android_device_mediatek_sep.../plat_private/mobile_log_d.te

# ==============================================
# MTK Policy Rule
# ==============================================

# New added for moving to /system
type mobile_log_d_exec, system_file_type, exec_type, file_type;
typeattribute mobile_log_d coredomain;

init_daemon_domain(mobile_log_d)

#syslog module
allow mobile_log_d kernel:system syslog_mod;

#GMO project
dontaudit mobile_log_d untrusted_app:fd use;
dontaudit mobile_log_d isolated_app:fd use;

#debug property set
set_prop(mobile_log_d, debug_prop)

#socket connect and write
unix_socket_connect(mobile_log_d, logdr, logd);

#capability
allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };
allow mobile_log_d self:capability { setuid chown setgid };
allow mobile_log_d self:capability2 syslog;

#aee mode switch
allow mobile_log_d system_file:file execute_no_trans;

#shell command
allow mobile_log_d shell_exec:file rx_file_perms;

# execute logcat command
allow mobile_log_d logcat_exec:file rx_file_perms;

# execute 'logcat -L' via dumpstate
domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)

#general storage access
allow mobile_log_d storage_file:dir create_dir_perms;
allow mobile_log_d storage_file:file create_file_perms;
allow mobile_log_d storage_file:lnk_file create_file_perms;
allow mobile_log_d mnt_user_file:dir create_dir_perms;
allow mobile_log_d mnt_user_file:lnk_file create_file_perms;
allow mobile_log_d sdcard_type:dir create_dir_perms;
allow mobile_log_d sdcard_type:file create_file_perms;

#factory mode vfat access
allow mobile_log_d vfat:dir create_dir_perms;
allow mobile_log_d vfat:file create_file_perms;

#chiptest mode storage access
allow mobile_log_d mnt_media_rw_file:dir create_dir_perms;
allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms;

#system/bin/toybox for using 'sh' command
allow mobile_log_d toolbox_exec:file rx_file_perms;

#selinux_version access
allow mobile_log_d rootfs:file r_file_perms;

#dev/__properties__ access
allow mobile_log_d device_logging_prop:file { getattr open };
allow mobile_log_d mmc_prop:file { getattr open };
allow mobile_log_d safemode_prop:file { getattr open };

# purpose: allow MobileLog to access storage in N version
allow mobile_log_d media_rw_data_file:file  create_file_perms;
allow mobile_log_d media_rw_data_file:dir create_dir_perms;

# access debugfs/tracing/instances/
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
#allow mobile_log_d debugfs_tracing:file create_file_perms;
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;

#data/debuglog
allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms};
allow mobile_log_d debuglog_data_file:file create_file_perms;
allow mobile_log_d system_data_file:dir create_dir_perms;
file_type_auto_trans(mobile_log_d, system_data_file, debuglog_data_file)

#mcupm
allow mobile_log_d mcupm_device:chr_file r_file_perms;
allow mobile_log_d sysfs_mcupm:file w_file_perms;
allow mobile_log_d sysfs_mcupm:dir search;
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`# ==============================================`
			`# MTK Policy Rule`
			`# ==============================================`

			`# New added for moving to /system`
[ALPS04239425] Sepolicy: fix undefined type declration [Detail] Unknown type:untrusted_v2_app,alarm_device,qtaguid_proc,mtd_device Duplicated type:proc_slabinfo MTK-Commit-Id: 11ccfcffb994452eb58a697e94a8da748ac73933 Change-Id: I2e847041d14d6b6613044cfaa98f242b7fd9381a CR-Id: ALPS04239425 Feature: Build System 2020-01-18 10:08:05 +08:00			`type mobile_log_d_exec, system_file_type, exec_type, file_type;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`typeattribute mobile_log_d coredomain;`

			`init_daemon_domain(mobile_log_d)`

			`#syslog module`
			`allow mobile_log_d kernel:system syslog_mod;`

			`#GMO project`
			`dontaudit mobile_log_d untrusted_app:fd use;`
			`dontaudit mobile_log_d isolated_app:fd use;`

			`#debug property set`
			`set_prop(mobile_log_d, debug_prop)`

			`#socket connect and write`
			`unix_socket_connect(mobile_log_d, logdr, logd);`

			`#capability`
[ALPS03982747] Remove unused sepolicy rules Some rules is no need any more, need to remove it. MTK-Commit-Id: 49685f1299d990a7195a2d54b955517d8f2cc699 Change-Id: I4a590ad781589cf94989ce72c88751ac10b82eae CR-Id: ALPS03982747 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 10:02:25 +08:00			`allow mobile_log_d self:capability { setuid setgid chown fowner fsetid };`
[ALPS03886572] Mobile Log selinux rule porting [Detail] Mobile Log selinux rule porting: 1. fix the violation on P 2. relable some kernel interfaces. MTK-Commit-Id: 4108ed13f3e7693c3642b6f073c5444f133b3c38 Change-Id: I1fac185779510f10b9b94bdf6ec40573237d846a CR-Id: ALPS03886572 Feature: Mobile Log Tool 2020-01-18 09:37:45 +08:00			`allow mobile_log_d self:capability { setuid chown setgid };`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`allow mobile_log_d self:capability2 syslog;`

			`#aee mode switch`
			`allow mobile_log_d system_file:file execute_no_trans;`

			`#shell command`
			`allow mobile_log_d shell_exec:file rx_file_perms;`

[ALPS03997871] allow MobileLog exec logcat -L Mobile_log_d exec logcat -L to get last Android Log MTK-Commit-Id: e51d67ff3d1024ec236d26f66d5286a1aed6fb75 Change-Id: Id2f2aceb501a5324ff642f34455080ccbd54bf34 CR-Id: ALPS03997871 Feature: Mobile Log Tool 2020-01-18 10:04:04 +08:00			`# execute logcat command`
			`allow mobile_log_d logcat_exec:file rx_file_perms;`

			`# execute 'logcat -L' via dumpstate`
			`domain_auto_trans(mobile_log_d, logcat_exec, dumpstate)`

import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`#general storage access`
			`allow mobile_log_d storage_file:dir create_dir_perms;`
			`allow mobile_log_d storage_file:file create_file_perms;`
			`allow mobile_log_d storage_file:lnk_file create_file_perms;`
			`allow mobile_log_d mnt_user_file:dir create_dir_perms;`
			`allow mobile_log_d mnt_user_file:lnk_file create_file_perms;`
			`allow mobile_log_d sdcard_type:dir create_dir_perms;`
			`allow mobile_log_d sdcard_type:file create_file_perms;`

			`#factory mode vfat access`
			`allow mobile_log_d vfat:dir create_dir_perms;`
			`allow mobile_log_d vfat:file create_file_perms;`

			`#chiptest mode storage access`
			`allow mobile_log_d mnt_media_rw_file:dir create_dir_perms;`
			`allow mobile_log_d mnt_media_rw_file:lnk_file create_file_perms;`

			`#system/bin/toybox for using 'sh' command`
			`allow mobile_log_d toolbox_exec:file rx_file_perms;`

			`#selinux_version access`
			`allow mobile_log_d rootfs:file r_file_perms;`

			`#dev/__properties__ access`
			`allow mobile_log_d device_logging_prop:file { getattr open };`
			`allow mobile_log_d mmc_prop:file { getattr open };`
			`allow mobile_log_d safemode_prop:file { getattr open };`

			`# purpose: allow MobileLog to access storage in N version`
			`allow mobile_log_d media_rw_data_file:file create_file_perms;`
			`allow mobile_log_d media_rw_data_file:dir create_dir_perms;`

			`# access debugfs/tracing/instances/`
			`allow mobile_log_d debugfs_tracing:dir create_dir_perms;`
[ALPS03825066] P migration selinux build failed fix 1. Mark polices which accessing proc/sysfs file system 2. Add violator attribute to modules violate vendor/system rule. MTK-Commit-Id: 3954cad7a1428cda694d8428c2235a78aa6e7cc8 Change-Id: I401ae5b87eb9a03f324bef83c6678149606b15a8 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:36 +08:00			`#allow mobile_log_d debugfs_tracing:file create_file_perms;`
import from mediatek/master to mediatek/alps-mp-o1.mp1 Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79 MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee 2020-01-18 09:29:32 +08:00			`allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;`
[ALPS03825066] Mark file context to fix build fails Restore the policies accessing files labeled as proc_xxx or sysfs_xxx, but there are some exceptions for coredomain process, such as meta_tst,dump_state,kpoc_charger MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d Change-Id: I4b16c09c352891783e837bea370c264966ca6d13 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK 2020-01-18 09:29:41 +08:00			`allow mobile_log_d debugfs_tracing_instances:file create_file_perms;`
[ALPS04649268] Move SELINUX policies to plat_private These policies are for system process, as a result, move it to plat_private folder. MTK-Commit-Id: 46e87002024d5675d566dd59f77cbde9c69bdd37 Change-Id: I9c2b72136d1f1c3062f0ac6b174c8334b1965e80 CR-Id: ALPS04649268 Feature: Mobile Log Tool 2020-01-18 10:16:47 +08:00
			`#data/debuglog`
			`allow mobile_log_d debuglog_data_file:dir {relabelto create_dir_perms};`
			`allow mobile_log_d debuglog_data_file:file create_file_perms;`
			`allow mobile_log_d system_data_file:dir create_dir_perms;`
			`file_type_auto_trans(mobile_log_d, system_data_file, debuglog_data_file)`
[ALPS04709387] Support to catch MCUPM log Add SELINUX rule for MCUPM log. MTK-Commit-Id: 9fb8d206f37f0fb00581f4417473974c014ff0dd Change-Id: I7a935534d4975e444b556d133ff222a4c144b5ca CR-Id: ALPS04709387 Feature: Mobile Log Tool 2020-01-18 10:17:51 +08:00
			`#mcupm`
			`allow mobile_log_d mcupm_device:chr_file r_file_perms;`
			`allow mobile_log_d sysfs_mcupm:file w_file_perms;`
			`allow mobile_log_d sysfs_mcupm:dir search;`