diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te index a860871..3b7197e 100644 --- a/r_non_plat/aee_aedv.te +++ b/r_non_plat/aee_aedv.te @@ -431,3 +431,6 @@ allow aee_aedv debugfs_vpu_memory:file r_file_perms; # Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo allow aee_aedv proc_dbg_repo:file r_file_perms; + +# Purpose: Allow aee_aedv to read /proc/pl_lk +allow aee_aedv proc_pl_lk:file r_file_perms; diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te index f3f8f21..c3a4c81 100644 --- a/r_non_plat/atci_service.te +++ b/r_non_plat/atci_service.te @@ -13,9 +13,6 @@ init_daemon_domain(atci_service) allow atci_service block_device:dir search; allow atci_service misc2_block_device:blk_file { open read write }; allow atci_service misc2_device:chr_file { open read write }; -allow atci_service bootdevice_block_device:blk_file { open read write }; - -allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin }; allow atci_service camera_isp_device:chr_file { read write ioctl open }; allow atci_service graphics_device:chr_file { read write ioctl open }; allow atci_service graphics_device:dir search; @@ -71,11 +68,9 @@ allow atci_service storage_file:lnk_file read; #allow atci_service media_rw_data_file:file { read write create open }; #============= atci_service ============== -allow atci_service property_socket:sock_file write; allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open}; -allow atci_service init:unix_stream_socket connectto; -allow atci_service mtk_em_prop:property_service set; +set_prop(atci_service, mtk_em_prop) # Date : 2016/03/02 # Operation : M-Migration diff --git a/r_non_plat/atcid.te b/r_non_plat/atcid.te index 1b1eddd..9ce98d2 100644 --- a/r_non_plat/atcid.te +++ b/r_non_plat/atcid.te @@ -9,10 +9,10 @@ type atcid, domain; type atcid_exec, exec_type, file_type, vendor_file_type; init_daemon_domain(atcid) -allow atcid init:unix_stream_socket connectto; -allow atcid property_socket:sock_file write; +set_prop(atcid,persist_service_atci_prop) allow atcid block_device:dir search; allow atcid socket_device:sock_file write; +allow atcid gsmrild_socket:sock_file write; # Date : WK17.21 # Purpose: Allow to use HIDL @@ -20,11 +20,8 @@ hwbinder_use(atcid) hal_client_domain(atcid, hal_telephony) allow atcid ttyGS_device:chr_file { read write ioctl open }; -allow atcid persist_service_atci_prop:property_service set; -allow atcid misc2_device:chr_file { read write open }; allow atcid wmtWifi_device:chr_file { write open }; allow atcid misc2_block_device:blk_file { read write open }; -allow atcid bootdevice_block_device:blk_file { open read write }; allow atci_service gpu_device:chr_file { read write open ioctl getattr }; allow atcid self:capability sys_time; diff --git a/r_non_plat/ccci_fsd.te b/r_non_plat/ccci_fsd.te index 370fb23..4f5e6a6 100644 --- a/r_non_plat/ccci_fsd.te +++ b/r_non_plat/ccci_fsd.te @@ -44,9 +44,9 @@ allow ccci_fsd otp_device:chr_file rw_file_perms; allow ccci_fsd sysfs:file r_file_perms; allow ccci_fsd sysfs_boot_type:file { read open }; #============= ccci_fsd MD block data============== +##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram allow ccci_fsd block_device:dir search; allow ccci_fsd nvram_device:blk_file rw_file_perms; -allow ccci_fsd bootdevice_block_device:blk_file rw_file_perms; allow ccci_fsd nvdata_device:blk_file rw_file_perms; #============= ccci_fsd cryption related ============== allow ccci_fsd rawfs:dir create_dir_perms; @@ -63,7 +63,7 @@ allow ccci_fsd kmsg_device:chr_file w_file_perms; allow ccci_fsd proc_lk_env:file rw_file_perms; #============= ccci_fsd MD Low Power Monitor Related ============== -allow ccci_fsd vendor_data_file:dir create_dir_perms; -allow ccci_fsd vendor_data_file:file create_file_perms; +allow ccci_fsd ccci_data_md1_file:dir create_dir_perms; +allow ccci_fsd ccci_data_md1_file:file create_file_perms; allow ccci_fsd sysfs_mmcblk:dir search; allow ccci_fsd sysfs_mmcblk:file { read getattr open }; diff --git a/r_non_plat/ccci_mdinit.te b/r_non_plat/ccci_mdinit.te index 11d33c7..3245459 100644 --- a/r_non_plat/ccci_mdinit.te +++ b/r_non_plat/ccci_mdinit.te @@ -71,15 +71,11 @@ allow ccci_mdinit protect_s_data_file:dir rw_dir_perms; allow ccci_mdinit protect_s_data_file:file create_file_perms; allow ccci_mdinit nvram_device:blk_file rw_file_perms; allow ccci_mdinit nvdata_device:blk_file rw_file_perms; -allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms; set_prop(ccci_mdinit, ril_mux_report_case_prop) allow ccci_mdinit ccci_cfg_file:dir create_dir_perms; allow ccci_mdinit ccci_cfg_file:file create_file_perms; -allow ccci_mdinit block_device:dir search; -allow ccci_mdinit preloader_block_device:blk_file r_file_perms; -allow ccci_mdinit secro_block_device:blk_file r_file_perms; #===============security relate ========================== allow ccci_mdinit preloader_device:chr_file rw_file_perms; allow ccci_mdinit misc_sd_device:chr_file r_file_perms; diff --git a/r_non_plat/domain.te b/r_non_plat/domain.te index 14ceb2d..f1877f7 100644 --- a/r_non_plat/domain.te +++ b/r_non_plat/domain.te @@ -20,14 +20,6 @@ allow { -isolated_app } sysfs_devinfo:file r_file_perms; -# Date:20170519 -# Purpose: Full treble bootup issue, coredomain need to access libudf.so where -# located on /vendor. -# TODO:: In O MR1 may need to change design -allow coredomain vendor_file:dir r_dir_perms; -#allow coredomain vendor_file:file { read open getattr execute }; -allow coredomain vendor_file:lnk_file { getattr read }; - # Date:20170630 # Purpose: allow trusted process to connect aee daemon #allow { diff --git a/r_non_plat/dumpstate.te b/r_non_plat/dumpstate.te index 4e23ee0..3c3d81f 100644 --- a/r_non_plat/dumpstate.te +++ b/r_non_plat/dumpstate.te @@ -54,8 +54,7 @@ allow dumpstate sysfs_lowmemorykiller:dir search; allow dumpstate expdb_block_device:blk_file { read write ioctl open }; #/data/anr/SF_RTT -allow dumpstate sf_rtt_file:dir search; -allow dumpstate sf_rtt_file:file r_file_perms; +allow dumpstate sf_rtt_file:dir { search getattr }; # Data : 2017/03/22 # Operation : add fd use selinux rule @@ -174,3 +173,11 @@ allow dumpstate sysfs_adsp:file r_file_perms; #Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon allow dumpstate debugfs_smi_mon:file r_file_perms; + +# MTEE Trusty +allow dumpstate mtee_trusty_file:file rw_file_perms; + +# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990): +# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0 +# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0 +allow dumpstate mnt_expand_file:dir search; diff --git a/r_non_plat/em_hidl.te b/r_non_plat/em_hidl.te index 34b31fa..fcf6abf 100644 --- a/r_non_plat/em_hidl.te +++ b/r_non_plat/em_hidl.te @@ -123,4 +123,8 @@ set_prop(em_hidl, mtk_em_hidl_prop) # Date : 2019/08/22 # Operation : EM AAL # Purpose: for em set aal property -set_prop(em_hidl, mtk_pq_prop) \ No newline at end of file +set_prop(em_hidl, mtk_pq_prop) +# Date : 2019/09/10 +# Operation : EM wcn coredump +# Purpose: for em set wcn coredump property +set_prop(em_hidl, coredump_prop) diff --git a/r_non_plat/file.te b/r_non_plat/file.te index 2b23f0f..ea7986b 100644 --- a/r_non_plat/file.te +++ b/r_non_plat/file.te @@ -13,6 +13,7 @@ type wpa_supplicant_data_file, file_type, data_file_type; type radvd_data_file, file_type, data_file_type; type volte_vt_socket, file_type; type dfo_socket, file_type; +type gsmrild_socket, file_type; type rild2_socket, file_type; type rild3_socket, file_type; type rild4_socket, file_type; @@ -136,6 +137,7 @@ type sf_rtt_file, file_type, data_file_type, core_data_file_type; type rild-dongle_socket, file_type; type ccci_cfg_file, file_type, data_file_type; +type ccci_data_md1_file, file_type, data_file_type; type c2k_file, file_type, data_file_type; #For sensor type sensor_data_file, file_type, data_file_type; @@ -343,10 +345,10 @@ type debugfs_regmap, fs_type, debugfs_type; type sys_usb_rawbulk, fs_type, sysfs_type; # Backlight brightness file -type sysfs_vibrator_setting, fs_type, sysfs_type; +type sysfs_leds_setting, fs_type, sysfs_type; # Vibrator vibrate file -type sysfs_leds_setting, fs_type, sysfs_type; +type sysfs_vibrator_setting, fs_type, sysfs_type; # Date : 2019/04/09 # Purpose: mtk EM battery settings @@ -380,3 +382,29 @@ type debugfs_smi_mon, fs_type, debugfs_type; # Date : WK19.34 # Purpose: Android Migration for video codec driver type vcodec_file, file_type, data_file_type; + +# Date : 2019/08/24 +type sysfs_sensor, fs_type, sysfs_type; + +#MTEE trusty +type mtee_trusty_file, fs_type, sysfs_type; + +# Date : 2019/08/29 +# Purpose: Allow rild access proc/aed/reboot-reason +type proc_aed_reboot_reason, fs_type, proc_type; + +# Date : 2019/09/05 +# Purpose: Allow powerhal to control kernel resources +type proc_ppm, fs_type, proc_type; +type proc_cpufreq, fs_type, proc_type; +type proc_hps, fs_type, proc_type; +type proc_cm_mgr, fs_type, proc_type; +type proc_ca_drv, fs_type, proc_type; +type sysfs_ged, fs_type, sysfs_type; +type sysfs_fbt_cpu, fs_type, sysfs_type; +type sysfs_fbt_fteh, fs_type, sysfs_type; + +# Date : WK19.38 +# Purpose: Android Migration for video codec driver +type sysfs_device_tree_model, fs_type, sysfs_type; + diff --git a/r_non_plat/file_contexts b/r_non_plat/file_contexts index ca2cb8e..7bce018 100644 --- a/r_non_plat/file_contexts +++ b/r_non_plat/file_contexts @@ -28,6 +28,7 @@ /data/vendor/gps(/.*)? u:object_r:gps_data_file:s0 /data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0 /data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0 +/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0 /data/vendor/flashless(/.*)? u:object_r:c2k_file:s0 /data/core(/.*)? u:object_r:aee_core_data_file:s0 /data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0 @@ -262,6 +263,22 @@ /dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0 /dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0 /dev/socket/netd(/.*)? u:object_r:netd_socket:s0 +/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/rild-atci u:object_r:gsmrild_socket:s0 +/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0 +/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0 /dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0 /dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0 /dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0 @@ -273,6 +290,8 @@ /dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0 /dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0 /dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0 +/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0 +/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0 /dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0 /dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0 /dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0 @@ -289,6 +308,8 @@ /dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0 /dev/socket/rild(/.*)? u:object_r:rild_socket:s0 /dev/socket/rild-via u:object_r:rild_via_socket:s0 +/dev/socket/rildc-debug u:object_r:rild_via_socket:s0 +/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0 /dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0 /dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0 /dev/socket/rpc u:object_r:rpc_socket:s0 @@ -486,10 +507,8 @@ /dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0 # Key manager -/dev/block/platform/bootdevice/by-name/kb u:object_r:kb_block_device:s0 -/dev/block/platform/bootdevice/by-name/dkb u:object_r:dkb_block_device:s0 -/dev/kb u:object_r:kb_block_device:s0 -/dev/dkb u:object_r:dkb_block_device:s0 +/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0 +/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0 # W19.23 Q new feature - Userdata Checkpoint /dev/block/by-name/md_udc u:object_r:metadata_block_device:s0 diff --git a/r_non_plat/genfs_contexts b/r_non_plat/genfs_contexts index 732b36c..52e0e1d 100644 --- a/r_non_plat/genfs_contexts +++ b/r_non_plat/genfs_contexts @@ -89,6 +89,8 @@ genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_expr genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0 genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0 genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0 +genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0 genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0 genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0 genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0 @@ -107,7 +109,10 @@ genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0 genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0 genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0 +# Date : 2019/09/12 genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0 +genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0 + genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0 genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0 @@ -158,9 +163,9 @@ genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc # Date : 2019/07/12 # Purpose:dumpstate mmcblk1 access +genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0 genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0 - ############################# # debugfs files # @@ -213,4 +218,29 @@ genfscon iso9660 / u:object_r:iso9660:s0 genfscon rawfs / u:object_r:rawfs:s0 genfscon fuseblk / u:object_r:fuseblk:s0 +# 2019/08/24 +genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0 +genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0 +# MTEE trusty +genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0 + +# Date : 2019/08/29 +# Purpose: allow rild to access /proc/aed/reboot-reason +genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0 + + +# 2019/09/05 +# Purpose: Allow powerhal to control kernel resources +genfscon proc /ppm u:object_r:proc_ppm:s0 +genfscon proc /cpufreq u:object_r:proc_cpufreq:s0 +genfscon proc /hps u:object_r:proc_hps:s0 +genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0 +genfscon proc /ca_drv u:object_r:proc_ca_drv:s0 +genfscon sysfs /module/ged u:object_r:sysfs_ged:s0 +genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0 +genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0 + +# Date : WK19.38 +# Purpose: Android Migration for video codec driver +genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0 diff --git a/r_non_plat/hal_graphics_allocator_default.te b/r_non_plat/hal_graphics_allocator_default.te index 4814d6c..a968437 100644 --- a/r_non_plat/hal_graphics_allocator_default.te +++ b/r_non_plat/hal_graphics_allocator_default.te @@ -21,3 +21,4 @@ allow hal_graphics_allocator_default debugfs_tracing:file open; allow hal_graphics_allocator_default proc_ged:file r_file_perms; allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls }; +#============= hal_graphics_allocator_default ============== diff --git a/r_non_plat/ioctl_defines b/r_non_plat/ioctl_defines index d7ec7ee..d227aab 100755 --- a/r_non_plat/ioctl_defines +++ b/r_non_plat/ioctl_defines @@ -15,6 +15,7 @@ define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a') define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b') define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c') define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d') +define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e') define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764') define(`GED_BRIDGE_IO_GE_GET', `0x6765') diff --git a/r_non_plat/ioctl_macros b/r_non_plat/ioctl_macros index 61b70c1..bf86503 100644 --- a/r_non_plat/ioctl_macros +++ b/r_non_plat/ioctl_macros @@ -14,6 +14,7 @@ define(`proc_ged_ioctls', `{ GED_BRIDGE_IO_QUERY_TARGET_FPS GED_BRIDGE_IO_VSYNC_WAIT GED_BRIDGE_IO_GPU_HINT_TO_CPU + GED_BRIDGE_IO_HINT_FORCE_MDP GED_BRIDGE_IO_GE_ALLOC GED_BRIDGE_IO_GE_GET GED_BRIDGE_IO_GE_SET diff --git a/r_non_plat/mtk_hal_audio.te b/r_non_plat/mtk_hal_audio.te index 5627c80..ffd5c7c 100644 --- a/r_non_plat/mtk_hal_audio.te +++ b/r_non_plat/mtk_hal_audio.te @@ -158,17 +158,13 @@ allow mtk_hal_audio mnt_user_file:lnk_file {read write}; # Operation : Migration # Purpose: read/open sysfs node allow mtk_hal_audio sysfs_ccci:file r_file_perms; +allow mtk_hal_audio sysfs_ccci:dir search; # Date : WK16.18 # Operation : Migration # Purpose: research root dir "/" allow mtk_hal_audio tmpfs:dir search; -# Date : WK16.18 -# Operation : Migration -# Purpose: access sysfs node -allow mtk_hal_audio sysfs:file { open read write }; -allow mtk_hal_audio sysfs_ccci:dir search; # Purpose: Dump debug info allow mtk_hal_audio debugfs_binder:dir search; allow mtk_hal_audio kmsg_device:chr_file { open write }; diff --git a/r_non_plat/mtk_hal_bluetooth.te b/r_non_plat/mtk_hal_bluetooth.te index 46b9d03..e08fb56 100644 --- a/r_non_plat/mtk_hal_bluetooth.te +++ b/r_non_plat/mtk_hal_bluetooth.te @@ -45,4 +45,8 @@ get_prop(mtk_hal_bluetooth, hwservicemanager_prop) allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find; allow mtk_hal_bluetooth system_data_file:lnk_file read; + hal_server_domain(mtk_hal_bluetooth,hal_bluetooth); + +# Purpose: Allow BT Driver to insmod +allow mtk_hal_bluetooth wmt_prop:property_service set; diff --git a/r_non_plat/mtk_hal_gpu.te b/r_non_plat/mtk_hal_gpu.te index 939351d..ab08bdd 100644 --- a/r_non_plat/mtk_hal_gpu.te +++ b/r_non_plat/mtk_hal_gpu.te @@ -31,11 +31,6 @@ hal_client_domain(mtk_hal_gpu, hal_allocator) # Purpose : Allow to use kernel driver allow mtk_hal_gpu graphics_device:chr_file rw_file_perms; -# Purpose : Allow property set -allow mtk_hal_gpu init:unix_stream_socket connectto; -allow mtk_hal_gpu property_socket:sock_file write; - - # Purpose : Allow permission to set pq property #set_prop(mtk_hal_gpu, mtk_gpu_prop) diff --git a/r_non_plat/mtk_hal_light.te b/r_non_plat/mtk_hal_light.te index 7a69812..de88326 100644 --- a/r_non_plat/mtk_hal_light.te +++ b/r_non_plat/mtk_hal_light.te @@ -14,7 +14,6 @@ binder_call(mtk_hal_light, system_server) # system file allow mtk_hal_light system_file:dir read; allow mtk_hal_light system_file:dir open; -allow mtk_hal_light sysfs:file rw_file_perms; allow mtk_hal_light sysfs_leds:lnk_file read; allow mtk_hal_light sysfs_leds:file rw_file_perms; diff --git a/r_non_plat/mtk_hal_mms.te b/r_non_plat/mtk_hal_mms.te index 8ebbcaf..d52f12b 100755 --- a/r_non_plat/mtk_hal_mms.te +++ b/r_non_plat/mtk_hal_mms.te @@ -40,6 +40,7 @@ allow mtk_hal_mms mtk_hal_pq:binder call; # Purpose : Allow to use graphics allocator fd for gralloc_extra allow mtk_hal_mms hal_graphics_allocator_default:fd use; allow mtk_hal_mms debugfs_ion:dir search; +allow mtk_hal_mms merged_hal_service:fd use; # Purpose : VDEC/VENC device node allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms; diff --git a/r_non_plat/mtk_hal_power.te b/r_non_plat/mtk_hal_power.te index d987d93..fa52542 100644 --- a/r_non_plat/mtk_hal_power.te +++ b/r_non_plat/mtk_hal_power.te @@ -18,10 +18,6 @@ allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find; hal_server_domain(mtk_hal_power, hal_power); hal_server_domain(mtk_hal_power, hal_wifi); -# proc fs -allow mtk_hal_power proc:dir r_dir_perms; -allow mtk_hal_power proc:file rw_file_perms; - # sysfs allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms; @@ -62,7 +58,6 @@ allow mtk_hal_power mtk_hal_camera:file r_file_perms; # Operation: SQC # Purpose : Allow powerHAL to access thermal allow mtk_hal_power proc_thermal:dir r_dir_perms; -allow mtk_hal_power sysfs:file rw_file_perms; allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms; allow mtk_hal_power debugfs_fpsgo:file rw_file_perms; @@ -147,3 +142,20 @@ allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls; # Purpose : MTK power hal interface permission set_prop(mtk_hal_power, mtk_powerhal_prop) +# Date : 2019/09/05 +# Operation: SQC +# Purpose : Add procfs, sysfs policy +allow mtk_hal_power proc_ppm:dir r_dir_perms; +allow mtk_hal_power proc_ppm:file rw_file_perms; +allow mtk_hal_power proc_cpufreq:dir r_dir_perms; +allow mtk_hal_power proc_cpufreq:file rw_file_perms; +allow mtk_hal_power proc_hps:dir r_dir_perms; +allow mtk_hal_power proc_hps:file rw_file_perms; +allow mtk_hal_power proc_cm_mgr:dir r_dir_perms; +allow mtk_hal_power proc_cm_mgr:file rw_file_perms; +allow mtk_hal_power sysfs_ged:dir r_dir_perms; +allow mtk_hal_power sysfs_ged:file rw_file_perms; +allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms; +allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms; +allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms; +allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms; diff --git a/r_non_plat/mtk_hal_sensors.te b/r_non_plat/mtk_hal_sensors.te index a0da1ca..51662d9 100644 --- a/r_non_plat/mtk_hal_sensors.te +++ b/r_non_plat/mtk_hal_sensors.te @@ -27,7 +27,8 @@ allow mtk_hal_sensors system_file:dir read; allow mtk_hal_sensors system_file:dir open; # sensors input rw access -allow mtk_hal_sensors sysfs:file rw_file_perms; +allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms; +allow mtk_hal_sensors sysfs_sensor:file rw_file_perms; # hal sensor for chr_file allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms; diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te index ae80035..a134520 100644 --- a/r_non_plat/mtkrild.te +++ b/r_non_plat/mtkrild.te @@ -54,7 +54,7 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms; allow mtkrild sdcardfs:dir r_dir_perms; # Violate Android P rule #allow mtkrild system_file:file x_file_perms; -allow mtkrild proc:file rw_file_perms; +#allow mtkrild proc:file rw_file_perms; allow mtkrild proc_net:file w_file_perms; # Set and get routes directly via netlink. @@ -68,13 +68,13 @@ allow mtkrild mtd_device:dir search; allow mtkrild tty_device:chr_file rw_file_perms; allow mtkrild eemcs_device:chr_file { rw_file_perms }; -allow mtkrild Vcodec_device:chr_file { rw_file_perms }; +#allow mtkrild Vcodec_device:chr_file { rw_file_perms }; allow mtkrild devmap_device:chr_file { r_file_perms }; allow mtkrild devpts:chr_file { rw_file_perms }; allow mtkrild ccci_device:chr_file { rw_file_perms }; allow mtkrild misc_device:chr_file { rw_file_perms }; allow mtkrild proc_lk_env:file rw_file_perms; -allow mtkrild bootdevice_block_device:blk_file { rw_file_perms }; +#allow mtkrild bootdevice_block_device:blk_file { rw_file_perms }; allow mtkrild para_block_device:blk_file { rw_file_perms }; # Allow dir search, fd uses @@ -82,10 +82,6 @@ allow mtkrild block_device:dir search; allow mtkrild platform_app:fd use; allow mtkrild radio:fd use; -# For emulator -allow mtkrild qemu_pipe_device:chr_file rw_file_perms; -allow mtkrild socket_device:sock_file { w_file_perms }; - # For MAL MFI allow mtkrild mal_mfi_socket:sock_file { w_file_perms }; @@ -93,8 +89,6 @@ allow mtkrild mal_mfi_socket:sock_file { w_file_perms }; allow mtkrild sysfs_ccci:dir search; allow mtkrild sysfs_ccci:file r_file_perms; -allow init socket_device:sock_file { create unlink setattr }; - #For Kryptowire mtklog issue allow mtkrild aee_aedv:unix_stream_socket connectto; # Allow ioctl in order to control network interface diff --git a/r_non_plat/nvram_agent_binder.te b/r_non_plat/nvram_agent_binder.te index cd50bb7..5dc888a 100644 --- a/r_non_plat/nvram_agent_binder.te +++ b/r_non_plat/nvram_agent_binder.te @@ -21,7 +21,6 @@ init_daemon_domain(nvram_agent_binder) # Operation : 2rd Selinux Migration # Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission allow nvram_agent_binder nvram_device:blk_file rw_file_perms; -allow nvram_agent_binder bootdevice_block_device:blk_file rw_file_perms; allow nvram_agent_binder nvdata_device:blk_file rw_file_perms; allow nvram_agent_binder nvram_data_file:dir create_dir_perms; allow nvram_agent_binder nvram_data_file:file create_file_perms; @@ -34,9 +33,6 @@ allow nvram_agent_binder als_ps_device:chr_file r_file_perms; allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms; allow nvram_agent_binder gsensor_device:chr_file r_file_perms; allow nvram_agent_binder gyroscope_device:chr_file r_file_perms; -allow nvram_agent_binder init:unix_stream_socket connectto; -allow nvram_agent_binder property_socket:sock_file write; -allow nvram_agent_binder sysfs:file write; allow nvram_agent_binder self:capability { fowner chown fsetid }; # Purpose: for backup @@ -44,7 +40,6 @@ allow nvram_agent_binder nvram_device:chr_file rw_file_perms; allow nvram_agent_binder pro_info_device:chr_file rw_file_perms; allow nvram_agent_binder block_device:dir search; -allow nvram_agent_binder app_data_file:file write; # for MLC device allow nvram_agent_binder mtd_device:dir search; allow nvram_agent_binder mtd_device:chr_file rw_file_perms; diff --git a/r_non_plat/nvram_daemon.te b/r_non_plat/nvram_daemon.te index 731d6ce..7ed8bfa 100644 --- a/r_non_plat/nvram_daemon.te +++ b/r_non_plat/nvram_daemon.te @@ -21,7 +21,6 @@ init_daemon_domain(nvram_daemon) # Operation : Migration # Purpose : the device is used to store Nvram backup data that can not be lost. allow nvram_daemon nvram_device:blk_file rw_file_perms; -allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms; allow nvram_daemon nvdata_device:blk_file rw_file_perms; # Date : WK14.35 @@ -41,7 +40,6 @@ allow nvram_daemon gyroscope_device:chr_file r_file_perms; allow nvram_daemon init:unix_stream_socket connectto; # Purpose: for property set -allow nvram_daemon sysfs:file w_file_perms; allow nvram_daemon self:capability { fowner chown fsetid }; # Purpose: for backup diff --git a/r_non_plat/property.te b/r_non_plat/property.te index fad95d8..3ac67c0 100644 --- a/r_non_plat/property.te +++ b/r_non_plat/property.te @@ -320,3 +320,6 @@ type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type; #=============mtk hdmi property============= type mtk_hdmi_prop, property_type, mtk_core_property_type; + +#=============mtk nn option property============= +type mtk_nn_option_prop, property_type; diff --git a/r_non_plat/property_contexts b/r_non_plat/property_contexts index ee3f0cc..609ded7 100644 --- a/r_non_plat/property_contexts +++ b/r_non_plat/property_contexts @@ -348,3 +348,6 @@ ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0 #=============allow mtk hdmi==============# persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0 + +#=============mtk nn option==============# +ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0 diff --git a/r_non_plat/rild.te b/r_non_plat/rild.te index 1247403..67cf3eb 100644 --- a/r_non_plat/rild.te +++ b/r_non_plat/rild.te @@ -43,7 +43,6 @@ allow rild bluetooth_efs_file:dir r_dir_perms; # Violate Android P rule allow rild sdcardfs:dir r_dir_perms; #allow rild system_file:file x_file_perms; -allow rild proc:file rw_file_perms; allow rild proc_net:file w_file_perms; # Allow rild to create and use netlink sockets. @@ -58,14 +57,14 @@ allow rild mtd_device:dir search; allow rild tty_device:chr_file rw_file_perms; allow rild eemcs_device:chr_file { rw_file_perms }; -allow rild Vcodec_device:chr_file { rw_file_perms }; +#allow rild Vcodec_device:chr_file { rw_file_perms }; allow rild devmap_device:chr_file { r_file_perms }; allow rild devpts:chr_file { rw_file_perms }; allow rild ccci_device:chr_file { rw_file_perms }; allow rild misc_device:chr_file { rw_file_perms }; allow rild proc_lk_env:file rw_file_perms; allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms }; -allow rild bootdevice_block_device:blk_file { rw_file_perms }; +#allow rild bootdevice_block_device:blk_file { rw_file_perms }; allow rild para_block_device:blk_file { rw_file_perms }; # Allow dir search, fd uses @@ -155,3 +154,7 @@ allow rild proc_cmdline:file r_file_perms; # Operation: AP wifi path # Purpose: Allow packet can be filtered by RILD process allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl }; + +# Date : 2019/08/29 +# Purpose: Allow rild to access proc/aed/reboot-reason +allow rild proc_aed_reboot_reason:file rw_file_perms; \ No newline at end of file diff --git a/r_non_plat/rilproxy.te b/r_non_plat/rilproxy.te index 7b8c5d4..0f74a36 100644 --- a/r_non_plat/rilproxy.te +++ b/r_non_plat/rilproxy.te @@ -18,7 +18,6 @@ allow rild init:unix_stream_socket connectto; allow rild mtkrild:unix_stream_socket connectto; allow rild property_socket:sock_file write; allow rild self:capability setuid; -allow rild socket_device:sock_file write; allow rild radio_prop:property_service set; allow rild ril_mux_report_case_prop:property_service set; allow rild mtk_agpsd:unix_stream_socket connectto; @@ -72,3 +71,9 @@ set_prop(mtkrild, mtk_ss_vendor_prop) # Purpose: Allow rild access to send SUPL INIT to mnld allow rild mnld:unix_dgram_socket sendto; allow mtkrild mnld:unix_dgram_socket sendto; + +# Date : W19.35 +# Operation: Q migration +# Purpose: Fix rilproxy SeLinux warning of pre-defined socket +allow rild gsmrild_socket:sock_file write; + diff --git a/r_non_plat/system_server.te b/r_non_plat/system_server.te index bba72c3..427103a 100644 --- a/r_non_plat/system_server.te +++ b/r_non_plat/system_server.te @@ -207,3 +207,8 @@ allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls }; # Date: 2019/06/14 # Operation : Migration get_prop(system_server, vendor_default_prop) + +# Date: 2019/06/14 +# Operation : when WFD turnning on, turn off hdmi +allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find; +allow system_server mtk_hal_hdmi:binder call; \ No newline at end of file diff --git a/r_non_plat/thermal_manager.te b/r_non_plat/thermal_manager.te index 2ad3f91..a33e4b4 100644 --- a/r_non_plat/thermal_manager.te +++ b/r_non_plat/thermal_manager.te @@ -39,16 +39,17 @@ allow thermal_manager camera_isp_device:chr_file { read write }; allow thermal_manager cameraserver:fd use; allow thermal_manager kd_camera_hw_device:chr_file { read write }; allow thermal_manager MTK_SMI_device:chr_file read; -allow thermal_manager property_socket:sock_file write; allow thermal_manager surfaceflinger:fd use; -allow thermal_manager init:unix_stream_socket connectto; -allow thermal_manager sysfs:file write; +set_prop(thermal_manager ,mtk_thermal_config_prop) -# Date : WK17.12 +# Date : 2019/09/12 # Operation : Migration -# Purpose : Allow thermal_manager to notify SPA. -allow thermal_manager mtk_thermal_config_prop:file { getattr open read }; -allow thermal_manager mtk_thermal_config_prop:property_service set; +# Purpose : add sysfs permission +# path = " sys/devices/virtual/thermal/" +# path = " sys/class/thermal/" +allow thermal_manager sysfs_therm:file w_file_perms; + + # Date : WK18.18 # Operation : P Migration diff --git a/r_non_plat/vendor_init.te b/r_non_plat/vendor_init.te index f9b5517..5df8e27 100644 --- a/r_non_plat/vendor_init.te +++ b/r_non_plat/vendor_init.te @@ -32,6 +32,7 @@ set_prop(vendor_init, tel_switch_prop) set_prop(vendor_init, mtk_aal_ro_prop) set_prop(vendor_init, mtk_pq_ro_prop) set_prop(vendor_init, mtk_default_prop) +set_prop(vendor_init, mtk_nn_option_prop) set_prop(vendor_init, mtk_emmc_support_prop) set_prop(vendor_init, mtk_anr_support_prop)