[ALPS04428389] SEPlolicy: for app to access ged by ioctlcmd

[Detail]
For Android Q, there is a more stringent restriction on ioctl:
apps need specific permissions to access proc_ged via ioctl commands.

[Solution]
Group existing sepolicies for different types app to access
proc_ged by ioctlcmd together in appdomain.

MTK-Commit-Id: e9ba9a00dbbc063388c8120048a72fd8f7ce497c

Change-Id: I24a4671259a68a0fda756d37c16b7e61801e6cc8
CR-Id: ALPS04428389
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Shanshan Guo 2020-01-18 10:12:00 +08:00
parent be375a5c38
commit 203b3d02de
4 changed files with 10 additions and 17 deletions


@ -4,7 +4,16 @@
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow appdomain proc_ged:file {open read write ioctl getattr};
allow appdomain proc_ged:file rw_file_perms;
allowxperm appdomain proc_ged:file ioctl {
GED_BRIDGE_IO_GE_ALLOC
GED_BRIDGE_IO_LOG_BUF_GET
GED_BRIDGE_IO_GE_GET
GED_BRIDGE_IO_GE_SET
GED_BRIDGE_IO_MONITOR_3D_FENCE
GED_BRIDGE_IO_QUERY_INFO
GED_BRIDGE_IO_LOG_BUF_WRITE
};
# Date : W16.42
# Operation : Integration
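Review bot: The new appdomain allowxperm list is a superset of the per-domain lists this commit deletes, not just a regrouping: GED_BRIDGE_IO_LOG_BUF_WRITE is granted here although none of the removed platform_app, system_app or untrusted_app_25 rules carried it, and every appdomain type (including untrusted apps, and presumably isolated apps if they carry the attribute in this tree) now receives the full union rather than the subset its old rule allowed. The replacement of the explicit `{open read write ioctl getattr}` set with `rw_file_perms` also widens the file permissions beyond what the old line granted (the macro includes at least lock and map in AOSP). If the widening is intentional it should be stated, e.g. `# NOTE: union of the former platform_app/system_app/untrusted_app_25 lists plus LOG_BUF_WRITE; granted to all appdomain types` above the allowxperm line; otherwise keep the per-domain ioctlcmd lists and move only the common `ioctl` file permission into appdomain. The commit message says "group existing sepolicies", which does not match the added command.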


@ -108,6 +108,3 @@ get_prop(platform_app, vendor_bluetooth_prop)
get_prop(platform_app, mobile_log_prop)
get_prop(platform_app, vendor_connsysfw_prop)
allow platform_app proc_ged:file ioctl;
allowxperm platform_app proc_ged:file ioctl { GED_BRIDGE_IO_GE_ALLOC };


@ -29,8 +29,3 @@ allow system_app mtk_thermal_config_prop:file { getattr open read };
allow system_app aee_exp_data_file:file r_file_perms;
allow system_app aee_exp_data_file:dir r_dir_perms;
allow system_app md_monitor:unix_stream_socket connectto;
# Date : WK19.11
# Operation: Q migration
# Purpose : Allow system_app to use ioctl/ioctlcmd
allowxperm system_app proc_ged:file ioctl GED_BRIDGE_IO_LOG_BUF_GET;


@ -26,11 +26,3 @@ allow untrusted_app_25 sysfs_batteryinfo:dir search;
#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
allow untrusted_app_25 sysfs_therm:dir { open read search };
allow untrusted_app_25 sysfs_therm:file { getattr open read };
allowxperm untrusted_app_25 proc_ged:file ioctl {
GED_BRIDGE_IO_GE_GET
GED_BRIDGE_IO_MONITOR_3D_FENCE
GED_BRIDGE_IO_GE_SET
GED_BRIDGE_IO_QUERY_INFO
GED_BRIDGE_IO_GE_ALLOC
};