From 3ace839be3645e135910002a6715381bc84333d2 Mon Sep 17 00:00:00 2001 From: Bo Ye Date: Sat, 18 Jan 2020 09:29:41 +0800 Subject: [PATCH] [ALPS03825066] Mark file context to fix build fails Restore the policies accessing files labeled as proc_xxx or sysfs_xxx, but there are some exceptions for coredomain process, such as meta_tst,dump_state,kpoc_charger MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d Change-Id: I4b16c09c352891783e837bea370c264966ca6d13 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK --- non_plat/aee_aed.te | 2 +- non_plat/audioserver.te | 4 ++-- non_plat/boot_logo_updater.te | 2 +- non_plat/cameraserver.te | 12 ++++++------ non_plat/domain.te | 5 ++++- non_plat/drmserver.te | 2 +- non_plat/dumpstate.te | 4 ++-- non_plat/em_svr.te | 14 +++++++------- non_plat/emdlogger.te | 2 +- non_plat/factory.te | 8 ++++---- non_plat/mdlogger.te | 2 +- non_plat/mediaextractor.te | 2 +- non_plat/meta_tst.te | 8 ++++---- non_plat/mobile_log_d.te | 4 ++-- non_plat/mtkbootanimation.te | 6 +++--- non_plat/surfaceflinger.te | 4 ++-- non_plat/system_server.te | 8 ++++---- non_plat/zygote.te | 2 +- plat_private/aee_aed.te | 2 +- plat_private/em_svr.te | 2 +- plat_private/factory.te | 4 ++-- plat_private/meta_tst.te | 2 +- plat_private/mobile_log_d.te | 2 +- plat_private/mtkbootanimation.te | 2 +- prebuilts/api/26.0/plat_private/aee_aed.te | 2 +- prebuilts/api/26.0/plat_private/em_svr.te | 2 +- prebuilts/api/26.0/plat_private/factory.te | 4 ++-- prebuilts/api/26.0/plat_private/meta_tst.te | 2 +- prebuilts/api/26.0/plat_private/mobile_log_d.te | 2 +- prebuilts/api/26.0/plat_private/system_server.te | 2 +- 30 files changed, 61 insertions(+), 58 deletions(-) diff --git a/non_plat/aee_aed.te b/non_plat/aee_aed.te index 2039565..51e0875 100644 --- a/non_plat/aee_aed.te +++ b/non_plat/aee_aed.te 
@@ -44,7 +44,7 @@ set_prop(aee_aed, persist_aee_prop); set_prop(aee_aed, debug_mtk_aee_prop); # /proc/lk_env -#allow aee_aed proc_lk_env:file rw_file_perms; +allow aee_aed proc_lk_env:file rw_file_perms; # Purpose: Allow aee_aedv to read /proc/pid/exe allow aee_aed exec_type:file r_file_perms; diff --git a/non_plat/audioserver.te b/non_plat/audioserver.te index 42a473f..e676994 100644 --- a/non_plat/audioserver.te +++ b/non_plat/audioserver.te @@ -16,7 +16,7 @@ allow audioserver ttySDIO_device:chr_file rw_file_perms; # Data: WK14.44 # Operation : Migration # Purpose : for low SD card latency issue -#allow audioserver sysfs_lowmemorykiller:file { read open }; +allow audioserver sysfs_lowmemorykiller:file { read open }; # Data: WK14.45 # Operation : Migration @@ -36,7 +36,7 @@ allow audioserver offloadservice_device:chr_file rw_file_perms; # Date : WK16.17 # Operation : Migration # Purpose: read/open sysfs node -#allow audioserver sysfs_ccci:file r_file_perms; +allow audioserver sysfs_ccci:file r_file_perms; # Date : WK16.18 # Operation : Migration diff --git a/non_plat/boot_logo_updater.te b/non_plat/boot_logo_updater.te index 281d160..00e8613 100644 --- a/non_plat/boot_logo_updater.te +++ b/non_plat/boot_logo_updater.te @@ -14,7 +14,7 @@ allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms; #To access file at /dev/logo allow boot_logo_updater logo_device:chr_file r_file_perms; # To access file at /proc/lk_env -#allow boot_logo_updater proc_lk_env:file rw_file_perms; +allow boot_logo_updater proc_lk_env:file rw_file_perms; # Date : WK16.25 # Operation : Global_Device/Uniservice Feature diff --git a/non_plat/cameraserver.te b/non_plat/cameraserver.te index 2b2a14e..92080cb 100644 --- a/non_plat/cameraserver.te +++ b/non_plat/cameraserver.te 
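Review bot: `allow aee_aed proc_lk_env:file rw_file_perms;` re-enables write access to the lk_env node, but the comment above it (`# /proc/lk_env`) records neither why a crash-handling daemon writes there nor which entries it touches. Please expand it, e.g. `# /proc/lk_env: read/write needed for <PURPOSE - fill in>`, or reduce the rule to `r_file_perms` if aee_aed only reads it. The same node gets `rw_file_perms` for boot_logo_updater in the boot_logo_updater hunk ("To access file at /proc/lk_env", no direction given) and `{ read getattr open write ioctl}` for em_svr in the em_svr.te hunk, with equally terse comments.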
@@ -37,7 +37,7 @@ allow cameraserver vpu_device:chr_file rw_file_perms; allow cameraserver kd_camera_hw_device:chr_file rw_file_perms; allow cameraserver seninf_device:chr_file rw_file_perms; allow cameraserver self:capability { setuid ipc_lock sys_nice }; -#allow cameraserver sysfs_wake_lock:file rw_file_perms; +allow cameraserver sysfs_wake_lock:file rw_file_perms; allow cameraserver MTK_SMI_device:chr_file r_file_perms; allow cameraserver camera_pipemgr_device:chr_file r_file_perms; allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms; @@ -51,7 +51,7 @@ allow cameraserver nvram_data_file:file create_file_perms; allow cameraserver nvram_data_file:lnk_file read; allow cameraserver nvdata_file:lnk_file read; #allow cameraserver proc:file { read ioctl open }; -#allow cameraserver proc_meminfo:file { read getattr open }; +allow cameraserver proc_meminfo:file { read getattr open }; #allow cameraserver sysfs:file { read write open }; # Date : WK14.34 @@ -218,7 +218,7 @@ allow cameraserver surfaceflinger:file getattr; # Data: WK14.44 # Operation : Migration # Purpose : for low SD card latency issue -#allow cameraserver sysfs_lowmemorykiller:file { read open }; +allow cameraserver sysfs_lowmemorykiller:file { read open }; # Data: WK14.45 # Operation : Migration @@ -309,7 +309,7 @@ allow cameraserver gpu_device:dir search; # Operation : Migration # Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow) allow cameraserver property_socket:sock_file write; -#allow cameraserver proc:file getattr; +allow cameraserver proc:file getattr; allow cameraserver shell_exec:file { execute read getattr open}; domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager) typeattribute cameraserver system_executes_vendor_violators; 
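Review bot: `allow cameraserver proc:file getattr;` in the `@@ -309,7` hunk is granted on the generic `proc` type, while every other node restored in these cameraserver hunks has a dedicated label (proc_meminfo, proc_ged, proc_perfmgr), and the comment above it only says a label should be specified via file_type_auto_trans to avoid a neverallow, not which /proc file is meant. Either name that file in the comment, e.g. `# getattr on /proc/<NODE - fill in>; kept on the generic proc label because <reason>`, or give the node its own type as the neighbouring rules do. The same generic rule comes back for meta_tst in the `@@ -349,7` hunk of meta_tst.te, where the comment ("open and read proc/bootprof") does not match the permission actually granted (getattr on all proc files).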
@@ -323,7 +323,7 @@ allow cameraserver camera_rsc_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow cameraserver proc_ged:file {open read write ioctl getattr}; +allow cameraserver proc_ged:file {open read write ioctl getattr}; # Date : WK16.33 # Operation : Migration @@ -393,4 +393,4 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms; # Operation : MT6771 SQC # Purpose: Allow permgr access allow cameraserver proc_perfmgr:dir {read search}; -#allow cameraserver proc_perfmgr:file {open read ioctl}; +allow cameraserver proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/domain.te b/non_plat/domain.te index a261a44..3367ed0 100644 --- a/non_plat/domain.te +++ b/non_plat/domain.te @@ -15,7 +15,10 @@ allow domain debugfs_binder:dir search; # Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info # as it is a public interface for all processes to read some OTP data. -#allow domain sysfs_devinfo:file r_file_perms; +allow { + domain + -isolated_app +} sysfs_devinfo:file r_file_perms; # Date:20170519 # Purpose: Full treble bootup issue, coredomain need to access libudf.so where diff --git a/non_plat/drmserver.te b/non_plat/drmserver.te index d825d03..8755b64 100644 --- a/non_plat/drmserver.te +++ b/non_plat/drmserver.te @@ -4,4 +4,4 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow drmserver proc_ged:file {open read write ioctl getattr}; +allow drmserver proc_ged:file {open read write ioctl getattr}; diff --git a/non_plat/dumpstate.te b/non_plat/dumpstate.te index d8870e5..1acdd1c 100644 --- a/non_plat/dumpstate.te +++ b/non_plat/dumpstate.te 
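Review bot: In the domain.te hunk the replacement rule now excludes isolated_app, but the comment two lines above it still reads "Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info"; update it to match, e.g. `# Allow all processes except isolated_app to read /sys/bus/platform/drivers/dev_info/dev_info (OTP data)`. The exclusion is presumably there to satisfy an upstream neverallow on isolated_app; that is worth stating in the comment, since the next person to hit a denial from an isolated process will otherwise just re-add it. Granting the read to every remaining domain, including app domains, is broader than the per-domain rules elsewhere in this patch; if only a handful of daemons consume the OTP data, listing them would be tighter.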
@@ -41,13 +41,13 @@ allow dumpstate debugfs_cpuhvfs:file { read open }; # Purpose: /sys/kernel/ccci/md_chn allow dumpstate sysfs_ccci:dir search; -#allow dumpstate sysfs_ccci:file { read open }; +allow dumpstate sysfs_ccci:file { read open }; # Purpose: leds status allow dumpstate sysfs_leds:lnk_file read; # Purpose: /sys/module/lowmemorykiller/parameters/adj -#allow dumpstate sysfs_lowmemorykiller:file { read open }; +allow dumpstate sysfs_lowmemorykiller:file { read open }; allow dumpstate sysfs_lowmemorykiller:dir search; # Purpose: /dev/block/mmcblk0p10 diff --git a/non_plat/em_svr.te b/non_plat/em_svr.te index fc988eb..1ea049f 100644 --- a/non_plat/em_svr.te +++ b/non_plat/em_svr.te 
@@ -19,25 +19,25 @@ allow em_svr nvram_device:chr_file { open read write ioctl }; typeattribute em_svr system_executes_vendor_violators; allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans }; allow em_svr proc_mtkcooler:dir search; -#allow em_svr proc_mtkcooler:file { read getattr open write }; +allow em_svr proc_mtkcooler:file { read getattr open write }; allow em_svr proc_thermal:dir search; -#allow em_svr proc_thermal:file { read getattr open write }; +allow em_svr proc_thermal:file { read getattr open write }; allow em_svr proc_mtktz:dir search; -#allow em_svr proc_mtktz:file { read getattr open write }; -#allow em_svr proc_slogger:file { read getattr open write }; -#allow em_svr proc_lk_env:file { read getattr open write ioctl}; +allow em_svr proc_mtktz:file { read getattr open write }; +allow em_svr proc_slogger:file { read getattr open write }; +allow em_svr proc_lk_env:file { read getattr open write ioctl}; allow em_svr para_block_device:blk_file { read open }; # Date: 2015/12/22 # Operation : M Migration # Purpose : Battery Log can change temperature userdebug_or_eng(` allow em_svr proc_battery_cmd:dir search; -#allow em_svr proc_battery_cmd:file { read getattr open write }; +allow em_svr proc_battery_cmd:file { read getattr open write }; ') # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow em_svr proc_ged:file {open read write ioctl getattr}; +allow em_svr proc_ged:file {open read write ioctl getattr}; # Date : WK17.42 # Purpose: Allow to query md log filter bin diff --git a/non_plat/emdlogger.te b/non_plat/emdlogger.te index cf938fb..74b765e 100644 --- a/non_plat/emdlogger.te +++ b/non_plat/emdlogger.te 
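Review bot: The write permissions restored for em_svr on proc_mtkcooler, proc_thermal, proc_mtktz, proc_slogger and proc_lk_env (the last with ioctl as well) are unconditional, while the proc_battery_cmd write in the same hunk stays inside `userdebug_or_eng(...)`. If these are likewise engineering-mode controls, wrap them in the same macro so user builds do not carry write access to the thermal and lk_env nodes; if they are genuinely needed on user builds, a one-line comment per rule naming the node and the reason would make that explicit. The rest of em_svr.te is outside this hunk.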
@@ -61,7 +61,7 @@ allow emdlogger storage_file:file { create_file_perms }; # Allow read to sys/kernel/ccci/* files allow emdlogger sysfs_ccci:dir search; -#allow emdlogger sysfs_ccci:file r_file_perms; +allow emdlogger sysfs_ccci:file r_file_perms; # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 diff --git a/non_plat/factory.te b/non_plat/factory.te index 39eca30..c919e6c 100644 --- a/non_plat/factory.te +++ b/non_plat/factory.te @@ -56,7 +56,7 @@ allow factory pro_info_device:chr_file rw_file_perms; # Data: WK15.28 # Purpose: for mt-ramdump reset -#allow factory proc_mrdump_rst:file w_file_perms; +allow factory proc_mrdump_rst:file w_file_perms; #Date: WK15.31 #Purpose: define factory_data_file instead of system_data_file @@ -219,7 +219,7 @@ allow factory input_device:dir rw_dir_perms; # Purpose: N Migration For ccci sysfs node # Allow read to sys/kernel/ccci/* files allow factory sysfs_ccci:dir search; -#allow factory sysfs_ccci:file r_file_perms; +allow factory sysfs_ccci:file r_file_perms; # Date: WK16.18 # Purpose: N Migration For boot_mode @@ -269,7 +269,7 @@ allow factory tmpfs:filesystem unmount; allow factory sysfs:dir { read open }; allow factory sysfs_leds:dir search; allow factory sysfs_leds:lnk_file read; -#allow factory sysfs_vibrator:file {open read write}; +allow factory sysfs_vibrator:file {open read write}; allow factory ion_device:chr_file { read open ioctl }; allow factory debugfs_ion:dir search; #allow factory proc:file ioctl; @@ -296,5 +296,5 @@ set_prop(factory,ctl_ccci_fsd_prop); # Operation : O Migration # Purpose: Allow to access sysfs allow factory sysfs_therm:dir search; -#allow factory sysfs_therm:file {open read write}; +allow factory sysfs_therm:file {open read write}; diff --git a/non_plat/mdlogger.te b/non_plat/mdlogger.te index a46f388..3f671dc 100644 --- a/non_plat/mdlogger.te +++ b/non_plat/mdlogger.te 
@@ -36,7 +36,7 @@ allow mdlogger storage_file:file { create_file_perms }; # Allow read to sys/kernel/ccci/* files allow mdlogger sysfs_ccci:dir search; -#allow mdlogger sysfs_ccci:file r_file_perms; +allow mdlogger sysfs_ccci:file r_file_perms; # purpose: allow mdlogger to access storage in new version allow mdlogger media_rw_data_file:file { create_file_perms }; diff --git a/non_plat/mediaextractor.te b/non_plat/mediaextractor.te index fda7974..12157b8 100644 --- a/non_plat/mediaextractor.te +++ b/non_plat/mediaextractor.te @@ -4,4 +4,4 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow mediaextractor proc_ged:file {open read write ioctl getattr}; +allow mediaextractor proc_ged:file {open read write ioctl getattr}; diff --git a/non_plat/meta_tst.te b/non_plat/meta_tst.te index 372ee3f..4dce727 100644 --- a/non_plat/meta_tst.te +++ b/non_plat/meta_tst.te @@ -155,7 +155,7 @@ allow meta_tst key_install_data_file:file create_file_perms; # Date: WK14.51 # Purpose : set/get cryptfs cfg in sys env allow meta_tst misc_device:chr_file rw_file_perms; -#allow meta_tst proc_lk_env:file rw_file_perms; +allow meta_tst proc_lk_env:file rw_file_perms; # Purpose : FT_EMMC_OP_FORMAT_TCARD allow meta_tst block_device:blk_file getattr; @@ -187,7 +187,7 @@ allow meta_tst storage_file:lnk_file read; # Date: WK16.17 # Purpose: N Migration For ccci sysfs node allow meta_tst sysfs_ccci:dir search; -#allow meta_tst sysfs_ccci:file r_file_perms; +allow meta_tst sysfs_ccci:file r_file_perms; #Date: W16.17 # Purpose: N Migration for meta_tst get com port type and uart port info 
@@ -255,7 +255,7 @@ allow meta_tst self:netlink_socket create_socket_perms_no_ioctl; allow meta_tst self:rawip_socket create; allow meta_tst self:udp_socket create_socket_perms_no_ioctl; allow meta_tst self:rawip_socket create_socket_perms_no_ioctl; -#allow meta_tst proc_ged:file r_file_perms; +allow meta_tst proc_ged:file r_file_perms; allowxperm meta_tst self:udp_socket ioctl {SIOCSIFFLAGS SIOCGIFCONF SIOCIWFIRSTPRIV_08 SIOCIWFIRSTPRIV_09}; allow meta_tst meta_tst:netlink_generic_socket { read write getattr bind create setopt }; @@ -349,7 +349,7 @@ allow meta_tst audiohal_prop:property_service set; #Data:W1745 # Purpose : Allow meta_tst to open and read proc/bootprof #allow meta_tst proc:file write; -#allow meta_tst proc:file getattr; +allow meta_tst proc:file getattr; # Date:W17.51 # Operation : lbs hal diff --git a/non_plat/mobile_log_d.te b/non_plat/mobile_log_d.te index 2cb3827..a0fc62d 100644 --- a/non_plat/mobile_log_d.te +++ b/non_plat/mobile_log_d.te @@ -1,10 +1,10 @@ #scp -#allow mobile_log_d sysfs_scp:file { open write }; +allow mobile_log_d sysfs_scp:file { open write }; allow mobile_log_d sysfs_scp:dir search; allow mobile_log_d scp_device:chr_file { read open }; #sspm -#allow mobile_log_d sysfs_sspm:file { open write }; +allow mobile_log_d sysfs_sspm:file { open write }; allow mobile_log_d sysfs_sspm:dir search; allow mobile_log_d sspm_device:chr_file { read open }; diff --git a/non_plat/mtkbootanimation.te b/non_plat/mtkbootanimation.te index 60b8ace..9d23e95 100644 --- a/non_plat/mtkbootanimation.te +++ b/non_plat/mtkbootanimation.te 
@@ -17,12 +17,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; +allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; # Date : WK14.31 # Operation : Migration # Purpose : access to sec mem proc interface. -#allow mtkbootanimation proc_secmem:file { read open}; +allow mtkbootanimation proc_secmem:file { read open}; # Date : WK14.36 # Operation : Migration @@ -53,4 +53,4 @@ allow mtkbootanimation guiext-server_service:service_manager find; # Operation : Migration # Purpose : FPSGO integration allow mtkbootanimation proc_perfmgr:dir {search read}; -#allow mtkbootanimation proc_perfmgr:file {open read ioctl}; +allow mtkbootanimation proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/surfaceflinger.te b/non_plat/surfaceflinger.te index c711ff9..ab9592f 100644 --- a/non_plat/surfaceflinger.te +++ b/non_plat/surfaceflinger.te @@ -10,7 +10,7 @@ allow surfaceflinger debug_prop:property_service set; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow surfaceflinger proc_ged:file {open read write ioctl getattr}; +allow surfaceflinger proc_ged:file {open read write ioctl getattr}; # Date : W16.42 # Operation : Integration @@ -56,7 +56,7 @@ allow surfaceflinger mtkbootanimation:file { read getattr open }; # Operation : Migration # Purpose: Allow to access perfmgr allow surfaceflinger proc_perfmgr:dir {read search}; -#allow surfaceflinger proc_perfmgr:file {open read ioctl}; +allow surfaceflinger proc_perfmgr:file {open read ioctl}; # Date : WK17.43 # Operation : Debug diff --git a/non_plat/system_server.te b/non_plat/system_server.te index 0ff426a..5ec9d53 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te 
@@ -36,7 +36,7 @@ allow system_server zygote:binder impersonate; allow system_server ctl_bootanim_prop:property_service set; # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property. -#allow system_server proc_net:file w_file_perms; +allow system_server proc_net:file w_file_perms; r_dir_file(system_server, wide_dhcpv6_data_file) # For dumpsys. @@ -73,7 +73,7 @@ allow system_server sysfs_dcm:file rw_file_perms; # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow system_server proc_ged:file {open read write ioctl getattr}; +allow system_server proc_ged:file {open read write ioctl getattr}; # Date : WK16.36 # Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW @@ -107,7 +107,7 @@ allow system_server ttyMT_device:chr_file rw_file_perms; # Operation : thermal hal Feature developing # Purpose : thermal hal interface permission allow system_server proc_mtktz:dir search; -#allow system_server proc_mtktz:file r_file_perms; +allow system_server proc_mtktz:file r_file_perms; # Date : WK16.46 # Operation: PowerManager set persist.meta.connecttype property @@ -215,4 +215,4 @@ allow system_server mtk_thermal_config_prop:property_service set; # Operation : Migration # Purpose : perfmgr permission allow system_server proc_perfmgr:dir {read search}; -#allow system_server proc_perfmgr:file {open read ioctl}; +allow system_server proc_perfmgr:file {open read ioctl}; diff --git a/non_plat/zygote.te b/non_plat/zygote.te index 3f71f0b..5147cde 100644 --- a/non_plat/zygote.te +++ b/non_plat/zygote.te @@ -4,7 +4,7 @@ # Date : WK16.33 # Purpose: Allow to access ged for gralloc_extra functions -#allow zygote proc_ged:file {open read write ioctl getattr}; +allow zygote proc_ged:file {open read write ioctl getattr}; # Date : WK17.02 # Purpose: Allow to access gpu for memtrack functions diff --git a/plat_private/aee_aed.te b/plat_private/aee_aed.te index b6b3b2b..3a3af42 100644 --- a/plat_private/aee_aed.te 
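Review bot: `allow system_server proc_net:file w_file_perms;` gives write access to every file carrying the proc_net label, whereas the comment above it describes a single need (enabling 6to4 after a DHCPv6 connection). If one specific node is written, label it with its own type and grant write only there; otherwise extend the comment to name the file(s) written, e.g. `# writes /proc/net/<NODE - fill in> to enable 6to4 after DHCPv6`. The identical rule and comment are restored again in prebuilts/api/26.0/plat_private/system_server.te (last hunk of the patch), so both copies should be changed together.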
+++ b/plat_private/aee_aed.te @@ -106,7 +106,7 @@ allow aee_aed logd:unix_stream_socket connectto; # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule # vibrator -#allow aee_aed sysfs_vibrator:file w_file_perms; +allow aee_aed sysfs_vibrator:file w_file_perms; # Data : 2017/03/22 # Operation : add NE flow rule for Android O diff --git a/plat_private/em_svr.te b/plat_private/em_svr.te index 9456f8c..06c492c 100644 --- a/plat_private/em_svr.te +++ b/plat_private/em_svr.te @@ -34,7 +34,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl}; allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; -#allow em_svr sysfs_devices_system_cpu:file write; +allow em_svr sysfs_devices_system_cpu:file write; #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; diff --git a/plat_private/factory.te b/plat_private/factory.te index a2a5a9d..6248acb 100644 --- a/plat_private/factory.te +++ b/plat_private/factory.te @@ -23,7 +23,7 @@ allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow factory self:netlink_route_socket create_socket_perms; allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; -#allow factory proc_net:file { read getattr open }; +allow factory proc_net:file { read getattr open }; allowxperm factory self:udp_socket ioctl priv_sock_ioctls; allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID}; 
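Review bot: `allow em_svr sysfs_devices_system_cpu:file write;` in the plat_private/em_svr.te hunk is restored with no comment, and write access to files under the CPU sysfs label is a broad permission for a daemon to hold. Add a line such as `# em_svr writes /sys/devices/system/cpu/<NODE - fill in> for <PURPOSE - fill in>` above it. The same bare rule is mirrored in prebuilts/api/26.0/plat_private/em_svr.te, so the comment should go in both copies.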
@@ -31,7 +31,7 @@ allow factory self:process execmem; allow factory self:tcp_socket create_stream_socket_perms; allow factory self:udp_socket create_socket_perms; -#allow factory sysfs_wake_lock:file rw_file_perms; +allow factory sysfs_wake_lock:file rw_file_perms; allow factory system_data_file:dir w_dir_perms; allow factory system_data_file:sock_file create_file_perms; allow factory system_file:file x_file_perms; diff --git a/plat_private/meta_tst.te b/plat_private/meta_tst.te index 7c4ecc1..f4da912 100644 --- a/plat_private/meta_tst.te +++ b/plat_private/meta_tst.te @@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; allow meta_tst self:capability { sys_boot ipc_lock }; -#allow meta_tst sysfs_wake_lock:file rw_file_perms; +allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; #allow meta_tst vold_socket:sock_file w_file_perms; diff --git a/plat_private/mobile_log_d.te b/plat_private/mobile_log_d.te index 987e9a6..545a3e0 100644 --- a/plat_private/mobile_log_d.te +++ b/plat_private/mobile_log_d.te @@ -73,4 +73,4 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms; allow mobile_log_d debugfs_tracing:dir create_dir_perms; #allow mobile_log_d debugfs_tracing:file create_file_perms; allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; -#allow mobile_log_d debugfs_tracing_instances:file create_file_perms; +allow mobile_log_d debugfs_tracing_instances:file create_file_perms; diff --git a/plat_private/mtkbootanimation.te b/plat_private/mtkbootanimation.te index e2ea4a8..dfcab81 100644 --- a/plat_private/mtkbootanimation.te +++ b/plat_private/mtkbootanimation.te 
@@ -40,7 +40,7 @@ allow mtkbootanimation hal_graphics_composer:fd use; # Read access to pseudo filesystems. #r_dir_file(mtkbootanimation, proc) -#allow mtkbootanimation proc_meminfo:file r_file_perms; +allow mtkbootanimation proc_meminfo:file r_file_perms; #r_dir_file(mtkbootanimation, sysfs) r_dir_file(mtkbootanimation, cgroup) diff --git a/prebuilts/api/26.0/plat_private/aee_aed.te b/prebuilts/api/26.0/plat_private/aee_aed.te index 00cf482..4f93a2f 100755 --- a/prebuilts/api/26.0/plat_private/aee_aed.te +++ b/prebuilts/api/26.0/plat_private/aee_aed.te @@ -106,7 +106,7 @@ allow aee_aed logd:unix_stream_socket connectto; # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule # vibrator -#allow aee_aed sysfs_vibrator:file w_file_perms; +allow aee_aed sysfs_vibrator:file w_file_perms; # Data : 2017/03/22 # Operation : add NE flow rule for Android O diff --git a/prebuilts/api/26.0/plat_private/em_svr.te b/prebuilts/api/26.0/plat_private/em_svr.te index b3fffcb..7dd9385 100755 --- a/prebuilts/api/26.0/plat_private/em_svr.te +++ b/prebuilts/api/26.0/plat_private/em_svr.te @@ -35,7 +35,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl}; allow em_svr graphics_device:dir search; allow em_svr radio_data_file:dir { search write add_name create }; allow em_svr radio_data_file:file { create write open read }; -#allow em_svr sysfs_devices_system_cpu:file write; +allow em_svr sysfs_devices_system_cpu:file write; #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid }; allow em_svr self:process execmem; allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open }; diff --git a/prebuilts/api/26.0/plat_private/factory.te b/prebuilts/api/26.0/plat_private/factory.te index 2365e93..ca25c0a 100755 --- a/prebuilts/api/26.0/plat_private/factory.te +++ b/prebuilts/api/26.0/plat_private/factory.te 
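Review bot: The prebuilts/api/26.0/plat_private copies in this patch do not mirror the plat_private changes one-to-one: plat_private/mtkbootanimation.te gains `allow mtkbootanimation proc_meminfo:file r_file_perms;` here with no counterpart under prebuilts/api/26.0, and prebuilts/api/26.0/plat_private/system_server.te is changed although plat_private/system_server.te is not in the diffstat. If the 26.0 snapshot is expected to match the live plat_private policy, as the five paired files (aee_aed, em_svr, factory, meta_tst, mobile_log_d) suggest, one of the two trees is now out of sync and the build check this commit is meant to fix may still trip. Either add the missing mirror edits or say in the description why these two files intentionally differ.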
@@ -24,7 +24,7 @@ allow factory sdcard_type:dir r_dir_perms; ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te #allow factory self:netlink_route_socket create_socket_perms; allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write }; -#allow factory proc_net:file { read getattr open }; +allow factory proc_net:file { read getattr open }; allowxperm factory self:udp_socket ioctl priv_sock_ioctls; allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID}; @@ -32,7 +32,7 @@ allow factory self:process execmem; allow factory self:tcp_socket create_stream_socket_perms; allow factory self:udp_socket create_socket_perms; -#allow factory sysfs_wake_lock:file rw_file_perms; +allow factory sysfs_wake_lock:file rw_file_perms; allow factory system_data_file:dir w_dir_perms; allow factory system_data_file:sock_file create_file_perms; allow factory system_file:file x_file_perms; diff --git a/prebuilts/api/26.0/plat_private/meta_tst.te b/prebuilts/api/26.0/plat_private/meta_tst.te index 7c4ecc1..f4da912 100755 --- a/prebuilts/api/26.0/plat_private/meta_tst.te +++ b/prebuilts/api/26.0/plat_private/meta_tst.te @@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind }; allow meta_tst self:tcp_socket { bind setopt listen accept read write }; allow meta_tst self:udp_socket { create ioctl }; allow meta_tst self:capability { sys_boot ipc_lock }; -#allow meta_tst sysfs_wake_lock:file rw_file_perms; +allow meta_tst sysfs_wake_lock:file rw_file_perms; #allow meta_tst sysfs:file write; allow meta_tst property_socket:sock_file w_file_perms; #allow meta_tst vold_socket:sock_file w_file_perms; diff --git a/prebuilts/api/26.0/plat_private/mobile_log_d.te b/prebuilts/api/26.0/plat_private/mobile_log_d.te index 987e9a6..545a3e0 100755 --- a/prebuilts/api/26.0/plat_private/mobile_log_d.te +++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te 
@@ -73,4 +73,4 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms; allow mobile_log_d debugfs_tracing:dir create_dir_perms; #allow mobile_log_d debugfs_tracing:file create_file_perms; allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms; -#allow mobile_log_d debugfs_tracing_instances:file create_file_perms; +allow mobile_log_d debugfs_tracing_instances:file create_file_perms; diff --git a/prebuilts/api/26.0/plat_private/system_server.te b/prebuilts/api/26.0/plat_private/system_server.te index dbf4d77..7a5ffc1 100755 --- a/prebuilts/api/26.0/plat_private/system_server.te +++ b/prebuilts/api/26.0/plat_private/system_server.te @@ -6,7 +6,7 @@ allow system_server zygote:binder impersonate; # Property service. allow system_server ctl_bootanim_prop:property_service set; # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property. -#allow system_server proc_net:file w_file_perms; +allow system_server proc_net:file w_file_perms; # Querying zygote socket. allow system_server zygote:unix_stream_socket { getopt getattr }; # Date : WK16.36