android_device_mediatek_sep.../plat_private/aee_aed.te

# ==============================================
# Policy File of /system/bin/aee_aed Executable File

# ==============================================
# Type Declaration
# ==============================================
type aee_aed_exec, exec_type, file_type;
typeattribute aee_aed coredomain;
typeattribute aee_aed mlstrustedsubject;

init_daemon_domain(aee_aed)

# ==============================================
# MTK Policy Rule
# ==============================================

# AED start: /dev/block/expdb
allow aee_aed block_device:dir search;

#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow

# aee db dir and db files
allow aee_aed sdcard_type:dir create_dir_perms;
allow aee_aed sdcard_type:file create_file_perms;

#data/anr
allow aee_aed anr_data_file:dir create_dir_perms;
allow aee_aed anr_data_file:file create_file_perms;

allow aee_aed domain:process { sigkill getattr getsched signal };
allow aee_aed domain:lnk_file getattr;

#core-pattern
allow aee_aed usermodehelper:file r_file_perms;

#suid_dumpable. this is neverallow
# allow aee_aed proc_security:file r_file_perms;

#property
allow aee_aed init:unix_stream_socket connectto;
allow aee_aed property_socket:sock_file write;

#allow aee_aed call binaries labeled "system_file" under /system/bin/
allow aee_aed system_file:file execute_no_trans;

allow aee_aed init:process getsched;
allow aee_aed kernel:process getsched;

# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aed self:capability sys_admin;')

# Date: W16.17
# Operation: N0 Migeration
# Purpose: creat dir "aee_exp" under /data
allow aee_aed system_data_file:dir { write create add_name };
allow aee_aed system_data_file:file r_file_perms;

# Purpose: allow aee_aed to access toolbox
allow aee_aed toolbox_exec:file rx_file_perms;

# purpose: allow aee_aed to access storage on N version
allow aee_aed media_rw_data_file:file  { create_file_perms };
allow aee_aed media_rw_data_file:dir { create_dir_perms };

# Purpose: mnt/user/*
allow aee_aed mnt_user_file:dir search;
allow aee_aed mnt_user_file:lnk_file read;

allow aee_aed storage_file:dir search;
allow aee_aed storage_file:lnk_file read;

# Date : WK17.09
# Operation : AEE UT for Android O
# Purpose : for AEE module to dump files
domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)

# Purpose : aee_aed communicate with aee_core_forwarder
# allow aee_aed aee_core_forwarder:dir search;
# allow aee_aed aee_core_forwarder:file { read getattr open };

userdebug_or_eng(`
  allow aee_aed su:dir {search read open };
  allow aee_aed su:file { read getattr open };
')

# /data/tombstone
allow aee_aed tombstone_data_file:dir w_dir_perms;
allow aee_aed tombstone_data_file:file create_file_perms;

# /proc/pid/
#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };

# system(cmd) aee_dumpstate aee_archive
allow aee_aed shell_exec:file rx_file_perms;

# PROCESS_FILE_STATE
allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
allow aee_aed dumpstate:dir search;
allow aee_aed dumpstate:file r_file_perms;

#allow aee_aed proc:file rw_file_perms;
allow aee_aed logdr_socket:sock_file write;
allow aee_aed logd:unix_stream_socket connectto;
# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule

# vibrator
allow aee_aed sysfs_vibrator:file w_file_perms;

# Data : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : make aee_aed can get specific process NE info
allow aee_aed domain:dir r_dir_perms;
allow aee_aed domain:{ file lnk_file } r_file_perms;
allow aee_aed {
  domain
  -logd
  -keystore
  -init
}:process ptrace;
allow aee_aed dalvikcache_data_file:dir r_dir_perms;
allow aee_aed zygote_exec:file r_file_perms;
allow aee_aed init_exec:file r_file_perms;

# Data : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aed
# Purpose : make aee_aed can get notify from crash_dump
allow aee_aed crash_dump:dir search;
allow aee_aed crash_dump:file r_file_perms;

# Purpose:
# [  217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
#allow aee_aed sysfs:file r_file_perms;

# Purpose : allow aee_aed to read /proc/version
allow aee_aed proc_version:file { read open };

# Purpose : allow aee_aed self to sys_nice/chown
allow aee_aed self:capability { sys_nice chown };
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`# ==============================================`
			`# Policy File of /system/bin/aee_aed Executable File`

			`# ==============================================`
			`# Type Declaration`
			`# ==============================================`
			`type aee_aed_exec, exec_type, file_type;`
			`typeattribute aee_aed coredomain;`
			`typeattribute aee_aed mlstrustedsubject;`

			`init_daemon_domain(aee_aed)`

			`# ==============================================`
			`# MTK Policy Rule`
			`# ==============================================`

			`# AED start: /dev/block/expdb`
			`allow aee_aed block_device:dir search;`

			`#allow aee_aed userdata_block_device:blk_file create_file_perms; # neverallow`

			`# aee db dir and db files`
			`allow aee_aed sdcard_type:dir create_dir_perms;`
			`allow aee_aed sdcard_type:file create_file_perms;`

			`#data/anr`
			`allow aee_aed anr_data_file:dir create_dir_perms;`
			`allow aee_aed anr_data_file:file create_file_perms;`

			`allow aee_aed domain:process { sigkill getattr getsched signal };`
			`allow aee_aed domain:lnk_file getattr;`

			`#core-pattern`
			`allow aee_aed usermodehelper:file r_file_perms;`

			`#suid_dumpable. this is neverallow`
			`# allow aee_aed proc_security:file r_file_perms;`

			`#property`
			`allow aee_aed init:unix_stream_socket connectto;`
			`allow aee_aed property_socket:sock_file write;`

			`#allow aee_aed call binaries labeled "system_file" under /system/bin/`
			`allow aee_aed system_file:file execute_no_trans;`

			`allow aee_aed init:process getsched;`
			`allow aee_aed kernel:process getsched;`

			`# Date: W15.34`
			`# Operation: Migration`
			`# Purpose: For pagemap & pageflags information in NE DB`
			userdebug_or_eng(`allow aee_aed self:capability sys_admin;')

			`# Date: W16.17`
			`# Operation: N0 Migeration`
			`# Purpose: creat dir "aee_exp" under /data`
			`allow aee_aed system_data_file:dir { write create add_name };`
			`allow aee_aed system_data_file:file r_file_perms;`

			`# Purpose: allow aee_aed to access toolbox`
			`allow aee_aed toolbox_exec:file rx_file_perms;`

			`# purpose: allow aee_aed to access storage on N version`
			`allow aee_aed media_rw_data_file:file { create_file_perms };`
			`allow aee_aed media_rw_data_file:dir { create_dir_perms };`

			`# Purpose: mnt/user/*`
			`allow aee_aed mnt_user_file:dir search;`
			`allow aee_aed mnt_user_file:lnk_file read;`

			`allow aee_aed storage_file:dir search;`
			`allow aee_aed storage_file:lnk_file read;`

			`# Date : WK17.09`
			`# Operation : AEE UT for Android O`
			`# Purpose : for AEE module to dump files`
			`domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)`

			`# Purpose : aee_aed communicate with aee_core_forwarder`
			`# allow aee_aed aee_core_forwarder:dir search;`
			`# allow aee_aed aee_core_forwarder:file { read getattr open };`

			userdebug_or_eng(`
			`allow aee_aed su:dir {search read open };`
			`allow aee_aed su:file { read getattr open };`
			`')`

			`# /data/tombstone`
			`allow aee_aed tombstone_data_file:dir w_dir_perms;`
			`allow aee_aed tombstone_data_file:file create_file_perms;`

			`# /proc/pid/`
[ALPS03825066] Resolve vendor violates [Detail] Google add new neverallows rules on android P, some rule violate the rules [Solution] Remove the rules which violate google new rules MTK-Commit-Id: ff683b4eee0a6dd95ff25fbb6c7d1fc3a79c604d Change-Id: Iead494212c6adcec234eaef14c83d1f8c7a49deb CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:34 +08:00			`#allow aee_aed self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00
			`# system(cmd) aee_dumpstate aee_archive`
			`allow aee_aed shell_exec:file rx_file_perms;`

			`# PROCESS_FILE_STATE`
			`allow aee_aed dumpstate:unix_stream_socket { read write ioctl };`
			`allow aee_aed dumpstate:dir search;`
			`allow aee_aed dumpstate:file r_file_perms;`

[ALPS03825066] P migration selinux build failed fix 1. Mark polices which accessing proc/sysfs file system 2. Add violator attribute to modules violate vendor/system rule. MTK-Commit-Id: 3954cad7a1428cda694d8428c2235a78aa6e7cc8 Change-Id: I401ae5b87eb9a03f324bef83c6678149606b15a8 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:36 +08:00			`#allow aee_aed proc:file rw_file_perms;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`allow aee_aed logdr_socket:sock_file write;`
			`allow aee_aed logd:unix_stream_socket connectto;`
			`# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule`

			`# vibrator`
[ALPS03825066] Mark file context to fix build fails Restore the policies accessing files labeled as proc_xxx or sysfs_xxx, but there are some exceptions for coredomain process, such as meta_tst,dump_state,kpoc_charger MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d Change-Id: I4b16c09c352891783e837bea370c264966ca6d13 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:41 +08:00			`allow aee_aed sysfs_vibrator:file w_file_perms;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00
			`# Data : 2017/03/22`
			`# Operation : add NE flow rule for Android O`
			`# Purpose : make aee_aed can get specific process NE info`
			`allow aee_aed domain:dir r_dir_perms;`
			`allow aee_aed domain:{ file lnk_file } r_file_perms;`
			`allow aee_aed {`
			`domain`
			`-logd`
			`-keystore`
			`-init`
			`}:process ptrace;`
			`allow aee_aed dalvikcache_data_file:dir r_dir_perms;`
			`allow aee_aed zygote_exec:file r_file_perms;`
			`allow aee_aed init_exec:file r_file_perms;`

			`# Data : 2017/04/06`
			`# Operation : add selinux rule for crash_dump notify aee_aed`
			`# Purpose : make aee_aed can get notify from crash_dump`
			`allow aee_aed crash_dump:dir search;`
			`allow aee_aed crash_dump:file r_file_perms;`

			`# Purpose:`
			`# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }`
			`# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0`
			`# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0`
[ALPS03825066] P migration selinux build failed fix 1. Mark polices which accessing proc/sysfs file system 2. Add violator attribute to modules violate vendor/system rule. MTK-Commit-Id: 3954cad7a1428cda694d8428c2235a78aa6e7cc8 Change-Id: I401ae5b87eb9a03f324bef83c6678149606b15a8 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:36 +08:00			`#allow aee_aed sysfs:file r_file_perms;`
[ALPS03841705] AEE porting on Android P [Detail] 1. modify property according to P rule 2. add some selinux rules 3. relable /proc/slabinfo /proc/zraminfo MTK-Commit-Id: aa654138c8b48d223b614c81d2f39d7cd6eedd1f Change-Id: Ib47383553b0d320d3766780f35c397be60dc1339 CR-Id: ALPS03841705 Feature: Android Exception Engine(AEE) 2020-01-18 09:35:48 +08:00
			`# Purpose : allow aee_aed to read /proc/version`
			`allow aee_aed proc_version:file { read open };`

			`# Purpose : allow aee_aed self to sys_nice/chown`
			`allow aee_aed self:capability { sys_nice chown };`