[ALPS03841705] modify aee_core_forwarder selinux rule

[Detail] transfer aee_core_forwarder form /vendor/bin to /system/bin, so modify aee_core_forwarder selinux rule. [Solution] MTK-Commit-Id: 5a583b375a0d33032e8004e1818f05c75363e4f5 Change-Id: I9ff1d0b5d521ce2f09780146f6b75c5378d03d4d CR-Id: ALPS03841705 Feature: Android Exception Engine(AEE)
2020-01-18 09:40:34 +08:00 · 2020-01-18 09:40:34 +08:00 · 07c11d89ba
commit 07c11d89ba
parent bea2ef85fd
5 changed files with 19 additions and 15 deletions
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@ -513,7 +513,6 @@
 #
 /(system\/vendor|vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0
 /(system\/vendor|vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0
-/(system\/vendor|vendor)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
 /(system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
 /(system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
 /(system\/vendor|vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0
--- a/non_plat/kernel.te
+++ b/non_plat/kernel.te
@ -22,7 +22,6 @@ allow kernel system_data_file:lnk_file r_file_perms;
 # Operation : Migration
 # Purpose : transit from kernel to aee_core_forwarder domain when executing aee_core_forwarder
 typeattribute kernel system_executes_vendor_violators;
-domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)

 # Date : WK14.43
 # Operation : Migration
--- a/plat_private/aee_core_forwarder.te
+++ b/plat_private/aee_core_forwarder.te
@ -1,11 +1,11 @@
 # ==============================================
-# Policy File of /vendor/bin/aee_core_forwarder Executable File
+# Policy File of /system/bin/aee_core_forwarder Executable File

 # ==============================================
 # Type Declaration
 # ==============================================
-type aee_core_forwarder_exec, exec_type, file_type, vendor_file_type;
-type aee_core_forwarder, domain;
+type aee_core_forwarder_exec, exec_type, file_type;
+typeattribute aee_core_forwarder coredomain;

 # ==============================================
 # MTK Policy Rule
@ -13,18 +13,17 @@ type aee_core_forwarder, domain;
 init_daemon_domain(aee_core_forwarder)

 #/data/core/zcorexxx.zip
-allow aee_core_forwarder aee_core_data_file:dir relabelto;
-allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
-allow aee_core_forwarder aee_core_data_file:file create_file_perms;
-typeattribute aee_core_forwarder data_between_core_and_vendor_violators;
-allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };
+#allow aee_core_forwarder aee_core_data_file:dir relabelto;
+#allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
+#allow aee_core_forwarder aee_core_data_file:file create_file_perms;
+#allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };

 #mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
 allow aee_core_forwarder sdcard_type:dir create_dir_perms;
 allow aee_core_forwarder sdcard_type:file create_file_perms;
 allow aee_core_forwarder self:capability fsetid;
-allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
-allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
+#allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
+#allow aee_core_forwarder aee_exp_data_file:file create_file_perms;

 #mkdir(path, mode)
 #allow aee_core_forwarder self:capability dac_override;
@ -64,7 +63,7 @@ dontaudit aee_core_forwarder untrusted_app:dir search;
 # Purpose : access for pipefs
 allow aee_core_forwarder kernel:fd use;
 # Purpose : read AEE persist property
-allow aee_core_forwarder persist_aee_prop:file r_file_perms;
+#allow aee_core_forwarder persist_aee_prop:file r_file_perms;
 # Purpose: search root dir "/"
 allow aee_core_forwarder tmpfs:dir search;
 # Purpose : read /selinux_version
@ -104,7 +103,7 @@ allow aee_core_forwarder media_rw_data_file:file { create open write };
 # Purpose : type=1400 audit(0.0:6594): avc: denied { connectto } for
 #           path=00616E64726F69643A6165655F616564 scontext=u:r:aee_core_forwarder:s0
 #           tcontext=u:r:aee_aedv:s0 tclass=unix_stream_socket permissive=0
-allow aee_core_forwarder aee_aedv:unix_stream_socket connectto;
+#allow aee_core_forwarder aee_aedv:unix_stream_socket connectto;

 # Data : 2017/08/04
 # Operation : fix sys_nice selinux warning
--- a/plat_private/file_contexts
+++ b/plat_private/file_contexts
@ -11,7 +11,7 @@
 #

 /system/bin/mobile_log_d u:object_r:mobile_log_d_exec:s0
-
+/system/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
 /system/bin/mdlogger u:object_r:mdlogger_exec:s0
 /system/bin/emdlogger[0-9]+ u:object_r:emdlogger_exec:s0
 /system/bin/netdiag u:object_r:netdiag_exec:s0
--- a/plat_public/aee_core_forwarder.te
+++ b/plat_public/aee_core_forwarder.te
@ -0,0 +1,7 @@
+# ==============================================
+# Policy File of /system/bin/aee_core_forwarder Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type aee_core_forwarder, domain;