NekoSakura/android_device_mediatek_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

import from mediatek/master to mediatek/alps-mp-o1.mp1

Browse Source 
Change-Id: Ic78db8195c5c51f85c9c6fd3ef8333489afd6e79
MTK-Commit-Id: 848bf57127be9d01fd1df4aab95737855456afee
This commit is contained in:
Chunyan Zhang 2020-01-18 09:29:32 +08:00
parent 04ea628303
commit 37e0caa36e
237 changed files with 23242 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
non_plat/MtkCodecService.te Normal file
View File

@ -0,0 +1,23 @@
# ==============================================
# Policy File of /vendor/bin/MtkCodecService Executable File
# ==============================================
# Type Declaration
# ==============================================
type MtkCodecService_exec , exec_type, file_type, vendor_file_type;
type MtkCodecService ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.12
# Operation : Migration
# Purpose : Do APE decode operation and exchange data with mediaserver.
#binder_use(MtkCodecService)
#init_daemon_domain(MtkCodecService)
#binder_call(MtkCodecService,mediaserver)
#allow MtkCodecService mtk_codec_service_service:service_manager add;
#allow MtkCodecService self:capability{setuid sys_nice};
#allow MtkCodecService dumpstate:fd use;

71
non_plat/adbd.te Normal file
View File

@ -0,0 +1,71 @@
# ==============================================
# MTK Policy Rule
# ============
#permissive adbd;
# Date : WK14.27
# Operation : KK.AOSP SQC
# Purpose : MTK snapshot-related mechanism
allow adbd graphics_device:chr_file r_file_perms;
# Date : WK14.27
# Operation : KK.AOSP SQC
# Purpose : A process wants to access a specific path. For example : shell:ls -l /data/data/
#allow adbd platform_app_data_file:dir ra_dir_perms;
#allow adbd platform_app_data_file:file create_file_perms;
#allow adbd radio_data_file:file r_file_perms;
# Date : WK14.27
# Operation : KK.AOSP SQC
# Purpose : shell:logcat -v threadtime
allow adbd self:capability2 syslog;
allow adbd block_device:dir r_dir_perms;
allow adbd kernel:process setsched;
allow adbd self:capability { net_raw ipc_lock dac_override };
allow adbd system_data_file:dir w_dir_perms;
file_type_auto_trans(adbd, system_data_file, adbd_data_file)
allow adbd adbd_data_file:file create_file_perms;
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow adbd qemu_pipe_device:chr_file rw_file_perms;
# user load adb pull /data/aee_exp db
allow adbd aee_exp_data_file:dir r_dir_perms;
allow adbd aee_exp_data_file:file r_file_perms;
# call screencap by DDMS
allow adbd surfaceflinger:dir search;
allow adbd surfaceflinger:file r_file_perms;
# Date : WK14.48
# Operation : L0 SQC
# Purpose : push/pull files to specific folders
allow adbd sf_rtt_file:dir getattr;
# Date : WK15.35
# Operation : Migration
# Purpose: Allow adbd to read binder from surfaceflinger
allow adbd surfaceflinger:fifo_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow adbd proc_ged:file {open read write ioctl getattr};
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow adbd surfaceflinger:fifo_file rw_file_perms;
# Data : WK16.45
# Operator: Whitney SQC
# Purpose: gpu_device uses adbd to screencap
allow adbd gpu_device:dir search;
# Data : WK17.46
# Operator: Migration
# Purpose: Allow adbd to read KE DB
allow adbd aee_dumpsys_data_file:file r_file_perms;

49
non_plat/aee_aed.te Normal file
View File

@ -0,0 +1,49 @@
# ==============================================
# Policy File of /system/bin/aee_aed Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aed aed_device:chr_file rw_file_perms;
allow aee_aed expdb_device:chr_file rw_file_perms;
allow aee_aed expdb_block_device:blk_file rw_file_perms;
allow aee_aed bootdevice_block_device:blk_file rw_file_perms;
allow aee_aed etb_device:chr_file rw_file_perms;
# open/dev/mtd/mtd12 failed(expdb)
allow aee_aed mtd_device:dir create_dir_perms;
allow aee_aed mtd_device:chr_file rw_file_perms;
# NE flow: /dev/RT_Monitor
allow aee_aed RT_Monitor_device:chr_file r_file_perms;
#data/aee_exp
allow aee_aed aee_exp_data_file:dir create_dir_perms;
allow aee_aed aee_exp_data_file:file create_file_perms;
#data/dumpsys
allow aee_aed aee_dumpsys_data_file:dir create_dir_perms;
allow aee_aed aee_dumpsys_data_file:file create_file_perms;
#/data/core
allow aee_aed aee_core_data_file:dir create_dir_perms;
allow aee_aed aee_core_data_file:file create_file_perms;
# /data/data_tmpfs_log
allow aee_aed data_tmpfs_log_file:dir create_dir_perms;
allow aee_aed data_tmpfs_log_file:file create_file_perms;
# Purpose: aee_aed set property
set_prop(aee_aed, persist_mtk_aee_prop);
set_prop(aee_aed, persist_aee_prop);
set_prop(aee_aed, debug_mtk_aee_prop);
# /proc/lk_env
allow aee_aed proc_lk_env:file rw_file_perms;
# Purpose: Allow aee_aedv to read /proc/pid/exe
allow aee_aed exec_type:file r_file_perms;

359
non_plat/aee_aedv.te Normal file
View File

@ -0,0 +1,359 @@
# ==============================================
# Policy File of /vendor/bin/aee_aedv Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.32
# Operation : AEE UT
# Purpose : for AEE module
allow aee_aedv aed_device:chr_file rw_file_perms;
allow aee_aedv expdb_device:chr_file rw_file_perms;
allow aee_aedv expdb_block_device:blk_file rw_file_perms;
allow aee_aedv bootdevice_block_device:blk_file rw_file_perms;
allow aee_aedv etb_device:chr_file rw_file_perms;
# AED start: /dev/block/expdb
allow aee_aedv block_device:dir search;
# open/dev/mtd/mtd12 failed(expdb)
allow aee_aedv mtd_device:dir create_dir_perms;
allow aee_aedv mtd_device:chr_file rw_file_perms;
#allow aee_aedv userdata_block_device:blk_file create_file_perms; # neverallow
# NE flow: /dev/RT_Monitor
allow aee_aedv RT_Monitor_device:chr_file r_file_perms;
# aee db dir and db files
allow aee_aedv sdcard_type:dir create_dir_perms;
allow aee_aedv sdcard_type:file create_file_perms;
#data/anr
allow aee_aedv anr_data_file:dir create_dir_perms;
allow aee_aedv anr_data_file:file create_file_perms;
#data/aee_exp
allow aee_aedv aee_exp_data_file:dir create_dir_perms;
allow aee_aedv aee_exp_data_file:file create_file_perms;
#data/dumpsys
allow aee_aedv aee_dumpsys_data_file:dir create_dir_perms;
allow aee_aedv aee_dumpsys_data_file:file create_file_perms;
#/data/core
allow aee_aedv aee_core_data_file:dir create_dir_perms;
allow aee_aedv aee_core_data_file:file create_file_perms;
# /data/data_tmpfs_log
allow aee_aedv data_tmpfs_log_file:dir create_dir_perms;
allow aee_aedv data_tmpfs_log_file:file create_file_perms;
allow aee_aedv domain:process { sigkill getattr getsched};
allow aee_aedv domain:lnk_file getattr;
#core-pattern
allow aee_aedv usermodehelper:file r_file_perms;
#suid_dumpable
# allow aee_aedv proc_security:file r_file_perms; neverallow
#property
allow aee_aedv init:unix_stream_socket connectto;
allow aee_aedv property_socket:sock_file write;
#allow aee_aedv call binaries labeled "system_file" under /system/bin/
# allow aee_aedv system_file:file execute_no_trans;
allow aee_aedv init:process getsched;
allow aee_aedv kernel:process getsched;
# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
userdebug_or_eng(`allow aee_aedv self:capability sys_admin;')
# Date: W16.17
# Operation: N0 Migeration
# Purpose: creat dir "aee_exp" under /data
allow aee_aedv system_data_file:dir { write create add_name };
# Purpose: aee_aedv set property
set_prop(aee_aedv, persist_mtk_aee_prop);
set_prop(aee_aedv, persist_aee_prop);
set_prop(aee_aedv, debug_mtk_aee_prop);
# Purpose: allow aee_aedv to access toolbox
# allow aee_aedv toolbox_exec:file { execute execute_no_trans };
# purpose: allow aee_aedv to access storage on N version
allow aee_aedv media_rw_data_file:file { create_file_perms };
allow aee_aedv media_rw_data_file:dir { create_dir_perms };
# Purpose: mnt/user/*
allow aee_aedv mnt_user_file:dir search;
allow aee_aedv mnt_user_file:lnk_file read;
allow aee_aedv storage_file:dir search;
allow aee_aedv storage_file:lnk_file read;
# Date : WK17.09
# Operation : AEE UT for Android O
# Purpose : for AEE module to dump files
# domain_auto_trans(aee_aedv, dumpstate_exec, dumpstate)
# Purpose : aee_aedv communicate with aee_core_forwarder
# allow aee_aedv aee_core_forwarder:dir search;
# allow aee_aedv aee_core_forwarder:file { read getattr open };
userdebug_or_eng(`
allow aee_aedv su:dir {search read open };
allow aee_aedv su:file { read getattr open };
')
# /data/vendor/tombstone
allow aee_aedv aee_tombstone_data_file:dir w_dir_perms;
allow aee_aedv aee_tombstone_data_file:file create_file_perms;
# /proc/pid/
allow aee_aedv self:capability { fowner chown dac_override fsetid sys_nice sys_resource net_admin sys_module};
# PROCESS_FILE_STATE
allow aee_aedv dumpstate:unix_stream_socket { read write ioctl };
allow aee_aedv dumpstate:dir search;
allow aee_aedv dumpstate:file r_file_perms;
allow aee_aedv proc:file rw_file_perms;
allow aee_aedv logdr_socket:sock_file write;
allow aee_aedv logd:unix_stream_socket connectto;
# allow aee_aedv system_ndebug_socket:sock_file write; mask for never allow rule
# vibrator
allow aee_aedv sysfs_vibrator:file w_file_perms;
# /proc/lk_env
allow aee_aedv proc_lk_env:file rw_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : make aee_aedv can get specific process NE info
allow aee_aedv domain:dir r_dir_perms;
allow aee_aedv domain:{ file lnk_file } r_file_perms;
allow aee_aedv {
domain
-logd
-keystore
-init
}:process ptrace;
allow aee_aedv dalvikcache_data_file:dir r_dir_perms;
allow aee_aedv zygote_exec:file r_file_perms;
allow aee_aedv init_exec:file r_file_perms;
# Data : 2017/04/06
# Operation : add selinux rule for crash_dump notify aee_aedv
# Purpose : make aee_aedv can get notify from crash_dump
allow aee_aedv crash_dump:dir search;
allow aee_aedv crash_dump:file r_file_perms;
# Date : 20170512
# Operation : fix aee_archive can't execute issue
# Purpose : type=1400 audit(0.0:97916): avc: denied { execute_no_trans } for
# path="/system/vendor/bin/aee_archive" dev="mmcblk0p26" ino=2355
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:vendor_file:s0
# tclass=file permissive=0
allow aee_aedv vendor_file:file execute_no_trans;
# Purpose: debugfs files
allow aee_aedv debugfs:lnk_file read;
allow aee_aedv debugfs_binder:dir { read open };
allow aee_aedv debugfs_binder:file { read open };
allow aee_aedv debugfs_blockio:file { read open };
allow aee_aedv debugfs_fb:dir search;
allow aee_aedv debugfs_fb:file { read open };
allow aee_aedv debugfs_fuseio:dir search;
allow aee_aedv debugfs_fuseio:file { read open };
allow aee_aedv debugfs_ged:dir search;
allow aee_aedv debugfs_ged:file { read open };
allow aee_aedv debugfs_rcu:dir search;
allow aee_aedv debugfs_shrinker_debug:file { read open };
allow aee_aedv debugfs_wakeup_sources:file { read open };
allow aee_aedv debugfs_dmlog_debug:file { read open };
allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file { read open };
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
allow aee_aedv debugfs_emi_mbw_buf:file { read open };
# Purpose:
# 01-01 00:02:46.390 3315 3315 W aee_dumpstatev: type=1400 audit(0.0:4728):
# avc: denied { read } for name="interrupts" dev="proc" ino=4026533608 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file permissive=0
allow aee_aedv proc_interrupts:file read;
# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow aee_aedv debugfs_tracing:file { write read open };
# Purpose:
# 01-01 00:05:16.730 3566 3566 W dmesg : type=1400 audit(0.0:5173): avc:
# denied { read } for name="kmsg" dev="tmpfs" ino=12292 scontext=u:r:aee_aedv:
# s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
allow aee_aedv kmsg_device:chr_file read;
# Purpose:
# 01-01 00:05:17.720 3567 3567 W ps : type=1400 audit(0.0:5192): avc:
# denied { getattr } for path="/proc/3421" dev="proc" ino=78975 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv platform_app:dir r_dir_perms;
allow aee_aedv platform_app:file r_file_perms;
# Purpose:
# 01-01 00:05:17.750 3567 3567 W ps : type=1400 audit(0.0:5193): avc:
# denied { getattr } for path="/proc/3461" dev="proc" ino=11013 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app_25:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app_25:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5179): avc:
# denied { getattr } for path="/proc/2712" dev="proc" ino=65757 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv untrusted_app:dir getattr;
# Purpose:
# 01-01 00:05:17.650 3567 3567 W ps : type=1400 audit(0.0:5180): avc:
# denied { getattr } for path="/proc/2747" dev="proc" ino=66659 scontext=u:r:
# aee_aedv:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=dir permissive=0
allow aee_aedv priv_app:dir getattr;
# Purpose:
# 01-01 00:05:16.270 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5153):
# avc: denied { open } for path="/proc/interrupts" dev="proc" ino=4026533608
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:proc_interrupts:s0 tclass=file
# permissive=0
allow aee_aedv proc_interrupts:file r_file_perms;
# Purpose:
# 01-01 00:05:16.620 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5171):
# avc: denied { read } for name="route" dev="proc" ino=4026533633 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file read;
# Purpose:
# 01-01 00:05:16.610 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5168):
# avc: denied { read } for name="zoneinfo" dev="proc" ino=4026533664 scontext=
# u:r:aee_aedv:s0 tcontext=u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file read;
# Purpose:
# 01-01 00:05:17.840 3554 3554 W aee_dumpstatev: type=1400 audit(0.0:5200):
# avc: denied { search } for name="leds" dev="sysfs" ino=6217 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:sysfs_leds:s0 tclass=dir permissive=0
allow aee_aedv sysfs_leds:dir search;
allow aee_aedv sysfs_leds:file r_file_perms;
# Purpose:
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5592): avc: denied
# { search } for name="ccci" dev="sysfs" ino=6026 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# sysfs_ccci:s0 tclass=dir permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5593): avc: denied { read }
# for name="md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:sysfs_ccci:s0
# tclass=file permissive=1
# 01-01 00:03:45.790 3651 3651 I aee_dumpstatev: type=1400 audit(0.0:5594): avc: denied { open }
# for path="/sys/kernel/ccci/md_chn" dev="sysfs" ino=6035 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:sysfs_ccci:s0 tclass=file permissive=1
allow aee_aedv sysfs_ccci:dir search;
allow aee_aedv sysfs_ccci:file r_file_perms;
allow aee_aedv system_data_file:dir getattr;
allow aee_aedv system_data_file:file open;
# Purpose:
# 01-01 00:03:44.330 3658 3658 I aee_dumpstatev: type=1400 audit(0.0:5411): avc: denied
# { execute_no_trans } for path="/vendor/bin/toybox_vendor" dev="mmcblk0p26" ino=250 scontext=u:r:
# aee_aedv:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
allow aee_aedv vendor_toolbox_exec:file rx_file_perms;
# Purpose:
# 01-01 00:12:06.320000 4145 4145 W dmesg : type=1400 audit(0.0:826): avc: denied { open } for
# path="/dev/kmsg" dev="tmpfs" ino=10875 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:kmsg_device:
# s0 tclass=chr_file permissive=0
# 01-01 00:42:33.070000 4171 4171 W dmesg : type=1400 audit(0.0:1343): avc: denied
# { syslog_read } for scontext=u:r:aee_aedv:s0 tcontext=u:r:kernel:s0 tclass=system permissive=0
allow aee_aedv kmsg_device:chr_file r_file_perms;
allow aee_aedv kernel:system syslog_read;
# Purpose:
# 01-01 00:12:37.890000 4162 4162 W aee_dumpstatev: type=1400 audit(0.0:914): avc: denied
# { read } for name="meminfo" dev="proc" ino=4026533612 scontext=u:r:aee_aedv:s0 tcontext=u:
# object_r:proc_meminfo:s0 tclass=file permissive=0
allow aee_aedv proc_meminfo:file r_file_perms;
# Purpose:
# 01-01 00:08:39.900000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:371): avc: denied
# { open } for path="/proc/3833/net/route" dev="proc" ino=4026533632 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:proc_net:s0 tclass=file permissive=0
allow aee_aedv proc_net:file r_file_perms;
# Purpose:
# 01-01 00:08:39.880000 3833 3833 W aee_dumpstatev: type=1400 audit(0.0:370): avc: denied
# { open } for path="/proc/zoneinfo" dev="proc" ino=4026533663 scontext=u:r:aee_aedv:s0 tcontext=
# u:object_r:proc_zoneinfo:s0 tclass=file permissive=0
allow aee_aedv proc_zoneinfo:file r_file_perms;
# Purpose:
# 01-01 00:33:27.750000 338 338 W aee_aedv: type=1400 audit(0.0:98): avc: denied { read }
# for name="fstab.mt6755" dev="rootfs" ino=1082 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# rootfs:s0 tclass=file permissive=0
allow aee_aedv rootfs:file r_file_perms;
# Purpose:
# 01-01 00:33:28.340000 338 338 W aee_aedv: type=1400 audit(0.0:104): avc: denied { search }
# for name="dynamic_debug" dev="debugfs" ino=8182 scontext=u:r:aee_aedv:s0 tcontext=u:object_r:
# debugfs_dynamic_debug:s0 tclass=dir permissive=0
allow aee_aedv debugfs_dynamic_debug:dir search;
allow aee_aedv debugfs_dynamic_debug:file r_file_perms;
# Purpose:
# [ 241.001976] <1>.(1)[209:logd.auditd]type=1400 audit(1262304586.172:515): avc: denied { read }
# for pid=1978 comm="aee_aedv64" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aedv:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow aee_aedv sysfs:file { r_file_perms write };
# Purpose: Allow aee_aedv to use HwBinder IPC.
hwbinder_use(aee_aedv)
allow aee_aedv hwservicemanager_prop:file { read open getattr };
# Purpose: Allow aee_aedv access to vendor/bin/mtkcam-debug, which in turn invokes ICameraProvider
# - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
# scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
# - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
binder_call(aee_aedv, mtk_hal_camera)
# Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
allow aee_aedv selinuxfs:file r_file_perms;
# Purpose: Allow aee_aedv to read /proc/pid/exe
allow aee_aedv exec_type:file r_file_perms;
# Purpose: mrdump pre-allocation: immutable and userdata
# - avc: denied { linux_immutable } for capability=9 scontext=u:r:aee_aedv:s0
# tcontext=u:r:aee_aedv:s0 tclass=capability permissive=0
allow aee_aedv self:capability linux_immutable;
allow aee_aedv userdata_block_device:blk_file { read write open };
# Purpose: allow vendor aee read lowmemorykiller logs
# file path: /sys/module/lowmemorykiller/parameters/
allow aee_aedv sysfs_lowmemorykiller:dir search;
allow aee_aedv sysfs_lowmemorykiller:file r_file_perms;
# Purpose: Allow aee read /sys/class/misc/scp/scp_dump
allow aee_aedv sysfs_scp:dir r_dir_perms;
allow aee_aedv sysfs_scp:file r_file_perms;

113
non_plat/aee_core_forwarder.te Normal file
View File

@ -0,0 +1,113 @@
# ==============================================
# Policy File of /vendor/bin/aee_core_forwarder Executable File
# ==============================================
# Type Declaration
# ==============================================
type aee_core_forwarder_exec, exec_type, file_type, vendor_file_type;
type aee_core_forwarder, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(aee_core_forwarder)
#/data/core/zcorexxx.zip
allow aee_core_forwarder aee_core_data_file:dir relabelto;
allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
allow aee_core_forwarder aee_core_data_file:file create_file_perms;
allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };
#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
allow aee_core_forwarder sdcard_type:dir create_dir_perms;
allow aee_core_forwarder sdcard_type:file create_file_perms;
allow aee_core_forwarder self:capability fsetid;
allow aee_core_forwarder aee_exp_data_file:dir create_dir_perms;
allow aee_core_forwarder aee_exp_data_file:file create_file_perms;
#mkdir(path, mode)
allow aee_core_forwarder self:capability dac_override;
#read STDIN_FILENO
allow aee_core_forwarder kernel:fifo_file read;
#read /proc/<pid>/cmdline
allow aee_core_forwarder domain:dir r_dir_perms;
allow aee_core_forwarder domain:file r_file_perms;
#get wake_lock to avoid system suspend when coredump is generating
allow aee_core_forwarder sysfs_wake_lock:file rw_file_perms;
# Date : 2015/07/11
# Operation : Migration
# Purpose : for mtk debug mechanism
allow aee_core_forwarder self:capability2 block_suspend;
# Date : 2015/07/21
# Operation : Migration
# Purpose : for generating core dump on sdcard
allow aee_core_forwarder mnt_user_file:dir search;
allow aee_core_forwarder mnt_user_file:lnk_file read;
allow aee_core_forwarder storage_file:dir search;
allow aee_core_forwarder storage_file:lnk_file read;
# Date : 2016/03/05
# Operation : selinux waring fix
# Purpose : avc: denied { search } for pid=15909 comm="aee_core_forwar"
# name="15493" dev="proc" ino=112310 scontext=u:r:aee_core_forwarder:s0
# tcontext=u:r:untrusted_app:s0:c512,c768 tclass=dir permissive=0
dontaudit aee_core_forwarder untrusted_app:dir search;
# Date : 2016/04/18
# Operation : N0 Migration
# Purpose : access for pipefs
allow aee_core_forwarder kernel:fd use;
# Purpose : read AEE persist property
allow aee_core_forwarder persist_aee_prop:file r_file_perms;
# Purpose: search root dir "/"
allow aee_core_forwarder tmpfs:dir search;
# Purpose : read /selinux_version
allow aee_core_forwarder rootfs:file r_file_perms;
# Data : 2016/06/13
# Operation : fix sys_ptrace selinux warning
# Purpose : type=1400 audit(1420070409.080:177): avc: denied { sys_ptrace } for pid=3136
# comm="aee_core_forwar" capability=19 scontext=u:r:aee_core_forwarder:s0
# tcontext=u:r:aee_core_forwarder:s0 tclass=capability permissive=0
dontaudit aee_core_forwarder self:capability sys_ptrace;
# Data : 2016/06/24
# Operation : fix media_rw_data_file access selinux warning
# Purpose :
# type=1400 audit(0.0:6511): avc: denied { search } for name="db.p08JgF"
# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
# type=1400 audit(0.0:6512): avc: denied { write } for name="db.p08JgF"
# dev="dm-0" ino=540948 scontext=u:r:aee_core_forwarder:s0
# tcontext=u:object_r:media_rw_data_file:s0 tclass=dir permissive=1
# type=1400 audit(0.0:6513): avc: denied { add_name } for name="CURRENT.dbg"
# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
# tclass=dir permissive=1
# type=1400 audit(0.0:6514): avc: denied { create } for name="CURRENT.dbg"
# scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
# tclass=file permissive=1
# type=1400 audit(0.0:6515): avc: denied { write open } for
# path="/data/media/0/mtklog/aee_exp/temp/db.p08JgF/CURRENT.dbg" dev="dm-0"
# ino=540952 scontext=u:r:aee_core_forwarder:s0 tcontext=u:object_r:media_rw_data_file:s0
# tclass=file permissive=1
allow aee_core_forwarder media_rw_data_file:dir w_dir_perms;
allow aee_core_forwarder media_rw_data_file:file { create open write };
# Data : 2017/03/08
# Operation : fix aee_core_forwarder connect to aee_aedv
# Purpose : type=1400 audit(0.0:6594): avc: denied { connectto } for
# path=00616E64726F69643A6165655F616564 scontext=u:r:aee_core_forwarder:s0
# tcontext=u:r:aee_aedv:s0 tclass=unix_stream_socket permissive=0
allow aee_core_forwarder aee_aedv:unix_stream_socket connectto;
# Data : 2017/08/04
# Operation : fix sys_nice selinux warning
# Purpose : type=1400 audit(0.0:50): avc: denied { sys_nice } for capability=23
# scontext=u:r:aee_core_forwarder:s0 tcontext=u:r:aee_core_forwarder:s0
# tclass=capability permissive=0
allow aee_core_forwarder self:capability sys_nice;

22
non_plat/app.te Normal file
View File

@ -0,0 +1,22 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow appdomain proc_ged:file {open read write ioctl getattr};
# Date : W16.42
# Operation : Integration
# Purpose : DRM / DRI GPU driver required
allow appdomain gpu_device:dir search;
# Date : W17.30
# Purpose : Allow MDP user access cmdq driver
allow appdomain mtk_cmdq_device:chr_file {open read ioctl};
# Date : W17.41
# Operation: SQC
# Purpose : Allow HWUI to access perfmgr
allow appdomain proc_perfmgr:dir search;
allow appdomain proc_perfmgr:file { getattr open read ioctl};

8
non_plat/appdomain.te Normal file
View File

@ -0,0 +1,8 @@
# ==============================================
# MTK Policy Rule
# ============
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow appdomain surfaceflinger:fifo_file rw_file_perms;

47
non_plat/attributes Normal file
View File

@ -0,0 +1,47 @@
# ==============================================
# MTK Attribute declarations
# ==============================================
# Attribute that represents all mtk property types (except those with ctl_xxx prefix)
attribute mtk_core_property_type;
# Date: 2017/06/12
# LBS HIDL
attribute mtk_hal_lbs;
attribute mtk_hal_lbs_client;
attribute mtk_hal_lbs_server;
# Date: 2017/06/22
# WIFI HOSTAPD HIDL
attribute mtk_hal_wifi_hostapd;
attribute mtk_hal_wifi_hostapd_client;
attribute mtk_hal_wifi_hostapd_server;
# Date: 2017/06/27
# IMSA HIDL
attribute hal_imsa;
attribute hal_imsa_client;
attribute hal_imsa_server;
# attribute that represents all MTK IMS types. It should be used by AP side module only.
attribute mtkimsapdomain;
#
# # attribute that represents all MTK IMS types. It should be used by MD side module only.
attribute mtkimsmddomain;
# Date: 2017/07/19
# PQ HIDL
attribute hal_pq;
attribute hal_pq_client;
attribute hal_pq_server;
# Date: 2017/07/28
# KEY ATTESTATION HIDL
attribute mtk_hal_keyattestation;
attribute mtk_hal_keyattestation_client;
attribute mtk_hal_keyattestation_server;
# Date: 2017/07/13
# NVRAM AGENT HIDL
attribute hal_nvramagent;
attribute hal_nvramagent_client;
attribute hal_nvramagent_server;

19
non_plat/audiocmdservice_atci.te Normal file
View File

@ -0,0 +1,19 @@
# ==============================================
# Policy File of /system/bin/audiocmdservice_atci Executable File
# Read/Write NV
allow audiocmdservice_atci nvram_device:devfile_class_set rw_file_perms;
allow audiocmdservice_atci nvram_data_file:dir create_dir_perms;
allow audiocmdservice_atci nvram_data_file:{file lnk_file} create_file_perms;
allow audiocmdservice_atci nvdata_file:dir create_dir_perms;
allow audiocmdservice_atci nvdata_file:file create_file_perms;
# Access to storages for audio tuning tool to read/write tuning result
allow audiocmdservice_atci { block_device device }:dir { write search };
allow audiocmdservice_atci mnt_user_file:dir rw_dir_perms;
allow audiocmdservice_atci { mnt_user_file storage_file }:lnk_file rw_file_perms;
allow audiocmdservice_atci bootdevice_block_device:blk_file { read write };
allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
binder_call(audiocmdservice_atci,mtk_hal_audio);
allow audiocmdservice_atci mtk_audiohal_data_file:dir create_dir_perms;

87
non_plat/audioserver.te Normal file
View File

@ -0,0 +1,87 @@
# ==============================================
# MTK Policy Rule for vendor
# ==============================================
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
allow audioserver audiohal_prop:property_service set;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow audioserver rpc_socket:sock_file write;
allow audioserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow audioserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow audioserver proc_mtkcooler:dir search;
allow audioserver proc_mtktz:dir search;
allow audioserver proc_thermal:dir search;
allow audioserver thermal_manager_data_file:file create_file_perms;
allow audioserver thermal_manager_data_file:dir { rw_dir_perms setattr };
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow audioserver offloadservice_device:chr_file rw_file_perms;
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow audioserver sysfs_ccci:file r_file_perms;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow audioserver tmpfs:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: access sysfs node
allow audioserver sysfs:file { open read write };
allow audioserver sysfs_ccci:dir search;
# Purpose: Dump debug info
allow audioserver debugfs_binder:dir search;
allow audioserver fuse:file write;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow audioserver proc_ged:file {open read write ioctl getattr};
# Date : WK16.48
# Purpose: Allow to trigger AEE dump
allow audioserver aee_aed:unix_stream_socket connectto;
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
allow audioserver mtk_thermal_config_prop:file { getattr open read };
allow audioserver mtk_thermal_config_prop:property_service set;
# Date : WK17.42
# Operation : MT6737m CTS
# Purpose : Read compensation filter parameter from nvram data
allow audioserver nvdata_file:dir r_dir_perms;
allow audioserver nvdata_file:file r_file_perms;
# Date : WK17.42
# Operation : ALPS03606059
allow audioserver mtk_audiohal_data_file:dir r_dir_perms;
# Date : WK17.49
# Operation : Migration
# Purpose : Read audio loudness parameter from nvram data
allow audioserver nvdata_file:dir write;
allow audioserver nvram_data_file:dir w_dir_perms;
allow audioserver nvram_data_file:file create_file_perms;
allow audioserver nvram_data_file:lnk_file read;

7
non_plat/autoplay_app.te Normal file
View File

@ -0,0 +1,7 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
#allow autoplay_app proc_ged:file {open read write ioctl getattr};

33
non_plat/biosensord_nvram.te Normal file
View File

@ -0,0 +1,33 @@
# ==============================================
# Policy File of /system/bin/biosensord_nvram Executable File
# ==============================================
# Type Declaration
# ==============================================
type biosensord_nvram ,domain;
type biosensord_nvram_exec , exec_type, file_type, vendor_file_type;
type biosensord_nvram_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(biosensord_nvram)
# Data : WK16.21
# Operation : New Feature
# Purpose : For biosensor daemon can do nvram r/w to save calibration data
allow biosensord_nvram nvdata_file:dir rw_dir_perms;
allow biosensord_nvram nvdata_file:file {rw_file_perms create_file_perms};
allow biosensord_nvram nvram_data_file:lnk_file rw_file_perms;
allow biosensord_nvram biometric_device:chr_file { open ioctl read write };
allow biosensord_nvram self:capability { dac_read_search chown fsetid dac_override };
allow biosensord_nvram system_data_file:lnk_file read;

10
non_plat/bluetooth.te Normal file
View File

@ -0,0 +1,10 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date:W17.07
# Operation : bt hal developing
# Purpose : bt hal interface permission
binder_call(bluetooth, mtk_hal_bluetooth)
allow bluetooth storage_stub_file:dir getattr;

23
non_plat/boot_logo_updater.te Normal file
View File

@ -0,0 +1,23 @@
# ==============================================
# Policy File of /system/binboot_logo_updater Executable File
# ==============================================
# Type Declaration
# ==============================================
# Date : WK14.43
# Operation : Migration
# Purpose : To access file directories and files like logo.bin
allow boot_logo_updater logo_block_device:blk_file r_file_perms;
# To access block files at /dev/block/mmcblk0 ir /dev/block/sdc
allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
#To access file at /dev/logo
allow boot_logo_updater logo_device:chr_file r_file_perms;
# To access file at /proc/lk_env
allow boot_logo_updater proc_lk_env:file rw_file_perms;
# Date : WK16.25
# Operation : Global_Device/Uniservice Feature
# Purpose : for it to read-write SysEnv data
allow boot_logo_updater para_block_device:blk_file rw_file_perms;

25
non_plat/bootanim.te Normal file
View File

@ -0,0 +1,25 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
allow bootanim custom_file:dir search;
allow bootanim custom_file:file r_file_perms;
allow bootanim bootani_prop:property_service set;
# Date : WK14.46
# Operation : Migration
# Purpose : For MTK Emulator HW GPU
allow bootanim qemu_pipe_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow bootanim proc_ged:file {open read write ioctl getattr};
# Date : WK17.43
# Operation : Migration
# Purpose : For MTK perfmgr
allow bootanim proc_perfmgr:dir {search read};
allow bootanim proc_perfmgr:file {open read ioctl};

400
non_plat/cameraserver.te Normal file
View File

@ -0,0 +1,400 @@
# ==============================================================================
# Policy File of /system/bin/cameraserver Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# -----------------------------------
# Android O
# Purpose: Allow cameraserver to perform binder IPC to servers and callbacks.
# -----------------------------------
# call camerahalserver
binder_call(cameraserver, mtk_hal_camera)
# call the graphics allocator hal
binder_call(cameraserver, hal_graphics_allocator)
# -----------------------------------
# Android O
# Purpose: Debugging
# -----------------------------------
# Purpose: adb shell dumpsys media.camera --unreachable
allow cameraserver self:process { ptrace };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow cameraserver mtkcam_prop:file { open read getattr };
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
allow cameraserver camera_isp_device:chr_file rw_file_perms;
allow cameraserver ccu_device:chr_file rw_file_perms;
allow cameraserver vpu_device:chr_file rw_file_perms;
allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
allow cameraserver seninf_device:chr_file rw_file_perms;
allow cameraserver self:capability { setuid ipc_lock sys_nice };
allow cameraserver sysfs_wake_lock:file rw_file_perms;
allow cameraserver MTK_SMI_device:chr_file r_file_perms;
allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
allow cameraserver lens_device:chr_file rw_file_perms;
allow cameraserver nvdata_file:dir { write search add_name };
allow cameraserver nvdata_file:file { read write getattr setattr open create };
allow cameraserver nvram_data_file:dir search;
allow cameraserver nvram_data_file:dir w_dir_perms;
allow cameraserver nvram_data_file:file create_file_perms;
allow cameraserver nvram_data_file:lnk_file read;
allow cameraserver nvdata_file:lnk_file read;
allow cameraserver proc:file { read ioctl open };
allow cameraserver proc_meminfo:file { read getattr open };
allow cameraserver sysfs:file { read write open };
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow cameraserver nvram_device:chr_file rw_file_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow cameraserver self:netlink_kobject_uevent_socket { create setopt bind };
allow cameraserver self:capability { net_admin };
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
allow cameraserver devmap_device:chr_file { ioctl };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow cameraserver self:netlink_kobject_uevent_socket read;
allow cameraserver system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow cameraserver bluetooth:unix_dgram_socket sendto;
allow cameraserver bt_a2dp_stream_socket:sock_file write;
allow cameraserver bt_int_adp_socket:sock_file write;
# Date : WK14.37
# Operation : Migration
# Purpose : camera ioctl
allow cameraserver camera_sysram_device:chr_file r_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
allow cameraserver Vcodec_device:chr_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : MMProfile debug
# userdebug_or_eng(`
#allow cameraserver debugfs:file {read ioctl getattr search};
# ')
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow cameraserver MtkCodecService:binder call;
allow cameraserver ccci_device:chr_file rw_file_perms;
allow cameraserver eemcs_device:chr_file rw_file_perms;
allow cameraserver devmap_device:chr_file r_file_perms;
allow cameraserver ebc_device:chr_file rw_file_perms;
allow cameraserver nvram_device:blk_file rw_file_perms;
allow cameraserver bootdevice_block_device:blk_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
#allow cameraserver mtk_device:chr_file { read write ioctl open };
allow cameraserver mtk_sched_device:chr_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
allow cameraserver block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow cameraserver fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for VP/VR
allow cameraserver block_device:dir search;
allow cameraserver FM50AF_device:chr_file rw_file_perms;
allow cameraserver AD5820AF_device:chr_file rw_file_perms;
allow cameraserver DW9714AF_device:chr_file rw_file_perms;
allow cameraserver DW9814AF_device:chr_file rw_file_perms;
allow cameraserver AK7345AF_device:chr_file rw_file_perms;
allow cameraserver DW9714A_device:chr_file rw_file_perms;
allow cameraserver LC898122AF_device:chr_file rw_file_perms;
allow cameraserver LC898212AF_device:chr_file rw_file_perms;
allow cameraserver BU6429AF_device:chr_file rw_file_perms;
allow cameraserver DW9718AF_device:chr_file rw_file_perms;
allow cameraserver BU64745GWZAF_device:chr_file rw_file_perms;
allow cameraserver MAINAF_device:chr_file rw_file_perms;
allow cameraserver MAIN2AF_device:chr_file rw_file_perms;
allow cameraserver SUBAF_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
allow cameraserver bootanim:binder { transfer call };
allow cameraserver mtkbootanimation:binder { transfer call };
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
allow cameraserver sdcard_type:file append;
# Date : WK14.39
# Operation : Migration
# Purpose : FDVT Driver
allow cameraserver camera_fdvt_device:chr_file rw_file_perms;
# Date : WK14.39
# Operation : Migration
# Purpose : APE PLAYBACK
binder_call(cameraserver,MtkCodecService)
# Data : WK14.39
# Operation : Migration
# Purpose : HW encrypt SW codec
allow cameraserver mediaserver_data_file:file create_file_perms;
allow cameraserver mediaserver_data_file:dir create_dir_perms;
allow cameraserver sec_device:chr_file r_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow cameraserver graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow cameraserver smartpa_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : mtk_jpeg
allow cameraserver mtk_jpeg_device:chr_file r_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow cameraserver uhid_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Camera EEPROM Calibration
allow cameraserver CAM_CAL_DRV_device:chr_file rw_file_perms;
allow cameraserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow cameraserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow cameraserver vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow cameraserver rpc_socket:sock_file write;
allow cameraserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
allow cameraserver surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow cameraserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow cameraserver proc_mtkcooler:dir search;
allow cameraserver proc_mtktz:dir search;
allow cameraserver proc_thermal:dir search;
allow cameraserver thermal_manager_data_file:file create_file_perms;
allow cameraserver thermal_manager_data_file:dir { rw_dir_perms setattr };
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow cameraserver qemu_pipe_device:chr_file rw_file_perms;
# Date : WK14.46
# Operation : Migration
# Purpose : for camera init
allow cameraserver system_server:unix_stream_socket { read write };
# Data : WK14.46
# Operation : Migration
# Purpose : for SMS app
allow cameraserver radio_data_file:dir search;
allow cameraserver radio_data_file:file open;
# Data : WK14.47
# Operation : Launch camcorder from MMS
# Purpose : Camcorder
allow cameraserver radio_data_file:file open;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow cameraserver untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow cameraserver offloadservice_device:chr_file rw_file_perms;
# Date : WK15.32
# Operation : Pre-sanity
# Purpose : 3A algorithm need to access sensor service
allow cameraserver sensorservice_service:service_manager find;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow cameraserver system_data_file:dir write;
allow cameraserver storage_file:lnk_file {read write};
allow cameraserver mnt_user_file:dir {write read search};
allow cameraserver mnt_user_file:lnk_file {read write};
# Date : WK15.35
# Operation : Migration
# Purpose: Allow cameraserver to read binder from surfaceflinger
allow cameraserver surfaceflinger:fifo_file {read write};
# Date : WK15.45
# Purpose : camera read/write /nvcfg/camera data
allow cameraserver nvcfg_file:dir create_dir_perms;
allow cameraserver nvcfg_file:file create_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : DPE Driver
allow cameraserver camera_dpe_device:chr_file rw_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : TSF Driver
allow cameraserver camera_tsf_device:chr_file rw_file_perms;
# Date : WK16.20
# Operation : Migration
# Purpose: research root dir "/"
allow cameraserver tmpfs:dir search;
# Date : WK16.21
# Operation : Migration
# Purpose : EGL file access
allow cameraserver system_file:dir { read open };
allow cameraserver gpu_device:chr_file { read open write getattr ioctl };
allow cameraserver gpu_device:dir search;
# Date : WK16.30
# Operation : Migration
# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
allow cameraserver property_socket:sock_file write;
allow cameraserver proc:file getattr;
allow cameraserver shell_exec:file { execute read getattr open};
domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager)
allow cameraserver thermal_manager_exec:file { read getattr open execute};
allow cameraserver init:unix_stream_socket connectto;
# Date : WK16.32
# Operation : Migration
# Purpose : RSC Driver
allow cameraserver camera_rsc_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow cameraserver proc_ged:file {open read write ioctl getattr};
# Date : WK16.33
# Operation : Migration
# Purpose : GEPF Driver
allow cameraserver camera_gepf_device:chr_file rw_file_perms;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow cameraserver flashlight_device:chr_file rw_file_perms;
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow cameraserver surfaceflinger:fifo_file rw_file_perms;
# Date : WK16.43
# Operation : Migration
# Purpose : WPE Driver
allow cameraserver camera_wpe_device:chr_file rw_file_perms;
# Date : WK16.49
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee commmand
userdebug_or_eng(`
allow cameraserver aee_aed:unix_stream_socket connectto;
')
# Purpose: Allow to access debugfs_ion dir.
#allow cameraserver debugfs_ion:dir search;
allow cameraserver system_data_file:lnk_file read;
# Date : WK17.19
# Operation : Migration
# Purpose : OWE Driver
allow cameraserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.25
# Operation : Migration
allow cameraserver debugfs_tracing:file { write open };
allow cameraserver nvram_data_file:dir { add_name write create};
allow cameraserver nvram_data_file:file { write getattr setattr read create open };
allow cameraserver debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow cameraserver mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
allow cameraserver mtk_thermal_config_prop:file { getattr open read };
allow cameraserver mtk_thermal_config_prop:property_service set;
# Date : WK17.44
# Operation : Migration
# Purpose : DIP Driver
allow cameraserver camera_dip_device:chr_file rw_file_perms;
# Date : WK17.44
# Operation : Migration
# Purpose : MFB Driver
allow cameraserver camera_mfb_device:chr_file rw_file_perms;
# Date : WK17.49
# Operation : MT6771 SQC
# Purpose: Allow permgr access
allow cameraserver proc_perfmgr:dir {read search};
allow cameraserver proc_perfmgr:file {open read ioctl};

57
non_plat/ccci_fsd.te Normal file
View File

@ -0,0 +1,57 @@
# ==============================================
# Policy File of /system/bin/ccci_fsd Executable File
# ==============================================
# Type Declaration
# ==============================================
type ccci_fsd_exec, exec_type, file_type, vendor_file_type;
type ccci_fsd, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(ccci_fsd)
wakelock_use(ccci_fsd)
#============= ccci_fsd MD NVRAM==============
allow ccci_fsd nvram_data_file:dir create_dir_perms;
allow ccci_fsd nvram_data_file:file create_file_perms;
allow ccci_fsd nvram_data_file:lnk_file read;
allow ccci_fsd nvdata_file:lnk_file read;
allow ccci_fsd nvdata_file:dir create_dir_perms;
allow ccci_fsd nvdata_file:file create_file_perms;
allow ccci_fsd nvram_device:chr_file rw_file_perms;
allow ccci_fsd system_data_file:lnk_file read;
#============= ccci_fsd device/path/data access==============
allow ccci_fsd ccci_device:chr_file rw_file_perms;
allow ccci_fsd ccci_cfg_file:dir create_dir_perms;
allow ccci_fsd ccci_cfg_file:file create_file_perms;
#============= ccci_fsd MD Data==============
allow ccci_fsd protect_f_data_file:dir create_dir_perms;
allow ccci_fsd protect_f_data_file:file create_file_perms;
allow ccci_fsd protect_s_data_file:dir create_dir_perms;
allow ccci_fsd protect_s_data_file:file create_file_perms;
#============= ccci_fsd MD3 related==============
allow ccci_fsd c2k_file:dir create_dir_perms;
allow ccci_fsd c2k_file:file create_file_perms;
allow ccci_fsd otp_part_block_device:blk_file rw_file_perms;
allow ccci_fsd otp_device:chr_file rw_file_perms;
allow ccci_fsd sysfs:file r_file_perms;
#============= ccci_fsd MD block data==============
allow ccci_fsd block_device:dir search;
allow ccci_fsd nvram_device:blk_file rw_file_perms;
allow ccci_fsd bootdevice_block_device:blk_file rw_file_perms;
allow ccci_fsd nvdata_device:blk_file rw_file_perms;
#============= ccci_fsd cryption related ==============
allow ccci_fsd rawfs:dir create_dir_perms;
allow ccci_fsd rawfs:file create_file_perms;
#============= ccci_fsd sysfs related ==============
allow ccci_fsd sysfs_ccci:dir search;
allow ccci_fsd sysfs_ccci:file r_file_perms;
# Purpose: for fstab parser
allow ccci_fsd kmsg_device:chr_file w_file_perms;
allow ccci_fsd proc_lk_env:file rw_file_perms;

103
non_plat/ccci_mdinit.te Normal file
View File

@ -0,0 +1,103 @@
# ==============================================
# Policy File of /system/bin/ccci_mdinit Executable File
# ==============================================
# Type Declaration
# ==============================================
type ccci_mdinit_exec , exec_type, file_type, vendor_file_type;
type ccci_mdinit ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(ccci_mdinit)
wakelock_use(ccci_mdinit)
#=============allow ccci_mdinit to start gsm0710muxd==============
set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
#=============allow ccci_mdinit to start emcsmdlogger==============
set_prop(ccci_mdinit, ctl_mdlogger_prop)
#=============allow ccci_mdinit to start c2krild==============
set_prop(ccci_mdinit, ctl_viarild_prop)
#=============allow ccci_mdinit to start/stop rild, mdlogger==============
set_prop(ccci_mdinit, ctl_mdlogger_prop)
set_prop(ccci_mdinit, ctl_emdlogger1_prop)
set_prop(ccci_mdinit, ctl_emdlogger2_prop)
set_prop(ccci_mdinit, ctl_emdlogger3_prop)
set_prop(ccci_mdinit, ctl_dualmdlogger_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-s_prop)
set_prop(ccci_mdinit, ctl_gsm0710muxd-d_prop)
set_prop(ccci_mdinit, ctl_rildaemon_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-mtk_prop)
set_prop(ccci_mdinit, ctl_fusion_ril_mtk_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-s_prop)
set_prop(ccci_mdinit, ctl_ril-daemon-d_prop)
set_prop(ccci_mdinit, ctl_ril-proxy_prop)
set_prop(ccci_mdinit, ril_active_md_prop)
set_prop(ccci_mdinit, mtk_md_prop)
set_prop(ccci_mdinit, radio_prop)
set_prop(ccci_mdinit, net_cdma_mdmstat)
#=============allow ccci_mdinit to start/stop fsd==============
set_prop(ccci_mdinit, ctl_ccci_fsd_prop)
set_prop(ccci_mdinit, ctl_ccci2_fsd_prop)
set_prop(ccci_mdinit, ctl_ccci3_fsd_prop)
allow ccci_mdinit ccci_device:chr_file rw_file_perms;
allow ccci_mdinit ccci_monitor_device:chr_file rw_file_perms;
#=============allow ccci_mdinit to access MD NVRAM==============
allow ccci_mdinit nvram_data_file:dir rw_dir_perms;
allow ccci_mdinit nvram_data_file:file create_file_perms;
allow ccci_mdinit nvram_data_file:lnk_file read;
allow ccci_mdinit nvdata_file:lnk_file read;
allow ccci_mdinit nvdata_file:dir rw_dir_perms;
allow ccci_mdinit nvdata_file:file create_file_perms;
allow ccci_mdinit nvram_device:chr_file rw_file_perms;
allow ccci_mdinit system_data_file:lnk_file read;
#=============allow ccci_mdinit to access ccci config==============
allow ccci_mdinit protect_f_data_file:dir rw_dir_perms;
allow ccci_mdinit protect_f_data_file:file create_file_perms;
#=============allow ccci_mdinit to property==============
allow ccci_mdinit protect_s_data_file:dir rw_dir_perms;
allow ccci_mdinit protect_s_data_file:file create_file_perms;
allow ccci_mdinit nvram_device:blk_file rw_file_perms;
allow ccci_mdinit nvdata_device:blk_file rw_file_perms;
allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms;
set_prop(ccci_mdinit, ril_mux_report_case_prop)
allow ccci_mdinit mdlog_data_file:dir search;
allow ccci_mdinit mdlog_data_file:file r_file_perms;
allow ccci_mdinit ccci_cfg_file:dir create_dir_perms;
allow ccci_mdinit ccci_cfg_file:file create_file_perms;
allow ccci_mdinit block_device:dir search;
allow ccci_mdinit preloader_block_device:blk_file r_file_perms;
allow ccci_mdinit secro_block_device:blk_file r_file_perms;
#===============security relate ==========================
allow ccci_mdinit preloader_device:chr_file rw_file_perms;
allow ccci_mdinit misc_sd_device:chr_file r_file_perms;
allow ccci_mdinit sec_ro_device:chr_file r_file_perms;
allow ccci_mdinit custom_file:dir r_dir_perms;
allow ccci_mdinit custom_file:file r_file_perms;
# Purpose : for nand partition access
allow ccci_mdinit mtd_device:dir search;
allow ccci_mdinit mtd_device:chr_file rw_file_perms;
allow ccci_mdinit devmap_device:chr_file r_file_perms;
# Purpose : for device bring up, not to block early migration/sanity
allow ccci_mdinit proc_lk_env:file rw_file_perms;
allow ccci_mdinit para_block_device:blk_file rw_file_perms;
#============= ccci_mdinit sysfs related ==============
allow ccci_mdinit sysfs_ccci:dir search;
allow ccci_mdinit sysfs_ccci:file rw_file_perms;
allow ccci_mdinit sysfs_ssw:dir search;
allow ccci_mdinit sysfs_ssw:file r_file_perms;
allow ccci_mdinit sysfs:file r_file_perms;
# Purpose : Allow ccci_mdinit to open and read/write /proc/bootprof
allow ccci_mdinit proc:file rw_file_perms;
allow ccci_mdinit proc:file getattr;

29
non_plat/cmddumper.te Normal file
View File

@ -0,0 +1,29 @@
#cmddumper access external modem ttySDIO2
allow cmddumper ttySDIO_device:chr_file { read write ioctl open };
# for modem logging sdcard access
allow cmddumper sdcard_type:dir create_dir_perms;
allow cmddumper sdcard_type:file create_file_perms;
# cmddumper access on /data/mdlog
allow cmddumper mdlog_data_file:fifo_file create_file_perms;
allow cmddumper mdlog_data_file:file create_file_perms;
allow cmddumper mdlog_data_file:dir { create_dir_perms relabelto };
#allow emdlogger to set property
allow cmddumper debug_mdlogger_prop:property_service set;
allow cmddumper debug_prop:property_service set;
# purpose: allow cmddumper to access storage in N version
allow cmddumper media_rw_data_file:file { create_file_perms };
allow cmddumper media_rw_data_file:dir { create_dir_perms };
# purpose: access vmodem device
#allow cmddumper vmodem_device:chr_file { create_file_perms };
# purpose: access plat_file_contexts
allow cmddumper file_contexts_file:file { read getattr open };
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow cmddumper sysfs:file { read open };

249
non_plat/device.te Normal file
View File

@ -0,0 +1,249 @@
# ==============================================
# MTK Policy Rule
# ==============================================
type devmap_device, dev_type;
type ttyMT_device, dev_type;
type ttySDIO_device, dev_type;
type vmodem_device, dev_type;
type stpwmt_device, dev_type;
type wmtdetect_device, dev_type;
type wmtWifi_device, dev_type;
type stpbt_device, dev_type;
type stpant_device, dev_type;
type fm_device, dev_type;
type stpgps_device, dev_type;
type pmem_multimedia_device, dev_type;
type mt6516_isp_device, dev_type;
type mt6516_IDP_device, dev_type;
type mt9p012_device, dev_type;
type mt6516_jpeg_device, dev_type;
type FM50AF_device, dev_type;
type DW9714AF_device, dev_type;
type DW9814AF_device, dev_type;
type AK7345AF_device, dev_type;
type DW9714A_device, dev_type;
type LC898122AF_device, dev_type;
type LC898212AF_device, dev_type;
type BU6429AF_device, dev_type;
type AD5820AF_device, dev_type;
type DW9718AF_device, dev_type;
type BU64745GWZAF_device, dev_type;
type MAINAF_device, dev_type;
type MAIN2AF_device, dev_type;
type SUBAF_device, dev_type;
type M4U_device_device, dev_type;
type Vcodec_device, dev_type;
type MJC_device, dev_type;
type smartpa_device, dev_type;
type smartpa1_device, dev_type;
type uio0_device, dev_type;
type xt_qtaguid_device, dev_type;
type rfkill_device, dev_type;
type sw_sync_device, dev_type, mlstrustedobject;
type sec_device, dev_type;
type hid_keyboard_device, dev_type;
type btn_device, dev_type;
type uinput_device, dev_type;
type TV_out_device, dev_type;
type camera_sysram_device, dev_type;
type camera_isp_device, dev_type;
type camera_dip_device, dev_type;
type camera_dpe_device, dev_type;
type camera_tsf_device, dev_type;
type camera_fdvt_device, dev_type;
type camera_rsc_device, dev_type;
type camera_gepf_device, dev_type;
type camera_wpe_device, dev_type;
type camera_owe_device, dev_type;
type camera_mfb_device, dev_type;
type camera_pipemgr_device, dev_type;
type ccu_device, dev_type;
type vpu_device, dev_type;
type mtk_jpeg_device, dev_type;
type kd_camera_hw_device, dev_type;
type seninf_device, dev_type;
type kd_camera_flashlight_device, dev_type;
type flashlight_device, dev_type;
type kd_camera_hw_bus2_device, dev_type;
type MATV_device, dev_type;
type mt_otg_test_device, dev_type;
type mt_mdp_device, dev_type;
type mtkg2d_device, dev_type;
type misc_sd_device, dev_type;
type mtk_sched_device, dev_type;
type ampc0_device, dev_type;
type mmp_device, dev_type;
type ttyGS_device, dev_type;
type CAM_CAL_DRV_device, dev_type;
type CAM_CAL_DRV1_device, dev_type;
type CAM_CAL_DRV2_device, dev_type;
type MTK_SMI_device, dev_type;
type mtk_cmdq_device, dev_type;
type mtk_rrc_device, dev_type;
type ebc_device, dev_type;
type vow_device, dev_type;
type MT6516_H264_DEC_device, dev_type;
type MT6516_Int_SRAM_device, dev_type;
type MT6516_MM_QUEUE_device, dev_type;
type MT6516_MP4_DEC_device, dev_type;
type MT6516_MP4_ENC_device, dev_type;
type sensor_device, dev_type;
type aed_device, dev_type;
type ccci_device, dev_type;
type ccci_monitor_device, dev_type;
type gsm0710muxd_device, dev_type;
type eemcs_device, dev_type;
type emd_device, dev_type;
type mt6605_device, dev_type;
type st21nfc_device, dev_type;
type exm0_device, dev_type;
type mmcblk_device, dev_type;
type BOOT_device, dev_type;
type MT_pmic_device, dev_type;
type aal_als_device, dev_type;
type accdet_device, dev_type;
type android_device, dev_type;
type bmtpool_device, dev_type;
type bootimg_device, dev_type;
type btif_device, dev_type;
type cache_device, dev_type;
type cpu_dma_latency_device, dev_type;
type dummy_cam_cal_device, dev_type;
type ebr_device, dev_type;
type expdb_device, dev_type;
type fat_device, dev_type;
type logo_device, dev_type;
type loop-control_device, dev_type;
type mbr_device, dev_type;
type met_device, dev_type;
type misc_device, dev_type;
type misc2_device, dev_type;
type mtfreqhopping_device, dev_type;
type mtgpio_device, dev_type;
type mtk_kpd_device, dev_type;
type network_device, dev_type;
type nvram_device, dev_type;
type pmt_device, dev_type;
type preloader_device, dev_type;
type pro_info_device, dev_type;
type protect_f_device, dev_type;
type protect_s_device, dev_type;
type psaux_device, dev_type;
type ptyp_device, dev_type;
type recovery_device, dev_type;
type sec_ro_device, dev_type;
type seccfg_device, dev_type;
type tee_part_device, dev_type;
type snapshot_device, dev_type;
type tgt_device, dev_type;
type touch_device, dev_type;
type tpd_em_log_device, dev_type;
type ttyp_device, dev_type;
type uboot_device, dev_type;
type uibc_device, dev_type;
type usrdata_device, dev_type;
type zram0_device, dev_type;
type hwzram0_device, dev_type;
type RT_Monitor_device, dev_type;
type kick_powerkey_device, dev_type;
type agps_device, dev_type;
type mnld_device, dev_type;
type geo_device, dev_type;
type mdlog_device, dev_type;
type md32_device, dev_type;
type scp_device, dev_type;
type sspm_device, dev_type;
type etb_device, dev_type;
type MT_pmic_adc_cali_device, dev_type;
type mtk-adc-cali_device, dev_type;
type MT_pmic_cali_device,dev_type;
type otp_device, dev_type;
type otp_part_block_device, dev_type;
type qemu_pipe_device, dev_type;
type icusb_device, dev_type;
type irtx_device, dev_type;
type pmic_ftm_device, dev_type;
type charger_ftm_device, dev_type;
type shf_device, dev_type;
type keyblock_device, dev_type;
type offloadservice_device, dev_type;
type ttyACM_device, dev_type;
type hrm_device, dev_type;
type lens_device, dev_type;
type nvdata_device, dev_type;
type nvcfg_device, dev_type;
type expdb_block_device, dev_type;
type misc2_block_device, dev_type;
type logo_block_device, dev_type;
type para_block_device, dev_type;
type tee_block_device, dev_type;
type seccfg_block_device, dev_type;
type secro_block_device, dev_type;
type preloader_block_device, dev_type;
type lk_block_device, dev_type;
type protect1_block_device, dev_type;
type protect2_block_device, dev_type;
type keystore_block_device, dev_type;
type oemkeystore_block_device, dev_type;
type sec1_block_device, dev_type;
type md1img_block_device, dev_type;
type md1dsp_block_device, dev_type;
type md1arm7_block_device, dev_type;
type md3img_block_device, dev_type;
type mmcblk1_block_device, dev_type;
type mmcblk1p1_block_device, dev_type;
type bootdevice_block_device, dev_type;
type odm_block_device, dev_type;
type oem_block_device, dev_type;
type vendor_block_device, dev_type;
type dtbo_block_device, dev_type;
type loader_ext_block_device, dev_type;
type spm_device, dev_type;
type persist_block_device, dev_type;
type md_block_device, dev_type;
type spmfw_block_device, dev_type;
type mcupmfw_block_device, dev_type;
type scp_block_device, dev_type;
type sspm_block_device, dev_type;
type dsp_block_device, dev_type;
type ppl_block_device, dev_type;
type nvcfg_block_device, dev_type;
type ancservice_device, dev_type;
type mbim_device, dev_type;
type audio_ipi_device, dev_type;
type cam_vpu_block_device,dev_type;
type boot_para_block_device,dev_type;
type mtk_dfrc_device, dev_type;
##########################
# Sensor common Devices Start
#
type hwmsensor_device, dev_type;
type msensor_device, dev_type;
type gsensor_device, dev_type;
type als_ps_device, dev_type;
type gyroscope_device, dev_type;
type barometer_device,dev_type;
type humidity_device,dev_type;
type biometric_device,dev_type;
##########################
# Sensor Devices Start
#
type m_batch_misc_device, dev_type;
##########################
# Sensor bio Devices Start
#
type m_als_misc_device, dev_type;
type m_ps_misc_device, dev_type;
type m_baro_misc_device, dev_type;
type m_hmdy_misc_device, dev_type;
type m_acc_misc_device, dev_type;
type m_mag_misc_device, dev_type;
type m_gyro_misc_device, dev_type;
type m_act_misc_device, dev_type;
type m_pedo_misc_device, dev_type;
type m_situ_misc_device, dev_type;
type m_step_c_misc_device, dev_type;
type m_fusion_misc_device, dev_type;
type m_bio_misc_device, dev_type;

36
non_plat/domain.te Normal file
View File

@ -0,0 +1,36 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Grant read access to mtk core property type which represents all
# mtk properties except those with ctl_xxx prefix.
# Align Google change: f01453ad453b29dd723838984ea03978167491e5
get_prop(domain, mtk_core_property_type)
# Allow all processes to search /sys/kernel/debug/binder/ since it's has been
# labeled with specific debugfs label and many violations to dir search debugfs_binder
# are observed. Grant domain to suppress the violations as originally "debugfs:dir search"
# is also allowed to domain as well in Google default domain.te
allow domain debugfs_binder:dir search;
# Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
# as it is a public interface for all processes to read some OTP data.
allow domain sysfs_devinfo:file r_file_perms;
# Date:20170519
# Purpose: Full treble bootup issue, coredomain need to access libudf.so where
# located on /vendor.
# TODO:: In O MR1 may need to change design
allow coredomain vendor_file:dir r_dir_perms;
allow coredomain vendor_file:file { read open getattr execute };
allow coredomain vendor_file:lnk_file { getattr read };
# Date:20170630
# Purpose: allow trusted process to connect aee daemon
allow {
coredomain
-untrusted_app_all
-untrusted_v2_app
} aee_aed:unix_stream_socket connectto;
allow { domain -coredomain -hal_configstore_server } aee_aedv:unix_stream_socket connectto;

7
non_plat/drmserver.te Normal file
View File

@ -0,0 +1,7 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow drmserver proc_ged:file {open read write ioctl getattr};

92
non_plat/dumpstate.te Normal file
View File

@ -0,0 +1,92 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Purpose: aee_dumpstate set surfaceflinger property
set_prop(dumpstate, debug_bq_dump_prop);
# Purpose: access dev/aed0
allow dumpstate aed_device:chr_file { read getattr };
# Purpose: data/dumpsys/*
allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
# Purpose: data/aee_exp/*
allow dumpstate aee_exp_data_file:dir { w_dir_perms };
allow dumpstate aee_exp_data_file:file { create_file_perms };
# Purpose: debugfs files
allow dumpstate debugfs:lnk_file read;
allow dumpstate debugfs_binder:dir { read open };
allow dumpstate debugfs_binder:file { read open };
allow dumpstate debugfs_blockio:file { read open };
allow dumpstate debugfs_fb:dir search;
allow dumpstate debugfs_fb:file { read open };
allow dumpstate debugfs_fuseio:dir search;
allow dumpstate debugfs_fuseio:file { read open };
allow dumpstate debugfs_ged:dir search;
allow dumpstate debugfs_ged:file { read open };
allow dumpstate debugfs_rcu:dir search;
allow dumpstate debugfs_shrinker_debug:file { read open };
allow dumpstate debugfs_wakeup_sources:file { read open };
allow dumpstate debugfs_dmlog_debug:file { read open };
allow dumpstate debugfs_page_owner_slim_debug:file { read open };
allow dumpstate debugfs_ion_mm_heap:dir search;
allow dumpstate debugfs_ion_mm_heap:file { read open };
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
allow dumpstate debugfs_cpuhvfs:file { read open };
# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file { read open };
# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;
# Purpose: /sys/module/lowmemorykiller/parameters/adj
allow dumpstate sysfs_lowmemorykiller:file { read open };
allow dumpstate sysfs_lowmemorykiller:dir search;
# Purpose: /dev/block/mmcblk0p10
allow dumpstate expdb_block_device:blk_file { read write ioctl open };
#/data/anr/SF_RTT
allow dumpstate sf_rtt_file:dir search;
allow dumpstate sf_rtt_file:file r_file_perms;
# Data : 2017/03/22
# Operation : add fd use selinux rule
# Purpose : type=1400 audit(0.0:81356): avc: denied { use } for path="/system/bin/linker"
# dev="mmcblk0p26" ino=250 scontext=u:r:dumpstate:s0
# tcontext=u:r:aee_aed:s0 tclass=fd permissive=0
allow dumpstate aee_aed:fd use;
allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
# private define
# allow dumpstate config_gz:file read;
allow dumpstate sysfs_leds:dir r_dir_perms;
allow dumpstate sysfs_leds:file r_file_perms;
# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# sf_bqdump_data_file:s0 tclass=dir permissive=0
allow dumpstate sf_bqdump_data_file:dir r_dir_perms;
allow dumpstate sf_bqdump_data_file:file r_file_perms;
# Purpose:
# 01-01 17:59:14.440 7664 7664 I aee_dumpstate: type=1400 audit(0.0:63497):
# avc: denied { open } for path="/sys/kernel/debug/tracing/tracing_on" dev=
# "debugfs" ino=2087 scontext=u:r:dumpstate:s0 tcontext=u:object_r:
# tracing_shell_writable:s0 tclass=file permissive=1
allow dumpstate debugfs_tracing:file { write read open };
# Data : WK17.03
# Purpose: Allow to access gpu
allow dumpstate gpu_device:dir search;
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow dumpstate mtk_hal_camera:binder { call };

14
non_plat/e2fs.te Normal file
View File

@ -0,0 +1,14 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK17.32
# Operation : Migration
# Purpose : create ext4 images for protect1/protect2/persist/nvdata/nvcfg block devices.
allow e2fs protect1_block_device:blk_file rw_file_perms;
allow e2fs protect2_block_device:blk_file rw_file_perms;
allow e2fs persist_block_device:blk_file rw_file_perms;
allow e2fs nvdata_device:blk_file rw_file_perms;
allow e2fs nvcfg_block_device:blk_file rw_file_perms;
allow e2fs devpts:chr_file {read write};

44
non_plat/em_svr.te Normal file
View File

@ -0,0 +1,44 @@
# Date: W14.38 2014/09/17
# Operation : Migration
# Purpose : for em_svr
allow em_svr nvram_device:blk_file { read write open };
allow em_svr nvdata_device:blk_file { read write open };
allow em_svr bootdevice_block_device:blk_file { read write open };
allow em_svr misc_sd_device:chr_file { read open ioctl };
allow em_svr als_ps_device:chr_file { read ioctl open };
allow em_svr gsensor_device:chr_file { read ioctl open };
allow em_svr gyroscope_device:chr_file { read ioctl open };
allow em_svr nvram_data_file:dir { write read open add_name search };
allow em_svr nvram_data_file:file { write getattr setattr read create open };
allow em_svr nvram_data_file:lnk_file read;
allow em_svr nvdata_file:lnk_file read;
allow em_svr nvdata_file:dir { write read open add_name search };
allow em_svr nvdata_file:file { write getattr setattr read create open };
allow em_svr nvram_device:chr_file { open read write ioctl };
allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans };
allow em_svr proc_mtkcooler:dir search;
allow em_svr proc_mtkcooler:file { read getattr open write };
allow em_svr proc_thermal:dir search;
allow em_svr proc_thermal:file { read getattr open write };
allow em_svr proc_mtktz:dir search;
allow em_svr proc_mtktz:file { read getattr open write };
allow em_svr proc_slogger:file { read getattr open write };
allow em_svr proc_lk_env:file { read getattr open write ioctl};
allow em_svr para_block_device:blk_file { read open };
# Date: 2015/12/22
# Operation : M Migration
# Purpose : Battery Log can change temperature
userdebug_or_eng(`
allow em_svr proc_battery_cmd:dir search;
allow em_svr proc_battery_cmd:file { read getattr open write };
')
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow em_svr proc_ged:file {open read write ioctl getattr};
# Date : WK17.42
# Purpose: Allow to query md log filter bin
allow em_svr md_block_device:blk_file { read open };

107
non_plat/emdlogger.te Normal file
View File

@ -0,0 +1,107 @@
#allow emdlogger to set property
allow emdlogger debug_mdlogger_prop:property_service set;
allow emdlogger debug_prop:property_service set;
allow emdlogger persist_mtklog_prop:property_service set;
allow emdlogger system_radio_prop:property_service set;
# ccci device for internal modem
allow emdlogger ccci_device:chr_file { rw_file_perms };
# eemcs device for external modem
allow emdlogger eemcs_device:chr_file { rw_file_perms };
# C2K project SDIO device for external modem ttySDIO2 control port, ttySDIO8 log port
allow emdlogger ttySDIO_device:chr_file { rw_file_perms };
# C2K project modem device for external modem vmodem start/stop/ioctl modem
allow emdlogger vmodem_device:chr_file { rw_file_perms };
# usb device ttyGSx for modem logger usb logging
allow emdlogger ttyGS_device:chr_file { rw_file_perms};
# for modem logging sdcard access
allow emdlogger sdcard_type:dir { create_dir_perms };
allow emdlogger sdcard_type:file { create_file_perms };
# modem logger access on /data/mdlog
allow emdlogger mdlog_data_file:dir { create_dir_perms relabelto };
allow emdlogger mdlog_data_file:fifo_file { create_file_perms };
allow emdlogger mdlog_data_file:file { create_file_perms };
allow emdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow emdlogger mdlog_device:chr_file { rw_file_perms};
#modem logger SD logging in factory mode
allow emdlogger vfat:dir create_dir_perms;
allow emdlogger vfat:file create_file_perms;
#modem logger permission in storage in android M version
#allow emdlogger log_device:chr_file { write open };
allow emdlogger mnt_user_file:dir search;
allow emdlogger mnt_user_file:lnk_file read;
allow emdlogger storage_file:lnk_file read;
#permission for storage link access in vzw Project
allow emdlogger mnt_media_rw_file:dir search;
#permission for use SELinux API
#avc: denied { read } for pid=576 comm="emdlogger1" name="selinux_version" dev="rootfs"
allow emdlogger rootfs:file r_file_perms;
#permission for storage access storage
allow emdlogger storage_file:dir { create_dir_perms };
allow emdlogger tmpfs:lnk_file read;
allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow emdlogger sysfs:file { read open };
# Allow read to sys/kernel/ccci/* files
allow emdlogger sysfs_ccci:dir search;
allow emdlogger sysfs_ccci:file r_file_perms;
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow emdlogger system_file:dir read;
# purpose: allow emdlogger to access storage in N version
allow emdlogger media_rw_data_file:file { create_file_perms };
allow emdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:emdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
allow emdlogger aee_aed:unix_stream_socket connectto;
# For dynamic CCB buffer feature
#avc: denied { read write } for name="lk_env" dev="proc" ino=4026532192
#scontext=u:r:emdlogger:s0 tcontext=u:object_r:proc_lk_env:s0 tclass=file permissive=0
#avc: denied { read } for name="mmcblk0p3" dev="tmpfs" ino=8493 scontext=u:r:emdlogger:s0
# tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
allow emdlogger para_block_device:blk_file { read open };
allow emdlogger proc_lk_env:file { read write ioctl open };
#Android O for created file in data
file_type_auto_trans(emdlogger, system_data_file, mdlog_data_file)
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open };
allow emdlogger block_device:dir search;
allow emdlogger md_block_device:blk_file { read open };
allow emdlogger self:capability { chown dac_override };
# purpose: allow emdlogger to access persist.meta.connecttype
get_prop(emdlogger, meta_connecttype_prop);
# purpose: allow emdlogger to create socket
allow emdlogger port:tcp_socket { name_connect name_bind };
allow emdlogger emdlogger:tcp_socket { create connect setopt bind };
allow emdlogger emdlogger:tcp_socket { bind setopt listen accept read write };
allow emdlogger node:tcp_socket node_bind;

302
non_plat/factory.te Normal file
View File

@ -0,0 +1,302 @@
# ==============================================
# Policy File of /system/bin/factory Executable File
# ==============================================
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
file_type_auto_trans(factory, system_data_file, factory_data_file)
#============= factory ==============
allow factory MTK_SMI_device:chr_file r_file_perms;
allow factory ashmem_device:chr_file execute;
allow factory ebc_device:chr_file rw_file_perms;
allow factory stpbt_device:chr_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : CCCI
allow factory eemcs_device:chr_file rw_file_perms;
allow factory ccci_device:chr_file rw_file_perms;
allow factory gsm0710muxd_device:chr_file rw_file_perms;
#Purpose: file system requirement
allow factory debugfs_usb:file rw_file_perms;
allow factory debugfs_usb:dir search;
allow factory devpts:chr_file rw_file_perms;
allow factory vfat:dir w_dir_perms;
allow factory labeledfs:filesystem unmount;
allow factory rootfs:dir mounton;
allow factory vfat:dir { read open search mounton };
allow factory vfat:filesystem { mount unmount };
# Purpose : SDIO
allow factory ttySDIO_device:chr_file rw_file_perms;
#Purpose: USB
allow factory ttyMT_device:chr_file rw_file_perms;
allow factory ttyGS_device:chr_file rw_file_perms;
# Date: WK15.01
# Purpose : OTG Mount
allow factory sdcard_type:dir mounton;
# Date: WK15.07
# Purpose : use c2k flight mode;
allow factory vmodem_device:chr_file rw_file_perms;
# Date: WK15.13
# Purpose: for nand project
allow factory mtd_device:dir search;
allow factory mtd_device:chr_file rw_file_perms;
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;
# Data: WK15.28
# Purpose: for mt-ramdump reset
allow factory proc_mrdump_rst:file w_file_perms;
#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
# because system_data_file is sensitive partition from M
#allow factory self:capability2 block_suspend;
wakelock_use(factory);
allow factory storage_file:dir { write create add_name search mounton };
allow factory factory_data_file:file create_file_perms;
allow factory shell_exec:file r_file_perms;
# Date: WK15.44
# Purpose: factory idle current status
allow factory factory_idle_state_prop:property_service set;
# Date: WK15.46
# Purpose: gps factory mode
allow factory agpsd_data_file:dir search;
allow factory apk_data_file:dir write;
#allow factory gps_data_file:dir r_dir_perms;
#allow factory gps_data_file:dir { write open };
#allow factory gps_data_file:file { read write };
allow factory gps_data_file:dir { write add_name search remove_name unlink};
allow factory gps_data_file:file { read write open create getattr append setattr unlink lock};
allow factory gps_data_file:lnk_file read;
# allow factory gps_emi_device:chr_file { read write };
allow factory shell_exec:file x_file_perms;
allow factory storage_file:lnk_file r_file_perms;
#Date: WK15.48
#Purpose: capture for factory mode
allow factory devmap_device:chr_file r_file_perms;
allow factory sdcard_type:dir create_dir_perms;
allow factory sdcard_type:file create_file_perms;
allow factory mnt_user_file:dir search;
allow factory mnt_user_file:lnk_file read;
allow factory storage_file:lnk_file read;
#Date: WK16.05
#Purpose: For access NVRAM
allow factory factory:capability chown;
allow factory nvram_data_file:dir create_dir_perms;
allow factory nvram_data_file:file create_file_perms;
allow factory nvram_data_file:lnk_file r_file_perms;
allow factory nvdata_file:lnk_file r_file_perms;
allow factory nvram_device:chr_file rw_file_perms;
allow factory nvram_device:blk_file rw_file_perms;
allow factory nvdata_device:blk_file rw_file_perms;
# Purpose : Allow factory read /data/nvram link
allow factory system_data_file:lnk_file read;
#Date: WK16.12
#Purpose: For sensor test
allow factory als_ps_device:chr_file r_file_perms;
allow factory barometer_device:chr_file r_file_perms;
allow factory gsensor_device:chr_file r_file_perms;
allow factory gyroscope_device:chr_file r_file_perms;
allow factory msensor_device:chr_file r_file_perms;
allow factory biometric_device:chr_file r_file_perms;
#Purpose: For camera Test
allow factory kd_camera_flashlight_device:chr_file rw_file_perms;
allow factory kd_camera_hw_device:chr_file rw_file_perms;
allow factory seninf_device:chr_file rw_file_perms;
#Purpose: For reboot the target
allow factory powerctl_prop:property_service set;
#Purpose: For memory card test
allow factory misc_sd_device:chr_file r_file_perms;
allow factory mmcblk1_block_device:blk_file rw_file_perms;
allow factory bootdevice_block_device:blk_file rw_file_perms;
allow factory mmcblk1p1_block_device:blk_file rw_file_perms;
allow factory block_device:dir w_dir_perms;
#Purpose: For EMMC test
allow factory nvdata_file:dir create_dir_perms;
allow factory nvdata_file:file create_file_perms;
#Purpose: For HRM test
allow factory hrm_device:chr_file r_file_perms;
#Purpose: For IrTx LED test
allow factory irtx_device:chr_file rw_file_perms;
#Purpose: For battery test, ext_buck test and ext_vbat_boost test
allow factory pmic_ftm_device:chr_file rw_file_perms;
allow factory MT_pmic_adc_cali_device:chr_file rw_file_perms;
allow factory MT_pmic_cali_device:chr_file r_file_perms;
allow factory charger_ftm_device:chr_file r_file_perms;
#Purpose: For HDMI test
allow factory graphics_device:dir w_dir_perms;
allow factory graphics_device:chr_file rw_file_perms;
#Purpose: For WIFI test
allow factory wmtWifi_device:chr_file rw_file_perms;
#Purpose: For rtc test
allow factory rtc_device:chr_file rw_file_perms;
#Purpose: For nfc test
allow factory mt6605_device:chr_file rwx_file_perms;
#Purpose: For gps test
allow factory mnld_device:chr_file rw_file_perms;
#Purpose: For keypad test
allow factory mtk_kpd_device:chr_file r_file_perms;
#Purpose: For Humidity test
allow factory humidity_device:chr_file r_file_perms;
#Purpose: For camera test
allow factory camera_isp_device:chr_file rw_file_perms;
allow factory camera_dip_device:chr_file rw_file_perms;
allow factory camera_pipemgr_device:chr_file r_file_perms;
allow factory camera_sysram_device:chr_file r_file_perms;
allow factory ccu_device:chr_file rw_file_perms;
allow factory vpu_device:chr_file rw_file_perms;
allow factory MAINAF_device:chr_file rw_file_perms;
allow factory MAIN2AF_device:chr_file rw_file_perms;
allow factory SUBAF_device:chr_file rw_file_perms;
allow factory FM50AF_device:chr_file rw_file_perms;
allow factory AD5820AF_device:chr_file rw_file_perms;
allow factory DW9714AF_device:chr_file rw_file_perms;
allow factory DW9714A_device:chr_file rw_file_perms;
allow factory LC898122AF_device:chr_file rw_file_perms;
allow factory LC898212AF_device:chr_file rw_file_perms;
allow factory BU6429AF_device:chr_file rw_file_perms;
allow factory DW9718AF_device:chr_file rw_file_perms;
allow factory BU64745GWZAF_device:chr_file rw_file_perms;
allow factory cct_data_file:dir create_dir_perms;
allow factory cct_data_file:file create_file_perms;
allow factory camera_tsf_device:chr_file rw_file_perms;
allow factory camera_rsc_device:chr_file rw_file_perms;
allow factory camera_gepf_device:chr_file rw_file_perms;
allow factory camera_fdvt_device:chr_file rw_file_perms;
allow factory camera_wpe_device:chr_file rw_file_perms;
allow factory camera_owe_device:chr_file rw_file_perms;
allow factory camera_mfb_device:chr_file rw_file_perms;
#Purpose: For FM test and headset test
allow factory accdet_device:chr_file r_file_perms;
allow factory fm_device:chr_file rw_file_perms;
#Purpose: For audio test
allow factory audio_device:chr_file rw_file_perms;
allow factory audio_device:dir w_dir_perms;
allow factory audiohal_prop:property_service set;
#Purpose: For key and touch event
allow factory input_device:chr_file r_file_perms;
allow factory input_device:dir rw_dir_perms;
#Purpose: For gps test
#allow factory gps_device:chr_file rw_file_perms;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;
# Date: WK16.18
# Purpose: N Migration For boot_mode
# Allow to read boot mode
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
allow factory sysfs:file rw_file_perms;
# Date: WK16.30
#Purpose: For gps test
allow factory media_rw_data_file:dir search;
#allow factory gps_data_file:dir add_name;
#TODO:: MTK need to remove later
not_full_treble(`
allow factory mnld:unix_dgram_socket sendto;
')
# Date: WK16.31
#Purpose: For gps test
allow factory mnld_prop:property_service set;
allow factory media_rw_data_file:dir { read open };
#allow factory gps_data_file:file create_file_perms;
# Date: WK16.33
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory sdcard_type:filesystem unmount;
allow factory toolbox_exec:file { read open getattr execute execute_no_trans };
allow factory ctl_default_prop:property_service set;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow factory flashlight_device:chr_file rw_file_perms;
# Date : WK16.48
# Purpose: For SmartPa speaker calibration
allow factory proc:dir search;
allow factory proc:file {open read write};
# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
allow factory ctl_emdlogger1_prop:property_service set;
# Date: WK17.07
# Purpose: Clear bootdevice (eMMC/UFS) may need to unmount tmpfs
allow factory tmpfs:filesystem unmount;
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
allow factory debugfs_ion:dir search;
allow factory proc:file ioctl;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
allow factory nfc_socket:dir search;
allow factory vendor_file:file { getattr execute execute_no_trans read open };
set_prop(factory,hwservicemanager_prop);
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);
allow factory debugfs_tracing:file { open write };
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow factory mtk_cmdq_device:chr_file { read ioctl open };
# Date: WK1733
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
set_prop(factory,ctl_ccci_fsd_prop);
# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};

232
non_plat/file.te Normal file
View File

@ -0,0 +1,232 @@
# ==============================================
# MTK Policy Rule
# ==============================================
type custom_file, file_type, data_file_type;
type lost_found_data_file, file_type, data_file_type;
type dontpanic_data_file, file_type, data_file_type;
type resource_cache_data_file, file_type, data_file_type;
type http_proxy_cfg_data_file, file_type, data_file_type;
type acdapi_data_file, file_type, data_file_type;
type ppp_data_file, file_type, data_file_type;
type wide_dhcpv6_data_file, file_type, data_file_type;
type wpa_supplicant_data_file, file_type, data_file_type;
type radvd_data_file, file_type, data_file_type;
type volte_vt_socket, file_type;
type dfo_socket, file_type;
type rild2_socket, file_type;
type rild3_socket, file_type;
type rild4_socket, file_type;
type rild_mal_socket, file_type;
type rild_mal_at_socket, file_type;
type rild_mal_md2_socket, file_type;
type rild_mal_at_md2_socket, file_type;
type rild_ims_socket, file_type;
type rild_imsm_socket, file_type;
type rild_oem_socket, file_type;
type rild_mtk_ut_socket, file_type;
type rild_mtk_ut_2_socket, file_type;
type rild_mtk_modem_socket, file_type;
type rild_md2_socket, file_type;
type rild2_md2_socket, file_type;
type rild_debug_md2_socket, file_type;
type rild_oem_md2_socket, file_type;
type rild_mtk_ut_md2_socket, file_type;
type rild_mtk_ut_2_md2_socket, file_type;
type rild_mtk_modem_md2_socket, file_type;
type rild_vsim_socket, file_type;
type rild_vsim_md2_socket, file_type;
type mal_mfi_socket, file_type;
type mal_data_file, file_type, data_file_type;
type netdiag_socket, file_type;
type wpa_wlan0_socket, file_type;
type soc_vt_imcb_socket, file_type;
type soc_vt_tcv_socket, file_type;
type soc_vt_stk_socket, file_type;
type soc_vt_svc_socket, file_type;
type dbus_bluetooth_socket, file_type;
type bt_int_adp_socket, file_type;
type bt_a2dp_stream_socket, file_type;
type bt_data_file, file_type, data_file_type;
type proc_thermal, fs_type;
type proc_mtkcooler, fs_type;
type proc_mtktz, fs_type;
type proc_slogger, fs_type;
type proc_lk_env, fs_type;
type proc_ged, fs_type;
type proc_perfmgr, fs_type;
type sysfs_therm, fs_type, sysfs_type;
type sysfs_power_supply, fs_type, sysfs_type;
type sysfs_fps, fs_type, sysfs_type;
type sysfs_ccci, fs_type, sysfs_type;
type sysfs_ssw, fs_type,sysfs_type;
type sysfs_vcorefs_pwrctrl, fs_type, sysfs_type;
type sysfs_md32, fs_type, sysfs_type;
type sysfs_scp, fs_type, sysfs_type;
type sysfs_sspm, fs_type, sysfs_type;
type sysfs_devinfo, fs_type, sysfs_type, mlstrustedobject;
type sysfs_dcm, fs_type, sysfs_type;
type sysfs_dcs, fs_type, sysfs_type;
type agpsd_socket, file_type;
type agpsd_data_file, file_type, data_file_type;
type mnld_socket, file_type;
type mnld_data_file, file_type, data_file_type;
type gps_data_file, file_type, data_file_type;
type MPED_socket, file_type;
type MPED_data_file, file_type, data_file_type;
type sysctl_socket, file_type;
type backuprestore_socket, file_type;
type protect_f_data_file, file_type, data_file_type;
type protect_s_data_file, file_type, data_file_type;
type persist_data_file, file_type, data_file_type;
type nvram_data_file, file_type, data_file_type;
type nvdata_file, file_type, data_file_type;
type nvcfg_file, file_type, data_file_type;
type cct_data_file, file_type, data_file_type;
type mediaserver_data_file, file_type, data_file_type;
type mediacodec_data_file, file_type, data_file_type;
#mobilelog data/misc/mblog
type logmisc_data_file, file_type, data_file_type;
#mobilelog data/log_temp
type logtemp_data_file, file_type, data_file_type;
# NE core_forwarder
type aee_core_data_file, file_type, data_file_type;
# NE tombstone
type aee_tombstone_data_file, file_type, data_file_type;
# AEE exp
type aee_exp_data_file, file_type, data_file_type;
type aee_dumpsys_data_file, file_type, data_file_type;
# SF rtt dump
type sf_rtt_file, file_type, data_file_type;
#for 3Gdongle
type rild-dongle_socket, file_type;
type ccci_cfg_file, file_type, data_file_type;
type c2k_file, file_type, data_file_type;
#For sensor
type sensor_data_file, file_type, data_file_type;
type stp_dump_data_file, file_type,data_file_type;
type sysfs_keypad_file, file_type,sysfs_type;
type rild_via_socket, file_type;
type rpc_socket, file_type;
type rild_ctclient_socket, file_type;
#For icusb
type proc_icusb, fs_type;
# for labeling /mnt/cd-rom as iso9660
type iso9660, fs_type;
# data_tmpfs_log
type data_tmpfs_log_file, file_type, data_file_type;
# rawfs for /protect_f on NAND projects
type rawfs, fs_type, mlstrustedobject;
# fat on nand fat.img
type fon_image_data_file, file_type, data_file_type;
# ims ipsec config file
type ims_ipsec_data_file, file_type, data_file_type;
# thermal manager config file
type thermal_manager_data_file, file_type, data_file_type;
# adbd config file
type adbd_data_file, file_type, data_file_type, core_data_file_type;
#autokd data file
type autokd_data_file, file_type, data_file_type;
#fuse
type fuseblk,sdcard_type,fs_type,mlstrustedobject;
# for mt-ramdump reset
type proc_mrdump_rst, fs_type;
# battery_cmd file
type proc_battery_cmd, fs_type;
# binder debugfs file
type debugfs_binder, fs_type, debugfs_type;
# blockio debugfs file
type debugfs_blockio, fs_type, debugfs_type;
# fuseio debugfs file
type debugfs_fuseio, fs_type, debugfs_type;
# usb debugfs file
type debugfs_usb, fs_type, debugfs_type;
# display debugfs file
type debugfs_fb, fs_type, debugfs_type;
# cpuhvfs debugfs file
type debugfs_cpuhvfs, fs_type, debugfs_type;
#for engineermode Usb PHY Tuning
type debugfs_usb20_phy, fs_type, debugfs_type;
# dynamic_debug debugfs file
type debugfs_dynamic_debug, fs_type, debugfs_type;
# /sys/kernel/debug/wakeup_sources
type debugfs_wakeup_sources, fs_type, debugfs_type;
# shrinker debugfs file
type debugfs_shrinker_debug, fs_type, debugfs_type;
# dmlog debugfs file
type debugfs_dmlog_debug, fs_type, debugfs_type;
# page_owner_slim debugfs file
type debugfs_page_owner_slim_debug, fs_type, debugfs_type;
# rcu debugfs file
type debugfs_rcu, fs_type, debugfs_type;
# gpu debugfs file
type debugfs_ged, fs_type, debugfs_type;
# fpsgo debugfs file
type debugfs_fpsgo, fs_type, debugfs_type;
# memtrack debugfs file
type debugfs_gpu_mali_midgard, fs_type, debugfs_type;
type debugfs_gpu_mali_utgard, fs_type, debugfs_type;
type debugfs_gpu_img, fs_type, debugfs_type;
type debugfs_ion, fs_type, debugfs_type;
# /sys/kernel/debug/ion/ion_mm_heap
type debugfs_ion_mm_heap, fs_type, debugfs_type;
# /sys/kernel/debug/emi_mbw/dump_buf
type debugfs_emi_mbw_buf, fs_type, debugfs_type;
######################################
# core domain file data
# SF bqdump
type sf_bqdump_data_file, file_type, data_file_type, core_data_file_type;
type nfc_socket, file_type, data_file_type, core_data_file_type;
# factory data file
type factory_data_file, file_type, data_file_type, core_data_file_type;
# Modem Log folder
type mdlog_data_file, file_type, data_file_type, core_data_file_type;
# MTK audio HAL folder
type mtk_audiohal_data_file, file_type, data_file_type;
# MTK Power HAL folder
type mtk_powerhal_data_file, file_type, data_file_type;
# Date : WK1743
# Purpose : for meta_tst copy MD DB from MD image
type mddb_data_file, file_type, data_file_type;

566
non_plat/file_contexts Normal file
View File

@ -0,0 +1,566 @@
# ==============================================
# MTK Policy Rule
# ==============================================
############################
# A/B system
/enableswap.sh u:object_r:rootfs:s0
/factory_init\..* u:object_r:rootfs:s0
/meta_init\..* u:object_r:rootfs:s0
/multi_init\..* u:object_r:rootfs:s0
#############################
# Custom files
(/vendor)?/custom(/.*)? u:object_r:custom_file:s0
#############################
# Data files
#
/data/misc/mddb(/.*)? u:object_r:mddb_data_file:s0
/data/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
/data/vendor/mtklog/aee_exp(/.*)? u:object_r:aee_exp_data_file:s0
/data/agps_supl(/.*)? u:object_r:agpsd_data_file:s0
/data/mnl_flp(/.*)? u:object_r:mnld_data_file:s0
/data/mnl_gfc(/.*)? u:object_r:mnld_data_file:s0
/data/misc/gps(/.*)? u:object_r:gps_data_file:s0
/data/anr/SF_RTT(/.*)? u:object_r:sf_rtt_file:s0
/data/ccci_cfg(/.*)? u:object_r:ccci_cfg_file:s0
/data/flashless(/.*)? u:object_r:c2k_file:s0
/data/core(/.*)? u:object_r:aee_core_data_file:s0
/data/vendor/core(/.*)? u:object_r:aee_core_data_file:s0
/data/vendor/tombstones(/.*)? u:object_r:aee_tombstone_data_file:s0
/data/dontpanic(/.*)? u:object_r:dontpanic_data_file:s0
/data/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
/data/vendor/dumpsys(/.*)? u:object_r:aee_dumpsys_data_file:s0
/data/extmdl(/.*)? u:object_r:mdlog_data_file:s0
/data/http-proxy-cfg(/.*)? u:object_r:http_proxy_cfg_data_file:s0
/data/log_temp(/.*)? u:object_r:logtemp_data_file:s0
/data/lost\+found(/.*)? u:object_r:lost_found_data_file:s0
/data/mdlog(/.*)? u:object_r:mdlog_data_file:s0
/data/mdl(/.*)? u:object_r:mdlog_data_file:s0
/data/mdl3(/.*)? u:object_r:mdlog_data_file:s0
/data/mediaserver(/.*)? u:object_r:mediaserver_data_file:s0
/data/mediacodec(/.*)? u:object_r:mediacodec_data_file:s0
/data/.tp(/.*)? u:object_r:thermal_manager_data_file:s0
/data/nfc_socket(/.*)? u:object_r:nfc_socket:s0
/data/nvram(/.*)? u:object_r:nvram_data_file:s0
/data/cct(/.*)? u:object_r:cct_data_file:s0
/data/md3(/.*)? u:object_r:c2k_file:s0
/data/mal(/.*)? u:object_r:mal_data_file:s0
/data/SF_dump(./*)? u:object_r:sf_bqdump_data_file:s0
/data/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
/data/vendor/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
/data/tmp_mnt/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
/data/tmp_mnt/vendor/data_tmpfs_log(/.*)? u:object_r:data_tmpfs_log_file:s0
/data/setkey.conf u:object_r:ims_ipsec_data_file:s0
/data/setkey_bak.conf u:object_r:ims_ipsec_data_file:s0
/data/setkey_latest.conf u:object_r:ims_ipsec_data_file:s0
/data/vendor/audiohal(/.*)? u:object_r:mtk_audiohal_data_file:s0
/data/vendor/powerhal(/.*)? u:object_r:mtk_powerhal_data_file:s0
/data/vendor/nfc(/.*)? u:object_r:nfc_data_file:s0
# Misc data
/data/misc/acdapi(/.*)? u:object_r:acdapi_data_file:s0
/data/misc/mblog(/.*)? u:object_r:logmisc_data_file:s0
/data/misc/ppp(/.*)? u:object_r:ppp_data_file:s0
/data/misc/radvd(/.*)? u:object_r:radvd_data_file:s0
/data/misc/sensor(/.*)? u:object_r:sensor_data_file:s0
/data/misc/stp_dump(/.*)? u:object_r:stp_dump_data_file:s0
/data/misc/wide-dhcpv6(/.*)? u:object_r:wide_dhcpv6_data_file:s0
/data/misc/wpa_supplicant(/.*)? u:object_r:wpa_supplicant_data_file:s0
# Wallpaper file for smartbook
/data/system/users/[0-9]+/smartbook_wallpaper u:object_r:wallpaper_file:s0
# nvdata
/(vendor|system/vendor)/nvdata(/.*)? u:object_r:nvdata_file:s0
/(vendor|system/vendor)/nvcfg(/.*)? u:object_r:nvcfg_file:s0
# protected data file
/(vendor|system/vendor)/protect_f(/.*)? u:object_r:protect_f_data_file:s0
/(vendor|system/vendor)/protect_s(/.*)? u:object_r:protect_s_data_file:s0
/(vendor|system/vendor)/persist(/.*)? u:object_r:persist_data_file:s0
#fat on nand image
/fat(/.*)? u:object_r:fon_image_data_file:s0
##########################
# Devices
#
/dev/aal_als(/.*)? u:object_r:aal_als_device:s0
/dev/accdet(/.*)? u:object_r:accdet_device:s0
/dev/AD5820AF(/.*)? u:object_r:AD5820AF_device:s0
/dev/aed[0-9]+ u:object_r:aed_device:s0
/dev/ampc0(/.*)? u:object_r:ampc0_device:s0
/dev/android(/.*)? u:object_r:android_device:s0
/dev/block/zram0 u:object_r:swap_block_device:s0
/dev/block/platform/bootdevice/by-name/otp u:object_r:otp_part_block_device:s0
/dev/bmtpool(/.*)? u:object_r:bmtpool_device:s0
/dev/bootimg(/.*)? u:object_r:bootimg_device:s0
/dev/BOOT(/.*)? u:object_r:BOOT_device:s0
/dev/btif(/.*)? u:object_r:btif_device:s0
/dev/btn(/.*)? u:object_r:btn_device:s0
/dev/BU6429AF(/.*)? u:object_r:BU6429AF_device:s0
/dev/BU64745GWZAF(/.*)? u:object_r:BU64745GWZAF_device:s0
/dev/MAINAF(/.*)? u:object_r:MAINAF_device:s0
/dev/MAIN2AF(/.*)? u:object_r:MAIN2AF_device:s0
/dev/SUBAF(/.*)? u:object_r:SUBAF_device:s0
/dev/cache(/.*)? u:object_r:cache_device:s0
/dev/CAM_CAL_DRV(/.*)? u:object_r:CAM_CAL_DRV_device:s0
/dev/CAM_CAL_DRV1(/.*)? u:object_r:CAM_CAL_DRV1_device:s0
/dev/CAM_CAL_DRV2(/.*)? u:object_r:CAM_CAL_DRV2_device:s0
/dev/camera-fdvt(/.*)? u:object_r:camera_fdvt_device:s0
/dev/camera-isp(/.*)? u:object_r:camera_isp_device:s0
/dev/camera-dip(/.*)? u:object_r:camera_dip_device:s0
/dev/camera-dpe(/.*)? u:object_r:camera_dpe_device:s0
/dev/camera-tsf(/.*)? u:object_r:camera_tsf_device:s0
/dev/camera-rsc(/.*)? u:object_r:camera_rsc_device:s0
/dev/camera-gepf(/.*)? u:object_r:camera_gepf_device:s0
/dev/camera-wpe(/.*)? u:object_r:camera_wpe_device:s0
/dev/camera-owe(/.*)? u:object_r:camera_owe_device:s0
/dev/camera-mfb(/.*)? u:object_r:camera_mfb_device:s0
/dev/camera-pipemgr(/.*)? u:object_r:camera_pipemgr_device:s0
/dev/camera-sysram(/.*)? u:object_r:camera_sysram_device:s0
/dev/ccu(/.*)? u:object_r:ccu_device:s0
/dev/vpu(/.*)? u:object_r:vpu_device:s0
/dev/ccci_monitor u:object_r:ccci_monitor_device:s0
/dev/ccci.* u:object_r:ccci_device:s0
/dev/cpu_dma_latency(/.*)? u:object_r:cpu_dma_latency_device:s0
/dev/devmap(/.*)? u:object_r:devmap_device:s0
/dev/dri(/.*)? u:object_r:gpu_device:s0
/dev/dummy_cam_cal(/.*)? u:object_r:dummy_cam_cal_device:s0
/dev/DW9714AF(/.*)? u:object_r:DW9714AF_device:s0
/dev/DW9814AF(/.*)? u:object_r:DW9814AF_device:s0
/dev/AK7345AF(/.*)? u:object_r:AK7345AF_device:s0
/dev/DW9714A(/.*)? u:object_r:DW9714A_device:s0
/dev/DW9718AF(/.*)? u:object_r:DW9718AF_device:s0
/dev/WV511AAF(/.*)? u:object_r:lens_device:s0
/dev/ebc(/.*)? u:object_r:ebc_device:s0
/dev/ebr[0-9]+ u:object_r:ebr_device:s0
/dev/eemcs.* u:object_r:eemcs_device:s0
/dev/emd.* u:object_r:emd_device:s0
/dev/etb u:object_r:etb_device:s0
/dev/exm0(/.*)? u:object_r:exm0_device:s0
/dev/expdb(/.*)? u:object_r:expdb_device:s0
/dev/fat(/.*)? u:object_r:fat_device:s0
/dev/FM50AF(/.*)? u:object_r:FM50AF_device:s0
/dev/fm(/.*)? u:object_r:fm_device:s0
#/dev/gps(/.*)? u:object_r:gps_device:s0
/dev/geofence(/.*)? u:object_r:geo_device:s0
#/dev/mt3337_gpsonly u:object_r:gps_device:s0
/dev/hdmitx(/.*)? u:object_r:graphics_device:s0
/dev/hid-keyboard(/.*)? u:object_r:hid_keyboard_device:s0
/dev/ion(/.*)? u:object_r:ion_device:s0
/dev/kd_camera_flashlight(/.*)? u:object_r:kd_camera_flashlight_device:s0
/dev/flashlight(/.*)? u:object_r:flashlight_device:s0
/dev/kd_camera_hw_bus2(/.*)? u:object_r:kd_camera_hw_bus2_device:s0
/dev/kd_camera_hw(/.*)? u:object_r:kd_camera_hw_device:s0
/dev/seninf(/.*)? u:object_r:seninf_device:s0
/dev/LC898122AF(/.*)? u:object_r:LC898122AF_device:s0
/dev/LC898212AF(/.*)? u:object_r:LC898212AF_device:s0
/dev/logo(/.*)? u:object_r:logo_device:s0
/dev/loop-control(/.*)? u:object_r:loop-control_device:s0
/dev/M4U_device(/.*)? u:object_r:M4U_device_device:s0
/dev/mali.* u:object_r:gpu_device:s0
/dev/MATV(/.*)? u:object_r:MATV_device:s0
/dev/mbr(/.*)? u:object_r:mbr_device:s0
/dev/md32(/.*)? u:object_r:md32_device:s0
/dev/scp(/.*)? u:object_r:scp_device:s0
/dev/scp_B(/.*)? u:object_r:scp_device:s0
/dev/sspm(/.*)? u:object_r:sspm_device:s0
/dev/misc-sd(/.*)? u:object_r:misc_sd_device:s0
/dev/misc(/.*)? u:object_r:misc_device:s0
/dev/misc2(/.*)? u:object_r:misc2_device:s0
/dev/MJC(/.*)? u:object_r:MJC_device:s0
/dev/mmp(/.*)? u:object_r:mmp_device:s0
/dev/MT6516_H264_DEC(/.*)? u:object_r:MT6516_H264_DEC_device:s0
/dev/mt6516-IDP(/.*)? u:object_r:mt6516_IDP_device:s0
/dev/MT6516_Int_SRAM(/.*)? u:object_r:MT6516_Int_SRAM_device:s0
/dev/mt6516-isp(/.*)? u:object_r:mt6516_isp_device:s0
/dev/mt6516_jpeg(/.*)? u:object_r:mt6516_jpeg_device:s0
/dev/MT6516_MM_QUEUE(/.*)? u:object_r:MT6516_MM_QUEUE_device:s0
/dev/MT6516_MP4_DEC(/.*)? u:object_r:MT6516_MP4_DEC_device:s0
/dev/MT6516_MP4_ENC(/.*)? u:object_r:MT6516_MP4_ENC_device:s0
/dev/mt6605 u:object_r:mt6605_device:s0
/dev/st21nfc u:object_r:st21nfc_device:s0
/dev/mt9p012(/.*)? u:object_r:mt9p012_device:s0
/dev/mtfreqhopping(/.*)? u:object_r:mtfreqhopping_device:s0
/dev/mtgpio(/.*)? u:object_r:mtgpio_device:s0
/dev/mtk-adc-cali(/.*)? u:object_r:mtk-adc-cali_device:s0
/dev/mtk_disp.* u:object_r:graphics_device:s0
/dev/mtkfb_vsync(/.*)? u:object_r:graphics_device:s0
/dev/mtkg2d(/.*)? u:object_r:mtkg2d_device:s0
/dev/mtk_jpeg(/.*)? u:object_r:mtk_jpeg_device:s0
/dev/mtk-kpd(/.*)? u:object_r:mtk_kpd_device:s0
/dev/mtk_sched(/.*)? u:object_r:mtk_sched_device:s0
/dev/MTK_SMI(/.*)? u:object_r:MTK_SMI_device:s0
/dev/mtk_cmdq(/.*)? u:object_r:mtk_cmdq_device:s0
/dev/mtk_rrc(/.*)? u:object_r:mtk_rrc_device:s0
/dev/mtk_dfrc(/.*)? u:object_r:mtk_dfrc_device:s0
/dev/mt-mdp(/.*)? u:object_r:mt_mdp_device:s0
/dev/mt_otg_test(/.*)? u:object_r:mt_otg_test_device:s0
/dev/MT_pmic_adc_cali u:object_r:MT_pmic_adc_cali_device:s0
/dev/MT_pmic_adc_cali(/.*)? u:object_r:MT_pmic_cali_device:s0
/dev/MT_pmic(/.*)? u:object_r:MT_pmic_device:s0
/dev/network.* u:object_r:network_device:s0
/dev/nvram(/.*)? u:object_r:nvram_device:s0
/dev/nxpspk(/.*)? u:object_r:smartpa_device:s0
/dev/otp u:object_r:otp_device:s0
/dev/pmem_multimedia(/.*)? u:object_r:pmem_multimedia_device:s0
/dev/pmt(/.*)? u:object_r:pmt_device:s0
/dev/preloader(/.*)? u:object_r:preloader_device:s0
/dev/pro_info(/.*)? u:object_r:pro_info_device:s0
/dev/protect_f(/.*)? u:object_r:protect_f_device:s0
/dev/protect_s(/.*)? u:object_r:protect_s_device:s0
/dev/psaux(/.*)? u:object_r:psaux_device:s0
/dev/ptmx(/.*)? u:object_r:ptmx_device:s0
/dev/ptyp.* u:object_r:ptyp_device:s0
/dev/pvr_sync(/.*)? u:object_r:gpu_device:s0
/dev/qemu_pipe(/.*)? u:object_r:qemu_pipe_device:s0
/dev/recovery(/.*)? u:object_r:recovery_device:s0
/dev/rfkill(/.*)? u:object_r:rfkill_device:s0
/dev/rtc[0-9]+ u:object_r:rtc_device:s0
/dev/RT_Monitor(/.*)? u:object_r:RT_Monitor_device:s0
/dev/kick_powerkey(/.*)? u:object_r:kick_powerkey_device:s0
/dev/seccfg(/.*)? u:object_r:seccfg_device:s0
/dev/sec_ro(/.*)? u:object_r:sec_ro_device:s0
/dev/sec(/.*)? u:object_r:sec_device:s0
/dev/tee1 u:object_r:tee_part_device:s0
/dev/tee2 u:object_r:tee_part_device:s0
/dev/sensor(/.*)? u:object_r:sensor_device:s0
/dev/smartpa_i2c(/.*)? u:object_r:smartpa1_device:s0
/dev/snapshot(/.*)? u:object_r:snapshot_device:s0
/dev/socket/adbd(/.*)? u:object_r:adbd_socket:s0
/dev/socket/agpsd2(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/agpsd3(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/agpsd(/.*)? u:object_r:agpsd_socket:s0
/dev/socket/backuprestore(/.*)? u:object_r:backuprestore_socket:s0
/dev/socket/dfo(/.*)? u:object_r:dfo_socket:s0
/dev/socket/dnsproxyd(/.*)? u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate(/.*)? u:object_r:dumpstate_socket:s0
/dev/socket/mdnsd(/.*)? u:object_r:mdnsd_socket:s0
/dev/socket/mdns(/.*)? u:object_r:mdns_socket:s0
/dev/socket/mnld(/.*)? u:object_r:mnld_socket:s0
/dev/socket/MPED(/.*)? u:object_r:MPED_socket:s0
/dev/socket/netdiag(/.*)? u:object_r:netdiag_socket:s0
/dev/socket/netd(/.*)? u:object_r:netd_socket:s0
/dev/socket/rild2-md2(/.*)? u:object_r:rild2_md2_socket:s0
/dev/socket/rild2(/.*)? u:object_r:rild2_socket:s0
/dev/socket/rild3(/.*)? u:object_r:rild3_socket:s0
/dev/socket/rild4(/.*)? u:object_r:rild4_socket:s0
/dev/socket/rild-mal(/.*)? u:object_r:rild_mal_socket:s0
/dev/socket/rild-mal-at(/.*)? u:object_r:rild_mal_at_socket:s0
/dev/socket/rild-mal-md2(/.*)? u:object_r:rild_mal_md2_socket:s0
/dev/socket/rild-mal-at-md2(/.*)? u:object_r:rild_mal_at_md2_socket:s0
/dev/socket/rild-ims(/.*)? u:object_r:rild_ims_socket:s0
/dev/socket/volte_imsm_dongle(/.*)? u:object_r:rild_imsm_socket:s0
/dev/socket/rild-vsim(/.*)? u:object_r:rild_vsim_socket:s0
/dev/socket/rild-vsim-md2(/.*)? u:object_r:rild_vsim_md2_socket:s0
/dev/socket/rild-ctclient u:object_r:rild_ctclient_socket:s0
/dev/socket/rild-debug-md2(/.*)? u:object_r:rild_debug_md2_socket:s0
/dev/socket/rild-debug(/.*)? u:object_r:rild_debug_socket:s0
/dev/socket/rild-dongle(/.*)? u:object_r:rild-dongle_socket:s0
/dev/socket/rild-md2(/.*)? u:object_r:rild_md2_socket:s0
/dev/socket/rild-mtk-modem-md2(/.*)? u:object_r:rild_mtk_modem_md2_socket:s0
/dev/socket/rild-mtk-modem(/.*)? u:object_r:rild_mtk_modem_socket:s0
/dev/socket/rild-mtk-ut-2-md2(/.*)? u:object_r:rild_mtk_ut_2_md2_socket:s0
/dev/socket/rild-mtk-ut-2(/.*)? u:object_r:rild_mtk_ut_2_socket:s0
/dev/socket/rild-mtk-ut-md2(/.*)? u:object_r:rild_mtk_ut_md2_socket:s0
/dev/socket/rild-mtk-ut(/.*)? u:object_r:rild_mtk_ut_socket:s0
/dev/socket/rild-oem-md2(/.*)? u:object_r:rild_oem_md2_socket:s0
/dev/socket/rild-oem(/.*)? u:object_r:rild_oem_socket:s0
/dev/socket/rild(/.*)? u:object_r:rild_socket:s0
/dev/socket/rild-via u:object_r:rild_via_socket:s0
/dev/socket/mal-mfi(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/mal-mfi-dongle(/.*)? u:object_r:mal_mfi_socket:s0
/dev/socket/rpc u:object_r:rpc_socket:s0
/dev/socket/soc_vt_stk(/.*)? u:object_r:soc_vt_stk_socket:s0
/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
/dev/socket/vold(/.*)? u:object_r:vold_socket:s0
/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
/dev/stpant(/.*)? u:object_r:stpant_device:s0
/dev/stpbt(/.*)? u:object_r:stpbt_device:s0
/dev/stpgps u:object_r:mnld_device:s0
/dev/stpgps(/.*)? u:object_r:stpgps_device:s0
/dev/stpwmt(/.*)? u:object_r:stpwmt_device:s0
/dev/sw_sync(/.*)? u:object_r:sw_sync_device:s0
/dev/tgt(/.*)? u:object_r:tgt_device:s0
/dev/touch(/.*)? u:object_r:touch_device:s0
/dev/tpd_em_log(/.*)? u:object_r:tpd_em_log_device:s0
/dev/ttyC0 u:object_r:gsm0710muxd_device:s0
/dev/ttyC1 u:object_r:mdlog_device:s0
/dev/ttyC2 u:object_r:agps_device:s0
/dev/ttyC3 u:object_r:icusb_device:s0
/dev/ttyGS.* u:object_r:ttyGS_device:s0
/dev/ttyMT.* u:object_r:ttyMT_device:s0
/dev/ttyp.* u:object_r:ttyp_device:s0
/dev/ttySDIO.* u:object_r:ttySDIO_device:s0
/dev/ttyUSB0 u:object_r:tty_device:s0
/dev/ttyUSB1 u:object_r:tty_device:s0
/dev/ttyUSB2 u:object_r:tty_device:s0
/dev/ttyUSB3 u:object_r:tty_device:s0
/dev/ttyUSB4 u:object_r:tty_device:s0
/dev/TV-out(/.*)? u:object_r:TV_out_device:s0
/dev/ubi_ctrl u:object_r:mtd_device:s0
/dev/ubi[_0-9]* u:object_r:mtd_device:s0
/dev/uboot(/.*)? u:object_r:uboot_device:s0
/dev/uibc(/.*)? u:object_r:uibc_device:s0
/dev/uinput(/.*)? u:object_r:uinput_device:s0
/dev/uio0(/.*)? u:object_r:uio0_device:s0
/dev/usrdata(/.*)? u:object_r:usrdata_device:s0
/dev/Vcodec(/.*)? u:object_r:Vcodec_device:s0
/dev/vmodem u:object_r:vmodem_device:s0
/dev/vow(/.*)? u:object_r:vow_device:s0
/dev/wmtdetect(/.*)? u:object_r:wmtdetect_device:s0
/dev/wmtWifi(/.*)? u:object_r:wmtWifi_device:s0
/dev/ancservice(/.*)? u:object_r:ancservice_device:s0
/dev/offloadservice(/.*)? u:object_r:offloadservice_device:s0
/dev/audio_ipi(/.*)? u:object_r:audio_ipi_device:s0
/dev/irtx u:object_r:irtx_device:s0
/dev/spm(/.*)? u:object_r:spm_device:s0
/dev/xt_qtaguid(/.*)? u:object_r:xt_qtaguid_device:s0
/dev/pmic_ftm(/.*)? u:object_r:pmic_ftm_device:s0
/dev/charger_ftm(/.*)? u:object_r:charger_ftm_device:s0
/dev/shf u:object_r:shf_device:s0
/dev/ttyACM0 u:object_r:ttyACM_device:s0
/dev/hrm u:object_r:hrm_device:s0
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
/dev/mbim u:object_r:mbim_device:s0
##########################
# Sensor common Devices Start
#
/dev/als_ps(/.*)? u:object_r:als_ps_device:s0
/dev/barometer(/.*)? u:object_r:barometer_device:s0
/dev/humidity(/.*)? u:object_r:humidity_device:s0
/dev/gsensor(/.*)? u:object_r:gsensor_device:s0
/dev/gyroscope(/.*)? u:object_r:gyroscope_device:s0
/dev/hwmsensor(/.*)? u:object_r:hwmsensor_device:s0
/dev/msensor(/.*)? u:object_r:msensor_device:s0
/dev/biometric(/.*)? u:object_r:biometric_device:s0
##########################
# Sensor Devices Start
#
/dev/m_batch_misc(/.*)? u:object_r:m_batch_misc_device:s0
##########################
# Sensor bio Devices Start
#
/dev/m_als_misc(/.*)? u:object_r:m_als_misc_device:s0
/dev/m_ps_misc(/.*)? u:object_r:m_ps_misc_device:s0
/dev/m_baro_misc(/.*)? u:object_r:m_baro_misc_device:s0
/dev/m_hmdy_misc(/.*)? u:object_r:m_hmdy_misc_device:s0
/dev/m_acc_misc(/.*)? u:object_r:m_acc_misc_device:s0
/dev/m_mag_misc(/.*)? u:object_r:m_mag_misc_device:s0
/dev/m_gyro_misc(/.*)? u:object_r:m_gyro_misc_device:s0
/dev/m_act_misc(/.*)? u:object_r:m_act_misc_device:s0
/dev/m_pedo_misc(/.*)? u:object_r:m_pedo_misc_device:s0
/dev/m_situ_misc(/.*)? u:object_r:m_situ_misc_device:s0
/dev/m_step_c_misc(/.*)? u:object_r:m_step_c_misc_device:s0
/dev/m_fusion_misc(/.*)? u:object_r:m_fusion_misc_device:s0
/dev/m_bio_misc(/.*)? u:object_r:m_bio_misc_device:s0
# block partition definitions
/dev/block/mmcblk0boot0 u:object_r:preloader_block_device:s0
/dev/block/mmcblk0boot1 u:object_r:preloader_block_device:s0
/dev/block/sda u:object_r:preloader_block_device:s0
/dev/block/sdb u:object_r:preloader_block_device:s0
/dev/block/mmcblk0 u:object_r:bootdevice_block_device:s0
/dev/block/sdc u:object_r:bootdevice_block_device:s0
/dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
/dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
/dev/block/mtd(.*)? u:object_r:mtd_device:s0
/dev/block/mntlblk(.*)? u:object_r:mtd_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/secro u:object_r:secro_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system u:object_r:system_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oemkeystore u:object_r:oemkeystore_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot u:object_r:boot_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/ppl u:object_r:ppl_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sec1 u:object_r:sec1_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot_para u:object_r:boot_para_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/system(_[ab])? u:object_r:system_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
/dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
/dev/block/platform/bootdevice/by-name/proinfo u:object_r:nvram_device:s0
/dev/block/platform/bootdevice/by-name/nvram u:object_r:nvram_device:s0
/dev/block/platform/bootdevice/by-name/nvdata u:object_r:nvdata_device:s0
/dev/block/platform/bootdevice/by-name/frp u:object_r:frp_block_device:s0
/dev/block/platform/bootdevice/by-name/expdb u:object_r:expdb_block_device:s0
/dev/block/platform/bootdevice/by-name/misc2 u:object_r:misc2_block_device:s0
/dev/block/platform/bootdevice/by-name/logo u:object_r:logo_block_device:s0
/dev/block/platform/bootdevice/by-name/para u:object_r:para_block_device:s0
/dev/block/platform/bootdevice/by-name/seccfg u:object_r:seccfg_block_device:s0
/dev/block/platform/bootdevice/by-name/secro u:object_r:secro_block_device:s0
/dev/block/platform/bootdevice/by-name/userdata u:object_r:userdata_block_device:s0
/dev/block/platform/bootdevice/by-name/cache u:object_r:cache_block_device:s0
/dev/block/platform/bootdevice/by-name/recovery u:object_r:recovery_block_device:s0
/dev/block/platform/bootdevice/by-name/protect1 u:object_r:protect1_block_device:s0
/dev/block/platform/bootdevice/by-name/protect2 u:object_r:protect2_block_device:s0
/dev/block/platform/bootdevice/by-name/keystore u:object_r:keystore_block_device:s0
/dev/block/platform/bootdevice/by-name/persist u:object_r:persist_block_device:s0
/dev/block/platform/bootdevice/by-name/metadata u:object_r:metadata_block_device:s0
/dev/block/platform/bootdevice/by-name/nvcfg u:object_r:nvcfg_block_device:s0
/dev/block/platform/bootdevice/by-name/sec1 u:object_r:sec1_block_device:s0
/dev/block/platform/bootdevice/by-name/boot_para u:object_r:boot_para_block_device:s0
/dev/block/platform/bootdevice/by-name/cam_vpu[1-3](_[ab])? u:object_r:cam_vpu_block_device:s0
/dev/block/platform/bootdevice/by-name/system(_[ab])? u:object_r:system_block_device:s0
/dev/block/platform/bootdevice/by-name/boot(_[ab])? u:object_r:boot_block_device:s0
/dev/block/platform/bootdevice/by-name/odm(_[ab])? u:object_r:odm_block_device:s0
/dev/block/platform/bootdevice/by-name/oem(_[ab])? u:object_r:oem_block_device:s0
/dev/block/platform/bootdevice/by-name/vendor(_[ab])? u:object_r:vendor_block_device:s0
/dev/block/platform/bootdevice/by-name/lk(_[ab])? u:object_r:lk_block_device:s0
/dev/block/platform/bootdevice/by-name/odmdtbo(_[ab])? u:object_r:dtbo_block_device:s0
/dev/block/platform/bootdevice/by-name/tee([12]|_[ab]) u:object_r:tee_block_device:s0
/dev/block/platform/bootdevice/by-name/md1img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/md1dsp(_[ab])? u:object_r:dsp_block_device:s0
/dev/block/platform/bootdevice/by-name/md1arm7(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/md3img(_[ab])? u:object_r:md_block_device:s0
/dev/block/platform/bootdevice/by-name/scp(_[ab])? u:object_r:scp_block_device:s0
/dev/block/platform/bootdevice/by-name/sspm(_[ab])? u:object_r:sspm_block_device:s0
/dev/block/platform/bootdevice/by-name/spmfw(_[ab])? u:object_r:spmfw_block_device:s0
/dev/block/platform/bootdevice/by-name/mcupmfw(_[ab])? u:object_r:mcupmfw_block_device:s0
/dev/block/platform/bootdevice/by-name/loader_ext(_[ab])? u:object_r:loader_ext_block_device:s0
#############################
# sysfs files
#
/sys/bus/platform/drivers/mtk-kpd(/.*)? u:object_r:sysfs_keypad_file:s0
/sys/power/vcorefs/pwr_ctrl -- u:object_r:sysfs_vcorefs_pwrctrl:s0
/sys/power/dcm_state u:object_r:sysfs_dcm:s0
/sys/power/mtkdcs/mode u:object_r:sysfs_dcs:s0
/sys/devices/virtual/misc/md32(/.*)? u:object_r:sysfs_md32:s0
/sys/devices/virtual/misc/scp(/.*)? u:object_r:sysfs_scp:s0
/sys/devices/virtual/misc/scp_B(/.*)? u:object_r:sysfs_scp:s0
/sys/devices/virtual/misc/sspm(/.*)? u:object_r:sysfs_sspm:s0
/sys/kernel/ccci(/.*)? u:object_r:sysfs_ccci:s0
/sys/mtk_ssw(/.*)? u:object_r:sysfs_ssw:s0
/sys/bus/platform/drivers/dev_info/dev_info u:object_r:sysfs_devinfo:s0
/sys/firmware/devicetree/base/chosen/atag\,devinfo u:object_r:sysfs_devinfo:s0
/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_therm:s0
/sys/devices/platform/battery/power_supply(/.*)? u:object_r:sysfs_power_supply:s0
/sys/devices/virtual/switch/fps(/.*)? u:object_r:sysfs_fps:s0
#############################
# debugfs files
#
/sys/kernel/debug/binder(/.*)? u:object_r:debugfs_binder:s0
/sys/kernel/debug/blockio(/.*)? u:object_r:debugfs_blockio:s0
/sys/kernel/debug/fuseio(/.*)? u:object_r:debugfs_fuseio:s0
/sys/kernel/debug/musb-hdrc(/.*)? u:object_r:debugfs_usb:s0
/sys/kernel/debug/usb_c(/.*)? u:object_r:debugfs_usb:s0
/sys/kernel/debug/mtkfb u:object_r:debugfs_fb:s0
/sys/kernel/debug/mmprofile(/.*)? u:object_r:debugfs_fb:s0
/sys/kernel/debug/fbconfig u:object_r:debugfs_fb:s0
/sys/kernel/debug/displowpower u:object_r:debugfs_fb:s0
/sys/kernel/debug/disp(/.*)? u:object_r:debugfs_fb:s0
/sys/kernel/debug/dispsys u:object_r:debugfs_fb:s0
/sys/kernel/debug/cpuhvfs(/.*)? u:object_r:debugfs_cpuhvfs:s0
/sys/kernel/debug/usb20_phy(/.*)? u:object_r:debugfs_usb20_phy:s0
/sys/kernel/debug/dynamic_debug(/.*)? u:object_r:debugfs_dynamic_debug:s0
/sys/kernel/debug/wakeup_sources u:object_r:debugfs_wakeup_sources:s0
/sys/kernel/debug/dmlog u:object_r:debugfs_dmlog_debug:s0
/sys/kernel/debug/page_owner_slim u:object_r:debugfs_page_owner_slim_debug:s0
/sys/kernel/debug/shrinker u:object_r:debugfs_shrinker_debug:s0
/sys/kernel/debug/rcu(/.*)? u:object_r:debugfs_rcu:s0
/sys/kernel/debug/ged(/.*)? u:object_r:debugfs_ged:s0
/sys/kernel/debug/ion/ion_mm_heap(/.*)? u:object_r:debugfs_ion_mm_heap:s0
/sys/kernel/debug/ion/heaps(/.*)? u:object_r:debugfs_ion_mm_heap:s0
/sys/kernel/debug/ion/client_history(/.*)? u:object_r:debugfs_ion_mm_heap:s0
/sys/kernel/debug/mali0/gpu_memory u:object_r:debugfs_gpu_mali_midgard:s0
/sys/kernel/debug/mali/gpu_memory u:object_r:debugfs_gpu_mali_utgard:s0
/sys/kernel/debug/pvr(/.*)? u:object_r:debugfs_gpu_img:s0
/sys/kernel/debug/ion/clients(/.*)? u:object_r:debugfs_ion:s0
/sys/kernel/debug/fpsgo(/.*)? u:object_r:debugfs_fpsgo:s0
/sys/kernel/debug/emi_mbw/dump_buf(/.*)? u:object_r:debugfs_emi_mbw_buf:s0
#############################
# System files
#
/(system\/vendor|vendor)/bin/stp_dump3 u:object_r:stp_dump3_exec:s0
/(system\/vendor|vendor)/bin/wmt_launcher u:object_r:mtk_wmt_launcher_exec:s0
/(system\/vendor|vendor)/bin/aee_core_forwarder u:object_r:aee_core_forwarder_exec:s0
/(system\/vendor|vendor)/bin/ccci_fsd u:object_r:ccci_fsd_exec:s0
/(system\/vendor|vendor)/bin/fuelgauged u:object_r:fuelgauged_exec:s0
/(system\/vendor|vendor)/bin/fuelgauged_nvram u:object_r:fuelgauged_nvram_exec:s0
/(system\/vendor|vendor)/bin/gsm0710muxd u:object_r:gsm0710muxd_exec:s0
/(system\/vendor|vendor)/bin/mmc_ffu u:object_r:mmc_ffu_exec:s0
/(system\/vendor|vendor)/bin/mtk_agpsd u:object_r:mtk_agpsd_exec:s0
/(system\/vendor|vendor)/bin/MtkCodecService u:object_r:MtkCodecService_exec:s0
/(system\/vendor|vendor)/bin/mtkrild u:object_r:mtkrild_exec:s0
/(system\/vendor|vendor)/bin/muxreport u:object_r:muxreport_exec:s0
/(system\/vendor|vendor)/bin/nvram_agent_binder u:object_r:nvram_agent_binder_exec:s0
/(system\/vendor|vendor)/bin/nvram_daemon u:object_r:nvram_daemon_exec:s0
/(system\/vendor|vendor)/bin/slpd u:object_r:slpd_exec:s0
/(system\/vendor|vendor)/bin/thermal_manager u:object_r:thermal_manager_exec:s0
/(system\/vendor|vendor)/bin/thermalloadalgod u:object_r:thermalloadalgod_exec:s0
/(system\/vendor|vendor)/bin/lbs_hidl_service u:object_r:lbs_hidl_service_exec:s0
/(system\/vendor|vendor)/bin/wifi2agps u:object_r:wifi2agps_exec:s0
/(system\/vendor|vendor)/bin/wmt_loader u:object_r:wmt_loader_exec:s0
/(system\/vendor|vendor)/bin/md_ctrl u:object_r:md_ctrl_exec:s0
/(system\/vendor|vendor)/bin/spm_loader u:object_r:spm_loader_exec:s0
/(system\/vendor|vendor)/bin/ccci_mdinit u:object_r:ccci_mdinit_exec:s0
/(system\/vendor|vendor)/bin/MPED u:object_r:MPED_exec:s0
/(system\/vendor|vendor)/bin/mnld u:object_r:mnld_exec:s0
/(system\/vendor|vendor)/bin/sysenv_daemon u:object_r:sysenv_daemon_exec:s0
/(system\/vendor|vendor)/bin/biosensord_nvram u:object_r:biosensord_nvram_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-mediatek u:object_r:mtk_hal_bluetooth_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.gnss@1\.1-service u:object_r:mtk_hal_gnss_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.audio@2\.0-service-mediatek u:object_r:mtk_hal_audio_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.power@1\.1-service u:object_r:mtk_hal_power_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.sensors@1\.0-service-mediatek u:object_r:mtk_hal_sensors_exec:s0
/(system\/vendor|vendor)/bin/hw/rilproxy u:object_r:rild_exec:s0
/(system\/vendor|vendor)/bin/hw/mtkfusionrild u:object_r:rild_exec:s0
/(system\/vendor|vendor)/bin/hw/android\.hardware\.light@2\.0-service-mediatek u:object_r:mtk_hal_light_exec:s0
/(system\/vendor|vendor)/bin/hw/camerahalserver u:object_r:mtk_hal_camera_exec:s0
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.imsa@1\.0-service u:object_r:mtk_hal_imsa_exec:s0
#Widevine drm hal
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service.widevine u:object_r:hal_drm_widevine_exec:s0
#PQ hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.pq@2\.0-service u:object_r:mtk_hal_pq_exec:s0
# Keymaster Attestation Hal
/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.keymaster_attestation@1\.1-service u:object_r:hal_keymaster_attestation_exec:s0
#############################
# System/bin files
#hidl process merging
/(system\/vendor|vendor)/bin/hw/merged_hal_service u:object_r:merged_hal_service_exec:s0

18
non_plat/fsck.te Normal file
View File

@ -0,0 +1,18 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK15.29
# Operation : Migration
# Purpose : file system check for protect1/protect2/nvdata/persist/nvcfg block devices.
allow fsck protect1_block_device:blk_file rw_file_perms;
allow fsck protect2_block_device:blk_file rw_file_perms;
allow fsck nvdata_device:blk_file rw_file_perms;
allow fsck persist_block_device:blk_file rw_file_perms;
allow fsck nvcfg_block_device:blk_file rw_file_perms;
allow fsck odm_block_device:blk_file rw_file_perms;
allow fsck oem_block_device:blk_file rw_file_perms;
# Date : WK17.12
# Purpose: Fix bootup fail
allow fsck system_block_device:blk_file getattr;

88
non_plat/fuelgauged.te Normal file
View File

@ -0,0 +1,88 @@
# ==============================================
# Policy File of /system/bin/fuelgauged Executable File
# ==============================================
# Type Declaration
# ==============================================
type fuelgauged ,domain;
type fuelgauged_exec , exec_type, file_type, vendor_file_type;
type fuelgauged_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(fuelgauged)
# Data : WK14.43
# Operation : Migration
# Purpose : Fuel Gauge daemon for access driver node
allow fuelgauged input_device:dir rw_dir_perms;
allow fuelgauged input_device:file r_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For meta tool calibration
allow fuelgauged mtk-adc-cali_device:chr_file rw_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For fg.log can be printed with kernel log
allow fuelgauged kmsg_device:chr_file w_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For fg daemon can comminucate with kernel
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.t
#allow fuelgauged fuelgauged:netlink_kobject_uevent_socket create_socket_perms;
#allow fuelgauged fuelgauged:netlink_socket create_socket_perms;
allow fuelgauged self:netlink_socket create;
allow fuelgauged self:netlink_socket create_socket_perms_no_ioctl;
allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can access /data/FG folder
file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file);
allow fuelgauged fuelgauged_file:file rw_file_perms;
allow fuelgauged system_data_file:dir rw_dir_perms;
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
allow fuelgauged nvdata_file:dir rw_dir_perms;
allow fuelgauged nvdata_file:file {rw_file_perms create_file_perms};
allow fuelgauged nvram_data_file:lnk_file rw_file_perms;
allow fuelgauged nvdata_file:lnk_file rw_file_perms;
# Data : WK16.39
allow fuelgauged self:capability { chown fsetid dac_override };
# Data : W16.43
# Operation : New Feature
# Purpose : Change from /data to /cache
allow fuelgauged cache_file:file {rw_file_perms create_file_perms};
allow fuelgauged cache_file:dir {rw_dir_perms create_dir_perms};
allow fuelgauged sysfs:file {rw_file_perms create_file_perms};
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
allow fuelgauged kernel:system module_request;
# Date: W18.03
# Operation : change fuelgagued access from cache to nvcfg
# Purpose : add fuelgauged to nvcfg read write permit
#allow fuelgauged nvcfg_file:dir getattr;
#allow fuelgauged nvcfg_file:dir {rw_dir_perms create_dir_perms};
#allow fuelgauged nvcfg_file:file {rw_dir_perms create_dir_perms};
allow fuelgauged nvcfg_file:dir { search write open read add_name create getattr};
allow fuelgauged nvcfg_file:file { read write getattr open create };

63
non_plat/fuelgauged_nvram.te Normal file
View File

@ -0,0 +1,63 @@
# ==============================================
# Policy File of /system/bin/fuelgauged_nvram Executable File
# ==============================================
# Type Declaration
# ==============================================
type fuelgauged_nvram ,domain;
type fuelgauged_nvram_exec , exec_type, file_type, vendor_file_type;
type fuelgauged_nvram_file, file_type, data_file_type;
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(fuelgauged_nvram)
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can access /data/FG folder
file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file);
allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms;
allow fuelgauged_nvram system_data_file:dir rw_dir_perms;
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
allow fuelgauged_nvram nvdata_file:dir rw_dir_perms;
allow fuelgauged_nvram nvdata_file:file {rw_file_perms create_file_perms};
allow fuelgauged_nvram nvram_data_file:lnk_file rw_file_perms;
allow fuelgauged_nvram nvdata_file:lnk_file rw_file_perms;
allow fuelgauged_nvram fuelgauged_file:dir rw_dir_perms;
allow fuelgauged_nvram fuelgauged_file:file {rw_file_perms create_file_perms};
# Data : W16.43
# Operation : New Feature
# Purpose : Change from /data to /cache
allow fuelgauged_nvram cache_file:file {rw_file_perms create_file_perms};
allow fuelgauged_nvram cache_file:dir {rw_dir_perms create_dir_perms};
allow fuelgauged_nvram self:capability { dac_read_search dac_override chown };
allow fuelgauged_nvram kmsg_device:chr_file { write open };
allow fuelgauged_nvram self:capability fsetid;
# Data : W17.34
# Operation : New Feature
# Purpose : fgauge_nvram could use IOCTL
allow fuelgauged_nvram MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: W18.03
# Operation : change fuelgagued_nvram access from cache to nvcfg
# Purpose : add fuelgauged to nvcfg read write permit
allow fuelgauged_nvram sysfs:file { read open };
allow fuelgauged_nvram nvcfg_file:dir { search write open read add_name create getattr};
allow fuelgauged_nvram nvcfg_file:file { read write getattr open create };

33
non_plat/fuelgauged_static.te Normal file
View File

@ -0,0 +1,33 @@
# ==============================================
# Policy File of /system/bin/fuelgauged_static Executable File
# ==============================================
# Android Policy Rule
# ==============================================
# ==============================================
# NSA Policy Rule
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
# Data : WK14.43
# Operation : Migration
# Purpose : For meta tool calibration
allow fuelgauged_static mtk-adc-cali_device:chr_file rw_file_perms;
# Data : WK14.43
# Operation : Migration
# Purpose : For fg.log can be printed with kernel log
allow fuelgauged_static kmsg_device:chr_file w_file_perms;
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
allow fuelgauged_static nvdata_file:dir rw_dir_perms;
allow fuelgauged_static nvdata_file:file {rw_file_perms create_file_perms};
allow fuelgauged_static nvram_data_file:lnk_file rw_file_perms;
allow fuelgauged_static nvdata_file:lnk_file rw_file_perms;

25
non_plat/genfs_contexts Normal file
View File

@ -0,0 +1,25 @@
# ==============================================
# MTK Policy Rule
# ============
# proc interfaces
genfscon proc /driver/thermal u:object_r:proc_thermal:s0
genfscon proc /thermlmt u:object_r:proc_thermal:s0
genfscon proc /fps_tm u:object_r:proc_thermal:s0
genfscon proc /wmt_tm u:object_r:proc_thermal:s0
genfscon proc /mobile_tm u:object_r:proc_thermal:s0
genfscon proc /bcctlmt u:object_r:proc_thermal:s0
genfscon proc /battery_status u:object_r:proc_thermal:s0
genfscon proc /mtkcooler u:object_r:proc_mtkcooler:s0
genfscon proc /mtktz u:object_r:proc_mtktz:s0
genfscon proc /lk_env u:object_r:proc_lk_env:s0
genfscon proc /driver/storage_logger u:object_r:proc_slogger:s0
genfscon proc /driver/icusb u:object_r:proc_icusb:s0
genfscon proc /mrdump_rst u:object_r:proc_mrdump_rst:s0
genfscon proc /mtk_battery_cmd u:object_r:proc_battery_cmd:s0
genfscon proc /ged u:object_r:proc_ged:s0
genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
genfscon iso9660 / u:object_r:iso9660:s0
genfscon rawfs / u:object_r:rawfs:s0
genfscon fuseblk / u:object_r:fuseblk:s0

39
non_plat/gsm0710muxd.te Normal file
View File

@ -0,0 +1,39 @@
# ==============================================
# Policy File of /system/bin/gsm0710muxd Executable File
# ==============================================
# Type Declaration
# ==============================================
type gsm0710muxd, domain;
type gsm0710muxd_exec , exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(gsm0710muxd)
# Capabilities assigned for gsm0710muxd
allow gsm0710muxd self:capability { chown fowner setuid };
# Property service
# Set ctl.ril-daemon property
set_prop(gsm0710muxd, ctl_rildaemon_prop)
set_prop(gsm0710muxd, ctl_ril-daemon-mtk_prop)
set_prop(gsm0710muxd, ctl_fusion_ril_mtk_prop)
set_prop(gsm0710muxd, gsm0710muxd_prop)
set_prop(gsm0710muxd, radio_prop)
# allow set muxreport control properties
set_prop(gsm0710muxd, ril_mux_report_case_prop)
# Allow read/write to devices/files
allow gsm0710muxd gsm0710muxd_device:chr_file rw_file_perms;
allow gsm0710muxd device:dir rw_dir_perms;
allow gsm0710muxd device:lnk_file { create unlink };
allow gsm0710muxd devpts:chr_file setattr;
allow gsm0710muxd eemcs_device:chr_file rw_file_perms;
allow gsm0710muxd sysfs:file r_file_perms;
# Allow read to sys/kernel/ccci/* files
allow gsm0710muxd sysfs_ccci:dir search;
allow gsm0710muxd sysfs_ccci:file r_file_perms;

10
non_plat/hal_bootctl_default.te Normal file
View File

@ -0,0 +1,10 @@
# Add for bootctl
#============= hal_bootctl_default ==============
allow hal_bootctl_default para_block_device:blk_file { read open write};
allow hal_bootctl_default proc:file { read getattr open };
allow hal_bootctl_default rootfs:file { read getattr open };
allow hal_bootctl_default sysfs:dir { read open };
allow hal_bootctl_default sysfs:file { read getattr open };
allow hal_bootctl_default block_device:dir search;
allow hal_bootctl_default misc_sd_device:chr_file rw_file_perms;
allow hal_bootctl_default bootdevice_block_device:blk_file { read write ioctl open };

5
non_plat/hal_cas_default.te Normal file
View File

@ -0,0 +1,5 @@
# Date : 2017/08/14
# Operation : O1 Migration
# Purpose : hal_cas_default needs to use vendor binder to communicate
vndbinder_use(hal_cas_default);

6
non_plat/hal_drm_default.te Normal file
View File

@ -0,0 +1,6 @@
vndbinder_use(hal_drm_default);
#============= hal_drm_default ==============
allow hal_drm_default debugfs_tracing:file write;
allow hal_drm_default debugfs_ion:dir search;

14
non_plat/hal_drm_widevine.te Normal file
View File

@ -0,0 +1,14 @@
type hal_drm_widevine, domain;
hal_server_domain(hal_drm_widevine, hal_drm)
type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_drm_widevine)
allow hal_drm_widevine mediacodec:fd use;
allow hal_drm_widevine { appdomain -isolated_app }:fd use;
vndbinder_use(hal_drm_widevine);
#============= hal_drm_widevine ==============
allow hal_drm_widevine debugfs_tracing:file write;
allow hal_drm_widevine debugfs_ion:dir search;

2
non_plat/hal_gnss.te Normal file
View File

@ -0,0 +1,2 @@
#TODO:: work around solution, wait for correct solution from google
vndbinder_use(hal_gnss)

8
non_plat/hal_gnss_default.te Normal file
View File

@ -0,0 +1,8 @@
# Communicate over a socket created by mnld process.
#allow hal_gnss debuggerd:fd use;
allow hal_gnss_default mnld_data_file:sock_file create_file_perms;
allow hal_gnss_default mnld_data_file:sock_file rw_file_perms;
allow hal_gnss_default mnld_data_file:dir create_file_perms;
allow hal_gnss_default mnld_data_file:dir rw_dir_perms;
allow hal_gnss_default mnld:unix_dgram_socket sendto;

5
non_plat/hal_graphics_allocator.te Normal file
View File

@ -0,0 +1,5 @@
# Date : WK17.13
# Operation : Add sepolicy
# Purpose : Add policy for gralloc HIDL
allow hal_graphics_allocator proc_ged:file { read ioctl open };

18
non_plat/hal_graphics_allocator_default.te Normal file
View File

@ -0,0 +1,18 @@
# ==============================================
# MTK Policy Rule
# ==============================================
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default gpu_device:dir search;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default sw_sync_device:chr_file { open read write getattr ioctl };
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_ion:dir search;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_tracing:file write;
#============= hal_graphics_allocator_default ==============
allow hal_graphics_allocator_default debugfs_tracing:file open;

48
non_plat/hal_graphics_composer_default.te Normal file
View File

@ -0,0 +1,48 @@
vndbinder_use(hal_graphics_composer_default)
allow hal_graphics_composer_default debugfs_ged:dir search;
#allow hal_graphics_composer_default debugfs_ion:dir search;
# Date : WK17.09
# Operation : Add sepolicy
# Purpose : Add polivy for hwc HIDL
allow hal_graphics_composer_default proc:file { read getattr open ioctl };
allow hal_graphics_composer_default proc_ged:file { read ioctl open };
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { read bind create setopt };
# Date : WK17.21
# Purpose: GPU driver required
allow hal_graphics_composer_default sw_sync_device:chr_file { read write open ioctl };
allow hal_graphics_composer_default hal_graphics_mapper_hwservice:hwservice_manager find;
# Date : W17.24
# Purpose: GPU driver required
allow hal_graphics_composer_default gpu_device:dir search;
#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default debugfs_ion:dir search;
#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default debugfs_tracing:file write;
#============= hal_graphics_composer_default ==============
allow hal_graphics_composer_default debugfs_tracing:file open;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow hal_graphics_composer_default mtk_cmdq_device:chr_file { read ioctl open };
# Date : W17.30
# Add for control PowerHAL
allow hal_graphics_composer_default mtk_hal_power_hwservice:hwservice_manager find;
binder_call(hal_graphics_composer_default, mtk_hal_power)
# Date : WK17.32
# Operation : O Migration
# Purpose: Allow to access property
set_prop(hal_graphics_composer_default, graphics_config_prop)
get_prop(hal_graphics_composer_default, graphics_config_prop)
set_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)
get_prop(hal_graphics_composer_default, graphics_hwc_pid_prop)

6
non_plat/hal_imsa.te Normal file
View File

@ -0,0 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_imsa_client, hal_imsa_server)
binder_call(hal_imsa_server, hal_imsa_client)
# give permission for hal client
allow hal_imsa_client mtk_hal_imsa_hwservice :hwservice_manager find;

4
non_plat/hal_ir.te Normal file
View File

@ -0,0 +1,4 @@
#============= hal_ir_default ==============
allow hal_ir_default irtx_device:chr_file rw_file_perms;
allow hal_ir_default irtx_device:chr_file { ioctl open };
allow hal_ir_default irtx_device:chr_file { read write };

16
non_plat/hal_keymaster_attestation.te Normal file
View File

@ -0,0 +1,16 @@
type hal_keymaster_attestation, domain;
hal_server_domain(hal_keymaster_attestation, mtk_hal_keyattestation)
type hal_keymaster_attestation_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymaster_attestation)
hwbinder_use(hal_keymaster_attestation);
#============= hal_keymaster_attestation ==============
allow hal_keymaster_attestation tee_device:chr_file { read write open ioctl };
# Date : WK17.42 2017/10/19
# Operation: Keymaster 3.0
# Purpose: Access attestation key in persist partition
allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
allow hal_keymaster_attestation persist_data_file:file { write create open getattr };

9
non_plat/hal_memtrack_default.te Normal file
View File

@ -0,0 +1,9 @@
# Date : WK16.52
# Operation : HIDL Migration
# Purpose : For memtrack related service access
allow hal_memtrack debugfs_gpu_mali_midgard:file {open read getattr };
allow hal_memtrack debugfs_gpu_mali_utgard:file {open read getattr };
allow hal_memtrack debugfs_gpu_img:dir search;
allow hal_memtrack debugfs_gpu_img:file {open read getattr };
allow hal_memtrack debugfs_ion:dir rw_dir_perms;
allow hal_memtrack debugfs_ion:file {open read getattr };

5
non_plat/hal_nfc.te Normal file
View File

@ -0,0 +1,5 @@
# ==============================================
# ST NFC HAL rule
# ==============================================
allow hal_nfc st21nfc_device:chr_file { read write getattr open ioctl };

6
non_plat/hal_nvramagent.te Executable file
View File

@ -0,0 +1,6 @@
#for nvram hidl client support
binder_call(hal_nvramagent_client, hal_nvramagent_server)
allow hal_nvramagent_client nvram_agent_binder_hwservice:hwservice_manager find;
# add/find permission rule to hwservicemanager
add_hwservice(hal_nvramagent_server, nvram_agent_binder_hwservice)

6
non_plat/hal_pq.te Normal file
View File

@ -0,0 +1,6 @@
# HwBinder IPC from clients into server, and callbacks
binder_call(hal_pq_client, hal_pq_server)
binder_call(hal_pq_server, hal_pq_client)
# give permission for hal client
allow hal_pq_client mtk_hal_pq_hwservice :hwservice_manager find;

5
non_plat/hal_vibrator.te Normal file
View File

@ -0,0 +1,5 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:dir r_dir_perms;
allow hal_vibrator sysfs_leds:file rw_file_perms;
allow hal_vibrator sysfs_leds:dir r_dir_perms;
allow hal_vibrator sysfs_leds:lnk_file read;

8
non_plat/hal_wifi.te Normal file
View File

@ -0,0 +1,8 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Allow hal wifi service to open/read/setattr wifi device.
# wmtWifi is wifi char device file to control wifi driver.
allow hal_wifi wmtWifi_device:chr_file w_file_perms;

21
non_plat/hostapd.te Normal file
View File

@ -0,0 +1,21 @@
# ====================================
# MTK Policy Rule
# ====================================
# Date: 2014/09/15
# Operation: [Pre-SQC] Hotspot Manager cannot communicate with framework
# Purpose: Add socket write permission for hostapd
allow hostapd system_wpa_socket:sock_file write;
# Date: 2014/10/13
# Operation: [L-SQC] SELinux warning during whole chip reset
# Purpose: kernel module netdev-ap0 gets invalid during whole chip reset, no impact to normal flow, dontaudit
dontaudit hostapd kernel:system module_request;
# Date: 2017/06/22
# Operation: [O-SQC] WiFi hal
# Purpose: WiFi hal for WiFi hotspot manager
hal_server_domain(hostapd, hal_wifi_supplicant)
hal_server_domain(hostapd, mtk_hal_wifi_hostapd)

32
non_plat/hwservice.te Normal file
View File

@ -0,0 +1,32 @@
type mtk_hal_bluetooth_hwservice, hwservice_manager_type;
# Date: 2017/05/9
type mtk_hal_rild_hwservice, hwservice_manager_type;
# Date: 2017/06/07
# power hidl
type mtk_hal_power_hwservice, hwservice_manager_type;
# Date: 2017/06/12
# LBS HIDL
type mtk_hal_lbs_hwservice, hwservice_manager_type;
# Date: 2017/06/22
# WIFI HOSTAPD HIDL
type mtk_hal_wifi_hostapd_hwservice, hwservice_manager_type;
# Date: 2017/06/27
# IMSA HIDL
type mtk_hal_imsa_hwservice, hwservice_manager_type;
# Date: 2017/07/12
# NVRAM HIDL
type nvram_agent_binder_hwservice, hwservice_manager_type;
# Date: 2017/07/19
# PQ HIDL
type mtk_hal_pq_hwservice, untrusted_app_visible_hwservice, hwservice_manager_type;
# Date: 2017/07/20
# keymaster attestation hidl
type mtk_hal_keyattestation_hwservice, hwservice_manager_type;

39
non_plat/hwservice_contexts Normal file
View File

@ -0,0 +1,39 @@
vendor.mediatek.hardware.bluetooth::IMtkBluetoothHci u:object_r:mtk_hal_bluetooth_hwservice:s0
vendor.mediatek.hardware.gnss::IMtkGnss u:object_r:hal_gnss_hwservice:s0
# Date: 2017/05/9
vendor.mediatek.hardware.radio::IRadio u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio::ISap u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio_tc1::IRadio u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio_tc1::ISap u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio.deprecated::IOemHook u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio_tc1.deprecated::IOemHook u:object_r:mtk_hal_rild_hwservice:s0
vendor.mediatek.hardware.radio_op::IRadioOp u:object_r:mtk_hal_rild_hwservice:s0
# Date: 2017/06/07
# power hidl
vendor.mediatek.hardware.power::IPower u:object_r:mtk_hal_power_hwservice:s0
# Date: 2017/06/12
# LBS HIDL
vendor.mediatek.hardware.lbs::ILbs u:object_r:mtk_hal_lbs_hwservice:s0
# Date: 2017/06/22
# WIFI HOSTAPD HIDL
vendor.mediatek.hardware.wifi.hostapd::IHostapd u:object_r:mtk_hal_wifi_hostapd_hwservice:s0
# Date : 2017/06/27
# IMSA HIDL
vendor.mediatek.hardware.imsa::IImsa u:object_r:mtk_hal_imsa_hwservice:s0
# Date : 2017/07/12
#nvram hidl
vendor.mediatek.hardware.nvram::INvram u:object_r:nvram_agent_binder_hwservice:s0
# Date : 2017/07/19
# PQ HIDL
vendor.mediatek.hardware.pq::IPictureQuality u:object_r:mtk_hal_pq_hwservice:s0
# Date: 2017/07/20
# keymaster attestation hidl
vendor.mediatek.hardware.keymaster_attestation::IKeymasterDevice u:object_r:mtk_hal_keyattestation_hwservice:s0

134
non_plat/init.te Normal file
View File

@ -0,0 +1,134 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.34
# Operation : Migration
# Purpose : for L early bring up: add for nvram command in init rc files
allow init nvram_data_file:dir create_dir_perms;
allow init nvram_data_file:lnk_file r_file_perms;
allow init nvdata_file:lnk_file r_file_perms;
allow init nvdata_file:dir create_file_perms;
#============= init ==============
# Date : W14.42
# Operation : Migration
# Purpose : for L : add for partition (chown/chmod)
allow init block_device:blk_file setattr;
allow init system_block_device:blk_file setattr;
allow init nvram_device:blk_file setattr;
allow init seccfg_block_device:blk_file setattr;
allow init secro_block_device:blk_file setattr;
allow init frp_block_device:blk_file setattr;
allow init logo_block_device:blk_file setattr;
allow init para_block_device:blk_file setattr;
allow init recovery_block_device:blk_file setattr;
# Date : WK15.30
# Operation : Migration
# Purpose : format wiped partition with "formattable" and "check" flag in fstab file
allow init protect1_block_device:blk_file rw_file_perms;
allow init protect2_block_device:blk_file rw_file_perms;
allow init userdata_block_device:blk_file rw_file_perms;
allow init cache_block_device:blk_file rw_file_perms;
allow init nvdata_device:blk_file w_file_perms;
allow init persist_block_device:blk_file rw_file_perms;
allow init nvcfg_block_device:blk_file rw_file_perms;
allow init odm_block_device:blk_file rw_file_perms;
allow init oem_block_device:blk_file rw_file_perms;
allow init para_block_device:blk_file w_file_perms;
# Date : WK15.32
# Operation : Migration
# Purpose : disable AT_SECURE for LD_PRELOAD
userdebug_or_eng(`
allow init { domain -lmkd -crash_dump }:process noatsecure;
')
# Date : WK16.26
# Operation : Access dynamic_debug control file
# Purpose : For MobileLog on/off pr_debug on user/userdebug load
allow init debugfs_dynamic_debug:file write;
# Date : W16.28
# Operation : Migration
# Purpose : enable modules capability
allow init self:capability sys_module;
allow init kernel:system module_request;
# Date : WK16.35
# Operation : Migration
# Purpose : create symbolic link from /mnt/sdcard to /sdcard
allow init tmpfs:lnk_file create;
# Date:W17.07
# Operation : bt hal
# Purpose : bt hal interface permission
allow init mtk_hal_bluetooth_exec:file getattr;
# Date : WK17.12
# Purpose: Fix bootup fail
allow init debugfs:file w_file_perms;
# Date : WK17.02
# Purpose: Fix audio hal service fail
allow init mtk_hal_audio_exec:file getattr;
# Date : W17.20
# Purpose: Enable PRODUCT_FULL_TREBLE
allow init vendor_block_device:lnk_file relabelto;
# Date : WK17.21
# Purpose: Fix gnss hal service fail
allow init mtk_hal_gnss_exec:file getattr;
# Fix boot up violation
allow init debugfs_tracing_instances:file relabelfrom;
# Date: W17.22
# Operation : New Feature
# Purpose : Add for A/B system
allow init debugfs:file write;
allow init kernel:system module_request;
allow init nvdata_file:dir mounton;
allow init oemfs:dir mounton;
allow init protect_f_data_file:dir mounton;
allow init protect_s_data_file:dir mounton;
allow init nvcfg_file:dir mounton;
allow init persist_data_file:dir mounton;
#allow init system_file:dir setattr;
allow init tmpfs:lnk_file create;
# boot process denial clean up
allow init debugfs_ged:file w_file_perms;
# Date : WK17.39
# Operation : able to relabel mntl block device link
# Purpose : Correct permission for mntl
allow init block_device:lnk_file relabelfrom;
allow init expdb_block_device:lnk_file relabelto;
allow init mcupmfw_block_device:lnk_file relabelto;
allow init tee_block_device:lnk_file relabelto;
# Date : WK17.43
# Operation : able to insert fpsgo kernel module
# Purpose : Correct permission for fpsgo
allow init rootfs:system module_load;
# Date: W17.43
# Operation : module load
# Purpose : insmod LKM under /vendor (connsys module KO)
allow init vendor_file:system module_load;
# Date : WK17.46
# Operation : feature porting
# Purpose : kernel module verification
allow init kernel:key search;
# Date : WK17.50
# Operation : boost cpu while booting
# Purpose : enhance boottime
allow init proc_perfmgr:file write;

109
non_plat/kernel.te Normal file
View File

@ -0,0 +1,109 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.38
# Operation : Migration
# Purpose : run guitar_update for touch F/W upgrade.
allow kernel sdcard_type:dir search;
# Date : WK14.39
# Operation : Migration
# Purpose : ums driver can access blk_file
allow kernel block_device:blk_file rw_file_perms;
allow kernel loop_device:blk_file r_file_perms;
allow kernel vold_device:blk_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
allow kernel system_data_file:lnk_file r_file_perms;
# Date : WK14.31
# Operation : Migration
# Purpose : transit from kernel to aee_core_forwarder domain when executing aee_core_forwarder
domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
# Date : WK14.43
# Operation : Migration
# Purpose : Access to nvarm for reading MAC. (LOS WIFI feature)
#allow kernel nvram_device:blk_file rw_file_perms;
# Date : WK15.29
# Operation : Migration
# Purpose : grant wifi data file access for mtk_wmtd as root.
#allow kernel self:capability { dac_read_search dac_override };
# Date : WK15.35
# Operation : Migration
# Purpose : grant fon_image_data_file read permission for loop device
allow kernel fon_image_data_file:file read;
# Date : WK15.38
# Operation : Migration
# Purpose : grant proc_thermal for dir search
allow kernel proc_thermal:dir search;
# Date : WK16.11
# Operation : Migration
# Purpose : grant nvram data access permission for kernel thread mtk_wmtd to access nvram file,
# because wifi driver need to access nvram to get radio configuration. On Userdebug or Eng load,
# factory engineers may need to update nvram by Egineer Mode, so we need to grant write permissions
# on Eng or Userdebug load
allow kernel nvram_data_file:dir search;
allow kernel nvram_data_file:file r_file_perms;
allow kernel nvram_data_file:lnk_file read;
allow kernel nvdata_file:lnk_file read;
allow kernel nvdata_file:dir search;
allow kernel nvdata_file:file r_file_perms;
userdebug_or_eng(`
allow kernel nvdata_file:file w_file_perms;
')
# Date : WK16.11
# Operation : Migration
# Purpose : grant storage_file and wifi_data_file for kernel thread mtk_wmtd to access /sdcard/wifi.cfg
# and /data/misc/wifi/wifi.cfg to access wifi.cfg, in which, some wifi driver configuations are there.
allow kernel mnt_user_file:dir search;
allow kernel mnt_user_file:lnk_file read;
allow kernel wifi_data_file:file r_file_perms;
allow kernel wifi_data_file:dir search;
allow kernel storage_file:lnk_file read;
allow kernel sdcard_type:file open;
# Data : WK16.16
# Operation : Migration
# Purpose : Access to TC1 partition for reading MEID
allow kernel block_device:dir search;
# Data : WK16.16
# Operation : Migration
# Purpose : Access to TC1 partition for reading MEID
allow kernel misc2_block_device:blk_file rw_file_perms;
# Date : WK16.30
# Operation: SQC
# Purpose: Allow sdcardfs workqueue to access lower file systems
allow kernel { fuseblk }:dir create_dir_perms;
allow kernel { fuseblk }:file create_file_perms;
# Date : WK16.30
# Operation: SQC
# Purpose: Allow sdcardfs workqueue to access lower file systems
allow kernel {vfat mnt_media_rw_file}:dir create_dir_perms;
allow kernel {vfat mnt_media_rw_file}:file create_file_perms;
allow kernel kernel:key { write search setattr };
# Date : WK16.42
# Operation: SQC
# Purpose: Allow task of cpuset cgroup can migration to parent cgroup when cpus is NULL
allow kernel platform_app:process setsched;
# Date : WK17.01
# Operation: SQC
# Purpose: Allow OpenDSP kthread to write debug dump to sdcard
allow kernel audioserver:fd use;
# Date : WK18.02
# Operation: SQC
# Purpose: Allow SCP SmartPA kthread to write debug dump to sdcard
allow kernel mtk_hal_audio:fd use;

14
non_plat/keystore.te Normal file
View File

@ -0,0 +1,14 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.40 2014/12/26
# Operation : CTS 5.0_r1
# Purpose : allow access to /data/data for full CTS
allow keystore app_data_file:file write;
# Date : WK17.30 2017/07/25
# Operation : keystore
# Purpose : Fix keystore boot selinux violation
allow keystore debugfs_tracing:file write;
allow hal_keymaster_default debugfs_tracing:file write;

11
non_plat/lbs_hidl_service.te Normal file
View File

@ -0,0 +1,11 @@
type lbs_hidl_service, domain;
hal_server_domain(lbs_hidl_service, mtk_hal_lbs)
type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(lbs_hidl_service)
vndbinder_use(lbs_hidl_service)
r_dir_file(lbs_hidl_service, system_file)
unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd);
allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
allow lbs_hidl_service mnld:unix_dgram_socket sendto;

19
non_plat/lmkd.te Normal file
View File

@ -0,0 +1,19 @@
# ==============================================
# MTK Policy Rule
# ============
# Data : 2015/01/14
# Operation : MT6735 SQC bug fix
# Purpose : ALPS01905960 - selinux_warning: audit(1420845354.752:91): avc: denied { search }
# for pid=194 comm="lmkd" name="23573" dev="proc"
# ino=915740 scontext=u:r:lmkd:s0 tcontext=u:r:zygote:s0 tclass=dir permissive=0
dontaudit lmkd zygote:dir rw_dir_perms;
# Data : 2015/04/17
# Operation : tb8163p1 low memory selinux warning
# Purpose : ALPS02038466 audit(1429079840.646:7): avc: denied { use }
# for pid=170 comm="lmkd"
# path=2F6465762F6173686D656D2F4469736361726461626C654D656D6F72794173686D656D416C6C6F6361746F72202864656C6574656429
# dev="tmpfs" ino=14475 scontext=u:r:lmkd:s0 tcontext=u:r:platform_app:s0 tclass=fd permissive=0
dontaudit lmkd platform_app:fd use;

30
non_plat/md_ctrl.te Normal file
View File

@ -0,0 +1,30 @@
# ==============================================
# Policy File of /system/bin/md_ctrl Executable File
# ==============================================
# Type Declaration
# ==============================================
type md_ctrl, domain;
type md_ctrl_exec, exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.46
# Operation : Migration
# Purpose : Start md_ctrl
init_daemon_domain(md_ctrl)
allow md_ctrl ccci_device:chr_file { rw_file_perms };
allow md_ctrl devpts:chr_file { rw_file_perms };
allow md_ctrl self:capability dac_override;
allow md_ctrl muxreport_exec:file rx_file_perms;
allow md_ctrl emd_device:chr_file { rw_file_perms };
allow md_ctrl eemcs_device:chr_file { rw_file_perms };
# Needed to set vold.encryption.type
set_prop(md_ctrl, vold_prop)
# Allow read to sys/kernel/ccci/* files
allow md_ctrl sysfs_ccci:dir search;
allow md_ctrl sysfs_ccci:file r_file_perms;

55
non_plat/mdlogger.te Normal file
View File

@ -0,0 +1,55 @@
#allow mdlogger to set property
allow mdlogger debug_mdlogger_prop:property_service set;
allow mdlogger debug_prop:property_service set;
# ccci device for internal modem
allow mdlogger ccci_device:chr_file { rw_file_perms };
# usb device ttyGSx for modem logger usb logging
allow mdlogger ttyGS_device:chr_file { rw_file_perms};
# modem logger access on /data/mdlog
allow mdlogger mdlog_data_file:dir { create_dir_perms relabelto};
allow mdlogger mdlog_data_file:fifo_file { create_file_perms};
allow mdlogger mdlog_data_file:file { create_file_perms };
allow mdlogger system_data_file:dir { create_dir_perms relabelfrom};
# modem logger control port access /dev/ttyC1
allow mdlogger mdlog_device:chr_file { rw_file_perms};
#modem logger SD logging in factory mode
allow mdlogger vfat:dir create_dir_perms;
allow mdlogger vfat:file create_file_perms;
#mdlogger for read /sdcard
#allow mdlogger log_device:chr_file w_file_perms;
allow mdlogger tmpfs:lnk_file read;
allow mdlogger storage_file:lnk_file rw_file_perms;
allow mdlogger mnt_user_file:dir search;
allow mdlogger mnt_user_file:lnk_file rw_file_perms;
allow mdlogger sdcard_type:file create_file_perms;
allow mdlogger sdcard_type:dir { create_dir_perms };
allow mdlogger storage_file:dir { create_dir_perms };
allow mdlogger storage_file:file { create_file_perms };
# Allow read to sys/kernel/ccci/* files
allow mdlogger sysfs_ccci:dir search;
allow mdlogger sysfs_ccci:file r_file_perms;
# purpose: allow mdlogger to access storage in new version
allow mdlogger media_rw_data_file:file { create_file_perms };
allow mdlogger media_rw_data_file:dir { create_dir_perms };
#avc: denied { connectto } for path=006165653A72747464 scontext=u:r:mdlogger:s0
#tcontext=u:object_r:aee_aed_socket:s0 tclass=unix_stream_socket permissive=0
#security issue control
allow mdlogger aee_aed:unix_stream_socket connectto;
#Android O for created file in data
file_type_auto_trans(mdlogger, system_data_file, mdlog_data_file)
## purpose: avc: denied { read } for name="plat_file_contexts"
allow emdlogger file_contexts_file:file { read getattr open};

202
non_plat/mediacodec.te Normal file
View File

@ -0,0 +1,202 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
allow mediacodec devmap_device:chr_file { ioctl };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
#allow mediacodec self:netlink_kobject_uevent_socket read;
#allow mediacodec system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
allow mediacodec Vcodec_device:chr_file { read write ioctl open };
# Date : WK16.21
# Operation : Migration
# Purpose : VP & VR dump and debug
allow mediacodec M4U_device_device:chr_file rw_file_perms;
allow mediacodec proc:file {open read};
allow mediacodec sysfs:file {read write open};
allow mediacodec debugfs_binder:dir search;
allow mediacodec proc:file { getattr ioctl };
allow mediacodec MTK_SMI_device:chr_file { ioctl read open };
allow mediacodec storage_file:lnk_file {read write open};
allow mediacodec tmpfs:dir search;
allow mediacodec mnt_user_file:dir {write read search};
allow mediacodec mnt_user_file:lnk_file {read write};
allow mediacodec sdcard_type:dir {write read search add_name remove_name};
allow mediacodec sdcard_type:file {getattr write read create open append unlink};
allow mediacodec nvram_data_file:dir w_dir_perms;
allow mediacodec nvram_data_file:file create_file_perms;
allow mediacodec nvram_data_file:lnk_file read;
allow mediacodec nvdata_file:lnk_file read;
allow mediacodec nvdata_file:dir w_dir_perms;
allow mediacodec nvdata_file:file create_file_perms;
allow mediacodec devmap_device:chr_file r_file_perms;
allow mediacodec proc_meminfo:file {read getattr open};
# Date : WK14.36
# Operation : Migration
# Purpose : MMProfile debug
# userdebug_or_eng(`
#allow mediacodec debugfs:file {read ioctl getattr};
# ')
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
#allow mediacodec mtk_device:chr_file { read write ioctl open };
allow mediacodec mtk_sched_device:chr_file { read write ioctl open };
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
#allow mediacodec block_device:dir { write search };
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
#allow mediacodec bootanim:binder { transfer call };
# Date : WK14.39
# Operation : Migration
# Purpose : APE PLAYBACK
#binder_call(mediacodec,MtkCodecService)
# Data : WK14.39
# Operation : Migration
# Purpose : HW encrypt SW codec
allow mediacodec mediacodec_data_file:file create_file_perms;
allow mediacodec mediacodec_data_file:dir create_dir_perms;
allow mediacodec sec_device:chr_file r_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
allow mediacodec surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mediacodec sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mediacodec proc_mtkcooler:dir search;
allow mediacodec proc_mtktz:dir search;
allow mediacodec proc_thermal:dir search;
allow mediacodec proc_mtkcooler:file { read write open };
allow mediacodec proc_mtktz:file { read write open getattr };
allow mediacodec proc_thermal:file { read write open };
allow mediacodec thermal_manager_data_file:file create_file_perms;
allow mediacodec thermal_manager_data_file:dir { rw_dir_perms setattr };
allow mediacodec thermal_manager_data_file:dir search;
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
#allow mediacodec qemu_pipe_device:chr_file rw_file_perms;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mediacodec untrusted_app:dir search;
# Date : WK15.35
# Operation : Migration
# Purpose: Allow mediacodec to read binder from surfaceflinger
#allow mediacodec surfaceflinger:fifo_file {read write};
# Date : WK15.45
# Operation : 1/32x SlowMotion SQC
# Purpose : for Clearmotion LowPower Switch
#allow mediacodec mjc_lib_prop:property_service set;
#allow mediacodec mtk_mjc_prop:property_service set;
# Date : WK15.02
# Operation : 120Hz Feature SQC
# Purpose : for 120Hz Smart Switch
#allow mediacodec mtk_rrc_device:chr_file { read write ioctl open };
# Date : WK14.39
# Operation : Migration
# Purpose : MJC Driver
allow mediacodec MJC_device:chr_file { read write ioctl open };
# Date : WK16.27
# Operation : APE SQC
# Purpose : for APE file playback
allow mediacodec MtkCodecService:binder call;
allow mediacodec MtkCodecService:binder transfer;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediacodec proc_ged:file {open read write ioctl getattr};
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow mediacodec surfaceflinger:fifo_file rw_file_perms;
# Date: WK16.43
# Operator: Whitney SQC
# Purpose: mediacodec use gpu
allow mediacodec gpu_device:dir search;
allow mediacodec debug_prop:property_service set;
allow mediacodec system_prop:property_service set;
# Date : W18.01
# Add for turn on SElinux in enforcing mode
allow mediacodec vndbinder_device:chr_file rw_file_perms;
vndbinder_use(mediacodec)
# Date : WK1721
# Purpose: For FULL TREBLE
allow mediacodec system_file:dir r_dir_perms;
allow mediacodec debugfs_ion:dir search;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow mediacodec to access cmdq driver
allow mediacodec mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
allow mediacodec mtk_thermal_config_prop:file { getattr open read };
allow mediacodec mtk_thermal_config_prop:property_service set;
# Date : WK17.30
# Purpose : For Power Hal
allow mediacodec mtk_hal_power_hwservice:hwservice_manager find;
allow mediacodec mtk_hal_power:binder call;
allow mediacodec mtk_hal_power:unix_stream_socket connectto;
# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
allow mediacodec mtk_thermal_config_prop:file { getattr open read };
allow mediacodec mtk_thermal_config_prop:property_service set;
# Date : WK17.43
# Operation : Migration
# Purpose : DISP access
allow mediacodec graphics_device:chr_file { ioctl open read };
allow mediacodec graphics_device:dir search;
# Date : WK18.03
# Operation : MT6771 SQC
# Purpose : Video SW decoder setprop for dex2oat thread 2
allow mediacodec dalvik_prop:property_service set;

16
non_plat/mediadrmserver.te Normal file
View File

@ -0,0 +1,16 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediadrmserver proc_ged:file {open read write ioctl getattr};
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
allow mediaserver mtk_thermal_config_prop:file { getattr open read };
allow mediaserver mtk_thermal_config_prop:property_service set;

7
non_plat/mediaextractor.te Normal file
View File

@ -0,0 +1,7 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediaextractor proc_ged:file {open read write ioctl getattr};

386
non_plat/mediaserver.te Normal file
View File

@ -0,0 +1,386 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
allow mediaserver camera_isp_device:chr_file rw_file_perms;
allow mediaserver ccu_device:chr_file rw_file_perms;
allow mediaserver vpu_device:chr_file rw_file_perms;
allow mediaserver kd_camera_hw_device:chr_file rw_file_perms;
allow mediaserver seninf_device:chr_file rw_file_perms;
allow mediaserver self:capability { setuid ipc_lock sys_nice };
allow mediaserver sysfs_wake_lock:file rw_file_perms;
allow mediaserver MTK_SMI_device:chr_file r_file_perms;
allow mediaserver camera_pipemgr_device:chr_file r_file_perms;
allow mediaserver kd_camera_flashlight_device:chr_file rw_file_perms;
allow mediaserver lens_device:chr_file rw_file_perms;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mediaserver sdcard_type:dir { w_dir_perms create };
allow mediaserver sdcard_type:file create;
allow mediaserver nvram_data_file:dir w_dir_perms;
allow mediaserver nvram_data_file:file create_file_perms;
allow mediaserver nvram_data_file:lnk_file read;
allow mediaserver nvdata_file:lnk_file read;
allow mediaserver nvdata_file:dir w_dir_perms;
allow mediaserver nvdata_file:file create_file_perms;
allow mediaserver sdcard_type:dir remove_name;
allow mediaserver sdcard_type:file unlink;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow mediaserver nvram_device:chr_file rw_file_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow mediaserver self:netlink_kobject_uevent_socket { create setopt bind };
allow mediaserver self:capability { net_admin };
# Date : WK14.34
# Operation : Migration
# Purpose : VP/VR
allow mediaserver devmap_device:chr_file { ioctl };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow mediaserver self:netlink_kobject_uevent_socket read;
allow mediaserver system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
allow mediaserver bluetooth:unix_dgram_socket sendto;
allow mediaserver bt_a2dp_stream_socket:sock_file write;
allow mediaserver bt_int_adp_socket:sock_file write;
# Date : WK14.37
# Operation : Migration
# Purpose : camera ioctl
allow mediaserver camera_sysram_device:chr_file r_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : VDEC/VENC device node
allow mediaserver Vcodec_device:chr_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : MMProfile debug
# userdebug_or_eng(`
#allow mediaserver debugfs:file {read ioctl getattr};
# ')
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow mediaserver MtkCodecService:binder call;
allow mediaserver ccci_device:chr_file rw_file_perms;
allow mediaserver eemcs_device:chr_file rw_file_perms;
allow mediaserver devmap_device:chr_file r_file_perms;
allow mediaserver ebc_device:chr_file rw_file_perms;
allow mediaserver nvram_device:blk_file rw_file_perms;
allow mediaserver bootdevice_block_device:blk_file rw_file_perms;
# Date : WK14.36
# Operation : Migration
# Purpose : for SW codec VP/VR
#allow mediaserver mtk_device:chr_file { read write ioctl open };
allow mediaserver mtk_sched_device:chr_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
allow mediaserver block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow mediaserver fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for VP/VR
allow mediaserver block_device:dir search;
allow mediaserver FM50AF_device:chr_file rw_file_perms;
allow mediaserver AD5820AF_device:chr_file rw_file_perms;
allow mediaserver DW9714AF_device:chr_file rw_file_perms;
allow mediaserver DW9814AF_device:chr_file rw_file_perms;
allow mediaserver AK7345AF_device:chr_file rw_file_perms;
allow mediaserver DW9714A_device:chr_file rw_file_perms;
allow mediaserver LC898122AF_device:chr_file rw_file_perms;
allow mediaserver LC898212AF_device:chr_file rw_file_perms;
allow mediaserver BU6429AF_device:chr_file rw_file_perms;
allow mediaserver DW9718AF_device:chr_file rw_file_perms;
allow mediaserver BU64745GWZAF_device:chr_file rw_file_perms;
allow mediaserver MAINAF_device:chr_file rw_file_perms;
allow mediaserver MAIN2AF_device:chr_file rw_file_perms;
allow mediaserver SUBAF_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
allow mediaserver bootanim:binder { transfer call };
allow mediaserver mtkbootanimation:binder { transfer call };
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
allow mediaserver sdcard_type:file append;
# Date : WK14.39
# Operation : Migration
# Purpose : FDVT Driver
allow mediaserver camera_fdvt_device:chr_file rw_file_perms;
# Date : WK14.39
# Operation : Migration
# Purpose : APE PLAYBACK
binder_call(mediaserver,MtkCodecService)
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
allow mediaserver audiohal_prop:property_service set;
# Data : WK14.39
# Operation : Migration
# Purpose : HW encrypt SW codec
allow mediaserver mediaserver_data_file:file create_file_perms;
allow mediaserver mediaserver_data_file:dir create_dir_perms;
allow mediaserver sec_device:chr_file r_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow mediaserver graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow mediaserver smartpa_device:chr_file rw_file_perms;
# Data : WK14.40
# Operation : Migration
# Purpose : permit 'call' by audio tunning tool audiocmdservice_atci
allow mediaserver audiocmdservice_atci:binder call;
binder_call(mediaserver,audiocmdservice_atci)
# Date : WK14.40
# Operation : Migration
# Purpose : mtk_jpeg
allow mediaserver mtk_jpeg_device:chr_file r_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Lossless BT audio
#allow mediaserver shell_exec:file { read open execute execute_no_trans };
#allow mediaserver system_file:file execute_no_trans;
#allow mediaserver zygote_exec:file execute_no_trans;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow mediaserver uhid_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Camera EEPROM Calibration
allow mediaserver CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mediaserver CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mediaserver CAM_CAL_DRV2_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow mediaserver vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow mediaserver rpc_socket:sock_file write;
allow mediaserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : VP
allow mediaserver surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mediaserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mediaserver proc_mtkcooler:dir search;
allow mediaserver proc_mtktz:dir search;
allow mediaserver proc_thermal:dir search;
allow mediaserver thermal_manager_data_file:file create_file_perms;
allow mediaserver thermal_manager_data_file:dir { rw_dir_perms setattr };
# Date : WK14.46
# Operation : Migration
# Purpose : for MTK Emulator HW GPU
allow mediaserver qemu_pipe_device:chr_file rw_file_perms;
# Date : WK14.46
# Operation : Migration
# Purpose : for camera init
allow mediaserver system_server:unix_stream_socket { read write };
# Data : WK14.46
# Operation : Migration
# Purpose : for SMS app
allow mediaserver radio_data_file:dir search;
allow mediaserver radio_data_file:file open;
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow mediaserver radio:dir { search read };
allow mediaserver radio:file r_file_perms;
# Data : WK14.47
# Operation : Launch camcorder from MMS
# Purpose : Camcorder
allow mediaserver radio_data_file:file open;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mediaserver untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mediaserver offloadservice_device:chr_file rw_file_perms;
# Date : WK15.32
# Operation : Pre-sanity
# Purpose : 3A algorithm need to access sensor service
allow mediaserver sensorservice_service:service_manager find;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mediaserver system_data_file:dir write;
allow mediaserver storage_file:lnk_file {read write};
allow mediaserver mnt_user_file:dir {write read search};
allow mediaserver mnt_user_file:lnk_file {read write};
# Date : WK15.35
# Operation : Migration
# Purpose: Allow mediaserver to read binder from surfaceflinger
allow mediaserver surfaceflinger:fifo_file {read write};
# Date : WK15.45
# Purpose : camera read/write /nvcfg/camera data
allow mediaserver nvcfg_file:dir create_dir_perms;
allow mediaserver nvcfg_file:file create_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : DPE Driver
allow mediaserver camera_dpe_device:chr_file rw_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : TSF Driver
allow mediaserver camera_tsf_device:chr_file rw_file_perms;
# Date : WK1631
# Operation : N Migration
# Purpose : add permission for thermal manager
domain_auto_trans(mediaserver, thermal_manager_exec, thermal_manager)
allow mediaserver thermal_manager_exec:file { read getattr open execute};
# Date : WK16.32
# Operation : N Migration
# Purpose : RSC Driver
allow mediaserver camera_rsc_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediaserver proc_ged:file {open read write ioctl getattr};
# Date : WK16.33
# Operation : N Migration
# Purpose : GEPF Driver
allow mediaserver camera_gepf_device:chr_file rw_file_perms;
# Date : WK16.35
# Operation : Migration
# Purpose : Update camera flashlight driver device file
allow mediaserver flashlight_device:chr_file rw_file_perms;
# Data : WK16.42
# Operator: Whitney bring up
# Purpose: call surfaceflinger due to powervr
allow dumpstate surfaceflinger:fifo_file rw_file_perms;
# Date : WK16.43
# Operation : N Migration
# Purpose : WPE Driver
allow mediaserver camera_wpe_device:chr_file rw_file_perms;
allow mediaserver gpu_device:dir search;
allow mediaserver sw_sync_device:chr_file rw_file_perms;
# Date : WK17.19
# Operation : N Migration
# Purpose : OWE Driver
allow mediaserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.27
# Operation : O Migration
# Purpose : m4u Driver
allow mediaserver proc:file r_file_perms;
# Date : WK17.29
# Operation : O Migration
# Purpose : hdcp
allow mediaserver kisd:unix_stream_socket connectto;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow mediaserver mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
allow mediaserver mtk_thermal_config_prop:file { getattr open read };
allow mediaserver mtk_thermal_config_prop:property_service set;
# Date : WK17.43
# Operation : Migration
# Purpose : DISP access
allow mediaserver graphics_device:chr_file { ioctl open read };
allow mediaserver graphics_device:dir search;
# Date : WK17.44
# Operation : Migration
# Purpose : DIP Driver
allow mediaserver camera_dip_device:chr_file rw_file_perms;
# Date : WK17.44
# Operation : Migration
# Purpose : MFB Driver
allow mediaserver camera_mfb_device:chr_file rw_file_perms;
# Date : WK17.49
# Operation : MT6771 SQC
# Purpose : Allow permgr access
allow mediaserver proc_perfmgr:dir {read search};
allow mediaserver proc_perfmgr:file {open read ioctl};

108
non_plat/merged_hal_service.te Normal file
View File

@ -0,0 +1,108 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type merged_hal_service, domain;
#type merged_hal_service, domain;
type merged_hal_service_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(merged_hal_service)
hwbinder_use(merged_hal_service)
hal_server_domain(merged_hal_service, hal_vibrator)
hal_server_domain(merged_hal_service, hal_light)
hal_server_domain(merged_hal_service, hal_power)
hal_server_domain(merged_hal_service, hal_thermal)
hal_server_domain(merged_hal_service, hal_memtrack)
#adjust light brightness
allow merged_hal_service sysfs:file write;
#mtk libs_hidl_service permissions
hal_server_domain(merged_hal_service, mtk_hal_lbs)
vndbinder_use(merged_hal_service)
r_dir_file(merged_hal_service, system_file)
unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd);
allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
#mtk_gnss permissions
hal_server_domain(merged_hal_service, hal_gnss);
allow merged_hal_service mnld_data_file:sock_file create_file_perms;
allow merged_hal_service mnld_data_file:sock_file rw_file_perms;
allow merged_hal_service mnld_data_file:dir create_file_perms;
allow merged_hal_service mnld_data_file:dir rw_dir_perms;
allow merged_hal_service mnld:unix_dgram_socket sendto;
#for nvram agent hidl
allow merged_hal_service hwservicemanager_prop:file r_file_perms;
allow merged_hal_service sysfs:file { read open };
allow merged_hal_service system_data_file:lnk_file read;
hal_server_domain(merged_hal_service, hal_nvramagent)
# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
#hal_server_domain(merged_hal_service, hal_nvramagent)
#for nvram agent hidl access nvram file
allow merged_hal_service nvram_agent_service:service_manager add;
allow merged_hal_service nvram_device:blk_file rw_file_perms;
allow merged_hal_service bootdevice_block_device:blk_file rw_file_perms;
allow merged_hal_service nvdata_device:blk_file rw_file_perms;
allow merged_hal_service nvram_data_file:dir create_dir_perms;
allow merged_hal_service nvram_data_file:file create_file_perms;
allow merged_hal_service nvram_data_file:lnk_file read;
allow merged_hal_service nvdata_file:lnk_file read;
allow merged_hal_service nvdata_file:dir create_dir_perms;
allow merged_hal_service nvdata_file:file create_file_perms;
#allow merged_hal_service system_file:file execute_no_trans;
allow merged_hal_service als_ps_device:chr_file r_file_perms;
allow merged_hal_service mtk-adc-cali_device:chr_file rw_file_perms;
allow merged_hal_service gsensor_device:chr_file r_file_perms;
allow merged_hal_service gyroscope_device:chr_file r_file_perms;
allow merged_hal_service init:unix_stream_socket connectto;
allow merged_hal_service property_socket:sock_file write;
allow merged_hal_service sysfs:file write;
allow merged_hal_service self:capability { fowner chown dac_override fsetid };
allow merged_hal_service system_data_file:dir create_file_perms;
allow merged_hal_service nvram_device:chr_file rw_file_perms;
allow merged_hal_service pro_info_device:chr_file rw_file_perms;
allow merged_hal_service block_device:dir search;
allow merged_hal_service app_data_file:file write;
allow merged_hal_service mtd_device:dir search;
allow merged_hal_service mtd_device:chr_file rw_file_perms;
#graphics allocator permissions
hal_server_domain(merged_hal_service, hal_graphics_allocator)
allow merged_hal_service gpu_device:dir search;
allow merged_hal_service sw_sync_device:chr_file { open read write getattr ioctl };
allow merged_hal_service debugfs_ion:dir search;
allow merged_hal_service debugfs_tracing:file write;
allow merged_hal_service debugfs_tracing:file open;
#for ape hidl permissions
hal_server_domain(merged_hal_service,hal_mtkcodecservice)
allow merged_hal_service hidl_allocator_hwservice:hwservice_manager find;
allow merged_hal_service hidl_memory_hwservice:hwservice_manager find;
hal_client_domain(merged_hal_service, hal_allocator)
#for default drm permissions
hal_server_domain(merged_hal_service, hal_drm)
allow merged_hal_service mediacodec:fd use;
allow merged_hal_service { appdomain -isolated_app }:fd use;
allow merged_hal_service debugfs_tracing:file write;
#power permissions
allow merged_hal_service proc:dir {search getattr};
allow merged_hal_service proc:file {getattr open read write ioctl};
allow merged_hal_service debugfs_ged:dir search;
allow merged_hal_service debugfs_ged:file { getattr open read write };
allow merged_hal_service system_data_file:dir { create write add_name };
allow merged_hal_service proc_thermal:file { write open };
allow merged_hal_service proc_thermal:dir search;
allow merged_hal_service sysfs:file {open write read};
allow merged_hal_service proc_perfmgr:dir search;
allow merged_hal_service proc_perfmgr:file { getattr open read write ioctl };
allow merged_hal_service sdcard_type:dir create_dir_perms;
allow merged_hal_service sdcard_type:file create_file_perms;
allow merged_hal_service eemcs_device:chr_file rw_file_perms;
allow merged_hal_service mnt_user_file:dir create_dir_perms;
allow merged_hal_service mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
allow merged_hal_service mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
allow merged_hal_service mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};

373
non_plat/meta_tst.te Normal file
View File

@ -0,0 +1,373 @@
# ==============================================
# Policy File of /system/bin/meta_tst Executable File
# ==============================================
# MTK Policy Rule
# ==============================================
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node USB
allow meta_tst ttyGS_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node UART
allow meta_tst ttyMT_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode device node CCCI
allow meta_tst ccci_device:chr_file rw_file_perms;
allow meta_tst eemcs_device:chr_file rw_file_perms;
allow meta_tst emd_device:chr_file rw_file_perms;
allow meta_tst ttyACM_device:chr_file rw_file_perms;
allow meta_tst mdlog_device:chr_file rw_file_perms;
# Data: WK15.07
# Purpose : SDIO
allow meta_tst ttySDIO_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode file system
allow meta_tst bootdevice_block_device:blk_file rw_file_perms;
allow meta_tst mmcblk1_block_device:blk_file rw_file_perms;
allow meta_tst userdata_block_device:blk_file rw_file_perms;
allow meta_tst cache_block_device:blk_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode nvram
allow meta_tst nvram_data_file:dir create_dir_perms;
allow meta_tst nvram_data_file:file create_file_perms;
allow meta_tst nvram_data_file:lnk_file r_file_perms;
allow meta_tst nvdata_file:lnk_file r_file_perms;
allow meta_tst nvdata_file:dir create_dir_perms;
allow meta_tst nvdata_file:file create_file_perms;
allow meta_tst nvram_device:chr_file rw_file_perms;
allow meta_tst nvram_device:blk_file rw_file_perms;
allow meta_tst nvdata_device:blk_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : for meta mode audio
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir r_dir_perms;
set_prop(meta_tst, audiohal_prop);
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode RTC and PMIC
allow meta_tst rtc_device:chr_file r_file_perms;
allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: WK14.45
# Operation : Migration
# Purpose : HDCP
allow meta_tst persist_data_file:dir create_dir_perms;
allow meta_tst persist_data_file:file create_file_perms;
# Date: WK14.46
# Operation : Migration
# Purpose : Camera
allow meta_tst cct_data_file:dir create_dir_perms;
allow meta_tst cct_data_file:file create_file_perms;
allow meta_tst devmap_device:chr_file rw_file_perms;
allow meta_tst camera_pipemgr_device:chr_file rw_file_perms;
allow meta_tst MTK_SMI_device:chr_file rw_file_perms;
allow meta_tst camera_isp_device:chr_file rw_file_perms;
allow meta_tst camera_sysram_device:chr_file r_file_perms;
allow meta_tst kd_camera_flashlight_device:chr_file rw_file_perms;
allow meta_tst kd_camera_hw_device:chr_file rw_file_perms;
allow meta_tst AD5820AF_device:chr_file rw_file_perms;
allow meta_tst DW9714AF_device:chr_file rw_file_perms;
allow meta_tst DW9714A_device:chr_file rw_file_perms;
allow meta_tst LC898122AF_device:chr_file rw_file_perms;
allow meta_tst LC898212AF_device:chr_file rw_file_perms;
allow meta_tst BU6429AF_device:chr_file rw_file_perms;
allow meta_tst DW9718AF_device:chr_file rw_file_perms;
allow meta_tst BU64745GWZAF_device:chr_file rw_file_perms;
allow meta_tst MAINAF_device:chr_file rw_file_perms;
allow meta_tst MAIN2AF_device:chr_file rw_file_perms;
allow meta_tst SUBAF_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode LCM
allow meta_tst graphics_device:chr_file rw_file_perms;
allow meta_tst graphics_device:dir search;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode sensor
allow meta_tst als_ps_device:chr_file r_file_perms;
allow meta_tst gsensor_device:chr_file r_file_perms;
allow meta_tst msensor_device:chr_file r_file_perms;
allow meta_tst gyroscope_device:chr_file r_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode FM
allow meta_tst fm_device:chr_file rw_file_perms;
allow meta_tst FM50AF_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode wifi
allow meta_tst wmtWifi_device:chr_file w_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode BT
allow meta_tst stpbt_device:chr_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode GPS
#allow meta_tst gps_device:chr_file rw_file_perms;
#allow meta_tst gps_data_file:file create_file_perms;
#allow meta_tst gps_data_file:dir rw_dir_perms;
allow meta_tst gps_data_file:dir { write add_name search remove_name unlink};
allow meta_tst gps_data_file:file { read write open create getattr append setattr unlink lock};
allow meta_tst gps_data_file:lnk_file read;
allow meta_tst tmpfs:lnk_file read;
allow meta_tst agpsd_data_file:dir search;
allow meta_tst agpsd_data_file:sock_file write;
allow meta_tst mnld_device:chr_file rw_file_perms;
set_prop(meta_tst, mnld_prop);
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode NFC
allow meta_tst mt6605_device:chr_file rw_file_perms;
#Date WK14.49
#Operation : Migration
#Purpose : DRM key installation
allow meta_tst shell_exec:file rx_file_perms;
allow meta_tst system_data_file:dir create;
allow meta_tst key_install_data_file:dir w_dir_perms;
allow meta_tst key_install_data_file:file create_file_perms;
# Date: WK14.51
# Purpose : set/get cryptfs cfg in sys env
allow meta_tst misc_device:chr_file rw_file_perms;
allow meta_tst proc_lk_env:file rw_file_perms;
# Purpose : FT_EMMC_OP_FORMAT_TCARD
allow meta_tst block_device:blk_file getattr;
allow meta_tst system_block_device:blk_file getattr;
#allow meta_tst fuse_device:chr_file getattr;
allow meta_tst shell_exec:file r_file_perms;
# Date: WK15.52
# Purpose : NVRAM related LID
allow meta_tst pro_info_device:chr_file rw_file_perms;
# Date: WK15.14
# Purpose : CCT linker fail
allow meta_tst self:process execmem;
# Date: WK15.13
# Purpose: for nand project
allow meta_tst mtd_device:dir search;
allow meta_tst mtd_device:chr_file rw_file_perms;
# Date: WK15.38
# Purpose: M Migration for CCT linker fail
allow meta_tst sdcard_type:dir create_dir_perms;
allow meta_tst sdcard_type:file create_file_perms;
allow meta_tst mnt_user_file:dir search;
allow meta_tst mnt_user_file:lnk_file read;
allow meta_tst storage_file:lnk_file read;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
allow meta_tst sysfs_ccci:dir search;
allow meta_tst sysfs_ccci:file r_file_perms;
#Date: W16.17
# Purpose: N Migration for meta_tst get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="meta_tst" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow meta_tst sysfs:file rw_file_perms;
#Date: W16.17
# Purpose: N Migration For meta_tst load MD NVRAM database
# Detail avc log: [04-23-20:41:58][ 160.687655] <1>.(1)[230:logd.auditd]type=
#1400 audit(1262304165.560:24): avc: denied { read } for pid=228 comm=
#"meta_tst" name="mddb" dev="mmcblk0p20" ino=664 scontext=u:r:meta_tst:
#s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
allow meta_tst system_file:dir r_dir_perms;
# Date: WK16.18
# Purpose: for CCCI reboot modem
allow meta_tst gsm0710muxd_device:chr_file rw_file_perms;
# Date: WK16.20
# Purpose: meta_tst set sys.usb.config
set_prop(meta_tst, system_radio_prop);
#Date: W16.33
# Purpose: N Migration For CCT
allow meta_tst media_rw_data_file:dir { search read open getattr };
allow meta_tst media_rw_data_file:file { write open read};
# Date : WK16.35
# Purpose : Update camera flashlight driver device file
allow meta_tst flashlight_device:chr_file rw_file_perms;
#Date: W16.36
# Purpose: meta_tst use libmeta_rat to write libsysenv
# Detail avc log:[ 25.307141] .(5)[264:logd.auditd]type=1400 audit(1469438818.570:7):
#avc: denied { read write } for pid=312 comm="meta_tst" name="mmcblk0p2" dev="tmpfs"
#ino=4561 scontext=u:r:meta_tst:s0 tcontext=u:object_r:para_block_device:s0 tclass=blk_file permissive=0
allow meta_tst para_block_device:blk_file { read write open };
#Date: W16.44
allow meta_tst nvcfg_file:dir { search read open };
#Date: W16.45
# Purpose : Allow unmount sdcardfs mounted on /data/media
allow meta_tst sdcard_type:filesystem unmount;
allow meta_tst toolbox_exec:file { getattr execute execute_no_trans read open };
allow meta_tst storage_stub_file:dir search;
# Date: WK16.16
# Purpose: support meta mode wifi on
allow meta_tst self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
#allow meta_tst self:packet_socket { bind create write read ioctl };
#allow meta_tst net_wlan_dns_prop:property_service set;
allow meta_tst self:capability { setgid setuid };
allow meta_tst self:packet_socket create_socket_perms_no_ioctl;
allow meta_tst self:capability { setgid setuid sys_module sys_time};
#allow meta_tst wpa_exec:file getattr;
allow meta_tst wifi_data_file:dir create_dir_perms;
allow meta_tst wifi_data_file:sock_file create_file_perms;
#allow meta_tst wpa_exec:file rx_file_perms;
#allow meta_tst wpa_socket:dir create_dir_perms;
#allow meta_tst wpa_socket:sock_file create_file_perms;
allow meta_tst self:netlink_socket create_socket_perms_no_ioctl;
allow meta_tst self:rawip_socket create;
allow meta_tst self:udp_socket create_socket_perms_no_ioctl;
allow meta_tst self:rawip_socket create_socket_perms_no_ioctl;
allow meta_tst proc_ged:file r_file_perms;
allowxperm meta_tst self:udp_socket ioctl {SIOCSIFFLAGS SIOCGIFCONF SIOCIWFIRSTPRIV_08 SIOCIWFIRSTPRIV_09};
allow meta_tst meta_tst:netlink_generic_socket { read write getattr bind create setopt };
# Date : WK16.19
# Operation: meta_tst set persist.meta.connecttype property
# Purpose: Switch meta connect type, set persist.meta.connecttype as "wifi" or "usb".
set_prop(meta_tst, meta_connecttype_prop);
# Date : WK16.23
# Purpose: support meta_tst check key event
allow meta_tst input_device:dir r_dir_perms;
allow meta_tst input_device:chr_file r_file_perms;
# Date : WK16.29
# Purpose: support meta mode show string on screen
allow meta_tst ashmem_device:chr_file execute;
#Date: W16.50
# Purpose : Allow meta_tst stop service which occupy data partition.
allow meta_tst ctl_default_prop:property_service set;
#Date: W17.25
# Purpose : Allow meta_tst stop service which occupy data partition.
allow meta_tst ctl_emdlogger1_prop:property_service set;
#Date: W17.27
# Purpose : Allow meta_tst read /data/nvram link
allow meta_tst system_data_file:lnk_file read;
#Date: W17.27
# Purpose: STMicro NFC solution integration
allow meta_tst st21nfc_device:chr_file { open read write ioctl };
allow meta_tst factory_data_file:sock_file { write unlink };
allow meta_tst nfc_socket:dir search;
allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
set_prop(meta_tst,hwservicemanager_prop);
hwbinder_use(meta_tst);
hal_client_domain(meta_tst, hal_nfc);
allow meta_tst debugfs_tracing:file { open write };
# Date: W17.29
# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
hal_client_domain(meta_tst, mtk_hal_keyattestation)
# Date : WK17.30
# Operation : Android O migration
# Purpose : add sepolicy for accessing sysfs_leds
allow meta_tst sysfs_leds:lnk_file read;
allow meta_tst sysfs_leds:file rw_file_perms;
allow meta_tst sysfs_leds:dir r_dir_perms;
# Date: WK17.43
# Purpose: add permission for meta_tst access md image
allow meta_tst md_block_device:blk_file { read open };
allow meta_tst mddb_data_file:file { create open write read getattr};
allow meta_tst mddb_data_file:dir { search write add_name create getattr read open };
# Date: W17.43
# Purpose : meta connect with mdlogger by socket.
allow meta_tst emdlogger:unix_stream_socket connectto;
# Date: W17.43
# Purpose : meta connect with mobilelog by socket.
allow meta_tst mobile_log_d:unix_stream_socket connectto;
# Date: W17.43
# Purpose : meta access mobile log.
allow meta_tst logtemp_data_file:dir { relabelto create_dir_perms };
allow meta_tst logtemp_data_file:file create_file_perms;
allow meta_tst data_tmpfs_log_file:dir create_dir_perms;
allow meta_tst data_tmpfs_log_file:file create_file_perms;
# Date: W17.43
# Purpose meta access on /data/mdlog
allow meta_tst mdlog_data_file:dir { create_dir_perms relabelto };
allow meta_tst mdlog_data_file:fifo_file { create_file_perms };
allow meta_tst mdlog_data_file:file { create_file_perms };
allow meta_tst system_data_file:dir { create_dir_perms relabelfrom};
# Date: W17.43
# Purpose : Allow meta_tst to call android.hardware.audio@2.0-service-mediatek
binder_call(meta_tst, mtk_hal_audio)
allow meta_tst mtk_hal_audio:binder call;
allow meta_tst hal_audio_hwservice:hwservice_manager find;
allow meta_tst mtk_audiohal_data_file:dir {read search open};
allow meta_tst proc:file {read open};
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir w_dir_perms;
allow meta_tst audiohal_prop:property_service set;
#Data:W1745
# Purpose : Allow meta_tst to open and read proc/bootprof
allow meta_tst proc:file write;
allow meta_tst proc:file getattr;
# Date:W17.51
# Operation : lbs hal
# Purpose : lbs hidl interface permission
hal_client_domain(meta_tst, mtk_hal_lbs)
# Data:W1750
# Purpose : Allow meta_tst to access mtd device
allow meta_tst mtd_device:blk_file rw_file_perms;
#Date: W17.51
#Purpose : Allow meta_tst to access pesist.atm.mdmode in ATM.
set_prop(meta_tst, atm_mdmode_prop);
#Date: W17.51
#Purpose : Allow meta_tst to access pesist.atm.ipaddress in ATM.
set_prop(meta_tst, atm_ipaddr_prop);

21
non_plat/mmc_ffu.te Normal file
View File

@ -0,0 +1,21 @@
# ==============================================
# Policy File of /system/bin/mmc_ffu Executable File
# ==============================================
# Type Declaration
# ==============================================
type mmc_ffu, domain;
type mmc_ffu_exec, exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mmc_ffu)
# Purpose: For seek file size
allow mmc_ffu block_device:dir r_dir_perms;
# Purpose: ioctl to /dev/misc-sd and for obtaining emmc vendor id and firmware revision
allow mmc_ffu misc_sd_device:chr_file r_file_perms;
#Purpose: Write eMMC firmware data to /dev/block/mmcblk0 for upgrade firmware
allow mmc_ffu bootdevice_block_device:blk_file rw_file_perms;

98
non_plat/mnld.te Normal file
View File

@ -0,0 +1,98 @@
# ==============================================
# Policy File of /vendor/bin/mnld Executable File
# ==============================================
# Type Declaration
# ==============================================
type mnld, domain;
type mnld_exec, exec_type, file_type, vendor_file_type;
typeattribute mnld mlstrustedsubject;
# ==============================================
# MTK Policy Rule
# ==============================================
# STOPSHIP: Permissive is not allowed. CTS violation!
init_daemon_domain(mnld)
net_domain(mnld)
# Purpose : For communicate with AGPSD by socket
allow mnld agpsd_data_file:dir create_dir_perms;
allow mnld agpsd_data_file:sock_file create_file_perms;
allow mnld mtk_agpsd:unix_dgram_socket sendto;
allow mnld sysfs:file rw_file_perms;
allow mnld sysfs_wake_lock:file rw_file_perms;
# Purpose : For access NVRAM data
allow mnld nvram_data_file:dir create_dir_perms;
allow mnld nvram_data_file:file create_file_perms;
allow mnld nvram_data_file:lnk_file read;
allow mnld nvdata_file:lnk_file read;
allow mnld nvram_device:blk_file rw_file_perms;
allow mnld nvram_device:chr_file rw_file_perms;
allow mnld nvdata_file:dir create_dir_perms;
allow mnld nvdata_file:file create_file_perms;
# Purpose : For access kernel device
allow mnld mnld_data_file:dir rw_dir_perms;
allow mnld mnld_data_file:sock_file create_file_perms;
allow mnld mnld_device:chr_file rw_file_perms;
allow mnld mnld_data_file:file rw_file_perms;
allow mnld mnld_data_file:file create_file_perms;
allow mnld mnld_data_file:fifo_file create_file_perms;
#allow mnld gps_device:chr_file rw_file_perms;
# Purpose : For init process
allow mnld init:unix_stream_socket connectto;
allow mnld init:udp_socket { read write };
# Send the message to the LBS HIDL Service to forward to applications
allow mnld lbs_hidl_service:unix_dgram_socket sendto;
# Send the message to the merged hal Service to forward to applications
allow mnld merged_hal_service:unix_dgram_socket sendto;
# Purpose : For access system data
allow mnld system_data_file:dir { write add_name };
allow mnld system_data_file:lnk_file read;
allow mnld bootdevice_block_device:blk_file rw_file_perms;
allow mnld block_device:dir search;
allow mnld mnld_prop:property_service set;
allow mnld property_socket:sock_file write;
allow mnld mdlog_device:chr_file { read write };
allow mnld self:capability { fsetid dac_override };
allow mnld stpbt_device:chr_file { read write };
allow mnld ttyGS_device:chr_file { read write };
# Purpose : For file system operations
allow mnld sdcard_type:dir search;
allow mnld sdcard_type:dir write;
allow mnld sdcard_type:dir add_name;
allow mnld sdcard_type:file create;
allow mnld sdcard_type:file rw_file_perms;
allow mnld sdcard_type:file create_file_perms;
allow mnld sdcard_type:dir { read remove_name create open };
allow mnld tmpfs:lnk_file { read create open };
allow mnld mtd_device:dir search;
allow mnld mnt_user_file:lnk_file read;
allow mnld mnt_user_file:dir search;
allow mnld gps_data_file:dir { write add_name search remove_name unlink};
allow mnld gps_data_file:file { read write open create getattr append setattr unlink lock rename };
allow mnld gps_data_file:lnk_file read;
allow mnld storage_file:lnk_file read;
allow mnld nvcfg_file:dir search;
allow mnld media_rw_data_file:dir { search create read open write add_name remove_name getattr };
allow mnld media_rw_data_file:file create;
allow mnld media_rw_data_file:file rw_file_perms;
allow mnld media_rw_data_file:file create_file_perms;
# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
allow mnld proc_lk_env:file rw_file_perms;
# For HIDL, communicate mtk_hal_gnss instead of system_server
allow mnld mtk_hal_gnss:unix_dgram_socket sendto;
# Purpose : MPE sensor HIDL policy
hwbinder_use(mnld);
binder_call(mnld, system_server)
allow mnld fwk_sensor_hwservice:hwservice_manager find;
allow mnld hwservicemanager_prop:file { read open getattr };
allow mnld debugfs_tracing:file { open write };

44
non_plat/mobile_log_d.te Normal file
View File

@ -0,0 +1,44 @@
#scp
allow mobile_log_d sysfs_scp:file { open write };
allow mobile_log_d sysfs_scp:dir search;
allow mobile_log_d scp_device:chr_file { read open };
#sspm
allow mobile_log_d sysfs_sspm:file { open write };
allow mobile_log_d sysfs_sspm:dir search;
allow mobile_log_d sspm_device:chr_file { read open };
#data/misc/mblog
allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
allow mobile_log_d logmisc_data_file:file create_file_perms;
#data/log_temp
allow mobile_log_d logtemp_data_file:dir { relabelto create_dir_perms };
allow mobile_log_d logtemp_data_file:file create_file_perms;
#data/data_tmpfs_log
allow mobile_log_d data_tmpfs_log_file:dir create_dir_perms;
allow mobile_log_d data_tmpfs_log_file:file create_file_perms;
#ftrace log property
set_prop(mobile_log_d, ftrace_log_prop)
#Dat: 2017/02/14
#Purpose: allow set telephony Sensitive property
set_prop(mobile_log_d, mtk_telephony_sensitive_prop)
# Date: 2016/11/11
# purpose: allow MobileLog to access aee socket
allow mobile_log_d aee_aed:unix_stream_socket connectto;
# purpose: send log to com port
allow mobile_log_d ttyGS_device:chr_file { read write ioctl open };
# purpose: allow mobile_log_d to access persist.meta.connecttype
get_prop(mobile_log_d, meta_connecttype_prop);
# purpose: allow mobile_log_d to create socket
allow mobile_log_d port:tcp_socket { name_connect name_bind };
allow mobile_log_d mobile_log_d:tcp_socket { create connect setopt bind };
allow mobile_log_d mobile_log_d:tcp_socket { bind setopt listen accept read write };
allow mobile_log_d node:tcp_socket node_bind;

65
non_plat/mpe.te Normal file
View File

@ -0,0 +1,65 @@
# ==============================================
# Policy File of /vendor/bin/MPED Executable File
# ==============================================
# Type Declaration
# ==============================================
type MPED, domain;
type MPED_exec, exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK15.29
# Operation : Feature Developing
# Purpose : Sensor Aiding GPS
# ==============================================
init_daemon_domain(MPED)
net_domain(MPED)
# Date : WK15.29
# Operation : Feature Developing
# Purpose : Setup Connection with GPS for sensor aiding data exchange
allow MPED sdcard_type:file create_file_perms;
allow MPED sdcard_type:dir create_dir_perms;
allow MPED init:unix_stream_socket connectto;
allow MPED init:udp_socket rw_socket_perms;
allow MPED self:capability { fsetid dac_override };
allow MPED sysfs:file rw_file_perms;
allow MPED tmpfs:lnk_file create_file_perms;
# TODO::mtk work around and will fix it later
# allow MPED system_server:unix_dgram_socket sendto;
# allow MPED system_server:unix_stream_socket rw_socket_perms;
# allow MPED system_server:binder call;
# Date : WK15.30
# Operation : Feature Developing
# Purpose : Setup Connection with sensormanager to obtain mems sensor data for the calculation of dead reckoning algorithm
# binder_use(MPED)
# TODO::mtk work around and will fix it later
# binder_call(MPED,binderservicedomain)
# allow MPED servicemanager:dir search;
# allow MPED servicemanager:file r_file_perms;
# Create data/mtk_mpe_server as mpe socket
type_transition MPED system_data_file:sock_file MPED_socket "mtk_mpe_server";
allow MPED MPED_socket:sock_file { create_file_perms link };
# allow MPED system_data_file:dir remove_name;
# allow MPED system_data_file:sock_file create_file_perms;
# All others under /data get MPED_data_file
file_type_auto_trans(MPED, system_data_file, MPED_data_file);
allow MPED MPED_data_file:dir w_dir_perms;
allow MPED MPED_data_file:file create_file_perms;
# Date : WK15.33
# Operation : Feature Developing
# Purpose : Add permission for mped socket
allow MPED MPED_socket:sock_file setattr;
# Date : WK15.40
# Operation : Feature Developing
# Purpose : Add sensorservice registration permission to obtain sensor data from sensor listener
# TODO::mtk work around and will fix it later
# allow MPED sensorservice_service:service_manager find;

58
non_plat/mtk_agpsd.te Normal file
View File

@ -0,0 +1,58 @@
# ==============================================
# Policy File of /vendor/bin/mtk_agpsd Executable File
# ==============================================
# Type Declaration
# ==============================================
type mtk_agpsd_exec, exec_type, file_type, vendor_file_type;
type mtk_agpsd, domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mtk_agpsd)
net_domain(mtk_agpsd)
# Access channels to modem for E-CID, RRLP, and LPP
allow mtk_agpsd agps_device:chr_file rw_file_perms;
allow mtk_agpsd ttySDIO_device:chr_file { create setattr unlink rw_file_perms };
allow mtk_agpsd ccci_device:chr_file { create setattr unlink rw_file_perms };
# Access folders, files, and sockets in /data/agps_supl
allow mtk_agpsd agpsd_data_file:dir create_dir_perms;
allow mtk_agpsd agpsd_data_file:file create_file_perms;
allow mtk_agpsd agpsd_data_file:sock_file create_file_perms;
# Access file system partitions like /system, /data and SD Card
allow mtk_agpsd sdcard_type:dir create_dir_perms;
allow mtk_agpsd sdcard_type:file create_file_perms;
allow mtk_agpsd eemcs_device:chr_file rw_file_perms;
allow mtk_agpsd mnt_user_file:dir create_dir_perms;
# Access symbolic link files like /etc and /sdcard
allow mtk_agpsd tmpfs:lnk_file create_file_perms;
allow mtk_agpsd storage_file:lnk_file create_file_perms;
allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
allow mtk_agpsd media_rw_data_file:dir { search write add_name read open };
allow mtk_agpsd media_rw_data_file:file { create open append read getattr };
# Send supl profile configuration to SLPD (to get SUPL Reference Location for HW Fused Location)
allow mtk_agpsd slpd:unix_dgram_socket sendto;
# Operators will send agps settings via OMADM.
# Operators ask UE to save these settings into NVRAM.
allow mtk_agpsd nvcfg_file:dir create_dir_perms;
allow mtk_agpsd nvcfg_file:file create_file_perms;
# Send GNSS assistance data and AGPS commands to MTK's GPS module 'mnld'
allow mtk_agpsd mnld:unix_dgram_socket sendto;
# Send the message to the LBS HIDL Service to forward to system partitions
allow mtk_agpsd lbs_hidl_service:unix_dgram_socket sendto;
# Send the message to the merged hal Service to forward to system partitions
allow mtk_agpsd merged_hal_service:unix_dgram_socket sendto;
# Allow send socket to fusion rild
allow mtk_agpsd rild:unix_dgram_socket sendto;

250
non_plat/mtk_hal_audio.te Normal file
View File

@ -0,0 +1,250 @@
type mtk_hal_audio, domain;
hal_server_domain(mtk_hal_audio, hal_audio)
type mtk_hal_audio_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mtk_hal_audio)
hal_client_domain(mtk_hal_audio, hal_allocator)
hwbinder_use(mtk_hal_audio)
allow mtk_hal_audio ion_device:chr_file r_file_perms;
allow mtk_hal_audio system_file:dir { open read };
userdebug_or_eng(`
# used for pcm capture for debug.
allow mtk_hal_audio audiohal_data_file:dir create_dir_perms;
allow mtk_hal_audio audiohal_data_file:file create_file_perms;
')
r_dir_file(mtk_hal_audio, proc)
allow mtk_hal_audio audio_device:dir r_dir_perms;
allow mtk_hal_audio audio_device:chr_file rw_file_perms;
###
### neverallow rules
###
# mtk_hal_audio should never execute any executable without
# a domain transition
neverallow mtk_hal_audio { file_type fs_type }:file execute_no_trans;
# mtk_hal_audio should never need network access.
# Disallow network sockets.
neverallow mtk_hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
# Date : WK14.32
# Operation : Migration
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mtk_hal_audio sdcard_type:dir { w_dir_perms create };
allow mtk_hal_audio sdcard_type:file create;
allow mtk_hal_audio nvram_data_file:dir w_dir_perms;
allow mtk_hal_audio nvram_data_file:file create_file_perms;
allow mtk_hal_audio nvram_data_file:lnk_file read;
allow mtk_hal_audio nvdata_file:lnk_file read;
allow mtk_hal_audio nvdata_file:dir w_dir_perms;
allow mtk_hal_audio nvdata_file:file create_file_perms;
allow mtk_hal_audio sdcard_type:dir remove_name;
allow mtk_hal_audio sdcard_type:file unlink;
allow mtk_hal_audio system_data_file:lnk_file read;
# Date : WK14.34
# Operation : Migration
# Purpose : nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_audio nvram_device:chr_file rw_file_perms;
allow mtk_hal_audio self:netlink_kobject_uevent_socket { create setopt bind };
#allow mtk_hal_audio self:capability { net_admin };
# Date : WK14.34
# Operation : Migration
# Purpose : Smartcard Service
allow mtk_hal_audio self:netlink_kobject_uevent_socket read;
allow mtk_hal_audio system_data_file:file open;
# Date : WK14.36
# Operation : Migration
# Purpose : media server and bt process communication for A2DP data.and other control flow
#allow mtk_hal_audio bluetooth:unix_dgram_socket sendto;
allow mtk_hal_audio bt_a2dp_stream_socket:sock_file write;
allow mtk_hal_audio bt_int_adp_socket:sock_file write;
# Date : WK14.36
# Operation : Migration
# Purpose : access nvram, otp, ccci cdoec devices.
allow mtk_hal_audio MtkCodecService:binder call;
allow mtk_hal_audio ccci_device:chr_file rw_file_perms;
allow mtk_hal_audio eemcs_device:chr_file rw_file_perms;
allow mtk_hal_audio devmap_device:chr_file r_file_perms;
allow mtk_hal_audio ebc_device:chr_file rw_file_perms;
allow mtk_hal_audio nvram_device:blk_file rw_file_perms;
# Date : WK14.38
# Operation : Migration
# Purpose : NVRam access
allow mtk_hal_audio block_device:dir { write search };
# Date : WK14.38
# Operation : Migration
# Purpose : FM driver access
allow mtk_hal_audio fm_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : dump for debug
allow mtk_hal_audio sdcard_type:file append;
# Data : WK14.39
# Operation : Migration
# Purpose : dump for debug
allow mtk_hal_audio audiohal_prop:property_service set;
# Date : WK14.40
# Operation : Migration
# Purpose : HDMI driver access
allow mtk_hal_audio graphics_device:chr_file rw_file_perms;
# Date : WK14.40
# Operation : Migration
# Purpose : Smartpa
allow mtk_hal_audio smartpa_device:chr_file rw_file_perms;
# Date : WK14.41
# Operation : Migration
# Purpose : Lossless BT audio
#allow mtk_hal_audio shell_exec:file { read open execute execute_no_trans };
#allow mtk_hal_audio system_file:file execute_no_trans;
#allow mtk_hal_audio zygote_exec:file execute_no_trans;
# Date : WK14.41
# Operation : Migration
# Purpose : WFD HID Driver
allow mtk_hal_audio uhid_device:chr_file rw_file_perms;
# Date : WK14.43
# Operation : Migration
# Purpose : VOW
allow mtk_hal_audio vow_device:chr_file rw_file_perms;
# Date: WK14.44
# Operation : Migration
# Purpose : EVDO
allow mtk_hal_audio rpc_socket:sock_file write;
allow mtk_hal_audio ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow mtk_hal_audio sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
# Purpose : for change thermal policy when needed
allow mtk_hal_audio proc_mtkcooler:dir search;
allow mtk_hal_audio proc_mtktz:dir search;
allow mtk_hal_audio proc_thermal:dir search;
allow mtk_hal_audio thermal_manager_data_file:file create_file_perms;
allow mtk_hal_audio thermal_manager_data_file:dir { rw_dir_perms setattr };
# Data : WK14.46
# Operation : Migration
# Purpose : for SMS app
allow mtk_hal_audio radio_data_file:dir search;
allow mtk_hal_audio radio_data_file:file open;
# Data : WK14.47
# Operation : Audio playback
# Purpose : Music as ringtone
allow mtk_hal_audio radio:dir { search read };
allow mtk_hal_audio radio:file r_file_perms;
# Data : WK14.47
# Operation : CTS
# Purpose : cts search strange app
allow mtk_hal_audio untrusted_app:dir search;
# Date : WK15.03
# Operation : Migration
# Purpose : offloadservice
allow mtk_hal_audio offloadservice_device:chr_file rw_file_perms;
# Date : WK15.34
# Operation : Migration
# Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_audio system_data_file:dir write;
allow mtk_hal_audio storage_file:dir search;
allow mtk_hal_audio storage_file:lnk_file {read write};
allow mtk_hal_audio mnt_user_file:dir {write read search};
allow mtk_hal_audio mnt_user_file:lnk_file {read write};
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow mtk_hal_audio sysfs_ccci:file r_file_perms;
# Date : WK16.18
# Operation : Migration
# Purpose: research root dir "/"
allow mtk_hal_audio tmpfs:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: access sysfs node
allow mtk_hal_audio sysfs:file { open read write };
allow mtk_hal_audio sysfs_ccci:dir search;
# Purpose: Dump debug info
allow mtk_hal_audio debugfs_binder:dir search;
allow mtk_hal_audio kmsg_device:chr_file { open write };
allow mtk_hal_audio property_socket:sock_file write;
allow mtk_hal_audio media_rw_data_file:dir { create_dir_perms };
allow mtk_hal_audio fuse:file rw_file_perms;
allow mtk_hal_audio init:unix_stream_socket connectto;
# Date : WK16.27
# Operation : Migration
# Purpose: tunning tool update parameters
binder_call(mtk_hal_audio,radio)
allow mtk_hal_audio mtk_audiohal_data_file:dir create_dir_perms;
allow mtk_hal_audio mtk_audiohal_data_file:file create_file_perms;
# Date : WK16.28
# Operation : Migration
# Purpose: Write audio dump files to external SDCard.
allow mtk_hal_audio sdcard_type:file { create_file_perms };
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_audio proc_ged:file {open read write ioctl getattr};
set_prop(mtk_hal_audio,hwservicemanager_prop);
allow mtk_hal_audio storage_file:dir search;
# Date : W18.01
# Add for turn on SElinux in enforcing mode
allow mtk_hal_audio system_data_file:lnk_file r_file_perms;
# Fix bootup violation
allow mtk_hal_audio fuse:dir read;
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
# Date : W17.29
# Boot for opening trace file: Permission denied (13)
allow mtk_hal_audio debugfs_tracing:file { write open };
# for usb phone call, allow sys_nice
allow mtk_hal_audio self:capability sys_nice;
# Audio Tuning Tool Android O porting
binder_call(mtk_hal_audio,audiocmdservice_atci);
# audio dump
allow mtk_hal_audio media_rw_data_file:file { create read write open append getattr };
# Add for control PowerHAL
allow mtk_hal_audio mtk_hal_power_hwservice:hwservice_manager find;
binder_call(mtk_hal_audio, mtk_hal_power)
binder_call(mtk_hal_audio, merged_hal_service)
# cm4 smartpa
allow mtk_hal_audio audio_ipi_device:chr_file { read write ioctl open };

54
non_plat/mtk_hal_bluetooth.te Normal file
View File

@ -0,0 +1,54 @@
type mtk_hal_bluetooth, domain;
type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mtk_hal_bluetooth)
r_dir_file(mtk_hal_bluetooth, system_file)
# call into the Bluetooth process (callbacks)
binder_call(mtk_hal_bluetooth, bluetooth)
hwbinder_use(mtk_hal_bluetooth);
wakelock_use(mtk_hal_bluetooth);
# bluetooth factory file accesses.
r_dir_file(mtk_hal_bluetooth, bluetooth_efs_file)
allow mtk_hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
# Access to config files to look for a Bluetooth address
r_dir_file(mtk_hal_bluetooth, bluetooth_data_file)
# sysfs access.
r_dir_file(mtk_hal_bluetooth, sysfs_type)
allow mtk_hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
allow mtk_hal_bluetooth self:capability2 wake_alarm;
# Allow write access to bluetooth-specific properties
set_prop(mtk_hal_bluetooth, bluetooth_prop)
# /proc access (bluesleep etc.).
allow mtk_hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
# VTS tests need to be able to toggle rfkill
userdebug_or_eng(`
allow mtk_hal_bluetooth self:capability net_admin;
')
# Logging for backward compatibility
allow mtk_hal_bluetooth bluetooth_data_file:dir ra_dir_perms;
allow mtk_hal_bluetooth bluetooth_data_file:file create_file_perms;
# Purpose : Set to access stpbt driver & NVRAM
allow mtk_hal_bluetooth stpbt_device:chr_file rw_file_perms;
allow mtk_hal_bluetooth nvdata_file:dir search;
allow mtk_hal_bluetooth nvdata_file:file rw_file_perms;
allow mtk_hal_bluetooth nvram_data_file:lnk_file read;
allow mtk_hal_bluetooth nvdata_file:lnk_file read;
allow mtk_hal_bluetooth hwservicemanager_prop:file r_file_perms;
add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
allow mtk_hal_bluetooth system_data_file:lnk_file read;
hal_server_domain(mtk_hal_bluetooth,hal_bluetooth);

306
non_plat/mtk_hal_camera.te Normal file
View File

@ -0,0 +1,306 @@
# ==============================================================================
# Policy File of /vendor/bin/camerahalserver Executable File
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_camera, domain;
type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
# ==============================================================================
# MTK Policy Rule
# ==============================================================================
# -----------------------------------
# Purpose: Binderized HAL Server
# -----------------------------------
# Set up a transition from init to the camerahalserver upon executing its binary.
init_daemon_domain(mtk_hal_camera)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
hal_server_domain(mtk_hal_camera, hal_camera)
# Allow camerahalserver to use HwBinder and vendor binder IPC.
hwbinder_use(mtk_hal_camera)
vndbinder_use(mtk_hal_camera)
allow mtk_hal_camera hwservicemanager_prop:file { open read getattr };
# -----------------------------------
# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
# -----------------------------------
# callback to cameraserver
binder_call(mtk_hal_camera, cameraserver)
# callback to shell for debugging
binder_call(mtk_hal_camera, shell)
# callback to /vendor/bin/aee_aedv for aee debugging
binder_call(mtk_hal_camera, aee_aedv)
# call the graphics allocator hal
binder_call(mtk_hal_camera, hal_graphics_allocator)
# call PowerHal
binder_call(mtk_hal_camera, mtk_hal_power)
# -----------------------------------
# Purpose: Allow camerahalserver to find a service from hwservice_manager
# -----------------------------------
allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
allow mtk_hal_camera mtk_hal_power_hwservice:hwservice_manager find;
allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
# -----------------------------------
# Purpose: Camera-related devices (driver)
# -----------------------------------
allow mtk_hal_camera proc:file { read ioctl open };
allow mtk_hal_camera sysfs:file { read write open getattr };
allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
allow mtk_hal_camera lens_device:chr_file rw_file_perms;
# FDVT Driver
allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
# DPE Driver
allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
# MFB Driver
allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
# WPE Driver
allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
# mtk_jpeg
allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
# Purpose: RSC driver
allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
# Purpose: OWE driver
allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
# Purpose: AF related
allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
# Purpose: Camera EEPROM Calibration
allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
# -----------------------------------
# Purpose: Other device drivers used by camera
# -----------------------------------
allow mtk_hal_camera ion_device:chr_file rw_file_perms;
allow mtk_hal_camera sw_sync_device:chr_file getattr;
allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
# -----------------------------------
# Purpose: Filesystem in Userspace (FUSE)
# - sdcard access (buffer dump for EM mode)
# -----------------------------------
allow mtk_hal_camera fuse:dir { search read write };
allow mtk_hal_camera fuse:file rw_file_perms;
# -----------------------------------
# Purpose: Storage access
# -----------------------------------
## Date : WK14.XX-15.XX
## nvram access
allow mtk_hal_camera block_device:dir { write search };
allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
## nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
## Date : WK14.XX-15.XX
## sdcard access - dump for debug
allow mtk_hal_camera sdcard_type:dir { write add_name create };
allow mtk_hal_camera sdcard_type:file { append create getattr };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow mtk_hal_camera mtkcam_prop:file { open read getattr };
# -----------------------------------
# Android O
# Purpose: Shell Debugging
# -----------------------------------
# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
# (used in user build)
allow mtk_hal_camera shell:unix_stream_socket { read write };
allow mtk_hal_camera shell:fifo_file write;
# -----------------------------------
# Android O
# Purpose: AEE Debugging
# -----------------------------------
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow mtk_hal_camera dumpstate:binder { call };
allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
allow mtk_hal_camera dumpstate:fd { use };
allow mtk_hal_camera dumpstate:fifo_file write;
# Purpose: avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.fXpwOm/SYS_DEBUG_MTKCAM"
# dev="dm-0" ino=82287 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_data_file:s0
# tclass=file permissive=0
allow mtk_hal_camera aee_exp_data_file:dir { w_dir_perms };
allow mtk_hal_camera aee_exp_data_file:file { create_file_perms };
# -----------------------------------
# Android O
# Purpose: Debugging
# -----------------------------------
# Purpose: libmemunreachable.so/GetUnreachableMemory()
allow mtk_hal_camera self:process { ptrace };
################################################################################
# Date : WK14.XX-15.XX
# Operation : Copy from Media server
allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
allow mtk_hal_camera nvdata_file:dir { write search add_name };
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera proc_meminfo:file { read getattr open };
## Purpose : for low SD card latency issue
allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
## Purpose : for change thermal policy when needed
allow mtk_hal_camera proc_mtkcooler:dir search;
allow mtk_hal_camera proc_mtktz:dir search;
allow mtk_hal_camera proc_thermal:dir search;
allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
## Purpose : cts search strange app
allow mtk_hal_camera untrusted_app:dir search;
## Purpose : offloadservice
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_camera system_data_file:dir write;
allow mtk_hal_camera storage_file:lnk_file {read write};
allow mtk_hal_camera mnt_user_file:dir {write read search};
allow mtk_hal_camera mnt_user_file:lnk_file {read write};
allow mtk_hal_camera media_rw_data_file:dir {getattr create};
## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
allow mtk_hal_camera surfaceflinger:fifo_file {read write};
## Purpose : camera read/write /nvcfg/camera data
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
allow mtk_hal_camera nvcfg_file:file create_file_perms;
# Purpose : for camera init
allow mtk_hal_camera system_server:unix_stream_socket { read write };
################################################################################
# Date : WK16
# Operation : N Migration
## Purpose: research root dir "/"
allow mtk_hal_camera tmpfs:dir search;
## Purpose : EGL file access
allow mtk_hal_camera system_file:dir { read open };
allow mtk_hal_camera gpu_device:dir search;
allow mtk_hal_camera gpu_device:chr_file { read open write getattr ioctl };
## Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_camera proc_ged:file {open read write ioctl getattr};
################################################################################
# Date : WK17
# Operation : O Migration
## Purpose: Allow to call hal_graphics_allocator binder.
allow mtk_hal_camera system_data_file:lnk_file read;
allow mtk_hal_camera debugfs_tracing:file { write open };
## Purpose : camera3 IT/CTS
allow mtk_hal_camera debugfs_ion:dir search;
allow mtk_hal_camera hal_graphics_composer_default:fd use;
allow mtk_hal_camera property_socket:sock_file write;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.36
# Operation : O Migration
# Purpose: Allow to access battery status
allow mtk_hal_camera sysfs_power_supply:dir search;
allow mtk_hal_camera sysfs_power_supply:file { getattr open read };
# Date : WK17.39
# Operation : O Migration
# Purpose: Change thermal config
allow mtk_hal_camera mtk_thermal_config_prop:property_service set;
# Date : WK17.48
# Stage: O Migration
# Purpose: CCT
allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
allow mtk_hal_camera graphics_device:dir search;
allow mtk_hal_camera cct_data_file:dir create_dir_perms;
allow mtk_hal_camera cct_data_file:file create_file_perms;
allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
# Date : WK18.01
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee commmand
userdebug_or_eng(`
allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
')
# Date : WK18.02
# Stage: O Migration
# Purpose: ISP tuning remapping
allow mtk_hal_camera mediatek_prop:property_service set;

20
non_plat/mtk_hal_gnss.te Normal file
View File

@ -0,0 +1,20 @@
type mtk_hal_gnss, domain;
hal_server_domain(mtk_hal_gnss, hal_gnss);
type mtk_hal_gnss_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(mtk_hal_gnss)
#TODO:: work around solution, wait for correct solution from google
vndbinder_use(mtk_hal_gnss)
r_dir_file(mtk_hal_gnss, system_file)
# Communicate over a socket created by mnld process.
#allow mtk_hal_gnss debuggerd:fd use;
allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;
allow mtk_hal_gnss mnld_data_file:sock_file rw_file_perms;
allow mtk_hal_gnss mnld_data_file:dir create_file_perms;
allow mtk_hal_gnss mnld_data_file:dir rw_dir_perms;
allow mtk_hal_gnss mnld:unix_dgram_socket sendto;

35
non_plat/mtk_hal_imsa.te Normal file
View File

@ -0,0 +1,35 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_imsa, domain, mtkimsapdomain;
type mtk_hal_imsa_exec, exec_type, vendor_file_type, file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mtk_hal_imsa)
# hwbinder access
hwbinder_use(mtk_hal_imsa)
hal_server_domain(mtk_hal_imsa, hal_imsa)
add_hwservice(hal_imsa_server, mtk_hal_imsa_hwservice)
# call into system_server process (callbacks)
binder_call(mtk_hal_imsa, system_server)
# Date : 2017/05/18
# Operation : VoLTE sanity
# Purpose : Add permission for IMSA connect to IMSM
allow mtk_hal_imsa rild_imsm_socket:sock_file write;
# Date : 2017/06/08
# Operation : IMSA sanity
# Purpose : Add permission for IMSA connect to hwservicemanager
allow mtk_hal_imsa hwservicemanager_prop:file { read open };
allow mtk_hal_imsa hwservicemanager_prop:file getattr;
# Date : 2017/06/13
# Operation : IMSA sanity
# Purpose : Add permission for IMSA to access radio
allow mtk_hal_imsa radio:binder call;
allow mtk_hal_imsa debugfs_tracing:file { write open };

7
non_plat/mtk_hal_keyattestation.te Normal file
View File

@ -0,0 +1,7 @@
# HwBinder IPC from client to server
binder_call(mtk_hal_keyattestation_client, mtk_hal_keyattestation_server);
add_hwservice(mtk_hal_keyattestation_server, mtk_hal_keyattestation_hwservice)
allow mtk_hal_keyattestation_client mtk_hal_keyattestation_hwservice:hwservice_manager find;
# allow hal_keymaster tee_device:chr_file rw_file_perms;

8
non_plat/mtk_hal_lbs.te Normal file
View File

@ -0,0 +1,8 @@
# HwBinder IPC from client to server, and callbacks
binder_call(mtk_hal_lbs_client, mtk_hal_lbs_server)
binder_call(mtk_hal_lbs_server, mtk_hal_lbs_client)
add_hwservice(mtk_hal_lbs_server, mtk_hal_lbs_hwservice)
allow mtk_hal_lbs_client mtk_hal_lbs_hwservice:hwservice_manager find;
vndbinder_use(mtk_hal_lbs)

24
non_plat/mtk_hal_light.te Normal file
View File

@ -0,0 +1,24 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_light, domain;
type mtk_hal_light_exec, exec_type, file_type, vendor_file_type;
# hwbinder access
init_daemon_domain(mtk_hal_light)
hwbinder_use(mtk_hal_light)
# call into system_server process (callbacks)
binder_call(mtk_hal_light, system_server)
# system file
allow mtk_hal_light system_file:dir read;
allow mtk_hal_light system_file:dir open;
allow mtk_hal_light sysfs:file rw_file_perms;
allow mtk_hal_light sysfs_leds:lnk_file read;
allow mtk_hal_light sysfs_leds:file rw_file_perms;
allow mtk_hal_light sysfs_leds:dir r_dir_perms;
allow mtk_hal_light hwservicemanager_prop:file r_file_perms;
hal_server_domain(mtk_hal_light,hal_light);

87
non_plat/mtk_hal_power.te Normal file
View File

@ -0,0 +1,87 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_power, domain;
type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
# hwbinder access
init_daemon_domain(mtk_hal_power)
hwbinder_use(mtk_hal_power);
allow mtk_hal_power hwservicemanager_prop:file r_file_perms;
allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;
add_hwservice(hal_power, mtk_hal_power_hwservice)
allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
hal_server_domain(mtk_hal_power, hal_power);
# proc fs
allow mtk_hal_power proc:dir {search getattr};
allow mtk_hal_power proc:file {getattr open read write ioctl};
# sysfs
allow mtk_hal_light sysfs:file rw_file_perms;
allow mtk_hal_power sysfs_devices_system_cpu:file write;
# debugfs
allow mtk_hal_power debugfs_ged:dir search;
allow mtk_hal_power debugfs_ged:file { getattr open read write };
allow mtk_hal_power system_data_file:dir { create write add_name };
# proc_thermal
allow mtk_hal_power proc_thermal:file { write open };
# proc info
allow mtk_hal_power mtk_hal_audio:dir getattr;
# Date : 2017/10/02
# Operation: SQC
# Purpose : Allow powerHAL to access perfmgr
allow mtk_hal_power proc_perfmgr:dir search;
allow mtk_hal_power proc_perfmgr:file { getattr open read write ioctl };
# Date : 2017/10/11
# Operation: SQC
# Purpose : Allow powerHAL to access powerhal folder
allow mtk_hal_power sdcard_type:dir create_dir_perms;
allow mtk_hal_power sdcard_type:file create_file_perms;
allow mtk_hal_power eemcs_device:chr_file rw_file_perms;
allow mtk_hal_power mnt_user_file:dir create_dir_perms;
allow mtk_hal_power mtk_powerhal_data_file:dir {create_dir_perms rw_dir_perms};
allow mtk_hal_power mtk_powerhal_data_file:file {create_file_perms rw_file_perms};
allow mtk_hal_power mtk_powerhal_data_file:sock_file {create_file_perms rw_file_perms};
#camera contorl cpu
allow mtk_hal_power mtk_hal_camera:dir search;
allow mtk_hal_power mtk_hal_camera:file { read open };
# Date : 2017/10/24
# Operation: SQC
# Purpose : Allow powerHAL to access thermal
allow mtk_hal_power proc_thermal:dir search;
allow mtk_hal_power sysfs:file {open write read};
allow mtk_hal_power debugfs_fpsgo:dir search;
allow mtk_hal_power debugfs_fpsgo:file { getattr open write read };
# Date : 2017/12/19
# Operation: SQC
# Purpose : Allow powerHAL to access wlan
allow mtk_hal_power proc_net:file {open write};
# Date : 2017/12/21
# Operation: SQC
# Purpose : Allow powerHAL to access mediacodec
allow mtk_hal_power mediacodec:dir search;
allow mtk_hal_power mediacodec:file { getattr open write read };
set_prop(mtk_hal_power, mtk_thermal_config_prop)
# Date : 2018/01/31
# Operation: SQC
# Purpose : Allow powerHAL to access /proc/[pid]
allow mtk_hal_power su:dir { search getattr };
allow mtk_hal_power su:file { read open };

40
non_plat/mtk_hal_pq.te Normal file
View File

@ -0,0 +1,40 @@
# ==============================================
# Policy File of /vendor/bin/hw/vendor.mediatek.hardware.pq@2.0-service Executable File
# ==============================================
# Type Declaration
# ==============================================
type mtk_hal_pq, domain;
type mtk_hal_pq_exec, exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
# Setup for domain transition
init_daemon_domain(mtk_hal_pq)
# Allow to use HWBinder IPC
hwbinder_use(mtk_hal_pq);
# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
hal_server_domain(mtk_hal_pq, hal_pq)
# add/find permission rule to hwservicemanager
add_hwservice(hal_pq_server, mtk_hal_pq_hwservice)
# Allow to allocate hidl memory
hal_client_domain(mtk_hal_pq, hal_allocator)
# Purpose : Allow to use kernel driver
allow mtk_hal_pq graphics_device:chr_file { read write open ioctl };
# Purpose : Allow property set
allow mtk_hal_pq init:unix_stream_socket connectto;
allow mtk_hal_pq property_socket:sock_file write;
allow mtk_hal_pq system_prop:property_service set;
allow mtk_hal_pq debug_prop:property_service set;
# Purpose : Allow permission to get AmbientLux from hwservice_manager
allow mtk_hal_pq fwk_sensor_hwservice:hwservice_manager find;

52
non_plat/mtk_hal_sensors.te Normal file
View File

@ -0,0 +1,52 @@
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_sensors, domain;
type mtk_hal_sensors_exec, exec_type, file_type, vendor_file_type;
# hwbinder access
init_daemon_domain(mtk_hal_sensors)
hwbinder_use(mtk_hal_sensors)
# call into system_server process (callbacks)
binder_call(mtk_hal_sensors, system_server)
# system file
allow mtk_hal_sensors system_file:dir read;
allow mtk_hal_sensors system_file:dir open;
# sensors input rw access
allow mtk_hal_sensors sysfs:file rw_file_perms;
# hal sensor for chr_file
allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;
allow mtk_hal_sensors hwservicemanager_prop:file r_file_perms;
#hwservicemanager
hal_server_domain(mtk_hal_sensors, hal_sensors);
#allow mtk_hal_sensors hal_sensors_hwservice:hwservice_manager { add find };
#allow mtk_hal_sensors hidl_base_hwservice:hwservice_manager add;
# Access sensor bio devices
allow mtk_hal_sensors m_acc_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_als_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_ps_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_mag_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_gyro_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_baro_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_hmdy_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_act_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_pedo_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_situ_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_step_c_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_fusion_misc_device:chr_file rw_file_perms;
allow mtk_hal_sensors m_bio_misc_device:chr_file rw_file_perms;
# Access mtk sensor setting and calibration node.
# for data
allow mtk_hal_sensors sensor_data_file:file create_file_perms;
allow mtk_hal_sensors sensor_data_file:dir create_dir_perms;
# for nvcfg
allow mtk_hal_sensors nvcfg_file:file create_file_perms;
allow mtk_hal_sensors nvcfg_file:dir create_dir_perms;

41
non_plat/mtk_hal_wifi_hostapd.te Normal file
View File

@ -0,0 +1,41 @@
# HwBinder IPC from client to server
binder_call(mtk_hal_wifi_hostapd_client, mtk_hal_wifi_hostapd_server)
binder_call(mtk_hal_wifi_hostapd_server, mtk_hal_wifi_hostapd_client)
add_hwservice(mtk_hal_wifi_hostapd_server, mtk_hal_wifi_hostapd_hwservice)
allow mtk_hal_wifi_hostapd_client mtk_hal_wifi_hostapd_hwservice:hwservice_manager find;
# in addition to ioctls whitelisted for all domains, grant mtk_hal_wifi_hostapd priv_sock_ioctls.
allowxperm mtk_hal_wifi_hostapd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(mtk_hal_wifi_hostapd, sysfs_type)
r_dir_file(mtk_hal_wifi_hostapd, proc_net)
allow mtk_hal_wifi_hostapd kernel:system module_request;
allow mtk_hal_wifi_hostapd self:capability { setuid net_admin setgid net_raw };
allow mtk_hal_wifi_hostapd cgroup:dir create_dir_perms;
allow mtk_hal_wifi_hostapd self:netlink_route_socket nlmsg_write;
allow mtk_hal_wifi_hostapd self:netlink_socket create_socket_perms_no_ioctl;
allow mtk_hal_wifi_hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
allow mtk_hal_wifi_hostapd self:packet_socket create_socket_perms;
allowxperm mtk_hal_wifi_hostapd self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
allow mtk_hal_wifi_hostapd wifi_data_file:dir create_dir_perms;
allow mtk_hal_wifi_hostapd wifi_data_file:file create_file_perms;
# Create a socket for receiving info from wpa
allow mtk_hal_wifi_hostapd wpa_socket:dir create_dir_perms;
allow mtk_hal_wifi_hostapd wpa_socket:sock_file create_file_perms;
# Allow hostapd_cli to work. hostapd_cli creates a socket in
# /data/misc/wifi/sockets which mtk_hal_wifi_hostapd hostapd communicates with.
userdebug_or_eng(`
unix_socket_send(mtk_hal_wifi_hostapd, wpa, su)
')
###
### neverallow rules
###
# hostapd should not trust any data from sdcards
neverallow mtk_hal_wifi_hostapd_server sdcard_type:dir ~getattr;
neverallow mtk_hal_wifi_hostapd_server sdcard_type:file *;

26
non_plat/mtk_wmt_launcher.te Normal file
View File

@ -0,0 +1,26 @@
# ==============================================
# Policy File of /system/bin/mtk_wmt_launcher Executable File
# ==============================================
# Type Declaration
# ==============================================
type mtk_wmt_launcher ,domain;
type mtk_wmt_launcher_exec , exec_type, file_type, vendor_file_type;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mtk_wmt_launcher)
# set the property
set_prop(mtk_wmt_launcher, wmt_prop)
# add ioctl/open/read/write permission for mtk_wmt_launcher with /dev/stpwmt
allow mtk_wmt_launcher stpwmt_device:chr_file rw_file_perms;
allow mtk_wmt_launcher devpts:chr_file rw_file_perms;
allow mtk_wmt_launcher system_file:dir { read open };
# Date : W18.01
# Add for turn on SElinux in enforcing mode
allow mtk_wmt_launcher vendor_file:dir { read open };

55
non_plat/mtkbootanimation.te Normal file
View File

@ -0,0 +1,55 @@
# ==============================================
# MTK Policy Rule
# ============
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
allow mtkbootanimation custom_file:dir search;
allow mtkbootanimation custom_file:file r_file_perms;
allow mtkbootanimation bootani_prop:property_service set;
# Date : WK14.46
# Operation : Migration
# Purpose : For MTK Emulator HW GPU
allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mtkbootanimation proc_ged:file {open read write ioctl getattr};
# Date : WK14.31
# Operation : Migration
# Purpose : access to sec mem proc interface.
allow mtkbootanimation proc_secmem:file { read open};
# Date : WK14.36
# Operation : Migration
# Purpose : for ui
allow mtkbootanimation guiext-server:binder call;
allow mtkbootanimation guiext-server:binder transfer;
# Date : WK16.29
# Operation : Migration
# Purpose : for gpu access
allow mtkbootanimation dri_device:chr_file { read write open ioctl };
# Date : WK14.37
# Operation : Migration
# Purpose : for op
#allow mtkbootanimation terservice:binder call;
# Date : WK15.30
# Operation : Migration
# Purpose : for device bring up, not to block early migration/sanity
#allow mtkbootanimation terservice_service:service_manager find;
# Date : WK17.29
# Operation : Migration
# Purpose : for device bring up
allow mtkbootanimation guiext-server_service:service_manager find;
# Date : WK17.48
# Operation : Migration
# Purpose : FPSGO integration
allow mtkbootanimation proc_perfmgr:dir {search read};
allow mtkbootanimation proc_perfmgr:file {open read ioctl};

135
non_plat/mtkfusionrild.te Normal file
View File

@ -0,0 +1,135 @@
# ==============================================
# Policy File of /vendor/bin/rild Executable File
# ==============================================
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
# Access to wake locks
wakelock_use(rild)
# Trigger module auto-load.
allow rild kernel:system module_request;
# Capabilities assigned for rild
allow rild self:capability { setuid net_admin net_raw };
allow rild self:capability dac_override;
# Control cgroups
allow rild cgroup:dir create_dir_perms;
# Property service
# allow set RIL related properties (radio./net./system./etc)
set_prop(rild, radio_prop)
set_prop(rild, net_radio_prop)
set_prop(rild, system_radio_prop)
set_prop(rild, persist_ril_prop)
auditallow rild net_radio_prop:property_service set;
auditallow rild system_radio_prop:property_service set;
set_prop(rild, ril_active_md_prop)
# allow set muxreport control properties
set_prop(rild, ril_cdma_report_prop)
set_prop(rild, ril_mux_report_case_prop)
set_prop(rild, ctl_muxreport-daemon_prop)
# Access to wake locks
wakelock_use(rild)
# Allow access permission to efs files
allow rild efs_file:dir create_dir_perms;
allow rild efs_file:file create_file_perms;
allow rild bluetooth_efs_file:file r_file_perms;
allow rild bluetooth_efs_file:dir r_dir_perms;
# Allow access permission to dir/files
# (radio data/system data/proc/etc)
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;
allow rild system_data_file:dir r_dir_perms;
allow rild system_data_file:file r_file_perms;
allow rild system_file:file x_file_perms;
allow rild proc:file rw_file_perms;
allow rild proc_net:file w_file_perms;
# Allow rild to create and use netlink sockets.
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow rild self:netlink_socket create_socket_perms;
#allow rild self:netlink_kobject_uevent_socket create_socket_perms;
# Set and get routes directly via netlink.
allow rild self:netlink_route_socket nlmsg_write;
# Allow rild to create sockets.
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow rild self:socket create_socket_perms;
# Allow read/write to devices/files
allow rild alarm_device:chr_file rw_file_perms;
allow rild radio_device:chr_file rw_file_perms;
allow rild radio_device:blk_file r_file_perms;
allow rild mtd_device:dir search;
# Allow read/write to uart driver (for GPS)
#allow rild gps_device:chr_file rw_file_perms;
# Allow read/write to tty devices
allow rild tty_device:chr_file rw_file_perms;
allow rild eemcs_device:chr_file { rw_file_perms };
allow rild Vcodec_device:chr_file { rw_file_perms };
allow rild devmap_device:chr_file { r_file_perms };
allow rild devpts:chr_file { rw_file_perms };
allow rild ccci_device:chr_file { rw_file_perms };
allow rild misc_device:chr_file { rw_file_perms };
allow rild proc_lk_env:file rw_file_perms;
allow rild sysfs_vcorefs_pwrctrl:file { w_file_perms };
allow rild bootdevice_block_device:blk_file { rw_file_perms };
allow rild para_block_device:blk_file { rw_file_perms };
# Allow dir search, fd uses
allow rild block_device:dir search;
#allow rild platformblk_device:dir search;
allow rild platform_app:fd use;
allow rild radio:fd use;
# For MAL MFI
allow rild mal_mfi_socket:sock_file { w_file_perms };
# For ccci sysfs node
allow rild sysfs_ccci:dir search;
allow rild sysfs_ccci:file r_file_perms;
#Date : W17.18
#Purpose: Treble SEpolicy denied clean up
add_hwservice(hal_telephony_server, mtk_hal_rild_hwservice)
allow hal_telephony_client mtk_hal_rild_hwservice:hwservice_manager find;
#Date : W17.21
#Purpose: Grant permission to access binder dev node
vndbinder_use(rild)
#Dat: 2017/03/27
#Purpose: allow set telephony Sensitive property
set_prop(rild, mtk_telephony_sensitive_prop)
# For AGPSD
allow rild mtk_agpsd:unix_stream_socket connectto;
#Date 2017/10/12
#Purpose: allow set MTU size
allow rild toolbox_exec:file getattr;
allow rild toolbox_exec:file {execute read open};
allow rild toolbox_exec:file {execute_no_trans};
allow rild mtk_net_ipv6_prop:property_service set;
#Dat: 2017/10/17
# Allow to use sysenv & persist.radio.multisim.config
# for dynamic feature switch between ss & dsds
allow rild sysfs:file open;
allow rild sysfs:file read;
allow rild usp_prop:property_service set;
#Date: 2017/12/6
#Purpose: allow set the RS times for /proc/sys/net/ipv6/conf/ccmniX/router_solicitations
allow rild vendor_shell_exec:file {execute_no_trans};
allow rild vendor_toolbox_exec:file {execute_no_trans};

128
non_plat/mtkrild.te Normal file
View File

@ -0,0 +1,128 @@
# ==============================================
# Policy File of /system/bin/mtkrild Executable File
# ==============================================
# Type Declaration
# ==============================================
type mtkrild_exec , exec_type, file_type, vendor_file_type;
type mtkrild ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(mtkrild)
net_domain(mtkrild)
# Trigger module auto-load.
allow mtkrild kernel:system module_request;
# Capabilities assigned for mtkrild
allow mtkrild self:capability { setuid net_admin net_raw };
allow mtkrild self:capability dac_override;
# Control cgroups
allow mtkrild cgroup:dir create_dir_perms;
# Property service
# allow set RIL related properties (radio./net./system./etc)
set_prop(mtkrild, radio_prop)
set_prop(mtkrild, net_radio_prop)
set_prop(mtkrild, system_radio_prop)
set_prop(mtkrild, persist_ril_prop)
auditallow mtkrild net_radio_prop:property_service set;
auditallow mtkrild system_radio_prop:property_service set;
set_prop(mtkrild, ril_active_md_prop)
# allow set muxreport control properties
set_prop(mtkrild, ril_cdma_report_prop)
set_prop(mtkrild, ril_mux_report_case_prop)
set_prop(mtkrild, ctl_muxreport-daemon_prop)
#Dat: 2017/02/14
#Purpose: allow set telephony Sensitive property
set_prop(mtkrild, mtk_telephony_sensitive_prop)
# Access to wake locks
wakelock_use(mtkrild)
# Allow access permission to efs files
allow mtkrild efs_file:dir create_dir_perms;
allow mtkrild efs_file:file create_file_perms;
allow mtkrild bluetooth_efs_file:file r_file_perms;
allow mtkrild bluetooth_efs_file:dir r_dir_perms;
# Allow access permission to dir/files
# (radio data/system data/proc/etc)
allow mtkrild radio_data_file:dir rw_dir_perms;
allow mtkrild radio_data_file:file create_file_perms;
allow mtkrild sdcard_type:dir r_dir_perms;
allow mtkrild system_data_file:dir r_dir_perms;
allow mtkrild system_data_file:file r_file_perms;
allow mtkrild system_file:file x_file_perms;
allow mtkrild proc:file rw_file_perms;
allow mtkrild proc_net:file w_file_perms;
# Allow mtkrild to create and use netlink sockets.
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow mtkrild self:netlink_socket create_socket_perms;
#allow mtkrild self:netlink_kobject_uevent_socket create_socket_perms;
# Set and get routes directly via netlink.
allow mtkrild self:netlink_route_socket nlmsg_write;
# Allow mtkrild to create sockets.
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow mtkrild self:socket create_socket_perms;
# Allow read/write to devices/files
allow mtkrild alarm_device:chr_file rw_file_perms;
allow mtkrild radio_device:chr_file rw_file_perms;
allow mtkrild radio_device:blk_file r_file_perms;
allow mtkrild mtd_device:dir search;
# Allow read/write to uart driver (for GPS)
#allow mtkrild gps_device:chr_file rw_file_perms;
# Allow read/write to tty devices
allow mtkrild tty_device:chr_file rw_file_perms;
allow mtkrild eemcs_device:chr_file { rw_file_perms };
allow mtkrild Vcodec_device:chr_file { rw_file_perms };
allow mtkrild devmap_device:chr_file { r_file_perms };
allow mtkrild devpts:chr_file { rw_file_perms };
allow mtkrild ccci_device:chr_file { rw_file_perms };
allow mtkrild misc_device:chr_file { rw_file_perms };
allow mtkrild proc_lk_env:file rw_file_perms;
allow mtkrild sysfs_vcorefs_pwrctrl:file { w_file_perms };
allow mtkrild bootdevice_block_device:blk_file { rw_file_perms };
allow mtkrild para_block_device:blk_file { rw_file_perms };
# Allow dir search, fd uses
allow mtkrild block_device:dir search;
#allow mtkrild platformblk_device:dir search;
allow mtkrild platform_app:fd use;
allow mtkrild radio:fd use;
# For emulator
allow mtkrild qemu_pipe_device:chr_file rw_file_perms;
allow mtkrild socket_device:sock_file { w_file_perms };
# For MAL MFI
allow mtkrild mal_mfi_socket:sock_file { w_file_perms };
# For ccci sysfs node
allow mtkrild sysfs_ccci:dir search;
allow mtkrild sysfs_ccci:file r_file_perms;
allow init socket_device:sock_file { create unlink setattr };
#For Kryptowire mtklog issue
allow mtkrild aee_aedv:unix_stream_socket connectto;
# Allow ioctl in order to control network interface
allowxperm mtkrild self:udp_socket ioctl {SIOCDELRT SIOCSIFFLAGS SIOCSIFADDR SIOCKILLADDR SIOCDEVPRIVATE SIOCDEVPRIVATE_1};
# Allow to use vendor binder
vndbinder_use(mtkrild)
# Allow to trigger IPv6 RS
allow mtkrild node:rawip_socket node_bind;
# Allow to use sysenv
allow mtkrild sysfs:file open;
allow mtkrild sysfs:file read;

31
non_plat/muxreport.te Normal file
View File

@ -0,0 +1,31 @@
# ==============================================
# Policy File of /system/bin/muxreport Executable File
# ==============================================
# Type Declaration
# ==============================================
type muxreport_exec , exec_type, file_type, vendor_file_type;
type muxreport ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(muxreport)
# Capabilities assigned for muxreport
allow muxreport self:capability dac_override;
# Property service
# allow set muxreport control properties
set_prop(muxreport, ril_mux_report_case_prop)
# Allow read/write to devices/files
allow muxreport ccci_device:chr_file { rw_file_perms };
allow muxreport devpts:chr_file { rw_file_perms };
allow muxreport eemcs_device:chr_file { rw_file_perms };
allow muxreport emd_device:chr_file { rw_file_perms };
# Allow read to sys/kernel/ccci/* files
allow muxreport sysfs_ccci:dir search;
allow muxreport sysfs_ccci:file r_file_perms;
set_prop(muxreport, radio_prop)

64
non_plat/netd.te Normal file
View File

@ -0,0 +1,64 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.34
# Operation : Migration
# Purpose : For WIFI SANITY test to set FW path(STA/P2P/AP)
# Owner£º TingTing Lei
allow netd wmtWifi_device:chr_file { write open };
# Date : WK14.34
# Operation : Migration
# Purpose : NA
# Owner£º Changqing Sun
allow netd kernel:system module_request;
allow netd self:capability sys_module;
allow netd self:capability fsetid;
# Date : WK14.34
# Operation : Migration
# Purpose : APP
allow netd platform_app:fd use;
# Date : WK14.37
# Operation : Migration
# Purpose : PPPOE Test
# Owner : lina wang
allow netd ppp:process sigkill;
# Date : WK14.39
# Operation : Migration
# Purpose : MDLogger USB logging
# Owner : Bo shang
allow netd mdlogger:fd use;
allow netd mdlogger:tcp_socket { read write };
allow netd mdlogger:tcp_socket { getopt setopt };
# Date : WK14.41
# Operation : Migration
# Purpose : network logging
# Owner : Bo shang
allow netd netdiag:fd use;
allow netd netdiag:udp_socket { read write getopt setopt};
# Date : WK14.44
# Operation : Migration
# Purpose : ALPS01789552
#============= netd ==============
allow netd self:capability { setuid setgid };
#============= netd ==============
allow netd untrusted_app:fd use;
# Date : W15.02
# Operation : SQC
# Purpose : CTS for wifi
allow netd untrusted_app:unix_stream_socket { read write getopt setopt};
allow netd isolated_app:fd use;

31
non_plat/netdiag.te Normal file
View File

@ -0,0 +1,31 @@
# Purpose : for access storage file
allow netdiag sdcard_type:dir create_dir_perms;
allow netdiag sdcard_type:file create_file_perms;
allow netdiag net_data_file:file r_file_perms;
allow netdiag net_data_file:dir search;
allow netdiag storage_file:dir search;
allow netdiag storage_file:lnk_file read;
allow netdiag mnt_user_file:dir search;
allow netdiag mnt_user_file:lnk_file read;
allow netdiag platform_app:dir search;
allow netdiag untrusted_app:dir search;
allow netdiag mnt_media_rw_file:dir search;
allow netdiag vfat:dir create_dir_perms;
allow netdiag vfat:file create_file_perms;
allow netdiag tmpfs:lnk_file read;
#Purpose : for network log property
set_prop(netdiag, debug_netlog_prop)
set_prop(netdiag, persist_mtklog_prop)
set_prop(netdiag, debug_mtklog_prop)
# Purpose : for acess /system/bin/toybox, mmc_prop,proc_net and safemode_prop
allow netdiag device_logging_prop:file { getattr open };
allow netdiag mmc_prop:file { getattr open };
# purpose: allow netdiag to access storage in new version
allow netdiag media_rw_data_file:file { create_file_perms };
allow netdiag media_rw_data_file:dir { create_dir_perms };
# Fix boot up SELinux violation
allow netdiag mtk_em_ril_apnchange_prop:file open;

70
non_plat/nvram_agent_binder.te Normal file
View File

@ -0,0 +1,70 @@
# ==============================================
# Policy File of /vendor/bin/nvram_agent_binder Executable File
# ==============================================
# Type Declaration
# ==============================================
type nvram_agent_binder_exec , exec_type, file_type, vendor_file_type;
type nvram_agent_binder ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(nvram_agent_binder)
# Date : WK14.35
# Operation : access nvram by binder
# Purpose : ensure nvram user can access nvram file normally.
allow nvram_agent_binder nvram_agent_service:service_manager add;
# Date : WK14.43
# Operation : 2rd Selinux Migration
# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
allow nvram_agent_binder nvram_device:blk_file rw_file_perms;
allow nvram_agent_binder bootdevice_block_device:blk_file rw_file_perms;
allow nvram_agent_binder nvdata_device:blk_file rw_file_perms;
allow nvram_agent_binder nvram_data_file:dir create_dir_perms;
allow nvram_agent_binder nvram_data_file:file create_file_perms;
allow nvram_agent_binder nvram_data_file:lnk_file read;
allow nvram_agent_binder nvdata_file:lnk_file read;
allow nvram_agent_binder nvdata_file:dir create_dir_perms;
allow nvram_agent_binder nvdata_file:file create_file_perms;
#allow nvram_agent_binder system_file:file execute_no_trans;
allow nvram_agent_binder als_ps_device:chr_file r_file_perms;
allow nvram_agent_binder mtk-adc-cali_device:chr_file rw_file_perms;
allow nvram_agent_binder gsensor_device:chr_file r_file_perms;
allow nvram_agent_binder gyroscope_device:chr_file r_file_perms;
allow nvram_agent_binder init:unix_stream_socket connectto;
allow nvram_agent_binder property_socket:sock_file write;
allow nvram_agent_binder sysfs:file write;
allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
allow nvram_agent_binder system_data_file:dir create_file_perms;
# Purpose: for backup
allow nvram_agent_binder nvram_device:chr_file rw_file_perms;
allow nvram_agent_binder pro_info_device:chr_file rw_file_perms;
allow nvram_agent_binder block_device:dir search;
allow nvram_agent_binder app_data_file:file write;
# for MLC device
allow nvram_agent_binder mtd_device:dir search;
allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
#for nvram agent hidl
allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
#for nvram hidl client support
allow nvram_agent_binder sysfs:file { read open };
allow nvram_agent_binder system_data_file:lnk_file read;
# Allow to use HWBinder IPC
hwbinder_use(nvram_agent_binder);
# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
hal_server_domain(nvram_agent_binder, hal_nvramagent)

99
non_plat/nvram_daemon.te Normal file
View File

@ -0,0 +1,99 @@
# ==============================================
# Policy File of /vendor/binnvram_daemon Executable File
# ==============================================
# Type Declaration
# ==============================================
type nvram_daemon_exec , exec_type, file_type, vendor_file_type;
type nvram_daemon ,domain;
# ==============================================
# MTK Policy Rule
# ==============================================
init_daemon_domain(nvram_daemon)
# Date : WK14.31
# Operation : Migration
# Purpose : the device is used to store Nvram backup data that can not be lost.
allow nvram_daemon nvram_device:blk_file rw_file_perms;
allow nvram_daemon bootdevice_block_device:blk_file rw_file_perms;
allow nvram_daemon nvdata_device:blk_file rw_file_perms;
# Date : WK14.34
# Operation : Migration
# Purpose : the option is used to tell that if other processes can access nvram.
allow nvram_daemon system_prop:property_service set;
# Date : WK14.35
# Operation : chown folder and file permission
# Purpose : ensure nvram user can access nvram file normally when upgrade from KK/KK.AOSP to L.
#allow nvram_daemon shell_exec:file rx_file_perms;
allow nvram_daemon nvram_data_file:dir create_dir_perms;
allow nvram_daemon nvram_data_file:file create_file_perms;
allow nvram_daemon nvram_data_file:lnk_file read;
allow nvram_daemon nvdata_file:lnk_file read;
allow nvram_daemon nvdata_file:dir create_dir_perms;
allow nvram_daemon nvdata_file:file create_file_perms;
#allow nvram_daemon system_file:file execute_no_trans;
allow nvram_daemon als_ps_device:chr_file r_file_perms;
allow nvram_daemon mtk-adc-cali_device:chr_file rw_file_perms;
allow nvram_daemon gsensor_device:chr_file r_file_perms;
allow nvram_daemon gyroscope_device:chr_file r_file_perms;
allow nvram_daemon init:unix_stream_socket connectto;
# Purpose: for property set
#allow nvram_daemon property_socket:sock_file w_file_perms;
allow nvram_daemon sysfs:file w_file_perms;
allow nvram_daemon self:capability { fowner chown dac_override fsetid };
# Purpose: for backup
allow nvram_daemon nvram_device:chr_file rw_file_perms;
allow nvram_daemon pro_info_device:chr_file rw_file_perms;
allow nvram_daemon block_device:dir search;
# Purpose: for nand project
allow nvram_daemon mtd_device:dir search;
allow nvram_daemon mtd_device:chr_file rw_file_perms;
# Purpose: for fstab parser
allow nvram_daemon kmsg_device:chr_file w_file_perms;
allow nvram_daemon proc_lk_env:file rw_file_perms;
# Purpose: for workaround
# Todo: Remove this policy
allow nvram_daemon system_data_file:dir write;
# Purpose: property set
#allow nvram_daemon service_nvram_init_prop:property_service set;
# Purpose: copy /fstab*
allow nvram_daemon rootfs:dir { read open };
allow nvram_daemon rootfs:file r_file_perms;
allow nvram_daemon system_data_file:lnk_file read;
# Purpose: remove /data/nvram link
allow nvram_daemon system_data_file:dir { remove_name add_name };
allow nvram_daemon system_data_file:lnk_file { create unlink };
allow nvram_daemon nvram_data_file:lnk_file unlink;
# Purpose: for run toolbox command: chown chmode..
#allow nvram_daemon toolbox_exec:file rx_file_perms;
# Purpose: for setting property
# ro.wlan.mtk.wifi.5g relabel to wifi_5g_prop
# denied { set } for property=ro.wlan.mtk.wifi.5g pid=242 uid=0 gid=1000 scontext=u:r:nvram_daemon:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=1
#allow nvram_daemon wifi_5g_prop:property_service set;
set_prop(nvram_daemon, service_nvram_init_prop)
set_prop(nvram_daemon, wifi_5g_prop)
#WK17.26 camera 8163
allow nvram_daemon sysfs:dir read;
allow nvram_daemon sysfs:file read;

5
non_plat/permissive.te Normal file
View File

@ -0,0 +1,5 @@
userdebug_or_eng(`
')

85
non_plat/platform_app.te Normal file
View File

@ -0,0 +1,85 @@
# ==============================================
# MTK Policy Rule
# ==============================================
typeattribute platform_app mlstrustedsubject;
# Date : 2017/07/03
# Operation : Migration
# Purpose : get/set agps configuration via mtk_hal_lbs
hal_client_domain(platform_app, mtk_hal_lbs)
# Date : 2014/08/21
# Operation : Migration
# Purpose : FMRadio enable driver access permission for fmradio hardware device
# Package: com.mediatek.fmradio
allow platform_app fm_device:chr_file rw_file_perms;
# Date : 2014/09/11
# Operation : Migration
# Purpose : MTKLogger need setup local socket with native daemon:mobile_logd,
# netdialog,mdlogger,emdlogger,cmddumper
# Package: com.mediatek.mtklogger
allow platform_app mobile_log_d:unix_stream_socket connectto;
allow platform_app mdlogger:unix_stream_socket connectto;
allow platform_app emdlogger:unix_stream_socket connectto;
allow platform_app cmddumper:unix_stream_socket connectto;
unix_socket_connect(platform_app, netdiag, netdiag)
# Date : 2014/10/17
# Operation : Migration
# Purpose :Make MTKLogger or VIASaber apk can Access TTYSDIO_device
# Package: com.mediatek.mtklogger
allow platform_app ttySDIO_device:chr_file rw_file_perms;
# Date : 2014/10/17
# Operation : Migration
# Purpose :Make MTKLogger or VIASaber apk can Access storage
# Package: com.mediatek.mtklogger
allow platform_app sdcard_type:file create_file_perms;
allow platform_app sdcard_type:dir create_dir_perms;
# Date : 2014/11/12
# Operation : Migration
# Purpose : MTKLogger need copy exception db from data folder
# Package: com.mediatek.mtklogger
allow platform_app aee_exp_data_file:file r_file_perms;
allow platform_app aee_exp_data_file:dir r_dir_perms;
# Date : 2014/11/14
# Operation : Migration
# Purpose : MTKLogger need update md config file in data for mode changed
# Package: com.mediatek.mtklogger
allow platform_app mdlog_data_file:file rw_file_perms;
allow platform_app mdlog_data_file:dir rw_dir_perms;
# Date : 2015/01/13
# Operation : New feature for GPS Log
# Purpose : MTKLogger need setup local socket with mnld
# Package: com.mediatek.mtklogger
# TODO:: MTK need to remove later
not_full_treble(`
allow platform_app mnld:unix_stream_socket connectto;
')
# Date : 2015/11/18
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee commmand
# Package: MTKLogger/Debugutils
allow platform_app aee_aed:unix_stream_socket connectto;
# Date : WK17.31
# Operation : O Migration
# Purpose : m4u Driver
allow platform_app proc:file r_file_perms;
# Date : WK17.44
# Operation : O Migration
# Purpose : allow LocationEM to set mnld property
set_prop(platform_app, mnld_prop)
# Date : WK17.46
# Operation : Migration
# Purpose : allow MTKLogger to read KE DB
allow platform_app aee_dumpsys_data_file:file r_file_perms;

10
non_plat/ppp.te Normal file
View File

@ -0,0 +1,10 @@
# ==============================================
# MTK Policy Rule
# ==============================================
# Date : WK14.37
# Operation : Migration
# Purpose: for PPPOE Test: Property permission
allow ppp pppoe_ppp0_prop:property_service set;

6
non_plat/pre_meta.te Normal file
View File

@ -0,0 +1,6 @@
# ==============================================
# MTK Policy Rule
# ==============================================
allow pre_meta proc_lk_env:file rw_file_perms;
allow pre_meta para_block_device:blk_file rw_file_perms;set_prop(meta_tst, powerctl_prop);

168
non_plat/property.te Normal file
View File

@ -0,0 +1,168 @@
# ==============================================
# MTK Policy Rule
# ==============================================
type mtk_default_prop, property_type;
# Date: W14.32
# Operation: Migration
# Purpose: don't allow to use default_prop
### TBD
#neverallow { domain -init } default_prop:property_service set;
#neverallow { domain -init -system_server -recovery -system_app} ctl_default_prop:property_service set;
#=============allow ccci_mdinit to start gsm0710muxd==============
type ctl_gsm0710muxd_prop, property_type;
type ctl_gsm0710muxd-s_prop, property_type;
type ctl_gsm0710muxd-d_prop, property_type;
#=============allow ccci_mdinit to ctl. mdlogger==============
type ctl_mdlogger_prop, property_type;
type ctl_emdlogger1_prop, property_type;
type ctl_emdlogger2_prop, property_type;
type ctl_emdlogger3_prop, property_type;
type ctl_dualmdlogger_prop, property_type;
#=============allow viarild to start property==============
type ctl_viarild_prop, property_type;
#=============allow mtkrild to set persist.ril property==============
type persist_ril_prop, property_type, mtk_core_property_type;
#=============allow gsm0710muxd to set mux property==============
type gsm0710muxd_prop, property_type, mtk_core_property_type;
#=============allow netlog running==============
type debug_mtklog_prop, property_type, mtk_core_property_type;
type persist_mtklog_prop, property_type, mtk_core_property_type;
type debug_netlog_prop, property_type, mtk_core_property_type;
#=============allow netd to set mtk_wifi.*=========================
type mtk_wifi_prop, property_type, mtk_core_property_type;
#=============allow mdlogger==============
type debug_mdlogger_prop, property_type, mtk_core_property_type;
#=============allow AEE==============
type persist_mtk_aee_prop, property_type, mtk_core_property_type;
type persist_aee_prop, property_type, mtk_core_property_type;
type debug_mtk_aee_prop, property_type, mtk_core_property_type;
#=============allow aee_dumpstate==============
type debug_bq_dump_prop, property_type, mtk_core_property_type;
#=============allow ccci_mdinit to stop rild==============
type ctl_ril-daemon-mtk_prop, property_type;
type ctl_fusion_ril_mtk_prop, property_type;
type ctl_ril-daemon-s_prop, property_type;
type ctl_ril-daemon-d_prop, property_type;
type ctl_ril-proxy_prop, property_type;
#=============allow ccci_mdinit to start ccci_fsd==============
type ctl_ccci_fsd_prop, property_type;
type ctl_ccci2_fsd_prop, property_type;
type ctl_ccci3_fsd_prop, property_type;
#=============allow ccci_mdinit to set ril_active_md_prop==============
type ril_active_md_prop, property_type, mtk_core_property_type;
#=============allow ccci_mdinit to stop rild==============
type ril_mux_report_case_prop, property_type, mtk_core_property_type;
type ril_cdma_report_prop, property_type, mtk_core_property_type;
#=============allow ccci_mdinit to mtk_md_prop==============
type mtk_md_prop, property_type, mtk_core_property_type;
#=============allow mtkrild to start muxreport==============
type ctl_muxreport-daemon_prop, property_type;
#=============allow ppp to set pppoe.ppp0==============
type pppoe_ppp0_prop, property_type, mtk_core_property_type;
#=============allow bootanim==============
type bootani_prop, property_type, mtk_core_property_type;
#=============allow mnld_prop==============
type mnld_prop, property_type, mtk_core_property_type;
#=============allow audiohal==============
type audiohal_prop, property_type, mtk_core_property_type;
#=============allow wmt==============
type wmt_prop, property_type, mtk_core_property_type;
#=============allow sensor==============
type ctl_emcsmdlogger_prop, property_type;
type ctl_eemcs_fsd_prop, property_type;
#=============allow statusd==============
type net_cdma_mdmstat, property_type, mtk_core_property_type;
#=============allow bt==============
type bt_prop, property_type, mtk_core_property_type;
type persist_bt_prop, property_type, mtk_core_property_type;
#============= allow factory idle current prop ==============
type factory_idle_state_prop, property_type, mtk_core_property_type;
#============= allow ftrace log property ===============
type ftrace_log_prop, property_type, mtk_core_property_type;
#============= allow service.nvram_init property ===============
type service_nvram_init_prop, property_type, mtk_core_property_type;
#============= allow ro.wlan.mtk.wifi.5g property ===============
type wifi_5g_prop, property_type, mtk_core_property_type;
#=============allow em to set client.appmode ==============
type mtk_em_prop, property_type, mtk_core_property_type;
#=============allow mediatek_prop ==============
type mediatek_prop, property_type, mtk_core_property_type;
#============= allow em set protocol ===============
type mtk_em_pdn_prop, property_type, mtk_core_property_type;
#============= allow em set protocol ===============
type mtk_em_ims_simulate_prop, property_type, mtk_core_property_type;
#============= allow em set property ===============
type mtk_em_auto_answer_prop, property_type, mtk_core_property_type;
#============= allow em set protocol ===============
type mtk_em_bt_sspdebug_prop, property_type, mtk_core_property_type;
#============= allow em set mtk_em_ril_apnchange_prop property ===============
type mtk_em_ril_apnchange_prop, property_type;
#============= allow em set protocol ===============
type mtk_em_net_auto_tethering_prop, property_type, mtk_core_property_type;
#=============allow meta_tst to stop specific service ===============
type ctl_mobile_log_d_prop, property_type;
type ctl_mnld_prop, property_type;
type ctl_mobicore_prop, property_type;
#=============allow system server to set meta_connecttype property ==============
type meta_connecttype_prop, property_type;
#=============Telephony Sensitive property==============
type mtk_telephony_sensitive_prop, property_type;
#=============allow processes to change thermal config================
type mtk_thermal_config_prop, property_type;
#=============allow composer set property ============================
type graphics_config_prop, property_type;
type graphics_hwc_pid_prop, property_type;
#============= mtkcam property ============================
type mtkcam_prop, property_type;
#============= allow em set xcap property ===============
type mtk_em_ril_xcapset_prop, property_type, mtk_core_property_type;
#============= allow em set UCE property ===============
type persist_uce_prop, property_type;
#============= atm modem mode property ==============
type atm_mdmode_prop, property_type;
#============= atm ip address property ==============
type atm_ipaddr_prop, property_type;

Some files were not shown because too many files have changed in this diff Show More