diff --git a/non_plat/atci_service.te b/non_plat/atci_service.te
new file mode 100644
index 0000000..73b2f06
--- /dev/null
+++ b/non_plat/atci_service.te
@@ -0,0 +1,148 @@
+# ==============================================
+# Policy File of /vendor/bin/atci_service Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atci_service, domain;
+type atci_service_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atci_service)
+
+allow atci_service block_device:dir search;
+allow atci_service misc2_block_device:blk_file { open read write };
+allow atci_service misc2_device:chr_file { open read write };
+allow atci_service bootdevice_block_device:blk_file { open read write };
+
+allow atci_service self:capability { net_raw chown fsetid sys_nice net_admin fowner sys_admin };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:chr_file { read write ioctl open };
+allow atci_service graphics_device:dir search;
+allow atci_service kd_camera_hw_device:chr_file { read write ioctl open };
+allow atci_service self:capability { sys_nice ipc_lock };
+allow atci_service nvram_device:chr_file { read write open ioctl };
+allow atci_service camera_isp_device:chr_file { read write ioctl open };
+allow atci_service camera_sysram_device:chr_file { read ioctl open };
+allow atci_service camera_tsf_device:chr_file rw_file_perms;
+allow atci_service camera_rsc_device:chr_file rw_file_perms;
+allow atci_service camera_gepf_device:chr_file rw_file_perms;
+allow atci_service camera_fdvt_device:chr_file rw_file_perms;
+allow atci_service camera_wpe_device:chr_file rw_file_perms;
+allow atci_service camera_owe_device:chr_file rw_file_perms;
+allow atci_service kd_camera_flashlight_device:chr_file { read write ioctl open };
+allow atci_service ccu_device:chr_file { read write ioctl open };
+allow atci_service vpu_device:chr_file { read write ioctl open };
+allow atci_service MTK_SMI_device:chr_file { open read write ioctl };
+#allow atci_service system_server:binder call;
+#allow atci_service system_data_file:dir { write remove_name add_name };
+allow atci_service DW9714AF_device:chr_file { read write ioctl open };
+allow atci_service devmap_device:chr_file { open read write ioctl };
+allow atci_service sdcard_type:dir { search write read open add_name remove_name create getattr setattr };
+allow atci_service sdcard_type:file { setattr read create write getattr unlink open append };
+allow atci_service mediaserver:binder call;
+#allow atci_service sysfs:file write;
+#allow atci_service system_server:unix_stream_socket { read write };
+allow atci_service self:capability sys_boot;
+
+# Date : 2015/09/17
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+allow atci_service nvram_device:blk_file { open read write };
+allow atci_service input_device:dir { open read search };
+allow atci_service input_device:file { open read write ioctl };
+allow atci_service input_device:chr_file { open read write ioctl };
+allow atci_service MAINAF_device:chr_file { open read write ioctl };
+allow atci_service MAIN2AF_device:chr_file { open read write ioctl };
+allow atci_service SUBAF_device:chr_file { open read write ioctl };
+allow atci_service tmpfs:lnk_file read;
+allow atci_service self:capability2 block_suspend;
+
+# Date : 2015/10/13
+# Operation : M-Migration
+# Purpose : to operation CCT tool
+#allow atci_service mediaserver_service:service_manager find;
+allow atci_service mnt_user_file:dir search;
+allow atci_service mnt_user_file:lnk_file read;
+#allow atci_service mtk_perf_service:service_manager find;
+#allow atci_service sensorservice_service:service_manager find;
+allow atci_service storage_file:lnk_file read;
+#allow atci_service media_rw_data_file:dir { write search create add_name };
+#allow atci_service media_rw_data_file:file { read write create open };
+
+#============= atci_service ==============
+allow atci_service property_socket:sock_file write;
+allow atci_service CAM_CAL_DRV_device:chr_file { read write ioctl open};
+
+allow atci_service init:unix_stream_socket connectto;
+allow atci_service mtk_em_prop:property_service set;
+
+# Date : 2016/03/02
+# Operation : M-Migration
+# Purpose : to support ATCI touch tool
+allow atci_service vendor_shell_exec:file { read execute open execute_no_trans };
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atci_service proc_ged:file {open read write ioctl getattr};
+
+# Date : WK16.35
+# Operation : Migration
+# Purpose : Update camera flashlight driver device file
+allow atci_service flashlight_device:chr_file { read write ioctl open };
+
+# Date : WK17.01
+# Operation : Migration
+# Purpose : Update AT_Command NFC function
+allow atci_service factory_data_file:sock_file write;
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atci_service, hal_pq)
+
+# Date : WK17.28
+# Purpose : Allow to execute battery command
+allow atci_service MT_pmic_adc_cali_device:chr_file rw_file_perms;
+
+# Date : WK17.43
+# Purpose : CCT
+allow atci_service CAM_CAL_DRV_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV1_device:chr_file rw_file_perms;
+allow atci_service CAM_CAL_DRV2_device:chr_file rw_file_perms;
+allow atci_service fwk_sensor_hwservice:hwservice_manager find;
+allow atci_service hidl_allocator_hwservice:hwservice_manager find;
+allow atci_service hidl_memory_hwservice:hwservice_manager find;
+allow atci_service ion_device:chr_file { read ioctl open };
+allow atci_service mtk_cmdq_device:chr_file { read ioctl open };
+allow atci_service mtk_hal_power:binder call;
+allow atci_service mtk_hal_power_hwservice:hwservice_manager find;
+allow atci_service sysfs_batteryinfo:dir search;
+allow atci_service sysfs_batteryinfo:file { read getattr open };
+#allow atci_service system_data_file:lnk_file read;
+allow atci_service system_file:dir { read open };
+allow atci_service camera_pipemgr_device:chr_file { read ioctl open };
+#allow atci_service media_rw_data_file:dir { read getattr open };
+#allow atci_service media_rw_data_file:file { getattr setattr };
+allow atci_service mtkcam_prop:file { read getattr open };
+#allow atci_service hal_camera_hwservice:hwservice_manager find;
+allow atci_service mtk_hal_camera:binder call;
+allow atci_service debugfs_ion:dir search;
+allow atci_service sysfs_tpd_setting:file { read write open getattr };
+allow atci_service sysfs_vibrator_setting:file { read write open getattr };
+allow atci_service sysfs_leds_setting:file { read write open getattr };
+allow atci_service proc:file getattr;
+allow atci_service vendor_toolbox_exec:file { read getattr open execute execute_no_trans };
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atci_service)
+hal_client_domain(atci_service, hal_atci)
+
+# Date : WK18.26
+# Purpose: Allow gps socket sendto
+allow atci_service mnld:unix_dgram_socket sendto;
+
+# Date : WK18.35
+# Purpose : allow CCT to allocate memory
+hal_client_domain(atci_service, hal_allocator);
diff --git a/non_plat/atcid.te b/non_plat/atcid.te
new file mode 100644
index 0000000..7050bc2
--- /dev/null
+++ b/non_plat/atcid.te
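Review bot: The privileged grants in non_plat/atci_service.te are unconditional: write on `bootdevice_block_device:blk_file`, `self:capability { ... sys_admin }` plus `sys_boot`, and `execute_no_trans` on both `vendor_shell_exec` and `vendor_toolbox_exec`, so any shell this daemon spawns keeps the whole domain on user builds as well. If the service is an engineering/factory tool, as the "CCT tool" and "ATCI touch tool" Purpose comments suggest, wrap those rules in `userdebug_or_eng(` ... `)` and narrow the block-device rule to the label of the partition the tool really needs. The file also repeats rules (`camera_isp_device:chr_file` twice, `sys_nice` in two capability sets, `CAM_CAL_DRV_device` granted twice); merging them makes the effective grant set auditable. The capability rules carry no Date/Purpose comment at all, so a line such as `# Purpose: sys_admin needed for <operation>` should be added for each one that stays.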
@@ -0,0 +1,77 @@
+# ==============================================
+# Policy File of /vendor/bin/atcid Executable File
+# ==============================================
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+type atcid, domain;
+type atcid_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(atcid)
+allow atcid init:unix_stream_socket connectto;
+allow atcid property_socket:sock_file write;
+allow atcid block_device:dir search;
+allow atcid socket_device:sock_file write;
+
+# Date : WK17.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid)
+hal_client_domain(atcid, hal_telephony)
+
+allow atcid ttyGS_device:chr_file { read write ioctl open };
+allow atcid persist_service_atci_prop:property_service set;
+allow atcid misc2_device:chr_file { read write open };
+allow atcid wmtWifi_device:chr_file { write open };
+allow atcid misc2_block_device:blk_file { read write open };
+allow atcid bootdevice_block_device:blk_file { open read write };
+allow atci_service gpu_device:chr_file { read write open ioctl getattr };
+allow atcid self:capability sys_time;
+
+# Date : WK16.33
+# Purpose: Allow to access ged for gralloc_extra functions
+allow atcid proc_ged:file {open read write ioctl getattr};
+
+# Date : WK17.23
+# Stage: O Migration, SQC
+# Purpose: Allow to use HAL PQ
+hal_client_domain(atcid, hal_pq)
+
+# Date : WK17.34
+# Purpose: Allow to access meta_tst
+allow atcid meta_tst:unix_stream_socket connectto;
+
+# Date : WK18.15
+# Purpose: Allow to access power_supply in sysfs
+allow atcid sysfs_batteryinfo:file { read open };
+
+# Date : WK18.16
+# Operation: P migration
+# Purpose: Allow atcid to get tel_switch_prop
+get_prop(atcid, tel_switch_prop)
+
+# Date : WK18.21
+# Purpose: Allow to use HIDL
+hwbinder_use(atcid);
+vndbinder_use(atcid);
+hal_server_domain(atcid, hal_atci)
+add_hwservice(hal_atci_server,hal_atci_hwservice)
+
+# Date : WK18.21
+# Purpose: For special
command for customer +set_prop(atcid, mtk_atci_prop); +set_prop(atcid, powerctl_prop); +allow atcid mnt_vendor_file:dir search; +allow atcid nvdata_file:dir { open read write search add_name }; +allow atcid nvdata_file:file { open read write create getattr setattr }; +allow atcid nvram_device:blk_file { open read write }; +allow atcid proc_meminfo:file { open read }; +allow atcid sysfs_batteryinfo:dir search; +allow atcid sysfs_mmcblk:dir search; +allow atcid sysfs_mmcblk:file { read open }; + +# Date : WK18.35 +# Purpose: Add socket for TelephonyWare ATCI +unix_socket_connect(atcid, rild_atci, rild); +unix_socket_connect(atcid, rilproxy_atci, rild); +unix_socket_connect(atcid, atci_service, atci_service); diff --git a/non_plat/attributes b/non_plat/attributes index eb9ea61..09e4003 100644 --- a/non_plat/attributes +++ b/non_plat/attributes @@ -69,3 +69,10 @@ attribute mtk_hal_em_server; attribute hal_mms; attribute hal_mms_client; attribute hal_mms_server; + +attribute hal_mtkcodecservice_server; +attribute hal_mtkcodecservice; + +attribute hal_atci; +attribute hal_atci_client; +attribute hal_atci_server; diff --git a/non_plat/device.te b/non_plat/device.te index 73edc27..2b3e197 100644 --- a/non_plat/device.te +++ b/non_plat/device.te @@ -258,3 +258,8 @@ type m_situ_misc_device, dev_type; type m_step_c_misc_device, dev_type; type m_fusion_misc_device, dev_type; type m_bio_misc_device, dev_type; + +# Date : 2016/07/11 +# Operation : Migration +# Purpose : Add permission for gpu access +type dri_device, dev_type, mlstrustedobject; diff --git a/non_plat/file.te b/non_plat/file.te index d1a8cbe..1598c6b 100644 --- a/non_plat/file.te +++ b/non_plat/file.te 
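Review bot: In non_plat/atcid.te the rule `allow atci_service gpu_device:chr_file { read write open ioctl getattr };` grants to the `atci_service` domain, not to `atcid`, so it is invisible to anyone auditing atci_service.te; move it there, or change the source type to `atcid` if that was the intent. `atcid` reads from `ttyGS_device` (presumably the USB gadget serial port, confirm) and the same domain gets `set_prop(atcid, powerctl_prop)`, write on `bootdevice_block_device` and create/write on `nvdata_file`, so commands arriving on that channel can drive reboot and raw-storage writes. Each of those grants should carry a Purpose comment naming the command that needs it, and the test-only ones belong inside `userdebug_or_eng(` ... `)`. `hwbinder_use(atcid)` appears twice (WK17.21 and WK18.21); the second can be dropped.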
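Review bot: In non_plat/attributes, `hal_mtkcodecservice` is declared with a `_server` attribute but no `hal_mtkcodecservice_client`, unlike the `hal_atci` / `hal_atci_client` / `hal_atci_server` triple added right below it. `hal_client_domain(<domain>, hal_mtkcodecservice)` expands to a `typeattribute <domain> hal_mtkcodecservice_client;` statement, so the first client written against this HAL would fail to build. Add `attribute hal_mtkcodecservice_client;` next to the other two lines. The hunk's context belongs to a file that starts outside the visible lines.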
@@ -310,6 +310,22 @@ type sysfs_headset, fs_type, sysfs_type; # socket between atci_service and audio-daemon type atci-audio_socket, file_type; +# ATCI socket types +type rild_atci_socket, file_type; +type rilproxy_atci_socket, file_type; +type atci_service_socket, file_type; +type adb_atci_socket, file_type; + # Date : 2018/11/01 # Purpose : mtk EM c2k bypass read usb file type sys_usb_rawbulk, fs_type, sysfs_type; + +# Backlight brightness file +type sysfs_vibrator_setting, fs_type, sysfs_type; + +# Date : WK18.16 +# Purpose: Android Migration +type sysfs_mmcblk, fs_type, sysfs_type; + +# Vibrator vibrate file +type sysfs_leds_setting, fs_type, sysfs_type; diff --git a/non_plat/hwservice.te b/non_plat/hwservice.te index 5501fd2..368dc3a 100644 --- a/non_plat/hwservice.te +++ b/non_plat/hwservice.te @@ -46,3 +46,6 @@ type mtk_hal_em_hwservice, hwservice_manager_type; # Date: 2018/07/02 # MMS HIDL type mtk_hal_mms_hwservice, hwservice_manager_type; + +type hal_atci_hwservice, hwservice_manager_type; +type mtk_hal_keymanage_hwservice, hwservice_manager_type; diff --git a/non_plat/md_monitor.te b/non_plat/md_monitor.te new file mode 100644 index 0000000..3f12322 --- /dev/null +++ b/non_plat/md_monitor.te 
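Review bot: The comments on the two new sysfs types in non_plat/file.te are swapped: `# Backlight brightness file` sits above `sysfs_vibrator_setting` and `# Vibrator vibrate file` above `sysfs_leds_setting`. Both labels are opened read/write by `atci_service` in this commit, so a reviewer matching labels to sysfs nodes is misled; put `# Vibrator vibrate file` over `sysfs_vibrator_setting` and `# Backlight brightness file` over `sysfs_leds_setting`. The four ATCI socket types would also benefit from one comment line each stating which daemon creates the socket and which one connects; `adb_atci_socket` in particular has no user in the visible part of this commit.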
@@ -0,0 +1,33 @@
+# ==============================================
+# Policy File of /system/bin/md_monitor Executable File
+
+
+# ==============================================
+# Type Declaration
+# ==============================================
+
+typeattribute md_monitor coredomain;
+typeattribute md_monitor mlstrustedsubject;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+
+# Date : 2015/10/12
+# Operation : IT
+# Purpose : Allow md_monitor to set
+allow md_monitor ccci_device:chr_file rw_file_perms;
+allow md_monitor sysfs_ccci:dir search;
+allow md_monitor sysfs_ccci:file r_file_perms;
+allow md_monitor file_contexts_file:file r_file_perms;
+#allow md_monitor sysfs:file r_file_perms;
+
+# Date : 2017/10/16
+# Operation : IT
+# Purpose : Allow md_monitor to use restore_image_from_pt()
+allow md_monitor block_device:dir search;
+allow md_monitor md_block_device:blk_file r_file_perms;
+allow md_monitor self:capability { chown };
+allow md_monitor storage_file:dir search;
+allow md_monitor tmpfs:lnk_file read;
diff --git a/non_plat/mtk_hal_keymanage.te b/non_plat/mtk_hal_keymanage.te
new file mode 100644
index 0000000..d3efa88
--- /dev/null
+++ b/non_plat/mtk_hal_keymanage.te
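Review bot: In non_plat/md_monitor.te, `typeattribute md_monitor mlstrustedsubject;` exempts the domain from the MLS constraints, and none of the rules that follow (`ccci_device`, `sysfs_ccci`, read-only `md_block_device`, `chown`) shows a cross-level access that needs it. Drop the attribute, or add a comment naming the access that is denied without it. The 2015/10/12 Purpose comment stops at "Allow md_monitor to set", so the read/write grant on `ccci_device` is effectively unexplained; finish the sentence. `self:capability { chown }` should likewise say which file restore_image_from_pt() re-owns.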
@@ -0,0 +1,27 @@ +# Set a new domain +type mtk_hal_keymanage, domain; + +# Set mtk_hal_keymanage as server domain of hal_keymaster +hal_server_domain(mtk_hal_keymanage, hal_keymaster) + +# Set exec file type +type mtk_hal_keymanage_exec, exec_type, file_type, vendor_file_type; + +# Setup for domain transition +init_daemon_domain(mtk_hal_keymanage) + +# Associate mtk_hal_keymanage_hwservice with all server domain +add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice) + +# Give permission for hal_keymaster_client to find mtk_hal_keymanage_hwservice via hwservice_manager +allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find; + +# Give permission for hal_key_manage to access kisd service + +allow mtk_hal_keymanage kisd:unix_stream_socket connectto; + +# Allow mtk_hal_keyinstall to access /data/key_provisioning +allow mtk_hal_keymanage key_install_data_file:dir { write add_name remove_name search }; +allow mtk_hal_keymanage key_install_data_file:file { write create setattr read getattr unlink open append }; + +allow mtk_hal_keymanage debugfs_tracing:file { write }; diff --git a/non_plat/mtkbootanimation.te b/non_plat/mtkbootanimation.te index da0d72e..5affa51 100644 --- a/non_plat/mtkbootanimation.te +++ b/non_plat/mtkbootanimation.te @@ -16,6 +16,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms; # Purpose: Allow to access ged for gralloc_extra functions allow mtkbootanimation proc_ged:file {open read write ioctl getattr}; +# ============================================== +# Type Declaration for secmem +# ============================================== +type proc_secmem, fs_type, proc_type; +# genfscon proc /secmem0 u:object_r:proc_secmem:s0; + # Date : WK14.31 # Operation : Migration # Purpose : access to sec mem proc interface. diff --git a/non_plat/property.te b/non_plat/property.te index e45b952..b9851a5 100644 --- a/non_plat/property.te +++ b/non_plat/property.te 
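Review bot: In non_plat/mtk_hal_keymanage.te, `add_hwservice(hal_keymaster_server, mtk_hal_keymanage_hwservice)` lets every domain carrying `hal_keymaster_server` register the key-management service, and `allow hal_keymaster_client mtk_hal_keymanage_hwservice:hwservice_manager find;` exposes it to every keymaster client, although only `mtk_hal_keymanage` is given the `kisd` socket and write access to `key_install_data_file`. Scope the registration to the domain itself, `add_hwservice(mtk_hal_keymanage, mtk_hal_keymanage_hwservice)`, and grant `find` only to the clients that actually provision keys. The comments name `hal_key_manage` and `mtk_hal_keyinstall`, neither of which is the domain defined here, and `debugfs_tracing:file { write }` has no comment at all; correct the names and add a Purpose line for the tracing rule.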
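Review bot: In non_plat/mtkbootanimation.te, `type proc_secmem, fs_type, proc_type;` is declared inside a domain file, while the other new file types of this commit are added to file.te; a type declared here is hard to find and depends on this domain file being built. The `genfscon` line is left commented out, so unless genfs_contexts (not part of this hunk) labels `/proc/secmem0`, the node keeps the generic `proc` label and rules written against `proc_secmem` never match. Move the declaration to file.te and replace the commented line with a comment such as `# labelled in genfs_contexts` once that entry exists. The surrounding rules of this file lie outside the hunk.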
@@ -281,3 +281,26 @@ type mtk_voicerecgnize_prop, property_type, mtk_core_property_type; #=============allow radio to set/get xcap rawurl config================ type persist_xcap_rawurl_prop, property_type, extended_core_property_type; + +#=============allow atcid============== +type persist_service_atci_prop, property_type, mtk_core_property_type; +type mtk_atci_prop, property_type, mtk_core_property_type; + +#=============allow Netd property============== +type mtk_net_ipv6_prop, property_type, mtk_core_property_type; + +#============= allow carrier express (cxp) ============== +type usp_prop, property_type, mtk_core_property_type; +type mtk_cxp_vendor_prop, property_type, mtk_core_property_type; + +#=============allow MD to set mtk_md_version_prop============== +type mtk_md_version_prop, property_type, mtk_core_property_type; + +#=============allow radio to set mtk_volte_enable property============== +type mtk_volte_prop, property_type, mtk_core_property_type; + +#=============allow AMS dynamic enable log property=========== +type mtk_amslog_prop, property_type, extended_core_property_type; + +#=============allow android log much property============== +type logmuch_prop, property_type, extended_core_property_type; diff --git a/non_plat/resize.te b/non_plat/resize.te new file mode 100644 index 0000000..b2e8c7c --- /dev/null +++ b/non_plat/resize.te 
@@ -0,0 +1,38 @@
+# ==============================================
+# Policy File of /vendor/bin/resize_xxx Executable File
+
+# ==============================================
+# Type Declaration
+# ==============================================
+type resize, domain;
+type resize_exec, exec_type, file_type, vendor_file_type;
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+
+# Date : WK15.30
+# Operation : Migration
+# Purpose : resize fs(ext4) partition, only run once.
+init_daemon_domain(resize)
+
+allow resize resize_exec:file execute_no_trans;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow resize devpts:chr_file { read write open getattr ioctl };
+
+allow resize kmsg_device:chr_file { write open };
+
+allow resize userdata_block_device:blk_file rw_file_perms;
+
+allow resize block_device:dir search;
+
+allow resize resize:capability sys_admin;
+
+allow resize labeledfs:filesystem unmount;
+
+allow resize property_socket:sock_file write;
+
+allow resize init:unix_stream_socket connectto;
+
+#allow resize system_file:file execute_no_trans;
diff --git a/plat_private/guiext-server.te b/plat_private/guiext-server.te
new file mode 100644
index 0000000..9b301d6
--- /dev/null
+++ b/plat_private/guiext-server.te
@@ -0,0 +1,20 @@
+# ==============================================
+# Policy File of /system/bin/guiext-server Executable File
+
+# ==============================================
+# MTK Policy Rule
+# ==============================================
+# Type Declaration
+# ==============================================
+type guiext-server_exec, system_file_type, exec_type, file_type;
+
+typeattribute guiext-server coredomain;
+
+init_daemon_domain(guiext-server)
+
+# for bqdump and conversion pool
+binder_service(guiext-server)
+binder_use(guiext-server)
+
+binder_call(guiext-server, binderservicedomain)
+binder_call(guiext-server, appdomain)
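Review bot: In non_plat/resize.te, `allow resize resize:capability sys_admin;` should name the target as `self` (`allow resize self:capability sys_admin;`), the form every other capability rule in this commit uses and the one auditors search for. The raw `property_socket:sock_file write` and `init:unix_stream_socket connectto` rules open the path to the property service without any `property_service set` grant, so they are either dead or a denial is pending; replace both with `set_prop(resize, <property type>)` for the property the tool really sets. With `rw_file_perms` on `userdata_block_device` and `labeledfs:filesystem unmount` in the same domain, the "only run once" assumption in the comment deserves a note on where it is enforced, since the init service definition is not part of this diff.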
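Review bot: In plat_private/guiext-server.te, `binder_call(guiext-server, appdomain)` lets this init-started daemon call into every app process, which is wider than the "bqdump and conversion pool" comment explains; name the callback interface that needs it in a comment, or narrow the target. `guiext-server_service` is declared in plat_public/service.te by this commit, but no `add_service(guiext-server, guiext-server_service)` appears here, so registration with servicemanager would be denied unless another file grants it. The header interleaves the "MTK Policy Rule" and "Type Declaration" banners; keep one banner per section so the type declaration is not read as a policy rule.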
diff --git a/plat_public/guiext-server.te b/plat_public/guiext-server.te new file mode 100644 index 0000000..25d82b6 --- /dev/null +++ b/plat_public/guiext-server.te @@ -0,0 +1,4 @@ +# ============================================== +# Policy File of /system/bin/guiext-server Executable File + +type guiext-server, domain; diff --git a/plat_public/md_monitor.te b/plat_public/md_monitor.te new file mode 100644 index 0000000..b00365e --- /dev/null +++ b/plat_public/md_monitor.te @@ -0,0 +1,13 @@ +# ============================================== +# Policy File of /system/bin/md_monitor Executable File + + +# ============================================== +# Type Declaration +# ============================================== + +type md_monitor ,domain; + +# ============================================== +# MTK Policy Rule +# ============================================== diff --git a/plat_public/service.te b/plat_public/service.te index c916a8c..b7c8dd9 100644 --- a/plat_public/service.te +++ b/plat_public/service.te @@ -5,4 +5,5 @@ # System Server Services # Other Services -type nvram_agent_service, service_manager_type; \ No newline at end of file +type nvram_agent_service, service_manager_type; +type guiext-server_service, service_manager_type;