
2 Commits

Author SHA1 Message Date
bengris32
026c381d77 basic: non_plat: Unlabel preloader_raw block devices
Change-Id: Ice2b087fc78ef9decba27f6b0fc2e20400ff09ff
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-03-01 16:27:13 +01:00
bengris32
8fed0bd20e basic: plat_private: Label create_pl_dev
Change-Id: Ia69ffe6264bef39554b708fa8bb3c70375431e2f
Signed-off-by: bengris32 <bengris32@protonmail.ch>
2024-03-01 16:27:07 +01:00
51 changed files with 315 additions and 490 deletions


@ -1,17 +1,12 @@
# Board specific SELinux policy variable definitions
MTK_SEPOLICY_PATH := device/mediatek/sepolicy_vndr
ifeq ($(BOARD_MTK_SEPOLICY_IS_LEGACY), true)
# Build with broken namespaces
# Userspace blobs are still dependent older props that
# do not pass the VTS test cases.
BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true
BOARD_VENDOR_SEPOLICY_DIRS += \
$(MTK_SEPOLICY_PATH)/legacy/non_plat
endif
BOARD_VENDOR_SEPOLICY_DIRS += \
BOARD_SEPOLICY_DIRS += \
$(MTK_SEPOLICY_PATH)/basic/non_plat \
$(MTK_SEPOLICY_PATH)/basic/debug/non_plat \
$(MTK_SEPOLICY_PATH)/bsp/non_plat \


@ -13,7 +13,7 @@ allow mobile_log_d kernel:system syslog_mod;
#GMO project
dontaudit mobile_log_d untrusted_app:fd use;
dontaudit mobile_log_d isolated_app_all:fd use;
dontaudit mobile_log_d isolated_app:fd use;
#debug property set
set_prop(mobile_log_d, debug_prop)
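Review bot: Replacing the `isolated_app_all` attribute with the single type `isolated_app` narrows what is excluded, assuming `isolated_app` is the new side as the print order and the rest of the page suggest. In this hunk it only changes a `dontaudit`, but the same substitution appears in allow rules further down the page (the `sysfs_devinfo` and `sysfs_gpu_mtk` reads, the `fd use` rules of `hal_drm_clearkey`, `hal_drm_widevine` and `merged_hal_service`, and the appdomain hwbinder rules). There, any other isolated domain the target platform defines, e.g. `isolated_compute_app`, would fall back inside the grant. If the target branch's platform policy has only `isolated_app`, the two forms are equivalent, and a one-line comment such as `# isolated_app is the only isolated domain on this branch` would record that assumption.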


@ -34,7 +34,7 @@ allowxperm appdomain proc_perfmgr:file ioctl {
# Date : W19.23
# Operation : Migration
# Purpose : For platform app com.android.gallery3d
allow { appdomain -isolated_app_all } radio_data_file:file rw_file_perms;
allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
# Date : W19.23
# Operation : Migration
@ -43,12 +43,12 @@ allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
# Date : W20.26
# Operation : Migration
# Purpose : For apps other than isolated_app_all call hidl
hwbinder_use({ appdomain -isolated_app_all })
get_prop({ appdomain -isolated_app_all }, hwservicemanager_prop)
allow { appdomain -isolated_app_all } hidl_manager_hwservice:hwservice_manager find;
binder_call({ appdomain -isolated_app_all }, mtk_safe_halserverdomain_type)
allow { appdomain -isolated_app_all } mtk_safe_hwservice_manager_type:hwservice_manager find;
# Purpose : For apps other than isolated_app call hidl
hwbinder_use({ appdomain -isolated_app })
get_prop({ appdomain -isolated_app }, hwservicemanager_prop)
allow { appdomain -isolated_app } hidl_manager_hwservice:hwservice_manager find;
binder_call({ appdomain -isolated_app }, mtk_safe_halserverdomain_type)
allow { appdomain -isolated_app } mtk_safe_hwservice_manager_type:hwservice_manager find;
# Date : 2021/04/24
# Operation: addwindow
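Review bot: `allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;` gives read/write on radio data files to every app domain except isolated apps, while the comment above it states the purpose as a single platform app, com.android.gallery3d. If that app is still the only consumer, scoping the source would match the stated purpose: `allow platform_app radio_data_file:file rw_file_perms;`. Whether other apps rely on the wider grant is not visible in this hunk, so it should be checked against denials before narrowing.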


@ -21,7 +21,7 @@ allow audiocmdservice_atci bootdevice_block_device:blk_file rw_file_perms;
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(audiocmdservice_atci)
binder_call(audiocmdservice_atci, hal_audio_default)
binder_call(audiocmdservice_atci, mtk_hal_audio)
hal_client_domain(audiocmdservice_atci, hal_audio)


@ -236,6 +236,7 @@ type bootdevice_block_device, dev_type;
type odm_block_device, dev_type;
type oem_block_device, dev_type;
type vendor_block_device, dev_type;
type dtbo_block_device, dev_type;
type loader_ext_block_device, dev_type;
type spm_device, dev_type;
type persist_block_device, dev_type;


@ -11,7 +11,7 @@ get_prop(domain, mtk_core_property_type)
# as it is a public interface for all processes to read some OTP data.
allow {
domain
-isolated_app_all
-isolated_app
} sysfs_devinfo:file r_file_perms;
# Date : W18.45
@ -19,5 +19,5 @@ allow {
# Purpose : drvb need dgb2 permission
allow {
domain
-isolated_app_all
-isolated_app
} sysfs_gpu_mtk:file r_file_perms;


@ -43,8 +43,6 @@ type proc_gpu_memory, fs_type, proc_type;
type proc_mtk_es_reg_dump, fs_type, proc_type;
type proc_ccci_dump, fs_type, proc_type;
type proc_log_much, fs_type, proc_type;
type proc_vm_dirty, fs_type, proc_type;
type proc_irq, fs_type, proc_type;
#For icusb
type proc_icusb, fs_type, proc_type;
@ -185,7 +183,6 @@ type sysfs_vcore_debug, fs_type, sysfs_type;
type sysfs_systracker, fs_type, sysfs_type;
type sysfs_keypad_file, fs_type, sysfs_type;
type sysfs_vcp, fs_type, sysfs_type;
type sysfs_irq, fs_type, sysfs_type;
# apusys_queue sysfs file
type sysfs_apusys_queue, fs_type, sysfs_type;
@ -387,6 +384,9 @@ type iso9660, fs_type;
# rawfs for /protect_f on NAND projects
type rawfs, fs_type, mlstrustedobject;
#fuse
type fuseblk, sdcard_type, fs_type, mlstrustedobject;
##########################
# File types
#
@ -481,9 +481,6 @@ type thermal_manager_data_file, file_type, data_file_type;
# thermal core config file
type thermal_core_data_file, file_type, data_file_type;
# Thermal link device
type thermal_link_device, dev_type;
#autokd data file
type autokd_data_file, file_type, data_file_type;


@ -671,8 +671,6 @@
/(vendor|system/vendor)/bin/frs64 u:object_r:thermal_core_exec:s0
/(vendor|system/vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mtk u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.mediatek u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.mediatek u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
/(vendor|system/vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
/(vendor|system/vendor)/bin/kisd u:object_r:kisd_exec:s0
@ -692,13 +690,11 @@
/(vendor|system/vendor)/bin/xcap u:object_r:xcap_exec:s0
/(vendor|system/vendor)/bin/rebalance_interrupts-vendor.mediatek u:object_r:rebalance_interrupts_vendor_exec:s0
/(vendor|system/vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service\.mediatek u:object_r:hal_audio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.1-service-mediatek u:object_r:mtk_hal_gnss_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service\.mediatek u:object_r:mtk_hal_gnss_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio\.service\.mediatek u:object_r:mtk_hal_audio_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
@ -721,7 +717,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.c2@1\.2-mediatek-64b u:object_r:mtk_hal_c2_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.mediatek u:object_r:mtk_hal_memtrack_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkcodecservice@1\.1-service u:object_r:hal_mtkcodecservice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health-service\.mediatek u:object_r:hal_health_default_exec:s0
# Google Trusty system files
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
@ -736,11 +731,6 @@
# Trustonic TEE
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service\.trustonic u:object_r:hal_keymint_default_exec:s0
# Thermal
/vendor/bin/thermal_logd_mediatek u:object_r:init-thermal-logging-sh_exec:s0
/vendor/bin/thermal_symlinks_mediatek u:object_r:init-thermal-symlinks-sh_exec:s0
/dev/thermal(/.*)? u:object_r:thermal_link_device:s0
# Microtrust SE
/(vendor|system/vendor)/bin/hw/vendor\.microtrust\.hardware\.se@1\.0-service u:object_r:hal_secure_element_default_exec:s0
@ -756,7 +746,6 @@
/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
# ST NFC 1.2 hidl service
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service.st u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0
@ -766,10 +755,7 @@
# MTK USB hal
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatek u:object_r:mtk_hal_usb_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service.mediatek u:object_r:mtk_hal_usb_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service.mediatek-legacy u:object_r:mtk_hal_usb_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.[0-9]+-service-mediatekv2 u:object_r:mtk_hal_usb_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.mediatek u:object_r:mtk_hal_usb_exec:s0
# MTK OMAPI for UICC
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.[0-9]+-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0
@ -995,9 +981,6 @@
# Purpose: Add permission for vilte
/dev/ccci_vts u:object_r:ccci_vts_device:s0
# ConsumerIr
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir-service\.mediatek u:object_r:hal_ir_default_exec:s0
# Power
/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.mediatek-libperfmgr u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.2-service\.stub u:object_r:mtk_hal_power_exec:s0


@ -26,7 +26,7 @@ allow fpsgo_native logd:process setsched;
allow fpsgo_native mediaserver:process setsched;
allow fpsgo_native mediaswcodec:process setsched;
allow fpsgo_native mediaextractor:process setsched;
allow fpsgo_native hal_audio_default:process setsched;
allow fpsgo_native mtk_hal_audio:process setsched;
allow fpsgo_native mtk_hal_sensors:process setsched;
allow fpsgo_native mtk_hal_c2:process setsched;
allow fpsgo_native mtk_hal_gnss:process setsched;


@ -44,8 +44,6 @@ genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
genfscon proc /mtk_cmdq_debug/record u:object_r:proc_cmdq_debug:s0
genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
genfscon proc /sys/kernel/panic_on_rcu_stall u:object_r:proc_panic_on_rcu_stall:s0
genfscon proc /sys/vm/dirty_writeback_centisecs u:object_r:proc_vm_dirty:s0
genfscon proc /sys/kernel/sched_pelt_multiplier u:object_r:proc_sched:s0
# Purpose dump not exit file
genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0
@ -245,7 +243,6 @@ genfscon sysfs /devices/virtual/misc/adsp_1 u:object_r:sysfs_adsp:s0
genfscon sysfs /devices/virtual/misc/vcp u:object_r:sysfs_vcp:s0
# Date : 2019/09/12
genfscon sysfs /class/thermal u:object_r:sysfs_therm:s0
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
genfscon sysfs /kernel/thermal u:object_r:sysfs_thermal_sram:s0
@ -669,13 +666,6 @@ genfscon proc /mgq u:object_r:proc_mgq:s0
genfscon sysfs /kernel/thunderquake_engine u:object_r:sysfs_vibrator:s0
# GPU
genfscon sysfs /devices/platform/13000000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0
genfscon sysfs /devices/platform/13000000.mali/kprcs u:object_r:sysfs_gpu:s0
genfscon sysfs /devices/platform/13000000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
genfscon sysfs /devices/platform/13040000.mali/dma_buf_gpu_mem u:object_r:sysfs_gpu:s0
genfscon sysfs /devices/platform/13040000.mali/kprcs u:object_r:sysfs_gpu:s0
genfscon sysfs /devices/platform/13040000.mali/total_gpu_mem u:object_r:sysfs_gpu:s0
# IRQ
genfscon sysfs /kernel/irq u:object_r:sysfs_irq:s0
genfscon proc /irq u:object_r:proc_irq:s0


@ -1,228 +0,0 @@
# ==============================================
# Common SEPolicy Rule
# ==============================================
wakelock_use(hal_audio_default)
add_hwservice(hal_audio_default, mtk_hal_bluetooth_audio_hwservice)
allow hal_audio_default ion_device:chr_file r_file_perms;
allow hal_audio_default system_file:dir r_dir_perms;
r_dir_file(hal_audio_default, proc)
allow hal_audio_default audio_device:dir r_dir_perms;
allow hal_audio_default audio_device:chr_file rw_file_perms;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow hal_audio_default sdcard_type:dir create_dir_perms;
allow hal_audio_default sdcard_type:file create_file_perms;
allow hal_audio_default nvram_data_file:dir w_dir_perms;
allow hal_audio_default nvram_data_file:file create_file_perms;
allow hal_audio_default nvram_data_file:lnk_file r_file_perms;
allow hal_audio_default nvdata_file:lnk_file r_file_perms;
allow hal_audio_default nvdata_file:dir create_dir_perms;
allow hal_audio_default nvdata_file:file create_file_perms;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow hal_audio_default nvram_device:chr_file rw_file_perms;
allow hal_audio_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow hal_audio_default bt_a2dp_stream_socket:sock_file w_file_perms;
allow hal_audio_default bt_int_adp_socket:sock_file w_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow hal_audio_default ccci_device:chr_file rw_file_perms;
allow hal_audio_default eemcs_device:chr_file rw_file_perms;
allow hal_audio_default devmap_device:chr_file r_file_perms;
allow hal_audio_default ebc_device:chr_file rw_file_perms;
allow hal_audio_default nvram_device:blk_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow hal_audio_default fm_device:chr_file rw_file_perms;
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
set_prop(hal_audio_default, vendor_mtk_audiohal_prop)
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow hal_audio_default graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow hal_audio_default smartpa_device:chr_file rw_file_perms;
allow hal_audio_default sysfs_rt_param:file rw_file_perms;
allow hal_audio_default sysfs_rt_param:dir r_dir_perms;
allow hal_audio_default sysfs_rt_calib:file rw_file_perms;
allow hal_audio_default sysfs_rt_calib:dir r_dir_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow hal_audio_default uhid_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow hal_audio_default vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow hal_audio_default rpc_socket:sock_file w_file_perms;
allow hal_audio_default ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow hal_audio_default sysfs_lowmemorykiller:file r_file_perms;
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow hal_audio_default proc_mtkcooler:dir search;
allow hal_audio_default proc_mtktz:dir search;
allow hal_audio_default proc_thermal:dir search;
allow hal_audio_default thermal_manager_data_file:file create_file_perms;
allow hal_audio_default thermal_manager_data_file:dir { rw_dir_perms setattr };
# for as33970
allow hal_audio_default sysfs_reset_dsp:file rw_file_perms;
allow hal_audio_default tahiti_device:chr_file rw_file_perms_no_map;
# for smartpa
allow hal_audio_default sysfs_chip_vendor:file r_file_perms;
allow hal_audio_default sysfs_pa_num:file rw_file_perms;
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow hal_audio_default radio:dir r_dir_perms;
allow hal_audio_default radio:file r_file_perms;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow hal_audio_default untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow hal_audio_default offloadservice_device:chr_file rw_file_perms;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow hal_audio_default storage_file:dir search;
allow hal_audio_default storage_file:lnk_file rw_file_perms;
allow hal_audio_default mnt_user_file:dir rw_dir_perms;
allow hal_audio_default mnt_user_file:lnk_file rw_file_perms;
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow hal_audio_default sysfs_ccci:file r_file_perms;
allow hal_audio_default sysfs_ccci:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow hal_audio_default tmpfs:dir search;
# Purpose: Dump debug info
allow hal_audio_default kmsg_device:chr_file w_file_perms;
allow hal_audio_default fuse:file rw_file_perms;
# Date : WK16.27
# Operation : Migration
# Purpose: tunning tool update parameters
binder_call(hal_audio_default, radio)
allow hal_audio_default mtk_audiohal_data_file:dir create_dir_perms;
allow hal_audio_default mtk_audiohal_data_file:file create_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow hal_audio_default proc_ged:file rw_file_perms;
# Fix bootup violation
allow hal_audio_default fuse:dir r_dir_perms;
# for usb phone call, allow sys_nice
allow hal_audio_default self:capability sys_nice;
# Date : W17.29
# Boot for opening trace file: Permission denied (13)
allow hal_audio_default debugfs_tracing:file w_file_perms;
# Audio Tuning Tool Android O porting
binder_call(hal_audio_default, audiocmdservice_atci)
# Add for control PowerHAL
hal_client_domain(hal_audio_default, hal_power)
# cm4 smartpa
allow hal_audio_default audio_ipi_device:chr_file rw_file_perms;
allow hal_audio_default audio_scp_device:chr_file r_file_perms;
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow hal_audio_default mnt_vendor_file:dir search;
# Date: 2019/06/14
# Operation : Migration
allow hal_audio_default audioserver:fifo_file w_file_perms;
allow hal_audio_default sysfs_boot_mode:file r_file_perms;
allow hal_audio_default sysfs_dt_firmware_android:dir search;
# Date : WK18.44
# Operation: adsp
allow hal_audio_default adsp_device:file rw_file_perms;
allow hal_audio_default adsp_device:chr_file rw_file_perms;
# Date : 2020/3/21
# Operation: audio dptx
allow hal_audio_default dri_device:chr_file rw_file_perms;
allow hal_audio_default gpu_device:dir search;
# Date : WK20.26
allow hal_audio_default sysfs_dt_firmware_android:file r_file_perms;
# Date : WK20.36
# Operation : Migration
# Purpose : AAudio HAL
allow hal_audio_default debugfs_ion:dir search;
# Date : 2021/06/15
# Purpose: Allow to change mtk MMQoS scenario
allow hal_audio_default sysfs_mtk_mmqos_scen:file w_file_perms;
allow hal_audio_default sysfs_mtk_mmqos_scen_v2:file w_file_perms;
# Allow ReadDefaultFstab().
read_fstab(hal_audio_default)
# Date : WK21.23
# Operation : Migration
# Purpose : factory mode
allow hal_audio_default sysfs_boot_info:file r_file_perms;
# Date : WK21.32
# Operation : Migration
# Purpose: permission for audioserver to use ccci node
allow hal_audio_default ccci_aud_device:chr_file rw_file_perms;
# Date: 2022/12/01
# Purpose: Allow Audio HAL to get and set vendor_mtk_audio_prop
get_prop(hal_audio_default, vendor_mtk_audio_prop)
set_prop(hal_audio_default, vendor_mtk_audio_prop)


@ -14,4 +14,4 @@ hal_server_domain(hal_drm_clearkey, hal_drm)
vndbinder_use(hal_drm_clearkey)
allow hal_drm_clearkey { appdomain -isolated_app_all }:fd use;
allow hal_drm_clearkey { appdomain -isolated_app }:fd use;


@ -10,7 +10,7 @@ init_daemon_domain(hal_drm_widevine)
hal_server_domain(hal_drm_widevine, hal_drm)
allow hal_drm_widevine mediacodec:fd use;
allow hal_drm_widevine { appdomain -isolated_app_all }:fd use;
allow hal_drm_widevine { appdomain -isolated_app }:fd use;
vndbinder_use(hal_drm_widevine)


@ -14,5 +14,3 @@ allow hal_keymint_default persist_data_file:file r_file_perms;
# Purpose : Open MobiCore access permission for keystore.
allow hal_keymint_default mobicore:unix_stream_socket { connectto read write };
allow hal_keymint_default mobicore_user_device:chr_file rw_file_perms;
set_prop(hal_keymint_default, vendor_mtk_soter_teei_prop)


@ -2,18 +2,12 @@
# Common SEPolicy Rule
# ==============================================
r_dir_file(hal_thermal_default, sysfs_therm)
allow hal_thermal_default sysfs_therm:file w_file_perms;
allow hal_thermal_default thermal_link_device:dir r_dir_perms;
allow hal_thermal_default proc_mtktz:dir search;
allow hal_thermal_default proc_mtktz:file r_file_perms;
allow hal_thermal_default proc_stat:file r_file_perms;
#for uevent handle
allow hal_thermal_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl;
#for thermal sysfs
allow hal_thermal_default sysfs_therm:file rw_file_perms;
@ -21,9 +15,4 @@ allow hal_thermal_default sysfs_therm:dir search;
#for thermal hal socket
allow hal_thermal_default thermal_hal_socket:dir { rw_dir_perms setattr};
allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;
hal_client_domain(hal_thermal_default, hal_power);
# read thermal_config
get_prop(hal_thermal_default, vendor_thermal_prop)
allow hal_thermal_default thermal_hal_socket:sock_file create_file_perms;


@ -1,10 +0,0 @@
type init-thermal-logging-sh, domain;
type init-thermal-logging-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(init-thermal-logging-sh)
userdebug_or_eng(`
allow init-thermal-logging-sh vendor_toolbox_exec:file rx_file_perms;
allow init-thermal-logging-sh sysfs_therm:dir r_dir_perms;
allow init-thermal-logging-sh sysfs_therm:file r_file_perms;
')


@ -1,12 +0,0 @@
type init-thermal-symlinks-sh, domain;
type init-thermal-symlinks-sh_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(init-thermal-symlinks-sh)
allow init-thermal-symlinks-sh vendor_toolbox_exec:file rx_file_perms;
allow init-thermal-symlinks-sh thermal_link_device:dir rw_dir_perms;
allow init-thermal-symlinks-sh thermal_link_device:lnk_file create_file_perms;
r_dir_file(init-thermal-symlinks-sh, sysfs_therm)
set_prop(init-thermal-symlinks-sh, vendor_thermal_prop)


@ -52,6 +52,10 @@ allow init tmpfs:lnk_file create_file_perms;
# Purpose : bt hal interface permission
allow init mtk_hal_bluetooth_exec:file getattr;
# Date : WK17.02
# Purpose: Fix audio hal service fail
allow init mtk_hal_audio_exec:file getattr;
# Date : W17.20
# Purpose: Enable PRODUCT_FULL_TREBLE
allow init vendor_block_device:lnk_file relabelto;
@ -143,6 +147,3 @@ allow init sysfs_mtk_core_ctl:dir r_dir_perms;
allow init sysfs_mtk_core_ctl:file rw_file_perms;
allow init xcap_socket:sock_file create_file_perms;
# Allow init to write to sysfs_devices_block
allow init sysfs_devices_block:file w_file_perms;


@ -12,13 +12,6 @@ allow init_insmod_sh kernel:key search;
# Purpose : modprobe need proc_modules
allow init_insmod_sh proc_modules:file r_file_perms;
# Allow init.insmod.sh to read cmdline
allow init_insmod_sh proc_cmdline:file r_file_perms;
# Allow required capabilities for modprobe
allow init_insmod_sh self:capability sys_nice;
allow init_insmod_sh kernel:process setsched;
# Date : WK20.46
# Purpose : Set the vendor.all.modules.ready property
set_prop(init_insmod_sh, vendor_mtk_device_prop)


@ -70,7 +70,7 @@ allow kernel audioserver:fd use;
# Date : WK18.02
# Operation: SQC
# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
allow kernel hal_audio_default:fd use;
allow kernel mtk_hal_audio:fd use;
allow kernel factory:fd use;
# Date : WK18.29
@ -85,6 +85,3 @@ allow kernel mtk_audiohal_data_file:file write;
# Date: WK19.03
allow kernel expdb_block_device:blk_file rw_file_perms;
# b/220801802
allow kernel same_process_hal_file:file r_file_perms;


@ -42,7 +42,7 @@ hal_client_domain(merged_hal_service, hal_allocator)
#for default drm permissions
hal_server_domain(merged_hal_service, hal_drm)
allow merged_hal_service mediacodec:fd use;
allow merged_hal_service { appdomain -isolated_app_all }:fd use;
allow merged_hal_service { appdomain -isolated_app }:fd use;
# Date : WK18.23
# Operation : P Migration


@ -266,7 +266,7 @@ allow meta_tst mddb_data_file:dir create_dir_perms;
# Date: W17.43
# Purpose : Allow meta_tst to call Audio HAL service
binder_call(meta_tst, hal_audio_default)
binder_call(meta_tst, mtk_hal_audio)
allow meta_tst mtk_audiohal_data_file:dir r_dir_perms;
#Data:W1745


@ -0,0 +1,244 @@
# ==============================================
# Common SEPolicy Rule
# ==============================================
type mtk_hal_audio, domain;
type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mtk_hal_audio)
hal_server_domain(mtk_hal_audio, hal_audio)
hal_client_domain(mtk_hal_audio, hal_allocator)
wakelock_use(mtk_hal_audio)
add_hwservice(mtk_hal_audio, mtk_hal_bluetooth_audio_hwservice)
allow mtk_hal_audio ion_device:chr_file r_file_perms;
allow mtk_hal_audio system_file:dir r_dir_perms;
r_dir_file(mtk_hal_audio, proc)
allow mtk_hal_audio audio_device:dir r_dir_perms;
allow mtk_hal_audio audio_device:chr_file rw_file_perms;
# mtk_hal_audio should never execute any executable without
# a domain transition
neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
# mtk_hal_audio should never need network access.
# Disallow network sockets apart from TCP sockets.
neverallow mtk_hal_audio domain:{ udp_socket rawip_socket } *;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mtk_hal_audio sdcard_type:dir create_dir_perms;
allow mtk_hal_audio sdcard_type:file create_file_perms;
allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
allow mtk_hal_audio nvram_data_file:file create_file_perms;
allow mtk_hal_audio nvram_data_file:lnk_file r_file_perms;
allow mtk_hal_audio nvdata_file:lnk_file r_file_perms;
allow mtk_hal_audio nvdata_file:dir create_dir_perms;
allow mtk_hal_audio nvdata_file:file create_file_perms;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
allow mtk_hal_audio self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow mtk_hal_audio bt_a2dp_stream_socket:sock_file w_file_perms;
allow mtk_hal_audio bt_int_adp_socket:sock_file w_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
allow mtk_hal_audio devmap_device:chr_file r_file_perms;
allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow mtk_hal_audio fm_device:chr_file rw_file_perms;
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
set_prop(mtk_hal_audio, vendor_mtk_audiohal_prop)
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
allow mtk_hal_audio sysfs_rt_param:file rw_file_perms;
allow mtk_hal_audio sysfs_rt_param:dir r_dir_perms;
allow mtk_hal_audio sysfs_rt_calib:file rw_file_perms;
allow mtk_hal_audio sysfs_rt_calib:dir r_dir_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow mtk_hal_audio vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow mtk_hal_audio rpc_socket:sock_file w_file_perms;
allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mtk_hal_audio sysfs_lowmemorykiller:file r_file_perms;
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mtk_hal_audio proc_mtkcooler:dir search;
allow mtk_hal_audio proc_mtktz:dir search;
allow mtk_hal_audio proc_thermal:dir search;
allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
# for as33970
allow mtk_hal_audio sysfs_reset_dsp:file rw_file_perms;
allow mtk_hal_audio tahiti_device:chr_file rw_file_perms_no_map;
# for smartpa
allow mtk_hal_audio sysfs_chip_vendor:file r_file_perms;
allow mtk_hal_audio sysfs_pa_num:file rw_file_perms;
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow mtk_hal_audio radio:dir r_dir_perms;
allow mtk_hal_audio radio:file r_file_perms;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mtk_hal_audio untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_audio storage_file:dir search;
allow mtk_hal_audio storage_file:lnk_file rw_file_perms;
allow mtk_hal_audio mnt_user_file:dir rw_dir_perms;
allow mtk_hal_audio mnt_user_file:lnk_file rw_file_perms;
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow mtk_hal_audio sysfs_ccci:file r_file_perms;
allow mtk_hal_audio sysfs_ccci:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow mtk_hal_audio tmpfs:dir search;
# Purpose: Dump debug info
allow mtk_hal_audio kmsg_device:chr_file w_file_perms;
allow mtk_hal_audio fuse:file rw_file_perms;
# Date : WK16.27
# Operation : Migration
# Purpose: tunning tool update parameters
binder_call(mtk_hal_audio, radio)
allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_audio proc_ged:file rw_file_perms;
# Fix bootup violation
allow mtk_hal_audio fuse:dir r_dir_perms;
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
# Date : W17.29
# Boot for opening trace file: Permission denied (13)
allow mtk_hal_audio debugfs_tracing:file w_file_perms;
# Audio Tuning Tool Android O porting
binder_call(mtk_hal_audio, audiocmdservice_atci)
# Add for control PowerHAL
hal_client_domain(mtk_hal_audio, hal_power)
# cm4 smartpa
allow mtk_hal_audio audio_ipi_device:chr_file rw_file_perms;
allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow mtk_hal_audio mnt_vendor_file:dir search;
# Date: 2019/06/14
# Operation : Migration
allow mtk_hal_audio audioserver:fifo_file w_file_perms;
allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
# Date : WK18.44
# Operation: adsp
allow mtk_hal_audio adsp_device:file rw_file_perms;
allow mtk_hal_audio adsp_device:chr_file rw_file_perms;
# Date : 2020/3/21
# Operation: audio dptx
allow mtk_hal_audio dri_device:chr_file rw_file_perms;
allow mtk_hal_audio gpu_device:dir search;
# Date : WK20.26
allow mtk_hal_audio sysfs_dt_firmware_android:file r_file_perms;
# Date : WK20.36
# Operation : Migration
# Purpose : AAudio HAL
allow mtk_hal_audio debugfs_ion:dir search;
# Date : 2021/06/15
# Purpose: Allow to change mtk MMQoS scenario
allow mtk_hal_audio sysfs_mtk_mmqos_scen:file w_file_perms;
allow mtk_hal_audio sysfs_mtk_mmqos_scen_v2:file w_file_perms;
# Allow ReadDefaultFstab().
read_fstab(mtk_hal_audio)
# Date : WK21.23
# Operation : Migration
# Purpose : factory mode
allow mtk_hal_audio sysfs_boot_info:file r_file_perms;
# Date : WK21.32
# Operation : Migration
# Purpose: permission for audioserver to use ccci node
allow mtk_hal_audio ccci_aud_device:chr_file rw_file_perms;
# Date: 2022/12/01
# Purpose: Allow Audio HAL to get and set vendor_mtk_audio_prop
get_prop(mtk_hal_audio, vendor_mtk_audio_prop)
set_prop(mtk_hal_audio, vendor_mtk_audio_prop)
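Review bot: The comment over the network neverallow says mtk_hal_audio "should never need network access" and then "apart from TCP sockets", and the rule `neverallow mtk_hal_audio domain:{ udp_socket rawip_socket } *;` leaves `tcp_socket` unasserted. If the HAL has no TCP use, `neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;` would match the first sentence; otherwise the comment should name what needs TCP. Separately, several grants whose own comments describe them as debug aids (the `sdcard_type` create permissions, `kmsg_device` write, `debugfs_tracing` write) are unconditional. Wrapping those in `userdebug_or_eng(` ... `')` would keep them off user builds, provided nothing in production depends on them, which this file does not show.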


@ -28,8 +28,7 @@ neverallow mtk_hal_c2 { file_type fs_type }:file execute_no_trans;
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mtk_hal_c2 domain:{ udp_socket rawip_socket } *;
neverallow mtk_hal_c2 { domain userdebug_or_eng(`-su') }:tcp_socket *;
neverallow mtk_hal_c2 domain:{ tcp_socket udp_socket rawip_socket } *;
#============= mtk_hal_c2 ==============
allow mtk_hal_c2 debugfs_ion:dir search;


@ -50,7 +50,3 @@ get_prop(mtk_hal_nvramagent, vendor_mtk_rat_config_prop)
allow mtk_hal_nvramagent mnt_vendor_file:dir search;
allow mtk_hal_nvramagent sysfs_boot_mode:file r_file_perms;
r_dir_file(mtk_hal_nvramagent, sysfs_dt_firmware_android)
allow mtk_hal_nvramagent sysfs_dt_firmware_android:file r_file_perms;


@ -11,9 +11,6 @@ init_daemon_domain(mtk_hal_power)
hal_server_domain(mtk_hal_power, hal_power)
hal_server_domain(mtk_hal_power, hal_wifi)
# Allow mtkpower stub service to call powerhal
binder_call(mtk_hal_power, hal_power_default)
# sysfs
allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
allow mtk_hal_power sysfs_mtk_core_ctl:dir r_dir_perms;
@ -24,7 +21,7 @@ allow mtk_hal_power sysfs_mtk_core_ctl:file rw_file_perms;
allow mtk_hal_power proc_thermal:file rw_file_perms;
# proc info
allow mtk_hal_power hal_audio_default:dir r_dir_perms;
allow mtk_hal_power mtk_hal_audio:dir r_dir_perms;
# Date : 2017/10/02
# Operation: SQC
@ -123,7 +120,7 @@ allow mtk_hal_power sysfs_devices_block:file rw_file_perms;
# Date : 2019/05/22
# Operation: SQC
# Purpose : Allow powerHAL to access prop
set_prop(mtk_hal_power, vendor_power_prop)
set_prop(mtk_hal_power, vendor_mtk_powerhal_prop)
# Date : 2019/05/29
# Operation: SQC
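Review bot: `set_prop(mtk_hal_power, vendor_mtk_powerhal_prop)` covers the `vendor.powerhal.` and `persist.vendor.powerhal.` prefixes, but the property_contexts section further down this page still maps `vendor.mediatek.powerhal.` to `vendor_power_prop`, which the lines shown here no longer grant to this domain. If the power HAL writes any property under that prefix, the write would be denied unless a rule outside these hunks allows it. If keeping both types is intended, a comment above the rule naming which domain owns `vendor_power_prop` would record that. The file continues outside the hunks shown, so this needs checking against the full policy.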


@ -45,7 +45,4 @@ hal_client_domain(mtk_hal_pq, hal_mtk_mmagent)
allow mtk_hal_pq dmabuf_system_heap_device:chr_file r_file_perms;
# Purpose : Allow change priority
allow mtk_hal_pq self:capability sys_nice;
# Allow PQ HAL to use /dev/ion
allow mtk_hal_pq ion_device:chr_file rw_file_perms;
allow mtk_hal_pq self:capability sys_nice;


@ -76,7 +76,3 @@ allow mtk_hal_sensors merged_hal_service:fd use;
# Date : WK20.25
# Purpose: Allow to read /bus/platform/drivers/mtk_nanohub/state
allow mtk_hal_sensors sysfs_mtk_nanohub_state:file r_file_perms;
# Allow mtk_hal_sensors to access sysfs_scp
allow mtk_hal_sensors sysfs_scp:dir search;
allow mtk_hal_sensors sysfs_scp:file rw_file_perms;


@ -12,8 +12,5 @@ hal_server_domain(mtk_hal_usb, hal_usb_gadget)
r_dir_file(mtk_hal_usb, sysfs_usb_nonplat)
allow mtk_hal_usb sysfs_usb_nonplat:file w_file_perms;
allow mtk_hal_usb configfs:dir { create rmdir };
allow mtk_hal_usb functionfs:dir { watch watch_reads };
set_prop(mtk_hal_usb, vendor_mtk_usb_prop)
get_prop(mtk_hal_usb, usb_control_prop)


@ -4,5 +4,5 @@
# Date : W20.26
# Operation : Migration
# Purpose : For apps other than isolated_app_all call hidl
binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app_all })
# Purpose : For apps other than isolated_app call hidl
binder_call(mtk_safe_halserverdomain_type, { appdomain -isolated_app })
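Review bot: Subtracting the single type `isolated_app` in `{ appdomain -isolated_app }` excludes only that one type, whereas `isolated_app_all` is an attribute that, on platforms defining it, also covers other isolated domains such as `isolated_compute_app`. If this tree is built against such a platform, those domains fall inside the set and are covered by this `binder_call` to every `mtk_safe_halserverdomain_type` server. The same applies to `allow { domain -isolated_app } storage_file:dir search;` in a later section of this page. I would add a comment above the rule stating the assumption, e.g. `# isolated_app is the only isolated domain on this platform; use isolated_app_all where it exists`.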


@ -31,7 +31,7 @@ allow netd untrusted_app:fd use;
# Operation : SQC
# Purpose : CTS for wifi
allow netd untrusted_app:unix_stream_socket rw_socket_perms_no_ioctl;
allow netd isolated_app_all:fd use;
allow netd isolated_app:fd use;
# MTK support app feature
get_prop(netd, vendor_mtk_app_prop)


@ -20,12 +20,12 @@ vendor_internal_prop(vendor_mtk_ctl_muxreport-daemon_prop)
vendor_internal_prop(vendor_mtk_ctl_ril-daemon-mtk_prop)
vendor_internal_prop(vendor_mtk_ctl_ril-proxy_prop)
vendor_internal_prop(vendor_mtk_ctl_viarild_prop)
vendor_internal_prop(vendor_mtk_powerhal_prop)
vendor_internal_prop(vendor_mtk_wfc_serv_prop)
vendor_internal_prop(vendor_mtk_factory_prop)
vendor_internal_prop(vendor_mtk_factory_start_prop)
vendor_internal_prop(vendor_mtk_eara_io_prop)
vendor_internal_prop(vendor_power_prop)
vendor_internal_prop(vendor_thermal_prop)
# Properties which can't be written outside vendor
vendor_restricted_prop(vendor_mtk_aal_ro_prop)


@ -280,8 +280,8 @@ vendor.voicerecognize.noDL u:object_r:vendor_mtk_voicerecgnize_prop:s0
ro.vendor.mtk.bt_sap_enable u:object_r:vendor_mtk_bt_sap_enable_prop:s0
# powerhal config
persist.vendor.powerhal. u:object_r:vendor_power_prop:s0
vendor.powerhal. u:object_r:vendor_power_prop:s0
persist.vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0
vendor.powerhal. u:object_r:vendor_mtk_powerhal_prop:s0
vendor.powerhal.gpu. u:object_r:vendor_mtk_powerhal_gpu_prop:s0
# MTK Wifi wlan_assistant property
@ -403,5 +403,9 @@ persist.vendor.eara_io. u:object_r:vendor_mtk_eara_io_prop:s0
persist.vendor.mdrsra_v2_support u:object_r:vendor_mtk_mdrsra_v2_support_prop:s0
persist.vendor.xfrm_support u:object_r:vendor_mtk_xfrm_support_prop:s0
# Thermal
vendor.thermal. u:object_r:vendor_thermal_prop:s0
mtk.vendor.omx.core.log u:object_r:vendor_mtk_omx_core_prop:s0
ro.mtk_crossmount_support u:object_r:vendor_mtk_crossmount_prop:s0
ro.mtk_deinterlace_support u:object_r:vendor_mtk_deinterlace_prop:s0
# Power
vendor.mediatek.powerhal. u:object_r:vendor_power_prop:s0
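Review bot: `mtk.vendor.omx.core.log`, `ro.mtk_crossmount_support` and `ro.mtk_deinterlace_support` near the end of this file do not start with a vendor-owned prefix (`vendor.`, `ro.vendor.`, `persist.vendor.`), yet they carry vendor property types. If this file is part of the vendor policy, builds that enforce the vendor property namespace reject such entries unless `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE` is set, and un-prefixed names can collide with platform-owned properties. The same holds for `debuglog.drv`, `debuglog.drv.` and `ril.cdma.inecmmode` in the later property_contexts section. I would group them under a comment such as `# legacy names outside the vendor namespace, kept for prebuilt blobs`, though that reason is my assumption and should be confirmed.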


@ -47,7 +47,7 @@ hal_client_domain(radio, hal_mtk_imsa)
#Dat: 2017/06/29
#Purpose: For audio parameter tuning
binder_call(radio, hal_audio_default)
binder_call(radio, mtk_hal_audio)
# Date : WK18.16
# Operation: P migration


@ -1,13 +0,0 @@
# rebalance_interrupts vendor
type rebalance_interrupts_vendor, domain;
type rebalance_interrupts_vendor_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(rebalance_interrupts_vendor)
allow rebalance_interrupts_vendor sysfs_irq:dir r_dir_perms;
allow rebalance_interrupts_vendor sysfs_irq:file r_file_perms;
allow rebalance_interrupts_vendor proc_irq:dir r_dir_perms;
allow rebalance_interrupts_vendor proc_irq:file { rw_file_perms setattr };
allow rebalance_interrupts_vendor self:capability { chown setuid setgid };
r_dir_file(rebalance_interrupts_vendor, sysfs_devices_system_cpu)


@ -160,7 +160,7 @@ allow rild netd_socket:sock_file { write read };
#Date : W17.20
#Purpose: allow access to audio hal
binder_call(rild, hal_audio_default)
binder_call(rild, mtk_hal_audio)
hal_client_domain(rild, hal_audio)
# Date : W19.16


@ -62,7 +62,7 @@ allow system_server proc_mtktz:file r_file_perms;
# Date:W17.02
# Operation : audio hal developing
# Purpose : audio hal interface permission
allow system_server hal_audio_default:process { getsched setsched };
allow system_server mtk_hal_audio:process { getsched setsched };
# Dat: 2017/02/14
# Purpose: allow get telephony Sensitive property
@ -262,8 +262,8 @@ allow system_server mediaserver_tmpfs:file w_file_perms;
dontaudit system_server hal_wifi_default:process sigkill;
dontaudit system_server eara_io:process sigkill;
# Purpose : dontaudit system_server is not allowed to kill hal_audio_default
dontaudit system_server hal_audio_default:process sigkill;
# Purpose : dontaudit system_server is not allowed to kill mtk_hal_audio
dontaudit system_server mtk_hal_audio:process sigkill;
dontaudit system_server mtk_hal_c2:process sigkill;
# Search /proc/mgq


@ -15,7 +15,6 @@ allow vendor_init proc_cpufreq:file w_file_perms;
allow vendor_init proc_bootprof:file w_file_perms;
allow vendor_init proc_pl_lk:file w_file_perms;
allow vendor_init proc_mtprintk:file w_file_perms;
allow vendor_init proc_vm_dirty:file w_file_perms;
allow vendor_init rootfs:dir create_dir_perms;
allow vendor_init self:capability sys_module;
allow vendor_init tmpfs:dir create_dir_perms;
@ -39,9 +38,6 @@ set_prop(vendor_init, vendor_mtk_bt_sap_enable_prop)
set_prop(vendor_init, vendor_mtk_factory_prop)
get_prop(vendor_init, vendor_mtk_soc_prop)
set_prop(vendor_init, vendor_mtk_prefer64_prop)
set_prop(vendor_init, vendor_mtk_audio_prop)
set_prop(vendor_init, vendor_mtk_audiohal_prop)
set_prop(vendor_init, vendor_mtk_pq_prop)
# allow create symbolic link, /mnt/sdcard, for meta/factory mode
allow vendor_init tmpfs:lnk_file create_file_perms;
@ -72,7 +68,7 @@ allow vendor_init expdb_block_device:blk_file rw_file_perms;
set_prop(vendor_init, vendor_mtk_wifi_hotspot_prop)
set_prop(vendor_init, vendor_mtk_wifi_hal_prop)
set_prop(vendor_init, vendor_power_prop)
set_prop(vendor_init, vendor_mtk_powerhal_prop)
# mmstat tracer
allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
@ -169,11 +165,3 @@ set_prop(vendor_init, vendor_mtk_xfrm_support_prop)
# Power
set_prop(vendor_init, vendor_power_prop)
# Allow vendor_init to write to sysfs_devices_block
allow vendor_init sysfs_devices_block:file w_file_perms;
# Thermal
allow vendor_init thermal_link_device:dir r_dir_perms;
allow vendor_init thermal_link_device:lnk_file r_file_perms;
set_prop(vendor_init, vendor_thermal_prop)


@ -34,8 +34,12 @@
/system/bin/create_pl_dev u:object_r:mtk_plpath_utils_exec:s0
# mediaserver 64 bit support
/system/bin/mediaserver64 u:object_r:mediaserver_exec:s0
/system/bin/mediahelper u:object_r:mediahelper_exec:s0
# drmserver 64 bit support
/system/bin/drmserver64 u:object_r:drmserver_exec:s0
##########################
# SystemExt files
#


@ -5,7 +5,7 @@
# Date : WK15.29
# Operation : Migration
# Purpose : for device bring up, not to block early migration
allow { domain -isolated_app_all } storage_file:dir search;
allow { domain -isolated_app } storage_file:dir search;
# Date : W17.47
# Allow system_server to enable/disable logmuch_prop for Wi-Fi logging purpose


@ -17,8 +17,8 @@ allow factory protect1_block_device:blk_file getattr;
allow factory protect2_block_device:blk_file getattr;
# Purpose : Allow factory to call android.hardware.audio@2.0-service-mediatek
binder_call(factory, hal_audio_default)
allow factory hal_audio_default:binder call;
binder_call(factory, mtk_hal_audio)
allow factory mtk_hal_audio:binder call;
allow factory mtk_audiohal_data_file:dir r_dir_perms;
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
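Review bot: `allow factory mtk_hal_audio:binder call;` is redundant directly after `binder_call(factory, mtk_hal_audio)`, because the macro already grants `call` on the target's binder class. Dropping the explicit rule keeps the grant in one place, so a later rename or removal of the macro line cannot leave a stray permission behind. The rest of factory's rules lie outside this hunk.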


@ -8,6 +8,9 @@ vendor.mediatek.hardware.camera.advcam::IAdvCamControl u:object_r:hal_camera_hws
# Date : 2017/06/15
vendor.mediatek.hardware.wfo::IWifiOffload u:object_r:mtk_hal_wfo_hwservice:s0
# Date: 2017/06/22
vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
# Date : 2017/07/11
vendor.mediatek.hardware.videotelephony::IVideoTelephony u:object_r:mtk_hal_videotelephony_hwservice:s0
@ -20,6 +23,9 @@ vendor.mediatek.hardware.netdagent::INetdagent u:object_r:mtk_hal_netdagent_hwse
# Date : 2017/08/4
vendor.mediatek.hardware.rcs::IRcs u:object_r:volte_rcs_ua_hwservice:s0
# Date: 2017/06/22
vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
# Date : 2017/10/22
vendor.mediatek.hardware.dfps::IFpsPolicyService u:object_r:mtk_hal_dfps_hwservice:s0
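Review bot: `ILomoEffect` and `ICCAPControl` are labelled with the shared `hal_camera_hwservice` type, so every domain allowed to find the camera HAL can also look up these two vendor interfaces. If either is meant for a small set of callers (I cannot tell from the hunk), a dedicated type like the `mtk_hal_*_hwservice` types on neighbouring entries would let policy restrict who can find it. At minimum, a `# Purpose :` line next to each `# Date:` comment would record the intended clients.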


@ -1,2 +1,2 @@
# Purpose : adsp
allow hal_audio_default adsp_device:chr_file { rw_file_perms };
allow mtk_hal_audio adsp_device:chr_file { rw_file_perms };


@ -16,10 +16,3 @@ allow netutils_wrapper rild:fifo_file rw_file_perms;
allow netutils_wrapper wo_epdg_client:unix_stream_socket { read write };
allow netutils_wrapper wo_epdg_client:fd use;
allow netutils_wrapper {
gsm0710muxd_device
ccci_vts_device
ccci_wifi_proxy_device
ccci_device
}:chr_file rw_file_perms;


@ -196,6 +196,8 @@ ro.vendor.mtk_vibspk_support u:object_r:vendor_mtk_default_prop:s0
# fm 50khz support
ro.vendor.mtk_fm_50khz_support u:object_r:vendor_mtk_default_prop:s0
debuglog.drv u:object_r:vendor_mtk_camera_prop:s0
debuglog.drv. u:object_r:vendor_mtk_camera_prop:s0
vendor.camera.save.temp.video u:object_r:vendor_mtk_camera_prop:s0
vendor.camera_af_power_debug u:object_r:vendor_mtk_camera_prop:s0
vendor.com.mediatek.gesture.pose u:object_r:vendor_mtk_camera_prop:s0
@ -254,6 +256,7 @@ ro.vendor.mtk_ct4greg_app u:object_r:vendor_mtk_default_prop:s0
ro.vendor.mtk_devreg_app u:object_r:vendor_mtk_default_prop:s0
vendor.cdma. u:object_r:vendor_mtk_cdma_prop:s0
ril.cdma.inecmmode u:object_r:vendor_mtk_cdma_prop:s0
persist.vendor.service.rcs u:object_r:vendor_mtk_service_rcs_prop:s0
persist.vendor.service.tag.rcs u:object_r:vendor_mtk_service_rcs_prop:s0


@ -19,8 +19,8 @@ allow zygote servicemanager:binder call;
# Date : WK14.49
# Operation : SQC
# Purpose : for isolated_app_all to use fd (ex: share image by gmail)
allow zygote isolated_app_all:fd use;
# Purpose : for isolated_app to use fd (ex: share image by gmail)
allow zygote isolated_app:fd use;
# Date : WK15.02
# Operation : SQC


@ -8,13 +8,13 @@
# MTK Adv Camera Server
/system/bin/mtk_advcamserver u:object_r:mtk_advcamserver_exec:s0
/(system|system_ext|system/system_ext)/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
/system/bin/kpoc_charger u:object_r:kpoc_charger_exec:s0
# MTK Thermald
/system/bin/thermald u:object_r:thermald_exec:s0
# MTK VTService
/(system|system_ext|system/system_ext)/bin/vtservice u:object_r:vtservice_exec:s0
/system/bin/vtservice u:object_r:vtservice_exec:s0
# MTK ATCI
/system/bin/atci_service_sys u:object_r:atci_service_sys_exec:s0
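Review bot: The patterns for `kpoc_charger` and `vtservice` now match only `/system/bin/...`, so a build that installs either binary under `/system_ext/bin` would leave it with the partition's default label instead of `kpoc_charger_exec` or `vtservice_exec`. In that case the domain transition keyed on the exec type would not take place and the service would not run in its intended domain. If this branch never places them in system_ext, a comment such as `# installed to /system/bin only on this branch` would make that explicit. Otherwise keep the `/(system|system_ext|system/system_ext)/bin/` form, which matches both layouts.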


@ -181,6 +181,3 @@ get_prop(radio, system_mtk_fd_prop)
# Date : 2021/12/22
# Purpose : Allow radio to read ims debug property
get_prop(radio, system_mtk_dbg_ims_prop)
# Allow radio to get system_mtk_vodata_prop
get_prop(radio, system_mtk_vodata_prop)


@ -42,4 +42,3 @@ type mtk_vowbridge_service, app_api_service, system_server_service, service_mana
type mtk_appdetection_service, app_api_service, system_server_service, service_manager_type;
type vtservice_hidl_service, service_manager_type;
type teei_ifaa_service, app_api_service, service_manager_type;
type mtk_hal_sf_service, service_manager_type;


@ -54,72 +54,3 @@ media.VTS.HiDL u:object_r:vtservice_hid
# MICROTRUST SEPolicy Rule
# for ifaa upgrade on android O
ifaa_service u:object_r:teei_ifaa_service:s0
# Data: 2022/01/04
# add telephony aidl
vendor.mediatek.hardware.mtkradioex.data.IMtkRadioExData/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.data.IMtkRadioExData/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.data.IMtkRadioExData/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.data.IMtkRadioExData/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.ims.IMtkRadioExIms/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.ims.IMtkRadioExIms/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.ims.IMtkRadioExIms/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.ims.IMtkRadioExIms/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.messaging.IMtkRadioExMessaging/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.messaging.IMtkRadioExMessaging/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.messaging.IMtkRadioExMessaging/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.messaging.IMtkRadioExMessaging/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.modem.IMtkRadioExModem/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.modem.IMtkRadioExModem/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.modem.IMtkRadioExModem/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.modem.IMtkRadioExModem/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.network.IMtkRadioExNetwork/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.network.IMtkRadioExNetwork/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.network.IMtkRadioExNetwork/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.network.IMtkRadioExNetwork/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.sim.IMtkRadioExSim/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.sim.IMtkRadioExSim/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.sim.IMtkRadioExSim/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.sim.IMtkRadioExSim/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.voice.IMtkRadioExVoice/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.voice.IMtkRadioExVoice/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.voice.IMtkRadioExVoice/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.voice.IMtkRadioExVoice/slot4 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.rcs.IMtkRadioExRcs/slot1 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.rcs.IMtkRadioExRcs/slot2 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.rcs.IMtkRadioExRcs/slot3 u:object_r:hal_radio_service:s0
vendor.mediatek.hardware.mtkradioex.rcs.IMtkRadioExRcs/slot4 u:object_r:hal_radio_service:s0
# Data: 2022/01/10
# add telephony aidl
android.hardware.radio.modem.IRadioModem/imsSlot1 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/imsSlot2 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/imsSlot3 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/imsSlot4 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/imsSlot1 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/imsSlot2 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/imsSlot3 u:object_r:hal_radio_service:s0
android.hardware.radio.network.IRadioNetwork/imsSlot4 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/imsSlot1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/imsSlot2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/imsSlot3 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/imsSlot4 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/imsSlot1 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/imsSlot2 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/imsSlot3 u:object_r:hal_radio_service:s0
android.hardware.radio.voice.IRadioVoice/imsSlot4 u:object_r:hal_radio_service:s0
# Data: 2022/03/21
# add telephony aidl
android.hardware.radio.modem.IRadioModem/se1 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/se2 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/se3 u:object_r:hal_radio_service:s0
android.hardware.radio.modem.IRadioModem/se4 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/se1 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/se2 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/se3 u:object_r:hal_radio_service:s0
android.hardware.radio.sim.IRadioSim/se4 u:object_r:hal_radio_service:s0
# Data: 2022/05/13
# add mtk sf aidl
vendor.mediatek.framework.mtksf_ext.IMtkSF_ext/default u:object_r:mtk_hal_sf_service:s0


@ -1,7 +0,0 @@
mtk.vendor.omx.core.log u:object_r:vendor_mtk_omx_core_prop:s0
ro.mtk_crossmount_support u:object_r:vendor_mtk_crossmount_prop:s0
ro.mtk_deinterlace_support u:object_r:vendor_mtk_deinterlace_prop:s0
debuglog.drv u:object_r:vendor_mtk_camera_prop:s0
debuglog.drv. u:object_r:vendor_mtk_camera_prop:s0
ril.cdma.inecmmode u:object_r:vendor_mtk_cdma_prop:s0