[ALPS04340791] SEPOLICY: workaround fix BASIC build error

[Detail] Only BASIC Sepolicy need to be applyed for BASIC, we separate basic/bsp sepolicy for BASIC. This workaround is for fixing the build errors that cause by the declarations were defined in bsp/ dir and neverallow rules. MTK-Commit-Id: f1ed54e84b85f73e20dcc8c2ac5f0c42fddedc77 Change-Id: I568873fcc272d04b018efc4be00924b751bb3775 CR-Id: ALPS04340791 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
2020-01-18 10:09:28 +08:00 · 2020-01-18 10:09:28 +08:00 · 427c135bd6
commit 427c135bd6
parent a27e813df1
15 changed files with 422 additions and 1 deletions
--- a/non_plat/atci_service.te
+++ b/non_plat/atci_service.te
@ -0,0 +1,148 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file { open read write };
+allow atci_service misc2_device:chr_file { open read write };
+allow atci_service bootdevice_block_device:blk_file { open read write };
+
+allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
+allow atci_service self:capability { sys_nice ipc_lock };
+allow atci_service nvram_device:chr_file { read write open ioctl };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service camera_sysram_device:chr_file { read ioctl open };
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow atci_service ccu_device:chr_file { read write ioctl open };
+allow atci_service vpu_device:chr_file { read write ioctl open };
+allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
+#allow atci_service system_server:binder call;
+#allow atci_service system_data_file:dir { write remove_name add_name };
+allow atci_service DW9714AF_device:chr_file { read write ioctl open };
+allow atci_service devmap_device:chr_file { open read write ioctl };
+allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr };
+allow atci_service sdcard_type:file { setattr read create write getattr unlink open append };
+allow atci_service mediaserver:binder call;
+#allow atci_service sysfs:file write;
+#allow atci_service system_server:unix_stream_socket { read write };
+allow atci_service self:capability sys_boot;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file { open read write };
+allow atci_service input_device:dir { open read search };
+allow atci_service input_device:file { open read write ioctl };
+allow atci_service input_device:chr_file { open read write ioctl };
+allow atci_service MAINAF_device:chr_file { open read write ioctl };
+allow atci_service MAIN2AF_device:chr_file { open read write ioctl };
+allow atci_service SUBAF_device:chr_file { open read write ioctl };
+allow atci_service tmpfs:lnk_file read;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+#allow atci_service mediaserver_service:service_manager find;
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file read;
+#allow atci_service mtk_perf_service:service_manager find;
+#allow atci_service sensorservice_service:service_manager find;
+allow atci_service storage_file:lnk_file read;
+#allow atci_service media_rw_data_file:dir { write search create add_name };
+#allow atci_service media_rw_data_file:file { read write create open };
+
+#============= atci_service ==============
+allow atci_service property_socket:sock_file write;
+allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
+
+allow atci_service init:unix_stream_socket connectto;
+allow atci_service mtk_em_prop:property_service set;
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file { read execute open execute_no_trans };
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file {open read write ioctl getattr};
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file { read write ioctl open };
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service hidl_allocator_hwservice:hwservice_manager find;
+allow atci_service hidl_memory_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file { read ioctl open };
+allow atci_service mtk_cmdq_device:chr_file { read ioctl open };
+allow atci_service mtk_hal_power:binder call;
+allow atci_service mtk_hal_power_hwservice:hwservice_manager find;
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file { read getattr open };
+#allow atci_service system_data_file:lnk_file read;
+allow atci_service system_file:dir { read open };
+allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
+#allow atci_service media_rw_data_file:dir { read getattr open };
+#allow atci_service media_rw_data_file:file { getattr setattr };
+allow atci_service mtkcam_prop:file { read getattr open };
+#allow atci_service hal_camera_hwservice:hwservice_manager find;
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file { read write open getattr };
+allow atci_service sysfs_vibrator_setting:file { read write open getattr };
+allow atci_service sysfs_leds_setting:file { read write open getattr };
+allow atci_service proc:file getattr;
+allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans };
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atci_service)
+hal_client_domain(atci_service, hal_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator);
--- a/non_plat/atcid.te
+++ b/non_plat/atcid.te
@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+allow atcid init:unix_stream_socket connectto;
+allow atcid property_socket:sock_file write;
+allow atcid block_device:dir search;
+allow atcid socket_device:sock_file write;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid)
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file { read write ioctl open };
+allow atcid persist_service_atci_prop:property_service set;
+allow atcid misc2_device:chr_file { read write open };
+allow atcid wmtWifi_device:chr_file { write open };
+allow atcid misc2_block_device:blk_file { read write open };
+allow atcid bootdevice_block_device:blk_file { open read write };
+allow atci_service gpu_device:chr_file { read write open ioctl getattr };
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file {open read write ioctl getattr};
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file { read open };
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get tel_switch_prop
+get_prop(atcid, tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid);
+vndbinder_use(atcid);
+hal_server_domain(atcid, hal_atci)
+add_hwservice(hal_atci_server,hal_atci_hwservice)
+
+# Date : WK18.21
+# Purpose: For special command for customer
+set_prop(atcid, mtk_atci_prop);
+set_prop(atcid, powerctl_prop);
+allow atcid mnt_vendor_file:dir search;
+allow atcid nvdata_file:dir { open read write search add_name };
+allow atcid nvdata_file:file { open read write create getattr setattr };
+allow atcid nvram_device:blk_file { open read write };
+allow atcid proc_meminfo:file { open read };
+allow atcid sysfs_batteryinfo:dir search;
+allow atcid sysfs_mmcblk:dir search;
+allow atcid sysfs_mmcblk:file { read open };
+
+# Date : WK18.35
+# Purpose: Add socket for TelephonyWare ATCI
+unix_socket_connect(atcid, rild_atci, rild);
+unix_socket_connect(atcid, rilproxy_atci, rild);
+unix_socket_connect(atcid, atci_service, atci_service);
--- a/non_plat/attributes
+++ b/non_plat/attributes
@ -69,3 +69,10 @@ attribute mtk_hal_em_server;
 attribute hal_mms;
 attribute hal_mms_client;
 attribute hal_mms_server;
+
+attribute hal_mtkcodecservice_server;
+attribute hal_mtkcodecservice;
+
+attribute hal_atci;
+attribute hal_atci_client;
+attribute hal_atci_server;
--- a/non_plat/device.te
+++ b/non_plat/device.te
@ -258,3 +258,8 @@ type m_situ_misc_device, dev_type;
 type m_step_c_misc_device, dev_type;
 type m_fusion_misc_device, dev_type;
 type m_bio_misc_device, dev_type;
+
+# Date : 2016/07/11
+# Operation : Migration
+# Purpose : Add permission for gpu access
+type dri_device, dev_type, mlstrustedobject;
--- a/non_plat/file.te
+++ b/non_plat/file.te
@ -310,6 +310,22 @@ type sysfs_headset, fs_type, sysfs_type;
 # socket between atci_service and audio-daemon
 type atci-audio_socket, file_type;

+# ATCI socket types
+type rild_atci_socket, file_type;
+type rilproxy_atci_socket, file_type;
+type atci_service_socket, file_type;
+type adb_atci_socket, file_type;
+
 # Date : 2018/11/01
 # Purpose : mtk EM c2k bypass read usb file
 type sys_usb_rawbulk, fs_type, sysfs_type;
+
+# Backlight brightness file
+type sysfs_vibrator_setting, fs_type, sysfs_type;
+
+# Date : WK18.16
+# Purpose: Android Migration
+type sysfs_mmcblk, fs_type, sysfs_type;
+
+# Vibrator vibrate file
+type sysfs_leds_setting, fs_type, sysfs_type;
--- a/non_plat/hwservice.te
+++ b/non_plat/hwservice.te
@ -46,3 +46,6 @@ type mtk_hal_em_hwservice, hwservice_manager_type;
 # Date: 2018/07/02
 # MMS HIDL
 type mtk_hal_mms_hwservice, hwservice_manager_type;
+
+type hal_atci_hwservice, hwservice_manager_type;
+type mtk_hal_keymanage_hwservice, hwservice_manager_type;
--- a/non_plat/md_monitor.te
+++ b/non_plat/md_monitor.te
@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /system/bin/md_monitor Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+typeattribute md_monitor coredomain;
+typeattribute md_monitor mlstrustedsubject;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : 2015/10/12
+# Operation : IT
+# Purpose : Allow md_monitor to set
+allow md_monitor ccci_device:chr_file rw_file_perms;
+allow md_monitor sysfs_ccci:dir search;
+allow md_monitor sysfs_ccci:file r_file_perms;
+allow md_monitor file_contexts_file:file r_file_perms;
+#allow md_monitor sysfs:file r_file_perms;
+
+# Date : 2017/10/16
+# Operation : IT
+# Purpose : Allow md_monitor to use restore_image_from_pt()
+allow md_monitor block_device:dir search;
+allow md_monitor md_block_device:blk_file r_file_perms;
+allow md_monitor self:capability { chown };
+allow md_monitor storage_file:dir search;
+allow md_monitor tmpfs:lnk_file read;
--- a/non_plat/mtk_hal_keymanage.te
+++ b/non_plat/mtk_hal_keymanage.te
@ -0,0 +1,27 @@
+# Set a new domain
+type mtk_hal_keymanage, domain;
+
+# Set mtk_hal_keymanage as server domain of hal_keymaster
+hal_server_domain(mtk_hal_keymanage, hal_keymaster)
+
+# Set exec file type
+type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_keymanage)
+
+# Associate mtk_hal_keymanage_hwservice with all server domain
+add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)
+
+# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager
+allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;
+
+# Give permission for hal_key_manage to access kisd service
+
+allow mtk_hal_keymanage kisd:unix_stream_socket connectto;
+
+# Allow mtk_hal_keyinstall to access /data/key_provisioning
+allow mtk_hal_keymanage key_install_data_file:dir { write add_name remove_name search };
+allow mtk_hal_keymanage key_install_data_file:file { write create setattr read getattr unlink open append };
+
+allow mtk_hal_keymanage debugfs_tracing:file { write };
--- a/non_plat/mtkbootanimation.te
+++ b/non_plat/mtkbootanimation.te
@ -16,6 +16,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
 # Purpose: Allow to access ged for gralloc_extra functions
 allow mtkbootanimation proc_ged:file {open read write ioctl getattr};

+# ==============================================
+# Type Declaration for secmem
+# ==============================================
+type proc_secmem, fs_type, proc_type;
+# genfscon proc /secmem0 u:object_r:proc_secmem:s0;
+
 # Date : WK14.31
 # Operation : Migration
 # Purpose : access to sec mem proc interface.
--- a/non_plat/property.te
+++ b/non_plat/property.te
@ -281,3 +281,26 @@ type mtk_voicerecgnize_prop, property_type, mtk_core_property_type;

 #=============allow radio to set/get xcap rawurl config================
 type persist_xcap_rawurl_prop, property_type, extended_core_property_type;
+
+#=============allow atcid==============
+type persist_service_atci_prop, property_type, mtk_core_property_type;
+type mtk_atci_prop, property_type, mtk_core_property_type;
+
+#=============allow Netd property==============
+type mtk_net_ipv6_prop, property_type, mtk_core_property_type;
+
+#============= allow carrier express (cxp) ==============
+type usp_prop, property_type, mtk_core_property_type;
+type mtk_cxp_vendor_prop, property_type, mtk_core_property_type;
+
+#=============allow MD to set mtk_md_version_prop==============
+type mtk_md_version_prop, property_type, mtk_core_property_type;
+
+#=============allow radio to set mtk_volte_enable property==============
+type mtk_volte_prop, property_type, mtk_core_property_type;
+
+#=============allow AMS dynamic enable log property===========
+type mtk_amslog_prop, property_type, extended_core_property_type;
+
+#=============allow android log much property==============
+type logmuch_prop, property_type, extended_core_property_type;
--- a/non_plat/resize.te
+++ b/non_plat/resize.te
@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /vendor/bin/resize_xxx Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type resize, domain;
+type resize_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : resize fs(ext4) partition, only run once.
+init_daemon_domain(resize)
+
+allow resize resize_exec:file execute_no_trans;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow resize devpts:chr_file { read write open getattr ioctl };
+
+allow resize kmsg_device:chr_file { write open };
+
+allow resize userdata_block_device:blk_file rw_file_perms;
+
+allow resize block_device:dir search;
+
+allow resize resize:capability sys_admin;
+
+allow resize labeledfs:filesystem unmount;
+
+allow resize property_socket:sock_file write;
+
+allow resize init:unix_stream_socket connectto;
+
+#allow resize system_file:file execute_no_trans;
--- a/plat_private/guiext-server.te
+++ b/plat_private/guiext-server.te
@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/bin/guiext-server Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Type Declaration
+# ==============================================
+type guiext-server_exec, system_file_type, exec_type, file_type;
+
+typeattribute guiext-server coredomain;
+
+init_daemon_domain(guiext-server)
+
+# for bqdump and conversion pool
+binder_service(guiext-server)
+binder_use(guiext-server)
+
+binder_call(guiext-server, binderservicedomain)
+binder_call(guiext-server, appdomain)
--- a/plat_public/guiext-server.te
+++ b/plat_public/guiext-server.te
@ -0,0 +1,4 @@
+# ==============================================
+# Policy File of /system/bin/guiext-server Executable File
+
+type guiext-server, domain;
--- a/plat_public/md_monitor.te
+++ b/plat_public/md_monitor.te
@ -0,0 +1,13 @@
+# ==============================================
+# Policy File of /system/bin/md_monitor Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+type md_monitor ,domain;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
--- a/plat_public/service.te
+++ b/plat_public/service.te
@ -5,4 +5,5 @@
 # System Server Services

 # Other Services
-type nvram_agent_service, service_manager_type;
+type nvram_agent_service, service_manager_type;
+type guiext-server_service, service_manager_type;