diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
index c3a4c81..eb357c2 100644
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@@ -119,10 +119,7 @@ allow atci_service sysfs_batteryinfo:file { read getattr open };
 #allow atci_service system_data_file:lnk_file read;
 allow atci_service system_file:dir { read open };
 allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
-#allow atci_service media_rw_data_file:dir { read getattr open };
-#allow atci_service media_rw_data_file:file { getattr setattr };
 allow atci_service mtkcam_prop:file { read getattr open };
-#allow atci_service hal_camera_hwservice:hwservice_manager find;
 allow atci_service mtk_hal_camera:binder call;
 allow atci_service debugfs_ion:dir search;
 allow atci_service sysfs_tpd_setting:file { read write open getattr };
diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te
index e2e04d6..87369b9 100644
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@@ -28,23 +28,6 @@ allow cameraserver self:process { ptrace };
 # -----------------------------------
 allow cameraserver mtkcam_prop:file { open read getattr };
 
-# Date : WK14.31
-# Operation : Migration
-# Purpose : camera devices access.
-# allow cameraserver camera_isp_device:chr_file rw_file_perms;
-# allow cameraserver ccu_device:chr_file rw_file_perms;
-# allow cameraserver vpu_device:chr_file rw_file_perms;
-# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
-# allow cameraserver seninf_device:chr_file rw_file_perms;
-# allow cameraserver self:capability { setuid ipc_lock sys_nice };
-# allow cameraserver sysfs_wake_lock:file rw_file_perms;
-# allow cameraserver MTK_SMI_device:chr_file r_file_perms;
-# allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
-# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
-# allow cameraserver lens_device:chr_file rw_file_perms;
-# allow cameraserver nvdata_file:lnk_file read;
-# allow cameraserver proc_meminfo:file { read getattr open };
-
 # Date : WK14.34
 # Operation : Migration
 # Purpose : nvram access (dumchar case for nand and legacy chip)
diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te
index f9fd5d9..46dd441 100644
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@@ -181,3 +181,6 @@ allow dumpstate mtee_trusty_file:file rw_file_perms;
 # avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
 # tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
 allow dumpstate mnt_expand_file:dir { search getattr };
+
+#Purpose: Allow dumpstate to read /dev/usb-ffs
+allow dumpstate functionfs:file { getattr };
diff --git a/non_plat/netd.te b/non_plat/netd.te
index 02b380f..9dbf77e 100644
--- a/non_plat/netd.te
+++ b/non_plat/netd.te
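Review bot: The comment on the new dumpstate rule promises read access to /dev/usb-ffs, but the rule grants only `getattr` on `functionfs:file`, so an actual open/read by dumpstate would still be denied and the comment overstates the grant. If stat is all that is needed, make the comment match, `#Purpose: Allow dumpstate to stat (getattr) files under /dev/usb-ffs`; if reading is the real need, the permission set has to be widened deliberately, not implied by the comment. The neighbouring entries in this file record the triggering avc denial above the rule; adding that denial line here would document why getattr alone suffices.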
@@ -11,10 +11,6 @@ allow netd wmtWifi_device:chr_file { write open };
 
 # Date : WK14.34
 # Operation : Migration
-# Purpose : NA
-# Owner£º Changqing Sun
-allow netd kernel:system module_request;
-allow netd self:capability sys_module;
 allow netd self:capability fsetid;
 
 # Date : WK14.34
diff --git a/non_plat/uncrypt.te b/non_plat/uncrypt.te
index d62e1ff..bd53aed 100755
--- a/non_plat/uncrypt.te
+++ b/non_plat/uncrypt.te
@@ -1,14 +1,14 @@
-#====================== uncrypt.te ======================
-# uncrypt for mtd
-allow uncrypt mtd_device:chr_file { read write open ioctl };
-allow uncrypt mtd_device:dir search;
-
-allow uncrypt misc_device:chr_file ~rename;
-allow uncrypt system_data_file:file { open read };
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-allow uncrypt para_block_device:blk_file { write open };
-allow uncrypt system_app_data_file:dir { getattr search };
-allow uncrypt system_app_data_file:file { read getattr };
-allow uncrypt media_rw_data_file:dir { getattr search };
-allow uncrypt media_rw_data_file:file { read getattr open };
-allow uncrypt ota_package_file:file w_file_perms;
+#====================== uncrypt.te ======================
+# uncrypt for mtd
+allow uncrypt mtd_device:chr_file rw_file_perms;
+allow uncrypt mtd_device:dir search;
+
+allow uncrypt misc_device:chr_file ~rename;
+allow uncrypt system_data_file:file { open read };
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+allow uncrypt para_block_device:blk_file w_file_perms;
+allow uncrypt system_app_data_file:dir { getattr search };
+allow uncrypt system_app_data_file:file { read getattr };
+allow uncrypt media_rw_data_file:dir { getattr search };
+allow uncrypt media_rw_data_file:file r_file_perms;
+allow uncrypt ota_package_file:file w_file_perms;
diff --git a/non_plat/vendor_init.te b/non_plat/vendor_init.te
index cccd114..264ad3d 100644
--- a/non_plat/vendor_init.te
+++ b/non_plat/vendor_init.te
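Review bot: Swapping the explicit permission sets in uncrypt.te for macros widens what uncrypt is granted, not just how it is spelled: `rw_file_perms` on `mtd_device:chr_file` covers more than the old `{ read write open ioctl }`, `w_file_perms` on `para_block_device:blk_file` more than `{ write open }`, and `r_file_perms` on `media_rw_data_file:file` more than `{ read getattr open }` (the global_macros expansions add at least lock and append or ioctl, and map on newer policy versions). Unless a denial demanded the extra permissions, keep the explicit sets, e.g. `allow uncrypt para_block_device:blk_file { write open };`, and if one did, record the denial above the rule as the other files on this page do. Every line of the file is removed and re-added, including the unchanged ones, which looks like a line-ending change rather than a policy edit; worth confirming so the three real permission changes are not lost in that noise.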
@@ -74,4 +74,8 @@ set_prop(vendor_init, mtk_wifi_hotspot_prop) set_prop(vendor_init, persist_aeev_prop) -set_prop(vendor_init, mtk_powerhal_prop) \ No newline at end of file +set_prop(vendor_init, mtk_powerhal_prop) + +# mmstat tracer +allow vendor_init debugfs_tracing_instances:dir create_dir_perms; +allow vendor_init debugfs_tracing_instances:file w_file_perms; diff --git a/r_non_plat/MtkCodecService.te b/r_non_plat/MtkCodecService.te deleted file mode 100644 index f9229a7..0000000 --- a/r_non_plat/MtkCodecService.te +++ /dev/null @@ -1,9 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/MtkCodecService Executable File - -# ============================================== -# Type Declaration -# ============================================== -type MtkCodecService_exec , exec_type, file_type, vendor_file_type; -type MtkCodecService ,domain; - diff --git a/r_non_plat/adbd.te b/r_non_plat/adbd.te deleted file mode 100644 index b431979..0000000 --- a/r_non_plat/adbd.te +++ /dev/null @@ -1,13 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -#permissive adbd; - -# Data : WK17.46 -# Operator: Migration -# Purpose: Allow adbd to read KE DB -allow adbd aee_dumpsys_data_file:file r_file_perms; -allow adbd aee_exp_data_file:dir r_dir_perms; -allow adbd aee_exp_data_file:file r_file_perms; -allow adbd gpu_device:dir search; diff --git a/r_non_plat/aee_aed.te b/r_non_plat/aee_aed.te deleted file mode 100644 index c845ce2..0000000 --- a/r_non_plat/aee_aed.te +++ /dev/null 
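Review bot: The two new rules give vendor_init `create_dir_perms` on `debugfs_tracing_instances:dir` and `w_file_perms` on its files, which is enough to create and remove tracing instances and write their control files, yet the only justification is the one-word comment `# mmstat tracer`. The comment should say what mmstat is and why init itself needs to drive it, e.g. `# Purpose: mmstat tracer - vendor_init sets up a tracing instance under debugfs_tracing_instances at boot`, in the Purpose style the other files on this page use. If the tracer is only used on debug builds, wrapping both rules in `userdebug_or_eng(`...')`, as the aee_aedv policy on this page does for debugfs_tracing_debug, would keep the write access off user builds.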
@@ -1,70 +0,0 @@ -# ============================================== -# Policy File of /system/bin/aee_aed Executable File - -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK14.32 -# Operation : AEE UT -# Purpose : for AEE module -allow aee_aed aed_device:chr_file rw_file_perms; -allow aee_aed expdb_device:chr_file rw_file_perms; -allow aee_aed expdb_block_device:blk_file rw_file_perms; -allow aee_aed etb_device:chr_file rw_file_perms; - -# open/dev/mtd/mtd12 failed(expdb) -allow aee_aed mtd_device:dir create_dir_perms; -allow aee_aed mtd_device:chr_file rw_file_perms; - -# NE flow: /dev/RT_Monitor -allow aee_aed RT_Monitor_device:chr_file r_file_perms; - -#data/aee_exp -allow aee_aed aee_exp_data_file:dir create_dir_perms; -allow aee_aed aee_exp_data_file:file create_file_perms; - -#data/dumpsys -allow aee_aed aee_dumpsys_data_file:dir create_dir_perms; -allow aee_aed aee_dumpsys_data_file:file create_file_perms; - -#/data/core -allow aee_aed aee_core_data_file:dir create_dir_perms; -allow aee_aed aee_core_data_file:file create_file_perms; - -# /data/data_tmpfs_log -allow aee_aed data_tmpfs_log_file:dir create_dir_perms; -allow aee_aed data_tmpfs_log_file:file create_file_perms; - -# Purpose: aee_aed set property -set_prop(aee_aed, persist_mtk_aee_prop); -set_prop(aee_aed, persist_aee_prop); -set_prop(aee_aed, debug_mtk_aee_prop); - -# /proc/lk_env -allow aee_aed proc_lk_env:file rw_file_perms; - -# Purpose: Allow aee_aed to read /proc/pid/exe -#allow aee_aed exec_type:file r_file_perms; - -# Purpose: Allow aee_aed to read /proc/cpu/alignment -allow aee_aed proc_cpu_alignment:file { write open }; - -# Purpose: Allow aee_aed to access /sys/devices/virtual/timed_output/vibrator/enable -allow aee_aed sysfs_vibrator_setting:dir search; -allow aee_aed sysfs_vibrator_setting:file w_file_perms; -allow aee_aed sysfs_vibrator:dir search; -allow aee_aed sysfs_leds:dir search; - -# Purpose: 
Allow aee_aed to read /proc/kpageflags -allow aee_aed proc_kpageflags:file r_file_perms; - -# temp solution -get_prop(aee_aed, vendor_default_prop) - -hal_client_domain(aee_aed, mtk_hal_log) - -# Purpose: create /data/aee_exp at runtime -allow aee_aed file_contexts_file:file r_file_perms; -allow aee_aed system_data_file:dir { relabelfrom setattr }; -allow aee_aed aee_exp_data_file:dir relabelto; diff --git a/r_non_plat/aee_aedv.te b/r_non_plat/aee_aedv.te deleted file mode 100644 index 13d96f4..0000000 --- a/r_non_plat/aee_aedv.te +++ /dev/null 
@@ -1,434 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/aee_aedv Executable File - -# ============================================== -# MTK Policy Rule -# ============================================== - -type aee_aedv, domain; - -type aee_aedv_exec, exec_type, file_type, vendor_file_type; -typeattribute aee_aedv mlstrustedsubject; - -init_daemon_domain(aee_aedv) - -# Date : WK14.32 -# Operation : AEE UT -# Purpose : for AEE module -allow aee_aedv aed_device:chr_file rw_file_perms; -allow aee_aedv expdb_device:chr_file rw_file_perms; -allow aee_aedv expdb_block_device:blk_file rw_file_perms; -allow aee_aedv bootdevice_block_device:blk_file rw_file_perms; -allow aee_aedv etb_device:chr_file rw_file_perms; - -# AED start: /dev/block/expdb -allow aee_aedv block_device:dir search; - -# NE flow: /dev/RT_Monitor -allow aee_aedv RT_Monitor_device:chr_file r_file_perms; - -#data/aee_exp -allow aee_aedv aee_exp_vendor_file:dir create_dir_perms; -allow aee_aedv aee_exp_vendor_file:file create_file_perms; - -#data/dumpsys -allow aee_aedv aee_dumpsys_vendor_file:dir create_dir_perms; -allow aee_aedv aee_dumpsys_vendor_file:file create_file_perms; - -#/data/core -allow aee_aedv aee_core_vendor_file:dir create_dir_perms; -allow aee_aedv aee_core_vendor_file:file create_file_perms; - -# /data/data_tmpfs_log -allow aee_aedv vendor_tmpfs_log_file:dir create_dir_perms; -allow aee_aedv vendor_tmpfs_log_file:file create_file_perms; - -allow aee_aedv domain:process { sigkill getattr getsched}; -allow aee_aedv domain:lnk_file getattr; - -#core-pattern -allow aee_aedv usermodehelper:file r_file_perms; - -# Date: W15.34 -# Operation: Migration -# Purpose: For pagemap & pageflags information in NE DB -userdebug_or_eng(`allow aee_aedv self:capability sys_admin;') - -# Purpose: aee_aedv set property -set_prop(aee_aedv, persist_mtk_aeev_prop); -set_prop(aee_aedv, persist_aeev_prop); -set_prop(aee_aedv, debug_mtk_aeev_prop); - -# Purpose: mnt/user/* 
-allow aee_aedv mnt_user_file:dir search; -allow aee_aedv mnt_user_file:lnk_file read; - -allow aee_aedv storage_file:dir search; -allow aee_aedv storage_file:lnk_file read; - -userdebug_or_eng(` - allow aee_aedv su:dir {search read open }; - allow aee_aedv su:file { read getattr open }; -') - -# /proc/pid/ -allow aee_aedv self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module}; - -# PROCESS_FILE_STATE -allow aee_aedv dumpstate:unix_stream_socket { read write ioctl }; -allow aee_aedv dumpstate:dir search; -allow aee_aedv dumpstate:file r_file_perms; - -allow aee_aedv proc:file rw_file_perms; -allow aee_aedv logdr_socket:sock_file write; -allow aee_aedv logd:unix_stream_socket connectto; - -# vibrator -allow aee_aedv sysfs_vibrator:file w_file_perms; - -# /proc/lk_env -allow aee_aedv proc_lk_env:file rw_file_perms; - -# Data : 2017/03/22 -# Operation : add NE flow rule for Android O -# Purpose : make aee_aedv can get specific process NE info -allow aee_aedv domain:dir r_dir_perms; -allow aee_aedv domain:{ file lnk_file } r_file_perms; -#allow aee_aedv { -# domain -# -logd -# -keystore -# -init -#}:process ptrace; -#allow aee_aedv zygote_exec:file r_file_perms; -#allow aee_aedv init_exec:file r_file_perms; - -# Data : 2017/04/06 -# Operation : add selinux rule for crash_dump notify aee_aedv -# Purpose : make aee_aedv can get notify from crash_dump -allow aee_aedv crash_dump:dir search; -allow aee_aedv crash_dump:file r_file_perms; - -# Date : 20170512 -# Operation : fix aee_archive can't execute issue -# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for -# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355 -# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0 -# tclass=file permissive=0 -allow aee_aedv vendor_file:file execute_no_trans; - -# Purpose: debugfs files -# allow aee_aedv debugfs:lnk_file read; -allow aee_aedv debugfs_binder:dir { read open }; -allow aee_aedv debugfs_binder:file { read 
open }; -allow aee_aedv debugfs_blockio:file { read open }; -allow aee_aedv debugfs_fb:dir search; -allow aee_aedv debugfs_fb:file { read open }; -allow aee_aedv debugfs_fuseio:dir search; -allow aee_aedv debugfs_fuseio:file { read open }; -allow aee_aedv debugfs_ged:dir search; -allow aee_aedv debugfs_ged:file { read open }; -allow aee_aedv debugfs_rcu:dir search; -allow aee_aedv debugfs_shrinker_debug:file { read open }; -allow aee_aedv debugfs_wakeup_sources:file { read open }; -allow aee_aedv debugfs_dmlog_debug:file { read open }; -allow aee_aedv debugfs_page_owner_slim_debug:file { read open }; -allow aee_aedv debugfs_ion_mm_heap:dir search; -allow aee_aedv debugfs_ion_mm_heap:file r_file_perms; -allow aee_aedv debugfs_ion_mm_heap:lnk_file read; -allow aee_aedv debugfs_cpuhvfs:dir search; -allow aee_aedv debugfs_cpuhvfs:file { read open }; -allow aee_aedv debugfs_emi_mbw_buf:file { read open }; -allow aee_aedv debugfs_vpu_device_dbg:file { read open }; - -# Purpose: -# 01-01 00:02:46.390 3315 3315 W aee_dumpstatev: type=1400 audit(0.0:4728): -# avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext= -# u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0 -allow aee_aedv proc_interrupts:file read; - -# Purpose: -# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497): -# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev= -# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r: -# tracing_shell_writable:s0 tclass=file permissive=1 -allow aee_aedv debugfs_tracing:file rw_file_perms; - -# Purpose: -# 01-01 00:05:16.730 3566 3566 W dmesg : type=1400 audit(0.0:5173): avc: -# denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv: -# s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0 -allow aee_aedv kmsg_device:chr_file read; - -# Purpose: -# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc: -# denied { 
getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r: -# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0 -allow aee_aedv platform_app:dir r_dir_perms; -allow aee_aedv platform_app:file r_file_perms; - -# Purpose: -# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc: -# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r: -# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0 -allow aee_aedv untrusted_app_25:dir getattr; - -# Purpose: -# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc: -# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r: -# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0 -allow aee_aedv untrusted_app:dir getattr; - -# Purpose: -# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc: -# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r: -# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0 -allow aee_aedv priv_app:dir getattr; - -# Purpose: -# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153): -# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608 -# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file -# permissive=0 -allow aee_aedv proc_interrupts:file r_file_perms; - -# Purpose: -# 01-01 00:05:16.620 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5171): -# avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r: -# aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 -allow aee_aedv proc_net:file read; - -# Purpose: -# 01-01 00:05:16.610 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5168): -# avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext= -# u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0 -allow aee_aedv proc_zoneinfo:file read; - -# Purpose: -# 
01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200): -# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r: -# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0 -allow aee_aedv sysfs_leds:dir search; -allow aee_aedv sysfs_leds:file r_file_perms; - -# Purpose: -# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied -# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r: -# sysfs_ccci:s0 tclass=dir permissive=1 -# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read } -# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0 -# tclass=file permissive=1 -# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open } -# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u: -# object_r:sysfs_ccci:s0 tclass=file permissive=1 -allow aee_aedv sysfs_ccci:dir search; -allow aee_aedv sysfs_ccci:file r_file_perms; - -# Purpose: -# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied -# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r: -# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1 -allow aee_aedv vendor_toolbox_exec:file rx_file_perms; - -# Purpose: -# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for -# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device: -# s0 tclass=chr_file permissive=0 -# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied -# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0 -allow aee_aedv kmsg_device:chr_file r_file_perms; -allow aee_aedv kernel:system syslog_read; - -# Purpose: -# 01-01 
00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied -# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u: -# object_r:proc_meminfo:s0 tclass=file permissive=0 -allow aee_aedv proc_meminfo:file r_file_perms; - -# Purpose: -# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied -# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0 -# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0 -allow aee_aedv proc_net:file r_file_perms; - -# Purpose: -# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied -# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext= -# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0 -allow aee_aedv proc_zoneinfo:file r_file_perms; - -# Purpose: -# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read } -# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r: -# rootfs:s0 tclass=file permissive=0 -allow aee_aedv rootfs:file r_file_perms; - -# Purpose: -# 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search } -# for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r: -# debugfs_dynamic_debug:s0 tclass=dir permissive=0 -allow aee_aedv debugfs_dynamic_debug:dir search; -allow aee_aedv debugfs_dynamic_debug:file r_file_perms; - -# Purpose: -# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read } -# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0 -# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0 -allow aee_aedv sysfs:file r_file_perms; -allow aee_aedv sysfs_mrdump_lbaooo:file w_file_perms; - -# Purpose: Allow aee_aedv to use HwBinder IPC. 
-hwbinder_use(aee_aedv) -get_prop(aee_aedv, hwservicemanager_prop) - -# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider -# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956 -# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager -# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED) -hal_client_domain(aee_aedv, hal_camera) -allow aee_aedv hal_camera_hwservice:hwservice_manager { find }; -binder_call(aee_aedv, mtk_hal_camera) - -# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status -allow aee_aedv selinuxfs:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/pid/exe -#allow aee_aedv exec_type:file r_file_perms; - -# Purpose: mrdump db flow and pre-allocation -# mrdump db flow -allow aee_aedv sysfs_dt_firmware_android:dir search; -allow aee_aedv sysfs_dt_firmware_android:file r_file_perms; -allow aee_aedv kernel:system module_request; -allow aee_aedv metadata_file:dir search; -# pre-allocation -allow aee_aedv self:capability linux_immutable; -allow aee_aedv userdata_block_device:blk_file { read write open }; -allow aee_aedv para_block_device:blk_file rw_file_perms; -allow aee_aedv mrdump_device:blk_file rw_file_perms; -allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl { - FS_IOC_GETFLAGS - FS_IOC_SETFLAGS - F2FS_IOC_GET_PIN_FILE - F2FS_IOC_SET_PIN_FILE - FS_IOC_FIEMAP -}; - -# Purpose: allow vendor aee read lowmemorykiller logs -# file path: /sys/module/lowmemorykiller/parameters/ -allow aee_aedv sysfs_lowmemorykiller:dir search; -allow aee_aedv sysfs_lowmemorykiller:file r_file_perms; - -# Purpose: Allow aee read /sys/class/misc/scp/scp_dump -allow aee_aedv sysfs_scp:dir r_dir_perms; -allow aee_aedv sysfs_scp:file r_file_perms; - -# Purpose: Allow aee read /sys/class/misc/adsp/adsp_dump -allow aee_aedv sysfs_adsp:dir r_dir_perms; -allow aee_aedv sysfs_adsp:file 
r_file_perms; - -# Purpose: allow aee_aedv self to fsetid/sys_nice/chown/fowner/kill -allow aee_aedv self:capability { fsetid sys_nice chown fowner kill }; - -# Purpose: allow aee_aedv to read /proc/buddyinfo -allow aee_aedv proc_buddyinfo:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/cmdline -allow aee_aedv proc_cmdline:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/slabinfo -allow aee_aedv proc_slabinfo:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/stat -allow aee_aedv proc_stat:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/version -allow aee_aedv proc_version:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/vmallocinfo -allow aee_aedv proc_vmallocinfo:file r_file_perms; - -# Purpose: allow aee_aedv to read /proc/vmstat -allow aee_aedv proc_vmstat:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/cpu/alignment -allow aee_aedv proc_cpu_alignment:file w_file_perms; - -# Purpose: Allow aee_aedv to read /proc/gpulog -allow aee_aedv proc_gpulog:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/chip/hw_ver -allow aee_aedv proc_chip:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/sched_debug -allow aee_aedv proc_sched_debug:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/atf_log -allow aee_aedv proc_atf_log:dir search; - -# Purpose: Allow aee_aedv to read /proc/last_kmsg -allow aee_aedv proc_last_kmsg:file r_file_perms; - -# Purpose: Allow aee_aedv to access /sys/devices/virtual/timed_output/vibrator/enable -allow aee_aedv sysfs_vibrator_setting:dir search; -allow aee_aedv sysfs_vibrator_setting:file w_file_perms; -allow aee_aedv sysfs_vibrator:dir search; - -# Purpose: Allow aee_aedv to read /sys/kernel/debug/rcu/rcu_callback_log -allow aee_aedv debugfs_rcu:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/ufs_debug -allow aee_aedv proc_ufs_debug:file rw_file_perms; - -# Purpose: Allow aee_aedv to read /proc/msdc_debug -allow 
aee_aedv proc_msdc_debug:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/pidmap -allow aee_aedv proc_pidmap:file r_file_perms; - -# Purpose: Allow aee_aedv to read /sys/power/vcorefs/vcore_debug -allow aee_aedv sysfs_vcore_debug:file r_file_perms; - -# Purpose: Allow aee_aedv to read /sys/devices/virtual/BOOT/BOOT/boot/boot_mode -allow aee_aedv sysfs_boot_mode:file r_file_perms; - -#Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb -userdebug_or_eng(` -allow aee_aedv debugfs_tracing_debug:file { rw_file_perms }; -') - -#Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace -allow aee_aedv proc_slabtrace:file r_file_perms; - -#Purpose: Allow aee_aedv to read /proc/mtk_cmdq_debug/status -allow aee_aedv proc_cmdq_debug:file r_file_perms; - -# temp solution -get_prop(aee_aedv, vendor_default_prop) - -#data/dipdebug -allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms; -allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms; -allow aee_aedv proc_isp_p2:dir r_dir_perms; -allow aee_aedv proc_isp_p2:file r_file_perms; - -allow aee_aedv connsyslog_data_vendor_file:file r_file_perms; -allow aee_aedv connsyslog_data_vendor_file:dir r_dir_perms; - -# Purpose: Allow aee_aedv to read the /proc/*/exe of vendor process -allow aee_aedv vendor_file_type:file r_file_perms; - -# Purpose: Allow aee_aedv to read /sys/kernel/debug/smi_mon -allow aee_aedv debugfs_smi_mon:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/isp_p2/isp_p2_kedump -allow aee_aedv proc_isp_p2_kedump:file r_file_perms; - -# Purpose: Allow aee_aedv to read /sys/kernel/debug/vpu/vpu_memory -allow aee_aedv debugfs_vpu_memory:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/cpuhvfs/dbg_repo -allow aee_aedv proc_dbg_repo:file r_file_perms; - -# Purpose: Allow aee_aedv to read /proc/pl_lk -allow aee_aedv proc_pl_lk:file r_file_perms; 
diff --git a/r_non_plat/aee_core_forwarder.te b/r_non_plat/aee_core_forwarder.te
deleted file mode 100644
index 43e97fe..0000000
--- a/r_non_plat/aee_core_forwarder.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/aee_core_forwarder Executable File
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-allow aee_core_forwarder aee_exp_data_file:dir { write add_name search };
-allow aee_core_forwarder aee_exp_data_file:file { write create open getattr };
-get_prop(aee_core_forwarder, hwservicemanager_prop)
-
-# Date: 2019/06/14
-# Operation : Migration
-# Purpose : interface=android.system.suspend::ISystemSuspend for aee_core_forwarder
-wakelock_use(aee_core_forwarder)
-allow aee_core_forwarder aee_aed:unix_stream_socket connectto;
-allow aee_core_forwarder aee_core_data_file:dir r_dir_perms;
-hwbinder_use(aee_core_forwarder)
diff --git a/r_non_plat/aee_hidl.te b/r_non_plat/aee_hidl.te
deleted file mode 100644
index 347cbdc..0000000
--- a/r_non_plat/aee_hidl.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# ==============================================
-# Type Declaration
-# ==============================================
-type aee_hal,domain;
-type aee_hal_exec, exec_type, file_type, vendor_file_type;
-typeattribute aee_hal mlstrustedsubject;
-# Purpose : for create hidl server
-hal_server_domain(aee_hal, mtk_hal_log)
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(aee_hal)
-
-set_prop(aee_hal, persist_mtk_aeev_prop);
-set_prop(aee_hal, persist_aeev_prop);
-set_prop(aee_hal, debug_mtk_aeev_prop);
-
diff --git a/r_non_plat/app.te b/r_non_plat/app.te
deleted file mode 100644
index 455cafb..0000000
--- a/r_non_plat/app.te
+++ /dev/null
@@ -1,50 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -allow appdomain proc_ged:file rw_file_perms; -allowxperm appdomain proc_ged:file ioctl { proc_ged_ioctls }; - -# Date : W16.42 -# Operation : Integration -# Purpose : DRM / DRI GPU driver required -allow appdomain gpu_device:dir search; - -# Date : W17.30 -# Purpose : Allow MDP user access cmdq driver -allow appdomain mtk_cmdq_device:chr_file {open read ioctl}; - -# Date : W17.41 -# Operation: SQC -# Purpose : Allow HWUI to access perfmgr -allow appdomain proc_perfmgr:dir search; -allow appdomain proc_perfmgr:file { getattr open read ioctl}; -allowxperm appdomain proc_perfmgr:file ioctl { - PERFMGR_FPSGO_QUEUE - PERFMGR_FPSGO_DEQUEUE - PERFMGR_FPSGO_QUEUE_CONNECT - PERFMGR_FPSGO_BQID -}; - -# Date : W19.4 -# Purpose : Allow MDP user access mdp driver -allow appdomain mdp_device:chr_file rw_file_perms; -allow appdomain mtk_mdp_device:chr_file rw_file_perms; -allow appdomain sw_sync_device:chr_file rw_file_perms; - -# Date : W19.23 -# Operation : Migration -# Purpose : For platform app com.android.gallery3d -allow { appdomain -isolated_app } radio_data_file:file rw_file_perms; - -# Date : W19.23 -# Operation : Migration -# Purpose : For app com.tencent.qqpimsecure -allowxperm appdomain appdomain:fifo_file ioctl SNDCTL_TMR_START; - -# Date: 2019/06/17 -# Operation : Migration -# Purpose : appdomain need get mtk_amslog_prop -get_prop(appdomain, mtk_amslog_prop) diff --git a/r_non_plat/appdomain.te b/r_non_plat/appdomain.te deleted file mode 100644 index 3311b98..0000000 --- a/r_non_plat/appdomain.te +++ /dev/null @@ -1,8 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -# Data : WK16.42 -# Operator: Whitney bring up -# Purpose: call surfaceflinger due to powervr -allow appdomain surfaceflinger:fifo_file rw_file_perms; 
diff --git a/r_non_plat/atci_service.te b/r_non_plat/atci_service.te
deleted file mode 100644
index c3a4c81..0000000
--- a/r_non_plat/atci_service.te
+++ /dev/null
@@ -1,145 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/atci_service Executable File -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== -type atci_service, domain; -type atci_service_exec, exec_type, file_type, vendor_file_type; - -init_daemon_domain(atci_service) - -allow atci_service block_device:dir search; -allow atci_service misc2_block_device:blk_file { open read write }; -allow atci_service misc2_device:chr_file { open read write }; -allow atci_service camera_isp_device:chr_file { read write ioctl open }; -allow atci_service graphics_device:chr_file { read write ioctl open }; -allow atci_service graphics_device:dir search; -allow atci_service kd_camera_hw_device:chr_file { read write ioctl open }; -allow atci_service self:capability { sys_nice ipc_lock }; -allow atci_service nvram_device:chr_file { read write open ioctl }; -allow atci_service camera_isp_device:chr_file { read write ioctl open }; -allow atci_service camera_sysram_device:chr_file { read ioctl open }; -allow atci_service camera_tsf_device:chr_file rw_file_perms; -allow atci_service camera_rsc_device:chr_file rw_file_perms; -allow atci_service camera_gepf_device:chr_file rw_file_perms; -allow atci_service camera_fdvt_device:chr_file rw_file_perms; -allow atci_service camera_wpe_device:chr_file rw_file_perms; -allow atci_service camera_owe_device:chr_file rw_file_perms; -allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open }; -allow atci_service ccu_device:chr_file { read write ioctl open }; -allow atci_service vpu_device:chr_file { read write ioctl open }; -allow atci_service MTK_SMI_device:chr_file { open read write ioctl }; -#allow atci_service system_server:binder call; -#allow atci_service system_data_file:dir { write remove_name add_name }; -allow atci_service DW9714AF_device:chr_file { read write ioctl 
open }; -allow atci_service devmap_device:chr_file { open read write ioctl }; -allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr }; -allow atci_service sdcard_type:file { setattr read create write getattr unlink open append }; -allow atci_service mediaserver:binder call; -#allow atci_service sysfs:file write; -#allow atci_service system_server:unix_stream_socket { read write }; -allow atci_service self:capability sys_boot; - -# Date : 2015/09/17 -# Operation : M-Migration -# Purpose : to operation CCT tool -allow atci_service nvram_device:blk_file { open read write }; -allow atci_service input_device:dir { open read search }; -allow atci_service input_device:file { open read write ioctl }; -allow atci_service input_device:chr_file { open read write ioctl }; -allow atci_service MAINAF_device:chr_file { open read write ioctl }; -allow atci_service MAIN2AF_device:chr_file { open read write ioctl }; -allow atci_service SUBAF_device:chr_file { open read write ioctl }; -allow atci_service tmpfs:lnk_file read; -allow atci_service self:capability2 block_suspend; - -# Date : 2015/10/13 -# Operation : M-Migration -# Purpose : to operation CCT tool -#allow atci_service mediaserver_service:service_manager find; -allow atci_service mnt_user_file:dir search; -allow atci_service mnt_user_file:lnk_file read; -#allow atci_service mtk_perf_service:service_manager find; -#allow atci_service sensorservice_service:service_manager find; -allow atci_service storage_file:lnk_file read; -#allow atci_service media_rw_data_file:dir { write search create add_name }; -#allow atci_service media_rw_data_file:file { read write create open }; - -#============= atci_service ============== -allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open}; - -set_prop(atci_service, mtk_em_prop) - -# Date : 2016/03/02 -# Operation : M-Migration -# Purpose : to support ATCI touch tool -allow atci_service vendor_shell_exec:file { read execute 
open execute_no_trans }; - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -allow atci_service proc_ged:file rw_file_perms; - -# Date : WK16.35 -# Operation : Migration -# Purpose : Update camera flashlight driver device file -allow atci_service flashlight_device:chr_file { read write ioctl open }; - -# Date : WK17.01 -# Operation : Migration -# Purpose : Update AT_Command NFC function -allow atci_service factory_data_file:sock_file write; - -# Date : WK17.23 -# Stage: O Migration, SQC -# Purpose: Allow to use HAL PQ -hal_client_domain(atci_service, hal_pq) - -# Date : WK17.28 -# Purpose : Allow to execute battery command -allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms; - -# Date : WK17.43 -# Purpose : CCT -allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms; -allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms; -allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms; -allow atci_service fwk_sensor_hwservice:hwservice_manager find; -allow atci_service hidl_allocator_hwservice:hwservice_manager find; -allow atci_service hidl_memory_hwservice:hwservice_manager find; -allow atci_service ion_device:chr_file { read ioctl open }; -allow atci_service mtk_cmdq_device:chr_file { read ioctl open }; -allow atci_service mtk_mdp_device:chr_file rw_file_perms; -allow atci_service sw_sync_device:chr_file rw_file_perms; -allow atci_service mtk_hal_power:binder call; -allow atci_service mtk_hal_power_hwservice:hwservice_manager find; -allow atci_service sysfs_batteryinfo:dir search; -allow atci_service sysfs_batteryinfo:file { read getattr open }; -#allow atci_service system_data_file:lnk_file read; -allow atci_service system_file:dir { read open }; -allow atci_service camera_pipemgr_device:chr_file { read ioctl open }; -#allow atci_service media_rw_data_file:dir { read getattr open }; -#allow atci_service media_rw_data_file:file { getattr setattr }; -allow atci_service mtkcam_prop:file { read getattr open 
}; -#allow atci_service hal_camera_hwservice:hwservice_manager find; -allow atci_service mtk_hal_camera:binder call; -allow atci_service debugfs_ion:dir search; -allow atci_service sysfs_tpd_setting:file { read write open getattr }; -allow atci_service sysfs_vibrator_setting:file { read write open getattr }; -allow atci_service sysfs_leds_setting:file { read write open getattr }; -allow atci_service proc:file getattr; -allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans }; - -# Date : WK18.21 -# Purpose: Allow to use HIDL -hwbinder_use(atci_service) -hal_client_domain(atci_service, hal_atci) - -# Date : WK18.26 -# Purpose: Allow gps socket sendto -allow atci_service mnld:unix_dgram_socket sendto; - -# Date : WK18.35 -# Purpose : allow CCT to allocate memory -hal_client_domain(atci_service, hal_allocator); diff --git a/r_non_plat/atcid.te b/r_non_plat/atcid.te deleted file mode 100644 index 9ce98d2..0000000 --- a/r_non_plat/atcid.te +++ /dev/null 
@@ -1,74 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/atcid Executable File
-# ==============================================
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-type atcid, domain;
-type atcid_exec, exec_type, file_type, vendor_file_type;
-
-init_daemon_domain(atcid)
-set_prop(atcid,persist_service_atci_prop)
-allow atcid block_device:dir search;
-allow atcid socket_device:sock_file write;
-allow atcid gsmrild_socket:sock_file write;
-
-# Date : WK17.21
-# Purpose: Allow to use HIDL
-hwbinder_use(atcid)
-hal_client_domain(atcid, hal_telephony)
-
-allow atcid ttyGS_device:chr_file { read write ioctl open };
-allow atcid wmtWifi_device:chr_file { write open };
-allow atcid misc2_block_device:blk_file { read write open };
-allow atci_service gpu_device:chr_file { read write open ioctl getattr };
-allow atcid self:capability sys_time;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow atcid proc_ged:file rw_file_perms;
-
-# Date : WK17.23
-# Stage: O Migration, SQC
-# Purpose: Allow to use HAL PQ
-hal_client_domain(atcid, hal_pq)
-
-# Date : WK17.34
-# Purpose: Allow to access meta_tst
-allow atcid meta_tst:unix_stream_socket connectto;
-
-# Date : WK18.15
-# Purpose: Allow to access power_supply in sysfs
-allow atcid sysfs_batteryinfo:file { read open };
-
-# Date : WK18.16
-# Operation: P migration
-# Purpose: Allow atcid to get tel_switch_prop
-get_prop(atcid, tel_switch_prop)
-
-# Date : WK18.21
-# Purpose: Allow to use HIDL
-hwbinder_use(atcid);
-vndbinder_use(atcid);
-hal_server_domain(atcid, hal_atci)
-add_hwservice(hal_atci_server,hal_atci_hwservice)
-
-# Date : WK18.21
-# Purpose: For special command for customer
-set_prop(atcid, mtk_atci_prop);
-set_prop(atcid, powerctl_prop);
-allow atcid mnt_vendor_file:dir search;
-allow atcid nvdata_file:dir { open read write search add_name };
-allow atcid nvdata_file:file { open read write create getattr setattr };
-allow atcid nvram_device:blk_file { open read write };
-allow atcid proc_meminfo:file { open read };
-allow atcid sysfs_batteryinfo:dir search;
-allow atcid sysfs_mmcblk:dir search;
-allow atcid sysfs_mmcblk:file { read open };
-
-# Date : WK18.35
-# Purpose: Add socket for TelephonyWare ATCI
-unix_socket_connect(atcid, rild_atci, rild);
-unix_socket_connect(atcid, rilproxy_atci, rild);
-unix_socket_connect(atcid, atci_service, atci_service);
diff --git a/r_non_plat/attributes b/r_non_plat/attributes
deleted file mode 100644
index e00aa73..0000000
--- a/r_non_plat/attributes
+++ /dev/null
@@ -1,90 +0,0 @@
-# ==============================================
-# MTK Attribute declarations
-# ==============================================
-
-# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
-attribute mtk_core_property_type;
-
-# Date: 2017/06/12
-# LBS HIDL
-#attribute mtk_hal_lbs;
-#attribute mtk_hal_lbs_client;
-#attribute mtk_hal_lbs_server;
-
-# Date: 2017/06/27
-# IMSA HIDL
-attribute hal_imsa;
-attribute hal_imsa_client;
-attribute hal_imsa_server;
-
-# attribute that represents all MTK IMS types. It should be used by AP side module only.
-attribute mtkimsapdomain;
-#
-# # attribute that represents all MTK IMS types. It should be used by MD side module only.
-attribute mtkimsmddomain;
-
-# Date: 2017/07/19
-# PQ HIDL
-attribute hal_pq;
-attribute hal_pq_client;
-attribute hal_pq_server;
-
-# Date: 2017/07/28
-# KEY ATTESTATION HIDL
-attribute mtk_hal_keyattestation;
-attribute mtk_hal_keyattestation_client;
-attribute mtk_hal_keyattestation_server;
-# Date: 2017/07/13
-# NVRAM AGENT HIDL
-attribute hal_nvramagent;
-attribute hal_nvramagent_client;
-attribute hal_nvramagent_server;
-
-# Date: 2018/05/25
-# FM HIDL
-attribute mtk_hal_fm;
-attribute mtk_hal_fm_client;
-attribute mtk_hal_fm_server;
-
-# Date: 2018/03/23
-# log hidl
-attribute mtk_hal_log;
-attribute mtk_hal_log_client;
-attribute mtk_hal_log_server;
-
-# Date: 2018/06/26
-# em hidl
-attribute mtk_hal_em;
-attribute mtk_hal_em_client;
-attribute mtk_hal_em_server;
-
-# Date: 2018/07/02
-# MDP HIDL
-attribute hal_mms;
-attribute hal_mms_client;
-attribute hal_mms_server;
-
-attribute hal_mtkcodecservice_server;
-attribute hal_mtkcodecservice;
-
-attribute hal_atci;
-attribute hal_atci_client;
-attribute hal_atci_server;
-
-# Date: 2019/06/12
-# modem db filter hidl
-attribute mtk_hal_md_dbfilter_server;
-
-# Date: 2019/07/16
-# HDMI HIDL
-attribute hal_hdmi;
-attribute hal_hdmi_client;
-attribute hal_hdmi_server;
-
-# Date: 2019/09/06
-# BGService HIDL
-attribute mtk_hal_bgs;
-attribute mtk_hal_bgs_client;
-attribute mtk_hal_bgs_server;
-
-
diff --git a/r_non_plat/audiocmdservice_atci.te b/r_non_plat/audiocmdservice_atci.te
deleted file mode 100644
index 7be9753..0000000
--- a/r_non_plat/audiocmdservice_atci.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/audiocmdservice_atci Executable File
-type audiocmdservice_atci ,domain;
-type audiocmdservice_atci_exec, exec_type, file_type, vendor_file_type;
-
-init_daemon_domain(audiocmdservice_atci)
-
-unix_socket_connect(atcid, atci-audio, audiocmdservice_atci);
-allow audiocmdservice_atci self:unix_stream_socket { create_socket_perms read write };
-
-# Access to storages for audio tuning tool to read/write tuning result
-allow audiocmdservice_atci { block_device device }:dir { write search };
-allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
-allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
-allow audiocmdservice_atci bootdevice_block_device:blk_file { read write };
-
-
-# can route /dev/binder traffic to /dev/vndbinder
-vndbinder_use(audiocmdservice_atci)
-binder_call(audiocmdservice_atci,mtk_hal_audio);
-
-#Android O porting
-hwbinder_use(audiocmdservice_atci)
-get_prop(audiocmdservice_atci, hwservicemanager_prop);
-#allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
-
-hal_client_domain(audiocmdservice_atci, hal_audio)
-
-#To access the file at /dev/kmsg
-allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
-
-userdebug_or_eng(`
- allow audiocmdservice_atci self:capability { sys_nice fowner chown fsetid setuid ipc_lock net_admin};
-')
diff --git a/r_non_plat/audioserver.te b/r_non_plat/audioserver.te
deleted file mode 100644
index e4451c8..0000000
--- a/r_non_plat/audioserver.te
+++ /dev/null
@@ -1,57 +0,0 @@
-# ==============================================
-# MTK Policy Rule for vendor
-# ==============================================
-
-# Date: WK14.44
-# Operation : Migration
-# Purpose : EVDO
-allow audioserver rpc_socket:sock_file write;
-allow audioserver ttySDIO_device:chr_file rw_file_perms;
-
-# Data: WK14.44
-# Operation : Migration
-# Purpose : for low SD card latency issue
-allow audioserver sysfs_lowmemorykiller:file { read open };
-
-# Data: WK14.45
-# Operation : Migration
-# Purpose : for change thermal policy when needed
-allow audioserver proc_mtkcooler:dir search;
-allow audioserver proc_mtktz:dir search;
-allow audioserver proc_thermal:dir search;
-
-# Date : WK15.03
-# Operation : Migration
-# Purpose : offloadservice
-allow audioserver offloadservice_device:chr_file rw_file_perms;
-
-# Date : WK16.17
-# Operation : Migration
-# Purpose: read/open sysfs node
-allow audioserver sysfs_ccci:file r_file_perms;
-
-# Date : WK16.18
-# Operation : Migration
-# Purpose: research root dir "/"
-allow audioserver tmpfs:dir search;
-
-# Date : WK16.18
-# Operation : Migration
-# Purpose: access sysfs node
-allow audioserver sysfs_ccci:dir search;
-
-# Purpose: Dump debug info
-allow audioserver debugfs_binder:dir search;
-allow audioserver fuse:file write;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow audioserver proc_ged:file rw_file_perms;
-
-# Date : WK16.48
-# Purpose: Allow to trigger AEE dump
-allow audioserver aee_aed:unix_stream_socket connectto;
-
-# Date: 2019/06/14
-# Operation : Migration
-get_prop(audioserver, vendor_default_prop)
diff --git a/r_non_plat/biosensord_nvram.te b/r_non_plat/biosensord_nvram.te
deleted file mode 100644
index dc1b19f..0000000
--- a/r_non_plat/biosensord_nvram.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/biosensord_nvram Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type biosensord_nvram ,domain;
-type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
-type biosensord_nvram_file, file_type, data_file_type;
-
-# ==============================================
-# Android Policy Rule
-# ==============================================
-
-# ==============================================
-# NSA Policy Rule
-# ==============================================
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-init_daemon_domain(biosensord_nvram)
-
-# Data : WK16.21
-# Operation : New Feature
-# Purpose : For biosensor daemon can do nvram r/w to save calibration data
-allow biosensord_nvram nvdata_file:dir rw_dir_perms;
-allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
-allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
-allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
-allow biosensord_nvram self:capability { chown fsetid };
-allow biosensord_nvram system_data_file:lnk_file read;
diff --git a/r_non_plat/bluetooth.te b/r_non_plat/bluetooth.te
deleted file mode 100644
index ec4d725..0000000
--- a/r_non_plat/bluetooth.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date:W17.07
-# Operation : bt hal developing
-# Purpose : bt hal interface permission
-binder_call(bluetooth, mtk_hal_bluetooth)
-
-allow bluetooth storage_stub_file:dir getattr;
-
-# Date: 2018/01/17
-#allow bluetooth to set property
-set_prop(bluetooth, vendor_bluetooth_prop)
-set_prop(bluetooth, debug_prop)
-
-# Date: 2018/02/02
-# Major permission allow are in /system/sepoplicy/private/bluetooth.te
-# Add dir create perms for bluetooth on /data/misc/bluetooth/logs
-allow bluetooth bluetooth_logs_data_file:dir { create_dir_perms relabelto };
-allow bluetooth bluetooth_logs_data_file:fifo_file { create_file_perms };
-
-# Date: 2019/06/14
-# Operation : Migration
-get_prop(bluetooth, mtk_amslog_prop)
diff --git a/r_non_plat/boot_logo_updater.te b/r_non_plat/boot_logo_updater.te
deleted file mode 100644
index bebd392..0000000
--- a/r_non_plat/boot_logo_updater.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# ==============================================
-# Policy File of /system/binboot_logo_updater Executable File
-# ==============================================
-# Type Declaration
-# ==============================================
-
-# Date : WK14.43
-# Operation : Migration
-# Purpose : To access file directories and files like logo.bin
-allow boot_logo_updater logo_block_device:blk_file r_file_perms;
-# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
-allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
-
-#To access file at /dev/logo
-allow boot_logo_updater logo_device:chr_file r_file_perms;
-# To access file at /proc/lk_env
-allow boot_logo_updater proc_lk_env:file rw_file_perms;
-
-# Date : WK16.25
-# Operation : Global_Device/Uniservice Feature
-# Purpose : for it to read-write SysEnv data
-allow boot_logo_updater para_block_device:blk_file rw_file_perms;
diff --git a/r_non_plat/bootanim.te b/r_non_plat/bootanim.te
deleted file mode 100644
index 4f0bc35..0000000
--- a/r_non_plat/bootanim.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date : WK14.37
-# Operation : Migration
-# Purpose : for opetator
-allow bootanim bootani_prop:property_service set;
-
-# Date : WK14.46
-# Operation : Migration
-# Purpose : For MTK Emulator HW GPU
-allow bootanim qemu_pipe_device:chr_file rw_file_perms;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow bootanim proc_ged:file rw_file_perms;
-
-# Date : WK17.43
-# Operation : Migration
-# Purpose : For MTK perfmgr
-allow bootanim proc_perfmgr:dir r_dir_perms;
-allow bootanim proc_perfmgr:file r_file_perms;
-
-# Date : WK19.11
-# Operation : Migration
-# Purpose : Allow to access ged for ioctl related functions
-allowxperm bootanim proc_ged:file ioctl { proc_ged_ioctls };
-allowxperm bootanim proc_perfmgr:file ioctl {
- PERFMGR_FPSGO_QUEUE
- PERFMGR_FPSGO_DEQUEUE
- PERFMGR_FPSGO_QUEUE_CONNECT
- PERFMGR_FPSGO_BQID
-};
diff --git a/r_non_plat/cameraserver.te b/r_non_plat/cameraserver.te
deleted file mode 100644
index e2e04d6..0000000
--- a/r_non_plat/cameraserver.te
+++ /dev/null
@@ -1,365 +0,0 @@ -# ============================================================================== -# Policy File of /system/bin/cameraserver Executable File - -# ============================================== -# MTK Policy Rule -# ============================================== - -# ----------------------------------- -# Android O -# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks. -# ----------------------------------- - -# call camerahalserver -binder_call(cameraserver, mtk_hal_camera) - -# call the graphics allocator hal -binder_call(cameraserver, hal_graphics_allocator) - -# ----------------------------------- -# Android O -# Purpose: Debugging -# ----------------------------------- -# Purpose: adb shell dumpsys media.camera --unreachable -allow cameraserver self:process { ptrace }; - -# ----------------------------------- -# Purpose: property access -# ----------------------------------- -allow cameraserver mtkcam_prop:file { open read getattr }; - -# Date : WK14.31 -# Operation : Migration -# Purpose : camera devices access. 
-# allow cameraserver camera_isp_device:chr_file rw_file_perms; -# allow cameraserver ccu_device:chr_file rw_file_perms; -# allow cameraserver vpu_device:chr_file rw_file_perms; -# allow cameraserver kd_camera_hw_device:chr_file rw_file_perms; -# allow cameraserver seninf_device:chr_file rw_file_perms; -# allow cameraserver self:capability { setuid ipc_lock sys_nice }; -# allow cameraserver sysfs_wake_lock:file rw_file_perms; -# allow cameraserver MTK_SMI_device:chr_file r_file_perms; -# allow cameraserver camera_pipemgr_device:chr_file r_file_perms; -# allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; -# allow cameraserver lens_device:chr_file rw_file_perms; -# allow cameraserver nvdata_file:lnk_file read; -# allow cameraserver proc_meminfo:file { read getattr open }; - -# Date : WK14.34 -# Operation : Migration -# Purpose : nvram access (dumchar case for nand and legacy chip) -# allow cameraserver nvram_device:chr_file rw_file_perms; -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -# #allow cameraserver self:netlink_kobject_uevent_socket { create setopt bind }; -# allow cameraserver self:capability { net_admin }; - -# Date : WK14.34 -# Operation : Migration -# Purpose : VP/VR -# allow cameraserver devmap_device:chr_file { ioctl }; - -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te -# #allow cameraserver self:netlink_kobject_uevent_socket read; -# allow cameraserver system_data_file:file open; - -# Date : WK14.36 -# Operation : Migration -# Purpose : media server and bt process communication for A2DP data.and other control flow -# allow cameraserver bluetooth:unix_dgram_socket sendto; -# allow cameraserver bt_a2dp_stream_socket:sock_file write; -# allow cameraserver bt_int_adp_socket:sock_file write; - -# Date : WK14.37 -# Operation : Migration -# Purpose : camera ioctl -# allow cameraserver camera_sysram_device:chr_file 
r_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : VDEC/VENC device node -# allow cameraserver Vcodec_device:chr_file rw_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : access nvram, otp, ccci cdoec devices. -# allow cameraserver MtkCodecService:binder call; -# allow cameraserver ccci_device:chr_file rw_file_perms; -# allow cameraserver eemcs_device:chr_file rw_file_perms; -# allow cameraserver devmap_device:chr_file r_file_perms; -# allow cameraserver ebc_device:chr_file rw_file_perms; -# allow cameraserver nvram_device:blk_file rw_file_perms; -# allow cameraserver bootdevice_block_device:blk_file rw_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : for SW codec VP/VR -# allow cameraserver mtk_sched_device:chr_file rw_file_perms; - -# Date : WK14.38 -# Operation : Migration -# Purpose : NVRam access -# allow cameraserver block_device:dir { write search }; - -# Date : WK14.38 -# Operation : Migration -# Purpose : FM driver access -# allow cameraserver fm_device:chr_file rw_file_perms; - -# Data : WK14.38 -# Operation : Migration -# Purpose : for VP/VR -# allow cameraserver block_device:dir search; -# allow cameraserver FM50AF_device:chr_file rw_file_perms; -# allow cameraserver AD5820AF_device:chr_file rw_file_perms; -# allow cameraserver DW9714AF_device:chr_file rw_file_perms; -# allow cameraserver DW9814AF_device:chr_file rw_file_perms; -# allow cameraserver AK7345AF_device:chr_file rw_file_perms; -# allow cameraserver DW9714A_device:chr_file rw_file_perms; -# allow cameraserver LC898122AF_device:chr_file rw_file_perms; -# allow cameraserver LC898212AF_device:chr_file rw_file_perms; -# allow cameraserver BU6429AF_device:chr_file rw_file_perms; -# allow cameraserver DW9718AF_device:chr_file rw_file_perms; -# allow cameraserver BU64745GWZAF_device:chr_file rw_file_perms; -# allow cameraserver MAINAF_device:chr_file rw_file_perms; -# allow cameraserver MAIN2AF_device:chr_file rw_file_perms; -# allow 
cameraserver SUBAF_device:chr_file rw_file_perms; - -# Data : WK14.38 -# Operation : Migration -# Purpose : for boot animation. -# allow cameraserver bootanim:binder { transfer call }; - -# allow cameraserver mtkbootanimation:binder { transfer call }; -# Data : WK14.38 -# Operation : Migration -# Purpose : dump for debug -# allow cameraserver sdcard_type:file append; - -# Date : WK14.39 -# Operation : Migration -# Purpose : FDVT Driver -# allow cameraserver camera_fdvt_device:chr_file rw_file_perms; - -# Date : WK14.39 -# Operation : Migration -# Purpose : APE PLAYBACK -# binder_call(cameraserver, MtkCodecService) - -# Data : WK14.39 -# Operation : Migration -# Purpose : HW encrypt SW codec -# allow cameraserver sec_device:chr_file r_file_perms; - -# Date : WK14.40 -# Operation : Migration -# Purpose : HDMI driver access -allow cameraserver graphics_device:chr_file rw_file_perms; - -# Date : WK14.40 -# Operation : Migration -# Purpose : Smartpa -# allow cameraserver smartpa_device:chr_file rw_file_perms; - -# Date : WK14.40 -# Operation : Migration -# Purpose : mtk_jpeg -# allow cameraserver mtk_jpeg_device:chr_file r_file_perms; - -# Date : WK14.41 -# Operation : Migration -# Purpose : WFD HID Driver -# allow cameraserver uhid_device:chr_file rw_file_perms; - -# Date : WK14.41 -# Operation : Migration -# Purpose : Camera EEPROM Calibration -# allow cameraserver CAM_CAL_DRV_device:chr_file rw_file_perms; -# allow cameraserver CAM_CAL_DRV1_device:chr_file rw_file_perms; -# allow cameraserver CAM_CAL_DRV2_device:chr_file rw_file_perms; - -# Date : WK14.43 -# Operation : Migration -# Purpose : VOW -# allow cameraserver vow_device:chr_file rw_file_perms; - -# Date: WK14.44 -# Operation : Migration -# Purpose : EVDO -# allow cameraserver rpc_socket:sock_file write; -# allow cameraserver ttySDIO_device:chr_file rw_file_perms; - -# Data: WK14.44 -# Operation : Migration -# Purpose : VP -# allow cameraserver surfaceflinger:file getattr; - -# Data: WK14.44 -# Operation : 
Migration -# Purpose : for low SD card latency issue -# allow cameraserver sysfs_lowmemorykiller:file { read open }; - -# Data: WK14.45 -# Operation : Migration -# Purpose : for change thermal policy when needed -# allow cameraserver proc_mtkcooler:dir search; -# allow cameraserver proc_mtktz:dir search; -# allow cameraserver proc_thermal:dir search; - -# Date : WK14.46 -# Operation : Migration -# Purpose : for MTK Emulator HW GPU -# allow cameraserver qemu_pipe_device:chr_file rw_file_perms; - -# Date : WK14.46 -# Operation : Migration -# Purpose : for camera init -# allow cameraserver system_server:unix_stream_socket { read write }; - -# Data : WK14.46 -# Operation : Migration -# Purpose : for SMS app -# allow cameraserver radio_data_file:dir search; -# allow cameraserver radio_data_file:file open; - -# Data : WK14.47 -# Operation : Launch camcorder from MMS -# Purpose : Camcorder -# allow cameraserver radio_data_file:file open; - -# Data : WK14.47 -# Operation : CTS -# Purpose : cts search strange app -# allow cameraserver untrusted_app:dir search; - -# Date : WK15.03 -# Operation : Migration -# Purpose : offloadservice -# allow cameraserver offloadservice_device:chr_file rw_file_perms; - -# Date : WK15.32 -# Operation : Pre-sanity -# Purpose : 3A algorithm need to access sensor service -# allow cameraserver sensorservice_service:service_manager find; - -# Date : WK15.34 -# Operation : Migration -# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -# allow cameraserver system_data_file:dir write; -# allow cameraserver storage_file:lnk_file {read write}; -# allow cameraserver mnt_user_file:dir {write read search}; -# allow cameraserver mnt_user_file:lnk_file {read write}; - -# Date : WK15.35 -# Operation : Migration -# Purpose: Allow cameraserver to read binder from surfaceflinger -# allow cameraserver surfaceflinger:fifo_file {read write}; - -# Date : WK15.46 -# Operation : Migration -# Purpose : DPE Driver -# allow cameraserver 
camera_dpe_device:chr_file rw_file_perms; - -# Date : WK15.46 -# Operation : Migration -# Purpose : TSF Driver -# allow cameraserver camera_tsf_device:chr_file rw_file_perms; - -# Date : WK16.20 -# Operation : Migration -# Purpose: research root dir "/" -allow cameraserver tmpfs:dir search; - -# Date : WK16.21 -# Operation : Migration -# Purpose : EGL file access -allow cameraserver system_file:dir { read open }; -allow cameraserver gpu_device:chr_file rw_file_perms; -allow cameraserver gpu_device:dir search; - -# Date : WK16.30 -# Operation : Migration -# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) -# allow cameraserver property_socket:sock_file write; -# allow cameraserver proc:file getattr; -# allow cameraserver shell_exec:file { execute read getattr open}; -# allow cameraserver init:unix_stream_socket connectto; - -# Date : WK16.32 -# Operation : Migration -# Purpose : RSC Driver -# allow cameraserver camera_rsc_device:chr_file rw_file_perms; - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -allow cameraserver proc_ged:file rw_file_perms; -allowxperm cameraserver proc_ged:file ioctl { proc_ged_ioctls }; - -# Date : WK16.33 -# Operation : Migration -# Purpose : GEPF Driver -# allow cameraserver camera_gepf_device:chr_file rw_file_perms; - -# Date : WK16.35 -# Operation : Migration -# Purpose : Update camera flashlight driver device file -# allow cameraserver flashlight_device:chr_file rw_file_perms; - -# Data : WK16.42 -# Operator: Whitney bring up -# Purpose: call surfaceflinger due to powervr -# allow cameraserver surfaceflinger:fifo_file rw_file_perms; - -# Date : WK16.43 -# Operation : Migration -# Purpose : WPE Driver -# allow cameraserver camera_wpe_device:chr_file rw_file_perms; - -# Date : WK16.49 -# Operation : label aee_aed sockets -# Purpose : Engineering mode need access for aee commmand -# userdebug_or_eng(` -# allow cameraserver aee_aed:unix_stream_socket connectto; -# ') - -# 
Purpose: Allow to access debugfs_ion dir. -allow cameraserver system_data_file:lnk_file read; - -# Date : WK17.19 -# Operation : Migration -# Purpose : OWE Driver -# allow cameraserver camera_owe_device:chr_file rw_file_perms; - -# Date : WK17.25 -# Operation : Migration -allow cameraserver debugfs_ion:dir search; - -# Date : WK17.30 -# Operation : O Migration -# Purpose: Allow to access cmdq driver -# allow cameraserver mtk_cmdq_device:chr_file { read ioctl open }; - -# Date : WK17.44 -# Operation : Migration -# Purpose : DIP Driver -# allow cameraserver camera_dip_device:chr_file rw_file_perms; - -# Date : WK17.44 -# Operation : Migration -# Purpose : MFB Driver -# allow cameraserver camera_mfb_device:chr_file rw_file_perms; - -# Date : WK17.49 -# Operation : MT6771 SQC -# Purpose: Allow permgr access -allow cameraserver proc_perfmgr:dir {read search}; -allow cameraserver proc_perfmgr:file r_file_perms; -allowxperm cameraserver proc_perfmgr:file ioctl { - PERFMGR_FPSGO_QUEUE - PERFMGR_FPSGO_DEQUEUE - PERFMGR_FPSGO_QUEUE_CONNECT - PERFMGR_FPSGO_BQID -}; - diff --git a/r_non_plat/ccci_fsd.te b/r_non_plat/ccci_fsd.te deleted file mode 100644 index 4f5e6a6..0000000 --- a/r_non_plat/ccci_fsd.te +++ /dev/null 
@@ -1,69 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/ccci_fsd Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
-type ccci_fsd, domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(ccci_fsd)
-
-wakelock_use(ccci_fsd)
-
-#============= ccci_fsd MD NVRAM==============
-allow ccci_fsd nvram_data_file:dir create_dir_perms;
-allow ccci_fsd nvram_data_file:file create_file_perms;
-allow ccci_fsd nvram_data_file:lnk_file read;
-allow ccci_fsd nvdata_file:lnk_file read;
-allow ccci_fsd nvdata_file:dir create_dir_perms;
-allow ccci_fsd nvdata_file:file create_file_perms;
-allow ccci_fsd nvram_device:chr_file rw_file_perms;
-allow ccci_fsd system_data_file:lnk_file read;
-allow ccci_fsd vendor_configs_file:file r_file_perms;
-allow ccci_fsd vendor_configs_file:dir r_dir_perms;
-
-#============= ccci_fsd device/path/data access==============
-allow ccci_fsd ccci_device:chr_file rw_file_perms;
-allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
-allow ccci_fsd ccci_cfg_file:file create_file_perms;
-#============= ccci_fsd MD Data==============
-allow ccci_fsd protect_f_data_file:dir create_dir_perms;
-allow ccci_fsd protect_f_data_file:file create_file_perms;
-
-allow ccci_fsd protect_s_data_file:dir create_dir_perms;
-allow ccci_fsd protect_s_data_file:file create_file_perms;
-#============= ccci_fsd MD3 related==============
-allow ccci_fsd c2k_file:dir create_dir_perms;
-allow ccci_fsd c2k_file:file create_file_perms;
-allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
-allow ccci_fsd otp_device:chr_file rw_file_perms;
-allow ccci_fsd sysfs:file r_file_perms;
-allow ccci_fsd sysfs_boot_type:file { read open };
-#============= ccci_fsd MD block data==============
-##restore>NVM_GetDeviceInfo>open /dev/block/platform/bootdevice/by-name/nvram
-allow ccci_fsd block_device:dir search;
-allow ccci_fsd nvram_device:blk_file rw_file_perms;
-allow ccci_fsd nvdata_device:blk_file rw_file_perms;
-#============= ccci_fsd cryption related ==============
-allow ccci_fsd rawfs:dir create_dir_perms;
-allow ccci_fsd rawfs:file create_file_perms;
-#============= ccci_fsd sysfs related ==============
-allow ccci_fsd sysfs_ccci:dir search;
-allow ccci_fsd sysfs_ccci:file r_file_perms;
-
-#============= ccci_fsd ==============
-allow ccci_fsd mnt_vendor_file:dir search;
-
-# Purpose: for fstab parser
-allow ccci_fsd kmsg_device:chr_file w_file_perms;
-allow ccci_fsd proc_lk_env:file rw_file_perms;
-
-#============= ccci_fsd MD Low Power Monitor Related ==============
-allow ccci_fsd ccci_data_md1_file:dir create_dir_perms;
-allow ccci_fsd ccci_data_md1_file:file create_file_perms;
-allow ccci_fsd sysfs_mmcblk:dir search;
-allow ccci_fsd sysfs_mmcblk:file { read getattr open };
diff --git a/r_non_plat/ccci_mdinit.te b/r_non_plat/ccci_mdinit.te
deleted file mode 100644
index 3245459..0000000
--- a/r_non_plat/ccci_mdinit.te
+++ /dev/null
@@ -1,109 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/ccci_mdinit Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
-type ccci_mdinit ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(ccci_mdinit)
-wakelock_use(ccci_mdinit)
-#=============allow ccci_mdinit to start gsm0710muxd==============
-set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
-#=============allow ccci_mdinit to start emcsmdlogger==============
-set_prop(ccci_mdinit, ctl_mdlogger_prop)
-#=============allow ccci_mdinit to start c2krild==============
-set_prop(ccci_mdinit, ctl_viarild_prop)
-#=============allow ccci_mdinit to start/stop rild, mdlogger==============
-set_prop(ccci_mdinit, ctl_mdlogger_prop)
-set_prop(ccci_mdinit, ctl_emdlogger1_prop)
-set_prop(ccci_mdinit, ctl_emdlogger2_prop)
-set_prop(ccci_mdinit, ctl_emdlogger3_prop)
-set_prop(ccci_mdinit, ctl_dualmdlogger_prop)
-set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
-set_prop(ccci_mdinit, ctl_gsm0710muxd-s_prop)
-set_prop(ccci_mdinit, ctl_gsm0710muxd-d_prop)
-set_prop(ccci_mdinit, ctl_rildaemon_prop)
-set_prop(ccci_mdinit, ctl_ril-daemon-mtk_prop)
-set_prop(ccci_mdinit, ctl_fusion_ril_mtk_prop)
-set_prop(ccci_mdinit, ctl_ril-daemon-s_prop)
-set_prop(ccci_mdinit, ctl_ril-daemon-d_prop)
-set_prop(ccci_mdinit, ctl_ril-proxy_prop)
-set_prop(ccci_mdinit, ril_active_md_prop)
-set_prop(ccci_mdinit, mtk_md_prop)
-#set_prop(ccci_mdinit, radio_prop)
-set_prop(ccci_mdinit, net_cdma_mdmstat)
-set_prop(ccci_mdinit, ctl_start_prop)
-#=============allow ccci_mdinit to get tel_switch_prop==============
-get_prop(ccci_mdinit, tel_switch_prop)
-
-#=============allow ccci_mdinit to start/stop fsd==============
-set_prop(ccci_mdinit, ctl_ccci_fsd_prop)
-set_prop(ccci_mdinit, ctl_ccci2_fsd_prop)
-set_prop(ccci_mdinit, ctl_ccci3_fsd_prop)
-
-get_prop(ccci_mdinit, vendor_default_prop)
-get_prop(ccci_mdinit, init_svc_emdlogger1_prop)
-get_prop(ccci_mdinit, init_svc_aee_aedv_prop)
-
-allow ccci_mdinit ccci_device:chr_file rw_file_perms;
-allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
-
-#=============allow ccci_mdinit to access MD NVRAM==============
-allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
-allow ccci_mdinit nvram_data_file:file create_file_perms;
-allow ccci_mdinit nvram_data_file:lnk_file read;
-allow ccci_mdinit nvdata_file:lnk_file read;
-allow ccci_mdinit nvdata_file:dir rw_dir_perms;
-allow ccci_mdinit nvdata_file:file create_file_perms;
-allow ccci_mdinit nvram_device:chr_file rw_file_perms;
-allow ccci_mdinit system_data_file:lnk_file read;
-
-#=============allow ccci_mdinit to access ccci config==============
-allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
-allow ccci_mdinit protect_f_data_file:file create_file_perms;
-#=============allow ccci_mdinit to property==============
-allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
-allow ccci_mdinit protect_s_data_file:file create_file_perms;
-allow ccci_mdinit nvram_device:blk_file rw_file_perms;
-allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
-
-set_prop(ccci_mdinit, ril_mux_report_case_prop)
-
-allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
-allow ccci_mdinit ccci_cfg_file:file create_file_perms;
-#===============security relate ==========================
-allow ccci_mdinit preloader_device:chr_file rw_file_perms;
-allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
-allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
-
-allow ccci_mdinit custom_file:dir r_dir_perms;
-allow ccci_mdinit custom_file:file r_file_perms;
-
-# Purpose : for nand partition access
-allow ccci_mdinit mtd_device:dir search;
-allow ccci_mdinit mtd_device:chr_file rw_file_perms;
-allow ccci_mdinit devmap_device:chr_file r_file_perms;
-# Purpose : for device bring up, not to block early migration/sanity
-allow ccci_mdinit proc_lk_env:file rw_file_perms;
-allow ccci_mdinit para_block_device:blk_file rw_file_perms;
-#============= ccci_mdinit sysfs related ==============
-allow ccci_mdinit sysfs_ccci:dir search;
-allow ccci_mdinit sysfs_ccci:file rw_file_perms;
-allow ccci_mdinit sysfs_ssw:dir search;
-allow ccci_mdinit sysfs_ssw:file r_file_perms;
-allow ccci_mdinit sysfs:file r_file_perms;
-allow ccci_mdinit sysfs_boot_mode:file { read open };
-
-# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
-allow ccci_mdinit proc_bootprof:file rw_file_perms;
-
-# Date : WK18.21
-# Operation: P migration
-# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
-allow ccci_mdinit mnt_vendor_file:dir search;
-
diff --git a/r_non_plat/cmddumper.te b/r_non_plat/cmddumper.te
deleted file mode 100644
index d1ee1f6..0000000
--- a/r_non_plat/cmddumper.te
+++ /dev/null
@@ -1,31 +0,0 @@
-#cmddumper access external modem ttySDIO2
-allow cmddumper ttySDIO_device:chr_file { read write ioctl open };
-
-# for modem logging sdcard access
-allow cmddumper sdcard_type:dir create_dir_perms;
-allow cmddumper sdcard_type:file create_file_perms;
-
-# cmddumper access on /data/mdlog
-allow cmddumper mdlog_data_file:fifo_file create_file_perms;
-allow cmddumper mdlog_data_file:file create_file_perms;
-allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
-
-#allow emdlogger to set property
-allow cmddumper debug_mdlogger_prop:property_service set;
-allow cmddumper debug_prop:property_service set;
-
-# purpose: allow cmddumper to access storage in N version
-allow cmddumper media_rw_data_file:file { create_file_perms };
-allow cmddumper media_rw_data_file:dir { create_dir_perms };
-
-# purpose: access plat_file_contexts
-allow cmddumper file_contexts_file:file { read getattr open };
-
-# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
-allow cmddumper sysfs_boot_mode:file { read open };
-
-# Android P migration
-set_prop(cmddumper, persist_mtklog_prop)
-set_prop(cmddumper, vendor_mdl_prop)
-allow cmddumper tmpfs:lnk_file read;
-allow cmddumper vmodem_device:chr_file { read write ioctl open };
\ No newline at end of file
diff --git a/r_non_plat/connsyslogger.te b/r_non_plat/connsyslogger.te
deleted file mode 100755
index 36b700d..0000000
--- a/r_non_plat/connsyslogger.te
+++ /dev/null
@@ -1,83 +0,0 @@
-
-# Policy File of /system/bin/connsyslogger Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-# Purpose : for create hidl server
-#hal_server_domain(connsyslogger, mtk_hal_log)
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-#for logging sdcard access
-allow connsyslogger fuse:dir { create_dir_perms };
-allow connsyslogger fuse:file { create_file_perms };
-
-#consys logger access on /data/consyslog
-allow connsyslogger consyslog_data_file:dir { create_dir_perms relabelto };
-allow connsyslogger consyslog_data_file:fifo_file { create_file_perms };
-allow connsyslogger consyslog_data_file:file { create_file_perms };
-allow connsyslogger system_data_file:dir { create_dir_perms relabelfrom};
-
-#consys logger socket access
-allow connsyslogger property_socket:sock_file write;
-allow connsyslogger init:unix_stream_socket connectto;
-
-allow connsyslogger tmpfs:lnk_file { create_file_perms };
-
-# purpose: avc: denied { read } for name="plat_file_contexts"
-allow connsyslogger file_contexts_file:file { read getattr open map};
-
-#logger SD logging in factory mode
-allow connsyslogger vfat:dir create_dir_perms;
-allow connsyslogger vfat:file create_file_perms;
-
-#logger permission in storage in android M version
-allow connsyslogger mnt_user_file:dir search;
-allow connsyslogger mnt_user_file:lnk_file read;
-allow connsyslogger storage_file:lnk_file read;
-
-#permission for use SELinux API
-allow connsyslogger rootfs:file r_file_perms;
-
-#permission for storage access storage
-allow connsyslogger storage_file:dir { create_dir_perms };
-allow connsyslogger storage_file:file { create_file_perms };
-
-#permission for read boot mode
-allow connsyslogger sysfs_boot_mode:file { read open };
-
-allow connsyslogger fw_log_wifi_device:chr_file {read write open ioctl};
-allow connsyslogger fw_log_bt_device:chr_file {read write open ioctl};
-allow connsyslogger fw_log_gps_device:chr_file {read write open ioctl};
-allow connsyslogger fw_log_wmt_device:chr_file {read write open ioctl};
-
-allow connsyslogger sdcardfs:dir { create_dir_perms };
-allow connsyslogger sdcardfs:file { create_file_perms };
-allow connsyslogger rootfs:lnk_file getattr;
-
-allow connsyslogger media_rw_data_file:file { create_file_perms };
-allow connsyslogger media_rw_data_file:dir { create_dir_perms };
-
-set_prop(connsyslogger, vendor_connsysfw_prop)
-
-allow connsyslogger vendor_configs_file:file map;
-#permission to get driver ready status
-get_prop(connsyslogger, wmt_prop)
-
-#Date:2019/03/25
-# purpose: allow connsyslogger to access persist.meta.connecttype
-get_prop(connsyslogger, meta_connecttype_prop);
-
-#Date:2019/03/25
-# purpose: allow emdlogger to create socket
-allow connsyslogger port:tcp_socket { name_connect name_bind };
-allow connsyslogger connsyslogger:tcp_socket { create_stream_socket_perms };
-allow connsyslogger node:tcp_socket node_bind;
-
-#Date:2019/03/25
-# usb device ttyGSx for modem logger usb logging
-allow connsyslogger ttyGS_device:chr_file { rw_file_perms};
-
-
diff --git a/r_non_plat/device.te b/r_non_plat/device.te
deleted file mode 100644
index 702a58d..0000000
--- a/r_non_plat/device.te
+++ /dev/null
@@ -1,274 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-type devmap_device, dev_type;
-type ttyMT_device, dev_type;
-type ttyS_device, dev_type;
-type ttySDIO_device, dev_type;
-type vmodem_device, dev_type;
-type stpwmt_device, dev_type;
-type wmtdetect_device, dev_type;
-type wmtWifi_device, dev_type;
-type stpbt_device, dev_type;
-type fw_log_bt_device, dev_type;
-type stpant_device, dev_type;
-type fm_device, dev_type;
-type stpgps_device, dev_type;
-type gpsdl_device, dev_type;
-type fw_log_gps_device, dev_type;
-type fw_log_wmt_device, dev_type;
-type fw_log_wifi_device, dev_type;
-type pmem_multimedia_device, dev_type;
-type mt6516_isp_device, dev_type;
-type mt6516_IDP_device, dev_type;
-type mt9p012_device, dev_type;
-type mt6516_jpeg_device, dev_type;
-type FM50AF_device, dev_type;
-type DW9714AF_device, dev_type;
-type DW9814AF_device, dev_type;
-type AK7345AF_device, dev_type;
-type DW9714A_device, dev_type;
-type LC898122AF_device, dev_type;
-type LC898212AF_device, dev_type;
-type BU6429AF_device, dev_type;
-type AD5820AF_device, dev_type;
-type DW9718AF_device, dev_type;
-type BU64745GWZAF_device, dev_type;
-type MAINAF_device, dev_type;
-type MAIN2AF_device, dev_type;
-type SUBAF_device, dev_type;
-type M4U_device_device, dev_type;
-type Vcodec_device, dev_type;
-type MJC_device, dev_type;
-type smartpa_device, dev_type;
-type smartpa1_device, dev_type;
-type uio0_device, dev_type;
-type xt_qtaguid_device, dev_type;
-type rfkill_device, dev_type;
-type sw_sync_device, dev_type, mlstrustedobject;
-type sec_device, dev_type;
-type hid_keyboard_device, dev_type;
-type btn_device, dev_type;
-type uinput_device, dev_type;
-type TV_out_device, dev_type;
-type gz_device, dev_type;
-type camera_sysram_device, dev_type;
-type camera_isp_device, dev_type;
-type camera_dip_device, dev_type;
-type camera_dpe_device, dev_type;
-type camera_tsf_device, dev_type;
-type camera_fdvt_device, dev_type;
-type camera_rsc_device, dev_type;
-type camera_gepf_device, dev_type;
-type camera_wpe_device, dev_type;
-type camera_owe_device, dev_type;
-type camera_mfb_device, dev_type;
-type camera_pipemgr_device, dev_type;
-type ccu_device, dev_type;
-type vpu_device, dev_type, mlstrustedobject;
-type mdla_device, dev_type, mlstrustedobject;
-type mtk_jpeg_device, dev_type;
-type kd_camera_hw_device, dev_type;
-type seninf_device, dev_type;
-type kd_camera_flashlight_device, dev_type;
-type flashlight_device, dev_type;
-type kd_camera_hw_bus2_device, dev_type;
-type MATV_device, dev_type;
-type mt_otg_test_device, dev_type;
-type mt_mdp_device, dev_type;
-type mtkg2d_device, dev_type;
-type misc_sd_device, dev_type;
-type mtk_sched_device, dev_type;
-type ampc0_device, dev_type;
-type mmp_device, dev_type;
-type ttyGS_device, dev_type;
-type CAM_CAL_DRV_device, dev_type;
-type CAM_CAL_DRV1_device, dev_type;
-type CAM_CAL_DRV2_device, dev_type;
-type MTK_SMI_device, dev_type;
-type mtk_cmdq_device, dev_type;
-type mtk_mdp_device, dev_type;
-type mtk_rrc_device, dev_type;
-type ebc_device, dev_type;
-type vow_device, dev_type;
-type MT6516_H264_DEC_device, dev_type;
-type MT6516_Int_SRAM_device, dev_type;
-type MT6516_MM_QUEUE_device, dev_type;
-type MT6516_MP4_DEC_device, dev_type;
-type MT6516_MP4_ENC_device, dev_type;
-type sensor_device, dev_type;
-type aed_device, dev_type;
-type ccci_device, dev_type;
-type ccci_monitor_device, dev_type;
-type gsm0710muxd_device, dev_type;
-type eemcs_device, dev_type;
-type emd_device, dev_type;
-type mt6605_device, dev_type;
-type st21nfc_device, dev_type;
-type st54spi_device, dev_type;
-type exm0_device, dev_type;
-type mmcblk_device, dev_type;
-type BOOT_device, dev_type;
-type MT_pmic_device, dev_type;
-type aal_als_device, dev_type;
-type accdet_device, dev_type;
-type android_device, dev_type;
-type bmtpool_device, dev_type;
-type bootimg_device, dev_type;
-type btif_device, dev_type;
-type cache_device, dev_type;
-type cpu_dma_latency_device, dev_type;
-type dummy_cam_cal_device, dev_type;
-type ebr_device, dev_type;
-type expdb_device, dev_type;
-type fat_device, dev_type;
-type logo_device, dev_type;
-type loop-control_device, dev_type;
-type mbr_device, dev_type;
-type met_device, dev_type;
-type misc_device, dev_type;
-type misc2_device, dev_type;
-type mtfreqhopping_device, dev_type;
-type mtgpio_device, dev_type;
-type mtk_kpd_device, dev_type;
-type network_device, dev_type;
-type nvram_device, dev_type;
-type pmt_device, dev_type;
-type preloader_device, dev_type;
-type pro_info_device, dev_type;
-type protect_f_device, dev_type;
-type protect_s_device, dev_type;
-type psaux_device, dev_type;
-type ptyp_device, dev_type;
-type recovery_device, dev_type;
-type sec_ro_device, dev_type;
-type seccfg_device, dev_type;
-type tee_part_device, dev_type;
-type snapshot_device, dev_type;
-type tgt_device, dev_type;
-type touch_device, dev_type;
-type tpd_em_log_device, dev_type;
-type ttyp_device, dev_type;
-type uboot_device, dev_type;
-type uibc_device, dev_type;
-type usrdata_device, dev_type;
-type zram0_device, dev_type;
-type hwzram0_device, dev_type;
-type RT_Monitor_device, dev_type;
-type kick_powerkey_device, dev_type;
-type agps_device, dev_type;
-type mnld_device, dev_type;
-type geo_device, dev_type;
-type mdlog_device, dev_type;
-type md32_device, dev_type;
-type scp_device, dev_type;
-type adsp_device, dev_type;
-type audio_scp_device, dev_type;
-type sspm_device, dev_type;
-type etb_device, dev_type;
-type MT_pmic_adc_cali_device, dev_type;
-type mtk-adc-cali_device, dev_type;
-type MT_pmic_cali_device,dev_type;
-type otp_device, dev_type;
-type otp_part_block_device, dev_type;
-type qemu_pipe_device, dev_type;
-type icusb_device, dev_type;
-type nlop_device, dev_type;
-type irtx_device, dev_type;
-type pmic_ftm_device, dev_type;
-type charger_ftm_device, dev_type;
-type shf_device, dev_type;
-type keyblock_device, dev_type;
-type offloadservice_device, dev_type;
-type ttyACM_device, dev_type;
-type hrm_device, dev_type;
-type lens_device, dev_type;
-type nvdata_device, dev_type;
-type nvcfg_device, dev_type;
-type expdb_block_device, dev_type;
-type misc2_block_device, dev_type;
-type logo_block_device, dev_type;
-type para_block_device, dev_type;
-type tee_block_device, dev_type;
-type seccfg_block_device, dev_type;
-type secro_block_device, dev_type;
-type preloader_block_device, dev_type;
-type lk_block_device, dev_type;
-type protect1_block_device, dev_type;
-type protect2_block_device, dev_type;
-type keystore_block_device, dev_type;
-type oemkeystore_block_device, dev_type;
-type sec1_block_device, dev_type;
-type md1img_block_device, dev_type;
-type md1dsp_block_device, dev_type;
-type md1arm7_block_device, dev_type;
-type md3img_block_device, dev_type;
-type mmcblk1_block_device, dev_type;
-type mmcblk1p1_block_device, dev_type;
-type bootdevice_block_device, dev_type;
-type odm_block_device, dev_type;
-type oem_block_device, dev_type;
-type vendor_block_device, dev_type;
-type dtbo_block_device, dev_type;
-type loader_ext_block_device, dev_type;
-type spm_device, dev_type;
-type persist_block_device, dev_type;
-type md_block_device, dev_type;
-type spmfw_block_device, dev_type;
-type mcupmfw_block_device, dev_type;
-type scp_block_device, dev_type;
-type sspm_block_device, dev_type;
-type dsp_block_device, dev_type;
-type ppl_block_device, dev_type;
-type nvcfg_block_device, dev_type;
-type ancservice_device, dev_type;
-type mbim_device, dev_type;
-type audio_ipi_device, dev_type;
-type cam_vpu_block_device,dev_type;
-type boot_para_block_device,dev_type;
-type mtk_dfrc_device, dev_type;
-type vbmeta_block_device, dev_type;
-type alarm_device, dev_type;
-type mdp_device, dev_type;
-type mrdump_device, dev_type;
-type kb_block_device,dev_type;
-type dkb_block_device,dev_type;
-
-##########################
-# Sensor common Devices Start
-#
-type hwmsensor_device, dev_type;
-type msensor_device, dev_type;
-type gsensor_device, dev_type;
-type als_ps_device, dev_type;
-type gyroscope_device, dev_type;
-type barometer_device,dev_type;
-type humidity_device,dev_type;
-type biometric_device,dev_type;
-type sensorlist_device,dev_type;
-##########################
-# Sensor Devices Start
-#
-type m_batch_misc_device, dev_type;
-##########################
-# Sensor bio Devices Start
-#
-type m_als_misc_device, dev_type;
-type m_ps_misc_device, dev_type;
-type m_baro_misc_device, dev_type;
-type m_hmdy_misc_device, dev_type;
-type m_acc_misc_device, dev_type;
-type m_mag_misc_device, dev_type;
-type m_gyro_misc_device, dev_type;
-type m_act_misc_device, dev_type;
-type m_pedo_misc_device, dev_type;
-type m_situ_misc_device, dev_type;
-type m_step_c_misc_device, dev_type;
-type m_fusion_misc_device, dev_type;
-type m_bio_misc_device, dev_type;
-
-# Date : 2016/07/11
-# Operation : Migration
-# Purpose : Add permission for gpu access
-type dri_device, dev_type, mlstrustedobject;
diff --git a/r_non_plat/domain.te b/r_non_plat/domain.te
deleted file mode 100644
index f1877f7..0000000
--- a/r_non_plat/domain.te
+++ /dev/null
@@ -1,30 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -# Grant read access to mtk core property type which represents all -# mtk properties except those with ctl_xxx prefix. -# Align Google change: f01453ad453b29dd723838984ea03978167491e5 -get_prop(domain, mtk_core_property_type) - -# Allow all processes to search /sys/kernel/debug/binder/ since it's has been -# labeled with specific debugfs label and many violations to dir search debugfs_binder -# are observed. Grant domain to suppress the violations as originally "debugfs:dir search" -# is also allowed to domain as well in Google default domain.te -allow domain debugfs_binder:dir search; - -# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info -# as it is a public interface for all processes to read some OTP data. -allow { - domain - -isolated_app -} sysfs_devinfo:file r_file_perms; - -# Date:20170630 -# Purpose: allow trusted process to connect aee daemon -#allow { -# coredomain -# -untrusted_app_all -#} aee_aed:unix_stream_socket connectto; -allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto; - diff --git a/r_non_plat/drmserver.te b/r_non_plat/drmserver.te deleted file mode 100644 index 6086c27..0000000 --- a/r_non_plat/drmserver.te +++ /dev/null @@ -1,7 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -allow drmserver proc_ged:file rw_file_perms; diff --git a/r_non_plat/dumpstate.te b/r_non_plat/dumpstate.te deleted file mode 100644 index f9fd5d9..0000000 --- a/r_non_plat/dumpstate.te +++ /dev/null 
@@ -1,183 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Purpose: aee_dumpstate set surfaceflinger property
-set_prop(dumpstate, debug_bq_dump_prop);
-
-# Purpose: access dev/aed0
-allow dumpstate aed_device:chr_file { read getattr };
-
-# Purpose: data/dumpsys/*
-allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
-allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
-
-# Purpose: data/aee_exp/*
-allow dumpstate aee_exp_data_file:dir { w_dir_perms };
-allow dumpstate aee_exp_data_file:file { create_file_perms };
-
-# Purpose: debugfs files
-allow dumpstate debugfs:lnk_file read;
-allow dumpstate debugfs_binder:dir { read open };
-allow dumpstate debugfs_binder:file { read open };
-allow dumpstate debugfs_blockio:file { read open };
-allow dumpstate debugfs_fb:dir search;
-allow dumpstate debugfs_fb:file { read open };
-allow dumpstate debugfs_fuseio:dir search;
-allow dumpstate debugfs_fuseio:file { read open };
-allow dumpstate debugfs_ged:dir search;
-allow dumpstate debugfs_ged:file { read open };
-allow dumpstate debugfs_rcu:dir search;
-allow dumpstate debugfs_shrinker_debug:file { read open };
-allow dumpstate debugfs_wakeup_sources:file { read open };
-allow dumpstate debugfs_dmlog_debug:file { read open };
-allow dumpstate debugfs_page_owner_slim_debug:file { read open };
-allow dumpstate debugfs_ion_mm_heap:dir search;
-allow dumpstate debugfs_ion_mm_heap:file { read open };
-allow dumpstate debugfs_ion_mm_heap:lnk_file read;
-allow dumpstate debugfs_cpuhvfs:dir search;
-allow dumpstate debugfs_cpuhvfs:file { read open };
-allow dumpstate debugfs_vpu_device_dbg:file { read open };
-
-# Purpose: /sys/kernel/ccci/md_chn
-allow dumpstate sysfs_ccci:dir search;
-allow dumpstate sysfs_ccci:file { read open };
-
-# Purpose: leds status
-allow dumpstate sysfs_leds:lnk_file read;
-
-# Purpose: /sys/module/lowmemorykiller/parameters/adj
-allow dumpstate sysfs_lowmemorykiller:file { read open };
-allow dumpstate sysfs_lowmemorykiller:dir search;
-
-# Purpose: /dev/block/mmcblk0p10
-allow dumpstate expdb_block_device:blk_file { read write ioctl open };
-
-#/data/anr/SF_RTT
-allow dumpstate sf_rtt_file:dir { search getattr };
-
-# Data : 2017/03/22
-# Operation : add fd use selinux rule
-# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
-# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
-# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
-allow dumpstate aee_aed:fd use;
-allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
-
-# private define
-# allow dumpstate config_gz:file read;
-
-allow dumpstate sysfs_leds:dir r_dir_perms;
-
-# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
-# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
-# sf_bqdump_data_file:s0 tclass=dir permissive=0
-allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
-allow dumpstate sf_bqdump_data_file:file r_file_perms;
-
-# Purpose:
-# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
-# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
-# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
-# tracing_shell_writable:s0 tclass=file permissive=1
-allow dumpstate debugfs_tracing:file rw_file_perms;
-
-# Data : WK17.03
-# Purpose: Allow to access gpu
-allow dumpstate gpu_device:dir search;
-
-# Purpose: Allow aee_dumpstate to invoke "lshal debug ", where is "ICameraProvider".
-allow dumpstate mtk_hal_camera:binder { call };
-
-# Purpose: Allow aee_dumpstate to read /proc/slabinfo
-allow dumpstate proc_slabinfo:file r_file_perms;
-
-# Purpose: Allow aee_dumpstate to read /proc/zraminfo
-allow dumpstate proc_zraminfo:file r_file_perms;
-
-# Purpose: Allow aee_dumpstate to read /proc/gpulog
-allow dumpstate proc_gpulog:file r_file_perms;
-
-# Purpose: Allow aee_dumpstate to read /proc/sched_debug
-allow dumpstate proc_sched_debug:file r_file_perms;
-
-# Purpose: Allow aee_dumpstate to read /proc/chip/hw_ver
-allow dumpstate proc_chip:file r_file_perms;
-
-# Purpose: Allow aee_dumpstate to write /sys/devices/virtual/timed_output/vibrator/enable
-allow dumpstate sysfs_vibrator_setting:file write;
-
-# Purpose: Allow dumpstate to read /sys/kernel/debug/rcu/rcu_callback_log
-allow dumpstate debugfs_rcu:file r_file_perms;
-
-# Purpose: Allow dumpstate to read /proc/ufs_debug
-allow dumpstate proc_ufs_debug:file rw_file_perms;
-
-# Purpose: Allow dumpstate to read /proc/msdc_debug
-allow dumpstate proc_msdc_debug:file r_file_perms;
-
-# Purpose: Allow dumpstate to r/w /proc/pidmap
-allow dumpstate proc_pidmap:file rw_file_perms;
-
-# Purpose: Allow dumpstate to read /sys/power/vcorefs/vcore_debug
-allow dumpstate sysfs_vcore_debug:file r_file_perms;
-
-# Purpose: Allow dumpstate to read /data/anr/SF_RTT/rtt_dump.txt
-allow dumpstate sf_rtt_file:file r_file_perms;
-
-#Purpose: Allow dumpstate to read/write /sys/mtk_memcfg/slabtrace
-allow dumpstate proc_slabtrace:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/mtk_cmdq_debug/status
-allow dumpstate proc_cmdq_debug:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/cpuhvfs/dbg_repo
-allow dumpstate proc_dbg_repo:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_dump
-allow dumpstate proc_isp_p2_dump:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/isp_p2/isp_p2_kedump
-allow dumpstate proc_isp_p2_kedump:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/mali/memory_usage
-allow dumpstate proc_memory_usage:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /proc/mtk_es_reg_dump
-allow dumpstate proc_mtk_es_reg_dump:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /sys/power/mtkpasr/execstate
-allow dumpstate sysfs_execstate:file r_file_perms;
-
-allow dumpstate proc_isp_p2:dir r_dir_perms;
-allow dumpstate proc_isp_p2:file r_file_perms;
-
-# Date : W19.26
-# Operation : Migration
-# Purpose : fix google dumpstate avc error in xTS
-allow dumpstate debugfs:dir r_dir_perms;
-allow dumpstate debugfs_mmc:dir search;
-allow dumpstate mnt_media_rw_file:dir getattr;
-
-# Date: 19/07/15
-# Purpose: fix google dumpstate avc error in xTs
-allow dumpstate sysfs_devices_block:file r_file_perms;
-allow dumpstate proc_last_kmsg:file r_file_perms;
-
-# Date: 19/07/15
-# Purpose: Allow dumpstate to read /sys/kernel/debug/kmemleak
-allow dumpstate debugfs_kmemleak:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /sys/class/misc/adsp/adsp_last_log
-allow dumpstate sysfs_adsp:file r_file_perms;
-
-#Purpose: Allow dumpstate to read /sys/kernel/debug/smi_mon
-allow dumpstate debugfs_smi_mon:file r_file_perms;
-
-# MTEE Trusty
-allow dumpstate mtee_trusty_file:file rw_file_perms;
-
-# 09-05 15:58:31.552000 9693 9693 W df : type=1400 audit(0.0:990):
-# avc: denied { search } for name="expand" dev="tmpfs" ino=10779 scontext=u:r:dumpstate:s0
-# tcontext=u:object_r:mnt_expand_file:s0 tclass=dir permissive=0
-allow dumpstate mnt_expand_file:dir { search getattr };
diff --git a/r_non_plat/e2fs.te b/r_non_plat/e2fs.te
deleted file mode 100644
index f927a21..0000000
--- a/r_non_plat/e2fs.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK17.32
-# Operation : Migration
-# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
-allow e2fs protect1_block_device:blk_file rw_file_perms;
-allow e2fs protect2_block_device:blk_file rw_file_perms;
-allow e2fs persist_block_device:blk_file rw_file_perms;
-allow e2fs nvdata_device:blk_file rw_file_perms;
-allow e2fs nvcfg_block_device:blk_file rw_file_perms;
-
-allow e2fs devpts:chr_file {read write};
-
-# Date : WK18.23
-# Operation: P migration
-# Purpose : Allow mke2fs to format userdata and cache partition
-allow e2fs cache_block_device:blk_file rw_file_perms;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-
-# Date : WK19.23
-# Operation: Q migration
-# Purpose : Allow format /metadata for UDC
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-
-# Date : WK19.34
-# Operation: Q migration
-# Purpose : Allow mke2fs to use ioctl/ioctlcmd
-allowxperm e2fs protect1_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
-allowxperm e2fs protect2_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
-allowxperm e2fs nvdata_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
-allowxperm e2fs nvcfg_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
-allowxperm e2fs persist_block_device:blk_file ioctl { BLKPBSZGET BLKROGET BLKDISCARD BLKDISCARDZEROES BLKSECDISCARD };
diff --git a/r_non_plat/em_hidl.te b/r_non_plat/em_hidl.te
deleted file mode 100644
index fcf6abf..0000000
--- a/r_non_plat/em_hidl.te
+++ /dev/null
@@ -1,130 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/em_hidi Executable File
-# ==============================================
-type em_hidl, domain;
-type em_hidl_exec, exec_type, file_type, vendor_file_type;
-
-# Date : 2018/06/28
-init_daemon_domain(em_hidl)
-
-# Date : 2018/06/28
-# Purpose: EM_HILD
-hal_server_domain(em_hidl, mtk_hal_em)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set ims operator
-set_prop(em_hidl, mtk_operator_id_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_simswitch_emmode_prop
-set_prop(em_hidl, mtk_simswitch_emmode_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_dsbp_support_prop
-set_prop(em_hidl, mtk_dsbp_support_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_imstestmode_prop
-set_prop(em_hidl, mtk_imstestmode_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_smsformat_prop
-set_prop(em_hidl, mtk_smsformat_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_gprs_prefer_prop
-set_prop(em_hidl, mtk_gprs_prefer_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_testsim_cardtype_prop
-set_prop(em_hidl, mtk_testsim_cardtype_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should set mtk_ct_ir_engmode_prop
-set_prop(em_hidl, mtk_ct_ir_engmode_prop)
-
-# Date : 2018/06/28
-# Operation : EM DEBUG
-# Purpose: EM should mtk_disable_c2k_cap_prop
-set_prop(em_hidl, mtk_disable_c2k_cap_prop)
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should mtk_debug_md_reset_prop
-set_prop(em_hidl, mtk_debug_md_reset_prop)
-
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should video log mtk_omx_log_prop
-set_prop(em_hidl, mtk_omx_log_prop)
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should video log mtk_vdec_log_prop
-set_prop(em_hidl, mtk_vdec_log_prop)
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should video log mtk_vdectlc_log_prop
-set_prop(em_hidl, mtk_vdectlc_log_prop)
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should video log mtk_venc_h264_showlog_prop
-set_prop(em_hidl, mtk_venc_h264_showlog_prop)
-
-# Date : 2018/06/29
-# Operation : EM DEBUG
-# Purpose: EM should video log mtk_modem_warning_prop
-set_prop(em_hidl, mtk_modem_warning_prop)
-
-# Date : 2018/07/06
-# Operation : EM DEBUG
-# Purpose: EM allow usb vendor_em_usb_prop
-set_prop(em_hidl, vendor_em_usb_prop)
-
-# Date : 2018/07/06
-# Operation : EM DEBUG
-# Purpose: for setting usb otg enable property
-set_prop(em_hidl, vendor_usb_otg_switch)
-
-# Data : 2018/07/06
-# Purpose : EM MCF read nvdata dir and file
-allow em_hidl nvdata_file:dir { read open add_name search getattr};
-allow em_hidl nvdata_file:file { getattr read open };
-
-# Data : 2018/07/06
-# Purpose : EM MCF search vendor dir
-allow em_hidl mnt_vendor_file:dir search;
-allow em_hidl vendor_default_prop:file read;
-
-# Data : 2018/08/10
-# Purpose : EM BT usage
-allow em_hidl stpbt_device:chr_file { read write open };
-allow em_hidl sysfs_boot_mode:file { read open };
-allow em_hidl ttyGS_device:chr_file { read write ioctl open };
-allow em_hidl vendor_usb_prop:file { read getattr open };
-set_prop(em_hidl, vendor_usb_prop)
-
-# Date : 2018/08/28
-# Operation : EM DEBUG
-# Purpose: for em set hidl configure
-set_prop(em_hidl, mtk_em_hidl_prop)
-
-# Date : 2019/08/22
-# Operation : EM AAL
-# Purpose: for em set aal property
-set_prop(em_hidl, mtk_pq_prop)
-# Date : 2019/09/10
-# Operation : EM wcn coredump
-# Purpose: for em set wcn coredump property
-set_prop(em_hidl, coredump_prop)
diff --git a/r_non_plat/em_svr.te b/r_non_plat/em_svr.te
deleted file mode 100644
index 5c00360..0000000
--- a/r_non_plat/em_svr.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Date: WK1812
-# Purpose: add for sensor calibration
-allow em_svr als_ps_device:chr_file { read open ioctl };
-allow em_svr gsensor_device:chr_file { read open ioctl };
-
-# Date: WK1812
-# Purpose: add for MD log filter
-allow em_svr md_block_device:blk_file { read open };
-
-# Date: WK1812
-# Purpose: add for SIB capture
-allow em_svr para_block_device:blk_file { read open write};
-allow em_svr proc_lk_env:file { read write ioctl open };
-
-# Date: WK1812
-# Purpose: add for MSDC get/set
-allow em_svr misc_sd_device:chr_file { read open ioctl };
-
-# Date: WK1812
-# Purpose: add for battery log
-allow em_svr proc_battery_cmd:dir { search };
-allow em_svr proc_battery_cmd:file { create write open };
-
-# Date: WK1812
-# Purpose: add for light/proximity sensor
-allow em_svr nvram_device:blk_file { open read write };
-
-# Date: WK1812
-# Purpose: add for Gyroscope sensor
-allow em_svr gyroscope_device:chr_file { read ioctl open };
-
-# Date : 2018/06/15
-# Purpose : Allow EM access touchscreen settings
-allow em_svr sysfs_tpd_debug:dir { search };
-allow em_svr sysfs_tpd_setting:dir { search };
-allow em_svr sysfs_tpd_debug:file { rw_file_perms };
-allow em_svr sysfs_tpd_setting:file { rw_file_perms };
-
-# Date : 2018/06/15
-# Purpose : EM FreqHopping setting
-allow em_svr proc_freqhop:file { open read write };
-
-# Date : 2018/06/15
-# Purpose : EM flash reading
-allow em_svr proc_flash:file { open read };
-allow em_svr proc_partition:file { open read };
-
-# Date : 2018/06/15
-# Purpose : EM Power PMU reading/setting
-allow em_svr sysfs_pmu:dir { search };
-allow em_svr sysfs_pmu:file { rw_file_perms };
-allow em_svr sysfs_pmu:lnk_file { read };
-
-# Date : 2018/06/15
-# Purpose : EM Power debug_log setting
-allow em_svr sysfs_spm:dir { search };
-allow em_svr sysfs_spm:file { open read write };
-
-# Date: 2019/04/09
-# Purpose: battery temprature setting
-allow em_svr sysfs_battery_temp:file w_file_perms;
-allow em_svr sysfs_battery_consumption:file r_file_perms;
-allow em_svr sysfs_power_on_vol:file r_file_perms;
-allow em_svr sysfs_power_off_vol:file r_file_perms;
-allow em_svr sysfs_fg_disable:file w_file_perms;
-allow em_svr sysfs_dis_nafg:file w_file_perms;
-
-
-
-# Date : 2018/10/12
-# Purpose : EM Power PMU register reading/setting
-allow em_svr debugfs_regmap:dir { search };
-allow em_svr debugfs_regmap:file { rw_file_perms };
-
-# Date:2019/04/15
-# Purpose: EM Power
-allow em_svr toolbox_exec:file { map };
diff --git a/r_non_plat/emdlogger.te b/r_non_plat/emdlogger.te
deleted file mode 100644
index 6b1dbaf..0000000
--- a/r_non_plat/emdlogger.te
+++ /dev/null
@@ -1,125 +0,0 @@
-#allow emdlogger to set property
-allow emdlogger debug_prop:property_service set;
-allow emdlogger persist_mtklog_prop:property_service set;
-allow emdlogger system_radio_prop:property_service set;
-
-# ccci device for internal modem
-allow emdlogger ccci_device:chr_file { rw_file_perms };
-
-# eemcs device for external modem
-allow emdlogger eemcs_device:chr_file { rw_file_perms };
-
-# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
-allow emdlogger ttySDIO_device:chr_file { rw_file_perms };
-
-# C2K project modem device for external modem vmodem start/stop/ioctl modem
-allow emdlogger vmodem_device:chr_file { rw_file_perms };
-
-# usb device ttyGSx for modem logger usb logging
-allow emdlogger ttyGS_device:chr_file { rw_file_perms};
-
-# for modem logging sdcard access
-allow emdlogger sdcard_type:dir { create_dir_perms };
-allow emdlogger sdcard_type:file { create_file_perms };
-
-# modem logger access on /data/mdlog
-allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
-allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
-allow emdlogger mdlog_data_file:file { create_file_perms };
-allow emdlogger system_data_file:dir { create_dir_perms relabelfrom};
-
-# modem logger control port access /dev/ttyC1
-allow emdlogger mdlog_device:chr_file { rw_file_perms};
-
-#modem logger SD logging in factory mode
-allow emdlogger vfat:dir create_dir_perms;
-allow emdlogger vfat:file create_file_perms;
-
-#modem logger permission in storage in android M version
-allow emdlogger mnt_user_file:dir search;
-allow emdlogger mnt_user_file:lnk_file read;
-allow emdlogger storage_file:lnk_file read;
-
-#permission for storage link access in vzw Project
-allow emdlogger mnt_media_rw_file:dir search;
-
-
-#permission for use SELinux API
-#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
-allow emdlogger rootfs:file r_file_perms;
-
-#permission for storage access storage
-allow emdlogger storage_file:dir { create_dir_perms };
-allow emdlogger tmpfs:lnk_file read;
-allow emdlogger storage_file:file { create_file_perms };
-
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-allow emdlogger sysfs_boot_mode:file { read open };
-
-# Allow read to sys/kernel/ccci/* files
-allow emdlogger sysfs_ccci:dir search;
-allow emdlogger sysfs_ccci:file r_file_perms;
-
-allow emdlogger sysfs_mdinfo:file r_file_perms;
-allow emdlogger sysfs_mdinfo:dir search;
-
-# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
-# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
-allow emdlogger system_file:dir read;
-
-
-# purpose: allow emdlogger to access storage in N version
-allow emdlogger media_rw_data_file:file { create_file_perms };
-allow emdlogger media_rw_data_file:dir { create_dir_perms };
-
-#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
-#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
-#security issue control
-allow emdlogger aee_aed:unix_stream_socket connectto;
-
-# For dynamic CCB buffer feature
-#avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
-#scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
-#avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
-# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
-allow emdlogger para_block_device:blk_file { read open write };
-allow emdlogger proc_lk_env:file { read write ioctl open };
-
-## purpose: avc: denied { read } for name="plat_file_contexts"
-allow emdlogger file_contexts_file:file { read getattr open map};
-
-allow emdlogger block_device:dir search;
-allow emdlogger md_block_device:blk_file { read open };
-allow emdlogger self:capability { chown };
-
-
-# purpose: allow emdlogger to access persist.meta.connecttype
-get_prop(emdlogger, meta_connecttype_prop);
-
-# purpose: allow emdlogger to create socket
-allow emdlogger port:tcp_socket { name_connect name_bind };
-allow emdlogger emdlogger:tcp_socket { create connect setopt bind };
-allow emdlogger emdlogger:tcp_socket { bind setopt listen accept read write };
-allow emdlogger node:tcp_socket node_bind;
-
-# Android P migration
-set_prop(emdlogger, persist_mtklog_prop)
-set_prop(emdlogger, vendor_mdl_prop)
-set_prop(emdlogger, vendor_mdl_start_prop)
-set_prop(emdlogger, debug_mdlogger_prop)
-get_prop(emdlogger, vendor_usb_prop)
-set_prop(emdlogger, persist_mdlog_prop)
-set_prop(emdlogger, vendor_mdl_pulllog_prop)
-set_prop(emdlogger, exported_system_radio_prop)
-
-allow emdlogger vendor_configs_file:file map;
-allow emdlogger vendor_default_prop:file map;
-
-# Date : WK19.12
-# Operation: add permission to catch logs
-# Purpose : get kernel and radio logs when modem exception
-allow emdlogger kernel:system syslog_read;
-allow emdlogger logcat_exec:file {rx_file_perms};
-allow emdlogger logdr_socket:sock_file write;
-
diff --git a/r_non_plat/factory.te b/r_non_plat/factory.te
deleted file mode 100644
index b1593fb..0000000
--- a/r_non_plat/factory.te
+++ /dev/null
@@ -1,398 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/factory Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-#file_type_auto_trans(factory, system_data_file, factory_data_file)
-type factory, domain;
-type factory_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(factory)
-
-#============= factory ==============
-allow factory MTK_SMI_device:chr_file r_file_perms;
-allow factory ashmem_device:chr_file execute;
-allow factory ebc_device:chr_file rw_file_perms;
-allow factory stpbt_device:chr_file rw_file_perms;
-
-# Date: WK14.47
-# Operation : Migration
-# Purpose : CCCI
-allow factory eemcs_device:chr_file rw_file_perms;
-allow factory ccci_device:chr_file rw_file_perms;
-allow factory gsm0710muxd_device:chr_file rw_file_perms;
-
-#Purpose: file system requirement
-allow factory debugfs_usb:file rw_file_perms;
-allow factory debugfs_usb:dir search;
-allow factory devpts:chr_file rw_file_perms;
-allow factory vfat:dir w_dir_perms;
-allow factory labeledfs:filesystem unmount;
-allow factory rootfs:dir mounton;
-allow factory vfat:dir { read open search mounton };
-allow factory vfat:filesystem { mount unmount };
-
-# Purpose : SDIO
-allow factory ttySDIO_device:chr_file rw_file_perms;
-
-#Purpose: USB
-allow factory ttyMT_device:chr_file rw_file_perms;
-allow factory ttyS_device:chr_file rw_file_perms;
-allow factory ttyGS_device:chr_file rw_file_perms;
-
-# Purpose: OTG
-allow factory usb_device:chr_file rw_file_perms;
-allow factory usb_device:dir r_dir_perms;
-
-# Date: WK15.01
-# Purpose : OTG Mount
-allow factory sdcard_type:dir mounton;
-# Date: WK15.07
-# Purpose : use c2k flight mode;
-allow factory vmodem_device:chr_file rw_file_perms;
-
-# Date: WK15.13
-# Purpose: for nand project
-allow factory mtd_device:dir search;
-allow factory mtd_device:chr_file rw_file_perms;
-allow factory self:capability sys_resource;
-allow factory pro_info_device:chr_file rw_file_perms;
-
-# Data: WK15.28
-# Purpose: for mt-ramdump reset
-allow factory proc_mrdump_rst:file w_file_perms;
-
-#Date: WK15.31
-#Purpose: define factory_data_file instead of system_data_file
-# because system_data_file is sensitive partition from M
-wakelock_use(factory);
-allow factory storage_file:dir { write create add_name search mounton };
-
-# Date: WK15.44
-# Purpose: factory idle current status
-allow factory vendor_factory_idle_state_prop:property_service set;
-
-# Date: WK15.46
-# Purpose: gps factory mode
-allow factory agpsd_data_file:dir search;
-allow factory gps_data_file:dir { write add_name search remove_name unlink};
-allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
-allow factory gps_data_file:lnk_file read;
-allow factory storage_file:lnk_file r_file_perms;
-
-#Date: WK15.48
-#Purpose: capture for factory mode
-allow factory devmap_device:chr_file r_file_perms;
-allow factory sdcard_type:dir create_dir_perms;
-allow factory sdcard_type:file create_file_perms;
-allow factory mnt_user_file:dir search;
-allow factory mnt_user_file:lnk_file read;
-allow factory storage_file:lnk_file read;
-
-#Date: WK16.05
-#Purpose: For access NVRAM
-allow factory factory:capability chown;
-allow factory nvram_data_file:dir create_dir_perms;
-allow factory nvram_data_file:file create_file_perms;
-allow factory nvram_data_file:lnk_file r_file_perms;
-allow factory nvdata_file:lnk_file r_file_perms;
-allow factory nvram_device:chr_file rw_file_perms;
-allow factory nvram_device:blk_file rw_file_perms;
-allow factory nvdata_device:blk_file rw_file_perms;
-
-#Date: WK16.12
-#Purpose: For sensor test
-allow factory als_ps_device:chr_file r_file_perms;
-allow factory barometer_device:chr_file r_file_perms;
-allow factory gsensor_device:chr_file r_file_perms;
-allow factory gyroscope_device:chr_file r_file_perms;
-allow factory msensor_device:chr_file r_file_perms;
-allow factory biometric_device:chr_file r_file_perms;
-
-#Purpose: For camera Test
-allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
-allow factory kd_camera_hw_device:chr_file rw_file_perms;
-allow factory seninf_device:chr_file rw_file_perms;
-allow factory CAM_CAL_DRV_device:chr_file rw_file_perms;
-
-#Purpose: For reboot the target
-allow factory powerctl_prop:property_service set;
-
-#Purpose: For memory card test
-allow factory misc_sd_device:chr_file r_file_perms;
-allow factory mmcblk1_block_device:blk_file rw_file_perms;
-allow factory bootdevice_block_device:blk_file rw_file_perms;
-allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
-allow factory block_device:dir w_dir_perms;
-allowxperm factory mmcblk1_block_device:blk_file ioctl BLKGETSIZE;
-allowxperm factory bootdevice_block_device:blk_file ioctl BLKGETSIZE;
-
-#Purpose: For EMMC test
-allow factory nvdata_file:dir create_dir_perms;
-allow factory nvdata_file:file create_file_perms;
-
-#Purpose: For HRM test
-allow factory hrm_device:chr_file r_file_perms;
-
-#Purpose: For IrTx LED test
-allow factory irtx_device:chr_file rw_file_perms;
-
-#Purpose: For battery test, ext_buck test and ext_vbat_boost test
-allow factory pmic_ftm_device:chr_file rw_file_perms;
-allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
-allow factory MT_pmic_cali_device:chr_file r_file_perms;
-allow factory charger_ftm_device:chr_file r_file_perms;
-
-#Purpose: For HDMI test
-allow factory graphics_device:dir w_dir_perms;
-allow factory graphics_device:chr_file rw_file_perms;
-
-#Purpose: For WIFI test
-allow factory wmtWifi_device:chr_file rw_file_perms;
-
-#Purpose: For rtc test
-allow factory rtc_device:chr_file rw_file_perms;
-
-#Purpose: For nfc test
-allow factory mt6605_device:chr_file rwx_file_perms;
-
-#Purpose: For gps test
-allow factory mnld_device:chr_file rw_file_perms;
-allow factory mnld_exec:file rx_file_perms;
-
-#Purpose: For keypad test
-allow factory mtk_kpd_device:chr_file r_file_perms;
-
-#Purpose: For Humidity test
-allow factory humidity_device:chr_file r_file_perms;
-
-#Purpose: For camera test
-allow factory camera_isp_device:chr_file rw_file_perms;
-allow factory camera_dip_device:chr_file rw_file_perms;
-allow factory camera_pipemgr_device:chr_file r_file_perms;
-allow factory camera_sysram_device:chr_file r_file_perms;
-allow factory ccu_device:chr_file rw_file_perms;
-allow factory vpu_device:chr_file rw_file_perms;
-allow factory MAINAF_device:chr_file rw_file_perms;
-allow factory MAIN2AF_device:chr_file rw_file_perms;
-allow factory SUBAF_device:chr_file rw_file_perms;
-allow factory FM50AF_device:chr_file rw_file_perms;
-allow factory AD5820AF_device:chr_file rw_file_perms;
-allow factory DW9714AF_device:chr_file rw_file_perms;
-allow factory DW9714A_device:chr_file rw_file_perms;
-allow factory LC898122AF_device:chr_file rw_file_perms;
-allow factory LC898212AF_device:chr_file rw_file_perms;
-allow factory BU6429AF_device:chr_file rw_file_perms;
-allow factory DW9718AF_device:chr_file rw_file_perms;
-allow factory BU64745GWZAF_device:chr_file rw_file_perms;
-allow factory cct_data_file:dir create_dir_perms;
-allow factory cct_data_file:file create_file_perms;
-allow factory camera_tsf_device:chr_file rw_file_perms;
-allow factory camera_rsc_device:chr_file rw_file_perms;
-allow factory camera_gepf_device:chr_file rw_file_perms;
-allow factory camera_fdvt_device:chr_file rw_file_perms;
-allow factory camera_wpe_device:chr_file rw_file_perms;
-allow factory camera_owe_device:chr_file rw_file_perms;
-allow factory camera_mfb_device:chr_file rw_file_perms;
-allow factory mtk_hal_power_hwservice:hwservice_manager find;
-allow factory vendor_data_file:file getattr;
-allow factory mtk_hal_power:binder call;
-get_prop(factory,mediatek_prop);
-#Purpose: For FM test and headset test
-allow factory accdet_device:chr_file r_file_perms;
-allow factory fm_device:chr_file rw_file_perms;
-
-#Purpose: For audio test
-allow factory audio_device:chr_file rw_file_perms;
-allow factory audio_device:dir w_dir_perms;
-allow factory audiohal_prop:property_service set;
-allow factory audio_ipi_device:chr_file { read write ioctl open };
-allow factory audio_scp_device:chr_file r_file_perms;
-
-#Purpose: For key and touch event
-allow factory input_device:chr_file r_file_perms;
-allow factory input_device:dir rw_dir_perms;
-
-# Date: WK16.17
-# Purpose: N Migration For ccci sysfs node
-# Allow read to sys/kernel/ccci/* files
-allow factory sysfs_ccci:dir search;
-allow factory sysfs_ccci:file r_file_perms;
-
-# Date: WK16.18
-# Purpose: N Migration For boot_mode
-# Allow to read boot mode
-# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
-# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
-# tclass=file permissive=0
-allow factory sysfs_boot_mode:file { read open };
-allow factory sysfs_boot_type:file { read open };
-
-#TODO:: MTK need to remove later
-not_full_treble(`
- allow factory mnld:unix_dgram_socket sendto;
-')
-
-# Date: WK16.31
-#Purpose: For gps test
-allow factory mnld_prop:property_service set;
-
-# Date: WK16.33
-#Purpose: for unmount sdcardfs and stop services which are using data partition
-allow factory sdcard_type:filesystem unmount;
-allow factory ctl_default_prop:property_service set;
-
-# Date : WK16.35
-# Operation : Migration
-# Purpose : Update camera flashlight driver device file
-allow factory flashlight_device:chr_file rw_file_perms;
-
-
-# Date: WK15.25
-#Purpose: for unmount sdcardfs and stop services which are using data partition
-allow factory ctl_emdlogger1_prop:property_service set;
-# Date: WK17.07
-# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
-allow factory tmpfs:filesystem unmount;
-allow factory sysfs:dir { read open };
-allow factory sysfs_leds:dir search;
-allow factory sysfs_leds:lnk_file read;
-allow factory sysfs_leds:file rw_file_perms;
-allow factory sysfs_leds:dir r_dir_perms;
-allow factory sysfs_power:file rw_file_perms;
-allow factory sysfs_power:dir r_dir_perms;
-allow factory self:capability2 {block_suspend};
-allow factory sysfs_vibrator:file {open read write};
-allow factory ion_device:chr_file { read open ioctl };
-allow factory debugfs_ion:dir search;
-# Date: WK17.27
-# Purpose: STMicro NFC solution integration
-allow factory st21nfc_device:chr_file { open read getattr write ioctl };
-set_prop(factory,hwservicemanager_prop);
-hwbinder_use(factory);
-hal_client_domain(factory, hal_nfc);
-
-# Date : WK17.32
-# Operation : O Migration
-# Purpose: Allow to access cmdq driver
-allow factory mtk_cmdq_device:chr_file { read ioctl open };
-allow factory mtk_mdp_device:chr_file rw_file_perms;
-allow factory sw_sync_device:chr_file rw_file_perms;
-
-# Date: WK1733
-# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
-set_prop(factory,ctl_ccci_fsd_prop);
-
-# Date : WK17.38
-# Operation : O Migration
-# Purpose: Allow to access sysfs
-allow factory sysfs_therm:dir search;
-allow factory sysfs_therm:file {open read write};
-
-#Date: W18.22
-# Purpose: P Migration for factory get com port type and uart port info
-# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
-#avc: denied { read } for pid=203 comm="factory" name="meta_com_type_info" dev=
-#"sysfs" ino=11073 scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
-allow factory sysfs_comport_type:file rw_file_perms;
-allow factory sysfs_uart_info:file rw_file_perms;
-
-
-# from private
-allow factory property_socket:sock_file write;
-allow factory init:unix_stream_socket connectto;
-allow factory kernel:system module_request;
-allow factory node:tcp_socket node_bind;
-allow factory userdata_block_device:blk_file rw_file_perms;
-allow factory port:tcp_socket { name_bind name_connect };
-allow factory self:capability { sys_module ipc_lock sys_nice net_raw fsetid net_admin sys_time sys_boot sys_admin };
-allow factory sdcard_type:dir r_dir_perms;
-allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
-allow factory proc_net:file { read getattr open };
-allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
-allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
-
-allow factory self:process execmem;
-allow factory self:tcp_socket create_stream_socket_perms;
-allow factory self:udp_socket create_socket_perms;
-
-allow factory sysfs_wake_lock:file rw_file_perms;
-#allow factory system_file:file x_file_perms;
-
-# For Light HIDL permission
-hal_client_domain(factory, hal_light);
-allow factory hal_light_hwservice:hwservice_manager find;
-allow factory mtk_hal_light:binder call;
-allow factory merged_hal_service:binder call;
-# For vibrator test permission
-allow factory sysfs_vibrator:file rw_file_perms;
-allow factory sysfs_vibrator:dir search;
-
-# For Audio device permission
-allow factory proc_asound:dir { read search open };
-allow factory proc_asound:file { read open getattr write };
-allow factory audiohal_prop:property_service set;
-
-# For Accdet data permission
-allow factory sysfs:file { read open };
-allow factory sysfs_headset:file { read open };
-
-# For touch auto test
-allow factory sysfs_tpd_setting:dir search;
-allow factory sysfs_tpd_setting:file { read getattr open };
-
-# Date : WK18.23
-# Operation: P migration
-# Purpose : Allow factory to unmount partition, stop service, and then erase partition
-allow factory vendor_shell_exec:file { read execute open execute_no_trans };
-allow factory vendor_toolbox_exec:file { execute_no_trans };
-allow factory labeledfs:filesystem { unmount };
-allow factory proc_cmdline:file { read open getattr };
-allow factory factory:capability { sys_boot sys_admin};
-allow factory sysfs_dt_firmware_android:file { read open getattr };
-allow factory sysfs_dt_firmware_android:dir { read open search };
-# Purpose : Allow factory to communicate with driver thru socket
-allow factory factory:capability { sys_module net_admin net_raw };
-
-# For power_supply and switch permission
-r_dir_file(factory, sysfs_batteryinfo)
-r_dir_file(factory, sysfs_switch)
-
-# Date : WK18.27
-# Operation: P migration
-# Purpose : Allow factory to save test report to /data/vendor
-allow factory vendor_data_file:dir { add_name read write};
-allow factory vendor_data_file:file { create read write open };
-
-# Date : WK18.31
-# Operation: P migration
-# Purpose : Refine policy
-allow factory sysfs_mmcblk:dir { search };
-allow factory sysfs_mmcblk:file { read getattr open };
-
-# Date : WK18.37
-# Operation: P migration
-# Purpose : ADSP SmartPA calibration
-allow factory vendor_file:file execute_no_trans;
-allow factory mtk_audiohal_data_file:dir create_dir_perms;
-allow factory mtk_audiohal_data_file:file { write create unlink r_file_perms };
-
-#Date : WK18.37
-# Operation: P migration
-# Purpose : Allow factory to open /proc/version
-allow factory proc_version:file {read open getattr};
-
-# Purpose : adsp
-allow factory adsp_device:chr_file rw_file_perms;
-
-# Purpose : NFC
-allow factory vendor_nfc_socket:dir { write add_name remove_name search };
-allow factory vendor_nfc_socket:sock_file { create write unlink setattr };
-
-# Allow to get AOSP property persist.radio.multisim.config
-get_prop(factory, exported3_radio_prop)
-
diff --git a/r_non_plat/fastbootd.te b/r_non_plat/fastbootd.te
deleted file mode 100644
index cb6708d..0000000
--- a/r_non_plat/fastbootd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# fastbootd (used in recovery init.rc for /sbin/fastbootd)
-
-
-allow fastbootd {
- bootdevice_block_device
- cache_block_device
- logo_block_device
- para_block_device
- }:blk_file { rw_file_perms };
-
-allow fastbootd {
- sysfs_boot_type
-}:file { rw_file_perms };
-
-allowxperm fastbootd {
- bootdevice_block_device
- cache_block_device
- logo_block_device
- para_block_device
- }:blk_file ioctl {
- BLKSECDISCARD
- BLKDISCARD
- MMC_IOCTLCMD
- };
-
diff --git a/r_non_plat/file.te b/r_non_plat/file.te
deleted file mode 100644
index d43727c..0000000
--- a/r_non_plat/file.te
+++ /dev/null
@@ -1,416 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -type custom_file, file_type, data_file_type; -type lost_found_data_file, file_type, data_file_type; -type dontpanic_data_file, file_type, data_file_type; -type resource_cache_data_file, file_type, data_file_type; -type http_proxy_cfg_data_file, file_type, data_file_type; -type acdapi_data_file, file_type, data_file_type; -type ppp_data_file, file_type, data_file_type; -type wpa_supplicant_data_file, file_type, data_file_type; -type radvd_data_file, file_type, data_file_type; -type volte_vt_socket, file_type; -type dfo_socket, file_type; -type gsmrild_socket, file_type; -type rild2_socket, file_type; -type rild3_socket, file_type; -type rild4_socket, file_type; -type rild_mal_socket, file_type; -type rild_mal_at_socket, file_type; -type rild_mal_md2_socket, file_type; -type rild_mal_at_md2_socket, file_type; -type rild_ims_socket, file_type; -type rild_imsm_socket, file_type; -type rild_oem_socket, file_type; -type rild_mtk_ut_socket, file_type; -type rild_mtk_ut_2_socket, file_type; -type rild_mtk_modem_socket, file_type; -type rild_md2_socket, file_type; -type rild2_md2_socket, file_type; -type rild_debug_md2_socket, file_type; -type rild_oem_md2_socket, file_type; -type rild_mtk_ut_md2_socket, file_type; -type rild_mtk_ut_2_md2_socket, file_type; -type rild_mtk_modem_md2_socket, file_type; -type rild_vsim_socket, file_type; -type rild_vsim_md2_socket, file_type; -type mal_mfi_socket, file_type; -type mal_data_file, file_type, data_file_type; -type netdiag_socket, file_type; -type wpa_wlan0_socket, file_type; -type soc_vt_imcb_socket, file_type; -type soc_vt_tcv_socket, file_type; -type soc_vt_stk_socket, file_type; -type soc_vt_svc_socket, file_type; -type dbus_bluetooth_socket, file_type; -type bt_int_adp_socket, file_type; -type bt_a2dp_stream_socket, file_type; -type bt_data_file, file_type, data_file_type; -type 
proc_thermal, fs_type, proc_type; -type proc_mtkcooler, fs_type, proc_type; -type proc_mtktz, fs_type, proc_type; -type proc_mtd, fs_type, proc_type; -type proc_slogger, fs_type, proc_type; -type proc_lk_env, fs_type, proc_type; -type proc_ged, fs_type, proc_type; -type proc_mtk_jpeg, fs_type, proc_type; -type proc_perfmgr, fs_type, proc_type; -type proc_wmtdbg, fs_type, proc_type; -type proc_zraminfo, fs_type, proc_type; -type proc_cpu_alignment, fs_type, proc_type; -type proc_gpulog, fs_type, proc_type; -type proc_sched_debug, fs_type, proc_type; -type proc_chip, fs_type, proc_type; -type proc_atf_log, fs_type, proc_type; -type proc_gz_log, fs_type, proc_type; -type proc_last_kmsg, fs_type, proc_type; -type proc_bootprof, fs_type, proc_type; -type proc_pl_lk, fs_type, proc_type; -type proc_msdc_debug, fs_type, proc_type; -type proc_ufs_debug, fs_type, proc_type; -type proc_pidmap, fs_type, proc_type; -type proc_slabtrace, fs_type, proc_type; -type proc_cmdq_debug, fs_type, proc_type; -type proc_isp_p2, fs_type, proc_type; -type proc_dbg_repo, fs_type, proc_type; -type proc_isp_p2_dump, fs_type, proc_type; -type proc_isp_p2_kedump, fs_type, proc_type; -type proc_memory_usage, fs_type, proc_type; -type proc_mtk_es_reg_dump, fs_type, proc_type; -type sysfs_execstate, fs_type, sysfs_type; -type sysfs_therm, fs_type, sysfs_type; -type sysfs_fps, fs_type, sysfs_type; -type sysfs_ccci, fs_type, sysfs_type; -type sysfs_mdinfo, fs_type,sysfs_type; -type sysfs_ssw, fs_type,sysfs_type; -type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type; -type sysfs_md32, fs_type, sysfs_type; -type sysfs_scp, fs_type, sysfs_type; -type sysfs_adsp, fs_type, sysfs_type; -type sysfs_sspm, fs_type, sysfs_type; -type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject; -type sysfs_dcm, fs_type, sysfs_type; -type sysfs_dcs, fs_type, sysfs_type; -type sysfs_vcore_debug, fs_type, sysfs_type; -type agpsd_socket, file_type; -type agpsd_data_file, file_type, data_file_type; -type mnld_socket, file_type; 
-type mnld_data_file, file_type, data_file_type; -type gps_data_file, file_type, data_file_type; -type MPED_socket, file_type; -type MPED_data_file, file_type, data_file_type; -type sysctl_socket, file_type; -type backuprestore_socket, file_type; -type protect_f_data_file, file_type, data_file_type; -type protect_s_data_file, file_type, data_file_type; -type persist_data_file, file_type, data_file_type; -type nvram_data_file, file_type, data_file_type; -type nvdata_file, file_type, data_file_type; -type nvcfg_file, file_type, data_file_type; -type cct_data_file, file_type, data_file_type; -type mediaserver_data_file, file_type, data_file_type; -type mediacodec_data_file, file_type, data_file_type; -type connsyslog_data_vendor_file, file_type, data_file_type; - -#mobilelog data/misc/mblog -type logmisc_data_file, file_type, data_file_type, core_data_file_type; - -#mobilelog data/log_temp -type logtemp_data_file, file_type, data_file_type, core_data_file_type; - -# NE core_forwarder -type aee_core_data_file, file_type, data_file_type, core_data_file_type; -type aee_core_vendor_file, file_type, data_file_type; - -# AEE exp -type aee_exp_data_file, file_type, data_file_type, core_data_file_type; -type aee_exp_vendor_file, file_type, data_file_type; -type aee_dumpsys_data_file, file_type, data_file_type, core_data_file_type; -type aee_dumpsys_vendor_file, file_type, data_file_type; - -# SF rtt dump -type sf_rtt_file, file_type, data_file_type, core_data_file_type; - -#for 3Gdongle -type rild-dongle_socket, file_type; - -type ccci_cfg_file, file_type, data_file_type; -type ccci_data_md1_file, file_type, data_file_type; -type c2k_file, file_type, data_file_type; -#For sensor -type sensor_data_file, file_type, data_file_type; -type stp_dump_data_file, file_type, data_file_type; -type sysfs_keypad_file, fs_type, sysfs_type; -type rild_via_socket, file_type; -type rpc_socket, file_type; -type rild_ctclient_socket, file_type; -#For icusb -type proc_icusb, fs_type, proc_type; 
- -# for labeling /mnt/cd-rom as iso9660 -type iso9660, fs_type; - -# data_tmpfs_log -type data_tmpfs_log_file, file_type, data_file_type, core_data_file_type; -type vendor_tmpfs_log_file, file_type, data_file_type; - -# rawfs for /protect_f on NAND projects -type rawfs, fs_type, mlstrustedobject; - -# fat on nand fat.img -type fon_image_data_file, file_type, data_file_type; - -# ims ipsec config file -type ims_ipsec_data_file, file_type, data_file_type; - -# thermal manager config file -type thermal_manager_data_file, file_type, data_file_type; - -# adbd config file -type adbd_data_file, file_type, data_file_type, core_data_file_type; - -#autokd data file -type autokd_data_file, file_type, data_file_type; - -#fuse -type fuseblk,sdcard_type,fs_type,mlstrustedobject; - -# for mt-ramdump reset -type proc_mrdump_rst, fs_type, proc_type; - -# battery_cmd file -type proc_battery_cmd, fs_type, proc_type; - -# binder debugfs file -type debugfs_binder, fs_type, debugfs_type; - -# blockio debugfs file -type debugfs_blockio, fs_type, debugfs_type; - -# fuseio debugfs file -type debugfs_fuseio, fs_type, debugfs_type; - -# usb debugfs file -type debugfs_usb, fs_type, debugfs_type; - -# display debugfs file -type debugfs_fb, fs_type, debugfs_type; - -# cpuhvfs debugfs file -type debugfs_cpuhvfs, fs_type, debugfs_type; - -#for engineermode Usb PHY Tuning -type debugfs_usb20_phy, fs_type, debugfs_type; - -# dynamic_debug debugfs file -type debugfs_dynamic_debug, fs_type, debugfs_type; - -# shrinker debugfs file -type debugfs_shrinker_debug, fs_type, debugfs_type; - -# dmlog debugfs file -type debugfs_dmlog_debug, fs_type, debugfs_type; - -# page_owner_slim debugfs file -type debugfs_page_owner_slim_debug, fs_type, debugfs_type; - -# rcu debugfs file -type debugfs_rcu, fs_type, debugfs_type; - -# gpu debugfs file -type debugfs_ged, fs_type, debugfs_type; - -# fpsgo debugfs file -type debugfs_fpsgo, fs_type, debugfs_type; - -# eara_thermal debugfs file -type debugfs_eara_thermal, 
fs_type, debugfs_type; - -# vpu debugfs file -type debugfs_vpu_power, fs_type, debugfs_type; -type debugfs_vpu_memory, fs_type, debugfs_type; - -# mdla debugfs file -type debugfs_mdla_power, fs_type, debugfs_type; - -# memtrack debugfs file -type debugfs_gpu_mali_midgard, fs_type, debugfs_type; -type debugfs_gpu_mali_utgard, fs_type, debugfs_type; -type debugfs_gpu_img, fs_type, debugfs_type; -type debugfs_ion, fs_type, debugfs_type; - -# /sys/kernel/debug/ion/ion_mm_heap -type debugfs_ion_mm_heap, fs_type, debugfs_type; - -# /sys/kernel/debug/emi_mbw/dump_buf -type debugfs_emi_mbw_buf, fs_type, debugfs_type; - -# /sys/kernel/debug/vpu/device_dbg -type debugfs_vpu_device_dbg, fs_type, debugfs_type; - -# /sys/kernel/debug/kmemleak -type debugfs_kmemleak, fs_type, debugfs_type; - -###################################### -# core domain file data - -# SF bqdump -type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type; -type nfc_socket, file_type, data_file_type, core_data_file_type; -type vendor_nfc_socket, file_type, data_file_type; -# factory data file -type factory_data_file, file_type, data_file_type, core_data_file_type; -# Modem Log folder -type mdlog_data_file, file_type, data_file_type, core_data_file_type; - -# MTK audio HAL folder -type mtk_audiohal_data_file, file_type, data_file_type; - -# MTK Power HAL folder -type mtk_powerhal_data_file, file_type, data_file_type; - -# Date : WK1743 -# Purpose : for meta_tst copy MD DB from MD image -type mddb_data_file, file_type, data_file_type; - -# Date : WK1814 -# Purpose : for factory to get boot mode and type -type sysfs_boot_mode, fs_type, sysfs_type; -type sysfs_boot_type, fs_type, sysfs_type; - -# consys Log folder -type consyslog_data_file, file_type, data_file_type, core_data_file_type; - -# Date : WK1817 -# Purpose : for meta to get com port type and uart port info -type sysfs_comport_type, fs_type, sysfs_type; -type sysfs_uart_info, fs_type, sysfs_type; -type sysfs_usb_cmode, fs_type, 
sysfs_type; - -# Date : WK1820 -# Purpose : for charger to access vbus info and pump_express -type sysfs_vbus, fs_type, sysfs_type; -type sysfs_pump_express, fs_type, sysfs_type; - -# Widevine move data/mediadrm folder from system to vendor -type mediadrm_vendor_data_file, file_type, data_file_type; - -# mtk usb hal -type sysfs_dual_role_usb20, fs_type, sysfs_type; - -# lbs debug file -#type lbs_dbg_data_file, file_type, data_file_type, core_data_file_type; - -# Touch parameters file -type sysfs_tpd_setting, fs_type, sysfs_type; -type sysfs_tpd_debug, fs_type, sysfs_type; - -# Date : 2018/06/11 -# Purpose : mtk EM FreqHopping setting -type proc_freqhop, fs_type, proc_type; - -# Date : 2018/06/11 -# Purpose : mtk EM flash reading -type proc_flash, fs_type, proc_type; -type proc_partition, fs_type, proc_type; - -# Date : 2018/06/11 -# Purpose : mtk EM PMU reading/setting -type sysfs_pmu, fs_type, sysfs_type; - -# Date : 2018/06/11 -# Purpose : mtk EM Power debug_log setting -type sysfs_spm, fs_type, sysfs_type; - -# Date : 2018/06/11 -# Purpose : mtk EM Audio headset detect -type sysfs_headset, fs_type, sysfs_type; - -# socket between atci_service and audio-daemon -type atci-audio_socket, file_type; - -# ATCI socket types -type rild_atci_socket, file_type; -type rilproxy_atci_socket, file_type; -type atci_service_socket, file_type; -type adb_atci_socket, file_type; - -# EM Power PMU register reading/setting -type debugfs_regmap, fs_type, debugfs_type; - -# Date : 2018/11/01 -# Purpose : mtk EM c2k bypass read usb file -type sys_usb_rawbulk, fs_type, sysfs_type; - -# Backlight brightness file -type sysfs_leds_setting, fs_type, sysfs_type; - -# Vibrator vibrate file -type sysfs_vibrator_setting, fs_type, sysfs_type; - -# Date : 2019/04/09 -# Purpose: mtk EM battery settings -type sysfs_battery_temp, fs_type, sysfs_type; -type sysfs_battery_consumption, fs_type, sysfs_type; -type sysfs_power_on_vol, fs_type, sysfs_type; -type sysfs_power_off_vol, fs_type, sysfs_type; 
-type sysfs_fg_disable, fs_type, sysfs_type; -type sysfs_dis_nafg, fs_type, sysfs_type; - -# drm key manager -type provision_file, file_type, data_file_type; -type key_install_data_file, file_type, data_file_type; - -# Date : WK18.16 -# Purpose: Android Migration -type sysfs_mmcblk, fs_type, sysfs_type; -type sysfs_mmcblk1, fs_type, sysfs_type; - -type aee_dipdebug_vendor_file, file_type, data_file_type; - -type netd_socket, file_type, coredomain_socket; - -# Date : WK19.27 -# Purpose: Android Migration for SVP -type proc_m4u, fs_type, proc_type; - -# Date : 2019/08/15 -type debugfs_smi_mon, fs_type, debugfs_type; - -# Date : WK19.34 -# Purpose: Android Migration for video codec driver -type vcodec_file, file_type, data_file_type; - -# Date : 2019/08/24 -type sysfs_sensor, fs_type, sysfs_type; - -#MTEE trusty -type mtee_trusty_file, fs_type, sysfs_type; - -# Date : 2019/08/29 -# Purpose: Allow rild access proc/aed/reboot-reason -type proc_aed_reboot_reason, fs_type, proc_type; - -# Date : 2019/09/05 -# Purpose: Allow powerhal to control kernel resources -type proc_ppm, fs_type, proc_type; -type proc_cpufreq, fs_type, proc_type; -type proc_hps, fs_type, proc_type; -type proc_cm_mgr, fs_type, proc_type; -type proc_ca_drv, fs_type, proc_type; -type sysfs_ged, fs_type, sysfs_type; -type sysfs_fbt_cpu, fs_type, sysfs_type; -type sysfs_fbt_fteh, fs_type, sysfs_type; - -# Date : WK19.38 -# Purpose: Android Migration for video codec driver -type sysfs_device_tree_model, fs_type, sysfs_type; - -# Date : 2019/10/22 -# Purpose : allow aee_aedv write /sys/module/mrdump/parameters/lbaooo -type sysfs_mrdump_lbaooo, fs_type, sysfs_type; -# Date : 2019/12/12 -# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/* -type sysfs_concurrency_scenario, fs_type, sysfs_type; diff --git a/r_non_plat/file_contexts b/r_non_plat/file_contexts deleted file mode 100644 index 4630713..0000000 --- a/r_non_plat/file_contexts +++ /dev/null 
@@ -1,686 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -############################ -# A/B system -/enableswap.sh u:object_r:rootfs:s0 -/factory_init\..* u:object_r:rootfs:s0 -/meta_init\..* u:object_r:rootfs:s0 -/multi_init\..* u:object_r:rootfs:s0 - -############################# -# Custom files -(/vendor)?/custom(/.*)? u:object_r:custom_file:s0 -/dev/socket/netd u:object_r:netd_socket:s0 - - -############################# -# Data files -# -/data/vendor/.tp(/.*)? u:object_r:thermal_manager_data_file:s0 -/data/vendor_de/meta(/.*)? u:object_r:mddb_data_file:s0 -/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0 -/data/vendor/aee_exp(/.*)? u:object_r:aee_exp_vendor_file:s0 -/data/vendor/agps_supl(/.*)? u:object_r:agpsd_data_file:s0 -#/data/mnl_flp(/.*)? u:object_r:mnld_data_file:s0 -#/data/mnl_gfc(/.*)? u:object_r:mnld_data_file:s0 -/data/vendor/gps(/.*)? u:object_r:gps_data_file:s0 -/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0 -/data/vendor/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0 -/data/vendor/mdlpm(/.*)? u:object_r:ccci_data_md1_file:s0 -/data/vendor/flashless(/.*)? u:object_r:c2k_file:s0 -/data/core(/.*)? u:object_r:aee_core_data_file:s0 -/data/vendor/core(/.*)? u:object_r:aee_core_vendor_file:s0 -#/data/dontpanic(/.*)? u:object_r:dontpanic_data_file:s0 -/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0 -/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_vendor_file:s0 -/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0 -#/data/http-proxy-cfg(/.*)? u:object_r:http_proxy_cfg_data_file:s0 -/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0 -#/data/lost\+found(/.*)? u:object_r:lost_found_data_file:s0 -/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0 -/data/mdl(/.*)? u:object_r:mdlog_data_file:s0 -/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0 -#/data/mediaserver(/.*)? u:object_r:mediaserver_data_file:s0 -#/data/mediacodec(/.*)? 
u:object_r:mediacodec_data_file:s0 -#/data/.tp(/.*)? u:object_r:thermal_manager_data_file:s0 -/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0 -/data/vendor/nfc_socket(/.*)? u:object_r:vendor_nfc_socket:s0 -#/data/nvram(/.*)? u:object_r:nvram_data_file:s0 -#/data/cct(/.*)? u:object_r:cct_data_file:s0 -/data/vendor/md3(/.*)? u:object_r:c2k_file:s0 -#/data/mal(/.*)? u:object_r:mal_data_file:s0 -/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0 -/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 -/data/vendor/data_tmpfs_log(/.*)? u:object_r:vendor_tmpfs_log_file:s0 -#/data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 -#/data/tmp_mnt/vendor/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0 -#/data/setkey.conf u:object_r:ims_ipsec_data_file:s0 -#/data/setkey_bak.conf u:object_r:ims_ipsec_data_file:s0 -#/data/setkey_latest.conf u:object_r:ims_ipsec_data_file:s0 -/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0 -/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0 -#/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0 -/data/connsyslog(/.*)? u:object_r:consyslog_data_file:s0 -/data/vendor/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0 -/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 -/data/vendor/dipdebug(/.*)? u:object_r:aee_dipdebug_vendor_file:s0 -/data/vendor/key_provisioning(/.*)? u:object_r:key_install_data_file:s0 -/data/vendor/vcodec(/.*)? u:object_r:vcodec_file:s0 - -# Misc data -#/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0 -/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0 -#/data/misc/ppp(/.*)? u:object_r:ppp_data_file:s0 -#/data/misc/radvd(/.*)? u:object_r:radvd_data_file:s0 -/data/vendor/sensor(/.*)? u:object_r:sensor_data_file:s0 -#/data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0 - -# Wallpaper file for smartbook -/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0 - -/data/vendor/connsyslog(/.*)? 
u:object_r:connsyslog_data_vendor_file:s0 - -# nvdata -/mnt/vendor/nvdata(/.*)? u:object_r:nvdata_file:s0 -/mnt/vendor/nvcfg(/.*)? u:object_r:nvcfg_file:s0 - -# protected data file -/mnt/vendor/protect_f(/.*)? u:object_r:protect_f_data_file:s0 -/mnt/vendor/protect_s(/.*)? u:object_r:protect_s_data_file:s0 -/mnt/vendor/persist(/.*)? u:object_r:persist_data_file:s0 - -#fat on nand image -/fat(/.*)? u:object_r:fon_image_data_file:s0 - -########################## -# Devices -# -/dev/aal_als(/.*)? u:object_r:aal_als_device:s0 -/dev/accdet(/.*)? u:object_r:accdet_device:s0 -/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0 -/dev/aed[0-9]+ u:object_r:aed_device:s0 -/dev/ampc0(/.*)? u:object_r:ampc0_device:s0 -/dev/android(/.*)? u:object_r:android_device:s0 -/dev/block/zram0 u:object_r:swap_block_device:s0 -/dev/block/platform/bootdevice/by-name/otp u:object_r:otp_part_block_device:s0 -/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0 -/dev/bootimg(/.*)? u:object_r:bootimg_device:s0 -/dev/BOOT(/.*)? u:object_r:BOOT_device:s0 -/dev/btif(/.*)? u:object_r:btif_device:s0 -/dev/btn(/.*)? u:object_r:btn_device:s0 -/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0 -/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0 -/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0 -/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0 -/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0 -/dev/cache(/.*)? u:object_r:cache_device:s0 -/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0 -/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0 -/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0 -/dev/gz_kree(/.*)? u:object_r:gz_device:s0 -/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0 -/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0 -/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0 -/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0 -/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0 -/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0 -/dev/camera-gepf(/.*)? 
u:object_r:camera_gepf_device:s0 -/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0 -/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0 -/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0 -/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0 -/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0 -/dev/ccu(/.*)? u:object_r:ccu_device:s0 -/dev/vpu(/.*)? u:object_r:vpu_device:s0 -/dev/mdlactl(/.*)? u:object_r:mdla_device:s0 -/dev/ccci_monitor u:object_r:ccci_monitor_device:s0 -/dev/ccci.* u:object_r:ccci_device:s0 -/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0 -/dev/devmap(/.*)? u:object_r:devmap_device:s0 -/dev/dri(/.*)? u:object_r:gpu_device:s0 -/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0 -/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0 -/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0 -/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0 -/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0 -/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0 -/dev/WV511AAF(/.*)? u:object_r:lens_device:s0 -/dev/ebc(/.*)? u:object_r:ebc_device:s0 -/dev/usip(/.*)? u:object_r:ebc_device:s0 -/dev/ebr[0-9]+ u:object_r:ebr_device:s0 -/dev/eemcs.* u:object_r:eemcs_device:s0 -/dev/emd.* u:object_r:emd_device:s0 -/dev/etb u:object_r:etb_device:s0 -/dev/exm0(/.*)? u:object_r:exm0_device:s0 -/dev/expdb(/.*)? u:object_r:expdb_device:s0 -/dev/fat(/.*)? u:object_r:fat_device:s0 -/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0 -/dev/fm(/.*)? u:object_r:fm_device:s0 -/dev/fw_log_wmt u:object_r:fw_log_wmt_device:s0 -/dev/fw_log_wifi u:object_r:fw_log_wifi_device:s0 -#/dev/gps(/.*)? u:object_r:gps_device:s0 -/dev/geofence(/.*)? u:object_r:geo_device:s0 -/dev/fw_log_gps u:object_r:fw_log_gps_device:s0 -#/dev/mt3337_gpsonly u:object_r:gps_device:s0 -/dev/hdmitx(/.*)? u:object_r:graphics_device:s0 -/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0 -/dev/ion(/.*)? u:object_r:ion_device:s0 -/dev/kd_camera_flashlight(/.*)? 
u:object_r:kd_camera_flashlight_device:s0 -/dev/flashlight(/.*)? u:object_r:flashlight_device:s0 -/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0 -/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0 -/dev/seninf(/.*)? u:object_r:seninf_device:s0 -/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0 -/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0 -/dev/logo(/.*)? u:object_r:logo_device:s0 -/dev/loop-control(/.*)? u:object_r:loop-control_device:s0 -/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0 -/dev/mali.* u:object_r:gpu_device:s0 -/dev/MATV(/.*)? u:object_r:MATV_device:s0 -/dev/mbr(/.*)? u:object_r:mbr_device:s0 -/dev/md32(/.*)? u:object_r:md32_device:s0 -/dev/scp(/.*)? u:object_r:scp_device:s0 -/dev/scp_B(/.*)? u:object_r:scp_device:s0 -/dev/sspm(/.*)? u:object_r:sspm_device:s0 -/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0 -/dev/misc(/.*)? u:object_r:misc_device:s0 -/dev/misc2(/.*)? u:object_r:misc2_device:s0 -/dev/MJC(/.*)? u:object_r:MJC_device:s0 -/dev/mmp(/.*)? u:object_r:mmp_device:s0 -/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0 -/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0 -/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0 -/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0 -/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0 -/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0 -/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0 -/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0 -/dev/mt6605 u:object_r:mt6605_device:s0 -/dev/st21nfc u:object_r:st21nfc_device:s0 -/dev/st54spi u:object_r:st54spi_device:s0 -/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0 -/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0 -/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0 -/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0 -/dev/mtk_disp.* u:object_r:graphics_device:s0 -/dev/mtkfb_vsync(/.*)? 
u:object_r:graphics_device:s0 -/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0 -/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0 -/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0 -/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0 -/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0 -/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0 -/dev/mdp_device(/.*)? u:object_r:mdp_device:s0 -/dev/mdp_sync(/.*)? u:object_r:mtk_mdp_device:s0 -/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0 -/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0 -/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0 -/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0 -/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0 -/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0 -/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0 -/dev/network.* u:object_r:network_device:s0 -/dev/nvram(/.*)? u:object_r:nvram_device:s0 -/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0 -/dev/otp u:object_r:otp_device:s0 -/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0 -/dev/pmt(/.*)? u:object_r:pmt_device:s0 -/dev/preloader(/.*)? u:object_r:preloader_device:s0 -/dev/pro_info(/.*)? u:object_r:pro_info_device:s0 -/dev/protect_f(/.*)? u:object_r:protect_f_device:s0 -/dev/protect_s(/.*)? u:object_r:protect_s_device:s0 -/dev/psaux(/.*)? u:object_r:psaux_device:s0 -/dev/ptmx(/.*)? u:object_r:ptmx_device:s0 -/dev/ptyp.* u:object_r:ptyp_device:s0 -/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0 -/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0 -/dev/recovery(/.*)? u:object_r:recovery_device:s0 -/dev/rfkill(/.*)? u:object_r:rfkill_device:s0 -/dev/rtc[0-9]+ u:object_r:rtc_device:s0 -/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0 -/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0 -/dev/seccfg(/.*)? u:object_r:seccfg_device:s0 -/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0 -/dev/sec(/.*)? 
u:object_r:sec_device:s0 -/dev/tee1 u:object_r:tee_part_device:s0 -/dev/tee2 u:object_r:tee_part_device:s0 -/dev/sensor(/.*)? u:object_r:sensor_device:s0 -/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0 -/dev/snapshot(/.*)? u:object_r:snapshot_device:s0 -/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0 -/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0 -/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0 -/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0 -/dev/socket/atci-audio(/.*)? u:object_r:atci-audio_socket:s0 -/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0 -/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0 -/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0 -/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0 -/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0 -/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0 -/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0 -/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0 -/dev/socket/netd(/.*)? u:object_r:netd_socket:s0 -/dev/socket/mrild(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/mrild2(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/mrild3(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/rild-atci u:object_r:gsmrild_socket:s0 -/dev/socket/rild-mbim(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/sap_uim_socket(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_c2k_socket1(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_c2k_socket2(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_c2k_socket3(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/msap_c2k_socket4(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/sap_uim_socket1(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/sap_uim_socket2(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/sap_uim_socket3(/.*)? u:object_r:gsmrild_socket:s0 -/dev/socket/sap_uim_socket4(/.*)? 
u:object_r:gsmrild_socket:s0 -/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0 -/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0 -/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0 -/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0 -/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0 -/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0 -/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0 -/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0 -/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0 -/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0 -/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0 -/dev/socket/rild-vsim2(/.*)? u:object_r:rild_vsim_socket:s0 -/dev/socket/rild-vsim3(/.*)? u:object_r:rild_vsim_socket:s0 -/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0 -/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0 -/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0 -/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0 -/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0 -/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0 -/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0 -/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0 -/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0 -/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0 -/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0 -/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0 -/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0 -/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0 -/dev/socket/rild(/.*)? u:object_r:rild_socket:s0 -/dev/socket/rild-via u:object_r:rild_via_socket:s0 -/dev/socket/rildc-debug u:object_r:rild_via_socket:s0 -/dev/socket/rild-atci-c2k u:object_r:rild_via_socket:s0 -/dev/socket/mal-mfi(/.*)? 
u:object_r:mal_mfi_socket:s0 -/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0 -/dev/socket/rpc u:object_r:rpc_socket:s0 -/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0 -/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0 -/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0 -/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0 -/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0 -/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0 -/dev/stpant(/.*)? u:object_r:stpant_device:s0 -/dev/stpbt(/.*)? u:object_r:stpbt_device:s0 -/dev/fw_log_bt u:object_r:fw_log_bt_device:s0 -/dev/stpgps u:object_r:mnld_device:s0 -/dev/stpgps(/.*)? u:object_r:stpgps_device:s0 -/dev/gpsdl0 u:object_r:mnld_device:s0 -/dev/gpsdl0(/.*)? u:object_r:gpsdl_device:s0 -/dev/gpsdl1 u:object_r:mnld_device:s0 -/dev/gpsdl1(/.*)? u:object_r:gpsdl_device:s0 -/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0 -/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0 -/dev/tgt(/.*)? u:object_r:tgt_device:s0 -/dev/touch(/.*)? u:object_r:touch_device:s0 -/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0 -/dev/ttyC0 u:object_r:gsm0710muxd_device:s0 -/dev/ttyC1 u:object_r:mdlog_device:s0 -/dev/ttyC2 u:object_r:agps_device:s0 -/dev/ttyC3 u:object_r:icusb_device:s0 -/dev/ttyC6 u:object_r:nlop_device:s0 -/dev/ttyGS.* u:object_r:ttyGS_device:s0 -/dev/ttyMT.* u:object_r:ttyMT_device:s0 -/dev/ttyS.* u:object_r:ttyS_device:s0 -/dev/ttyp.* u:object_r:ttyp_device:s0 -/dev/ttySDIO.* u:object_r:ttySDIO_device:s0 -/dev/ttyUSB0 u:object_r:tty_device:s0 -/dev/ttyUSB1 u:object_r:tty_device:s0 -/dev/ttyUSB2 u:object_r:tty_device:s0 -/dev/ttyUSB3 u:object_r:tty_device:s0 -/dev/ttyUSB4 u:object_r:tty_device:s0 -/dev/TV-out(/.*)? u:object_r:TV_out_device:s0 -/dev/uboot(/.*)? u:object_r:uboot_device:s0 -/dev/uibc(/.*)? u:object_r:uibc_device:s0 -/dev/uinput(/.*)? u:object_r:uinput_device:s0 -/dev/uio0(/.*)? u:object_r:uio0_device:s0 -/dev/usrdata(/.*)? 
u:object_r:usrdata_device:s0 -/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0 -/dev/vmodem u:object_r:vmodem_device:s0 -/dev/vow(/.*)? u:object_r:vow_device:s0 -/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0 -/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0 -/dev/ancservice(/.*)? u:object_r:ancservice_device:s0 -/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0 -/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0 -/dev/adsp(/.*)? u:object_r:adsp_device:s0 -/dev/audio_scp(/.*)? u:object_r:audio_scp_device:s0 -/dev/irtx u:object_r:irtx_device:s0 -/dev/spm(/.*)? u:object_r:spm_device:s0 -/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0 -/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0 -/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0 -/dev/shf u:object_r:shf_device:s0 -/dev/ttyACM0 u:object_r:ttyACM_device:s0 -/dev/hrm u:object_r:hrm_device:s0 -/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 -/dev/nebula-ipc-dev0 u:object_r:tee_device:s0 -/dev/mbim u:object_r:mbim_device:s0 -/dev/alarm(/.*)? u:object_r:alarm_device:s0 -########################## -# Sensor common Devices Start -# -/dev/als_ps(/.*)? u:object_r:als_ps_device:s0 -/dev/barometer(/.*)? u:object_r:barometer_device:s0 -/dev/humidity(/.*)? u:object_r:humidity_device:s0 -/dev/gsensor(/.*)? u:object_r:gsensor_device:s0 -/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0 -/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0 -/dev/msensor(/.*)? u:object_r:msensor_device:s0 -/dev/biometric(/.*)? u:object_r:biometric_device:s0 -/dev/sensorlist(/.*)? u:object_r:sensorlist_device:s0 -########################## -# Sensor Devices Start -# -/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0 -########################## -# Sensor bio Devices Start -# -/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0 -/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0 -/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0 -/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0 -/dev/m_acc_misc(/.*)? 
u:object_r:m_acc_misc_device:s0 -/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0 -/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0 -/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0 -/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0 -/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0 -/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0 -/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0 -/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0 - -# block partition definitions -/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0 -/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0 -/dev/block/sda u:object_r:preloader_block_device:s0 -/dev/block/sdb u:object_r:preloader_block_device:s0 -/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0 -/dev/block/sdc u:object_r:bootdevice_block_device:s0 -/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0 -/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc u:object_r:misc_block_device:s0 
-/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para 
u:object_r:boot_para_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/super u:object_r:super_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? 
u:object_r:sspm_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0 -/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vbmeta(_system|_vendor)?(_[ab])? u:object_r:vbmeta_block_device:s0 - -/dev/block/platform/bootdevice/by-name/proinfo u:object_r:nvram_device:s0 -/dev/block/platform/bootdevice/by-name/nvram u:object_r:nvram_device:s0 -/dev/block/platform/bootdevice/by-name/nvdata u:object_r:nvdata_device:s0 -/dev/block/platform/bootdevice/by-name/frp u:object_r:frp_block_device:s0 -/dev/block/platform/bootdevice/by-name/expdb u:object_r:expdb_block_device:s0 -/dev/block/platform/bootdevice/by-name/misc2 u:object_r:misc2_block_device:s0 -/dev/block/platform/bootdevice/by-name/logo u:object_r:logo_block_device:s0 -/dev/block/platform/bootdevice/by-name/para u:object_r:para_block_device:s0 -/dev/block/platform/bootdevice/by-name/misc u:object_r:misc_block_device:s0 -/dev/block/platform/bootdevice/by-name/seccfg u:object_r:seccfg_block_device:s0 -/dev/block/platform/bootdevice/by-name/secro u:object_r:secro_block_device:s0 -/dev/block/platform/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0 -/dev/block/platform/bootdevice/by-name/cache u:object_r:cache_block_device:s0 -/dev/block/platform/bootdevice/by-name/recovery u:object_r:recovery_block_device:s0 -/dev/block/platform/bootdevice/by-name/protect1 u:object_r:protect1_block_device:s0 -/dev/block/platform/bootdevice/by-name/protect2 u:object_r:protect2_block_device:s0 -/dev/block/platform/bootdevice/by-name/keystore u:object_r:keystore_block_device:s0 -/dev/block/platform/bootdevice/by-name/persist u:object_r:persist_block_device:s0 -/dev/block/platform/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0 -/dev/block/platform/bootdevice/by-name/nvcfg u:object_r:nvcfg_block_device:s0 -/dev/block/platform/bootdevice/by-name/sec1 u:object_r:sec1_block_device:s0 
-/dev/block/platform/bootdevice/by-name/boot_para u:object_r:boot_para_block_device:s0 -/dev/block/platform/bootdevice/by-name/super u:object_r:super_block_device:s0 -/dev/block/platform/bootdevice/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0 -/dev/block/platform/bootdevice/by-name/system(_[ab])? u:object_r:system_block_device:s0 -/dev/block/platform/bootdevice/by-name/boot(_[ab])? u:object_r:boot_block_device:s0 -/dev/block/platform/bootdevice/by-name/odm(_[ab])? u:object_r:odm_block_device:s0 -/dev/block/platform/bootdevice/by-name/oem(_[ab])? u:object_r:oem_block_device:s0 -/dev/block/platform/bootdevice/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0 -/dev/block/platform/bootdevice/by-name/lk(_[ab])? u:object_r:lk_block_device:s0 -/dev/block/platform/bootdevice/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0 -/dev/block/platform/bootdevice/by-name/dtbo(_[ab])? u:object_r:dtbo_block_device:s0 -/dev/block/platform/bootdevice/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0 -/dev/block/platform/bootdevice/by-name/md1img(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/bootdevice/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0 -/dev/block/platform/bootdevice/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/bootdevice/by-name/md3img(_[ab])? u:object_r:md_block_device:s0 -/dev/block/platform/bootdevice/by-name/scp(_[ab])? u:object_r:scp_block_device:s0 -/dev/block/platform/bootdevice/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0 -/dev/block/platform/bootdevice/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0 -/dev/block/platform/bootdevice/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0 -/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0 -/dev/block/platform/bootdevice/by-name/vbmeta(_system|_vendor)?(_[ab])? 
u:object_r:vbmeta_block_device:s0 - -# Key manager -/dev/block/platform/soc/[0-9]+\.mmc/by-name/kb u:object_r:kb_block_device:s0 -/dev/block/platform/soc/[0-9]+\.mmc/by-name/dkb u:object_r:dkb_block_device:s0 - -# W19.23 Q new feature - Userdata Checkpoint -/dev/block/by-name/md_udc u:object_r:metadata_block_device:s0 - -############################# -# System files -# -/(system\/vendor|vendor)/bin/audiocmdservice_atci u:object_r:audiocmdservice_atci_exec:s0 -/(system\/vendor|vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0 -/(system\/vendor|vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0 -/(system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0 -/(system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0 -/(system\/vendor|vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0 -/(system\/vendor|vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0 -/(system\/vendor|vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0 -/(system\/vendor|vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0 -/(system\/vendor|vendor)/bin/MtkCodecService u:object_r:MtkCodecService_exec:s0 -/(system\/vendor|vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0 -/(system\/vendor|vendor)/bin/muxreport u:object_r:muxreport_exec:s0 -/(system\/vendor|vendor)/bin/nvram_agent_binder u:object_r:nvram_agent_binder_exec:s0 -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service u:object_r:nvram_agent_binder_exec:s0 -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.nvram@(.*)-service-lazy u:object_r:nvram_agent_binder_exec:s0 -/(system\/vendor|vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0 -/(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0 -/(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0 -/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0 -/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0 
-/(system\/vendor|vendor)/bin/meta_tst u:object_r:meta_tst_exec:s0 -/(system\/vendor|vendor)/bin/kisd u:object_r:kisd_exec:s0 - -/(system\/vendor|vendor)/bin/fm_hidl_service u:object_r:fm_hidl_service_exec:s0 -/(system\/vendor|vendor)/bin/wlan_assistant u:object_r:wlan_assistant_exec:s0 -/(system\/vendor|vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0 -/(system\/vendor|vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0 -/(system\/vendor|vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0 -/(system\/vendor|vendor)/bin/factory u:object_r:factory_exec:s0 - -/(system\/vendor|vendor)/bin/mnld u:object_r:mnld_exec:s0 -#/system/bin/connsyslogger u:object_r:connsyslogger_exec:s0 - -/(system\/vendor|vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-mediatek u:object_r:mtk_hal_gnss_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.audio@5\.0-service-mediatek u:object_r:mtk_hal_audio_exec:s0 -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mtkpower@1\.0-service u:object_r:mtk_hal_power_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@2\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0 -/(system\/vendor|vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0 -/(system\/vendor|vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek-lazy u:object_r:mtk_hal_light_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek u:object_r:hal_vibrator_default_exec:s0 
-/(system\/vendor|vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service-mediatek-lazy u:object_r:hal_vibrator_default_exec:s0 -/(system\/vendor|vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0 -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0 - -# Google Trusty system files -/(vendor|system\/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 - -#PQ hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.2-service u:object_r:mtk_hal_pq_exec:s0 -#MMS hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service u:object_r:mtk_hal_mms_exec:s0 -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.mms@1\.3-service-lazy u:object_r:mtk_hal_mms_exec:s0 -# Keymaster Attestation Hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0 -#ST NFC 1.2 hidl service -/(system\/vendor|vendor)/bin/hw/android\.hardware\.nfc@1\.2-service-st u:object_r:hal_nfc_default_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-st54spi u:object_r:st54spi_hal_secure_element_exec:s0 -# MTK Wifi Hal -/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-mediatek u:object_r:mtk_hal_wifi_exec:s0 -/(system\/vendor|vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy-mediatek u:object_r:mtk_hal_wifi_exec:s0 -# MTK USB hal -/(system\/vendor|vendor)/bin/hw/android\.hardware\.usb@1\.1-service-mediatek u:object_r:mtk_hal_usb_exec:s0 -# MTK OMAPI for UICC -/(system\/vendor|vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service-mediatek u:object_r:mtk_hal_secure_element_exec:s0 - -#gpu hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.gpu@1\.0-service u:object_r:mtk_hal_gpu_exec:s0 - -############################# -# System/bin files - -#hidl process merging 
-/(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0 - - -############################################### -# same-process HAL files and their dependencies -# -/vendor/lib(64)?/hw/gralloc\.mt[0-9]+[a-z]*\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/hw/vulkan\.mt[0-9]+\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libIMGegl\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libglslcompiler\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libPVRScopeServices\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libsrv_um\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libmpvr\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libusc\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libtqvalidate\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libPVROCL\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libufwriter\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libmemtrack_GL\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libPVRTrace\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libGLES_mali\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libgralloc_extra\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libgpu_aux\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libgpud\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libged\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libion_mtk\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libion_ulit\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/mtk_cache\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/hw/android\.hardware\.graphics\.mapper@2\.0-impl-2\.1\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libdpframework\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libpq_cust_base\.so 
u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/vendor\.mediatek\.hardware\.pq@[0-9]\.[0-9]\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libpq_prot\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libhdrvideo\.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libscltm\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libladder\.so u:object_r:same_process_hal_file:s0 - -/vendor/lib(64)?/libtflite_mtk.so u:object_r:same_process_hal_file:s0 - -/vendor/bin/hw/vendor\.mediatek\.hardware\.log@1\.0-service u:object_r:aee_hal_exec:s0 - -/vendor/bin/loghidlvendorservice u:object_r:loghidlvendorservice_exec:s0 - -/vendor/bin/em_hidl u:object_r:em_hidl_exec:s0 - -/vendor/bin/hw/modemdbfilter_service u:object_r:modemdbfilter_service_exec:s0 - -# Date: 2018/07/06 -# Purpose for same-process HAL files and their dependencies: libGLES_mali.so need libm4u.so on mali GPU. -/vendor/lib(64)?/libm4u\.so u:object_r:same_process_hal_file:s0 - -# Date: 2018/12/04 -# Purpose: Neuron runtime API and the dependencies -/vendor/lib(64)?/libneuron_platform.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libion_mtk.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/mtk_cache.so u:object_r:same_process_hal_file:s0 -/vendor/lib(64)?/libvpu.so u:object_r:same_process_hal_file:s0 - -# Date: 2019/01/21 -# Purpose: OpenCL feature requirments -/vendor/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 - -#MRDUMP -/dev/block/platform/bootdevice/by-name/mrdump(/.*)? 
u:object_r:mrdump_device:s0 - -# Date: 2019/07/16 -# hdmi hal -/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.hdmi@1\.0-service u:object_r:mtk_hal_hdmi_exec:s0 - -#Widevine drm hal(include lazy hal) -/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.widevine u:object_r:hal_drm_widevine_exec:s0 -/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.widevine u:object_r:hal_drm_widevine_exec:s0 -#Cleaarkey hal(include lazy hal) -/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 -/vendor/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service-lazy\.clearkey u:object_r:hal_drm_clearkey_exec:s0 - - -# Date : 2019/10/28 -# Purpose : move these contexts from plat_private/file_contexts -/(system\/vendor|vendor)/bin/aee_aedv u:object_r:aee_aedv_exec:s0 -/(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0 -/vendor/bin/aeev u:object_r:aee_aedv_exec:s0 diff --git a/r_non_plat/fm_hidl_service.te b/r_non_plat/fm_hidl_service.te deleted file mode 100644 index 30509ca..0000000 --- a/r_non_plat/fm_hidl_service.te +++ /dev/null @@ -1,19 +0,0 @@ -# Set a new domain -type fm_hidl_service, domain; - -# Set domain as server domain of mtk_hal_fm -hal_server_domain(fm_hidl_service, mtk_hal_fm) - -# Set exec file type -type fm_hidl_service_exec, exec_type, vendor_file_type, file_type; - -# Setup for domain transition -init_daemon_domain(fm_hidl_service) - -#add_hwservice(hal_fm_server, mtk_hal_fm_service) - -vndbinder_use(fm_hidl_service) - -#r_dir_file(fm_hidl_service, system_file) - -allow fm_hidl_service fm_device:chr_file { rw_file_perms }; \ No newline at end of file diff --git a/r_non_plat/fsck.te b/r_non_plat/fsck.te deleted file mode 100644 index 635d3c7..0000000 --- a/r_non_plat/fsck.te +++ /dev/null 
@@ -1,18 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK15.29 -# Operation : Migration -# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices. -allow fsck protect1_block_device:blk_file rw_file_perms; -allow fsck protect2_block_device:blk_file rw_file_perms; -allow fsck nvdata_device:blk_file rw_file_perms; -allow fsck persist_block_device:blk_file rw_file_perms; -allow fsck nvcfg_block_device:blk_file rw_file_perms; -allow fsck odm_block_device:blk_file rw_file_perms; -allow fsck oem_block_device:blk_file rw_file_perms; - -# Date : WK17.12 -# Purpose: Fix bootup fail -allow fsck system_block_device:blk_file getattr; diff --git a/r_non_plat/fuelgauged.te b/r_non_plat/fuelgauged.te deleted file mode 100644 index 332043a..0000000 --- a/r_non_plat/fuelgauged.te +++ /dev/null 
@@ -1,71 +0,0 @@ -# ============================================== -# Policy File of /system/bin/fuelgauged Executable File - -# ============================================== -# Type Declaration -# ============================================== -type fuelgauged ,domain; -type fuelgauged_exec , exec_type, file_type, vendor_file_type; -type fuelgauged_file, file_type, data_file_type; - -# ============================================== -# Android Policy Rule -# ============================================== - -# ============================================== -# NSA Policy Rule -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== - -init_daemon_domain(fuelgauged) - -# Data : WK14.43 -# Operation : Migration -# Purpose : Fuel Gauge daemon for access driver node -allow fuelgauged input_device:dir rw_dir_perms; -allow fuelgauged input_device:file r_file_perms; - -# Data : WK14.43 -# Operation : Migration -# Purpose : For meta tool calibration -allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms; - -# Data : WK14.43 -# Operation : Migration -# Purpose : For fg.log can be printed with kernel log -allow fuelgauged kmsg_device:chr_file w_file_perms; - -# Data : WK14.43 -# Operation : Migration -# Purpose : For fg daemon can comminucate with kernel -allow fuelgauged self:netlink_socket create; -allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl; -allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; - -# Data : WK16.39 -allow fuelgauged self:capability { chown fsetid }; - -# Date: W17.22 -# Operation : New Feature -# Purpose : Add for A/B system -allow fuelgauged kernel:system module_request; - -# Date: W18.03 -# Operation : change fuelgagued access from cache to nvcfg -# Purpose : add fuelgauged to nvcfg read write permit -allow fuelgauged nvcfg_file:dir { search write open read add_name 
create getattr}; -allow fuelgauged nvcfg_file:file { read write getattr open create }; - -# Date: W18.17 -# Operation : add label for /sys/devices/platform/battery(/.*) -# Purpose : add fuelgauged could access -r_dir_file(fuelgauged, sysfs_batteryinfo); - -# Date : WK18.21 -# Operation: P migration -# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init() -allow fuelgauged mnt_vendor_file:dir search; - diff --git a/r_non_plat/fuelgauged_nvram.te b/r_non_plat/fuelgauged_nvram.te deleted file mode 100644 index 1bf2585..0000000 --- a/r_non_plat/fuelgauged_nvram.te +++ /dev/null 
@@ -1,67 +0,0 @@ -# ============================================== -# Policy File of /system/bin/fuelgauged_nvram Executable File - -# ============================================== -# Type Declaration -# ============================================== -type fuelgauged_nvram ,domain; -type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type; -type fuelgauged_nvram_file, file_type, data_file_type; - -# ============================================== -# Android Policy Rule -# ============================================== - -# ============================================== -# NSA Policy Rule -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== - -init_daemon_domain(fuelgauged_nvram) - -# Data : WK16.21 -# Operation : New Feature -# Purpose : For fg daemon can do nvram r/w to save car_tune_value -allow fuelgauged_nvram nvdata_file:dir rw_dir_perms; -allow fuelgauged_nvram nvdata_file:file {rw_file_perms create_file_perms}; -allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms; -allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms; - -allow fuelgauged_nvram fuelgauged_file:dir rw_dir_perms; -allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms}; - -# Data : W16.43 -# Operation : New Feature -# Purpose : Change from /data to /cache -allow fuelgauged_nvram self:capability { chown }; -allow fuelgauged_nvram kmsg_device:chr_file { write open }; -allow fuelgauged_nvram self:capability fsetid; - -# Data : W17.34 -# Operation : New Feature -# Purpose : fgauge_nvram could use IOCTL -allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms; - -# Date: W18.03 -# Operation : change fuelgagued_nvram access from cache to nvcfg -# Purpose : add fuelgauged to nvcfg read write permit -# need add label -allow fuelgauged_nvram sysfs:file { read open }; -allow fuelgauged_nvram nvcfg_file:dir { search write open 
read add_name create getattr}; -allow fuelgauged_nvram nvcfg_file:file { read write getattr open create }; - -# Date: W18.17 -# Operation : add label for /sys/devices/platform/battery(/.*) -# Purpose : add fuelgauged could access -r_dir_file(fuelgauged_nvram, sysfs_batteryinfo) - - -# Date : WK18.21 -# Operation: P migration -# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init() -allow fuelgauged_nvram mnt_vendor_file:dir search; - -allow fuelgauged_nvram sysfs_boot_mode:file { open read }; diff --git a/r_non_plat/genfs_contexts b/r_non_plat/genfs_contexts deleted file mode 100644 index 003aa24..0000000 --- a/r_non_plat/genfs_contexts +++ /dev/null 
@@ -1,254 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-#############################
-# proc files
-#
-genfscon proc /driver/thermal u:object_r:proc_thermal:s0
-genfscon proc /thermlmt u:object_r:proc_thermal:s0
-genfscon proc /fps_tm u:object_r:proc_thermal:s0
-genfscon proc /wmt_tm u:object_r:proc_thermal:s0
-genfscon proc /mobile_tm u:object_r:proc_thermal:s0
-genfscon proc /bcctlmt u:object_r:proc_thermal:s0
-genfscon proc /battery_status u:object_r:proc_thermal:s0
-genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
-genfscon proc /mtktz u:object_r:proc_mtktz:s0
-genfscon proc /lk_env u:object_r:proc_lk_env:s0
-genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
-genfscon proc /driver/icusb u:object_r:proc_icusb:s0
-genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
-genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
-genfscon proc /mtd u:object_r:proc_mtd:s0
-genfscon proc /ged u:object_r:proc_ged:s0
-genfscon proc /mtk_jpeg u:object_r:proc_mtk_jpeg:s0
-genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
-genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0
-genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
-genfscon proc /gpulog u:object_r:proc_gpulog:s0
-genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
-genfscon proc /sched_debug u:object_r:proc_sched_debug:s0
-genfscon proc /chip/hw_ver u:object_r:proc_chip:s0
-genfscon proc /chip/info u:object_r:proc_chip:s0
-genfscon proc /atf_log u:object_r:proc_atf_log:s0
-genfscon proc /gz_log u:object_r:proc_gz_log:s0
-genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
-genfscon proc /bootprof u:object_r:proc_bootprof:s0
-genfscon proc /pl_lk u:object_r:proc_pl_lk:s0
-genfscon proc /msdc_debug u:object_r:proc_msdc_debug:s0
-genfscon proc /ufs_debug u:object_r:proc_ufs_debug:s0
-genfscon proc /pidmap u:object_r:proc_pidmap:s0
-genfscon proc /mtk_memcfg/slabtrace u:object_r:proc_slabtrace:s0
-genfscon proc /mtk_cmdq_debug/status u:object_r:proc_cmdq_debug:s0
-genfscon proc /cpuhvfs/dbg_repo u:object_r:proc_dbg_repo:s0
-
-# mtk EM FreqHopping setting
-genfscon proc /freqhopping/freqhopping_debug u:object_r:proc_freqhop:s0
-genfscon proc /freqhopping/status u:object_r:proc_freqhop:s0
-genfscon proc /freqhopping/dumpregs u:object_r:proc_freqhop:s0
-
-# mtk EM flash reading
-genfscon proc /partitions u:object_r:proc_partition:s0
-
-# Purpose dump not exit file
-genfscon proc /isp_p2/isp_p2_dump u:object_r:proc_isp_p2_dump:s0
-genfscon proc /isp_p2/isp_p2_kedump u:object_r:proc_isp_p2_kedump:s0
-genfscon proc /mali/memory_usage u:object_r:proc_memory_usage:s0
-genfscon proc /mtk_es_reg_dump u:object_r:proc_mtk_es_reg_dump:s0
-
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-genfscon proc /isp_p2 u:object_r:proc_isp_p2:s0
-
-# Date : WK19.27
-# Purpose: Android Migration for SVP
-genfscon proc /m4u u:object_r:proc_m4u:s0
-
-
-#############################
-# sysfs files
-#
-genfscon sysfs /bus/platform/drivers/mtk-kpd u:object_r:sysfs_keypad_file:s0
-genfscon sysfs /power/vcorefs/pwr_ctrl u:object_r:sysfs_vcorefs_pwrctrl:s0
-genfscon sysfs /power/dcm_state u:object_r:sysfs_dcm:s0
-genfscon sysfs /power/mtkdcs/mode u:object_r:sysfs_dcs:s0
-genfscon sysfs /power/mtkpasr/execstate u:object_r:sysfs_execstate:s0
-genfscon sysfs /mtk_ssw u:object_r:sysfs_ssw:s0
-
-# Date : 2018/06/15
-# Purpose : mtk EM Audio headset detect
-genfscon sysfs /bus/platform/drivers/Accdet_Driver/state u:object_r:sysfs_headset:s0
-genfscon sysfs /bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
-genfscon sysfs /bus/platform/drivers/meta_com_type_info/meta_com_type_info u:object_r:sysfs_comport_type:s0
-genfscon sysfs /bus/platform/drivers/meta_uart_port_info/meta_uart_port_info u:object_r:sysfs_uart_info:s0
-
-genfscon sysfs /devices/platform/battery u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/charger/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
-genfscon sysfs /devices/platform/battery/ADC_Charger_Voltage u:object_r:sysfs_vbus:s0
-genfscon sysfs /devices/platform/charger/Pump_Express u:object_r:sysfs_pump_express:s0
-genfscon sysfs /devices/platform/battery/Pump_Express u:object_r:sysfs_pump_express:s0
-genfscon sysfs /devices/platform/mt_charger/power_supply u:object_r:sysfs_batteryinfo:s0
-genfscon sysfs /devices/platform/mt-rtc/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt6359-rtc/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt6358-rtc/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/mt-pmic u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/1000d000.pwrap/mt-pmic u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6358-pmic/mt-pmic u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/1000d000.pwrap/1000d000.pwrap:mt6359-pmic/mt-pmic u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/mt6333-user u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/mt6311-user u:object_r:sysfs_pmu:s0
-genfscon sysfs /devices/platform/mt_usb/musb-hdrc/dual_role_usb u:object_r:sysfs_dual_role_usb20:s0
-genfscon sysfs /devices/platform/mt_usb/musb-hdrc/cmode u:object_r:sysfs_usb_cmode:s0
-
-genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_mode u:object_r:sysfs_boot_mode:s0
-genfscon sysfs /devices/virtual/BOOT/BOOT/boot/boot_type u:object_r:sysfs_boot_type:s0
-
-genfscon sysfs /devices/virtual/misc/md32 u:object_r:sysfs_md32:s0
-genfscon sysfs /devices/virtual/misc/scp u:object_r:sysfs_scp:s0
-genfscon sysfs /devices/virtual/misc/scp_B u:object_r:sysfs_scp:s0
-genfscon sysfs /devices/virtual/misc/sspm u:object_r:sysfs_sspm:s0
-genfscon sysfs /devices/virtual/misc/adsp u:object_r:sysfs_adsp:s0
-
-# Date : 2019/09/12
-genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_therm:s0
-genfscon sysfs /devices/class/thermal u:object_r:sysfs_therm:s0
-
-genfscon sysfs /devices/virtual/switch/fps u:object_r:sysfs_fps:s0
-
-genfscon sysfs /firmware/devicetree/base/chosen/atag,devinfo u:object_r:sysfs_devinfo:s0
-
-genfscon sysfs /kernel/ccci u:object_r:sysfs_ccci:s0
-
-# Date : 2018/06/15
-# Purpose : mtk EM touchscreen settings
-genfscon sysfs /module/tpd_debug u:object_r:sysfs_tpd_debug:s0
-genfscon sysfs /module/tpd_setting u:object_r:sysfs_tpd_setting:s0
-genfscon sysfs /power/vcorefs/vcore_debug u:object_r:sysfs_vcore_debug:s0
-genfscon sysfs /power/vcorefs/opp_table u:object_r:sysfs_vcore_debug:s0
-
-# Date: 2018/08/09
-#Purpose : MTK Vibrator
-genfscon sysfs /devices/virtual/timed_output/vibrator u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/odm/odm:vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/platform/leds-mt65xx/leds u:object_r:sysfs_leds:s0
-# Date : 2018/08/109
-# Purpose : mtk EM Power debug_log setting
-genfscon sysfs /devices/platform/spm u:object_r:sysfs_spm:s0
-
-# Date : 2018/11/01
-# Purpose : mtk EM c2k bypass read usb file
-genfscon sysfs /devices/virtual/usb_rawbulk u:object_r:sys_usb_rawbulk:s0
-
-#Date : 2018/11/22
-#Purpose: allow mdlogger to read mdinfo file
-genfscon sysfs /kernel/md/mdee u:object_r:sysfs_mdinfo:s0
-
-# Date : 2019/04/09
-# Purpose: mtk EM battery temprature settings
-genfscon sysfs /devices/platform/battery/Battery_Temperature u:object_r:sysfs_battery_temp:s0
-genfscon sysfs /devices/platform/battery/FG_Battery_CurrentConsumption u:object_r:sysfs_battery_consumption:s0
-genfscon sysfs /devices/platform/battery/Power_On_Voltage u:object_r:sysfs_power_on_vol:s0
-genfscon sysfs /devices/platform/battery/Power_Off_Voltage u:object_r:sysfs_power_off_vol:s0
-genfscon sysfs /devices/platform/battery/FG_daemon_disable u:object_r:sysfs_fg_disable:s0
-genfscon sysfs /devices/platform/battery/disable_nafg u:object_r:sysfs_dis_nafg:s0
-
-# Date : 2019/07/03
-# Purpose: SIU update mmcblk access
-genfscon sysfs /devices/platform/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/bootdevice/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-#genfscon sysfs /devices/platform/mtk-msdc.0/11230000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:0/block/sda u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:1/block/sdb u:object_r:sysfs_mmcblk:s0
-genfscon sysfs /devices/platform/bootdevice/host0/target0:0:0/0:0:0:2/block/sdc u:object_r:sysfs_mmcblk:s0
-
-# Date : 2019/07/12
-# Purpose:dumpstate mmcblk1 access
-genfscon sysfs /devices/platform/externdevice/mmc_host/mmc0 u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/platform/externdevice/mmc_host/mmc1 u:object_r:sysfs_devices_block:s0
-
-# Date : 2019/10/22
-# Purpose : mrdump_tool(copy_process by aee_aedv) need to write data to lbaooo
-genfscon sysfs /module/mrdump/parameters/lbaooo u:object_r:sysfs_mrdump_lbaooo:s0
-
-#############################
-# debugfs files
-#
-genfscon debugfs /binder u:object_r:debugfs_binder:s0
-genfscon debugfs /blockio u:object_r:debugfs_blockio:s0
-genfscon debugfs /cpuhvfs u:object_r:debugfs_cpuhvfs:s0
-genfscon debugfs /displowpower u:object_r:debugfs_fb:s0
-genfscon debugfs /disp u:object_r:debugfs_fb:s0
-genfscon debugfs /dispsys u:object_r:debugfs_fb:s0
-genfscon debugfs /dmlog u:object_r:debugfs_dmlog_debug:s0
-genfscon debugfs /dynamic_debug u:object_r:debugfs_dynamic_debug:s0
-genfscon debugfs /emi_mbw/dump_buf u:object_r:debugfs_emi_mbw_buf:s0
-genfscon debugfs /fbconfig u:object_r:debugfs_fb:s0
-genfscon debugfs /fpsgo u:object_r:debugfs_fpsgo:s0
-genfscon debugfs /fuseio u:object_r:debugfs_fuseio:s0
-genfscon debugfs /ged u:object_r:debugfs_ged:s0
-genfscon debugfs /ion/client_history u:object_r:debugfs_ion_mm_heap:s0
-genfscon debugfs /ion/clients u:object_r:debugfs_ion:s0
-genfscon debugfs /ion/heaps u:object_r:debugfs_ion_mm_heap:s0
-genfscon debugfs /ion/ion_mm_heap u:object_r:debugfs_ion_mm_heap:s0
-genfscon debugfs /kmemleak u:object_r:debugfs_kmemleak:s0
-genfscon debugfs /mali0/gpu_memory u:object_r:debugfs_gpu_mali_midgard:s0
-genfscon debugfs /mali/gpu_memory u:object_r:debugfs_gpu_mali_utgard:s0
-genfscon debugfs /mtkfb u:object_r:debugfs_fb:s0
-genfscon debugfs /mmprofile u:object_r:debugfs_fb:s0
-genfscon debugfs /musb-hdrc u:object_r:debugfs_usb:s0
-genfscon debugfs /page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0
-genfscon debugfs /pvr u:object_r:debugfs_gpu_img:s0
-genfscon debugfs /rcu u:object_r:debugfs_rcu:s0
-genfscon debugfs /shrinker u:object_r:debugfs_shrinker_debug:s0
-genfscon debugfs /usb20_phy u:object_r:debugfs_usb20_phy:s0
-genfscon debugfs /usb_c u:object_r:debugfs_usb:s0
-genfscon debugfs /vpu/device_dbg u:object_r:debugfs_vpu_device_dbg:s0
-
-# mtk VPU/MDLA power reading
-genfscon debugfs /vpu/power u:object_r:debugfs_vpu_power:s0
-genfscon debugfs /mdla/power u:object_r:debugfs_mdla_power:s0
-genfscon debugfs /vpu/vpu_memory u:object_r:debugfs_vpu_memory:s0
-
-# mtk eara thermal reading
-genfscon debugfs /eara_thermal/enable u:object_r:debugfs_eara_thermal:s0
-
-# mtk EM power PMU register
-genfscon debugfs /rt-regmap u:object_r:debugfs_regmap:s0
-
-# 2019/08/15
-genfscon debugfs /smi_mon u:object_r:debugfs_smi_mon:s0
-
-genfscon iso9660 / u:object_r:iso9660:s0
-genfscon rawfs / u:object_r:rawfs:s0
-genfscon fuseblk / u:object_r:fuseblk:s0
-
-# 2019/08/24
-genfscon sysfs /class/sensor u:object_r:sysfs_sensor:s0
-genfscon sysfs /devices/virtual/sensor u:object_r:sysfs_sensor:s0
-
-# MTEE trusty
-genfscon sysfs /devices/platform/trusty u:object_r:mtee_trusty_file:s0
-
-# Date : 2019/08/29
-# Purpose: allow rild to access /proc/aed/reboot-reason
-genfscon proc /aed/reboot-reason u:object_r:proc_aed_reboot_reason:s0
-
-
-# 2019/09/05
-# Purpose: Allow powerhal to control kernel resources
-genfscon proc /ppm u:object_r:proc_ppm:s0
-genfscon proc /cpufreq u:object_r:proc_cpufreq:s0
-genfscon proc /hps u:object_r:proc_hps:s0
-genfscon proc /cm_mgr u:object_r:proc_cm_mgr:s0
-genfscon proc /ca_drv u:object_r:proc_ca_drv:s0
-genfscon sysfs /module/ged u:object_r:sysfs_ged:s0
-genfscon sysfs /module/fbt_cpu u:object_r:sysfs_fbt_cpu:s0
-genfscon sysfs /module/fbt_fteh u:object_r:sysfs_fbt_fteh:s0
-
-# Date : WK19.38
-# Purpose: Android Migration for video codec driver
-genfscon sysfs /firmware/devicetree/base/model u:object_r:sysfs_device_tree_model:s0
-
-# Date : 2019/12/12
-# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
-genfscon sysfs /bus/platform/drivers/mem_bw_ctrl/concurrency_scenario u:object_r:sysfs_concurrency_scenario:s0
diff --git a/r_non_plat/gpuservice.te b/r_non_plat/gpuservice.te
deleted file mode 100644
index 0fa7d06..0000000
--- a/r_non_plat/gpuservice.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK19.31
-# Operation : Migration
-# Purpose : [ALPS04685294] com.google.android.graphics.gts.VulkanTest#checkVulkan1_1Requirements-fail
-allow gpuservice gpu_device:dir search;
diff --git a/r_non_plat/gsm0710muxd.te b/r_non_plat/gsm0710muxd.te
deleted file mode 100644
index 5afcd84..0000000
--- a/r_non_plat/gsm0710muxd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/gsm0710muxd Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type gsm0710muxd, domain;
-type gsm0710muxd_exec , exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(gsm0710muxd)
-
-# Capabilities assigned for gsm0710muxd
-allow gsm0710muxd self:capability { chown fowner setuid };
-
-# Property service
-# Set ctl.ril-daemon property
-set_prop(gsm0710muxd, ctl_rildaemon_prop)
-set_prop(gsm0710muxd, ctl_ril-daemon-mtk_prop)
-set_prop(gsm0710muxd, ctl_fusion_ril_mtk_prop)
-set_prop(gsm0710muxd, gsm0710muxd_prop)
-set_prop(gsm0710muxd, vendor_radio_prop)
-# allow set muxreport control properties
-set_prop(gsm0710muxd, ril_mux_report_case_prop)
-
-# Allow read/write to devices/files
-allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
-allow gsm0710muxd device:dir rw_dir_perms;
-allow gsm0710muxd device:lnk_file { create unlink };
-allow gsm0710muxd devpts:chr_file setattr;
-allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
-allow gsm0710muxd sysfs:file r_file_perms;
-
-# Allow read to sys/kernel/ccci/* files
-allow gsm0710muxd sysfs_ccci:dir search;
-allow gsm0710muxd sysfs_ccci:file r_file_perms;
-
-#Date: W1818
-#Purpose: allow rild access property of vendor_radio_prop
-set_prop(rild, vendor_radio_prop)
diff --git a/r_non_plat/hal_audio.te b/r_non_plat/hal_audio.te
deleted file mode 100644
index 9245891..0000000
--- a/r_non_plat/hal_audio.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date: 2019/06/14
-# Operation : Migration
-# Purpose : interface=android.hardware.audio::IDevicesFactory for hal_audio_hwservice
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
diff --git a/r_non_plat/hal_bootctl_default.te b/r_non_plat/hal_bootctl_default.te
deleted file mode 100644
index 5c2afda..0000000
--- a/r_non_plat/hal_bootctl_default.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Add for bootctl
-#============= hal_bootctl_default ==============
-allow hal_bootctl_default para_block_device:blk_file { read open write};
-allow hal_bootctl_default rootfs:file { read getattr open };
-allow hal_bootctl_default sysfs:dir { read open };
-allow hal_bootctl_default sysfs_boot_type:file { read open };
-allow hal_bootctl_default block_device:dir search;
-allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
-allow hal_bootctl_default bootdevice_block_device:blk_file rw_file_perms;
-allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl MMC_IOCTLCMD;
-allowxperm hal_bootctl_default bootdevice_block_device:blk_file ioctl UFS_IOCTLCMD;
-allow hal_bootctl_default proc_cmdline:file r_file_perms;
-allow hal_bootctl_default sysfs_boot_type:file r_file_perms;
-allow hal_bootctl_default self:capability sys_rawio;
\ No newline at end of file
diff --git a/r_non_plat/hal_cas_default.te b/r_non_plat/hal_cas_default.te
deleted file mode 100644
index 4e23d6b..0000000
--- a/r_non_plat/hal_cas_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Date : 2017/08/14
-# Operation : O1 Migration
-# Purpose : hal_cas_default needs to use vendor binder to communicate
-vndbinder_use(hal_cas_default);
-
diff --git a/r_non_plat/hal_drm_clearkey.te b/r_non_plat/hal_drm_clearkey.te
deleted file mode 100644
index 976b9fa..0000000
--- a/r_non_plat/hal_drm_clearkey.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# policy for /vendor/bin/hw/android.hardware.drm@1.1-service.clearkey
-type hal_drm_clearkey, domain;
-type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hal_drm_clearkey)
-
-hal_server_domain(hal_drm_clearkey, hal_drm)
-
-vndbinder_use(hal_drm_clearkey);
-
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
diff --git a/r_non_plat/hal_drm_default.te b/r_non_plat/hal_drm_default.te
deleted file mode 100644
index 465ec55..0000000
--- a/r_non_plat/hal_drm_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-vndbinder_use(hal_drm_default);
-
-#============= hal_drm_default ==============
-allow hal_drm_default debugfs_tracing:file write;
-allow hal_drm_default debugfs_ion:dir search;
-
diff --git a/r_non_plat/hal_drm_widevine.te b/r_non_plat/hal_drm_widevine.te
deleted file mode 100644
index c3705ba..0000000
--- a/r_non_plat/hal_drm_widevine.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# define SELinux domain
-type hal_drm_widevine, domain;
-hal_server_domain(hal_drm_widevine, hal_drm)
-
-type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_drm_widevine)
-
-allow hal_drm_widevine mediacodec:fd use;
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
-
-vndbinder_use(hal_drm_widevine);
-hal_client_domain(hal_drm_widevine, hal_graphics_composer);
-allow hal_drm_widevine hal_allocator_server:fd use;
-allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
-allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
-
diff --git a/r_non_plat/hal_gnss.te b/r_non_plat/hal_gnss.te
deleted file mode 100644
index eee7a92..0000000
--- a/r_non_plat/hal_gnss.te
+++ /dev/null
@@ -1,2 +0,0 @@
-#TODO:: work around solution, wait for correct solution from google
-vndbinder_use(hal_gnss)
diff --git a/r_non_plat/hal_gnss_default.te b/r_non_plat/hal_gnss_default.te
deleted file mode 100644
index 884aacf..0000000
--- a/r_non_plat/hal_gnss_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Communicate over a socket created by mnld process.
-allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
-allow hal_gnss_default mnld_data_file:sock_file rw_file_perms;
-allow hal_gnss_default mnld_data_file:dir create_file_perms;
-allow hal_gnss_default mnld_data_file:dir rw_dir_perms;
-
-allow hal_gnss_default mnld:unix_dgram_socket sendto;
diff --git a/r_non_plat/hal_gpu.te b/r_non_plat/hal_gpu.te
deleted file mode 100644
index 6020588..0000000
--- a/r_non_plat/hal_gpu.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_gpu_client, hal_gpu_server)
-binder_call(hal_gpu_server, hal_gpu_client)
-
-# give permission for hal client
-allow hal_gpu_client mtk_hal_gpu_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_graphics_allocator.te b/r_non_plat/hal_graphics_allocator.te
deleted file mode 100644
index 6da702d..0000000
--- a/r_non_plat/hal_graphics_allocator.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Date : WK17.13
-# Operation : Add sepolicy
-# Purpose : Add policy for gralloc HIDL
-
-allow hal_graphics_allocator proc_ged:file r_file_perms;
diff --git a/r_non_plat/hal_graphics_allocator_default.te b/r_non_plat/hal_graphics_allocator_default.te
deleted file mode 100644
index a968437..0000000
--- a/r_non_plat/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default gpu_device:dir search;
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default sw_sync_device:chr_file { open read write getattr ioctl };
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default debugfs_ion:dir search;
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default debugfs_tracing:file write;
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default debugfs_tracing:file open;
-
-#============= hal_graphics_allocator_default ==============
-allow hal_graphics_allocator_default proc_ged:file r_file_perms;
-allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
-
-#============= hal_graphics_allocator_default ==============
diff --git a/r_non_plat/hal_graphics_composer_default.te b/r_non_plat/hal_graphics_composer_default.te
deleted file mode 100644
index 242c062..0000000
--- a/r_non_plat/hal_graphics_composer_default.te
+++ /dev/null
@@ -1,54 +0,0 @@
-vndbinder_use(hal_graphics_composer_default)
-
-allow hal_graphics_composer_default debugfs_ged:dir search;
-
-# Date : WK17.09
-# Operation : Add sepolicy
-# Purpose : Add polivy for hwc HIDL
-
-allow hal_graphics_composer_default proc:file { read getattr open ioctl };
-allow hal_graphics_composer_default proc_ged:file r_file_perms;
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
-
-# Date : WK17.21
-# Purpose: GPU driver required
-allow hal_graphics_composer_default sw_sync_device:chr_file rw_file_perms;
-allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# Date : W17.24
-# Purpose: GPU driver required
-allow hal_graphics_composer_default gpu_device:dir search;
-
-allow hal_graphics_composer_default debugfs_ion:dir search;
-allow hal_graphics_composer_default debugfs_tracing:file write;
-allow hal_graphics_composer_default debugfs_tracing:file open;
-
-# Date : WK17.30
-# Operation : O Migration
-# Purpose: Allow to access cmdq driver
-allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };
-
-# Date : W17.30
-# Add for control PowerHAL
-allow hal_graphics_composer_default mtk_hal_power_hwservice:hwservice_manager find;
-binder_call(hal_graphics_composer_default, mtk_hal_power)
-
-# Date : WK17.32
-# Operation : O Migration
-# Purpose: Allow to access property
-set_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
-get_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
-set_prop(hal_graphics_composer_default, graphics_hwc_latch_unsignaled_prop)
-set_prop(hal_graphics_composer_default, graphics_hwc_hdr_prop)
-
-# Date : WK18.03
-# Purpose: Allow to access property dev/mdp_sync
-allow hal_graphics_composer_default mtk_mdp_device:chr_file rw_file_perms;
-allow hal_graphics_composer_default mdp_device:chr_file rw_file_perms;
-allow hal_graphics_composer_default tee_device:chr_file rw_file_perms;
-allowxperm hal_graphics_composer_default proc_ged:file ioctl { proc_ged_ioctls };
-
-# Date: 2018/11/08
-# Operation : JPEG
-# Purpose : JPEG need to use PQ via MMS HIDL
-allow hal_graphics_composer_default sysfs_boot_mode:file r_file_perms;
diff --git a/r_non_plat/hal_hdmi.te b/r_non_plat/hal_hdmi.te
deleted file mode 100644
index ea8e0c5..0000000
--- a/r_non_plat/hal_hdmi.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_hdmi_client, hal_hdmi_server)
-binder_call(hal_hdmi_server, hal_hdmi_client)
-
-# give permission for hal client
-allow hal_hdmi_client mtk_hal_hdmi_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_imsa.te b/r_non_plat/hal_imsa.te
deleted file mode 100644
index d517344..0000000
--- a/r_non_plat/hal_imsa.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_imsa_client, hal_imsa_server)
-binder_call(hal_imsa_server, hal_imsa_client)
-
-# give permission for hal client
-allow hal_imsa_client mtk_hal_imsa_hwservice :hwservice_manager find;
\ No newline at end of file
diff --git a/r_non_plat/hal_ir.te b/r_non_plat/hal_ir.te
deleted file mode 100644
index 2a01403..0000000
--- a/r_non_plat/hal_ir.te
+++ /dev/null
@@ -1,4 +0,0 @@
-#============= hal_ir_default ==============
-allow hal_ir_default irtx_device:chr_file rw_file_perms;
-allow hal_ir_default irtx_device:chr_file { ioctl open };
-allow hal_ir_default irtx_device:chr_file { read write };
\ No newline at end of file
diff --git a/r_non_plat/hal_keymaster_attestation.te b/r_non_plat/hal_keymaster_attestation.te
deleted file mode 100644
index 35b9b71..0000000
--- a/r_non_plat/hal_keymaster_attestation.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type hal_keymaster_attestation, domain;
-hal_server_domain(hal_keymaster_attestation, mtk_hal_keyattestation)
-
-type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymaster_attestation)
-
-hwbinder_use(hal_keymaster_attestation);
-
-#============= hal_keymaster_attestation ==============
-allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
-
-# Date : WK17.42 2017/10/19
-# Operation: Keymaster 3.0
-# Purpose: Access attestation key in persist partition
-allow hal_keymaster_attestation mnt_vendor_file:dir search;
-allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
-allow hal_keymaster_attestation persist_data_file:file { write create open getattr };
diff --git a/r_non_plat/hal_memtrack_default.te b/r_non_plat/hal_memtrack_default.te
deleted file mode 100644
index 8594ac3..0000000
--- a/r_non_plat/hal_memtrack_default.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# Date : WK16.52
-# Operation : HIDL Migration
-# Purpose : For memtrack related service access
-allow hal_memtrack debugfs_gpu_mali_midgard:file {open read getattr };
-allow hal_memtrack debugfs_gpu_mali_utgard:file {open read getattr };
-allow hal_memtrack debugfs_gpu_img:dir search;
-allow hal_memtrack debugfs_gpu_img:file {open read getattr };
-allow hal_memtrack debugfs_ion:dir rw_dir_perms;
-allow hal_memtrack debugfs_ion:file {open read getattr };
diff --git a/r_non_plat/hal_mms.te b/r_non_plat/hal_mms.te
deleted file mode 100755
index 766ccac..0000000
--- a/r_non_plat/hal_mms.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_mms_client, hal_mms_server)
-binder_call(hal_mms_server, hal_mms_client)
-
-# give permission for hal client
-allow hal_mms_client mtk_hal_mms_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_nfc.te b/r_non_plat/hal_nfc.te
deleted file mode 100644
index e9683be..0000000
--- a/r_non_plat/hal_nfc.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# ==============================================
-# ST NFC HAL rule
-# ==============================================
-
-allow hal_nfc st21nfc_device:chr_file { read write getattr open ioctl };
diff --git a/r_non_plat/hal_nvramagent.te b/r_non_plat/hal_nvramagent.te
deleted file mode 100755
index 680a031..0000000
--- a/r_non_plat/hal_nvramagent.te
+++ /dev/null
@@ -1,6 +0,0 @@
-#for nvram hidl client support
-binder_call(hal_nvramagent_client, hal_nvramagent_server)
-allow hal_nvramagent_client nvram_agent_binder_hwservice:hwservice_manager find;
-
-# add/find permission rule to hwservicemanager
-add_hwservice(hal_nvramagent_server, nvram_agent_binder_hwservice)
diff --git a/r_non_plat/hal_pq.te b/r_non_plat/hal_pq.te
deleted file mode 100644
index 30eaf0e..0000000
--- a/r_non_plat/hal_pq.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_pq_client, hal_pq_server)
-binder_call(hal_pq_server, hal_pq_client)
-
-# give permission for hal client
-allow hal_pq_client mtk_hal_pq_hwservice :hwservice_manager find;
diff --git a/r_non_plat/hal_thermal_default.te b/r_non_plat/hal_thermal_default.te
deleted file mode 100755
index 2a648fb..0000000
--- a/r_non_plat/hal_thermal_default.te
+++ /dev/null
@@ -1,8 +0,0 @@
-
-# Date : WK18.23
-# Operation : P Migration
-# Purpose : add grant permission for Thermal HAL mtktz and proc
-
-allow hal_thermal_default proc_mtktz:dir search;
-allow hal_thermal_default proc_mtktz:file {open read getattr};
-allow hal_thermal_default proc_stat:file {open read getattr };
diff --git a/r_non_plat/hal_usb.te b/r_non_plat/hal_usb.te
deleted file mode 100644
index b1f7134..0000000
--- a/r_non_plat/hal_usb.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type mtk_hal_usb, domain;
-hal_server_domain(mtk_hal_usb, hal_usb)
-
-type mtk_hal_usb_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(mtk_hal_usb)
-
-allow hal_usb_default sysfs_dual_role_usb20:dir {search read};
-allow hal_usb_default sysfs_dual_role_usb20:file {open read getattr};
-
-allow mtk_hal_usb sysfs_dual_role_usb20:dir {search read open};
-allow mtk_hal_usb sysfs_dual_role_usb20:file {open read getattr};
diff --git a/r_non_plat/hal_vibrator.te b/r_non_plat/hal_vibrator.te
deleted file mode 100644
index 7f13029..0000000
--- a/r_non_plat/hal_vibrator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
-allow hal_vibrator sysfs_leds:file rw_file_perms;
-allow hal_vibrator sysfs_leds:dir r_dir_perms;
-allow hal_vibrator sysfs_leds:lnk_file read;
-allow hal_vibrator_default sysfs:file { open write read };
diff --git a/r_non_plat/hal_wifi.te b/r_non_plat/hal_wifi.te
deleted file mode 100644
index 4a2d8f5..0000000
--- a/r_non_plat/hal_wifi.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Allow hal wifi service to open/read/setattr wifi device.
-# wmtWifi is wifi char device file to control wifi driver.
-allow hal_wifi wmtWifi_device:chr_file w_file_perms;
-
diff --git a/r_non_plat/hwservice.te b/r_non_plat/hwservice.te
deleted file mode 100644
index 6a7304a..0000000
--- a/r_non_plat/hwservice.te
+++ /dev/null
@@ -1,63 +0,0 @@
-type mtk_hal_bluetooth_hwservice, hwservice_manager_type;
-
-# Date: 2017/05/9
-type mtk_hal_rild_hwservice, hwservice_manager_type;
-
-# Date: 2017/06/07
-# power hidl
-type mtk_hal_power_hwservice, hwservice_manager_type;
-
-# Date: 2017/06/12
-# LBS HIDL
-type mtk_hal_lbs_hwservice, hwservice_manager_type;
-
-# Date: 2017/06/27
-# IMSA HIDL
-type mtk_hal_imsa_hwservice, hwservice_manager_type;
-
-# Date: 2017/07/12
-# NVRAM HIDL
-type nvram_agent_binder_hwservice, hwservice_manager_type;
-
-# Date: 2017/07/19
-# PQ HIDL
-type mtk_hal_pq_hwservice, hwservice_manager_type;
-
-# Date: 2017/07/20
-# keymaster attestation hidl
-type mtk_hal_keyattestation_hwservice, hwservice_manager_type;
-
-# Date: 2018/05/25
-# FM HIDL
-type mtk_hal_fm_hwservice, hwservice_manager_type;
-
-# Date: 2018/03/23
-# log hidl
-type mtk_hal_log_hwservice, hwservice_manager_type;
-
-# Date: 2018/06/26
-# em hidl
-type mtk_hal_em_hwservice, hwservice_manager_type;
-
-# Date: 2018/07/02
-# MMS HIDL
-type mtk_hal_mms_hwservice, hwservice_manager_type;
-
-type hal_atci_hwservice, hwservice_manager_type;
-type mtk_hal_keymanage_hwservice, hwservice_manager_type;
-
-# Date: 2019/04/26
-# GPU HIDL
-type mtk_hal_gpu_hwservice, hwservice_manager_type;
-
-# Date: 2019/06/12
-# modem db filter hidl
-type mtk_hal_md_dbfilter_hwservice, hwservice_manager_type;
-
-# Date: 2019/07/16
-# HDMI HIDL
-type mtk_hal_hdmi_hwservice, hwservice_manager_type;
-
-# Date: 2019/09/06
-# BGService HIDL
-type mtk_hal_bgs_hwservice, hwservice_manager_type;
diff --git a/r_non_plat/hwservice_contexts b/r_non_plat/hwservice_contexts
deleted file mode 100644
index 3991a9f..0000000
--- a/r_non_plat/hwservice_contexts
+++ /dev/null
@@ -1,69 +0,0 @@
-vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
-
-# Date: 2017/05/9
-vendor.mediatek.hardware.mtkradioex::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
-vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0
-vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
-vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
-
-# Date: 2017/06/07
-# power hidl
-vendor.mediatek.hardware.mtkpower::IMtkPerf u:object_r:mtk_hal_power_hwservice:s0
-vendor.mediatek.hardware.mtkpower::IMtkPower u:object_r:mtk_hal_power_hwservice:s0
-vendor.mediatek.hardware.power::IPerf u:object_r:mtk_hal_power_hwservice:s0
-vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0
-
-
-
-# Date: 2017/06/12
-# LBS HIDL
-vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0
-
-# Date : 2017/06/27
-# IMSA HIDL
-vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0
-
-# Date : 2017/07/12
-#nvram hidl
-vendor.mediatek.hardware.nvram::INvram u:object_r:nvram_agent_binder_hwservice:s0
-
-# Date : 2017/07/19
-# PQ HIDL
-vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0
-
-# Date: 2017/07/20
-# keymaster attestation hidl
-vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0
-
-# Date: 2018/05/25
-# FM HIDL
-vendor.mediatek.hardware.fm::IFmRadio u:object_r:mtk_hal_fm_hwservice:s0
-
-# Date: 2018/03/23
-# log hidl
-vendor.mediatek.hardware.log::ILog u:object_r:mtk_hal_log_hwservice:s0
-
-# Date: 2018/06/26
-# em hidl
-vendor.mediatek.hardware.engineermode::IEmd u:object_r:mtk_hal_em_hwservice:s0
-
-# Date : 2018/07/02
-# MMS HIDL
-vendor.mediatek.hardware.mms::IMms u:object_r:mtk_hal_mms_hwservice:s0
-
-# Date : 2019/04/19
-# GPU HIDL
-vendor.mediatek.hardware.gpu::IGraphicExt 
u:object_r:mtk_hal_gpu_hwservice:s0
-
-# Date: 2019/06/12
-# modem db filter hidl
-vendor.mediatek.hardware.modemdbfilter::ICopyDBFilter u:object_r:mtk_hal_md_dbfilter_hwservice:s0
-
-# Date: 2019/07/04
-vendor.mediatek.hardware.camera.lomoeffect::ILomoEffect u:object_r:hal_camera_hwservice:s0
-vendor.mediatek.hardware.camera.ccap::ICCAPControl u:object_r:hal_camera_hwservice:s0
-vendor.mediatek.hardware.camera.bgservice::IBGService u:object_r:mtk_hal_bgs_hwservice:s0
-
-# Date : 2019/07/16
-# HDMI HIDL
-vendor.mediatek.hardware.hdmi::IMtkHdmiService u:object_r:mtk_hal_hdmi_hwservice:s0
diff --git a/r_non_plat/init.te b/r_non_plat/init.te
deleted file mode 100644
index 9844687..0000000
--- a/r_non_plat/init.te
+++ /dev/null
@@ -1,147 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : for L early bring up: add for nvram command in init rc files
-allow init nvram_data_file:dir create_dir_perms;
-allow init nvram_data_file:lnk_file r_file_perms;
-allow init nvdata_file:lnk_file r_file_perms;
-allow init nvdata_file:dir create_file_perms;
-
-#============= init ==============
-# Date : W14.42
-# Operation : Migration
-# Purpose : for L : add for partition (chown/chmod)
-allow init block_device:blk_file setattr;
-allow init system_block_device:blk_file setattr;
-allow init nvram_device:blk_file setattr;
-allow init seccfg_block_device:blk_file setattr;
-allow init secro_block_device:blk_file setattr;
-allow init frp_block_device:blk_file setattr;
-allow init logo_block_device:blk_file setattr;
-allow init para_block_device:blk_file setattr;
-allow init recovery_block_device:blk_file setattr;
-
-# Date : WK15.30
-# Operation : Migration
-# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
-allow init protect1_block_device:blk_file rw_file_perms;
-allow init protect2_block_device:blk_file rw_file_perms;
-allow init userdata_block_device:blk_file rw_file_perms;
-allow init cache_block_device:blk_file rw_file_perms;
-allow init nvdata_device:blk_file w_file_perms;
-allow init persist_block_device:blk_file rw_file_perms;
-allow init nvcfg_block_device:blk_file rw_file_perms;
-allow init odm_block_device:blk_file rw_file_perms;
-allow init oem_block_device:blk_file rw_file_perms;
-allow init para_block_device:blk_file w_file_perms;
-
-# Date : WK15.32
-# Operation : Migration
-# Purpose : disable AT_SECURE for LD_PRELOAD
-#userdebug_or_eng(`
-# allow init { domain -lmkd -crash_dump -llkd -mediaswcodec }:process noatsecure;
-#')
-
-# Date : WK16.26
-# Operation : Access dynamic_debug control file
-# Purpose : For MobileLog on/off pr_debug on user/userdebug load 
-allow init debugfs_dynamic_debug:file write;
-
-# Date : W16.28
-# Operation : Migration
-# Purpose : enable modules capability
-allow init self:capability sys_module;
-allow init kernel:system module_request;
-
-# Date : WK16.35
-# Operation : Migration
-# Purpose : create symbolic link from /mnt/sdcard to /sdcard
-allow init tmpfs:lnk_file create;
-
-# Date:W17.07
-# Operation : bt hal
-# Purpose : bt hal interface permission
-allow init mtk_hal_bluetooth_exec:file getattr;
-
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow init debugfs:file w_file_perms;
-
-# Date : WK17.02
-# Purpose: Fix audio hal service fail
-allow init mtk_hal_audio_exec:file getattr;
-
-# Date : W17.20
-# Purpose: Enable PRODUCT_FULL_TREBLE
-allow init vendor_block_device:lnk_file relabelto;
-
-# Date : WK17.21
-# Purpose: Fix gnss hal service fail
-allow init mtk_hal_gnss_exec:file getattr;
-
-# Fix boot up violation
-allow init debugfs_tracing_instances:file relabelfrom;
-
-# Date: W17.22
-# Operation : New Feature
-# Purpose : Add for A/B system
-allow init debugfs:file write;
-allow init kernel:system module_request;
-allow init nvdata_file:dir mounton;
-allow init oemfs:dir mounton;
-allow init protect_f_data_file:dir mounton;
-allow init protect_s_data_file:dir mounton;
-allow init nvcfg_file:dir mounton;
-allow init persist_data_file:dir mounton;
-allow init tmpfs:lnk_file create;
-
-# boot process denial clean up
-allow init debugfs_ged:file w_file_perms;
-
-
-
-# Date : WK17.39
-# Operation : able to relabel mntl block device link
-# Purpose : Correct permission for mntl
-allow init block_device:lnk_file relabelfrom;
-allow init expdb_block_device:lnk_file relabelto;
-allow init mcupmfw_block_device:lnk_file relabelto;
-allow init tee_block_device:lnk_file relabelto;
-
-# Date : WK17.43
-# Operation : able to insert fpsgo kernel module
-# Purpose : Correct permission for fpsgo
-allow init rootfs:system module_load;
-
-# Date: W17.43
-# Operation : module load
-# Purpose : 
insmod LKM under /vendor (connsys module KO)
-allow init vendor_file:system module_load;
-
-# Date : WK17.46
-# Operation : feature porting
-# Purpose : kernel module verification
-allow init kernel:key search;
-
-# Date : WK17.50
-# Operation : boost cpu while booting
-# Purpose : enhance boottime
-allow init proc_perfmgr:file write;
-allow init proc_wmtdbg:file w_file_perms;
-
-# Date : W18.20
-# Operation : mount soc vendor's partition when booting
-allow init mnt_vendor_file:dir mounton;
-
-# Date : W19.28
-# Purpose: Allow to setattr /proc/last_kmsg
-allow init proc_last_kmsg:file setattr;
-# Purpose: Allow to write /proc/cpu/alignment
-allow init proc_cpu_alignment:file w_file_perms;
-
-# Purpose: Allow to relabelto for selinux_android_restorecon
-allow init boot_block_device:lnk_file relabelto;
-allow init vbmeta_block_device:lnk_file relabelto;
diff --git a/r_non_plat/installd.te b/r_non_plat/installd.te
deleted file mode 100644
index 88c6b54..0000000
--- a/r_non_plat/installd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# ==================================
-# MTK Policy Rule
-# ==================================
-
-# Kernel-4.14 migration, fix boot fail.
-allow installd vendor_configs_file:file map;
-
diff --git a/r_non_plat/ioctl_defines b/r_non_plat/ioctl_defines
deleted file mode 100755
index d227aab..0000000
--- a/r_non_plat/ioctl_defines
+++ /dev/null
@@ -1,64 +0,0 @@
-#####################################
-# ged_bridge_id.h
-#
-define(`GED_BRIDGE_IO_LOG_BUF_GET', `0x6700')
-define(`GED_BRIDGE_IO_LOG_BUF_WRITE', `0x6701')
-define(`GED_BRIDGE_IO_LOG_BUF_RESET', `0x6702')
-define(`GED_BRIDGE_IO_BOOST_GPU_FREQ', `0x6703')
-define(`GED_BRIDGE_IO_MONITOR_3D_FENCE', `0x6704')
-define(`GED_BRIDGE_IO_QUERY_INFO', `0x6705')
-define(`GED_BRIDGE_IO_NOTIFY_VSYNC', `0x6706')
-define(`GED_BRIDGE_IO_DVFS_PROBE', `0x6707')
-define(`GED_BRIDGE_IO_DVFS_UM_RETURN', `0x6708')
-define(`GED_BRIDGE_IO_EVENT_NOTIFY', `0x6709')
-define(`GED_BRIDGE_IO_WAIT_HW_VSYNC', `0x670a')
-define(`GED_BRIDGE_IO_QUERY_TARGET_FPS', `0x670b')
-define(`GED_BRIDGE_IO_VSYNC_WAIT', `0x670c')
-define(`GED_BRIDGE_IO_GPU_HINT_TO_CPU', `0x670d')
-define(`GED_BRIDGE_IO_HINT_FORCE_MDP', `0x670e')
-
-define(`GED_BRIDGE_IO_GE_ALLOC', `0x6764')
-define(`GED_BRIDGE_IO_GE_GET', `0x6765')
-define(`GED_BRIDGE_IO_GE_SET', `0x6766')
-define(`GED_BRIDGE_IO_GPU_TIMESTAMP', `0x6767')
-define(`GED_BRIDGE_IO_TARGET_FPS', `0x6768')
-define(`GED_BRIDGE_IO_GE_INFO', `0x6769')
-define(`GED_BRIDGE_IO_GPU_TUNER_STATUS', `0x676a')
-
-#####################################
-# perf_ioctl.h : FPSGO
-#
-define(`PERFMGR_FPSGO_QUEUE', `0x6701')
-define(`PERFMGR_FPSGO_DEQUEUE', `0x6703')
-define(`PERFMGR_FPSGO_VSYNC', `0x6705')
-define(`PERFMGR_FPSGO_TOUCH', `0x670a')
-define(`PERFMGR_FPSGO_QUEUE_CONNECT', `0x670f')
-define(`PERFMGR_FPSGO_BQID', `0x6710')
-
-# perf_ioctl.h : EARA
-define(`PERFMGR_EARA_NN_BEGIN', `0x6701')
-define(`PERFMGR_EARA_NN_END', `0x6702')
-define(`PERFMGR_EARA_GETUSAGE', `0x6703')
-
-# perf_ioctl.h : others
-define(`PERFMGR_CPU_PREFER', `0x6701')
-
-#####################################
-#
-#
-define(`MMC_IOCTLCMD', `0xb300')
-define(`MMC_IOC_MULTI_CMD', `0xb301')
-define(`UFS_IOCTLCMD', `0x5388')
-define(`UFS_IOCTL_RPMB', `0x5391')
-
-#####################################
-#
-#
-define(`JPG_BRIDGE_ENC_IO_INIT', `0x780b')
-define(`JPG_BRIDGE_ENC_IO_CONFIG', `0x780c')
-define(`JPG_BRIDGE_ENC_IO_WAIT', `0x780d')
-define(`JPG_BRIDGE_ENC_IO_DEINIT', `0x780e')
-define(`JPG_BRIDGE_ENC_IO_START', `0x780f')
-#####################################
-# m4u_priv.h
-define(`MTK_M4U_T_SEC_INIT', `0x6732')
diff --git a/r_non_plat/ioctl_macros b/r_non_plat/ioctl_macros
deleted file mode 100644
index bf86503..0000000
--- a/r_non_plat/ioctl_macros
+++ /dev/null
@@ -1,25 +0,0 @@
-# proc_ged ioctls
-define(`proc_ged_ioctls', `{
- GED_BRIDGE_IO_LOG_BUF_GET
- GED_BRIDGE_IO_LOG_BUF_WRITE
- GED_BRIDGE_IO_LOG_BUF_RESET
- GED_BRIDGE_IO_BOOST_GPU_FREQ
- GED_BRIDGE_IO_MONITOR_3D_FENCE
- GED_BRIDGE_IO_QUERY_INFO
- GED_BRIDGE_IO_NOTIFY_VSYNC
- GED_BRIDGE_IO_DVFS_PROBE
- GED_BRIDGE_IO_DVFS_UM_RETURN
- GED_BRIDGE_IO_EVENT_NOTIFY
- GED_BRIDGE_IO_WAIT_HW_VSYNC
- GED_BRIDGE_IO_QUERY_TARGET_FPS
- GED_BRIDGE_IO_VSYNC_WAIT
- GED_BRIDGE_IO_GPU_HINT_TO_CPU
- GED_BRIDGE_IO_HINT_FORCE_MDP
- GED_BRIDGE_IO_GE_ALLOC
- GED_BRIDGE_IO_GE_GET
- GED_BRIDGE_IO_GE_SET
- GED_BRIDGE_IO_GPU_TIMESTAMP
- GED_BRIDGE_IO_TARGET_FPS
- GED_BRIDGE_IO_GE_INFO
- GED_BRIDGE_IO_GPU_TUNER_STATUS
-}')
diff --git a/r_non_plat/kernel.te b/r_non_plat/kernel.te
deleted file mode 100644
index 0b33f40..0000000
--- a/r_non_plat/kernel.te
+++ /dev/null
@@ -1,89 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-# Date : WK14.38
-# Operation : Migration
-# Purpose : run guitar_update for touch F/W upgrade.
-allow kernel sdcard_type:dir search;
-
-# Date : WK14.39
-# Operation : Migration
-# Purpose : ums driver can access blk_file
-allow kernel block_device:blk_file rw_file_perms;
-allow kernel loop_device:blk_file r_file_perms;
-allow kernel vold_device:blk_file rw_file_perms;
-
-# Date : WK14.43
-# Operation : Migration
-# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
-allow kernel system_data_file:lnk_file r_file_perms;
-
-# Date : WK15.35
-# Operation : Migration
-# Purpose : grant fon_image_data_file read permission for loop device
-allow kernel fon_image_data_file:file read;
-
-# Date : WK15.38
-# Operation : Migration
-# Purpose : grant proc_thermal for dir search
-allow kernel proc_thermal:dir search;
-
-# Date : WK16.11
-# Operation : Migration
-# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
-# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there. 
-allow kernel mnt_user_file:dir search;
-allow kernel mnt_user_file:lnk_file read;
-allow kernel wifi_data_file:file r_file_perms;
-allow kernel wifi_data_file:dir search;
-allow kernel storage_file:lnk_file read;
-allow kernel sdcard_type:file open;
-
-# Data : WK16.16
-# Operation : Migration
-# Purpose : Access to TC1 partition for reading MEID
-allow kernel block_device:dir search;
-
-# Data : WK16.16
-# Operation : Migration
-# Purpose : Access to TC1 partition for reading MEID
-allow kernel misc2_block_device:blk_file rw_file_perms;
-
-# Date : WK16.30
-# Operation: SQC
-# Purpose: Allow sdcardfs workqueue to access lower file systems
-allow kernel { fuseblk }:dir create_dir_perms;
-allow kernel { fuseblk }:file create_file_perms;
-
-# Date : WK16.30
-# Operation: SQC
-# Purpose: Allow sdcardfs workqueue to access lower file systems
-allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
-allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
-allow kernel kernel:key { write search setattr };
-
-# Date : WK16.42
-# Operation: SQC
-# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
-allow kernel platform_app:process setsched;
-
-# Date : WK17.01
-# Operation: SQC
-# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
-allow kernel audioserver:fd use;
-
-# Date : WK18.02
-# Operation: SQC
-# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
-allow kernel mtk_hal_audio:fd use;
-allow kernel factory:fd use;
-
-# Date : WK18.29
-# Operation: SQC
-# Purpose: Allow kernel read firmware binary on vendor partition
-allow kernel vendor_file:file r_file_perms;
-
-# Date : WK18.35
-# Operation: SQC
-# Purpose: Allow VOW kthread to write debug PCM dump
-allow kernel mtk_audiohal_data_file:file write;
diff --git a/r_non_plat/keystore.te b/r_non_plat/keystore.te
deleted file mode 100644
index 174c8f5..0000000
--- a/r_non_plat/keystore.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date : WK14.40 2014/12/26
-# Operation : CTS 5.0_r1
-# Purpose : allow access to /data/data for full CTS
-allow keystore app_data_file:file write;
-
-# Date : WK17.30 2017/07/25
-# Operation : keystore
-# Purpose : Fix keystore boot selinux violation
-allow hal_keymaster_default debugfs_tracing:file write;
diff --git a/r_non_plat/kisd.te b/r_non_plat/kisd.te
deleted file mode 100644
index b0ed180..0000000
--- a/r_non_plat/kisd.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/kisd Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type kisd ,domain;
-type kisd_exec, exec_type, file_type, vendor_file_type;
-typeattribute kisd mlstrustedsubject;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-init_daemon_domain(kisd)
-
-allow kisd tee_device:chr_file {read write open ioctl};
-allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
-allow kisd provision_file:file {create read write open getattr unlink};
-allow kisd block_device:dir {read write open ioctl search};
-allow kisd kb_block_device:blk_file {read write open ioctl getattr};
-allow kisd dkb_block_device:blk_file {read write open ioctl getattr};
-allow kisd key_install_data_file:dir {write remove_name add_name};
-allow kisd key_install_data_file:file {write getattr read create unlink open};
-allow kisd key_install_data_file:dir search;
-allow kisd mtd_device:chr_file { open read write };
-allow kisd mtd_device:blk_file { open read write ioctl getattr};
-allow kisd mtd_device:dir { search };
-allow kisd kb_block_device:chr_file {read write open ioctl getattr};
-allow kisd dkb_block_device:chr_file {read write open ioctl getattr};
diff --git a/r_non_plat/lbs_hidl_service.te b/r_non_plat/lbs_hidl_service.te
deleted file mode 100644
index 36ccad0..0000000
--- a/r_non_plat/lbs_hidl_service.te
+++ /dev/null
@@ -1,11 +0,0 @@
-type lbs_hidl_service, domain;
-hal_server_domain(lbs_hidl_service, mtk_hal_lbs)
-
-type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(lbs_hidl_service)
-vndbinder_use(lbs_hidl_service)
-
-#r_dir_file(lbs_hidl_service, system_file)
-unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd);
-allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
-allow lbs_hidl_service mnld:unix_dgram_socket sendto;
diff --git a/r_non_plat/lmkd.te b/r_non_plat/lmkd.te
deleted file mode 100644
index 3ba12e2..0000000
--- a/r_non_plat/lmkd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-
-# Data : 2015/01/14
-# Operation : MT6735 SQC bug fix
-# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
-# for pid=194 comm="lmkd" name="23573" dev="proc"
-# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
-dontaudit lmkd zygote:dir rw_dir_perms;
-
-# Data : 2015/04/17
-# Operation : tb8163p1 low memory selinux warning
-# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
-# for pid=170 comm="lmkd"
-# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
-# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
-dontaudit lmkd platform_app:fd use;
-
-# Data : 2018/05/25
-# Operation : Add for duraSpeed socket
-allow lmkd system_server:unix_stream_socket connectto;
diff --git a/r_non_plat/loghidlsysservice.te b/r_non_plat/loghidlsysservice.te
deleted file mode 100644
index 5af0e39..0000000
--- a/r_non_plat/loghidlsysservice.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/loghidlsysservice Executable File
-
-# Purpose : for create hidl server
-hal_client_domain(loghidlsysservice, mtk_hal_log)
-allow loghidlsysservice connsyslogger:unix_stream_socket connectto;
\ No newline at end of file
diff --git a/r_non_plat/loghidlvendorservice.te b/r_non_plat/loghidlvendorservice.te
deleted file mode 100644
index 9b97bed..0000000
--- a/r_non_plat/loghidlvendorservice.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/loghidlvendorservice Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type loghidlvendorservice ,domain;
-type loghidlvendorservice_exec, exec_type, file_type, vendor_file_type;
-typeattribute loghidlvendorservice mlstrustedsubject;
-
-hal_server_domain(loghidlvendorservice, mtk_hal_log)
-init_daemon_domain(loghidlvendorservice)
-# allow loghidlvendorservice self:capability dac_override;
diff --git a/r_non_plat/mdlogger.te b/r_non_plat/mdlogger.te
deleted file mode 100644
index cfda1d6..0000000
--- a/r_non_plat/mdlogger.te
+++ /dev/null
@@ -1,63 +0,0 @@
-#allow mdlogger to set property
-allow mdlogger debug_mdlogger_prop:property_service set;
-allow mdlogger debug_prop:property_service set;
-
-# ccci device for internal modem
-allow mdlogger ccci_device:chr_file { rw_file_perms };
-
-# usb device ttyGSx for modem logger usb logging
-allow mdlogger ttyGS_device:chr_file { rw_file_perms};
-
-# modem logger access on /data/mdlog
-allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
-allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
-allow mdlogger mdlog_data_file:file { create_file_perms };
-allow mdlogger system_data_file:dir { create_dir_perms relabelfrom};
-
-# modem logger control port access /dev/ttyC1
-allow mdlogger mdlog_device:chr_file { rw_file_perms};
-
-
-#modem logger SD logging in factory mode
-allow mdlogger vfat:dir create_dir_perms;
-allow mdlogger vfat:file create_file_perms;
-
-#mdlogger for read /sdcard
-allow mdlogger tmpfs:lnk_file read;
-allow mdlogger storage_file:lnk_file rw_file_perms;
-allow mdlogger mnt_user_file:dir search;
-allow mdlogger mnt_user_file:lnk_file rw_file_perms;
-allow mdlogger sdcard_type:file create_file_perms;
-allow mdlogger sdcard_type:dir { create_dir_perms };
-allow mdlogger storage_file:dir { create_dir_perms };
-allow mdlogger storage_file:file { create_file_perms };
-
-
-# Allow read to sys/kernel/ccci/* files
-allow mdlogger sysfs_ccci:dir search;
-allow mdlogger sysfs_ccci:file r_file_perms;
-
-# purpose: allow mdlogger to access storage in new version
-allow mdlogger media_rw_data_file:file { create_file_perms };
-allow mdlogger media_rw_data_file:dir { create_dir_perms };
-
-#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
-#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
-#security issue control
-allow mdlogger aee_aed:unix_stream_socket connectto;
-
-## purpose: avc: denied { read } for name="plat_file_contexts"
-allow emdlogger file_contexts_file:file { 
read getattr open};
-
-#permission for read boot mode
-#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
-allow mdlogger sysfs_boot_mode:file { read open };
-
-# avc: denied { open } for path="system/etc/mddb" dev="mmcblk0p21" scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
-allow mdlogger system_file:dir { read open };
-
-# Android P migration
-set_prop(mdlogger, vendor_mdl_prop)
-set_prop(mdlogger, debug_mdlogger_prop)
-set_prop(mdlogger, persist_mdlog_prop)
-set_prop(mdlogger, persist_mtklog_prop)
diff --git a/r_non_plat/mediacodec.te b/r_non_plat/mediacodec.te
deleted file mode 100644
index 18d7e7e..0000000
--- a/r_non_plat/mediacodec.te
+++ /dev/null
@@ -1,155 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : VP/VR
-allow mediacodec devmap_device:chr_file { ioctl };
-
-# Date : WK14.36
-# Operation : Migration
-# Purpose : VDEC/VENC device node
-allow mediacodec Vcodec_device:chr_file rw_file_perms;
-
-# Date : WK16.21
-# Operation : Migration
-# Purpose : VP & VR dump and debug
-allow mediacodec M4U_device_device:chr_file rw_file_perms;
-allow mediacodec proc:file r_file_perms;
-allow mediacodec sysfs:file {read write open};
-allow mediacodec debugfs_binder:dir search;
-allow mediacodec MTK_SMI_device:chr_file { ioctl read open };
-allow mediacodec storage_file:lnk_file {read write open};
-allow mediacodec tmpfs:dir search;
-allow mediacodec mnt_user_file:dir {write read search};
-allow mediacodec mnt_user_file:lnk_file {read write};
-allow mediacodec sdcard_type:dir {write read search add_name remove_name};
-allow mediacodec sdcard_type:file {getattr write read create open append unlink};
-allow mediacodec nvram_data_file:dir w_dir_perms;
-allow mediacodec nvram_data_file:file create_file_perms;
-allow mediacodec nvram_data_file:lnk_file read;
-allow mediacodec nvdata_file:lnk_file read;
-allow mediacodec nvdata_file:dir w_dir_perms;
-allow mediacodec nvdata_file:file create_file_perms;
-allow mediacodec devmap_device:chr_file r_file_perms;
-allow mediacodec proc_meminfo:file {read getattr open};
-
-# Date : WK14.36
-# Operation : Migration
-# Purpose : for SW codec VP/VR
-allow mediacodec mtk_sched_device:chr_file { read write ioctl open };
-
-# Data : WK14.39
-# Operation : Migration
-# Purpose : HW encrypt SW codec
-allow mediacodec mediacodec_data_file:file create_file_perms;
-allow mediacodec mediacodec_data_file:dir create_dir_perms;
-allow mediacodec sec_device:chr_file r_file_perms;
-
-# Data: WK14.44
-# Operation : Migration
-# Purpose : VP
-allow mediacodec 
surfaceflinger:file getattr;
-
-# Data: WK14.44
-# Operation : Migration
-# Purpose : for low SD card latency issue
-allow mediacodec sysfs_lowmemorykiller:file { read open };
-
-# Data: WK14.45
-# Operation : Migration
-# Purpose : for change thermal policy when needed
-allow mediacodec proc_mtkcooler:dir search;
-allow mediacodec proc_mtktz:dir search;
-allow mediacodec proc_thermal:dir search;
-allow mediacodec proc_mtkcooler:file { read write open };
-allow mediacodec proc_mtktz:file { read write open getattr };
-allow mediacodec proc_thermal:file { read write open getattr};
-allow mediacodec thermal_manager_data_file:file create_file_perms;
-allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
-allow mediacodec thermal_manager_data_file:dir search;
-
-# Data : WK14.47
-# Operation : CTS
-# Purpose : cts search strange app
-allow mediacodec untrusted_app:dir search;
-
-# Date : WK14.39
-# Operation : Migration
-# Purpose : MJC Driver
-allow mediacodec MJC_device:chr_file { read write ioctl open };
-
-# Date : WK16.27
-# Operation : APE SQC
-# Purpose : for APE file playback
-allow mediacodec MtkCodecService:binder call;
-allow mediacodec MtkCodecService:binder transfer;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow mediacodec proc_ged:file rw_file_perms;
-allowxperm mediacodec proc_ged:file ioctl { proc_ged_ioctls };
-
-# Data : WK16.42
-# Operator: Whitney bring up
-# Purpose: call surfaceflinger due to powervr
-allow mediacodec surfaceflinger:fifo_file rw_file_perms;
-
-# Date: WK16.43
-# Operator: Whitney SQC
-# Purpose: mediacodec use gpu
-allow mediacodec gpu_device:dir search;
-
-# Date : W18.01
-# Add for turn on SElinux in enforcing mode
-allow mediacodec vndbinder_device:chr_file rw_file_perms;
-
-vndbinder_use(mediacodec)
-
-# Date : WK1721
-# Purpose: For FULL TREBLE
-allow mediacodec system_file:dir r_dir_perms;
-allow mediacodec debugfs_ion:dir search;
-
-
-# Date : WK17.30
-# Operation : 
O Migration
-# Purpose: Allow mediacodec to access cmdq driver
-allow mediacodec mtk_cmdq_device:chr_file { read ioctl open };
-allow mediacodec mtk_mdp_device:chr_file rw_file_perms;
-allow mediacodec sw_sync_device:chr_file rw_file_perms;
-
-# Date : WK17.28
-# Operation : MT6757 SQC
-# Purpose : Change thermal config
-
-
-# Date : WK17.30
-# Purpose : For Power Hal
-allow mediacodec mtk_hal_power_hwservice:hwservice_manager find;
-allow mediacodec mtk_hal_power:binder call;
-allow mediacodec mtk_hal_power:unix_stream_socket connectto;
-
-
-# Date : WK17.12
-# Operation : MT6799 SQC
-# Purpose : Change thermal config
-set_prop(mediacodec, mtk_thermal_config_prop)
-
-# Date : WK17.43
-# Operation : Migration
-# Purpose : DISP access
-allow mediacodec graphics_device:chr_file { ioctl open read };
-allow mediacodec graphics_device:dir search;
-
-# Date : WK19.27
-# Purpose: Android Migration for SVP
-allow mediacodec proc_m4u:file r_file_perms;
-allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
-
-
-# Date : 2019/12/12
-# Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
-allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
-allow mediacodec sysfs_concurrency_scenario:dir search;
\ No newline at end of file
diff --git a/r_non_plat/mediadrmserver.te b/r_non_plat/mediadrmserver.te
deleted file mode 100644
index 70f5178..0000000
--- a/r_non_plat/mediadrmserver.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow mediadrmserver proc_ged:file rw_file_perms;
-
-
diff --git a/r_non_plat/mediaextractor.te b/r_non_plat/mediaextractor.te
deleted file mode 100644
index 1ce425f..0000000
--- a/r_non_plat/mediaextractor.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow mediaextractor proc_ged:file rw_file_perms;
-
-#============= mediaextractor ==============
-allow mediaextractor vfat:file r_file_perms;
-
-allow mediaextractor mediaserver_service:service_manager find;
-
-allow mediaextractor platform_app:dir search;
-allow mediaextractor platform_app:file r_file_perms;
diff --git a/r_non_plat/mediaserver.te b/r_non_plat/mediaserver.te
deleted file mode 100644
index 56af7ad..0000000
--- a/r_non_plat/mediaserver.te
+++ /dev/null
@@ -1,335 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK14.31 -# Operation : Migration -# Purpose : camera devices access. -allow mediaserver camera_isp_device:chr_file rw_file_perms; -allow mediaserver ccu_device:chr_file rw_file_perms; -allow mediaserver vpu_device:chr_file rw_file_perms; -allow mediaserver kd_camera_hw_device:chr_file rw_file_perms; -allow mediaserver seninf_device:chr_file rw_file_perms; -allow mediaserver self:capability { setuid ipc_lock sys_nice }; -allow mediaserver sysfs_wake_lock:file rw_file_perms; -allow mediaserver MTK_SMI_device:chr_file r_file_perms; -allow mediaserver camera_pipemgr_device:chr_file r_file_perms; -allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms; -allow mediaserver lens_device:chr_file rw_file_perms; - -# Date : WK14.32 -# Operation : Migration -# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. 
-allow mediaserver sdcard_type:dir { w_dir_perms create }; -allow mediaserver sdcard_type:file create; -allow mediaserver nvram_data_file:lnk_file read; -allow mediaserver nvdata_file:lnk_file read; -allow mediaserver sdcard_type:dir remove_name; -allow mediaserver sdcard_type:file unlink; - -# Date : WK14.34 -# Operation : Migration -# Purpose : nvram access (dumchar case for nand and legacy chip) -allow mediaserver nvram_device:chr_file rw_file_perms; -allow mediaserver self:capability { net_admin }; - -# Date : WK14.34 -# Operation : Migration -# Purpose : VP/VR -allow mediaserver devmap_device:chr_file { ioctl }; - -# Date : WK14.34 -# Operation : Migration -# Purpose : Smartcard Service -allow mediaserver system_data_file:file open; - -# Date : WK14.36 -# Operation : Migration -# Purpose : media server and bt process communication for A2DP data.and other control flow -allow mediaserver bluetooth:unix_dgram_socket sendto; -allow mediaserver bt_a2dp_stream_socket:sock_file write; -allow mediaserver bt_int_adp_socket:sock_file write; - -# Date : WK14.37 -# Operation : Migration -# Purpose : camera ioctl -allow mediaserver camera_sysram_device:chr_file r_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : VDEC/VENC device node -allow mediaserver Vcodec_device:chr_file rw_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : access nvram, otp, ccci cdoec devices. 
-allow mediaserver MtkCodecService:binder call; -allow mediaserver ccci_device:chr_file rw_file_perms; -allow mediaserver eemcs_device:chr_file rw_file_perms; -allow mediaserver devmap_device:chr_file r_file_perms; -allow mediaserver ebc_device:chr_file rw_file_perms; -allow mediaserver nvram_device:blk_file rw_file_perms; -allow mediaserver bootdevice_block_device:blk_file rw_file_perms; - -# Date : WK14.36 -# Operation : Migration -# Purpose : for SW codec VP/VR -allow mediaserver mtk_sched_device:chr_file rw_file_perms; - -# Date : WK14.38 -# Operation : Migration -# Purpose : NVRam access -allow mediaserver block_device:dir { write search }; - -# Date : WK14.38 -# Operation : Migration -# Purpose : FM driver access -allow mediaserver fm_device:chr_file rw_file_perms; - -# Data : WK14.38 -# Operation : Migration -# Purpose : for VP/VR -allow mediaserver block_device:dir search; -allow mediaserver FM50AF_device:chr_file rw_file_perms; -allow mediaserver AD5820AF_device:chr_file rw_file_perms; -allow mediaserver DW9714AF_device:chr_file rw_file_perms; -allow mediaserver DW9814AF_device:chr_file rw_file_perms; -allow mediaserver AK7345AF_device:chr_file rw_file_perms; -allow mediaserver DW9714A_device:chr_file rw_file_perms; -allow mediaserver LC898122AF_device:chr_file rw_file_perms; -allow mediaserver LC898212AF_device:chr_file rw_file_perms; -allow mediaserver BU6429AF_device:chr_file rw_file_perms; -allow mediaserver DW9718AF_device:chr_file rw_file_perms; -allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms; -allow mediaserver MAINAF_device:chr_file rw_file_perms; -allow mediaserver MAIN2AF_device:chr_file rw_file_perms; -allow mediaserver SUBAF_device:chr_file rw_file_perms; - - -# Data : WK14.38 -# Operation : Migration -# Purpose : for boot animation. 
-allow mediaserver bootanim:binder { transfer call }; - -allow mediaserver mtkbootanimation:binder { transfer call }; - -# Data : WK14.38 -# Operation : Migration -# Purpose : dump for debug -allow mediaserver sdcard_type:file append; - -# Date : WK14.39 -# Operation : Migration -# Purpose : FDVT Driver -allow mediaserver camera_fdvt_device:chr_file rw_file_perms; - -# Date : WK14.39 -# Operation : Migration -# Purpose : APE PLAYBACK -binder_call(mediaserver,MtkCodecService) - -# Date : WK14.40 -# Operation : Migration -# Purpose : HDMI driver access -allow mediaserver graphics_device:chr_file rw_file_perms; - -# Date : WK14.40 -# Operation : Migration -# Purpose : Smartpa -allow mediaserver smartpa_device:chr_file rw_file_perms; - -# Data : WK14.40 -# Operation : Migration -# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci -allow mediaserver audiocmdservice_atci:binder call; -binder_call(mediaserver,audiocmdservice_atci) - -# Date : WK14.40 -# Operation : Migration -# Purpose : mtk_jpeg -allow mediaserver mtk_jpeg_device:chr_file r_file_perms; - -# Date : WK14.41 -# Operation : Migration -# Purpose : WFD HID Driver -allow mediaserver uhid_device:chr_file rw_file_perms; - -# Date : WK14.41 -# Operation : Migration -# Purpose : Camera EEPROM Calibration -allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms; -allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms; -allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms; - -# Date : WK14.43 -# Operation : Migration -# Purpose : VOW -allow mediaserver vow_device:chr_file rw_file_perms; - -# Date: WK14.44 -# Operation : Migration -# Purpose : EVDO -allow mediaserver rpc_socket:sock_file write; -allow mediaserver ttySDIO_device:chr_file rw_file_perms; - -# Data: WK14.44 -# Operation : Migration -# Purpose : VP -allow mediaserver surfaceflinger:file getattr; - -# Data: WK14.44 -# Operation : Migration -# Purpose : for low SD card latency issue -allow mediaserver 
sysfs_lowmemorykiller:file { read open }; - -# Data: WK14.45 -# Operation : Migration -# Purpose : for change thermal policy when needed -allow mediaserver proc_mtkcooler:dir search; -allow mediaserver proc_mtktz:dir search; -allow mediaserver proc_thermal:dir search; - -# Date : WK14.46 -# Operation : Migration -# Purpose : for MTK Emulator HW GPU -allow mediaserver qemu_pipe_device:chr_file rw_file_perms; - -# Date : WK14.46 -# Operation : Migration -# Purpose : for camera init -allow mediaserver system_server:unix_stream_socket { read write }; - -# Data : WK14.46 -# Operation : Migration -# Purpose : for SMS app -allow mediaserver radio_data_file:dir search; -allow mediaserver radio_data_file:file open; - -# Data : WK14.47 -# Operation : Audio playback -# Purpose : Music as ringtone -allow mediaserver radio:dir { search read }; -allow mediaserver radio:file r_file_perms; - -# Data : WK14.47 -# Operation : Launch camcorder from MMS -# Purpose : Camcorder -allow mediaserver radio_data_file:file open; - -# Data : WK14.47 -# Operation : CTS -# Purpose : cts search strange app -allow mediaserver untrusted_app:dir search; - -# Date : WK15.03 -# Operation : Migration -# Purpose : offloadservice -allow mediaserver offloadservice_device:chr_file rw_file_perms; - -# Date : WK15.32 -# Operation : Pre-sanity -# Purpose : 3A algorithm need to access sensor service -allow mediaserver sensorservice_service:service_manager find; - -# Date : WK15.34 -# Operation : Migration -# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump -allow mediaserver system_data_file:dir write; -allow mediaserver storage_file:lnk_file {read write}; -allow mediaserver mnt_user_file:dir {write read search}; -allow mediaserver mnt_user_file:lnk_file {read write}; - -# Date : WK15.35 -# Operation : Migration -# Purpose: Allow mediaserver to read binder from surfaceflinger -allow mediaserver surfaceflinger:fifo_file {read write}; - -# Date : WK15.46 -# Operation : Migration 
-# Purpose : DPE Driver -allow mediaserver camera_dpe_device:chr_file rw_file_perms; - -# Date : WK15.46 -# Operation : Migration -# Purpose : TSF Driver -allow mediaserver camera_tsf_device:chr_file rw_file_perms; - -# Date : WK16.32 -# Operation : N Migration -# Purpose : RSC Driver -allow mediaserver camera_rsc_device:chr_file rw_file_perms; - -# Date : WK16.33 -# Purpose: Allow to access ged for gralloc_extra functions -allow mediaserver proc_ged:file rw_file_perms; -allowxperm mediaserver proc_ged:file ioctl { proc_ged_ioctls }; - -# Date : WK16.33 -# Operation : N Migration -# Purpose : GEPF Driver -allow mediaserver camera_gepf_device:chr_file rw_file_perms; - -# Date : WK16.35 -# Operation : Migration -# Purpose : Update camera flashlight driver device file -allow mediaserver flashlight_device:chr_file rw_file_perms; - -# Data : WK16.42 -# Operator: Whitney bring up -# Purpose: call surfaceflinger due to powervr -allow dumpstate surfaceflinger:fifo_file rw_file_perms; - -# Date : WK16.43 -# Operation : N Migration -# Purpose : WPE Driver -allow mediaserver camera_wpe_device:chr_file rw_file_perms; -allow mediaserver gpu_device:dir search; -allow mediaserver sw_sync_device:chr_file rw_file_perms; - -# Date : WK17.19 -# Operation : N Migration -# Purpose : OWE Driver -allow mediaserver camera_owe_device:chr_file rw_file_perms; - -# Date : WK17.30 -# Operation : O Migration -# Purpose: Allow to access cmdq driver -allow mediaserver mtk_cmdq_device:chr_file { read ioctl open }; -allow mediaserver mtk_mdp_device:chr_file rw_file_perms; - -# Date : WK17.43 -# Operation : Migration -# Purpose : DISP access -allow mediaserver graphics_device:chr_file { ioctl open read }; -allow mediaserver graphics_device:dir search; - -# Date : WK17.44 -# Operation : Migration -# Purpose : DIP Driver -allow mediaserver camera_dip_device:chr_file rw_file_perms; - -# Date : WK17.44 -# Operation : Migration -# Purpose : MFB Driver -allow mediaserver camera_mfb_device:chr_file 
rw_file_perms;
-
-# Date : WK17.49
-# Operation : MT6771 SQC
-# Purpose : Allow permgr access
-allow mediaserver proc_perfmgr:dir {read search};
-allow mediaserver proc_perfmgr:file r_file_perms;
-allowxperm mediaserver proc_perfmgr:file ioctl {
- PERFMGR_FPSGO_DEQUEUE
- PERFMGR_FPSGO_QUEUE_CONNECT
- PERFMGR_FPSGO_QUEUE
- PERFMGR_FPSGO_BQID
-};
-
-# Date : WK18.18
-# Operation : Migration
-# Purpose : wifidisplay hdcp
-# DRM Key Manage HIDL
-allow mediaserver mtk_hal_keymanage:binder call;
-# Purpose : Allow mediadrmserver to call vendor.mediatek.hardware.keymanage@1.0-service.
-hal_client_domain(mediaserver , hal_keymaster)
-allow mediaserver mtk_hal_keymanage_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mediaswcodec.te b/r_non_plat/mediaswcodec.te
deleted file mode 100755
index ca64913..0000000
--- a/r_non_plat/mediaswcodec.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK19.25
-# Operation : Migration
-# Purpose : [ALPS04669482] DRTS failed due to avc denied
-allow mediaswcodec debugfs_ion:dir rw_dir_perms;
-allow mediaswcodec gpu_device:dir rw_dir_perms;
-allow mediaswcodec dri_device:chr_file rw_file_perms;
-allow mediaswcodec gpu_device:chr_file rw_file_perms;
diff --git a/r_non_plat/merged_hal_service.te b/r_non_plat/merged_hal_service.te
deleted file mode 100644
index df44f98..0000000
--- a/r_non_plat/merged_hal_service.te
+++ /dev/null
@@ -1,95 +0,0 @@ -# ============================================================================== -# Type Declaration -# ============================================================================== -type merged_hal_service, domain; -#type merged_hal_service, domain; -type merged_hal_service_exec, exec_type, file_type, vendor_file_type; - -init_daemon_domain(merged_hal_service) - -hwbinder_use(merged_hal_service) -hal_server_domain(merged_hal_service, hal_vibrator) -hal_server_domain(merged_hal_service, hal_light) -hal_server_domain(merged_hal_service, hal_power) -hal_server_domain(merged_hal_service, hal_thermal) -hal_server_domain(merged_hal_service, hal_memtrack) - -#adjust light brightness -allow merged_hal_service sysfs:file write; - -#mtk libs_hidl_service permissions -hal_server_domain(merged_hal_service, mtk_hal_lbs) -vndbinder_use(merged_hal_service) -#r_dir_file(merged_hal_service, system_file) -unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd); -allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto; - -#mtk_gnss permissions -hal_server_domain(merged_hal_service, hal_gnss); -allow merged_hal_service mnld_data_file:sock_file create_file_perms; -allow merged_hal_service mnld_data_file:sock_file rw_file_perms; -allow merged_hal_service mnld_data_file:dir create_file_perms; -allow merged_hal_service mnld_data_file:dir rw_dir_perms; -allow merged_hal_service mnld:unix_dgram_socket sendto; - -#graphics allocator permissions -hal_server_domain(merged_hal_service, hal_graphics_allocator) -allow merged_hal_service gpu_device:dir search; -allow merged_hal_service sw_sync_device:chr_file rw_file_perms; -allow merged_hal_service debugfs_ion:dir search; -allow merged_hal_service debugfs_tracing:file write; -allow merged_hal_service debugfs_tracing:file open; - -#for ape hidl permissions -hal_server_domain(merged_hal_service,hal_mtkcodecservice) -allow merged_hal_service hidl_allocator_hwservice:hwservice_manager find; -allow merged_hal_service 
hidl_memory_hwservice:hwservice_manager find; -hal_client_domain(merged_hal_service, hal_allocator) - -#for default drm permissions -hal_server_domain(merged_hal_service, hal_drm) -allow merged_hal_service mediacodec:fd use; -allow merged_hal_service { appdomain -isolated_app }:fd use; -allow merged_hal_service debugfs_tracing:file write; - -#power permissions -allow merged_hal_service proc:dir {search getattr}; -allow merged_hal_service proc:file rw_file_perms; -allow merged_hal_service debugfs_ged:dir search; -allow merged_hal_service debugfs_ged:file { getattr open read write }; -allow merged_hal_service proc_thermal:file { write open }; -allow merged_hal_service proc_thermal:dir search; -allow merged_hal_service sysfs:file {open write read}; -allow merged_hal_service proc_perfmgr:dir search; -allow merged_hal_service proc_perfmgr:file rw_file_perms; -allow merged_hal_service sdcard_type:dir create_dir_perms; -allow merged_hal_service sdcard_type:file create_file_perms; -allow merged_hal_service eemcs_device:chr_file rw_file_perms; -allow merged_hal_service mnt_user_file:dir create_dir_perms; -allow merged_hal_service debugfs_fb:dir search; -allow merged_hal_service debugfs_fb:file { getattr open read write }; -allow merged_hal_service debugfs_fpsgo:dir search; -allow merged_hal_service debugfs_fpsgo:file { getattr open read write }; -allow merged_hal_service mtk_hal_camera:dir search; -allow merged_hal_service mtk_hal_camera:file { open read }; -allow merged_hal_service sysfs_devices_system_cpu:file write; - -allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms}; -allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms}; -allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms}; - - -# Date : WK18.23 -# Operation : P Migration -# Purpose : add grant permission for Thermal HAL mtktz and proc -allow merged_hal_service proc_mtktz:dir search; -allow merged_hal_service 
proc_mtktz:file {open read getattr}; -allow merged_hal_service proc_stat:file {open read getattr }; - -# Date : WK19.11 -# Operation : Q Migration -allowxperm merged_hal_service proc_ged:file ioctl { proc_ged_ioctls }; - -# Date: 2019/06/14 -# Operation : Migration -allow merged_hal_service nvram_agent_binder_hwservice:hwservice_manager find; diff --git a/r_non_plat/meta_tst.te b/r_non_plat/meta_tst.te deleted file mode 100644 index 3e1858c..0000000 --- a/r_non_plat/meta_tst.te +++ /dev/null 
@@ -1,421 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/meta_tst Executable File - - - -# ============================================== -# Type Declaration -# ============================================== -type meta_tst, domain; -type meta_tst_exec , exec_type, file_type, vendor_file_type; -init_daemon_domain(meta_tst) - -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode device node USB -allow meta_tst ttyGS_device:chr_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode device node UART -allow meta_tst ttyMT_device:chr_file rw_file_perms; - -# Date: WK17.12 -# Operation : Migration -# Purpose : for meta mode device node UART -allow meta_tst ttyS_device:chr_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode device node CCCI -allow meta_tst ccci_device:chr_file rw_file_perms; -allow meta_tst eemcs_device:chr_file rw_file_perms; -allow meta_tst emd_device:chr_file rw_file_perms; -allow meta_tst ttyACM_device:chr_file rw_file_perms; -allow meta_tst mdlog_device:chr_file rw_file_perms; - -# Data: WK15.07 -# Purpose : SDIO -allow meta_tst ttySDIO_device:chr_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode file system -allow meta_tst bootdevice_block_device:blk_file rw_file_perms; -allow meta_tst mmcblk1_block_device:blk_file rw_file_perms; -allow meta_tst userdata_block_device:blk_file rw_file_perms; -allow meta_tst cache_block_device:blk_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode nvram -allow meta_tst nvram_data_file:dir create_dir_perms; -allow meta_tst nvram_data_file:file create_file_perms; -allow meta_tst nvram_data_file:lnk_file r_file_perms; -allow meta_tst nvdata_file:lnk_file r_file_perms; -allow meta_tst 
nvdata_file:dir create_dir_perms; -allow meta_tst nvdata_file:file create_file_perms; -allow meta_tst nvram_device:chr_file rw_file_perms; -allow meta_tst nvram_device:blk_file rw_file_perms; -allow meta_tst nvdata_device:blk_file rw_file_perms; - -# Date: WK14.47 -# Operation : Migration -# Purpose : for meta mode audio -allow meta_tst audio_device:chr_file rw_file_perms; -allow meta_tst audio_device:dir r_dir_perms; -allow meta_tst audio_ipi_device:chr_file rw_file_perms; -set_prop(meta_tst, audiohal_prop); - -# Date: WK16.12 -# Operation : Migration -# Purpose : for meta mode RTC and PMIC -allow meta_tst rtc_device:chr_file r_file_perms; -allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms; - -# Date: WK14.45 -# Operation : Migration -# Purpose : HDCP -allow meta_tst persist_data_file:dir create_dir_perms; -allow meta_tst persist_data_file:file create_file_perms; - - -# Date: WK14.46 -# Operation : Migration -# Purpose : Camera -allow meta_tst devmap_device:chr_file rw_file_perms; -allow meta_tst camera_pipemgr_device:chr_file rw_file_perms; -allow meta_tst MTK_SMI_device:chr_file rw_file_perms; -allow meta_tst camera_isp_device:chr_file rw_file_perms; -allow meta_tst camera_sysram_device:chr_file r_file_perms; -allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms; -allow meta_tst kd_camera_hw_device:chr_file rw_file_perms; -allow meta_tst AD5820AF_device:chr_file rw_file_perms; -allow meta_tst DW9714AF_device:chr_file rw_file_perms; -allow meta_tst DW9714A_device:chr_file rw_file_perms; -allow meta_tst LC898122AF_device:chr_file rw_file_perms; -allow meta_tst LC898212AF_device:chr_file rw_file_perms; -allow meta_tst BU6429AF_device:chr_file rw_file_perms; -allow meta_tst DW9718AF_device:chr_file rw_file_perms; -allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms; -allow meta_tst MAINAF_device:chr_file rw_file_perms; -allow meta_tst MAIN2AF_device:chr_file rw_file_perms; -allow meta_tst SUBAF_device:chr_file rw_file_perms; - -# Date: 
WK16.12 -# Operation : Migration -# Purpose : meta mode LCM -allow meta_tst graphics_device:chr_file rw_file_perms; -allow meta_tst graphics_device:dir search; - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode sensor -allow meta_tst als_ps_device:chr_file r_file_perms; -allow meta_tst gsensor_device:chr_file r_file_perms; -allow meta_tst msensor_device:chr_file r_file_perms; -allow meta_tst gyroscope_device:chr_file r_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode FM -allow meta_tst fm_device:chr_file rw_file_perms; -allow meta_tst FM50AF_device:chr_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode wifi -allow meta_tst wmtWifi_device:chr_file w_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode BT -allow meta_tst stpbt_device:chr_file rw_file_perms; - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode GPS -allow meta_tst gps_data_file:dir { write add_name search remove_name unlink}; -allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock}; -allow meta_tst gps_data_file:lnk_file read; -allow meta_tst tmpfs:lnk_file read; -allow meta_tst agpsd_data_file:dir search; -allow meta_tst agpsd_data_file:sock_file write; -allow meta_tst mnld_device:chr_file rw_file_perms; -allow meta_tst mnld_exec:file rx_file_perms; -set_prop(meta_tst, mnld_prop); - -# Date: WK16.12 -# Operation : Migration -# Purpose : meta mode NFC -allow meta_tst mt6605_device:chr_file rw_file_perms; - -#Date WK14.49 -#Operation : Migration -#Purpose : DRM key installation -allow meta_tst key_install_data_file:dir w_dir_perms; -allow meta_tst key_install_data_file:file create_file_perms; - -# Date: WK14.51 -# Purpose : set/get cryptfs cfg in sys env -allow meta_tst misc_device:chr_file rw_file_perms; -allow meta_tst proc_lk_env:file rw_file_perms; - -# Purpose : FT_EMMC_OP_FORMAT_TCARD -allow meta_tst block_device:blk_file getattr; -allow 
meta_tst system_block_device:blk_file getattr; - -# Date: WK15.52 -# Purpose : NVRAM related LID -allow meta_tst pro_info_device:chr_file rw_file_perms; - -# Date: WK15.13 -# Purpose: for nand project -allow meta_tst mtd_device:dir search; -allow meta_tst mtd_device:chr_file rw_file_perms; - -# Date: WK16.17 -# Purpose: N Migration For ccci sysfs node -allow meta_tst sysfs_ccci:dir search; -allow meta_tst sysfs_ccci:file r_file_perms; - -#Date: W18.22 -# Purpose: P Migration meta_tst get com port type/uart port info/boot mode/usb state/usb close -allow meta_tst sysfs_comport_type:file rw_file_perms; -allow meta_tst sysfs_uart_info:file rw_file_perms; -allow meta_tst sysfs_boot_mode:file rw_file_perms; -allow meta_tst sysfs_boot_type:file r_file_perms; -allow meta_tst sysfs_android_usb:file rw_file_perms; -allow meta_tst sysfs_android_usb:dir search; -allow meta_tst sysfs_usb_cmode:file rw_file_perms; -allow meta_tst sysfs_usb_cmode:dir search; -allow meta_tst sysfs_batteryinfo:file rw_file_perms; -allow meta_tst sysfs_batteryinfo:dir search; - -#Date: W16.17 -# Purpose: N Migration For meta_tst load MD NVRAM database -# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type= -#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm= -#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst: -#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 -allow meta_tst system_file:dir r_dir_perms; - -# Date: WK16.18 -# Purpose: for CCCI reboot modem -allow meta_tst gsm0710muxd_device:chr_file rw_file_perms; - -# Date : WK16.35 -# Purpose : Update camera flashlight driver device file -allow meta_tst flashlight_device:chr_file rw_file_perms; - -#Date: W16.36 -# Purpose: meta_tst use libmeta_rat to write libsysenv -# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7): -#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs" -#ino=4561 scontext=u:r:meta_tst:s0 
tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0 -allow meta_tst para_block_device:blk_file { read write open }; - -#Date: W16.44 -allow meta_tst nvcfg_file:dir { search read open }; - -#Date: W16.45 -# Purpose : Allow unmount sdcardfs mounted on /data/media -allow meta_tst sdcard_type:filesystem unmount; -allow meta_tst storage_stub_file:dir search; - -# Date : WK16.19 -# Operation: meta_tst set persist.meta.connecttype property -# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb". -set_prop(meta_tst, meta_connecttype_prop); - -# Date : WK16.23 -# Purpose: support meta_tst check key event -allow meta_tst input_device:dir r_dir_perms; -allow meta_tst input_device:chr_file r_file_perms; - -# Date : WK16.29 -# Purpose: support meta mode show string on screen -allow meta_tst ashmem_device:chr_file execute; - -#Date: W16.50 -# Purpose : Allow meta_tst stop service which occupy data partition. -allow meta_tst ctl_default_prop:property_service set; - -#Date: W17.25 -# Purpose : Allow meta_tst stop service which occupy data partition. -allow meta_tst ctl_emdlogger1_prop:property_service set; - -#Date: W17.27 -# Purpose: STMicro NFC solution integration -allow meta_tst st21nfc_device:chr_file { open read write ioctl }; -allow meta_tst vendor_file:file { getattr execute execute_no_trans read open }; -set_prop(meta_tst,hwservicemanager_prop); -hwbinder_use(meta_tst); -hal_client_domain(meta_tst, hal_nfc); -allow meta_tst debugfs_tracing:file { open write }; - -# Date: W17.29 -# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service. 
-hal_client_domain(meta_tst, mtk_hal_keyattestation) - -# Date : WK17.30 -# Operation : Android O migration -# Purpose : add sepolicy for accessing sysfs_leds -allow meta_tst sysfs_leds:lnk_file read; -allow meta_tst sysfs_leds:file rw_file_perms; -allow meta_tst sysfs_leds:dir r_dir_perms; - -# Date: WK17.43 -# Purpose: add permission for meta_tst access md image -allow meta_tst md_block_device:blk_file { read open }; -allow meta_tst mddb_data_file:file { create open write read getattr}; -allow meta_tst mddb_data_file:dir { search write add_name create getattr read open }; - -# Date: W17.43 -# Purpose : Allow meta_tst to call Audio HAL service -binder_call(meta_tst, mtk_hal_audio) -allow meta_tst mtk_hal_audio:binder call; -#allow meta_tst hal_audio_hwservice:hwservice_manager find; -allow meta_tst mtk_audiohal_data_file:dir {read search open}; -allow meta_tst proc:file {read open}; -allow meta_tst audio_device:chr_file rw_file_perms; -allow meta_tst audio_device:dir w_dir_perms; -allow meta_tst audiohal_prop:property_service set; - -#Data:W1745 -# Purpose : Allow meta_tst to open and read proc/bootprof -allow meta_tst proc_bootprof:file {write open read}; - -# Date:W17.51 -# Operation : lbs hal -# Purpose : lbs hidl interface permission -hal_client_domain(meta_tst, mtk_hal_lbs) - -# Data:W1750 -# Purpose : Allow meta_tst to access mtd device -allow meta_tst mtd_device:blk_file rw_file_perms; - -#Date: W17.51 -#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM. -set_prop(meta_tst, atm_mdmode_prop); - -#Date: W17.51 -#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM. 
-set_prop(meta_tst, atm_ipaddr_prop); - -# Date : WK18.16 -# Operation: P migration -# Purpose: Allow meta_tst to get tel_switch_prop -get_prop(meta_tst, tel_switch_prop); - -# Date : WK18.21 -# Operation: P migration -# Purpose : Allow meta_tst to call nvram hal -allow meta_tst nvram_agent_binder_hwservice:hwservice_manager find; -allow meta_tst nvram_agent_binder:binder call; - -# Date : WK18.21 -# Operation: P migration -# Purpose : Allow meta_tst to write misc partition -allow meta_tst block_device:dir search; - -# Date : W18.24 -# Operation: P migration -# Purpose : Allow meta_tst to access tpd sysfs nodes for CTP test -allow meta_tst sysfs_tpd_setting:dir search; -allow meta_tst sysfs_tpd_setting:file { read getattr open }; - -# Date : WK18.24 -# Operation: P migration -# Purpose : Allow meta_tst to unmount partition, stop service, and then erase partition -allow meta_tst vendor_shell_exec:file { read execute open execute_no_trans }; -allow meta_tst vendor_toolbox_exec:file { execute_no_trans }; -allow meta_tst labeledfs:filesystem { unmount }; -allow meta_tst proc_cmdline:file { read open getattr }; -allow meta_tst meta_tst:capability { sys_admin }; -allow meta_tst sysfs_dt_firmware_android:file { read open getattr }; -allow meta_tst sysfs_dt_firmware_android:dir { read open search }; -# Purpose : Allow meta_tst to communicate with driver thru socket -allow meta_tst meta_tst:capability { sys_module net_admin net_raw }; -allow meta_tst self:udp_socket { create ioctl }; -allowxperm meta_tst self:udp_socket ioctl priv_sock_ioctls; - -# Date : WK18.25 -# Operation: P migration -# Purpose : GPS test, Allow meta_tst to write/connect tcp socket -allow meta_tst node:tcp_socket node_bind; -allow meta_tst port:tcp_socket { name_bind name_connect }; -allow meta_tst self:capability net_raw; -allow meta_tst self:tcp_socket { setopt bind create listen accept connect }; -allow meta_tst self:tcp_socket { read write }; -allow meta_tst self:udp_socket { write connect }; - -# 
Date : WK18.28 -# Operation: P migration -# Purpose : AUDIO test, Allow meta_tst to write/read asound -allow meta_tst proc_asound:dir { read search open }; -allow meta_tst proc_asound:file { read open getattr write }; -allow meta_tst mtk_audiohal_data_file:dir { read search open }; -allow meta_tst audiohal_prop:property_service set; -allow meta_tst sysfs:file { read open }; -allow meta_tst sysfs_headset:file { read open }; - -# Date: W18.05 -# Purpose : Allow meta_tst to use socket for listening uevent -allow meta_tst meta_tst:netlink_kobject_uevent_socket { read bind create setopt }; - -# Date : WK18.28 -# Operation: P migration -# Purpose : -set_prop(meta_tst, vendor_usb_prop); - -# Date: W18.29 -# Operation: Catch log -# Purpose : meta connect with loghidlserver by socket. -allow meta_tst loghidlvendorservice:unix_stream_socket connectto; - -# Date: W18.32 -# Operation: Android P migration -# Purpose : Allow meta_tst to set powerctl property -# avc: denied { set } for property=sys.powerctl pid=330 uid=0 gid=1001 scontext=u:r:meta_tst:s0 -# tcontext=u:object_r:powerctl_prop:s0 tclass=property_service permissive=0 -set_prop(meta_tst, powerctl_prop); - -# Date: W18.33 -# Operation: Android P migration -# Purpose : Allow meta_tst to set system clock -# avc: denied { sys_time } for capability=25 scontext=u:r:meta_tst:s0 tcontext=u:r:meta_tst:s0 tclass=capability permissive=0 -allow meta_tst self:capability sys_time; - -# Data: W18.35 -# Operation: Android P migration -# Purpose : check usb online status -# avc: denied { search } for name="power_supply" dev="sysfs" ino=8712 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=0 -# avc: denied { read } for name="online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0 -# avc: denied { open } for path="/sys/devices/platform/mt_charger/power_supply/usb/online" dev="sysfs" ino=8764 scontext=u:r:meta_tst:s0 
tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=0
-allow meta_tst sysfs_batteryinfo:dir search;
-allow meta_tst sysfs_batteryinfo:file {read open};
-
-# Data: W18.42
-# Operation: Android P migration
-# Purpose : add socket permission for meta
-allow meta_tst fwmarkd_socket:sock_file write;
-
-#Date: W18.42
-# Operation: Android P migration
-# Purpose : Add ATM meta mvram sepolicy
-allow meta_tst mnt_vendor_file:dir search;
-
-# Date : WK18.44
-# Operation: P migration
-# Purpose : adsp
-allow meta_tst adsp_device:chr_file rw_file_perms;
-
-# Date : WK19.08
-# Operation: P migration
-# Purpose : audio scp recovery
-allow meta_tst audio_scp_device:chr_file r_file_perms;
diff --git a/r_non_plat/mmc_ffu.te b/r_non_plat/mmc_ffu.te
deleted file mode 100644
index 1206991..0000000
--- a/r_non_plat/mmc_ffu.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/mmc_ffu Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type mmc_ffu, domain;
-type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(mmc_ffu)
-# Purpose: For seek file size
-allow mmc_ffu block_device:dir r_dir_perms;
-
-# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
-allow mmc_ffu misc_sd_device:chr_file r_file_perms;
-
-#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
-allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;
diff --git a/r_non_plat/mnld.te b/r_non_plat/mnld.te
deleted file mode 100644
index 6abb5ce..0000000
--- a/r_non_plat/mnld.te
+++ /dev/null
@@ -1,103 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/mnld Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type mnld, domain;
-type mnld_exec, exec_type, file_type, vendor_file_type;
-typeattribute mnld mlstrustedsubject;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-# STOPSHIP: Permissive is not allowed. CTS violation!
-init_daemon_domain(mnld)
-
-net_domain(mnld)
-# Purpose : For communicate with AGPSD by socket
-allow mnld agpsd_data_file:dir create_dir_perms;
-allow mnld agpsd_data_file:sock_file create_file_perms;
-allow mnld mtk_agpsd:unix_dgram_socket sendto;
-allow mnld sysfs:file rw_file_perms;
-allow mnld sysfs_wake_lock:file rw_file_perms;
-# Purpose : For access NVRAM data
-allow mnld nvram_data_file:dir create_dir_perms;
-allow mnld nvram_data_file:file create_file_perms;
-allow mnld nvram_data_file:lnk_file read;
-allow mnld nvdata_file:lnk_file read;
-allow mnld nvram_device:blk_file rw_file_perms;
-allow mnld nvram_device:chr_file rw_file_perms;
-allow mnld nvdata_file:dir create_dir_perms;
-allow mnld nvdata_file:file create_file_perms;
-# Purpose : For access kernel device
-allow mnld mnld_data_file:dir rw_dir_perms;
-allow mnld mnld_data_file:sock_file create_file_perms;
-allow mnld mnld_device:chr_file rw_file_perms;
-allow mnld mnld_data_file:file rw_file_perms;
-allow mnld mnld_data_file:file create_file_perms;
-allow mnld mnld_data_file:fifo_file create_file_perms;
-# Purpose : For init process
-allow mnld init:unix_stream_socket connectto;
-allow mnld init:udp_socket { read write };
-
-# Send the message to the LBS HIDL Service to forward to applications
-allow mnld lbs_hidl_service:unix_dgram_socket sendto;
-
-# Send the message to the merged hal Service to forward to applications
-allow mnld merged_hal_service:unix_dgram_socket 
sendto;
-
-# Purpose : For access system data
-allow mnld bootdevice_block_device:blk_file rw_file_perms;
-allow mnld block_device:dir search;
-allow mnld mnld_prop:property_service set;
-allow mnld property_socket:sock_file write;
-allow mnld mdlog_device:chr_file { read write };
-allow mnld self:capability { fsetid };
-allow mnld stpbt_device:chr_file { read write };
-allow mnld gpsdl_device:chr_file { read write };
-allow mnld ttyGS_device:chr_file { read write };
-# Purpose : For file system operations
-allow mnld sdcard_type:dir search;
-allow mnld sdcard_type:dir write;
-allow mnld sdcard_type:dir add_name;
-allow mnld sdcard_type:file create;
-allow mnld sdcard_type:file rw_file_perms;
-allow mnld sdcard_type:file create_file_perms;
-allow mnld sdcard_type:dir { read remove_name create open };
-allow mnld tmpfs:lnk_file { read create open };
-allow mnld mtd_device:dir search;
-allow mnld mnt_user_file:lnk_file read;
-allow mnld mnt_user_file:dir search;
-allow mnld gps_data_file:dir { write add_name search remove_name unlink};
-allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
-allow mnld gps_data_file:lnk_file read;
-
-allow mnld storage_file:lnk_file read;
-allow mnld nvcfg_file:dir search;
-
-# Date : WK15.30
-# Operation : Migration
-# Purpose : for device bring up, not to block early migration/sanity
-allow mnld proc_lk_env:file rw_file_perms;
-
-# For HIDL, communicate mtk_hal_gnss instead of system_server
-allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
-
-# Purpose : MPE sensor HIDL policy
-hwbinder_use(mnld);
-binder_call(mnld, system_server)
-allow mnld fwk_sensor_hwservice:hwservice_manager find;
-#allow mnld hwservicemanager_prop:file { read open getattr };
-get_prop(mnld, hwservicemanager_prop);
-allow mnld debugfs_tracing:file { open write };
-
-allow mnld mnt_vendor_file:dir search;
-
-# Date : WK18.26
-# Purpose : for atci gps test
-allow mnld atci_service:unix_dgram_socket sendto;
-
-allow 
mnld sysfs_boot_mode:file { read open };
-
-set_prop(mnld, vendor_radio_prop);
diff --git a/r_non_plat/mobile_log_d.te b/r_non_plat/mobile_log_d.te
deleted file mode 100644
index 0caa870..0000000
--- a/r_non_plat/mobile_log_d.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# boot_mdoe file access
-allow mobile_log_d sysfs_boot_mode:file { open read };
-
-#proc/ access
-allow mobile_log_d proc_kmsg:file r_file_perms;
-allow mobile_log_d proc_cmdline:file r_file_perms;
-allow mobile_log_d proc_atf_log:dir search;
-allow mobile_log_d proc_atf_log:file r_file_perms;
-allow mobile_log_d proc_gz_log:file r_file_perms;
-allow mobile_log_d proc_last_kmsg:file r_file_perms;
-allow mobile_log_d proc_bootprof:file r_file_perms;
-allow mobile_log_d proc_pl_lk:file r_file_perms;
-
-#scp
-allow mobile_log_d sysfs_scp:file { open write };
-allow mobile_log_d sysfs_scp:dir search;
-allow mobile_log_d scp_device:chr_file { read open };
-
-#adsp
-allow mobile_log_d sysfs_adsp:file { open write };
-allow mobile_log_d sysfs_adsp:dir search;
-allow mobile_log_d adsp_device:chr_file r_file_perms;
-
-#sspm
-allow mobile_log_d sysfs_sspm:file { open write };
-allow mobile_log_d sysfs_sspm:dir search;
-allow mobile_log_d sspm_device:chr_file { read open };
-
-#data/misc/mblog
-allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
-allow mobile_log_d logmisc_data_file:file create_file_perms;
-
-#data/log_temp
-allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
-allow mobile_log_d logtemp_data_file:file create_file_perms;
-
-#data/data_tmpfs_log
-allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
-allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
-
-#mobile itself property
-set_prop(mobile_log_d, mobile_log_prop)
-
-# Date: 2016/11/11
-# purpose: allow MobileLog to access aee socket
-allow mobile_log_d aee_aed:unix_stream_socket connectto;
-
-# purpose: send log to com port
-allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
-
-# purpose: allow mobile_log_d to access persist.meta.connecttype
-get_prop(mobile_log_d, meta_connecttype_prop);
-
-# purpose: allow mobile_log_d to create socket
-allow mobile_log_d port:tcp_socket { name_connect name_bind };
-allow 
mobile_log_d mobile_log_d:tcp_socket { create connect setopt bind };
-allow mobile_log_d mobile_log_d:tcp_socket { bind setopt listen accept read write };
-allow mobile_log_d node:tcp_socket node_bind;
-
-# purpose: allow mobile_log_d to read system property init.svc.vendor.
-get_prop(mobile_log_d, vendor_default_prop)
-
-# purpose: allow mobile_log_d to read persist.vendor.mtk.aee
-get_prop(mobile_log_d, persist_mtk_aee_prop)
diff --git a/r_non_plat/modemdbfilter_service.te b/r_non_plat/modemdbfilter_service.te
deleted file mode 100755
index e1c1090..0000000
--- a/r_non_plat/modemdbfilter_service.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/hw/modemdbfilter_service Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type modemdbfilter_service ,domain;
-type modemdbfilter_service_exec, exec_type, file_type, vendor_file_type;
-typeattribute modemdbfilter_service mlstrustedsubject;
-
-#Purpose : for create hidl server
-hal_server_domain(modemdbfilter_service, mtk_hal_md_dbfilter)
-init_daemon_domain(modemdbfilter_service)
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
diff --git a/r_non_plat/mtk_agpsd.te b/r_non_plat/mtk_agpsd.te
deleted file mode 100644
index 5c71128..0000000
--- a/r_non_plat/mtk_agpsd.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/mtk_agpsd Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
-type mtk_agpsd, domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(mtk_agpsd)
-
-net_domain(mtk_agpsd)
-
-# Access channels to modem for E-CID, RRLP, and LPP
-allow mtk_agpsd agps_device:chr_file rw_file_perms;
-allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
-allow mtk_agpsd ccci_device:chr_file { create setattr unlink rw_file_perms };
-
-# Access folders, files, and sockets in /data/agps_supl
-allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
-allow mtk_agpsd agpsd_data_file:file create_file_perms;
-allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
-
-# Access file system partitions like /system, /data and SD Card
-allow mtk_agpsd sdcard_type:dir create_dir_perms;
-allow mtk_agpsd sdcard_type:file create_file_perms;
-allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
-allow mtk_agpsd mnt_user_file:dir create_dir_perms;
-allow mtk_agpsd mnt_vendor_file:dir create_dir_perms;
-allow mtk_agpsd mnt_vendor_file:file create_file_perms;
-allow mtk_agpsd gps_data_file:dir create_dir_perms;
-allow mtk_agpsd gps_data_file:file create_file_perms;
-
-# Access symbolic link files like /etc and /sdcard
-allow mtk_agpsd tmpfs:lnk_file create_file_perms;
-allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
-allow mtk_agpsd storage_file:dir create_dir_perms;
-allow mtk_agpsd storage_file:file create_file_perms;
-
-# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
-allow mtk_agpsd slpd:unix_dgram_socket sendto;
-
-# Operators will send agps settings via OMADM. 
-# Operators ask UE to save these settings into NVRAM.
-allow mtk_agpsd nvcfg_file:dir create_dir_perms;
-allow mtk_agpsd nvcfg_file:file create_file_perms;
-
-# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
-allow mtk_agpsd mnld:unix_dgram_socket sendto;
-
-# Send the message to the LBS HIDL Service to forward to system partitions
-allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
-
-# Send the message to the merged hal Service to forward to system partitions
-allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
-
-# Allow send socket to fusion rild
-allow mtk_agpsd rild:unix_dgram_socket sendto;
-
-# Allow libapmonitor to read the property of hwservicemanager.ready
-get_prop(mtk_agpsd,hwservicemanager_prop)
-
-# Read the property of vendor.debug.gps.mnld.ne
-get_prop(mtk_agpsd,mnld_prop)
-
-# Read the property of ro.vendor.mtk_log_hide_gps
-get_prop(mtk_agpsd,mtk_gps_support_prop)
diff --git a/r_non_plat/mtk_hal_audio.te b/r_non_plat/mtk_hal_audio.te
deleted file mode 100644
index ffd5c7c..0000000
--- a/r_non_plat/mtk_hal_audio.te
+++ /dev/null
@@ -1,233 +0,0 @@
-type mtk_hal_audio, domain;
-hal_server_domain(mtk_hal_audio, hal_audio)
-
-type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mtk_hal_audio)
-
-hal_client_domain(mtk_hal_audio, hal_allocator)
-
-hwbinder_use(mtk_hal_audio)
-wakelock_use(mtk_hal_audio);
-
-allow mtk_hal_audio ion_device:chr_file r_file_perms;
-
-allow mtk_hal_audio system_file:dir { open read };
-
-r_dir_file(mtk_hal_audio, proc)
-allow mtk_hal_audio audio_device:dir r_dir_perms;
-allow mtk_hal_audio audio_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# mtk_hal_audio should never execute any executable without
-# a domain transition
-neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
-
-# mtk_hal_audio should never need network access.
-# Disallow network sockets.
-neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Date : WK14.32
-# Operation : Migration
-# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam. 
-allow mtk_hal_audio sdcard_type:dir { w_dir_perms create };
-allow mtk_hal_audio sdcard_type:file create;
-allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
-allow mtk_hal_audio nvram_data_file:file create_file_perms;
-allow mtk_hal_audio nvram_data_file:lnk_file read;
-allow mtk_hal_audio nvdata_file:lnk_file read;
-allow mtk_hal_audio nvdata_file:dir w_dir_perms;
-allow mtk_hal_audio nvdata_file:file create_file_perms;
-allow mtk_hal_audio sdcard_type:dir remove_name;
-allow mtk_hal_audio sdcard_type:file unlink;
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : nvram access (dumchar case for nand and legacy chip)
-allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
-allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind };
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : Smartcard Service
-allow mtk_hal_audio self:netlink_kobject_uevent_socket read;
-
-# Date : WK14.36
-# Operation : Migration
-# Purpose : media server and bt process communication for A2DP data.and other control flow
-allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write;
-allow mtk_hal_audio bt_int_adp_socket:sock_file write;
-
-# Date : WK14.36
-# Operation : Migration
-# Purpose : access nvram, otp, ccci cdoec devices. 
-allow mtk_hal_audio MtkCodecService:binder call;
-allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
-allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
-allow mtk_hal_audio devmap_device:chr_file r_file_perms;
-allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
-allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
-
-# Date : WK14.38
-# Operation : Migration
-# Purpose : NVRam access
-allow mtk_hal_audio block_device:dir { write search };
-
-# Date : WK14.38
-# Operation : Migration
-# Purpose : FM driver access
-allow mtk_hal_audio fm_device:chr_file rw_file_perms;
-
-# Data : WK14.38
-# Operation : Migration
-# Purpose : dump for debug
-allow mtk_hal_audio sdcard_type:file append;
-
-# Data : WK14.39
-# Operation : Migration
-# Purpose : dump for debug
-allow mtk_hal_audio audiohal_prop:property_service set;
-
-# Date : WK14.40
-# Operation : Migration
-# Purpose : HDMI driver access
-allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
-
-# Date : WK14.40
-# Operation : Migration
-# Purpose : Smartpa
-allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
-
-# Date : WK14.41
-# Operation : Migration
-# Purpose : WFD HID Driver
-allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
-
-# Date : WK14.43
-# Operation : Migration
-# Purpose : VOW
-allow mtk_hal_audio vow_device:chr_file rw_file_perms;
-
-# Date: WK14.44
-# Operation : Migration
-# Purpose : EVDO
-allow mtk_hal_audio rpc_socket:sock_file write;
-allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
-
-# Data: WK14.44
-# Operation : Migration
-# Purpose : for low SD card latency issue
-allow mtk_hal_audio sysfs_lowmemorykiller:file { read open };
-
-# Data: WK14.45
-# Operation : Migration
-# Purpose : for change thermal policy when needed
-allow mtk_hal_audio proc_mtkcooler:dir search;
-allow mtk_hal_audio proc_mtktz:dir search;
-allow mtk_hal_audio proc_thermal:dir search;
-allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
-allow 
mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
-
-# Data : WK14.47
-# Operation : Audio playback
-# Purpose : Music as ringtone
-allow mtk_hal_audio radio:dir { search read };
-allow mtk_hal_audio radio:file r_file_perms;
-
-# Data : WK14.47
-# Operation : CTS
-# Purpose : cts search strange app
-allow mtk_hal_audio untrusted_app:dir search;
-
-# Date : WK15.03
-# Operation : Migration
-# Purpose : offloadservice
-allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
-
-# Date : WK15.34
-# Operation : Migration
-# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-allow mtk_hal_audio storage_file:dir search;
-allow mtk_hal_audio storage_file:lnk_file {read write};
-allow mtk_hal_audio mnt_user_file:dir {write read search};
-allow mtk_hal_audio mnt_user_file:lnk_file {read write};
-
-# Date : WK16.17
-# Operation : Migration
-# Purpose: read/open sysfs node
-allow mtk_hal_audio sysfs_ccci:file r_file_perms;
-allow mtk_hal_audio sysfs_ccci:dir search;
-
-# Date : WK16.18
-# Operation : Migration
-# Purpose: research root dir "/"
-allow mtk_hal_audio tmpfs:dir search;
-
-# Purpose: Dump debug info
-allow mtk_hal_audio debugfs_binder:dir search;
-allow mtk_hal_audio kmsg_device:chr_file { open write };
-allow mtk_hal_audio property_socket:sock_file write;
-allow mtk_hal_audio fuse:file rw_file_perms;
-allow mtk_hal_audio init:unix_stream_socket connectto;
-
-# Date : WK16.27
-# Operation : Migration
-# Purpose: tunning tool update parameters
-binder_call(mtk_hal_audio,radio)
-allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
-allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
-
-# Date : WK16.28
-# Operation : Migration
-# Purpose: Write audio dump files to external SDCard. 
-allow mtk_hal_audio sdcard_type:file { create_file_perms };
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow mtk_hal_audio proc_ged:file rw_file_perms;
-
-set_prop(mtk_hal_audio,hwservicemanager_prop);
-allow mtk_hal_audio storage_file:dir search;
-
-# Fix bootup violation
-allow mtk_hal_audio fuse:dir read;
-
-# for usb phone call, allow sys_nice
-allow mtk_hal_audio self:capability sys_nice;
-
-# Date : W17.29
-# Boot for opening trace file: Permission denied (13)
-allow mtk_hal_audio debugfs_tracing:file { write open };
-
-# for usb phone call, allow sys_nice
-allow mtk_hal_audio self:capability sys_nice;
-
-# Audio Tuning Tool Android O porting
-binder_call(mtk_hal_audio,audiocmdservice_atci);
-
-
-# Add for control PowerHAL
-allow mtk_hal_audio mtk_hal_power_hwservice:hwservice_manager find;
-binder_call(mtk_hal_audio, mtk_hal_power)
-binder_call(mtk_hal_audio, merged_hal_service)
-# cm4 smartpa
-allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open };
-allow mtk_hal_audio audio_scp_device:chr_file r_file_perms;
-
-# Date : WK18.21
-# Operation: P migration
-# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
-allow mtk_hal_audio mnt_vendor_file:dir search;
-
-# Date: 2019/06/14
-# Operation : Migration
-allow mtk_hal_audio audioserver:fifo_file w_file_perms;
-allow mtk_hal_audio sysfs_boot_mode:file r_file_perms;
-allow mtk_hal_audio sysfs_dt_firmware_android:dir search;
-
-# Date : WK18.44
-# Operation: adsp
-allow mtk_hal_audio adsp_device:file rw_file_perms;
-allow mtk_hal_audio adsp_device:chr_file rw_file_perms;
diff --git a/r_non_plat/mtk_hal_bgs.te b/r_non_plat/mtk_hal_bgs.te
deleted file mode 100644
index c93342f..0000000
--- a/r_non_plat/mtk_hal_bgs.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_bgs_client, mtk_hal_bgs_server)
-binder_call(mtk_hal_bgs_server, mtk_hal_bgs_client)
-
-add_hwservice(mtk_hal_bgs_server, mtk_hal_bgs_hwservice)
-allow mtk_hal_bgs_client mtk_hal_bgs_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/r_non_plat/mtk_hal_bluetooth.te b/r_non_plat/mtk_hal_bluetooth.te
deleted file mode 100644
index e08fb56..0000000
--- a/r_non_plat/mtk_hal_bluetooth.te
+++ /dev/null
@@ -1,52 +0,0 @@
-type mtk_hal_bluetooth, domain;
-type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mtk_hal_bluetooth)
-
-#r_dir_file(mtk_hal_bluetooth, system_file)
-# call into the Bluetooth process (callbacks)
-binder_call(mtk_hal_bluetooth, bluetooth)
-hwbinder_use(mtk_hal_bluetooth);
-
-wakelock_use(mtk_hal_bluetooth);
-
-# bluetooth factory file accesses.
-r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
-
-allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(mtk_hal_bluetooth, sysfs_type)
-allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow mtk_hal_bluetooth self:capability2 wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(mtk_hal_bluetooth, bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow mtk_hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# VTS tests need to be able to toggle rfkill
-allow mtk_hal_bluetooth self:capability net_admin;
-
-# Purpose : Set to access stpbt driver & NVRAM
-allow mtk_hal_bluetooth stpbt_device:chr_file rw_file_perms;
-
-allow mtk_hal_bluetooth nvdata_file:dir search;
-allow mtk_hal_bluetooth nvdata_file:file rw_file_perms;
-allow mtk_hal_bluetooth nvram_data_file:lnk_file read;
-allow mtk_hal_bluetooth nvdata_file:lnk_file read;
-
-# Purpose: Allow to search /mnt/vendor/* for fstab when using NVM_Init()
-allow mtk_hal_bluetooth mnt_vendor_file:dir search;
-
-get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
-
-#add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
-allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
-
-allow mtk_hal_bluetooth system_data_file:lnk_file read;
-
-hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);
-
-# Purpose: Allow BT Driver to insmod
-allow mtk_hal_bluetooth wmt_prop:property_service set;
diff --git a/r_non_plat/mtk_hal_camera.te b/r_non_plat/mtk_hal_camera.te
deleted file mode 100644
index db30551..0000000
--- a/r_non_plat/mtk_hal_camera.te
+++ /dev/null
@@ -1,352 +0,0 @@
-# ==============================================================================
-# Policy File of /vendor/bin/camerahalserver Executable File
-
-# ==============================================================================
-# Type Declaration
-# ==============================================================================
-
-type mtk_hal_camera, domain;
-type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================================================
-# MTK Policy Rule
-# ==============================================================================
-
-# -----------------------------------
-# Purpose: Binderized HAL Server
-# -----------------------------------
-
-# Set up a transition from init to the camerahalserver upon executing its binary.
-init_daemon_domain(mtk_hal_camera)
-
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-hal_server_domain(mtk_hal_camera, hal_camera)
-
-hal_server_domain(mtk_hal_camera, mtk_hal_bgs)
-
-# Allow camerahalserver to use HwBinder and vendor binder IPC.
-hwbinder_use(mtk_hal_camera)
-vndbinder_use(mtk_hal_camera)
-
-allow mtk_hal_camera hwservicemanager_prop:file { open read getattr };
-
-# -----------------------------------
-# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks. 
-# -----------------------------------
-
-# callback to cameraserver
-binder_call(mtk_hal_camera, cameraserver)
-
-# callback to shell for debugging
-binder_call(mtk_hal_camera, shell)
-
-# callback to /vendor/bin/aee_aedv for aee debugging
-binder_call(mtk_hal_camera, aee_aedv)
-
-# call the graphics allocator hal
-binder_call(mtk_hal_camera, hal_graphics_allocator)
-
-# call PowerHal
-binder_call(mtk_hal_camera, mtk_hal_power)
-
-# -----------------------------------
-# Purpose: Allow camerahalserver to find a service from hwservice_manager
-# -----------------------------------
-allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
-#allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
-allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
-allow mtk_hal_camera mtk_hal_power_hwservice:hwservice_manager find;
-allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
-allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
-hal_client_domain(mtk_hal_camera, hal_graphics_allocator)
-
-# -----------------------------------
-# Purpose: Camera-related devices (driver)
-# -----------------------------------
-allow mtk_hal_camera proc:file rw_file_perms;
-allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
-allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
- JPG_BRIDGE_ENC_IO_INIT
- JPG_BRIDGE_ENC_IO_CONFIG
- JPG_BRIDGE_ENC_IO_WAIT
- JPG_BRIDGE_ENC_IO_DEINIT
- JPG_BRIDGE_ENC_IO_START
- };
-allow mtk_hal_camera sysfs:file { read write open getattr };
-
-allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
-allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
-allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
-allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
-allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
-allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms; 
-allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
-allow mtk_hal_camera flashlight_device:chr_file rw_file_perms;
-allow mtk_hal_camera lens_device:chr_file rw_file_perms;
-
-# FDVT Driver
-allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
-
-# DPE Driver
-allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
-
-# MFB Driver
-allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
-
-# WPE Driver
-allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
-
-# mtk_jpeg
-allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
-
-allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
-allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
-
-# Purpose: RSC driver
-allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
-
-# Purpose: OWE driver
-allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
-
-# Purpose: AF related
-allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
-allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
-allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
-allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
-allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
-
-# Purpose: Camera EEPROM Calibration
-allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
-allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
-allow mtk_hal_camera 
CAM_CAL_DRV2_device:chr_file rw_file_perms;
-
-# -----------------------------------
-# Purpose: Other device drivers used by camera
-# -----------------------------------
-allow mtk_hal_camera ion_device:chr_file rw_file_perms;
-allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms;
-allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
-
-# -----------------------------------
-# Purpose: Filesystem in Userspace (FUSE)
-# - sdcard access (buffer dump for EM mode)
-# -----------------------------------
-allow mtk_hal_camera fuse:dir { search read write };
-allow mtk_hal_camera fuse:file rw_file_perms;
-
-# -----------------------------------
-# Purpose: Storage access
-# -----------------------------------
-## Date : WK14.XX-15.XX
-## nvram access
-allow mtk_hal_camera block_device:dir { write search };
-allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
-allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
-## nvram access (dumchar case for nand and legacy chip)
-allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
-allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
-
-## Date : WK14.XX-15.XX
-## sdcard access - dump for debug
-allow mtk_hal_camera sdcard_type:dir { write add_name create };
-allow mtk_hal_camera sdcard_type:file { append create getattr };
-
-# -----------------------------------
-# Purpose: property access
-# -----------------------------------
-allow mtk_hal_camera mtkcam_prop:file { open read getattr };
-
-# -----------------------------------
-# Android O
-# Purpose: Shell Debugging
-# -----------------------------------
-# Purpose: Allow shell to invoke "lshal debug ", where is "ICameraProvider". 
-# (used in user build)
-allow mtk_hal_camera shell:unix_stream_socket { read write };
-allow mtk_hal_camera shell:fifo_file write;
-
-# -----------------------------------
-# Android O
-# Purpose: AEE Debugging
-# -----------------------------------
-# Purpose: Allow aee_dumpstate to invoke "lshal debug ", where is "ICameraProvider".
-allow mtk_hal_camera dumpstate:binder { call };
-allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
-allow mtk_hal_camera dumpstate:fd { use };
-allow mtk_hal_camera dumpstate:fifo_file write;
-
-# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
-# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
-# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
-# tclass=file permissive=0
-allow mtk_hal_camera aee_exp_vendor_file:dir { w_dir_perms };
-allow mtk_hal_camera aee_exp_vendor_file:file { create_file_perms };
-
-# -----------------------------------
-# Android O
-# Purpose: Debugging
-# -----------------------------------
-# Purpose: libmemunreachable.so/GetUnreachableMemory()
-allow mtk_hal_camera self:process { ptrace };
-
-################################################################################
-# Date : WK14.XX-15.XX
-# Operation : Copy from Media server
-allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
-allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
-allow mtk_hal_camera nvdata_file:dir { write search add_name };
-allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
-allow mtk_hal_camera proc_meminfo:file { read getattr open };
-
-## Purpose : for low SD card latency issue
-allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
-
-## Purpose : for change thermal policy when needed
-allow mtk_hal_camera proc_mtkcooler:dir search;
-allow mtk_hal_camera proc_mtktz:dir search;
-allow mtk_hal_camera proc_thermal:dir search; 
-allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
-allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
-
-## Purpose : cts search strange app
-allow mtk_hal_camera untrusted_app:dir search;
-
-## Purpose : offloadservice
-allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
-
-## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
-allow mtk_hal_camera storage_file:lnk_file {read write};
-allow mtk_hal_camera mnt_user_file:dir {write read search};
-allow mtk_hal_camera mnt_user_file:lnk_file {read write};
-
-## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
-allow mtk_hal_camera surfaceflinger:fifo_file {read write};
-
-## Purpose : camera read/write /nvcfg/camera data
-allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
-allow mtk_hal_camera nvcfg_file:file create_file_perms;
-
-# Purpose : for camera init
-allow mtk_hal_camera system_server:unix_stream_socket { read write };
-
-################################################################################
-# Date : WK16
-# Operation : N Migration
-## Purpose: research root dir "/"
-allow mtk_hal_camera tmpfs:dir search;
-
-## Purpose : EGL file access
-allow mtk_hal_camera system_file:dir { read open };
-allow mtk_hal_camera gpu_device:dir search;
-allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
-
-## Purpose: Allow to access ged for gralloc_extra functions
-allow mtk_hal_camera proc_ged:file rw_file_perms;
-allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
-
-################################################################################
-# Date : WK17
-# Operation : O Migration
-## Purpose: Allow to call hal_graphics_allocator binder. 
-allow mtk_hal_camera system_data_file:lnk_file read;
-
-allow mtk_hal_camera debugfs_tracing:file { write open };
-
-## Purpose : camera3 IT/CTS
-allow mtk_hal_camera debugfs_ion:dir search;
-allow mtk_hal_camera hal_graphics_composer_default:fd use;
-allow mtk_hal_camera property_socket:sock_file write;
-
-# Date : WK17.30
-# Operation : O Migration
-# Purpose: Allow to access cmdq driver
-allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open };
-allow mtk_hal_camera mtk_mdp_device:chr_file rw_file_perms;
-
-# Date : WK17.36
-# Operation : O Migration
-# Purpose: Allow to access battery status
-allow mtk_hal_camera sysfs_batteryinfo:dir search;
-allow mtk_hal_camera sysfs_batteryinfo:file { getattr open read };
-
-# Date : WK17.39
-# Operation : O Migration
-# Purpose: Change thermal config
-allow mtk_hal_camera mtk_thermal_config_prop:property_service set;
-
-# Date : WK18.31
-# Stage: P Migration
-# Purpose: CCT
-allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
-allow mtk_hal_camera graphics_device:dir search;
-allow mtk_hal_camera cct_data_file:dir create_dir_perms;
-allow mtk_hal_camera cct_data_file:file create_file_perms;
-allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
-allow mtk_hal_camera sysfs_boot_mode:file { read open };
-allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
-allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;
-
-# Date : WK18.01
-# Operation : label aee_aed sockets
-# Purpose : Engineering mode need access for aee commmand
-userdebug_or_eng(`
-allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
-')
-
-# Date : WK18.02
-# Stage: O Migration
-# Purpose: ISP tuning remapping
-allow mtk_hal_camera mediatek_prop:property_service set;
-
-# Date : WK18.22
-# Stage: p Migration
-# Purpose: NVRAM
-allow mtk_hal_camera nvram_data_file:dir search;
-allow mtk_hal_camera nvram_data_file:file rw_file_perms;
-allow mtk_hal_camera nvram_data_file:lnk_file read;
-allow mtk_hal_camera nvdata_file:lnk_file read;
-allow mtk_hal_camera nvdata_file:dir create_dir_perms;
-allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
-allow mtk_hal_camera nvcfg_file:lnk_file read;
-allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
-allow mtk_hal_camera nvcfg_file:file { read write getattr setattr open create };
-allow mtk_hal_camera mnt_vendor_file:dir search;
-allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
-
-# Date : WK18.35
-# Purpose: allow mtk_hal_camera to access gz_device node
-allow mtk_hal_camera gz_device:chr_file rw_file_perms;
-
-#data/dipdebug
-allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms;
-allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };
-
-allow mtk_hal_camera proc_isp_p2:dir search;
-allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
-
-# Purpose : AINR/Thermal Boost
-allow mtk_hal_camera system_data_file:dir { getattr };
-
-# Date: 2019/06/14
-# Operation : Migration
-allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
-
-# Date: 2019/07/09
-# Operation : For M4U security
-allow mtk_hal_camera proc_m4u:file r_file_perms;
-allowxperm mtk_hal_camera proc_m4u:file ioctl MTK_M4U_T_SEC_INIT;
-
-# Date: 2019/08/27
-# Operation : For android Q allowing ioctl
-allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
-allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
\ No newline at end of file
diff --git a/r_non_plat/mtk_hal_em.te b/r_non_plat/mtk_hal_em.te
deleted file mode 100644
index 6d3b6a8..0000000
--- a/r_non_plat/mtk_hal_em.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_em_client, mtk_hal_em_server)
-binder_call(mtk_hal_em_server, mtk_hal_em_client)
-
-add_hwservice(mtk_hal_em_server, mtk_hal_em_hwservice)
-allow mtk_hal_em_client mtk_hal_em_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_fm.te b/r_non_plat/mtk_hal_fm.te
deleted file mode 100644
index ccd0894..0000000
--- a/r_non_plat/mtk_hal_fm.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_fm_client, mtk_hal_fm_server)
-binder_call(mtk_hal_fm_server, mtk_hal_fm_client)
-
-add_hwservice(mtk_hal_fm_server, mtk_hal_fm_hwservice)
-allow mtk_hal_fm_client mtk_hal_fm_hwservice:hwservice_manager find;
-
-vndbinder_use(mtk_hal_fm)
\ No newline at end of file
diff --git a/r_non_plat/mtk_hal_gnss.te b/r_non_plat/mtk_hal_gnss.te
deleted file mode 100644
index 175ff10..0000000
--- a/r_non_plat/mtk_hal_gnss.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type mtk_hal_gnss, domain;
-hal_server_domain(mtk_hal_gnss, hal_gnss);
-
-type mtk_hal_gnss_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mtk_hal_gnss)
-
-#TODO:: work around solution, wait for correct solution from google
-vndbinder_use(mtk_hal_gnss)
-
-#r_dir_file(mtk_hal_gnss, system_file)
-
-# Communicate over a socket created by mnld process.
-allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
-allow mtk_hal_gnss mnld_data_file:sock_file rw_file_perms;
-allow mtk_hal_gnss mnld_data_file:dir create_file_perms;
-allow mtk_hal_gnss mnld_data_file:dir rw_dir_perms;
-
-allow mtk_hal_gnss mnld:unix_dgram_socket sendto;
-
diff --git a/r_non_plat/mtk_hal_gpu.te b/r_non_plat/mtk_hal_gpu.te
deleted file mode 100644
index ab08bdd..0000000
--- a/r_non_plat/mtk_hal_gpu.te
+++ /dev/null
@@ -1,47 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.gpu@1.0-service Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type mtk_hal_gpu, domain;
-type mtk_hal_gpu_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Setup for domain transition
-init_daemon_domain(mtk_hal_gpu)
-
-# Allow to use HWBinder IPC
-hwbinder_use(mtk_hal_gpu);
-
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-hal_server_domain(mtk_hal_gpu, hal_gpu)
-
-# add/find permission rule to hwservicemanager
-add_hwservice(hal_gpu, mtk_hal_gpu_hwservice)
-allow hal_gpu_client mtk_hal_gpu_hwservice:hwservice_manager find;
-
-# Allow to allocate hidl memory
-hal_client_domain(mtk_hal_gpu, hal_allocator)
-
-# Purpose : Allow to use kernel driver
-allow mtk_hal_gpu graphics_device:chr_file rw_file_perms;
-
-# Purpose : Allow permission to set pq property
-#set_prop(mtk_hal_gpu, mtk_gpu_prop)
-
-allow mtk_hal_gpu debugfs_ged:dir rw_dir_perms;
-allow mtk_hal_gpu debugfs_ged:file rw_file_perms;
-allow mtk_hal_gpu proc_ged:file rw_file_perms;
-allowxperm mtk_hal_gpu proc_ged:file ioctl { proc_ged_ioctls };
-
-allow mtk_hal_gpu hal_graphics_allocator_default:fd use;
-allow mtk_hal_gpu ion_device:chr_file r_file_perms;
-allow mtk_hal_gpu debugfs_ion:dir search;
-
-allow mtk_hal_gpu merged_hal_service:fd use;
-
diff --git a/r_non_plat/mtk_hal_hdmi.te b/r_non_plat/mtk_hal_hdmi.te
deleted file mode 100644
index a1995ca..0000000
--- a/r_non_plat/mtk_hal_hdmi.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.hdmi@1.0-service Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type mtk_hal_hdmi, domain;
-type mtk_hal_hdmi_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Setup for domain transition
-init_daemon_domain(mtk_hal_hdmi)
-
-# Allow to use HWBinder IPC
-hwbinder_use(mtk_hal_hdmi);
-
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-hal_server_domain(mtk_hal_hdmi, hal_hdmi)
-
-# add/find permission rule to hwservicemanager
-add_hwservice(hal_hdmi_server, mtk_hal_hdmi_hwservice)
-
-# Allow to allocate hidl memory
-#hal_client_domain(mtk_hal_hdmi, hal_allocator)
-
-# Purpose : Allow to use kernel driver
-allow mtk_hal_hdmi graphics_device:chr_file rw_file_perms;
-
-# Purpose : Allow permission to get AmbientLux from hwservice_manager
-allow mtk_hal_hdmi fwk_sensor_hwservice:hwservice_manager find;
-
-#for hdmi uevent
-allow mtk_hal_hdmi self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-#============= Key Manager HIDL Service ==============
-allow mtk_hal_hdmi mtk_hal_keymanage:binder call;
-
-# Purpose : Allow hdmi to call vendor.mediatek.hardware.keymanage@1.0-service.
-hal_client_domain(mtk_hal_hdmi, hal_keymaster)
-
-allow mtk_hal_hdmi mtk_hal_keymanage_hwservice:hwservice_manager find;
-
-# Purpose : Allow permission to set hdmi property
-set_prop(mtk_hal_hdmi, mtk_hdmi_prop);
diff --git a/r_non_plat/mtk_hal_imsa.te b/r_non_plat/mtk_hal_imsa.te
deleted file mode 100644
index bb04277..0000000
--- a/r_non_plat/mtk_hal_imsa.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# ==============================================================================
-# Type Declaration
-# ==============================================================================
-type mtk_hal_imsa, domain, mtkimsapdomain;
-type mtk_hal_imsa_exec, exec_type, vendor_file_type, file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(mtk_hal_imsa)
-
-# hwbinder access
-hwbinder_use(mtk_hal_imsa)
-hal_server_domain(mtk_hal_imsa, hal_imsa)
-add_hwservice(hal_imsa_server, mtk_hal_imsa_hwservice)
-
-# call into system_server process (callbacks)
-binder_call(mtk_hal_imsa, system_server)
-
-# Date : 2017/05/18
-# Operation : VoLTE sanity
-# Purpose : Add permission for IMSA connect to IMSM
-allow mtk_hal_imsa rild_imsm_socket:sock_file write;
-
-# Date : 2017/06/08
-# Operation : IMSA sanity
-# Purpose : Add permission for IMSA connect to hwservicemanager
-allow mtk_hal_imsa hwservicemanager_prop:file { read open };
-allow mtk_hal_imsa hwservicemanager_prop:file getattr;
-
-# Date : 2017/06/13
-# Operation : IMSA sanity
-# Purpose : Add permission for IMSA to access radio
-allow mtk_hal_imsa radio:binder call;
-allow mtk_hal_imsa debugfs_tracing:file { write open };
\ No newline at end of file
diff --git a/r_non_plat/mtk_hal_keyattestation.te b/r_non_plat/mtk_hal_keyattestation.te
deleted file mode 100644
index 901f837..0000000
--- a/r_non_plat/mtk_hal_keyattestation.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(mtk_hal_keyattestation_client, mtk_hal_keyattestation_server);
-
-add_hwservice(mtk_hal_keyattestation_server, mtk_hal_keyattestation_hwservice)
-allow mtk_hal_keyattestation_client mtk_hal_keyattestation_hwservice:hwservice_manager find;
-
-# allow hal_keymaster tee_device:chr_file rw_file_perms;
diff --git a/r_non_plat/mtk_hal_keymanage.te b/r_non_plat/mtk_hal_keymanage.te
deleted file mode 100644
index d3efa88..0000000
--- a/r_non_plat/mtk_hal_keymanage.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# Set a new domain
-type mtk_hal_keymanage, domain;
-
-# Set mtk_hal_keymanage as server domain of hal_keymaster
-hal_server_domain(mtk_hal_keymanage, hal_keymaster)
-
-# Set exec file type
-type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type;
-
-# Setup for domain transition
-init_daemon_domain(mtk_hal_keymanage)
-
-# Associate mtk_hal_keymanage_hwservice with all server domain
-add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)
-
-# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager
-allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;
-
-# Give permission for hal_key_manage to access kisd service
-
-allow mtk_hal_keymanage kisd:unix_stream_socket connectto;
-
-# Allow mtk_hal_keyinstall to access /data/key_provisioning
-allow mtk_hal_keymanage key_install_data_file:dir { write add_name remove_name search };
-allow mtk_hal_keymanage key_install_data_file:file { write create setattr read getattr unlink open append };
-
-allow mtk_hal_keymanage debugfs_tracing:file { write };
diff --git a/r_non_plat/mtk_hal_lbs.te b/r_non_plat/mtk_hal_lbs.te
deleted file mode 100644
index 55a9cc7..0000000
--- a/r_non_plat/mtk_hal_lbs.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_lbs_client, mtk_hal_lbs_server)
-binder_call(mtk_hal_lbs_server, mtk_hal_lbs_client)
-
-add_hwservice(mtk_hal_lbs_server, mtk_hal_lbs_hwservice)
-allow mtk_hal_lbs_client mtk_hal_lbs_hwservice:hwservice_manager find;
-
-vndbinder_use(mtk_hal_lbs)
\ No newline at end of file
diff --git a/r_non_plat/mtk_hal_light.te b/r_non_plat/mtk_hal_light.te
deleted file mode 100644
index de88326..0000000
--- a/r_non_plat/mtk_hal_light.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# ==============================================================================
-# Type Declaration
-# ==============================================================================
-type mtk_hal_light, domain;
-type mtk_hal_light_exec, exec_type, file_type, vendor_file_type;
-
-# hwbinder access
-init_daemon_domain(mtk_hal_light)
-hwbinder_use(mtk_hal_light)
-
-# call into system_server process (callbacks)
-binder_call(mtk_hal_light, system_server)
-
-# system file
-allow mtk_hal_light system_file:dir read;
-allow mtk_hal_light system_file:dir open;
-
-allow mtk_hal_light sysfs_leds:lnk_file read;
-allow mtk_hal_light sysfs_leds:file rw_file_perms;
-allow mtk_hal_light sysfs_leds:dir r_dir_perms;
-
-get_prop(mtk_hal_light, hwservicemanager_prop)
-hal_server_domain(mtk_hal_light,hal_light);
diff --git a/r_non_plat/mtk_hal_log.te b/r_non_plat/mtk_hal_log.te
deleted file mode 100644
index 6db3cd0..0000000
--- a/r_non_plat/mtk_hal_log.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_log_client, mtk_hal_log_server)
-binder_call(mtk_hal_log_server, mtk_hal_log_client)
-
-add_hwservice(mtk_hal_log_server, mtk_hal_log_hwservice)
-allow mtk_hal_log_client mtk_hal_log_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_md_dbfilter.te b/r_non_plat/mtk_hal_md_dbfilter.te
deleted file mode 100755
index 5abc292..0000000
--- a/r_non_plat/mtk_hal_md_dbfilter.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(mtk_hal_md_dbfilter_client, mtk_hal_md_dbfilter_server)
-binder_call(mtk_hal_md_dbfilter_server, mtk_hal_md_dbfilter_client)
-
-add_hwservice(mtk_hal_md_dbfilter_server, mtk_hal_md_dbfilter_hwservice)
-allow mtk_hal_md_dbfilter_client mtk_hal_md_dbfilter_hwservice:hwservice_manager find;
diff --git a/r_non_plat/mtk_hal_mms.te b/r_non_plat/mtk_hal_mms.te
deleted file mode 100755
index d52f12b..0000000
--- a/r_non_plat/mtk_hal_mms.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.mms@1.0-service Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type mtk_hal_mms, domain;
-type mtk_hal_mms_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Setup for domain transition
-init_daemon_domain(mtk_hal_mms)
-
-# Allow to use HWBinder IPC
-hwbinder_use(mtk_hal_mms);
-
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-hal_server_domain(mtk_hal_mms, hal_mms)
-
-# add/find permission rule to hwservicemanager
-add_hwservice(hal_mms_server, mtk_hal_mms_hwservice)
-
-# Purpose : Allow to use kernel driver
-allow mtk_hal_mms graphics_device:chr_file { read write open ioctl };
-allow mtk_hal_mms ion_device:chr_file { read open ioctl };
-allow mtk_hal_mms mtk_cmdq_device:chr_file { read open ioctl };
-allow mtk_hal_mms mtk_mdp_device:chr_file rw_file_perms;
-allow mtk_hal_mms sw_sync_device:chr_file rw_file_perms;
-allow mtk_hal_mms mtk_hal_pq_hwservice:hwservice_manager find;
-allow mtk_hal_mms proc:file r_file_perms;
-
-# Purpose : Allow to use allocator for JPEG
-hal_client_domain(mtk_hal_mms, hal_allocator)
-allow mtk_hal_mms mtk_hal_pq:binder call;
-
-# Purpose : Allow to use graphics allocator fd for gralloc_extra
-allow mtk_hal_mms hal_graphics_allocator_default:fd use;
-allow mtk_hal_mms debugfs_ion:dir search;
-allow mtk_hal_mms merged_hal_service:fd use;
-
-# Purpose : VDEC/VENC device node
-allow mtk_hal_mms Vcodec_device:chr_file rw_file_perms;
-allow mtk_hal_mms proc_mtk_jpeg:file r_file_perms;
-allowxperm mtk_hal_mms proc_mtk_jpeg:file ioctl {
- JPG_BRIDGE_ENC_IO_INIT
- JPG_BRIDGE_ENC_IO_CONFIG
- JPG_BRIDGE_ENC_IO_WAIT
- JPG_BRIDGE_ENC_IO_DEINIT
- JPG_BRIDGE_ENC_IO_START
- };
-# Allow to use mms by JPEG with handle
-allow mtk_hal_mms platform_app:fd use;
diff --git a/r_non_plat/mtk_hal_power.te b/r_non_plat/mtk_hal_power.te
deleted file mode 100644
index fa52542..0000000
--- a/r_non_plat/mtk_hal_power.te
+++ /dev/null
@@ -1,161 +0,0 @@
-# ==============================================================================
-# Type Declaration
-# ==============================================================================
-type mtk_hal_power, domain;
-type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
-
-# hwbinder access
-init_daemon_domain(mtk_hal_power)
-hwbinder_use(mtk_hal_power);
-
-get_prop(mtk_hal_power, hwservicemanager_prop)
-allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
-allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;
-
-add_hwservice(mtk_hal_power, mtk_hal_power_hwservice)
-allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
-
-hal_server_domain(mtk_hal_power, hal_power);
-hal_server_domain(mtk_hal_power, hal_wifi);
-
-# sysfs
-allow mtk_hal_power sysfs_devices_system_cpu:file rw_file_perms;
-
-# debugfs
-allow mtk_hal_power debugfs_ged:dir r_dir_perms;
-allow mtk_hal_power debugfs_ged:file rw_file_perms;
-
-# proc_thermal
-allow mtk_hal_power proc_thermal:file w_file_perms;
-
-# proc info
-allow mtk_hal_power mtk_hal_audio:dir r_dir_perms;
-
-# Date : 2017/10/02
-# Operation: SQC
-# Purpose : Allow powerHAL to access perfmgr
-allow mtk_hal_power proc_perfmgr:dir r_dir_perms;
-allow mtk_hal_power proc_perfmgr:file rw_file_perms;
-allowxperm mtk_hal_power proc_perfmgr:file ioctl PERFMGR_FPSGO_TOUCH;
-
-# Date : 2017/10/11
-# Operation: SQC
-# Purpose : Allow powerHAL to access powerhal folder
-allow mtk_hal_power sdcard_type:dir create_dir_perms;
-allow mtk_hal_power sdcard_type:file create_file_perms;
-allow mtk_hal_power eemcs_device:chr_file rw_file_perms;
-allow mtk_hal_power mnt_user_file:dir create_dir_perms;
-
-allow mtk_hal_power mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
-allow mtk_hal_power mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
-allow mtk_hal_power mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
-
-#camera contorl cpu
-allow mtk_hal_power mtk_hal_camera:dir r_dir_perms;
-allow mtk_hal_power mtk_hal_camera:file r_file_perms;
-
-# Date : 2017/10/24
-# Operation: SQC
-# Purpose : Allow powerHAL to access thermal
-allow mtk_hal_power proc_thermal:dir r_dir_perms;
-allow mtk_hal_power debugfs_fpsgo:dir r_dir_perms;
-allow mtk_hal_power debugfs_fpsgo:file rw_file_perms;
-
-# Date : 2017/12/19
-# Operation: SQC
-# Purpose : Allow powerHAL to access wlan
-allow mtk_hal_power proc_net:file w_file_perms;
-
-# Date : 2017/12/21
-# Operation: SQC
-# Purpose : Allow powerHAL to access mediacodec
-allow mtk_hal_power mediacodec:dir r_dir_perms;
-allow mtk_hal_power mediacodec:file r_file_perms;
-
-set_prop(mtk_hal_power, mtk_thermal_config_prop)
-
-# Date : 2018/03/16
-# Operation: SQC
-# Purpose : Allow powerHAL to access /d/mtkfb
-allow mtk_hal_power debugfs_fb:dir r_dir_perms;
-allow mtk_hal_power debugfs_fb:file rw_file_perms;
-
-# Date : 2018/06/26
-# Operation: Thermal change policy in perfservice
-
-allow mtk_hal_power proc_thermal:file r_file_perms;
-allow mtk_hal_power thermal_manager_data_file:file create_file_perms;
-allow mtk_hal_power thermal_manager_data_file:dir { rw_dir_perms setattr };
-
-
-allow mtk_hal_power thermalloadalgod:unix_stream_socket connectto;
-
-allow mtk_hal_power proc_mtkcooler:dir r_dir_perms;
-allow mtk_hal_power proc_mtkcooler:file rw_file_perms;
-allow mtk_hal_power proc_mtktz:dir r_dir_perms;
-allow mtk_hal_power proc_mtktz:file rw_file_perms;
-
-# Date : 2019/05/08
-# Operation: SQC
-# Purpose : Allow powerHAL to access /proc/[pid]
-allow mtk_hal_power system_server:dir r_dir_perms;
-allow mtk_hal_power system_server:file r_file_perms;
-
-# Date : 2019/07/11
-# Operation: mt6779 SQC
-# Purpose : Allow powerHAL to VPU, RILD
-allow mtk_hal_power debugfs_vpu_power:dir r_dir_perms;
-allow mtk_hal_power debugfs_vpu_power:file rw_file_perms;
-
-allow mtk_hal_power debugfs_mdla_power:dir r_dir_perms;
-allow mtk_hal_power debugfs_mdla_power:file rw_file_perms;
-
-allow mtk_hal_power rild_oem_socket:sock_file write;
-allow mtk_hal_power rild:unix_stream_socket connectto;
-
-# Date : 2019/05/22
-# Operation: SQC
-# Purpose : Allow powerHAL to access block read ahead
-allow mtk_hal_power sysfs_dm:dir r_dir_perms;
-allow mtk_hal_power sysfs_dm:file rw_file_perms;
-allow mtk_hal_power sysfs_mmcblk:dir r_dir_perms;
-allow mtk_hal_power sysfs_mmcblk:file rw_file_perms;
-
-allow mtk_hal_power debugfs_eara_thermal:dir search;
-allow mtk_hal_power debugfs_eara_thermal:file { getattr open write read };
-
-# Date : 2019/05/22
-# Operation: SQC
-# Purpose : Allow powerHAL to access prop
-set_prop(mtk_hal_power, mtk_powerhal_prop)
-
-# Date : 2019/05/29
-# Operation: SQC
-# Purpose : Allow powerHAL to access wifi driver
-allow mtk_hal_power self:udp_socket create;
-allow mtk_hal_power kernel:system module_request;
-allow mtk_hal_power self:capability sys_module;
-allowxperm mtk_hal_power self:udp_socket ioctl priv_sock_ioctls;
-
-# Date : W19.20
-# Operation : MTK power hal migration
-# Purpose : MTK power hal interface permission
-set_prop(mtk_hal_power, mtk_powerhal_prop)
-
-# Date : 2019/09/05
-# Operation: SQC
-# Purpose : Add procfs, sysfs policy
-allow mtk_hal_power proc_ppm:dir r_dir_perms;
-allow mtk_hal_power proc_ppm:file rw_file_perms;
-allow mtk_hal_power proc_cpufreq:dir r_dir_perms;
-allow mtk_hal_power proc_cpufreq:file rw_file_perms;
-allow mtk_hal_power proc_hps:dir r_dir_perms;
-allow mtk_hal_power proc_hps:file rw_file_perms;
-allow mtk_hal_power proc_cm_mgr:dir r_dir_perms;
-allow mtk_hal_power proc_cm_mgr:file rw_file_perms;
-allow mtk_hal_power sysfs_ged:dir r_dir_perms;
-allow mtk_hal_power sysfs_ged:file rw_file_perms;
-allow mtk_hal_power sysfs_fbt_cpu:dir r_dir_perms;
-allow mtk_hal_power sysfs_fbt_cpu:file rw_file_perms;
-allow mtk_hal_power sysfs_fbt_fteh:dir r_dir_perms;
-allow mtk_hal_power sysfs_fbt_fteh:file rw_file_perms;
diff --git a/r_non_plat/mtk_hal_pq.te b/r_non_plat/mtk_hal_pq.te
deleted file mode 100644
index 87b6c59..0000000
--- a/r_non_plat/mtk_hal_pq.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type mtk_hal_pq, domain;
-type mtk_hal_pq_exec, exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Setup for domain transition
-init_daemon_domain(mtk_hal_pq)
-
-# Allow to use HWBinder IPC
-hwbinder_use(mtk_hal_pq);
-
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-hal_server_domain(mtk_hal_pq, hal_pq)
-
-# add/find permission rule to hwservicemanager
-add_hwservice(hal_pq_server, mtk_hal_pq_hwservice)
-
-# Allow to allocate hidl memory
-hal_client_domain(mtk_hal_pq, hal_allocator)
-
-# Purpose : Allow to use kernel driver
-allow mtk_hal_pq graphics_device:chr_file { read write open ioctl };
-
-# Purpose : Allow property set
-allow mtk_hal_pq init:unix_stream_socket connectto;
-allow mtk_hal_pq property_socket:sock_file write;
-
-# Purpose : Allow permission to get AmbientLux from hwservice_manager
-allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;
-
-# Purpose : Allow permission to set pq property
-set_prop(mtk_hal_pq, mtk_pq_prop)
diff --git a/r_non_plat/mtk_hal_secure_element.te b/r_non_plat/mtk_hal_secure_element.te
deleted file mode 100644
index bb51108..0000000
--- a/r_non_plat/mtk_hal_secure_element.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type mtk_hal_secure_element, domain;
-hal_server_domain(mtk_hal_secure_element, hal_secure_element)
-type mtk_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
-
-allow mtk_hal_secure_element secure_element_device:chr_file rw_file_perms;
-
-init_daemon_domain(mtk_hal_secure_element)
-
-# Allow to get vendor.mediatek.hardware.radio HIDL interface
-allow mtk_hal_secure_element mtk_hal_rild_hwservice:hwservice_manager find;
-binder_call(mtk_hal_secure_element, rild)
-
-# Allow to get android.hardware.radio HIDL interface
-hal_client_domain(mtk_hal_secure_element, hal_telephony)
-allow mtk_hal_secure_element hal_telephony_hwservice:hwservice_manager find;
-
-# Allow to use persist.radio.multisim.config
-get_prop(mtk_hal_secure_element, exported3_radio_prop)
diff --git a/r_non_plat/mtk_hal_sensors.te b/r_non_plat/mtk_hal_sensors.te
deleted file mode 100644
index 6ecacea..0000000
--- a/r_non_plat/mtk_hal_sensors.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# ==============================================================================
-# Type Declaration
-# ==============================================================================
-type mtk_hal_sensors, domain;
-type mtk_hal_sensors_exec, exec_type, file_type, vendor_file_type;
-
-# hwbinder access
-init_daemon_domain(mtk_hal_sensors)
-hwbinder_use(mtk_hal_sensors)
-
-# call into system_server process (callbacks)
-binder_call(mtk_hal_sensors, system_server)
-
-# graphics allocator
-allow mtk_hal_sensors hal_graphics_allocator_default:fd use;
-
-# gpu device
-allow mtk_hal_sensors gpu_device:dir create_dir_perms;
-allow mtk_hal_sensors gpu_device:chr_file rw_file_perms;
-allow mtk_hal_sensors dri_device:chr_file rw_file_perms;
-
-# ion device
-allow mtk_hal_sensors ion_device:dir create_dir_perms;
-allow mtk_hal_sensors ion_device:chr_file rw_file_perms;
-# system file
-allow mtk_hal_sensors system_file:dir read;
-allow mtk_hal_sensors system_file:dir open;
-
-# sensors input rw access
-allow mtk_hal_sensors sysfs_sensor:dir r_dir_perms;
-allow mtk_hal_sensors sysfs_sensor:file rw_file_perms;
-
-# hal sensor for chr_file
-allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;
-get_prop(mtk_hal_sensors, hwservicemanager_prop)
-
-#hwservicemanager
-hal_server_domain(mtk_hal_sensors, hal_sensors);
-
-# Access sensor bio devices
-allow mtk_hal_sensors sensorlist_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_als_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_ps_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_mag_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_gyro_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_baro_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_hmdy_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_act_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_pedo_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_situ_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_step_c_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_fusion_misc_device:chr_file rw_file_perms;
-allow mtk_hal_sensors m_bio_misc_device:chr_file rw_file_perms;
-
-# Access mtk sensor setting and calibration node.
-# for data
-allow mtk_hal_sensors sensor_data_file:file create_file_perms;
-allow mtk_hal_sensors sensor_data_file:dir create_dir_perms;
-# for nvcfg
-allow mtk_hal_sensors nvcfg_file:file create_file_perms;
-allow mtk_hal_sensors nvcfg_file:dir create_dir_perms;
-
-
-# Date : WK18.21
-# Operation: P migration
-# Purpose: Allow to search /mnt/vendor/nvdata for fstab when using NVM_Init()
-allow mtk_hal_sensors mnt_vendor_file:dir search;
-
-# Date : WK19.48
-# Purpose: fix [vts_10.0_r2]VtsHalSensorsV2_0Target fail
-allow mtk_hal_sensors merged_hal_service:fd use;
diff --git a/r_non_plat/mtk_hal_wifi.te b/r_non_plat/mtk_hal_wifi.te
deleted file mode 100755
index 4740f38..0000000
--- a/r_non_plat/mtk_hal_wifi.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type mtk_hal_wifi, domain;
-hal_server_domain(mtk_hal_wifi, hal_wifi)
-
-type mtk_hal_wifi_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mtk_hal_wifi)
diff --git a/r_non_plat/mtk_wmt_launcher.te b/r_non_plat/mtk_wmt_launcher.te
deleted file mode 100644
index f0bc360..0000000
--- a/r_non_plat/mtk_wmt_launcher.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/mtk_wmt_launcher Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type mtk_wmt_launcher ,domain;
-type mtk_wmt_launcher_exec , exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(mtk_wmt_launcher)
-
-# set the property
-set_prop(mtk_wmt_launcher, wmt_prop)
-
-# add ioctl/open/read/write permission for mtk_wmt_launcher with /dev/stpwmt
-allow mtk_wmt_launcher stpwmt_device:chr_file rw_file_perms;
-allow mtk_wmt_launcher devpts:chr_file rw_file_perms;
-allow mtk_wmt_launcher system_file:dir { read open };
-
-# Date : W18.01
-# Add for turn on SElinux in enforcing mode
-allow mtk_wmt_launcher vendor_file:dir { read open };
\ No newline at end of file
diff --git a/r_non_plat/mtkbootanimation.te b/r_non_plat/mtkbootanimation.te
deleted file mode 100644
index 4c56c81..0000000
--- a/r_non_plat/mtkbootanimation.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date : WK14.37
-# Operation : Migration
-# Purpose : for opetator
-allow mtkbootanimation bootani_prop:property_service set;
-
-# Date : WK14.46
-# Operation : Migration
-# Purpose : For MTK Emulator HW GPU
-allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow mtkbootanimation proc_ged:file rw_file_perms;
-
-# ==============================================
-# Type Declaration for secmem
-# ==============================================
-type proc_secmem, fs_type, proc_type;
-# genfscon proc /secmem0 u:object_r:proc_secmem:s0;
-
-# Date : WK14.31
-# Operation : Migration
-# Purpose : access to sec mem proc interface.
-allow mtkbootanimation proc_secmem:file { read open};
-
-# Date : WK14.36
-# Operation : Migration
-# Purpose : for ui
-# allow mtkbootanimation guiext-server:binder call;
-# allow mtkbootanimation guiext-server:binder transfer;
-
-# Date : WK16.29
-# Operation : Migration
-# Purpose : for gpu access
-allow mtkbootanimation dri_device:chr_file { read write open ioctl };
-
-# Date : WK17.29
-# Operation : Migration
-# Purpose : for device bring up
-# allow mtkbootanimation guiext-server_service:service_manager find;
-
-# Date : WK17.48
-# Operation : Migration
-# Purpose : FPSGO integration
-allow mtkbootanimation proc_perfmgr:dir {search read};
-allow mtkbootanimation proc_perfmgr:file {open read ioctl};
diff --git a/r_non_plat/mtkrild.te b/r_non_plat/mtkrild.te
deleted file mode 100644
index a134520..0000000
--- a/r_non_plat/mtkrild.te
+++ /dev/null
@@ -1,132 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/mtkrild Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type mtkrild_exec , exec_type, file_type, vendor_file_type;
-type mtkrild ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(mtkrild)
-net_domain(mtkrild)
-
-# Trigger module auto-load.
-allow mtkrild kernel:system module_request;
-
-# Capabilities assigned for mtkrild
-allow mtkrild self:capability { setuid net_admin net_raw };
-
-# Control cgroups
-allow mtkrild cgroup:dir create_dir_perms;
-
-# Property service
-# allow set RIL related properties (radio./net./system./etc)
-#set_prop(mtkrild, radio_prop)
-#set_prop(mtkrild, net_radio_prop)
-#set_prop(mtkrild, system_radio_prop)
-auditallow mtkrild net_radio_prop:property_service set;
-auditallow mtkrild system_radio_prop:property_service set;
-set_prop(mtkrild, ril_active_md_prop)
-# allow set muxreport control properties
-set_prop(mtkrild, ril_cdma_report_prop)
-set_prop(mtkrild, ril_mux_report_case_prop)
-set_prop(mtkrild, ctl_muxreport-daemon_prop)
-
-#Dat: 2017/02/14
-#Purpose: allow set telephony Sensitive property
-set_prop(mtkrild, mtk_telephony_sensitive_prop)
-
-# Access to wake locks
-wakelock_use(mtkrild)
-
-# Allow access permission to efs files
-allow mtkrild efs_file:dir create_dir_perms;
-allow mtkrild efs_file:file create_file_perms;
-allow mtkrild bluetooth_efs_file:file r_file_perms;
-allow mtkrild bluetooth_efs_file:dir r_dir_perms;
-
-# Allow access permission to dir/files
-# (radio data/system data/proc/etc)
-# Violate Android P rule
-allow mtkrild sdcardfs:dir r_dir_perms;
-# Violate Android P rule
-#allow mtkrild system_file:file x_file_perms;
-#allow mtkrild proc:file rw_file_perms;
-allow mtkrild proc_net:file w_file_perms;
-
-# Set and get routes directly via netlink.
-allow mtkrild self:netlink_route_socket nlmsg_write;
-
-# Allow read/write to devices/files
-allow mtkrild radio_device:chr_file rw_file_perms;
-allow mtkrild radio_device:blk_file r_file_perms;
-allow mtkrild mtd_device:dir search;
-# Allow read/write to tty devices
-allow mtkrild tty_device:chr_file rw_file_perms;
-allow mtkrild eemcs_device:chr_file { rw_file_perms };
-
-#allow mtkrild Vcodec_device:chr_file { rw_file_perms };
-allow mtkrild devmap_device:chr_file { r_file_perms };
-allow mtkrild devpts:chr_file { rw_file_perms };
-allow mtkrild ccci_device:chr_file { rw_file_perms };
-allow mtkrild misc_device:chr_file { rw_file_perms };
-allow mtkrild proc_lk_env:file rw_file_perms;
-#allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
-allow mtkrild para_block_device:blk_file { rw_file_perms };
-
-# Allow dir search, fd uses
-allow mtkrild block_device:dir search;
-allow mtkrild platform_app:fd use;
-allow mtkrild radio:fd use;
-
-# For MAL MFI
-allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
-
-# For ccci sysfs node
-allow mtkrild sysfs_ccci:dir search;
-allow mtkrild sysfs_ccci:file r_file_perms;
-
-#For Kryptowire mtklog issue
-allow mtkrild aee_aedv:unix_stream_socket connectto;
-# Allow ioctl in order to control network interface
-allowxperm mtkrild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
-
-# Allow to use vendor binder
-vndbinder_use(mtkrild)
-
-# Allow to trigger IPv6 RS
-allow mtkrild node:rawip_socket node_bind;
-
-# Allow to use sysenv
-allow mtkrild sysfs:file open;
-allow mtkrild sysfs:file read;
-
-#Date : W18.15
-#Purpose: allow rild access to vendor.ril.ipo system property
-set_prop(mtkrild, vendor_ril_ipo_prop)
-
-# Date : WK18.16
-# Operation: P migration
-# Purpose: Allow mtkrild to get tel_switch_prop
-get_prop(mtkrild, tel_switch_prop)
-
-#Date: W1817
-#Purpose: allow rild access property of vendor_radio_prop
-set_prop(mtkrild, vendor_radio_prop)
-
-# Date : WK18.26
-# Operation: P migration
-# Purpose: Allow carrier express HIDL to set vendor property
-set_prop(mtkrild, mtk_cxp_vendor_prop)
-allow mtkrild mnt_vendor_file:dir search;
-allow mtkrild mnt_vendor_file:file create_file_perms;
-allow mtkrild nvdata_file:dir create_dir_perms;
-allow mtkrild nvdata_file:file create_file_perms;
-
-# Date : WK18.31
-# Operation: P migration
-# Purpose: Allow supplementary service HIDL to set vendor property
-set_prop(mtkrild, mtk_ss_vendor_prop)
diff --git a/r_non_plat/muxreport.te b/r_non_plat/muxreport.te
deleted file mode 100644
index 1b7243b..0000000
--- a/r_non_plat/muxreport.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/muxreport Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type muxreport_exec , exec_type, file_type, vendor_file_type;
-type muxreport ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(muxreport)
-
-# Property service
-# allow set muxreport control properties
-set_prop(muxreport, ril_mux_report_case_prop)
-
-# Allow read/write to devices/files
-allow muxreport ccci_device:chr_file { rw_file_perms };
-allow muxreport devpts:chr_file { rw_file_perms };
-allow muxreport eemcs_device:chr_file { rw_file_perms };
-allow muxreport emd_device:chr_file { rw_file_perms };
-# Allow read to sys/kernel/ccci/* files
-allow muxreport sysfs_ccci:dir search;
-allow muxreport sysfs_ccci:file r_file_perms;
-
-# Date : WK18.16
-# Operation: P migration
-# Purpose: Allow muxreport to get tel_switch_prop
-get_prop(muxreport, tel_switch_prop)
-
-#Date: W1824
-#Purpose: allow muxreport access property of vendor_radio_prop
-set_prop(muxreport, vendor_radio_prop)
-
diff --git a/r_non_plat/netd.te b/r_non_plat/netd.te
deleted file mode 100644
index 02b380f..0000000
--- a/r_non_plat/netd.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
-# Owner£º TingTing Lei
-allow netd wmtWifi_device:chr_file { write open };
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : NA
-# Owner£º Changqing Sun
-allow netd kernel:system module_request;
-allow netd self:capability sys_module;
-allow netd self:capability fsetid;
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : APP
-allow netd platform_app:fd use;
-
-
-# Date : WK14.37
-# Operation : Migration
-# Purpose : PPPOE Test
-# Owner : lina wang
-allow netd ppp:process sigkill;
-
-# Date : WK14.39
-# Operation : Migration
-# Purpose : MDLogger USB logging
-# Owner : Bo shang
-allow netd mdlogger:fd use;
-allow netd mdlogger:tcp_socket { read write };
-allow netd mdlogger:tcp_socket { getopt setopt };
-
-# Date : WK14.41
-# Operation : Migration
-# Purpose : network logging
-# Owner : Bo shang
-allow netd netdiag:fd use;
-allow netd netdiag:udp_socket { read write getopt setopt};
-
-# Date : WK14.44
-# Operation : Migration
-# Purpose : ALPS01789552
-#============= netd ==============
-allow netd self:capability { setuid setgid };
-
-
-#============= netd ==============
-allow netd untrusted_app:fd use;
-
-
-# Date : W15.02
-# Operation : SQC
-# Purpose : CTS for wifi
-allow netd untrusted_app:unix_stream_socket { read write getopt setopt};
-allow netd isolated_app:fd use;
-
-# MTK support antutu feature
-get_prop(netd, mtk_antutu_prop);
diff --git a/r_non_plat/netdiag.te b/r_non_plat/netdiag.te
deleted file mode 100644
index cb19c48..0000000
--- a/r_non_plat/netdiag.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# Purpose : for access storage file
-allow netdiag sdcard_type:dir create_dir_perms;
-allow netdiag sdcard_type:file create_file_perms;
-allow netdiag net_data_file:file r_file_perms;
-allow netdiag net_data_file:dir search;
-allow netdiag storage_file:dir search;
-allow netdiag storage_file:lnk_file read;
-allow netdiag mnt_user_file:dir search;
-allow netdiag mnt_user_file:lnk_file read;
-allow netdiag platform_app:dir search;
-allow netdiag untrusted_app:dir search;
-allow netdiag mnt_media_rw_file:dir search;
-allow netdiag vfat:dir create_dir_perms;
-allow netdiag vfat:file create_file_perms;
-allow netdiag tmpfs:lnk_file read;
-
-#Purpose : for network log property
-set_prop(netdiag, debug_netlog_prop)
-set_prop(netdiag, persist_mtklog_prop)
-set_prop(netdiag, debug_mtklog_prop)
-
-# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
-allow netdiag device_logging_prop:file { getattr open };
-allow netdiag mmc_prop:file { getattr open };
-
-# purpose: allow netdiag to access storage in new version
-allow netdiag media_rw_data_file:file { create_file_perms };
-allow netdiag media_rw_data_file:dir { create_dir_perms };
diff --git a/r_non_plat/nvram_agent_binder.te b/r_non_plat/nvram_agent_binder.te
deleted file mode 100644
index 5dc888a..0000000
--- a/r_non_plat/nvram_agent_binder.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/nvram_agent_binder Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type nvram_agent_binder_exec , exec_type, file_type, vendor_file_type;
-type nvram_agent_binder ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(nvram_agent_binder)
-
-# Date : WK14.35
-# Operation : access nvram by binder
-# Purpose : ensure nvram user can access nvram file normally.
-#allow nvram_agent_binder nvram_agent_service:service_manager add;
-
-# Date : WK14.43
-# Operation : 2rd Selinux Migration
-# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
-allow nvram_agent_binder nvram_device:blk_file rw_file_perms;
-allow nvram_agent_binder nvdata_device:blk_file rw_file_perms;
-allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
-allow nvram_agent_binder nvram_data_file:file create_file_perms;
-allow nvram_agent_binder nvram_data_file:lnk_file read;
-allow nvram_agent_binder nvdata_file:lnk_file read;
-allow nvram_agent_binder nvdata_file:dir create_dir_perms;
-allow nvram_agent_binder nvdata_file:file create_file_perms;
-
-allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
-allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
-allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
-allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
-allow nvram_agent_binder self:capability { fowner chown fsetid };
-
-# Purpose: for backup
-allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
-allow nvram_agent_binder pro_info_device:chr_file rw_file_perms;
-allow nvram_agent_binder block_device:dir search;
-
-# for MLC device
-allow nvram_agent_binder mtd_device:dir search;
-allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
-
-#for nvram agent hidl
-get_prop(nvram_agent_binder, hwservicemanager_prop)
-
-#for nvram hidl client support
-allow nvram_agent_binder sysfs:file { read open };
-
-# Allow to use HWBinder IPC
-hwbinder_use(nvram_agent_binder);
-
-# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
-hal_server_domain(nvram_agent_binder, hal_nvramagent)
-
-# Date : WK18.16
-# Operation: P migration
-# Purpose: Allow nvram_daemon to get tel_switch_prop
-get_prop(nvram_daemon, tel_switch_prop)
-
-# Date : WK18.21
-# Operation: P migration
-# Purpose: Allow to search /mnt/vendor/nvdata when using nvram function
-allow nvram_agent_binder mnt_vendor_file:dir search;
-
-allow nvram_agent_binder sysfs_boot_mode:file r_file_perms;
diff --git a/r_non_plat/nvram_daemon.te b/r_non_plat/nvram_daemon.te
deleted file mode 100644
index 7ed8bfa..0000000
--- a/r_non_plat/nvram_daemon.te
+++ /dev/null
@@ -1,91 +0,0 @@
-# ==============================================
-# Policy File of /vendor/binnvram_daemon Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type nvram_daemon_exec , exec_type, file_type, vendor_file_type;
-type nvram_daemon ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-init_daemon_domain(nvram_daemon)
-
-
-
-# Date : WK14.31
-# Operation : Migration
-# Purpose : the device is used to store Nvram backup data that can not be lost.
-allow nvram_daemon nvram_device:blk_file rw_file_perms;
-allow nvram_daemon nvdata_device:blk_file rw_file_perms;
-
-# Date : WK14.35
-# Operation : chown folder and file permission
-# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
-allow nvram_daemon nvram_data_file:dir create_dir_perms;
-allow nvram_daemon nvram_data_file:file create_file_perms;
-allow nvram_daemon nvram_data_file:lnk_file read;
-allow nvram_daemon nvdata_file:lnk_file read;
-allow nvram_daemon nvdata_file:dir create_dir_perms;
-allow nvram_daemon nvdata_file:file create_file_perms;
-
-allow nvram_daemon als_ps_device:chr_file r_file_perms;
-allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
-allow nvram_daemon gsensor_device:chr_file r_file_perms;
-allow nvram_daemon gyroscope_device:chr_file r_file_perms;
-allow nvram_daemon init:unix_stream_socket connectto;
-
-# Purpose: for property set
-allow nvram_daemon self:capability { fowner chown fsetid };
-
-# Purpose: for backup
-allow nvram_daemon nvram_device:chr_file rw_file_perms;
-allow nvram_daemon pro_info_device:chr_file rw_file_perms;
-
-allow nvram_daemon block_device:dir search;
-
-# Purpose: for nand project
-allow nvram_daemon mtd_device:dir search;
-allow nvram_daemon mtd_device:chr_file rw_file_perms;
-
-# Purpose: for fstab parser
-allow nvram_daemon kmsg_device:chr_file w_file_perms;
-allow nvram_daemon proc_lk_env:file rw_file_perms;
-
-# Purpose: property set
-allow nvram_daemon service_nvram_init_prop:property_service set;
-
-# Purpose: copy /fstab*
-allow nvram_daemon rootfs:dir { read open };
-allow nvram_daemon rootfs:file r_file_perms;
-
-# Purpose: remove /data/nvram link
-allow nvram_daemon nvram_data_file:lnk_file unlink;
-
-# Purpose: for setting property
-# ro.wlan.mtk.wifi.5g relabel to wifi_5g_prop
-# denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
-set_prop(nvram_daemon, service_nvram_init_prop)
-set_prop(nvram_daemon, wifi_5g_prop)
-
-#WK17.26 camera 8163
-allow nvram_daemon sysfs:dir read;
-allow nvram_daemon sysfs:file read;
-
-# Date : WK18.16
-# Operation: P migration
-# Purpose: Allow nvram_daemon to get tel_switch_prop
-get_prop(nvram_daemon, tel_switch_prop)
-
-# Date : WK18.21
-# Operation: P migration
-# Purpose: Allow nvram_daemon to search /mnt/vendor/nvdata for fstab
-allow nvram_daemon mnt_vendor_file:dir search;
-allow nvram_daemon self:capability { fowner chown fsetid };
-
-allow nvram_daemon sysfs_boot_mode:file r_file_perms;
-
diff --git a/r_non_plat/permissive.te b/r_non_plat/permissive.te
deleted file mode 100644
index cd38fd1..0000000
--- a/r_non_plat/permissive.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
-
-
-')
-
diff --git a/r_non_plat/platform_app.te b/r_non_plat/platform_app.te
deleted file mode 100644
index 33178e0..0000000
--- a/r_non_plat/platform_app.te
+++ /dev/null
@@ -1,127 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-typeattribute platform_app mlstrustedsubject;
-
-# Date : 2017/07/03
-# Operation : Migration
-# Purpose : get/set agps configuration via mtk_hal_lbs
-hal_client_domain(platform_app, mtk_hal_lbs)
-
-
-# Date : 2014/08/21
-# Operation : Migration
-# Purpose : FMRadio enable driver access permission for fmradio hardware device
-# Package: com.mediatek.fmradio
-allow platform_app fm_device:chr_file rw_file_perms;
-
-# Date : 2014/09/11
-# Operation : Migration
-# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd,
-# netdialog,mdlogger,emdlogger,cmddumper
-# Package: com.mediatek.mtklogger
-allow platform_app mobile_log_d:unix_stream_socket connectto;
-allow platform_app mdlogger:unix_stream_socket connectto;
-allow platform_app emdlogger:unix_stream_socket connectto;
-allow platform_app cmddumper:unix_stream_socket connectto;
-allow platform_app connsyslogger:unix_stream_socket connectto;
-unix_socket_connect(platform_app, netdiag, netdiag)
-# Date: 2018/11/17
-# purpose: allow MTKLogger to control Bluetooth HCI log via socket
-allow platform_app bluetooth:unix_stream_socket connectto;
-
-# Date : 2014/10/17
-# Operation : Migration
-# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
-# Package: com.mediatek.mtklogger
-allow platform_app ttySDIO_device:chr_file rw_file_perms;
-
-# Date : 2014/10/17
-# Operation : Migration
-# Purpose :Make MTKLogger or VIASaber apk can Access storage
-# Package: com.mediatek.mtklogger
-allow platform_app sdcard_type:file create_file_perms;
-allow platform_app sdcard_type:dir create_dir_perms;
-
-# Date : 2014/11/12
-# Operation : Migration
-# Purpose : MTKLogger need copy exception db from data folder
-# Package: com.mediatek.mtklogger
-allow platform_app aee_exp_data_file:file r_file_perms;
-allow platform_app aee_exp_data_file:dir r_dir_perms;
-
-# Date : 2014/11/14
-# Operation : Migration
-# Purpose : MTKLogger need update md config file in data for mode changed
-# Package: com.mediatek.mtklogger
-allow platform_app mdlog_data_file:file rw_file_perms;
-allow platform_app mdlog_data_file:dir rw_dir_perms;
-
-# Date : 2015/01/13
-# Operation : New feature for GPS Log
-# Purpose : MTKLogger need setup local socket with mnld
-# Package: com.mediatek.mtklogger
-# TODO:: MTK need to remove later
-not_full_treble(`
- allow platform_app mnld:unix_stream_socket connectto;
-')
-
-# Date : WK17.46
-# Operation : Migration
-# Purpose : allow MTKLogger to read KE DB
-allow platform_app aee_dumpsys_data_file:file r_file_perms;
-
-# Date : WK18.17
-# Operation : P Migration
-# Purpose: allow platform_app to read /data/vendor/mtklog/aee_exp
-allow platform_app aee_exp_vendor_file:dir search;
-allow platform_app aee_exp_vendor_file:dir { read getattr open };
-allow platform_app aee_exp_vendor_file:file { read getattr open };
-
-# Date : WK18.21
-# Operation : Migration
-# Purpose : Do FM operation via mtk_hal_fm
-hal_client_domain(platform_app, mtk_hal_fm)
-
-# Date: 2018/03/23
-# Operation : Migration
-# Purpose : MTKLogger need connect to log hidl server
-# Package: com.mediatek.mtklogger
-hal_client_domain(platform_app, mtk_hal_log)
-
-# Date: 2018/06/08
-# Operation : Migration
-# Purpose : MTKLogger need get netlog/mdlog/mobilelog property for property change
-# Package: com.mediatek.mtklogger
-# allow platform_app debug_mdlogger_prop:file r_file_perms;
-# allow platform_app debug_mtklog_prop:file r_file_perms;
-get_prop(platform_app, debug_mdlogger_prop)
-get_prop(platform_app, debug_mtklog_prop)
-get_prop(platform_app, vendor_bluetooth_prop)
-get_prop(platform_app, mobile_log_prop)
-
-get_prop(platform_app, vendor_connsysfw_prop)
-
-# Date: 2018/11/08
-# Operation : JPEG
-# Purpose : JPEG need to use PQ via MMS HIDL
-allow platform_app mtk_hal_mms_hwservice:hwservice_manager find;
-allow platform_app mtk_hal_mms:binder call;
-
-# Date: 2019/07/04
-# Stage: Migration
-# Purpose: Allow to use lomo effect
-# Package: com.mediatek.camera
-#allow platform_app hal_camera_hwservice:hwservice_manager find;
-allow platform_app mtk_hal_camera:binder call;
-allow platform_app sw_sync_device:chr_file rw_file_perms;
-
-# Date: 2019/07/04
-# Purpose: Allow platform app to use BGService HIDL and access mtk_hal_camera
-hal_client_domain(platform_app, mtk_hal_bgs)
-allow platform_app mtk_hal_bgs_hwservice:hwservice_manager find;
-binder_call(platform_app, mtk_hal_bgs)
-binder_call(mtk_hal_bgs, platform_app)
-binder_call(platform_app, mtk_hal_camera)
-binder_call(mtk_hal_camera, platform_app)
diff --git a/r_non_plat/property.te b/r_non_plat/property.te
deleted file mode 100644
index 3ac67c0..0000000
--- a/r_non_plat/property.te
+++ /dev/null
@@ -1,325 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# MTK properties, allow all system/vendor processes to read.
-type mtk_default_prop, property_type, mtk_core_property_type;
-
-# Date: W14.32
-# Operation: Migration
-# Purpose: don't allow to use default_prop
-### TBD
-#neverallow { domain -init } default_prop:property_service set;
-#neverallow { domain -init -system_server -recovery -system_app} ctl_default_prop:property_service set;
-
-#=============allow ccci_mdinit to start gsm0710muxd==============
-type ctl_gsm0710muxd_prop, property_type;
-type ctl_gsm0710muxd-s_prop, property_type;
-type ctl_gsm0710muxd-d_prop, property_type;
-
-#=============allow viarild to start property==============
-type ctl_viarild_prop, property_type;
-#=============allow mtkrild to set persist.ril property==============
-type vendor_ril_ipo_prop, property_type, mtk_core_property_type;
-
-#=============allow gsm0710muxd to set mux property==============
-type gsm0710muxd_prop, property_type, mtk_core_property_type;
-
-#=============allow netlog running==============
-type debug_mtklog_prop, property_type, extended_core_property_type;
-type persist_mtklog_prop, property_type, extended_core_property_type;
-type debug_netlog_prop, property_type, extended_core_property_type;
-
-#=============allow netd to set mtk_wifi.*=========================
-type mtk_wifi_prop, property_type, mtk_core_property_type;
-
-#=============allow mdlogger==============
-type debug_mdlogger_prop, property_type, extended_core_property_type;
-type vendor_mdl_prop, property_type, extended_core_property_type;
-type vendor_mdl_start_prop, property_type, extended_core_property_type;
-type vendor_usb_prop, property_type;
-type persist_mdlog_prop, property_type, extended_core_property_type;
-type vendor_mdl_pulllog_prop, property_type, extended_core_property_type;
-
-#=============allow AEE==============
-type persist_mtk_aee_prop, property_type, extended_core_property_type;
-type persist_aee_prop, property_type, extended_core_property_type;
-type debug_mtk_aee_prop, property_type, extended_core_property_type;
-
-type persist_mtk_aeev_prop, property_type, mtk_core_property_type;
-type persist_aeev_prop, property_type, mtk_core_property_type;
-type debug_mtk_aeev_prop, property_type, mtk_core_property_type;
-type ro_mtk_aee_prop, property_type, mtk_core_property_type;
-
-#=============allow aee_dumpstate==============
-type debug_bq_dump_prop, property_type, extended_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ctl_ril-daemon-mtk_prop, property_type;
-type ctl_fusion_ril_mtk_prop, property_type;
-type ctl_ril-daemon-s_prop, property_type;
-type ctl_ril-daemon-d_prop, property_type;
-type ctl_ril-proxy_prop, property_type;
-
-#=============allow ccci_mdinit to start ccci_fsd==============
-type ctl_ccci_fsd_prop, property_type;
-type ctl_ccci2_fsd_prop, property_type;
-type ctl_ccci3_fsd_prop, property_type;
-
-#=============allow ccci_mdinit to set ril_active_md_prop==============
-type ril_active_md_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to stop rild==============
-type ril_mux_report_case_prop, property_type, mtk_core_property_type;
-type ril_cdma_report_prop, property_type, mtk_core_property_type;
-
-#=============allow ccci_mdinit to mtk_md_prop==============
-type mtk_md_prop, property_type, mtk_core_property_type;
-
-#=============allow mtkrild to start muxreport==============
-type ctl_muxreport-daemon_prop, property_type;
-
-#=============allow telephony modules to set tel_switch_prop==============
-type tel_switch_prop, property_type, mtk_core_property_type;
-
-#=============allow bootanim==============
-type bootani_prop, property_type, extended_core_property_type;
-
-#=============allow mnld_prop==============
-type mnld_prop, property_type, mtk_core_property_type;
-
-#=============allow audiohal==============
-type audiohal_prop, property_type, mtk_core_property_type;
-
-#=============allow wmt==============
-type wmt_prop, property_type, mtk_core_property_type;
-type coredump_prop, property_type, mtk_core_property_type;
-
-#=============allow sensor==============
-type ctl_emcsmdlogger_prop, property_type;
-type ctl_eemcs_fsd_prop, property_type;
-
-#=============allow statusd==============
-type net_cdma_mdmstat, property_type, mtk_core_property_type;
-
-#=============allow bt==============
-type persist_bt_prop, property_type, mtk_core_property_type;
-
-#============= allow factory idle current prop ==============
-type vendor_factory_idle_state_prop, property_type, mtk_core_property_type;
-
-#============= allow mobile log property ===============
-type mobile_log_prop, property_type, extended_core_property_type;
-
-#============= allow service.nvram_init property ===============
-type service_nvram_init_prop, property_type, mtk_core_property_type;
-
-#============= allow ro.wlan.mtk.wifi.5g property ===============
-type wifi_5g_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set client.appmode ==============
-type mtk_em_prop, property_type, mtk_core_property_type;
-
-#=============allow mediatek_prop ==============
-type mediatek_prop, property_type, mtk_core_property_type;
-
-#=============Property set by EM, for test/debug purpose=========
-type mtk_em_sys_prop, property_type, extended_core_property_type;
-type mtk_em_hidl_prop, property_type, mtk_core_property_type;
-
-#============= allow em set protocol ===============
-type mtk_em_net_auto_tethering_prop, property_type, extended_core_property_type;
-
-#=============allow em set property=============
-type mtk_operator_id_prop, property_type, mtk_core_property_type;
-
-#=============allow em set testsim.cardtype property===========
-type mtk_simswitch_emmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_dsbp_support_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_imstestmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_smsformat_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_gprs_prefer_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_testsim_cardtype_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_ct_ir_engmode_prop, property_type, mtk_core_property_type;
-
-#=============allow em set property=============
-type mtk_disable_c2k_cap_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem reset delay property================
-type mtk_debug_md_reset_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set video log omx.* property================
-type mtk_omx_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdec log property================
-type mtk_vdec_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set vdectlc log property================
-type mtk_vdectlc_log_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set venc h264 showlog property================
-type mtk_venc_h264_showlog_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set modem warning_prop property================
-type mtk_modem_warning_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set bgdata disabled property================
-type mtk_bgdata_disabled, property_type, extended_core_property_type;
-
-#=============allow em to set telecom vibrate property================
-type mtk_telecom_vibrate, property_type, extended_core_property_type;
-
-#=============allow em to set gprs attach type property================
-type mtk_gprs_attach_type, property_type, extended_core_property_type;
-
-#=============allow em to set poweroffmd property================
-type mtk_power_off_md_type, property_type, extended_core_property_type;
-
-#=============allow meta_tst to stop specific service ===============
-type ctl_mobile_log_d_prop, property_type;
-type ctl_mnld_prop, property_type;
-type ctl_mobicore_prop, property_type;
-
-#=============allow system server to set meta_connecttype property ==============
-type meta_connecttype_prop, property_type;
-
-#=============Telephony Sensitive property==============
-type mtk_telephony_sensitive_prop, property_type;
-
-#=============allow processes to change thermal config================
-type mtk_thermal_config_prop, property_type;
-
-#=============allow composer set property ============================
-type graphics_hwc_pid_prop, property_type;
-type graphics_hwc_latch_unsignaled_prop, property_type;
-type graphics_hwc_hdr_prop, property_type;
-
-#============= mtkcam property ============================
-type mtkcam_prop, property_type;
-
-#============= atm modem mode property ==============
-type atm_mdmode_prop, property_type;
-
-#============= atm ip address property ==============
-type atm_ipaddr_prop, property_type;
-
-#=============allow consyslogger==============
-type vendor_connsysfw_prop, property_type, extended_core_property_type;
-
-#=============radio group property=============
-type vendor_radio_prop, property_type, mtk_core_property_type;
-
-#=============allow bluetooth==============
-type vendor_bluetooth_prop, property_type, extended_core_property_type;
-
-
-
-#=============em camera property==============
-type vendor_debug_prop, property_type, mtk_core_property_type;
-
-#=============allow ct volte==============
-type mtk_ct_volte_prop, property_type, mtk_core_property_type;
-
-#=============mtk ril mode property=============
-type mtk_ril_mode_prop, property_type, mtk_core_property_type;
-type mtk_ss_vendor_prop, property_type, mtk_core_property_type;
-
-#=============GPS support properties==============
-type mtk_gps_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk rat config property=============
-type mtk_rat_config_prop, property_type, mtk_core_property_type;
-
-#=============mtk aal property=============
-type mtk_aal_ro_prop, property_type, mtk_core_property_type;
-
-#=============mtk pq property=============
-type mtk_pq_ro_prop, property_type, mtk_core_property_type;
-type mtk_pq_prop, property_type, mtk_core_property_type;
-
-#=============mtk emmc property=============
-type mtk_emmc_support_prop, property_type, mtk_core_property_type;
-
-#=============sim system property=============
-type vendor_sim_system_prop, property_type, extended_core_property_type;
-
-#=============em usb property==============
-type vendor_em_usb_prop, property_type, mtk_core_property_type;
-
-#=============allow em to set usb otg enable property ==============
-type vendor_usb_otg_switch, property_type, mtk_core_property_type;
-
-#=============mtk anr property=============
-type mtk_anr_support_prop, property_type, mtk_core_property_type;
-
-#=============mtk app resolution tuner property=============
-type mtk_appresolutiontuner_prop, property_type, mtk_core_property_type;
-
-#=============mtk fullscreen switch=============
-type mtk_fullscreenswitch_prop, property_type, mtk_core_property_type;
-
-# MTK Antutu feature
-type mtk_antutu_prop, property_type, mtk_core_property_type;
-
-#=============mtk malloc debug switch unwind backtrace property=============
-type mtk_malloc_debug_backtrace_prop, property_type, mtk_core_property_type;
-
-#=============MTK Voice Recognize property===========
-type mtk_voicerecgnize_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set/get xcap rawurl config================
-type persist_xcap_rawurl_prop, property_type, extended_core_property_type;
-
-#=============allow atcid==============
-type persist_service_atci_prop, property_type, mtk_core_property_type;
-type mtk_atci_prop, property_type, mtk_core_property_type;
-
-#=============allow Netd property==============
-type mtk_net_ipv6_prop, property_type, mtk_core_property_type;
-
-#============= allow carrier express (cxp) ==============
-type usp_prop, property_type, mtk_core_property_type;
-type usp_srv_prop, property_type, extended_core_property_type;
-type mtk_cxp_vendor_prop, property_type, mtk_core_property_type;
-
-#=============allow MD to set mtk_md_version_prop==============
-type mtk_md_version_prop, property_type, mtk_core_property_type;
-
-#=============allow radio to set mtk_volte_enable property==============
-type mtk_volte_prop, property_type, mtk_core_property_type;
-
-#=============allow AMS dynamic enable log property===========
-type mtk_amslog_prop, property_type, extended_core_property_type;
-
-#=============allow android log much property==============
-type logmuch_prop, property_type, extended_core_property_type;
-
-#=============mtk bt enable SAP profile property=============
-type mtk_bt_sap_enable_prop, property_type, mtk_core_property_type;
-
-#=============MTK powerhal property================
-type mtk_powerhal_prop, property_type;
-
-#=============MTK Wifi wlan_assistant property=============
-type mtk_nvram_ready_prop, property_type, mtk_core_property_type;
-
-#=============allow wifi hotspot to read property===========
-type mtk_wifi_hotspot_prop, property_type, mtk_core_property_type;
-
-#=============mtk hdmi property=============
-type mtk_hdmi_prop, property_type, mtk_core_property_type;
-
-#=============mtk nn option property=============
-type mtk_nn_option_prop, property_type;
diff --git a/r_non_plat/property_contexts b/r_non_plat/property_contexts
deleted file mode 100644
index 09883d5..0000000
--- a/r_non_plat/property_contexts
+++ /dev/null
@@ -1,354 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== -#=============allow ccci_mdinit to start gsm0710muxd============== -ctl.vendor.gsm0710muxd u:object_r:ctl_gsm0710muxd_prop:s0 - - -#=============allow mtkrild to set persist.ril property============== -vendor.ril.ipo u:object_r:vendor_ril_ipo_prop:s0 - -#=============allow netlog============== -vendor.mtklog u:object_r:debug_mtklog_prop:s0 -persist.vendor.mtklog u:object_r:persist_mtklog_prop:s0 -vendor.netlog u:object_r:debug_netlog_prop:s0 - -#=============allow mdlogger============== -vendor.mdlogger u:object_r:debug_mdlogger_prop:s0 -vendor.mdl u:object_r:vendor_mdl_prop:s0 -vendor.starting.mode u:object_r:vendor_mdl_start_prop:s0 -vendor.usb. u:object_r:vendor_usb_prop:s0 -persist.vendor.usb. u:object_r:vendor_usb_prop:s0 -persist.vendor.mdl u:object_r:persist_mdlog_prop:s0 -vendor.pullmdlog u:object_r:vendor_mdl_pulllog_prop:s0 - - -#=============allow AEE============== -# persist.vendor.mtk.aee.mode && persist.vendor.mtk.aee.dal -persist.vendor.mtk.aee. u:object_r:persist_mtk_aee_prop:s0 -persist.vendor.mtk.aeev. u:object_r:persist_mtk_aeev_prop:s0 - -# persist.vendor.aee.core.dump && persist.vendor.aee.core.direct -persist.vendor.aee. u:object_r:persist_aee_prop:s0 -persist.vendor.aeev. u:object_r:persist_aeev_prop:s0 - -# vendor.debug.mtk.aee.db -vendor.debug.mtk.aee. u:object_r:debug_mtk_aee_prop:s0 -vendor.debug.mtk.aeev u:object_r:debug_mtk_aeev_prop:s0 - -ro.vendor.aee.build.info u:object_r:ro_mtk_aee_prop:s0 -ro.vendor.aee.enforcing u:object_r:ro_mtk_aee_prop:s0 -ro.vendor.have_aee_feature u:object_r:ro_mtk_aee_prop:s0 - -#=============allow AEE_Dumpstate============== -vendor.debug.bq.dump u:object_r:debug_bq_dump_prop:s0 - -#=============allow mux============== -vendor.ril.mux. 
u:object_r:gsm0710muxd_prop:s0 - -#=============allow mdinit============== -ctl.vendor.ril-daemon-mtk u:object_r:ctl_ril-daemon-mtk_prop:s0 -ctl.vendor.fusion_ril_mtk u:object_r:ctl_fusion_ril_mtk_prop:s0 -ctl.vendor.ril-proxy u:object_r:ctl_ril-proxy_prop:s0 -ctl.vendor.viarild u:object_r:ctl_viarild_prop:s0 - -ctl.vendor.muxreport-daemon u:object_r:ctl_muxreport-daemon_prop:s0 -ctl.vendor.ccci_fsd u:object_r:ctl_ccci_fsd_prop:s0 -ctl.vendor.ccci2_fsd u:object_r:ctl_ccci2_fsd_prop:s0 -ctl.vendor.ccci3_fsd u:object_r:ctl_ccci3_fsd_prop:s0 - -vendor.ril.active.md u:object_r:ril_active_md_prop:s0 -vendor.ril.mux.report.case u:object_r:ril_mux_report_case_prop:s0 -vendor.ril.cdma.report u:object_r:ril_cdma_report_prop:s0 - -#=============allow dynamic telephony switch============== -ro.boot.opt_c2k_lte_mode u:object_r:tel_switch_prop:s0 -ro.boot.opt_c2k_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_eccci_c2k u:object_r:tel_switch_prop:s0 -ro.boot.opt_lte_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_md1_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_md2_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_md3_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_md5_support u:object_r:tel_switch_prop:s0 -ro.boot.opt_ps1_rat u:object_r:tel_switch_prop:s0 -ro.boot.opt_sim_count u:object_r:tel_switch_prop:s0 -ro.boot.opt_using_default u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_c2k_lte_mode u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_c2k_support u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_eccci_c2k u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_lte_support u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_md1_support u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_md3_support u:object_r:tel_switch_prop:s0 -ro.vendor.mtk_ps1_rat u:object_r:tel_switch_prop:s0 - -#=============allow bootanim============== -persist.vendor.bootanim. 
u:object_r:bootani_prop:s0 - -#=============allow mnld_prop ============== -vendor.gps.clock.type u:object_r:mnld_prop:s0 -vendor.gps.gps.version u:object_r:mnld_prop:s0 -vendor.gpsdbglog.enable u:object_r:mnld_prop:s0 -vendor.gpsdbglog. u:object_r:mnld_prop:s0 -vendor.debug.gps. u:object_r:mnld_prop:s0 - -#=============allow audiohal============== -vendor.streamout. u:object_r:audiohal_prop:s0 -vendor.streamin. u:object_r:audiohal_prop:s0 -vendor.a2dp. u:object_r:audiohal_prop:s0 -vendor.audiohal. u:object_r:audiohal_prop:s0 -persist.vendor.audiohal. u:object_r:audiohal_prop:s0 -persist.vendor.vow. u:object_r:audiohal_prop:s0 - -#=============allow wmt ============== -persist.vendor.connsys.coredump.mode u:object_r:coredump_prop:s0 -persist.vendor.connsys. u:object_r:wmt_prop:s0 -vendor.connsys. u:object_r:wmt_prop:s0 - - -#=============allow c2k_prop ============== -vendor.net.cdma.mdmstat u:object_r:net_cdma_mdmstat:s0 - - -#=============allow ccci_mdinit md status ============== -vendor.mtk.md u:object_r:mtk_md_prop:s0 -#============= allow factory idle current prop ============== -vendor.debug.factory.idle_state u:object_r:vendor_factory_idle_state_prop:s0 - -#=============allow mobile log property================ -vendor.MB. u:object_r:mobile_log_prop:s0 - -#=============allow service.nvram_init property================ -vendor.service.nvram_init u:object_r:service_nvram_init_prop:s0 - - -#=============Allow EM To Set Camera APP Mode ============== -vendor.client. u:object_r:mtk_em_prop:s0 - -#=============allow mediatek_prop ============== -vendor.debug.camera.p2plug.log u:object_r:mediatek_prop:s0 -vendor.client.em.appmode u:object_r:mediatek_prop:s0 -#=============Property set by EM, for test/debug purpose========= -persist.vendor.em. u:object_r:mtk_em_sys_prop:s0 -persist.vendor.em.hidl. 
u:object_r:mtk_em_hidl_prop:s0 - -#=============allow em set tethering protocol================ -persist.vendor.net.auto.tethering u:object_r:mtk_em_net_auto_tethering_prop:s0 - -#=============allow em set ims operator property=========== -vendor.ril.volte.mal.pctid u:object_r:mtk_operator_id_prop:s0 - -#=============allow em set simswitch property=========== -persist.vendor.radio.simswitch.emmode u:object_r:mtk_simswitch_emmode_prop:s0 - -#=============allow em set mtk_dsbp_support property=========== -persist.vendor.radio.mtk_dsbp_support u:object_r:mtk_dsbp_support_prop:s0 - -#=============allow em set imstestmode property=========== -persist.vendor.radio.imstestmode u:object_r:mtk_imstestmode_prop:s0 - -#=============allow em set smsformat property=========== -persist.vendor.radio.smsformat u:object_r:mtk_smsformat_prop:s0 - -#=============allow em set gprs.prefer property=========== -persist.vendor.radio.gprs.prefer u:object_r:mtk_gprs_prefer_prop:s0 - -#=============allow em set testsim.cardtype property=========== -persist.vendor.radio.testsim.cardtype u:object_r:mtk_testsim_cardtype_prop:s0 - -#=============allow em set ct.ir.engmode property=========== -persist.vendor.radio.ct.ir.engmode u:object_r:mtk_ct_ir_engmode_prop:s0 - -#=============allow em set disable_c2k_cap property=========== -persist.vendor.radio.disable_c2k_cap u:object_r:mtk_disable_c2k_cap_prop:s0 - -#=============allow em to set modem reset delay property================ -vendor.mediatek.debug.md.reset.wait u:object_r:mtk_debug_md_reset_prop:s0 - -#=============allow em to set video log omx.* property================ -vendor.mtk.omx. 
u:object_r:mtk_omx_log_prop:s0 - -#=============allow em to set vdec log property================ -vendor.mtk.vdec.log u:object_r:mtk_vdec_log_prop:s0 - -#=============allow em to set vdectlc logproperty================ -vendor.mtk.vdectlc.log u:object_r:mtk_vdectlc_log_prop:s0 - -#=============allow em to set venc h264 showlog property================ -vendor.mtk.venc.h264.showlog u:object_r:mtk_venc_h264_showlog_prop:s0 - -#=============allow em to set modem warning property================ -persist.vendor.radio.modem.warning u:object_r:mtk_modem_warning_prop:s0 - -#=============allow em to set bgdata disabled property================ -persist.vendor.radio.bgdata.disabled u:object_r:mtk_bgdata_disabled:s0 - -#=============allow em to set telecom vibrate property================ -persist.vendor.radio.telecom.vibrate u:object_r:mtk_telecom_vibrate:s0 - -#=============allow em to set gprs attach type property================ -persist.vendor.radio.gprs.attach.type u:object_r:mtk_gprs_attach_type:s0 - -#=============allow em to set poweroffmd property================ -vendor.ril.test.poweroffmd u:object_r:mtk_power_off_md_type:s0 -vendor.ril.testmode u:object_r:mtk_power_off_md_type:s0 - - -#=============allow system server to set meta_connecttype property ============== -persist.vendor.meta.connecttype u:object_r:meta_connecttype_prop:s0 - -#=============Telephony Sensitive property============== -vendor.ril.iccid.sim u:object_r:mtk_telephony_sensitive_prop:s0 -vendor.ril.uim.subscriberid u:object_r:mtk_telephony_sensitive_prop:s0 -persist.vendor.radio.last_iccid_sim u:object_r:mtk_telephony_sensitive_prop:s0 - -#=============allow sim config property============== -vendor.gsm.sim.operator.default-name u:object_r:vendor_sim_system_prop:s0 - -#=============allow processes to change thermal config================ -vendor.thermal.manager.data u:object_r:mtk_thermal_config_prop:s0 -#=============allow composer set property ============================ 
-vendor.debug.sf.hwc_pid u:object_r:graphics_hwc_pid_prop:s0 -vendor.debug.sf.latch_unsignaled u:object_r:graphics_hwc_latch_unsignaled_prop:s0 -vendor.debug.sf.hdr_enable u:object_r:graphics_hwc_hdr_prop:s0 - -#============= atm modem mode property(ATM) ============== -persist.vendor.atm.mdmode u:object_r:atm_mdmode_prop:s0 - -#============= atm ip address property(ATM) ============== -persist.vendor.atm.ipaddress u:object_r:atm_ipaddr_prop:s0 - -#============= atm boot property(ATM) ============== -ro.boot.atm u:object_r:mtk_default_prop:s0 - -#=============allow consyslogger============== -vendor.connsysfw u:object_r:vendor_connsysfw_prop:s0 - -#============Label telephony property=======# -vendor.ril. u:object_r:vendor_radio_prop:s0 -ro.vendor.ril. u:object_r:vendor_radio_prop:s0 -vendor.gsm. u:object_r:vendor_radio_prop:s0 -persist.vendor.radio. u:object_r:vendor_radio_prop:s0 - -#=============allow bluetooth============== -vendor.bthcisnoop u:object_r:vendor_bluetooth_prop:s0 - -#=============em camera property============== -vendor.debug. 
u:object_r:vendor_debug_prop:s0 - -#=============allow ct volte============== -persist.vendor.mtk_ct_volte_support u:object_r:mtk_ct_volte_prop:s0 - -#============Label mtk ril mode=======# -ro.vendor.mtk_ril_mode u:object_r:mtk_ril_mode_prop:s0 - -#=============GPS support properties============== -ro.vendor.mtk_gps_support u:object_r:mtk_gps_support_prop:s0 -ro.vendor.mtk_agps_app u:object_r:mtk_gps_support_prop:s0 -ro.vendor.mtk_log_hide_gps u:object_r:mtk_gps_support_prop:s0 -ro.vendor.mtk_hidl_consolidation u:object_r:mtk_gps_support_prop:s0 - -#============allow rat config=======# -ro.vendor.mtk_protocol1_rat_config u:object_r:mtk_rat_config_prop:s0 - -#=============allow mtk aal==============# -ro.vendor.mtk_aal_support u:object_r:mtk_aal_ro_prop:s0 -ro.vendor.mtk_ultra_dimming_support u:object_r:mtk_aal_ro_prop:s0 -ro.vendor.mtk_dre30_support u:object_r:mtk_aal_ro_prop:s0 - -#=============allow mtk pq==============# -persist.vendor.sys.pq. u:object_r:mtk_pq_prop:s0 -vendor.debug.pq. u:object_r:mtk_pq_prop:s0 -persist.vendor.sys.isp. u:object_r:mtk_pq_prop:s0 -persist.vendor.sys.mtkaal. u:object_r:mtk_pq_prop:s0 -ro.vendor.mtk_pq_color_mode u:object_r:mtk_pq_ro_prop:s0 -ro.vendor.mtk_blulight_def_support u:object_r:mtk_pq_ro_prop:s0 -ro.vendor.mtk_chameleon_support u:object_r:mtk_pq_ro_prop:s0 -ro.vendor.mtk_pq_support u:object_r:mtk_pq_ro_prop:s0 - -# Mtk properties that allow all system/vendor processes to read. 
-# Usually they are config properties (but not limited to) -ro.vendor.mtk_tdd_data_only_support u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_audio_alac_support u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_support_mp2_playback u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_audio_ape_support u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_flv_playback_support u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_mtkps_playback_support u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_wearable_platform u:object_r:mtk_default_prop:s0 -ro.vendor.mediatek.platform u:object_r:mtk_default_prop:s0 -ro.vendor.mediatek.version.branch u:object_r:mtk_default_prop:s0 -ro.vendor.mediatek.version.release u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_exchange_support u:object_r:mtk_default_prop:s0 -vendor.met.running u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_disable_cap_switch u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_sim_card_onoff u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_perf_plus u:object_r:mtk_default_prop:s0 - -#============mtk emmc=======# -ro.vendor.mtk_emmc_support u:object_r:mtk_emmc_support_prop:s0 - -# MTK connsys log feature -ro.vendor.connsys.dedicated.log u:object_r:mtk_default_prop:s0 - -#=============em usb property============== -vendor.usb.port.mode u:object_r:vendor_em_usb_prop:s0 -vendor.em.usb. u:object_r:vendor_em_usb_prop:s0 - -#=============allow em to set usb otg switch property ============== -persist.vendor.usb.otg.switch u:object_r:vendor_usb_otg_switch:s0 - -#============mtk rsc========# -ro.boot.rsc u:object_r:mtk_default_prop:s0 - -#=============mtk anr property============= -persist.vendor.dbg.anrflow u:object_r:mtk_anr_support_prop:s0 -persist.vendor.anr. 
u:object_r:mtk_anr_support_prop:s0 -vendor.anr.autotest u:object_r:mtk_anr_support_prop:s0 - -#=============mtk app resolution tuner============= -ro.vendor.app_resolution_tuner u:object_r:mtk_appresolutiontuner_prop:s0 -persist.vendor.dbg.disable.art u:object_r:mtk_appresolutiontuner_prop:s0 - -#=============mtk fullscreen switch============= -ro.vendor.fullscreen_switch u:object_r:mtk_fullscreenswitch_prop:s0 - -#============= allow em set ims xcap property =============== -persist.vendor.ss. u:object_r:mtk_ss_vendor_prop:s0 - -# MTK Antutu feature -ro.vendor.net.upload.benchmark.default u:object_r:mtk_antutu_prop:s0 - -#=============malloc debug unwind backtrace switch property==============# -vendor.debug.malloc.bt.switch u:object_r:mtk_malloc_debug_backtrace_prop:s0 - -#=============allow gmo====================# -ro.vendor.gmo.ram_optimize u:object_r:mtk_default_prop:s0 -ro.vendor.gmo.rom_optimize u:object_r:mtk_default_prop:s0 -ro.vendor.mtk_config_max_dram_size u:object_r:mtk_default_prop:s0 - -#=============MTK Voice Recognize property===========# -vendor.voicerecognize.raw u:object_r:mtk_voicerecgnize_prop:s0 -vendor.voicerecognize_data.raw u:object_r:mtk_voicerecgnize_prop:s0 -vendor.voicerecognize.noDL u:object_r:mtk_voicerecgnize_prop:s0 - -#=============allow radio to set/get xcap rawurl config================ -persist.vendor.mtk.xcap.rawurl u:object_r:persist_xcap_rawurl_prop:s0 - -#=============mtk bt enable SAP profile property=============# -ro.vendor.mtk.bt_sap_enable u:object_r:mtk_bt_sap_enable_prop:s0 - -#=============allow processes to change powerhal config================ -persist.vendor.powerhal. u:object_r:mtk_powerhal_prop:s0 -vendor.powerhal. 
u:object_r:mtk_powerhal_prop:s0 - -#=============MTK Wifi wlan_assistant property============= -vendor.mtk.nvram.ready u:object_r:mtk_nvram_ready_prop:s0 - -#=============Wi-Fi Hotspot============== -ro.vendor.wifi.sap.interface u:object_r:mtk_wifi_hotspot_prop:s0 - -#=============allow mtk hdmi==============# -persist.vendor.sys.hdmi_hidl. u:object_r:mtk_hdmi_prop:s0 - -#=============mtk nn option==============# -ro.vendor.mtk_nn.option u:object_r:mtk_nn_option_prop:s0 - diff --git a/r_non_plat/radio.te b/r_non_plat/radio.te deleted file mode 100644 index 5d3db51..0000000 --- a/r_non_plat/radio.te +++ /dev/null 
@@ -1,236 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============ - -# Purpose : allow to access kpd driver file -allow radio sysfs_keypad_file:dir { r_dir_perms }; -allow radio sysfs_keypad_file:file { w_file_perms }; - -# Date : WK15.34 2015/08/21 -# Operation : IT -# Purpose : for engineermode WFD IOT property -allow radio surfaceflinger:fifo_file { rw_file_perms }; - -# Date : 2016/06/11 -# Operation : IT -# Purpose : for engineermode Usb PHY Tuning -allow radio debugfs_usb20_phy:file { read open getattr }; -allow radio debugfs_usb20_phy:dir search; - -# Date : WK14.38 2016/06/28 -# Operation : Migration -# Purpose : for engineermode -allow radio mt_otg_test_device:chr_file { read write ioctl open }; -allow radio mtgpio_device:chr_file { read ioctl open }; -allow radio stpbt_device:chr_file { read write open }; -allow radio stpant_device:chr_file { read write open }; -allow radio bt_int_adp_socket:sock_file write; -allow radio mt6605_device:chr_file { read write ioctl open getattr }; -allow radio nfc_socket:dir { write add_name remove_name search }; -allow radio system_prop:property_service set; - -# Date : WK14.38 2016/06/28 -# Operation : Migration -# Purpose : for engineermode -allow radio em_svr:unix_stream_socket connectto; - -# Date : WK15.25 2016/06/28 -# Operation :N Migration -# Purpose : for engineermode WiFi test mode -# todo: in the feature Google maybe forbid this option,we should use other way -allowxperm radio self:udp_socket ioctl { SIOCIWFIRSTPRIV-SIOCIWFIRSTPRIV_09 SIOCIWFIRSTPRIV_0B SIOCSIWESSID SIOCSIWMODE }; - -# Date : 2014/12/13 -# Operation : IT -# Purpose : for bluetooth relayer mode -allow radio block_device:dir search; -allow radio ttyGS_device:chr_file { open read write ioctl }; - -# Date : 2016/07/05 -# Purpose : -# Write IMEI - presanity item write imei should read the file on storage -# Swift APK integration - access TTL scripts and logs on external storage -# eng mode camera - save iamges 
files and log files on external storage -# eng mode ygps - save location information on external storage -allow radio media_rw_data_file:dir { create_dir_perms }; -allow radio media_rw_data_file:file { create_file_perms }; - -# Date : 2016/08/02 -# Purpose : -# Swift APK integration - access ccci dir/file -allow radio ccci_fsd:dir { r_dir_perms }; - -# Date : 2016/07/25 -# Operation : Bluetooth access NVRAM fail in Engineer Mode -# Purpose : for Bluetooth read NVRAM data -allow radio nvdata_file:dir search; -allow radio nvdata_file:file rw_file_perms; - -#Date : 2016/11/08 -#Operation: IT -#Purpose: for EM set persist.net.auto.tethering -set_prop(radio, mtk_em_net_auto_tethering_prop) - -# Date : WK17.03 -# Operation : O Migration -# Purpose : HIDL for rilproxy -binder_call(radio, hal_telephony) - -# Date : WK17.15 -# Operation : O Migration -# Purpose : for YGPS execution -allow radio hal_graphics_composer_default:fd use; - -#Dat: 2017/02/14 -#Purpose: allow get telephony Sensitive property -get_prop(radio, mtk_telephony_sensitive_prop) - -# Date : WK17.26 -# Operation : O Migration -# Purpose : HIDL for imsa -binder_call(radio, mtk_hal_imsa) - -# Date : WK1727 2017/07/04 -# Operation : IT -# Purpose : Allow to use HAL imsa -hal_client_domain(radio, hal_imsa) - -#Dat: 2017/06/29 -#Purpose: For audio parameter tuning -#allow radio hal_audio_hwservice:hwservice_manager find; -binder_call(radio,mtk_hal_audio) - -# TODO : Will move to plat_private when SEPolicy split done -# Date : WK1727 2017/07/19 -# Operation : Migration -# Purpose : Allow EM set usb property -set_prop(radio, system_radio_prop) - -#Dat: 2017/07/20 -#Purpose: NFC EM -allow radio hal_nfc_hwservice:hwservice_manager find; -binder_call(radio, hal_nfc) -binder_call(hal_nfc, radio) -hwbinder_use(radio); -#hal_client_domain(radio, hal_nfc) -typeattribute radio halclientdomain; -typeattribute radio hal_nfc_client; -allow radio nfc_socket:sock_file { create write unlink setattr }; -set_prop(radio, 
system_prop) - -# Date : WK1734 2017/08/23 -# Purpose : Allow EM use power HAL -allow radio mtk_hal_power_hwservice:hwservice_manager find; -binder_call(radio, mtk_hal_power) - -# Date : 2017/10/31 -# Purpose: Policy for EM to set wcn coredump property -get_prop(radio, wmt_prop) - -# Date : WK18.16 -# Operation: P migration -# Purpose: Allow radio to get tel_switch_prop -get_prop(radio, tel_switch_prop) - -# Date : 2018/05/03 -# Operation: P migration -# Purpose: allow EM to set modem reset delay property -get_prop(radio, mtk_debug_md_reset_prop) - -# Date : 2018/06/01 -# Operation : P migration -# Purpose : For EM access battery info -allow radio sysfs_batteryinfo:dir search; -#allow radio sysfs_batteryinfo:file { read write getattr open create}; -allow radio sysfs_vbus:file { read getattr open }; -allow radio sysfs_battery_consumption:file r_file_perms; -allow radio sysfs_power_on_vol:file r_file_perms; -allow radio sysfs_power_off_vol:file r_file_perms; -allow radio sysfs_fg_disable:file w_file_perms; -allow radio sysfs_dis_nafg:file w_file_perms; - -# Date : 2018/06/15 -# Purpose : Allow EM access touchscreen settings -allow radio sysfs_tpd_debug:dir { search read open }; -allow radio sysfs_tpd_setting:dir { search read open }; - -# Date : 2018/06/15 -# Purpose : mtk EM PMU reading/setting -allow radio sysfs_pmu:dir { search }; -allow radio sysfs_pmu:file { read }; -allow radio sysfs_pmu:lnk_file { read }; - -# Date : 2018/06/15 -# Purpose : mtk EM Power debug_log setting -allow radio sysfs_spm:dir { search }; - -# Date : 2018/06/15 -# Purpose: Allow EM detect Audio headset status -allow radio sysfs_headset:file { read open }; - -# Date : 2018/06/26 -# Operation : IT -# Purpose : Allow to use HAL em -hal_client_domain(radio, mtk_hal_em) - -# Date : 2018/07/03 -# Purpose : Allow sim system to set prop -set_prop(radio, vendor_sim_system_prop) - -# Date : 2018/07/03 -# Purpose : Allow Mwi to get vendor default properties (ro.vendor.*) -get_prop(radio, 
vendor_default_prop) - -# Operation : DEBUG -# Purpose : Allow to use mtk_bgdata_disabled -set_prop(radio, mtk_bgdata_disabled) - -# Date : 2018/07/03 -# Operation : DEBUG -# Purpose : Allow to use mtk_telecom_vibrate -set_prop(radio, mtk_telecom_vibrate) - -# Date : 2018/07/03 -# Operation : DEBUG -# Purpose : Allow to use mtk_gprs_attach_type -set_prop(radio, mtk_gprs_attach_type) - -# Date : 2018/07/12 -# Purpose : Allow EM to use Lbs Hidl -binder_call(radio, lbs_hidl_service) -allow radio mtk_hal_lbs_hwservice:hwservice_manager find; - -# Date : 2018/08/12 -# Purpose : Allow EM to set poweroffmd property -set_prop(radio, mtk_power_off_md_type) - -get_prop(radio, persist_mtk_aeev_prop); - - -# Date : 2018/08/31 -# Purpose : Allow EM to set sys property -set_prop(radio, mtk_em_sys_prop) - -# Date : 2018/11/01 -# Purpose : mtk EM c2k bypass read usb file -allow radio sys_usb_rawbulk:file { r_file_perms }; -allow radio sys_usb_rawbulk:dir { r_dir_perms }; - -#Date : 2018/11/02 -# Operation : Allow radio persist_xcap_rawurl_prop:property_service set; -# Purpose : for set telephony xcap use raw url property in IMS SS -set_prop(radio, persist_xcap_rawurl_prop) - -# Date : 2019/05/08 -# Operation : label aee_aed sockets -# Purpose : Engineering mode need access for aee commmand -allow radio aee_aed:unix_stream_socket connectto; - -# Date : 2019/05/23 -# Operation : Get subpimc reigster status -# Purpose : Engineering mode need get subpimic register status -allow radio debugfs_regmap:dir { search }; - -# Date : 2018/09/29 -# Purpose : Allow get USB Current Speed in Engineer Mode -get_prop(radio, vendor_usb_prop); \ No newline at end of file diff --git a/r_non_plat/recovery.te b/r_non_plat/recovery.te deleted file mode 100644 index a130f89..0000000 --- a/r_non_plat/recovery.te +++ /dev/null 
@@ -1,57 +0,0 @@ -# ============================================== -# MTK Policy Rule -# ============================================== -# recovery console (used in recovery init.rc for /sbin/recovery) - -# Date : WK15.13 -# Operation : UT -# Purpose : Nand device policy -allow recovery mtd_device:dir search; -allow recovery mtd_device:chr_file rw_file_perms; -allow recovery self:capability sys_resource; - -# Date : WK18.16 -# Operation : UT -# Purpose : Refine policy -allow recovery misc_sd_device:chr_file rw_file_perms; -allow recovery vfat:dir r_dir_perms; -allow recovery vfat:file r_file_perms; -allow recovery sysfs_mmcblk:dir r_dir_perms; -allow recovery sysfs_mmcblk:file rw_file_perms; -allow recovery sysfs_mmcblk:lnk_file r_file_perms; - -# Date : WK18.25 -# Operation : UT -# Purpose : Add policy for therm, gpu, battery, and boot_type -allow recovery sysfs:dir r_dir_perms; -allow recovery sysfs_batteryinfo:dir r_dir_perms; -allow recovery sysfs_boot_type:file r_file_perms; -allow recovery sysfs_therm:dir r_dir_perms; -allow recovery sysfs_therm:file r_file_perms; -allow recovery gpu_device:dir r_dir_perms; - -# Date : WK18.09 -# Operation : UT -# Purpose : Allow recovery can update boot partition -allow recovery tmpfs:lnk_file r_file_perms; - -# Date : WK19.03 -# Operation : UT -# Purpose : Android Migration -allow recovery bootdevice_block_device:blk_file rw_file_perms; -allow recovery self:capability { sys_rawio fsetid }; -allowxperm recovery bootdevice_block_device:blk_file ioctl { - MMC_IOCTLCMD - UFS_IOCTLCMD -}; -allow recovery block_device:blk_file ioctl; -allowxperm recovery block_device:blk_file ioctl { - BLKIOMIN - BLKALIGNOFF -}; -allow recovery sysfs_dm:dir search; -allow recovery sysfs_dm:file r_file_perms; -allowxperm recovery tmpfs:file ioctl FS_IOC_FIEMAP; -allowxperm recovery cache_block_device:blk_file ioctl BLKPBSZGET; -allowxperm recovery nvdata_device:blk_file ioctl BLKPBSZGET; -allow recovery proc_filesystems:file r_file_perms; 
diff --git a/r_non_plat/resize.te b/r_non_plat/resize.te deleted file mode 100644 index b2e8c7c..0000000 --- a/r_non_plat/resize.te +++ /dev/null @@ -1,38 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/resize_xxx Executable File - -# ============================================== -# Type Declaration -# ============================================== -type resize, domain; -type resize_exec, exec_type, file_type, vendor_file_type; - -# ============================================== -# MTK Policy Rule -# ============================================== - -# Date : WK15.30 -# Operation : Migration -# Purpose : resize fs(ext4) partition, only run once. -init_daemon_domain(resize) - -allow resize resize_exec:file execute_no_trans; - -# Inherit and use pty created by android_fork_execvp_ext(). -allow resize devpts:chr_file { read write open getattr ioctl }; - -allow resize kmsg_device:chr_file { write open }; - -allow resize userdata_block_device:blk_file rw_file_perms; - -allow resize block_device:dir search; - -allow resize resize:capability sys_admin; - -allow resize labeledfs:filesystem unmount; - -allow resize property_socket:sock_file write; - -allow resize init:unix_stream_socket connectto; - -#allow resize system_file:file execute_no_trans; diff --git a/r_non_plat/rild.te b/r_non_plat/rild.te deleted file mode 100644 index 3edcd0b..0000000 --- a/r_non_plat/rild.te +++ /dev/null 
@@ -1,165 +0,0 @@ -# ============================================== -# Policy File of /vendor/bin/rild Executable File - -# ============================================== -# Type Declaration -# ============================================== - -# ============================================== -# MTK Policy Rule -# ============================================== -# Access to wake locks -wakelock_use(rild) -# Trigger module auto-load. -allow rild kernel:system module_request; - -# Capabilities assigned for rild -allow rild self:capability { setuid net_admin net_raw }; - -# Control cgroups -allow rild cgroup:dir create_dir_perms; - -# Property service -# allow set RIL related properties (radio./net./system./etc) -auditallow rild net_radio_prop:property_service set; -auditallow rild system_radio_prop:property_service set; -set_prop(rild, ril_active_md_prop) -# allow set muxreport control properties -set_prop(rild, ril_cdma_report_prop) -set_prop(rild, ril_mux_report_case_prop) -set_prop(rild, ctl_muxreport-daemon_prop) - -# Access to wake locks -wakelock_use(rild) - -# Allow access permission to efs files -allow rild efs_file:dir create_dir_perms; -allow rild efs_file:file create_file_perms; -allow rild bluetooth_efs_file:file r_file_perms; -allow rild bluetooth_efs_file:dir r_dir_perms; - -# Allow access permission to dir/files -# (radio data/system data/proc/etc) -# Violate Android P rule -allow rild sdcardfs:dir r_dir_perms; -#allow rild system_file:file x_file_perms; -allow rild proc_net:file w_file_perms; - -# Allow rild to create and use netlink sockets. -# Set and get routes directly via netlink. 
-allow rild self:netlink_route_socket nlmsg_write; - -# Allow read/write to devices/files -allow rild radio_device:chr_file rw_file_perms; -allow rild radio_device:blk_file r_file_perms; -allow rild mtd_device:dir search; -# Allow read/write to tty devices -allow rild tty_device:chr_file rw_file_perms; -allow rild eemcs_device:chr_file { rw_file_perms }; - -#allow rild Vcodec_device:chr_file { rw_file_perms }; -allow rild devmap_device:chr_file { r_file_perms }; -allow rild devpts:chr_file { rw_file_perms }; -allow rild ccci_device:chr_file { rw_file_perms }; -allow rild misc_device:chr_file { rw_file_perms }; -allow rild proc_lk_env:file rw_file_perms; -allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms }; -#allow rild bootdevice_block_device:blk_file { rw_file_perms }; -allow rild para_block_device:blk_file { rw_file_perms }; - -# Allow dir search, fd uses -allow rild block_device:dir search; -allow rild platform_app:fd use; -allow rild radio:fd use; - -# For MAL MFI -allow rild mal_mfi_socket:sock_file { w_file_perms }; - -# For ccci sysfs node -allow rild sysfs_ccci:dir search; -allow rild sysfs_ccci:file r_file_perms; - -#Date : W17.18 -#Purpose: Treble SEpolicy denied clean up -add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice) -allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find; - -#Date : W17.21 -#Purpose: Grant permission to access binder dev node -vndbinder_use(rild) - -#Dat: 2017/03/27 -#Purpose: allow set telephony Sensitive property -set_prop(rild, mtk_telephony_sensitive_prop) - -# For AGPSD -allow rild mtk_agpsd:unix_stream_socket connectto; - -#Date 2017/10/12 -#Purpose: allow set MTU size -#allow rild toolbox_exec:file getattr; -allow rild mtk_net_ipv6_prop:property_service set; - -#Dat: 2017/10/17 -# Allow to use sysenv & persist.radio.multisim.config -# for dynamic feature switch between ss & dsds -allow rild sysfs:file open; -allow rild sysfs:file read; - -#Date: 2017/12/6 -#Purpose: allow set the RS times for 
/proc/sys/net/ipv6/conf/ccmniX/router_solicitations -allow rild vendor_shell_exec:file {execute_no_trans}; -allow rild vendor_toolbox_exec:file {execute_no_trans}; - -# Date : WK18.16 -# Operation: P migration -# Purpose: Allow rild to get tel_switch_prop -get_prop(rild, tel_switch_prop) - -#Date: W1817 -#Purpose: allow rild access property of vendor_radio_prop -set_prop(rild, vendor_radio_prop) - -#Date : W18.21 -#Purpose: allow rild access to vendor.ril.ipo system property -set_prop(rild, vendor_ril_ipo_prop) - -# Date : WK18.26 -# Operation: P migration -# Purpose: Allow carrier express HIDL to set vendor property -set_prop(rild, mtk_cxp_vendor_prop) -allow rild mnt_vendor_file:dir search; -allow rild mnt_vendor_file:file create_file_perms; -allow rild nvdata_file:dir create_dir_perms; -allow rild nvdata_file:file create_file_perms; - -#Date : W18.29 -#Purpose: allow rild access binder to mtk_hal_secure_element -allow rild mtk_hal_secure_element:binder call; - -# Date : WK18.31 -# Operation: P migration -# Purpose: Allow supplementary service HIDL to set vendor property -set_prop(rild, mtk_ss_vendor_prop) - -# Date : 2018/2/27 -# Purpose : for NVRAM recovery mechanism -set_prop(rild,powerctl_prop); - -# Date: 2019/06/14 -# Operation : Migration -allow rild proc_cmdline:file r_file_perms; - -# Date: 2019/07/18 -# Operation: AP wifi path -# Purpose: Allow packet can be filtered by RILD process -allow rild self:netlink_netfilter_socket { create_socket_perms_no_ioctl }; - -# Date : 2019/08/29 -# Purpose: Allow rild to access proc/aed/reboot-reason -allow rild proc_aed_reboot_reason:file rw_file_perms; - -# Date: 2019/11/15 -# Operation: RILD init flow -# Purpose: To handle illegal rild started -set_prop(rild, gsm0710muxd_prop) diff --git a/r_non_plat/rilproxy.te b/r_non_plat/rilproxy.te deleted file mode 100644 index 0f74a36..0000000 --- a/r_non_plat/rilproxy.te +++ /dev/null 
@@ -1,79 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/rilproxy Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Access to wake locks
-wakelock_use(rild)
-
-# rild Bringup Policy
-allow rild init:unix_stream_socket connectto;
-allow rild mtkrild:unix_stream_socket connectto;
-allow rild property_socket:sock_file write;
-allow rild self:capability setuid;
-allow rild radio_prop:property_service set;
-allow rild ril_mux_report_case_prop:property_service set;
-allow rild mtk_agpsd:unix_stream_socket connectto;
-allow servicemanager rild:dir search;
-allow servicemanager rild:file { read open };
-allow servicemanager rild:process getattr;
-allow rild proc:file read;
-
-# Allow the socket read/write of netd for rild
-allow rild netd_socket:sock_file write;
-allow rild netd_socket:sock_file read;
-
-#Date : W17.13
-#Purpose: Treble SEpolicy denied clean up
-get_prop(rild, hwservicemanager_prop)
-
-#Date : W17.18
-#Purpose: Treble SEpolicy denied clean up
-add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
-allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
-
-#Date : W17.21
-#Purpose: Grant permission to access binder dev node
-vndbinder_use(rild)
-
-#Date : W17.20
-#Purpose: allow access to audio hal
-binder_call(rild, mtk_hal_audio)
-hal_client_domain(rild, hal_audio)
-
-#Date : W18.15
-#Purpose: allow rild access to vendor.ril.ipo system property
-set_prop(mtkrild, vendor_ril_ipo_prop)
-
-# Date : WK18.26
-# Operation: P migration
-# Purpose: Allow carrier express HIDL to set vendor property
-set_prop(mtkrild, mtk_cxp_vendor_prop)
-allow mtkrild mnt_vendor_file:dir search;
-allow mtkrild mnt_vendor_file:file create_file_perms;
-allow mtkrild nvdata_file:dir create_dir_perms;
-allow mtkrild nvdata_file:file create_file_perms;
-
-# Date : WK18.31
-# Operation: P migration
-# Purpose: Allow supplementary service HIDL to set vendor property
-set_prop(mtkrild, mtk_ss_vendor_prop)
-
-# Date : W19.16
-# Operation: Q migration
-# Purpose: Allow rild access to send SUPL INIT to mnld
-allow rild mnld:unix_dgram_socket sendto;
-allow mtkrild mnld:unix_dgram_socket sendto;
-
-# Date : W19.35
-# Operation: Q migration
-# Purpose: Fix rilproxy SeLinux warning of pre-defined socket
-allow rild gsmrild_socket:sock_file write;
-
diff --git a/r_non_plat/shared_relro.te b/r_non_plat/shared_relro.te
deleted file mode 100644
index 88430ee..0000000
--- a/r_non_plat/shared_relro.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date: 2019/06/14
-# Operation : Migration
-get_prop(shared_relro, mtk_amslog_prop)
diff --git a/r_non_plat/shell.te b/r_non_plat/shell.te
deleted file mode 100644
index b292564..0000000
--- a/r_non_plat/shell.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Date : WK16.46
-# Purpose : allow shell to switch aee mode
-allow shell aee_aed:unix_stream_socket connectto;
-
-# Date : WK17.35
-# Purpose : allow shell to dump the debugging information of camera hal.
-#allow shell hal_camera_hwservice:hwservice_manager { find };
-binder_call(shell, mtk_hal_camera)
-
-# Date : WK17.36
-# Purpose : allow shell to dump the debugging information of power hal.
-hal_client_domain(shell, hal_power)
-allow shell aee_exp_vendor_file:dir r_dir_perms;
-allow shell aee_exp_vendor_file:file r_file_perms;
-allow shell aee_exp_data_file:dir r_dir_perms;
-allow shell aee_exp_data_file:file r_file_perms;
-
-get_prop(shell, mobile_log_prop)
-get_prop(shell, persist_mtk_aee_prop);
-get_prop(shell, persist_aee_prop);
-get_prop(shell, debug_mtk_aee_prop);
diff --git a/r_non_plat/slpd.te b/r_non_plat/slpd.te
deleted file mode 100644
index cfce93b..0000000
--- a/r_non_plat/slpd.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/slpd Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type slpd_exec, exec_type, file_type, vendor_file_type;
-type slpd, domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(slpd)
-
-net_domain(slpd)
-
-# mtk_agpsd will send the current SUPL profile to SLPD
-allow slpd mtk_agpsd:unix_dgram_socket sendto;
diff --git a/r_non_plat/spm_loader.te b/r_non_plat/spm_loader.te
deleted file mode 100644
index d0f5984..0000000
--- a/r_non_plat/spm_loader.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/spm_loader Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type spm_loader_exec , exec_type, file_type, vendor_file_type;
-type spm_loader ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-# date: 2015/6/18 wk1525
-# purpose: load spm firmware
-# ==============================================
-init_daemon_domain(spm_loader)
-
-# Read to /dev/spm
-allow spm_loader spm_device:chr_file r_file_perms;
diff --git a/r_non_plat/st54spi_hal_secure_element.te b/r_non_plat/st54spi_hal_secure_element.te
deleted file mode 100644
index f949e19..0000000
--- a/r_non_plat/st54spi_hal_secure_element.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type st54spi_hal_secure_element, domain;
-hal_server_domain(st54spi_hal_secure_element, hal_secure_element)
-type st54spi_hal_secure_element_exec, exec_type, vendor_file_type, file_type;
-
-allow st54spi_hal_secure_element st54spi_device:chr_file rw_file_perms;
-
-init_daemon_domain(st54spi_hal_secure_element)
-
-
diff --git a/r_non_plat/stp_dump3.te b/r_non_plat/stp_dump3.te
deleted file mode 100644
index a26dd61..0000000
--- a/r_non_plat/stp_dump3.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# ==============================================
-# Policy File of /system/binstp_dump3 Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-
-type stp_dump3_exec, vendor_file_type, exec_type, file_type;
-type stp_dump3, domain;
-
-# ==============================================
-# Android Policy Rule
-# ==============================================
-
-# ==============================================
-# NSA Policy Rule
-# ==============================================
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-file_type_auto_trans(stp_dump3,vendor_data_file,stp_dump_data_file)
-allow stp_dump3 self:capability { net_admin fowner chown fsetid };
-allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
-allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
-allow stp_dump3 wmtdetect_device:chr_file { read write ioctl open };
-allow stp_dump3 stpwmt_device:chr_file rw_file_perms;
-allow stp_dump3 tmpfs:lnk_file r_file_perms;
-allow stp_dump3 tmpfs:lnk_file read;
-allow stp_dump3 mnt_user_file:dir search;
-allow stp_dump3 mnt_user_file:lnk_file read;
-allow stp_dump3 storage_file:lnk_file read;
-allow stp_dump3 sdcard_type:dir search;
-allow stp_dump3 sdcard_type:dir {open read write create setattr getattr add_name remove_name search};
-allow stp_dump3 sdcard_type:file { open read write create setattr getattr append unlink rename};
-allow stp_dump3 sdcard_type:file create_file_perms;
-allow stp_dump3 stp_dump_data_file:dir create_dir_perms;
-allow stp_dump3 stp_dump_data_file:file create_file_perms;
-allow stp_dump3 connsyslog_data_vendor_file:dir create_dir_perms;
-allow stp_dump3 connsyslog_data_vendor_file:file create_file_perms;
-allow stp_dump3 vendor_data_file:dir create_dir_perms;
-get_prop(stp_dump3, coredump_prop)
-init_daemon_domain(stp_dump3)
diff --git a/r_non_plat/surfaceflinger.te b/r_non_plat/surfaceflinger.te
deleted file mode 100644
index 795076e..0000000
--- a/r_non_plat/surfaceflinger.te
+++ /dev/null
@@ -1,84 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ============
-
-# Data : WK14.42
-# Operation : Migration
-# Purpose : Video playback
-allow surfaceflinger sw_sync_device:chr_file { rw_file_perms };
-allow surfaceflinger debug_prop:property_service set;
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow surfaceflinger proc_ged:file rw_file_perms;
-allowxperm surfaceflinger proc_ged:file ioctl { proc_ged_ioctls };
-
-# Date : W16.42
-# Operation : Integration
-# Purpose : DRM / DRI GPU driver required
-
-allow surfaceflinger gpu_device:dir search;
-
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow surfaceflinger proc_bootprof:file r_file_perms;
-
-#============= surfaceflinger ==============
-allow surfaceflinger debugfs_ion:dir search;
-
-# Date : WK17.30
-# Operation : O Migration
-# Purpose: Allow to access cmdq driver
-allow surfaceflinger mtk_cmdq_device:chr_file { read ioctl open };
-
-# Date : W17.39
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, mtkbootanimation)
-binder_service(surfaceflinger)
-
-allow surfaceflinger mtkbootanimation:dir search;
-allow surfaceflinger mtkbootanimation:file { read getattr open };
-
-# Date : W17.43
-# Operation : Migration
-# Purpose: Allow to access perfmgr
-allow surfaceflinger proc_perfmgr:dir {read search};
-allow surfaceflinger proc_perfmgr:file {open read ioctl};
-allowxperm surfaceflinger proc_perfmgr:file ioctl {
- PERFMGR_FPSGO_QUEUE
- PERFMGR_FPSGO_DEQUEUE
- PERFMGR_FPSGO_QUEUE_CONNECT
- PERFMGR_FPSGO_BQID
- PERFMGR_FPSGO_VSYNC
-};
-
-# Date : WK17.43
-# Operation : Debug
-# Purpose: Allow to dump HWC backtrace
-get_prop(surfaceflinger, graphics_hwc_pid_prop)
-get_prop(surfaceflinger, graphics_hwc_latch_unsignaled_prop)
-allow surfaceflinger hal_graphics_composer_default:dir search;
-allow surfaceflinger hal_graphics_composer_default:lnk_file read;
-
-# Date : WK18.36
-# Operation : Debug
-# Purpose: Allow to dump buffer queue
-get_prop(surfaceflinger, debug_bq_dump_prop)
-
-# Date : WK19.4
-# Operation : P Migration
-# Purpose: Allow to access /dev/mdp_device driver
-allow surfaceflinger mdp_device:chr_file rw_file_perms;
-
-# Date : WK19.09
-# Purpose: Allow to access property dev/mdp_sync
-#============= surfaceflinger ==============
-allow surfaceflinger mtk_mdp_device:chr_file rw_file_perms;
-
-# Date : WK18.43
-# Operation : HDR
-# Purpose: Allow to skip aosp hdr solution
-get_prop(surfaceflinger, graphics_hwc_hdr_prop)
diff --git a/r_non_plat/system_app.te b/r_non_plat/system_app.te
deleted file mode 100644
index 4e18c90..0000000
--- a/r_non_plat/system_app.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-typeattribute system_app mlstrustedsubject;
-
-# Date : 2017/07/21
-# Purpose :[CdsInfo] read/ write WI-FI MAC address by NVRAM API
-# Package Name: com.mediatek.connectivity
-hal_client_domain(system_app, hal_nvramagent);
-
-hal_client_domain(system_app, mtk_hal_lbs)
-
-#Dat: 2017/02/14
-#Purpose: allow set telephony Sensitive property
-get_prop(system_app, mtk_telephony_sensitive_prop)
-
-
-# Date : WK17.12
-# Operation : MT6799 SQC
-# Purpose : Change thermal config
-allow system_app mtk_thermal_config_prop:file { getattr open read };
-
-
-# Date : 2017/11/07
-# Operation : Migration
-# Purpose : CAT need copy exception db file from data folder
-# Package: CAT tool
-allow system_app aee_exp_data_file:file r_file_perms;
-allow system_app aee_exp_data_file:dir r_dir_perms;
-
-# Date: 2018/11/08
-# Operation : JPEG
-# Purpose : JPEG need to use PQ via MMS HIDL
-allow system_app mtk_hal_mms_hwservice:hwservice_manager find;
-allow system_app mtk_hal_mms:binder call;
-
-# Date: 2019/06/14
-# Operation : Migration
-# Purpose : system_app need vendor_default_prop
-get_prop(system_app, vendor_default_prop)
-
-# Date: 2019/07/16
-# Operation : Migration
-# Purpose : system_app need use hdmi service and create socktet
-allow system_app mtk_hal_hdmi_hwservice:hwservice_manager find;
-allow system_app mtk_hal_hdmi:binder call;
-allow system_app self:netlink_kobject_uevent_socket {read bind create setopt };
-# system_app need to read from sysfs /sys/class/switch/hdmi/state
-r_dir_file(system_app, sysfs_switch);
diff --git a/r_non_plat/system_server.te b/r_non_plat/system_server.te
deleted file mode 100644
index 427103a..0000000
--- a/r_non_plat/system_server.te
+++ /dev/null
@@ -1,214 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-# Access devices.
-allow system_server touch_device:chr_file rw_file_perms;
-allow system_server stpant_device:chr_file rw_file_perms;
-allow system_server devmap_device:chr_file r_file_perms;
-allow system_server irtx_device:chr_file rw_file_perms;
-allow system_server qemu_pipe_device:chr_file rw_file_perms;
-allow system_server wmtWifi_device:chr_file w_file_perms;
-
-# Add for bootprof
-allow system_server proc_bootprof:file rw_file_perms;
-
-# /data/core access.
-allow system_server aee_core_data_file:dir r_dir_perms;
-
-# /sys/kernel/debug/ion/clients access
-allow system_server debugfs:dir r_dir_perms;
-
-# Perform Binder IPC.
-allow system_server zygote:binder impersonate;
-
-# Property service.
-allow system_server ctl_bootanim_prop:property_service set;
-
-# For dumpsys.
-allow system_server aee_dumpsys_data_file:file w_file_perms;
-allow system_server aee_exp_data_file:file w_file_perms;
-
-# Dump native process backtrace.
-#allow system_server exec_type:file r_file_perms;
-
-# Querying zygote socket.
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# Communicate over a socket created by mnld process.
-
-# Allow system_server to read /sys/kernel/debug/wakeup_sources
-allow system_server debugfs_wakeup_sources:file r_file_perms;
-
-# Allow system_server to read/write /sys/power/dcm_state
-allow system_server sysfs_dcm:file rw_file_perms;
-
-# Date : WK16.36
-# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
-allow system_server log_tag_prop:property_service set;
-
-# Data : WK16.42
-# Operator: Whitney bring up
-# Purpose: call surfaceflinger due to powervr
-allow system_server surfaceflinger:fifo_file rw_file_perms;
-
-# Date : W16.42
-# Operation : Integration
-# Purpose : DRM / DRI GPU driver required
-allow system_server gpu_device:dir search;
-allow system_server debugfs_gpu_img:dir search;
-
-# Date : W16.43
-# Operation : Integration
-# Purpose : DRM / DRI GPU driver required
-allow system_server sw_sync_device:chr_file { read write getattr open ioctl };
-
-# Date : WK16.44
-# Purpose: Allow to access UART1 ttyMT1
-allow system_server ttyMT_device:chr_file rw_file_perms;
-
-# Date : WK17.52
-# Purpose: Allow to access UART1 ttyS
-allow system_server ttyS_device:chr_file rw_file_perms;
-
-# Date:W16.46
-# Operation : thermal hal Feature developing
-# Purpose : thermal hal interface permission
-allow system_server proc_mtktz:dir search;
-allow system_server proc_mtktz:file r_file_perms;
-
-# Date:W17.02
-# Operation : audio hal developing
-# Purpose : audio hal interface permission
-allow system_server mtk_hal_audio:process { getsched setsched };
-
-# Date:W17.07
-# Operation : bt hal
-# Purpose : bt hal interface permission
-binder_call(system_server, mtk_hal_bluetooth)
-
-# Date:W17.08
-# Operation : sensors hal developing
-# Purpose : sensors hal interface permission
-binder_call(system_server, mtk_hal_sensors)
-
-# Operation : light hal developing
-# Purpose : light hal interface permission
-binder_call(system_server, mtk_hal_light)
-
-# Date:W17.21
-# Operation : gnss hal
-# Purpose : gnss hal interface permission
-hal_client_domain(system_server, hal_gnss)
-
-# Date : W18.01
-# Add for turn on SElinux in enforcing mode
-allow system_server vendor_framework_file:dir r_file_perms;
-
-# Fix bootup violation
-allow system_server vendor_framework_file:file getattr;
-allow system_server wifi_prop:file { read getattr open };
-
-# Date:W17.22
-# Operation : add aee_aed socket rule
-# Purpose : type=1400 audit(0.0:134519): avc: denied { connectto }
-# for comm=4572726F722064756D703A20737973
-# path=00636F6D2E6D746B2E6165652E6165645F3634
-# scontext=u:r:system_server:s0 tcontext=u:r:aee_aed:s0
-# tclass=unix_stream_socket permissive=0
-allow system_server aee_aed:unix_stream_socket connectto;
-
-#Dat: 2017/02/14
-#Purpose: allow get telephony Sensitive property
-get_prop(system_server, mtk_telephony_sensitive_prop)
-
-# Date: W17.22
-# Operation : New Feature
-# Purpose : Add for A/B system
-allow system_server debugfs_wakeup_sources:file { read getattr open };
-
-# Date:W17.26
-# Operation : imsa hal
-# Purpose : imsa hal interface permission
-binder_call(system_server, mtk_hal_imsa)
-
-# Date:W17.28
-# Operation : camera hal developing
-# Purpose : camera hal binder_call permission
-binder_call(system_server, mtk_hal_camera)
-
-# Date:W17.31
-# Operation : mpe sensor hidl developing
-# Purpose : mpe sensor hidl permission
-binder_call(system_server, mnld)
-
-# Date : WK17.32
-# Operation : Migration
-# Purpose : for network log dumpsys setting/netd information
-# audit(0.0:914): avc: denied { write } for path="pipe:[46088]"
-# dev="pipefs" ino=46088 scontext=u:r:system_server:s0
-# tcontext=u:r:netdiag:s0 tclass=fifo_file permissive=1
-allow system_server netdiag:fifo_file write;
-
-# Date : WK17.32
-# Operation : Migration
-# Purpose : for DHCP Client ip recover functionality
-allow system_server dhcp_data_file:dir search;
-allow system_server dhcp_data_file:dir rw_dir_perms;
-allow system_server dhcp_data_file:file create_file_perms;
-
-# Date:W17.35
-# Operation : lbs hal
-# Purpose : lbs hidl interface permission
-hal_client_domain(system_server, mtk_hal_lbs)
-
-# Date : WK17.12
-# Operation : MT6799 SQC
-# Purpose : Change thermal config
-allow system_server mtk_thermal_config_prop:file { getattr open read };
-
-
-# Date : WK17.43
-# Operation : Migration
-# Purpose : perfmgr permission
-allow system_server mtk_hal_power_hwservice:hwservice_manager find;
-allow system_server proc_perfmgr:dir {read search};
-allow system_server proc_perfmgr:file {open read ioctl};
-allowxperm system_server proc_perfmgr:file ioctl {
- PERFMGR_FPSGO_QUEUE
- PERFMGR_FPSGO_DEQUEUE
- PERFMGR_FPSGO_QUEUE_CONNECT
- PERFMGR_FPSGO_BQID
-};
-
-# Date : W18.22
-# Operation : MTK wifi hal migration
-# Purpose : MTK wifi hal interface permission
-binder_call(system_server, mtk_hal_wifi)
-
-# Date : WK18.33
-# Purpose : type=1400 audit(0.0:1592): avc: denied { read }
-# for comm=4572726F722064756D703A20646174 name=
-# "u:object_r:persist_mtk_aee_prop:s0" dev="tmpfs"
-# ino=10312 scontext=u:r:system_server:s0 tcontext=
-# u:object_r:persist_mtk_aee_prop:s0 tclass=file permissive=0
-get_prop(system_server, persist_mtk_aee_prop);
-
-# Date : W19.15
-# Operation : alarm device permission
-# Purpose : support power-off alarm
-allow system_server alarm_device:chr_file rw_file_perms;
-
-# Date : WK19.7
-# Operation: Q migration
-# Purpose : Allow system_server to use ioctl/ioctlcmd
-allow system_server proc_ged:file rw_file_perms;
-allowxperm system_server proc_ged:file ioctl { proc_ged_ioctls };
-
-# Date: 2019/06/14
-# Operation : Migration
-get_prop(system_server, vendor_default_prop)
-
-# Date: 2019/06/14
-# Operation : when WFD turnning on, turn off hdmi
-allow system_server mtk_hal_hdmi_hwservice:hwservice_manager find;
-allow system_server mtk_hal_hdmi:binder call;
\ No newline at end of file
diff --git a/r_non_plat/thermal_manager.te b/r_non_plat/thermal_manager.te
deleted file mode 100644
index a33e4b4..0000000
--- a/r_non_plat/thermal_manager.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/thermal_manager Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type thermal_manager_exec , exec_type, file_type, vendor_file_type;
-type thermal_manager ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(thermal_manager)
-
-allow thermal_manager proc_mtkcooler:dir search;
-allow thermal_manager proc_mtktz:dir search;
-allow thermal_manager proc_thermal:dir search;
-allow thermal_manager proc_mtkcooler:file rw_file_perms;
-allow thermal_manager proc_mtktz:file rw_file_perms;
-allow thermal_manager proc_thermal:file rw_file_perms;
-
-
-# Date : WK15.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-
-allow thermal_manager thermal_manager_data_file:file create_file_perms;
-allow thermal_manager thermal_manager_data_file:dir { rw_dir_perms setattr };
-
-
-allow thermal_manager mediaserver:fd use;
-allow thermal_manager mediaserver:fifo_file { read write };
-allow thermal_manager mediaserver:tcp_socket { read write };
-
-# Date : WK16.30
-# Operation : Migration
-# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
-allow thermal_manager camera_isp_device:chr_file { read write };
-allow thermal_manager cameraserver:fd use;
-allow thermal_manager kd_camera_hw_device:chr_file { read write };
-allow thermal_manager MTK_SMI_device:chr_file read;
-allow thermal_manager surfaceflinger:fd use;
-set_prop(thermal_manager ,mtk_thermal_config_prop)
-
-# Date : 2019/09/12
-# Operation : Migration
-# Purpose : add sysfs permission
-# path = " sys/devices/virtual/thermal/"
-# path = " sys/class/thermal/"
-allow thermal_manager sysfs_therm:file w_file_perms;
-
-
-
-# Date : WK18.18
-# Operation : P Migration
-# Purpose : Allow thermal_manager to access vendor data file.
-
-allow thermal_manager self:capability { fowner chown };
-
diff --git a/r_non_plat/thermalloadalgod.te b/r_non_plat/thermalloadalgod.te
deleted file mode 100644
index 646f48c..0000000
--- a/r_non_plat/thermalloadalgod.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/thermalloadalgod_exec Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type thermalloadalgod ,domain;
-type thermalloadalgod_exec , exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(thermalloadalgod)
-
-
-
-
-# Data : WK14.43
-# Operation : Migration
-# Purpose : thermal algorithm daemon for access driver node
-allow thermalloadalgod input_device:dir { r_dir_perms write };
-allow thermalloadalgod input_device:file r_file_perms;
-
-allow thermalloadalgod thermalloadalgod:netlink_socket { create bind write read};
-
-allow thermalloadalgod thermal_manager_data_file:dir create_dir_perms;
-allow thermalloadalgod thermal_manager_data_file:file create_file_perms;
-allow thermalloadalgod kmsg_device:chr_file write;
-
-# Data : WK16.49
-# Operation : SPA porting
-# Purpose : thermal algorithm daemon for SPA
-# For /proc/[pid]/cgroup accessing
-typeattribute thermalloadalgod mlstrustedsubject;
-allow thermalloadalgod proc:dir {search getattr};
-allow thermalloadalgod proc:file {getattr open read write ioctl};
-allow thermalloadalgod shell:dir search;
-allow thermalloadalgod platform_app:dir search;
-allow thermalloadalgod platform_app:file {open read getattr};
-allow thermalloadalgod priv_app:dir search;
-allow thermalloadalgod priv_app:file {open read getattr};
-allow thermalloadalgod system_app:dir search;
-allow thermalloadalgod system_app:file {open read getattr};
-allow thermalloadalgod untrusted_app:dir search;
-allow thermalloadalgod untrusted_app:file {open read getattr};
-allow thermalloadalgod mediaserver:dir search;
-allow thermalloadalgod mediaserver:file {open read getattr};
-allow thermalloadalgod proc_thermal:dir search;
-allow thermalloadalgod proc_thermal:file { open read write getattr };
diff --git a/r_non_plat/ueventd.te b/r_non_plat/ueventd.te
deleted file mode 100644
index a98faaa..0000000
--- a/r_non_plat/ueventd.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# Date : WK17.12
-# Purpose: Fix bootup fail
-allow ueventd proc_net:file r_file_perms;
-
-# Date: W17.22
-# Operation : New Feature
-# Purpose : Add for A/B system
-allow ueventd device:chr_file { relabelfrom relabelto };
-allow ueventd m_acc_misc_device:chr_file { relabelfrom relabelto };
-allow ueventd m_mag_misc_device:chr_file { relabelfrom relabelto };
-
-# Date: 2019/06/14
-# Operation : Migration
-allow ueventd tmpfs:lnk_file r_file_perms;
diff --git a/r_non_plat/uncrypte.te b/r_non_plat/uncrypte.te
deleted file mode 100755
index d9e3df8..0000000
--- a/r_non_plat/uncrypte.te
+++ /dev/null
@@ -1,3 +0,0 @@
-#====================== uncrypt.te ======================
-allow uncrypt para_block_device:blk_file w_file_perms;
-allow uncrypt ota_package_file:file w_file_perms;
\ No newline at end of file
diff --git a/r_non_plat/untrusted_app.te b/r_non_plat/untrusted_app.te
deleted file mode 100644
index 040d47f..0000000
--- a/r_non_plat/untrusted_app.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# TODO:: Security Issue.
-
-# Date: 2016/02/26
-# Operation: Migration
-# Purpose: Allow MTK modified ElephantStress and WhatsTemp to read thermal zone temperatures
-# from MTK kernel modules for thermal tests at OEM/ODM.
-allow untrusted_app proc_mtktz:dir search;
-allow untrusted_app proc_mtktz:file r_file_perms;
diff --git a/r_non_plat/untrusted_app_25.te b/r_non_plat/untrusted_app_25.te
deleted file mode 100644
index 76310d7..0000000
--- a/r_non_plat/untrusted_app_25.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : 2017/08/01
-# Operation: SQC
-# Purpose : Allow Whatstemp, a MTK thermal logging tool, to log thermal related information
-# properly for thermal tests at OEM/ODM.
-allow untrusted_app_25 proc_mtktz:dir search;
-allow untrusted_app_25 proc_mtktz:file r_file_perms;
-allow untrusted_app_25 proc_thermal:dir search;
-allow untrusted_app_25 proc_thermal:file r_file_perms;
-
-allow untrusted_app_25 sysfs_fps:dir search;
-allow untrusted_app_25 sysfs_fps:file r_file_perms;
-allow untrusted_app_25 sysfs_batteryinfo:dir search;
-#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
-allow untrusted_app_25 sysfs_therm:dir r_dir_perms;
-allow untrusted_app_25 sysfs_therm:file r_file_perms;
diff --git a/r_non_plat/update_engine.te b/r_non_plat/update_engine.te
deleted file mode 100644
index e3013f9..0000000
--- a/r_non_plat/update_engine.te
+++ /dev/null
@@ -1,29 +0,0 @@
-# MTK Add policy for update_engine
-# Add for update_engine update block device
-allow update_engine preloader_block_device:blk_file rw_file_perms;
-allow update_engine lk_block_device:blk_file rw_file_perms;
-allow update_engine dtbo_block_device:blk_file rw_file_perms;
-allow update_engine tee_block_device:blk_file rw_file_perms;
-allow update_engine vendor_block_device:blk_file rw_file_perms;
-allow update_engine odm_block_device:blk_file rw_file_perms;
-allow update_engine oem_block_device:blk_file rw_file_perms;
-allow update_engine md_block_device:blk_file rw_file_perms;
-allow update_engine dsp_block_device:blk_file rw_file_perms;
-allow update_engine scp_block_device:blk_file rw_file_perms;
-allow update_engine sspm_block_device:blk_file rw_file_perms;
-allow update_engine spmfw_block_device:blk_file rw_file_perms;
-allow update_engine mcupmfw_block_device:blk_file rw_file_perms;
-allow update_engine loader_ext_block_device:blk_file rw_file_perms;
-allow update_engine cam_vpu_block_device:blk_file rw_file_perms;
-allow update_engine para_block_device:blk_file rw_file_perms;
-allow update_engine vbmeta_block_device:blk_file rw_file_perms;
-allow update_engine proc_filesystems:file r_file_perms;
-
-# Add for update_engine call by system_app
-allow update_engine system_app:binder { call transfer };
-
-# Add for update_engine with postinstall
-allow update_engine postinstall_mnt_dir:dir { search getattr open read write search unlink};
-
-# Add for AVB20
-allow update_engine tmpfs:lnk_file read;
diff --git a/r_non_plat/vendor_init.te b/r_non_plat/vendor_init.te
deleted file mode 100644
index 5df8e27..0000000
--- a/r_non_plat/vendor_init.te
+++ /dev/null
@@ -1,72 +0,0 @@
-allow vendor_init exported3_system_prop:property_service set;
-allow vendor_init dalvik_prop:property_service set;
-
-allow vendor_init ffs_prop:property_service set;
-allow vendor_init mediatek_prop:property_service set;
-allow vendor_init mtk_md_version_prop:property_service set;
-allow vendor_init mtk_volte_prop:property_service set;
-allow vendor_init vendor_radio_prop:property_service set;
-allow vendor_init mtk_ril_mode_prop:property_service set;
-allow vendor_init wmt_prop:property_service set;
-allow vendor_init coredump_prop:property_service set;
-allow vendor_init proc_wmtdbg:file w_file_perms;
-allow vendor_init vold_prop:property_service set;
-
-allow vendor_init proc:file write;
-allow vendor_init proc_bootprof:file write;
-allow vendor_init rootfs:dir { write add_name setattr };
-allow vendor_init self:capability sys_module;
-
-allow vendor_init tmpfs:dir { write create add_name };
-allow vendor_init unlabeled:dir { relabelfrom getattr setattr search };
-allow vendor_init vendor_file:system module_load;
-
-allow vendor_init kmsg_device:chr_file unlink;
-set_prop(vendor_init, persist_mtk_aee_prop)
-set_prop(vendor_init, ro_mtk_aee_prop)
-set_prop(vendor_init, vendor_usb_prop)
-set_prop(vendor_init, mtk_ct_volte_prop)
-set_prop(vendor_init, mtk_gps_support_prop)
-set_prop(vendor_init, mtk_rat_config_prop)
-set_prop(vendor_init, tel_switch_prop)
-set_prop(vendor_init, mtk_aal_ro_prop)
-set_prop(vendor_init, mtk_pq_ro_prop)
-set_prop(vendor_init, mtk_default_prop)
-set_prop(vendor_init, mtk_nn_option_prop)
-
-set_prop(vendor_init, mtk_emmc_support_prop)
-set_prop(vendor_init, mtk_anr_support_prop)
-set_prop(vendor_init, mtk_antutu_prop)
-set_prop(vendor_init, mtk_bt_sap_enable_prop)
-set_prop(vendor_init, coredump_prop)
-
-# allow create symbolic link, /mnt/sdcard, for meta/factory mode
-allow vendor_init tmpfs:lnk_file create;
-
-set_prop(vendor_init, mtk_cxp_vendor_prop)
-
-# Run "ifup lo" to bring up the localhost interface
-allow vendor_init proc_hostname:file w_file_perms;
-allow vendor_init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm vendor_init self:udp_socket ioctl { SIOCSIFFLAGS };
-allow vendor_init self:global_capability_class_set net_raw;
-
-# enhance boot time
-allow vendor_init proc_perfmgr:file write;
-
-# allow create symbolic link, /mnt/sdcard, for meta/factory mode
-allow vendor_init tmpfs:lnk_file create;
-
-set_prop(vendor_init, mtk_appresolutiontuner_prop)
-
-# fullscreen switch
-set_prop(vendor_init, mtk_fullscreenswitch_prop)
-
-# for kernel module verification support, allow vendor domain to search kernel keyring
-allow vendor_init kernel:key search;
-
-# Purpose: /dev/block/mmcblk0p10
-allow vendor_init expdb_block_device:blk_file rw_file_perms;
-
-set_prop(vendor_init, mtk_wifi_hotspot_prop)
\ No newline at end of file
diff --git a/r_non_plat/vendor_shell.te b/r_non_plat/vendor_shell.te
deleted file mode 100644
index 46903b0..0000000
--- a/r_non_plat/vendor_shell.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# =============================================
-# Purpose : allow vendor_shell to run aeev
-allow vendor_shell aee_aedv_exec:file execute_no_trans;
diff --git a/r_non_plat/vold.te b/r_non_plat/vold.te
deleted file mode 100644
index 8679bc7..0000000
--- a/r_non_plat/vold.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# volume manager
-
-# Date : WK16.19
-# Operation : Migration
-# Purpose : unmount /mnt/cd-rom. It causes by unmountAll() when VolumeManager starts
-allow vold iso9660:filesystem unmount;
-
-# Date : WK16.19
-# Operation : Migration
-# Purpose : vold will traverse /proc when remountUid().
-# It will trigger violation if mtk customize some label in /proc.
-# However, we should ignore the violation if the processes never access the storage.
-dontaudit vold proc_battery_cmd:dir { read open };
-dontaudit vold proc_mtkcooler:dir { read open };
-dontaudit vold proc_mtktz:dir { read open };
-dontaudit vold proc_thermal:dir { read open };
-
-# Date : WK18.30
-# Operation : Migration
-# Purpose : vold create mdlog folder in data for meta mode.
-allow vold mdlog_data_file:dir { create_dir_perms };
-
-allow vold mtd_device:blk_file rw_file_perms;
-
-# dontaudit for fstrim on 'vendor' folder
-dontaudit vold nvdata_file:dir r_dir_perms;
-dontaudit vold nvcfg_file:dir r_dir_perms;
-dontaudit vold protect_f_data_file:dir r_dir_perms;
-dontaudit vold protect_s_data_file:dir r_dir_perms;
-
-# execute mke2fs when format as internal
-allow vold cache_block_device:blk_file getattr;
-allowxperm vold dm_device:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-allow vold nvcfg_block_device:blk_file getattr;
-allow vold nvdata_device:blk_file getattr;
-allow vold proc_swaps:file r_file_perms;
-allow vold protect1_block_device:blk_file getattr;
-allow vold protect2_block_device:blk_file getattr;
-allow vold proc_swaps:file getattr;
-allow vold swap_block_device:blk_file getattr;
diff --git a/r_non_plat/vold_prepare_subdirs.te b/r_non_plat/vold_prepare_subdirs.te
deleted file mode 100755
index 3c531e2..0000000
--- a/r_non_plat/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,10 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# volume manager
-
-# Date : WK18.42
-# Operation : Migration
-# Purpose : kernel-4.14 migration
-allow vold_prepare_subdirs vendor_configs_file:file map;
diff --git a/r_non_plat/wlan_assistant.te b/r_non_plat/wlan_assistant.te
deleted file mode 100644
index f5aa5c2..0000000
--- a/r_non_plat/wlan_assistant.te
+++ /dev/null
@@ -1,48 +0,0 @@
-# ==============================================
-# Policy File of /vendor/bin/wlan_assistant Executable File
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type wlan_assistant_exec , exec_type, file_type, vendor_file_type;
-type wlan_assistant ,domain;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(wlan_assistant)
-
-# Date : WK14.34
-# Operation : Migration
-# Purpose : for mtk debug mechanism. agpsd_data_file, mtk_agpsd are used
-# to share wifi scan results with AGPS module. netlink_socket is used to
-# listen events of wlan driver. udp_socket is used to do ioctl with wlan driver
-# kernel-3.18 uses netlink_socket, but kernel-4.4 uses generic netlink_socket
-allow wlan_assistant agpsd_data_file:sock_file write;
-allow wlan_assistant mtk_agpsd:unix_dgram_socket sendto;
-allow wlan_assistant agpsd_data_file:dir search;
-allow wlan_assistant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow wlan_assistant self:udp_socket { create ioctl };
-
-# Date : WK18.17
-# Operation : Migration
-# Purpose : To allow wlan_assistant monitor /vendor/nvdata/APCFG/APRDEB,
-# /storage/sdcard0, /vendor/firmware. Which can help to check if nvram,
-# driver config or firmware config file are changed, if yes, will write it
-# to wlan driver in time.
-# allow wlan_assistant wifi_data_file:file { read getattr open };
-# allow wlan_assistant wifi_data_file:dir { read search getattr open };
-allow wlan_assistant nvdata_file:dir { search read getattr open };
-allow wlan_assistant nvdata_file:file { read getattr open };
-allow wlan_assistant sysfs:file { open read };
-allow wlan_assistant wmtWifi_device:chr_file { read write getattr open };
-
-# allow wlan_assistant to read file under /data/vendor
-allow wlan_assistant vendor_data_file:dir { search read getattr open };
-allow wlan_assistant vendor_data_file:file { read getattr open };
-
-allow wlan_assistant mnt_vendor_file :dir search;
-allow wlan_assistant init:unix_stream_socket connectto;
-allow wlan_assistant property_socket:sock_file write;
-
-set_prop(wlan_assistant, mtk_nvram_ready_prop)
diff --git a/r_non_plat/wmt_loader.te b/r_non_plat/wmt_loader.te
deleted file mode 100644
index de04ce6..0000000
--- a/r_non_plat/wmt_loader.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# ==============================================
-# Policy File of /system/bin/wmt_loader Executable File
-
-
-# ==============================================
-# Type Declaration
-# ==============================================
-type wmt_loader ,domain;
-type wmt_loader_exec , exec_type, file_type, vendor_file_type;
-
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-init_daemon_domain(wmt_loader)
-
-allow wmt_loader self:capability chown;
-
-# Set the property
-set_prop(wmt_loader, wmt_prop)
-
-# add ioctl/open/read/write permission for wmt_loader with /dev/wmtdetect
-allow wmt_loader wmtdetect_device:chr_file rw_file_perms;
-
-# add ioctl/open/read/write permission for wmt_loader with /dev/stpwm
-allow wmt_loader stpwmt_device:chr_file rw_file_perms;
-allow wmt_loader devpts:chr_file rwx_file_perms;
-
-allow wmt_loader proc:file setattr;
-
-# Date: 2019/06/14
-# Operation : Migration
-allow wmt_loader proc_wmtdbg:file setattr;
diff --git a/r_non_plat/zygote.te b/r_non_plat/zygote.te
deleted file mode 100644
index 82dedf9..0000000
--- a/r_non_plat/zygote.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# ==============================================
-# MTK Policy Rule
-# ==============================================
-
-# Date : WK16.33
-# Purpose: Allow to access ged for gralloc_extra functions
-allow zygote proc_ged:file rw_file_perms;
-
-# Date : WK17.02
-# Purpose: Allow to access gpu for memtrack functions
-allow zygote gpu_device:dir search;
-allow zygote gpu_device:chr_file { open read write ioctl getattr};
-
-allow zygote proc_bootprof:file rw_file_perms;
-allow zygote proc_uptime:file rw_file_perms;