[ALPS04357449] Sepolicy: workaround for denied policy

[Detail]
Set proc node specific node
- hraphic_composer
- bootanimation
- aee_core_forwarder
- surfaceflinger

MTK-Commit-Id: 46901e2900a497c472b8a7c01f1350bdd28bbdae

Change-Id: I89a1ab578a2841d3a16718153d5a716ad45c399b
CR-Id: ALPS04357449
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK

non_plat/aee_core_forwarder.te

@@ -7,3 +7,4 @@
 
 allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
 allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
+allow aee_core_forwarder hwservicemanager_prop:file { read open getattr };

non_plat/bootanim.te

@@ -25,4 +25,7 @@ allow bootanim proc_perfmgr:file {open read ioctl};
 # Date : WK19.11
 # Operation : Migration
 # Purpose : Allow to access ged for ioctl related functions
-allowxperm bootanim proc_ged:file ioctl { GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_GE_GET };
+allowxperm bootanim proc_ged:file ioctl { GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_GE_GET GED_BRIDGE_IO_GE_SET GED_BRIDGE_IO_MONITOR_3D_FENCE GED_BRIDGE_IO_QUERY_INFO };
+
+allowxperm bootanim proc_perfmgr:file ioctl { GED_BRIDGE_IO_LOG_BUF_WRITE GED_BRIDGE_IO_BOOST_GPU_FREQ GED_BRIDGE_IO_IOCTLCMD_0F GED_BRIDGE_IO_IOCTLCMD_10 };
+

non_plat/hal_graphics_composer_default.te

@@ -51,4 +51,4 @@ set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop)
 #============= hal_graphics_composer_default ==============
 allow hal_graphics_composer_default mtk_mdp_device:chr_file { read write open ioctl };
 
-allowxperm hal_graphics_composer_default proc_ged:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_GE_INFO};
+allowxperm hal_graphics_composer_default proc_ged:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_GE_INFO GED_BRIDGE_IO_GE_GET GED_BRIDGE_IO_GE_SET};

non_plat/hwservice_contexts

@@ -12,6 +12,10 @@ vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
 # power hidl
 vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:mtk_hal_power_hwservice:s0
 vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:mtk_hal_power_hwservice:s0
+vendor.mediatek.hardware.power::IPerf u:object_r:mtk_hal_power_hwservice:s0
+vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0
+
+
 
 # Date: 2017/06/12
 # LBS HIDL

non_plat/ioctl_defines

@@ -1,4 +1,11 @@
 define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
 define(`GED_BRIDGE_IO_GE_GET', `0x6765')
+define(`GED_BRIDGE_IO_GE_SET', `0x6766')
 define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700')
+define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701')
+define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703')
+define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704')
+define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705')
+define(`GED_BRIDGE_IO_IOCTLCMD_0F', `0x670f')
+define(`GED_BRIDGE_IO_IOCTLCMD_10', `0x6710')
 define(`GED_BRIDGE_IO_GE_INFO', `0x6769')

non_plat/mtk_hal_power.te

@@ -12,8 +12,10 @@ get_prop(mtk_hal_power, hwservicemanager_prop)
 allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
 allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;
 
-#add_hwservice(hal_power, mtk_hal_power_hwservice)
+add_hwservice(mtk_hal_power, mtk_hal_power_hwservice)
 allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
+allow system_server mtk_hal_power_hwservice:hwservice_manager find;
+
 
 hal_server_domain(mtk_hal_power, hal_power);
 

non_plat/surfaceflinger.te

@@ -60,3 +60,6 @@ allow surfaceflinger hal_graphics_composer_default:lnk_file read;
 # Operation : Debug
 # Purpose: Allow to dump buffer queue
 get_prop(surfaceflinger, debug_bq_dump_prop)
+
+allowxperm surfaceflinger proc_perfmgr:file ioctl {GED_BRIDGE_IO_LOG_BUF_GET GED_BRIDGE_IO_BOOST_GPU_FREQ GED_BRIDGE_IO_QUERY_INFO};
+

non_plat/workaround.te

@@ -0,0 +1,56 @@
+
+
+#============= aee_core_forwarder ==============
+allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
+allow aee_core_forwarder aee_core_data_file:dir read;
+allow aee_core_forwarder hwservicemanager:binder { call transfer };
+
+#============= audioserver ==============
+allow audioserver vendor_default_prop:file read;
+
+#============= bip ==============
+allow bip net_dns_prop:file read;
+
+#============= bluetooth ==============
+allow bluetooth mtk_amslog_prop:file read;
+
+#============= emdlogger ==============
+allow emdlogger logmuch_prop:file read;
+
+#============= merged_hal_service ==============
+allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find;
+
+#============= mtk_hal_audio ==============
+allow mtk_hal_audio audioserver:fifo_file write;
+allow mtk_hal_audio sysfs_boot_mode:file read;
+allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
+
+#============= mtk_hal_camera ==============
+allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
+
+#============= platform_app ==============
+allow platform_app mtk_amslog_prop:file read;
+
+#============= rild ==============
+allow rild proc_cmdline:file read;
+
+#============= shared_relro ==============
+allow shared_relro mtk_amslog_prop:file read;
+
+#============= system_server ==============
+allow system_server vendor_default_prop:file read;
+
+#============= ueventd ==============
+allow ueventd tmpfs:lnk_file read;
+
+#============= wmt_loader ==============
+allow wmt_loader proc_wmtdbg:file setattr;
+
+# interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+allow hal_audio_server hal_audio_hwservice:hwservice_manager find;
+allow hal_audio hal_audio_hwservice:hwservice_manager find;
+
+
+# interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
+allow aee_core_forwarder system_suspend_hwservice:hwservice_manager find;