[ALPS05009976] SEPolicy: Merge folder non_plat and r_non_plat

[Detail]
BASIC and BSP projects should have the same sepolicies in basic/.

[Solution]
1.Modify SEPolicies in non_plat/ by comparing with r_non_plat/ .
2.Remove r_non_plat/ .

Change-Id: I24d3df00255779bd73f4075c1c4062176d5b6047
CR-Id: ALPS05009976
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
Shanshan Guo 2020-02-29 12:02:13 +08:00 committed by Aayush Gupta
parent d9354577e0
commit 2b923a53d6
160 changed files with 22 additions and 10896 deletions


@ -119,10 +119,7 @@ allow atci_service sysfs_batteryinfo:file { read getattr open };
#allow atci_service system_data_file:lnk_file read;
allow atci_service system_file:dir { read open };
allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
#allow atci_service media_rw_data_file:dir { read getattr open };
#allow atci_service media_rw_data_file:file { getattr setattr };
allow atci_service mtkcam_prop:file { read getattr open };
#allow atci_service hal_camera_hwservice:hwservice_manager find;
allow atci_service mtk_hal_camera:binder call;
allow atci_service debugfs_ion:dir search;
allow atci_service sysfs_tpd_setting:file { read write open getattr };


@ -28,23 +28,6 @@ allow cameraserver self:process { ptrace };
# -----------------------------------
allow cameraserver mtkcam_prop:file { open read getattr };
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
# allow cameraserver camera_isp_device:chr_file rw_file_perms;
# allow cameraserver ccu_device:chr_file rw_file_perms;
# allow cameraserver vpu_device:chr_file rw_file_perms;
# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
# allow cameraserver seninf_device:chr_file rw_file_perms;
# allow cameraserver self:capability { setuid ipc_lock sys_nice };
# allow cameraserver sysfs_wake_lock:file rw_file_perms;
# allow cameraserver MTK_SMI_device:chr_file r_file_perms;
# allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
# allow cameraserver lens_device:chr_file rw_file_perms;
# allow cameraserver nvdata_file:lnk_file read;
# allow cameraserver proc_meminfo:file { read getattr open };
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)


@ -181,3 +181,6 @@ allow dumpstate mtee_trusty_file:file rw_file_perms;
# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
allow dumpstate mnt_expand_file:dir { search getattr };
#Purpose: Allow dumpstate to read /dev/usb-ffs
allow dumpstate functionfs:file { getattr };
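Review bot: The comment on the added rule says dumpstate may read /dev/usb-ffs, but the rule grants only `getattr` on `functionfs:file`, so the comment overstates the access. Reword it to match the grant, for example `# Purpose: Allow dumpstate to stat files under /dev/usb-ffs`. The rule just above it records the avc denial that motivated it; recording the denial here as well would let a later reviewer confirm that `getattr` is the minimal permission needed.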


@ -11,10 +11,6 @@ allow netd wmtWifi_device:chr_file { write open };
# Date : WK14.34
# Operation : Migration
# Purpose : NA
# OwnerŁş Changqing Sun
allow netd kernel:system module_request;
allow netd self:capability sys_module;
allow netd self:capability fsetid;
# Date : WK14.34


@ -1,14 +1,14 @@
#====================== uncrypt.te ======================
# uncrypt for mtd
allow uncrypt mtd_device:chr_file { read write open ioctl };
allow uncrypt mtd_device:dir search;
allow uncrypt misc_device:chr_file ~rename;
allow uncrypt system_data_file:file { open read };
allow uncrypt userdata_block_device:blk_file w_file_perms;
allow uncrypt para_block_device:blk_file { write open };
allow uncrypt system_app_data_file:dir { getattr search };
allow uncrypt system_app_data_file:file { read getattr };
allow uncrypt media_rw_data_file:dir { getattr search };
allow uncrypt media_rw_data_file:file { read getattr open };
allow uncrypt ota_package_file:file w_file_perms;
#====================== uncrypt.te ======================
# uncrypt for mtd
allow uncrypt mtd_device:chr_file rw_file_perms;
allow uncrypt mtd_device:dir search;
allow uncrypt misc_device:chr_file ~rename;
allow uncrypt system_data_file:file { open read };
allow uncrypt userdata_block_device:blk_file w_file_perms;
allow uncrypt para_block_device:blk_file w_file_perms;
allow uncrypt system_app_data_file:dir { getattr search };
allow uncrypt system_app_data_file:file { read getattr };
allow uncrypt media_rw_data_file:dir { getattr search };
allow uncrypt media_rw_data_file:file r_file_perms;
allow uncrypt ota_package_file:file w_file_perms;
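Review bot: `allow uncrypt misc_device:chr_file ~rename;` is carried over unchanged in what appears to be the new copy of the file, and the complement set grants uncrypt every chr_file permission except rename rather than the few it needs. Prefer an explicit set such as `allow uncrypt misc_device:chr_file rw_file_perms;`, assuming read/write access is all uncrypt uses on the misc device (the callers are not visible here). Separately, moving `para_block_device:blk_file` from `{ write open }` to `w_file_perms` and `mtd_device:chr_file` from an explicit list to `rw_file_perms` widens those grants (append and lock, for example). A one-line comment stating that the widening is intentional would make the merge easier to audit.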


@ -74,4 +74,8 @@ set_prop(vendor_init, mtk_wifi_hotspot_prop)
set_prop(vendor_init, persist_aeev_prop)
set_prop(vendor_init, mtk_powerhal_prop)
set_prop(vendor_init, mtk_powerhal_prop)
# mmstat tracer
allow vendor_init debugfs_tracing_instances:dir create_dir_perms;
allow vendor_init debugfs_tracing_instances:file w_file_perms;
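Review bot: The two added `debugfs_tracing_instances` rules give vendor_init directory-creation (`create_dir_perms`) and file-write (`w_file_perms`) access under the tracing instances directory on every build variant, and the only justification is the comment `# mmstat tracer`. If the tracer is a debugging aid, wrap both rules in `userdebug_or_eng(...)`, as the `debugfs_tracing_debug` rule for aee_aedv elsewhere on this page is wrapped; whether user builds need the tracer is not visible here. The comment would also benefit from the Date / Operation / Purpose header used by neighbouring rules, naming the instance path that vendor_init creates.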


@ -1,9 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/MtkCodecService Executable File
# ==============================================
# Type Declaration
# ==============================================
type MtkCodecService_exec , exec_type, file_type, vendor_file_type;
type MtkCodecService ,domain;


@ -1,13 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
#permissive adbd;
# Data : WK17.46
# Operator: Migration
# Purpose: Allow adbd to read KE DB
allow adbd aee_dumpsys_data_file:file r_file_perms;
allow adbd aee_exp_data_file:dir r_dir_perms;
allow adbd aee_exp_data_file:file r_file_perms;
allow adbd gpu_device:dir search;


@ -1,70 +0,0 @@
# ==============================================
# Policy File of /system/bin/aee_aed Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aed aed_device:chr_file rw_file_perms;
allow aee_aed expdb_device:chr_file rw_file_perms;
allow aee_aed expdb_block_device:blk_file rw_file_perms;
allow aee_aed etb_device:chr_file rw_file_perms;
# open/dev/mtd/mtd12 failed(expdb)
allow aee_aed mtd_device:dir create_dir_perms;
allow aee_aed mtd_device:chr_file rw_file_perms;
# NE flow: /dev/RT_Monitor
allow aee_aed RT_Monitor_device:chr_file r_file_perms;
#data/aee_exp
allow aee_aed aee_exp_data_file:dir create_dir_perms;
allow aee_aed aee_exp_data_file:file create_file_perms;
#data/dumpsys
allow aee_aed aee_dumpsys_data_file:dir create_dir_perms;
allow aee_aed aee_dumpsys_data_file:file create_file_perms;
#/data/core
allow aee_aed aee_core_data_file:dir create_dir_perms;
allow aee_aed aee_core_data_file:file create_file_perms;
# /data/data_tmpfs_log
allow aee_aed data_tmpfs_log_file:dir create_dir_perms;
allow aee_aed data_tmpfs_log_file:file create_file_perms;
# Purpose: aee_aed set property
set_prop(aee_aed, persist_mtk_aee_prop);
set_prop(aee_aed, persist_aee_prop);
set_prop(aee_aed, debug_mtk_aee_prop);
# /proc/lk_env
allow aee_aed proc_lk_env:file rw_file_perms;
# Purpose: Allow aee_aed to read /proc/pid/exe
#allow aee_aed exec_type:file r_file_perms;
# Purpose: Allow aee_aed to read /proc/cpu/alignment
allow aee_aed proc_cpu_alignment:file { write open };
# Purpose: Allow aee_aed to access /sys/devices/virtual/timed_output/vibrator/enable
allow aee_aed sysfs_vibrator_setting:dir search;
allow aee_aed sysfs_vibrator_setting:file w_file_perms;
allow aee_aed sysfs_vibrator:dir search;
allow aee_aed sysfs_leds:dir search;
# Purpose: Allow aee_aed to read /proc/kpageflags
allow aee_aed proc_kpageflags:file r_file_perms;
# temp solution
get_prop(aee_aed, vendor_default_prop)
hal_client_domain(aee_aed, mtk_hal_log)
# Purpose: create /data/aee_exp at runtime
allow aee_aed file_contexts_file:file r_file_perms;
allow aee_aed system_data_file:dir { relabelfrom setattr };
allow aee_aed aee_exp_data_file:dir relabelto;


@ -1,434 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/aee_aedv Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
type aee_aedv, domain;
type aee_aedv_exec, exec_type, file_type, vendor_file_type;
typeattribute aee_aedv mlstrustedsubject;
init_daemon_domain(aee_aedv)
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aedv aed_device:chr_file rw_file_perms;
allow aee_aedv expdb_device:chr_file rw_file_perms;
allow aee_aedv expdb_block_device:blk_file rw_file_perms;
allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
allow aee_aedv etb_device:chr_file rw_file_perms;
# AED start: /dev/block/expdb
allow aee_aedv block_device:dir search;
# NE flow: /dev/RT_Monitor
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
#data/aee_exp
allow aee_aedv aee_exp_vendor_file:dir create_dir_perms;
allow aee_aedv aee_exp_vendor_file:file create_file_perms;
#data/dumpsys
allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms;
allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms;
#/data/core
allow aee_aedv aee_core_vendor_file:dir create_dir_perms;
allow aee_aedv aee_core_vendor_file:file create_file_perms;
# /data/data_tmpfs_log
allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms;
allow aee_aedv vendor_tmpfs_log_file:file create_file_perms;
allow aee_aedv domain:process { sigkill getattr getsched};
allow aee_aedv domain:lnk_file getattr;
#core-pattern
allow aee_aedv usermodehelper:file r_file_perms;
# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')
# Purpose: aee_aedv set property
set_prop(aee_aedv, persist_mtk_aeev_prop);
set_prop(aee_aedv, persist_aeev_prop);
set_prop(aee_aedv, debug_mtk_aeev_prop);
# Purpose: mnt/user/*
allow aee_aedv mnt_user_file:dir search;
allow aee_aedv mnt_user_file:lnk_file read;
allow aee_aedv storage_file:dir search;
allow aee_aedv storage_file:lnk_file read;
userdebug_or_eng(`
allow aee_aedv su:dir {search read open };
allow aee_aedv su:file { read getattr open };
')
# /proc/pid/
allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
# PROCESS_FILE_STATE
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
allow aee_aedv dumpstate:dir search;
allow aee_aedv dumpstate:file r_file_perms;
allow aee_aedv proc:file rw_file_perms;
allow aee_aedv logdr_socket:sock_file write;
allow aee_aedv logd:unix_stream_socket connectto;
# vibrator
allow aee_aedv sysfs_vibrator:file w_file_perms;
# /proc/lk_env
allow aee_aedv proc_lk_env:file rw_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : make aee_aedv can get specific process NE info
allow aee_aedv domain:dir r_dir_perms;
allow aee_aedv domain:{ file lnk_file } r_file_perms;
#allow aee_aedv {
# domain
# -logd
# -keystore
# -init
#}:process ptrace;
#allow aee_aedv zygote_exec:file r_file_perms;
#allow aee_aedv init_exec:file r_file_perms;
# Data : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aedv
# Purpose : make aee_aedv can get notify from crash_dump
allow aee_aedv crash_dump:dir search;
allow aee_aedv crash_dump:file r_file_perms;
# Date : 20170512
# Operation : fix aee_archive can't execute issue
# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
# tclass=file permissive=0
allow aee_aedv vendor_file:file execute_no_trans;
# Purpose: debugfs files
# allow aee_aedv debugfs:lnk_file read;
allow aee_aedv debugfs_binder:dir { read open };
allow aee_aedv debugfs_binder:file { read open };
allow aee_aedv debugfs_blockio:file { read open };
allow aee_aedv debugfs_fb:dir search;
allow aee_aedv debugfs_fb:file { read open };
allow aee_aedv debugfs_fuseio:dir search;
allow aee_aedv debugfs_fuseio:file { read open };
allow aee_aedv debugfs_ged:dir search;
allow aee_aedv debugfs_ged:file { read open };
allow aee_aedv debugfs_rcu:dir search;
allow aee_aedv debugfs_shrinker_debug:file { read open };
allow aee_aedv debugfs_wakeup_sources:file { read open };
allow aee_aedv debugfs_dmlog_debug:file { read open };
allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file r_file_perms;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
allow aee_aedv debugfs_emi_mbw_buf:file { read open };
allow aee_aedv debugfs_vpu_device_dbg:file { read open };
# Purpose:
# 01-01 00:02:46.390 3315 3315 W aee_dumpstatev: type=1400 audit(0.0:4728):
# avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
allow aee_aedv proc_interrupts:file read;
# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow aee_aedv debugfs_tracing:file rw_file_perms;
# Purpose:
# 01-01 00:05:16.730 3566 3566 W dmesg : type=1400 audit(0.0:5173): avc:
# denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv:
# s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
allow aee_aedv kmsg_device:chr_file read;
# Purpose:
# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv platform_app:dir r_dir_perms;
allow aee_aedv platform_app:file r_file_perms;
# Purpose:
# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app_25:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv priv_app:dir getattr;
# Purpose:
# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
# permissive=0
allow aee_aedv proc_interrupts:file r_file_perms;
# Purpose:
# 01-01 00:05:16.620 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5171):
# avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file read;
# Purpose:
# 01-01 00:05:16.610 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5168):
# avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file read;
# Purpose:
# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
allow aee_aedv sysfs_leds:dir search;
allow aee_aedv sysfs_leds:file r_file_perms;
# Purpose:
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# sysfs_ccci:s0 tclass=dir permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
# tclass=file permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:sysfs_ccci:s0 tclass=file permissive=1
allow aee_aedv sysfs_ccci:dir search;
allow aee_aedv sysfs_ccci:file r_file_perms;
# Purpose:
# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
# Purpose:
# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
# s0 tclass=chr_file permissive=0
# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
allow aee_aedv kmsg_device:chr_file r_file_perms;
allow aee_aedv kernel:system syslog_read;
# Purpose:
# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:proc_meminfo:s0 tclass=file permissive=0
allow aee_aedv proc_meminfo:file r_file_perms;
# Purpose:
# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file r_file_perms;
# Purpose:
# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file r_file_perms;
# Purpose:
# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# rootfs:s0 tclass=file permissive=0
allow aee_aedv rootfs:file r_file_perms;
# Purpose:
# 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
# for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# debugfs_dynamic_debug:s0 tclass=dir permissive=0
allow aee_aedv debugfs_dynamic_debug:dir search;
allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
# Purpose:
# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow aee_aedv sysfs:file r_file_perms;
allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms;
# Purpose: Allow aee_aedv to use HwBinder IPC.
hwbinder_use(aee_aedv)
get_prop(aee_aedv, hwservicemanager_prop)
# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
hal_client_domain(aee_aedv, hal_camera)
allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
binder_call(aee_aedv, mtk_hal_camera)
# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
allow aee_aedv selinuxfs:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pid/exe
#allow aee_aedv exec_type:file r_file_perms;
# Purpose: mrdump db flow and pre-allocation
# mrdump db flow
allow aee_aedv sysfs_dt_firmware_android:dir search;
allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
allow aee_aedv kernel:system module_request;
allow aee_aedv metadata_file:dir search;
# pre-allocation
allow aee_aedv self:capability linux_immutable;
allow aee_aedv userdata_block_device:blk_file { read write open };
allow aee_aedv para_block_device:blk_file rw_file_perms;
allow aee_aedv mrdump_device:blk_file rw_file_perms;
allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl {
FS_IOC_GETFLAGS
FS_IOC_SETFLAGS
F2FS_IOC_GET_PIN_FILE
F2FS_IOC_SET_PIN_FILE
FS_IOC_FIEMAP
};
# Purpose: allow vendor aee read lowmemorykiller logs
# file path: /sys/module/lowmemorykiller/parameters/
allow aee_aedv sysfs_lowmemorykiller:dir search;
allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
allow aee_aedv sysfs_scp:dir r_dir_perms;
allow aee_aedv sysfs_scp:file r_file_perms;
# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump
allow aee_aedv sysfs_adsp:dir r_dir_perms;
allow aee_aedv sysfs_adsp:file r_file_perms;
# Purpose: allow aee_aedv self to fsetid/sys_nice/chown/fowner/kill
allow aee_aedv self:capability { fsetid sys_nice chown fowner kill };
# Purpose: allow aee_aedv to read /proc/buddyinfo
allow aee_aedv proc_buddyinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/cmdline
allow aee_aedv proc_cmdline:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/slabinfo
allow aee_aedv proc_slabinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/stat
allow aee_aedv proc_stat:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/version
allow aee_aedv proc_version:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/vmallocinfo
allow aee_aedv proc_vmallocinfo:file r_file_perms;
# Purpose: allow aee_aedv to read /proc/vmstat
allow aee_aedv proc_vmstat:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/cpu/alignment
allow aee_aedv proc_cpu_alignment:file w_file_perms;
# Purpose: Allow aee_aedv to read /proc/gpulog
allow aee_aedv proc_gpulog:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/chip/hw_ver
allow aee_aedv proc_chip:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/sched_debug
allow aee_aedv proc_sched_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/atf_log
allow aee_aedv proc_atf_log:dir search;
# Purpose: Allow aee_aedv to read /proc/last_kmsg
allow aee_aedv proc_last_kmsg:file r_file_perms;
# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable
allow aee_aedv sysfs_vibrator_setting:dir search;
allow aee_aedv sysfs_vibrator_setting:file w_file_perms;
allow aee_aedv sysfs_vibrator:dir search;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log
allow aee_aedv debugfs_rcu:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/ufs_debug
allow aee_aedv proc_ufs_debug:file rw_file_perms;
# Purpose: Allow aee_aedv to read /proc/msdc_debug
allow aee_aedv proc_msdc_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pidmap
allow aee_aedv proc_pidmap:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug
allow aee_aedv sysfs_vcore_debug:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow aee_aedv sysfs_boot_mode:file r_file_perms;
#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
userdebug_or_eng(`
allow aee_aedv debugfs_tracing_debug:file { rw_file_perms };
')
#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
allow aee_aedv proc_slabtrace:file r_file_perms;
#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status
allow aee_aedv proc_cmdq_debug:file r_file_perms;
# temp solution
get_prop(aee_aedv, vendor_default_prop)
#data/dipdebug
allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;
allow aee_aedv proc_isp_p2:dir r_dir_perms;
allow aee_aedv proc_isp_p2:file r_file_perms;
allow aee_aedv connsyslog_data_vendor_file:file r_file_perms;
allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms;
# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process
allow aee_aedv vendor_file_type:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon
allow aee_aedv debugfs_smi_mon:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump
allow aee_aedv proc_isp_p2_kedump:file r_file_perms;
# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory
allow aee_aedv debugfs_vpu_memory:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo
allow aee_aedv proc_dbg_repo:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pl_lk
allow aee_aedv proc_pl_lk:file r_file_perms;


@ -1,18 +0,0 @@
# ==============================================
# Policy File of /system/bin/aee_core_forwarder Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
get_prop(aee_core_forwarder, hwservicemanager_prop)
# Date: 2019/06/14
# Operation : Migration
# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
wakelock_use(aee_core_forwarder)
allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
hwbinder_use(aee_core_forwarder)


@ -1,17 +0,0 @@
# ==============================================
# Type Declaration
# ==============================================
type aee_hal,domain;
type aee_hal_exec, exec_type, file_type, vendor_file_type;
typeattribute aee_hal mlstrustedsubject;
# Purpose : for create hidl server
hal_server_domain(aee_hal, mtk_hal_log)
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(aee_hal)
set_prop(aee_hal, persist_mtk_aeev_prop);
set_prop(aee_hal, persist_aeev_prop);
set_prop(aee_hal, debug_mtk_aeev_prop);


@ -1,50 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow appdomain proc_ged:file rw_file_perms;
allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls };
# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow appdomain gpu_device:dir search;
# Date : W17.30
# Purpose : Allow MDP user access cmdq driver
allow appdomain mtk_cmdq_device:chr_file {open read ioctl};
# Date : W17.41
# Operation: SQC
# Purpose : Allow HWUI to access perfmgr
allow appdomain proc_perfmgr:dir search;
allow appdomain proc_perfmgr:file { getattr open read ioctl};
allowxperm appdomain proc_perfmgr:file ioctl {
PERFMGR_FPSGO_QUEUE
PERFMGR_FPSGO_DEQUEUE
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_BQID
};
# Date : W19.4
# Purpose : Allow MDP user access mdp driver
allow appdomain mdp_device:chr_file rw_file_perms;
allow appdomain mtk_mdp_device:chr_file rw_file_perms;
allow appdomain sw_sync_device:chr_file rw_file_perms;
# Date : W19.23
# Operation : Migration
# Purpose : For platform app com.android.gallery3d
allow { appdomain -isolated_app } radio_data_file:file rw_file_perms;
# Date : W19.23
# Operation : Migration
# Purpose : For app com.tencent.qqpimsecure
allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START;
# Date: 2019/06/17
# Operation : Migration
# Purpose : appdomain need get mtk_amslog_prop
get_prop(appdomain, mtk_amslog_prop)


@ -1,8 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow appdomain surfaceflinger:fifo_file rw_file_perms;


@ -1,145 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/atci_service Executable File
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
type atci_service, domain;
type atci_service_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(atci_service)
allow atci_service block_device:dir search;
allow atci_service misc2_block_device:blk_file { open read write };
allow atci_service misc2_device:chr_file { open read write };
allow atci_service camera_isp_device:chr_file { read write ioctl open };
allow atci_service graphics_device:chr_file { read write ioctl open };
allow atci_service graphics_device:dir search;
allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
allow atci_service self:capability { sys_nice ipc_lock };
allow atci_service nvram_device:chr_file { read write open ioctl };
allow atci_service camera_isp_device:chr_file { read write ioctl open };
allow atci_service camera_sysram_device:chr_file { read ioctl open };
allow atci_service camera_tsf_device:chr_file rw_file_perms;
allow atci_service camera_rsc_device:chr_file rw_file_perms;
allow atci_service camera_gepf_device:chr_file rw_file_perms;
allow atci_service camera_fdvt_device:chr_file rw_file_perms;
allow atci_service camera_wpe_device:chr_file rw_file_perms;
allow atci_service camera_owe_device:chr_file rw_file_perms;
allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
allow atci_service ccu_device:chr_file { read write ioctl open };
allow atci_service vpu_device:chr_file { read write ioctl open };
allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
#allow atci_service system_server:binder call;
#allow atci_service system_data_file:dir { write remove_name add_name };
allow atci_service DW9714AF_device:chr_file { read write ioctl open };
allow atci_service devmap_device:chr_file { open read write ioctl };
allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr };
allow atci_service sdcard_type:file { setattr read create write getattr unlink open append };
allow atci_service mediaserver:binder call;
#allow atci_service sysfs:file write;
#allow atci_service system_server:unix_stream_socket { read write };
allow atci_service self:capability sys_boot;
# Date : 2015/09/17
# Operation : M-Migration
# Purpose : to operation CCT tool
allow atci_service nvram_device:blk_file { open read write };
allow atci_service input_device:dir { open read search };
allow atci_service input_device:file { open read write ioctl };
allow atci_service input_device:chr_file { open read write ioctl };
allow atci_service MAINAF_device:chr_file { open read write ioctl };
allow atci_service MAIN2AF_device:chr_file { open read write ioctl };
allow atci_service SUBAF_device:chr_file { open read write ioctl };
allow atci_service tmpfs:lnk_file read;
allow atci_service self:capability2 block_suspend;
# Date : 2015/10/13
# Operation : M-Migration
# Purpose : to operation CCT tool
#allow atci_service mediaserver_service:service_manager find;
allow atci_service mnt_user_file:dir search;
allow atci_service mnt_user_file:lnk_file read;
#allow atci_service mtk_perf_service:service_manager find;
#allow atci_service sensorservice_service:service_manager find;
allow atci_service storage_file:lnk_file read;
#allow atci_service media_rw_data_file:dir { write search create add_name };
#allow atci_service media_rw_data_file:file { read write create open };
#============= atci_service ==============
allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
set_prop(atci_service, mtk_em_prop)
# Date : 2016/03/02
# Operation : M-Migration
# Purpose : to support ATCI touch tool
allow atci_service vendor_shell_exec:file { read execute open execute_no_trans };
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow atci_service proc_ged:file rw_file_perms;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow atci_service flashlight_device:chr_file { read write ioctl open };
# Date : WK17.01
# Operation : Migration
# Purpose : Update AT_Command NFC function
allow atci_service factory_data_file:sock_file write;
# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow to use HAL PQ
hal_client_domain(atci_service, hal_pq)
# Date : WK17.28
# Purpose : Allow to execute battery command
allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date : WK17.43
# Purpose : CCT
allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
allow atci_service fwk_sensor_hwservice:hwservice_manager find;
allow atci_service hidl_allocator_hwservice:hwservice_manager find;
allow atci_service hidl_memory_hwservice:hwservice_manager find;
allow atci_service ion_device:chr_file { read ioctl open };
allow atci_service mtk_cmdq_device:chr_file { read ioctl open };
allow atci_service mtk_mdp_device:chr_file rw_file_perms;
allow atci_service sw_sync_device:chr_file rw_file_perms;
allow atci_service mtk_hal_power:binder call;
allow atci_service mtk_hal_power_hwservice:hwservice_manager find;
allow atci_service sysfs_batteryinfo:dir search;
allow atci_service sysfs_batteryinfo:file { read getattr open };
#allow atci_service system_data_file:lnk_file read;
allow atci_service system_file:dir { read open };
allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
#allow atci_service media_rw_data_file:dir { read getattr open };
#allow atci_service media_rw_data_file:file { getattr setattr };
allow atci_service mtkcam_prop:file { read getattr open };
#allow atci_service hal_camera_hwservice:hwservice_manager find;
allow atci_service mtk_hal_camera:binder call;
allow atci_service debugfs_ion:dir search;
allow atci_service sysfs_tpd_setting:file { read write open getattr };
allow atci_service sysfs_vibrator_setting:file { read write open getattr };
allow atci_service sysfs_leds_setting:file { read write open getattr };
allow atci_service proc:file getattr;
allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans };
# Date : WK18.21
# Purpose: Allow to use HIDL
hwbinder_use(atci_service)
hal_client_domain(atci_service, hal_atci)
# Date : WK18.26
# Purpose: Allow gps socket sendto
allow atci_service mnld:unix_dgram_socket sendto;
# Date : WK18.35
# Purpose : allow CCT to allocate memory
hal_client_domain(atci_service, hal_allocator);


@ -1,74 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/atcid Executable File
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
type atcid, domain;
type atcid_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(atcid)
set_prop(atcid,persist_service_atci_prop)
allow atcid block_device:dir search;
allow atcid socket_device:sock_file write;
allow atcid gsmrild_socket:sock_file write;
# Date : WK17.21
# Purpose: Allow to use HIDL
hwbinder_use(atcid)
hal_client_domain(atcid, hal_telephony)
allow atcid ttyGS_device:chr_file { read write ioctl open };
allow atcid wmtWifi_device:chr_file { write open };
allow atcid misc2_block_device:blk_file { read write open };
allow atci_service gpu_device:chr_file { read write open ioctl getattr };
allow atcid self:capability sys_time;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow atcid proc_ged:file rw_file_perms;
# Date : WK17.23
# Stage: O Migration, SQC
# Purpose: Allow to use HAL PQ
hal_client_domain(atcid, hal_pq)
# Date : WK17.34
# Purpose: Allow to access meta_tst
allow atcid meta_tst:unix_stream_socket connectto;
# Date : WK18.15
# Purpose: Allow to access power_supply in sysfs
allow atcid sysfs_batteryinfo:file { read open };
# Date : WK18.16
# Operation: P migration
# Purpose: Allow atcid to get tel_switch_prop
get_prop(atcid, tel_switch_prop)
# Date : WK18.21
# Purpose: Allow to use HIDL
hwbinder_use(atcid);
vndbinder_use(atcid);
hal_server_domain(atcid, hal_atci)
add_hwservice(hal_atci_server,hal_atci_hwservice)
# Date : WK18.21
# Purpose: For special command for customer
set_prop(atcid, mtk_atci_prop);
set_prop(atcid, powerctl_prop);
allow atcid mnt_vendor_file:dir search;
allow atcid nvdata_file:dir { open read write search add_name };
allow atcid nvdata_file:file { open read write create getattr setattr };
allow atcid nvram_device:blk_file { open read write };
allow atcid proc_meminfo:file { open read };
allow atcid sysfs_batteryinfo:dir search;
allow atcid sysfs_mmcblk:dir search;
allow atcid sysfs_mmcblk:file { read open };
# Date : WK18.35
# Purpose: Add socket for TelephonyWare ATCI
unix_socket_connect(atcid, rild_atci, rild);
unix_socket_connect(atcid, rilproxy_atci, rild);
unix_socket_connect(atcid, atci_service, atci_service);


@ -1,90 +0,0 @@
# ==============================================
# MTK Attribute declarations
# ==============================================
# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
attribute mtk_core_property_type;
# Date: 2017/06/12
# LBS HIDL
#attribute mtk_hal_lbs;
#attribute mtk_hal_lbs_client;
#attribute mtk_hal_lbs_server;
# Date: 2017/06/27
# IMSA HIDL
attribute hal_imsa;
attribute hal_imsa_client;
attribute hal_imsa_server;
# attribute that represents all MTK IMS types. It should be used by AP side module only.
attribute mtkimsapdomain;
#
# # attribute that represents all MTK IMS types. It should be used by MD side module only.
attribute mtkimsmddomain;
# Date: 2017/07/19
# PQ HIDL
attribute hal_pq;
attribute hal_pq_client;
attribute hal_pq_server;
# Date: 2017/07/28
# KEY ATTESTATION HIDL
attribute mtk_hal_keyattestation;
attribute mtk_hal_keyattestation_client;
attribute mtk_hal_keyattestation_server;
# Date: 2017/07/13
# NVRAM AGENT HIDL
attribute hal_nvramagent;
attribute hal_nvramagent_client;
attribute hal_nvramagent_server;
# Date: 2018/05/25
# FM HIDL
attribute mtk_hal_fm;
attribute mtk_hal_fm_client;
attribute mtk_hal_fm_server;
# Date: 2018/03/23
# log hidl
attribute mtk_hal_log;
attribute mtk_hal_log_client;
attribute mtk_hal_log_server;
# Date: 2018/06/26
# em hidl
attribute mtk_hal_em;
attribute mtk_hal_em_client;
attribute mtk_hal_em_server;
# Date: 2018/07/02
# MDP HIDL
attribute hal_mms;
attribute hal_mms_client;
attribute hal_mms_server;
attribute hal_mtkcodecservice_server;
attribute hal_mtkcodecservice;
attribute hal_atci;
attribute hal_atci_client;
attribute hal_atci_server;
# Date: 2019/06/12
# modem db filter hidl
attribute mtk_hal_md_dbfilter_server;
# Date: 2019/07/16
# HDMI HIDL
attribute hal_hdmi;
attribute hal_hdmi_client;
attribute hal_hdmi_server;
# Date: 2019/09/06
# BGService HIDL
attribute mtk_hal_bgs;
attribute mtk_hal_bgs_client;
attribute mtk_hal_bgs_server;


@ -1,34 +0,0 @@
# ==============================================
# Policy File of /system/bin/audiocmdservice_atci Executable File
type audiocmdservice_atci ,domain;
type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(audiocmdservice_atci)
unix_socket_connect(atcid, atci-audio, audiocmdservice_atci);
allow audiocmdservice_atci self:unix_stream_socket { create_socket_perms read write };
# Access to storages for audio tuning tool to read/write tuning result
allow audiocmdservice_atci { block_device device }:dir { write search };
allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
allow audiocmdservice_atci bootdevice_block_device:blk_file { read write };
# can route /dev/binder traffic to /dev/vndbinder
vndbinder_use(audiocmdservice_atci)
binder_call(audiocmdservice_atci,mtk_hal_audio);
#Android O porting
hwbinder_use(audiocmdservice_atci)
get_prop(audiocmdservice_atci, hwservicemanager_prop);
#allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
hal_client_domain(audiocmdservice_atci, hal_audio)
#To access the file at /dev/kmsg
allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
userdebug_or_eng(`
allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin};
')


@ -1,57 +0,0 @@
# ==============================================
# MTK Policy Rule for vendor
# ==============================================
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow audioserver rpc_socket:sock_file write;
allow audioserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow audioserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow audioserver proc_mtkcooler:dir search;
allow audioserver proc_mtktz:dir search;
allow audioserver proc_thermal:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow audioserver offloadservice_device:chr_file rw_file_perms;
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow audioserver sysfs_ccci:file r_file_perms;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow audioserver tmpfs:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: access sysfs node
allow audioserver sysfs_ccci:dir search;
# Purpose: Dump debug info
allow audioserver debugfs_binder:dir search;
allow audioserver fuse:file write;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow audioserver proc_ged:file rw_file_perms;
# Date : WK16.48
# Purpose: Allow to trigger AEE dump
allow audioserver aee_aed:unix_stream_socket connectto;
# Date: 2019/06/14
# Operation : Migration
get_prop(audioserver, vendor_default_prop)


@ -1,33 +0,0 @@
# ==============================================
# Policy File of /system/bin/biosensord_nvram Executable File
# ==============================================
# Type Declaration
# ==============================================
type biosensord_nvram ,domain;
type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
type biosensord_nvram_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(biosensord_nvram)
# Data : WK16.21
# Operation : New Feature
# Purpose : For biosensor daemon can do nvram r/w to save calibration data
allow biosensord_nvram nvdata_file:dir rw_dir_perms;
allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
allow biosensord_nvram self:capability { chown fsetid };
allow biosensord_nvram system_data_file:lnk_file read;


@ -1,25 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date:W17.07
# Operation : bt hal developing
# Purpose : bt hal interface permission
binder_call(bluetooth, mtk_hal_bluetooth)
allow bluetooth storage_stub_file:dir getattr;
# Date: 2018/01/17
#allow bluetooth to set property
set_prop(bluetooth, vendor_bluetooth_prop)
set_prop(bluetooth, debug_prop)
# Date: 2018/02/02
# Major permission allow are in /system/sepoplicy/private/bluetooth.te
# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms };
# Date: 2019/06/14
# Operation : Migration
get_prop(bluetooth, mtk_amslog_prop)


@ -1,22 +0,0 @@
# ==============================================
# Policy File of /system/binboot_logo_updater Executable File
# ==============================================
# Type Declaration
# ==============================================
# Date : WK14.43
# Operation : Migration
# Purpose : To access file directories and files like logo.bin
allow boot_logo_updater logo_block_device:blk_file r_file_perms;
# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
#To access file at /dev/logo
allow boot_logo_updater logo_device:chr_file r_file_perms;
# To access file at /proc/lk_env
allow boot_logo_updater proc_lk_env:file rw_file_perms;
# Date : WK16.25
# Operation : Global_Device/Uniservice Feature
# Purpose : for it to read-write SysEnv data
allow boot_logo_updater para_block_device:blk_file rw_file_perms;


@ -1,34 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
allow bootanim bootani_prop:property_service set;
# Date : WK14.46
# Operation : Migration
# Purpose : For MTK Emulator HW GPU
allow bootanim qemu_pipe_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow bootanim proc_ged:file rw_file_perms;
# Date : WK17.43
# Operation : Migration
# Purpose : For MTK perfmgr
allow bootanim proc_perfmgr:dir r_dir_perms;
allow bootanim proc_perfmgr:file r_file_perms;
# Date : WK19.11
# Operation : Migration
# Purpose : Allow to access ged for ioctl related functions
allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
allowxperm bootanim proc_perfmgr:file ioctl {
PERFMGR_FPSGO_QUEUE
PERFMGR_FPSGO_DEQUEUE
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_BQID
};


@ -1,365 +0,0 @@
# ==============================================================================
# Policy File of /system/bin/cameraserver Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# -----------------------------------
# Android O
# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
# -----------------------------------
# call camerahalserver
binder_call(cameraserver, mtk_hal_camera)
# call the graphics allocator hal
binder_call(cameraserver, hal_graphics_allocator)
# -----------------------------------
# Android O
# Purpose: Debugging
# -----------------------------------
# Purpose: adb shell dumpsys media.camera --unreachable
allow cameraserver self:process { ptrace };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow cameraserver mtkcam_prop:file { open read getattr };
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
# allow cameraserver camera_isp_device:chr_file rw_file_perms;
# allow cameraserver ccu_device:chr_file rw_file_perms;
# allow cameraserver vpu_device:chr_file rw_file_perms;
# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
# allow cameraserver seninf_device:chr_file rw_file_perms;
# allow cameraserver self:capability { setuid ipc_lock sys_nice };
# allow cameraserver sysfs_wake_lock:file rw_file_perms;
# allow cameraserver MTK_SMI_device:chr_file r_file_perms;
# allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
# allow cameraserver lens_device:chr_file rw_file_perms;
# allow cameraserver nvdata_file:lnk_file read;
# allow cameraserver proc_meminfo:file { read getattr open };
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
# allow cameraserver nvram_device:chr_file rw_file_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
# #allow cameraserver self:netlink_kobject_uevent_socket { create setopt bind };
# allow cameraserver self:capability { net_admin };
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
# allow cameraserver devmap_device:chr_file { ioctl };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
# #allow cameraserver self:netlink_kobject_uevent_socket read;
# allow cameraserver system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
# allow cameraserver bluetooth:unix_dgram_socket sendto;
# allow cameraserver bt_a2dp_stream_socket:sock_file write;
# allow cameraserver bt_int_adp_socket:sock_file write;
# Date : WK14.37
# Operation : Migration
# Purpose : camera ioctl
# allow cameraserver camera_sysram_device:chr_file r_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
# allow cameraserver Vcodec_device:chr_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
# allow cameraserver MtkCodecService:binder call;
# allow cameraserver ccci_device:chr_file rw_file_perms;
# allow cameraserver eemcs_device:chr_file rw_file_perms;
# allow cameraserver devmap_device:chr_file r_file_perms;
# allow cameraserver ebc_device:chr_file rw_file_perms;
# allow cameraserver nvram_device:blk_file rw_file_perms;
# allow cameraserver bootdevice_block_device:blk_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
# allow cameraserver mtk_sched_device:chr_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
# allow cameraserver block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
# allow cameraserver fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for VP/VR
# allow cameraserver block_device:dir search;
# allow cameraserver FM50AF_device:chr_file rw_file_perms;
# allow cameraserver AD5820AF_device:chr_file rw_file_perms;
# allow cameraserver DW9714AF_device:chr_file rw_file_perms;
# allow cameraserver DW9814AF_device:chr_file rw_file_perms;
# allow cameraserver AK7345AF_device:chr_file rw_file_perms;
# allow cameraserver DW9714A_device:chr_file rw_file_perms;
# allow cameraserver LC898122AF_device:chr_file rw_file_perms;
# allow cameraserver LC898212AF_device:chr_file rw_file_perms;
# allow cameraserver BU6429AF_device:chr_file rw_file_perms;
# allow cameraserver DW9718AF_device:chr_file rw_file_perms;
# allow cameraserver BU64745GWZAF_device:chr_file rw_file_perms;
# allow cameraserver MAINAF_device:chr_file rw_file_perms;
# allow cameraserver MAIN2AF_device:chr_file rw_file_perms;
# allow cameraserver SUBAF_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
# allow cameraserver bootanim:binder { transfer call };
# allow cameraserver mtkbootanimation:binder { transfer call };
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
# allow cameraserver sdcard_type:file append;
# Date : WK14.39
# Operation : Migration
# Purpose : FDVT Driver
# allow cameraserver camera_fdvt_device:chr_file rw_file_perms;
# Date : WK14.39
# Operation : Migration
# Purpose : APE PLAYBACK
# binder_call(cameraserver, MtkCodecService)
# Data : WK14.39
# Operation : Migration
# Purpose : HW encrypt SW codec
# allow cameraserver sec_device:chr_file r_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow cameraserver graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
# allow cameraserver smartpa_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : mtk_jpeg
# allow cameraserver mtk_jpeg_device:chr_file r_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
# allow cameraserver uhid_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Camera EEPROM Calibration
# allow cameraserver CAM_CAL_DRV_device:chr_file rw_file_perms;
# allow cameraserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
# allow cameraserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
# allow cameraserver vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
# allow cameraserver rpc_socket:sock_file write;
# allow cameraserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
# allow cameraserver surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
# allow cameraserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
# allow cameraserver proc_mtkcooler:dir search;
# allow cameraserver proc_mtktz:dir search;
# allow cameraserver proc_thermal:dir search;
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
# allow cameraserver qemu_pipe_device:chr_file rw_file_perms;
# Date : WK14.46
# Operation : Migration
# Purpose : for camera init
# allow cameraserver system_server:unix_stream_socket { read write };
# Data : WK14.46
# Operation : Migration
# Purpose : for SMS app
# allow cameraserver radio_data_file:dir search;
# allow cameraserver radio_data_file:file open;
# Data : WK14.47
# Operation : Launch camcorder from MMS
# Purpose : Camcorder
# allow cameraserver radio_data_file:file open;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
# allow cameraserver untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
# allow cameraserver offloadservice_device:chr_file rw_file_perms;
# Date : WK15.32
# Operation : Pre-sanity
# Purpose : 3A algorithm need to access sensor service
# allow cameraserver sensorservice_service:service_manager find;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
# allow cameraserver system_data_file:dir write;
# allow cameraserver storage_file:lnk_file {read write};
# allow cameraserver mnt_user_file:dir {write read search};
# allow cameraserver mnt_user_file:lnk_file {read write};
# Date : WK15.35
# Operation : Migration
# Purpose: Allow cameraserver to read binder from surfaceflinger
# allow cameraserver surfaceflinger:fifo_file {read write};
# Date : WK15.46
# Operation : Migration
# Purpose : DPE Driver
# allow cameraserver camera_dpe_device:chr_file rw_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : TSF Driver
# allow cameraserver camera_tsf_device:chr_file rw_file_perms;
# Date : WK16.20
# Operation : Migration
# Purpose: research root dir "/"
allow cameraserver tmpfs:dir search;
# Date : WK16.21
# Operation : Migration
# Purpose : EGL file access
allow cameraserver system_file:dir { read open };
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir search;
# Date : WK16.30
# Operation : Migration
# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
# allow cameraserver property_socket:sock_file write;
# allow cameraserver proc:file getattr;
# allow cameraserver shell_exec:file { execute read getattr open};
# allow cameraserver init:unix_stream_socket connectto;
# Date : WK16.32
# Operation : Migration
# Purpose : RSC Driver
# allow cameraserver camera_rsc_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow cameraserver proc_ged:file rw_file_perms;
allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls };
# Date : WK16.33
# Operation : Migration
# Purpose : GEPF Driver
# allow cameraserver camera_gepf_device:chr_file rw_file_perms;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
# allow cameraserver flashlight_device:chr_file rw_file_perms;
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
# allow cameraserver surfaceflinger:fifo_file rw_file_perms;
# Date : WK16.43
# Operation : Migration
# Purpose : WPE Driver
# allow cameraserver camera_wpe_device:chr_file rw_file_perms;
# Date : WK16.49
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee commmand
# userdebug_or_eng(`
# allow cameraserver aee_aed:unix_stream_socket connectto;
# ')
# Purpose: Allow to access debugfs_ion dir.
allow cameraserver system_data_file:lnk_file read;
# Date : WK17.19
# Operation : Migration
# Purpose : OWE Driver
# allow cameraserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.25
# Operation : Migration
allow cameraserver debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
# allow cameraserver mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.44
# Operation : Migration
# Purpose : DIP Driver
# allow cameraserver camera_dip_device:chr_file rw_file_perms;
# Date : WK17.44
# Operation : Migration
# Purpose : MFB Driver
# allow cameraserver camera_mfb_device:chr_file rw_file_perms;
# Date : WK17.49
# Operation : MT6771 SQC
# Purpose: Allow permgr access
allow cameraserver proc_perfmgr:dir {read search};
allow cameraserver proc_perfmgr:file r_file_perms;
allowxperm cameraserver proc_perfmgr:file ioctl {
PERFMGR_FPSGO_QUEUE
PERFMGR_FPSGO_DEQUEUE
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_BQID
};


@ -1,69 +0,0 @@
# ==============================================
# Policy File of /system/bin/ccci_fsd Executable File
# ==============================================
# Type Declaration
# ==============================================
type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
type ccci_fsd, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(ccci_fsd)
wakelock_use(ccci_fsd)
#============= ccci_fsd MD NVRAM==============
allow ccci_fsd nvram_data_file:dir create_dir_perms;
allow ccci_fsd nvram_data_file:file create_file_perms;
allow ccci_fsd nvram_data_file:lnk_file read;
allow ccci_fsd nvdata_file:lnk_file read;
allow ccci_fsd nvdata_file:dir create_dir_perms;
allow ccci_fsd nvdata_file:file create_file_perms;
allow ccci_fsd nvram_device:chr_file rw_file_perms;
allow ccci_fsd system_data_file:lnk_file read;
allow ccci_fsd vendor_configs_file:file r_file_perms;
allow ccci_fsd vendor_configs_file:dir r_dir_perms;
#============= ccci_fsd device/path/data access==============
allow ccci_fsd ccci_device:chr_file rw_file_perms;
allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
allow ccci_fsd ccci_cfg_file:file create_file_perms;
#============= ccci_fsd MD Data==============
allow ccci_fsd protect_f_data_file:dir create_dir_perms;
allow ccci_fsd protect_f_data_file:file create_file_perms;
allow ccci_fsd protect_s_data_file:dir create_dir_perms;
allow ccci_fsd protect_s_data_file:file create_file_perms;
#============= ccci_fsd MD3 related==============
allow ccci_fsd c2k_file:dir create_dir_perms;
allow ccci_fsd c2k_file:file create_file_perms;
allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
allow ccci_fsd otp_device:chr_file rw_file_perms;
allow ccci_fsd sysfs:file r_file_perms;
allow ccci_fsd sysfs_boot_type:file { read open };
#============= ccci_fsd MD block data==============
##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram
allow ccci_fsd block_device:dir search;
allow ccci_fsd nvram_device:blk_file rw_file_perms;
allow ccci_fsd nvdata_device:blk_file rw_file_perms;
#============= ccci_fsd cryption related ==============
allow ccci_fsd rawfs:dir create_dir_perms;
allow ccci_fsd rawfs:file create_file_perms;
#============= ccci_fsd sysfs related ==============
allow ccci_fsd sysfs_ccci:dir search;
allow ccci_fsd sysfs_ccci:file r_file_perms;
#============= ccci_fsd ==============
allow ccci_fsd mnt_vendor_file:dir search;
# Purpose: for fstab parser
allow ccci_fsd kmsg_device:chr_file w_file_perms;
allow ccci_fsd proc_lk_env:file rw_file_perms;
#============= ccci_fsd MD Low Power Monitor Related ==============
allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
allow ccci_fsd ccci_data_md1_file:file create_file_perms;
allow ccci_fsd sysfs_mmcblk:dir search;
allow ccci_fsd sysfs_mmcblk:file { read getattr open };


@ -1,109 +0,0 @@
# ==============================================
# Policy File of /system/bin/ccci_mdinit Executable File
# ==============================================
# Type Declaration
# ==============================================
type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
type ccci_mdinit ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(ccci_mdinit)
wakelock_use(ccci_mdinit)
#=============allow ccci_mdinit to start gsm0710muxd==============
set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
#=============allow ccci_mdinit to start emcsmdlogger==============
set_prop(ccci_mdinit, ctl_mdlogger_prop)
#=============allow ccci_mdinit to start c2krild==============
set_prop(ccci_mdinit, ctl_viarild_prop)
#=============allow ccci_mdinit to start/stop rild, mdlogger==============
set_prop(ccci_mdinit, ctl_mdlogger_prop)
set_prop(ccci_mdinit, ctl_emdlogger1_prop)
set_prop(ccci_mdinit, ctl_emdlogger2_prop)
set_prop(ccci_mdinit, ctl_emdlogger3_prop)
set_prop(ccci_mdinit, ctl_dualmdlogger_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-s_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-d_prop)
set_prop(ccci_mdinit, ctl_rildaemon_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-mtk_prop)
set_prop(ccci_mdinit, ctl_fusion_ril_mtk_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-s_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-d_prop)
set_prop(ccci_mdinit, ctl_ril-proxy_prop)
set_prop(ccci_mdinit, ril_active_md_prop)
set_prop(ccci_mdinit, mtk_md_prop)
#set_prop(ccci_mdinit, radio_prop)
set_prop(ccci_mdinit, net_cdma_mdmstat)
set_prop(ccci_mdinit, ctl_start_prop)
#=============allow ccci_mdinit to get tel_switch_prop==============
get_prop(ccci_mdinit, tel_switch_prop)
#=============allow ccci_mdinit to start/stop fsd==============
set_prop(ccci_mdinit, ctl_ccci_fsd_prop)
set_prop(ccci_mdinit, ctl_ccci2_fsd_prop)
set_prop(ccci_mdinit, ctl_ccci3_fsd_prop)
get_prop(ccci_mdinit, vendor_default_prop)
get_prop(ccci_mdinit, init_svc_emdlogger1_prop)
get_prop(ccci_mdinit, init_svc_aee_aedv_prop)
allow ccci_mdinit ccci_device:chr_file rw_file_perms;
allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
#=============allow ccci_mdinit to access MD NVRAM==============
allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
allow ccci_mdinit nvram_data_file:file create_file_perms;
allow ccci_mdinit nvram_data_file:lnk_file read;
allow ccci_mdinit nvdata_file:lnk_file read;
allow ccci_mdinit nvdata_file:dir rw_dir_perms;
allow ccci_mdinit nvdata_file:file create_file_perms;
allow ccci_mdinit nvram_device:chr_file rw_file_perms;
allow ccci_mdinit system_data_file:lnk_file read;
#=============allow ccci_mdinit to access ccci config==============
allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
allow ccci_mdinit protect_f_data_file:file create_file_perms;
#=============allow ccci_mdinit to property==============
allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
allow ccci_mdinit protect_s_data_file:file create_file_perms;
allow ccci_mdinit nvram_device:blk_file rw_file_perms;
allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
set_prop(ccci_mdinit, ril_mux_report_case_prop)
allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
allow ccci_mdinit ccci_cfg_file:file create_file_perms;
#===============security relate ==========================
allow ccci_mdinit preloader_device:chr_file rw_file_perms;
allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
allow ccci_mdinit custom_file:dir r_dir_perms;
allow ccci_mdinit custom_file:file r_file_perms;
# Purpose : for nand partition access
allow ccci_mdinit mtd_device:dir search;
allow ccci_mdinit mtd_device:chr_file rw_file_perms;
allow ccci_mdinit devmap_device:chr_file r_file_perms;
# Purpose : for device bring up, not to block early migration/sanity
allow ccci_mdinit proc_lk_env:file rw_file_perms;
allow ccci_mdinit para_block_device:blk_file rw_file_perms;
#============= ccci_mdinit sysfs related ==============
allow ccci_mdinit sysfs_ccci:dir search;
allow ccci_mdinit sysfs_ccci:file rw_file_perms;
allow ccci_mdinit sysfs_ssw:dir search;
allow ccci_mdinit sysfs_ssw:file r_file_perms;
allow ccci_mdinit sysfs:file r_file_perms;
allow ccci_mdinit sysfs_boot_mode:file { read open };
# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
allow ccci_mdinit proc_bootprof:file rw_file_perms;
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow ccci_mdinit mnt_vendor_file:dir search;


@ -1,31 +0,0 @@
#cmddumper access external modem ttySDIO2
allow cmddumper ttySDIO_device:chr_file { read write ioctl open };
# for modem logging sdcard access
allow cmddumper sdcard_type:dir create_dir_perms;
allow cmddumper sdcard_type:file create_file_perms;
# cmddumper access on /data/mdlog
allow cmddumper mdlog_data_file:fifo_file create_file_perms;
allow cmddumper mdlog_data_file:file create_file_perms;
allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
#allow emdlogger to set property
allow cmddumper debug_mdlogger_prop:property_service set;
allow cmddumper debug_prop:property_service set;
# purpose: allow cmddumper to access storage in N version
allow cmddumper media_rw_data_file:file { create_file_perms };
allow cmddumper media_rw_data_file:dir { create_dir_perms };
# purpose: access plat_file_contexts
allow cmddumper file_contexts_file:file { read getattr open };
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow cmddumper sysfs_boot_mode:file { read open };
# Android P migration
set_prop(cmddumper, persist_mtklog_prop)
set_prop(cmddumper, vendor_mdl_prop)
allow cmddumper tmpfs:lnk_file read;
allow cmddumper vmodem_device:chr_file { read write ioctl open };


@ -1,83 +0,0 @@
# Policy File of /system/bin/connsyslogger Executable File
# ==============================================
# Type Declaration
# ==============================================
# Purpose : for create hidl server
#hal_server_domain(connsyslogger, mtk_hal_log)
# ==============================================
# MTK Policy Rule
# ==============================================
#for logging sdcard access
allow connsyslogger fuse:dir { create_dir_perms };
allow connsyslogger fuse:file { create_file_perms };
#consys logger access on /data/consyslog
allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
allow connsyslogger consyslog_data_file:fifo_file { create_file_perms };
allow connsyslogger consyslog_data_file:file { create_file_perms };
allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom};
#consys logger socket access
allow connsyslogger property_socket:sock_file write;
allow connsyslogger init:unix_stream_socket connectto;
allow connsyslogger tmpfs:lnk_file { create_file_perms };
# purpose: avc: denied { read } for name="plat_file_contexts"
allow connsyslogger file_contexts_file:file { read getattr open map};
#logger SD logging in factory mode
allow connsyslogger vfat:dir create_dir_perms;
allow connsyslogger vfat:file create_file_perms;
#logger permission in storage in android M version
allow connsyslogger mnt_user_file:dir search;
allow connsyslogger mnt_user_file:lnk_file read;
allow connsyslogger storage_file:lnk_file read;
#permission for use SELinux API
allow connsyslogger rootfs:file r_file_perms;
#permission for storage access storage
allow connsyslogger storage_file:dir { create_dir_perms };
allow connsyslogger storage_file:file { create_file_perms };
#permission for read boot mode
allow connsyslogger sysfs_boot_mode:file { read open };
allow connsyslogger fw_log_wifi_device:chr_file {read write open ioctl};
allow connsyslogger fw_log_bt_device:chr_file {read write open ioctl};
allow connsyslogger fw_log_gps_device:chr_file {read write open ioctl};
allow connsyslogger fw_log_wmt_device:chr_file {read write open ioctl};
allow connsyslogger sdcardfs:dir { create_dir_perms };
allow connsyslogger sdcardfs:file { create_file_perms };
allow connsyslogger rootfs:lnk_file getattr;
allow connsyslogger media_rw_data_file:file { create_file_perms };
allow connsyslogger media_rw_data_file:dir { create_dir_perms };
set_prop(connsyslogger, vendor_connsysfw_prop)
allow connsyslogger vendor_configs_file:file map;
#permission to get driver ready status
get_prop(connsyslogger, wmt_prop)
#Date:2019/03/25
# purpose: allow connsyslogger to access persist.meta.connecttype
get_prop(connsyslogger, meta_connecttype_prop);
#Date:2019/03/25
# purpose: allow emdlogger to create socket
allow connsyslogger port:tcp_socket { name_connect name_bind };
allow connsyslogger connsyslogger:tcp_socket { create_stream_socket_perms };
allow connsyslogger node:tcp_socket node_bind;
#Date:2019/03/25
# usb device ttyGSx for modem logger usb logging
allow connsyslogger ttyGS_device:chr_file { rw_file_perms};


@ -1,274 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
type devmap_device, dev_type;
type ttyMT_device, dev_type;
type ttyS_device, dev_type;
type ttySDIO_device, dev_type;
type vmodem_device, dev_type;
type stpwmt_device, dev_type;
type wmtdetect_device, dev_type;
type wmtWifi_device, dev_type;
type stpbt_device, dev_type;
type fw_log_bt_device, dev_type;
type stpant_device, dev_type;
type fm_device, dev_type;
type stpgps_device, dev_type;
type gpsdl_device, dev_type;
type fw_log_gps_device, dev_type;
type fw_log_wmt_device, dev_type;
type fw_log_wifi_device, dev_type;
type pmem_multimedia_device, dev_type;
type mt6516_isp_device, dev_type;
type mt6516_IDP_device, dev_type;
type mt9p012_device, dev_type;
type mt6516_jpeg_device, dev_type;
type FM50AF_device, dev_type;
type DW9714AF_device, dev_type;
type DW9814AF_device, dev_type;
type AK7345AF_device, dev_type;
type DW9714A_device, dev_type;
type LC898122AF_device, dev_type;
type LC898212AF_device, dev_type;
type BU6429AF_device, dev_type;
type AD5820AF_device, dev_type;
type DW9718AF_device, dev_type;
type BU64745GWZAF_device, dev_type;
type MAINAF_device, dev_type;
type MAIN2AF_device, dev_type;
type SUBAF_device, dev_type;
type M4U_device_device, dev_type;
type Vcodec_device, dev_type;
type MJC_device, dev_type;
type smartpa_device, dev_type;
type smartpa1_device, dev_type;
type uio0_device, dev_type;
type xt_qtaguid_device, dev_type;
type rfkill_device, dev_type;
type sw_sync_device, dev_type, mlstrustedobject;
type sec_device, dev_type;
type hid_keyboard_device, dev_type;
type btn_device, dev_type;
type uinput_device, dev_type;
type TV_out_device, dev_type;
type gz_device, dev_type;
type camera_sysram_device, dev_type;
type camera_isp_device, dev_type;
type camera_dip_device, dev_type;
type camera_dpe_device, dev_type;
type camera_tsf_device, dev_type;
type camera_fdvt_device, dev_type;
type camera_rsc_device, dev_type;
type camera_gepf_device, dev_type;
type camera_wpe_device, dev_type;
type camera_owe_device, dev_type;
type camera_mfb_device, dev_type;
type camera_pipemgr_device, dev_type;
type ccu_device, dev_type;
type vpu_device, dev_type, mlstrustedobject;
type mdla_device, dev_type, mlstrustedobject;
type mtk_jpeg_device, dev_type;
type kd_camera_hw_device, dev_type;
type seninf_device, dev_type;
type kd_camera_flashlight_device, dev_type;
type flashlight_device, dev_type;
type kd_camera_hw_bus2_device, dev_type;
type MATV_device, dev_type;
type mt_otg_test_device, dev_type;
type mt_mdp_device, dev_type;
type mtkg2d_device, dev_type;
type misc_sd_device, dev_type;
type mtk_sched_device, dev_type;
type ampc0_device, dev_type;
type mmp_device, dev_type;
type ttyGS_device, dev_type;
type CAM_CAL_DRV_device, dev_type;
type CAM_CAL_DRV1_device, dev_type;
type CAM_CAL_DRV2_device, dev_type;
type MTK_SMI_device, dev_type;
type mtk_cmdq_device, dev_type;
type mtk_mdp_device, dev_type;
type mtk_rrc_device, dev_type;
type ebc_device, dev_type;
type vow_device, dev_type;
type MT6516_H264_DEC_device, dev_type;
type MT6516_Int_SRAM_device, dev_type;
type MT6516_MM_QUEUE_device, dev_type;
type MT6516_MP4_DEC_device, dev_type;
type MT6516_MP4_ENC_device, dev_type;
type sensor_device, dev_type;
type aed_device, dev_type;
type ccci_device, dev_type;
type ccci_monitor_device, dev_type;
type gsm0710muxd_device, dev_type;
type eemcs_device, dev_type;
type emd_device, dev_type;
type mt6605_device, dev_type;
type st21nfc_device, dev_type;
type st54spi_device, dev_type;
type exm0_device, dev_type;
type mmcblk_device, dev_type;
type BOOT_device, dev_type;
type MT_pmic_device, dev_type;
type aal_als_device, dev_type;
type accdet_device, dev_type;
type android_device, dev_type;
type bmtpool_device, dev_type;
type bootimg_device, dev_type;
type btif_device, dev_type;
type cache_device, dev_type;
type cpu_dma_latency_device, dev_type;
type dummy_cam_cal_device, dev_type;
type ebr_device, dev_type;
type expdb_device, dev_type;
type fat_device, dev_type;
type logo_device, dev_type;
type loop-control_device, dev_type;
type mbr_device, dev_type;
type met_device, dev_type;
type misc_device, dev_type;
type misc2_device, dev_type;
type mtfreqhopping_device, dev_type;
type mtgpio_device, dev_type;
type mtk_kpd_device, dev_type;
type network_device, dev_type;
type nvram_device, dev_type;
type pmt_device, dev_type;
type preloader_device, dev_type;
type pro_info_device, dev_type;
type protect_f_device, dev_type;
type protect_s_device, dev_type;
type psaux_device, dev_type;
type ptyp_device, dev_type;
type recovery_device, dev_type;
type sec_ro_device, dev_type;
type seccfg_device, dev_type;
type tee_part_device, dev_type;
type snapshot_device, dev_type;
type tgt_device, dev_type;
type touch_device, dev_type;
type tpd_em_log_device, dev_type;
type ttyp_device, dev_type;
type uboot_device, dev_type;
type uibc_device, dev_type;
type usrdata_device, dev_type;
type zram0_device, dev_type;
type hwzram0_device, dev_type;
type RT_Monitor_device, dev_type;
type kick_powerkey_device, dev_type;
type agps_device, dev_type;
type mnld_device, dev_type;
type geo_device, dev_type;
type mdlog_device, dev_type;
type md32_device, dev_type;
type scp_device, dev_type;
type adsp_device, dev_type;
type audio_scp_device, dev_type;
type sspm_device, dev_type;
type etb_device, dev_type;
type MT_pmic_adc_cali_device, dev_type;
type mtk-adc-cali_device, dev_type;
type MT_pmic_cali_device,dev_type;
type otp_device, dev_type;
type otp_part_block_device, dev_type;
type qemu_pipe_device, dev_type;
type icusb_device, dev_type;
type nlop_device, dev_type;
type irtx_device, dev_type;
type pmic_ftm_device, dev_type;
type charger_ftm_device, dev_type;
type shf_device, dev_type;
type keyblock_device, dev_type;
type offloadservice_device, dev_type;
type ttyACM_device, dev_type;
type hrm_device, dev_type;
type lens_device, dev_type;
type nvdata_device, dev_type;
type nvcfg_device, dev_type;
type expdb_block_device, dev_type;
type misc2_block_device, dev_type;
type logo_block_device, dev_type;
type para_block_device, dev_type;
type tee_block_device, dev_type;
type seccfg_block_device, dev_type;
type secro_block_device, dev_type;
type preloader_block_device, dev_type;
type lk_block_device, dev_type;
type protect1_block_device, dev_type;
type protect2_block_device, dev_type;
type keystore_block_device, dev_type;
type oemkeystore_block_device, dev_type;
type sec1_block_device, dev_type;
type md1img_block_device, dev_type;
type md1dsp_block_device, dev_type;
type md1arm7_block_device, dev_type;
type md3img_block_device, dev_type;
type mmcblk1_block_device, dev_type;
type mmcblk1p1_block_device, dev_type;
type bootdevice_block_device, dev_type;
type odm_block_device, dev_type;
type oem_block_device, dev_type;
type vendor_block_device, dev_type;
type dtbo_block_device, dev_type;
type loader_ext_block_device, dev_type;
type spm_device, dev_type;
type persist_block_device, dev_type;
type md_block_device, dev_type;
type spmfw_block_device, dev_type;
type mcupmfw_block_device, dev_type;
type scp_block_device, dev_type;
type sspm_block_device, dev_type;
type dsp_block_device, dev_type;
type ppl_block_device, dev_type;
type nvcfg_block_device, dev_type;
type ancservice_device, dev_type;
type mbim_device, dev_type;
type audio_ipi_device, dev_type;
type cam_vpu_block_device,dev_type;
type boot_para_block_device,dev_type;
type mtk_dfrc_device, dev_type;
type vbmeta_block_device, dev_type;
type alarm_device, dev_type;
type mdp_device, dev_type;
type mrdump_device, dev_type;
type kb_block_device,dev_type;
type dkb_block_device,dev_type;
##########################
# Sensor common Devices Start
#
type hwmsensor_device, dev_type;
type msensor_device, dev_type;
type gsensor_device, dev_type;
type als_ps_device, dev_type;
type gyroscope_device, dev_type;
type barometer_device,dev_type;
type humidity_device,dev_type;
type biometric_device,dev_type;
type sensorlist_device,dev_type;
##########################
# Sensor Devices Start
#
type m_batch_misc_device, dev_type;
##########################
# Sensor bio Devices Start
#
type m_als_misc_device, dev_type;
type m_ps_misc_device, dev_type;
type m_baro_misc_device, dev_type;
type m_hmdy_misc_device, dev_type;
type m_acc_misc_device, dev_type;
type m_mag_misc_device, dev_type;
type m_gyro_misc_device, dev_type;
type m_act_misc_device, dev_type;
type m_pedo_misc_device, dev_type;
type m_situ_misc_device, dev_type;
type m_step_c_misc_device, dev_type;
type m_fusion_misc_device, dev_type;
type m_bio_misc_device, dev_type;
# Date : 2016/07/11
# Operation : Migration
# Purpose : Add permission for gpu access
type dri_device, dev_type, mlstrustedobject;


@ -1,30 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Grant read access to mtk core property type which represents all
# mtk properties except those with ctl_xxx prefix.
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
get_prop(domain, mtk_core_property_type)
# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
# labeled with specific debugfs label and many violations to dir search debugfs_binder
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
# is also allowed to domain as well in Google default domain.te
allow domain debugfs_binder:dir search;
# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
# as it is a public interface for all processes to read some OTP data.
allow {
domain
-isolated_app
} sysfs_devinfo:file r_file_perms;
# Date:20170630
# Purpose: allow trusted process to connect aee daemon
#allow {
# coredomain
# -untrusted_app_all
#} aee_aed:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;


@ -1,7 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow drmserver proc_ged:file rw_file_perms;

View File

@ -1,183 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Purpose: aee_dumpstate set surfaceflinger property
set_prop(dumpstate, debug_bq_dump_prop);
# Purpose: access dev/aed0
allow dumpstate aed_device:chr_file { read getattr };
# Purpose: data/dumpsys/*
allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
# Purpose: data/aee_exp/*
allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };
# Purpose: debugfs files
allow dumpstate debugfs:lnk_file read;
allow dumpstate debugfs_binder:dir { read open };
allow dumpstate debugfs_binder:file { read open };
allow dumpstate debugfs_blockio:file { read open };
allow dumpstate debugfs_fb:dir search;
allow dumpstate debugfs_fb:file { read open };
allow dumpstate debugfs_fuseio:dir search;
allow dumpstate debugfs_fuseio:file { read open };
allow dumpstate debugfs_ged:dir search;
allow dumpstate debugfs_ged:file { read open };
allow dumpstate debugfs_rcu:dir search;
allow dumpstate debugfs_shrinker_debug:file { read open };
allow dumpstate debugfs_wakeup_sources:file { read open };
allow dumpstate debugfs_dmlog_debug:file { read open };
allow dumpstate debugfs_page_owner_slim_debug:file { read open };
allow dumpstate debugfs_ion_mm_heap:dir search;
allow dumpstate debugfs_ion_mm_heap:file { read open };
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
allow dumpstate debugfs_cpuhvfs:file { read open };
allow dumpstate debugfs_vpu_device_dbg:file { read open };
# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file { read open };
# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;
# Purpose: /sys/module/lowmemorykiller/parameters/adj
allow dumpstate sysfs_lowmemorykiller:file { read open };
allow dumpstate sysfs_lowmemorykiller:dir search;
# Purpose: /dev/block/mmcblk0p10
allow dumpstate expdb_block_device:blk_file { read write ioctl open };
#/data/anr/SF_RTT
allow dumpstate sf_rtt_file:dir { search getattr };
# Data : 2017/03/22
# Operation : add fd use selinux rule
# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
allow dumpstate aee_aed:fd use;
allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
# private define
# allow dumpstate config_gz:file read;
allow dumpstate sysfs_leds:dir r_dir_perms;
# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# sf_bqdump_data_file:s0 tclass=dir permissive=0
allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
allow dumpstate sf_bqdump_data_file:file r_file_perms;
# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow dumpstate debugfs_tracing:file rw_file_perms;
# Data : WK17.03
# Purpose: Allow to access gpu
allow dumpstate gpu_device:dir search;
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow dumpstate mtk_hal_camera:binder { call };
# Purpose: Allow aee_dumpstate to read /proc/slabinfo
allow dumpstate proc_slabinfo:file r_file_perms;
# Purpose: Allow aee_dumpstate to read /proc/zraminfo
allow dumpstate proc_zraminfo:file r_file_perms;
# Purpose: Allow aee_dumpstate to read /proc/gpulog
allow dumpstate proc_gpulog:file r_file_perms;
# Purpose: Allow aee_dumpstate to read /proc/sched_debug
allow dumpstate proc_sched_debug:file r_file_perms;
# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
allow dumpstate proc_chip:file r_file_perms;
# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
allow dumpstate sysfs_vibrator_setting:file write;
# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
allow dumpstate debugfs_rcu:file r_file_perms;
# Purpose: Allow dumpstate to read /proc/ufs_debug
allow dumpstate proc_ufs_debug:file rw_file_perms;
# Purpose: Allow dumpstate to read /proc/msdc_debug
allow dumpstate proc_msdc_debug:file r_file_perms;
# Purpose: Allow dumpstate to r/w /proc/pidmap
allow dumpstate proc_pidmap:file rw_file_perms;
# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
allow dumpstate sysfs_vcore_debug:file r_file_perms;
# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
allow dumpstate sf_rtt_file:file r_file_perms;
#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
allow dumpstate proc_slabtrace:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
allow dumpstate proc_cmdq_debug:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
allow dumpstate proc_dbg_repo:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
allow dumpstate proc_isp_p2_dump:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
allow dumpstate proc_isp_p2_kedump:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/mali/memory_usage
allow dumpstate proc_memory_usage:file r_file_perms;
#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
allow dumpstate sysfs_execstate:file r_file_perms;
allow dumpstate proc_isp_p2:dir r_dir_perms;
allow dumpstate proc_isp_p2:file r_file_perms;
# Date : W19.26
# Operation : Migration
# Purpose : fix google dumpstate avc error in xTS
allow dumpstate debugfs:dir r_dir_perms;
allow dumpstate debugfs_mmc:dir search;
allow dumpstate mnt_media_rw_file:dir getattr;
# Date: 19/07/15
# Purpose: fix google dumpstate avc error in xTs
allow dumpstate sysfs_devices_block:file r_file_perms;
allow dumpstate proc_last_kmsg:file r_file_perms;
# Date: 19/07/15
# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
allow dumpstate debugfs_kmemleak:file r_file_perms;
#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
allow dumpstate sysfs_adsp:file r_file_perms;
#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
allow dumpstate debugfs_smi_mon:file r_file_perms;
# MTEE Trusty
allow dumpstate mtee_trusty_file:file rw_file_perms;
# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
allow dumpstate mnt_expand_file:dir { search getattr };


@ -1,34 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK17.32
# Operation : Migration
# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
allow e2fs protect1_block_device:blk_file rw_file_perms;
allow e2fs protect2_block_device:blk_file rw_file_perms;
allow e2fs persist_block_device:blk_file rw_file_perms;
allow e2fs nvdata_device:blk_file rw_file_perms;
allow e2fs nvcfg_block_device:blk_file rw_file_perms;
allow e2fs devpts:chr_file {read write};
# Date : WK18.23
# Operation: P migration
# Purpose : Allow mke2fs to format userdata and cache partition
allow e2fs cache_block_device:blk_file rw_file_perms;
allow e2fs userdata_block_device:blk_file rw_file_perms;
# Date : WK19.23
# Operation: Q migration
# Purpose : Allow format /metadata for UDC
allow e2fs metadata_block_device:blk_file rw_file_perms;
# Date : WK19.34
# Operation: Q migration
# Purpose : Allow mke2fs to use ioctl/ioctlcmd
allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };


@ -1,130 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/em_hidi Executable File
# ==============================================
type em_hidl, domain;
type em_hidl_exec, exec_type, file_type, vendor_file_type;
# Date : 2018/06/28
init_daemon_domain(em_hidl)
# Date : 2018/06/28
# Purpose: EM_HILD
hal_server_domain(em_hidl, mtk_hal_em)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set ims operator
set_prop(em_hidl, mtk_operator_id_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_simswitch_emmode_prop
set_prop(em_hidl, mtk_simswitch_emmode_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_dsbp_support_prop
set_prop(em_hidl, mtk_dsbp_support_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_imstestmode_prop
set_prop(em_hidl, mtk_imstestmode_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_smsformat_prop
set_prop(em_hidl, mtk_smsformat_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_gprs_prefer_prop
set_prop(em_hidl, mtk_gprs_prefer_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_testsim_cardtype_prop
set_prop(em_hidl, mtk_testsim_cardtype_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should set mtk_ct_ir_engmode_prop
set_prop(em_hidl, mtk_ct_ir_engmode_prop)
# Date : 2018/06/28
# Operation : EM DEBUG
# Purpose: EM should mtk_disable_c2k_cap_prop
set_prop(em_hidl, mtk_disable_c2k_cap_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should mtk_debug_md_reset_prop
set_prop(em_hidl, mtk_debug_md_reset_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should video log mtk_omx_log_prop
set_prop(em_hidl, mtk_omx_log_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should video log mtk_vdec_log_prop
set_prop(em_hidl, mtk_vdec_log_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should video log mtk_vdectlc_log_prop
set_prop(em_hidl, mtk_vdectlc_log_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should video log mtk_venc_h264_showlog_prop
set_prop(em_hidl, mtk_venc_h264_showlog_prop)
# Date : 2018/06/29
# Operation : EM DEBUG
# Purpose: EM should video log mtk_modem_warning_prop
set_prop(em_hidl, mtk_modem_warning_prop)
# Date : 2018/07/06
# Operation : EM DEBUG
# Purpose: EM allow usb vendor_em_usb_prop
set_prop(em_hidl, vendor_em_usb_prop)
# Date : 2018/07/06
# Operation : EM DEBUG
# Purpose: for setting usb otg enable property
set_prop(em_hidl, vendor_usb_otg_switch)
# Data : 2018/07/06
# Purpose : EM MCF read nvdata dir and file
allow em_hidl nvdata_file:dir { read open add_name search getattr};
allow em_hidl nvdata_file:file { getattr read open };
# Data : 2018/07/06
# Purpose : EM MCF search vendor dir
allow em_hidl mnt_vendor_file:dir search;
allow em_hidl vendor_default_prop:file read;
# Data : 2018/08/10
# Purpose : EM BT usage
allow em_hidl stpbt_device:chr_file { read write open };
allow em_hidl sysfs_boot_mode:file { read open };
allow em_hidl ttyGS_device:chr_file { read write ioctl open };
allow em_hidl vendor_usb_prop:file { read getattr open };
set_prop(em_hidl, vendor_usb_prop)
# Date : 2018/08/28
# Operation : EM DEBUG
# Purpose: for em set hidl configure
set_prop(em_hidl, mtk_em_hidl_prop)
# Date : 2019/08/22
# Operation : EM AAL
# Purpose: for em set aal property
set_prop(em_hidl, mtk_pq_prop)
# Date : 2019/09/10
# Operation : EM wcn coredump
# Purpose: for em set wcn coredump property
set_prop(em_hidl, coredump_prop)


@ -1,77 +0,0 @@
# Date: WK1812
# Purpose: add for sensor calibration
allow em_svr als_ps_device:chr_file { read open ioctl };
allow em_svr gsensor_device:chr_file { read open ioctl };
# Date: WK1812
# Purpose: add for MD log filter
allow em_svr md_block_device:blk_file { read open };
# Date: WK1812
# Purpose: add for SIB capture
allow em_svr para_block_device:blk_file { read open write};
allow em_svr proc_lk_env:file { read write ioctl open };
# Date: WK1812
# Purpose: add for MSDC get/set
allow em_svr misc_sd_device:chr_file { read open ioctl };
# Date: WK1812
# Purpose: add for battery log
allow em_svr proc_battery_cmd:dir { search };
allow em_svr proc_battery_cmd:file { create write open };
# Date: WK1812
# Purpose: add for light/proximity sensor
allow em_svr nvram_device:blk_file { open read write };
# Date: WK1812
# Purpose: add for Gyroscope sensor
allow em_svr gyroscope_device:chr_file { read ioctl open };
# Date : 2018/06/15
# Purpose : Allow EM access touchscreen settings
allow em_svr sysfs_tpd_debug:dir { search };
allow em_svr sysfs_tpd_setting:dir { search };
allow em_svr sysfs_tpd_debug:file { rw_file_perms };
allow em_svr sysfs_tpd_setting:file { rw_file_perms };
# Date : 2018/06/15
# Purpose : EM FreqHopping setting
allow em_svr proc_freqhop:file { open read write };
# Date : 2018/06/15
# Purpose : EM flash reading
allow em_svr proc_flash:file { open read };
allow em_svr proc_partition:file { open read };
# Date : 2018/06/15
# Purpose : EM Power PMU reading/setting
allow em_svr sysfs_pmu:dir { search };
allow em_svr sysfs_pmu:file { rw_file_perms };
allow em_svr sysfs_pmu:lnk_file { read };
# Date : 2018/06/15
# Purpose : EM Power debug_log setting
allow em_svr sysfs_spm:dir { search };
allow em_svr sysfs_spm:file { open read write };
# Date: 2019/04/09
# Purpose: battery temprature setting
allow em_svr sysfs_battery_temp:file w_file_perms;
allow em_svr sysfs_battery_consumption:file r_file_perms;
allow em_svr sysfs_power_on_vol:file r_file_perms;
allow em_svr sysfs_power_off_vol:file r_file_perms;
allow em_svr sysfs_fg_disable:file w_file_perms;
allow em_svr sysfs_dis_nafg:file w_file_perms;
# Date : 2018/10/12
# Purpose : EM Power PMU register reading/setting
allow em_svr debugfs_regmap:dir { search };
allow em_svr debugfs_regmap:file { rw_file_perms };
# Date:2019/04/15
# Purpose: EM Power
allow em_svr toolbox_exec:file { map };


@ -1,125 +0,0 @@
#allow emdlogger to set property
allow emdlogger debug_prop:property_service set;
allow emdlogger persist_mtklog_prop:property_service set;
allow emdlogger system_radio_prop:property_service set;
# ccci device for internal modem
allow emdlogger ccci_device:chr_file { rw_file_perms };
# eemcs device for external modem
allow emdlogger eemcs_device:chr_file { rw_file_perms };
# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
allow emdlogger ttySDIO_device:chr_file { rw_file_perms };
# C2K project modem device for external modem vmodem start/stop/ioctl modem
allow emdlogger vmodem_device:chr_file { rw_file_perms };
# usb device ttyGSx for modem logger usb logging
allow emdlogger ttyGS_device:chr_file { rw_file_perms};
# for modem logging sdcard access
allow emdlogger sdcard_type:dir { create_dir_perms };
allow emdlogger sdcard_type:file { create_file_perms };
# modem logger access on /data/mdlog
allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
allow emdlogger mdlog_data_file:file { create_file_perms };
allow emdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow emdlogger mdlog_device:chr_file { rw_file_perms};
#modem logger SD logging in factory mode
allow emdlogger vfat:dir create_dir_perms;
allow emdlogger vfat:file create_file_perms;
#modem logger permission in storage in android M version
allow emdlogger mnt_user_file:dir search;
allow emdlogger mnt_user_file:lnk_file read;
allow emdlogger storage_file:lnk_file read;
#permission for storage link access in vzw Project
allow emdlogger mnt_media_rw_file:dir search;
#permission for use SELinux API
#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
allow emdlogger rootfs:file r_file_perms;
#permission for storage access storage
allow emdlogger storage_file:dir { create_dir_perms };
allow emdlogger tmpfs:lnk_file read;
allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow emdlogger sysfs_boot_mode:file { read open };
# Allow read to sys/kernel/ccci/* files
allow emdlogger sysfs_ccci:dir search;
allow emdlogger sysfs_ccci:file r_file_perms;
allow emdlogger sysfs_mdinfo:file r_file_perms;
allow emdlogger sysfs_mdinfo:dir search;
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow emdlogger system_file:dir read;
# purpose: allow emdlogger to access storage in N version
allow emdlogger media_rw_data_file:file { create_file_perms };
allow emdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
allow emdlogger aee_aed:unix_stream_socket connectto;
# For dynamic CCB buffer feature
#avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
#scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
#avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
allow emdlogger para_block_device:blk_file { read open write };
allow emdlogger proc_lk_env:file { read write ioctl open };
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open map};
allow emdlogger block_device:dir search;
allow emdlogger md_block_device:blk_file { read open };
allow emdlogger self:capability { chown };
# purpose: allow emdlogger to access persist.meta.connecttype
get_prop(emdlogger, meta_connecttype_prop);
# purpose: allow emdlogger to create socket
allow emdlogger port:tcp_socket { name_connect name_bind };
allow emdlogger emdlogger:tcp_socket { create connect setopt bind };
allow emdlogger emdlogger:tcp_socket { bind setopt listen accept read write };
allow emdlogger node:tcp_socket node_bind;
# Android P migration
set_prop(emdlogger, persist_mtklog_prop)
set_prop(emdlogger, vendor_mdl_prop)
set_prop(emdlogger, vendor_mdl_start_prop)
set_prop(emdlogger, debug_mdlogger_prop)
get_prop(emdlogger, vendor_usb_prop)
set_prop(emdlogger, persist_mdlog_prop)
set_prop(emdlogger, vendor_mdl_pulllog_prop)
set_prop(emdlogger, exported_system_radio_prop)
allow emdlogger vendor_configs_file:file map;
allow emdlogger vendor_default_prop:file map;
# Date : WK19.12
# Operation: add permission to catch logs
# Purpose : get kernel and radio logs when modem exception
allow emdlogger kernel:system syslog_read;
allow emdlogger logcat_exec:file {rx_file_perms};
allow emdlogger logdr_socket:sock_file write;


@ -1,398 +0,0 @@
# ==============================================
# Policy File of /system/bin/factory Executable File
# ==============================================
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
#file_type_auto_trans(factory, system_data_file, factory_data_file)
type factory, domain;
type factory_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(factory)
#============= factory ==============
allow factory MTK_SMI_device:chr_file r_file_perms;
allow factory ashmem_device:chr_file execute;
allow factory ebc_device:chr_file rw_file_perms;
allow factory stpbt_device:chr_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : CCCI
allow factory eemcs_device:chr_file rw_file_perms;
allow factory ccci_device:chr_file rw_file_perms;
allow factory gsm0710muxd_device:chr_file rw_file_perms;
#Purpose: file system requirement
allow factory debugfs_usb:file rw_file_perms;
allow factory debugfs_usb:dir search;
allow factory devpts:chr_file rw_file_perms;
allow factory vfat:dir w_dir_perms;
allow factory labeledfs:filesystem unmount;
allow factory rootfs:dir mounton;
allow factory vfat:dir { read open search mounton };
allow factory vfat:filesystem { mount unmount };
# Purpose : SDIO
allow factory ttySDIO_device:chr_file rw_file_perms;
#Purpose: USB
allow factory ttyMT_device:chr_file rw_file_perms;
allow factory ttyS_device:chr_file rw_file_perms;
allow factory ttyGS_device:chr_file rw_file_perms;
# Purpose: OTG
allow factory usb_device:chr_file rw_file_perms;
allow factory usb_device:dir r_dir_perms;
# Date: WK15.01
# Purpose : OTG Mount
allow factory sdcard_type:dir mounton;
# Date: WK15.07
# Purpose : use c2k flight mode;
allow factory vmodem_device:chr_file rw_file_perms;
# Date: WK15.13
# Purpose: for nand project
allow factory mtd_device:dir search;
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;
# Data: WK15.28
# Purpose: for mt-ramdump reset
allow factory proc_mrdump_rst:file w_file_perms;
#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
# because system_data_file is sensitive partition from M
wakelock_use(factory);
allow factory storage_file:dir { write create add_name search mounton };
# Date: WK15.44
# Purpose: factory idle current status
allow factory vendor_factory_idle_state_prop:property_service set;
# Date: WK15.46
# Purpose: gps factory mode
allow factory agpsd_data_file:dir search;
allow factory gps_data_file:dir { write add_name search remove_name unlink};
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
allow factory gps_data_file:lnk_file read;
allow factory storage_file:lnk_file r_file_perms;
#Date: WK15.48
#Purpose: capture for factory mode
allow factory devmap_device:chr_file r_file_perms;
allow factory sdcard_type:dir create_dir_perms;
allow factory sdcard_type:file create_file_perms;
allow factory mnt_user_file:dir search;
allow factory mnt_user_file:lnk_file read;
allow factory storage_file:lnk_file read;
#Date: WK16.05
#Purpose: For access NVRAM
allow factory factory:capability chown;
allow factory nvram_data_file:dir create_dir_perms;
allow factory nvram_data_file:file create_file_perms;
allow factory nvram_data_file:lnk_file r_file_perms;
allow factory nvdata_file:lnk_file r_file_perms;
allow factory nvram_device:chr_file rw_file_perms;
allow factory nvram_device:blk_file rw_file_perms;
allow factory nvdata_device:blk_file rw_file_perms;
#Date: WK16.12
#Purpose: For sensor test
allow factory als_ps_device:chr_file r_file_perms;
allow factory barometer_device:chr_file r_file_perms;
allow factory gsensor_device:chr_file r_file_perms;
allow factory gyroscope_device:chr_file r_file_perms;
allow factory msensor_device:chr_file r_file_perms;
allow factory biometric_device:chr_file r_file_perms;
#Purpose: For camera Test
allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
allow factory kd_camera_hw_device:chr_file rw_file_perms;
allow factory seninf_device:chr_file rw_file_perms;
allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
#Purpose: For reboot the target
allow factory powerctl_prop:property_service set;
#Purpose: For memory card test
allow factory misc_sd_device:chr_file r_file_perms;
allow factory mmcblk1_block_device:blk_file rw_file_perms;
allow factory bootdevice_block_device:blk_file rw_file_perms;
allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
allow factory block_device:dir w_dir_perms;
allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
#Purpose: For EMMC test
allow factory nvdata_file:dir create_dir_perms;
allow factory nvdata_file:file create_file_perms;
#Purpose: For HRM test
allow factory hrm_device:chr_file r_file_perms;
#Purpose: For IrTx LED test
allow factory irtx_device:chr_file rw_file_perms;
#Purpose: For battery test, ext_buck test and ext_vbat_boost test
allow factory pmic_ftm_device:chr_file rw_file_perms;
allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
allow factory MT_pmic_cali_device:chr_file r_file_perms;
allow factory charger_ftm_device:chr_file r_file_perms;
#Purpose: For HDMI test
allow factory graphics_device:dir w_dir_perms;
allow factory graphics_device:chr_file rw_file_perms;
#Purpose: For WIFI test
allow factory wmtWifi_device:chr_file rw_file_perms;
#Purpose: For rtc test
allow factory rtc_device:chr_file rw_file_perms;
#Purpose: For nfc test
allow factory mt6605_device:chr_file rwx_file_perms;
#Purpose: For gps test
allow factory mnld_device:chr_file rw_file_perms;
allow factory mnld_exec:file rx_file_perms;
#Purpose: For keypad test
allow factory mtk_kpd_device:chr_file r_file_perms;
#Purpose: For Humidity test
allow factory humidity_device:chr_file r_file_perms;
#Purpose: For camera test
allow factory camera_isp_device:chr_file rw_file_perms;
allow factory camera_dip_device:chr_file rw_file_perms;
allow factory camera_pipemgr_device:chr_file r_file_perms;
allow factory camera_sysram_device:chr_file r_file_perms;
allow factory ccu_device:chr_file rw_file_perms;
allow factory vpu_device:chr_file rw_file_perms;
allow factory MAINAF_device:chr_file rw_file_perms;
allow factory MAIN2AF_device:chr_file rw_file_perms;
allow factory SUBAF_device:chr_file rw_file_perms;
allow factory FM50AF_device:chr_file rw_file_perms;
allow factory AD5820AF_device:chr_file rw_file_perms;
allow factory DW9714AF_device:chr_file rw_file_perms;
allow factory DW9714A_device:chr_file rw_file_perms;
allow factory LC898122AF_device:chr_file rw_file_perms;
allow factory LC898212AF_device:chr_file rw_file_perms;
allow factory BU6429AF_device:chr_file rw_file_perms;
allow factory DW9718AF_device:chr_file rw_file_perms;
allow factory BU64745GWZAF_device:chr_file rw_file_perms;
allow factory cct_data_file:dir create_dir_perms;
allow factory cct_data_file:file create_file_perms;
allow factory camera_tsf_device:chr_file rw_file_perms;
allow factory camera_rsc_device:chr_file rw_file_perms;
allow factory camera_gepf_device:chr_file rw_file_perms;
allow factory camera_fdvt_device:chr_file rw_file_perms;
allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
allow factory mtk_hal_power_hwservice:hwservice_manager find;
allow factory vendor_data_file:file getattr;
allow factory mtk_hal_power:binder call;
get_prop(factory,mediatek_prop);
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
allow factory fm_device:chr_file rw_file_perms;
#Purpose: For audio test
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
allow factory audiohal_prop:property_service set;
allow factory audio_ipi_device:chr_file { read write ioctl open };
allow factory audio_scp_device:chr_file r_file_perms;
#Purpose: For key and touch event
allow factory input_device:chr_file r_file_perms;
allow factory input_device:dir rw_dir_perms;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;
# Date: WK16.18
# Purpose: N Migration For boot_mode
# Allow to read boot mode
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
allow factory sysfs_boot_mode:file { read open };
allow factory sysfs_boot_type:file { read open };
#TODO:: MTK need to remove later
not_full_treble(`
allow factory mnld:unix_dgram_socket sendto;
')
# Date: WK16.31
#Purpose: For gps test
allow factory mnld_prop:property_service set;
# Date: WK16.33
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory sdcard_type:filesystem unmount;
allow factory ctl_default_prop:property_service set;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow factory flashlight_device:chr_file rw_file_perms;
# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory ctl_emdlogger1_prop:property_service set;
# Date: WK17.07
# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
allow factory tmpfs:filesystem unmount;
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
allow factory sysfs_leds:file rw_file_perms;
allow factory sysfs_leds:dir r_dir_perms;
allow factory sysfs_power:file rw_file_perms;
allow factory sysfs_power:dir r_dir_perms;
allow factory self:capability2 {block_suspend};
allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
allow factory debugfs_ion:dir search;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
set_prop(factory,hwservicemanager_prop);
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow factory mtk_cmdq_device:chr_file { read ioctl open };
allow factory mtk_mdp_device:chr_file rw_file_perms;
allow factory sw_sync_device:chr_file rw_file_perms;
# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
set_prop(factory,ctl_ccci_fsd_prop);
# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};
#Date: W18.22
# Purpose: P Migration for factory get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow factory sysfs_comport_type:file rw_file_perms;
allow factory sysfs_uart_info:file rw_file_perms;
# from private
allow factory property_socket:sock_file write;
allow factory init:unix_stream_socket connectto;
allow factory kernel:system module_request;
allow factory node:tcp_socket node_bind;
allow factory userdata_block_device:blk_file rw_file_perms;
allow factory port:tcp_socket { name_bind name_connect };
allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
allow factory sdcard_type:dir r_dir_perms;
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;
allow factory sysfs_wake_lock:file rw_file_perms;
#allow factory system_file:file x_file_perms;
# For Light HIDL permission
hal_client_domain(factory, hal_light);
allow factory hal_light_hwservice:hwservice_manager find;
allow factory mtk_hal_light:binder call;
allow factory merged_hal_service:binder call;
# For vibrator test permission
allow factory sysfs_vibrator:file rw_file_perms;
allow factory sysfs_vibrator:dir search;
# For Audio device permission
allow factory proc_asound:dir { read search open };
allow factory proc_asound:file { read open getattr write };
allow factory audiohal_prop:property_service set;
# For Accdet data permission
allow factory sysfs:file { read open };
allow factory sysfs_headset:file { read open };
# For touch auto test
allow factory sysfs_tpd_setting:dir search;
allow factory sysfs_tpd_setting:file { read getattr open };
# Date : WK18.23
# Operation: P migration
# Purpose : Allow factory to unmount partition, stop service, and then erase partition
allow factory vendor_shell_exec:file { read execute open execute_no_trans };
allow factory vendor_toolbox_exec:file { execute_no_trans };
allow factory labeledfs:filesystem { unmount };
allow factory proc_cmdline:file { read open getattr };
allow factory factory:capability { sys_boot sys_admin};
allow factory sysfs_dt_firmware_android:file { read open getattr };
allow factory sysfs_dt_firmware_android:dir { read open search };
# Purpose : Allow factory to communicate with driver thru socket
allow factory factory:capability { sys_module net_admin net_raw };
# For power_supply and switch permission
r_dir_file(factory, sysfs_batteryinfo)
r_dir_file(factory, sysfs_switch)
# Date : WK18.27
# Operation: P migration
# Purpose : Allow factory to save test report to /data/vendor
allow factory vendor_data_file:dir { add_name read write};
allow factory vendor_data_file:file { create read write open };
# Date : WK18.31
# Operation: P migration
# Purpose : Refine policy
allow factory sysfs_mmcblk:dir { search };
allow factory sysfs_mmcblk:file { read getattr open };
# Date : WK18.37
# Operation: P migration
# Purpose : ADSP SmartPA calibration
allow factory vendor_file:file execute_no_trans;
allow factory mtk_audiohal_data_file:dir create_dir_perms;
allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms };
#Date : WK18.37
# Operation: P migration
# Purpose : Allow factory to open /proc/version
allow factory proc_version:file {read open getattr};
# Purpose : adsp
allow factory adsp_device:chr_file rw_file_perms;
# Purpose : NFC
allow factory vendor_nfc_socket:dir { write add_name remove_name search };
allow factory vendor_nfc_socket:sock_file { create write unlink setattr };
# Allow to get AOSP property persist.radio.multisim.config
get_prop(factory, exported3_radio_prop)


@ -1,25 +0,0 @@
# fastbootd (used in recovery init.rc for /sbin/fastbootd)
allow fastbootd {
bootdevice_block_device
cache_block_device
logo_block_device
para_block_device
}:blk_file { rw_file_perms };
allow fastbootd {
sysfs_boot_type
}:file { rw_file_perms };
allowxperm fastbootd {
bootdevice_block_device
cache_block_device
logo_block_device
para_block_device
}:blk_file ioctl {
BLKSECDISCARD
BLKDISCARD
MMC_IOCTLCMD
};


@ -1,416 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
type custom_file, file_type, data_file_type;
type lost_found_data_file, file_type, data_file_type;
type dontpanic_data_file, file_type, data_file_type;
type resource_cache_data_file, file_type, data_file_type;
type http_proxy_cfg_data_file, file_type, data_file_type;
type acdapi_data_file, file_type, data_file_type;
type ppp_data_file, file_type, data_file_type;
type wpa_supplicant_data_file, file_type, data_file_type;
type radvd_data_file, file_type, data_file_type;
type volte_vt_socket, file_type;
type dfo_socket, file_type;
type gsmrild_socket, file_type;
type rild2_socket, file_type;
type rild3_socket, file_type;
type rild4_socket, file_type;
type rild_mal_socket, file_type;
type rild_mal_at_socket, file_type;
type rild_mal_md2_socket, file_type;
type rild_mal_at_md2_socket, file_type;
type rild_ims_socket, file_type;
type rild_imsm_socket, file_type;
type rild_oem_socket, file_type;
type rild_mtk_ut_socket, file_type;
type rild_mtk_ut_2_socket, file_type;
type rild_mtk_modem_socket, file_type;
type rild_md2_socket, file_type;
type rild2_md2_socket, file_type;
type rild_debug_md2_socket, file_type;
type rild_oem_md2_socket, file_type;
type rild_mtk_ut_md2_socket, file_type;
type rild_mtk_ut_2_md2_socket, file_type;
type rild_mtk_modem_md2_socket, file_type;
type rild_vsim_socket, file_type;
type rild_vsim_md2_socket, file_type;
type mal_mfi_socket, file_type;
type mal_data_file, file_type, data_file_type;
type netdiag_socket, file_type;
type wpa_wlan0_socket, file_type;
type soc_vt_imcb_socket, file_type;
type soc_vt_tcv_socket, file_type;
type soc_vt_stk_socket, file_type;
type soc_vt_svc_socket, file_type;
type dbus_bluetooth_socket, file_type;
type bt_int_adp_socket, file_type;
type bt_a2dp_stream_socket, file_type;
type bt_data_file, file_type, data_file_type;
type proc_thermal, fs_type, proc_type;
type proc_mtkcooler, fs_type, proc_type;
type proc_mtktz, fs_type, proc_type;
type proc_mtd, fs_type, proc_type;
type proc_slogger, fs_type, proc_type;
type proc_lk_env, fs_type, proc_type;
type proc_ged, fs_type, proc_type;
type proc_mtk_jpeg, fs_type, proc_type;
type proc_perfmgr, fs_type, proc_type;
type proc_wmtdbg, fs_type, proc_type;
type proc_zraminfo, fs_type, proc_type;
type proc_cpu_alignment, fs_type, proc_type;
type proc_gpulog, fs_type, proc_type;
type proc_sched_debug, fs_type, proc_type;
type proc_chip, fs_type, proc_type;
type proc_atf_log, fs_type, proc_type;
type proc_gz_log, fs_type, proc_type;
type proc_last_kmsg, fs_type, proc_type;
type proc_bootprof, fs_type, proc_type;
type proc_pl_lk, fs_type, proc_type;
type proc_msdc_debug, fs_type, proc_type;
type proc_ufs_debug, fs_type, proc_type;
type proc_pidmap, fs_type, proc_type;
type proc_slabtrace, fs_type, proc_type;
type proc_cmdq_debug, fs_type, proc_type;
type proc_isp_p2, fs_type, proc_type;
type proc_dbg_repo, fs_type, proc_type;
type proc_isp_p2_dump, fs_type, proc_type;
type proc_isp_p2_kedump, fs_type, proc_type;
type proc_memory_usage, fs_type, proc_type;
type proc_mtk_es_reg_dump, fs_type, proc_type;
type sysfs_execstate, fs_type, sysfs_type;
type sysfs_therm, fs_type, sysfs_type;
type sysfs_fps, fs_type, sysfs_type;
type sysfs_ccci, fs_type, sysfs_type;
type sysfs_mdinfo, fs_type,sysfs_type;
type sysfs_ssw, fs_type,sysfs_type;
type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
type sysfs_md32, fs_type, sysfs_type;
type sysfs_scp, fs_type, sysfs_type;
type sysfs_adsp, fs_type, sysfs_type;
type sysfs_sspm, fs_type, sysfs_type;
type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dcm, fs_type, sysfs_type;
type sysfs_dcs, fs_type, sysfs_type;
type sysfs_vcore_debug, fs_type, sysfs_type;
type agpsd_socket, file_type;
type agpsd_data_file, file_type, data_file_type;
type mnld_socket, file_type;
type mnld_data_file, file_type, data_file_type;
type gps_data_file, file_type, data_file_type;
type MPED_socket, file_type;
type MPED_data_file, file_type, data_file_type;
type sysctl_socket, file_type;
type backuprestore_socket, file_type;
type protect_f_data_file, file_type, data_file_type;
type protect_s_data_file, file_type, data_file_type;
type persist_data_file, file_type, data_file_type;
type nvram_data_file, file_type, data_file_type;
type nvdata_file, file_type, data_file_type;
type nvcfg_file, file_type, data_file_type;
type cct_data_file, file_type, data_file_type;
type mediaserver_data_file, file_type, data_file_type;
type mediacodec_data_file, file_type, data_file_type;
type connsyslog_data_vendor_file, file_type, data_file_type;
#mobilelog data/misc/mblog
type logmisc_data_file, file_type, data_file_type, core_data_file_type;
#mobilelog data/log_temp
type logtemp_data_file, file_type, data_file_type, core_data_file_type;
# NE core_forwarder
type aee_core_data_file, file_type, data_file_type, core_data_file_type;
type aee_core_vendor_file, file_type, data_file_type;
# AEE exp
type aee_exp_data_file, file_type, data_file_type, core_data_file_type;
type aee_exp_vendor_file, file_type, data_file_type;
type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type;
type aee_dumpsys_vendor_file, file_type, data_file_type;
# SF rtt dump
type sf_rtt_file, file_type, data_file_type, core_data_file_type;
#for 3Gdongle
type rild-dongle_socket, file_type;
type ccci_cfg_file, file_type, data_file_type;
type ccci_data_md1_file, file_type, data_file_type;
type c2k_file, file_type, data_file_type;
#For sensor
type sensor_data_file, file_type, data_file_type;
type stp_dump_data_file, file_type, data_file_type;
type sysfs_keypad_file, fs_type, sysfs_type;
type rild_via_socket, file_type;
type rpc_socket, file_type;
type rild_ctclient_socket, file_type;
#For icusb
type proc_icusb, fs_type, proc_type;
# for labeling /mnt/cd-rom as iso9660
type iso9660, fs_type;
# data_tmpfs_log
type data_tmpfs_log_file, file_type, data_file_type, core_data_file_type;
type vendor_tmpfs_log_file, file_type, data_file_type;
# rawfs for /protect_f on NAND projects
type rawfs, fs_type, mlstrustedobject;
# fat on nand fat.img
type fon_image_data_file, file_type, data_file_type;
# ims ipsec config file
type ims_ipsec_data_file, file_type, data_file_type;
# thermal manager config file
type thermal_manager_data_file, file_type, data_file_type;
# adbd config file
type adbd_data_file, file_type, data_file_type, core_data_file_type;
#autokd data file
type autokd_data_file, file_type, data_file_type;
#fuse
type fuseblk,sdcard_type,fs_type,mlstrustedobject;
# for mt-ramdump reset
type proc_mrdump_rst, fs_type, proc_type;
# battery_cmd file
type proc_battery_cmd, fs_type, proc_type;
# binder debugfs file
type debugfs_binder, fs_type, debugfs_type;
# blockio debugfs file
type debugfs_blockio, fs_type, debugfs_type;
# fuseio debugfs file
type debugfs_fuseio, fs_type, debugfs_type;
# usb debugfs file
type debugfs_usb, fs_type, debugfs_type;
# display debugfs file
type debugfs_fb, fs_type, debugfs_type;
# cpuhvfs debugfs file
type debugfs_cpuhvfs, fs_type, debugfs_type;
#for engineermode Usb PHY Tuning
type debugfs_usb20_phy, fs_type, debugfs_type;
# dynamic_debug debugfs file
type debugfs_dynamic_debug, fs_type, debugfs_type;
# shrinker debugfs file
type debugfs_shrinker_debug, fs_type, debugfs_type;
# dmlog debugfs file
type debugfs_dmlog_debug, fs_type, debugfs_type;
# page_owner_slim debugfs file
type debugfs_page_owner_slim_debug, fs_type, debugfs_type;
# rcu debugfs file
type debugfs_rcu, fs_type, debugfs_type;
# gpu debugfs file
type debugfs_ged, fs_type, debugfs_type;
# fpsgo debugfs file
type debugfs_fpsgo, fs_type, debugfs_type;
# eara_thermal debugfs file
type debugfs_eara_thermal, fs_type, debugfs_type;
# vpu debugfs file
type debugfs_vpu_power, fs_type, debugfs_type;
type debugfs_vpu_memory, fs_type, debugfs_type;
# mdla debugfs file
type debugfs_mdla_power, fs_type, debugfs_type;
# memtrack debugfs file
type debugfs_gpu_mali_midgard, fs_type, debugfs_type;
type debugfs_gpu_mali_utgard, fs_type, debugfs_type;
type debugfs_gpu_img, fs_type, debugfs_type;
type debugfs_ion, fs_type, debugfs_type;
# /sys/kernel/debug/ion/ion_mm_heap
type debugfs_ion_mm_heap, fs_type, debugfs_type;
# /sys/kernel/debug/emi_mbw/dump_buf
type debugfs_emi_mbw_buf, fs_type, debugfs_type;
# /sys/kernel/debug/vpu/device_dbg
type debugfs_vpu_device_dbg, fs_type, debugfs_type;
# /sys/kernel/debug/kmemleak
type debugfs_kmemleak, fs_type, debugfs_type;
######################################
# core domain file data
# SF bqdump
type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type;
type nfc_socket, file_type, data_file_type, core_data_file_type;
type vendor_nfc_socket, file_type, data_file_type;
# factory data file
type factory_data_file, file_type, data_file_type, core_data_file_type;
# Modem Log folder
type mdlog_data_file, file_type, data_file_type, core_data_file_type;
# MTK audio HAL folder
type mtk_audiohal_data_file, file_type, data_file_type;
# MTK Power HAL folder
type mtk_powerhal_data_file, file_type, data_file_type;
# Date : WK1743
# Purpose : for meta_tst copy MD DB from MD image
type mddb_data_file, file_type, data_file_type;
# Date : WK1814
# Purpose : for factory to get boot mode and type
type sysfs_boot_mode, fs_type, sysfs_type;
type sysfs_boot_type, fs_type, sysfs_type;
# consys Log folder
type consyslog_data_file, file_type, data_file_type, core_data_file_type;
# Date : WK1817
# Purpose : for meta to get com port type and uart port info
type sysfs_comport_type, fs_type, sysfs_type;
type sysfs_uart_info, fs_type, sysfs_type;
type sysfs_usb_cmode, fs_type, sysfs_type;
# Date : WK1820
# Purpose : for charger to access vbus info and pump_express
type sysfs_vbus, fs_type, sysfs_type;
type sysfs_pump_express, fs_type, sysfs_type;
# Widevine move data/mediadrm folder from system to vendor
type mediadrm_vendor_data_file, file_type, data_file_type;
# mtk usb hal
type sysfs_dual_role_usb20, fs_type, sysfs_type;
# lbs debug file
#type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type;
# Touch parameters file
type sysfs_tpd_setting, fs_type, sysfs_type;
type sysfs_tpd_debug, fs_type, sysfs_type;
# Date : 2018/06/11
# Purpose : mtk EM FreqHopping setting
type proc_freqhop, fs_type, proc_type;
# Date : 2018/06/11
# Purpose : mtk EM flash reading
type proc_flash, fs_type, proc_type;
type proc_partition, fs_type, proc_type;
# Date : 2018/06/11
# Purpose : mtk EM PMU reading/setting
type sysfs_pmu, fs_type, sysfs_type;
# Date : 2018/06/11
# Purpose : mtk EM Power debug_log setting
type sysfs_spm, fs_type, sysfs_type;
# Date : 2018/06/11
# Purpose : mtk EM Audio headset detect
type sysfs_headset, fs_type, sysfs_type;
# socket between atci_service and audio-daemon
type atci-audio_socket, file_type;
# ATCI socket types
type rild_atci_socket, file_type;
type rilproxy_atci_socket, file_type;
type atci_service_socket, file_type;
type adb_atci_socket, file_type;
# EM Power PMU register reading/setting
type debugfs_regmap, fs_type, debugfs_type;
# Date : 2018/11/01
# Purpose : mtk EM c2k bypass read usb file
type sys_usb_rawbulk, fs_type, sysfs_type;
# Backlight brightness file
type sysfs_leds_setting, fs_type, sysfs_type;
# Vibrator vibrate file
type sysfs_vibrator_setting, fs_type, sysfs_type;
# Date : 2019/04/09
# Purpose: mtk EM battery settings
type sysfs_battery_temp, fs_type, sysfs_type;
type sysfs_battery_consumption, fs_type, sysfs_type;
type sysfs_power_on_vol, fs_type, sysfs_type;
type sysfs_power_off_vol, fs_type, sysfs_type;
type sysfs_fg_disable, fs_type, sysfs_type;
type sysfs_dis_nafg, fs_type, sysfs_type;
# drm key manager
type provision_file, file_type, data_file_type;
type key_install_data_file, file_type, data_file_type;
# Date : WK18.16
# Purpose: Android Migration
type sysfs_mmcblk, fs_type, sysfs_type;
type sysfs_mmcblk1, fs_type, sysfs_type;
type aee_dipdebug_vendor_file, file_type, data_file_type;
type netd_socket, file_type, coredomain_socket;
# Date : WK19.27
# Purpose: Android Migration for SVP
type proc_m4u, fs_type, proc_type;
# Date : 2019/08/15
type debugfs_smi_mon, fs_type, debugfs_type;
# Date : WK19.34
# Purpose: Android Migration for video codec driver
type vcodec_file, file_type, data_file_type;
# Date : 2019/08/24
type sysfs_sensor, fs_type, sysfs_type;
#MTEE trusty
type mtee_trusty_file, fs_type, sysfs_type;
# Date : 2019/08/29
# Purpose: Allow rild access proc/aed/reboot-reason
type proc_aed_reboot_reason, fs_type, proc_type;
# Date : 2019/09/05
# Purpose: Allow powerhal to control kernel resources
type proc_ppm, fs_type, proc_type;
type proc_cpufreq, fs_type, proc_type;
type proc_hps, fs_type, proc_type;
type proc_cm_mgr, fs_type, proc_type;
type proc_ca_drv, fs_type, proc_type;
type sysfs_ged, fs_type, sysfs_type;
type sysfs_fbt_cpu, fs_type, sysfs_type;
type sysfs_fbt_fteh, fs_type, sysfs_type;
# Date : WK19.38
# Purpose: Android Migration for video codec driver
type sysfs_device_tree_model, fs_type, sysfs_type;
# Date : 2019/10/22
# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo
type sysfs_mrdump_lbaooo, fs_type, sysfs_type;
# Date : 2019/12/12
# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
type sysfs_concurrency_scenario, fs_type, sysfs_type;


@ -1,686 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
############################
# A/B system
/enableswap.sh u:object_r:rootfs:s0
/factory_init\..* u:object_r:rootfs:s0
/meta_init\..* u:object_r:rootfs:s0
/multi_init\..* u:object_r:rootfs:s0
#############################
# Custom files
(/vendor)?/custom(/.*)? u:object_r:custom_file:s0
/dev/socket/netd u:object_r:netd_socket:s0
#############################
# Data files
#
/data/vendor/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
/data/vendor_de/meta(/.*)? u:object_r:mddb_data_file:s0
/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
/data/vendor/aee_exp(/.*)? u:object_r:aee_exp_vendor_file:s0
/data/vendor/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
#/data/mnl_flp(/.*)? u:object_r:mnld_data_file:s0
#/data/mnl_gfc(/.*)? u:object_r:mnld_data_file:s0
/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0
/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0
/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0
/data/core(/.*)? u:object_r:aee_core_data_file:s0
/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0
#/data/dontpanic(/.*)? u:object_r:dontpanic_data_file:s0
/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_vendor_file:s0
/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0
#/data/http-proxy-cfg(/.*)? u:object_r:http_proxy_cfg_data_file:s0
/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0
#/data/lost\+found(/.*)? u:object_r:lost_found_data_file:s0
/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0
#/data/mediaserver(/.*)? u:object_r:mediaserver_data_file:s0
#/data/mediacodec(/.*)? u:object_r:mediacodec_data_file:s0
#/data/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0
/data/vendor/nfc_socket(/.*)? u:object_r:vendor_nfc_socket:s0
#/data/nvram(/.*)? u:object_r:nvram_data_file:s0
#/data/cct(/.*)? u:object_r:cct_data_file:s0
/data/vendor/md3(/.*)? u:object_r:c2k_file:s0
#/data/mal(/.*)? u:object_r:mal_data_file:s0
/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0
/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
/data/vendor/data_tmpfs_log(/.*)? u:object_r:vendor_tmpfs_log_file:s0
#/data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
#/data/tmp_mnt/vendor/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
#/data/setkey.conf u:object_r:ims_ipsec_data_file:s0
#/data/setkey_bak.conf u:object_r:ims_ipsec_data_file:s0
#/data/setkey_latest.conf u:object_r:ims_ipsec_data_file:s0
/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0
/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0
#/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0
/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0
/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0
/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0
/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0
# Misc data
#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
#/data/misc/ppp(/.*)? u:object_r:ppp_data_file:s0
#/data/misc/radvd(/.*)? u:object_r:radvd_data_file:s0
/data/vendor/sensor(/.*)? u:object_r:sensor_data_file:s0
#/data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0
# Wallpaper file for smartbook
/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
/data/vendor/connsyslog(/.*)? u:object_r:connsyslog_data_vendor_file:s0
# nvdata
/mnt/vendor/nvdata(/.*)? u:object_r:nvdata_file:s0
/mnt/vendor/nvcfg(/.*)? u:object_r:nvcfg_file:s0
# protected data file
/mnt/vendor/protect_f(/.*)? u:object_r:protect_f_data_file:s0
/mnt/vendor/protect_s(/.*)? u:object_r:protect_s_data_file:s0
/mnt/vendor/persist(/.*)? u:object_r:persist_data_file:s0
#fat on nand image
/fat(/.*)? u:object_r:fon_image_data_file:s0
##########################
# Devices
#
/dev/aal_als(/.*)? u:object_r:aal_als_device:s0
/dev/accdet(/.*)? u:object_r:accdet_device:s0
/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0
/dev/aed[0-9]+ u:object_r:aed_device:s0
/dev/ampc0(/.*)? u:object_r:ampc0_device:s0
/dev/android(/.*)? u:object_r:android_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
/dev/block/platform/bootdevice/by-name/otp u:object_r:otp_part_block_device:s0
/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0
/dev/bootimg(/.*)? u:object_r:bootimg_device:s0
/dev/BOOT(/.*)? u:object_r:BOOT_device:s0
/dev/btif(/.*)? u:object_r:btif_device:s0
/dev/btn(/.*)? u:object_r:btn_device:s0
/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0
/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0
/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0
/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0
/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0
/dev/cache(/.*)? u:object_r:cache_device:s0
/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0
/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0
/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0
/dev/gz_kree(/.*)? u:object_r:gz_device:s0
/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0
/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0
/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0
/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0
/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0
/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0
/dev/camera-gepf(/.*)? u:object_r:camera_gepf_device:s0
/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0
/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0
/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0
/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0
/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0
/dev/ccu(/.*)? u:object_r:ccu_device:s0
/dev/vpu(/.*)? u:object_r:vpu_device:s0
/dev/mdlactl(/.*)? u:object_r:mdla_device:s0
/dev/ccci_monitor u:object_r:ccci_monitor_device:s0
/dev/ccci.* u:object_r:ccci_device:s0
/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0
/dev/devmap(/.*)? u:object_r:devmap_device:s0
/dev/dri(/.*)? u:object_r:gpu_device:s0
/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0
/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0
/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0
/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0
/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0
/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0
/dev/WV511AAF(/.*)? u:object_r:lens_device:s0
/dev/ebc(/.*)? u:object_r:ebc_device:s0
/dev/usip(/.*)? u:object_r:ebc_device:s0
/dev/ebr[0-9]+ u:object_r:ebr_device:s0
/dev/eemcs.* u:object_r:eemcs_device:s0
/dev/emd.* u:object_r:emd_device:s0
/dev/etb u:object_r:etb_device:s0
/dev/exm0(/.*)? u:object_r:exm0_device:s0
/dev/expdb(/.*)? u:object_r:expdb_device:s0
/dev/fat(/.*)? u:object_r:fat_device:s0
/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0
/dev/fm(/.*)? u:object_r:fm_device:s0
/dev/fw_log_wmt u:object_r:fw_log_wmt_device:s0
/dev/fw_log_wifi u:object_r:fw_log_wifi_device:s0
#/dev/gps(/.*)? u:object_r:gps_device:s0
/dev/geofence(/.*)? u:object_r:geo_device:s0
/dev/fw_log_gps u:object_r:fw_log_gps_device:s0
#/dev/mt3337_gpsonly u:object_r:gps_device:s0
/dev/hdmitx(/.*)? u:object_r:graphics_device:s0
/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0
/dev/ion(/.*)? u:object_r:ion_device:s0
/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0
/dev/flashlight(/.*)? u:object_r:flashlight_device:s0
/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0
/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0
/dev/seninf(/.*)? u:object_r:seninf_device:s0
/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0
/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0
/dev/logo(/.*)? u:object_r:logo_device:s0
/dev/loop-control(/.*)? u:object_r:loop-control_device:s0
/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
/dev/mali.* u:object_r:gpu_device:s0
/dev/MATV(/.*)? u:object_r:MATV_device:s0
/dev/mbr(/.*)? u:object_r:mbr_device:s0
/dev/md32(/.*)? u:object_r:md32_device:s0
/dev/scp(/.*)? u:object_r:scp_device:s0
/dev/scp_B(/.*)? u:object_r:scp_device:s0
/dev/sspm(/.*)? u:object_r:sspm_device:s0
/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0
/dev/misc(/.*)? u:object_r:misc_device:s0
/dev/misc2(/.*)? u:object_r:misc2_device:s0
/dev/MJC(/.*)? u:object_r:MJC_device:s0
/dev/mmp(/.*)? u:object_r:mmp_device:s0
/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0
/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0
/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0
/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0
/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0
/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0
/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0
/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0
/dev/mt6605 u:object_r:mt6605_device:s0
/dev/st21nfc u:object_r:st21nfc_device:s0
/dev/st54spi u:object_r:st54spi_device:s0
/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0
/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0
/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0
/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
/dev/mtk_disp.* u:object_r:graphics_device:s0
/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0
/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0
/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0
/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0
/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0
/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0
/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0
/dev/mdp_device(/.*)? u:object_r:mdp_device:s0
/dev/mdp_sync(/.*)? u:object_r:mtk_mdp_device:s0
/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0
/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0
/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0
/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0
/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0
/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0
/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0
/dev/network.* u:object_r:network_device:s0
/dev/nvram(/.*)? u:object_r:nvram_device:s0
/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0
/dev/otp u:object_r:otp_device:s0
/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0
/dev/pmt(/.*)? u:object_r:pmt_device:s0
/dev/preloader(/.*)? u:object_r:preloader_device:s0
/dev/pro_info(/.*)? u:object_r:pro_info_device:s0
/dev/protect_f(/.*)? u:object_r:protect_f_device:s0
/dev/protect_s(/.*)? u:object_r:protect_s_device:s0
/dev/psaux(/.*)? u:object_r:psaux_device:s0
/dev/ptmx(/.*)? u:object_r:ptmx_device:s0
/dev/ptyp.* u:object_r:ptyp_device:s0
/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0
/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0
/dev/recovery(/.*)? u:object_r:recovery_device:s0
/dev/rfkill(/.*)? u:object_r:rfkill_device:s0
/dev/rtc[0-9]+ u:object_r:rtc_device:s0
/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0
/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0
/dev/seccfg(/.*)? u:object_r:seccfg_device:s0
/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0
/dev/sec(/.*)? u:object_r:sec_device:s0
/dev/tee1 u:object_r:tee_part_device:s0
/dev/tee2 u:object_r:tee_part_device:s0
/dev/sensor(/.*)? u:object_r:sensor_device:s0
/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0
/dev/snapshot(/.*)? u:object_r:snapshot_device:s0
/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0
/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0
/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0
/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0
/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0
/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/rild-atci u:object_r:gsmrild_socket:s0
/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/sap_uim_socket4(/.*)? u:object_r:gsmrild_socket:s0
/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0
/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0
/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0
/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0
/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0
/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0
/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0
/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0
/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0
/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0
/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0
/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0
/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0
/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0
/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0
/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0
/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0
/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
/dev/socket/rild-via u:object_r:rild_via_socket:s0
/dev/socket/rildc-debug u:object_r:rild_via_socket:s0
/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0
/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/rpc u:object_r:rpc_socket:s0
/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0
/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
/dev/stpant(/.*)? u:object_r:stpant_device:s0
/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
/dev/fw_log_bt u:object_r:fw_log_bt_device:s0
/dev/stpgps u:object_r:mnld_device:s0
/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
/dev/gpsdl0 u:object_r:mnld_device:s0
/dev/gpsdl0(/.*)? u:object_r:gpsdl_device:s0
/dev/gpsdl1 u:object_r:mnld_device:s0
/dev/gpsdl1(/.*)? u:object_r:gpsdl_device:s0
/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0
/dev/tgt(/.*)? u:object_r:tgt_device:s0
/dev/touch(/.*)? u:object_r:touch_device:s0
/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0
/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
/dev/ttyC1 u:object_r:mdlog_device:s0
/dev/ttyC2 u:object_r:agps_device:s0
/dev/ttyC3 u:object_r:icusb_device:s0
/dev/ttyC6 u:object_r:nlop_device:s0
/dev/ttyGS.* u:object_r:ttyGS_device:s0
/dev/ttyMT.* u:object_r:ttyMT_device:s0
/dev/ttyS.* u:object_r:ttyS_device:s0
/dev/ttyp.* u:object_r:ttyp_device:s0
/dev/ttySDIO.* u:object_r:ttySDIO_device:s0
/dev/ttyUSB0 u:object_r:tty_device:s0
/dev/ttyUSB1 u:object_r:tty_device:s0
/dev/ttyUSB2 u:object_r:tty_device:s0
/dev/ttyUSB3 u:object_r:tty_device:s0
/dev/ttyUSB4 u:object_r:tty_device:s0
/dev/TV-out(/.*)? u:object_r:TV_out_device:s0
/dev/uboot(/.*)? u:object_r:uboot_device:s0
/dev/uibc(/.*)? u:object_r:uibc_device:s0
/dev/uinput(/.*)? u:object_r:uinput_device:s0
/dev/uio0(/.*)? u:object_r:uio0_device:s0
/dev/usrdata(/.*)? u:object_r:usrdata_device:s0
/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0
/dev/vmodem u:object_r:vmodem_device:s0
/dev/vow(/.*)? u:object_r:vow_device:s0
/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0
/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
/dev/ancservice(/.*)? u:object_r:ancservice_device:s0
/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0
/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0
/dev/adsp(/.*)? u:object_r:adsp_device:s0
/dev/audio_scp(/.*)? u:object_r:audio_scp_device:s0
/dev/irtx u:object_r:irtx_device:s0
/dev/spm(/.*)? u:object_r:spm_device:s0
/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0
/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0
/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0
/dev/shf u:object_r:shf_device:s0
/dev/ttyACM0 u:object_r:ttyACM_device:s0
/dev/hrm u:object_r:hrm_device:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
/dev/nebula-ipc-dev0 u:object_r:tee_device:s0
/dev/mbim u:object_r:mbim_device:s0
/dev/alarm(/.*)? u:object_r:alarm_device:s0
##########################
# Sensor common Devices Start
#
/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
/dev/barometer(/.*)? u:object_r:barometer_device:s0
/dev/humidity(/.*)? u:object_r:humidity_device:s0
/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
/dev/msensor(/.*)? u:object_r:msensor_device:s0
/dev/biometric(/.*)? u:object_r:biometric_device:s0
/dev/sensorlist(/.*)? u:object_r:sensorlist_device:s0
##########################
# Sensor Devices Start
#
/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0
##########################
# Sensor bio Devices Start
#
/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0
/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0
/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0
/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0
/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0
/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0
/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0
/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0
/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0
/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0
/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0
/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0
/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0
# block partition definitions
/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0
/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0
/dev/block/sda u:object_r:preloader_block_device:s0
/dev/block/sdb u:object_r:preloader_block_device:s0
/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0
/dev/block/sdc u:object_r:bootdevice_block_device:s0
/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc u:object_r:misc_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para u:object_r:boot_para_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/super u:object_r:super_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
/dev/block/platform/bootdevice/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/bootdevice/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/bootdevice/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/bootdevice/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/bootdevice/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/bootdevice/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/bootdevice/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/bootdevice/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/bootdevice/by-name/misc u:object_r:misc_block_device:s0
/dev/block/platform/bootdevice/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/bootdevice/by-name/secro u:object_r:secro_block_device:s0
/dev/block/platform/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/bootdevice/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/bootdevice/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/bootdevice/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/bootdevice/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/bootdevice/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/bootdevice/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/bootdevice/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/bootdevice/by-name/sec1 u:object_r:sec1_block_device:s0
/dev/block/platform/bootdevice/by-name/boot_para u:object_r:boot_para_block_device:s0
/dev/block/platform/bootdevice/by-name/super u:object_r:super_block_device:s0
/dev/block/platform/bootdevice/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0
/dev/block/platform/bootdevice/by-name/system(_[ab])? u:object_r:system_block_device:s0
/dev/block/platform/bootdevice/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
/dev/block/platform/bootdevice/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
/dev/block/platform/bootdevice/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
/dev/block/platform/bootdevice/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
/dev/block/platform/bootdevice/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
/dev/block/platform/bootdevice/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/bootdevice/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/bootdevice/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
/dev/block/platform/bootdevice/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
/dev/block/platform/bootdevice/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
/dev/block/platform/bootdevice/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
/dev/block/platform/bootdevice/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
/dev/block/platform/bootdevice/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0
/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0
# Key manager
/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0
/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0
# W19.23 Q new feature - Userdata Checkpoint
/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0
#############################
# System files
#
/(system\/vendor|vendor)/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0
/(system\/vendor|vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0
/(system\/vendor|vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0
/(system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
/(system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
/(system\/vendor|vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0
/(system\/vendor|vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
/(system\/vendor|vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0
/(system\/vendor|vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
/(system\/vendor|vendor)/bin/MtkCodecService u:object_r:MtkCodecService_exec:s0
/(system\/vendor|vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0
/(system\/vendor|vendor)/bin/muxreport u:object_r:muxreport_exec:s0
/(system\/vendor|vendor)/bin/nvram_agent_binder u:object_r:nvram_agent_binder_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service u:object_r:nvram_agent_binder_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service-lazy u:object_r:nvram_agent_binder_exec:s0
/(system\/vendor|vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
/(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0
/(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0
/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0
/(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0
/(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0
/(system\/vendor|vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0
/(system\/vendor|vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0
/(system\/vendor|vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
/(system\/vendor|vendor)/bin/factory u:object_r:factory_exec:s0
/(system\/vendor|vendor)/bin/mnld u:object_r:mnld_exec:s0
#/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0
/(system\/vendor|vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-mediatek u:object_r:mtk_hal_gnss_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.audio@5\.0-service-mediatek u:object_r:mtk_hal_audio_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
/(system\/vendor|vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0
/(system\/vendor|vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek-lazy u:object_r:mtk_hal_light_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0
/(system\/vendor|vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
# Google Trusty system files
/(vendor|system\/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
#PQ hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0
#MMS hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service u:object_r:mtk_hal_mms_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service-lazy u:object_r:mtk_hal_mms_exec:s0
# Keymaster Attestation Hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
#ST NFC 1.2 hidl service
/(system\/vendor|vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0
# MTK Wifi Hal
/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-mediatek u:object_r:mtk_hal_wifi_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy-mediatek u:object_r:mtk_hal_wifi_exec:s0
# MTK USB hal
/(system\/vendor|vendor)/bin/hw/android\.hardware\.usb@1\.1-service-mediatek u:object_r:mtk_hal_usb_exec:s0
# MTK OMAPI for UICC
/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0
#gpu hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.gpu@1\.0-service u:object_r:mtk_hal_gpu_exec:s0
#############################
# System/bin files
#hidl process merging
/(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0
###############################################
# same-process HAL files and their dependencies
#
/vendor/lib(64)?/hw/gralloc\.mt[0-9]+[a-z]*\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/vulkan\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libIMGegl\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libglslcompiler\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libsrv_um\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmpvr\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libusc\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libtqvalidate\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libPVROCL\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libufwriter\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libPVRTrace\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libGLES_mali\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_ulit\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libpq_cust_base\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libpq_prot\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libhdrvideo\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libscltm\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libladder\.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0
/vendor/bin/hw/vendor\.mediatek\.hardware\.log@1\.0-service u:object_r:aee_hal_exec:s0
/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0
/vendor/bin/em_hidl u:object_r:em_hidl_exec:s0
/vendor/bin/hw/modemdbfilter_service u:object_r:modemdbfilter_service_exec:s0
# Date: 2018/07/06
# Purpose for same-process HAL files and their dependencies: libGLES_mali.so need libm4u.so on mali GPU.
/vendor/lib(64)?/libm4u\.so u:object_r:same_process_hal_file:s0
# Date: 2018/12/04
# Purpose: Neuron runtime API and the dependencies
/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0
/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0
# Date: 2019/01/21
# Purpose: OpenCL feature requirments
/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0
#MRDUMP
/dev/block/platform/bootdevice/by-name/mrdump(/.*)? u:object_r:mrdump_device:s0
# Date: 2019/07/16
# hdmi hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.hdmi@1\.0-service u:object_r:mtk_hal_hdmi_exec:s0
#Widevine drm hal(include lazy hal)
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0
#Cleaarkey hal(include lazy hal)
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0
/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0
# Date : 2019/10/28
# Purpose : move these contexts from plat_private/file_contexts
/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0
/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
/vendor/bin/aeev u:object_r:aee_aedv_exec:s0


@ -1,19 +0,0 @@
# Set a new domain
type fm_hidl_service, domain;
# Set domain as server domain of mtk_hal_fm
hal_server_domain(fm_hidl_service, mtk_hal_fm)
# Set exec file type
type fm_hidl_service_exec, exec_type, vendor_file_type, file_type;
# Setup for domain transition
init_daemon_domain(fm_hidl_service)
#add_hwservice(hal_fm_server, mtk_hal_fm_service)
vndbinder_use(fm_hidl_service)
#r_dir_file(fm_hidl_service, system_file)
allow fm_hidl_service fm_device:chr_file { rw_file_perms };


@ -1,18 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK15.29
# Operation : Migration
# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices.
allow fsck protect1_block_device:blk_file rw_file_perms;
allow fsck protect2_block_device:blk_file rw_file_perms;
allow fsck nvdata_device:blk_file rw_file_perms;
allow fsck persist_block_device:blk_file rw_file_perms;
allow fsck nvcfg_block_device:blk_file rw_file_perms;
allow fsck odm_block_device:blk_file rw_file_perms;
allow fsck oem_block_device:blk_file rw_file_perms;
# Date : WK17.12
# Purpose: Fix bootup fail
allow fsck system_block_device:blk_file getattr;


@ -1,71 +0,0 @@
# ==============================================
# Policy File of /system/bin/fuelgauged Executable File
# ==============================================
# Type Declaration
# ==============================================
type fuelgauged ,domain;
type fuelgauged_exec , exec_type, file_type, vendor_file_type;
type fuelgauged_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(fuelgauged)
# Data : WK14.43
# Operation : Migration
# Purpose : Fuel Gauge daemon for access driver node
allow fuelgauged input_device:dir rw_dir_perms;
allow fuelgauged input_device:file r_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For meta tool calibration
allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For fg.log can be printed with kernel log
allow fuelgauged kmsg_device:chr_file w_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For fg daemon can comminucate with kernel
allow fuelgauged self:netlink_socket create;
allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
# Data : WK16.39
allow fuelgauged self:capability { chown fsetid };
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
allow fuelgauged kernel:system module_request;
# Date: W18.03
# Operation : change fuelgagued access from cache to nvcfg
# Purpose : add fuelgauged to nvcfg read write permit
allow fuelgauged nvcfg_file:dir { search write open read add_name create getattr};
allow fuelgauged nvcfg_file:file { read write getattr open create };
# Date: W18.17
# Operation : add label for /sys/devices/platform/battery(/.*)
# Purpose : add fuelgauged could access
r_dir_file(fuelgauged, sysfs_batteryinfo);
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow fuelgauged mnt_vendor_file:dir search;


@ -1,67 +0,0 @@
# ==============================================
# Policy File of /system/bin/fuelgauged_nvram Executable File
# ==============================================
# Type Declaration
# ==============================================
type fuelgauged_nvram ,domain;
type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type;
type fuelgauged_nvram_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(fuelgauged_nvram)
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
allow fuelgauged_nvram nvdata_file:dir rw_dir_perms;
allow fuelgauged_nvram nvdata_file:file {rw_file_perms create_file_perms};
allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;
allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;
allow fuelgauged_nvram fuelgauged_file:dir rw_dir_perms;
allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms};
# Data : W16.43
# Operation : New Feature
# Purpose : Change from /data to /cache
allow fuelgauged_nvram self:capability { chown };
allow fuelgauged_nvram kmsg_device:chr_file { write open };
allow fuelgauged_nvram self:capability fsetid;
# Data : W17.34
# Operation : New Feature
# Purpose : fgauge_nvram could use IOCTL
allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: W18.03
# Operation : change fuelgagued_nvram access from cache to nvcfg
# Purpose : add fuelgauged to nvcfg read write permit
# need add label
allow fuelgauged_nvram sysfs:file { read open };
allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr};
allow fuelgauged_nvram nvcfg_file:file { read write getattr open create };
# Date: W18.17
# Operation : add label for /sys/devices/platform/battery(/.*)
# Purpose : add fuelgauged could access
r_dir_file(fuelgauged_nvram, sysfs_batteryinfo)
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow fuelgauged_nvram mnt_vendor_file:dir search;
allow fuelgauged_nvram sysfs_boot_mode:file { open read };


@ -1,254 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
#############################
# proc files
#
genfscon proc /driver/thermal u:object_r:proc_thermal:s0
genfscon proc /thermlmt u:object_r:proc_thermal:s0
genfscon proc /fps_tm u:object_r:proc_thermal:s0
genfscon proc /wmt_tm u:object_r:proc_thermal:s0
genfscon proc /mobile_tm u:object_r:proc_thermal:s0
genfscon proc /bcctlmt u:object_r:proc_thermal:s0
genfscon proc /battery_status u:object_r:proc_thermal:s0
genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
genfscon proc /mtktz u:object_r:proc_mtktz:s0
genfscon proc /lk_env u:object_r:proc_lk_env:s0
genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
genfscon proc /driver/icusb u:object_r:proc_icusb:s0
genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
genfscon proc /mtd u:object_r:proc_mtd:s0
genfscon proc /ged u:object_r:proc_ged:s0
genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0
genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0
genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
genfscon proc /gpulog u:object_r:proc_gpulog:s0
genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
genfscon proc /sched_debug u:object_r:proc_sched_debug:s0
genfscon proc /chip/hw_ver u:object_r:proc_chip:s0
genfscon proc /chip/info u:object_r:proc_chip:s0
genfscon proc /atf_log u:object_r:proc_atf_log:s0
genfscon proc /gz_log u:object_r:proc_gz_log:s0
genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
genfscon proc /bootprof u:object_r:proc_bootprof:s0
genfscon proc /pl_lk u:object_r:proc_pl_lk:s0
genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0
genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
genfscon proc /pidmap u:object_r:proc_pidmap:s0
genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
# mtk EM FreqHopping setting
genfscon proc /freqhopping/freqhopping_debug u:object_r:proc_freqhop:s0
genfscon proc /freqhopping/status u:object_r:proc_freqhop:s0
genfscon proc /freqhopping/dumpregs u:object_r:proc_freqhop:s0
# mtk EM flash reading
genfscon proc /partitions u:object_r:proc_partition:s0
# Purpose dump not exit file
genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0
genfscon proc /isp_p2/isp_p2_kedump u:object_r:proc_isp_p2_kedump:s0
genfscon proc /mali/memory_usage u:object_r:proc_memory_usage:s0
genfscon proc /mtk_es_reg_dump u:object_r:proc_mtk_es_reg_dump:s0
# Date : 2018/11/01
# Purpose : mtk EM c2k bypass read usb file
genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0
# Date : WK19.27
# Purpose: Android Migration for SVP
genfscon proc /m4u u:object_r:proc_m4u:s0
#############################
# sysfs files
#
genfscon sysfs /bus/platform/drivers/mtk-kpd u:object_r:sysfs_keypad_file:s0
genfscon sysfs /power/vcorefs/pwr_ctrl u:object_r:sysfs_vcorefs_pwrctrl:s0
genfscon sysfs /power/dcm_state u:object_r:sysfs_dcm:s0
genfscon sysfs /power/mtkdcs/mode u:object_r:sysfs_dcs:s0
genfscon sysfs /power/mtkpasr/execstate u:object_r:sysfs_execstate:s0
genfscon sysfs /mtk_ssw u:object_r:sysfs_ssw:s0
# Date : 2018/06/15
# Purpose : mtk EM Audio headset detect
genfscon sysfs /bus/platform/drivers/Accdet_Driver/state u:object_r:sysfs_headset:s0
genfscon sysfs /bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
genfscon sysfs /bus/platform/drivers/meta_com_type_info/meta_com_type_info u:object_r:sysfs_comport_type:s0
genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:object_r:sysfs_uart_info:s0
genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/charger/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/mt6333-user u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/mt6311-user u:object_r:sysfs_pmu:s0
genfscon sysfs /devices/platform/mt_usb/musb-hdrc/dual_role_usb u:object_r:sysfs_dual_role_usb20:s0
genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_cmode:s0
genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0
genfscon sysfs /devices/virtual/misc/md32 u:object_r:sysfs_md32:s0
genfscon sysfs /devices/virtual/misc/scp u:object_r:sysfs_scp:s0
genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0
genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0
genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0
# Date : 2019/09/12
genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
genfscon sysfs /kernel/ccci u:object_r:sysfs_ccci:s0
# Date : 2018/06/15
# Purpose : mtk EM touchscreen settings
genfscon sysfs /module/tpd_debug u:object_r:sysfs_tpd_debug:s0
genfscon sysfs /module/tpd_setting u:object_r:sysfs_tpd_setting:s0
genfscon sysfs /power/vcorefs/vcore_debug u:object_r:sysfs_vcore_debug:s0
genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
# Date: 2018/08/09
#Purpose : MTK Vibrator
genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
# Date : 2018/08/109
# Purpose : mtk EM Power debug_log setting
genfscon sysfs /devices/platform/spm u:object_r:sysfs_spm:s0
# Date : 2018/11/01
# Purpose : mtk EM c2k bypass read usb file
genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0
#Date : 2018/11/22
#Purpose: allow mdlogger to read mdinfo file
genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0
# Date : 2019/04/09
# Purpose: mtk EM battery temprature settings
genfscon sysfs /devices/platform/battery/Battery_Temperature u:object_r:sysfs_battery_temp:s0
genfscon sysfs /devices/platform/battery/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
genfscon sysfs /devices/platform/battery/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
genfscon sysfs /devices/platform/battery/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
genfscon sysfs /devices/platform/battery/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:s0
# Date : 2019/07/03
# Purpose: SIU update mmcblk access
genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
genfscon sysfs /devices/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
#genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_mmcblk:s0
genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_mmcblk:s0
genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_mmcblk:s0
# Date : 2019/07/12
# Purpose:dumpstate mmcblk1 access
genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
# Date : 2019/10/22
# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
#############################
# debugfs files
#
genfscon debugfs /binder u:object_r:debugfs_binder:s0
genfscon debugfs /blockio u:object_r:debugfs_blockio:s0
genfscon debugfs /cpuhvfs u:object_r:debugfs_cpuhvfs:s0
genfscon debugfs /displowpower u:object_r:debugfs_fb:s0
genfscon debugfs /disp u:object_r:debugfs_fb:s0
genfscon debugfs /dispsys u:object_r:debugfs_fb:s0
genfscon debugfs /dmlog u:object_r:debugfs_dmlog_debug:s0
genfscon debugfs /dynamic_debug u:object_r:debugfs_dynamic_debug:s0
genfscon debugfs /emi_mbw/dump_buf u:object_r:debugfs_emi_mbw_buf:s0
genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0
genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0
genfscon debugfs /fuseio u:object_r:debugfs_fuseio:s0
genfscon debugfs /ged u:object_r:debugfs_ged:s0
genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0
genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0
genfscon debugfs /ion/heaps u:object_r:debugfs_ion_mm_heap:s0
genfscon debugfs /ion/ion_mm_heap u:object_r:debugfs_ion_mm_heap:s0
genfscon debugfs /kmemleak u:object_r:debugfs_kmemleak:s0
genfscon debugfs /mali0/gpu_memory u:object_r:debugfs_gpu_mali_midgard:s0
genfscon debugfs /mali/gpu_memory u:object_r:debugfs_gpu_mali_utgard:s0
genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0
genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0
genfscon debugfs /musb-hdrc u:object_r:debugfs_usb:s0
genfscon debugfs /page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0
genfscon debugfs /pvr u:object_r:debugfs_gpu_img:s0
genfscon debugfs /rcu u:object_r:debugfs_rcu:s0
genfscon debugfs /shrinker u:object_r:debugfs_shrinker_debug:s0
genfscon debugfs /usb20_phy u:object_r:debugfs_usb20_phy:s0
genfscon debugfs /usb_c u:object_r:debugfs_usb:s0
genfscon debugfs /vpu/device_dbg u:object_r:debugfs_vpu_device_dbg:s0
# mtk VPU/MDLA power reading
genfscon debugfs /vpu/power u:object_r:debugfs_vpu_power:s0
genfscon debugfs /mdla/power u:object_r:debugfs_mdla_power:s0
genfscon debugfs /vpu/vpu_memory u:object_r:debugfs_vpu_memory:s0
# mtk eara thermal reading
genfscon debugfs /eara_thermal/enable u:object_r:debugfs_eara_thermal:s0
# mtk EM power PMU register
genfscon debugfs /rt-regmap u:object_r:debugfs_regmap:s0
# 2019/08/15
genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
genfscon iso9660 / u:object_r:iso9660:s0
genfscon rawfs / u:object_r:rawfs:s0
genfscon fuseblk / u:object_r:fuseblk:s0
# 2019/08/24
genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
# MTEE trusty
genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
# Date : 2019/08/29
# Purpose: allow rild to access /proc/aed/reboot-reason
genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
# 2019/09/05
# Purpose: Allow powerhal to control kernel resources
genfscon proc /ppm u:object_r:proc_ppm:s0
genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
genfscon proc /hps u:object_r:proc_hps:s0
genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
genfscon proc /ca_drv u:object_r:proc_ca_drv:s0
genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
# Date : WK19.38
# Purpose: Android Migration for video codec driver
genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0
# Date : 2019/12/12
# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0


@ -1,8 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK19.31
# Operation : Migration
# Purpose : [ALPS04685294] com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements-fail
allow gpuservice gpu_device:dir search;


@ -1,42 +0,0 @@
# ==============================================
# Policy File of /system/bin/gsm0710muxd Executable File
# ==============================================
# Type Declaration
# ==============================================
type gsm0710muxd, domain;
type gsm0710muxd_exec , exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(gsm0710muxd)
# Capabilities assigned for gsm0710muxd
allow gsm0710muxd self:capability { chown fowner setuid };
# Property service
# Set ctl.ril-daemon property
set_prop(gsm0710muxd, ctl_rildaemon_prop)
set_prop(gsm0710muxd, ctl_ril-daemon-mtk_prop)
set_prop(gsm0710muxd, ctl_fusion_ril_mtk_prop)
set_prop(gsm0710muxd, gsm0710muxd_prop)
set_prop(gsm0710muxd, vendor_radio_prop)
# allow set muxreport control properties
set_prop(gsm0710muxd, ril_mux_report_case_prop)
# Allow read/write to devices/files
allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
allow gsm0710muxd device:dir rw_dir_perms;
allow gsm0710muxd device:lnk_file { create unlink };
allow gsm0710muxd devpts:chr_file setattr;
allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
allow gsm0710muxd sysfs:file r_file_perms;
# Allow read to sys/kernel/ccci/* files
allow gsm0710muxd sysfs_ccci:dir search;
allow gsm0710muxd sysfs_ccci:file r_file_perms;
#Date: W1818
#Purpose: allow rild access property of vendor_radio_prop
set_prop(rild, vendor_radio_prop)


@ -1,10 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date: 2019/06/14
# Operation : Migration
# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
binder_call(hal_audio_client, hal_audio_server)
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)


@ -1,14 +0,0 @@
# Add for bootctl
#============= hal_bootctl_default ==============
allow hal_bootctl_default para_block_device:blk_file { read open write};
allow hal_bootctl_default rootfs:file { read getattr open };
allow hal_bootctl_default sysfs:dir { read open };
allow hal_bootctl_default sysfs_boot_type:file { read open };
allow hal_bootctl_default block_device:dir search;
allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;
allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl MMC_IOCTLCMD;
allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl UFS_IOCTLCMD;
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
allow hal_bootctl_default self:capability sys_rawio;


@ -1,5 +0,0 @@
# Date : 2017/08/14
# Operation : O1 Migration
# Purpose : hal_cas_default needs to use vendor binder to communicate
vndbinder_use(hal_cas_default);


@ -1,11 +0,0 @@
# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
type hal_drm_clearkey, domain;
type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_clearkey)
hal_server_domain(hal_drm_clearkey, hal_drm)
vndbinder_use(hal_drm_clearkey);
allow hal_drm_clearkey { appdomain -isolated_app }:fd use;


@ -1,6 +0,0 @@
vndbinder_use(hal_drm_default);
#============= hal_drm_default ==============
allow hal_drm_default debugfs_tracing:file write;
allow hal_drm_default debugfs_ion:dir search;


@ -1,16 +0,0 @@
# define SELinux domain
type hal_drm_widevine, domain;
hal_server_domain(hal_drm_widevine, hal_drm)
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine)
allow hal_drm_widevine mediacodec:fd use;
allow hal_drm_widevine { appdomain -isolated_app }:fd use;
vndbinder_use(hal_drm_widevine);
hal_client_domain(hal_drm_widevine, hal_graphics_composer);
allow hal_drm_widevine hal_allocator_server:fd use;
allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;


@ -1,2 +0,0 @@
#TODO:: work around solution, wait for correct solution from google
vndbinder_use(hal_gnss)


@ -1,7 +0,0 @@
# Communicate over a socket created by mnld process.
allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
allow hal_gnss_default mnld_data_file:sock_file rw_file_perms;
allow hal_gnss_default mnld_data_file:dir create_file_perms;
allow hal_gnss_default mnld_data_file:dir rw_dir_perms;
allow hal_gnss_default mnld:unix_dgram_socket sendto;


@ -1,6 +0,0 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_gpu_client, hal_gpu_server)
binder_call(hal_gpu_server, hal_gpu_client)
# give permission for hal client
allow hal_gpu_client mtk_hal_gpu_hwservice :hwservice_manager find;


@ -1,5 +0,0 @@
# Date : WK17.13
# Operation : Add sepolicy
# Purpose : Add policy for gralloc HIDL
allow hal_graphics_allocator proc_ged:file r_file_perms;


@ -1,24 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default gpu_device:dir search;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default sw_sync_device:chr_file { open read write getattr ioctl };
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_ion:dir search;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_tracing:file write;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_tracing:file open;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default proc_ged:file r_file_perms;
allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
#============= hal_graphics_allocator_default ==============


@ -1,54 +0,0 @@
vndbinder_use(hal_graphics_composer_default)
allow hal_graphics_composer_default debugfs_ged:dir search;
# Date : WK17.09
# Operation : Add sepolicy
# Purpose : Add polivy for hwc HIDL
allow hal_graphics_composer_default proc:file { read getattr open ioctl };
allow hal_graphics_composer_default proc_ged:file r_file_perms;
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
# Date : WK17.21
# Purpose: GPU driver required
allow hal_graphics_composer_default sw_sync_device:chr_file rw_file_perms;
allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
# Date : W17.24
# Purpose: GPU driver required
allow hal_graphics_composer_default gpu_device:dir search;
allow hal_graphics_composer_default debugfs_ion:dir search;
allow hal_graphics_composer_default debugfs_tracing:file write;
allow hal_graphics_composer_default debugfs_tracing:file open;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };
# Date : W17.30
# Add for control PowerHAL
allow hal_graphics_composer_default mtk_hal_power_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer_default, mtk_hal_power)
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access property
set_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
get_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop)
set_prop(hal_graphics_composer_default, graphics_hwc_hdr_prop)
# Date : WK18.03
# Purpose: Allow to access property dev/mdp_sync
allow hal_graphics_composer_default mtk_mdp_device:chr_file rw_file_perms;
allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls };
# Date: 2018/11/08
# Operation : JPEG
# Purpose : JPEG need to use PQ via MMS HIDL
allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;


@ -1,6 +0,0 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_hdmi_client, hal_hdmi_server)
binder_call(hal_hdmi_server, hal_hdmi_client)
# give permission for hal client
allow hal_hdmi_client mtk_hal_hdmi_hwservice :hwservice_manager find;


@ -1,6 +0,0 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_imsa_client, hal_imsa_server)
binder_call(hal_imsa_server, hal_imsa_client)
# give permission for hal client
allow hal_imsa_client mtk_hal_imsa_hwservice :hwservice_manager find;


@ -1,4 +0,0 @@
#============= hal_ir_default ==============
allow hal_ir_default irtx_device:chr_file rw_file_perms;
allow hal_ir_default irtx_device:chr_file { ioctl open };
allow hal_ir_default irtx_device:chr_file { read write };


@ -1,17 +0,0 @@
type hal_keymaster_attestation, domain;
hal_server_domain(hal_keymaster_attestation, mtk_hal_keyattestation)
type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymaster_attestation)
hwbinder_use(hal_keymaster_attestation);
#============= hal_keymaster_attestation ==============
allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
# Date : WK17.42 2017/10/19
# Operation: Keymaster 3.0
# Purpose: Access attestation key in persist partition
allow hal_keymaster_attestation mnt_vendor_file:dir search;
allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
allow hal_keymaster_attestation persist_data_file:file { write create open getattr };


@ -1,9 +0,0 @@
# Date : WK16.52
# Operation : HIDL Migration
# Purpose : For memtrack related service access
allow hal_memtrack debugfs_gpu_mali_midgard:file {open read getattr };
allow hal_memtrack debugfs_gpu_mali_utgard:file {open read getattr };
allow hal_memtrack debugfs_gpu_img:dir search;
allow hal_memtrack debugfs_gpu_img:file {open read getattr };
allow hal_memtrack debugfs_ion:dir rw_dir_perms;
allow hal_memtrack debugfs_ion:file {open read getattr };


@ -1,6 +0,0 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_mms_client, hal_mms_server)
binder_call(hal_mms_server, hal_mms_client)
# give permission for hal client
allow hal_mms_client mtk_hal_mms_hwservice :hwservice_manager find;


@ -1,5 +0,0 @@
# ==============================================
# ST NFC HAL rule
# ==============================================
allow hal_nfc st21nfc_device:chr_file { read write getattr open ioctl };


@ -1,6 +0,0 @@
#for nvram hidl client support
binder_call(hal_nvramagent_client, hal_nvramagent_server)
allow hal_nvramagent_client nvram_agent_binder_hwservice:hwservice_manager find;
# add/find permission rule to hwservicemanager
add_hwservice(hal_nvramagent_server, nvram_agent_binder_hwservice)


@ -1,6 +0,0 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_pq_client, hal_pq_server)
binder_call(hal_pq_server, hal_pq_client)
# give permission for hal client
allow hal_pq_client mtk_hal_pq_hwservice :hwservice_manager find;


@ -1,8 +0,0 @@
# Date : WK18.23
# Operation : P Migration
# Purpose : add grant permission for Thermal HAL mtktz and proc
allow hal_thermal_default proc_mtktz:dir search;
allow hal_thermal_default proc_mtktz:file {open read getattr};
allow hal_thermal_default proc_stat:file {open read getattr };


@ -1,11 +0,0 @@
type mtk_hal_usb, domain;
hal_server_domain(mtk_hal_usb, hal_usb)
type mtk_hal_usb_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(mtk_hal_usb)
allow hal_usb_default sysfs_dual_role_usb20:dir {search read};
allow hal_usb_default sysfs_dual_role_usb20:file {open read getattr};
allow mtk_hal_usb sysfs_dual_role_usb20:dir {search read open};
allow mtk_hal_usb sysfs_dual_role_usb20:file {open read getattr};


@ -1,6 +0,0 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
allow hal_vibrator sysfs_leds:file rw_file_perms;
allow hal_vibrator sysfs_leds:dir r_dir_perms;
allow hal_vibrator sysfs_leds:lnk_file read;
allow hal_vibrator_default sysfs:file { open write read };


@ -1,8 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Allow hal wifi service to open/read/setattr wifi device.
# wmtWifi is wifi char device file to control wifi driver.
allow hal_wifi wmtWifi_device:chr_file w_file_perms;


@ -1,63 +0,0 @@
type mtk_hal_bluetooth_hwservice, hwservice_manager_type;
# Date: 2017/05/9
type mtk_hal_rild_hwservice, hwservice_manager_type;
# Date: 2017/06/07
# power hidl
type mtk_hal_power_hwservice, hwservice_manager_type;
# Date: 2017/06/12
# LBS HIDL
type mtk_hal_lbs_hwservice, hwservice_manager_type;
# Date: 2017/06/27
# IMSA HIDL
type mtk_hal_imsa_hwservice, hwservice_manager_type;
# Date: 2017/07/12
# NVRAM HIDL
type nvram_agent_binder_hwservice, hwservice_manager_type;
# Date: 2017/07/19
# PQ HIDL
type mtk_hal_pq_hwservice, hwservice_manager_type;
# Date: 2017/07/20
# keymaster attestation hidl
type mtk_hal_keyattestation_hwservice, hwservice_manager_type;
# Date: 2018/05/25
# FM HIDL
type mtk_hal_fm_hwservice, hwservice_manager_type;
# Date: 2018/03/23
# log hidl
type mtk_hal_log_hwservice, hwservice_manager_type;
# Date: 2018/06/26
# em hidl
type mtk_hal_em_hwservice, hwservice_manager_type;
# Date: 2018/07/02
# MMS HIDL
type mtk_hal_mms_hwservice, hwservice_manager_type;
type hal_atci_hwservice, hwservice_manager_type;
type mtk_hal_keymanage_hwservice, hwservice_manager_type;
# Date: 2019/04/26
# GPU HIDL
type mtk_hal_gpu_hwservice, hwservice_manager_type;
# Date: 2019/06/12
# modem db filter hidl
type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type;
# Date: 2019/07/16
# HDMI HIDL
type mtk_hal_hdmi_hwservice, hwservice_manager_type;
# Date: 2019/09/06
# BGService HIDL
type mtk_hal_bgs_hwservice, hwservice_manager_type;


@ -1,69 +0,0 @@
vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
# Date: 2017/05/9
vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
# Date: 2017/06/07
# power hidl
vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:mtk_hal_power_hwservice:s0
vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:mtk_hal_power_hwservice:s0
vendor.mediatek.hardware.power::IPerf u:object_r:mtk_hal_power_hwservice:s0
vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0
# Date: 2017/06/12
# LBS HIDL
vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0
# Date : 2017/06/27
# IMSA HIDL
vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0
# Date : 2017/07/12
#nvram hidl
vendor.mediatek.hardware.nvram::INvram u:object_r:nvram_agent_binder_hwservice:s0
# Date : 2017/07/19
# PQ HIDL
vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0
# Date: 2017/07/20
# keymaster attestation hidl
vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0
# Date: 2018/05/25
# FM HIDL
vendor.mediatek.hardware.fm::IFmRadio u:object_r:mtk_hal_fm_hwservice:s0
# Date: 2018/03/23
# log hidl
vendor.mediatek.hardware.log::ILog u:object_r:mtk_hal_log_hwservice:s0
# Date: 2018/06/26
# em hidl
vendor.mediatek.hardware.engineermode::IEmd u:object_r:mtk_hal_em_hwservice:s0
# Date : 2018/07/02
# MMS HIDL
vendor.mediatek.hardware.mms::IMms u:object_r:mtk_hal_mms_hwservice:s0
# Date : 2019/04/19
# GPU HIDL
vendor.mediatek.hardware.gpu::IGraphicExt u:object_r:mtk_hal_gpu_hwservice:s0
# Date: 2019/06/12
# modem db filter hidl
vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfilter_hwservice:s0
# Date: 2019/07/04
vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0
# Date : 2019/07/16
# HDMI HIDL
vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0


@ -1,147 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.34
# Operation : Migration
# Purpose : for L early bring up: add for nvram command in init rc files
allow init nvram_data_file:dir create_dir_perms;
allow init nvram_data_file:lnk_file r_file_perms;
allow init nvdata_file:lnk_file r_file_perms;
allow init nvdata_file:dir create_file_perms;
#============= init ==============
# Date : W14.42
# Operation : Migration
# Purpose : for L : add for partition (chown/chmod)
allow init block_device:blk_file setattr;
allow init system_block_device:blk_file setattr;
allow init nvram_device:blk_file setattr;
allow init seccfg_block_device:blk_file setattr;
allow init secro_block_device:blk_file setattr;
allow init frp_block_device:blk_file setattr;
allow init logo_block_device:blk_file setattr;
allow init para_block_device:blk_file setattr;
allow init recovery_block_device:blk_file setattr;
# Date : WK15.30
# Operation : Migration
# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
allow init protect1_block_device:blk_file rw_file_perms;
allow init protect2_block_device:blk_file rw_file_perms;
allow init userdata_block_device:blk_file rw_file_perms;
allow init cache_block_device:blk_file rw_file_perms;
allow init nvdata_device:blk_file w_file_perms;
allow init persist_block_device:blk_file rw_file_perms;
allow init nvcfg_block_device:blk_file rw_file_perms;
allow init odm_block_device:blk_file rw_file_perms;
allow init oem_block_device:blk_file rw_file_perms;
allow init para_block_device:blk_file w_file_perms;
# Date : WK15.32
# Operation : Migration
# Purpose : disable AT_SECURE for LD_PRELOAD
#userdebug_or_eng(`
# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
#')
# Date : WK16.26
# Operation : Access dynamic_debug control file
# Purpose : For MobileLog on/off pr_debug on user/userdebug load
allow init debugfs_dynamic_debug:file write;
# Date : W16.28
# Operation : Migration
# Purpose : enable modules capability
allow init self:capability sys_module;
allow init kernel:system module_request;
# Date : WK16.35
# Operation : Migration
# Purpose : create symbolic link from /mnt/sdcard to /sdcard
allow init tmpfs:lnk_file create;
# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
allow init mtk_hal_bluetooth_exec:file getattr;
# Date : WK17.12
# Purpose: Fix bootup fail
allow init debugfs:file w_file_perms;
# Date : WK17.02
# Purpose: Fix audio hal service fail
allow init mtk_hal_audio_exec:file getattr;
# Date : W17.20
# Purpose: Enable PRODUCT_FULL_TREBLE
allow init vendor_block_device:lnk_file relabelto;
# Date : WK17.21
# Purpose: Fix gnss hal service fail
allow init mtk_hal_gnss_exec:file getattr;
# Fix boot up violation
allow init debugfs_tracing_instances:file relabelfrom;
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
allow init debugfs:file write;
allow init kernel:system module_request;
allow init nvdata_file:dir mounton;
allow init oemfs:dir mounton;
allow init protect_f_data_file:dir mounton;
allow init protect_s_data_file:dir mounton;
allow init nvcfg_file:dir mounton;
allow init persist_data_file:dir mounton;
allow init tmpfs:lnk_file create;
# boot process denial clean up
allow init debugfs_ged:file w_file_perms;
# Date : WK17.39
# Operation : able to relabel mntl block device link
# Purpose : Correct permission for mntl
allow init block_device:lnk_file relabelfrom;
allow init expdb_block_device:lnk_file relabelto;
allow init mcupmfw_block_device:lnk_file relabelto;
allow init tee_block_device:lnk_file relabelto;
# Date : WK17.43
# Operation : able to insert fpsgo kernel module
# Purpose : Correct permission for fpsgo
allow init rootfs:system module_load;
# Date: W17.43
# Operation : module load
# Purpose : insmod LKM under /vendor (connsys module KO)
allow init vendor_file:system module_load;
# Date : WK17.46
# Operation : feature porting
# Purpose : kernel module verification
allow init kernel:key search;
# Date : WK17.50
# Operation : boost cpu while booting
# Purpose : enhance boottime
allow init proc_perfmgr:file write;
allow init proc_wmtdbg:file w_file_perms;
# Date : W18.20
# Operation : mount soc vendor's partition when booting
allow init mnt_vendor_file:dir mounton;
# Date : W19.28
# Purpose: Allow to setattr /proc/last_kmsg
allow init proc_last_kmsg:file setattr;
# Purpose: Allow to write /proc/cpu/alignment
allow init proc_cpu_alignment:file w_file_perms;
# Purpose: Allow to relabelto for selinux_android_restorecon
allow init boot_block_device:lnk_file relabelto;
allow init vbmeta_block_device:lnk_file relabelto;


@ -1,7 +0,0 @@
# ==================================
# MTK Policy Rule
# ==================================
# Kernel-4.14 migration, fix boot fail.
allow installd vendor_configs_file:file map;


@ -1,64 +0,0 @@
#####################################
# ged_bridge_id.h
#
define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700')
define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701')
define(`GED_BRIDGE_IO_LOG_BUF_RESET', `0x6702')
define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703')
define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704')
define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705')
define(`GED_BRIDGE_IO_NOTIFY_VSYNC', `0x6706')
define(`GED_BRIDGE_IO_DVFS_PROBE', `0x6707')
define(`GED_BRIDGE_IO_DVFS_UM_RETURN', `0x6708')
define(`GED_BRIDGE_IO_EVENT_NOTIFY', `0x6709')
define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
define(`GED_BRIDGE_IO_GE_GET', `0x6765')
define(`GED_BRIDGE_IO_GE_SET', `0x6766')
define(`GED_BRIDGE_IO_GPU_TIMESTAMP', `0x6767')
define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768')
define(`GED_BRIDGE_IO_GE_INFO', `0x6769')
define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a')
#####################################
# perf_ioctl.h : FPSGO
#
define(`PERFMGR_FPSGO_QUEUE', `0x6701')
define(`PERFMGR_FPSGO_DEQUEUE', `0x6703')
define(`PERFMGR_FPSGO_VSYNC', `0x6705')
define(`PERFMGR_FPSGO_TOUCH', `0x670a')
define(`PERFMGR_FPSGO_QUEUE_CONNECT', `0x670f')
define(`PERFMGR_FPSGO_BQID', `0x6710')
# perf_ioctl.h : EARA
define(`PERFMGR_EARA_NN_BEGIN', `0x6701')
define(`PERFMGR_EARA_NN_END', `0x6702')
define(`PERFMGR_EARA_GETUSAGE', `0x6703')
# perf_ioctl.h : others
define(`PERFMGR_CPU_PREFER', `0x6701')
#####################################
#
#
define(`MMC_IOCTLCMD', `0xb300')
define(`MMC_IOC_MULTI_CMD', `0xb301')
define(`UFS_IOCTLCMD', `0x5388')
define(`UFS_IOCTL_RPMB', `0x5391')
#####################################
#
#
define(`JPG_BRIDGE_ENC_IO_INIT', `0x780b')
define(`JPG_BRIDGE_ENC_IO_CONFIG', `0x780c')
define(`JPG_BRIDGE_ENC_IO_WAIT', `0x780d')
define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e')
define(`JPG_BRIDGE_ENC_IO_START', `0x780f')
#####################################
# m4u_priv.h
define(`MTK_M4U_T_SEC_INIT', `0x6732')


@ -1,25 +0,0 @@
# proc_ged ioctls
define(`proc_ged_ioctls', `{
GED_BRIDGE_IO_LOG_BUF_GET
GED_BRIDGE_IO_LOG_BUF_WRITE
GED_BRIDGE_IO_LOG_BUF_RESET
GED_BRIDGE_IO_BOOST_GPU_FREQ
GED_BRIDGE_IO_MONITOR_3D_FENCE
GED_BRIDGE_IO_QUERY_INFO
GED_BRIDGE_IO_NOTIFY_VSYNC
GED_BRIDGE_IO_DVFS_PROBE
GED_BRIDGE_IO_DVFS_UM_RETURN
GED_BRIDGE_IO_EVENT_NOTIFY
GED_BRIDGE_IO_WAIT_HW_VSYNC
GED_BRIDGE_IO_QUERY_TARGET_FPS
GED_BRIDGE_IO_VSYNC_WAIT
GED_BRIDGE_IO_GPU_HINT_TO_CPU
GED_BRIDGE_IO_HINT_FORCE_MDP
GED_BRIDGE_IO_GE_ALLOC
GED_BRIDGE_IO_GE_GET
GED_BRIDGE_IO_GE_SET
GED_BRIDGE_IO_GPU_TIMESTAMP
GED_BRIDGE_IO_TARGET_FPS
GED_BRIDGE_IO_GE_INFO
GED_BRIDGE_IO_GPU_TUNER_STATUS
}')


@ -1,89 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.38
# Operation : Migration
# Purpose : run guitar_update for touch F/W upgrade.
allow kernel sdcard_type:dir search;
# Date : WK14.39
# Operation : Migration
# Purpose : ums driver can access blk_file
allow kernel block_device:blk_file rw_file_perms;
allow kernel loop_device:blk_file r_file_perms;
allow kernel vold_device:blk_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
allow kernel system_data_file:lnk_file r_file_perms;
# Date : WK15.35
# Operation : Migration
# Purpose : grant fon_image_data_file read permission for loop device
allow kernel fon_image_data_file:file read;
# Date : WK15.38
# Operation : Migration
# Purpose : grant proc_thermal for dir search
allow kernel proc_thermal:dir search;
# Date : WK16.11
# Operation : Migration
# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there.
allow kernel mnt_user_file:dir search;
allow kernel mnt_user_file:lnk_file read;
allow kernel wifi_data_file:file r_file_perms;
allow kernel wifi_data_file:dir search;
allow kernel storage_file:lnk_file read;
allow kernel sdcard_type:file open;
# Data : WK16.16
# Operation : Migration
# Purpose : Access to TC1 partition for reading MEID
allow kernel block_device:dir search;
# Data : WK16.16
# Operation : Migration
# Purpose : Access to TC1 partition for reading MEID
allow kernel misc2_block_device:blk_file rw_file_perms;
# Date : WK16.30
# Operation: SQC
# Purpose: Allow sdcardfs workqueue to access lower file systems
allow kernel { fuseblk }:dir create_dir_perms;
allow kernel { fuseblk }:file create_file_perms;
# Date : WK16.30
# Operation: SQC
# Purpose: Allow sdcardfs workqueue to access lower file systems
allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
allow kernel kernel:key { write search setattr };
# Date : WK16.42
# Operation: SQC
# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
allow kernel platform_app:process setsched;
# Date : WK17.01
# Operation: SQC
# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
allow kernel audioserver:fd use;
# Date : WK18.02
# Operation: SQC
# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
allow kernel mtk_hal_audio:fd use;
allow kernel factory:fd use;
# Date : WK18.29
# Operation: SQC
# Purpose: Allow kernel read firmware binary on vendor partition
allow kernel vendor_file:file r_file_perms;
# Date : WK18.35
# Operation: SQC
# Purpose: Allow VOW kthread to write debug PCM dump
allow kernel mtk_audiohal_data_file:file write;


@ -1,13 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.40 2014/12/26
# Operation : CTS 5.0_r1
# Purpose : allow access to /data/data for full CTS
allow keystore app_data_file:file write;
# Date : WK17.30 2017/07/25
# Operation : keystore
# Purpose : Fix keystore boot selinux violation
allow hal_keymaster_default debugfs_tracing:file write;


@ -1,32 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/kisd Executable File
# ==============================================
# Type Declaration
# ==============================================
type kisd ,domain;
type kisd_exec, exec_type, file_type, vendor_file_type;
typeattribute kisd mlstrustedsubject;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(kisd)
allow kisd tee_device:chr_file {read write open ioctl};
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
allow kisd provision_file:file {create read write open getattr unlink};
allow kisd block_device:dir {read write open ioctl search};
allow kisd kb_block_device:blk_file {read write open ioctl getattr};
allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
allow kisd key_install_data_file:dir {write remove_name add_name};
allow kisd key_install_data_file:file {write getattr read create unlink open};
allow kisd key_install_data_file:dir search;
allow kisd mtd_device:chr_file { open read write };
allow kisd mtd_device:blk_file { open read write ioctl getattr};
allow kisd mtd_device:dir { search };
allow kisd kb_block_device:chr_file {read write open ioctl getattr};
allow kisd dkb_block_device:chr_file {read write open ioctl getattr};


@ -1,11 +0,0 @@
type lbs_hidl_service, domain;
hal_server_domain(lbs_hidl_service, mtk_hal_lbs)
type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(lbs_hidl_service)
vndbinder_use(lbs_hidl_service)
#r_dir_file(lbs_hidl_service, system_file)
unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd);
allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
allow lbs_hidl_service mnld:unix_dgram_socket sendto;


@ -1,23 +0,0 @@
# ==============================================
# MTK Policy Rule
# ============
# Data : 2015/01/14
# Operation : MT6735 SQC bug fix
# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
# for pid=194 comm="lmkd" name="23573" dev="proc"
# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
dontaudit lmkd zygote:dir rw_dir_perms;
# Data : 2015/04/17
# Operation : tb8163p1 low memory selinux warning
# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
# for pid=170 comm="lmkd"
# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
dontaudit lmkd platform_app:fd use;
# Data : 2018/05/25
# Operation : Add for duraSpeed socket
allow lmkd system_server:unix_stream_socket connectto;


@ -1,6 +0,0 @@
# ==============================================
# Policy File of /system/bin/loghidlsysservice Executable File
# Purpose : for create hidl server
hal_client_domain(loghidlsysservice, mtk_hal_log)
allow loghidlsysservice connsyslogger:unix_stream_socket connectto;


@ -1,14 +0,0 @@
# ==============================================
# Policy File of /system/bin/loghidlvendorservice Executable File
# ==============================================
# Type Declaration
# ==============================================
type loghidlvendorservice ,domain;
type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
typeattribute loghidlvendorservice mlstrustedsubject;
hal_server_domain(loghidlvendorservice, mtk_hal_log)
init_daemon_domain(loghidlvendorservice)
# allow loghidlvendorservice self:capability dac_override;


@ -1,63 +0,0 @@
#allow mdlogger to set property
allow mdlogger debug_mdlogger_prop:property_service set;
allow mdlogger debug_prop:property_service set;
# ccci device for internal modem
allow mdlogger ccci_device:chr_file { rw_file_perms };
# usb device ttyGSx for modem logger usb logging
allow mdlogger ttyGS_device:chr_file { rw_file_perms};
# modem logger access on /data/mdlog
allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
allow mdlogger mdlog_data_file:file { create_file_perms };
allow mdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow mdlogger mdlog_device:chr_file { rw_file_perms};
#modem logger SD logging in factory mode
allow mdlogger vfat:dir create_dir_perms;
allow mdlogger vfat:file create_file_perms;
#mdlogger for read /sdcard
allow mdlogger tmpfs:lnk_file read;
allow mdlogger storage_file:lnk_file rw_file_perms;
allow mdlogger mnt_user_file:dir search;
allow mdlogger mnt_user_file:lnk_file rw_file_perms;
allow mdlogger sdcard_type:file create_file_perms;
allow mdlogger sdcard_type:dir { create_dir_perms };
allow mdlogger storage_file:dir { create_dir_perms };
allow mdlogger storage_file:file { create_file_perms };
# Allow read to sys/kernel/ccci/* files
allow mdlogger sysfs_ccci:dir search;
allow mdlogger sysfs_ccci:file r_file_perms;
# purpose: allow mdlogger to access storage in new version
allow mdlogger media_rw_data_file:file { create_file_perms };
allow mdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
allow mdlogger aee_aed:unix_stream_socket connectto;
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open};
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow mdlogger sysfs_boot_mode:file { read open };
# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow mdlogger system_file:dir { read open };
# Android P migration
set_prop(mdlogger, vendor_mdl_prop)
set_prop(mdlogger, debug_mdlogger_prop)
set_prop(mdlogger, persist_mdlog_prop)
set_prop(mdlogger, persist_mtklog_prop)


@ -1,155 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
allow mediacodec devmap_device:chr_file { ioctl };
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
allow mediacodec Vcodec_device:chr_file rw_file_perms;
# Date : WK16.21
# Operation : Migration
# Purpose : VP & VR dump and debug
allow mediacodec M4U_device_device:chr_file rw_file_perms;
allow mediacodec proc:file r_file_perms;
allow mediacodec sysfs:file {read write open};
allow mediacodec debugfs_binder:dir search;
allow mediacodec MTK_SMI_device:chr_file { ioctl read open };
allow mediacodec storage_file:lnk_file {read write open};
allow mediacodec tmpfs:dir search;
allow mediacodec mnt_user_file:dir {write read search};
allow mediacodec mnt_user_file:lnk_file {read write};
allow mediacodec sdcard_type:dir {write read search add_name remove_name};
allow mediacodec sdcard_type:file {getattr write read create open append unlink};
allow mediacodec nvram_data_file:dir w_dir_perms;
allow mediacodec nvram_data_file:file create_file_perms;
allow mediacodec nvram_data_file:lnk_file read;
allow mediacodec nvdata_file:lnk_file read;
allow mediacodec nvdata_file:dir w_dir_perms;
allow mediacodec nvdata_file:file create_file_perms;
allow mediacodec devmap_device:chr_file r_file_perms;
allow mediacodec proc_meminfo:file {read getattr open};
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
allow mediacodec mtk_sched_device:chr_file { read write ioctl open };
# Data : WK14.39
# Operation : Migration
# Purpose : HW encrypt SW codec
allow mediacodec mediacodec_data_file:file create_file_perms;
allow mediacodec mediacodec_data_file:dir create_dir_perms;
allow mediacodec sec_device:chr_file r_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
allow mediacodec surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mediacodec sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mediacodec proc_mtkcooler:dir search;
allow mediacodec proc_mtktz:dir search;
allow mediacodec proc_thermal:dir search;
allow mediacodec proc_mtkcooler:file { read write open };
allow mediacodec proc_mtktz:file { read write open getattr };
allow mediacodec proc_thermal:file { read write open getattr};
allow mediacodec thermal_manager_data_file:file create_file_perms;
allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
allow mediacodec thermal_manager_data_file:dir search;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mediacodec untrusted_app:dir search;
# Date : WK14.39
# Operation : Migration
# Purpose : MJC Driver
allow mediacodec MJC_device:chr_file { read write ioctl open };
# Date : WK16.27
# Operation : APE SQC
# Purpose : for APE file playback
allow mediacodec MtkCodecService:binder call;
allow mediacodec MtkCodecService:binder transfer;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediacodec proc_ged:file rw_file_perms;
allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls };
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow mediacodec surfaceflinger:fifo_file rw_file_perms;
# Date: WK16.43
# Operator: Whitney SQC
# Purpose: mediacodec use gpu
allow mediacodec gpu_device:dir search;
# Date : W18.01
# Add for turn on SElinux in enforcing mode
allow mediacodec vndbinder_device:chr_file rw_file_perms;
vndbinder_use(mediacodec)
# Date : WK1721
# Purpose: For FULL TREBLE
allow mediacodec system_file:dir r_dir_perms;
allow mediacodec debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow mediacodec to access cmdq driver
allow mediacodec mtk_cmdq_device:chr_file { read ioctl open };
allow mediacodec mtk_mdp_device:chr_file rw_file_perms;
allow mediacodec sw_sync_device:chr_file rw_file_perms;
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
# Date : WK17.30
# Purpose : For Power Hal
allow mediacodec mtk_hal_power_hwservice:hwservice_manager find;
allow mediacodec mtk_hal_power:binder call;
allow mediacodec mtk_hal_power:unix_stream_socket connectto;
# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
set_prop(mediacodec, mtk_thermal_config_prop)
# Date : WK17.43
# Operation : Migration
# Purpose : DISP access
allow mediacodec graphics_device:chr_file { ioctl open read };
allow mediacodec graphics_device:dir search;
# Date : WK19.27
# Purpose: Android Migration for SVP
allow mediacodec proc_m4u:file r_file_perms;
allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
# Date : 2019/12/12
# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
allow mediacodec sysfs_concurrency_scenario:dir search;


@ -1,9 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediadrmserver proc_ged:file rw_file_perms;


@ -1,15 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediaextractor proc_ged:file rw_file_perms;
#============= mediaextractor ==============
allow mediaextractor vfat:file r_file_perms;
allow mediaextractor mediaserver_service:service_manager find;
allow mediaextractor platform_app:dir search;
allow mediaextractor platform_app:file r_file_perms;


@ -1,335 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
allow mediaserver camera_isp_device:chr_file rw_file_perms;
allow mediaserver ccu_device:chr_file rw_file_perms;
allow mediaserver vpu_device:chr_file rw_file_perms;
allow mediaserver kd_camera_hw_device:chr_file rw_file_perms;
allow mediaserver seninf_device:chr_file rw_file_perms;
allow mediaserver self:capability { setuid ipc_lock sys_nice };
allow mediaserver sysfs_wake_lock:file rw_file_perms;
allow mediaserver MTK_SMI_device:chr_file r_file_perms;
allow mediaserver camera_pipemgr_device:chr_file r_file_perms;
allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms;
allow mediaserver lens_device:chr_file rw_file_perms;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mediaserver sdcard_type:dir { w_dir_perms create };
allow mediaserver sdcard_type:file create;
allow mediaserver nvram_data_file:lnk_file read;
allow mediaserver nvdata_file:lnk_file read;
allow mediaserver sdcard_type:dir remove_name;
allow mediaserver sdcard_type:file unlink;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow mediaserver nvram_device:chr_file rw_file_perms;
allow mediaserver self:capability { net_admin };
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
allow mediaserver devmap_device:chr_file { ioctl };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
allow mediaserver system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow mediaserver bluetooth:unix_dgram_socket sendto;
allow mediaserver bt_a2dp_stream_socket:sock_file write;
allow mediaserver bt_int_adp_socket:sock_file write;
# Date : WK14.37
# Operation : Migration
# Purpose : camera ioctl
allow mediaserver camera_sysram_device:chr_file r_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
allow mediaserver Vcodec_device:chr_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow mediaserver MtkCodecService:binder call;
allow mediaserver ccci_device:chr_file rw_file_perms;
allow mediaserver eemcs_device:chr_file rw_file_perms;
allow mediaserver devmap_device:chr_file r_file_perms;
allow mediaserver ebc_device:chr_file rw_file_perms;
allow mediaserver nvram_device:blk_file rw_file_perms;
allow mediaserver bootdevice_block_device:blk_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
allow mediaserver mtk_sched_device:chr_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
allow mediaserver block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow mediaserver fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for VP/VR
allow mediaserver block_device:dir search;
allow mediaserver FM50AF_device:chr_file rw_file_perms;
allow mediaserver AD5820AF_device:chr_file rw_file_perms;
allow mediaserver DW9714AF_device:chr_file rw_file_perms;
allow mediaserver DW9814AF_device:chr_file rw_file_perms;
allow mediaserver AK7345AF_device:chr_file rw_file_perms;
allow mediaserver DW9714A_device:chr_file rw_file_perms;
allow mediaserver LC898122AF_device:chr_file rw_file_perms;
allow mediaserver LC898212AF_device:chr_file rw_file_perms;
allow mediaserver BU6429AF_device:chr_file rw_file_perms;
allow mediaserver DW9718AF_device:chr_file rw_file_perms;
allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms;
allow mediaserver MAINAF_device:chr_file rw_file_perms;
allow mediaserver MAIN2AF_device:chr_file rw_file_perms;
allow mediaserver SUBAF_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
allow mediaserver bootanim:binder { transfer call };
allow mediaserver mtkbootanimation:binder { transfer call };
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
allow mediaserver sdcard_type:file append;
# Date : WK14.39
# Operation : Migration
# Purpose : FDVT Driver
allow mediaserver camera_fdvt_device:chr_file rw_file_perms;
# Date : WK14.39
# Operation : Migration
# Purpose : APE PLAYBACK
binder_call(mediaserver,MtkCodecService)
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow mediaserver graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow mediaserver smartpa_device:chr_file rw_file_perms;
# Data : WK14.40
# Operation : Migration
# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci
allow mediaserver audiocmdservice_atci:binder call;
binder_call(mediaserver,audiocmdservice_atci)
# Date : WK14.40
# Operation : Migration
# Purpose : mtk_jpeg
allow mediaserver mtk_jpeg_device:chr_file r_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow mediaserver uhid_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Camera EEPROM Calibration
allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow mediaserver vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow mediaserver rpc_socket:sock_file write;
allow mediaserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
allow mediaserver surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mediaserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mediaserver proc_mtkcooler:dir search;
allow mediaserver proc_mtktz:dir search;
allow mediaserver proc_thermal:dir search;
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow mediaserver qemu_pipe_device:chr_file rw_file_perms;
# Date : WK14.46
# Operation : Migration
# Purpose : for camera init
allow mediaserver system_server:unix_stream_socket { read write };
# Data : WK14.46
# Operation : Migration
# Purpose : for SMS app
allow mediaserver radio_data_file:dir search;
allow mediaserver radio_data_file:file open;
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow mediaserver radio:dir { search read };
allow mediaserver radio:file r_file_perms;
# Data : WK14.47
# Operation : Launch camcorder from MMS
# Purpose : Camcorder
allow mediaserver radio_data_file:file open;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mediaserver untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mediaserver offloadservice_device:chr_file rw_file_perms;
# Date : WK15.32
# Operation : Pre-sanity
# Purpose : 3A algorithm need to access sensor service
allow mediaserver sensorservice_service:service_manager find;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mediaserver system_data_file:dir write;
allow mediaserver storage_file:lnk_file {read write};
allow mediaserver mnt_user_file:dir {write read search};
allow mediaserver mnt_user_file:lnk_file {read write};
# Date : WK15.35
# Operation : Migration
# Purpose: Allow mediaserver to read binder from surfaceflinger
allow mediaserver surfaceflinger:fifo_file {read write};
# Date : WK15.46
# Operation : Migration
# Purpose : DPE Driver
allow mediaserver camera_dpe_device:chr_file rw_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : TSF Driver
allow mediaserver camera_tsf_device:chr_file rw_file_perms;
# Date : WK16.32
# Operation : N Migration
# Purpose : RSC Driver
allow mediaserver camera_rsc_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediaserver proc_ged:file rw_file_perms;
allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls };
# Date : WK16.33
# Operation : N Migration
# Purpose : GEPF Driver
allow mediaserver camera_gepf_device:chr_file rw_file_perms;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow mediaserver flashlight_device:chr_file rw_file_perms;
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow dumpstate surfaceflinger:fifo_file rw_file_perms;
# Date : WK16.43
# Operation : N Migration
# Purpose : WPE Driver
allow mediaserver camera_wpe_device:chr_file rw_file_perms;
allow mediaserver gpu_device:dir search;
allow mediaserver sw_sync_device:chr_file rw_file_perms;
# Date : WK17.19
# Operation : N Migration
# Purpose : OWE Driver
allow mediaserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow mediaserver mtk_cmdq_device:chr_file { read ioctl open };
allow mediaserver mtk_mdp_device:chr_file rw_file_perms;
# Date : WK17.43
# Operation : Migration
# Purpose : DISP access
allow mediaserver graphics_device:chr_file { ioctl open read };
allow mediaserver graphics_device:dir search;
# Date : WK17.44
# Operation : Migration
# Purpose : DIP Driver
allow mediaserver camera_dip_device:chr_file rw_file_perms;
# Date : WK17.44
# Operation : Migration
# Purpose : MFB Driver
allow mediaserver camera_mfb_device:chr_file rw_file_perms;
# Date : WK17.49
# Operation : MT6771 SQC
# Purpose : Allow permgr access
allow mediaserver proc_perfmgr:dir {read search};
allow mediaserver proc_perfmgr:file r_file_perms;
allowxperm mediaserver proc_perfmgr:file ioctl {
PERFMGR_FPSGO_DEQUEUE
PERFMGR_FPSGO_QUEUE_CONNECT
PERFMGR_FPSGO_QUEUE
PERFMGR_FPSGO_BQID
};
# Date : WK18.18
# Operation : Migration
# Purpose : wifidisplay hdcp
# DRM Key Manage HIDL
allow mediaserver mtk_hal_keymanage:binder call;
# Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service.
hal_client_domain(mediaserver , hal_keymaster)
allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;


@ -1,11 +0,0 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK19.25
# Operation : Migration
# Purpose : [ALPS04669482] DRTS failed due to avc denied
allow mediaswcodec debugfs_ion:dir rw_dir_perms;
allow mediaswcodec gpu_device:dir rw_dir_perms;
allow mediaswcodec dri_device:chr_file rw_file_perms;
allow mediaswcodec gpu_device:chr_file rw_file_perms;


@ -1,95 +0,0 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type merged_hal_service, domain;
#type merged_hal_service, domain;
type merged_hal_service_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(merged_hal_service)
hwbinder_use(merged_hal_service)
hal_server_domain(merged_hal_service, hal_vibrator)
hal_server_domain(merged_hal_service, hal_light)
hal_server_domain(merged_hal_service, hal_power)
hal_server_domain(merged_hal_service, hal_thermal)
hal_server_domain(merged_hal_service, hal_memtrack)
#adjust light brightness
allow merged_hal_service sysfs:file write;
#mtk libs_hidl_service permissions
hal_server_domain(merged_hal_service, mtk_hal_lbs)
vndbinder_use(merged_hal_service)
#r_dir_file(merged_hal_service, system_file)
unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd);
allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
#mtk_gnss permissions
hal_server_domain(merged_hal_service, hal_gnss);
allow merged_hal_service mnld_data_file:sock_file create_file_perms;
allow merged_hal_service mnld_data_file:sock_file rw_file_perms;
allow merged_hal_service mnld_data_file:dir create_file_perms;
allow merged_hal_service mnld_data_file:dir rw_dir_perms;
allow merged_hal_service mnld:unix_dgram_socket sendto;
#graphics allocator permissions
hal_server_domain(merged_hal_service, hal_graphics_allocator)
allow merged_hal_service gpu_device:dir search;
allow merged_hal_service sw_sync_device:chr_file rw_file_perms;
allow merged_hal_service debugfs_ion:dir search;
allow merged_hal_service debugfs_tracing:file write;
allow merged_hal_service debugfs_tracing:file open;
#for ape hidl permissions
hal_server_domain(merged_hal_service,hal_mtkcodecservice)
allow merged_hal_service hidl_allocator_hwservice:hwservice_manager find;
allow merged_hal_service hidl_memory_hwservice:hwservice_manager find;
hal_client_domain(merged_hal_service, hal_allocator)
#for default drm permissions
hal_server_domain(merged_hal_service, hal_drm)
allow merged_hal_service mediacodec:fd use;
allow merged_hal_service { appdomain -isolated_app }:fd use;
allow merged_hal_service debugfs_tracing:file write;
#power permissions
allow merged_hal_service proc:dir {search getattr};
allow merged_hal_service proc:file rw_file_perms;
allow merged_hal_service debugfs_ged:dir search;
allow merged_hal_service debugfs_ged:file { getattr open read write };
allow merged_hal_service proc_thermal:file { write open };
allow merged_hal_service proc_thermal:dir search;
allow merged_hal_service sysfs:file {open write read};
allow merged_hal_service proc_perfmgr:dir search;
allow merged_hal_service proc_perfmgr:file rw_file_perms;
allow merged_hal_service sdcard_type:dir create_dir_perms;
allow merged_hal_service sdcard_type:file create_file_perms;
allow merged_hal_service eemcs_device:chr_file rw_file_perms;
allow merged_hal_service mnt_user_file:dir create_dir_perms;
allow merged_hal_service debugfs_fb:dir search;
allow merged_hal_service debugfs_fb:file { getattr open read write };
allow merged_hal_service debugfs_fpsgo:dir search;
allow merged_hal_service debugfs_fpsgo:file { getattr open read write };
allow merged_hal_service mtk_hal_camera:dir search;
allow merged_hal_service mtk_hal_camera:file { open read };
allow merged_hal_service sysfs_devices_system_cpu:file write;
allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
# Date : WK18.23
# Operation : P Migration
# Purpose : add grant permission for Thermal HAL mtktz and proc
allow merged_hal_service proc_mtktz:dir search;
allow merged_hal_service proc_mtktz:file {open read getattr};
allow merged_hal_service proc_stat:file {open read getattr };
# Date : WK19.11
# Operation : Q Migration
allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls };
# Date: 2019/06/14
# Operation : Migration
allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find;


@ -1,421 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/meta_tst Executable File
# ==============================================
# Type Declaration
# ==============================================
type meta_tst, domain;
type meta_tst_exec , exec_type, file_type, vendor_file_type;
init_daemon_domain(meta_tst)
# ==============================================
# MTK Policy Rule
# ==============================================
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node USB
allow meta_tst ttyGS_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node UART
allow meta_tst ttyMT_device:chr_file rw_file_perms;
# Date: WK17.12
# Operation : Migration
# Purpose : for meta mode device node UART
allow meta_tst ttyS_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node CCCI
allow meta_tst ccci_device:chr_file rw_file_perms;
allow meta_tst eemcs_device:chr_file rw_file_perms;
allow meta_tst emd_device:chr_file rw_file_perms;
allow meta_tst ttyACM_device:chr_file rw_file_perms;
allow meta_tst mdlog_device:chr_file rw_file_perms;
# Data: WK15.07
# Purpose : SDIO
allow meta_tst ttySDIO_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode file system
allow meta_tst bootdevice_block_device:blk_file rw_file_perms;
allow meta_tst mmcblk1_block_device:blk_file rw_file_perms;
allow meta_tst userdata_block_device:blk_file rw_file_perms;
allow meta_tst cache_block_device:blk_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode nvram
allow meta_tst nvram_data_file:dir create_dir_perms;
allow meta_tst nvram_data_file:file create_file_perms;
allow meta_tst nvram_data_file:lnk_file r_file_perms;
allow meta_tst nvdata_file:lnk_file r_file_perms;
allow meta_tst nvdata_file:dir create_dir_perms;
allow meta_tst nvdata_file:file create_file_perms;
allow meta_tst nvram_device:chr_file rw_file_perms;
allow meta_tst nvram_device:blk_file rw_file_perms;
allow meta_tst nvdata_device:blk_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : for meta mode audio
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir r_dir_perms;
allow meta_tst audio_ipi_device:chr_file rw_file_perms;
set_prop(meta_tst, audiohal_prop);
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode RTC and PMIC
allow meta_tst rtc_device:chr_file r_file_perms;
allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: WK14.45
# Operation : Migration
# Purpose : HDCP
allow meta_tst persist_data_file:dir create_dir_perms;
allow meta_tst persist_data_file:file create_file_perms;
# Date: WK14.46
# Operation : Migration
# Purpose : Camera
allow meta_tst devmap_device:chr_file rw_file_perms;
allow meta_tst camera_pipemgr_device:chr_file rw_file_perms;
allow meta_tst MTK_SMI_device:chr_file rw_file_perms;
allow meta_tst camera_isp_device:chr_file rw_file_perms;
allow meta_tst camera_sysram_device:chr_file r_file_perms;
allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms;
allow meta_tst kd_camera_hw_device:chr_file rw_file_perms;
allow meta_tst AD5820AF_device:chr_file rw_file_perms;
allow meta_tst DW9714AF_device:chr_file rw_file_perms;
allow meta_tst DW9714A_device:chr_file rw_file_perms;
allow meta_tst LC898122AF_device:chr_file rw_file_perms;
allow meta_tst LC898212AF_device:chr_file rw_file_perms;
allow meta_tst BU6429AF_device:chr_file rw_file_perms;
allow meta_tst DW9718AF_device:chr_file rw_file_perms;
allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms;
allow meta_tst MAINAF_device:chr_file rw_file_perms;
allow meta_tst MAIN2AF_device:chr_file rw_file_perms;
allow meta_tst SUBAF_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode LCM
allow meta_tst graphics_device:chr_file rw_file_perms;
allow meta_tst graphics_device:dir search;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode sensor
allow meta_tst als_ps_device:chr_file r_file_perms;
allow meta_tst gsensor_device:chr_file r_file_perms;
allow meta_tst msensor_device:chr_file r_file_perms;
allow meta_tst gyroscope_device:chr_file r_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode FM
allow meta_tst fm_device:chr_file rw_file_perms;
allow meta_tst FM50AF_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode wifi
allow meta_tst wmtWifi_device:chr_file w_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode BT
allow meta_tst stpbt_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode GPS
allow meta_tst gps_data_file:dir { write add_name search remove_name unlink};
allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock};
allow meta_tst gps_data_file:lnk_file read;
allow meta_tst tmpfs:lnk_file read;
allow meta_tst agpsd_data_file:dir search;
allow meta_tst agpsd_data_file:sock_file write;
allow meta_tst mnld_device:chr_file rw_file_perms;
allow meta_tst mnld_exec:file rx_file_perms;
set_prop(meta_tst, mnld_prop);
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode NFC
allow meta_tst mt6605_device:chr_file rw_file_perms;
#Date WK14.49
#Operation : Migration
#Purpose : DRM key installation
allow meta_tst key_install_data_file:dir w_dir_perms;
allow meta_tst key_install_data_file:file create_file_perms;
# Date: WK14.51
# Purpose : set/get cryptfs cfg in sys env
allow meta_tst misc_device:chr_file rw_file_perms;
allow meta_tst proc_lk_env:file rw_file_perms;
# Purpose : FT_EMMC_OP_FORMAT_TCARD
allow meta_tst block_device:blk_file getattr;
allow meta_tst system_block_device:blk_file getattr;
# Date: WK15.52
# Purpose : NVRAM related LID
allow meta_tst pro_info_device:chr_file rw_file_perms;
# Date: WK15.13
# Purpose: for nand project
allow meta_tst mtd_device:dir search;
allow meta_tst mtd_device:chr_file rw_file_perms;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
allow meta_tst sysfs_ccci:dir search;
allow meta_tst sysfs_ccci:file r_file_perms;
#Date: W18.22
# Purpose: P Migration meta_tst get com port type/uart port info/boot mode/usb state/usb close
allow meta_tst sysfs_comport_type:file rw_file_perms;
allow meta_tst sysfs_uart_info:file rw_file_perms;
allow meta_tst sysfs_boot_mode:file rw_file_perms;
allow meta_tst sysfs_boot_type:file r_file_perms;
allow meta_tst sysfs_android_usb:file rw_file_perms;
allow meta_tst sysfs_android_usb:dir search;
allow meta_tst sysfs_usb_cmode:file rw_file_perms;
allow meta_tst sysfs_usb_cmode:dir search;
allow meta_tst sysfs_batteryinfo:file rw_file_perms;
allow meta_tst sysfs_batteryinfo:dir search;
#Date: W16.17
# Purpose: N Migration For meta_tst load MD NVRAM database
# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type=
#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm=
#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst:
#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow meta_tst system_file:dir r_dir_perms;
# Date: WK16.18
# Purpose: for CCCI reboot modem
allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
# Date : WK16.35
# Purpose : Update camera flashlight driver device file
allow meta_tst flashlight_device:chr_file rw_file_perms;
#Date: W16.36
# Purpose: meta_tst use libmeta_rat to write libsysenv
# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7):
#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs"
#ino=4561 scontext=u:r:meta_tst:s0 tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
allow meta_tst para_block_device:blk_file { read write open };
#Date: W16.44
allow meta_tst nvcfg_file:dir { search read open };
#Date: W16.45
# Purpose : Allow unmount sdcardfs mounted on /data/media
allow meta_tst sdcard_type:filesystem unmount;
allow meta_tst storage_stub_file:dir search;
# Date : WK16.19
# Operation: meta_tst set persist.meta.connecttype property
# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb".
set_prop(meta_tst, meta_connecttype_prop);
# Date : WK16.23
# Purpose: support meta_tst check key event
allow meta_tst input_device:dir r_dir_perms;
allow meta_tst input_device:chr_file r_file_perms;
# Date : WK16.29
# Purpose: support meta mode show string on screen
allow meta_tst ashmem_device:chr_file execute;
#Date: W16.50
# Purpose : Allow meta_tst stop service which occupy data partition.
allow meta_tst ctl_default_prop:property_service set;
#Date: W17.25
# Purpose : Allow meta_tst stop service which occupy data partition.
allow meta_tst ctl_emdlogger1_prop:property_service set;
#Date: W17.27
# Purpose: STMicro NFC solution integration
allow meta_tst st21nfc_device:chr_file { open read write ioctl };
allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
set_prop(meta_tst,hwservicemanager_prop);
hwbinder_use(meta_tst);
hal_client_domain(meta_tst, hal_nfc);
allow meta_tst debugfs_tracing:file { open write };
# Date: W17.29
# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
hal_client_domain(meta_tst, mtk_hal_keyattestation)
# Date : WK17.30
# Operation : Android O migration
# Purpose : add sepolicy for accessing sysfs_leds
allow meta_tst sysfs_leds:lnk_file read;
allow meta_tst sysfs_leds:file rw_file_perms;
allow meta_tst sysfs_leds:dir r_dir_perms;
# Date: WK17.43
# Purpose: add permission for meta_tst access md image
allow meta_tst md_block_device:blk_file { read open };
allow meta_tst mddb_data_file:file { create open write read getattr};
allow meta_tst mddb_data_file:dir { search write add_name create getattr read open };
# Date: W17.43
# Purpose : Allow meta_tst to call Audio HAL service
binder_call(meta_tst, mtk_hal_audio)
allow meta_tst mtk_hal_audio:binder call;
#allow meta_tst hal_audio_hwservice:hwservice_manager find;
allow meta_tst mtk_audiohal_data_file:dir {read search open};
allow meta_tst proc:file {read open};
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir w_dir_perms;
allow meta_tst audiohal_prop:property_service set;
#Data:W1745
# Purpose : Allow meta_tst to open and read proc/bootprof
allow meta_tst proc_bootprof:file {write open read};
# Date:W17.51
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(meta_tst, mtk_hal_lbs)
# Data:W1750
# Purpose : Allow meta_tst to access mtd device
allow meta_tst mtd_device:blk_file rw_file_perms;
#Date: W17.51
#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM.
set_prop(meta_tst, atm_mdmode_prop);
#Date: W17.51
#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM.
set_prop(meta_tst, atm_ipaddr_prop);
# Date : WK18.16
# Operation: P migration
# Purpose: Allow meta_tst to get tel_switch_prop
get_prop(meta_tst, tel_switch_prop);
# Date : WK18.21
# Operation: P migration
# Purpose : Allow meta_tst to call nvram hal
allow meta_tst nvram_agent_binder_hwservice:hwservice_manager find;
allow meta_tst nvram_agent_binder:binder call;
# Date : WK18.21
# Operation: P migration
# Purpose : Allow meta_tst to write misc partition
allow meta_tst block_device:dir search;
# Date : W18.24
# Operation: P migration
# Purpose : Allow meta_tst to access tpd sysfs nodes for CTP test
allow meta_tst sysfs_tpd_setting:dir search;
allow meta_tst sysfs_tpd_setting:file { read getattr open };
# Date : WK18.24
# Operation: P migration
# Purpose : Allow meta_tst to unmount partition, stop service, and then erase partition
allow meta_tst vendor_shell_exec:file { read execute open execute_no_trans };
allow meta_tst vendor_toolbox_exec:file { execute_no_trans };
allow meta_tst labeledfs:filesystem { unmount };
allow meta_tst proc_cmdline:file { read open getattr };
allow meta_tst meta_tst:capability { sys_admin };
allow meta_tst sysfs_dt_firmware_android:file { read open getattr };
allow meta_tst sysfs_dt_firmware_android:dir { read open search };
# Purpose : Allow meta_tst to communicate with driver thru socket
allow meta_tst meta_tst:capability { sys_module net_admin net_raw };
allow meta_tst self:udp_socket { create ioctl };
allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls;
# Date : WK18.25
# Operation: P migration
# Purpose : GPS test, Allow meta_tst to write/connect tcp socket
allow meta_tst node:tcp_socket node_bind;
allow meta_tst port:tcp_socket { name_bind name_connect };
allow meta_tst self:capability net_raw;
allow meta_tst self:tcp_socket { setopt bind create listen accept connect };
allow meta_tst self:tcp_socket { read write };
allow meta_tst self:udp_socket { write connect };
# Date : WK18.28
# Operation: P migration
# Purpose : AUDIO test, Allow meta_tst to write/read asound
allow meta_tst proc_asound:dir { read search open };
allow meta_tst proc_asound:file { read open getattr write };
allow meta_tst mtk_audiohal_data_file:dir { read search open };
allow meta_tst audiohal_prop:property_service set;
allow meta_tst sysfs:file { read open };
allow meta_tst sysfs_headset:file { read open };
# Date: W18.05
# Purpose : Allow meta_tst to use socket for listening uevent
allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt };
# Date : WK18.28
# Operation: P migration
# Purpose :
set_prop(meta_tst, vendor_usb_prop);
# Date: W18.29
# Operation: Catch log
# Purpose : meta connect with loghidlserver by socket.
allow meta_tst loghidlvendorservice:unix_stream_socket connectto;
# Date: W18.32
# Operation: Android P migration
# Purpose : Allow meta_tst to set powerctl property
# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0
# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0
set_prop(meta_tst, powerctl_prop);
# Date: W18.33
# Operation: Android P migration
# Purpose : Allow meta_tst to set system clock
# avc: denied { sys_time } for capability=25 scontext=u:r:meta_tst:s0 tcontext=u:r:meta_tst:s0 tclass=capability permissive=0
allow meta_tst self:capability sys_time;
# Data: W18.35
# Operation: Android P migration
# Purpose : check usb online status
# avc: denied { search } for name="power_supply" dev="sysfs" ino=8712 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0
# avc: denied { read } for name="online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0
# avc: denied { open } for path="/sys/devices/platform/mt_charger/power_supply/usb/online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0
allow meta_tst sysfs_batteryinfo:dir search;
allow meta_tst sysfs_batteryinfo:file {read open};
# Data: W18.42
# Operation: Android P migration
# Purpose : add socket permission for meta
allow meta_tst fwmarkd_socket:sock_file write;
#Date: W18.42
# Operation: Android P migration
# Purpose : Add ATM meta mvram sepolicy
allow meta_tst mnt_vendor_file:dir search;
# Date : WK18.44
# Operation: P migration
# Purpose : adsp
allow meta_tst adsp_device:chr_file rw_file_perms;
# Date : WK19.08
# Operation: P migration
# Purpose : audio scp recovery
allow meta_tst audio_scp_device:chr_file r_file_perms;


@ -1,21 +0,0 @@
# ==============================================
# Policy File of /system/bin/mmc_ffu Executable File
# ==============================================
# Type Declaration
# ==============================================
type mmc_ffu, domain;
type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mmc_ffu)
# Purpose: For seek file size
allow mmc_ffu block_device:dir r_dir_perms;
# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
allow mmc_ffu misc_sd_device:chr_file r_file_perms;
#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;


@ -1,103 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/mnld Executable File
# ==============================================
# Type Declaration
# ==============================================
type mnld, domain;
type mnld_exec, exec_type, file_type, vendor_file_type;
typeattribute mnld mlstrustedsubject;
# ==============================================
# MTK Policy Rule
# ==============================================
# STOPSHIP: Permissive is not allowed. CTS violation!
init_daemon_domain(mnld)
net_domain(mnld)
# Purpose : For communicate with AGPSD by socket
allow mnld agpsd_data_file:dir create_dir_perms;
allow mnld agpsd_data_file:sock_file create_file_perms;
allow mnld mtk_agpsd:unix_dgram_socket sendto;
allow mnld sysfs:file rw_file_perms;
allow mnld sysfs_wake_lock:file rw_file_perms;
# Purpose : For access NVRAM data
allow mnld nvram_data_file:dir create_dir_perms;
allow mnld nvram_data_file:file create_file_perms;
allow mnld nvram_data_file:lnk_file read;
allow mnld nvdata_file:lnk_file read;
allow mnld nvram_device:blk_file rw_file_perms;
allow mnld nvram_device:chr_file rw_file_perms;
allow mnld nvdata_file:dir create_dir_perms;
allow mnld nvdata_file:file create_file_perms;
# Purpose : For access kernel device
allow mnld mnld_data_file:dir rw_dir_perms;
allow mnld mnld_data_file:sock_file create_file_perms;
allow mnld mnld_device:chr_file rw_file_perms;
allow mnld mnld_data_file:file rw_file_perms;
allow mnld mnld_data_file:file create_file_perms;
allow mnld mnld_data_file:fifo_file create_file_perms;
# Purpose : For init process
allow mnld init:unix_stream_socket connectto;
allow mnld init:udp_socket { read write };
# Send the message to the LBS HIDL Service to forward to applications
allow mnld lbs_hidl_service:unix_dgram_socket sendto;
# Send the message to the merged hal Service to forward to applications
allow mnld merged_hal_service:unix_dgram_socket sendto;
# Purpose : For access system data
allow mnld bootdevice_block_device:blk_file rw_file_perms;
allow mnld block_device:dir search;
allow mnld mnld_prop:property_service set;
allow mnld property_socket:sock_file write;
allow mnld mdlog_device:chr_file { read write };
allow mnld self:capability { fsetid };
allow mnld stpbt_device:chr_file { read write };
allow mnld gpsdl_device:chr_file { read write };
allow mnld ttyGS_device:chr_file { read write };
# Purpose : For file system operations
allow mnld sdcard_type:dir search;
allow mnld sdcard_type:dir write;
allow mnld sdcard_type:dir add_name;
allow mnld sdcard_type:file create;
allow mnld sdcard_type:file rw_file_perms;
allow mnld sdcard_type:file create_file_perms;
allow mnld sdcard_type:dir { read remove_name create open };
allow mnld tmpfs:lnk_file { read create open };
allow mnld mtd_device:dir search;
allow mnld mnt_user_file:lnk_file read;
allow mnld mnt_user_file:dir search;
allow mnld gps_data_file:dir { write add_name search remove_name unlink};
allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
allow mnld gps_data_file:lnk_file read;
allow mnld storage_file:lnk_file read;
allow mnld nvcfg_file:dir search;
# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
allow mnld proc_lk_env:file rw_file_perms;
# For HIDL, communicate mtk_hal_gnss instead of system_server
allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
# Purpose : MPE sensor HIDL policy
hwbinder_use(mnld);
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
#allow mnld hwservicemanager_prop:file { read open getattr };
get_prop(mnld, hwservicemanager_prop);
allow mnld debugfs_tracing:file { open write };
allow mnld mnt_vendor_file:dir search;
# Date : WK18.26
# Purpose : for atci gps test
allow mnld atci_service:unix_dgram_socket sendto;
allow mnld sysfs_boot_mode:file { read open };
set_prop(mnld, vendor_radio_prop);


@ -1,64 +0,0 @@
# boot_mdoe file access
allow mobile_log_d sysfs_boot_mode:file { open read };
#proc/ access
allow mobile_log_d proc_kmsg:file r_file_perms;
allow mobile_log_d proc_cmdline:file r_file_perms;
allow mobile_log_d proc_atf_log:dir search;
allow mobile_log_d proc_atf_log:file r_file_perms;
allow mobile_log_d proc_gz_log:file r_file_perms;
allow mobile_log_d proc_last_kmsg:file r_file_perms;
allow mobile_log_d proc_bootprof:file r_file_perms;
allow mobile_log_d proc_pl_lk:file r_file_perms;
#scp
allow mobile_log_d sysfs_scp:file { open write };
allow mobile_log_d sysfs_scp:dir search;
allow mobile_log_d scp_device:chr_file { read open };
#adsp
allow mobile_log_d sysfs_adsp:file { open write };
allow mobile_log_d sysfs_adsp:dir search;
allow mobile_log_d adsp_device:chr_file r_file_perms;
#sspm
allow mobile_log_d sysfs_sspm:file { open write };
allow mobile_log_d sysfs_sspm:dir search;
allow mobile_log_d sspm_device:chr_file { read open };
#data/misc/mblog
allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
allow mobile_log_d logmisc_data_file:file create_file_perms;
#data/log_temp
allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
allow mobile_log_d logtemp_data_file:file create_file_perms;
#data/data_tmpfs_log
allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
#mobile itself property
set_prop(mobile_log_d, mobile_log_prop)
# Date: 2016/11/11
# purpose: allow MobileLog to access aee socket
allow mobile_log_d aee_aed:unix_stream_socket connectto;
# purpose: send log to com port
allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
# purpose: allow mobile_log_d to access persist.meta.connecttype
get_prop(mobile_log_d, meta_connecttype_prop);
# purpose: allow mobile_log_d to create socket
allow mobile_log_d port:tcp_socket { name_connect name_bind };
allow mobile_log_d mobile_log_d:tcp_socket { create connect setopt bind };
allow mobile_log_d mobile_log_d:tcp_socket { bind setopt listen accept read write };
allow mobile_log_d node:tcp_socket node_bind;
# purpose: allow mobile_log_d to read system property init.svc.vendor.
get_prop(mobile_log_d, vendor_default_prop)
# purpose: allow mobile_log_d to read persist.vendor.mtk.aee
get_prop(mobile_log_d, persist_mtk_aee_prop)


@ -1,18 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File
# ==============================================
# Type Declaration
# ==============================================
type modemdbfilter_service ,domain;
type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type;
typeattribute modemdbfilter_service mlstrustedsubject;
#Purpose : for create hidl server
hal_server_domain(modemdbfilter_service, mtk_hal_md_dbfilter)
init_daemon_domain(modemdbfilter_service)
# ==============================================
# MTK Policy Rule
# ==============================================


@ -1,70 +0,0 @@
# ==============================================
# Policy File of /vendor/bin/mtk_agpsd Executable File
# ==============================================
# Type Declaration
# ==============================================
type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
type mtk_agpsd, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mtk_agpsd)
net_domain(mtk_agpsd)
# Access channels to modem for E-CID, RRLP, and LPP
allow mtk_agpsd agps_device:chr_file rw_file_perms;
allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
allow mtk_agpsd ccci_device:chr_file { create setattr unlink rw_file_perms };
# Access folders, files, and sockets in /data/agps_supl
allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
allow mtk_agpsd agpsd_data_file:file create_file_perms;
allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
# Access file system partitions like /system, /data and SD Card
allow mtk_agpsd sdcard_type:dir create_dir_perms;
allow mtk_agpsd sdcard_type:file create_file_perms;
allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
allow mtk_agpsd mnt_user_file:dir create_dir_perms;
allow mtk_agpsd mnt_vendor_file:dir create_dir_perms;
allow mtk_agpsd mnt_vendor_file:file create_file_perms;
allow mtk_agpsd gps_data_file:dir create_dir_perms;
allow mtk_agpsd gps_data_file:file create_file_perms;
# Access symbolic link files like /etc and /sdcard
allow mtk_agpsd tmpfs:lnk_file create_file_perms;
allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
allow mtk_agpsd storage_file:dir create_dir_perms;
allow mtk_agpsd storage_file:file create_file_perms;
# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
allow mtk_agpsd slpd:unix_dgram_socket sendto;
# Operators will send agps settings via OMADM.
# Operators ask UE to save these settings into NVRAM.
allow mtk_agpsd nvcfg_file:dir create_dir_perms;
allow mtk_agpsd nvcfg_file:file create_file_perms;
# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
allow mtk_agpsd mnld:unix_dgram_socket sendto;
# Send the message to the LBS HIDL Service to forward to system partitions
allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
# Send the message to the merged hal Service to forward to system partitions
allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
# Allow send socket to fusion rild
allow mtk_agpsd rild:unix_dgram_socket sendto;
# Allow libapmonitor to read the property of hwservicemanager.ready
get_prop(mtk_agpsd,hwservicemanager_prop)
# Read the property of vendor.debug.gps.mnld.ne
get_prop(mtk_agpsd,mnld_prop)
# Read the property of ro.vendor.mtk_log_hide_gps
get_prop(mtk_agpsd,mtk_gps_support_prop)


@ -1,233 +0,0 @@
type mtk_hal_audio, domain;
hal_server_domain(mtk_hal_audio, hal_audio)
type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mtk_hal_audio)
hal_client_domain(mtk_hal_audio, hal_allocator)
hwbinder_use(mtk_hal_audio)
wakelock_use(mtk_hal_audio);
allow mtk_hal_audio ion_device:chr_file r_file_perms;
allow mtk_hal_audio system_file:dir { open read };
r_dir_file(mtk_hal_audio, proc)
allow mtk_hal_audio audio_device:dir r_dir_perms;
allow mtk_hal_audio audio_device:chr_file rw_file_perms;
###
### neverallow rules
###
# mtk_hal_audio should never execute any executable without
# a domain transition
neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
# mtk_hal_audio should never need network access.
# Disallow network sockets.
neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mtk_hal_audio sdcard_type:dir { w_dir_perms create };
allow mtk_hal_audio sdcard_type:file create;
allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
allow mtk_hal_audio nvram_data_file:file create_file_perms;
allow mtk_hal_audio nvram_data_file:lnk_file read;
allow mtk_hal_audio nvdata_file:lnk_file read;
allow mtk_hal_audio nvdata_file:dir w_dir_perms;
allow mtk_hal_audio nvdata_file:file create_file_perms;
allow mtk_hal_audio sdcard_type:dir remove_name;
allow mtk_hal_audio sdcard_type:file unlink;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
allow mtk_hal_audio self:netlink_kobject_uevent_socket read;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write;
allow mtk_hal_audio bt_int_adp_socket:sock_file write;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow mtk_hal_audio MtkCodecService:binder call;
allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
allow mtk_hal_audio devmap_device:chr_file r_file_perms;
allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
allow mtk_hal_audio block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow mtk_hal_audio fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
allow mtk_hal_audio sdcard_type:file append;
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
allow mtk_hal_audio audiohal_prop:property_service set;
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow mtk_hal_audio vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow mtk_hal_audio rpc_socket:sock_file write;
allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mtk_hal_audio sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mtk_hal_audio proc_mtkcooler:dir search;
allow mtk_hal_audio proc_mtktz:dir search;
allow mtk_hal_audio proc_thermal:dir search;
allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow mtk_hal_audio radio:dir { search read };
allow mtk_hal_audio radio:file r_file_perms;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mtk_hal_audio untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_audio storage_file:dir search;
allow mtk_hal_audio storage_file:lnk_file {read write};
allow mtk_hal_audio mnt_user_file:dir {write read search};
allow mtk_hal_audio mnt_user_file:lnk_file {read write};
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow mtk_hal_audio sysfs_ccci:file r_file_perms;
allow mtk_hal_audio sysfs_ccci:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow mtk_hal_audio tmpfs:dir search;
# Purpose: Dump debug info
allow mtk_hal_audio debugfs_binder:dir search;
allow mtk_hal_audio kmsg_device:chr_file { open write };
allow mtk_hal_audio property_socket:sock_file write;
allow mtk_hal_audio fuse:file rw_file_perms;
allow mtk_hal_audio init:unix_stream_socket connectto;
# Date : WK16.27
# Operation : Migration
# Purpose: tunning tool update parameters
binder_call(mtk_hal_audio,radio)
allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
# Date : WK16.28
# Operation : Migration
# Purpose: Write audio dump files to external SDCard.
allow mtk_hal_audio sdcard_type:file { create_file_perms };
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_audio proc_ged:file rw_file_perms;
set_prop(mtk_hal_audio,hwservicemanager_prop);
allow mtk_hal_audio storage_file:dir search;
# Fix bootup violation
allow mtk_hal_audio fuse:dir read;
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
# Date : W17.29
# Boot for opening trace file: Permission denied (13)
allow mtk_hal_audio debugfs_tracing:file { write open };
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
# Audio Tuning Tool Android O porting
binder_call(mtk_hal_audio,audiocmdservice_atci);
# Add for control PowerHAL
allow mtk_hal_audio mtk_hal_power_hwservice:hwservice_manager find;
binder_call(mtk_hal_audio, mtk_hal_power)
binder_call(mtk_hal_audio, merged_hal_service)
# cm4 smartpa
allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open };
allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
# Date : WK18.21
# Operation: P migration
# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
allow mtk_hal_audio mnt_vendor_file:dir search;
# Date: 2019/06/14
# Operation : Migration
allow mtk_hal_audio audioserver:fifo_file w_file_perms;
allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
# Date : WK18.44
# Operation: adsp
allow mtk_hal_audio adsp_device:file rw_file_perms;
allow mtk_hal_audio adsp_device:chr_file rw_file_perms;


@ -1,6 +0,0 @@
# HwBinder IPC from client to server, and callbacks
binder_call(mtk_hal_bgs_client, mtk_hal_bgs_server)
binder_call(mtk_hal_bgs_server, mtk_hal_bgs_client)
add_hwservice(mtk_hal_bgs_server, mtk_hal_bgs_hwservice)
allow mtk_hal_bgs_client mtk_hal_bgs_hwservice:hwservice_manager find;
