From 203b3d02de91ee3f20f86f45495b8c8c3aa43a47 Mon Sep 17 00:00:00 2001
From: Shanshan Guo <Shanshan.Guo@mediatek.com>
Date: Sat, 18 Jan 2020 10:12:00 +0800
Subject: [PATCH] [ALPS04428389] SEPlolicy: for app to access ged by ioctlcmd

[Detail]
For Andorid Q, there is a more stringent restriction for ioctl,
app need some permissions to access proc_ged by ioctlcmd.

[Solution]
Group existing sepolicies for different types app to access
proc_ged by ioctlcmd together in appdomain.

MTK-Commit-Id: e9ba9a00dbbc063388c8120048a72fd8f7ce497c

Change-Id: I24a4671259a68a0fda756d37c16b7e61801e6cc8
CR-Id: ALPS04428389
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
---
 non_plat/app.te           | 11 ++++++++++-
 non_plat/platform_app.te  |  3 ---
 non_plat/system_app.te    |  5 -----
 non_plat/untrusted_app.te |  8 --------
 4 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/non_plat/app.te b/non_plat/app.te
index 354fd72..a3b2195 100644
--- a/non_plat/app.te
+++ b/non_plat/app.te
@@ -4,7 +4,16 @@
 
 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-allow appdomain proc_ged:file {open read write ioctl getattr};
+allow appdomain proc_ged:file rw_file_perms;
+allowxperm appdomain proc_ged:file ioctl {
+ GED_BRIDGE_IO_GE_ALLOC
+ GED_BRIDGE_IO_LOG_BUF_GET
+ GED_BRIDGE_IO_GE_GET
+ GED_BRIDGE_IO_GE_SET
+ GED_BRIDGE_IO_MONITOR_3D_FENCE
+ GED_BRIDGE_IO_QUERY_INFO
+ GED_BRIDGE_IO_LOG_BUF_WRITE
+ };
 
 # Date : W16.42
 # Operation : Integration
diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te
index d05a2dd..595ba0f 100644
--- a/non_plat/platform_app.te
+++ b/non_plat/platform_app.te
@@ -108,6 +108,3 @@ get_prop(platform_app, vendor_bluetooth_prop)
 get_prop(platform_app, mobile_log_prop)
 
 get_prop(platform_app, vendor_connsysfw_prop)
-
-allow platform_app proc_ged:file ioctl;
-allowxperm platform_app proc_ged:file ioctl { GED_BRIDGE_IO_GE_ALLOC };
diff --git a/non_plat/system_app.te b/non_plat/system_app.te
index a3ac9d2..a7e9def 100644
--- a/non_plat/system_app.te
+++ b/non_plat/system_app.te
@@ -29,8 +29,3 @@ allow system_app mtk_thermal_config_prop:file { getattr open read };
 allow system_app aee_exp_data_file:file r_file_perms;
 allow system_app aee_exp_data_file:dir r_dir_perms;
 allow system_app md_monitor:unix_stream_socket connectto;
-
-# Date : WK19.11
-# Operation: Q migration
-# Purpose : Allow system_app to use ioctl/ioctlcmd
-allowxperm system_app proc_ged:file ioctl GED_BRIDGE_IO_LOG_BUF_GET;
diff --git a/non_plat/untrusted_app.te b/non_plat/untrusted_app.te
index 5152390..3d3c42a 100644
--- a/non_plat/untrusted_app.te
+++ b/non_plat/untrusted_app.te
@@ -26,11 +26,3 @@ allow untrusted_app_25 sysfs_batteryinfo:dir search;
 #allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
 allow untrusted_app_25 sysfs_therm:dir { open read search };
 allow untrusted_app_25 sysfs_therm:file { getattr open read };
-
-allowxperm untrusted_app_25 proc_ged:file ioctl {
-GED_BRIDGE_IO_GE_GET
-GED_BRIDGE_IO_MONITOR_3D_FENCE
-GED_BRIDGE_IO_GE_SET
-GED_BRIDGE_IO_QUERY_INFO
-GED_BRIDGE_IO_GE_ALLOC
-};
\ No newline at end of file