From 57a8f660be7c72efaabfc148abc8c49dbb078b75 Mon Sep 17 00:00:00 2001
From: MY Chuang
Date: Sat, 18 Jan 2020 10:18:16 +0800
Subject: [PATCH] [ALPS04701006] mrdump: fix avc denied condition
1. fix some avc denied condition caused by mrdump_tool.
2. merge the rule about mrdump in one area.
MTK-Commit-Id: c0d93f9196903a772ff1b318f153701714d28d80
Change-Id: I23082aac2d7b522a9f78426796b94de145374ed5
Signed-off-by: MY Chuang
CR-Id: ALPS04701006
Feature: Memory RAM Dump (MRDUMP)
---
 non_plat/aee_aedv.te | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/non_plat/aee_aedv.te b/non_plat/aee_aedv.te
index 65251e0..f2b24b6 100644
--- a/non_plat/aee_aedv.te
+++ b/non_plat/aee_aedv.te
@@ -307,11 +307,18 @@ allow aee_aedv selinuxfs:file r_file_perms;
 # Purpose: Allow aee_aedv to read /proc/pid/exe
 #allow aee_aedv exec_type:file r_file_perms;
-# Purpose: mrdump pre-allocation: immutable and userdata
-# - avc: denied { linux_immutable } for capability=9 scontext=u:r:aee_aedv:s0
-# tcontext=u:r:aee_aedv:s0 tclass=capability permissive=0
+# Purpose: mrdump db flow and pre-allocation
+# mrdump db flow
+allow aee_aedv sysfs_dt_firmware_android:dir search;
+allow aee_aedv sysfs_dt_firmware_android:file r_file_perms;
+allow aee_aedv kernel:system module_request;
+allow aee_aedv metadata_file:dir search;
+# pre-allocation
 allow aee_aedv self:capability linux_immutable;
 allow aee_aedv userdata_block_device:blk_file { read write open };
+allow aee_aedv para_block_device:blk_file rw_file_perms;
+allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl FS_IOC_FIEMAP;
+allow aee_aedv mrdump_device:blk_file rw_file_perms;
 # Purpose: allow vendor aee read lowmemorykiller logs
 # file path: /sys/module/lowmemorykiller/parameters/
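Review bot: The base `ioctl` permission on aee_dumpsys_vendor_file is lost by this commit: the second hunk removes `allow aee_aedv aee_dumpsys_vendor_file:file ioctl;` while the first hunk carries over only the `allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl FS_IOC_FIEMAP;` line under `# pre-allocation`. An allowxperm rule only narrows which ioctl commands are accepted; the ioctl permission itself must still be granted by an allow rule, so unless another rule in this file grants ioctl on that type (r_file_perms/rw_file_perms include it in AOSP's global_macros), FS_IOC_FIEMAP will keep failing with `avc: denied { ioctl }`. Restoring `allow aee_aedv aee_dumpsys_vendor_file:file ioctl;` directly above the allowxperm line fixes that. The new block would also be easier to audit if it recorded, as the removed comment did for linux_immutable, the denial each new rule resolves, in particular which module `allow aee_aedv kernel:system module_request;` is expected to load and which sysfs_dt_firmware_android node is read.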
@@ -405,12 +412,6 @@ allow aee_aedv proc_cmdq_debug:file r_file_perms;
 # temp solution
 get_prop(aee_aedv, vendor_default_prop)
-# mrdump
-allow aee_aedv para_block_device:blk_file rw_file_perms;
-allow aee_aedv aee_dumpsys_vendor_file:file ioctl;
-allowxperm aee_aedv aee_dumpsys_vendor_file:file ioctl FS_IOC_FIEMAP;
-allow aee_aedv mrdump_device:blk_file rw_file_perms;
-
 #data/dipdebug
 allow aee_aedv aee_dipdebug_vendor_file:dir r_dir_perms;
 allow aee_aedv aee_dipdebug_vendor_file:file r_file_perms;