwservice:hwservice_manager find;
+
+# Date : 2020/06/11
+# Operation : allow bt native process to access driver debug node and set kernel thread priority
+# Purpose: allow bt native process to access driver debug node and set kernel thread priority
+allow bluetooth proc_btdbg:file rw_file_perms;
+allow bluetooth kernel:process setsched;
+
+get_prop(bluetooth, vendor_mtk_bt_perf_prop)
+
+# Date : 2021/09/07
+# Operation : allow bluetooth to access mediametrics
+# Purpose: This operation will block A2DP Sink playback
+allow bluetooth mediametrics_service:service_manager find;
diff --git a/basic/non_plat/boot_logo_updater.te b/basic/non_plat/boot_logo_updater.te
new file mode 100644
index 0000000..62f6b1d
--- /dev/null
+++ b/basic/non_plat/boot_logo_updater.te
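Review bot: In bluetooth.te, `allow bluetooth kernel:process setsched;` lets the Bluetooth domain change the scheduling of any process labelled `kernel`, while the comment speaks only of "kernel thread priority" without naming the thread. If the goal is to boost one BT driver thread, doing that in the driver or in the vendor Bluetooth HAL would keep this permission out of an app-facing domain. The comment on the last rule ("This operation will block A2DP Sink playback") reads as if the rule causes the block; assuming the opposite is meant, `# Purpose: without this, A2DP Sink playback is blocked` would be clearer. "sepoplicy" in the 2018/02/02 comment is a typo for "sepolicy".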
@@ -0,0 +1,27 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : To access file directories and files like logo.bin
+allow boot_logo_updater logo_block_device:blk_file r_file_perms;
+
+# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
+allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
+
+#To access file at /dev/logo
+allow boot_logo_updater logo_device:chr_file r_file_perms;
+
+# To access file at /proc/lk_env
+allow boot_logo_updater proc_lk_env:file rw_file_perms;
+
+# Date : WK16.25
+# Operation : Global_Device/Uniservice Feature
+# Purpose : for it to read-write SysEnv data
+allow boot_logo_updater para_block_device:blk_file rw_file_perms;
+# Allow ReadDefaultFstab().
+read_fstab(boot_logo_updater)
diff --git a/basic/non_plat/bootanim.te b/basic/non_plat/bootanim.te
new file mode 100644
index 0000000..ea20491
--- /dev/null
+++ b/basic/non_plat/bootanim.te
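Review bot: In boot_logo_updater.te, `allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;` exposes the boot storage device (the comment names /dev/block/mmcblk0 or /dev/block/sdc) to a tool that, per the rule just above, already has `logo_block_device`. Reading the raw device bypasses per-partition labels, so it is worth confirming whether the logo partition type alone is sufficient and dropping this rule if it is. The comment also has "ir" where "or" is meant.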
@@ -0,0 +1,40 @@
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow bootanim qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow bootanim proc_ged:file rw_file_perms;
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : For MTK perfmgr
+allow bootanim proc_perfmgr:dir r_dir_perms;
+allow bootanim proc_perfmgr:file r_file_perms;
+
+# Date : WK19.11
+# Operation : Migration
+# Purpose : Allow to access ged for ioctl related functions
+allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
+allowxperm bootanim proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK19.48
+# Operation : Migration
+# Purpose : Allow to access gpu device search
+allow bootanim gpu_device:dir search;
+
+# Date : WK21.26
+# Operation : Migration
+# Purpose : donotaudit data directory search
+dontaudit bootanim system_data_file:dir search;
diff --git a/basic/non_plat/bp_kmsetkey_ca.te b/basic/non_plat/bp_kmsetkey_ca.te
new file mode 100644
index 0000000..dce5b19
--- /dev/null
+++ b/basic/non_plat/bp_kmsetkey_ca.te
@@ -0,0 +1 @@
+type bp_kmsetkey_ca, domain;
diff --git a/basic/non_plat/bt_dump.te b/basic/non_plat/bt_dump.te
new file mode 100644
index 0000000..4cdb090
--- /dev/null
+++ b/basic/non_plat/bt_dump.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /vendor/bin/bt_dump Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type bt_dump, domain;
+type bt_dump_exec, vendor_file_type, exec_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(bt_dump)
+
+allow bt_dump self:capability net_admin;
+allow bt_dump self:netlink_socket create_socket_perms_no_ioctl;
+allow bt_dump self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow bt_dump conninfra_device:chr_file rw_file_perms;
+allow bt_dump stpwmt_device:chr_file rw_file_perms;
+allow bt_dump tmpfs:lnk_file r_file_perms;
+allow bt_dump mnt_user_file:dir search;
+allow bt_dump mnt_user_file:lnk_file r_file_perms;
+allow bt_dump storage_file:lnk_file r_file_perms;
+allow bt_dump stp_dump_data_file:dir create_dir_perms;
+allow bt_dump stp_dump_data_file:file create_file_perms;
+allow bt_dump connsyslog_data_vendor_file:dir create_dir_perms;
+allow bt_dump connsyslog_data_vendor_file:file create_file_perms;
+get_prop(bt_dump, vendor_mtk_coredump_prop)
diff --git a/basic/non_plat/cameraserver.te b/basic/non_plat/cameraserver.te
new file mode 100644
index 0000000..13b9f55
--- /dev/null
+++ b/basic/non_plat/cameraserver.te
@@ -0,0 +1,63 @@
+# ==============================================================================
+# Policy File of /system/bin/cameraserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# -----------------------------------
+# Android O
+# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
+# call camerahalserver
+binder_call(cameraserver, mtk_hal_camera)
+
+# call the graphics allocator hal
+binder_call(cameraserver, hal_graphics_allocator)
+
+# -----------------------------------
+# Android O
+# Purpose: adb shell dumpsys media.camera --unreachable
+allow cameraserver self:process ptrace;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow cameraserver graphics_device:chr_file rw_file_perms;
+
+# Date : WK16.20
+# Operation : Migration
+# Purpose: research root dir "/"
+allow cameraserver tmpfs:dir search;
+
+# Date : WK16.21
+# Operation : Migration
+# Purpose : EGL file access
+allow cameraserver system_file:dir r_dir_perms;
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir search;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow cameraserver proc_ged:file rw_file_perms;
+allowxperm cameraserver proc_ged:file ioctl proc_ged_ioctls;
+
+# Date : WK17.25
+# Operation : Migration
+allow cameraserver debugfs_ion:dir search;
+
+# Date : WK17.49
+# Operation : MT6771 SQC
+# Purpose: Allow permgr access
+allow cameraserver proc_perfmgr:dir r_dir_perms;
+allow cameraserver proc_perfmgr:file r_file_perms;
+allowxperm cameraserver proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+# Date : WK21.25
+# Operation : Migration
+# Purpose : PDA Driver
+allow cameraserver camera_pda_device:chr_file rw_file_perms;
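Review bot: In cameraserver.te, `allow cameraserver self:process ptrace;` is justified by `adb shell dumpsys media.camera --unreachable`, a debugging aid, yet it is granted on every build type. Moving that rule inside a `userdebug_or_eng` block keeps ptrace out of the production cameraserver domain while leaving the leak check available on engineering builds. The WK17.25 `debugfs_ion` rule has no Purpose line; a one-line reason would match the other blocks, and "permgr" in the WK17.49 comment presumably means perfmgr.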
diff --git a/basic/non_plat/ccci_fsd.te b/basic/non_plat/ccci_fsd.te
new file mode 100644
index 0000000..fd41e81
--- /dev/null
+++ b/basic/non_plat/ccci_fsd.te
@@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /system/bin/ccci_fsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
+type ccci_fsd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(ccci_fsd)
+
+wakelock_use(ccci_fsd)
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_fsd nvram_data_file:dir create_dir_perms;
+allow ccci_fsd nvram_data_file:file create_file_perms;
+allow ccci_fsd nvram_data_file:lnk_file read;
+allow ccci_fsd nvdata_file:lnk_file read;
+allow ccci_fsd nvdata_file:dir create_dir_perms;
+allow ccci_fsd nvdata_file:file create_file_perms;
+allow ccci_fsd nvram_device:chr_file rw_file_perms;
+allow ccci_fsd vendor_configs_file:file r_file_perms;
+allow ccci_fsd vendor_configs_file:dir r_dir_perms;
+
+#============= ccci_fsd device/path/data access==============
+allow ccci_fsd ccci_device:chr_file rw_file_perms;
+allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
+allow ccci_fsd ccci_cfg_file:file create_file_perms;
+#============= ccci_fsd MD Data==============
+allow ccci_fsd protect_f_data_file:dir create_dir_perms;
+allow ccci_fsd protect_f_data_file:file create_file_perms;
+
+allow ccci_fsd protect_s_data_file:dir create_dir_perms;
+allow ccci_fsd protect_s_data_file:file create_file_perms;
+#============= ccci_fsd MD3 related==============
+allow ccci_fsd c2k_file:dir create_dir_perms;
+allow ccci_fsd c2k_file:file create_file_perms;
+allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
+allow ccci_fsd otp_device:chr_file rw_file_perms;
+allow ccci_fsd sysfs_boot_type:file { read open };
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open /dev/block/by-name/nvram
+allow ccci_fsd block_device:dir search;
+allow ccci_fsd nvram_device:blk_file rw_file_perms;
+allow ccci_fsd nvdata_device:blk_file rw_file_perms;
+allow ccci_fsd nvcfg_file:dir create_dir_perms;
+allow ccci_fsd nvcfg_file:file create_file_perms;
+#============= ccci_fsd cryption related ==============
+allow ccci_fsd rawfs:dir create_dir_perms;
+allow ccci_fsd rawfs:file create_file_perms;
+#============= ccci_fsd sysfs related ==============
+allow ccci_fsd sysfs_ccci:dir search;
+allow ccci_fsd sysfs_ccci:file r_file_perms;
+
+#============= ccci_fsd ==============
+allow ccci_fsd mnt_vendor_file:dir search;
+
+# Purpose: for fstab parser
+allow ccci_fsd kmsg_device:chr_file w_file_perms;
+allow ccci_fsd proc_lk_env:file rw_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
+allow ccci_fsd ccci_data_md1_file:file create_file_perms;
+allow ccci_fsd sysfs_devices_block:dir search;
+allow ccci_fsd sysfs_devices_block:file { read getattr open };
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_fsd vendor_etc_md_file:dir search;
+allow ccci_fsd vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_fsd data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_fsd data_vendor_de_md_file:file create_file_perms;
diff --git a/basic/non_plat/ccci_mdinit.te b/basic/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..de9af63
--- /dev/null
+++ b/basic/non_plat/ccci_mdinit.te
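Review bot: In ccci_fsd.te, the header says `/system/bin/ccci_fsd` while `ccci_fsd_exec` is declared `vendor_file_type`, so one of the two is stale; if the binary lives on the vendor partition the header should read `# Policy File of /vendor/bin/ccci_fsd Executable File`. The "Purpose: for fstab parser" comment sits above the `kmsg_device` and `proc_lk_env` rules, neither of which is fstab access as written, so the comment likely needs correcting to say what those two rules are for. The `proc_lk_env:file rw_file_perms` write access in particular has no stated reason.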
@@ -0,0 +1,168 @@
+# ==============================================
+# Policy File of /vendor/bin/ccci_mdinit Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type ccci_mdinit, domain;
+type ccci_mdinit_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(ccci_mdinit)
+wakelock_use(ccci_mdinit)
+
+#=============allow ccci_mdinit to start c2krild==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_viarild_prop)
+
+#=============allow ccci_mdinit to start/stop rild, mdlogger==============
+set_prop(ccci_mdinit, system_mtk_ctl_mdlogger_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger1_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger2_prop)
+set_prop(ccci_mdinit, system_mtk_ctl_emdlogger3_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_gsm0710muxd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-daemon-mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_fusion_ril_mtk_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ril-proxy_prop)
+set_prop(ccci_mdinit, vendor_mtk_ril_active_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_md_prop)
+set_prop(ccci_mdinit, vendor_mtk_net_cdma_mdmstat_prop)
+set_prop(ccci_mdinit, ctl_start_prop)
+get_prop(ccci_mdinit, vendor_mtk_tel_switch_prop)
+
+#=============allow ccci_mdinit to start/stop fsd==============
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_fsd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci3_fsd_prop)
+
+get_prop(ccci_mdinit, system_mtk_init_svc_emdlogger1_prop)
+
+allow ccci_mdinit ccci_device:chr_file rw_file_perms;
+allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
+
+allow ccci_mdinit ccci_ccb_device:chr_file rw_file_perms;
+#=============allow ccci_mdinit to access MD NVRAM==============
+
+allow ccci_mdinit nvram_data_file:file create_file_perms;
+allow ccci_mdinit nvram_data_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:lnk_file r_file_perms;
+allow ccci_mdinit nvdata_file:file create_file_perms;
+allow ccci_mdinit nvram_device:chr_file rw_file_perms;
+read_fstab(ccci_mdinit)
+get_prop(ccci_mdinit, vendor_mtk_rat_config_prop)
+
+#=============allow ccci_mdinit to access ccci config==============
+allow ccci_mdinit protect_f_data_file:file create_file_perms;
+
+#=============allow ccci_mdinit to property==============
+allow ccci_mdinit protect_s_data_file:file create_file_perms;
+allow ccci_mdinit nvram_device:blk_file rw_file_perms;
+allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
+
+set_prop(ccci_mdinit, vendor_mtk_ril_mux_report_case_prop)
+
+allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
+allow ccci_mdinit ccci_cfg_file:file create_file_perms;
+
+#===============security relate ==========================
+allow ccci_mdinit preloader_device:chr_file rw_file_perms;
+allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
+allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
+
+allow ccci_mdinit custom_file:dir r_dir_perms;
+allow ccci_mdinit custom_file:file r_file_perms;
+
+# Purpose : for nand partition access
+allow ccci_mdinit mtd_device:dir search;
+allow ccci_mdinit mtd_device:chr_file rw_file_perms;
+allow ccci_mdinit devmap_device:chr_file r_file_perms;
+
+# Purpose : for device bring up, not to block early migration/sanity
+allow ccci_mdinit proc_lk_env:file rw_file_perms;
+allow ccci_mdinit para_block_device:blk_file rw_file_perms;
+
+#============= ccci_mdinit sysfs related ==============
+allow ccci_mdinit sysfs_ccci:dir search;
+allow ccci_mdinit sysfs_ccci:file rw_file_perms;
+allow ccci_mdinit sysfs_ssw:dir search;
+allow ccci_mdinit sysfs_ssw:file r_file_perms;
+allow ccci_mdinit sysfs_boot_info:file r_file_perms;
+
+# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
+allow ccci_mdinit proc_bootprof:file rw_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow ccci_mdinit mnt_vendor_file:dir search;
+
+# Purpose : Allow ccci_mdinit call sysenv_get and sysenv_set
+allow ccci_mdinit block_device:dir search;
+allow ccci_mdinit proc_cmdline:file r_file_perms;
+allow ccci_mdinit sysfs_dt_firmware_android:dir search;
+
+# ==============================================
+# Policy File of /vendor/bin/ccci_fs Executable File
+
+#============= ccci_fsd MD NVRAM==============
+allow ccci_mdinit nvram_data_file:dir create_dir_perms;
+allow ccci_mdinit nvdata_file:dir create_dir_perms;
+
+#============= ccci_fsd MD Data==============
+allow ccci_mdinit protect_f_data_file:dir create_dir_perms;
+allow ccci_mdinit protect_s_data_file:dir create_dir_perms;
+
+#============= ccci_fsd MD3 related==============
+allow ccci_mdinit c2k_file:dir create_dir_perms;
+allow ccci_mdinit c2k_file:file create_file_perms;
+allow ccci_mdinit otp_part_block_device:blk_file rw_file_perms;
+allow ccci_mdinit otp_device:chr_file rw_file_perms;
+allow ccci_mdinit sysfs_boot_type:file r_file_perms;
+
+#============= ccci_fsd MD block data==============
+#restore>NVM_GetDeviceInfo>open /dev/block/by-name/nvram
+allow ccci_mdinit nvcfg_file:dir create_dir_perms;
+allow ccci_mdinit nvcfg_file:file create_file_perms;
+
+#============= ccci_fsd cryption related ==============
+allow ccci_mdinit rawfs:dir create_dir_perms;
+allow ccci_mdinit rawfs:file create_file_perms;
+
+# Purpose: for fstab parser
+allow ccci_mdinit kmsg_device:chr_file w_file_perms;
+
+#============= ccci_fsd MD Low Power Monitor Related ==============
+allow ccci_mdinit ccci_data_md1_file:dir create_dir_perms;
+allow ccci_mdinit ccci_data_md1_file:file create_file_perms;
+allow ccci_mdinit sysfs_devices_block:dir search;
+allow ccci_mdinit sysfs_devices_block:file r_file_perms;
+
+#============= ccci_fsd access vendor/etc/md file ==============
+allow ccci_mdinit vendor_etc_md_file:dir search;
+allow ccci_mdinit vendor_etc_md_file:file r_file_perms;
+
+#============= ccci_fsd access data/vendor_de/md file ==============
+allow ccci_mdinit data_vendor_de_md_file:dir create_dir_perms;
+allow ccci_mdinit data_vendor_de_md_file:file create_file_perms;
+
+allow ccci_mdinit unlabeled:dir rw_dir_perms;
+allow ccci_mdinit unlabeled:file rw_file_perms;
+
+# Date : 2021-04-12
+# Purpose: allow ccci_mdinit to access ccci_dump
+allow ccci_mdinit proc_ccci_dump:file w_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(ccci_mdinit)
+
+allow ccci_mdinit mcf_ota_block_device:dir search;
+
+# Date : 2021-07-30
+# Purpose : change sepolicy for MCF3.0
+allow ccci_mdinit sysfs_dt_firmware_android:file r_file_perms;
+allow ccci_mdinit proc_version:file r_file_perms;
+allow ccci_mdinit mcf_ota_file:dir { getattr search };
+allow ccci_mdinit mcf_ota_file:file rw_file_perms;
+
diff --git a/basic/non_plat/ccci_rpcd.te b/basic/non_plat/ccci_rpcd.te
new file mode 100644
index 0000000..b64e847
--- /dev/null
+++ b/basic/non_plat/ccci_rpcd.te
@@ -0,0 +1 @@
+type ccci_rpcd, domain;
diff --git a/basic/non_plat/chipinfo.te b/basic/non_plat/chipinfo.te
new file mode 100644
index 0000000..c62fd84
--- /dev/null
+++ b/basic/non_plat/chipinfo.te
@@ -0,0 +1,11 @@
+type chipinfo, domain;
+type chipinfo_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(chipinfo)
+
+allow chipinfo vendor_toolbox_exec:file rx_file_perms;
+allow chipinfo sysfs_device_tree_model:file r_file_perms;
+allow chipinfo sysfs_soc:file r_file_perms;
+allow chipinfo sysfs_soc:dir search;
+
+set_prop(chipinfo, vendor_mtk_soc_prop)
diff --git a/basic/non_plat/cmddumper.te b/basic/non_plat/cmddumper.te
new file mode 100644
index 0000000..aeb5e54
--- /dev/null
+++ b/basic/non_plat/cmddumper.te
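Review bot: In ccci_mdinit.te, `allow ccci_mdinit unlabeled:dir rw_dir_perms;` and `allow ccci_mdinit unlabeled:file rw_file_perms;` carry no date or purpose and give the modem init daemon write access to anything that lacks a label, which hides a missing file_contexts entry instead of fixing it. The files it actually touches should be given a type and these two rules removed. `set_prop(ccci_mdinit, ctl_start_prop)` is similarly broad next to the specific `vendor_mtk_ctl_*` properties listed around it and deserves a comment naming the service it starts. `read_fstab(ccci_mdinit)` appears twice in the hunk, and the second half is still headed "Policy File of /vendor/bin/ccci_fs" with `ccci_fsd` section titles although every rule there is for ccci_mdinit.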
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#cmddumper access external modem ttySDIO2
+allow cmddumper ttySDIO_device:chr_file rw_file_perms;
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# cmddumper access on /data/mdlog
+allow cmddumper mdlog_data_file:fifo_file create_file_perms;
+allow cmddumper mdlog_data_file:file create_file_perms;
+allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file create_file_perms;
+allow cmddumper media_rw_data_file:dir create_dir_perms;
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file r_file_perms;
+
+# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
+allow cmddumper sysfs_boot_mode:file r_file_perms;
+
+# Android P migration
+allow cmddumper tmpfs:lnk_file r_file_perms;
+allow cmddumper vmodem_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/conninfra_loader.te b/basic/non_plat/conninfra_loader.te
new file mode 100644
index 0000000..f530406
--- /dev/null
+++ b/basic/non_plat/conninfra_loader.te
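Review bot: The `sdcard_type` and `media_rw_data_file` rules in cmddumper.te give the modem-log dumper create and write access to shared user storage on top of its own `mdlog_data_file` area, so logs written there are readable by any process that has storage access. If the dumper only needs /data/mdlog, those four rules can be dropped. The comment `# purpose: allow cmddumper to access storage in N version` reads as carried over from an older release and should state whether the access is still required. `relabelto` on `mdlog_data_file:dir` has no purpose line at all. The `cmddumper` type itself is declared outside this hunk.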
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /vendor/bin/conninfra_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type conninfra_loader, domain;
+type conninfra_loader_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(conninfra_loader)
+
+# Set the property
+set_prop(conninfra_loader, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for conninfra_loader with /dev/conninfra_dev
+allow conninfra_loader conninfra_device:chr_file rw_file_perms;
+
diff --git a/basic/non_plat/crash_dump.te b/basic/non_plat/crash_dump.te
new file mode 100644
index 0000000..5301f87
--- /dev/null
+++ b/basic/non_plat/crash_dump.te
@@ -0,0 +1,58 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : AEE UT
+# Purpose : for AEE module
+allow crash_dump expdb_device:chr_file rw_file_perms;
+allow crash_dump expdb_block_device:blk_file rw_file_perms;
+allow crash_dump etb_device:chr_file rw_file_perms;
+
+# open/dev/mtd/mtd12 failed(expdb)
+allow crash_dump mtd_device:dir create_dir_perms;
+allow crash_dump mtd_device:chr_file rw_file_perms;
+
+# NE flow: /dev/RT_Monitor
+allow crash_dump RT_Monitor_device:chr_file r_file_perms;
+
+#data/dumpsys
+allow crash_dump aee_dumpsys_data_file:dir create_dir_perms;
+allow crash_dump aee_dumpsys_data_file:file create_file_perms;
+
+#/data/core
+allow crash_dump aee_core_data_file:dir create_dir_perms;
+allow crash_dump aee_core_data_file:file create_file_perms;
+
+# /data/data_tmpfs_log
+allow crash_dump data_tmpfs_log_file:dir create_dir_perms;
+allow crash_dump data_tmpfs_log_file:file create_file_perms;
+
+# /proc/lk_env
+allow crash_dump proc_lk_env:file rw_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/cpu/alignment
+allow crash_dump proc_cpu_alignment:file w_file_perms;
+
+# Purpose: Allow crash_dump to access /sys/devices/virtual/timed_output/vibrator/enable
+allow crash_dump sysfs_vibrator_setting:dir search;
+allow crash_dump sysfs_vibrator_setting:file w_file_perms;
+allow crash_dump sysfs_vibrator:dir search;
+allow crash_dump sysfs_leds:dir search;
+
+# Purpose: Allow crash_dump to read /proc/kpageflags
+allow crash_dump proc_kpageflags:file r_file_perms;
+
+# Purpose: create /data/aee_exp at runtime
+allow crash_dump file_contexts_file:file r_file_perms;
+
+allow crash_dump proc_ppm:dir r_dir_perms;
+allow crash_dump proc_ppm:file rw_file_perms;
+allow crash_dump selinuxfs:file r_file_perms;
+
+allow crash_dump proc_meminfo:file r_file_perms;
+allow crash_dump procfs_blockio:file r_file_perms;
+
+# Purpose: Allow crash_dump to
create/write /sys/kernel/tracing/slog
+allow crash_dump debugfs_tracing_instances:dir create_dir_perms;
+allow crash_dump debugfs_tracing_instances:file create_file_perms;
diff --git a/basic/non_plat/dconfig.te b/basic/non_plat/dconfig.te
new file mode 100644
index 0000000..387b7a4
--- /dev/null
+++ b/basic/non_plat/dconfig.te
@@ -0,0 +1 @@
+type mtk_dconfig, domain;
diff --git a/basic/non_plat/device.te b/basic/non_plat/device.te
new file mode 100644
index 0000000..88447c2
--- /dev/null
+++ b/basic/non_plat/device.te
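Review bot: In crash_dump.te the rule under `# Purpose: Allow crash_dump to read /proc/cpu/alignment` grants `w_file_perms`, so the comment and the permission disagree. Either the comment should say write, or the rule should be `allow crash_dump proc_cpu_alignment:file r_file_perms;`. The same hunk gives crash_dump `rw_file_perms` on `proc_lk_env` and `expdb_block_device`, and `create_dir_perms` on `mtd_device:dir`, with only a path or an old error string as justification. crash_dump is started against arbitrary crashing processes, so each write grant should carry a purpose line saying what is written and when.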
@@ -0,0 +1,380 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== +# Device types +type devmap_device, dev_type; +type ttyMT_device, dev_type; +type ttyS_device, dev_type; +type ttySDIO_device, dev_type; +type vmodem_device, dev_type; +type stpwmt_device, dev_type; +type conninfra_device, dev_type; +type conn_pwr_device, dev_type; +type conn_scp_device, dev_type; +type wmtdetect_device, dev_type; +type wmtWifi_device, dev_type; +type stpbt_device, dev_type; +type fw_log_bt_device, dev_type; +type stpant_device, dev_type; +type fm_device, dev_type, mlstrustedobject; +type gps_emi_device, dev_type; +type stpgps_device, dev_type; +type gps2scp_device, dev_type; +type gps_pwr_device, dev_type; +type gpsdl_device, dev_type; +type connfem_device, dev_type; +type fw_log_gps_device, dev_type; +type fw_log_wmt_device, dev_type; +type fw_log_wifi_device, dev_type; +type fw_log_ics_device, dev_type; +type fw_log_wifimcu_device, dev_type; +type fw_log_btmcu_device, dev_type; +type pmem_multimedia_device, dev_type; +type mt6516_isp_device, dev_type; +type mt6516_IDP_device, dev_type; +type mt9p012_device, dev_type; +type mt6516_jpeg_device, dev_type; +type FM50AF_device, dev_type; +type DW9714AF_device, dev_type; +type DW9814AF_device, dev_type; +type AK7345AF_device, dev_type; +type DW9714A_device, dev_type; +type LC898122AF_device, dev_type; +type LC898212AF_device, dev_type; +type BU6429AF_device, dev_type; +type AD5820AF_device, dev_type; +type DW9718AF_device, dev_type; +type BU64745GWZAF_device, dev_type; +type MAINAF_device, dev_type; +type MAIN2AF_device, dev_type; +type MAIN3AF_device, dev_type; +type MAIN4AF_device, dev_type; +type SUBAF_device, dev_type; +type SUB2AF_device, dev_type; +type M4U_device_device, dev_type; +type Vcodec_device, dev_type; +type MJC_device, dev_type; +type smartpa_device, dev_type; +type smartpa1_device, dev_type; +type tahiti_device, dev_type; +type uio0_device, 
dev_type; +type xt_qtaguid_device, dev_type; +type rfkill_device, dev_type; +type sw_sync_device, dev_type, mlstrustedobject; +type sec_device, dev_type; +type hid_keyboard_device, dev_type; +type btn_device, dev_type; +type uinput_device, dev_type; +type TV_out_device, dev_type; +type gz_device, dev_type; +type camera_sysram_device, dev_type; +type camera_mem_device, dev_type; +type camera_isp_device, dev_type; +type camera_dip_device, dev_type; +type camera_dpe_device, dev_type; +type camera_tsf_device, dev_type; +type camera_fdvt_device, dev_type; +type camera_rsc_device, dev_type; +type camera_gepf_device, dev_type; +type camera_wpe_device, dev_type; +type camera_owe_device, dev_type; +type camera_mfb_device, dev_type; +type camera_pda_device, dev_type; +type camera_pipemgr_device, dev_type; +type mtk_hcp_device, dev_type; +type mtk_ccd_device, dev_type; +type mtk_v4l2_media_device, dev_type; +type ccu_device, dev_type; +type gpueb_device, dev_type; +type vcp_device, dev_type; +type mvpu_algo_device, dev_type; +type vpu_device, dev_type, mlstrustedobject; +type mdla_device, dev_type, mlstrustedobject; +type apusys_device, dev_type; +type mtk_jpeg_device, dev_type; +type kd_camera_hw_device, dev_type; +type seninf_device, dev_type; +type kd_camera_flashlight_device, dev_type; +type flashlight_device, dev_type; +type kd_camera_hw_bus2_device, dev_type; +type MATV_device, dev_type; +type mt_otg_test_device, dev_type; +type mt_mdp_device, dev_type; +type mtkg2d_device, dev_type; +type misc_sd_device, dev_type; +type mtk_sched_device, dev_type; +type ampc0_device, dev_type; +type mmp_device, dev_type; +type ttyGS_device, dev_type; +type CAM_CAL_DRV_device, dev_type; +type CAM_CAL_DRV1_device, dev_type; +type CAM_CAL_DRV2_device, dev_type; +type camera_eeprom_device, dev_type; +type seninf_n3d_device, dev_type; +type MTK_SMI_device, dev_type; +type mtk_cmdq_device, dev_type; +type mtk_mdp_device, dev_type; +type mtk_mdp_sync_device, dev_type; +type 
mtk_fmt_sync_device, dev_type; +type mtk_fmt_device, dev_type; +type mtk_rrc_device, dev_type; +type ebc_device, dev_type; +type vow_device, dev_type; +type MT6516_H264_DEC_device, dev_type; +type MT6516_Int_SRAM_device, dev_type; +type MT6516_MM_QUEUE_device, dev_type; +type MT6516_MP4_DEC_device, dev_type; +type MT6516_MP4_ENC_device, dev_type; +type sensor_device, dev_type; +type ccci_device, dev_type; +type ccci_monitor_device, dev_type; +type gsm0710muxd_device, dev_type; +type eemcs_device, dev_type; +type emd_device, dev_type; +type st21nfc_device, dev_type; +type st54spi_device, dev_type; +type mmcblk_device, dev_type; +type BOOT_device, dev_type; +type MT_pmic_device, dev_type; +type aal_als_device, dev_type; +type accdet_device, dev_type; +type android_device, dev_type; +type bmtpool_device, dev_type; +type bootimg_device, dev_type; +type btif_device, dev_type; +type cache_device, dev_type; +type cpu_dma_latency_device, dev_type; +type dummy_cam_cal_device, dev_type; +type ebr_device, dev_type; +type expdb_device, dev_type; +type fat_device, dev_type; +type logo_device, dev_type; +type loop-control_device, dev_type; +type mbr_device, dev_type; +type met_device, dev_type; +type misc_device, dev_type; +type misc2_device, dev_type; +type mtfreqhopping_device, dev_type; +type mtgpio_device, dev_type; +type mtk_kpd_device, dev_type; +type network_device, dev_type; +type nvram_device, dev_type; +type pmt_device, dev_type; +type preloader_device, dev_type; +type pro_info_device, dev_type; +type protect_f_device, dev_type; +type protect_s_device, dev_type; +type psaux_device, dev_type; +type ptyp_device, dev_type; +type recovery_device, dev_type; +type sec_ro_device, dev_type; +type seccfg_device, dev_type; +type tee_part_device, dev_type; +type snapshot_device, dev_type; +type tgt_device, dev_type; +type touch_device, dev_type; +type tpd_em_log_device, dev_type; +type ttyp_device, dev_type; +type uboot_device, dev_type; +type uibc_device, dev_type; +type 
usrdata_device, dev_type; +type zram0_device, dev_type; +type hwzram0_device, dev_type; +type RT_Monitor_device, dev_type; +type kick_powerkey_device, dev_type; +type agps_device, dev_type; +type mnld_device, dev_type; +type geo_device, dev_type; +type mdlog_device, dev_type; +type md32_device, dev_type; +type scp_device, dev_type; +type adsp_device, dev_type; +type audio_scp_device, dev_type; +type sspm_device, dev_type; +type etb_device, dev_type; +type MT_pmic_adc_cali_device, dev_type; +type mtk-adc-cali_device, dev_type; +type MT_pmic_cali_device,dev_type; +type otp_device, dev_type; +type otp_part_block_device, dev_type; +type qemu_pipe_device, dev_type; +type icusb_device, dev_type; +type nlop_device, dev_type; +type irtx_device, dev_type; +type pmic_ftm_device, dev_type; +type charger_ftm_device, dev_type; +type shf_device, dev_type; +type keyblock_device, dev_type; +type offloadservice_device, dev_type; +type ttyACM_device, dev_type; +type hrm_device, dev_type; +type lens_device, dev_type; +type nvdata_device, dev_type; +type mcf_ota_block_device,dev_type; +type nvcfg_device, dev_type; +type expdb_block_device, dev_type; +type misc2_block_device, dev_type; +type logo_block_device, dev_type; +type para_block_device, dev_type; +type tee_block_device, dev_type; +type seccfg_block_device, dev_type; +type secro_block_device, dev_type; +type preloader_block_device, dev_type; +type lk_block_device, dev_type; +type protect1_block_device, dev_type; +type protect2_block_device, dev_type; +type keystore_block_device, dev_type; +type oemkeystore_block_device, dev_type; +type sec1_block_device, dev_type; +type md1img_block_device, dev_type; +type md1dsp_block_device, dev_type; +type md1arm7_block_device, dev_type; +type md3img_block_device, dev_type; +type mmcblk1_block_device, dev_type; +type mmcblk1p1_block_device, dev_type; +type bootdevice_block_device, dev_type; +type odm_block_device, dev_type; +type oem_block_device, dev_type; +type vendor_block_device, 
dev_type; +type dtbo_block_device, dev_type; +type loader_ext_block_device, dev_type; +type spm_device, dev_type; +type persist_block_device, dev_type; +type md_block_device, dev_type; +type spmfw_block_device, dev_type; +type mcupmfw_block_device, dev_type; +type scp_block_device, dev_type; +type sspm_block_device, dev_type; +type dsp_block_device, dev_type; +type ppl_block_device, dev_type; +type nvcfg_block_device, dev_type; +type ancservice_device, dev_type; +type mbim_device, dev_type; +type audio_ipi_device, dev_type; +type cam_vpu_block_device,dev_type; +type boot_para_block_device,dev_type; +type mtk_dfrc_device, dev_type; +type vbmeta_block_device, dev_type; +type alarm_device, dev_type; +type mdp_device, dev_type; +type mrdump_device, dev_type; +type kb_block_device,dev_type; +type dkb_block_device,dev_type; +type mtk_radio_device, dev_type; +type dpm_block_device, dev_type; +type audio_dsp_block_device, dev_type; +type gz_block_device, dev_type; +type pi_img_device, dev_type; +type vpud_device, dev_type; +type vcu_device, dev_type; +type mml_pq_device, dev_type; + +########################## +# Sensor common Devices Start +# +type hwmsensor_device, dev_type; +type msensor_device, dev_type; +type gsensor_device, dev_type; +type als_ps_device, dev_type; +type gyroscope_device, dev_type; +type barometer_device,dev_type; +type humidity_device,dev_type; +type biometric_device,dev_type; +type sensorlist_device,dev_type; +type hf_manager_device,dev_type; + +########################## +# Sensor Devices Start +# +type m_batch_misc_device, dev_type; + +########################## +# Sensor bio Devices Start +# +type m_als_misc_device, dev_type; +type m_ps_misc_device, dev_type; +type m_baro_misc_device, dev_type; +type m_hmdy_misc_device, dev_type; +type m_acc_misc_device, dev_type; +type m_mag_misc_device, dev_type; +type m_gyro_misc_device, dev_type; +type m_act_misc_device, dev_type; +type m_pedo_misc_device, dev_type; +type m_situ_misc_device, dev_type; +type 
m_step_c_misc_device, dev_type; +type m_fusion_misc_device, dev_type; +type m_bio_misc_device, dev_type; + +# Date : 2016/07/11 +# Operation : Migration +# Purpose : Add permission for gpu access +type dri_device, dev_type, mlstrustedobject; + +# Date : 2021/07/09 +# Operation : S Migration +# Purpose : Add permission for ABOTA +type postinstall_block_device, dev_type; + +# Date : 2021/08/27 +# Operation : S Migration +# Purpose : Add permission for wifi proxy +type ccci_wifi_proxy_device, dev_type; + +# Date : 2016/06/01 +# Operation: TEEI integration +# Purpose: access for fp device and client device of TEEI +type teei_fp_device, dev_type; +type teei_client_device, dev_type, mlstrustedobject; +type teei_config_device, dev_type; +type utr_tui_device, dev_type; +type teei_vfs_device, dev_type; +type teei_rpmb_device, dev_type; +type ut_keymaster_device, dev_type; + +# Date : 2019/07/19 +# Operation : Add newwork optimization feature +# Purpose : Add permission for nwk +type nwkopt_device, dev_type; +type tx_device, dev_type; + +# Date : 2019/11/07 +# Operation : Add thp feature +# Purpose : Add permission for thp +type gdix_mt_wrapper_device, dev_type, fs_type; +type gdix_thp_device, dev_type, fs_type; + +type mddp_device, dev_type; + +type tkcore_admin_device, dev_type, mlstrustedobject; +type tkcore_block_device, dev_type; + +# mobicore device type +type mobicore_admin_device, dev_type; +type mobicore_user_device, dev_type, mlstrustedobject; +type mobicore_tui_device, dev_type; + +# teeperf device type +type teeperf_device, dev_type, mlstrustedobject; + +type rpmb_block_device, dev_type; +type rpmb_device, dev_type; + +type fingerprint_device, dev_type; + +# widevine device type +type widevine_drv_device, dev_type; + +# Date:2021/08/05 +# Purpose: permission for audioserver to use ccci node +type ccci_aud_device, dev_type; + +# Date:2021/07/27 +# Purpose: permission for CCB user +type ccci_ccb_device, dev_type; +# Purpose: permission for md_monitor +type 
ccci_mdmonitor_device, dev_type;
+
+# Date: 2021/09/26
+# Operator: S migration
+# Purpose: Add permission for vilte
+type ccci_vts_device, dev_type;
diff --git a/basic/non_plat/dmc_core.te b/basic/non_plat/dmc_core.te
new file mode 100644
index 0000000..7522042
--- /dev/null
+++ b/basic/non_plat/dmc_core.te
@@ -0,0 +1 @@
+type dmc_core, domain;
diff --git a/basic/non_plat/domain.te b/basic/non_plat/domain.te
new file mode 100644
index 0000000..277ca64
--- /dev/null
+++ b/basic/non_plat/domain.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Grant read access to mtk core property type which represents all
+# mtk properties except those with ctl_xxx prefix.
+# Align Google change: f01453ad453b29dd723838984ea03978167491e5
+get_prop(domain, mtk_core_property_type)
+
+# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
+# as it is a public interface for all processes to read some OTP data.
+allow {
+ domain
+ -isolated_app
+} sysfs_devinfo:file r_file_perms;
+
+# Date : W18.45
+# Operation : MTK gpu enable drvb
+# Purpose : drvb need dgb2 permission
+allow {
+ domain
+ -isolated_app
+} sysfs_gpu:file r_file_perms;
diff --git a/basic/non_plat/drmserver.te b/basic/non_plat/drmserver.te
new file mode 100644
index 0000000..e7c76b3
--- /dev/null
+++ b/basic/non_plat/drmserver.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow drmserver proc_ged:file rw_file_perms;
+
+# get prop to judge use 64-bit or not
+get_prop(drmserver, vendor_mtk_prefer64_prop)
\ No newline at end of file
diff --git a/basic/non_plat/dumpstate.te b/basic/non_plat/dumpstate.te
new file mode 100644
index 0000000..1fff2b0
--- /dev/null
+++ b/basic/non_plat/dumpstate.te
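Review bot: Nine device types in device.te carry `mlstrustedobject` (`fm_device`, `sw_sync_device`, `vpu_device`, `mdla_device`, `dri_device`, `teei_client_device`, `tkcore_admin_device`, `mobicore_user_device`, `teeperf_device`), which exempts them from the MLS constraints, and only `dri_device` has a purpose comment. Each of the others should get a line saying which app-level client needs cross-level access, or lose the attribute. `gdix_mt_wrapper_device` and `gdix_thp_device` are declared with both `dev_type` and `fs_type`; confirm `fs_type` is intended for a device node. The comment `# Operation : Add newwork optimization feature` has a typo ("network").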
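Review bot: `allow { domain -isolated_app } sysfs_devinfo:file r_file_perms;` in domain.te lets every app domain, untrusted and instant apps included, read what the comment calls OTP data. If dev_info holds per-device values, that is a stable identifier readable without any permission check. Consider granting it only to the daemons that need it, or at least excluding app domains with `allow { domain -appdomain } sysfs_devinfo:file r_file_perms;` plus explicit rules for any app that must read it. The `sysfs_gpu` rule below has the same shape, and its purpose line (`drvb need dgb2 permission`) does not explain why all domains need it.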
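Review bot: `allow drmserver proc_ged:file rw_file_perms;` includes `ioctl`, and this hunk adds no `allowxperm` filter for it, whereas eara_io.te and ephemeral_app.te in the same commit pair their proc grants with an ioctl allowlist. If gralloc_extra needs only a few commands, add an `allowxperm drmserver proc_ged:file ioctl { ... };` rule that lists them, so a process that parses media does not reach the whole command set of the node. The file also ends without a trailing newline.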
@@ -0,0 +1,122 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose: data/dumpsys/*
+allow dumpstate aee_dumpsys_data_file:dir w_dir_perms;
+allow dumpstate aee_dumpsys_data_file:file create_file_perms;
+
+# Purpose: debugfs files
+allow dumpstate procfs_blockio:file r_file_perms;
+
+# Purpose: /sys/kernel/ccci/md_chn
+allow dumpstate sysfs_ccci:dir search;
+allow dumpstate sysfs_ccci:file r_file_perms;
+
+# Purpose: leds status
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+
+# Purpose: /sys/module/lowmemorykiller/parameters/adj
+allow dumpstate sysfs_lowmemorykiller:file r_file_perms;
+allow dumpstate sysfs_lowmemorykiller:dir search;
+
+# Purpose: /dev/block/mmcblk0p10
+allow dumpstate expdb_block_device:blk_file rw_file_perms;
+
+#/data/anr/SF_RTT
+allow dumpstate sf_rtt_file:dir { search getattr };
+
+allow dumpstate sysfs_leds:dir r_dir_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Purpose: Allow dumpstate to read /proc/ufs_debug
+allow dumpstate proc_ufs_debug:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /proc/msdc_debug
+allow dumpstate proc_msdc_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to r/w /proc/pidmap
+allow dumpstate proc_pidmap:file rw_file_perms;
+
+# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
+allow dumpstate sysfs_vcore_debug:file r_file_perms;
+
+# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
+allow dumpstate sf_rtt_file:file r_file_perms;
+
+#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
+allow dumpstate proc_slabtrace:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
+allow dumpstate proc_cmdq_debug:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
+allow dumpstate proc_dbg_repo:file r_file_perms;
+
+#Purpose: Allow dumpstate to read
/proc/isp_p2/isp_p2_dump
+allow dumpstate proc_isp_p2_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
+allow dumpstate proc_isp_p2_kedump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mali/memory_usage
+allow dumpstate proc_memory_usage:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
+allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
+allow dumpstate sysfs_execstate:file r_file_perms;
+
+allow dumpstate proc_isp_p2:dir r_dir_perms;
+allow dumpstate proc_isp_p2:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow dumpstate surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W19.26
+# Operation : Migration
+# Purpose : fix google dumpstate avc error in xTS
+allow dumpstate debugfs_mmc:dir search;
+allow dumpstate mnt_media_rw_file:dir getattr;
+
+# Date: 19/07/15
+# Purpose: fix google dumpstate avc error in xTs
+allow dumpstate sysfs_devices_block:file r_file_perms;
+allow dumpstate proc_last_kmsg:file r_file_perms;
+
+#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
+allow dumpstate sysfs_adsp:file r_file_perms;
+
+# MTEE Trusty
+allow dumpstate mtee_trusty_file:file rw_file_perms;
+
+# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
+# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
+# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
+allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file getattr;
+
+#Purpose: Allow dumpstate to read /sys/bus/platform/drivers/cache_parity/cache_status
+allow dumpstate sysfs_cache_status:file r_file_perms;
+
+hal_client_domain(dumpstate, hal_light)
+
+#Purpose: Allow dumpstate to read /sys/kernel/tracing/instances/mmstat/trace
+allow
dumpstate debugfs_tracing_instances:dir r_dir_perms;
+allow dumpstate debugfs_tracing_instances:file r_file_perms;
+
+allow dumpstate proc_ion:dir r_dir_perms;
+allow dumpstate proc_ion:file r_file_perms;
+allow dumpstate proc_m4u_dbg:dir r_dir_perms;
+allow dumpstate proc_m4u_dbg:file r_file_perms;
+allow dumpstate proc_mtkfb:file r_file_perms;
+
+allow dumpstate proc_ccci_dump:file r_file_perms;
diff --git a/basic/non_plat/e2fs.te b/basic/non_plat/e2fs.te
new file mode 100644
index 0000000..a69759f
--- /dev/null
+++ b/basic/non_plat/e2fs.te
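Review bot: Several dumpstate.te rules grant write where the purpose line says read or gives no reason to write: `proc_ufs_debug` is commented as read but gets `rw_file_perms`, and `expdb_block_device:blk_file` and `mtee_trusty_file:file` get `rw_file_perms` with only a path or a label as comment. dumpstate collects state for bug reports, so these should be read-only, e.g. `allow dumpstate proc_ufs_debug:file r_file_perms;`, unless a write is needed to trigger the dump, in which case the comment should say so. The opposite mismatch is on `proc_slabtrace` (comment says read/write, rule is read-only). `# Purpose: debugfs files` sits above a `procfs_blockio` rule and should name the proc path instead.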
@@ -0,0 +1,34 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
+allow e2fs protect1_block_device:blk_file rw_file_perms;
+allow e2fs protect2_block_device:blk_file rw_file_perms;
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs nvdata_device:blk_file rw_file_perms;
+allow e2fs nvcfg_block_device:blk_file rw_file_perms;
+
+allow e2fs devpts:chr_file rw_file_perms;
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow mke2fs to format userdata and cache partition
+allow e2fs cache_block_device:blk_file rw_file_perms;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.23
+# Operation: Q migration
+# Purpose : Allow format /metadata for UDC
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+# Date : WK19.34
+# Operation: Q migration
+# Purpose : Allow mke2fs to use ioctl/ioctlcmd
+allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
+allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
diff --git a/basic/non_plat/eara_io.te b/basic/non_plat/eara_io.te
new file mode 100644
index 0000000..68d1422
--- /dev/null
+++ b/basic/non_plat/eara_io.te
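Review bot: The five `allowxperm` lines at the end of e2fs.te repeat the same ioctl set and differ only in the target, so they can be one rule: `allowxperm e2fs { protect1_block_device protect2_block_device nvdata_device nvcfg_block_device persist_block_device }:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };`. The `allow` rules for `cache_block_device`, `userdata_block_device` and `metadata_block_device` have no matching `allowxperm` in this hunk. If the platform policy does not already filter those targets, every ioctl is permitted on them. `nvdata_device` is used as a `blk_file` target while its siblings are named `*_block_device`, which deserves a comment.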
@@ -0,0 +1,31 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type eara_io, domain;
+type eara_io_exec, vendor_file_type, exec_type, file_type;
+# ==============================================================================
+# Common SEPolicy Rules
+# ==============================================================================
+init_daemon_domain(eara_io)
+
+allow eara_io eara_io_data_file:dir rw_dir_perms;
+allow eara_io eara_io_data_file:fifo_file create_file_perms;
+allow eara_io eara_io_data_file:file create_file_perms;
+allow eara_io proc_earaio:file r_file_perms;
+allow eara_io proc_earaio:dir r_dir_perms;
+allow eara_io proc_perfmgr:file r_file_perms;
+allow eara_io proc_perfmgr:dir r_dir_perms;
+allow eara_io proc_version:file r_file_perms;
+allow eara_io self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow eara_io self:perf_event { open kernel };
+allow eara_io sysfs_boot_mode:file r_file_perms;
+hal_client_domain(eara_io, hal_power)
+allowxperm eara_io proc_earaio:file ioctl {
+ PERFMGR_EARA_GETINDEX
+ PERFMGR_EARA_COLLECT
+};
+allowxperm eara_io proc_perfmgr:file ioctl {
+ PERFMGR_EARA_GETINDEX
+ PERFMGR_EARA_COLLECT
+};
+set_prop(eara_io, vendor_mtk_eara_io_prop)
diff --git a/basic/non_plat/em_hidl.te b/basic/non_plat/em_hidl.te
new file mode 100644
index 0000000..ced4962
--- /dev/null
+++ b/basic/non_plat/em_hidl.te
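Review bot: None of the rules in eara_io.te has a purpose comment, and `allow eara_io self:perf_event { open kernel };` is the one that most needs it, since `kernel` permits kernel-level profiling from this daemon. Add a line above it stating what eara_io samples and why kernel scope is required, and do the same for the `netlink_kobject_uevent_socket` rule. The two `allowxperm` blocks are identical apart from the target and can be written once as `allowxperm eara_io { proc_earaio proc_perfmgr }:file ioctl { PERFMGR_EARA_GETINDEX PERFMGR_EARA_COLLECT };`.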
@@ -0,0 +1,138 @@ +# ============================================== +# Policy File of /vendor/bin/em_hidl Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== +type em_hidl, domain; +type em_hidl_exec, exec_type, file_type, vendor_file_type; + +# Date : 2018/06/28 +init_daemon_domain(em_hidl) + +# Date : 2018/06/28 +# Purpose: EM_HILD +hal_server_domain(em_hidl, hal_mtk_em) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set ims operator +set_prop(em_hidl, vendor_mtk_operator_id_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_simswitch_emmode_prop +set_prop(em_hidl, vendor_mtk_simswitch_emmode_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_dsbp_support_prop +set_prop(em_hidl, vendor_mtk_dsbp_support_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_imstestmode_prop +set_prop(em_hidl, vendor_mtk_imstestmode_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_smsformat_prop +set_prop(em_hidl, vendor_mtk_smsformat_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_gprs_prefer_prop +set_prop(em_hidl, vendor_mtk_gprs_prefer_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_testsim_cardtype_prop +set_prop(em_hidl, vendor_mtk_testsim_cardtype_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should set vendor_mtk_ct_ir_engmode_prop +set_prop(em_hidl, vendor_mtk_ct_ir_engmode_prop) + +# Date : 2018/06/28 +# Operation : EM DEBUG +# Purpose: EM should vendor_mtk_disable_c2k_cap_prop +set_prop(em_hidl, vendor_mtk_disable_c2k_cap_prop) + +# Date : 2018/06/29 +# Operation : EM DEBUG +# Purpose: EM should vendor_mtk_debug_md_reset_prop +set_prop(em_hidl, vendor_mtk_debug_md_reset_prop) + +# Date : 2018/06/29 +# 
Operation : EM DEBUG +# Purpose: EM should video log vendor_mtk_omx_log_prop +set_prop(em_hidl, vendor_mtk_omx_log_prop) + +# Date : 2018/06/29 +# Operation : EM DEBUG +# Purpose: EM should video log vendor_mtk_vdec_log_prop +set_prop(em_hidl, vendor_mtk_vdec_log_prop) + +# Date : 2018/06/29 +# Operation : EM DEBUG +# Purpose: EM should video log vendor_mtk_vdectlc_log_prop +set_prop(em_hidl, vendor_mtk_vdectlc_log_prop) + +# Date : 2018/06/29 +# Operation : EM DEBUG +# Purpose: EM should video log vendor_mtk_venc_h264_showlog_prop +set_prop(em_hidl, vendor_mtk_venc_h264_showlog_prop) + +# Date : 2018/06/29 +# Operation : EM DEBUG +# Purpose: EM should video log vendor_mtk_modem_warning_prop +set_prop(em_hidl, vendor_mtk_modem_warning_prop) + +# Date : 2018/07/06 +# Operation : EM DEBUG +# Purpose: EM allow usb vendor_mtk_em_usb_prop +set_prop(em_hidl, vendor_mtk_em_usb_prop) + +# Date : 2018/07/06 +# Operation : EM DEBUG +# Purpose: for setting usb otg enable property +set_prop(em_hidl, vendor_mtk_usb_otg_switch_prop) + +# Data : 2018/07/06 +# Purpose : EM MCF read nvdata dir and file +allow em_hidl nvcfg_file:dir ra_dir_perms; +allow em_hidl nvcfg_file:file r_file_perms; + +# Data : 2018/07/06 +# Purpose : EM MCF search vendor dir +allow em_hidl mnt_vendor_file:dir search; + +# Data : 2018/08/10 +# Purpose : EM BT usage +allow em_hidl stpbt_device:chr_file rw_file_perms; +allow em_hidl sysfs_boot_mode:file r_file_perms; +allow em_hidl ttyGS_device:chr_file rw_file_perms; +set_prop(em_hidl, vendor_mtk_usb_prop) +allow em_hidl nvdata_file:file r_file_perms; +allow em_hidl nvdata_file:dir search; + +# Date : 2018/08/28 +# Operation : EM DEBUG +# Purpose: for em set hidl configure +set_prop(em_hidl, vendor_mtk_em_hidl_prop) + +# Date : 2019/08/22 +# Operation : EM AAL +# Purpose: for em set aal property +set_prop(em_hidl, vendor_mtk_pq_prop) + +# Date : 2019/09/10 +# Operation : EM wcn coredump +# Purpose: for em set wcn coredump property +set_prop(em_hidl, 
vendor_mtk_coredump_prop)
+
+# Date : 2021/04/15
+# Operation : mdota read
+# Purpose: read mdota files
+allow em_hidl mcf_ota_file:dir r_dir_perms;
diff --git a/basic/non_plat/em_svr.te b/basic/non_plat/em_svr.te
new file mode 100644
index 0000000..5a2a4dc
--- /dev/null
+++ b/basic/non_plat/em_svr.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr md_block_device:blk_file r_file_perms;
+
+# Date: WK1812
+# Purpose: add for SIB capture
+allow em_svr para_block_device:blk_file rw_file_perms;
+allow em_svr proc_lk_env:file rw_file_perms;
diff --git a/basic/non_plat/emcamera_app.te b/basic/non_plat/emcamera_app.te
new file mode 100644
index 0000000..feb8b9f
--- /dev/null
+++ b/basic/non_plat/emcamera_app.te
@@ -0,0 +1 @@
+type emcamera_app, domain;
diff --git a/basic/non_plat/ephemeral_app.te b/basic/non_plat/ephemeral_app.te
new file mode 100644
index 0000000..b84b387
--- /dev/null
+++ b/basic/non_plat/ephemeral_app.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow ephemeral app to access mtk jpeg
+allow ephemeral_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm ephemeral_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
diff --git a/basic/non_plat/factory.te b/basic/non_plat/factory.te
new file mode 100644
index 0000000..9f28f91
--- /dev/null
+++ b/basic/non_plat/factory.te
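Review bot: In em_hidl.te, `allow em_hidl nvcfg_file:dir ra_dir_perms;` sits under `# Purpose : EM MCF read nvdata dir and file`, but `ra_dir_perms` adds `add_name` and `write` on the directory, and the label is `nvcfg_file`, not nvdata. For read-only use it should be `allow em_hidl nvcfg_file:dir r_dir_perms;`, with the comment naming nvcfg. The last rule has the reverse gap: its purpose is "read mdota files", yet only `mcf_ota_file:dir r_dir_perms` is granted and there is no `:file` rule. This service also gets `set_prop` on modem-reset, USB and SIM-switch properties; which clients may call `hal_mtk_em` is not visible in this hunk, and that is what bounds the exposure.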
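Review bot: `allow em_svr para_block_device:blk_file rw_file_perms;` and `allow em_svr proc_lk_env:file rw_file_perms;` let the engineering-mode server write the para partition and what appears to be the LK bootloader environment, and the only justification is `add for SIB capture`. If this is a debug feature, wrap both rules in `userdebug_or_eng(` … `)` so user builds do not carry them. Otherwise the comment should say what is written and why. The `em_svr` type is declared outside this hunk.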
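Review bot: ephemeral_app.te gives instant apps direct `rw_file_perms` on the vendor `proc_mtk_jpeg` node, and the purpose line does not say why an instant app needs the driver rather than a media service. The three-entry `allowxperm` list is the right control, but every listed handler (`JPG_BRIDGE_DEC_IO_LOCK`, `JPG_BRIDGE_DEC_IO_WAIT`, `JPG_BRIDGE_DEC_IO_UNLOCK`) becomes reachable from that domain. Extend the comment to name the caller path that requires this and record that the list must not grow without review.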
@@ -0,0 +1,521 @@
+# ==============================================
+# Policy File of /vendor/bin/factory Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type factory, domain;
+type factory_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(factory)
+
+allow factory MTK_SMI_device:chr_file r_file_perms;
+allow factory ashmem_device:chr_file x_file_perms;
+allow factory ebc_device:chr_file rw_file_perms;
+allow factory stpbt_device:chr_file rw_file_perms;
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : CCCI
+allow factory eemcs_device:chr_file rw_file_perms;
+allow factory ccci_device:chr_file rw_file_perms;
+allow factory gsm0710muxd_device:chr_file rw_file_perms;
+
+# Purpose: file system requirement
+allow factory devpts:chr_file rw_file_perms;
+allow factory vfat:dir { w_dir_perms mounton };
+allow factory vfat:filesystem { mount unmount };
+allow factory labeledfs:filesystem unmount;
+allow factory rootfs:dir mounton;
+
+# Purpose : SDIO
+allow factory ttySDIO_device:chr_file rw_file_perms;
+
+# Purpose: USB
+allow factory ttyMT_device:chr_file rw_file_perms;
+allow factory ttyS_device:chr_file rw_file_perms;
+allow factory ttyGS_device:chr_file rw_file_perms;
+
+# Purpose: OTG
+allow factory usb_device:chr_file rw_file_perms;
+allow factory usb_device:dir r_dir_perms;
+allow factory sysfs_usb_nonplat:file r_file_perms;
+allow factory sysfs_usb_nonplat:dir r_dir_perms;
+
+# Date: WK15.01
+# Purpose : OTG Mount
+allow factory sdcard_type:dir { mounton create_dir_perms };
+
+# Date: WK15.07
+# Purpose : use c2k flight mode;
+allow factory vmodem_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow factory mtd_device:dir search;
+allow factory mtd_device:chr_file rw_file_perms;
+allow factory self:capability {
+ chown
+ fsetid
+ ipc_lock
+ net_admin
+ net_raw
+ sys_time
+ sys_admin
+ sys_boot
+ sys_module
+ sys_nice
+ sys_resource
+ };
+allow factory pro_info_device:chr_file rw_file_perms;
+
+# Data: WK15.28
+# Purpose: for mt-ramdump reset
+allow factory proc_mrdump_rst:file w_file_perms;
+
+# Date: WK15.31
+# Purpose: define factory_data_file instead of system_data_file
+# because system_data_file is sensitive partition from M
+wakelock_use(factory);
+allow factory storage_file:dir { create_dir_perms mounton };
+
+# Date: WK15.44
+# Purpose: factory idle current status
+set_prop(factory, vendor_mtk_factory_idle_state_prop)
+
+# Date: WK15.46
+# Purpose: gps factory mode
+allow factory agpsd_data_file:dir search;
+allow factory gps_data_file:dir { w_dir_perms unlink};
+allow factory gps_data_file:file create_file_perms;
+allow factory gps_data_file:lnk_file r_file_perms;
+allow factory storage_file:lnk_file r_file_perms;
+allow factory mnld:unix_dgram_socket sendto;
+
+# Date: WK15.48
+# Purpose: capture for factory mode
+allow factory devmap_device:chr_file r_file_perms;
+allow factory sdcard_type:file create_file_perms;
+allow factory mnt_user_file:dir search;
+allow factory mnt_user_file:lnk_file r_file_perms;
+
+# Date: WK16.05
+# Purpose: For access NVRAM
+allow factory nvram_data_file:dir create_dir_perms;
+allow factory nvram_data_file:file create_file_perms;
+allow factory nvram_data_file:lnk_file r_file_perms;
+allow factory nvdata_file:lnk_file r_file_perms;
+allow factory nvram_device:chr_file rw_file_perms;
+allow factory nvram_device:blk_file rw_file_perms;
+allow factory nvdata_device:blk_file rw_file_perms;
+
+# Date: WK16.12
+# Purpose: For sensor test
+allow factory hf_manager_device:chr_file rw_file_perms;
+allow factory als_ps_device:chr_file r_file_perms;
+allow factory barometer_device:chr_file r_file_perms;
+allow factory gsensor_device:chr_file r_file_perms;
+allow factory gyroscope_device:chr_file r_file_perms;
+allow factory msensor_device:chr_file r_file_perms;
+allow factory biometric_device:chr_file r_file_perms;
+
+# Purpose: For camera Test
+allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
+allow factory kd_camera_hw_device:chr_file rw_file_perms;
+allow factory seninf_device:chr_file rw_file_perms;
+allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow factory camera_eeprom_device:chr_file rw_file_perms;
+allow factory ion_device:chr_file rw_file_perms;
+
+# Purpose: For reboot the target
+set_prop(factory, powerctl_prop)
+
+# Purpose: For memory card test
+allow factory misc_sd_device:chr_file r_file_perms;
+allow factory mmcblk1_block_device:blk_file rw_file_perms;
+allow factory bootdevice_block_device:blk_file rw_file_perms;
+allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
+allow factory block_device:dir search;
+allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
+allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
+
+# Purpose: For EMMC test
+allow factory nvdata_file:dir create_dir_perms;
+allow factory nvdata_file:file create_file_perms;
+
+# Purpose: For HRM test
+allow factory hrm_device:chr_file r_file_perms;
+
+# Purpose: For IrTx LED test
+allow factory irtx_device:chr_file rw_file_perms;
+
+# Purpose: For battery test, ext_buck test and ext_vbat_boost test
+allow factory pmic_ftm_device:chr_file rw_file_perms;
+allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
+allow factory MT_pmic_cali_device:chr_file r_file_perms;
+allow factory charger_ftm_device:chr_file r_file_perms;
+
+# Purpose: For HDMI test
+allow factory graphics_device:dir w_dir_perms;
+allow factory graphics_device:chr_file rw_file_perms;
+
+# Purpose: For WIFI test
+allow factory wmtWifi_device:chr_file rw_file_perms;
+
+# Purpose: For rtc test
+allow factory rtc_device:chr_file rw_file_perms;
+
+# Purpose: For gps test
+allow factory mnld_device:chr_file rw_file_perms;
+allow factory stpgps_device:chr_file rw_file_perms;
+allow factory mnld_exec:file rx_file_perms;
+
+# Purpose: For keypad test
+allow factory mtk_kpd_device:chr_file r_file_perms;
+
+# Purpose: For Humidity test
+allow factory humidity_device:chr_file r_file_perms;
+
+# Purpose: For camera test
+allow factory camera_isp_device:chr_file rw_file_perms;
+allow factory camera_dip_device:chr_file rw_file_perms;
+allow factory camera_pipemgr_device:chr_file r_file_perms;
+allow factory camera_sysram_device:chr_file r_file_perms;
+allow factory ccu_device:chr_file rw_file_perms;
+allow factory vpu_device:chr_file rw_file_perms;
+allow factory mdla_device:chr_file rw_file_perms;
+allow factory apusys_device:chr_file rw_file_perms;
+allow factory sysfs_apusys_queue:dir r_dir_perms;
+allow factory sysfs_apusys_queue:file r_file_perms;
+allow factory MAINAF_device:chr_file rw_file_perms;
+allow factory MAIN2AF_device:chr_file rw_file_perms;
+allow factory MAIN3AF_device:chr_file rw_file_perms;
+allow factory MAIN4AF_device:chr_file rw_file_perms;
+allow factory SUBAF_device:chr_file rw_file_perms;
+allow factory SUB2AF_device:chr_file rw_file_perms;
+allow factory FM50AF_device:chr_file rw_file_perms;
+allow factory AD5820AF_device:chr_file rw_file_perms;
+allow factory DW9714AF_device:chr_file rw_file_perms;
+allow factory DW9714A_device:chr_file rw_file_perms;
+allow factory LC898122AF_device:chr_file rw_file_perms;
+allow factory LC898212AF_device:chr_file rw_file_perms;
+allow factory BU6429AF_device:chr_file rw_file_perms;
+allow factory DW9718AF_device:chr_file rw_file_perms;
+allow factory BU64745GWZAF_device:chr_file rw_file_perms;
+allow factory cct_data_file:dir create_dir_perms;
+allow factory cct_data_file:file create_file_perms;
+allow factory camera_tsf_device:chr_file rw_file_perms;
+allow factory camera_rsc_device:chr_file rw_file_perms;
+allow factory camera_gepf_device:chr_file rw_file_perms;
+allow factory camera_fdvt_device:chr_file rw_file_perms;
+allow factory camera_wpe_device:chr_file rw_file_perms;
+allow factory camera_owe_device:chr_file rw_file_perms;
+allow factory camera_mfb_device:chr_file rw_file_perms;
+allow factory camera_pda_device:chr_file rw_file_perms;
+hal_client_domain(factory, hal_power)
+get_prop(factory, vendor_mtk_mediatek_prop)
+
+# Date: 2021/12/10
+# Operation : allow camera test to read dla network file
+allow factory vendor_etc_nn_file:dir r_dir_perms;
+allow factory vendor_etc_nn_file:file r_file_perms;
+allowxperm factory vendor_etc_nn_file:file ioctl VT_SENDSIG;
+
+# Date: 2020/07/20
+# Operation : For M4U security
+allow factory proc_m4u:file r_file_perms;
+allowxperm factory proc_m4u:file ioctl {
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT
+};
+
+# Purpose: For FM test and headset test
+allow factory accdet_device:chr_file r_file_perms;
+allow factory fm_device:chr_file rw_file_perms;
+
+# Purpose: For audio test
+allow factory audio_device:chr_file rw_file_perms;
+allow factory audio_device:dir w_dir_perms;
+set_prop(factory, vendor_mtk_audiohal_prop)
+allow factory audio_ipi_device:chr_file rw_file_perms;
+allow factory audio_scp_device:chr_file r_file_perms;
+
+# Purpose: For key and touch event
+allow factory input_device:chr_file r_file_perms;
+allow factory input_device:dir rw_dir_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+# Allow read to sys/kernel/ccci/* files
+allow factory sysfs_ccci:dir search;
+allow factory sysfs_ccci:file r_file_perms;
+
+# Date: WK16.18
+# Purpose: N Migration For boot_mode
+# Allow to read boot mode
+# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
+# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
+# tclass=file permissive=0
+allow factory sysfs_boot_mode:file r_file_perms;
+allow factory sysfs_boot_type:file r_file_perms;
+
+# Date: WK16.31
+# Purpose: For gps test
+set_prop(factory, vendor_mtk_mnld_prop)
+
+# Date: WK16.33
+# Purpose: for unmount sdcardfs and stop services which are using data partition
+allow factory sdcard_type:filesystem unmount;
+set_prop(factory, ctl_default_prop)
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow factory flashlight_device:chr_file rw_file_perms;
+
+# Date: WK15.25
+# Purpose: for unmount sdcardfs and stop services which are using data partition
+set_prop(factory, system_mtk_ctl_emdlogger1_prop)
+
+# Date: WK17.07
+# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
+allow factory tmpfs:filesystem unmount;
+allow factory sysfs:dir r_dir_perms;
+allow factory sysfs_leds:lnk_file r_file_perms;
+allow factory sysfs_leds:file rw_file_perms;
+allow factory sysfs_leds:dir r_dir_perms;
+allow factory sysfs_power:file rw_file_perms;
+allow factory sysfs_power:dir r_dir_perms;
+allow factory self:capability2 block_suspend;
+allow factory sysfs_vibrator:file rw_file_perms;
+allow factory debugfs_ion:dir search;
+allow factory selinuxfs:file r_file_perms;
+allow factory sysfs_devices_block:dir r_dir_perms;
+allow factory vendor_mtk_factory_start_prop:file read;
+allow factory vendor_mtk_factory_start_prop:file open;
+allow factory vendor_mtk_factory_start_prop:file getattr;
+allow factory vendor_mtk_factory_start_prop:file map;
+
+# Date: WK17.27
+# Purpose: STMicro NFC solution integration
+allow factory st21nfc_device:chr_file rw_file_perms;
+hal_client_domain(factory, hal_nfc)
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow factory mtk_cmdq_device:chr_file r_file_perms;
+allow factory mtk_mdp_device:chr_file r_file_perms;
+allow factory mtk_mdp_sync_device:chr_file r_file_perms;
+allow factory sw_sync_device:chr_file r_file_perms;
+
+# Date: WK1733
+# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
+set_prop(factory, vendor_mtk_ctl_ccci_fsd_prop)
+
+# Date : WK17.38
+# Operation : O Migration
+# Purpose: Allow to access sysfs
+allow factory sysfs_therm:dir search;
+allow factory sysfs_therm:file rw_file_perms;
+
+# Date: W18.22
+# Purpose: P Migration for factory get com port type and uart port info
+# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
+# avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
+# "sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
+allow factory sysfs_comport_type:file rw_file_perms;
+allow factory sysfs_uart_info:file rw_file_perms;
+
+# from private
+allow factory kernel:system module_request;
+allow factory node:tcp_socket node_bind;
+allow factory userdata_block_device:blk_file rw_file_perms;
+allow factory port:tcp_socket { name_bind name_connect };
+allow factory self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow factory proc_net:file r_file_perms;
+allowxperm factory self:udp_socket ioctl { priv_sock_ioctls SIOCGIFFLAGS SIOCGIWNWID};
+
+allow factory self:process execmem;
+allow factory self:tcp_socket create_stream_socket_perms;
+allow factory self:udp_socket create_socket_perms;
+
+allow factory sysfs_wake_lock:file rw_file_perms;
+
+# For Light HIDL permission
+hal_client_domain(factory, hal_light)
+allow factory mtk_hal_light:binder call;
+allow factory merged_hal_service:binder call;
+
+# For vibrator test permission
+allow factory sysfs_vibrator:dir search;
+
+# For Audio device permission
+allow factory proc_asound:dir r_dir_perms;
+allow factory proc_asound:file rw_file_perms;
+
+# For Accdet data permission
+allow factory sysfs_headset:file r_file_perms;
+
+# For touch auto test
+allow factory sysfs_tpd_setting:dir search;
+allow factory sysfs_tpd_setting:file r_file_perms;
+
+# For fingerprinto test
+allow factory sysfs_gf_spi_tee:dir search;
+allow factory sysfs_gf_spi_tee:file r_file_perms;
+
+# Date : WK18.23
+# Operation: P migration
+# Purpose : Allow factory to unmount partition, stop service, and then erase partition
+allow factory vendor_shell_exec:file rx_file_perms;
+allow factory vendor_toolbox_exec:file x_file_perms;
+allow factory proc_cmdline:file r_file_perms;
+allow factory sysfs_dt_firmware_android:file r_file_perms;
+allow factory sysfs_dt_firmware_android:dir r_dir_perms;
+
+# For power_supply and switch permission
+r_dir_file(factory, sysfs_batteryinfo)
+r_dir_file(factory, sysfs_switch)
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose : Refine policy
+allow factory sysfs_devices_block:dir search;
+allow factory sysfs_devices_block:file r_file_perms;
+
+# Date : WK18.37
+# Operation: P migration
+# Purpose : ADSP SmartPA calibration
+allow factory vendor_file:file x_file_perms;
+allow factory mtk_audiohal_data_file:dir create_dir_perms;
+allow factory mtk_audiohal_data_file:file create_file_perms;
+
+# Date : WK18.37
+# Operation: P migration
+# Purpose : Allow factory to open /proc/version
+allow factory proc_version:file r_file_perms;
+
+# Purpose : adsp
+allow factory adsp_device:chr_file rw_file_perms;
+
+# Purpose : NFC
+allow factory vendor_nfc_socket_file:dir w_dir_perms;
+
+# Allow to get AOSP property persist.radio.multisim.config
+get_prop(factory, radio_control_prop)
+
+# Date : WK19.38
+# Operation : Q Migration
+# Purpose: Allow clear eMMC
+set_prop(factory, system_mtk_ctl_mdlogger_prop)
+
+# Date : WK19.41
+# Operation : Q Migration
+# Purpose: allow system_server to access rt5509 param and calib node
+allow factory sysfs_rt_param:file rw_file_perms;
+allow factory sysfs_rt_calib:file rw_file_perms;
+allow factory sysfs_rt_param:dir r_dir_perms;
+allow factory sysfs_rt_calib:dir r_dir_perms;
+
+# Date : WK20.13
+# Operation: R migration
+# Contains lib to visit file permission
+allow factory ashmem_libcutils_device:chr_file x_file_perms;
+
+# Date : WK20.13
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow factory sysfs_boot_info:file r_file_perms;
+allow factory proc_bootprof:file getattr;
+allow factory sysfs_meta_info:file r_file_perms;
+
+# Date : WK20.17
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+allow factory factory_vendor_file:file create_file_perms;
+allow factory factory_vendor_file:dir w_dir_perms;
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : Add permission for health HAL and vbus
+hal_client_domain(factory, hal_health)
+allow factory sysfs_vbus:file r_file_perms;
+allow factory sysfs_chg2_present:file r_file_perms;
+
+# Date : WK20.31
+# Operation: R migration
+# Purpose : Add permission for /proc/bus/input/devices
+allow factory proc_bus_input:file r_file_perms;
+
+# Date : WK20.33
+# Operation: R migration
+# Purpose : Add permission for access aux_adc
+allow factory sys_mt6577_auxadc:dir r_dir_perms;
+allow factory sys_mt6577_auxadc:file r_file_perms;
+
+# Date : WK21.14
+# Operation: Layer decoupling 2.0
+# Purpose: ro.vendor.factory.GB2312
+set_prop(factory, vendor_mtk_factory_prop)
+
+# Date : WK21.18
+# Operation: GKI
+# Purpose : Factory access drm permission
+allow factory gpu_device:dir search;
+allow factory dri_device:chr_file rw_file_perms;
+
+# Date : WK21.19
+# Operation: GKI
+# Purpose : Add permission for access camera_mem
+allow factory camera_mem_device:chr_file rw_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(factory)
+allow factory proc_bootconfig:file r_file_perms;
+
+# Date : WK21.22
+# Operation: GKI 2.0
+# Purpose : Add permission for access dmabuf
+allow factory dmabuf_system_heap_device:chr_file rw_file_perms;
+
+# Date: 2021/05/26
+# Purpose : add permission for access extdev_io (rtk device)
+allow factory sysfs_extdev:dir r_dir_perms;
+allow factory sysfs_extdev:file rw_file_perms;
+
+# Date: 2021/06/23
+# Purpose : add permission for access camera dev
+hal_client_domain(factory, hal_camera)
+
+# Date : 2021/06/30
+# Operation: New IMGSYS Driver
+# Purpose : Add permission for imgsys daemon driver
+allow factory mtk_hcp_device:chr_file rw_file_perms;
+
+# Date: 2021/07/02
+# Purpose : add permission for charger configuration
+allow factory sysfs_chg_cfg:file r_file_perms;
+
+# Date: 2021/07/30
+# Operation : To access V4L2 devices (media, video and sub devices)
+allow factory mtk_v4l2_media_device:dir r_dir_perms;
+allow factory mtk_v4l2_media_device:chr_file rw_file_perms;
+allow factory video_device:dir r_dir_perms;
+allow factory video_device:chr_file rw_file_perms;
+
+# Date: 2021/07/30
+# Purpose : Add permission for access /dev directory
+allow factory device:dir r_dir_perms;
+
+# Date: 2021/07/30
+# Operation : To access camera control daemon driver
+allow factory mtk_ccd_device:chr_file rw_file_perms;
+# Date: 2021/08/27
+# Operation : add permission for storage
+allow factory sysfs_block:dir search;
+
+
+# Date: 2022/01/24
+allow factory mnt_vendor_file:dir search;
+allow factory mnt_vendor_file:file r_file_perms;
diff --git a/basic/non_plat/fastbootd.te b/basic/non_plat/fastbootd.te
new file mode 100644
index 0000000..194c28d
--- /dev/null
+++ b/basic/non_plat/fastbootd.te
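Review bot: In basic/non_plat/factory.te, the `self:capability` block under `# Purpose: for nand project` grants `sys_admin`, `sys_module`, `sys_boot`, `net_admin` and `net_raw`, and the `# from private` group adds `kernel:system module_request`, `self:process execmem`, `userdata_block_device:blk_file rw_file_perms` and `port:tcp_socket { name_bind name_connect }` with no Purpose line at all. Because `init_daemon_domain(factory)` sits in basic/non_plat and nothing in the hunk is wrapped in a build-variant or boot-mode condition, these rules appear to ship on every build, so anything that gains control of /vendor/bin/factory inherits kernel-module, raw-block and network-listen rights. Each of those grants should name the test that needs it, e.g. `# Purpose: <test> needs sys_module to load <driver>; denial: <avc line>`, and any grant without a matching denial should be dropped. `set_prop(factory, ctl_default_prop)` deserves the same treatment, since the hunk already uses narrower control properties such as `vendor_mtk_ctl_ccci_fsd_prop`. Separately, the comment `allow system_server to access rt5509 param and calib node` sits above rules for factory and should name factory.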
@@ -0,0 +1,20 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+allow fastbootd {
+ bootdevice_block_device
+ para_block_device
+ }:blk_file rw_file_perms;
+
+allow fastbootd sysfs_boot_type:file rw_file_perms;
+
+allow fastbootd self:process setfscreate;
+allow fastbootd self:capability sys_rawio;
+
+allowxperm fastbootd bootdevice_block_device:blk_file ioctl {
+ BLKSECDISCARD
+ BLKDISCARD
+ MMC_IOCTLCMD
+};
diff --git a/basic/non_plat/file.te b/basic/non_plat/file.te
new file mode 100644
index 0000000..b7220ad
--- /dev/null
+++ b/basic/non_plat/file.te
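Review bot: In the `allowxperm fastbootd bootdevice_block_device:blk_file ioctl` list of basic/non_plat/fastbootd.te, `MMC_IOCTLCMD` is much broader than the two discard ioctls beside it: together with `allow fastbootd self:capability sys_rawio;` it lets fastbootd pass raw MMC commands to the boot device rather than only erase ranges. The hunk gives no reason for either rule; the only comment is the file banner. Please add a Purpose line naming the fastboot operation that needs it, e.g. `# Purpose: <fastboot command> issues <MMC command> via MMC_IOCTLCMD, requires sys_rawio`, or drop both if erase works with `BLKDISCARD`/`BLKSECDISCARD` alone. `allow fastbootd sysfs_boot_type:file rw_file_perms;` also looks wider than needed if fastbootd only reads the boot type; `r_file_perms` would match how factory.te in this patch uses the same type.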
@@ -0,0 +1,660 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+type proc_secmem, fs_type, proc_type;
+type proc_thermal, fs_type, proc_type;
+type proc_mtkcooler, fs_type, proc_type;
+type proc_mtktz, fs_type, proc_type;
+type proc_mtd, fs_type, proc_type;
+type proc_slogger, fs_type, proc_type;
+type proc_lk_env, fs_type, proc_type;
+type proc_ged, fs_type, proc_type;
+type proc_mtk_jpeg, fs_type, proc_type, mlstrustedobject;
+type proc_perfmgr, fs_type, proc_type;
+type proc_wmtdbg, fs_type, proc_type;
+type proc_zraminfo, fs_type, proc_type;
+type proc_cpu_alignment, fs_type, proc_type;
+type proc_gpulog, fs_type, proc_type;
+type proc_gpufreqv2, fs_type, proc_type;
+type proc_sched_debug, fs_type, proc_type;
+type proc_chip, fs_type, proc_type;
+type proc_atf_log, fs_type, proc_type;
+type proc_gz_log, fs_type, proc_type;
+type proc_last_kmsg, fs_type, proc_type;
+type proc_bootprof, fs_type, proc_type;
+type proc_mtprintk, fs_type, proc_type;
+type proc_pl_lk, fs_type, proc_type;
+type proc_msdc_debug, fs_type, proc_type;
+type proc_ufs_debug, fs_type, proc_type;
+type proc_pidmap, fs_type, proc_type;
+type proc_slabtrace, fs_type, proc_type;
+type proc_cmdq_debug, fs_type, proc_type;
+type proc_isp_p2, fs_type, proc_type;
+type proc_dbg_repo, fs_type, proc_type;
+type proc_isp_p2_dump, fs_type, proc_type;
+type proc_isp_p2_kedump, fs_type, proc_type;
+type proc_memory_usage, fs_type, proc_type;
+type proc_gpu_memory, fs_type, proc_type;
+type proc_mtk_es_reg_dump, fs_type, proc_type;
+type proc_ccci_dump, fs_type, proc_type;
+type proc_log_much, fs_type, proc_type;
+
+#For icusb
+type proc_icusb, fs_type, proc_type;
+
+# for mt-ramdump reset
+type proc_mrdump_rst, fs_type, proc_type;
+
+# blockio procfs file
+type proc_earaio, fs_type, proc_type;
+type procfs_blockio, fs_type, proc_type;
+
+# memtrack procfs file
+type procfs_gpu_img, fs_type, proc_type;
+
+# Date : WK19.27
+# Purpose: Android Migration for SVP
+type proc_m4u, fs_type, proc_type;
+
+# Date : 2019/09/05
+# Purpose: Allow powerhal to control kernel resources
+type proc_ppm, fs_type, proc_type;
+type proc_cpufreq, fs_type, proc_type;
+type proc_hps, fs_type, proc_type;
+type proc_cm_mgr, fs_type, proc_type;
+type proc_fliperfs, fs_type, proc_type;
+
+# Date : 2019/11/14
+# Purpose: Allow powerhal to control MCDI
+type proc_cpuidle, fs_type, proc_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /proc/wlan/status for Q Migration
+type proc_wlan_status, fs_type, proc_type;
+
+# Date : 2019/12/10
+# Purpose: Allow bt process or tool to control bt_dbg
+type proc_btdbg, fs_type, proc_type;
+
+type proc_wmt_aee, fs_type, proc_type;
+
+# Date : 2020/01/16
+# Purpose: Allow mtk_hal_neuralnetworks to read chip id and segment code
+type proc_devinfo, fs_type, proc_type;
+
+# Date : 2020/06/12
+# Operation: R migration
+# Purpose: Allow powerhal to control displowpower
+type proc_displowpower, fs_type, proc_type;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+type proc_ion, fs_type, proc_type;
+
+# Date : 2020/07/01
+# Operation: R migration
+# Purpose: Add permission for access /proc/m4u_dbg/*
+type proc_m4u_dbg, fs_type, proc_type;
+
+# Date : WK20.31
+# Operation: R migration
+# Purpose : Add permission for /proc/bus/input/devices
+type proc_bus_input, fs_type, proc_type;
+
+# Date : 2020/08/05
+# Purpose: Add permission for /proc/driver/wmt_user_proc
+type proc_wmtuserproc, fs_type, proc_type;
+
+# Date : 2020/09/07
+# Purpose: mtk trigger panic by rcu stall
+type proc_panic_on_rcu_stall, fs_type, proc_type;
+
+# Date : 2020/09/18
+# Purpose: add permission for /proc/mcdi/
+type proc_mcdi, fs_type, proc_type;
+
+# Date : 2020/09/22
+# Purpose: define proc_ccci_sib
+type proc_ccci_sib, fs_type, proc_type;
+
+type proc_mtkfb, fs_type, proc_type;
+
+# Date : 2020/07/08
+# Purpose: add permission for /proc/sys/vm/swappiness
+type proc_swappiness, fs_type, proc_type;
+
+# Date : 2020/12/23
+# Purpose: Add permission for /proc/driver/conninfra_dbg
+type proc_conninfradbg, fs_type, proc_type;
+
+# Date: 2021/04/20
+# Purpose : add permission for proc/sys/vm/watermark_scale_factor
+type proc_watermark_scale_factor, fs_type, proc_type;
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb, /proc/mtk_typec
+type proc_usb_plat, fs_type, proc_type;
+
+# Date 2021/05/10
+# Purpose : init the default value before bootup
+type proc_sched_migration_cost_ns, fs_type, proc_type;
+
+# Date : 2021/5/21
+# Purpose: Allow mobile log to read apusysy log
+type proc_apusys_up_seq_logl, fs_type, proc_type;
+
+# Date : 2021/8/24
+# For CachedAppOptimizer
+type proc_mtk_mdp_debug, fs_type, proc_type;
+
+# 2021/8/25
+# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode
+type proc_cpuhvfs, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+type sysfs_execstate, fs_type, sysfs_type;
+type sysfs_therm, fs_type, sysfs_type;
+type sysfs_thermal_sram, fs_type, sysfs_type;
+type sysfs_charger_cooler, fs_type, sysfs_type;
+type sysfs_fps, fs_type, sysfs_type;
+type sysfs_ccci, fs_type, sysfs_type;
+type sysfs_mdinfo, fs_type,sysfs_type;
+type sysfs_ssw, fs_type,sysfs_type;
+type sysfs_soc, fs_type, sysfs_type;
+type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
+type sysfs_md32, fs_type, sysfs_type;
+type sysfs_scp, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_rt_param, fs_type, sysfs_type;
+type sysfs_rt_calib, fs_type, sysfs_type;
+type sysfs_reset_dsp, fs_type, sysfs_type;
+type sysfs_chip_vendor, fs_type, sysfs_type;
+type sysfs_pa_num, fs_type, sysfs_type;
+type sysfs_sspm, fs_type, sysfs_type;
+type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_aee_enable, fs_type, sysfs_type;
+type sysfs_dcm, fs_type, sysfs_type;
+type sysfs_dcs, fs_type, sysfs_type;
+type sysfs_vcore_debug, fs_type, sysfs_type;
+type sysfs_systracker, fs_type, sysfs_type;
+type sysfs_keypad_file, fs_type, sysfs_type;
+type sysfs_vcp, fs_type, sysfs_type;
+
+# apusys_queue sysfs file
+type sysfs_apusys_queue, fs_type, sysfs_type;
+
+# Date : WK1814
+# Purpose : for factory to get boot mode and type
+type sysfs_boot_mode, fs_type, sysfs_type;
+type sysfs_boot_type, fs_type, sysfs_type;
+
+# Date : WK1817
+# Purpose : for meta to get com port type and uart port info
+type sysfs_comport_type, fs_type, sysfs_type;
+type sysfs_uart_info, fs_type, sysfs_type;
+type sysfs_usb_nonplat, fs_type, sysfs_type;
+
+# Date : WK1820
+# Purpose : for charger to access pump_express
+type sysfs_pump_express, fs_type, sysfs_type;
+type sysfs_chg2_present, fs_type, sysfs_type;
+
+# Date : 2018/10/25
+# Purpose : mtk GPU drvb permission setting
+type sysfs_gpu, fs_type, sysfs_type, mlstrustedobject;
+
+# Touch parameters file
+type sysfs_tpd_setting, fs_type, sysfs_type;
+
+# Date : 2019/09/17
+# Purpose : mtk factory fingerprint settings
+type sysfs_gf_spi_tee, fs_type, sysfs_type;
+
+# Backlight brightness file
+type sysfs_leds_setting, fs_type, sysfs_type;
+
+# Vibrator vibrate file
+type sysfs_vibrator_setting, fs_type, sysfs_type;
+
+# Date : WK18.16
+# Purpose: Android Migration
+type sysfs_mmcblk, fs_type, sysfs_type;
+type sysfs_mmcblk1, fs_type, sysfs_type;
+
+# Date : 2019/08/24
+type sysfs_sensor, fs_type, sysfs_type;
+
+#MTEE trusty
+type mtee_trusty_file, fs_type, sysfs_type;
+
+type sysfs_ged, fs_type, sysfs_type;
+type sysfs_fbt_cpu, fs_type, sysfs_type;
+type sysfs_fbt_fteh, fs_type, sysfs_type;
+type sysfs_fpsgo, fs_type, sysfs_type;
+type sysfs_xgf, fs_type, sysfs_type;
+type sysfs_gbe, fs_type, sysfs_type;
+type sysfs_mtk_fpsgo, fs_type, sysfs_type;
+type sysfs_mtk_core_ctl, fs_type, sysfs_type;
+
+# Date : 2019/09/17
+# Purpose: Allow powerhal to control cache audit
+type sysfs_cache_ctrl, fs_type, sysfs_type;
+type sysfs_pftch_qos, fs_type, sysfs_type;
+
+# Date : 2019/09/19
+# Purpose: Allow powerhal to trigger task-turbo
+type sysfs_task_turbo, fs_type, sysfs_type;
+
+# Date : 2019/09/23
+# Purpose: Define change_rate fs_type
+type sysfs_change_rate, fs_type, sysfs_type;
+
+# Date : 2019/10/16
+# Purpose: Define sysfs_ext4_disable_barrier fs_type
+type sysfs_ext4_disable_barrier, fs_type, sysfs_type;
+
+# Date : WK19.38
+# Purpose: Android Migration for video codec driver
+type sysfs_device_tree_model, fs_type, sysfs_type;
+
+# Date : 2019/10/11
+# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx
+type sysfs_pages_shared, fs_type, sysfs_type;
+type sysfs_pages_sharing, fs_type, sysfs_type;
+type sysfs_pages_unshared, fs_type, sysfs_type;
+type sysfs_pages_volatile, fs_type, sysfs_type;
+
+# Date : 2019/10/22
+# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
+type sysfs_mrdump, fs_type, sysfs_type;
+type sysfs_memory, fs_type, sysfs_type;
+
+# Date : 2019/10/25
+# Purpose : To avoid using the SELabel of u:object_r:proc:s0 or u:object_r:sysfs:s0
+# to access /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid
+type sysfs_chipid, fs_type, sysfs_type;
+
+# Date : 2019/12/12
+# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
+type sysfs_concurrency_scenario, fs_type, sysfs_type;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+type sysfs_meta_info, fs_type, sysfs_type;
+
+type sysfs_cache_status, fs_type, sysfs_type;
+
+# Date : 2020/06/12
+# Purpose: define sysfs_mali_power_policy fs_type
+type sysfs_mali_power_policy, fs_type, sysfs_type;
+
+# Date : 20120/07/02
+# Purpose: define sysfs_mtk_nanohub_state fs_type
+type sysfs_mtk_nanohub_state, fs_type, sysfs_type;
+
+# Date : 20120/07/13
+# Purpose: define sysfs_dvfsrc_dbg fs_type
+type sysfs_dvfsrc_dbg, fs_type, sysfs_type;
+
+# Date : 2020/07/31
+# Purpose: add permission for /sys/kernel/apusys/
+type sysfs_apusys, fs_type, sysfs_type;
+
+# Date : WK20.33
+# Operation: R migration
+# Purpose : Add permission for access aux_adc
+type sys_mt6577_auxadc, fs_type, sysfs_type;
+
+# Date : 2020/07/10
+# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/*
+type sysfs_emi_ctrl_concurrency_scenario, fs_type, sysfs_type;
+
+# Date : 20120/08/19
+# Purpose: define sysfs_dvfsrc_devfreq fs_type
+type sysfs_dvfsrc_devfreq, fs_type, sysfs_type;
+
+# Date : 2020/09/03
+# Purpose: mtk MMQoS set camera max BW
+type sysfs_camera_max_bw, fs_type, sysfs_type;
+type sysfs_camera_max_bw_v2, fs_type, sysfs_type;
+
+# Date : 2021/06/15
+# Purpose: mtk MMQoS scenario change
+type sysfs_mtk_mmqos_scen, fs_type, sysfs_type;
+type sysfs_mtk_mmqos_scen_v2, fs_type, sysfs_type;
+
+# Date : 2020/09/29
+# Purpose: add permission for /sys/kernel/eara_thermal/
+type sysfs_eara_thermal, fs_type, sysfs_type;
+
+# Date : 2021/3/12
+# Purpose: add permission for /sys/class/misc/mali0/device/pm_poweroff
+type sysfs_mali_poweroff, fs_type, sysfs_type;
+
+# Date : 2020/12/14
+# Purpose: allow dumpstate/crash_dump/aee_aedv to read /sys/kernel/mm/mlog/dump
+type sysfs_mm, fs_type, sysfs_type;
+
+type sysfs_vpd, fs_type, sysfs_type;
+
+# Date : 2021/06/01
+# Purpose: for dcxo calibration
+type sysfs_dcxo, fs_type, sysfs_type;
+
+# 2021/05/26
+# RTK Device
+type sysfs_extdev, fs_type, sysfs_type;
+
+# 2021/07/06
+# charger configuration
+type sysfs_chg_cfg, fs_type, sysfs_type;
+
+# 2021/07/29
+# boot mode access
+type sysfs_boot_info, fs_type, sysfs_type;
+
+# 2021/8/25
+# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr
+type sysfs_cm_mgr, fs_type, sysfs_type;
+
+##########################
+# Debug Filesystem types
+#
+
+# display debugfs file
+type debugfs_fb, fs_type, debugfs_type;
+
+# fpsgo debugfs file
+type debugfs_fpsgo, fs_type, debugfs_type;
+
+# memtrack debugfs file
+type debugfs_ion, fs_type, debugfs_type;
+
+##########################
+# Other Filesystem types
+#
+# for labeling /mnt/cd-rom as iso9660
+type iso9660, fs_type;
+
+# rawfs for /protect_f on NAND projects
+type rawfs, fs_type, mlstrustedobject;
+
+#fuse
+type fuseblk, sdcard_type, fs_type, mlstrustedobject;
+
+##########################
+# File types
+#
+# Date : 2019/12/19
+# Purpose : Allow ccci_mdinit read /vendor/etc/md
+type vendor_etc_md_file, vendor_file_type, file_type;
+
+# Date : 2021/12/10
+# Purpose : Allow mtk_hal_camera read /vendor/etc/nn
+type vendor_etc_nn_file, vendor_file_type, file_type;
+
+
+# Data : 2020/12/30
+# Purpose : DBReleasePlan
+type vendor_bin_crossbuild_file, vendor_file_type, file_type;
+##########################
+# File types
+# Data file types
+type custom_file, file_type, data_file_type;
+type lost_found_data_file, file_type, data_file_type;
+type dontpanic_data_file, file_type, data_file_type;
+type resource_cache_data_file, file_type, data_file_type;
+type http_proxy_cfg_data_file, file_type, data_file_type;
+type acdapi_data_file, file_type, data_file_type;
+type ppp_data_file, file_type, data_file_type;
+type wpa_supplicant_data_file, file_type, data_file_type;
+type radvd_data_file, file_type, data_file_type;
+type mal_data_file, file_type, data_file_type;
+type bt_data_file, file_type, data_file_type;
+type agpsd_data_file, file_type, data_file_type;
+type mnld_data_file, file_type, data_file_type;
+type gps_data_file, file_type, data_file_type;
+type MPED_data_file, file_type, data_file_type;
+type protect_f_data_file, file_type, data_file_type;
+type protect_s_data_file, file_type, data_file_type;
+type persist_data_file, file_type, data_file_type;
+type nvram_data_file, file_type, data_file_type;
+type nvdata_file, file_type, data_file_type;
+type nvcfg_file, file_type, data_file_type;
+type mcf_ota_file, file_type, data_file_type;
+type cct_data_file, file_type, data_file_type;
+type mediaserver_data_file, file_type, data_file_type;
+type mediacodec_data_file, file_type, data_file_type;
+type connsyslog_data_vendor_file, file_type, data_file_type;
+
+# AAO
+type data_vendor_aao_file, file_type, data_file_type;
+type data_vendor_aaoHwBuf_file, file_type, data_file_type;
+type data_vendor_AAObitTrue_file, file_type, data_file_type;
+
+# Flash
+type data_vendor_flash_file, file_type, data_file_type;
+
+# Flicker
+type data_vendor_flicker_file, file_type, data_file_type;
+
+# AFO
+type data_vendor_afo_file, file_type, data_file_type;
+
+# PDO
+type data_vendor_pdo_file, file_type, data_file_type;
+
+# NE core_forwarder
+type aee_core_vendor_file, file_type, data_file_type;
+
+type aee_dumpsys_vendor_file, file_type, data_file_type;
+
+type ccci_cfg_file, file_type, data_file_type;
+type ccci_data_md1_file, file_type, data_file_type;
+type c2k_file, file_type, data_file_type;
+
+#For sensor
+type sensor_data_file, file_type, data_file_type;
+
+type stp_dump_data_file, file_type, data_file_type;
+type wifi_dump_data_file, file_type, data_file_type;
+type bt_dump_data_file, file_type, data_file_type;
+
+# data_tmpfs_log
+type vendor_tmpfs_log_file, file_type, data_file_type;
+
+# fat on nand fat.img
+type fon_image_data_file, file_type, data_file_type;
+
+# ims ipsec config file
+type ims_ipsec_data_file, file_type, data_file_type;
+
+# thermal manager config file
+type thermal_manager_data_file, file_type, data_file_type;
+
+# thermal core config file
+type thermal_core_data_file, file_type, data_file_type;
+
+#autokd data file
+type autokd_data_file, file_type, data_file_type;
+
+# MTK audio HAL folder
+type mtk_audiohal_data_file, file_type, data_file_type;
+
+# MTK Power HAL folder
+type mtk_powerhal_data_file, file_type, data_file_type;
+
+# Date : WK1743
+# Purpose : for meta_tst copy MD DB from MD image
+type mddb_data_file, file_type, data_file_type;
+
+# Widevine move data/mediadrm folder from system to vendor
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# drm key manager
+type provision_file, file_type, data_file_type;
+type key_install_data_file, file_type, data_file_type;
+
+type aee_dipdebug_vendor_file, file_type, data_file_type;
+
+# Date : WK19.34
+# Purpose: Android Migration for video codec driver
+type vcodec_file, file_type, data_file_type, mlstrustedobject;
+
+# Date : 2019/12/23
+# Purpose : Allow ccci_mdinit read /data/vendor_de/md
+type data_vendor_de_md_file, data_file_type, file_type;
+
+# Date : 2019/04/23
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+type factory_vendor_file, file_type, data_file_type;
+
+# Date : 2020/09/24
+# Purpose: mtk camsys raw buffer dump
+type data_vendor_raw_file, file_type, data_file_type;
+
+type vendor_nfc_socket_file, file_type, data_file_type;
+
+# Date : W2109
+# Purpose: add permission for /data/vendor/gpu_dump
+type gpu_dump_vendor_file, file_type, data_file_type;
+
+# Date : 2021/2/22
+# Purpose: Add permission for EARA-IO
+type eara_io_data_file, file_type, data_file_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+#mobilelog data/misc/mblog
+type logmisc_data_file, file_type, data_file_type, core_data_file_type;
+
+#mobilelog data/log_temp
+type logtemp_data_file, file_type, data_file_type, core_data_file_type;
+
+# NE core_forwarder
+type aee_core_data_file, file_type, data_file_type, core_data_file_type;
+
+type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
+
+# SF rtt dump
+type sf_rtt_file, file_type, data_file_type, core_data_file_type;
+
+# data_tmpfs_log
+type data_tmpfs_log_file, file_type, data_file_type, core_data_file_type;
+
+# adbd config file
+type adbd_data_file, file_type, data_file_type, core_data_file_type;
+
+# SF bqdump
+type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type;
+
+# factory data file
+type factory_data_file, file_type, data_file_type, core_data_file_type;
+
+# Modem Log folder
+type mdlog_data_file, file_type, data_file_type, core_data_file_type;
+
+# consys Log folder
+type consyslog_data_file, file_type, data_file_type, core_data_file_type;
+
+type nfc_socket_file, file_type, data_file_type, core_data_file_type;
+
+##########################
+# Socket types
+#
+type volte_vt_socket, file_type;
+type dfo_socket, file_type;
+type gsmrild_socket, file_type;
+type rild2_socket, file_type;
+type rild3_socket, file_type;
+type rild4_socket, file_type;
+type rild_mal_socket, file_type;
+type rild_mal_at_socket, file_type;
+type rild_mal_md2_socket, file_type;
+type rild_mal_at_md2_socket, file_type;
+type rild_ims_socket, file_type;
+type rild_imsm_socket, file_type;
+type rild_oem_socket, file_type;
+type rild_mtk_ut_socket, file_type;
+type rild_mtk_ut_2_socket, file_type;
+type rild_mtk_modem_socket, file_type;
+type rild_md2_socket, file_type;
+type rild2_md2_socket, file_type;
+type rild_debug_md2_socket, file_type;
+type rild_oem_md2_socket, file_type;
+type rild_mtk_ut_md2_socket, file_type;
+type rild_mtk_ut_2_md2_socket, file_type;
+type rild_mtk_modem_md2_socket, file_type;
+type rild_vsim_socket, file_type;
+type rild_vsim_md2_socket, file_type;
+type mal_mfi_socket, file_type;
+type netdiag_socket, file_type, mlstrustedobject;
+type wpa_wlan0_socket, file_type;
+type soc_vt_imcb_socket, file_type;
+type soc_vt_tcv_socket, file_type;
+type soc_vt_stk_socket, file_type;
+type soc_vt_svc_socket, file_type;
+type dbus_bluetooth_socket, file_type;
+type bt_int_adp_socket, file_type;
+type bt_a2dp_stream_socket, file_type;
+type agpsd_socket, file_type;
+type mnld_socket, file_type;
+type MPED_socket, file_type;
+type sysctl_socket, file_type;
+type backuprestore_socket, file_type;
+
+#for 3Gdongle
+type rild-dongle_socket, file_type;
+
+type rild_via_socket, file_type;
+type rpc_socket, file_type;
+type rild_ctclient_socket, file_type;
+
+# socket between atci_service and audio-daemon
+type atci-audio_socket, file_type;
+
+# socket between atcid and meta_tst
+type meta_atci_socket, file_type;
+
+# socket between atcid and factory
+type factory_atci_socket, file_type;
+
+# ATCI socket types
+type rild_atci_socket, file_type;
+type rilproxy_atci_socket, file_type;
+type atci_service_socket, file_type;
+type adb_atci_socket, file_type;
+
+type netd_socket, file_type, coredomain_socket;
+
+# thermal hal socket file
+type thermal_hal_socket, file_type;
+
+# thermal core socket file
+type thermal_socket, file_type;
+
+# Data : 2021/08/24
+# Operaton: S development
+# Purpose: Add permission for node /proc/dma_heap
+type proc_dmaheap, fs_type, proc_type;
+
+# Date : 2021/11/12
+# Purpose: add permission for /proc/sys/vm/watermark_boost_factor
+type proc_watermark_boost_factor, fs_type, proc_type;
+
+# Date: 2021/12/24
+# Purpose: add new label for /proc/mgq
+type proc_mgq, fs_type, proc_type;
diff --git a/basic/non_plat/file_contexts b/basic/non_plat/file_contexts
new file mode 100644
index 0000000..194232d
--- /dev/null
+++ b/basic/non_plat/file_contexts
@@ -0,0 +1,971 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/vendor/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
+/data/vendor/thermal(/.*)? u:object_r:thermal_core_data_file:s0
+/data/vendor_de/meta(/.*)? u:object_r:mddb_data_file:s0
+/data/vendor/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
+/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
+/data/vendor/log/gps(/.*)? u:object_r:gps_data_file:s0
+/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
+/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
+/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
+/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
+/data/core(/.*)? u:object_r:aee_core_data_file:s0
+/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
+/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
+/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_vendor_file:s0
+/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0
+/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
+/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0
+/data/nfc_socket(/.*)? u:object_r:nfc_socket_file:s0
+/data/vendor/nfc_socket(/.*)? u:object_r:vendor_nfc_socket_file:s0
+/data/vendor/md3(/.*)? u:object_r:c2k_file:s0
+/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0
+/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
+/data/vendor/data_tmpfs_log(/.*)? u:object_r:vendor_tmpfs_log_file:s0
+/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0
+/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0
+/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
+/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
+/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
+/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0
+
+# Misc data
+/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
+/data/vendor/sensor(/.*)? u:object_r:sensor_data_file:s0
+
+# Wallpaper file for smartbook
+/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
+
+/data/vendor/connsyslog(/.*)? u:object_r:connsyslog_data_vendor_file:s0
+
+# AAO
+/data/vendor/aao(/.*)? u:object_r:data_vendor_aao_file:s0
+/data/vendor/aaoHwBuf(/.*)? u:object_r:data_vendor_aaoHwBuf_file:s0
+/data/vendor/AAObitTrue(/.*)? u:object_r:data_vendor_AAObitTrue_file:s0
+
+# Flash
+/data/vendor/flash(/.*)? u:object_r:data_vendor_flash_file:s0
+
+# Flicker
+/data/vendor/flicker(/.*)? u:object_r:data_vendor_flicker_file:s0
+
+# AFO
+/data/vendor/AFObitTrue(/.*)? u:object_r:data_vendor_afo_file:s0
+
+# PDO
+/data/vendor/pdo(/.*)? u:object_r:data_vendor_pdo_file:s0
+
+# ccci_mdinit access /data/vendor_de/md file
+/data/vendor_de/md(/.*)? u:object_r:data_vendor_de_md_file:s0
+
+# Date : 2019/04/23
+# Operation: R migration
+# Purpose : Add permission for acess vendor_de.
+/data/vendor_de/factory(/.*)? u:object_r:factory_vendor_file:s0
+
+# Date: 2020/09/24
+# Purpose: mtk camsys raw dump file
+/data/vendor/raw(/.*)? u:object_r:data_vendor_raw_file:s0
+
+# Date: 2020/02/22
+# Purpose: add permission for /data/vendor/gpu_dump
+/data/vendor/gpu_dump(/.*)? u:object_r:gpu_dump_vendor_file:s0
+
+# EARA-IO
+/data/vendor/eara_io(/.*)? u:object_r:eara_io_data_file:s0
+
+##########################
+# Devices
+#
+/dev/aal_als(/.*)? u:object_r:aal_als_device:s0
+/dev/accdet(/.*)? u:object_r:accdet_device:s0
+/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0
+/dev/ampc0(/.*)? u:object_r:ampc0_device:s0
+/dev/android(/.*)? u:object_r:android_device:s0
+
+/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/by-name/otp u:object_r:otp_part_block_device:s0
+
+/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0
+/dev/bootimg(/.*)? u:object_r:bootimg_device:s0
+/dev/BOOT(/.*)? u:object_r:BOOT_device:s0
+/dev/btif(/.*)? u:object_r:btif_device:s0
+/dev/btn(/.*)? u:object_r:btn_device:s0
+
+/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0
+/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0
+
+/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0
+/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0
+/dev/MAIN3AF(/.*)? u:object_r:MAIN3AF_device:s0
+/dev/MAIN4AF(/.*)? u:object_r:MAIN4AF_device:s0
+
+/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0
+/dev/SUB2AF(/.*)? u:object_r:SUB2AF_device:s0
+/dev/cache(/.*)? u:object_r:cache_device:s0
+
+/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0
+/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0
+/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0
+/dev/camera_eeprom[0-9]+ u:object_r:camera_eeprom_device:s0
+/dev/seninf_n3d u:object_r:seninf_n3d_device:s0
+
+/dev/gz_kree(/.*)? u:object_r:gz_device:s0
+/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0
+/dev/camera-mem(/.*)? u:object_r:camera_mem_device:s0
+/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0
+/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0
+/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0
+/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0
+/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0
+/dev/camera-gepf(/.*)? u:object_r:camera_gepf_device:s0
+/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0
+/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0
+/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0
+/dev/camera-pda(/.*)? u:object_r:camera_pda_device:s0
+/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0
+/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0
+/dev/mtk_ccd(/.*)? u:object_r:mtk_ccd_device:s0
+
+/dev/mtk_hcp(/.*)? u:object_r:mtk_hcp_device:s0
+/dev/media[0-9]+ u:object_r:mtk_v4l2_media_device:s0
+/dev/v4l-subdev.* u:object_r:mtk_v4l2_media_device:s0
+/dev/ccu(/.*)? u:object_r:ccu_device:s0
+/dev/ccu_rproc(/.*)? u:object_r:ccu_device:s0
+/dev/vpu(/.*)? u:object_r:vpu_device:s0
+/dev/mdlactl(/.*)? u:object_r:mdla_device:s0
+/dev/apusys(/.*)? u:object_r:apusys_device:s0
+/dev/ccci_monitor u:object_r:ccci_monitor_device:s0
+/dev/ccci_c2k_agps u:object_r:agps_device:s0
+/dev/ccci.* u:object_r:ccci_device:s0
+
+/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0
+/dev/devmap(/.*)? u:object_r:devmap_device:s0
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0
+
+/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0
+/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0
+/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0
+/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0
+/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0
+/dev/WV511AAF(/.*)? u:object_r:lens_device:s0
+
+/dev/ebc(/.*)? u:object_r:ebc_device:s0
+/dev/usip(/.*)? u:object_r:ebc_device:s0
+/dev/ebr[0-9]+ u:object_r:ebr_device:s0
+/dev/eemcs.* u:object_r:eemcs_device:s0
+/dev/emd.* u:object_r:emd_device:s0
+
+/dev/etb u:object_r:etb_device:s0
+/dev/expdb(/.*)? u:object_r:expdb_device:s0
+
+/dev/fat(/.*)? u:object_r:fat_device:s0
+/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0
+/dev/fm(/.*)? u:object_r:fm_device:s0
+/dev/fw_log_wmt u:object_r:fw_log_wmt_device:s0
+/dev/fw_log_wifi u:object_r:fw_log_wifi_device:s0
+/dev/fw_log_wifimcu u:object_r:fw_log_wifimcu_device:s0
+/dev/fw_log_ics u:object_r:fw_log_ics_device:s0
+
+/dev/geofence(/.*)? u:object_r:geo_device:s0
+/dev/fw_log_gps u:object_r:fw_log_gps_device:s0
+/dev/hdmitx(/.*)? u:object_r:graphics_device:s0
+/dev/gps2scp u:object_r:gps2scp_device:s0
+/dev/gps_pwr u:object_r:gps_pwr_device:s0
+/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0
+/dev/ion(/.*)? u:object_r:ion_device:s0
+
+/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0
+/dev/flashlight(/.*)? u:object_r:flashlight_device:s0
+/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0
+/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0
+/dev/seninf(/.*)? u:object_r:seninf_device:s0
+
+/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0
+/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0
+
+/dev/logo(/.*)? u:object_r:logo_device:s0
+/dev/loop-control(/.*)? u:object_r:loop-control_device:s0
+
+/dev/dma_heap/mtk_mm u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/mtk_mm-uncached u:object_r:dmabuf_system_heap_device:s0
+/dev/dma_heap/mtk_svp_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_svp_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_svp_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_prot_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_2d_fr_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_2d_fr_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_wfd_page-uncached u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_data_shm_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_data_shm_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_engine_shm_region u:object_r:dmabuf_system_secure_heap_device:s0
+/dev/dma_heap/mtk_sapu_engine_shm_region-aligned u:object_r:dmabuf_system_secure_heap_device:s0
+
+/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
+/dev/mali.* u:object_r:gpu_device:s0
+/dev/MATV(/.*)? u:object_r:MATV_device:s0
+/dev/mbr(/.*)? u:object_r:mbr_device:s0
+/dev/md32(/.*)? u:object_r:md32_device:s0
+
+/dev/scp(/.*)? u:object_r:scp_device:s0
+/dev/scp_B(/.*)? u:object_r:scp_device:s0
+/dev/sspm(/.*)? u:object_r:sspm_device:s0
+/dev/vcp(/.*)? u:object_r:vcp_device:s0
+
+/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0
+/dev/misc(/.*)? u:object_r:misc_device:s0
+/dev/misc2(/.*)? u:object_r:misc2_device:s0
+/dev/MJC(/.*)? u:object_r:MJC_device:s0
+/dev/mmp(/.*)? u:object_r:mmp_device:s0
+
+/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0
+/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0
+/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0
+/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0
+/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0
+/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0
+/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0
+/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0
+
+/dev/st21nfc u:object_r:st21nfc_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+
+/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0
+/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0
+/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0
+
+/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
+/dev/mtk_disp.* u:object_r:graphics_device:s0
+/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0
+/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0
+/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0
+/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0
+/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0
+/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0
+/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0
+/dev/mtk_mdp(/.*)? u:object_r:mtk_mdp_device:s0
+/dev/mdp_device(/.*)? u:object_r:mdp_device:s0
+/dev/mdp_sync(/.*)? u:object_r:mtk_mdp_sync_device:s0
+/dev/fmt_sync(/.*)? u:object_r:mtk_fmt_sync_device:s0
+/dev/vdec-fmt(/.*)? u:object_r:mtk_fmt_device:s0
+/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0
+/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0
+
+/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0
+/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0
+/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0
+/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0
+/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0
+
+/dev/network.* u:object_r:network_device:s0
+/dev/nvram(/.*)? u:object_r:nvram_device:s0
+/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0
+
+/dev/otp u:object_r:otp_device:s0
+/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0
+/dev/pmt(/.*)? u:object_r:pmt_device:s0
+
+/dev/preloader(/.*)? u:object_r:preloader_device:s0
+/dev/pro_info(/.*)? u:object_r:pro_info_device:s0
+/dev/protect_f(/.*)? u:object_r:protect_f_device:s0
+/dev/protect_s(/.*)? u:object_r:protect_s_device:s0
+
+/dev/psaux(/.*)? u:object_r:psaux_device:s0
+/dev/ptmx(/.*)? u:object_r:ptmx_device:s0
+/dev/ptyp.* u:object_r:ptyp_device:s0
+/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0
+
+/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0
+/dev/recovery(/.*)? u:object_r:recovery_device:s0
+/dev/rfkill(/.*)? u:object_r:rfkill_device:s0
+/dev/rtc[0-9]+ u:object_r:rtc_device:s0
+/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0
+/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0
+
+/dev/seccfg(/.*)? u:object_r:seccfg_device:s0
+/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0
+/dev/sec(/.*)? u:object_r:sec_device:s0
+
+/dev/tee1 u:object_r:tee_part_device:s0
+/dev/tee2 u:object_r:tee_part_device:s0
+
+/dev/sensor(/.*)? u:object_r:sensor_device:s0
+/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0
+/dev/snapshot(/.*)? u:object_r:snapshot_device:s0
+/dev/i2c-9(/.*)? u:object_r:tahiti_device:s0
+
+/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0
+/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
+/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0
+
+/dev/socket/meta-atci(/.*)? u:object_r:meta_atci_socket:s0
+/dev/socket/factory-atci(/.*)? u:object_r:factory_atci_socket:s0
+/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
+
+/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
+/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0
+
+/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0
+/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0
+/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
+
+/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
+
+/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
+/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
+/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
+
+/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
+/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
+/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
+/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0
+
+/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0
+/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0
+/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0
+/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0
+/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
+/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
+
+/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
+/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
+
+/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
+/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
+/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0
+/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0
+
+/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0
+/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0
+/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0
+/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0
+/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0
+/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0
+/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0
+
+/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0
+/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
+/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
+/dev/socket/rild-via u:object_r:rild_via_socket:s0
+/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
+/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
+
+/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
+/dev/socket/rpc u:object_r:rpc_socket:s0
+
+/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0
+/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
+/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
+
+/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
+/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
+/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
+
+/dev/socket/thermal_socket(/.*)? u:object_r:thermal_socket:s0
+/dev/socket/thermal_hal_socket(/.*)? u:object_r:thermal_hal_socket:s0
+
+/dev/stpant(/.*)? u:object_r:stpant_device:s0
+/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
+/dev/fw_log_bt u:object_r:fw_log_bt_device:s0
+/dev/fw_log_btmcu u:object_r:fw_log_btmcu_device:s0
+
+/dev/stpgps u:object_r:mnld_device:s0
+/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
+/dev/stpgps2(/.*)? u:object_r:stpgps_device:s0
+/dev/gpsdl0 u:object_r:mnld_device:s0
+/dev/gpsdl0(/.*)? u:object_r:gpsdl_device:s0
+/dev/gpsdl1 u:object_r:mnld_device:s0
+/dev/gpsdl1(/.*)? u:object_r:gpsdl_device:s0
+/dev/gps_emi(/.*)? u:object_r:gps_emi_device:s0
+
+/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
+/dev/conninfra_dev(/.*)? u:object_r:conninfra_device:s0
+/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0
+/dev/tgt(/.*)? u:object_r:tgt_device:s0
+/dev/touch(/.*)? u:object_r:touch_device:s0
+/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0
+
+/dev/connfem(/.*)? u:object_r:connfem_device:s0
+
+/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC0 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC1 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC2 u:object_r:gsm0710muxd_device:s0
+/dev/ttyCMIPC9 u:object_r:gsm0710muxd_device:s0
+/dev/ttyC1 u:object_r:mdlog_device:s0
+/dev/ttyC2 u:object_r:agps_device:s0
+/dev/ttyC3 u:object_r:icusb_device:s0
+/dev/ttyC6 u:object_r:nlop_device:s0
+/dev/ttyGS.* u:object_r:ttyGS_device:s0
+/dev/ttyMT.* u:object_r:ttyMT_device:s0
+/dev/ttyS.* u:object_r:ttyS_device:s0
+/dev/ttyp.* u:object_r:ttyp_device:s0
+/dev/ttySDIO.* u:object_r:ttySDIO_device:s0
+/dev/ttyUSB0 u:object_r:tty_device:s0
+/dev/ttyUSB1 u:object_r:tty_device:s0
+/dev/ttyUSB2 u:object_r:tty_device:s0
+/dev/ttyUSB3 u:object_r:tty_device:s0
+/dev/ttyUSB4 u:object_r:tty_device:s0
+
+/dev/TV-out(/.*)? u:object_r:TV_out_device:s0
+/dev/uboot(/.*)? u:object_r:uboot_device:s0
+/dev/uibc(/.*)? u:object_r:uibc_device:s0
+/dev/uinput(/.*)? u:object_r:uinput_device:s0
+/dev/uio0(/.*)? u:object_r:uio0_device:s0
+/dev/usrdata(/.*)? u:object_r:usrdata_device:s0
+
+/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0
+/dev/vmodem u:object_r:vmodem_device:s0
+/dev/vow(/.*)? u:object_r:vow_device:s0
+
+/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0
+/dev/conn_pwr_dev(/.*)? u:object_r:conn_pwr_device:s0
+/dev/conn_scp(/.*)? u:object_r:conn_scp_device:s0
+/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
+/dev/ancservice(/.*)? u:object_r:ancservice_device:s0
+/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0
+/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0
+
+/dev/adsp(/.*)? u:object_r:adsp_device:s0
+/dev/adsp_0(/.*)? u:object_r:adsp_device:s0
+/dev/adsp_1(/.*)? u:object_r:adsp_device:s0
+/dev/audio_scp(/.*)? u:object_r:audio_scp_device:s0
+
+/dev/irtx u:object_r:irtx_device:s0
+/dev/lirc[0-9]+ u:object_r:irtx_device:s0
+/dev/spm(/.*)? u:object_r:spm_device:s0
+/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0
+/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0
+/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0
+/dev/shf u:object_r:shf_device:s0
+/dev/ttyACM0 u:object_r:ttyACM_device:s0
+/dev/hrm u:object_r:hrm_device:s0
+/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
+/dev/nebula-ipc-dev0 u:object_r:tee_device:s0
+/dev/trustzone u:object_r:tee_device:s0
+/dev/mbim u:object_r:mbim_device:s0
+/dev/alarm(/.*)? u:object_r:alarm_device:s0
+/dev/radio(/.*)? u:object_r:mtk_radio_device:s0
+/dev/mml_pq u:object_r:mml_pq_device:s0
+
+# Sensor common Devices Start
+/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
+/dev/barometer(/.*)? u:object_r:barometer_device:s0
+/dev/humidity(/.*)? u:object_r:humidity_device:s0
+/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
+/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
+/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
+/dev/msensor(/.*)? u:object_r:msensor_device:s0
+/dev/biometric(/.*)? u:object_r:biometric_device:s0
+/dev/sensorlist(/.*)? u:object_r:sensorlist_device:s0
+/dev/hf_manager(/.*)? u:object_r:hf_manager_device:s0
+
+# Sensor Devices Start
+/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0
+
+# Sensor bio Devices Start
+/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0
+/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0
+/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0
+/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0
+/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0
+/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0
+/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0
+/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0
+/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0
+/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0
+/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0
+/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0
+/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0
+
+# block partition definitions
+/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0
+/dev/block/sda u:object_r:preloader_block_device:s0
+/dev/block/sdb u:object_r:preloader_block_device:s0
+/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0
+/dev/block/sdc u:object_r:bootdevice_block_device:s0
+/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
+/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para u:object_r:boot_para_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dpm.* u:object_r:dpm_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/mcf_ota(_[ab])? u:object_r:mcf_ota_block_device:s0
+/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vcp(_[ab])? 
u:object_r:vcp_device:s0 +# Key manager +/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0 +/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0 + +/dev/block/by-name/proinfo u:object_r:nvram_device:s0 +/dev/block/by-name/nvram u:object_r:nvram_device:s0 +/dev/block/by-name/nvdata u:object_r:nvdata_device:s0 +/dev/block/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/by-name/expdb u:object_r:expdb_block_device:s0 +/dev/block/by-name/misc2 u:object_r:misc2_block_device:s0 +/dev/block/by-name/logo u:object_r:logo_block_device:s0 +/dev/block/by-name/para u:object_r:para_block_device:s0 +/dev/block/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/by-name/seccfg u:object_r:seccfg_block_device:s0 +/dev/block/by-name/secro u:object_r:secro_block_device:s0 +/dev/block/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/by-name/recovery u:object_r:recovery_block_device:s0 +/dev/block/by-name/protect1 u:object_r:protect1_block_device:s0 +/dev/block/by-name/protect2 u:object_r:protect2_block_device:s0 +/dev/block/by-name/keystore u:object_r:keystore_block_device:s0 +/dev/block/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/by-name/nvcfg u:object_r:nvcfg_block_device:s0 +/dev/block/by-name/sec1 u:object_r:sec1_block_device:s0 +/dev/block/by-name/boot_para u:object_r:boot_para_block_device:s0 +/dev/block/by-name/mcf_ota(_[ab])? u:object_r:mcf_ota_block_device:s0 +/dev/block/by-name/super u:object_r:super_block_device:s0 +/dev/block/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0 +/dev/block/by-name/system(_[ab])? u:object_r:system_block_device:s0 +/dev/block/by-name/boot(_[ab])? u:object_r:boot_block_device:s0 +/dev/block/by-name/odm(_[ab])? u:object_r:odm_block_device:s0 +/dev/block/by-name/oem(_[ab])? 
u:object_r:oem_block_device:s0 +/dev/block/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0 +/dev/block/by-name/lk(_[ab])? u:object_r:lk_block_device:s0 +/dev/block/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0 +/dev/block/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0 +/dev/block/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0 +/dev/block/by-name/md1img(_[ab])? u:object_r:md_block_device:s0 +/dev/block/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0 +/dev/block/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0 +/dev/block/by-name/md3img(_[ab])? u:object_r:md_block_device:s0 +/dev/block/by-name/scp(_[ab])? u:object_r:scp_block_device:s0 +/dev/block/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0 +/dev/block/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0 +/dev/block/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0 +/dev/block/by-name/mcupm(_[ab])? u:object_r:mcupmfw_block_device:s0 +/dev/block/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0 +/dev/block/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0 +/dev/block/by-name/dpm.* u:object_r:dpm_block_device:s0 +/dev/block/by-name/dpm(_[ab])? u:object_r:dpm_block_device:s0 +/dev/block/by-name/audio_dsp(_[ab])? u:object_r:audio_dsp_block_device:s0 +/dev/block/by-name/gz([12]|_[ab]) u:object_r:gz_block_device:s0 +/dev/block/by-name/vendor_boot(_[ab])? u:object_r:boot_block_device:s0 +/dev/block/by-name/pi_img(_[ab])? u:object_r:pi_img_device:s0 +/dev/block/by-name/apusys(_[ab])? u:object_r:apusys_device:s0 +/dev/block/by-name/ccu(_[ab])? u:object_r:ccu_device:s0 +/dev/block/by-name/gpueb(_[ab])? u:object_r:gpueb_device:s0 +/dev/block/by-name/vcp(_[ab])? u:object_r:vcp_device:s0 +/dev/block/by-name/mvpu_algo(_[ab])? u:object_r:mvpu_algo_device:s0 +# W19.23 Q new feature - Userdata Checkpoint +/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0 + +# MRDUMP +/dev/block/by-name/mrdump(/.*)? 
u:object_r:mrdump_device:s0 + +/dev/vcu u:object_r:vcu_device:s0 +/dev/vpud u:object_r:vpud_device:s0 + +########################## +# Vendor files +# +/(vendor|system/vendor)/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0 +/(vendor|system/vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0 +/(vendor|system/vendor)/bin/wifi_dump u:object_r:wifi_dump_exec:s0 +/(vendor|system/vendor)/bin/bt_dump u:object_r:bt_dump_exec:s0 +/(vendor|system/vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0 +/(vendor|system/vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0 +/(vendor|system/vendor)/bin/smartcharging u:object_r:smartcharging_exec:s0 +/(vendor|system/vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0 +/(vendor|system/vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0 +/(vendor|system/vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0 +/(vendor|system/vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0 +/(vendor|system/vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0 +/(vendor|system/vendor)/bin/muxreport u:object_r:muxreport_exec:s0 +/(vendor|system/vendor)/bin/nvram_agent_binder u:object_r:mtk_hal_nvramagent_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service u:object_r:mtk_hal_nvramagent_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service-lazy u:object_r:mtk_hal_nvramagent_exec:s0 +/(vendor|system/vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0 +/(vendor|system/vendor)/bin/slpd u:object_r:slpd_exec:s0 +/(vendor|system/vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0 +/(vendor|system/vendor)/bin/thermal_core u:object_r:thermal_core_exec:s0 +/(vendor|system/vendor)/bin/thermal_core64 u:object_r:thermal_core_exec:s0 +/(vendor|system/vendor)/bin/frs u:object_r:thermal_core_exec:s0 +/(vendor|system/vendor)/bin/frs64 u:object_r:thermal_core_exec:s0 +/(vendor|system/vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0 
+/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk u:object_r:hal_thermal_default_exec:s0 +/(vendor|system/vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0 +/(vendor|system/vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0 +/(vendor|system/vendor)/bin/kisd u:object_r:kisd_exec:s0 + +/(vendor|system/vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0 +/(vendor|system/vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0 +/(vendor|system/vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0 +/(vendor|system/vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0 +/(vendor|system/vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0 +/(vendor|system/vendor)/bin/factory u:object_r:factory_exec:s0 +/(vendor|system/vendor)/bin/conninfra_loader u:object_r:conninfra_loader_exec:s0 + +/(vendor|system/vendor)/bin/mnld u:object_r:mnld_exec:s0 +/(vendor|system/vendor)/bin/gbe u:object_r:gbe_native_exec:s0 +/(vendor|system/vendor)/bin/fpsgo u:object_r:fpsgo_native_exec:s0 +/(vendor|system/vendor)/bin/xgff_test u:object_r:xgff_test_native_exec:s0 + +/(vendor|system/vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.1-service-mediatek u:object_r:mtk_hal_gnss_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service\.mediatek u:object_r:mtk_hal_gnss_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service\.mediatek u:object_r:mtk_hal_audio_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0 
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.0-service\.multihal-mediatek u:object_r:mtk_hal_sensors_exec:s0 +/(vendor|system/vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0 +/(vendor|system/vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek-lazy u:object_r:mtk_hal_light_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.mediatek u:object_r:mtk_hal_light_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.example u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.mediatek u:object_r:hal_vibrator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0 +/(vendor|system/vendor)/bin/hw/mt[0-9]+[a-z]*/camerahalserver u:object_r:mtk_hal_camera_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service-mediatek u:object_r:hal_graphics_allocator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/mt[0-9]+[a-z]*/android\.hardware\.graphics\.allocator@4\.0-service-mediatek\.mt[0-9]+[a-z]* u:object_r:hal_graphics_allocator_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2@1\.2-mediatek u:object_r:mtk_hal_c2_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2@1\.2-mediatek-64b u:object_r:mtk_hal_c2_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.mediatek 
u:object_r:mtk_hal_memtrack_exec:s0 + +# Google Trusty system files +/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 + +# MTEE keymaster4.0/4.1 system files +/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.mtee u:object_r:hal_keymaster_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.mtee u:object_r:hal_keymaster_default_exec:s0 + +# Trustonic TEE +/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service\.trustonic u:object_r:hal_keymint_default_exec:s0 + +# PQ hal +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0 + +# MMS hal +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.6-service u:object_r:mtk_hal_mms_exec:s0 + +#MMAgent hal +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mmagent@[0-9]+\.[0-9]+-service u:object_r:mtk_hal_mmagent_exec:s0 +# Keymaster Attestation Hal +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0 + +# ST NFC 1.2 hidl service +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0 + +# MTK Wifi Hal +/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-mediatek u:object_r:mtk_hal_wifi_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy-mediatek u:object_r:mtk_hal_wifi_exec:s0 + +# MTK USB hal +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatek u:object_r:mtk_hal_usb_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatekv2 u:object_r:mtk_hal_usb_exec:s0 + +# MTK OMAPI for UICC 
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0 + +# hidl process merging +/(vendor|system/vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0 + +# Date: 2019/07/16 +# hdmi hal +/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.hdmi@1\.0-service u:object_r:mtk_hal_hdmi_exec:s0 + +# BIP AP +/(vendor|system/vendor)/bin/bip_ap u:object_r:bip_ap_exec:s0 + +# Date : 2019/10/28 +# Purpose : move these contexts from plat_private/file_contexts +/vendor/bin/em_hidl u:object_r:em_hidl_exec:s0 + +# Widevine drm hal(include lazy hal) +/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0 + +# Cleaarkey hal(include lazy hal) +/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0 + +# Date: 2020/06/16 +# Operation: R migration +# Purpose: Add permission for boot control lazy HAL +/vendor/bin/hw/android\.hardware\.boot@[0-9]+\.[0-9]+-service-lazy u:object_r:hal_bootctl_default_exec:s0 + +# Date: 2020/09/25 +# Purpose: kernel modules +/vendor/bin/init\.insmod\.sh u:object_r:init_insmod_sh_exec:s0 + +# GMS requirement +/vendor/bin/chipinfo u:object_r:chipinfo_exec:s0 + +/vendor/bin/vpud u:object_r:vpud_native_exec:s0 +/vendor/bin(/mt[0-9]+)?/v3avpud(\.mt[0-9]+)? u:object_r:vpud_native_exec:s0 + +# EARA-IO +/vendor/bin/eara_io_service u:object_r:eara_io_exec:s0 + +# ccci_mdinit access vendor/etc/md file +/vendor/etc/md(/.*)? u:object_r:vendor_etc_md_file:s0 + +# AI feature access vendor/etc/nn file +/vendor/etc/nn(/.*)? u:object_r:vendor_etc_nn_file:s0 + +# Data : 2020/12/30 +# Purpose : DBReleasePlan +/vendor/bin/crossbuild(/.*)? 
u:object_r:vendor_bin_crossbuild_file:s0 +########################## +# same-process HAL files and their dependencies +# +/vendor/lib(64)?/hw/gralloc\.mt[0-9]+[a-z]*\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/gralloc\.rogue\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/mt[0-9]+[a-z]*/gralloc\.rogue\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mtk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.mali\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/mt[0-9]+/vulkan\.mali\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/mt[0-9]+/vulkan\.mtk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpudataproducer\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+\/libgpudataproducer\.so u:object_r:same_process_hal_file:s0 + + +/vendor/lib(64)?/libIMGegl\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libglslcompiler\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libsrv_um\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libmpvr\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libPVRMtkutils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libusc\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libtqvalidate\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libPVROCL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libufwriter\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libPVRTrace\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libIMGegl\.so 
u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libglslcompiler\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libsrv_um\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libmpvr\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRMtkutils\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libusc\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libtqvalidate\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVROCL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libufwriter\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libPVRTrace\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/libGLES_mali\.so u:object_r:same_process_hal_file:s0 + +/vendor/firmware/valhall-1691526.wa u:object_r:same_process_hal_file:s0 +/vendor/firmware/mali_csffw.bin u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgralloc_metadata\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgralloctypes_mtk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/arm\.graphics-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_ulit\.so 
u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/arm\.graphics-ndk_platform\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/arm\.graphics-ndk_platform\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/mt[0-9]+[a-z]*/android\.hardware\.graphics\.mapper@4\.0-impl-mediatek\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/vendor\.mediatek\.hardware\.mms@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libdpframework\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libpq_cust_base\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libpq_prot\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mt[0-9]+[a-z]*/libpq_prot\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libhdrvideo\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libscltm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libaal_mtk\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/vendor\.mediatek\.hardware\.mmagent@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/mt[0-9]+[a-z]*/libaiselector\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libaispq\.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0 + +/vendor/lib(64)?/libladder\.so u:object_r:same_process_hal_file:s0 + 
+/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libnir_neon_driver_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libcmdl_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libarmnn_ndk.mtk.vndk\.so u:object_r:same_process_hal_file:s0 + +# Date: 2018/07/06 +# Purpose for same-process HAL files and their dependencies: libGLES_mali.so need libm4u.so on mali GPU. +/vendor/lib(64)?/libm4u\.so u:object_r:same_process_hal_file:s0 + +# Date: 2018/12/04 +# Purpose: Neuron runtime API and the dependencies +/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0 + +# Date: 2019/01/21 +# Purpose: OpenCL feature requirments +/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 + +# Date: 2019/09/05 +# Purpose: GiFT related libraries +/vendor/lib(64)?/libDefaultFpsActor.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libNoFpsActor.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libFrameRecord.so u:object_r:same_process_hal_file:s0 + +# Date: 2021/07/26 +# Purpose: RayTracing related libraries +/vendor/lib(64)?/libVkLayer_mtk_rt_sdk.so u:object_r:same_process_hal_file:s0 + +########################## +# Others +# +# nvdata +/mnt/vendor/nvdata(/.*)? u:object_r:nvdata_file:s0 +/mnt/vendor/nvcfg(/.*)? u:object_r:nvcfg_file:s0 + +# protected data file +/mnt/vendor/protect_f(/.*)? u:object_r:protect_f_data_file:s0 +/mnt/vendor/protect_s(/.*)? u:object_r:protect_s_data_file:s0 +/mnt/vendor/persist(/.*)? u:object_r:persist_data_file:s0 + +# fat on nand image +/fat(/.*)? 
u:object_r:fon_image_data_file:s0
+
+# A/B system
+/enableswap.sh u:object_r:rootfs:s0
+/factory_init\..* u:object_r:rootfs:s0
+/meta_init\..* u:object_r:rootfs:s0
+/multi_init\..* u:object_r:rootfs:s0
+/dev/block/by-name/preloader_raw_a u:object_r:postinstall_block_device:s0
+/dev/block/by-name/preloader_raw_b u:object_r:postinstall_block_device:s0
+/dev/block/platform/bootdevice/by-name/preloader_raw_a u:object_r:postinstall_block_device:s0
+/dev/block/platform/bootdevice/by-name/preloader_raw_b u:object_r:postinstall_block_device:s0
+
+/postinstall/bin/mtk_plpath_utils_ota u:object_r:postinstall_file:s0
+# Custom files
+(/vendor)?/custom(/.*)? u:object_r:custom_file:s0
+
+# mdota
+/mnt/vendor/mdota(/.*)? u:object_r:mcf_ota_file:s0
+
+# Date: 2021/07/23
+# Purpose: Add permission for dcxo calibration daemon to set cap id
+/vendor/bin/dcxosetcap u:object_r:DcxoSetCap_exec:s0
+
+# Date:2021/08/05
+# Purpose: permission for audioserver to access ccci node
+/dev/ccci_aud u:object_r:ccci_aud_device:s0
+/dev/ccci_raw_audio u:object_r:ccci_aud_device:s0
+
+# Date : 2021/08/27
+# Purpose : Add permission for wifi proxy
+/dev/ccci_wifi_proxy u:object_r:ccci_wifi_proxy_device:s0
+
+# Date:2021/07/27
+# Purpose: permission for CCB user
+/dev/ccci_ccb_ctrl u:object_r:ccci_ccb_device:s0
+# Purpose: permission for md_monitor
+/dev/ccci_ccb_md_monitor u:object_r:ccci_mdmonitor_device:s0
+/dev/ccci_mdl_monitor u:object_r:ccci_mdmonitor_device:s0
+/dev/ccci_raw_mdm u:object_r:ccci_mdmonitor_device:s0
+
+# Date: 2021/09/26
+# Purpose: Add permission for vilte
+/dev/ccci_vts u:object_r:ccci_vts_device:s0
diff --git a/basic/non_plat/flashlessd.te b/basic/non_plat/flashlessd.te
new file mode 100644
index 0000000..f774721
--- /dev/null
+++ b/basic/non_plat/flashlessd.te
@@ -0,0 +1 @@
+type flashlessd, domain;
diff --git a/basic/non_plat/fm_hidl_service.te b/basic/non_plat/fm_hidl_service.te
new file mode 100644
index 0000000..1c10139
--- /dev/null
+++ b/basic/non_plat/fm_hidl_service.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type fm_hidl_service, domain;
+type fm_hidl_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(fm_hidl_service)
+
+hal_server_domain(fm_hidl_service, hal_mtk_fm)
+
+vndbinder_use(fm_hidl_service)
+
+allow fm_hidl_service fm_device:chr_file rw_file_perms;
+
+binder_call(fm_hidl_service, system_server)
diff --git a/basic/non_plat/fpsgo_native.te b/basic/non_plat/fpsgo_native.te
new file mode 100644
index 0000000..a2feb46
--- /dev/null
+++ b/basic/non_plat/fpsgo_native.te
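Review bot: In fm_hidl_service.te, `vndbinder_use(fm_hidl_service)` and `binder_call(fm_hidl_service, system_server)` carry no comment naming the interface that needs them, although the domain is already set up as a HAL server by `hal_server_domain(fm_hidl_service, hal_mtk_fm)`. If the daemon only serves its HAL clients, the vndbinder grant may be unused and could be dropped once no denial is observed; that cannot be confirmed from this hunk. Where the grants are required, a line such as `# vndbinder: used to reach <vendor service> for <purpose>` above each one would let a later audit check that the permission is still needed.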
@@ -0,0 +1,52 @@
+# ==============================================
+# Policy File of /vendor/bin/fpsgo Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fpsgo_native_exec, exec_type, file_type, vendor_file_type;
+type fpsgo_native, domain, mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(fpsgo_native)
+
+allow fpsgo_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow fpsgo_native sysfs_boot_mode:file r_file_perms;
+hal_client_domain(fpsgo_native, hal_power)
+allow fpsgo_native proc_perfmgr:dir r_dir_perms;
+allow fpsgo_native proc_perfmgr:file rw_file_perms;
+
+allow fpsgo_native audioserver:process setsched;
+allow fpsgo_native dumpstate:process setsched;
+allow fpsgo_native hal_graphics_allocator_default:process setsched;
+allow fpsgo_native init:process setsched;
+allow fpsgo_native logd:process setsched;
+allow fpsgo_native mediaserver:process setsched;
+allow fpsgo_native mediaswcodec:process setsched;
+allow fpsgo_native mediaextractor:process setsched;
+allow fpsgo_native mtk_hal_audio:process setsched;
+allow fpsgo_native mtk_hal_sensors:process setsched;
+allow fpsgo_native mtk_hal_c2:process setsched;
+allow fpsgo_native mtk_hal_gnss:process setsched;
+allow fpsgo_native mtk_hal_power:process setsched;
+allow fpsgo_native netd:process setsched;
+allow fpsgo_native platform_app:process setsched;
+allow fpsgo_native priv_app:process setsched;
+allow fpsgo_native radio:process setsched;
+allow fpsgo_native self:capability sys_nice;
+allow fpsgo_native servicemanager:process setsched;
+allow fpsgo_native surfaceflinger:process setsched;
+allow fpsgo_native system_app:process setsched;
+allow fpsgo_native system_server:process setsched;
+allow fpsgo_native untrusted_app_all:process setsched;
+allow fpsgo_native vpud_native:process setsched;
+allow fpsgo_native wificond:process setsched;
+
+
+
+
+allowxperm fpsgo_native proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_GET_CMD
+};
diff --git a/basic/non_plat/fsck.te b/basic/non_plat/fsck.te
new file mode 100644
index 0000000..7ba0876
--- /dev/null
+++ b/basic/non_plat/fsck.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.29
+# Operation : Migration
+# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices.
+allow fsck protect1_block_device:blk_file rw_file_perms;
+allow fsck protect2_block_device:blk_file rw_file_perms;
+allow fsck nvdata_device:blk_file rw_file_perms;
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck nvcfg_block_device:blk_file rw_file_perms;
+allow fsck odm_block_device:blk_file rw_file_perms;
+allow fsck oem_block_device:blk_file rw_file_perms;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow fsck system_block_device:blk_file getattr;
diff --git a/basic/non_plat/fuelgauged.te b/basic/non_plat/fuelgauged.te
new file mode 100644
index 0000000..a7dbfb0
--- /dev/null
+++ b/basic/non_plat/fuelgauged.te
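Review bot: In fpsgo_native.te, `type fpsgo_native, domain, mlstrustedsubject;` exempts the daemon from MLS constraints without a stated reason, and the rules that follow grant `process setsched` over `init`, `logd`, `servicemanager`, `system_server` and `untrusted_app_all` together with `self:capability sys_nice`. Taken together, a fault in this one vendor daemon could reprioritise or starve core system processes, so each target should be backed by an observed denial rather than listed up front. I would put the reason above the type line, for example `# mlstrustedsubject: setsched on app processes that run with per-app MLS categories` if that is the actual need (not confirmable from this hunk), and remove targets such as `init` and `logd` unless they are shown to be required. The `allowxperm` rule limiting the `proc_perfmgr` ioctl to `PERFMGR_FPSGO_GET_CMD` is the narrow form and should stay.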
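Review bot: In fsck.te, the WK15.29 purpose comment names protect1/protect2/nvdata/persist/nvcfg, but the rule group also gives fsck `rw_file_perms` on `odm_block_device` and `oem_block_device`, which the comment does not cover. Write access to those two partitions should be justified separately, since they presumably hold vendor images rather than mutable data; if fsck only needs to inspect them, `allow fsck odm_block_device:blk_file r_file_perms;` and the same for `oem_block_device` is the narrower grant. If write access is really needed, extend the comment to `# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg/odm/oem block devices.` so the grant stays traceable.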
@@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /vendor/bin/fuelgauged Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged, domain;
+type fuelgauged_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : Fuel Gauge daemon for access driver node
+allow fuelgauged input_device:dir rw_dir_perms;
+allow fuelgauged input_device:file r_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For meta tool calibration
+allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg.log can be printed with kernel log
+allow fuelgauged kmsg_device:chr_file w_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For fg daemon can comminucate with kernel
+allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
+allow fuelgauged self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+# Data : WK16.39
+allow fuelgauged self:capability { chown fsetid };
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow fuelgauged kernel:system module_request;
+
+# Date: W18.03
+# Operation : change fuelgagued access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+allow fuelgauged nvcfg_file:dir create_dir_perms;
+allow fuelgauged nvcfg_file:file create_file_perms;
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged, sysfs_batteryinfo)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged mnt_vendor_file:dir search;
+
diff --git a/basic/non_plat/fuelgauged_nvram.te b/basic/non_plat/fuelgauged_nvram.te
new file mode 100644
index 0000000..9114614
--- /dev/null
+++ b/basic/non_plat/fuelgauged_nvram.te
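Review bot: `allow fuelgauged self:capability { chown fsetid };` in fuelgauged.te carries only a date, and the same grant in fuelgauged_nvram.te is justified by `Change from /data to /cache`, a location the W18.03 block in both files says was later replaced by nvcfg. If neither daemon still creates files that need re-owning, both capability rules can be dropped; otherwise each should get a Purpose line naming the path that is chowned. Separately, `allow fuelgauged kernel:system module_request;` is explained only as `Add for A/B system`, which does not say which module load is expected. If the denial comes from nothing more than a socket-family probe, `dontaudit fuelgauged kernel:system module_request;` would be the narrower rule.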
@@ -0,0 +1,56 @@
+# ==============================================
+# Policy File of /vendor/bin/fuelgauged_nvram Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type fuelgauged_nvram, domain;
+type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(fuelgauged_nvram)
+
+# Data : WK16.21
+# Operation : New Feature
+# Purpose : For fg daemon can do nvram r/w to save car_tune_value
+allow fuelgauged_nvram nvdata_file:dir rw_dir_perms;
+allow fuelgauged_nvram nvdata_file:file create_file_perms;
+allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;
+allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;
+
+# Data : W16.43
+# Operation : New Feature
+# Purpose : Change from /data to /cache
+allow fuelgauged_nvram self:capability { chown fsetid };
+allow fuelgauged_nvram kmsg_device:chr_file w_file_perms;
+
+# Data : W17.34
+# Operation : New Feature
+# Purpose : fgauge_nvram could use IOCTL
+allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: W18.03
+# Operation : change fuelgagued_nvram access from cache to nvcfg
+# Purpose : add fuelgauged to nvcfg read write permit
+# need add label
+allow fuelgauged_nvram nvcfg_file:dir create_dir_perms;
+allow fuelgauged_nvram nvcfg_file:file create_file_perms;
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add fuelgauged could access
+r_dir_file(fuelgauged_nvram, sysfs_batteryinfo)
+
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow fuelgauged_nvram mnt_vendor_file:dir search;
+
+allow fuelgauged_nvram sysfs_boot_mode:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(fuelgauged_nvram)
diff --git a/basic/non_plat/gbe_native.te b/basic/non_plat/gbe_native.te
new file mode 100644
index 0000000..7374da1
--- /dev/null
+++ b/basic/non_plat/gbe_native.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /vendor/bin/gbe Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type gbe_native_exec, exec_type, file_type, vendor_file_type;
+type gbe_native, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(gbe_native)
+
+allow gbe_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+set_prop(gbe_native, vendor_mtk_gbe_prop)
+allow gbe_native sysfs_boot_mode:file r_file_perms;
+hal_client_domain(gbe_native, hal_power)
+allow gbe_native proc_perfmgr:dir r_dir_perms;
+allow gbe_native proc_perfmgr:file rw_file_perms;
+allowxperm gbe_native proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_GBE_GET_CMD
+};
diff --git a/basic/non_plat/genfs_contexts b/basic/non_plat/genfs_contexts
new file mode 100644
index 0000000..c9b37e6
--- /dev/null
+++ b/basic/non_plat/genfs_contexts
@@ -0,0 +1,674 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +########################## +# proc files +# +genfscon proc /blocktag/blockio u:object_r:procfs_blockio:s0 +genfscon proc /blocktag/eara_io u:object_r:proc_earaio:s0 +genfscon proc /driver/thermal u:object_r:proc_thermal:s0 +genfscon proc /thermlmt u:object_r:proc_thermal:s0 +genfscon proc /fps_tm u:object_r:proc_thermal:s0 +genfscon proc /wmt_tm u:object_r:proc_thermal:s0 +genfscon proc /mobile_tm u:object_r:proc_thermal:s0 +genfscon proc /bcctlmt u:object_r:proc_thermal:s0 +genfscon proc /battery_status u:object_r:proc_thermal:s0 +genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0 +genfscon proc /mtktz u:object_r:proc_mtktz:s0 +genfscon proc /lk_env u:object_r:proc_lk_env:s0 +genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0 +genfscon proc /driver/icusb u:object_r:proc_icusb:s0 +genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0 +genfscon proc /mtd u:object_r:proc_mtd:s0 +genfscon proc /ged u:object_r:proc_ged:s0 +genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0 +genfscon proc /perfmgr u:object_r:proc_perfmgr:s0 +genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0 +genfscon proc /zraminfo u:object_r:proc_zraminfo:s0 +genfscon proc /gpulog u:object_r:proc_gpulog:s0 +genfscon proc /gpufreqv2 u:object_r:proc_gpufreqv2:s0 +genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0 +genfscon proc /sched_debug u:object_r:proc_sched_debug:s0 +genfscon proc /chip u:object_r:proc_chip:s0 +genfscon proc /atf_log u:object_r:proc_atf_log:s0 +genfscon proc /gz_log u:object_r:proc_gz_log:s0 +genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0 +genfscon proc /bootprof u:object_r:proc_bootprof:s0 +genfscon proc /mtprintk u:object_r:proc_mtprintk:s0 +genfscon proc /pl_lk u:object_r:proc_pl_lk:s0 +genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0 +genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0 
+genfscon proc /pidmap u:object_r:proc_pidmap:s0 +genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0 +genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0 +genfscon proc /mtk_cmdq_debug/record u:object_r:proc_cmdq_debug:s0 +genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0 +genfscon proc /sys/kernel/panic_on_rcu_stall u:object_r:proc_panic_on_rcu_stall:s0 + +# Purpose dump not exit file +genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0 +genfscon proc /isp_p2/isp_p2_kedump u:object_r:proc_isp_p2_kedump:s0 +genfscon proc /mali/memory_usage u:object_r:proc_memory_usage:s0 +genfscon proc /mtk_mali/gpu_memory u:object_r:proc_gpu_memory:s0 +genfscon proc /mtk_es_reg_dump u:object_r:proc_mtk_es_reg_dump:s0 + +# Date : 2018/11/01 +# Purpose : mtk EM c2k bypass read usb file +genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0 + +# Date : WK19.27 +# Purpose: Android Migration for SVP +genfscon proc /m4u u:object_r:proc_m4u:s0 + +genfscon proc /driver/wmt_aee u:object_r:proc_wmt_aee:s0 + +genfscon proc /ccci_dump u:object_r:proc_ccci_dump:s0 +genfscon proc /log_much u:object_r:proc_log_much:s0 +genfscon proc /ccci_sib u:object_r:proc_ccci_sib:s0 + +# Purpose: get input devices +genfscon proc /bus/input/devices u:object_r:proc_bus_input:s0 + +# 2019/09/05 +# Purpose: Allow powerhal to control kernel resources +genfscon proc /ppm u:object_r:proc_ppm:s0 +genfscon proc /cpufreq u:object_r:proc_cpufreq:s0 +genfscon proc /hps u:object_r:proc_hps:s0 +genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0 +genfscon proc /fliperfs u:object_r:proc_fliperfs:s0 + +# Date : 2019/10/11 +# Purpose : allow system_server to access /proc/wlan/status for Q Migration +genfscon proc /wlan/status u:object_r:proc_wlan_status:s0 + +genfscon sysfs /devices/platform/11015000.i2c9/i2c-9/9-0041/reset_dsp u:object_r:sysfs_reset_dsp:s0 +genfscon sysfs /bus/platform/drivers/smartpainfo/chip_vendor u:object_r:sysfs_chip_vendor:s0 +genfscon sysfs 
/bus/platform/drivers/smartpainfo/pa_num u:object_r:sysfs_pa_num:s0 + +# 2019/11/14 +# Purpose: Allow powerhal to control MCDI +genfscon proc /cpuidle u:object_r:proc_cpuidle:s0 + +# Date : 2019/12/10 +# Purpose: Allow bt process or tool to control bt_dbg +genfscon proc /driver/bt_dbg u:object_r:proc_btdbg:s0 + +# Date : WK20.03 +# Purpose: Allow mtk_hal_neuralnetworks to read chip id and segment code +# /proc/device-tree/chosen/atag,chipid is linked to +genfscon proc /device-tree/chosen/atag,devinfo u:object_r:proc_devinfo:s0 + +# 2020/06/12 +# Operation: R migration +# Purpose: Allow powerhal to control displowpower +genfscon proc /displowpower u:object_r:proc_displowpower:s0 + +# 2020/06/29 +# Operation: R migration +# Purpose: Add permission for access /proc/ion/* +genfscon proc /ion u:object_r:proc_ion:s0 + +# 2020/07/01 +# Operation: R migration +# Purpose: Add permission for access /proc/m4u_dbg/* +genfscon proc /m4u_dbg u:object_r:proc_m4u_dbg:s0 + +genfscon proc /mtkfb u:object_r:proc_mtkfb:s0 + +# 2020/07/07 +# Operation: R migration +# Purpose: Add permission for access /proc/pvr/* +genfscon proc /pvr u:object_r:procfs_gpu_img:s0 + +# Date : 2020/07/08 +# Purpose: add permission for /proc/sys/vm/swappiness +genfscon proc /sys/vm/swappiness u:object_r:proc_swappiness:s0 + +# Date : 2020/08/05 +# Purpose: add permission for /proc/driver/wmt_user_proc +genfscon proc /driver/wmt_user_proc u:object_r:proc_wmtuserproc:s0 + +# Date : 2020/09/18 +# Purpose: add permission for /proc/mcdi/ +genfscon proc /mcdi/ u:object_r:proc_mcdi:s0 + +# Date : 2020/12/23 +# Purpose: Add permission for /proc/driver/conninfra_dbg +genfscon proc /driver/conninfra_dbg u:object_r:proc_conninfradbg:s0 + +# Date : 2021/04/20 +# Purpose : write /proc/sys/vm/watermark_scale_factor +genfscon proc /sys/vm/watermark_scale_factor u:object_r:proc_watermark_scale_factor:s0 + +# Data : 2021/4/21 +# Purpose : read/write /proc/mtk_usb, /proc/mtk_typec +genfscon proc /mtk_usb 
u:object_r:proc_usb_plat:s0 +genfscon proc /mtk_typec u:object_r:proc_usb_plat:s0 + +# Date 2021/05/10 +# Purpose : init the default value before bootup +genfscon proc /sys/kernel/sched_migration_cost_ns u:object_r:proc_sched_migration_cost_ns:s0 + +# 2021/8/25 +# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode +genfscon proc /cpuhvfs/cpufreq_cci_mode u:object_r:proc_cpuhvfs:s0 + +# Date : 2021/11/12 +# Purpose : write /proc/sys/vm/watermark_boost_factor +genfscon proc /sys/vm/watermark_boost_factor u:object_r:proc_watermark_boost_factor:s0 + +########################## +# sysfs files +# +genfscon sysfs /bus/platform/drivers/mtk-kpd u:object_r:sysfs_keypad_file:s0 +genfscon sysfs /power/vcorefs/pwr_ctrl u:object_r:sysfs_vcorefs_pwrctrl:s0 +genfscon sysfs /power/dcm_state u:object_r:sysfs_dcm:s0 +genfscon sysfs /power/mtkdcs/mode u:object_r:sysfs_dcs:s0 +genfscon sysfs /power/mtkpasr/execstate u:object_r:sysfs_execstate:s0 +genfscon sysfs /mtk_ssw u:object_r:sysfs_ssw:s0 +genfscon sysfs /devices/soc0 u:object_r:sysfs_soc:s0 + +genfscon sysfs /kernel/mm/mlog/dump u:object_r:sysfs_mm:s0 + +genfscon sysfs /bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0 +genfscon sysfs /bus/platform/drivers/meta_com_type_info/meta_com_type_info u:object_r:sysfs_comport_type:s0 +genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:object_r:sysfs_uart_info:s0 + +genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0 +genfscon sysfs /devices/platform/charger/Charger_Config u:object_r:sysfs_chg_cfg:s0 +genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0 +genfscon sysfs /devices/platform/charger/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11d04000.i2c8/i2c-8/8-0055/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs 
/devices/platform/11d04000.i2c8/i2c-8/8-0055/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/present u:object_r:sysfs_chg2_present:s0 +genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/11cb1000.i2c:mt6375@34:mt6375_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11016000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-5/5-0034/mt6360_chg.1.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11f00000.i2c/i2c-5/5-0034/mt6360_chg.2.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/11cb1000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:chg/power_supply/ 
u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-0034/11017000.i2c:mt6375@34:chg/power_supply/ u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/mt6360_chg.3.auto/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/rtc 
u:object_r:sysfs_rtc:s0 +genfscon sysfs /class/typec u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/mt_usb/musb-hdrc/dual_role_usb u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/cmode u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/usb0/cmode u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/mt_usb/musb-hdrc/usb2 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/usb2 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/usb0/11200000.xhci0/usb3 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/soc/11201000.usb0/11200000.xhci0/usb3 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb3_xhci/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/mt_usb/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/11201000.mtu3_0/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/11201000.usb3/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/11270000.usb3/musb-hdrc/udc/musb-hdrc u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs 
/devices/platform/soc/11201000.usb0/udc/11201000.usb0 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb0/udc/usb0 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb0/11200000.xhci0/usb1 u:object_r:sysfs_usb_nonplat:s0 +genfscon sysfs /devices/platform/usb0/11200000.xhci0/usb2 u:object_r:sysfs_usb_nonplat:s0 + +genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0 +genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0 + +genfscon sysfs /devices/virtual/misc/md32 u:object_r:sysfs_md32:s0 +genfscon sysfs /devices/virtual/misc/scp u:object_r:sysfs_scp:s0 +genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0 +genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0 +genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0 +genfscon sysfs /devices/virtual/misc/adsp_0 u:object_r:sysfs_adsp:s0 +genfscon sysfs /devices/virtual/misc/adsp_1 u:object_r:sysfs_adsp:s0 +genfscon sysfs /devices/virtual/misc/vcp u:object_r:sysfs_vcp:s0 + +# Date : 2019/09/12 +genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0 +genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0 +genfscon sysfs /kernel/thermal u:object_r:sysfs_thermal_sram:s0 +genfscon sysfs /kernel/charger_cooler u:object_r:sysfs_charger_cooler:s0 + +genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0 + +genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0 + +genfscon sysfs /firmware/devicetree/base/chosen/aee,enable u:object_r:sysfs_aee_enable:s0 + +genfscon sysfs /kernel/ccci u:object_r:sysfs_ccci:s0 + +# Date : 2018/06/15 +# Purpose : mtk EM touchscreen settings +genfscon sysfs /module/tpd_setting u:object_r:sysfs_tpd_setting:s0 +genfscon sysfs /power/vcorefs/vcore_debug u:object_r:sysfs_vcore_debug:s0 +genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0 + +# Date: 2018/08/09 +# Purpose : MTK 
Vibrator +genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/soc/soc:regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/soc/soc:pwm_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/soc/soc:mtk_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/mtk_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/i2c_leds/leds/lcd-backlight u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/regulator_vibrator/leds/vibrator u:object_r:sysfs_vibrator:s0 +genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/pwmleds/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/disp_leds/leds u:object_r:sysfs_leds:s0 +genfscon sysfs /devices/platform/11f00000.i2c6/i2c-6/6-0011/leds/lcd-backlight u:object_r:sysfs_leds:s0 + +# Date : 2018/11/22 +# Purpose: allow mdlogger to read mdinfo file +genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0 + +# Date : 2019/07/03 +# Purpose: SIU update sysfs_devices_block access for emmc and ufs +genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/wp_grp_size u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb 
u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc2 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0 +genfscon sysfs 
/devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc61 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc2 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc15 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc33 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc43 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc53 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc/sdc61 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/112b0000.ufshci/host0/scsi_host/host0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11230000.mmc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11230000.msdc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11240000.mmc/mmc_host/mmc0/mmc0:aaaa/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11240000.mmc/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs 
/devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/11270000.ufshci/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_devices_block:s0 + +# Date : 2019/07/12 +# Purpose:dumpstate mmcblk1 access +genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0 +genfscon sysfs /devices/platform/soc/11240000.mmc/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0 + +# Date : 2019/09/16 +# Purpose : mtk factory fingerprint settings +genfscon sysfs /module/gf_spi_tee u:object_r:sysfs_gf_spi_tee:s0 + +# Date : 2019/10/22 +# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo +genfscon sysfs /module/mrdump/version u:object_r:sysfs_mrdump:s0 +genfscon sysfs /kernel/mrdump_version u:object_r:sysfs_mrdump:s0 +genfscon sysfs /firmware/devicetree/base/chosen/mrdump,lk u:object_r:sysfs_mrdump:s0 +genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump:s0 +genfscon sysfs /firmware/devicetree/base/memory/reg u:object_r:sysfs_memory:s0 +genfscon sysfs /firmware/devicetree/base/memory@0x40000000/reg u:object_r:sysfs_memory:s0 + +# mtk APUSYS information reading +genfscon sysfs /devices/virtual/misc/apusys/queue u:object_r:sysfs_apusys_queue:s0 + +# 2019/08/24 +genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0 +genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0 + +# MTEE trusty +genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0 + +# 2019/09/05 +# Purpose: Allow powerhal to control kernel resources +genfscon sysfs /module/ged u:object_r:sysfs_ged:s0 +genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0 +genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0 +genfscon 
sysfs /module/xgf u:object_r:sysfs_xgf:s0 +genfscon sysfs /module/mtk_fpsgo u:object_r:sysfs_mtk_fpsgo:s0 +genfscon sysfs /module/mtk_core_ctl u:object_r:sysfs_mtk_core_ctl:s0 + +# 2019/09/05 +# Purpose: Allow powerhal to control cache audit +genfscon sysfs /module/cache_ctrl u:object_r:sysfs_cache_ctrl:s0 +genfscon sysfs /module/pftch_qos u:object_r:sysfs_pftch_qos:s0 + +# 2019/09/19 +# Purpose: Allow powerhal to trigger task-turbo +genfscon sysfs /module/task_turbo u:object_r:sysfs_task_turbo:s0 + +# Date : 2019/09/23 +# Operation: SQC +# Purpose : Allow powerHAL to control touch boost +genfscon sysfs /devices/platform/mtk-tpd2.0/change_rate u:object_r:sysfs_change_rate:s0 + +# Date : 2019/10/16 +# Operation: SQC +# Purpose : Allow powerHAL to control /sys/fs/ext4/xxx/disable_barrier +genfscon sysfs /fs/ext4/sdc46/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0 +genfscon sysfs /fs/ext4/sdc47/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0 +genfscon sysfs /fs/ext4/sdc48/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0 +genfscon sysfs /fs/ext4/dm-6/disable_barrier u:object_r:sysfs_ext4_disable_barrier:s0 + +# Date : WK19.38 +# Purpose: Android Migration for video codec driver +genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0 + +# Date : 2019/10/11 +# Purpose : allow system_server to access /sys/kernel/mm/ksm/pages_xxx +genfscon sysfs /kernel/mm/ksm/pages_shared u:object_r:sysfs_pages_shared:s0 +genfscon sysfs /kernel/mm/ksm/pages_sharing u:object_r:sysfs_pages_sharing:s0 +genfscon sysfs /kernel/mm/ksm/pages_unshared u:object_r:sysfs_pages_unshared:s0 +genfscon sysfs /kernel/mm/ksm/pages_volatile u:object_r:sysfs_pages_volatile:s0 + +# Date : 2019/10/25 +# Purpose : /proc/device-tree/chosen/atag,chipid or /sysfs/firmware/devicetree/base/chosen/atag,chipid +genfscon sysfs /firmware/devicetree/base/chosen/atag,chipid u:object_r:sysfs_chipid:s0 + +# Date : 2019/10/18 +# Purpose : allow system_server to 
access rt5509 param and calib node +genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_param.0 u:object_r:sysfs_rt_param:s0 +genfscon sysfs /devices/platform/1100f000.i2c3/i2c-3/3-0034/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0 + +# Date : 2020/07/10 +# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/* +genfscon sysfs /bus/platform/drivers/emi_ctrl/concurrency_scenario u:object_r:sysfs_emi_ctrl_concurrency_scenario:s0 + +# Date : 2019/12/12 +# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* +genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0 + +# Date : WK20.07 +# Operation: R migration +# Purpose : Add permission for new device node. +genfscon sysfs /firmware/devicetree/base/chosen/atag,meta u:object_r:sysfs_meta_info:s0 + +genfscon sysfs /bus/platform/drivers/cache_parity/cache_status u:object_r:sysfs_cache_status:s0 +genfscon sysfs /bus/platform/drivers/cache_parity/status u:object_r:sysfs_cache_status:s0 + +# Date : WK20.17 +# Purpose: Allow powerhal to control ged hal +genfscon sysfs /kernel/ged u:object_r:sysfs_ged:s0 + +# Date : WK20.19 +# Purpose: Allow powerhal to control fpsgo +genfscon sysfs /kernel/fpsgo u:object_r:sysfs_fpsgo:s0 + +# Date : WK20.23 +# Purpose: Allow powerhal to control gbe +genfscon sysfs /kernel/gbe u:object_r:sysfs_gbe:s0 + +# Date : 2020/06/12 +# Purpose : Allow powerhal to control mali power policy +genfscon sysfs /class/misc/mali0/device/power_policy u:object_r:sysfs_mali_power_policy:s0 +genfscon sysfs /devices/platform/13000000.mali/power_policy u:object_r:sysfs_mali_power_policy:s0 + +# Date : WK20.25 +# Operation: R migration +# Purpose : for VTS NetdSELinuxTest.CheckProperMTULabels requirement. 
+genfscon sysfs /devices/platform/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/soc/18000000.wifi/net/wlan1/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.WIFI/net/p2p0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.wifi/net/wlan0/mtu u:object_r:sysfs_net:s0 +genfscon sysfs /devices/platform/bus/180f0000.wifi/net/p2p0/mtu u:object_r:sysfs_net:s0 + +# Date : 2020/07/02 +# Purpose : mtk nanohub sensor state detect +genfscon sysfs /bus/platform/drivers/mtk_nanohub/state u:object_r:sysfs_mtk_nanohub_state:s0 + +# Date : 2020/07/13 +# Purpose : Add permission for access dvfsrc dbg sysfs +genfscon sysfs /devices/platform/10012000.dvfsrc/helio-dvfsrc u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/1c00f000.dvfsrc/1c00f000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-debug u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-up u:object_r:sysfs_dvfsrc_dbg:s0 +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/10012000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0 
+genfscon sysfs /devices/platform/soc/1c00f000.dvfsrc/1c00f000.dvfsrc:dvfsrc-helper u:object_r:sysfs_dvfsrc_dbg:s0 + + +# Date : 2020/07/31 +# Purpose: add permission for /sys/kernel/apusys/ +genfscon sysfs /kernel/apusys/ u:object_r:sysfs_apusys:s0 + +# Date : WK20.33 +# Operation: R migration +# Purpose: Add permission for access aux_adc +genfscon sysfs /bus/platform/drivers/mt6577-auxadc u:object_r:sys_mt6577_auxadc:s0 +genfscon sysfs /devices/platform/11001000.auxadc/iio:device2 u:object_r:sys_mt6577_auxadc:s0 + +# Date : 2020/08/11 +# Purpose : For kernel 4.14 platforms, allow system_server to access rt5509 param and calib node +genfscon sysfs /devices/platform/rt5509_param.0 u:object_r:sysfs_rt_param:s0 +genfscon sysfs /devices/virtual/rt5509_cal/rt5509.0 u:object_r:sysfs_rt_calib:s0 + +# Date : 2020/08/19 +# Purpose : Add permission for access dvfsrc dbg sysfs +genfscon sysfs /devices/platform/soc/10012000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0 +genfscon sysfs /devices/platform/10012000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0 +genfscon sysfs /devices/platform/1c00f000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0 +genfscon sysfs /devices/platform/soc/1c00f000.dvfsrc/mtk-dvfsrc-devfreq/devfreq/mtk-dvfsrc-devfreq u:object_r:sysfs_dvfsrc_devfreq:s0 + +# Date : 2020/08/21 +# Purpose : allow aee_aedv to access /sys/bus/platform/drivers/systracker node +genfscon sysfs /bus/platform/drivers/systracker u:object_r:sysfs_systracker:s0 + +# Date : 2020/09/03 +# Purpose: mtk MMQoS set camera max BW +genfscon sysfs /devices/platform/soc/soc:interconnect/mmqos_hrt/camera_max_bw u:object_r:sysfs_camera_max_bw:s0 +genfscon sysfs /devices/platform/interconnect/mmqos_hrt/camera_max_bw u:object_r:sysfs_camera_max_bw_v2:s0 + +# Date : 2020/06/15 +# Purpose: mtk MMQoS scen change +genfscon sysfs 
/devices/platform/soc/soc:interconnect/mmqos_hrt/mtk_mmqos_scen u:object_r:sysfs_mtk_mmqos_scen:s0 +genfscon sysfs /devices/platform/interconnect/mmqos_hrt/mtk_mmqos_scen u:object_r:sysfs_mtk_mmqos_scen_v2:s0 + +# Date : 2020/09/29 +# Purpose: add permission for /sys/kernel/eara_thermal/ +genfscon sysfs /kernel/eara_thermal/ u:object_r:sysfs_eara_thermal:s0 + +# Date : 2021/3/12 +# Purpose : Allow powerhal to control mali power onoff +genfscon sysfs /class/misc/mali0/device/pm_poweroff u:object_r:sysfs_mali_poweroff:s0 +genfscon sysfs /devices/platform/13000000.mali/pm_poweroff u:object_r:sysfs_mali_poweroff:s0 + +# Date: 2021/05/28 +# Purpose: allow DcxoSetCap set dcxo calibration +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/dcxo_board_offset u:object_r:sysfs_dcxo:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/nvram_board_offset u:object_r:sysfs_dcxo:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:mt6357-pmic/mt6357-dcxo/dcxo_capid u:object_r:sysfs_dcxo:s0 +genfscon sysfs /power/clk_buf/ u:object_r:sysfs_dcxo:s0 + +# Date : 2021/06/04 +# Purpose: Allow mobile log to read apusysy log +genfscon proc /apusys_logger/seq_logl u:object_r:proc_apusys_up_seq_logl:s0 + +# labeling sysfs wakeup files to avoid sepolicy violation +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-charger-type-detection/power_supply/mtk_charger_type/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/power_supply/mtk-gauge/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6397-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt6359-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/power_supply/mtk-gauge/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt635x-auxadc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:chg/power_supply/10027000.spmi:mt6362@9:chg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:tcpc/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/10027000.spmi:mt6362@9:tcpc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-09/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/mt6370_pmu_charger/power_supply/mt6370_pmu_charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon 
sysfs /devices/platform/11016000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11016000.i2c5/i2c-5/5-004e/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11201000.mtu3_0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11201000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11cb0000.i2c3/i2c-3/3-0018/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11d00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.3.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11e01000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-0034/mt6360_pmu_chg.2.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11f00000.i2c5/i2c-5/5-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/11f00000.i2c5/i2c-5/5-004e/tcpc/type_c_port0/dual-role-type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/15004000.ispsys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/15020000.imgsys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/battery/power_supply/ac/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/battery/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/battery/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/charger/power_supply/mtk-master-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/charger/power_supply/mtk-slave-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt_charger/power_supply/ac/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt_charger/power_supply/charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt_charger/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt_charger/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mtk_lpm/mtk_cpuidle_pm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/mt-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1000f000.pwrap/1000f000.pwrap:mt6392/mt6397-rtc/rtc/rtc0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1000f000.pwrap/1000f000.pwrap:mt6392/mt6397-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/11201000.usb0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/power_supply/mt6360_chg.1.auto/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/mt6360_chg.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-0034/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-004e/tcpc/type_c_port0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/11e00000.i2c/i2c-7/7-004e/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/15020000.imgsys_config/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/18002000.consys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1a000000.camisp_legacy/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/mt_usb/musb-hdrc/dual_role_usb/dual-role-usb20/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/soc:mfgsys-async/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/trusty/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/misc/alarm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/atc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/data/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/dummy0/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/dummy1/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/dummy2/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/ets/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/gps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/usb_rawbulk/pcv/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/virtual/wakeup/wakeup 
u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1f000000.mdp/wakeup/wakeup2/event_count u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/soc/1f000000.mdp/wakeup/wakeup2 u:object_r:sysfs_wakeup:s0 + +# allow gpu to set dbg +genfscon sysfs /disp/dbg1 u:object_r:sysfs_gpu:s0 +genfscon sysfs /disp/dbg2 u:object_r:sysfs_gpu:s0 +genfscon sysfs /disp/dbg3 u:object_r:sysfs_gpu:s0 + +# Purpose: Add permission for /sys/devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/vpd_pg80 +genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/vpd_pg80 u:object_r:sysfs_vpd:s0 + +# Purpose: Add permission for /sys/devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/vpd_pg80 +genfscon sysfs /devices/platform/soc/11270000.ufshci/host0/target0:0:0/0:0:0:0/vpd_pg80 u:object_r:sysfs_vpd:s0 + +# RTK Device +genfscon sysfs /class/extdev_io u:object_r:sysfs_extdev:s0 + +# 2021/8/25 +# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr +genfscon sysfs /kernel/cm_mgr u:object_r:sysfs_cm_mgr:s0 + +########################## +# debugfs files +# +genfscon debugfs /displowpower u:object_r:debugfs_fb:s0 +genfscon debugfs /disp u:object_r:debugfs_fb:s0 +genfscon debugfs /dispsys u:object_r:debugfs_fb:s0 +genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0 +genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0 +genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0 +genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0 +genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0 + +########################## +# other files +# +genfscon iso9660 / u:object_r:iso9660:s0 +genfscon rawfs / u:object_r:rawfs:s0 +genfscon fuseblk / u:object_r:fuseblk:s0 + +# move from plat_private to non_plat +genfscon sysfs /firmware/devicetree/base/chosen/atag,boot u:object_r:sysfs_boot_info:s0 + +# 2021/08/24 +# Purpose: add dmabuf heap debug info for memtrack +genfscon proc /dma_heap u:object_r:proc_dmaheap:s0 + +# For CachedAppOptimizer +genfscon proc /mtk_mdp_debug 
u:object_r:proc_mtk_mdp_debug:s0
+
+# AudioManager/WiredAccessoryManager, extcon uevents
+genfscon sysfs /devices/platform/14800000.dp_tx/extcon u:object_r:sysfs_extcon:s0
+
+# dumpstate mmcblk access
+genfscon sysfs /devices/platform/soc/11230000.mmc/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+genfscon sysfs /devices/platform/soc/11240000.mmc/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
+
+# Purpose: allow otg access
+genfscon sysfs /devices/platform/soc/11201000.usb/11200000.xhci/usb1 u:object_r:sysfs_usb_nonplat:s0
+
+# Purpose: allow mgq access
+genfscon proc /mgq u:object_r:proc_mgq:s0
diff --git a/basic/non_plat/getgameserver.te b/basic/non_plat/getgameserver.te
new file mode 100644
index 0000000..97e48c3
--- /dev/null
+++ b/basic/non_plat/getgameserver.te
@@ -0,0 +1 @@
+type getgameserver, domain;
diff --git a/basic/non_plat/gpuservice.te b/basic/non_plat/gpuservice.te
new file mode 100644
index 0000000..f5ada1e
--- /dev/null
+++ b/basic/non_plat/gpuservice.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.31
+# Operation : Migration
+# Purpose : [ALPS04685294] com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements-fail
+allow gpuservice gpu_device:dir search;
diff --git a/basic/non_plat/gsm0710muxd.te b/basic/non_plat/gsm0710muxd.te
new file mode 100644
index 0000000..348285e
--- /dev/null
+++ b/basic/non_plat/gsm0710muxd.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /vendor/bin/gsm0710muxd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type gsm0710muxd, domain;
+type gsm0710muxd_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(gsm0710muxd)
+
+# Capabilities assigned for gsm0710muxd
+allow gsm0710muxd self:capability { chown fowner setuid };
+
+# Property service
+set_prop(gsm0710muxd, vendor_mtk_ctl_ril-daemon-mtk_prop)
+set_prop(gsm0710muxd, vendor_mtk_ctl_fusion_ril_mtk_prop)
+set_prop(gsm0710muxd, vendor_mtk_gsm0710muxd_prop)
+set_prop(gsm0710muxd, vendor_mtk_radio_prop)
+
+# Date: w2043
+# Allow to get AOSP property persist.radio.multisim.config
+get_prop(gsm0710muxd, radio_control_prop)
+
+# allow set muxreport control properties
+set_prop(gsm0710muxd, vendor_mtk_ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
+allow gsm0710muxd mtk_radio_device:dir rw_dir_perms;
+allow gsm0710muxd mtk_radio_device:lnk_file create_file_perms;
+allow gsm0710muxd devpts:chr_file setattr;
+allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow gsm0710muxd sysfs_ccci:dir search;
+allow gsm0710muxd sysfs_ccci:file r_file_perms;
diff --git a/basic/non_plat/hal_audio.te b/basic/non_plat/hal_audio.te
new file mode 100644
index 0000000..066e8b5
--- /dev/null
+++ b/basic/non_plat/hal_audio.te
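Review bot: In gsm0710muxd.te, `allow gsm0710muxd self:capability { chown fowner setuid };` is documented only as "Capabilities assigned for gsm0710muxd", which does not say what each capability is used for. `setuid` is granted without `setgid`, so it is worth confirming in the daemon source that it drops to an unprivileged UID after setup and does not keep root's groups. I would replace the comment with one that names the consumer of each capability, for example `# chown/fowner: set ownership of the pty links created under mtk_radio_device; setuid: drop privileges after setup (TODO confirm)`. The later `allow gsm0710muxd devpts:chr_file setattr;` covers every pty labelled devpts rather than only the ones this daemon opens and needs the same kind of justification.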
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/14
+# Operation : Migration
+# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
+hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
+
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
diff --git a/basic/non_plat/hal_bluetooth.te b/basic/non_plat/hal_bluetooth.te
new file mode 100644
index 0000000..3592bdb
--- /dev/null
+++ b/basic/non_plat/hal_bluetooth.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
diff --git a/basic/non_plat/hal_bootctl_default.te b/basic/non_plat/hal_bootctl_default.te
new file mode 100644
index 0000000..5d36ec9
--- /dev/null
+++ b/basic/non_plat/hal_bootctl_default.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_bootctl_default rootfs:file r_file_perms;
+allow hal_bootctl_default sysfs:dir r_dir_perms;
+allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
+allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;
+allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl {
+ MMC_IOCTLCMD
+ UFS_IOCTLCMD
+};
+allow hal_bootctl_default proc_cmdline:file r_file_perms;
+allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
+allow hal_bootctl_default self:capability sys_rawio;
+allow hal_bootctl_default para_block_device:blk_file rw_file_perms;
diff --git a/basic/non_plat/hal_camera.te b/basic/non_plat/hal_camera.te
new file mode 100644
index 0000000..0c24ba6
--- /dev/null
+++ b/basic/non_plat/hal_camera.te
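Review bot: In hal_bootctl_default.te, `allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;` combined with `self:capability sys_rawio` lets the boot-control HAL read and write every node labelled bootdevice_block_device, and no rule in the file has a Date/Purpose comment. The `allowxperm` whitelist already limits ioctls to `MMC_IOCTLCMD` and `UFS_IOCTLCMD`; if the HAL only issues those commands and otherwise works through `misc_sd_device` and `para_block_device`, the blk_file grant could probably shrink to `r_file_perms`, which needs checking against the HAL implementation. `allow hal_bootctl_default sysfs:dir r_dir_perms;` targets the generic sysfs label and should point at the specific labelled node instead. At minimum add a header such as `# Purpose: switch the active boot partition through MMC/UFS ioctls; sys_rawio is needed for those commands (TODO confirm)`.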
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/08/13
+# Operation : To access camera control daemon driver
+allow hal_camera mtk_ccd_device:chr_file rw_file_perms;
+
+# Date: 2020/08/13
+# Operation : To access V4L2 devices (media, video and sub devices)
+allow hal_camera mtk_v4l2_media_device:dir r_dir_perms;
+allow hal_camera mtk_v4l2_media_device:chr_file rw_file_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/hal_cas_default.te b/basic/non_plat/hal_cas_default.te
new file mode 100644
index 0000000..289fab7
--- /dev/null
+++ b/basic/non_plat/hal_cas_default.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/08/14
+# Operation : O1 Migration
+# Purpose : hal_cas_default needs to use vendor binder to communicate
+vndbinder_use(hal_cas_default)
+
diff --git a/basic/non_plat/hal_drm_clearkey.te b/basic/non_plat/hal_drm_clearkey.te
new file mode 100644
index 0000000..3bcb375
--- /dev/null
+++ b/basic/non_plat/hal_drm_clearkey.te
@@ -0,0 +1,17 @@
+# ==============================================
+# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
+
+vndbinder_use(hal_drm_clearkey)
+
+allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/basic/non_plat/hal_drm_default.te b/basic/non_plat/hal_drm_default.te
new file mode 100644
index 0000000..fd7b4a2
--- /dev/null
+++ b/basic/non_plat/hal_drm_default.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+vndbinder_use(hal_drm_default)
+
+allow hal_drm_default debugfs_tracing:file w_file_perms;
+allow hal_drm_default debugfs_ion:dir search;
diff --git a/basic/non_plat/hal_drm_widevine.te b/basic/non_plat/hal_drm_widevine.te
new file mode 100644
index 0000000..0cad4e7
--- /dev/null
+++ b/basic/non_plat/hal_drm_widevine.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_drm_widevine, domain;
+type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_drm_widevine)
+
+hal_server_domain(hal_drm_widevine, hal_drm)
+
+allow hal_drm_widevine mediacodec:fd use;
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+vndbinder_use(hal_drm_widevine)
+
+hal_client_domain(hal_drm_widevine, hal_graphics_composer)
+
+allow hal_drm_widevine hal_allocator_server:fd use;
+allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
+
diff --git a/basic/non_plat/hal_gnss.te b/basic/non_plat/hal_gnss.te
new file mode 100644
index 0000000..07d7d70
--- /dev/null
+++ b/basic/non_plat/hal_gnss.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(hal_gnss)
diff --git a/basic/non_plat/hal_gnss_default.te b/basic/non_plat/hal_gnss_default.te
new file mode 100644
index 0000000..bd9bb14
--- /dev/null
+++ b/basic/non_plat/hal_gnss_default.te
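Review bot: In hal_drm_default.te, `allow hal_drm_default debugfs_tracing:file w_file_perms;` and `allow hal_drm_default debugfs_ion:dir search;` have no Date/Purpose comment, and the same tracing rule (with or without the ion one) recurs in hal_graphics_allocator_default.te, hal_graphics_composer_default.te and hal_keymaster_default.te later in this patch. Write access to debugfs_tracing reaches tracing control files, not only the marker; if the aim is just to emit trace markers, `debugfs_trace_marker` is the narrower target and, as far as I know, core policy already grants it to all domains. If the access exists for bring-up debugging, wrapping the rules in `userdebug_or_eng(` ... `)` keeps them out of user builds. Either way each rule should state which node is opened and why.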
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Communicate over a socket created by mnld process.
+allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
+allow hal_gnss_default mnld_data_file:dir create_dir_perms;
+allow hal_gnss_default mnld:unix_dgram_socket sendto;
diff --git a/basic/non_plat/hal_graphics_allocator.te b/basic/non_plat/hal_graphics_allocator.te
new file mode 100644
index 0000000..1a75285
--- /dev/null
+++ b/basic/non_plat/hal_graphics_allocator.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.13
+# Operation : Add sepolicy
+# Purpose : Add policy for gralloc HIDL
+allow hal_graphics_allocator proc_ged:file r_file_perms;
diff --git a/basic/non_plat/hal_graphics_allocator_default.te b/basic/non_plat/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..fef9261
--- /dev/null
+++ b/basic/non_plat/hal_graphics_allocator_default.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_graphics_allocator_default gpu_device:dir search;
+allow hal_graphics_allocator_default sw_sync_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default debugfs_ion:dir search;
+allow hal_graphics_allocator_default debugfs_tracing:file w_file_perms;
+allow hal_graphics_allocator_default proc_ged:file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allowxperm hal_graphics_allocator_default proc_ged:file ioctl proc_ged_ioctls;
diff --git a/basic/non_plat/hal_graphics_composer.te b/basic/non_plat/hal_graphics_composer.te
new file mode 100644
index 0000000..52e20b4
--- /dev/null
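Review bot: In hal_gnss_default.te the comment says the HAL talks over a socket created by mnld, but `allow hal_gnss_default mnld_data_file:dir create_dir_perms;` and `allow hal_gnss_default mnld_data_file:sock_file create_file_perms;` also let it create, rename and remove directories and socket files in mnld's data area. Sending to an existing datagram socket needs only `dir search` and `sock_file write` besides the `sendto` rule; if the HAL binds its own reply socket in that directory, `allow hal_gnss_default mnld_data_file:dir rw_dir_perms;` is enough and directory creation can go. Which case applies is not visible in this hunk, so the comment should state it.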
+++ b/basic/non_plat/hal_graphics_composer.te
@@ -0,0 +1,2 @@
+# allow hal_graphics_composer domain to get mtk_hal_composer_ext_hwservice
+hal_attribute_hwservice(hal_graphics_composer, mtk_hal_composer_ext_hwservice)
diff --git a/basic/non_plat/hal_graphics_composer_default.te b/basic/non_plat/hal_graphics_composer_default.te
new file mode 100644
index 0000000..81f304e
--- /dev/null
+++ b/basic/non_plat/hal_graphics_composer_default.te
@@ -0,0 +1,79 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+vndbinder_use(hal_graphics_composer_default)
+
+allow hal_graphics_composer_default proc_ged:file r_file_perms;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK17.21
+# Purpose: GPU driver required
+allow hal_graphics_composer_default sw_sync_device:chr_file rw_file_perms;
+
+# Date : W17.24
+# Purpose: GPU driver required
+allow hal_graphics_composer_default gpu_device:dir search;
+
+allow hal_graphics_composer_default debugfs_ion:dir search;
+allow hal_graphics_composer_default debugfs_tracing:file w_file_perms;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow hal_graphics_composer_default mtk_cmdq_device:chr_file r_file_perms;
+
+# Date : W17.30
+# Add for control PowerHAL
+hal_client_domain(hal_graphics_composer_default, hal_power)
+
+# Date : WK17.32
+# Operation : O Migration
+# Purpose: Allow to access property
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_pid_prop)
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_hdr_prop)
+set_prop(hal_graphics_composer_default, vendor_mtk_graphics_hwc_validate_separate_prop)
+
+# Date : WK18.03
+# Purpose: Allow to access property dev/mdp_sync
+allow hal_graphics_composer_default mtk_mdp_sync_device:chr_file r_file_perms;
+allow hal_graphics_composer_default mtk_mdp_device:chr_file r_file_perms;
+allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
+allowxperm hal_graphics_composer_default proc_ged:file ioctl proc_ged_ioctls;
+
+# Date: 2018/11/08
+# Operation : JPEG
+# Purpose : JPEG need to use PQ via MMS HIDL
+allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;
+
+# Data: 2019/09/04
+# Purpose: Display architecture chage to DRM, so HWC has to access
+# the DRM device node "/dev/dri/card0".
+allow hal_graphics_composer_default dri_device:chr_file rw_file_perms;
+
+# Data: 2020/03/25
+# Purpose: HWC has to access allocator for dbq
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+
+# Data: 2021/04/01
+# Purpose: HWC needs to check whether AppGamePQ is supported or not
+get_prop(hal_graphics_composer_default, vendor_mtk_pq_ro_prop)
+
+# Data: 2021/02/24
+# Purpose: HWC has to access to open m4u for m4u_sec_init
+allow hal_graphics_composer_default proc_m4u:file r_file_perms;
+allowxperm hal_graphics_composer_default proc_m4u:file ioctl { MTK_M4U_T_SEC_INIT MTK_M4U_GZ_SEC_INIT };
+
+# Data: 2021/09/16
+# Purpose: HWC has to access to open debug log for mtk_hwc_debug_log
+set_prop(hal_graphics_composer_default, vendor_mtk_hwc_debug_log_prop)
+
+# Date: 2021/9/29
+# Purpose: HWC needs to check whether display bringup or not
+get_prop(hal_graphics_composer_default, vendor_mtk_display_ro_prop)
+
+# Date: 2021/10/22
+# Purpose: Add permission for simplehwc reading dmabuf_system_secure_heap_device
+allow hal_graphics_composer_default dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map;
+
diff --git a/basic/non_plat/hal_ir_default.te b/basic/non_plat/hal_ir_default.te
new file mode 100644
index 0000000..ddcf13e
--- /dev/null
+++ b/basic/non_plat/hal_ir_default.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_ir_default irtx_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/hal_keymaster.te b/basic/non_plat/hal_keymaster.te
new file mode 100644
index 0000000..8c842d3
--- /dev/null
+++ b/basic/non_plat/hal_keymaster.te
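Review bot: In hal_graphics_composer_default.te, `allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;` sits under the WK18.03 comment "Allow to access property dev/mdp_sync", which does not explain why the composer opens the TEE device. Direct TEE access from the composer HAL is a grant a reviewer will want justified, so I would give it its own header, e.g. `# Purpose: HWC opens the TEE device for secure layer handling (TODO confirm)`. Several headers in this hunk also read `# Data:` where `# Date:` is meant (2019/09/04, 2020/03/25, 2021/04/01, 2021/02/24, 2021/09/16), and "chage" should be "change".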
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Associate mtk_hal_keymanage_hwservice with all server domain
+add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)
+
+# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager
+allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/basic/non_plat/hal_keymaster_attestation.te b/basic/non_plat/hal_keymaster_attestation.te
new file mode 100644
index 0000000..6c7f6fc
--- /dev/null
+++ b/basic/non_plat/hal_keymaster_attestation.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type hal_keymaster_attestation, domain;
+type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_keymaster_attestation)
+
+hal_server_domain(hal_keymaster_attestation, hal_mtk_keyattestation)
+
+allow hal_keymaster_attestation tee_device:chr_file rw_file_perms;
+
+# Date : WK17.42 2017/10/19
+# Operation: Keymaster 3.0
+# Purpose: Access attestation key in persist partition
+allow hal_keymaster_attestation mnt_vendor_file:dir search;
+allow hal_keymaster_attestation persist_data_file:dir w_dir_perms;
+allow hal_keymaster_attestation persist_data_file:file create_file_perms;
diff --git a/basic/non_plat/hal_keymaster_default.te b/basic/non_plat/hal_keymaster_default.te
new file mode 100644
index 0000000..5174eb7
--- /dev/null
+++ b/basic/non_plat/hal_keymaster_default.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.30 2017/07/25
+# Operation : keystore
+# Purpose : Fix keystore boot selinux violation
+allow hal_keymaster_default debugfs_tracing:file w_file_perms;
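Review bot: In hal_keymaster_attestation.te the attestation key is created under the generic `persist_data_file` label (`dir w_dir_perms`, `file create_file_perms`), so any other domain that is granted access to `persist_data_file` elsewhere in the policy can reach the key material too. A dedicated file type for the key directory (a name such as `mtk_attest_key_file`, constructed here for illustration), labelled in file_contexts, would confine it to this HAL. hal_keymint_default.te reads the key through the same shared label (`persist_data_file:file r_file_perms`) and should be retargeted with it.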
diff --git a/basic/non_plat/hal_keymint_default.te b/basic/non_plat/hal_keymint_default.te
new file mode 100644
index 0000000..0b1ebf4
--- /dev/null
+++ b/basic/non_plat/hal_keymint_default.te
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2021/08/12
+# Operation: Keymint 1.0
+# Purpose: Access attestation key in persist partition.
+allow hal_keymint_default mnt_vendor_file:dir search;
+allow hal_keymint_default persist_data_file:dir search;
+allow hal_keymint_default persist_data_file:file r_file_perms;
+
+# Date : 2021/08/12
+# Operation: Keymint 1.0
+# Purpose : Open MobiCore access permission for keystore.
+allow hal_keymint_default mobicore:unix_stream_socket { connectto read write };
+allow hal_keymint_default mobicore_user_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/hal_memtrack.te b/basic/non_plat/hal_memtrack.te
new file mode 100644
index 0000000..3ae8ca3
--- /dev/null
+++ b/basic/non_plat/hal_memtrack.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.52
+# Operation : HIDL Migration
+# Purpose : For memtrack related service access
+allow hal_memtrack procfs_gpu_img:dir search;
+allow hal_memtrack procfs_gpu_img:file r_file_perms;
+
+# Date : 2020/06/29
+# Operation: R migration
+# Purpose: Add permission for access /proc/ion/*
+allow hal_memtrack proc_ion:dir r_dir_perms;
+allow hal_memtrack proc_ion:file r_file_perms;
+
+# Date : 2020/11/10
+# Operation: R migration replace debug node with proc node
+# Purpose: Add permission for access /proc/mali/memory_usage
+allow hal_memtrack proc_memory_usage:file r_file_perms;
+
+# Date : 2021/05/14
+# Operation: GPU DDK migration rename proc node
+# Purpose: Add permission for access /proc/mtk_mali/gpu_memory
+allow hal_memtrack proc_gpu_memory:file r_file_perms;
diff --git a/basic/non_plat/hal_mtk_atci.te b/basic/non_plat/hal_mtk_atci.te new file mode 100644 index 0000000..3d453f5 --- /dev/null +++ b/basic/non_plat/hal_mtk_atci.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_atci, mtk_hal_atci_hwservice) + +binder_call(hal_mtk_atci_client, hal_mtk_atci_server) +binder_call(hal_mtk_atci_server, hal_mtk_atci_client) diff --git a/basic/non_plat/hal_mtk_bgs.te b/basic/non_plat/hal_mtk_bgs.te new file mode 100644 index 0000000..8d4b5a2 --- /dev/null +++ b/basic/non_plat/hal_mtk_bgs.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_bgs, mtk_hal_bgs_hwservice) + +binder_call(hal_mtk_bgs_client, hal_mtk_bgs_server) +binder_call(hal_mtk_bgs_server, hal_mtk_bgs_client) diff --git a/basic/non_plat/hal_mtk_em.te b/basic/non_plat/hal_mtk_em.te new file mode 100644 index 0000000..5df7cbb --- /dev/null +++ b/basic/non_plat/hal_mtk_em.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_em, mtk_hal_em_hwservice) + +binder_call(hal_mtk_em_client, hal_mtk_em_server) +binder_call(hal_mtk_em_server, hal_mtk_em_client) diff --git a/basic/non_plat/hal_mtk_fm.te b/basic/non_plat/hal_mtk_fm.te new file mode 100644 index 0000000..bff3758 --- /dev/null +++ b/basic/non_plat/hal_mtk_fm.te @@ -0,0 +1,10 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_fm, mtk_hal_fm_hwservice) + +binder_call(hal_mtk_fm_client, hal_mtk_fm_server) +binder_call(hal_mtk_fm_server, hal_mtk_fm_client) + +vndbinder_use(hal_mtk_fm) 
diff --git a/basic/non_plat/hal_mtk_hdmi.te b/basic/non_plat/hal_mtk_hdmi.te new file mode 100644 index 0000000..5d76ba3 --- /dev/null +++ b/basic/non_plat/hal_mtk_hdmi.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_hdmi, mtk_hal_hdmi_hwservice) + +binder_call(hal_mtk_hdmi_client, hal_mtk_hdmi_server) +binder_call(hal_mtk_hdmi_server, hal_mtk_hdmi_client) diff --git a/basic/non_plat/hal_mtk_imsa.te b/basic/non_plat/hal_mtk_imsa.te new file mode 100644 index 0000000..f60c013 --- /dev/null +++ b/basic/non_plat/hal_mtk_imsa.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_imsa, mtk_hal_imsa_hwservice) + +binder_call(hal_mtk_imsa_client, hal_mtk_imsa_server) +binder_call(hal_mtk_imsa_server, hal_mtk_imsa_client) diff --git a/basic/non_plat/hal_mtk_keyattestation.te b/basic/non_plat/hal_mtk_keyattestation.te new file mode 100644 index 0000000..b8ad311 --- /dev/null +++ b/basic/non_plat/hal_mtk_keyattestation.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_keyattestation, mtk_hal_keyattestation_hwservice) + +binder_call(hal_mtk_keyattestation_client, hal_mtk_keyattestation_server) +binder_call(hal_mtk_keyattestation_server, hal_mtk_keyattestation_client) diff --git a/basic/non_plat/hal_mtk_lbs.te b/basic/non_plat/hal_mtk_lbs.te new file mode 100644 index 0000000..f5ec2ee --- /dev/null +++ b/basic/non_plat/hal_mtk_lbs.te 
@@ -0,0 +1,10 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_lbs, mtk_hal_lbs_hwservice) + +binder_call(hal_mtk_lbs_client, hal_mtk_lbs_server) +binder_call(hal_mtk_lbs_server, hal_mtk_lbs_client) + +vndbinder_use(hal_mtk_lbs) diff --git a/basic/non_plat/hal_mtk_md_dbfilter.te b/basic/non_plat/hal_mtk_md_dbfilter.te new file mode 100644 index 0000000..b821cf5 --- /dev/null +++ b/basic/non_plat/hal_mtk_md_dbfilter.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_md_dbfilter, mtk_hal_md_dbfilter_hwservice) + +binder_call(hal_mtk_md_dbfilter_client, hal_mtk_md_dbfilter_server) +binder_call(hal_mtk_md_dbfilter_server, hal_mtk_md_dbfilter_client) diff --git a/basic/non_plat/hal_mtk_mmagent.te b/basic/non_plat/hal_mtk_mmagent.te new file mode 100644 index 0000000..c0ae839 --- /dev/null +++ b/basic/non_plat/hal_mtk_mmagent.te @@ -0,0 +1,6 @@ +# HwBinder IPC from clients into server, and callbacks +binder_call(hal_mtk_mmagent_client, hal_mtk_mmagent_server) +binder_call(hal_mtk_mmagent_server, hal_mtk_mmagent_client) + +# add/find permission rule to hwservicemanager +hal_attribute_hwservice(hal_mtk_mmagent, mtk_hal_mmagent_hwservice) \ No newline at end of file diff --git a/basic/non_plat/hal_mtk_mms.te b/basic/non_plat/hal_mtk_mms.te new file mode 100644 index 0000000..bdcebeb --- /dev/null +++ b/basic/non_plat/hal_mtk_mms.te 
@@ -0,0 +1,13 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# HwBinder IPC from clients into server, and callbacks +binder_call(hal_mtk_mms_client, hal_mtk_mms_server) +binder_call(hal_mtk_mms_server, hal_mtk_mms_client) + +# add/find permission rule to hwservicemanager +add_hwservice(hal_mtk_mms_server, mtk_hal_mms_hwservice) + +# give permission for hal client +allow hal_mtk_mms_client mtk_hal_mms_hwservice:hwservice_manager find; diff --git a/basic/non_plat/hal_mtk_nvramagent.te b/basic/non_plat/hal_mtk_nvramagent.te new file mode 100644 index 0000000..2f69ef5 --- /dev/null +++ b/basic/non_plat/hal_mtk_nvramagent.te @@ -0,0 +1,9 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_nvramagent, mtk_hal_nvramagent_hwservice) + +binder_call(hal_mtk_nvramagent_client, hal_mtk_nvramagent_server) +binder_call(hal_mtk_nvramagent_server, hal_mtk_nvramagent_client) + diff --git a/basic/non_plat/hal_mtk_pq.te b/basic/non_plat/hal_mtk_pq.te new file mode 100644 index 0000000..89588ca --- /dev/null +++ b/basic/non_plat/hal_mtk_pq.te @@ -0,0 +1,8 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +hal_attribute_hwservice(hal_mtk_pq, mtk_hal_pq_hwservice) + +binder_call(hal_mtk_pq_client, hal_mtk_pq_server) +binder_call(hal_mtk_pq_server, hal_mtk_pq_client) diff --git a/basic/non_plat/hal_nfc.te b/basic/non_plat/hal_nfc.te new file mode 100644 index 0000000..f972894 --- /dev/null +++ b/basic/non_plat/hal_nfc.te @@ -0,0 +1,5 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +allow hal_nfc st21nfc_device:chr_file rw_file_perms; 
diff --git a/basic/non_plat/hal_tee_default.te b/basic/non_plat/hal_tee_default.te
new file mode 100644
index 0000000..623dc5b
--- /dev/null
+++ b/basic/non_plat/hal_tee_default.te
@@ -0,0 +1 @@
+type hal_tee_default, domain;
diff --git a/basic/non_plat/hal_teeregistry_default.te b/basic/non_plat/hal_teeregistry_default.te
new file mode 100644
index 0000000..03e2939
--- /dev/null
+++ b/basic/non_plat/hal_teeregistry_default.te
@@ -0,0 +1 @@
+type hal_teeregistry_default, domain;
diff --git a/basic/non_plat/hal_telephony.te b/basic/non_plat/hal_telephony.te
new file mode 100644
index 0000000..f4933ca
--- /dev/null
+++ b/basic/non_plat/hal_telephony.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Date : W17.18
+#Purpose: Treble SEpolicy denied clean up
+add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
+allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/basic/non_plat/hal_thermal_default.te b/basic/non_plat/hal_thermal_default.te
new file mode 100644
index 0000000..0403fee
--- /dev/null
+++ b/basic/non_plat/hal_thermal_default.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_thermal_default proc_mtktz:dir search;
+allow hal_thermal_default proc_mtktz:file r_file_perms;
+allow hal_thermal_default proc_stat:file r_file_perms;
+
+#for uevent handle
+allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+#for thermal sysfs
+allow hal_thermal_default sysfs_therm:file rw_file_perms;
+allow hal_thermal_default sysfs_therm:dir search;
+
+#for thermal hal socket
+allow hal_thermal_default thermal_hal_socket:dir { rw_dir_perms setattr};
+allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/hal_vibrator.te b/basic/non_plat/hal_vibrator.te
new file mode 100644
index 0000000..a35814a
--- /dev/null
+++ b/basic/non_plat/hal_vibrator.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_leds:file rw_file_perms;
+allow hal_vibrator sysfs_leds:dir r_dir_perms;
+allow hal_vibrator sysfs_leds:lnk_file r_file_perms;
diff --git a/basic/non_plat/hal_vibrator_default.te b/basic/non_plat/hal_vibrator_default.te
new file mode 100644
index 0000000..bd84b3e
--- /dev/null
+++ b/basic/non_plat/hal_vibrator_default.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# vibrator sysfs rw access
+allow hal_vibrator_default sysfs_vibrator:file rw_file_perms;
diff --git a/basic/non_plat/hal_wifi.te b/basic/non_plat/hal_wifi.te
new file mode 100644
index 0000000..b7cf2f6
--- /dev/null
+++ b/basic/non_plat/hal_wifi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Allow hal wifi service to open/read/setattr wifi device.
+# wmtWifi is wifi char device file to control wifi driver.
+allow hal_wifi wmtWifi_device:chr_file w_file_perms;
+
diff --git a/basic/non_plat/hal_wifi_default.te b/basic/non_plat/hal_wifi_default.te
new file mode 100644
index 0000000..81d9043
--- /dev/null
+++ b/basic/non_plat/hal_wifi_default.te
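Review bot: The comment in hal_wifi.te says the HAL may open/read/setattr the wmtWifi device, but the rule grants `w_file_perms`, which covers opening and writing and includes neither read nor setattr. Either the comment or the permission set is wrong, and a reader auditing the policy cannot tell which. If write-only control is what the driver interface needs, the comment should read `# Allow hal wifi service to open and write the wifi control device.`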
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow hal_wifi_default self:capability sys_module;
+allow hal_wifi_default vendor_file:system module_load;
+allow hal_wifi_default kernel:system module_request;
+
+# allow hal service to manage AP bridge
+allowxperm hal_wifi_default self:udp_socket ioctl {
+ SIOCBRADDBR
+ SIOCBRADDIF
+ SIOCBRDELBR
+ SIOCBRDELIF
+ SIOCDEVPRIVATE_1
+};
+
+set_prop(hal_wifi_default, vendor_mtk_wifi_hal_prop)
diff --git a/basic/non_plat/hwservice.te b/basic/non_plat/hwservice.te
new file mode 100644
index 0000000..4d59524
--- /dev/null
+++ b/basic/non_plat/hwservice.te
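Review bot: `allow hal_wifi_default vendor_file:system module_load;` together with `self:capability sys_module` lets the Wi-Fi HAL load any file carrying the generic `vendor_file` label as a kernel module. Labelling the module files with a dedicated type (AOSP provides `vendor_kernel_modules`) and granting `module_load` only on that type would keep the rest of /vendor out of reach. The same generic grant is repeated in init.te (on `vendor_file` and `rootfs`) and in init_insmod_sh.te. These three rules also have no Date/Purpose comment, and `SIOCDEVPRIVATE_1` in the AP-bridge ioctl list is a driver-private command rather than a bridge one, so a line saying what the driver uses it for would help.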
@@ -0,0 +1,76 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type mtk_hal_bluetooth_hwservice, hwservice_manager_type; + +# Date: 2017/05/9 +type mtk_hal_rild_hwservice, hwservice_manager_type; + +# Date: 2017/06/07 +# power hidl +type mtk_hal_power_hwservice, hwservice_manager_type; + +# Date: 2017/06/12 +# LBS HIDL +type mtk_hal_lbs_hwservice, hwservice_manager_type; + +# Date: 2017/06/27 +# IMSA HIDL +type mtk_hal_imsa_hwservice, hwservice_manager_type; + +# Date: 2017/07/12 +# NVRAM HIDL +type mtk_hal_nvramagent_hwservice, hwservice_manager_type; + +# Date: 2017/07/19 +# PQ HIDL +type mtk_hal_pq_hwservice, hwservice_manager_type; + +# Date: 2017/07/20 +# keymaster attestation hidl +type mtk_hal_keyattestation_hwservice, hwservice_manager_type; + +# Date: 2018/05/25 +# FM HIDL +type mtk_hal_fm_hwservice, hwservice_manager_type; + +# Date: 2018/03/23 +# log hidl +type mtk_hal_log_hwservice, hwservice_manager_type; + +# Date: 2018/06/26 +# em hidl +type mtk_hal_em_hwservice, hwservice_manager_type; + +# Date: 2018/07/02 +# MMS HIDL +type mtk_hal_mms_hwservice, hwservice_manager_type, mtk_safe_hwservice_manager_type; + +type mtk_hal_atci_hwservice, hwservice_manager_type; + +# Date: 2020/12/02 +# MMAgent HIDL +type mtk_hal_mmagent_hwservice, hwservice_manager_type; + +type mtk_hal_keymanage_hwservice, hwservice_manager_type; + +# Date: 2019/06/12 +# modem db filter hidl +type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type; + +# Date: 2019/07/16 +# HDMI HIDL +type mtk_hal_hdmi_hwservice, hwservice_manager_type; + +# Date: 2019/09/06 +# BGService HIDL +type mtk_hal_bgs_hwservice, hwservice_manager_type; + +# Date: 2019/07/04 +# bluetooth audio hidl +type mtk_hal_bluetooth_audio_hwservice,hwservice_manager_type; + +# Date: 2021/06/30 +# composer extension HIDL +type mtk_hal_composer_ext_hwservice, hwservice_manager_type, protected_hwservice; 
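Review bot: `mtk_hal_mms_hwservice` is the only type in hwservice.te given `mtk_safe_hwservice_manager_type`, and nothing in the hunk says what that attribute opens the service to. Attributes on hwservice types usually decide which client classes may find the service, so a comment above the declaration should name the client domains that are meant to reach IMms through it. As a style point, `type mtk_hal_bluetooth_audio_hwservice,hwservice_manager_type;` is missing the space after the comma that every other declaration has.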
diff --git a/basic/non_plat/hwservice_contexts b/basic/non_plat/hwservice_contexts new file mode 100644 index 0000000..5e5a37e --- /dev/null +++ b/basic/non_plat/hwservice_contexts 
@@ -0,0 +1,89 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0 + +# Date: 2017/05/9 +vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0 +vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0 +vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0 +vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0 + +# Date: 2017/06/07 +# power hidl +vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:hal_power_hwservice:s0 +vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:hal_power_hwservice:s0 + +# Date: 2017/06/12 +# LBS HIDL +vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0 + +# Date : 2017/06/27 +# IMSA HIDL +vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0 + +# Date : 2017/07/12 +# nvram hidl +vendor.mediatek.hardware.nvram::INvram u:object_r:mtk_hal_nvramagent_hwservice:s0 + +# Date : 2017/07/19 +# PQ HIDL +vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0 + +# Date: 2017/07/20 +# keymaster attestation hidl +vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0 + +# Date: 2018/05/25 +# FM HIDL +vendor.mediatek.hardware.fm::IFmRadio u:object_r:mtk_hal_fm_hwservice:s0 + +# Date: 2018/03/23 +# log hidl +vendor.mediatek.hardware.log::ILog u:object_r:mtk_hal_log_hwservice:s0 + +# Date: 2018/05/23 +# ATCI +vendor.mediatek.hardware.atci::IAtcid u:object_r:mtk_hal_atci_hwservice:s0 + +# Date: 2018/06/26 +# em hidl +vendor.mediatek.hardware.engineermode::IEmd u:object_r:mtk_hal_em_hwservice:s0 + +# Date : 2018/07/02 +# MMS HIDL +vendor.mediatek.hardware.mms::IMms u:object_r:mtk_hal_mms_hwservice:s0 + +# Date : 2020/12/02 +# MMAgent HIDL 
+vendor.mediatek.hardware.mmagent::IMMAgent u:object_r:mtk_hal_mmagent_hwservice:s0 + +# Date: 2019/06/12 +# modem db filter hidl +vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfilter_hwservice:s0 + +# Date: 2019/07/04 +vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0 +vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0 +vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0 +vendor.mediatek.hardware.camera.isphal::IISPModule u:object_r:mtk_hal_bgs_hwservice:s0 + +# Date : 2019/07/31 +vendor.mediatek.hardware.camera.postproc::IPostDevice u:object_r:mtk_hal_bgs_hwservice:s0 + +# Date : 2019/07/16 +# HDMI HIDL +vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0 + +# Date: 2019/09/02 +# ATMs hidl +vendor.mediatek.hardware.camera.atms::IATMs u:object_r:hal_camera_hwservice:s0 + +# Date: 2019/09/04 +# bluetooth audio hidl +vendor.mediatek.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:mtk_hal_bluetooth_audio_hwservice:s0 + +# Date: 2021/06/30 +# composer extension HIDL +vendor.mediatek.hardware.composer_ext::IComposerExt u:object_r:mtk_hal_composer_ext_hwservice:s0 diff --git a/basic/non_plat/init.te b/basic/non_plat/init.te new file mode 100644 index 0000000..d99d170 --- /dev/null +++ b/basic/non_plat/init.te 
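Review bot: The `IMtkPerf` and `IMtkPower` entries are labelled with the platform type `hal_power_hwservice`, while hwservice.te in this patch declares `mtk_hal_power_hwservice` under the same "power hidl" heading and this file never uses it. With the platform label, every client allowed to find the standard power HAL can also find the vendor extension interfaces; if that is not intended, map them as `vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:mtk_hal_power_hwservice:s0`. The camera `lomoeffect`, `ccap` and `atms` entries reuse `hal_camera_hwservice` in the same way. If the reuse is deliberate, a comment saying so, plus removal of the unused type, would avoid confusion.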
@@ -0,0 +1,148 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK14.34 +# Operation : Migration +# Purpose : for L early bring up: add for nvram command in init rc files +allow init nvram_data_file:dir create_dir_perms; +allow init nvram_data_file:lnk_file r_file_perms; +allow init nvdata_file:lnk_file r_file_perms; +allow init nvdata_file:dir { create_dir_perms mounton }; + +#============= init ============== +# Date : W14.42 +# Operation : Migration +# Purpose : for L : add for partition (chown/chmod) +allow init system_block_device:blk_file setattr; +allow init nvram_device:blk_file setattr; +allow init seccfg_block_device:blk_file setattr; +allow init secro_block_device:blk_file setattr; +allow init frp_block_device:blk_file setattr; +allow init logo_block_device:blk_file setattr; +allow init para_block_device:blk_file { setattr w_file_perms }; +allow init recovery_block_device:blk_file setattr; + +# Date : WK15.30 +# Operation : Migration +# Purpose : format wiped partition with "formattable" and "check" flag in fstab file +allow init protect1_block_device:blk_file rw_file_perms; +allow init protect2_block_device:blk_file rw_file_perms; +allow init userdata_block_device:blk_file rw_file_perms; +allow init cache_block_device:blk_file rw_file_perms; +allow init nvdata_device:blk_file w_file_perms; +allow init persist_block_device:blk_file rw_file_perms; +allow init nvcfg_block_device:blk_file rw_file_perms; +allow init odm_block_device:blk_file rw_file_perms; +allow init oem_block_device:blk_file rw_file_perms; + +# Date : W16.28 +# Operation : Migration +# Purpose : enable modules capability +allow init self:capability sys_module; +allow init kernel:system module_request; + +# Date : WK16.35 +# Operation : Migration +# Purpose : create symbolic link from /mnt/sdcard to /sdcard +allow init tmpfs:lnk_file create_file_perms; + +# Date:W17.07 +# Operation : bt hal +# Purpose 
: bt hal interface permission +allow init mtk_hal_bluetooth_exec:file getattr; + +# Date : WK17.02 +# Purpose: Fix audio hal service fail +allow init mtk_hal_audio_exec:file getattr; + +# Date : W17.20 +# Purpose: Enable PRODUCT_FULL_TREBLE +allow init vendor_block_device:lnk_file relabelto; + +# Date : WK17.21 +# Purpose: Fix gnss hal service fail +allow init mtk_hal_gnss_exec:file getattr; + +# Fix boot up violation +allow init debugfs_tracing_instances:file relabelfrom; + +# Date: W17.22 +# Operation : New Feature +# Purpose : Add for A/B system +allow init oemfs:dir mounton; +allow init protect_f_data_file:dir mounton; +allow init protect_s_data_file:dir mounton; +allow init nvcfg_file:dir mounton; +allow init mcf_ota_file:dir mounton; +allow init persist_data_file:dir mounton; + +# Date : WK17.39 +# Operation : able to relabel mntl block device link +# Purpose : Correct permission for mntl +allow init expdb_block_device:lnk_file relabelto; +allow init mcupmfw_block_device:lnk_file relabelto; +allow init tee_block_device:lnk_file relabelto; + +# Date : WK17.43 +# Operation : able to insert fpsgo kernel module +# Purpose : Correct permission for fpsgo +allow init rootfs:system module_load; + +# Date: W17.43 +# Operation : module load +# Purpose : insmod LKM under /vendor (connsys module KO) +allow init vendor_file:system module_load; + +# Date : WK17.46 +# Operation : feature porting +# Purpose : kernel module verification +allow init kernel:key search; + +# Date : WK17.50 +# Operation : boost cpu while booting +# Purpose : enhance boottime +allow init proc_perfmgr:file w_file_perms; +allow init proc_wmtdbg:file w_file_perms; + +# Date : W18.20 +# Operation : mount soc vendor's partition when booting +allow init mnt_vendor_file:dir mounton; + +# Date : W19.28 +# Purpose: Allow to setattr /proc/last_kmsg +allow init proc_last_kmsg:file setattr; + +# Purpose: Allow to write /proc/cpu/alignment +allow init proc_cpu_alignment:file w_file_perms; + +# Purpose: Allow 
to relabelto for selinux_android_restorecon +allow init boot_block_device:lnk_file relabelto; +allow init vbmeta_block_device:lnk_file relabelto; + +# Purpose: Allow to write /proc/mtprintk +allow init proc_mtprintk:file w_file_perms; + +# Date : 2020/08/05 +# Purpose: Allow to write /proc/driver/wmt_user_proc +allow init proc_wmtuserproc:file w_file_perms; + +# Date: 2020/09/02 +# Operation: R migration +# Purpose: Add permission for pl path utilities to add symlink to raw pl +recovery_only(` + domain_trans(init, rootfs, update_engine) +') + +# Date : 2020/12/23 +# Purpose: Allow init to write /proc/driver/conninfra_dbg +allow init proc_conninfradbg:file w_file_perms; +# Date : 2021/07/15 +# Purpose: Add permission for pl path utilities +domain_auto_trans(init, postinstall_file, update_engine) + +# Date : 2021/09/13 +# Purpose: Add permission for mtk_core_ctl +allow init sysfs_mtk_core_ctl:dir r_dir_perms; +allow init sysfs_mtk_core_ctl:file rw_file_perms; + diff --git a/basic/non_plat/init_insmod_sh.te b/basic/non_plat/init_insmod_sh.te new file mode 100644 index 0000000..a9fb4e4 --- /dev/null +++ b/basic/non_plat/init_insmod_sh.te @@ -0,0 +1,17 @@ +type init_insmod_sh, domain; +type init_insmod_sh_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(init_insmod_sh) + +allow init_insmod_sh vendor_toolbox_exec:file rx_file_perms; +allow init_insmod_sh self:capability sys_module; +allow init_insmod_sh vendor_file:system module_load; +allow init_insmod_sh kernel:key search; + +# Date : WK20.46 +# Purpose : modprobe need proc_modules +allow init_insmod_sh proc_modules:file r_file_perms; + +# Date : WK20.46 +# Purpose : Set the vendor.all.modules.ready property +set_prop(init_insmod_sh, vendor_mtk_device_prop) diff --git a/basic/non_plat/init_thh_service.te b/basic/non_plat/init_thh_service.te new file mode 100644 index 0000000..3a40479 --- /dev/null +++ b/basic/non_plat/init_thh_service.te @@ -0,0 +1 @@ +type init_thh_service, domain; 
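Review bot: `domain_auto_trans(init, postinstall_file, update_engine)` near the end of the init.te hunk is unconditional, whereas the 2020/09/02 rule with the same stated purpose, `domain_trans(init, rootfs, update_engine)`, is wrapped in `recovery_only`. As written, anything init executes from a `postinstall_file`-labelled path also transitions into `update_engine` in normal boot, and the comment "Add permission for pl path utilities" does not say which service needs that. If the transition is only needed in recovery it belongs inside the existing `recovery_only` block; otherwise the comment should name the init service and binary. The 2021/07/15 comment is also missing the blank line that separates every other Date/Purpose block.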
diff --git a/basic/non_plat/ioctl_defines b/basic/non_plat/ioctl_defines new file mode 100644 index 0000000..da54262 --- /dev/null +++ b/basic/non_plat/ioctl_defines 
@@ -0,0 +1,120 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +########################## +# ged_bridge_id.h +# +define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700') +define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701') +define(`GED_BRIDGE_IO_LOG_BUF_RESET', `0x6702') +define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703') +define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704') +define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705') +define(`GED_BRIDGE_IO_NOTIFY_VSYNC', `0x6706') +define(`GED_BRIDGE_IO_DVFS_PROBE', `0x6707') +define(`GED_BRIDGE_IO_DVFS_UM_RETURN', `0x6708') +define(`GED_BRIDGE_IO_EVENT_NOTIFY', `0x6709') +define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a') +define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b') +define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c') +define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d') +define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e') +define(`GED_BRIDGE_IO_QUERY_DVFS_FREQ_PRED', `0x670f') +define(`GED_BRIDGE_IO_QUERY_GPU_DVFS_INFO', `0x6710') + +define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764') +define(`GED_BRIDGE_IO_GE_GET', `0x6765') +define(`GED_BRIDGE_IO_GE_SET', `0x6766') +define(`GED_BRIDGE_IO_GPU_TIMESTAMP', `0x6767') +define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768') +define(`GED_BRIDGE_IO_GE_INFO', `0x6769') +define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a') +define(`GED_BRIDGE_IO_DMABUF_SET_NAME', `0x676b') + +define(`GED_BRIDGE_IO_CREATE_TIMELINE', `0x67c8') + +########################## +# perf_ioctl.h : FPSGO +# +define(`PERFMGR_FPSGO_QUEUE', `0x6701') +define(`PERFMGR_FPSGO_DEQUEUE', `0x6703') +define(`PERFMGR_FPSGO_VSYNC', `0x6705') +define(`PERFMGR_FPSGO_TOUCH', `0x670a') +define(`PERFMGR_FPSGO_SWAP_BUFFER', `0x670e') +define(`PERFMGR_FPSGO_QUEUE_CONNECT', `0x670f') +define(`PERFMGR_FPSGO_BQID', `0x6710') +define(`PERFMGR_FPSGO_GET_FPS', `0x6711') +define(`PERFMGR_FPSGO_GET_CMD', `0x6712') +define(`PERFMGR_FPSGO_GBE_GET_CMD', `0x6713') +define(`PERFMGR_FPSGO_GET_FSTB_ACTIVE', 
`0x6714') +define(`PERFMGR_FPSGO_WAIT_FSTB_ACTIVE', `0x6715') +define(`PERFMGR_FPSGO_SBE_RESCUE', `0x6716') + +# perf_ioctl.h : EARA +define(`PERFMGR_EARA_NN_BEGIN', `0x6701') +define(`PERFMGR_EARA_NN_END', `0x6702') +define(`PERFMGR_EARA_GETUSAGE', `0x6703') + +define(`PERFMGR_EARA_GETINDEX', `0x6701') +define(`PERFMGR_EARA_COLLECT', `0x6702') + +# perf_ioctl.h : EARA +define(`PERFMGR_EARA_ENABLE', `0x6701') +define(`PERFMGR_EARA_GETINFO', `0x6702') +define(`PERFMGR_EARA_TDIFF', `0x6703') + +# perf_ioctl.h : others +define(`PERFMGR_CPU_PREFER', `0x6701') + +# perf_ioctl.h : EAS +define(`EAS_SYNC_SET', `0x6701') +define(`EAS_PERTASK_LS_SET', `0x6703') +define(`CORE_CTL_FORCE_PAUSE_CPU', `0x6707') +define(`CORE_CTL_SET_OFFLINE_THROTTLE_MS', `0x6708') +define(`CORE_CTL_SET_LIMIT_CPUS', `0x6709') +define(`CORE_CTL_SET_NOT_PREFERRED', `0x670a') +define(`CORE_CTL_SET_BOOST', `0x670b') +define(`CORE_CTL_SET_UP_THRES', `0x670c') +define(`CPUQOS_V3_SET_CPUQOS_MODE', `0x670e') +define(`CPUQOS_V3_SET_CT_TASK', `0x670f') +define(`CPUQOS_V3_SET_CT_GROUP', `0x6710') +define(`EAS_NEWLY_IDLE_BALANCE_INTERVAL_SET', `0x6711') +define(`EAS_GET_THERMAL_HEADROOM_INTERVAL_SET', `0x6713') + +# perf_ioctl.h : XGFF +define(`PERFMGR_XGFFRAME_START', `0x6701') +define(`PERFMGR_XGFFRAME_END', `0x6702') + +########################## +# +# +define(`MMC_IOCTLCMD', `0xb300') +define(`MMC_IOC_MULTI_CMD', `0xb301') +define(`UFS_IOCTLCMD', `0x5388') +define(`UFS_IOCTL_RPMB', `0x5391') + +########################## +# +# +define(`JPG_BRIDGE_ENC_IO_INIT', `0x780b') +define(`JPG_BRIDGE_ENC_IO_CONFIG', `0x780c') +define(`JPG_BRIDGE_ENC_IO_WAIT', `0x780d') +define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e') +define(`JPG_BRIDGE_ENC_IO_START', `0x780f') +define(`JPG_BRIDGE_DEC_IO_LOCK', `0x7812') +define(`JPG_BRIDGE_DEC_IO_WAIT', `0x7813') +define(`JPG_BRIDGE_DEC_IO_UNLOCK', `0x7814') + +########################## +# m4u_priv.h +# +define(`MTK_M4U_T_ALLOC_MVA', `0x6704') +define(`MTK_M4U_T_DEALLOC_MVA', 
`0x6705') +define(`MTK_M4U_T_CONFIG_PORT', `0x670b') +define(`MTK_M4U_T_DMA_OP', `0x671d') +define(`MTK_M4U_T_SEC_INIT', `0x6732') +define(`MTK_M4U_T_CONFIG_PORT_ARRAY', `0x671a') +define(`MTK_M4U_T_CACHE_SYNC', `0x670a') +define(`MTK_M4U_GZ_SEC_INIT', `0x673c') + diff --git a/basic/non_plat/ioctl_macros b/basic/non_plat/ioctl_macros new file mode 100644 index 0000000..9d9e37c --- /dev/null +++ b/basic/non_plat/ioctl_macros @@ -0,0 +1,33 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# proc_ged ioctls +define(`proc_ged_ioctls', `{ + GED_BRIDGE_IO_LOG_BUF_GET + GED_BRIDGE_IO_LOG_BUF_WRITE + GED_BRIDGE_IO_LOG_BUF_RESET + GED_BRIDGE_IO_BOOST_GPU_FREQ + GED_BRIDGE_IO_MONITOR_3D_FENCE + GED_BRIDGE_IO_QUERY_INFO + GED_BRIDGE_IO_NOTIFY_VSYNC + GED_BRIDGE_IO_DVFS_PROBE + GED_BRIDGE_IO_DVFS_UM_RETURN + GED_BRIDGE_IO_EVENT_NOTIFY + GED_BRIDGE_IO_WAIT_HW_VSYNC + GED_BRIDGE_IO_QUERY_TARGET_FPS + GED_BRIDGE_IO_VSYNC_WAIT + GED_BRIDGE_IO_GPU_HINT_TO_CPU + GED_BRIDGE_IO_HINT_FORCE_MDP + GED_BRIDGE_IO_QUERY_DVFS_FREQ_PRED + GED_BRIDGE_IO_QUERY_GPU_DVFS_INFO + GED_BRIDGE_IO_GE_ALLOC + GED_BRIDGE_IO_GE_GET + GED_BRIDGE_IO_GE_SET + GED_BRIDGE_IO_GPU_TIMESTAMP + GED_BRIDGE_IO_TARGET_FPS + GED_BRIDGE_IO_GE_INFO + GED_BRIDGE_IO_GPU_TUNER_STATUS + GED_BRIDGE_IO_DMABUF_SET_NAME + GED_BRIDGE_IO_CREATE_TIMELINE +}') diff --git a/basic/non_plat/ipsec_mon.te b/basic/non_plat/ipsec_mon.te new file mode 100644 index 0000000..adab2f3 --- /dev/null +++ b/basic/non_plat/ipsec_mon.te @@ -0,0 +1 @@ +type ipsec_mon, domain; diff --git a/basic/non_plat/kernel.te b/basic/non_plat/kernel.te new file mode 100644 index 0000000..5831906 --- /dev/null +++ b/basic/non_plat/kernel.te 
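Review bot: Many names in ioctl_defines expand to the same number (`0x6701` alone is GED_BRIDGE_IO_LOG_BUF_WRITE, PERFMGR_FPSGO_QUEUE, PERFMGR_EARA_NN_BEGIN, PERFMGR_EARA_GETINDEX, PERFMGR_EARA_ENABLE, PERFMGR_CPU_PREFER, EAS_SYNC_SET and PERFMGR_XGFFRAME_START), and the file does not say which device node each group belongs to. `allowxperm` matches only the numeric command on the target type, so a name used against the wrong type silently allows a different driver's command. Each section header should state the node the group applies to, and the two headers that are bare `#` lines (the MMC/UFS and JPG groups) should name their source header like the others. Two consecutive groups are both titled `# perf_ioctl.h : EARA`, which makes them hard to tell apart.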
@@ -0,0 +1,87 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : run guitar_update for touch F/W upgrade.
+allow kernel sdcard_type:dir search;
+
+# Date : WK14.39
+# Operation : Migration
+# Purpose : ums driver can access blk_file
+allow kernel loop_device:blk_file r_file_perms;
+allow kernel vold_device:blk_file rw_file_perms;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose : grant fon_image_data_file read permission for loop device
+allow kernel fon_image_data_file:file read;
+
+# Date : WK15.38
+# Operation : Migration
+# Purpose : grant proc_thermal for dir search
+allow kernel proc_thermal:dir search;
+
+# Date : WK16.11
+# Operation : Migration
+# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
+# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there.
+allow kernel mnt_user_file:dir search;
+allow kernel mnt_user_file:lnk_file r_file_perms;
+allow kernel wifi_data_file:file r_file_perms;
+allow kernel wifi_data_file:dir search;
+allow kernel storage_file:lnk_file r_file_perms;
+allow kernel sdcard_type:file open;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel block_device:dir search;
+
+# Data : WK16.16
+# Operation : Migration
+# Purpose : Access to TC1 partition for reading MEID
+allow kernel misc2_block_device:blk_file rw_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel fuseblk:dir create_dir_perms;
+allow kernel fuseblk:file create_file_perms;
+
+# Date : WK16.30
+# Operation: SQC
+# Purpose: Allow sdcardfs workqueue to access lower file systems
+allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
+allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
+allow kernel kernel:key { write search setattr };
+
+# Date : WK16.42
+# Operation: SQC
+# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
+allow kernel platform_app:process setsched;
+
+# Date : WK17.01
+# Operation: SQC
+# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
+allow kernel audioserver:fd use;
+
+# Date : WK18.02
+# Operation: SQC
+# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
+allow kernel mtk_hal_audio:fd use;
+allow kernel factory:fd use;
+
+# Date : WK18.29
+# Operation: SQC
+# Purpose: Allow kernel read firmware binary on vendor partition
+allow kernel vendor_file:file r_file_perms;
+
+# Date : WK18.35
+# Operation: SQC
+# Purpose: Allow VOW kthread to write debug PCM dump
+allow kernel mtk_audiohal_data_file:file write;
+
+# Date: WK19.03
+allow kernel expdb_block_device:blk_file rw_file_perms;
diff --git a/basic/non_plat/keystore.te b/basic/non_plat/keystore.te
new file mode 100644
index 0000000..fff024b
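Review bot: Several rules in kernel.te exist only so kernel threads can write debug dumps (`allow kernel audioserver:fd use;`, `allow kernel mtk_hal_audio:fd use;`, `allow kernel factory:fd use;`, `allow kernel mtk_audiohal_data_file:file write;`), yet they live in basic/non_plat and therefore apply to user builds too. If those dumps are only produced on engineering builds, wrap each of them in the `userdebug_or_eng()` macro so production devices do not carry the extra kernel write paths. The final rule, `allow kernel expdb_block_device:blk_file rw_file_perms;`, has only a `# Date: WK19.03` line; add Operation and Purpose lines like the other entries so the raw block-device write can be audited later.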
--- /dev/null
+++ b/basic/non_plat/keystore.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.40 2014/12/26
+# Operation : CTS 5.0_r1
+# Purpose : allow access to /data/data for full CTS
+allow keystore app_data_file:file write;
diff --git a/basic/non_plat/kisd.te b/basic/non_plat/kisd.te
new file mode 100644
index 0000000..25bd23a
--- /dev/null
+++ b/basic/non_plat/kisd.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/kisd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type kisd, domain;
+type kisd_exec, exec_type, file_type, vendor_file_type;
+typeattribute kisd mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(kisd)
+
+allow kisd tee_device:chr_file rw_file_perms;
+allow kisd provision_file:dir rw_dir_perms;
+allow kisd provision_file:file create_file_perms;
+allow kisd kb_block_device:blk_file rw_file_perms;
+allow kisd kb_block_device:chr_file rw_file_perms;
+allow kisd dkb_block_device:blk_file rw_file_perms;
+allow kisd dkb_block_device:chr_file rw_file_perms;
+allow kisd key_install_data_file:dir w_dir_perms;
+allow kisd key_install_data_file:file create_file_perms;
+allow kisd key_install_data_file:dir search;
+allow kisd mtd_device:chr_file rw_file_perms;
+allow kisd mtd_device:blk_file rw_file_perms;
+allow kisd mtd_device:dir search;
+allow kisd block_device:dir search;
diff --git a/basic/non_plat/lbs_hidl_service.te b/basic/non_plat/lbs_hidl_service.te
new file mode 100644
index 0000000..2b8b512
--- /dev/null
+++ b/basic/non_plat/lbs_hidl_service.te
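Review bot: `allow keystore app_data_file:file write;` gives the keystore daemon a standing write path into app private data, and the only justification is a CTS 5.0_r1 run dated 2014. No `open` is granted, so it applies to descriptors handed to keystore, but a domain that guards key material should not keep this on current releases without a live reason. Re-run the relevant test without the rule and delete it if no denial appears. If it has to stay, quote the actual avc denial in the comment, the way lmkd.te does, so the need can be re-checked.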
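Review bot: `typeattribute kisd mlstrustedsubject;` exempts kisd from MLS constraints, and nothing in kisd.te explains why this daemon needs that. Combined with `rw_file_perms` on `mtd_device`, `kb_block_device` and `dkb_block_device`, the exemption makes kisd a high-value target; either drop the attribute or put a Purpose comment directly above it naming the cross-level access it is required for. Separately, `allow kisd key_install_data_file:dir search;` is redundant, because the `w_dir_perms` rule two lines earlier already includes `search`.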
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type lbs_hidl_service, domain;
+type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(lbs_hidl_service)
+hal_server_domain(lbs_hidl_service, hal_mtk_lbs)
+vndbinder_use(lbs_hidl_service)
+
+unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd)
+allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
+allow lbs_hidl_service mnld:unix_dgram_socket sendto;
diff --git a/basic/non_plat/lmkd.te b/basic/non_plat/lmkd.te
new file mode 100644
index 0000000..b88d9ef
--- /dev/null
+++ b/basic/non_plat/lmkd.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : 2015/01/14
+# Operation : MT6735 SQC bug fix
+# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
+# for pid=194 comm="lmkd" name="23573" dev="proc"
+# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
+dontaudit lmkd zygote:dir rw_dir_perms;
+
+# Data : 2015/04/17
+# Operation : tb8163p1 low memory selinux warning
+# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
+# for pid=170 comm="lmkd"
+# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
+# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
+dontaudit lmkd platform_app:fd use;
+
+# Data : 2018/05/25
+# Operation : Add for duraSpeed socket
+allow lmkd system_server:unix_stream_socket connectto;
+
+# Data : 2021/04/20
+# Operation : Add for powerhal mem index
+hal_client_domain(lmkd, hal_power)
diff --git a/basic/non_plat/md_monitor.te b/basic/non_plat/md_monitor.te
new file mode 100644
index 0000000..48c5388
--- /dev/null
+++ b/basic/non_plat/md_monitor.te
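Review bot: `dontaudit lmkd zygote:dir rw_dir_perms;` silences far more than the single denial quoted above it, which is `{ search }` on a `dev="proc"` directory. A dontaudit this wide would also hide write or add_name attempts by lmkd against zygote's /proc entries, which is what someone investigating the device would want in the audit log. Narrow it to `dontaudit lmkd zygote:dir search;`. The duraSpeed rule `allow lmkd system_server:unix_stream_socket connectto;` also has no Purpose line; add one saying which socket is meant.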
@@ -0,0 +1 @@
+type md_monitor, domain;
diff --git a/basic/non_plat/mediacodec.te b/basic/non_plat/mediacodec.te
new file mode 100644
index 0000000..c733874
--- /dev/null
+++ b/basic/non_plat/mediacodec.te
@@ -0,0 +1,147 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK14.36 +# Operation : Migration +# Purpose : VDEC/VENC device node +allow mediacodec Vcodec_device:chr_file rw_file_perms; + +# Date : WK16.21 +# Operation : Migration +# Purpose : VP & VR dump and debug +allow mediacodec M4U_device_device:chr_file rw_file_perms; +allow mediacodec MTK_SMI_device:chr_file r_file_perms; +allow mediacodec storage_file:lnk_file rw_file_perms; +allow mediacodec tmpfs:dir search; +allow mediacodec mnt_user_file:dir rw_dir_perms; +allow mediacodec mnt_user_file:lnk_file rw_file_perms; +allow mediacodec sdcard_type:dir rw_dir_perms; +allow mediacodec sdcard_type:file create_file_perms; +allow mediacodec nvram_data_file:dir w_dir_perms; +allow mediacodec nvram_data_file:file create_file_perms; +allow mediacodec nvram_data_file:lnk_file r_file_perms; +allow mediacodec nvdata_file:lnk_file r_file_perms; +allow mediacodec nvdata_file:dir w_dir_perms; +allow mediacodec nvdata_file:file create_file_perms; +allow mediacodec devmap_device:chr_file r_file_perms; +allow mediacodec proc_meminfo:file r_file_perms; + +# Date : WK14.36 +# Operation : Migration +# Purpose : for SW codec VP/VR +allow mediacodec mtk_sched_device:chr_file rw_file_perms; + +# Data : WK14.39 +# Operation : Migration +# Purpose : HW encrypt SW codec +allow mediacodec mediacodec_data_file:file create_file_perms; +allow mediacodec mediacodec_data_file:dir create_dir_perms; +allow mediacodec sec_device:chr_file r_file_perms; + +# Data: WK14.44 +# Operation : Migration +# Purpose : VP +allow mediacodec surfaceflinger:file getattr; + +# Data: WK14.44 +# Operation : Migration +# Purpose : for low SD card latency issue +allow mediacodec sysfs_lowmemorykiller:file r_file_perms; + +# Data: WK14.45 +# Operation : Migration +# Purpose : for change thermal policy when needed +allow mediacodec proc_mtkcooler:dir search; +allow mediacodec 
proc_mtkcooler:file rw_file_perms; +allow mediacodec proc_mtktz:dir search; +allow mediacodec proc_mtktz:file rw_file_perms; +allow mediacodec proc_thermal:dir search; +allow mediacodec proc_thermal:file rw_file_perms; +allow mediacodec thermal_manager_data_file:file create_file_perms; +allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr }; + +# Data : WK14.47 +# Operation : CTS +# Purpose : cts search strange app +allow mediacodec untrusted_app:dir search; + +# Date : WK14.39 +# Operation : Migration +# Purpose : MJC Driver +allow mediacodec MJC_device:chr_file rw_file_perms; + +# Date : WK16.33 +# Purpose: Allow to access ged for gralloc_extra functions +allow mediacodec proc_ged:file rw_file_perms; +allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls }; + +# Data : WK16.42 +# Operator: Whitney bring up +# Purpose: call surfaceflinger due to powervr +allow mediacodec surfaceflinger:fifo_file rw_file_perms; + +# Date: WK16.43 +# Operator: Whitney SQC +# Purpose: mediacodec use gpu +allow mediacodec gpu_device:dir search; + +# Date : W18.01 +# Add for turn on SElinux in enforcing mode +allow mediacodec vndbinder_device:chr_file rw_file_perms; + +vndbinder_use(mediacodec) + +# Date : WK1721 +# Purpose: For FULL TREBLE +allow mediacodec system_file:dir r_dir_perms; +allow mediacodec debugfs_ion:dir search; + + +# Date : WK17.30 +# Operation : O Migration +# Purpose: Allow mediacodec to access cmdq driver +allow mediacodec mtk_cmdq_device:chr_file r_file_perms; +allow mediacodec mtk_mdp_device:chr_file r_file_perms; +allow mediacodec mtk_mdp_sync_device:chr_file r_file_perms; +allow mediacodec sw_sync_device:chr_file r_file_perms; + +# Date : WK17.30 +# Purpose : For Power Hal +hal_client_domain(mediacodec, hal_power) + +# Date : WK17.12 +# Operation : MT6799 SQC +# Purpose : Change thermal config +set_prop(mediacodec, vendor_mtk_thermal_config_prop) + +# Date : WK17.43 +# Operation : Migration +# Purpose : DISP access +allow mediacodec 
graphics_device:chr_file r_file_perms; +allow mediacodec graphics_device:dir search; + +# Date : WK19.27 +# Purpose: Android Migration for SVP +allow mediacodec proc_m4u:file r_file_perms; +allowxperm mediacodec proc_m4u:file ioctl { + MTK_M4U_T_SEC_INIT + MTK_M4U_T_CONFIG_PORT + MTK_M4U_T_CACHE_SYNC + MTK_M4U_T_CONFIG_PORT_ARRAY +}; + +# Date : 2019/12/12 +# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* +allow mediacodec sysfs_concurrency_scenario:file rw_file_perms; +allow mediacodec sysfs_concurrency_scenario:dir search; + +# Date : 2020/07/10 +# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/* +allow mediacodec sysfs_emi_ctrl_concurrency_scenario:file rw_file_perms; +allow mediacodec sysfs_emi_ctrl_concurrency_scenario:dir search; + +# Date : WK20.16 +# # Operation: SQC +# # Purpose : Allow medicodec to control video mode property +set_prop(mediacodec, vendor_mtk_video_prop) diff --git a/basic/non_plat/mediadrmserver.te b/basic/non_plat/mediadrmserver.te new file mode 100644 index 0000000..3b7a2c1 --- /dev/null +++ b/basic/non_plat/mediadrmserver.te @@ -0,0 +1,9 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK16.33 +# Purpose: Allow to access ged for gralloc_extra functions +allow mediadrmserver proc_ged:file rw_file_perms; + + diff --git a/basic/non_plat/mediaextractor.te b/basic/non_plat/mediaextractor.te new file mode 100644 index 0000000..36ffb24 --- /dev/null +++ b/basic/non_plat/mediaextractor.te 
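Review bot: mediacodec decodes untrusted media, but the WK16.21 block labelled "VP & VR dump and debug" gives it `create_file_perms` on `sdcard_type`, `nvram_data_file` and `nvdata_file` in every build variant. A compromised codec process could then modify vendor NVRAM data or drop files on shared storage. Move the dump-only rules under the `userdebug_or_eng()` macro and reduce the nvram/nvdata grants to `r_file_perms` unless a real writer is identified, e.g. `allow mediacodec nvdata_file:file r_file_perms;`. `allow mediacodec untrusted_app:dir search;` ("cts search strange app") deserves the same scrutiny.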
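Review bot: `allow mediadrmserver proc_ged:file rw_file_perms;` includes the `ioctl` permission but, unlike mediacodec, mediaserver and mediaswcodec, has no `allowxperm ... { proc_ged_ioctls }` next to it. Depending on whether the base policy already filters ioctls on this class, that leaves either every GED command allowed or none of the GED ones, and neither looks intended. Add `allowxperm mediadrmserver proc_ged:file ioctl { proc_ged_ioctls };` or narrow the allow to the permissions actually needed. mediaextractor.te carries the same unpaired rule.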
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mediaextractor proc_ged:file rw_file_perms;
+
+#============= mediaextractor ==============
+allow mediaextractor vfat:file r_file_perms;
+
+allow mediaextractor mediaserver_service:service_manager find;
+
+allow mediaextractor platform_app:dir search;
+allow mediaextractor platform_app:file r_file_perms;
+
+hal_client_domain(mediaextractor, hal_omx)
diff --git a/basic/non_plat/mediahelper.te b/basic/non_plat/mediahelper.te
new file mode 100755
index 0000000..b1b2d63
--- /dev/null
+++ b/basic/non_plat/mediahelper.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# get prop to judge use 64-bit or not
+get_prop(mediahelper, vendor_mtk_prefer64_prop)
+
diff --git a/basic/non_plat/mediaserver.te b/basic/non_plat/mediaserver.te
new file mode 100644
index 0000000..1cc0cf4
--- /dev/null
+++ b/basic/non_plat/mediaserver.te
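Review bot: `allow mediaextractor vfat:file r_file_perms;` and `allow mediaextractor platform_app:file r_file_perms;` both include `open`, so the extractor can open files by path instead of working only on descriptors handed to it. mediaextractor parses attacker-supplied containers and is normally confined to pre-opened fds for that reason; if its callers do pass descriptors, `allow mediaextractor vfat:file { read getattr };` would be enough. The block under `#============= mediaextractor ==============` looks like unedited audit2allow output, so it should get Date and Purpose lines like the other files before it is kept.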
@@ -0,0 +1,309 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK14.31 +# Operation : Migration +# Purpose : camera devices access. +allow mediaserver camera_isp_device:chr_file rw_file_perms; +allow mediaserver ccu_device:chr_file rw_file_perms; +allow mediaserver vpu_device:chr_file rw_file_perms; +allow mediaserver mdla_device:chr_file rw_file_perms; +allow mediaserver apusys_device:chr_file rw_file_perms; +allow mediaserver sysfs_apusys_queue:dir r_dir_perms; +allow mediaserver sysfs_apusys_queue:file r_file_perms; +allow mediaserver kd_camera_hw_device:chr_file rw_file_perms; +allow mediaserver seninf_device:chr_file rw_file_perms; +allow mediaserver self:capability { setuid ipc_lock sys_nice net_admin }; +allow mediaserver sysfs_wake_lock:file rw_file_perms; +allow mediaserver MTK_SMI_device:chr_file r_file_perms; +allow mediaserver camera_pipemgr_device:chr_file r_file_perms; +allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms; +allow mediaserver lens_device:chr_file rw_file_perms; + +# Date : WK14.32 +# Operation : Migration +# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. 
+allow mediaserver sdcard_type:dir create_dir_perms; +allow mediaserver sdcard_type:file create_file_perms; +allow mediaserver nvram_data_file:lnk_file read; +allow mediaserver nvdata_file:lnk_file read; + +# Date : WK14.34 +# Operation : Migration +# Purpose : nvram access (dumchar case for nand and legacy chip) +allow mediaserver nvram_device:chr_file rw_file_perms; + +# Date : WK14.36 +# Operation : Migration +# Purpose : media server and bt process communication for A2DP data.and other control flow +allow mediaserver bluetooth:unix_dgram_socket sendto; +allow mediaserver bt_a2dp_stream_socket:sock_file write; +allow mediaserver bt_int_adp_socket:sock_file write; + +# Date : WK14.37 +# Operation : Migration +# Purpose : camera ioctl +allow mediaserver camera_sysram_device:chr_file r_file_perms; + +# Date : WK14.36 +# Operation : Migration +# Purpose : VDEC/VENC device node +allow mediaserver Vcodec_device:chr_file rw_file_perms; + +# Date : WK14.36 +# Operation : Migration +# Purpose : access nvram, otp, ccci cdoec devices. 
+allow mediaserver ccci_device:chr_file rw_file_perms; +allow mediaserver eemcs_device:chr_file rw_file_perms; +allow mediaserver devmap_device:chr_file r_file_perms; +allow mediaserver ebc_device:chr_file rw_file_perms; +allow mediaserver nvram_device:blk_file rw_file_perms; +allow mediaserver bootdevice_block_device:blk_file rw_file_perms; + +# Date : WK14.36 +# Operation : Migration +# Purpose : for SW codec VP/VR +allow mediaserver mtk_sched_device:chr_file rw_file_perms; + +# Date : WK14.38 +# Operation : Migration +# Purpose : FM driver access +allow mediaserver fm_device:chr_file rw_file_perms; + +# Data : WK14.38 +# Operation : Migration +# Purpose : for VP/VR +allow mediaserver FM50AF_device:chr_file rw_file_perms; +allow mediaserver AD5820AF_device:chr_file rw_file_perms; +allow mediaserver DW9714AF_device:chr_file rw_file_perms; +allow mediaserver DW9814AF_device:chr_file rw_file_perms; +allow mediaserver AK7345AF_device:chr_file rw_file_perms; +allow mediaserver DW9714A_device:chr_file rw_file_perms; +allow mediaserver LC898122AF_device:chr_file rw_file_perms; +allow mediaserver LC898212AF_device:chr_file rw_file_perms; +allow mediaserver BU6429AF_device:chr_file rw_file_perms; +allow mediaserver DW9718AF_device:chr_file rw_file_perms; +allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms; +allow mediaserver MAINAF_device:chr_file rw_file_perms; +allow mediaserver MAIN2AF_device:chr_file rw_file_perms; +allow mediaserver MAIN3AF_device:chr_file rw_file_perms; +allow mediaserver MAIN4AF_device:chr_file rw_file_perms; +allow mediaserver SUBAF_device:chr_file rw_file_perms; +allow mediaserver SUB2AF_device:chr_file rw_file_perms; + +# Data : WK14.38 +# Operation : Migration +# Purpose : for boot animation. 
+binder_call(mediaserver, bootanim) +binder_call(mediaserver, mtkbootanimation) + +# Date : WK14.39 +# Operation : Migration +# Purpose : FDVT Driver +allow mediaserver camera_fdvt_device:chr_file rw_file_perms; + +# Date : WK14.40 +# Operation : Migration +# Purpose : HDMI driver access +allow mediaserver graphics_device:chr_file rw_file_perms; + +# Date : WK14.40 +# Operation : Migration +# Purpose : Smartpa +allow mediaserver smartpa_device:chr_file rw_file_perms; + +# Data : WK14.40 +# Operation : Migration +# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci +binder_call(mediaserver, audiocmdservice_atci) + +# Date : WK14.40 +# Operation : Migration +# Purpose : mtk_jpeg +allow mediaserver mtk_jpeg_device:chr_file r_file_perms; + +# Date : WK14.41 +# Operation : Migration +# Purpose : WFD HID Driver +allow mediaserver uhid_device:chr_file rw_file_perms; + +# Date : WK14.41 +# Operation : Migration +# Purpose : Camera EEPROM Calibration +allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms; +allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms; +allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms; +allow mediaserver camera_eeprom_device:chr_file rw_file_perms; +allow mediaserver seninf_n3d_device:chr_file rw_file_perms; + +# Date : WK14.43 +# Operation : Migration +# Purpose : VOW +allow mediaserver vow_device:chr_file rw_file_perms; + +# Date: WK14.44 +# Operation : Migration +# Purpose : EVDO +allow mediaserver rpc_socket:sock_file write; +allow mediaserver ttySDIO_device:chr_file rw_file_perms; + +# Data: WK14.44 +# Operation : Migration +# Purpose : VP +allow mediaserver surfaceflinger:file getattr; + +# Data: WK14.44 +# Operation : Migration +# Purpose : for low SD card latency issue +allow mediaserver sysfs_lowmemorykiller:file r_file_perms; + +# Data: WK14.45 +# Operation : Migration +# Purpose : for change thermal policy when needed +allow mediaserver proc_mtkcooler:dir search; +allow mediaserver proc_mtktz:dir 
search; +allow mediaserver proc_thermal:dir search; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for MTK Emulator HW GPU +allow mediaserver qemu_pipe_device:chr_file rw_file_perms; + +# Date : WK14.46 +# Operation : Migration +# Purpose : for camera init +allow mediaserver system_server:unix_stream_socket rw_socket_perms_no_ioctl; + +# Data : WK14.46 +# Operation : Migration +# Purpose : for SMS app +allow mediaserver radio_data_file:dir search; +allow mediaserver radio_data_file:file open; + +# Data : WK14.47 +# Operation : Audio playback +# Purpose : Music as ringtone +allow mediaserver radio:dir r_dir_perms; +allow mediaserver radio:file r_file_perms; + +# Data : WK14.47 +# Operation : CTS +# Purpose : cts search strange app +allow mediaserver untrusted_app:dir search; + +# Date : WK15.03 +# Operation : Migration +# Purpose : offloadservice +allow mediaserver offloadservice_device:chr_file rw_file_perms; + +# Date : WK15.32 +# Operation : Pre-sanity +# Purpose : 3A algorithm need to access sensor service +allow mediaserver sensorservice_service:service_manager find; + +# Date : WK15.34 +# Operation : Migration +# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump +allow mediaserver storage_file:lnk_file rw_file_perms; +allow mediaserver mnt_user_file:dir rw_dir_perms; +allow mediaserver mnt_user_file:lnk_file rw_file_perms; + +# Date : WK15.35 +# Operation : Migration +# Purpose: Allow mediaserver to read binder from surfaceflinger +allow mediaserver surfaceflinger:fifo_file rw_file_perms; + +# Date : WK15.46 +# Operation : Migration +# Purpose : DPE Driver +allow mediaserver camera_dpe_device:chr_file rw_file_perms; + +# Date : WK15.46 +# Operation : Migration +# Purpose : TSF Driver +allow mediaserver camera_tsf_device:chr_file rw_file_perms; + +# Date : WK16.32 +# Operation : N Migration +# Purpose : RSC Driver +allow mediaserver camera_rsc_device:chr_file rw_file_perms; + +# Date : WK16.33 +# Purpose: Allow to 
access ged for gralloc_extra functions +allow mediaserver proc_ged:file rw_file_perms; +allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls }; + +# Date : WK16.33 +# Operation : N Migration +# Purpose : GEPF Driver +allow mediaserver camera_gepf_device:chr_file rw_file_perms; + +# Date : WK16.35 +# Operation : Migration +# Purpose : Update camera flashlight driver device file +allow mediaserver flashlight_device:chr_file rw_file_perms; + +# Date : WK16.43 +# Operation : N Migration +# Purpose : WPE Driver +allow mediaserver camera_wpe_device:chr_file rw_file_perms; +allow mediaserver gpu_device:dir search; +allow mediaserver sw_sync_device:chr_file rw_file_perms; + +# Date : WK17.19 +# Operation : N Migration +# Purpose : OWE Driver +allow mediaserver camera_owe_device:chr_file rw_file_perms; + +# Date : WK17.30 +# Operation : O Migration +# Purpose: Allow to access cmdq driver +allow mediaserver mtk_cmdq_device:chr_file r_file_perms; +allow mediaserver mtk_mdp_device:chr_file r_file_perms; +allow mediaserver mtk_mdp_sync_device:chr_file r_file_perms; +hal_client_domain(mediaserver, hal_mtk_mms) + +# Date : WK17.43 +# Operation : Migration +# Purpose : DISP access +allow mediaserver graphics_device:dir search; + +# Date : WK17.44 +# Operation : Migration +# Purpose : DIP Driver +allow mediaserver camera_dip_device:chr_file rw_file_perms; + +# Date : WK17.44 +# Operation : Migration +# Purpose : MFB Driver +allow mediaserver camera_mfb_device:chr_file rw_file_perms; + +# Date : WK17.49 +# Operation : MT6771 SQC +# Purpose : Allow permgr access +allow mediaserver proc_perfmgr:dir r_dir_perms; +allow mediaserver proc_perfmgr:file r_file_perms; +allowxperm mediaserver proc_perfmgr:file ioctl { + PERFMGR_FPSGO_DEQUEUE + PERFMGR_FPSGO_QUEUE_CONNECT + PERFMGR_FPSGO_QUEUE + PERFMGR_FPSGO_BQID +}; + +# Date : WK18.18 +# Operation : Migration +# Purpose : wifidisplay hdcp +# DRM Key Manage HIDL +binder_call(mediaserver, mtk_hal_keymanage) + +# Date : WK21.25 +# 
Operation : Migration +# Purpose : PDA Driver +allow mediaserver camera_pda_device:chr_file rw_file_perms; + +# Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service. +hal_client_domain(mediaserver, hal_keymaster) +hal_client_domain(mediaserver, hal_power) + +allow mediaserver vpud_device:chr_file rw_file_perms; diff --git a/basic/non_plat/mediaswcodec.te b/basic/non_plat/mediaswcodec.te new file mode 100644 index 0000000..d5ed060 --- /dev/null +++ b/basic/non_plat/mediaswcodec.te @@ -0,0 +1,16 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK19.25 +# Operation : Migration +# Purpose : [ALPS04669482] DRTS failed due to avc denied +allow mediaswcodec debugfs_ion:dir rw_dir_perms; +allow mediaswcodec gpu_device:dir rw_dir_perms; +allow mediaswcodec gpu_device:chr_file rw_file_perms; +allow mediaswcodec dri_device:chr_file rw_file_perms; + +# Date : WK20.38 +# Purpose: Allow to access ged for gralloc_extra functions +allow mediaswcodec proc_ged:file rw_file_perms; +allowxperm mediaswcodec proc_ged:file ioctl { proc_ged_ioctls }; diff --git a/basic/non_plat/merged_hal_service.te b/basic/non_plat/merged_hal_service.te new file mode 100644 index 0000000..d0f003c --- /dev/null +++ b/basic/non_plat/merged_hal_service.te 
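Review bot: `allow mediaserver bootdevice_block_device:blk_file rw_file_perms;` (WK14.36, "access nvram, otp, ccci cdoec devices") gives mediaserver raw read/write on whatever partitions carry that label, bypassing every file-level label on them. mediaserver handles untrusted media and camera input, so NVRAM access is better routed through a HAL client rule such as the `hal_mtk_nvramagent` one used in merged_hal_service.te; if only reads are needed, reduce it to `r_file_perms`. The rule `allow mediaserver self:capability { setuid ipc_lock sys_nice net_admin };` is filed under "camera devices access", and `setuid` and `net_admin` in particular need their own Purpose line or removal.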
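Review bot: `allow mediaswcodec debugfs_ion:dir rw_dir_perms;` and `allow mediaswcodec gpu_device:dir rw_dir_perms;` are wider than what mediacodec.te grants on the same directories, which is `search` only. The only stated reason is "DRTS failed due to avc denied", and the denial itself is not quoted, so the extra write and add_name permissions are unexplained for a domain that runs software decoders on untrusted input. Use `allow mediaswcodec debugfs_ion:dir search;` and `allow mediaswcodec gpu_device:dir search;` unless the denial shows more, and paste the avc line into the comment.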
@@ -0,0 +1,68 @@ +# ============================================================================== +# Type Declaration +# ============================================================================== +type merged_hal_service, domain; +type merged_hal_service_exec, exec_type, file_type, vendor_file_type; + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +init_daemon_domain(merged_hal_service) + +hal_server_domain(merged_hal_service, hal_vibrator) +hal_server_domain(merged_hal_service, hal_light) +hal_server_domain(merged_hal_service, hal_power) +hal_server_domain(merged_hal_service, hal_thermal) +hal_server_domain(merged_hal_service, hal_memtrack) + +#mtk libs_hidl_service permissions +hal_server_domain(merged_hal_service, hal_mtk_lbs) + +vndbinder_use(merged_hal_service) +unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd) +allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto; + +#mtk_gnss permissions +hal_server_domain(merged_hal_service, hal_gnss) +allow merged_hal_service mnld_data_file:sock_file create_file_perms; +allow merged_hal_service mnld_data_file:dir create_dir_perms; +allow merged_hal_service mnld:unix_dgram_socket sendto; + +#graphics allocator permissions +hal_server_domain(merged_hal_service, hal_graphics_allocator) +allow merged_hal_service gpu_device:dir search; +allow merged_hal_service sw_sync_device:chr_file rw_file_perms; +allow merged_hal_service debugfs_tracing:file w_file_perms; + +#for ape hidl permissions +hal_server_domain(merged_hal_service, hal_mtk_codecservice) +hal_client_domain(merged_hal_service, hal_allocator) + +#for default drm permissions +hal_server_domain(merged_hal_service, hal_drm) +allow merged_hal_service mediacodec:fd use; +allow merged_hal_service { appdomain -isolated_app }:fd use; + +# Date : WK18.23 +# Operation : P Migration +# Purpose : add grant permission for Thermal HAL mtktz and proc +allow merged_hal_service 
proc_mtktz:dir search; +allow merged_hal_service proc_mtktz:file r_file_perms; +allow merged_hal_service proc_stat:file r_file_perms; + +#for uevent handle +allow merged_hal_service self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +#for thermal sysfs +allow merged_hal_service sysfs_therm:file rw_file_perms; +allow merged_hal_service sysfs_therm:dir search; + + +# Date : WK19.11 +# Operation : Q Migration +allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls }; + +# Date: 2019/06/14 +# Operation : Migration +hal_client_domain(merged_hal_service, hal_mtk_nvramagent) diff --git a/basic/non_plat/meta_tst.te b/basic/non_plat/meta_tst.te new file mode 100644 index 0000000..bdb87cb --- /dev/null +++ b/basic/non_plat/meta_tst.te 
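Review bot: `allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };` (WK19.11) has no `allow merged_hal_service proc_ged:file ...` rule in this file, and an allowxperm grants nothing by itself; it only filters an `ioctl` permission given elsewhere. If that permission is expected to arrive through the `hal_graphics_allocator` attribute, say so in a comment above the rule; otherwise add the matching allow, as the media domains do with `allow mediaserver proc_ged:file rw_file_perms;`. This domain also hosts `hal_drm` alongside the GNSS, power, thermal and vibrator servers, so a flaw in any of them shares a process with the DRM HAL. A comment stating when the merged service replaces the separate HAL domains would help reviewers weigh that.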
@@ -0,0 +1,414 @@
+# ==============================================
+# Policy File of /vendor/bin/meta_tst Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type meta_tst, domain;
+type meta_tst_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(meta_tst)
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node USB
+allow meta_tst ttyGS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyMT_device:chr_file rw_file_perms;
+
+# Date: WK17.12
+# Operation : Migration
+# Purpose : for meta mode device node UART
+allow meta_tst ttyS_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode device node CCCI
+allow meta_tst ccci_device:chr_file rw_file_perms;
+allow meta_tst eemcs_device:chr_file rw_file_perms;
+allow meta_tst emd_device:chr_file rw_file_perms;
+allow meta_tst ttyACM_device:chr_file rw_file_perms;
+allow meta_tst mdlog_device:chr_file rw_file_perms;
+
+# Data: WK15.07
+# Purpose : SDIO
+allow meta_tst ttySDIO_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode file system
+allow meta_tst bootdevice_block_device:blk_file rw_file_perms;
+allow meta_tst mmcblk1_block_device:blk_file rw_file_perms;
+allow meta_tst userdata_block_device:blk_file rw_file_perms;
+allow meta_tst cache_block_device:blk_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode nvram
+allow meta_tst nvram_data_file:dir create_dir_perms;
+allow meta_tst nvram_data_file:file create_file_perms;
+allow meta_tst nvram_data_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:lnk_file r_file_perms;
+allow meta_tst nvdata_file:dir create_dir_perms;
+allow meta_tst nvdata_file:file create_file_perms;
+allow meta_tst nvram_device:chr_file rw_file_perms;
+allow meta_tst nvram_device:blk_file rw_file_perms;
+allow meta_tst nvdata_device:blk_file rw_file_perms;
+read_fstab(meta_tst)
+get_prop(meta_tst, vendor_mtk_rat_config_prop)
+
+# Date: WK14.47
+# Operation : Migration
+# Purpose : for meta mode audio
+allow meta_tst audio_device:chr_file rw_file_perms;
+allow meta_tst audio_device:dir rw_dir_perms;
+allow meta_tst audio_ipi_device:chr_file rw_file_perms;
+set_prop(meta_tst, vendor_mtk_audiohal_prop)
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : for meta mode RTC and PMIC
+allow meta_tst rtc_device:chr_file r_file_perms;
+allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date: WK14.46
+# Operation : Migration
+# Purpose : Camera
+allow meta_tst devmap_device:chr_file rw_file_perms;
+allow meta_tst camera_pipemgr_device:chr_file rw_file_perms;
+allow meta_tst MTK_SMI_device:chr_file rw_file_perms;
+allow meta_tst camera_isp_device:chr_file rw_file_perms;
+allow meta_tst camera_sysram_device:chr_file r_file_perms;
+allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms;
+allow meta_tst kd_camera_hw_device:chr_file rw_file_perms;
+allow meta_tst AD5820AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714AF_device:chr_file rw_file_perms;
+allow meta_tst DW9714A_device:chr_file rw_file_perms;
+allow meta_tst LC898122AF_device:chr_file rw_file_perms;
+allow meta_tst LC898212AF_device:chr_file rw_file_perms;
+allow meta_tst BU6429AF_device:chr_file rw_file_perms;
+allow meta_tst DW9718AF_device:chr_file rw_file_perms;
+allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms;
+allow meta_tst MAINAF_device:chr_file rw_file_perms;
+allow meta_tst MAIN2AF_device:chr_file rw_file_perms;
+allow meta_tst MAIN3AF_device:chr_file rw_file_perms;
+allow meta_tst MAIN4AF_device:chr_file rw_file_perms;
+allow meta_tst SUBAF_device:chr_file rw_file_perms;
+allow meta_tst SUB2AF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode LCM
+allow meta_tst graphics_device:chr_file rw_file_perms;
+allow meta_tst graphics_device:dir search;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode sensor
+allow meta_tst als_ps_device:chr_file r_file_perms;
+allow meta_tst gsensor_device:chr_file r_file_perms;
+allow meta_tst msensor_device:chr_file r_file_perms;
+allow meta_tst gyroscope_device:chr_file r_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode FM
+allow meta_tst fm_device:chr_file rw_file_perms;
+allow meta_tst FM50AF_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode wifi
+allow meta_tst wmtWifi_device:chr_file w_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode BT
+allow meta_tst stpbt_device:chr_file rw_file_perms;
+
+# Date: WK16.12
+# Operation : Migration
+# Purpose : meta mode GPS
+allow meta_tst gps_data_file:dir { w_dir_perms unlink};
+allow meta_tst gps_data_file:file create_file_perms;
+allow meta_tst gps_data_file:lnk_file r_file_perms;
+allow meta_tst tmpfs:lnk_file r_file_perms;
+allow meta_tst agpsd_data_file:dir search;
+allow meta_tst agpsd_data_file:sock_file w_file_perms;
+allow meta_tst mnld_device:chr_file rw_file_perms;
+allow meta_tst stpgps_device:chr_file rw_file_perms;
+allow meta_tst mnld_exec:file rx_file_perms;
+allow meta_tst mnld:unix_dgram_socket sendto;
+set_prop(meta_tst, vendor_mtk_mnld_prop)
+
+#Date WK14.49
+#Operation : Migration
+#Purpose : DRM key installation
+allow meta_tst key_install_data_file:dir w_dir_perms;
+allow meta_tst key_install_data_file:file create_file_perms;
+
+# Date: WK14.51
+# Purpose : set/get cryptfs cfg in sys env
+allow meta_tst misc_device:chr_file rw_file_perms;
+allow meta_tst proc_lk_env:file rw_file_perms;
+
+# Purpose : FT_EMMC_OP_FORMAT_TCARD
+allow meta_tst system_block_device:blk_file getattr;
+
+# Date: WK15.52
+# Purpose : NVRAM related LID
+allow meta_tst pro_info_device:chr_file rw_file_perms;
+
+# Date: WK15.13
+# Purpose: for nand project
+allow meta_tst mtd_device:dir search;
+allow meta_tst mtd_device:chr_file rw_file_perms;
+
+# Date: WK16.17
+# Purpose: N Migration For ccci sysfs node
+allow meta_tst sysfs_ccci:dir search;
+allow meta_tst sysfs_ccci:file r_file_perms;
+
+#Date: W18.22
+# Purpose: P Migration meta_tst get com port type/uart port info/boot mode/usb state/usb close
+allow meta_tst sysfs_comport_type:file rw_file_perms;
+allow meta_tst sysfs_uart_info:file rw_file_perms;
+allow meta_tst sysfs_boot_mode:file rw_file_perms;
+allow meta_tst sysfs_boot_type:file r_file_perms;
+allow meta_tst sysfs_android_usb:file rw_file_perms;
+allow meta_tst sysfs_android_usb:dir search;
+allow meta_tst sysfs_usb_nonplat:file rw_file_perms;
+allow meta_tst sysfs_usb_nonplat:dir search;
+allow meta_tst sysfs_batteryinfo:file rw_file_perms;
+allow meta_tst sysfs_batteryinfo:dir search;
+
+#Date: W16.17
+# Purpose: N Migration For meta_tst load MD NVRAM database
+# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type=
+#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm=
+#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst:
+#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
+allow meta_tst system_file:dir r_dir_perms;
+
+# Date: WK16.18
+# Purpose: for CCCI reboot modem
+allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : WK16.35
+# Purpose : Update camera flashlight driver device file
+allow meta_tst flashlight_device:chr_file rw_file_perms;
+
+#Date: W16.36
+# Purpose: meta_tst use libmeta_rat to write libsysenv
+# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7):
+#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs"
+#ino=4561 scontext=u:r:meta_tst:s0 tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
+allow meta_tst para_block_device:blk_file rw_file_perms;
+
+#Date: W16.44
+allow meta_tst nvcfg_file:dir r_dir_perms;
+
+#Date: W16.45
+# Purpose : Allow unmount sdcardfs mounted on /data/media
+allow meta_tst sdcard_type:filesystem unmount;
+allow meta_tst storage_stub_file:dir search;
+
+# Date : WK16.19
+# Operation: meta_tst set persist.meta.connecttype property
+# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb".
+set_prop(meta_tst, vendor_mtk_meta_connecttype_prop)
+
+# Date : WK16.23
+# Purpose: support meta_tst check key event
+allow meta_tst input_device:dir r_dir_perms;
+allow meta_tst input_device:chr_file r_file_perms;
+
+# Date : WK16.29
+# Purpose: support meta mode show string on screen
+allow meta_tst ashmem_device:chr_file x_file_perms;
+
+#Date: W16.50
+# Purpose : Allow meta_tst stop service which occupy data partition.
+set_prop(meta_tst, ctl_default_prop)
+
+#Date: W17.25
+# Purpose : Allow meta_tst stop service which occupy data partition.
+set_prop(meta_tst, system_mtk_ctl_emdlogger1_prop)
+
+#Date: W17.27
+# Purpose: STMicro NFC solution integration
+allow meta_tst vendor_file:file rx_file_perms;
+allow meta_tst debugfs_tracing:file w_file_perms;
+
+# Date: W17.29
+# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
+hal_client_domain(meta_tst, hal_mtk_keyattestation)
+
+# Date : WK17.30
+# Operation : Android O migration
+# Purpose : add sepolicy for accessing sysfs_leds
+allow meta_tst sysfs_leds:lnk_file r_file_perms;
+allow meta_tst sysfs_leds:file rw_file_perms;
+allow meta_tst sysfs_leds:dir r_dir_perms;
+
+# Date: WK17.43
+# Purpose: add permission for meta_tst access md image
+allow meta_tst md_block_device:blk_file r_file_perms;
+allow meta_tst mddb_data_file:file create_file_perms;
+allow meta_tst mddb_data_file:dir create_dir_perms;
+
+# Date: W17.43
+# Purpose : Allow meta_tst to call Audio HAL service
+binder_call(meta_tst, mtk_hal_audio)
+allow meta_tst mtk_audiohal_data_file:dir r_dir_perms;
+
+#Data:W1745
+# Purpose : Allow meta_tst to open and read proc/bootprof
+allow meta_tst proc_bootprof:file rw_file_perms;
+
+# Date:W17.51
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(meta_tst, hal_mtk_lbs)
+
+# Data:W1750
+# Purpose : Allow meta_tst to access mtd device
+allow meta_tst mtd_device:blk_file rw_file_perms;
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM.
+set_prop(meta_tst, vendor_mtk_atm_mdmode_prop)
+
+#Date: W17.51
+#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM.
+set_prop(meta_tst, vendor_mtk_atm_ipaddr_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow meta_tst to get vendor_mtk_tel_switch_prop
+get_prop(meta_tst, vendor_mtk_tel_switch_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to call nvram hal
+hal_client_domain(meta_tst, hal_mtk_nvramagent)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose : Allow meta_tst to write misc partition
+allow meta_tst block_device:dir search;
+
+# Date : W18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to access tpd sysfs nodes for CTP test
+allow meta_tst sysfs_tpd_setting:dir search;
+allow meta_tst sysfs_tpd_setting:file r_file_perms;
+
+# Date : WK18.24
+# Operation: P migration
+# Purpose : Allow meta_tst to unmount partition, stop service, and then erase partition
+allow meta_tst vendor_shell_exec:file rx_file_perms;
+allow meta_tst vendor_toolbox_exec:file x_file_perms;
+allow meta_tst labeledfs:filesystem { unmount };
+allow meta_tst proc_cmdline:file r_file_perms;
+allow meta_tst self:capability { sys_admin sys_module net_admin net_raw sys_time };
+allow meta_tst sysfs_dt_firmware_android:file r_file_perms;
+allow meta_tst sysfs_dt_firmware_android:dir r_dir_perms;
+
+# Purpose : Allow meta_tst to communicate with driver thru socket
+allow meta_tst self:udp_socket create_socket_perms;
+allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose : GPS test, Allow meta_tst to write/connect tcp socket
+allow meta_tst node:tcp_socket node_bind;
+allow meta_tst port:tcp_socket { name_bind name_connect };
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose : AUDIO test, Allow meta_tst to write/read asound
+allow meta_tst proc_asound:dir r_dir_perms;
+allow meta_tst proc_asound:file rw_file_perms;
+allow meta_tst sysfs_headset:file r_file_perms;
+
+# Date: W18.05
+# Purpose : Allow meta_tst to use socket for listening uevent
+allow meta_tst meta_tst:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK18.28
+# Operation: P migration
+# Purpose :
+set_prop(meta_tst, vendor_mtk_usb_prop)
+
+# Date: W18.32
+# Operation: Android P migration
+# Purpose : Allow meta_tst to set powerctl property
+# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
+# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0
+set_prop(meta_tst, powerctl_prop)
+
+# Data: W18.42
+# Operation: Android P migration
+# Purpose : add socket permission for meta
+allow meta_tst fwmarkd_socket:sock_file write;
+
+#Date: W18.42
+# Operation: Android P migration
+# Purpose : Add ATM meta mvram sepolicy
+allow meta_tst mnt_vendor_file:dir search;
+
+# Date : WK18.44
+# Operation: P migration
+# Purpose : adsp
+allow meta_tst adsp_device:chr_file rw_file_perms;
+
+# Date : WK19.08
+# Operation: P migration
+# Purpose : audio scp recovery
+allow meta_tst audio_scp_device:chr_file r_file_perms;
+
+# Date : WK19.50
+# Purpose: Allow bt process or tool to control bt_dbg
+allow meta_tst proc_btdbg:file rw_file_perms;
+
+# Date : WK20.07
+# Operation: R migration
+# Purpose : Add permission for new device node.
+allow meta_tst sysfs_boot_info:file r_file_perms;
+allow meta_tst sysfs_meta_info:file r_file_perms;
+
+# Date : WK20.16
+# Operation: R migration
+# Purpose : Allow meta_tst to access /sys/power/*
+allow meta_tst sysfs_power:file rw_file_perms;
+allow meta_tst sysfs_power:dir r_dir_perms;
+allow meta_tst self:capability2 block_suspend;
+
+# Date : WK20.14
+# Purpose: Allow meta connect GPS MNLD
+allow meta_tst mnld:unix_stream_socket connectto;
+
+# Date : WK20.25
+# Operation: Android R migration
+# Purpose : for sensor test
+allow meta_tst hf_manager_device:chr_file rw_file_perms;
+
+# Date : WK20.25
+# Operation: Android S migration
+# Purpose : Allow meta_tst to operate tcp socket
+allow meta_tst self:tcp_socket { listen accept create_socket_perms_no_ioctl };
+
+allow meta_tst meta_atci_socket:sock_file w_file_perms;
+
+# Date : WK21.40
+# Operation: Android S migration
+# Purpose : Allow meta_tst to read/write ccci/ccb
+allow meta_tst ccci_ccb_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/mmc_ffu.te b/basic/non_plat/mmc_ffu.te
new file mode 100644
index 0000000..c2bfb40
--- /dev/null
+++ b/basic/non_plat/mmc_ffu.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /system/bin/mmc_ffu Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mmc_ffu, domain;
+type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mmc_ffu)
+
+# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
+allow mmc_ffu misc_sd_device:chr_file r_file_perms;
+
+#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
+allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;
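Review bot: In meta_tst.te, `allow meta_tst self:capability { sys_admin sys_module net_admin net_raw sys_time };` grants five capabilities under a purpose comment about unmounting and erasing partitions, which accounts for `sys_admin` at most; `sys_module`, `net_raw` and `sys_time` have no stated reason. The same domain also gets `allow meta_tst port:tcp_socket { name_bind name_connect };`, `self:tcp_socket { listen accept ... }`, raw `rw_file_perms` on `userdata_block_device` and `bootdevice_block_device`, and `set_prop` on `ctl_default_prop` and `powerctl_prop`, so a process that can listen on any TCP port can also load kernel modules and rewrite partitions. Nothing in the policy confines this to meta boot mode; that presumably rests on init only starting the service in that mode, which is not visible in this patch and should be stated in a comment at the top of the file. I would split the capability rule into one line per capability with its reason, for example `allow meta_tst self:capability sys_admin; # unmount before partition erase`, drop any capability that no observed denial requires, and run the result against the platform neverallow checks. The `# Purpose :` line above `set_prop(meta_tst, vendor_mtk_usb_prop)` is empty and should be filled in too.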
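Review bot: The header comment in mmc_ffu.te says `/system/bin/mmc_ffu`, but `mmc_ffu_exec` is declared with `vendor_file_type`, so the comment and the label disagree about which partition the binary lives on. The matching file_contexts entry is not part of this hunk, so which of the two is right cannot be confirmed from here; if the binary is on the vendor partition the comment should read `# Policy File of /vendor/bin/mmc_ffu Executable File`. `allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;` gives the helper write access to the whole boot device, so a comment stating when init starts this service (for example only during a firmware upgrade) would let a reviewer judge the exposure.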
diff --git a/basic/non_plat/mnld.te b/basic/non_plat/mnld.te
new file mode 100644
index 0000000..996dea4
--- /dev/null
+++ b/basic/non_plat/mnld.te
@@ -0,0 +1,121 @@
+# ==============================================
+# Policy File of /vendor/bin/mnld Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mnld, domain;
+type mnld_exec, exec_type, file_type, vendor_file_type;
+typeattribute mnld mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# STOPSHIP: Permissive is not allowed. CTS violation!
+init_daemon_domain(mnld)
+
+net_domain(mnld)
+
+# Purpose : For communicate with AGPSD by socket
+allow mnld agpsd_data_file:dir create_dir_perms;
+allow mnld agpsd_data_file:sock_file create_file_perms;
+allow mnld mtk_agpsd:unix_dgram_socket sendto;
+allow mnld sysfs_wake_lock:file rw_file_perms;
+
+# Purpose : For access NVRAM data
+allow mnld nvram_data_file:dir create_dir_perms;
+allow mnld nvram_data_file:file create_file_perms;
+allow mnld nvram_data_file:lnk_file r_file_perms;
+allow mnld nvdata_file:lnk_file r_file_perms;
+allow mnld nvram_device:blk_file rw_file_perms;
+allow mnld nvram_device:chr_file rw_file_perms;
+allow mnld nvdata_file:dir create_dir_perms;
+allow mnld nvdata_file:file create_file_perms;
+allow mnld gsi_metadata_file:dir search;
+
+# Purpose : For access kernel device
+allow mnld mnld_data_file:dir rw_dir_perms;
+allow mnld mnld_data_file:sock_file create_file_perms;
+allow mnld mnld_device:chr_file rw_file_perms;
+allow mnld stpgps_device:chr_file rw_file_perms;
+allow mnld gps2scp_device:chr_file rw_file_perms;
+allow mnld gps_pwr_device:chr_file rw_file_perms;
+allow mnld mnld_data_file:file create_file_perms;
+allow mnld mnld_data_file:fifo_file create_file_perms;
+allow mnld gps_emi_device:chr_file rw_file_perms;
+
+# Purpose : For init process
+allow mnld init:udp_socket rw_socket_perms_no_ioctl;
+
+# Purpose : For RTKSDK
+allow mnld proc_net:file r_file_perms;
+allow mnld gps_data_file:sock_file create_file_perms;
+
+# Send the message to the LBS HIDL Service to forward to applications
+allow mnld lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to applications
+allow mnld merged_hal_service:unix_dgram_socket sendto;
+
+# Purpose : For access system data
+allow mnld block_device:dir search;
+set_prop(mnld, vendor_mtk_mnld_prop)
+allow mnld mdlog_device:chr_file rw_file_perms;
+allow mnld self:capability fsetid;
+allow mnld stpbt_device:chr_file rw_file_perms;
+allow mnld gpsdl_device:chr_file rw_file_perms;
+allow mnld ttyGS_device:chr_file rw_file_perms;
+
+# Purpose : For file system operations
+allow mnld sdcard_type:dir create_dir_perms;
+allow mnld sdcard_type:file create_file_perms;
+allow mnld tmpfs:lnk_file create_file_perms;
+allow mnld mtd_device:dir search;
+allow mnld mnt_user_file:lnk_file r_file_perms;
+allow mnld mnt_user_file:dir search;
+allow mnld gps_data_file:dir { create_dir_perms unlink };
+allow mnld gps_data_file:file create_file_perms;
+allow mnld gps_data_file:lnk_file r_file_perms;
+
+allow mnld storage_file:lnk_file r_file_perms;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow mnld proc_lk_env:file rw_file_perms;
+
+# For HIDL, communicate mtk_hal_gnss instead of system_server
+allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
+
+# Purpose : MPE sensor HIDL policy
+hwbinder_use(mnld)
+binder_call(mnld, system_server)
+allow mnld fwk_sensor_hwservice:hwservice_manager find;
+get_prop(mnld, hwservicemanager_prop)
+allow mnld debugfs_tracing:file w_file_perms;
+
+allow mnld mnt_vendor_file:dir search;
+
+#get waks_alarm timer create prop
+allow mnld mnld:capability2 wake_alarm;
+
+# Date : WK18.26
+# Purpose : for atci gps test
+allow mnld atci_service:unix_dgram_socket sendto;
+
+allow mnld sysfs_boot_mode:file r_file_perms;
+
+set_prop(mnld, vendor_mtk_radio_prop)
+
+allow mnld proc_cmdline:file r_file_perms;
+allow mnld sysfs_dt_firmware_android:dir search;
+allow mnld sysfs_dt_firmware_android:file r_file_perms;
+allow mnld metadata_file:dir search;
+
+#for mnld get screen on/off
+allow mnld sysfs_leds:dir search;
+allow mnld sysfs_leds:file r_file_perms;
+
+#Add for /nvcfg/almanac.dat
+allow mnld nvcfg_file:dir w_dir_perms;
+allow mnld nvcfg_file:file create_file_perms;
diff --git a/basic/non_plat/mobicore.te b/basic/non_plat/mobicore.te
new file mode 100644
index 0000000..1f00d94
--- /dev/null
+++ b/basic/non_plat/mobicore.te
@@ -0,0 +1 @@
+type mobicore, domain;
diff --git a/basic/non_plat/mobicore_app.te b/basic/non_plat/mobicore_app.te
new file mode 100644
index 0000000..f501355
--- /dev/null
+++ b/basic/non_plat/mobicore_app.te
@@ -0,0 +1 @@
+type mobicore_app, domain;
diff --git a/basic/non_plat/mtk_agpsd.te b/basic/non_plat/mtk_agpsd.te
new file mode 100644
index 0000000..127ff34
--- /dev/null
+++ b/basic/non_plat/mtk_agpsd.te
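Review bot: In mnld.te, `typeattribute mnld mlstrustedsubject;` is added with no rationale, and it exempts the domain from the MLS constraints that would otherwise apply to the objects its allow rules reach. That matters here because mnld is also a `net_domain` with `create_file_perms` on `sdcard_type` and `binder_call` to `system_server`. Unless a specific denial requires the attribute I would drop the line, and otherwise put the reason directly above it, for example `# mlstrustedsubject: required for <denial, to be filled in>`. The comment `# STOPSHIP: Permissive is not allowed. CTS violation!` refers to a `permissive` statement that does not appear in this file and should be removed so it does not suggest the domain is still permissive.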
@@ -0,0 +1,68 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_agpsd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
+type mtk_agpsd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_agpsd)
+
+net_domain(mtk_agpsd)
+
+wakelock_use(mtk_agpsd)
+
+# Access channels to modem for E-CID, RRLP, and LPP
+allow mtk_agpsd agps_device:chr_file rw_file_perms;
+allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
+
+# Access folders, files, and sockets in /data/agps_supl
+allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
+allow mtk_agpsd agpsd_data_file:file create_file_perms;
+allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
+
+# Access file system partitions like /system, /data and SD Card
+allow mtk_agpsd sdcard_type:dir create_dir_perms;
+allow mtk_agpsd sdcard_type:file create_file_perms;
+allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
+allow mtk_agpsd mnt_user_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:dir create_dir_perms;
+allow mtk_agpsd mnt_vendor_file:file create_file_perms;
+allow mtk_agpsd gps_data_file:dir create_dir_perms;
+allow mtk_agpsd gps_data_file:file create_file_perms;
+
+# Access symbolic link files like /etc and /sdcard
+allow mtk_agpsd tmpfs:lnk_file create_file_perms;
+allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
+allow mtk_agpsd storage_file:dir create_dir_perms;
+allow mtk_agpsd storage_file:file create_file_perms;
+
+# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
+allow mtk_agpsd slpd:unix_dgram_socket sendto;
+
+# Operators will send agps settings via OMADM.
+# Operators ask UE to save these settings into NVRAM.
+allow mtk_agpsd nvcfg_file:dir create_dir_perms;
+allow mtk_agpsd nvcfg_file:file create_file_perms;
+
+# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
+allow mtk_agpsd mnld:unix_dgram_socket sendto;
+
+# Send the message to the LBS HIDL Service to forward to system partitions
+allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
+
+# Send the message to the merged hal Service to forward to system partitions
+allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
+
+# Allow send socket to fusion rild
+allow mtk_agpsd rild:unix_dgram_socket sendto;
+
+# Read the property of vendor.debug.gps.mnld.ne
+get_prop(mtk_agpsd, vendor_mtk_mnld_prop)
+
+# Read the property of ro.vendor.mtk_log_hide_gps
+get_prop(mtk_agpsd, vendor_mtk_gps_support_prop)
diff --git a/basic/non_plat/mtk_hal_audio.te b/basic/non_plat/mtk_hal_audio.te
new file mode 100644
index 0000000..f02354c
--- /dev/null
+++ b/basic/non_plat/mtk_hal_audio.te
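Review bot: `allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };` lets a `net_domain` daemon create and delete character device nodes, while the comment above it only mentions accessing modem channels. No `mknod` capability is granted in this hunk, so the `create` permission looks unused; if so, the rule should be reduced to `allow mtk_agpsd ttySDIO_device:chr_file rw_file_perms;`, which is the form the other domains in this patch use for the same device. The `create_dir_perms`/`create_file_perms` grants on `sdcard_type`, `storage_file`, `mnt_user_file` and `tmpfs:lnk_file` give a network-facing process write access to shared storage and symlink creation; if they exist for debug logging they belong inside the `userdebug_or_eng` macro, with the production path limited to `agpsd_data_file`.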
@@ -0,0 +1,239 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_audio, domain;
+
+type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(mtk_hal_audio)
+
+hal_server_domain(mtk_hal_audio, hal_audio)
+hal_client_domain(mtk_hal_audio, hal_allocator)
+
+wakelock_use(mtk_hal_audio)
+
+add_hwservice(mtk_hal_audio, mtk_hal_bluetooth_audio_hwservice)
+allow mtk_hal_audio ion_device:chr_file r_file_perms;
+
+allow mtk_hal_audio system_file:dir r_dir_perms;
+
+r_dir_file(mtk_hal_audio, proc)
+allow mtk_hal_audio audio_device:dir r_dir_perms;
+allow mtk_hal_audio audio_device:chr_file rw_file_perms;
+
+# mtk_hal_audio should never execute any executable without
+# a domain transition
+neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
+
+# mtk_hal_audio should never need network access.
+# Disallow network sockets.
+neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
+allow mtk_hal_audio sdcard_type:dir create_dir_perms;
+allow mtk_hal_audio sdcard_type:file create_file_perms;
+allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
+allow mtk_hal_audio nvram_data_file:file create_file_perms;
+allow mtk_hal_audio nvram_data_file:lnk_file r_file_perms;
+allow mtk_hal_audio nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_audio nvdata_file:dir create_dir_perms;
+allow mtk_hal_audio nvdata_file:file create_file_perms;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : nvram access (dumchar case for nand and legacy chip)
+allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
+allow mtk_hal_audio self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : media server and bt process communication for A2DP data.and other control flow
+allow mtk_hal_audio bt_a2dp_stream_socket:sock_file w_file_perms;
+allow mtk_hal_audio bt_int_adp_socket:sock_file w_file_perms;
+
+# Date : WK14.36
+# Operation : Migration
+# Purpose : access nvram, otp, ccci cdoec devices.
+allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
+allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
+allow mtk_hal_audio devmap_device:chr_file r_file_perms;
+allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
+allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
+
+# Date : WK14.38
+# Operation : Migration
+# Purpose : FM driver access
+allow mtk_hal_audio fm_device:chr_file rw_file_perms;
+
+# Data : WK14.39
+# Operation : Migration
+# Purpose : dump for debug
+set_prop(mtk_hal_audio, vendor_mtk_audiohal_prop)
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : HDMI driver access
+allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
+
+# Date : WK14.40
+# Operation : Migration
+# Purpose : Smartpa
+allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_param:dir r_dir_perms;
+allow mtk_hal_audio sysfs_rt_calib:file rw_file_perms;
+allow mtk_hal_audio sysfs_rt_calib:dir r_dir_perms;
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : WFD HID Driver
+allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
+
+# Date : WK14.43
+# Operation : Migration
+# Purpose : VOW
+allow mtk_hal_audio vow_device:chr_file rw_file_perms;
+
+# Date: WK14.44
+# Operation : Migration
+# Purpose : EVDO
+allow mtk_hal_audio rpc_socket:sock_file w_file_perms;
+allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
+
+# Data: WK14.44
+# Operation : Migration
+# Purpose : for low SD card latency issue
+allow mtk_hal_audio sysfs_lowmemorykiller:file r_file_perms;
+
+# Data: WK14.45
+# Operation : Migration
+# Purpose : for change thermal policy when needed
+allow mtk_hal_audio proc_mtkcooler:dir search;
+allow mtk_hal_audio proc_mtktz:dir search;
+allow mtk_hal_audio proc_thermal:dir search;
+allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
+allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
+
+# for as33970
+allow mtk_hal_audio sysfs_reset_dsp:file rw_file_perms;
+allow mtk_hal_audio tahiti_device:chr_file rw_file_perms_no_map;
+# for smartpa
+allow mtk_hal_audio sysfs_chip_vendor:file r_file_perms;
+allow mtk_hal_audio sysfs_pa_num:file rw_file_perms;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow mtk_hal_audio radio:dir r_dir_perms;
+allow mtk_hal_audio radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow mtk_hal_audio untrusted_app:dir search;
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow mtk_hal_audio storage_file:dir search;
+allow mtk_hal_audio storage_file:lnk_file rw_file_perms;
+allow mtk_hal_audio mnt_user_file:dir rw_dir_perms;
+allow mtk_hal_audio mnt_user_file:lnk_file rw_file_perms;
+
+# Date : WK16.17
+# Operation : Migration
+# Purpose: read/open sysfs node
+allow mtk_hal_audio sysfs_ccci:file r_file_perms;
+allow mtk_hal_audio sysfs_ccci:dir search;
+
+# Date : WK16.18
+# Operation : Migration
+# Purpose: research root dir "/"
+allow mtk_hal_audio tmpfs:dir search;
+
+# Purpose: Dump debug info
+allow mtk_hal_audio kmsg_device:chr_file w_file_perms;
+allow mtk_hal_audio fuse:file rw_file_perms;
+
+# Date : WK16.27
+# Operation : Migration
+# Purpose: tunning tool update parameters
+binder_call(mtk_hal_audio, radio)
+allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
+allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtk_hal_audio proc_ged:file rw_file_perms;
+
+# Fix bootup violation
+allow mtk_hal_audio fuse:dir r_dir_perms;
+
+# for usb phone call, allow sys_nice
+allow mtk_hal_audio self:capability sys_nice;
+
+# Date : W17.29
+# Boot for opening trace file: Permission denied (13)
+allow mtk_hal_audio debugfs_tracing:file w_file_perms;
+
+# Audio Tuning Tool Android O porting
+binder_call(mtk_hal_audio, audiocmdservice_atci)
+
+# Add for control PowerHAL
+hal_client_domain(mtk_hal_audio, hal_power)
+
+# cm4 smartpa
+allow mtk_hal_audio audio_ipi_device:chr_file rw_file_perms;
+allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
+allow mtk_hal_audio mnt_vendor_file:dir search;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow mtk_hal_audio audioserver:fifo_file w_file_perms;
+allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
+allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
+
+# Date : WK18.44
+# Operation: adsp
+allow mtk_hal_audio adsp_device:file rw_file_perms;
+allow mtk_hal_audio adsp_device:chr_file rw_file_perms;
+
+# Date : 2020/3/21
+# Operation: audio dptx
+allow mtk_hal_audio dri_device:chr_file rw_file_perms;
+allow mtk_hal_audio gpu_device:dir search;
+
+# Date : WK20.26
+allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms;
+
+# Date : WK20.36
+# Operation : Migration
+# Purpose : AAudio HAL
+allow mtk_hal_audio debugfs_ion:dir search;
+
+# Date : 2021/06/15
+# Purpose: Allow to change mtk MMQoS scenario
+allow mtk_hal_audio sysfs_mtk_mmqos_scen:file w_file_perms;
+allow mtk_hal_audio sysfs_mtk_mmqos_scen_v2:file w_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(mtk_hal_audio)
+
+# Date : WK21.23
+# Operation : Migration
+# Purpose : factory mode
+allow mtk_hal_audio sysfs_boot_info:file r_file_perms;
+
+# Date : WK21.32
+# Operation : Migration
+# Purpose: permission for audioserver to use ccci node
+allow mtk_hal_audio ccci_aud_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/mtk_hal_bluetooth.te b/basic/non_plat/mtk_hal_bluetooth.te
new file mode 100644
index 0000000..0bccd29
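Review bot: Several grants in mtk_hal_audio.te reach well outside audio and carry only a one-word purpose. `allow mtk_hal_audio uhid_device:chr_file rw_file_perms;` ("WFD HID Driver") lets the audio HAL register virtual HID input devices. `allow mtk_hal_audio untrusted_app:dir search;` ("cts search strange app"), together with the `radio:dir`/`radio:file` read rules, gives it a view into other processes' directory entries. The block-device rule `allow mtk_hal_audio nvram_device:blk_file rw_file_perms;` allows raw NVRAM writes. Each of these should either be removed or carry the denial that justified it; for a debug-only path such as the `sdcard_type` create rules, the `userdebug_or_eng` macro is the usual place. `allow mtk_hal_audio adsp_device:file rw_file_perms;` uses class `file` on a device type directly above the `chr_file` rule for the same type and looks like a leftover, so I would drop it unless a regular file really carries that label.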
--- /dev/null
+++ b/basic/non_plat/mtk_hal_bluetooth.te
@@ -0,0 +1,61 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_bluetooth, domain;
+type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_bluetooth)
+
+wakelock_use(mtk_hal_bluetooth)
+
+hal_server_domain(mtk_hal_bluetooth, hal_bluetooth)
+
+# call into the Bluetooth process (callbacks)
+binder_call(mtk_hal_bluetooth, bluetooth)
+
+# bluetooth factory file accesses.
+r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
+
+allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow mtk_hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(mtk_hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow mtk_hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# VTS tests need to be able to toggle rfkill
+allow mtk_hal_bluetooth self:capability net_admin;
+
+# Purpose : Set to access stpbt driver & NVRAM
+allow mtk_hal_bluetooth stpbt_device:chr_file rw_file_perms;
+
+allow mtk_hal_bluetooth nvdata_file:dir search;
+allow mtk_hal_bluetooth nvdata_file:file rw_file_perms;
+allow mtk_hal_bluetooth nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_bluetooth nvram_data_file:lnk_file r_file_perms;
+
+# Purpose: Allow to search /mnt/vendor/* for fstab when using NVM_Init()
+allow mtk_hal_bluetooth mnt_vendor_file:dir search;
+
+# Purpose: Allow BT Driver to insmod
+set_prop(mtk_hal_bluetooth, vendor_mtk_wmt_prop)
+
+# Date : 2019/10/30
+# Operation : get bt fw branch info, set to property for eng mode
+# Purpose: get bt fw branch info, set to property for eng mode
+allow mtk_hal_bluetooth proc_btdbg:file rw_file_perms;
+
+# Date : 2019/12/03
+# Operation : ability to enable bt driver thread as RT priority
+# Purpose: ability to enable bt driver thread as
RT priority +allow mtk_hal_bluetooth kernel:process setsched; + +# Date : 2021/04/27 +# Allow ReadDefaultFstab(). +read_fstab(mtk_hal_bluetooth) + diff --git a/basic/non_plat/mtk_hal_c2.te b/basic/non_plat/mtk_hal_c2.te new file mode 100644 index 0000000..b15e2c9 --- /dev/null +++ b/basic/non_plat/mtk_hal_c2.te 
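Review bot: `allow mtk_hal_bluetooth kernel:process setsched;` near the end of this file lets the Bluetooth HAL change the scheduling attributes of every task labelled `kernel`, while the comment above it only asks for RT priority on the BT driver thread. Policy cannot narrow the rule to one thread, so it would be safer for the driver to raise its own thread priority and drop the grant. If it has to stay, the comment should record the scope, e.g. `# setsched on kernel covers all kernel threads, not only the BT driver thread`. Separately, `proc_btdbg:file rw_file_perms` is described as being for eng mode but is granted in every build variant; it is worth confirming whether write access is needed outside engineering builds.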
@@ -0,0 +1,64 @@ +type mtk_hal_c2, domain; +type mtk_hal_c2_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(mtk_hal_c2) + +# can route /dev/binder traffic to /dev/vndbinder +vndbinder_use(mtk_hal_c2) + +hal_server_domain(mtk_hal_c2, hal_codec2) + +# mediacodec may use an input surface from a different Codec2 or OMX service +hal_client_domain(mtk_hal_c2, hal_codec2) + +hal_client_domain(mtk_hal_c2, hal_allocator) +hal_client_domain(mtk_hal_c2, hal_graphics_allocator) + +allow mtk_hal_c2 gpu_device:chr_file rw_file_perms; +allow mtk_hal_c2 ion_device:chr_file rw_file_perms; +allow mtk_hal_c2 video_device:chr_file rw_file_perms; +allow mtk_hal_c2 video_device:dir search; + +crash_dump_fallback(mtk_hal_c2) + +# mediacodec should never execute any executable without a domain transition +neverallow mtk_hal_c2 { file_type fs_type }:file execute_no_trans; + +# Media processing code is inherently risky and thus should have limited +# permissions and be isolated from the rest of the system and network. 
+# Lengthier explanation here: +# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html +neverallow mtk_hal_c2 domain:{ tcp_socket udp_socket rawip_socket } *; + +#============= mtk_hal_c2 ============== +allow mtk_hal_c2 debugfs_ion:dir search; +allow mtk_hal_c2 proc_ged:file rw_file_perms; +allowxperm mtk_hal_c2 proc_ged:file ioctl { proc_ged_ioctls }; +allow mtk_hal_c2 gpu_device:dir search; +allow mtk_hal_c2 mtk_cmdq_device:chr_file r_file_perms; +hal_client_domain(mtk_hal_c2, hal_mtk_pq) +allow mtk_hal_c2 vcodec_file:dir w_dir_perms; +allow mtk_hal_c2 vcodec_file:file create_file_perms; +allow mtk_hal_c2 mtk_mdp_device:chr_file r_file_perms; +allow mtk_hal_c2 mtk_mdp_sync_device:chr_file r_file_perms; +allow mtk_hal_c2 mtk_fmt_sync_device:chr_file r_file_perms_no_map; +allow mtk_hal_c2 mtk_fmt_device:chr_file rw_file_perms_no_map; +allow mtk_hal_c2 proc_meminfo:file r_file_perms; +dontaudit mtk_hal_c2 vcodec_file:file ioctl; + +#============= mtk_hal_c2 for legacy vcodec ============== +allow mtk_hal_c2 tmpfs:dir search; +allow mtk_hal_c2 Vcodec_device:chr_file rw_file_perms; +allow mtk_hal_c2 MTK_SMI_device:chr_file r_file_perms; +allow mtk_hal_c2 sysfs_concurrency_scenario:file rw_file_perms; +allow mtk_hal_c2 sysfs_concurrency_scenario:dir search; + +#============= mtk_hal_c2 for dmabuf heap ============== +allow mtk_hal_c2 dmabuf_system_heap_device:chr_file r_file_perms; +allow mtk_hal_c2 dmabuf_system_secure_heap_device:chr_file r_file_perms; + +#============= mtk_hal_c2 for log properties ============== +get_prop(mtk_hal_c2, vendor_mtk_c2_log_prop) + +#============= mtk_hal_c2 for power hal ============== +hal_client_domain(mtk_hal_c2, hal_power) diff --git a/basic/non_plat/mtk_hal_camera.te b/basic/non_plat/mtk_hal_camera.te new file mode 100644 index 0000000..aef1201 --- /dev/null +++ b/basic/non_plat/mtk_hal_camera.te 
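Review bot: `allow mtk_hal_c2 dmabuf_system_secure_heap_device:chr_file r_file_perms;` in the dmabuf heap block includes `map` on the secure heap node, whereas the mtk_hal_camera.te hunk of this same patch grants that device only `r_file_perms_no_map`. This file itself describes media processing code as inherently risky, so the narrower set looks like the better default: `allow mtk_hal_c2 dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map;`. If the codec really has to mmap the node, a comment saying so would explain why the two domains differ. The `dontaudit mtk_hal_c2 vcodec_file:file ioctl;` line also has no comment and will hide denials during later policy debugging.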
@@ -0,0 +1,380 @@ +# ============================================================================== +# Policy File of /vendor/bin/hw/camerahalserver Executable File + +# ============================================================================== +# Common SEPolicy Rule +# ============================================================================== + +type mtk_hal_camera, domain; +type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type; + +# Set up a transition from init to the camerahalserver upon executing its binary. +init_daemon_domain(mtk_hal_camera) + +# Allow a base set of permissions required for a domain to offer a +# HAL implementation of the specified type over HwBinder. +hal_server_domain(mtk_hal_camera, hal_camera) +hal_server_domain(mtk_hal_camera, hal_mtk_bgs) + +# Allow camerahalserver to use vendor binder IPC. +vndbinder_use(mtk_hal_camera) + +# callback to cameraserver +binder_call(mtk_hal_camera, cameraserver) + +# callback to shell for debugging +binder_call(mtk_hal_camera, shell) + +# call the graphics allocator hal +binder_call(mtk_hal_camera, hal_graphics_allocator) + +# call to surfaceflinger +binder_call(mtk_hal_camera, surfaceflinger) + +# call PowerHal +hal_client_domain(mtk_hal_camera, hal_power) + +# ----------------------------------- +# Purpose: Allow camerahalserver to find a service from hwservice_manager +# ----------------------------------- +allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find; +allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find; +allow mtk_hal_camera nvram_data_file:lnk_file create_file_perms; +allow mtk_hal_camera nvdata_file:lnk_file create_file_perms; +allow mtk_hal_camera fwk_display_hwservice:hwservice_manager find; +hal_client_domain(mtk_hal_camera, hal_graphics_allocator) + +# ----------------------------------- +# Purpose: Camera-related devices (driver) +# ----------------------------------- +allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms; 
+allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl { + JPG_BRIDGE_ENC_IO_INIT + JPG_BRIDGE_ENC_IO_CONFIG + JPG_BRIDGE_ENC_IO_WAIT + JPG_BRIDGE_ENC_IO_DEINIT + JPG_BRIDGE_ENC_IO_START + }; + +allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms; +allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms; +allow mtk_hal_camera camera_mem_device:chr_file rw_file_perms; +allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms; +allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms; +allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms; +allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms; +allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms; +allow mtk_hal_camera flashlight_device:chr_file rw_file_perms; +allow mtk_hal_camera lens_device:chr_file rw_file_perms; +allow mtk_hal_camera seninf_device:chr_file rw_file_perms; + +# FDVT Driver +allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms; + +# DPE Driver +allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms; + +# MFB Driver +allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms; + +# WPE Driver +allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms; + +# PDA Driver +allow mtk_hal_camera camera_pda_device:chr_file rw_file_perms; + +# mtk_jpeg +allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms; + +allow mtk_hal_camera ccu_device:chr_file rw_file_perms; + +# APUSYS +allow mtk_hal_camera vpu_device:chr_file rw_file_perms; +allow mtk_hal_camera mdla_device:chr_file rw_file_perms; +allow mtk_hal_camera apusys_device:chr_file rw_file_perms; +allow mtk_hal_camera sysfs_apusys_queue:dir r_dir_perms; +allow mtk_hal_camera sysfs_apusys_queue:file r_file_perms; + +# Date: 2021/12/10 +# Operation : allow camera hal server to read dla network file +allow mtk_hal_camera vendor_etc_nn_file:dir r_dir_perms; +allow mtk_hal_camera vendor_etc_nn_file:file r_file_perms; +allowxperm mtk_hal_camera vendor_etc_nn_file:file 
ioctl VT_SENDSIG; + +# Purpose: RSC driver +allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms; + +# Purpose: OWE driver +allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms; + +# Purpose: AF related +allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms; +allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms; +allow mtk_hal_camera MAIN3AF_device:chr_file rw_file_perms; +allow mtk_hal_camera MAIN4AF_device:chr_file rw_file_perms; +allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms; +allow mtk_hal_camera SUB2AF_device:chr_file rw_file_perms; +allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms; +allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms; +allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms; +allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms; +allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms; +allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms; +allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms; +allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms; +allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms; +allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms; +allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms; + +# Purpose: Camera EEPROM Calibration +allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms; +allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms; +allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms; +allow mtk_hal_camera camera_eeprom_device:chr_file rw_file_perms; +allow mtk_hal_camera seninf_n3d_device:chr_file rw_file_perms; + +# ----------------------------------- +# Purpose: Other device drivers used by camera +# ----------------------------------- +allow mtk_hal_camera ion_device:chr_file rw_file_perms; +allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms; +allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms; + +# ----------------------------------- +# Purpose: 
Filesystem in Userspace (FUSE) +# - sdcard access (buffer dump for EM mode) +# ----------------------------------- +allow mtk_hal_camera fuse:dir rw_dir_perms; +allow mtk_hal_camera fuse:file rw_file_perms; + +# ----------------------------------- +# Purpose: Storage access +# ----------------------------------- +## Date : WK14.XX-15.XX +## nvram access +allow mtk_hal_camera nvram_data_file:dir create_dir_perms; +allow mtk_hal_camera nvram_data_file:file create_file_perms; + +## nvram access (dumchar case for nand and legacy chip) +allow mtk_hal_camera nvram_device:chr_file rw_file_perms; +allow mtk_hal_camera self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; + +## Date : WK14.XX-15.XX +## sdcard access - dump for debug +allow mtk_hal_camera sdcard_type:dir create_dir_perms; +allow mtk_hal_camera sdcard_type:file create_file_perms; + +# ----------------------------------- +# Android O +# Purpose: Shell Debugging +# ----------------------------------- +# Purpose: Allow shell to invoke "lshal debug ", where is "ICameraProvider". 
+# (used in user build) +allow mtk_hal_camera shell:unix_stream_socket { read write }; +allow mtk_hal_camera shell:fifo_file w_file_perms; + +# ----------------------------------- +# Android O +# Purpose: Debugging +# ----------------------------------- +# Purpose: libmemunreachable.so/GetUnreachableMemory() +allow mtk_hal_camera self:process { ptrace }; + +########################## +# Date : WK14.XX-15.XX +# Operation : Copy from Media server +allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice }; +allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms; +allow mtk_hal_camera nvdata_file:file create_file_perms; +allow mtk_hal_camera proc_meminfo:file r_file_perms; + +## Purpose : for low SD card latency issue +allow mtk_hal_camera sysfs_lowmemorykiller:file r_file_perms; + +## Purpose : for change thermal policy when needed +allow mtk_hal_camera proc_mtkcooler:dir search; +allow mtk_hal_camera proc_mtktz:dir search; +allow mtk_hal_camera proc_thermal:dir search; +allow mtk_hal_camera thermal_manager_data_file:file create_file_perms; +allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr }; + +## Purpose : cts search strange app +allow mtk_hal_camera untrusted_app:dir search; + +## Purpose : offloadservice +allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms; + +## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump +allow mtk_hal_camera storage_file:lnk_file rw_file_perms; +allow mtk_hal_camera mnt_user_file:dir rw_dir_perms; +allow mtk_hal_camera mnt_user_file:lnk_file rw_file_perms; + +## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger +allow mtk_hal_camera surfaceflinger:fifo_file rw_file_perms; + +## Purpose : camera read/write /nvcfg/camera data +allow mtk_hal_camera nvcfg_file:dir create_dir_perms; +allow mtk_hal_camera nvcfg_file:file create_file_perms; + +# Purpose : for camera init +allow mtk_hal_camera system_server:unix_stream_socket { read write }; + 
+########################## +# Date : WK16 +# Operation : N Migration +## Purpose: research root dir "/" +allow mtk_hal_camera tmpfs:dir search; + +## Purpose : EGL file access +allow mtk_hal_camera system_file:dir r_dir_perms; +allow mtk_hal_camera gpu_device:dir search; +allow mtk_hal_camera gpu_device:chr_file rw_file_perms; + +## Purpose: Allow to access ged for gralloc_extra functions +allow mtk_hal_camera proc_ged:file rw_file_perms; +allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls }; + +allow mtk_hal_camera debugfs_tracing:file w_file_perms; + +## Purpose : camera3 IT/CTS +allow mtk_hal_camera debugfs_ion:dir search; +allow mtk_hal_camera hal_graphics_composer_default:fd use; + +# Date : WK17.30 +# Operation : O Migration +# Purpose: Allow to access cmdq driver +allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms; +allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms; +allow mtk_hal_camera mtk_mdp_sync_device:chr_file r_file_perms; + +# Date : WK17.36 +# Operation : O Migration +# Purpose: Allow to access battery status +allow mtk_hal_camera sysfs_batteryinfo:dir search; +allow mtk_hal_camera sysfs_batteryinfo:file r_file_perms; + +# Date : WK17.39 +# Operation : O Migration +# Purpose: Change thermal config +set_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop) + +# Date : WK18.31 +# Stage: P Migration +# Purpose: CCT +allow mtk_hal_camera graphics_device:chr_file rw_file_perms; +allow mtk_hal_camera graphics_device:dir search; +allow mtk_hal_camera cct_data_file:dir create_dir_perms; +allow mtk_hal_camera cct_data_file:file create_file_perms; +allow mtk_hal_camera cct_data_file:fifo_file create_file_perms; +allow mtk_hal_camera sysfs_boot_mode:file r_file_perms; +allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms; +allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms; + +# Date : WK18.02 +# Stage: O Migration +# Purpose: ISP tuning remapping +set_prop(mtk_hal_camera, vendor_mtk_mediatek_prop) + +# Date : 
WK18.22 +# Stage: p Migration +# Purpose: NVRAM +allow mtk_hal_camera nvdata_file:dir create_dir_perms; +allow mtk_hal_camera nvcfg_file:lnk_file r_file_perms; +allow mtk_hal_camera mnt_vendor_file:file create_file_perms; + +# AAO +allow mtk_hal_camera data_vendor_aao_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_aao_file:file create_file_perms; +allow mtk_hal_camera data_vendor_aaoHwBuf_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_aaoHwBuf_file:file create_file_perms; +allow mtk_hal_camera data_vendor_AAObitTrue_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_AAObitTrue_file:file create_file_perms; + +# Flash +allow mtk_hal_camera data_vendor_flash_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_flash_file:file create_file_perms; + +# Flicker +allow mtk_hal_camera data_vendor_flicker_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_flicker_file:file create_file_perms; + +# AFO +allow mtk_hal_camera data_vendor_afo_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_afo_file:file create_file_perms; + +# PDO +allow mtk_hal_camera data_vendor_pdo_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_pdo_file:file create_file_perms; + +# Date : WK18.35 +# Purpose: allow mtk_hal_camera to access gz_device node +allow mtk_hal_camera gz_device:chr_file rw_file_perms; + +#data/dipdebug +allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms; +allow mtk_hal_camera aee_dipdebug_vendor_file:file create_file_perms; + +allow mtk_hal_camera proc_isp_p2:dir search; +allow mtk_hal_camera proc_isp_p2:file create_file_perms; + +# Date: 2019/06/14 +# Operation : Migration +allow mtk_hal_camera sysfs_dt_firmware_android:dir search; + +# Date: 2019/07/09 +# Operation : For M4U security +allow mtk_hal_camera proc_m4u:file r_file_perms; +allowxperm mtk_hal_camera proc_m4u:file ioctl{ +MTK_M4U_T_ALLOC_MVA +MTK_M4U_T_DEALLOC_MVA +MTK_M4U_T_CONFIG_PORT +MTK_M4U_T_DMA_OP +MTK_M4U_T_SEC_INIT 
+MTK_M4U_GZ_SEC_INIT +}; + +# Date: 2019/07/04 +binder_call(mtk_hal_camera, platform_app) + +# Date : 2020/09/03 +# Purpose: mtk MMQoS set camera max BW +allow mtk_hal_camera sysfs_camera_max_bw:file { w_file_perms ioctl }; +allow mtk_hal_camera sysfs_camera_max_bw_v2:file { w_file_perms ioctl }; +allowxperm mtk_hal_camera sysfs_camera_max_bw:file ioctl VT_SENDSIG; +allowxperm mtk_hal_camera sysfs_camera_max_bw_v2:file ioctl VT_SENDSIG; + +# Date : 2020/09/24 +# Purpose: mtk camsys raw dump file +allow mtk_hal_camera data_vendor_raw_file:dir create_dir_perms; +allow mtk_hal_camera data_vendor_raw_file:file create_file_perms; + +# Date : 2020/12/05 +# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* +allow mtk_hal_camera sysfs_concurrency_scenario:file rw_file_perms; + +# Date : 2020/07/10 +# Purpose : allow media sources to access /sys/bus/platform/drivers/emi_ctrl/* +allow mtk_hal_camera sysfs_emi_ctrl_concurrency_scenario:file rw_file_perms; + +# Date : 2020/12/21 +# Operation : To access imgsys daemon driver +allow mtk_hal_camera mtk_hcp_device:chr_file rw_file_perms; + +# Allow ReadDefaultFstab(). +read_fstab(mtk_hal_camera) + +# Data : 2020/12/30 +# Purpose : DBReleasePlan +allow mtk_hal_camera vendor_bin_crossbuild_file:file r_file_perms; + +# Date: 2021/08/27 +# Operation : For DMABUF security +allow mtk_hal_camera dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map; + +# Date : 2021/08/31 +# Purpose : allow camera hal to access /dev/hfmanager/* +allow mtk_hal_camera hf_manager_device:chr_file rw_file_perms_no_map; + +# Data : 2021/10/27 +# Purpose : DBReleasePlan +allowxperm mtk_hal_camera vendor_bin_crossbuild_file:file ioctl VT_SENDSIG; diff --git a/basic/non_plat/mtk_hal_codecservice_default.te b/basic/non_plat/mtk_hal_codecservice_default.te new file mode 100644 index 0000000..7e1ea6f --- /dev/null +++ b/basic/non_plat/mtk_hal_codecservice_default.te @@ -0,0 +1 @@ +type mtk_hal_codecservice_default, domain; 
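Review bot: The buffer-dump and debugging grants in this file ship in user builds because they sit in basic/non_plat: the `fuse` rules ("buffer dump for EM mode"), `sdcard_type:dir create_dir_perms` and `sdcard_type:file create_file_perms` ("dump for debug"), the `storage_file`/`mnt_user_file` rules, and `self:process { ptrace }` for libmemunreachable. The patch already carries basic/debug/non_plat/mtk_hal_camera.te, so these could move there or be wrapped in `userdebug_or_eng(...)`, which keeps a camera HAL that parses sensor and app-supplied data from creating files on shared storage on production devices. `allow mtk_hal_camera untrusted_app:dir search;` is justified only as "cts search strange app" and needs a real purpose comment or removal. `self:capability { setuid ipc_lock sys_nice }` is marked "Copy from Media server"; it is worth confirming that `setuid` is still required here.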
diff --git a/basic/non_plat/mtk_hal_dfps.te b/basic/non_plat/mtk_hal_dfps.te
new file mode 100644
index 0000000..9772577
--- /dev/null
+++ b/basic/non_plat/mtk_hal_dfps.te
@@ -0,0 +1 @@
+type mtk_hal_dfps, domain;
diff --git a/basic/non_plat/mtk_hal_dplanner.te b/basic/non_plat/mtk_hal_dplanner.te
new file mode 100644
index 0000000..57de0c6
--- /dev/null
+++ b/basic/non_plat/mtk_hal_dplanner.te
@@ -0,0 +1 @@
+type mtk_hal_dplanner, domain;
diff --git a/basic/non_plat/mtk_hal_gnss.te b/basic/non_plat/mtk_hal_gnss.te
new file mode 100644
index 0000000..3e4d450
--- /dev/null
+++ b/basic/non_plat/mtk_hal_gnss.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_gnss, domain;
+type mtk_hal_gnss_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_gnss)
+
+hal_server_domain(mtk_hal_gnss, hal_gnss)
+
+#TODO:: work around solution, wait for correct solution from google
+vndbinder_use(mtk_hal_gnss)
+
+# Communicate over a socket created by mnld process.
+allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
+allow mtk_hal_gnss mnld_data_file:dir create_dir_perms;
+
+allow mtk_hal_gnss mnld:unix_dgram_socket sendto;
+#get waks_alarm timer create prop
+allow mtk_hal_gnss mtk_hal_gnss:capability2 wake_alarm;
+
diff --git a/basic/non_plat/mtk_hal_hdmi.te b/basic/non_plat/mtk_hal_hdmi.te
new file mode 100644
index 0000000..1ac1184
--- /dev/null
+++ b/basic/non_plat/mtk_hal_hdmi.te
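Review bot: In mtk_hal_gnss.te, `allow mtk_hal_gnss mtk_hal_gnss:capability2 wake_alarm;` spells out the domain as its own target, while the bluetooth file in this patch writes the same grant as `self:capability2 wake_alarm`; using `allow mtk_hal_gnss self:capability2 wake_alarm;` keeps the two consistent. The comment above it (`#get waks_alarm timer create prop`) has a typo and calls a capability a property; something like `# wake_alarm capability, presumably for creating wake-alarm timers` would read correctly. The comment on the socket rules says mnld creates the socket, yet `mnld_data_file:sock_file create_file_perms` and `mnld_data_file:dir create_dir_perms` let the HAL create entries as well; if it only connects, `w_file_perms` on the sock_file and `search` on the dir may be enough. The `vndbinder_use` TODO would benefit from an issue reference so the workaround can be revisited.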
@@ -0,0 +1,34 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.hdmi@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_hdmi, domain;
+type mtk_hal_hdmi_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_hdmi)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_hdmi, hal_mtk_hdmi)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_hdmi graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_hdmi fwk_sensor_hwservice:hwservice_manager find;
+
+#for hdmi uevent
+allow mtk_hal_hdmi self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Purpose : Allow hdmi to call vendor.mediatek.hardware.keymanage@1.0-service.
+hal_client_domain(mtk_hal_hdmi, hal_keymaster)
+
+# Purpose : Allow permission to set hdmi property
+set_prop(mtk_hal_hdmi, vendor_mtk_hdmi_prop)
diff --git a/basic/non_plat/mtk_hal_imsa.te b/basic/non_plat/mtk_hal_imsa.te
new file mode 100644
index 0000000..d5bc3e9
--- /dev/null
+++ b/basic/non_plat/mtk_hal_imsa.te
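Review bot: `hal_client_domain(mtk_hal_hdmi, hal_keymaster)` makes the HDMI service a client of the whole `hal_keymaster` attribute, although its comment only asks for access to vendor.mediatek.hardware.keymanage@1.0-service. The mtk_hal_keymanage.te hunk later in this patch registers that service with `hal_server_domain(mtk_hal_keymanage, hal_keymaster)`, so, as far as the visible rules show, the vendor key-management service and the platform keymaster HAL share one attribute and their client sets cannot be separated. A dedicated vendor HAL attribute for keymanage would let mtk_hal_hdmi reach only the service it needs. At minimum the comment should say that the rule also makes mtk_hal_hdmi a keymaster client.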
@@ -0,0 +1,28 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_imsa, domain, mtkimsapdomain;
+type mtk_hal_imsa_exec, exec_type, vendor_file_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_imsa)
+
+# hwbinder access
+hal_server_domain(mtk_hal_imsa, hal_mtk_imsa)
+
+# call into system_server process (callbacks)
+binder_call(mtk_hal_imsa, system_server)
+
+# Date : 2017/05/18
+# Operation : VoLTE sanity
+# Purpose : Add permission for IMSA connect to IMSM
+allow mtk_hal_imsa rild_imsm_socket:sock_file w_file_perms;
+
+# Date : 2017/06/13
+# Operation : IMSA sanity
+# Purpose : Add permission for IMSA to access radio
+allow mtk_hal_imsa radio:binder call;
+allow mtk_hal_imsa debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/mtk_hal_keyinstall.te b/basic/non_plat/mtk_hal_keyinstall.te
new file mode 100644
index 0000000..872dc3d
--- /dev/null
+++ b/basic/non_plat/mtk_hal_keyinstall.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type mtk_hal_keyinstall, domain;
+
diff --git a/basic/non_plat/mtk_hal_keymanage.te b/basic/non_plat/mtk_hal_keymanage.te
new file mode 100644
index 0000000..016b8ec
--- /dev/null
+++ b/basic/non_plat/mtk_hal_keymanage.te
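Review bot: `allow mtk_hal_imsa debugfs_tracing:file w_file_perms;` at the end of mtk_hal_imsa.te sits under the "access radio" comment, which does not describe it, and grants write access to files labelled `debugfs_tracing`. If the service only emits atrace markers, AOSP labels the marker file `debugfs_trace_marker` and already lets every domain write it, so this rule can probably be dropped. Otherwise it needs its own line such as `# Purpose : <which tracing file is written and why>`. The same uncommented rule appears in the mtk_hal_keymanage.te and mtk_hal_camera.te hunks of this patch.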
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Set a new domain
+type mtk_hal_keymanage, domain;
+
+# Set exec file type
+type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keymanage)
+
+# Set mtk_hal_keymanage as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keymanage, hal_keymaster)
+
+# Give permission for hal_key_manage to access kisd service
+allow mtk_hal_keymanage kisd:unix_stream_socket connectto;
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keymanage key_install_data_file:dir w_dir_perms;
+allow mtk_hal_keymanage key_install_data_file:file create_file_perms;
+
+allow mtk_hal_keymanage debugfs_tracing:file w_file_perms;
diff --git a/basic/non_plat/mtk_hal_light.te b/basic/non_plat/mtk_hal_light.te
new file mode 100644
index 0000000..0687c80
--- /dev/null
+++ b/basic/non_plat/mtk_hal_light.te
@@ -0,0 +1,14 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_light, domain;
+type mtk_hal_light_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_light)
+
+hal_server_domain(mtk_hal_light, hal_light)
+
diff --git a/basic/non_plat/mtk_hal_memtrack.te b/basic/non_plat/mtk_hal_memtrack.te
new file mode 100644
index 0000000..7bc8fef
--- /dev/null
+++ b/basic/non_plat/mtk_hal_memtrack.te
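Review bot: The comment `# Allow mtk_hal_keyinstall to access /data/key_provisioning` in mtk_hal_keymanage.te sits above two rules whose source domain is `mtk_hal_keymanage`, so anyone auditing which domain can write key-provisioning data is pointed at the wrong one. I would change it to `# Allow mtk_hal_keymanage to create and modify files under /data/key_provisioning` and add which operation needs write access. `key_install_data_file:file create_file_perms` is the most sensitive grant in the file and should not have to be inferred.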
@@ -0,0 +1,19 @@
+# ==============================================================================
+# Type Declaration
+# ==============================================================================
+type mtk_hal_memtrack, domain;
+type mtk_hal_memtrack_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(mtk_hal_memtrack)
+
+hal_server_domain(mtk_hal_memtrack, hal_memtrack)
+
+# Date : 2021/08/24
+# Operation: S migration
+# Purpose: Add permission for access /proc/dmaheap/*
+allow mtk_hal_memtrack proc_dmaheap:dir r_dir_perms;
+allow mtk_hal_memtrack proc_dmaheap:file rw_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/mtk_hal_mmagent.te b/basic/non_plat/mtk_hal_mmagent.te
new file mode 100644
index 0000000..1fcc8a0
--- /dev/null
+++ b/basic/non_plat/mtk_hal_mmagent.te
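Review bot: `allow mtk_hal_memtrack proc_dmaheap:file rw_file_perms;` gives write access to /proc/dmaheap/* to a HAL whose job, going by its name and the comment, is to read memory accounting. Unless a file under that directory has to be written to trigger a dump, `allow mtk_hal_memtrack proc_dmaheap:file r_file_perms;` is the least-privilege form, matching the read-only `r_dir_perms` on the directory line above. If a write is required, the Purpose comment should name the file and the reason. The file also lacks a trailing newline.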
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mmagent@1.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_mmagent, domain;
+type mtk_hal_mmagent_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_mmagent)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_mmagent, hal_mtk_mmagent)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_mmagent ion_device:chr_file rw_file_perms;
+
+# Purpose : Allow to set property for AI function
+allow mtk_hal_mmagent apusys_device:chr_file rw_file_perms;
+
+# Purpose : Allow use gralloc buffer
+allow mtk_hal_mmagent hal_graphics_allocator_default:fd use;
diff --git a/basic/non_plat/mtk_hal_mms.te b/basic/non_plat/mtk_hal_mms.te
new file mode 100644
index 0000000..9329eb7
--- /dev/null
+++ b/basic/non_plat/mtk_hal_mms.te
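Review bot: The comment `# Purpose : Allow to set property for AI function` in mtk_hal_mmagent.te describes a property write, but the rule under it is `allow mtk_hal_mmagent apusys_device:chr_file rw_file_perms;`, which is read/write access to a character device and sets no property. A comment that hides a device grant behind property wording makes the policy harder to audit; `# Purpose : Allow access to the APUSYS device node for AI functions` would match the rule. The mtk_hal_mms.te hunk has the same mismatch under "Allow to set property for AIPQ".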
@@ -0,0 +1,60 @@ +# ============================================== +# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mms@1.0-service Executable File + +# ============================================== +# Type Declaration +# ============================================== + +type mtk_hal_mms, domain, mtk_safe_halserverdomain_type; +type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type; + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Setup for domain transition +init_daemon_domain(mtk_hal_mms) + +# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder. +hal_server_domain(mtk_hal_mms, hal_mtk_mms) + +# Purpose : Allow to use kernel driver +allow mtk_hal_mms graphics_device:chr_file rw_file_perms; +allow mtk_hal_mms ion_device:chr_file r_file_perms; +allow mtk_hal_mms mtk_cmdq_device:chr_file r_file_perms; +allow mtk_hal_mms mtk_mdp_device:chr_file r_file_perms; +allow mtk_hal_mms mtk_mdp_sync_device:chr_file r_file_perms; +allow mtk_hal_mms sw_sync_device:chr_file r_file_perms; +allow mtk_hal_mms proc_ged:file r_file_perms; +allowxperm mtk_hal_mms proc_ged:file ioctl { proc_ged_ioctls }; + +# Purpose : Allow to use allocator for JPEG +hal_client_domain(mtk_hal_mms, hal_allocator) +hal_client_domain(mtk_hal_mms, hal_graphics_allocator) +hal_client_domain(mtk_hal_mms, hal_mtk_pq) + +# Purpose : Allow to use graphics allocator fd for gralloc_extra +allow mtk_hal_mms hal_graphics_allocator_default:fd use; +allow mtk_hal_mms debugfs_ion:dir search; +allow mtk_hal_mms merged_hal_service:fd use; + +# Purpose : VDEC/VENC device node +allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms; + +allow mtk_hal_mms proc_mtk_jpeg:file r_file_perms; +allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl { + JPG_BRIDGE_ENC_IO_INIT + JPG_BRIDGE_ENC_IO_CONFIG + JPG_BRIDGE_ENC_IO_WAIT + JPG_BRIDGE_ENC_IO_DEINIT + JPG_BRIDGE_ENC_IO_START + 
}; + +# Purpose : Allow to use mms by JPEG with handle +allow mtk_hal_mms platform_app:fd use; + +# Purpose : Allow Miravision to set Sharpness +allow mtk_hal_mms system_app:fd use; + +# Purpose : Allow to set property for AIPQ +allow mtk_hal_mms apusys_device:chr_file rw_file_perms; diff --git a/basic/non_plat/mtk_hal_neuralnetworks.te b/basic/non_plat/mtk_hal_neuralnetworks.te new file mode 100644 index 0000000..26f75a4 --- /dev/null +++ b/basic/non_plat/mtk_hal_neuralnetworks.te @@ -0,0 +1,5 @@ +type mtk_hal_neuralnetworks, domain; + +# Date : 2021/09/10 +# Purpose: Allow Neuron Hidl read data +allow mtk_hal_neuralnetworks media_rw_data_file:file {read map}; diff --git a/basic/non_plat/mtk_hal_nvramagent.te b/basic/non_plat/mtk_hal_nvramagent.te new file mode 100644 index 0000000..da493ab --- /dev/null +++ b/basic/non_plat/mtk_hal_nvramagent.te 
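Review bot: The five-entry `JPG_BRIDGE_ENC_IO_*` ioctl allowlist on `proc_mtk_jpeg` in mtk_hal_mms.te is copied verbatim from the mtk_hal_camera.te hunk, so the two lists can drift apart when the driver interface changes. The `proc_ged` rules in both files already use a shared name, `{ proc_ged_ioctls }`; defining the JPEG set once in the same way, wherever `proc_ged_ioctls` is defined, would keep the allowlists in step. `allow mtk_hal_mms merged_hal_service:fd use;` sits under the gralloc_extra comment without explanation and needs its own purpose line.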
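Review bot: `allow mtk_hal_neuralnetworks media_rw_data_file:file {read map};` in mtk_hal_neuralnetworks.te omits `open`, so the HAL can only use descriptors handed to it and cannot open files in shared media storage itself. That is the safer pattern, but the comment "Allow Neuron Hidl read data" does not say it is deliberate, and a later change could widen the set to `r_file_perms` without noticing. I would extend the comment to `# Purpose: Allow Neuron HIDL to read data through fds passed by clients; no open permission on purpose`.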
@@ -0,0 +1,52 @@ +# ============================================== +# Policy File of /vendor/bin/mtk_hal_nvramagent Executable File + +# ============================================== +# Type Declaration +# ============================================== +type mtk_hal_nvramagent_exec, exec_type, file_type, vendor_file_type; +type mtk_hal_nvramagent, domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(mtk_hal_nvramagent) + +# Date : WK14.43 +# Operation : 2rd Selinux Migration +# Purpose : the role of mtk_hal_nvramagent is same with nvram_daemon except property_set & exect permission +allow mtk_hal_nvramagent nvram_device:blk_file rw_file_perms; +allow mtk_hal_nvramagent nvdata_device:blk_file rw_file_perms; +allow mtk_hal_nvramagent nvram_data_file:dir create_dir_perms; +allow mtk_hal_nvramagent nvram_data_file:file create_file_perms; +allow mtk_hal_nvramagent nvram_data_file:lnk_file r_file_perms; +allow mtk_hal_nvramagent nvdata_file:lnk_file r_file_perms; +allow mtk_hal_nvramagent nvdata_file:dir create_dir_perms; +allow mtk_hal_nvramagent nvdata_file:file create_file_perms; + +allow mtk_hal_nvramagent als_ps_device:chr_file r_file_perms; +allow mtk_hal_nvramagent mtk-adc-cali_device:chr_file rw_file_perms; +allow mtk_hal_nvramagent gsensor_device:chr_file r_file_perms; +allow mtk_hal_nvramagent gyroscope_device:chr_file r_file_perms; +allow mtk_hal_nvramagent self:capability { fowner chown fsetid }; + +# Purpose: for backup +allow mtk_hal_nvramagent nvram_device:chr_file rw_file_perms; +allow mtk_hal_nvramagent pro_info_device:chr_file rw_file_perms; +allow mtk_hal_nvramagent block_device:dir search; + +# for MLC device +allow mtk_hal_nvramagent mtd_device:dir search; +allow mtk_hal_nvramagent mtd_device:chr_file rw_file_perms; + +# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder. 
+hal_server_domain(mtk_hal_nvramagent, hal_mtk_nvramagent) +read_fstab(mtk_hal_nvramagent) +get_prop(mtk_hal_nvramagent, vendor_mtk_rat_config_prop) + +# Date : WK18.21 +# Operation: P migration +# Purpose: Allow to search /mnt/vendor/nvdata when using nvram function +allow mtk_hal_nvramagent mnt_vendor_file:dir search; + +allow mtk_hal_nvramagent sysfs_boot_mode:file r_file_perms; diff --git a/basic/non_plat/mtk_hal_nwk_opt.te b/basic/non_plat/mtk_hal_nwk_opt.te new file mode 100644 index 0000000..3a8a5f6 --- /dev/null +++ b/basic/non_plat/mtk_hal_nwk_opt.te @@ -0,0 +1 @@ +type mtk_hal_nwk_opt, domain; diff --git a/basic/non_plat/mtk_hal_omadm.te b/basic/non_plat/mtk_hal_omadm.te new file mode 100644 index 0000000..91d8785 --- /dev/null +++ b/basic/non_plat/mtk_hal_omadm.te @@ -0,0 +1 @@ +type mtk_hal_omadm, domain, mtkimsapdomain; diff --git a/basic/non_plat/mtk_hal_power.te b/basic/non_plat/mtk_hal_power.te new file mode 100644 index 0000000..91fba99 --- /dev/null +++ b/basic/non_plat/mtk_hal_power.te 
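Review bot: `allow mtk_hal_nvramagent self:capability { fowner chown fsetid };` has no purpose comment, and the same rule in the nvram_daemon.te hunk sits under `# Purpose: for property set`, which does not describe these capabilities. They let the process bypass file-ownership checks and change owners; property access is granted separately through set_prop/get_prop. This domain is a HWBinder server with write access to the NVRAM block devices, so the reason for each capability should be on record. Suggest `# Purpose: chown/chmod of files created under nvdata (TODO owner: confirm fowner, chown and fsetid are each still needed)` above the rule in both files.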
@@ -0,0 +1,317 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type mtk_hal_power, domain; +type mtk_hal_power_exec, exec_type, file_type, vendor_file_type; + +# hwbinder access +init_daemon_domain(mtk_hal_power) + +hal_server_domain(mtk_hal_power, hal_power) +hal_server_domain(mtk_hal_power, hal_wifi) + +# sysfs +allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms; +allow mtk_hal_power sysfs_mtk_core_ctl:dir r_dir_perms; +allow mtk_hal_power sysfs_mtk_core_ctl:file rw_file_perms; + + +# proc_thermal +allow mtk_hal_power proc_thermal:file rw_file_perms; + +# proc info +allow mtk_hal_power mtk_hal_audio:dir r_dir_perms; + +# Date : 2017/10/02 +# Operation: SQC +# Purpose : Allow powerHAL to access perfmgr +allow mtk_hal_power proc_perfmgr:dir r_dir_perms; +allow mtk_hal_power proc_perfmgr:file rw_file_perms; +allowxperm mtk_hal_power proc_perfmgr:file ioctl { + PERFMGR_FPSGO_TOUCH + PERFMGR_FPSGO_GET_FPS + PERFMGR_FPSGO_GET_FSTB_ACTIVE + PERFMGR_FPSGO_WAIT_FSTB_ACTIVE + PERFMGR_FPSGO_SBE_RESCUE + EAS_SYNC_SET + EAS_PERTASK_LS_SET + CORE_CTL_FORCE_PAUSE_CPU + CORE_CTL_SET_OFFLINE_THROTTLE_MS + CORE_CTL_SET_LIMIT_CPUS + CORE_CTL_SET_NOT_PREFERRED + CORE_CTL_SET_BOOST + CORE_CTL_SET_UP_THRES + CPUQOS_V3_SET_CPUQOS_MODE + CPUQOS_V3_SET_CT_TASK + CPUQOS_V3_SET_CT_GROUP + EAS_NEWLY_IDLE_BALANCE_INTERVAL_SET + EAS_GET_THERMAL_HEADROOM_INTERVAL_SET + }; + +# Date : 2017/10/11 +# Operation: SQC +# Purpose : Allow powerHAL to access powerhal folder +allow mtk_hal_power sdcard_type:dir create_dir_perms; +allow mtk_hal_power sdcard_type:file create_file_perms; +allow mtk_hal_power eemcs_device:chr_file rw_file_perms; +allow mtk_hal_power mnt_user_file:dir create_dir_perms; + +allow mtk_hal_power mtk_powerhal_data_file:dir create_dir_perms; +allow mtk_hal_power mtk_powerhal_data_file:file create_file_perms; +allow mtk_hal_power mtk_powerhal_data_file:sock_file create_file_perms; + 
+#camera contorl cpu +allow mtk_hal_power mtk_hal_camera:dir r_dir_perms; +allow mtk_hal_power mtk_hal_camera:file r_file_perms; + +# Date : 2017/10/24 +# Operation: SQC +# Purpose : Allow powerHAL to access thermal +allow mtk_hal_power proc_thermal:dir r_dir_perms; + +# Date : 2017/12/19 +# Operation: SQC +# Purpose : Allow powerHAL to access wlan +allow mtk_hal_power proc_net:file w_file_perms; + +# Date : 2017/12/21 +# Operation: SQC +# Purpose : Allow powerHAL to access mediacodec +allow mtk_hal_power mediacodec:dir r_dir_perms; +allow mtk_hal_power mediacodec:file r_file_perms; + +allow mtk_hal_power mediaserver:dir r_dir_perms; +allow mtk_hal_power mediaserver:file r_file_perms; + +set_prop(mtk_hal_power, vendor_mtk_thermal_config_prop) + + +# Date : 2018/06/26 +# Operation: Thermal change policy in perfservice +allow mtk_hal_power thermal_manager_data_file:file create_file_perms; +allow mtk_hal_power thermal_manager_data_file:dir { rw_dir_perms setattr }; +allow mtk_hal_power thermalloadalgod:unix_stream_socket connectto; + +allow mtk_hal_power proc_mtkcooler:dir r_dir_perms; +allow mtk_hal_power proc_mtkcooler:file rw_file_perms; +allow mtk_hal_power proc_mtktz:dir r_dir_perms; +allow mtk_hal_power proc_mtktz:file rw_file_perms; + +# Date : 2019/05/08 +# Operation: SQC +# Purpose : Allow powerHAL to access /proc/[pid] +allow mtk_hal_power system_server:dir r_dir_perms; +allow mtk_hal_power system_server:file r_file_perms; + + +allow mtk_hal_power rild_oem_socket:sock_file w_file_perms; +allow mtk_hal_power rild:unix_stream_socket connectto; + +# Date : 2019/05/22 +# Operation: SQC +# Purpose : Allow powerHAL to access block read ahead +allow mtk_hal_power sysfs_dm:dir r_dir_perms; +allow mtk_hal_power sysfs_dm:file rw_file_perms; +allow mtk_hal_power sysfs_devices_block:dir r_dir_perms; +allow mtk_hal_power sysfs_devices_block:file rw_file_perms; + + +# Date : 2019/05/22 +# Operation: SQC +# Purpose : Allow powerHAL to access prop +set_prop(mtk_hal_power, 
vendor_mtk_powerhal_prop) + +# Date : 2019/05/29 +# Operation: SQC +# Purpose : Allow powerHAL to access wifi driver +allow mtk_hal_power self:udp_socket create_socket_perms_no_ioctl; +allow mtk_hal_power kernel:system module_request; +allow mtk_hal_power self:capability sys_module; +allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls; + +# Date : 2019/09/05 +# Operation: SQC +# Purpose : Add procfs, sysfs policy +allow mtk_hal_power proc_ppm:dir r_dir_perms; +allow mtk_hal_power proc_ppm:file rw_file_perms; +allow mtk_hal_power proc_cpufreq:dir r_dir_perms; +allow mtk_hal_power proc_cpufreq:file rw_file_perms; +allow mtk_hal_power proc_hps:dir r_dir_perms; +allow mtk_hal_power proc_hps:file rw_file_perms; +allow mtk_hal_power proc_cm_mgr:dir r_dir_perms; +allow mtk_hal_power proc_cm_mgr:file rw_file_perms; +allow mtk_hal_power proc_fliperfs:dir r_dir_perms; +allow mtk_hal_power proc_fliperfs:file rw_file_perms; +allow mtk_hal_power sysfs_ged:dir r_dir_perms; +allow mtk_hal_power sysfs_ged:file rw_file_perms; +allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms; +allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms; +allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms; +allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms; +allow mtk_hal_power sysfs_xgf:dir r_dir_perms; +allow mtk_hal_power sysfs_xgf:file rw_file_perms; +allow mtk_hal_power sysfs_mtk_fpsgo:dir r_dir_perms; +allow mtk_hal_power sysfs_mtk_fpsgo:file rw_file_perms; +allow mtk_hal_power sysfs_fpsgo:dir r_dir_perms; +allow mtk_hal_power sysfs_fpsgo:file rw_file_perms; +allow mtk_hal_power sysfs_gbe:dir r_dir_perms; +allow mtk_hal_power sysfs_gbe:file rw_file_perms; +allow mtk_hal_power gbe_native:dir r_dir_perms; +allow mtk_hal_power gbe_native:file r_file_perms; +allow mtk_hal_power fpsgo_native:dir r_dir_perms; +allow mtk_hal_power fpsgo_native:file r_file_perms; + +# Date : 2019/09/17 +# Operation: SQC +# Purpose : Add cache audit +allow mtk_hal_power sysfs_cache_ctrl:dir r_dir_perms; 
+allow mtk_hal_power sysfs_cache_ctrl:file rw_file_perms; +allow mtk_hal_power sysfs_pftch_qos:dir r_dir_perms; +allow mtk_hal_power sysfs_pftch_qos:file rw_file_perms; + +# Date : 2019/09/18 +# Operation: SQC +# Purpose : Add f2fs permission +allow mtk_hal_power sysfs_fs_f2fs:dir r_dir_perms; +allow mtk_hal_power sysfs_fs_f2fs:file rw_file_perms; + +# Date : 2019/09/19 +# Operation: SQC +# Purpose : Add task turbo +allow mtk_hal_power sysfs_task_turbo:dir r_dir_perms; +allow mtk_hal_power sysfs_task_turbo:file rw_file_perms; + +# Date : 2019/09/23 +# Operation: SQC +# Purpose : Allow powerHAL to access touch boost +allow mtk_hal_power sysfs_change_rate:file rw_file_perms; + +# Date : 2019/10/16 +# Operation: SQC +allow mtk_hal_power sysfs_ext4_disable_barrier:file w_file_perms; +allow mtk_hal_power block_device:dir search; + +# Date : 2019/11/14 +# Operation: SQC +# Purpose : Allow powerhal to control MCDI +allow mtk_hal_power proc_cpuidle:dir r_dir_perms; +allow mtk_hal_power proc_cpuidle:file rw_file_perms; + +# Date : 2020/06/12 +# Operation: SQC +# Purpose : Allow powerhal to control mali power policy +allow mtk_hal_power sysfs_mali_power_policy:file rw_file_perms; + +# Date : 2020/06/12 +# Operation: SQC +# Purpose : Allow powerhal to control displowpower +allow mtk_hal_power proc_displowpower:dir r_dir_perms; +allow mtk_hal_power proc_displowpower:file rw_file_perms; + +# Date : 2020/07/31 +# Purpose: add permission for /sys/kernel/apusys/ +allow mtk_hal_power sysfs_apusys:dir r_dir_perms; +allow mtk_hal_power sysfs_apusys:file rw_file_perms; + +# vpud_native control CPU +# Date : 2020/8/7 +# Operation: video playback +allow mtk_hal_power vpud_native:dir r_dir_perms; +allow mtk_hal_power vpud_native:file rw_file_perms; +allow mtk_hal_power mtk_hal_c2:dir r_dir_perms; +allow mtk_hal_power mtk_hal_c2:file rw_file_perms; + +# Date : 2020/08/19 +# Purpose: add permission for /sys/class/devfreq/mtk-dvfsrc-devfreq/userspace +allow mtk_hal_power 
sysfs_dvfsrc_devfreq:dir r_dir_perms; +allow mtk_hal_power sysfs_dvfsrc_devfreq:file rw_file_perms; + +# Date : 2020/04/15 +# Operation: SQC +# Purpose : Allow powerhal to control video mode property +set_prop(mtk_hal_power, vendor_mtk_video_prop) + +# Date : 2020/09/18 +# Purpose: allow powerhal to control mcdi +allow mtk_hal_power proc_mcdi:dir r_dir_perms; +allow mtk_hal_power proc_mcdi:file rw_file_perms; + +# Date : 2020/09/29 +# Purpose: add permission for /sys/kernel/eara_thermal/ +allow mtk_hal_power sysfs_eara_thermal:dir r_dir_perms; +allow mtk_hal_power sysfs_eara_thermal:file rw_file_perms; + +# Date : 2021/3/12 +# Purpose: add permission for /sys/class/misc/mali0/device/pm_poweroff +allow mtk_hal_power sysfs_mali_poweroff:dir r_dir_perms; +allow mtk_hal_power sysfs_mali_poweroff:file rw_file_perms; + +# Date : 2021/03/19 +# Purpose: add permission for EARA IO Service +allow mtk_hal_power eara_io:dir r_dir_perms; +allow mtk_hal_power eara_io:file r_file_perms; + +# Date : 2021/03/15 +# Purpose: add permission for /dev/cpu_dma_latency +allow mtk_hal_power cpu_dma_latency_device:chr_file rw_file_perms; + +# Date : 2021/4/14 +# change policy via socket to thermal core +allow mtk_hal_power thermal_socket:sock_file write; +allow mtk_hal_power thermal_core:unix_stream_socket connectto; + +# Date : 2021/03/15 +# Purpose: add powerhal to control eara property +set_prop(mtk_hal_power, vendor_mtk_frs_prop) + +# Date : 2021/04/20 +# Purpose: add permission for vendor.sys.vm.swappiness/dropcaches/extrafreekbytesadj/watermarkscalefactor +set_prop(mtk_hal_power, vendor_mtk_vm_prop) + +# Date : 2021/04/26 +# Purpose: allow thermal core to limit CPU and GPU +allow mtk_hal_power thermal_core:dir { getattr search }; +allow mtk_hal_power thermal_core:file r_file_perms; + +# Date : 2021/05/07 +# add permission for dev/cpuctl/ +allow mtk_hal_power cgroup:file rw_file_perms_no_map; +allow mtk_hal_power cgroup:dir r_dir_perms; + +allow mtk_hal_power 
mtk_hal_bluetooth_audio_hwservice:hwservice_manager find; + +# Date: WK21.33 +# Purpose: allow Power-HAL to access /proc/[surfaceflinger_pid] +allow mtk_hal_power surfaceflinger:dir r_dir_perms; +allow mtk_hal_power surfaceflinger:file r_file_perms; + +# 2021/8/25 +# allow powerhal to access /proc/cpuhvfs/cpufreq_cci_mode +allow mtk_hal_power proc_cpuhvfs:dir r_dir_perms; +allow mtk_hal_power proc_cpuhvfs:file rw_file_perms; + +# 2021/8/25 +# allow powerhal to access /sys/kernel/cm_mgr/dbg_cm_mgr +allow mtk_hal_power sysfs_cm_mgr:dir r_dir_perms; +allow mtk_hal_power sysfs_cm_mgr:file rw_file_perms; + +set_prop(mtk_hal_power, vendor_mtk_bt_perf_prop) + +# Date : 2021/10/14 +# Purpose: add permission for get lmkd_config_prop +get_prop(mtk_hal_power, lmkd_config_prop) + +# Date: 2021/12/08 +# allow powerhal to access /sys/kernel/thermal/sports_mode +allow mtk_hal_power sysfs_thermal_sram:file w_file_perms; + +# Date: 2022/01/17 +# allow powerhal to access /sys/kernel/helio-dvfsrc/dvfsrc_qos_mode +allow mtk_hal_power sysfs_dvfsrc_dbg:dir r_dir_perms; +allow mtk_hal_power sysfs_dvfsrc_dbg:file rw_file_perms; + +# Date: 2021/12/24 +# allow powerhal to access /proc/mgq +allow mtk_hal_power proc_mgq:dir r_dir_perms; +allow mtk_hal_power proc_mgq:file w_file_perms; diff --git a/basic/non_plat/mtk_hal_pq.te b/basic/non_plat/mtk_hal_pq.te new file mode 100644 index 0000000..e64c09f --- /dev/null +++ b/basic/non_plat/mtk_hal_pq.te 
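Review bot: The 2019/05/29 block gives the power HAL `allow mtk_hal_power self:capability sys_module;`, the capability the kernel checks before loading or unloading modules, although the hunk grants no module_load permission. If the denial comes only from interface-name lookups on the UDP socket (the kernel attempts a driver auto-load for an unknown name), AOSP's netd policy uses dontaudit for that case, and `dontaudit mtk_hal_power self:capability sys_module;` would silence it without granting anything. The same block opens `priv_sock_ioctls` as a whole; listing the specific ioctls the wifi path needs, as the mtkrild.te hunk does for its UDP socket, would be narrower. Separately, the 2017/10/11 comment says "access powerhal folder" but the rules under it grant create permissions on `sdcard_type` and `mnt_user_file`; the comment should name the path actually written.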
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_hal_pq, domain;
+type mtk_hal_pq_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_pq)
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_pq, hal_mtk_pq)
+
+# Allow to allocate hidl memory
+hal_client_domain(mtk_hal_pq, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_pq graphics_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get AmbientLux from hwservice_manager
+allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;
+
+# Purpose : Allow permission to set pq property
+set_prop(mtk_hal_pq, vendor_mtk_pq_prop)
+
+# Purpose : Allow permission to get pq property
+get_prop(mtk_hal_pq, vendor_mtk_pq_ro_prop)
+
+# Purpose :
+allow mtk_hal_pq gpu_device:dir search;
+allow mtk_hal_pq dri_device:chr_file rw_file_perms;
+allow mtk_hal_pq mml_pq_device:chr_file rw_file_perms;
+
+# Purpose : Allow permission to get MMAgent from hwservice_manager
+hal_client_domain(mtk_hal_pq, hal_mtk_mmagent)
+
+# Purpose : Allow permission to use DMABuffer
+allow mtk_hal_pq dmabuf_system_heap_device:chr_file r_file_perms;
+
+# Purpose : Allow change priority
+allow mtk_hal_pq self:capability sys_nice;
\ No newline at end of file
diff --git a/basic/non_plat/mtk_hal_secure_element.te b/basic/non_plat/mtk_hal_secure_element.te
new file mode 100644
index 0000000..ba05b00
--- /dev/null
+++ b/basic/non_plat/mtk_hal_secure_element.te
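Review bot: The comment `# Purpose :` above the `gpu_device`, `dri_device` and `mml_pq_device` rules is empty, so two of the three read/write device grants in mtk_hal_pq.te carry no stated reason. Suggest filling it in, for example `# Purpose : Allow PQ to open the DRM and MML-PQ device nodes (TODO owner: name the feature)`. The file also ends without a trailing newline after the `sys_nice` rule.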
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_secure_element, domain;
+type mtk_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_secure_element)
+
+hal_server_domain(mtk_hal_secure_element, hal_secure_element)
+
+# Allow to get android.hardware.radio HIDL interface
+hal_client_domain(mtk_hal_secure_element, hal_telephony)
+binder_call(mtk_hal_secure_element, rild)
+
+allow mtk_hal_secure_element secure_element_device:chr_file rw_file_perms;
+
+# Allow to use persist.radio.multisim.config
+get_prop(mtk_hal_secure_element, radio_control_prop)
diff --git a/basic/non_plat/mtk_hal_sensors.te b/basic/non_plat/mtk_hal_sensors.te
new file mode 100644
index 0000000..9de5caa
--- /dev/null
+++ b/basic/non_plat/mtk_hal_sensors.te
@@ -0,0 +1,78 @@ +# ============================================================================== +# Type Declaration +# ============================================================================== +type mtk_hal_sensors, domain; +type mtk_hal_sensors_exec, exec_type, file_type, vendor_file_type; + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +init_daemon_domain(mtk_hal_sensors) + +# call into system_server process (callbacks) +binder_call(mtk_hal_sensors, system_server) + +#hwservicemanager +hal_server_domain(mtk_hal_sensors, hal_sensors) + +# graphics allocator +allow mtk_hal_sensors hal_graphics_allocator_default:fd use; + +# gpu device +allow mtk_hal_sensors gpu_device:dir create_dir_perms; +allow mtk_hal_sensors gpu_device:chr_file rw_file_perms; +allow mtk_hal_sensors dri_device:chr_file rw_file_perms; + +# ion device +allow mtk_hal_sensors ion_device:dir create_dir_perms; +allow mtk_hal_sensors ion_device:chr_file rw_file_perms; + +# system file +allow mtk_hal_sensors system_file:dir r_dir_perms; + +# sensors input rw access +allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms; +allow mtk_hal_sensors sysfs_sensor:file rw_file_perms; + +# hal sensor for chr_file +allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms; + +# Access sensor bio devices +allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_als_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_ps_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_mag_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_gyro_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_baro_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_hmdy_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_act_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors 
m_pedo_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_situ_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_step_c_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_fusion_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors m_bio_misc_device:chr_file rw_file_perms; +allow mtk_hal_sensors hf_manager_device:chr_file rw_file_perms; + +# Access mtk sensor setting and calibration node. +# for data +allow mtk_hal_sensors sensor_data_file:file create_file_perms; +allow mtk_hal_sensors sensor_data_file:dir create_dir_perms; + +# for nvcfg +allow mtk_hal_sensors nvcfg_file:file create_file_perms; +allow mtk_hal_sensors nvcfg_file:dir create_dir_perms; + +# Date : WK18.21 +# Operation: P migration +# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init() +allow mtk_hal_sensors mnt_vendor_file:dir search; + +# Date : WK19.48 +# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail +allow mtk_hal_sensors merged_hal_service:fd use; + +# Date : WK20.25 +# Purpose: Allow to read /bus/platform/drivers/mtk_nanohub/state +allow mtk_hal_sensors sysfs_mtk_nanohub_state:file r_file_perms; diff --git a/basic/non_plat/mtk_hal_thp.te b/basic/non_plat/mtk_hal_thp.te new file mode 100644 index 0000000..8f81364 --- /dev/null +++ b/basic/non_plat/mtk_hal_thp.te @@ -0,0 +1 @@ +type mtk_hal_thp, domain; diff --git a/basic/non_plat/mtk_hal_touchll.te b/basic/non_plat/mtk_hal_touchll.te new file mode 100644 index 0000000..75d9723 --- /dev/null +++ b/basic/non_plat/mtk_hal_touchll.te @@ -0,0 +1 @@ +type mtk_hal_touchll, domain; diff --git a/basic/non_plat/mtk_hal_usb.te b/basic/non_plat/mtk_hal_usb.te new file mode 100644 index 0000000..be28b9b --- /dev/null +++ b/basic/non_plat/mtk_hal_usb.te 
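Review bot: `allow mtk_hal_sensors gpu_device:dir create_dir_perms;` and `allow mtk_hal_sensors ion_device:dir create_dir_perms;` let the sensors HAL create, rename and remove directories under those device labels, which is more than opening a device node requires. The mtk_hal_pq.te hunk in this patch gets by with `gpu_device:dir search`, and the same should be enough here: `allow mtk_hal_sensors gpu_device:dir search;` and `allow mtk_hal_sensors ion_device:dir search;`. The `system_file:dir r_dir_perms` rule has only the label "system file" and no purpose, so it should say which path the HAL lists.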
@@ -0,0 +1,16 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_usb, domain;
+type mtk_hal_usb_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_usb)
+
+hal_server_domain(mtk_hal_usb, hal_usb)
+hal_server_domain(mtk_hal_usb, hal_usb_gadget)
+
+r_dir_file(mtk_hal_usb, sysfs_usb_nonplat)
+allow mtk_hal_usb sysfs_usb_nonplat:file w_file_perms;
+
+set_prop(mtk_hal_usb, vendor_mtk_usb_prop)
+get_prop(mtk_hal_usb, usb_control_prop)
diff --git a/basic/non_plat/mtk_hal_wfo.te b/basic/non_plat/mtk_hal_wfo.te
new file mode 100644
index 0000000..a9b9e2a
--- /dev/null
+++ b/basic/non_plat/mtk_hal_wfo.te
@@ -0,0 +1 @@
+type mtk_hal_wfo, domain, mtkimsapdomain;
diff --git a/basic/non_plat/mtk_hal_wifi.te b/basic/non_plat/mtk_hal_wifi.te
new file mode 100644
index 0000000..0382e05
--- /dev/null
+++ b/basic/non_plat/mtk_hal_wifi.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_wifi, domain;
+type mtk_hal_wifi_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_wifi)
+hal_server_domain(mtk_hal_wifi, hal_wifi)
+
+allow mtk_hal_wifi self:capability sys_module;
+allow mtk_hal_wifi vendor_file:system module_load;
+allow mtk_hal_wifi kernel:system module_request;
diff --git a/basic/non_plat/mtk_pkm_service.te b/basic/non_plat/mtk_pkm_service.te
new file mode 100644
index 0000000..2f39902
--- /dev/null
+++ b/basic/non_plat/mtk_pkm_service.te
@@ -0,0 +1 @@
+type mtk_pkm_service, domain;
diff --git a/basic/non_plat/mtk_safe_halserverdomain_type.te b/basic/non_plat/mtk_safe_halserverdomain_type.te
new file mode 100644
index 0000000..74cb3b2
--- /dev/null
+++ b/basic/non_plat/mtk_safe_halserverdomain_type.te
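Review bot: In mtk_hal_wifi.te, `allow mtk_hal_wifi vendor_file:system module_load;` permits loading any file that carries the generic `vendor_file` label as a kernel module, and the domain also holds `self:capability sys_module`. Giving the wifi driver objects a dedicated label (AOSP defines `vendor_kernel_modules` for this, where the platform version provides it) and writing `allow mtk_hal_wifi vendor_kernel_modules:system module_load;` would restrict the load path to files meant to be modules. That needs a matching file_contexts entry, which is outside this hunk. None of the three rules has a purpose comment; one line saying which driver is loaded and when would help the next audit.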
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W20.26
+# Operation : Migration
+# Purpose : For apps other than isolated_app call hidl
+binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })
diff --git a/basic/non_plat/mtk_wmt_launcher.te b/basic/non_plat/mtk_wmt_launcher.te
new file mode 100644
index 0000000..6e09e09
--- /dev/null
+++ b/basic/non_plat/mtk_wmt_launcher.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_wmt_launcher Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_wmt_launcher, domain;
+type mtk_wmt_launcher_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_wmt_launcher)
+
+# set the property
+set_prop(mtk_wmt_launcher, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for mtk_wmt_launcher with /dev/stpwmt
+allow mtk_wmt_launcher stpwmt_device:chr_file rw_file_perms;
+allow mtk_wmt_launcher devpts:chr_file rw_file_perms;
+allow mtk_wmt_launcher system_file:dir r_dir_perms;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow mtk_wmt_launcher vendor_file:dir r_dir_perms;
\ No newline at end of file
diff --git a/basic/non_plat/mtkbootanimation.te b/basic/non_plat/mtkbootanimation.te
new file mode 100644
index 0000000..fd6a37c
--- /dev/null
+++ b/basic/non_plat/mtkbootanimation.te
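Review bot: The arguments of `binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })` are in the opposite order from what the comment describes. In AOSP's te_macros the first argument is the caller, so this rule lets every domain carrying the attribute call into, and use fds from, every non-isolated app domain, untrusted ones included. If the intent is the comment's (apps calling the HAL), the rule would read `binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)`; if the intent is callbacks from the HAL to its clients, the comment should say so. Either way the file should state which HALs carry this attribute and why all app domains, rather than the specific client domains, are in scope.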
@@ -0,0 +1,28 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.46
+# Operation : Migration
+# Purpose : For MTK Emulator HW GPU
+allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow mtkbootanimation proc_ged:file rw_file_perms;
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : access to sec mem proc interface.
+allow mtkbootanimation proc_secmem:file r_file_perms;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : for gpu access
+allow mtkbootanimation dri_device:chr_file rw_file_perms;
+
+# Date : WK17.48
+# Operation : Migration
+# Purpose : FPSGO integration
+allow mtkbootanimation proc_perfmgr:dir r_dir_perms;
+allow mtkbootanimation proc_perfmgr:file r_file_perms;
diff --git a/basic/non_plat/mtkrild.te b/basic/non_plat/mtkrild.te
new file mode 100644
index 0000000..355b34f
--- /dev/null
+++ b/basic/non_plat/mtkrild.te
@@ -0,0 +1,143 @@ +# ============================================== +# Policy File of /vendor/bin/mtkrild Executable File + +# ============================================== +# Type Declaration +# ============================================== +type mtkrild_exec, exec_type, file_type, vendor_file_type; +type mtkrild, domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(mtkrild) +net_domain(mtkrild) + +# Access to wake locks +wakelock_use(mtkrild) + +# Allow to use vendor binder +vndbinder_use(mtkrild) + +# Trigger module auto-load. +allow mtkrild kernel:system module_request; + +# Capabilities assigned for mtkrild +allow mtkrild self:capability { setuid net_admin net_raw }; + +# Control cgroups +allow mtkrild cgroup:dir create_dir_perms; + +# Property service +# allow set RIL related properties (radio./net./system./etc) +set_prop(mtkrild, vendor_mtk_ril_active_md_prop) + +# allow set muxreport control properties +set_prop(mtkrild, vendor_mtk_ril_cdma_report_prop) +set_prop(mtkrild, vendor_mtk_ril_mux_report_case_prop) +set_prop(mtkrild, vendor_mtk_ctl_muxreport-daemon_prop) + +#Dat: 2017/02/14 +#Purpose: allow set telephony Sensitive property +set_prop(mtkrild, vendor_mtk_telephony_sensitive_prop) + +# Allow access permission to efs files +allow mtkrild efs_file:dir create_dir_perms; +allow mtkrild efs_file:file create_file_perms; +allow mtkrild bluetooth_efs_file:file r_file_perms; +allow mtkrild bluetooth_efs_file:dir r_dir_perms; + +# Allow access permission to dir/files +# (radio data/system data/proc/etc) + +allow mtkrild sdcardfs:dir r_dir_perms; + +allow mtkrild proc_net:file w_file_perms; + +# Set and get routes directly via netlink. 
+allow mtkrild self:netlink_route_socket nlmsg_write; + +# Allow read/write to devices/files +allow mtkrild mtk_radio_device:dir search; +allow mtkrild radio_device:chr_file rw_file_perms; +allow mtkrild radio_device:blk_file r_file_perms; +allow mtkrild mtd_device:dir search; + +# Allow read/write to tty devices +allow mtkrild tty_device:chr_file rw_file_perms; +allow mtkrild eemcs_device:chr_file rw_file_perms; + +allow mtkrild devmap_device:chr_file r_file_perms; +allow mtkrild devpts:chr_file rw_file_perms; +allow mtkrild ccci_device:chr_file rw_file_perms; +allow mtkrild misc_device:chr_file rw_file_perms; +allow mtkrild proc_lk_env:file rw_file_perms; +allow mtkrild para_block_device:blk_file rw_file_perms; + +# Allow dir search, fd uses +allow mtkrild block_device:dir search; +allow mtkrild platform_app:fd use; +allow mtkrild radio:fd use; + +# For MAL MFI +allow mtkrild mal_mfi_socket:sock_file w_file_perms; + +# For ccci sysfs node +allow mtkrild sysfs_ccci:dir search; +allow mtkrild sysfs_ccci:file r_file_perms; + +# Allow ioctl in order to control network interface +allowxperm mtkrild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1}; + +# Allow to trigger IPv6 RS +allow mtkrild node:rawip_socket node_bind; + +#Date : W18.15 +#Purpose: allow rild access to vendor.ril.ipo system property +set_prop(mtkrild, vendor_mtk_ril_ipo_prop) + +# Date : WK18.16 +# Operation: P migration +# Purpose: Allow mtkrild to get vendor_mtk_tel_switch_prop +get_prop(mtkrild, vendor_mtk_tel_switch_prop) + +#Date: W1817 +#Purpose: allow rild access property of vendor_mtk_radio_prop +set_prop(mtkrild, vendor_mtk_radio_prop) + +# Date : WK18.26 +# Operation: P migration +# Purpose: Allow carrier express HIDL to set vendor property +set_prop(mtkrild, vendor_mtk_cxp_vendor_prop) +allow mtkrild mnt_vendor_file:dir search; +allow mtkrild mnt_vendor_file:file create_file_perms; +allow mtkrild nvdata_file:dir create_dir_perms; +allow 
mtkrild nvdata_file:file create_file_perms; + +# Date : WK18.31 +# Operation: P migration +# Purpose: Allow supplementary service HIDL to set vendor property +set_prop(mtkrild, vendor_mtk_ss_vendor_prop) + +# Date : W19.16 +# Operation: Q migration +# Purpose: Allow mtkrild access to send SUPL INIT to mnld +allow mtkrild mnld:unix_dgram_socket sendto; + +# Date : WK19.43 +# Purpose: Allow wfc module from rild read system property from wfc module +get_prop(mtkrild, vendor_mtk_wfc_serv_prop) + +# Date : 2020/06/11 +# Operation: R migration +# Purpose: Allow mtkrild to get system_boot_reason_prop +get_prop(mtkrild, system_boot_reason_prop) + +# Date: WK20.31 +# Operation: RILD init flow +# Purpose: To handle illegal rild started +set_prop(mtkrild, vendor_mtk_gsm0710muxd_prop) + +# Date : 2020/08/17 +# Purpose: Allow mtkrild to access netlink_xfrm_socket +allow mtkrild self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write }; diff --git a/basic/non_plat/muxreport.te b/basic/non_plat/muxreport.te new file mode 100644 index 0000000..4449058 --- /dev/null +++ b/basic/non_plat/muxreport.te 
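Review bot: Under `# Allow read/write to tty devices` the mtkrild hunk also grants rw_file_perms on `misc_device:chr_file`, `proc_lk_env:file` and `para_block_device:blk_file`, none of which is a tty and none of which has a stated purpose. mtkrild holds `net_admin` and `net_raw` and is a network domain, so write access to what look like bootloader-parameter objects (inferred from the type names only) needs its own justification. Suggest moving them under a separate comment such as `# Purpose : <feature> writes <field> to the para partition / LK env (TODO owner)`, or granting only r_file_perms if nothing is written. The `cgroup:dir create_dir_perms` rule has the same gap, since "Control cgroups" does not say which hierarchy is created.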
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /vendor/bin/muxreport Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type muxreport_exec, exec_type, file_type, vendor_file_type;
+type muxreport, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(muxreport)
+
+# Property service
+# allow set muxreport control properties
+set_prop(muxreport, vendor_mtk_ril_mux_report_case_prop)
+
+# Allow read/write to devices/files
+allow muxreport ccci_device:chr_file rw_file_perms;
+allow muxreport devpts:chr_file rw_file_perms;
+allow muxreport eemcs_device:chr_file rw_file_perms;
+allow muxreport emd_device:chr_file rw_file_perms;
+
+# Allow read to sys/kernel/ccci/* files
+allow muxreport sysfs_ccci:dir search;
+allow muxreport sysfs_ccci:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow muxreport to get vendor_mtk_tel_switch_prop
+get_prop(muxreport, vendor_mtk_tel_switch_prop)
+
+#Date: W1824
+#Purpose: allow muxreport access property of vendor_mtk_radio_prop
+set_prop(muxreport, vendor_mtk_radio_prop)
diff --git a/basic/non_plat/netd.te b/basic/non_plat/netd.te
new file mode 100644
index 0000000..f93ff1f
--- /dev/null
+++ b/basic/non_plat/netd.te
@@ -0,0 +1,42 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
+# Owner: TingTing Lei
+allow netd wmtWifi_device:chr_file w_file_perms;
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : NA
+# Owner: Changqing Sun
+allow netd self:capability { fsetid setuid setgid };
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose: APP
+allow netd platform_app:fd use;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : PPPOE Test
+# Owner : lina wang
+allow netd ppp:process sigkill;
+
+allow netd untrusted_app:fd use;
+
+# Date : W15.02
+# Operation : SQC
+# Purpose : CTS for wifi
+allow netd untrusted_app:unix_stream_socket rw_socket_perms_no_ioctl;
+allow netd isolated_app:fd use;
+
+# MTK support app feature
+get_prop(netd, vendor_mtk_app_prop)
+
+
+allow netd bip_ap:fd use;
+allow netd bip_ap:tcp_socket { read write setopt getopt };
+allow netd bip_ap:udp_socket {read write setopt getopt};
diff --git a/basic/non_plat/netdagent.te b/basic/non_plat/netdagent.te
new file mode 100644
index 0000000..88a30d5
--- /dev/null
+++ b/basic/non_plat/netdagent.te
@@ -0,0 +1 @@
+type netdagent, domain;
diff --git a/basic/non_plat/nfcstackp_vendor.te b/basic/non_plat/nfcstackp_vendor.te
new file mode 100644
index 0000000..a4431cc
--- /dev/null
+++ b/basic/non_plat/nfcstackp_vendor.te
@@ -0,0 +1 @@
+type nfcstackp_vendor, domain;
diff --git a/basic/non_plat/nvram_daemon.te b/basic/non_plat/nvram_daemon.te
new file mode 100644
index 0000000..eba4cf6
--- /dev/null
+++ b/basic/non_plat/nvram_daemon.te
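Review bot: In netd.te, `allow netd self:capability { fsetid setuid setgid };` is recorded with `# Purpose : NA`, so this vendor policy adds identity-changing capabilities to a platform daemon with no reason given. Likewise `allow netd untrusted_app:unix_stream_socket rw_socket_perms_no_ioctl;` is justified only as "CTS for wifi", and the three `bip_ap` rules at the end have no comment at all. Each rule should name the code path that produces the denial, for example `# Purpose : <netd feature> needs setuid/setgid for <reason> (TODO owner: confirm or remove)`. Rules nobody can explain are candidates for removal rather than migration.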
@@ -0,0 +1,79 @@
+# ==============================================
+# Policy File of /vendor/bin/nvram_daemon Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type nvram_daemon_exec, exec_type, file_type, vendor_file_type;
+type nvram_daemon, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(nvram_daemon)
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : the device is used to store Nvram backup data that can not be lost.
+allow nvram_daemon nvram_device:blk_file rw_file_perms;
+allow nvram_daemon nvdata_device:blk_file rw_file_perms;
+
+# Date : WK14.35
+# Operation : chown folder and file permission
+# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
+allow nvram_daemon nvram_data_file:dir create_dir_perms;
+allow nvram_daemon nvram_data_file:file create_file_perms;
+allow nvram_daemon nvram_data_file:lnk_file { r_file_perms unlink };
+allow nvram_daemon nvdata_file:lnk_file r_file_perms;
+allow nvram_daemon nvdata_file:dir create_dir_perms;
+allow nvram_daemon nvdata_file:file create_file_perms;
+
+allow nvram_daemon als_ps_device:chr_file r_file_perms;
+allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
+allow nvram_daemon gsensor_device:chr_file r_file_perms;
+allow nvram_daemon gyroscope_device:chr_file r_file_perms;
+
+# Purpose: for property set
+allow nvram_daemon self:capability { fowner chown fsetid };
+
+# Purpose: for backup
+allow nvram_daemon nvram_device:chr_file rw_file_perms;
+allow nvram_daemon pro_info_device:chr_file rw_file_perms;
+
+allow nvram_daemon block_device:dir search;
+
+# Purpose: for nand project
+allow nvram_daemon mtd_device:dir search;
+allow nvram_daemon mtd_device:chr_file rw_file_perms;
+
+# Purpose: for fstab parser
+allow nvram_daemon kmsg_device:chr_file w_file_perms;
+allow nvram_daemon proc_lk_env:file rw_file_perms;
+
+# Purpose: property set
+set_prop(nvram_daemon, vendor_mtk_service_nvram_init_prop)
+
+# Purpose: copy /fstab*
+allow nvram_daemon rootfs:dir r_dir_perms;
+allow nvram_daemon rootfs:file r_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow nvram_daemon to get vendor_mtk_tel_switch_prop
+get_prop(nvram_daemon, vendor_mtk_tel_switch_prop)
+get_prop(nvram_daemon, vendor_mtk_rat_config_prop)
+
+# Date : WK18.21
+# Operation: P migration
+# Purpose: Allow nvram_daemon to search /mnt/vendor/nvdata for fstab
+allow nvram_daemon mnt_vendor_file:dir search;
+
+allow nvram_daemon sysfs_boot_mode:file r_file_perms;
+
+# Allow ReadDefaultFstab().
+read_fstab(nvram_daemon)
+
+# Purpose: Wifi NVRAM ConnFem Kernel node access
+allow nvram_daemon connfem_device:chr_file rw_file_perms;
\ No newline at end of file
diff --git a/basic/non_plat/platform_app.te b/basic/non_plat/platform_app.te
new file mode 100644
index 0000000..73d34c7
--- /dev/null
+++ b/basic/non_plat/platform_app.te
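Review bot: The comment above `allow nvram_daemon self:capability { fowner chown fsetid };` reads `# Purpose: for property set`, which does not describe a capability grant; the property write is the later `set_prop(nvram_daemon, vendor_mtk_service_nvram_init_prop)`. These capabilities look like they belong to the WK14.35 "chown folder and file permission" item, so the comment could read `# Purpose: chown/chmod of nvram and nvdata files (see WK14.35)`, subject to the author's confirmation. An auditor reading the file should not have to guess why a daemon with raw access to the nvram block devices also overrides file ownership checks. The file also ends with `\ No newline at end of file`; a trailing newline should be added so the last rule cannot run into whatever is concatenated after it.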
@@ -0,0 +1,40 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK18.21
+# Operation : Migration
+# Purpose : Do FM operation via hal_mtk_fm
+hal_client_domain(platform_app, hal_mtk_fm)
+
+# Date: 2019/07/04
+# Stage: Migration
+# Purpose: Allow to use lomo effect
+# Package: com.mediatek.camera
+allow platform_app sw_sync_device:chr_file rw_file_perms;
+
+# Date: 2019/07/04
+# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+hal_client_domain(platform_app, hal_mtk_bgs)
+binder_call(platform_app, mtk_hal_camera)
+
+# Date: 2020/06/08
+# Purpose: Allow platform app to access mtk jpeg
+allow platform_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm platform_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date : 2021/04/22
+# Operation : Migration
+# Purpose : DebugLoggerUI need copy & delete /data/vendor/vcodec/ folder
+# Package: com.debug.loggerui
+allow platform_app vcodec_file:dir create_dir_perms;
+allow platform_app vcodec_file:file create_file_perms;
+# DebugLoggerUI can get c2 log properties
+get_prop(platform_app, vendor_mtk_c2_log_prop)
+
+# Allow FMRadio to talk to /dev/fm
+allow platform_app fm_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/postinstall.te b/basic/non_plat/postinstall.te
new file mode 100644
index 0000000..9db77b6
--- /dev/null
+++ b/basic/non_plat/postinstall.te
@@ -0,0 +1,7 @@
+allow postinstall dm_device:chr_file rw_file_perms;
+allow postinstall preloader_block_device:blk_file rw_file_perms;
+allow postinstall postinstall_block_device:blk_file rw_file_perms;
+allow postinstall sysfs_devices_block:dir search;
+allowxperm postinstall preloader_block_device:blk_file ioctl BLKROSET;
+allow postinstall block_device:dir search;
+allow postinstall self:capability sys_admin;
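Review bot: The `vcodec_file` rules near the end of platform_app.te are justified by a single package (`# Package: com.debug.loggerui`), but `allow platform_app vcodec_file:dir create_dir_perms;` and the matching `:file create_file_perms;` give create and delete rights under that label to every app in the platform_app domain. If DebugLoggerUI ships only on debug builds (an assumption; the hunk does not say), the two rules could sit inside the `userdebug_or_eng` macro. Otherwise a dedicated domain for that package, assigned through seapp_contexts, would keep the write access away from other platform-signed apps. The closing `allow platform_app fm_device:chr_file rw_file_perms;` has no `allowxperm` allowlist, unlike the proc_mtk_jpeg rule above it, so no ioctl command on that node is filtered.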
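Review bot: postinstall.te carries no comments at all, and its last rule, `allow postinstall self:capability sys_admin;`, is the broadest grant in the file. Together with `allow postinstall preloader_block_device:blk_file rw_file_perms;` it lets the postinstall step rewrite the preloader partition, so the file should carry a header in the style of its neighbours, for example `# Purpose: postinstall clears the read-only flag (BLKROSET) on the preloader partition to update it`, with wording to be confirmed by the author. The sys_admin capability is presumably there because the kernel requires it for BLKROSET; if so, saying that next to the rule makes clear it is not meant for anything else.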
diff --git a/basic/non_plat/ppl_agent.te b/basic/non_plat/ppl_agent.te
new file mode 100644
index 0000000..7a3e8d9
--- /dev/null
+++ b/basic/non_plat/ppl_agent.te
@@ -0,0 +1 @@
+type ppl_agent, domain;
diff --git a/basic/non_plat/priv_app.te b/basic/non_plat/priv_app.te
new file mode 100644
index 0000000..f5ac8d4
--- /dev/null
+++ b/basic/non_plat/priv_app.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow private app to access mtk jpeg
+allow priv_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm priv_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
diff --git a/basic/non_plat/property.te b/basic/non_plat/property.te
new file mode 100644
index 0000000..92335ba
--- /dev/null
+++ b/basic/non_plat/property.te
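Review bot: In priv_app.te, `allow priv_app proc_mtk_jpeg:file rw_file_perms;` gives privileged apps write access to the proc node even though the only documented use is the three allowlisted ioctls. If the decoder bridge is driven through those ioctls alone, `allow priv_app proc_mtk_jpeg:file r_file_perms;` already includes `ioctl` and is the narrower grant; this needs checking against how the node is opened. The comment should also say "privileged app" rather than "private app". The block is a copy of the one in platform_app.te, so any narrowing applies there too.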
@@ -0,0 +1,201 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# system_internal_prop -- Properties used only in /system +# system_restricted_prop -- Properties which can't be written outside system +# system_public_prop -- Properties with no restrictions +# system_vendor_config_prop -- Properties which can be written only by vendor_init +# vendor_internal_prop -- Properties used only in /vendor +# vendor_restricted_prop -- Properties which can't be written outside vendor +# vendor_public_prop -- Properties with no restrictions + +# Properties used only in /vendor +vendor_internal_prop(vendor_mtk_ctl_ccci2_fsd_prop) +vendor_internal_prop(vendor_mtk_ctl_ccci3_fsd_prop) +vendor_internal_prop(vendor_mtk_ctl_ccci_fsd_prop) +vendor_internal_prop(vendor_mtk_ctl_fusion_ril_mtk_prop) +vendor_internal_prop(vendor_mtk_ctl_gsm0710muxd_prop) +vendor_internal_prop(vendor_mtk_ctl_muxreport-daemon_prop) +vendor_internal_prop(vendor_mtk_ctl_ril-daemon-mtk_prop) +vendor_internal_prop(vendor_mtk_ctl_ril-proxy_prop) +vendor_internal_prop(vendor_mtk_ctl_viarild_prop) +vendor_internal_prop(vendor_mtk_powerhal_prop) +vendor_internal_prop(vendor_mtk_wfc_serv_prop) +vendor_internal_prop(vendor_mtk_factory_prop) +vendor_internal_prop(vendor_mtk_factory_start_prop) +vendor_internal_prop(vendor_mtk_eara_io_prop) + +# Properties which can't be written outside vendor +vendor_restricted_prop(vendor_mtk_aal_ro_prop) +vendor_restricted_prop(vendor_mtk_anr_support_prop) +vendor_restricted_prop(vendor_mtk_app_prop) +vendor_restricted_prop(vendor_mtk_appresolutiontuner_prop) +vendor_restricted_prop(vendor_mtk_atci_prop) +vendor_restricted_prop(vendor_mtk_atm_ipaddr_prop) +vendor_restricted_prop(vendor_mtk_atm_mdmode_prop) +vendor_restricted_prop(vendor_mtk_audiohal_prop) +vendor_restricted_prop(vendor_mtk_bt_sap_enable_prop) +vendor_restricted_prop(vendor_mtk_coredump_prop) 
+vendor_restricted_prop(vendor_mtk_ct_ir_engmode_prop) +vendor_restricted_prop(vendor_mtk_ct_volte_prop) +vendor_restricted_prop(vendor_mtk_cxp_vendor_prop) +vendor_restricted_prop(vendor_mtk_debug_md_reset_prop) +vendor_restricted_prop(vendor_mtk_default_prop) +vendor_restricted_prop(vendor_mtk_disable_c2k_cap_prop) +vendor_restricted_prop(vendor_mtk_display_ro_prop) +vendor_restricted_prop(vendor_mtk_dsbp_support_prop) +vendor_restricted_prop(vendor_mtk_em_hidl_prop) +vendor_restricted_prop(vendor_mtk_emmc_support_prop) +vendor_restricted_prop(vendor_mtk_em_prop) +vendor_restricted_prop(vendor_mtk_em_usb_prop) +vendor_restricted_prop(vendor_mtk_factory_idle_state_prop) +vendor_restricted_prop(vendor_mtk_fullscreenswitch_prop) +vendor_restricted_prop(vendor_mtk_gprs_prefer_prop) +vendor_restricted_prop(vendor_mtk_gps_support_prop) +vendor_restricted_prop(vendor_mtk_graphics_hwc_hdr_prop) +vendor_restricted_prop(vendor_mtk_graphics_hwc_pid_prop) +vendor_restricted_prop(vendor_mtk_graphics_hwc_validate_separate_prop) +vendor_restricted_prop(vendor_mtk_gsm0710muxd_prop) +vendor_restricted_prop(vendor_mtk_hdmi_prop) +vendor_restricted_prop(vendor_mtk_imstestmode_prop) +vendor_restricted_prop(vendor_mtk_malloc_debug_backtrace_prop) +vendor_restricted_prop(vendor_mtk_md_prop) +vendor_restricted_prop(vendor_mtk_md_version_prop) +vendor_restricted_prop(vendor_mtk_mediatek_prop) +vendor_restricted_prop(vendor_mtk_meta_connecttype_prop) +vendor_restricted_prop(vendor_mtk_mnld_prop) +vendor_restricted_prop(vendor_mtk_modem_warning_prop) +vendor_restricted_prop(vendor_mtk_net_cdma_mdmstat_prop) +vendor_restricted_prop(vendor_mtk_nn_option_prop) +vendor_restricted_prop(vendor_mtk_gbe_prop) +vendor_restricted_prop(vendor_mtk_nvram_ready_prop) +vendor_restricted_prop(vendor_mtk_omx_log_prop) +vendor_restricted_prop(vendor_mtk_operator_id_prop) +vendor_restricted_prop(vendor_mtk_persist_service_atci_prop) +vendor_restricted_prop(vendor_mtk_pq_prop) 
+vendor_restricted_prop(vendor_mtk_pq_ro_prop) +vendor_restricted_prop(vendor_mtk_radio_prop) +vendor_restricted_prop(vendor_mtk_rat_config_prop) +vendor_restricted_prop(vendor_mtk_ril_active_md_prop) +vendor_restricted_prop(vendor_mtk_ril_cdma_report_prop) +vendor_restricted_prop(vendor_mtk_ril_ipo_prop) +vendor_restricted_prop(vendor_mtk_ril_mode_prop) +vendor_restricted_prop(vendor_mtk_ril_mux_report_case_prop) +vendor_restricted_prop(vendor_mtk_service_nvram_init_prop) +vendor_restricted_prop(vendor_mtk_simswitch_emmode_prop) +vendor_restricted_prop(vendor_mtk_smsformat_prop) +vendor_restricted_prop(vendor_mtk_ss_vendor_prop) +vendor_restricted_prop(vendor_mtk_telephony_sensitive_prop) +vendor_restricted_prop(vendor_mtk_tel_switch_prop) +vendor_restricted_prop(vendor_mtk_testsim_cardtype_prop) +vendor_restricted_prop(vendor_mtk_thermal_config_prop) +vendor_restricted_prop(vendor_mtk_usb_otg_switch_prop) +vendor_restricted_prop(vendor_mtk_usb_prop) +vendor_restricted_prop(vendor_mtk_c2_log_prop) +vendor_restricted_prop(vendor_mtk_vdec_log_prop) +vendor_restricted_prop(vendor_mtk_vdectlc_log_prop) +vendor_restricted_prop(vendor_mtk_venc_h264_showlog_prop) +vendor_restricted_prop(vendor_mtk_voicerecgnize_prop) +vendor_restricted_prop(vendor_mtk_volte_prop) +vendor_restricted_prop(vendor_mtk_wifi_hotspot_prop) +vendor_restricted_prop(vendor_mtk_wifi_hal_prop) +vendor_restricted_prop(vendor_mtk_wmt_prop) +vendor_restricted_prop(vendor_mtk_gpu_prop) +vendor_restricted_prop(vendor_mtk_powerhal_gpu_prop) +vendor_restricted_prop(vendor_mtk_sensor_prop) +vendor_restricted_prop(vendor_mtk_device_prop) +vendor_restricted_prop(vendor_mtk_input_resample_latency_prop) +vendor_restricted_prop(vendor_mtk_input_report_rate_prop) +vendor_restricted_prop(vendor_mtk_video_prop) +vendor_restricted_prop(vendor_mtk_frs_prop) +vendor_restricted_prop(vendor_mtk_vm_prop) +vendor_restricted_prop(vendor_mtk_aod_support_prop) +vendor_restricted_prop(vendor_mtk_soc_prop) 
+vendor_restricted_prop(vendor_mtk_prefer64_prop) +vendor_restricted_prop(vendor_mtk_bt_aac_vbr_prop) +vendor_restricted_prop(vendor_mtk_bt_perf_prop) +vendor_restricted_prop(vendor_mtk_hwc_debug_log_prop) +vendor_restricted_prop(vendor_mtk_mdp_debug_log_prop) +vendor_restricted_prop(vendor_mtk_debug_sf_cpupolicy_prop) +vendor_restricted_prop(vendor_mtk_neuropilot_flag_prop) +vendor_restricted_prop(vendor_mtk_mdrsra_v2_support_prop) +vendor_restricted_prop(vendor_mtk_xfrm_support_prop) +vendor_restricted_prop(vendor_debug_logger_prop) + +# Properties with can be read by all domains +typeattribute vendor_mtk_aal_ro_prop mtk_core_property_type; +typeattribute vendor_mtk_anr_support_prop mtk_core_property_type; +typeattribute vendor_mtk_app_prop mtk_core_property_type; +typeattribute vendor_mtk_appresolutiontuner_prop mtk_core_property_type; +typeattribute vendor_mtk_atci_prop mtk_core_property_type; +typeattribute vendor_mtk_audiohal_prop mtk_core_property_type; +typeattribute vendor_mtk_bt_sap_enable_prop mtk_core_property_type; +typeattribute vendor_mtk_coredump_prop mtk_core_property_type; +typeattribute vendor_mtk_ct_ir_engmode_prop mtk_core_property_type; +typeattribute vendor_mtk_ct_volte_prop mtk_core_property_type; +typeattribute vendor_mtk_cxp_vendor_prop mtk_core_property_type; +typeattribute vendor_mtk_debug_md_reset_prop mtk_core_property_type; +typeattribute vendor_mtk_default_prop mtk_core_property_type; +typeattribute vendor_mtk_disable_c2k_cap_prop mtk_core_property_type; +typeattribute vendor_mtk_dsbp_support_prop mtk_core_property_type; +typeattribute vendor_mtk_em_hidl_prop mtk_core_property_type; +typeattribute vendor_mtk_emmc_support_prop mtk_core_property_type; +typeattribute vendor_mtk_em_prop mtk_core_property_type; +typeattribute vendor_mtk_em_usb_prop mtk_core_property_type; +typeattribute vendor_mtk_factory_idle_state_prop mtk_core_property_type; +typeattribute vendor_mtk_fullscreenswitch_prop mtk_core_property_type; +typeattribute 
vendor_mtk_gprs_prefer_prop mtk_core_property_type; +typeattribute vendor_mtk_gps_support_prop mtk_core_property_type; +typeattribute vendor_mtk_gsm0710muxd_prop mtk_core_property_type; +typeattribute vendor_mtk_hdmi_prop mtk_core_property_type; +typeattribute vendor_mtk_imstestmode_prop mtk_core_property_type; +typeattribute vendor_mtk_malloc_debug_backtrace_prop mtk_core_property_type; +typeattribute vendor_mtk_md_prop mtk_core_property_type; +typeattribute vendor_mtk_md_version_prop mtk_core_property_type; +typeattribute vendor_mtk_mediatek_prop mtk_core_property_type; +typeattribute vendor_mtk_mnld_prop mtk_core_property_type; +typeattribute vendor_mtk_modem_warning_prop mtk_core_property_type; +typeattribute vendor_mtk_net_cdma_mdmstat_prop mtk_core_property_type; +typeattribute vendor_mtk_nvram_ready_prop mtk_core_property_type; +typeattribute vendor_mtk_omx_log_prop mtk_core_property_type; +typeattribute vendor_mtk_operator_id_prop mtk_core_property_type; +typeattribute vendor_mtk_persist_service_atci_prop mtk_core_property_type; +typeattribute vendor_mtk_pq_prop mtk_core_property_type; +typeattribute vendor_mtk_pq_ro_prop mtk_core_property_type; +typeattribute vendor_mtk_radio_prop mtk_core_property_type; +typeattribute vendor_mtk_rat_config_prop mtk_core_property_type; +typeattribute vendor_mtk_ril_active_md_prop mtk_core_property_type; +typeattribute vendor_mtk_ril_cdma_report_prop mtk_core_property_type; +typeattribute vendor_mtk_ril_ipo_prop mtk_core_property_type; +typeattribute vendor_mtk_ril_mode_prop mtk_core_property_type; +typeattribute vendor_mtk_ril_mux_report_case_prop mtk_core_property_type; +typeattribute vendor_mtk_service_nvram_init_prop mtk_core_property_type; +typeattribute vendor_mtk_simswitch_emmode_prop mtk_core_property_type; +typeattribute vendor_mtk_smsformat_prop mtk_core_property_type; +typeattribute vendor_mtk_ss_vendor_prop mtk_core_property_type; +typeattribute vendor_mtk_tel_switch_prop mtk_core_property_type; +typeattribute 
vendor_mtk_testsim_cardtype_prop mtk_core_property_type; +typeattribute vendor_mtk_usb_otg_switch_prop mtk_core_property_type; +typeattribute vendor_mtk_vdec_log_prop mtk_core_property_type; +typeattribute vendor_mtk_vdectlc_log_prop mtk_core_property_type; +typeattribute vendor_mtk_venc_h264_showlog_prop mtk_core_property_type; +typeattribute vendor_mtk_voicerecgnize_prop mtk_core_property_type; +typeattribute vendor_mtk_volte_prop mtk_core_property_type; +typeattribute vendor_mtk_wifi_hotspot_prop mtk_core_property_type; +typeattribute vendor_mtk_wifi_hal_prop mtk_core_property_type; +typeattribute vendor_mtk_wmt_prop mtk_core_property_type; +typeattribute vendor_mtk_gpu_prop mtk_core_property_type; +typeattribute vendor_mtk_powerhal_gpu_prop mtk_core_property_type; +typeattribute vendor_mtk_sensor_prop mtk_core_property_type; +typeattribute vendor_mtk_input_resample_latency_prop mtk_core_property_type; +typeattribute vendor_mtk_video_prop mtk_core_property_type; +typeattribute vendor_mtk_vm_prop mtk_core_property_type; +typeattribute vendor_mtk_aod_support_prop mtk_core_property_type; +typeattribute vendor_mtk_bt_aac_vbr_prop mtk_core_property_type; +typeattribute vendor_mtk_hwc_debug_log_prop mtk_core_property_type; +typeattribute vendor_mtk_mdp_debug_log_prop mtk_core_property_type; +typeattribute vendor_mtk_neuropilot_flag_prop mtk_core_property_type; +typeattribute vendor_mtk_mdrsra_v2_support_prop mtk_core_property_type; +typeattribute vendor_mtk_xfrm_support_prop mtk_core_property_type; +typeattribute vendor_debug_logger_prop mtk_core_property_type; diff --git a/basic/non_plat/property_contexts b/basic/non_plat/property_contexts new file mode 100644 index 0000000..6f5933e --- /dev/null +++ b/basic/non_plat/property_contexts 
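Review bot: The section comment `# Properties with can be read by all domains` in property.te is garbled, and the rule that actually grants the read on `mtk_core_property_type` is not in this file, so a reader cannot tell which domains "all" covers. The attribute is attached to engineering and debug switches such as `vendor_mtk_em_prop`, `vendor_mtk_coredump_prop` and `vendor_mtk_debug_md_reset_prop`, so the scope of that grant matters for review. Suggested wording: `# Properties tagged mtk_core_property_type; read access is granted in <file holding the allow rule>`. The name `vendor_mtk_voicerecgnize_prop` is misspelled; it matches property_contexts so it resolves, but it is easier to rename now than after other policy depends on it.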
@@ -0,0 +1,382 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +ctl.vendor.gsm0710muxd u:object_r:vendor_mtk_ctl_gsm0710muxd_prop:s0 + +vendor.ril.ipo u:object_r:vendor_mtk_ril_ipo_prop:s0 + +vendor.usb. u:object_r:vendor_mtk_usb_prop:s0 +persist.vendor.usb. u:object_r:vendor_mtk_usb_prop:s0 + +vendor.ril.mux. u:object_r:vendor_mtk_gsm0710muxd_prop:s0 + +ctl.vendor.ril-daemon-mtk u:object_r:vendor_mtk_ctl_ril-daemon-mtk_prop:s0 +ctl.vendor.fusion_ril_mtk u:object_r:vendor_mtk_ctl_fusion_ril_mtk_prop:s0 +ctl.vendor.ril-proxy u:object_r:vendor_mtk_ctl_ril-proxy_prop:s0 +ctl.vendor.viarild u:object_r:vendor_mtk_ctl_viarild_prop:s0 + +ctl.vendor.muxreport-daemon u:object_r:vendor_mtk_ctl_muxreport-daemon_prop:s0 +ctl.vendor.ccci_fsd u:object_r:vendor_mtk_ctl_ccci_fsd_prop:s0 +ctl.vendor.ccci2_fsd u:object_r:vendor_mtk_ctl_ccci2_fsd_prop:s0 +ctl.vendor.ccci3_fsd u:object_r:vendor_mtk_ctl_ccci3_fsd_prop:s0 + +vendor.ril.active.md u:object_r:vendor_mtk_ril_active_md_prop:s0 +vendor.ril.mux.report.case u:object_r:vendor_mtk_ril_mux_report_case_prop:s0 +vendor.ril.cdma.report u:object_r:vendor_mtk_ril_cdma_report_prop:s0 + +# dynamic telephony switch +ro.boot.opt_md2_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.boot.opt_md5_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.boot.opt_sim_count u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.boot.opt_using_default u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_c2k_lte_mode u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_c2k_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_eccci_c2k u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_lte_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_md1_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_md3_support u:object_r:vendor_mtk_tel_switch_prop:s0 +ro.vendor.mtk_ps1_rat u:object_r:vendor_mtk_tel_switch_prop:s0 + 
+vendor.gps.clock.type u:object_r:vendor_mtk_mnld_prop:s0 +vendor.gps.gps.version u:object_r:vendor_mtk_mnld_prop:s0 +vendor.gpsdbglog.enable u:object_r:vendor_mtk_mnld_prop:s0 +vendor.gpsdbglog. u:object_r:vendor_mtk_mnld_prop:s0 +vendor.debug.gps. u:object_r:vendor_mtk_mnld_prop:s0 + +vendor.streamout. u:object_r:vendor_mtk_audiohal_prop:s0 +vendor.streamin. u:object_r:vendor_mtk_audiohal_prop:s0 +vendor.a2dp. u:object_r:vendor_mtk_audiohal_prop:s0 +vendor.audiohal. u:object_r:vendor_mtk_audiohal_prop:s0 +persist.vendor.audiohal. u:object_r:vendor_mtk_audiohal_prop:s0 +persist.vendor.vow. u:object_r:vendor_mtk_audiohal_prop:s0 + +persist.vendor.connsys.coredump.mode u:object_r:vendor_mtk_coredump_prop:s0 +persist.vendor.connsys. u:object_r:vendor_mtk_wmt_prop:s0 +vendor.connsys. u:object_r:vendor_mtk_wmt_prop:s0 + +# c2k_prop +vendor.net.cdma.mdmstat u:object_r:vendor_mtk_net_cdma_mdmstat_prop:s0 + +# md status +vendor.mtk.md u:object_r:vendor_mtk_md_prop:s0 + +# factory idle current prop +vendor.debug.factory.idle_state u:object_r:vendor_mtk_factory_idle_state_prop:s0 + +vendor.service.nvram_init u:object_r:vendor_mtk_service_nvram_init_prop:s0 + +# Camera APP Mode +vendor.client. u:object_r:vendor_mtk_em_prop:s0 + +vendor.debug.camera.p2plug.log u:object_r:vendor_mtk_mediatek_prop:s0 +vendor.client.em.appmode u:object_r:vendor_mtk_mediatek_prop:s0 + +# EM test/debug purpose +persist.vendor.em.hidl. 
u:object_r:vendor_mtk_em_hidl_prop:s0 + +# ims operator property +vendor.ril.volte.mal.pctid u:object_r:vendor_mtk_operator_id_prop:s0 + +persist.vendor.radio.simswitch.emmode u:object_r:vendor_mtk_simswitch_emmode_prop:s0 + +persist.vendor.radio.mtk_dsbp_support u:object_r:vendor_mtk_dsbp_support_prop:s0 + +persist.vendor.radio.imstestmode u:object_r:vendor_mtk_imstestmode_prop:s0 + +persist.vendor.radio.smsformat u:object_r:vendor_mtk_smsformat_prop:s0 + +persist.vendor.radio.gprs.prefer u:object_r:vendor_mtk_gprs_prefer_prop:s0 + +persist.vendor.radio.testsim.cardtype u:object_r:vendor_mtk_testsim_cardtype_prop:s0 + +persist.vendor.radio.ct.ir.engmode u:object_r:vendor_mtk_ct_ir_engmode_prop:s0 + +persist.vendor.radio.disable_c2k_cap u:object_r:vendor_mtk_disable_c2k_cap_prop:s0 + +# modem reset delay property +vendor.mediatek.debug.md.reset.wait u:object_r:vendor_mtk_debug_md_reset_prop:s0 + +# video c2 log property +vendor.mtk.c2 u:object_r:vendor_mtk_c2_log_prop:s0 + +# video log omx.* property +vendor.mtk.omx. 
u:object_r:vendor_mtk_omx_log_prop:s0 + +vendor.mtk.vdec.log u:object_r:vendor_mtk_vdec_log_prop:s0 + +vendor.mtk.vdectlc.log u:object_r:vendor_mtk_vdectlc_log_prop:s0 + +vendor.mtk.venc.h264.showlog u:object_r:vendor_mtk_venc_h264_showlog_prop:s0 + +persist.vendor.radio.modem.warning u:object_r:vendor_mtk_modem_warning_prop:s0 + +persist.vendor.meta.connecttype u:object_r:vendor_mtk_meta_connecttype_prop:s0 + +# Telephony Sensitive property +vendor.ril.iccid.sim u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.uim.subscriberid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.last_iccid_sim u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.ia.iccid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.radio.ia u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.c2kirat.ia.sim1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.c2kirat.ia.sim2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.c2kirat.ia.sim3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +vendor.ril.c2kirat.ia.sim4 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ia u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ia.1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ia.2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ia.3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.data.iccid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.mobile.data u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ls1icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ls2icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ls3icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ls4icid u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.mtk.provision.mccmnc. 
u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ss.hashed_last_iccid1 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ss.hashed_last_iccid2 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ss.hashed_last_iccid3 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 +persist.vendor.radio.ss.hashed_last_iccid4 u:object_r:vendor_mtk_telephony_sensitive_prop:s0 + +# change thermal config +vendor.thermal.manager.data u:object_r:vendor_mtk_thermal_config_prop:s0 + +vendor.debug.sf.hwc_pid u:object_r:vendor_mtk_graphics_hwc_pid_prop:s0 +vendor.debug.sf.hdr_enable u:object_r:vendor_mtk_graphics_hwc_hdr_prop:s0 +vendor.debug.sf.validate_separate u:object_r:vendor_mtk_graphics_hwc_validate_separate_prop:s0 + +# sf vendor cpupolicy config +vendor.debug.sf.cpupolicy u:object_r:vendor_mtk_debug_sf_cpupolicy_prop:s0 +vendor.debug.sf.cpupolicy. u:object_r:vendor_mtk_debug_sf_cpupolicy_prop:s0 + +# atm modem mode property(ATM) +persist.vendor.atm.mdmode u:object_r:vendor_mtk_atm_mdmode_prop:s0 + +# atm ip address property(ATM) +persist.vendor.atm.ipaddress u:object_r:vendor_mtk_atm_ipaddr_prop:s0 + +# atm boot property(ATM) +ro.boot.atm u:object_r:vendor_mtk_default_prop:s0 + +# telephony property +vendor.ril. u:object_r:vendor_mtk_radio_prop:s0 +ro.vendor.ril. u:object_r:vendor_mtk_radio_prop:s0 +vendor.gsm. u:object_r:vendor_mtk_radio_prop:s0 +persist.vendor.radio. 
u:object_r:vendor_mtk_radio_prop:s0 + +persist.vendor.mtk_ct_volte_support u:object_r:vendor_mtk_ct_volte_prop:s0 + +ro.vendor.mtk_ril_mode u:object_r:vendor_mtk_ril_mode_prop:s0 + +# GPS support properties +ro.vendor.mtk_gps_support u:object_r:vendor_mtk_gps_support_prop:s0 +ro.vendor.mtk_agps_app u:object_r:vendor_mtk_gps_support_prop:s0 +ro.vendor.mtk_log_hide_gps u:object_r:vendor_mtk_gps_support_prop:s0 +ro.vendor.mtk_hidl_consolidation u:object_r:vendor_mtk_gps_support_prop:s0 + +# MTK GMS +ro.vendor.soc u:object_r:vendor_mtk_soc_prop:s0 + +# rat config +ro.vendor.mtk_protocol1_rat_config u:object_r:vendor_mtk_rat_config_prop:s0 + +# mtk aal +ro.vendor.mtk_aal_support u:object_r:vendor_mtk_aal_ro_prop:s0 +ro.vendor.mtk_ultra_dimming_support u:object_r:vendor_mtk_aal_ro_prop:s0 +ro.vendor.mtk_dre30_support u:object_r:vendor_mtk_aal_ro_prop:s0 + +# mtk pq +persist.vendor.sys.pq. u:object_r:vendor_mtk_pq_prop:s0 +vendor.debug.pq. u:object_r:vendor_mtk_pq_prop:s0 +persist.vendor.sys.isp. u:object_r:vendor_mtk_pq_prop:s0 +persist.vendor.sys.mtkaal. u:object_r:vendor_mtk_pq_prop:s0 +ro.vendor.mtk_pq_color_mode u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.mtk_blulight_def_support u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.mtk_chameleon_support u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.mtk_pq_support u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.mtk_appgamepq_support u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.mtk_gamehdr_support u:object_r:vendor_mtk_pq_ro_prop:s0 +ro.vendor.pq. u:object_r:vendor_mtk_pq_ro_prop:s0 + +# mtk display +ro.vendor.mtk_ovl u:object_r:vendor_mtk_display_ro_prop:s0 + +# Mtk properties that allow all system/vendor processes to read. 
+# Usually they are config properties (but not limited to) +ro.vendor.mtk_tdd_data_only_support u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_audio_alac_support u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_support_mp2_playback u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_audio_ape_support u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_flv_playback_support u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_mtkps_playback_support u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_wearable_platform u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mediatek.platform u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mediatek.version.branch u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mediatek.version.release u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_exchange_support u:object_r:vendor_mtk_default_prop:s0 +vendor.met.running u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_disable_cap_switch u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_sim_card_onoff u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_perf_plus u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.pref_scale_enable_cfg u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_flight_mode_power_off_md u:object_r:vendor_mtk_default_prop:s0 + +# mtk emmc +ro.vendor.mtk_emmc_support u:object_r:vendor_mtk_emmc_support_prop:s0 + +# MTK connsys log feature +ro.vendor.connsys.dedicated.log u:object_r:vendor_mtk_default_prop:s0 + +# em usb property +vendor.usb.port.mode u:object_r:vendor_mtk_em_usb_prop:s0 +vendor.em.usb. u:object_r:vendor_mtk_em_usb_prop:s0 + +persist.vendor.usb.otg.switch u:object_r:vendor_mtk_usb_otg_switch_prop:s0 + +# mtk rsc +ro.boot.rsc u:object_r:vendor_mtk_default_prop:s0 + +# mtk anr property +persist.vendor.dbg.anrflow u:object_r:vendor_mtk_anr_support_prop:s0 +persist.vendor.anr. 
u:object_r:vendor_mtk_anr_support_prop:s0 +vendor.anr.autotest u:object_r:vendor_mtk_anr_support_prop:s0 + +# mtk app resolution tuner +ro.vendor.app_resolution_tuner u:object_r:vendor_mtk_appresolutiontuner_prop:s0 +persist.vendor.dbg.disable.art u:object_r:vendor_mtk_appresolutiontuner_prop:s0 + +# mtk fullscreen switch +ro.vendor.fullscreen_switch u:object_r:vendor_mtk_fullscreenswitch_prop:s0 + +# ims xcap property +persist.vendor.ss. u:object_r:vendor_mtk_ss_vendor_prop:s0 + +# MTK App feature +ro.vendor.net.upload.mark.default u:object_r:vendor_mtk_app_prop:s0 + +# malloc debug unwind backtrace switch property +vendor.debug.malloc.bt.switch u:object_r:vendor_mtk_malloc_debug_backtrace_prop:s0 + +ro.vendor.gmo.ram_optimize u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.gmo.rom_optimize u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_config_max_dram_size u:object_r:vendor_mtk_default_prop:s0 + +# MTK Voice Recognize property +vendor.voicerecognize.raw u:object_r:vendor_mtk_voicerecgnize_prop:s0 +vendor.voicerecognize_data.raw u:object_r:vendor_mtk_voicerecgnize_prop:s0 +vendor.voicerecognize.noDL u:object_r:vendor_mtk_voicerecgnize_prop:s0 + +# mtk bt enable SAP profile property +ro.vendor.mtk.bt_sap_enable u:object_r:vendor_mtk_bt_sap_enable_prop:s0 + +# powerhal config +persist.vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0 +vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0 +vendor.powerhal.gpu. u:object_r:vendor_mtk_powerhal_gpu_prop:s0 + +# MTK Wifi wlan_assistant property +vendor.mtk.nvram.ready u:object_r:vendor_mtk_nvram_ready_prop:s0 + +# Wi-Fi Hotspot +ro.vendor.wifi.sap.interface u:object_r:vendor_mtk_wifi_hotspot_prop:s0 +ro.vendor.wifi.sap.concurrent.iface u:object_r:vendor_mtk_wifi_hotspot_prop:s0 + +# Wi-Fi HAL +vendor.wlan.firmware.version u:object_r:vendor_mtk_wifi_hal_prop:s0 +vendor.wlan.driver.version u:object_r:vendor_mtk_wifi_hal_prop:s0 + +# mtk hdmi +persist.vendor.sys.hdmi_hidl. 
u:object_r:vendor_mtk_hdmi_prop:s0 + +# mtk nn option +ro.vendor.mtk_nn.option u:object_r:vendor_mtk_nn_option_prop:s0 + +# mtk gbe +vendor.performance.gbe u:object_r:vendor_mtk_gbe_prop:s0 + +# system wfc service property +persist.vendor.wfc. u:object_r:vendor_mtk_wfc_serv_prop:s0 + +# config no bt consys chip +ro.vendor.bluetooth.noconsyschip u:object_r:vendor_mtk_default_prop:s0 + +# mtk gpu property +vendor.debug.gpu. u:object_r:vendor_mtk_gpu_prop:s0 +vendor.debug.gpud. u:object_r:vendor_mtk_gpu_prop:s0 +vendor.mali.config u:object_r:vendor_mtk_gpu_prop:s0 +ro.vendor.game_aisr_enable u:object_r:vendor_mtk_gpu_prop:s0 +ro.vendor.mtk.gpu. u:object_r:vendor_mtk_gpu_prop:s0 + +# mtk aod property +ro.vendor.mtk_aod_support u:object_r:vendor_mtk_aod_support_prop:s0 + +# mtk hwc property +ro.vendor.composer_version u:object_r:vendor_mtk_default_prop:s0 + +#============= mtk sensor property ============== +ro.vendor.init.sensor.rc u:object_r:vendor_mtk_sensor_prop:s0 +ro.vendor.mtk.sensor.support u:object_r:vendor_mtk_sensor_prop:s0 +ro.vendor.mag.calibration.in.sensorhub u:object_r:vendor_mtk_sensor_prop:s0 +ro.vendor.fusion.algorithm.in.sensorhub u:object_r:vendor_mtk_sensor_prop:s0 + +vendor.bluetooth.ldac.abr u:object_r:vendor_mtk_default_prop:s0 + +# input resample latency property +ro.vendor.input.resample_latency_ms u:object_r:vendor_mtk_input_resample_latency_prop:s0 + +# allow input report rate property +ro.vendor.input.touch_report_rate u:object_r:vendor_mtk_input_report_rate_prop:s0 + +# video property +vendor.mtkomx.color.convert u:object_r:vendor_mtk_video_prop:s0 +vendor.mtk.c2.vdec.fmt.disabled.whitelist u:object_r:vendor_mtk_video_prop:s0 + +# config no bt multidevice performance according to chip +ro.vendor.bluetooth.bt_multidevice_perform u:object_r:vendor_mtk_default_prop:s0 + +# factory mode property +persist.vendor.factory. 
u:object_r:vendor_mtk_factory_prop:s0 +vendor.mtk.factory.start u:object_r:vendor_mtk_factory_start_prop:s0 + +#=============mtk loading module property==================== +vendor.all.modules.ready u:object_r:vendor_mtk_device_prop:s0 + +#=============mtk wifi driver log property==================== +ro.vendor.wlan.standalone.log u:object_r:vendor_mtk_default_prop:s0 + +#=============mtk eara============== +vendor.performance.frs u:object_r:vendor_mtk_frs_prop:s0 + +# mtkperf powerhal memory property +vendor.sys.vm. u:object_r:vendor_mtk_vm_prop:s0 + +# mediaserver support 64-bit +ro.vendor.mtk_prefer_64bit_proc u:object_r:vendor_mtk_prefer64_prop:s0 + +#=============mtk bt property==================== +ro.vendor.bluetooth.a2dp_aac_vbr.is_disabled u:object_r:vendor_mtk_bt_aac_vbr_prop:s0 +persist.vendor.bluetooth.leaudio_mode u:object_r:vendor_mtk_default_prop:s0 +persist.vendor.bluetooth.a2dp_src_sink_both_enable u:object_r:vendor_mtk_default_prop:s0 +persist.vendor.bluetooth.blemesh_enable u:object_r:vendor_mtk_default_prop:s0 +persist.vendor.bluetooth.mtk_bt_consumer_feature u:object_r:vendor_mtk_default_prop:s0 +persist.vendor.bluetooth.fw_log_switch u:object_r:vendor_mtk_default_prop:s0 + +vendor.bluetooth.performance. u:object_r:vendor_mtk_bt_perf_prop:s0 + +# display debug log property +persist.vendor.debug.hwc.log u:object_r:vendor_mtk_hwc_debug_log_prop:s0 +vendor.debug.hwc. u:object_r:vendor_mtk_hwc_debug_log_prop:s0 +vendor.dp.log.enable u:object_r:vendor_mtk_mdp_debug_log_prop:s0 +vendor.dp.frameChange.disable u:object_r:vendor_mtk_mdp_debug_log_prop:s0 +vendor.debug.logger. u:object_r:vendor_debug_logger_prop:s0 + +# neuropilot flag +ro.vendor.neuropilot.flag u:object_r:vendor_mtk_neuropilot_flag_prop:s0 + +#=============mtk eara_io property==================== +persist.vendor.eara_io. 
u:object_r:vendor_mtk_eara_io_prop:s0 + +# xfrm and mdrsra property for non 5G GKI platform +persist.vendor.mdrsra_v2_support u:object_r:vendor_mtk_mdrsra_v2_support_prop:s0 +persist.vendor.xfrm_support u:object_r:vendor_mtk_xfrm_support_prop:s0 diff --git a/basic/non_plat/radio.te b/basic/non_plat/radio.te new file mode 100644 index 0000000..255d63e --- /dev/null +++ b/basic/non_plat/radio.te 
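Review bot: The "Telephony Sensitive property" block in property_contexts protects ICCID and subscriber-id values by listing individual names, which leaves every unlisted name under the same prefixes with the broad label. The later catch-all entries `vendor.ril.`, `vendor.gsm.` and `persist.vendor.radio.` label the rest as `vendor_mtk_radio_prop`, which property.te tags with `mtk_core_property_type` (described there as readable by all domains). None of the entries use the `exact` match form, so a SIM or subscriber identifier added later under those prefixes falls back to the widely readable label unless it is added to the sensitive list. A comment above the catch-all block would make that explicit: `# NOTE: identifier-bearing properties under these prefixes must be labelled vendor_mtk_telephony_sensitive_prop explicitly`.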
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : allow to access kpd driver file
+allow radio sysfs_keypad_file:dir r_dir_perms;
+allow radio sysfs_keypad_file:file w_file_perms;
+
+# Date : 2014/12/13
+# Operation : IT
+# Purpose : for bluetooth relayer mode
+allow radio block_device:dir search;
+allow radio ttyGS_device:chr_file rw_file_perms;
+
+# Date : 2016/07/05
+# Purpose :
+# Write IMEI - presanity item write imei should read the file on storage
+# Swift APK integration - access TTL scripts and logs on external storage
+# eng mode camera - save iamges files and log files on external storage
+# eng mode ygps - save location information on external storage
+allow radio media_rw_data_file:dir create_dir_perms;
+allow radio media_rw_data_file:file create_file_perms;
+
+# Date : 2016/08/02
+# Purpose :
+# Swift APK integration - access ccci dir/file
+allow radio ccci_mdinit:dir r_dir_perms;
+
+# Date : WK17.03
+# Operation : O Migration
+# Purpose : HIDL for rilproxy
+binder_call(radio, hal_telephony)
+
+#Dat: 2017/02/14
+#Purpose: allow get telephony Sensitive property
+get_prop(radio, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK17.26
+# Operation : O Migration
+# Purpose : HIDL for imsa
+binder_call(radio, mtk_hal_imsa)
+
+# Date : WK1727 2017/07/04
+# Operation : IT
+# Purpose : Allow to use HAL imsa
+hal_client_domain(radio, hal_mtk_imsa)
+
+#Dat: 2017/06/29
+#Purpose: For audio parameter tuning
+binder_call(radio, mtk_hal_audio)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow radio to get vendor_mtk_tel_switch_prop
+get_prop(radio, vendor_mtk_tel_switch_prop)
diff --git a/basic/non_plat/rcs_volte_stack.te b/basic/non_plat/rcs_volte_stack.te
new file mode 100644
index 0000000..b670a7f
--- /dev/null
+++ b/basic/non_plat/rcs_volte_stack.te
@@ -0,0 +1 @@
+type rcs_volte_stack, domain, mtkimsapdomain;
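Review bot: The two `media_rw_data_file` rules in radio.te give the `radio` domain create access to external storage on every build type, although the purposes listed above them (presanity IMEI write, Swift APK integration, eng-mode camera and ygps) read as engineering and test use cases. If none of them is needed on user builds, wrap `allow radio media_rw_data_file:dir create_dir_perms;` and `allow radio media_rw_data_file:file create_file_perms;` in a `userdebug_or_eng()` block, as shell.te in this same patch does for its debug property. If a production feature does depend on the access, the comment should name it so the grant can be reviewed against that feature.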
diff --git a/basic/non_plat/recovery.te b/basic/non_plat/recovery.te
new file mode 100644
index 0000000..aad62a6
--- /dev/null
+++ b/basic/non_plat/recovery.te
@@ -0,0 +1,54 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Date : WK18.16
+# Operation : UT
+# Purpose : Refine policy
+allow recovery misc_sd_device:chr_file rw_file_perms;
+allow recovery vfat:dir r_dir_perms;
+allow recovery vfat:file r_file_perms;
+allow recovery sysfs_devices_block:dir r_dir_perms;
+allow recovery sysfs_devices_block:file rw_file_perms;
+allow recovery sysfs_devices_block:lnk_file r_file_perms;
+
+# Date : WK18.25
+# Operation : UT
+# Purpose : Add policy for therm, gpu, battery, and boot_type
+allow recovery sysfs:dir r_dir_perms;
+allow recovery sysfs_batteryinfo:dir r_dir_perms;
+allow recovery sysfs_boot_type:file r_file_perms;
+allow recovery sysfs_therm:dir r_dir_perms;
+allow recovery sysfs_therm:file r_file_perms;
+allow recovery gpu_device:dir r_dir_perms;
+allow recovery dri_device:chr_file rw_file_perms;
+
+# Date : WK18.09
+# Operation : UT
+# Purpose : Allow recovery can update boot partition
+allow recovery tmpfs:lnk_file r_file_perms;
+
+# Date : WK19.03
+# Operation : UT
+# Purpose : Android Migration
+allow recovery bootdevice_block_device:blk_file rw_file_perms;
+allowxperm recovery bootdevice_block_device:blk_file ioctl {
+ MMC_IOCTLCMD
+ UFS_IOCTLCMD
+};
+
+allow recovery sysfs_dm:dir search;
+allow recovery sysfs_dm:file r_file_perms;
+allowxperm recovery tmpfs:file ioctl FS_IOC_FIEMAP;
+allowxperm recovery cache_block_device:blk_file ioctl BLKPBSZGET;
+allowxperm recovery nvdata_device:blk_file ioctl BLKPBSZGET;
+allow recovery proc_filesystems:file r_file_perms;
+
+# Seen during 'Wipe data/factory reset'
+allow recovery devpts:chr_file rw_file_perms;
+
+# Date : WK36.02
+# Operation : OTA-SIU
+# Purpose : Android Migration for Google issue
+allow recovery sysfs_block:dir search;
diff --git a/basic/non_plat/remosaic_daemon.te b/basic/non_plat/remosaic_daemon.te
new file mode 100644
index 0000000..3371424
--- /dev/null
+++ b/basic/non_plat/remosaic_daemon.te
@@ -0,0 +1 @@
+type remosaic_daemon, domain;
diff --git a/basic/non_plat/rild.te b/basic/non_plat/rild.te
new file mode 100644
index 0000000..069d5ec
--- /dev/null
+++ b/basic/non_plat/rild.te
@@ -0,0 +1,185 @@
+# ==============================================
+# Policy File of /vendor/bin/rild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# Access to wake locks
+wakelock_use(rild)
+
+#Date : W17.21
+#Purpose: Grant permission to access binder dev node
+vndbinder_use(rild)
+
+# Trigger module auto-load.
+allow rild kernel:system module_request;
+
+# Capabilities assigned for rild
+allow rild self:capability { setuid net_admin net_raw };
+
+# Control cgroups
+allow rild cgroup:dir create_dir_perms;
+
+# Property service
+# allow set RIL related properties (radio./net./system./etc)
+set_prop(rild, vendor_mtk_ril_active_md_prop)
+
+# allow set muxreport control properties
+set_prop(rild, vendor_mtk_ril_cdma_report_prop)
+set_prop(rild, vendor_mtk_ril_mux_report_case_prop)
+set_prop(rild, vendor_mtk_ctl_muxreport-daemon_prop)
+
+# Allow access permission to efs files
+allow rild efs_file:dir create_dir_perms;
+allow rild efs_file:file create_file_perms;
+allow rild bluetooth_efs_file:file r_file_perms;
+allow rild bluetooth_efs_file:dir r_dir_perms;
+
+# Allow access permission to dir/files
+# (radio data/system data/proc/etc)
+allow rild sdcardfs:dir r_dir_perms;
+allow rild proc_net:file w_file_perms;
+
+# Allow rild to create and use netlink sockets.
+# Set and get routes directly via netlink.
+allow rild self:netlink_route_socket nlmsg_write;
+
+# Allow read/write to devices/files
+allow rild mtk_radio_device:dir search;
+allow rild radio_device:chr_file rw_file_perms;
+allow rild radio_device:blk_file r_file_perms;
+allow rild mtd_device:dir search;
+
+# Allow read/write to tty devices
+allow rild tty_device:chr_file rw_file_perms;
+allow rild eemcs_device:chr_file rw_file_perms;
+
+allow rild devmap_device:chr_file r_file_perms;
+allow rild devpts:chr_file rw_file_perms;
+allow rild ccci_device:chr_file rw_file_perms;
+allow rild misc_device:chr_file rw_file_perms;
+allow rild proc_lk_env:file rw_file_perms;
+allow rild sysfs_vcorefs_pwrctrl:file w_file_perms;
+allow rild para_block_device:blk_file rw_file_perms;
+
+# Allow dir search, fd uses
+allow rild block_device:dir search;
+allow rild platform_app:fd use;
+allow rild radio:fd use;
+
+# For MAL MFI
+allow rild mal_mfi_socket:sock_file w_file_perms;
+
+# For ccci sysfs node
+allow rild sysfs_ccci:dir search;
+allow rild sysfs_ccci:file r_file_perms;
+
+#Dat: 2017/03/27
+#Purpose: allow set telephony Sensitive property
+set_prop(rild, vendor_mtk_telephony_sensitive_prop)
+
+# For AGPSD
+allow rild mtk_agpsd:unix_stream_socket connectto;
+
+#Date: 2017/12/6
+#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
+allow rild vendor_shell_exec:file x_file_perms;
+allow rild vendor_toolbox_exec:file x_file_perms;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow rild to get vendor_mtk_tel_switch_prop
+get_prop(rild, vendor_mtk_tel_switch_prop)
+
+#Date: W1817
+#Purpose: allow rild access property of vendor_mtk_radio_prop
+set_prop(rild, vendor_mtk_radio_prop)
+
+#Date : W18.21
+#Purpose: allow rild access to vendor.ril.ipo system property
+set_prop(rild, vendor_mtk_ril_ipo_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow carrier express HIDL to set vendor property
+set_prop(rild, vendor_mtk_cxp_vendor_prop)
+allow rild mnt_vendor_file:dir search;
+allow rild mnt_vendor_file:file create_file_perms;
+allow rild nvdata_file:dir create_dir_perms;
+allow rild nvdata_file:file create_file_perms;
+
+#Date : W18.29
+#Purpose: allow rild access binder to mtk_hal_secure_element
+allow rild mtk_hal_secure_element:binder call;
+
+# Date : WK18.31
+# Operation: P migration
+# Purpose: Allow supplementary service HIDL to set vendor property
+set_prop(rild, vendor_mtk_ss_vendor_prop)
+
+# Date : 2018/2/27
+# Purpose : for NVRAM recovery mechanism
+set_prop(rild, powerctl_prop)
+
+# Date: 2019/06/14
+# Operation : Migration
+allow rild proc_cmdline:file r_file_perms;
+
+# Date: 2019/07/18
+# Operation: AP wifi path
+# Purpose: Allow packet can be filtered by RILD process
+allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl };
+
+# Date : WK19.43
+# Purpose: Allow wfc module from rild read system property from wfc module
+get_prop(rild, vendor_mtk_wfc_serv_prop)
+
+# Date: 2019/11/15
+# Operation: RILD init flow
+# Purpose: To handle illegal rild started
+set_prop(rild, vendor_mtk_gsm0710muxd_prop)
+
+# Date : 2019/10/29
+# Operation: imstestmode
+# Purpose: Allow HIDL to set vendor property
+set_prop(rild, vendor_mtk_imstestmode_prop)
+
+# Date : 2020/06/11
+# Operation: R migration
+# Purpose: Allow rild to get system_boot_reason_prop
+get_prop(rild, system_boot_reason_prop)
+
+# rild Bringup Policy
+allow rild mtkrild:unix_stream_socket connectto;
+set_prop(rild, radio_prop)
+
+# Allow the socket read/write of netd for rild
+allow rild netd_socket:sock_file { write read };
+
+#Date : W17.20
+#Purpose: allow access to audio hal
+binder_call(rild, mtk_hal_audio)
+hal_client_domain(rild, hal_audio)
+
+# Date : W19.16
+# Operation: Q migration
+# Purpose: Allow rild access to send SUPL INIT to mnld
+allow rild mnld:unix_dgram_socket sendto;
+
+# Date : W19.35
+# Operation: Q migration
+# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
+allow rild gsmrild_socket:sock_file w_file_perms;
+
+# Date: 2021/02/03
+# Operation: for Gen98 RILD dev
+# Allow read/write to devices/files
+allow rild gsm0710muxd_device:chr_file rw_file_perms;
+
+# Date : 2021/08/27
+# Purpose: Allow rild to access ccci wifi proxy
+allow rild ccci_wifi_proxy_device:chr_file rw_file_perms;
+
+# Date: 2021/09/26
+# Purpose: Add permission for vilte
+allow rild ccci_vts_device:chr_file rw_file_perms_no_map;
\ No newline at end of file
diff --git a/basic/non_plat/sensorhub_app.te b/basic/non_plat/sensorhub_app.te
new file mode 100644
index 0000000..819edb1
--- /dev/null
+++ b/basic/non_plat/sensorhub_app.te
@@ -0,0 +1 @@
+type sensorhub_app, domain;
diff --git a/basic/non_plat/servicemanager.te b/basic/non_plat/servicemanager.te
new file mode 100644
index 0000000..72ed18c
--- /dev/null
+++ b/basic/non_plat/servicemanager.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# rild Bringup Policy
+allow servicemanager rild:dir search;
+allow servicemanager rild:file r_file_perms;
+allow servicemanager rild:process getattr;
+binder_call(servicemanager, mtk_hal_light)
+binder_call(servicemanager, hal_vibrator_default)
+
diff --git a/basic/non_plat/shell.te b/basic/non_plat/shell.te
new file mode 100644
index 0000000..e69dadd
--- /dev/null
+++ b/basic/non_plat/shell.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.35
+# Purpose : allow shell to dump the debugging information of camera hal.
+binder_call(shell, mtk_hal_camera)
+
+# Date : WK17.36
+# Purpose : allow shell to dump the debugging information of power hal.
+hal_client_domain(shell, hal_power)
+
+# Data: 2021/12/07
+# Purpose: adjust the cpu policy config
+userdebug_or_eng(`
+ get_prop(shell, vendor_mtk_debug_sf_cpupolicy_prop);
+')
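Review bot: In rild.te, `allow rild vendor_shell_exec:file x_file_perms;` and the matching `vendor_toolbox_exec` rule let rild run the vendor shell without a domain transition, because `x_file_perms` includes `execute_no_trans`. Anything that shell runs therefore keeps rild's `setuid`/`net_admin`/`net_raw` capabilities and its `set_prop(rild, powerctl_prop)` grant. The stated purpose is only to set `router_solicitations` under /proc/sys/net/ipv6/conf; assuming that node carries the `proc_net` label, rild already has `proc_net:file w_file_perms` and could write it directly, which would let both exec rules be dropped. If the shell call must stay, a dedicated exec type and domain for the helper would confine it better than the generic shell. The file also ends without a trailing newline.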
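Review bot: In shell.te only the last rule is build-gated, while `binder_call(shell, mtk_hal_camera)` and `hal_client_domain(shell, hal_power)` apply to user builds too, even though both comments describe them as debug dumps. If the dumps are only needed during development, move both lines inside the existing `userdebug_or_eng()` block so that an adb shell on a production device cannot call into the camera and power HALs. In servicemanager.te the two `binder_call` lines for `mtk_hal_light` and `hal_vibrator_default` sit under the "rild Bringup Policy" comment, which does not describe them.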
diff --git a/basic/non_plat/slpd.te b/basic/non_plat/slpd.te
new file mode 100644
index 0000000..661ccc8
--- /dev/null
+++ b/basic/non_plat/slpd.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /vendor/bin/slpd Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type slpd_exec, exec_type, file_type, vendor_file_type;
+type slpd, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(slpd)
+
+net_domain(slpd)
+
+# mtk_agpsd will send the current SUPL profile to SLPD
+allow slpd mtk_agpsd:unix_dgram_socket sendto;
diff --git a/basic/non_plat/smartcharging.te b/basic/non_plat/smartcharging.te
new file mode 100644
index 0000000..6757604
--- /dev/null
+++ b/basic/non_plat/smartcharging.te
@@ -0,0 +1,40 @@
+# ==============================================
+# Policy File of /vendor/bin/smartcharging Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type smartcharging, domain;
+type smartcharging_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(smartcharging)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : smartcharging daemon for access driver node
+allow smartcharging input_device:dir r_dir_perms;
+allow smartcharging input_device:file r_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For smartcharging log can be printed with kernel log
+allow smartcharging kmsg_device:chr_file w_file_perms;
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : For smartcharging daemon can comminucate with kernel
+allow smartcharging self:netlink_socket create_socket_perms_no_ioctl;
+allow smartcharging self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+# Data : WK16.39
+allow smartcharging self:capability { fsetid };
+
+# Date: W18.17
+# Operation : add label for /sys/devices/platform/battery(/.*)
+# Purpose : add smartcharging could access
+r_dir_file(smartcharging, sysfs_batteryinfo)
+
diff --git a/basic/non_plat/spm_loader.te b/basic/non_plat/spm_loader.te
new file mode 100644
index 0000000..6524181
--- /dev/null
+++ b/basic/non_plat/spm_loader.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/spm_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type spm_loader_exec, exec_type, file_type, vendor_file_type;
+type spm_loader, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# date: 2015/6/18 wk1525
+# purpose: load spm firmware
+init_daemon_domain(spm_loader)
+
+# Read to /dev/spm
+allow spm_loader spm_device:chr_file r_file_perms;
diff --git a/basic/non_plat/st54spi_hal_secure_element.te b/basic/non_plat/st54spi_hal_secure_element.te
new file mode 100644
index 0000000..9003c0a
--- /dev/null
+++ b/basic/non_plat/st54spi_hal_secure_element.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type st54spi_hal_secure_element, domain;
+type st54spi_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(st54spi_hal_secure_element)
+
+hal_server_domain(st54spi_hal_secure_element, hal_secure_element)
+allow st54spi_hal_secure_element st54spi_device:chr_file rw_file_perms;
diff --git a/basic/non_plat/statusd.te b/basic/non_plat/statusd.te
new file mode 100644
index 0000000..589e2d5
--- /dev/null
+++ b/basic/non_plat/statusd.te
@@ -0,0 +1 @@
+type statusd, domain;
diff --git a/basic/non_plat/stflashtool.te b/basic/non_plat/stflashtool.te
new file mode 100644
index 0000000..291b189
--- /dev/null
+++ b/basic/non_plat/stflashtool.te
@@ -0,0 +1 @@
+type stflashtool, domain;
diff --git a/basic/non_plat/stp_dump3.te b/basic/non_plat/stp_dump3.te
new file mode 100644
index 0000000..64341a0
--- /dev/null
+++ b/basic/non_plat/stp_dump3.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/stp_dump3 Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type stp_dump3_exec, vendor_file_type, exec_type, file_type;
+type stp_dump3, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(stp_dump3)
+allow stp_dump3 self:capability { net_admin fowner chown fsetid };
+allow stp_dump3 self:netlink_socket create_socket_perms_no_ioctl;
+allow stp_dump3 self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow stp_dump3 wmtdetect_device:chr_file rw_file_perms;
+allow stp_dump3 stpwmt_device:chr_file rw_file_perms;
+allow stp_dump3 tmpfs:lnk_file r_file_perms;
+allow stp_dump3 mnt_user_file:dir search;
+allow stp_dump3 mnt_user_file:lnk_file r_file_perms;
+allow stp_dump3 storage_file:lnk_file r_file_perms;
+allow stp_dump3 storage_file:dir search;
+allow stp_dump3 sdcard_type:dir create_dir_perms;
+allow stp_dump3 sdcard_type:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
+allow stp_dump3 stp_dump_data_file:file create_file_perms;
+allow stp_dump3 stp_dump_data_file:sock_file create_file_perms;
+allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
+allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
+get_prop(stp_dump3, vendor_mtk_coredump_prop)
diff --git a/basic/non_plat/surfaceflinger.te b/basic/non_plat/surfaceflinger.te
new file mode 100644
index 0000000..5abd9c1
--- /dev/null
+++ b/basic/non_plat/surfaceflinger.te
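Review bot: `allow stp_dump3 sdcard_type:dir create_dir_perms;` and the `sdcard_type:file create_file_perms` rule let the dump daemon write to shared external storage on all builds, in addition to its private `stp_dump_data_file` and `connsyslog_data_vendor_file` locations. Assuming the daemon writes connectivity firmware dumps, as its name and the `vendor_mtk_coredump_prop` read suggest, files placed there are readable by any app with storage access. These two rules, together with the `mnt_user_file` and `storage_file` lookups that exist to reach that path, would be better placed in a `userdebug_or_eng()` block or dropped. The rule list also carries no purpose comments; a line explaining why `fowner`, `chown` and `fsetid` are needed would help the next reviewer.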
@@ -0,0 +1,100 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK14.42
+# Operation : Migration
+# Purpose : Video playback
+allow surfaceflinger sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow surfaceflinger proc_ged:file rw_file_perms;
+allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow surfaceflinger gpu_device:dir search;
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow surfaceflinger proc_bootprof:file r_file_perms;
+
+allow surfaceflinger debugfs_ion:dir search;
+allow surfaceflinger kernel:dir search;
+
+# Date : WK17.30
+# Operation : O Migration
+# Purpose: Allow to access cmdq driver
+allow surfaceflinger mtk_cmdq_device:chr_file r_file_perms;
+allow surfaceflinger mtk_mdp_device:chr_file r_file_perms;
+allow surfaceflinger mtk_mdp_sync_device:chr_file r_file_perms;
+allow surfaceflinger sysfs_boot_mode:file r_file_perms;
+
+# Date : W17.39
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, mtkbootanimation)
+
+binder_call(surfaceflinger, mtk_hal_camera)
+
+binder_service(surfaceflinger)
+
+allow surfaceflinger mtkbootanimation:dir search;
+allow surfaceflinger mtkbootanimation:file r_file_perms;
+
+# Date : W17.43
+# Operation : Migration
+# Purpose: Allow to access perfmgr
+allow surfaceflinger proc_perfmgr:dir r_dir_perms;
+allowxperm surfaceflinger proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_VSYNC
+ PERFMGR_XGFFRAME_START
+ PERFMGR_XGFFRAME_END
+};
+
+# Date : WK17.43
+# Operation : Debug
+# Purpose: Allow to dump HWC backtrace
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_pid_prop)
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_validate_separate_prop)
+allow surfaceflinger hal_graphics_composer_default:dir search;
+allow surfaceflinger hal_graphics_composer_default:lnk_file r_file_perms;
+dontaudit surfaceflinger hal_graphics_composer_default:file r_file_perms;
+
+# Date : WK19.4
+# Operation : P Migration
+# Purpose: Allow to access /dev/mdp_device driver
+allow surfaceflinger mdp_device:chr_file rw_file_perms;
+
+# Date : WK18.43
+# Operation : HDR
+# Purpose: Allow to skip aosp hdr solution
+get_prop(surfaceflinger, vendor_mtk_graphics_hwc_hdr_prop)
+
+# Date: WK21.14
+# Purpose: allow to check AppGamePQ is supported or not
+get_prop(surfaceflinger, vendor_mtk_pq_ro_prop);
+
+# Date: WK21.33
+# Purpose: allow surfaceflinger to use PowerHAL API
+allow surfaceflinger proc_perfmgr:file rw_file_perms;
+
+# Data: 2021/09/18
+# Purpose: adjust the uclamp for HWComposer
+allow surfaceflinger hal_graphics_composer_default:process { getsched setsched };
+
+# Data: 2021/10/12
+# Purpose: adjust the cpu policy for HWComposer
+allow surfaceflinger hal_graphics_composer_default:file w_file_perms;
+
+# Data: 2021/12/07
+# Purpose: adjust the cpu policy config
+get_prop(surfaceflinger, vendor_mtk_debug_sf_cpupolicy_prop)
diff --git a/basic/non_plat/system_app.te b/basic/non_plat/system_app.te
new file mode 100644
index 0000000..e135679
--- /dev/null
+++ b/basic/non_plat/system_app.te
@@ -0,0 +1,44 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute system_app mlstrustedsubject;
+
+# Date : 2017/07/21
+# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
+# Package Name: com.mediatek.connectivity
+hal_client_domain(system_app, hal_mtk_nvramagent)
+
+hal_client_domain(system_app, hal_mtk_lbs)
+
+# Dat: 2017/02/14
+# Purpose: allow set telephony Sensitive property
+get_prop(system_app, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+get_prop(system_app, vendor_mtk_thermal_config_prop)
+
+# Date: 2019/07/16
+# Operation : Migration
+# Purpose : system_app need use hdmi service and create socktet
+hal_client_domain(system_app, hal_mtk_hdmi)
+allow system_app self:netlink_kobject_uevent_socket { read bind create setopt };
+
+# system_app need to read from sysfs /sys/class/switch/hdmi/state
+r_dir_file(system_app, sysfs_switch)
+
+# Date: 2020/06/08
+# Purpose: Allow system app to access mtk jpeg
+allow system_app proc_mtk_jpeg:file rw_file_perms;
+allowxperm system_app proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date: 2020/06/29
+# Purpose: Allow system app to access mtk fpsgo
+allow system_app sysfs_fpsgo:dir search;
+allow system_app sysfs_fpsgo:file r_file_perms;
diff --git a/basic/non_plat/system_server.te b/basic/non_plat/system_server.te
new file mode 100644
index 0000000..f7b527a
--- /dev/null
+++ b/basic/non_plat/system_server.te
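Review bot: `allow surfaceflinger hal_graphics_composer_default:file w_file_perms;` near the end of surfaceflinger.te grants write access to every file labelled with the composer HAL's process type, which would normally be its /proc/<pid> entries, while an earlier rule in the same hunk only `dontaudit`s reads of that class. The comment says the goal is to adjust CPU policy for HWComposer; please name the node that is written, and check whether the `process { getsched setsched }` rule just above already covers the need so the file write can be dropped. Separately, `get_prop(surfaceflinger, vendor_mtk_pq_ro_prop);` carries a trailing semicolon that the other macro calls in this file do not have. `allow surfaceflinger debugfs_ion:dir search;` and `allow surfaceflinger kernel:dir search;` have no purpose comment.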
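Review bot: The comment above `get_prop(system_app, vendor_mtk_telephony_sensitive_prop)` in system_app.te says "allow set telephony Sensitive property", but the rule grants read only. The same mismatch applies to "Change thermal config" above `get_prop(system_app, vendor_mtk_thermal_config_prop)`. Since the rule is what takes effect, the comments should read `# Purpose: allow get telephony Sensitive property` and `# Purpose : Read thermal config`, so a later reader does not widen the rules to `set_prop` to match the text.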
@@ -0,0 +1,278 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Access devices.
+allow system_server touch_device:chr_file rw_file_perms;
+allow system_server stpant_device:chr_file rw_file_perms;
+allow system_server devmap_device:chr_file r_file_perms;
+allow system_server irtx_device:chr_file rw_file_perms;
+allow system_server qemu_pipe_device:chr_file rw_file_perms;
+allow system_server wmtWifi_device:chr_file w_file_perms;
+
+# Add for proc_btdbg
+allow system_server proc_btdbg:file rw_file_perms;
+# Add for bootprof
+allow system_server proc_bootprof:file rw_file_perms;
+
+# /data/core access.
+allow system_server aee_core_data_file:dir r_dir_perms;
+
+# Perform Binder IPC.
+allow system_server zygote:binder impersonate;
+
+# For dumpsys.
+allow system_server aee_dumpsys_data_file:file w_file_perms;
+
+# Querying zygote socket.
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# Allow system_server to read/write /sys/power/dcm_state
+allow system_server sysfs_dcm:file rw_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow system_server surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server gpu_device:dir search;
+
+# Date : W16.43
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow system_server sw_sync_device:chr_file rw_file_perms;
+
+# Date : WK16.44
+# Purpose: Allow to access UART1 ttyMT1
+allow system_server ttyMT_device:chr_file rw_file_perms;
+
+# Date : WK17.52
+# Purpose: Allow to access UART1 ttyS
+allow system_server ttyS_device:chr_file rw_file_perms;
+
+# Date:W16.46
+# Operation : thermal hal Feature developing
+# Purpose : thermal hal interface permission
+allow system_server proc_mtktz:dir search;
+allow system_server proc_mtktz:file r_file_perms;
+
+# Date:W17.02
+# Operation : audio hal developing
+# Purpose : audio hal interface permission
+allow system_server mtk_hal_audio:process { getsched setsched };
+
+# Dat: 2017/02/14
+# Purpose: allow get telephony Sensitive property
+get_prop(system_server, vendor_mtk_telephony_sensitive_prop)
+
+# Date:W17.07
+# Operation : bt hal
+# Purpose : bt hal interface permission
+binder_call(system_server, mtk_hal_bluetooth)
+
+# Date:W17.08
+# Operation : sensors hal developing
+# Purpose : sensors hal interface permission
+binder_call(system_server, mtk_hal_sensors)
+
+# Operation : light hal developing
+# Purpose : light hal interface permission
+binder_call(system_server, mtk_hal_light)
+
+# Date:W17.21
+# Operation : gnss hal
+# Purpose : gnss hal interface permission
+hal_client_domain(system_server, hal_gnss)
+
+# Date:W17.26
+# Operation : imsa hal
+# Purpose : imsa hal interface permission
+binder_call(system_server, mtk_hal_imsa)
+
+# Date:W17.28
+# Operation : camera hal developing
+# Purpose : camera hal binder_call permission
+binder_call(system_server, mtk_hal_camera)
+
+# Date:W17.31
+# Operation : mpe sensor hidl developing
+# Purpose : mpe sensor hidl permission
+binder_call(system_server, mnld)
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for network log dumpsys setting/netd information
+# audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
+# dev="pipefs" ino=46088 scontext=u:r:system_server:s0
+# tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
+allow system_server netdiag:fifo_file w_file_perms;
+
+# Date : WK17.32
+# Operation : Migration
+# Purpose : for DHCP Client ip recover functionality
+allow system_server dhcp_data_file:dir rw_dir_perms;
+allow system_server dhcp_data_file:file create_file_perms;
+
+# Date:W17.35
+# Operation : lbs hal
+# Purpose : lbs hidl interface permission
+hal_client_domain(system_server, hal_mtk_lbs)
+
+# Date : WK17.12
+# Operation : MT6799 SQC
+# Purpose : Change thermal config
+get_prop(system_server, vendor_mtk_thermal_config_prop)
+
+# Date : WK17.43
+# Operation : Migration
+# Purpose : perfmgr permission
+allow system_server proc_perfmgr:dir r_dir_perms;
+allow system_server proc_perfmgr:file r_file_perms;
+allowxperm system_server proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+ PERFMGR_FPSGO_SWAP_BUFFER
+};
+
+# Date : W18.22
+# Operation : MTK wifi hal migration
+# Purpose : MTK wifi hal interface permission
+binder_call(system_server, mtk_hal_wifi)
+
+# Date : W19.15
+# Operation : alarm device permission
+# Purpose : support power-off alarm
+allow system_server alarm_device:chr_file rw_file_perms;
+
+# Date : WK19.7
+# Operation: Q migration
+# Purpose : Allow system_server to use ioctl/ioctlcmd
+allow system_server proc_ged:file rw_file_perms;
+allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
+
+# Date: 2019/06/14
+# Operation : when WFD turnning on, turn off hdmi
+hal_client_domain(system_server, hal_mtk_hdmi)
+
+# Date:2019/10/09
+# Operation:Q Migration
+allow system_server proc_cmdq_debug:file getattr;
+allow system_server proc_last_kmsg:file r_file_perms;
+allow system_server proc_cm_mgr:dir search;
+allow system_server proc_isp_p2:dir search;
+allow system_server proc_thermal:dir search;
+allow system_server proc_atf_log:dir search;
+allow system_server proc_cpufreq:dir search;
+allow system_server proc_mtkcooler:dir search;
+allow system_server proc_ppm:dir search;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server proc_wlan_status:file getattr;
+
+# Date : 2019/10/11
+# Operation : Q Migration
+allow system_server sysfs_pages_shared:file r_file_perms;
+allow system_server sysfs_pages_sharing:file r_file_perms;
+allow system_server sysfs_pages_unshared:file r_file_perms;
+allow system_server sysfs_pages_volatile:file r_file_perms;
+
+# Date:2019/10/14
+# Operation: Q Migration
+# Purpose : power_hal_mgr_service may use libmtkperf_client
+allow system_server sysfs_boot_mode:file r_file_perms;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+allow system_server self:capability sys_module;
+
+# Date : 2019/10/22
+# Operation : Q Migration
+dontaudit system_server sdcardfs:file r_file_perms;
+
+# Date : 2019/10/26
+# Operation : Q Migration
+allow system_server mtk_hal_camera:process sigkill;
+allow system_server kernel:system syslog_read;
+
+# Date : 2019/10/30
+# Operation : Q Migration
+allow system_server proc_chip:dir search;
+allow system_server zygote:process setsched;
+
+# Date : 2019/11/21
+# Operation : Q Migration
+allow system_server sf_rtt_file:dir rmdir;
+
+# Date : 2019/11/29
+# Operation : Q Migration
+allow system_server storage_stub_file:dir getattr;
+
+# Date : 2020/05/12
+# Operation : R Migration
+allow system_server proc_ppm:file r_file_perms;
+
+# Date: 2019/11/12
+# Purpose: Allow system server to access mtk jpeg
+allow system_server proc_mtk_jpeg:file rw_file_perms;
+allowxperm system_server proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
+
+# Date : 2020/06/30
+# Operation : R Migration
+dontaudit system_server kernel:process sigkill;
+
+# Date : 2021/04/24
+# Operation: addwindow
+# Purpose: Get the variable value of touch report rate
+get_prop(system_server, vendor_mtk_input_report_rate_prop)
+
+
+# Date : 2021/07/20
+# Operation : S Migration
+# Purpose : dontaudit system_server is not allowed to getopt 'shell' type of unix_stream_socket
+dontaudit system_server shell:unix_stream_socket getopt;
+
+# Search /proc/cpuidle
+allow system_server proc_cpuidle:dir search;
+
+# Date:2021/08/23
+# Operation:allow CachedAppOptimi to getattr from /proc/mtk_mdp_debug
+allow system_server proc_mtk_mdp_debug:file getattr;
+
+# Search /proc/mtk_mdp_debug
+allow system_server proc_mtk_mdp_debug:dir search;
+
+# For AudioManager/WiredAccessoryManager, for Extcon uevent
+# listeners
+allow system_server sysfs_extcon:file r_file_perms;
+
+# When ams cleans up the process, it should not kill mtk_hal_bluetooth
+dontaudit system_server mtk_hal_bluetooth:process sigkill;
+
+# Write tempfs for CachedAppOptimi
+allow system_server tmpfs:file w_file_perms;
+
+# Write mediaserver_tmpfs for CachedAppOptimi
+allow system_server mediaserver_tmpfs:file w_file_perms;
+# Purpose : dontaudit system_server is not allowed to kill eara_io
+dontaudit system_server hal_wifi_default:process sigkill;
+dontaudit system_server eara_io:process sigkill;
+
+# Purpose : dontaudit system_server is not allowed to kill mtk_hal_audio
+dontaudit system_server mtk_hal_audio:process sigkill;
+dontaudit system_server mtk_hal_c2:process sigkill;
+
+# Search /proc/mgq
+allow system_server proc_mgq:dir search;
+
+# when anr dump process, SystemServer need send sigal
+allow system_server mtk_hal_pq:process signal;
diff --git a/basic/non_plat/teei_hal_capi.te b/basic/non_plat/teei_hal_capi.te
new file mode 100644
index 0000000..6040fd0
--- /dev/null
+++ b/basic/non_plat/teei_hal_capi.te
@@ -0,0 +1,3 @@
+# TEE SEPolicy Rule
+# Set a new domain
+type teei_hal_capi, domain;
diff --git a/basic/non_plat/teei_hal_ifaa.te b/basic/non_plat/teei_hal_ifaa.te
new file mode 100644
index 0000000..9bb3d30
--- /dev/null
+++ b/basic/non_plat/teei_hal_ifaa.te
@@ -0,0 +1 @@
+type teei_hal_ifaa, domain;
diff --git a/basic/non_plat/teei_hal_thh.te b/basic/non_plat/teei_hal_thh.te
new file mode 100644
index 0000000..5b2fb52
--- /dev/null
+++ b/basic/non_plat/teei_hal_thh.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type teei_hal_thh, domain;
+
diff --git a/basic/non_plat/teei_hal_tui.te b/basic/non_plat/teei_hal_tui.te
new file mode 100644
index 0000000..7fd0fa2
--- /dev/null
+++ b/basic/non_plat/teei_hal_tui.te
@@ -0,0 +1,3 @@
+# Set a new domain
+type teei_hal_tui, domain;
+
diff --git a/basic/non_plat/teei_hal_wechat.te b/basic/non_plat/teei_hal_wechat.te
new file mode 100644
index 0000000..aa47f71
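Review bot: `allow system_server self:capability sys_module;` in system_server.te is justified only by "Q Migration", and CAP_SYS_MODULE is the capability that gates loading and unloading kernel modules. If the denial came from the kernel's capability check on a module auto-load request rather than from system_server actually loading a module, which is the usual source of this denial, the rule should be `dontaudit system_server self:capability sys_module;` instead. If the capability really is required, the comment should name the code path that needs it. `allow system_server qemu_pipe_device:chr_file rw_file_perms;` under "Access devices" also looks like an emulator-only rule; please confirm it belongs in a device policy.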
--- /dev/null
+++ b/basic/non_plat/teei_hal_wechat.te
@@ -0,0 +1 @@
+type teei_hal_wechat, domain;
diff --git a/basic/non_plat/tesiai_hal_hdcp.te b/basic/non_plat/tesiai_hal_hdcp.te
new file mode 100644
index 0000000..e522e66
--- /dev/null
+++ b/basic/non_plat/tesiai_hal_hdcp.te
@@ -0,0 +1 @@
+type tesiai_hal_hdcp ,domain;
diff --git a/basic/non_plat/thermal.te b/basic/non_plat/thermal.te
new file mode 100644
index 0000000..a4c8ecf
--- /dev/null
+++ b/basic/non_plat/thermal.te
@@ -0,0 +1 @@
+type thermal, domain;
diff --git a/basic/non_plat/thermal_core.te b/basic/non_plat/thermal_core.te
new file mode 100644
index 0000000..50958d1
--- /dev/null
+++ b/basic/non_plat/thermal_core.te
@@ -0,0 +1,85 @@ +# ============================================== +# Policy File of /vendor/bin/thermal_core Executable File + +# ============================================== +# Type Declaration +# ============================================== +type thermal_core_exec , exec_type, file_type, vendor_file_type; +type thermal_core ,domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(thermal_core) + +# call PowerHal +hal_client_domain(thermal_core, hal_power) + +#thermal socket file, policy setting file +allow thermal_core thermal_core_data_file:file create_file_perms; +allow thermal_core thermal_core_data_file:dir { rw_dir_perms setattr}; +allow thermal_core thermal_core_data_file:sock_file create; +allow thermal_core thermal_socket:dir { rw_dir_perms setattr}; +allow thermal_core thermal_socket:sock_file create_file_perms; + +#send notification to thermal hal +allow thermal_core hal_thermal_default:unix_stream_socket connectto; +allow thermal_core thermal_hal_socket:sock_file write; + + +allow thermal_core mediaserver:fd use; +allow thermal_core mediaserver:fifo_file { rw_file_perms }; +allow thermal_core mediaserver:tcp_socket { read write }; + +# Date : WK16.30 +# Operation : Migration +# Purpose : +allow thermal_core camera_isp_device:chr_file { rw_file_perms }; +allow thermal_core cameraserver:fd use; +allow thermal_core kd_camera_hw_device:chr_file { rw_file_perms }; +allow thermal_core MTK_SMI_device:chr_file r_file_perms; +allow thermal_core surfaceflinger:fd use; +set_prop(thermal_core, vendor_mtk_thermal_config_prop) + +#for thermal sysfs +allow thermal_core sysfs_therm:file rw_file_perms; +allow thermal_core sysfs_therm:dir search; + + +#for md_on/md_off control +allow thermal_core rild:unix_stream_socket connectto; +allow thermal_core rild_oem_socket:sock_file write; + +#for sysfs thermal sram +allow thermal_core sysfs_thermal_sram:file rw_file_perms; 
+allow thermal_core sysfs_thermal_sram:dir search; + +#for fps cool interface +set_prop(thermal_core, vendor_mtk_frs_prop) +allow thermal_core self:netlink_socket { read write bind create }; + + +# To find a service from hwservice_manager +allow thermal_core fwk_sensor_hwservice:hwservice_manager find; +allow thermal_core nvram_data_file:lnk_file create_file_perms; +allow thermal_core nvdata_file:lnk_file create_file_perms; +hal_client_domain(thermal_core, hal_graphics_allocator) + +# To read gpu opp table +allow thermal_core proc_gpufreqv2:file r_file_perms; +allow thermal_core proc_gpufreqv2:dir search; + +#for sysfs charger cooler +allow thermal_core sysfs_charger_cooler:file r_file_perms; +allow thermal_core sysfs_charger_cooler:dir search; + +# To read modem boot status +allow thermal_core sysfs_ccci:dir search; +allow thermal_core sysfs_ccci:file r_file_perms; + +# To init mipc +allow thermal_core gsm0710muxd_device:chr_file rw_file_perms; + +# To read connsys node +allow thermal_core conn_pwr_device:chr_file rw_file_perms_no_map; + diff --git a/basic/non_plat/thermal_manager.te b/basic/non_plat/thermal_manager.te new file mode 100644 index 0000000..a4ba20b --- /dev/null +++ b/basic/non_plat/thermal_manager.te 
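Review bot: The `mediaserver:fd use`, `mediaserver:fifo_file` and `mediaserver:tcp_socket { read write }` rules, and the WK16.30 block after them, give a thermal daemon read/write on another domain's sockets and on `camera_isp_device` / `kd_camera_hw_device` while the `# Purpose :` field is left empty. Grants of this shape often exist only because file descriptors were inherited from another process, though that is an inference here; if so, `dontaudit thermal_core mediaserver:tcp_socket { read write };` records the intent without granting access. The same rules are repeated for thermal_manager in thermal_manager.te. The comment `# To find a service from hwservice_manager` also sits above two `lnk_file create_file_perms` rules on `nvram_data_file` and `nvdata_file` that it does not describe; they need their own purpose line.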
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /vendor/bin/thermal_manager Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermal_manager_exec, exec_type, file_type, vendor_file_type;
+type thermal_manager, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(thermal_manager)
+
+allow thermal_manager proc_mtkcooler:dir search;
+allow thermal_manager proc_mtktz:dir search;
+allow thermal_manager proc_thermal:dir search;
+allow thermal_manager proc_mtkcooler:file rw_file_perms;
+allow thermal_manager proc_mtktz:file rw_file_perms;
+allow thermal_manager proc_thermal:file rw_file_perms;
+allow thermal_manager thermal_manager_data_file:file create_file_perms;
+allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
+allow thermal_manager mediaserver:fd use;
+allow thermal_manager mediaserver:fifo_file rw_file_perms;
+allow thermal_manager mediaserver:tcp_socket { read write };
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose :
+allow thermal_manager camera_isp_device:chr_file rw_file_perms;
+allow thermal_manager cameraserver:fd use;
+allow thermal_manager kd_camera_hw_device:chr_file rw_file_perms;
+allow thermal_manager MTK_SMI_device:chr_file r_file_perms;
+allow thermal_manager surfaceflinger:fd use;
+set_prop(thermal_manager, vendor_mtk_thermal_config_prop)
+
+# Date : 2019/09/12
+# Operation : Migration
+# Purpose : add sysfs permission
+# path = " sys/devices/virtual/thermal/"
+# path = " sys/class/thermal/"
+allow thermal_manager sysfs_therm:file w_file_perms;
+
+# Date : WK18.18
+# Operation : P Migration
+# Purpose : Allow thermal_manager to access vendor data file.
+allow thermal_manager self:capability { fowner chown };
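Review bot: `allow thermal_manager self:capability { fowner chown };` at the end of the file is justified only by "access vendor data file", which does not explain why the daemon must bypass file-ownership checks. `fowner` lets the process change mode and attributes on files it does not own, bounded only by the type rules in this file, so the comment should name what is being re-owned, e.g. `# Purpose : chown/chmod <path> under thermal_manager_data_file created by <component>` (placeholders). If ownership can instead be set when the directory is created by the init script, both capabilities could probably be dropped; that needs checking against the daemon.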
diff --git a/basic/non_plat/thermalloadalgod.te b/basic/non_plat/thermalloadalgod.te
new file mode 100644
index 0000000..23a91f7
--- /dev/null
+++ b/basic/non_plat/thermalloadalgod.te
@@ -0,0 +1,45 @@
+# ==============================================
+# Policy File of /vendor/bin/thermalloadalgod_exec Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermalloadalgod ,domain;
+type thermalloadalgod_exec, exec_type, file_type, vendor_file_type;
+typeattribute thermalloadalgod mlstrustedsubject;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(thermalloadalgod)
+
+# Data : WK14.43
+# Operation : Migration
+# Purpose : thermal algorithm daemon for access driver node
+allow thermalloadalgod input_device:dir rw_dir_perms;
+allow thermalloadalgod input_device:file r_file_perms;
+
+allow thermalloadalgod thermalloadalgod:netlink_socket create_socket_perms_no_ioctl;
+
+allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms;
+allow thermalloadalgod thermal_manager_data_file:file create_file_perms;
+allow thermalloadalgod kmsg_device:chr_file w_file_perms;
+
+# Data : WK16.49
+# Operation : SPA porting
+# Purpose : thermal algorithm daemon for SPA
+# For /proc/[pid]/cgroup accessing
+allow thermalloadalgod proc:dir { search getattr };
+allow thermalloadalgod shell:dir search;
+allow thermalloadalgod platform_app:dir search;
+allow thermalloadalgod platform_app:file r_file_perms;
+allow thermalloadalgod priv_app:dir search;
+allow thermalloadalgod priv_app:file r_file_perms;
+allow thermalloadalgod system_app:dir search;
+allow thermalloadalgod system_app:file r_file_perms;
+allow thermalloadalgod untrusted_app:dir search;
+allow thermalloadalgod untrusted_app:file r_file_perms;
+allow thermalloadalgod mediaserver:dir search;
+allow thermalloadalgod mediaserver:file r_file_perms;
+allow thermalloadalgod proc_thermal:dir search;
+allow thermalloadalgod proc_thermal:file rw_file_perms;
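Review bot: `typeattribute thermalloadalgod mlstrustedsubject;` carries no comment, and combined with `r_file_perms` on `untrusted_app:file`, `priv_app:file`, `platform_app:file` and `system_app:file` it lets this daemon read the /proc/<pid> files of app processes across MLS categories (subject to the kernel's own checks), while the stated need is /proc/[pid]/cgroup only. Type rules cannot narrow the grant to a single file under /proc/<pid>, so the scope should at least be written down next to the attribute: `# mlstrustedsubject: needed to read /proc/<pid>/cgroup of app processes; this also exposes the other /proc/<pid> files of those domains`. The header names the binary as /vendor/bin/thermalloadalgod_exec, which looks like the type name rather than the installed path.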
diff --git a/basic/non_plat/ueventd.te b/basic/non_plat/ueventd.te
new file mode 100644
index 0000000..82162e7
--- /dev/null
+++ b/basic/non_plat/ueventd.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.12
+# Purpose: Fix bootup fail
+allow ueventd proc_net:file r_file_perms;
+
+# Date: W17.22
+# Operation : New Feature
+# Purpose : Add for A/B system
+allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto };
+allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
+
+# Date: 2019/06/14
+# Operation : Migration
+allow ueventd tmpfs:lnk_file r_file_perms;
diff --git a/basic/non_plat/uncrypt.te b/basic/non_plat/uncrypt.te
new file mode 100644
index 0000000..7723531
--- /dev/null
+++ b/basic/non_plat/uncrypt.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# uncrypt for mtd
+allow uncrypt mtd_device:chr_file rw_file_perms;
+allow uncrypt mtd_device:dir search;
+allow uncrypt mtd_device:blk_file rw_file_perms;
+
+allow uncrypt misc_device:chr_file ~rename;
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+allow uncrypt para_block_device:blk_file w_file_perms;
+allow uncrypt system_app_data_file:dir { getattr search };
+allow uncrypt system_app_data_file:file { read getattr };
+allow uncrypt media_rw_data_file:dir { getattr search };
+allow uncrypt media_rw_data_file:file r_file_perms;
+allow uncrypt ota_package_file:file w_file_perms;
diff --git a/basic/non_plat/untrusted_app.te b/basic/non_plat/untrusted_app.te
new file mode 100644
index 0000000..d726ed0
--- /dev/null
+++ b/basic/non_plat/untrusted_app.te
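Review bot: `allow uncrypt misc_device:chr_file ~rename;` in uncrypt.te grants every chr_file permission except rename, because `~` is a set complement; that takes in permissions such as execute, mounton and relabelfrom, plus anything added to the class later. An explicit set keeps the grant reviewable: `allow uncrypt misc_device:chr_file rw_file_perms;`, with individual permissions added only when a denial shows they are needed. The write grants on `userdata_block_device` and `para_block_device` directly below it have no purpose comment either, and raw write access to the userdata partition deserves one.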
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2016/02/26
+# Operation: Migration
+# Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures
+# from MTK kernel modules for thermal tests at OEM/ODM.
+allow untrusted_app proc_mtktz:dir search;
+allow untrusted_app proc_mtktz:file r_file_perms;
diff --git a/basic/non_plat/untrusted_app_25.te b/basic/non_plat/untrusted_app_25.te
new file mode 100644
index 0000000..8c94ea3
--- /dev/null
+++ b/basic/non_plat/untrusted_app_25.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/08/01
+# Operation: SQC
+# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information
+# properly for thermal tests at OEM/ODM.
+allow untrusted_app_25 proc_mtktz:dir search;
+allow untrusted_app_25 proc_mtktz:file r_file_perms;
+allow untrusted_app_25 proc_thermal:dir search;
+allow untrusted_app_25 proc_thermal:file r_file_perms;
+
+allow untrusted_app_25 sysfs_fps:dir search;
+allow untrusted_app_25 sysfs_fps:file r_file_perms;
+allow untrusted_app_25 sysfs_batteryinfo:dir search;
+allow untrusted_app_25 sysfs_therm:dir r_dir_perms;
+allow untrusted_app_25 sysfs_therm:file r_file_perms;
diff --git a/basic/non_plat/untrusted_app_all.te b/basic/non_plat/untrusted_app_all.te
new file mode 100644
index 0000000..d5a2a90
--- /dev/null
+++ b/basic/non_plat/untrusted_app_all.te
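Review bot: The comments in untrusted_app.te and untrusted_app_25.te justify these rules by two MTK test tools (ElephantStress, WhatsTemp) used at OEM/ODM, yet the rules apply to every app that runs in those domains on every build type. As written, any `untrusted_app` process can read `proc_mtktz`, and `untrusted_app_25` processes can additionally read `proc_thermal`, `sysfs_therm` and `sysfs_fps` and search `sysfs_batteryinfo`. If the tools are used only on engineering builds, wrap both rule sets in the `userdebug_or_eng` macro; otherwise the comment should say that release builds intentionally expose these nodes to third-party apps.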
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2020/06/08
+# Purpose: Allow untrusted app to access mtk jpeg
+allow untrusted_app_all proc_mtk_jpeg:file rw_file_perms;
+allowxperm untrusted_app_all proc_mtk_jpeg:file ioctl {
+ JPG_BRIDGE_DEC_IO_LOCK
+ JPG_BRIDGE_DEC_IO_WAIT
+ JPG_BRIDGE_DEC_IO_UNLOCK
+};
diff --git a/basic/non_plat/update_engine.te b/basic/non_plat/update_engine.te
new file mode 100644
index 0000000..9a9f66c
--- /dev/null
+++ b/basic/non_plat/update_engine.te
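Review bot: `allow untrusted_app_all proc_mtk_jpeg:file rw_file_perms;` makes a vendor kernel interface reachable from every untrusted app, and the comment says only "access mtk jpeg". The `allowxperm` list does restrict ioctls to the three JPG_BRIDGE_DEC_IO_* commands, which is the right shape, but `rw_file_perms` still includes write, append and map on the proc node. If the bridge is driven only through those ioctls, `{ getattr open read ioctl }` would be enough; that is an assumption to confirm against the driver. A comment such as `# ioctl-only interface reachable from all apps; handlers must treat every argument as untrusted` would record the exposure for whoever maintains the driver.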
@@ -0,0 +1,63 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Add for update_engine update block device +allow update_engine preloader_block_device:blk_file rw_file_perms; +allow update_engine lk_block_device:blk_file rw_file_perms; +allow update_engine dtbo_block_device:blk_file rw_file_perms; +allow update_engine tee_block_device:blk_file rw_file_perms; +allow update_engine vendor_block_device:blk_file rw_file_perms; +allow update_engine odm_block_device:blk_file rw_file_perms; +allow update_engine oem_block_device:blk_file rw_file_perms; +allow update_engine md_block_device:blk_file rw_file_perms; +allow update_engine dsp_block_device:blk_file rw_file_perms; +allow update_engine scp_block_device:blk_file rw_file_perms; +allow update_engine sspm_block_device:blk_file rw_file_perms; +allow update_engine spmfw_block_device:blk_file rw_file_perms; +allow update_engine mcupmfw_block_device:blk_file rw_file_perms; +allow update_engine loader_ext_block_device:blk_file rw_file_perms; +allow update_engine cam_vpu_block_device:blk_file rw_file_perms; +allow update_engine para_block_device:blk_file rw_file_perms; +allow update_engine vbmeta_block_device:blk_file rw_file_perms; +allow update_engine audio_dsp_block_device:blk_file rw_file_perms; +allow update_engine gz_block_device:blk_file rw_file_perms; +allow update_engine proc_filesystems:file r_file_perms; +allow update_engine dpm_block_device:blk_file rw_file_perms; +allow update_engine pi_img_device:blk_file rw_file_perms; +allow update_engine apusys_device:blk_file rw_file_perms_no_map; +allow update_engine ccu_device:blk_file rw_file_perms_no_map; +allow update_engine gpueb_device:blk_file rw_file_perms_no_map; +allow update_engine mcf_ota_block_device:blk_file rw_file_perms_no_map; +allow update_engine vcp_device:blk_file rw_file_perms_no_map; +allow update_engine mvpu_algo_device:blk_file rw_file_perms_no_map; + +# Add for 
update_engine call by system_app +allow update_engine system_app:binder { call transfer }; + +# Add for update_engine with postinstall +allow update_engine postinstall_mnt_dir:dir { rw_dir_perms unlink}; + +# Add for AVB20 +allow update_engine tmpfs:lnk_file r_file_perms; + +allow update_engine metadata_file:dir { getattr mounton }; +allow update_engine devpts:chr_file rw_file_perms; +allow update_engine kmsg_device:chr_file w_file_perms; + +# Date: 2020/09/02 +# Operation: R migration +# Purpose: Add permission for pl path utilities to add symlink to raw pl +allow update_engine sysfs_devices_block:dir search; + +# Date: 2021/07/15 +# Operation: S migration +# Purpose: Add permission for pl path utilities +allow update_engine postinstall_block_device:dir w_dir_perms; +allow update_engine postinstall_block_device:lnk_file create_file_perms; +allow update_engine proc_bootconfig:file r_file_perms; + +# Date : 2022/02/07 +# Operation : T migration +# Purpose : Add permission for pl path utilities +allow update_engine sysfs_block:dir search; diff --git a/basic/non_plat/vendor_init.te b/basic/non_plat/vendor_init.te new file mode 100644 index 0000000..58ca754 --- /dev/null +++ b/basic/non_plat/vendor_init.te 
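Review bot: The block-device list mixes `rw_file_perms` (preloader_block_device through pi_img_device) with `rw_file_perms_no_map` (apusys_device onward) and gives no reason for the difference. Writing partition images should not need `map`, so the earlier entries could use the narrower macro as well, e.g. `allow update_engine tee_block_device:blk_file rw_file_perms_no_map;`, unless a denial shows otherwise. `proc_filesystems:file r_file_perms` also sits in the middle of that list under the "update block device" comment, where a reader scanning for non-partition access will miss it.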
@@ -0,0 +1,163 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +set_prop(vendor_init, vendor_mtk_mediatek_prop) +set_prop(vendor_init, vendor_mtk_md_version_prop) +set_prop(vendor_init, vendor_mtk_volte_prop) +set_prop(vendor_init, vendor_mtk_radio_prop) +set_prop(vendor_init, vendor_mtk_ril_mode_prop) +set_prop(vendor_init, vendor_mtk_wmt_prop) +set_prop(vendor_init, vendor_mtk_coredump_prop) +allow vendor_init proc_wmtdbg:file w_file_perms; +allow vendor_init proc_cpufreq:file w_file_perms; +allow vendor_init proc_bootprof:file w_file_perms; +allow vendor_init proc_pl_lk:file w_file_perms; +allow vendor_init proc_mtprintk:file w_file_perms; +allow vendor_init rootfs:dir create_dir_perms; +allow vendor_init self:capability sys_module; +allow vendor_init tmpfs:dir create_dir_perms; +allow vendor_init unlabeled:dir { relabelfrom getattr setattr search }; +allow vendor_init vendor_file:system module_load; +allow vendor_init kmsg_device:chr_file unlink; +set_prop(vendor_init, vendor_mtk_sensor_prop) +set_prop(vendor_init, vendor_mtk_usb_prop) +set_prop(vendor_init, vendor_mtk_ct_volte_prop) +set_prop(vendor_init, vendor_mtk_gps_support_prop) +set_prop(vendor_init, vendor_mtk_rat_config_prop) +set_prop(vendor_init, vendor_mtk_tel_switch_prop) +set_prop(vendor_init, vendor_mtk_aal_ro_prop) +set_prop(vendor_init, vendor_mtk_pq_ro_prop) +set_prop(vendor_init, vendor_mtk_default_prop) +set_prop(vendor_init, vendor_mtk_nn_option_prop) +set_prop(vendor_init, vendor_mtk_emmc_support_prop) +set_prop(vendor_init, vendor_mtk_anr_support_prop) +set_prop(vendor_init, vendor_mtk_app_prop) +set_prop(vendor_init, vendor_mtk_bt_sap_enable_prop) +set_prop(vendor_init, vendor_mtk_factory_prop) +get_prop(vendor_init, vendor_mtk_soc_prop) +set_prop(vendor_init, vendor_mtk_prefer64_prop) + +# allow create symbolic link, /mnt/sdcard, for meta/factory mode +allow vendor_init tmpfs:lnk_file create_file_perms; + 
+set_prop(vendor_init, vendor_mtk_cxp_vendor_prop) + +# Run "ifup lo" to bring up the localhost interface +allow vendor_init proc_hostname:file w_file_perms; +allow vendor_init self:udp_socket create_socket_perms; + +# in addition to unpriv ioctls granted to all domains, init also needs: +allowxperm vendor_init self:udp_socket ioctl { SIOCSIFFLAGS }; +allow vendor_init self:global_capability_class_set net_raw; + +# enhance boot time +allow vendor_init proc_perfmgr:file w_file_perms; + +set_prop(vendor_init, vendor_mtk_appresolutiontuner_prop) + +# fullscreen switch +set_prop(vendor_init, vendor_mtk_fullscreenswitch_prop) + +# for kernel module verification support, allow vendor domain to search kernel keyring +allow vendor_init kernel:key search; + +# Purpose: /dev/block/mmcblk0p10 +allow vendor_init expdb_block_device:blk_file rw_file_perms; + +set_prop(vendor_init, vendor_mtk_wifi_hotspot_prop) +set_prop(vendor_init, vendor_mtk_wifi_hal_prop) +set_prop(vendor_init, vendor_mtk_powerhal_prop) + +# mmstat tracer +allow vendor_init debugfs_tracing_instances:dir create_dir_perms; +allow vendor_init debugfs_tracing_instances:file w_file_perms; + +#boot tracer +allow vendor_init debugfs_tracing_debug:file w_file_perms; + +# Set surfaceflinger cpu policy property +set_prop(vendor_init, vendor_mtk_debug_sf_cpupolicy_prop) + +# Date : 2019/11/21 +# Operation: SQC +# Purpose : Allow vendor_init to control MCDI +allow vendor_init proc_cpuidle:file rw_file_perms; + +# Date : 2020/07/08 +# Purpose: add permission for /proc/sys/vm/swappiness +allow vendor_init proc_swappiness:file w_file_perms; + +# Date : 2020/08/05 +# Purpose: add permission for /proc/driver/wmt_user_proc +allow vendor_init proc_wmtuserproc:file w_file_perms; + +# Date : 2020/08/20 +# Operation: touchboost +# Purpose: Allow vendor_init to set the default value of touch resample latency +set_prop(vendor_init, vendor_mtk_input_resample_latency_prop) + +# Date : 2021/04/24 +# Operation: addwindow +# Purpose: Get 
the variable value of touch report rate +set_prop(vendor_init, vendor_mtk_input_report_rate_prop) + +# Date : 2020/09/07 +# Purpose: add permission for /proc/sys/kernel/panic_on_rcu_stall +allow vendor_init proc_panic_on_rcu_stall:file rw_file_perms; + +# Date : 2020/12/23 +# Purpose: Allow vendor_init to write /proc/driver/conninfra_dbg +allow vendor_init proc_conninfradbg:file w_file_perms; + +# Date: 2020/11/18 +# Purpose: Set the vendor.all.modules.ready property +set_prop(vendor_init, vendor_mtk_device_prop) + +# Date: 2021/04/15 +# Purpose: Allow init to write /proc/blocktag/blockio +allow vendor_init procfs_blockio:file w_file_perms; + +# Date : 2021/04/20 +# Purpose: Allow vendor_init to write /proc/driver/drop_caches , extra_free_kbytes , watermark_scale_factor +allow vendor_init proc_extra_free_kbytes:file w_file_perms; +allow vendor_init proc_drop_caches:file w_file_perms; +allow vendor_init proc_watermark_scale_factor:file w_file_perms; +set_prop(vendor_init, vendor_mtk_vm_prop) + +# Date 2021/05/10 +# Purpose : init the default value before bootup +allow vendor_init proc_sched_migration_cost_ns:file rw_file_perms; + +# Date 2021/05/15 +# Purpose allow vendor_init to write proc/sys/kernel/sched_* +allow vendor_init proc_sched:file w_file_perms; + +# Date 2021/07/21 +# Purpose: Set the ro.vendor.mtk_aod_support property +set_prop(vendor_init, vendor_mtk_aod_support_prop) + +# Data 2021/08/06 +# Purpose: Set the ro.vendor.bluetooth.a2dp_aac_vbr.is_disabled property +set_prop(vendor_init, vendor_mtk_bt_aac_vbr_prop) + +# Data 2021/09/23 +# Purpose: Set the ro.vendor.game_aisr_enable property +set_prop(vendor_init, vendor_mtk_gpu_prop) + +# Data 2021/09/28 +# Purpose: Set the ro.vendor.mtk_ovl_bringup property +set_prop(vendor_init, vendor_mtk_display_ro_prop) + +# Date : 2021/11/12 +# Purpose: add permission for /proc/sys/vm/watermark_boost_factor +allow vendor_init proc_watermark_boost_factor:file w_file_perms; + +# Date: 2022/1/4 +# Purpose: add 
Neuropilot flag +set_prop(vendor_init, vendor_mtk_neuropilot_flag_prop) + +# Date: 2022/2/16 +# Purpose: for non-5G GKI platform +set_prop(vendor_init, vendor_mtk_mdrsra_v2_support_prop) +set_prop(vendor_init, vendor_mtk_xfrm_support_prop) diff --git a/basic/non_plat/viarild.te b/basic/non_plat/viarild.te new file mode 100644 index 0000000..f9878ef --- /dev/null +++ b/basic/non_plat/viarild.te @@ -0,0 +1 @@ +type viarild, domain; diff --git a/basic/non_plat/vold.te b/basic/non_plat/vold.te new file mode 100644 index 0000000..9eb5f22 --- /dev/null +++ b/basic/non_plat/vold.te 
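Review bot: `allow vendor_init self:capability sys_module;` and `allow vendor_init vendor_file:system module_load;` sit in an uncommented run near the top of vendor_init.te, and together they permit loading a kernel module from any file carrying the generic `vendor_file` label. A dedicated label for module files (AOSP provides `vendor_kernel_modules`) would limit which files qualify; whether this tree can use it is not visible here. The same run grants `rootfs:dir create_dir_perms`, `unlabeled:dir relabelfrom` and `kmsg_device:chr_file unlink`, each of which deserves a `# Purpose :` line like the dated entries further down. The comment for `expdb_block_device` cites a fixed node, /dev/block/mmcblk0p10, which may not hold on other partition layouts.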
@@ -0,0 +1,47 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# volume manager + +# Date : WK16.19 +# Operation : Migration +# Purpose : unmount /mnt/cd-rom. It causes by unmountAll() when VolumeManager starts +allow vold iso9660:filesystem unmount; + +# Date : WK16.19 +# Operation : Migration +# Purpose : vold will traverse /proc when remountUid(). +# It will trigger violation if mtk customize some label in /proc. +# However, we should ignore the violation if the processes never access the storage. +dontaudit vold proc_mtkcooler:dir r_dir_perms; +dontaudit vold proc_mtktz:dir r_dir_perms; +dontaudit vold proc_thermal:dir r_dir_perms; + +# Date : WK18.30 +# Operation : Migration +# Purpose : vold create mdlog folder in data for meta mode. +allow vold mdlog_data_file:dir create_dir_perms; + +allow vold mtd_device:blk_file rw_file_perms; + +# dontaudit for fstrim on 'vendor' folder +dontaudit vold nvdata_file:dir r_dir_perms; +dontaudit vold nvcfg_file:dir r_dir_perms; +dontaudit vold protect_f_data_file:dir r_dir_perms; +dontaudit vold protect_s_data_file:dir r_dir_perms; + +# execute mke2fs when format as internal +allow vold cache_block_device:blk_file getattr; +allowxperm vold dm_device:blk_file ioctl { + BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET +}; +allow vold nvcfg_block_device:blk_file getattr; +allow vold nvdata_device:blk_file getattr; +allow vold proc_swaps:file r_file_perms; +allow vold protect1_block_device:blk_file getattr; +allow vold protect2_block_device:blk_file getattr; +allow vold swap_block_device:blk_file getattr; + +# trigger udisk uevent +allow vold sysfs_usb_nonplat:file w_file_perms; \ No newline at end of file diff --git a/basic/non_plat/volte_clientapi_ua.te b/basic/non_plat/volte_clientapi_ua.te new file mode 100644 index 0000000..c20979e --- /dev/null +++ b/basic/non_plat/volte_clientapi_ua.te 
@@ -0,0 +1 @@ +type volte_clientapi_ua, domain, mtkimsapdomain; diff --git a/basic/non_plat/volte_rcs_ua.te b/basic/non_plat/volte_rcs_ua.te new file mode 100644 index 0000000..8e25f8d --- /dev/null +++ b/basic/non_plat/volte_rcs_ua.te @@ -0,0 +1 @@ +type volte_rcs_ua, domain, mtkimsapdomain; diff --git a/basic/non_plat/vpud_native.te b/basic/non_plat/vpud_native.te new file mode 100644 index 0000000..312437e --- /dev/null +++ b/basic/non_plat/vpud_native.te 
@@ -0,0 +1,49 @@
+# ==============================================
+# Policy File of /vendor/bin/vpud Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type vpud_native_exec, exec_type, file_type, vendor_file_type;
+type vpud_native, domain;
+
+init_daemon_domain(vpud_native)
+
+allow vpud_native ion_device:chr_file rw_file_perms;
+allow vpud_native vcu_device:chr_file rw_file_perms;
+allow vpud_native MTK_SMI_device:chr_file r_file_perms;
+allow vpud_native thermal_manager_data_file:file rw_file_perms;
+allow vpud_native thermalloadalgod:unix_stream_socket connectto;
+allow vpud_native proc_mtktz:dir search;
+allow vpud_native proc_mtktz:file rw_file_perms;
+allow vpud_native proc_thermal:file rw_file_perms;
+set_prop(vpud_native, vendor_mtk_thermal_config_prop)
+allowxperm vpud_native proc_m4u:file ioctl MTK_M4U_GZ_SEC_INIT;
+allowxperm vpud_native proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
+allow vpud_native vcodec_file:file create_file_perms;
+allow vpud_native vcodec_file:dir create_dir_perms;
+allow vpud_native sysfs_device_tree_model:file r_file_perms;
+
+allow vpud_native gz_device:chr_file rw_file_perms;
+allow vpud_native proc_m4u:file rw_file_perms;
+allow vpud_native tee_device:chr_file rw_file_perms;
+
+# call PowerHal
+hal_client_domain(vpud_native, hal_power)
+
+allow vpud_native mediaserver:fd use;
+allow vpud_native debugfs_ion:dir search;
+
+not_full_treble(`
+ allow vpud_native shell_exec:file { execute read open execute_no_trans getattr };
+ allow vpud_native toolbox_exec:file { getattr execute read open execute_no_trans };
+')
+
+full_treble_only(`
+ allow vpud_native vendor_shell_exec:file rx_file_perms;
+ allow vpud_native vendor_toolbox_exec:file rx_file_perms;
+')
+
+# add power config
+allow vpud_native sysfs_boot_mode:file r_file_perms;
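Review bot: The `not_full_treble` and `full_treble_only` blocks let vpud_native run the shell and toolbox with `execute_no_trans`, i.e. inside its own domain, and that domain also holds `rw_file_perms` on `tee_device`, `gz_device` and `proc_m4u`. None of these rules has a purpose comment. If the shell is needed only for a start-up step, moving that step to an init script would allow both blocks to be dropped; if it is required at run time, the policy should say what is executed, e.g. `# vpud runs <script> via sh to <reason>` (placeholders). `thermalloadalgod:unix_stream_socket connectto` and `thermal_manager_data_file:file rw_file_perms` look carried over from the thermal policies and should be confirmed as well.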
diff --git a/basic/non_plat/vtservice_hidl.te b/basic/non_plat/vtservice_hidl.te new file mode 100644 index 0000000..c96d8b6 --- /dev/null +++ b/basic/non_plat/vtservice_hidl.te @@ -0,0 +1,2 @@ +# "mtkimsapdomain" is for IMS repo phase 3, mean all permiton for IMCB/UA +type vtservice_hidl, domain, mtkimsapdomain; diff --git a/basic/non_plat/wifi_dump.te b/basic/non_plat/wifi_dump.te new file mode 100644 index 0000000..0794dd8 --- /dev/null +++ b/basic/non_plat/wifi_dump.te @@ -0,0 +1,27 @@ +# ============================================== +# Policy File of /vendor/bin/wifi_dump Executable File + +# ============================================== +# Type Declaration +# ============================================== +type wifi_dump_exec, vendor_file_type, exec_type, file_type; +type wifi_dump, domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(wifi_dump) +allow wifi_dump self:capability net_admin; +allow wifi_dump self:netlink_socket create_socket_perms_no_ioctl; +allow wifi_dump self:netlink_generic_socket create_socket_perms_no_ioctl; +allow wifi_dump conninfra_device:chr_file rw_file_perms; +allow wifi_dump stpwmt_device:chr_file rw_file_perms; +allow wifi_dump tmpfs:lnk_file r_file_perms; +allow wifi_dump mnt_user_file:dir search; +allow wifi_dump mnt_user_file:lnk_file r_file_perms; +allow wifi_dump storage_file:lnk_file r_file_perms; +allow wifi_dump stp_dump_data_file:dir create_dir_perms; +allow wifi_dump stp_dump_data_file:file create_file_perms; +allow wifi_dump connsyslog_data_vendor_file:dir create_dir_perms; +allow wifi_dump connsyslog_data_vendor_file:file create_file_perms; +get_prop(wifi_dump, vendor_mtk_coredump_prop) \ No newline at end of file diff --git a/basic/non_plat/wlan_assistant.te b/basic/non_plat/wlan_assistant.te new file mode 100644 index 0000000..98f2ecb --- /dev/null +++ b/basic/non_plat/wlan_assistant.te 
@@ -0,0 +1,39 @@ +# ============================================== +# Policy File of /vendor/bin/wlan_assistant Executable File + +# ============================================== +# Type Declaration +# ============================================== +type wlan_assistant_exec, exec_type, file_type, vendor_file_type; +type wlan_assistant, domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(wlan_assistant) + +# Date : WK14.34 +# Operation : Migration +# Purpose : for mtk debug mechanism. agpsd_data_file, mtk_agpsd are used +# to share wifi scan results with AGPS module. netlink_socket is used to +# listen events of wlan driver. udp_socket is used to do ioctl with wlan driver +# kernel-3.18 uses netlink_socket, but kernel-4.4 uses generic netlink_socket +allow wlan_assistant agpsd_data_file:sock_file w_file_perms; +allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto; +allow wlan_assistant agpsd_data_file:dir search; +allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl; +allow wlan_assistant self:udp_socket create_socket_perms; + +# Date : WK18.17 +# Operation : Migration +# Purpose : To allow wlan_assistant monitor /vendor/nvdata/APCFG/APRDEB, +# /storage/sdcard0, /vendor/firmware. Which can help to check if nvram, +# driver config or firmware config file are changed, if yes, will write it +# to wlan driver in time. +allow wlan_assistant nvdata_file:dir r_dir_perms; +allow wlan_assistant nvdata_file:file r_file_perms; +allow wlan_assistant wmtWifi_device:chr_file rw_file_perms; + +allow wlan_assistant mnt_vendor_file:dir search; + +set_prop(wlan_assistant, vendor_mtk_nvram_ready_prop) diff --git a/basic/non_plat/wmt_loader.te b/basic/non_plat/wmt_loader.te new file mode 100644 index 0000000..de812f3 --- /dev/null +++ b/basic/non_plat/wmt_loader.te 
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /vendor/bin/wmt_loader Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type wmt_loader, domain;
+type wmt_loader_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(wmt_loader)
+
+allow wmt_loader self:capability chown;
+
+# Set the property
+set_prop(wmt_loader, vendor_mtk_wmt_prop)
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/wmtdetect
+allow wmt_loader wmtdetect_device:chr_file rw_file_perms;
+
+# add ioctl/open/read/write permission for wmt_loader with /dev/stpwm
+allow wmt_loader stpwmt_device:chr_file rw_file_perms;
+allow wmt_loader devpts:chr_file rwx_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+allow wmt_loader proc_wmtdbg:file setattr;
+
+# Date : 2020/08/05
+# add setattr permission for wmt_loader with /proc/driver/wmt_user_proc
+allow wmt_loader proc_wmtuserproc:file setattr;
diff --git a/basic/non_plat/wo_epdg_client.te b/basic/non_plat/wo_epdg_client.te
new file mode 100644
index 0000000..181ba2e
--- /dev/null
+++ b/basic/non_plat/wo_epdg_client.te
@@ -0,0 +1 @@
+type wo_epdg_client, domain;
diff --git a/basic/non_plat/wo_ipsec.te b/basic/non_plat/wo_ipsec.te
new file mode 100644
index 0000000..ce5c597
--- /dev/null
+++ b/basic/non_plat/wo_ipsec.te
@@ -0,0 +1 @@
+type wo_ipsec, domain;
diff --git a/basic/non_plat/xgff_test_native.te b/basic/non_plat/xgff_test_native.te
new file mode 100644
index 0000000..8fb3e5e
--- /dev/null
+++ b/basic/non_plat/xgff_test_native.te
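Review bot: `allow wmt_loader devpts:chr_file rwx_file_perms;` in wmt_loader.te grants execute on pseudo-terminal devices, which nothing in the file explains, and the line sits under the /dev/stpwm comment although it is unrelated to that device. Console output needs at most `allow wmt_loader devpts:chr_file rw_file_perms;`. The two `setattr` rules on `proc_wmtdbg` and `proc_wmtuserproc`, together with `self:capability chown`, suggest the loader changes ownership of these proc nodes; a one-line comment stating the intended owner would make that reviewable.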
@@ -0,0 +1,24 @@ +# ============================================== +# Policy File of /vendor/bin/xgff_test Executable File + +# ============================================== +# Type Declaration +# ============================================== +type xgff_test_native_exec, exec_type, file_type, vendor_file_type; +type xgff_test_native, domain; + +# ============================================== +# Common SEPolicy Rule +# ============================================== +init_daemon_domain(xgff_test_native) + +allow xgff_test_native self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; +allow xgff_test_native sysfs_boot_mode:file r_file_perms; +hal_client_domain(xgff_test_native, hal_power) + +allow xgff_test_native proc_perfmgr:dir r_dir_perms; +allow xgff_test_native proc_perfmgr:file rw_file_perms; +allowxperm xgff_test_native proc_perfmgr:file ioctl { + PERFMGR_XGFFRAME_START + PERFMGR_XGFFRAME_END +}; diff --git a/basic/non_plat/zygote.te b/basic/non_plat/zygote.te new file mode 100644 index 0000000..61b5c47 --- /dev/null +++ b/basic/non_plat/zygote.te 
@@ -0,0 +1,31 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow zygote proc_ged:file rw_file_perms;
+
+# Date : WK17.02
+# Purpose: Allow to access gpu for memtrack functions
+allow zygote gpu_device:dir search;
+allow zygote gpu_device:chr_file rw_file_perms;
+
+allow zygote proc_bootprof:file rw_file_perms;
+allow zygote proc_uptime:file rw_file_perms;
+
+# Date : WK21.29
+# Purpose: Allow Zygote to unmount labeledfs
+allow zygote labeledfs:filesystem { unmount };
+
+# Date : WK21.41
+# Purpose: Allow Zygote to access cgroup for statsd functions
+allow zygote cgroup:file setattr;
+
+# Date : WK21.47
+# Purpose: dontaudit Zygote set its the nice value
+dontaudit zygote self:capability sys_nice;
+
+# Date : WK22.04
+# Purpose: dontaudit Zygote write system_file when restarting Android
+dontaudit zygote system_file:dir write;
diff --git a/basic/plat_private/aal.te b/basic/plat_private/aal.te
new file mode 100644
index 0000000..4262a7c
--- /dev/null
+++ b/basic/plat_private/aal.te
@@ -0,0 +1 @@
+type aal, domain;
diff --git a/basic/plat_private/adbd.te b/basic/plat_private/adbd.te
new file mode 100644
index 0000000..d2b1195
--- /dev/null
+++ b/basic/plat_private/adbd.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow adbd debuglog_data_file:dir r_dir_perms;
+allow adbd debuglog_data_file:file r_file_perms;
diff --git a/basic/plat_private/app.te b/basic/plat_private/app.te
new file mode 100644
index 0000000..2f1c073
--- /dev/null
+++ b/basic/plat_private/app.te
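Review bot: In zygote.te, `allow zygote proc_bootprof:file rw_file_perms;` and `allow zygote proc_uptime:file rw_file_perms;` are the only rules without a Date/Purpose header, and both grant write. Zygote is the parent of every app process, so each extra write permission should be justified; if only reads are needed, `allow zygote proc_uptime:file r_file_perms;` is enough. The two `dontaudit` rules at the end silence `sys_nice` and `system_file:dir write` denials, and I would extend their comments to name the code path that triggers the attempt so the suppression can be revisited later.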
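Review bot: The two adbd.te rules give adbd read access to `debuglog_data_file` on every build type, and the file_contexts hunk in this same patch applies that label to both `/data/debuglogger(/.*)?` and `/data/ramdump(/.*)?`. As written, debug logs and RAM dumps become readable over ADB on user builds as well as engineering builds. Unless production devices need this, both rules belong inside the `userdebug_or_eng` macro that crash_dump.te and dumpstate.te already use. A `# Purpose:` comment is missing either way.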
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose : appdomain need get system_mtk_amslog_prop
+get_prop(appdomain, system_mtk_amslog_prop)
diff --git a/basic/plat_private/audioserver.te b/basic/plat_private/audioserver.te
new file mode 100644
index 0000000..808460d
--- /dev/null
+++ b/basic/plat_private/audioserver.te
@@ -0,0 +1,62 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : For audio dump and log
+allow audioserver sdcard_type:dir create_dir_perms;
+
+# Data : WK14.38
+# Operation : Migration
+# Purpose : for boot animation.
+binder_call(audioserver, bootanim)
+binder_call(audioserver, mtkbootanimation)
+
+# Data : WK14.46
+# Operation : Migration
+# Purpose : for SMS app
+allow audioserver radio_data_file:dir search;
+allow audioserver radio_data_file:file open;
+
+# Data : WK14.47
+# Operation : Audio playback
+# Purpose : Music as ringtone
+allow audioserver radio:dir r_dir_perms;
+allow audioserver radio:file r_file_perms;
+
+# Data : WK14.47
+# Operation : CTS
+# Purpose : cts search strange app
+allow audioserver untrusted_app:dir search;
+
+# Date : WK15.34
+# Operation : Migration
+# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
+allow audioserver storage_file:lnk_file rw_file_perms;
+allow audioserver mnt_user_file:dir rw_dir_perms;
+allow audioserver mnt_user_file:lnk_file rw_file_perms;
+
+# Purpose: Dump debug info
+allow audioserver kmsg_device:chr_file w_file_perms;
+allow audioserver media_rw_data_file:dir create_dir_perms;
+
+# Date : WK16.27
+# Operation : Migration
+# Purpose: tunning tool update parameters
+allow audioserver media_rw_data_file:file create_file_perms;
+
+# Date : WK16.28
+# Operation : Migration
+# Purpose: Write audio dump files to external SDCard.
+allow audioserver sdcard_type:file create_file_perms;
+allow audioserver storage_file:dir r_dir_perms;
+
+# Date : W18.01
+# Add for turn on SElinux in enforcing mode
+allow audioserver self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Date : WK20.14
+# Operation : Migartion
+# Purpose : MTK Audio debug use
+set_prop(audioserver, system_mtk_audio_prop)
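Review bot: The dump and debug rules in audioserver.te are unconditional: create access on `sdcard_type` and `media_rw_data_file`, `kmsg_device:chr_file w_file_perms` and `set_prop(audioserver, system_mtk_audio_prop)` all apply on user builds, although their own comments call them dump, tuning-tool or debug features. I would move them inside the `userdebug_or_eng` macro; the storage-logging rules in bluetooth.te and cmddumper.te later in this patch follow the same pattern. `allow audioserver untrusted_app:dir search;` is explained only as "cts search strange app", which does not say why audioserver must traverse directories labeled with the untrusted-app domain, so that comment should name the failing test or access. Several headers read `# Data :` where `# Date :` is meant, and one reads `Migartion`.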
diff --git a/basic/plat_private/batterywarning.te b/basic/plat_private/batterywarning.te
new file mode 100644
index 0000000..833fc86
--- /dev/null
+++ b/basic/plat_private/batterywarning.te
@@ -0,0 +1 @@
+type batterywarning, domain;
diff --git a/basic/plat_private/bluetooth.te b/basic/plat_private/bluetooth.te
new file mode 100644
index 0000000..0257806
--- /dev/null
+++ b/basic/plat_private/bluetooth.te
@@ -0,0 +1,48 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2018/01/17
+set_prop(bluetooth, system_mtk_vendor_bluetooth_prop)
+set_prop(bluetooth, debug_prop)
+
+# Date: 2018/02/02
+# Add permission for different storage types logging
+# permission in storage for legacy android M version
+allow bluetooth mnt_user_file:dir search;
+allow bluetooth mnt_user_file:lnk_file r_file_perms;
+allow bluetooth storage_file:lnk_file r_file_perms;
+
+# purpose: allow access storage for legacy N version
+allow bluetooth media_rw_data_file:file create_file_perms;
+allow bluetooth media_rw_data_file:dir create_dir_perms;
+
+# permission for storage link access in vzw Project
+allow bluetooth mnt_media_rw_file:dir search;
+
+# for logging sdcard access
+allow bluetooth sdcard_type:dir create_dir_perms;
+allow bluetooth sdcard_type:file create_file_perms;
+allow bluetooth sdcardfs:dir create_dir_perms;
+allow bluetooth sdcardfs:file create_file_perms;
+allow bluetooth rootfs:lnk_file getattr;
+
+allow bluetooth fuse:dir create_dir_perms;
+allow bluetooth fuse:file create_file_perms;
+
+# permission for storage access storage
+allow bluetooth vfat:dir create_dir_perms;
+allow bluetooth vfat:file create_file_perms;
+allow bluetooth storage_file:dir create_dir_perms;
+allow bluetooth tmpfs:lnk_file r_file_perms;
+allow bluetooth storage_file:file create_file_perms;
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(bluetooth, system_mtk_amslog_prop)
+
+# Date: 2019/06/20
+# Add dir create perms for bluetooth on /data/debuglogger
+#{ read write create search open getattr };
+allow bluetooth debuglog_data_file:dir {relabelto create_dir_perms};
+allow bluetooth debuglog_data_file:file create_file_perms;
diff --git a/basic/plat_private/boot_logo_updater.te b/basic/plat_private/boot_logo_updater.te
new file mode 100644
index 0000000..e06d736
--- /dev/null
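Review bot: `allow bluetooth debuglog_data_file:dir {relabelto create_dir_perms};` at the end of bluetooth.te adds `relabelto`, while the commented-out line just above it lists only `{ read write create search open getattr }`; cmddumper.te repeats the same `relabelto`. Nothing in the hunk says why the Bluetooth app must relabel directories into this type. If `/data/debuglogger` gets its label from the file_contexts entry in this patch, `allow bluetooth debuglog_data_file:dir create_dir_perms;` should be enough, though this needs confirming against the denial that motivated the rule. `set_prop(bluetooth, debug_prop)` has only a date above it and needs a purpose line.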
+++ b/basic/plat_private/boot_logo_updater.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+typeattribute boot_logo_updater coredomain;
+type boot_logo_updater_exec, system_file_type, exec_type, file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(boot_logo_updater)
+
+# Date : WK14.32
+# Operation : Migration
+# Puration : set boot reason
+set_prop(boot_logo_updater, system_prop)
+
+allow boot_logo_updater graphics_device:chr_file rw_file_perms;
+
+# To access directory /dev/block/mmcblk0 or /dev/block/sdc
+allow boot_logo_updater block_device:dir search;
+allow boot_logo_updater graphics_device:dir search;
+
+# to access file at /dev/block/mtd
+allow boot_logo_updater mtd_device:chr_file r_file_perms;
+allow boot_logo_updater mtd_device:dir search;
+
+#To access the file at /dev/kmsg
+allow boot_logo_updater kmsg_device:chr_file w_file_perms;
+
+#To the access /fstab mount point
+allow boot_logo_updater rootfs:file r_file_perms;
+
+#To access linux filesystem
+allow boot_logo_updater sysfs:dir r_dir_perms;
+
+# sanity fail for ALPS03604686:
+# for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14"
+allow boot_logo_updater mtd_device:blk_file r_file_perms;
diff --git a/basic/plat_private/bootanim.te b/basic/plat_private/bootanim.te
new file mode 100644
index 0000000..a697388
--- /dev/null
+++ b/basic/plat_private/bootanim.te
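Review bot: `set_prop(boot_logo_updater, system_prop)` in boot_logo_updater.te lets the updater write every property labeled `system_prop`, while its comment ("set boot reason") describes a single value. A dedicated property type for that key, granted with `set_prop`, would keep the domain to what it needs. `allow boot_logo_updater rootfs:file r_file_perms;` and `allow boot_logo_updater sysfs:dir r_dir_perms;` are similarly wide for a tool that reads an fstab entry, and their comments should name the exact paths, as the last comment in the hunk does. The header `# Puration :` is presumably meant to be `# Purpose :`.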
@@ -0,0 +1,39 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : for playing boot tone
+binder_call(bootanim, mediaserver)
+allow bootanim mediaserver_service:service_manager find;
+
+# Purpose : for playing bootanimation audio
+allow bootanim audioserver:binder {call transfer};
+allow bootanim audioserver_service:service_manager find;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(bootanim, debug_prop)
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(bootanim, system_mtk_bootani_prop)
+
+# Date : WK14.46
+# Operation : Migration
+# /data/resource-cache
+allow bootanim resourcecache_data_file:dir search;
+allow bootanim resourcecache_data_file:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow bootanim surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow bootanim gpu_device:dir search;
diff --git a/basic/plat_private/cmddumper.te b/basic/plat_private/cmddumper.te
new file mode 100644
index 0000000..176dfc7
--- /dev/null
+++ b/basic/plat_private/cmddumper.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type cmddumper_exec, system_file_type, exec_type, file_type;
+typeattribute cmddumper coredomain;
+
+init_daemon_domain(cmddumper)
+
+# for modem logging sdcard access
+allow cmddumper sdcard_type:dir create_dir_perms;
+allow cmddumper sdcard_type:file create_file_perms;
+
+# modem logger socket access
+allow cmddumper platform_app:unix_stream_socket connectto;
+allow cmddumper shell_exec:file rx_file_perms;
+allow cmddumper system_file:file x_file_perms;
+
+# purpose: allow cmddumper to access storage in N version
+allow cmddumper media_rw_data_file:file create_file_perms;
+allow cmddumper media_rw_data_file:dir create_dir_perms;
+
+# purpose: access plat_file_contexts
+allow cmddumper file_contexts_file:file r_file_perms;
+
+# Save C2K modem log into data
+allow cmddumper debuglog_data_file:dir { relabelto create_dir_perms };
+allow cmddumper debuglog_data_file:file create_file_perms;
+
+#allow emdlogger to set property
+set_prop(cmddumper, system_mtk_debug_mdlogger_prop)
+set_prop(cmddumper, debug_prop)
+
+# Android P migration
+set_prop(cmddumper, system_mtk_persist_mtklog_prop)
+set_prop(cmddumper, system_mtk_mdl_prop)
diff --git a/basic/plat_private/compat/30.0/30.0.cil b/basic/plat_private/compat/30.0/30.0.cil
new file mode 100644
index 0000000..6a18837
--- /dev/null
+++ b/basic/plat_private/compat/30.0/30.0.cil
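Review bot: In cmddumper.te, `allow cmddumper shell_exec:file rx_file_perms;` and `allow cmddumper system_file:file x_file_perms;` sit under the comment `# modem logger socket access`, which does not describe them. The two rules let the daemon run a shell and system binaries (the first certainly inside its own domain, the second too unless a transition is defined elsewhere), and that domain also holds storage create rights and four `set_prop` grants. If a shell really is required, the comment should say which command is run; em_svr.te later in this patch carries the same `shell_exec` rule with only "add for shell cmd" as explanation. The comment `#allow emdlogger to set property` names the wrong domain and should read `# allow cmddumper to set property`.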
@@ -0,0 +1,162 @@ +(expandtypeattribute (aee_aed_30_0) true) +(expandtypeattribute (aee_core_forwarder_30_0) true) +(expandtypeattribute (apmsrv_app_30_0) true) +(expandtypeattribute (atci_service_sys_30_0) true) +(expandtypeattribute (boot_logo_updater_30_0) true) +(expandtypeattribute (camerapostalgo_30_0) true) +(expandtypeattribute (capability_app_30_0) true) +(expandtypeattribute (cmddumper_30_0) true) +(expandtypeattribute (connsyslogger_30_0) true) +(expandtypeattribute (dm_agent_binder_service_30_0) true) +(expandtypeattribute (em_app_30_0) true) +(expandtypeattribute (emdlogger_30_0) true) +(expandtypeattribute (em_svr_30_0) true) +(expandtypeattribute (fpspolicy-server_service_30_0) true) +(expandtypeattribute (gas_srv_service_30_0) true) +(expandtypeattribute (GoogleOtaBinder_30_0) true) +(expandtypeattribute (kpoc_charger_30_0) true) +(expandtypeattribute (lbs_dbg_data_file_30_0) true) +(expandtypeattribute (loghidlsysservice_30_0) true) +(expandtypeattribute (mcupm_device_30_0) true) +(expandtypeattribute (mdi_redirector_30_0) true) +(expandtypeattribute (mdlogger_30_0) true) +(expandtypeattribute (mdmi_redirector_30_0) true) +(expandtypeattribute (met_log_d_30_0) true) +(expandtypeattribute (mobile_log_d_30_0) true) +(expandtypeattribute (modemdbfilter_client_30_0) true) +(expandtypeattribute (mtd_device_30_0) true) +(expandtypeattribute (mtk_advcamserver_30_0) true) +(expandtypeattribute (mtk_advcamserver_service_30_0) true) +(expandtypeattribute (mtk_anrmanager_service_30_0) true) +(expandtypeattribute (mtk_appdetection_service_30_0) true) +(expandtypeattribute (mtk_autoboot_service_30_0) true) +(expandtypeattribute (mtkbootanimation_30_0) true) +(expandtypeattribute (mtk_carrierexpress_service_30_0) true) +(expandtypeattribute (mtk_data_shaping_service_30_0) true) +(expandtypeattribute (mtk_duraspeed_service_30_0) true) +(expandtypeattribute (mtk_epdg_service_30_0) true) +(expandtypeattribute (mtk_fm_radio_service_30_0) true) +(expandtypeattribute 
(mtk_gwsd_service_30_0) true) +(expandtypeattribute (mtk_hdmi_service_30_0) true) +(expandtypeattribute (mtk_mobile_service_30_0) true) +(expandtypeattribute (mtk_msg_monitor_service_30_0) true) +(expandtypeattribute (mtk_omadm_service_30_0) true) +(expandtypeattribute (mtk_perf_service_30_0) true) +(expandtypeattribute (mtk_permrecords_service_30_0) true) +(expandtypeattribute (mtk_phonesubinfo_service_30_0) true) +(expandtypeattribute (mtk_power_hal_mgr_service_30_0) true) +(expandtypeattribute (mtk_radio_service_30_0) true) +(expandtypeattribute (mtk_registry_service_30_0) true) +(expandtypeattribute (mtk_rns_service_30_0) true) +(expandtypeattribute (mtk_search_engine_service_30_0) true) +(expandtypeattribute (mtk_simphonebook_service_30_0) true) +(expandtypeattribute (mtk_telecom_service_30_0) true) +(expandtypeattribute (mtk_vowbridge_service_30_0) true) +(expandtypeattribute (netdiag_30_0) true) +(expandtypeattribute (nvram_agent_service_30_0) true) +(expandtypeattribute (ota_agent_service_30_0) true) +(expandtypeattribute (ppl_agent_service_30_0) true) +(expandtypeattribute (sysfs_boot_info_30_0) true) +(expandtypeattribute (sysfs_headset_30_0) true) +(expandtypeattribute (sysfs_pmu_30_0) true) +(expandtypeattribute (sysfs_vbus_30_0) true) +(expandtypeattribute (system_mtk_ctl_emdlogger1_prop_30_0) true) +(expandtypeattribute (system_mtk_ctl_emdlogger2_prop_30_0) true) +(expandtypeattribute (system_mtk_ctl_emdlogger3_prop_30_0) true) +(expandtypeattribute (system_mtk_ctl_mdlogger_prop_30_0) true) +(expandtypeattribute (system_mtk_heavy_loading_prop_30_0) true) +(expandtypeattribute (system_mtk_init_svc_aee_aedv_prop_30_0) true) +(expandtypeattribute (system_mtk_init_svc_emdlogger1_prop_30_0) true) +(expandtypeattribute (system_mtk_init_svc_md_monitor_prop_30_0) true) +(expandtypeattribute (system_mtk_persist_mtk_aee_prop_30_0) true) +(expandtypeattribute (system_mtk_pkm_init_prop_30_0) true) +(expandtypeattribute (teeregistry_service_30_0) true) 
+(expandtypeattribute (tee_service_30_0) true) +(expandtypeattribute (terservice_30_0) true) +(expandtypeattribute (thermald_30_0) true) +(expandtypeattribute (usp_service_30_0) true) +(expandtypeattribute (vpuservice_service_30_0) true) +(expandtypeattribute (vtservice_30_0) true) +(expandtypeattribute (vtservice_hidl_service_30_0) true) +(expandtypeattribute (vtservice_service_30_0) true) +(typeattributeset aee_aed_30_0 (aee_aed)) +(typeattributeset aee_core_forwarder_30_0 (aee_core_forwarder)) +(typeattributeset apmsrv_app_30_0 (apmsrv_app)) +(typeattributeset atci_service_sys_30_0 (atci_service_sys)) +(typeattributeset boot_logo_updater_30_0 (boot_logo_updater)) +(typeattributeset camerapostalgo_30_0 (camerapostalgo)) +(typeattributeset capability_app_30_0 (capability_app)) +(typeattributeset cmddumper_30_0 (cmddumper)) +(typeattributeset connsyslogger_30_0 (connsyslogger)) +(typeattributeset dm_agent_binder_service_30_0 (dm_agent_binder_service)) +(typeattributeset em_app_30_0 (em_app)) +(typeattributeset emdlogger_30_0 (emdlogger)) +(typeattributeset em_svr_30_0 (em_svr)) +(typeattributeset fpspolicy-server_service_30_0 (fpspolicy-server_service)) +(typeattributeset gas_srv_service_30_0 (gas_srv_service)) +(typeattributeset GoogleOtaBinder_30_0 (GoogleOtaBinder)) +(typeattributeset kpoc_charger_30_0 (kpoc_charger)) +(typeattributeset lbs_dbg_data_file_30_0 (lbs_dbg_data_file)) +(typeattributeset loghidlsysservice_30_0 (loghidlsysservice)) +(typeattributeset mcupm_device_30_0 (mcupm_device)) +(typeattributeset mdi_redirector_30_0 (mdi_redirector)) +(typeattributeset mdlogger_30_0 (mdlogger)) +(typeattributeset mdmi_redirector_30_0 (mdmi_redirector)) +(typeattributeset met_log_d_30_0 (met_log_d)) +(typeattributeset mobile_log_d_30_0 (mobile_log_d)) +(typeattributeset modemdbfilter_client_30_0 (modemdbfilter_client)) +(typeattributeset mtd_device_30_0 (mtd_device)) +(typeattributeset mtk_advcamserver_30_0 (mtk_advcamserver)) +(typeattributeset 
mtk_advcamserver_service_30_0 (mtk_advcamserver_service)) +(typeattributeset mtk_anrmanager_service_30_0 (mtk_anrmanager_service)) +(typeattributeset mtk_appdetection_service_30_0 (mtk_appdetection_service)) +(typeattributeset mtk_autoboot_service_30_0 (mtk_autoboot_service)) +(typeattributeset mtkbootanimation_30_0 (mtkbootanimation)) +(typeattributeset mtk_carrierexpress_service_30_0 (mtk_carrierexpress_service)) +(typeattributeset mtk_data_shaping_service_30_0 (mtk_data_shaping_service)) +(typeattributeset mtk_duraspeed_service_30_0 (mtk_duraspeed_service)) +(typeattributeset mtk_epdg_service_30_0 (mtk_epdg_service)) +(typeattributeset mtk_fm_radio_service_30_0 (mtk_fm_radio_service)) +(typeattributeset mtk_gwsd_service_30_0 (mtk_gwsd_service)) +(typeattributeset mtk_hdmi_service_30_0 (mtk_hdmi_service)) +(typeattributeset mtk_mobile_service_30_0 (mtk_mobile_service)) +(typeattributeset mtk_msg_monitor_service_30_0 (mtk_msg_monitor_service)) +(typeattributeset mtk_omadm_service_30_0 (mtk_omadm_service)) +(typeattributeset mtk_perf_service_30_0 (mtk_perf_service)) +(typeattributeset mtk_permrecords_service_30_0 (mtk_permrecords_service)) +(typeattributeset mtk_phonesubinfo_service_30_0 (mtk_phonesubinfo_service)) +(typeattributeset mtk_power_hal_mgr_service_30_0 (mtk_power_hal_mgr_service)) +(typeattributeset mtk_radio_service_30_0 (mtk_radio_service)) +(typeattributeset mtk_registry_service_30_0 (mtk_registry_service)) +(typeattributeset mtk_rns_service_30_0 (mtk_rns_service)) +(typeattributeset mtk_search_engine_service_30_0 (mtk_search_engine_service)) +(typeattributeset mtk_simphonebook_service_30_0 (mtk_simphonebook_service)) +(typeattributeset mtk_telecom_service_30_0 (mtk_telecom_service)) +(typeattributeset mtk_vowbridge_service_30_0 (mtk_vowbridge_service)) +(typeattributeset netdiag_30_0 (netdiag)) +(typeattributeset nvram_agent_service_30_0 (nvram_agent_service)) +(typeattributeset ota_agent_service_30_0 (ota_agent_service)) +(typeattributeset 
ppl_agent_service_30_0 (ppl_agent_service)) +(typeattributeset sysfs_boot_info_30_0 (sysfs_boot_info)) +(typeattributeset sysfs_headset_30_0 (sysfs_headset)) +(typeattributeset sysfs_pmu_30_0 (sysfs_pmu)) +(typeattributeset sysfs_vbus_30_0 (sysfs_vbus)) +(typeattributeset system_mtk_ctl_emdlogger1_prop_30_0 (system_mtk_ctl_emdlogger1_prop)) +(typeattributeset system_mtk_ctl_emdlogger2_prop_30_0 (system_mtk_ctl_emdlogger2_prop)) +(typeattributeset system_mtk_ctl_emdlogger3_prop_30_0 (system_mtk_ctl_emdlogger3_prop)) +(typeattributeset system_mtk_ctl_mdlogger_prop_30_0 (system_mtk_ctl_mdlogger_prop)) +(typeattributeset system_mtk_heavy_loading_prop_30_0 (system_mtk_heavy_loading_prop)) +(typeattributeset system_mtk_init_svc_aee_aedv_prop_30_0 (system_mtk_init_svc_aee_aedv_prop)) +(typeattributeset system_mtk_init_svc_emdlogger1_prop_30_0 (system_mtk_init_svc_emdlogger1_prop)) +(typeattributeset system_mtk_init_svc_md_monitor_prop_30_0 (system_mtk_init_svc_md_monitor_prop)) +(typeattributeset system_mtk_persist_mtk_aee_prop_30_0 (system_mtk_persist_mtk_aee_prop)) +(typeattributeset system_mtk_pkm_init_prop_30_0 (system_mtk_pkm_init_prop)) +(typeattributeset teeregistry_service_30_0 (teeregistry_service)) +(typeattributeset tee_service_30_0 (tee_service)) +(typeattributeset terservice_30_0 (terservice)) +(typeattributeset thermald_30_0 (thermald)) +(typeattributeset usp_service_30_0 (usp_service)) +(typeattributeset vpuservice_service_30_0 (vpuservice_service)) +(typeattributeset vtservice_30_0 (vtservice)) +(typeattributeset vtservice_hidl_service_30_0 (vtservice_hidl_service)) +(typeattributeset vtservice_service_30_0 (vtservice_service)) diff --git a/basic/plat_private/compat/30.0/31.0.compat.cil b/basic/plat_private/compat/30.0/31.0.compat.cil new file mode 100644 index 0000000..628abfc --- /dev/null +++ b/basic/plat_private/compat/30.0/31.0.compat.cil @@ -0,0 +1 @@ +;; This file can't be empty. 
diff --git a/basic/plat_private/compat/30.0/31.0.ignore.cil b/basic/plat_private/compat/30.0/31.0.ignore.cil
new file mode 100644
index 0000000..5bc85a7
--- /dev/null
+++ b/basic/plat_private/compat/30.0/31.0.ignore.cil
@@ -0,0 +1,8 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(type new_objects)
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( new_objects
+ ))
diff --git a/basic/plat_private/coredomain.te b/basic/plat_private/coredomain.te
new file mode 100644
index 0000000..88216ff
--- /dev/null
+++ b/basic/plat_private/coredomain.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Operation : DEBUG
+# Purpose : Allow to get system_mtk_audio_prop
+get_prop(coredomain, system_mtk_audio_prop)
diff --git a/basic/plat_private/crash_dump.te b/basic/plat_private/crash_dump.te
new file mode 100644
index 0000000..c976e33
--- /dev/null
+++ b/basic/plat_private/crash_dump.te
@@ -0,0 +1,97 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute crash_dump mlstrustedsubject;
+
+# /porc/pid/
+allow crash_dump appdomain:dir r_dir_perms;
+allow crash_dump coredomain:dir r_dir_perms;
+
+# AED start: /dev/block/expdb
+allow crash_dump block_device:dir search;
+
+#data/anr
+allow crash_dump anr_data_file:dir create_dir_perms;
+allow crash_dump anr_data_file:file create_file_perms;
+
+allow crash_dump domain:process { getattr getsched };
+
+#core-pattern
+allow crash_dump usermodehelper:file r_file_perms;
+
+#allow crash_dump call binaries labeled "system_file" under /system/bin/
+allow crash_dump system_file:file x_file_perms;
+
+allow crash_dump init:process getsched;
+allow crash_dump kernel:process getsched;
+
+# Date: W15.34
+# Operation: Migration
+# Purpose: For pagemap & pageflags information in NE DB
+userdebug_or_eng(`allow crash_dump self:capability sys_admin;')
+
+# Purpose: allow crash_dump to access toolbox
+allow crash_dump toolbox_exec:file rx_file_perms;
+
+# Purpose: mnt/user/*
+allow crash_dump mnt_user_file:dir search;
+allow crash_dump mnt_user_file:lnk_file r_file_perms;
+
+allow crash_dump storage_file:dir search;
+allow crash_dump storage_file:lnk_file r_file_perms;
+
+userdebug_or_eng(`
+ allow crash_dump su:dir r_dir_perms;
+ allow crash_dump su:file r_file_perms;
+')
+
+# /data/tombstone
+allow crash_dump tombstone_data_file:dir w_dir_perms;
+allow crash_dump tombstone_data_file:file create_file_perms;
+
+# /proc/pid/
+allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };
+
+# PROCESS_FILE_STATE
+allow crash_dump dumpstate:unix_stream_socket rw_socket_perms;
+allow crash_dump dumpstate:dir search;
+allow crash_dump dumpstate:file r_file_perms;
+
+allow crash_dump logdr_socket:sock_file w_file_perms;
+allow crash_dump logd:unix_stream_socket connectto;
+
+# vibrator
+allow crash_dump sysfs_vibrator:file w_file_perms;
+
+# Data : 2017/03/22
+# Operation : add NE flow rule for Android O
+# Purpose : make crash_dump can get specific process NE info
+allow crash_dump domain:dir r_dir_perms;
+allow crash_dump domain:{ file lnk_file } r_file_perms;
+
+allow crash_dump dalvikcache_data_file:dir r_dir_perms;
+
+# Data : 2017/04/06
+# Operation : add selinux rule for crash_dump notify crash_dump
+# Purpose : make crash_dump can get notify from crash_dump
+allow crash_dump crash_dump:dir search;
+allow crash_dump crash_dump:file r_file_perms;
+
+# Purpose : allow crash_dump to read /proc/version
+allow crash_dump proc_version:file r_file_perms;
+
+# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
+userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file rw_file_perms;')
+
+# Purpose: receive dropbox message
+allow crash_dump dropbox_data_file:file { getattr read };
+allow crash_dump dropbox_service:service_manager find;
+allow crash_dump servicemanager:binder call;
+allow crash_dump system_server:binder call;
+
+# Purpose: allow crash_dump to read packages.list
+allow crash_dump packages_list_file:file r_file_perms;
+
+# Purpose: Allow crash_dump to read /proc/*/exe
+allow crash_dump system_file_type:file r_file_perms;
diff --git a/basic/plat_private/device.te b/basic/plat_private/device.te
new file mode 100644
index 0000000..8f703f5
--- /dev/null
+++ b/basic/plat_private/device.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type tll_device, dev_type;
+type mcupm_device, dev_type;
diff --git a/basic/plat_private/domain.te b/basic/plat_private/domain.te
new file mode 100644
index 0000000..6d0e3ec
--- /dev/null
+++ b/basic/plat_private/domain.te
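Review bot: In crash_dump.te, `allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };` is unconditional, and its only comment, `# /proc/pid/`, does not explain why a crash collector needs `sys_module`, `net_admin`, `setuid` or `setgid`. The domain is also `mlstrustedsubject` and can read `domain:{ file lnk_file }` and `system_file_type:file`, so it already has a view of every process. Each capability should therefore be tied to a specific denial, and the rest removed or moved inside the `userdebug_or_eng` macro this file already uses for `sys_admin`. The `# /porc/pid/` comment near the top is a typo for `/proc/pid/`.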
@@ -0,0 +1,3 @@
+allow domain system_mtk_pmb_file:dir r_dir_perms;
+allow domain system_mtk_pmb_file:lnk_file { getattr read };
+allow { appdomain coredomain } system_mtk_pmb_file:file { execute read open getattr map };
diff --git a/basic/plat_private/drmserver.te b/basic/plat_private/drmserver.te
new file mode 100644
index 0000000..74bf06e
--- /dev/null
+++ b/basic/plat_private/drmserver.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow drmserver access_sys_file:file r_file_perms;
diff --git a/basic/plat_private/dumpstate.te b/basic/plat_private/dumpstate.te
new file mode 100644
index 0000000..c882261
--- /dev/null
+++ b/basic/plat_private/dumpstate.te
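Review bot: The domain.te hunk has no comments, and `allow { appdomain coredomain } system_mtk_pmb_file:file { execute read open getattr map };` grants execute on a label that the file_contexts hunk in this patch assigns to `/system/framework/framework-res.apk`. The only explanation is in file.te ("support system server domain do ioctl"), yet this rule grants no ioctl and covers every app and core domain rather than system_server. Please add a purpose comment and narrow both the source set and the permission list to what the feature needs. Because the type is also declared `mlstrustedobject`, moving framework-res.apk off its stock label deserves a sentence of justification of its own.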
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose: access for SYS_MEMORY_INFO
+allow dumpstate fuse:dir w_dir_perms;
+allow dumpstate fuse:file create_file_perms;
+
+# Purpose: mnt/user/*
+allow dumpstate mnt_user_file:dir search;
+allow dumpstate mnt_user_file:lnk_file r_file_perms;
+
+# Purpose: /storage/*
+allow dumpstate storage_file:lnk_file r_file_perms;
+
+# Purpose: timer_intval. this is neverallow
+allow dumpstate kmsg_device:chr_file r_file_perms;
+
+# Data : WK17.03
+# Purpose: Allow to access gpu
+allow dumpstate gpu_device:dir search;
+
+# Date: 2017/07/11
+# Purpose: 01-01 08:30:57.474 286 286 E SELinux : avc: denied { find } for interface=
+# android.hardware.camera.provider::ICameraProvider pid=3133 scontext=u:r:dumpstate:s0 tcontext=
+# u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
+hal_client_domain(dumpstate, hal_camera)
+
+#Purpose: Allow dumpstate to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
+userdebug_or_eng(`allow dumpstate debugfs_tracing_debug:file rw_file_perms;')
+
+# Purpose: Allow dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
+allow dumpstate sysfs_vibrator:file w_file_perms;
+
+# Purpose : Allow dumpstate self to sys_nice sys_admin
+allow dumpstate self:capability { sys_nice sys_admin };
diff --git a/basic/plat_private/em_svr.te b/basic/plat_private/em_svr.te
new file mode 100644
index 0000000..67c1025
--- /dev/null
+++ b/basic/plat_private/em_svr.te
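Review bot: `allow dumpstate self:capability { sys_nice sys_admin };` at the end of dumpstate.te grants `sys_admin` on every build, and its comment only restates the rule. `sys_admin` is one of the broadest capabilities, so the comment should name the operation that needs it, and the grant should sit inside the `userdebug_or_eng` macro, as the `debugfs_tracing_debug` rule a few lines earlier does, unless user builds depend on it. The comment `# Purpose: timer_intval. this is neverallow` above the `kmsg_device` read rule suggests the author knew the rule conflicts with a platform neverallow. If that is the case, the rule should be dropped, or the comment should explain why it is still acceptable.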
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type em_svr_exec, system_file_type, exec_type, file_type;
+typeattribute em_svr coredomain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+init_daemon_domain(em_svr)
+
+# Date: WK1812
+# Purpose: add for MD log filter
+allow em_svr block_device:dir search;
+allow em_svr sdcardfs:dir w_dir_perms;
+allow em_svr sdcardfs:file create_file_perms;
+
+allow em_svr media_rw_data_file:dir rw_dir_perms;
+allow em_svr media_rw_data_file:file create_file_perms;
+
+# Date: WK1812
+# Purpose: add for controlling screen on/off
+allow em_svr graphics_device:dir search;
+allow em_svr graphics_device:chr_file rw_file_perms;
+allow em_svr surfaceflinger_service:service_manager find;
+binder_use(em_svr)
+binder_call(em_svr, surfaceflinger)
+
+# Date: WK1812
+# Purpose: add for sensor calibration
+allow em_svr self:capability { chown fsetid };
+
+# Date: WK1812
+# Purpose: add for shell cmd
+allow em_svr shell_exec:file rx_file_perms;
+
+# Date: WK1812
+# Purpose: sys file access
+allow em_svr sysfs:dir r_dir_perms;
diff --git a/basic/plat_private/file.te b/basic/plat_private/file.te
new file mode 100644
index 0000000..4502ebb
--- /dev/null
+++ b/basic/plat_private/file.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+type proc_ccci_lp_mem, fs_type, proc_type;
+type proc_dynamic_debug_control, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+type sysfs_mcupm, fs_type, sysfs_type;
+
+# For drmserver
+# Date: WK1812
+# Operation : Migration
+# Purpose : For drmserver
+type access_sys_file, fs_type, sysfs_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+# For modem db filter HIDL client
+# Date: WK1924
+# Operation : Save modem db and filter into data partition
+# Purpose : For Modem db and filter file
+type mddb_filter_data_file, file_type, data_file_type, core_data_file_type;
+
+type debuglog_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+#support system server domain do ioctl
+type system_mtk_pmb_file, system_file_type, file_type, mlstrustedobject;
diff --git a/basic/plat_private/file_contexts b/basic/plat_private/file_contexts
new file mode 100644
index 0000000..0f6ebc0
--- /dev/null
+++ b/basic/plat_private/file_contexts
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+/data/system_de/mdfilter(/.*)? u:object_r:mddb_filter_data_file:s0
+/data/debuglogger(/.*)? u:object_r:debuglog_data_file:s0
+/data/ramdump(/.*)? u:object_r:debuglog_data_file:s0
+
+##########################
+# System files
+#
+/system/bin/cmddumper u:object_r:cmddumper_exec:s0
+/system/bin/em_svr u:object_r:em_svr_exec:s0
+/system/bin/lbs_dbg u:object_r:lbs_dbg_exec:s0
+
+# wifi standalone log
+/data/log_wifi_temp(/.*)? u:object_r:logtemp_data_file:s0
+
+# storagemanager daemon
+# it is used to mount all storages in meta/factory mode
+/system/bin/storagemanagerd u:object_r:vold_exec:s0
+
+# MTK Bootanim
+/system/bin/mtkbootanimation u:object_r:mtkbootanimation_exec:s0
+/system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
+
+# Date: 2020/08/17
+# Operation: R migration
+# Purpose: Add permission for pl path utilities for OTA
+/system/bin/mtk_plpath_utils u:object_r:mtk_plpath_utils_exec:s0
+
+# mediaserver 64 bit support
+/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
+/system/bin/mediahelper u:object_r:mediahelper_exec:s0
+
+# drmserver 64 bit support
+/system/bin/drmserver64 u:object_r:drmserver_exec:s0
+
+##########################
+# SystemExt files
+#
+##########################
+# Devices
+#
+/dev/ubi_ctrl u:object_r:mtd_device:s0
+/dev/ubi[_0-9]* u:object_r:mtd_device:s0
+/dev/block/mtd(.*)? u:object_r:mtd_device:s0
+/dev/block/mntlblk(.*)? u:object_r:mtd_device:s0
+/dev/mcupm(/.*)? u:object_r:mcupm_device:s0
+
+# support system server domain do ioctl with framework-res
+/system/framework/framework-res.apk u:object_r:system_mtk_pmb_file:s0
diff --git a/basic/plat_private/genfs_contexts b/basic/plat_private/genfs_contexts
new file mode 100644
index 0000000..5561e3c
--- /dev/null
+++ b/basic/plat_private/genfs_contexts
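Review bot: `/system/bin/storagemanagerd u:object_r:vold_exec:s0` in file_contexts labels a second binary with vold's entry-point type, so wherever the usual init transition applies it will run with vold's entire domain. The comment says it is used only in meta/factory mode, so an exec type and domain of its own, holding just the mount-related rules it needs, would be the safer design. Separately, `/data/ramdump(/.*)?` shares `debuglog_data_file` with `/data/debuglogger(/.*)?`, which means every domain granted log access in this patch (adbd, bluetooth, cmddumper) also reaches RAM dumps. A distinct type for the ramdump directory would let the two be granted independently.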
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# proc files
+#
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc /ccci_lp_mem u:object_r:proc_ccci_lp_mem:s0
+
+# Date : WK21.02
+# Purpose : write proc/dynamic_debug/control
+genfscon proc /dynamic_debug/control u:object_r:proc_dynamic_debug_control:s0
+
+##########################
+# sysfs files
+#
+# sysfs labels can be set by userspace.
+genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+genfscon sysfs /devices/virtual/misc/mcupm u:object_r:sysfs_mcupm:s0
+
+# Date : 2020/04/17
+# Purpose : mtk Audio headset detect
+genfscon sysfs /bus/platform/drivers/Accdet_Driver/state u:object_r:sysfs_headset:s0
+genfscon sysfs /bus/platform/drivers/pmic-codec-accdet/state u:object_r:sysfs_headset:s0
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : vbus voltage
+genfscon sysfs /devices/platform/charger/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
+
diff --git a/basic/plat_private/init.te b/basic/plat_private/init.te
new file mode 100644
index 0000000..fb88f18
--- /dev/null
+++ b/basic/plat_private/init.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# insmod LKM under /odm or /vendor
+allow init self:capability sys_module;
+allow init system_file:system module_load;
+
+# boot process denial clean up
+allow init debugfs_tracing:dir w_dir_perms;
+allow init debugfs_tracing:file w_file_perms;
+allow init sysfs_devices_system_cpu:file relabelfrom;
+
+domain_auto_trans(init, mtk_plpath_utils_exec, update_engine)
+
+#allow write for mobile_log_d.rc
+allow init proc_dynamic_debug_control:file w_file_perms;
diff --git a/basic/plat_private/lbs_dbg.te b/basic/plat_private/lbs_dbg.te
new file mode 100644
index 0000000..18cc51e
--- /dev/null
+++ b/basic/plat_private/lbs_dbg.te
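Review bot: The comment `# insmod LKM under /odm or /vendor` does not match the rule under it, `allow init system_file:system module_load;`, which permits loading modules from files labelled `system_file` rather than from vendor or odm files. Either the comment or the target type is wrong; if vendor modules are the intent, the rule should name the label those modules carry and the comment should say which partition is meant. Also worth a comment is `domain_auto_trans(init, mtk_plpath_utils_exec, update_engine)`: it runs the MTK helper inside the `update_engine` domain, so the helper inherits that domain's access rather than a set scoped to its own job.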
@@ -0,0 +1,48 @@
+# ==============================================
+# Policy File of /system/bin/lbs_dbg Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type lbs_dbg, domain;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type lbs_dbg_exec, system_file_type, exec_type, file_type;
+typeattribute lbs_dbg coredomain;
+
+init_daemon_domain(lbs_dbg)
+
+#============= lbs_dbg ==============
+allow lbs_dbg storage_file:dir { create_dir_perms mounton };
+allow lbs_dbg storage_file:lnk_file r_file_perms;
+
+allow lbs_dbg debuglog_data_file:lnk_file r_file_perms;
+
+allow lbs_dbg mnt_user_file:dir search;
+allow lbs_dbg fuse:dir create_dir_perms;
+allow lbs_dbg fuse:file create_file_perms;
+allow lbs_dbg sdcard_type:filesystem unmount;
+allow lbs_dbg tmpfs:filesystem unmount;
+allow lbs_dbg sysfs:dir r_dir_perms;
+allow lbs_dbg sysfs_leds:dir search;
+allow lbs_dbg sysfs_leds:lnk_file r_file_perms;
+allow lbs_dbg sysfs_vibrator:file rw_file_perms;
+
+allow lbs_dbg sdcard_type:dir r_dir_perms;
+allow lbs_dbg self:netlink_route_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+
+allow lbs_dbg self:tcp_socket create_stream_socket_perms;
+allow lbs_dbg self:udp_socket create_socket_perms;
+
+hal_client_domain(lbs_dbg, hal_mtk_lbs)
+
+allow lbs_dbg vfat:dir create_dir_perms;
+allow lbs_dbg vfat:file create_file_perms;
+allow lbs_dbg debuglog_data_file:dir create_dir_perms;
+allow lbs_dbg debuglog_data_file:file create_file_perms;
+allow lbs_dbg sdcardfs:dir create_dir_perms;
+allow lbs_dbg sdcardfs:file create_file_perms;
+allow lbs_dbg media_rw_data_file:dir create_dir_perms;
+allow lbs_dbg media_rw_data_file:file create_file_perms;
diff --git a/basic/plat_private/mediahelper.te b/basic/plat_private/mediahelper.te
new file mode 100755
index 0000000..dae1755
--- /dev/null
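Review bot: None of the `lbs_dbg` rules carries a rationale, and several look broader than a log writer needs: `storage_file:dir { create_dir_perms mounton }`, `sdcard_type:filesystem unmount`, `tmpfs:filesystem unmount`, and `nlmsg_write` on `netlink_route_socket`. The domain is also set up unconditionally with `init_daemon_domain(lbs_dbg)`. If it is a debug-only daemon, as the name suggests, the allow rules could sit inside `userdebug_or_eng(` ... `)` so user builds do not carry them. At minimum each group should get a `# Purpose :` line like the other files in this patch, and the mount-related and `nlmsg_write` grants should go if nothing depends on them.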
+++ b/basic/plat_private/mediahelper.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mediahelper_exec, system_file_type, exec_type, file_type;
+typeattribute mediahelper coredomain;
+init_daemon_domain(mediahelper)
+domain_auto_trans(mediahelper, mediaserver_exec, mediaserver)
+
diff --git a/basic/plat_private/mediaserver.te b/basic/plat_private/mediaserver.te
new file mode 100755
index 0000000..03e46f7
--- /dev/null
+++ b/basic/plat_private/mediaserver.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.31
+# Operation : 64-bit support
+# Purpose : Allow mediahelper exec mediaserver
+allow mediaserver mediahelper:fd use;
diff --git a/basic/plat_private/mediatranscoding.te b/basic/plat_private/mediatranscoding.te
new file mode 100644
index 0000000..5e68264
--- /dev/null
+++ b/basic/plat_private/mediatranscoding.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK21.31
+# Operation : Migration
+# Purpose : Allow mediatranscoding service to access the GPU
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
diff --git a/basic/plat_private/met_log_d.te b/basic/plat_private/met_log_d.te
new file mode 100644
index 0000000..7c02140
--- /dev/null
+++ b/basic/plat_private/met_log_d.te
@@ -0,0 +1 @@
+type met_log_d, domain;
diff --git a/basic/plat_private/mmp.te b/basic/plat_private/mmp.te
new file mode 100644
index 0000000..7d37656
--- /dev/null
+++ b/basic/plat_private/mmp.te
@@ -0,0 +1 @@
+type mmp, domain;
diff --git a/basic/plat_private/mtk_plpath_utils.te b/basic/plat_private/mtk_plpath_utils.te
new file mode 100644
index 0000000..7b3071b
--- /dev/null
+++ b/basic/plat_private/mtk_plpath_utils.te
@@ -0,0 +1,4 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_plpath_utils_exec, system_file_type, exec_type, file_type;
diff --git a/basic/plat_private/mtkbootanimation.te b/basic/plat_private/mtkbootanimation.te
new file mode 100644
index 0000000..1f978eb
--- /dev/null
+++ b/basic/plat_private/mtkbootanimation.te
@@ -0,0 +1,77 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mtkbootanimation coredomain;
+
+type mtkbootanimation_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mtkbootanimation)
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(mtkbootanimation, system_mtk_bootani_prop)
+
+hal_client_domain(mtkbootanimation, hal_configstore)
+hal_client_domain(mtkbootanimation, hal_graphics_allocator)
+hal_client_domain(mtkbootanimation, hal_graphics_composer)
+binder_use(mtkbootanimation)
+binder_call(mtkbootanimation, surfaceflinger)
+binder_call(mtkbootanimation, audioserver)
+
+allow mtkbootanimation gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow mtkbootanimation oemfs:dir search;
+allow mtkbootanimation oemfs:file r_file_perms;
+
+allow mtkbootanimation audio_device:dir r_dir_perms;
+allow mtkbootanimation audio_device:chr_file rw_file_perms;
+
+allow mtkbootanimation surfaceflinger_service:service_manager find;
+
+# Allow access to ion memory allocation device
+allow mtkbootanimation ion_device:chr_file rw_file_perms;
+allow mtkbootanimation hal_graphics_allocator:fd use;
+
+# Fences
+allow mtkbootanimation hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow mtkbootanimation proc_meminfo:file r_file_perms;
+r_dir_file(mtkbootanimation, cgroup)
+
+# System file accesses.
+allow mtkbootanimation system_file:dir r_dir_perms;
+
+# Date : WK14.32
+# Operation : Migration
+# Purpose : for playing boot tone
+binder_call(mtkbootanimation, mediaserver)
+allow mtkbootanimation mediaserver_service:service_manager find;
+
+# Purpose : for playing bootanimation audio
+allow mtkbootanimation audioserver_service:service_manager find;
+
+# Date : WK14.37
+# Operation : Migration
+# Purpose : for opetator
+set_prop(mtkbootanimation, debug_prop)
+
+# Date : WK14.46
+# Operation : Migration
+# /data/resource-cache
+allow mtkbootanimation resourcecache_data_file:dir search;
+allow mtkbootanimation resourcecache_data_file:file r_file_perms;
+
+# Data : WK16.42
+# Operator: Whitney bring up
+# Purpose: call surfaceflinger due to powervr
+allow mtkbootanimation surfaceflinger:fifo_file rw_file_perms;
+
+# Date : W16.42
+# Operation : Integration
+# Purpose : DRM / DRI GPU driver required
+allow mtkbootanimation gpu_device:dir search;
+
diff --git a/basic/plat_private/platform_app.te b/basic/plat_private/platform_app.te
new file mode 100644
index 0000000..7cc6942
--- /dev/null
+++ b/basic/plat_private/platform_app.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2021/06/02
+# Operation : S Migration
+# Purpose : access soundtrigger_middleware_service
+# Package : com.mediatek.voicecommand
+allow platform_app soundtrigger_middleware_service:service_manager find;
diff --git a/basic/plat_private/ppp.te b/basic/plat_private/ppp.te
new file mode 100644
index 0000000..b35cf77
--- /dev/null
+++ b/basic/plat_private/ppp.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.53
+# Operation : check in
+# Purpose: for warning kernel API
+allow ppp mtp:file r_file_perms;
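Review bot: `set_prop(mtkbootanimation, debug_prop)` lets the boot animation write every property labelled `debug_prop`, and its only rationale is `# Purpose : for opetator`, which does not say which property is set. The same grant appears as `set_prop(surfaceflinger, debug_prop)` in surfaceflinger.te. If only one or two keys are needed, a dedicated type declared in property.te and mapped in property_contexts would be narrower, as this patch already does with `system_mtk_bootani_prop`. Either way the comment should name the property.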
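Review bot: `allow ppp mtp:file r_file_perms;` targets `mtp` with class `file`; if `mtp` is a domain type, as it is in AOSP, this grants ppp read access to that process's /proc entries. The comment `# Purpose: for warning kernel API` does not explain why ppp needs that. If the rule only exists to silence a denial, `dontaudit ppp mtp:file r_file_perms;` removes the log line without granting access. Otherwise the comment should quote the denial it resolves, as tombstoned.te in this patch does.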
diff --git a/basic/plat_private/property.te b/basic/plat_private/property.te
new file mode 100644
index 0000000..91d18e6
--- /dev/null
+++ b/basic/plat_private/property.te
@@ -0,0 +1,65 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /system
+system_internal_prop(system_mtk_audio_prop)
+system_internal_prop(system_mtk_bgdata_disabled_prop)
+system_internal_prop(system_mtk_bootani_prop)
+system_internal_prop(system_mtk_connsysfw_prop)
+system_internal_prop(system_mtk_debug_bq_dump_prop)
+system_internal_prop(system_mtk_debug_mdlogger_prop)
+system_internal_prop(system_mtk_debug_mtklog_prop)
+system_internal_prop(system_mtk_debug_netlog_prop)
+system_internal_prop(system_mtk_gprs_attach_type_prop)
+system_internal_prop(system_mtk_mdl_prop)
+system_internal_prop(system_mtk_mdl_pulllog_prop)
+system_internal_prop(system_mtk_mdl_start_prop)
+system_internal_prop(system_mtk_mobile_log_post_prop)
+system_internal_prop(system_mtk_mobile_log_prop)
+system_internal_prop(system_mtk_persist_mdlog_prop)
+system_internal_prop(system_mtk_persist_mtklog_prop)
+system_internal_prop(system_mtk_persist_xcap_rawurl_prop)
+system_internal_prop(system_mtk_power_off_md_prop)
+system_internal_prop(system_mtk_sim_system_prop)
+system_internal_prop(system_mtk_vendor_bluetooth_prop)
+system_internal_prop(system_mtk_wifisa_log_prop)
+system_internal_prop(system_mtk_rcs_single_reg_support_prop)
+system_internal_prop(system_mtk_sf_debug_prop)
+system_internal_prop(system_mtk_pco_prop)
+
+# Properties which can't be written outside system
+system_restricted_prop(system_mtk_amslog_prop)
+
+# Properties with can't be accessed by device-sepcific domains
+typeattribute system_mtk_amslog_prop extended_core_property_type;
+typeattribute system_mtk_audio_prop extended_core_property_type;
+typeattribute system_mtk_bgdata_disabled_prop extended_core_property_type;
+typeattribute system_mtk_bootani_prop extended_core_property_type;
+typeattribute system_mtk_connsysfw_prop extended_core_property_type;
+typeattribute system_mtk_debug_bq_dump_prop extended_core_property_type;
+typeattribute system_mtk_debug_mdlogger_prop extended_core_property_type;
+typeattribute system_mtk_debug_mtklog_prop extended_core_property_type;
+typeattribute system_mtk_debug_netlog_prop extended_core_property_type;
+typeattribute system_mtk_gprs_attach_type_prop extended_core_property_type;
+typeattribute system_mtk_mdl_prop extended_core_property_type;
+typeattribute system_mtk_mdl_pulllog_prop extended_core_property_type;
+typeattribute system_mtk_mdl_start_prop extended_core_property_type;
+typeattribute system_mtk_mobile_log_prop extended_core_property_type;
+typeattribute system_mtk_persist_mdlog_prop extended_core_property_type;
+typeattribute system_mtk_persist_mtklog_prop extended_core_property_type;
+typeattribute system_mtk_persist_xcap_rawurl_prop extended_core_property_type;
+typeattribute system_mtk_power_off_md_prop extended_core_property_type;
+typeattribute system_mtk_sim_system_prop extended_core_property_type;
+typeattribute system_mtk_vendor_bluetooth_prop extended_core_property_type;
+typeattribute system_mtk_rcs_single_reg_support_prop extended_core_property_type;
+typeattribute system_mtk_sf_debug_prop extended_core_property_type;
+typeattribute system_mtk_pco_prop extended_core_property_type;
diff --git a/basic/plat_private/property_contexts b/basic/plat_private/property_contexts
new file mode 100644
index 0000000..7340287
--- /dev/null
+++ b/basic/plat_private/property_contexts
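Review bot: `system_mtk_mobile_log_post_prop` and `system_mtk_wifisa_log_prop` are declared with `system_internal_prop(...)` but have no matching line in the `extended_core_property_type` list at the end of the hunk, while the other 22 internal types and `system_mtk_amslog_prop` do. If that attribute is what the device-specific neverallow rules key on, as the list's comment suggests, these two are not covered. Add `typeattribute system_mtk_mobile_log_post_prop extended_core_property_type;` and `typeattribute system_mtk_wifisa_log_prop extended_core_property_type;`, or note in a comment why they are left out.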
@@ -0,0 +1,80 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ro.audio.usb.period_us u:object_r:exported_default_prop:s0 exact int
+
+persist.adb.nonblocking_ffs u:object_r:exported_default_prop:s0 exact int
+
+vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
+vendor.MB.logpost. u:object_r:system_mtk_mobile_log_post_prop:s0
+persist.vendor.MB.logpost u:object_r:system_mtk_mobile_log_post_prop:s0
+
+vendor.mtklog u:object_r:system_mtk_debug_mtklog_prop:s0
+persist.vendor.mtklog u:object_r:system_mtk_persist_mtklog_prop:s0
+vendor.netlog u:object_r:system_mtk_debug_netlog_prop:s0
+
+vendor.mdlogger u:object_r:system_mtk_debug_mdlogger_prop:s0
+vendor.mdl u:object_r:system_mtk_mdl_prop:s0
+vendor.starting.mode u:object_r:system_mtk_mdl_start_prop:s0
+persist.vendor.mdl u:object_r:system_mtk_persist_mdlog_prop:s0
+vendor.pullmdlog u:object_r:system_mtk_mdl_pulllog_prop:s0
+
+vendor.debug.bq.dump u:object_r:system_mtk_debug_bq_dump_prop:s0
+
+persist.vendor.bootanim. u:object_r:system_mtk_bootani_prop:s0
+
+# mobile log property
+vendor.MB. u:object_r:system_mtk_mobile_log_prop:s0
+
+persist.vendor.radio.bgdata.disabled u:object_r:system_mtk_bgdata_disabled_prop:s0
+
+persist.vendor.radio.gprs.attach.type u:object_r:system_mtk_gprs_attach_type_prop:s0
+
+persist.vendor.mtk_rcs_single_reg_support u:object_r:system_mtk_rcs_single_reg_support_prop:s0
+
+persist.vendor.pco5.radio.ctrl u:object_r:system_mtk_pco_prop:s0
+
+vendor.ril.test.poweroffmd u:object_r:system_mtk_power_off_md_prop:s0
+vendor.ril.testmode u:object_r:system_mtk_power_off_md_prop:s0
+
+# sim config property
+vendor.gsm.sim.operator.default-name u:object_r:system_mtk_sim_system_prop:s0
+
+vendor.connsysfw u:object_r:system_mtk_connsysfw_prop:s0
+
+vendor.bthcisnoop u:object_r:system_mtk_vendor_bluetooth_prop:s0
+
+# xcap rawurl config
+persist.vendor.mtk.xcap.rawurl u:object_r:system_mtk_persist_xcap_rawurl_prop:s0
+
+ctl.mdlogger u:object_r:system_mtk_ctl_mdlogger_prop:s0
+ctl.emdlogger1 u:object_r:system_mtk_ctl_emdlogger1_prop:s0
+ctl.emdlogger2 u:object_r:system_mtk_ctl_emdlogger2_prop:s0
+ctl.emdlogger3 u:object_r:system_mtk_ctl_emdlogger3_prop:s0
+
+init.svc.emdlogger1 u:object_r:system_mtk_init_svc_emdlogger1_prop:s0
+
+#=============mtk wifi driver log property====================
+persist.vendor.wlan.standalone.log u:object_r:system_mtk_wifisa_log_prop:s0
+
+# mtk audio log and dump property
+vendor.af.mixer.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.track.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.offload.write.raw u:object_r:system_mtk_audio_prop:s0
+vendor.af.resampler.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.mixer.end.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.record.dump.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.effect.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.mixer.drc.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.dumplog u:object_r:system_mtk_audio_prop:s0
+vendor.aaudio.pcm u:object_r:system_mtk_audio_prop:s0
+vendor.af.audioflinger.log u:object_r:system_mtk_audio_prop:s0
+vendor.af.track.log u:object_r:system_mtk_audio_prop:s0
+vendor.af.policy.debug u:object_r:system_mtk_audio_prop:s0
+vendor.af.audioserver.restart u:object_r:system_mtk_audio_prop:s0
+
+# mtk display driver log property
+vendor.debug.sf.log_repaint u:object_r:system_mtk_sf_debug_prop:s0
+vendor.debug.sf.log_transaction u:object_r:system_mtk_sf_debug_prop:s0
+vendor.debug.sf.restart u:object_r:system_mtk_sf_debug_prop:s0
diff --git a/basic/plat_private/radio.te b/basic/plat_private/radio.te
new file mode 100644
index 0000000..d285c19
--- /dev/null
+++ b/basic/plat_private/radio.te
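Review bot: Apart from the first two entries, no line in this file carries `exact` and a value type, so each one is a prefix match. `vendor.mdl`, `vendor.mtklog`, `vendor.netlog` and `vendor.ril.testmode` therefore also label any longer property name that starts with the same string, unless a longer entry wins. Where a single property is meant, the entry should end in `exact <type>` as `ro.audio.usb.period_us` does; where a family is meant, a trailing dot as in `persist.vendor.bootanim.` makes the prefix explicit. The `system_mtk_ctl_*` and `system_mtk_init_svc_emdlogger1_prop` types used here are not declared in the property.te hunk of this patch, so their declaration elsewhere should be confirmed.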
@@ -0,0 +1,38 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow radio proc_ccci_lp_mem:file r_file_perms;
+
+#Data : 2021/08/11
+# Operattion : DEBUG
+# Purpose : Allow process at radio domain get mediametrics_service from service_manager
+allow radio mediametrics_service:service_manager find;
+
+# Date : 2018/07/03
+# Purpose : Allow sim system to set prop
+set_prop(radio, system_mtk_sim_system_prop)
+
+# Operation : DEBUG
+# Purpose : Allow to use system_mtk_bgdata_disabled_prop
+set_prop(radio, system_mtk_bgdata_disabled_prop)
+
+# Date : 2018/07/03
+# Operation : DEBUG
+# Purpose : Allow to use system_mtk_gprs_attach_type_prop
+set_prop(radio, system_mtk_gprs_attach_type_prop)
+
+#Date : 2018/11/02
+# Operation : Allow radio set system_mtk_persist_xcap_rawurl_prop
+# Purpose : for set telephony xcap use raw url property in IMS SS
+set_prop(radio, system_mtk_persist_xcap_rawurl_prop)
+
+#Date : 2021/09/06
+# Operation : Allow radio set system_mtk_rcs_single_reg_support_prop
+# Purpose : To use SIngle Registration property which will enable Google UCE flow in IMS and Presence
+set_prop(radio, system_mtk_rcs_single_reg_support_prop)
+
+#Date : 2021/11/10
+# Operation : Allow radio set for pco_property
+# Purpose : which will run pco flow
+set_prop(radio, system_mtk_pco_prop)
diff --git a/basic/plat_private/recovery.te b/basic/plat_private/recovery.te
new file mode 100644
index 0000000..1518dd4
--- /dev/null
+++ b/basic/plat_private/recovery.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Purpose : Nand device policy
+allow recovery mtd_device:dir search;
+allow recovery mtd_device:chr_file rw_file_perms;
+allow recovery self:capability { sys_resource sys_rawio fsetid };
+set_prop(recovery, boottime_prop)
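Review bot: The recovery.te rules are not wrapped in `recovery_only(` ... `)`, so `allow recovery self:capability { sys_resource sys_rawio fsetid };` and the `mtd_device` access are compiled into the normal-boot policy as well as the recovery image. AOSP's recovery.te keeps its allow rules inside that macro so the domain holds no privileges outside recovery. `sys_rawio` in particular needs a line saying what requires it: `# Purpose : Nand device policy` covers the mtd rules but not the capability set or `set_prop(recovery, boottime_prop)`.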
diff --git a/basic/plat_private/resize.te b/basic/plat_private/resize.te
new file mode 100644
index 0000000..5bed6eb
--- /dev/null
+++ b/basic/plat_private/resize.te
@@ -0,0 +1 @@
+type resize, domain;
diff --git a/basic/plat_private/service_contexts b/basic/plat_private/service_contexts
new file mode 100644
index 0000000..85bd71e
--- /dev/null
+++ b/basic/plat_private/service_contexts
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+memory_dumper u:object_r:mediaserver_service:s0
+imsa u:object_r:radio_service:s0
+mtkIms u:object_r:radio_service:s0
+GbaService u:object_r:radio_service:s0
+
diff --git a/basic/plat_private/shared_relro.te b/basic/plat_private/shared_relro.te
new file mode 100644
index 0000000..69d1f66
--- /dev/null
+++ b/basic/plat_private/shared_relro.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/14
+# Operation : Migration
+get_prop(shared_relro, system_mtk_amslog_prop)
diff --git a/basic/plat_private/shell.te b/basic/plat_private/shell.te
new file mode 100644
index 0000000..d528492
--- /dev/null
+++ b/basic/plat_private/shell.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow shell debuglog_data_file:dir r_dir_perms;
+allow shell debuglog_data_file:file r_file_perms;
+
+get_prop(shell, system_mtk_mobile_log_prop)
+
diff --git a/basic/plat_private/surfaceflinger.te b/basic/plat_private/surfaceflinger.te
new file mode 100644
index 0000000..18f9a20
--- /dev/null
+++ b/basic/plat_private/surfaceflinger.te
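Review bot: In shell.te, `allow shell debuglog_data_file:dir r_dir_perms;` and `allow shell debuglog_data_file:file r_file_perms;` give the adb shell domain read access to everything under that label, and file_contexts in this patch maps both `/data/debuglogger(/.*)?` and `/data/ramdump(/.*)?` to it. Ramdumps and modem or network logs can hold memory contents and user data, and these rules are unconditional. Wrapping them in `userdebug_or_eng(` ... `)` would keep log pulling on engineering builds without exposing it on user builds. If user-build access is intended, a comment saying so and why would help the next reviewer.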
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Data : WK14.42
+# Operation : Migration
+# Purpose : Video playback
+set_prop(surfaceflinger, debug_prop)
+
+# Date : WK18.36
+# Operation : Debug
+# Purpose: Allow to dump buffer queue
+get_prop(surfaceflinger, system_mtk_debug_bq_dump_prop)
+
+# Date : WK21.32
+# Operation : Debug
+# Purpose: Allow to open debug log
+set_prop(surfaceflinger, system_mtk_sf_debug_prop)
diff --git a/basic/plat_private/system_app.te b/basic/plat_private/system_app.te
new file mode 100644
index 0000000..ddd81de
--- /dev/null
+++ b/basic/plat_private/system_app.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/07/12
+# Purpose : Issue submitter need creat folder on SD card
+allow system_app vfat:dir create_dir_perms;
+
+# Date: 2017/07/01
+# Change to simple policy
+allow system_app media_rw_data_file:dir rw_dir_perms;
+allow system_app media_rw_data_file:file rw_file_perms;
+
+# Purpose: receive dropbox message
+allow system_app system_server:unix_stream_socket connectto;
+allow system_app crash_dump:unix_stream_socket connectto;
+
+# Date : 2021/01/19
+# Purpose : access power hal
+hal_client_domain(system_app, hal_power)
+
+# Date: 2021/09/06
+# Purpose: To enable Google UCE Flow
+set_prop(system_app, system_mtk_rcs_single_reg_support_prop)
\ No newline at end of file
diff --git a/basic/plat_private/system_server.te b/basic/plat_private/system_server.te
new file mode 100644
index 0000000..4e6100f
--- /dev/null
+++ b/basic/plat_private/system_server.te
@@ -0,0 +1,53 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: W18.32
+# Operation : dontaudit writing to timerslack_ns
+dontaudit system_server appdomain:file w_file_perms;
+allow system_server ota_package_file:dir getattr;
+
+# Purpose: receive dropbox message
+allow system_server crash_dump:fifo_file w_file_perms;
+allow system_server crash_dump:fd use;
+
+# Property service.
+set_prop(system_server, ctl_bootanim_prop)
+
+# Date : WK16.36
+# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
+set_prop(system_server, log_tag_prop)
+
+# Fix bootup violation
+get_prop(system_server, wifi_prop)
+
+#Date:2019/10/09
+#Operation:Q Migration
+get_prop(system_server, system_mtk_debug_bq_dump_prop)
+
+#Date:2019/10/10
+#Operation:Q Migration
+allow system_server mddb_filter_data_file:dir getattr;
+
+allow system_server netdiag:fd use;
+
+#Date :2020/10/19
+#Operation : Allow system server to kill dex2oat
+allow system_server dex2oat:process sigkill;
+
+#Date:2021/9/22
+# Allow system server to get pgid
+allow system_server rs:process getpgid;
+allow system_server webview_zygote:process getpgid;
+allow system_server netd:process setsched;
+allow system_server keystore:process setsched;
+allow system_server audioserver_tmpfs:file write;
+#Date:2021/10/13
+# neverallow system server to kill process
+dontaudit system_server mediaserver:process sigkill;
+dontaudit system_server netd:process sigkill;
+dontaudit system_server keystore:process sigkill;
+
+#support system server domain do ioctl
+allow system_server system_mtk_pmb_file:file ioctl;
+allowxperm system_server system_mtk_pmb_file:file ioctl FS_IOC_MEASURE_VERITY;
diff --git a/basic/plat_private/teed_app.te b/basic/plat_private/teed_app.te
new file mode 100644
index 0000000..d962391
--- /dev/null
+++ b/basic/plat_private/teed_app.te
@@ -0,0 +1 @@
+type teed_app, domain;
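Review bot: `dontaudit system_server appdomain:file w_file_perms;` is documented as covering writes to timerslack_ns, but it suppresses audit records for every write-class denial from system_server on any file labelled with an app domain type. That hides unrelated denials which would otherwise flag a bug or an unexpected access. Further down, `# neverallow system server to kill process` sits above three `dontaudit ... sigkill` lines; `# suppress audit noise for sigkill denials on these domains` would describe what those lines actually do. `allow system_server audioserver_tmpfs:file write;` and the two `setsched` grants sit under a comment about getpgid and have no rationale of their own.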
diff --git a/basic/plat_private/tombstoned.te b/basic/plat_private/tombstoned.te
new file mode 100644
index 0000000..3cc2c68
--- /dev/null
+++ b/basic/plat_private/tombstoned.te
@@ -0,0 +1,9 @@
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 20200520
+# Operation : failed to create tombstone in /data/anr because permissive denied
+# Purpose : type=1400 audit(0.0:14838): avc: denied { write } for
+# name=".temporary0" dev="mmcblk0p43" ino=3478 scontext=u:r:tombstoned:s0
+# tcontext=u:object_r:anr_data_file:s0 tclass=file permissive=0
+allow tombstoned anr_data_file:file w_file_perms;
diff --git a/basic/plat_private/uncrypt.te b/basic/plat_private/uncrypt.te
new file mode 100644
index 0000000..9dca90e
--- /dev/null
+++ b/basic/plat_private/uncrypt.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow uncrypt uncrypt:capability fowner;
\ No newline at end of file
diff --git a/basic/plat_private/vendor_init.te b/basic/plat_private/vendor_init.te
new file mode 100644
index 0000000..f808cf3
--- /dev/null
+++ b/basic/plat_private/vendor_init.te
@@ -0,0 +1,3 @@
+# allow write for mobile_log_d.rc
+allow vendor_init proc_dynamic_debug_control:file w_file_perms;
+
diff --git a/basic/plat_public/GoogleOtaBinder.te b/basic/plat_public/GoogleOtaBinder.te
new file mode 100644
index 0000000..3723d07
--- /dev/null
+++ b/basic/plat_public/GoogleOtaBinder.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type GoogleOtaBinder, domain;
diff --git a/basic/plat_public/apmsrv_app.te b/basic/plat_public/apmsrv_app.te
new file mode 100644
index 0000000..a8dd525
--- /dev/null
+++ b/basic/plat_public/apmsrv_app.te
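Review bot: In uncrypt.te, `allow uncrypt uncrypt:capability fowner;` has no comment, and `fowner` lets the process bypass ownership checks on files it can otherwise reach, so the reason for it should be recorded. The usual spelling for a domain's own capabilities is `allow uncrypt self:capability fowner;`, which init.te and recovery.te in this patch already use. If the rule was added to clear a denial, quoting the avc line as the tombstoned.te hunk does would let a reviewer judge whether `dontaudit` is enough.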
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+# ==============================================
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type apmsrv_app, domain, coredomain;
diff --git a/basic/plat_public/atci_service_sys.te b/basic/plat_public/atci_service_sys.te
new file mode 100644
index 0000000..d40559f
--- /dev/null
+++ b/basic/plat_public/atci_service_sys.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+# ==============================================
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type atci_service_sys, domain;
diff --git a/basic/plat_public/attributes b/basic/plat_public/attributes
new file mode 100644
index 0000000..4c48837
--- /dev/null
+++ b/basic/plat_public/attributes
@@ -0,0 +1,113 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
+attribute mtk_core_property_type;
+
+# attribute that represents all MTK IMS types. It should be used by AP side module only.
+attribute mtkimsapdomain;
+#
+# # attribute that represents all MTK IMS types. It should be used by MD side module only.
+attribute mtkimsmddomain;
+
+# Just for MTK's neverallow rules
+attribute domain_deprecated;
+attribute public_mtk_debug_domain;
+attribute system_aosp_dev_type;
+attribute system_aosp_domain;
+attribute system_mtk_debug_dev_type;
+attribute system_mtk_debug_domain;
+attribute system_mtk_dev_type;
+attribute system_mtk_domain;
+attribute vendor_aosp_dev_type;
+attribute vendor_aosp_domain;
+attribute vendor_mtk_debug_dev_type;
+attribute vendor_mtk_debug_domain;
+attribute vendor_mtk_dev_type;
+attribute vendor_mtk_domain;
+
+# Date: 2017/06/12
+# LBS HIDL
+attribute hal_mtk_lbs;
+attribute hal_mtk_lbs_client;
+attribute hal_mtk_lbs_server;
+
+# Date: 2017/06/27
+# IMSA HIDL
+attribute hal_mtk_imsa;
+attribute hal_mtk_imsa_client;
+attribute hal_mtk_imsa_server;
+
+# Date: 2017/07/13
+# NVRAM AGENT HIDL
+attribute hal_mtk_nvramagent;
+attribute hal_mtk_nvramagent_client;
+attribute hal_mtk_nvramagent_server;
+
+# Date: 2017/07/19
+# PQ HIDL
+attribute hal_mtk_pq;
+attribute hal_mtk_pq_client;
+attribute hal_mtk_pq_server;
+
+# Date: 2017/07/28
+# KEY ATTESTATION HIDL
+attribute hal_mtk_keyattestation;
+attribute hal_mtk_keyattestation_client;
+attribute hal_mtk_keyattestation_server;
+
+# Date: 2018/05/25
+# FM HIDL
+attribute hal_mtk_fm;
+attribute hal_mtk_fm_client;
+attribute hal_mtk_fm_server;
+
+# Date: 2018/07/02
+# MDP HIDL
+attribute hal_mtk_mms;
+attribute hal_mtk_mms_client;
+attribute hal_mtk_mms_server;
+
+# Date: 2019/06/12
+# modem db filter hidl
+attribute hal_mtk_md_dbfilter;
+attribute hal_mtk_md_dbfilter_client;
+attribute hal_mtk_md_dbfilter_server;
+
+# Date: 2019/07/16
+# HDMI HIDL
+attribute hal_mtk_hdmi;
+attribute hal_mtk_hdmi_client;
+attribute hal_mtk_hdmi_server;
+
+# Date: 2019/09/06
+# BGService HIDL
+attribute hal_mtk_bgs;
+attribute hal_mtk_bgs_client;
+attribute hal_mtk_bgs_server;
+
+# Date: 2019/11/18
+# em hidl
+attribute hal_mtk_em;
+attribute hal_mtk_em_client;
+attribute hal_mtk_em_server;
+
+attribute hal_mtk_codecservice;
+attribute hal_mtk_codecservice_client;
+attribute hal_mtk_codecservice_server;
+
+attribute hal_mtk_atci;
+attribute hal_mtk_atci_client;
+attribute hal_mtk_atci_server;
+
+# All types used for mtk's safe hwservice
+attribute mtk_safe_hwservice_manager_type;
+
+# All types used for mtk's safe halserver
+attribute mtk_safe_halserverdomain_type;
+
+# Date: 2020/12/30
+attribute hal_mtk_mmagent;
+attribute hal_mtk_mmagent_client;
+attribute hal_mtk_mmagent_server;
diff --git a/basic/plat_public/boot_logo_updater.te b/basic/plat_public/boot_logo_updater.te
new file mode 100644
index 0000000..a09f0c1
--- /dev/null
+++ b/basic/plat_public/boot_logo_updater.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/boot_logo_updater Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type boot_logo_updater, domain;
diff --git a/basic/plat_public/camerapostalgo.te b/basic/plat_public/camerapostalgo.te
new file mode 100644
index 0000000..0b38e9c
--- /dev/null
+++ b/basic/plat_public/camerapostalgo.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type camerapostalgo, domain;
diff --git a/basic/plat_public/capability_app.te b/basic/plat_public/capability_app.te
new file mode 100644
index 0000000..ddd2f53
--- /dev/null
+++ b/basic/plat_public/capability_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type capability_app, domain, coredomain;
diff --git a/basic/plat_public/cmddumper.te b/basic/plat_public/cmddumper.te
new file mode 100644
index 0000000..332858a
--- /dev/null
+++ b/basic/plat_public/cmddumper.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/cmddumper Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type cmddumper, domain;
diff --git a/basic/plat_public/device.te b/basic/plat_public/device.te
new file mode 100644
index 0000000..6ad5ed8
--- /dev/null
+++ b/basic/plat_public/device.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtd_device, dev_type;
diff --git a/basic/plat_public/em_app.te b/basic/plat_public/em_app.te
new file mode 100644
index 0000000..144ef4a
--- /dev/null
+++ b/basic/plat_public/em_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type em_app, domain, coredomain;
diff --git a/basic/plat_public/em_svr.te b/basic/plat_public/em_svr.te
new file mode 100644
index 0000000..3236653
--- /dev/null
+++ b/basic/plat_public/em_svr.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type em_svr, domain;
diff --git a/basic/plat_public/file.te b/basic/plat_public/file.te
new file mode 100644
index 0000000..8c4c5c8
--- /dev/null
+++ b/basic/plat_public/file.te
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Sys Filesystem types
+
+# Date : 2020/03/25
+# Purpose : mtk Audio headset detect
+type sysfs_headset, fs_type, sysfs_type;
+
+# Date : WK20.20
+# Operation: R migration
+# Purpose : read vbus voltage
+type sysfs_vbus, fs_type, sysfs_type;
diff --git a/basic/plat_public/global_macros b/basic/plat_public/global_macros
new file mode 100644
index 0000000..0ae4a59
--- /dev/null
+++ b/basic/plat_public/global_macros
@@ -0,0 +1,12 @@
+#####################################
+# Common groupings of permissions without map.
+#
+define(`x_file_perms_no_map', `{ getattr execute execute_no_trans }')
+define(`r_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads }')
+define(`w_file_perms_no_map', `{ open append write lock }')
+define(`rx_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads execute execute_no_trans }')
+define(`ra_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append }')
+define(`rw_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append write }')
+define(`rwx_file_perms_no_map', `{ getattr open read ioctl lock watch watch_reads append write execute execute_no_trans }')
+define(`create_file_perms_no_map', `{ create rename setattr unlink getattr open read ioctl lock watch watch_reads append write }')
+
diff --git a/basic/plat_public/kpoc_charger.te b/basic/plat_public/kpoc_charger.te
new file mode 100644
index 0000000..a17827a
--- /dev/null
+++ b/basic/plat_public/kpoc_charger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/kpoc_charger Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type kpoc_charger, domain;
diff --git a/basic/plat_public/mdi_redirector.te b/basic/plat_public/mdi_redirector.te
new file mode 100644
index 0000000..cd80ba3
--- /dev/null
+++ b/basic/plat_public/mdi_redirector.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdi_redirector, domain;
diff --git a/basic/plat_public/mdmi_redirector.te b/basic/plat_public/mdmi_redirector.te
new file mode 100644
index 0000000..89ca55e
--- /dev/null
+++ b/basic/plat_public/mdmi_redirector.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdmi_redirector, domain;
diff --git a/basic/plat_public/mediahelper.te b/basic/plat_public/mediahelper.te
new file mode 100755
index 0000000..16638bc
--- /dev/null
+++ b/basic/plat_public/mediahelper.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mediahelper, domain;
+
diff --git a/basic/plat_public/mtk_advcamserver.te b/basic/plat_public/mtk_advcamserver.te
new file mode 100644
index 0000000..e0b0bf9
--- /dev/null
+++ b/basic/plat_public/mtk_advcamserver.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/mtk_advcamserver Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type mtk_advcamserver, domain;
diff --git a/basic/plat_public/mtkbootanimation.te b/basic/plat_public/mtkbootanimation.te
new file mode 100644
index 0000000..95254dd
--- /dev/null
+++ b/basic/plat_public/mtkbootanimation.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/mtkbootanimation Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+#bootanimation oneshot service
+type mtkbootanimation, domain;
diff --git a/basic/plat_public/netd.te b/basic/plat_public/netd.te
new file mode 100644
index 0000000..14ceb98
--- /dev/null
+++ b/basic/plat_public/netd.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Suppress the denial for netd to use surfaceflinger
+dontaudit netd surfaceflinger:fd use;
diff --git a/basic/plat_public/netdiag.te b/basic/plat_public/netdiag.te
new file mode 100644
index 0000000..e4a691b
--- /dev/null
+++ b/basic/plat_public/netdiag.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/netdiag Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type netdiag, domain;
diff --git a/basic/plat_public/osi.te b/basic/plat_public/osi.te
new file mode 100644
index 0000000..7bb301d
--- /dev/null
+++ b/basic/plat_public/osi.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type osi, domain;
diff --git a/basic/plat_public/property.te b/basic/plat_public/property.te
new file mode 100644
index 0000000..99f45a7
--- /dev/null
+++ b/basic/plat_public/property.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties with no restrictions
+system_public_prop(system_mtk_ctl_emdlogger1_prop)
+system_public_prop(system_mtk_ctl_emdlogger2_prop)
+system_public_prop(system_mtk_ctl_emdlogger3_prop)
+system_public_prop(system_mtk_ctl_mdlogger_prop)
+system_public_prop(system_mtk_init_svc_emdlogger1_prop)
diff --git a/basic/plat_public/rsu_app.te b/basic/plat_public/rsu_app.te
new file mode 100644
index 0000000..13e3955
--- /dev/null
+++ b/basic/plat_public/rsu_app.te
@@ -0,0 +1,4 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk Executable File
+
+type rsu_app, domain;
diff --git a/basic/plat_public/teeregistryd_app.te b/basic/plat_public/teeregistryd_app.te
new file mode 100644
index 0000000..16b2887
--- /dev/null
+++ b/basic/plat_public/teeregistryd_app.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type teeregistryd_app, domain;
diff --git a/basic/plat_public/terservice.te b/basic/plat_public/terservice.te
new file mode 100644
index 0000000..8a6527f
--- /dev/null
+++ b/basic/plat_public/terservice.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type terservice, domain;
diff --git a/basic/plat_public/thermald.te b/basic/plat_public/thermald.te
new file mode 100644
index 0000000..052a0ab
--- /dev/null
+++ b/basic/plat_public/thermald.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type thermald, domain;
diff --git a/basic/plat_public/usp_service.te b/basic/plat_public/usp_service.te
new file mode 100644
index 0000000..493c870
--- /dev/null
+++ b/basic/plat_public/usp_service.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/usp_service Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type usp_service ,domain;
diff --git a/basic/plat_public/vtservice.te b/basic/plat_public/vtservice.te
new file mode 100644
index 0000000..e10bbfc
--- /dev/null
+++ b/basic/plat_public/vtservice.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/bin/vtservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# TODO: Should move to plat_private after split.
+type vtservice, domain;
diff --git a/bsp/debug/non_plat/aee_aedv.te b/bsp/debug/non_plat/aee_aedv.te
new file mode 100644
index 0000000..5944760
--- /dev/null
+++ b/bsp/debug/non_plat/aee_aedv.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.21
+# Operation : direct coredump enhancement
+# Purpose : support abort message dumping
+userdebug_or_eng(`
+ allow aee_aedv coredump_file:dir { remove_name };
+ allow aee_aedv coredump_file:file { unlink };
+')
diff --git a/bsp/debug/non_plat/domain.te b/bsp/debug/non_plat/domain.te
new file mode 100644
index 0000000..9a66593
--- /dev/null
+++ b/bsp/debug/non_plat/domain.te
@@ -0,0 +1,4 @@
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for aee dump systemAPI db, get backtrace
+allow domain aee_aedv:process sigchld;
diff --git a/bsp/debug/non_plat/file.te b/bsp/debug/non_plat/file.te
new file mode 100644
index 0000000..f38e08e
--- /dev/null
+++ b/bsp/debug/non_plat/file.te
@@ -0,0 +1,9 @@
+# Date : WK16.35
+# Operation : untrusted_app support direct-coredump abort message
+# Purpose :
+# avc: denied { write } for name="aee_interim" dev="dm-0" ino=8236
+# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:coredump_file:s0
+# tclass=dir permissive=0
+userdebug_or_eng(`
+ typeattribute coredump_file mlstrustedobject;
+')
diff --git a/bsp/debug/non_plat/logd.te b/bsp/debug/non_plat/logd.te
new file mode 100644
index 0000000..17fe263
--- /dev/null
+++ b/bsp/debug/non_plat/logd.te
@@ -0,0 +1,2 @@
+# purpose: allow logd to access aee socket
+allow logd crash_dump:unix_stream_socket connectto;
diff --git a/bsp/debug/non_plat/platform_app.te b/bsp/debug/non_plat/platform_app.te
new file mode 100644
index 0000000..4a8b81a
--- /dev/null
+++ b/bsp/debug/non_plat/platform_app.te
@@ -0,0 +1,6 @@
+# Date : 2021/05/19
+# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
+# Package Name: com.mediatek.connectivity
+hal_client_domain(platform_app, hal_mtk_nvramagent)
+hal_client_domain(platform_app, hal_telephony)
+binder_call(platform_app, rild)
\ No newline at end of file
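Review bot: The three rules in bsp/debug/non_plat/platform_app.te are granted to the whole `platform_app` domain although the comment names one package, com.mediatek.connectivity, so every platform-signed app becomes a client of the NVRAM agent and telephony HALs and may call `rild` over binder. Nothing in the hunk ties the grant to debug builds; whether the `debug` directory is compiled only for userdebug/eng is decided in BoardSEPolicyConfig.mk, outside this hunk, so I would make it explicit with the `userdebug_or_eng(...)` wrapper that bsp/debug/non_plat/file.te uses, or give the package its own domain through seapp_contexts. The same whole-domain grant recurs in bsp/debug/non_plat/rild.te (`binder_call(rild, platform_app)`) and in bsp/debug/plat_private/platform_app.te (`set_prop(platform_app, system_mtk_logmuch_prop)`).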
diff --git a/bsp/debug/non_plat/rild.te b/bsp/debug/non_plat/rild.te
new file mode 100644
index 0000000..b51dde8
--- /dev/null
+++ b/bsp/debug/non_plat/rild.te
@@ -0,0 +1,4 @@
+# Date: 2021/05/25
+# Operation: Engineer mode send AT command
+# Purpose: allow rild callback to CDS_INFO app
+binder_call(rild, platform_app)
\ No newline at end of file
diff --git a/bsp/debug/non_plat/shell.te b/bsp/debug/non_plat/shell.te
new file mode 100644
index 0000000..4af0fe9
--- /dev/null
+++ b/bsp/debug/non_plat/shell.te
@@ -0,0 +1,4 @@
+# Date : WK17.46
+# Operation : Migration
+# Purpose: Allow shell to read KE DB
+allow shell aee_dumpsys_data_file:file r_file_perms;
diff --git a/bsp/debug/non_plat/surfaceflinger.te b/bsp/debug/non_plat/surfaceflinger.te
new file mode 100644
index 0000000..92b0add
--- /dev/null
+++ b/bsp/debug/non_plat/surfaceflinger.te
@@ -0,0 +1 @@
+allow surfaceflinger aee_exp_data_file:file write;
diff --git a/bsp/debug/non_plat/system_app.te b/bsp/debug/non_plat/system_app.te
new file mode 100644
index 0000000..15cfebb
--- /dev/null
+++ b/bsp/debug/non_plat/system_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+
+# Date: 2019/09/11
+# Purpose: Allow atmwifimeta apk to use HIDL and access loghidlvendorservice
+hal_client_domain(system_app, hal_mtk_log)
diff --git a/bsp/debug/non_plat/system_server.te b/bsp/debug/non_plat/system_server.te
new file mode 100644
index 0000000..a4038d5
--- /dev/null
+++ b/bsp/debug/non_plat/system_server.te
@@ -0,0 +1,9 @@
+# Date:2020/09/01
+# Operation:R Migration
+allow system_server proc_aed:dir search;
+
+# Search /proc/iommu/debug
+allow system_server proc_iommu_debug:dir search;
+
+# Search /proc/dmaheap
+allow system_server proc_dmaheap:dir search;
diff --git a/bsp/debug/non_plat/untrusted_app.te b/bsp/debug/non_plat/untrusted_app.te
new file mode 100644
index 0000000..c03c690
--- /dev/null
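Review bot: `allow shell aee_dumpsys_data_file:file r_file_perms;` in bsp/debug/non_plat/shell.te is unconditional, so on any image that includes this directory the adb shell can read the kernel-exception databases the comment refers to, and crash databases of that kind typically hold log and memory content from other processes. If shell access is only needed on engineering builds, wrap the rule in `userdebug_or_eng(...)` as bsp/debug/non_plat/aee_aedv.te does for its coredump rules. Which build variants pull in the `debug` directory is not visible from this hunk, so the guard is worth having in the file itself.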
+++ b/bsp/debug/non_plat/untrusted_app.te
@@ -0,0 +1,9 @@
+# Date : WK16.35
+# Operation : untrusted_app support direct-coredump abort message
+# Purpose :
+# avc: denied { write } for name="aee_interim" dev="dm-0" ino=8236
+# scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:coredump_file:s0
+# tclass=dir permissive=0
+userdebug_or_eng(`
+ allow untrusted_app coredump_file:dir w_dir_perms;
+')
diff --git a/bsp/debug/non_plat/viarild.te b/bsp/debug/non_plat/viarild.te
new file mode 100644
index 0000000..04d4972
--- /dev/null
+++ b/bsp/debug/non_plat/viarild.te
@@ -0,0 +1,2 @@
+# For Kryptowire mtklog issue
+allow viarild aee_aedv:unix_stream_socket connectto;
diff --git a/bsp/debug/plat_private/domain.te b/bsp/debug/plat_private/domain.te
new file mode 100644
index 0000000..1748f84
--- /dev/null
+++ b/bsp/debug/plat_private/domain.te
@@ -0,0 +1,4 @@
+# Date : WK17.29
+# Operation : Migration
+# Purpose : for aee dump systemAPI db, get backtrace
+allow domain crash_dump:process sigchld;
diff --git a/bsp/debug/plat_private/em_app.te b/bsp/debug/plat_private/em_app.te
new file mode 100644
index 0000000..9b70794
--- /dev/null
+++ b/bsp/debug/plat_private/em_app.te
@@ -0,0 +1,2 @@
+#For debug utils
+get_prop(em_app, system_mtk_persist_mtk_aee_prop)
diff --git a/bsp/debug/plat_private/emdlogger.te b/bsp/debug/plat_private/emdlogger.te
new file mode 100644
index 0000000..fc7c51b
--- /dev/null
+++ b/bsp/debug/plat_private/emdlogger.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# get & set persist.vendor.radio.port_index proeprty
+set_prop(emdlogger, system_mtk_atci_sys_prop)
+
diff --git a/bsp/debug/plat_private/mobile_log_d.te b/bsp/debug/plat_private/mobile_log_d.te
new file mode 100644
index 0000000..2a70fab
--- /dev/null
+++ b/bsp/debug/plat_private/mobile_log_d.te
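Review bot: In bsp/debug/non_plat/untrusted_app.te the quoted denial is for `write` on the directory only, yet the rule grants `w_dir_perms`, which also carries `remove_name`, to every untrusted app. Combined with `typeattribute coredump_file mlstrustedobject;` from bsp/debug/non_plat/file.te, which exempts that type from MLS category checks, apps and users are no longer separated from one another inside the coredump directory on userdebug/eng builds. If the abort-message path only has to create entries, a narrower rule such as `allow untrusted_app coredump_file:dir { search write add_name };` would cover it, to be confirmed against the denials actually observed. The `Purpose :` field is empty in both files; one sentence on why app processes write there would help the next reviewer.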
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# purpose: allow mobile_log_d to read persist.vendor.log.tel_dbg
+get_prop(mobile_log_d, system_mtk_em_tel_log_prop)
+
+# purpose: allow mobile_log_d to read persist.vendor.logmuch
+get_prop(mobile_log_d, system_mtk_logmuch_prop)
diff --git a/bsp/debug/plat_private/platform_app.te b/bsp/debug/plat_private/platform_app.te
new file mode 100644
index 0000000..3b183df
--- /dev/null
+++ b/bsp/debug/plat_private/platform_app.te
@@ -0,0 +1,5 @@
+# Date: 2021/07/16
+# Purpose : DebugLoggerUI support for telephony log settings
+# Package: com.debug.loggerui
+set_prop(platform_app, system_mtk_logmuch_prop)
+set_prop(platform_app, system_mtk_em_tel_log_prop)
\ No newline at end of file
diff --git a/bsp/debug/plat_private/system_server.te b/bsp/debug/plat_private/system_server.te
new file mode 100644
index 0000000..4d61c64
--- /dev/null
+++ b/bsp/debug/plat_private/system_server.te
@@ -0,0 +1,7 @@
+# Date : 2016/11/11
+# Purpose : Add permission for aee socket access to report Java Layer Exception
+allow system_server crash_dump:unix_stream_socket connectto;
+
+# Date:2020/12/23
+# Operation:R Migration, add permission for AMS read mtk_AEE_prop
+get_prop(system_server, system_mtk_persist_aee_prop)
diff --git a/bsp/non_plat/GoogleOtaBinder.te b/bsp/non_plat/GoogleOtaBinder.te
new file mode 100644
index 0000000..a5c370f
--- /dev/null
+++ b/bsp/non_plat/GoogleOtaBinder.te
@@ -0,0 +1,10 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#/dev/misc
+allow GoogleOtaBinder misc_device:chr_file rw_file_perms;
+
diff --git a/bsp/non_plat/apmsrv_app.te b/bsp/non_plat/apmsrv_app.te
new file mode 100644
index 0000000..569b20e
--- /dev/null
+++ b/bsp/non_plat/apmsrv_app.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+# This is a workaround for Google bug, put apmsrv_app in non_platform
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Allow to get DMC properties
+get_prop(apmsrv_app, vendor_mtk_dmc_prop)
+
diff --git a/bsp/non_plat/app.te b/bsp/non_plat/app.te
new file mode 100644
index 0000000..dc0b3ac
--- /dev/null
+++ b/bsp/non_plat/app.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/07/11
+# Operation: Migration
+# Purpose: Add permission for gpu access
+allow appdomain dri_device:chr_file rw_file_perms;
+
+#allow mtk_sec_video_path_support
+get_prop(appdomain, vendor_mtk_sec_video_path_support_prop)
+
+#allow mtk_mtee_on_svp_support
+get_prop(appdomain, vendor_mtk_svp_on_mtee_support_prop)
diff --git a/bsp/non_plat/atci_service_sys.te b/bsp/non_plat/atci_service_sys.te
new file mode 100644
index 0000000..c45ee87
--- /dev/null
+++ b/bsp/non_plat/atci_service_sys.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow atci_service_sys nfc_socket_file:dir w_dir_perms;
+allow atci_service_sys system_file:file execute_no_trans;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service_sys proc_ged:file rw_file_perms;
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service_sys factory_data_file:sock_file write;
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hal_client_domain(atci_service_sys, hal_mtk_atci)
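Review bot: `allow appdomain dri_device:chr_file rw_file_perms;` in bsp/non_plat/app.te applies to every member of `appdomain`, which includes `untrusted_app` and `isolated_app`, and `rw_file_perms` carries `ioctl` with no command filtering on the device node. GPU/DRM driver ioctls are a large kernel interface to hand to the least-trusted processes, so I would bound it with an `allowxperm` list, the way bsp/non_plat/camerapostalgo.te in this patch does for `proc_perfmgr`, and exclude the domains that do not render, e.g. `allow { appdomain -isolated_app } dri_device:chr_file rw_file_perms;`. Whether isolated apps need this node on this platform is not visible from the hunk, so treat the exclusion as something to verify.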
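Review bot: `allow atci_service_sys system_file:file execute_no_trans;` in bsp/non_plat/atci_service_sys.te lets the service run any binary labelled `system_file` inside its own domain, keeping all of its other permissions, and it is one of the only two rules in the file without a Date/Purpose header (the other is `nfc_socket_file:dir w_dir_perms` just above). The later comment suggests this daemon services AT commands, which makes an open-ended exec grant worth justifying. Please add a header such as `# Purpose : <which /system helper is executed, and why no domain transition>`, and if a single helper is involved, label it with its own exec type instead of relying on `system_file`.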
diff --git a/bsp/non_plat/audioserver.te b/bsp/non_plat/audioserver.te
new file mode 100644
index 0000000..9dd0465
--- /dev/null
+++ b/bsp/non_plat/audioserver.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.03
+# Operation : Migration
+# Purpose : offloadservice
+allow audioserver offloadservice_device:chr_file rw_file_perms;
+
+# Date : WK15.44
+# Operation : Migration
+# Purpose : ancservice
+allow audioserver ancservice_device:chr_file rw_file_perms;
+
+# Date : WK17.31
+# Operation : ViLTE
+# Purpose : for ViLTE - set VTservice has permission to access me
+binder_call(audioserver, vtservice)
+
+# Date : WK18.42
+# Operation : Migration
+# Purpose : adsp
+allow audioserver adsp_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/bluetooth.te b/bsp/non_plat/bluetooth.te
new file mode 100644
index 0000000..5e1c5b9
--- /dev/null
+++ b/bsp/non_plat/bluetooth.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Device access
+allow bluetooth stpbt_device:chr_file rw_file_perms;
+
+# NVRAM access
+allow bluetooth nvram_data_file:dir search;
+allow bluetooth nvram_data_file:file rw_file_perms;
+allow bluetooth nvram_data_file:lnk_file r_file_perms;
+allow bluetooth nvdata_file:lnk_file r_file_perms;
+allow bluetooth nvdata_file:dir search;
+allow bluetooth nvdata_file:file rw_file_perms;
+
+allow bluetooth block_device:dir search;
+allow bluetooth proc_secmem:file r_file_perms;
+
+# Date : WK15.36
+# Operation : Migration
+# Purpose: Allow bluetooth to access surfaceflinger
+allow bluetooth surfaceflinger:fifo_file rw_file_perms;
diff --git a/bsp/non_plat/boot_logo_updater.te b/bsp/non_plat/boot_logo_updater.te
new file mode 100644
index 0000000..1a07963
--- /dev/null
+++ b/bsp/non_plat/boot_logo_updater.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow boot_logo_updater sysfs:dir open;
diff --git a/bsp/non_plat/bootanim.te b/bsp/non_plat/bootanim.te
new file mode 100644
index 0000000..6d34bc6
--- /dev/null
+++ b/bsp/non_plat/bootanim.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.31
+# Operation : Migration
+# Purpose : access to sec mem proc interface.
+allow bootanim proc_secmem:file r_file_perms;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : for gpu access
+allow bootanim dri_device:chr_file rw_file_perms;
+
+allow bootanim debugfs_ion:dir search;
diff --git a/bsp/non_plat/bp_kmsetkey_ca.te b/bsp/non_plat/bp_kmsetkey_ca.te
new file mode 100644
index 0000000..8563324
--- /dev/null
+++ b/bsp/non_plat/bp_kmsetkey_ca.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type bp_kmsetkey_ca_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(bp_kmsetkey_ca)
+
+set_prop(bp_kmsetkey_ca, vendor_mtk_soter_teei_prop)
+
+allow bp_kmsetkey_ca ut_keymaster_device:chr_file rw_file_perms;
+allow bp_kmsetkey_ca teei_client_device:chr_file rw_file_perms;
+
+hal_client_domain(bp_kmsetkey_ca, hal_keymaster)
diff --git a/bsp/non_plat/camerapostalgo.te b/bsp/non_plat/camerapostalgo.te
new file mode 100644
index 0000000..9023a6d
--- /dev/null
+++ b/bsp/non_plat/camerapostalgo.te
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow camerapostalgo proc_perfmgr:dir r_dir_perms;
+allow camerapostalgo proc_perfmgr:file r_file_perms;
+allowxperm camerapostalgo proc_perfmgr:file ioctl {
+ PERFMGR_FPSGO_QUEUE
+ PERFMGR_FPSGO_DEQUEUE
+ PERFMGR_FPSGO_QUEUE_CONNECT
+ PERFMGR_FPSGO_BQID
+};
+
+allow camerapostalgo proc_ged:file r_file_perms;
+allowxperm camerapostalgo proc_ged:file ioctl { proc_ged_ioctls };
+allow camerapostalgo debugfs_ion:dir search;
+
+# ipc call
+hal_client_domain(camerapostalgo, hal_mtk_mms)
+hal_client_domain(camerapostalgo, hal_graphics_allocator)
+allow camerapostalgo hal_graphics_mapper_hwservice:hwservice_manager find;
+allow camerapostalgo hal_configstore_default:binder call;
+
diff --git a/bsp/non_plat/cameraserver.te b/bsp/non_plat/cameraserver.te
new file mode 100644
index 0000000..b5bf393
--- /dev/null
+++ b/bsp/non_plat/cameraserver.te
@@ -0,0 +1,32 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow cameraserver dri_device:chr_file rw_file_perms;
+
+# Date : WK16.30
+# Operation : Migration
+# Purpose : allow camera to save raw data on sdcard
+allow cameraserver fuse:dir create_dir_perms;
+allow cameraserver fuse:file create_file_perms;
+
+# Date : WK16.33
+# Operation : Migration
+# Purpose : Dump camera buffer to sdcard for debug
+allow cameraserver sdcardfs:dir create_dir_perms;
+allow cameraserver sdcardfs:file create_file_perms;
+allow cameraserver media_rw_data_file:dir create_dir_perms;
+allow cameraserver media_rw_data_file:file create_file_perms;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(cameraserver, hal_allocator)
+
+# Date : WK17.31
+# Operation : ViLTE
+# Purpose : for ViLTE - set VTservice has permission to access me
+binder_call(cameraserver, vtservice)
diff --git a/bsp/non_plat/capability_app.te b/bsp/non_plat/capability_app.te
new file mode 100644
index 0000000..106af33
--- /dev/null
+++ b/bsp/non_plat/capability_app.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow capability_app sysfs_boot_mode:file r_file_perms;
+allow capability_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/ccci_mdinit.te b/bsp/non_plat/ccci_mdinit.te
new file mode 100644
index 0000000..db0051d
--- /dev/null
+++ b/bsp/non_plat/ccci_mdinit.te
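Review bot: The WK16.30 and WK16.33 blocks in bsp/non_plat/cameraserver.te grant `create_dir_perms` and `create_file_perms` on `fuse`, `sdcardfs` and `media_rw_data_file` for raw-data and buffer dumps that the comments describe as debug aids, but the rules are unconditional. On user builds that leaves cameraserver, a process that parses untrusted media and client input, able to create, rename and delete files across shared storage. If the dumps are only used during bring-up, move the six rules inside `userdebug_or_eng(...)`, the wrapper this patch already uses in bsp/non_plat/dconfig.te; if a production feature depends on them, the Purpose lines should say which one.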
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#=============allow ccci_mdinit to start/stop fsd==============
+typeattribute ccci_mdinit mtkimsapdomain;
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci_rpcd_prop)
+set_prop(ccci_mdinit, vendor_mtk_ctl_ccci2_rpcd_prop)
diff --git a/bsp/non_plat/ccci_rpcd.te b/bsp/non_plat/ccci_rpcd.te
new file mode 100644
index 0000000..92de144
--- /dev/null
+++ b/bsp/non_plat/ccci_rpcd.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/ccci_fsd Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ccci_rpcd_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ccci_rpcd)
+
+wakelock_use(ccci_rpcd)
+
+allow ccci_rpcd ccci_device:chr_file rw_file_perms;
+allow ccci_rpcd block_device:dir search;
+allow ccci_rpcd misc2_block_device:blk_file rw_file_perms;
+allow ccci_rpcd bootdevice_block_device:blk_file rw_file_perms;
+
+allow ccci_rpcd sysfs_ccci:dir search;
+allow ccci_rpcd sysfs_ccci:file r_file_perms;
+
+allow ccci_rpcd md_block_device:blk_file r_file_perms;
diff --git a/bsp/non_plat/dconfig.te b/bsp/non_plat/dconfig.te
new file mode 100644
index 0000000..1e7fc9b
--- /dev/null
+++ b/bsp/non_plat/dconfig.te
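Review bot: `allow ccci_rpcd bootdevice_block_device:blk_file rw_file_perms;` in bsp/non_plat/ccci_rpcd.te gives the daemon raw read/write on every block node carrying that label, on top of the narrower `misc2_block_device` grant on the line before. Which partitions `bootdevice_block_device` covers is set in file_contexts, outside this hunk; if it labels the whole boot device rather than one partition, a daemon that serves modem requests could overwrite boot-critical data, so a per-partition type would be the safer target. The file header also names `/vendor/bin/ccci_fsd` while the domain and exec type are `ccci_rpcd`; the header should name the binary that is actually labelled `ccci_rpcd_exec`.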
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_dconfig_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_dconfig)
+userdebug_or_eng(`
+ allow mtk_dconfig mtk_hal_dplanner:fd use;
+ allow mtk_dconfig mtk_hal_dplanner:fifo_file { w_file_perms getattr };
+')
+allow mtk_dconfig proc_chip:file r_file_perms;
+allow mtk_dconfig sysfs_chipid:file r_file_perms;
+
+#for setting
+allow mtk_dconfig mtk_dconfig_exec:file execute_no_trans;
+allow mtk_dconfig block_device:dir search;
+allow mtk_dconfig boot_para_block_device:blk_file rw_file_perms;
diff --git a/bsp/non_plat/dmc_core.te b/bsp/non_plat/dmc_core.te
new file mode 100644
index 0000000..7c72aff
--- /dev/null
+++ b/bsp/non_plat/dmc_core.te
@@ -0,0 +1,39 @@
+# ==============================================
+# Policy File of /vendor/bin/dmc_core Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type dmc_core_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(dmc_core)
+
+# ==============================================
+# Date : W1920
+# Operation : Diagnostic framework Q migration
+# ==============================================
+
+# Purpose : allow dmc_core to start DMC and APM HIDL server
+hal_server_domain(dmc_core, hal_mtk_dmc)
+hal_server_domain(dmc_core, hal_mtk_apm)
+
+# Purpose : for dmc_core to connenct to md_monitor
+hal_client_domain(dmc_core, md_monitor_hal)
+
+# Purpose : for dmc_core to access /data/md_mon/
+allow dmc_core md_monitor_vendor_file:dir r_dir_perms;
+allow dmc_core md_monitor_vendor_file:file r_file_perms;
+
+# Purpose : Allow dmc_core to start/stop md_monitor
+set_prop(dmc_core, ctl_start_prop)
+set_prop(dmc_core, ctl_stop_prop)
+
+# Purpose : Allow dmc_core to set DMC control property (vendor.dmc.apm.active)
+set_prop(dmc_core, vendor_mtk_dmc_prop)
+
+# Add policy read property for init.svc.md_monitor
+get_prop(dmc_core, system_mtk_init_svc_md_monitor_prop)
+
+# Add policy read property for init.svc.mtk_pkm_service
+get_prop(dmc_core, system_mtk_pkm_init_prop)
diff --git a/bsp/non_plat/domain.te b/bsp/non_plat/domain.te
new file mode 100644
index 0000000..d724bc1
--- /dev/null
+++ b/bsp/non_plat/domain.te
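Review bot: `set_prop(dmc_core, ctl_start_prop)` and `set_prop(dmc_core, ctl_stop_prop)` in bsp/non_plat/dmc_core.te use the generic control-property types, so the grant is wider than the comment's "start/stop md_monitor": dmc_core can ask init to start or stop any service whose ctl.* property falls under those default types. This patch already uses per-service control types elsewhere, for example `vendor_mtk_ctl_ccci_rpcd_prop` in bsp/non_plat/ccci_mdinit.te. A dedicated type for md_monitor with a matching property_contexts entry would keep the grant to that one service, e.g. `set_prop(dmc_core, <md_monitor_ctl_prop_type>)`, where the type name is a placeholder to be chosen by the policy owner.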
@@ -0,0 +1,23 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.29
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration
+allow { domain -isolated_app } storage_file:dir search;
+
+# Date : W17.47
+# Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose
+neverallow {
+ domain
+ -init
+ -mtkrild
+ -mtk_hal_camera
+ -vendor_init
+ } vendor_mtk_logmuch_prop:property_service set;
+
+# Date : WK18.34
+# Operation : Migration
+# Purpose : for CTS android.os.cts.SecurityPatchTest
+get_prop(domain, vendor_security_patch_level_prop)
diff --git a/bsp/non_plat/drmserver.te b/bsp/non_plat/drmserver.te
new file mode 100644
index 0000000..b0670d9
--- /dev/null
+++ b/bsp/non_plat/drmserver.te
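Review bot: The comment above the `neverallow` in bsp/non_plat/domain.te says it lets system_server enable or disable logmuch_prop, but `system_server` is not among the exempted domains (`-init -mtkrild -mtk_hal_camera -vendor_init`), so the rule forbids exactly what the comment describes. One of the two is stale; if the rule is the intended behaviour, the comment should read along the lines of `# Only init, vendor_init, mtkrild and mtk_hal_camera may set vendor_mtk_logmuch_prop`. Separately, `allow { domain -isolated_app } storage_file:dir search;` is documented as a bring-up workaround yet applies to nearly every domain; it deserves a note on whether it is still required or a list of the domains that actually need it.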
@@ -0,0 +1,143 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.30
+# Operation : DRM UT
+# Purpose : To pass DRM UT
+allow drmserver mtk_hal_nvramagent:binder call;
+allow drmserver platform_app:dir search;
+allow drmserver platform_app:file { read getattr open };
+allow drmserver radio_data_file:file { read getattr open };
+allow drmserver sdcard_type:file open;
+
+# Date : WK14.36
+# Operation : DRM UT
+# Purpose : Make drmserver and binder read /proc/pid/cmdline to get process name
+allow drmserver system_app:dir search;
+allow drmserver system_app:file { read open getattr };
+
+# Mediaserver to drmserver
+allow drmserver mediaserver:dir search;
+allow drmserver mediaserver:file { read open getattr };
+
+# Date : WK14.36.5
+# Operation : DRM UT
+# Purpose : Make widevine mediacodec mode work
+allow drmserver untrusted_app:dir search;
+allow drmserver untrusted_app:file { read open getattr };
+
+# Date : WK14.40.1
+# Operation : DRM SQC - play OMA DRM audio file failed
+# Purpose : Make OMA DRM audio file can be played
+allow drmserver radio_data_file:dir search;
+
+# Date : WK14.44.2
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01790300
+allow drmserver surfaceflinger:fd use;
+
+# Date : WK14.44.3
+# Operation : MTBF test fail
+# Purpose : To fix ALPS01793801
+allow drmserver mediaserver:fifo_file read;
+
+# Date : WK14.46.4
+# Operation : DRM SQC - view image failed
+# Purpose : To fix ALPS01822176
+allow drmserver mediaserver:fifo_file write;
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : for device bring up, not to block early migration/sanity
+allow drmserver system_app:process getattr;
+
+# Date : WK15.34
+# Operation : Play Ready IT
+# Purpose : Allow access to link file; Such as play ready will request
+# drmserver to access /mnt/sdcard/xxx, which links to /sdcard/xxx.
+allow drmserver mnt_user_file:dir search;
+allow drmserver mnt_user_file:lnk_file read;
+allow drmserver storage_file:lnk_file read;
+
+# Add by : Jackie
+# Date : WK15.34
+# Operation : Migration
+# Purpose : Allow drmserver to access some system_server opreration on M
+# and allow drmserver access file stored in sdcard
+use_drmservice(system_server)
+allow drmserver system_server:file getattr;
+allow system_server drmserver:drmservice openDecryptSession;
+
+# Date : WK15.35
+# Operation : Migration
+# Purpose : Allow reador path="/data/data/com.mediatek.voicecommand/training
+# /unlock/passwordfile/0.dat"
+allow drmserver system_app_data_file:file read;
+
+# Add by : Jackie
+# Date : WK15.35
+# Operation : Migration
+# Purpose : allow drmserver access file stored in sdcard like /mnt/media_rw/
+allow drmserver vfat:file open;
+allow drmserver mnt_media_rw_file:dir search;
+
+# Add by : Jackie
+# Date : WK15.44
+# Operation : Migration
+# Purpose : allow drmserver access nfc process info, because drmserver need
+# check whether calling process is granted process, it need get process name
+# with calling pid
+allow drmserver nfc:dir search;
+allow drmserver nfc:file { read getattr open };
+
+# Add by : Jackie
+# Date : WK16.17
+# Operation : Bug Fixed
+# Purpose : allow drmserver access internal storage which mounted by sdcard, on Android M,
+# google add new feature which can format sdcard as internal storage. MediaScanner will use
+# .maybeTranslateEmulatedPathToInternal to translate emulate storage path(/storage/emulated/0)
+# to internal storage path(/mnt/expand/edf477fd-9470-450e-882a-7ecda941edf6/media/0), this
+# need add policy to grand permission.
+allow drmserver mnt_expand_file:dir search;
+
+# Add by : Jackie
+# Date : WK16.25
+# Operation : New Feature
+# Purpose : allow drmserver get AMS to start renew/expire/secure time invalid dialog
+allow drmserver activity_service:service_manager find;
+
+# Add by : Jackie
+# Date : WK16.26
+# Operation : Migration
+# Purpose : allow drmserver access priv app(such as wallpaper) info, because
+# drmserver need check whether calling process is granted process, it need
+# get process name with calling pid
+allow drmserver priv_app:dir search;
+allow drmserver priv_app:file { read getattr open };
+
+# Add by : Bo
+# Date : WK16.27
+# Operation : Migration
+# Purpose : allow drmserver encrypt file
+allow drmserver media_rw_data_file:file write;
+
+# Add by : Jackie
+# Date : WK16.34
+# Operation : Migration
+# Purpose : allow drmserver access ringtone file, so that it can play
+# FL cached ringtone in /data/system_de/0/ringtones/ringtone_cache
+allow drmserver ringtone_file:file read;
+
+# Fix boot violation
+allow drmserver proc_uptime:file r_file_perms;
+
+# Add by : sheetal.garg
+# Operation : Migration issue
+allow drmserver mediaextractor:dir search;
+allow drmserver mediaextractor:file { read open getattr };
+allow drmserver untrusted_app_25:dir search;
+allow drmserver untrusted_app_25:file { getattr open read };
+
+allow drmserver proc_uptime:file read;
+allow drmserver sdcardfs:file open;
diff --git a/bsp/non_plat/dumpstate.te b/bsp/non_plat/dumpstate.te
new file mode 100644
index 0000000..d61c0f6
--- /dev/null
+++ b/bsp/non_plat/dumpstate.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK19.22
+# Operation : let dumpstate can read sysfs_mmcblk
+# Purpose : fix Test error
+allow dumpstate sysfs_devices_block:file r_file_perms;
+
+# Purpose: workaround patch for xTS
+allow dumpstate mtk_hal_neuralnetworks:process signal;
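Review bot: The rules in drmserver.te that let drmserver search and read the process entries of untrusted_app, untrusted_app_25, priv_app, platform_app, system_app, nfc, mediaserver and mediaextractor exist, according to the WK14.36, WK15.44 and WK16.26 comments, so that drmserver can turn a calling pid into a process name and decide whether the caller is a "granted process". A name read from /proc/<pid>/cmdline is under the caller's own control and the pid can be reused between the binder call and the read, so it is a weak basis for an access decision; the binder-supplied calling UID is the usual alternative. If the lookup has to stay, say so above these rules, e.g. `# /proc/<pid> read is for caller-name lookup only; not a security boundary`. The late `allow drmserver proc_uptime:file read;` repeats what `r_file_perms` on the same type already grants and can be dropped.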
diff --git a/bsp/non_plat/e2fs.te b/bsp/non_plat/e2fs.te
new file mode 100644
index 0000000..592dae0
--- /dev/null
+++ b/bsp/non_plat/e2fs.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow e2fs cache_block_device:blk_file getattr;
+allow e2fs devpts:chr_file { getattr ioctl };
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs system_block_device:blk_file getattr;
+allow e2fs vendor_block_device:blk_file getattr;
diff --git a/bsp/non_plat/em_app.te b/bsp/non_plat/em_app.te
new file mode 100644
index 0000000..c762b58
--- /dev/null
+++ b/bsp/non_plat/em_app.te
@@ -0,0 +1,120 @@
+# ==============================================
+# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# For Rild hidl connection
+binder_call(em_app, rild)
+
+# For lbs hidl usage
+hal_client_domain(em_app, hal_mtk_lbs)
+
+# Allow to get vendor_mtk_dmc_prop
+get_prop(em_app, vendor_mtk_dmc_prop)
+
+# Date: 2020/03/25
+# Purpose : Allow get USB Current Speed in Engineer Mode
+get_prop(em_app, vendor_mtk_usb_prop)
+
+# Date: 2020/04/30
+# Purose: telephony -> Vilte
+get_prop(em_app, vendor_mtk_vendor_vt_prop)
+
+# Purose: SIM Switch
+get_prop(em_app, vendor_mtk_simswitch_emmode_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->IMS
+get_prop(em_app, vendor_mtk_mims_prop)
+get_prop(em_app, vendor_mtk_smsformat_prop)
+get_prop(em_app, vendor_mtk_imstestmode_prop)
+get_prop(em_app, vendor_mtk_dsbp_support_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->MobileDataPreferred %%em_hidl
+get_prop(em_app, vendor_mtk_gprs_prefer_prop)
+
+# Date: 2020/04/30
+# Purpose: telephony ->RatConfiguration
+get_prop(em_app, vendor_mtk_rat_config_prop)
+get_prop(em_app, vendor_mtk_tel_switch_prop)
+
+# Date : 2020/04/30
+# Purpose: FeatureSupport
+get_prop(em_app, vendor_mtk_default_prop)
+get_prop(em_app, vendor_mtk_mdm_prop)
+get_prop(em_app, vendor_mtk_aal_ro_prop)
+get_prop(em_app, vendor_mtk_fd_support_prop)
+get_prop(em_app, vendor_mtk_wfd_support_prop)
+get_prop(em_app, vendor_mtk_vilte_support_prop)
+get_prop(em_app, vendor_mtk_mdworldmode_prop)
+get_prop(em_app, vendor_mtk_log_tel_dbg_prop)
+get_prop(em_app, vendor_mtk_ril_mode_prop)
+get_prop(em_app, vendor_mtk_wfc_support_prop)
+get_prop(em_app, vendor_mtk_telephony_addon_prop)
+get_prop(em_app, vendor_mtk_ims_prop)
+
+# Date : 2020/04/30
+# Purpose: PrefsFragment
+get_prop(em_app, vendor_mtk_cxp_vendor_prop)
+
+# Date: 2020/04/30
+# Purpose:
telephony ->IMS ,ModemCategory
+get_prop(em_app, vendor_mtk_radio_prop)
+
+# Date : 2021/01/27
+# Purpose: Allow EM to read persist.vendor.sys.mtkaal.xx
+get_prop(em_app, vendor_mtk_pq_prop)
+# Purpose: Allow EM to read persist.vendor.ss.xx
+get_prop(em_app, vendor_mtk_ss_vendor_prop)
+# Purpose: Allow EM to read persist.vendor.connsys.xx
+get_prop(em_app, vendor_mtk_wmt_prop)
+# Purpose: Allow EM to read persist.vendor.em.dy.debug
+get_prop(em_app, vendor_mtk_em_dy_debug_ctrl_prop)
+# Purpose: Allow EM to read persist.vendor.em.hidl.xx
+get_prop(em_app, vendor_mtk_em_hidl_prop)
+# Purpose: Allow EM to read persist.vendor.usb.otg.switch
+get_prop(em_app, vendor_mtk_usb_otg_switch_prop)
+# Purpose: Allow EM to read vendor.debug.gps.xx
+get_prop(em_app, vendor_mtk_mnld_prop)
+# Purpose: Allow EM to read vendor.mtk.omx.xx
+get_prop(em_app, vendor_mtk_omx_log_prop)
+# Purpose: Allow EM to read vendor.mtk.vdec.log
+get_prop(em_app, vendor_mtk_vdec_log_prop)
+# Purpose: Allow EM to read vendor.mtk.vdectlc.log
+get_prop(em_app, vendor_mtk_vdectlc_log_prop)
+# Purpose: Allow EM to read vendor.mtk.venc.h264.showlog
+get_prop(em_app, vendor_mtk_venc_h264_showlog_prop)
+# Purpose: Allow EM to read vendor.usb.xx
+get_prop(em_app, vendor_mtk_usb_prop)
+# Purpose: Allow EM to read vendor.usb.port.mode
+get_prop(em_app, vendor_mtk_em_usb_prop)
+# Purpose: Allow EM to read vendor.net.xx
+get_prop(em_app, vendor_mtk_network_prop)
+# Purpose: Allow EM to endor.mediatek.debug.md.reset.wait
+get_prop(em_app, vendor_mtk_debug_md_reset_prop)
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb
+allow em_app proc_usb_plat:dir search;
+allow em_app proc_usb_plat:file rw_file_perms;
+
+# Data : 2021/6/4
+# Purpose : add permission for /sys/class/udc/xxx/current_speed
+allow em_app sysfs_usb_nonplat:dir search;
+allow em_app sysfs_usb_nonplat:file rw_file_perms;
+
+# Date : 2021/05/07
+# Purpose : AOL test in EngineerMode
+allow em_app self:netlink_generic_socket { read write
getattr bind create setopt };
+allow em_app conn_scp_device:chr_file rw_file_perms;
+
+# Date: 2021/08/17
+# Purpose: Allow EM to ro.vendor.mcf_support
+get_prop(em_app, vendor_mtk_mcf_prop)
+
+# Date:2021/10/29
+# Purpose: Allow EM PMU search extdev
+allow em_app sysfs_extdev:dir search;
\ No newline at end of file
diff --git a/bsp/non_plat/em_hidl.te b/bsp/non_plat/em_hidl.te
new file mode 100644
index 0000000..c5d301b
--- /dev/null
+++ b/bsp/non_plat/em_hidl.te
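Review bot: `allow em_app proc_usb_plat:file rw_file_perms;` and `allow em_app sysfs_usb_nonplat:file rw_file_perms;` give EngineerMode write access, while the stated purposes are getting the USB current speed and reaching /sys/class/udc/xxx/current_speed, which only need reads. Unless EngineerMode really writes nodes of these types, `r_file_perms` is enough for both, e.g. `allow em_app sysfs_usb_nonplat:file r_file_perms;`. This file sits in bsp/non_plat rather than the debug tree, so the grants appear to apply to every build variant, which is worth confirming. `get_prop(em_app, vendor_mtk_usb_prop)` also appears twice in the file and the second occurrence can be dropped.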
@@ -0,0 +1,57 @@
+# ==============================================
+# Policy File of /vendor/bin/em_hidi Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2018/07/10
+# Operation : EM DEBUG
+# Purpose: EM set Moms property
+set_prop(em_hidl, vendor_mtk_moms_prop)
+
+# Date : 2019/2/11
+# Operation: EM for ViLTE
+# Purpose: Allow EM HIDL to get/set vendor_mtk_vendor_vt_prop
+set_prop(em_hidl, vendor_mtk_vendor_vt_prop)
+
+# Date : 2019/08/20
+# Operation : DMC Q Migration
+# Purpose : allow EM to set vendor_mtk_dmc_prop
+set_prop(em_hidl, vendor_mtk_dmc_prop)
+
+# Date : 2020/04/24
+# Purpos : allow EM set dynamic debug control property
+set_prop(em_hidl, vendor_mtk_em_dy_debug_ctrl_prop)
+
+# Date : 2020/05/04
+# Purpose : allow EM to access vendor_nfc_socket_file
+allow em_hidl vendor_nfc_socket_file:dir w_dir_perms;
+allow em_hidl nfcstackp_vendor:unix_stream_socket connectto;
+
+# Date : 2020/05/05
+# Purpose : Add availablities to set property
+set_prop(em_hidl, vendor_mtk_nfc_nfcstackp_enable_prop)
+
+# Date : 2020/05/07
+# Purpose : allow EM to access MNL config file
+allow em_hidl gps_data_file:file rw_file_perms;
+allow em_hidl gps_data_file:dir search;
+
+# Date : 2020/05/09
+# Purpose: allow IMS SS to set radio prop
+set_prop(em_hidl,vendor_mtk_radio_prop)
+
+# Date : 2020/11/18
+# Purpos : allow EM set mtu property
+set_prop(em_hidl, vendor_mtk_em_mtu_prop)
+
+# Date: 2021/01/27
+# Purpose: Allow EM to set persist.vendor.connsys.xx
+set_prop(em_hidl, vendor_mtk_wmt_prop)
+
+# Date: 2021/04/28
+# Purpose: Allow EM to access NVRAM for BT
+allow em_hidl metadata_file:dir search;
+allow em_hidl gsi_metadata_file:dir search;
+
diff --git a/bsp/non_plat/em_svr.te b/bsp/non_plat/em_svr.te
new file mode 100644
index 0000000..0861421
--- /dev/null
+++ b/bsp/non_plat/em_svr.te
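Review bot: em_hidl is given set_prop on vendor_mtk_dmc_prop, vendor_mtk_vendor_vt_prop, vendor_mtk_wmt_prop, vendor_mtk_radio_prop and vendor_mtk_em_dy_debug_ctrl_prop, all of which em_app.te only lets em_app read, so the daemon is the writer acting on behalf of its HIDL clients. The effective control is therefore which domains may call the em_hidl service, and that is defined outside this hunk; the file should state it, e.g. `# em_hidl sets these on behalf of callers; keep its hwservice client list limited to em_app`. The header also names the binary `/vendor/bin/em_hidi`, and the 2021/04/28 block says "access NVRAM for BT" while its rules only grant search on metadata_file and gsi_metadata_file, so both comments need correcting.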
@@ -0,0 +1,14 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1823
+# Purpose: Rsc switch
+allow em_svr para_block_device:blk_file w_file_perms;
+
+# Date:2021/10/29
+# Purpose: Allow EM PMU search extdev
+allow em_svr sysfs_extdev:dir search;
\ No newline at end of file
diff --git a/bsp/non_plat/emcamera_app.te b/bsp/non_plat/emcamera_app.te
new file mode 100644
index 0000000..a5ab8fd
--- /dev/null
+++ b/bsp/non_plat/emcamera_app.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /vendor/app/emcamera Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+app_domain(emcamera_app)
+
+# Date: WK1931
+# Purpose: write data/vendor/camera_dump
+allow emcamera_app vendor_camera_dump_file:dir create_dir_perms;
+allow emcamera_app vendor_camera_dump_file:file create_file_perms;
+
+allow emcamera_app cameraserver_service:service_manager find;
+allow emcamera_app activity_service:service_manager find;
+allow emcamera_app surfaceflinger_service:service_manager find;
+allow emcamera_app activity_task_service:service_manager find;
+allow emcamera_app audio_service:service_manager find;
+allow emcamera_app trust_service:service_manager find;
+allow emcamera_app device_policy_service:service_manager find;
+allow emcamera_app autofill_service:service_manager find;
+allow emcamera_app sensorservice_service:service_manager find;
+
+# Date: WK1931
+# Purpose: set em camera properties
+set_prop(emcamera_app, vendor_mtk_em_prop)
+set_prop(emcamera_app, vendor_mtk_emcamera_prop)
+set_prop(emcamera_app, vendor_mtk_mediatek_prop)
diff --git a/bsp/non_plat/factory.te b/bsp/non_plat/factory.te
new file mode 100644
index 0000000..e8d10e2
--- /dev/null
+++ b/bsp/non_plat/factory.te
@@ -0,0 +1,47 @@
+# ==============================================
+# Policy File of /vendor/bin/factory Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK17.46
+allow factory kmsg_device:chr_file w_file_perms;
+allow factory dm_device:blk_file rw_file_perms;
+allow factory sysfs_fs_ext4_features:dir search;
+allow factory sysfs_fs_ext4_features:file r_file_perms;
+allow factory system_block_device:blk_file getattr;
+allow factory vendor_block_device:blk_file getattr;
+allow factory cache_block_device:blk_file getattr;
+allow factory protect1_block_device:blk_file getattr;
+allow factory protect2_block_device:blk_file getattr;
+
+# Purpose : Allow factory to call android.hardware.audio@2.0-service-mediatek
+binder_call(factory, mtk_hal_audio)
+allow factory mtk_hal_audio:binder call;
+allow factory mtk_audiohal_data_file:dir r_dir_perms;
+allow factory audio_device:chr_file rw_file_perms;
+allow factory audio_device:dir w_dir_perms;
+
+# Purpose : adsp
+allow factory adsp_device:chr_file rw_file_perms;
+
+# Purpose : Allow factory to get usb_state
+allow factory sysfs_android_usb:dir search;
+allow factory sysfs_android_usb:file r_file_perms;
+
+# Date : 2020/05/12
+allow factory nfcstackp_vendor:unix_stream_socket connectto;
+
+# Date : 2020/05/12
+# Purpose : Add availablities to set property
+set_prop(factory, vendor_mtk_nfc_nfcstackp_enable_prop)
+
+allow factory fingerprint_device:chr_file rw_file_perms;
+allow factory tmpfs:chr_file rw_file_perms;
+allow factory self:netlink_socket create_socket_perms_no_ioctl;
+
+# Data : 2021/4/21
+# Purpose : add permission for /proc/mtk_usb
+allow factory proc_usb_plat:dir search;
+allow factory proc_usb_plat:file rw_file_perms;
\ No newline at end of file
diff --git a/bsp/non_plat/file.te b/bsp/non_plat/file.te
new file mode 100644
index 0000000..3bd8416
--- /dev/null
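Review bot: `allow factory tmpfs:chr_file rw_file_perms;` lets factory open any character device that carries the default tmpfs label, which normally means a node under /dev that has no file_contexts entry. The rule has no date or purpose comment, so the device it is meant for cannot be told from here; give that node its own type in file_contexts and grant factory access to that type instead. `allow factory dm_device:blk_file rw_file_perms;` under the bare `# Date: WK17.46` heading also needs a purpose line, since raw read/write on device-mapper nodes sidesteps file-level access control. `allow factory mtk_hal_audio:binder call;` repeats part of what `binder_call(factory, mtk_hal_audio)` on the line before it already grants.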
+++ b/bsp/non_plat/file.te 
@@ -0,0 +1,123 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Filesystem types
+#
+##########################
+# Proc Filesystem types
+#
+# For DuraSpeed
+type proc_cpu_loading, fs_type, proc_type;
+type proc_low_memory_hit, fs_type, proc_type;
+
+# TKCore proc file
+type proc_tkcore, fs_type, proc_type;
+
+# For CachedAppOptimizer
+type proc_freqhopping, fs_type, proc_type;
+
+##########################
+# Sys Filesystem types
+#
+# TEEI data file
+type teei_control_file, fs_type, sysfs_type;
+
+##########################
+# File types
+#
+# mobicore device type and file type
+type mobicore_vendor_file, file_type, vendor_file_type;
+
+type tkcore_systa_file, file_type, vendor_file_type;
+
+type wo_starter_exec, exec_type, file_type, vendor_file_type;
+type wo_charon_exec, exec_type, file_type, vendor_file_type;
+type wo_stroke_exec, exec_type, file_type, vendor_file_type;
+
+##########################
+# File types
+# Data file types
+#
+# TEEI data file
+type teei_data_file, file_type, data_file_type;
+
+# Date:WK1822
+# Purpose: Store ims config data
+type mtk_radio_data_file, file_type, data_file_type;
+
+# mobicore file type
+type mobicore_data_file, file_type, data_file_type;
+
+# DOE
+type doe_vendor_data_file, file_type, data_file_type;
+
+# md monitor file
+type md_monitor_vendor_file, file_type, data_file_type;
+
+# MTK omadm data folder
+type omadm_data_file, file_type, data_file_type;
+type omadm_misc_file, file_type, data_file_type;
+
+# camera_dump
+type vendor_camera_dump_file, file_type, data_file_type;
+
+type tkcore_spta_file, file_type, data_file_type, mlstrustedobject;
+type tkcore_data_file, file_type, data_file_type, mlstrustedobject;
+
+type tkcore_protect_data_file, file_type, data_file_type;
+type tkcore_log_file, file_type, data_file_type;
+
+# Date : W1949
+# Purpose: for thp data file
+type mtk_thp_data_file, file_type,
data_file_type;
+
+# for img gpu_nn_service
+type gpunn_data_file, file_type, data_file_type;
+
+# Date : 2021/06/30
+# Purpose: add permission for /data/vendor/nn/
+type data_vendor_nn_file, data_file_type, file_type;
+
+# Date : 2021/07/01
+# Purpose: add permission for /data/vendor/hmp/
+type data_vendor_hmp_file, data_file_type, file_type;
+
+##########################
+# File types
+# Core domain data file types
+#
+# android log too much data/misc/log
+type logmuch_data_file, file_type, data_file_type, core_data_file_type;
+
+# For DuraSpeed
+type duraspeed_data_file, file_type, data_file_type, core_data_file_type;
+
+##########################
+# Socket types
+#
+type statusd_socket, file_type;
+
+# Date : WK17.30
+# Purpose : wifi offload daemon access files and sockets
+type wo_epdg_ipsec_socket, file_type;
+
+# Date : WK17.48
+# Purpose: RCS stack for 2/3G network
+type rcs_volte_stack_socket, file_type;
+
+# Date : WK1929
+# Purpose: Rcs Volte stack submarine development
+type rcs_rild_socket, file_type;
+
+# vtservice_hidl for imsvt socket
+type volte_imsvt1_socket, file_type;
+
+type rcs_ua_proxy_socket, file_type;
+
+# For chager enable fast charging algorithm
+type sysfs_fs_chg_file, fs_type, sysfs_type;
+
+# For InputReader scan and search power_supply path
+type sysfs_power_supply, fs_type, sysfs_type;
diff --git a/bsp/non_plat/file_contexts b/bsp/non_plat/file_contexts
new file mode 100644
index 0000000..76fe240
--- /dev/null
+++ b/bsp/non_plat/file_contexts
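Review bot: `tkcore_spta_file` and `tkcore_data_file` are declared with `mlstrustedobject`, which exempts files of those types from the MLS/category separation between app levels, and the declarations carry no comment explaining why. The same commit's file_contexts puts these labels on /data/vendor/t6, i.e. TrustKernel TEE data, so access to it then rests on the type-enforcement rules alone. Add a comment naming the client that needs cross-level access, e.g. `# mlstrustedobject: <client domain> running at app MLS levels must reach TEE storage`, or drop the attribute if only vendor daemons at s0 use these files.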
@@ -0,0 +1,276 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# Data files
+#
+# Trustonic data files
+/data/vendor/mcRegistry(/.*)? u:object_r:mobicore_data_file:s0
+
+# Microtrust data files
+/data/vendor/thh(/.*)? u:object_r:teei_data_file:s0
+
+/data/vendor/radio(/.*)? u:object_r:mtk_radio_data_file:s0
+/data/vendor/verizon(/.*)? u:object_r:omadm_data_file:s0
+/data/vendor/misc/msdata(/.*)? u:object_r:omadm_misc_file:s0
+
+# TrustKernel add
+/data/vendor/t6(/.*)? u:object_r:tkcore_data_file:s0
+/data/vendor/t6/app(/.*)? u:object_r:tkcore_spta_file:s0
+/data/vendor/t6/tkcore.log u:object_r:tkcore_log_file:s0
+
+# For Google Trusty Secure Storage Proxy
+/data/vendor/trusty(/.*)? u:object_r:tee_data_file:s0
+
+# DOE
+/data/vendor/doe(/.*)? u:object_r:doe_vendor_data_file:s0
+
+# MTK thp hal
+/data/vendor/thp(/.*)? u:object_r:mtk_thp_data_file:s0
+
+# MTK MDM
+/data/vendor/md_mon(/.*)? u:object_r:md_monitor_vendor_file:s0
+
+# EmCamera
+/data/vendor/camera_dump(/.*)? u:object_r:vendor_camera_dump_file:s0
+
+/data/vendor/.img(/.*)? u:object_r:gpunn_data_file:s0
+
+# DuraSpeed
+/data/duraspeed(/.*)? u:object_r:duraspeed_data_file:s0
+
+/data/misc/log(/.*)? u:object_r:logmuch_data_file:s0
+
+# Date: 2021/06/30
+# Purpose: mtk nn info file
+/data/vendor/nn(/.*)? u:object_r:data_vendor_nn_file:s0
+
+# Date: 2021/07/01
+# Purpose: mtk hmp info file
+/data/vendor/hmp(/.*)?
u:object_r:data_vendor_hmp_file:s0
+
+##########################
+# Devices
+#
+# TrustKernel add
+/dev/tkcoredrv u:object_r:tkcore_admin_device:s0
+
+# For Google Trusty Secure Storage Proxy
+/dev/block/mmcblk0rpmb u:object_r:rpmb_block_device:s0
+
+# Trustonic TEE devices
+/dev/mobicore u:object_r:mobicore_admin_device:s0
+/dev/mobicore-user u:object_r:mobicore_user_device:s0
+/dev/t-base-tui u:object_r:mobicore_tui_device:s0
+
+# teeperf devices
+/dev/teeperf u:object_r:teeperf_device:s0
+
+# Microtrust TEEI devices
+/dev/teei_config u:object_r:teei_config_device:s0
+/dev/teei_client u:object_r:teei_client_device:s0
+/dev/isee_tee0 u:object_r:teei_client_device:s0
+/dev/tz_vfs u:object_r:teei_vfs_device:s0
+
+# rpmb char device
+/dev/rpmb0 u:object_r:teei_rpmb_device:s0
+/dev/mmcblk0rpmb u:object_r:rpmb_device:s0
+
+# legacy char device for cross-platform compatibility
+/dev/emmcrpmb0 u:object_r:teei_rpmb_device:s0
+/dev/teei_fp u:object_r:teei_fp_device:s0
+/dev/ut_keymaster u:object_r:ut_keymaster_device:s0
+/dev/utr_tui u:object_r:utr_tui_device:s0
+
+# microtrust lite version use start
+/dev/teei_loader u:object_r:tee_device:s0
+
+# microtrust lite version use end
+/dev/dri/card0 u:object_r:dri_device:s0
+
+/dev/ttyC5 u:object_r:nwkopt_device:s0
+/dev/mix_event u:object_r:tx_device:s0
+
+# MTK thp hal
+/dev/thp u:object_r:gdix_thp_device:s0
+/dev/input_mt_wrapper u:object_r:gdix_mt_wrapper_device:s0
+
+# tetheroffload
+/dev/mddp u:object_r:mddp_device:s0
+
+/dev/socket/rcs_ua_proxy(/.*)? u:object_r:rcs_ua_proxy_socket:s0
+/dev/socket/rcs_volte_stack(/.*)? u:object_r:rcs_volte_stack_socket:s0
+/dev/socket/rcs_rild(/.*)? u:object_r:rcs_rild_socket:s0
+/dev/socket/statusd u:object_r:statusd_socket:s0
+/dev/socket/rilproxy-mal(/.*)? u:object_r:rild_mal_socket:s0
+/dev/socket/wo_epdg_ipsec(/.*)? u:object_r:wo_epdg_ipsec_socket:s0
+
+# MTK ATCI
+/dev/socket/rild-atci(/.*)? u:object_r:rild_atci_socket:s0
+/dev/socket/rilproxy-atci(/.*)?
u:object_r:rilproxy_atci_socket:s0
+/dev/socket/atci-service(/.*)? u:object_r:atci_service_socket:s0
+/dev/socket/adb_atci_socket(/.*)? u:object_r:adb_atci_socket:s0
+
+# MTK VTService
+/dev/socket/volte_imsvt1(/.*)? u:object_r:volte_imsvt1_socket:s0
+
+/dev/goodix_fp u:object_r:fingerprint_device:s0
+
+#MTK widevine kernel driver
+/dev/drm_wv u:object_r:widevine_drv_device:s0
+
+##########################
+# Vendor files
+#
+# TrustKernel add
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.trustkernel u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.trustkernel u:object_r:hal_keymaster_default_exec:s0
+
+# Trustonic TEE
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.trustonic u:object_r:hal_keymaster_default_exec:s0
+
+# Trustonic TEE system files
+/(vendor|system/vendor)/app/mcRegistry(/.*)?
u:object_r:mobicore_vendor_file:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon u:object_r:mobicore_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.tee@1\.1-service u:object_r:hal_tee_default_exec:s0
+
+/(vendor|system/vendor)/bin/thermal u:object_r:thermal_exec:s0
+/(vendor|system/vendor)/bin/volte_rcs_ua u:object_r:volte_rcs_ua_exec:s0
+/(vendor|system/vendor)/bin/rcs_volte_stack u:object_r:rcs_volte_stack_exec:s0
+/(vendor|system/vendor)/bin/volte_clientapi_ua u:object_r:volte_clientapi_ua_exec:s0
+/(vendor|system/vendor)/bin/viarild u:object_r:viarild_exec:s0
+/(vendor|system/vendor)/bin/statusd u:object_r:statusd_exec:s0
+/(vendor|system/vendor)/bin/flashlessd u:object_r:flashlessd_exec:s0
+/(vendor|system/vendor)/bin/ccci_rpcd u:object_r:ccci_rpcd_exec:s0
+/(vendor|system/vendor)/bin/ipsec_mon u:object_r:ipsec_mon_exec:s0
+/(vendor|system/vendor)/bin/getgameserver u:object_r:getgameserver_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.wfo@1\.0-service u:object_r:mtk_hal_wfo_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.clientapi@1\.0-service u:object_r:volte_clientapi_ua_exec:s0
+/(vendor|system/vendor)/bin/hw/vtservice_hidl u:object_r:vtservice_hidl_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.rcs@1\.0-service u:object_r:volte_rcs_ua_exec:s0
+/(vendor|system/vendor)/bin/STFlashTool u:object_r:stflashtool_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dfps@1\.0-service u:object_r:mtk_hal_dfps_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.omadm@1\.0-service u:object_r:mtk_hal_omadm_exec:s0
+
+# DOE
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dplanner@1\.0-service u:object_r:mtk_hal_dplanner_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.dplanner@2\.0-service u:object_r:mtk_hal_dplanner_exec:s0
+/(vendor|system/vendor)/bin/dconfig u:object_r:mtk_dconfig_exec:s0
+/(vendor|system/vendor)/bin/dtc_vendor
u:object_r:mtk_dconfig_exec:s0
+
+# DRM Key Installation HIDL
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keyinstall@1\.0-service u:object_r:mtk_hal_keyinstall_exec:s0
+
+# DRM Key Manage HIDL
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keymanage@1\.0-service u:object_r:mtk_hal_keymanage_exec:s0
+
+/(vendor|system/vendor)/bin/wo_ipsec u:object_r:wo_ipsec_exec:s0
+/(vendor|system/vendor)/bin/wo_charon u:object_r:wo_charon_exec:s0
+/(vendor|system/vendor)/bin/wo_starter u:object_r:wo_starter_exec:s0
+/(vendor|system/vendor)/bin/wo_stroke u:object_r:wo_stroke_exec:s0
+/(vendor|system/vendor)/bin/wo_epdg_client u:object_r:wo_epdg_client_exec:s0
+
+# netdagent
+/(vendor|system/vendor)/bin/netdagent u:object_r:netdagent_exec:s0
+
+# MTK PPL
+/(vendor|system/vendor)/bin/ppl_agent u:object_r:ppl_agent_exec:s0
+
+# Microtrust TEEI system files
+/(vendor|system/vendor)/bin/init_thh u:object_r:init_thh_service_exec:s0
+/(vendor|system/vendor)/bin/teei_daemon u:object_r:tee_exec:s0
+
+# microtrust THH daemon
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.thh@2\.0-service u:object_r:teei_hal_thh_exec:s0
+
+# microtrust TUI daemon
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.tui@2\.0-service u:object_r:teei_hal_tui_exec:s0
+
+# microtrust IFAA hidl service
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.ifaa@1\.0-service u:object_r:teei_hal_ifaa_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.ifaa@2\.0-service u:object_r:teei_hal_ifaa_exec:s0
+
+# microtrust WECHAT hidl service
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.soter@1\.0-service u:object_r:teei_hal_wechat_exec:s0
+/(vendor|system/vendor)/bin/teei_loader u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/istorageproxyd u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.capi@2\.0-service u:object_r:teei_hal_capi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.beanpod u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.beanpod\.lite u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.beanpod u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.beanpod\.lite u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint@1\.0-service\.beanpod u:object_r:hal_keymint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.beanpod\.lite u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.itrusty u:object_r:hal_gatekeeper_default_exec:s0
+/(vendor|system/vendor)/bin/bp_kmsetkey_ca u:object_r:bp_kmsetkey_ca_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerrpint@1\.1-service u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-gpunn u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-lazy u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-debug u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-mtk-neuron-debug-lazy u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks-shim-service-mtk u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks-shell-service-mtk
u:object_r:mtk_hal_neuralnetworks_exec:s0
+
+# MTK nwk opt hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.nwk_opt@1\.0-service u:object_r:mtk_hal_nwk_opt_exec:s0
+
+# MTK touchll hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.touchll@1\.0-service u:object_r:mtk_hal_touchll_exec:s0
+
+# MTK thp hal
+/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.thp@1\.0-service u:object_r:mtk_hal_thp_exec:s0
+
+# tetheroffload
+/(vendor|system/vendor)/bin/hw/tetheroffloadservice u:object_r:hal_tetheroffload_default_exec:s0
+
+# MTK ATCI
+/(vendor|system/vendor)/bin/atcid u:object_r:atcid_exec:s0
+/(vendor|system/vendor)/bin/atci_service u:object_r:atci_service_exec:s0
+
+# MTK PMS ext
+/(vendor|system/vendor)/operator/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/plugin(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/etc/rsc/[^/]+/framework(/.*)?
u:object_r:vendor_framework_file:s0
+
+/(vendor|system/vendor)/bin/remosaic_daemon u:object_r:remosaic_daemon_exec:s0
+
+# HDCP
+/(vendor|system/vendor)/bin/hw/vendor\.tesiai\.hardware\.hdcpconnection@1\.0-service u:object_r:tesiai_hal_hdcp_exec:s0
+
+# ST nfcstackp service
+/vendor/bin/nfcstackp-vendor u:object_r:nfcstackp_vendor_exec:s0
+
+# DMC (Diagnostic Monitoring Collector)
+/vendor/bin/dmc_core u:object_r:dmc_core_exec:s0
+
+# DMC Packet Monitor (PKM)
+/vendor/bin/mtk_pkm_service u:object_r:mtk_pkm_service_exec:s0
+
+# TrustKernel add
+/vendor/bin/teed u:object_r:tee_exec:s0
+
+# For Google Trusty Secure Storage Proxy
+/vendor/bin/storageproxyd u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/rpmb_svc u:object_r:tee_exec:s0
+
+# MTK MDM
+/vendor/bin/md_monitor u:object_r:md_monitor_exec:s0
+
+/vendor/app/t6(/.*)? u:object_r:tkcore_systa_file:s0
+
+##########################
+# Others
+#
+/mnt/vendor/persist/t6(/.*)? u:object_r:tkcore_protect_data_file:s0
+/mnt/vendor/protect_f/tee(/.*)? u:object_r:tkcore_protect_data_file:s0
+
+# Logo Updater
+/vendor/bin/logo_updater u:object_r:logo_updater_exec:s0
diff --git a/bsp/non_plat/flashlessd.te b/bsp/non_plat/flashlessd.te
new file mode 100644
index 0000000..0f2598e
--- /dev/null
+++ b/bsp/non_plat/flashlessd.te
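Review bot: The entry `/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerrpint@1\.1-service` spells the interface `fingerrpint`, so it only matches a binary carrying the same misspelling; if the HAL binary is named `fingerprint`, it keeps the default vendor label and never enters the hal_fingerprint_default domain. Two data paths leave the dot unescaped, `/data/vendor/.img(/.*)?` and `/data/vendor/t6/tkcore.log`, so `.` matches any character and the label can land on names that were not intended; write them as `/data/vendor/\.img(/.*)?` and `/data/vendor/t6/tkcore\.log`. `/dev/dri/card0` is listed under the "microtrust lite version use end" comment although it is unrelated, and should get its own heading.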
@@ -0,0 +1,19 @@
+# ==============================================
+# Policy File of /vendor/bin/flashlessd Executable File
+
+type flashlessd_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(flashlessd)
+
+#============= flashlessd ttyMT related ==============
+allow flashlessd ttyMT_device:chr_file rw_file_perms;
+
+
+#============= ccci_fsd MD NVRAM==============
+allow flashlessd nvram_data_file:dir create_dir_perms;
+allow flashlessd nvram_data_file:file create_file_perms;
+allow flashlessd nvram_data_file:lnk_file read;
+allow flashlessd nvdata_file:lnk_file read;
+allow flashlessd nvdata_file:dir create_dir_perms;
+allow flashlessd nvdata_file:file create_file_perms;
+allow flashlessd nvram_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/fsck.te b/bsp/non_plat/fsck.te
new file mode 100644
index 0000000..33e62cf
--- /dev/null
+++ b/bsp/non_plat/fsck.te
@@ -0,0 +1,8 @@
+#============= fsck ==============
+allow fsck sysfs_fs_ext4_features:dir search;
+
+# Date : WK19.12
+# Operation: Q migration
+# Purpose : Allow resize.f2fs to read in "f2fs" block dev
+allow init fsck_exec: lnk_file r_file_perms;
+allowxperm fsck userdata_block_device:blk_file ioctl BLKSECDISCARD;
diff --git a/bsp/non_plat/gatekeeperd.te b/bsp/non_plat/gatekeeperd.te
new file mode 100644
index 0000000..bba3640
--- /dev/null
+++ b/bsp/non_plat/gatekeeperd.te
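Review bot: The section header `#============= ccci_fsd MD NVRAM==============` in flashlessd.te names a different daemon than the rules under it, which all have `flashlessd` as their source; it reads like a leftover from another policy file and should say `flashlessd MD NVRAM`. The same block grants `create_dir_perms` and `create_file_perms` on both `nvram_data_file` and `nvdata_file` without the Date/Purpose comment that other files in this patch carry. A one-line purpose comment saying why the daemon must create, rather than only read and write, NVRAM files would make the grant auditable.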
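Review bot: The `Purpose` comment in fsck.te describes resize.f2fs reading an f2fs block device, but the two rules below it let `init` read the `fsck_exec` symlink and add `BLKSECDISCARD` to the ioctls `fsck` may issue on `userdata_block_device`; the comment should describe those rules, e.g. `# Purpose : init follows the fsck symlink; fsck may issue BLKSECDISCARD on userdata`. An `allowxperm` rule only takes effect where the base `ioctl` permission is also allowed, so it is worth confirming that `fsck` has `ioctl` on `userdata_block_device:blk_file` from a rule outside this hunk. The stray space in `fsck_exec: lnk_file` is inconsistent with every other rule in the patch.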
@@ -0,0 +1,28 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.49
+# Operation : Migration
+# Purpose: Trustonic HW-backed Gatekeeper
+allow hal_gatekeeper_default mobicore:unix_stream_socket { connectto read write };
+allow hal_gatekeeper_default mobicore_user_device:chr_file { read write open ioctl};
+
+allow hal_gatekeeper_default debugfs_tracing:file write;
+allow hal_gatekeeper_default mnt_vendor_file:dir search;
+allow hal_gatekeeper_default persist_data_file:dir { write search add_name remove_name};
+allow hal_gatekeeper_default persist_data_file:file { write read getattr open create unlink};
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Gatekeeper
+hal_client_domain(hal_gatekeeper_default, hal_teei_capi)
+hal_client_domain(hal_gatekeeper_default, hal_allocator)
+allow hal_gatekeeper_default teei_client_device:chr_file rw_file_perms;
+
+# Purpose: TrustKernel HW-backed Gatekeeper
+allow hal_gatekeeper_default tkcore_admin_device:chr_file { read write open ioctl };
+
+# Allow hal_gatekeeper_default to access /data/key_provisioning
+allow hal_gatekeeper_default key_install_data_file:dir w_dir_perms;
+allow hal_gatekeeper_default key_install_data_file:file create_file_perms;
diff --git a/bsp/non_plat/genfs_contexts b/bsp/non_plat/genfs_contexts
new file mode 100644
index 0000000..9cefccc
--- /dev/null
+++ b/bsp/non_plat/genfs_contexts
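Review bot: `hal_gatekeeper_default` receives `write add_name remove_name` on `persist_data_file:dir` and `write create unlink` on `persist_data_file:file`, the same generic label that the `hal_keymaster_default.te` hunk reads its attestation key from and that `hal_drm_widevine.te` reads as well. With one shared type, the gatekeeper HAL can create, overwrite or delete files that those HALs trust. A dedicated type for the gatekeeper's persist files (declared in file.te and labelled in file_contexts, both outside this hunk) would confine the write access to its own data. The `debugfs_tracing:file write` rule in the same block has no Purpose comment.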
@@ -0,0 +1,55 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# proc files
+#
+genfscon proc /secmem0 u:object_r:proc_secmem:s0
+
+# TrustKernel TEE proc
+genfscon proc /tkcore u:object_r:proc_tkcore:s0
+
+# For DuraSpeed
+genfscon proc /cpu_loading/onoff u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/uevent_enable u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/poltime_secs u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/poltime_nsecs u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/overThrhld u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/specify_cpus u:object_r:proc_cpu_loading:s0
+genfscon proc /cpu_loading/specify_overThrhld u:object_r:proc_cpu_loading:s0
+
+# For CachedAppOptimizer
+genfscon proc /freqhopping u:object_r:proc_freqhopping:s0
+
+##########################
+# sysfs files
+#
+# Microtrust TEEI sysfs files
+genfscon sysfs /devices/platform/utos u:object_r:teei_control_file:s0
+genfscon sysfs /devices/utos u:object_r:teei_control_file:s0
+
+# for 7663 VTS NetdSELinuxTest.CheckProperMTULabels requirement
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11250000.mmc/mmc_host/mmc2/mmc2:0001/mmc2:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/11240000.msdc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+
+# for 7668 VTS NetdSELinuxTest.CheckProperMTULabels
requirement
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/wlan0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/ap0/mtu u:object_r:sysfs_net:s0
+genfscon sysfs /devices/platform/soc/11170000.sdio/mmc_host/mmc1/mmc1:0001/mmc1:0001:1/net/p2p0/mtu u:object_r:sysfs_net:s0
+
+# Date : 2020/09/09
+# Purpose: for otg access
+genfscon sysfs /devices/platform/bus/mt_usb/musb-hdrc/usb1 u:object_r:sysfs_usb_nonplat:s0
+
+# For chager enable fast charging algorithm
+genfscon sysfs /devices/platform/charger/fast_chg_indicator u:object_r:sysfs_fs_chg_file:s0
+
+# Date: 2021/08/10
+# Operation: S migration
+# Purpose: Add permission for inputReader search every input device path including "power_supply"
+genfscon sysfs /devices/virtual/power_supply u:object_r:sysfs_power_supply:s0
diff --git a/bsp/non_plat/getgameserver.te b/bsp/non_plat/getgameserver.te
new file mode 100644
index 0000000..0925f5c
--- /dev/null
+++ b/bsp/non_plat/getgameserver.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/getgameserver Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type getgameserver_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(getgameserver)
+net_domain(getgameserver)
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+allow getgameserver self:capability net_raw;
+allow getgameserver self:packet_socket { create_socket_perms };
+allow getgameserver self:udp_socket { create_socket_perms };
+
+allowxperm getgameserver self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+allowxperm getgameserver self:udp_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+set_prop(getgameserver, vendor_mtk_netdagent_gameserver_prop)
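Review bot: In getgameserver.te, `allow getgameserver self:capability net_raw;` together with `self:packet_socket { create_socket_perms }` lets this daemon open raw packet sockets, so it can observe link-layer traffic, and the file carries no Date/Operation/Purpose comment explaining why. Add a purpose comment above those two rules, for example `# Purpose: <why getgameserver needs a raw packet socket>`, so the grant can be audited later. If the daemon only needs UDP, the `net_raw` and `packet_socket` rules could be dropped; that cannot be decided from the hunk alone.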
diff --git a/bsp/non_plat/hal_clientapi.te b/bsp/non_plat/hal_clientapi.te
new file mode 100644
index 0000000..54f3459
--- /dev/null
+++ b/bsp/non_plat/hal_clientapi.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_clientapi_client, hal_clientapi_server)
+binder_call(hal_clientapi_server, hal_clientapi_client)
+
+add_hwservice(hal_clientapi_server, volte_clientapi_ua_hwservice)
+
+# give permission for hal client
+allow hal_clientapi_client volte_clientapi_ua_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/hal_dfps.te b/bsp/non_plat/hal_dfps.te
new file mode 100644
index 0000000..e56b0df
--- /dev/null
+++ b/bsp/non_plat/hal_dfps.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_dfps_client, hal_dfps_server)
+binder_call(hal_dfps_server, hal_dfps_client)
+
+# give permission for hal client
+allow hal_dfps_client mtk_hal_dfps_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/hal_drm_widevine.te b/bsp/non_plat/hal_drm_widevine.te
new file mode 100644
index 0000000..fb632d2
--- /dev/null
+++ b/bsp/non_plat/hal_drm_widevine.te
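Review bot: Unlike `hal_clientapi.te` just above it (and `hal_rcs.te` and `hal_mtk_dmc.te` later in the patch), hal_dfps.te grants clients `find` on `mtk_hal_dfps_hwservice` but has no `add_hwservice(hal_dfps_server, mtk_hal_dfps_hwservice)`; `hal_presence.te` has the same gap for `volte_uce_ua_hwservice`. Unless the server domains are allowed to register the service by rules outside these hunks, registration with hwservicemanager would be denied. Writing `hal_attribute_hwservice(hal_dfps, mtk_hal_dfps_hwservice)`, as the `hal_mtk_*` files in this patch do, covers both add and find in one line and keeps the files consistent.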
@@ -0,0 +1,35 @@
+allow hal_drm_widevine debugfs_tracing:file write;
+allow hal_drm_widevine debugfs_ion:dir search;
+
+# Allow widevine hidl process read keybox stored in /mnt/vendor/persist
+allow hal_drm_widevine mnt_vendor_file:dir search;
+
+# Add sepolicy for tee relate
+allow hal_drm_widevine mobicore:unix_stream_socket connectto;
+allow hal_drm_widevine persist_data_file:dir search;
+allow hal_drm_widevine mobicore_user_device:chr_file { read write ioctl open };
+allow hal_drm_widevine persist_data_file:file { read getattr open };
+allow hal_drm_widevine mobicore_data_file:file { read open getattr};
+allow hal_drm_widevine mobicore_data_file:dir search;
+allow hal_drm_widevine block_device:dir search;
+allow hal_drm_widevine kb_block_device:blk_file r_file_perms;
+allow hal_drm_widevine dkb_block_device:blk_file r_file_perms;
+
+# Allow widevine hidl process access teeperf
+allow hal_drm_widevine teeperf_device:chr_file rw_file_perms_no_map;
+
+# Allow widevine hidl process access TEEI
+hal_client_domain(hal_drm_widevine, hal_teei_capi)
+hal_client_domain(hal_drm_widevine, hal_allocator)
+allow hal_drm_widevine teei_client_device:chr_file rw_file_perms;
+
+# Add selinux policy for mtee related permission
+allow hal_drm_widevine kisd:unix_stream_socket connectto;
+allow hal_drm_widevine sysfs_mmcblk:dir search;
+allow hal_drm_widevine sysfs_mmcblk:file { read open getattr};
+
+# Allow widevine hidl process access widevine kernel driver
+allow hal_drm_widevine widevine_drv_device:chr_file { getattr open read ioctl write };
+
+# Allow widevine hidl process to read vendor_mtk_soc_prop
+get_prop(hal_drm_widevine, vendor_mtk_soc_prop)
diff --git a/bsp/non_plat/hal_fingerprint_default.te b/bsp/non_plat/hal_fingerprint_default.te
new file mode 100644
index 0000000..49901f4
--- /dev/null
+++ b/bsp/non_plat/hal_fingerprint_default.te
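Review bot: The first two rules of hal_drm_widevine.te, `debugfs_tracing:file write` and `debugfs_ion:dir search`, give the DRM HAL debugfs access with no comment, while every other group in the file states its purpose. If they exist only for tracing or memory debugging on development builds, they belong inside the `userdebug_or_eng` macro so that user builds do not carry them. Otherwise add a comment naming the production code path that needs them, e.g. `# Purpose: <feature> writes trace markers / looks up ION debug nodes`.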
@@ -0,0 +1,21 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+allow hal_fingerprint_default teei_fp_device:chr_file rw_file_perms;
+allow hal_fingerprint_default teei_client_device:chr_file rw_file_perms;
+allow hal_fingerprint_default teei_control_file:dir r_dir_perms;
+allow hal_fingerprint_default teei_control_file:file rw_file_perms;
+allow hal_fingerprint_default teei_control_file:lnk_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tkcore_admin_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default self:unix_stream_socket connectto;
+allow hal_fingerprint_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_fingerprint_default mobicore_user_device:unix_stream_socket connectto;
+allow hal_fingerprint_default mobicore:unix_stream_socket connectto;
+allow hal_fingerprint_default tmpfs:chr_file rw_file_perms;
+allow hal_fingerprint_default debugfs_trace_marker:file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/hal_graphics_allocator_default.te b/bsp/non_plat/hal_graphics_allocator_default.te
new file mode 100644
index 0000000..5b9761c
--- /dev/null
+++ b/bsp/non_plat/hal_graphics_allocator_default.te
@@ -0,0 +1,3 @@
+#============= hal_graphics_allocator_default ==============
+allow hal_graphics_allocator_default teei_client_device:chr_file rw_file_perms;
+allow hal_graphics_allocator_default mobicore_user_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/hal_graphics_composer_default.te b/bsp/non_plat/hal_graphics_composer_default.te
new file mode 100644
index 0000000..a2f8018
--- /dev/null
+++ b/bsp/non_plat/hal_graphics_composer_default.te
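Review bot: In hal_fingerprint_default.te, `allow hal_fingerprint_default mobicore_user_device:unix_stream_socket connectto;` names a device type as the target of a socket permission; `connectto` is checked against the peer process's domain, so the rule looks like a slip for the `mobicore:unix_stream_socket connectto` rule on the next line and can be dropped. `tmpfs:chr_file rw_file_perms` matches any character device carrying the generic tmpfs label, which suggests an unlabelled node under /dev; label that node in file_contexts and allow its specific type instead. The `uhid_device` rule also deserves a purpose comment, since that device lets a process register virtual input devices.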
@@ -0,0 +1,39 @@
+# Date : WK17.25
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(hal_graphics_composer_default, hal_mtk_pq)
+
+# Date : WK17.25
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(hal_graphics_composer_default, hal_allocator)
+
+# Date : WK19.45
+# Operation : WFD
+# Purpose : HWC verify secure WFD
+get_prop(hal_graphics_composer_default, vendor_mtk_secure_venc_prop)
+
+# Date : WK20.39
+# Purpose: allow proess access tee node(tee_client_device/isee_tee0)
+allow hal_graphics_composer_default teei_client_device:chr_file rw_file_perms;
+
+# Date : WK20.40
+# Purpose : wifidisplay notify
+get_prop(hal_graphics_composer_default, vendor_mtk_wfd_enable_prop)
+
+# Date : WK21.01
+# Purpose : Allow to use MMAgent
+hal_client_domain(hal_graphics_composer_default, hal_mtk_mmagent)
+allow hal_graphics_composer_default ion_device:chr_file w_file_perms;
+
+# Date : WK21.25
+# Purpose : Allow to use DAM buffer
+allow hal_graphics_composer_default dmabuf_system_heap_device:chr_file rw_file_perms;
+
+# Data: WK21.26
+# Purpose: HWC needs to check whether mtk_svp_on_mtee is supported or not
+get_prop(hal_graphics_composer_default, vendor_mtk_svp_on_mtee_support_prop)
+
+# Data: WK21.35
+# Purpose: Call NpAgent
+hal_client_domain(hal_graphics_composer_default,hal_neuralnetworks)
diff --git a/bsp/non_plat/hal_keymaster_attestation.te b/bsp/non_plat/hal_keymaster_attestation.te
new file mode 100644
index 0000000..6c55f5f
--- /dev/null
+++ b/bsp/non_plat/hal_keymaster_attestation.te
@@ -0,0 +1,17 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+
+allow hal_keymaster_attestation ut_keymaster_device:chr_file rw_file_perms;
+allow hal_keymaster_attestation teei_client_device:chr_file rw_file_perms;
+hal_client_domain(hal_keymaster_attestation, hal_teei_capi)
+hal_client_domain(hal_keymaster_attestation, hal_allocator)
+hal_client_domain(hal_keymaster_attestation, hal_keymaster)
+set_prop(hal_keymaster_attestation, vendor_mtk_soter_teei_prop)
+allow hal_keymaster_attestation tkcore_admin_device:chr_file rw_file_perms;
+
+# Date : 2017/08/08 (or WK17.32)
+# Operation : Keymaster 3.0 Migration
+# Purpose : Set sepolicy for Keymaster attestation key injection
+allow hal_keymaster_attestation mobicore:unix_stream_socket connectto;
+allow hal_keymaster_attestation mobicore_user_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/hal_keymaster_default.te b/bsp/non_plat/hal_keymaster_default.te
new file mode 100644
index 0000000..d44b58c
--- /dev/null
+++ b/bsp/non_plat/hal_keymaster_default.te
@@ -0,0 +1,33 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.42 2017/10/19
+# Operation: Keymaster 3.0
+# Purpose: Access attestation key in persist partition
+allow hal_keymaster_default mnt_vendor_file:dir search;
+allow hal_keymaster_default persist_data_file:dir search;
+allow hal_keymaster_default persist_data_file:file r_file_perms;
+
+# Date : WK17.22 2017/06/02 (Revised for HIDL)
+# Operation : keystore CTS
+# Purpose : Open MobiCore access permission for keystore CTS hardware-backed solution
+allow hal_keymaster_default mobicore:unix_stream_socket { connectto read write };
+allow hal_keymaster_default mobicore_user_device:chr_file rw_file_perms;
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymaster
+allow hal_keymaster_default ut_keymaster_device:chr_file rw_file_perms;
+allow hal_keymaster_default teei_client_device:chr_file rw_file_perms;
+set_prop(hal_keymaster_default, vendor_mtk_soter_teei_prop)
+hal_client_domain(hal_keymaster_default, hal_teei_capi)
+hal_client_domain(hal_keymaster_default, hal_allocator)
+
+# Purpose: TrustKernel HW-backed Keymaster
+allow hal_keymaster_default tkcore_admin_device:chr_file rw_file_perms;
+
+# Date : 2018/09/11
+# Operation: MTEE Keymaster
+# Purpose: Access kisd to get key & certs
+allow hal_keymaster_default kisd:unix_stream_socket connectto;
diff --git a/bsp/non_plat/hal_keymint_default.te b/bsp/non_plat/hal_keymint_default.te
new file mode 100644
index 0000000..cdedc10
--- /dev/null
+++ b/bsp/non_plat/hal_keymint_default.te
@@ -0,0 +1,4 @@
+# Date : 2021/07/16
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymint
+allow hal_keymint_default teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/hal_mtk_apm.te b/bsp/non_plat/hal_mtk_apm.te
new file mode 100644
index 0000000..b1b5cd4
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_apm.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_apm, mtk_hal_apm_hwservice)
+
+binder_call(hal_mtk_apm_client, hal_mtk_apm_server)
+binder_call(hal_mtk_apm_server, hal_mtk_apm_client)
diff --git a/bsp/non_plat/hal_mtk_dmc.te b/bsp/non_plat/hal_mtk_dmc.te
new file mode 100644
index 0000000..390abb3
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_dmc.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+binder_call(hal_mtk_dmc_client, hal_mtk_dmc_server)
+binder_call(hal_mtk_dmc_server, hal_mtk_dmc_client)
+add_hwservice(hal_mtk_dmc_server, mtk_hal_dmc_hwservice)
+allow hal_mtk_dmc_client mtk_hal_dmc_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/hal_mtk_omadm.te b/bsp/non_plat/hal_mtk_omadm.te
new file mode 100644
index 0000000..1c5b170
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_omadm.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_omadm, mtk_hal_omadm_hwservice)
+
+binder_call(hal_mtk_omadm_client, hal_mtk_omadm_server)
+binder_call(hal_mtk_omadm_server, hal_mtk_omadm_client)
diff --git a/bsp/non_plat/hal_mtk_thp.te b/bsp/non_plat/hal_mtk_thp.te
new file mode 100644
index 0000000..a0cf40a
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_thp.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_thp, mtk_hal_thp_hwservice)
+
+binder_call(hal_mtk_thp_client, hal_mtk_thp_server)
+binder_call(hal_mtk_thp_server, hal_mtk_thp_client)
+
diff --git a/bsp/non_plat/hal_mtk_touchll.te b/bsp/non_plat/hal_mtk_touchll.te
new file mode 100644
index 0000000..be08128
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_touchll.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_touchll, mtk_hal_touchll_hwservice)
+
+binder_call(hal_mtk_touchll_client, hal_mtk_touchll_server)
+binder_call(hal_mtk_touchll_server, hal_mtk_touchll_client)
diff --git a/bsp/non_plat/hal_mtk_wfo.te b/bsp/non_plat/hal_mtk_wfo.te
new file mode 100644
index 0000000..5671090
--- /dev/null
+++ b/bsp/non_plat/hal_mtk_wfo.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_mtk_wfo, mtk_hal_wfo_hwservice)
+
+binder_call(hal_mtk_wfo_client, hal_mtk_wfo_server)
+binder_call(hal_mtk_wfo_server, hal_mtk_wfo_client)
diff --git a/bsp/non_plat/hal_presence.te b/bsp/non_plat/hal_presence.te
new file mode 100644
index 0000000..9950ebf
--- /dev/null
+++ b/bsp/non_plat/hal_presence.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_presence_client, hal_presence_server)
+binder_call(hal_presence_server, hal_presence_client)
+
+# give permission for hal client
+allow hal_presence_client volte_uce_ua_hwservice :hwservice_manager find;
diff --git a/bsp/non_plat/hal_rcs.te b/bsp/non_plat/hal_rcs.te
new file mode 100644
index 0000000..1da5237
--- /dev/null
+++ b/bsp/non_plat/hal_rcs.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_rcs_client, hal_rcs_server)
+binder_call(hal_rcs_server, hal_rcs_client)
+
+add_hwservice(hal_rcs_server, volte_rcs_ua_hwservice)
+
+# give permission for hal client
+allow hal_rcs_client volte_rcs_ua_hwservice:hwservice_manager find;
+
diff --git a/bsp/non_plat/hal_tee.te b/bsp/non_plat/hal_tee.te
new file mode 100644
index 0000000..d0efc4f
--- /dev/null
+++ b/bsp/non_plat/hal_tee.te
@@ -0,0 +1,9 @@
+##
+# Trustonic TeeService
+#
+
+binder_call(hal_tee_client, hal_tee_server)
+binder_call(hal_tee_server, hal_tee_client)
+
+add_hwservice(hal_tee_server, hal_tee_hwservice)
+allow hal_tee_client hal_tee_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/bsp/non_plat/hal_tee_default.te b/bsp/non_plat/hal_tee_default.te
new file mode 100644
index 0000000..af7c303
--- /dev/null
+++ b/bsp/non_plat/hal_tee_default.te
@@ -0,0 +1,20 @@
+##
+# Trustonic TeeService
+#
+
+type hal_tee_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_tee_default)
+
+hal_server_domain(hal_tee_default, hal_tee)
+hal_client_domain(hal_tee_default, hal_allocator)
+
+# Access to TEE driver nodes (user and tui)
+allow hal_tee_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_tee_default mobicore_tui_device:chr_file rw_file_perms;
+allow hal_tee_default system_app:fd use;
+
+# HIDL memory is using this behind the scene
+allow hal_tee_default untrusted_app_all:fd use;
+allow hal_tee_default teeregistryd_app:fd use;
+
diff --git a/bsp/non_plat/hal_teei_capi.te b/bsp/non_plat/hal_teei_capi.te
new file mode 100644
index 0000000..62a48f2
--- /dev/null
+++ b/bsp/non_plat/hal_teei_capi.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_capi, teei_hal_capi_hwservice)
+
+binder_call(hal_teei_capi_client, hal_teei_capi_server)
+binder_call(hal_teei_capi_server, hal_teei_capi_client)
diff --git a/bsp/non_plat/hal_teei_ifaa.te b/bsp/non_plat/hal_teei_ifaa.te
new file mode 100644
index 0000000..ba50010
--- /dev/null
+++ b/bsp/non_plat/hal_teei_ifaa.te
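Review bot: In hal_tee_default.te, `allow hal_tee_default untrusted_app_all:fd use;` accepts file descriptors from every untrusted app in a domain that also holds rw access to `mobicore_user_device` and `mobicore_tui_device`, and the comment gives the HIDL-memory mechanism but not the trust assumption. State it next to the rule, e.g. `# fds arrive via HIDL memory from app clients; TeeService must validate callers and buffers itself`. Whether untrusted apps are meant to be clients at all depends on the `hal_tee_client` assignments, which are outside this hunk; if they are not, the rule can be narrowed to the app domains that are.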
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_ifaa, teei_hal_ifaa_hwservice)
+
+binder_call(hal_teei_ifaa_client, hal_teei_ifaa_server)
+binder_call(hal_teei_ifaa_server, hal_teei_ifaa_client)
diff --git a/bsp/non_plat/hal_teei_thh.te b/bsp/non_plat/hal_teei_thh.te
new file mode 100644
index 0000000..4a10db2
--- /dev/null
+++ b/bsp/non_plat/hal_teei_thh.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_thh, teei_hal_thh_hwservice)
+
+binder_call(hal_teei_thh_client, hal_teei_thh_server)
+binder_call(hal_teei_thh_server, hal_teei_thh_client)
diff --git a/bsp/non_plat/hal_teei_tui.te b/bsp/non_plat/hal_teei_tui.te
new file mode 100644
index 0000000..22db585
--- /dev/null
+++ b/bsp/non_plat/hal_teei_tui.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_tui, teei_hal_tui_hwservice)
+
+binder_call(hal_teei_tui_client, hal_teei_tui_server)
+binder_call(hal_teei_tui_server, hal_teei_tui_client)
diff --git a/bsp/non_plat/hal_teei_wechat.te b/bsp/non_plat/hal_teei_wechat.te
new file mode 100644
index 0000000..a6a5467
--- /dev/null
+++ b/bsp/non_plat/hal_teei_wechat.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Microtrust SEPolicy Rule
+# ==============================================
+
+hal_attribute_hwservice(hal_teei_wechat, teei_hal_wechat_hwservice)
+
+binder_call(hal_teei_wechat_client, hal_teei_wechat_server)
+binder_call(hal_teei_wechat_server, hal_teei_wechat_client)
diff --git a/bsp/non_plat/hal_teeregistry.te b/bsp/non_plat/hal_teeregistry.te
new file mode 100644
index 0000000..a79561e
--- /dev/null
+++ b/bsp/non_plat/hal_teeregistry.te
@@ -0,0 +1,9 @@
+##
+# Trustonic TeeService
+#
+
+binder_call(hal_teeregistry_client, hal_teeregistry_server)
+binder_call(hal_teeregistry_server, hal_teeregistry_client)
+
+add_hwservice(hal_teeregistry_server, hal_teeregistry_hwservice)
+allow hal_teeregistry_client hal_teeregistry_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/bsp/non_plat/hal_teeregistry_default.te b/bsp/non_plat/hal_teeregistry_default.te
new file mode 100644
index 0000000..d307846
--- /dev/null
+++ b/bsp/non_plat/hal_teeregistry_default.te
@@ -0,0 +1,21 @@
+##
+# Trustonic TeeService
+#
+
+type hal_teeregistry_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_teeregistry_default, hal_teeregistry)
+
+hal_client_domain(hal_teeregistry_default, hal_allocator)
+
+# Access to TEE driver nodes (user and admin)
+allow hal_teeregistry_default mobicore_user_device:chr_file rw_file_perms;
+allow hal_teeregistry_default mobicore_admin_device:chr_file rw_file_perms;
+
+# Registry need to be accessed by the HAL OTAv1
+
+allow hal_teeregistry_default mobicore_data_file:dir { rw_dir_perms create rename rmdir };
+allow hal_teeregistry_default mobicore_data_file:file { rw_file_perms rename create };
+allow hal_teeregistry_default mobicore_vendor_file:file { r_file_perms };
+
+init_daemon_domain(hal_teeregistry_default);
diff --git a/bsp/non_plat/hal_tesiai_hdcp.te b/bsp/non_plat/hal_tesiai_hdcp.te
new file mode 100644
index 0000000..f9f07e4
--- /dev/null
+++ b/bsp/non_plat/hal_tesiai_hdcp.te
@@ -0,0 +1,6 @@
+# add/find permission rule to hwservicemanager
+hal_attribute_hwservice(hal_tesiai_hdcp, tesiai_hal_hdcp_hwservice)
+
+# Allow client domain to perform hwbinder IPC to server domain, and callbacks
+binder_call(hal_tesiai_hdcp_client, hal_tesiai_hdcp_server)
+binder_call(hal_tesiai_hdcp_server, hal_tesiai_hdcp_client)
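Review bot: In hal_teeregistry_default.te, `init_daemon_domain(hal_teeregistry_default);` ends with a semicolon and sits at the bottom of the file, whereas `hal_tee_default.te` calls the same macro without a semicolon directly after its `type ..._exec` line. Policy macros already expand to complete statements, so the trailing `;` is at best redundant; write `init_daemon_domain(hal_teeregistry_default)` and move it under the type declaration so the domain transition is visible before the allow rules. `hal_tetheroffload_default.te` has the same stray semicolon on its `hal_client_domain(hal_tetheroffload_default,mtk_hal_netdagent);` line.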
diff --git a/bsp/non_plat/hal_tetheroffload_default.te b/bsp/non_plat/hal_tetheroffload_default.te
new file mode 100644
index 0000000..a3ee2f9
--- /dev/null
+++ b/bsp/non_plat/hal_tetheroffload_default.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/tetheroffloadservice Executable File
+
+
+# ==============================================
+# New design
+# ==============================================
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+} create_socket_perms_no_ioctl;
+
+#============= for binder call ==============
+allow hal_tetheroffload_default system_server:binder call;
+allow hal_tetheroffload_default netdagent:binder call;
+
+#============= mddp device ==============
+allow hal_tetheroffload_default mddp_device:chr_file rw_file_perms;
+
+#============= proc ==============
+allow hal_tetheroffload_default proc_net:file r_file_perms;
+
+#=============for other hild services==============
+hal_client_domain(hal_tetheroffload_default,mtk_hal_netdagent);
+
+#============= other rules ==============
+allow hal_tetheroffload_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow hal_tetheroffload_default self:netlink_route_socket create_socket_perms_no_ioctl;
+allow hal_tetheroffload_default system_server:netlink_netfilter_socket {read write};
+allow hal_tetheroffload_default system_server:fd use;
+
diff --git a/bsp/non_plat/hal_wifi_supplicant_default.te b/bsp/non_plat/hal_wifi_supplicant_default.te
new file mode 100644
index 0000000..8384292
--- /dev/null
+++ b/bsp/non_plat/hal_wifi_supplicant_default.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typealias hal_wifi_supplicant_default alias wpa;
+
diff --git a/bsp/non_plat/healthd.te b/bsp/non_plat/healthd.te
new file mode 100644
index 0000000..21a9fb0
--- /dev/null
+++ b/bsp/non_plat/healthd.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow healthd sysfs_vcorefs_pwrctrl:file write;
diff --git a/bsp/non_plat/hwservice.te b/bsp/non_plat/hwservice.te
new file mode 100644
index 0000000..d679316
--- /dev/null
+++ b/bsp/non_plat/hwservice.te
@@ -0,0 +1,55 @@
+type mtk_hal_wfo_hwservice, hwservice_manager_type;
+type volte_uce_ua_hwservice, hwservice_manager_type;
+type mtk_hal_videotelephony_hwservice, hwservice_manager_type;
+type mtk_hal_codecservice_hwservice, hwservice_manager_type;
+type mtk_hal_netdagent_hwservice, hwservice_manager_type;
+type volte_rcs_ua_hwservice, hwservice_manager_type;
+type mtk_hal_dfps_hwservice, hwservice_manager_type;
+type mtk_hal_dplanner_hwservice, hwservice_manager_type;
+type mtk_hal_pplagent_hwservice, hwservice_manager_type;
+# omadm hidl
+type mtk_hal_omadm_hwservice, hwservice_manager_type;
+# DMC HIDL
+type mtk_hal_dmc_hwservice, hwservice_manager_type;
+# APM HIDL
+type mtk_hal_apm_hwservice, hwservice_manager_type;
+# nwk opt HIDL
+type mtk_hal_nwk_opt_hwservice, hwservice_manager_type;
+# touchll HIDL
+type mtk_hal_touchll_hwservice, hwservice_manager_type;
+# thp
+type mtk_hal_thp_hwservice, hwservice_manager_type;
+
+# MICROTRUST SEPolicy Rule
+# microtrust THH service manager type
+type teei_hal_thh_hwservice, hwservice_manager_type;
+
+# microtrust TUI service manager type
+type teei_hal_tui_hwservice, hwservice_manager_type;
+
+# microtrust IFAA service manager type
+type teei_hal_ifaa_hwservice, hwservice_manager_type;
+
+# microtrust CAPI service manager type
+type teei_hal_capi_hwservice, hwservice_manager_type;
+
+# microtrust WECHAT service manager type
+type teei_hal_wechat_hwservice, hwservice_manager_type;
+
+# Trustonic SEPolicy Rule
+type hal_tee_hwservice, hwservice_manager_type;
+type hal_teeregistry_hwservice, hwservice_manager_type;
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+type mtk_mdm_hidl_server, hwservice_manager_type;
+
+
+#client API HIDL
+type volte_clientapi_ua_hwservice, hwservice_manager_type;
+
+# ==============================================
+# HDCP SEPolicy Rule
+# ==============================================
+type tesiai_hal_hdcp_hwservice, hwservice_manager_type;
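Review bot: The `hwservice_contexts` file added next to this one maps `vendor.mediatek.hardware.keymanage::IKeymanage` to `mtk_hal_keymanage_hwservice`, but no `type mtk_hal_keymanage_hwservice, hwservice_manager_type;` appears in this hunk. Unless the type is declared in another policy directory of the patch, the context entry refers to an unknown type and should fail policy validation; add the declaration here or confirm where it lives. As a smaller point, `mtk_mdm_hidl_server` breaks the `_hwservice` suffix used by every other type in the file, which makes it easy to mistake for a domain.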
diff --git a/bsp/non_plat/hwservice_contexts b/bsp/non_plat/hwservice_contexts
new file mode 100644
index 0000000..73e3119
--- /dev/null
+++ b/bsp/non_plat/hwservice_contexts
@@ -0,0 +1,119 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2017/06/1 +vendor.mediatek.hardware.camera.advcam::IAdvCamControl u:object_r:hal_camera_hwservice:s0 + +# Date : 2017/06/15 +vendor.mediatek.hardware.wfo::IWifiOffload u:object_r:mtk_hal_wfo_hwservice:s0 + +# Date: 2017/06/22 +vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0 + +# Date : 2017/07/11 +vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_videotelephony_hwservice:s0 + +# Date : 2017/07/20 +vendor.mediatek.hardware.presence::IPresence u:object_r:volte_uce_ua_hwservice:s0 + +# Date: 2017/09/06 +vendor.mediatek.hardware.netdagent::INetdagent u:object_r:mtk_hal_netdagent_hwservice:s0 + +# Date : 2017/08/4 +vendor.mediatek.hardware.rcs::IRcs u:object_r:volte_rcs_ua_hwservice:s0 + +# Date: 2017/06/22 +vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0 + +# Date : 2017/10/22 +vendor.mediatek.hardware.dfps::IFpsPolicyService u:object_r:mtk_hal_dfps_hwservice:s0 + +# Date : 2018/11/13 +vendor.mediatek.hardware.dplanner::IDPlanner u:object_r:mtk_hal_dplanner_hwservice:s0 + +# Date : 2018/01/04 +# tablet DRM Key Manage HIDL +vendor.mediatek.hardware.keymanage::IKeymanage u:object_r:mtk_hal_keymanage_hwservice:s0 + +# Date: 2018/05/07 +vendor.mediatek.hardware.pplagent::IPplAgent u:object_r:mtk_hal_pplagent_hwservice:s0 + +# Date : 2019/05/14 +# Android Q diagnostic framework migration +vendor.mediatek.hardware.dmc::IDmcService u:object_r:mtk_hal_dmc_hwservice:s0 + +# Date : 2019/05/14 +# Android Q diagnostic framework migration +vendor.mediatek.hardware.apmonitor::IApmService u:object_r:mtk_hal_apm_hwservice:s0 + +# MICROTRUST SEPolicy Rule +# microtrust THH hidl +vendor.microtrust.hardware.thh::IThhDevice u:object_r:teei_hal_thh_hwservice:s0 + +# microtrust TUI hidl +vendor.microtrust.hardware.tui::ITuiDevice 
u:object_r:teei_hal_tui_hwservice:s0 + +# microtrust IFAA hidl +vendor.microtrust.hardware.ifaa::IIFAADevice u:object_r:teei_hal_ifaa_hwservice:s0 + +# microtrust Client Api hidl +vendor.microtrust.hardware.capi::IClientApiDevice u:object_r:teei_hal_capi_hwservice:s0 + +# microtrust wechat hidl +vendor.microtrust.hardware.soter::ISoter u:object_r:teei_hal_wechat_hwservice:s0 + +# Date : 2018/05/14 +# IMtkSupplicant hidl, to export Mediatek supplicant hidl interface to framework +vendor.mediatek.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0 + +# Date : 2018/07/16 +vendor.mediatek.hardware.camera.security::ISecureCamera u:object_r:hal_camera_hwservice:s0 + +# Date : 2018/08/27 +vendor.mediatek.hardware.camera.frhandler::IFRHandler u:object_r:hal_camera_hwservice:s0 + +# Date : 2019/05/16 +# Operation : IT +# Purpose : Add for HIDL service +vendor.mediatek.hardware.mdmonitor::IMDMonitorService u:object_r:mtk_mdm_hidl_server:s0 + +# omadm hidl +vendor.mediatek.hardware.omadm::IOmadm u:object_r:mtk_hal_omadm_hwservice:s0 + +# nwk opt HIDL +vendor.mediatek.hardware.nwk_opt::INwkOpt u:object_r:mtk_hal_nwk_opt_hwservice:s0 + +# Date : 2018/10/25 +vendor.mediatek.hardware.clientapi::IClientapi u:object_r:volte_clientapi_ua_hwservice:s0 + +# Date: 2019/09/25 +vendor.mediatek.hardware.touchll::ITouchll u:object_r:mtk_hal_touchll_hwservice:s0 + +# Date: 2019/11/07 +vendor.mediatek.hardware.thp::ITHP u:object_r:mtk_hal_thp_hwservice:s0 + +# Trustonic SEPolicy Rule +vendor.trustonic.tee::ITee u:object_r:hal_tee_hwservice:s0 +vendor.trustonic.tee.tui::ITui u:object_r:hal_tee_hwservice:s0 +vendor.trustonic.teeregistry::ITeeRegistry u:object_r:hal_teeregistry_hwservice:s0 + +# HDCP SEPolicy Rule +vendor.tesiai.hardware.hdcpconnection::IHDCPConnection u:object_r:tesiai_hal_hdcp_hwservice:s0 + +# Date : 2020/06/10 +# Define apuware context +vendor.mediatek.hardware.apuware.apusys::INeuronApusys u:object_r:hal_neuralnetworks_hwservice:s0 
+vendor.mediatek.hardware.apuware.xrp::INeuronXrp u:object_r:hal_neuralnetworks_hwservice:s0 + +# Date : 2020/07/03 +# Define uitls hidl context for ann +vendor.mediatek.hardware.apuware.utils::IApuwareUtils u:object_r:hal_neuralnetworks_hwservice:s0 + +# Date : 2021/04/23 +# Define hml hidl context +vendor.mediatek.hardware.apuware.hmp::IApuwareHmp u:object_r:hal_neuralnetworks_hwservice:s0 + +# Date : 2021/06/28 +# Define NpAgent hidl context for ann +vendor.mediatek.hardware.neuropilot.agent::IAgent u:object_r:hal_neuralnetworks_hwservice:s0 diff --git a/bsp/non_plat/init.te b/bsp/non_plat/init.te new file mode 100644 index 0000000..7a63da9 --- /dev/null +++ b/bsp/non_plat/init.te 
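Review bot: In the Trustonic block, `vendor.trustonic.tee.tui::ITui` is mapped to `hal_tee_hwservice`, the same label as `vendor.trustonic.tee::ITee`, so any domain allowed to `find` the general TEE interface can also look up the trusted-UI interface. The Microtrust entries in the same file keep these apart (`teei_hal_tui_hwservice` versus `teei_hal_capi_hwservice`). If the two Trustonic interfaces have different client sets, give ITui its own type, for example `vendor.trustonic.tee.tui::ITui u:object_r:hal_tee_tui_hwservice:s0` (type name constructed here), and declare it alongside `hal_tee_hwservice`.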
@@ -0,0 +1,39 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK15.15 +# Operation : Migration +# Purpose : set specific label for used raw partitions, for dumchar cases. +allow init system_block_device:blk_file relabelfrom; +allow init nvram_device:blk_file relabelto; +allow init nvdata_device:blk_file relabelto; +allow init nvcfg_block_device:blk_file relabelto; +allow init expdb_block_device:blk_file relabelto; +allow init misc2_block_device:blk_file relabelto; +allow init logo_block_device:blk_file relabelto; +allow init para_block_device:blk_file relabelto; +allow init tee_block_device:blk_file relabelto; +allow init seccfg_block_device:blk_file relabelto; +allow init secro_block_device:blk_file relabelto; +allow init frp_block_device:blk_file relabelto; +allow init userdata_block_device:blk_file relabelto; +allow init mtk_hal_dfps_exec:file getattr; + +# Operation : Migration +# Purpose : for init reboot operate /dev/RT_Monitor when enable hang detect +allow init RT_Monitor_device:chr_file rw_file_perms; + +# Purpose : For DuraSpeed +allow init proc_drop_caches:file w_file_perms; + +allow init teei_client_device:chr_file rw_file_perms; + +# Date : W19.28 +# Purpose: Allow to setattr for duraspeed.rc +allow init proc_cpu_loading:file setattr; +allow init proc_pressure_cpu:file setattr; + +# Date : W20.20 +# Purpose: Allow to create socket for rild +allow init volte_imsvt1_socket:sock_file create_file_perms; diff --git a/bsp/non_plat/init_thh_service.te b/bsp/non_plat/init_thh_service.te new file mode 100644 index 0000000..ba79a7b --- /dev/null +++ b/bsp/non_plat/init_thh_service.te 
@@ -0,0 +1,22 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust service
+type init_thh_service_exec, exec_type, file_type, vendor_file_type;
+
+# set up domain
+init_daemon_domain(init_thh_service)
+
+allow init_thh_service teei_data_file:dir create_dir_perms;
+allow init_thh_service teei_data_file:file create_file_perms;
+allow init_thh_service tee_device:chr_file rw_file_perms;
+
+# enable access android property
+set_prop(init_thh_service, vendor_mtk_soter_teei_prop)
+
+hal_client_domain(init_thh_service, hal_teei_capi)
+hal_client_domain(init_thh_service, hal_allocator)
+hal_client_domain(init_thh_service, hal_teei_thh)
diff --git a/bsp/non_plat/installd.te b/bsp/non_plat/installd.te
new file mode 100644
index 0000000..3978c95
--- /dev/null
+++ b/bsp/non_plat/installd.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.34
+# Operation : Migration
+# Purpose : Move app to phone storage
+# 1. Enter Settings->Apps
+# 2. Select Downloaded tab
+# 3. Choose the application and move to phone storage
+# 4. Check the application in Phone storage tab
+allow installd apk_tmp_file:dir getattr;
+allow installd vfat:file getattr;
+
+# Date : WK14.34
+# Operation : Development GMO Feature "Move OAT to SD Card"
+# Purpose : for GMO ROM Size Slim
+allow installd dalvikcache_data_file:lnk_file create_file_perms;
+allow installd sdcard_type:dir create_dir_perms;
+allow installd sdcard_type:file create_file_perms;
+
+# Date : WK14.40
+# Operation : SQC1
+# Purpose : for access .android_secure
+allow installd vfat:dir search;
+
+# Date : WK15.02
+# Operation : SQC0
+# Purpose : ALPS01889518 (MTK MTBF)
+allow installd platform_app:fd use;
+
+# Date : WK16.09
+# Operation : Migration
+# Purpose : copy the content in /data/media/0 to /data/media
+allow installd media_rw_data_file:file create_file_perms;
+allow installd shell_exec:file rx_file_perms;
diff --git a/bsp/non_plat/ipsec_mon.te b/bsp/non_plat/ipsec_mon.te
new file mode 100644
index 0000000..363b5ec
--- /dev/null
+++ b/bsp/non_plat/ipsec_mon.te
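Review bot: The "Move OAT to SD Card" rules let installd create `dalvikcache_data_file:lnk_file` entries and create files and directories on `sdcard_type`, which puts optimized app code, or links to it, on storage that other apps can typically write, and nothing in the hunk protects the integrity of that path. The last rule, `allow installd shell_exec:file rx_file_perms;`, also lets this privileged daemon execute the shell, although its stated purpose is a one-time copy of /data/media/0. If neither feature is built for this device, both rule groups should be dropped. Otherwise each should carry a comment naming the feature switch that requires it, and the result should be checked against the platform's neverallow rules for installd.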
@@ -0,0 +1,29 @@
+# ==============================================
+# Policy File of /vendor/bin/ipsec_mon Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ipsec_mon_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ipsec_mon)
+
+allow ipsec_mon self:netlink_xfrm_socket { write bind create read nlmsg_read nlmsg_write};
+allow ipsec_mon ims_ipsec_data_file:dir w_dir_perms;
+allow ipsec_mon ims_ipsec_data_file:file create_file_perms;
+allow ipsec_mon self:key_socket { write read create setopt };
+
+# Date: W17.36
+# Purpose: ipsec_mon fulfill 3x solution
+allow ipsec_mon self:capability { net_admin net_raw };
+allow ipsec_mon self:udp_socket { create ioctl };
+allow ipsec_mon self:netlink_route_socket { write read create nlmsg_read bind connect nlmsg_write};
+allowxperm ipsec_mon self:udp_socket ioctl { SIOCDEVPRIVATE_2 };
+allow ipsec_mon devpts:chr_file rw_file_perms;
+allow ipsec_mon proc_net:file w_file_perms;
+
+set_prop(ipsec_mon, vendor_mtk_network_prop)
+
+allowxperm ipsec_mon self:udp_socket ioctl SIOCDEVPRIVATE;
+dontaudit ipsec_mon kernel:system module_request;
diff --git a/bsp/non_plat/kernel.te b/bsp/non_plat/kernel.te
new file mode 100644
index 0000000..617400d
--- /dev/null
+++ b/bsp/non_plat/kernel.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow kernel teei_client_device:chr_file rw_file_perms;
+
+# For FPSGO set affinity
+allow kernel servicemanager:process setsched;
+allow kernel surfaceflinger:process setsched;
+allow kernel system_server:process setsched;
+allow kernel untrusted_app_all:process setsched;
diff --git a/bsp/non_plat/kpoc_charger.te b/bsp/non_plat/kpoc_charger.te
new file mode 100644
index 0000000..72cc627
--- /dev/null
+++ b/bsp/non_plat/kpoc_charger.te
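Review bot: In ipsec_mon.te, `allow ipsec_mon devpts:chr_file rw_file_perms;` gives a daemon that also holds `net_admin` and `net_raw` read/write access to pseudo-terminals, and nothing in the hunk states why; it looks like a leftover from running the binary from a shell. I would remove the rule, or use `dontaudit ipsec_mon devpts:chr_file rw_file_perms;` if the aim was only to quiet denials. The two ioctl whitelist entries are also split across the file; merging them into `allowxperm ipsec_mon self:udp_socket ioctl { SIOCDEVPRIVATE SIOCDEVPRIVATE_2 };` lets the whole whitelist be read in one place. The `proc_net:file w_file_perms` rule would benefit from a comment naming the /proc/net entry it writes.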
@@ -0,0 +1,39 @@ +# ============================================== +# Policy File of /system/bin/kpoc_charger Executable File + + +allow kpoc_charger logo_block_device:blk_file { read open }; + +# Date : WK15.45 +# Operation : Migration +# Purpose : add sepolicy for kpoc_charger +allow kpoc_charger logo_device:chr_file read; +allow kpoc_charger logo_device:chr_file open; +allow kpoc_charger bootdevice_block_device:blk_file read; +allow kpoc_charger bootdevice_block_device:blk_file open; + +# Date : WK18.20 +# Operation : Android P migration +# Purpose : access boot mode +allow kpoc_charger sysfs_boot_mode:file r_file_perms; + +# Purpose : access pump_express +allow kpoc_charger sysfs_pump_express:file r_file_perms; + +# Purpose: ioctl operation on /dev/RT_Monitor to enable hang detect +allow kpoc_charger RT_Monitor_device:chr_file r_file_perms; + +# Purpose: Add permission to access metadata_file and sysfs to +# enable fast charging algorithm +allow kpoc_charger metadata_file:file r_file_perms; +allow kpoc_charger sysfs_fs_chg_file:file rw_file_perms; + +allow kpoc_charger gsi_metadata_file:dir search; +allow kpoc_charger self:capability2 block_suspend; + +#Purpose: Add permission for DRM in animation +allow kpoc_charger dri_device:chr_file rw_file_perms; + +# Date : WK21.31 +# Purpose: Add permission to access new bootmode file +allow kpoc_charger sysfs_boot_info:file r_file_perms; diff --git a/bsp/non_plat/logd.te b/bsp/non_plat/logd.te new file mode 100644 index 0000000..c60def9 --- /dev/null +++ b/bsp/non_plat/logd.te @@ -0,0 +1,7 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : W18.26 +# Allow logmuch related property +get_prop(logd, vendor_mtk_logmuch_prop) diff --git a/bsp/non_plat/logo_updater.te b/bsp/non_plat/logo_updater.te new file mode 100644 index 0000000..a6ead89 --- /dev/null +++ b/bsp/non_plat/logo_updater.te 
@@ -0,0 +1,7 @@
+type logo_updater, domain, mlstrustedsubject;
+type logo_updater_exec, exec_type, file_type, vendor_file_type;
+init_daemon_domain(logo_updater)
+
+allow logo_updater logo_block_device:blk_file rw_file_perms;
+allow logo_updater vendor_file:file r_file_perms;
+allow logo_updater block_device:dir search;
diff --git a/bsp/non_plat/md_monitor.te b/bsp/non_plat/md_monitor.te
new file mode 100644
index 0000000..2f23ba7
--- /dev/null
+++ b/bsp/non_plat/md_monitor.te
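Review bot: `type logo_updater, domain, mlstrustedsubject;` exempts the domain from MLS constraints, yet the three allow rules only touch `logo_block_device`, `vendor_file` and `block_device`, none of which visibly needs an MLS override. Unless a rule outside this file depends on it, I would declare `type logo_updater, domain;`. The file also lacks the date/purpose header the other files in this patch carry; a comment such as `# Purpose : rewrite the boot logo partition from a vendor image` (wording to be confirmed by the author) should explain why a daemon needs `rw_file_perms` on a raw partition. `vendor_file:file r_file_perms` covers every generically labelled vendor file, so a dedicated label for the logo image would be narrower.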
@@ -0,0 +1,57 @@ +# ============================================== +# Policy File of /vendor/bin/md_monitor Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type md_monitor_exec ,exec_type, vendor_file_type, file_type; +init_daemon_domain(md_monitor) + +typeattribute md_monitor mlstrustedsubject; + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2019/05/16 +# Operation : IT +# Purpose : access /data/vendor/md_mon/, write filter bin and layout file to this dir +allow md_monitor md_monitor_vendor_file:dir { create_dir_perms relabelto relabelfrom}; +allow md_monitor md_monitor_vendor_file:file create_file_perms; + +# Date : 2017/10/20 +# Operation : IT +# Purpose : Allow md_monitor to dump raw data to file in /sdcard/MdmDump/ +allow md_monitor mnt_user_file:dir search; +allow md_monitor mnt_user_file:lnk_file read; +allow md_monitor sdcardfs:dir create_dir_perms; +allow md_monitor sdcardfs:file create_file_perms; +allow md_monitor storage_file:lnk_file read; + +# Date : 2019/05/16 +# Operation : IT +# Purpose : Add for HIDL service +add_hwservice(md_monitor, mtk_mdm_hidl_server) +get_prop(md_monitor, hwservicemanager_prop) +hwbinder_use(md_monitor) +hal_server_domain(md_monitor, md_monitor_hal) + +# Date : 2015/10/12 +# Operation : IT +# Purpose : Allow md_monitor to set +allow md_monitor ccci_mdmonitor_device:chr_file rw_file_perms; +allow md_monitor ccci_ccb_device:chr_file rw_file_perms; +allow md_monitor sysfs_ccci:dir search; +allow md_monitor sysfs_ccci:file r_file_perms; +allow md_monitor file_contexts_file:file r_file_perms; + +# Date : 2017/10/16 +# Operation : IT +# Purpose : Allow md_monitor to use restore_image_from_pt() +allow md_monitor block_device:dir search; +allow md_monitor md_block_device:blk_file r_file_perms; +allow md_monitor self:capability chown; +allow md_monitor 
storage_file:dir search; +allow md_monitor tmpfs:lnk_file read; diff --git a/bsp/non_plat/md_monitor_hal.te b/bsp/non_plat/md_monitor_hal.te new file mode 100644 index 0000000..f0a81b7 --- /dev/null +++ b/bsp/non_plat/md_monitor_hal.te @@ -0,0 +1,5 @@ +# HwBinder IPC from client to server, and callbacks +binder_call(md_monitor_hal_client, md_monitor_hal_server) +binder_call(md_monitor_hal_server, md_monitor_hal_client) + +allow md_monitor_hal_client mtk_mdm_hidl_server:hwservice_manager find; diff --git a/bsp/non_plat/mdi_redirector.te b/bsp/non_plat/mdi_redirector.te new file mode 100644 index 0000000..ad6f844 --- /dev/null +++ b/bsp/non_plat/mdi_redirector.te @@ -0,0 +1,6 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Read ro.vendor.mtk_mapi_support +get_prop(mdi_redirector, vendor_mtk_dmc_prop) diff --git a/bsp/non_plat/mdmi_redirector.te b/bsp/non_plat/mdmi_redirector.te new file mode 100644 index 0000000..95fcdd9 --- /dev/null +++ b/bsp/non_plat/mdmi_redirector.te @@ -0,0 +1,6 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Read ro.vendor.mtk_mapi_support +get_prop(mdmi_redirector, vendor_mtk_dmc_prop) diff --git a/bsp/non_plat/mediacodec.te b/bsp/non_plat/mediacodec.te new file mode 100644 index 0000000..ea34c6b --- /dev/null +++ b/bsp/non_plat/mediacodec.te 
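Review bot: In md_monitor.te the domain is made `mlstrustedsubject` and given `sdcardfs:dir create_dir_perms` and `sdcardfs:file create_file_perms` to dump raw modem data to /sdcard/MdmDump/, where any app with shared-storage access can presumably read it. The same hunk already defines `md_monitor_vendor_file` for /data/vendor/md_mon/, so I would write dumps there and drop the `sdcardfs`, `mnt_user_file` and `storage_file` rules, or wrap them in `userdebug_or_eng(...)` so user builds do not carry them. `allow md_monitor self:capability chown;` and the `relabelto relabelfrom` on `md_monitor_vendor_file` have no rationale beyond the function name in the comment; each needs a one-line reason. The comment "Allow md_monitor to set" is also cut off and should name what is being set.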
@@ -0,0 +1,79 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Data : WK16.25 +# Operation : Camera display client +# Purpose : for SVP secure memory allocation +allow mediacodec proc_secmem:file rw_file_perms; + +# Date : WK16.25 +# Operation : WVL1 IT +# Purpose : SVP module operates secmem driver +allow mediacodec mobicore_data_file:file { read open getattr}; +allow mediacodec mobicore_user_device:chr_file rw_file_perms; +allow mediacodec mobicore:unix_stream_socket connectto; +allow mediacodec mobicore_data_file:dir search; +allow mediacodec persist_data_file:file { read getattr open }; +allow mediacodec persist_data_file:dir search; + +# Date : WK16.28 +# Operation : video codec driver +# Purpose : for performance profiling and timing issue tracking during video playback +allow mediacodec debugfs_fb:dir search; + +# Date : WK16.29 +# Operation : Migration +# Purpose : Add permission for gpu access +allow mediacodec dri_device:chr_file rw_file_perms; + +# Date : WK16.50 +# Operation : video codec driver +# Purpose : Add permission for thermal function access +allow mediacodec proc_mtktz:dir search; +allow mediacodec proc_mtktz:file r_file_perms; + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use HAL PQ +hal_client_domain(mediacodec, hal_mtk_pq) + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use shared memory for HAL PQ +hal_client_domain(mediacodec, hal_allocator) + +# Date : WK17.31 +# Stage: O Migration, SQC +# Purpose: Allow to use ape decoder +hal_client_domain(mediacodec, hal_mtk_codecservice) + +# Date : WK18.46 +# Operation : WVL1 IT for TEEI +# Purpose : SVP module operates TEEI +hal_client_domain(mediacodec, hal_teei_capi) +allow mediacodec teei_client_device:chr_file rw_file_perms; + +# Date : WK19.44 +# Purpose: Android Migration for D2+ Encoder +allow mediacodec proc_chip:dir r_dir_perms; +allow mediacodec proc_chip:file 
r_file_perms; + +# Date : WK19.45 +# Operation : WFD +# Purpose : Allow set property to notify HWC secure venc enabled +set_prop(mediacodec, vendor_mtk_secure_venc_prop) + +# Date : WK20.22 +# Operation : VDEC debug +# Purpose : allow vdec can dump file to storage +allow mediacodec vcodec_file:dir create_dir_perms; +allow mediacodec vcodec_file:file create_file_perms; + +# Date : WK20.40 +# Operation : WFD +# Purpose : Allow set property to notify HWC wfd enabled +set_prop(mediacodec, vendor_mtk_wfd_enable_prop) + +#allow get mtk_sec_video_path_support +get_prop(mediacodec, vendor_mtk_sec_video_path_support_prop) diff --git a/bsp/non_plat/mediaserver.te b/bsp/non_plat/mediaserver.te new file mode 100644 index 0000000..89062fa --- /dev/null +++ b/bsp/non_plat/mediaserver.te 
@@ -0,0 +1,106 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK14.52 +# Operation : WVL1 IT +# Purpose : SVP module operates secmem driver +allow mediaserver mobicore_data_file:file getattr; +allow mediaserver mobicore_data_file:file getattr; + +allow mediaserver mobicore_data_file:file { getattr read}; +allow mediaserver mobicore_user_device:chr_file { read write open ioctl}; + +# Date: WK14.45 +# Operation : Migration +# Purpose : HDCP +allow mediaserver persist_data_file:file { read write getattr }; + +# Date : WK15.03 +# Operation : Migration +# Purpose : offloadservice +allow mediaserver offloadservice_device:chr_file { read write ioctl open }; + +# Data : WK14.38 +# Operation : Migration +# Purpose : WFD +allow mediaserver surfaceflinger:dir search; +allow mediaserver surfaceflinger:file { read open }; + +# Date : WK14.49 +# Operation : WFD +# Purpose : WFD notifies its status to thermal module +allow mediaserver proc_thermal:file { write getattr open }; +allow mediaserver proc_mtkcooler:file { read write open }; +allow mediaserver proc_mtktz:file { read write open }; +allow mediaserver proc_thermal:file { read write open }; + +# Date : WK15.44 +# Operation : Migration +# Purpose : ancservice +allow mediaserver ancservice_device:chr_file { read write ioctl open }; + +# Date : WK16.29 +# Operation : Migration +# Purpose : Add permission for gpu access +allow mediaserver dri_device:chr_file { read write open ioctl }; + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use HAL PQ +hal_client_domain(mediaserver, hal_mtk_pq) + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use shared memory for HAL PQ +hal_client_domain(mediaserver, hal_allocator) + +# Date : WK17.31 +# Stage: O Migration, SQC +# Purpose: Allow to use ape decoder +hal_client_domain(mediaserver, hal_mtk_codecservice) + +# Date : WK17.31 +# Operation : ViLTE +# Purpose : 
for ViLTE - set VTservice has permission to access me +allow mediaserver vtservice:binder { transfer call }; +allow mediaserver vtservice:fd use; + +# Date : WK17.43 +# Operation : OMA DRM +# Purpose : Allow mediaserver to read processname to pass OMA DRM permisson check +allow mediaserver platform_app:dir search; +allow mediaserver platform_app:file { read open }; + +# Date : WK17.47 +# Operation : SQC +# Purpose : Allow mediaserver to read processname of DeskClock to pass OMA DRM permisson check +allow mediaserver mediaprovider:dir search; +allow mediaserver platform_app:file getattr; +allow mediaserver system_app:dir search; +allow mediaserver system_app:file read; +allow mediaserver system_app:file open; + +# Date : WK17.49 +# Operation : VOW +# Purpose: Allow read and getattr path="/data/data/com.mediatek.voicecommand/training +# /anyone/passwordfile/0.dat" +allow mediaserver system_app_data_file:file { read getattr }; + +# Date : WK19.16 +# Operation : WFD +# Purpose: Allow ioctl +allowxperm mediaserver proc_perfmgr:file ioctl { + PERFMGR_FPSGO_QUEUE + PERFMGR_FPSGO_DEQUEUE +}; + +# Date : WK19.43 +# Operation : HDCP +# Purpose : Allow to connect HDCP HIDL server +hal_client_domain(mediaserver, hal_tesiai_hdcp) + +# Date : WK21.37 +# Operation : HDCP +# Purpose : Allow HDCP to access wv dev to get handle +allow mediaserver widevine_drv_device:chr_file rw_file_perms_no_map; diff --git a/bsp/non_plat/mediaswcodec.te b/bsp/non_plat/mediaswcodec.te new file mode 100644 index 0000000..60af43c --- /dev/null +++ b/bsp/non_plat/mediaswcodec.te @@ -0,0 +1,7 @@ +# Date : WK19.25 +# Operation : Migration +# Purpose : [ALPS04666895] DRTS failed due to avc denied +allow mediaswcodec debugfs_ion:dir rw_dir_perms; +allow mediaswcodec gpu_device:dir rw_dir_perms; +allow mediaswcodec dri_device:chr_file rw_file_perms; +allow mediaswcodec gpu_device:chr_file rw_file_perms; \ No newline at end of file 
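Review bot: In mediaserver.te, `allow mediaserver system_app_data_file:file { read getattr };` lets a process that parses untrusted media read every file labelled `system_app_data_file`, although the comment names a single voicecommand training file; having the owning app hand over an open descriptor would likely avoid the type-wide grant. The `dir search` and `file read/open` rules on `platform_app`, `system_app` and `surfaceflinger` for the OMA DRM process-name check similarly expose other processes' /proc entries to mediaserver. Separately, `allow mediaserver mobicore_data_file:file getattr;` appears twice and is subsumed by the `{ getattr read}` rule after it, and `proc_thermal:file` is granted in two rules four lines apart; each pair should collapse into one rule.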
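Review bot: In mediaswcodec.te, `allow mediaswcodec debugfs_ion:dir rw_dir_perms;` gives the software-codec sandbox write access to a debugfs directory, and the only stated reason is an AVC denial in a test run (ALPS04666895). A sandbox that decodes untrusted media should not reach debugfs on production builds. If the denial is only noise, `dontaudit mediaswcodec debugfs_ion:dir search;` is the narrower answer. The same question applies to `gpu_device:dir rw_dir_perms`, since directory write on a device node type is rarely what a codec needs. The file also ends without a newline.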
diff --git a/bsp/non_plat/merged_hal_service.te b/bsp/non_plat/merged_hal_service.te
new file mode 100644
index 0000000..28985fa
--- /dev/null
+++ b/bsp/non_plat/merged_hal_service.te
@@ -0,0 +1,5 @@
+# Date : 2018/4/13
+# Operation: SQC
+# Purpose : Allow powerHAL to access dfps
+allow merged_hal_service mtk_hal_dfps:binder call;
+hal_client_domain(merged_hal_service, hal_dfps);
diff --git a/bsp/non_plat/meta_tst.te b/bsp/non_plat/meta_tst.te
new file mode 100644
index 0000000..05c8bf5
--- /dev/null
+++ b/bsp/non_plat/meta_tst.te
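Review bot: `hal_client_domain(merged_hal_service, hal_dfps);` ends with a semicolon, unlike every other macro call in this patch; it should read `hal_client_domain(merged_hal_service, hal_dfps)`. The explicit `allow merged_hal_service mtk_hal_dfps:binder call;` above it is probably redundant if the hal_dfps attribute file (not visible here) already has a `binder_call` between its client and server attributes. If so, keeping only the macro leaves the access tied to the HAL attribute instead of to one concrete server domain.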
@@ -0,0 +1,89 @@ +# ============================================== +# Policy File of /vendor/bin/meta_tst Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2016/06/01 +# Operation: TEEI integration +# Purpose: Microtrust service +allow meta_tst init_thh_service_exec:file rx_file_perms; +allow meta_tst teei_data_file:dir create_dir_perms; +allow meta_tst teei_data_file:file create_file_perms; +allow meta_tst teei_client_device:chr_file { create setattr unlink rw_file_perms }; +set_prop(meta_tst, vendor_mtk_soter_teei_prop) +hal_client_domain(meta_tst, hal_teei_thh) +allow meta_tst tee_device:chr_file rw_file_perms; + +allow meta_tst camera_fdvt_device:chr_file rw_file_perms; +allow meta_tst camera_owe_device:chr_file rw_file_perms; +allow meta_tst camera_wpe_device:chr_file rw_file_perms; +allow meta_tst camera_gepf_device:chr_file rw_file_perms; +allow meta_tst camera_rsc_device:chr_file rw_file_perms; +allow meta_tst camera_tsf_device:chr_file rw_file_perms; +allow meta_tst camera_isp_device:chr_file rw_file_perms; +allow meta_tst ccu_device:chr_file rw_file_perms; +allow meta_tst vpu_device:chr_file rw_file_perms; + +# Data: W17.27 +# DRM Key Installation HIDL +allow meta_tst mtk_hal_keyinstall:binder call; + +# Date: W17.27 +# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keyinstall@1.0-service. +hal_client_domain(meta_tst, hal_keymaster) + +# Date: W17.46 +allow meta_tst dm_device:blk_file rw_file_perms; +allow meta_tst devpts:chr_file rw_file_perms; +allow meta_tst kmsg_device:chr_file w_file_perms; +allow meta_tst sysfs_fs_ext4_features:dir search; +allow meta_tst sysfs_fs_ext4_features:file read; +allow meta_tst vendor_block_device:blk_file getattr; +allow meta_tst protect1_block_device:blk_file getattr; +allow meta_tst protect2_block_device:blk_file getattr; + +# Date: W17.48 +# Purpose : meta connect with ATCI by socket. 
+set_prop(meta_tst, vendor_mtk_persist_service_atci_prop) +allow meta_tst atcid:unix_stream_socket connectto; + +# Purpose: TrustKernel Service +allow meta_tst tkcore_admin_device:chr_file { read write open ioctl }; +allow meta_tst sdcardfs:dir create_dir_perms; +allow meta_tst sdcardfs:file create_file_perms; + +# Data: W18.01 +#tablet DRM Key Manager HIDL +allow meta_tst mtk_hal_keymanage:binder call; + +# lite version start +allow meta_tst init_thh_service_exec:file { execute_no_trans }; +# lite version end + +# Date: W18.32 +# Purpose: DRM key install +allow meta_tst mobicore_user_device:chr_file rw_file_perms; + +# Data: W19.18 +# Operation: Android Q migration +# Purpose : meta set atci property +set_prop(meta_tst, vendor_mtk_atci_sys_prop) +allow meta_tst adb_atci_socket:sock_file write; + +# Date: WK20.13 +# Operation : Migration +# Purpose : HDCP +allow meta_tst persist_data_file:dir create_dir_perms; +allow meta_tst persist_data_file:file create_file_perms; +allow meta_tst mobicore_vendor_file:file lock; +allow meta_tst self:capability chown; + +hal_client_domain(meta_tst, hal_teei_capi) +hal_client_domain(meta_tst, hal_allocator) + +# Date : WK20.51 +# Purpose: Allow meta connect to sysfs_pmu +allow meta_tst sysfs_pmu:dir search; +allow meta_tst sysfs_pmu:file rw_file_perms; diff --git a/bsp/non_plat/mobicore.te b/bsp/non_plat/mobicore.te new file mode 100644 index 0000000..550fa27 --- /dev/null +++ b/bsp/non_plat/mobicore.te 
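Review bot: In meta_tst.te the factory-test domain receives `dm_device:blk_file rw_file_perms`, `teei_client_device:chr_file { create setattr unlink rw_file_perms }` and `init_thh_service_exec:file { execute_no_trans }` unconditionally. Nothing visible in the hunk restricts these to META or factory boot, so on a shipped device the domain keeps raw device-mapper write access and can run the TEE helper inside its own domain rather than through a transition. I would document which rules are needed outside factory mode and prefer a domain transition to `execute_no_trans`. The W17.27 comment also says the rule is for the keyinstall service while the rule is `hal_client_domain(meta_tst, hal_keymaster)`; one of the two is wrong and should be corrected.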
@@ -0,0 +1,33 @@
+##
+# Trustonic TEE (mobicore) daemon
+#
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type mobicore_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+# permissive mobicore;
+init_daemon_domain(mobicore)
+allow mobicore mobicore_admin_device:chr_file rw_file_perms;
+allow mobicore mobicore_user_device:chr_file rw_file_perms;
+allow mobicore mobicore_data_file:dir { create rw_dir_perms rename reparent };
+allow mobicore mobicore_data_file:file { create_file_perms rw_file_perms };
+
+# Date : 2016/10/17 (or WK16.43)
+# Operation : TUI Migration/SQC
+# Purpose : Set new added properties for TuiStarter in 311B mcDriverDaemon
+allow mobicore mobicore_tui_device:chr_file { read open ioctl };
+
+# Date: 2017/12/11
+# Purpose: set policy for FBE
+allow mobicore unlabeled:dir search;
+
+# Date: 2018/06/22
+# Purpose: set sepolicy for access mnt vendor file on Android P
+allow mobicore mnt_vendor_file:dir search;
+allow mobicore persist_data_file:dir { ra_dir_perms };
+allow mobicore persist_data_file:file { read write create open getattr };
diff --git a/bsp/non_plat/mobicore_app.te b/bsp/non_plat/mobicore_app.te
new file mode 100644
index 0000000..4c70ba6
--- /dev/null
+++ b/bsp/non_plat/mobicore_app.te
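Review bot: `allow mobicore unlabeled:dir search;` ("set policy for FBE") lets the TEE daemon traverse any directory that has lost its label, which hides a labelling gap instead of fixing it. The directory it needs should get a file_contexts entry, and the rule should name that type. The commented-out `# permissive mobicore;` is a debugging leftover and should be deleted so nobody re-enables it by accident. `mobicore_data_file:file { create_file_perms rw_file_perms }` can be shortened to `create_file_perms`, since that macro already includes `rw_file_perms` in the AOSP definitions.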
@@ -0,0 +1,16 @@ +app_domain(mobicore_app) +net_domain(mobicore_app) + +# ============================================== +# Rules between mobicore_app and mobicore +# ============================================== + +# For RootPA (TA installation OTAv1) + RSU daemon +allow mobicore_app mobicore_user_device:chr_file { getattr read write ioctl open }; +allow mobicore_app mobicore_admin_device:chr_file { getattr }; + +allow mobicore_app mobicore_data_file:dir { read getattr open search}; +allow mobicore_app mobicore_data_file:file { read getattr open }; +allow mobicore_app mobicore_tui_device:chr_file { ioctl open read}; +allow mobicore_app mobicore:unix_stream_socket { connectto }; + diff --git a/bsp/non_plat/mtk_advcamserver.te b/bsp/non_plat/mtk_advcamserver.te new file mode 100644 index 0000000..c5be294 --- /dev/null +++ b/bsp/non_plat/mtk_advcamserver.te @@ -0,0 +1,14 @@ +# ============================================== +# Policy File of /system/bin/mtk_advcamserver Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +binder_call(mtk_advcamserver, mtk_hal_camera) + +allow mtk_advcamserver hal_graphics_allocator_default:fd use; +allow mtk_advcamserver hal_graphics_mapper_hwservice:hwservice_manager find; +allow mtk_advcamserver debugfs_ion:dir search; +allow mtk_advcamserver proc_perfmgr:dir search; +allow mtk_advcamserver proc_perfmgr:file r_file_perms; diff --git a/bsp/non_plat/mtk_agpsd.te b/bsp/non_plat/mtk_agpsd.te new file mode 100644 index 0000000..d5b884a --- /dev/null +++ b/bsp/non_plat/mtk_agpsd.te 
@@ -0,0 +1,13 @@ +# ============================================== +# Policy File of /system/bin/mtk_agpsd Executable File + +# Request CDMA network info for CDMA A-GPS +allow mtk_agpsd rild:unix_dgram_socket sendto; + +#============= mtk_agpsd ============== +allow mtk_agpsd sysfs_ccci:dir search; +allow mtk_agpsd sysfs_ccci:file { read open }; + +# Allow to connect APM HIDL server +hal_client_domain(mtk_agpsd, hal_mtk_apm) +get_prop(mtk_agpsd, vendor_mtk_dmc_prop) diff --git a/bsp/non_plat/mtk_hal_audio.te b/bsp/non_plat/mtk_hal_audio.te new file mode 100644 index 0000000..a44a747 --- /dev/null +++ b/bsp/non_plat/mtk_hal_audio.te @@ -0,0 +1,2 @@ +# Purpose : adsp +allow mtk_hal_audio adsp_device:chr_file { rw_file_perms }; diff --git a/bsp/non_plat/mtk_hal_c2.te b/bsp/non_plat/mtk_hal_c2.te new file mode 100644 index 0000000..ecd5b0a --- /dev/null +++ b/bsp/non_plat/mtk_hal_c2.te @@ -0,0 +1,12 @@ +#============= mtk_hal_c2 for SVP on legacy vcodec ============== +allow mtk_hal_c2 mobicore_user_device:chr_file rw_file_perms; +allow mtk_hal_c2 proc_m4u:file r_file_perms; +allowxperm mtk_hal_c2 proc_m4u:file ioctl { + MTK_M4U_T_SEC_INIT + MTK_M4U_T_CONFIG_PORT + MTK_M4U_T_CACHE_SYNC + MTK_M4U_T_CONFIG_PORT_ARRAY +}; + +hal_client_domain(mtk_hal_c2, hal_teei_capi) +allow mtk_hal_c2 teei_client_device:chr_file rw_file_perms; diff --git a/bsp/non_plat/mtk_hal_camera.te b/bsp/non_plat/mtk_hal_camera.te new file mode 100644 index 0000000..d06affa --- /dev/null +++ b/bsp/non_plat/mtk_hal_camera.te 
@@ -0,0 +1,105 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.27
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(mtk_hal_camera, hal_mtk_pq)
+
+# Date : WK17.27
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(mtk_hal_camera, hal_allocator)
+
+# WK17.33 camera binder_call permission
+binder_call(mtk_hal_camera, system_server)
+
+# Date : WK17.33
+# Stage: O Migration, SQC
+# Purpose: Allow to set log too much property
+set_prop(mtk_hal_camera, vendor_mtk_logmuch_prop)
+
+# Date : WK17.35
+# Stage: O Migration, SQC
+# Purpose: camera notifies its status to thermal module
+allow mtk_hal_camera proc_thermal:file rw_file_perms;
+allow mtk_hal_camera proc_mtktz:file rw_file_perms;
+get_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop)
+allow mtk_hal_camera proc_mtkcooler:file rw_file_perms;
+
+# W17.36 callback to mtk_advcamserver
+binder_call(mtk_hal_camera, mtk_advcamserver)
+
+# Date : WK17.39
+# Stage: O1 Migration, SQC
+# Purpose : Update camera Vcodec device file
+allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms;
+
+# Date : WK17.42
+# Operation : Migration
+# Purpose : Dump camera buffer to sdcard for debug
+allow mtk_hal_camera sdcardfs:dir create_dir_perms;
+allow mtk_hal_camera sdcardfs:file create_file_perms;
+
+# Date : WK17.48
+# Stage: O Migration
+# Purpose: CCT
+allow mtk_hal_camera cct_data_file:dir create_dir_perms;
+allow mtk_hal_camera cct_data_file:file create_file_perms;
+allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
+
+# Date : WK18.22
+# Stage: p Migration
+# Purpose: NVRAM
+allow mtk_hal_camera nvram_data_file:dir search;
+allow mtk_hal_camera nvram_data_file:file rw_file_perms;
+allow mtk_hal_camera nvram_data_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvdata_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvdata_file:dir create_dir_perms;
+allow mtk_hal_camera nvdata_file:file create_file_perms;
+allow mtk_hal_camera nvcfg_file:lnk_file r_file_perms;
+allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
+allow mtk_hal_camera nvcfg_file:file create_file_perms;
+allow mtk_hal_camera mnt_vendor_file:dir search;
+allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
+
+# Date : WK18.29
+# Stage: P Migration
+# Purpose: Trustonic TEE access
+allow mtk_hal_camera mobicore_user_device:chr_file rw_file_perms;
+
+# Date : WK18.29
+# Stage: P Migration
+# Purpose: secure memory driver access
+allow mtk_hal_camera proc_secmem:file rw_file_perms;
+
+# Date : WK18.30
+# Stage: P migration
+# Purpose: sysfs boot mode access for HalSensor
+allow mtk_hal_camera sysfs_boot_mode:file r_file_perms;
+
+# Date : WK18.40
+# Stage: P migration
+# Purpose: Allow setprop for CCT
+set_prop(mtk_hal_camera, vendor_mtk_camera_prop)
+
+# Date : WK19.39
+# Stage: Q Migration
+# Purpose: Microtrust TEE access
+allow mtk_hal_camera teei_client_device:chr_file rw_file_perms;
+
+allow mtk_hal_camera mdla_device:chr_file rw_file_perms;
+
+# Date: 2019/11/11
+# Operation: For NDD
+allow mtk_hal_camera vendor_camera_dump_file:dir create_dir_perms;
+allow mtk_hal_camera vendor_camera_dump_file:file create_file_perms;
+
+binder_call(mtk_hal_camera, remosaic_daemon)
+allow mtk_hal_camera remosaic_daemon_service:service_manager find;
+
+# Date : WK21.14
+# Stage: R Migration
+# Purpose: Allow memfd access by MPEG4Writer
+allow mtk_hal_camera tmpfs:file rw_file_perms;
diff --git a/bsp/non_plat/mtk_hal_codecservice_default.te b/bsp/non_plat/mtk_hal_codecservice_default.te
new file mode 100644
index 0000000..7479ab0
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_codecservice_default.te
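Review bot: In bsp/non_plat/mtk_hal_camera.te the WK17.42 rules `allow mtk_hal_camera sdcardfs:dir create_dir_perms;` and `allow mtk_hal_camera sdcardfs:file create_file_perms;` are described as a debug buffer dump, yet they are granted on every build variant. Wrapping the pair in a `userdebug_or_eng` block, as mtk_hal_dplanner.te does in this same commit, would keep a HAL that handles camera frames from creating files on shared storage in user builds. The WK21.14 rule `allow mtk_hal_camera tmpfs:file rw_file_perms;` is also wider than its stated memfd purpose, because it covers every file labelled tmpfs; it is worth confirming whether a narrower target type is available for the MPEG4Writer case.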
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_codecservice_default_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_codecservice_default)
+
+hal_server_domain(mtk_hal_codecservice_default, hal_mtk_codecservice)
+hal_client_domain(mtk_hal_codecservice_default, hal_allocator)
diff --git a/bsp/non_plat/mtk_hal_dfps.te b/bsp/non_plat/mtk_hal_dfps.te
new file mode 100644
index 0000000..862cc07
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_dfps.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_hal_dfps_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_dfps)
+
+hwbinder_use(mtk_hal_dfps);
+vndbinder_use(mtk_hal_dfps);
+
+hal_server_domain(mtk_hal_dfps, hal_dfps)
+
+add_hwservice(hal_dfps_server, mtk_hal_dfps_hwservice)
+
+# sysfs access.
+r_dir_file(mtk_hal_dfps, proc_net);
+
+get_prop(mtk_hal_dfps, hwservicemanager_prop)
+
+allow mtk_hal_dfps mtk_dfrc_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/mtk_hal_dplanner.te b/bsp/non_plat/mtk_hal_dplanner.te
new file mode 100644
index 0000000..78c833c
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_dplanner.te
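Review bot: In bsp/non_plat/mtk_hal_dfps.te the comment `# sysfs access.` sits directly above `r_dir_file(mtk_hal_dfps, proc_net);`, which grants read access to the proc_net type and not to any sysfs type. Either the comment or the rule is wrong. If the frame-rate HAL really reads /proc/net, the comment should say why, for example `# Purpose: <reason dfps reads /proc/net>`; if it does not, the rule should be dropped, since files under that label describe the device's sockets and connections.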
@@ -0,0 +1,30 @@
+# ==============================================
+# Type Declaration
+# ==============================================
+type mtk_hal_dplanner_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+init_daemon_domain(mtk_hal_dplanner);
+
+userdebug_or_eng(`
+ #Allow domain:mtk_hal_dplanner to use HWBinder IPC
+ hwbinder_use(mtk_hal_dplanner);
+
+ #Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder
+ hal_server_domain(mtk_hal_dplanner, hal_dplanner);
+
+ #Add/find permission rule to hwservicemanager
+ add_hwservice(hal_dplanner, mtk_hal_dplanner_hwservice);
+
+ #Allow platform app calls
+ allow mtk_hal_dplanner platform_app:binder { call transfer };
+
+ #Give permissions of dconfig
+ domain_auto_trans(mtk_hal_dplanner, mtk_dconfig_exec, mtk_dconfig);
+
+ #allow store data
+ allow mtk_hal_dplanner doe_vendor_data_file:dir create_dir_perms;
+ allow mtk_hal_dplanner doe_vendor_data_file:file create_file_perms;
+')
diff --git a/bsp/non_plat/mtk_hal_keyinstall.te b/bsp/non_plat/mtk_hal_keyinstall.te
new file mode 100644
index 0000000..c7b192e
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_keyinstall.te
@@ -0,0 +1,24 @@
+# Set mtk_hal_keyinstall as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keyinstall, hal_keymaster)
+
+# Set exec file type
+type mtk_hal_keyinstall_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keyinstall)
+
+# Allow mtk_hal_keyinstall to communicate with mobicore
+allow mtk_hal_keyinstall mobicore:unix_stream_socket connectto;
+allow mtk_hal_keyinstall mobicore_data_file:dir search;
+allow mtk_hal_keyinstall mobicore_data_file:file { read getattr open };
+allow mtk_hal_keyinstall mobicore_user_device:chr_file { read write ioctl open };
+
+# Allow mtk_hal_keyinstall to access /persist
+allow mtk_hal_keyinstall persist_data_file:dir { search write add_name };
+allow mtk_hal_keyinstall persist_data_file:file { read write create open setattr getattr };
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keyinstall key_install_data_file:dir { write add_name remove_name search };
+allow mtk_hal_keyinstall key_install_data_file:file { write create setattr read getattr unlink open append };
+
+allow mtk_hal_keyinstall debugfs_tracing:file { write };
diff --git a/bsp/non_plat/mtk_hal_netdagent.te b/bsp/non_plat/mtk_hal_netdagent.te
new file mode 100644
index 0000000..bb2ad66
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_netdagent.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_netdagent_client, mtk_hal_netdagent_server)
+binder_call(mtk_hal_netdagent_server, mtk_hal_netdagent_client)
+
+add_hwservice(mtk_hal_netdagent_server, mtk_hal_netdagent_hwservice)
+allow mtk_hal_netdagent_client mtk_hal_netdagent_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/mtk_hal_neuralnetworks.te b/bsp/non_plat/mtk_hal_neuralnetworks.te
new file mode 100644
index 0000000..4ec2c13
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_neuralnetworks.te
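Review bot: The last rule of bsp/non_plat/mtk_hal_keyinstall.te, `allow mtk_hal_keyinstall debugfs_tracing:file { write };`, is the only rule in that file without a purpose comment, and it gives a key-provisioning HAL write access to tracing nodes on all build variants. If it exists only for trace markers during bring-up, it should be guarded with `userdebug_or_eng` or removed; the same applies to `allow mtk_hal_wfo debugfs_tracing:file w_file_perms;` in mtk_hal_wfo.te later in this commit. A one-line comment on `hal_server_domain(mtk_hal_keyinstall, hal_keymaster)` explaining why key install is registered under the keymaster HAL attribute rather than one of its own would also help whoever audits this domain.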
@@ -0,0 +1,88 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+type mtk_hal_neuralnetworks_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_neuralnetworks)
+
+hal_server_domain(mtk_hal_neuralnetworks, hal_neuralnetworks)
+allow mtk_hal_neuralnetworks ion_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks debugfs_ion:dir r_dir_perms;
+allow mtk_hal_neuralnetworks vpu_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks mdla_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks apusys_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+binder_call(mtk_hal_neuralnetworks, untrusted_app_25)
+binder_call(mtk_hal_neuralnetworks, untrusted_app)
+allow mtk_hal_neuralnetworks shell_data_file:file read;
+allow mtk_hal_neuralnetworks sdcardfs:file r_file_perms;
+allow mtk_hal_neuralnetworks fuse:file r_file_perms;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:dir r_dir_perms;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:file r_file_perms;
+allow mtk_hal_neuralnetworks proc_zoneinfo:file r_file_perms;
+allow mtk_hal_neuralnetworks apk_data_file:file read;
+allow mtk_hal_neuralnetworks gpu_device:dir r_dir_perms;
+
+# Date : WK14.40 2018/11/16
+# Purpose : allow access to /data/vendor for blob cache for gpunn service
+allow mtk_hal_neuralnetworks mnt_user_file:lnk_file r_file_perms;
+allow mtk_hal_neuralnetworks mnt_user_file:dir search;
+allow mtk_hal_neuralnetworks storage_file:lnk_file r_file_perms;
+allow mtk_hal_neuralnetworks sdcardfs:dir search;
+dontaudit mtk_hal_neuralnetworks media_rw_data_file:dir search;
+
+# Date : WK19.03 2019/01/14
+# Purpose : allow access to /data/vendor for blob cache for gpunn service
+allow mtk_hal_neuralnetworks gpunn_data_file:dir create_dir_perms;
+allow mtk_hal_neuralnetworks gpunn_data_file:file create_file_perms;
+
+# Date : WK1919 2019/0513
+# Purpose : allow access to perfmgr for EARA-QoS
+allow mtk_hal_neuralnetworks proc_perfmgr:dir r_dir_perms;
+allow mtk_hal_neuralnetworks proc_perfmgr:file r_file_perms;
+allowxperm mtk_hal_neuralnetworks proc_perfmgr:file ioctl {
+ PERFMGR_EARA_NN_BEGIN
+ PERFMGR_EARA_NN_END
+ PERFMGR_EARA_GETUSAGE
+};
+
+allow mtk_hal_neuralnetworks proc_ged:file rw_file_perms;
+allowxperm mtk_hal_neuralnetworks proc_ged:file ioctl proc_ged_ioctls;
+
+# Date : WK1946
+# Purpose : allow access to /proc/[pid]/cmdline
+typeattribute mtk_hal_neuralnetworks mlstrustedsubject;
+allow mtk_hal_neuralnetworks untrusted_app_all:dir search;
+allow mtk_hal_neuralnetworks untrusted_app_all:file r_file_perms;
+
+# Date : WK2003
+# Purpose : read chip id and segment code
+allow mtk_hal_neuralnetworks sysfs_chipid:file r_file_perms;
+allow mtk_hal_neuralnetworks proc_devinfo:file r_file_perms;
+
+# Date : WK2016 2020/0415
+# Purpose : Support AHardwareBuffer
+hal_client_domain(mtk_hal_neuralnetworks, hal_graphics_allocator)
+
+# Date : WK2023
+# Purpose : Allow access to PowerHal for performance boost
+hal_client_domain(mtk_hal_neuralnetworks, hal_power)
+
+# Date : WK2038
+# Purpose : Allow VtsHalNeuralnetworks search fd
+allow mtk_hal_neuralnetworks shell:dir search;
+
+# Date : WK2127
+# Purpose : Allow Debug Plus read/write report
+allow mtk_hal_neuralnetworks data_vendor_nn_file:dir create_dir_perms;
+allow mtk_hal_neuralnetworks data_vendor_nn_file:file create_file_perms;
+
+# Date : WK2127
+# Purpose : Allow HMP custom api request
+allow mtk_hal_neuralnetworks data_vendor_hmp_file:dir { rw_dir_perms };
+allow mtk_hal_neuralnetworks data_vendor_hmp_file:file { create_file_perms };
+
+# Date : WK2128
+# Purpose: Allow Neuron Hidl set property
+set_prop(mtk_hal_neuralnetworks, vendor_mtk_apuware_debug_prop)
diff --git a/bsp/non_plat/mtk_hal_nwk_opt.te b/bsp/non_plat/mtk_hal_nwk_opt.te
new file mode 100644
index 0000000..f99f8e7
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_nwk_opt.te
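Review bot: In bsp/non_plat/mtk_hal_neuralnetworks.te the WK1946 block (`typeattribute mtk_hal_neuralnetworks mlstrustedsubject;` plus `untrusted_app_all:dir search` and `untrusted_app_all:file r_file_perms`) grants far more than its stated purpose of reading /proc/[pid]/cmdline. The attribute lifts the MLS separation for this domain as a whole, and `r_file_perms` covers every proc file of every untrusted app, not just cmdline. The same domain takes binder calls from untrusted_app and untrusted_app_25 and can read shell_data_file, apk_data_file, sdcardfs and fuse files, so a flaw in the HAL would expose data belonging to other apps. If the cmdline read is only used to identify the caller (an assumption, the hunk does not say), getting that identity from the binder transaction would let all three lines go. Separately, the WK14.40 comment repeats the WK19.03 text while its rules actually open the shared-storage path, so it should read something like `# Purpose : traverse /storage and /mnt/user to reach model files`.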
@@ -0,0 +1,20 @@
+hal_server_domain(mtk_hal_nwk_opt,hal_nwk_opt)
+type mtk_hal_nwk_opt_exec,exec_type,file_type,vendor_file_type;
+init_daemon_domain(mtk_hal_nwk_opt)
+hwbinder_use(mtk_hal_nwk_opt)
+
+add_hwservice(hal_nwk_opt_server,mtk_hal_nwk_opt_hwservice)
+
+binder_call(hal_nwk_opt_client, hal_nwk_opt_server)
+binder_call(hal_nwk_opt_server, hal_nwk_opt_client)
+
+allow hal_nwk_opt_client mtk_hal_nwk_opt_hwservice :hwservice_manager find;
+allow mtk_hal_nwk_opt nwkopt_device:chr_file rw_file_perms;
+allow mtk_hal_nwk_opt sysfs_fpsgo:dir search;
+allow mtk_hal_nwk_opt sysfs_fpsgo:file rw_file_perms;
+allow mtk_hal_nwk_opt input_device:dir r_dir_perms;
+allow mtk_hal_nwk_opt input_device:file rw_file_perms;
+allow mtk_hal_nwk_opt input_device:chr_file rw_file_perms;
+allow mtk_hal_nwk_opt tx_device:chr_file rw_file_perms;
+
+set_prop(mtk_hal_nwk_opt, vendor_mtk_nwk_opt_prop)
diff --git a/bsp/non_plat/mtk_hal_omadm.te b/bsp/non_plat/mtk_hal_omadm.te
new file mode 100644
index 0000000..222c22d
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_omadm.te
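Review bot: bsp/non_plat/mtk_hal_nwk_opt.te grants `allow mtk_hal_nwk_opt input_device:chr_file rw_file_perms;`, with matching `input_device:dir` and `input_device:file` rules, and none of them carries a comment. As written, a network-optimisation HAL can read raw touch and key events from every input node and can also write to them. If the HAL only needs to know that the user is active, read-only access or a notification from an existing input consumer would be enough; at minimum the rules need a purpose line such as `# Purpose: <why nwk_opt opens /dev/input>` so the grant can be reviewed against a real requirement.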
@@ -0,0 +1,26 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_omadm_exec, exec_type, vendor_file_type, file_type;
+typeattribute mtk_hal_omadm hal_mtk_omadm_server;
+typeattribute mtk_hal_omadm hal_mtk_omadm;
+
+net_domain(mtk_hal_omadm)
+init_daemon_domain(mtk_hal_omadm)
+hwbinder_use(mtk_hal_omadm)
+get_prop(mtk_hal_omadm, hwservicemanager_prop)
+
+allow mtk_hal_omadm omadm_data_file:file create_file_perms;
+allow mtk_hal_omadm omadm_data_file:dir create_dir_perms;
+allow mtk_hal_omadm self:udp_socket create_socket_perms_no_ioctl;
+allow mtk_hal_omadm self:tcp_socket create_socket_perms_no_ioctl;
+allow mtk_hal_omadm self:capability net_raw;
+allow mtk_hal_omadm fwmarkd_socket:sock_file write;
+allow mtk_hal_omadm netd:unix_stream_socket connectto;
+allow mtk_hal_omadm port:tcp_socket { name_bind name_connect };
+allow mtk_hal_omadm protect_f_data_file:dir create_dir_perms;
+allow mtk_hal_omadm protect_f_data_file:file create_file_perms;
+allow mtk_hal_omadm mnt_vendor_file:dir create_dir_perms;
+allow mtk_hal_omadm mnt_vendor_file:file create_file_perms;
+allow mtk_hal_omadm omadm_misc_file:file create_file_perms;
+allow mtk_hal_omadm omadm_misc_file:dir create_dir_perms;
diff --git a/bsp/non_plat/mtk_hal_power.te b/bsp/non_plat/mtk_hal_power.te
new file mode 100644
index 0000000..7fa2266
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_power.te
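Review bot: bsp/non_plat/mtk_hal_omadm.te has no purpose comments at all, and `allow mtk_hal_omadm self:capability net_raw;` in particular needs one. The visible rules only allow udp_socket and tcp_socket on self, so nothing here shows the raw or packet socket that net_raw would normally accompany; if it is needed for something else, such as binding a socket to an interface, that should be stated, and otherwise the capability can go from a daemon that talks to a remote management server. `allow mtk_hal_omadm port:tcp_socket { name_bind name_connect };` likewise lets the daemon listen on any port labelled with the generic type, which deserves a note on whether inbound connections are really expected. The domain is also attached with two bare `typeattribute` lines where the other HAL files in this commit use `hal_server_domain(...)`; it is worth confirming that the hand-written form is intentional.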
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/10/24
+# Operation: SQC
+# Purpose : Allow powerHAL to access dfps
+allow mtk_hal_power mtk_hal_dfps:binder call;
+hal_client_domain(mtk_hal_power, hal_dfps)
+
+# Date : 2018/9/10
+# Operation: netdagnt
+allow mtk_hal_power mtk_hal_netdagent_hwservice:hwservice_manager find;
+allow mtk_hal_power netdagent:binder call;
+
+# Date : 2019/07/19
+# Operation: NwkOpt
+allow mtk_hal_power mtk_hal_nwk_opt:binder call;
+hal_client_domain(mtk_hal_power, hal_nwk_opt)
+
+# Date : 2019/09/19
+# Operation: touchll
+allow mtk_hal_power mtk_hal_touchll:binder call;
+hal_client_domain(mtk_hal_power, hal_mtk_touchll)
+
+# Date : 2020/05/19
+# Operation: CapabilityTest
+allow mtk_hal_power capability_app:dir { getattr search };
+allow mtk_hal_power capability_app:file r_file_perms;
+
+# Date : 2020/06/03
+# Purpose : Allow PowerHAL to access Neuralnetworks HAL
+allow mtk_hal_power mtk_hal_neuralnetworks:dir r_dir_perms;
+allow mtk_hal_power mtk_hal_neuralnetworks:file r_file_perms;
+
+# Allow Power to alter DT2W node
+allow mtk_hal_power sysfs_keypad_file:file rw_file_perms;
diff --git a/bsp/non_plat/mtk_hal_pplagent.te b/bsp/non_plat/mtk_hal_pplagent.te
new file mode 100644
index 0000000..64d9876
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_pplagent.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(mtk_hal_pplagent_client, mtk_hal_pplagent_server)
+binder_call(mtk_hal_pplagent_server, mtk_hal_pplagent_client)
+
+
+add_hwservice(mtk_hal_pplagent, mtk_hal_pplagent_hwservice)
+
+add_hwservice(mtk_hal_pplagent_server, mtk_hal_pplagent_hwservice)
+allow mtk_hal_pplagent_client mtk_hal_pplagent_hwservice:hwservice_manager find;
diff --git a/bsp/non_plat/mtk_hal_pq.te b/bsp/non_plat/mtk_hal_pq.te
new file mode 100644
index 0000000..9e64a63
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_pq.te
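Review bot: bsp/non_plat/mtk_hal_pplagent.te registers the same service twice, with `add_hwservice(mtk_hal_pplagent, mtk_hal_pplagent_hwservice)` and again with `add_hwservice(mtk_hal_pplagent_server, mtk_hal_pplagent_hwservice)`. mtk_hal_netdagent.te in this commit uses only the `_server` form. `mtk_hal_pplagent` is not declared in the visible part of the patch; if it is the base HAL attribute, the first line extends the add permission to every domain carrying that attribute rather than to servers only. Dropping the first line keeps registration of the PPL agent service limited to the server domain; if both lines are required, a comment should say why.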
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.01
+# Operation : New feature: Factory Gamma
+# Purpose : Allow nvram access
+allow mtk_hal_pq nvdata_file:dir w_dir_perms;
+allow mtk_hal_pq nvdata_file:file create_file_perms;
+allow mtk_hal_pq nvram_data_file:dir w_dir_perms;
+allow mtk_hal_pq nvram_data_file:file create_file_perms;
+allow mtk_hal_pq nvram_data_file:lnk_file read;
+allow mtk_hal_pq nvdata_file:lnk_file read;
+
+# Operation : New feature: AppGamePQ 2.0
+# Purpose : create hidl handle for buffer
+allow mtk_hal_pq hal_graphics_allocator_default:fd use;
+allow mtk_hal_pq proc_ged:file r_file_perms;
+allowxperm mtk_hal_pq proc_ged:file ioctl proc_ged_ioctls;
diff --git a/bsp/non_plat/mtk_hal_thp.te b/bsp/non_plat/mtk_hal_thp.te
new file mode 100644
index 0000000..1ca37a2
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_thp.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_hal_thp_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_thp)
+
+hal_server_domain(mtk_hal_thp, hal_mtk_thp)
+
+allow mtk_hal_thp mtk_thp_data_file:dir create_dir_perms;
+allow mtk_hal_thp mtk_thp_data_file:file create_file_perms;
+allow mtk_hal_thp mtk_thp_data_file:sock_file create_file_perms;
+allow mtk_hal_thp mtk_thp_data_file:fifo_file create_file_perms;
+
+# Allow accessto /dev/thp & /dev/input_mt_wrapper node
+allow mtk_hal_thp gdix_thp_device:chr_file rw_file_perms;
+allow mtk_hal_thp gdix_mt_wrapper_device:chr_file rw_file_perms;
+
+# Allow sys_nice
+allow mtk_hal_thp self:capability sys_nice;
+
diff --git a/bsp/non_plat/mtk_hal_touchll.te b/bsp/non_plat/mtk_hal_touchll.te
new file mode 100644
index 0000000..43cb2be
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_touchll.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_touchll_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_hal_touchll)
+
+hal_server_domain(mtk_hal_touchll, hal_mtk_touchll)
diff --git a/bsp/non_plat/mtk_hal_wfo.te b/bsp/non_plat/mtk_hal_wfo.te
new file mode 100644
index 0000000..1b97183
--- /dev/null
+++ b/bsp/non_plat/mtk_hal_wfo.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type mtk_hal_wfo_exec, exec_type, file_type, vendor_file_type;
+
+# hwbinder access
+init_daemon_domain(mtk_hal_wfo)
+
+hal_server_domain(mtk_hal_wfo, hal_mtk_wfo)
+
+# Date : WK1721 2017/5/26
+# Operation : IT
+# Purpose: WifiOffloadService HIDL Migration
+allow mtk_hal_wfo mal_mfi_socket:sock_file write;
+allow mtk_hal_wfo debugfs_tracing:file w_file_perms;
diff --git a/bsp/non_plat/mtk_pkm_service.te b/bsp/non_plat/mtk_pkm_service.te
new file mode 100644
index 0000000..b982763
--- /dev/null
+++ b/bsp/non_plat/mtk_pkm_service.te
@@ -0,0 +1,44 @@
+# ==============================================
+# Policy File of /vendor/bin/mtk_pkm_service Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_pkm_service_exec ,exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(mtk_pkm_service)
+
+# Date : W1920
+# Operation : Diagnostic framework Q migration
+# Purpose : allow mtk_pkm_service to send KPI through APM service
+hal_client_domain(mtk_pkm_service, hal_mtk_apm)
+
+# Purpose : for mtk_pkm_service to connenct to md_monitor
+hal_client_domain(mtk_pkm_service, md_monitor_hal)
+
+# Purpose : for mtk_pkm_service to access /data/md_mon/
+allow mtk_pkm_service md_monitor_vendor_file:dir r_dir_perms;
+allow mtk_pkm_service md_monitor_vendor_file:file r_file_perms;
+
+# Purpose : Allow mtk_pkm_service to get properties
+# For PKM to know PDN status
+# ro.vendor.md_auto_setup_ims
+get_prop(mtk_pkm_service, vendor_mtk_ims_prop)
+# vendor.ims.eims.pdn.info
+get_prop(mtk_pkm_service, vendor_mtk_ims_eims_pdn_prop)
+# vendor.ril.data.pdn_info*
+get_prop(mtk_pkm_service, vendor_mtk_radio_prop)
+
+# Purpose : Allow mtk_pkm_service to pull packet from netd
+allow mtk_pkm_service self:capability net_raw;
+allow mtk_pkm_service self:packet_socket { create_socket_perms };
+allow mtk_pkm_service self:udp_socket { create_socket_perms };
+allowxperm mtk_pkm_service self:packet_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+allowxperm mtk_pkm_service self:udp_socket ioctl {SIOCGIFINDEX SIOCGSTAMP };
+
+# Add policy read property for init.svc.md_monitor
+get_prop(mtk_pkm_service, system_mtk_init_svc_md_monitor_prop)
+
+# Allow PKM service to read vendor.dmc.apm.active
+get_prop(mtk_pkm_service, vendor_mtk_dmc_prop)
diff --git a/bsp/non_plat/mtkfusionrild.te b/bsp/non_plat/mtkfusionrild.te
new file mode 100644
index 0000000..aa51bbf
--- /dev/null
+++ b/bsp/non_plat/mtkfusionrild.te
@@ -0,0 +1,88 @@
+# ==============================================
+# Policy File of /system/bin/mtkfusionrild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute rild mtkimsapdomain;
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow rild to get/set vendor_mtk_vsim_prop
+set_prop(rild, vendor_mtk_vsim_prop)
+
+# Date : 2018/05/28
+# Operation: Ims config TelephonyWare dev
+allow rild mtk_radio_data_file:dir { read remove_name write search add_name open };
+allow rild mtk_radio_data_file:file { read write create open getattr lock unlink };
+
+# Date : WK18.22
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow rild to set ims feature
+set_prop(rild, vendor_mtk_volte_prop)
+set_prop(rild, vendor_mtk_wfc_prop)
+set_prop(rild, vendor_mtk_vilte_prop)
+set_prop(rild, vendor_mtk_viwifi_prop)
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose: Allow rild to get/set vendor_mtk_ims_prop
+set_prop(rild, vendor_mtk_ims_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow rild to set ims support property
+set_prop(rild, vendor_mtk_volte_support_prop)
+set_prop(rild, vendor_mtk_wfc_support_prop)
+set_prop(rild, vendor_mtk_vilte_support_prop)
+set_prop(rild, vendor_mtk_viwifi_support_prop)
+set_prop(rild, vendor_mtk_rcs_ua_support_prop)
+
+# Date : WK18.29
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow mtkrild to get/set vendor_mtk_provision_prop
+set_prop(rild, vendor_mtk_provision_prop)
+
+# Date : 2019/01/29
+# Operation: IMS/EIMS pdn info
+# Purpose: Allow mtkrild to get/set vendor_mtk_ims_eims_pdn_prop
+set_prop(rild, vendor_mtk_ims_eims_pdn_prop)
+
+# Date : 2019/06/27
+# Operation : rild need to read vendor_mtk_cta_support_prop property
+# Purpose : allow to get mtk_cta_support property
+get_prop(rild, vendor_mtk_cta_support_prop)
+
+# Date : WK19.29
+# Operation: IMS Config NR dev
+# Purpose: Allow rild to set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_prop)
+set_prop(rild, vendor_mtk_vinr_prop)
+
+# Date : 2019/07/17
+# Operation: Game SDK
+# Purpose: Allow rild to write phantom packet
+allow rild nlop_device:chr_file rw_file_perms;
+
+# Date : 2020/02/17
+# Purpose: Allow rild to access netlink_xfrm_socket
+allow rild self:netlink_xfrm_socket {create setopt bind getattr write read nlmsg_read nlmsg_write};
+
+# Date : 2020/05/19
+# Purpose: Allow mtkrild to get/set vendor_mtk_hvolte_indicator
+set_prop(rild, vendor_mtk_hvolte_indicator)
+
+# Date : 2020/06/08
+# Purpose: Allow rild have 'wake_alarm' capability
+allow rild self:capability2 wake_alarm;
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow rild to force set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_force_prop)
+
+# Date : 2021/09/17
+# Operation: vonr setting
+# Purpose: Allow rild to set vonr support property
+set_prop(rild, vendor_mtk_vonr_support_prop)
diff --git a/bsp/non_plat/mtkimsmddomain.te b/bsp/non_plat/mtkimsmddomain.te
new file mode 100644
index 0000000..a3ec961
--- /dev/null
+++ b/bsp/non_plat/mtkimsmddomain.te
@@ -0,0 +1,76 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# IMCB
+allow mtkimsmddomain ccci_device:chr_file { read write open };
+allow mtkimsmddomain fwmarkd_socket:sock_file write;
+allow mtkimsmddomain sysfs_ccci:dir search;
+allow mtkimsmddomain sysfs_ccci:file r_file_perms;
+allow mtkimsmddomain self:capability2 wake_alarm;
+set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)
+allow mtkimsmddomain self:capability { setuid setgid chown net_raw } ;
+
+# Date : 2017/02/17
+# Purpose : ptty
+allow mtkimsmddomain devpts:chr_file { rw_file_perms setattr };
+
+# UA
+allow mtkimsmddomain volte_vt_socket:sock_file write;
+
+# IMSM
+allow mtkimsmddomain rild_imsm_socket:sock_file write;
+allow mtkimsmddomain mtkrild:unix_stream_socket connectto;
+allow mtkimsmddomain rild_mal_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_socket:sock_file write;
+allow mtkimsmddomain rild_mal_md2_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_md2_socket:sock_file write;
+unix_socket_send(mtkimsmddomain, wpa, wpa)
+allow mtkimsmddomain wpa:unix_dgram_socket sendto;
+
+# ePDG
+allow mtkimsmddomain dnsproxyd_socket:sock_file write;
+allow mtkimsmddomain ccci_device:chr_file { read write ioctl open };
+allow mtkimsmddomain devpts:chr_file { read write open };
+
+# MAL
+allow mtkimsmddomain tmpfs:lnk_file read;
+
+# VzW APN table
+allow mtkimsmddomain mal_data_file:dir create_dir_perms;
+allow mtkimsmddomain mal_data_file:file create_file_perms;
+
+# ATCP
+allow mtkimsmddomain devpts:chr_file { open read write ioctl };
+allow mtkimsmddomain devpts:chr_file { getattr setattr };
+
+# Netlink
+allow mtkimsmddomain self:netlink_route_socket { bind create write nlmsg_read };
+
+# RILD connection
+allow mtkimsmddomain mtkrild:unix_stream_socket connectto;
+allow mtkimsmddomain rild_mal_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_socket:sock_file write;
+allow mtkimsmddomain rild_mal_md2_socket:sock_file write;
+allow mtkimsmddomain rild_mal_at_md2_socket:sock_file write;
+
+# for RAN access wpa
+unix_socket_send(mtkimsmddomain, wpa, wpa)
+allow mtkimsmddomain wpa:unix_dgram_socket sendto;
+
+# RILPROXY
+allow mtkimsmddomain rild:unix_stream_socket connectto;
+
+set_prop(mtkimsmddomain, vendor_mtk_operator_id_prop)
+
+# Set permission for MAL
+vndbinder_use(mtkimsmddomain)
+
+# ViLTE
+allow mtkimsmddomain vtservice_hidl:unix_stream_socket connectto;
+
+# MD-AP
+set_prop(mtkimsmddomain, vendor_mtk_radio_prop)
+set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)
+set_prop(mtkimsmddomain, vendor_mtk_md_version_prop)
+set_prop(mtkimsmddomain, vendor_mtk_network_prop)
diff --git a/bsp/non_plat/mtkrild.te b/bsp/non_plat/mtkrild.te
new file mode 100644
index 0000000..efe6e87
--- /dev/null
+++ b/bsp/non_plat/mtkrild.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/bin/mtkrild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mtkrild mtkimsapdomain;
+set_prop(mtkrild, vendor_mtk_logmuch_prop)
+
+# For sim property
+set_prop(mtkrild, vendor_mtk_cdma_prop)
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow mtkrild to get/set vendor_mtk_vsim_prop
+set_prop(mtkrild, vendor_mtk_vsim_prop)
+
+# Date : WK18.25
+# Operation: P migration
+# Purpose: Allow mtkrild to get/set vendor_mtk_ims_prop
+set_prop(mtkrild, vendor_mtk_ims_prop)
diff --git a/bsp/non_plat/netd.te b/bsp/non_plat/netd.te
new file mode 100644
index 0000000..e3c5516
--- /dev/null
+++ b/bsp/non_plat/netd.te
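Review bot: In bsp/non_plat/mtkimsmddomain.te the rule `allow mtkimsmddomain self:capability { setuid setgid chown net_raw } ;` is written against what appears to be an attribute (compare `typeattribute rild mtkimsapdomain;` in mtkfusionrild.te), so every domain carrying it receives all four capabilities, and no comment says which daemon needs which. Granting them in each daemon's own .te file would keep setuid, setgid and chown away from members that only need the socket rules. The file also repeats itself: the `# RILD connection` and `# for RAN access wpa` blocks duplicate rules from the `# IMSM` block, ccci_device and devpts chr_file are allowed several times with overlapping permission sets, and `set_prop(mtkimsmddomain, vendor_mtk_ril_mux_report_case_prop)` appears twice. Merging the duplicates into one rule per target would make the effective grant much easier to audit.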
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W17.31
+# Operation : O migration
+# Purpose : Allow ViLTE use udp_socket
+allow netd vtservice:fd use;
+allow netd vtservice:udp_socket { read write setopt getopt };
+
+allow netd wo_ipsec:fd use;
+allow netd wo_ipsec:tcp_socket { read write setopt getopt };
+allow netd wo_ipsec:udp_socket { read write setopt getopt };
+allow netd wo_epdg_client:fd use;
+allow netd wo_epdg_client:tcp_socket { read write setopt getopt };
+allow netd wo_epdg_client:udp_socket {read write setopt getopt};
+
diff --git a/bsp/non_plat/netdagent.te b/bsp/non_plat/netdagent.te
new file mode 100644
index 0000000..23f2c1b
--- /dev/null
+++ b/bsp/non_plat/netdagent.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /vendor/bin/netdagent Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type netdagent_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(netdagent)
+domain_auto_trans(netdagent, netutils_wrapper_exec, netutils_wrapper)
+
+allow netdagent devpts:chr_file rw_file_perms;
+allow netdagent usermodehelper:file r_file_perms;
+
+allow netdagent self:netlink_route_socket { connect create setopt bind getattr nlmsg_read nlmsg_write read write };
+
+set_prop(netdagent, vendor_mtk_netdagent_prop)
+allow netdagent proc_net:file rw_file_perms;
+allow netdagent kernel:system module_request;
+
+hal_server_domain(netdagent, mtk_hal_netdagent)
+
diff --git a/bsp/non_plat/netutils_wrapper.te b/bsp/non_plat/netutils_wrapper.te
new file mode 100644
index 0000000..8c6094c
--- /dev/null
+++ b/bsp/non_plat/netutils_wrapper.te
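Review bot: bsp/non_plat/netdagent.te adds `allow netdagent kernel:system module_request;` with no comment, which lets activity in this daemon trigger kernel module auto-loading. netdagent is a HAL server (`hal_server_domain(netdagent, mtk_hal_netdagent)`) that also gets `nlmsg_write` on netlink_route_socket, write access to proc_net files and an automatic transition into netutils_wrapper, so it already has wide reach into the network stack. If the module request is only a side effect of opening a socket family or netfilter feature that is not built in, a `dontaudit netdagent kernel:system module_request;` would silence the denial without granting it. If the load is required, the rule should name the module in a `# Purpose:` line.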
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow netutils_wrapper ipsec_mon:fd use;
+allow netutils_wrapper ipsec_mon:netlink_route_socket { read write };
+allow netutils_wrapper ipsec_mon:netlink_xfrm_socket { read write };
+allow netutils_wrapper devpts:chr_file { getattr ioctl read write };
+
+allow netutils_wrapper netdagent:fd use;
+allow netutils_wrapper netdagent:unix_stream_socket { read write };
+
+allow netutils_wrapper rild:fd use;
+allow netutils_wrapper rild:unix_stream_socket { read write };
+allow netutils_wrapper rild:fifo_file rw_file_perms;
+
+allow netutils_wrapper wo_epdg_client:unix_stream_socket { read write };
+allow netutils_wrapper wo_epdg_client:fd use;
diff --git a/bsp/non_plat/nfc.te b/bsp/non_plat/nfc.te
new file mode 100644
index 0000000..4c3618b
--- /dev/null
+++ b/bsp/non_plat/nfc.te
@@ -0,0 +1,70 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc_socket_file.
+allow nfc nfc_socket_file:dir w_dir_perms;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access custom file.
+allow nfc custom_file:dir getattr;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access nfc data file.
+allow nfc nfc_data_file:dir { write remove_name add_name search create setattr };
+allow nfc nfc_data_file:file { read getattr open rename write ioctl setattr create unlink };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission to access SD card for debug purpose.
+allow nfc sdcard_type:dir { write remove_name search create add_name };
+allow nfc sdcard_type:file { read write getattr open rename create };
+allow nfc vfat:dir { write add_name search };
+allow nfc vfat:file { read write getattr open create };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : Set NFC permission for WFD
+allow nfc surfaceflinger:dir search;
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For Mdlogger
+allow nfc node:tcp_socket node_bind;
+allow nfc port:tcp_socket name_bind;
+allow nfc self:tcp_socket { setopt read bind create accept write getattr connect getopt listen };
+
+# Date : 2014/10/15
+# Operation : Refine
+# Purpose : For NFC-JNI
+allow nfc zygote:unix_stream_socket { getopt getattr };
+
+# Date : WK1546
+# Operation : Migration
+# Purpose: Allow nfc to read binder from surfaceflinger
+allow nfc surfaceflinger:fifo_file {read write};
+
+# Date : 2016/06/30
+# Operation : SQC
+# Purpose : Allow NFC to plays sound which uses DrmServer
+allow nfc drmserver_service:service_manager find;
+
+# Date : 2016/07/04
+# Operation : SQC
+# Purpose : Allow NFC to access media data file
+allow nfc media_rw_data_file:dir { create read open write remove_name search add_name };
+allow nfc media_rw_data_file:file { read write create unlink open rename };
+
+# Date : 2016/11/10
+# Operation : SQC
+# Purpose : Allow NFC to use FileManager share file
+allow nfc sw_sync_device:chr_file getattr;
+
+# Date : 2017/07/26
+# Operation : Refine
+# Purpose : Set NFC permission to access st21nfc_device ( nfc device node ) .
+allow nfc st21nfc_device:chr_file { read write getattr open ioctl };
diff --git a/bsp/non_plat/nfcstackp_vendor.te b/bsp/non_plat/nfcstackp_vendor.te
new file mode 100644
index 0000000..92a6541
--- /dev/null
+++ b/bsp/non_plat/nfcstackp_vendor.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /vendor/bin/nfcstackp_vendor Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type nfcstackp_vendor_exec, exec_type, file_type, vendor_file_type;
+
+# Date : WK2019
+# Purpose : Start nfcstackp_vendor to serve EM
+init_daemon_domain(nfcstackp_vendor)
+
+# Date : WK2019
+# Purpose : Add availablities to access nfc socket
+allow nfcstackp_vendor vendor_nfc_socket_file:dir w_dir_perms;
+
+# Date : WK2019
+# Purpose : Add availablities to access nfc device
+allow nfcstackp_vendor st21nfc_device:chr_file rw_file_perms;
+
diff --git a/bsp/non_plat/osi.te b/bsp/non_plat/osi.te
new file mode 100644
index 0000000..98a645e
--- /dev/null
+++ b/bsp/non_plat/osi.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+userdebug_or_eng(`
+allow osi sysfs_therm:dir search;
+allow osi sysfs_therm:file r_file_perms;
+')
diff --git a/bsp/non_plat/platform_app.te b/bsp/non_plat/platform_app.te
new file mode 100644
index 0000000..8fc1bc8
--- /dev/null
+++ b/bsp/non_plat/platform_app.te
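Review bot: The nfc.te rules under "Set NFC permission to access SD card for debug purpose" and "For Mdlogger" are debug-only by their own comments, yet they are granted in every build variant. They let the nfc domain create files on `sdcard_type` and `vfat` and bind, listen and accept on a TCP socket (`name_bind` on `port`, `node_bind` on `node`), which gives a network listener to a domain that handles NFC input. osi.te in this same commit already uses the right pattern: move both groups inside a `userdebug_or_eng` block, or delete them if the logger path is no longer shipped.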
@@ -0,0 +1,121 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/11/14
+# Operation: SQC
+# Purpose: [ALPS01824827][SystemUI] [RenderThread][open device file failed]
+# Package: com.android.systemui
+allow platform_app proc_secmem:file r_file_perms;
+
+# Date : 2014/12/30
+# Operation : TUI Migration
+# Purpose : TUI service need to access tui device driver
+# Package: com.trustonic.tuiservice.TuiService
+allow platform_app mobicore_tui_device:chr_file r_file_perms;
+allow platform_app mobicore_user_device:chr_file rw_file_perms;
+
+allow platform_app mobicore_data_file:file r_file_perms;
+allow platform_app mobicore_data_file:dir search;
+allow platform_app self:netlink_kobject_uevent_socket {create bind read setopt};
+
+# Date : 2015/09/12
+# Operation : SQC
+# Purpose : allow settings get file of ntfs device
+# Package: com.android.settings
+allow platform_app fuseblk:dir create_dir_perms;
+
+# Date : 2015/10/15
+# Operation : jg_jinchuanqin
+# Purpose :[ALPS02350168]allow Settings get file of ntfs device
+# Package: com.android.settings
+allow platform_app fuseblk:file create_file_perms;
+
+# Date: 2017/08/24
+# Stage: Migration
+# Purpose: Allow to use lomo effect
+# Package: com.mediatek.camera
+allow platform_app mtk_hal_camera:binder call;
+
+# Date : 2017/10/02
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(platform_app, hal_mtk_pq)
+
+# Date : 2017/10/02
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(platform_app, hal_allocator)
+
+# Date: 2018/05/08
+# Operation: Migration
+# Purpose : Allow System UI to find ppl agent
+# Package: com.android.systemui.keyguard
+allow platform_app mtk_hal_pplagent_hwservice:hwservice_manager find;
+allow platform_app ppl_agent:binder call;
+
+allow platform_app debugfs_ion:dir search;
+
+# Date: 2018/06/19
+# Operation: Migration
+# Purpose : Allow Dialer to get vendor_mtk_vendor_vt_prop
+# Package: com.android.dialer
+get_prop(platform_app, vendor_mtk_vendor_vt_prop)
+
+# Date: 2019/04/27
+# Operation: Migration
+# Purpose : Allow Entitlement to get vendor_mtk_cxp_vendor_prop
+# Package: com.mediatek.entitlement
+get_prop(platform_app, vendor_mtk_cxp_vendor_prop)
+
+# Date: 2018/07/14
+# Operation: Migration
+# Purpose : Allow Dialer to get vendor_mtk_ims_prop
+# Package: com.android.dialer
+get_prop(platform_app, vendor_mtk_ims_prop)
+
+# Date: 2018/04/18
+# Purpose: Allow platform app to use HIDL and access mtk_hal_neuralnetworks
+allow platform_app mtk_hal_neuralnetworks:binder { call transfer };
+
+# Date: 2018/09/17
+# Purpose: Allow platform app to get vendor_mtk_cam_security_prop
+get_prop(platform_app, vendor_mtk_cam_security_prop)
+
+# Date: 2018/09/29
+# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
+binder_call(platform_app, mtk_hal_camera)
+binder_call(mtk_hal_camera, platform_app)
+
+# Date: 2018/11/13
+# Purpose: Allow platform app to use HIDL and access to mtk_hal_dplanner
+userdebug_or_eng(`
+ allow platform_app mtk_hal_dplanner:binder call;
+ allow platform_app mtk_hal_dplanner_hwservice:hwservice_manager find;
+')
+
+# Date : 2019/05/16
+# Operation : IT
+# Purpose : Add for HIDL service
+hal_client_domain(platform_app, md_monitor_hal)
+
+# Date : 2019/06/27
+# Operation : platform app need to read vendor_mtk_cta_support_prop property
+# Purpose : allow to get mtk_cta_support property
+get_prop(platform_app, vendor_mtk_cta_support_prop)
+
+# Date: 2018/12/19
+# Purpose: Allow platform app to access mdlactl_device and vpu_device
+allow platform_app mdla_device:chr_file { rw_file_perms };
+allow platform_app vpu_device:chr_file { rw_file_perms };
+
+# Date: 2018/10/25
+# Operation: Clientapi Develope
+# Package: com.android.contacts
+allow platform_app volte_clientapi_ua_hwservice:hwservice_manager find ;
+allow platform_app volte_clientapi_ua:binder { call transfer };
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow platform_app radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/ppl_agent.te b/bsp/non_plat/ppl_agent.te
new file mode 100644
index 0000000..8de8f34
--- /dev/null
+++ b/bsp/non_plat/ppl_agent.te
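Review bot: The TUI rules in platform_app.te are commented as being for one package (`com.trustonic.tuiservice.TuiService`), but `allow platform_app mobicore_user_device:chr_file rw_file_perms;` and the neighbouring `mobicore_tui_device` and `mobicore_data_file` rules apply to every app running in the platform_app domain. The same scope mismatch holds for the `mdla_device`/`vpu_device` read-write rules and for `allow platform_app ppl_agent:binder call;`, whose comments each name a single consumer. A dedicated domain for the TUI service, assigned through seapp_contexts, would keep the TEE device nodes away from the other platform apps. If that is out of scope for this commit, a comment such as `# NOTE: applies to all of platform_app, not only TuiService` above the rules would at least state the real reach.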
@@ -0,0 +1,64 @@
+# ==============================================
+# Policy File of /vendor/bin/ppl_agent Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type ppl_agent_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(ppl_agent)
+
+# Date : 2014/10/16
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent call FileOp_BackupToBinRegionForDM to do nvram backup]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvram_device:blk_file rw_file_perms;
+
+# Data : 2014/10/24
+# Operation : Migration
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvram_data_file:dir create_dir_perms;
+allow ppl_agent nvram_data_file:file create_file_perms;
+allow ppl_agent nvram_data_file:lnk_file read;
+allow ppl_agent nvdata_file:lnk_file read;
+allow ppl_agent nvdata_file:dir create_dir_perms;
+allow ppl_agent nvdata_file:file create_file_perms;
+
+# Data : 2014/10/31
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent need access nvram data file for backup restore function on MT6582]
+# Package name : ServiceManager
+allow ppl_agent nvram_device:chr_file rw_file_perms;
+
+# Data : 2015/10/09
+# Operation : IT
+# Purpose : [Privacy protection lock][ppl_agent need access ppl data file for backup restore function on MT6577]
+# Package name : ppl_agent
+allow ppl_agent ppl_block_device:blk_file rw_file_perms;
+
+# Data : 2015/10/16
+# Operation : QC
+# Purpose : [Privacy protection lock][ppl_agent need access nvcfg ext4 partiton ppl on MT6797]
+# Package name : com.mediatek.ppl
+allow ppl_agent nvcfg_file:dir create_dir_perms;
+allow ppl_agent nvcfg_file:file create_file_perms;
+
+# Data : 2018/05/23
+# Operation : QC
+# Purpose : [Privacy protection lock]
+allow ppl_agent mnt_vendor_file:dir search;
+
+# Data : 2018/06/12
+# Operation : QC
+# Purpose : [Privacy protection lock]
+allow ppl_agent proc_cmdline:file r_file_perms;
+allow ppl_agent sysfs_dt_firmware_android:dir search;
+
+# Data: 2018/08/02
+# Operation: iT
+# Purpose : [Privacy protection lock]
+allow ppl_agent block_device:dir search;
+
+hal_server_domain(ppl_agent, mtk_hal_pplagent)
diff --git a/bsp/non_plat/priv_app.te b/bsp/non_plat/priv_app.te
new file mode 100644
index 0000000..8ab7039
--- /dev/null
+++ b/bsp/non_plat/priv_app.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation: Migration
+# Purpose: allow priv_app to search debugfs_ion dir
+allow priv_app debugfs_ion:dir search;
diff --git a/bsp/non_plat/property.te b/bsp/non_plat/property.te
new file mode 100644
index 0000000..fd4bfc1
--- /dev/null
+++ b/bsp/non_plat/property.te
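Review bot: Nothing in ppl_agent.te records who may call this daemon, although it holds raw read/write on `nvram_device:blk_file`, `nvram_device:chr_file` and `ppl_block_device:blk_file` plus `create_dir_perms`/`create_file_perms` on three NVRAM trees, and its last line makes it a HAL server. platform_app.te in this commit lets the whole platform_app domain find and call that HAL, so its requests cross a trust boundary into a domain with raw NVRAM access. I would add above `hal_server_domain(ppl_agent, mtk_hal_pplagent)` a comment like `# Clients: platform_app (keyguard); treat HAL requests as untrusted input`, and check whether the `create_*_perms` sets can be narrowed to what backup/restore needs. Several headers in this file are spelled `# Data :` where the rest of the commit uses `# Date :`.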
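Review bot: `allow priv_app debugfs_ion:dir search;` in priv_app.te opens a debugfs path to privileged apps in all build variants, and platform_app.te carries the same rule for platform_app with no header at all. The Purpose line only restates the rule, so the consumer is unknown. If the rule only silences a denial from a library probing debugfs (an assumption, the denial is not shown), `dontaudit priv_app debugfs_ion:dir search;` or a `userdebug_or_eng` guard would avoid granting app domains debugfs access on user builds.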
@@ -0,0 +1,216 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /vendor
+vendor_internal_prop(vendor_mtk_ctl_ccci_rpcd_prop)
+vendor_internal_prop(vendor_mtk_ctl_ccci2_rpcd_prop)
+vendor_internal_prop(vendor_mtk_rpmb_ready_prop)
+
+# Properties which can't be written outside vendor
+vendor_restricted_prop(vendor_mtk_active_noise_cancel_prop)
+vendor_restricted_prop(vendor_mtk_atci_sys_prop)
+vendor_restricted_prop(vendor_mtk_besloudness_support_prop)
+vendor_restricted_prop(vendor_mtk_bg_power_saving_support_prop)
+vendor_restricted_prop(vendor_mtk_bg_power_saving_ui_prop)
+vendor_restricted_prop(vendor_mtk_camera_prop)
+vendor_restricted_prop(vendor_mtk_cam_security_prop)
+vendor_restricted_prop(vendor_mtk_cdma_prop)
+vendor_restricted_prop(vendor_mtk_cta_log_prop)
+vendor_restricted_prop(vendor_mtk_cta_support_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_log_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_scrollidentify_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_display60_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_frameidentify_prop)
+vendor_restricted_prop(vendor_mtk_boostfwk_prop)
+vendor_restricted_prop(vendor_mtk_datashaping_prop)
+vendor_restricted_prop(vendor_mtk_default_write_disk_prop)
+vendor_restricted_prop(vendor_mtk_dmc_prop)
+vendor_restricted_prop(vendor_mtk_drm_fwd_lock_only_prop)
+vendor_restricted_prop(vendor_mtk_duraspeed_prop)
+vendor_restricted_prop(vendor_mtk_dx_hdcp_support_prop)
+vendor_restricted_prop(vendor_mtk_dynims_prop)
+vendor_restricted_prop(vendor_mtk_emcamera_prop)
+vendor_restricted_prop(vendor_mtk_extsim_prop)
+vendor_restricted_prop(vendor_mtk_fd_support_prop)
+vendor_restricted_prop(vendor_mtk_gallery_prop)
+vendor_restricted_prop(vendor_mtk_hifiaudio_support_prop)
+vendor_restricted_prop(vendor_mtk_ims_eims_pdn_prop)
+vendor_restricted_prop(vendor_mtk_ims_prop)
+vendor_restricted_prop(vendor_mtk_jpeg_opt_prop)
+vendor_restricted_prop(vendor_mtk_libudf_prop)
+vendor_restricted_prop(vendor_mtk_logmuch_prop)
+vendor_restricted_prop(vendor_mtk_log_tel_dbg_prop)
+vendor_restricted_prop(vendor_mtk_mdm_prop)
+vendor_restricted_prop(vendor_mtk_mdworldmode_prop)
+vendor_restricted_prop(vendor_mtk_media_prop)
+vendor_restricted_prop(vendor_mtk_microtrust_tee_prop)
+vendor_restricted_prop(vendor_mtk_mims_prop)
+vendor_restricted_prop(vendor_mtk_miravision_support_prop)
+vendor_restricted_prop(vendor_mtk_mobile_management_prop)
+vendor_restricted_prop(vendor_mtk_moms_prop)
+vendor_restricted_prop(vendor_mtk_netdagent_prop)
+vendor_restricted_prop(vendor_mtk_network_prop)
+vendor_restricted_prop(vendor_mtk_nfc_addon_support_prop)
+vendor_restricted_prop(vendor_mtk_nfc_uicc_clf_prop)
+vendor_restricted_prop(vendor_mtk_nfc_nfcstackp_enable_prop)
+vendor_restricted_prop(vendor_mtk_nn_quant_preferred_prop)
+vendor_restricted_prop(vendor_mtk_num_md_protocol_prop)
+vendor_restricted_prop(vendor_mtk_nxp_nfc_gsma_support_prop)
+vendor_restricted_prop(vendor_mtk_omacp_support_prop)
+vendor_restricted_prop(vendor_mtk_oma_drm_support_prop)
+vendor_restricted_prop(vendor_mtk_operator_prop)
+vendor_restricted_prop(vendor_mtk_persist_epdg_prop)
+vendor_restricted_prop(vendor_mtk_pms_prop)
+vendor_restricted_prop(vendor_mtk_pppd_gprs_prop)
+vendor_restricted_prop(vendor_mtk_printk_prop)
+vendor_restricted_prop(vendor_mtk_provision_prop)
+vendor_restricted_prop(vendor_mtk_radio_seapi_off_prop)
+vendor_restricted_prop(vendor_mtk_rcs_ua_support_prop)
+vendor_restricted_prop(vendor_mtk_rsc_prop)
+vendor_restricted_prop(vendor_mtk_secure_venc_prop)
+vendor_restricted_prop(vendor_mtk_service_rcs_prop)
+vendor_restricted_prop(vendor_mtk_soter_teei_prop)
+vendor_restricted_prop(vendor_mtk_st_nfc_gsma_support_prop)
+vendor_restricted_prop(vendor_mtk_st_nfc_ignore_modem_prop)
+vendor_restricted_prop(vendor_mtk_telephony_addon_prop)
+vendor_restricted_prop(vendor_mtk_trustkernel_tee_prop)
+vendor_restricted_prop(vendor_mtk_trustonic_tee_prop)
+vendor_restricted_prop(vendor_mtk_vendor_vt_prop)
+vendor_restricted_prop(vendor_mtk_vilte_prop)
+vendor_restricted_prop(vendor_mtk_vilte_support_prop)
+vendor_restricted_prop(vendor_mtk_vinr_prop)
+vendor_restricted_prop(vendor_mtk_viwifi_prop)
+vendor_restricted_prop(vendor_mtk_viwifi_support_prop)
+vendor_restricted_prop(vendor_mtk_volte_support_prop)
+vendor_restricted_prop(vendor_mtk_vonr_support_prop)
+vendor_restricted_prop(vendor_mtk_vonr_prop)
+vendor_restricted_prop(vendor_mtk_vsim_prop)
+vendor_restricted_prop(vendor_mtk_vt_prop)
+vendor_restricted_prop(vendor_mtk_wapi_support_prop)
+vendor_restricted_prop(vendor_mtk_wappush_prop)
+vendor_restricted_prop(vendor_mtk_wfc_prop)
+vendor_restricted_prop(vendor_mtk_wfc_support_prop)
+vendor_restricted_prop(vendor_mtk_wfd_support_prop)
+vendor_restricted_prop(vendor_mtk_em_dy_debug_ctrl_prop)
+vendor_restricted_prop(vendor_mtk_hvolte_indicator)
+vendor_restricted_prop(vendor_mtk_md_c2k_cap_dep_check_prop)
+vendor_restricted_prop(vendor_mtk_gwsd_capability_prop)
+vendor_restricted_prop(vendor_mtk_netdagent_gameserver_prop)
+vendor_restricted_prop(vendor_mtk_apuware_debug_prop)
+vendor_restricted_prop(vendor_mtk_nwk_opt_prop)
+vendor_restricted_prop(vendor_mtk_wfd_enable_prop)
+vendor_restricted_prop(vendor_mtk_vonr_force_prop)
+vendor_restricted_prop(vendor_mtk_em_mtu_prop)
+vendor_restricted_prop(vendor_mtk_fast_charging_support_prop)
+vendor_restricted_prop(vendor_mtk_call_drop_prop)
+vendor_restricted_prop(vendor_mtk_mcf_prop)
+vendor_restricted_prop(vendor_mtk_subsidy_lock_support_prop)
+
+# Properties with no restriction
+vendor_public_prop(vendor_mtk_sec_video_path_support_prop)
+vendor_public_prop(vendor_mtk_svp_on_mtee_support_prop)
+
+# Properties with can be read by all domains
+typeattribute vendor_mtk_active_noise_cancel_prop mtk_core_property_type;
+typeattribute vendor_mtk_besloudness_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_bg_power_saving_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_bg_power_saving_ui_prop mtk_core_property_type;
+typeattribute vendor_mtk_camera_prop mtk_core_property_type;
+typeattribute vendor_mtk_cam_security_prop mtk_core_property_type;
+typeattribute vendor_mtk_cdma_prop mtk_core_property_type;
+typeattribute vendor_mtk_cta_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_cta_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_log_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_scrollidentify_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_display60_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_frameidentify_prop mtk_core_property_type;
+typeattribute vendor_mtk_boostfwk_prop mtk_core_property_type;
+typeattribute vendor_mtk_datashaping_prop mtk_core_property_type;
+typeattribute vendor_mtk_default_write_disk_prop mtk_core_property_type;
+typeattribute vendor_mtk_drm_fwd_lock_only_prop mtk_core_property_type;
+typeattribute vendor_mtk_duraspeed_prop mtk_core_property_type;
+typeattribute vendor_mtk_dx_hdcp_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_dynims_prop mtk_core_property_type;
+typeattribute vendor_mtk_emcamera_prop mtk_core_property_type;
+typeattribute vendor_mtk_extsim_prop mtk_core_property_type;
+typeattribute vendor_mtk_fd_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_gallery_prop mtk_core_property_type;
+typeattribute vendor_mtk_hifiaudio_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_ims_eims_pdn_prop mtk_core_property_type;
+typeattribute vendor_mtk_ims_prop mtk_core_property_type;
+typeattribute vendor_mtk_jpeg_opt_prop mtk_core_property_type;
+typeattribute vendor_mtk_libudf_prop mtk_core_property_type;
+typeattribute vendor_mtk_logmuch_prop mtk_core_property_type;
+typeattribute vendor_mtk_log_tel_dbg_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdm_prop mtk_core_property_type;
+typeattribute vendor_mtk_mdworldmode_prop mtk_core_property_type;
+typeattribute vendor_mtk_media_prop mtk_core_property_type;
+typeattribute vendor_mtk_microtrust_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_mims_prop mtk_core_property_type;
+typeattribute vendor_mtk_miravision_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_mobile_management_prop mtk_core_property_type;
+typeattribute vendor_mtk_moms_prop mtk_core_property_type;
+typeattribute vendor_mtk_netdagent_prop mtk_core_property_type;
+typeattribute vendor_mtk_network_prop mtk_core_property_type;
+typeattribute vendor_mtk_nfc_addon_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_nfc_uicc_clf_prop mtk_core_property_type;
+typeattribute vendor_mtk_nn_quant_preferred_prop mtk_core_property_type;
+typeattribute vendor_mtk_num_md_protocol_prop mtk_core_property_type;
+typeattribute vendor_mtk_nxp_nfc_gsma_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_omacp_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_oma_drm_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_operator_prop mtk_core_property_type;
+typeattribute vendor_mtk_persist_epdg_prop mtk_core_property_type;
+typeattribute vendor_mtk_pms_prop mtk_core_property_type;
+typeattribute vendor_mtk_pppd_gprs_prop mtk_core_property_type;
+typeattribute vendor_mtk_printk_prop mtk_core_property_type;
+typeattribute vendor_mtk_provision_prop mtk_core_property_type;
+typeattribute vendor_mtk_radio_seapi_off_prop mtk_core_property_type;
+typeattribute vendor_mtk_rcs_ua_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_rsc_prop mtk_core_property_type;
+typeattribute vendor_mtk_secure_venc_prop mtk_core_property_type;
+typeattribute vendor_mtk_service_rcs_prop mtk_core_property_type;
+typeattribute vendor_mtk_soter_teei_prop mtk_core_property_type;
+typeattribute vendor_mtk_st_nfc_gsma_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_st_nfc_ignore_modem_prop mtk_core_property_type;
+typeattribute vendor_mtk_telephony_addon_prop mtk_core_property_type;
+typeattribute vendor_mtk_trustkernel_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_trustonic_tee_prop mtk_core_property_type;
+typeattribute vendor_mtk_vendor_vt_prop mtk_core_property_type;
+typeattribute vendor_mtk_vilte_prop mtk_core_property_type;
+typeattribute vendor_mtk_vilte_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vinr_prop mtk_core_property_type;
+typeattribute vendor_mtk_viwifi_prop mtk_core_property_type;
+typeattribute vendor_mtk_viwifi_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_volte_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_prop mtk_core_property_type;
+typeattribute vendor_mtk_vsim_prop mtk_core_property_type;
+typeattribute vendor_mtk_vt_prop mtk_core_property_type;
+typeattribute vendor_mtk_wapi_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_wappush_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfc_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfc_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfd_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_dy_debug_ctrl_prop mtk_core_property_type;
+typeattribute vendor_mtk_hvolte_indicator mtk_core_property_type;
+typeattribute vendor_mtk_md_c2k_cap_dep_check_prop mtk_core_property_type;
+typeattribute vendor_mtk_gwsd_capability_prop mtk_core_property_type;
+typeattribute vendor_mtk_netdagent_gameserver_prop mtk_core_property_type;
+typeattribute vendor_mtk_apuware_debug_prop mtk_core_property_type;
+typeattribute vendor_mtk_nwk_opt_prop mtk_core_property_type;
+typeattribute vendor_mtk_wfd_enable_prop mtk_core_property_type;
+typeattribute vendor_mtk_vonr_force_prop mtk_core_property_type;
+typeattribute vendor_mtk_em_mtu_prop mtk_core_property_type;
+typeattribute vendor_mtk_fast_charging_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_sec_video_path_support_prop mtk_core_property_type;
+typeattribute vendor_mtk_subsidy_lock_support_prop mtk_core_property_type;
diff --git a/bsp/non_plat/property_contexts b/bsp/non_plat/property_contexts
new file mode 100644
index 0000000..2c3e57c
--- /dev/null
+++ b/bsp/non_plat/property_contexts
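Review bot: The block headed "Properties with can be read by all domains" in property.te tags TEE- and security-related types (`vendor_mtk_cam_security_prop`, `vendor_mtk_microtrust_tee_prop`, `vendor_mtk_soter_teei_prop`, `vendor_mtk_trustkernel_tee_prop`, `vendor_mtk_trustonic_tee_prop`, `vendor_mtk_secure_venc_prop`) with `mtk_core_property_type`, together with nearly every other type declared above. The rule that grants read on that attribute is not part of this hunk, but if the comment is accurate then the restricted/public split only limits writers, and explicit grants such as `get_prop(platform_app, vendor_mtk_cam_security_prop)` in platform_app.te are redundant. I would remove the attribute from types that untrusted domains have no reason to read and keep per-domain `get_prop` for them, and correct the header to `# Properties which can be read by all domains`.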
@@ -0,0 +1,348 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ctl.vendor.ccci_rpcd u:object_r:vendor_mtk_ctl_ccci_rpcd_prop:s0
+ctl.vendor.ccci2_rpcd u:object_r:vendor_mtk_ctl_ccci2_rpcd_prop:s0
+
+vendor.soter.teei. u:object_r:vendor_mtk_soter_teei_prop:s0
+
+vendor.rpmb.ready u:object_r:vendor_mtk_rpmb_ready_prop:s0
+
+ro.vendor.mtklog_internal u:object_r:vendor_mtk_default_prop:s0
+
+# customer log path
+ro.vendor.customer_logpath u:object_r:vendor_mtk_default_prop:s0
+
+# android log much detect
+vendor.logmuch.value u:object_r:vendor_mtk_logmuch_prop:s0
+vendor.logmuch.delay u:object_r:vendor_mtk_logmuch_prop:s0
+
+persist.vendor.mtk.volte.enable u:object_r:vendor_mtk_volte_prop:s0
+
+persist.vendor.volte_support u:object_r:vendor_mtk_volte_support_prop:s0
+
+persist.vendor.vonr_setting_support u:object_r:vendor_mtk_vonr_support_prop:s0
+
+persist.vendor.mtk_wfc_support u:object_r:vendor_mtk_wfc_support_prop:s0
+
+persist.vendor.vilte_support u:object_r:vendor_mtk_vilte_support_prop:s0
+
+persist.vendor.viwifi_support u:object_r:vendor_mtk_viwifi_support_prop:s0
+
+persist.vendor.mtk_rcs_ua_support u:object_r:vendor_mtk_rcs_ua_support_prop:s0
+
+persist.vendor.mtk.wfc.enable u:object_r:vendor_mtk_wfc_prop:s0
+
+persist.vendor.mtk.vilte.enable u:object_r:vendor_mtk_vilte_prop:s0
+
+persist.vendor.mtk.viwifi.enable u:object_r:vendor_mtk_viwifi_prop:s0
+
+persist.vendor.mtk.ims.video.enable u:object_r:vendor_mtk_vt_prop:s0
+
+persist.vendor.mtk.vonr.enable u:object_r:vendor_mtk_vonr_prop:s0
+
+persist.vendor.mtk.vonr.force.enable u:object_r:vendor_mtk_vonr_force_prop:s0
+
+persist.vendor.mtk.vinr.enable u:object_r:vendor_mtk_vinr_prop:s0
+
+persist.vendor.mtk_hvolte_indicator u:object_r:vendor_mtk_hvolte_indicator:s0
+
+persist.vendor.service.atci u:object_r:vendor_mtk_persist_service_atci_prop:s0
+vendor.mtk.atci u:object_r:vendor_mtk_atci_prop:s0
+
+# allow carrier express (cxp)
+persist.vendor.operator.optr u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.spec u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.seg u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.operator.subid u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.mtk_usp_md_sbp_code u:object_r:vendor_mtk_cxp_vendor_prop:s0
+ro.vendor.mtk_carrierexpress_pack u:object_r:vendor_mtk_cxp_vendor_prop:s0
+persist.vendor.mtk_usp_switch_mode u:object_r:vendor_mtk_cxp_vendor_prop:s0
+
+# vt operator property
+persist.vendor.vt. u:object_r:vendor_mtk_vendor_vt_prop:s0
+vendor.vt. u:object_r:vendor_mtk_vendor_vt_prop:s0
+
+
+vendor.gsm.external.sim.enabled u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.inserted u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.internal u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.modem.vsim.capability u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.prefered.aka.sim.slot u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.prefered.rsim.slot u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.timeout u:object_r:vendor_mtk_vsim_prop:s0
+vendor.gsm.external.sim.connected u:object_r:vendor_mtk_vsim_prop:s0
+persist.vendor.radio.external.sim u:object_r:vendor_mtk_vsim_prop:s0
+persist.vendor.radio.vsim.timeout u:object_r:vendor_mtk_vsim_prop:s0
+
+# TrustKernel add
+vendor.trustkernel. u:object_r:vendor_mtk_trustkernel_tee_prop:s0
+ro.vendor.trustkernel. u:object_r:vendor_mtk_trustkernel_tee_prop:s0
+
+ro.vendor.md_prop_ver u:object_r:vendor_mtk_md_version_prop:s0
+
+persist.vendor.sys.disable.moms u:object_r:vendor_mtk_moms_prop:s0
+
+persist.vendor.log.tel_log_ctrl u:object_r:vendor_mtk_log_tel_dbg_prop:s0
+
+# IMS property
+ro.vendor.md_auto_setup_ims u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.md_mims_support u:object_r:vendor_mtk_ims_prop:s0
+persist.vendor.ims_support u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.mtk_imsi_switch_support u:object_r:vendor_mtk_ims_prop:s0
+persist.vendor.ims.simulate u:object_r:vendor_mtk_ims_prop:s0
+ro.vendor.mtk_ims_notification u:object_r:vendor_mtk_ims_prop:s0
+
+vendor.net. u:object_r:vendor_mtk_network_prop:s0
+
+# CTA property
+vendor.cta.log.enable u:object_r:vendor_mtk_cta_log_prop:s0
+ro.vendor.mtk_mobile_management u:object_r:vendor_mtk_mobile_management_prop:s0
+
+vendor.boostfwk.log.enable u:object_r:vendor_mtk_boostfwk_log_prop:s0
+vendor.boostfwk.scrollidentify.option u:object_r:vendor_mtk_boostfwk_scrollidentify_prop:s0
+vendor.boostfwk.display60 u:object_r:vendor_mtk_boostfwk_display60_prop:s0
+vendor.boostfwk.frameidentify.option u:object_r:vendor_mtk_boostfwk_frameidentify_prop:s0
+vendor.boostfwk.option u:object_r:vendor_mtk_boostfwk_prop:s0
+
+ro.vendor.mtk_wfd_support u:object_r:vendor_mtk_wfd_support_prop:s0
+
+ro.vendor.mtk_dx_hdcp_support u:object_r:vendor_mtk_dx_hdcp_support_prop:s0
+
+# mtk duraspeed property
+persist.vendor.duraspeed. u:object_r:vendor_mtk_duraspeed_prop:s0
+persist.vendor.low.memory.hint u:object_r:vendor_mtk_duraspeed_prop:s0
+
+# Multiple IMS property
+persist.vendor.mims_support u:object_r:vendor_mtk_mims_prop:s0
+persist.vendor.mtk_dynamic_ims_switch u:object_r:vendor_mtk_dynims_prop:s0
+ro.vendor.mtk_external_sim_support u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_external_sim_only_slots u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_non_dsda_rsim_support u:object_r:vendor_mtk_extsim_prop:s0
+ro.vendor.mtk_persist_vsim_disabled u:object_r:vendor_mtk_extsim_prop:s0
+
+# IMS/EIMS pdn info property
+vendor.ims.eims.pdn.info u:object_r:vendor_mtk_ims_eims_pdn_prop:s0
+
+# Modem Monitor property
+ro.vendor.mtk_modem_monitor_support u:object_r:vendor_mtk_mdm_prop:s0
+ro.vendor.mtk_single_bin_modem_support u:object_r:vendor_mtk_mdm_prop:s0
+
+# game server property
+vendor.netdagent.gameserver u:object_r:vendor_mtk_netdagent_gameserver_prop:s0
+
+# Modem World Mode property
+ro.vendor.mtk_md_world_mode_support u:object_r:vendor_mtk_mdworldmode_prop:s0
+
+# OMA DRM
+ro.vendor.mtk_oma_drm_support u:object_r:vendor_mtk_oma_drm_support_prop:s0
+vendor.drm.forwardlock.only u:object_r:vendor_mtk_drm_fwd_lock_only_prop:s0
+
+# relevant property
+ro.vendor.mtk_miravision_support u:object_r:vendor_mtk_miravision_support_prop:s0
+ro.vendor.mtk_default_write_disk u:object_r:vendor_mtk_default_write_disk_prop:s0
+ro.vendor.mtk_bg_power_saving_support u:object_r:vendor_mtk_bg_power_saving_support_prop:s0
+ro.vendor.mtk_bg_power_saving_ui u:object_r:vendor_mtk_bg_power_saving_ui_prop:s0
+ro.vendor.mtk_besloudness_support u:object_r:vendor_mtk_besloudness_support_prop:s0
+ro.vendor.mtk_hifiaudio_support u:object_r:vendor_mtk_hifiaudio_support_prop:s0
+ro.vendor.mtk_active_noise_cancel u:object_r:vendor_mtk_active_noise_cancel_prop:s0
+ro.vendor.mtk_wapi_support u:object_r:vendor_mtk_wapi_support_prop:s0
+ro.vendor.mtk_fast_charging_support u:object_r:vendor_mtk_fast_charging_support_prop:s0
+
+# FastDormancy support property
+ro.vendor.mtk_fd_support u:object_r:vendor_mtk_fd_support_prop:s0
+
+# wappush property
+ro.vendor.mtk_wappush_support u:object_r:vendor_mtk_wappush_prop:s0
+
+# MD Number Protocol
+ro.vendor.num_md_protocol u:object_r:vendor_mtk_num_md_protocol_prop:s0
+
+# NFC related property
+persist.vendor.st_nfc_gsma_support u:object_r:vendor_mtk_st_nfc_gsma_support_prop:s0
+persist.vendor.st_nfc_ignore_modem u:object_r:vendor_mtk_st_nfc_ignore_modem_prop:s0
+ro.vendor.mtk_nfc_addon_support u:object_r:vendor_mtk_nfc_addon_support_prop:s0
+ro.vendor.mtk_uicc_clf u:object_r:vendor_mtk_nfc_uicc_clf_prop:s0
+persist.vendor.radio.seapi.off u:object_r:vendor_mtk_radio_seapi_off_prop:s0
+persist.vendor.nxp_nfc_gsma_support u:object_r:vendor_mtk_nxp_nfc_gsma_support_prop:s0
+vendor.nfc.nfcstackp.enable u:object_r:vendor_mtk_nfc_nfcstackp_enable_prop:s0
+
+# MTK operator property
+ro.vendor.operator. u:object_r:vendor_mtk_operator_prop:s0
+
+ro.vendor.mtk_omacp_support u:object_r:vendor_mtk_omacp_support_prop:s0
+
+persist.vendor.md_c2k_cap_dep_check u:object_r:vendor_mtk_md_c2k_cap_dep_check_prop:s0
+
+persist.vendor.debug.fdleak u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.program u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.bt2log u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.fdleak.thd u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.libc.debug.malloc u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.libc.debug15.prog u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.config u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.config.file u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug15.statis u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap.program u:object_r:vendor_mtk_libudf_prop:s0
+persist.vendor.debug.mmap.config u:object_r:vendor_mtk_libudf_prop:s0
+
+persist.vendor.uartconsole.enable u:object_r:vendor_mtk_printk_prop:s0
+
+# fm vibspk support
+ro.vendor.mtk_vibspk_support u:object_r:vendor_mtk_default_prop:s0
+
+# fm 50khz support
+ro.vendor.mtk_fm_50khz_support u:object_r:vendor_mtk_default_prop:s0
+
+vendor.camera.save.temp.video u:object_r:vendor_mtk_camera_prop:s0
+vendor.camera_af_power_debug u:object_r:vendor_mtk_camera_prop:s0
+vendor.com.mediatek.gesture.pose u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.dualcam.mode u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.mtkcam.loglevel u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtkcamapp.cshot.platform u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtkcamapp.cshot.version u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.stereo.single_main2 u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.surface.enabled u:object_r:vendor_mtk_camera_prop:s0
+vendor.debug.thumbnailFromYuv.enable u:object_r:vendor_mtk_camera_prop:s0
+vendor.lomoeffect. u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtk.camera.app. u:object_r:vendor_mtk_camera_prop:s0
+vendor.multizone.af.window.ratio u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.mtkcamapp.loglevel u:object_r:vendor_mtk_camera_prop:s0
+persist.vendor.mtk_camera_app_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_cfb u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_dualdenoise_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_dualzoom_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_mfb_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_cam_vfb u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_camera_app_api_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_camera_app_version u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_emulator_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_fat_on_nand u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_multiwindow u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_slow_motion_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_zsdhdr_support u:object_r:vendor_mtk_camera_prop:s0
+vendor.vdo.cam.effect u:object_r:vendor_mtk_camera_prop:s0
+vendor.mtk.client.appmode u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.mtk_video_hevc_enc_support u:object_r:vendor_mtk_camera_prop:s0
+ro.vendor.hdr10plus.enable u:object_r:vendor_mtk_camera_prop:s0
+
+vendor.debug.gallery.loglevel u:object_r:vendor_mtk_gallery_prop:s0
+vendor.gallery.log.enable u:object_r:vendor_mtk_gallery_prop:s0
+
+vendor.debug.log_delete u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_insert u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_query u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_scan u:object_r:vendor_mtk_media_prop:s0
+vendor.debug.log_update u:object_r:vendor_mtk_media_prop:s0
+
+ro.vendor.mtk_privacy_protection_lock u:object_r:vendor_mtk_default_prop:s0
+
+ro.vendor.sys.current_rsc_path u:object_r:vendor_mtk_rsc_prop:s0
+ro.vendor.vnd.current_rsc_path u:object_r:vendor_mtk_rsc_prop:s0
+
+persist.vendor.net.dhcp.renew u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_dhcpv6c_wifi u:object_r:vendor_mtk_default_prop:s0 + +persist.vendor.pms_removable u:object_r:vendor_mtk_pms_prop:s0 +ro.vendor.mtk_carrierexpress_inst_sup u:object_r:vendor_mtk_pms_prop:s0 +ro.vendor.mtk_skip_pkg_file u:object_r:vendor_mtk_pms_prop:s0 + +# CT SelfRegister property +ro.vendor.mtk_ct4greg_app u:object_r:vendor_mtk_default_prop:s0 +ro.vendor.mtk_devreg_app u:object_r:vendor_mtk_default_prop:s0 + +vendor.cdma. u:object_r:vendor_mtk_cdma_prop:s0 + +persist.vendor.service.rcs u:object_r:vendor_mtk_service_rcs_prop:s0 +persist.vendor.service.tag.rcs u:object_r:vendor_mtk_service_rcs_prop:s0 +persist.vendor.service.tag.rcs.2 u:object_r:vendor_mtk_service_rcs_prop:s0 +persist.vendor.active.rcs.slot.id u:object_r:vendor_mtk_service_rcs_prop:s0 + +# data shaping property +persist.vendor.datashaping u:object_r:vendor_mtk_datashaping_prop:s0 + +# MTK IMS Config Provision property +persist.vendor.mtk.provision. 
u:object_r:vendor_mtk_provision_prop:s0 + +# wfd hybrid encode property +ro.vendor.mtk_hybrid_encode_support u:object_r:vendor_mtk_default_prop:s0 + +vendor.mtk.secure.venc.alive u:object_r:vendor_mtk_secure_venc_prop:s0 + +vendor.net.rndis.client u:object_r:vendor_mtk_netdagent_prop:s0 + +# neuropilot property +ro.vendor.mtk_nn_quant_preferred u:object_r:vendor_mtk_nn_quant_preferred_prop:s0 +ro.vendor.mtk_tflite_fuse_pad u:object_r:vendor_mtk_nn_quant_preferred_prop:s0 + +# hdmi service property,used for tablet only +ro.vendor.mtk_tb_hdmi u:object_r:vendor_mtk_default_prop:s0 + +ro.vendor.sim_me_lock_mode u:object_r:vendor_mtk_default_prop:s0 + +# MTK CAM Security property +ro.vendor.mtk_cam_security u:object_r:vendor_mtk_cam_security_prop:s0 + +persist.vendor.service.atci.atm_mode u:object_r:vendor_mtk_atci_sys_prop:s0 + +# Wi-Fi Hotspot +vendor.wifi.tethering.channel u:object_r:vendor_mtk_wifi_hotspot_prop:s0 + +# Telephony Add-on +ro.vendor.mtk_telephony_add_on_policy u:object_r:vendor_mtk_telephony_addon_prop:s0 + +ro.vendor.mtk_cta_support u:object_r:vendor_mtk_cta_support_prop:s0 + +ro.vendor.mtk_subsidy_lock_support u:object_r:vendor_mtk_subsidy_lock_support_prop:s0 + +vendor.debug.camera. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.cameng. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.lsc_mgr. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.ae. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.ae_mgr. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.awb_mgr. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.hdr u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.shot. u:object_r:vendor_mtk_emcamera_prop:s0 +vendor.debug.eis. u:object_r:vendor_mtk_emcamera_prop:s0 +persist.vendor.mtkcam. u:object_r:vendor_mtk_emcamera_prop:s0 + +# jpeg dec opt. 
property +ro.vendor.jpeg_decode_sw_opt u:object_r:vendor_mtk_jpeg_opt_prop:s0 + +# TEE property +ro.vendor.mtk_trustonic_tee_support u:object_r:vendor_mtk_trustonic_tee_prop:s0 +ro.vendor.mtk_microtrust_tee_support u:object_r:vendor_mtk_microtrust_tee_prop:s0 +ro.vendor.mtk_trustkernel_tee_support u:object_r:vendor_mtk_trustkernel_tee_prop:s0 + +# DMC control property +ro.vendor.mtk_dmc_support u:object_r:vendor_mtk_dmc_prop:s0 +ro.vendor.mtk_mapi_support u:object_r:vendor_mtk_dmc_prop:s0 +vendor.dmc.apm.active u:object_r:vendor_mtk_dmc_prop:s0 + +# MTK dynamic debug control property +persist.vendor.em.dy.debug u:object_r:vendor_mtk_em_dy_debug_ctrl_prop:s0 + +# MTK GWSD property +ro.vendor.mtk_gwsd_capability u:object_r:vendor_mtk_gwsd_capability_prop:s0 + +# APUWare debug property +persist.vendor.apuware.debug. u:object_r:vendor_mtk_apuware_debug_prop:s0 + +persist.vendor.gsm.netin. u:object_r:vendor_mtk_nwk_opt_prop:s0 + +vendor.mtk.wfd.enable u:object_r:vendor_mtk_wfd_enable_prop:s0 + +# mtu property +persist.vendor.radio.mobile.mtu.sysenv u:object_r:vendor_mtk_em_mtu_prop:s0 + +# MTK call drop reason report +ro.vendor.mtk_calldrop_reason u:object_r:vendor_mtk_call_drop_prop:s0 + +#=============allow build property to write default value================= +ro.vendor.mtk_sec_video_path_support u:object_r:vendor_mtk_sec_video_path_support_prop:s0 +ro.vendor.mtk_svp_on_mtee_support u:object_r:vendor_mtk_svp_on_mtee_support_prop:s0 + +# MTK MCF property +ro.vendor.mtk_mcf_support u:object_r:vendor_mtk_mcf_prop:s0 diff --git a/bsp/non_plat/radio.te b/bsp/non_plat/radio.te new file mode 100644 index 0000000..0029aad --- /dev/null +++ b/bsp/non_plat/radio.te 
@@ -0,0 +1,103 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK16.09 +# Operation : Migration for SWO policy package survey +allow radio rild_mal_socket:sock_file write; +allow radio rild_mal_at_socket:sock_file write; +allow radio rild_mal_md2_socket:sock_file write; +allow radio rild_mal_at_md2_socket:sock_file write; + +# Date : 2018/06/25 +# Purpose: for world phone get modem type +get_prop(radio, vendor_mtk_ril_active_md_prop) + +# Date : WK15.33 2015/08/13 +# Operation : IT +# Purpose : for setting volte enable property +get_prop(radio, vendor_mtk_volte_prop) + +# Date : WK15.48 2015/11/23 +# Operation : IT +# Purpose : for setting wfc enable property +get_prop(radio, vendor_mtk_wfc_prop) + +# Date : WK16.47 2016/11/17 +# Operation : IT +# Purpose : for setting vilte enable property after 93 modem +get_prop(radio, vendor_mtk_vilte_prop) + +# Date : WK16.47 2016/11/17 +# Operation : IT +# Purpose : for setting viwifi enable property +get_prop(radio, vendor_mtk_viwifi_prop) + +# Date : WK15.48 2015/11/23 +# Operation : IT +# Purpose : for setting vt enable property +get_prop(radio, vendor_mtk_vt_prop) + +# Date : 2017/08/14 +# Operation : VT development +# Purpose : Add vtservice to support video telephony functionality +# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild +allow radio vtservice:binder call; +allow radio vtservice:binder transfer; + +# Date: 2017/11/14 +# Operation : rcs hal developing +# Purpose : Allow to use HAL rcs +hal_client_domain(radio, hal_rcs); + +# Date : 2018/6/29 +# Operation: P migration +# Purpose: Allow radio to get vendor_mtk_vsim_prop +get_prop(radio, vendor_mtk_vsim_prop) + +# Date : 2018/05/16 +# Operation: P migration +get_prop(radio, vendor_mtk_ims_prop) + +# Date : 2018/05/23 +# Purpose: for SWIFT connecting to ATCI +hal_client_domain(radio, hal_mtk_atci) + +# Date: 2018/06/12 +# Purpose: P SQC, for SMS 
framework access PplAgent HIDL interface +allow radio mtk_hal_pplagent_hwservice:hwservice_manager find; +allow radio ppl_agent:binder call; + +# Date : 2018/06/19 +# Operation : P migration +# Purpose : for SelfRegister to call nvram hal +hal_client_domain(radio, hal_mtk_nvramagent) + +# Date : 2019/05/16 +# Operation : IT +# Purpose : Add for HIDL service +hal_client_domain(radio, md_monitor_hal) + +# Date : 2019/07/15 +# Operation : IT +# Purpose : for setting ims nr enable property +get_prop(radio, vendor_mtk_vonr_prop) +get_prop(radio, vendor_mtk_vinr_prop) + +# Date : 2019/08/20 +# Operation : DMC Q Migration +# Purpose : allow to get vendor_mtk_dmc_prop +get_prop(radio, vendor_mtk_dmc_prop) + +# Date : 2020/10/30 +# Operation : QC +# Purpose : for getting ims nr force enable property +get_prop(radio, vendor_mtk_vonr_force_prop) + +# Date: 2021/3/30 +# Purpose: Allow rild to get call drop feature +get_prop(radio, vendor_mtk_call_drop_prop) + +# Date : 2021/08/17 +# Purpose : Allow radio to read ro.vendor.mtk_mcf_support +get_prop(radio, vendor_mtk_mcf_prop) diff --git a/bsp/non_plat/rcs_volte_stack.te b/bsp/non_plat/rcs_volte_stack.te new file mode 100644 index 0000000..5b16442 --- /dev/null +++ b/bsp/non_plat/rcs_volte_stack.te 
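Review bot: The 2021/3/30 comment over `get_prop(radio, vendor_mtk_call_drop_prop)` says "Allow rild to get call drop feature", but the rule grants the read to the `radio` domain. I would reword it to `# Purpose: Allow radio to read the call drop property` so a later audit does not look for this grant in rild.te. The WK16.09 block at the top gives `radio` write on four `rild_mal*` socket files with only "Migration for SWO policy package survey" as the reason; a Purpose line naming the client that needs them would make the grant reviewable. `hal_client_domain(radio, hal_rcs);` is the only macro call in this file with a trailing semicolon; dropping it matches the other invocations.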
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /vendor/bin/rcs_volte_stack Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type rcs_volte_stack_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(rcs_volte_stack)
+
+# Date : WK14.42
+# Operation : Migration
+# Purpose : for VoLTE L early bring up and first call
+allow rcs_volte_stack vendor_shell_exec:file rx_file_perms;
+allow rcs_volte_stack self:key_socket { write read create setopt };
+allow rcs_volte_stack self:capability { net_admin setuid setgid };
+allow rcs_volte_stack self:tcp_socket create_stream_socket_perms;
+allow rcs_volte_stack self:udp_socket create_stream_socket_perms;
+allow rcs_volte_stack node:udp_socket node_bind;
+allow rcs_volte_stack node:tcp_socket node_bind;
+allow rcs_volte_stack port:tcp_socket { name_bind name_connect };
+allow rcs_volte_stack port:udp_socket name_bind;
+allow rcs_volte_stack fwmarkd_socket:sock_file write;
+
+allow rcs_volte_stack rcs_volte_stack_socket:sock_file write;
+allow rcs_volte_stack self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read };
+
+# Date : W1849
+# Operation : Migration
+# Purpose : for TMO ROI support Ipsec tunnel
+set_prop(rcs_volte_stack, vendor_mtk_network_prop)
diff --git a/bsp/non_plat/remosaic_daemon.te b/bsp/non_plat/remosaic_daemon.te
new file mode 100644
index 0000000..81892e6
--- /dev/null
+++ b/bsp/non_plat/remosaic_daemon.te
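Review bot: `allow rcs_volte_stack port:tcp_socket { name_bind name_connect };` and `port:udp_socket name_bind` are written against the generic `port` type, so the daemon may bind or connect on any port without a more specific label. The same WK14.42 "early bring up" comment is the only justification for `self:capability { net_admin setuid setgid }` and `vendor_shell_exec:file rx_file_perms`. For a daemon that opens TCP/UDP and xfrm sockets, each of these grants deserves its own Purpose line, and if the stack uses fixed ports a dedicated port type would narrow the bind rule (an assumption to confirm with the owner). Separately, `self:udp_socket create_stream_socket_perms` adds `listen` and `accept`, which do not apply to a datagram socket; `allow rcs_volte_stack self:udp_socket create_socket_perms;` is the usual form.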
@@ -0,0 +1,12 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type remosaic_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(remosaic_daemon)
+
+vndbinder_use(remosaic_daemon)
+
+allow remosaic_daemon remosaic_daemon_service:service_manager add;
+allow remosaic_daemon mtk_hal_camera:fd use;
+allow remosaic_daemon ion_device:chr_file { read ioctl open };
diff --git a/bsp/non_plat/rild.te b/bsp/non_plat/rild.te
new file mode 100644
index 0000000..275ba7e
--- /dev/null
+++ b/bsp/non_plat/rild.te
@@ -0,0 +1,60 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# For Rild hidl connection
+allow rild system_app:binder call;
+
+# Date: 2018/10/31
+# Operation: Support SubsidyLock
+# For Rild hidl connection
+allow rild em_app:binder call;
+
+allow rild statusd:unix_stream_socket connectto;
+allow rild rild_via_socket:sock_file write;
+allow rild viarild:unix_stream_socket connectto;
+set_prop(rild, vendor_mtk_cdma_prop)
+set_prop(rild, vendor_mtk_ril_cdma_report_prop)
+allow rild rild_vsim_socket:sock_file write;
+
+# Allow the find/call of netdagent for rilproxy
+allow rild mtk_hal_netdagent_hwservice:hwservice_manager find;
+allow rild netdagent:binder call;
+
+#Dat: 2017/02/14
+#Purpose: allow set telephony Sensitive property
+set_prop(rild, vendor_mtk_telephony_sensitive_prop)
+
+# Date : WK18.26
+# Operation: P migration
+# Purpose: Allow rild to set ims support property
+set_prop(rild, vendor_mtk_volte_support_prop)
+set_prop(rild, vendor_mtk_wfc_support_prop)
+set_prop(rild, vendor_mtk_vilte_support_prop)
+set_prop(rild, vendor_mtk_viwifi_support_prop)
+set_prop(rild, vendor_mtk_rcs_ua_support_prop)
+
+# Date : WK18.29
+# Operation: Ims config TelephonyWare dev
+# Purpose: Allow rild to get/set vendor_mtk_provision_prop
+set_prop(rild, vendor_mtk_provision_prop)
+
+# Date : WK18.33
+# Operation: IT
+# Purpose: Allow rild to set ims enable property
+set_prop(rild, vendor_mtk_volte_prop)
+set_prop(rild, vendor_mtk_wfc_prop)
+set_prop(rild, vendor_mtk_vilte_prop)
+set_prop(rild, vendor_mtk_viwifi_prop)
+set_prop(rild, vendor_mtk_vt_prop)
+
+# Date : WK19.29
+# Operation: IT
+# Purpose: Allow rild to set ims nr enable property
+set_prop(rild, vendor_mtk_vonr_prop)
+set_prop(rild, vendor_mtk_vinr_prop)
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow rild to force set IMS NR feature
+set_prop(rild, vendor_mtk_vonr_force_prop)
diff --git a/bsp/non_plat/rsu_app.te b/bsp/non_plat/rsu_app.te
new file mode 100644
index 0000000..1be115c
--- /dev/null
+++ b/bsp/non_plat/rsu_app.te
@@ -0,0 +1,3 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk etc. Executable File
+hal_client_domain(rsu_app, hal_telephony)
\ No newline at end of file
diff --git a/bsp/non_plat/seapp_contexts b/bsp/non_plat/seapp_contexts
new file mode 100644
index 0000000..b42f15c
--- /dev/null
+++ b/bsp/non_plat/seapp_contexts
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# This is for trustonic tui-service
+user=_app seinfo=platform name=com.trustonic.tuiservice domain=mobicore_app type=app_data_file levelFrom=user
+
+# This is for emcamera apk to commnucate with hal1
+user=_app seinfo=platform name=com.mediatek.emcamera domain=emcamera_app type=app_data_file levelFrom=user
+
+# This is for sensorhub apk to commnucate with hal
+user=_app seinfo=platform name=com.mediatek.sensorhub.ui domain=sensorhub_app type=app_data_file levelFrom=user
+
diff --git a/bsp/non_plat/sensorhub_app.te b/bsp/non_plat/sensorhub_app.te
new file mode 100644
index 0000000..5c2bcf9
--- /dev/null
+++ b/bsp/non_plat/sensorhub_app.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /vendor/app/sensorhub Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+app_domain(sensorhub_app)
+
+allow sensorhub_app activity_service:service_manager find;
+allow sensorhub_app surfaceflinger_service:service_manager find;
+allow sensorhub_app activity_task_service:service_manager find;
+allow sensorhub_app audio_service:service_manager find;
+allow sensorhub_app drmserver_service:service_manager find;
+allow sensorhub_app autofill_service:service_manager find;
+allow sensorhub_app sensorservice_service:service_manager find;
+allow sensorhub_app mediaextractor_service:service_manager find;
+allow sensorhub_app mediaserver_service:service_manager find;
+allow sensorhub_app mediametrics_service:service_manager find;
+
+# Date : 2019/03/25
+# Operation : IT
+# Purpose : for engineermode sensor can work normal
+allow sensorhub_app als_ps_device:chr_file r_file_perms;
+allow sensorhub_app gsensor_device:chr_file r_file_perms;
+allow sensorhub_app gyroscope_device:chr_file r_file_perms;
diff --git a/bsp/non_plat/service_contexts b/bsp/non_plat/service_contexts
new file mode 100644
index 0000000..9dda972
--- /dev/null
+++ b/bsp/non_plat/service_contexts
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+android.hardware.neuralnetworks.IDevice/mtk-gpu_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-dsp_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-mdla_shim u:object_r:hal_neuralnetworks_service:s0
+android.hardware.neuralnetworks.IDevice/mtk-neuron_shim u:object_r:hal_neuralnetworks_service:s0
diff --git a/bsp/non_plat/shell.te b/bsp/non_plat/shell.te
new file mode 100644
index 0000000..4131beb
--- /dev/null
+++ b/bsp/non_plat/shell.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+userdebug_or_eng(`
+
+# MICROTRUST SEPolicy Rule
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust init_thh service
+ allow shell init_thh_service_exec:file rx_file_perms;
+ allow shell init_thh_service_exec:dir r_dir_perms;
+ hal_client_domain(shell, hal_teei_thh)
+
+# Purpose: Allow shell to read trustkernel log
+allow shell tkcore_data_file:dir search;
+allow shell tkcore_log_file:file r_file_perms;
+
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to read DMC property ro.vendor.mtk_mapi_support
+get_prop(shell, vendor_mtk_dmc_prop)
+
+')
diff --git a/bsp/non_plat/statusd.te b/bsp/non_plat/statusd.te
new file mode 100644
index 0000000..9073f97
--- /dev/null
+++ b/bsp/non_plat/statusd.te
@@ -0,0 +1,59 @@ +# ============================================== +# Policy File of /vendor/bin/statusd Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================= + +type statusd_exec, exec_type, file_type, vendor_file_type; +typeattribute statusd mtkimsapdomain; + +init_daemon_domain(statusd) + +# Dat: 2017/02/14 +# Purpose: allow set telephony Sensitive property +set_prop(statusd, vendor_mtk_telephony_sensitive_prop) + +allow statusd block_device:dir search; +allow statusd flashlessd_exec:file rx_file_perms; +set_prop(statusd, vendor_mtk_md_prop) +set_prop(statusd, vendor_mtk_net_cdma_mdmstat_prop) + +allow statusd nvram_data_file:dir create_dir_perms; +allow statusd nvram_data_file:file create_file_perms; +allow statusd nvram_data_file:lnk_file read; +allow statusd nvdata_file:lnk_file read; +allow statusd nvdata_file:dir create_dir_perms; +allow statusd nvdata_file:file create_file_perms; +allow statusd nvram_device:chr_file rw_file_perms; +allow statusd nvram_device:blk_file rw_file_perms; + +allow statusd nvdata_device:blk_file { read write open }; +set_prop(statusd, vendor_mtk_ril_cdma_report_prop) +allow statusd self:capability net_admin; +allow statusd self:udp_socket { create ioctl }; +allow statusd statusd_socket:sock_file { write setattr }; +allow statusd sysfs_wake_lock:file { read write open }; + +allow statusd c2k_file:dir create_dir_perms; +allow statusd c2k_file:file create_file_perms; +allow statusd ttyMT_device:chr_file { read write ioctl open }; +allow statusd ttySDIO_device:chr_file { read write open setattr ioctl}; +allow statusd viarild_exec:file rx_file_perms; +allow statusd vmodem_device:chr_file { read write open setattr ioctl}; + +# property service +set_prop(statusd, vendor_mtk_ril_mux_report_case_prop) +set_prop(statusd, vendor_mtk_cdma_prop) + +# Search permission for findPidByName +allow statusd domain:dir search; + +# N bringup: viarild is lunched by 
Statusd, should add the following permission to Status. +allow statusd devpts:chr_file rw_file_perms; + +# Andorid O : Add permission to statusd. +allowxperm statusd self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1}; +allow statusd sysfs_ccci:dir search; +allow statusd sysfs_ccci:file r_file_perms; +allow statusd vndbinder_device:chr_file r_file_perms; diff --git a/bsp/non_plat/stflashtool.te b/bsp/non_plat/stflashtool.te new file mode 100644 index 0000000..322ce01 --- /dev/null +++ b/bsp/non_plat/stflashtool.te @@ -0,0 +1,15 @@ +# ============================================== +# Policy File of /vendor/bin/STFlashTool Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== +type stflashtool_exec, exec_type, file_type, vendor_file_type; + +# Date : WK1652 +# Operation : Migration +# Purpose : Start STFlashTool to upgrade the FW for ST NFC Solution +init_daemon_domain(stflashtool) + +allow stflashtool st21nfc_device:chr_file rw_file_perms; + diff --git a/bsp/non_plat/surfaceflinger.te b/bsp/non_plat/surfaceflinger.te new file mode 100644 index 0000000..14cfb67 --- /dev/null +++ b/bsp/non_plat/surfaceflinger.te 
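Review bot: In statusd.te, `allow statusd domain:dir search;` (under "Search permission for findPidByName") gives statusd search on the /proc entry of every process domain. Search alone does not let it read those processes' names, so the rule looks both wider than needed and possibly incomplete for its stated purpose. If the lookup is only for the daemons statusd starts (the file grants it execute on `viarild_exec` and `flashlessd_exec`), per-domain rules such as `allow statusd viarild:dir search;` would be narrower; confirm against what findPidByName actually scans. The `allowxperm` list also whitelists `SIOCDEVPRIVATE` and `SIOCDEVPRIVATE_1`, which are driver-defined ioctls, so a comment naming the interface they are meant for would make that grant reviewable.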
@@ -0,0 +1,96 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# for debug purpose +allow surfaceflinger self:capability { net_admin sys_nice }; +allow surfaceflinger self:netlink_socket { read bind create }; +allow surfaceflinger anr_data_file:dir { write search create add_name }; +allow surfaceflinger anr_data_file:file { create write}; +allow surfaceflinger aee_dumpsys_data_file:file write; +allow surfaceflinger RT_Monitor_device:chr_file { read ioctl open }; + +# watch dog use shell to move debug file +allow surfaceflinger shell_exec:file rx_file_perms; + +# for using toolbox +allow surfaceflinger system_file:file x_file_perms; + +# for sf_dump +userdebug_or_eng(` +allow surfaceflinger sf_bqdump_data_file:{dir file} {relabelto open create read write getattr }; +allow surfaceflinger sf_bqdump_data_file:dir {search add_name}; +') + +# for driver access +allow surfaceflinger MTK_SMI_device:chr_file { read write open ioctl }; + +# for bootanimation +allow surfaceflinger bootanim:dir search; +allow surfaceflinger bootanim:file { read getattr open }; + +# for MTK Emulator HW GPU +allow surfaceflinger qemu_pipe_device:chr_file rw_file_perms; + +# for SVP secure memory allocation +allow surfaceflinger proc_secmem:file { read write open ioctl }; + +# for watchdog +allow surfaceflinger anr_data_file:dir { relabelfrom read remove_name getattr }; +allow surfaceflinger anr_data_file:file { rename getattr unlink open append}; +allow surfaceflinger sf_rtt_file:dir { create search write add_name remove_name}; +allow surfaceflinger sf_rtt_file:file { open read write create rename append getattr unlink}; +allow surfaceflinger sf_rtt_file:dir {relabelto getattr}; +allow surfaceflinger crash_dump:process sigchld; + +# for BufferQueue check process name of em_svr +allow surfaceflinger em_svr:dir search; +allow surfaceflinger em_svr:file { read getattr open }; + +allow surfaceflinger 
mobicore_user_device:chr_file { read write ioctl open }; + +# take down the boot time for bootprof +allow surfaceflinger proc_bootprof:file write; + +# Add permission for gpu access +allow surfaceflinger dri_device:chr_file { read write open ioctl }; + +# for rtt dump +allow surfaceflinger toolbox_exec:file rx_file_perms; + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use HAL PQ +hal_client_domain(surfaceflinger, hal_mtk_pq) + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use shared memory for HAL PQ +hal_client_domain(surfaceflinger, hal_allocator) + +# Date : WK17.43 +# Stage: O Migration, SQC +# purpose: Allow to SF communicate with HAL DFPS +hal_client_domain(surfaceflinger, hal_dfps) + +allow surfaceflinger mtk_dfrc_device:chr_file rw_file_perms; + +# Data: 2019/09/28 +# Purpose: SurfaceFlinger need to call MMS to convert buffer format and PQ effect +hal_client_domain(surfaceflinger, hal_mtk_mms) + +#allow get mtk_sec_video_path_support +get_prop(surfaceflinger, vendor_mtk_sec_video_path_support_prop) +get_prop(surfaceflinger, vendor_mtk_svp_on_mtee_support_prop) + +# Date: 2021/07/02 +# Operation: Allow 'getattr' for unlabeled:filesystem +allow surfaceflinger unlabeled:filesystem {getattr}; + +# Date: 2021/09/01 +# Operation: Allow 'r_file_perms_no_map' for dmabuf_system_secure_heap_device:chr_file +allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms_no_map; + +# Data: 2021/09/07 +# Purpose: Call NpAgent +hal_client_domain(surfaceflinger, hal_neuralnetworks) diff --git a/bsp/non_plat/system_app.te b/bsp/non_plat/system_app.te new file mode 100644 index 0000000..fdf05f8 --- /dev/null +++ b/bsp/non_plat/system_app.te 
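Review bot: The rules under `# for debug purpose` at the top of surfaceflinger.te are not wrapped in `userdebug_or_eng`, unlike the `sf_bqdump_data_file` rules a few lines below. As written, `self:capability { net_admin sys_nice }`, `self:netlink_socket { read bind create }` and the writes to `anr_data_file` and `aee_dumpsys_data_file` are granted on user builds as well. The same holds for `shell_exec:file rx_file_perms` and `system_file:file x_file_perms`, which let a process that parses untrusted buffers run a shell and toolbox in its own domain. If these are debug aids only, I would move them inside a `userdebug_or_eng` block like the sf_dump one; if any are needed in production, the comment should say which feature depends on them, `net_admin` in particular.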
@@ -0,0 +1,165 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2014/11/19 +# Operation: SQC +# Purpose: [Settings][RenderThread][operate device file failed] +# Package: com.android.settings +allow system_app proc_secmem:file rw_file_perms; + +# Date: 2014/08/01 +# Operation: BaseUT +# Purpose: [Settings][Settings used list views need velocity tracker access touch dev] +# Package: com.android.settings +allow system_app touch_device:chr_file r_file_perms; + +# Date: 2014/08/04 +# Stage: BaseUT +# Purpose: [MTKThermalManager][View thermal zones and coolers, and change thermal policies] +# Package Name: com.mediatek.mtkthermalmanager +allow system_app apk_private_data_file:dir getattr; +allow system_app asec_image_file:dir getattr; +allow system_app dontpanic_data_file:dir getattr; +allow system_app drm_data_file:dir getattr; +allow system_app install_data_file:file getattr; +allow system_app lost_found_data_file:dir getattr; +allow system_app media_data_file:dir getattr; +allow system_app property_data_file:dir getattr; +allow system_app proc_thermal:dir search; +allow system_app proc_thermal:file rw_file_perms; +allow system_app proc_mtkcooler:dir search; +allow system_app proc_mtkcooler:file rw_file_perms; +allow system_app proc_mtktz:dir search; +allow system_app proc_mtktz:file rw_file_perms; +allow system_app proc_slogger:file rw_file_perms; + +# Date : WK17.23 +# Stage: Migration, SQC +# Purpose: Allow to use HAL PQ +hal_client_domain(system_app, hal_mtk_pq) + +# Date : WK17.29 +# Operation : Migration +# Purpose : for device bring up, not to block early SQC +allow system_app debugfs_ion:dir search; + +# Date:W17.29 +# Operation : presence hal developing +# Purpose : Allow to use HAL presence +hal_client_domain(system_app, hal_presence) + +# Date : WK17.31 +# Operation : Migration +# Purpose : Carrier express service on BSP +get_prop(system_app, vendor_mtk_volte_prop) 
+get_prop(system_app, vendor_mtk_wfc_prop) +get_prop(system_app, vendor_mtk_vt_prop) +get_prop(system_app, vendor_mtk_cxp_vendor_prop) + +# Date:W17.31 +# Operation : rcs hal developing +# Purpose : Allow to use HAL rcs +hal_client_domain(system_app, hal_rcs) + +# Date : WK17.29 +# Operation : SQC +# Purpose : allow SystemUpdate to access ota_package file +allow system_app ota_package_file:dir { create_dir_perms }; +allow system_app ota_package_file:file { create_file_perms }; + +# Date : WK17.30 +# Operation : SQC +# Purpose : allow SystemUpdate to access Update engine +allow system_app update_engine:binder { call transfer }; + +# Date : WK17.41 +# Stage: Migration, IT +# Purpose: allow PermissionControl use mtk_hal_netdagent_hwservice +hal_client_domain(system_app, mtk_hal_netdagent) + +# Date: WK17.41 +# Operation: SQC +# Purpose: [sysoper][sysoper will create folder /cache/recovery] +# Package: com.mediatek.systemupdate.sysoper +allow system_app cache_file:dir { write search create add_name remove_name }; +allow system_app cache_file:file { read write create open getattr unlink }; + +# Date: 2016/07/05 +# Operation: SQC +# Purpose: Add permission to access recovery folder and write command files to recovery for System Update +allow system_app cache_recovery_file:dir { write search add_name remove_name }; +allow system_app cache_recovery_file:file { read write create open getattr unlink }; + +# Date: 2018/05/08 +# Operation: Migration +# Purpose : Allow Privacy protection lock to find ppl agent +# Package: com.mediatek.PrivacyProtectionLock +allow system_app mtk_hal_pplagent_hwservice:hwservice_manager find; +allow system_app ppl_agent:binder call; + +# Date : WK18.25 +# Stage: Migration +# Purpose: allow AtciService to access atcid +hal_client_domain(system_app, hal_mtk_atci) + +# Date: 2018/07/30 +# Purpose: Allow BackupRestore can read /dev/block/mmcblk1. 
+# Package Name: com.mediatek.backuprestore +allow system_app block_device:dir search; + +# Date: W18.31 +# Purpose: Allow system-app to get vendor_mtk_ss_vendor_prop +# Package Name: com.mediatek.engineermode +get_prop(system_app, vendor_mtk_ss_vendor_prop) + +# Date: 2018/04/18 +# Purpose: Allow to use HIDL and access mtk_hal_neuralnetworks +allow system_app mtk_hal_neuralnetworks:binder { call transfer }; +allow system_app debugfs_ion:dir search; + +# Date: 2018/10/31 +# Operation: Support SubsidyLock +hal_client_domain(system_app, hal_telephony) +binder_call(system_app, rild) + +# Date:W18.43 +# Operation : clientapi hal developing +# Purpose : Allow to use HAL presence +hal_client_domain(system_app, hal_clientapi) + +# Date : 2019/05/09 +# Operation: TrustKernel integration +# Purpose: access for client device of TKCore +allow system_app tkcore_admin_device:chr_file rw_file_perms; + +# Date: 2019/05/24 +# Purpose: System APP can submit KPI to DMC through APM HIDL interface +# Package Name: com.mediatek.apmonitor +hal_client_domain(system_app, hal_mtk_apm) + +# Date: 2019/05/24 +# Purpose: System APP can check DMC proerpty to submit KPI or not. +# Package Name: com.mediatek.apmonitor +get_prop(system_app, vendor_mtk_dmc_prop) + +# Date : 2019/06/27 +# Operation : system app need to read vendor_mtk_cta_support_prop property +# Purpose : allow to get mtk_cta_support property +get_prop(system_app, vendor_mtk_cta_support_prop) + +# Date : 2019/07/15 +# Operation : it +# Purpose : for setting ims nr enable property +get_prop(system_app, vendor_mtk_vonr_prop) +get_prop(system_app, vendor_mtk_vinr_prop) + +# Date : 2019/07/08 +# Operation : New feature +# Purpose : VoW 2E2K request model update: system APP write and audio HAL read +# Package Name: com.mediatek.voicecommand +allow system_app mtk_audiohal_data_file:dir create_dir_perms; +allow system_app mtk_audiohal_data_file:file create_file_perms; + + +hal_client_domain(system_app, hal_fingerprint) 
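Review bot: Many rules in system_app.te are justified per package but are granted to the whole `system_app` domain, which is shared by apps running as the system UID. Examples are `cache_recovery_file` write for System Update, `ota_package_file` create perms, `tkcore_admin_device:chr_file rw_file_perms` and `proc_secmem:file rw_file_perms`. This commit's seapp_contexts already maps `com.mediatek.sensorhub.ui` and `com.mediatek.emcamera` to their own domains, and the same approach for the update and TEE client packages would keep recovery-command and TEE-admin access away from unrelated system apps. The 2018/07/30 comment says BackupRestore "can read /dev/block/mmcblk1", but the rule only allows `block_device:dir search`, so the comment should say `# Purpose: allow directory search under /dev/block`. `allow system_app debugfs_ion:dir search;` appears twice (WK17.29 and 2018/04/18), and the final `hal_client_domain(system_app, hal_fingerprint)` has no Date or Purpose header.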
diff --git a/bsp/non_plat/system_server.te b/bsp/non_plat/system_server.te
new file mode 100644
index 0000000..2f3c0c4
--- /dev/null
+++ b/bsp/non_plat/system_server.te
@@ -0,0 +1,148 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date: WK14.43 +# Operation : Migration +# Purpose : for bring up +allow system_server sf_rtt_file:dir { relabelto r_dir_perms }; + +# Date: WK14.47 +# Operation : MTBF +# Purpose : for debug +allow system_server sf_rtt_file:file r_file_perms; + +# Date: WK14.47 +# Operation : Sanity +# Purpose : for /proc/secmem (TEE enable) +allow system_server proc_secmem:file rw_file_perms; + +# Date: WK16.30 +# Operation : Migration +# Purpose : for system_server operate /dev/RT_Monitor when enable hang detect +allow system_server RT_Monitor_device:chr_file r_file_perms; + +# Date : WK15.24 +# Operation: TEEI integration +# Purpose: access for fp device +allow system_server teei_fp_device:chr_file rw_file_perms; +allow system_server teei_client_device:chr_file r_file_perms; + +# Date : 2016/07/11 +# Operation : Migration +# Purpose : Add permission for gpu access +allow system_server dri_device:chr_file rw_file_perms; + +# Date : W17.24 +# Purpose: Allow to use HAL PQ +hal_client_domain(system_server, hal_mtk_pq) + +# Date : W17.31 +# Purpose: Allow to use Ape swip decoder +hal_client_domain(system_server, hal_mtk_codecservice) + +# Date:W17.33 +# Operation : camera hal developing +# Purpose : camera hal binder_call permission +binder_call(system_server, mtk_hal_camera) + +# Date:W17.36 +# Operation : Migration +# Purpose : Allow to send signal +allow system_server netd:process signal; + +# Date:W17.07 +# Operation : dfps hal +# Purpose : dfps hal interface permission +hal_client_domain(system_server, hal_dfps) + +allow system_server audioserver:file w_file_perms; + +# Date : 2018/03/06 +# Purpose : Add mtk_hal_netdagent_hwservice for EM firewall usage +allow system_server mtk_hal_netdagent_hwservice:hwservice_manager find; +allow system_server netdagent:binder call; + +# Date : W18.20 +# Operation : Migration +# Purpose : for 
mobicore (Trustonic TEE) +allow system_server mobicore_vendor_file:dir r_file_perms; + +# Date : 6/20/2018 +# Operation : MTK fm hal migration +# Purpose : MTK fm hal interface permission +hal_client_domain(system_server, hal_mtk_fm) + +# Date : W19.12 +# Operation : For DuraSpeed Migration +allow system_server proc_cpu_loading:file rw_file_perms; +userdebug_or_eng(` +allow system_server debugfs_tracing_debug:file r_file_perms; +') +allow system_server proc_low_memory_hit:file rw_file_perms; +allow system_server duraspeed_data_file:dir create_dir_perms; +allow system_server duraspeed_data_file:file create_file_perms; + +# Date : WK18.36 +# Operation : omadm hidl +# Purpose : hidl interface permission +hal_client_domain(system_server, hal_mtk_omadm) + +# Date : WK19.29 +# Operation : nwk_opt hal +# Purpose : nwk_opt hal permission +hal_client_domain(system_server, hal_nwk_opt) + +# Date:2020/08/07 +# Operation:R Migration +userdebug_or_eng(` allow system_server md_monitor:process signal; ') + +# Date:2020/08/26 +# Operation:kill hal_drm_widevine permission when ANR happened +allow system_server hal_drm_widevine:process signal; + +# Date:2020/09/03 +# Operation:R Migration +allow system_server proc_ion:dir search; + +# Date:2020/09/07 +# Operation:R Migration +allow system_server proc_m4u_dbg:dir search; + +# Date:2020/09/08 +# Operation:R Migration +allow system_server proc_displowpower:dir search; +allow system_server proc_freqhopping:file getattr; + +# Date:2020/09/11 +# Operation:R Migration +allow system_server proc_freqhopping:dir search; + +# Date:2020/09/18 +# Operation:R Migration +allow system_server procfs_gpu_img:dir { search getattr }; + +# Date:2020/09/30 +# Operation:R Migration +allow system_server procfs_gpu_img:file getattr; + +# Read/Write /proc/pressure/cpu +allow system_server proc_pressure_cpu:file rw_file_perms; + +# Search /proc/usb/plat +allow system_server proc_usb_plat:dir search; + +# Search /proc/gpufreqv2 +allow system_server 
proc_gpufreqv2:dir search; + +# Search /proc/mtkfb +allow system_server proc_mtkfb:dir search; + +# Search /proc/stat +allow system_server proc_stat:dir search; + +# Date: 2021/08/10 +# Operation: S Migration +# Purpose: InputReader read files under power_supply to detect battery device +allow system_server sysfs_power_supply:dir {r_dir_perms}; +allow system_server sysfs_power_supply:file r_file_perms; diff --git a/bsp/non_plat/tee.te b/bsp/non_plat/tee.te new file mode 100644 index 0000000..2aab3be --- /dev/null +++ b/bsp/non_plat/tee.te 
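Review bot: `allow system_server mobicore_vendor_file:dir r_file_perms;` (the W18.20 mobicore rule in system_server.te) applies a file permission macro to the `dir` class, so it carries no `search` and probably does not grant the directory read that the comment intends; the other directory rules in this file use `r_dir_perms`, and the line would read `allow system_server mobicore_vendor_file:dir r_dir_perms;`. Separately, `allow system_server audioserver:file w_file_perms;` is the only rule in the hunk without a Date/Purpose header, and it lets system_server write to files labelled with the audioserver domain type. I would add a comment naming the file and the denial it answers, or drop the rule if none is recorded.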
@@ -0,0 +1,83 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : 2016/06/01 +# Operation: TEEI integration +# Purpose: Microtrust teei_daemon service +allow tee self:capability { sys_module setuid setgid sys_rawio }; + +allow tee teei_config_device:chr_file rw_file_perms; +allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms }; +allow tee teei_vfs_device:chr_file rw_file_perms; +allow tee teei_rpmb_device:chr_file rw_file_perms; +allow tee teei_data_file:dir create_dir_perms; +allow tee teei_data_file:file create_file_perms; + +allow tee teei_control_file:dir r_dir_perms; +allow tee teei_control_file:file rw_file_perms;; +allow tee teei_control_file:lnk_file rw_file_perms;; + +# allow teei_daemon access /persist section +allow tee mnt_vendor_file:dir create_dir_perms; +allow tee mnt_vendor_file:file create_file_perms; +allow tee persist_data_file:dir create_dir_perms; +allow tee persist_data_file:file create_file_perms; + +# enable access android property +set_prop(tee, vendor_mtk_soter_teei_prop) + +# for debug only +allow tee kmsg_device:chr_file w_file_perms; + +# allow tee read ut_keymaster data +allow tee ut_keymaster_device:chr_file rw_file_perms; + +# allow load teei drm drivers +allow tee block_device:dir search; +allow tee teei_rpmb_device:blk_file rw_file_perms; +allow tee nvram_device:blk_file rw_file_perms; + +# kernel device +allow tee tkcore_admin_device:chr_file rw_file_perms; + +# sfs +allow tee tkcore_data_file:dir create_dir_perms; +allow tee tkcore_data_file:file { create_file_perms link }; + +# persist +allow tee protect_f_data_file:dir search; +allow tee tkcore_protect_data_file:dir create_dir_perms; +allow tee tkcore_protect_data_file:file { create_file_perms link }; + +#rpmb +allow tee self:capability sys_rawio; +allow tee block_device:dir search; +set_prop(tee, vendor_mtk_rpmb_ready_prop) + +allow tee rpmb_block_device:blk_file 
rw_file_perms; +allowxperm tee rpmb_block_device:blk_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB }; +allow tee rpmb_device:chr_file rw_file_perms; +allowxperm tee rpmb_device:chr_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB }; + +# systa loading +allow tee tkcore_systa_file:dir r_dir_perms; +allow tee tkcore_systa_file:file r_file_perms; + +# spta mgmt/loading +allow tee tkcore_spta_file:dir create_dir_perms; +allow tee tkcore_spta_file:file create_file_perms; + +# logging +allow tee tkcore_log_file:file create_file_perms; + +# allow tkcore to read/write vendor.trustkernel.* properties +set_prop(tee, vendor_mtk_trustkernel_tee_prop); + +# maintaining version through /proc fs +allow tee proc_tkcore:file rw_file_perms; +allow tee proc_tkcore:dir search; + +allow tee bootdevice_block_device:blk_file rw_file_perms; +allowxperm tee bootdevice_block_device:blk_file ioctl { MMC_IOC_MULTI_CMD UFS_IOCTL_RPMB}; +allow tee tee_data_file:dir create_dir_perms; diff --git a/bsp/non_plat/teei_hal_capi.te b/bsp/non_plat/teei_hal_capi.te new file mode 100644 index 0000000..34b3054 --- /dev/null +++ b/bsp/non_plat/teei_hal_capi.te @@ -0,0 +1,21 @@ +# ============================================== +# MICROTRUST SEPolicy Rule +# ============================================== + +# Set exec file type +type teei_hal_capi_exec, exec_type, vendor_file_type, file_type; + +# Setup for domain transition +init_daemon_domain(teei_hal_capi) + +# Set teei_hal_capi as server domain of hal_teei_capi +hal_server_domain(teei_hal_capi, hal_teei_capi) + +# Access capi devices at all. +allow teei_hal_capi teei_client_device:chr_file rw_file_perms; + +# Allow to use shared memory for HAL PQ +hal_client_domain(teei_hal_capi, hal_allocator) + +# Allow to set soter prop +set_prop(teei_hal_capi, vendor_mtk_soter_teei_prop) diff --git a/bsp/non_plat/teei_hal_ifaa.te b/bsp/non_plat/teei_hal_ifaa.te new file mode 100644 index 0000000..ab129e0 --- /dev/null 
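Review bot: The first rule of tee.te, `allow tee self:capability { sys_module setuid setgid sys_rawio };`, gives the TEE daemon domain `sys_module` with only the generic "Microtrust teei_daemon service" header as justification; together with `rw_file_perms` on `nvram_device`, `rpmb_block_device` and `bootdevice_block_device` further down, that is a wide kernel- and storage-facing grant for one domain, and each of those rules deserves a comment stating which component needs it. If module loading is done by init rather than by this daemon, the set should shrink to `allow tee self:capability { setuid setgid sys_rawio };`. The `#rpmb` section repeats `allow tee self:capability sys_rawio;` and `allow tee block_device:dir search;` from earlier in the same file, and the duplicates can go. The two `teei_control_file` rules end in `;;` and `set_prop(tee, vendor_mtk_trustkernel_tee_prop);` has a stray `;` after the macro call.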
+++ b/bsp/non_plat/teei_hal_ifaa.te
@@ -0,0 +1,12 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+type teei_hal_ifaa_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(teei_hal_ifaa)
+hal_server_domain(teei_hal_ifaa, hal_teei_ifaa)
+
+hal_client_domain(teei_hal_ifaa, hal_teei_capi)
+hal_client_domain(teei_hal_ifaa, hal_allocator)
+
+allow teei_hal_ifaa teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/teei_hal_thh.te b/bsp/non_plat/teei_hal_thh.te
new file mode 100644
index 0000000..2b14e76
--- /dev/null
+++ b/bsp/non_plat/teei_hal_thh.te
@@ -0,0 +1,20 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+# Set exec file type
+type teei_hal_thh_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(teei_hal_thh)
+
+# Set teei_hal_thh as server domain of hal_teei_thh
+hal_server_domain(teei_hal_thh, hal_teei_thh)
+
+hal_client_domain(teei_hal_thh, hal_teei_capi)
+hal_client_domain(teei_hal_thh, hal_allocator)
+
+# Access thh devices at all.
+allow teei_hal_thh teei_client_device:chr_file { create setattr unlink rw_file_perms };
+allow teei_hal_thh teei_data_file:dir create_dir_perms;
+allow teei_hal_thh teei_data_file:file create_file_perms;
+set_prop(teei_hal_thh, vendor_mtk_soter_teei_prop)
diff --git a/bsp/non_plat/teei_hal_tui.te b/bsp/non_plat/teei_hal_tui.te
new file mode 100644
index 0000000..dae2ca0
--- /dev/null
+++ b/bsp/non_plat/teei_hal_tui.te
@@ -0,0 +1,17 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+# Set exec file type
+type teei_hal_tui_exec, exec_type, vendor_file_type, file_type;
+
+# Setup for domain transition
+init_daemon_domain(teei_hal_tui)
+
+# Set teei_hal_tui as server domain of hal_teei_tui
+hal_server_domain(teei_hal_tui, hal_teei_tui)
+
+# Access tui devices at all.
+allow teei_hal_tui utr_tui_device:chr_file rw_file_perms;
+
+# Allow to use shared memory for HAL PQ
+hal_client_domain(teei_hal_tui, hal_allocator)
diff --git a/bsp/non_plat/teei_hal_wechat.te b/bsp/non_plat/teei_hal_wechat.te
new file mode 100644
index 0000000..b7974e9
--- /dev/null
+++ b/bsp/non_plat/teei_hal_wechat.te
@@ -0,0 +1,12 @@
+# ==============================================
+# MICROTRUST SEPolicy Rule
+# ==============================================
+type teei_hal_wechat_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(teei_hal_wechat)
+hal_server_domain(teei_hal_wechat, hal_teei_wechat)
+
+hal_client_domain(teei_hal_wechat, hal_teei_capi)
+hal_client_domain(teei_hal_wechat, hal_allocator)
+
+allow teei_hal_wechat teei_client_device:chr_file rw_file_perms;
diff --git a/bsp/non_plat/terservice.te b/bsp/non_plat/terservice.te
new file mode 100644
index 0000000..a3fcb3f
--- /dev/null
+++ b/bsp/non_plat/terservice.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# ccci ioctl
+allow terservice ccci_device:chr_file rw_file_perms;
+allow terservice sysfs_ccci:dir r_dir_perms;
+allow terservice sysfs_ccci:file r_file_perms;
diff --git a/bsp/non_plat/tesiai_hal_hdcp.te b/bsp/non_plat/tesiai_hal_hdcp.te
new file mode 100644
index 0000000..b14e7d5
--- /dev/null
+++ b/bsp/non_plat/tesiai_hal_hdcp.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of HDCP HAL service
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type tesiai_hal_hdcp_exec , exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Setup for domain transition
+init_daemon_domain(tesiai_hal_hdcp)
+
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(tesiai_hal_hdcp, hal_tesiai_hdcp)
+
+# Allow HDCP to access Trustzone
+allow tesiai_hal_hdcp mobicore_user_device:chr_file rw_file_perms;
+allow tesiai_hal_hdcp mobicore_vendor_file:file lock;
+
+
+# Allow HDCP to access HDCP key folder
+allow tesiai_hal_hdcp mnt_vendor_file:dir { search getattr };
+allow tesiai_hal_hdcp persist_data_file:dir search;
+allow tesiai_hal_hdcp persist_data_file:file rw_file_perms;
+
+# Allow HDCP to access codec FD
+allow tesiai_hal_hdcp mtk_hal_c2:fd use;
diff --git a/bsp/non_plat/thermal.te b/bsp/non_plat/thermal.te
new file mode 100644
index 0000000..99c55ac
--- /dev/null
+++ b/bsp/non_plat/thermal.te
@@ -0,0 +1,37 @@
+# ==============================================
+# Policy File of /vendor/bin/thermal Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type thermal_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(thermal)
+net_domain(thermal)
+
+allow thermal mtkrild:unix_stream_socket connectto;
+allow thermal proc_thermal:dir search;
+allow thermal proc_thermal:file rw_file_perms;
+allow thermal rild_oem_socket:sock_file write;
+allow thermal netd_socket:sock_file write;
+allow thermal netd:unix_stream_socket connectto;
+allow thermal self:udp_socket create;
+allow thermal self:udp_socket ioctl;
+allow thermal rpc_socket:sock_file write;
+allow thermal viarild:unix_stream_socket connectto;
+allow thermal statusd:unix_stream_socket connectto;
+allow thermal rild:unix_stream_socket connectto;
+
+# If thermal(which belongs to vendor partition) want to open binder dev node(e.g. Parcel) will be
+# denied for no permission. Should use vndbinder dev node in vendor domain.
+# Using the following sepolicy rule to allow thermal to use vendor binder.
+vndbinder_use(thermal)
+
+# Data: 2018/08/26
+# Operation: Thermal
+# Purpose : add permission for thermal daemon to access mtcloader
+set_prop(thermal, vendor_mtk_thermal_config_prop)
+allow thermal thermal_manager_data_file:file rw_file_perms;
+allow thermal thermalloadalgod:unix_stream_socket connectto;
+allow thermal proc_mtkcooler:dir search;
+
diff --git a/bsp/non_plat/thermal_manager.te b/bsp/non_plat/thermal_manager.te
new file mode 100644
index 0000000..e8c6e68
--- /dev/null
+++ b/bsp/non_plat/thermal_manager.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow thermal_manager thermalloadalgod:unix_stream_socket connectto;
diff --git a/bsp/non_plat/thermald.te b/bsp/non_plat/thermald.te
new file mode 100644
index 0000000..c5fa906
--- /dev/null
+++ b/bsp/non_plat/thermald.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.28
+# Operation : SQC
+# Purpose : for thermal management to shutdown the phone
+allow thermald proc_thermal:dir search;
+allow thermald proc_thermal:file rw_file_perms;
diff --git a/bsp/non_plat/ueventd.te b/bsp/non_plat/ueventd.te
new file mode 100644
index 0000000..b3615a1
--- /dev/null
+++ b/bsp/non_plat/ueventd.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# add for gmo+512M project
+allow ueventd platform_app:fd use;
+
+# add for sysfs:md32
+allow ueventd sysfs_md32:file w_file_perms;
+
+# add for sysfs:scp
+allow ueventd sysfs_scp:file w_file_perms;
+
+# add for sysfs:sspm
+allow ueventd sysfs_sspm:file w_file_perms;
diff --git a/bsp/non_plat/untrusted_app.te b/bsp/non_plat/untrusted_app.te
new file mode 100644
index 0000000..fcb9105
--- /dev/null
+++ b/bsp/non_plat/untrusted_app.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# TODO:: Security Issue
+# Date : W1452
+# Operation : WVL1 Modular DRM IT
+# Purpose : Allow svp client alloc sec mem
+allow untrusted_app proc_secmem:file r_file_perms;
+
+# TrustKernel add
+userdebug_or_eng(`
+ allow untrusted_app tkcore_admin_device:chr_file rw_file_perms;
+')
+
+# Date : 2016/07/12
+# Operation : SQC
+# Purpose : allow untrusted_app access ntfs device
+allow untrusted_app fuseblk:dir search;
+allow untrusted_app fuseblk:file rw_file_perms;
+
+# Date : 2016/7/22
+# Operation: Migration
+# Purpose : Move from tk sepolicy for ViLTE
+allow untrusted_app vtservice:dir search;
+allow untrusted_app mediaserver:dir search;
+
+# Date: 2018/04/18
+# Purpose: Allow untrusted_app to use HIDL and access mtk_hal_neuralnetworks
+allow untrusted_app mtk_hal_neuralnetworks:binder { call transfer };
+allow untrusted_app debugfs_ion:dir search;
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/untrusted_app_25.te b/bsp/non_plat/untrusted_app_25.te
new file mode 100644
index 0000000..747f23a
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_25.te
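Review bot: `allow untrusted_app radio:unix_stream_socket connectto;` at the end of untrusted_app.te lets any third-party app connect to sockets owned by the radio domain, although its comment says only the EXPWAY eMBMS middleware needs it; the same rule is repeated in untrusted_app_25.te and untrusted_app_27.te. The hunk also keeps `allow untrusted_app proc_secmem:file r_file_perms;` under its own `# TODO:: Security Issue` marker and grants `fuseblk:file rw_file_perms` to every untrusted app. I would give the middleware its own app domain through seapp_contexts and move the socket rule there, and either resolve the TODO or record why secure-memory state has to be readable by untrusted apps. Grants on untrusted_app domains are also where platform neverallow conflicts tend to show up, so the policy should be built with the neverallow checks run before this is merged.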
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# untrusted_app_25 for TUI
+allow untrusted_app_25 mobicore_vendor_file:dir search;
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_25 to access procs
+allow untrusted_app_25 proc_uptime:file getattr;
+allow untrusted_app_25 proc_version:file getattr;
+allow untrusted_app_25 sysfs_net:dir search;
+allow untrusted_app_25 proc_net:file r_file_perms;
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app_25 radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/untrusted_app_27.te b/bsp/non_plat/untrusted_app_27.te
new file mode 100644
index 0000000..595788d
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_27.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_27 to get props
+get_prop(untrusted_app_27, vendor_mtk_atci_sys_prop)
+get_prop(untrusted_app_27, vendor_mtk_atm_ipaddr_prop)
+
+# Date: 2020/06/29
+# Operation : eMBMS Migration
+# Purpose :allow EXPWAY middleware to access the socket
+allow untrusted_app_27 radio:unix_stream_socket connectto;
diff --git a/bsp/non_plat/untrusted_app_29.te b/bsp/non_plat/untrusted_app_29.te
new file mode 100644
index 0000000..91260c2
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_29.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2021/07/16
+# Purpose : Allow HMP custom api request
+allow untrusted_app_29 data_vendor_hmp_file:dir { rw_dir_perms };
+allow untrusted_app_29 data_vendor_hmp_file:file { rw_file_perms };
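Review bot: The two `data_vendor_hmp_file` rules in untrusted_app_29.te grant `rw_dir_perms` and `rw_file_perms` on a vendor data type to a domain that, as far as I know from AOSP's seapp_contexts, is selected by an app's target SDK level and not by its identity. Any installed app in that bucket would get write access, while the app that presumably needs the "HMP custom api" would lose it when it retargets. If one specific package needs this, a dedicated domain or a HAL in front of the directory would scope it. At minimum the header should name the consumer, for example `# Package Name: <package that calls the HMP API>`.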
diff --git a/bsp/non_plat/untrusted_app_all.te b/bsp/non_plat/untrusted_app_all.te
new file mode 100644
index 0000000..ba97cd0
--- /dev/null
+++ b/bsp/non_plat/untrusted_app_all.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app to search debugfs_ion dir
+allow untrusted_app_all debugfs_ion:dir search;
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app to search sysfs_mmcblk dir
+allow untrusted_app_all sysfs_devices_block:dir search;
+get_prop(untrusted_app_all, vendor_mtk_nn_option_prop)
diff --git a/bsp/non_plat/usp_service.te b/bsp/non_plat/usp_service.te
new file mode 100644
index 0000000..b90a398
--- /dev/null
+++ b/bsp/non_plat/usp_service.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow usp_service para_block_device:blk_file rw_file_perms;
+allow usp_service proc_lk_env:file rw_file_perms;
+allow usp_service ccci_device:chr_file rw_file_perms;
+get_prop(usp_service, vendor_mtk_cxp_vendor_prop)
diff --git a/bsp/non_plat/ut_ta_manager_service.te b/bsp/non_plat/ut_ta_manager_service.te
new file mode 100644
index 0000000..c95a625
--- /dev/null
+++ b/bsp/non_plat/ut_ta_manager_service.te
@@ -0,0 +1,7 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+allow platform_app teei_data_file:dir create_dir_perms;
+allow platform_app teei_data_file:file create_file_perms;
diff --git a/bsp/non_plat/vendor_init.te b/bsp/non_plat/vendor_init.te
new file mode 100644
index 0000000..c328aae
--- /dev/null
+++ b/bsp/non_plat/vendor_init.te
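Review bot: ut_ta_manager_service.te contains no rule for a service domain; both of its lines have `platform_app` as the source, so every platform-signed app receives `create_dir_perms` and `create_file_perms` on `teei_data_file`, the type that tee.te and teei_hal_thh.te also grant create access on. If only the TA manager app needs this, it should run in its own domain and the rules should name that domain. Otherwise the file name is misleading, and a header such as `# platform_app: needed by <TA manager package> to write TA files` is the minimum a later reviewer needs to judge the grant.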
@@ -0,0 +1,76 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+set_prop(vendor_init, vendor_mtk_radio_prop)
+set_prop(vendor_init, vendor_mtk_ims_prop)
+set_prop(vendor_init, vendor_mtk_wfd_support_prop)
+set_prop(vendor_init, vendor_mtk_atci_prop)
+set_prop(vendor_init, vendor_mtk_mobile_management_prop)
+
+allow vendor_init proc_hps:file w_file_perms;
+allow vendor_init proc_cpufreq:file w_file_perms;
+
+allow vendor_init proc_usb_plat:dir search;
+allow vendor_init proc_usb_plat:file rw_file_perms;
+
+set_prop(vendor_init, vendor_mtk_soter_teei_prop)
+set_prop(vendor_init, vendor_mtk_trustkernel_tee_prop)
+set_prop(vendor_init, vendor_mtk_dx_hdcp_support_prop)
+set_prop(vendor_init, vendor_mtk_duraspeed_prop)
+set_prop(vendor_init, vendor_mtk_dynims_prop)
+set_prop(vendor_init, vendor_mtk_mims_prop)
+set_prop(vendor_init, vendor_mtk_extsim_prop)
+set_prop(vendor_init, vendor_mtk_volte_support_prop)
+set_prop(vendor_init, vendor_mtk_vonr_support_prop)
+set_prop(vendor_init, vendor_mtk_wfc_support_prop)
+set_prop(vendor_init, vendor_mtk_vilte_support_prop)
+set_prop(vendor_init, vendor_mtk_viwifi_support_prop)
+set_prop(vendor_init, vendor_mtk_rcs_ua_support_prop)
+set_prop(vendor_init, vendor_mtk_mdm_prop)
+set_prop(vendor_init, vendor_mtk_mcf_prop)
+set_prop(vendor_init, vendor_mtk_mdworldmode_prop)
+set_prop(vendor_init, vendor_mtk_oma_drm_support_prop)
+set_prop(vendor_init, vendor_mtk_miravision_support_prop)
+set_prop(vendor_init, vendor_mtk_default_write_disk_prop)
+set_prop(vendor_init, vendor_mtk_bg_power_saving_support_prop)
+set_prop(vendor_init, vendor_mtk_bg_power_saving_ui_prop)
+set_prop(vendor_init, vendor_mtk_besloudness_support_prop)
+set_prop(vendor_init, vendor_mtk_hifiaudio_support_prop)
+set_prop(vendor_init, vendor_mtk_active_noise_cancel_prop)
+set_prop(vendor_init, vendor_mtk_wapi_support_prop)
+set_prop(vendor_init, vendor_mtk_fd_support_prop)
+set_prop(vendor_init, vendor_mtk_st_nfc_gsma_support_prop)
+set_prop(vendor_init, vendor_mtk_st_nfc_ignore_modem_prop)
+set_prop(vendor_init, vendor_mtk_nfc_addon_support_prop)
+set_prop(vendor_init, vendor_mtk_nfc_uicc_clf_prop)
+set_prop(vendor_init, vendor_mtk_radio_seapi_off_prop)
+set_prop(vendor_init, vendor_mtk_nxp_nfc_gsma_support_prop)
+set_prop(vendor_init, vendor_mtk_num_md_protocol_prop)
+set_prop(vendor_init, vendor_mtk_wappush_prop)
+set_prop(vendor_init, vendor_mtk_operator_prop)
+set_prop(vendor_init, vendor_mtk_omacp_support_prop)
+set_prop(vendor_init, vendor_mtk_log_tel_dbg_prop)
+set_prop(vendor_init, vendor_mtk_camera_prop)
+set_prop(vendor_init, vendor_mtk_gallery_prop)
+set_prop(vendor_init, vendor_mtk_media_prop)
+set_prop(vendor_init, vendor_mtk_rsc_prop)
+set_prop(vendor_init, vendor_mtk_pms_prop)
+set_prop(vendor_init, vendor_mtk_logmuch_prop)
+set_prop(vendor_init, vendor_mtk_dsbp_support_prop)
+set_prop(vendor_init, vendor_mtk_datashaping_prop)
+set_prop(vendor_init, vendor_mtk_nn_quant_preferred_prop)
+set_prop(vendor_init, vendor_mtk_cam_security_prop)
+set_prop(vendor_init, vendor_mtk_dmc_prop)
+set_prop(vendor_init, vendor_mtk_cta_support_prop)
+set_prop(vendor_init, system_mtk_heavy_loading_prop)
+set_prop(vendor_init, vendor_mtk_jpeg_opt_prop)
+set_prop(vendor_init, vendor_mtk_trustonic_tee_prop)
+set_prop(vendor_init, vendor_mtk_microtrust_tee_prop)
+set_prop(vendor_init, vendor_mtk_md_c2k_cap_dep_check_prop)
+set_prop(vendor_init, vendor_mtk_gwsd_capability_prop)
+set_prop(vendor_init, vendor_mtk_fast_charging_support_prop)
+set_prop(vendor_init, vendor_mtk_call_drop_prop)
+set_prop(vendor_init, vendor_mtk_sec_video_path_support_prop)
+set_prop(vendor_init, vendor_mtk_svp_on_mtee_support_prop)
+set_prop(vendor_init, vendor_mtk_subsidy_lock_support_prop)
diff --git a/bsp/non_plat/vendor_shell.te b/bsp/non_plat/vendor_shell.te
new file mode 100644
index 0000000..6561678
--- /dev/null
+++ b/bsp/non_plat/vendor_shell.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+# Date : 2020/10/30
+# Operation: IMS Config NR force value
+# Purpose: Allow vendor_shell to force set IMS NR feature
+set_prop(vendor_shell, vendor_mtk_vonr_force_prop)
diff --git a/bsp/non_plat/viarild.te b/bsp/non_plat/viarild.te
new file mode 100644
index 0000000..1a59228
--- /dev/null
+++ b/bsp/non_plat/viarild.te
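Review bot: `set_prop(vendor_shell, vendor_mtk_vonr_force_prop)` in vendor_shell.te is unconditional, so the vendor shell domain can force the IMS NR setting on user builds as well as on engineering builds. The comment describes a force/override switch, which reads like a bring-up or test aid, not a production control. If that is the case, wrap the line in `userdebug_or_eng(...)` the way system_server.te does for its `md_monitor` rule; if user builds do need it, the header should say which component drives the shell there.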
@@ -0,0 +1,81 @@
+# ==============================================
+# Policy File of /vendor/bin/viarild Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+type viarild_exec, exec_type, file_type, vendor_file_type;
+typeattribute viarild mtkimsapdomain;
+
+init_daemon_domain(viarild)
+net_domain(viarild)
+allow viarild self:netlink_route_socket nlmsg_write;
+allow viarild kernel:system module_request;
+allow viarild self:capability { setuid net_admin net_raw };
+allow viarild cgroup:dir create_dir_perms;
+allow viarild radio_device:chr_file rw_file_perms;
+allow viarild radio_device:blk_file r_file_perms;
+allow viarild mtd_device:dir search;
+allow viarild efs_file:dir create_dir_perms;
+allow viarild efs_file:file create_file_perms;
+
+allow viarild bluetooth_efs_file:file r_file_perms;
+allow viarild bluetooth_efs_file:dir r_dir_perms;
+allow viarild sdcardfs:dir r_dir_perms;
+
+set_prop(viarild, vendor_mtk_cdma_prop)
+set_prop(viarild, vendor_mtk_ril_cdma_report_prop)
+set_prop(viarild, vendor_mtk_ril_mux_report_case_prop)
+set_prop(viarild, vendor_mtk_radio_prop)
+set_prop(viarild, vendor_mtk_ril_ipo_prop)
+
+# Dat: 2017/02/14
+# Purpose: allow set telephony Sensitive property
+set_prop(viarild, vendor_mtk_telephony_sensitive_prop)
+
+allow viarild tty_device:chr_file rw_file_perms;
+
+# Allow viarild to create and use netlink sockets.
+allow viarild self:netlink_socket create_socket_perms_no_ioctl;
+allow viarild self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(viarild)
+
+allow viarild self:socket create_socket_perms_no_ioctl;
+
+allow viarild Vcodec_device:chr_file { read write open };
+allow viarild devmap_device:chr_file { read ioctl open };
+allow viarild devpts:chr_file { read write open };
+
+allow viarild ccci_device:chr_file { read write ioctl open };
+allow viarild devpts:chr_file ioctl;
+allow viarild misc_device:chr_file { read write open };
+allow viarild proc_lk_env:file { read ioctl open };
+allow viarild sysfs_vcorefs_pwrctrl:file { open write };
+set_prop(viarild, vendor_mtk_ril_active_md_prop)
+
+# set for mux
+allow viarild devpts:chr_file setattr;
+allow viarild self:capability chown;
+allow viarild self:capability fowner;
+allow viarild self:capability setuid;
+
+# For MAL MFI
+allow viarild mal_mfi_socket:sock_file write;
+
+# For Vzw Phone CCP - Set IPV6 RS
+allow viarild proc_net:file write;
+
+# If viarild(which belongs to vendor partition) want to open binder dev node(e.g. Parcel) will be
+# denied for no permission. Should use vndbinder dev node in vendor domain.
+# Using the following sepolicy rule to allow viarild to use vendor binder.
+vndbinder_use(viarild)
+
+# Allow to trigger IPv6 RS
+allow viarild node:rawip_socket node_bind;
+
+# Allow to config network
+allowxperm viarild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
+allow viarild sysfs_ccci:dir search;
+allow viarild sysfs_ccci:file r_file_perms;
diff --git a/bsp/non_plat/vndservice.te b/bsp/non_plat/vndservice.te
new file mode 100644
index 0000000..3a5ed22
--- /dev/null
+++ b/bsp/non_plat/vndservice.te
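Review bot: `allow viarild proc_net:file write;` (under "Set IPV6 RS" in viarild.te) opens every file labelled `proc_net` for writing to a daemon that also holds `net_admin` and `net_raw`; a dedicated genfs label for the one entry it needs would keep the grant to that file. `allow viarild kernel:system module_request;` carries no comment at all and lets the daemon trigger kernel module autoloading, which needs a stated reason or removal. `setuid` is granted twice, once in the capability set near the top and again under `# set for mux`; the capability rules could be one line, `allow viarild self:capability { setuid net_admin net_raw chown fowner };`, with a comment explaining why a RIL daemon changes uid and file ownership.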
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+type remosaic_daemon_service, vndservice_manager_type;
diff --git a/bsp/non_plat/vndservice_contexts b/bsp/non_plat/vndservice_contexts
new file mode 100644
index 0000000..e893550
--- /dev/null
+++ b/bsp/non_plat/vndservice_contexts
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+android.IRemosaicDaemon u:object_r:remosaic_daemon_service:s0
+
diff --git a/bsp/non_plat/vold.te b/bsp/non_plat/vold.te
new file mode 100644
index 0000000..4411bf4
--- /dev/null
+++ b/bsp/non_plat/vold.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# MICROTRUST SEPolicy Rule
+# Date : 2016/06/01
+# Operation: TEEI integration
+# Purpose: Microtrust HW-backed Keymaster
+allow vold ut_keymaster_device:chr_file rw_file_perms;
+allow vold teei_client_device:chr_file rw_file_perms;
+
+# Purpose : write bootprof
+allow vold proc_bootprof:file w_file_perms;
diff --git a/bsp/non_plat/volte_clientapi_ua.te b/bsp/non_plat/volte_clientapi_ua.te
new file mode 100644
index 0000000..1401954
--- /dev/null
+++ b/bsp/non_plat/volte_clientapi_ua.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /vendor/bin/volte_clientapi_ua Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type volte_clientapi_ua_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(volte_clientapi_ua)
+
+# hwbinder access
+hal_server_domain(volte_clientapi_ua, hal_clientapi)
+
+# call into system_app process (callbacks)
+binder_call(volte_clientapi_ua, system_app)
+binder_call(volte_clientapi_ua, platform_app)
+
+# Date : W18.43
+# Operation : IT
+# Purpose: clientapi HIDL Migration
+get_prop(volte_clientapi_ua, hwservicemanager_prop)
+allow volte_clientapi_ua debugfs_tracing:file w_file_perms;
diff --git a/bsp/non_plat/volte_rcs_ua.te b/bsp/non_plat/volte_rcs_ua.te
new file mode 100644
index 0000000..c4aa31d
--- /dev/null
+++ b/bsp/non_plat/volte_rcs_ua.te
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /vendor/bin/volte_rcs_ua Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type volte_rcs_ua_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(volte_rcs_ua)
+
+# hwbinder access
+
+hal_server_domain(volte_rcs_ua, hal_rcs)
+
+# call into system_app process (callbacks)
+binder_call(volte_rcs_ua, system_app)
+
+# Date : W17.31
+# Operation : IT
+# Purpose: Rcs HIDL Migration
+allow volte_rcs_ua debugfs_tracing:file { write open };
+
+# Date : W1747
+# Operation: RCS over Internet development
+# Purpose: For volte_rcs_ua to be able to talk to rcs_volte_stack
+allow volte_rcs_ua rcs_volte_stack_socket:sock_file { open getattr read write append };
+allow volte_rcs_ua rcs_volte_stack:unix_stream_socket { read getattr connectto };
+
+# Date : W1827
+# Operation: P migration
+# Purpose: Allow rcs ua to set rcs property
+set_prop(volte_rcs_ua, vendor_mtk_service_rcs_prop)
+
+# Date : W1929
+# Operation: Volte stack submarine development
+# Purpose: For volte_rcs_ua to be able to talk to rcs_rild
+allow volte_rcs_ua rcs_rild_socket:sock_file { open getattr read write append };
+allow volte_rcs_ua rild:unix_stream_socket { read getattr connectto };
diff --git a/bsp/non_plat/vpud_native.te b/bsp/non_plat/vpud_native.te
new file mode 100644
index 0000000..f71862d
--- /dev/null
+++ b/bsp/non_plat/vpud_native.te
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow vpud_native teei_client_device:chr_file rw_file_perms;
+allow vpud_native mobicore_user_device:chr_file rw_file_perms;
+
+# Date: 2021/04/30
+# Operation : SVP Migration
+# Purpose :allow to access vendor_mtk_sec_video_path_support_prop
+get_prop(vpud_native, vendor_mtk_sec_video_path_support_prop)
diff --git a/bsp/non_plat/vtservice.te b/bsp/non_plat/vtservice.te
new file mode 100644
index 0000000..7170501
--- /dev/null
+++ b/bsp/non_plat/vtservice.te
@@ -0,0 +1,181 @@ +# ============================================== +# Policy File of /system/bin/vtservice Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK15.33 +# Purpose : Add vtservice to support video telephony functionality +# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild +allow vtservice sdcard_type:dir search; +allow vtservice sdcard_type:file { read write open }; +allow vtservice radio_service:service_manager find; +allow vtservice mediaserver_service:service_manager find; +allow vtservice power_service:service_manager find; +allow vtservice batterystats_service:service_manager find; + +# Date : 2015/08/13 +# Purpose : for access ccci device +allow vtservice ccci_device:chr_file { read write open ioctl }; + +# Purpose : VDEC/VENC device node +allow vtservice Vcodec_device:chr_file { read write ioctl open }; + +# Date: 2016/06/27 +# This part is for both 3G VT/ViLTE +# Purpose: add in N migration for access audioflinger etc. +allow vtservice audioserver_service:service_manager find; +allow vtservice mnt_user_file:dir search; +allow vtservice surfaceflinger:binder call; + +# Date: 2016/06/30 +# This part is for both 3G VT/ViLTE +# Purpose: add in N migration for access SDcard etc. +allow vtservice audioserver:binder call; +allow vtservice mnt_user_file:lnk_file read; + +# Date: 2016/07/01 +# This part is for both 3G VT/ViLTE +# Purpose: add in N migration for write SDcard etc. 
+allow vtservice media_rw_data_file:dir create_dir_perms; +allow vtservice media_rw_data_file:file { write create open }; + +# Date: 2016/07/26 +# Purpose: add for cleanup thread's AF_UNIX socket +allow vtservice proc_ged:file r_file_perms; +allowxperm vtservice proc_ged:file ioctl { proc_ged_ioctls }; + +# for debug dump data +allow vtservice storage_file:lnk_file read; +allow vtservice devmap_device:chr_file read; + +allow vtservice devmap_device:chr_file open; +allow vtservice devmap_device:chr_file ioctl; + +# for using surfaceflinger +allow vtservice surfaceflinger_service:service_manager find; + +# for using camera +allow vtservice cameraserver_service:service_manager find; +allow vtservice cameraserver:binder call; +allow vtservice cameraserver:fd use; + +# Change VTS uid to media +allow vtservice mediacodec:binder call; +allow vtservice qtaguid_device:chr_file r_file_perms; +allow vtservice priv_app:binder call; + +# For loopback mode +allow vtservice self:capability net_admin; + +# For vendro GPU +allow vtservice gpu_device:dir search; +allow vtservice dri_device:chr_file { open read write ioctl getattr}; +allow vtservice gpu_device:chr_file rw_file_perms; + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use HAL PQ +hal_client_domain(vtservice, hal_mtk_pq) + +# Date : WK17.23 +# Stage: O Migration, SQC +# Purpose: Allow to use shared memory for HAL PQ +hal_client_domain(vtservice, hal_allocator) + +# 2017/07/ +# HiDL porting +allow vtservice hwservicemanager:binder call; +allow vtservice system_file:dir read; +allow vtservice system_file:dir open; + +# give permission for hal client +allow vtservice mtk_hal_videotelephony_hwservice:hwservice_manager find; + +# Date : 2017/08/14 +# Operation : VT development +# Purpose : Add vtservice to support video telephony functionality +# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild +allow vtservice soc_vt_svc_socket:sock_file write; +allow vtservice 
soc_vt_tcv_socket:sock_file write; +allow vtservice rild_oem_socket:sock_file write; +allow vtservice platform_app:binder call; +allow vtservice system_server:binder call; +allow vtservice sdcard_type:dir write; +allow vtservice sdcard_type:dir add_name; +allow vtservice sdcard_type:dir create; +allow vtservice sdcard_type:file create; +allow vtservice sdcard_type:file getattr; +allow vtservice surfaceflinger:fd use; +allow vtservice tmpfs:lnk_file read; +allow vtservice radio:binder call; + +# for codec acces dev/ion +allow vtservice ion_device:chr_file { open read }; + +# for MA socket rebind +hal_client_domain(vtservice, hal_omx) +allow vtservice mediametrics_service:service_manager find; +allow vtservice mediametrics:binder call; + +allow vtservice self:udp_socket create_socket_perms_no_ioctl; +allow vtservice node:udp_socket node_bind; + +allow vtservice debugfs_ion:dir search; +allow vtservice fwmarkd_socket:sock_file write; +allow vtservice hal_graphics_allocator_default:binder call; +allow vtservice hal_graphics_allocator_default:fd use; +hal_client_domain(vtservice, hal_graphics_allocator); +allow vtservice hal_graphics_mapper_hwservice:hwservice_manager find; +allow vtservice netd:unix_stream_socket connectto; +allow vtservice ion_device:chr_file ioctl; +allow vtservice MTK_SMI_device:chr_file { read write ioctl open }; +allow vtservice mtk_cmdq_device:chr_file r_file_perms; +allow vtservice mtk_mdp_device:chr_file r_file_perms; +allow vtservice mtk_mdp_sync_device:chr_file r_file_perms; +allow vtservice merged_hal_service:fd use; +allow vtservice merged_hal_service:binder call; + +# Date : WK17.43 +# Operation : Migration +# Purpose : DISP access +allow vtservice graphics_device:chr_file { ioctl open read }; +allow vtservice graphics_device:dir search; + +# Date : WK18.10 +# Operation : SQC +# Purpose : Allow perfmgr FPSGO access +allow vtservice proc_perfmgr:dir {read search}; +allow vtservice proc_perfmgr:file r_file_perms; +allowxperm vtservice 
proc_perfmgr:file ioctl { + PERFMGR_FPSGO_QUEUE + PERFMGR_FPSGO_DEQUEUE + PERFMGR_FPSGO_QUEUE_CONNECT + PERFMGR_FPSGO_BQID +}; + +# Date: 2018/07/19 +# Operation: P Migration +get_prop(vtservice, vendor_mtk_vendor_vt_prop) + +# Date: 2018/08/24 +# Operation: add mdp +hal_client_domain(vtservice, hal_mtk_mms) +allow vtservice cameraserver:dir search; +allow vtservice cameraserver:file { getattr open read }; +allow vtservice proc_uptime:file read; + +# Date: 2018/11/07 +# Operation: gen97 +allow vtservice port:udp_socket name_bind; +allow vtservice self:capability net_raw; + +# Date: 2019/08/29 +# Operation: support c2 sw codec +hal_client_domain(vtservice, hal_codec2) + +# Date: 2021/05/29 +# Operation: VT c2 for dmabuf heap +allow vtservice dmabuf_system_heap_device:chr_file r_file_perms; + diff --git a/bsp/non_plat/vtservice_hidl.te b/bsp/non_plat/vtservice_hidl.te new file mode 100644 index 0000000..58daa01 --- /dev/null +++ b/bsp/non_plat/vtservice_hidl.te 
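Review bot: In bsp/non_plat/vtservice.te, `allow vtservice self:capability net_admin;` is justified only by "For loopback mode" and `allow vtservice self:capability net_raw;` only by "Operation: gen97", yet both are granted on every build to a domain that also holds `sdcard_type` write access and binder access to `priv_app` and `platform_app`. If loopback mode is a test feature, the net_admin rule should be wrapped in the `userdebug_or_eng()` macro. The net_raw rule needs a Purpose line naming the socket operation that requires it. The generic `allow vtservice port:udp_socket name_bind;` next to it would be better tied to a dedicated port type if one exists.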
@@ -0,0 +1,46 @@
+# ==============================================
+# Policy File of /vendor/bin/hw/vtservice_hidl Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+type vtservice_hidl_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(vtservice_hidl)
+
+unix_socket_connect(vtservice_hidl, rild_oem, mtkrild)
+allow vtservice_hidl mtkrild:unix_stream_socket connectto;
+
+# Date: 2015/09/22
+# Purpose: for unix domain socket access /dev/socket/volte_vt
+allow vtservice_hidl MTK_SMI_device:chr_file { read write ioctl open };
+allow vtservice_hidl fwmarkd_socket:sock_file write;
+allow vtservice_hidl netd:unix_stream_socket connectto;
+allow vtservice_hidl untrusted_app:binder call;
+
+# For socket path between vt_service and volte_ua
+allow vtservice_hidl self:udp_socket { create bind connect read write setopt getattr getopt shutdown };
+allow vtservice_hidl node:udp_socket { node_bind };
+allow vtservice_hidl volte_imsvt1_socket:sock_file write;
+
+# 2017/07/
+# HiDL porting
+# Permission to use hwbinder functionality for communication:
+# 1. add_hwservice(server_domain, service_name)
+add_hwservice(vtservice_hidl, mtk_hal_videotelephony_hwservice)
+# 2. also permission to access to /dev/hwbinder
+hwbinder_use(vtservice_hidl)
+# 3. For binder transaction. HwBinder IPC from clients into server, and callbacks
+binder_call(vtservice, vtservice_hidl)
+binder_call(vtservice_hidl, vtservice)
+
+get_prop(vtservice_hidl, hwservicemanager_prop)
+
+allow vtservice_hidl debugfs_tracing:file w_file_perms;
+allow vtservice_hidl system_file:dir r_file_perms;
+allow vtservice_hidl rild:unix_stream_socket connectto;
+
+net_domain(vtservice_hidl)
+
+# ViLTE
+allow vtservice_hidl mtkimsmddomain:udp_socket { setopt getattr read write };
diff --git a/bsp/non_plat/wo_epdg_client.te b/bsp/non_plat/wo_epdg_client.te
new file mode 100644
index 0000000..31921b2
--- /dev/null
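Review bot: `allow vtservice_hidl untrusted_app:binder call;` in bsp/non_plat/vtservice_hidl.te sits under the 2015/09/22 comment about unix domain socket access and has no purpose of its own, although it lets a daemon that connects to rild and mtkrild start binder transactions into any untrusted app. The HIDL section already names the intended peer with `binder_call(vtservice_hidl, vtservice)`, so I would drop the untrusted_app rule or give it its own Date/Purpose block naming the callback interface. Separately, `allow vtservice_hidl system_file:dir r_file_perms;` applies a file macro to the dir class; `r_dir_perms` is presumably what was meant.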
+++ b/bsp/non_plat/wo_epdg_client.te 
@@ -0,0 +1,58 @@ +# ============================================== +# Policy File of /vendor/bin/wo_epdg_client Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type wo_epdg_client_exec, exec_type, file_type, vendor_file_type; + +init_daemon_domain(wo_epdg_client) +net_domain(wo_epdg_client) + +domain_auto_trans(wo_epdg_client, wo_starter_exec, wo_ipsec) +domain_auto_trans(wo_epdg_client, wo_charon_exec, wo_ipsec) +domain_auto_trans(wo_epdg_client, wo_stroke_exec, wo_ipsec) +domain_auto_trans(wo_epdg_client, netutils_wrapper_exec, netutils_wrapper) + +# Date: WK14.52 +# Operation : Feature for ePDG +# Purpose : handle tunnel interface +allow wo_epdg_client self:tun_socket { relabelfrom relabelto create }; +allow wo_epdg_client tun_device:chr_file rw_file_perms; +allow wo_epdg_client self:netlink_route_socket { setopt nlmsg_write read bind create nlmsg_read write getattr }; +allow wo_epdg_client self:capability { net_admin net_raw kill setuid setgid sys_module }; + +# Purpose : update ipsec deamon +allow wo_epdg_client wo_ipsec_exec:file rx_file_perms; + +# Purpose : send signal to process (ipsec/charon) +allow wo_epdg_client wo_ipsec:process { signal sigkill signull }; + +# Purpose : set property for debug messages +set_prop(wo_epdg_client, vendor_mtk_persist_epdg_prop) + +# Purpose : Query ePDG IP address +allow wo_epdg_client dnsproxyd_socket:sock_file write; +allow wo_epdg_client netd:unix_stream_socket connectto; +allow wo_epdg_client netd_socket:sock_file write; + +# tear_xfrm_policy +allow wo_epdg_client self:netlink_xfrm_socket { write getattr setopt nlmsg_write read bind create }; + +# Purpose : check tun device is ready +allow wo_epdg_client self:udp_socket { create ioctl }; + +# Purpose : create symbolic link for /dev/tun +allow wo_epdg_client vendor_shell_exec:file rx_file_perms; + +# Purpose: Kill Process +allow wo_epdg_client system_server:process { signal 
signull }; +allow wo_epdg_client kernel:process signal; + +# Purpose: access iptables for mss +allow wo_epdg_client self:rawip_socket { getopt create setopt }; + +allow wo_epdg_client devpts:chr_file rw_file_perms; +allow wo_epdg_client kernel:system module_request; +allowxperm wo_epdg_client self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU SIOCSIFADDR }; diff --git a/bsp/non_plat/wo_ipsec.te b/bsp/non_plat/wo_ipsec.te new file mode 100644 index 0000000..84c2fca --- /dev/null +++ b/bsp/non_plat/wo_ipsec.te 
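Review bot: `allow wo_epdg_client self:capability { net_admin net_raw kill setuid setgid sys_module };` in bsp/non_plat/wo_epdg_client.te is documented only as "handle tunnel interface", which does not account for `sys_module`, `kill`, `setuid` or `setgid`. `sys_module` allows loading and unloading kernel modules directly, and the file already grants `allow wo_epdg_client kernel:system module_request;` for on-demand loading, so the capability looks unnecessary and I would remove it unless a denial shows otherwise. The "Kill Process" rules `allow wo_epdg_client system_server:process { signal signull };` and `allow wo_epdg_client kernel:process signal;` should state which process is signalled and why, since nothing else in this file explains a network daemon signalling system_server.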
@@ -0,0 +1,64 @@ +# ============================================== +# Policy File of /vendor/bin/wo_ipsec Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type wo_ipsec_exec, exec_type, file_type, vendor_file_type; + +net_domain(wo_ipsec) + +domain_auto_trans(wo_ipsec, netutils_wrapper_exec, netutils_wrapper) + +# Purpose : access xfrm +allow wo_ipsec proc_net:file w_file_perms; + +# Purpose : send command to epdg_wod +allow wo_ipsec wo_epdg_ipsec_socket:sock_file write; + +# Purpose : create socket for IKEv2 protocol +allow wo_ipsec node:udp_socket node_bind; +allow wo_ipsec port:tcp_socket name_connect; +allow wo_ipsec port:udp_socket name_bind; + +# Purpose : Query DNS address +allow wo_ipsec netd:unix_stream_socket connectto; +allow wo_ipsec dnsproxyd_socket:sock_file write; + +# Purpose : access socket of wod and property +allow wo_ipsec wo_epdg_client:unix_stream_socket { read write connectto }; + +# Purpose : output to /dev/null +allow wo_ipsec wo_epdg_client:fd use; + +# Purpose : starter invoke charon +allow wo_ipsec wo_charon_exec:file execute_no_trans; + +# Purpose : charon set fwmark +allow wo_ipsec fwmarkd_socket:sock_file write; + +# Purpose : send/receive packet to/from peer +allow wo_ipsec self:tcp_socket { write getattr connect read getopt create }; +allow wo_ipsec self:udp_socket { write bind create read setopt }; + +# Purpose : kernel ip/route operations +allow wo_ipsec self:netlink_route_socket { write nlmsg_write read bind create nlmsg_read }; +allow wo_ipsec self:netlink_xfrm_socket { write bind create read nlmsg_write nlmsg_read }; + +# Purpose : charon read certs +allow wo_ipsec custom_file:dir r_dir_perms; +allow wo_ipsec custom_file:file r_file_perms; + +# Purpose : set alarm for DPD +allow wo_ipsec self:capability2 wake_alarm; + +allow wo_ipsec devpts:chr_file rw_file_perms; + +allow wo_ipsec proc_modules:file r_file_perms; +allow wo_ipsec 
vendor_shell_exec:file rx_file_perms;; +allow wo_ipsec netd_socket:sock_file write; + +allow wo_ipsec vendor_toolbox_exec:file x_file_perms; +allow wo_ipsec kernel:system module_request; + diff --git a/bsp/non_plat/wpa.te b/bsp/non_plat/wpa.te new file mode 100644 index 0000000..7eb304b --- /dev/null +++ b/bsp/non_plat/wpa.te @@ -0,0 +1,9 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +allow wpa mtkimsmddomain:unix_stream_socket connectto; +allow wpa mtkimsmddomain:unix_dgram_socket sendto; +allow wpa init:unix_dgram_socket sendto; +allow wpa mtkimsmddomain:unix_stream_socket connectto; +allow wpa mtkimsmddomain:unix_dgram_socket sendto; diff --git a/bsp/non_plat/zygote.te b/bsp/non_plat/zygote.te new file mode 100644 index 0000000..6e65086 --- /dev/null +++ b/bsp/non_plat/zygote.te @@ -0,0 +1,33 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK19.43 +# Operation : SQC +# Purpose : for untrusted app to use ptrace (e.g. 360Mobile, taobao, com.duowan.kiwi) +dontaudit zygote untrusted_app_all:process ptrace; + +# Date : WK14.43 +# Operation : SQC2 +# Purpose : found in FST Auto Test (ALPS01774709) +allow zygote platform_app:fd use; + +# Date : WK14.46 +# Operation : SQC +# Purpose : found in sanity test (ALPS01825280) +allow zygote servicemanager:binder call; + +# Date : WK14.49 +# Operation : SQC +# Purpose : for isolated_app to use fd (ex: share image by gmail) +allow zygote isolated_app:fd use; + +# Date : WK15.02 +# Operation : SQC +# Purpose : for "theScore Sports & Scores" app to play video(ALPS01897019) +allow zygote untrusted_app:fd use; + +# Date : WK15.08 +# Operation : SQC +# Purpose : for TTLIA +allow zygote radio:fd use; diff --git a/bsp/ota_upgrade/file_contexts b/bsp/ota_upgrade/file_contexts new file mode 100644 index 0000000..417e8c6 --- /dev/null 
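Review bot: The last rules of bsp/non_plat/wo_ipsec.te, `allow wo_ipsec vendor_shell_exec:file rx_file_perms;;` and `allow wo_ipsec vendor_toolbox_exec:file x_file_perms;`, carry no Purpose comment, unlike the rest of the file. They let the daemon described as "send/receive packet to/from peer" run a shell and toolbox inside its own domain. Please document which script needs them, or move that work into a separate domain with `domain_auto_trans`, as the file already does for netutils_wrapper. The doubled `;;` on the vendor_shell_exec line should be a single `;`.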
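Review bot: bsp/non_plat/wpa.te lists `allow wpa mtkimsmddomain:unix_stream_socket connectto;` and `allow wpa mtkimsmddomain:unix_dgram_socket sendto;` twice; the second pair is redundant and can be deleted. None of the rules has a Date/Purpose block, so a line such as `# Purpose : <reason wpa sends datagrams to init>` above `allow wpa init:unix_dgram_socket sendto;` would bring the file in line with the others in this commit.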
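Review bot: The first rule in bsp/non_plat/zygote.te, `dontaudit zygote untrusted_app_all:process ptrace;`, does not match its comment: it grants nothing to untrusted apps and only stops the denial from being logged when zygote is the source. Suppressing that AVC removes a signal that is useful when triaging tampering with app processes, so the comment should say why the denial is expected noise, e.g. `# Purpose : silence expected zygote ptrace denials (no access granted)`. The `fd use` rules below it are each justified by one app or test case but apply to every `untrusted_app` and `isolated_app`, so it is worth re-checking whether they are still needed.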
+++ b/bsp/ota_upgrade/file_contexts
@@ -0,0 +1,10 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+# OTA upgrade from O to P for widevine data migration
+/system/bin/move_widevine_data\.sh u:object_r:move-widevine-data-sh_exec:s0
+
diff --git a/bsp/ota_upgrade/move-widevine-data-sh.te b/bsp/ota_upgrade/move-widevine-data-sh.te
new file mode 100644
index 0000000..2453631
--- /dev/null
+++ b/bsp/ota_upgrade/move-widevine-data-sh.te
@@ -0,0 +1,23 @@
+# ==============================================
+# MTK Attribute declarations
+# ==============================================
+
+type move-widevine-data-sh, domain, coredomain;
+type move-widevine-data-sh_exec, exec_type, file_type, system_file_type;
+typeattribute move-widevine-data-sh data_between_core_and_vendor_violators;
+
+init_daemon_domain(move-widevine-data-sh)
+
+allow move-widevine-data-sh shell_exec:file rx_file_perms;
+allow move-widevine-data-sh toolbox_exec:file rx_file_perms;
+
+allow move-widevine-data-sh file_contexts_file:file { read getattr open };
+
+allow move-widevine-data-sh media_data_file:file { getattr setattr relabelfrom };
+allow move-widevine-data-sh media_data_file:dir { reparent rename rmdir setattr rw_dir_perms relabelfrom };
+
+allow move-widevine-data-sh mediadrm_vendor_data_file:dir { create_dir_perms relabelto };
+
+# for writing files_moved so we only execute the move once
+allow move-widevine-data-sh mediadrm_vendor_data_file:file { create open write getattr relabelto };
+
diff --git a/bsp/plat_private/GoogleOtaBinder.te b/bsp/plat_private/GoogleOtaBinder.te
new file mode 100644
index 0000000..160b457
--- /dev/null
+++ b/bsp/plat_private/GoogleOtaBinder.te
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/GoogleOtaBinder Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type GoogleOtaBinder_exec, system_file_type, exec_type, file_type;
+typeattribute GoogleOtaBinder coredomain;
+
+init_daemon_domain(GoogleOtaBinder)
+
+# Date : 2014/09/10
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(GoogleOtaBinder)
+binder_service(GoogleOtaBinder)
+
+# to get offset
+allow GoogleOtaBinder ota_package_file:dir search;
+allow GoogleOtaBinder ota_package_file:file rw_file_perms;
+allow GoogleOtaBinder mota_proc_file:file rw_file_perms;;
+allow GoogleOtaBinder sysfs_dt_firmware_android:file r_file_perms;;
+
+allow GoogleOtaBinder ota_agent_service:service_manager add;
diff --git a/bsp/plat_private/aal.te b/bsp/plat_private/aal.te
new file mode 100644
index 0000000..222d7f1
--- /dev/null
+++ b/bsp/plat_private/aal.te
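Review bot: In bsp/plat_private/GoogleOtaBinder.te the comment "to get offset" describes a read, but `allow GoogleOtaBinder ota_package_file:file rw_file_perms;` and `allow GoogleOtaBinder mota_proc_file:file rw_file_perms;;` also grant write. This domain registers a binder service (`binder_service(GoogleOtaBinder)`), so write access to OTA package files should be justified explicitly; if only reading is required, use `r_file_perms`. Both `;;` terminators, on the mota_proc_file and sysfs_dt_firmware_android lines, should be a single `;`.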
@@ -0,0 +1,46 @@
+# ==============================================
+# Policy File of /system/bin/aal Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute aal coredomain;
+type aal_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(aal)
+
+# Date : 2014/09/09 (or WK14.37)
+# Operation : Migration
+# Purpose : allow Binder IPC
+binder_use(aal)
+binder_call(aal, binderservicedomain)
+binder_service(aal)
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : All enforing mode
+allow aal graphics_device:chr_file r_file_perms;
+allow aal graphics_device:dir search;
+allow aal aal_service:service_manager add;
+
+# Date : WK15.37
+# Operation : Migration
+# Purpose : Allow permission check
+allow aal permission_service:service_manager { find };
+
+# Date : WK17.26
+# Operation : Migration
+# Purpose : Allow permission to get AmbientLux from SensorManager
+# denied { find } for service=sensorservice pid=441 uid=1000 scontext=u:r:aal:s0
+# tcontext=u:object_r:sensorservice_service:s0 tclass=service_manager
+allow aal sensorservice_service:service_manager { find };
+
+# denied { read write } for path="socket:[25560]" dev="sockfs" ino=25560 scontext=u:r:aal:s0
+# tcontext=u:r:system_server:s0 tclass=unix_stream_socket permissive=0
+allow aal system_server:unix_stream_socket { read write };
+
+# Date : WK18.28
+# Operation : P0 Migration
+# Purpose : Allow permission to set property
+set_prop(aal, system_mtk_aal_prop)
diff --git a/bsp/plat_private/apmsrv_app.te b/bsp/plat_private/apmsrv_app.te
new file mode 100644
index 0000000..734489b
--- /dev/null
+++ b/bsp/plat_private/apmsrv_app.te
@@ -0,0 +1,22 @@
+# ==============================================
+# Policy File of /system/priv-app/ApmService/ApmService.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute apmsrv_app mlstrustedsubject;
+app_domain(apmsrv_app)
+
+# Allow to use HAL APM
+hal_client_domain(apmsrv_app, hal_mtk_apm)
+
+# Allow to start Android service component
+allow apmsrv_app activity_service:service_manager find;
+
+# Used by LocationMessageKpiMonitor to get location info
+allow apmsrv_app location_service:service_manager find;
+
+# Used by NetworkServiceStateKpiMonitor to get Network info
+allow apmsrv_app radio_service:service_manager find;
+allow apmsrv_app registry_service:service_manager find;
diff --git a/bsp/plat_private/atci_service_sys.te b/bsp/plat_private/atci_service_sys.te
new file mode 100644
index 0000000..e7e3dd9
--- /dev/null
+++ b/bsp/plat_private/atci_service_sys.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/atci_service_sys Executable File
+# ==============================================
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type atci_service_sys_exec, system_file_type, exec_type, file_type;
+typeattribute atci_service_sys coredomain;
+
+init_daemon_domain(atci_service_sys)
diff --git a/bsp/plat_private/audioserver.te b/bsp/plat_private/audioserver.te
new file mode 100644
index 0000000..0ad8a22
--- /dev/null
+++ b/bsp/plat_private/audioserver.te
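Review bot: `typeattribute apmsrv_app mlstrustedsubject;` in bsp/plat_private/apmsrv_app.te has no comment, and the same attribute is given to em_app in bsp/plat_private/em_app.te. The attribute exempts the domain from the MLS constraints that keep app data separated by level and category, which matters for an app that can look up `location_service` and `radio_service`. Please add a Purpose line stating which cross-level access requires it, or drop the attribute if the app works without it.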
@@ -0,0 +1,11 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK16.40
+# Operation : Migration
+# Purpose : perf service for cpu control and rt thread
+allow audioserver mtk_perf_service:service_manager find;
+
+allow audioserver debuglog_data_file:dir { relabelto create_dir_perms };
+allow audioserver debuglog_data_file:file create_file_perms;
diff --git a/bsp/plat_private/batterywarning.te b/bsp/plat_private/batterywarning.te
new file mode 100644
index 0000000..36e0904
--- /dev/null
+++ b/bsp/plat_private/batterywarning.te
@@ -0,0 +1,36 @@
+# ==============================================
+# Policy File of /system/bin/batterywarning Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type batterywarning_exec, system_file_type, exec_type, file_type;
+typeattribute batterywarning coredomain;
+
+init_daemon_domain(batterywarning)
+
+# Date : 2014/10/15
+# Operation : Migration
+# Purpose : all Binder IPC for battery warning to call IActivityManager to send broadcast
+binder_use(batterywarning)
+
+# Date : 2014/10/16
+# Operation : Migration
+# Purpose : allow battery warning use AMS to send broadcast through binder call
+binder_call(batterywarning, system_server)
+
+# Date : 2015/07/27
+# Operation : Migration
+# Purpose : allow battery warning check AMS service status
+allow batterywarning activity_service:service_manager find;
+
+# Date : 2017/07/03
+# Operation : Migration
+# Purpose : allow battery warning read file
+allow batterywarning sysfs_battery_warning:file r_file_perms;
+
+# Date : 2019/07/31
+# Operation : Migration
+# Purpose : allow battery warning open socket connection
+allow batterywarning self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
diff --git a/bsp/plat_private/bluetooth.te b/bsp/plat_private/bluetooth.te
new file mode 100644
index 0000000..b7633e5
--- /dev/null
+++ b/bsp/plat_private/bluetooth.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2018/5/4
+# Operation : Migration
+# Purpose: Allow bluetooth to get/set system_mtk_bluetooth_prop
+set_prop(bluetooth, system_mtk_bluetooth_prop)
diff --git a/bsp/plat_private/bootanim.te b/bsp/plat_private/bootanim.te
new file mode 100644
index 0000000..75fba67
--- /dev/null
+++ b/bsp/plat_private/bootanim.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+#Date : W1728
+allow bootanim resourcecache_data_file:file r_file_perms;
diff --git a/bsp/plat_private/camerapostalgo.te b/bsp/plat_private/camerapostalgo.te
new file mode 100644
index 0000000..47033a3
--- /dev/null
+++ b/bsp/plat_private/camerapostalgo.te
@@ -0,0 +1,35 @@
+# ==============================================
+# Policy File of /system/bin/camerapostalgo Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type camerapostalgo_exec, system_file_type, exec_type, file_type;
+typeattribute camerapostalgo coredomain;
+init_daemon_domain(camerapostalgo)
+
+allow camerapostalgo camerapostalgo_service:service_manager { add find };
+
+allow camerapostalgo gpu_device:dir search;
+allow camerapostalgo gpu_device:chr_file rw_file_perms;
+
+allow camerapostalgo ion_device:chr_file r_file_perms;
+
+allow camerapostalgo sdcardfs:dir search;
+allow camerapostalgo sdcardfs:file r_file_perms;
+allow camerapostalgo mnt_user_file:dir search;
+allow camerapostalgo mnt_user_file:lnk_file r_file_perms;
+
+allow camerapostalgo storage_file:lnk_file r_file_perms;
+allow camerapostalgo media_rw_data_file:dir rw_dir_perms;
+allow camerapostalgo media_rw_data_file:file rw_file_perms;
+
+# ipc call
+binder_use(camerapostalgo)
+binder_service(camerapostalgo)
+
+binder_call(camerapostalgo, platform_app)
+binder_call(camerapostalgo, surfaceflinger)
+
+get_prop(camerapostalgo, system_mtk_debug_bq_dump_prop)
diff --git a/bsp/plat_private/cameraserver.te b/bsp/plat_private/cameraserver.te
new file mode 100644
index 0000000..22294fa
--- /dev/null
+++ b/bsp/plat_private/cameraserver.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : for control CPU during camera working flow
+allow cameraserver mtk_perf_service:service_manager find;
+
+# Date : WK16.30
+# Operation : Migration
+set_prop(cameraserver, debug_prop)
+set_prop(cameraserver, system_prop)
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : allow camera to access log too much detect property
+set_prop(cameraserver, system_mtk_logmuch_prop)
diff --git a/bsp/plat_private/capability_app.te b/bsp/plat_private/capability_app.te
new file mode 100644
index 0000000..43b2adc
--- /dev/null
+++ b/bsp/plat_private/capability_app.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/priv-app/CapabilityTest/CapabilityTest.apk Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute capability_app mlstrustedobject;
+app_domain(capability_app)
+
+allow capability_app activity_service:service_manager find;
+allow capability_app activity_task_service:service_manager find;
+allow capability_app gpu_service:service_manager find;
+allow capability_app surfaceflinger_service:service_manager find;
+allow capability_app autofill_service:service_manager find;
+allow capability_app textservices_service:service_manager find;
+allow capability_app audio_service:service_manager find;
+binder_call(capability_app, gpuservice)
+
+hal_client_domain(capability_app, hal_power)
diff --git a/bsp/plat_private/dnsmasq.te b/bsp/plat_private/dnsmasq.te
new file mode 100644
index 0000000..b1bd4e4
--- /dev/null
+++ b/bsp/plat_private/dnsmasq.te
@@ -0,0 +1,5 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow dnsmasq netd:file r_file_perms;
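Review bot: `set_prop(cameraserver, debug_prop)` and `set_prop(cameraserver, system_prop)` in bsp/plat_private/cameraserver.te are listed under "WK16.30 / Migration" with no Purpose line, and they let cameraserver set every property labelled with those two generic types. If only a few keys are written, I would give them a dedicated property type and grant that instead, the way `system_mtk_logmuch_prop` is handled in the next block of the same file.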
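Review bot: bsp/plat_private/capability_app.te uses `typeattribute capability_app mlstrustedobject;` where the sibling app policies in this commit (apmsrv_app, em_app) use `mlstrustedsubject`. On a domain type the object attribute exempts the process as a target of MLS checks rather than as an actor, which is probably not what was intended; please confirm which attribute is meant and add a comment saying why. The header names the package CapabilityTest.apk, so if this is a test app the whole domain could be limited to userdebug/eng builds.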
diff --git a/bsp/plat_private/domain.te b/bsp/plat_private/domain.te
new file mode 100644
index 0000000..db713aa
--- /dev/null
+++ b/bsp/plat_private/domain.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : W17.47
+# Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose
+neverallow {
+ coredomain
+ -init
+ -logd
+ -cameraserver
+ -system_server
+ -em_app
+ -platform_app
+ } system_mtk_logmuch_prop:property_service set;
diff --git a/bsp/plat_private/drmserver.te b/bsp/plat_private/drmserver.te
new file mode 100644
index 0000000..084ea05
--- /dev/null
+++ b/bsp/plat_private/drmserver.te
@@ -0,0 +1,15 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Add by : Jackie
+# Date : WK15.34
+# Operation : Migration
+# Purpose : Allow drmserver to access some system_server opreration on M
+# and allow drmserver access file stored in sdcard
+allow drmserver nvram_agent_service:service_manager find;
+
+# Date : WK19.24
+# To let DRM server load ctaplugin based on property
+get_prop(drmserver, system_mtk_cta_set_prop)
+allow drmserver mediaprovider_app:dir search;
diff --git a/bsp/plat_private/em_app.te b/bsp/plat_private/em_app.te
new file mode 100644
index 0000000..2efe820
--- /dev/null
+++ b/bsp/plat_private/em_app.te
@@ -0,0 +1,264 @@ +# ============================================== +# Policy File of /system/priv-app/EngineerMode/EngineerMode.apk Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== + +typeattribute em_app mlstrustedsubject; +app_domain(em_app) + +# Common +allow em_app activity_service:service_manager find; +allow em_app activity_task_service:service_manager find; +allow em_app gpu_service:service_manager find; +allow em_app surfaceflinger_service:service_manager find; +allow em_app autofill_service:service_manager find; +allow em_app textservices_service:service_manager find; + +# Sub menu start +allow em_app audio_service:service_manager find; + +# Allow to use HAL em +hal_client_domain(em_app, hal_mtk_em) + +# Allow for BT # Main activity start +allow em_app bluetooth_manager_service:service_manager find; + +# Allow for GPS manager usage +allow em_app location_service:service_manager find; + +# Allow for Wifi manager usage +allow em_app wifi_service:service_manager find; + +# For Wifi +allow em_app self:udp_socket { create ioctl }; +allowxperm em_app self:udp_socket ioctl { SIOCIWFIRSTPRIV_0B SIOCIWFIRSTPRIV_0F SIOCSIWMODE SIOCIWFIRSTPRIV_01 SIOCIWFIRSTPRIV_09 SIOCDEVPRIVATE_2 }; + +#For clk tool and gnssat tool to access camera manager +allow em_app cameraserver_service:service_manager find; + +# For debug utils +allow em_app crash_dump:unix_stream_socket connectto; + +# For simulate input action +allow em_app input_service:service_manager find; + +# For get keyguard +allow em_app trust_service:service_manager find; + +# For connect to em_svr +allow em_app em_svr:unix_stream_socket connectto; + +#For usb acm +set_prop(em_app, system_mtk_atci_sys_prop) + +#For atci +set_prop(em_app, system_mtk_ctl_atcid_daemon_u_prop) +set_prop(em_app, ctl_start_prop) +set_prop(em_app, ctl_stop_prop) + +#For voice application +allow em_app audioserver_service:service_manager find; + 
+#For mnld connect +allow em_app self:tcp_socket create_socket_perms_no_ioctl; + +#For tel log settings +set_prop(em_app, log_tag_prop) + +#For mnld connection +allow em_app fwmarkd_socket:sock_file write; +allow em_app port:tcp_socket name_connect; +allow em_app netd:unix_stream_socket connectto; + +#For telecom service +#allow EM app to change vibration behavior by property. +set_prop(em_app, system_mtk_telecom_vibrate_prop) + +#For wfd iot property settings +set_prop(em_app, system_mtk_media_wfd_prop) + +#For setting md power off property +set_prop(em_app, system_mtk_power_off_md_prop) + +#For video log +set_prop(em_app, system_mtk_logmuch_prop) + +#For tel log +set_prop(em_app, system_mtk_em_tel_log_prop) + +# For background_data_select +set_prop(em_app, system_mtk_bgdata_disabled_prop) + +# For uce service +get_prop(em_app, system_mtk_uce_support_prop) + +allow em_app radio_service:service_manager find; + +# Date: 2020/03/25 +# For power pmu register +allow em_app sysfs_pmu:dir search; + +# Date: 2020/03/25 +# For usb test +allow em_app sysfs_usb_plat:dir search; +allow em_app sysfs_usb_plat:file r_file_perms; + +# Date: 2020/03/25 +# Purpose: Allow EM USB/UART switch +allow em_app sysfs_android0_usb:dir search; +allow em_app sysfs_android0_usb:file r_file_perms; +allow em_app sysfs_android_usb:dir search; +allow em_app sysfs_android_usb:file r_file_perms; + +# Date : 2020/03/25 +#For usb test +set_prop(em_app, usb_prop) + +# Date: 2020/03/25 +# For PMU reading +allow em_app sysfs_pmu:dir search; +allow em_app sysfs_pmu:file r_file_perms; +allow em_app sysfs_pmu:lnk_file r_file_perms; + +# Date: 2020/03/25 +# Purpose: EM battery temprature setting +allow em_app sysfs_batteryinfo:dir search; + +# Date: 2020/03/25 +# For power battery info +allow em_app sysfs_vbus:file r_file_perms; + +# Date: 2020/03/25 +# Purpose: EM power ChargeBattery +allow em_app sysfs_battery_consumption:file r_file_perms; +allow em_app sysfs_power_on_vol:file r_file_perms; +allow em_app 
sysfs_power_off_vol:file r_file_perms; +allow em_app sysfs_fg_disable:file r_file_perms; +allow em_app sysfs_dis_nafg:file r_file_perms; + +# Date: 2020/03/25 +# Purpose:For wakelock get power manager service +allow em_app thermal_service:service_manager find; + +# Date : 2020/03/25 +# Purpose: Allow EM detect Audio headset status +allow em_app sysfs_headset:file r_file_perms; + +# Operation: Support GWSD +allow em_app mtk_gwsd_service:service_manager find; +allow em_app tethering_service:service_manager find; + +# For supplementary service's CFU to get IccCard type through MtkTelephonyManagerEx +allow em_app mtk_radio_service:service_manager find; + +# For background_data_select +hal_client_domain(em_app, mtk_hal_netdagent) + +# Date : 2020/04/13 +# Purpose: Allow EM get/set CT Register system property +set_prop(em_app, system_mtk_selfreg_prop) + +# Date : 2020/04/14 +# Purpose: Allow EM get/set USB tethering system property for auto test +set_prop(em_app, system_mtk_usb_tethering_prop) + +# Date: 2020/04/20 +# Purpose: Allow EM write MD log filter config file in /data +allow em_app debuglog_data_file:dir r_dir_perms; +allow em_app debuglog_data_file:file rw_file_perms; + +# Date: 2020/04/20 +# Purpose: Allow EM access mediaserver +allow em_app media_session_service:service_manager find; +allow em_app mediaserver_service:service_manager find; + +# Date : 2020/04/28 +# Purpose : STMicro NFC integration for Engineering mode +allow em_app nfc_service:service_manager find; + +# Date : 2020/04/30 +# Purpose: EmRadioHidlAosp get AospRadioProxy +hal_client_domain(em_app, hal_telephony) + +# Date : 2020/04/30 +# Purpose: getSystemService(TELEPHONY_SERVICE) +allow em_app registry_service:service_manager find; +binder_call(em_app, gpuservice) + +# Date : 2020/04/30 +# Purpose: telephony->npt, ccm hopping get serial +get_prop(em_app, radio_prop) + +# Date : 2020/04/30 +# Purpose: FeatureSupport ro.build.type, ro.board.platform +get_prop(em_app, exported_default_prop) + +# 
Date: 2020/04/30 +#Purpose: telephony ->WifiCalling.EntitlementConfigActivity +set_prop(em_app, system_mtk_wfc_entitlement_prop) + +# Date: 2020/04/30 +#Purpose: telephony ->networkinfotc1.MDMCoreOperation +set_prop(em_app, config_prop) + +# Date: 2020/04/30 +# For uce related access +set_prop(em_app, system_mtk_uce_support_prop) +allow em_app uce_service:service_manager find; + +# Date: 2020/05/08 +# For OTA airplane mode +get_prop(em_app,system_mtk_init_svc_md_monitor_prop) +hal_client_domain(em_app, md_monitor_hal) + +# Date: 2020/05/15 +# Purpose: Fix the exception for long pressing operation +allow em_app clipboard_service:service_manager find; + +# Date: 2020/06/03 +# Operation: DEBUG +# Purpose: Allow EM search usb_rawbulk +allow em_app sys_usb_rawbulk:dir r_dir_perms; +allow em_app usb_service:service_manager find; + +# Date : 2020/06/03 +# Operation : DEBUG +# Purpose : Allow to use system_mtk_gprs_attach_type_prop +set_prop(em_app, system_mtk_gprs_attach_type_prop) + +# Date: 2020/06/30 +allow em_app mtk_vodata_service:service_manager find; + +# Date: 2020/07/29 +# Purpose: Allow EM using search service for monkey bug fix +allow em_app search_service:service_manager find; + +# Date: 2020/08/14 +# Purpose: Allow EM using uimode service for monkey bug fix +allow em_app uimode_service:service_manager find; + +# Date : 2020/11/03 +# Operation : DEBUG +# Purpose : Allow EM to set system_mtk_common_data_prop +set_prop(em_app, system_mtk_common_data_prop) + +# Date : 2021/01/07 +# Purpose : Allow EM to read ro.vendor.mtk_gwsd_support +get_prop(em_app, system_mtk_gwsd_prop) + +# Date: 2021/01/27 +# Purpose: Allow EM to read/set sys.usb.config +set_prop(em_app, usb_control_prop) + +# Purpose: Allow EM to ro.build.type +get_prop(em_app, build_prop) + +# Purpose: Allow EM to ro.vendor.vodata_support +get_prop(em_app, system_mtk_vodata_prop) + +# Date: 2021/04/27 +# Purpose: Allow EM to access shared preference data +allow em_app em_app_data_file:dir 
create_dir_perms; +allow em_app em_app_data_file:file create_file_perms; diff --git a/bsp/plat_private/em_svr.te b/bsp/plat_private/em_svr.te new file mode 100644 index 0000000..f09d7a4 --- /dev/null +++ b/bsp/plat_private/em_svr.te 
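Review bot: The `#For atci` block in em_app.te grants `set_prop(em_app, ctl_start_prop)` and `set_prop(em_app, ctl_stop_prop)`, which are the generic service-control types, although the line just above already uses a dedicated type (`system_mtk_ctl_atcid_daemon_u_prop`) for the one daemon the comment mentions. The same pattern of generic grants recurs with `set_prop(em_app, config_prop)`, `set_prop(em_app, usb_control_prop)` and `allow em_app port:tcp_socket name_connect;`, and the domain is also `mlstrustedsubject`, so this app ends up as one of the most privileged callers in the policy. I would drop the two generic ctl grants in favour of the dedicated type, and confirm whether EngineerMode ships on user builds; if it does not, the debug-only rules belong inside `userdebug_or_eng(...)`. Minor: `allow em_app sysfs_pmu:dir search;` appears twice (under "For power pmu register" and "For PMU reading"). This hunk runs from the `@@ -0,0 +1,264 @@` header several lines earlier.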
@@ -0,0 +1,61 @@
+# ==============================================
+# Policy File of /system/bin/em_svr Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: WK1823
+# Purpose: Rsc switch
+allow em_svr sysfs_dt_firmware_android:dir r_dir_perms;
+allow em_svr sysfs_dt_firmware_android:file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose : EM Power PMU reading/setting
+allow em_svr sysfs_pmu:dir search;
+allow em_svr sysfs_pmu:file rw_file_perms;
+allow em_svr sysfs_pmu:lnk_file r_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM battery temprature setting
+allow em_svr sysfs_batteryinfo:dir search;
+allow em_svr sysfs_battery_temp:file w_file_perms;
+
+# Date: 2020/03/25
+# Purpose: EM power ChargeBattery
+allow em_svr sysfs_battery_consumption:file r_file_perms;
+allow em_svr sysfs_power_on_vol:file r_file_perms;
+allow em_svr sysfs_power_off_vol:file r_file_perms;
+allow em_svr sysfs_fg_disable:file rw_file_perms;
+allow em_svr sysfs_dis_nafg:file rw_file_perms;
+
+# Date: 2020/03/25
+# Purpose : EM flash reading
+allow em_svr proc_flash:file r_file_perms;
+allow em_svr proc_partition:file r_file_perms;
+
+# Date: WK2013
+# Purpose: add for power battery charge/PMU
+allow em_svr toolbox_exec:file rx_file_perms;
+
+# Date: WK1812
+# Purpose: add for battery log
+allow em_svr proc_battery_cmd:dir search;
+allow em_svr proc_battery_cmd:file create_file_perms;
+
+# Date: WK2016
+# Purpose: add seolicy for em_svr write phone storage
+allow em_svr mnt_user_file:dir search;
+allow em_svr fuse:file create_file_perms;
+allow em_svr fuse:dir w_dir_perms;
+
+# Date: 2020/06/03
+# Operation: Telephony->Bypass
+# Purpose: Allow EM read usb_rawbulk
+allow em_svr sys_usb_rawbulk:dir r_dir_perms;
+allow em_svr sys_usb_rawbulk:file r_file_perms;
+
+# Date 2021/04/26
+# Purpose: Rsc usage
+allow em_svr gsi_metadata_file:dir search;
+allow em_svr metadata_file:dir search;
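Review bot: `allow em_svr toolbox_exec:file rx_file_perms;` under WK2013 lets em_svr run toolbox commands inside its own domain, which also holds write access to `sysfs_pmu`, `sysfs_battery_temp` and shared storage (`fuse:file create_file_perms`). Since em_app.te in this patch allows `em_app em_svr:unix_stream_socket connectto`, em_svr acts as a privileged helper for requests coming from the app, and the comment "add for power battery charge/PMU" does not say which command is run or where its arguments come from. Please document that, e.g. `# Purpose: em_svr runs <command> via toolbox with fixed arguments for <feature>`, and confirm that nothing received over the socket reaches the command line unvalidated. The daemon's type and init_daemon_domain declarations are not in this hunk, so they are presumably defined in another file.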
diff --git a/bsp/plat_private/file.te b/bsp/plat_private/file.te
new file mode 100644
index 0000000..38ce294
--- /dev/null
+++ b/bsp/plat_private/file.te
@@ -0,0 +1,82 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== +########################## +# Filesystem types +# +########################## +# Proc Filesystem types +# +# MOTA permission +# Purpose: Allow GoogleOtaBinder to access proc +# path="/proc/cmdline" +type mota_proc_file, fs_type, proc_type; + +# Purpose : Camera need read cl_cam_status +# Package: com.mediatek.camera +type proc_cl_cam_status, fs_type, proc_type; + +# Date : 2020/03/25 +# Operation: R migration +# Purpose: mtk EM battery settings +type proc_battery_cmd, fs_type, proc_type; + +# Date : 2020/03/25 +# Operation: R migration +# Purpose : mtk EM flash reading +type proc_flash, fs_type, proc_type; +type proc_partition, fs_type, proc_type; + +########################## +# Sys Filesystem types +# +# define new type +# path = "/sys/devices/platform/(charger|mt-battery)/BatteryNotify" +type sysfs_battery_warning, fs_type, sysfs_type; + +# define new type for sn process +# path = "/sys/class/android_usb/android0/iSerial" +# path = "/sys/devices/platform/mt_usb/cmode" +# path = "/sys/class/udc/musb-hdrc/device/cmode" +type sysfs_android0_usb, fs_type, sysfs_type; +type sysfs_usb_plat, fs_type, sysfs_type; + +# Date : 2020/03/25 +# Operation: R migration +# Purpose: mtk EM battery settings +type sysfs_battery_temp, fs_type, sysfs_type; +type sysfs_battery_consumption, fs_type, sysfs_type; +type sysfs_power_on_vol, fs_type, sysfs_type; +type sysfs_power_off_vol, fs_type, sysfs_type; +type sysfs_fg_disable, fs_type, sysfs_type; +type sysfs_dis_nafg, fs_type, sysfs_type; + +# Date : 2020/06/01 +# Operation: R migration +# Purpose : Add permission for acess /sys/devices/platform/mhl@0/extcon/HDMI_audio_extcon/state. 
+type sysfs_HDMI_audio_extcon_state, fs_type, sysfs_type; + +# Date : 2018/11/01 -> 2020/06/23 +# Operation: R migration +# Purpose : mtk EM c2k bypass read usb file +type sys_usb_rawbulk, fs_type, sysfs_type; + +# wifi throttle +type sysfs_thermald, fs_type, sysfs_type; + +########################## +# Debug Filesystem types +# + +########################## +# File types +# Core domain data file types +# +# ATCI data file +type atci_data_file, file_type, data_file_type, core_data_file_type; + +########################## +# EngineerMode app data file types +# +# for engineermode to access own app files +type em_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type; diff --git a/bsp/plat_private/file_contexts b/bsp/plat_private/file_contexts new file mode 100644 index 0000000..55a052e --- /dev/null +++ b/bsp/plat_private/file_contexts 
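Review bot: `type proc_flash` and `type mota_proc_file` are declared in file.te, but the genfs_contexts hunk of this same patch labels only `/driver/cl_cam_status`, `/mtk_battery_cmd` and `/partitions` under proc. Unless another policy directory supplies the labels, no file ever carries these types, and `allow em_svr proc_flash:file r_file_perms;` in em_svr.te matches nothing, which usually ends with someone widening access to generic `proc` later. The `mota_proc_file` comment also names `/proc/cmdline`, while kpoc_charger.te in this patch reads that path through `proc_cmdline`, so the two would conflict if the label were ever added. Suggest adding the missing `genfscon proc` entry for the flash node and either removing `mota_proc_file` or correcting its path comment. This hunk starts at the `@@ -0,0 +1,82 @@` header on the previous line.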
@@ -0,0 +1,62 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+##########################
+# System files
+#
+# MTK Adv Camera Server
+/system/bin/mtk_advcamserver u:object_r:mtk_advcamserver_exec:s0
+
+/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
+
+# MTK Thermald
+/system/bin/thermald u:object_r:thermald_exec:s0
+
+# MTK VTService
+/system/bin/vtservice u:object_r:vtservice_exec:s0
+
+# MTK ATCI
+/system/bin/atci_service_sys u:object_r:atci_service_sys_exec:s0
+
+# MTK Postalgo
+/system/bin/camerapostalgo u:object_r:camerapostalgo_exec:s0
+
+# MTK AAL
+/system/bin/aal u:object_r:aal_exec:s0
+
+# MTK Carrier express
+/system/bin/usp_service u:object_r:usp_service_exec:s0
+/system/bin/batterywarning u:object_r:batterywarning_exec:s0
+/system/bin/mmp u:object_r:mmp_exec:s0
+/system/bin/GoogleOtaBinder u:object_r:GoogleOtaBinder_exec:s0
+
+# MTK MET
+/system/bin/met_log_d u:object_r:met_log_d_exec:s0
+
+# MTK TerService
+/system/bin/terservice u:object_r:terservice_exec:s0
+
+# MTK MAPI (Modem Diagnostic Public Interface)
+/system/bin/mdi_redirector u:object_r:mdi_redirector_exec:s0
+
+# MTK MDMI test tool (Modem Diagnostic Monitoring Interface)
+/system/bin/mdmi_redirector u:object_r:mdmi_redirector_exec:s0
+
+# resize userdata's filesystem size
+/system/bin/resize.f2fs u:object_r:resize_exec:s0
+
+# VSIM 3.0
+/system/bin/osi u:object_r:osi_exec:s0
+
+##########################
+# Devices
+#
+# MTK touchll hal
+/dev/tll u:object_r:tll_device:s0
+
+##########################
+# Others
+#
+/eng u:object_r:rootfs:s0
+
diff --git a/bsp/plat_private/genfs_contexts b/bsp/plat_private/genfs_contexts
new file mode 100644
index 0000000..7822915
--- /dev/null
+++ b/bsp/plat_private/genfs_contexts
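Review bot: The entry `/system/bin/resize.f2fs` leaves the dot unescaped, and file_contexts paths are regular expressions, so the pattern matches any single character in that position rather than only the literal file name. The entry labels an executable that init is allowed to use (`allow init resize_exec:lnk_file r_file_perms;` in init.te), so the match should be exact: `/system/bin/resize\.f2fs u:object_r:resize_exec:s0`. Many of the `*_exec` types referenced here are not declared in the file.te hunk of this patch, so they are presumably defined in the per-domain policy files.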
@@ -0,0 +1,174 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== +########################## +# proc files +# +# Purpose : Camera need read cl_cam_status +# Package: com.mediatek.camera +genfscon proc /driver/cl_cam_status u:object_r:proc_cl_cam_status:s0 + +# Date : 2020/03/25 +# Operation: R migration +# Purpose: mtk EM battery log +genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0 + +# Date : 2020/03/25 +# Operation: R migration +# mtk EM flash reading +genfscon proc /partitions u:object_r:proc_partition:s0 + +########################## +# sysfs files +# +# label for SN process +genfscon sysfs /class/android_usb/android0 u:object_r:sysfs_android0_usb:s0 + +genfscon sysfs /devices/platform/mt_usb/cmode u:object_r:sysfs_usb_plat:s0 +genfscon sysfs /class/udc/musb-hdrc/device/comde u:object_r:sysfs_usb_plat:s0 + +# Date : 2020/03/25 +# Operation: R migration +# Purpose: for engineermode Usb PHY Tuning +genfscon sysfs /devices/platform/soc/usb-phy0 u:object_r:sysfs_usb_plat:s0 + +# Purpose: Allow EM USB/UART switch +genfscon sysfs /devices/platform/mt_usb/portmode u:object_r:sysfs_usb_plat:s0 +genfscon sysfs /devices/platform/musb-mtu3d/musb-hdrc/portmode u:object_r:sysfs_usb_plat:s0 +genfscon sysfs /bus/platform/devices/musb-hdrc/portmode u:object_r:sysfs_usb_plat:s0 +genfscon sysfs /class/udc/musb-hdrc/device/portmode u:object_r:sysfs_usb_plat:s0 +genfscon sysfs /devices/platform/11201000.mtu3_0/portmode u:object_r:sysfs_usb_plat:s0 + +# for wifi throttle +genfscon sysfs /devices/platform/CONNAC/net/wlan0/operstate u:object_r:sysfs_thermald:s0 +genfscon sysfs /devices/virtual/net/ap0/operstate u:object_r:sysfs_thermald:s0 +genfscon sysfs /devices/virtual/net/p2p0/operstate u:object_r:sysfs_thermald:s0 + +# label for battery warning +genfscon sysfs /devices/platform/charger/BatteryNotify u:object_r:sysfs_battery_warning:s0 +genfscon sysfs 
/devices/platform/mt-battery/BatteryNotify u:object_r:sysfs_battery_warning:s0 + +# Date : 2020/03/25 +# Operation: R migration +# Purpose: mtk EM battery temprature settings +genfscon sysfs /devices/platform/battery/Battery_Temperature u:object_r:sysfs_battery_temp:s0 + +# Date: 2020/03/25 +# Operation: R migration +# Purpose: EM power ChargeBattery +genfscon sysfs /devices/platform/battery/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/battery/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/battery/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/battery/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# 6762/6765/6789 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6357-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# 6779 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 
+genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/soc/1000d000.pwrap/1000d000.pwrap:main_pmic/mt6359-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# 6873/6893 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt6359p-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# Date: 2021/08/16 +# Purpose: 6983 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs 
/devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/11e01000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# Purpose:6879 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/11ed1000.i2c/i2c-5/5-0034/11ed1000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# Date: 2021/10/19 +# Purpose: 6895 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs 
/devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/11280000.i2c:mt6375@34:mtk_gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# Date: 2021/12/25 +# Purpose: 6855 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/11b20000.i2c:mt6375@34:mtk_gauge/power_supply/disable_nafg u:object_r:sysfs_dis_nafg:s0 +# Purpose:6789 mt6366 em/battery +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/FG_daemon_disable 
u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt6358-gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 + +genfscon sysfs /dev/gauge/Battery_Temperature u:object_r:sysfs_battery_temp:s0 +genfscon sysfs /dev/gauge/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0 +genfscon sysfs /dev/gauge/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0 +genfscon sysfs /dev/gauge/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0 +genfscon sysfs /dev/gauge/FG_daemon_disable u:object_r:sysfs_fg_disable:s0 +genfscon sysfs /dev/gauge/disable_nafg u:object_r:sysfs_dis_nafg:s0 + +# Date : 2020/03/25 +# Operation: R migration +# mtk EM pmic & pmu register +genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10026000.pwrap/10026000.pwrap:mt6359p/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/1c015000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/1c804000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/mt6333-user u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/mt6311-user u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-03/10027000.spmi:mt6315@3:mt6315_3_regulator/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-06/10027000.spmi:mt6315@6:mt6315_6_regulator/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs 
/devices/platform/10027000.spmi/spmi-0/0-07/10027000.spmi:mt6315@7:mt6315_7_regulator/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-03/10027000.spmi:mt6315@3:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-06/10027000.spmi:mt6315@6:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/10027000.spmi/spmi-0/0-07/10027000.spmi:mt6315@7:extbuck_debug/extbuck_access u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/soc/11cb1000.i2c/i2c-9/9-0034/extdev_io/MT6375.9-0034 u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/11e01000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0018/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/soc/11280000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0 +# Purpose: 6855 +genfscon sysfs /devices/platform/soc/1c804000.spmi/spmi-0/0-04/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/11b20000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0 +# 6789 mt6375 em/pmic +genfscon sysfs /devices/platform/soc/10026000.pwrap/10026000.pwrap:mt6366/mt-pmic u:object_r:sysfs_pmu:s0 +genfscon sysfs /devices/platform/soc/11017000.i2c/i2c-5/5-0034/extdev_io/MT6375.5-0034 u:object_r:sysfs_pmu:s0 + +# Date : 2020/06/01 +# Operation: R migration +# Purpose : Add permission for acess /sys/devices/platform/mhl@0/extcon/HDMI_audio_extcon/state. 
+genfscon sysfs /devices/platform/mhl@0/extcon/HDMI_audio_extcon/state u:object_r:sysfs_HDMI_audio_extcon_state:s0 + +# Date : 2018/11/01 -> 2020/06/23 +# Operation: R migration +# Purpose : mtk EM c2k bypass read usb file +genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0 + +# Date : 2020/12/16 +# Operation: R migration +# Purpose: mtk meta wifi daemon access pmu register +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:main_pmic/mt-pmic u:object_r:sysfs_pmu:s0 diff --git a/bsp/plat_private/init.te b/bsp/plat_private/init.te new file mode 100644 index 0000000..b5e6522 --- /dev/null +++ b/bsp/plat_private/init.te @@ -0,0 +1,10 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +set_prop(init, system_mtk_cta_set_prop) +set_prop(init, system_mtk_rsc_sys_prop) + +# Date: W20.10 +# Purpose: resize filesystem(userdata) needs read link file +allow init resize_exec:lnk_file r_file_perms; diff --git a/bsp/plat_private/kpoc_charger.te b/bsp/plat_private/kpoc_charger.te new file mode 100644 index 0000000..86446b9 --- /dev/null +++ b/bsp/plat_private/kpoc_charger.te 
@@ -0,0 +1,74 @@ +# ============================================== +# Policy File of /system/bin/kpoc_charger Executable File + +# ============================================== +# Common SEPolicy Rule +# ============================================== +type kpoc_charger_exec, system_file_type, exec_type, file_type; +typeattribute kpoc_charger coredomain; + +# Date : WK15.32 +# Operation : Migration +# Purpose : Start kpoc_charger +init_daemon_domain(kpoc_charger) + +# Use light HAL +hal_client_domain(kpoc_charger, hal_light) + +# Use health HAL +hal_client_domain(kpoc_charger, hal_health) + +# Date : WK15.32 +# Operation : Migration +# Purpose : Interact with kernel to perform kpoc_charger +allow kpoc_charger block_device:dir search; +allow kpoc_charger graphics_device:dir search; +allow kpoc_charger graphics_device:chr_file rw_file_perms; +allow kpoc_charger input_device:dir r_dir_perms; +allow kpoc_charger input_device:chr_file rw_file_perms; +allow kpoc_charger self:capability { sys_nice net_admin sys_boot sys_admin }; +allow kpoc_charger self:netlink_kobject_uevent_socket { create bind read setopt }; +allow kpoc_charger sysfs:dir r_dir_perms; +allow kpoc_charger kmsg_device:chr_file { getattr w_file_perms }; +allow kpoc_charger rtc_device:chr_file rw_file_perms; + +# Date : WK15.44 +# Operation : Migration +# Purpose : add sepolicy for nand platform which use mtd_device +allow kpoc_charger mtd_device:dir search; +allow kpoc_charger mtd_device:chr_file r_file_perms; + +# Date : WK17.25 +# Operation : Android O migration +# Purpose : add sepolicy for accessing rootfs and sysfs_leds +allow kpoc_charger rootfs:file r_file_perms; +allow kpoc_charger sysfs_leds:dir r_dir_perms; + +# Date : WK18.20 +# Operation : Android P migration +# Purpose: add sepolicy for sysfs_batteryinfo +allow kpoc_charger sysfs_batteryinfo:dir r_dir_perms; + +# Purpose: add sepolicy for sysfs_power +allow kpoc_charger sysfs_power:file rw_file_perms; + +# Purpose: add sepolicy for 
sysfs_dt_firmware_android +r_dir_file(kpoc_charger, sysfs_dt_firmware_android) +allow kpoc_charger proc_cmdline:file r_file_perms; + +# Purpose: add sepolicy for BatteryNotify +allow kpoc_charger sysfs_battery_warning:file r_file_perms; + +# Operation: Android R Migration +# Purpose : access vbus +allow kpoc_charger sysfs_vbus:file r_file_perms; + +# Date : WK20.37 +# Operation : common-kernel-5.4 +# Purpose: add sepolicy for acessing metadata_file +allow kpoc_charger metadata_file:dir search; + +#Date: WK20.52 +# Purpose : DRM / DRI GPU driver required +allow kpoc_charger gpu_device:dir search; + diff --git a/bsp/plat_private/logd.te b/bsp/plat_private/logd.te new file mode 100644 index 0000000..d6022fd --- /dev/null +++ b/bsp/plat_private/logd.te @@ -0,0 +1,10 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +set_prop(logd, logd_prop) +set_prop(logd, log_tag_prop) + +# Date : W18.26 +# Allow logmuch related property +set_prop(logd, system_mtk_logmuch_prop) diff --git a/bsp/plat_private/mdi_redirector.te b/bsp/plat_private/mdi_redirector.te new file mode 100644 index 0000000..015d0e1 --- /dev/null +++ b/bsp/plat_private/mdi_redirector.te 
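Review bot: `allow kpoc_charger self:capability { sys_nice net_admin sys_boot sys_admin };` in kpoc_charger.te is justified only by "Interact with kernel to perform kpoc_charger", which does not explain `sys_admin` or `net_admin` for a power-off charging daemon. `sys_boot` is plausible for rebooting out of charge mode, but `sys_admin` is the broadest capability there is and should not be granted without a recorded denial. I would split the rule and annotate each capability, e.g. `# sys_boot: reboot when the power key is pressed` and `# net_admin: <reason, confirm>`, and drop `sys_admin` if no denial reproduces without it. The same block grants `allow kpoc_charger sysfs:dir r_dir_perms;` on the generic sysfs type, which could be narrowed to the labelled battery and LED directories already listed further down. This hunk starts at the `@@ -0,0 +1,74 @@` header on the previous line.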
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/mdi_redirector Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdi_redirector_exec ,exec_type, file_type, system_file_type;
+typeattribute mdi_redirector coredomain;
+
+init_daemon_domain(mdi_redirector)
+net_domain(mdi_redirector)
+
+# Date : WK19.07 2019/02/15
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : To allow mdi_redirector create socket to forward KPI to PC tool
+allow mdi_redirector fwmarkd_socket:sock_file write;
+allow mdi_redirector self:tcp_socket create_stream_socket_perms;
+allow mdi_redirector self:udp_socket create_stream_socket_perms;
+allow mdi_redirector node:tcp_socket node_bind;
+allow mdi_redirector port:tcp_socket name_bind;
+allow mdi_redirector netd:unix_stream_socket connectto;
+
+# Allow to connect DMC HIDL server
+hal_client_domain(mdi_redirector, hal_mtk_dmc)
diff --git a/bsp/plat_private/mdmi_redirector.te b/bsp/plat_private/mdmi_redirector.te
new file mode 100644
index 0000000..4e47f8f
--- /dev/null
+++ b/bsp/plat_private/mdmi_redirector.te
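Review bot: The socket rules in the mdi_redirector.te hunk are justified by an integration test ("forward KPI to PC tool") but are granted in every build variant, and `allow mdi_redirector port:tcp_socket name_bind;` together with `node:tcp_socket node_bind` lets the daemon listen on any port and address that carry the generic `port` and `node` labels. If the redirector is only a test aid, wrap the block in `userdebug_or_eng(` … `')` as osi.te does in this patch; if it ships in user builds, the comment should name the listening port and the expected peer, and a dedicated port type would narrow the bind. `allow mdi_redirector self:udp_socket create_stream_socket_perms;` also applies the stream permission set to a datagram socket, where `create_socket_perms` is the usual choice. The mdmi_redirector.te hunk that follows repeats the same rules.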
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/mdmi_redirector Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mdmi_redirector_exec, exec_type, file_type, system_file_type;
+typeattribute mdmi_redirector coredomain;
+
+init_daemon_domain(mdmi_redirector)
+net_domain(mdmi_redirector)
+
+# Date : WK19.07 2019/02/15
+# Operation : mdmi_redirector integration test with AT&T Linkmaster
+# Purpose : To allow mdmi_redirector create socket to forward KPI to PC tool
+allow mdmi_redirector fwmarkd_socket:sock_file write;
+allow mdmi_redirector self:tcp_socket create_stream_socket_perms;
+allow mdmi_redirector self:udp_socket create_stream_socket_perms;
+allow mdmi_redirector node:tcp_socket node_bind;
+allow mdmi_redirector port:tcp_socket name_bind;
+allow mdmi_redirector netd:unix_stream_socket connectto;
+
+# Allow to connect DMC HIDL server
+hal_client_domain(mdmi_redirector, hal_mtk_dmc)
diff --git a/bsp/plat_private/mediaserver.te b/bsp/plat_private/mediaserver.te
new file mode 100644
index 0000000..65c7eb5
--- /dev/null
+++ b/bsp/plat_private/mediaserver.te
@@ -0,0 +1,27 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.32
+# Operation : Migration
+# Purpose : for control CPU during camera working flow
+allow mediaserver mtk_perf_service:service_manager find;
+
+# Date : WK16.29
+# Operation : Migration
+# Purpose : Add permission for gpu access
+allow mediaserver gas_srv_service:service_manager find;
+
+# Date : WK17.50
+# Operation : CMCC
+# Purpose: Allow set property to notify rtsp server timeout
+set_prop(mediaserver, system_prop)
+
+# Date : WK19.16
+# Operation : WFD
+# Purpose: Allow property operations
+
+# Date : WK21.14
+# Operation : WFD
+# Purpose: Allow property set for HDR10 cast and EM setting
+set_prop(mediaserver, system_mtk_media_wfd_prop)
diff --git a/bsp/plat_private/met_log_d.te b/bsp/plat_private/met_log_d.te
new file mode 100644
index 0000000..a131568
--- /dev/null
+++ b/bsp/plat_private/met_log_d.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Policy File of /system/bin/met_log_d Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute met_log_d coredomain;
+type met_log_d_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(met_log_d)
+
+set_prop(met_log_d, debug_prop)
diff --git a/bsp/plat_private/mmp.te b/bsp/plat_private/mmp.te
new file mode 100644
index 0000000..699a609
--- /dev/null
+++ b/bsp/plat_private/mmp.te
@@ -0,0 +1,12 @@
+# ==============================================
+# Policy File of /system/bin/mmp Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute mmp coredomain;
+type mmp_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmp)
+
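Review bot: In the mediaserver.te hunk, `set_prop(mediaserver, system_prop)` gives a process that parses untrusted media write access to every property labelled with the generic `system_prop` type, only to signal an RTSP timeout. A dedicated type, declared and mapped the way this patch handles `system_mtk_media_wfd_prop`, would confine the write to the one property; its name is not visible in this hunk and would have to come from the caller. netd.te in this patch has the same pattern in `set_prop(netd, system_prop)`, whose comment marks it as "Only for Android N". The "WK19.16 / WFD" comment block in this hunk has no rule under it and should be removed or merged into the WK21.14 block.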
diff --git a/bsp/plat_private/mtk_advcamserver.te b/bsp/plat_private/mtk_advcamserver.te
new file mode 100644
index 0000000..70a9984
--- /dev/null
+++ b/bsp/plat_private/mtk_advcamserver.te
@@ -0,0 +1,23 @@
+# ==============================================
+# Policy File of /system/bin/mtk_advcamserver Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type mtk_advcamserver_exec, system_file_type, exec_type, file_type;
+typeattribute mtk_advcamserver coredomain;
+
+init_daemon_domain(mtk_advcamserver)
+
+binder_use(mtk_advcamserver)
+hwbinder_use(mtk_advcamserver)
+binder_call(mtk_advcamserver, mtk_advcamserver)
+binder_service(mtk_advcamserver)
+binder_call(mtk_advcamserver, binderservicedomain)
+binder_call(mtk_advcamserver, appdomain)
+
+add_service(mtk_advcamserver, mtk_advcamserver_service)
+get_prop(mtk_advcamserver, hwservicemanager_prop)
+
+allow mtk_advcamserver ion_device:chr_file r_file_perms;
diff --git a/bsp/plat_private/netd.te b/bsp/plat_private/netd.te
new file mode 100644
index 0000000..8a6cf29
--- /dev/null
+++ b/bsp/plat_private/netd.te
@@ -0,0 +1,57 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.41
+# Operation : Migration
+# Purpose : ipv6 Tethering Test
+allow netd dhcp_data_file:dir rw_dir_perms;
+allow netd dhcp_data_file:file create_file_perms;
+allow netd self:capability { setuid net_bind_service setgid };
+
+# Date : W15.39
+# Operation : CAT6 T-put
+# Purpose : CAT6 T-put
+# Owner : Kang ouyang
+allow netd mtk_perf_service:service_manager find;
+
+# Date : W15.39
+# Operation : CAT6 T-put
+# Purpose : CAT6 T-put
+# Owner : Kang ouyang
+binder_call(netd, servicemanager)
+binder_call(netd, system_server)
+binder_use(netd)
+
+# Date : W16.27
+# Operation : nsiot set property(Only for Android N)
+# Purpose : nsiot set property
+# Owner : kang ouyang
+set_prop(netd, system_prop)
+
+# Date : W16.38
+# Operation : MD direct Tethering Test
+# Purpose : For support MDT
+allowxperm netd self:unix_stream_socket ioctl {SIOCSIFBR SIOCBRADDBR SIOCBRADDIF SIOCDEVPRIVATE};
+
+# Data : W18.38
+# Operation : Migration
+# Purpose : Trustonic TEE
+allow netd teeregistryd_app:fd use;
+allow netd teeregistryd_app:tcp_socket rw_socket_perms_no_ioctl;
+
+# Data : W19.24
+# Operation : Android Q DMC Migration
+# Purpose : To allow MAPI to create socket and submit data to PC
+allow netd mdi_redirector:fd use;
+allow netd mdi_redirector:tcp_socket rw_socket_perms_no_ioctl;
+
+# Data : W19.25
+# Operation : Android Q DMC Migration
+# Purpose : To allow MDMI to create socket as a test tool
+allow netd mdmi_redirector:fd use;
+allow netd mdmi_redirector:tcp_socket rw_socket_perms_no_ioctl;
+
+# Purpose: For EngineerMode communication with mnld
+allow netd em_app:fd use;
+allow netd em_app:tcp_socket rw_socket_perms_no_ioctl;
diff --git a/bsp/plat_private/nfc.te b/bsp/plat_private/nfc.te
new file mode 100644
index 0000000..1ec4436
--- /dev/null
+++ b/bsp/plat_private/nfc.te
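Review bot: The last rule pair in the netd.te hunk is documented as "For EngineerMode communication with mnld", but the rules grant netd `fd use` and `tcp_socket rw_socket_perms_no_ioctl` on sockets owned by `em_app` and never mention mnld, so the comment does not explain the grant. The comment should say why netd needs a descriptor from that domain, in the form `# Purpose : netd operates on TCP sockets handed over by em_app for <reason>`. The same applies to the mdmi_redirector pair, which is described as "a test tool": if these peers exist only on engineering builds, the three socket grants belong inside `userdebug_or_eng`. The "Data :" headers on the last three dated blocks are presumably meant to read "Date :".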
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2016/11/10
+# Operation : SQC
+# Purpose : Allow NFC to use gas service
+allow nfc gas_srv_service:service_manager find;
diff --git a/bsp/plat_private/osi.te b/bsp/plat_private/osi.te
new file mode 100644
index 0000000..b645c5b
--- /dev/null
+++ b/bsp/plat_private/osi.te
@@ -0,0 +1,31 @@
+# ==============================================
+# Policy File of /system/bin/osi Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute osi coredomain;
+type osi_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+permissive osi;
+')
+
+# Date : WK15.45
+# Operation : create
+# Purpose : Start osi
+init_daemon_domain(osi)
+net_domain(osi)
+
+userdebug_or_eng(`
+allow osi media_rw_data_file:file r_file_perms;
+allow osi sdcardfs:file rw_file_perms;
+allow osi self:capability net_raw;
+allow osi self:udp_socket ioctl;
+allow osi shell_exec:file x_file_perms;
+allow osi sysfs:dir r_dir_perms;
+allow osi sysfs_android_usb:dir search;
+allow osi sysfs_android_usb:file r_file_perms;
+allow osi toolbox_exec:file x_file_perms;
+')
diff --git a/bsp/plat_private/platform_app.te b/bsp/plat_private/platform_app.te
new file mode 100644
index 0000000..93724a4
--- /dev/null
+++ b/bsp/plat_private/platform_app.te
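Review bot: In the osi.te hunk, `permissive osi;` inside `userdebug_or_eng` means the explicit `allow` block further down is never enforced on the only builds where it is compiled in, so denials are merely logged and the rule list cannot be validated there. On user builds the domain is enforcing but keeps `init_daemon_domain(osi)` and `net_domain(osi)` with none of the file or capability rules, which suggests the daemon is not expected to run there; if so, the domain transition and network access are better gated to debug builds as well. I would remove the `permissive osi;` block and rely on the explicit rules, and add a comment stating why a network-facing domain needs `shell_exec` and `toolbox_exec` `x_file_perms` plus `net_raw`.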
@@ -0,0 +1,147 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2014/10/28
+# Operation : hs_xiangxu
+# Purpose : [ALPS01782971]Settings need read&write to system_app_data_file
+# Package: com.android.settings
+allow platform_app system_app_data_file:file rw_file_perms;
+
+# Date : 2015/09/06
+# Operation : SQC
+# Purpose : [NFC][can not get nfc service]
+# Package: com.android.gallery3d
+allow platform_app nfc_service:service_manager find;
+
+# Date : 2017/06/01
+# Operation : Migration
+# Purpose : Allow camera app to find advcam servive
+allow platform_app mtk_advcamserver_service:service_manager find;
+
+# Date: 2017/06/29
+# Operation: Migration
+# Purpose : Allow UICC terminal to find phoneEx service
+# Package: org.simalliance.openmobileapi
+allow platform_app mtk_radio_service:service_manager find;
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow platform_app mtk_connmetrics_service:service_manager find;
+
+# Date: 2018/07/03
+# Operation: Migration
+# Purpose : Allow Rcs to get system_mtk_rcs_support_prop/system_mtk_em_tel_log_prop
+# Package: om.mediatek.rcs
+get_prop(platform_app, system_mtk_rcs_support_prop)
+get_prop(platform_app, system_mtk_em_tel_log_prop)
+
+# Date: 2018/07/03
+# Operation: Migration
+# Purpose : Allow Contacts to get system_mtk_uce_support_prop
+# Package: com.android.contacts
+get_prop(platform_app, system_mtk_uce_support_prop)
+
+# Date: 2018/07/04
+# Operation: P migration
+# Purpose : allow radio get vzw device type property
+get_prop(platform_app, system_mtk_persist_vendor_vzw_device_type_prop)
+
+# Date : 2018/07/02
+# Operation : Migration
+# Purpose : Allow platform app to get ECBM property
+get_prop(platform_app, system_mtk_cdma_ecm_prop)
+
+# Date: 2018/07/06
+# Operation: Migration
+# Purpose : Allow Entitlement to get system_mtk_wfc_entitlement_prop
+# Package: com.mediatek.entitlement
+get_prop(platform_app, system_mtk_wfc_entitlement_prop)
+
+# Date : 2018/07/27
+# Operation : Migration
+# Purpose : allow platform_app to find aal_service
+allow platform_app aal_service:service_manager find;
+
+# Date: 2018/10/25
+# Operation: Clientapi Develope
+# Purpose : Allow Contacts to get system_mtk_clientapi_support_prop
+# Package: com.android.contacts
+get_prop(platform_app, system_mtk_clientapi_support_prop)
+
+# Date: 2018/10/26
+# Purpose: Allow platform app to set and get Subsidy Lock properties
+set_prop(platform_app, system_mtk_subsidylock_connect_prop)
+
+# Date: 2018/10/26
+# Purpose: Allow platform app to set and get Subsidy Lock properties
+set_prop(platform_app, system_mtk_subsidylock_prop)
+
+# Date: 2019/02/13
+# Purpose : Allow ACS to get system_mtk_acs_url_prop, system_mtk_acs_version_prop and system_mtk_acs_support_prop
+get_prop(platform_app, system_mtk_acs_url_prop)
+get_prop(platform_app, system_mtk_acs_version_prop)
+get_prop(platform_app, system_mtk_acs_support_prop)
+
+# Date : 2019/05/28
+# Operation : Q Migration
+# Purpose : allow to get mtk_cta_set and mtk_cta_support property
+get_prop(platform_app, system_mtk_cta_set_prop)
+
+# Date: 2019/05/29
+# Operation : Migration
+# Purpose : Camera need read cl_cam_status
+# Package: com.mediatek.camera
+allow platform_app proc_cl_cam_status:file r_file_perms;
+
+# Date : 2019/06/03
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(platform_app, system_mtk_rsc_sys_prop)
+
+# Date : 2019/06/27
+# Purpose : allow to set ctl.start/stop/restart property
+set_prop(platform_app, system_mtk_ctl_campostalgo_prop)
+
+# Date : 2019/06/27
+# Purpose : allow to find camera postalgo service.
+allow platform_app camerapostalgo_service:service_manager find;
+
+# Date : 2019/09/27
+# Operation : MDM IT with MDMLSample app
+# Purpose : For MDMLSample to auto start md_monitor
+set_prop(platform_app, config_prop)
+
+# Date: 2019/09/27
+# Operation : MDM IT with MDMLSample app
+# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState()
+get_prop(platform_app, system_mtk_init_svc_md_monitor_prop)
+
+# Date : 2020/03/26
+# Purpose : allow to find cta_networkdatacontroller_service.
+allow platform_app cta_networkdatacontroller_service:service_manager find;
+
+# Data : 2020/09/21
+# Purpose : allow to setprop persist.vendor.radio.bgdata.disable
+set_prop(platform_app, system_mtk_bgdata_disabled_prop)
+
+# Allow platform_app to interact with hal_teei_tui
+hal_client_domain(platform_app, hal_teei_tui)
+
+# Allow platform_app to interact with hal_teei_capi
+hal_client_domain(platform_app, hal_teei_capi)
+
+# Allow platform_app to interact with hal_teei_thh
+hal_client_domain(platform_app, hal_teei_thh)
+
+hal_client_domain(platform_app, hal_teei_ifaa)
+hal_client_domain(platform_app, hal_teei_wechat)
+
+# Date:2021/11/13
+# Operation: Add for DSDA in Dialer, add permission for accessing vendor.radio.dsda.state
+get_prop(platform_app, system_mtk_common_data_prop)
+
+# VoNR : 2021/11/26
+# Purpose : allow to setprop persist.vendor.dbg.vonr_ui_ovr
+set_prop(platform_app,system_mtk_dbg_ims_prop);
diff --git a/bsp/plat_private/priv_app.te b/bsp/plat_private/priv_app.te
new file mode 100644
index 0000000..1da670a
--- /dev/null
+++ b/bsp/plat_private/priv_app.te
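Review bot: `set_prop(platform_app, config_prop)` in the platform_app.te hunk is justified by the MDMLSample test app, yet it lets every platform-signed app write any property labelled `config_prop`; property_contexts in this patch maps `persist.vendor.mdmmonitor` to that core type, which is what forces the grant. Giving that property its own type, as the patch already does for `init.svc.md_monitor`, and granting only that type would remove the need, and radio.te repeats the same `config_prop` grant. `allow platform_app system_app_data_file:file rw_file_perms;` is similarly wide for a single Settings use case, whereas priv_app.te grants only `{ read write }` without `open`. The final line `set_prop(platform_app,system_mtk_dbg_ims_prop);` carries a trailing `;` that no other macro call in the file has and should read `set_prop(platform_app, system_mtk_dbg_ims_prop)`.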
@@ -0,0 +1,37 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use mtk telephony APIs (phoneEx)
+allow priv_app mtk_radio_service:service_manager find;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(priv_app, hal_mtk_pq)
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use shared memory for HAL PQ
+hal_client_domain(priv_app, hal_allocator)
+
+# Date : WK19.46
+# Purpose : access cta prop
+get_prop(priv_app, system_mtk_cta_set_prop)
+
+# Date: 2020/04/03
+# Operation : Network data controller feature
+# Purpose :allow priv_app to find cta_networkdatacontroller_service
+allow priv_app cta_networkdatacontroller_service:service_manager find;
+
+# Date: 2020/04/30
+# Operation : SQC
+# Purpose :allow priv_app to read write system_app_data_file
+allow priv_app system_app_data_file:file { read write };
+
+# Date: 2021/03/03
+# Operation : Migration
+# Purpose :allow priv_app Gallery to access drm service config property
+get_prop(priv_app, drm_service_config_prop)
diff --git a/bsp/plat_private/property.te b/bsp/plat_private/property.te
new file mode 100644
index 0000000..6a37df6
--- /dev/null
+++ b/bsp/plat_private/property.te
@@ -0,0 +1,126 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties used only in /system
+system_internal_prop(system_mtk_aal_prop)
+system_internal_prop(system_mtk_acs_support_prop)
+system_internal_prop(system_mtk_acs_url_prop)
+system_internal_prop(system_mtk_acs_version_prop)
+system_internal_prop(system_mtk_amsaal_prop)
+system_internal_prop(system_mtk_apptoken_required_prop)
+system_internal_prop(system_mtk_atci_sys_prop)
+system_internal_prop(system_mtk_capctrl_sys_prop)
+system_internal_prop(system_mtk_bluetooth_prop)
+system_internal_prop(system_mtk_capability_switch_prop)
+system_internal_prop(system_mtk_cdma_ecm_prop)
+system_internal_prop(system_mtk_cdma_prop)
+system_internal_prop(system_mtk_clientapi_support_prop)
+system_internal_prop(system_mtk_common_data_prop)
+system_internal_prop(system_mtk_cta_set_prop)
+system_internal_prop(system_mtk_ctl_atcid_daemon_u_prop)
+system_internal_prop(system_mtk_ctl_campostalgo_prop)
+system_internal_prop(system_mtk_ctmslot_prop)
+system_internal_prop(system_mtk_debug_sf_prop)
+system_internal_prop(system_mtk_debug_bq_prop)
+system_internal_prop(system_mtk_duraspeed_drop_caches_prop)
+system_internal_prop(system_mtk_em_tel_log_prop)
+system_internal_prop(system_mtk_imsconfig_prop)
+system_internal_prop(system_mtk_logmuch_prop)
+system_internal_prop(system_mtk_media_wfd_prop)
+system_internal_prop(system_mtk_opt_in_url_prop)
+system_internal_prop(system_mtk_permission_control_prop)
+system_internal_prop(system_mtk_persist_vendor_vzw_device_type_prop)
+system_internal_prop(system_mtk_rcs_support_prop)
+system_internal_prop(system_mtk_rsc_sys_prop)
+system_internal_prop(system_mtk_rtt_prop)
+system_internal_prop(system_mtk_selfreg_prop)
+system_internal_prop(system_mtk_subsidylock_connect_prop)
+system_internal_prop(system_mtk_supp_serv_prop)
+system_internal_prop(system_mtk_telecom_vibrate_prop)
+system_internal_prop(system_mtk_terservice_prop)
+system_internal_prop(system_mtk_uce_support_prop)
+system_internal_prop(system_mtk_update_prop)
+system_internal_prop(system_mtk_usb_tethering_prop)
+system_internal_prop(system_mtk_usp_srv_prop)
+system_internal_prop(system_mtk_vsim_sys_prop)
+system_internal_prop(system_mtk_wfc_entitlement_prop)
+system_internal_prop(system_mtk_wfc_opt_in_prop)
+system_internal_prop(system_mtk_world_phone_prop)
+system_internal_prop(system_mtk_ctm_prop)
+system_internal_prop(system_mtk_graphics_sf_gll_prop)
+system_internal_prop(system_mtk_subsidylock_prop)
+system_internal_prop(system_mtk_gwsd_prop)
+system_internal_prop(system_mtk_vodata_prop)
+system_internal_prop(system_mtk_fd_prop)
+system_internal_prop(system_mtk_dbg_ims_prop)
+
+# Properties which can be written only by vendor_init
+system_vendor_config_prop(system_mtk_graphics_sf_gll_ro_prop)
+system_vendor_config_prop(system_mtk_update_support_prop)
+
+# Properties which can't be written outside vendor
+#=============allow netflix read property==============
+system_public_prop(netflix_bsp_rev_prop)
+
+# Properties with can't be accessed by device-sepcific domains
+typeattribute system_mtk_aal_prop extended_core_property_type;
+typeattribute system_mtk_acs_support_prop extended_core_property_type;
+typeattribute system_mtk_acs_url_prop extended_core_property_type;
+typeattribute system_mtk_acs_version_prop extended_core_property_type;
+typeattribute system_mtk_amsaal_prop extended_core_property_type;
+typeattribute system_mtk_apptoken_required_prop extended_core_property_type;
+typeattribute system_mtk_atci_sys_prop extended_core_property_type;
+typeattribute system_mtk_capctrl_sys_prop extended_core_property_type;
+typeattribute system_mtk_bluetooth_prop extended_core_property_type;
+typeattribute system_mtk_capability_switch_prop extended_core_property_type;
+typeattribute system_mtk_cdma_ecm_prop extended_core_property_type;
+typeattribute system_mtk_cdma_prop extended_core_property_type;
+typeattribute system_mtk_clientapi_support_prop extended_core_property_type;
+typeattribute system_mtk_common_data_prop extended_core_property_type;
+typeattribute system_mtk_cta_set_prop extended_core_property_type;
+typeattribute system_mtk_ctl_atcid_daemon_u_prop extended_core_property_type;
+typeattribute system_mtk_ctl_campostalgo_prop extended_core_property_type;
+typeattribute system_mtk_ctmslot_prop extended_core_property_type;
+typeattribute system_mtk_debug_sf_prop extended_core_property_type;
+typeattribute system_mtk_debug_bq_prop extended_core_property_type;
+typeattribute system_mtk_duraspeed_drop_caches_prop extended_core_property_type;
+typeattribute system_mtk_em_tel_log_prop extended_core_property_type;
+typeattribute system_mtk_heavy_loading_prop extended_core_property_type;
+typeattribute system_mtk_imsconfig_prop extended_core_property_type;
+typeattribute system_mtk_logmuch_prop extended_core_property_type;
+typeattribute system_mtk_media_wfd_prop extended_core_property_type;
+typeattribute system_mtk_opt_in_url_prop extended_core_property_type;
+typeattribute system_mtk_permission_control_prop extended_core_property_type;
+typeattribute system_mtk_persist_vendor_vzw_device_type_prop extended_core_property_type;
+typeattribute system_mtk_rcs_support_prop extended_core_property_type;
+typeattribute system_mtk_rsc_sys_prop extended_core_property_type;
+typeattribute system_mtk_rtt_prop extended_core_property_type;
+typeattribute system_mtk_selfreg_prop extended_core_property_type;
+typeattribute system_mtk_subsidylock_connect_prop extended_core_property_type;
+typeattribute system_mtk_subsidylock_prop extended_core_property_type;
+typeattribute system_mtk_supp_serv_prop extended_core_property_type;
+typeattribute system_mtk_telecom_vibrate_prop extended_core_property_type;
+typeattribute system_mtk_terservice_prop extended_core_property_type;
+typeattribute system_mtk_uce_support_prop extended_core_property_type;
+typeattribute system_mtk_update_prop extended_core_property_type;
+typeattribute system_mtk_update_support_prop extended_core_property_type;
+typeattribute system_mtk_usb_tethering_prop extended_core_property_type;
+typeattribute system_mtk_usp_srv_prop extended_core_property_type;
+typeattribute system_mtk_vsim_sys_prop extended_core_property_type;
+typeattribute system_mtk_wfc_entitlement_prop extended_core_property_type;
+typeattribute system_mtk_wfc_opt_in_prop extended_core_property_type;
+typeattribute system_mtk_world_phone_prop extended_core_property_type;
+typeattribute system_mtk_ctm_prop extended_core_property_type;
+typeattribute system_mtk_gwsd_prop extended_core_property_type;
+typeattribute system_mtk_vodata_prop extended_core_property_type;
+typeattribute system_mtk_fd_prop extended_core_property_type;
+typeattribute system_mtk_dbg_ims_prop extended_core_property_type;
diff --git a/bsp/plat_private/property_contexts b/bsp/plat_private/property_contexts
new file mode 100644
index 0000000..8689a95
--- /dev/null
+++ b/bsp/plat_private/property_contexts
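Review bot: `typeattribute system_mtk_heavy_loading_prop extended_core_property_type;` in the property.te hunk refers to a type that none of the `system_internal_prop(...)` lines in this hunk declares; unless another policy file declares it, the policy will not compile. property_contexts in this patch likewise labels properties with `system_mtk_amslog_prop`, `system_mtk_pkm_init_prop` and `system_mtk_init_svc_md_monitor_prop`, which are not declared here either, so it is worth confirming where those come from. The heading "Properties which can't be written outside vendor" sits directly above `system_public_prop(netflix_bsp_rev_prop)`, which the legend at the top of the file describes as unrestricted. If public is intended, the heading should read `# Properties with no restrictions`; if not, the macro is the wrong one.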
@@ -0,0 +1,173 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+ctl.atcid-daemon-u u:object_r:system_mtk_ctl_atcid_daemon_u_prop:s0
+persist.vendor.radio.port_index u:object_r:system_mtk_atci_sys_prop:s0
+vendor.ril.atci.flightmode u:object_r:system_mtk_atci_sys_prop:s0
+persist.vendor.service.atci.autostart u:object_r:system_mtk_atci_sys_prop:s0
+persist.vendor.service.atci.usermode u:object_r:system_mtk_atci_sys_prop:s0
+
+vendor.ril.capctrl_loaded u:object_r:system_mtk_capctrl_sys_prop:s0
+
+persist.vendor.sys.aal. u:object_r:system_mtk_aal_prop:s0
+
+vendor.moms.permission.control.policy.set u:object_r:system_mtk_permission_control_prop:s0
+
+persist.vendor.ter u:object_r:system_mtk_terservice_prop:s0
+vendor.ter.service u:object_r:system_mtk_terservice_prop:s0
+
+ro.vendor.mtk_cta_set u:object_r:system_mtk_cta_set_prop:s0
+
+ro.sys.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+ro.product.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+ro.sys_ext.current_rsc_path u:object_r:system_mtk_rsc_sys_prop:s0
+
+# Restrict access to starting/stopping campostalgo
+ctl.start$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+ctl.stop$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+ctl.restart$camerapostalgo u:object_r:system_mtk_ctl_campostalgo_prop:s0
+
+persist.vendor.radio.telecom.vibrate u:object_r:system_mtk_telecom_vibrate_prop:s0
+
+ro.vendor.graphiclowlatency.version u:object_r:system_mtk_graphics_sf_gll_ro_prop:s0
+vendor.debug.sf. u:object_r:system_mtk_debug_sf_prop:s0
+vendor.debug.bq. u:object_r:system_mtk_debug_bq_prop:s0
+
+# CT SelfRegister property
+persist.vendor.radio.selfreg u:object_r:system_mtk_selfreg_prop:s0
+
+# USB tethering property for auto test
+persist.vendor.net.tethering u:object_r:system_mtk_usb_tethering_prop:s0
+
+# android log much detect
+persist.vendor.logmuch u:object_r:system_mtk_logmuch_prop:s0
+
+persist.vendor.entitlement_enabled u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.entitlement.sesurl u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.entitlement.dbg. u:object_r:system_mtk_wfc_entitlement_prop:s0
+persist.vendor.net.wo.epdg_fqdn u:object_r:system_mtk_wfc_entitlement_prop:s0
+
+persist.vendor.mtk_wfc_opt_in u:object_r:system_mtk_wfc_opt_in_prop:s0
+persist.vendor.opt-in.url u:object_r:system_mtk_opt_in_url_prop:s0
+persist.vendor.apptoken.required u:object_r:system_mtk_apptoken_required_prop:s0
+
+# common data releated property
+persist.vendor.radio.default.data.selected u:object_r:system_mtk_common_data_prop:s0
+persist.vendor.radio.mobile.mtu u:object_r:system_mtk_common_data_prop:s0
+vendor.radio.dsda.state u:object_r:system_mtk_common_data_prop:s0
+
+# carrier express (cxp)
+persist.vendor.operator.optr_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.operator.spec_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.operator.seg_1 u:object_r:system_mtk_usp_srv_prop:s0
+persist.vendor.mtk_usp u:object_r:system_mtk_usp_srv_prop:s0
+
+persist.vendor.update_finished u:object_r:system_mtk_update_prop:s0
+persist.vendor.previous_slot u:object_r:system_mtk_update_prop:s0
+
+vendor.media.wfd. u:object_r:system_mtk_media_wfd_prop:s0
+vendor.media.wfd.portrait u:object_r:system_mtk_media_wfd_prop:s0
+vendor.media.wfd.video-format u:object_r:system_mtk_media_wfd_prop:s0
+
+vendor.gsm.disable.sim.dialog u:object_r:system_mtk_vsim_sys_prop:s0
+
+# supplementary service property
+vendor.gsm.radio.ss.sc u:object_r:system_mtk_supp_serv_prop:s0
+vendor.gsm.radio.ss.imsdereg u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.iccid. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.change. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu_over_ims u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.sync_for_ota u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.mode u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.timeslot. u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.radio.cfu.querytype u:object_r:system_mtk_supp_serv_prop:s0
+persist.vendor.suppserv. u:object_r:system_mtk_supp_serv_prop:s0
+vendor.suppserv. u:object_r:system_mtk_supp_serv_prop:s0
+
+vendor.bluetooth. u:object_r:system_mtk_bluetooth_prop:s0
+persist.vendor.bluetooth. u:object_r:system_mtk_bluetooth_prop:s0
+
+# tel log property
+persist.vendor.log.tel_dbg u:object_r:system_mtk_em_tel_log_prop:s0
+
+# ims config property
+vendor.ril.imsconfig.force.notify u:object_r:system_mtk_imsconfig_prop:s0
+
+# mtk duraspeed property
+persist.vendor.sys.vm.drop_caches u:object_r:system_mtk_duraspeed_drop_caches_prop:s0
+
+ro.vendor.mtk_system_update_support u:object_r:system_mtk_update_support_prop:s0
+
+# AMS dynamic enable log property
+persist.vendor.sys.activitylog u:object_r:system_mtk_amslog_prop:s0
+
+# AMS-aal dynamic enable property
+persist.vendor.sys.mtk_app_aal_support u:object_r:system_mtk_amsaal_prop:s0
+
+# MTK CDMA Less property
+persist.vendor.vzw_device_type u:object_r:system_mtk_persist_vendor_vzw_device_type_prop:s0
+
+persist.vendor.mtk_rtt_support u:object_r:system_mtk_rtt_prop:s0
+
+persist.vendor.ctm_slot_flag u:object_r:system_mtk_ctmslot_prop:s0
+
+persist.vendor.mtk_uce_support u:object_r:system_mtk_uce_support_prop:s0
+
+persist.vendor.mtk_clientapi_support u:object_r:system_mtk_clientapi_support_prop:s0
+
+vendor.cdma.icc.operator.mcc u:object_r:system_mtk_cdma_prop:s0
+
+# ECBM property
+vendor.ril.cdma.inecmmode_by_slot u:object_r:system_mtk_cdma_ecm_prop:s0
+
+persist.vendor.mtk_rcs_support u:object_r:system_mtk_rcs_support_prop:s0
+
+# MTK World Phone property
+persist.vendor.radio.wm_selectmode u:object_r:system_mtk_world_phone_prop:s0
+persist.vendor.radio.wm_fddtimer u:object_r:system_mtk_world_phone_prop:s0
+
+# MTK Capability Switch property
+persist.vendor.radio.unlock u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.unlock.roaming u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.wait.imsi u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.waitimsi.roaming u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.sim.status u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.new.sim.slot u:object_r:system_mtk_capability_switch_prop:s0
+vendor.ril.imsi.status. u:object_r:system_mtk_capability_switch_prop:s0
+persist.vendor.radio.simswitchstate u:object_r:system_mtk_capability_switch_prop:s0
+
+persist.vendor.subsidylock.connectivity_status u:object_r:system_mtk_subsidylock_connect_prop:s0
+persist.vendor.subsidylock u:object_r:system_mtk_subsidylock_prop:s0
+
+persist.vendor.mtk_acs_version u:object_r:system_mtk_acs_version_prop:s0
+persist.vendor.mtk_acs_support u:object_r:system_mtk_acs_support_prop:s0
+persist.vendor.mtk_acs_url u:object_r:system_mtk_acs_url_prop:s0
+
+# Modem Monitor property===========
+persist.vendor.mdmmonitor u:object_r:config_prop:s0
+
+init.svc.mtk_pkm_service u:object_r:system_mtk_pkm_init_prop:s0
+
+# MDM init control property
+init.svc.md_monitor u:object_r:system_mtk_init_svc_md_monitor_prop:s0
+
+# netflix HD property
+ro.netflix.bsp_rev u:object_r:netflix_bsp_rev_prop:s0
+
+service.ctm.slot_flag u:object_r:system_mtk_ctm_prop:s0
+
+vendor.sf.gll.istarget u:object_r:system_mtk_graphics_sf_gll_prop:s0
+vendor.sf.gll.q2l u:object_r:system_mtk_graphics_sf_gll_prop:s0
+vendor.sf.gll.avgl2p u:object_r:system_mtk_graphics_sf_gll_prop:s0
+
+ro.vendor.mtk_gwsd_support u:object_r:system_mtk_gwsd_prop:s0
+
+ro.vendor.vodata_support u:object_r:system_mtk_vodata_prop:s0
+
+# fastdormancy property
+persist.vendor.fd.on.charge u:object_r:system_mtk_fd_prop:s0
+persist.vendor.fd.screen.off.only u:object_r:system_mtk_fd_prop:s0
+
+#allow entitlement to set vonr debug
+persist.vendor.dbg.vonr_ui_ovr u:object_r:system_mtk_dbg_ims_prop:s0
diff --git a/bsp/plat_private/radio.te b/bsp/plat_private/radio.te
new file mode 100644
index 0000000..27bb5d2
--- /dev/null
+++ b/bsp/plat_private/radio.te
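Review bot: Every entry in the property_contexts hunk is a prefix match with no `exact` qualifier or value type, so short keys such as `persist.vendor.ter` and `persist.vendor.subsidylock` also label any longer property name that begins with those characters. Where a single property is meant, the entry should be pinned in the form `persist.vendor.ter u:object_r:system_mtk_terservice_prop:s0 exact <value-type>`, keeping bare prefixes only for real namespaces such as `vendor.debug.sf.`. The `vendor.media.wfd.portrait` and `vendor.media.wfd.video-format` lines are already covered by the `vendor.media.wfd.` prefix with the same label and add nothing. The "Modem Monitor" entry maps `persist.vendor.mdmmonitor` to the core `config_prop` type, which is why platform_app and radio need write access to all of `config_prop`; a dedicated type would avoid that.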
@@ -0,0 +1,183 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +allow radio mtk_registry_service:service_manager add; + +# Fix boot violation +add_service(radio, mtk_radio_service) + +# Date : WK1721 2017/5/26 +# Operation : IT +# Purpose : Allow to use HAL Wfo +hal_client_domain(radio, hal_mtk_wfo) + +# Date : 2017/06/06 +# Purpose: for iphonesubinfoEx service +add_service(radio, mtk_phonesubinfo_service) + +# Date : 2017/06/15 +# Purpose: for mtksimphonebook service +add_service(radio, mtk_simphonebook_service) + +# Date : 2017/08/14 +# Operation : VT development +# Purpose : Add vtservice to support video telephony functionality +# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild +allow radio vtservice_service:service_manager find; + +# Date : 2017/09/25 +# Operation : Migration IT with Privacy Protection Lock +# Purpose : for pplSmsFilterExtension find ppl_agent service +allow radio ppl_agent_service:service_manager find; + +# Date : 2018/06/22 +# Operation : P migration +# Purpose : Allow ctm to set system_mtk_ctmslot_prop +set_prop(radio, system_mtk_ctmslot_prop) + +# Date : WK18.26 2018/06/25 +# Operation : IT +# Purpose : for setting ims config force notify property +set_prop(radio, system_mtk_imsconfig_prop) + +# Date : 2018/06/28 +# Operation : P migration +# Purpose : Allow radio to set vendor prop in core domain +set_prop(radio, system_mtk_cdma_prop) + +# Date: 2018/06/29 +# Operation: P migration +# Purpose : allow radio set world phohe property +set_prop(radio, system_mtk_world_phone_prop) + +# Date : 2018/6/29 +# Operation: P migration +set_prop(radio, system_mtk_vsim_sys_prop) +set_prop(radio, ctl_start_prop) +set_prop(radio, ctl_stop_prop) + +# Date : 2020/10/30 +# Operation: R migration +set_prop(radio, system_mtk_capctrl_sys_prop) + +# Date : 2018/07/02 +# Operation : Migration +# Purpose : Allow Phone process to set ECBM property 
+set_prop(radio, system_mtk_cdma_ecm_prop) + +# Date : 2018/07/02 +# Operation : P migration +# Purpose : Allow radio to get/set system_mtk_supp_serv_prop +set_prop(radio, system_mtk_supp_serv_prop) + +# Date : 2018/07/03 +# Operation : P migration +# Purpose : Allow framework to set system_mtk_common_data_prop +set_prop(radio, system_mtk_common_data_prop) + +# Date: 2018/07/03 +# Operation: P migration +# Purpose : allow radio set capability switch property +set_prop(radio, system_mtk_capability_switch_prop) + +# Date: 2018/07/04 +# Operation: P migration +# Purpose : allow radio get vzw device type property +get_prop(radio, system_mtk_persist_vendor_vzw_device_type_prop) + +# Date : 2018/07/03 +# Stage: Migration +# Purpose: allow radio to get RTT property +get_prop(radio, system_mtk_rtt_prop) + +# Date: 2018/07/06 +# Operation: Migration +# Purpose : Allow Entitlement to get system_mtk_wfc_entitlement_prop +# Package: com.mediatek.entitlement +set_prop(radio, system_mtk_wfc_entitlement_prop) + +# Date: 2018/09/13 +# Operation: Support UCE Property +set_prop(radio, system_mtk_uce_support_prop) + +# Date : 2018/10/05 +# Operation : P Migration +# Purpose : allow to find aal_service +allow radio aal_service:service_manager find; + +# Date: 2018/10/31 +# Operation: Support SubsidyLock +set_prop(radio, system_mtk_subsidylock_connect_prop) + +# Date: 2018/10/31 +# Operation: Support SubsidyLock +get_prop(radio, system_mtk_subsidylock_prop) + +# Date: 2018/12/20 +# Operation: Support GWSD +add_service(radio, mtk_gwsd_service) + +# Date : 2019/05/16 +# Operation : MDM IT with Swift app +# Purpose : for app labeled by radio to auto start md_monitor +set_prop(radio, config_prop) + +# Date : 2019/05/28 +# Operation : Q Migration +# Purpose : allow to get mtk_cta_set and mtk_cta_support property +get_prop(radio, system_mtk_cta_set_prop) + +# Date : 2019/06/03 +# Operation : Q Migration split build +# Purpose : allow to get system_mtk_rsc_sys_prop +get_prop(radio, 
system_mtk_rsc_sys_prop) + +# Date: 2019/07/23 +# Operation : Swift app IT +# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState() +get_prop(radio, system_mtk_init_svc_md_monitor_prop) + +# Date : 2020/03/20 +# Operation: R migration +get_prop(radio, system_mtk_telecom_vibrate_prop) + +# Date : 2020/04/13 +# Purpose: get CT Register system property +get_prop(radio, system_mtk_selfreg_prop) + +# Date : 2020/03/23 +# Operation : Migration +# Purpose : apps need to get networkdatacontroller Service +allow radio cta_networkdatacontroller_service:service_manager find; + +# Date : 2021/07/27 +# Operation : Migration +# Purpose : Allow presence service to add AOSP service by ServiceManager +allow radio uce_service:service_manager add; + +# Date: 2019/04/10 +# Purpose: ctm set property +# Package Name: cn.richinfo.dm +set_prop(radio, system_mtk_ctm_prop) + +# Date: 2020/06/30 +# Operation: Support VODATA +add_service(radio, mtk_vodata_service) + +# Date : 2020/09/16 +# Operation : R Migration +# Purpose : allow radio to get telephony log property +get_prop(radio, system_mtk_em_tel_log_prop) + +# Date : 2021/01/07 +# Purpose : Allow radio to read ro.vendor.mtk_gwsd_support +get_prop(radio, system_mtk_gwsd_prop) + +# Date : 2021/04/25 +# Purpose : Allow radio to read fastdormancy property +get_prop(radio, system_mtk_fd_prop) + +# Date : 2021/12/22 +# Purpose : Allow radio to read ims debug property +get_prop(radio, system_mtk_dbg_ims_prop) diff --git a/bsp/plat_private/resize.te b/bsp/plat_private/resize.te new file mode 100644 index 0000000..573125c --- /dev/null +++ b/bsp/plat_private/resize.te 
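Review bot: `set_prop(radio, ctl_start_prop)` and `set_prop(radio, ctl_stop_prop)` sit under the "2018/6/29 / P migration" header with no Purpose line, and in AOSP these types label the generic `ctl.start`/`ctl.stop` properties. The radio domain can therefore ask init to start or stop any service that has no more specific ctl label. If radio only has to control one daemon, a dedicated ctl property type for it keeps the grant narrow; at minimum record the target, e.g. `# Purpose : radio starts/stops <service name> through ctl.start/ctl.stop`. The 2018/07/06 entitlement block also says "Allow Entitlement to get" while the rule is `set_prop(radio, system_mtk_wfc_entitlement_prop)`, so either the comment or the macro is wrong (`get_prop(radio, system_mtk_wfc_entitlement_prop)` if read access is enough). `set_prop(radio, config_prop)` raises the same breadth question, because the property_contexts hunk above labels `persist.vendor.mdmmonitor` with the shared `config_prop` type instead of a type of its own.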
@@ -0,0 +1,26 @@
+# ==============================================
+# Policy File of /system/bin/resize_xxx Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute resize coredomain;
+type resize_exec, exec_type, file_type, system_file_type;
+
+# Date : WK15.30 => WK20.10, Android R Version
+# Operation : Migration
+# Purpose : resize fs(ext4/f2fs) partition, only run once.
+init_daemon_domain(resize)
+
+allow resize resize_exec:file execute_no_trans;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow resize devpts:chr_file rw_file_perms;
+allow resize proc_swaps:file rw_file_perms;
+allow resize dm_device:blk_file rw_file_perms;
+allow resize userdata_block_device:blk_file rw_file_perms;
+allow resize metadata_block_device:blk_file getattr;
+allow resize block_device:dir search;
+allowxperm resize userdata_block_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
+allow resize sysfs_fs_ext4_features:dir search;
diff --git a/bsp/plat_private/rsu_app.te b/bsp/plat_private/rsu_app.te
new file mode 100644
index 0000000..73410e7
--- /dev/null
+++ b/bsp/plat_private/rsu_app.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Policy File of /system/priv-app/RsuService/RsuService.apk etc. Executable File
+
+typeattribute rsu_app mlstrustedobject;
+app_domain(rsu_app)
+
+# Common
+allow rsu_app activity_service:service_manager find;
+allow rsu_app activity_task_service:service_manager find;
+allow rsu_app gpu_service:service_manager find;
+allow rsu_app surfaceflinger_service:service_manager find;
+allow rsu_app autofill_service:service_manager find;
+allow rsu_app textservices_service:service_manager find;
+
+#Purpose:For wakelock get power manager service
+allow rsu_app thermal_service:service_manager find;
+
+
diff --git a/bsp/plat_private/sdcardd.te b/bsp/plat_private/sdcardd.te
new file mode 100644
index 0000000..816d76d
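Review bot: `typeattribute rsu_app mlstrustedobject;` in rsu_app.te is applied to an app domain without any comment, and that attribute exempts objects of the type from the MLS constraints. Subjects at any level or category are then limited only by type enforcement when they act on rsu_app-labelled objects, even though the seapp_contexts entry in this patch assigns the app `levelFrom=user`. If the goal was to let the app itself reach across levels, the attribute would be `mlstrustedsubject`; please state which is intended, e.g. `# rsu_app objects must be reachable from <caller domain> across levels because <reason>`. The last comment also does not match its rule: it says "For wakelock get power manager service" but the line grants `thermal_service:service_manager find`.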
--- /dev/null
+++ b/bsp/plat_private/sdcardd.te
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK14.48
+# Purpose : unknown
+allow sdcardd platform_app:fd use;
+allow sdcardd untrusted_app:fd use;
+
+# Date : WK15.38
+# Operation : Migration
+# Purpose : for M migration SQC
+typeattribute sdcardd mlstrustedsubject;
+
+# Date : WK17.14
+# Operation : SD card format to internal storage
+# Purpose : for N1 SQC
+allow sdcardd sdcardfs:dir mounton;
diff --git a/bsp/plat_private/seapp_contexts b/bsp/plat_private/seapp_contexts
new file mode 100644
index 0000000..8f7a601
--- /dev/null
+++ b/bsp/plat_private/seapp_contexts
@@ -0,0 +1,17 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# This is for trustonic rootpa apk
+user=system seinfo=platform name=com.gd.mobicore.pa domain=teeregistryd_app
+user=system seinfo=platform name=com.trustonic.teeservice domain=teed_app
+
+# This is for EngineerMode apk
+user=_app seinfo=platform name=com.mediatek.engineermode domain=em_app type=em_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.mediatek.apmonitor domain=apmsrv_app type=app_data_file levelFrom=user
+
+# This is for CapabilityTest apk
+user=_app seinfo=platform name=com.mediatek.capabilitytest domain=capability_app type=app_data_file levelFrom=user
+
+# This is for RsuService apk
+user=_app seinfo=platform name=com.mediatek.rsuprocess domain=rsu_app type=app_data_file levelFrom=user
diff --git a/bsp/plat_private/service.te b/bsp/plat_private/service.te
new file mode 100644
index 0000000..4796d8d
--- /dev/null
+++ b/bsp/plat_private/service.te
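Review bot: The first block of sdcardd.te is documented as `# Purpose : unknown` yet grants `allow sdcardd untrusted_app:fd use;`, and the next block adds `typeattribute sdcardd mlstrustedsubject;` with only "for M migration SQC" as rationale. The attribute removes the MLS separation checks for the daemon, so it deserves a reason that can be re-evaluated later. An initial import is the cheapest moment to drop rules nobody can explain or to record what triggered them, e.g. `# Purpose : sdcardd receives fds from apps during <operation>; denial: <avc line>`.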
@@ -0,0 +1,44 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +type nvram_agent_service, service_manager_type; +type aal_service, service_manager_type; +type mtk_connmetrics_service, service_manager_type; +type terservice_service, service_manager_type; +type camerapostalgo_service, service_manager_type; +type cta_networkdatacontroller_service, service_manager_type; +type mtk_vodata_service, service_manager_type; +type mtk_anrmanager_service, app_api_service, system_server_service, service_manager_type; +type mtk_permrecords_service, app_api_service, system_server_service, service_manager_type; +type mtk_advcamserver_service, service_manager_type; +type ota_agent_service, service_manager_type; +type mtk_perf_service, app_api_service, system_server_service, service_manager_type; +type mtk_power_hal_mgr_service, app_api_service, system_server_service, service_manager_type; +type mtk_registry_service, app_api_service, service_manager_type; +type mtk_phonesubinfo_service, app_api_service, service_manager_type; +type mtk_radio_service, service_manager_type; +type mtk_telecom_service, app_api_service, system_server_service, service_manager_type; +type mtk_simphonebook_service, app_api_service, service_manager_type; +type mtk_data_shaping_service, app_api_service, system_server_service, service_manager_type; +type mtk_duraspeed_service, app_api_service, system_server_service, service_manager_type; +type mtk_autoboot_service, app_api_service, system_server_service, service_manager_type; +type gas_srv_service, service_manager_type; +type fpspolicy-server_service, service_manager_type; +type mtk_carrierexpress_service, app_api_service, service_manager_type; +type vtservice_service, service_manager_type; +type ppl_agent_service, service_manager_type; +type mtk_gwsd_service, service_manager_type; +type tee_service, service_manager_type; +type teeregistry_service, service_manager_type; +type 
mtk_mobile_service, app_api_service, system_server_service, service_manager_type; +type mtk_msg_monitor_service, app_api_service, system_server_service, service_manager_type; +type mtk_epdg_service, app_api_service, system_server_service, service_manager_type; +type mtk_rns_service, app_api_service, system_server_service, service_manager_type; +type mtk_search_engine_service, app_api_service, system_server_service, service_manager_type; +type mtk_omadm_service, app_api_service, system_server_service, service_manager_type; +type mtk_fm_radio_service, app_api_service, system_server_service, service_manager_type; +type mtk_vowbridge_service, app_api_service, system_server_service, service_manager_type; +type mtk_appdetection_service, app_api_service, system_server_service, service_manager_type; +type vtservice_hidl_service, service_manager_type; +type teei_ifaa_service, app_api_service, service_manager_type; diff --git a/bsp/plat_private/service_contexts b/bsp/plat_private/service_contexts new file mode 100644 index 0000000..f9b41f3 --- /dev/null +++ b/bsp/plat_private/service_contexts 
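Review bot: Many of these types carry `app_api_service`, which AOSP policy lets app domains, untrusted apps included, look up through servicemanager. That covers `mtk_phonesubinfo_service`, `mtk_simphonebook_service`, `mtk_registry_service` and `teei_ifaa_service`. With the attribute set, SELinux no longer restricts who can obtain the binder handle, so the only remaining gate is the permission check inside each service, which this patch does not show. Where only platform or telephony code is meant to call a service, declare it without the attribute, e.g. `type mtk_phonesubinfo_service, service_manager_type;`, and grant `find` to the specific client domains.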
@@ -0,0 +1,56 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +anrmanager u:object_r:mtk_anrmanager_service:s0 +permrecords u:object_r:mtk_permrecords_service:s0 +media.mmsdk u:object_r:mtk_advcamserver_service:s0 +media.advcam u:object_r:mtk_advcamserver_service:s0 +AAL u:object_r:aal_service:s0 +terservice u:object_r:terservice_service:s0 +mtk-perfservice u:object_r:mtk_perf_service:s0 +power_hal_mgr_service u:object_r:mtk_power_hal_mgr_service:s0 +phoneEx u:object_r:mtk_radio_service:s0 +telephony.mtkregistry u:object_r:mtk_registry_service:s0 +iphonesubinfoEx u:object_r:mtk_phonesubinfo_service:s0 +mtk_telecom u:object_r:mtk_telecom_service:s0 +mtksimphonebook u:object_r:mtk_simphonebook_service:s0 +data_shaping u:object_r:mtk_data_shaping_service:s0 +mtkconnmetrics u:object_r:mtk_connmetrics_service:s0 +duraspeed u:object_r:mtk_duraspeed_service:s0 +capctrl u:object_r:mtk_radio_service:s0 +autoboot u:object_r:mtk_autoboot_service:s0 +smartratswitch u:object_r:mtk_radio_service:s0 +GoogleOtaBinder u:object_r:ota_agent_service:s0 +GpuAppSpectatorService u:object_r:gas_srv_service:s0 +FpsPolicyService u:object_r:fpspolicy-server_service:s0 +isubstub u:object_r:radio_service:s0 +wfo u:object_r:radio_service:s0 +imtksms u:object_r:radio_service:s0 +carrierexpress u:object_r:mtk_carrierexpress_service:s0 +media.VTS u:object_r:vtservice_service:s0 +mwis u:object_r:radio_service:s0 +PPLAgent u:object_r:ppl_agent_service:s0 +nfc.st_ext u:object_r:nfc_service:s0 +nfc_settings u:object_r:nfc_service:s0 +gwsd u:object_r:mtk_gwsd_service:s0 +ctanetworkdatacontroller u:object_r:cta_networkdatacontroller_service:s0 +vodata u:object_r:mtk_vodata_service:s0 +vendor.trustonic.teeservice.ITeeService u:object_r:tee_service:s0 +vendor.trustonic.teeregistryservice.ITeeRegistryService u:object_r:teeregistry_service:s0 +mediatek.campostalgo u:object_r:camerapostalgo_service:s0 +NvRAMAgent 
u:object_r:nvram_agent_service:s0 +mobile u:object_r:mtk_mobile_service:s0 +msgmonitorservice u:object_r:mtk_msg_monitor_service:s0 +epdg_service u:object_r:mtk_epdg_service:s0 +rns u:object_r:mtk_rns_service:s0 +search_engine_service u:object_r:mtk_search_engine_service:s0 +omadm_service u:object_r:mtk_omadm_service:s0 +fm_radio_service u:object_r:mtk_fm_radio_service:s0 +vow_bridge u:object_r:mtk_vowbridge_service:s0 +appdetection u:object_r:mtk_appdetection_service:s0 +media.VTS.HiDL u:object_r:vtservice_hidl_service:s0 + +# MICROTRUST SEPolicy Rule +# for ifaa upgrade on android O +ifaa_service u:object_r:teei_ifaa_service:s0 diff --git a/bsp/plat_private/shell.te b/bsp/plat_private/shell.te new file mode 100644 index 0000000..1142eca --- /dev/null +++ b/bsp/plat_private/shell.te 
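Review bot: `isubstub`, `wfo`, `imtksms` and `mwis` are labelled with the AOSP type `radio_service`, and `nfc.st_ext`/`nfc_settings` with `nfc_service`. Every domain that AOSP already allows to find or add those types gets the same right on the vendor services. Likewise `phoneEx`, `capctrl` and `smartratswitch` all share `mtk_radio_service`, so access cannot be granted to one without the others. service.te in this patch already declares per-service types for most entries; doing the same here, e.g. `wfo u:object_r:mtk_wfo_service:s0` (type name constructed for illustration), would let find/add be reviewed per service.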
@@ -0,0 +1,36 @@
+# ==============================================
+# Common SEPolicy Rule
+# ============
+
+userdebug_or_eng(`
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to listen MAPI payload from network socket
+allow shell mdi_redirector:unix_stream_socket { connectto };
+
+# Date : WK19.07 2019/06/13
+# Operation : mdi_redirector integration test with AT&T Linkmaster
+# Purpose : Allow shell to execute mdi_redirector_ctrl to start md_monitor & mdi_redirector daemons
+set_prop(shell, ctl_start_prop)
+set_prop(shell, ctl_stop_prop)
+
+# Date : 2019/07/15
+# Operation: support heavy loading
+# Purpose: Allow shell to write/read the property
+set_prop(shell, system_mtk_heavy_loading_prop)
+
+# Date : WK1925
+# Operation : MDMI Android Q migration
+# Purpose : Allow shell to listen MDMI payload from network socket
+allow shell mdmi_redirector:unix_stream_socket { connectto };
+
+# Date : WK20.14 2020/03/31
+# Operation : adb shell to read netlfix property for test
+# Purpose : Allow shell to read netlfix property
+get_prop(shell, netflix_bsp_rev_prop)
+
+# Date : 2020/04/14
+# Purpose: Allow adb shell to get/set USB tethering system property for auto test
+set_prop(shell, system_mtk_usb_tethering_prop)
+
+')
diff --git a/bsp/plat_private/surfaceflinger.te b/bsp/plat_private/surfaceflinger.te
new file mode 100644
index 0000000..fe5cf33
--- /dev/null
+++ b/bsp/plat_private/surfaceflinger.te
@@ -0,0 +1,41 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# notify perf service of SF information for performance
+allow surfaceflinger mtk_perf_service:service_manager find;
+
+# for FpsPolicyServer
+# GL context of each APP will send fps request, so we have loose policy
+# FpsPolicyServer control refresh rate through dfrc
+allow surfaceflinger fpspolicy-server_service:service_manager add;
+
+# Date: WK19.122
+# Stage: Q Migration, SQC
+# purpose: allow RTT_Dumper access file context
+allow surfaceflinger file_contexts_file:file r_file_perms;
+
+# Date : WK20.02
+# Operation: Graphics low latency 2.0
+# Purpose: Allow surfaceflinger and power hal can communicate with each other
+allow surfaceflinger mtk_power_hal_mgr_service:service_manager find;
+
+# Date : WK20.02
+# Operation: Graphic low latency 2.0
+# Purpose: Allow surfaceflinger to read the version of Graphic Low Latency
+get_prop(surfaceflinger, system_mtk_graphics_sf_gll_ro_prop)
+
+# Date : WK20.03
+# Operation: Mediatek Debug Functions
+# Purpose: Allow surfaceflinger getprop debug options
+get_prop(surfaceflinger, system_mtk_debug_sf_prop)
+
+# Date : WK20.25
+# Operation: Graphic low latency 2.0
+# Purpose: Allow surfaceflinger to set related information for HE2.0 debug tool
+set_prop(surfaceflinger, system_mtk_graphics_sf_gll_prop)
+
+# Date : WK20.28
+# Operation: Mediatek BufferQueue Debug
+# Purpose: Allow surfaceflinger getprop debug options for BufferQueue
+get_prop(surfaceflinger, system_mtk_debug_bq_prop)
diff --git a/bsp/plat_private/system_app.te b/bsp/plat_private/system_app.te
new file mode 100644
index 0000000..329bf69
--- /dev/null
+++ b/bsp/plat_private/system_app.te
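Review bot: `allow surfaceflinger file_contexts_file:file r_file_perms;` is justified only by "allow RTT_Dumper access file context", which reads like a debug dumper, but the rule is unconditional and so applies to user builds too. If RTT_Dumper is a debug-only facility (the hunk does not say), guarding the rule the way shell.te in this patch does, inside a `userdebug_or_eng(...)` block, keeps it out of production policy. The FpsPolicyServer comment ("so we have loose policy") should also name the client domains expected to find `fpspolicy-server_service`, since this file shows only the `add` side.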
@@ -0,0 +1,118 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date: 2016/11/10 +# Purpose: [MDM] Modem monitor config +# Package Name: com.mediatek.mdmconfig +set_prop(system_app, config_prop) + +# Date : WK17.31 +# Operation : Migration +# Purpose : Carrier express service on BSP +allow system_app mtk_carrierexpress_service:service_manager add; +set_prop(system_app, system_mtk_usp_srv_prop) +set_prop(system_app, system_mtk_persist_vendor_vzw_device_type_prop) +set_prop(system_app, system_mtk_uce_support_prop) +set_prop(system_app, system_mtk_rcs_support_prop) +set_prop(system_app, system_mtk_clientapi_support_prop) +set_prop(system_app, radio_prop) + +# Date : W17.36 +# Operation : SQC +# Purpose : allow MOTA app to write perist.update_finished, persist_update_started +set_prop(system_app, system_mtk_update_prop) + +# Date : 2018/06/21 +# Operation : P Migration +# Purpose : Allow AtciService to set ATCI property +set_prop(system_app, system_mtk_atci_sys_prop) + +# Date : 2018/06/21 +# Stage: Migration +# Purpose: allow system app to set RTT property +set_prop(system_app, system_mtk_rtt_prop) + +#Date: 2018/07/18 +# Operation: Migration +# Purpose: all System app to read property +get_prop(system_app, system_mtk_update_support_prop) + +# Date : 2018/07/19 +# Operation : P Migration +# Purpose : Allow to get AAL property +get_prop(system_app, system_mtk_aal_prop) + +# Date: 2018/07/24 +# Operation: Migration +# Purpose : Allow system-app to get system_mtk_wfc_opt_in_prop +# Package: com.mediatek.settings.ext +get_prop(system_app, system_mtk_wfc_opt_in_prop) + +# Date : W18.28 +# Operation : New feature for VSIM SQC +set_prop(system_app, system_mtk_vsim_sys_prop) + +# Date : W18.28 +# Operation : New feature for VSIM SQC +# Purpose : Allow OSI Permission control to tcp socket +allow system_app osi:tcp_socket create_socket_perms_no_ioctl; + +# Date: 2018/10/26 +# Purpose: Allow 
system app to get Subsidy Lock properties +get_prop(system_app, system_mtk_subsidylock_prop) + +# Date: 2018/10/31 +# Operation: Support SubsidyLock +set_prop(system_app, system_mtk_subsidylock_connect_prop) + +# Date: 2019/02/14 +# Purpose: Permission Control configure +# Package Name: com.mediatek.security +set_prop(system_app, system_mtk_permission_control_prop) + +# Date:2019/05/21 +# Purpose: Allow OP12settings to get opt_in_url_prop +# Package: com.mediatek.op12.settings; +get_prop(system_app, system_mtk_opt_in_url_prop) +get_prop(system_app, system_mtk_apptoken_required_prop) + +# Date: 2019/06/06 +# Operation: SimProcessor needs to read telephony log switch property +# Purpose: allow to get system_mtk_em_tel_log_prop +get_prop(system_app, system_mtk_em_tel_log_prop) + +# Date : 2019/05/28 +# Operation : Q Migration +# Purpose : allow to get mtk_cta_set and mtk_cta_support property +get_prop(system_app, system_mtk_cta_set_prop) + +# Date : 2019/06/03 +# Operation : Q Migration split build +# Purpose : allow to get system_mtk_rsc_sys_prop +get_prop(system_app, system_mtk_rsc_sys_prop) + +# Date: 2019/07/22 +# Purpose: Allow op07settings to get system_mtk_wfc_entitlement_prop +# Package: com.mediatek.op07.settings +get_prop(system_app, system_mtk_wfc_entitlement_prop) + +# Date: 2019/07/23 +# Purpose: allow to read init.svc.md_monitor property for calling SystemService.waitForState() +# Package Name: com.mediatek.mdmconfig +get_prop(system_app, system_mtk_init_svc_md_monitor_prop) + +# Date : 2020/03/23 +# Operation : Migration +# Purpose : Allow cta_networkdatacontroller_service to add AOSP service by ServiceManager +allow system_app cta_networkdatacontroller_service:service_manager add; + +# MICROTRUST SEPolicy Rule +# Date : 2017/12/18 +# Operation: ifaa integration +# Purpose: access for ifaa_service call +# Package: org.ifaa.android.service +add_service(system_app, teei_ifaa_service) + +hal_client_domain(system_app, hal_teei_ifaa) 
+hal_client_domain(system_app, hal_teei_wechat)
diff --git a/bsp/plat_private/system_server.te b/bsp/plat_private/system_server.te
new file mode 100644
index 0000000..6b9a7a6
--- /dev/null
+++ b/bsp/plat_private/system_server.te
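Review bot: The WK17.31 carrier-express block ends with `set_prop(system_app, radio_prop)`, and the file opens with `set_prop(system_app, config_prop)`. Both give every app running in the system_app domain write access to all properties carrying those shared labels, not just the ones the named packages need. The surrounding lines already use dedicated types such as `system_mtk_usp_srv_prop`, so labelling the properties actually written with a type of their own would be consistent and narrower. `allow system_app osi:tcp_socket create_socket_perms_no_ioctl;` also targets a type `osi` that is not declared anywhere in the visible part of the patch; a comment naming where it is defined and what process owns it would help review.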
@@ -0,0 +1,172 @@ +# ============================================== +# Common SEPolicy Rule +# ============================================== + +# Date : WK15.30 +# Operation : Migration +# Purpose : for device bring up, not to block early migration/sanity +allow system_server aal_service:service_manager find; + +# Date : 2017/01/24 +# Purpose : Add permission for DRM / DRI GPU driver +allow system_server gas_srv_service:service_manager find; + +# Date : 2017/4/14 +# Purpose : Add permission for registering MtkTelecomService to ServiceManager +allow system_server mtk_telecom_service:service_manager add; + +# Date : 2017/09/15 +# Purpose : Add mtk_connmetrics_service for CTA's celluar data control +allow system_server mtk_connmetrics_service:service_manager add; + +# Date:W17.20 +# Operation : wifioffload hal developing +# Purpose : Allow to use HAL Wfo +hal_client_domain(system_server, hal_mtk_wfo) + +# Date : W17.26 +# Purpose: Allow to use phoneEx +allow system_server mtk_radio_service:service_manager find; + +# Date : 2017/10/09 +# Purpose : Record and get permission +allow system_server mtk_permrecords_service:service_manager add; + +# Date : W17.36 +# Operation : Migration +# Purpose : Allow system_server to add anrmanager +allow system_server mtk_anrmanager_service:service_manager add; + +# Date: W17.42 +# Operation : Migration +# Purpose : for WFD functionality +set_prop(system_server, system_mtk_media_wfd_prop) +set_prop(system_server, wifi_prop) + +# Date:W17.47 +# Purpose : Allow to enable/disable log too much +set_prop(system_server, system_mtk_logmuch_prop) +binder_call(system_server, hal_mtk_fm) + +# Date: 2018/07/04 +# Operation: P migration +# Purpose : allow radio get vzw device type property +get_prop(system_server, system_mtk_persist_vendor_vzw_device_type_prop) + +# Date : 2018/07/03 +# Stage: Migration +# Purpose: allow system server to get RTT property +get_prop(system_server, system_mtk_rtt_prop) + +# Date : W18.27 +# Operation : Migration 
+allow system_server mtk_data_shaping_service:service_manager add; + +# Date : W18.28 +# Operation : Support telephony log +get_prop(system_server, system_mtk_em_tel_log_prop) + +# Date : W18.29 +# Operation : For background data disable function +get_prop(system_server, system_mtk_bgdata_disabled_prop) + +# Date : W18.24 +# Operation : for AMS log +set_prop(system_server, system_mtk_amslog_prop) + +# Date : W18.25 +# Operation : for AMS-aal +set_prop(system_server, system_mtk_amsaal_prop) + +# Date : W18.31 +# Purpose : Support Trustonic TeeService +binder_call(system_server, teed_app) +binder_call(system_server, teeregistryd_app) +allow system_server tee_service:service_manager find; +allow system_server teeregistry_service:service_manager find; + +# Date : W19.12 +# Operation : For DuraSpeed Migration +set_prop(system_server, system_mtk_duraspeed_drop_caches_prop) + +# Date : W19.12 +# Operation : For DuraSpeed Migration +allow system_server mtk_duraspeed_service:service_manager add; + +# Date : 2019/06/03 +# Operation : Q Migration split build +# Purpose : allow to get system_mtk_rsc_sys_prop +get_prop(system_server, system_mtk_rsc_sys_prop) + +# Date : W19.29 +# Operation : Support heavy loading +get_prop(system_server, system_mtk_heavy_loading_prop) + +# Date : WK19.29 +# Operation : touchll hal +# Purpose : touchll hal permission +hal_client_domain(system_server, hal_mtk_touchll) + +# Date: 2020/01/16 +# Purpose : Allow system server to read tll dev +allow system_server tll_device:chr_file r_file_perms; + +# Date : 2020/03/20 +# Operation: R migration +get_prop(system_server, system_mtk_telecom_vibrate_prop) + +# Date:2020/03/26 +# Operation:Q Migration +allow system_server proc_battery_cmd:dir search; + +# Date : 2020/04/14 +# Purpose: Allow ConnectivityService to get USB tethering system property for auto test +get_prop(system_server, system_mtk_usb_tethering_prop) + +# Date : 2020/05/18 +# Operation : R Migration +get_prop(system_server, 
system_mtk_graphics_sf_gll_ro_prop) + +# Date : 2020/05/19 +# Purpose : Add mtk_autoboot_service for CTA's autoboot app control +allow system_server mtk_autoboot_service:service_manager add; + +# Date : 2020/06/01 +# Operation : R Migration +allow system_server sysfs_HDMI_audio_extcon_state:file r_file_perms; + +# Date : 2020/07/13 +# Purpose : Add permission for AMS access to report Java Layer Exception +allow system_server crash_dump:process { getpgid setsched }; + +# Date : 2020/07/20 +# Purpose : Add permission for AMS access to report Java Layer Exception +allow system_server zygote:process getpgid; + +# Date : 2020/07/23 +# Purpose : Add permission for AMS access to report Java Layer Exception +allow system_server app_zygote:process getpgid; + +# Date:2020/07/27 +# Operation:R Migration +allow system_server installd:process signal; + +# Date:2020/09/04 +# Operation:R Migration, add permission for AMS dump binderinfo when ANR happened in user load +allow system_server binderfs_logs:dir r_dir_perms; +allow system_server binderfs_logs:file r_file_perms; +allow system_server binderfs_logs_proc:dir r_dir_perms; +allow system_server binderfs_logs_proc:file r_file_perms; + +# Date:2020/09/24 +# Operation:R Migration, add permission for PMS access /data/media +allow system_server media_rw_data_file:dir setattr; + +# Date:2020/09/25 +# Operation:R Migration, don't audit for PMS access /mnt/media_rw/XXXX-XXXX/Android/obb +dontaudit system_server vfat:dir r_dir_perms; + +# Date:2021/11/13 +# Operation: Add for DSDA in Telecom, add permission for accessing vendor.radio.dsda.state +get_prop(system_server, system_mtk_common_data_prop) + diff --git a/bsp/plat_private/teed_app.te b/bsp/plat_private/teed_app.te new file mode 100644 index 0000000..0a89e9a --- /dev/null +++ b/bsp/plat_private/teed_app.te 
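Review bot: `allow system_server installd:process signal;` (2020/07/27) and `allow system_server media_rw_data_file:dir setattr;` carry only "R Migration" as rationale. A later reader cannot tell which code path sends a signal to installd or why, so please add a Purpose line in the style used elsewhere in the file, e.g. `# Purpose : <component> signals installd when <condition>`. The 2018/07/04 block comment says "allow radio get vzw device type property" although the rule is `get_prop(system_server, ...)`; it appears to be copied from radio.te. `dontaudit system_server vfat:dir r_dir_perms;` hides every such denial from the audit log, so it is worth confirming the obb access it silences is the only one expected.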
@@ -0,0 +1,35 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute teed_app coredomain;
+
+app_domain(teed_app)
+binder_service(teed_app)
+binder_use(teed_app)
+
+add_service(teed_app, tee_service)
+
+hal_client_domain(teed_app, hal_tee)
+hal_client_domain(teed_app, hal_allocator)
+
+allow teed_app activity_service:service_manager find;
+allow teed_app connectivity_service:service_manager find;
+allow teed_app display_service:service_manager find;
+allow teed_app network_management_service:service_manager find;
+allow teed_app notification_service:service_manager find;
+
+allow teed_app system_app_data_file:dir { getattr search };
+
+#============= teed_app for TUI ==============
+allow teed_app surfaceflinger_service:service_manager find;
+allow teed_app activity_task_service:service_manager find;
+allow teed_app media_session_service:service_manager find;
+allow teed_app system_data_file:dir search;
+allow teed_app user_profile_root_file:dir search;
+allow teed_app audio_service:service_manager find;
+allow teed_app content_capture_service:service_manager find;
+allow teed_app gpu_service:service_manager find;
+
+#============= teed_app for thermal_service ==============
+allow teed_app thermal_service:service_manager find;
diff --git a/bsp/plat_private/teeregistryd_app.te b/bsp/plat_private/teeregistryd_app.te
new file mode 100644
index 0000000..b4b5f3d
--- /dev/null
+++ b/bsp/plat_private/teeregistryd_app.te
@@ -0,0 +1,29 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute teeregistryd_app coredomain;
+
+app_domain(teeregistryd_app)
+
+binder_service(teeregistryd_app)
+binder_use(teeregistryd_app)
+
+add_service(teeregistryd_app, teeregistry_service)
+
+hal_client_domain(teeregistryd_app, hal_teeregistry)
+hal_client_domain(teeregistryd_app, hal_allocator)
+
+allow teeregistryd_app activity_service:service_manager find;
+allow teeregistryd_app connectivity_service:service_manager find;
+allow teeregistryd_app display_service:service_manager find;
+allow teeregistryd_app network_management_service:service_manager find;
+allow teeregistryd_app tee_service:service_manager find;
+allow teeregistryd_app fwmarkd_socket:sock_file write;
+allow teeregistryd_app netd:unix_stream_socket connectto;
+allow teeregistryd_app node:udp_socket node_bind;
+allow teeregistryd_app port:udp_socket name_bind;
+allow teeregistryd_app port:tcp_socket name_connect;
+allow teeregistryd_app self:tcp_socket { create setopt read getopt getattr write connect };
+allow teeregistryd_app dnsproxyd_socket:sock_file write;
+allow teeregistryd_app self:udp_socket { create bind setattr };
diff --git a/bsp/plat_private/terservice.te b/bsp/plat_private/terservice.te
new file mode 100644
index 0000000..15e2851
--- /dev/null
+++ b/bsp/plat_private/terservice.te
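Review bot: The socket rules at the end of teeregistryd_app.te (from `fwmarkd_socket:sock_file write` to `self:udp_socket { create bind setattr }`) have no comment and look like denial-by-denial additions; the UDP set, for instance, allows `create bind setattr` but no read or write. If the app is meant to have ordinary network access, the AOSP idiom is the single line `net_domain(teeregistryd_app)`, which grants the standard set consistently, though somewhat more than is listed here. If a deliberately minimal set is intended, say so and name the peer, e.g. `# Network: HTTPS to <provisioning backend> only`. As written, a platform-signed coredomain app that also adds `teeregistry_service` can open outbound TCP connections to any port, which is worth an explicit justification.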
@@ -0,0 +1,25 @@
+# ==============================================
+# Policy File of /system/bin/terservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type terservice_exec, system_file_type, exec_type, file_type;
+typeattribute terservice coredomain;
+
+init_daemon_domain(terservice)
+
+# Date : 2014/09/18 (WK14.38)
+# Operation : Migration
+# Purpose : allow register terservice service in servicemanager.
+allow terservice terservice_service:service_manager add;
+
+# property service
+set_prop(terservice, system_mtk_terservice_prop)
+
+# ipc call
+binder_use(terservice)
+binder_service(terservice)
+
+
diff --git a/bsp/plat_private/thermald.te b/bsp/plat_private/thermald.te
new file mode 100644
index 0000000..163a94d
--- /dev/null
+++ b/bsp/plat_private/thermald.te
@@ -0,0 +1,28 @@
+# ==============================================
+# Policy File of /system/bin/thermald Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type thermald_exec, system_file_type, exec_type, file_type;
+typeattribute thermald coredomain;
+
+init_daemon_domain(thermald)
+
+# Date : WK17.28
+# Operation : SQC
+# Purpose : for thermal management to shutdown the phone
+binder_use(thermald)
+binder_call(thermald, system_server)
+allow thermald activity_service:service_manager find;
+
+# for wifi throttle
+allow thermald sysfs_net:dir search;
+allow thermald sysfs_thermald:file r_file_perms;
+allow thermald shell_exec:file rx_file_perms;
+allow thermald toolbox_exec:file rx_file_perms;
+allow thermald proc_net:file r_file_perms;
+allow thermald devpts:chr_file rw_file_perms;
+allow thermald self:netlink_route_socket { create setopt bind getattr write nlmsg_read read nlmsg_write };
+allow thermald self:capability net_admin;
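Review bot: In thermald.te the block under `# for wifi throttle` lets a daemon that holds `self:capability net_admin` execute `shell_exec` and `toolbox_exec`, so whatever command line the daemon builds runs with its network-admin rights. The domain already has `nlmsg_write` on its own `netlink_route_socket`, which suggests the throttle could be applied over netlink without a shell; if so, drop the two `rx_file_perms` rules and, presumably, the `devpts:chr_file rw_file_perms` rule that serves the spawned shell. If the shell-out must stay, say so in the policy, e.g. `# thermald runs <command> via sh for wifi throttle; arguments are fixed strings`, where the placeholder is the actual command.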
diff --git a/bsp/plat_private/untrusted_app.te b/bsp/plat_private/untrusted_app.te
new file mode 100644
index 0000000..c1f7a17
--- /dev/null
+++ b/bsp/plat_private/untrusted_app.te
@@ -0,0 +1,14 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow untrusted_app mtk_connmetrics_service:service_manager find;
+
+# Date: 2018/07/09
+# Operator: New feature for VSIM SQC
+# Purpose: allow vendor's osi to use tcp socket
+allow untrusted_app osi:tcp_socket create_socket_perms_no_ioctl;
+
diff --git a/bsp/plat_private/untrusted_app_25.te b/bsp/plat_private/untrusted_app_25.te
new file mode 100644
index 0000000..aea3eac
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_25.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2017/12/21
+# Operation: IT
+# Purpose : For hongbao optimization
+allow untrusted_app_25 mtk_connmetrics_service:service_manager find;
diff --git a/bsp/plat_private/untrusted_app_27.te b/bsp/plat_private/untrusted_app_27.te
new file mode 100644
index 0000000..71c0060
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_27.te
@@ -0,0 +1,8 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date: 2019/06/17
+# Operation : Migration
+# Purpose :allow untrusted_app_27 to get props
+get_prop(untrusted_app_27, apexd_prop)
diff --git a/bsp/plat_private/untrusted_app_all.te b/bsp/plat_private/untrusted_app_all.te
new file mode 100644
index 0000000..4aacd65
--- /dev/null
+++ b/bsp/plat_private/untrusted_app_all.te
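Review bot: In untrusted_app.te the comment reads `allow vendor's osi to use tcp socket`, but `allow untrusted_app osi:tcp_socket create_socket_perms_no_ioctl;` grants the other direction: the source is `untrusted_app`, which receives the full create/bind/connect/read/write set on TCP sockets labelled `osi`. If the intent is that an app uses a socket handed to it by osi, narrow the rule to something like `allow untrusted_app osi:tcp_socket { read write getattr };`; if the intent is osi's own networking, the rule belongs in osi's policy with `osi` as the source. The `mtk_connmetrics_service` rule in this file and in untrusted_app_25.te gives only "hongbao optimization" as its purpose, which does not tell a reviewer what the service exposes to third-party apps.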
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+allow untrusted_app_all tee_service:service_manager find;
+
+# Date: W1920
+# Purpose: Make app can get phoneEx
+allow untrusted_app_all mtk_radio_service:service_manager find;
+
+# netflix HD property
+get_prop(untrusted_app_all, netflix_bsp_rev_prop)
+
diff --git a/bsp/plat_private/usp_service.te b/bsp/plat_private/usp_service.te
new file mode 100644
index 0000000..b2af3b1
--- /dev/null
+++ b/bsp/plat_private/usp_service.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+type usp_service_exec, system_file_type, exec_type, file_type;
+typeattribute usp_service coredomain;
+
+init_daemon_domain(usp_service)
+
+allow usp_service block_device:dir search;
+set_prop(usp_service, radio_prop)
+set_prop(usp_service, system_mtk_usp_srv_prop)
+allow usp_service proc_net:file rw_file_perms;
diff --git a/bsp/plat_private/vendor_init.te b/bsp/plat_private/vendor_init.te
new file mode 100644
index 0000000..305259f
--- /dev/null
+++ b/bsp/plat_private/vendor_init.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# netflix HD property
+set_prop(vendor_init, netflix_bsp_rev_prop)
+
+# set fuse property
+set_prop(vendor_init, system_prop)
diff --git a/bsp/plat_private/vendor_shell.te b/bsp/plat_private/vendor_shell.te
new file mode 100644
index 0000000..b10da48
--- /dev/null
+++ b/bsp/plat_private/vendor_shell.te
@@ -0,0 +1,6 @@
+# ==============================================
+# Common SEPolicy Rule
+# =============================================
+
+# netflix HD property
+set_prop(vendor_shell, netflix_bsp_rev_prop)
diff --git a/bsp/plat_private/vold.te b/bsp/plat_private/vold.te
new file mode 100644
index 0000000..3c256f2
--- /dev/null
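Review bot: `allow untrusted_app_all tee_service:service_manager find;` in untrusted_app_all.te is the only rule in that file with no purpose comment, and it lets every third-party app obtain a binder handle to the service that teed_app registers with `add_service(teed_app, tee_service)`. Once `find` is granted to all untrusted apps, SELinux is no longer the gate and the service has to authenticate the caller on every transaction. Record that in the policy, e.g. `# tee_service checks caller identity itself; see <reference>`, or restrict `find` to the app domains that need it. The `mtk_radio_service` rule below it has the same exposure, and its purpose line does not say which API is reached.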
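Review bot: `set_prop(vendor_init, system_prop)` in vendor_init.te is commented `# set fuse property`, yet it lets vendor_init write every property labelled `system_prop`, not one fuse property. Give the fuse property its own type and property_contexts entry and grant only that, e.g. `set_prop(vendor_init, <fuse_prop_type>)`, where the placeholder is a type this patch would have to declare. vendor_shell.te likewise grants `set_prop(vendor_shell, netflix_bsp_rev_prop)` on a property that untrusted_app_all.te lets every app read, so a value apps consume is writable from the vendor shell; `get_prop` would do unless the shell write is intended, in which case the comment should say so.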
+++ b/bsp/plat_private/vold.te
@@ -0,0 +1,19 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : WK15.02
+# Purpose : fsck_msdos
+allow vold platform_app:fd use;
+
+# Date : WK15.11
+allow vold mtd_device:dir search;
+allow vold mtd_device:chr_file rw_file_perms;
+
+# Date : WK17.28
+# Purpose : encrypt phone
+allow vold kernel:system module_request;
+
+# Date : 2020/03/26
+# Android R migration
+dontaudit vold proc_battery_cmd:dir r_dir_perms;
diff --git a/bsp/plat_private/vtservice.te b/bsp/plat_private/vtservice.te
new file mode 100644
index 0000000..11b0831
--- /dev/null
+++ b/bsp/plat_private/vtservice.te
@@ -0,0 +1,24 @@
+# ==============================================
+# Policy File of /system/bin/vtservice Executable File
+
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+typeattribute vtservice coredomain;
+type vtservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(vtservice)
+binder_use(vtservice)
+binder_call(vtservice, mediaserver)
+binder_service(vtservice)
+
+# Date : WK15.33
+# Purpose : Add vtservice to support video telephony functionality
+# 3G VT/ViLTE both use this service which will also communication with IMCB/Rild
+allow vtservice vtservice_service:service_manager add;
+
+# Date: 2018/08/24
+# Operation: add mdp
+get_prop(vtservice, system_mtk_debug_bq_dump_prop)
+
diff --git a/bsp/plat_private/zygote.te b/bsp/plat_private/zygote.te
new file mode 100644
index 0000000..f9625db
--- /dev/null
+++ b/bsp/plat_private/zygote.te
@@ -0,0 +1,9 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# Date : 2019/11/19
+# Operation : Q Migration split build
+# Purpose : allow to get system_mtk_rsc_sys_prop
+get_prop(zygote, system_mtk_rsc_sys_prop)
+
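Review bot: `allow vold kernel:system module_request;` in vold.te lets vold trigger kernel module auto-loading, and the only justification given is `# Purpose : encrypt phone`. If the cipher the device uses is built into the kernel, the request is only a probe, and `dontaudit vold kernel:system module_request;` silences the denial without granting the permission. If a module really has to be loaded on demand, name it in the comment so the grant can be revisited when the kernel configuration changes. The two `mtd_device` rules above it carry a date but no purpose line at all.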
diff --git a/bsp/plat_public/attributes b/bsp/plat_public/attributes
new file mode 100644
index 0000000..0447d0f
--- /dev/null
+++ b/bsp/plat_public/attributes
@@ -0,0 +1,117 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# DMC HIDL
+attribute hal_mtk_dmc;
+attribute hal_mtk_dmc_client;
+attribute hal_mtk_dmc_server;
+
+# APM HIDL
+attribute hal_mtk_apm;
+attribute hal_mtk_apm_client;
+attribute hal_mtk_apm_server;
+
+# netdagent HIDL
+attribute mtk_hal_netdagent;
+attribute mtk_hal_netdagent_client;
+attribute mtk_hal_netdagent_server;
+
+attribute hal_mtk_wfo;
+attribute hal_mtk_wfo_client;
+attribute hal_mtk_wfo_server;
+
+attribute hal_presence;
+attribute hal_presence_client;
+attribute hal_presence_server;
+
+attribute hal_videotelephony;
+attribute hal_videotelephony_client;
+attribute hal_videotelephony_server;
+
+attribute hal_rcs;
+attribute hal_rcs_client;
+attribute hal_rcs_server;
+
+attribute hal_dfps;
+attribute hal_dfps_client;
+attribute hal_dfps_server;
+
+attribute hal_dplanner;
+attribute hal_dplanner_client;
+attribute hal_dplanner_server;
+
+attribute mtk_hal_pplagent;
+attribute mtk_hal_pplagent_client;
+attribute mtk_hal_pplagent_server;
+
+attribute hal_clientapi;
+attribute hal_clientapi_client;
+attribute hal_clientapi_server;
+
+# Trustonic Attribute declarations
+attribute hal_tee_client;
+attribute hal_tee_server;
+attribute hal_tee;
+
+attribute hal_teeregistry_client;
+attribute hal_teeregistry_server;
+attribute hal_teeregistry;
+
+# MDM HIDL
+attribute md_monitor_hal_client;
+attribute md_monitor_hal_server;
+attribute md_monitor_hal;
+
+# OMADM HIDL
+attribute hal_mtk_omadm;
+attribute hal_mtk_omadm_client;
+attribute hal_mtk_omadm_server;
+
+# HDCP HIDL
+attribute hal_tesiai_hdcp;
+attribute hal_tesiai_hdcp_client;
+attribute hal_tesiai_hdcp_server;
+
+# touch HIDL
+attribute hal_nwk_opt;
+attribute hal_nwk_opt_client;
+attribute hal_nwk_opt_server;
+
+# touchll HIDL
+attribute hal_mtk_touchll;
+attribute hal_mtk_touchll_client;
+attribute hal_mtk_touchll_server;
+
+# thp HIDL
+attribute hal_mtk_thp;
+attribute hal_mtk_thp_client;
+attribute hal_mtk_thp_server;
+
+# ==============================================
+# MICROTRUST Attribute declarations
+# ==============================================
+# THH ATTESTATION HIDL
+attribute hal_teei_thh;
+attribute hal_teei_thh_client;
+attribute hal_teei_thh_server;
+
+# TUI ATTESTATION HIDL
+attribute hal_teei_tui;
+attribute hal_teei_tui_client;
+attribute hal_teei_tui_server;
+
+# IFAA ATTESTATION HIDL
+attribute hal_teei_ifaa;
+attribute hal_teei_ifaa_client;
+attribute hal_teei_ifaa_server;
+
+# CLIENT API ATTESTATION HIDL
+attribute hal_teei_capi;
+attribute hal_teei_capi_client;
+attribute hal_teei_capi_server;
+
+# Wechat ATTESTATION HIDL
+attribute hal_teei_wechat;
+attribute hal_teei_wechat_client;
+attribute hal_teei_wechat_server;
diff --git a/bsp/plat_public/file.te b/bsp/plat_public/file.te
new file mode 100644
index 0000000..7569152
--- /dev/null
+++ b/bsp/plat_public/file.te
@@ -0,0 +1,13 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+##########################
+# Filesystem types
+#
+##########################
+# Sys Filesystem types
+#
+# Date : 2020/12/16
+# Operation: R migration
+# Purpose : mtk EM PMU reading/setting
+type sysfs_pmu, fs_type, sysfs_type;
diff --git a/bsp/plat_public/property.te b/bsp/plat_public/property.te
new file mode 100644
index 0000000..1ff71ec
--- /dev/null
+++ b/bsp/plat_public/property.te
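Review bot: The comment `# touch HIDL` in plat_public/attributes sits above `hal_nwk_opt`, `hal_nwk_opt_client` and `hal_nwk_opt_server`, whose name reads like a network-optimisation HAL rather than a touch HAL; the touch attributes follow under `# touchll HIDL`. If that is a copy-paste slip, change it to `# nwk_opt HIDL` so that a later audit of which domains carry the attribute is not misled. The eight triples from `hal_mtk_wfo` through `hal_clientapi` have no heading at all and would benefit from the same one-line label the others have.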
@@ -0,0 +1,18 @@
+# ==============================================
+# Common SEPolicy Rule
+# ==============================================
+
+# system_internal_prop -- Properties used only in /system
+# system_restricted_prop -- Properties which can't be written outside system
+# system_public_prop -- Properties with no restrictions
+# system_vendor_config_prop -- Properties which can be written only by vendor_init
+# vendor_internal_prop -- Properties used only in /vendor
+# vendor_restricted_prop -- Properties which can't be written outside vendor
+# vendor_public_prop -- Properties with no restrictions
+
+# Properties which can't be written outside system
+system_restricted_prop(system_mtk_init_svc_md_monitor_prop)
+
+# Properties with no restrictions
+system_public_prop(system_mtk_heavy_loading_prop)
+system_public_prop(system_mtk_pkm_init_prop)